S2300&S3300 V100R006C05 Typical Configuration Examples 02

S2300&S3300 Series Ethernet Switches
V100R006C05
Typical Configuration Examples
Issue 02
Date 2013-04-20
HUAWEI TECHNOLOGIES CO., LTD.

Copyright © Huawei Technologies Co., Ltd. 2013. All rights reserved.
No part of this document may be reproduced or transmitted in any form or by any means without prior written
consent of Huawei Technologies Co., Ltd.
Trademarks and Permissions
and other Huawei trademarks are trademarks of Huawei Technologies Co., Ltd.
All other trademarks and trade names mentioned in this document are the property of their respective holders.
Notice
The purchased products, services and features are stipulated by the contract made between Huawei and the
customer. All or part of the products, services and features described in this document may not be within the
purchase scope or the usage scope. Unless otherwise specified in the contract, all statements, information,
and recommendations in this document are provided "AS IS" without warranties, guarantees or representations
of any kind, either express or implied.
The information in this document is subject to change without notice. Every effort has been made in the
preparation of this document to ensure accuracy of the contents, but all statements, information, and
recommendations in this document do not constitute a warranty of any kind, express or implied.
Huawei Technologies Co., Ltd.

Address: Huawei Industrial Base
Bantian, Longgang
Shenzhen 518129
People's Republic of China
Website: http://www.huawei.com
Email: support@huawei.com
Issue 02 (2013-04-20) Huawei Proprietary and Confidential i

Copyright © Huawei Technologies Co., Ltd.
Typical Configuration Examples About This Document
About This Document
Related Versions
The following table lists the product versions related to this document.
Product Name Version
S2300&S3300 V100R006C05
This document provides the typical configuration examples supported by the S2300&S3300
device.
This document is intended for:
l Data configuration engineers

l Commissioning engineers
l Network monitoring engineers
l System maintenance engineers
Symbol Conventions
The symbols that may be found in this document are defined as follows.
Symbol Description
Indicates a hazard with a high level or medium level of risk

which, if not avoided, could result in death or serious injury.
DANGER
Indicates a hazard with a low level of risk which, if not

avoided, could result in minor or moderate injury.
WARNING
Indicates a potentially hazardous situation that, if not

avoided, could result in equipment damage, data loss,
CAUTION
performance deterioration, or unanticipated results.
TIP Provides a tip that may help you solve a problem or save time.
Issue 02 (2013-04-20) Huawei Proprietary and Confidential ii

Symbol Description
NOTE Provides additional information to emphasize or supplement

important points in the main text.
Command Conventions
The command conventions that may be found in this document are defined as follows.
Convention Description
Boldface The keywords of a command line are in boldface.
Italic Command arguments are in italics.
[] Items (keywords or arguments) in brackets [ ] are optional.
{ x | y | ... } Optional items are grouped in braces and separated by

vertical bars. One item is selected.
[ x | y | ... ] Optional items are grouped in brackets and separated by

vertical bars. One item is selected or no item is selected.
{ x | y | ... }* Optional items are grouped in braces and separated by

vertical bars. A minimum of one item or a maximum of all
items can be selected.
[ x | y | ... ]* Optional items are grouped in brackets and separated by

vertical bars. You can select one or several items, or select
no item.
&<1-n> The parameter before the & sign can be repeated 1 to n times.
# A line starting with the # sign is comments.
Change History
Updates between document issues are cumulative. Therefore, the latest document issue contains
all updates made in previous issues.
Changes in Issue 02 (2013-04-20)

This version has the following updates:
l Some contents are modified according to updates in the product such as features and
commands.
l Output information of some commands is modified.
Issue 02 (2013-04-20) Huawei Proprietary and Confidential iii

Changes in Issue 01 (2013-02-08)

Initial commercial release.
Issue 02 (2013-04-20) Huawei Proprietary and Confidential iv

Typical Configuration Examples Contents
Contents
About This Document.....................................................................................................................ii

1 Configuration Guide - Basic Configuration.............................................................................1
1.1 CLI Overview.....................................................................................................................................................2
1.1.1 Example for Using Tab..............................................................................................................................2
1.2 Logging In to the System for the First Time......................................................................................................3
1.2.1 Example for Performing Basic Configuration on the Device at First Login.............................................3
1.3 Configuring a User Interface..............................................................................................................................5
1.3.1 Example of Configuring the Console User Interface................................................................................5
1.3.2 Example of Configuring a VTY User Interface........................................................................................6
1.4 Configuring User Login......................................................................................................................................8
1.4.1 Example for Logging In to the Device Through a Console Port...............................................................8
1.4.2 Example for Logging In to the Device Through Telnet..........................................................................12
1.4.3 Example for Logging In to the Device Through STelnet........................................................................14
1.4.4 Example for Logging In to the Device Through HTTP..........................................................................24
1.4.5 Example for Logging In to the Device Through HTTPS........................................................................27
1.4.6 Example for Configuring the Device as the Telnet Client to Log In to Another Device........................30
1.4.7 Example for Configuring the Device as the STelnet Client to Log In to Another Device......................32
1.5 File Management..............................................................................................................................................38
1.5.1 Example of Logging In to the Device to Manage Files...........................................................................38
1.5.2 Example for Managing Files When the Device Functions as an FTP Server.........................................39
1.5.3 Example for Managing Files Using SFTP When the Device Functions as an SSH Server....................41
1.5.4 Example for Managing Files When the Device Functions as a TFTP Client..........................................43
1.5.5 Example for Managing Files When the Device Functions as an FTP Client..........................................44
1.5.6 Example for Managing Files When the Device Functions as an SFTP Client........................................46
1.5.7 Example for Managing Files When the Device Functions as an SCP Client..........................................51
1.6 Configuring System Startup.............................................................................................................................53
1.6.1 Example for Backing Up the Configuration File.....................................................................................53
1.6.2 Example for Recovering the Configuration File.....................................................................................54
1.6.3 Example of Configuring System Startup.................................................................................................55
2 Configuration Guide - Interface Management......................................................................59

2.1 Ethernet Interfaces Configuration.....................................................................................................................60
2.1.1 Example for Configuring Interface Isolation...........................................................................................60
Issue 02 (2013-04-20) Huawei Proprietary and Confidential v

2.2 Logical Interface Configuration.......................................................................................................................61

2.2.1 Example for Configuring VLANs to Communicate Through Sub-interfaces.........................................62
2.2.2 Example for Configuring FR Sub-Interfaces...........................................................................................63
2.2.3 Example for Configuring the Loopback's IP Address to Be Borrowed..................................................67
2.2.4 Example for Configuring the QinQ Termination Sub-interface to Access an L3VPN...........................68
3 Configuration Guide - Ethernet................................................................................................73

3.1 Link Aggregation Configuration......................................................................................................................75
3.1.1 Example for Configuring Link Aggregation in Manual Load Balancing Mode.....................................75
3.1.2 Example for Configuring Link Aggregation in LACP Mode..................................................................77
3.2 VLAN Configuration........................................................................................................................................80
3.2.1 Example for Assigning VLANs Based on Ports.....................................................................................81
3.2.2 Example for Assigning VLANs based on MAC Addresses....................................................................82
3.2.3 Example for Assigning VLANs Based on IP Subnets............................................................................84
3.2.4 Example for Assigning VLANs Based on Protocols...............................................................................87
3.2.5 Example for Implementing Inter-VLAN Communication Using VLANIF Interfaces...........................90
3.2.6 Example for Configuring VLAN Aggregation........................................................................................92
3.2.7 Example for Configuring MUX VLAN..................................................................................................94
3.3 Voice VLAN Configuration.............................................................................................................................96
3.3.1 Example for Configuring a Voice VLAN in Auto Mode........................................................................96
3.3.2 Example for Configuring a Voice VLAN in Manual Mode....................................................................99
3.4 QinQ Configuration........................................................................................................................................101
3.4.1 Example for Configuring basic QinQ....................................................................................................101
3.4.2 Example for Configuring Selective QinQ.............................................................................................104
3.4.3 Example for Configuring Selective QinQ with VLAN Mapping..........................................................107
3.4.4 Example for Configuring QinQ Stacking on a VLANIF Interface.......................................................110
3.5 GVRP Configuration......................................................................................................................................112
3.5.1 Example for Configuring GVRP...........................................................................................................113
3.6 MAC Address Table Configuration...............................................................................................................116
3.6.1 Example for Configuring the MAC Address Table...............................................................................116
3.6.2 Example for Configuring MAC Address Learning in a VLAN............................................................118
3.6.3 Example for Configuring Port Security.................................................................................................120
3.7 STP/RSTP Configuration...............................................................................................................................121
3.7.1 Example for Configuring Basic STP Functions....................................................................................121
3.7.2 Example for Configuring Basic RSTP Functions..................................................................................125
3.8 MSTP Configuration......................................................................................................................................130
3.8.1 Example for Configuring MSTP...........................................................................................................130
3.9 SEP Configuration..........................................................................................................................................138
3.9.1 Example for Configuring SEP on a Closed Ring Network...................................................................138
3.9.2 Example for Configuring SEP on a Multi-Ring Network.....................................................................144
3.9.3 Example for Configuring a Hybrid SEP+MSTP Ring Network...........................................................155
3.9.4 Example for Configuring a Hybrid SEP+RRPP Ring Network............................................................163
3.10 Layer 2 Protocol Transparent Transmission Configuration.........................................................................175
Issue 02 (2013-04-20) Huawei Proprietary and Confidential vi

3.10.1 Example for Configuring Interface-based Layer 2 Protocol Transparent Transmission.....................175

3.10.2 Example for Configuring VLAN-based Layer 2 Protocol Transparent Transmission........................179
3.10.3 Example for Configuring QinQ-based Layer 2 Protocol Transparent Transmission..........................184
3.11 Loopback Detection Configuration..............................................................................................................191
3.11.1 Example for Configuring Loopback Detection...................................................................................191
3.12 VoIP Access Configuration..........................................................................................................................192
3.12.1 Example for Configuring LLDP on a Switch to Provide VoIP Access...............................................193
3.12.2 Example for Configuring a DHCP Server on a Switch to Provide VoIP Access................................195
3.12.3 Example for Configuring an Simplified ACL on a Switch to Provide VoIP Access..........................197
4 Configuration Guide - IP Service...........................................................................................200

4.1 IP Address Configuration...............................................................................................................................202
4.1.1 Example for Configuring IP Addresses for an Interface.......................................................................202
4.1.2 Example for Configuring an IP Unnumbered Interface........................................................................203
4.2 ARP Configuration.........................................................................................................................................207
4.2.1 Example for Configuring ARP..............................................................................................................208
4.2.2 Example for Configuring Routed Proxy ARP.......................................................................................210
4.2.3 Example for Configuring Intra-VLAN Proxy ARP..............................................................................212
4.2.4 Example for Configuring Inter-VLAN Proxy ARP..............................................................................214
4.2.5 Example for Configuring Layer 2 Topology Detection........................................................................216
4.2.6 Example for Configuring ARP Packet Forwarding Between Isolated Interfaces.................................219
4.3 DHCP Configuration......................................................................................................................................223
4.3.1 Example for Configuring a DHCP Server Based on the Global Address Pool.....................................223
4.3.2 Example for Configuring a DHCP Server Based on the Interface Address Pool..................................226
4.3.3 Example for Configuring a DHCP Server and a DHCP Relay Agent...................................................229
4.3.4 Example for Configuring the DHCP and BOOTP Clients....................................................................233
4.3.5 Example for Configuring the BOOTP Clients......................................................................................236
4.4 DHCP Policy VLAN Configuration...............................................................................................................239
4.4.1 Example for Configuring the DHCP Policy VLAN..............................................................................239
4.5 DHCPv6 Configuration..................................................................................................................................247
4.5.1 Example for Configuring a DHCPv6 Server.........................................................................................247
4.5.2 Example for Configuring a DHCPv6 PD Server...................................................................................249
4.5.3 Example for Configuring a DHCPv6 Relay Agent...............................................................................251
4.6 IP Performance Configuration........................................................................................................................254
4.6.1 Example for Configuring ICMP Redirection Packets...........................................................................254
4.6.2 Example for Configuring ICMP Host Unreachable Packets.................................................................257
4.6.3 Example for Optimizing System Performance by Discarding Certain ICMP Packets..........................260
4.7 DNS Configuration.........................................................................................................................................262
4.7.1 Example for Configuring the DNS Client.............................................................................................262
4.8 Basic IPv6 Configurations..............................................................................................................................266
4.8.1 Example for Configuring IPv6 Addresses for Interfaces......................................................................266
4.9 IPv6 DNS configuration.................................................................................................................................269
4.9.1 Example for Configuring IPv6 DNS Client..........................................................................................269
Issue 02 (2013-04-20) Huawei Proprietary and Confidential vii

4.10 IPv6 over IPv4 Tunnel Configuration..........................................................................................................273

4.10.1 Example for Configuring an Automatic IPv6 over IPv4 Tunnel.........................................................273
4.10.2 Example for Configuring a Manual IPv6 over IPv4 Tunnel...............................................................276
4.10.3 Example for Configuring a 6to4 Tunnel..............................................................................................281
4.10.4 Example for Configuring an ISATAP Tunnel.....................................................................................285
5 Configuration Guide - IP Routing.........................................................................................289

5.1 Static Route Configuration.............................................................................................................................291
5.1.1 Example for Configuring IPv4 Static Routes........................................................................................291
5.1.2 Example for Configuring IPv6 Static Routes........................................................................................294
5.1.3 Example for Configuring Static BFD for IPv4 Static Routes...............................................................298
5.2 RIP Configuration...........................................................................................................................................301
5.2.1 Example for Configuring Basic RIP Functions.....................................................................................301
5.2.2 Example for Configuring RIP to Import Routes...................................................................................305
5.2.3 Example for Configuring One-Arm Static BFD for RIP.......................................................................309
5.3 RIPng Configuration.......................................................................................................................................314
5.3.1 Example for Configuring RIPng to Filter the Received Routes............................................................314
5.4 OSPF Configuration.......................................................................................................................................319
5.4.1 Example for Configuring Basic OSPF Functions..................................................................................319
5.4.2 Example for Configuring a Stub Area of OSPF....................................................................................325
5.4.3 Example for Configuring an OSPF NSSA Area...................................................................................329
5.4.4 Example for Configuring DR Election of an OSPF Process.................................................................333
5.4.5 Example for Configuring OSPF Load Balancing..................................................................................338
5.5 OSPFv3 Configuration...................................................................................................................................343
5.5.1 Example for Configuring OSPFv3 Areas..............................................................................................343
5.6 IPv4 IS-IS Configuration................................................................................................................................349
5.6.1 Example for Configuring Basic IS-IS Functions...................................................................................349
5.6.2 Example for Configuring IS-IS Route Aggregation..............................................................................355
5.6.3 Example for Configuring the DIS Election...........................................................................................358
5.6.4 Example for Configuring IS-IS Load Balancing...................................................................................364
5.6.5 Example for Configuring Static BFD for IS-IS.....................................................................................369
5.6.6 Example for Configuring Dynamic BFD for IS-IS...............................................................................373
5.7 BGP Configuration.........................................................................................................................................379
5.7.1 Example for Configuring Basic BGP Functions...................................................................................379
5.7.2 Example for Configuring BGP to Interact With an IGP.......................................................................385
5.7.3 Example for Configuring MED Attributes to Control BGP Route Selection.......................................389
5.8 Routing Policy Configuration.........................................................................................................................394
5.8.1 Example for Filtering the Routes to Be Received or Advertised..........................................................394
5.8.2 Example for Applying a Routing Policy for Importing Routes.............................................................399
5.9 MCE Configuration........................................................................................................................................403
5.9.1 Example for Configuring an MCE........................................................................................................404
6 Configuration Guide - IP Multicast.......................................................................................417

6.1 IGMP Configuration.......................................................................................................................................419
Issue 02 (2013-04-20) Huawei Proprietary and Confidential viii

6.1.1 Example for Configuring Basic IGMP Functions.................................................................................419

6.1.2 Example for Configuring a Static Multicast Group on an Interface......................................................423
6.1.3 Example for Configuring IGMP SSM Mapping...................................................................................427
6.2 PIM-SM (IPv4) Configuration.......................................................................................................................434
6.2.1 Example for Configuring PIM-SM in the ASM Model........................................................................434
6.2.2 Example for Configuring PIM-SM in the SSM Model.........................................................................441
6.2.3 Example for Configuring PIM BFD......................................................................................................449
6.3 Multicast Route Management (IPv4) Configuration......................................................................................452
6.3.1 Example for Configuring a Multicast Static Route to Change the RPF Route.....................................452
6.3.2 Example for Configuring Multicast Static Routes to Connect RPF Routes..........................................457
6.3.3 Example for Configuring Multicast Load Splitting...............................................................................463
6.4 IGMP Snooping Configuration......................................................................................................................470
6.4.1 Example for Configuring IGMP Snooping...........................................................................................470
6.4.2 Example for Configuring Layer 2 Multicast Through Static Interfaces................................................473
6.4.3 Example for Configuring an IGMP Snooping Querier.........................................................................476
6.4.4 Example for Configuring IGMP Snooping Proxy.................................................................................480
6.4.5 Example for Configuring IGMP Snooping SSM Mapping...................................................................483
6.5 Multicast VLAN Replication Configuration..................................................................................................486
6.5.1 Example for Configuring 1-to-N Multicast VLAN Replication Based on User VLANs......................486
6.5.2 Example for Configuring N-to-N Multicast VLAN Replication Based on User VLANs.....................488
6.5.3 Example for Configuring Interface-based Multicast VLAN Replication..............................................491
6.6 Controllable Multicast Configuration.............................................................................................................494
6.6.1 Example for Configuring Controllable Multicast..................................................................................494
6.7 MLD Configuration........................................................................................................................................498
6.7.1 Example for Configuring Basic MLD Functions..................................................................................498
6.7.2 Example for Configuring the MLD Limit.............................................................................................501
6.8 MLD Snooping Configuration........................................................................................................................504
6.8.1 Example for Configuring MLD Snooping.............................................................................................504
6.8.2 Example for Configuring a Static Interface to Implement Layer 2 Multicast.......................................507
6.8.3 Example for Configuring the MLD Snooping Querier.........................................................................510
6.8.4 Example for Configuring Prompt Leave for Interfaces.........................................................................513
6.8.5 Example for Configuring MLD Snooping to Respond to Network Topology Change.........................516
7 Configuration Guide - QoS.....................................................................................................522

7.1 Priority Mapping Configuration.....................................................................................................................523
7.1.1 Example for Configuring Priority Mapping on the S2352P-EI, S3300SI, and S3300EI......................523
7.2 Traffic Policing and Traffic Shaping Configurations.....................................................................................526
8 Configuration Guide - Security..............................................................................................527

8.1 AAA Configuration........................................................................................................................................529
8.1.1 Example for Configuring RADIUS Authentication and Accounting....................................................529
8.1.2 Example for Configuring HWTACACS Authentication, Accounting, and Authorization...................531
8.2 NAC Configuration........................................................................................................................................535
8.2.1 Example for Configuring 802.1x Authentication..................................................................................535
Issue 02 (2013-04-20) Huawei Proprietary and Confidential ix

8.2.2 Example for Configuring MAC Address Authentication......................................................................537

8.2.3 Example for Configuring Portal Authentication...................................................................................540
8.3 ACL Configuration.........................................................................................................................................542
8.3.1 Example for Configuring a Basic ACL to Limit Access to the FTP Server..........................................542
8.3.2 Example for Using an Advanced ACL to Configure Traffic Classifiers...............................................544
8.3.3 Example for Using a Layer 2 ACL to Configure a Traffic Classifier...................................................548
8.3.4 Example for Using a User-defined ACL to Configure a Traffic Classifier...........................................550
8.3.5 Example for Using an ACL6 to Configure a Traffic Classifier.............................................................552
8.4 DHCP Snooping Configuration......................................................................................................................555
8.4.1 Example for Configuring DHCP Snooping Attack Defense.................................................................555
8.5 Local Attack Defense Configuration..............................................................................................................559
8.5.1 Example for Configuring Local Attack Defense...................................................................................559
8.6 Attack Defense Configuration........................................................................................................................562
8.6.1 Example for Configuring Attack Defense.............................................................................................562
8.7 IPSG Configuration........................................................................................................................................564
8.7.1 Example for Configuring IPSG.............................................................................................................564
8.8 URPF Configuration.......................................................................................................................................566
8.8.1 Example for Configuring URPF............................................................................................................566
8.9 ARP Security Configuration...........................................................................................................................567
8.9.1 Example for Configuring ARP Security Functions...............................................................................567
8.9.2 Example for Configuring Defense Against ARP MITM Attacks.........................................................571
8.10 MFF Configuration.......................................................................................................................................574
8.10.1 Example for Configuring MFF............................................................................................................575
8.11 Traffic Suppression and Storm Control Configuration................................................................................578
8.11.1 Example for Configuring Traffic Suppression....................................................................................578
8.11.2 Example for Configuring Storm Control.............................................................................................580
8.12 PPPoE+ Configuration.................................................................................................................................581
8.12.1 Example for Configuring PPPoE+......................................................................................................581
8.13 Keychain Configuration...............................................................................................................................583
8.13.1 Example for Applying the Keychain to RIP........................................................................................584
8.13.2 Example for Applying the Keychain to BGP......................................................................................587
8.14 ND Snooping Configuration.........................................................................................................................591
8.14.1 Example for Configuring ND Snooping on a Layer 2 Network..........................................................591
8.15 SAVI Configurations....................................................................................................................................594
8.15.1 Example for Configuring the SAVI Function in a DHCPv6-Only Scenario......................................594
8.15.2 Example for Configuring the SAVI Function in an SLAAC-Only Scenario......................................597
8.15.3 Example for Configuring the SAVI Function in a DHCPv6+SLAAC Scenario................................600
9 Configuration Guide - Reliability..........................................................................................605

9.1 BFD Configuration.........................................................................................................................................607
9.1.1 Example for Configuring Single-hop BFD for Detecting Faults on a Layer 2 Link.............................607
9.1.2 Example for Configuring Single-Hop BFD on a VLANIF Interface....................................................609
9.1.3 Example for Configuring Multi-Hop BFD............................................................................................612
Issue 02 (2013-04-20) Huawei Proprietary and Confidential x

9.1.4 Example for Associating the BFD Session Status with the Interface Status.........................................615
9.1.5 Example for Configuring Association Between a BFD Session and an Interface................................620
9.1.6 Example for Configuring the BFD Echo Function................................................................................627
9.2 DLDP Configuration......................................................................................................................................629
9.2.1 Example for Configuring DLDP to Detect a Disconnected Optical Fiber Link....................................629
9.2.2 Example for Configuring DLDP to Detect Cross-Connected Optical Fibers........................................631
9.3 MAC Swap Loopback Configuration.............................................................................................................634
9.3.1 Example for Configuring Local MAC Swap Loopback........................................................................634
9.3.2 Example for Configuring Remote MAC Swap Loopback....................................................................636
9.4 Smart Link Configuration...............................................................................................................................637
9.4.1 Example for Configuring Load Balancing on a Smart Link Instance...................................................638
9.4.2 Example for Configuring the Integrated Application of Monitor Link and Smart Link.......................642
9.4.3 Example for Configuring the Smart Link with the Function of Notifying the VPLS Module of Detecting
Link Switching...............................................................................................................................................647
9.5 Monitor Link Configuration...........................................................................................................................651
9.5.1 Example for Configuring the Integrated Application of Monitor Link and Smart Link.......................651
9.6 ERPS (G.8032) Configuration........................................................................................................................651
9.6.1 Example for Configuring ERPS............................................................................................................652
9.6.2 Example for Configuring ERPS Multi-Instance....................................................................................658
9.7 VRRP Configuration......................................................................................................................................666
9.7.1 Example for Configuring a VRRP Group in Active/Standby Mode.....................................................666
9.7.2 Example for Configuring a VRRP Group in Load Balancing Mode....................................................672
9.7.3 Example for Configuring Association Between VRRP and BFD to Implement a Rapid Active/Standby
Switchover......................................................................................................................................................677
9.7.4 Example for Configuring a VRRP6 Group in Active/Standby Mode...................................................682
9.7.5 Example for Configuring a VRRP6 Group in Load Balancing Mode..................................................689
9.8 RRPP Configuration.......................................................................................................................................694
9.8.1 Example for Configuring a Single RRPP Ring with a Single Instance.................................................694
9.8.2 Example for Configuring Intersecting RRPP Rings with a Single Instance (RRPP Defined by the National
Standard of China)..........................................................................................................................................699
9.8.3 Example for Configuring Intersecting RRPP Rings with a Single Instance.........................................710
9.8.4 Example for Configuring Tangent RRPP Rings....................................................................................720
9.8.5 Example for Configuring a Single RRPP Ring with Multiple Instances..............................................728
9.8.6 Example for Configuring Intersecting RRPP Rings with Multiple Instances (RRPP Defined by the
National Standard of China)...........................................................................................................................737
9.8.7 Example for Configuring Intersecting RRPP Rings with Multiple Instances.......................................753
9.8.8 Example for Configuring Tangent RRPP Rings with Multiple Instances.............................................770
9.9 EFM Configuration.........................................................................................................................................780
9.9.1 Example for Configuring Basic EFM Functions...................................................................................781
9.9.2 Example for Configuring Association Between an EFM Module and an Interface..............................786
9.9.3 Example for Configuring Association Between EFM Modules............................................................788
9.9.4 Example for Configuring Association between EFM and BFD............................................................791
9.10 CFM Configuration......................................................................................................................................797
Issue 02 (2013-04-20) Huawei Proprietary and Confidential xi

9.10.1 Example for Configuring VLAN-based Ethernet CFM on a Layer 2 Network..................................797

9.10.2 Example for Associating Ethernet CFM with an Interface.................................................................801
9.10.3 Example for Configuring Association Between CFM Modules.........................................................807
9.10.4 Example for Configuring Association Between CFM and EFM........................................................811
9.10.5 Example for Configuring Association Between CFM and RRPP.......................................................816
9.10.6 Example for Configuring Association Between CFM and MSTP......................................................829
9.11 Y.1731 Configuration...................................................................................................................................836
9.11.1 Example for Configuring One-way Frame Delay Measurement in a VLAN......................................836
9.11.2 Example for Configuring Two-way Frame Delay Measurement in a VLAN.....................................839
9.11.3 Example for Configuring AIS.............................................................................................................842
10 Configuration Guide - Device Management......................................................................848

10.1 Energy-saving Management.........................................................................................................................849
10.1.1 Example for Configuring ALS............................................................................................................849
10.2 Information Center Configuration................................................................................................................850
10.2.1 Example for Outputting Logs to a Log Host.......................................................................................850
10.2.2 Example for Outputting Traps to the SNMP Agent............................................................................853
10.2.3 Example for Outputting Traps to the Console.....................................................................................855
10.3 USB-based Deployment Configuration........................................................................................................856
10.3.1 Example for Configuring Auto-Config on the Same Network Segment.............................................857
10.3.2 Example for Configuring Auto-Config on Different Network Segments...........................................860
10.4 NAP Configuration.......................................................................................................................................864
10.4.1 Example for Configuring NAP-based Remote Deployment...............................................................864
10.5 Mirroring Configuration...............................................................................................................................866
10.5.1 Example for Configuring Local Port Mirroring..................................................................................866
10.5.2 Example for Configuring Layer 2 Remote Port Mirroring..................................................................867
10.5.3 Example for Configuring Local Traffic Mirroring..............................................................................870
10.5.4 Example for Configuring Local VLAN Mirroring..............................................................................872
10.5.5 Example for Configuring Local MAC Address Mirroring..................................................................874
10.6 PoE Configuration........................................................................................................................................875
10.6.1 Example for Configuring PoE.............................................................................................................875
10.7 iStack Configuration.....................................................................................................................................877
10.7.1 Example for Configuring the iStack Function.....................................................................................877
10.7.2 Example for Configuring in Direct Mode...........................................................................................880
10.7.3 Example for Configuring in Relay Mode............................................................................................881
11 Configuration Guide - Network Management..................................................................884

11.1 SNMP Configuration....................................................................................................................................885
11.1.1 Example for Configuring a Switch to Communicate with NMSs Using SNMPv1.............................885
11.1.2 Example for Configuring a Switch to Communicate with an NMS Using SNMPv2c........................888
11.1.3 Example for Configuring a Switch to Communicate with an NMS Using SNMPv3.........................892
11.2 RMON Configuration...................................................................................................................................895
11.2.1 Example for Configuring RMON........................................................................................................895
11.3 NTP Configuration.......................................................................................................................................899
Issue 02 (2013-04-20) Huawei Proprietary and Confidential xii

11.3.1 Example for Configuring Authenticated NTP Unicast Server/Client Mode.......................................900

11.3.2 Example for Configuring NTP Symmetric Peer Mode.......................................................................904
11.3.3 Example for Configuring Authenticated NTP Broadcast Mode..........................................................907
11.3.4 Example for Configuring NTP Multicast Mode..................................................................................912
11.4 Ping and Tracert Configuration....................................................................................................................916
11.4.1 Example for Performing Ping and Tracert Operations........................................................................916
11.5 NQA Configuration......................................................................................................................................917
11.5.1 Example for Configuring a DNS Test Instance...................................................................................917
11.5.2 Example for Configuring an FTP Download Test Instance................................................................919
11.5.3 Example for Configuring an FTP Upload Test Instance.....................................................................922
11.5.4 Example for Configuring an HTTP Test Instance...............................................................................924
11.5.5 Example for Configuring an ICMP Test Instance...............................................................................926
11.5.6 Example for Configuring an ICMP Jitter Test Instance......................................................................928
11.5.7 Example for Configuring an SNMP Query Test Instance...................................................................930
11.5.8 Example for Configuring a TCP Test Instance...................................................................................932
11.5.9 Example for Configuring a Trace Test Instance..................................................................................935
11.5.10 Example for Configuring a UDP Test Instance.................................................................................937
11.5.11 Example for Configuring a UDP Jitter Test Instance........................................................................939
11.5.12 Example for Sending Trap Massages to the NMS When the Threshold Is Exceeded......................942
11.6 LLDP Configuration.....................................................................................................................................945
11.6.1 Example for Configuring LLDP on the Device That Has a Single Neighbor.....................................945
11.6.2 Example for Configuring LLDP on the Device That Has Multiple Neighbors...................................951
11.6.3 Example for Configuring LLDP on the Network with link aggregation configured..........................958
Issue 02 (2013-04-20) Huawei Proprietary and Confidential xiii

Typical Configuration Examples 1 Configuration Guide - Basic Configuration
1 Configuration Guide - Basic Configuration
About This Chapter
This document describes methods to use command line interface and to log in to the device, file
operations, and system startup configurations.
1.1 CLI Overview
Users perform configuration and routine maintenance on devices by running commands.
1.2 Logging In to the System for the First Time
This section describes how to log in to a new device to configure the device. You can log in
through the console port.
1.3 Configuring a User Interface
When a user logs in to the device using the console port, Telnet, or SSH, the system manages
the session between the user and the device on the corresponding user interface.
1.4 Configuring User Login
Users can log in to the device through a console port, Telnet, STelnet, or web to perform local
or remote device maintenance. When there is no reachable route between user terminals and
remote devices, users can log in to these devices through Telnet or STelnet from reachable
devices to manage and configure the devices.
1.5 File Management
All files on the device are stored in storage devices and can be managed in multiple modes. The
current device can function as a client to access files on other devices.
1.6 Configuring System Startup
When the device is powered on, system software starts and configuration files are loaded. To
ensure smooth running of the device, you need to manage system software and configuration
files efficiently.
Issue 02 (2013-04-20) Huawei Proprietary and Confidential 1

1.1 CLI Overview

Users perform configuration and routine maintenance on devices by running commands.
1.1.1 Example for Using Tab

Networking Requirements
The user wants to enter commands in fast and convenient mode to facilitate completion of service
configurations. The device supports the function that the user enters the first character or first
several characters of the keyword and presses Tab to complete the keyword, which improves
input efficiency
Configuration Roadmap
The configuration roadmap is as follows:
1. If there is only one match for the incomplete keyword, enter the incomplete keyword and
press Tab.
2. If there are several matches for the keyword, enter the incomplete keyword and press
Tab repeatedly until the desired keyword is displayed.
3. Enter the incorrect keyword and press Tab. In this case, the incorrect keyword remains
unchanged.
Use Tab if:
There Is Only One Match for an Incomplete Keyword
1. Enter an incomplete keyword.
[Quidway] info-
2. Press Tab.
The system replaces the entered keyword and displays it in a new line with the complete
keyword followed by a space.
[Quidway] info-center
There Are Several Matches for an Incomplete Keyword

# The keyword info-center can be followed by the following keywords. (The command output
provided here is used for reference only. The actual output information may differ from the
following information.)
[Quidway] info-center ?
channel Set the name of information channel
console Setting of console configuration
enable Enable the information center
filter-id Specify the configuration of the ID filtering table
local Setting of logging configuraitons except loghost
logbuffer Setting of log buffer configuration
loghost Setting of logging host configuration
monitor Setting of monitor configuration
rate-limit Specify the rate at which the information center
processes information
snmp Setting of snmp configuration
source Informational source setting
statistic-suppress Suppression that the first occurrence of an event is

always logged immediately, but subsequence identical

messages are suppressed
timestamp Set the time stamp type of information
trapbuffer Setting of trap buffer configuration
1. Enter an incomplete keyword.

[Quidway] info-center log
2. Press Tab.
The system displays the prefixes of all the matched keywords. In this example, the prefix
is log.
[Quidway] info-center loghost
Press Tab to switch from one matched keyword to another. In this case, the cursor closely
follows the end of a word.
[Quidway] info-center logbuffer
Stop pressing Tab when the desired keyword is displayed.
An Incorrect keyword Is Entered
1. Enter an incorrect keyword.

[Quidway] info-center loglog
2. Press Tab.
[Quidway] info-center loglog
The system displays information in a new line, but the keyword loglog remains unchanged
and there is no space between the cursor and the keyword, indicating that this keyword
does not exist.
1.2 Logging In to the System for the First Time

This section describes how to log in to a new device to configure the device. You can log in
through the console port.
1.2.1 Example for Performing Basic Configuration on the Device at

First Login
After logging in to the device through the console port, set the user level for Telnet users 0
through 4 to 15, and set the authentication mode to AAA authentication.
Figure 1-1 Networking diagram for configuring the device through the console port
Console
Network
PC1 Switch PC2

1. Log in to the device through the console port.
NOTE
The HyperTerminal of Windows XP can be used as the terminal emulation software on the PC.
2. Configure the device.
Procedure
Step 1 Log in to the device from PC1 through the console port. For details, see Logging In Through
the Console Port.
Step 2 Configure the device.
# Set the system date, time, and time zone.

<Quidway> clock timezone BJ add 08:00:00
<Quidway> clock datetime 20:10:0 2012-07-26
# Set the device name and IP address of the management interface.

<Quidway> system-view
[Quidway] sysname Server
[Server] vlan 10
[Server-vlan10] quit
[Server] interface ethernet 0/0/1
[Server-Ethernet0/0/1] port hybrid pvid vlan 10
[Server-Ethernet0/0/1] port hybrid untagged vlan 10
[Server-Ethernet0/0/1] quit
[Server] interface vlanif 10
[Server-Vlanif10] ip address 10.137.217.177 24
[Server-Vlanif10] quit
# Set the user level and authentication mode for Telnet users.
[Server] user-interface vty 0 4
[Server-ui-vty0-4] user privilege level 15
[Server-ui-vty0-4] authentication-mode aaa
[Server-ui-vty0-4] quit
[Server] aaa
[Server-aaa] local-user huawei password cipher huawei2012
[Server-aaa] local-user huawei privilege level 15
[Server-aaa] local-user huawei service-type telnet
[Server-aaa] quit
Step 3 Verify the configuration.
When completing the configuration, you can log in to the device through Telnet on PC2.
Access the command line interface of Windows XP and log in to the device through Telnet.
C:\Documents and Settings\Administrator> telnet 10.137.217.177
Press Enter. On the displayed login page, enter the user name and password. If the authentication
succeeds, the command line interface for the user view is displayed. (The following information
is only for reference.)
Login authentication
Username:huawei
Password:
Info: The max number of VTY users is 15, and the number

of current VTY users on line is 1.

<Server>
----End
Configuration Files
Configuration file of the device
#
sysname Server
#
vlan batch 10
#
aaa
local-user huawei password cipher %$%$~^Mg.QBcGS^}H.Q*w~#*,JA8%$%$
local-user huawei privilege level 15
local-user huawei service-type telnet
#
interface Vlanif10
ip address 10.137.217.177 255.255.255.0
#
interface Ethernet0/0/1
port hybrid pvid vlan 10
port hybrid untagged vlan 10
#
user-interface vty 0 4
authentication-mode aaa
user privilege level 15
#
return
1.3 Configuring a User Interface

When a user logs in to the device using the console port, Telnet, or SSH, the system manages
the session between the user and the device on the corresponding user interface.
1.3.1 Example of Configuring the Console User Interface
When a user logs in to the device using the console user interface to maintain the device locally,
the user can configure the attributes of the console user interface to ensure the device security
as required.
The level of console users is 15. The password authentication mode and authentication password
huawei2012 are configured for console users to log in to the device.
1. Configure the user level on the console user interface.

2. Configure the authentication mode and password on the console user interface.

Procedure
Step 1 Configure the user level on the console user interface.
[Quidway] user-interface console 0
[Quidway-ui-console0] user privilege level 15
Step 2 Configure the authentication mode and password on the console user interface.
[Quidway-ui-console0] authentication-mode password
[Quidway-ui-console0] set authentication password cipher huawei2012
[Quidway-ui-console0] quit
After the console user interface is configured, users can use the console interface to log in to the
device in the password authentication mode to maintain the device locally. For details on how
to log in to the device see Logging In to the Device Through a Console Port.

# Run the quit command to disconnect the terminal from the device, connect the terminal to the
device using a console cable, and verify that the new password is valid.
# Run the user-interface console 0 command to enter the console interface view, and run the
display this command to check the configurations on the console interface.
[Quidway-ui-console0] display this
#
user-interface con 0
authentication-mode password
set authentication password cipher %%$%$RdF~Z+6N|0dâ3%v5`W~3.%ymjpAD#$u
[T'e#e32hd8G~4+&%$%$
#
return
----End
Configuration File
#
[T'e#e32hd8G~4+&%$%$
#
return
1.3.2 Example of Configuring a VTY User Interface
A user can use the VTY interface to log in to a remote device using Telnet. The device
administrator can configure the attributes of the VTY user interface to ensure the device security
as required.
The level of VTY users is 15. The password authentication mode and authentication password
huawei2012 are configured for VTY users to log in to the device. Only the user whose IP address
is 10.1.1.1 can log in to the device.
If a user logs in to the device and does not perform any operation within 30 minutes, the user's
terminal disconnects from the device.

1. Configure the maximum number of concurrent VTY user interfaces to 8.
2. Configure restrictions on call-in and call-out permissions on the VTY user interface to
allow users at a specified address or address segment to log in to the device.
3. Configure terminal attributes on the VTY user interface.
4. Configure the user level on the VTY user interface.
5. Configure the authentication mode and password of the VTY user interface.
Procedure
Step 1 Configure the maximum number of concurrent VTY user interfaces.
[Quidway] user-interface maximum-vty 8
Step 2 Configure restrictions on call-in and call-out permissions on the VTY user interface.
[Quidway] acl 2000
[Quidway-acl-basic-2000] rule deny source 10.1.1.1 0
[Quidway-acl-basic-2000] rule permit source any
[Quidway-acl-basic-2000] quit
[Quidway] user-interface vty 0 7
[Quidway-ui-vty0-7] acl 2000 inbound
Step 3 Configure terminal attributes on the VTY user interface.

[Quidway-ui-vty0-7] shell
[Quidway-ui-vty0-7] idle-timeout 30
[Quidway-ui-vty0-7] screen-length 30
[Quidway-ui-vty0-7] history-command max-size 20
Step 4 Configure the user level on the VTY user interface.

[Quidway-ui-vty0-7] user privilege level 15
Step 5 Configure the authentication mode and password of the VTY user interface.
[Quidway-ui-vty0-7] authentication-mode password
[Quidway-ui-vty0-7] quit
After the VTY user interface is configured, users can to log in to the device in the password
authentication mode using Telnet to maintain the device locally or remotely. For details on how
to log in to the device see Logging In to the Device Through Telnet.
# Run the quit command to disconnect the terminal from the device, connect the terminal to the
device using Telnet, and verify that the new password is valid.
# Use 10.1.1.1 to log in to the device using Telnet. The login fails.
# Run the user-interface vty 0 7 command to enter the VTY interface view, and run the display
this command to check the configurations on VTY interfaces.
[Quidway] user-interface vty 0 7
[Quidway-ui-console0] display this
#
user-interface maximum-vty 8
acl 2000 inbound
[T'e#e32hd8G~4+&%$%$

history-command max-size 20
idle-timeout 30 0
screen-length 30
#
return
----End
Configuration File
#
acl number 2000
rule 5 deny source 10.1.1.1 0
rule 10 permit
#
acl 2000 inbound
[T'e#e32hd8G~4+&%$%$
idle-timeout 30 0
screen-length 30
#
return
1.4 Configuring User Login

Users can log in to the device through a console port, Telnet, STelnet, or web to perform local
or remote device maintenance. When there is no reachable route between user terminals and
remote devices, users can log in to these devices through Telnet or STelnet from reachable
devices to manage and configure the devices.
1.4.1 Example for Logging In to the Device Through a Console Port
When you cannot remotely log in to the device, you can perform local login through a console
port. If you log in to the device through a console port, only password authentication is required.
To improve security, use AAA on the console user interface.
Figure 1-2 Networking diagram of user login through a console port
PC Switch
1. Use the terminal simulation software to log in to the device through a console port.

2. Configure the authentication mode of the console user interface.
Procedure
Step 1 Use the terminal simulation software to log in to the device through a console port. The Windows
XP HyperTerminal is used as an example in this section.
NOTE
The settings of the terminal communication parameters must be consistent with those of the physical
attribute parameters on the user interface of the console port. If the user authentication mode is set on the
user interface of the console port, you can log in to the device only after you are authenticated.
1. Insert the DB9 connector of the console cable delivered with the product to the 9-pin serial
port on the PC, and insert the RJ45 connector to the console port of the device, as shown
in Figure 1-3.
Figure 1-3 Connecting to the device through the console port
2. Choose Start > All Program > Accessories > Communications > HyperTerminal on
the PC to start the HyperTerminal. Set up a connection, as shown in Figure 1-4.
Figure 1-4 Setting up a connection

3. Select the connection port, as shown in Figure 1-5.
Figure 1-5 Selecting the connection port
4. Set the port communication parameters. If the parameters on the user interface have been
set, you must set the port communication parameters to be consistent with the settings on
the user interface. If the parameters on the user interface have not been set, retain the default
settings on the device.

Figure 1-6 Setting communication parameters
5. Press Enter until the system prompts you to enter the password. (The system will prompt
you to enter the user name and password in AAA authentication. The following information
is only for reference.)
Password:
You can run commands to configure the device. Enter a question mark (?) whenever you
need help.
Step 2 Configure the authentication mode of the console user interface.
[Quidway-ui-console0] authentication-mode aaa
[Quidway-ui-console0] user privilege level 15
[Quidway-ui-console0] quit
[Quidway] aaa
[Quidway-aaa] local-user huawei password cipher huawei2012
[Quidway-aaa] local-user huawei privilege level 3
[Quidway-aaa] local-user huawei service-type terminal
After the preceding operations, you can re-log in to the device on the console user interface only
by entering the user name huawei and password huawei2012.
----End
Configuration Files
#
aaa

local-user huawei password cipher %$%$]*6iWr7EVM|uc:"B/A=FF}tk%$%$

local-user huawei service-type terminal
#
#
return
1.4.2 Example for Logging In to the Device Through Telnet

As shown in Figure 1-7, the PC and the server (Huawei device) are reachable to each other. To
implement easy remote configuration and management of the device, configure AAA
authentication for Telnet users on the server and configure a security policy that allows only the
administrator to log in to the device.
Figure 1-7 Networking diagram of logging in to the device through Telnet
10.1.1.1/32 10.137.217.177/24
Network
PC Telnet Server
1. Configure the Telnet login mode to implement remote network device maintenance.
2. Configure the administrator's user name and password and the AAA authentication mode
to ensure that only the administrator can log in to the device.
3. Configure the security policy to ensure that the administrator's PC can be used to log in to
the device.
Procedure
Step 1 Set the server listening port number and enable the server function.
[Quidway] sysname Telnet Server
[Telnet Server] telnet server enable
[Telnet Server] telnet server port 1025
Step 2 Set the VTY user interface parameters.

# Set the maximum number of VTY user interfaces.
[Telnet Server] user-interface maximum-vty 8
# Set the IP address of the device to which the user is allowed to log in.
[Telnet Server] acl 2001
[Telnet Server-acl-basic-2001] rule permit source 10.1.1.1 0

[Telnet Server-acl-basic-2001] quit

[Telnet Server] user-interface vty 0 7
[Telnet Server-ui-vty0-7] acl 2001 inbound
# Configure the terminal attributes of the VTY user interface.

[Telnet Server-ui-vty0-7] shell
[Telnet Server-ui-vty0-7] idle-timeout 20
[Telnet Server-ui-vty0-7] screen-length 30
[Telnet Server-ui-vty0-7] history-command max-size 20
# Configure the user authentication mode and user level of the VTY user interface.
[Telnet Server-ui-vty0-7] authentication-mode aaa
[Telnet Server-ui-vty0-7] user privilege level 15
[Telnet Server-ui-vty0-7] quit
Step 3 Configure the login user information.

# Configure the login authentication mode.
[Telnet Server] aaa
[Telnet Server-aaa] local-user huawei password cipher hello@123
[Telnet Server-aaa] local-user huawei service-type telnet
[Telnet Server-aaa] local-user huawei privilege level 3
[Telnet Server-aaa] quit
Step 4 Configure the client login.

Enter commands at the command line prompt to log in to the device through Telnet.
C:\Documents and Settings\Administrator> telnet 10.137.217.177 1025
Press Enter, and enter the user name and password in the login window. If the authentication
is successful, the command line prompt of the user view is displayed. The user view
configuration environment is displayed.
Username:huawei
Password:
<Telnet Server>
----End
Configuration Files
Telnet server configuration file
#
sysname Telnet Server
#
telnet server port 1025
#
acl number 2001
rule 5 permit source 10.1.1.1 0
#
aaa
local-user huawei password cipher %$%$m}Dl9RZy2Y8'|X<>l&B,fRI@%$%$
local-user huawei service-type telnet
#
acl 2001 inbound

idle-timeout 20 0
screen-length 30
#
return
1.4.3 Example for Logging In to the Device Through STelnet

As shown in Figure 1-8, users require secure remote login, but Telnet cannot provide a secure
authentication method. In this scenario, STelnet can be configured to ensure security of remote
login. PC1 and PC2 have reachable routes to the SSH server, and 10.137.217.203 is the IP address
of the management interface on the SSH server. Two login users client001 and client002 need
to be configured on the SSH server. PC1 uses the account of cliet001 to log in to the SSH server
through password authentication; PC2 uses the account of cliet002 to log in to the SSH server
through RSA authentication.
Figure 1-8 Networking diagram of logging in to the device through STelnet
10.137.217.203/16
Network Network
SSH Server PC2

PC1
1. Install the SSH server software on PC1. Install the key pair generation software, public key
conversion software, and SSH server login software on PC2.
2. Generate a local key pair on the SSH server to implement secure data exchange between
the server and client.
3. Configure different authentication modes for the SSH users client001 and client002 on the
SSH server.
4. Enable the STelnet service on the SSH server.
5. Configure the STelnet server type for the SSH users client001 and client002 on the SSH
server.
6. Log in to the SSH server as the client001 and client002 users through STelnet.
Procedure
Step 1 Generate a local key pair on the server.
[Quidway] sysname SSH Server
[SSH Server] rsa local-key-pair create
The key name will be: SSH Server_Host
The range of public key size is (512 ~ 2048).

NOTES: If the key modulus is greater than 512,

it will take a few minutes.
Input the bits in the modulus[default = 2048]:1024
Generating keys...
......................++++++++
........................................................++++++++
........+++++++++
.....+++++++++
Step 2 Create an SSH user on the server.

NOTE
There are four authentication modes for an SSH user: password, RSA, password-RSA, and all.
l If the authentication mode is password or password-RSA, configure a local user on the server with the
same user name.
l If the authentication mode is RSA, password-RSA, or all, save the RSA public key generated on the
SSH client to the server.
# Configure the VTY user interface.

[SSH Server] user-interface vty 0 4
[SSH Server-ui-vty0-4] authentication-mode aaa
[SSH Server-ui-vty0-4] protocol inbound ssh
[SSH Server-ui-vty0-4] user privilege level 5
[SSH Server-ui-vty0-4] quit
l Create an SSH user named client001.

# Create an SSH user named client001 and configure the password authentication mode for
the user.
[SSH Server] ssh user client001 authentication-type password
# Set the password of the client001 user to huawei.

[SSH Server] aaa
[SSH Server-aaa] local-user client001 password cipher huawei@123
[SSH Server-aaa] local-user client001 privilege level 3
[SSH Server-aaa] local-user client001 service-type ssh
[SSH Server-aaa] quit

# Create an SSH user named client002 and configure the RSA authentication mode for the
user.
[SSH Server] ssh user client002 authentication-type rsa
# Generate a local key pair of the client on PC2.

1. Run puttygen.exe on the client. It is used to generate the public and private key files.
Select SSH2 RSA and click Generate. By moving the cursor in the blank area, you can
find that the key is being generated.

Figure 1-9 PuTTY Key Generate page (1)
After the key is generated, click save public key to save the key in the key.pub file.

Click save private key. The PuTTYgen Warning dialog box is displayed. Click
Yes. The private key is saved in the private.ppk file.
2. Run sshkey.exe on the client. Convert the generated public key to the character string
required for the device.
Open the key.pub file.

Figure 1-12 ssh key converter page (1)
Click Convert(C). You can see the public keys before and after conversion.

Figure 1-13 ssh key converter page (2)
# Enter the RSA public key generated on PC2 to the SSH server.
[SSH Server] rsa peer-public-key rsakey001
Enter "RSA public key" view, return system view with "peer-public-key end".
[SSH Server-rsa-public-key] public-key-code begin
Enter "RSA key code" view, return last view with "public-key-code end".
[SSH Server-rsa-key-code] 30818702 818100CD 1ACDD096 5E779319 F6A88F9E E7669F0A
[SSH Server-rsa-key-code] 5F898844 09961F38 7215B1D6 98380C6E B4A52BEF B421023D
[SSH Server-rsa-key-code] 3E6F9732 69FB08B8 2713BE30 8F587C07 80B37D5C 5D3D4E61
[SSH Server-rsa-key-code] 8F30F514 AEC917F8 F6D91F90 948D89CD F5E4ED58 E24AE5E7
[SSH Server-rsa-key-code] 6CA9CB13 713680AC C24265DA 33D4E7B2 B80A4CD9 FE897BC5
[SSH Server-rsa-key-code] 457A8D31 23B82692 93F3D7CE EFE74102 0125
[SSH Server-rsa-key-code] public-key-code end
[SSH Server-rsa-public-key] peer-public-key end
# Bind the RSA public key of the STelnet client to the SSH user client002 on the SSH server.
[SSH Server] ssh user client002 assign rsa-key rsakey001
Step 3 Enable the STelnet service on the SSH server.
# Enable the STelnet service.

[SSH Server] stelnet server enable

Step 4 Configure the STelnet service type for the client001 and client002 users.
[SSH Server] ssh user client001 service-type stelnet

l Log in to the SSH server as the client001 user from PC1 using the password authentication
mode.
# Use the PuTTY software to log in to the device, enter the device IP address, and select the
SSH protocol type.
Figure 1-14 PuTTY Configuration page - password authentication mode
# Click Open. Enter the user name and password at the prompt, and press Enter. You have
logged in to the SSH server.
login as: client001
Sent username "client001"
client001@10.137.217.203's password:


<SSH Server>
l Log in to the SSH server as the client002 user from PC2 using the RSA authentication mode.
# Use the PuTTY software to log in to the device, enter the device IP address, and select the
SSH protocol type.
Figure 1-15 PuTTY Configuration page - RSA authentication mode (1)
# Choose Connection > SSH in the navigation tree. The page shown in Figure 1-16 is
displayed. Select 2 for Preferred SSH protocol version

# Choose Connection > SSH > Auth in the navigation tree. The page shown in Figure
1-17 is displayed. Select the private.ppk file corresponding to the public key configured on
the server.

# Click Open. Enter the user name at the prompt, and press Enter. You have logged in to
the SSH server.
login as: client002
Authenticating with public key "rsa-key"

<SSH Server>
----End
Configuration Files
SSH server configuration file
#
sysname SSH Server
#
rsa peer-public-key rsakey001
public-key-code begin
308186
028180

CD1ACDD0 965E7793 19F6A88F 9EE7669F 0A5F8988 4409961F 387215B1 D698380C

6EB4A52B EFB42102 3D3E6F97 3269FB08 B82713BE 308F587C 0780B37D 5C5D3D4E
618F30F5 14AEC917 F8F6D91F 90948D89 CDF5E4ED 58E24AE5 E76CA9CB 13713680
ACC24265 DA33D4E7 B2B80A4C D9FE897B C5457A8D 3123B826 9293F3D7 CEEFE741
0201
25
public-key-code end
peer-public-key end
#
aaa
local-user client001 password cipher %$%$S${AA4{(~(t-#&J%{$_Q,ulcf0!
`>I~Bk6~S&89Bb`rO.{rm%$%$
local-user client001 privilege level 3
local-user client001 service-type ssh
#
stelnet server enable
ssh user client001
ssh user client001 authentication-type password
ssh user client001 service-type stelnet
ssh user client002
ssh user client002 authentication-type rsa
ssh user client002 assign rsa-key rsakey001
#
protocol inbound ssh
#
return
1.4.4 Example for Logging In to the Device Through HTTP
As shown in Figure 1-18, the device is logged in through HTTP from a PC and the device works
as the web server to implement the graphical user management and device maintenance.
Figure 1-18 Networking diagram of logging in to the device through HTTP
192.168.0.1/24
Network
PC HTTP Server
1. Upload the web page file.

2. Load the web page file.
3. Enable the HTTPS/HTTP service and configure an HTTP user.
4. Log in to the web system.

Procedure
Step 1 Upload the web page file.
# Enable the FTP service.

[Quidway] sysname HTTP-Server
[HTTP-Server] ftp server enable
# Configure the FTP user verification information, and authentication mode and directory.
[HTTP-Server] aaa
[HTTP-Server-aaa] local-user huawei password cipher hello@123
[HTTP-Server-aaa] local-user huawei service-type ftp
[HTTP-Server-aaa] local-user huawei privilege level 15
[HTTP-Server-aaa] local-user huawei ftp-directory flash:
[HTTP-Server-aaa] quit
[HTTP-Server] quit
# Upload the web page file to the HTTP server from the user terminal. (The operation details
are not provided here.)
After the preceding operations are completed, run the dir command on the HTTP server to check
the web page file that have been uploaded.
<HTTP-Server> dir
Directory of flash:/
Idx Attr Size(Byte) Date Time(LMT) FileName

0 -rw- 524,558 Apr 14 2011 16:24:39 private-data.txt
1 -rw- 1,302 Apr 14 2011 19:22:30 back_time_a
2 -rw- 951 Apr 14 2011 19:22:35 back_time_b
3 drw- - Apr 09 2011 19:46:14 src
4 -rw- 421 Apr 09 2011 19:46:14 vrpcfg.zip
5 -rw- 1,308,478 Apr 14 2011 19:22:45 webtest.zip
6 drw- - Apr 10 2011 01:35:54 logfile
7 -rw- 4 Apr 14 2011 04:56:35 snmpnotilog.txt
8 drw- - Apr 11 2011 16:18:53 security
9 drw- - Apr 13 2011 11:37:40 lam
...
14,632 KB total (1,580 KB free)
Step 2 Load the web page file.

<HTTP-Server> system-view
[HTTP-Server] http server load webtest.zip
Step 3 Enable the HTTPS/HTTP service and configure an HTTP user.
# Enable the HTTPS and HTTP services.

[HTTP-Server] http secure-server enable
[HTTP-Server] http server enable
# Configure an HTTP user.

[HTTP-Server] aaa
[HTTP-Server-aaa] local-user admin password cipher huawei
[HTTP-Server-aaa] local-user admin privilege level 15
[HTTP-Server-aaa] local-user admin service-type http
[HTTP-Server-aaa] quit
Step 4 Log in to the web system.
Open the web browser on the PC, enter http://192.168.0.1 in the address box, and press
Enter. The Login dialog box is displayed, as shown in Figure 1-19.

Figure 1-19 Login page
Enter the correct HTTP user name, password, and verification code, and click Login or press
Enter. The home page of the web system is displayed.
# Run the display http server command on the HTTP server to check the HTTP server status.
[HTTP-Server] display http server
HTTP Server Status : enabled
HTTP Server Port : 80(80)
HTTP Timeout Interval : 20
Current Online Users : 1
Maximum Users Allowed : 5
HTTP Secure-server Status : enabled
HTTP Secure-server Port : 443(443)
HTTP SSL Policy : Default
----End
Configuration Files of the HTTP Server

#
sysname HTTP-Server
#
FTP server enable
#
http server load webtest.zip
#
aaa
local-user admin password cipher %$%$D/[nJdkW1WDY6Êk83G;-\SJ%$%$
local-user admin privilege level 15
local-user admin service-type http
local-user huawei password cipher %$%$6\ZH#;zYJ*HXE["UyioO-vmd%$%$
local-user huawei ftp-directory flash:
local-user huawei service-type ftp
#
return

1.4.5 Example for Logging In to the Device Through HTTPS
HTTP enables the device supporting the web system to function as a web server. You can log
in to this device using HTTP and manage the device on web pages. HTTP cannot authenticate
web servers or encrypt data, so it cannot protect data privacy or security. HTTPS is used on
devices to provide encrypted communication and secure identification of web servers.
As shown in Figure 1-20, an SSL policy is configured on the device that works as an HTTP
server. After the digital certificate is loaded and the HTTPS service is enabled on the device,
you can log in to the device through HTTPS and manage the device on web pages.(Use the
certificate form the CA and manually configure an SSL policy.)
Figure 1-20 Networking diagram of logging in to the device through HTTPS
192.168.0.1/24
Network
PC HTTPS Server
1. Upload the digital certificate and web page file saved in the PC to the device that works as
the HTTPS server.
2. Copy the digital certificate from the root directory on the HTTPS server to the security
subdirectory, configure the SSL policy, and load the digital certificate.
3. Load the web page file.
4. Enable the HTTPS service and configure an HTTP user.
5. Log in to the web system.
Procedure
Step 1 Upload the digital certificate and web page file.
# Enable the FTP service.

[Quidway] sysname HTTPS-Server
[HTTPS-Server] ftp server enable
# Configure the FTP user verification information, and authentication mode and directory.
[HTTPS-Server] aaa
[HTTPS-Server-aaa] local-user huawei password cipher hello@123
[HTTPS-Server-aaa] local-user huawei service-type ftp
[HTTPS-Server-aaa] local-user huawei privilege level 15
[HTTPS-Server-aaa] local-user huawei ftp-directory flash:
[HTTPS-Server-aaa] quit
[HTTPS-Server] quit

# Open the command line window on the PC, run the ftp 192.168.0.1 command to set up an FTP
connection with the device, and then run the put command to upload the digital certificate and
web page file to the device.
You can run the dir command on the HTTP server to check the digital certificate and web page
file that have been uploaded.
<HTTPS-Server> dir

0 -rw- 524,558 Apr 14 2011 16:24:39 private-data.txt
1 -rw- 1,302 Apr 14 2011 19:22:30 1_servercert_pem_rsa.pem
2 -rw- 951 Apr 14 2011 19:22:35 1_serverkey_pem_rsa.pem
3 drw- - Apr 09 2011 19:46:14 src
4 -rw- 421 Apr 09 2011 19:46:14 vrpcfg.zip
5 -rw- 1,308,478 Apr 14 2011 19:22:45 web001.zip
6 drw- - Apr 10 2011 01:35:54 logfile
7 -rw- 4 Apr 14 2011 04:56:35 snmpnotilog.txt
8 drw- - Apr 11 2011 16:18:53 security
9 drw- - Apr 13 2011 11:37:40 lam
...
Step 2 Configure the SSL policy and load the digital certificate.
# Create the security subdirectory and copy the certificates from the CA to the subdirectory.
<HTTPS-Server> mkdir security/
<HTTPS-Server> copy 1_servercert_pem_rsa.pem security/
<HTTPS-Server> copy 1_serverkey_pem_rsa.pem security/
You can run the dir command in the security subdirectory to check the digital certificate.
<HTTPS-Server> cd security/
<HTTPS-Server> dir
Directory of flash:/security/
Idx Attr Size(Byte) Date Time FileName

1 -rw- 1,302 Apr 13 2011 14:29:31 1_servercert_pem_rsa.pem
2 -rw- 951 Apr 13 2011 14:29:49 1_serverkey_pem_rsa.pem
# Create the SSL policy and load the digital certificate in the PEM format.
<HTTPS-Server> system-view
[HTTPS-Server] ssl policy http_server
[HTTPS-Server-ssl-policy-http_server] certificate load pem-cert
1_servercert_pem_rsa.pem key-pair rsa key-file 1_serverkey_pem_rsa.pem auth-code
cipher 123456
[HTTPS-Server-ssl-policy-http_server] quit
You can run the display ssl policy command on the HTTPS server to check the details about
the digital certificate that has been loaded.
[HTTPS-Server] display ssl policy
SSL Policy Name: http_server
Policy Applicants:
Key-pair Type: RSA
Certificate File Type: PEM
Certificate Type: certificate
Certificate Filename: 1_servercert_pem_rsa.pem
Key-file Filename: 1_serverkey_pem_rsa.pem
Auth-code: 123456
MAC:

CRL File:
Trusted-CA File:
Step 3 Load the web page file.

[HTTPS-Server] http server load web001.zip
Step 4 Enable the HTTPS service and configure an HTTP user.

# Enable the HTTPS service.
[HTTPS-Server] http secure-server ssl-policy http_server
[HTTPS-Server] http secure-server enable
# Configure an HTTP user.

[HTTPS-Server] aaa
[HTTPS-Server-aaa] local-user admin password cipher huawei
[HTTPS-Server-aaa] local-user admin privilege level 15
[HTTPS-Server-aaa] local-user admin service-type http
[HTTPS-Server-aaa] quit
Step 5 Log in to the web system.

Open the web browser on the PC, enter https://192.168.0.1 in the address box, and press
Enter. The Login dialog box is displayed, as shown in Figure 1-21.
Figure 1-21 Login page
Enter the correct HTTP user name, password, and verification code, and click Login or press
Enter. The home page of the web system is displayed.
# Run the display http server command on the HTTPS server to check the SSL policy name
and HTTPS server status.
[HTTPS-Server] display http server
HTTP Server Status : disabled
HTTP Server Port : 80(80)
HTTP Timeout Interval : 20
Current Online Users : 1

Maximum Users Allowed : 5

HTTP Secure-server Status : enabled
HTTP Secure-server Port : 443(443)
HTTP SSL Policy : http_server
----End
Configuration Files of the HTTPS Server

#
sysname HTTPS-Server
#
FTP server enable
#
http server load web001.zip
http secure-server ssl-policy http_server
#
ssl policy http_server
certificate load pem-cert 1_servercert_pem_rsa.pem key-pair rsa key-file
1_serverkey_pem_rsa.pem auth-code cipher %$%$"DlqKik*GE*~ù4H+LFJ(K-=%$%$
#
aaa
local-user admin password cipher %$%$D/[nJdkW1WDY6Êk83G;-\SJ%$%$
local-user admin privilege level 15
local-user admin service-type http
local-user huawei password cipher %$%$6\ZH#;zYJ*HXE["UyioO-vmd%$%$
#
return
1.4.6 Example for Configuring the Device as the Telnet Client to Log
In to Another Device
As shown in Figure 1-22, the PC and Switch1 have reachable routes to each other; Switch1 and
Switch2 have reachable routes to each other. The user needs to manage and maintain Switch2
remotely. However, the PC cannot directly log in to Switch2 through Telnet because it has not
reachable route to Switch2. The user can log in Switch1 through Telnet, and then log in to
Switch2 from Switch1. To prevent unauthorized devices from logging in to Switch2 through
Telnet, an ACL needs to be configured to allow only the Telnet connection from Switch1 to
Switch2.
Figure 1-22 Networking diagram of configuring the device as the Telnet client to log in to
another device
Session Session
1.1.1.1/24 2.1.1.1/24
Network Network
PC Switch1 Switch2

1. Configure the Telnet authentication mode and password on Switch2.
2. Configure the Switch2 to allow Switch1 access with ACL.
3. Log in to Switch2 from Switch1 through Telnet.
Procedure
Step 1 Configure the Telnet authentication mode and password on Switch2.
[Quidway] sysname Switch2
[Switch2] user-interface vty 0 4
[Switch2-ui-vty0-4] user privilege level 15
[Switch2-ui-vty0-4] authentication-mode password
[Switch2-ui-vty0-4] quit
Step 2 Configure the Switch2 to allow Switch1 access with ACL.

[Switch2] acl 2000
[Switch2-acl-basic-2000] rule permit source 1.1.1.1 0
[Switch2-acl-basic-2000] quit
[Switch2] user-interface vty 0 4
[Switch2-ui-vty0-4] acl 2000 inbound
[Switch2-ui-vty0-4] quit
NOTE
It is optional to configure an ACL for Telnet services.

# After the preceding configuration, you can log in to Switch2 from Switch1 through Telnet.
You cannot log in to Switch2 from other devices.
[Quidway] sysname Switch1
[Switch1] quit
<Switch1> telnet 2.1.1.1
Trying 2.1.1.1 ...
Press CTRL+K to abort
Connected to 2.1.1.1 ...
Password:
<Switch2>
----End
Configuration Files
Switch2 configuration file
#
sysname Switch2
#
acl number 2000
#

acl 2000 inbound
set authentication password cipher %$%$]*6iWr7EVM|uc:"B/A=FF}tk%$%$
#
return
1.4.7 Example for Configuring the Device as the STelnet Client to

Log In to Another Device
The enterprise requires that secure data exchange shoule be performed between the server and
client. As shown in Figure 1-23, two login users client001 and client002 are configured and
they use the password and RSA authentication modes respectively to log in to the SSH server.
A new port number is configured and the default port number is not used.
Figure 1-23 Networking diagram of logging in to another device through STelnet

SSH Server
10.1.1.1/16
10.1.2.2/16 10.1.3.3/16
Client001 Client002
1. Generate a local key pair on the SSH server to implement secure data exchange between
the server and client.
2. Configure different authentication modes for the SSH users client001 and client002 on the
SSH server.
3. Enable the STelnet service on the SSH server.
4. Configure the STelnet server type for the SSH users client001 and client002 on the SSH
server.
5. Set the SSH server listening port number on the SSH server to prevent attackers from
accessing the SSH service standard port and ensure security.
6. Log in to the SSH server as the client001 and client002 users through STelnet.
Procedure
Step 1 Generate a local key pair on the server.


Generating keys...
......................++++++++
........................................................++++++++
........+++++++++
.....+++++++++
Step 2 Create an SSH user on the server.

NOTE
There are four authentication modes for an SSH user: password, RSA, password-RSA, and all.
l If the authentication mode is password or password-RSA, configure a local user on the server with the
same user name.
l If the authentication mode is RSA, password-RSA, or all, save the RSA public key generated on the
SSH client to the server.


# Create an SSH user named client001 and configure the password authentication mode for
the user.
[SSH Server] ssh user client001
# Set the password of the client001 user to huawei@123.

[SSH Server] aaa

# Create an SSH user named client002 and configure the RSA authentication mode for the
user.
# Generate a local key pair for Client002.

[Quidway] sysname client002
[client002] rsa local-key-pair create
The key name will be: client002_Host
Generating keys...
......................++++++++
........................................................++++++++
........+++++++++
.....+++++++++
# Check the public key in the RSA key pair generated on the STelnet client.
[client002] display rsa local-key-pair public

=====================================================
Time of Key pair created: 2012-05-03 17:07:29+00:00
Key name: client002_Host
Key type: RSA encryption Key
=====================================================
Key code:
308188
028180
B21315DD 859AD7E4 A6D0D9B8 121F23F0 006BB1BB
A443130F 7CDB95D8 4A4AE2F3 D94A73D7 36FDFD5F
411B8B73 3CDD494A 236F35AB 9BBFE19A 7336150B
40A35DE6 2C6A82D7 5C5F2C36 67FBC275 2DF7E4C5
1987178B 8C364D57 DD0AA24A A0C2F87F 474C7931
A9F7E8FE E0D5A1B5 092F7112 660BD153 7FB7D5B2
171896FB 1FFC38CD
0203
010001
Host public key for PEM format code:

---- BEGIN SSH2 PUBLIC KEY ----
AAAAB3NzaC1yc2EAAAADAQABAAAAQQDOA7vPdHr+mR9lCZXI8loF3ws7eewGCPcB
r2tt9HlGdXKY5waGdDwgJMtvI+5B7/9bZb+tADLHiubqAVLwDpf5
---- END SSH2 PUBLIC KEY ----
Public key code for pasting into OpenSSH authorized_keys file :

ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAQQDOA7vPdHr
+mR9lCZXI8loF3ws7eewGCPcBr2tt9HlG
dXKY5waGdDwgJMtvI+5B7/9bZb+tADLHiubqAVLwDpf5 rsa-key
=====================================================
Time of Key pair created: 2012-05-03 17:07:45+00:00
Key name: client002_Server
=====================================================
Key code:
3067
0260
D1792921 5DFF9F87 EB606267 227BD303 379EF5F9
E987B7BC A408A692 14E71149 FC32F8FB A790684E
0441DFB0 1C3125D8 4E097F47 76E57B18 65CF46FC
914DBF53 43F5AAA3 BAB1A6D9 5C0EBA4F 16DC4A36
D54EE51E C91E08E4 93127550 874EA1BB
0203
010001
# Configure the RSA public key generated on the STelnet client to the SSH server.
(Information in bold in the display command output is the RSA public key of client002.
Copy the information to the server.)
[SSH Server-rsa-key-code] 308188
[SSH Server-rsa-key-code] B21315DD 859AD7E4 A6D0D9B8 121F23F0 006BB1BB
[SSH Server-rsa-key-code] A443130F 7CDB95D8 4A4AE2F3 D94A73D7 36FDFD5F
[SSH Server-rsa-key-code] 411B8B73 3CDD494A 236F35AB 9BBFE19A 7336150B
[SSH Server-rsa-key-code] 40A35DE6 2C6A82D7 5C5F2C36 67FBC275 2DF7E4C5
[SSH Server-rsa-key-code] 1987178B 8C364D57 DD0AA24A A0C2F87F 474C7931
[SSH Server-rsa-key-code] A9F7E8FE E0D5A1B5 092F7112 660BD153 7FB7D5B2
[SSH Server-rsa-key-code] 171896FB 1FFC38CD
# Bind the RSA public key of the STelnet client to the SSH user client002 on the SSH server.
[SSH Server] ssh user client002 assign rsa-key rsakey001

Step 3 Enable the STelnet service on the SSH server.

# Enable the STelnet service.
[SSH Server] stelnet server enable
Step 4 Configure the STelnet service type for the client001 and client002 users.
Step 5 Configure a new listening port number on the SSH server.

[SSH Server] ssh server port 1025
Step 6 Connect the STelnet client to the SSH server.

# Enable the first authentication function on the SSH client upon the first login.
Enable the first authentication function for Client001.
[client001] ssh client first-time enable
Enable the first authentication function for Client002.

# Log in to the SSH server from Client001 in password authentication mode by entering the user
name and password.
[client001] stelnet 10.1.1.1 1025
Please input the username:client001
Trying 10.1.1.1 ...
The server is not authenticated. Continue to access it?[Y/N]:y
Save the server's public key?[Y/N]:y
The server's public key will be saved with the name 10.1.1.1. Please wait...
Enter password:
Enter the password. The following information indicates that you have logged in successfully:
<SSH Server>
# Log in to the SSH server from Client002 in RSA authentication mode.

[client002] stelnet 10.1.1.1 1025
Please input the username: client002
Trying 10.1.1.1 ...
The server's public key will be saved with the name 10.1.1.1. Please wait...

<SSH Server>
If the user view is displayed, you have logged in successfully. If the message "Session is
disconnected" is displayed, the login fails.
Attackers fail to log in to the SSH server using the default listening port number 22.

[client002] stelnet 10.1.1.1

Please input the username:client002
Trying 10.1.1.1 ...
Error: Failed to connect to the remote host.
Run the display ssh server status and display ssh server session commands. You can see that
the STelnet service has been enabled and the STelnet clients have logged in to the server
successfully.
# Check the status of the SSH server.
[SSH Server] display ssh server status
SSH version :1.99
SSH connection timeout :60 seconds
SSH server key generating interval :0 hours
SSH authentication retries :3 times
SFTP server :Disable
Stelnet server :Enable
Scp server :Disable
SSH server port :1025
# Check the SSH server connections.

[SSH Server] display ssh server session
Session 1:
Conn : VTY 3
Version : 2.0
State : started
Username : client001
Retry : 1
CTOS Cipher : aes128-cbc
STOC Cipher : aes128-cbc
CTOS Hmac : hmac-sha1-96
STOC Hmac : hmac-sha1-96
CTOS Compress : none
STOC Compress : none
Kex : diffie-hellman-group1-sha1
Service Type : stelnet
Authentication Type : password
Session 2:
Conn : VTY 4
Version : 2.0
State : started
Retry : 1
Service Type : stelnet
Authentication Type : rsa
# Check information about SSH users.

[SSH Server] display ssh user-information
User 1:
User Name : client001
Authentication-type : password
User-public-key-name : -
Sftp-directory : -
Service-type : stelnet
Authorization-cmd : No
User 2:
Authentication-type : rsa

User-public-key-name : rsakey001
Sftp-directory : -
Service-type : stelnet
----End
Configuration Files
l SSH server configuration file
#
sysname SSH Server
#
308188
028180
B21315DD 859AD7E4 A6D0D9B8 121F23F0 006BB1BB A443130F 7CDB95D8 4A4AE2F3
D94A73D7 36FDFD5F 411B8B73 3CDD494A 236F35AB 9BBFE19A 7336150B 40A35DE6
2C6A82D7 5C5F2C36 67FBC275 2DF7E4C5 1987178B 8C364D57 DD0AA24A A0C2F87F
474C7931 A9F7E8FE E0D5A1B5 092F7112 660BD153 7FB7D5B2 171896FB 1FFC38CD
0203
010001
public-key-code end
peer-public-key end
#
aaa
local-user client001 password cipher %$%$S${AA4{(~(t-#&J%{$_Q,ulcf0!
`>I~Bk6~S&89Bb`rO.{rm%$%$
#
stelnet server enable
ssh server port 1025
ssh user client001
ssh user client002
#
#
return
l Client001 configuration file

#
sysname client001
#
ssh client first-time enable
#
return
l Client002 configuration file

#
sysname client002
#
#
return

1.5 File Management

All files on the device are stored in storage devices and can be managed in multiple modes. The
current device can function as a client to access files on other devices.
1.5.1 Example of Logging In to the Device to Manage Files
Configuration Requirements
After logging in to the device through the console interface, Telnet, or STelnet, perform the
following operations:
l View files and subdirectories in the current directory.
l Create the test directory, copy the vrpcfg.zip file to test, and rename vrpcfg.zip as
backup.zip.
l View files in the test directory.
Procedure
Step 1 View files and subdirectories in the current directory.
<Quidway> dir

0 -rw- 889 Mar 01 2012 14:41:56 private-data.txt
1 -rw- 6,311 Feb 17 2012 14:05:04 backup.cfg
2 -rw- 2,393 Mar 06 2012 17:20:10 vrpcfg.zip
3 -rw- 812 Dec 12 2011 15:43:10 hostkey
4 drw- - Mar 01 2012 14:41:46 compatible
5 -rw- 540 Dec 12 2011 15:43:12 serverkey
...
Step 2 Create the test directory, copy the vrpcfg.zip file to test, and rename vrpcfg.zip as
backup.zip.
# Create the test directory.
<Quidway> mkdir test
Info: Create directory flash:/test......Done.
# Copy the vrpcfg.zip file to test and rename vrpcfg.zip as backup.zip.

<Quidway> copy vrpcfg.zip flash:/test/backup.zip
Copy flash:/vrpcfg.zip to flash:/test/backup.zip?[Y/N]:y
100% complete
Info: Copied file flash:/vrpcfg.zip to flash:/test/backup.zip...Done.
NOTE
If no destination file name is specified, the destination file is set to the source file name by default.
Step 3 View files in the test directory.

# Access the test directory.
<Quidway> cd test
# View the current working directory.

<Quidway> pwd
flash:/test
# View files in the test directory.

<Quidway> dir
Directory of flash:/test/

0 -rw- 2,399 Mar 12 2012 11:16:44 backup.zip
----End
Configuration File
None
1.5.2 Example for Managing Files When the Device Functions as an

FTP Server
As shown in Figure 1-24, routes between the PC and the device functioning as an FTP server
are reachable. 10.136.23.5 is the management IP address on the FTP server. To upgrade the
device, you must upload the system software devicesoft.cc to and download the configuration
file vrpcfg.zip from the FTP server.
Figure 1-24 Network for managing files when the device functions as an FTP server
10.136.23.5/24
Network
PC FTP Server
1. Configure the FTP function and FTP user information including user name, password, user
level, service type, and authorized directory on the FTP server.
2. Save the vrpcfg.zip file on the FTP server.
3. Connect to the FTP server on the PC.
4. Upload devicesoft.cc to and download vrpcfg.zip from the FTP server.
Procedure
Step 1 Configure the FTP function and FTP user information on the FTP server.
[Quidway] ftp server enable

[Quidway] aaa
[Quidway-aaa] local-user huawei password cipher huawei@123
[Quidway-aaa] local-user huawei service-type ftp
[Quidway-aaa] local-user huawei ftp-directory flash:/
[Quidway-aaa] quit
[Quidway] quit
Step 2 Save the vrpcfg.zip file on the FTP server.

<Quidway> save
Step 3 Connect to the FTP server on the PC as the huawei user whose password is huawei@123.
Assume that the PC runs the Window XP operating system.
C:\Documents and Settings\Administrator> ftp 10.136.23.5
Connected to 10.136.23.5.
220 FTP service ready.
User (10.136.23.5:(none)): huawei
331 Password required for huawei.
Password:
230 User logged in.
ftp>
Step 4 Upload devicesoft.cc to and download vrpcfg.zip from the FTP server.
# Upload the devicesoft.cc file to the FTP server.
ftp> put devicesoft.cc
200 Port command okay.
150 Opening ASCII mode data connection for devicesoft.cc.
226 Transfer complete.
ftp: 6721804 bytes sent in 98.05Seconds 560.79Kbytes/sec.
# Download the vrpcfg.zip file.

ftp> get vrpcfg.zip
200 Port command okay.
150 Opening ASCII mode data connection for vrpcfg.zip.
226 Transfer complete.
ftp: 1257 bytes received in 0.03Seconds 40.55Kbytes/sec.
NOTE
The devicesoft.cc file to upload and the vrpcfg.zip file to download are stored in the local directory on the
FTP client. Before uploading and downloading files, obtain the local directory on the client. The default
FTP user's local directory on the Windows XP operating system is C:\Documents and Settings
\Administrator.
Step 5 Verify the configurations.

# Run the dir command on the FTP server to check the devicesoft.cc file.
<Quidway> dir

0 -rw- 14 Mar 13 2012 14:13:38 back_time_a
1 drw- - Mar 11 2012 00:58:54 logfile
2 -rw- 4 Nov 17 2011 09:33:58 snmpnotilog.txt
3 -rw- 11,238 Mar 12 2012 21:15:56 private-data.txt
4 -rw- 1,257 Mar 12 2012 21:15:54 vrpcfg.zip
5 -rw- 14 Mar 13 2012 14:13:38 back_time_b
6 -rw- 6,721,804 Mar 13 2012 14:24:24 devicesoft.cc
7 drw- - Oct 31 2011 10:20:28 sysdrv
8 drw- - Feb 21 2012 17:16:36 compatible
9 drw- - Feb 09 2012 14:20:10 selftest
10 -rw- 19,174 Feb 20 2012 18:55:32 backup.cfg
11 -rw- 23,496 Dec 15 2011 20:59:36 20111215.zip
12 -rw- 588 Nov 04 2011 13:54:04 servercert.der
13 -rw- 320 Nov 04 2011 13:54:26 serverkey.der

14 drw- - Nov 04 2011 13:58:36 security

...
# Access the FTP user's local directory on the PC and check the vrpcfg.zip file.
----End
Configuration File
#
sysname Quidway
#
FTP server enable
#
aaa
local-user huawei password cipher %$%$k$Xg7H;w4HZP5nE4-E4(FcZQ%$%$
local-user huawei ftp-directory flash:/
#
return
1.5.3 Example for Managing Files Using SFTP When the Device
Functions as an SSH Server
As shown in Figure 1-25, routes between the PC and the device functioning as an SSH server
are reachable. 10.136.23.4 is the management IP address on the SSH server.
Configure the device as an SSH server so that the server can authenticate the client and encrypts
data in bidirectional mode, preventing man-in-middle attacks and MAC/IP address spoofing to
ensure secure file transfer.
Figure 1-25 Network for managing files using SFTP when the device functions as an SSH server
10.136.23.4/24
Network
PC SSH Server
1. Generate a local key pair and enable the SFTP server function on the SSH server so that
the server and client can securely exchange data.
2. Configure the VTY user interface on the SSH server.
3. Configure SSH user information including the authentication mode, service type,
authorized directory, user name, and password.

4. Connect to the SSH server using the third-party software OpenSSH on the PC.
Procedure
Step 1 Generate a local key pair on the SSH server.
Generating keys...
...........++++++++++++
..................++++++++++++
...++++++++
...........++++++++
[SSH Server] sftp server enable
Step 2 Configure the VTY user interface on the SSH server.

Step 3 Configure SSH user information including the authentication mode, service type, authorized
directory, user name, and password.
[SSH Server] ssh user client001 service-type sftp
[SSH Server] ssh user client001 sftp-directory flash:
[SSH Server] aaa
Step 4 Connect to the SSH server using the third-party software OpenSSH on the PC.
The Windows CLI can identify OpenSSH commands only when the OpenSSH is installed on
the PC.
Figure 1-26 Connecting to the SSH server

After connecting to the SSH server, the SFTP view is displayed. Users can run SFTP commands
to perform file-related operations in the SFTP view.
----End
Configuration File
#
sysname SSH Server
#
aaa
local-user client001 password cipher %$%$c|-D8KO4/,B[(FR.r!LHg]TK%$%$
#
sftp server enable
ssh user client001
ssh user client001 service-type sftp
ssh user client001 sftp-directory flash:
#
#
return
1.5.4 Example for Managing Files When the Device Functions as a

TFTP Client
As shown in Figure 1-27, the remote device at 10.1.1.1/24 functions as the TFTP server. The
device at 10.2.1.1/24 functions as the TFTP client. Routes between the device and the server are
reachable.
The device needs to be upgraded. To upgrade the device, you must download system software
devicesoft.cc from and upload the configuration file vrpcfg.zip to the TFTP server.
Figure 1-27 Network for managing files when the device functions as a TFTP client
10.2.1.1/24 10.1.1.1/24
Network
TFTP Client TFTP Server
1. Run the TFTP software on the TFTP server and configure the working directory.
2. Run TFTP commands to download devicesoft.cc from and upload vrpcfg.zip to the TFTP
server.

Procedure
Step 1 Run the TFTP software on the TFTP server and configure the working directory. (For details,
see the appropriate third-party documentation.)
Step 2 Run TFTP commands to download devicesoft.cc from and upload vrpcfg.zip to the TFTP
server.
<Quidway> tftp 10.1.1.1 get devicesoft.cc
Info: Transfer file in binary mode.
Downloading the file from the remote TFTP server. Please wait...\
TFTP: Downloading the file successfully.
6721804 bytes received in 199 seconds.
<Quidway> tftp 10.1.1.1 put vrpcfg.zip
Info: Transfer file in binary mode.
Uploading the file to the remote TFTP server. Please wait...|
TFTP: Uploading the file successfully.
7717 bytes send in 1 second.

# Run the dir command on the TFTP client to check the devicesoft.cc file.
<Quidway> dir

0 -rw- 14 Mar 13 2012 14:13:38 back_time_a
1 drw- - Mar 11 2012 00:58:54 logfile
4 -rw- 7,717 Mar 12 2012 21:15:54 vrpcfg.zip
5 -rw- 14 Mar 13 2012 14:13:38 back_time_b
7 drw- - Oct 31 2011 10:20:28 sysdrv
9 drw- - Feb 09 2012 14:20:10 selftest
10 -rw- 19,174 Feb 20 2012 18:55:32 backup.cfg
11 -rw- 43,496 Dec 15 2011 20:59:36 20111215.zip
14 drw- - Nov 04 2011 13:58:36 security
...
# Access the working directory on the TFTP server and check the vrpcfg.zip file.
----End
Configuration File
None

FTP Client
As shown in Figure 1-28, the remote device at 10.1.1.1/24 functions as the FTP server. The
device at 10.2.1.1/24 functions as the FTP client. Routes between the device and the server are
reachable.
The device needs to be upgraded. To upgrade the device, you must download system software
devicesoft.cc from and upload the configuration file vrpcfg.zip to the FTP server.

Figure 1-28 Network for managing files when the device functions as an FTP client
10.2.1.1/24 10.1.1.1/24
Network
FTP Client FTP Server
1. Run the FTP software on the FTP server and configure FTP user information.
2. Connect to the FTP server.
3. Run FTP commands to download devicesoft.cc from and upload vrpcfg.zip to the FTP
server.
Procedure
Step 1 Run the FTP software on the FTP server and configure FTP user information. (For details, see
the appropriate third-party documentation.)
Step 2 Connect to the FTP server.
<Quidway> ftp 10.1.1.1
Trying 10.1.1.1 ...
Connected to 10.1.1.1.
220 FTP service ready.
User(10.1.1.1:(none)):admin
331 Password required for admin.
Enter password:
230 User logged in.
[ftp]
Step 3 Run FTP commands to download devicesoft.cc from and upload vrpcfg.zip to the FTP server.
[ftp] get devicesoft.cc
[ftp] put vrpcfg.zip
[ftp] quit

# Run the dir command on the FTP client to check the devicesoft.cc file.
<Quidway> dir

0 -rw- 14 Mar 13 2012 14:13:38 back_time_a
1 drw- - Mar 11 2012 00:58:54 logfile
4 -rw- 7,717 Mar 12 2012 21:15:54 vrpcfg.zip
5 -rw- 14 Mar 13 2012 14:13:38 back_time_b
7 drw- - Oct 31 2011 10:20:28 sysdrv
9 drw- - Feb 09 2012 14:20:10 selftest
10 -rw- 19,174 Feb 20 2012 18:55:32 backup.cfg
11 -rw- 43,496 Dec 15 2011 20:59:36 20111215.zip


14 drw- - Nov 04 2011 13:58:36 security
...
# Access the working directory on the FTP server and check the vrpcfg.zip file.
----End
Configuration File
None

SFTP Client
SSH secures file transfer on a traditional insecure network by authenticating the client and
encrypting data in bidirectional mode. The client uses SFTP to securely connect to the SSH
server and transfer files.
As shown in Figure 1-29, routes between the SSH server and clients client001 and client002
are reachable. In this example, Huawei device functions as an SSH server.
Client001 connects to the SSH server using the password authentication mode, and client002
using the RSA authentication mode.
Figure 1-29 Example for managing files when the device functions as an SFTP client
10.2.1.1/24
client001 10.1.1.1/24
Network
SSH Server
10.3.1.1/24
client002
1. Generate a local key pair and enable the SFTP server function on the SSH server so that
the server and client can securely exchange data.
2. Create users client001 and client002 and set their authentication modes on the SSH server.
3. Generate a local key pair on client002 and configure the RSA public key of client002 on
the SSH server so that the server can authenticate the client when the client connects to the
server.

4. Log in to the SSH server as users client001 and client002 using SFTP and manage files.
Procedure
Step 1 Generate a local key pair and enable the SFTP server function on the SSH server.
Generating keys...
...........++++++++++++
..................++++++++++++
...++++++++
...........++++++++
[SSH Server] sftp server enable
Step 2 Create SSH users on the SSH server.

NOTE
The system supports the following authentication modes: password, RSA, password-rsa, and all.
l If the authentication mode is password, or password-rsa, a local user named local-user must be
configured.
l If the authentication mode is RSA, password-rsa, or all, save the RSA public key generated on the SSH
client to the server.

# Create the client001 user and set the authentication mode to password for the user.
[SSH Server] aaa
# Create an SSH user named client002 and set the authentication mode to rsa for the user.
Step 3 Generate a local key pair on client002 and configure the RSA public key of client002 on the
SSH server.
# Generate a local key pair on client002.
[client002] rsa local-key-pair create
The key name will be: client002_Host


Generating keys...
...........++++++++++++
..................++++++++++++
...++++++++
...........++++++++
# Check the RSA public key of the client.

[client002] display rsa local-key-pair public
=====================================================
Time of Key pair created: 2012-05-03 17:07:45
Key name: client002_Host
=====================================================
Key code:
3048
0241
DD9A793D 4B231FDB 7BEF8545 0B466FB5 1A1EA9CE
F345E468 56948790 18244678 D2264734 AA8135BE
7F8FA0BC 2A4F600E C8622818 A994698F 0F45E870
8EC551DA 4B
0203
010001
Host public key for PEM format code:
---- BEGIN SSH2 PUBLIC KEY ----
AAAAB3NzaC1yc2EAAAADAQABAAAAQQC/815LxhvXhvkHtd59Z3DD5f0XqyA8j8u7
yP3y98tnTlGehBkPa5eo6pH8S7nhiDZedL/VTGh3Z6ica0Mdfj4b
---- END SSH2 PUBLIC KEY ----
Public key code for pasting into OpenSSH authorized_keys file :
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAQQC/815LxhvXhvkHtd59Z3DD5f0XqyA8j8u7yP3y98tn
TlGehBkPa5eo6pH8S7nhiDZedL/VTGh3Z6ica0Mdfj4b rsa-key
=====================================================
Time of Key pair created: 2012-05-03 17:07:45
Key name: client002_Server
=====================================================
Key code:
3067
0260
BCFAC085 49A2E70E 1284F901 937D7B63 D7A077AB
D2797280 4BCA86C0 4CD18B70 5DFAC9D3 9A3F3E74
9B2AF4CB 69FA6483 E87DA590 7B47721A 16391E27
1C76ABAB 743C568B 1B35EC7A 8572A096 BCA9DF0E
BC89D3DB 5A83698C 9063DB39 A279DD89
0203
010001
# Configure the RSA public key of client002 on the SSH server. (Information in bold in the
display command output is the RSA public key of client002. Copy the information to the server.)
[SSH Server-rsa-key-code] DD9A793D 4B231FDB 7BEF8545 0B466FB5 1A1EA9CE
[SSH Server-rsa-key-code] F345E468 56948790 18244678 D2264734 AA8135BE
[SSH Server-rsa-key-code] 7F8FA0BC 2A4F600E C8622818 A994698F 0F45E870
[SSH Server-rsa-key-code] 8EC551DA 4B
# Bind the client002 user to the RSA public key of client002.

[SSH Server] ssh user client002 assign rsa-key rsaKey001
Step 4 Connect SFTP clients to the SSH server.

# If the clients connect to the SSH server for the first time, enable the initial authentication
function on the clients.
Enable the initial authentication function on client001.
Enable the initial authentication function on client002.

# Log in to the SSH server from client001 in password authentication mode.

<client001> system-view
[client001] sftp 10.1.1.1
Trying 10.1.1.1 ...
The server's public key will be saved with the name 10.1.1.1. Please wait.
..
Enter password:
sftp-client>
# Log in to the SSH server from client002 in RSA authentication mode.

<client002> system-view
[client002] sftp 10.1.1.1
Trying 10.1.1.1 ...
The server is not authenticated. Continue to access it? [Y/N] :y
Save the server's public key? [Y/N] :y
..
sftp-client>

Run the display ssh server status and display ssh server session commands. You can see that
the SFTP service has been enabled, and the SFTP clients have connected to the server
successfully. Run the display ssh user-information command. Information about the
configured SSH users is displayed.
# Check the SSH server status.
[SSH Server] display ssh server status
SSH version :1.99
SSH connection timeout :60 seconds
SSH server key generating interval :0 hours
SSH authentication retries :3 times
SFTP server :Enable
Stelnet server :Disable
Scp server :Disable
# Check the SSH session status.

[SSH Server] display ssh server session

Session 1:
Conn : VTY 1
Version : 2.0
State : started
Retry : 1
Service Type : sftp
Authentication Type : password
Session 2:
Conn : VTY 2
Version : 2.0
State : started
Retry : 1
Service Type : sftp
Authentication Type : rsa
# Check information about SSH users.

[SSH Server] display ssh user-information
User 1:
Authentication-type : password
User-public-key-name : -
Sftp-directory : flash:
Service-type : sftp
User 2:
Authentication-type : rsa
User-public-key-name : rsakey001
Sftp-directory : flash:
Service-type : sftp
----End
Configuration Files
l Configure file on the SSH server
#
sysname SSH Server
#
3048
0241
DD9A793D 4B231FDB 7BEF8545 0B466FB5 1A1EA9CE F345E468 56948790 18244678
D2264734 AA8135BE 7F8FA0BC 2A4F600E C8622818 A994698F 0F45E870 8EC551DA
4B
0203
010001
public-key-code end

peer-public-key end
#
aaa
local-user client001 password cipher %$%$c|-D8KO4/,B[(FR.r!LHg]TK%$%$
#
sftp server enable
ssh user client001
ssh user client002
#
#
return
l Configuration file on client001

#
sysname client001
#
#
return
l Configuration file on client002

#
sysname client002
#
#
return

SCP Client
Compared to the SFTP protocol, the SCP protocol combines the process of authenticating user
identity and transferring files, improving configuration efficiency.
As shown in Figure 1-30, routes between the device functioning as the SCP client and the SSH
server are reachable. The SCP client can download files from the SSH server.
Figure 1-30 Network for managing files when the device functions as an SCP client
10.2.1.1/24 10.1.1.1/24
Network
PC SCP Client SSH Server

1. Generate a local key pair on the SSH server.
2. Create an SSH user on the SSH server.
3. Enable the SCP function on the SSH server.
4. Download the backup.cfg file from the SSH server.
Procedure
Step 1 Generate a local key pair on the SSH server.
Input the bits in the modulus[default = 2048]: 1024
Generating keys...
.....++++++++++++
....++++++++++++
......++++++++
................................++++++++
Step 2 Create an SSH user on the SSH server.

# Create an SSH user named client001 and set the authentication mode to password and service
type to all.
[SSH Server] ssh user client001 service-type all
# Set the password of the client001 user to huawei@123.

[SSH Server] aaa
Step 3 Enable the SCP function on the SSH server.

[SSH Server] scp server enable
Step 4 Download the backup.cfg file from the SSH server.

# If the client connects to the SSH server for the first time, enable the initial authentication
function on the client.
[Quidway] sysname SCP Client
[SCP Client] ssh client first-time enable
# Use the 3des encryption algorithm to download the backup.cfg file from the SSH server to
the local user's directory.

[SCP Client] scp -cipher 3des client001@10.1.1.1:backup.cfg backup.cfg

Trying 10.1.1.1 ...
The server is not authenticated. Continue to access it? [Y/N] :y
Save the server's public key? [Y/N] :y
..
Enter password:
backup.cfg 100% 19174Bytes 7Kb/s
----End
Configuration File
l Configuration file on the SSH server
#
sysname SSH Server
#
aaa
local-user client001 password cipher %$%$bn[j7'Fn>3x[kk-R+jx%f*!u%$%$
#
scp server enable
ssh user client001
ssh user client001 service-type all
#
#
return
l Configuration file on the SCP client

#
sysname SCP Client
#
#
return
1.6 Configuring System Startup

When the device is powered on, system software starts and configuration files are loaded. To
ensure smooth running of the device, you need to manage system software and configuration
files efficiently.
1.6.1 Example for Backing Up the Configuration File
As shown in Figure 1-31, a user logs in to the device and backs up the configuration file to the
TFTP server. So the configuration file can be recovered in case that the device is damaged.

Figure 1-31 Networking diagram of backing up the configuration file

Switch TFTP Server
Network
1. Save the configuration file.
2. Back up the configuration file through TFTP.
Procedure
Step 1 Save configurations to the config.cfg file.
<Quidway> save config.cfg
Step 2 Back up the configuration file through TFTP.

1. Start the TFTP server program.
Start the TFTP server program on the PC. Set the path for transmitting the configuration
file, and the IP address and port number of the TFTP server.
2. Transfer the configuration file.
Run the tftp command in the user view to back up the specified configuration file.
<Quidway> tftp 10.110.24.254 put flash:/config.cfg backup.cfg
----End
1.6.2 Example for Recovering the Configuration File
As shown in Figure 1-32, a user logs in to the device and finds that some incorrect configurations
cause errors in the system. To recover the original configuration, the user downloads the
configuration file saved in the TFTP server to the device and specifies the configuration file for
the next startup.
Figure 1-32 Network diagram of recovering the configuration file

Switch TFTP Server
Network

1. Recover the configuration file that is backed up on the PC through TFTP.
2. Specify the recovered configuration file for the next startup.
Procedure
Step 1 Recover the configuration file that is backed up on the PC through TFTP.
1. Start the TFTP server program.
Start the TFTP server program on the PC. Set the path for transmitting the configuration
file, and the IP address and port number of the TFTP server.
2. Transfer the configuration file.
Run the tftp command in the user view.
<Quidway> tftp 10.110.24.254 get backup.cfg config.cfg
Step 2 Specify the recovered configuration file for the next startup.
<Quidway> startup saved-configuration config.cfg
----End
1.6.3 Example of Configuring System Startup

As shown in Figure 1-33, the current system software cannot meet user needs. The device must
load new software version with higher specifications and features. Then the device software
needs to be upgraded remotely.
Figure 1-33 Configuring System Startup Networking
10.1.1.1/24
Network
PC Switch
1. Upload the new system software to the root directory of the device.
2. Save the current configuration so that it remains active after upgrade.
3. Specify the system software for next startup.
4. Specify the configuration file for next startup of the device.
5. Restart the device to complete upgrade.

Procedure
Step 1 Upload the new system software to the root directory of the device.
Before configuration, run the display startup command to view the files for next startup.
<Quidway> display startup
MainBoard:
Configured startup system software: flash:/basicsoft.cc
Startup system software: flash:/basicsoft.cc
Next startup system software: flash:/basicsoft.cc
Startup saved-configuration file: flash:/vrpcfg.zip
Next startup saved-configuration file: flash:/vrpcfg.zip
Startup paf file: NULL
Next startup paf file: NULL
Startup license file: NULL
Next startup license file: NULL
Startup patch package: NULL
Next startup patch package: NULL
Upload the new system software to the device. This example uses FTP to transfer the system
software. Configure the device as an FTP server and upload the system software to the device
from the FTP client. Make sure there is enough space in the storage device before uploading
files. If the space is insufficient, delete unnecessary files to free up space in the storage device.
[Quidway] ftp server enable
[Quidway] aaa
[Quidway-aaa] local-user huawei password cipher huawei@123
[Quidway-aaa] local-user huawei service-type ftp
[Quidway-aaa] local-user huawei ftp-directory flash:
[Quidway-aaa] quit
[Quidway] quit
Run the ftp 10.1.1.1 command in the command line window of the PC to set up an FTP
connection with the device. Run the put command to upload new system software
newbasicsoft.cc. After the upload completes, run the dir command to check the system software.
<Quidway> dir

0 -rw- 36 Jan 03 2008 01:10:06 $_patchstate_reboot
1 -rw- 727 Jan 01 2012 00:22:58 private-data.txt
2 drw- - Jan 01 2012 00:25:20 syslogfile
3 drw- - Jan 29 2012 00:00:54 resetinfo
4 -rw- 6,590,684 Dec 31 2011 23:46:52 basicsoft.cc
5 -rw- 1,111 Nov 29 2011 19:43:54 vrpcfg.zip
6 drw- 6,721,804 Jul 16 2012 19:14:26 newbasicsoft.cc
...
Step 2 Save the current configuration.

<Quidway> save
The system displays a message indicating that the current configuration will be saved and asks
you whether to continue. Enter y and the configuration will be saved to the device.
Step 3 Specify the system software to be loaded for next startup.

<Quidway> startup system-software newbasicsoft.cc
Step 4 Specify the configuration file for next startup.

<Quidway> startup saved-configuration vrpcfg.zip

NOTE
In step 1, you can run the display startup command to check the configuration file for next startup. The
message "Next startup saved-configuration file: flash:/vrpcfg.zip" will be displayed. This means the
vrpcfg.zip configuration file has been specified for next startup, so you do not need to perform this step.
To specify another file for next startup, perform this step.
Step 5 Checking the configuration
Run the following command to view the system software and configuration file for next startup.
MainBoard:
Configured startup system software: flash:/basicsoft.cc
Startup system software: flash:/basicsoft.cc
Next startup system software: flash:/newbasicsoft.cc
Startup saved-configuration file: flash:/vrpcfg.zip
Next startup saved-configuration file: flash:/vrpcfg.zip
Startup patch package: NULL
Next startup patch package: NULL
Step 6 Restart the device.
# Since the configuration file has been saved, run the reboot fast command to restart the device
quickly.
<Quidway> reboot fast
When the system asks you whether to start the device, enter y.
# Wait for several minutes until the device restart is complete. Run the display version command
to check the current system version. If the current system software is new, the upgrading has
succeeded.
The display version command output is not provided here.
----End
Configuration File
#
sysname Quidway
#
FTP server enable
#
vlan batch 10
#
aaa
local-user huawei password cipher %$%$thp#,S-+/%=\Ko*Q2&~6Tzqh%$%$
#
interface Vlanif10
ip address 10.1.1.1 255.255.255.0
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 10

#
return

Typical Configuration Examples 2 Configuration Guide - Interface Management
2 Configuration Guide - Interface

Management
About This Chapter
This document describes configuration of interfaces supported by the S2300&S3300 and

provides configuration examples.
2.1 Ethernet Interfaces Configuration
Ethernet is flexible, simple, and easy to implement, and therefore it becomes an important local
area network (LAN) networking technology. You need to configure Ethernet interfaces when
using Ethernet technology to establish LANs.
2.2 Logical Interface Configuration
The information provided here on logical interface types, configuration procedures, and
configuration examples can help you make full use of logical interfaces.

2.1 Ethernet Interfaces Configuration

Ethernet is flexible, simple, and easy to implement, and therefore it becomes an important local
area network (LAN) networking technology. You need to configure Ethernet interfaces when
using Ethernet technology to establish LANs.
2.1.1 Example for Configuring Interface Isolation
As shown in Figure 2-1, PC1, PC2, and PC3 belong to VLAN 10. PC1 and PC2 are not allowed
to communicate with each other but are allowed to communicate with PC3.
Figure 2-1 Networking diagram of interface isolation configuration

Switch
Eth0/0/1 Eth0/0/3
Eth0/0/2
PC1 PC2 PC3

10.10.10.1/24 10.10.10.2/24 10.10.10.3/24
VLAN10
1. By default, interfaces are isolated at Layer 2 but can communicate at Layer 3. You can add
interfaces to an isolation group to implement Layer 2 isolation between these interfaces.
Procedure
Step 1 Configure interface isolation.
# Configure interface isolation for Eth0/0/1.
[Quidway] vlan 10
[Quidway-vlan10] quit
[Quidway] interface ethernet 0/0/1
[Quidway-Ethernet0/0/1] port link-type access

[Quidway-Ethernet0/0/1] port default vlan 10

[Quidway-Ethernet0/0/1] port-isolate enable
[Quidway-Ethernet0/0/1] quit
# Configure interface isolation for Eth0/0/2.

[Quidway-Ethernet0/0/2] port-isolate enable
# Add interface Eth0/0/3 to VLAN10.


# PC1 and PC2 cannot ping each other.
# PC1 and PC3 can ping each other.
# PC2 and PC3 can ping each other.
----End
Configuration Files
Configuration file of Switch
#
vlan batch 10
#
port link-type access
port default vlan 10
port-isolate enable group 1
#
#
#
return
2.2 Logical Interface Configuration

The information provided here on logical interface types, configuration procedures, and
configuration examples can help you make full use of logical interfaces.

2.2.1 Example for Configuring VLANs to Communicate Through

Sub-interfaces
As shown in Figure 2-2, SwitchA connects PC1 in VLAN10 to the Ethernet through the Eth1/0/0
interface, and SwitchB connects PC2 in VLAN20 to the Ethernet through the Eth1/0/1 interface.
The packets sent to the Layer 3 Ethernet interface are discarded as unauthorized packets because
the Layer 3 Ethernet interface does not support VLAN packets. Therefore, PC1 and PC2 cannot
communicate.
Due to service requirement, PC1 and PC2 in different VLANs and different network segments
are required to communicate.
Figure 2-2 Network diagram of communication between VLANs through sub-interfaces

Router
Eth1/0/0.1 Eth1/0/1.1
10.10.10.1/24 20.20.20.1/24
VLAN 10 VLAN 20
SwitchA SwitchB
PC1 PC2
10.10.10.2/24 20.20.20.2/24
1. Configure sub-interfaces for Ethernet interfaces.

2. Configure Tag packet termination for sub-interfaces.
3. Enable the ARP broadcast function of termination sub-interfaces.
4. Configure IP addresses for sub-interfaces.
5. Configure default gateways for PCs in different VLANs.
Procedure
Step 1 Configure the interface connecting the Switch to Switch A.
# Create and configure a sub-interface Eth1/0/0.1.

<Switch> system-view
[Switch] sysname Switch
[Switch] interface ethernet 1/0/0.1
[Switch-Ethernet1/0/0.1] dot1q termination vid 10
[Switch-Ethernet1/0/0.1] arp broadcast enable

[Switch-Ethernet1/0/0.1] ip address 10.10.10.1 24

[Switch-Ethernet1/0/0.1] quit
Step 2 Configure the interface connecting the Switch to Switch B.

# Create and configure a sub-interface Eth1/0/1.1.
[Switch] interface ethernet 1/0/1.1
[Switch-Ethernet1/0/1.1] dot1q termination vid 20
[Switch-Ethernet1/0/1.1] arp broadcast enable
[Switch-Ethernet1/0/1.1] ip address 20.20.20.1 24
[Switch-Ethernet1/0/1.1] quit

On PC1 in VLAN 10, set the IP address (10.10.10.1/24) of Eth1/0/0.1 as the default gateway
address.
On PC2 in VLAN 20, set the IP address (20.20.20.1/24) of Eth1/0/1.1 as the default gateway
address.
After the preceding configurations are complete, PC1 in VLAN 10 and PC2 in VLAN 20 can
communicate.
----End
Configuration Files
Only the configuration file of the Switch is provided.
#
sysname Switch
#
interface Ethernet1/0/0.1
dot1q termination vid 10
ip address 10.10.10.1 255.255.255.0
arp broadcast enable
#
ip address 20.20.20.1 255.255.255.0
#
return
2.2.2 Example for Configuring FR Sub-Interfaces

As shown in Figure 2-3, RouterA connects to RouterB and RouterC through the serial1/0/0
interface over the frame relay network. Sub-interfaces are configured for the Serial1/0/0 interface
on Router A so that LAN1 can communicate with LAN2 and LAN3.
RouterA and RoutrerB function as DTEs to transmit IP packets and connect LANs through the
frame relay network.

Figure 2-3 Networking diagram of FR sub-interface configuration

LAN2:129.10.0.0/16
Serial1/0/0 RouterB
202.38.160.2
DLCI=70
Serial1/0/0.1
RouterA 202.38.160.1
DLCI=50
Frame Relay
network
Serial1/0/0.2
202.38.161.1
DLCI=60
Serial1/0/0
LAN1:129.9.0.0/16 202.38.161.2
DLCI=80
RouterC
LAN3:129.11.0.0/16
1. Configure the link protocol of the interface that accesses the FR network on switchA.
2. Configure sub-interfaces and allocate IP addresses and VC.
3. Configure the static route to the peer LAN.
Procedure
Step 1 Configure SwitchA.
# Configure link layer protocol as FR on Serial 1/0/0 of SwitchA.
[Quidway] sysname SwitchA
[SwitchA] interface serial 1/0/0
[SwitchA-Serial1/0/0] link-protocol fr
[SwitchA-Serial1/0/0] fr interface-type dte
[SwitchA-Serial1/0/0] quit
# Configure the sub-interface Serial 1/0/0.1 on SwitchA, and assign VC for it.
[SwitchA] interface serial 1/0/0.1 p2mp
[SwitchA-Serial1/0/0.1] ip address 202.38.160.1 255.255.255.0
[SwitchA-Serial1/0/0.1] fr dlci 50
[SwitchA-fr-dlci-Serial1/0/0.1-50] quit
# Configure the sub-interface Serial 1/0/0.2 on SwitchA, and assign VC for it.
[SwitchA] interface serial 1/0/0.2 p2mp
[SwitchA-Serial1/0/0.2] ip address 202.38.161.1 255.255.255.0

[SwitchA-Serial1/0/0.2] fr dlci 60
[SwitchA-fr-dlci-Serial1/0/0.2-60] quit
# Configure the static routes from SwitchA to LAN2 and LAN3.

[SwitchA] ip route-static 129.10.0.0 255.255.0.0 202.38.160.2
Step 2 Configure SwitchB.

# Configure link layer protocol as FR on Serial 1/0/0 of SwitchB.
[Quidway] sysname SwitchB
[SwitchB] interface serial 1/0/0
[SwitchB-Serial1/0/0] link-protocol fr
[SwitchB-Serial1/0/0] fr interface-type dte
# Configure the IP address on Serial 1/0/0 of SwitchB, and assign VC for it.
[SwitchB-Serial1/0/0] ip address 202.38.160.2 255.255.255.0
[SwitchB-Serial1/0/0] fr dlci 70
[SwitchB-fr-dlci-Serial1/0/0-70] quit
# Configure the static routes from SwitchB to LAN1.

[SwitchB] ip route-static 129.9.0.0 255.255.0.0 202.38.160.2
Step 3 Configure SwitchC.

# Configure link layer protocol as FR on Serial 1/0/0 of SwitchC.
[Quidway] sysname SwitchC
[SwitchC] interface serial 1/0/0
[SwitchC-Serial1/0/0] link-protocol fr
[SwitchC-Serial1/0/0] fr interface-type dte
# Configure the IP address on Serial 1/0/0 of SwitchC, and assign VC for it.
[SwitchC-Serial1/0/0] ip address 202.38.161.2 255.255.255.0
[SwitchC-Serial1/0/0] fr dlci 80
[SwitchC-fr-dlci-Serial1/0/0-80] quit
# Configure the static routes from SwitchB to LAN1.

[SwitchC] ip route-static 129.9.0.0 255.255.0.0 202.38.161.2
Step 4 Check the configuration.

Run the display ip route-table command on SwitchA to view routes of LAN2 and LAN3. The
ping command output shows that three LANs can access each other.
[SwitchA] display ip route-table
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
Destinations : 2 Routes : 2
Destination/Mask Proto Pre Cost Flags NextHop Interface
129.10.0.0/16 Static 60 0 RD 202.38.160.2 Serial1/0/0.1

129.11.0.0/16 Static 60 0 RD 202.38.161.2 Serial1/0/0.2
[SwitchA] ping 202.38.160.2
PING 202.38.160.2: 56 data bytes, press CTRL_C to break
Reply from 202.38.160.2: bytes=56 Sequence=1 ttl=255 time=3 ms

--- 202.38.160.2 ping statistics ---

5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 3/3/3 ms

--- 202.38.161.2 ping statistics ---

0.00% packet loss
----End
Configuration Files
l Configuration files of SwitchA
#
sysname SwitchA
#
interface Serial1/0/0
link-protocol fr
#
interface Serial1/0/0.1 p2mp
fr dlci 50
ip address 202.38.160.1 255.255.255.0
#
interface Serial1/0/0.2 p2mp
fr dlci 60
ip address 202.38.161.1 255.255.255.0
#
ip route-static 129.10.0.0 255.255.0.0 202.38.160.2
ip route-static 129.11.0.0 255.255.0.0 202.38.161.2
#
return
l Configuration files of SwitchB

#
sysname SwitchB
#
link-protocol fr
fr dlci 70
ip address 202.38.160.2 255.255.255.0
#
ip route-static 129.9.0.0 255.255.0.0 202.38.160.1
#
return
l Configuration files of SwitchC

#
sysname SwitchC
#
link-protocol fr
fr dlci 80
ip address 202.38.161.2 255.255.255.0

#
ip route-static 129.9.0.0 255.255.0.0 202.38.161.1
#
return
2.2.3 Example for Configuring the Loopback's IP Address to Be

Borrowed
As shown in Figure 2-4, RouterA connects to RouterB by Serial interface. A Loopback interface
is configured on RouterA and an IP address is configured for the interface.
To save IP addresses, users do not want to configure an IP address for the Serial 1/0/0 interface
of Router A, which also does not affect the normal communication.
Figure 2-4 Networking diagram of configuring a Loopback Interface

Loopback1
10.1.1.1/32
Serial1/0/0
Serial1/0/0
RouterA RouterB
10.1.1.2/30
Configure the Serial interface of RouterA to borrow the IP address of the loopback1 interface.so
that RouterA can communicate with RouterB.
Procedure
Step 1 Create a loopback interface on Switch A and allocate an IP address for it.
[Switch] sysname SwitchA
[SwitchA] interface loopback 1
[SwitchA-LoopBack1] ip address 10.1.1.1 32
[SwitchA-LoopBack1] quit
Step 2 Configure 1/0/0 of Switch A to borrow the IP address of the created loopback1 interface.
[SwitchA] interface serial 1/0/0
[SwitchA-Serial1/0/0] ip address unnumbered interface loopback 1
[SwitchA-Serial1/0/0] quit
Step 3 Configure Switch B.

[Switch] sysname SwitchB
[SwitchB] interface serial 1/0/0
[SwitchB-Serial1/0/0] ip address 10.1.1.2 30
[SwitchB-Serial1/0/0] quit

# Display the status of Serial1/0/0.

[SwitchA] display interface serial 1/0/0
Pos1/0/0 current state : UP
Line protocol current state : UP
Last line protocol up time : 2011-12-14 16:08:45 UTC-08:00
Route Port,The Maximum Transmit Unit is 4470, Hold timer is 10(sec)
Internet Address is unnumbered, using address of LoopBack1(10.1.1.1/32)
Link layer protocol is PPP
LCP opened, IPCP opened
Last physical up time : 2011-12-14 16:08:39 UTC-08:00
Last physical down time : 2011-12-14 16:06:19 UTC-08:00
Current system time: 2011-12-14 16:09:00-08:00
Interface is V35
Last 300 seconds input rate 0 bytes/sec, 0 packets/sec
Last 300 seconds output rate 0 bytes/sec, 0 packets/sec
Input: 7 packets, 102 bytes
Output: 7 packets , 106 bytes
Input bandwidth utilization : 0%
Output bandwidth utilization : 0%
The information in bold shows that Serial1/0/0 borrows the IP address of loopback1.
If Switch A can ping Switch B, Switch A can communicate with Switch B.
----End
Configuration Files
l Configuration files of Switch A.
#
sysname SwitchA
#
link-protocol ppp
ip address unnumbered interface LoopBack1
#
interface LoopBack1
ip address 10.1.1.1 255.255.255.255
#
return
l Configuration files of Switch B.

#
sysname SwitchB
#
link-protocol ppp
ip address 10.1.1.2 255.255.255.252
#
return
2.2.4 Example for Configuring the QinQ Termination Sub-interface

to Access an L3VPN
As shown in Figure 2-5, users are connected to CEs through LAN switches. CE1 and CE3 belong
to VPN-A; CE2 and CE4 belong to VPN-B. The users in a VPN access each other through the
MPLS backbone. The existing configurations are as follows:
l An IGP protocol has been enabled on the MPLS backbone network to implement
connectivity between the devices on the backbone network.

l Basic MPLS functions and MPLS LDP have been configured on the MPLS backbone
network to set up LDP LSPs.
l MP-IBGP peer relationships have been set up between PEs.
l The LAN switches are configured to add inner VLAN tags to received packets.
To save VLAN IDs on the public network, the CEs are configured with QinQ to add outer VLAN
tags to the received packets. Therefore, the user packets sent from CEs to PEs have two VLAN
tags. The QinQ termination sub-interfaces on PEs need to connect to the L3VPN so that CE1
and CE3 can communicate and CE2 and CE4 can communicate.
Figure 2-5 Connecting QinQ termination sub-interfaces to L3VPN
VPN-A VPN-A
LAN LAN
Switch Switch
CE1 CE3
Eth1/0/0.1 Eth1/0/0.1
MPLS
PE1 backbone PE2
Eth2/0/0.1
Eth2/0/0.1
CE2 CE4
LAN LAN
Switch Switch
VPN-B VPN-B
1. Create VPN instances on PEs.

2. Configure QinQ termination sub-interfaces on PEs and bind them to VPN instances.
3. Configure EBGP on CEs and PEs to exchange VPN routing information.
NOTE
This example only provides the configurations related to this task. For details about L3VPN configuration, see
the S2300&S3300 Series Ethernet Switches Configuration Guide-VPN Configuration.

Procedure
Step 1 Configure VPN instances on PEs and bind the VPN instances to QinQ sub-interfaces.
# Configure PE1.
[Quidway] sysname PE1
[PE1] ip vpn-instance vpna
[PE1-vpn-instance-vpna] ipv4-family
[PE1-vpn-instance-vpna-af-ipv4] route-distinguisher 100:1
[PE1-vpn-instance-vpna-af-ipv4] vpn-target 111:1 both
[PE1-vpn-instance-vpna-af-ipv4] quit
[PE1-vpn-instance-vpna] quit
[PE1] interface ethernet 1/0/0.1
[PE1-Ethernet1/0/0.1] qinq termination pe-vid 100 ce-vid 10
[PE1-Ethernet1/0/0.1] ip binding vpn-instance vpna
[PE1-Ethernet1/0/0.1] ip address 10.1.1.1 24
[PE1-Ethernet1/0/0.1] arp broadcast enable
[PE1-Ethernet1/0/0.1] quit
[PE1] ip vpn-instance vpnb
[PE1-vpn-instance-vpnb] ipv4-family
[PE1-vpn-instance-vpnb-af-ipv4] route-distinguisher 200:2
[PE1-vpn-instance-vpnb-af-ipv4] vpn-target 222:2 both
[PE1-vpn-instance-vpnb-af-ipv4] quit
[PE1-vpn-instance-vpnb] quit
[PE1-Ethernet2/0/0.1] ip binding vpn-instance vpnb
# Configure PE2.
[PE2-Ethernet1/0/0.1] ip binding vpn-instance vpna
[PE2-Ethernet2/0/0.1] ip binding vpn-instance vpnb
Step 2 Set up EBGP peer relationships between PEs and CEs and import VPN routes. The detailed
configurations are not provided here.
# Run the display ip vpn-instance verbose command on the PEs to view VPN instance
configurations.

The following is information on PE1:

[PE1] display ip vpn-instance verbose
Total VPN-Instances configured : 2
VPN-Instance Name and ID : vpna, 1
Interfaces : Ethernet 1/0/0.1
Address family ipv4
Create date : 2011/01/21 11:30:35
Up time : 0 days, 00 hours, 05 minutes and 19 seconds
Route Distinguisher : 100:1
Export VPN Targets : 111:1
Import VPN Targets : 111:1
Label Policy : label per route
Log Interval : 5
VPN-Instance Name and ID : vpnb, 1
Interfaces : Ethernet 2/0/0.1
Address family ipv4
Create date : 2011/01/21 11:31:18
Up time : 0 days, 00 hours, 04 minutes and 36 seconds
Route Distinguisher : 200:2
Export VPN Targets : 222:2
Import VPN Targets : 222:2
Label Policy : label per route
Log Interval : 5
# Run the display qinq information termination command, and you can see that the QinQ
termination sub-interface is bound to the L3VPN.
The following is information on PE1:

[PE1] display qinq information termination interface ethernet 1/0/0.1
Ethernet1/0/0.1
L3VPN bound
Total QinQ Num: 1
qinq termination pe-vid 100 ce-vid 10
Total vlan-group Num: 0
[PE1] display qinq information termination interface ethernet 2/0/0.1
Ethernet2/0/0.1
L3VPN bound
Total QinQ Num: 1
Total vlan-group Num: 0
After the preceding configurations, PEs will remove the two VLAN tags from the packets from
users and forward the packets to L3VPN. The users in the same VPN can communicate with
each other. Hosts connected to CE1 and CE3 can ping each other, and hosts connected to CE2
and CE4 can ping each other. However, hosts connected to CE1 and CE3 cannot communicate
with hosts connected to CE2 and CE4 because they are in different VPN instances.
----End
Configuration Files
l Configuration file of PE1
#
sysname PE1
#
ip vpn-instance
vpna
ipv4-
family
route-distinguisher
100:1
vpn-target 111:1 export-
extcommunity
vpn-target 111:1 import-extcommunity

#
ip vpn-instance
vpnb
ipv4-
family
route-distinguisher
200:2
extcommunity
#
ip binding vpn-instance vpna
ip address 10.1.1.1 255.255.255.0
#
ip binding vpn-instance vpnb
ip address 10.2.1.1 255.255.255.0
#
return

#
sysname PE2
#
ip vpn-instance
vpna
ipv4-
family
route-distinguisher
100:1
extcommunity
#
ip vpn-instance
vpnb
ipv4-
family
route-distinguisher
200:2
extcommunity
#
ip address 10.3.1.1 255.255.255.0
#
ip address 10.4.1.1 255.255.255.0
#
return

Typical Configuration Examples 3 Configuration Guide - Ethernet
3 Configuration Guide - Ethernet
About This Chapter
This document describes the configuration of Ethernet services, including configuring link
aggregation, VLANs, Voice VLAN, VLAN mapping, QinQ, GVRP, MAC table, Loopback
DetectionSTP/RSTP/MSTP, SEP, and so on.
The document provides the configuration procedures and configuration examples to illustrate
the service configuration methods and application scenario.
3.1 Link Aggregation Configuration
Link aggregation is a technology that bundles multiple Ethernet links into a logical link to
increase bandwidth, improve reliability, and load balance traffic.
3.2 VLAN Configuration
Virtual Local Area Networks (VLANs) have advantages of broadcast domain isolation, security
hardening, flexible networking, and good extensibility.
3.3 Voice VLAN Configuration
This chapter describes voice VLAN concepts and how to configure voice VLAN.
3.4 QinQ Configuration
This chapter describes the concepts and configuration procedure of 802.1Q-in-802.1Q (QinQ),
and provides configuration examples.
3.5 GVRP Configuration
This chapter describes basic GVRP concepts, GVRP configuration procedures, and concludes
with a GVRP configuration example.
3.6 MAC Address Table Configuration
This chapter provides the basics for MAC address table configuration, configuration procedure,
and configuration examples.
3.7 STP/RSTP Configuration
The Spanning Tree Protocol (STP) trims a ring network into a loop-free tree network. It prevents
replication and circular propagation of packets. The Rapid Spanning Tree Protocol (RSTP) was
developed based on STP to implement faster convergence. RSTP defines edge ports and provides
protection functions.
3.8 MSTP Configuration

The Multiple Spanning Tree Protocol (MSTP) trims a ring network into a loop-free tree network.
It prevents replication and circular propagation of packets, provides multiple redundant paths
for Virtual LAN (VLAN) data traffic, and enables load balancing.
3.9 SEP Configuration
Smart Ethernet Protection (SEP) is a ring network protocol specially used for the Ethernet link
layer. It blocks redundant links to prevent logical loops on a ring network.
3.10 Layer 2 Protocol Transparent Transmission Configuration
This chapter describes the concept, configuration procedure, and configuration examples of
Layer 2 protocol transparent transmission.
3.11 Loopback Detection Configuration
Loopback detection can detect loops on the network connected to the device and reduce impacts
on the network.
3.12 VoIP Access Configuration

3.1 Link Aggregation Configuration

Link aggregation is a technology that bundles multiple Ethernet links into a logical link to
increase bandwidth, improve reliability, and load balance traffic.
3.1.1 Example for Configuring Link Aggregation in Manual Load

Balancing Mode
As shown in Figure 3-1, SwitchA and SwitchB connect to devices in VLAN 10 and VLAN 20
through Ethernet links, and heavy traffic is transmitted between SwitchA and SwitchB.
SwitchA and SwitchB can provide higher link bandwidth to implement inter-VLAN
communication. Reliability of data transmission needs to be ensured.
Figure 3-1 Networking diagram for configuring link aggregation in manual load balancing mode
VLAN10 VLAN10
Eth0/0/4 Eth0/0/1 Eth0/0/4

Eth0/0/1
SwitchA Eth0/0/2 Eth-Trunk Eth0/0/2 SwitchB
Eth0/0/3 Eth0/0/3
Eth0/0/5 Eth-Trunk 1 Eth-Trunk 1 Eth0/0/5
VLAN20 VLAN20
1. Create an Eth-Trunk and add member interfaces to the Eth-Trunk to increase link
bandwidth.
NOTE
An interface is added to VLAN1 by default. To avoid broadcast strom, shut down the interface or
remove the interface from VLAN1 before adding it to an Eth-Trunk interface.
2. Create VLANs and add interfaces to the VLANs.
3. Set the load balancing mode to ensure that traffic is load balanced between member
interfaces of the Eth-Trunk.

Procedure
Step 1 Create an Eth-Trunk on SwitchA and add member interfaces to the Eth-Trunk. The configuration
of SwitchB is similar to the configuration of SwitchA, and the configuration details are not
mentioned here.
[SwitchA] interface Eth-Trunk1
[SwitchA-Eth-Trunk1] trunkport ethernet 0/0/1 to 0/0/3
[SwitchA-Eth-Trunk1] quit
Step 2 Create VLANs and add interfaces to the VLANs. The configuration of SwitchB is similar to the
configuration of SwitchA, and the configuration details are not mentioned here.
# Create VLAN 10 and VLAN 20, and add interfaces to VLAN 10 and VLAN 20.
[SwitchA] vlan batch 10 20
[SwitchA] interface ethernet 0/0/4
[SwitchA-Ethernet0/0/4] port link-type trunk
[SwitchA-Ethernet0/0/4] port trunk allow-pass vlan 10
[SwitchA-Ethernet0/0/4] quit
# Configure Eth-Trunk 1 to allow packets from VLAN 10 and VLAN 20 to pass through.
[SwitchA] interface Eth-Trunk1
[SwitchA-Eth-Trunk1] port link-type trunk
[SwitchA-Eth-Trunk1] port trunk allow-pass vlan 10 20
Step 3 Set the load balancing mode of Eth-Trunk 1. The configuration of SwitchB is similar to the
configuration of SwitchA, and the configuration details are not mentioned here.
[SwitchA-Eth-Trunk1] load-balance src-dst-mac

Run the display eth-trunk 1 command in any view to check whether the Eth-Trunk is created
and whether member interfaces are added.
[SwitchA] display eth-trunk 1
Eth-Trunk1's state information is:
WorkingMode: NORMAL Hash arithmetic: According to SA-XOR-DA
Least Active-linknumber: 1 Max Bandwidth-affected-linknumber: 8
Operate status: up Number Of Up Port In Trunk: 3
--------------------------------------------------------------------------------
PortName Status Weight
Ethernet0/0/1 Up 1
Ethernet0/0/2 Up 1
Ethernet0/0/3 Up 1
The preceding command output shows that Eth-Trunk 1 has three member interfaces:
Ethernet0/0/1, Ethernet0/0/2, and Ethernet0/0/3. The member interfaces are both in Up state.
----End
Configuration Files
l Configuration file of SwitchA
#
sysname SwitchA
#

vlan batch 10 20
#
interface Eth-Trunk1
port trunk allow-pass vlan 10 20
load-balance src-dst-mac
#
eth-trunk 1
#
eth-trunk 1
#
eth-trunk 1
#
#
#
return
l Configuration file of SwitchB

#
sysname SwitchB
#
vlan batch 10 20
#
load-balance src-dst-mac
#
eth-trunk 1
#
eth-trunk 1
#
eth-trunk 1
#
#
#
return
3.1.2 Example for Configuring Link Aggregation in LACP Mode
To improve bandwidth and connection reliability, configure a link aggregation group on two
directly connected Switches, as shown in Figure 3-2. The requirements are as follows:
l Two active links implement load balancing.

l One link function as the backup link. When a fault occurs on an active link, the backup link
replaces the faulty link to maintain reliable data transmission.
Figure 3-2 Networking diagram for configuring link aggregation in LACP mode
SwitchA SwitchB
Eth0/0/1 Eth0/0/1
Eth0/0/2 Eth-Trunk Eth0/0/2
Eth0/0/3 Eth0/0/3
Eth-Trunk 1 Eth-Trunk 1
Active link
Backup link
1. Create an Eth-Trunk and configure the Eth-Trunk to work in LACP mode to implement
link aggregation.
2. Add member interfaces to the Eth-Trunk.
NOTE
An interface is added to VLAN1 by default. To avoid broadcast strom, shut down the interface or
remove the interface from VLAN1 before adding it to an Eth-Trunk interface.
3. Set the system priority and determine the Actor so that the Partner selects active interfaces
based on the Actor interface priority.
4. Set the upper threshold for the number of active interfaces to improve reliability.
5. Set interface priorities and determine active interfaces so that interfaces with higher
priorities are selected as active interfaces.
Procedure
Step 1 Create Eth-Trunk 1 on SwitchA and configure Eth-Trunk 1 to work in LACP mode. The
configuration of SwitchB is similar to the configuration of SwitchA, and the configuration details
are not mentioned here.
[SwitchA] interface eth-trunk 1
[SwitchA-Eth-Trunk1] mode lacp-static
Step 2 Add member interfaces to Eth-Trunk 1 on SwitchA. The configuration of SwitchB is similar to
the configuration of SwitchA, and the configuration details are not mentioned here.
[SwitchA-Ethernet0/0/1] eth-trunk 1
Step 3 Set the system priority on SwitchA to 100 so that SwitchA becomes the Actor.
[SwitchA] lacp priority 100

Step 4 On SwitchA, set the upper threshold for the number of active interfaces to 2.
[SwitchA-Eth-Trunk1] max active-linknumber 2
Step 5 Set the priority of the interface and determine active links on SwitchA.
[SwitchA-Ethernet0/0/1] lacp priority 100
[SwitchA-Ethernet0/0/2] lacp priority 100
# Check information about the Eth-Trunk of the Switchs and check whether negotiation is
successful on the link.
Local:
LAG ID: 1 WorkingMode: STATIC
Preempt Delay: Disabled Hash arithmetic: According to SIP-XOR-DIP
System Priority: 100 System ID: 00e0-fca8-0417
Least Active-linknumber: 1 Max Active-linknumber: 2
Operate status: up Number Of Up Port In Trunk: 2
--------------------------------------------------------------------------------
ActorPortName Status PortType PortPri PortNo PortKey
PortState Weight
Ethernet0/0/1 Selected 100M 100 6145 2865
11111100 1
11111100 1
Ethernet0/0/3 Unselect 100M 32768 6147 2865
11100000 1
Partner:
------------------------------------------------------------------------------
ActorPortName SysPri SystemID PortPri PortNo
PortKey PortState
Ethernet0/0/1 32768 00e0-fca6-7f85 32768 6145
2609 11111100
Ethernet0/0/2 32768 00e0-fca6-7f85 32768 6146
2609 11111100
Ethernet0/0/3 32768 00e0-fca6-7f85 32768 6147
2609 11110000
[SwitchB] display eth-trunk 1
Local:
LAG ID: 1 WorkingMode: STATIC
Preempt Delay: Disabled Hash arithmetic: According to SIP-XOR-DIP
System Priority: 32768 System ID: 00e0-fca6-7f85
Least Active-linknumber: 1 Max Active-linknumber: 8
Operate status: Up Number Of Up Port In Trunk: 2
------------------------------------------------------------------------------
ActorPortName Status PortType PortPri PortNo PortKey
PortState Weight
11111100 1
11111100 1
Ethernet0/0/3 Unselect 100M 32768 6147 2609
11100000 1
Partner:
------------------------------------------------------------------------------
ActorPortName SysPri SystemID PortPri PortNo
PortKey PortState

Ethernet0/0/1 100 00e0-fca8-0417 100 6145

2865 11111100
Ethernet0/0/2 100 00e0-fca8-0417 100 6146
2865 11111100
Ethernet0/0/3 100 00e0-fca8-0417 32768 6147
2865 11110000
The preceding information shows that the system priority of SwitchA is 100, which is higher
than the system priority of SwitchB. Member interfaces Ethernet0/0/1 and Ethernet0/0/2 become
the active interfaces and are in Selected state. Interface Ethernet0/0/3 is in Unselect state. Two
links are active and working in load balancing mode, and one link is the backup links.
----End
Configuration Files
#
sysname SwitchA
#
lacp priority 100
#
mode lacp-static
max active-linknumber 2
#
eth-trunk 1
lacp priority 100
#
eth-trunk 1
lacp priority 100
#
eth-trunk 1
#
return

#
sysname SwitchB
#
mode lacp-static
#
eth-trunk 1
#
eth-trunk 1
#
eth-trunk 1
#
return
3.2 VLAN Configuration

Virtual Local Area Networks (VLANs) have advantages of broadcast domain isolation, security
hardening, flexible networking, and good extensibility.

3.2.1 Example for Assigning VLANs Based on Ports
As shown in Figure 3-3, multiple user terminals are connected to switches in an enterprise.
Users who use the same service access the enterprise network using different devices.
To ensure the communication security and avoid broadcast storms, the enterprise wants to allow
users who use the same service to communicate with each other but isolate users who use
different services.
Configure port-based VLANs on the switch and add ports connecting to terminals of users who
use the same service to the same VLAN. Users in different VLANs cannot perform Layer 2
communication. Users in the same VLAN can communicate directly.
Figure 3-3 Networking diagram for assigning VLANs based on ports

Eth0/0/3 Eth0/0/3
SwitchA SwitchB
Eth0/0/1 Eth0/0/2 Eth0/0/1 Eth0/0/2
User1 User3 User2 User4

VLAN2 VLAN3 VLAN2 VLAN3
1. Create VLANs and add ports connecting to user terminals to VLANs to isolate Layer 2
traffic between users who use different services.
2. Configure the type of link between SwitchA and SwitchB and VLANs to allow users who
use the same service to communicate.
Procedure
Step 1 Create VLAN2 and VLAN3 on SwitchA, and add ports connecting to user terminals to different
VLANs. Configuration of SwitchB is similar to that of SwitchA.
[SwitchA-Ethernet0/0/1] port link-type access
[SwitchA-Ethernet0/0/1] port default vlan 2
Step 2 Configure the type of port connecting to SwitchB on SwitchA and VLANs. Configuration of
SwitchB is similar to that of SwitchA.


[SwitchA-Ethernet0/0/3] port trunk allow-pass vlan 2 3

Add User1 and User2 to the same IP address segment, for example, 192.168.100.0/24. Add
User3 and User4 to the same IP address segment, for example, 192.168.200.0/24.
Only User1's and User2's terminals can ping each other. Only User3's and User4's terminals can
ping each other.
----End
Configuration Files
Configuration file of SwitchA
#
sysname SwitchA
#
vlan batch 2 to 3
#
port default vlan 2
#
port default vlan 3
#
port trunk allow-pass vlan 2 to 3
#
return
Configuration file of SwitchB

#
sysname SwitchB
#
vlan batch 2 to 3
#
port default vlan 2
#
port default vlan 3
#
#
return
3.2.2 Example for Assigning VLANs based on MAC Addresses

On a company intranet, the network administrator adds the PCs in a department to the same
VLAN. To improve information security, only employees in this department are allowed to
access the intranet.

As shown in Figure 3-4, only PC1, PC2, and PC3 are allowed to access the intranet using
SwitchA and Switch.
You can assign VLANs based on MAC addresses and associate MAC addresses of PCs with the
specified VLAN.
NOTE
The S2300SI does not support this configuration.
Figure 3-4 Networking diagram for assigning VLANs based on MAC addresses
Enterprise
network
Eth0/0/2
Switch
Eth0/0/1
Eth0/0/1
SwitchA
MAC:22-22-22 MAC:33-33-33 MAC:44-44-44

PC1 PC2 PC3
VLAN 10
1. Create VLANs and determine which VLAN the PCs of employees belong to.
2. Add Ethernet interfaces to VLANs so that packets of the VLANs can pass through the
interfaces.
3. Associate MAC addresses of PC1, PC2, and PC3 with the specified VLAN so that the
VLAN of the packet can be determined based on the source MAC address.
Procedure
Step 1 Configure the Switch.
# Create VLANs.
[Quidway] vlan batch 10 100
# Set the PVID of interfaces and add interfaces to the VLANs.


[Quidway-Ethernet0/0/1] port hybrid pvid vlan 100
[Quidway-Ethernet0/0/1] port hybrid untagged vlan 10
[Quidway-Ethernet0/0/2] port hybrid tagged vlan 10
# Associate MAC addresses of PC1, PC2, and PC3 with VLAN 10.
[Quidway] vlan 10
[Quidway-Vlan10] mac-vlan mac-address 22-22-22
[Quidway-Vlan10] quit
# Enable MAC address-based VLAN assignment on Eth0/0/1.

[Quidway-Ethernet0/0/1] mac-vlan enable
PC1, PC2, and PC3 can access the intranet, whereas other PCs cannot access the intranet.
----End
Configuration Files
Configuration file of the Switch
#
sysname Quidway
#
vlan batch 10 100
#
vlan 10
mac-vlan mac-address 0022-0022-0022 priority 0
#
mac-vlan enable
#
port hybrid tagged vlan 10
#
return
3.2.3 Example for Assigning VLANs Based on IP Subnets
A company has multiple services, including IPTV, VoIP, and Internet access. Each service uses
a unique IP subnet. Packets of the same service must be transmitted in the same VLAN, and
packets of different services must be transmitted in different VLANs.
On the network shown in Figure 3-5, the Switch receives Internet, IPTV, and voice services
from users with diverse IP subnets. Packets of different services need to be transmitted in
different VLANs, and packets of each service need to be sent to a specified remote server.

NOTE
Figure 3-5 Networking diagram for assigning VLANs based on IP subnets
IPTV
server Voice
Internet Network
RouterB
RouterA Eth0/0/3 RouterC
Eth0/0/2 Eth0/0/4
Switch
Eth0/0/1
SwitchA
192.168.1.2 192.168.3.2
/24 192.168.2.2 /24
/24
1. Create VLANs and determine which VLAN each service belongs to.
2. Associate IP subnets with VLANs so that VLANs of packets can be determined based on
the source IP addresses or specified network segments.
3. Add interfaces to VLANs so that packets of the IP subnet-based VLANs can pass through
the interfaces.
4. Configure the highest priority for IP subnet-based VLAN assignment.
5. Enable IP subnet-based VLAN assignment.
Procedure
Step 1 Create VLANs.
# Create VLAN 100, VLAN 200, and VLAN 300 on the Switch.

[Quidway] vlan batch 100 200 300
Step 2 Configure interfaces.

# Set the link type of Eth0/0/1 to hybrid and add it to VLAN 100, VLAN 200, and VLAN 300.
[Quidway-Ethernet0/0/1] port link-type hybrid
[Quidway-Ethernet0/0/1] port hybrid untagged vlan 100 200 300
# Add Eth0/0/2 of the Switch to VLAN 100.

[Quidway-Ethernet0/0/2] port link-type trunk
[Quidway-Ethernet0/0/2] port trunk allow-pass vlan 100


# Enable IP subnet-based VLAN assignment on Eth0/0/1.

[Quidway-Ethernet0/0/1] ip-subnet-vlan enable
Step 3 Configure IP subnet-based VLAN assignment.

# Associate 192.168.1.2/24 to VLAN 100 and set the 802.1p priority of VLAN 100 to 2.
[Quidway] vlan 100
[Quidway-vlan100] ip-subnet-vlan 1 ip 192.168.1.2 24 priority 2
# Associate 192.168.2.2/24 to VLAN 200 and set the 802.1p priority of VLAN 200 to 3.
[Quidway] vlan 200
# Associate IP subnet 192.168.3.2/24 to VLAN 100 and set the 802.1p priority of VLAN 300
to 4.
[Quidway] vlan 300

Run the display ip-subnet-vlan vlan all command on the Switch. The following information
is displayed:
[Quidway] display ip-subnet-vlan vlan all
----------------------------------------------------------------
Vlan Index IpAddress SubnetMask Priority
----------------------------------------------------------------

100 1 192.168.1.2 255.255.255.0 2

200 1 192.168.2.2 255.255.255.0 3
300 1 192.168.3.2 255.255.255.0 4
----------------------------------------------------------------
ip-subnet-vlan count: 3 total count: 3
----End
Configuration Files
l Configuration file of the Switch
#
sysname Quidway
#
vlan batch 100 200 300
#
vlan 100
ip-subnet-vlan 1 ip 192.168.1.2 255.255.255.0 priority 2
vlan 200
vlan 300
#
port hybrid untagged vlan 100 200 300
ip-subnet-vlan enable
#
#
#
#
return
3.2.4 Example for Assigning VLANs Based on Protocols

A company has multiple services, including IPTV, VoIP, and Internet access. Each service uses
a unique protocol. To facilitate network management and reduce manual VLAN configuration
workload, each service is added to a different VLAN.
As shown in Figure 3-6, the Switch receives packets of multiple services that use different
protocols. Users in VLAN 10 use IPv4 to communicate with remote users, and users in VLAN
20 use IPv6 to communicate with the servers. The Switch needs to assign VLANs to packets of
different services and transmit packets with different VLAN IDs to different servers.
NOTE

Figure 3-6 Networking diagram for assigning VLANs based on protocols
Voice
Network Internet
RouterA RouterB
Eth0/0/2 Eth0/0/3
Switch
Eth0/0/1
IPv4 IPv6
VLAN 10 VLAN 20
1. Create VLANs and determine which VLAN each service belongs to.
2. Associate protocols with VLANs so that VLAN IDs that received packets belong to can
be assigned based on the protocol types.
3. Add interfaces to VLANs so that packets of the protocol-based VLANs can pass through
the interfaces.
4. Associate ports with VLANs.
After the Switch receives a frame of a specified protocol, it assigns the VLAN ID associated
with the protocol to the frame.
Procedure
[Quidway] sysname Switch
[Switch] vlan batch 10 20
Step 2 Configure protocol-based VLANs.

# Associate IPv4 with VLAN 10.
[Switch] vlan 10
[Switch-vlan10] protocol-vlan ipv4
[Switch-vlan10] quit
# Associate IPv6 with VLAN 20.

[Switch] vlan 20
[Switch-vlan20] protocol-vlan ipv6
Step 3 Associate interfaces with protocol-based VLANs.

# Associate Eth0/0/1 with VLAN 10 and set the 802.1p priority of VLAN 10 to 5.
[Switch] interface ethernet 0/0/1
[Switch-Ethernet0/0/1] protocol-vlan vlan 10 all priority 5
# Associate Eth0/0/1 with VLAN 20 and set the 802.1p priority of VLAN 20 to 6.
[Switch-Ethernet0/0/1] protocol-vlan vlan 20 all priority 6
[Switch-Ethernet0/0/1] quit
Step 4 Configure interfaces.

# Add Eth0/0/1 to VLAN 10 and VLAN 20 so that Eth0/0/1 allows packets of VLAN 10 and
VLAN 20 to pass through.
[Switch-Ethernet0/0/1] port link-type hybrid
[Switch-Ethernet0/0/1] port hybrid untagged vlan 10 20
# Add Eth0/0/2 to VLAN 10 so that Eth0/0/2 allows packets of VLAN 10 to pass through.
[Switch-Ethernet0/0/2] port link-type trunk
[Switch-Ethernet0/0/2] port trunk allow-pass vlan 10
# Add Eth0/0/3 to VLAN 20 so that Eth0/0/3 allows packets of VLAN 20 to pass through.
[Switch-Ethernet0/0/3] return

After you complete the configuration, run the display protocol-vlan interface all command to
view the protocol-based VLAN assignment on Eth0/0/1.
<Switch> display protocol-vlan interface all
-------------------------------------------------------------------------------
Interface VLAN Index Protocol Type Priority
-------------------------------------------------------------------------------
Ethernet0/0/1 10 0 IPv4 5
Ethernet0/0/1 20 0 IPv6 6
----End
Configuration Files
#
sysname Switch
#
vlan batch 10 20
#
vlan 10
protocol-vlan 0 ipv4
vlan 20
protocol-vlan 0 ipv6
#

port hybrid untagged vlan 10 20
protocol-vlan vlan 10 0 priority 5
protocol-vlan vlan 20 0 priority 6
#
#
#
return
3.2.5 Example for Implementing Inter-VLAN Communication

Using VLANIF Interfaces
Users in an enterprise use different services and locate at different network segments. Users who
use the same service belong to different VLANs and they want to communicate with each other.
As shown in Figure 3-7, User 1 and User 2 use the same service but belong to different VLANs
and locate at different network segments. User 1 wants to communicate with User 2.
Figure 3-7 Networking diagram for implementing inter-VLAN communication using VLANIF
interfaces
Switch
Eth0/0/1 Eth0/0/2
VLANIF10 VLANIF20
10.10.10.2/24 20.20.20.2/24
VLAN 10 VLAN 20
User1 User2
10.10.10.3/24 20.20.20.3/24
1. Create VLANs on the switches for different users.

2. Add interfaces to VLANs so that packets of the VLANs can pass through the interfaces.
3. Create VLANIF interfaces and configure IP addresses for the VLANIF interfaces to
implement Layer 3 communication.
NOTE
To implement communication between VLANs, hosts in each VLAN must use the IP address of the
corresponding VLANIF interface as the gateway address.

Procedure
Step 1 Configure the Switch.
# Create VLANs.
# Add interfaces to VLANs.

# Assign IP addresses to the VLANIF interfaces.

[Quidway] interface vlanif 10
[Quidway-Vlanif10] ip address 10.10.10.2 24
[Quidway-Vlanif10] quit

Configure the IP address 10.10.10.3/24 on user 1's host, configure the VLANIF 10 interface IP
address 10.10.10.2/24 as the gateway address.
Configure the IP address 20.20.20.3/24 on user 1's host, configure the VLANIF 10 interface IP
address 20.20.20.2/24 as the gateway address.
After the preceding configurations are complete, User 1 in VLAN 10 and User 2 in VLAN 20
can communicate.
----End
Configuration Files
#
sysname Quidway
#
vlan batch 10 20
#
interface Vlanif10
ip address 10.10.10.2 255.255.255.0
#
interface Vlanif20
ip address 20.20.20.2 255.255.255.0
#
#
#
return

3.2.6 Example for Configuring VLAN Aggregation
Multiple departments in an enterprise locate at the same network segment. To improve the
service security, assign departments to different VLANs. Some departments need to
communicate.
As shown in Figure 3-8, departments in VLAN 2 and VLAN 3 want to communicate with each
other.
You can configure VLAN aggregation on the switch to isolate VLAN 2 from VLAN 3 at Layer
2 and allow them to communicate at Layer 3. VLAN 2 and VLAN 3 use the same subnet segment,
saving IP addresses.
NOTE
The S2300SI does not support VLAN aggregation.
Figure 3-8 Networking diagram for configuring VLAN aggregation

Switch
Eth0/0/1 Eth0/0/3
Eth0/0/2 Eth0/0/4
VLAN2 VLAN3
VLAN4
VLANIF4:100.1.1.12/24
VLAN 2 VLAN 3
1. Add interfaces of the Switch to sub-VLANs to isolate sub-VLANs at Layer 2.

2. Add the sub-VLANs to a super-VLAN.
3. Configure the IP address for the VLANIF interface.
4. Configure proxy ARP for the super-VLAN to allow sub-VLANs to communicate at Layer
3.

Procedure
Step 1 Set the interface type.
# Configure Eth 0/0/1 as an access interface.
Configurations of Eth0/0/2, Eth0/0/3, and Eth0/0/4 are the same as that of Eth0/0/1.
Step 2 Create VLAN 2 and add Eth0/0/1 and Eth0/0/2 to VLAN 2.
[Quidway] vlan 2
[Quidway-vlan2] port ethernet 0/0/1 0/0/2
Step 3 Create VLAN 3 and add Eth0/0/3 and Eth0/0/4 to VLAN 3.

[Quidway] vlan 3
[Quidway-vlan3] port ethernet 0/0/3 0/0/4
Step 4 Configure VLAN 4.

# Configure the super-VLAN.
[Quidway] vlan 4
[Quidway-vlan4] aggregate-vlan
[Quidway-vlan4] access-vlan 2 to 3
# Configure the VLANIF interface.

[Quidway-Vlanif4] ip address 100.1.1.12 255.255.255.0
Step 5 Configure the PCs.

Configure an IP address for each PC. Ensure that the PC IP addresses are in the same network
segment as VLAN 4.
When the configuration is complete, the PCs and the Switch can ping each other, but the PCs in
VLAN 2 and the PCs in VLAN 3 cannot ping each other. You need to configure proxy ARP on
the switch.
Step 6 Configure proxy ARP.
[Quidway-Vlanif4] arp-proxy inter-sub-vlan-proxy enable

When the configuration is complete, the PCs in VLAN 2 and VLAN 3 can ping each other.
----End
Configuration Files
#
sysname Quidway
#

vlan batch 2 to 4
#
vlan 4
aggregate-vlan
access-vlan 2 to 3
#
interface Vlanif4
ip address 100.1.1.12 255.255.255.0
arp-proxy inter-sub-vlan-proxy enable
#
port default vlan 2
#
port default vlan 2
#
port default vlan 3
#
port default vlan 3
#
return
3.2.7 Example for Configuring MUX VLAN

On an enterprise network, all users can access the enterprise server. Some users need to
communicate with each other, whereas some users must be isolated each other.
As shown in Figure 3-9, MUX VLAN can be configured on the Switch to meet the enterprise's
requirements using fewer VLAN IDs. In addition, MUX VLAN reduces the configuration
workload of the network administrator, and facilitates network maintenance.
NOTE
The S2300 does not support MUX VLAN.
Figure 3-9 MUX VLAN configuration

Switch
Eth0/0/1 Server
VLAN2
(Principal VLAN)
Eth0/0/2 Eth0/0/5
Eth0/0/3 Eth0/0/4
HostB HostC HostD HostE

VLAN3(Group VLAN) VLAN4(Separate VLAN)

1. Configure the principal VLAN.
2. Configure the group VLAN.
3. Configure the separate VLAN.
4. Add interfaces to the VLANs and enable the MUX VLAN function.
Procedure
Step 1 Configure the MUX VLAN.
# Create VLAN 2, VLAN 3, and VLAN 4.
# Configure the principal VLAN, subordinate VLANs.

[Quidway] vlan 2
[Quidway-vlan2] mux-vlan
[Quidway-vlan2] subordinate group 3
[Quidway-vlan2] subordinate separate 4
# Add interfaces to the VLANs and enable the MUX VLAN function on the interfaces.
[Quidway-Ethernet0/0/1] port mux-vlan enable

l Server can ping Hosts B to E. Hosts B to E can also ping Server.
l Host B and Host C can ping each other.
l Host D and Host E cannot ping each other.
l Host B and Host C cannot ping Host D or host E. Host D and Host E cannot ping Host B or
Host C.
----End

Configuration Files
#
sysname Quidway
#
vlan batch 2 to 4
#
vlan 2
mux-vlan
subordinate separate 4
subordinate group 3
#
port default vlan 2
port mux-vlan enable
#
port default vlan 3
#
port default vlan 3
#
port default vlan 4
#
port default vlan 4
#
return
3.3 Voice VLAN Configuration

This chapter describes voice VLAN concepts and how to configure voice VLAN.
NOTE
The S2300SI does not support Voice VLAN.
3.3.1 Example for Configuring a Voice VLAN in Auto Mode

As shown in Figure 3-10, data flows of the HSI, VoIP, and IPTV services are transmitted on
the network. Users require high quality of the VoIP service. Therefore, voice data flows must
be transmitted with a high priority.

Figure 3-10 Configuring a voice VLAN in auto mode

DHCP Server
Internet
Switch
Eth0/0/1
HG
HSI VoIP IPTV
1. Create VLANs and VLANIF interfaces on Switch and configure interfaces so that users
can access the WAN.
2. Configure a voice VLAN and set the mode in which interfaces are added to the voice VLAN
to auto so that voice data packets are transmitted in the voice VLAN with a high priority.
Procedure
Step 1 Create VLANs and configure the interface on the Switch.
# Create VLAN 2 and VLAN 6.
# Configure the link type and default VLAN of the interface.

Step 2 Configure the voice VLAN on the Switch.

# Configure the voice VLAN on the interface.
[Quidway-Ethernet0/0/1] voice-vlan 2 enable
# Set the voice VLAN mode to auto so that the interface can be automatically added to or deleted
from the voice VLAN.

[Quidway-Ethernet0/0/1] voice-vlan mode auto

# Set the OUI of the voice VLAN.

[Quidway] voice-vlan mac-address 0011-2200-0000 mask ffff-ff00-0000
# Set the working mode of the voice VLAN.

[Quidway-Ethernet0/0/1] voice-vlan security enable

Run the display voice-vlan oui command to check the OUI of the voice VLAN.
<Quidway> display voice-vlan oui
---------------------------------------------------
OuiAddress Mask Description
---------------------------------------------------
0011-2200-0000 ffff-ff00-0000
Run the display voice-vlan 2 status command to check the voice VLAN mode, voice security
mode, and voice VLAN aging time.
<Quidway> display voice-vlan 2 status
Voice VLAN Configurations:
---------------------------------------------------
Voice VLAN ID : 2
Voice VLAN status : Enable
Voice VLAN aging time : 1440 (minutes)
Voice VLAN 8021p remark : 6
Voice VLAN dscp remark : 46
----------------------------------------------------------
Port Information:
-----------------------------------------------------------
Port Add-Mode Security-Mode Legacy
-----------------------------------------------------------
Ethernet0/0/1 Auto Security Disable
----End
Configuration Files
#
sysname Quidway
#
vlan batch 2 6
#
voice-vlan mac-address 0011-2200-0000 mask ffff-ff00-0000
#
voice-vlan 2 enable
#
return

3.3.2 Example for Configuring a Voice VLAN in Manual Mode
As shown in Figure 3-11, data flows of the HSI, VoIP, and IPTV services are transmitted on
the network. Users require high quality of the VoIP service. Therefore, voice data flows must
be transmitted with a high priority.
Figure 3-11 Configuring a voice VLAN in manual mode

DHCP Server
Internet
Switch
Eth0/0/1
HG
HSI VoIP IPTV
1. Create VLANs and VLANIF interfaces on Switch and configure interfaces so that users
can access the WAN.
2. Configure a voice VLAN and set the mode in which interfaces are added to the voice VLAN
to manual so that voice data packets are transmitted in the voice VLAN with a high priority.
Procedure
Step 1 Create VLANs and configure the interface on the Switch.

# Configure the link type and default VLAN of the interface.



Step 2 Configure the voice VLAN on the Switch.

# Configure the voice VLAN on the interface.
# Set the voice VLAN mode to manual and add the interface to the voice VLAN.
[Quidway-Ethernet0/0/1] voice-vlan mode manual
# Set the OUI of the voice VLAN.

[Quidway] voice-vlan mac-address 0011-2200-0000 mask ffff-ff00-0000
# Set the working mode of the voice VLAN.

[Quidway-Ethernet0/0/1] voice-vlan security enable

Run the display voice-vlan oui command to check the OUI of the voice VLAN.
<Quidway> display voice-vlan oui
---------------------------------------------------
OuiAddress Mask Description
---------------------------------------------------
0011-2200-0000 ffff-ff00-0000
Run the display voice-vlan 2 status command to check the voice VLAN mode, voice security
mode, and voice VLAN aging time.
---------------------------------------------------
Voice VLAN ID : 2
Voice VLAN aging time : 1440 (minutes)
----------------------------------------------------------
Port Information:
-----------------------------------------------------------
-----------------------------------------------------------
Ethernet0/0/1 Manual Security Disable
----End
Configuration Files
#
sysname Quidway
#
vlan batch 2 6
#
voice-vlan mac-address 0011-2200-0000 mask ffff-ff00-0000
#
voice-vlan 2 enable

voice-vlan mode manual

#
return
3.4 QinQ Configuration

This chapter describes the concepts and configuration procedure of 802.1Q-in-802.1Q (QinQ),
and provides configuration examples.
NOTE
The S2300SI does not support QinQ.
3.4.1 Example for Configuring basic QinQ
As shown in Figure 3-12, there are two enterprises on the network, Enterprise 1 and Enterprise
2. Enterprise 1 has two office locations, and Enterprise 2 has 2 office locations. The office
locations of the two enterprises access SwitchA and SwitchB of the ISP network. A non-Huawei
device with the TPID value 0x9100 exists on the public network.
The requirements are as follows:
l Enterprise 1 and Enterprise 2 plans their VLANs independently.
l Traffic of the two branches is transparently transmitted on the public network. Users using
the same services in the two branches are allowed to communicate and users using different
services are isolated.
You can configure QinQ to meet the preceding requirements. VLAN 100 provided by the public
network can be used to implement communication of Enterprise 1 in the two branches and VLAN
200 is used for Enterprise 2. You can set the TPID value in the outer VLAN on the interface that
connects the non-Huawei device to implement communication between devices.

Figure 3-12 Configuring basic QinQ
ISP
VLAN 100,200
TPID=0x9100
Eth0/0/3 Eth0/0/3
Switch A Switch B
Eth0/0/1 Eth0/0/2 Eth0/0/1 Eth0/0/2
Enterprise 1 Enterprise 2 Enterprise 1 Enterprise 2

VLAN 10 to 50 VLAN 20 to 60 VLAN 10 to 50 VLAN 20 to 60
1. Configure VLAN 100 and VLAN 200 on both SwitchA and SwitchB. Set the link type of
the interface to QinQ and add the interfaces to VLAN. In this way, different outer VLAN
tags are added to different services.
2. Add interfaces connecting to the public network on SwitchA and SwitchB to VLAN 100
and VLAN 200 to permit packets from these VLANs to pass through.
3. Set the TPID values in the outer VLAN tag on interfaces connecting to the public network
on SwitchA and SwitchB to implement communication between the device with devices
from other vendors.
Procedure
# Create VLAN 100 and VLAN 200 on SwitchA.

# Create VLAN 100 and VLAN 200 on SwitchB.

[SwitchB] vlan batch 100 200

Step 2 Set the link type of the interface to QinQ.

# Configure Eth0/0/1 and Eth0/0/2 of SwitchA as QinQ interfaces. Set the VLAN of Eth0/0/1
to VLAN 100 and the VLAN of Eth0/0/2 to VLAN 200.
[SwitchA-Ethernet0/0/1] port link-type dot1q-tunnel
[SwitchA-Ethernet0/0/2] port link-type dot1q-tunnel
# Configure Eth0/0/1 and Eth0/0/2 of SwitchB as QinQ interfaces. Set the VLAN of Eth0/0/1
to VLAN 100 and the VLAN of Eth0/0/2 to VLAN 200. The configuration procedure of SwitchB
is the same as that of SwitchA.
Step 3 Configure the interface connecting to the public network on the switch.
# Add Eth0/0/3 of SwitchA to VLAN 100 and VLAN 200.
# Add Eth0/0/3 of SwitchB to VLAN 100 and VLAN 200. The configuration procedure of
SwitchB is the same as that of SwitchA.
Step 4 Configure the TPID value for an outer VLAN tag
# Set the TPID value of an outer VLAN tag to 0x9100 on SwitchA.
[SwitchA-Ethernet0/0/3] qinq protocol 9100
# Set the TPID value of an outer VLAN tag to 0x9100 on SwitchB.

[SwitchB] interface ethernet 0/0/3
[SwitchB-Ethernet0/0/3] qinq protocol 9100

In Enterprise 1, ping a PC of a VLAN in a branch from a PC of the same VLAN in another
branch. If the two PCs can ping each other, internal users of Enterprise 1 can communicate.
In Enterprise 2, ping a PC of a VLAN in a branch from a PC of the same VLAN in another
branch. If the two PCs can ping each other, internal users of Enterprise 2 can communicate.
Ping a PC in a VLAN of Enterprise 2 in a branch from a PC in the same VLAN of Enterprise 1
in either branch. If the two PCs cannot ping each other, users in Enterprise 1 and Enterprise 2
are isolated.
----End
Configuration Files
#
sysname SwitchA
#
vlan batch 100 200

#
port link-type dot1q-tunnel
#
#
qinq protocol 9100
#
return
#
sysname SwitchB
#
vlan batch 100 200
#
#
#
qinq protocol 9100
#
return
3.4.2 Example for Configuring Selective QinQ
As shown in Figure 3-13, Internet access users (using PCs) and VoIP users (using VoIP
terminals) connect to the ISP network through SwitchA and SwitchB and communicate with
each other through the ISP network.
It is required that packets of PCs and VoIP terminals be tagged VLAN 2 and VLAN 3 when the
packets are transmitted through the ISP network.
NOTE
Only the S3300 supports Selective QinQ.

Figure 3-13 Networking diagram for configuring selective QinQ
SwitchA SwitchB
Eth0/0/2 Eth0/0/2
Network
Eth0/0/1 Eth0/0/1
PC VoIP VoIP PC
1. Create VLANs on SwitchA and SwitchB.
2. Configure link types of interfaces on SwitchA and SwitchB and add interfaces to VLANs.
3. Configure selective QinQ on the interfaces of SwitchA and SwitchB.
Procedure
# On SwitchA, create VLAN 2 and VLAN 3, that is, VLAN IDs of the outer VLAN tag to be
added.
# On SwitchB, create VLAN 2 and VLAN 3, that is, VLAN IDs of the outer VLAN tag to be
added.
Step 2 Configure selective QinQ on interfaces.

# Configure Eth0/0/1 on SwitchA.
[SwitchA-Ethernet0/0/1] port link-type hybrid
[SwitchA-Ethernet0/0/1] port hybrid untagged vlan 2 3
[SwitchA-Ethernet0/0/1] qinq vlan-translation enable
[SwitchA-Ethernet0/0/1] port vlan-stacking vlan 100 stack-vlan 2
# Configure Eth0/0/1 on SwitchB.

[SwitchB-Ethernet0/0/1] port link-type hybrid

[SwitchB-Ethernet0/0/1] port hybrid untagged vlan 2 3

[SwitchB-Ethernet0/0/1] qinq vlan-translation enable
[SwitchB-Ethernet0/0/1] port vlan-stacking vlan 100 stack-vlan 2
[SwitchB-Ethernet0/0/1] port vlan-stacking vlan 300 stack-vlan 3
[SwitchB-Ethernet0/0/1] quit
Step 3 Configure other interfaces.

# Add Eth0/0/2 to VLAN 2 and VLAN 3 on SwitchA.
# Add Eth0/0/2 to VLAN 2 and VLAN 3 on SwitchB.

[SwitchB-Ethernet0/0/2] port link-type trunk
[SwitchB-Ethernet0/0/2] port trunk allow-pass vlan 2 3

# View the interface configuration on SwitchA.
<SwitchA> display current-configuration interface ethernet 0/0/1
#
qinq vlan-translation enable
port hybrid untagged vlan 2 to 3
port vlan-stacking vlan 100 stack-vlan 2
#
return
<SwitchA> display current-configuration interface ethernet 0/0/2
#
#
return
# View the interface configuration on SwitchB.

<SwitchB> display current-configuration interface ethernet 0/0/1
#
#
return
<SwitchB> display current-configuration interface ethernet 0/0/2
#
#
return
If the configurations on SwitchA and SwitchB are correct:
l PCs can communicate with each other through the ISP network.
l VoIP terminals can communicate with each other through the ISP network.
----End

Configuration Files
#
sysname SwitchA
#
vlan batch 2 to 3
#
#
#
return

#
sysname SwitchB
#
vlan batch 2 to 3
#
#
#
return
3.4.3 Example for Configuring Selective QinQ with VLAN

Mapping
As shown in Figure 3-14, the Internet access, IPTV, and VoIP services are provided for users
through home gateways.
The corridor switches allocate VLANs to the services as follows:
l VLANs for the Internet access service of different users: VLAN 1000 to VLAN 1100
l Shared VLAN for the IPTV service: VLAN 1101
l Shared VLAN for the VoIP service: VLAN 1102
l Shared VLAN for home gateways: VLAN 1103
Each community switch is connected to 50 downstream corridor switches, and maps the VLAN
IDs in the Internet access service packets from the corridor switches to VLAN 101 to VLAN
150.
The aggregate switch of the carrier is connected to 50 downstream community switches, and
adds outer VLAN IDs 21 to 70 to the packets sent from the community switches.
NOTE
Only the S3300 supports Selective QinQ.

Figure 3-14 Networking diagram for configuring selective QinQ-VLAN mapping
ME60
Internet
Aggregate switch of carrier SwitchA

Eth0/0/1
…… ……
Eth0/0/2
Community SwitchB
switch Eth0/0/1
…… …… …… ……
Corridor
switch
…… …… …… ……
Home
gateway
1. Create VLANs on SwitchA and SwitchB.

2. Configure VLAN mapping on SwitchB and add Eth 0/0/1 and Eth 0/0/2 to the VLANs.
3. Configure selective QinQ on SwitchA and add Eth 0/0/1 to VLANs.
4. Add other downlink interfaces of SwitchA and SwitchB to the VLANs. The configurations
are similar to the configurations of their Eth 0/0/1 interfaces
5. Configure other community switches. The configuration is similar to the configuration on
SwitchB.
Procedure
# Create VLANs.
[SwitchA] vlan batch 21 to 70 1101 to 1103

[SwitchA-Ethernet0/0/1] port hybrid untagged vlan 21

[SwitchA-Ethernet0/0/1] port hybrid tagged vlan 1101 to 1103

# Configure selective QinQ on interfaces.

[SwitchA-Ethernet0/0/1] port vlan-stacking vlan 101 to 150 stack-vlan 21

# Create VLANs.
[SwitchB] vlan batch 101 to 150 1000 to 1103

[SwitchB-Ethernet0/0/1] port hybrid tagged vlan 101 1000 to 1103
[SwitchB-Ethernet0/0/2] port hybrid tagged vlan 101 to 150 1101 to 1103
# Configure VLAN mapping on interfaces.

[SwitchB-Ethernet0/0/1] qinq vlan-translation enable
[SwitchB-Ethernet0/0/1] port vlan-mapping vlan 1000 to 1100 map-vlan 101

The Internet access service, IPTV service, and VoIP service can be used.
----End
Configuration Files
Configuration file of Switch A
#
sysname SwitchA
#
vlan batch 21 to 70 1101 to 1103
#
port hybrid tagged vlan 1101 to 1103
port vlan-stacking vlan 101 to 150 stack-vlan 21
#
return
Configuration file of Switch B

#
sysname SwitchB
#
vlan batch 101 to 150 1000 to 1103
#
port hybrid tagged vlan 101 1000 to 1103
port vlan-mapping vlan 1000 to 1100 map-vlan 101

#
port hybrid tagged vlan 101 to 150 1101 to 1103
#
return
3.4.4 Example for Configuring QinQ Stacking on a VLANIF

Interface
The management VLAN is deployed on the remote SwitchB and the VLAN ID of SwitchA is
the same as the management VLAN ID. However, the VLAN ID provided by the carrier is
different from the management VLAN ID. To remotely log in to the remote SwitchB on SwitchA,
you can configure VLAN stacking according to this example. As shown in Figure 3-15, SwitchA
is connected to the remote SwitchB through the third-party network. The management VLAN
is deployed on the remote SwitchB and the VLAN ID of SwitchA is the same as the management
VLAN ID. However, the VLAN ID provided by the carrier is different from the management
VLAN ID.
Figure 3-15 Networking diagram for configuring QinQ stacking on the VLANIF interface
20 10 IP
SwitchB
Eth0/0/2 Eth0/0/2
Internet
SwitchA Eth0/0/1
10 IP
Eth0/0/2
Eth0/0/1 SwitchC
user1
VLAN 10
To remotely log in to the remote SwitchB for managing VLAN services on SwitchA, you can
configure QinQ stacking on the VLANIF interface corresponding to the management VLAN on
SwitchB.
NOTE
When configuring QinQ stacking on a VLANIF interface, ensure that the VLANIF interface corresponds
to the management VLAN. VLANIF interfaces corresponding to other VLANs do not support QinQ
stacking.

1. Configure QinQ on SwitchA.

2. Do as follows on the remote SwitchB:
a. Create VLAN 10 and configure VLAN 10 as the management VLAN.
b. Create a VLANIF interface on VLAN 10.
c. Configure QinQ stacking on the VLANIF interface.
Procedure
# Allow packets from VLAN 10 to pass through Eth0/0/1 and Eth0/0/2.

[SwitchC] vlan batch 10
[SwitchC] interface ethernet 0/0/1
[SwitchC-Ethernet0/0/1] port hybrid tagged vlan 10
[SwitchC-Ethernet0/0/1] quit
[SwitchC-Ethernet0/0/2] port hybrid tagged vlan 10
# Configure QinQ so that the packets sent from SwitchA to the remote SwitchB carry double
tags.
[SwitchA] vlan batch 20
[SwitchA-Ethernet0/0/2] port hybrid tagged vlan 20
Step 3 Configure the remote SwitchB.
# Permit packets from VLAN 20 to pass through Eth0/0/2.

[SwitchB-Ethernet0/0/2] port hybrid tagged vlan 10 20
# Configure QinQ stacking.

[SwitchB] vlan 10
[SwitchB-vlan10] management-vlan
[SwitchB-vlan10] quit
[SwitchB] interface vlanif 10
[SwitchB-Vlanif10] undo icmp host-unreachable send
[SwitchB-Vlanif10] qinq stacking vlan 20
[SwitchB-Vlanif10] ip address 10.10.10.1 24
[SwitchB-Vlanif10] quit

You can log in to the remote SwitchB for managing VLAN services on SwitchA.
----End
Configuration Files
#
sysname SwitchA
#
vlan batch 20
#
#
#
return
l Configuration file of SwitchC

#
sysname SwitchC
#
vlan batch 10
#
#
#
return
l Configuration file of the remote SwitchB

#
sysname SwitchB
#
vlan batch 10 20
#
vlan 10
management-vlan
#
interface Vlanif10
ip address 10.10.10.1 255.255.255.0
undo icmp host-unreachable send
qinq stacking vlan 20
#
port hybrid tagged vlan 10 20
#
return
3.5 GVRP Configuration

This chapter describes basic GVRP concepts, GVRP configuration procedures, and concludes
with a GVRP configuration example.
Context
NOTE
The S2300SI does not support GVRP.

3.5.1 Example for Configuring GVRP
As shown in Figure 3-16, company A, a branch of company A, and company B are connected
using switches. To implement dynamic VLAN registration, enable GVRP. The branch of
company A can communicate with the headquarters using SwitchA and SwitchB. Company B
can communicate with company A using SwitchB and SwitchC. Interfaces connected to
company A allow only the VLAN to which company B belongs to pass.
Figure 3-16 Configuring GVRP

SwitchB
Eth0/0/1 Eth0/0/2
Eth0/0/1 Eth0/0/1 SwitchC
SwitchA
Company A
Eth0/0/2 Eth0/0/2
Branch of
Company B
company A
1. Enable GVRP to implement dynamic VLAN registration.
2. Configure GVRP on all switches of company A and set the registration mode to normal for
the interfaces to simplify configurations.
3. Configure GVRP on all switches of company A and set the registration mode to fixed for
the interfaces connecting to company A to allow only the VLAN to which company B
belongs to pass.
Procedure
# Enable GVRP globally.
[SwitchA] gvrp
# Set the link type of Eth 0/0/1 and Eth 0/0/2 to trunk and configure the interfaces to allow all
VLANs to pass through.
[SwitchA-Ethernet0/0/1] port trunk allow-pass vlan all


[SwitchA-Ethernet0/0/2] port trunk allow-pass vlan all
# Enable GVRP and set the registration mode on the interfaces.

[SwitchA-Ethernet0/0/1] gvrp
[SwitchA-Ethernet0/0/1] gvrp registration normal
[SwitchA-Ethernet0/0/2] gvrp
[SwitchA-Ethernet0/0/2] gvrp registration normal
The configuration of SwitchB is similar to the configuration of SwitchA, and is not mentioned
here.
# Create VLAN 101 to VLAN 200.
[SwitchC] vlan batch 101 to 200
# Enable GVRP globally.

[SwitchC] gvrp
# Set the link type of Eth 0/0/1 and Eth 0/0/2 to trunk and configure the interfaces to allow all
VLANs to pass through.
[SwitchC-Ethernet0/0/1] port link-type trunk
[SwitchC-Ethernet0/0/1] port trunk allow-pass vlan all
[SwitchC-Ethernet0/0/2] port trunk allow-pass vlan all
# Enable GVRP and set the registration mode on the interfaces.

[SwitchC-Ethernet0/0/1] gvrp
[SwitchC-Ethernet0/0/1] gvrp registration fixed
[SwitchC-Ethernet0/0/2] gvrp
[SwitchC-Ethernet0/0/2] gvrp registration normal

After the configuration is complete, the branch of Company A can communicate with the
headquarters, and users of Company A in VLAN 101 to VLAN 200 can communicate with users
in Company B.
Run the display gvrp status command on SwitchA to check whether GVRP is enabled globally.
The following information is displayed:
<SwitchA> display gvrp status
GVRP is enabled
Run the display gvrp statistics command on SwitchA to view GVRP statistics on GVRP
interfaces, including the GVRP state of each interface, number of GVRP registration failures,
source MAC address of the last GVRP PDU, and registration mode of each interface.

<SwitchA> display gvrp statistics

GVRP statistics on port Ethernet0/0/1
GVRP status : Enabled
GVRP registrations failed : 0
GVRP last PDU origin : 0000-0000-0000
GVRP registration type : Normal
GVRP statistics on port Ethernet0/0/2

GVRP status : Enabled
GVRP registrations failed : 0
GVRP last PDU origin : 0000-0000-0000
GVRP registration type : Normal
Verify the configurations of SwitchB and SwitchC in the same way.
----End
Configuration Files
#
sysname SwitchA
#
gvrp
#
gvrp
#
gvrp
#
return

#
sysname SwitchB
#
gvrp
#
gvrp
#
gvrp
#
return

#
sysname SwitchC
#
vlan batch 101 to 200
#
gvrp
#
gvrp
gvrp registration fixed

#
gvrp
#
return
3.6 MAC Address Table Configuration

This chapter provides the basics for MAC address table configuration, configuration procedure,
and configuration examples.
3.6.1 Example for Configuring the MAC Address Table
As shown in Figure 3-17, the MAC address of the user host PC1 is 0002-0002-0002 and that
of the user host PC2 is 0003-0003-0003. PC1 and PC2 are connected to the Switch through the
LSW. The LSW is connected to Eth0/0/1 of the Switch, which belongs to VLAN 2. The MAC
address of the server is 0004-0004-0004. The server is connected to Eth0/0/2 of the Switch.
Eth0/0/2 belongs to VLAN 2.
l To prevent hackers from using MAC addresses to attack the network, configure two static
MAC address entries for each user host on the Switch.
l To prevent hackers from stealing user information by forging the MAC address of the
server, configure a static MAC address entry on the Switch for the server.
Figure 3-17 Configuring the MAC address table
Network Server
Switch MAC address: 4-4-4

Eth0/0/2
Eth0/0/1
LSW
PC1 PC2
MAC address: 2-2-2 MAC address: 3-3-3

1. Create a VLAN and add an interface to the VLAN to implement Layer 2 forwarding.
2. Configure static MAC address entries to prevent MAC address attacks.
3. Configure the aging time of dynamic MAC address entries to update the entries.
Procedure
Step 1 Configure static MAC address entries.
# Create VLAN 2 and add Ethernet0/0/1 and Ethernet0/0/2 to VLAN 2.
[Switch] vlan 2
[Switch-vlan2] quit
[Switch-Ethernet0/0/1] port hybrid pvid vlan 2
[Switch-Ethernet0/0/1] port hybrid untagged vlan 2
# Configure a static MAC address entry.

[Switch] mac-address static 2-2-2 Ethernet 0/0/1 vlan 2
Step 2 Set the aging time of a dynamic MAC address entry.

[Switch] mac-address aging-time 500

# Run the display mac-address command in any view to check whether the static MAC address
entries are successfully added to the MAC address table.
[Switch] display mac-address static vlan 2
-------------------------------------------------------------------------------
MAC Address VLAN/VSI Learned-From Type
-------------------------------------------------------------------------------
0002-0002-0002 2/- Eth0/0/1 static
0003-0003-0003 2/- Eth0/0/1 static
0004-0004-0004 2/- Eth0/0/2 static
-------------------------------------------------------------------------------
Total items displayed = 3
# Run the display mac-address aging-time command in any view to check whether the aging
time of dynamic entries is set successfully.
[Switch] display mac-address aging-time
Aging time: 500 seconds
----End
Configuration Files
#
sysname Switch
#
vlan batch 2
#

mac-address aging-time 500

#
#
#
mac-address static 0002-0002-0002 Ethernet0/0/1 vlan 2
#
return
3.6.2 Example for Configuring MAC Address Learning in a VLAN
As shown in Figure 3-18, user network 1 is connected to Switch on the Ethernet0/0/1 through
an LSW. User network 2 is connected to Switch on the Ethernet0/0/2 through another LSW.
Both Ethernet0/0/1 and Ethernet0/0/2 belong to VLAN 2. To prevent MAC address attacks and
limit the number of access users on the device, limit MAC address learning on all the interfaces
in VLAN 2.
NOTE
Only the S3300 supports limiting the number of MAC addresses learned in a VLAN.
Figure 3-18 Networking diagram for MAC address limiting in a VLAN
Network
Switch
Eth0/0/1 Eth0/0/2
LSW LSW
User User
network 1 VLAN 2 network 2

1. Create a VLAN and add an interface to the VLAN to implement Layer 2 forwarding.
2. Limit MAC address learning on all the interfaces in the VLAN to prevent MAC address
attacks and limit the number of access users.
Procedure
Step 1 Limit MAC address learning.
# Add Ethernet0/0/1 and Ethernet0/0/2 to VLAN 2.

[Switch] vlan 2
[Switch-vlan2] quit
# Configure the following MAC address limiting rule in VLAN 2: A maximum of 100 MAC
addresses can be learned. When the number of learned MAC addresses reaches the limit, the
device and sends an alarm.
[Switch] vlan 2
[Switch-vlan2] mac-limit maximum 100 alarm enable
[Switch-vlan2] quit
# Run the display mac-limit command in any view to check whether the MAC address limiting
rule is successfully configured.
<Switch> display mac-limit
MAC Limit is enabled
Total MAC Limit rule count : 1
PORT VLAN/VSI/SI SLOT Maximum Rate(ms) Action Alarm

----------------------------------------------------------------------------
- 2 - 100 - forward enable
----End
Configuration Files
The following lists only the configuration file of Switch.
#
sysname Switch
#
vlan batch 2
#
vlan 2
mac-limit maximum 100
#
#

#
return
3.6.3 Example for Configuring Port Security
As shown in Figure 3-19, a company wants to prevent computers of non-employees from
accessing the intranet of the company to protect information security. To achieve this goal, the
company needs to enable port security on the interface connected to computers of employees
and set the maximum number of MAC addresses learned by the interface to be the same as the
number of trusted computers.
NOTE
The S2300SI does not support Port Security.
Figure 3-19 Network diagram of port security
Intranet
Switch
Eth0/0/1
VLAN 10
SwitchA
PC1 PC2 PC3
1. Configure a VLAN to implement Layer 2 forwarding.

2. Configure port security to prevent the learned MAC addresses from aging.
Procedure
Step 1 Create a VLAN and set the link type of the interface.
[Switch] vlan 10


Step 2 Configure port security.

# Enable port security.
[Switch-Ethernet0/0/1] port-security enable
# Enable the sticky MAC function.

[Switch-Ethernet0/0/1] port-security mac-address sticky
# Configure the security protection action.

[Switch-Ethernet0/0/1] port-security protect-action protect
# Set the limit on the number of MAC addresses that can be learned on the interface.
[Switch-Ethernet0/0/1] port-security max-mac-num 4
To enable the port security function on other interfaces, repeat the preceding steps.
If PC1 is replaced by another device, the device cannot access the intranet of the company.
----End
Configuration Files
Configuration file of the switch
#
sysname Switch
#
vlan batch 10
#
port-security enable
port-security protect-action protect
port-security max-mac-num 4
port-security mac-address sticky
#
return
3.7 STP/RSTP Configuration

The Spanning Tree Protocol (STP) trims a ring network into a loop-free tree network. It prevents
replication and circular propagation of packets. The Rapid Spanning Tree Protocol (RSTP) was
developed based on STP to implement faster convergence. RSTP defines edge ports and provides
protection functions.
3.7.1 Example for Configuring Basic STP Functions

Network designers tend to deploy multiple physical links between two devices (one link is the
master and the others are backups) to fulfill network redundancy requirements. Loops are bound
to occur on such types of complex networks.

Loops will cause broadcast storms, which exhaust network resources and paralyze the network.
Loops also cause MAC address flapping that damages MAC address entries.
STP can be deployed on a network to eliminate loops by blocking some ports. On the network
shown in Figure 3-20, after SwitchA, SwitchB, SwitchC, and SwitchD running STP discover
loops by exchanging information, they trim the ring topology into a loop-free tree topology by
blocking a certain port. STP prevents replication and circular propagation of packets on the
network and the release the switching devices from processing duplicate packets, improving
their processing performance.
Figure 3-20 Configuring basic STP functions
Network
Eth0/0/3 Eth0/0/3
Root
SwitchD Eth0/0/1 Eth0/0/1
Bridge
Eth0/0/2 Eth0/0/2 SwitchA
STP
Eth0/0/3 Eth0/0/3
SwitchC SwitchB
Eth0/0/1 Eth0/0/1
Eth0/0/2 Eth0/0/2
PC1 PC2
Blocked port
1. Configure basic STP functions, including:
a. Configure the STP mode for the ring network.
b. Configure primary and secondary root bridges.
c. Set path costs for ports to block certain ports.
d. Enable STP to eliminate loops.
NOTE
STP is not required on the interfaces connected to terminals because these interfaces do not
need to participate in STP calculation.

Procedure
Step 1 Configure basic STP functions.
1. Configure the STP mode for the devices on the ring network.
# Configure the STP mode on SwitchA.
[SwitchA] stp mode stp
# Configure the STP mode on SwitchB.

[SwitchB] stp mode stp
# Configure the STP mode on SwitchC.

[SwitchC] stp mode stp
# Configure the STP mode on SwitchD.

[Quidway] sysname SwitchD
[SwitchD] stp mode stp
2. Configure primary and secondary root bridges.

# Configure SwitchA as a primary root bridge.
[SwitchA] stp root primary
# Configure SwitchD as a secondary root bridge.

[SwitchD] stp root secondary
3. Set path costs for ports in each spanning tree to block certain ports.
NOTE
l The values of path costs depend on the path-cost calculation method. Huawei calculation method
is used in this example, and the path cost of the blocked port is set to 20000 (the highest value
in the range).
l All switching devices on a network must use the same path cost calculation method.
# On Switch A, configure the path cost calculation method as the Huawei proprietary
method.
[SwitchA] stp pathcost-standard legacy
# On Switch B, configure the path cost calculation method as the Huawei proprietary
method.
[SwitchB] stp pathcost-standard legacy
# Set the path cost of Ethernet0/0/1 on SwitchC to 20000.

[SwitchC] stp pathcost-standard legacy
[SwitchC-Ethernet0/0/1] stp cost 20000
# On SwitchD, configure the path cost calculation method as the Huawei proprietary
method.
[SwitchD] stp pathcost-standard legacy
4. Enable STP to eliminate loops.

l Disable STP on interfaces connected to PCs.
# Disable STP on Ethernet 0/0/2 on SwitchB.

[SwitchB-Ethernet0/0/2] stp disable

# Disable STP on Ethernet 0/0/2 on SwitchC.

[SwitchC-Ethernet0/0/2] stp disable
l Enable STP globally.

# Enable STP globally on SwitchA.
[SwitchA] stp enable
# Enable STP globally on SwitchB.

[SwitchB] stp enable
# Enable STP globally on SwitchC.

[SwitchC] stp enable
# Enable STP globally on SwitchD.

[SwitchD] stp enable
After the previous configurations, run the following commands to verify the configuration when
the network is stable:
# Run the display stp brief command on SwitchA to view the interface status and protection
type. The displayed information is as follows:
[SwitchA] display stp brief
MSTID Port Role STP State Protection
0 Ethernet0/0/1 DESI FORWARDING NONE
After SwitchA is configured as a root bridge, Ethernet 0/0/2 and Ethernet 0/0/1 connected to
SwitchB and SwitchD respectively are elected as designated ports in spanning tree calculation.
# Run the display stp interface ethernet 0/0/1 brief command on SwitchB to view status of
Ethernet 0/0/1. The displayed information is as follows:
[SwitchB] display stp interface ethernet 0/0/1 brief
Ethernet 0/0/1 is elected as a designated port in spanning tree calculation and is in the Forwarding
state.
# Run the display stp brief command on SwitchC to view the interface status and protection
[SwitchC] display stp brief
0 Ethernet0/0/1 ALTE DISCARDING NONE
0 Ethernet0/0/3 ROOT FORWARDING NONE
Ethernet 0/0/3 is elected as a root port in spanning tree calculation and is in the Forwarding state.
Ethernet 0/0/1 is elected as an alternate port in spanning tree calculation and is in the Discarding
state.
----End

Configuration Files
#
sysname SwitchA
#
stp mode stp
stp instance 0 root primary
stp pathcost-standard legacy
#
return

#
sysname SwitchB
#
stp mode stp
#
stp disable
#
return

#
sysname SwitchC
#
stp mode stp
#
stp instance 0 cost 20000
#
stp disable
#
return
l Configuration file of SwitchD

#
sysname SwitchD
#
stp mode stp
stp instance 0 root secondary
#
return
3.7.2 Example for Configuring Basic RSTP Functions

On a complex network, loops are inevitable. With the requirement for network redundancy
backup, network designers tend to deploy multiple physical links between two devices, one of
which is the master and the others are the backup. Loops are likely or bound to occur in such a
situation.
Loops will cause broadcast storms, thereby exhausting network resources and paralyzing the
network. Loops also cause flapping of MAC address tables and damage MAC address entries.
RSTP can be deployed on a network to eliminate loops by blocking some ports. On the network
shown in Figure 3-21, after SwitchA, SwitchB, SwitchC, and SwitchD running RSTP discover
loops on the network by exchanging information with each other, they trim the ring topology

into a loop-free tree topology by blocking a certain port. In this manner, replication and circular
propagation of packets are prevented on the network and the switching devices are released from
processing duplicated packets, thereby improving their processing performance.
Figure 3-21 Configuring basic RSTP configurations
Network
Eth0/0/3 Eth0/0/3
Root
SwitchD Eth0/0/1 Eth0/0/1
Bridge
RSTP
Eth0/0/3 Eth0/0/3
SwitchC SwitchB
Eth0/0/1 Eth0/0/1
Eth0/0/2 Eth0/0/2
PC1 PC2
Blocked port
1. Configure basic RSTP functions, including:
a. Configure the RSTP mode for the ring network.
b. Configure primary and secondary root bridges.
c. Set path costs for ports in each MSTI to block certain ports.
d. Enable RSTP to eliminate loops.
NOTE
The port connected to the PC does not participate in RSTP calculation, so it is configured as
an edge port and BPDU filter port.
2. Configure RSTP protection functions, for example, root protection on a designated port of
a root bridge in each MSTI.
Procedure
Step 1 Configure basic RSTP functions.
1. Configure the RSTP mode for the devices on the ring network.

# Configure the RSTP mode on SwitchA.

[SwitchA] stp mode rstp
# Configure the RSTP mode on SwitchB.

[SwitchB] stp mode rstp
# Configure the RSTP mode on SwitchC.

[SwitchC] stp mode rstp
# Configure the RSTP mode on SwitchD.

[SwitchD] stp mode rstp
2. Configure primary and secondary root bridges.

# Configure SwitchA as a primary root bridge.
[SwitchA] stp root primary
# Configure SwitchD as a secondary root bridge.

[SwitchD] stp root secondary
3. Set path costs for ports in each MSTI to block certain ports.
NOTE
l The values of path costs depend on path cost calculation methods. Use the Huawei proprietary
calculation method as an example to set the path costs of the ports to be blocked to 20000.
# On Switch A, configure the path cost calculation method as the Huawei proprietary
method.
# On Switch B, configure the path cost calculation method as the Huawei proprietary
method.
# Set the path cost of Ethernet0/0/1 on SwitchC to 20000.

[SwitchC-Ethernet0/0/1] stp cost 20000
# On SwitchD, configure the path cost calculation method as the Huawei proprietary
method.
4. Enable RSTP to eliminate loops.

l Configure the port connected to the PC as an edge port and BPDU filter port.
# Configure Ethernet0/0/2 on SwitchB as an edge port and BPDU filter port.
[SwitchB-Ethernet0/0/2] stp edged-port enable
[SwitchB-Ethernet0/0/2] stp bpdu-filter enable
# Configure Ethernet0/0/2 on SwitchC as an edge port and BPDU filter port.

[SwitchC-Ethernet0/0/2] stp edged-port enable
[SwitchC-Ethernet0/0/2] stp bpdu-filter enable

l Enable RSTP globally.

# Enable RSTP globally on SwitchA.
# Enable RSTP globally on SwitchB.

# Enable RSTP globally on SwitchC.

# Enable RSTP globally on SwitchD.

Step 2 Configure RSTP protection functions, for example, root protection on a designated port of a root
bridge in each MSTI.
# Enable root protection on GE 0/0/1 on SwitchA.
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-Ethernet0/0/1] stp root-protection
# Enable root protection on GE 0/0/2 on SwitchA.


the network is stable:
# Run the display stp brief command on SwitchA to view the interface status and protection
0 Ethernet0/0/1 DESI FORWARDING ROOT
After SwitchA is configured as a root bridge, Ethernet0/0/2 and Ethernet0/0/1 connected to

SwitchB and SwitchD respectively are elected as designated ports in spanning tree calculation.
The root protection function is enabled on the designated ports.
# Run the display stp interface gigabitethernet 0/0/1 brief command on SwitchB to view status
of Ethernet0/0/1. The displayed information is as follows:
[SwitchB] display stp interface gigabitethernet 0/0/1 brief
Ethernet0/0/1 is elected as a designated port in spanning tree calculation and is in the Forwarding
state.
# Run the display stp brief command on SwitchC to view the interface status and protection
[SwitchC] display stp brief
GE0/0/1 is elected as an alternate port in spanning tree calculation and is in the Discarding state.

GE0/0/3 is elected as a root port in spanning tree calculation and is in the Forwarding state.
----End
Configuration Files
#
sysname SwitchA
#
stp mode rstp
#
stp root-protection
#
stp root-protection
#
return

#
sysname SwitchB
#
stp mode rstp
#
stp bpdu-filter enable
stp edged-port enable
#
return

#
sysname SwitchC
#
stp mode rstp
#
#
stp bpdu-filter enable
stp edged-port enable
#
return

#
sysname SwitchD
#
stp mode rstp
#
return

3.8 MSTP Configuration

The Multiple Spanning Tree Protocol (MSTP) trims a ring network into a loop-free tree network.
It prevents replication and circular propagation of packets, provides multiple redundant paths
for Virtual LAN (VLAN) data traffic, and enables load balancing.
NOTE
The S2300SI does not support MSTP.
3.8.1 Example for Configuring MSTP

On a complex network, to implement redundancy, network designers tend to deploy multiple
physical links between two devices, one of which is the master and the others are the backup.
Loops occur, causing broadcast storms or damaging MAC addresses. After the network designer
plans a network, you can deploy MSTP on the network to prevent loops. MSTP blocks redundant
links and prunes a network into a tree topology free from loops.
As shown in Figure 3-22,SwitchA, SwitchB, SwitchC, and SwitchD run MSTP. to load balance
traffic from VLANs 2 to 20 and VLANs 11 to 20, use MSTP multi-instance. You can configure
a VLAN mapping table to associate VLANs with MSTIs.

Figure 3-22 Networking diagram of MSTP configuration
Network
RG1
SwitchA SwitchB
Eth0/0/2
Eth0/0/2
Eth0/0/1 Eth0/0/1
Eth0/0/3 Eth0/0/3
Eth0/0/2
SwitchC SwitchD
Eth0/0/2
Eth0/0/1 Eth0/0/1
VLAN2~10 MSTI1
VLAN11~20 MSTI2
MSTI1:
Root Switch:SwitchA
Blocked port
MSTI2:
Root Switch:SwitchB
Blocked port
1. Configure basic MSTP functions on the switching device on the ring network.
2. Configure protection functions to protect devices or links. You can configure root
protection on the designated port of the root bridge.

3. Configure Layer 2 forwarding.
Procedure
Step 1 Configure basic MSTP functions.
1. Configure SwitchA, SwitchB, SwitchC, and SwitchD in the same MST region named
RG1 and create MSTI 1 and MSTI 2.
NOTE
Two switching devices belong to the same MST region when they have the same:
l Name of the MST region
l Mapping between VLANs and MSTIs
l Revision level of the MST region
# Configure an MST region on SwitchA.
[SwitchA] stp region-configuration
[SwitchA-mst-region] region-name RG1
[SwitchA-mst-region] instance 1 vlan 2 to 10
[SwitchA-mst-region] active region-configuration
[SwitchA-mst-region] quit
# Configure an MST region on SwitchB.

[SwitchB] stp region-configuration
[SwitchB-mst-region] region-name RG1
[SwitchB-mst-region] instance 1 vlan 2 to 10
[SwitchB-mst-region] active region-configuration
[SwitchB-mst-region] quit
# Configure an MST region on SwitchC.

[SwitchC] stp region-configuration
[SwitchC-mst-region] region-name RG1
[SwitchC-mst-region] instance 1 vlan 2 to 10
[SwitchC-mst-region] active region-configuration
[SwitchC-mst-region] quit
# Configure an MST region on SwitchD.

[SwitchD] stp region-configuration
[SwitchD-mst-region] region-name RG1
[SwitchD-mst-region] instance 1 vlan 2 to 10
[SwitchD-mst-region] active region-configuration
[SwitchD-mst-region] quit
2. In the MST region RG1, configure the root bridge and secondary root bridge in MSTI 1
and MSTI 2.
l Configure the root bridge and secondary root bridge in MSTI 1.
# Configure SwitchA as the root bridge in MSTI 1.
[SwitchA] stp instance 1 root primary
# Configure SwitchB as the secondary root bridge in MSTI 1.

[SwitchB] stp instance 1 root secondary

l Configure the root bridge and secondary root bridge in MSTI 2.

# Configure SwitchB as the root bridge in MSTI 2.
[SwitchB] stp instance 2 root primary
# Configure SwitchA as the secondary root bridge in MSTI 2.

[SwitchA] stp instance 2 root secondary
3. Set the path costs of the ports to be blocked in MSTI 1 and MSTI 2 to be greater than the
default value.
NOTE
l The values of path costs depend on path cost calculation methods. This example uses the Huawei
proprietary calculation method as an example to set the path costs of the ports to be blocked to
20000.
# Configure SwitchA to use Huawei private algorithm to calculate the path cost.
# Configure SwitchB to use Huawei private algorithm to calculate the path cost.
# Configure SwitchC to use Huawei private algorithm to calculate the path cost, and set
the path cost of Eth0/0/2 in MSTI 2 to 20000.
[SwitchC-Ethernet0/0/2] stp instance 2 cost 20000
# Configure SwitchD to use Huawei private algorithm to calculate the path cost, and set
the path cost of Eth0/0/2 in MSTI 1 to 20000.
[SwitchD] interface ethernet 0/0/2
[SwitchD-Ethernet0/0/2] stp instance 1 cost 20000
[SwitchD-Ethernet0/0/2] quit
4. Enable MSTP to eliminate loops.

l Enable MSTP globally.
# Enable MSTP on SwitchA.
# Enable MSTP on SwitchB.

# Enable MSTP on SwitchC.

# Enable MSTP on SwitchD.

l Disable MSTP on the interface connected to the terminal.

# Disable STP on Eth0/0/1 of SwitchC.
# Disable STP on Eth0/0/1 of SwitchD.

[SwitchD-Ethernet0/0/1] stp disable
Step 2 Configure root protection on the designated port of the root bridge.

# Enable root protection on Eth0/0/1 of SwitchA.

# Enable root protection on Eth0/0/1 of SwitchB.

[SwitchB-Ethernet0/0/1] stp root-protection
Step 3 Configure Layer 2 forwarding on devices on the ring network.

l Create VLANs 2 to 20 on SwitchA, SwitchB, SwitchC, and SwitchD.
# Create VLANs 2 to 20 on SwitchA.
[SwitchA] vlan batch 2 to 20
# Create VLANs 2 to 20 on SwitchB.

[SwitchB] vlan batch 2 to 20
# Create VLANs 2 to 20 on SwitchC.

# Create VLANs 2 to 20 on SwitchD.

[SwitchD] vlan batch 2 to 20
l Add ports on switching devices to VLANs.

# Add Eth0/0/1 on SwitchA to a VLAN.
[SwitchA-Ethernet0/0/1] port trunk allow-pass vlan 2 to 20
# Add Eth0/0/2 on SwitchA to a VLAN.

# Add Eth0/0/1 on SwitchB to a VLAN.

[SwitchB-Ethernet0/0/1] port trunk allow-pass vlan 2 to 20
# Add Eth0/0/2 on SwitchB to a VLAN.

# Add Eth0/0/1 on SwitchC to a VLAN.

[SwitchC-Ethernet0/0/1] port link-type access
[SwitchC-Ethernet0/0/1] port default vlan 2

[SwitchC-Ethernet0/0/2] port trunk allow-pass vlan 2 to 20



# Add Eth0/0/1 on SwitchD to a VLAN.

[SwitchD-Ethernet0/0/1] port link-type access
[SwitchD-Ethernet0/0/1] port default vlan 11

[SwitchD-Ethernet0/0/2] port link-type trunk
[SwitchD-Ethernet0/0/2] port trunk allow-pass vlan 2 to 20

After the preceding configurations are complete and the network topology becomes stable,
perform the following operations to verify the configuration.
# Run the display stp brief command on SwitchA to view the status and protection type on the
ports. The displayed information is as follows:

# Run the display stp brief command on SwitchB. The displayed information is as follows:
[SwitchB] display stp brief
In MSTI 2, Eth0/0/1 and Eth0/0/2 are designated ports because SwitchB is the root bridge. In
MSTI 1, Eth0/0/1 on SwitchB is the designated port and Eth0/0/2 is the root port.
# Run the display stp interface brief commands on SwitchC. The displayed information is as
follows:
[SwitchC] display stp interface ethernet 0/0/3 brief
[SwitchC] display stp interface ethernet 0/0/2 brief

Eth0/0/3 on SwitchC is the root port in MSTI 1 and MSTI 2. Eth0/0/2 on SwitchC is the
designated port in MSTI 1 but is blocked in MSTI 2.
# Run the display stp interface brief commands on SwitchD. The displayed information is as
follows:
[SwitchD] display stp interface ethernet 0/0/3 brief
[SwitchD] display stp interface ethernet 0/0/2 brief
Eth0/0/3 on SwitchD is the root port in MSTI 1 and MSTI 2. Eth0/0/2 on SwitchD is the blocked
port in MSTI 1 and is the designated port in MSTI 2.
----End
Configuration Files
#
sysname SwitchA
#
vlan batch 2 to 20
#
stp enable
#
stp region-configuration
region-name RG1
instance 1 vlan 2 to 10
active region-configuration
#
stp root-protection
#
#
return

#
sysname SwitchB
#
vlan batch 2 to 20
#
stp enable
#
region-name RG1

#
stp root-protection
#
#
return
#
sysname SwitchC
#
vlan batch 2 to 20
#
stp enable
#
region-name RG1
#
port default vlan 2
stp disable
#
#
#
return
#
sysname SwitchD
#
vlan batch 2 to 20
#
stp enable
#
region-name RG1
#
stp disable
#
#


#
return
3.9 SEP Configuration

Smart Ethernet Protection (SEP) is a ring network protocol specially used for the Ethernet link
layer. It blocks redundant links to prevent logical loops on a ring network.
NOTE
Only the S3300 supports SEP.
3.9.1 Example for Configuring SEP on a Closed Ring Network

Generally, redundant links are used to connect an Ethernet switching network to an upper-layer
network to provide link backup and enhance network reliability. The use of redundant links,
however, may produce loops, causing broadcast storms and rendering the MAC address table
unstable. As a result, communication quality deteriorates, and services may even be interrupted.
SEP can be deployed on the ring network to eliminate loops and restore communication if a link
fault occurs.
In the closed ring networking, CE1 is dual-homed to a Layer 2 network through multiple Layer
2 switching devices. The two edge devices connected to the upper-layer Layer 2 network are
directly connected to each other. The closed ring network is deployed at the aggregation layer
to transparently transmit Layer 2 unicast and multicast packets. SEP runs at the aggregation layer
to implement link redundancy.
As shown in Figure 3-23, Layer 2 switching devices LSW1 to LSW5 form a ring network.
SEP runs at the aggregation layer.
l When there is no faulty link on a ring network, SEP can eliminate loops on the network.
l When a link fails on the ring network, SEP can rapidly restore communication between
nodes on the network.

Figure 3-23 Networking diagram of a closed ring SEP network
Core
IP/MPLS Core
Eth0/0/2 Eth0/0/3 Eth0/0/2

LSW1 LSW5
Eth0/0/3
Eth0/0/1 Eth0/0/1
Aggregation
SEP
Segment1
Eth0/0/1 Eth0/0/1
LSW2 LSW4
LSW3
Eth0/0/2 Eth0/0/2
Eth0/0/1 Eth0/0/2
Eth0/0/3
Eth0/0/1
Access
Primary Edge Port

CE1
Secondary Edge Port
VLAN
100 Block Port
1. Configure basic SEP functions.

a. Configure SEP segment 1 on LSW1 to LSW5 and configure VLAN 10 as the control
VLAN of SEP segment 1.
b. Add all devices on the ring to SEP segment 1, and configure the roles of Eth0/0/1 and
Eth0/0/3 of LSW1 in SEP segment 1.
c. On the device where the primary edge interface is located, specify the interface with
the highest priority to block.
d. Set priorities of the interfaces in the SEP segment.
Set the highest priority for Eth0/0/2 of LSW3 and retain the default priority of the
other interfaces so that Eth0/0/2 of LSW3 will be blocked.

e. Configure delayed preemption on the device where the primary edge interface is
located.
2. Configure the Layer 2 forwarding function on CE1 and LSW1 to LSW5.
Procedure
Step 1 Configure basic SEP functions.
1. Configure SEP segment 1 on LSW1 to LSW5 and configure VLAN 10 as the control VLAN
of SEP segment 1.
# Configure LSW1.
[Quidway] sysname LSW1
[LSW1] sep segment 1
[LSW1-sep-segment1] control-vlan 10
[LSW1-sep-segment1] protected-instance all
[LSW1-sep-segment1] quit
# Configure LSW2.
# Configure LSW3.
# Configure LSW4.
# Configure LSW5.
NOTE
l The control VLAN must be a VLAN that has not been created or used, but the configuration file
automatically displays the command for creating the VLAN.
l Each SEP segment must be configured with a control VLAN. After an interface is added to the
SEP segment configured with a control VLAN, the interface is automatically added to the control
VLAN.
2. Add all devices on the ring to SEP segment 1 and configure interface roles on the devices.
NOTE
By default, STP is enabled on a Layer 2 interface. Before adding an interface to a SEP segment,
disable STP on the interface.
# On LSW1, configure Eth0/0/1 as the primary edge interface and Eth0/0/3 as the secondary
edge interface.

[LSW1] interface ethernet 0/0/1

[LSW1-Ethernet0/0/1] stp disable
[LSW1-Ethernet0/0/1] sep segment 1 edge primary
[LSW1-Ethernet0/0/1] quit
[LSW1-Ethernet0/0/3] sep segment 1 edge secondary
# Configure LSW2.
[LSW2-Ethernet0/0/1] sep segment 1
# Configure LSW3.
# Configure LSW4.
# Configure LSW5.
3. Specify an interface to block.

# On LSW1 where the primary edge interface is located, specify the interface with the
highest priority to block.
[LSW1-sep-segment1] block port optimal
4. Set the priority of Eth0/0/2 on LSW3.

[LSW3-Ethernet0/0/2] sep segment 1 priority 128
5. Configure the preemption mode.

# Configure delayed preemption on LSW1.
[LSW1-sep-segment1] preempt delay 30

NOTE
l You must set the preemption delay when delayed preemption is used because there is no default
delay time.
l When the last faulty interface recovers, edge interfaces do not receive any fault notification
packet. If the primary edge interface does not receive any fault notification packet, it starts the
delay timer. When the delay timer expires, nodes in the SEP segment start blocked interface
preemption.
To implement delayed preemption in this example, simulate a port fault and then rectify the fault.
For example:
Run the shutdown command on Eth0/0/1 of LSW2 to simulate an interface fault, and then run
the undo shutdown command on Eth0/0/2 to rectify the fault.
Step 2 Configure the Layer 2 forwarding function on CE1 and LSW1 to LSW5.
For details about the configuration, see the configuration files.
l Run the shutdown command on Eth0/0/1 of LSW3 to simulate an interface fault, and then
run the display sep interface command on LSW3 to check whether Eth0/0/2 of LSW3 has
switched from the Discarding state to the Forwarding state.
<LSW3> display sep interface ethernet 0/0/2
SEP segment 1
----------------------------------------------------------------
Interface Port Role Neighbor Status Port Status
----------------------------------------------------------------
Eth0/0/2 common up forwarding
----End
Configuration Files
l Configuration file of LSW1
#
sysname LSW1
#
#
sep segment 1
control-vlan 10
block port optimal
preempt delay 30
protected-instance 0 to 48
#
stp disable
sep segment 1 edge primary
#
#
port hybrid tagged vlan 10 100 200
stp disable
sep segment 1 edge secondary
#
return

#
sysname LSW2

#
vlan batch 10 100
#
sep segment 1
control-vlan 10
#
stp disable
sep segment 1
#
stp disable
sep segment 1
#
return
#
sysname LSW3
#
vlan batch 10 100
#
sep segment 1
control-vlan 10
#
stp disable
sep segment 1
#
stp disable
sep segment 1
sep segment 1 priority 128
#
#
return
#
sysname LSW4
#
vlan batch 10 100
#
sep segment 1
control-vlan 10
#
stp disable
sep segment 1
#
stp disable
sep segment 1
#
return
#
sysname LSW5

#
#
sep segment 1
control-vlan 10
#
stp disable
sep segment 1
#
#
stp disable
sep segment 1
#
return
l Configuration file of CE1

#
sysname CE1
#
vlan batch 100
#
#
return
3.9.2 Example for Configuring SEP on a Multi-Ring Network

fault occurs.
In multi-ring networking, multiple rings consisting of Layer 2 switching devices are deployed
at the access layer and aggregation layer. SEP runs at the access layer and aggregation layer to
implement link redundancy.
As shown in Figure 3-24, multiple Layer 2 switching devices form ring networks at the access
layer and aggregation layer.
SEP runs at the access layer and aggregation layer. When there is no faulty link on a ring network,
SEP can eliminate loops on the network. When a link fails on the ring network, SEP can rapidly
restore communication between nodes on the network.

Figure 3-24 Networking diagram of a multi-ring SEP network
Core
IP/MPLS Core
Eth0/0/2 Eth0/0/2
LSW1 Eth0/0/3 Eth0/0/3 LSW5

Eth0/0/1 Eth0/0/1
Aggregation
SEP
Eth0/0/1 Segment 1 Eth0/0/3
LSW4
LSW2 Et Eth0/0/1
h Eth0/0/2
Eth0/0/2 0/ LSW3
0/
3
Eth0/0/4
Eth0/0/1 Eth0/0/2 Eth0/0/1 Eth0/0/2
Se S
t2
gm EP
gm E P
en
Se S
LSW6 Eth0/0/2 en LSW11

Eth0/0/2 LSW8 t3
Eth0/0/1
Eth0/0/1 Eth0/0/1 Eth0/0/2
Eth0/0/1 Eth0/0/2 LSW9 Eth0/0/1
LSW7 Eth0/0/3 LSW10 Eth0/0/3
Access
Eth0/0/1 Eth0/0/1
CE2
CE1
VLAN VLAN
200 100
Primary Edge Port Control VLAN 10

Secondary Edge Port Control VLAN 20
Block Port Control VLAN 30
a. Configure SEP segments 1 to 3 and configure VLAN 10, VLAN 20, and VLAN 30
as their respective control VLANs.

l Configure SEP segment 1 on LSW1 to LSW5 and configure VLAN 10 as the

control VLAN of SEP segment 1.
l Configure SEP segment 2 on LSW2, LSW3, and LSW6 to LSW8, and configure
VLAN 20 as the control VLAN of SEP segment 2.
l Configure SEP segment 3 on LSW3, LSW4, and LSW9 to LSW11, and configure
VLAN 30 as the control VLAN of SEP segment 3.
b. Add devices on the rings to the SEP segments and configure interface roles on the
edge devices of the SEP segments.
l On LSW1 to LSW5, add the interfaces on the ring at the access layer to SEP
segment 1. Configure the roles of Eth0/0/1 and Eth0/0/3 of LSW1 in SEP segment
1.
l Add Eth0/0/2 of LSW2, Eth0/0/1 and Eth0/0/2 of LSW6 to LSW8, and Eth0/0/2
of LSW3 to SEP segment 2. Configure the roles of Eth0/0/2 of LSW2 and
Eth0/0/2 of LSW3 in SEP segment 2.
l Add Eth0/0/1 of LSW3, Eth0/0/1 and Eth0/0/2 of LSW9 to LSW11, and
Eth0/0/1 of LSW4 to SEP segment 3. Configure the roles of Eth0/0/1 of LSW3
and Eth0/0/1 of LSW4 in SEP segment 3.
c. Specify an interface to block on the device where the primary edge interface is located.
l In SEP segment 1, specify the interface with the highest priority to block.
l In SEP segment 2, specify the device and interface names to block the specified
interface.
l In SEP segment 3, specify the blocked interface based on the configured hop count.
d. Configure the preemption mode on the device where the primary edge interface is
located.
Configure delayed preemption in SEP segment 1 and manual preemption in SEP
segment 2 and SEP segment 3.
e. Configure the topology change notification function on the edge devices between SEP
segments, namely, LSW2, LSW3, and LSW4.
2. Configure the Layer 2 forwarding function on CE1, CE2, and LSW1 to LSW11.
Procedure
1. Configure SEP segments 1 to 3 and configure VLAN 10, VLAN 20, and VLAN 30 as their
respective control VLANs, as shown in Figure 3-24.
# Configure LSW1.
# Configure LSW2.

# Configure LSW3.
# Configure LSW4.
# Configure LSW5.
# Configure LSW6 to LSW11.

The configurations of LSW6 to LSW11 are similar to the configurations of LSW1 to LSW5
except for the control VLANs of different SEP segments.
NOTE
VLAN.
2. Add devices on the rings to the SEP segments and configure interface roles according to
Figure 3-24.
NOTE
By default, STP is enabled on a Layer 2 interface. Before adding an interface to a SEP segment,
disable STP on the interface.
# On LSW1, configure Eth0/0/1 as the primary edge interface and Eth0/0/3 as the secondary
edge interface.


# Configure LSW2.
[LSW2-sEthernet0/0/2] sep segment 2 edge primary
# Configure LSW3.
# Configure LSW4.
# Configure LSW5.
# Configure LSW6 to LSW11.
The configurations of LSW6 to LSW11 are similar to the configurations of LSW1 to LSW5
except for the interface roles.
# On LSW1 where the primary edge interface of SEP segment 1 is located, specify the
interface with the highest priority to block.


[LSW1-sep-segment1] block port optimal
# On LSW3, set the priority of Eth0/0/4 to 128, which is the highest priority among the
interfaces so that Eth0/0/4 will be blocked.
[LSW3-Ethernet0/0/4] sep segment 1 priority 128
Retain the default priority of the other interfaces in SEP segment 1.

# On LSW2 where the primary edge interface of SPE segment 2 is located, specify the
device and interface names so that the specified interface will be blocked.
Before specifying the interface to block, use the display sep topology command to view
the current topology information and obtain information about all the interfaces in the
topology. Then specify the device and interface names.
[LSW2-sep-segment2] block port sysname LSW7 interface ethernet 0/0/1
# On LSW4 where the primary edge interface of SEP segment 3 is located, specify the
blocked interface based on the configured hop count.
[LSW4-sep-segment3] block port hop 5
NOTE
SEP sets the hop count of the primary edge interface to 1 and the hop count of the secondary edge
interface to 2. Hop counts of other interfaces increase by steps of 1 in the downstream direction of
the primary interface.
# Configure delayed preemption on LSW1.
[LSW1-sep-segment1] preempt delay 30
NOTE
l You must set the preemption delay when delayed preemption is used because there is no default
delay time.
l When the last faulty interface recovers, edge interfaces do not receive any fault notification
packet. If the primary edge interface does not receive any fault notification packet, it starts the
delay timer. When the delay timer expires, nodes in the SEP segment start blocked interface
preemption.
To implement delayed preemption in this example, simulate a port fault and then rectify the fault.
For example:
Run the shutdown command on Eth0/0/1 of LSW2 to simulate an interface fault, and then run
the undo shutdown command on Eth0/0/2 to rectify the fault.
# Configure manual preemption on LSW2.
[LSW2-sep-segment2] preempt manual
# Configure the manual preemption mode on LSW4.

5. Configure the topology change notification function.

# Configure devices in SEP segment 2 to notify SEP segment 1 of topology changes.
# Configure LSW2.


[LSW2-sep-segment2] tc-notify segment 1
# Configure LSW3.
# Configure SEP segment 3 to notify SEP segment 1 of topology changes.

# Configure LSW3.
# Configure LSW4.
NOTE
The topology change notification function is configured on edge devices between SEP segments so
that the upper-layer network can be notified of topology changes on the lower-layer network.
Step 2 Configure the Layer 2 forwarding function on the CEs and LSW1 to LSW11.
After completing the preceding configurations, verify the configuration. LSW1 is used as an
example.
SEP segment 1
----------------------------------------------------------------
----------------------------------------------------------------
----End
Configuration Files
#
sysname LSW1
#
vlan batch 10 100 200 300
#
sep segment 1
control-vlan 10
block port optimal
preempt delay 30
#
stp disable
#

#
port hybrid tagged vlan 10 100 200 300
stp disable
#
return
#
sysname LSW2
#
vlan batch 10 20 100 200
#
sep segment 1
control-vlan 10
sep segment 2
control-vlan 20
block port sysname LSW7 interface Ethernet0/0/1
tc-notify segment 1
#
stp disable
sep segment 1
#
stp disable
#
stp disable
sep segment 1
#
return
#
sysname LSW3
#
vlan batch 10 20 30 100 200
#
sep segment 1
control-vlan 10
sep segment 2
control-vlan 20
tc-notify segment 1
sep segment 3
control-vlan 30
tc-notify segment 1
#
stp disable
#
stp disable


#
stp disable
sep segment 1
#
stp disable
sep segment 1
sep segment 1 priority 128
#
return
#
sysname LSW4
#
vlan batch 10 30 100 200
#
sep segment 1
control-vlan 10
sep segment 3
control-vlan 30
block port hop 5
tc-notify segment 1
#
stp disable
#
stp disable
sep segment 1
#
stp disable
sep segment 1
#
return
#
sysname LSW5
#
vlan batch 10 100 200 300
#
sep segment 1
control-vlan 10
#
stp disable
sep segment 1
#
#
port hybrid tagged vlan 10 100 200 300
stp disable

sep segment 1
#
return
#
sysname LSW6
#
vlan batch 20 200
#
sep segment 2
control-vlan 20
#
stp disable
sep segment 2
#
stp disable
sep segment 2
#
return
#
sysname LSW7
#
vlan batch 20 200
#
sep segment 2
control-vlan 20
#
stp disable
sep segment 2
#
stp disable
sep segment 2
#
#
return
#
sysname LSW8
#
vlan batch 20 200
#
sep segment 2
control-vlan 20
#
stp disable
sep segment 2
#
stp disable
sep segment 2

#
return

#
sysname LSW9
#
vlan batch 30 100
#
sep segment 3
control-vlan 30
#
stp disable
sep segment 3
#
stp disable
sep segment 3
#
return

#
sysname LSW10
#
vlan batch 30 100
#
sep segment 3
control-vlan 30
#
stp disable
sep segment 3
#
stp disable
sep segment 3
#
#
return

#
sysname LSW11
#
vlan batch 30 100
#
sep segment 3
control-vlan 30
#
stp disable
sep segment 3
#
stp disable
sep segment 3

#
return

#
sysname CE1
#
vlan batch 100
#
#
return

#
sysname CE2
#
vlan batch 200
#
#
return
3.9.3 Example for Configuring a Hybrid SEP+MSTP Ring Network
fault occurs.
NOTE
In this example, devices at the aggregation layer run the MSTP protocol.
As shown in Figure 3-25, multiple Layer 2 switching devices form a ring at the access layer,
and multiple Layer 3 devices form a ring at the aggregation layer. The two devices where the
access layer and the aggregation layer are intersected do not support SEP. You can configure
SEP at the access layer to implement redundancy protection switching and configure the
topology change notification function on an edge device in a SEP segment. This function enables
an upper-layer network to detect topology changes in a lower-layer network in time.
l When there is no faulty link on the ring network, SEP can eliminate loops.
l When a link fails on the ring network, SEP can rapidly restore communication between
nodes.
l The topology change notification function must be configured on an edge device in a SEP
segment. This enables an upper-layer network to detect topology changes in a lower-layer
network in time.
After receiving a message indicating the topology change in a lower-layer network, a device on
an upper-layer network sends TC packets to instruct other devices to delete original MAC
addresses and learn new MAC addresses after the topology of the lower-layer network changes.
This ensures uninterrupted traffic forwarding.

Figure 3-25 Networking diagram of a hybrid-ring SEP network
IP/MPLS Core
Core
Eth0/0/2
Eth0/0/3 Eth0/0/3
Eth0/0/2
Aggregation
PE3 PE4
Eth0/0/1
Eth0/0/1
MSTP
Eth0/0/2 PE1 PE2 Eth0/0/2
Eth0/0/3
Eth0/0/1 Do not Support SEP Eth0/0/1
Eth0/0/1 Eth0/0/1
SEP
LSW1 Segment1 LSW2
Eth0/0/2 Eth0/0/2
Eth0/0/2 Eth0/0/1
Access
Eth0/0/3LSW3
Eth0/0/1
CE
No-neighbor Primary Edge Port
No-neighbor Secondary Edge Port
VLAN100
Block Port(SEP)
Block Port(MSTP)
a. Configure SEP segment 1 on LSW1 to LSW3 and configure VLAN 10 as the control
VLAN of SEP segment 1.
b. Add LSW1 to LSW3 to SEP segment 1 and configure interface roles on the edge
devices (LSW1 and LSW2) of the SEP segment.

NOTE
PE1 and PE2 do not support the SEP protocol; therefore, the interfaces of LSW1 and LSW2
connected to the PEs must be no-neighbor edge interfaces.
c. On the device where the no-neighbor primary edge interface is located, specify the
interface in the middle of the SEP segment as the interface to block.
d. Configure manual preemption.
e. Configure the topology change notification function so that the upper-layer network
running MSTP can be notified of topology changes in the SEP segment.
2. Configure basic MSTP functions.
a. Add LSW1, LSW2, PE1 to PE4 to an MST region RG1.
b. Create VLANs on LSW1, LSW2, PE1 to PE4 and add interfaces on the STP ring to
the VLANs.
c. Configure PE3 as the root bridge and PE4 as the backup root bridge.
3. Configure the Layer 2 forwarding function on CE and LSW1 to LSW3.
Procedure
1. Configure SEP segment 1 on LSW1 to LSW3 and configure VLAN 10 as the control VLAN
of SEP segment 1.
# Configure LSW1.
# Configure LSW2.
# Configure LSW3.
NOTE
VLAN.
2. Add LSW1 to LSW3 to SEP segment 1 and configure interface roles.
# Configure LSW1.
[LSW1-Ethernet0/0/1] sep segment 1 edge no-neighbor primary


# Configure LSW2.
[LSW2-Ethernet0/0/1] sep segment 1 edge no-neighbor secondary
# Configure LSW3.

# On LSW1 where the no-neighbor primary edge interface of SEP segment 1 is located,
specify the interface in the middle of the SEP segment as the interface to block.
[LSW1-sep-segment1] block port middle

# Configure the manual preemption mode on LSW1.

# Configure devices in SEP segment 1 to notify the MSTP network of topology changes.
# Configure LSW1.
[LSW1-sep-segment1] tc-notify stp
# Configure LSW2.
[LSW2-sep-segment1] tc-notify stp
Step 2 Configure basic MSTP functions.

1. Configure an MST region.
# Configure PE1.
[PE1] stp region-configuration
[PE1-mst-region] region-name RG1
[PE1-mst-region] active region-configuration
[PE1-mst-region] quit
# Configure PE2.
# Configure PE3.

# Configure PE4.
# Configure LSW1.
[LSW1] stp region-configuration
[LSW1-mst-region] region-name RG1
[LSW1-mst-region] active region-configuration
[LSW1-mst-region] quit
# Configure LSW2.
[LSW2] stp region-configuration
[LSW2-mst-region] region-name RG1
[LSW2-mst-region] active region-configuration
[LSW2-mst-region] quit
2. Create VLANs and add interfaces to VLANs.

# On PE1, create VLAN 100 and add Eth0/0/1, Eth0/0/2, and Eth0/0/3 to VLAN 100.
[PE1] vlan 100
[PE1-vlan100] quit
[PE1] interface ethernet 0/0/1
[PE1-Ethernet0/0/1] port hybrid tagged vlan 100
[PE1-Ethernet0/0/1] quit
# On PE2, PE3, and PE4, create VLAN 100 and add Eth0/0/1, Eth0/0/2, and Eth0/0/3 to
VLAN 100.
The configurations of PE2, PE3, and PE4 are similar to the configuration of PE1. For details
about the configuration, see the configuration files.
# On LSW1 and LSW2, create VLAN 100 and add Eth0/0/1 to VLAN 100. The
configurations of LSW1 and LSW2 are similar to the configuration of PE1. For details
about the configuration, see the configuration files.
3. Enable MSTP.
# Configure PE1.
[PE1] stp enable
# Configure PE2.
[PE2] stp enable
# Configure PE3.
[PE3] stp enable
# Configure PE4.
[PE4] stp enable
# Configure LSW1.
[LSW1] stp enable

# Configure LSW2.
[LSW2] stp enable
4. Configure PE3 as the root bridge and PE4 as the backup root bridge.
# Set the priority of PE3 to 0 in MSTI0 to ensure that PE3 functions as the root bridge.
[PE3] stp root primary
# Set the priority of PE4 to 4096 in MSTI0 to ensure that PE4 functions as the backup root
bridge.
[PE4] stp root secondary
Step 3 Configure the Layer 2 forwarding function on the CE and LSW1 to LSW3.
After the configurations are complete and network becomes stable, run the following commands
to verify the configuration. LSW1 is used as an example.
SEP segment 1
----------------------------------------------------------------
----------------------------------------------------------------
----End
Configuration Files
#
sysname LSW1
#
vlan batch 10 100
#
region-name RG1
#
sep segment 1
control-vlan 10
block port middle
tc-notify stp
#
sep segment 1 edge no-neighbor primary
#
stp disable
sep segment 1
#
return

#
sysname LSW2

#
vlan batch 10 100
#
#
region-name RG1
#
sep segment 1
control-vlan 10
tc-notify stp
#
sep segment 1 edge no-neighbor secondary
#
stp disable
sep segment 1
#
return

#
sysname LSW3
#
vlan batch 10 100
#
sep segment 1
control-vlan 10
#
stp disable
sep segment 1
#
stp disable
sep segment 1
#
port hybrid tagged vlan vlan 100
#
return

#
sysname PE1
#
vlan batch 100
#
region-name RG1
#
#
#
#
return


#
sysname PE2
#
vlan batch 100
#
region-name RG1
#
#
#
#
return

#
sysname PE3
#
vlan batch 100 200
#
#
region-name RG1
#
#
#
#
return

#
sysname PE4
#
vlan batch 100 200
#
#
region-name RG1
#
#
#

#
return
l Configuration file of CE
#
sysname CE
#
vlan batch 100
#
#
return
3.9.4 Example for Configuring a Hybrid SEP+RRPP Ring Network

In the networking of this example, you can configure SEP at the access layer to implement
redundancy protection switching and configure the topology change notification function on an
edge device in a SEP segment. This enables an upper-layer network to detect topology changes
in a lower-layer network in time.
fault occurs.

Figure 3-26 Hybrid rings running SEP and RRPP
Network
NPE1 NPE2
Eth0/0/2
Eth0/0/3 Eth0/0/3
Eth0/0/2
Aggregation
PE3 PE4
Eth0/0/1
Eth0/0/1
RRPP
Eth0/0/2 PE1 PE2 Eth0/0/2
Eth0/0/3
Eth0/0/1 Eth0/0/1
Eth0/0/1 Eth0/0/1
SEP
LSW1 Segment1 LSW2
Eth0/0/2 Eth0/0/2
Eth0/0/2 Eth0/0/1
Access
Eth0/0/3LSW3
Eth0/0/1
CE
Primary Edge Port
Secondary Edge Port
VLAN100
Block Port(SEP)
Block Port(RRPP)
As shown in Figure 3-26, multiple Layer 2 switching devices at the access layer and aggregation
layer form a ring network to access the core layer. RRPP has been configured at the aggregation
layer to eliminate loops. In this case, SEP needs to run at the access layer to implement the
following functions:
l Eliminates loops when there is no faulty link on the ring network.
l Rapidly restores communication between nodes when a link fault occurs on the ring
network.
l Provides the topology change notification function on an edge device in a SEP segment.
This function enables an upper-layer network to detect topology changes in a lower-layer
network in time.
After receiving a message indicating the topology change in a lower-layer network, a device
on an upper-layer network sends TC packets to instruct other devices to delete original

MAC addresses and learn new MAC addresses after the topology of the lower-layer
network changes. This ensures uninterrupted traffic forwarding.
a. Configure SEP segment 1 on PE1, PE2, and LSW1 to LSW3 and configure VLAN
10 as the control VLAN of SEP segment 1.
b. Add PE1, PE2, and LSW1 to LSW3 to SEP segment 1, and configure interface roles
on edge devices (PE1 and PE2) of the SEP segment.
c. Set an interface blocking mode on the device where a primary edge interface is located
to specify an interface to block.
d. Configure the preemption mode to ensure that the specified interface is blocked when
a fault is rectified.
e. Configure the topology change notification function so that the topology change in
the local SEP segment can be notified to the upper-layer network where RRPP is
enabled.
2. Configure basic RRPP functions.
a. Add PE1 to PE4 to RRPP domain 1, create control VLAN 5 on PE1 to PE4, and
configure a protected VLAN.
b. Configure PE1 as the master node and PE2 to PE4 as transit nodes on the major ring,
and configure the primary and secondary interfaces of the major ring.
c. Create a VLAN on PE1 to PE4, and add the interfaces on the RRPP ring network to
the VLAN.
3. Configure the Layer 2 forwarding function on the CE, LSW1 to LSW3, and PE1 to PE4.
Procedure
1. Configure SEP segment 1 on PE1, PE2, and LSW1 to LSW3 and configure VLAN 10 as
the control VLAN of SEP segment 1.
# Configure PE1.
[PE1] sep segment 1
[PE1-sep-segment1] control-vlan 10
[PE1-sep-segment1] protected-instance all
[PE1-sep-segment1] quit
# Configure PE2.
[PE2] sep segment 1
[PE2-sep-segment1] control-vlan 10
[PE2-sep-segment1] protected-instance all
# Configure LSW1.


# Configure LSW2.
# Configure LSW3.
2. Add PE1, PE2, and LSW1 to LSW3 to SEP segment 1 and configure interface roles.
NOTE
By default, STP is enabled on an interface. Before adding an interface to a SEP segment, disable STP
on the interface.
# Configure PE1.
[PE1-Ethernet0/0/1] stp disable
[PE1-Ethernet0/0/1] sep segment 1 edge primary
# Configure LSW1.
# Configure LSW2.
# Configure LSW3.
# Configure PE2.
[PE2-Ethernet0/0/1] sep segment 1 edge secondary
After completing the preceding configurations, run the display sep topology command on
PE1 to view the topology of the SEP segment. The command output shows that the blocked
interface is one of the two interfaces that complete neighbor negotiations last.
[PE1] display sep topology

SEP segment 1
-----------------------------------------------------------------
System Name Port Name Port Role Port Status
-----------------------------------------------------------------
PE1 Eth0/0/1 primary forwarding
LSW1 Eth0/0/1 common forwarding
PE2 Eth0/0/1 secondary discarding
3. Set an interface blocking mode.

# In SEP segment 1, block the interface in the middle of the SEP segment on PE1 where
the primary edge interface resides.
[PE1] sep segment 1
[PE1-sep-segment1] block port middle
4. Set the preemption mode.

# In SEP segment 1, set manual preemption on PE1 where the primary edge interface
resides.
[PE1-sep-segment1] preempt manual

# Configure devices in SEP segment 1 to notify topology changes to the RRPP ring network.
# Configure PE1.
[PE1-sep-segment1] tc-notify rrpp
# Configure PE2.
[PE2] sep segment 1
[PE2-sep-segment1] tc-notify rrpp
After the preceding configurations are successful, perform the following operations to verify the
configurations. PE1 is used as an example.
l Run the display sep topology command on PE1 to view the topology of the SEP segment.
The command output shows that the status of Eth 0/0/2 on LSW3 is discarding and the status
of the other interfaces is forwarding.
[PE1] display sep topology
SEP segment 1
-----------------------------------------------------------------
System Name Port Name Port Role Port Status
-----------------------------------------------------------------
PE1 Eth0/0/1 primary forwarding
LSW3 Eth0/0/2 common discarding
PE2 Eth0/0/1 secondary forwarding
l Run the display sep interface verbose command on PE1 to view detailed information about
the interfaces added to the SEP segment.
[PE1] display sep interface verbose
SEP segment 1
Control-vlan :10
Preempt Delay Timer :0
TC-Notify Propagate to :rrpp
----------------------------------------------------------------

Interface :Eth0/0/1
Port Role :Config = primary / Active = primary
Port Priority :64
Port Status :forwarding
Neighbor Status :up
Neighbor Port :LSW1 - Eth0/0/1 (00e0-0829-7c00.0000)
NBR TLV rx :2124 tx :2126
LSP INFO TLV rx :2939 tx :135
LSP ACK TLV rx :113 tx :768
PREEMPT REQ TLV rx :0 tx :3
PREEMPT ACK TLV rx :3 tx :0
TC Notify rx :5 tx :3
EPA rx :363 tx :397
Step 2 Configure basic RRPP functions.

1. Add PE1 to PE4 to RRPP domain 1, create control VLAN 5 on PE1 to PE4, and configure
a protected VLAN.
# Configure PE1.
[PE1-mst-region] instance 1 vlan 5 6 100
[PE1] rrpp domain 1
[PE1-rrpp-domain-region1] control-vlan 5
[PE1-rrpp-domain-region1] protected-vlan reference-instance 1
# Configure PE2.
[PE2] rrpp domain 1
# Configure PE3.
[PE3] rrpp domain 1
# Configure PE4.
[PE4] rrpp domain 1
2. Create a VLAN and add interfaces on the ring network to the VLAN.
# Create VLAN 100 on PE1, and add Eth 0/0/1, Eth 0/0/2, and Eth 0/0/3 to VLAN 100.
[PE1] vlan 100
[PE1-vlan100] quit
[PE1-Ethernet0/0/1] port link-type trunk
[PE1-Ethernet0/0/1] port trunk allow-pass vlan 100

# Create VLAN 100 on PE2, and add Eth 0/0/1, Eth 0/0/2, and Eth 0/0/3 to VLAN 100.
[PE2] vlan 100
[PE2-vlan100] quit
# Create VLAN 100 on PE3, and add Eth 0/0/1 and Eth 0/0/2 to VLAN 100.
[PE3] vlan 100
[PE3-vlan100] quit
# Create VLAN 100 on PE4, and add Eth 0/0/1 and Eth 0/0/2 to VLAN 100.
[PE4] vlan 100
[PE4-vlan100] quit
3. Configure PE1 as the master node and PE2 to PE4 as transit nodes of the major ring, and
configure the primary and secondary interfaces of the major ring.
# Configure PE1.
[PE1] rrpp domain 1
[PE1-rrpp-domain-region1] ring 1 node-mode master primary-port ethernet0/0/2
secondary-port ethernet0/0/3 level 0
[PE1-rrpp-domain-region1] ring 1 enable
# Configure PE2.
[PE2] rrpp domain 1
[PE2-rrpp-domain-region1] ring 1 node-mode transit primary-port ethernet0/0/2
# Configure PE3.

[PE3] rrpp domain 1

# Configure PE4.
[PE4] rrpp domain 1
4. Enable RRPP.
# Configure PE1.
[PE1] rrpp enable
# Configure PE2.
[PE2] rrpp enable
# Configure PE3.
[PE3] rrpp enable
# Configure PE4.
[PE4] rrpp enable
After completing the preceding configurations, run the display rrpp brief or display rrpp
verbose domain command on PE1 to check the RRPP configuration.
[PE1] display rrpp brief
Abbreviations for Switch Node Mode :
M - Master , T - Transit , E - Edge , A - Assistant-Edge
RRPP Protocol Status: Enable

RRPP Working Mode: HW
RRPP Linkup Delay Timer: 0 sec (0 sec default)
Number of RRPP Domains: 1
Domain Index : 1
Control VLAN : major 5 sub 6
Protected VLAN : Reference Instance 1
Hello Timer : 1 sec(default is 1 sec) Fail Timer : 6 sec(default is 6 sec)
Ring Ring Node Primary/Common Secondary/Edge Is
ID Level Mode Port Port Enabled
----------------------------------------------------------------------------
1 0 M Ethernet0/0/2 Ethernet0/0/3 Yes
The command output shows that RRPP is enabled on PE1. In domain 1, VLAN 5 is the major
control VLAN, VLAN 6 is the sub-control VLAN, Instance 1 is the protected VLAN, and PE1
is the master node in major ring 1 with the primary and secondary interfaces as Ethernet0/0/2
and Ethernet0/0/3 respectively.
[PE1] display rrpp verbose domain 1
Domain Index : 1
RRPP Ring : 1
Ring Level : 0
Node Mode : Master
Ring State : Complete
Is Enabled : Enable Is Active: Yes
Primary port : Ethernet0/0/2 Port status: UP
Secondary port : Ethernet0/0/3 Port status: BLOCKED
The command output shows that in domain 1, VLAN 5 is the major control VLAN, VLAN 6 is
the sub-control VLAN, Instance 1 is the protected VLAN, PE1 is the master node in major ring

1 with the primary and secondary interfaces as Ethernet0/0/2 and Ethernet0/0/3 respectively,
and the node status is Complete.
Step 3 Configure the Layer 2 forwarding function on the CE, LSW1 to LSW3, and PE1 to PE4.
For the configuration details, see the configuration files.
the network is stable. LSW1 is used as an example.
run the display sep interface command on LSW3 to check whether the status of Eth0/0/2
changes from blocked to forwarding.
[LSW3] display sep interface ethernet 0/0/2
SEP segment 1
----------------------------------------------------------------
----------------------------------------------------------------
----End
Configuration Files
#
sysname LSW1
#
vlan batch 10 100
#
sep segment 1
control-vlan 10
#
interface Ethernet0/0/1 port link-type trunk
stp disable
sep segment 1
#
stp disable
sep segment 1
#
return

#
sysname LSW2
#
vlan batch 10 100
#
sep segment 1
control-vlan 10
#
stp disable
sep segment 1
#


stp disable
sep segment 1
#
return
#
sysname LSW3
#
vlan batch 10 100
#
sep segment 1
control-vlan 10
#
stp disable
sep segment 1
#
stp disable
sep segment 1
#
#
return
#
sysname PE1
#
vlan batch 5 to 6 10 100
#
rrpp enable
#
instance 1 vlan 5 to 6 100
#
rrpp domain 1
control-vlan 5
protected-vlan reference-instance 1
ring 1 node-mode master primary-port Ethernet 0/0/2 secondary-port Ethernet
0/0/3 level 0
ring 1 enable
#
sep segment 1
control-vlan 10
block port middle
tc-notify rrpp
#
stp disable
#
port trunk allow-pass vlan 5 to 6 100
stp disable

#
stp disable
#
return
#
sysname PE2
#
#
rrpp enable
#
#
rrpp domain 1
control-vlan 5
ring 1 node-mode transit primary-port Ethernet 0/0/2 secondary-port Ethernet
0/0/3 level 0
ring 1 enable
#
sep segment 1
control-vlan 10
tc-notify rrpp
#
stp disable
#
stp disable
#
stp disable
#
return
#
sysname PE3
#
#
rrpp enable
#
#
rrpp domain 1
control-vlan 5
0/0/2 level 0
ring 1 enable
#


stp disable
#
port trunk allow-pass vlan 5 to 6 100 200
stp disable
#
#
return

#
sysname PE4
#
#
rrpp enable
#
#
rrpp domain 1
control-vlan 5
0/0/2 level 0
ring 1 enable
#
stp disable
#
port trunk allow-pass vlan 5 to 6 100 200
stp disable
#
#
return

#
sysname CE1
#
vlan batch 100
#
#
return

3.10 Layer 2 Protocol Transparent Transmission

Configuration
This chapter describes the concept, configuration procedure, and configuration examples of
Layer 2 protocol transparent transmission.
NOTE
The S2300SI does not support Layer 2 Protocol Transparent Transmission.
3.10.1 Example for Configuring Interface-based Layer 2 Protocol

Transparent Transmission
As shown in Figure 3-27, CEs are edge devices on two private networks of an enterprise located
in different areas, and PE1 and PE2 are edge devices on the ISP network. The two private
networks of the enterprise are Layer 2 networks and they are connected through the ISP network.
STP is run on the Layer 2 networks to prevent loops. Enterprise users require that STP run only
on the private networks so that spanning trees can be generated correctly.
Figure 3-27 Networking diagram for configuring interface-based Layer 2 protocol transparent
transmission
ISP
network
PE2
Eth0/0/1
Eth0/0/1
PE1 Eth0/0/1
CE1 Eth0/0/1
CE2
User A User A
network1 network2
1. Configure STP on CEs to prevent loops on Layer 2 networks.

2. Add PE interfaces connected to CEs to specified VLANs so that PEs forward packets from
the VLANs.
3. Configure interface-based Layer 2 protocol transparent transmission on PEs so that STP
packets are not sent to the CPUs of PEs for processing.

Procedure
Step 1 Enable STP on CEs.
# Configure CE1.
[Quidway] sysname CE1
[CE1] vlan 100
[CE1-vlan100] quit
[CE1] stp enable
[CE1] interface ethernet 0/0/1
[CE1-Ethernet0/0/1] port hybrid pvid vlan 100
[CE1-Ethernet0/0/1] port hybrid untagged vlan 100
# Configure CE2.
[CE2] vlan 100
[CE2-vlan100] quit
[CE2] stp enable
[CE2-Ethernet0/0/1] port hybrid pvid vlan 100
[CE2-Ethernet0/0/1] port hybrid untagged vlan 100
Step 2 Add Eth0/0/1 on PE1 and PE2 to VLAN 100 and enable Layer 2 protocol transparent
transmission on PEs.
# Configure PE1.
[PE1] vlan 100
[PE1-vlan100] quit
[PE1] interface Ethernet 0/0/1
[PE1-Ethernet0/0/1] port hybrid pvid vlan 100
[PE1-Ethernet0/0/1] port hybrid untagged vlan 100
[PE1-Ethernet0/0/1] l2protocol-tunnel stp enable
# Configure PE2.
[PE2] vlan 100
[PE2-vlan100] quit
[PE2] interface Ethernet 0/0/1
[PE2-Ethernet0/0/1] l2protocol-tunnel stp enable
Step 3 Configure PEs to replace the destination MAC address of STP packets received from CEs.
# Configure PE1.
[PE1] l2protocol-tunnel stp group-mac 0100-5e00-0011
# Configure PE2.

After the configuration is complete, run the display l2protocol-tunnel group-mac command
on PEs. You can view the protocol type or name, multicast destination MAC address, group
MAC address, and priority of Layer 2 protocol packets to be transparently transmitted.

The display on PE1 is used as an example.

<PE1> display l2protocol-tunnel group-mac stp
Protocol EncapeType ProtocolType Protocol-MAC Group-MAC Pri
-----------------------------------------------------------------------------
stp llc dsap 0x42 0180-c200-0000 0100-5e00-0011 0
ssap 0x42
Run the display stp command on CE1 and CE2 to view the root in the MSTP region. You can
find that a spanning tree is calculated between CE1 and CE2. Eth0/0/1 on CE1 is the root port
and Eth0/0/1 on CE2 is the designated port.
<CE1> display stp
-------[CIST Global Info] [Mode MSTP] -------
CIST Bridge :32768.00e0-fc9f-3257
Bridge Times :Hello 2s MaxAge 20s FwDly 15s MaxHop 20
CIST Root/ERPC :32768.00e0-fc9a-4315 / 199999
CIST RegRoot/IRPC :32768.00e0-fc9f-3257 / 0
CIST RootPortId :128.82
BPDU-Protection :Disabled
TC or TCN received :6
TC count per hello :6
STP Converge Mode :
Time since last TC :0 days 2h:24m:36s
----[Port1(Ethernet0/0/1)] [FORWARDING] ----
Port Protocol :Enabled
Port Role :Root Port
Port Priority :128
Port Cost(Dot1T ) :Config=auto / Active=200000000
Designated Bridge/Port :32768.00e0-fc9a-4315 / 128.82
Port Edged :Config=disabled / Active=disabled
Point-to-point :Config=auto / Active=true
Transit Limit :147 packets/hello-time
Protection Type :None
Port STP Mode :MSTP
Port Protocol Type :Config=auto / Active= dot1s
PortTimes :Hello 2s MaxAge 20s FwDly 15s RemHop 20
TC or TCN send :0
BPDU Sent :6
TCN: 0, Config: 0, RST: 0, MST: 6
BPDU Received :4351
<CE2> display stp
-------[CIST Global Info] [Mode MSTP] -------
CIST Bridge :32768.00e0-fc9a-4315
CIST RegRoot/IRPC :32768.00e0-fc9a-4315 / 0
BPDU-Protection :Disabled
STP Converge Mode :
----[Port1(Ethernet0/0/1)] [FORWARDING] ----
Port Role :Designated Port
Port Priority :128
Port STP Mode :MSTP

TC or TCN send :0
BPDU Sent :4534
BPDU Received :6
----End
Configuration Files
#
sysname CE1
#
vlan batch 100
#
#
return

#
sysname CE2
#
vlan batch 100
#
#
return

#
sysname PE1
#
vlan batch 100
#
l2protocol-tunnel stp group-mac 0100-5e00-0011
#
l2protocol-tunnel stp enable
#
return

#
sysname PE2
#
vlan batch 100
#
#
l2protocol-tunnel stp enable
#
return

3.10.2 Example for Configuring VLAN-based Layer 2 Protocol

in different areas, and PE1 and PE2 are edge devices on the ISP network. VLAN 100 and VLAN
200 are Layer 2 networks for different users and are connected through the ISP network. STP
is run on the Layer 2 networks to prevent loops. Enterprise users require that STP run only on
the private networks so that spanning trees can be generated correctly.
l All the devices in VLAN 100 participate in calculation of a spanning tree.
Figure 3-28 Networking diagram for configuring VLAN-based Layer 2 protocol transparent
transmission
PE1 PE2
ISP
network
Eth0/0/2 Eth0/0/3 Eth0/0/2 Eth0/0/3
Eth0/0/1 Eth0/0/1 Eth0/0/1

Eth0/0/1
CE1 CE2 CE4
CE3
VLAN 100 VLAN 200

VLAN 100 VLAN 200
User A User B
User A User B
2. Configure CEs to send STP packets with specified VLAN tags to PEs so that calculation
of a spanning tree is complete independently in VLAN 100 and VLAN 200.
3. Configure VLAN-based Layer 2 protocol transparent transmission on PEs so that STP
Procedure
# Configure CE1.
[CE1] stp enable
# Configure CE2.
[CE2] stp enable
# Configure CE3.

[CE3] stp enable
# Configure CE4.
[CE4] stp enable
Step 2 Configure CE1 and CE2 to send STP packets with VLAN tag 100 to PEs, and configure CE3
and CE4 to send STP packets with VLAN tag 200 to PEs.
# Configure CE1.
[CE1] vlan 100
[CE1-vlan100] quit
[CE1-Ethernet0/0/1] port hybrid tagged vlan 100
[CE1-Ethernet0/0/1] stp bpdu vlan 100
# Configure CE2.
[CE2] vlan 100
[CE2-vlan100] quit
# Configure CE3.
[CE3] vlan 200
[CE3-vlan200] quit
# Configure CE4.
[CE4] vlan 200
[CE4-vlan200] quit
Step 3 Configure PE interfaces to transparently transmit STP packets of CEs to the peer ends.
# Configure PE1.
[PE1] vlan 100
[PE1-vlan100] quit
[PE1] vlan 200
[PE1-vlan200] quit
[PE1-Ethernet0/0/2] l2protocol-tunnel stp vlan 100
# Configure PE2.
[PE2] vlan 100
[PE2-vlan100] quit
[PE2] vlan 200
[PE2-vlan200] quit


# Configure PE1.
# Configure PE2.

-----------------------------------------------------------------------------
stp llc dsap 0x42 0180-c200-0000 0100-5e00-0011 0
ssap 0x42
<CE1> display stp
-------[CIST Global Info][Mode MSTP]-------
CIST Bridge :32768.000b-09f0-1b91
CIST Root/ERPC :32768.000b-09d4-b66c / 199999
CIST RegRoot/IRPC :32768.000b-09f0-1b91 / 0
BPDU-Protection :disabled
STP Converge Mode :
Share region-configuration :enabled
Port Priority :128
Designated Bridge/Port :32768.000b-09d4-b66c / 128.82
Port STP Mode :MSTP
TC or TCN send :0
BPDU Sent :237
BPDU Received :9607
<CE2> display stp
CIST Bridge :32768.000b-09d4-b66c
CIST RegRoot/IRPC :32768.000b-09d4-b66c / 0


STP Converge Mode :
Port Priority :128
Port STP Mode :MSTP
TC or TCN send :0
BPDU Sent :7095
BPDU Received :2
<CE3> display stp
STP Converge Mode :
Port Priority :128
Port STP Mode :MSTP
TC or TCN send :0
BPDU Sent :238
BPDU Received :9745
<CE4> display stp

STP Converge Mode :

Port Priority :128
Port STP Mode :MSTP
TC or TCN send :0
BPDU Sent :7171
BPDU Received :2
----End
Configuration Files
#
sysname CE1
#
vlan batch 100
#
stp bpdu vlan 100
#
return

#
sysname CE2
#
vlan batch 100
#
stp bpdu vlan 100
#
return

#
sysname CE3
#
vlan batch 200
#
stp bpdu vlan 200
#
return

#
sysname CE4
#
vlan batch 200
#


stp bpdu vlan 200
#
Return

#
sysname PE1
#
vlan batch 100 200
#
#
l2protocol-tunnel stp vlan 100
#
#
return

#
sysname PE2
#
vlan batch 100 200
#
#
#
#
return
3.10.3 Example for Configuring QinQ-based Layer 2 Protocol

in different areas, and PE1 and PE2 are edge devices on the ISP network. VLAN 100 and VLAN
200 are Layer 2 networks for different users and are connected through the ISP network. STP
is run on the Layer 2 networks to prevent loops. Enterprise users require that STP run only on
the private networks so that spanning trees can be generated correctly.

Because of shortage of public VLAN resources, VLAN IDs on carrier networks must be saved.
NOTE
Only the S3300 supports QinQ-based Layer 2 Protocol Transparent Transmission.

Figure 3-29 Networking diagram for configuring QinQ-based Layer 2 protocol transparent
transmission
User A User A
VLAN100 VLAN100
Eth0/0/1
Eth0/0/1
Eth0/0/2
Eth0/0/2
CE1 CE2
ISP
PE1 Network PE2
CE3 Eth0/0/3 Eth0/0/3

CE4
Eth0/0/1
User B Eth0/0/1
User B
VLAN200 VLAN200
2. Configure CEs to send STP packets with specified VLAN tags to PEs so that calculation
of a spanning tree is complete independently in VLAN 100 and VLAN 200.
3. Configure VLAN-based Layer 2 protocol transparent transmission on PEs so that STP
4. Configure QinQ (VLAN stacking) on PEs so that PEs add outer VLAN tag 10 to STP
packets sent from CEs, saving public network VLAN IDs.
Procedure
# Configure CE1.
[CE1] stp enable
# Configure CE2.
[CE2] stp enable
# Configure CE3.
[CE3] stp enable
# Configure CE4.
[CE4] stp enable
Step 2 Configure CE1 and CE2 to send STP packets with VLAN tag 100 to PEs, and configure CE3
and CE4 to send STP packets with VLAN tag 200 to PEs.
# Configure CE1.
[CE1] vlan 100
[CE1-vlan100] quit


[CE1-Ethernet0/0/1] quit
# Configure CE2.
[CE2] vlan 100
[CE2-vlan100] quit
# Configure CE3.
[CE3] vlan 200
[CE3-vlan200] quit
# Configure CE4.
[CE4] vlan 200
[CE4-vlan200] quit
Step 3 Configure QinQ-based Layer 2 protocol transparent transmission on PEs so that STP packets
with VLAN tags 100 and 200 are tagged with outer VLAN 10 by PEs and can be transmitted
on the ISP network.
# Configure PE1.
[PE1] vlan 10
[PE1-Vlan10] quit
[PE1-Ethernet0/0/2] qinq vlan-translation enable
[PE1-Ethernet0/0/2] port vlan-stacking vlan 100 stack-vlan 10
# Configure PE2.
[PE2] vlan 10
[PE2-Vlan10] quit

# Configure PE1.
# Configure PE2.

-----------------------------------------------------------------------------
stp llc dsap 0x42 0180-c200-0000 0100-5e00-0011 0
ssap 0x42
<CE1> display stp
CIST Bridge :32768.000b-09f0-1b91
CIST RegRoot/IRPC :32768.000b-09f0-1b91 / 0
STP Converge Mode :
----[Port17(Ethernet0/0/1)][FORWARDING]----
Port Priority :128
Port STP Mode :MSTP
TC or TCN send :0
BPDU Sent :237
BPDU Received :9607
<CE2> display stp
CIST Bridge :32768.000b-09d4-b66c
CIST RegRoot/IRPC :32768.000b-09d4-b66c / 0


STP Converge Mode :
Port Priority :128
Port STP Mode :MSTP
TC or TCN send :0
BPDU Sent :7095
BPDU Received :2
<CE3> display stp
STP Converge Mode :
Port Priority :128
Port STP Mode :MSTP
TC or TCN send :0
BPDU Sent :238
BPDU Received :9745
<CE4> display stp
STP Converge Mode :


Port Priority :128
Port STP Mode :MSTP
TC or TCN send :0
BPDU Sent :7171
BPDU Received :2
Run the display vlan command on PEs to view the QinQ configuration.
<PE1> display vlan 10 verbose
* : Management-VLAN
---------------------
VLAN ID : 10
VLAN Type : Common
Description : VLAN 0010
Status : Enable
Broadcast : Enable
MAC learning : Enable
Statistics : Disable
Property : Default
VLAN State : Up
----------------
Untagged Port: Ethernet0/0/2 Ethernet0/0/3
----------------
Active Untag Port: Ethernet0/0/2 Ethernet0/0/3
----------------
QinQ-stack Port: Ethernet0/0/2 Ethernet0/0/3
----------------
Interface Physical
Ethernet0/0/2 UP
Ethernet0/0/3 UP
----End
Configuration Files
#
sysname CE1
#
vlan batch 100
#
stp bpdu vlan 100
#
return

#
sysname CE2
#

vlan batch 100

#
stp bpdu vlan 100
#
return

#
sysname CE3
#
vlan batch 200
#
stp bpdu vlan 200
#
return

#
sysname CE4
#
vlan batch 200
#
stp bpdu vlan 200
#
return

#
sysname PE1
#
vlan batch 10
#
#
#
#
return

#
sysname PE2
#
vlan batch 10
#
#
#


#
return
3.11 Loopback Detection Configuration

Loopback detection can detect loops on the network connected to the device and reduce impacts
on the network.
3.11.1 Example for Configuring Loopback Detection
As shown in Figure 3-30, if there is a loop on the network connected to the Eth0/0/1 interface,
broadcast storms will occur on the Switch or even the entire network.
To detect loops on the network connected to the switch and disabled downlink interfaces to
reduce impacts on the switch and other networks, enable loopback detection on the Switch.
Figure 3-30 Loopback detection network diagram

Switch
Eth0/0/1
1. Enable loopback detection on the interface to detect loops on downlink networks.
2. Specify the VLAN ID for loopback detection packets.
3. Set loopback detection parameters to enable the interface automatic recovery.
Procedure
Step 1 Enable loopback detection on the interface.


[Switch-Ethernet0/0/1] loopback-detect enable
Step 2 Specify the VLAN ID for loopback detection packets.

[Switch] vlan 100
[Switch-Ethernet0/0/1] port hybrid tagged vlan 100
[Switch-Ethernet0/0/1] loopback-detect packet vlan 100
Step 3 Set loopback detection parameters.
# Configure the action the interface when a loopback is detected.

[Switch-Ethernet0/0/1] loopback-detect action block
# Set the interface recovery time after a loop is removed.

[Switch-Ethernet0/0/1] loopback-detect recovery-time 30
# Set the interval between sending loopback detection packets.

[Switch] loopback-detect packet-interval 10
Run the display loopback-detect command to check the configuration.

<Switch> display loopback-detect
Loopback-detect sending-packet interval:10
Interface RecoverTime Action Status

--------------------------------------------------------------------------------
Ethernet0/0/1 30 block NORMAL
When loops occur on the Ethernet0/0/1 interface, the interface is blocked. The interface will
recover 30s after no loopback packets are detected.
----End
Configuration Files
#
sysname Switch
#
vlan batch 100
#
loopback-detect packet-interval 10
#
loopback-detect recovery-time 30
loopback-detect packet vlan 100
loopback-detect enable
#
return
3.12 VoIP Access Configuration

3.12.1 Example for Configuring LLDP on a Switch to Provide VoIP

Access
Flows of the HSI, VoIP, and IPTV services are transmitted on the network. Users require high
quality of the VoIP service. Therefore, voice data flows must be transmitted with a high priority.
If a voice device supports LLDP and has a high 802.1p priority (for example, 5), you can
configure LLDP and Voice VLAN on the switch. Then the switch uses the LLDP protocol to
deliver the Voice VLAN ID to the voice device and does not change the packet priority.
As shown in Figure 3-31, after a Voice VLAN is configured on the Switch, the voice device
learns the Voice VLAN ID using LLDP.
NOTE
The S2300SI does not support this example.
Figure 3-31 Configuring LLDP to provide VoIP access

DHCP Server
Internet
Switch
Eth0/0/1
HG
HSI VoIP IPTV
1. Create VLANs.
2. Configure the link type and default VLAN of the interface connected to the IP phone.
3. Enable the Voice VLAN function on the interface.
4. Configure the interface to join the Voice VLAN in manual mode.
5. Set the working mode of the Voice VLAN.

6. Configure the interface to trust the 802.1p priority of packets.

7. Enable LLDP globally and on the interface.
Procedure
Step 1 Configure VLANs and interface on the Switch.
# Configure the link type and default VLAN of Ethernet0/0/1.

Step 2 Configure the Voice VLAN on the Switch.

# Enable the Voice VLAN on Ethernet0/0/1.
# Configure the mode in which Ethernet0/0/1 is added to the Voice VLAN.

[Quidway-Ethernet0/0/1] voice-vlan mode manual
# Configure the working mode of the Voice VLAN.

[Quidway-Ethernet0/0/1] undo voice-vlan security enable
Step 3 Configure the interface to trust the 802.1p priority of packets.

[Quidway-Ethernet0/0/1] trust 8021p
Step 4 Enable LLDP.

[Quidway] lldp enable
[Quidway-Ethernet0/0/1] lldp enable
[Quidway-Ethernet0/0/1] return

Run the display voice-vlan 2 status command to check the Voice VLAN configuration,
including the mode in which the interface is added to the Voice VLAN, working mode, and
aging time of the Voice VLAN.
---------------------------------------------------
Voice VLAN ID : 2
Voice VLAN aging time : 1440(minutes)
----------------------------------------------------------
Port Information:
-----------------------------------------------------------
-----------------------------------------------------------
Ethernet0/0/1 Manual Normal Disable
----End

Configuration Files
#
sysname Quidway
#
vlan batch 2 6
#
lldp enable
#
voice-vlan 2 enable
voice-vlan mode manual
undo voice-vlan security enable
trust 8021p
#
return
3.12.2 Example for Configuring a DHCP Server on a Switch to

Provide VoIP Access
If a voice device supports DHCP and has a high 802.1p priority (for example, 5), you can
configure DHCP and Voice VLAN on the switch. Then the switch uses the DHCP protocol to
deliver the Voice VLAN ID to the voice device and does not change the packet priority.
As shown in Figure 3-32, the voice device does not support VLAN configuration. In this case,
you can configure the DHCP option so that the DHCP server can deliver the voice VLAN ID to
the voice device.
NOTE
Only the S3300 supports this example.

Figure 3-32 Configuring a DHCP server to provide VoIP access
Internet
Switch DHCP Server
Eth0/0/1
HG
HSI VoIP IPTV
1. Create VLANs.
2. Configure the link type and default VLAN of the interface connected to the IP phone.
3. Configure the interface to trust the 802.1p priority of packets.
4. Configure an IP address pool.
5. Configure Option in the address pool.
6. Enable DHCP globally and configure the DHCP server on the VLANIF interface to allocate
IP addresses using the global IP address pool.
Procedure
Step 1 Configure VLANs and interface on the Switch.

# Configure the link type and default VLAN of Ethernet0/0/1.

Step 2 Configure an IP address pool on the Switch.
# Create an IP address pool.

[Quidway] ip pool ip_access

# Configure the address range in the IP address pool.

[Quidway-ip-pool-ip_access] network 192.168.10.0 mask 24
[Quidway-ip-pool-ip_access] gateway-list 192.168.10.254
[Quidway-ip-pool-ip_access] option184 voice-vlan 6
[Quidway-ip-pool-ip_access] quit
NOTE
The DHCP option is configured to enable the DHCP server to deliver the voice VLAN ID to the voice
device. Option184 is used as an example here. IP phones from different vendors may use different options.
For the specific option used by an IP phone, see the user manual of the IP phone. For details on how to
configure the option, see the option command in S2300&S3300 Series Ethernet Switches IP Service
Commands - DHCP Configuration Commands.
Step 3 Configure the interface to trust the 802.1p priority of packets.

[Quidway-Ethernet0/0/1] trust 8021p
Step 4 Enable DHCP globally,

[Quidway] dhcp enable
Step 5 Create the VLANIF interface corresponding to the default VLAN of Ethernet0/0/1. Configure
the DHCP server on the VLANIF interface to allocate IP addresses using the global address
pool.
[Quidway] interface Vlanif2
[Quidway-Vlanif2] dhcp select global
----End
Configuration Files
#
sysname Quidway
#
vlan batch 2 6
#
dhcp enable
#
ip pool ip_access
gateway-list 192.168.10.254
network 192.168.10.0 mask 255.255.255.0
option184 voice-vlan 6
#
interface Vlanif2
ip address 192.168.10.1 255.255.255.0
dhcp select global
#
trust 8021p
#
return
3.12.3 Example for Configuring an Simplified ACL on a Switch to

Provide VoIP Access

If a voice device connected to a switch does not support LLDP or DHCP, you can configure an
ACL on the switch to implement VoIP access.
As shown in Figure 1, the voice device sends untagged packets. To ensure high-quality VoIP
service, the Switch identifies voice data packets based on the source MAC address, tags the
voice data packets with VLAN 200, and sets the priority of the voice data packets to 7.
NOTE
The S2300SI does not support this example.
Figure 3-33 Configuring an ACL to provide VoIP access

DHCP Server
Internet
Switch
Eth0/0/1
HG
HSI VoIP IPTV
1. Create a VLAN.
2. Configure the link type and default VLAN of the interface connected to the voice device.
3. Configure an ACL rule to match the MAC address of the voice device.
4. Configure the Switch to change the priority of the packets matching the ACL rule.
Procedure
Step 1 Configure VLAN and interface on the Switch.
# Create VLAN 200.

[Quidway] vlan 200
# Configure the link type and default VLAN of the interface connected to the voice device.
[Quidway-Ethernet0/0/1] port link-type dot1q-tunnel
Step 2 Configure an ACL.

[Quidway] acl 4000
[Quidway-acl-L2-4000] rule permit source-mac 1234-1234-1234 ffff-ffff-ff00
[Quidway-acl-L2-4000] quit
Step 3 Apply the ACL to Eth0/0/1 and re-mark the priority of the packets matching the ACL.
[Quidway-Ethernet0/0/1] traffic-remark inbound acl 4000 8021p 7
[Quidway-Ethernet0/0/1] return

Run the display acl 4000 command to check the ACL configuration.
<Quidway> display acl 4000
L2 ACL 4000, 1 rule
Acl's step is 5
rule 5 permit source-mac 1234-1234-1200 ffff-ffff-ff00
----End
Configuration Files
#
sysname Quidway
#
vlan batch 200
#
acl number 4000
rule 5 permit source-mac 1234-1234-1200 ffff-ffff-ff00
#
traffic-remark inbound acl 4000 8021p 7
#
return

Typical Configuration Examples 4 Configuration Guide - IP Service
4 Configuration Guide - IP Service
About This Chapter
This document describes configuration of IP Service supported by the device and provides
configuration examples.
4.1 IP Address Configuration
Network devices can communicate at the network layer only after they are configured with IP
addresses.
4.2 ARP Configuration
The Address Resolution Protocol (ARP) maps IP addresses to MAC addresses so that Ethernet
frames can be transmitted on a physical network.
4.3 DHCP Configuration
Dynamic Host Configuration Protocol (DHCP) dynamically manages and configures clients in
a concentrated manner. It ensures proper IP address allocation and improves IP address use
efficiency.
4.4 DHCP Policy VLAN Configuration
On a network supporting VLAN assignment based on IP subnets, after the Dynamic Host
Configuration Protocol (DHCP) policy VLAN is configured on a switch, a new host can
communicate with the DHCP server using DHCP packets.
4.5 DHCPv6 Configuration
This section describes how to configure the DHCPv6 function. Currently, the switch can function
as the DHCPv6 relay on the IPv6 network.
4.6 IP Performance Configuration
You can optimize IP performance by adjusting parameters on the network.
4.7 DNS Configuration
This chapter describes the principles, basic functions and configuration procedures of DNS on
the switch, and provides configuration examples.
4.8 Basic IPv6 Configurations
The IPv6 protocol stack supports routing protocols and application protocols on an IPv6 network.
4.9 IPv6 DNS configuration
This section describes how to configure IPv6 DNS so that devices can use domain names to
communicate.

4.10 IPv6 over IPv4 Tunnel Configuration

IPv6 over IPv4 tunnel technology enables transition from the IPv4 network to the IPv6 network.

4.1 IP Address Configuration

Network devices can communicate at the network layer only after they are configured with IP
addresses.
4.1.1 Example for Configuring IP Addresses for an Interface

As shown in Figure 4-1, the Switch has only one idle interface GigabitEthernet0/0/1 to connect
to a LAN. The hosts on the LAN are located on two network segments: 172.16.1.0/24 and
172.16.2.0/24. The interface must be configured with two interfaces to provide access for hosts
on the two network segments.
Figure 4-1 Network diagram for IP addresses configuration
172.16.1.1/24 172.16.1.2/24 Switch
GE0/0/1
VLANIF100
172.16.1.1/24
172.16.2.1/24 sub
172.16.2.1/24 172.16.2.2/24
Configure a primary IP address and a secondary IP address for the interface.
Procedure
Step 1 Add GigabitEthernet0/0/1 to VLAN 100, and configure a primary IP address and a secondary
IP address for VLANIF100.
[Quidway] vlan 100
[Quidway-Vlan100] quit
[Quidway] interface gigabitethernet 0/0/1
[Quidway-GigabitEthernet0/0/1] port hybrid pvid vlan 100
[Quidway-GigabitEthernet0/0/1] port hybrid untagged vlan 100
[Quidway-GigabitEthernet0/0/1] quit


[Quidway-Vlanif100] ip address 172.16.2.1 24 sub
# Ping a host on network segment 172.16.1.0 from the Switch. The ping operation succeeds.
<Quidway> ping 172.16.1.2
--- 172.16.1.2 ping statistics ---
0.00% packet loss
# Ping a host on network segment 172.16.2.0 from the Switch. The ping operation succeeds.
0.00% packet loss
----End
Configuration Files
#
sysname Quidway
#
vlan batch 100
#
interface Vlanif100
ip address 172.16.1.1 255.255.255.0
ip address 172.16.2.1 255.255.255.0 sub
#
#
return
4.1.2 Example for Configuring an IP Unnumbered Interface
As shown in Figure 4-2, Tunnel interfaces (Tunnel0/0/15) of SwitchA and SwitchC are seldom
used, so they have no IP address configured. IP unnumbered need to be configured on the tunnel
interfaces so that the two switches can communicate through the tunnel.

Figure 4-2 Network diagram for IP unnumbered interface configuration

SwitchB
GE0/0/1 GE0/0/2
VLANIF10 VLANIF20
20.1.1.2/24 30.1.1.1/24
GE0/0/1 GE0/0/1
SwitchA
116.116.116.1/24
VLANIF10 VLANIF10 SwitchC
LoopBack 0
LoopBack 0
20.1.1.1/24 30.1.1.2/24
9.9.9.1/24
Tunnel
Tunnel Tunnel
0/0/15 0/0/15
PC 1 PC 2
1. Create tunnel interfaces on SwitchA and SwitchC, set up a GRE tunnel between them, and
specify the source and destination addresses of the tunnel interfaces.
2. On SwitchA and SwitchC, configure an IP address for a loopback interface and configure
the tunnel interface to borrow the IP address from this loopback interface.
Procedure
Step 1 Configure public IP and the IP address of interface Loopback0
# Configure SwitchA.
[SwitchA] vlan 10
[SwitchA-vlan10] quit
[SwitchA-GigabitEthernet0/0/1] port link-type access
[SwitchA-GigabitEthernet0/0/1] port default vlan 10
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface vlanif 10
[SwitchA-Vlanif10] ip address 20.1.1.1 24
[SwitchA-Vlanif10] quit
# Configure SwitchB.
[SwitchB] interface gigabitethernet 0/0/1
[SwitchB-GigabitEthernet0/0/1] port link-type access

[SwitchB-GigabitEthernet0/0/1] port default vlan 10

[SwitchB-GigabitEthernet0/0/1] quit
[SwitchB-GigabitEthernet0/0/2] port link-type access
[SwitchB-GigabitEthernet0/0/2] port default vlan 20
# Configure SwitchC.
[SwitchC] vlan 10
[SwitchC-vlan10] quit
[SwitchC] interface gigabitethernet 0/0/1
[SwitchC-GigabitEthernet0/0/1] port link-type access
[SwitchC-GigabitEthernet0/0/1] port default vlan 10
[SwitchC-GigabitEthernet0/0/1] quit
[SwitchC] interface vlanif 10
[SwitchC-Vlanif10] ip address 30.1.1.2 24
[SwitchC-Vlanif10] quit
[SwitchC] interface loopback 0
[SwitchC-LoopBack0] ip address 9.9.9.1 24
[SwitchC-LoopBack0] quit
Step 2 Configure OSPF on the devices
[SwitchA] ospf 1
[SwitchA-ospf-1] area 0
[SwitchA-ospf-1-area-0.0.0.0] network 20.1.1.0 0.0.0.255
[SwitchA-ospf-1-area-0.0.0.0] quit
[SwitchA-ospf-1] quit
[SwitchB] ospf 1
[SwitchB-ospf-1] area 0
[SwitchB-ospf-1-area-0.0.0.0] network 20.1.1.0 0.0.0.255
[SwitchB-ospf-1-area-0.0.0.0] quit
[SwitchB-ospf-1] quit
[SwitchC] ospf 1
[SwitchC-ospf-1] area 0
[SwitchC-ospf-1-area-0.0.0.0] network 30.1.1.0 0.0.0.255
[SwitchC-ospf-1-area-0.0.0.0] quit
[SwitchC-ospf-1] quit
Step 3 Configure Tunnel0/0/15 to borrow the IP address from Loopback0 and configure the gre tunnel.
[SwitchA] interface tunnel 0/0/15
[SwitchA-Tunnel0/0/15] tunnel-protocol gre
[SwitchA-Tunnel0/0/15] ip address unnumbered interface loopback 0
[SwitchA-Tunnel0/0/15] source 20.1.1.1
[SwitchA-Tunnel0/0/15] destination 30.1.1.2
[SwitchA-Tunnel0/0/15] quit

[SwitchC] interface tunnel 0/0/15

[SwitchC-Tunnel0/0/15] tunnel-protocol gre
[SwitchC-Tunnel0/0/15] ip address unnumbered interface loopback 0
[SwitchC-Tunnel0/0/15] source 30.1.1.2
[SwitchC-Tunnel0/0/15] destination 20.1.1.1
[SwitchC-Tunnel0/0/15] quit
Step 4 Configure static routes.

[SwitchA] ip route-static 9.9.9.0 255.255.255.0 tunnel 0/0/15
[SwitchC] ip route-static 116.116.116.0 255.255.255.0 tunnel 0/0/15

# Ping 9.9.9.1 from SwitchA. The ping operation succeeds.

0.00% packet loss
----End
Configuration Files
#
sysname SwitchA
#
vlan batch 10
#
interface LoopBack0
ip address 116.116.116.1 255.255.225.0
#
interface Vlanif10
ip address 20.1.1.1 255.255.255.0
#
#
interface Tunnel0/0/15
tunnel-protocol gre
source 20.1.1.1
destination 30.1.1.2
#
ospf 1
area 0.0.0.0
network 20.1.1.0 0.0.0.255
#
ip route-static 9.9.9.0 255.255.255.0 tunnel 0/0/15
#
return


#
sysname SwitchB
#
vlan batch 10 20
#
interface Vlanif10
ip address 20.1.1.2 255.255.255.0
#
interface Vlanif20
ip address 30.1.1.1 255.255.255.0
#
#
#
ospf 1
area 0.0.0.0
network 20.1.1.0 0.0.0.255
network 30.1.1.0 0.0.0.255
#
return

#
sysname SwitchC
#
vlan batch 10
#
interface LoopBack0
ip address 9.9.9.1 255.255.225.0
#
interface Vlanif10
ip address 30.1.1.2 255.255.255.0
#
#
tunnel-protocol gre
source 30.1.1.2
#
ospf 1
area 0.0.0.0
network 30.1.1.0 0.0.0.255
#
ip route-static 116.116.116.0 255.255.255.0 tunnel 0/0/15
#
return
4.2 ARP Configuration

The Address Resolution Protocol (ARP) maps IP addresses to MAC addresses so that Ethernet
frames can be transmitted on a physical network.

4.2.1 Example for Configuring ARP
As shown in Figure 4-3, GE0/0/1 on the switch connects to hosts through the LAN Switch
(LSW). GE0/0/2 connects to a server through the Router. Requirements are as follows:
l GE0/0/1 belongs to VLAN2 and GE0/0/2 belongs to VLAN3.
l Dynamic ARP parameters should be configured for VLANIF2 of the switch so that packets
are transmitted correctly regardless of network typology change.
l A static ARP entry should be configured on GE0/0/2 of the switch to ensure secure
communication with the server and prevent illegal ARP packets. The IP address of the
router should be 10.2.2.3 and the corresponding MAC address is 00e0-fc01-0000.
Figure 4-3 Networking diagram for configuring ARP

Server
Internet
Router
VLANIF3
GE0/0/2 10.2.2.2/24
Switch
GE0/0/1 VLANIF2
2.2.2.2/24
LSW
PC1
Internet
PC3
PC2

2. Set dynamic ARP parameters for the user-side VLANIF interface.
3. Configure a static ARP entry.

Procedure
Step 1 Create VLANs and add interfaces to the VLANs.
# Create VLAN2 and VLAN3.

# Add GE0/0/1 to VLAN2 and GE0/0/2 to VLAN3.

[Quidway-GigabitEthernet0/0/1] port hybrid tagged vlan 2
[Quidway-GigabitEthernet0/0/2] port hybrid tagged vlan 3
Step 2 Set dynamic ARP parameters for the VLANIF interface.
# Create VLANIF2.
# Configure an IP address for VLANIF2.

# Set the aging time of ARP entries to 60s.

[Quidway-Vlanif2] arp expire-time 60
# Set the number of probes to ARP entries to 2.

[Quidway-Vlanif2] arp detect-times 2
# Create VLANIF3.

Step 3 Configure a static ARP entry.
# Configure a static ARP entry with IP address 10.2.2.3, MAC address 00e0-fc01-0000, VLAN
ID 3, and outbound interface GE0/0/2.
[Quidway] arp static 10.2.2.3 00e0-fc01-0000 vid 3 interface gigabitethernet 0/0/2
[Quidway] quit
# Run the display current-configuration command to check the aging time, number of probes,
and ARP mapping entries.
<Quidway> display current-configuration | include arp
arp detect-times 2
arp expire-time 60
arp static 10.2.2.3 00e0-fc01-0000 vid 3 interface GigabitEthernet0/0/2
----End

Configuration Files
#
sysname Quidway
#
vlan batch 2 to 3
#
interface Vlanif2
arp detect-times 2
arp expire-time 60
ip address 2.2.2.2 255.255.255.0
#
interface Vlanif3
ip address 10.2.2.2 255.255.255.0
#
#
#
arp static 10.2.2.3 00e0-fc01-0000 vid 3 interface GigabitEthernet0/0/2
#
return
4.2.2 Example for Configuring Routed Proxy ARP
In Figure 4-4, Ethernet interfaces GE0/0/1 and GE0/0/2 connect to two LANs respectively. The
two LANs are at the same network segment 172.16.0.0/16. HostA and HostB have no default
gateway. Routed proxy ARP is required to be configured on the switch so that hosts on two
LANs can communicate.
Figure 4-4 Networking diagram for configuring routed proxy ARP

Host A Host B
172.16.1.2/16 172.16.2.2/16
0000-5e33-ee20 0000-5e33-ee10
GE0/0/1 GE0/0/2
172.16.1.1/24 172.16.2.1/24
VLAN2 VLAN3
Switch
Ethernet A Ethernet B
1. Configure IP addresses for interfaces.

2. Enable routed proxy ARP on interfaces.
Procedure
Step 1 Create VLAN2 and add GE0/0/1 to VLAN2.
[Quidway] vlan 2
[Quidway-GigabitEthernet0/0/1] port link-type access
[Quidway-GigabitEthernet0/0/1] port default vlan 2
Step 2 Create and configure VLANIF2.

Step 3 Enable routed proxy ARP on VLANIF2.

[Quidway-Vlanif2] arp-proxy enable
Step 4 Create VLAN3 and add GE0/0/2 to VLAN3.

[Quidway] vlan 3

Step 6 Enable routed proxy ARP on VLANIF3.

[Quidway-Vlanif3] arp-proxy enable
Step 7 Configure hosts.

# Configure IP address 172.16.1.2/16 for HostA.
# Configure IP address 172.16.2.2/16 for HostB.
# Ping Host B from Host A. Host A can ping Host B successfully.
----End
Configuration Files
#
sysname Quidway
#
vlan batch 2 to 3
#
interface Vlanif2
ip address 172.16.1.1 255.255.255.0
arp-proxy enable
#
interface Vlanif3

ip address 172.16.2.1 255.255.255.0

arp-proxy enable
#
port default vlan 2
#
port default vlan 3
#
return
4.2.3 Example for Configuring Intra-VLAN Proxy ARP
As shown in Figure 4-5, GE0/0/2 and GE0/0/1 on the switch belong to sub-VLAN2. Sub-
VLAN2 belongs to super-VLAN3. Requirements are as follows:
l HostA and HostB in VLAN2 should be isolated at Layer 2.
l HostA and HostB can communicate at Layer 3 using intra-VLAN proxy ARP.
The IP address of the VLANIF interface corresponding to the super-VLAN is 10.10.10.1 and
the mask is 255.255.255.0.
Figure 4-5 Networking diagram for configuring intra-VLAN proxy ARP
Internet
Switch
GE0/0/2 GE0/0/1
hostB hostA
10.10.10.3/24 10.10.10.2/24
00-e0-fc-00-00-03 00-e0-fc-00-00-02
sub-VLAN2
1. Create and configure a super-VLAN and a sub-VLAN.

2. Add interfaces to the sub-VLAN.
3. Create a VLANIF interface corresponding to the super-VLAN and assign an IP address to
the VLANIF interface.

4. Enable intra-VLAN proxy ARP on the VLANIF interface.
Procedure
Step 1 Configure a super-VLAN and a sub-VLAN.
# Configure sub-VLAN2.
[Quidway] vlan 2
# Enable interface isolation on GE0/0/1 and GE0/0/2.

[Quidway] port-isolate mode l2
[Quidway-GigabitEthernet0/0/1] port-isolate enable
[Quidway-GigabitEthernet0/0/2] port-isolate enable
# Add GE0/0/1 and GE0/0/2 to sub-VLAN2.

# Configure super-VLAN3 and add sub-VLAN2 to super-VLAN3.

[Quidway] vlan 3
[Quidway-vlan3] access-vlan 2
# Create VLANIF3.

Step 3 Enable intra-VLAN proxy ARP on VLANIF3.

[Quidway-Vlanif3] arp-proxy inner-sub-vlan-proxy enable
# Run the display current-configuration command to check configurations of the super-

VLAN, sub-VLAN, and VLANIF interface. The output of the command is displayed in the
following configuration file.
# hostA and hostB can ping each other.
----End
Configuration Files

#
sysname Quidway
#
vlan batch 2 to 3
#
vlan 3
aggregate-vlan
access-vlan 2
#
port-isolate mode l2
#
interface Vlanif3
ip address 10.10.10.1 255.255.255.0
arp-proxy inner-sub-vlan-proxy enable
#
port default vlan 2
#
port default vlan 2
#
return
4.2.4 Example for Configuring Inter-VLAN Proxy ARP
As shown in Figure 4-6, VLAN2 and VLAN3 belong to super-VLAN4. Requirements are as
follows:
l Hosts in VLAN2 and VLAN3 cannot ping each other.
l Hosts in VLAN2 and VLAN3 can communicate after inter-VLAN proxy ARP is
configured.
Figure 4-6 Networking diagram for configuring inter-VLAN proxy ARP

Switch
GE0/0/1 GE0/0/3
GE0/0/2 GE0/0/4
VLAN2 VLAN3
VLAN4
VLAN2 VLAN3

1. Configure a super-VLAN and sub-VLANs.

2. Add interfaces to the sub-VLANs.
3. Create a VLANIF interface corresponding to the super-VLAN and assign an IP address to
the VLANIF interface.
4. Enable inter-VLAN proxy ARP.
Procedure
Step 1 Configure a super-VLAN and sub-VLANs.
[Quidway] vlan 2

[Quidway] vlan 3

# Configure super-VLAN4, then add sub-VLAN2 and sub-VLAN3 to super-VLAN4.

[Quidway] vlan 4
# Create VLANIF4.

Step 3 Enable inter-VLAN proxy ARP on VLANIF4.

[Quidway-Vlanif4] arp-proxy inter-sub-vlan-proxy enable


# Run the display current-configuration command to check configurations of the super-
VLAN, sub-VLANs, and VLANIF interface. The output of the command is displayed in the
following configuration file.
# Hosts in VLAN2 and VLAN3 can communicate after inter-VLAN proxy ARP is configured.
----End
Configuration Files
#
sysname Quidway
#
vlan batch 2 to 4
#
vlan 4
aggregate-vlan
access-vlan 2 3
#
interface Vlanif4
ip address 10.10.10.1 255.255.255.0
arp-proxy inter-sub-vlan-proxy enable
#
port default vlan 2
#
port default vlan 2
#
port default vlan 3
#
port default vlan 3
#
return
4.2.5 Example for Configuring Layer 2 Topology Detection

As shown in Figure 4-7, two GE interfaces are added to VLAN100 in default mode. IP addresses
of the switch that two GE interfaces connect.

Figure 4-7 Networking diagram for configuring Layer 2 topology detection

Switch
GE0/0/1 GE0/0/2
VLANIF100
10.1.1.2/24
PC A PC B
10.1.1.1/24 VLAN100 10.1.1.3/24
1. Add two GE interfaces to VLAN100 in default mode.
2. Enable Layer 2 topology detection to view changes of ARP entries.
Procedure
Step 1 Create VLAN100 and add two GE interfaces on the switch to VLAN100 in default mode.
# Create VLAN100 and configure an IP address for the VLANIF interface.
[Quidway] vlan 100
# Add two GE interfaces to VLAN100 in default mode.

Step 2 Enable Layer 2 topology detection.

[Quidway] l2-topology detect enable
Step 3 Restart GE0/0/1 and view changes of ARP entries and aging time.
# View ARP entries on the switch. You can find the switch has learnt the MAC address of the
PC.
[Quidway] display arp all
IP ADDRESS MAC ADDRESS EXPIRE(M) TYPE INTERFACE VPN-
INSTANCE
VLAN

-----------------------------------------------------------------------------
10.1.1.2 00e0-c01a-4900 I - Vlanif100
10.1.1.1 00e0-c01a-4901 20 D-0 GE0/0/1
100/-
10.1.1.3 00e0-de24-bf04 20 D-0 GE0/0/2
100/-
-----------------------------------------------------------------------------
Total:3 Dynamic:2 Static:0 Interface:1
# Run the shutdown and undo shutdown commands on GE0/0/1 and view the aging time of
ARP entries.
l Run the shutdown command on GE0/0/1 to view the aging time of ARP entries.
[Quidway-GigabitEthernet0/0/1] shutdown
[Quidway-GigabitEthernet0/0/1] display arp all
INSTANCE
VLAN
----------------------------------------------------------------------------
10.1.1.2 00e0-c01a-4900 I -
Vlanif100
10.1.1.3 00e0-de24-bf04 18 D-0 GE0/0/2
100/-
------------------------------------------------------------------------------
l Run the undo shutdown command on GE0/0/1 to view the aging time of ARP entries.
[Quidway-GigabitEthernet0/0/1] undo shutdown
[Quidway-GigabitEthernet0/0/1] display arp all
INSTANCE
VLAN
-----------------------------------------------------------------------------
10.1.1.2 00e0-c01a-4900 I - Vlanif100
10.1.1.1 00e0-c01a-4901 20 D-0 GE0/0/1
100/-
10.1.1.3 00e0-de24-bf04 20 D-0 GE0/0/2
100/-
-----------------------------------------------------------------------------
NOTE
The preceding command output shows that the ARP entries learned from GE 0/0/1 are deleted after GE
0/0/1 is shut down. After the undo shutdown command is run on GE 0/0/1 and GE 0/0/1 goes Up, the ARP
entry learned from GE 0/0/2 is aged, and then the device sends an ARP probe packet for updating ARP
entry. After the entry is updated, the aging time restores the default value, 20 minutes.
----End
Configuration Files
#
sysname Quidway
#
L2-topology detect enable
#
vlan batch 100
#
interface Vlanif100
ip address 10.1.1.2 255.255.255.0
#


#
#
return
4.2.6 Example for Configuring ARP Packet Forwarding Between

Isolated Interfaces
As shown in Figure 4-8, SwitchB connects to SwitchA (DHCP server) through Eth0/0/3 and
connects to UserA and UserB through interfaces Eth0/0/1 and Eth0/0/2 respectively. UserA and
UserB obtain IP addresses using DHCP. Eth0/0/3 of SwitchA, Eth0/0/1, Eth0/0/2, Eth0/0/3 of
SwitchB belong to VLAN 2. The administrator has the following requirements:
l UserA and UserB in VLAN 2 are isolated at Layer 2 and communicate at Layer 3.
l SwitchB does not broadcast ARP Request packets in the VLAN to reduce traffic volume
in the VLAN.
Figure 4-8 Networking diagram for configuring ARP packet forwarding between isolated
interfaces
SwitchA
DHCP Sever VLAN2

VLANIF2
GE0/0/3
10.10.10.12/24
GE0/0/3
SwitchB
GE0/0/1 GE0/0/2
UserB UserA
10.10.10.3/24 10.10.10.2/24
00-e0-fc-00-00-03 00-e0-fc-00-00-02
VLAN2
1. Configure port isolation on Eth0/0/1 and Eth0/0/2 of SwitchB and enable intra-VLAN ARP
proxy on SwitchA so that UserA and UserB are isolated at Layer 2 and communicate at
Layer 3.
2. Enable DHCP snooping and EAI on SwitchB so that SwitchB matches the destination IP
addresses of received ARP Request packets with the dynamic DHCP snooping binding

entries to determine the outbound interfaces, preventing ARP Request packets from being
broadcast in a VLAN.
3. Enable ARP packet forwarding between isolated interfaces on SwitchB so that UserA and
UserB can be isolated at Layer 2 and communicate at Layer 3 after EAI is enabled on the
outbound interface.
Procedure
Step 1 Enable DHCP on SwitchA.
[SwitchA] dhcp enable
Step 2 Create a VLAN on SwitchA, add the interface to the VLAN, and create a VLANIF interface.
# Create VLAN 2 and add Eth0/0/3 to VLAN 2.
[SwitchA] vlan 2
# Create VLANIF2, configure an IP address for VLANIF2, and enable DHCP on VLANIF2.
[SwitchA-Vlanif2] dhcp select interface
Step 3 Create a VLAN on SwitchB and add interfaces to the VLAN.

# Create VLAN 2 and add Eth0/0/1, Eth0/0/2, and Eth0/0/3 to VLAN 2.
[SwitchB] vlan 2
[SwitchB-Ethernet0/0/1] port link-type access
[SwitchB-Ethernet0/0/1] port default vlan 2
[SwitchB-Ethernet0/0/2] port link-type access
[SwitchB-Ethernet0/0/2] port default vlan 2
[SwitchB-Ethernet0/0/3] port trunk allow-pass vlan 2
Step 4 Enable DHCP snooping on SwitchB.

# Enable DHCP snooping globally and in VLAN 2.
[SwitchB] dhcp enable
[SwitchB] dhcp snooping enable
[SwitchB] vlan 2
[SwitchB-vlan2] dhcp snooping enable
# Configure Eth0/0/3 as the trusted interface.

[SwitchB-Ethernet0/0/3] dhcp snooping trusted

After the configuration is complete, UserA and UserB can go online using DHCP, and UserA
and UserB can ping each other. Dynamic DHCP snooping binding entries are generated on
SwitchB.
Step 5 Configure port isolation on SwitchB.
# Configure Layer 2 isolation and Layer 3 communication.

[SwitchB] port-isolate mode l2
# Configure port isolation on Eth0/0/1 and Eth0/0/2.

[SwitchB-Ethernet0/0/1] port-isolate enable
[SwitchB-Ethernet0/0/2] port-isolate enable
After the configuration is complete, UserA and UserB cannot ping each other, indicating that
UserA and UserB are isolated at Layer 2.
Step 6 Enable intra-VLAN proxy ARP on SwitchA.
# Enable intra-VLAN proxy ARP on VLANIF2.

[SwitchA-Vlanif2] arp-proxy inner-sub-vlan-proxy enable
After the configuration is complete, UserA and UserB can ping each other, indicating that UserA
and UserB can communicate at Layer 3.
Step 7 Enable EAI on the outbound interface of SwitchB.
# Enable EAI on the outbound interface in VLAN 2.

[SwitchB] vlan 2
[SwitchB-vlan2] dhcp snooping arp security enable
After the configuration is complete, if ARP entries corresponding to UserA and UserB have
aged, UserA sends an ARP Request packet to UserB before performing the ping operation.
After EAI is enabled, SwitchB matches the destination IP addresses of received ARP Request
packets with the dynamic DHCP snooping binding entries to determine the outbound interface.
SwitchB then forwards ARP Request packets to Eth0/0/1. Intra-VLAN ARP proxy on SwitchA
does not take effect when ARP packets are forwarded to SwitchA through Eth0/0/3. The
outbound interface Eth0/0/1 with EAI enabled and the inbound interface Eth0/0/2 are configured
with port isolation. Therefore, SwitchB discards the ARP Request packet, and UserA fails to
learn ARP entries.
UserA and UserB cannot ping each other.
Step 8 Configure ARP packet forwarding between isolated interfaces on SwitchB.
# Configure ARP packet forwarding between isolated interfaces in VLAN 2.

[SwitchB-vlan2] dhcp snooping arp security isolate-forwarding-trust
[SwitchB] quit
After the configuration is complete, SwitchB forwards ARP Request packets sent from UserA
to the trusted interface Eth0/0/3. SwitchA with intra-VLAN ARP proxy enabled allows UserA
and UserB to ping each other. ARP packet forwarding between isolated interfaces is configured
successfully.

Run the display current-configuration command on SwitchA and SwitchB to check the
configuration. The command output is displayed in the following configuration files.
----End
Configuration Files
#
sysname SwitchA
#
vlan batch 2
#
dhcp enable
#
interface Vlanif2
ip address 10.10.10.12 255.255.255.0
arp-proxy inner-sub-vlan-proxy enable
dhcp select interface
#
#
return

#
sysname SwitchB
#
vlan batch 2
#
dhcp
enable
#
dhcp snooping
enable
#
vlan
2
dhcp snooping
enable
dhcp snooping arp security
enable
dhcp snooping arp security isolate-forwarding-trust
#
port default vlan 2
#
port default vlan 2
#
port link-type
trunk
port trunk allow-pass vlan
2
dhcp snooping trusted
#
return

4.3 DHCP Configuration

Dynamic Host Configuration Protocol (DHCP) dynamically manages and configures clients in
a concentrated manner. It ensures proper IP address allocation and improves IP address use
efficiency.
4.3.1 Example for Configuring a DHCP Server Based on the Global

Address Pool
As shown in Figure 4-9, an enterprise has two offices on the same network segment. To reduce
network construction cost, the enterprise uses one DHCP server to assign IP addresses for hosts
in the two offices.
All the hosts in Office1 are on the network segment 10.1.1.0/25 and added to VLAN 10. Hosts
in Office1 only use the DNS service with a lease of ten days. All the hosts in Office2 are on the
network segment 10.1.1.128/25 and added to VLAN 20. Hosts in Office2 use the DNS service
and NetBIOS service with a lease of two days.
You can configure a global address pool on SwitchA and enable the server to dynamically assign
IP addresses to hosts in the two offices.
Figure 4-9 Networking diagram for configuring a DHCP server based on the global address
pool
NetBIOS DHCP DHCP DHCP
server client client client
10.1.1.4/25
GE0/0/1 GE0/0/2
VLANIF10 VLANIF20
10.1.1.1/25 10.1.1.129/25
SwtichB SwtichC
SwtichA
DHCP server
10.1.1.2/25 DNS DHCP DHCP DHCP

server client client client
Network: 10.1.1.0/25 Network: 10.1.1.128/25

1. Create two global address pools on the SwitchA and set attributes of the pools. Assign IP
addresses to Office1 and Office2 as required.
2. Configure VLANIF interfaces to use the global address pool to assign IP addresses to
clients.
Procedure
Step 1 Enable DHCP
Step 2 Create address pools and set the attributes of the address pools
# Set the attributes of IP address pool 1, including the address pool range, DNS server address,
gateway address, and address lease.
[SwitchA] ip pool 1
[SwitchA-ip-pool-1] network 10.1.1.0 mask 255.255.255.128
[SwitchA-ip-pool-1] dns-list 10.1.1.2
[SwitchA-ip-pool-1] gateway-list 10.1.1.1
[SwitchA-ip-pool-1] excluded-ip-address 10.1.1.2
[SwitchA-ip-pool-1] excluded-ip-address 10.1.1.4
[SwitchA-ip-pool-1] lease day 10
[SwitchA-ip-pool-1] quit
# Set the attributes of IP address pool 2, including the address pool range, DNS server address,
egress gateway address, NetBIOS server address, and address lease
[SwitchA] ip pool 2
[SwitchA-ip-pool-2] network 10.1.1.128 mask 255.255.255.128
[SwitchA-ip-pool-2] dns-list 10.1.1.2
[SwitchA-ip-pool-2] nbns-list 10.1.1.4
[SwitchA-ip-pool-2] gateway-list 10.1.1.129
[SwitchA-ip-pool-2] lease day 2
[SwitchA-ip-pool-2] quit
Step 3 Set the address assignment mode on the VLANIF interfaces
# Add GigabitEthernet0/0/1 and GigabitEthernet0/0/2 to the corresponding VLANs.

[SwitchA-GigabitEthernet0/0/1] port hybrid pvid vlan 10
[SwitchA-GigabitEthernet0/0/1] port hybrid untagged vlan 10
# Configure clients on VLANIF 10 to obtain IP addresses from the global address pool.
[SwitchA-Vlanif10] ip address 10.1.1.1 255.255.255.128
[SwitchA-Vlanif10] dhcp select global
# Configure clients on VLANIF 20 to obtain IP addresses from the global address pool.
[SwitchA-Vlanif20] dhcp select global

Step 4 Verify the configuration

Run the display ip pool command on the SwitchA to view the IP address pool configuration.
[SwitchA] display ip pool
-----------------------------------------------------------------------
Pool-name : 1
Pool-No : 0
Position : Local Status : Unlocked
Gateway-0 : 10.1.1.1
Mask : 255.255.255.128
VPN instance : --
-----------------------------------------------------------------------
Pool-name : 2
Pool-No : 1
Gateway-0 : 10.1.1.129
Mask : 255.255.255.128
VPN instance : --
IP address Statistic
Total :250
Used :1 Idle :248
Expired :0 Conflict :0 Disable :1
----End
Configuration Files
#
sysname SwitchA
#
vlan batch 10 20
#
dhcp enable
#
ip pool 1
network 10.1.1.0 mask 255.255.255.128
excluded-ip-address 10.1.1.2
excluded-ip-address 10.1.1.4
lease day 10 hour 0 minute 0
dns-list 10.1.1.2
#
ip pool 2
network 10.1.1.128 mask 255.255.255.128
lease day 2 hour 0 minute 0
dns-list 10.1.1.2
nbns-list 10.1.1.4
#
interface Vlanif10
ip address 10.1.1.1 255.255.255.128
dhcp select global
#
interface Vlanif20
ip address 10.1.1.129 255.255.255.128
dhcp select global
#
#


#
return
4.3.2 Example for Configuring a DHCP Server Based on the

Interface Address Pool
As shown in Figure 4-10, an enterprise has two offices on the same network segment. To reduce
network construction cost, the enterprise uses one DHCP server to assign IP addresses for hosts
in the two offices.
All the hosts in Office1 are on the network segment 10.1.1.0/24 and added to VLAN 10. Hosts
in Office1 use the DNS service and NetBIOS service with a lease of thirty days. All the hosts
in Office2 are on the network segment 10.1.2.0/24 and added to VLAN 11. Hosts in Office2 do
not use the DNS service or NetBIOS service. The lease of the IP address is tweenty days.
Figure 4-10 Networking diagram for configuring a DHCP server based on the VLANIF interface
address pool
NetBIOS Server DHCP DNS Server
10.1.1.3/24 Client 10.1.1.2/24
VLANIF10
10.1.1.1/24
SwitchB
GE0/0/1
SwitchA
GE0/0/2 DHCP
SwitchC VLANIF11 Server
10.1.2.1/24
DHCP DHCP DHCP

Client Client Client
1. Create two interface address pools on the SwitchA and set attributes of the address pool.
Configure the interface address pools to enable the DHCP server to assign IP addresses and
configuration parameters to hosts from different interface address pools.
2. Configure VLANIF interfaces to assign IP addresses to hosts from the interface address
pool.

Procedure
Step 1 Enable DHCP
Step 2 Adds the interface to the VLAN
# Add GE0/0/1 to VLAN 10.

# Add GE0/0/2 to VLAN 11.

Step 3 Assign IP addresses to VLANIF interfaces
# Assign an IP address to VLANIF 10.

# Allocate an IP address to VLANIF 11.

Step 4 Enable the VLANIF interface address pool
# Configure clients on VLANIF 10 to obtain IP addresses from the interface address pool.
# Configure clients on VLANIF 11 to obtain IP addresses from the interface address pool.
Step 5 Configure the DNS service and NetBIOS service for the interface address pool
# Configure the DNS service and NetBIOS service for the interface address pool on VLANIF
10.
[SwitchA-Vlanif10] dhcp server domain-name huawei.com
[SwitchA-Vlanif10] dhcp server dns-list 10.1.1.2
[SwitchA-Vlanif10] dhcp server nbns-list 10.1.1.3
[SwitchA-Vlanif10] dhcp server excluded-ip-address 10.1.1.2
[SwitchA-Vlanif10] dhcp server excluded-ip-address 10.1.1.3
[SwitchA-Vlanif10] dhcp server netbios-type b-node
Step 6 Set IP address leases of IP address pools

# Set the IP address lease of VLANIF 10 address pool to 30 days.

[SwitchA-Vlanif10] dhcp server lease day 30
# Set the IP address lease of VLANIF 11 address pool to 20 days.

[SwitchA-Vlanif11] dhcp server lease day 20

Run the display ip pool interface command on SwitchA to view interface address pool
configuration.
[SwitchA] display ip pool interface vlanif 10
Pool-name : Vlanif10
Pool-No : 0
Lease : 30 Days 0 Hours 0 Minutes
Domain-name : huawei.com
DNS-server0 : 10.1.1.2
NBNS-server0 : 10.1.1.3
Netbios-type : b-node
Position : Interface Status : Unlocked
Gateway-0 : 10.1.1.1
Mask : 255.255.255.0
VPN instance : --
-----------------------------------------------------------------------------
Start End Total Used Idle(Expired) Conflict Disable
-----------------------------------------------------------------------------
10.1.1.1 10.1.1.254 253 2 249(0) 0 2
-----------------------------------------------------------------------------
[SwitchA] display ip pool interface vlanif 11
Pool-name : Vlanif11
Pool-No : 1
Lease : 20 Days 0 Hours 0 Minutes
Domain-name : -
DNS-server0 : -
NBNS-server0 : -
Netbios-type : -
Position : Interface Status : Unlocked
Gateway-0 : 10.1.2.1
Mask : 255.255.255.0
VPN instance : --
-----------------------------------------------------------------------------
Start End Total Used Idle(Expired) Conflict Disable
-----------------------------------------------------------------------------
10.1.2.1 10.1.2.254 253 2 251(0) 0 0
-----------------------------------------------------------------------------
----End
Configuration Files
#
sysname Quidway
#
vlan batch 10 to 11
#
dhcp enable
#
interface Vlanif10
ip address 10.1.1.1 255.255.255.0
dhcp server excluded-ip-address 10.1.1.2 10.1.1.3

dhcp server lease day 30 hour 0 minute 0

dhcp server dns-list 10.1.1.2
dhcp server netbios-type b-node
dhcp server nbns-list 10.1.1.3
dhcp server domain-name huawei.com
#
interface Vlanif11
ip address 10.1.2.1 255.255.255.0
dhcp server lease day 20 hour 0 minute 0
#
#
#
return
4.3.3 Example for Configuring a DHCP Server and a DHCP Relay

Agent
When the DHCP server and clients are on different network segments, a DHCP relay agent is
required.
As shown in Figure 4-11, an enterprise has multiple offices, which are distributed in different
office buildings. The offices in different buildings belong to different VLANs. The enterprise
uses SwitchB, which functions as the DHCP server, to assign IP addresses to hosts in different
offices.
Hosts in OfficeA are on 20.20.20.0/24 and the DHCP server is on 100.10.10.0/24. By using
SwitchA enabled with DHCP relay, the DHCP clients can obtain IP addresses from the DHCP
server.
On SwitchA, the public address of VLANIF200 is 100.10.20.1/24 and the interface address of
SwitchA connected to the carrier device is 100.10.20.2/24.
On SwitchB, the public address of VLANIF300 is 100.10.10.1/24 and the interface address of
SwitchB connected to the carrier device is 100.10.10.2/24.

Figure 4-11 DHCP relay agent

SwitchB
VLANIF300
Internet DHCP Server

100.10.10.1/24
VLANIF200
100.10.20.1/24
DHCP Relay SwitchA

GE0/0/2 VLANIF100
20.20.20.1/24
DHCP DHCP DHCP

Client Client Client
VLAN100
OfficeA
1. Configure DHCP relay on SwitchA to enable SwitchA to forward DHCP messages from
different network segments.
2. Configure a global address pool at 20.20.20.0/24 to enable the DHCP server to assign IP
address to clients on different network segments.
Procedure
Step 1 Configure DHCP relay on SwitchA.
1. Create a DHCP server group and add DHCP servers to the group.
# Create a DHCP server group.

[SwitchA] dhcp server group dhcpgroup1
# Add a DHCP server to the DHCP server group.

[SwitchA-dhcp-server-group-dhcpgroup1] dhcp-server 100.10.10.1
[SwitchA-dhcp-server-group-dhcpgroup1] quit

2. Enable DHCP relay on the interface.

# Create a VLAN and add GE0/0/2 to the VLAN.
# Enable DHCP globally and DHCP relay on the interface.

[SwitchA-Vlanif100] dhcp select relay
3. Bind an interface to a DHCP server group.

# Assign IP addresses to interfaces.
Bind the interface to the DHCP server group.

[SwitchA-Vlanif100] dhcp relay server-select dhcpgroup1
Step 2 Configure a default route on SwitchA.

Step 3 Configure the DHCP server based on the global address pool on SwitchB.
# Enable DHCP.
# Configure VLANIF300 to use the global address pool.

[SwitchB] vlan 300
[SwitchB-Vlanif300] dhcp select global
Create an address pool and set the attributes of the address pool.
[SwitchB] ip pool pool1
[SwitchB-ip-pool-pool1] network 20.20.20.0 mask 24
[SwitchB-ip-pool-pool1] gateway-list 20.20.20.1
[SwitchB-ip-pool-pool1] quit
Step 4 Configure a default route on SwitchB.


# Run the display dhcp relay interface vlanif 100 command on SwitchA to view the DHCP
relay configuration on the interface.
[SwitchA] display dhcp relay interface vlanif 100
DHCP relay agent running information of interface Vlanif100 :

Server group name : dhcpgroup1

Gateway address in use : 20.20.20.1
# Run the display ip pool command on SwitchB to view the IP address pool configuration.
[SwitchB] display ip pool
-----------------------------------------------------------------------
Pool-name : pool1
Pool-No : 0
Gateway-0 : 20.20.20.1
Mask : 255.255.255.0
VPN instance : --
IP address Statistic
Total :253
Used :2 Idle :251
----End
Configuration Files
#
sysname SwitchA
#
vlan batch 100 200
#
dhcp enable
#
dhcp server group dhcpgroup1
dhcp-server 100.10.10.1 0
#
interface Vlanif100
ip address 20.20.20.1 255.255.255.0
dhcp select relay
dhcp relay server-select dhcpgroup1
#
interface Vlanif200
ip address 100.10.20.1 255.255.255.0
#
#
ip route-static 0.0.0.0 0.0.0.0 100.10.20.2
#
return

#
sysname SwitchB
#
vlan batch 300
#
dhcp enable
#
ip pool pool1
network 20.20.20.0 mask 255.255.255.0
#
interface Vlanif300
ip address 100.10.10.1 255.255.255.0
dhcp select global
#
ip route-static 0.0.0.0 0.0.0.0 100.10.10.2

#
return
4.3.4 Example for Configuring the DHCP and BOOTP Clients

As shown in Figure 4-12, SwitchA functions as a DHCP client, and SwitchB functions as a
DHCP server. SwitchA dynamically obtains an IP address, a DNS server address, and a gateway
address from SwitchB.
Figure 4-12 Networking diagram for configuring DHCP clients
Gateway
VLANIF10
192.168.1.126/24
VLANIF10 VLANIF10 VLANIF10

192.168.1.1/24 192.168.1.2/24 GigabitEthernet
0/0/1
GigabitEthernet
0/0/1
SwitchB SwitchA
DNS Server
DHCP Server DHCP Client
1. Enable the DHCP client function on SwitchA so that SwitchA can dynamically obtains an
IP address from the DHCP server.
2. Create a global address pool on SwitchB and configure related attributes.
Procedure
l Configure the DHCP client function on SwitchA
# Enable the DHCP service
# Create VLAN 10 and add GigabitEthernet0/0/1 to VLAN 10

[SwitchA] vlan 10
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 10
# Enable the DHCP client function on VLANIF 10


[SwitchA-Vlanif10] ip address dhcp-alloc
l Create a global address pool on SwitchB and configure related attributes

1. Enable the DHCP service
2. Create VLAN 10 and add GigabitEthernet0/0/1 to VLAN 10

[SwitchB] vlan 10
[SwitchB-GigabitEthernet0/0/1] port link-type trunk
[SwitchB-GigabitEthernet0/0/1] port trunk allow-pass vlan 10
3. Configure Vlanif10 to select a global address pool for IP address allocation

4. Create an address pool and configure related attributes

[SwitchB-ip-pool-pool1] dns-list 192.168.1.2
l Verify the configuration

# Run the display current-configuration command on SwitchA to view the configuration
of the DHCP client function
[SwitchA] display current-configuration
...
#
interface Vlanif 10
ip address dhcp-alloc
#
...
# After VLANIF10 obtains an IP address, run the display dhcp client command on
SwitchA to check the status of the DHCP client on VLANIF10
[SwitchA] display dhcp client
DHCP client lease information on interface
Vlanif10 :
Current machine state :
Bound
Internet address assigned via :
DHCP
Physical address :
0018-8201-0987
IP address :
192.168.1.254
Subnet mask :
255.255.255.0
Gateway ip address :
192.168.1.126
DHCP server :
192.168.1.2
Lease obtained at : 2008-11-06
02:48:09
Lease expires at : 2008-11-06
03:48:09
Lease renews at : 2008-11-06
03:18:09

Lease rebinds at : 2008-11-06

03:40:39
DNS : 192.168.1.2
# Run the display ip pool command on SwitchC. You can view the configuration about
the IP address pool of SwitchC
-----------------------------------------------------------------------
Pool-name :
pool1
Pool-No :
0
Position : Local Status :
Unlocked
Gateway-0 :
192.168.1.126
Mask :
255.255.255.0
VPN instance :
--
IP address
Statistic
Total :
253
Used :1 Idle :
252
----End
Example
#
sysname SwitchA
#
vlan batch 10
#
dhcp enable
#
interface
GigabitEthernet0/0/1
10
#
interface Vlanif10
ip address dhcp-
alloc
#
return

#
sysname SwitchB
#
vlan batch 10
#
dhcp enable
#
interface


10
#
interface Vlanif10
ip address 192.168.1.1 24
dhcp select global
#
ip pool pool1
network 192.168.1.0 mask 24
dns-list 192.168.1.2
#
return
4.3.5 Example for Configuring the BOOTP Clients

As shown in Figure 4-13, SwitchA functions as a BOOTP client, and SwitchB functions as a
DHCP server. SwitchA obtains an IP address from an IP-MAC binding entry, a DNS server
address, and a gateway address from SwitchB functioning as a DHCP server.
Figure 4-13 Networking diagram for configuring DHCP clients
Gateway
VLANIF10
192.168.1.126/24

192.168.1.1/24 192.168.1.2/24 GigabitEthernet
0/0/1
GigabitEthernet
0/0/1
SwitchB SwitchA
DNS Server
DHCP Server BOOTP Client
1. Enable the DHCP client function on SwitchA so that SwitchA can dynamically obtains an
IP address from the DHCP server.
2. Create a global address pool on SwitchB and configure related attributes.
Procedure
l Configure the DHCP client function on SwitchA
# Enable the DHCP service.


# Create VLAN 10 and add GigabitEthernet0/0/1 to VLAN 10

[SwitchA] vlan 10
[SwitchA-Vlan10] quit
# Enable the DHCP client function on VLANIF interface

[SwitchA] vlan 10
[SwitchA-Vlanif10] ip address dhcp-alloc
l Create a global address pool on SwitchB and configure related attributes

1. Enable the DHCP service.
[SwitchB] dhcp server bootp
[SwitchB] dhcp server bootp automatic
2. Create VLAN 10 and add GigabitEthernet0/0/1 to VLAN 10

[SwitchB] vlan 10
[SwitchB-Vlan10] quit
3. Configure VLANIF10 to select a global address pool for IP address allocation

4. Create an address pool and configure related attributes

[SwitchB-ip-pool-pool1] dns-list 192.168.1.2
l Verify the configuration.

# Run the display current-configuration command on SwitchA. You can view the
configurations of the DHCP client function
[SwitchA] display current-configuration
...
#
interface Vlanif 10
ip address dhcp-alloc
#
...
# After VLANIF10 obtains an IP address, run the display dhcp client command on
SwitchA to check the status of the DHCP client on VLANIF10
[SwitchA] display dhcp client
BOOTP client lease information on interface
Vlanif10 :
Current machine state :
Bound

Internet address assigned via :

BOOTP
Physical address :
0018-8201-0987
IP address :
192.168.1.254
Subnet mask :
255.255.255.0
Gateway ip address :
192.168.1.126
Lease obtained at : 2008-11-06
23:04:47
DNS : 192.168.1.2
# Run the display ip pool command on SwitchB. You can view the configuration about
the IP address pool of SwitchB
-----------------------------------------------------------------------
Pool-name :
pool1
Pool-No :
0
Position : Local Status :
Unlocked
Gateway-0 :
192.168.1.126
Mask :
255.255.255.0
VPN instance :
--
-----------------------------------------------------------------------
IP address
Statistic
Total :
253
Used :1 Idle :
252
----End
Example
#
sysname SwitchA
#
vlan batch 10
#
dhcp enable
#
interface
10
#
interface Vlanif10
ip address bootp-
alloc
#
return
Configuration file of Switch B

#
sysname SwitchB
#
vlan batch 10
#
dhcp enable
#
dhcp server bootp
dhcp server bootp automatic
#
interface
10
#
interface Vlanif10
ip address 192.168.1.1 24
dhcp select global
#
ip pool pool1
network 192.168.1.0 mask 24
dns-list 192.168.1.2
#
return
4.4 DHCP Policy VLAN Configuration

On a network supporting VLAN assignment based on IP subnets, after the Dynamic Host
Configuration Protocol (DHCP) policy VLAN is configured on a switch, a new host can
communicate with the DHCP server using DHCP packets.
4.4.1 Example for Configuring the DHCP Policy VLAN
As shown in Figure 4-14, an enterprise deploys multiple branch networks for departments.
SwitchA functions as the DHCP server. Hosts in Department A and Department B connect to
SwitchA through SwitchB and SwitchC respectively. Departments are assigned to VLANs based
on IP subnets. HostA and HostB in Department A and all hosts in Department B access the
network for the first time. HostA with the MAC address 0018-1111-2123 wants to obtain an IP
address on the network segment 10.1.1.1/28 and join VLAN 10, and HostB connecting to
GE0/0/3 on SwitchB wants to obtain an IP address on the network segment 10.2.2.1/28 and join
VLAN 30. All hosts in DepartmentB including HostC and HostD wants to obtain IP addresses
on the network segment 10.3.3.1/28 and join VLAN 50. To meet the preceding requirements,
configure the DHCP policy VLAN on switches.

Figure 4-14 Networking diagram for configuring the DHCP policy VLAN
DHCP Server
SwitchA
VLANIF10: 10.1.1.1/28 VLANIF50: 10.3.3.1/28
VLANIF30: 10.2.2.1/28
GE0/0/1 GE0/0/2
GE0/0/1 GE0/0/1
SwitchB SwitchC
GE0/0/2 GE0/0/3 GE0/0/2 GE0/0/3
DHCP Client DHCP Client
HostA HostB HostC HostD

VLAN 10 VLAN 30 VLAN 50 VLAN 50
MAC:0018-1111-2123
Department A Department B
1. Configure an interface address pool on SwitchA to assign IP addresses on different network
segments to hosts in different departments.
2. Configure IP subnet-based VLAN assignment on SwitchB and SwitchC interfaces
connecting to hosts so that hosts are added to VLANs.
3. Configure the MAC address-based DHCP policy VLAN on SwitchB so that HostA can
obtain an IP address on the network segment 10.1.1.1/28 based on its MAC address.
4. Configure the interface-based DHCP policy VLAN on SwitchB so that HostB connecting
to GE0/0/3 on SwitchB can obtain an IP address on the network segment 10.2.2.1/28.
5. Configure the generic DHCP policy VLAN on SwitchC so that all hosts in Department B
can obtain IP addresses on the network segment 10.3.3.1/28.
Configuration Procedure
1. Configure an interface address pool on SwitchA.
# Create VLANs on SwitchA and configure IP addresses for VLANIF interfaces.
[SwitchA] vlan batch 10 30 50

# Enable the VLANIF interface address pools on SwitchA.

# Add interfaces on SwitchA to VLANs.

[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 10 30
2. Configure IP subnet-based VLAN assignment on SwitchB and SwitchC interfaces

connecting to hosts.
# Configure IP subnet-based VLAN assignment on GE0/0/2 and GE0/0/3 on SwitchB.
Configure the two interfaces as hybrid interfaces and VLAN packets to pass the interfaces
in untagged mode.
[SwitchB-GigabitEthernet0/0/1] port trunk allow-pass vlan 10 30
[SwitchB-GigabitEthernet0/0/2] ip-subnet-vlan enable
[SwitchB-GigabitEthernet0/0/2] port hybrid untagged vlan 10
[SwitchB-GigabitEthernet0/0/3] ip-subnet-vlan enable
# Configure IP subnet-based VLAN assignment on GE0/0/2 and GE0/0/3 on SwitchC.

Configure the two interfaces as hybrid interfaces and VLAN packets to pass the interfaces
in untagged mode.
[SwitchC] dhcp enable
[SwitchC] vlan batch 50
[SwitchC-GigabitEthernet0/0/1] port link-type trunk
[SwitchC-GigabitEthernet0/0/1] port trunk allow-pass vlan 50
[SwitchC-GigabitEthernet0/0/2] ip-subnet-vlan enable
[SwitchC-GigabitEthernet0/0/2] port hybrid untagged vlan 50

[SwitchC-GigabitEthernet0/0/3] ip-subnet-vlan enable

3. Configure the MAC address-based DHCP policy VLAN on SwitchB so that HostA can
obtain an IP address on the network segment 10.1.1.1/28 based on its MAC address.
[SwitchB] vlan 10
[SwitchB-vlan10] ip-subnet-vlan ip 10.1.1.1 28
[SwitchB-vlan10] dhcp policy-vlan mac-address 0018-1111-2123
4. Configure the interface-based DHCP policy VLAN on SwitchB so that HostB connecting
to GE0/0/3 on SwitchB can obtain an IP address on the network segment 10.2.2.1/28.
[SwitchB] vlan 30
[SwitchB-vlan30] ip-subnet-vlan ip 10.2.2.1 28
[SwitchB-vlan30] dhcp policy-vlan port gigabitethernet 0/0/3
5. Configure the generic DHCP policy VLAN on SwitchC so that all hosts in Department B
can obtain IP addresses on the network segment 10.3.3.1/28.
[SwitchC] vlan 50
[SwitchC-vlan50] ip-subnet-vlan ip 10.3.3.1 28
[SwitchC-vlan50] dhcp policy-vlan generic
6. Verify the configuration.

# After HostA obtains the IP address 10.1.1.14/28, check the address allocation of VLANIF
10 address pool on SwitchA and ping HostA from SwitchA. The ping succeeds.
[SwitchA] display ip pool interface vlanif10
Pool-name :
Vlanif10
Pool-No :
0
Lease : 1 Days 0 Hours 0

Minutes
Domain-name :
-
DNS-server0 :
-
NBNS-server0 :
-
Netbios-type :
-
Position : Interface Status :

Unlocked
Gateway-0 :
10.1.1.1
Mask :
255.255.255.240
VPN instance :
--
-----------------------------------------------------------------------------
Start End Total Used Idle(Expired) Conflict

Disable

-----------------------------------------------------------------------------
10.1.1.1 10.1.1.14 13 1 12(0) 0

0
-----------------------------------------------------------------------------

PING 10.1.1.14: 56 data bytes, press CTRL_C to
break
Reply from 10.1.1.14: bytes=56 Sequence=1 ttl=254 time=1
ms
ms
ms
ms
ms
--- 10.1.1.14 ping statistics

---
5 packet(s)
transmitted
5 packet(s)
received
0.00% packet
loss
round-trip min/avg/max = 1/1/1

ms
# After HostB obtains the IP address 10.2.2.14/28, check the address allocation of VLANIF
30 address pool on SwitchA and ping HostB from SwitchA. The ping succeeds.
Pool-name :
Vlanif30
Pool-No :
1

Minutes
Domain-name :
-
DNS-server0 :
-
NBNS-server0 :
-
Netbios-type :
-

Unlocked
Gateway-0 :
10.2.2.1

Mask :
255.255.255.240
VPN instance :
--
-----------------------------------------------------------------------------

Disable
-----------------------------------------------------------------------------
10.2.2.1 10.2.2.14 13 1 12(0) 0

0
-----------------------------------------------------------------------------

break
ms
ms
ms
ms
ms

---
5 packet(s)
transmitted
5 packet(s)
received
0.00% packet
loss

ms
# After HostC and HostD obtain IP addresses 10.3.3.14/28 and 10.3.3.13/28, check the
address allocation of VLANIF 50 address pool on SwitchA and ping HostC and HostD
from SwitchA respectively. The ping operations succeed.
Pool-name :
Vlanif50
Pool-No :
2

Minutes
Domain-name :
-
DNS-server0 :

NBNS-server0 :
-
Netbios-type :
-

Unlocked
Gateway-0 :
10.3.3.1
Mask :
255.255.255.240
VPN instance :
--
-----------------------------------------------------------------------------

Disable
-----------------------------------------------------------------------------
10.3.3.1 10.3.3.14 13 2 11(0) 0

0
-----------------------------------------------------------------------------

break
ms
ms
ms
ms
ms

---
5 packet(s)
transmitted
5 packet(s)
received
0.00% packet
loss

ms

break
ms


ms
ms
ms
ms

---
5 packet(s)
transmitted
5 packet(s)
received
0.00% packet
loss

ms
Configuration Files
#
sysname SwitchA
#
vlan batch 10 30 50
#
dhcp enable
#
interface Vlanif10
ip address 10.1.1.1 255.255.255.240
#
interface Vlanif30
ip address 10.2.2.1 255.255.255.240
#
interface Vlanif50
ip address 10.3.3.1 255.255.255.240
#
#
#
return

#
sysname SwitchB
#
vlan batch 10 30
#
dhcp enable
#
vlan 10

ip-subnet-vlan 1 ip 10.1.1.1 255.255.255.240

dhcp policy-vlan mac-address 0018-1111-2123
vlan 30
ip-subnet-vlan 1 ip 10.2.2.1 255.255.255.240
dhcp policy-vlan port GigabitEthernet 0/0/3
#
#
#
#
return

#
sysname SwitchC
#
vlan batch 50
#
dhcp enable
#
vlan 50
ip-subnet-vlan 1 ip 10.3.3.1 255.255.255.240
dhcp policy-vlan generic
#
#
#
#
return
4.5 DHCPv6 Configuration

This section describes how to configure the DHCPv6 function. Currently, the switch can function
as the DHCPv6 relay on the IPv6 network.
4.5.1 Example for Configuring a DHCPv6 Server
If a large number of IPv6 addresses need to be manually configured, the workload on
configuration will be huge, and the manually configured addresses have poor manageability.
The administrator requires that IPv6 addresses and network configuration parameters be
obtained automatically to facilitate centralized management and hierarchical IPv6 network
deployment.

Figure 4-15 Networking diagram for configuring the DHCPv6 server
VLANIF100 Switch A
3000::1/64
GE0/0/1
DHCPv6 Client DHCPv6 Server
1. Enable IPv6 functions on the interface so that devices can communicate using IPv6.
2. Enable the DHCPv6 PD Server function so that devices can obtain IPv6 address prefixes
using DHCPv6.
Procedure
Step 1 Enable the DHCPv6 service
[Quidway] sysname Switch A
[Switch A] dhcp enable
Step 2 Configure the ipv6 function on interfaces

[Switch A] ipv6
[Switch A] vlan 100
[Switch A-vlan100] quit
[Switch A] interface gigabitethernet 0/0/1
[Switch A-GigabitEthernet0/0/1] port link-type access
[Switch A-GigabitEthernet0/0/1] port default vlan 100
[Switch A-GigabitEthernet0/0/1] quit
[Switch A] interface vlanif 100
[Switch A-Vlanif100] ipv6 enable
[Switch A-Vlanif100] ipv6 address 3000::1/64
[Switch A-Vlanif100] quit
Step 3 Configure a DHCPv6 server

[Switch A] dhcpv6 pool pool1
[Switch A-dhcpv6-pool-pool1] address prefix 3000::2/64
[Switch A-dhcpv6-pool-pool1] dns-server 4000::1
[Switch A-dhcpv6-pool-pool1] quit
Step 4 Enable the DHCPv6 server function on the interface

# Enable the DHCPv6 server function on Vlanif100.

[Switch A-Vlanif100] dhcpv6 server pool1

Run the display dhcpv6 pool command on the switch to check information about the DHCPv6
address pool.
<Switch A> display dhcpv6 pool
DHCPv6 pool: pool1
Address prefix: 3000::/64
lifetime valid 172800 seconds, preferred 86400 seconds

0 in use, 0 conflicts
Information refresh time: 86400
DNS server address: 4000::1
Conflict-address expire-time: 172800
Active normal clients: 0
Run the display dhcpv6 server command on the switch to check information about the DHCPv6
server.
<Switch A> display dhcpv6 server
Interface DHCPv6 pool
Vlanif100 pool1
----End
Configuration File
#
sysname Switch A
#
ipv6
#
vlan batch 100
#
dhcp enable
#
dhcpv6 pool pool1
address prefix 3000::2/64
dns-server 4000::1
#
port default vlan
100
#
interface Vlanif100
ipv6 enable
ipv6 address 3000::1/64
dhcpv6 server pool1
#
return
4.5.2 Example for Configuring a DHCPv6 PD Server

As shown in Figure 4-16, RouterB and SwitchA are directly connected and on the same link.
RouterB cannot communicate with other devices because it has no IPv6 address and other
network configuration parameters. The Switch A needs to be configured as a DHCPv6 PD server
to assign IPv6 addresses and other network configuration parameters to DHCPv6 clients. This
facilitates centralized management and layered IPv6 network deployment.

Figure 4-16 Networking diagram of configuring the DHCPv6 PD server

IPv6 HostC
Router B VLANIF100 Switch A

GE0/0/1 3000::1/64
GE0/0/1
DHCPv6 PD Client
DHCPv6 PD Server
IPv6 HostA IPv6 HostB
1. Enable IPv6 on interfaces so that devices can communicate using IPv6.
2. Enable the DHCPv6 PD server function so that DHCPv6 PD server can assign IPv6
addresses using DHCPv6.
Procedure
[Quidway] sysname Switch A
[Switch A] dhcp enable
Step 2 Configure IPv6 functions on interfaces

[Switch A] ipv6
[Switch A] vlan 100
[Switch A-vlan100] quit
[Switch A] interface gigabitethernet 0/0/1
[Switch A-GigabitEthernet0/0/1] port link-type access
[Switch A-GigabitEthernet0/0/1] port default vlan 100
[Switch A-GigabitEthernet0/0/1] quit
[Switch A-Vlanif100] ipv6 enable
[Switch A-Vlanif100] ipv6 address 3000::1/64
Step 3 Configure a DHCPv6 PD server

[Switch A] dhcpv6 pool pool1
[Switch A-dhcpv6-pool-pool1] prefix-delegation 3000::/60 64
[Switch A-dhcpv6-pool-pool1] dns-server 4000::1
[Switch A-dhcpv6-pool-pool1] quit
Step 4 Enable the DHCPv6 PD server function on an interface

# Enable the DHCPv6 PD server function on VLANIF 100.

[Switch A-Vlanif100] dhcpv6 server pool1

Run the display dhcpv6 pool command on the switch to check information about the DHCPv6
address pool.
<Switch A> display dhcpv6 pool
DHCPv6 pool: pool1
Prefix delegation: 3000::/60 64
lifetime valid 172800 seconds, preferred 86400 seconds
0 in use
Information refresh time: 86400
DNS server address: 4000::1
Conflict-address expire-time: 172800
Active pd clients: 0
Run the display dhcpv6 server command on the switch to check information about the DHCPv6
PD server.
<Switch A> display dhcpv6 server
Interface DHCPv6 pool
Vlanif100 pool1
----End
Configuration File
#
sysname Switch A
#
ipv6
#
vlan batch 100
#
dhcp enable
#
dhcpv6 pool pool1
prefix-delegation 3000::/60 64
dns-server 4000::1
#
port default vlan
100
#
interface Vlanif100
ipv6 enable
dhcpv6 server pool1
#
return
4.5.3 Example for Configuring a DHCPv6 Relay Agent
As shown in Figure 4-17, the DHCPv6 client address is 2000::/64 and the DHCPv6 server
address is 3000::3/64. The DHCPv6 client and server are on different links; therefore, a DHCPv6
relay agent is required to forward DHCPv6 packets.
The Switch needs to function as the DHCPv6 relay agent to forward DHCPv6 packets between
the DHCPv6 client and server. In addition, the Switch functions as the gateway device of the

network at 2000::/64. The M flag bit and O flag bit in RA messages allow hosts on the network
to obtain IPv6 addresses and other network configuration parameters through DHCPv6.
Figure 4-17 Networking diagram of configuring a DHCPv6 relay agent

DHCPv6 client DHCPv6 client
GE0/0/1 GE0/0/2
VLANIF10 Switch VLANIF20
2000::1/64 3000::1/64
DHCPv6 relay agent 3000::3/64

DHCPv6 server
DHCPv6 client DHCPv6 client
1. Enable IPv6 on interfaces so that devices can communicate using IPv6.
2. Enable the DHCPv6 relay function so that the DHCPv6 server and client on different links
can transmit packets.
Procedure
[Quidway] dhcp enable
Step 2 Adding interfaces to VLANs

# Add GigabitEthernet0/0/1 to VLAN 10.
# Add GigabitEthernet0/0/2 to VLAN 20.

Step 3 Assign IPv6 addresses to VLANIF interfaces

# Enable the IPv6 packet forwarding function.
[Quidway] ipv6
# Assign an IPv6 address to VLANIF 10.

[Quidway-Vlanif10] ipv6 enable

[Quidway-Vlanif10] ipv6 address 2000::1 64

# Assign an IPv6 address to VLANIF 20.

[Quidway-Vlanif20] ipv6 address 3000::1 64
Step 4 Enable the DHCPv6 relay function

# Enable the DHCPv6 relay function on VLANIF 10 and specify the IPv6 address of the DHCPv6
server.
[Quidway-Vlanif10] dhcpv6 relay destination 3000::3
Step 5 Configure the Switch as the gateway

# Configure the Switch to send RA messages and configure M and O flag bits.
[Quidway-Vlanif10] undo ipv6 nd ra halt
[Quidway-Vlanif10] ipv6 nd autoconfig managed-address-flag
[Quidway-Vlanif10] ipv6 nd autoconfig other-flag

Run the display dhcpv6 relay command on the Switch, and you can view the DHCPv6 relay
configuration.
[Quidway] display dhcpv6 relay
Interface Mode Destination
------------------------------------------------------------------
Vlanif10 Relay 3000::3
------------------------------------------------------------------
Run the display dhcpv6 relay statistics command on the Switch, and you can view statistics
about DHCPv6 packets passing through the DHCPv6 relay agent.
[Quidway] display dhcpv6 relay statistics
MessageType Receive Send Error
Solicit 0 0 0
Advertise 0 0 0
Request 0 0 0
Confirm 0 0 0
Renew 0 0 0
Rebind 0 0 0
Reply 0 0 0
Release 0 0 0
Decline 0 0 0
Reconfigure 0 0 0
Information-request 0 0 0
Relay-forward 0 0 0
Relay-reply 0 0 0
UnknownType 0 0 0
----End
Configuration File
#
sysname Quidway
#
vlan batch 10 20

#
ipv6
#
dhcp enable
#
interface Vlanif10
ipv6 enable
undo ipv6 nd ra halt
ipv6 nd autoconfig managed-address-flag
ipv6 nd autoconfig other-flag
dhcpv6 relay destination 3000::3
#
interface Vlanif20
ipv6 enable
#
#
#
return
4.6 IP Performance Configuration

You can optimize IP performance by adjusting parameters on the network.
4.6.1 Example for Configuring ICMP Redirection Packets
In Figure 4-18, SwitchA, SwitchB, and SwitchC are connected to the Internet through GE
interfaces. When SwitchB detects that SwitchA uses a non-optimal route, it sends an ICMP
redirection packet to SwitchA, requesting SwitchA to change the route. To prevent SwitchB
from sending ICMP packets, the function of sending ICMP redirection packets is required to be
disabled. Ping SwitchB from SwitchA to check whether SwitchB is disabled from sending ICMP
redirection packets.

Figure 4-18 Network diagram for configuring ICMP redirection packets

SwitchA
GE0/0/1
VLANIF100
1.1.1.1/24
Internet
GE0/0/1 GE0/0/1
VLANIF100 VLANIF100
2.2.2.2/24 1.1.1.2/24
SwitchC SwitchB
Disable the function of sending ICMP redirection packets on VLANIF100 on SwithB. Ping
SwitchB from SwitchA. SwitchB does not send ICMP redirection packets.
Procedure
Step 1 Configure an IP address for the VLANIF interface.
[SwitchA] vlan 100
[SwitchA-Vlan100] quit
[SwitchA-GigabitEthernet0/0/1] port hybrid tagged vlan 100
[SwitchB] vlan 100
[SwitchB-Vlan100] quit
[SwitchB-GigabitEthernet0/0/1] port hybrid tagged vlan 100

[SwitchC] vlan 100
[SwitchC-Vlan100] quit
[SwitchC-GigabitEthernet0/0/1] port hybrid tagged vlan 100

Step 3 Disable the function of sending ICMP redirection packets on VLANIF100 on SwitchB.
[SwitchB-Vlanif100] undo icmp redirect send

# Enable ICMP packet debugging on SwitchB.
<SwitchB> debugging ip icmp
<SwitchA> terminal monitor
<SwitchA> terminal debugging
# Ping SwitchB from SwitchA. SwitchB does not send ICMP redirection packets. There is no
information about ICMP redirection packets in the debugging command output.

0.00% packet loss
----End
Configuration Files
#
sysname SwitchA
#
vlan batch 100
#
interface Vlanif100
ip address 1.1.1.1 255.255.255.0
#
#

ip route-static 2.2.2.0 255.255.255.0 1.1.1.2

#
return

#
sysname SwitchB
#
vlan batch 100
#
interface Vlanif100
ip address 1.1.1.2 255.255.255.0
undo icmp redirect send
#
#
ip route-static 2.2.2.0 255.255.255.0 1.1.1.1
#
return
l Configuration of SwitchC
#
sysname SwitchC
#
vlan batch 100
#
interface Vlanif100
ip address 2.2.2.2 255.255.255.0
#
#
return
4.6.2 Example for Configuring ICMP Host Unreachable Packets
In Figure 4-19, SwitchA, SwitchB, and SwitchC are connected to each other through GE
interfaces. To check the sending of ICMP host unreachable packets.
Figure 4-19 Network diagram for configuring ICMP host unreachable packets
GE0/0/2 GE0/0/2
VLANIF11 VLANIF11
2.2.2.2/24 2.2.2.1/24
SwitchB
SwitchC GE0/0/1
VLANIF10
1.1.1.2/24
GE0/0/1
VLANIF10
1.1.1.1/24
SwitchA

Disable the function of sending ICMP host unreachable packets on SwitchB. Ping 2.2.2.2 on
SwitchA. SwitchA can not receive ICMP host unreachable packets sent from SwitchB.
NOTE
By default, the function of sending ICMP host unreachable packets is enabled in both the system and the
interface view. If the configuration is not modified, you do not need to use a command to enable the function
of sending ICMP host unreachable packets.
Procedure
# Configure an IP address for VLANIF 10.
[SwitchA] vlan 10
[SwitchA-GigabitEthernet0/0/1] port hybrid tagged vlan 10
# Configure static routes on SwitchA.

[SwitchA] ip route-static 2.2.2.0 24 1.1.1.2

# Configure an IP address for VLANIF 10 on SwitchB and disable the function of sending ICMP
host unreachable packets.
[SwitchB] undo icmp host-unreachable send
[SwitchB] vlan 10
[SwitchB] vlan 11
[SwitchB-Vlanif11] undo icmp host-unreachable send

# Configure an IP address for VLANIF 11 on SwitchC.
[SwitchC] vlan 11

[SwitchC-GigabitEthernet0/0/2] port hybrid tagged vlan 11
# Configure static routes on SwitchC.

[SwitchC] ip route-static 1.1.1.0 24 2.2.2.1

# Enable ICMP packet debugging on SwitchA.
<SwitchA> debugging ip icmp
# Ping 2.2.2.2 on SwitchA.

0.00% packet loss
# Run the display icmp statistics, If you can view that the statistics of destination
unreachable is 0, it proved that SwitchB does not send the host unreachable packets, it means
that the configuration succeeds.
<SwitchA> display icmp statistics
Input: bad format 0 bad checksum 0
echo 0 destination unreachable 0
source quench 0 redirects 0
echo reply 0 parameter problem 0
timestamp 0 information request 0
mask requests 0 mask replies 0
time exceeded 0 other 0
Mping request 0 Mping reply 0
Output: echo 0 destination unreachable 0
source quench 0 redirects 0
echo reply 0 parameter problem 0
timestamp 0 information reply 0
mask requests 0 mask replies 0
time exceeded 0
Mping request 0 Mping reply 0
----End
Configuration Files
#
sysname SwitchA
#
vlan batch 10
#
interface Vlanif 10
ip address 1.1.1.1 255.255.255.0

#
#
ip route-static 2.2.2.0 255.255.255.0 1.1.1.2
#
return

#
sysname SwitchB
#
vlan batch 10 to 11
#
#
interface Vlanif 10
ip address 1.1.1.2 255.255.255.0
#
interface Vlanif 11
ip address 2.2.2.1 255.255.255.0
#
#
#
return
l Configuration of SwitchC
#
sysname SwitchC
#
vlan batch 11
#
interface Vlanif 11
ip address 2.2.2.2 255.255.255.0
#
#
ip route-static 1.1.1.0 24 2.2.2.1
#
return
4.6.3 Example for Optimizing System Performance by Discarding

Certain ICMP Packets
The switch in Figure 4-20 functions as the aggregation device. Enterprise users, individual users,
and DSLAMs are attached to the switch and the switch is connected to the Internet through a
BRAS. When a large amount of information is exchanged on the network or the network is
attacked, lots of ICMP packets are forwarded and the network performance is degraded. In this
case, some ICMP packets are required to be discarded to reduce the burden on the switch.

Figure 4-20 Networking diagram for configuring ICMP security function
Internet
BRAS
Swtich
DSLAM
User
network
Enterprise Individual
user user
Configure the function of discarding ICMP packets whose TTL value is 1, ICMP packets that
carry options, and ICMP destination unreachable packets to reduce the burden of the device in
processing a large number of ICMP packets.
Procedure
Step 1 Configure the device to discard certain ICMP packets.
# Configure the device to discard ICMP packets whose TTL value is 1.
[Quidway] icmp ttl-exceeded drop all
# Configure the device to discard ICMP packets that carry options.

[Quidway] icmp with-options drop all
# Configure the device to discard ICMP packets whose destination addresses are unreachable.
[Quidway] icmp unreachable drop

# Run the display this command in the system view to view the ICMP security configurations.
[Quidway] display this
#

icmp unreachable drop

icmp ttl-exceeded drop slot 0
icmp with-options drop slot 0
----End
Configuration Files
#
sysname Quidway
#
icmp unreachable drop
icmp ttl-exceeded drop slot 0
icmp with-options drop slot 0
#
return
4.7 DNS Configuration

This chapter describes the principles, basic functions and configuration procedures of DNS on
the switch, and provides configuration examples.
4.7.1 Example for Configuring the DNS Client
Compared with an IP address, the URL is easy to remember. Users want to access network
servers using domain names. It is required that the DNS server can resolve a domain name after
a user enters some fields of the domain name. For example, when a user attempts to access the
host huawei.com, the user only needs to enter huawei. It is required that the DNS server can
fast resolve common domain names.
Figure 4-21 Networking diagram for configuring the DNS client

Host B Host C
Loopback0 Loopback0
4.1.1.1/32 4.1.1.2/32
GE0/0/1 GE0/0/2
VLANIF 101 SwitchB SwitchC
VLANIF 101
1.1.1.2/16 3.1.1.1/16
GE0/0/1 GE0/0/1
DNS Client GE0/0/2 VLANIF 100
VLANIF 101 VLANIF 100 DNS Server
SwitchA 2.1.1.1/16 2.1.1.2/16
1.1.1.1/16 3.1.1.2/16
huawei.com
2.1.1.3/16

1. Configure static DNS entries on Switch A to access HostB and HostC.
2. Configure the dynamic DNS resolution on SwitchA to access the network server.
3. Configure the domain name suffix on SwitchA to support a domain name suffix list.
4. Configure OSPF on switches to ensure routes among all devices are reachable.
Procedure
[SwitchA] vlan 101
# Configure OSPF.
[SwitchA] ospf
# Configure static DNS entries.

[SwitchA] ip host hostB 4.1.1.1
[SwitchA] ip host hostC 4.1.1.2
# Enable DNS resolution.

[SwitchA] dns resolve
# Configure an IP address for the DNS server.

[SwitchA] dns server 3.1.1.2
# Set the domain name suffix to ".net".

[SwitchA] dns domain net
# Set the domain name suffix to ".com".

[SwitchA] dns domain com
NOTE
You need to configure OSPF on SwitchB and SwitchC to ensure reachable routes between them. For details
about OSPF configurations on SwitchB and SwitchC, see the configuration files.

# Run the ping hostB command on SwitchA. You can see that the ping operation succeeds and
the destination IP address is 4.1.1.1.

<SwitchA> ping hostB

PING hostB (4.1.1.1): 56 data bytes, press CTRL_C to break
--- hostB ping statistics ---

0.00% packet loss
# Run the ping huawei.com command on SwitchA. You can see that the ping operation succeeds
and the destination IP address is 2.1.1.3.
<SwitchA> ping huawei.com
PING huawei.com (2.1.1.3): 56 data bytes, press CTRL_C to break
--- huawei.com ping statistics ---

0.00% packet loss
# Run the ping huawei command on SwitchA. You can see that the ping operation succeeds,
the domain name changes to huawei.com, and the destination IP address is 2.1.1.3.
<SwitchA> ping huawei
PING huawei.com (2.1.1.3): 56 data bytes, press CTRL_C to break

0.00% packet loss
Run the display ip host command on SwitchA. You can view mappings between host names
and IP addresses in static DNS entries.
<SwitchA> display ip host
Host Age Flags Address
hostB 0 static 4.1.1.1
hostC 0 static 4.1.1.2
# Run the display dns dynamic-host command on SwitchA. You can view information about
dynamic DNS entries saved in the cache.
<SwitchA> display dns dynamic-host
No Domain-name IpAddress TTL Alias
1 huawei.com 2.1.1.3 114
----End

Configuration File
#
sysname SwitchA
#
vlan batch 101
#
ip host hostB 4.1.1.1
ip host hostC 4.1.1.2
#
dns resolve
dns server 3.1.1.2
dns domain net
dns domain com
#
interface Vlanif101
ip address 1.1.1.2 255.255.0.0
#
#
ospf 1
area 0.0.0.0
network 1.1.0.0 0.0.255.255
#
return

#
sysname SwitchB
#
vlan batch 100 101
#
interface LoopBack0
ip address 4.1.1.1 255.255.255.255
#
interface Vlanif101
ip address 1.1.1.1 255.255.0.0
#
interface Vlanif100
ip address 2.1.1.1 255.255.0.0
#
#
#
ospf 1
area 0.0.0.0
network 1.1.0.0 0.0.255.255
network 2.1.0.0 0.0.255.255
network 4.1.1.1 0.0.0.0
#
return
Configuration file of SwitchC

#
sysname SwitchC
#
vlan batch 100 101
#

interface LoopBack0
ip address 4.1.1.2 255.255.255.255
#
interface Vlanif101
ip address 3.1.1.1 255.255.0.0
#
interface Vlanif100
ip address 2.1.1.2 255.255.0.0
#
#
#
ospf 1
area 0.0.0.0
network 2.1.0.0 0.0.255.255
network 3.1.0.0 0.0.255.255
network 4.1.1.2 0.0.0.0
#
return
4.8 Basic IPv6 Configurations

The IPv6 protocol stack supports routing protocols and application protocols on an IPv6 network.
4.8.1 Example for Configuring IPv6 Addresses for Interfaces
As shown in Figure 4-22, GE0/0/1 of SwitchA connects to GE0/0/1 of SwitchB. The two
interfaces correspond to their VLANIF interfaces (VLANIF 100). You need to configure IPv6
global unicast addresses for the VLANIF interfaces and check the Layer 3 interconnection
between the interfaces.
IPv6 global unicast addresses for the VLANIF interfaces are 3001::1/64 and 3001::2/64.
Figure 4-22 Networking diagram for configuring IPv6 addresses for interfaces
SwitchA SwitchB
GE0/0/1 GE0/0/1
VLANIF100 VLANIF100
3001::1/64 3001::2/64
1. Enable the IPv6 forwarding function on switches.

2. Configure IPv6 global unicast addresses for the interfaces.
Procedure
Step 1 Enable the IPv6 forwarding function on switches.
[SwitchA] ipv6
[SwitchB] ipv6
Step 2 Configure global unicast addresses for interfaces.

[SwitchA] vlan 100
[SwitchA-Vlanif100] ipv6 enable
[SwitchA-Vlanif100] ipv6 address 3001::1/64
[SwitchB] vlan 100
[SwitchB-GigabitEthernet0/0/1] port hybrid pvid vlan 100
[SwitchB-Vlanif100] ipv6 enable
[SwitchB-Vlanif100] ipv6 address 3001::2/64

If the preceding configurations are successful, you can view the configured global unicast
addresses. The interface status and the IPv6 protocol are Up.
# Check interface information on SwitchA.
[SwitchA] display ipv6 interface vlanif 100
Vlanif100 current state : UP
IPv6 protocol current state : UP
IPv6 is enabled, link-local address is FE80::218:20FF:FE00:83
Global unicast address(es):
3001::1, subnet is 3001::/64
Joined group address(es):
FF02::1:FF00:1
FF02::1:FF00:83
FF02::2
FF02::1
MTU is 1500 bytes
ND DAD is enabled, number of DAD attempts: 1
ND reachable time is 30000 milliseconds

ND retransmit interval is 1000 milliseconds

Hosts use stateless autoconfig for addresses
# Check interface information on SwitchB.

[SwitchB] display ipv6 interface vlanif 100
Vlanif100 current state : UP
IPv6 is enabled, link-local address is FE80::2E0:FCFF:FE33:11
3001::2, subnet is 3001::/64
FF02::1:FF00:2
FF02::1:FF33:11
FF02::2
FF02::1
MTU is 1500 bytes
ND DAD is enabled, number of DAD attempts: 1
# Ping the link-local address of SwitchB from SwitchA. You need to use the parameter -i to
specify the interface of the link-local address.
[SwitchA] ping ipv6 FE80::2E0:FCFF:FE33:11 -i vlanif 100
PING FE80::2E0:FCFF:FE33:11 : 56 data bytes, press CTRL_C to break
Reply from FE80::2E0:FCFF:FE33:11
bytes=56 Sequence=1 hop limit=64 time = 7 ms
--- FE80::2E0:FCFF:FE33:11 ping statistics ---

0.00% packet loss
# Ping the IPv6 global unicast address of SwitchB from SwitchA.

[SwitchA] ping ipv6 3001::2
PING 3001::2 : 56 data bytes, press CTRL_C to break
Reply from 3001::2
Reply from 3001::2
Reply from 3001::2
Reply from 3001::2
Reply from 3001::2
--- 3001::2 ping statistics ---

0.00% packet loss
----End

Configuration File
#
sysname SwitchA
#
ipv6
#
vlan batch 100
#
interface Vlanif100
ipv6 enable
#
#
return

#
sysname SwitchB
#
ipv6
#
vlan batch 100
#
interface Vlanif100
ipv6 enable
#
#
return
4.9 IPv6 DNS configuration

This section describes how to configure IPv6 DNS so that devices can use domain names to
communicate.
4.9.1 Example for Configuring IPv6 DNS Client
As shown in Figure 4-23, SwitchA, functioning as the IPv6 DNS client and working jointly
with IPv6 DNS server, can access the host with the IPv6 address as 2002::1/64 based on the
domain name huawei.com.
On SwitchA, the static IPv6 DNS entries of SwitchB and SwitchC are configured. This ensures
that SwitchA can manage both the devices based on the domain names SwitchB and SwitchC.

Figure 4-23 Networking diagram of IPv6 DNS configurations

Loopback0 Loopback0
4.1.1.1/32 4.1.1.2/32
GE0/0/1
GE0/0/1
VLANIF101 SwitchB SwitchC
VLANIF101
2001::1/64 2003::1/64
GE0/0/2 GE0/0/2
GE0/0/1 VLANIF100
DNS client VLANIF101 VLANIF100 DNS server
2002::2/64 2002::3/64
SwitchA 2001::2/64 2003::2/64
huawei.com
2002::1/64
1. Configure static DNS entries on SwitchA to access SwitchB and SwitchC using the domain
name.
2. Configure dynamic DNS resolution on SwithcA to enable SwitchA to access the web server
by querying dynamic DNS entries.
3. Configure domain name suffixes on SwitchA so that SwitchA can filter domain names
using the domain name suffix list.
4. Configure OSPF on the switches to ensure reachable routes between them.
Procedure
# Configure IPv6 function.
[SwitchA] ipv6
# Configure static IPv6 DNS entries.

[SwitchA] ipv6 host SwitchB 2001::2
[SwitchA] ipv6 host SwitchC 2002::3
# Enable the DNS resolution function.

# Configure the IPv6 address of the IPv6 DNS server.

[SwitchA] dns server ipv6 2003::2
# Set the domain name suffix to ".net".

[SwitchA] dns domain net
# Set the domain name suffix to ".com".

[SwitchA] dns domain com
[SwitchA] quit
NOTE
To resolve the domain name, you also need to configure the route from Switch A to the IPv6 DNS server.
For details of how to configure the route, see Configuration example of IP static route in the
S2300&S3300 Series Ethernet Switches Configuration Guide: IP Routing.

# Run the ping ipv6 huawei.com command on Switch A. You can find that the Ping operation
succeeds, and the destination IPv6 address is 2002::1.
<SwitchA> ping ipv6 huawei.com
Resolved Host ( huawei.com -> 2002::1)
PING huawei.com : 56 data bytes, press CTRL_C to break
Reply from 2002::1: bytes=56 Sequence=1 ttl=126 time=6 ms

0.00% packet loss
# Run the display ipv6 host command on SwitchA. You can view the mapping relationships
between the host names and the IPv6 addresses in IPv6 static DNS entries.
<SwitchA> display ipv6 host
Host Age Flags IPv6Address (es)
SwitchB 0 static 2001::2
SwitchC 0 static 2002::3
Run the display dns ipv6 dynamic-host command on SwitchA. You can view information about
IPv6 dynamic DNS entries in the dynamic cache.
<SwitchA> display dns ipv6 dynamic-host
No Domain-name Ipv6address TTL
1 huawei.com 2002::1 3579
NOTE
TTL in the command output indicates the life time of the entry, in seconds.
----End
Configuration Files
l #
sysname SwitchA
#
vlan batch 101
#
ipv6
#

ipv6 host SwitchB 2001::2

ipv6 host SwitchC 2002::3
#
dns resolve
dns server ipv6 2003::2
dns domain net
dns domain com
#
#
interface Vlanif101
ipv6 enable
#
return

#
sysname SwitchB
#
#
ipv6
#
#
#
interface Vlanif100
ipv6 enable
#
interface Vlanif101
ipv6 enable
#
return

#
sysname SwitchC
#
#
ipv6
#
#
#
interface Vlanif100
ipv6 enable
#
interface Vlanif101
ipv6 enable
#
return

4.10 IPv6 over IPv4 Tunnel Configuration

IPv6 over IPv4 tunnel technology enables transition from the IPv4 network to the IPv6 network.
4.10.1 Example for Configuring an Automatic IPv6 over IPv4

Tunnel
As shown in Figure 4-24, two IPv6 networks connect to an IPv4 backbone network through
SwitchA and SwitchB respectively. An automatic IPv6 over IPv4 tunnel needs to be set up
between SwitchA and SwitchB so that devices on the two IPv6 networks can communicate.
Figure 4-24 Networking diagram for configuring an automatic IPv6 over IPv4 tunnel
IPv4
Dual Dual
Stack Stack
VLANIF100 VLANIF100
SwitchA SwitchB
2.1.1.1/8 2.1.1.2/8
Tunnel0/0/1 Tunnel0/0/1
IPv6 ::2.1.1.1/96 ::2.1.1.2/96 IPv6
1. Configure IP addresses for physical interfaces so that devices can communicate on the IPv4
backbone network.
2. Configure IPv6 addresses and source interfaces for tunnel interfaces so that devices can
communicate with hosts on the two IPv6 networks.
3. Set the tunnel protocol to automatic so that hosts on the two IPv6 networks can
communicate through the IPv4 network.
Procedure
# Enable the service loopback function on an Eth-Trunk.

CAUTION
The interface must be idle. That is, the interface does not transmit services.
[Quidway] interface eth-trunk 1
[Quidway-Eth-Trunk1] service type tunnel
[Quidway-Eth-Trunk1] quit
[Quidway-GigabitEthernet0/0/3] eth-trunk 1
# Configure an IPv4/IPv6 dual stack.

[SwitchA] ipv6
# Configure an automatic IPv6 over IPv4 tunnel.

[SwitchA-Tunnel0/0/1] tunnel-protocol ipv6-ipv4 auto-tunnel
[SwitchA-Tunnel0/0/1] eth-trunk 1
[SwitchA-Tunnel0/0/1] ipv6 enable
[SwitchA-Tunnel0/0/1] ipv6 address ::2.1.1.1/96
[SwitchA-Tunnel0/0/1] source vlanif 100

CAUTION

[SwitchB] ipv6
[SwitchB-Vlanif100] ip address 2.1.1.2 255.0.0.0
# Configure an automatic IPv6 over IPv4 tunnel.

[SwitchB] interface tunnel 0/0/1
[SwitchB-Tunnel0/0/1] tunnel-protocol ipv6-ipv4 auto-tunnel
[SwitchB-Tunnel0/0/1] eth-trunk 1
[SwitchB-Tunnel0/0/1] ipv6 enable

[SwitchB-Tunnel0/0/1] ipv6 address ::2.1.1.2/96

[SwitchB-Tunnel0/0/1] source vlanif 100
[SwitchB-Tunnel0/0/1] quit

# View the IPv6 status of tunnel0/0/1 on SwitchA. You can see that the tunnel status is Up.
[SwitchA] display ipv6 interface tunnel 0/0/1
Tunnel0/0/1 current state : UP
IPv6 is enabled, link-local address is FE80::201:101 [TENTATIVE]
::2.1.1.1, subnet is ::/96 [TENTATIVE]
FF02::1:FF01:101
FF02::2
FF02::1
MTU is 1500 bytes
# Ping the IPv6 address of the peer device that is compatible with the IPv4 address from
SwitchA. The IPv6 address is pinged successfully.
[SwitchA] ping ipv6 ::2.1.1.2
PING ::2.1.1.2 : 56 data bytes, press CTRL_C to break
Reply from ::2.1.1.2
--- ::2.1.1.2 ping statistics ---
0.00% packet loss
----End
Configuration Files
#
sysname SwitchA
#
ipv6
#
interface vlanif100
ip address 2.1.1.1 255.0.0.0
#
service type tunnel
#
eth-trunk 1
#
interface Tunnel 0/0/1
eth-trunk 1
ipv6 enable
ipv6 address ::2.1.1.1/96
tunnel-protocol ipv6-ipv4 auto-tunnel

source vlanif100
#
return

#
sysname SwitchB
#
ipv6
#
interface vlanif100
ip address 2.1.1.2 255.0.0.0
#
service type tunnel
#
eth-trunk 1
#
interface Tunnel 0/0/1
eth-trunk 1
ipv6 enable
ipv6 address ::2.1.1.2/96
tunnel-protocol ipv6-ipv4 auto-tunnel
source vlanif100
#
return
4.10.2 Example for Configuring a Manual IPv6 over IPv4 Tunnel
As shown in Figure 4-25, two IPv6 networks connect to SwitchB on an IPv4 backbone network
respectively through SwitchA and SwitchC. A manual IPv6 over IPv4 tunnel needs to be set up
between SwitchA and SwitchC so that hosts on the two IPv6 networks can communicate.
Figure 4-25 Networking diagram for configuring a manual IPv6 over IPv4 tunnel
IPv4
network
GE0/0/1 GE0/0/2
VLANIF100 VLANIF200
192.168.50.1/24 192.168.51.1/24
GE0/0/1 GE0/0/1
VLANIF100 VLANIF200
192.168.50.2/24 SwitchB 192.168.51.2/24
Dual Dual
IPv6 IPv6
stack stack
SwitchA SwitchC

1. Configure IP addresses for interfaces so that devices can communicate on the IPv4
backbone network.
2. Configure IPv6 addresses, source interfaces, and destination addresses for tunnel interfaces
so that devices can communicate with hosts on the two IPv6 networks.
3. Set the tunnel protocol to IPv6-IPv4 so that hosts on the two IPv6 networks can
communicate through the IPv4 backbone network.
Procedure
CAUTION
# Configure an IP address for an interface.

[SwitchA] ipv6
[SwitchA] vlan 100
[SwitchA-Ethernet0/0/1] port hybrid pvid vlan 100
# Set the tunnel protocol to IPv6-IPv4.

[SwitchA-Tunnel0/0/1] tunnel-protocol ipv6-ipv4
# Configure an IPv6 address and a destination address for the tunnel interface.
[SwitchA-Tunnel0/0/1] ipv6 address 3001::1 64
[SwitchA-Tunnel0/0/1] destination 192.168.51.2
# Configure a static route.


# Configure IP addresses for interfaces.

[SwitchB] ipv6
[SwitchB] vlan 100
[SwitchB] vlan 200

CAUTION
# Configure an IP address for an interface.

[SwitchC] ipv6
[SwitchC] vlan 200
[SwitchC] interface gigabitethernet0/0/1
[SwitchC-GigabitEthernet0/0/1] port hybrid pvid vlan 200
[SwitchC-Vlanif200] ip address 192.168.51.2 255.255.255.0
# Set the tunnel protocol to IPv6-IPv4.

[SwitchC] interface tunnel 0/0/1
[SwitchC-Tunnel0/0/1] tunnel-protocol ipv6-ipv4
[SwitchC-Tunnel0/0/1] eth-trunk 1
# Configure an IPv6 address and a destination address for the tunnel interface.
[SwitchC-Tunnel0/0/1] ipv6 enable
[SwitchC-Tunnel0/0/1] ipv6 address 3001::2 64
[SwitchC-Tunnel0/0/1] source vlanif 200
[SwitchC-Tunnel0/0/1] destination 192.168.50.2
[SwitchC-Tunnel0/0/1] quit

# Configure a static route.


# Ping the IPv4 address of VLANIF 100 on SwitchA from SwitchC. SwitchC can receive a
Reply packet from SwitchA.
[SwitchC] ping 192.168.50.2
--- 192.168.50.2 ping statistics ---

0.00% packet loss
# Ping the IPv6 address of Tunnel0/0/1 on SwitchA from SwitchC. SwitchC can receive a Reply
packet from SwitchA.
[SwitchC] ping ipv6 3001::1
Reply from 3001::1
Reply from 3001::1
Reply from 3001::1
Reply from 3001::1
Reply from 3001::1
0.00% packet loss
----End
Configuration Files
#
sysname SwitchA
#
ipv6
#
vlan batch 100
#
interface Vlanif100
ip address 192.168.50.2 255.255.255.0
#
service type tunnel
#
#
eth-trunk 1

#
ipv6 enable
tunnel-protocol ipv6-ipv4
source Vlanif100
eth-trunk 1
#
ip route-static 192.168.51.0 255.255.255.0 192.168.50.1
#
return

#
sysname SwitchB
#
ipv6
#
vlan batch 100 200
#
interface Vlanif100
ip address 192.168.50.1 255.255.255.0
#
interface Vlanif200
ip address 192.168.51.1 255.255.255.0
#
#
#
return

#
sysname SwitchC
#
ipv6
#
vlan batch 200
#
interface Vlanif200
ip address 192.168.51.2 255.255.255.0
#
service type tunnel
#
#
eth-trunk 1
#
ipv6 enable
tunnel-protocol ipv6-ipv4
source Vlanif200
eth-trunk 1
#
ip route-static 192.168.50.0 255.255.255.0 192.168.51.1
#
return

4.10.3 Example for Configuring a 6to4 Tunnel
As shown in Figure 4-26, the IPv6 network-side interface of 6to4 SwitchA connects to a 6to4
network. SwitchB is a 6to4 relay agent and connects to the IPv6 Internet (2002::/64). SwitchA
and SwitchB are connected through an IPv4 backbone network. A 6to4 tunnel needs to be set
up between SwitchA and SwitchB so that hosts on the 6to4 network and the IPv6 network can
communicate.
Figure 4-26 Networking diagram for configuring a 6to4 tunnel
IPv4
GE0/0/1 GE0/0/1
VLANIF100 VLANIF100
2.1.1.1 2.1.1.2
SwitchA SwitchB
GE0/0/2 GE0/0/2
VLANIF200 VLANIF200
2002:201:101:1::1/64 2002:201:102:1::1/64
Tunnel0/0/1 Tunnel0/0/1
2002:201:101::1/64 2002:201:102::1/64
PC1 2002:201:101:1::2 2002:201:102:1::2 PC2

IPv6 IPv6
1. Configure an IPv4/IPv6 dual stack on switches so that they can access the IPv4 network
and the IPv6 network.
2. Configure a 6to4 tunnel on switches to connect IPv6 networks through the IPv4 backbone
network.
3. Configure a static route between SwitchA and SwitchB so that they can be connected
through the IPv4 backbone network.
Procedure

CAUTION

[SwitchA] ipv6
[SwitchA-Vlanif200] ipv6 address 2002:0201:0101:1::1/64
# Configure a 6to4 tunnel.

[SwitchA-Tunnel0/0/1] tunnel-protocol ipv6-ipv4 6to4
[SwitchA-Tunnel0/0/1] ipv6 address 2002:0201:0101::1/64
# Configure a route to the other 6to4 network.

[SwitchA] ipv6 route-static 2002:: 16 tunnel 0/0/1
CAUTION


[SwitchB] ipv6
[SwitchB] interface gigabitethernet0/0/1
[SwitchB] interface gigabitethernet0/0/2
[SwitchB-Vlanif200] ipv6 address 2002:0201:0102:1::1/64
# Configure a 6to4 tunnel.

[SwitchB] interface tunnel 0/0/1
[SwitchB-Tunnel0/0/1] eth-trunk 1
[SwitchB-Tunnel0/0/1] tunnel-protocol ipv6-ipv4 6to4
[SwitchB-Tunnel0/0/1] ipv6 enable
[SwitchB-Tunnel0/0/1] ipv6 address 2002:0201:0102::1/64
[SwitchB-Tunnel0/0/1] source vlanif 100
[SwitchB-Tunnel0/0/1] quit
# Configure a route to the other 6to4 network.

[SwitchB] ipv6 route-static 2002:: 16 tunnel 0/0/1
NOTE
There must be a reachable route between SwitchA and SwitchB. In this example, a routing protocol needs
to be configured on VLANIF 100 of SwitchA and SwitchB. For details, see the S2300&S3300 Series
Ethernet Switches Configuration Guide - IP Routing

# Check the IPv6 status of Tunnel0/0/1 on SwitchA. You can see that the tunnel status is Up.
[SwitchA] display ipv6 interface tunnel 0/0/1
IPv6 is enabled, link-local address is FE80::201:101
2002:201:101::1, subnet is 2002:201:101::/64
FF02::1:FF01:101
FF02::1:FF00:1
FF02::2
FF02::1
MTU is 1500 bytes
# Ping the 6to4 address of VLANIF200 on SwitchB from SwitchA. The 6to4 address can be
pinged successfully.
[SwitchA] ping ipv6 2002:0201:0102:1::1
PING 2002:0201:0102:1::1 : 56 data bytes, press CTRL_C to break

Reply from 2002:201:102:1::1

Reply from 2002:201:102:1::1
Reply from 2002:201:102:1::1
Reply from 2002:201:102:1::1
Reply from 2002:201:102:1::1
--- 2002:0201:0102:1::1 ping statistics ---

0.00% packet loss
----End
Configuration Files
#
sysname SwitchA
#
ipv6
#
vlan batch 100 200
#
interface Vlanif100
ip address 2.1.1.1 255.0.0.0
#
interface Vlanif200
ipv6 enable
ipv6 address 2002:201:101:1::1/64
#
service type tunnel
#
#
#
eth-trunk 1
#
ipv6 enable
ipv6 address 2002:201:101::1/64
tunnel-protocol ipv6-ipv4 6to4
source vlanif100
eth-trunk 1
#
ipv6 route-static 2002:: 16 Tunnel0/0/1
#
return

#
sysname SwitchB
#
ipv6
#
vlan batch 100 200

#
interface Vlanif100
ip address 2.1.1.2 255.0.0.0
#
interface Vlanif200
ipv6 enable
ipv6 address 2002:201:102:1::1/64
#
service type tunnel
#
#
#
eth-trunk 1
#
ipv6 enable
ipv6 address 2002:201:102::1/64
tunnel-protocol ipv6-ipv4 6to4
source vlanif100
eth-trunk 1
#
ipv6 route-static 2002:: 16 Tunnel0/0/1
#
return
4.10.4 Example for Configuring an ISATAP Tunnel
As shown in Figure 4-27, an IPv6 host on the IPv4 network runs Windows XP. The IPv6 host
needs to be connected to the IPv6 network through a border device. The IPv6 host and border
device support ISATAP. An ISATAP tunnel needs to be set up between the IPv6 host and the
border device.
Figure 4-27 Networking diagram for configuring an ISATAP tunnel
ISATAP
IPv6 IPv4
network network
IPv6 host Switch

ISATAP host
3001::2 GE0/0/1 GE0/0/2
VLANIF200 FE80::5EFE:0201:0102
VLANIF100 2.1.1.2
3001::1/64 2.1.1.1/8 2001::5EFE:0201:0102

1. Configure an IPv4/IPv6 dual stack on the switch so that the switch can access the IPv4
network and IPv6 network.
2. Configure an ISATAP tunnel on the switch so that IPv6 hosts on the IPv4 network can
communicate with IPv6 hosts on the IPv6 network.
3. Configure a static route from the IPv6 host to the ISATAP host so that the IPv6 host can
forward packets directly over the tunnel.
Procedure
Step 1 Configure the ISATAP border device.
CAUTION
# Enable the IPv4/IPv6 dual stack and configure an IP address for each interface.
[Quidway] ipv6
[Quidway-Vlanif100] ipv6 address 3001::1/64
# Configure an ISATAP tunnel.

[Quidway] interface tunnel 0/0/2
[Quidway-Tunnel0/0/2] tunnel-protocol ipv6-ipv4 isatap
[Quidway-Tunnel0/0/2] eth-trunk 1
[Quidway-Tunnel0/0/2] ipv6 enable
[Quidway-Tunnel0/0/2] ipv6 address 2001::/64 eui-64
[Quidway-Tunnel0/0/2] source vlanif 200
[Quidway-Tunnel0/0/2] undo ipv6 nd ra halt
[Quidway-Tunnel0/0/2] quit
Step 2 Configure the ISATAP host.

NOTE
The ISATAP host needs to run IPv6 and be enabled with the IPv6 function.

# Run the following command to add a static route to the border device. The number of the
pseudo interface on the host is 2. You can run the ipv6 if command to check the interface
corresponding to Automatic Tunneling Pseudo-Interface.
C:\> netsh interface ipv6 isatap set router 2.1.1.1
Step 3 Configure the IPv6 host.

# Configure a static route to the border device on the IPv6 host so that PCs on two different
networks can communicate through the ISATAP tunnel.
C:\> netsh interface ipv6 set route 2001::/64 3001::1

# Check the IPv6 status of Tunnel0/0/2 on the ISATAP device. You can see that the tunnel status
is Up.
[Quidway] display ipv6 interface tunnel 0/0/2
IPv6 is enabled, link-local address is FE80::5EFE:201:101
2001::5EFE:201:101, subnet is 2001::/64
FF02::1:FF01:101
FF02::2
FF02::1
MTU is 1500 bytes
ND advertised reachable time is 0 milliseconds
ND advertised retransmit interval is 0 milliseconds
ND router advertisement max interval 600 seconds, min interval 200 seconds
ND router advertisements live for 1800 seconds
# Ping the global unicast address of the tunnel interface on the ISATAP host from the ISATAP
device.
[Quidway] ping ipv6 2001::5efe:2.1.1.2
PING 2001::5efe:2.1.1.2 : 56 data bytes, press CTRL_C to break
Reply from 2001::5EFE:201:102
--- 2001::5efe:2.1.1.2 ping statistics ---

0.00% packet loss
# Ping the global unicast address of the ISATAP device from the ISATAP host.
C:\> ping6 2001::5efe:2.1.1.1
Pinging 2001::5efe:2.1.1.1
from 2001::5efe:2.1.1.2 with 32 bytes of data:
Reply from 2001::5efe:2.1.1.1: bytes=32 time=1ms



Ping statistics for 2001::5efe:2.1.1.1:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 1ms, Maximum = 1ms, Average = 1ms
# Ping the IPv6 host from the ISATAP host. They can ping each other.
C:\> ping6 3001::2
Pinging 3001::2 with 32 bytes of data:
Reply from 3001::2: time<1ms

Ping statistics for 3001::2:

Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms
----End
Configuration Files
#
sysname Quidway
#
vlan batch 100 200
#
ipv6
#
interface Vlanif100
ipv6 enable
#
interface Vlanif200
ip address 2.1.1.1 255.0.0.0
#
service type tunnel
#
ipv6 enable
ipv6 address 2001::/64 eui-64
undo ipv6 nd ra halt
tunnel-protocol ipv6-ipv4 isatap
source Vlanif200
eth-trunk 1
#
#
#
eth-trunk 1
#
return

Typical Configuration Examples 5 Configuration Guide - IP Routing
5 Configuration Guide - IP Routing
About This Chapter
This document describes the IP routing features of the device and provides the configuration
procedures and configuration examples of these features.
5.1 Static Route Configuration

Static routes apply to simple networks. Proper static routes can improve network performance
and ensure bandwidth for important applications.
5.2 RIP Configuration
RIP is widely used on small-sized networks to discover routes and generate routing information.
5.3 RIPng Configuration
RIPng is widely used on small-sized networks to discover routes and generate routing
information.
5.4 OSPF Configuration
By building OSPF networks, you can enable OSPF to discover and calculate routes in ASs.
OSPF is applicable to a large-scale network that consists of hundreds of devices.
5.5 OSPFv3 Configuration
By building Open Shortest Path First Version 3 (OSPFv3) networks, you can enable OSPFv3
to discover and calculate routes in ASs. OSPFv3 is applicable to a large-scale network that
consists of hundreds of switches.
5.6 IPv4 IS-IS Configuration
You can build an IPv4 IS-IS network to allow IS-IS to discover and calculate routes in an
autonomous system (AS).
5.7 BGP Configuration
The Border Gateway Protocol (BGP) is used between Autonomous Systems (ASs) to transmit
routing information. BGP applies to large and complex networks.
5.8 Routing Policy Configuration
Routing policies are applied to routing information to change the path through which network
traffic passes.
5.9 MCE Configuration
Generally, one CE device connects to only one VPN. If multiple VPNs are deployed on a
customer network, multiple CE devices are required. A multi-VPN-instance CE (MCE) device

can connect to multiple VPNs. The MCE solution isolates services of different VPNs while
reducing cost of network devices.

5.1 Static Route Configuration

Static routes apply to simple networks. Proper static routes can improve network performance
and ensure bandwidth for important applications.
5.1.1 Example for Configuring IPv4 Static Routes

As shown in Figure 5-1, hosts on different network segments are connected using several
Switchs. Each two hosts on different network segments can communicate with each other
without using dynamic routing protocols.
Figure 5-1 Networking diagram of configuring IPv4 static routes

PC2
1.1.2.2/24
Eth0/0/3
VLANIF40
1.1.2.1/24
Eth0/0/1 Eth0/0/2
VLANIF10 VLANIF20
1.1.4.2/30 1.1.4.5/30
SwitchB
SwitchA SwitchC
Eth0/0/1 Eth0/0/1
VLANIF10 VLANIF20
1.1.4.1/30 1.1.4.6/30
Eth0/0/2 Eth0/0/2
VLANIF30 VLANIF50
1.1.1.1/24 1.1.3.1/24
PC1 PC3
1.1.1.2/24 1.1.3.2/24
1. Create VLANs, add interfaces to the VLANs, and assign IPv4 addresses to VLANIF
interfaces so that neighboring devices can communicate with each other.
2. Configure the IPv4 default gateway on each host, and configure IPv4 static routes or default
static routes on each Switch so that hosts on different network segments can communicate
with each other.
Procedure


The configurations of SwitchB and SwitchC are similar to the configuration of SwitchA, and
Step 2 Assign IPv4 addresses to the VLANIF interfaces.
Step 3 Configure hosts.
Set the default gateway addresses of PC1, PC2, and PC3 to 1.1.1.1, 1.1.2.1, and 1.1.3.1
respectively.
# Configure a default IPv4 route on SwitchA.
# Configure two IPv4 static routes on SwitchB.

# Configure a default IPv4 route on SwitchC.


# Check the routing table on SwitchA.
[SwitchA] display ip routing-table
------------------------------------------------------------------------------
0.0.0.0/0 Static 60 0 RD 1.1.4.2 Vlanif10

1.1.1.0/24 Direct 0 0 D 1.1.1.1 Vlanif30
1.1.1.1/32 Direct 0 0 D 127.0.0.1 InLoopBack0
1.1.4.0/30 Direct 0 0 D 1.1.4.1 Vlanif10
# Run the ping command to verify the connectivity.




0.00% packet loss
# Run the tracert command to verify the connectivity.

[SwitchA] tracert 1.1.3.1
traceroute to 1.1.3.1(1.1.3.1), max hops: 30 ,packet length: 40
1 1.1.4.2 31 ms 32 ms 31 ms
2 1.1.4.6 62 ms 63 ms 62 ms
----End
Configuration Files
#
sysname SwitchA
#
vlan batch 10 30
#
interface Vlanif10
ip address 1.1.4.1 255.255.255.252
#
interface Vlanif30
ip address 1.1.1.1 255.255.255.0
#
#
#
ip route-static 0.0.0.0 0.0.0.0 1.1.4.2
#
return

#
sysname SwitchB
#
vlan batch 10 20 40
#
interface Vlanif10
ip address 1.1.4.2 255.255.255.252
#
interface Vlanif20
ip address 1.1.4.5 255.255.255.252
#
interface Vlanif40
ip address 1.1.2.1 255.255.255.0
#
#
#


#
ip route-static 1.1.1.0 255.255.255.0 1.1.4.1
ip route-static 1.1.3.0 255.255.255.0 1.1.4.6
#
return

#
sysname SwitchC
#
vlan batch 20 50
#
interface Vlanif20
ip address 1.1.4.6 255.255.255.252
#
interface Vlanif50
ip address 1.1.3.1 255.255.255.0
#
#
#
ip route-static 0.0.0.0 0.0.0.0 1.1.4.5
#
return
5.1.2 Example for Configuring IPv6 Static Routes

Networking requirements
As shown in Figure 5-2, on an IPv6 network, hosts on different network segments are connected
using several Switchs. Each two hosts on different network segments can communicate with
each other without using dynamic routing protocols.
Figure 5-2 Networking diagram of configuring IPv6 static routes

PC2
2::2/64
Eth0/0/3
VLANIF30
Eth0/0/1 2::1/64 Eth0/0/2
VLANIF20 VLANIF40
FE80::218:20FF:FE00:80 FE80::218:20FF:FE00:83
SwitchA SwitchB
Eth0/0/1 SwitchC
Eth0/0/1 VLANIF40
VLANIF20 FE80::218:20FF:FE00:82
FE80::218:20FF:FE00:81
Eth0/0/2 Eth0/0/2
VLANIF10 VLANIF50
1::1/64 3::1/64
PC1 PC3
1::2/64 3::2/64

1. Create VLANs, add interfaces to the VLANs, and assign IPv6 addresses to VLANIF
interfaces so that neighboring devices can communicate with each other.
2. Configure the IPv6 default gateway on each host, and configure IPv6 static routes or default
static routes on each Switch so that hosts on different network segments can communicate
with each other.
Procedure
Step 1 Add interfaces to VLANs.
[SwitchA] interface ethernet0/0/2
[SwitchA] ipv6
[SwitchA-Vlanif20] ipv6 address auto link-local
NOTE
Run the display ipv6 interface brief command to check the automatically generated IPv6 address on the
interface.
Step 3 Configure host addresses and default gateway addresses.

Assign IPv6 addresses to the hosts, and set the default gateway address of PC1, PC2, and PC3
to 1::1, 2::1, and 3::1 respectively.
Step 4 Configure static IPv6 routes.
# Configure a default IPv6 route on SwitchA.
[SwitchA] ipv6 route-static :: 0 vlanif20 FE80::218:20FF:FE00:80
# Configure two IPv6 static routes on SwitchB.

[SwitchB] ipv6 route-static 1:: 64 vlanif20 FE80::218:20FF:FE00:81
[SwitchB] ipv6 route-static 3:: 64 vlanif40 FE80::218:20FF:FE00:82
# Configure an IPv6 default route on SwitchC.

[SwitchC] ipv6 route-static :: 0 vlanif40 FE80::218:20FF:FE00:83
# Check the IPv6 routing table on SwitchA.

[SwitchA] display ipv6 routing-table
Routing Table : Public
Destination : :: PrefixLength : 0
NextHop : FE80::218:20FF:FE00:80 Preference : 60
Cost : 0 Protocol : Static
RelayNextHop : :: TunnelID : 0x0
Interface : Vlanif20 Flags : D
Destination : ::1 PrefixLength : 128

NextHop : ::1 Preference : 0
Cost : 0 Protocol : Direct
Interface : InLoopBack0 Flags : D
Destination : 1:: PrefixLength : 64

NextHop : 1::1 Preference : 0
Interface : Vlanif10 Flags : D
Destination : 1::1 PrefixLength : 128

NextHop : ::1 Preference : 0
Interface : InLoopBack0 Flags : D
Destination : FE80:: PrefixLength : 10

NextHop : :: Preference : 0
Interface : NULL0 Flags : D
# Run the ping command to verify the connectivity.

[SwitchA] ping ipv6 3::1
Reply from 3::1
Reply from 3::1
Reply from 3::1
Reply from 3::1
Reply from 3::1

0.00% packet loss
# Run the tracert command to verify the connectivity.

[SwitchA] tracert ipv6 3::1
traceroute to 3::1 30 hops max,60 bytes packet
1 2::1 31 ms 32 ms 31 ms
2 3::1 62 ms 63 ms 62 ms
----End

Configuration Files
#
sysname SwitchA
#
ipv6
#
vlan batch 10 20
#
interface Vlanif10
ipv6 enable
#
interface Vlanif20
ipv6 enable
ipv6 address auto link-local
#
#
#
ipv6 route-static :: 0 vlanif20 FE80::218:20FF:FE00:80
#
return

#
sysname SwitchB
#
ipv6
#
vlan batch 20 30 40
#
interface Vlanif20
ipv6 enable
#
interface Vlanif30
ipv6 enable
#
interface Vlanif40
ipv6 enable
#
#
#
#
ipv6 route-static 1:: 64 Vlanif20 FE80::218:20FF:FE00:81
ipv6 route-static 3:: 64 Vlanif40 FE80::218:20FF:FE00:82
#
return

#
sysname SwitchC
#
ipv6
#
vlan batch 40 50
#
interface Vlanif40
ipv6 enable
#
interface Vlanif50
ipv6 enable
#
#
#
ipv6 route-static :: 0 Vlanif40 FE80::218:20FF:FE00:83
#
return
5.1.3 Example for Configuring Static BFD for IPv4 Static Routes
As shown in Figure 5-3, SwitchA is connected to the network management system (NMS)
through SwitchB. You need to configure static routes on SwitchA so that SwitchA can
communicate with the NMS. Link fault detection between SwitchA and SwitchB must be at the
millisecond level to improve convergence speed.
Figure 5-3 Networking diagram of configuring static BFD for IPv4 static routes
Eth0/0/1 Eth0/0/2
VLANIF10 VLANIF20
1.1.1.1/24 2.2.2.2/24
Eth0/0/1 2.2.2.1/24
SwitchA VLANIF10 SwitchB NMS
1.1.1.2/24
1. Configure a BFD session between SwitchA and SwitchB to implement link fault detection
at the millisecond level.
2. Configure a static route from SwitchA to the NMS and bind a BFD session to the static
route. This configuration can implement link fault detection at the millisecond level and
improve convergence speed of static routes.

Procedure
Step 1 Add interfaces to the VLANs.
[SwitchA] vlan 10
The configurations of SwitchB are similar to the configuration of SwitchA, and are not
mentioned here.
Step 2 Assign IP addresses to the VLANIF interfaces.
The configuration of SwitchB is similar to the configuration of SwitchA, and is not mentioned
here.
Step 3 Configure a BFD session between SwitchA and SwitchB.
# Create a BFD session on SwitchA.
[SwitchA] bfd
[SwitchA-bfd] quit
[SwitchA] bfd aa bind peer-ip 1.1.1.2
[SwitchA-bfd-session-aa] discriminator local 10
[SwitchA-bfd-session-aa] discriminator remote 20
[SwitchA-bfd-session-aa] commit
[SwitchA-bfd-session-aa] quit
# Create a BFD session on SwitchB.

[SwitchB] bfd
[SwitchB-bfd] quit
[SwitchB] bfd bb bind peer-ip 1.1.1.1
[SwitchB-bfd-session-bb] discriminator local 20
[SwitchB-bfd-session-bb] discriminator remote 10
[SwitchB-bfd-session-bb] commit
[SwitchB-bfd-session-bb] quit
Step 4 Configure a static route and bind the route to the BFD session.
# Configure a default static route to the external network on SwitchA and bind the static route
to the BFD session named aa.
[SwitchA]ip route-static 2.2.2.0 24 1.1.1.2 track bfd-session aa

# After the configuration is complete, run the display bfd session all command on SwitchA and
SwitchB. You can view that the BFD session is established and its status is Up.
Take the display on SwitchA as an example.
[SwitchA] display bfd session all
--------------------------------------------------------------------------------
Local Remote PeerIpAddr State Type InterfaceName
--------------------------------------------------------------------------------
10 20 1.1.1.2 Up S_IP_PEER -
--------------------------------------------------------------------------------
Total UP/DOWN Session Number : 1/0

# Check the IP routing table on SwitchA, and you can find that the static route exists in the
routing table.
------------------------------------------------------------------------------
1.1.1.0/24 Direct 0 0 D 1.1.1.1 Vlanif10

2.2.2.0/24 Static 60 0 RD 1.1.1.2 Vlanif10
# Run the shutdown command on Eth 0/0/1 of SwitchB to simulate a link fault.
[SwitchB-Ethernet0/0/1] shutdown
# Check the routing table on SwitchA, and you can find that default route 2.2.2.0/24 does not
exist. The reason is that the default static route is bound to a BFD session, and BFD immediately
notifies that the bound static route is unavailable when a fault is detected.
[SwitchA]display ip routing-table
------------------------------------------------------------------------------

# Run the undo shutdown command on Eth0/0/1 of SwitchB to simulate link recovery.
[SwitchB-Ethernet0/0/1]undo shutdown
# Check the routing table on SwitchA, and you can find default route 2.2.2.0/24 in the routing
table. After detecting link recovery, BFD immediately notifies that the bound static route is
reachable.
------------------------------------------------------------------------------
1.1.1.0/24 Direct 0 0 D 1.1.1.1 Vlanif10

2.2.2.0/24 Static 60 0 RD 1.1.1.2 Vlanif10
----End
Configuration Files
#
sysname SwitchA
#

vlan batch 10
#
bfd
#
interface Vlanif10
ip address 1.1.1.1 255.255.255.0
#
#
bfd aa bind peer-ip 1.1.1.2
discriminator local 10
discriminator remote 20
commit
#
ip route-static 2.2.2.0 255.255.255.0 1.1.1.2 track bfd-session aa
#
return

#
sysname SwitchB
#
vlan batch 10 20
#
bfd
#
interface Vlanif10
ip address 1.1.1.2 255.255.255.0
#
interface Vlanif20
ip address 2.2.2.2 255.255.255.0
#
#
#
bfd bb bind peer-ip 1.1.1.1
commit
#
return
5.2 RIP Configuration

RIP is widely used on small-sized networks to discover routes and generate routing information.
5.2.1 Example for Configuring Basic RIP Functions

As shown in Figure 5-4, SwitchA, SwitchB, SwitchC, and SwitchD are located on a small-sized
network, and they need to communicate with each other.

Figure 5-4 Networking diagram for configuring the RIP version

SwitchC
Eth0/0/2
VLANIF20
172.16.1.2/24
Eth0/0/2
Eth0/0/1 VLANIF20 Eth0/0/3
VLANIF10 172.16.1.1/24 VLANIF30
192.168.1.1/24 10.1.1.2/24
Eth0/0/1 Eth0/0/3
SwitchA VLANIF10 SwitchB VLANIF30 SwitchD
192.168.1.2/24 10.1.1.1/24
The network size is small, so RIP-2 is recommended. The configuration roadmap is as follows:
1. Configure VLAN and IP address for each interface to ensure network reachability.
2. Enable RIP on each switch to implement network connections between processes.
3. Configure RIP-2 on each switch to improve RIP performance.
Procedure
Step 1 Configure VLANs that the related interfaces belong to.
[SwitchA] vlan 10
The configurations of Switch B, Switch C, and Switch D are similar to the configuration of
Switch A, and are not mentioned here.
Step 2 Configure an IP address to each VLANIF interface.
Step 3 Configure the basic RIP functions.
# Configure Switch A.
[SwitchA] rip
[SwitchA-rip-1] network 192.168.1.0
[SwitchA-rip-1] quit

# Configure Switch B.
[SwitchB] rip
[SwitchB-rip-1] network 192.168.1.0
[SwitchB-rip-1] quit
# Configure Switch C.
[SwitchC] rip
[SwitchC-rip-1] network 172.16.0.0
[SwitchC-rip-1] quit
# Configure Switch D.
[SwitchD] rip
[SwitchD-rip-1] network 10.0.0.0
[SwitchD-rip-1] quit
# Check the RIP routing table of Switch A.

[SwitchA] display rip 1 route
Route Flags: R - RIP
A - Aging, S - Suppressed, G - Garbage-collect
-------------------------------------------------------------------------
Peer 192.168.1.2 on Vlanif10
Destination/Mask Nexthop Cost Tag Flags Sec
10.0.0.0/8 192.168.1.2 1 0 RA 14
172.16.0.0/16 192.168.1.2 1 0 RA 14
From the routing table, you can find that the routes advertised by RIP-1 use natural masks.
Step 4 Configure the RIP version.
# Configure RIPv2 on Switch A.
[SwitchA] rip
[SwitchA-rip-1] version 2
# Configure RIPv2 on Switch B.

[SwitchB] rip
[SwitchB-rip-1] version 2
# Configure RIPv2 on Switch C.

[SwitchC] rip
[SwitchC-rip-1] version 2
# Configure RIPv2 on Switch D.

[SwitchD] rip
[SwitchD-rip-1] version 2

# Check the RIP routing table of Switch A.
[SwitchA] display rip 1 route
Route Flags: R - RIP
A - Aging, S - Suppressed, G - Garbage-collect
-------------------------------------------------------------------------
Peer 192.168.1.2 on Vlanif10
Destination/Mask Nexthop Cost Tag Flags Sec

10.1.1.0/24 192.168.1.2 1 0 RA 32
172.16.1.0/24 192.168.1.2 1 0 RA 32
From the routing table, you can find that the routes advertised by RIP-2 contain more accurate
subnet masks.
----End
Configuration Files
l Configuration file of Switch A
#
sysname SwitchA
#
vlan batch 10
#
interface Vlanif10
ip address 192.168.1.1 255.255.255.0
#
#
rip 1
version 2
network 192.168.1.0
#
return
l Configuration file of Switch B

#
sysname SwitchB
#
vlan batch 10 20 30
#
interface Vlanif10
ip address 192.168.1.2 255.255.255.0
#
interface Vlanif20
ip address 172.16.1.1 255.255.255.0
#
interface Vlanif30
ip address 10.1.1.1 255.255.255.0
#
#
#
#
rip 1
version 2
network 10.0.0.0
network 172.16.0.0
network 192.168.1.0
#
return
l Configuration file of Switch C

#
sysname SwitchC
#

vlan batch 20
#
interface Vlanif20
ip address 172.16.1.2 255.255.255.0
#
#
rip 1
version 2
network 172.16.0.0
#
return
l Configuration file of Switch D

#
sysname SwitchD
#
vlan batch 30
#
interface Vlanif30
ip address 10.1.1.2 255.255.255.0
#
#
rip 1
version 2
network 10.0.0.0
#
return
5.2.2 Example for Configuring RIP to Import Routes

As shown in Figure 5-5, two RIP processes, RIP100 and RIP200, run on SwitchB. SwitchA
needs to communicate with network segment 192.168.3.0/24.
Figure 5-5 Network diagram of configuring RIP to import external routes
Eth0/0/1 Eth0/0/2
VLANIF50 VLANIF30
192.168.0.1/24 192.168.3.1/24
Eth0/0/2 Eth0/0/1
VLANIF10 VLANIF20
192.168.2.1/24 Eth0/0/3
192.168.1.2/24
Eth0/0/2 Eth0/0/1 VLANIF40
VLANIF10 VLANIF20 192.168.4.1/24
SwitchA 192.168.1.1/24 SwitchB 192.168.2.2/24 SwitchC
RIP 100 RIP 200


2. Import routes between RIP100 and RIP200 on SwitchB and set the default metric of routes
imported from RIP200 to 3.
3. Configure an ACL on SwitchB to filter route 192.168.4.0/24 imported from RIP200 so that
SwitchA can only communicate with network segment 192.168.3.0/24.
Procedure
[SwitchA] vlan bath 10 50
The configurations of Switch B, and Switch C are similar to the configuration of Switch A, and
The configurations of Switch B, and Switch C are similar to the configuration of Switch A, and
Step 3 Configure the basic RIP functions.
# Enable RIP process 100 on SwitchA.
[SwitchA] rip 100
# Enable RIP processes 100 and 200 on SwitchB.

[SwitchB] rip 100
[SwitchB] rip 200
# Enable RIP process 200 on SwitchC.

[SwitchC] rip 200
# View the routing table on SwitchA.



------------------------------------------------------------------------------
192.168.0.0/24 Direct 0 0 D 192.168.0.1 Vlanif50
192.168.1.0/24 Direct 0 0 D 192.168.1.1 Vlanif10
The routing table of SwitchA does not contain the routes imported from other processes.
Step 4 Configure RIP to import external routes.
# On SwitchB, set the default metric of imported routes to 3 in RIP 100 process and configure
the RIP processes to import routes into each other's routing table.
[SwitchB] rip 100
[SwitchB-rip-100] default-cost 3
[SwitchB-rip-100] import-route rip 200
[SwitchB] rip 200
[SwitchB-rip-200] import-route rip 100
# View the routing table of SwitchA after the routes are imported.
------------------------------------------------------------------------------
192.168.0.0/24 Direct 0 0 D 192.168.0.1 Vlanif50
192.168.1.0/24 Direct 0 0 D 192.168.1.1 Vlanif10
192.168.2.0/24 RIP 100 4 D 192.168.1.2 Vlanif10
192.168.3.0/24 RIP 100 4 D 192.168.1.2 Vlanif10
192.168.4.0/24 RIP 100 4 D 192.168.1.2 Vlanif10
The routing table of SwitchA contains routes 192.168.2.0/24, 192.168.3.0/24, and

192.168.4.0/24, which are learned by RIP200 on SwitchB.
Step 5 Configure RIP to filter imported routes.
# Configure an ACL on SwitchB and add a rule to the ACL. The rule denies the packets sent
from 192.168.4.0/24.
[SwitchB] acl 2000
[SwitchB-acl-basic-2000] rule deny source 192.168.4.0 0.0.0.255
[SwitchB-acl-basic-2000] rule permit
[SwitchB-acl-basic-2000] quit
# Configure SwitchB to filter route 192.168.4.0/24 imported from RIP200.

[SwitchB] rip 100
[SwitchB-rip-100] filter-policy 2000 export

# Display the RIP routing table of SwitchA after the routes are filtered.


------------------------------------------------------------------------------
192.168.0.0/24 Direct 0 0 D 192.168.0.1 Vlanif50
192.168.1.0/24 Direct 0 0 D 192.168.1.1 Vlanif10
192.168.2.0/24 RIP 100 4 D 192.168.1.2 Vlanif10
192.168.3.0/24 RIP 100 4 D 192.168.1.2 Vlanif10
The routing table of SwitchA does not contain the route originating from 192.168.4.0/24.
----End
Configuration Files
#
sysname SwitchA
#
vlan batch 10 50
#
interface Vlanif10
ip address 192.168.1.1 255.255.255.0
#
interface Vlanif50
ip address 192.168.0.1 255.255.255.0
#
#
#
rip 100
network 192.168.0.0
network 192.168.1.0
#
return

#
sysname SwitchB
#
vlan batch 10 20
#
acl number 2000
rule 5 deny source 192.168.4.0 0.0.0.255
rule 10 permit
#
interface Vlanif10
ip address 192.168.1.2 255.255.255.0
#
interface Vlanif20
ip address 192.168.2.1 255.255.255.0
#
#


#
rip 100
default-cost 3
network 192.168.1.0
filter-policy 2000 export
import-route rip 200
#
rip 200
network 192.168.2.0
#
return

#
sysname SwitchC
#
vlan batch 20 30 40
#
interface Vlanif20
ip address 192.168.2.2 255.255.255.0
#
interface Vlanif30
ip address 192.168.3.1 255.255.255.0
#
interface Vlanif40
ip address 192.168.4.1 255.255.255.0
#
#
#
#
rip 200
network 192.168.2.0
network 192.168.3.0
network 192.168.4.0
#
return
5.2.3 Example for Configuring One-Arm Static BFD for RIP

As shown in Figure 5-6, there are four switches that communicate using RIP on a small-sized
network. Services are transmitted through the primary link SwitchA→SwitchB→SwitchD.
Reliability must be improved for data transmitted from SwitchA to SwitchB so that services can
be rapidly switched to another path for transmission when the primary link fails.

Figure 5-6 Networking diagram for One-Arm static BFD for RIP
GE0/0/1 GE0/0/1 GE0/0/3
SwitchA VLANIF10 VLANIF10 SwitchB VLANIF40 SwitchD
2.2.2.1/24 2.2.2.2/24 172.16.1.1/24
GE0/0/1
GE0/0/2 GE0/0/2 VLANIF40
VLANIF20 VLANIF30 172.16.1.2/24
3.3.3.1/24 4.4.4.1/24
GE0/0/2 GE0/0/1
VLANIF20 VLANIF30
3.3.3.2/24 SwitchC 4.4.4.2/24
1. Configure IP address for each interface to ensure network reachability.
3. Configure One-Arm static BFD on SwitchA. BFD can rapidly detect the link status and
help RIP speed up route convergence to implement fast link switching.
Procedure
[SwitchA] vlan bath 10 20
Step 3 Configure basic RIP functions.
[SwitchA] rip 1

[SwitchB] rip 1
[SwitchC] rip 1
[SwitchC-rip-1] version 2
[SwitchD] rip 1
[SwitchD-rip-1] version 2
[SwitchD-rip-1] network 172.16.0.0
# After completing the preceding operations, run the display rip neighbor command. The
command output shows that Switchs A, B, and C have established neighbor relationships with
each other. In the following example, the display on Switch A is used.
[SwitchA] display rip 1 neighbor
---------------------------------------------------------------------
IP Address Interface Type Last-Heard-Time
---------------------------------------------------------------------
2.2.2.2 Vlanif10 RIP 0:0:10
Number of RIP routes : 2
3.3.3.2 Vlanif20 RIP 0:0:8
Number of RIP routes : 1
# Run the display ip routing-table command. The command output shows that the devices have
imported routes from each other. In the following example, the display on Switch A is used.
------------------------------------------------------------------------------
2.2.2.0/24 Direct 0 0 D 2.2.2.1 Vlanif10

2.2.2.1/32 Direct 0 0 D 127.0.0.1 Vlanif10
3.3.3.0/24 Direct 0 0 D 3.3.3.1 Vlanif20
3.3.3.1/32 Direct 0 0 D 127.0.0.1 Vlanif20
4.4.4.0/24 RIP 100 1 D 3.3.3.2 Vlanif20
RIP 100 1 D 2.2.2.2 Vlanif10
172.16.1.0/24 RIP 100 1 D 2.2.2.2 Vlanif10
The preceding command output shows that the next-hop address and outbound interface of the
route to destination 172.16.1.0/24 are 2.2.2.2 and VLANIF10 respectively, and traffic is
transmitted over the active link Switch A->Switch B.
Step 4 Configure One-Arm static BFD on Switch A.
# Configure one-arm BFD on Switch A.
[SwitchA] bfd
[SwitchA-bfd] quit

[SwitchA] bfd 1 bind peer-ip 2.2.2.2 interface vlanif 10 source-ip 1.1.1.1 one-arm-
echo
[SwitchA-session-1] discriminator local 1
[SwitchA-session-1] min-echo-rx-interval 200
[SwitchA-session-1] commit
[SwitchA-session-1] quit
# Enable static BFD on VLANIF 10.

[SwitchA-Vlanif10] rip bfd static
# After the configurations are completed, run the display bfd sessionall command on Switch A
and you can see that a static BFD session is set up.
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
1 - 2.2.2.2 Up S_IP_IF Vlanif10
--------------------------------------------------------------------------------

# Run the shutdown command on GE 0/0/1 of Switch B to simulate a fault in the active link.
NOTE
The link fault is simulated to verify the configuration. In actual situations, the operation is not required.
[SwitchB-GigabitEthernet0/0/1] shutdown
# Check the routing table of Switch A.

------------------------------------------------------------------------------
3.3.3.0/24 Direct 0 0 D 3.3.3.1 Vlanif20

3.3.3.1/32 Direct 0 0 D 127.0.0.1 Vlanif20
4.4.4.0/24 RIP 100 1 D 3.3.3.2 Vlanif20
172.16.1.0/24 RIP 100 2 D 3.3.3.2 Vlanif20
The preceding command output shows that the standby link Switch A->Switch C->Switch B is
used after the active link fails, and the next-hop address and outbound interface of the route to
destination 172.16.1.0/24 are 3.3.3.2 and VLANIF20 respectively.
----End
Configuration files
#
sysname SwitchA
#
vlan batch 10 20
#
bfd

#
interface Vlanif10
ip address 2.2.2.1 255.255.255.0
rip bfd static
#
interface Vlanif20
ip address 3.3.3.1 255.255.255.0
#
#
#
bfd 1 bind peer-ip 2.2.2.2 interface Vlanif10 source-ip 1.1.1.1 one-arm-echo
min-echo-rx-interval 200
commit
#
rip 1
version 2
network 2.0.0.0
network 3.0.0.0
#
return
#
sysname SwitchB
#
vlan batch 10 30 40
#
bfd
#
interface Vlanif10
ip address 2.2.2.2 255.255.255.0
#
interface Vlanif30
ip address 4.4.4.1 255.255.255.0
#
interface Vlanif40
ip address 172.16.1.1 255.255.255.0
#
#
#
#
rip 1
version 2
network 2.0.0.0
network 4.0.0.0
network 172.16.0.0
#
return
#
sysname SwitchC
#
vlan batch 20 30

#
interface Vlanif20
ip address 3.3.3.2 255.255.255.0
#
interface Vlanif30
ip address 4.4.4.2 255.255.255.0
#
#
#
rip 1
version 2
network 3.0.0.0
network 4.0.0.0
#
return

#
sysname SwitchD
#
vlan batch 40
#
interface Vlanif40
ip address 172.16.1.2 255.255.255.0
#
#
rip 1
version 2
network 172.16.0.0
#
return
5.3 RIPng Configuration

RIPng is widely used on small-sized networks to discover routes and generate routing
information.
5.3.1 Example for Configuring RIPng to Filter the Received Routes

As shown in Figure 5-7, the prefix length of all the IPv6 addresses is 64 bits. In addition, the
VLANIF interfaces between the neighboring Switches are assigned IPv6 link-local addresses.
All the Switches must learn IPv6 routing information on the network through RIPng. SwitchB
should filter the routes received from SwitchC (3::/64). That is, SwitchB does not add the routes
to its own routing table or advertise the routes to SwitchA.

Figure 5-7 Networking diagram for configuring RIPng to filter the received routes
SwitchB
Eth0/0/1 Eth0/0/2
VLANIF20 VLANIF30
SwitchA SwitchC Eth0/0/2

VLANIF40
Eth0/0/1 Eth0/0/1 2::1/64
VLANIF20 VLANIF30
Eth0/0/2 Eth0/0/3
VLANIF10 VLANIF50
1::1/64 3::1/64
1. Enable RIPng on each Switch so that the Switches can communicate with each other.
2. Configure an ACL on SwitchB to filter the received routes.
Procedure
[SwitchA] vlan 10
[SwitchA] vlan 20
The configurations of SwitchB and SwitchC are similar to the configuration of SwitchA and are
not mentioned here.

[SwitchA] ipv6
[SwitchA-Vlanif20] ipv6 address auto link-local

not mentioned here.
Step 3 Configure the basic RIPng functions.
[SwitchA] ripng 1
[SwitchA-ripng-1] quit
[SwitchA-Vlanif10] ripng 1 enable
[SwitchA-Vlanif20] ripng 1 enable
[SwitchB] ripng 1
[SwitchB-ripng-1] quit
[SwitchB] interface vlaif 20
[SwitchB-Vlanif20] ripng 1 enable
[SwitchB-Vlanif30] ripng 1 enable
[SwitchC] ripng 1
[SwitchC-ripng-1] quit
[SwitchC-Vlanif30] ripng 1 enable
# Display the RIPng routing table of SwitchB.

[SwitchB] display ripng 1 route
Route Flags: A - Aging, S - Suppressed, G - Garbage-collect
----------------------------------------------------------------
Peer FE80::F54C:0:9FDB:1 on Vlanif30

Dest 2::/64,
via FE80::F54C:0:9FDB:1, cost 1, tag 0, RA, 3 Sec
Dest 3::/64,
Peer FE80::D472:0:3C23:1 on Vlanif20

Dest 1::/64,
via FE80::D472:0:3C23:1, cost 1, tag 0, RA, 4 Sec
The preceding information shows that the RIPng routing table of SwitchB contains the routes
of network segment 3::/64.
# Display the RIPng routing table of SwitchA.
[SwitchA] display ripng 1 route
----------------------------------------------------------------
Peer FE80::476:0:3624:1 on Vlanif20

Dest 2::/64,
via FE80::476:0:3624:1, cost 2, tag 0, RA, 21 Sec

Dest 3::/64,
The preceding information shows that the RIPng routing table of SwitchA contains the routes
of network segment 3::/64 advertised by SwitchB.
Step 4 Configure SwitchB to filter the received routes.
[SwitchB] acl ipv6 number 2000
[SwitchB-acl6-basic-2000] rule deny source 3:: 64
[SwitchB-acl6-basic-2000] rule permit
[SwitchB-acl6-basic-2000] quit
[SwitchB] ripng 1
[SwitchB-ripng-1] filter-policy 2000 import
[SwitchB-ripng-1] quit

NOTE
After the aging time of the filtered routing entry expires, check the verification result. The default aging time is
180 seconds.
# Check the RIPng routing table of SwitchB. The RIPng routing table should not contain the
routes of network segment 3::/64.
[SwitchB] display ripng 1 route
----------------------------------------------------------------
Peer FE80::F54C:0:9FDB:1 on Vlanif30

Dest 2::/64,
Peer FE80::D472:0:3C23:1 on Vlanif20

Dest 1::/64,
via FE80::D472:0:3C23:1, cost 1, tag 0, RA, 25 Sec
# Check the RIPng routing table of SwitchA. The RIPng routing table should not contain the
routes of network segment 3::/64.
[SwitchA] display ripng 1 route
----------------------------------------------------------------
Peer FE80::476:0:3624:1 on Vlanif20

Dest 2::/64,
----End
Configuration Files
#
sysname SwitchA
#
ipv6
#
vlan batch 10 20
#
interface Vlanif10
ipv6 enable
ripng 1 enable
#
interface Vlanif20
ipv6 enable


ripng 1 enable
#
#
#
ripng 1
#
return
#
sysname SwitchB
#
ipv6
#
vlan batch 20 30
#
acl ipv6 number 2000
rule 0 deny source 3::/64
rule 1 permit
#
interface Vlanif20
ipv6 enable
ripng 1 enable
#
interface Vlanif30
ipv6 enable
ripng 1 enable
#
#
#
ripng 1
filter-policy 2000 import
#
return
#
sysname SwitchC
#
ipv6
#
vlan batch 30 40 50
#
interface Vlanif30
ipv6 enable
ripng 1 enable
#
interface Vlanif40
ipv6 enable
ripng 1 enable
#
interface Vlanif50
ipv6 enable


ripng 1 enable
#
#
#
#
ripng 1
#
return
5.4 OSPF Configuration

By building OSPF networks, you can enable OSPF to discover and calculate routes in ASs.
OSPF is applicable to a large-scale network that consists of hundreds of devices.
5.4.1 Example for Configuring Basic OSPF Functions
As shown in Figure 5-8, all switches run OSPF, and the entire AS is partitioned into three areas.
Switch A and Switch B serve as ABRs to forward routes between areas.
After the configuration, each Switch should learn the routes to all network segments from the
AS.
Figure 5-8 Networking diagram of basic OSPF configurations
Switch A Area 0 Switch B

Eth0/0/1
Eth0/0/2 Eth0/0/2
Eth0/0/1
Switch C Switch D
Eth0/0/1 Eth0/0/1
Area 1 Area 2
Eth0/0/2 Eth0/0/2
Eth0/0/1 Eth0/0/1
Switch E Switch F
Switch Interface VLANIF Interface IP Address
Switch A Ethernet 0/0/1 VLANIF 10 192.168.0.1/24
Switch A Ethernet 0/0/2 VLANIF 20 192.168.1.1/24

Switch B Ethernet 0/0/1 VLANIF 10 192.168.0.2/24
Switch B Ethernet 0/0/2 VLANIF 30 192.168.2.1/24
Switch C Ethernet 0/0/1 VLANIF 20 192.168.1.2/24
Switch C Ethernet 0/0/2 VLANIF 40 172.16.1.1/24
Switch D Ethernet 0/0/1 VLANIF 30 192.168.2.2/24
Switch D Ethernet 0/0/2 VLANIF 50 172.17.1.1/24
Switch E Ethernet 0/0/1 VLANIF 40 172.16.1.2/24
Switch F Ethernet 0/0/1 VLANIF 50 172.17.1.2/24
1. Create the ID of a VLAN to which each interface belongs.
2. Assign an IP address to each VLANIF interface.
3. Enable OSPF on each Switch and specify network segments in different areas.
4. Check the routing table and LSDB.
1. Create a VLAN to which each interface belongs.
The configuration details are not mentioned here.
2. Assign an IP address to each interface.
3. Configuring Basic OSPF Functions.
[SwitchA] router id 1.1.1.1
[SwitchA] ospf
[SwitchB] router id 2.2.2.2
[SwitchB] ospf
[SwitchC] router id 3.3.3.3
[SwitchC] ospf

[SwitchD] router id 4.4.4.4
[SwitchD] ospf
[SwitchD-ospf-1] area 2
[SwitchD-ospf-1-area-0.0.0.2] network 192.168.2.0 0.0.0.255
[SwitchD-ospf-1-area-0.0.0.2] quit
[SwitchD-ospf-1] quit
# Configure Switch E.
[SwitchE] router id 5.5.5.5
[SwitchE] ospf
[SwitchE-ospf-1] area 1
[SwitchE-ospf-1-area-0.0.0.1] network 172.16.1.0 0.0.0.255
[SwitchE-ospf-1-area-0.0.0.1] quit
[SwitchE-ospf-1] quit
# Configure Switch F.
[SwitchF] router id 6.6.6.6
[SwitchF] ospf
[SwitchF-ospf-1] area 2
[SwitchF-ospf-1-area-0.0.0.2] network 172.17.1.0 0.0.0.255
[SwitchF-ospf-1-area-0.0.0.2] quit
[SwitchF-ospf-1] quit

# Check OSPF neighbors of Switch A.
[SwitchA] display ospf peer
OSPF Process 1 with Router ID 1.1.1.1
Neighbors
Area 0.0.0.0 interface 192.168.0.1(Vlanif10)'s neighbors

Router ID: 2.2.2.2 Address: 192.168.0.2
State: Full Mode:Nbr is Master Priority: 1
DR: 192.168.0.1 BDR: 192.168.0.2 MTU: 0
Dead timer due in 36 sec
Retrans timer interval: 5
Neighbor is up for 00:15:04
Authentication Sequence: [ 0 ]
Neighbors

DR: 192.168.1.1 BDR: 192.168.1.2 MTU: 0
# Check OSPF routing information of Switch A.

[SwitchA] display ospf routing

Routing Tables
Routing for Network

Destination Cost Type NextHop AdvRouter Area
172.16.1.0/24 2 Transit 192.168.1.2 3.3.3.3 0.0.0.1
172.17.1.0/24 3 Inter-area 192.168.0.2 2.2.2.2 0.0.0.0
192.168.0.0/24 1 Transit 192.168.0.1 1.1.1.1 0.0.0.0
192.168.1.0/24 1 Transit 192.168.1.1 1.1.1.1 0.0.0.1

192.168.2.0/24 2 Inter-area 192.168.0.2 2.2.2.2 0.0.0.0
Total Nets: 5
Intra Area: 3 Inter Area: 2 ASE: 0 NSSA: 0
# View the LSDB of Switch A.

[SwitchA] display ospf lsdb

Link State Database
Area: 0.0.0.0
Type LinkState ID AdvRouter Age Len Sequence Metric
Router 2.2.2.2 2.2.2.2 317 48 80000003 1
Router 1.1.1.1 1.1.1.1 316 48 80000002 1
Network 192.168.0.1 1.1.1.1 316 32 80000001 0
Sum-Net 172.16.1.0 1.1.1.1 250 28 80000001 2
Sum-Net 172.17.1.0 2.2.2.2 203 28 80000001 2
Sum-Net 192.168.2.0 2.2.2.2 237 28 80000002 1
Sum-Net 192.168.1.0 1.1.1.1 295 28 80000002 1
Area: 0.0.0.1
Type LinkState ID AdvRouter Age Len Sequence Metric
Router 5.5.5.5 5.5.5.5 214 36 80000004 1
Router 3.3.3.3 3.3.3.3 217 60 80000008 1
Router 1.1.1.1 1.1.1.1 289 48 80000002 1
Network 192.168.1.1 1.1.1.1 202 28 80000002 0
Network 172.16.1.1 3.3.3.3 670 32 80000001 0
Sum-Net 172.17.1.0 1.1.1.1 202 28 80000001 3
Sum-Net 192.168.2.0 1.1.1.1 242 28 80000001 2
Sum-Net 192.168.0.0 1.1.1.1 300 28 80000001 1
# Check the routing table of Switch D and perform the ping operation to test the
connectivity.
[SwitchD] display ospf routing

Routing Tables
Routing for Network

172.16.1.0/24 4 Inter-area 192.168.2.1 2.2.2.2 0.0.0.2
172.17.1.0/24 1 Transit 172.17.1.1 4.4.4.4 0.0.0.2
192.168.0.0/24 2 Inter-area 192.168.2.1 2.2.2.2 0.0.0.2
192.168.1.0/24 3 Inter-area 192.168.2.1 2.2.2.2 0.0.0.2
192.168.2.0/24 1 Transit 192.168.2.2 4.4.4.4 0.0.0.2
Total Nets: 5
[SwitchD] ping 172.16.1.1


0.00% packet loss
Configuration Files
#

sysname SwitchA
#
router id 1.1.1.1
#
vlan batch 10 20
#
interface Vlanif10
ip address 192.168.0.1 255.255.255.0
#
interface Vlanif20
ip address 192.168.1.1 255.255.255.0
#
#
#
ospf 1
area 0.0.0.0
network 192.168.0.0 0.0.0.255
area 0.0.0.1
network 192.168.1.0 0.0.0.255
#
return

#
sysname SwitchB
#
router id 2.2.2.2
#
vlan batch 10 30
#
interface Vlanif10
ip address 192.168.0.2 255.255.255.0
#
interface Vlanif30
ip address 192.168.2.1 255.255.255.0
#
#
#
ospf 1
area 0.0.0.0
network 192.168.0.0 0.0.0.255
area 0.0.0.2
network 192.168.2.0 0.0.0.255
#
return

#
sysname SwitchC
#
router id 3.3.3.3
#
vlan batch 20 40
#
interface Vlanif20
ip address 192.168.1.2 255.255.255.0
#
interface Vlanif40

ip address 172.16.1.1 255.255.255.0

#
#
#
ospf 1
area 0.0.0.1
network 192.168.1.0 0.0.0.255
network 172.16.1.0 0.0.0.255
#
return
#
sysname SwitchD
#
router id 4.4.4.4
#
vlan batch 30 50
#
interface Vlanif30
ip address 192.168.2.2 255.255.255.0
#
interface Vlanif50
ip address 172.17.1.1 255.255.255.0
#
#
#
ospf 1
area 0.0.0.2
network 192.168.2.0 0.0.0.255
network 172.17.1.0 0.0.0.255
#
return
l Configuration file of Switch E
#
sysname SwitchE
#
router id 5.5.5.5
#
vlan batch 40
#
interface Vlanif40
ip address 172.16.1.2 255.255.255.0
#
#
ospf 1
area 0.0.0.1
network 172.16.1.0 0.0.0.255
#
return
l Configuration file of Switch F
#
sysname SwitchF
#

router id 6.6.6.6
#
vlan batch 50
#
interface Vlanif50
ip address 172.17.1.2 255.255.255.0
#
#
ospf 1
area 0.0.0.2
network 172.17.1.0 0.0.0.255
#
return
5.4.2 Example for Configuring a Stub Area of OSPF
As shown in Figure 5-9, OSPF is enabled on all Switches and the entire AS is partitioned into
three areas. SwitchA and SwitchB function as ABRs to forward routes between areas. SwitchD
functions as the ASBR to import static routes.
The requirement is to configure Area 1 as the stub area, thus reducing the LSAs advertised to
this area without affecting the route reachability.
Figure 5-9 Configuring OSPF stub areas

Eth0/0/1
Eth0/0/2 Eth0/0/2
Eth0/0/1
Switch C Switch D
Eth0/0/1 Eth0/0/1
Area 1 Area 2
Eth0/0/2 Eth0/0/2
Eth0/0/1 Eth0/0/1
Switch E Switch F
S-switch Interface VLANIF Interface IP Address
SwitchA Ethernet 0/0/1 VLANIF 10 192.168.0.1/24
SwitchB Ethernet 0/0/1 VLANIF 10 192.168.0.2/24
SwitchC Ethernet 0/0/1 VLANIF 20 192.168.1.2/24

SwitchD Ethernet 0/0/1 VLANIF 30 192.168.2.2/24
SwitchE Ethernet 0/0/1 VLANIF 40 172.16.1.2/24
SwitchF Ethernet 0/0/1 VLANIF 50 172.17.1.2/24
1. Enable OSPF on each Switch and configure basic OSPF functions.

2. Configure static routes on SwitchD and import them.
3. Configure Area 1 as a stub area. You need to run the stub command on all Switches in
Area 1.
4. Do not advertise Type3 LSAs to the stub area on SwitchA.
1. 5.4.1 Example for Configuring Basic OSPF Functions.
2. Configure SwitchD to import static routes.
# Import static routes on SwitchD, as follows:
[SwitchD] ip route-static 200.0.0.0 8 null 0
[SwitchD] ospf
[SwitchD-ospf-1] import-route static type 1
# Display the ABR or ASBR of SwitchC.

[SwitchC] display ospf abr-asbr

Routing Table to ABR and ASBR
Type Destination Area Cost Nexthop RtType

Intra-area 1.1.1.1 0.0.0.1 1 192.168.1.1 ABR
Inter-area 4.4.4.4 0.0.0.1 3 192.168.1.1 ASBR
# Check the routing table of an OSPF process of SwitchC.

[SwitchC] display ospf routing

Routing Tables
Routing for Network

172.16.1.0/24 1 Transit 172.16.1.1 3.3.3.3 0.0.0.1
172.17.1.0/24 4 Inter-area 192.168.1.1 1.1.1.1 0.0.0.1
192.168.0.0/24 2 Inter-area 192.168.1.1 1.1.1.1 0.0.0.1
192.168.1.0/24 1 Transit 192.168.1.2 3.3.3.3 0.0.0.1
192.168.2.0/24 3 Inter-area 192.168.1.1 1.1.1.1 0.0.0.1
Routing for ASEs

Destination Cost Type Tag NextHop AdvRouter
200.0.0.0/8 4 Type1 1 192.168.1.1 4.4.4.4
Total Nets: 6

If the area where SwitchC resides is the common area, you can view that AS external routes
exist in the routing table.
3. Configure Area 1 as a stub area.
[SwitchA] ospf
[SwitchA-ospf-1-area-0.0.0.1] stub
[SwitchC] ospf
[SwitchC-ospf-1-area-0.0.0.1] stub
# Configure SwitchE.
[SwitchE] ospf
[SwitchE-ospf-1-area-0.0.0.1] stub
# Check the routing table of SwitchC.


Routing Tables
Routing for Network

0.0.0.0/0 2 Inter-area 192.168.1.1 1.1.1.1 0.0.0.1
172.16.1.0/24 1 Transit 172.16.1.1 3.3.3.3 0.0.0.1
172.17.1.0/24 4 Inter-area 192.168.1.1 1.1.1.1 0.0.0.1
192.168.0.0/24 2 Inter-area 192.168.1.1 1.1.1.1 0.0.0.1
192.168.1.0/24 1 Transit 192.168.1.2 3.3.3.3 0.0.0.1
192.168.2.0/24 3 Inter-area 192.168.1.1 1.1.1.1 0.0.0.1
Total Nets: 6
When the area where SwitchC resides is configured as a stub area, you may not find the
AS external route but a default route external to the AS.
# Disable Router A from advertising Type3 LSAs to the stub area.
[SwitchA] ospf
[SwitchA-ospf-1-area-0.0.0.1] stub no-summary

# Check the OSPF routing table of SwitchC.

Routing Tables
Routing for Network

0.0.0.0/0 2 Inter-area 192.168.1.1 1.1.1.1 0.0.0.1
172.16.1.0/24 1 Transit 172.16.1.1 3.3.3.3 0.0.0.1
192.168.1.0/24 1 Transit 192.168.1.2 3.3.3.3 0.0.0.1
Total Nets: 3

After the advertisement of Summary-LSA to the stub area is disabled, the route entries are
further reduced. The AS external routes are invisible in the routing table. Instead, there is
a default route.
Configuration Files
#
sysname SwitchA
#
router id 1.1.1.1
#
vlan batch 10 20
#
interface Vlanif10
ip address 192.168.0.1 255.255.255.0
#
interface Vlanif20
ip address 192.168.1.1 255.255.255.0
#
#
#
ospf 1
area 0.0.0.0
network 192.168.0.0 0.0.0.255
area 0.0.0.1
network 192.168.1.0 0.0.0.255
stub no-summary
#
return
NOTE
Configuration files of SwitchB and SwitchF are the same as the configuration file of SwitchA, and
#
sysname SwitchC
#
router id 3.3.3.3
#
vlan batch 20 40
#
interface Vlanif20
ip address 192.168.1.2 255.255.255.0
#
interface Vlanif40
ip address 172.16.1.1 255.255.255.0
#
#
#
ospf 1
area 0.0.0.1
network 192.168.1.0 0.0.0.255

network 172.16.1.0 0.0.0.255

stub
#
return

#
sysname SwitchD
#
vlan batch 30 50
#
router id 4.4.4.4
#
interface Vlanif30
ip address 192.168.2.2 255.255.255.0
#
interface Vlanif50
ip address 172.17.1.1 255.255.255.0
#
#
#
ospf 1
import-route static type 1
area 0.0.0.2
network 192.168.2.0 0.0.0.255
network 172.17.1.0 0.0.0.255
#
ip route-static 200.0.0.0 255.0.0.0 NULL0
#
return
l Configuration file of SwitchE

#
sysname SwitchE
#
router id 5.5.5.5
#
vlan batch 40
#
interface Vlanif40
ip address 172.16.1.2 255.255.255.0
#
#
ospf 1
area 0.0.0.1
network 172.16.1.0 0.0.0.255
stub
#
return
5.4.3 Example for Configuring an OSPF NSSA Area
As shown in Figure 5-10, OSPF is enabled on all Switches and the entire AS is partitioned into
three areas. SwitchA and SwitchB function as ABRs to forward routes between areas. SwitchD
functions as the ASBR to import external routes (static routes).

The requirement is to configure Area 1 as an NSSA area and configure SwitchC as an ASBR to
import external routes (static routes). The routing information can be transmitted correctly in
the AS.
Figure 5-10 Configuring OSPF NSSA areas

Eth0/0/1
Eth0/0/2 Eth0/0/1 Eth0/0/2
Switch C Eth0/0/1 Eth0/0/1 Switch D
Area 1 Area 2
Eth0/0/2 Eth0/0/2
Eth0/0/1 Eth0/0/1
Switch E Switch F
S-switch Interface VLANIF Interface IP Address
SwitchE Ethernet 0/0/1 VLANIF 40 172.16.1.2/24
SwitchF Ethernet 0/0/1 VLANIF 50 172.17.1.2/24
1. Enable OSPF on each Switch and configure basic OSPF functions.

2. Configure static routes on SwitchD and import them into OSPF.
3. Configure Area 1 as an NSSA area (run the nssa command on all routers in Area 1) and
check the OSPF routing information of SwitchC.
4. Configure static routes on SwitchC, import them into OSPF, and check the OSPF routing
information of SwitchD.

2. Configure SwitchD to import static routes. See 5.4.2 Example for Configuring a Stub
Area of OSPF.
3. Configure Area 1 as an NSSA area.
[SwitchA] ospf
[SwitchA-ospf-1-area-0.0.0.1] nssa default-route-advertise no-summary
[SwitchC] ospf
[SwitchC-ospf-1-area-0.0.0.1] nssa
# Configure SwitchE.
[SwitchE] ospf
[SwitchE-ospf-1-area-0.0.0.1] nssa
NOTE
You should run the default-route-advertise no-summary command on SwitchA. In this manner,
the size of the routing table of devices in the NSSA area can be reduced. For other devices in the
NSSA area, you need to use only the nssa command.
# Check the OSPF routing table of SwitchC.

Routing Tables
Routing for Network

0.0.0.0/0 2 Inter-area 192.168.1.1 1.1.1.1 0.0.0.1
172.16.1.0/24 1 Transit 172.16.1.1 3.3.3.3 0.0.0.1
192.168.1.0/24 1 Transit 192.168.1.2 3.3.3.3 0.0.0.1
Total Nets: 3
4. Configure SwitchC to import static routes.

# Import static routes on SwitchC, as follows:
[SwitchC]ip route-static 100.0.0.0 8 null 0
[SwitchC] ospf
[SwitchC-ospf-1] import-route static

# Check the OSPF routing table of SwitchD.
[SwitchD] display ospf routing

Routing Tables
Routing for Network

172.16.1.0/24 4 Inter-area 192.168.2.1 2.2.2.2 0.0.0.2

172.17.1.0/24 1 Transit 172.17.1.1 4.4.4.4 0.0.0.2

192.168.0.0/24 2 Inter-area 192.168.2.1 2.2.2.2 0.0.0.2
192.168.1.0/24 3 Inter-area 192.168.2.1 2.2.2.2 0.0.0.2
192.168.2.0/24 1 Transit 192.168.2.2 4.4.4.4 0.0.0.2
Routing for ASEs
100.0.0.0/8 1 Type2 1 192.168.2.1 1.1.1.1
Total Nets: 6
You can view one imported AS external route on SwitchD in the NSSA area.
Configuration Files
#
sysname SwitchA
#
router id 1.1.1.1
#
vlan batch 10 20
#
interface Vlanif10
ip address 192.168.0.1 255.255.255.0
#
interface Vlanif20
ip address 192.168.1.1 255.255.255.0
#
#
#
ospf 1
area 0.0.0.0
network 192.168.0.0 0.0.0.255
area 0.0.0.1
network 192.168.1.0 0.0.0.255
nssa default-route-advertise no-summary
#
return
NOTE
Configuration files of SwitchB, SwitchD, and SwitchF are the same as the configuration file of
SwitchA, and are not mentioned here.
#
sysname SwitchC
#
router id 3.3.3.3
#
vlan batch 20 40
#
interface Vlanif20
ip address 192.168.1.2 255.255.255.0
#
interface Vlanif40
ip address 172.16.1.1 255.255.255.0
#
#


#
ospf 1
import-route static
area 0.0.0.1
network 192.168.1.0 0.0.0.255
network 172.16.1.0 0.0.0.255
nssa
#
#
return

#
sysname SwitchE
#
router id 5.5.5.5
#
vlan batch 40
#
interface Vlanif40
ip address 172.16.1.2 255.255.255.0
#
#
ospf 1
area 0.0.0.1
network 172.16.1.0 0.0.0.255
nssa
#
return
5.4.4 Example for Configuring DR Election of an OSPF Process
As shown in Figure 5-11, Switch A has the highest priority of 100 in the network and is selected
as DR. Switch C has the second highest priority, and is selected as BDR. The priority of Switch
B is 0, so Switch B cannot be selected as DR. The priority of Switch D is not configured and its
default value is 1.
Figure 5-11 Networking diagram for configuring DR election of an OSPF process

Switch A Switch B
Eth0/0/1 Eth0/0/1
Eth0/0/1 Eth0/0/1
Switch C Switch D
Switch Interface VLANIF IP address

1. Create the ID of a VLAN to which each interface belongs.
2. Assign an IP address to each VLANIF interface.
3. Configure the router ID of each Switch, enable OSPF, and specify network segments.
4. Check the DR or BDR status of each Switch.
5. Set the DR priority of the interface and check the DR or BDR status.
[SwitchA] router id 1.1.1.1
[SwitchA] ospf
[SwitchB] router id 2.2.2.2
[SwitchB] ospf
[SwitchC] router id 3.3.3.3
[SwitchC] ospf
[SwitchD] router id 4.4.4.4
[SwitchD] ospf

# Check the DR or BDR status.

[SwitchA] display ospf peer

Neighbors

State: 2-Way Mode:Nbr is Master Priority: 1
DR: 192.168.1.4 BDR: 192.168.1.3 MTU: 0

DR: 192.168.1.4 BDR: 192.168.1.3 MTU: 0

DR: 192.168.1.4 BDR: 192.168.1.3 MTU: 0
Check information about the neighbor of Switch A. You can view the DR priority and
neighbor status. By default, the DR priority is 1. Now Switch D is a DR and Switch C is a
BDR.
NOTE
When the priority is the same, the Switch with a higher router ID is selected as DR. If one Ethernet
interface of the Switch becomes DR, the other broadcast interfaces of the Switch have a high priority
of being selected as DRs in future DR selection. That is, select the DR Switch as DR. DR cannot be
preempted.
4. Configure DR priorities on the interfaces.
[SwitchA-Vlanif10] ospf dr-priority 100
[SwitchB-Vlanif10] ospf dr-priority 0
[SwitchC-Vlanif10] ospf dr-priority 2
# View the DR or BDR status.

[SwitchD] display ospf peer

Neighbors

State: Full Mode:Nbr is Slave Priority: 100
DR: 192.168.1.4 BDR: 192.168.1.3 MTU: 0


DR: 192.168.1.4 BDR: 192.168.1.3 MTU: 0

DR: 192.168.1.4 BDR: 192.168.1.3 MTU: 0
NOTE
The DR priority on the interface is invalid after it is configured.

5. Restart OSPF processes.
On each Switch, run the reset ospf 1 process command in the user view to restart the OSPF
process.
# Check the status of OSPF neighbors.
[SwitchD] display ospf peer

Neighbors

DR: 192.168.1.1 BDR: 192.168.1.3 MTU: 0

State: 2-Way Mode:Nbr is Slave Priority: 0
DR: 192.168.1.1 BDR: 192.168.1.3 MTU: 0

DR: 192.168.1.1 BDR: 192.168.1.3 MTU: 0
# Check the status of an interface enabled with OSPF.

[SwitchA] display ospf interface

Interfaces
Area: 0.0.0.0
IP Address Type State Cost Pri DR BDR
192.168.1.1 Broadcast DR 1 100 192.168.1.1 192.168.1.3

[SwitchB] display ospf interface

Interfaces
Area: 0.0.0.0
IP Address Type State Cost Pri DR BDR
192.168.1.2 Broadcast DROther 1 0 192.168.1.1 192.168.1.3
All neighbors are in the full state. This indicates that SwitchA sets up neighbor relationships
with all its neighbors. If the neighbor remains "2-Way", it indicates both of them are not
DRs or BDRs. Thus, they need not exchange LSAs.
All other neighbors are DR Others. This indicates that they are neither DRs nor BDRs.
Configuration Files
#
sysname SwitchA
#
router id 1.1.1.1
#
vlan batch 10
#
interface Vlanif10
ip address 192.168.1.1 255.255.255.0
ospf dr-priority 100
#
#
ospf 1
area 0.0.0.0
network 192.168.1.0 0.0.0.255
#
return
#
sysname SwitchB
#
router id 2.2.2.2
#
vlan batch 10
#
interface Vlanif10
ip address 192.168.1.2 255.255.255.0
ospf dr-priority 0
#
#
ospf 1
area 0.0.0.0
network 192.168.1.0 0.0.0.255
#
return
#
sysname SwitchC
#
router id 3.3.3.3
#
vlan batch 10

#
interface Vlanif10
ip address 192.168.1.3 255.255.255.0
ospf dr-priority 2
#
#
ospf 1
area 0.0.0.0
network 192.168.1.0 0.0.0.255
#
return

#
sysname SwitchD
#
router id 4.4.4.4
#
vlan batch 10
#
interface Vlanif10
ip address 192.168.1.4 255.255.255.0
#
#
ospf 1
area 0.0.0.0
network 192.168.1.0 0.0.0.255
#
return
5.4.5 Example for Configuring OSPF Load Balancing
As shown in Figure 5-12:
l SwitchA, SwitchB, SwitchC, and SwitchD connect to each other through OSPF.
l SwitchA, SwitchB, SwitchC, and SwitchD belong to Area 0.
l Load balancing is performed between SwitchB and SwitchC. The traffic of SwitchA is sent
to SwitchD by SwitchB and SwitchC.

Figure 5-12 Networking diagram for configuring OSPF load balancing
SwitchB
Eth0/0/1 Eth0/0/2
Eth0/0/1 Eth0/0/1 SwitchD

Eth0/0/3 Eth0/0/3
Area 0
SwitchA Eth0/0/2
Eth0/0/2
Eth0/0/1 Eth0/0/2
SwitchC
Device Interface VLANIF Interface IP Address
1. Enable OSPF on each Switch to implement interconnection.
2. Cancel load balancing and check the routing table.
3. (Optional) Set the preferences for equal-cost routes on SwitchA.

4. Cancel load balancing on SwitchA.

[SwitchA] ospf
[SwitchA-ospf-1] maximum load-balancing 1
# Check the routing table of SwitchA.

------------------------------------------------------------------------------
10.1.1.0/24 Direct 0 0 D 10.1.1.1 Vlanif10

10.1.2.0/24 Direct 0 0 D 10.1.2.1 Vlanif20
172.16.1.0/24 Direct 0 0 D 172.16.1.1 Vlanif50
172.17.1.0/24 OSPF 10 3 D 10.1.1.2 Vlanif10
192.168.0.0/24 OSPF 10 2 D 10.1.1.2 Vlanif10
192.168.1.0/24 OSPF 10 2 D 10.1.2.2 Vlanif20
As shown in the routing table, when the maximum number of the equal-cost routes is 1,
the next hop to the destination network segment 172.17.1.0 is 10.1.1.2.
NOTE
In the preceding example, 10.1.1.2 is selected as the optimal next hop. This is because OSPF selects
the next hop of the equal-cost route randomly.
5. Restore the default number of routes for load balancing on SwitchA.
[SwitchA] ospf
[SwitchA-ospf-1] undo maximum load-balancing

----------------------------------------------------------------------------
10.1.1.0/24 Direct 0 0 D 10.1.1.1 Vlanif10

10.1.1.1/32 Direct 0 0 D 127.0.0.1
InLoopBack0
10.1.2.0/24 Direct 0 0 D 10.1.2.1 Vlanif20
10.1.2.1/32 Direct 0 0 D 127.0.0.1
InLoopBack0
127.0.0.0/8 Direct 0 0 D 127.0.0.1
InLoopBack0
127.0.0.1/32 Direct 0 0 D 127.0.0.1
InLoopBack0
172.16.1.0/24 Direct 0 0 D 172.16.1.1 Vlanif50
172.16.1.1/32 Direct 0 0 D 127.0.0.1
InLoopBack0
172.17.1.0/24 OSPF 10 3 D 10.1.1.2 Vlanif10
OSPF 10 3 D 10.1.2.2 Vlanif20
192.168.0.0/24 OSPF 10 2 D 10.1.1.2 Vlanif10
192.168.1.0/24 OSPF 10 2 D 10.1.2.2 Vlanif20
As shown in the routing table, when the default setting of load balancing is restored, the
next hops of SwitchA, that is, 10.1.1.2 (SwitchB) and 10.1.2.2 (SwitchC), become valid
routes. This is because the default number of equal-cost routes is 4.

6. (Optional) Set the preferences for equal-cost routes on SwitchA.

If you need not perform load balancing between SwitchB and SwitchC, set the preferences
for equal-cost routes and specify the next hop.
[SwitchA] ospf
[SwitchA-ospf-1] nexthop 10.1.2.2 weight 1

------------------------------------------------------------------------------

10.1.1.0/24 Direct 0 0 D 10.1.1.1 Vlanif10
10.1.1.1/32 Direct 0 0 D 127.0.0.1
InLoopBack0
10.1.2.0/24 Direct 0 0 D 10.1.2.1 Vlanif20
10.1.2.1/32 Direct 0 0 D 127.0.0.1
InLoopBack0
127.0.0.0/8 Direct 0 0 D 127.0.0.1
InLoopBack0
127.0.0.1/32 Direct 0 0 D 127.0.0.1
InLoopBack0
172.16.1.0/24 Direct 0 0 D 172.16.1.1 Vlanif50
172.16.1.1/32 Direct 0 0 D 127.0.0.1
InLoopBack0
172.17.1.0/24 OSPF 10 3 D 10.1.2.2 Vlanif20
192.168.0.0/24 OSPF 10 2 D 10.1.1.2 Vlanif10
192.168.1.0/24 OSPF 10 2 D 10.1.2.2 Vlanif20
As shown in the routing table, OSPF selects the next hop 10.1.2.2 as the unique optimal
route. This is because the preference of the next hop 10.1.2.2 (SwitchC) is higher than that
of the next hop 10.1.1.2 (SwitchB) after the preferences of the equal-cost routes are set.
Configuration Files
#
sysname SwitchA
#
vlan batch 10 20 50
#
interface Vlanif10
ip address 10.1.1.1 255.255.255.0
#
interface Vlanif20
ip address 10.1.2.1 255.255.255.0
#
interface Vlanif50
ip address 172.16.1.1 255.255.255.0
#
#
#
#
ospf 1 router-id 1.1.1.1
area 0.0.0.0

network 10.1.1.0 0.0.0.255

network 10.1.2.0 0.0.0.255
network 172.16.1.0 0.0.0.255
#
return
#
sysname SwitchB
#
vlan batch 10 30
#
interface Vlanif10
ip address 10.1.1.2 255.255.255.0
#
interface Vlanif30
ip address 192.168.0.1 255.255.255.0
#
#
#
area 0.0.0.0
network 10.1.1.0 0.0.0.255
network 192.168.0.0 0.0.0.255
#
return
#
sysname SwitchC
#
vlan batch 20 40
#
interface Vlanif20
ip address 10.1.2.2 255.255.255.0
#
interface Vlanif40
ip address 192.168.1.1 255.255.255.0
#
#
#
area 0.0.0.0
network 10.1.2.0 0.0.0.255
network 192.168.1.0 0.0.0.255
#
return
#
sysname SwitchD
#
vlan batch 30 40 60
#
interface Vlanif30
ip address 192.168.0.2 255.255.255.0
#
interface Vlanif40
ip address 192.168.1.2 255.255.255.0

#
interface Vlanif60
ip address 172.17.1.1 255.255.255.0
#
#
#
#
area 0.0.0.0
network 192.168.0.0 0.0.0.255
network 192.168.1.0 0.0.0.255
network 172.17.1.0 0.0.0.255
#
return
5.5 OSPFv3 Configuration

By building Open Shortest Path First Version 3 (OSPFv3) networks, you can enable OSPFv3
to discover and calculate routes in ASs. OSPFv3 is applicable to a large-scale network that
consists of hundreds of switches.
5.5.1 Example for Configuring OSPFv3 Areas

As shown in Figure 5-13, OSPFv3 is enabled on all Switches and the AS is divided into three
areas. Switch B and Switch C serve as ABRs to forward the inter-area routes.
You need to configure Area 2 as a stub area. The LSAs advertised to this area can thus be reduced,
without affecting the reachability of routes.

Figure 5-13 Networking diagram for configuring an OSPFv3 area
SwitchB Area 0
SwitchC
VLANIF30 VLANIF30
1000::1/64 1000::2/64
Eth0/0/1 Eth0/0/2 Eth0/0/2
Eth0/0/1
VLANIF20 VLANIF40
1001::1/64 1002::1/64
Eth0/0/1 Eth0/0/2
VLANIF20 VLANIF40
1001::2/64 1002::2/64
SwitchA SwitchD
Eth0/0/3
VLANIF10 Area 2
2000::1/64
Stub
Area 1
1. Configure IPv6 addresses for interfaces.
2. Enable the basic OSPFv3 functions on each Switch.
3. Configure Area 2 as a stub area by running the stub command on all the Switches in Area
2 and check the OSPFv3 routing table of Switch D.
4. Configure the Area 2 as a totally stub area and check the OSPFv3 routing table of Switch
D.
Procedure
[SwitchA] vlan 10
[SwitchA] vlan 20
The configurations of Switch B, Switch C, Switch D are similar to the configuration of Switch
A and are not mentioned here.
[SwitchA] ipv6


The configurations of Switch B, Switch C, Switch D are similar to the configuration of Switch
A and are not mentioned here.
Step 3 Configure the basic OSPFv3 functions.
[Switch A] ospfv3
[Switch A-ospfv3-1] router-id 1.1.1.1
[Switch A-ospfv3-1] quit
[Switch A-Vlanif10] ospfv3 1 area 1
[Switch A-Vlanif20] ospfv3 1 area 1
[Switch B] ospfv3
[Switch B-ospfv3-1] router-id 2.2.2.2
[Switch B-ospfv3-1] quit
[Switch B] interface vlanif 20
[Switch B-Vlanif20] ospfv3 1 area 1
[Switch B-Vlanif20] quit
[Switch B] interface vlanif 30
[Switch B-Vlanif30] ospfv3 1 area 0
[Switch B-Vlanif30] quit
[Switch C] ospfv3
[Switch C-ospfv3-1] router-id 3.3.3.3
[Switch C-ospfv3-1] quit
[Switch C] interface vlanif 30
[Switch C-Vlanif30] ospfv3 1 area 0
[Switch C-Vlanif30] quit
[Switch C] interface vlanif 40
[Switch C-Vlanif40] ospfv3 1 area 2
[Switch C-Vlanif40] quit
[Switch D] ospfv3
[Switch D-ospfv3-1] router-id 4.4.4.4
[Switch D-ospfv3-1] quit
[Switch D] interface vlanif 40
[Switch D-Vlanif40] ospfv3 1 area 2
[Switch D-Vlanif40] quit
# View the status of the OSPFv3 neighbors of Switch B.

[Switch B] display ospfv3 peer
OSPFv3 Process (1)

OSPFv3 Area (0.0.0.1)
Neighbor ID Pri State Dead Time Interface Instance ID
1.1.1.1 1 Full/DR 00:00:34 Vlanif20 0
3.3.3.3 1 Full/Backup 00:00:32 Vlanif30 0

# View the status of the OSPFv3 neighbors of Switch C.

[Switch C] display ospfv3 peer
OSPFv3 Process (1)

Area (0.0.0.0)
2.2.2.2 1 Full/DR 00:00:37 Vlanif30 0
4.4.4.4 1 Full/Backup 00:00:33 Vlanif40 0
# View the OSPFv3 routing table of Switch D.

[Switch D] display ospfv3 routing
OSPFv3 Process (1)
Destination Metric
Next-hop
IA 1000::/64 2
via FE80::1572:0:5EF4:1, Vlanif40
IA 1001::/64 3
via FE80::1572:0:5EF4:1, Vlanif40
1002::/64 1
directly-connected, Vlanif40
IA 2000::/64 4
via FE80::1572:0:5EF4:1, Vlanif40
Step 4 Configure the stub areas.

# Configure the stub area of Switch D.
[Switch D] ospfv3
[Switch D-ospfv3-1] area 2
[Switch D-ospfv3-1-area-0.0.0.2] stub
[Switch D-ospfv3-1-area-0.0.0.2] quit
# Configure the stub area of Switch C, and set the cost of the default route advertised to the stub
area to 10.
[Switch C] ospfv3
[Switch C-ospfv3-1] area 2
[Switch C-ospfv3-1-area-0.0.0.2] stub
[Switch C-ospfv3-1-area-0.0.0.2] default-cost 10
[Switch C-ospfv3-1-area-0.0.0.2] quit
# View the OSPFv3 routing table of Switch D, and you can see a new default route in the routing
table. The cost of the default route is the sum of the cost of the directly connected routes and the
configured cost.
OSPFv3 Process (1)
Destination Metric
Next-hop
IA ::/0 11
via FE80::1572:0:5EF4:1, vlanif40
IA 1000::/64 2
via FE80::1572:0:5EF4:1, vlanif40
IA 1001::/64 3
via FE80::1572:0:5EF4:1, vlanif40
1002::/64 1
directly-connected, vlanif40
IA 2000::/64 4
via FE80::1572:0:5EF4:1, vlanif40
Step 5 Configure the totally sub area.

# On Switch C, configure Area 2 as the totally stub area.
[Switch C] ospfv3
[Switch C-ospfv3-1] area 2

[Switch C-ospfv3-1-area-0.0.0.2] stub no-summary

[Switch C-ospfv3-1-area-0.0.0.2] quit
# View the OSPFv3 routing table of Switch D, and you can see that the entries in the routing
table are reduced; other non-directly connected routes are suppressed; only the default route is
reserved.
OSPFv3 Process (1)
Destination Metric
Next-hop
IA ::/0 11
via FE80::1572:0:5EF4:1, vlanif40
1002::/64 1
directly-connected, vlanif40
----End
Configuration Files
#
sysname SwitchA
#
ipv6
#
vlan batch 10 20
#
interface Vlanif10
ipv6 enable
ospfv3 1 area 0.0.0.1
#
interface Vlanif20
ipv6 enable
#
#
#
ospfv3 1
router-id 1.1.1.1
#
return

#
sysname Switch B
#
ipv6
#
vlan batch 20 30
#
interface Vlanif20
ipv6 enable
#
interface Vlanif30

ipv6 enable
#
#
#
ospfv3 1
router-id 2.2.2.2
#
return
#
sysname Switch C
#
ipv6
#
vlan batch 30 40
#
interface Vlanif30
ipv6 enable
#
interface Vlanif40
ipv6 enable
#
#
#
ospfv3 1
router-id 3.3.3.3
area 0.0.0.2
stub no-summary
default-cost 10
#
return
#
sysname Switch D
#
ipv6
#
vlan batch 40
#
interface Vlanif40
ipv6 enable
#
#
ospfv3 1
router-id 4.4.4.4

area 0.0.0.2
stub
#
return
5.6 IPv4 IS-IS Configuration

You can build an IPv4 IS-IS network to allow IS-IS to discover and calculate routes in an
autonomous system (AS).
5.6.1 Example for Configuring Basic IS-IS Functions
As shown in Figure 5-14, there are four switches (SwitchA, SwitchB, SwitchC, and SwitchD)
on the network. The four switches need to communicate with each other. SwitchA and SwitchB
can only process a small amount of data because they have lower performance than the other
two switches.
Figure 5-14 Networking diagram of configuring basic IS-IS functions
SwitchA
L1
Eth0/0/1
VLANIF10
10.1.1.2/24
Eth0/0/2
SwitchC Eth0/0/1 VLANIF40
Eth0/0/1
VLANIF10 L1/2 VLANIF30 172.16.1.1/24
10.1.1.1/24 192.168.0.2/24
IS-IS
Area 10 Eth0/0/2 Eth0/0/3
VLANIF20 VLANIF30 SwitchD
10.1.2.1/24 192.168.0.1/24 L2
Eth0/0/1 IS-IS
VLANIF20 Area 20
10.1.2.2/24
SwitchB
L1
1. Enable IS-IS on each switch so that the switches can be interconnected. Configure SwitchA
and SwitchB as Level-1 devices to enable them to maintain less data.
Procedure
Step 1 Create VLANs and add corresponding interfaces to the VLANs.

The configurations of SwitchB, SwitchC, and SwitchD are similar to the configuration of
Step 2 Assign an IP address to each VLANIF interface.
Step 3 Run the IS-IS progress on each Switch, specify the network entity title, and configure the level.
[SwitchA] isis 1
[SwitchA-isis-1] is-level level-1
[SwitchA-isis-1] network-entity 10.0000.0000.0001.00
[SwitchA-isis-1] quit
[SwitchB] isis 1
[SwitchB-isis-1] is-level level-1
[SwitchB-isis-1] network-entity 10.0000.0000.0002.00
[SwitchB-isis-1] quit
[SwitchC] isis 1
[SwitchC-isis-1] network-entity 10.0000.0000.0003.00
[SwitchC-isis-1] quit
# Configure SwitchD.
[SwitchD] isis 1
[SwitchD-isis-1] is-level level-2
[SwitchD-isis-1] network-entity 20.0000.0000.0004.00
[SwitchD-isis-1] quit
Step 4 Enable the IS-IS progress on each interface.

[SwitchA-Vlanif10] isis enable 1
[SwitchB-Vlanif20] isis enable 1
[SwitchC-Vlanif10] isis enable 1

[SwitchD] interface vlanif 30

[SwitchD-Vlanif30] isis enable 1
[SwitchD-Vlanif30] quit

# View the IS-IS LSDB of each Switch.
[SwitchA] display isis lsdb
Database information for ISIS(1)

--------------------------------
Level-1 Link State Database
LSPID Seq Num Checksum Holdtime Length ATT/P/OL

-------------------------------------------------------------------------------
0000.0000.0001.00-00* 0x0000006e 0x953e 862 68 0/0/0
0000.0000.0002.00-00 0x0000006a 0xc015 766 68 0/0/0
0000.0000.0002.01-00 0x00000008 0xccb6 766 55 0/0/0
0000.0000.0003.00-00 0x00000086 0x529e 1155 111 1/0/0
0000.0000.0003.01-00 0x0000005e 0xf238 1155 55 0/0/0
*(In TLV)-Leaking Route, *(By LSPID)-Self LSP, +-Self LSP(Extended),

ATT-Attached, P-Partition, OL-Overload
[SwitchB] display isis lsdb

--------------------------------

-------------------------------------------------------------------------------
0000.0000.0001.00-00 0x0000006e 0x953e 899 68 0/0/0
0000.0000.0002.00-00* 0x0000006a 0xc015 808 68 0/0/0
0000.0000.0002.01-00* 0x00000008 0xccb6 808 55 0/0/0
0000.0000.0003.00-00 0x00000086 0x529e 1195 111 1/0/0
0000.0000.0003.01-00 0x0000005e 0xf238 1195 55 0/0/0

[SwitchC] display isis lsdb

--------------------------------

-------------------------------------------------------------------------------
0000.0000.0001.00-00 0x0000006e 0x953e 953 68 0/0/0
0000.0000.0002.00-00 0x0000006a 0xc015 859 68 0/0/0
0000.0000.0002.01-00 0x00000008 0xccb6 859 55 0/0/0
0000.0000.0003.00-00* 0x00000085 0x549d 937 111 1/0/0
0000.0000.0003.01-00* 0x0000005d 0xf437 937 55 0/0/0


-------------------------------------------------------------------------------
0000.0000.0003.00-00* 0x0000008a 0x513c 876 100 0/0/0

0000.0000.0004.00-00 0x00000063 0x48ad 761 84 0/0/0

0000.0000.0004.01-00 0x0000005b 0x3aef 761 55 0/0/0

[SwitchD] display isis lsdb

--------------------------------

-------------------------------------------------------------------------------
0000.0000.0003.00-00 0x0000008a 0x513c 901 100 0/0/0
0000.0000.0004.00-00* 0x00000063 0x48ad 789 84 0/0/0
0000.0000.0004.01-00* 0x0000005b 0x3aef 789 55 0/0/0

# View the IS-IS routing table of each Switch. A default route is available in the routing table
of the Level-1 devices and the next hop is a Level-1-2 device. The routing table of the Level-2
device contains all Level-1 and Level-2 routes.
[SwitchA] display isis route
Route information for ISIS(1)

-----------------------------
ISIS(1) Level-1 Forwarding Table

--------------------------------
IPV4 Destination IntCost ExtCost ExitInterface NextHop Flags

-------------------------------------------------------------------------------
0.0.0.0/0 10 NULL Vlanif10 10.1.1.1 A/-/-/-
192.168.0.0/24 20 NULL Vlanif10 10.1.1.1 A/-/-/-
10.1.1.0/24 10 NULL Vlanif10 Direct D/-/L/-
10.1.2.0/24 20 NULL Vlanif10 10.1.1.1 A/-/-/-
Flags: D-Direct, A-Added to URT, L-Advertised in LSPs, U-Up/Down Bit Set
[SwitchB] display isis route

-----------------------------

--------------------------------

-------------------------------------------------------------------------------
0.0.0.0/0 10 NULL Vlanif20 10.1.2.1 A/-/-/-
192.168.0.0/24 20 NULL Vlanif20 10.1.2.1 A/-/-/-
10.1.1.0/24 20 NULL Vlanif20 10.1.2.1 A/-/-/-
[SwitchC] display isis route

-----------------------------

--------------------------------

-------------------------------------------------------------------------------



--------------------------------

-------------------------------------------------------------------------------
172.16.1.0/24 20 NULL Vlanif30 192.168.0.2 A/-/-/-
[SwitchD] display isis route

-----------------------------

--------------------------------

-------------------------------------------------------------------------------
10.1.1.0/24 20 NULL Vlanif30 192.168.0.1 A/-/-/-
10.1.2.0/24 20 NULL Vlanif30 192.168.0.1 A/-/-/-
----End
Configuration Files
#
sysname SwitchA
#
vlan batch 10
#
isis 1
is-level level-1
network-entity 10.0000.0000.0001.00
#
interface Vlanif10
ip address 10.1.1.2 255.255.255.0
isis enable 1
#
#
return

#
sysname SwitchB
#
vlan batch 20
#
isis 1
is-level level-1
network-entity 10.0000.0000.0002.00
#
interface Vlanif20
ip address 10.1.2.2 255.255.255.0
isis enable 1
#

#
return

#
sysname SwitchC
#
vlan batch 10 20 30
#
isis 1
network-entity 10.0000.0000.0003.00
#
interface Vlanif10
ip address 10.1.1.1 255.255.255.0
isis enable 1
#
interface Vlanif20
ip address 10.1.2.1 255.255.255.0
isis enable 1
#
interface Vlanif30
ip address 192.168.0.1 255.255.255.0
isis enable 1
#
#
#
#
return

#
sysname SwitchD
#
vlan batch 30 40
#
isis 1
is-level level-2
network-entity 20.0000.0000.0004.00
#
interface Vlanif30
ip address 192.168.0.2 255.255.255.0
isis enable 1
#
interface Vlanif40
ip address 172.16.1.1 255.255.255.0
isis enable 1
#
#
#
Return

5.6.2 Example for Configuring IS-IS Route Aggregation
As shown in Figure 5-15, three switches run IS-IS to communicate with each other. SwitchA
is a Level-2 device, SwitchB is a Level-1-2 device, and SwitchC is a Level-1 device. SwitchA
is heavily loaded because there are too many routing entries on the IS-IS network. Therefore,
system resource consumption of SwitchA needs to be reduced.
Figure 5-15 Networking diagram for configuring IS-IS route aggregation
Eth0/0/2
Network1 VLANIF20
172.1.1.0/24 172.1.1.1/24
SwitchB
SwitchC Eth0/0/1 SwitchA
Eth0/0/3 Eth0/0/1 L1/L2
L1 VLANIF50 L2
VLANIF30 VLANIF10
172.1.2.1/24 172.1.4.2/24 172.2.1.1/24
Network2
172.1.2.0/24 Eth0/0/1 Eth0/0/2
VLANIF10 VLANIF50
172.1.4.1/24 172.2.1.2/24
Area20
Eth0/0/4 Area10
VLANIF40
Network3
172.1.3.1/24
172.1.3.0/24
1. Configure IP addresses for interfaces and enable IS-IS on each switch so that the switches
can be interconnected.
2. Configure route summarization on SwitchB to reduce the routing table size of SwitchA
without affecting data forwarding so that the system resource consumption of SwitchA can
be reduced.
Procedure


Step 3 Configure the basic IS-IS functions.
[SwitchA] isis 1
[SwitchB] isis 1
[SwitchC] isis 1
[SwitchC-isis-1] is-level level-1
The configurations of the VLANIF 20, VLANIF 30, and VLANIF 40 interfaces are similar to
the configuration of VLANIF 10, and are not mentioned here.
Step 4 Check the IS-IS routing table of SwitchA.
[SwitchA]display isis route

-----------------------------

--------------------------------

-------------------------------------------------------------------------
172.1.1.0/24 30 NULL Vlanif50 172.2.1.2 A/-/-/-
172.1.2.0/24 30 NULL Vlanif50 172.2.1.2 A/-/-/-
172.1.3.0/24 30 NULL Vlanif50 172.2.1.2 A/-/-/-
172.1.4.0/24 20 NULL Vlanif50 172.2.1.2 A/-/-/-
Step 5 Configure route aggregation on SwitchB.

# Aggregate 172.1.1.0/24, 172.1.2.0/24, 172.1.3.0./24, and 172.1.4.0/24 as 172.1.0.0/16 on
SwitchB.

[SwitchB] isis 1
[SwitchB-isis-1] summary 172.1.0.0 255.255.0.0 level-1-2

# Check the routing table of SwitchA, and you can find that 172.1.1.0/24, 172.1.2.0/24,
172.1.3.0./24 and 172.1.4.0/24 are aggregated as 172.1.0.0/16.

-----------------------------

--------------------------------

-------------------------------------------------------------------------
172.1.0.0/16 20 NULL Vlanif50 172.2.1.2 A/-/-/-
----End
Configuration Files
#
sysname SwitchA
#
vlan batch 50
#
isis 1
is-level level-2
network-entity 20.0000.0000.0001.00
#
interface Vlanif50
ip address 172.2.1.1 255.255.255.0
isis enable 1
#
#
return

#
sysname SwitchB
#
vlan batch 10 50
#
isis 1
network-entity 10.0000.0000.0002.00
summary 172.1.0.0 255.255.0.0 level-1-2
#
interface Vlanif10
ip address 172.1.4.2 255.255.255.0
isis enable 1
#
interface Vlanif50
ip address 172.2.1.2 255.255.255.0
isis enable 1
#


#
#
return

#
sysname SwitchC
#
vlan batch 10 20 30 40
#
isis 1
is-level level-1
network-entity 10.0000.0000.0003.00
#
interface Vlanif10
ip address 172.1.4.1 255.255.255.0
isis enable 1
#
interface Vlanif20
ip address 172.1.1.1 255.255.255.0
isis enable 1
#
interface Vlanif30
ip address 172.1.2.1 255.255.255.0
isis enable 1
#
interface Vlanif40
ip address 172.1.3.1 255.255.255.0
isis enable 1
#
#
#
#
#
return
5.6.3 Example for Configuring the DIS Election

As shown in Figure 5-16, four switches on the broadcast network communicate using IS-IS.
SwitchA and SwitchB are Level-1-2 devices, SwitchC is a Level-1 device, and SwitchD is a
Level-2 device. SwitchA with high performance needs to be configured as a Level-2 DIS.

Figure 5-16 Networking diagram for configuring the DIS election

SwitchA SwitchB
L1/L2 L1/L2
Eth0/0/1 Eth0/0/1
VLANIF10 VLANIF10
10.1.1.1/24 10.1.1.2/24
Eth0/0/1 Eth0/0/1
VLANIF10 VLANIF10
10.1.1.3/24 10.1.1.4/24
SwitchC SwitchD
L1 L2
1. Configure IS-IS to enable network interconnectivity.
2. Configure the DIS priority of Switch A to 100 so that SwitchA can be elected as a Level-2
DIS.
Procedure
Step 3 View the MAC address of the VLANIF 10 interface on each Switch.
# View the MAC address of the VLANIF 10 interface on SwitchA.
[SwitchA] display arp interface vlanif 10
IP ADDRESS MAC ADDRESS EXPIRE(M) TYPE INTERFACE VPN-INSTANCE
VLAN/CEVLAN PVC

------------------------------------------------------------------------------
10.1.1.1 00e0-fc10-afec I - Vlanif10
------------------------------------------------------------------------------
# View the MAC address of the VLANIF 10 interface on SwitchB.

[SwitchB] display arp interface vlanif 10
VLAN/CEVLAN PVC
------------------------------------------------------------------------------
10.1.1.2 00e0-fccd-acdf I - Vlanif10
------------------------------------------------------------------------------
# View the MAC address of the VLANIF 10 interface on SwitchC.

[SwitchC] display arp interface vlanif 10
VLAN/CEVLAN PVC
------------------------------------------------------------------------------
10.1.1.3 00e0-fc50-25fe I - Vlanif10
------------------------------------------------------------------------------
# View the MAC address of the VLANIF 10 interface on SwitchD.

[SwitchD] display arp interface vlanif 10
VLAN/CEVLAN PVC
------------------------------------------------------------------------------
10.1.1.4 00e0-fcfd-305c I - Vlanif10
------------------------------------------------------------------------------
Step 4 Configure the basic IS-IS functions.

[SwitchA] isis 1
[SwitchB] isis 1
[SwitchC] isis 1
[SwitchD] isis 1
[SwitchD-isis-1] network-entity 10.0000.0000.0004.00
[SwitchD-isis-1] is-level level-2
[SwitchD-isis-1] quit
# View information about the IS-IS neighbors of SwitchA.

[SwitchA] display isis peer
Peer information for ISIS(1)

System Id Interface Circuit Id State HoldTime Type
PRI
----------------------------------------------------------------------------------
---
0000.0000.0002 Vlanif10 0000.0000.0002.01 Up 9s L1(L1L2)
64
0000.0000.0003 Vlanif10 0000.0000.0002.01 Up 27s L1
64
0000.0000.0002 Vlanif10 0000.0000.0004.01 Up 28s L2(L1L2)
64
0000.0000.0004 Vlanif10 0000.0000.0004.01 Up 8s L2
64
Total Peer(s): 4
# View information about the IS-IS interface of SwitchA.

[SwitchA] display isis interface
Interface information for ISIS(1)

---------------------------------
Interface Id IPV4.State MTU Type DIS
Vlanif10 001 Up 1497 L1/L2 No/No
# View information about the IS-IS interface of SwitchB.

[SwitchB] display isis interface

---------------------------------
Vlanif10 001 Up 1497 L1/L2 Yes/No
# View information about the IS-IS interface of SwitchD.

[SwitchD] display isis interface

---------------------------------
Vlanif10 001 Up 1497 L1/L2 No/Yes
NOTE
When the default DIS priority is used, the interface on SwitchB has the greatest MAC address among all
the interfaces on the Level-1 Switches. Therefore, SwitchB is elected as the Level-1 DIS. The interface on
SwitchD has the greatest MAC address among all the interfaces on the Level-2 Switches. Therefore,
SwitchD is elected as the Level-2 DIS. The Level-1 pseudonode is 0000.0000.0002.01. The Level-2
pseudonode is 0000.0000.0004.01.
Step 5 Set the DIS priority of SwitchA.

[SwitchA-Vlanif10] isis dis-priority 100
# View information about the IS-IS neighbors of SwitchA.


PRI
----------------------------------------------------------------------------------
----
0000.0000.0002 Vlanif10 0000.0000.0001.01 Up 21s L1(L1L2)
64
0000.0000.0003 Vlanif10 0000.0000.0001.01 Up 27s L1
64
0000.0000.0002 Vlanif10 0000.0000.0001.01 Up 28s L2(L1L2)

64
0000.0000.0004 Vlanif10 0000.0000.0001.01 Up 30s L2
64
Total Peer(s): 4
# View information about the IS-IS interface of SwitchA.

[SwitchA] display isis interface

---------------------------------
Vlanif10 001 Up 1497 L1/L2 Yes/Yes
As shown in the output information, after the DIS priority of the IS-IS interface is changed,
SwitchA immediately becomes a Level-1 and Level-2 DIS and its pseudonode is
0000.0000.0001.01.
# View information about the IS-IS neighbors and IS-IS interfaces on SwitchB.
[SwitchB] display isis peer

PRI
----------------------------------------------------------------------------------
----
0000.0000.0001 Vlanif10 0000.0000.0001.01 Up 7s L1(L1L2)
100
0000.0000.0003 Vlanif10 0000.0000.0001.01 Up 25s L1
64
0000.0000.0001 Vlanif10 0000.0000.0001.01 Up 7s L2(L1L2)
100
0000.0000.0004 Vlanif10 0000.0000.0001.01 Up 25s L2
64
Total Peer(s): 4
[SwitchB] display isis interface

---------------------------------
# View information about the IS-IS neighbors and IS-IS interfaces on SwitchD.
[SwitchD] display isis peer

PRI
----------------------------------------------------------------------------------
----
0000.0000.0001 Vlanif10 0000.0000.0001.01 Up 9s L2
100
0000.0000.0002 Vlanif10 0000.0000.0001.01 Up 28s L2 64
Total Peer(s): 2
[SwitchD] display isis interface

---------------------------------
----End

Configuration Files
#
sysname SwitchA
#
vlan batch 10
#
isis 1
network-entity 10.0000.0000.0001.00
#
interface Vlanif10
ip address 10.1.1.1 255.255.255.0
isis enable 1
isis dis-priority 100
#
#
return

#
sysname SwitchB
#
vlan batch 10
#
isis 1
network-entity 10.0000.0000.0002.00
#
interface Vlanif10
ip address 10.1.1.2 255.255.255.0
isis enable 1
#
#
return

#
sysname SwitchC
#
vlan batch 10
#
isis 1
is-level level-1
network-entity 10.0000.0000.0003.00
#
interface Vlanif10
ip address 10.1.1.3 255.255.255.0
isis enable 1
#
#
return

#
sysname SwitchD
#
vlan batch 10
#
isis 1
is-level level-2
network-entity 10.0000.0000.0004.00

#
interface Vlanif10
ip address 10.1.1.4 255.255.255.0
isis enable 1
#
#
return
5.6.4 Example for Configuring IS-IS Load Balancing

As shown in Figure 5-17, switches run IS-IS to implement IP interworking. Congestion of the
network from SwitchA to destination address 172.17.1.0/24 needs to be relieved to improve
network resource efficiency.
Figure 5-17 Networking diagram for configuring IS-IS load balancing
Eth0/0/1 Eth0/0/2
VLANIF10 VLANIF30
10.1.1.2/24 192.168.0.1/24
Eth0/0/1 SwitchB Eth0/0/1
VLANIF10 L2 VLANIF30
Eth0/0/3 10.1.1.1/24 192.168.0.2/24 Eth0/0/3
VLANIF50 VLANIF60
172.16.1.1/24 SwitchA Area 10 SwitchD 172.17.1.1/24
L2 L2
Eth0/0/2 Eth0/0/2
VLANIF20 VLANIF40
SwitchC 192.168.1.2/24
10.1.2.1/24
L2 Eth0/0/2
Eth0/0/1
VLANIF20 VLANIF40
10.1.2.2./24 192.168.1.1/24
1. Configure basic IS-IS functions on each switch to implement IP interworking.
2. Configure load balancing to balance traffic from SwitchA to SwitchD between SwitchB
and SwitchC.
Procedure



Step 3 Configure basic IS-IS functions.
[SwitchA] isis 1
Step 4 Set the number of equal-cost routes for load balancing to 1 on SwitchA.
[SwitchA] isis 1
[SwitchA-isis-1] maximum load-balancing 1
# View the routing table of SwitchA.


-----------------------------

--------------------------------

-------------------------------------------------------------------------
192.168.1.0/24 20 NULL Vlanif20 10.1.2.2 A/-/-/-
172.17.1.0/24 30 NULL Vlanif10 10.1.1.2 A/-/-/-


192.168.0.0/24 20 NULL Vlanif10 10.1.1.2 A/-/-/-
As shown in the routing table, when the maximum number of equal-cost routes for load balancing
is set to 1, IS-IS selects 10.1.1.2 as the next hop to the destination network 172.17.1.0. This is
because SwitchB has a smaller system ID.
Step 5 Restore the default number of equal-cost routes for load balancing on SwitchA.
[SwitchA] isis 1
[SwitchA-isis-1] undo maximum load-balancing


-----------------------------

--------------------------------

-------------------------------------------------------------------------
192.168.1.0/24 20 NULL Vlanif20 10.1.2.2 A/-/-/-
172.17.1.0/24 30 NULL Vlanif10 10.1.1.2 A/-/-/-
Vlanif20 10.1.2.2
192.168.0.0/24 20 NULL Vlanif10 10.1.1.2 A/-/-/-
As shown in the routing table, the number of equal-cost routes for load balancing is restored to
the default value 4. Both the next hops of SwitchA, 10.1.1.2 (SwitchB) and 10.1.2.2 (SwitchC)
now become valid.
Step 6 (Optional) Set the preference for equal-cost routes on SwitchA.

[SwitchA] isis
[SwitchA-isis-1] nexthop 10.1.2.2 weight 1

-----------------------------

--------------------------------

--------------------------------------------------------------------------------
192.168.1.0/24 20 NULL Vlanif20 10.1.2.2 A/-/-/-
172.17.1.0/24 30 NULL Vlanif20 10.1.2.2 A/-/-/-
192.168.0.0/24 20 NULL Vlanif10 10.1.1.2 A/-/-/-

As shown in the routing table, the preference of the next hop 10.1.2.2 (SwitchC) with the weight
as 1, is higher than that of 10.1.1.2 (SwitchB), after the weight is set for equal-cost routes.
Therefore, IS-IS selects route with the next hop 10.1.2.2 as the optimal route.
----End
Configuration Files
#
sysname SwitchA
#
vlan batch 10 20 50
#
isis 1
is-level level-2
network-entity 10.0000.0000.0001.00
nexthop 10.1.2.2 weight 1
#
interface Vlanif10
ip address 10.1.1.1 255.255.255.0
isis enable 1
#
interface Vlanif20
ip address 10.1.2.1 255.255.255.0
isis enable 1
#
interface Vlanif50
ip address 172.16.1.1 255.255.255.0
isis enable 1
#
#
#
#
return

#
sysname SwitchB
#
vlan batch 10 30
#
isis 1
is-level level-2
network-entity 10.0000.0000.0002.00
#
interface Vlanif10
ip address 10.1.1.2 255.255.255.0
isis enable 1
#
interface Vlanif30
ip address 192.168.0.1 255.255.255.0
isis enable 1
#
#


#
return

#
sysname SwitchC
#
vlan batch 20 40
#
isis 1
is-level level-2
network-entity 10.0000.0000.0003.00
#
interface Vlanif20
ip address 10.1.2.2 255.255.255.0
isis enable 1
#
interface Vlanif40
ip address 192.168.1.1 255.255.255.0
isis enable 1
#
#
#
return

#
sysname SwitchD
#
vlan batch 30 40 60
#
isis 1
is-level level-2
network-entity 10.0000.0000.0004.00
#
interface Vlanif30
ip address 192.168.0.2 255.255.255.0
isis enable 1
#
interface Vlanif40
ip address 192.168.1.2 255.255.255.0
isis enable 1
#
interface Vlanif60
ip address 172.17.1.1 255.255.255.0
isis enable 1
#
#
#
#
return

5.6.5 Example for Configuring Static BFD for IS-IS

As shown in Figure 5-18, three routers are interconnected using IS-IS, and SwitchA and SwitchB
communicate with each other through a Layer 2 switch. When the link between SwitchA and
SwitchB is faulty, the two routers need to rapidly respond to the fault and reestablish a neighbor
relationship.
Figure 5-18 Networking diagram of configuring static BFD for IS-IS

Eth0/0/1 Eth0/0/1 Eth0/0/2
100.1.1.1/24 100.1.1.2/24 100.2.1.1/24
Eth0/0/1
SwitchA SwitchB VLANIF30 SwitchC
100.2.1.2/24
NOTE
BFD for IS-IS cannot be used to detect the multi-hop link between SwitchA and SwitchC, because the IS-
IS neighbor relationship cannot be established between SwitchA and SwitchC.
1. Configure IP addresses for interfaces and enable IS-IS on each router to ensure reachable
routes between the routers.
2. Enable static BFD for IS-IS on SwitchA and SwitchB so that routers can rapidly detect link
faults.
Procedure
Step 1 Configure VLANs that each interface belongs to.
Step 2 Assign the IP addresses for VLANIF interfaces.


[SwitchA] isis 1
[SwitchA-isis-1] network-entity aa.1111.1111.1111.00
[SwitchB] isis 1
[SwitchB-isis-1] network-entity aa.2222.2222.2222.00
[SwitchC] isis 1
[SwitchC-isis-1] network-entity aa.3333.3333.3333.00
# After the preceding configurations, you can see that the neighbor relationship is established
between SwitchA and SwitchB.
System Id Interface Circuit Id State HoldTime Type PRI
-----------------------------------------------------------------------------
2222.2222.2222 Vlanif10 2222.2222.2222.01 Up 23s L2 64
The IS-IS routing table of SwitchA contains the routes to SwitchB and SwitchC.
-----------------------------
--------------------------------
-------------------------------------------------------------------------
100.2.1.0/24 20 NULL Vlanif10 100.1.1.2 A/-/L/-
Step 4 Configure BFD.

# Enable BFD on SwitchA and configure a BFD session.
[SwitchA] bfd
[SwitchA-bfd] quit
[SwitchA] bfd atob bind peer-ip 100.1.1.2 interface vlanif 10
[SwitchA-bfd-session-atob] discriminator local 1
[SwitchA-bfd-session-atob] discriminator remote 2
[SwitchA-bfd-session-atob] commit
[SwitchA-bfd-session-atob] quit
# Enable BFD on SwitchB and configure a BFD session.

[SwitchB] bfd
[SwitchB-bfd] quit
[SwitchB] bfd btoa bind peer-ip 100.1.1.1 interface vlanif 10
[SwitchB-bfd-session-btoa] discriminator local 2
[SwitchB-bfd-session-btoa] discriminator remote 1
[SwitchB-bfd-session-btoa] commit
[SwitchB-bfd-session-btoa] quit
After the preceding configurations, run the display bfd session command on SwitchA or
SwitchB, and you can see that the status of the BFD session is Up.
The following uses the display on SwitchA as an an example.

------------------------------------------------------------------------
------------------------------------------------------------------------
1 2 100.1.1.2 Up S_IP_IF Vlanif10
------------------------------------------------------------------------
Step 5 Enable IS-IS fast detect.
[SwitchA-Vlanif10] isis bfd static
[SwitchB-Vlanif10] isis bfd static
# Enable log information display on SwitchA.

[SwitchA] info-center source bfd channel 1 log level debugging state on
[SwitchA] quit
<SwitchA> debugging isis circuit-information
<SwitchA> terminal logging
# Run the shutdown command on Ethernet0/0/1 on SwitchB to simulate a link fault.

# On SwitchA, you can view the following log and debugging information, which indicates that
IS-IS deletes the neighbor relationship with SwitchB after being notified by BFD of the fault.
Sep 12 2007 11:32:18 RT2 %%01ISIS/4/PEER_DOWN_BFDDOWN(l): IS-IS process id 1 nei
ghbor 2222.2222.2222 is down on the interface Vlanif10 because BFD node is Down.
The last Hello packet is received at 11:32:10. The maximum interval for sending
Hello packets is 9247. The local router sends 426 Hello packets and receives 61
Hello packets. The Hello packet type is Lan Level-2.
*0.481363988 RT2 ISIS/6/ISIS:
ISIS-1-FastSense: Deleting Neighbour by IP Address 100.1.1.2 On Vlanif10(IS01_1048)
Run the display isis route command or the display isis peer command on SwitchA, and you
can see that no information is displayed. This indicates that the IS-IS neighbor relationship
between SwitchA and SwitchB is deleted.
----End

Configuration Files
#
sysname SwitchA
#
vlan batch 10
#
info-center source BFD channel 1 log level debugging
#
bfd
#
isis 1
is-level level-2
network-entity aa.1111.1111.1111.00
#
interface Vlanif10
ip address 100.1.1.1 255.255.255.0
isis enable 1
isis bfd static
#
bfd atob bind peer-ip 100.1.1.2 interface Vlanif10
commit
#
#
return

#
sysname SwitchB
#
vlan batch 10 30
#
bfd
#
isis 1
is-level level-2
#
interface Vlanif10
ip address 100.1.1.2 255.255.255.0
isis enable 1
isis bfd static
#
interface Vlanif30
ip address 100.2.1.1 255.255.255.0
isis enable 1
#
bfd btoa bind peer-ip 100.1.1.1 interface Vlanif10
commit
#
#
#
return

#
sysname SwitchC
#
vlan batch 30
#
isis 1
is-level level-2
#
interface Vlanif30
ip address 100.2.1.2 255.255.255.0
isis enable 1
#
#
return
5.6.6 Example for Configuring Dynamic BFD for IS-IS
As shown in Figure 5-19, three routers are interconnected using IS-IS, and SwitchA and SwitchB
communicate with each other through a Layer 2 switch. When the link that passes through the
switch between SwitchA and SwitchB fails, the two routers need to rapidly respond to the fault,
and traffic can be switched to the link that passes through SwitchC for forwarding.
Figure 5-19 Networking diagram of configuring dynamic BFD for IS-IS

Eth0/0/2 Eth0/0/2 Eth0/0/3
SwitchA VLANIF20 VLANIF20 SwitchB VLANIF40
3.3.3.1/24 3.3.3.2/24 172.16.1.1/24
Eth0/0/1 Eth0/0/1
VLANIF10 VLANIF50
1.1.1.1/24 2.2.2.2/24
Eth0/0/1 Eth0/0/2
VLANIF10 VLANIF50
1.1.1.2/24 2.2.2.1/24
SwitchC
1. Configure IP addresses for interfaces and enable IS-IS on each router to ensure reachable
routes between the routers.
2. Set the IS-IS interface cost to control route selection of the routers to make the link that
passes through the switch from SwitchA to SwitchB as the primary link and the link that
passes through SwitchC as the backup link.

3. Configure dynamic BFD for IS-IS on SwitchA, SwitchB, and SwitchC so that link faults
can be detected rapidly and traffic can be switched to the backup link for forwarding.
Procedure
Step 1 Configure VLANs that each interface belongs to.
Step 2 Assign the IP addresses for VLANIF interfaces.
[SwitchA] isis
[SwitchA] interface vlanif10
[SwitchB] isis
[SwitchC] isis


# After the preceding configurations, run the display isis peer command. You can see that the
neighbor relationships are established between SwitchA and SwitchB, and between SwitchA
and SwitchC. The following uses the configuration of SwitchA as an example.
----------------------------
System Id Interface Circuit Id State HoldTime Type PRI
0000.0000.0002 Vlanif20 0000.0000.0002.01 Up 9s L2 64
0000.0000.0003 Vlanif10 0000.0000.0001.02 Up 21s L2 64
Total Peer(s): 2
# Switchs have learned routes from each other. The following uses the routing table of
SwitchA as an example.
Route Flags: R - relied, D - download to fib
------------------------------------------------------------------------------

1.1.1.0/24 Direct 0 0 D 1.1.1.1 Vlanif10
2.2.2.0/24 ISIS-L2 15 20 D 3.3.3.2 Vlanif20
ISIS-L2 15 20 D 1.1.1.2 Vlanif10
3.3.3.0/24 Direct 0 0 D 3.3.3.1 Vlanif20
172.16.1.0/24 ISIS-L2 15 20 D 3.3.3.2 Vlanif20
As shown in the routing table, the next-hop address of the route to 172.16.1.0/24 is 3.3.3.2, and
traffic is transmitted on the primary link SwitchA→SwitchB.
Step 4 Set the interface cost.
[SwitchA-Vlanif20] isis cost 5
[SwitchB-Vlanif20] isis cost 5
Step 5 Configure BFD for IS-IS processes.

# Enable BFD for IS-IS on SwitchA.
[SwitchA] bfd
[SwitchA-bfd] quit
[SwitchA] isis
[SwitchA-isis-1] bfd all-interfaces enable
# Enable BFD for IS-IS on SwitchB.

[SwitchB] bfd
[SwitchB-bfd] quit
[SwitchB] isis
[SwitchB-isis-1] bfd all-interfaces enable
# Enable BFD for IS-IS on SwitchC.

[SwitchC] bfd
[SwitchC-bfd] quit
[SwitchC] isis
[SwitchC-isis-1] bfd all-interfaces enable
# After the preceding configurations, run the display isis bfd session all command on SwitchA,
SwitchB, and SwitchC. You can see that the BFD session status is Up.
The following uses the display on SwitchA as an example.
[SwitchA] display isis bfd session all
BFD session information for ISIS(1)

-----------------------------------
Peer System ID : 0000.0000.0002 Interface : Vlanif20

TX : 1000 BFD State : up Peer IP Address : 3.3.3.2
RX : 1000 LocDis : 8192 Local IP Address: 3.3.3.1
Multiplier : 3 RemDis : 8192 Type : L2
Diag : No diagnostic information

Total BFD session(s): 2
As shown in the preceding display, the status of the BFD session between SwitchA and
SwitchB and that between SwitchA and SwitchC is Up.
Step 6 Configure BFD for IS-IS interfaces.
# Configure BFD on VLANIF20 of SwitchA, set the minimum interval for sending packets to
100 ms, the minimum interval for receiving packets to 100 ms, and the local detection multiplier
to 4.
[SwitchA-Vlanif20] isis bfd enable
[SwitchA-Vlanif20] isis bfd min-tx-interval 100 min-rx-interval 100 detect-
multiplier 4
# Configure BFD on VLANIF20 of SwitchB, set the minimum interval for sending packets to
100 ms, the minimum interval for receiving packets to 100 ms, and the local detection multiplier
to 4.
[SwitchB] bfd
[SwitchB-bfd] quit
[SwitchB-Vlanif20] isis bfd enable
[SwitchB-Vlanif20] isis bfd min-tx-interval 100 min-rx-interval 100 detect-
multiplier 4
# After the preceding configurations, run the display isis bfd session all command on SwitchA
or SwitchB. You can see that the BFD parameters have taken effect. The following uses the
display on SwitchB as an example.

[SwitchB] display isis bfd session all

-----------------------------------



# Run the shutdown command on Ethernet0/0/2 of SwitchB to simulate a primary link failure.
Step 8 # View the routing table of SwitchA.

------------------------------------------------------------------------------
1.1.1.0/24 Direct 0 0 D 1.1.1.1 Vlanif10
2.2.2.0/24 ISIS-L2 15 20 D 1.1.1.2 Vlanif10
172.16.1.0/24 ISIS-L2 15 30 D 1.1.1.2 Vlanif10
As shown in the routing table, the backup link SwitchA→SwitchC→SwitchB takes effect after
the primary link fails, and the next-hop address of the route to 172.16.1.0/24 becomes 1.1.1.2.
# Run the display isis bfd session all command on SwitchA. You can see that the status of the
BFD session between SwitchA and SwitchC is Up.
[SwitchA] display isis bfd session all

-----------------------------------

----End
Configuration Files
#
sysname SwitchA
#

vlan batch 10 20
#
bfd
#
isis 1
is-level level-2
bfd all-interfaces enable
network-entity 10.0000.0000.0001.00
#
interface Vlanif10
ip address 1.1.1.1 255.255.255.0
isis enable 1
#
interface Vlanif20
ip address 3.3.3.1 255.255.255.0
isis enable 1
isis cost 5
isis bfd enable
isis bfd min-tx-interval 100 min-rx-interval 100 detect-multiplier 4
#
#
#
return

#
sysname SwitchB
#
vlan batch 20 40 50
#
bfd
#
isis 1
is-level level-2
network-entity 10.0000.0000.0002.00
#
interface Vlanif50
ip address 2.2.2.2 255.255.255.0
isis enable 1
#
interface Vlanif20
ip address 3.3.3.2 255.255.255.0
isis enable 1
isis cost 5
isis bfd enable
isis bfd min-tx-interval 100 min-rx-interval 100 detect-multiplier 4
#
interface Vlanif40
ip address 172.16.1.1 255.255.255.0
isis enable 1
#
#
#

#
return

#
sysname SwitchC
#
vlan batch 10 50
#
bfd
#
isis 1
is-level level-2
network-entity 10.0000.0000.0003.00
#
interface Vlanif10
ip address 1.1.1.2 255.255.255.0
isis enable 1
#
interface Vlanif50
ip address 2.2.2.1 255.255.255.0
isis enable 1
#
#
#
return
5.7 BGP Configuration

The Border Gateway Protocol (BGP) is used between Autonomous Systems (ASs) to transmit
routing information. BGP applies to large and complex networks.
5.7.1 Example for Configuring Basic BGP Functions

As shown in Figure 5-20, BGP runs between Switches; an EBGP connection is established
between SwitchA and SwitchB; IBGP full-mesh connections are established between SwitchB,
SwitchC, and SwitchD.

Figure 5-20 Networking diagram for configuring basic BGP functions

SwitchC
Eth0/0/1
VLANIF20
9.1.3.2/24
Eth0/0/2 Eth0/0/2
VLANIF50 VLANIF20 Eth0/0/2
Eth0/0/1 9.1.3.1/24
8.1.1.1/8 VLANIF10 VLANIF40
200.1.1.1/24 9.1.2.1/24
AS65009
Eth0/0/1 SwitchB Eth0/0/2
SwitchA VLANIF10 Eth0/0/3 VLANIF40
200.1.1.2/24 VLANIF30 9.1.2.2/24
9.1.1.1/24
AS65008 Eth0/0/1
VLANIF30
9.1.1.2/24 SwitchD
1. Configure IBGP connections between SwitchB, SwitchC, and SwitchD.
2. Configure an EBGP connection between SwitchA and SwitchB.
Procedure
Step 1 Create VLANs and add interfaces to the corresponding VLANs.
The configurations of SwitchB, SwitchC, and SwitchD are the same as the configuration of
The configurations of SwitchB, SwitchC, and SwitchD are the same as the configuration of
Step 3 Configure IBGP connections.
[SwitchB] bgp 65009
[SwitchB-bgp] router-id 2.2.2.2

[SwitchB-bgp] peer 9.1.1.2 as-number 65009

[SwitchC] bgp 65009
[SwitchC-bgp] router-id 3.3.3.3
[SwitchC-bgp] peer 9.1.3.1 as-number 65009
[SwitchC-bgp] quit
[SwitchD] bgp 65009
[SwitchD-bgp] router-id 4.4.4.4
[SwitchD-bgp] peer 9.1.1.1 as-number 65009
[SwitchD-bgp] peer 9.1.2.1 as-number 65009
[SwitchD-bgp] quit
Step 4 Configure EBGP connections.

[SwitchA] bgp 65008
[SwitchA-bgp] router-id 1.1.1.1
[SwitchA-bgp] peer 200.1.1.1 as-number 65009
[SwitchB] bgp 65009
[SwitchB-bgp] quit
# Check the status of BGP connections.

[SwitchB] display bgp peer
BGP local router ID : 2.2.2.2

Local AS number : 65009
Total number of peers : 3 Peers in established state : 3
Peer V AS MsgRcvd MsgSent OutQ Up/Down State PrefRcv
9.1.1.2 4 65009 49 62 0 00:44:58 Established 0

9.1.3.2 4 65009 56 56 0 00:40:54 Established 0
200.1.1.2 4 65008 49 65 0 00:44:03 Established 1
You can view that the BGP connections between SwitchB and all the other Switches are set up.
Step 5 Configure SwitchA to advertise route 8.0.0.0/8.
# Configure SwitchA to advertise routes.
[SwitchA] bgp 65008
[SwitchA-bgp] ipv4-family unicast
[SwitchA-bgp-af-ipv4] network 8.0.0.0 255.0.0.0
[SwitchA-bgp-af-ipv4] quit
[SwitchA-bgp] quit

[SwitchA] display bgp routing-table
Total Number of Routes: 1

BGP Local router ID is 1.1.1.1
Status codes: * - valid, > - best, d - damped,
h - history, i - internal, s - suppressed, S - Stale
Origin : i - IGP, e - EGP, ? - incomplete
Network NextHop MED LocPrf PrefVal Path/Ogn

*> 8.0.0.0 0.0.0.0 0 0 i
# Check the routing table of SwitchB.

[SwitchB] display bgp routing-table

*> 8.0.0.0 200.1.1.2 0 0 65008i

[SwitchC] display bgp routing-table

i 8.0.0.0 200.1.1.2 0 100 0 65008i
According to the routing table, you can view that SwitchC has learned the route to the destination
8.0.0.0 in AS 65008, but the next hop 200.1.1.2 is unreachable. Therefore, this route is invalid.
Step 6 Configure BGP to import direct routes.
[SwitchB] bgp 65009
[SwitchB-bgp] ipv4-family unicast
[SwitchB-bgp-af-ipv4] import-route direct
[SwitchB-bgp-af-ipv4] quit
[SwitchB-bgp] quit
# Check the BGP routing table of SwitchA.


*> 8.0.0.0 0.0.0.0 0 0 i

*> 9.1.1.0/24 200.1.1.1 0 0 65009?
*> 9.1.3.0/24 200.1.1.1 0 0 65009?
200.1.1.0 200.1.1.1 0 0 65009?

[SwitchC] display bgp routing-table


*>i 8.0.0.0 200.1.1.2 0 100 0 65008i

*>i 9.1.1.0/24 9.1.3.1 0 100 0 ?
i 9.1.3.0/24 9.1.3.1 0 100 0 ?
*>i 200.1.1.0 9.1.3.1 0 100 0 ?
You can view that the route destined for 8.0.0.0 becomes valid, and the next hop is the address
of SwitchA.
# Perform the ping operation to verify the configuration.
[SwitchC] ping 8.1.1.1

0.00% packet loss
----End
Configuration Files
#
sysname SwitchA
#
vlan batch 10 50
#
interface Vlanif10
ip address 200.1.1.2 255.255.255.0
#
interface Vlanif50
ip address 8.1.1.1 255.0.0.0
#
#
#
bgp 65008
router-id 1.1.1.1
peer 200.1.1.1 as-number 65009
#
ipv4-family unicast
undo synchronization
network 8.0.0.0
peer 200.1.1.1 enable
#
return

#
sysname SwitchB
#
vlan batch 10 20 30
#
interface Vlanif10
ip address 200.1.1.1 255.255.255.0
#

interface Vlanif20
ip address 9.1.3.1 255.255.255.0
#
interface Vlanif30
ip address 9.1.1.1 255.255.255.0
#
#
#
#
bgp 65009
router-id 2.2.2.2
#
ipv4-family unicast
import-route direct
peer 9.1.1.2 enable
peer 9.1.3.2 enable
#
return
#
sysname SwitchC
#
vlan batch 20 40
#
interface Vlanif20
ip address 9.1.3.2 255.255.255.0
#
interface Vlanif40
ip address 9.1.2.1 255.255.255.0
#
#
#
bgp 65009
router-id 3.3.3.3
#
ipv4-family unicast
peer 9.1.2.2 enable
peer 9.1.3.1 enable
#
return
#
sysname SwitchD
#
vlan batch 30 40

#
interface Vlanif30
ip address 9.1.1.2 255.255.255.0
#
interface Vlanif40
ip address 9.1.2.2 255.255.255.0
#
#
#
bgp 65009
router-id 4.4.4.4
#
ipv4-family unicast
peer 9.1.1.1 enable
peer 9.1.2.1 enable
#
return
5.7.2 Example for Configuring BGP to Interact With an IGP
The network shown in Figure 5-21 is divided into AS 65008 and AS 65009. In AS 65009, an
IGP is used to calculate routes. In this example, OSPF is used as an IGP. The two ASs need to
communicate with each other.
Figure 5-21 Networking diagram for configuring BGP to interact with an IGP
Eth0/0/2 Eth0/0/2
VLANIF30 Eth0/0/1 Eth0/0/1 VLANIF40
8.1.1.1/24 VLANIF10 VLANIF20 9.1.2.1/24
3.1.1.1/24 9.1.1.2/24
Eth0/0/1 Eth0/0/2
Switch A VLANIF10 Switch B VLANIF20 Switch C
3.1.1.2/24 9.1.1.1/24
AS65008 AS65009
1. Configure OSPF on SwitchB and SwitchC so that these devices can access each other.
2. Establish an EBGP connection between SwitchA and SwitchB so that these devices can
exchange routing information.
3. Configure BGP and OSPF to import routes from each other on SwitchB so that the two
ASs can communicate with each other.

4. (Optional) Configure BGP route summarization on SwitchB to simplify the BGP routing
table.
Procedure
The configurations of SwitchB and SwitchC are the same as the configuration of SwitchA, and

Step 3 Configure OSPF.
[SwitchB] ospf 1
[SwitchC] ospf 1
Step 4 Configure an EBGP connection.
[SwitchA] bgp 65008
[SwitchA-bgp-af-ipv4] network 8.1.1.0 255.255.255.0
[SwitchA-bgp] quit

[SwitchB] bgp 65009

Step 5 Configure BGP to interact with an IGP.

# On SwitchB, configure BGP to import OSPF routes.
[SwitchB-bgp-af-ipv4] import-route ospf 1
[SwitchB-bgp] quit



*> 8.1.1.0/24 0.0.0.0 0 0 i
*> 9.1.1.0/24 3.1.1.1 0 0 65009?
*> 9.1.2.0/24 3.1.1.1 2 0 65009?
# On SwitchB, configure OSPF to import BGP routes.

[SwitchB] ospf
[SwitchB-ospf-1] import-route bgp

[SwitchC] display ip routing-table
------------------------------------------------------------------------------
8.1.1.0/24 O_ASE 150 1 D 9.1.1.1 Vlanif20

9.1.1.0/24 Direct 0 0 D 9.1.1.2 Vlanif20
9.1.2.0/24 Direct 0 0 D 9.1.2.1 Vlanif40
Step 6 Configure automatic aggregation.

[SwitchB] bgp 65009
[SwitchB-bgp-af-ipv4] summary automatic
[SwitchB-bgp] quit
# Check the BGP routing table of SwitchA.



*> 8.1.1.0/24 0.0.0.0 0 0 i

*> 9.0.0.0 3.1.1.1 0 65009?
# Perform the ping operation to verify the configuration.

[SwitchA] ping -a 8.1.1.1 9.1.2.1
0.00% packet loss
----End
Configuration Files
#
sysname SwitchA
#
vlan batch 10 30
#
interface Vlanif10
ip address 3.1.1.2 255.255.255.0
#
interface Vlanif30
ip address 8.1.1.1 255.255.255.0
#
#
#
bgp 65008
router-id 1.1.1.1
#
ipv4-family unicast
network 8.1.1.0 255.255.255.0
peer 3.1.1.1 enable
#
return

#
sysname SwitchB
#
vlan batch 10 20
#
interface Vlanif10
ip address 3.1.1.1 255.255.255.0
#
interface Vlanif20
ip address 9.1.1.1 255.255.255.0

#
#
#
bgp 65009
router-id 2.2.2.2
#
ipv4-family unicast
summary automatic
import-route ospf 1
peer 3.1.1.2 enable
#
ospf 1
import-route bgp
area 0.0.0.0
network 9.1.1.0 0.0.0.255
#
return

#
sysname SwitchC
#
vlan batch 20 40
#
interface Vlanif20
ip address 9.1.1.2 255.255.255.0
#
interface Vlanif40
ip address 9.1.2.1 255.255.255.0
#
#
#
ospf 1
area 0.0.0.0
network 9.1.1.0 0.0.0.255
network 9.1.2.0 0.0.0.255
#
return
5.7.3 Example for Configuring MED Attributes to Control BGP

Route Selection
As shown in Figure 5-22, BGP is configured on all switches; Switch A resides in AS 65008;
Switch B and Switch C reside in AS 65009. EBGP connections are established between
Switch A and Switch B, and between Switch A and Switch C. An IBGP connection is established
between Switch B and Switch C. After a period, traffic from AS 65008 to AS 65009 needs to
first pass through SwitchC.

Figure 5-22 Networking diagram for configuring MED attributes of routes to control route
selection
Eth0/0/1
VLANIF10
200.1.1.1/24
SwitchB
Eth0/0/1 EBGP
VLANIF10 Eth0/0/2
AS 65008 200.1.1.2/24 VLANIF30
AS 65009 9.1.1.1/24
SwitchA IBGP
Eth0/0/2
Eth0/0/2
VLANIF30
VLANIF20
EBGP 9.1.1.2/24
200.1.2.2/24
SwitchC
Eth0/0/1
VLANIF20
200.1.2.1/24
1. Establish EBGP connections between SwitchA and SwitchB and between SwitchA and
SwitchC, and establish an IBGP connection between SwitchB and SwitchC.
2. Apply a routing policy to increase the MED value of the route sent by SwitchB to
SwitchA so that SwitchA will send traffic to AS 65009 through SwitchC.
Procedure
[SwitchA-Ethernet0/0/2]port hybrid pvid vlan 20
[SwitchA-Ethernet0/0/2]port hybrid untagged vlan 20


Step 3 Establish an BGP connection.

[SwitchA] bgp 65008
[SwitchA-bgp] quit
[SwitchB] bgp 65009
[SwitchB-bgp-af-ipv4] network 9.1.1.0 255.255.255.0
[SwitchB-bgp] quit
[SwitchC] bgp 65009
[SwitchC-bgp] router-id 3.3.3.3
[SwitchC-bgp] ipv4-family unicast
[SwitchC-bgp-af-ipv4] network 9.1.1.0 255.255.255.0
[SwitchC-bgp-af-ipv4] quit
[SwitchC-bgp] quit


*> 9.1.1.0/24 200.1.1.1 0 0 65009i

* 200.1.2.1 0 0 65009i
According to the routing table, you can view that there are two valid routes destined for
9.1.1.0/24. The route whose next hop is 200.1.1.1 is the optimal route because the router ID of
SwitchB is smaller.
Step 4 Configure load balancing.
[SwitchA] bgp 65008
[SwitchA-bgp-af-ipv4] maximum load-balancing 2
[SwitchA-bgp] quit



*> 9.1.1.0/24 200.1.1.1 0 0 65009i

*> 200.1.2.1 0 0 65009i
According to the routing table, you can view that the BGP route 9.1.1.0/24 has two next hops
that are 200.1.1.1 and 200.1.2.1. Both of them are optimal routes.
Step 5 Set the MED.
# Set the MED sent from SwitchB to SwitchA through the policy.
[SwitchB] route-policy 10 permit node 10
[SwitchB-route-policy] apply cost 100
[SwitchB-route-policy] quit
[SwitchB] bgp 65009
[SwitchB-bgp] peer 200.1.1.2 route-policy 10 export


*> 9.1.1.0/24 200.1.2.1 0 0 65009i

* 200.1.1.1 100 0 65009i
According to the routing table, you can view that the MED of the next hop 200.1.1.1 (SwitchB)
is 100, and that of the next hop 200.1.2.1 is 0. Therefore, the route with the smaller MED is
selected.
----End
Configuration Files
#
sysname SwitchA
#
vlan batch 10 20
#
interface Vlanif10
ip address 200.1.1.2 255.255.255.0
#
interface Vlanif20
ip address 200.1.2.2 255.255.255.0
#
#
#
bgp 65008
router-id 1.1.1.1
#

ipv4-family unicast
maximum load-balancing 2
#
return
#
sysname SwitchB
#
vlan batch 10 30
#
interface Vlanif10
ip address 200.1.1.1 255.255.255.0
#
interface Vlanif30
ip address 9.1.1.1 255.255.255.0
#
#
#
bgp 65009
router-id 2.2.2.2
#
ipv4-family unicast
default med 100
network 9.1.1.0 255.255.255.0
peer 9.1.1.2 enable
peer 200.1.1.2 route-policy 10 export
#
route-policy 10 permit node 10
apply cost 100
#
return
#
sysname SwitchC
#
vlan batch 20 30
#
interface Vlanif20
ip address 200.1.2.1 255.255.255.0
#
interface Vlanif30
ip address 9.1.1.2 255.255.255.0
#
#
#
bgp 65009
router-id 3.3.3.3

#
ipv4-family unicast
network 9.1.1.0 255.255.255.0
peer 9.1.1.1 enable
#
return
5.8 Routing Policy Configuration

Routing policies are applied to routing information to change the path through which network
traffic passes.
5.8.1 Example for Filtering the Routes to Be Received or Advertised
As shown in Figure 5-23, on the network where OSPF runs, SwitchA receives routes from the
Internet, and provides these routes for the OSPF network. Users want devices on the OSPF
network to access only the network segments 172.1.17.0/24, 172.1.18.0/24, and 172.1.19.0/24,
and SwitchC to access only the network segment 172.1.18.0/24.
Figure 5-23 Networking diagram for filtering the received and advertised routes
SwitchC
Eth0/0/1
172.1.16.0/24
172.1.17.0/24
Eth0/0/2 Eth0/0/1 172.1.18.0/24
Eth0/0/3 172.1.19.0/24
Eth0/0/1 172.1.20.0/24
SwitchB SwitchA
Eth0/0/1
OSPF
SwitchD
SwitchA Eth0/0/1 VLANIF10 192.168.1.1/24
SwitchB Eth0/0/1 VLANIF10 192.168.1.2/24
SwitchC Eth0/0/1 VLANIF20 192.168.2.2/24
SwitchD Eth0/0/1 VLANIF30 192.168.3.2/24

1. Configure a routing policy on SwitchA and apply the routing policy during route
advertisement. When routes are advertised, the routing policy allows SwitchA to provide
routes from network segments 172.1.17.0/24, 172.1.18.0/24, and 172.1.19.0/24 for
SwitchB, and allows devices on the OSPF network to access these three network segments.
2. Configure a routing policy on SwitchC and apply the routing policy during route importing.
When routes are imported, the routing policy allows SwitchC to receive only the routes
from the network segment 172.1.18.0/24 and access this network segment.
Procedure
[SwitchA] vlan 10
Step 3 Configure the basic OSPF functions.
[SwitchA] ospf
[SwitchB] ospf
[SwitchC] ospf

[SwitchD] ospf
Step 4 Configure five static routes on SwitchA and import these routes into OSPF.
[SwitchA] ip route-static 172.1.16.0 24 NULL 0
[SwitchA] ospf
[SwitchA-ospf-1] import-route static
# Check the routing table on SwitchB. You can find that the five static routes are imported into
OSPF.
[SwitchB] display ip routing-table
------------------------------------------------------------------------------
192.168.1.0/24 Direct 0 0 D 192.168.1.2 Vlanif10
192.168.2.0/24 Direct 0 0 D 192.168.2.1 Vlanif20
192.168.3.0/24 Direct 0 0 D 192.168.3.1 Vlanif30
172.1.16.0/24 O_ASE 150 1 D 192.168.1.1 Vlanif10
172.1.17.0/24 O_ASE 150 1 D 192.168.1.1 Vlanif10
172.1.18.0/24 O_ASE 150 1 D 192.168.1.1 Vlanif10
172.1.19.0/24 O_ASE 150 1 D 192.168.1.1 Vlanif10
172.1.20.0/24 O_ASE 150 1 D 192.168.1.1 Vlanif10
Step 5 Configure a policy for advertising routes.

# Set an IP prefix list named a2b on SwitchA.
[SwitchA] ip ip-prefix a2b index 10 permit 172.1.17.0 24
# Configure a policy for advertising routes on SwitchA, and use the IP prefix list named a2b to
filter routes.
[SwitchA] ospf
[SwitchA-ospf-1] filter-policy ip-prefix a2b export static
# Check the routing table on SwitchB. You can find that SwitchB receives only three routes
defined in a2b.
[SwitchB] display ip routing-table
------------------------------------------------------------------------------

192.168.1.0/24 Direct 0 0 D 192.168.1.2 Vlanif10
192.168.2.0/24 Direct 0 0 D 192.168.2.1 Vlanif20


192.168.3.0/24 Direct 0 0 D 192.168.3.1 Vlanif30
172.1.17.0/24 O_ASE 150 1 D 192.168.1.1 Vlanif10
172.1.18.0/24 O_ASE 150 1 D 192.168.1.1 Vlanif10
172.1.19.0/24 O_ASE 150 1 D 192.168.1.1 Vlanif10
Step 6 Configure a policy for receiving routes.
# Set an IP prefix list named in on SwitchC.

[SwitchC] ip ip-prefix in index 10 permit 172.1.18.0 24
# Set a policy for receiving routes on SwitchC, and use in to filter routes.
[SwitchC] ospf
[SwitchC-ospf-1] filter-policy ip-prefix in import
# Check the routing table on SwitchC. You can find that SwitchC in the local routing table
receives only one route defined in in.
[SwitchC] display ip routing-table
------------------------------------------------------------------------------

192.168.2.0/24 Direct 0 0 D 192.168.2.2 Vlanif20
172.1.18.0/24 O_ASE 150 1 D 192.168.2.1 Vlanif20
----End
Configuration Files
#
sysname SwitchA
#
vlan batch 10
#
interface Vlanif10
ip address 192.168.1.1 255.255.255.0
#
#
ospf 1
filter-policy ip-prefix a2b export static
import-route static
area 0.0.0.0
network 192.168.1.0 0.0.0.255
#
ip ip-prefix a2b index 10 permit 172.1.17.0 24
#

#
return
#
sysname SwitchB
#
vlan batch 10 20 30
#
interface Vlanif10
ip address 192.168.1.2 255.255.255.0
#
interface Vlanif20
ip address 192.168.2.1 255.255.255.0
#
interface Vlanif30
ip address 192.168.3.1 255.255.255.0
#
#
#
#
ospf 1
area 0.0.0.0
network 192.168.1.0 0.0.0.255
network 192.168.2.0 0.0.0.255
network 192.168.3.0 0.0.0.255
#
return
#
sysname SwitchC
#
vlan batch 20
#
interface Vlanif20
ip address 192.168.2.2 255.255.255.0
#
#
ospf 1
filter-policy ip-prefix in import
area 0.0.0.0
network 192.168.2.0 0.0.0.255
#
ip ip-prefix in index 10 permit 172.1.18.0 24
#
return
#
sysname SwitchD
#
vlan batch 30
#
interface Vlanif30
ip address 192.168.3.2 255.255.255.0
#


#
ospf 1
area 0.0.0.0
network 192.168.3.0 0.0.0.255
#
return
5.8.2 Example for Applying a Routing Policy for Importing Routes
As shown in Figure 5-24, SwitchB exchanges routing information with SwitchA through OSPF
and with SwitchC through IS-IS. Users want SwitchB to import IS-IS routes into the OSPF
network. Users also want that the route to 172.17.1.0/24 on the OSPF network has a low
preference and the route to 172.17.2.0/24 has a tag, which makes it easy to reference by a routing
policy.
Figure 5-24 Networking diagram for applying a routing policy for importing routes
OSPF IS-IS
Eth0/02
Eth0/0/1 Eth0/0/1 Eth0/0/3

Eth0/0/1 Eth0/0/2
SwitchA SwitchC Eth0/0/4
SwitchB
SwitchA Eth0/0/1 VLANIF10 192.168.1.1/24
1. Configure a routing policy on SwitchB, set the cost of the route to 172.17.1.0/24 to 100,
and apply the routing policy when OSPF imports IS-IS routes. The routing policy allows
the route to 172.17.1.0/24 have a low preference.

2. Configure a routing policy on SwitchB, set the tag of the route to 172.17.2.0/24 is 20, and
apply the routing policy when OSPF imports IS-IS routes. In this way, the tag of the route
to 172.17.2.0/24 can take effect, which makes it easy to reference by a routing policy.
Procedure
[SwitchA] vlan 10

Step 3 Configure IS-IS.
[SwitchC] isis
[SwitchC-Vlanif20] isis enable
[SwitchB] isis
[SwitchB-Vlanif20] isis enable
Step 4 Configure OSPF and import routes.
# Configure SwitchA and enable OSPF.

[SwitchA] ospf

# Configure SwitchB, enable OSPF, and import IS-IS routes.

[SwitchB] ospf
[SwitchB-ospf-1] import-route isis 1
# Check the OSPF routing table on SwitchA. You can find the imported routes.

Routing Tables
Routing for Network

192.168.1.0/24 1 Transit 192.168.1.1 192.168.1.1 0.0.0.0
Routing for ASEs

192.168.2.0/24 1 Type2 1 192.168.1.2 192.168.1.2
172.17.1.0/24 1 Type2 1 192.168.1.2 192.168.1.2
172.17.2.0/24 1 Type2 1 192.168.1.2 192.168.1.2
172.17.3.0/24 1 Type2 1 192.168.1.2 192.168.1.2
Total Nets: 5
Step 5 Set the filtering list.

# Set ACL 2002 to match 172.17.2.0/24.
[SwitchB] acl number 2002
[SwitchB-acl-basic-2002] rule permit source 172.17.2.0 0.0.0.255
[SwitchB-acl-basic-2002] quit
# Set an IP prefix list named prefix-a to match 172.17.1.0/24.

[SwitchB] ip ip-prefix prefix-a index 10 permit 172.17.1.0 24
Step 6 Configure a routing policy.

[SwitchB] route-policy isis2ospf permit node 10
[SwitchB-route-policy] if-match ip-prefix prefix-a
[SwitchB-route-policy] apply cost 100
[SwitchB-route-policy] if-match acl 2002
[SwitchB-route-policy] apply tag 20
Step 7 Apply the routing policy when routes are imported.

# Configure SwitchB and apply the routing policy when routes are imported.
[SwitchB] ospf
[SwitchB-ospf-1] import-route isis 1 route-policy isis2ospf
# Check the OSPF routing table on SwitchA. You can find that the cost of the route to
172.17.1.0/24 is 100; the tag of the route to 172.17.2.0/24 is 20; other route attributes remain
unchanged.


Routing Tables
Routing for Network
192.168.1.0/24 1 Transit 192.168.1.1 192.168.1.1 0.0.0.0
Routing for ASEs

192.168.2.0/24 1 Type2 1 192.168.1.2 192.168.1.2
172.17.1.0/24 100 Type2 1 192.168.1.2 192.168.1.2
172.17.2.0/24 1 Type2 20 192.168.1.2 192.168.1.2
172.17.3.0/24 1 Type2 1 192.168.1.2 192.168.1.2
Total Nets: 5
----End
Configuration Files
#
sysname SwitchA
#
vlan batch 10
#
interface Vlanif10
ip address 192.168.1.1 255.255.255.0
#
#
ospf 1
area 0.0.0.0
network 192.168.1.0 0.0.0.255
#
return

#
sysname SwitchB
#
vlan batch 10 20
#
acl number 2002
rule 5 permit source 172.17.2.0 0.0.0.255
#
isis 1
is-level level-2
network-entity 10.0000.0000.0002.00
#
interface Vlanif10
ip address 192.168.1.2 255.255.255.0
#
interface Vlanif20
ip address 192.168.2.2 255.255.255.0
isis enable 1
#
#
#

ospf 1
import-route isis 1 route-policy isis2ospf
area 0.0.0.0
network 192.168.1.0 0.0.0.255
#
route-policy isis2ospf permit node 10
if-match ip-prefix prefix-a
apply cost 100
#
if-match acl 2002
apply tag 20
#
#
ip ip-prefix prefix-a index 10 permit 172.17.1.0 24
#
return

#
sysname SwitchC
#
#
isis 1
is-level level-2
network-entity 10.0000.0000.0001.00
#
interface Vlanif20
ip address 192.168.2.1 255.255.255.0
isis enable 1
#
interface Vlanif30
ip address 172.17.1.1 255.255.255.0
isis enable 1
#
interface Vlanif40
ip address 172.17.2.1 255.255.255.0
isis enable 1
#
interface Vlanif50
ip address 172.17.3.1 255.255.255.0
isis enable 1
#
#
#
#
#
return
5.9 MCE Configuration

Generally, one CE device connects to only one VPN. If multiple VPNs are deployed on a
customer network, multiple CE devices are required. A multi-VPN-instance CE (MCE) device

can connect to multiple VPNs. The MCE solution isolates services of different VPNs while
reducing cost of network devices.
5.9.1 Example for Configuring an MCE

The headquarters and branches of a company need to communicate through MPLS VPN, and
two services of the company must be isolated. To reduce hardware costs, the company wants
the branch to connect to the PE through one CE.
As shown in Figure 5-25, the networking requirements are as follows:
l CE1 and CE2 connect to the headquarters. CE1 belongs to vpna, and CE2 belongs to vpnb.
l The MCE connects to vpna and vpnb of the branch through SwitchA and SwitchB.
Users in the same VPN need to communicate with each other, but users on different VPNs must
be isolated.
NOTE
The S3300EI can only work as an MCE or CE device.
Figure 5-25 Networking diagram for configuring an MCE
vpna
vpna
192.168.1.0/24
CE1
SwitchA
GE0/0/1
VLANIF10 GE0/0/1
10.1.1.1/24 VLANIF60
Loopback1 10.3.1.1/24
GE0/0/1 2.2.2.9./32 GE0/0/3
VLANIF10 VPN VLANIF60
10.1.1.2/24 Backbone 10.3.1.2/24
MCE
Loopback1 PE1 PE2
1.1.1.9./32 GE0/0/3 GE0/0/1 GE0/0/2 GE0/0/1
GE0/0/2 VLANIF30 VLANIF30 VLANIF60 VLANIF60 GE0/0/4
VLANIF20 172.1.1.1/24 172.1.1.2/24 10.3.1.3/24 10.3.1.2/24 VLANIF70
10.2.1.2/24 VLANIF70 VLANIF70 10.4.1.2/24
GE0/0/1 10.4.1.3/24 10.4.1.2/24 GE0/0/1
VLANIF20 VLANIF70
10.2.1.1/24 10.4.1.1/24
SwitchB
CE2
192.168.2.0/24
vpnb
vpnb

1. Configure OSPF between PEs so that they can communicate and configure MP-IBGP to
exchange VPN routing information.
2. Configure basic MPLS capabilities and MPLS LDP on the PEs to establish LDP LSPs.
3. Create VPN instances vpna and vpnb on the MCE and PEs to isolate services.
4. Establish EBGP peer relationships between PE1 and its connected CEs, and import BGP
routes to the VPN routing table of PE1.
5. Configure routing between the MCE and VPN sites and between the MCE and PE2.
Procedure
Step 1 Configure VLANs on interfaces and assign IP addresses to the VLANIF interfaces and loopback
interfaces according to Figure 5-25.
# Configure PE1.
[PE1] interface loopback 1
[PE1-LoopBack1] ip address 1.1.1.9 32
[PE1-LoopBack1] quit
[PE1] vlan batch 10 20 30
[PE1] interface vlanif 30
[PE1-Vlanif30] ip address 172.1.1.1 24
[PE1-Vlanif30] quit
The configuration on PE2, CE1, CE2, MCE, SwitchA and SwitchB is similar to the configuration
on PE1 and is not mentioned here.
Step 2 Configure OSPF on PEs of the backbone network.
# Configure PE1.
[PE1] ospf
[PE1-ospf-1] area 0
[PE1-ospf-1-area-0.0.0.0] network 1.1.1.9 0.0.0.0
[PE1-ospf-1-area-0.0.0.0] quit
[PE1-ospf-1] quit
The configuration on PE2 is similar to the configuration on PE1 and is not mentioned here.
After the configuration is complete, PEs can obtain Loopback1 address of each other.
The information displayed on PE2 is used as an example.
[PE2] display ip routing-table
Route Flags: R - relied, D - download to fib
------------------------------------------------------------------------------

1.1.1.9/32 OSPF 10 1 D 172.1.1.1 Vlanif30

2.2.2.9/32 Direct 0 0 D 127.0.0.1 LoopBack1
172.1.1.0/24 Direct 0 0 D 172.1.1.2 Vlanif30
172.1.1.2/32 Direct 0 0 D 127.0.0.1 Vlanif30
Step 3 Configure basic MPLS capabilities and MPLS LDP on the PEs to establish LDP LSPs.
# Configure PE1.
[PE1] mpls lsr-id 1.1.1.9
[PE1] mpls
[PE1-mpls] quit
[PE1] mpls ldp
[PE1-mpls-ldp] quit
[PE1-Vlanif30] mpls
[PE1-Vlanif30] mpls ldp
[PE1-Vlanif30] quit
The configuration on PE2 is similar to the configuration on PE1 and is not mentioned here.
After the configuration is complete, run the display mpls ldp session command on the PEs. The
command output shows that the MPLS LDP session between the PEs is in Operational state.
The information displayed on PE2 is used as an example.
[PE2] display mpls ldp session
LDP Session(s) in Public Network

Codes: LAM(Label Advertisement Mode), SsnAge Unit(DDDD:HH:MM)
A '*' before a session means the session is being deleted.
------------------------------------------------------------------------------
PeerID Status LAM SsnRole SsnAge KASent/Rcv
------------------------------------------------------------------------------
1.1.1.9:0 Operational DU Active 0000:00:04 17/17
------------------------------------------------------------------------------
TOTAL: 1 session(s) Found.
Step 4 Configure VPN instances on the PEs. On PE1, bind the interfaces connected to CE1 and CE2
to the VPN instances respectively. On PE2, bind the interface connected to the MCE to the VPN
instances.
# Configure PE1.
[PE1] vlan batch 10 20



[PE1-Vlanif10] ip binding vpn-instance vpna
[PE1-Vlanif10] quit
[PE1-Vlanif20] ip binding vpn-instance vpnb
[PE1-Vlanif20] quit
# Configure PE2.
[PE2] vlan batch 60 70

[PE2-Ethernet0/0/2] port trunk allow-pass vlan 60 70
[PE2-Vlanif60] ip binding vpn-instance vpna
[PE2-Vlanif60] quit
[PE2]interface vlanif 70
[PE2-Vlanif70] ip binding vpn-instance vpnb
[PE2-Vlanif70] quit
Step 5 Configure VPN instances on the MCE and bind the interfaces connected to SwitchA and SwitchB
to the VPN instances respectively.
[Quidway] sysname MCE
[MCE] vlan batch 60 70
[MCE] interface ethernet 0/0/1
[MCE-Ethernet0/0/1] port link-type trunk
[MCE-Ethernet0/0/1] port trunk allow-pass vlan 60 70
[MCE-Ethernet0/0/1] quit
[MCE-Ethernet0/0/3] port trunk allow-pass vlan 60
[MCE-Ethernet0/0/4] port trunk allow-pass vlan 70
[MCE] ip vpn-instance vpna
[MCE-vpn-instance-vpna] route-distinguisher 100:1
[MCE-vpn-instance-vpna] quit
[MCE] ip vpn-instance vpnb
[MCE-vpn-instance-vpnb] route-distinguisher 100:2
[MCE-vpn-instance-vpnb] quit
[MCE] interface vlanif 60
[MCE-Vlanif60] ip binding vpn-instance vpna
[MCE-Vlanif60] ip address 10.3.1.2 24
[MCE-Vlanif60] quit
[MCE] interface vlanif 70

[MCE-Vlanif70] ip binding vpn-instance vpnb

[MCE-Vlanif70] ip address 10.4.1.2 24
[MCE-Vlanif70] quit
Step 6 Establish an MP-IBGP peer relationship between PEs. Establish an EBGP peer relationship
between PE1 and CE1, and between PE1 and CE2.
After the configuration is complete, run the display bgp vpnv4 all peer command on PE1. The
command output shows that PE1 has established an IBGP peer relationship with PE2 and EBGP
peer relationships with CE1 and CE2. The peer relationships are in Established state.
[PE1] display bgp vpnv4 all peer
BGP local router ID : 1.1.1.9

Local AS number : 100
Total number of peers : 3 Peers in established state : 3
Peer V AS MsgRcvd MsgSent OutQ Up/Down State PrefRcv
2.2.2.9 4 100 288 287 0 01:19:16 Established 6
Peer of IPv4-family for vpn instance :
VPN-Instance vpna, Router ID 1.1.1.9:

10.1.1.1 4 65410 9 11 0 00:01:38 Established 2
VPN-Instance vpnb, Router ID 1.1.1.9:
10.2.1.1 4 65420 9 12 0 00:04:09 Established 2
Step 7 Configure routing between the MCE and VPN sites.

The MCE directly connects to vpna, and no routing protocol is used in vpna. Configure static
routes to implement communication between the MCE and vpna.
l # Configure SwitchA.
Assign IP address 192.168.1.1/24 to the interface connected to vpna. The configuration
details are not mentioned here.
l # Configure the MCE.
[MCE] ip route-static vpn-instance vpna 192.168.1.0 24 10.3.1.1
l # Check the routes of vpna on the MCE.

[MCE]display ip routing-table vpn-instance vpna
Route Flags: R - relay, D - download to
fib
------------------------------------------------------------------------------
Routing Tables:
vpna
Destinations : 3 Routes :
3
Destination/Mask Proto Pre Cost Flags NextHop

Interface

10.3.1.0/24 Direct 0 0 D 10.3.1.2

Vlanif60
10.3.1.2/32 Direct 0 0 D 127.0.0.1
Vlanif60
192.168.1.0/24 Static 60 0 RD 10.3.1.1
Vlanif60
The preceding information shows that the MCE has a static route to vpna.
The RIP protocol runs in vpnb. Configure RIP process 200 on the MCE and bind it to vpnb so
that routes learned by RIP are added to the routing table of vpnb.
l # Configure the MCE.
[MCE] rip 200 vpn-instance vpnb
[MCE-rip-200] version 2
[MCE-rip-200] network 10.0.0.0
[MCE-rip-200] import-route ospf 200
[MCE-rip-200] quit
l # Configure SwitchB.
Assign IP address 192.168.2.1/24 to the interface connected to vpnb. The configuration is
not provided here.
[SwitchB] vlan batch 70
[SwitchB] rip 200
l # Check the routes of vpnb on the MCE.

[MCE]display ip routing-table vpn-instance vpnb
Route Flags: R - relay, D - download to
fib
------------------------------------------------------------------------------
Routing Tables:
vpnb
Destinations : 3 Routes :
3
Destination/Mask Proto Pre Cost Flags NextHop

Interface
10.4.1.0/24 Direct 0 0 D 10.4.1.2

Vlanif70
10.4.1.2/32 Direct 0 0 D 127.0.0.1
Vlanif70
192.168.2.0/24 RIP 100 1 D 10.4.1.1
Vlanif70
The preceding information shows that the MCE has learned the route to vpnb using RIP. The
route to vpnb and the route to vpna (192.168.1.0) are maintained in different VPN routing
tables so that users in the two VPNs are isolated from each other.
Step 8 Configure OSPF multi-instance between the MCE and PE2.
# Configure PE2.

NOTE
To configure OSPF multi-instance between the MCE and PE2, complete the following tasks on PE2:
l In the OSPF view, import BGP routes and advertise VPN routes of PE1 to the MCE.
l In the BGP view, import routes of the OSPF processes and advertise the VPN routes of the MCE to
PE1.
[PE2] ospf 100 vpn-instance vpna

[PE2-ospf-100] import-route bgp
[PE2-ospf-100] area 0
[PE2-ospf-100] quit
[PE2] ospf 200 vpn-instance vpnb
[PE2-ospf-200] import-route bgp
[PE2-ospf-200] area 0
[PE2-ospf-200] quit
[PE2] bgp 100
[PE2-bgp] ipv4-family vpn-instance vpna
[PE2-bgp-vpna] import-route ospf 100
[PE2-bgp-vpna] quit
[PE2-bgp] ipv4-family vpn-instance vpnb
[PE2-bgp-vpnb] import-route ospf 200
[PE2-bgp-vpnb] quit
# Configure the MCE.

NOTE
Import VPN routes to the OSPF processes.
[MCE] ospf 100 vpn-instance vpna

[MCE-ospf-100] import-route static
[MCE-ospf-100] vpn-instance-capability simple
[MCE-ospf-100] area 0
[MCE-ospf-100-area-0.0.0.0] network 10.3.1.0 0.0.0.255
[MCE-ospf-100-area-0.0.0.0] quit
[MCE-ospf-100] quit
[MCE] ospf 200 vpn-instance vpnb
[MCE-ospf-200] import-route rip 200
[MCE-ospf-200] vpn-instance-capability simple
[MCE-ospf-200] area 0
[MCE-ospf-200-area-0.0.0.0] network 10.4.1.0 0.0.0.255
[MCE-ospf-200-area-0.0.0.0] quit
[MCE-ospf-200] quit

After the configuration is complete, run the display ip routing-table vpn-instance command
on the MCE to view the routes to the remote CEs.
The VPN instance vpna is used as an example.
[MCE] display ip routing-table vpn-instance vpna
------------------------------------------------------------------------------
Routing Tables: vpna
10.1.1.0/24 O_ASE 150 1 D 10.3.1.3 Vlanif60

10.3.1.0/24 Direct 0 0 D 10.3.1.2 Vlanif60
10.3.1.2/32 Direct 0 0 D 127.0.0.1 Vlanif60
192.168.1.0/24 Static 60 0 RD 10.3.1.1 Vlanif60

Run the display ip routing-table vpn-instance command on the PEs to view the routes to the
remote CEs.
The VPN instance vpna on PE1 is used as an example.
[PE1] display ip routing-table vpn-instance vpna
------------------------------------------------------------------------------
Routing Tables: vpna
10.1.1.0/24 Direct 0 0 D 10.1.1.2 Vlanif10

10.1.1.2/32 Direct 0 0 D 127.0.0.1 Vlanif10
10.3.1.0/24 IBGP 255 0 RD 2.2.2.9 Vlanif30
192.168.1.0/24 IBGP 255 2 RD 2.2.2.9 Vlanif30
CE1 and SwitchA can communicate with each other. CE2 and SwitchB can communicate with
each other.
The information displayed on CE1 is used as an example.
[CE1] ping 10.3.1.1

0.00% packet loss
CE1 cannot ping CE2 or SwitchB. SwitchA cannot ping CE2 or SwitchB.
The ping from CE1 to SwitchB is used as an example.
[CE1] ping 10.4.1.1
Request time out
Request time out
Request time out
Request time out
Request time out

100.00% packet loss
----End
Configuration Files
#
sysname CE1
#
vlan batch 10
#
interface Vlanif10
ip address 10.1.1.1 255.255.255.0
#

#
bgp 65410
#
ipv4-family unicast
import-route direct
#
return
#
sysname CE2
#
vlan batch 20
#
interface Vlanif20
ip address 10.2.1.1 255.255.255.0
#
#
bgp 65420
#
ipv4-family unicast
import-route direct
#
return
#
sysname PE1
#
vlan batch 10 20 30
#
ip vpn-instance vpna
ipv4-family
route-distinguisher 100:1
vpn-target 111:1 export-extcommunity
#
ip vpn-instance vpnb
ipv4-family
#
mpls lsr-id 1.1.1.9
mpls
#
mpls ldp
#
interface Vlanif10
ip address 10.1.1.2 255.255.255.0
#
interface Vlanif20
ip address 10.2.1.2 255.255.255.0
#
interface Vlanif30
ip address 172.1.1.1 255.255.255.0

mpls
mpls ldp
#
#
#
#
interface LoopBack1
ip address 1.1.1.9 255.255.255.255
#
bgp 100
peer 2.2.2.9 connect-interface LoopBack1
#
ipv4-family unicast
peer 2.2.2.9 enable
#
ipv4-family vpnv4
policy vpn-target
peer 2.2.2.9 enable
#
ipv4-family vpn-instance vpna
import-route direct
#
ipv4-family vpn-instance vpnb
import-route direct
#
ospf 1
area 0.0.0.0
network 1.1.1.9 0.0.0.0
network 172.1.1.0 0.0.0.255
#
return
#
sysname PE2
#
vlan batch 30 60 70
#
ipv4-family
#
ipv4-family
#
mpls lsr-id 2.2.2.9
mpls
#
mpls ldp
#
interface Vlanif30
ip address 172.1.1.2 255.255.255.0

mpls
mpls ldp
#
interface
Vlanif60
ip binding vpn-instance
vpna
ip address 10.3.1.3
255.255.255.0
#
interface
Vlanif70
ip binding vpn-instance
vpnb
ip address 10.4.1.3
255.255.255.0
#
interface LoopBack1
ip address 2.2.2.9 255.255.255.255
#
#
port link-type
trunk
#
bgp 100
peer 1.1.1.9 connect-interface LoopBack1
#
ipv4-family unicast
peer 1.1.1.9 enable
#
ipv4-family vpnv4
policy vpn-target
peer 1.1.1.9 enable
#
ipv4-family vpn-instance vpna
import-route ospf 100
#
ipv4-family vpn-instance vpnb
#
ospf 1
area 0.0.0.0
network 2.2.2.9 0.0.0.0
network 172.1.1.0 0.0.0.255
#
ospf 100 vpn-instance vpna
import-route bgp
area 0.0.0.0
network 10.3.1.0 0.0.0.255
#
ospf 200 vpn-instance vpnb
import-route bgp
area 0.0.0.0
network 10.4.1.0 0.0.0.255
#
return
l Configuration file of the MCE
#
sysname MCE
#
vlan batch 60 70
#

#
#
interface Vlanif60
ip address 10.3.1.2 255.255.255.0
#
interface Vlanif70
ip address 10.4.1.2 255.255.255.0
#
port link-type
trunk
#
port link-type
trunk
#
port link-type
trunk
#
ospf 100 vpn-instance vpna
import-route static
vpn-instance-capability simple
area 0.0.0.0
network 10.3.1.0 0.0.0.255
#
ospf 200 vpn-instance vpnb
vpn-instance-capability simple
area 0.0.0.0
network 10.4.1.0 0.0.0.255
#
rip 200 vpn-instance vpnb
version 2
network 10.0.0.0
#
return
#
sysname SwitchA
#
vlan batch 60
#
interface Vlanif60
ip address 10.3.1.1 255.255.255.0
#
port link-type
trunk
#
ip route-static 0.0.0.0 0.0.0.0 10.3.1.2
#
return
#
sysname SwitchB
#

vlan batch 70
#
interface Vlanif70
ip address 10.4.1.1 255.255.255.0
#
port link-type
trunk
#
rip
200
version
2
network
10.0.0.0
network
192.168.2.0
#
return

Typical Configuration Examples 6 Configuration Guide - IP Multicast
6 Configuration Guide - IP Multicast
About This Chapter
This document describes IP Multicast based on configuration procedures and examples.
6.1 IGMP Configuration

You can manage multicast group members by configuring IGMP on multicast device interfaces
connected to user networks.
6.2 PIM-SM (IPv4) Configuration
The PIM protocol implements multicast routing and data forwarding in a domain. The PIM-SM
protocol is a multicast routing protocol in sparse mode. It applies to a large-scale network with
sparsely-distributed group members.
6.3 Multicast Route Management (IPv4) Configuration
The switch can run multiple multicast routing protocols to control multicast routing and
forwarding through message exchange between the control plane and forwarding plane.
6.4 IGMP Snooping Configuration
IGMP snooping enables a Layer 2 multicast device to create and maintain a Layer 2 multicast
forwarding table by analyzing IGMP messages exchanged between the upstream Layer 3 device
and user hosts. This technology implements on-demand multicast data transmission at the data
link layer.
6.5 Multicast VLAN Replication Configuration
After multicast VLAN replication is configured on a device, the upstream device only needs to
transmit multicast data to a multicast VLAN. This function saves bandwidth because the
upstream device does not need to send a copy of multicast data to each user VLAN.
6.6 Controllable Multicast Configuration
Controllable multicast flexibly controls user rights to join multicast groups and meets the
requirements of IPTV services.
6.7 MLD Configuration
On an IPv6 network, you can manage local multicast group members by configuring MLD on
multicast device interfaces connected to user networks.
6.8 MLD Snooping Configuration

MLD snooping is configured on Layer 2 multicast devices to resolve the MLD packets between
Layer 3 devices and users. It generates and maintains IPv6 Layer 2 multicast forwarding tables
to distribute multicast data to only the receivers at the data link layer.

6.1 IGMP Configuration

You can manage multicast group members by configuring IGMP on multicast device interfaces
connected to user networks.
6.1.1 Example for Configuring Basic IGMP Functions
As shown in Figure 6-1, users receive data in multicast mode. User hosts are located on two
network segments: N1 and N2. Receivers HostA and HostC are located on the two network
segments respectively. The source sends multicast data to group addresses 225.1.1.1 to 225.1.1.5.
HostA orders only the program of group 225.1.1.1, and HostC can receive all the programs.
Figure 6-1 Networking diagram for basic IGMP configuration
PIM network Receiver

SwitchA
4 1 1
2 /2 IF Eth0/0/1 N1 HostA
8 .1 . L A N /2 VLANIF10
6 1 V 0
0/ 24
2 .1 IF 1 E th .1 .1 / 10.110.1.1/24
19 LAN0/1
SwitchD V th0/ 68
E 9 2 .1
1 HostB
Eth0/0/4 VLAN SwitchB 10.110.2.1/24
VLANIF40 I F 2 1 Eth0
Eth0 / 0 VLANIF20
192.168.4.1/24 19 / 0/ 2 / 2
1 9 V E t 2. 168. 2. VLAN
I
Eth0/0/1 Receiver
2.1 LA h0 2/24 19 F21
68 NI /0/3 2. 16
.3. F3 8. 2. 1
2 /2 1 /24
4
SwitchC 10.110.2.2/24 N2 HostC
E
19 VLAth0/0 VLANIF20
2 .1 N I /2 Eth0/0/1
68 F31
.3 .
1/2
4 HostD
To meet the preceding requirements, configure basic IGMP functions and limit the range of
multicast groups on the interface connected to the network segment of HostA. The configuration
roadmap is as follows:
1. Configure a unicast routing protocol to implement IP interworking.

Configure IP addresses for interfaces and configure a unicast routing protocol on each
switch. Multicast routing protocols depend on unicast routing protocols.
2. Configure basic multicast functions to enable multicast data to be forwarded on the network.
Enable PIM-SM and configure an RP on each switch. Enable IGMP on the interfaces
connected to the receiver network segments.
3. Control the multicast data that HostA can receive.

Configure an ACL on the interface of SwitchA connected to the network segment of HostA
to filter multicast data sent to HostA.
Procedure
Step 1 Configure IP addresses for interfaces and configure a unicast routing protocol on each switch.
Configure an IP address and mask for each interface according to Figure 6-1. Configure OSPF
on each switch to ensure IP connectivity between them, and enable them to dynamically update
routing information. The configuration details are not mentioned here.
Step 2 Enable IP multicast routing on each switch and enable PIM-SM on all interfaces.
# On SwitchA, enable multicast routing in the system view, enable PIM-SM on all interfaces,
and configure VLANIF40 of SwitchD as a static RP. The configurations of SwitchB, SwitchC
and SwitchD are similar to the configuration of SwitchA, and are not mentioned here.
[SwitchA] multicast routing-enable

[SwitchA-Vlanif10] pim sm
[SwitchA] pim
[SwitchA-pim] static-rp 192.168.4.1
[SwitchA-pim] quit
Step 3 On SwitchA, SwitchB, and SwitchC, enable IGMP on the interfaces connected to the receiver
network segments.
# Enable IGMP on VLANIF10 of SwitchA. The configurations of SwitchB and SwitchC are
similar to the configuration of SwitchA, and are not mentioned here.

[SwitchA-Vlanif10] igmp enable
Step 4 Allow VLANIF10 of SwitchA to join only multicast group 225.1.1.1.

# On SwitchA, create an ACL, configure a rule that permits only packets of multicast group
225.1.1.1, and then apply the ACL to VLANIF10.
[SwitchA] acl number 2001

[SwitchA-acl-basic-2001] rule permit source 225.1.1.1 0
[SwitchA-acl-basic-2001] quit
[SwitchA-Vlanif10] igmp group-policy 2001

# Run the display igmp interface command to check the IGMP configuration and running status
on each interface. The following is the IGMP information on VLANIF10 of SwitchA:
<SwitchA> display igmp interface vlanif 10
Interface information
Vlanif 10 (10.110.1.1):
IGMP is enabled
Current IGMP version is 2
IGMP state: up
IGMP group policy: 2001

Value of query interval for IGMP (negotiated): -

Value of query interval for IGMP (configured): 60 s
Value of other querier timeout for IGMP: 0 s
Value of maximum query response time for IGMP: 10 s
Querier for IGMP: 10.110.1.1 (this router)
Total 1 IGMP Group reported
----End
Configuration Files
#
sysname SwitchA
#
vlan batch 10 11
#
multicast routing-enable
#
acl number 2001
#
interface Vlanif10
ip address 10.110.1.1 255.255.255.0
pim sm
igmp enable
igmp group-policy 2001
#
interface Vlanif11
ip address 192.168.1.1 255.255.255.0
pim sm
#
#
#
ospf 1
area 0.0.0.0
network 10.110.1.0 0.0.0.255
network 192.168.1.0 0.0.0.255
#
pim
static-rp 192.168.4.1
#
return

#
sysname SwitchB
#
vlan batch 20 21
#
#
interface Vlanif20
ip address 10.110.2.1 255.255.255.0
pim sm
igmp enable
#
interface Vlanif21
ip address 192.168.2.1 255.255.255.0
pim sm
#


#
#
ospf 1
area 0.0.0.0
network 10.110.2.0 0.0.0.255
network 192.168.2.0 0.0.0.255
#
pim
static-rp 192.168.4.1
#
return
#
sysname SwitchC
#
vlan batch 20 31
#
#
interface Vlanif20
ip address 10.110.2.2 255.255.255.0
pim sm
igmp enable
#
interface Vlanif31
ip address 192.168.3.1 255.255.255.0
pim sm
#
#
#
ospf 1
area 0.0.0.0
network 10.110.2.0 0.0.0.255
network 192.168.3.0 0.0.0.255
#
pim
static-rp 192.168.4.1
#
return
#
sysname SwitchD
#
#
#
interface Vlanif11
ip address 192.168.1.2 255.255.255.0
pim sm
#
interface Vlanif21
ip address 192.168.2.2 255.255.255.0
pim sm
#
interface Vlanif31
ip address 192.168.3.2 255.255.255.0

pim sm
#
interface Vlanif40
ip address 192.168.4.1 255.255.255.0
pim sm
#
#
#
#
#
ospf 1
area 0.0.0.0
network 192.168.1.0 0.0.0.255
network 192.168.2.0 0.0.0.255
network 192.168.3.0 0.0.0.255
network 192.168.4.0 0.0.0.255
#
pim
static-rp 192.168.4.1
#
return
6.1.2 Example for Configuring a Static Multicast Group on an

Interface
As shown in Figure 6-2, users receive data in multicast mode. User hosts are located on two
network segments: N1 and N2. Receiver HostA is located on N1, and receivers HostC and HostD
are located on N2. HostA wants to receive data of multicast group 225.1.1.3 for a long time,
while HostC and HostD do not have such requirements.

Figure 6-2 Networking diagram for static multicast group configuration
PIM network Receiver

SwitchA
1 1
24 N IF 2 Eth0/0/1
. 1 .2 / A N1 HostA
6 8 1 V L / 0 / VLANIF10
4
9 2 . 1 NI F 1 E th 0 .1 /2 10.110.1.1/24
1 A /1
SwitchD VLth0/0 8.1
2 . 16
E 19 HostB
Eth0/0/4 VLAN SwitchB 10.110.2.1/24
VLANIF40 IF21 Eth0
Eth0 / 0 VLANIF20
192.168.4.1/24 19 / 0 /2 / 2
1 9 V E t 2. 168. 2. VLAN Eth0/0/1 Receiver
2.1 LA h0 2/24 19 IF21
68 NI /0/3 2. 16
.3. F3 8. 2. 1
2 /2 1 /24
4
SwitchC 10.110.2.2/24 N2 HostC
E
19 VLAth0/0 VLANIF20
2 .1 N I /2 Eth0/0/1
68 F31
.3 .
1/2
4 HostD
To meet the preceding requirements, configure static multicast group 225.1.1.3 on the interface
connected to the network segment of HostA. The configuration roadmap is as follows:
Enable PIM-SM and configure a rendezvous point (RP) on each switch. Enable IGMP on
the interfaces connected to the receiver network segments.
3. Enable HostA to receive data of multicast group 225.1.1.3 for a long time.
On SwitchA, statically bind the interface connected to the network segment of HostA to
group 225.1.1.3.
Procedure
Step 2 Enable IP multicast routing on each switch and enable PIM-SM on all interfaces.
# On SwitchA, enable multicast routing in the system view, enable PIM-SM on all interfaces,
and configure VLANIF40 of SwitchD as a static RP. The configurations of SwitchB, SwitchC



[SwitchA] pim
[SwitchA-pim] quit
Step 3 On SwitchA, SwitchB, and SwitchC, enable IGMP on the interfaces connected to the receiver
network segments.
# Enable IGMP on VLANIF10 of SwitchA. The configurations of SwitchB and SwitchC are
similar to the configuration of SwitchA, and are not mentioned here.
Step 4 Configure static multicast group 225.1.1.3 on VLANIF10 of SwitchA.

[SwitchA-Vlanif10] igmp static-group 225.1.1.3

# Run the display igmp group static command to check the static multicast group configuration.
The command output shows that static multicast group 225.1.1.3 has been configured on
VLANIF10.
<SwitchA> display igmp group static
Static join group information
Total 1 entry
Group Address Source Address Interface State Expires
225.1.1.3 0.0.0.0 Vlanif10 UP never
----End
Configuration Files
#
sysname SwitchA
#
vlan batch 10 11
#
#
interface Vlanif10
ip address 10.110.1.1 255.255.255.0
pim sm
igmp enable
igmp static-group 225.1.1.3
#
interface Vlanif11
ip address 192.168.1.1 255.255.255.0
pim sm
#
#
#
ospf 1

area 0.0.0.0
network 10.110.1.0 0.0.0.255
network 192.168.1.0 0.0.0.255
#
pim
static-rp 192.168.4.1
#
return
#
sysname SwitchB
#
vlan batch 20 21
#
#
interface Vlanif20
ip address 10.110.2.1 255.255.255.0
pim sm
igmp enable
#
interface Vlanif21
ip address 192.168.2.1 255.255.255.0
pim sm
#
#
#
ospf 1
area 0.0.0.0
network 10.110.2.0 0.0.0.255
network 192.168.2.0 0.0.0.255
#
pim
static-rp 192.168.4.1
#
return
#
sysname SwitchC
#
vlan batch 20 31
#
#
interface Vlanif20
ip address 10.110.2.2 255.255.255.0
pim sm
igmp enable
#
interface Vlanif31
ip address 192.168.3.1 255.255.255.0
pim sm
#
#
#
ospf 1

area 0.0.0.0
network 10.110.2.0 0.0.0.255
network 192.168.3.0 0.0.0.255
#
pim
static-rp 192.168.4.1
#
return
#
sysname SwitchD
#
#
#
interface Vlanif11
ip address 192.168.1.2 255.255.255.0
pim sm
#
interface Vlanif21
ip address 192.168.2.2 255.255.255.0
pim sm
#
interface Vlanif31
ip address 192.168.3.2 255.255.255.0
pim sm
#
interface Vlanif40
ip address 192.168.4.1 255.255.255.0
pim sm
#
#
#
#
#
ospf 1
area 0.0.0.0
network 192.168.1.0 0.0.0.255
network 192.168.2.0 0.0.0.255
network 192.168.3.0 0.0.0.255
network 192.168.4.0 0.0.0.255
#
pim
static-rp 192.168.4.1
#
return
6.1.3 Example for Configuring IGMP SSM Mapping
As shown in Figure 6-3, the multicast network runs PIM-SM, and uses ASM and SSM models
to provide multicast services. The switch interface connected to the receiver network segment

runs IGMPv3, whereas the receiver runs IGMPv2 and does not support IGMPv3. Therefore, the
receiver cannot specify a multicast source from which it wants to receive multicast data when
joining a multicast group.
The range of SSM group addresses on the network is 232.1.1.0/24. Source 1, Source 2, and
Source 3 all send multicast data to the multicast groups in this range. However, the receiver only
wants to receive multicast data from Source 1 and Source 3.
Figure 6-3 Networking diagram for the SSM mapping configuration
PIM-SM
Source2 Source3
10.10.2.2/24 192.168.2.2/24
VLANIF11 VLANIF31 VLANIF31 VLANIF12
Eth0/0/1 Eth0/0/3 Eth0/0/3 Eth0/0/1
192.168.2.1/24 10.10.3.2/24
SwitchB Eth0/0/2 Eth0/0/2
10.10.2.1/24 VLANIF20 VLANIF21 SwitchC 10.10.3.1/24
192.168.1.2/24 192.168.3.1/24
Source1 192.168.1.1/24 192.168.3.2/24

VLANIF20 VLANIF21 Receiver
Eth0/0/2 Eth/0/2 SwitchD
SwitchA
Eth0/0/1 Eth0/0/3 Eth0/0/3 Eth0/0/1
10.10.1.2/24 192.168.4.2/24 192.168.4.1/24
10.10.1.1/24 10.10.4.2/24 10.10.4.1/24
To meet the preceding requirements, configure basic multicast functions on the switches, and
then configure SSM mapping on SwitchD. The configuration roadmap is as follows:

Enable PIM-SM on each switch and configure a rendezvous point (RP). Enable IGMP on
the interface connected to the receiver network segment.
3. Configure SSM mapping to enable the receiver to select multicast sources.
Enable SSM mapping on the interface of SwitchD connected to the receiver network
segment, and configure SSM mapping rules on SwitchD.
Procedure
Step 2 Enable IP multicast routing on each switch, and enable PIM-SM and IGMP on interfaces.

# On SwitchD, enable IP multicast routing in the system view and enable PIM-SM on all
interfaces. Enable IGMP on VLANIF13 and set the IGMP version to v3.
[SwitchD] multicast routing-enable

[SwitchD-Vlanif13] pim sm
[SwitchD-Vlanif13] igmp enable
[SwitchD-Vlanif13] igmp version 3
# On SwitchA, enable IP multicast routing in the system view and enable PIM-SM on all
interfaces. The configurations of SwitchB and SwitchC are similar to the configuration of

# Configure VLANIF 40 of SwitchD as a static RP. The configurations of SwitchB, SwitchC,

[SwitchA] pim
[SwitchA-pim] quit
Step 3 Enable SSM mapping on the interface connected to the receiver network segment.
# Enable SSM mapping on VLANIF13 of SwitchD.

[SwitchD-Vlanif13] igmp ssm-mapping enable
Step 4 Configure the range of SSM group addresses on all Switches.

# Set the range of SSM group addresses to 232.1.1.0/24 on SwitchA. The configurations of
SwitchB, SwitchC, and SwitchD are similar to the configuration of SwitchA, and are not
mentioned here.

[SwitchA-acl-basic-2000] rule permit source 232.1.1.0 0.0.0.255
[SwitchA] pim
[SwitchA-pim] ssm-policy 2000
[SwitchA-pim] quit
Step 5 Configure SSM mapping rules on SwitchD.

# Map the multicast groups in the range of 232.1.1.0/24 to Source 1 and Source 3.
[SwitchD] igmp
[SwitchD-igmp] ssm-mapping 232.1.1.0 24 10.10.1.1

[SwitchD-igmp] ssm-mapping 232.1.1.0 24 10.10.3.1

[SwitchD-igmp] quit

# Check the SSM mapping entries on SwitchD.
<SwitchD> display igmp ssm-mapping group
IGMP SSM-Mapping conversion table
Total 2 entries 2 entries matched
00001. (10.10.1.1, 232.1.1.0)
00002. (10.10.3.1, 232.1.1.0)
Total 2 entries matched
# The receiver joins group 232.1.1.1.

# Run the display igmp group ssm-mapping command on SwitchD to view information about
the group memberships established with SSM mapping. The command output is as follows:
<SwitchD> display igmp group ssm-mapping
IGMP SSM mapping interface group report information
Vlanif13 (10.10.4.2):
Total 1 IGMP SSM-Mapping Group reported
Group Address Last Reporter Uptime Expires
232.1.1.1 10.10.4.1 00:01:44 00:00:26
<SwitchD> display igmp group ssm-mapping verbose

Interface group report information
Vlanif13 (10.10.4.2):
Total entry on this interface: 1
Total 1 IGMP SSM-Mapping Group reported
Group: 232.1.1.1
Uptime: 00:01:52
Expires: 00:00:18
Last reporter: 10.10.4.1
Last-member-query-counter: 0
Last-member-query-timer-expiry: off
Group mode: exclude
Version1-host-present-timer-expiry: off
Version2-host-present-timer-expiry: 00:01:55
# Run the display pim routing-table command on SwitchD to view the PIM-SM multicast
routing table. The command output is as follows:
<SwitchD> display pim routing-table
VPN-Instance: public net
Total 2 (S, G) entries
(10.10.1.1, 232.1.1.1)
Protocol: pim-ssm, Flag: SG_RCVR
UpTime: 00:19:40
Upstream interface: Vlanif30
Upstream neighbor: 192.168.4.2
RPF prime neighbor: 192.168.4.2
Downstream interface(s) information:
Total number of downstreams: 1
1: Vlanif13
Protocol: ssm-map, UpTime: 00:19:40, Expires: -
(10.10.3.1, 232.1.1.1)
Protocol: pim-ssm, Flag: SG_RCVR
UpTime: 00:19:40


1: Vlanif13
Protocol: ssm-map, UpTime: 00:19:40, Expires: -
----End
Configuration Files
#
sysname SwitchA
#
vlan batch 10 20 30
#
#
acl number 2000
#
interface Vlanif10
ip address 10.10.1.2 255.255.255.0
pim sm
#
interface Vlanif20
ip address 192.168.1.1 255.255.255.0
pim sm
#
interface Vlanif30
ip address 192.168.4.2 255.255.255.0
pim sm
#
#
#
#
ospf 1
area 0.0.0.0
network 10.10.1.0 0.0.0.255
network 192.168.1.0 0.0.0.255
network 192.168.4.0 0.0.0.255
#
pim
static-rp 192.168.4.2
ssm-policy 2000
#
return

#
sysname SwitchB
#
vlan batch 11 20 31
#
#
acl number 2000
#
interface Vlanif11
ip address 10.10.2.2 255.255.255.0

pim sm
#
interface Vlanif20
ip address 192.168.1.2 255.255.255.0
pim sm
#
interface Vlanif31
ip address 192.168.2.1 255.255.255.0
pim sm
#
#
#
#
ospf 1
area 0.0.0.0
network 10.10.2.0 0.0.0.255
network 192.168.1.0 0.0.0.255
network 192.168.2.0 0.0.0.255
#
pim
static-rp 192.168.4.2
ssm-policy 2000
#
return
#
sysname SwitchC
#
vlan batch 12 21 31
#
#
acl number 2000
#
interface Vlanif12
ip address 10.10.3.2 255.255.255.0
pim sm
#
interface Vlanif21
ip address 192.168.3.1 255.255.255.0
pim sm
#
interface Vlanif31
ip address 192.168.2.2 255.255.255.0
pim sm
#
#
#
#
ospf 1

area 0.0.0.0
network 10.10.3.0 0.0.0.255
network 192.168.2.0 0.0.0.255
network 192.168.3.0 0.0.0.255
#
pim
static-rp 192.168.4.2
ssm-policy 2000
#
return

#
sysname SwitchD
#
vlan batch 13 21 30
#
#
acl number 2000
#
interface Vlanif13
ip address 10.10.4.2 255.255.255.0
pim sm
igmp enable
igmp version 3
igmp ssm-mapping enable
#
interface Vlaniaf21
ip address 192.168.3.2 255.255.255.0
pim sm
#
interface Vlanif30
ip address 192.168.4.1 255.255.255.0
pim sm
#
#
#
#
ospf 1
area 0.0.0.0
network 10.10.4 0.0.0.255
network 192.168.3.0 0.0.0.255
network 192.168.4.0 0.0.0.255
#
igmp
ssm-mapping 232.1.1.0 255.255.255.0 10.10.1.1
ssm-mapping 232.1.1.0 255.255.255.0 10.10.3.1
#
pim
static-rp 192.168.4.2
ssm-policy 2000
#
return

6.2 PIM-SM (IPv4) Configuration

The PIM protocol implements multicast routing and data forwarding in a domain. The PIM-SM
protocol is a multicast routing protocol in sparse mode. It applies to a large-scale network with
sparsely-distributed group members.
6.2.1 Example for Configuring PIM-SM in the ASM Model
As shown in Figure 6-4, the shared network segment is connected to the Internet. HostA and
HostB want to receive multicast data from Source.
Figure 6-4 Networking diagram for configuring PIM-SM in the ASM model
SwitchA
PIM-SM 10.110.1.1/24
/0 0 2 4
VLANIF20
h0 IF3 .1/
Eth0/0/2
Et N 8.1
/3
VL .16
Eth0/0/1
2
A
VLANIF10 HostA
19
192.168.5.1/24 Receiver
24
/3 0 2/
/0 IF3 .1.
192.168.5.2/24
h0 N 68
Source VLANIF10
Et LA 2.1
Eth0/0/1 SwitchB
V 9
192.168.4.2/24
1
SwitchD 192.168.2.2/24
VLANIF60 VLANIF90 10.110.2.1/24
Eth0/0/4 Eth0/0/3 VLANIF40
Eth0/0/1 Eth0/0/4 Eth0/0/1 Eth0/0/2
VLANIF80 VLANIF60 SwitchE VLANIF90
10.110.3.1/24 192.168.4.1/24 Eth0/0/2 192.168.2.1/24
VLANIF50 HostB
192.168.3.2/24 Receiver
192.168.3.1/24
VLANIF50
Eth0/0/2
Eth0/0/1
SwitchC VLANIF40
10.110.2.2/24
Configure the PIM-SM protocol on the switches to enable them to provide the ASM service for
user hosts on the network. Then all the hosts in a multicast group can receive multicast data sent
from any sources to this group.

1. Configure an IP address for each interface and a unicast routing protocol. PIM is an intra-
domain multicast routing protocol that depends on unicast routing protocols.
2. Enable the multicast function on all switches providing multicast services. Before
configuring PIM-SM, you must enable the multicast function.
3. Enable PIM-SM on all interfaces. You can configure other PIM-SM functions only after
PIM-SM is enabled.
4. Enable IGMP on interfaces that connect the switch and hosts. A receiver can join and leave
a multicast group by sending IGMP messages. The leaf switches maintain the multicast
member relationship through IGMP.
NOTE
If both PIM-SM and IGMP need to be configured on interfaces that connect the switch and hosts,
you must configure PIM-SM first, and then configure IGMP.
5. Configure the RP. In PIM-SM domain, RP is essential in providing ASM services and helps
forward multicast data. You are advised to configure RP on switches that have more
multicast flows. For example, you can configure RP on SwitchE in the figure.
Procedure
Step 1 Configure an IP address for each interface and a unicast routing protocol.
# Configure the IP address and mask for each interface shown in Figure 6-4, and configure
OSPF on each switch to ensure that switches can communicate at the network layer and can
dynamically update routes through the unicast routing protocol. The configuration of SwitchB,
SwitchC, SwitchD, and SwitchE are similar to the configuration of SwitchA, and are not
provided here.
[SwitchA] ospf
Step 2 Enable multicast, and enable PIM-SM on all interfaces.

# Enable multicast on all switches and PIM-SM on all interfaces. The configuration of SwitchB,
SwitchC, SwitchD, and SwitchE are similar to the configuration of SwitchA, and are not
provided here.
Step 3 Enable IGMP on interfaces that connect the switch and hosts.
# Enable IGMP on interfaces that connect SwitchA and user hosts. The configuration of SwitchB
and SwitchC are similar to the configuration of SwitchA, and are not provided here.
Step 4 Configure the RP.

# Configure the static RP. Specify the address of static RP on all interfaces. Perform the following
configurations on SwitchA. The configuration of SwitchB, SwitchC, SwitchD, and SwitchE are
similar to the configuration of SwitchA, and are not provided here.
[SwitchA] pim

# Run the display pim interface command to check the PIM configuration and status. In this
example, the PIM information on SwitchC is displayed as follows:
<SwitchC> display pim interface
Interface State NbrCnt HelloInt DR-Pri DR-Address
Vlanif40 up 0 30 1 10.110.2.2 (local)
Vlanif50 up 1 30 1 192.168.3.1 (local)
# Run the display pim rp-info command to check the RP information on SwitchA. In this
example, the RP information on SwitchA is displayed as follows:
<SwitchA> display pim rp-info
PIM SM static RP Number:1
Static RP: 192.168.2.2
# Run the display pim routing-table command to view the PIM routing table. The multicast
source 10.110.3.100/24 sends message to the multicast group 225.1.1.1/24. Host A and Host B
join the multicast group 225.1.1.1/24. Detailed information is displayed as follows:
NOTE
By default, after the receiver's DR receives the first multicast data, an SPT switchover is performed and
(S, G) routing entries are created. Therefore, (S, G) routing entries displayed on the switch are (S, G) entries
after the SPT switchover.
[SwitchA] display pim routing-table
Total 1 (*, G) entry; 1 (S, G) entry
(*, 225.1.1.1)
RP: 192.168.2.2

Protocol: pim-sm, Flag: WC

UpTime: 00:13:46
Upstream interface: Vlanif10,
1: Vlanif20
Protocol: pim-sm, UpTime: 00:13:46, Expires:-
(10.110.3.100, 225.1.1.1)
RP: 192.168.2.2
Protocol: pim-sm, Flag: SPT ACT
UpTime: 00:00:42
1: Vlanif20
[SwitchB] display pim routing-table
(*, 225.1.1.1)
RP: 192.168.2.2
UpTime: 00:10:12
1: Vlanif40
(10.110.3.100, 225.1.1.1)
RP: 192.168.2.2
UpTime: 00:00:42
1: Vlanif40
[SwitchC] display pim routing-table

Total 1 (S, G) entry
(10.110.3.100, 225.1.1.1)
RP: 192.168.2.2
UpTime: 00:01:25
1: Vlanif40
[SwitchD] display pim routing-table


(10.110.3.100, 225.1.1.1)
RP: 192.168.2.2
UpTime: 00:00:42
1: Vlanif30
1: Vlanif60
[SwitchE] display pim routing-table

(*, 225.1.1.1)
RP: 192.168.2.2 (local)
UpTime: 00:13:16
Upstream interface: Register
1: Vlanif10
1: Vlanif90
Protocol: pim-sm, UpTime: 00:13:16, Expires: 00:03:22
(10.110.5.100, 225.1.1.1)
RP: 192.168.2.2
UpTime: 00:01:22
1: Vlanif90
----End
Configuration Files
#
sysname SwitchA
#
vlan batch 10 20 30
#
#
interface Vlanif10
ip address 192.168.5.1 255.255.255.0
pim sm
#
interface Vlanif20
ip address 10.110.1.1 255.255.255.0
pim sm
igmp enable
#
interface Vlanif30
ip address 192.168.1.1 255.255.255.0
pim sm
#


#
#
#
ospf 1
area 0.0.0.0
network 10.110.1.0 0.0.0.255
network 192.168.1.0 0.0.0.255
network 192.168.5.0 0.0.0.255
#
pim
static-rp 192.168.2.2
#
return
#
sysname SwitchB
#
#
vlan batch 40 90
#
interface Vlanif40
ip address 10.110.2.1 255.255.255.0
pim sm
igmp enable
#
interface Vlanif90
ip address 192.168.2.1 255.255.255.0
pim sm
#
#
#
ospf 1
area 0.0.0.0
network 10.110.2.0 0.0.0.255
network 192.168.2.0 0.0.0.255
#
pim
static-rp 192.168.2.2
#
return
#
sysname SwitchC
#
vlan batch 40 50
#
#
interface Vlanif40
ip address 10.110.2.2 255.255.255.0
pim sm
igmp enable
#

interface Vlanif50
ip address 192.168.3.1 255.255.255.0
pim sm
#
#
#
ospf 1
area 0.0.0.0
network 10.110.2.0 0.0.0.255
network 192.168.3.0 0.0.0.255
#
pim
static-rp 192.168.2.2
#
return
#
sysname SwitchD
#
vlan batch 30 60 80
#
#
interface Vlanif30
ip address 192.168.1.2 255.255.255.0
pim sm
#
interface Vlanif60
ip address 192.168.4.1 255.255.255.0
pim sm
#
interface Vlanif80
ip address 10.110.3.1 255.255.255.0
pim sm
#
#
#
#
ospf 1
area 0.0.0.0
network 10.110.3.0 0.0.0.255
network 192.168.1.0 0.0.0.255
network 192.168.4.0 0.0.0.255
#
pim
static-rp 192.168.2.2
#
return
#
sysname SwitchE
#

#
#
interface Vlanif10
ip address 192.168.5.2 255.255.255.0
pim sm
#
interface Vlanif50
ip address 192.168.3.2 255.255.255.0
pim sm
#
interface Vlanif60
ip address 192.168.4.2 255.255.255.0
pim sm
#
interface Vlanif90
ip address 192.168.2.2 255.255.255.0
pim sm
#
#
#
#
#
ospf 1
area 0.0.0.0
network 192.168.2.0 0.0.0.255
network 192.168.3.0 0.0.0.255
network 192.168.4.0 0.0.0.255
network 192.168.5.0 0.0.0.255
#
pim
static-rp 192.168.2.2
#
return
6.2.2 Example for Configuring PIM-SM in the SSM Model
As shown in Figure 6-5, HostA wants to receive multicast data from S1 and S2, while HostB
wants to receive multicast data from S2.

Figure 6-5 Networking diagram for configuring PIM-SM in the SSM model
PIM-SM
SwitchA
10.110.4.1/24 192.168.1.1/24 10.110.1.1/24
Eth0/0/1 Eth0/0/2 Eth0/0/3
Eth0/0/2
S1 VLANIF30
Eth0/0/1
SwitchF 192.168.1.2/24 HostA
Source VLANIF10
192.168.5.1/24 Receiver
SwitchE 192.168.5.2/24
VLANIF10
10.110.3.1/24 192.168.4.2/24 Eth0/0/1 192.168.2.1/24 10.110.2.1/24
Eth0/0/1 Eth0/0/4 Eth0/0/1 Eth0/0/2
Eth0/0/4 Eth0/0/3
S2 VLANIF60 VLANIF90
SwitchD 192.168.4.1/24 Eth0/0/2 SwitchB
VLANIF50 192.168.2.2/24
Source
192.168.3.2/24 HostB
192.168.3.1/24 Receiver
VLANIF50
Eth0/0/2
SwitchC
Eth0/0/1
VLANIF40
10.110.2.2/24
Configure the PIM-SM protocol on the switches to enable them to provide the SSM service for
user hosts on the network. Then hosts in a multicast group can receive multicast data sent from
specified sources to this group.
1. Configure an IP address for each interface and a unicast routing protocol. PIM is an intra-
domain multicast routing protocol that depends on unicast routing protocols.
2. Enable the multicast function on switches providing multicast services. Before configuring
PIM-SM, you must enable the multicast function.
3. Enable PIM-SM on all interfaces. You can configure other PIM-SM functions only after
PIM-SM is enabled.
4. Enable IGMP on interfaces that connect the switch and hosts and set the IGMP version to
IGMPv3. A receiver can join and leave a multicast group of a specified source by sending
IGMP messages. The leaf switches maintain the multicast member relationship through
IGMP.
NOTE
If both PIM-SM and IGMP need to be configured on interfaces that connect the switch and hosts,
you must configure PIM-SM first, and then configure IGMP.
5. Configure the address range for SSM groups on each switch. Ensure that switches in the
PIM-SM domain provide services only for multicast groups in the range of SSM group
addresses. In this manner, multicast can be controlled effectively.

NOTE
SSM group address range configured on each switch must be the same.
Procedure
Step 1 Configure an IP address for each interface and a unicast routing protocol.
# Configure the IP address and mask for each interface shown in Figure 6-5, and configure
OSPF on each switch to ensure that switches can communicate at the network layer and can
dynamically update routes through the unicast routing protocol. The configuration details are
not provided here. The configuration of SwitchB, SwitchC, SwitchD, SwitchE, and SwitchF are
similar to the configuration of SwitchA, and are not mentioned.
[SwitchA] ospf
Step 2 Enable multicast, and enable PIM-SM on all interfaces.

# Enable multicast on all switches and PIM-SM on all interfaces. The configuration of SwitchB,
SwitchC, SwitchD,SwitchE, and SwitchF are similar to the configuration of SwitchA, and are
not mentioned.
Step 3 Enable IGMP on interfaces that connect the switch and hosts and set the IGMP version to
IGMPv3.
# Enable IGMP on interfaces that connect SwitchA and user hosts. The configuration of SwitchB
and SwitchC are similar to the configuration of SwitchA, and are not mentioned here.


[SwitchA-Vlanif20] igmp version 3
Step 4 Configure the address range for SSM groups.

# Set the address of SSM group to range from 232.1.1.0 to 232.1.1.255 on all switches. The
configuration of SwitchB, SwitchC, SwitchD, SwitchE and SwitchF are similar to the
configuration of SwitchA, and are not mentioned here.
[SwitchA-acl-basic-2000] rule permit source 232.1.1.0 0.0.0.255
[SwitchA] pim
[SwitchA-pim] ssm-policy 2000

# Run the display pim interface command to check the PIM configuration and status. The PIM
information on SwitchC is displayed as follows:
<SwitchC> display pim interface
Interface State NbrCnt HelloInt DR-Pri DR-Address
Vlanif40 up 0 30 1 10.110.2.2 (local)
Vlanif50 up 1 30 1 192.168.3.1 (local)
# Run the display pim routing-table command to view the PIM routing table. HostA receives
information sent from multicast source 10.110.3.100/24 and 10.110.4.100/24 to the multicast
group 232.1.1.1/24. HostB receives information sent from multicast source 10.110.3.100/24 to
multicast group 232.1.1.1/24. The following information is displayed.
[SwitchA] display pim routing-table
(10.110.3.100, 232.1.1.1)
Protocol: pim-ssm, Flag: SG_RCVCR
UpTime: 00:13:46
1: Vlanif20
Protocol: pim-ssm, UpTime: 00:13:46, Expires:-
(10.110.4.100, 232.1.1.1)
UpTime: 00:00:42
1: Vlanif20
[SwitchB] display pim routing-table
(10.110.3.100, 232.1.1.1)
UpTime: 00:10:12


1: Vlanif40

(10.110.3.100, 232.1.1.1)
Protocol: pim-ssm, Flag:
UpTime: 00:01:25
1: Vlanif40
[SwitchD] display pim routing-table

(10.110.3.100, 232.1.1.1)
Protocol: pim-ssm, Flag: LOC
UpTime: 00:00:42
1: Vlanif60
[SwitchE] display pim routing-table

(10.110.3.100, 232.1.1.1)
UpTime: 00:13:16
Upstream interface: Vlanif 60
1: Vlanif10
2: Vlanif50
3: Vlanif90
Protocol: pim-ssm, UpTime: 00:13:16, Expires: 00:03:22
[SwitchF] display pim routing-table

(10.110.4.100, 232.1.1.1)
UpTime: 00:13:16
Upstream interface: Vlanif 70
1: Vlanif30
Protocol: pim-ssm, UpTime: 00:15:28, Expires: 00:05:21
----End

Configuration Files
#
sysname SwitchA
#
vlan batch 10 20 30
#
#
acl number 2000
#
interface Vlanif10
ip address 192.168.5.1 255.255.255.0
pim sm
#
interface Vlanif20
ip address 10.110.1.1 255.255.255.0
pim sm
igmp enable
igmp version 3
#
interface vlanif 30
ip address 192.168.1.1 255.255.255.0
pim sm
#
#
#
#
ospf 1
area 0.0.0.0
network 10.110.1.0 0.0.0.255
network 192.168.1.0 0.0.0.255
network 192.168.5.0 0.0.0.255
#
pim
ssm-policy 2000
#
return

#
sysname SwitchB
#
#
vlan batch 40 90
#
acl number 2000
#
interface Vlanif40
ip address 10.110.2.1 255.255.255.0
pim sm
#
interface Vlanif90
ip address 192.168.2.1 255.255.255.0
pim sm
igmp enable

igmp version 3
#
#
#
ospf 1
area 0.0.0.0
network 10.110.2.0 0.0.0.255
network 192.168.2.0 0.0.0.255
#
pim
ssm-policy 2000
#
return
#
sysname SwitchC
#
vlan batch 40 50
#
#
acl number 2000
#
interface Vlanif40
ip address 10.110.2.2 255.255.255.0
pim sm
igmp enable
igmp version 3
#
interface Vlanif50
ip address 192.168.3.1 255.255.255.0
pim sm
#
#
#
ospf 1
area 0.0.0.0
network 10.110.2.0 0.0.0.255
network 192.168.3.0 0.0.0.255
#
pim
ssm-policy 2000
#
return
#
sysname SwitchD
#
vlan batch 60 80
#
#
acl number 2000
#

interface Vlanif60
ip address 192.168.4.1 255.255.255.0
pim sm
#
interface Vlanif80
ip address 10.110.3.1 255.255.255.0
pim sm
#
#
#
ospf 1
area 0.0.0.0
network 10.110.3.0 0.0.0.255
network 192.168.4.0 0.0.0.255
#
pim
ssm-policy 2000
#
return
#
sysname SwitchE
#
#
#
acl number 2000
#
interface Vlanif10
ip address 192.168.5.2 255.255.255.0
pim sm
#
interface Vlanif50
ip address 192.168.3.2 255.255.255.0
pim sm
#
interface Vlanif60
ip address 192.168.4.2 255.255.255.0
pim sm
#
interface Vlanif90
ip address 192.168.2.2 255.255.255.0
pim sm
#
#
#
#
#
ospf 1

area 0.0.0.0
network 192.168.2.0 0.0.0.255
network 192.168.3.0 0.0.0.255
network 192.168.4.0 0.0.0.255
network 192.168.5.0 0.0.0.255
#
pim
ssm-policy 2000
#
return
l Configuration file of SwitchF

#
sysname SwitchF
#
vlan batch 30 70
#
#
acl number 2000
#
interface Vlanif30
ip address 192.168.1.2 255.255.255.0
pim sm
#
interface Vlanif70
ip address 10.110.4.1 255.255.255.0
pim sm
#
#
#
ospf 1
area 0.0.0.0
network 10.110.4.0 0.0.0.255
network 192.168.1.0 0.0.0.255
#
pim
ssm-policy 2000
#
return
6.2.3 Example for Configuring PIM BFD
In Figure 6-6, basic PIM-SM configuration has been completed on the Switches. User hosts
receive multicast data from the multicast source. SwitchA is the source DR. SwitchB and
SwitchC are connected to the user host network segment. When the receiver DR changes, other
switches are required to fast respond to the change.
You can set up BFD sessions on the user host network segment so that switches can fast respond
to the change of the DR.

Figure 6-6 Networking diagram for configuring PIM BFD on the shared network segment
SwitchA
Source
10.1.7.1/24 PIM-SM
10.1.3.1/24
VLANIF200
Eth0/0/1
10.1.2.1/24
VLANIF200 SwitchC
Eth0/0/1
SwitchB Eth0/0/2
VLANIF100
Eth0/0/2 10.1.1.2/24
VLANIF100
10.1.1.1/24
VLAN 100
HostA HostB
1. Configure PIM BFD on interfaces that connect the Switch to the user host network segment.
NOTE
This configuration example describes only relevant PIM-SM BFD commands.
Procedure
Step 1 Enable BFD globally and configure PIM BFD in the interface view.
Enable BFD globally on SwitchB and SwitchC and enable PIM BFD on interfaces connecting
to the user host network segment and configure PIM BFD parameters. The configuration of
SwitchC is similar to the configuration of SwitchB, and is not mentioned here.
[SwitchB] bfd
[SwitchB-bfd] quit
[SwitchB-Vlanif100] pim bfd enable
[SwitchB-Vlanif100] pim bfd min-tx-interval 100 min-rx-interval 100 detect-
multiplie 3

Run the display pim interface verbose command to check information on the PIM-enabled
interface. The information about the PIM-enabled interface on SwitchB indicates that the DR
on the host network segment is SwitchC. PIM BFD is enabled on the interface.
<SwitchB> display pim interface vlanif100 verbose

Interface: Vlanif100, 10.1.1.1

PIM version: 2
PIM mode: Sparse
PIM state: up
PIM DR: 10.1.1.2
PIM DR Priority (configured): 1
PIM neighbor count: 1
PIM hello interval: 30 s
PIM LAN delay (negotiated): 500 ms
PIM LAN delay (configured): 500 ms
PIM hello override interval (negotiated): 2500 ms
PIM hello override interval (configured): 2500 ms
PIM generation ID: 0XF5712241
PIM require-GenID: disabled
PIM hello hold interval: 105 s
PIM assert hold interval: 180 s
PIM triggered hello delay: 5 s
PIM J/P interval: 60 s
PIM J/P hold interval: 210 s
PIM BSR domain border: disabled
PIM BFD: enabled
PIM BFD min-tx-interval: 100 ms
PIM BFD min-rx-interval: 100 ms
PIM BFD detect-multiplier: 3
Number of routers on link not using DR priority: 0
Number of routers on link not using LAN delay: 0
# Run the display pim bfd session command to check information about the BFD session on
each Switch. You can check whether the BRD session is set up.
<SwitchB> display pim bfd session
Total 1 BFD session Created
Vlanif100 (10.1.1.1): Total 1 BFD session Created
Neighbor ActTx(ms) ActRx(ms) ActMulti Local/Remote State

10.1.1.2 100 100 3 8192/8192 Up
# Run the display pim routing-table command to view the PIM routing table. SwitchC functions
as the DR. The (S, G) and (*, G) entries exist. The following information is displayed.
<SwitchC> display pim routing-table
(*, 225.1.1.1)
RP: 10.1.5.2
UpTime: 00:13:46
1: Vlanif100,
(10.1.7.1, 225.1.1.1)
RP: 10.1.5.2
UpTime: 00:00:42
1: Vlanif100
----End

Configuration Files
l SwitchA needs to be configured with only basic PIM SM functions. The configuration file
is not provided here.
l SwitchB has the following configuration file. The configuration file of SwitchC is similar
to that of SwitchB and is not provided here.
#
sysname SwitchB
#
vlan batch 100 200
#
#
bfd
#
interface Vlanif100
ip address 10.1.1.1 255.255.255.0
pim sm
pim bfd enable
pim bfd min-tx-interval 100 min-rx-interval 100
igmp enable
#
interface Vlanif200
ip address 10.1.2.1 255.255.255.0
pim sm
#
#
#
ospf 1
area 0.0.0.0
network 10.1.1.0 0.0.0.255
network 10.1.2.0 0.0.0.255
#
return
6.3 Multicast Route Management (IPv4) Configuration

The switch can run multiple multicast routing protocols to control multicast routing and
forwarding through message exchange between the control plane and forwarding plane.
6.3.1 Example for Configuring a Multicast Static Route to Change

the RPF Route
As shown in Figure 6-7, SwitchA, SwitchB, and SwitchC run OSPF to implement IP
interworking, and switch interfaces use PIM-SM to provide multicast services. Data sent from
the multicast source (Source) is forwarded to the receiver host (Receiver) through SwitchA and
SwitchB. The link between SwitchA and SwitchB transmits unicast and multicast services
simultaneously. To reduce the loads on this link, multicast data needs to be transmitted along
the path SwitchA→SwitchC→SwitchB.

Figure 6-7 Configuring a static route to change the RPF route
SwitchC
Eth0/0/3 Eth0/0/2
VLANIF30 VLANIF40
12.1.1.2/24 13.1.1.2/24
12.1.1.1/24 13.1.1.1/24
VLANIF30 PIM-SM VLANIF40
Eth0/0/3 Eth0/0/2
SwitchA SwitchB
Eth0/0/1 Eth0/0/1
Eth0/0/2 VLANIF10 VLANIF10
9.1.1.1/24 9.1.1.2/24 Eth0/0/3
VLANIF20 VLANIF50
8.1.1.1/24 7.1.1.1/24
8.1.1.2/24 7.1.1.2/24
Source Receiver
Multicast static route
The RPF interface used to receive multicast data can be changed by configuring a multicast static
route. After the RPF route is changed, multicast and unicast services are transmitted through
different links so that the load on a single link is reduced. The configuration roadmap is as
follows:
1. Configure IP addresses for interfaces and configure a unicast routing protocol (OSPF in
this example) on each switch. Multicast routing protocols depend on unicast routing
protocols.
2. Enable multicast routing on all switches and PIM-SM on all Layer 3 interfaces. Configure
a static RP and specify the static RP address an all the switches. Enable IGMP on the
interface connected to the network segment of the receiver host. After these basic multicast
functions are configured, the switches can establish a multicast distribution tree using
default parameter settings. Then multicast data can be forwarded to Receiver along the
multicast distribution tree.
3. Configure a multicast RPF static route on SwitchB and specify SwitchC as the RPF
neighbor.
Procedure
Step 1 Configure IP addresses for interfaces and configure OSPF on each switch.
# Create VLANs and add Layer 2 physical interfaces to VLANs on the switches. (The
configurations of the other switches are similar to the configuration of SwitchB.)

[SwitchB] vlan batch 10 40 50

[SwitchB] interface ethernet0/0/1
[SwitchB-Ethernet0/0/1] port hybrid pvid vlan 10
[SwitchB-Ethernet0/0/1] port hybrid untagged vlan 10
# Configure IP addresses and masks for Layer 3 VLANIF interfaces on the switches. (The
# Configure OSPF on the switches. (The configurations of the other switches are similar to the
configuration of SwitchB.)
[SwitchB] ospf
Step 2 Enable multicast routing on the switches and enable PIM-SM on all Layer 3 interfaces.
# Enable multicast routing on all the switches and enable PIM-SM on all Layer 3 interfaces.
Enable IGMP on the interface connected to the network segment of the receiver host. (The
configurations on the other switches are similar to the configuration on SwitchB.)
[SwitchB] multicast routing-enable
[SwitchB-Vlanif10] pim sm
[SwitchB-Vlanif50] igmp enable
# Configure the IP address of VLANIF30 of SwitchC as a static RP address. (The configurations

on the other switches are similar to the configuration on SwitchB.)
[SwitchB] pim
[SwitchB-pim] static-rp 12.1.1.2
[SwitchB] quit
# Run the display multicast rpf-info command on SwitchB to check the RPF route to Source.
The following command output shows that the RPF route is originated from a unicast routing
protocol, and the RPF neighbor is SwitchA.
[SwitchB] display multicast rpf-info 8.1.1.2

RPF information about source 8.1.1.2:

RPF interface: vlanif10, RPF neighbor: 9.1.1.1
Referenced route/mask: 8.1.1.0/24
Referenced route type: unicast
Route selection rule: preference-preferred
Load splitting rule: disable
Step 3 Configure a multicast static route.

# Configure a multicast RPF static route to Source on SwitchB, and configure SwitchC as the
RPF neighbor.
[SwitchB] ip rpf-route-static 8.1.1.0 255.255.255.0 13.1.1.2

# Run the display multicast rpf-info command on SwitchB to check the RPF route to Source.
The following information is displayed, indicating that the unicast RPF route has been replaced
by the multicast static route and the RPF neighbor has changed to SwitchC.
Referenced route type: mstatic
----End
Configuration Files
#
sysname SwitchA
#
vlan batch 10 20 30
#
#
interface Vlanif10
ip address 9.1.1.1 255.255.255.0
pim sm
#
interface Vlanif20
ip address 8.1.1.1 255.255.255.0
pim sm
#
interface Vlanif30
ip address 12.1.1.1 255.255.255.0
pim sm
#
#
#
#
ospf 1
area 0.0.0.0

network 8.1.1.0 0.0.0.255

network 9.1.1.0 0.0.0.255
network 12.1.1.0 0.0.0.255
#
pim
static-rp 12.1.1.2
#
return
#
sysname SwitchB
#
vlan batch 10 40 50
#
#
interface Vlanif10
ip address 9.1.1.2 255.255.255.0
pim sm
#
interface Vlanif40
ip address 13.1.1.1 255.255.255.0
pim sm
#
interface Vlanif50
ip address 7.1.1.1 255.255.255.0
pim sm
igmp enable
#
#
#
#
ospf 1
area 0.0.0.0
network 7.1.1.0 0.0.0.255
network 9.1.1.0 0.0.0.255
network 13.1.1.0 0.0.0.255
#
pim
static-rp 12.1.1.2
#
ip rpf-route-static 8.1.1.0 24 13.1.1.2
#
return
#
sysname SwitchC
#
vlan batch 30 40
#
#
interface Vlanif30
ip address 12.1.1.2 255.255.255.0
pim sm
#
interface Vlanif40
ip address 13.1.1.2 255.255.255.0
pim sm

#
#
#
ospf 1
area 0.0.0.0
network 12.1.1.0 0.0.0.255
network 13.1.1.0 0.0.0.255
#
pim
static-rp 12.1.1.2
#
return
6.3.2 Example for Configuring Multicast Static Routes to Connect

RPF Routes
As shown in Figure 6-8, SwitchB and SwitchC run OSPF to implement IP interworking, but
they have no unicast route to SwitchA. Switch interfaces need to run PIM-SM to provide
multicast services. The receiver host (Receiver) can receive data from Source1. Now Receiver
needs to receive data from Source2.

Figure 6-8 Configuring multicast static routes to connect RPF routes
Source1
10.1.3.2/24
10.1.3.1/24 10.1.4.1/24
VLANIF13 VLANIF40
SwitchB
Eth0/0/3
Eth0/0/1 VLANIF40
PIM-SM 10.1.4.2/24 Eth0/0/1
VLANIF20
10.1.2.2/24 VLANIF11
10.1.2.1/24 10.1.5.1/24
VLANIF20
OSPF Eth0/0/1
SwitchC
Eth0/0/2
VLANIF12
10.1.1.1/24
Source2
10.1.5.2/24
Receiver
Multicast static route
An RPF route to Source2 can be established on the path SwitchC→SwitchB→SwitchA by
configuring multicast static routes on SwitchB and SwitchC. The configuration roadmap is as
follows:
1. Configure IP addresses for interfaces of the switches. Configure OSPF on SwitchB and
SwitchC but not on SwitchA, so that SwitchB and SwitchC have no unicast route to
SwitchA.
2. Enable multicast routing on all switches and PIM-SM on all Layer 3 interfaces. Configure
a static RP and specify the static RP address an all the switches. Enable IGMP on the
interface connected to the network segment of the receiver host. After these basic multicast
functions are configured, the switches can establish a multicast distribution tree using
default parameter settings. Then multicast data can be forwarded to Receiver along the
multicast distribution tree.
3. Configure multicast static routes to Source2 on SwitchB and SwitchC.

Procedure
Step 1 Configure IP addresses for interfaces and configure OSPF on each switch.
# Create VLANs and add Layer 2 physical interfaces to VLANs on the switches. (The
[SwitchB] vlan batch 13 20 40
# Configure IP addresses and masks for Layer 3 VLANIF interfaces on the switches. (The
# Configure OSPF on SwitchB and SwitchC. (The configuration of SwitchC is similar to the
configuration of SwitchB.)
[SwitchB] ospf
Step 2 Enable multicast routing on the switches and enable PIM-SM on all Layer 3 interfaces.
# Enable multicast routing on all the switches and enable PIM-SM on all Layer 3 interfaces.
Enable IGMP on the interface connected to the network segment of the receiver host. (The
configurations on the other switches are similar to the configuration on SwitchA.)
Configure SwitchA.
Configure SwitchB.
[SwitchB] multicast routing-enable

Configure SwitchC.
[SwitchC] multicast routing-enable
[SwitchC-Vlanif20] pim sm
[SwitchC-Vlanif12] igmp enable
# Configure the IP address of VLANIF20 of SwitchB as a static RP address. (The configurations

on the other switches are similar to the configuration on SwitchA.)
[SwitchB] pim
[SwitchB-pim] static-rp 10.1.2.2
[SwitchB] quit
# Source1 (10.1.3.2/24) and Source2 (10.1.5.2/24) send multicast data to group G (225.1.1.1).
After Receiver joins group G, it receives the multicast data sent by Source1 but cannot receive
the multicast data sent by Source2.
# Run the display multicast rpf-info 10.1.5.2 command on SwitchB and SwitchC. No
information is displayed, indicating that SwitchB and SwitchC have no RPF route to Source2.
Step 3 Configure multicast static routes.
# Configure a multicast RPF static route to Source2 on SwitchB, and configure SwitchA as the
RPF neighbor.
[SwitchB] ip rpf-route-static 10.1.5.0 255.255.255.0 10.1.4.2
# Configure a multicast RPF static route to Source2 on SwitchC, and configure SwitchB as the
RPF neighbor.
[SwitchC] ip rpf-route-static 10.1.5.0 255.255.255.0 10.1.2.2
# Run the display multicast rpf-info 10.1.5.2 command on SwitchB and SwitchC to check the
RPF route to Source2. The following information is displayed:
RPF information about source: 10.1.5.2
Route selecting rule: preference-preferred
[SwitchC] display multicast rpf-info 10.1.5.2

# Run the display pim routing-table command on SwitchC to check the PIM routing table.
SwitchC has multicast entries of Source2, indicating that Receiver can receive multicast data
from Source2.
Total 1 (*, G) entry; 2 (S, G) entries
(*, 225.1.1.1)
RP: 10.1.2.2
UpTime: 03:54:19
Upstream interface: NULL
Upstream neighbor: NULL
RPF prime neighbor: NULL
1: Vlanif12
Protocol: pim-sm, UpTime: 01:38:19, Expires: never
(10.1.3.2, 225.1.1.1)
RP: 10.1.2.2
Protocol: pim-sm, Flag: ACT
UpTime: 00:00:44
1: Vlanif12
(10.1.5.2, 225.1.1.1)
RP: 10.1.2.2
Protocol: pim-sm, Flag: ACT
UpTime: 00:00:44
1: Vlanif12
----End
Configuration Files
#
sysname SwitchA
#
#
vlan batch 11 40
#
interface Vlanif11
ip address 10.1.5.1 255.255.255.0
pim sm
#
interface Vlanif40
ip address 10.1.4.2 255.255.255.0
pim sm
#
#

#
pim
static-rp 10.1.2.2
#
return
#
sysname SwitchB
#
vlan batch 13 20 40
#
#
interface Vlanif13
ip address 10.1.3.1 255.255.255.0
pim sm
#
interface Vlanif20
ip address 10.1.2.2 255.255.255.0
pim sm
#
interface Vlanif40
ip address 10.1.4.1 255.255.255.0
pim sm
#
#
#
#
ospf 1
area 0.0.0.0
network 10.1.2.0 0.0.0.255
network 10.1.3.0 0.0.0.255
#
pim
static-rp 10.1.2.2
#
#
return
#
sysname SwitchC
#
vlan batch 12 20
#
#
interface Vlanif12
ip address 10.1.1.1 255.255.255.0
pim sm
igmp enable
#
interface Vlanif20
ip address 10.1.2.1 255.255.255.0
pim sm
#

#
#
ospf 1
area 0.0.0.0
network 10.1.1.0 0.0.0.255
network 10.1.2.0 0.0.0.255
#
pim
static-rp 10.1.2.2
#
#
return
6.3.3 Example for Configuring Multicast Load Splitting
As shown in Figure 6-9, SwitchE connects to HostA and has three equal-cost routes to the
multicast source (Source). According to the default RPF check policy, SwitchE will select one
of equal-cost routes to transmit multicast data. When the rate of multicast traffic is high, the
network may be congested, degrading the quality of multicast services. To ensure the quality of
multicast services, configure multicast load splitting so that multicast data can be transmitted
through multiple equal-cost routes.
Figure 6-9 Networking diagram of multicast load splitting
Source
24 19
. 1 .2 / 2 0 VL 2 . 1 6
68 IF /1 Et h AN 8 . 4
2.1 AN /0 0/0 IF6 .1/2
1 9 V L E th 0 /2 0 4
SwitchB
4 19
1 /2 2 .1
8 .1 . 6
1 6 0 VL 8.4.
9 2 . I F2 PIM-SM E A 2
1 N 1 th0NIF /24
10.110.1.2/24 VLA 0/0/ /0 / 6 0
VLANIF10 Eth 192.168.2.1/24 SwitchC 1
Eth0/0/4 192.168.5.2/24 SwitchE
VLANIF30 VLANIF80
Eth0/0/2 Eth0/0/2
SwitchA Eth0/0/1 Eth0/0/2
VLANIF30 VLANIF80
Et h /3 Eth0/0/4
0/0100 10.110.2.2/24
0 192.168.2.2/24 192.168.5.1/24
/
VL 0 / 3 t h
19 AN E NIF /24 VLANIF140
2.1 IF4 A .2
68 0 VL 68.6
.3 . 2. 1
1/2 19
Loopback0 4 Et h 2 0
/ 0 4
1.1.1.1/32 19
2.1 VLA 0/0/1 0/0 IF1 .1/2
6 8 N IF EthLAN 68.6
.3 . 4 0 V 2 .1
2/2 19
4
SwitchD
HostA

l Configure IP addresses for interfaces on the switches.
l Configure a unicast routing protocol (IS-IS in this example) to implement interworking
among all the switches and ensure that route costs are the same.
l Enable multicast routing on all the switches and enable PIM-SM on all the Layer 3
interfaces. Configure the loopback interface on SwitchA as a C-BSR and C-RP.
l On SwitchE, configure group address-based load splitting to distribute multicast data traffic
to multiple equal-cost paths.
l On SwitchE, configure static multicast groups on the interface connected to the network
segment of HostA, because HostA needs to receive data of these groups for a long time.
Procedure
Step 1 Configure IP addresses for interfaces on the switches.
# Create VLANs and add Layer 2 physical interfaces to VLANs on the switches. (Configurations
of the other switches are similar to the configuration of SwitchA.)
[SwitchA] vlan batch 10 20 30 40
# Configure IP addresses and masks for Layer 3 interfaces on the switches. (Configurations of
the other switches are similar to the configuration of SwitchA.)
[SwitchA] interface loopback0
Step 2 Configure IS-IS to implement interworking among all the switches and ensure that route costs
are the same.
# Configure SwitchA. (Configurations of the other switches are similar to the configuration of
SwitchA.)

[SwitchA] isis
[SwitchA-Vlanif10] isis enable
[SwitchA] interface loopback0
[SwitchA-LoopBack0] isis enable
Step 3 Enable multicast routing on all the switches and enable PIM-SM on all the Layer 3 interfaces.
SwitchA.)
[SwitchA-LoopBack0] pim sm
Step 4 On all the switches, specify the IP address of Loopback0 on SwitchA as a static RP address.
SwitchA.)
[SwitchA] pim
[SwitchA-pim] quit
Step 5 On SwitchE, configure group address-based load splitting.

[SwitchE] multicast load-splitting group
Step 6 Configure static multicast groups on the interface of SwitchE connected to the network segment
of HostA.
# Configure static multicast groups 225.1.1.1 to 225.1.1.3 on VLANIF140.
[SwitchE] interface Vlanif140
[SwitchE-Vlanif140] igmp static-group 225.1.1.1 inc-step-mask 32 number 3
[SwitchE-Vlanif140] quit
Step 7 Verify the configuration of multicast load splitting.

# Source (10.110.1.1/24) sends multicast data to multicast groups 225.1.1.1 to 225.1.1.3. HostA
can receive multicast data from Source. Check information about the PIM routing table on
SwitchE.

<SwitchE> display pim routing-table

Total 3 (*, G) entries; 3 (S, G) entries
(*, 225.1.1.1)
RP: 1.1.1.1
UpTime: 3d:20h
1: Vlanif140
Protocol: static, UpTime: 3d:20h, Expires: -
(10.110.1.1, 225.1.1.1)
RP: 1.1.1.1
UpTime: 00:00:11
1: Vlanif140
Protocol: pim-sm, UpTime: 00:00:11, Expires: -
(*, 225.1.1.2)
RP: 1.1.1.1
UpTime: 01:06:42
1: Vlanif140
Protocol: static, UpTime: 01:06:42, Expires: -
(10.110.1.1, 225.1.1.2)
RP: 1.1.1.1
UpTime: 00:00:11
1: Vlanif140
(*, 225.1.1.3)
RP: 1.1.1.1
UpTime: 01:06:42
1: Vlanif140
Protocol: static, UpTime: 01:06:42, Expires: -
(10.110.1.1, 225.1.1.3)
RP: 1.1.1.1
UpTime: 00:00:10
1: Vlanif140

(*, G) and (S, G) entries are evenly distributed on the three equal-cost routes. The upstream
interfaces of the routes are VLANIF100, VLANIF80, and VLANIF60 respectively.
NOTE
The load splitting algorithm processes (*, G) and (S, G) entries separately using the same rule.
----End
Configuration Files
#
sysname SwitchA
#
#
#
isis 1
network-entity 10.0000.0000.0001.00
#
interface Vlanif10
ip address 10.110.1.2 255.255.255.0
isis enable 1
pim sm
#
interface Vlanif20
ip address 192.168.1.1 255.255.255.0
isis enable 1
pim sm
#
interface Vlanif30
ip address 192.168.2.1 255.255.255.0
isis enable 1
pim sm
#
interface Vlanif40
ip address 192.168.3.1 255.255.255.0
isis enable 1
pim sm
#
#
#
#
#
interface LoopBack0
ip address 1.1.1.1 255.255.255.255
isis enable 1
pim sm
#
pim
static-rp 1.1.1.1
#
return


#
sysname SwitchB
#
vlan batch 20 60
#
#
isis 1
network-entity 10.0000.0000.0002.00
#
interface Vlanif20
ip address 192.168.1.2 255.255.255.0
isis enable 1
pim sm
#
interface Vlanif60
ip address 192.168.4.1 255.255.255.0
isis enable 1
pim sm
#
#
#
pim
static-rp 1.1.1.1
#
return

#
sysname SwitchC
#
vlan batch 30 80
#
#
isis 1
network-entity 10.0000.0000.0003.00
#
interface Vlanif30
ip address 192.168.2.2 255.255.255.0
isis enable 1
pim sm
#
interface Vlanif80
ip address 192.168.5.1 255.255.255.0
isis enable 1
pim sm
#
#
#
pim
static-rp 1.1.1.1
#
return

#
sysname SwitchD
#
vlan batch 40 100
#
#
isis 1
network-entity 10.0000.0000.0004.00
#
interface Vlanif40
ip address 192.168.3.2 255.255.255.0
isis enable 1
pim sm
#
interface Vlanif100
ip address 192.168.6.1 255.255.255.0
isis enable 1
pim sm
#
#
#
pim
static-rp 1.1.1.1
#
return
#
sysname SwitchE
#
vlan batch 60 80 100 140
#
multicast load-splitting group
#
isis 1
network-entity 10.0000.0000.0005.00
#
interface Vlanif60
ip address 192.168.4.2 255.255.255.0
isis enable 1
pim sm
#
interface Vlanif80
ip address 192.168.5.2 255.255.255.0
isis enable 1
pim sm
#
interface Vlanif100
ip address 192.168.6.2 255.255.255.0
isis enable 1
pim sm
#
interface Vlanif140
ip address 10.110.2.2 255.255.255.0
isis enable 1
pim sm
igmp static-group 225.1.1.1 inc-step-mask 0.0.0.1 number 3
#
#

#
#
#
pim
static-rp 1.1.1.1
#
return
6.4 IGMP Snooping Configuration

IGMP snooping enables a Layer 2 multicast device to create and maintain a Layer 2 multicast
forwarding table by analyzing IGMP messages exchanged between the upstream Layer 3 device
and user hosts. This technology implements on-demand multicast data transmission at the data
link layer.
6.4.1 Example for Configuring IGMP Snooping
As shown in Figure 6-10, Router connects to user hosts through a Layer 2 Switch and Router
runs IGMPv2. The multicast source sends data to multicast groups 225.1.1.1 to 225.1.1.5. On
the network, there are three receivers HostA, HostB, and HostC and the three hosts only want
to receive data of multicast groups 225.1.1.1 to 225.1.1.3.

Figure 6-10 Networking diagram for IGMP snooping configuration

Source
IP/MPLS core
Router
VLAN10
Eth0/0/3
Eth0/0/1 Eth0/0/2
Switch
HostA HostB HostC
To meet the preceding requirements, configure basic IGMP snooping functions and a multicast
group policy on the Layer 2 Switch. The configuration roadmap is as follows:
1. On the Switch, create a VLAN and add interfaces to the VLAN.

2. Enable IGMP snooping globally and in the VLAN.
3. Configure a multicast group policy and apply this policy to the VLAN.
Procedure
Step 1 Create a VLAN and add interfaces to the VLAN.
[Switch] vlan 10

Step 2 Enable IGMP snooping.

# Enable IGMP snooping globally.
[Switch] igmp-snooping enable
# Enable IGMP snooping in VLAN 10.

[Switch] vlan 10
[Switch-vlan10] igmp-snooping enable
Step 3 Configure a multicast group policy and apply this policy.

# Configure a multicast group policy.
[Switch] acl 2000
[Switch-acl-basic-2000] rule deny source 225.1.1.4 0
[Switch-acl-basic-2000] rule deny source 225.1.1.5 0
[Switch-acl-basic-2000] quit
# Apply the multicast group policy in VLAN 10.

[Switch] vlan 10
[Switch-vlan10] igmp-snooping group-policy 2000

# Check the interface information on the Switch.
<Switch> display igmp-snooping port-info vlan 10
-----------------------------------------------------------------------
(Source, Group) Port Flag
Flag: S:Static D:Dynamic M: Ssm-mapping
-----------------------------------------------------------------------
VLAN 10, 3 Entry(s)
(*, 225.1.1.1) Eth0/0/1 -D-
Eth0/0/2 -D-
2 port(s)
(*, 225.1.1.2) Eth0/0/1 -D-
Eth0/0/2 -D-
2 port(s)
(*, 225.1.1.3) Eth0/0/1 -D-
Eth0/0/2 -D-
2 port(s)
-----------------------------------------------------------------------
The command output shows that multicast groups 225.1.1.1 to 225.1.1.3 have dynamically
generated member ports Eth0/0/1 and Eth0/0/2 on the Switch.
# Check the Layer 2 multicast forwarding table on the Switch.
<Switch> display l2-multicast forwarding-table vlan 10
VLAN ID : 10, Forwarding Mode : IP
------------------------------------------------------------------------
(Source, Group) Interface Out-Vlan
------------------------------------------------------------------------
Router-port Ethernet0/0/3 10
(*, 225.1.1.1) Ethernet0/0/1 10
Ethernet0/0/2 10
Ethernet0/0/3 10
(*, 225.1.1.2) Ethernet0/0/1 10
Ethernet0/0/2 10
Ethernet0/0/3 10
(*, 225.1.1.3) Ethernet0/0/1 10
Ethernet0/0/2 10
Ethernet0/0/3 10
----------------------------------------------------------------------
Total Group(s) : 3

The command output shows that the forwarding table contains only information about multicast
groups 225.1.1.1 to 225.1.1.3. The multicast groups 225.1.1.4 to 225.1.1.5 do not forward data
to the hosts.
----End
Configuration Files
#
sysname Switch
#
vlan batch 10
#
igmp-snooping enable
#
acl number 2000
#
vlan 10
igmp-snooping group-policy 2000
#
#
#
#
return
6.4.2 Example for Configuring Layer 2 Multicast Through Static

Interfaces
As shown in Figure 6-11, Router connects to user hosts through a Layer 2 swtich. The user-side
VLANIF interface of Router has static groups 225.1.1.1 to 225.1.1.5 configured and does not
run IGMP. There are four receivers on the network: HostA, HostB, HostC, and HostD. HostA
and HostB expect to receive data of multicast groups 225.1.1.1 to 225.1.1.3 for long time. HostC
and HostD expect to receive data of multicast groups 225.1.1.4 to 225.1.1.5.

Figure 6-11 Networking diagram for Layer 2 multicast configuration through static interfaces
Source
IP/MPLS core
Router
VLAN10
Eth0/0/3
Eth0/0/1 Eth0/0/2
Switch
HostA HostB HostC HostD
To meet the preceding requirements, configure a static router port and static member ports of
IGMP snooping on the Layer 2 Switch. The configuration roadmap is as follows:

3. Configure a static router port.
4. Configure static member ports.
Procedure
Quidway> system-view
[Switch] vlan 10




[Switch] vlan 10
Step 3 Configure a static router port.

[Switch-Ethernet0/0/3] igmp-snooping static-router-port vlan 10
Step 4 Configure static member ports.

[Switch-Ethernet0/0/1] l2-multicast static-group group-address 225.1.1.1 to
225.1.1.3 vlan 10
[Switch-Ethernet0/0/2] l2-multicast static-group group-address 225.1.1.4 to
225.1.1.5 vlan 10
# Check the router port information on the Switch.

<Switch> display igmp-snooping router-port vlan 10
Port Name UpTime Expires Flags
---------------------------------------------------------------------
VLAN 10, 1 router-port(s)
Eth0/0/3 00:20:09 -- STATIC
The command output shows that Eth0/0/3 has been configured as static router port.
# Check the member port information on the Switch.

<Switch> display igmp-snooping port-info vlan 10
-----------------------------------------------------------------------
-----------------------------------------------------------------------
VLAN 10, 5 Entry(s)
(*, 225.1.1.1) Eth0/0/1 S--
1 port(s)
(*, 225.1.1.2) Eth0/0/1 S--
1 port(s)
(*, 225.1.1.3) Eth0/0/1 S--
1 port(s)
(*, 225.1.1.4) Eth0/0/2 S--
1 port(s)
(*, 225.1.1.5) Eth0/0/2 S--
1 port(s)
-----------------------------------------------------------------------
The command output shows that multicast groups 225.1.1.1 to 225.1.1.3 have a static member
port Eth0/0/1 on the Switch and multicast groups 225.1.1.4 to 225.1.1.5 have a static member
port Eth0/0/2 on the Switch.
# Check the Layer 2 multicast forwarding table on the Switch.


---------------------------------------------------------------------------
---------------------------------------------------------------------------
(*, 225.1.1.1) Ethernet0/0/1 10
Ethernet0/0/3 10
(*, 225.1.1.2) Ethernet0/0/1 10
Ethernet0/0/3 10
(*, 225.1.1.3) Ethernet0/0/1 10
Ethernet0/0/3 10
(*, 225.1.1.4) Ethernet0/0/2 10
Ethernet0/0/3 10
(*, 225.1.1.5) Ethernet0/0/2 10
Ethernet0/0/3 10
--------------------------------------------------------------------------
Total Group(s) : 5
The command output shows that multicast groups 225.1.1.1 to 225.1.1.5 have a forwarding table
on the Switch.
----End
Configuration Files
#
sysname Switch
#
vlan batch 10
#
#
vlan 10
#
l2-multicast static-group group-address 225.1.1.1 to 225.1.1.3 vlan 10
#
l2-multicast static-group group-address 225.1.1.4 to 225.1.1.5 vlan 10
#
igmp-snooping static-router-port vlan 10
#
return
6.4.3 Example for Configuring an IGMP Snooping Querier
As shown in Figure 6-12, on a pure Layer 2 network, multicast sources Source1 and Source2
send multicast data to multicast groups 224.1.1.1 and 225.1.1.1. HostA and HostC expect to
receive data of multicast group 224.1.1.1 for long time, while HostB and HostD expect to receive
data of multicast group 225.1.1.1 for long time. All the hosts run IGMPv2.

Figure 6-12 Networking diagram for IGMP snooping querier configuration

Source1 Source2
VLAN10
Eth0/0/3 Eth0/0/4
Eth0/0/1 Eth0/0/2 Eth0/0/3
Eth0/0/2
HostA SwitchA SwitchB Eth0/0/1 HostB
Eth0/0/1
Eth0/0/1 Eth0/0/2
Eth0/0/2 Eth0/0/3
HostD SwitchD SwitchC HostC
To meet the preceding requirements, enable IGMP snooping on the four switches and configure
an IGMP snooping querier. Enable all the switches to discard unknown multicast packets to
prevent the switches from broadcasting multicast data in the VLAN when there are no Layer 2
multicast forwarding entries on the switches. The configuration roadmap is as follows:
1. On all the switches, create a VLAN and add interfaces to the VLAN according to Figure
6-12.
2. Enable IGMP snooping globally and in the VLAN on all the switches.
3. Configure SwitchA as an IGMP snooping querier.
4. Enable all the Switches to discard unknown multicast packets.
Procedure
Step 1 On all the switches, create a VLAN and add interfaces to the VLAN.
[SwitchA] vlan 10


# The configurations of SwitchB, SwitchC and SwitchD are similar to the configuration of
SwitchA, and the configurations are not provided here.
Step 2 Enable IGMP snooping globally and in the VLAN on all the switches.
[SwitchA] igmp-snooping enable
[SwitchA] vlan 10
[SwitchA-vlan10] igmp-snooping enable
Step 3 Configure SwitchA as an IGMP snooping querier.

[SwitchA] vlan 10
[SwitchA-vlan10] igmp-snooping querier enable
Step 4 Enable all the switches to discard unknown multicast packets.

NOTE
On the S2300 (except the S2352P-EI), run this command in the system view.
[SwitchA] vlan 10
[SwitchA-vlan10] multicast drop-unknown
# When the IGMP snooping querier begins to work, all the switches except the IGMP snooping
querier receive IGMP General Query messages. Run the display igmp-snooping statistics vlan
10 command on SwitchB to view IGMP message statistics. The command output is as follows:
<SwitchB> display igmp-snooping statistics vlan 10
IGMP Snooping Packets Counter
Statistics for VLAN 10
Recv V1 Report 0
Recv V2 Report 32
Recv V3 Report 0
Recv V1 Query 0
Recv V2 Query 30
Recv V3 Query 0
Recv Leave 0
Recv Pim Hello 0
Send Query(S=0) 0
Send Query(S!=0) 0
Suppress Report 0
Suppress Leave 0
Proxy Send General Query 0
Proxy Send Group-Specific Query 0
Proxy Send Group-Source-Specific Query 0
----End

Configuration Files
#
sysname SwitchA
#
vlan batch 10
#
#
vlan 10
multicast drop-unknown
igmp-snooping querier enable
#
#
#
#
return

#
sysname SwitchB
#
vlan batch 10
#
#
vlan 10
#
#
#
#
#
return

#
sysname SwitchC
#
vlan batch 10
#
#
vlan 10

#
#
#
#
return

#
sysname SwitchD
#
vlan batch 10
#
#
vlan 10
#
#
#
return
6.4.4 Example for Configuring IGMP Snooping Proxy
As shown in Figure 6-13, Router connects to user hosts through a Layer 2 Switch and Router
runs IGMPv3. There are multiple receiver hosts on the network, and the administrator expects
that exchange of IGMP messages will not be a burden to Router.

Figure 6-13 Networking diagram for the IGMP snooping proxy configuration
Source
IP/MPLS core
Router
VLAN10 Eth0/0/3
Eth0/0/1 Eth0/0/2
Switch
… …
HostA HostG HostH HostN
To meet the preceding requirements, configure IGMP snooping proxy on the Switch. The
configuration roadmap is as follows:
1. Create a VLAN and add interfaces to the VLAN.
3. Configure IGMP snooping proxy on the Switch to reduce packet exchange between the
Switch and Router.
4. Disable the Switch from sending IGMP Query messages to the upstream Router to prevent
election of the IGMP querier.
Procedure
[Switch] vlan 10




[Switch] vlan 10
# Configure IGMPv3 snooping to enable the Switch to process IGMP messages of all versions.
[Switch-vlan10] igmp-snooping version 3
Step 3 Enable IGMP snooping proxy.

[Switch-vlan10] igmp-snooping proxy
Step 4 Disable the Switch from sending IGMP Query messages to the upstream Router.
[Switch-Ethernet0/0/3] igmp-snooping proxy-uplink-port vlan 10

# Check IGMP message statistics on the Switch.
<Switch> display igmp-snooping statistics vlan 10
IGMP Snooping Packets Counter
Recv V1 Report 0
Recv V2 Report 121
Recv V3 Report 0
Recv V1 Query 0
Recv V2 Query 0
Recv V3 Query 0
Recv Leave 82
Recv Pim Hello 0
Send Query(S=0) 0
Send Query(S!=0)0
Suppress Report 0
Suppress Leave 0
Proxy Send General Query 135
Proxy Send Group-Specific Query 95
Proxy Send Group-Source-Specific Query 0
The command output shows that the IGMP snooping proxy takes effect as the Switch functions
as a proxy to send IGMP General Query messages.
----End
Configuration Files
#
sysname Switch
#
vlan batch 10
#
#

vlan 10
igmp-snooping version 3
igmp-snooping proxy
#
port pvid untagged vlan 10
#
#
igmp-snooping proxy-uplink-port vlan 10
#
return
6.4.5 Example for Configuring IGMP Snooping SSM Mapping
As shown in Figure 6-14, Router connects to user hosts through a Layer 2 Switch. Router runs
IGMPv3 and uses the ASM mode and SSM mode to provide multicast services. User hosts
HostA, HostB, and HostC on the network run IGMPv2 and do not support IGMPv3. The
multicast sources Source1 and Source2 send multicast data to the multicast group 225.1.1.1, but
the user hosts want to receive only the multicast data sent from Source1.
Figure 6-14 Networking diagram for the SSM mapping configuration
IP/MPLS core Source2

10.10.2.1
Source1
10.10.1.1
Router
VLAN10
Eth0/0/3
Switch
Eth0/0/1
HostA HostB HostC

To meet the preceding requirements, configure SSM mapping on the Switch. The configuration

3. Configure an IGMP snooping SSM policy to add the multicast address of the ASM mode
to the SSM group address range.
4. Configure SSM mapping to allow the users to receive only multicast data sent from the
specified source.
Procedure
[Switch] vlan 10


[Switch] vlan 10
Step 3 Configure an IGMP snooping SSM policy.
# Create an ACL, and configure a rule that allows hosts to receive data of multicast group
225.1.1.1.
[Switch] acl number 2008
[Switch-acl-basic-2008] rule 5 permit source 225.1.1.1 0
# Apply the SSM mapping policy in the VLAN and treat the multicast group 225.1.1.1 as a
member in the SSM groups.
[Switch] vlan 10
[Switch-vlan10] igmp-snooping ssm-policy 2008
Step 4 Enable SSM mapping.
# Configure the Switch to run IGMPv3, enable SSM mapping, and configure a mapping between
the multicast group 225.1.1.1 and the source IP address 10.10.1.1.
[Switch-vlan10] igmp-snooping version 3
[Switch-vlan10] igmp-snooping ssm-mapping enable

[Switch-vlan10] igmp-snooping ssm-mapping 225.1.1.1 32 10.10.1.1


# Check the IGMP snooping configuration in the VLAN.
<Switch> display igmp-snooping vlan configuration
IGMP Snooping Configuration for VLAN 10
igmp-snooping ssm-mapping enable
igmp-snooping ssm-policy 2008
igmp-snooping ssm-mapping 225.1.1.1 255.255.255.255 10.10.1.1
An SSM mapping policy has been configured in VLAN 10.

# Check the Layer 2 multicast forwarding table.
----------------------------------------------------------------------------
----------------------------------------------------------------------------
(10.10.1.1, 225.1.1.1) Ethernet0/0/1 10
Ethernet0/0/3 10
(10.10.1.1, 225.1.1.1) Stream 10
Ethernet0/0/3 10
----------------------------------------------------------------------------
Total Group(s) : 1
The command output shows that a mapping entry (10.10.1.1, 225.1 .1.1) has been generated on
the Switch. The mapping entry indicates that the data is sent by Source1.
NOTE
The preceding stream entries are triggered by unknown streams that are generated because user hosts have
no order for services delivered from multicast source 10.10.2.1.
----End
Configuration Files
#
sysname Switch
#
vlan batch 10
#
#
acl number 2008
#
vlan 10
igmp-snooping ssm-mapping enable
igmp-snooping ssm-policy 2008
igmp-snooping ssm-mapping 225.1.1.1 255.255.255.255 10.10.1.1
#
#


#
return
6.5 Multicast VLAN Replication Configuration

After multicast VLAN replication is configured on a device, the upstream device only needs to
transmit multicast data to a multicast VLAN. This function saves bandwidth because the
upstream device does not need to send a copy of multicast data to each user VLAN.
6.5.1 Example for Configuring 1-to-N Multicast VLAN Replication

Based on User VLANs
As shown in Figure 6-15, service VLAN 10 is used to transmit multicast data between RouterA
and SwitchA. HostA, HostB, and HostC belong to VLAN 100, VLAN 200, and VLAN 300
respectively. All of them want to receive multicast data from Source.
You can configure 1-to-N multicast VLAN replication based on user VLANs, so that RouterA
only needs to copy multicast data for VLAN 10 to respond to the same multicast data request
from different user hosts. This reduces bandwidth consumption between RouterA and SwitchA.
Figure 6-15 Configuring 1-to-N multicast VLAN replication based on user VLANs
Source GE1/0/0 RouterA
VLAN10
Eth0/0/1 SwitchA
Eth0/0/2 Eth0/0/4
Eth0/0/3
VLAN100 VLAN200 VLAN300
HostA HostB HostC

Receiver Receiver Receiver
1. Enable IGMP snooping in the system view.
2. Create user VLANs and enable IGMP snooping in the user VLANs.
3. Create a multicast VLAN and enable IGMP snooping in the multicast VLAN.

4. Bind the user VLANs to the multicast VLAN.

5. Add the network-side interface and user-side interfaces to VLANs as hybrid interfaces.
Procedure
Step 1 Enable IGMP snooping in the system view.
<SwitchA> system-view
Step 2 Create user VLANs and enable IGMP snooping in the user VLANs.
[SwitchA] vlan 100
[SwitchA] vlan 200
[SwitchA] vlan 300
Step 3 Create a multicast VLAN and enable IGMP snooping in the multicast VLAN.
[SwitchA] vlan 10
[SwitchA-vlan10] multicast-vlan enable
Step 4 Bind user VLANs 100, 200, and 300 to multicast VLAN 10.
[SwitchA-vlan10] multicast-vlan user-vlan 100 200 300
Step 5 Add interfaces to VLANs as hybrid interfaces.

# Add Eth0/0/1 to multicast VLAN 10.
# Add Eth0/0/2, Eth0/0/3, and Eth0/0/4 to user VLANs 100, 200, and 300 respectively.
Step 6 Verify the configuration. View information about the multicast VLAN and user VLANs on
SwitchA.
[SwitchA] display multicast-vlan vlan
Total multicast vlan 1
multicast-vlan user-vlan number snooping-state
----------------------------------------------------------------
10 3 IGMP Enable /MLD Disable
[SwitchA] display user-vlan vlan
Total user vlan 3
user-vlan snooping-state multicast-vlan snooping-state
-----------------------------------------------------------------------------
100 IGMP Enable /MLD Disable 10 IGMP Enable /MLD Disable


----End
Configuration Files
#
sysname SwitchA
#
vlan batch 10 100 200 300
#
#
vlan 10
multicast-vlan enable
multicast-vlan user-vlan 100 200 300
#
vlan 100
#
vlan 200
#
vlan 300
#
#
#
#
#
return
6.5.2 Example for Configuring N-to-N Multicast VLAN Replication

Based on User VLANs
As shown in Figure 6-16, the Switch is connected to RouterA, RouterB, and the Receiver
through Eth0/0/1, Eth0/0/2, and Eth0/0/3 respectively. S1 and S2 are multicast sources provided
by different ISPs.
You can configure N-to-N multicast VLAN replication based on user VLANs and distinguish
ISPs by different multicast VLANs, so that the user host can receive multicast data sent from
S1 to the multicast group 225.1.1.1 and from S2 to the multicast group 225.1.2.1.

Figure 6-16 Configuring N-to-N multicast VLAN replication based on user VLANs
S1 RouterA RouterB S2
MVLAN10 MVLAN20
Eth0/0/1 Eth0/0/2
Eth0/0/3 Switch
VLAN100
Receiver

2. Create a user VLAN and enable IGMP snooping in the user VLAN. Enable the triggering
of the multicast flow in the user VLAN.
3. Create multicast VLANs and enable IGMP snooping in the multicast VLANs.
4. Add the user VLAN to multiple multicast VLANs and configure static multicast flow in
the multicast VLANs.
5. Add the network-side interfaces and user-side interface to VLANs as hybrid interfaces.
Procedure
Step 1 Enable IGMP snooping in the system view.
Step 2 Create user VLAN 100 and enable IGMP snooping in the user VLAN. Enable the triggering of
the multicast flow in the user VLAN.
[Switch] vlan 100
[Switch-vlan100] multicast flow-trigger enable
Step 3 Create multicast VLANs 10 and 20 and enable IGMP snooping in the multicast VLANs.
[Switch] vlan 10
[Switch-vlan10] multicast-vlan enable
[Switch] vlan 20
[Switch-vlan20] multicast-vlan enable
Step 4 Add user VLAN 100 to multicast VLANs 10 and 20 and configure static multicast flow in the
multicast VLANs.

[Switch] vlan 10
[Switch-vlan10] multicast-vlan user-vlan 100
[Switch-vlan10] multicast static-flow 225.1.1.1
[Switch] vlan 20
[Switch-vlan20] multicast-vlan user-vlan 100
[Switch-vlan20] multicast static-flow 225.1.2.1
Step 5 Add interfaces to VLANs as hybrid interfaces.

# Add Eth0/0/1 to multicast VLAN 10. Add Eth0/0/2 to multicast VLAN 20.
# Add Eth0/0/3 to user VLAN 100.


# Run the display user-vlan vlan command on the Switch. You can see that the user VLAN
has been added to multicast VLANs 10 and 20.
[Switch] display user-vlan vlan
Total user vlan 2
user-vlan snooping-state multicast-vlan snooping-state
-----------------------------------------------------------------------------
# Run the display multicast static-flow command. You can see that the static multicast flow in
the multicast VLAN, which indicates that users in the user VLAN can be added to the multicast
group.
[Switch] display multicast static-flow
-------------------------------------------------------------------
Vlan (Source, Group)
-------------------------------------------------------------------
10 (*, 225.1.1.1)
20 (*, 225.1.2.1)
-------------------------------------------------------------------
Total Table(s) : 2
----End
Configuration Files
#
sysname Switch
#
#
#
vlan 10

multicast static-flow 225.1.1.1
multicast-vlan user-vlan 100
#
vlan 20
multicast static-flow 225.1.2.1
multicast-vlan user-vlan 100
#
vlan 100
multicast flow-trigger enable
#
#
#
#
return
6.5.3 Example for Configuring Interface-based Multicast VLAN

Replication
As shown in Figure 6-17, Eth0/0/1 of the SwitchA is connected to the Router. Eth0/0/2 provides
services for ISP1, and Eth0/0/3 provides services for ISP2. ISP1 and ISP2 use multicast VLAN
2 and VLAN 3 respectively to provide multicast services for users. Eth0/0/2 and Eth0/0/3 have
the same user VLAN (VLAN 10).
To protect interests of the ISPs and ensure that multicast packets of each ISP are sent only to
users of the ISP, the interface-based multicast VLAN replication is required. After the
configuration is complete, multicast data of an ISP will be sent only to the interface connected
to the ISP.

Figure 6-17 Configuring interface-based multicast VLAN replication
Router GE1/0/0
Source
Eth0/0/1
Eth0/0/2
Eth0/0/3
SwitchA
ISP1 ISP2
VLAN10 VLAN10
Receiver Receiver
HostA HostB
Multicast Packet
Multicast VLAN 2
Multicast VLAN 3
2. Create user VLAN 10.
3. Create multicast VLANs 2 and 3 and enable IGMP snooping in the multicast VLANs.
4. Bind user VLAN 10 to multicast VLANs on Eth0/0/2 and Eth0/0/3 respectively.
5. Add the network-side interface and user-side interfaces to VLANs as hybrid interfaces.
Procedure
Step 1 Create user VLAN 10.
Step 2 Create multicast VLANs 2 and 3 and enable IGMP snooping in the multicast VLANs.
[SwitchA] vlan 2
[SwitchA] vlan 3
Step 3 Bind user VLAN 10 to multicast VLANs on Eth0/0/2 and Eth0/0/3 respectively.
[SwitchA-Ethernet0/0/2] l2-multicast-bind vlan 10 mvlan 2

[SwitchA-Ethernet0/0/3] l2-multicast-bind vlan 10 mvlan 3
Step 4 Add Eth0/0/1 to the multicast VLANs. Add Eth0/0/2 and Eth0/0/3 to the user VLAN.
# Add Eth0/0/1 to multicast VLANs 2 and 3 as a trunk interface.
# Add Eth0/0/2 and Eth0/0/3 respectively to user VLAN 10 as hybrid interfaces.


Run the display l2-multicast-bind command on SwitchA to view binding between the user
VLAN and multicast VLANs.
[SwitchA] display l2-multicast-bind
-------------------------------------------------------------------
Port Startvlan Endvlan Mvlan
-------------------------------------------------------------------
Ethernet0/0/2 10 -- 2
Ethernet0/0/3 10 -- 3
-------------------------------------------------------------------
Total Table(s) : 2
----End
Configuration Files
#
sysname SwitchA
#
vlan batch 2 to 3 10
#
#
vlan 2
#
vlan 3
#
#
l2-multicast-bind vlan 10 mvlan 2
#


l2-multicast-bind vlan 10 mvlan 3
#
return
6.6 Controllable Multicast Configuration

Controllable multicast flexibly controls user rights to join multicast groups and meets the
requirements of IPTV services.
6.6.1 Example for Configuring Controllable Multicast
As shown in Figure 6-18, multicast groups G1 (225.0.0.1), G2 (225.0.0.2), G3 (225.0.0.3), and
G4 (225.0.0.4) exist on the network connected to the router. You are required to configure users
in VLAN 10 and VLAN 20 to watch only G1 and G2 and users in VLAN 30 and VLAN 40 to
watch all multicast groups.
NOTE
This example illustrates how to configure controllable multicast on an IPv4 network. Controllable multicast
configuration on an IPv6 network is similar. You only need to replace IGMP snooping with MLD snooping
on the IPv6 network.
Figure 6-18 Configuring controllable multicast

G1(10.1.1.1,225.0.0.1) G3(12.1.1.1,225.0.0.3)
Network
G2(11.1.1.1,225.0.0.2) G4(13.1.1.1,225.0.0.4)
Switch
/1 Eth
th 0/0 0/0
Et h
E /4
0/2
0/
0/0
h
Et
/3
VLAN10 VLAN20 VLAN30 VLAN40

You can configure controllable multicast on the switch.The configuration roadmap is as follow:
1. Configure IGMP snooping on the switch.
2. Configure controllable multicast.
l Configure two multicast group lists L1 (G1, G2) and L2 (G3, G4).
l Configure two multicast profiles P1 and P2.
1. Configure user VLANs and add interfaces to these user VLANs.
[Switch] vlan batch 10 20 30 40
2. Configure IGMP snooping.

[Switch] vlan 10
[Switch] vlan 20
[Switch] vlan 30
[Switch] vlan 40
3. Configure controllable multicast.

# Configure multicast groups.
[Switch] btv
[Switch-btv] multicast-group G1 ip-address 225.0.0.1
# Configure multicast group lists.

[Switch-btv] multicast-list L1
[Switch-btv-list-L1] add multicast-group name G1
[Switch-btv-list-L1] quit
[Switch-btv] multicast-list L2
[Switch-btv-list-L2] quit
# Configure multicast profiles.

[Switch-btv] multicast-profile P1
[Switch-btv-profile-P1] add multicast-list name L1 watch
[Switch-btv-profile-P1] quit
[Switch-btv] multicast-profile P2
[Switch-btv-profile-P2] quit
[Switch-btv] quit
# Apply multicast profiles to VLANs.
[Switch] vlan 10
[Switch-vlan10] attach multicast-profile P1
[Switch] vlan 20
[Switch] vlan 30
[Switch] vlan 40
[Switch] display multicast-profile-apply
------------------------------------------------------------------------------
Vlan-id Port SMAC Max-Users

Index Profile-name
------------------------------------------------------------------------------
Vlan10 -- --
8
1 P1
Vlan20 -- --
8
1 P1
Vlan30 -- --
8
2 P2
Vlan40 -- --
8
2 P2
Total: 4
[Switch] display multicast-profile
-----------------------------------------------------------------------------
Index Profile-Name Multicast-list Attach-

User
-----------------------------------------------------------------------------
1 P1 1 2
2 P2 2 2
Total: 2
[Switch] display multicast-list
-------------------------------------------------------------------------
Index Multicast-list-name Multicast-
group
-------------------------------------------------------------------------
1 L1
2
2 L2
2

Total: 2
[Switch] display multicast-group

-------------------------------------------------------------------------
Index Multicast-group-name
Address
-------------------------------------------------------------------------
1 G1 225.0.0.1
2 G2 225.0.0.2
3 G3 225.0.0.3
4 G4 225.0.0.4
Total: 4
Configuration Files
sysname Switch
#
#
#
btv
multicast-group G1 ip-address 225.0.0.1
multicast-list L1
add multicast-group name G1
multicast-list L2
multicast-profile P1
add multicast-list name L1 watch
multicast-profile P2
#
vlan 10
attach multicast-profile P1
#
vlan 20
#
vlan 30
#
vlan 40
#
#
#

#
#
return
6.7 MLD Configuration

On an IPv6 network, you can manage local multicast group members by configuring MLD on
multicast device interfaces connected to user networks.
6.7.1 Example for Configuring Basic MLD Functions
On the IPv6 network shown in Figure 6-19, unicast routes are working properly. The multicast
function needs to be enabled on the network so that hosts can receive multicast data.
Figure 6-19 Networking diagram of configuring basic MLD functions
PIM network Ethernet

HostA
VLANIF100 Receiver
GE0/0/2 3000::12/64 N1
VLANIF101 GE0/0/1
2002::1/64 SwitchA HostB
VLANIF200
3001::10/64 Leaf network
GE0/0/2
VLANIF201 GE0/0/1
2003::1/64 SwitchB HostC
VLANIF200 Receiver
3001::12/64 N2
GE0/0/2 GE0/0/1 HostD
VLANIF301
2004::1/64 SwitchC
Ethernet
1. Enable the IPv6 multicast function so that multicast data can be forwarded on the network.
To achieve this purpose, enable PIM-SM (IPv6) on each switch.
2. Enable MLD on the interfaces connected to hosts so that hosts can receive multicast data.

Procedure
Step 1 Create VLANs and VLANIF interfaces on the switches and assign IPv6 addresses to the
VLANIF interfaces. The configuration details are not mentioned here.
Step 2 Enable the IPv6 multicast function and enable MLD and PIM-SM (IPv6) on the interfaces
connected to hosts.
# Enable the IPv6 multicast function on SwitchA, and enable MLD and PIM-SM (IPv6) on
VLANIF 100.
[SwitchA] multicast ipv6 routing-enable
[SwitchA-Vlanif100] pim ipv6 sm
[SwitchA-Vlanif100] mld enable
# The configurations of SwitchB and SwitchC are similar to the configuration of SwitchA and
# Run the display mld interface command to check information about MLD configuration and
running on each interface of the switches. MLD information about VLANIF 200 on SwitchB is
as follows:
<SwitchB> display mld interface vlanif 200 verbose
Vlanif200(FE80::200:5EFF:FE66:5100):
MLD is enabled
Current MLD version is 2
MLD state: up
MLD group policy: none
MLD limit: -
Value of query interval for MLD (negotiated): 125 s
Value of query interval for MLD (configured): 125 s
Value of other querier timeout for MLD: 0 s
Value of maximum query response time for MLD: 10 s
Value of last listener query time: 2 s
Value of last listener query interval: 1 s
Value of startup query interval: 31 s
Value of startup query count: 2
General query timer expiry (hours:minutes:seconds): 00:00:28
Querier for MLD: FE80::200:5EFF:FE66:5100 (this router)
MLD activity: 0 joins, 0 dones
Robustness (negotiated): 2
Robustness (configured): 2
Require-router-alert: disabled
Send-router-alert: enabled
Ip-source-policy: disabled
Query Ip-source-policy: disabled
Prompt-leave: disabled
SSM-Mapping: disabled
Startup-query-timer-expiry: on
Other-querier-present-timer-expiry: off
The command output shows that SwitchB is a querier. This is because the IPv6 address of
VLANIF 200 on SwitchB is smaller than those of other multicast switches on the same network
segment.
----End

Configuration Files
#
sysname SwitchA
#
vlan batch 100 101
#
ipv6
#
multicast ipv6 routing-enable
#
interface Vlanif100
ipv6 enable
pim ipv6 sm
mld enable
#
interface Vlanif101
ipv6 enable
pim ipv6 sm
#
#
#
return

#
sysname SwitchB
#
vlan batch 200 201
#
ipv6
#
#
interface Vlanif200
ipv6 enable
pim ipv6 sm
mld enable
#
interface Vlanif201
ipv6 enable
pim ipv6 sm
#
#
#
return

#
sysname SwitchC
#
vlan batch 200 301

#
ipv6
#
#
interface Vlanif200
ipv6 enable
pim ipv6 sm
mld enable
#
interface Vlanif301
ipv6 enable
pim ipv6 sm
#
#
#
return
6.7.2 Example for Configuring the MLD Limit
In Figure 6-20, multicast services are deployed on the network. The MLD limit needs to be
configured for the entire system and an interface on SwitchA, SwitchB, and SwitchC to limit
the number of multicast groups that users can join. When the number of multicast memberships
reaches the MLD limit, no new MLD entry can be created. This configuration ensures that users
in existing multicast groups receive stable multicast data.
Figure 6-20 Networking diagram of configuring the MLD limit
PIM network Ethernet

HostA
VLANIF100 Receiver
GE0/0/2 3000::12/64 N1
VLANIF101 GE0/0/1
2002::1/64 SwitchA HostB
VLANIF200
3001::10/64 Leaf network
GE0/0/2
VLANIF201 GE0/0/1
2003::1/64 SwitchB HostC
VLANIF200 Receiver
3001::12/64 N2
GE0/0/2 GE0/0/1 HostD
VLANIF301
2004::1/64 SwitchC
Ethernet

1. Enable the IPv6 multicast function so that multicast data can be forwarded on the network.
To achieve this purpose, enable PIM-SM (IPv6) on each switch.
2. Enable MLD on the interfaces connected to hosts.
3. Configure the MLD limit on SwitchA, SwitchB, and SwitchC.
Procedure
Step 1 Create VLANs and VLANIF interfaces on the switches and assign IPv6 addresses to the
VLANIF interfaces. The configuration details are not mentioned here.
Step 2 Enable the multicast function and enable MLD and PIM-SM (IPv6) on the interfaces connected
to hosts.
# Enable the IPv6 multicast function on SwitchA, and enable MLD and PIM-SM (IPv6) on
VLANIF 100.
[SwitchA] multicast ipv6 routing-enable
[SwitchA-Vlanif100] mld enable
Step 3 Set the MLD limit on the last-hop switch.
# Set the MLD limit on SwitchA to 50.
[SwitchA] mld global limit 50
# Set the MLD limit on VLANIF 100 to 30.

[SwitchA-Vlanif100] mld limit 30
# Run the display mld interface command to check information about MLD configuration and
running on each interface of the switches. MLD information about VLANIF 100 on SwitchB is
as follows:
[SwitchB] display mld interface vlanif 100
Vlanif100(FE80::200:5EFF:FE66:5100):
MLD is enabled
Current MLD version is 2
MLD state: up
MLD group policy: none
MLD limit: 30
Value of query interval for MLD (negotiated): 125 s

Value of query interval for MLD (configured): 125 s

Value of other querier timeout for MLD: 0 s
Value of maximum query response time for MLD: 10 s
Querier for MLD: FE80::200:5EFF:FE66:5100 (this router)
The command output shows that the MLD limit on VLANIF 100 of SwitchB is 30.
----End
Configuration Files
#
sysname SwitchA
#
vlan batch 100 101
#
ipv6
#
mld global limit 50
#
#
interface Vlanif100
ipv6 enable
pim ipv6 sm
mld enable
mld limit 30
#
interface Vlanif101
ipv6 enable
pim ipv6 sm
#
#
#
return

#
sysname SwitchB
#
vlan batch 200 201
#
ipv6
#
mld global limit 50
#
#
interface Vlanif200
ipv6 enable
pim ipv6 sm
mld enable
mld limit 30
#
interface Vlanif201
ipv6 enable
pim ipv6 sm

#
#
#
return

#
sysname SwitchC
#
vlan batch 200 301
#
ipv6
#
mld global limit 50
#
#
interface Vlanif200
ipv6 enable
pim ipv6 sm
mld enable
mld limit 30
#
interface Vlanif301
ipv6 enable
pim ipv6 sm
#
#
#
return
6.8 MLD Snooping Configuration

MLD snooping is configured on Layer 2 multicast devices to resolve the MLD packets between
Layer 3 devices and users. It generates and maintains IPv6 Layer 2 multicast forwarding tables
to distribute multicast data to only the receivers at the data link layer.
6.8.1 Example for Configuring MLD Snooping
In Figure 6-21, the router connects to the user network through the Layer 2 Switch on an IPv6
network. When the multicast source sends data to multicast group FF16::1 to FF16::5, HostA,
HostB, and HostC on the network only want to receive date of multicast groups FF16::1 to
FF16::3.

Figure 6-21 Networking diagram for configuring MLD snooping

Source
IP/MPLS core
Router
VLAN10
Eth0/0/3
Eth0/0/1 Eth0/0/2
Switch
HostA HostB HostC
To meet the requirement, basic MLD snooping functions and multicast group policy need to be
configured on the Layer 2 device. The configuration roadmap is as follows:
1. Create a VLAN on the Switch and add the interface to the VLAN.
2. Enable MLD snooping globally and in a VLAN.
3. Configure a multicast group policy in a VLAN.
Procedure
[Switch] vlan 10

Step 2 Enable MLD snooping.

# Enable MLD snooping globally.
[Switch] mld-snooping enable
# Enable MLD snooping in VLAN 10.

[Switch] vlan 10
[Switch-vlan10] mld-snooping enable
Step 3 Configure and apply a multicast group policy.

# Configure a multicast group policy.
[Switch] acl ipv6 2000
[Switch-acl6-basic-2000] rule deny source ff16::4 128
[Switch-acl6-basic-2000] rule deny source ff16::5 128
[Switch-acl6-basic-2000] quit
# Apply the multicast policy in VLAN 10.

[Switch] vlan 10
[Switch-vlan10] mld-snooping group-policy 2000

# Check the interface on the Switch.
<Switch> display mld-snooping port-info vlan 10
-----------------------------------------------------------------------
-----------------------------------------------------------------------
VLAN 10, 3 Entry(s)
( *, ff16:0:0:0:0:0:0:1)Eth0/0/3 Router
Eth0/0/1 -D-
Eth0/0/2 -D-
3 port(s)
( *, ff16:0:0:0:0:0:0:2)Eth0/0/3 Router
Eth0/0/1 -D-
Eth0/0/2 -D-
3 port(s)
( *, ff16:0:0:0:0:0:0:3)Eth0/0/3 Router
Eth0/0/1 -D-
Eth0/0/2 -D-
3 port(s)
-----------------------------------------------------------------------
The command output shows that Eth0/0/1 and Eth0/0/2 on the Switch have joined the group
FF16::1 to FF16::3.
----End
Configuration Files
#
sysname Switch
#
vlan batch 10
#
mld-snooping enable
#

rule 0 deny source FF16::4/128

rule 1 deny source FF16::5/128
#
vlan 10
mld-snooping enable
mld-snooping group-policy 2000
#
#
#
#
return
6.8.2 Example for Configuring a Static Interface to Implement Layer

2 Multicast
In Figure 6-22, the router connects to the user network through the Layer 2 switch on an IPv6
network. HostA, HostB, and HostC are the receivers. The user-side VLANIF interface of Router
has static groups FF16::1 to FF16::5 configured and does not run MLD. HostA and HostB require
to steadily receive data from FF16::1 to FF16::3 while HostC wants to steadily receive data from
FF16::4 to FF16::5.
Figure 6-22 Networking diagram for configuring a static interface to implement Layer 2
multicast
Source
IP/MPLS core
Router
VLAN10
Eth0/0/3
Eth0/0/1 Eth0/0/2
Switch
HostA HostB HostC

To meet the requirement, MLD snooping static router and member ports need to configured on
the Switch.
1. Create a VLAN and add interfaces to the VLAN.
2. Enable MLD snooping globally and in a VLAN.
3. Configure a static router port.
4. Configure a static member port.
Procedure
Step 1 Create VLAN 10 and add the interface to VLAN 10.
[Switch] vlan 10
Step 2 Enable MLD snooping globally and in VLAN 10.


[Switch] vlan 10
Step 3 Configure a static router port.

[Switch-Ethernet0/0/3] mld-snooping static-router-port vlan 10
Step 4 Configure a static member port.

[Switch-Ethernet0/0/1] mld-snooping static-group ff16::1 vlan 10

# Check the router port on the Switch.

<Quidway> display mld-snooping router-port

Total Number of Router Port on VLAN 10 is 1
Port Name UpTime Expires Flags
Eth0/0/3 00:00:06 -- STATIC
The command output shows that Eth0/0/3 becomes the static router port.
# Check the member port on the Switch.

<Switch> display mld-snooping port-info vlan 10
-----------------------------------------------------------------------
-----------------------------------------------------------------------
VLAN 10, 5 Entry(s)
( *, ff16:0:0:0:0:0:0:1) Eth0/0/3 Router
Eth0/0/1 S--
2 port(s)
( *, ff16:0:0:0:0:0:0:2) Eth0/0/3 Router
Eth0/0/1 S--
2 port(s)
( *, ff16:0:0:0:0:0:0:3) Eth0/0/3 Router
Eth0/0/1 S--
2 port(s)
( *, ff16:0:0:0:0:0:0:4) Eth0/0/3 Router
Eth0/0/2 S--
2 port(s)
( *, ff16:0:0:0:0:0:0:5) Eth0/0/3 Router
Eth0/0/2 S--
2 port(s)
-----------------------------------------------------------------------
The command output shows that Eth0/0/1 on the Switch joins multicast groups FF16::1 to
FF16::3 and Eth0/0/2 on the Switch joins multicast groups FF16::4 to FF16::5.
----End
Configuration Files
#
sysname Switch
#
vlan batch 10
#
mld-snooping enable
#
vlan 10
mld-snooping enable
#
mld-snooping static-group ff16:0:0:0:0:0:0:1 vlan 10
#
#
mld-snooping static-router-port vlan 10

#
return
6.8.3 Example for Configuring the MLD Snooping Querier
In Figure 6-23, Source1 and Source2 on a Layer 2 network send multicast data to FF16::1 and
FF16::2. HostA and HostC need to receive data of multicast group FF16::1 and HostB and Host
D need to receive data of multicast group FF16::2.
Figure 6-23 Networking diagram for configuring MLD snooping querier

Source1 Source2
VLAN10
Eth0/0/3 Eth0/0/4
Eth0/0/1 Eth0/0/2 Eth0/0/3
Eth0/0/2
HostA SwitchA SwitchB Eth0/0/1 HostB
Eth0/0/1
Eth0/0/1 Eth0/0/2
Eth0/0/2 Eth0/0/3
HostD SwitchD SwitchC HostC
Enable MLD snooping on each switch in the network and configure MLD snooping querier to
meet the service requirement. Enable each switch to discard unknown multicast packets to
prevent the device from broadcasting multicast packets in a VLAN when there is no
corresponding Layer 2 forwarding entry.
1. According to Figure 6-23, create a VLAN on the switches and add interfaces to the VLAN.
2. Enable MLD snooping globally and in a VLAN on all the switches.
3. Configure SwitchA closest to the multicast source as the MLD snooping querier.
4. Enable all the switches to discard unknown multicast packets.
Procedure

[SwitchA] vlan 10
Step 2 Enable MLD snooping.
[SwitchA] mld-snooping enable
[SwitchA] vlan 10
[SwitchA-vlan10] mld-snooping enable
Step 3 Configure MLD snooping querier.
# Configure SwitchA as the querier.
[SwitchA] vlan 10
[SwitchA-vlan10] mld-snooping querier enable
Step 4 Configure the switches to discard unknown multicast packets.

NOTE
On the S2300 (except the S2352P-EI), run this command in the system view.
[SwitchA] vlan 10
[SwitchA-vlan10] multicast drop-unknown
# After the MLD snooping querier is started, all devices except the querier can receive MLD
General Query messages. You can use the following command to check MLD packet statistics.
For example, you can check statistics of received MLD packets on SwitchB.
<SwitchB> display mld-snooping statistics vlan 10
MLD Snooping Packets Counter
Recv V1 Report 316
Recv V2 Report 0
Recv V1 Query 305
Recv V2 Query 0
Recv Done 2
Recv Pim Hello 85

Send Query(S=0) 1
Send Query(S!=0)0
Send General Query 0
Send Group-Specific Query 0
Send Group-Source-Specific Query 0
----End
Configuration Files
#
sysname SwitchA
#
vlan batch 10
#
mld-snooping enable
#
vlan 10
mld-snooping enable
mld-snooping querier enable
#
#
#
#
return

#
sysname SwitchB
#
vlan batch 10
#
mld-snooping enable
#
vlan 10
mld-snooping enable
#
#
#
#
#
return

#
sysname SwitchC
#
vlan batch 10
#
mld-snooping enable
#
vlan 10
mld-snooping enable
#
#
#
#
return

#
sysname SwitchD
#
vlan batch 10
#
mld-snooping enable
#
vlan 10
mld-snooping enable
#
#
#
return
6.8.4 Example for Configuring Prompt Leave for Interfaces
In Figure 6-24, the router connects to the user network through the Layer 2 Switch on an IPv6
network. Eth0/0/1 and Eth0/0/2 on the Switch respectively connect to only one receiver host.
Therefore, when receiving MLD Done messages from the two interfaces, the Switchdeletes the
forwarding entries of the multicast group that the hosts leave, without waiting for the timeout
of the aging timer. This saves the bandwidth and system resources.

Figure 6-24 Networking diagram for configuring prompt leave for interfaces
Source
IP/MPLS core
Router
VLAN10
Eth0/0/3
Eth0/0/1 Eth0/0/2
Switch
HostA HostB
Enabling MLD snooping and configuring prompt leave for interfaces on the Switch can meet
the requirements.
l Create a VLAN and add interfaces to the VLAN.
l Enable MLD snooping globally and in a VLAN.
l Enable prompt leave for interfaces in a VLAN.
Procedure
Step 1 Create VLAN 10 and add interfaces to VLAN 10.
[Switch] vlan 10

Step 2 Enable MLD snooping globally and in VLAN 10.


[Switch] vlan 10
Step 3 Configure prompt leave for interfaces in VLAN 10.

[Switch-vlan10] mld-snooping prompt-leave
# Run the display mld-snooping command on the Switch to check VLAN 10 configuration.
<Switch> display mld-snooping vlan 10
MLD Snooping Vlan Information for VLAN 10
MLD Snooping is Enabled
MLD Version is Set to default 1
MLD Query Interval is Set to default 125
MLD Max Response Interval is Set to default 10
MLD Robustness is Set to default 2
MLD Last Member Query Interval is Set to default 1
MLD Router Port Aging Interval is Set to 180s or holdtime in hello
MLD Filter Group-Policy is Set to default : Permit All
MLD Prompt Leave Enable
MLD Router Alert is Not Required
MLD Send Router Alert Enable
MLD Snooping Querier Disable
As shown in the preceding command output, "MLD Prompt Leave enable" indicates that the
configuration of prompt leave for interfaces in VLAN 10 is successful.
----End
Configuration Files
#
sysname Switch
#
mld-snooping enable
#
vlan batch 10
#
vlan 10
mld-snooping enable
mld-snooping prompt-leave
#
#
#
#
return

6.8.5 Example for Configuring MLD Snooping to Respond to

Network Topology Change
On an IPv6 multicast network in Figure 6-25, four switches form a ring network to improve the
network reliability. To prevent routing loops, STP runs on the four switches. HostA and HostB
need to receive multicast data from the multicast source.
Figure 6-25 Networking diagram for configuring MLD snooping to respond to Layer 2 network
topology change
Source
IP/MPLS
core
Router
Eth0/0/3 VLAN10
SwitchA
Eth0/0/1 Eth0/0/2
Eth0/0/1 MSTP Eth0/0/2

Eth0/0/3
SwitchC SwitchD
Eth0/0/2 Eth0/0/1
SwitchB
HostB
Eth0/0/2 Eth0/0/1
Eth0/0/3
HostA
Enable MLD snooping and configure MLD snooping to respond to Layer 2 network topology
change on the Switch.
1. Configure STP on all Switches.
2. Create VLAN 10 on all Switches and add interfaces to VLAN 10.

3. Enable MLD snooping globally on all Switches and in a VLAN.

4. Enable MLD snooping of SwitchA to respond to the Layer 2 network topology change.
Procedure
Step 1 Configure STP on all Switches.
# Configure STP on SwitchA.
The configurations of other switches are similar to the configuration of SwitchA, and are not
mentioned here.
Step 2 Create VLAN 10 on all Switches and add interfaces to VLAN 10.
# Add interfaces on SwitchA to VLAN 10.
[SwitchA] vlan 10
mentioned here.
Step 3 Enable MLD snooping on all the Switches.
# Enable MLD snooping on SwitchA globally and in VLAN 10.
[SwitchA] mld-snooping enable
[SwitchA] vlan 10
[SwitchA-vlan10] mld-snooping enable
mentioned here.
Step 4 Enable MLD snooping of SwitchA to respond to the Layer 2 network topology change.
[SwitchA] mld-snooping send-query enable
[SwitchA] mld-snooping send-query source-address fe80::1

1. Check whether multicast data is forwarded correctly.
# Check MLD packet statistics on the SwitchA.
<SwitchA> display mld-snooping statistics
MLD Snooping Events
Counter
Recv VLAN Up Event Times
0
Recv VLAN Down Event Times

0
Recv VLAN Del Event Times
0
Recv Port Up Event Times
0
Recv Port Down Event Times
0
Recv Port Del Event Times
0
Recv Port Inc Event Times
0
Recv Port Exc Event Times
0
Recv MSTP Block Event Times
0
Recv MSTP Forward Event Times
0
Recv LINK Change Event Times
0
MLD Snooping Packets
Counter
Statistics for VLAN
10
Recv V1 Report
12
Recv V2 Report
0
Recv V1 Query
15
Recv V2 Query
0
Recv Done
0
Recv Pim Hello 3
Send Query(S=0)
0
Send Query(S!=0)
0
Send General Query
0
Send Group-Specific Query
0
The command output shows that SwitchA does not send Query messages.
2. Run the display stp brief command on all Switches to check the interfaces that are blocked
and the transmission path of multicast data.
The command output shows that Eth0/0/1 of SwitchB is blocked.
<SwitchB> display stp brief
MSTID Port Role STP State
Protection
0 Ethernet0/0/2 ROOT FORWARDING
NONE
0 Ethernet0/0/3 DESI FORWARDING
NONE
The multicast data is forwarded to HostA over the path: SwitchA-SwitchC-SwitchB and
to HostB over the path: SwitchA-SwitchD.
3. Run the shutdown command on Eth0/0/1 of SwitchC to shut down the interface so that the
topology of the STP network changes.
4. Check whether HostA and HostB can still receive multicast data after the network topology
changes.
# Check MLD packet statistics on SwitchA.
<SwitchA> display mld-snooping statistics
MLD Snooping Events

Counter
Recv VLAN Up Event Times
0
Recv VLAN Down Event Times
0
Recv VLAN Del Event Times
0
Recv Port Up Event Times
0
Recv Port Down Event Times
1
Recv Port Del Event Times
0
Recv Port Inc Event Times
1
Recv Port Exc Event Times
2
Recv MSTP Block Event Times
0
Recv MSTP Forward Event Times
1
Recv LINK Change Event Times
70
MLD Snooping Packets
Counter
Statistics for VLAN
10
Recv V1 Report
18
Recv V2 Report
0
Recv V1 Query
15
Recv V2 Query
0
Recv Done
0
Recv Pim Hello
38
Send Query(S=0)
8
Send Query(S!=0)
0
Send General Query
0
Send Group-Specific Query
0
The command output indicates that SwitchA has sent Query messages with source address
0.
----End
Configuration Files
#
sysname SwitchA
#
mld-snooping enable
mld-snooping send-query enable
mld-snooping send-query source-address fe80:0:0:0:0:0:0:1
#
vlan batch 10
#
stp enable
#

vlan 10
mld-snooping enable
#
#
#
#
return
#
sysname SwitchB
#
mld-snooping enable
#
vlan batch 10
#
stp enable
#
vlan 10
mld-snooping enable
#
#
#
#
return
#
sysname SwitchC
#
mld-snooping enable
#
vlan batch 10
#
stp enable
#
vlan 10
mld-snooping enable
#
#
#
return
#
sysname SwitchD
#

mld-snooping enable
#
vlan batch 10
#
stp enable
#
vlan 10
mld-snooping enable
#
#
#
#
return

Typical Configuration Examples 7 Configuration Guide - QoS
7 Configuration Guide - QoS
About This Chapter
Quality of service (QoS) defines a service provider's ability to meet the level of service required
by a customers' traffic. The QoS-enabled device controls enterprise network traffic, implements
congestion congestion and congestion avoidance, reduces the packet loss ratio, and provides
dedicated bandwidth for enterprise users or differentiated services.
7.1 Priority Mapping Configuration

This chapter provides priority mapping configuration method, configuration examples, and
common configuration errors.
7.2 Traffic Policing and Traffic Shaping Configurations
This document describes basic concepts of traffic policing and traffic shaping, and configuration
methods of traffic policing based on a traffic classifier and traffic shaping, and provides

7.1 Priority Mapping Configuration

This chapter provides priority mapping configuration method, configuration examples, and
common configuration errors.
7.1.1 Example for Configuring Priority Mapping on the S2352P-EI,

S3300SI, and S3300EI
The is used as an example. After priority mapping is configured, the Switch maps DSCP
priorities of packets to new DSCP priorities so that it can provide differentiated services.
As shown in Figure 7-1, SwitchA and SwitchB are connected to the router, and enterprise
branches 1 and 2 can access the network through LSW1 and LSW2. Enterprise branch 1 requires
better QoS guarantee, so DSCP priorities of data packets from enterprise branches 1 and 2 are
mapped to 45 and 30 respectively. The Switch trusts DSCP priorities of packets. When
congestion occurs, the Switch first processes packets of higher DSCP priority.
Figure 7-1 Networking diagram of priority mapping
Core Network
Router
SwitchA SwitchB
Eth0/0/2 Eth0/0/2
Eth0/0/1 Eth0/0/1
LSW1 LSW2
Enterprise Enterprise
Branches 1 Branches 2
VLAN 100 VLAN 200
1. Create VLANs and configure interfaces so that the enterprise can access the network.

2. Configure priority mapping to map DSCP priorities of data packets from enterprise
branches 1 and 2 to 45 and 30 respectively.
Procedure
# Create VLAN 100.

# Set the link type of Eth 0/0/1 and Eth 0/0/2 to trunk and add them to VLAN 100.
# Configure interfaces to trust DSCP priorities of packets.

[SwitchA-Ethernet0/0/1] trust dscp
[SwitchA-Ethernet0/0/2] trust dscp
# Configure priority mapping.

[SwitchA] qos map-table dscp-dscp
[SwitchA-dscp-dscp] input 0 to 63 output 45
# Create VLAN 200.

# Set the link type of Eth 0/0/1 and Eth 0/0/2 to trunk and add them to VLAN 200.
# Configure interfaces to trust DSCP priorities of packets.

[SwitchB-Ethernet0/0/1] trust dscp
[SwitchB-Ethernet0/0/2] trust dscp
# Configure priority mapping.

[SwitchB] qos map-table dscp-dscp

[SwitchB-dscp-dscp] input 0 to 63 output 30

# View priority mapping information on SwitchA.
[SwitchA] display qos map-table dscp-dscp
Input DSCP DSCP
------------------------
0 45
1 45
2 45
3 45
4 45
......
63 45
# View the interface configuration on SwitchA.

[SwitchA-Ethernet0/0/1] display this
#
trust dscp
#
return
#
trust dscp
#
return
# View priority mapping information on SwitchB.

[SwitchB] display qos map-table dscp-dscp
Input DSCP DSCP
------------------------
0 30
1 30
2 30
3 30
4 30
......
63 30
# View the interface configuration on SwitchB.

[SwitchB-Ethernet0/0/1] display this
#
trust dscp
#
return
[SwitchB-Ethernet0/0/2] display this
#


trust dscp
#
return
----End
Configuration Files
#
sysname SwitchA
#
vlan batch 100
#
trust dscp
#
trust dscp
#
qos map-table dscp-dscp
input 0 to 44 output 45
#
return

#
sysname SwitchB
#
vlan batch 200
#
trust dscp
#
trust dscp
#
qos map-table dscp-dscp
#
return
7.2 Traffic Policing and Traffic Shaping Configurations

This document describes basic concepts of traffic policing and traffic shaping, and configuration
methods of traffic policing based on a traffic classifier and traffic shaping, and provides

Typical Configuration Examples 8 Configuration Guide - Security
8 Configuration Guide - Security
About This Chapter
This document describes security features of the switch such as AAA and user management,
DHCP snooping, ARP security, IP source guard, local attack defense, traffic suppression, and
ACL from aspects of function introduction, configuration methods, maintenance, and
8.1 AAA Configuration
The AAA-capable device checks validity of users and assigns rights to authorized users to ensure
network security.
8.2 NAC Configuration
This chapter describes NAC principles and configuration methods and provides configuration
examples.
8.3 ACL Configuration
This chapter explains how to configure an Access Control List (ACL) on a Switch to filter
packets.
8.4 DHCP Snooping Configuration
This chapter describes the principle and configuration method of DHCP snooping and provides
8.5 Local Attack Defense Configuration
Local attack defense limits the rate of packets sent to the CPU, ensuring device security and
uninterrupted services when attacks occur.
8.6 Attack Defense Configuration
Attack defense is a network security feature. Attack defense allows the device to identify various
types of network attacks and protect itself and the connected network against malicious attacks
to ensure device and network operation.
8.7 IPSG Configuration
You can configure IPSG to enable an interface to filter and control forwarded packets, preventing
invalid packets.
8.8 URPF Configuration
URPF can prevent network attacks based on source IP address spoofing.
8.9 ARP Security Configuration

This chapter describes the principle and configuration methods of ARP security and provides
8.10 MFF Configuration
This chapter provides MAC-Forced Forwarding (MFF) basics, configuration method,
configuration examples, and common configuration errors.
8.11 Traffic Suppression and Storm Control Configuration
This chapter describes basic concepts, configuration procedures and examples, and common
configuration errors.
8.12 PPPoE+ Configuration
Point-to-Point Protocol over Ethernet (PPPoE+), also called PPPoE Intermediate Agent,
intercepts PPPoE packets sent by the PPPoE client, adds information about the interface
connecting the PPPoE client to the PPPoE packets, and sends the packets to the PPPoE server.
In this manner, the user account and access interface information are both authenticated, which
prevents user account embezzling.
8.13 Keychain Configuration
A keychain is a widely used application that controls authentication algorithms and key-string
in a centralized way.
8.14 ND Snooping Configuration
This chapter describes the principle and configuration method of ND snooping and provides
8.15 SAVI Configurations
This chapter describes the principle and configuration methods of Source Address Validation
Improvements (SAVI) and provides configuration examples.

8.1 AAA Configuration

The AAA-capable device checks validity of users and assigns rights to authorized users to ensure
network security.
8.1.1 Example for Configuring RADIUS Authentication and

Accounting
As shown in Figure 8-1, users access the network through Switch A and belong to the domain
huawei. Switch B functions as the network access server of the destination network. Request
packets from users need to traverse the network where Switch A and Switch B are located to
reach the authentication server. Users can access the destination network through Switch B only
after being authenticated. The remote authentication on Switch B is described as follows:
l The RADIUS server will authenticate access users for SwitchB. If RADIUS authentication
fails, local authentication is used.
l The RADIUS server at 129.7.66.66/24 functions as the primary authentication and
accounting server. The RADIUS server at 129.7.66.67/24 functions as the secondary
authentication and accounting server. The default authentication port and accounting port
are 1812 and 1813.
Figure 8-1 Networking diagram of RADIUS authentication and accounting
Domain Huawei
Switch A Switch B
129.7.66.66/24
Network
129.7.66.67/24
Destination
Network

1. Configure a RADIUS server template.
2. Configure an authentication scheme and an accounting scheme.
3. Apply the RADIUS server template, authentication scheme, and accounting scheme to the
domain.
NOTE
Perform the following configurations only on Switch B.
Procedure
Step 1 Configure a RADIUS server template.
# Configure a RADIUS template shiva.
[Quidway] radius-server template shiva
# Configure the IP address and port numbers of the primary RADIUS authentication and
accounting server.
[Quidway-radius-shiva] radius-server authentication 129.7.66.66 1812
[Quidway-radius-shiva] radius-server accounting 129.7.66.66 1813
# Configure the IP address and port numbers of the secondary RADIUS authentication and
accounting server.
[Quidway-radius-shiva] radius-server authentication 129.7.66.67 1812 secondary
[Quidway-radius-shiva] radius-server accounting 129.7.66.67 1813 secondary
# Configure the shared key and retransmission count of the RADIUS server.
[Quidway-radius-shiva] radius-server shared-key cipher hello
[Quidway-radius-shiva] radius-server retransmit 2
[Quidway-radius-shiva] quit
Step 2 Configure authentication and accounting schemes.

# Create an authentication scheme auth. In the authentication scheme, the system performs
RADIUS authentication first, and performs local authentication if RADIUS authentication fails.
[Quidway] aaa
[Quidway-aaa] authentication-scheme auth
[Quidway-aaa-authen-auth] authentication-mode radius local
[Quidway-aaa-authen-auth] quit
# Configure the accounting scheme abc that uses RADIUS accounting and the policy that the
device is kept online when accounting fails.
[Quidway-aaa] accounting-scheme abc
[Quidway-aaa-accounting-abc] accounting-mode radius
[Quidway-aaa-accounting-abc] accounting start-fail online
[Quidway-aaa-accounting-abc] quit
Step 3 Configure a domain huawei and apply authentication scheme auth, accounting scheme abc,
and RADIUS server template shiva to the domain.
[Quidway-aaa] domain huawei
[Quidway-aaa-domain-huawei] authentication-scheme 1
[Quidway-aaa-domain-huawei] accounting-scheme 1
[Quidway-aaa-domain-huawei] radius-server shiva

Run the display radius-server configuration template command on Switch B, and you can
see that the configuration of the RADIUS server template meets the requirements.
<Quidway> display radius-server configuration template shiva
------------------------------------------------------------------------------
Server-template-name : shiva
Protocol-version : standard
Traffic-unit : B
Shared-secret-key : %$%$1"y;E[c;<.(_RS/w*!ÌOxof%$%$
Timeout-interval(in second) : 5
Primary-authentication-server : 129.7.66.66 :1812 LoopBack:NULL
Primary-accounting-server : 129.7.66.66 :1813 LoopBack:NULL
Secondary-authentication-server : 129.7.66.67 :1812 LoopBack:NULL
Secondary-accounting-server : 129.7.66.67 :1813 LoopBack:NULL
Retransmission : 2
Domain-included : YES
Calling-station-id MAC-format : xxxx-xxxx-xxxx
------------------------------------------------------------------------------
----End
Configuration Files
Configuration files on Switch B
#
radius-server template shiva
radius-server shared-key cipher %$%$1"y;E[c;<.(_RS/w*!ÌOxof%$%$
radius-server authentication 129.7.66.66 1812
radius-server authentication 129.7.66.67 1812 secondary
radius-server accounting 129.7.66.66 1813
radius-server accounting 129.7.66.67 1813 secondary
radius-server retransmit 2
#
aaa
authentication-scheme auth
authentication-mode radius local
accounting-scheme abc
accounting-mode radius
accounting start-fail online
domain huawei
authentication-scheme auth
accounting-scheme abc
radius-server shiva
#
return
8.1.2 Example for Configuring HWTACACS Authentication,

Accounting, and Authorization
As shown in Figure 8-2, the customer requirements are as follows:
l The HWTACACS server will authenticate access users for SwitchB. If HWTACACS
authentication fails, local authentication is used.
l HWTACACS authentication is required before the level of access users is upgraded. If
HWTACACS authentication fails, local authentication is used.

l The HWTACACS server will authorize access users for SwitchB. If HWTACACS
authorization fails, local authorization is used.
l HWTACACS accounting is used by SwitchB for access users.
l Real-time accounting is performed every 3 minutes.
l The IP addresses of primary and secondary HWTACACS servers are 129.7.66.66/24 and
129.7.66.67/24. The port number for authentication, accounting, and authorization is 49.
Figure 8-2 Networking diagram of HWTACACS authentication, accounting, and authorization
Domain Huawei
Switch A Switch B
129.7.66.66/24
Network
129.7.66.67/24
Destination
Network
1. Configure an HWTACACS server template.

2. Configure authentication, authorization, and accounting schemes.
3. Apply the HWTACACS server template, authentication scheme, authorization scheme, and
accounting scheme to the domain.
NOTE
Perform the following configurations only on SwitchB.
Procedure
Step 1 Configure an HWTACACS server template.
# Configure the HWTACACS server template ht.

[Quidway] hwtacacs-server template ht

# Configure the IP addresses and port numbers of the primary HWTACACS authentication,
authorization, and accounting servers.
[Quidway-hwtacacs-ht] hwtacacs-server authentication 129.7.66.66 49
[Quidway-hwtacacs-ht] hwtacacs-server authorization 129.7.66.66 49
[Quidway-hwtacacs-ht] hwtacacs-server accounting 129.7.66.66 49
# Configure the IP addresses and port numbers of the secondary HWTACACS authentication,
authorization, and accounting servers.
[Quidway-hwtacacs-ht] hwtacacs-server authentication 129.7.66.67 49 secondary
[Quidway-hwtacacs-ht] hwtacacs-server authorization 129.7.66.67 49 secondary
[Quidway-hwtacacs-ht] hwtacacs-server accounting 129.7.66.67 49 secondary
# Configure the shared key of the HWTACACS server.

[Quidway-hwtacacs-ht] hwtacacs-server shared-key cipher hello
[Quidway-hwtacacs-ht] quit
Step 2 Configure the authentication scheme, authorization scheme, and accounting scheme.
# Create an authentication scheme l-h. In the authentication scheme, the system performs
HWTACACS authentication first, and performs local authentication if HWTACACS
authentication fails. HWTACACS authentication is used first if the level of users is upgraded.
[Quidway] aaa
[Quidway-aaa] authentication-scheme l-h
[Quidway-aaa-authen-l-h] authentication-mode hwtacacs local
[Quidway-aaa-authen-l-h] authentication-super hwtacacs super
[Quidway-aaa-authen-l-h] quit
# Create an authorization scheme hwtacacs. In the authorization scheme, the system performs
HWTACACS authorization first, and performs local authorization if HWTACACS
authorization fails.
[Quidway-aaa] authorization-scheme hwtacacs
[Quidway-aaa-author-hwtacacs] authorization-mode hwtacacs local
[Quidway-aaa-author-hwtacacs] quit
# Create an accounting scheme hwtacacs and set HWTACACS accounting.

[Quidway-aaa] accounting-scheme hwtacacs
[Quidway-aaa-accounting-hwtacacs] accounting-mode hwtacacs
[Quidway-aaa-accounting-hwtacacs] accounting start-fail online
# Set the interval of real-time accounting to 3 minutes.

[Quidway-aaa-accounting-hwtacacs] accounting realtime 3
[Quidway-aaa-accounting-hwtacacs] quit
Step 3 Configure a domain huawei, and apply the authentication scheme l-h, authorization scheme
hwtacacs, accounting scheme hwtacacs, and the HWTACACS server template ht to the domain.
[Quidway-aaa] domain huawei
[Quidway-aaa-domain-huawei] authentication-scheme l-h
[Quidway-aaa-domain-huawei] authorization-scheme hwtacacs
[Quidway-aaa-domain-huawei] accounting-scheme hwtacacs
[Quidway-aaa-domain-huawei] hwtacacs-server ht
[Quidway-aaa-domain-huawei] quit
[Quidway-aaa] quit
[Quidway] quit

Run the display hwtacacs-server template command on SwitchB, and you can see that the
configuration of the HWTACACS server template meets the requirements.
<Quidway> display hwtacacs-server template ht
---------------------------------------------------------------------------

HWTACACS-server template name : ht

Primary-authentication-server : 129.7.66.66:49:-
Primary-authorization-server : 129.7.66.66:49:-
Primary-accounting-server : 129.7.66.66:49:-
Secondary-authentication-server : 129.7.66.67:49:-
Secondary-authorization-server : 129.7.66.67:49:-
Secondary-accounting-server : 129.7.66.67:49:-
Current-authentication-server : 129.7.66.66:49:-
Current-authorization-server : 129.7.66.66:49:-
Current-accounting-server : 129.7.66.66:49:-
Source-IP-address : 0.0.0.0
Shared-key : ****************
Quiet-interval(min) : 5
Response-timeout-Interval(sec) : 5
Domain-included : Yes
Traffic-unit : B
---------------------------------------------------------------------------
Run the display domain command on SwitchB, and you can see that the configuration of the
domain meets the requirements.
<Quidway> display domain name huawei
Domain-name : huawei
Domain-state : Active
Authentication-scheme-name : l-h
Accounting-scheme-name : hwtacacs
Authorization-scheme-name : hwtacacs
Service-scheme-name : -
RADIUS-server-template : -
HWTACACS-server-template : ht
----End
Configuration Files
Configuration files on Switch B
#
hwtacacs-server template ht
hwtacacs-server authentication 129.7.66.66
hwtacacs-server authentication 129.7.66.67 secondary
hwtacacs-server authorization 129.7.66.66
hwtacacs-server authorization 129.7.66.67 secondary
hwtacacs-server accounting 129.7.66.66
hwtacacs-server accounting 129.7.66.67 secondary
hwtacacs-server shared-key cipher %$%$|)&LT+J>dN>=IqD<gO/Fj$xo%$%$
#
aaa
authentication-scheme default
authentication-scheme l-h
authentication-mode hwtacacs local
authentication-super hwtacacs super
authorization-scheme default
authorization-scheme hwtacacs
authorization-mode hwtacacs local
accounting-scheme default
accounting-scheme hwtacacs
accounting-mode hwtacacs
accounting realtime 3
accounting start-fail online
domain default
domain default_admin
domain huawei
authentication-scheme l-h
accounting-scheme hwtacacs

authorization-scheme hwtacacs
hwtacacs-server ht
#
return
8.2 NAC Configuration

This chapter describes NAC principles and configuration methods and provides configuration
examples.
8.2.1 Example for Configuring 802.1x Authentication
As shown in Figure 8-3, many users on a company access network through Eth0/0/1 of the
Switch (used as an access device). After the network operates for a period of time, attacks are
detected. The administrator must control network access rights of user terminals to ensure
network security. The Switch allows user terminals to access Internet resources only after they
are authenticated.
Figure 8-3 Networking diagram for configuring 802.1x authentication
To control the network access permission of users, the administrator can configure 802.1x
authentication on the Switch after the server with the IP address 192.168.2.30 is used as the
RADIUS server.
The configuration roadmap is as follows (configured on the Switch):
1. Create and configure a RADIUS server template, an AAA scheme, and an ISP domain.
Bind the RADIUS server template and the AAA scheme to the ISP domain. The Switch
can then exchange information with the RADIUS server.
2. Configure 802.1x authentication.

a. Enable 802.1x authentication globally and on the interface.

b. Enable MAC address bypass authentication to authenticate terminals (such as printers)
that cannot install 802.1x authentication client software.
c. A maximum of 200 802.1x authentication users are allowed to access an interface,
preventing excessive concurrent access users.
d. Set the maximum number of times that an authentication request packet is sent to a
user to 3 to avoid repeated authentication.
e. Configure VLAN10 as the guest VLAN so that users can access resources in the guest
VLAN without authentication.
Procedure
Step 1 Create and configure a RADIUS server template, an AAA scheme, and an ISP domain.
# Create and configure RADIUS server template rd1.
[Quidway] radius-server template rd1
[Quidway-radius-rd1] radius-server authentication 192.168.2.30 1812
[Quidway-radius-rd1] radius-server shared-key cipher hello
[Quidway-radius-rd1] radius-server retransmit 2
[Quidway-radius-rd1] quit
# Create AAA scheme abc and set the authentication mode to RADIUS.
[Quidway] aaa
[Quidway-aaa] authentication-scheme abc
[Quidway-aaa-authen-abc] authentication-mode radius
[Quidway-aaa-authen-abc] quit
# Create ISP domain isp1, and bind AAA scheme abc and RADIUS server template rd1 to ISP
domain isp1.
[Quidway-aaa] domain isp1
[Quidway-aaa-domain-isp1] authentication-scheme abc
[Quidway-aaa-domain-isp1] radius-server rd1
[Quidway-aaa-domain-isp1] quit
[Quidway-aaa] quit
Step 2 Configure 802.1x authentication.

# Enable 802.1x authentication globally and on an interface.
[Quidway] dot1x enable
[Quidway-Ethernet0/0/1] dot1x enable
# Configure MAC address bypass authentication.

[Quidway-Ethernet0/0/1] dot1x mac-bypass
# Set the maximum number of concurrent access users for 802.1x authentication on an interface
to 200.
[Quidway-Ethernet0/0/1] dot1x max-user 200
# Set the maximum number of times that an authentication request packet is sent to the user to
3.
[Quidway] dot1x retry 3
# Configure VLAN10 as the guest VLAN in 802.1x authentication.

[Quidway] vlan batch 10

[Quidway] dot1x guest-vlan 10 interface ethernet 0/0/1
Step 3 View the 802.1x configuration.

[Quidway] display dot1x interface ethernet 0/0/1
Ethernet0/0/1 status: UP 802.1x protocol is Enabled[mac-bypass]
Port control type is Auto
Authentication method is MAC-based
Reauthentication is disabled
Maximum users: 200
Current users: 0
Guest VLAN 10 is not effective
Authentication Success: 0 Failure: 0

EAPOL Packets: TX : 0 RX : 0
Sent EAPOL Request/Identity Packets : 0
EAPOL Request/Challenge Packets : 0
Multicast Trigger Packets : 0
EAPOL Success Packets : 0
EAPOL Failure Packets : 0
Received EAPOL Start Packets : 0
EAPOL Logoff Packets : 0
EAPOL Response/Identity Packets : 0
EAPOL Response/Challenge Packets: 0
----End
Configuration Files
#
dot1x enable
dot1x retry 3
#
radius-server template rd1
radius-server shared-key cipher %$%$lrWRXXUmJ/5W\uBqID/6EULC%$%$
#
aaa
authentication-scheme abc
authentication-mode radius
domain isp1
radius-server rd1
#
dot1x mac-bypass
dot1x max-user 200
dot1x guest-vlan 10
#
return
8.2.2 Example for Configuring MAC Address Authentication

As shown in Figure 8-4, many printers on a company access network through Eth0/0/1 of the
Switch (used as an access device). After the network operates for a period of time, the
administrator controls the network access rights of the printers to improve network security. The
Switch allows a printer to access Internet resources only after the printer is authenticated.

Figure 8-4 Networking diagram for configuring MAC address authentication

RADIUS Server
192.168.2.30
Printer
Eth0/0/1 Internet
……
LAN Switch Switch

VLAN 10
Printer
Update Server
Printers cannot install and use the 802.1x client. The administrator can configure MAC address
authentication on the Switch to control the network access rights of the printers.
1. Create and configure a RADIUS server template, an AAA scheme, and an ISP domain;
bind the RADIUS server template and the AAA scheme to the ISP domain. The Switch
2. Configure MAC address authentication.
a. Enable MAC address authentication globally and on the interface.
b. A maximum of 100 MAC address authentication users are allowed to access an
interface, preventing excessive concurrent access users.
c. Configure VLAN10 as the guest VLAN, so that users can access resources in the guest
VLAN without authentication.
Procedure
[Quidway] aaa

domain isp1.
[Quidway-aaa] quit
Step 2 Configure MAC address authentication.
# Enable MAC address authentication globally and on the interface.

[Quidway] mac-authen
[Quidway-Ethernet0/0/1] mac-authen
#Set the maximum number of concurrent MAC authentication access users on the interface to
100.
[Quidway-Ethernet0/0/1] mac-authen max-user 100
# Configure VLAN10 as the guest VLAN for MAC address authentication.

[Quidway] vlan batch 10
[Quidway] mac-authen guest-vlan 10 interface ethernet 0/0/1
Step 3 Run the display mac-authen interface command to view the configuration of MAC address
authentication.
[Quidway] display mac-authen interface ethernet 0/0/1
Ethernet0/0/1 state: UP. MAC address authentication is enabled
Maximum users: 100
Current users: 0
Authentication Success: 0, Failure: 0
Guest VLAN 10 is not effective
----End
Configuration Files
#
vlan batch 10
#
mac-authen
#
#
aaa
domain isp1
radius-server rd1
#
mac-authen
mac-authen guest-vlan 10
mac-authen max-user 100
#
return

8.2.3 Example for Configuring Portal Authentication

As shown in Figure 8-5, many users on a company access network through Eth0/0/1 of the
Switch (used as an access device). After the network operates for a period of time, attacks are
detected. The administrator must control network access rights of user terminals to ensure
network security. The Switch allows user terminals to access Internet resources only after they
are authenticated.
Figure 8-5 Networking diagram for configuring Portal authentication

RADIUS Server
192.168.2.30
Printer
Eth0/0/1 Internet
……
LAN Switch Switch

VLAN 10
Printer
Update Server
To control the network access permission of users, the administrator can configure Portal
authentication on the Switch after the server with the IP address 192.168.2.30 is used as the
RADIUS server, and configure the IP address 192.168.3.20 as the IP address for the Portal server.
1. Create and configure a RADIUS server template, an AAA scheme, and an ISP domain.
Bind the RADIUS server template and the AAA scheme to the ISP domain. The Switch
2. Configure Portal authentication.
a. Create and configure a Portal server template to ensure normal information exchange
between the device and the Portal server.
b. Enable Portal authentication to authenticate access users.
c. Configure a shared key that the device uses to exchange information with the Portal
server to improve communication security.
Procedure


[Quidway] aaa
domain isp1.
[Quidway-aaa] quit
Step 2 Configure Portal authentication.
# Create and configure Portal server template abc.

[Quidway] web-auth-server abc
[Quidway-web-auth-server-abc] server-ip 192.168.3.20
[Quidway-web-auth-server-abc] quit
# Enable Portal authentication.

[Quidway-Vlanif10] web-auth-server abc
# Set the shared key in cipher text to 12345.

[Quidway] web-auth-server abc
[Quidway-web-auth-server-abc] shared-key cipher 12345
[Quidway-web-auth-server-abc] quit
Step 3 # Verify the configuration.
# Run the display web-auth-server configuration command to check the configuration of the
Portal authentication server.
[Quidway] display web-auth-server configuration
Listening port : 2000
Portal : version 1, version 2
Include reply message : enabled
------------------------------------------------------------------------
Web-auth-server Name : abc
IP-address : 192.168.3.20
Shared-key : %$%$C[>q!et)j7"I{`7hK)`7T*!u%$%$
Port / PortFlag : 50100 / NO
URL :
Bounded Vlanif : 10
------------------------------------------------------------------------
1 Web authentication server(s) in total
----End

Configuration Files
#
vlan batch 10
#
web-auth-server abc
server-ip 192.168.3.20
port 50100
shared-key cipher %$%$9|vQ3(`Js#[:m\+~xK:W7cZQ%$%$
server-detect interval 60 max-times 3 critical-num 0 action
log
user-sync
#
#
aaa
domain isp1
radius-server rd1
#
interface Vlanif10
web-auth-server abc
#
return
8.3 ACL Configuration

This chapter explains how to configure an Access Control List (ACL) on a Switch to filter
packets.
8.3.1 Example for Configuring a Basic ACL to Limit Access to the

FTP Server
As shown in Figure 8-6, the Switch functions as an FTP server (172.16.104.110/24). The
requirements are as follows:
l All the users on subnet 1 (172.16.105.0/24) are allowed to access the FTP server at any
time.
l All the users on subnet 2 (172.16.107.0/24) are allowed to access the FTP server only at
the specified period of time.
l Other users are not allowed to access the FTP server.
The routes between the Switch and subnets are reachable. You need to configure the Switch to
limit user access to the FTP server.

Figure 8-6 Configuring a basic ACL to limit user access to the FTP server
PC A
172.16.105.111/24
FTP Server
PC B
Network
172.16.107.111/24
Switch
172.16.104.110/24
PC C
10.10.10.1/24
l Create a basic ACL on the Switch and configure rules in the basic ACL.
l Configure basic FTP functions on the Switch.
l Apply a basic ACL to the Switch to limit user access.
Procedure
Step 1 Configure a time range.
[Switch] time-range ftp-access from 0:0 2009/1/1 to 23:59 2011/12/31
[Switch] time-range ftp-access 14:00 to 18:00 off-day
Step 2 Configure a basic ACL.

[Switch-acl-basic-2001] rule permit source 172.16.105.0 0.0.0.255
[Switch-acl-basic-2001] rule permit source 172.16.107.0 0.0.0.255 time-range ftp-
access
[Switch-acl-basic-2001] rule deny source any
Step 3 Configure basic FTP functions.

[Switch] ftp server enable
Step 4 Configure access permissions on the FTP server.

[Switch] ftp acl 2001
Run the ftp 172.16.104.110 command on PC A (172.16.105.111/24) in subnet 1. PC A can

connect to the FTP server.
Run the ftp 172.16.104.110 command on PC B (172.16.107.111/24) in subnet 2 on Monday in

2010. PC B cannot connect to the FTP server. Run the ftp 172.16.104.110 command on PC B
(172.16.107.111/24) in subnet 2 at 15:00 on Saturday in 2010. PC B can connect to the FTP
server.

Run the ftp 172.16.104.110 command on PC C (10.10.10.1/24). PC C cannot connect to the FTP
server.
----End
Configuration Files
# Configuration file of the Switch
#
sysname Switch
#
ftp server enable
ftp acl 2001
#
time-range ftp-access 14:00 to 18:00 off-day
time-range ftp-access from 00:00 2009/1/1 to 23:59 2011/12/31
#
acl number 2001
rule 10 permit source 172.16.107.0 0.0.0.255 time-range ftp-access
rule 15 deny
#
return
8.3.2 Example for Using an Advanced ACL to Configure Traffic

Classifiers
As shown in Figure 8-7, the departments of the company are connected through the Switch. An
IPv4 ACL needs to be configured to prevent the R&D department and marketing department
from accessing the salary query server from 8:00 to 17:30 and allow the president's office to
access the salary query server at any time.
Figure 8-7 Using an advanced ACL to configure traffic classifiers

Salary query server
10.164.9.9
Eth0/0/2 Eth0/0/4
Eth0/0/1
Switch
Eth0/0/3
Marketing department
10.164.2.0/24 President's office
10.164.1.0/24
R&D department
10.164.3.0/24

1. Assign IP addresses to interfaces.

2. Configure the time range.
3. Configure ACLs.
4. Configure traffic classifiers.
5. Configure traffic behaviors.
6. Configure traffic policies.
7. Apply traffic policies to interfaces.
Procedure
Step 1 Assign IP addresses to interfaces.
# Add interfaces to VLANs and assign IP addresses to the VLANIF interfaces.
Add Eth 0/0/1, Eth 0/0/2, and Eth 0/0/3 to VLAN 10, VLAN 20, and VLAN 30 respectively,
and add Eth 0/0/4 to VLAN 100. The first IP address of a network segment is taken as the address
of the VLANIF interface of the same network segment. The configuration on Eth 0/0/1 is used
as an example here. The configurations of other interfaces are similar to the configuration on
Eth 0/0/1, and are not mentioned here.
[Quidway] vlan batch 10 20 30 100
Step 2 Configure the time range.
# Configure the time range from 8:00 to 17:30.

[Quidway] time-range satime 8:00 to 17:30 working-day
Step 3 Configure ACLs.
# Configure the ACL for the marketing department to access the salary query server.
[Quidway] acl 3002
[Quidway-acl-adv-3002] rule deny ip source 10.164.2.0 0.0.0.255 destination
10.164.9.9 0.0.0.0 time-range satime
[Quidway-acl-adv-3002] quit
# Configure the ACL for the R&D department to access the salary query server.
[Quidway] acl 3003
[Quidway-acl-adv-3003] rule deny ip source 10.164.3.0 0.0.0.255 destination
10.164.9.9 0.0.0.0 time-range satime
[Quidway-acl-adv-3003] quit
Step 4 Configure ACL-based traffic classifiers.
# Configure the traffic classifier c_market to classify the packets that match ACL 3002.

[Quidway] traffic classifier c_market

[Quidway-classifier-c_market] if-match acl 3002
[Quidway-classifier-c_market] quit
# Configure the traffic classifier c_rd to classify the packets that match ACL 3003.
[Quidway] traffic classifier c_rd
[Quidway-classifier-c_rd] if-match acl 3003
[Quidway-classifier-c_rd] quit
Step 5 Configure traffic behaviors.
# Configure the traffic behavior b_market to reject packets.

[Quidway] traffic behavior b_market
[Quidway-behavior-b_market] deny
[Quidway-behavior-b_market] quit
# Configure the traffic behavior b_rd to reject packets.

[Quidway] traffic behavior b_rd
[Quidway-behavior-b_rd] deny
[Quidway-behavior-b_rd] quit
Step 6 Configure traffic policies.
# Configure the traffic policy p_market and associate the traffic classifier c_market and the
traffic behavior b_market with the traffic policy.
[Quidway] traffic policy p_market
[Quidway-trafficpolicy-p_market] classifier c_market behavior b_market
[Quidway-trafficpolicy-p_market] quit
# Configure the traffic policy p_rd and associate the traffic classifier c_rd and the traffic
behavior b_rd with the traffic policy.
[Quidway] traffic policy p_rd
[Quidway-trafficpolicy-p_rd] classifier c_rd behavior b_rd
[Quidway-trafficpolicy-p_rd] quit
Step 7 Apply the traffic policy.
# Apply the traffic policy p_market to Eth 0/0/2.

[Quidway-Ethernet0/0/2] traffic-policy p_market inbound
# Apply the traffic policy p_rd to Eth 0/0/3.

[Quidway-Ethernet0/0/3] traffic-policy p_rd inbound
# Check the configuration of ACL rules.

<Quidway> display acl all
Total nonempty ACL number is 2
Advanced ACL 3002, 1 rule

Acl's step is 5
rule 5 deny ip source 10.164.2.0 0.0.0.255 destination 10.164.9.9 0 time-range
satime(Active)
Advanced ACL 3003, 1 rule

Acl's step is 5


satime(Active)
# Check the configuration of the traffic classifier.

<Quidway> display traffic classifier user-defined
User Defined Classifier Information:
Classifier: c_market
Operator: AND
Rule(s) : if-match acl 3002
Classifier: c_rd
Operator: AND
Total classifier number is 2
# Check the configuration of the traffic policy.

<Quidway> display traffic policy user-defined
User Defined Traffic Policy Information:
Policy: p_market
Classifier:
c_market
Operator: AND
Behavior:
b_market
Deny
Policy: p_rd
Classifier: c_rd
Operator: AND
Behavior: b_rd
Deny
Total policy number is 2
----End
Configuration Files
#
vlan batch 10 20 30 100
#
time-range satime 08:00 to 17:30 working-day
#
acl number 3002
satime
#
acl number 3003
satime
#
traffic classifier c_market operator and
if-match acl 3002
traffic classifier c_rd operator and
if-match acl 3003
#
traffic behavior b_market
deny
traffic behavior b_rd
deny
#
traffic policy p_market
classifier c_market behavior b_market
traffic policy p_rd
classifier c_rd behavior b_rd
#

interface Vlanif10
ip address 10.164.1.1 255.255.255.0
#
interface Vlanif20
ip address 10.164.2.1 255.255.255.0
#
interface Vlanif30
ip address 10.164.3.1 255.255.255.0
#
interface Vlanif100
ip address 10.164.9.1 255.255.255.0
#
#
traffic-policy p_market inbound
#
traffic-policy p_rd inbound
#
#
return
8.3.3 Example for Using a Layer 2 ACL to Configure a Traffic

Classifier
As shown in Figure 8-8, the Switch that functions as the gateway is connected to PCs. ACL
needs to be configured to prevent the packets with the source MAC address 00e0-f201-0101 and
the destination MAC address 0260-e207-0002 from passing through.
Figure 8-8 Using a Layer 2 ACL to configure a traffic classifier
Eth0/0/2 Eth0/0/1
IP network
Switch
00e0-f201-0101
1. Configure an ACL.

2. Configure a traffic classifier.

3. Configure a traffic behavior.
4. Configure a traffic policy.
5. Apply the traffic policy to an interface.
Procedure
# Configure a Layer 2 ACL.
[Quidway] acl 4000
[Quidway-acl-L2-4000] rule deny source-mac 00e0-f201-0101 ffff-ffff-ffff
destination-mac 0260-e207-0002 ffff-ffff-ffff
[Quidway-acl-L2-4000] quit
Step 2 Configure the traffic classifier that is based on the ACL.

# Configure the traffic classifier tc1 to classify packets that match ACL 4000.
[Quidway] traffic classifier tc1
[Quidway-classifier-tc1] if-match acl 4000
[Quidway-classifier-tc1] quit
Step 3 Configure the traffic behavior.

# Configure the traffic behavior tb1 to reject packets.
[Quidway] traffic behavior tb1
[Quidway-behavior-tb1] deny
[Quidway-behavior-tb1] quit
Step 4 Configure the traffic policy.

# Configure the traffic policy tp1 and associate tc1 and tb1 with the traffic policy.
[Quidway] traffic policy tp1
[Quidway-trafficpolicy-tp1] classifier tc1 behavior tb1
[Quidway-trafficpolicy-tp1] quit
Step 5 Apply the traffic policy.

# Apply the traffic policy tp1 to Eth 0/0/2.
[Quidway-Ethernet0/0/2] traffic-policy tp1 inbound

# Check the configuration of ACL rules.
<Quidway> display acl 4000
L2 ACL 4000, 1 rule
Acl's step is 5
rule 5 deny destination-mac 0260-e207-0002 source-mac 00e0-f201-0101

<Quidway> display traffic classifier user-defined
Classifier: tc1
Operator: AND


<Quidway> display traffic policy user-defined tp1
Policy: tp1
Classifier: tc1
Operator: AND
Behavior: tb1
Deny
----End
Configuration Files
#
acl number 4000
rule 5 deny destination-mac 0260-e207-0002 source-mac 00e0-f201-0101
#
traffic classifier tc1 operator and
if-match acl 4000
#
traffic behavior tb1
deny
#
traffic policy tp1
classifier tc1 behavior tb1
#
traffic-policy tp1 inbound
#
return
8.3.4 Example for Using a User-defined ACL to Configure a Traffic

Classifier
As shown in Figure 8-9, Eth 0/0/1 of the Switch is connected to PCs, and Eth 0/0/2 is connected
to the upstream router. A user-defined ACL needs to be configured on Eth 0/0/1 to deny the
packets of which the bytes from the 14th byte in the Layer 2 header matching 0x0180C200.
Figure 8-9 Using a user-defined ACL to configure a traffic classifier
PC A
Eth0/0/1 Eth0/0/2
Switch
PC B

1. Configure an ACL.
2. Configure a traffic classifier.
3. Configure a traffic behavior.
4. Configure a traffic policy.
Procedure
# Configure a user-defined ACL.
[Quidway] acl 5000
[Quidway-acl-user-5000] rule deny l2-head 0x0180C200 0xFFFFFFFF 14
[Quidway-acl-user-5000] quit
Step 2 Configure a traffic classifier based on the user-defined ACL.

# Configure the traffic classifier tc1 to classify the packets that match ACL 5000.
[Quidway] traffic classifier tc1
[Quidway-classifier-tc1] if-match acl 5000
[Quidway-classifier-tc1] quit
Step 3 Configure a traffic behavior.

# Configure the traffic behavior tb1 to deny packets.
[Quidway] traffic behavior tb1
[Quidway-behavior-tb1] deny
[Quidway-behavior-tb1] quit
Step 4 Configure a traffic policy.

# Define the traffic policy and associate the traffic classifier and traffic behavior with the traffic
policy.
[Quidway] traffic policy tp1
[Quidway-trafficpolicy-tp1] classifier tc1 behavior tb1
[Quidway-trafficpolicy-tp1] quit
Step 5 Apply the traffic policy to an interface.

# Apply the traffic policy to Eth0/0/1.
[Quidway-Ethernet0/0/1] traffic-policy tp1 inbound

# Check the configuration of the ACL rule.
[Quidway] display acl 5000
User ACL 5000, 1 rule
Acl's step is 5
rule 5 deny 0x0180c200 0xffffffff 14

[Quidway] display traffic classifier user-defined

Classifier: tc1
Operator: AND

[Quidway] display traffic policy user-defined tp1
Policy: tp1
Classifier: tc1
Operator: AND
Behavior: tb1
Deny
----End
Configuration Files
#
acl number 5000
rule 5 deny 0x0180c200 0xffffffff 14
#
traffic classifier tc1 operator and
if-match acl 5000
#
traffic behavior tb1
deny
#
traffic policy tp1
classifier tc1 behavior tb1
#
traffic-policy tp1 inbound
#
return
8.3.5 Example for Using an ACL6 to Configure a Traffic Classifier

As shown in Figure 8-10, SwitchA and SwitchB are connected through Eth interfaces. An ACL6
needs to be configured on SwitchA to deny the IPv6 packets with source IP address 3001::2/64
on Eth 0/0/1.
Figure 8-10 Configuring ACL6 to filter IPv6 packets

VLAN 10
SwitchA VLANIF 10 VLANIF 10 SwitchB
3001::1/64 3001::2/64 Loopback2
Eth0/0/1 Eth0/0/1 3002::2/64

1. Configure an ACL6.
2. Configure the traffic classifier.
3. Configure the traffic behavior.
4. Configure the traffic policy.
Procedure
Step 1 Enable IPv6 forwarding capability on SwitchA and SwitchB, and set the parameters for the
interfaces.
[SwitchA] ipv6
[SwitchA-Vlanif10] ipv6 address 3001::1 64
# Configure a static route on SwitchA.

[SwitchA] ipv6 route-static 3002:: 64 3001::2
[SwitchB] ipv6
[SwitchB] interface loopback 2
[SwitchB-LoopBack2] ipv6 enable
[SwitchB-LoopBack2] ipv6 address 3002::2 64
[SwitchB-LoopBack2] quit
[SwitchB-Vlanif10] ipv6 address 3001::2 64
Step 2 Create an ACL6 rule and apply the rule to the interface to deny the IPv6 packets from 3001::2.
[SwitchA] acl ipv6 number 3001
[SwitchA-acl6-adv-3001] rule deny ipv6 source 3001::2/64
[SwitchA-acl6-adv-3001] quit
[SwitchA] traffic classifier class1
[SwitchA-classifier-class1] if-match ipv6 acl 3001
[SwitchA-classifier-class1] quit
[SwitchA] traffic behavior behav1
[SwitchA-behavior-behav1] deny
[SwitchA-behavior-behav1] quit
[SwitchA] traffic policy policy1
[SwitchA-trafficpolicy-policy1] classifier class1 behavior behav1
[SwitchA-trafficpolicy-policy1] quit

[SwitchA-Ethernet0/0/1] traffic-policy policy1 inbound

# Check the configuration of ACL6 rules.

[SwitchA] display acl ipv6 3001
Advanced IPv6 ACL 3001, 1 rule
rule 0 deny ipv6 source 3001::2/64

[SwitchA] display traffic classifier user-defined
Classifier: class1
Operator: AND
Rule(s) : if-match ipv6 acl 3001

[SwitchA] display traffic policy user-defined
Policy: policy1
Classifier: class1
Operator: AND
Behavior: behav1
Deny
Total policy number is 1
----End
Configuration Files
#
sysname SwitchA
#
ipv6
#
rule 0 deny ipv6 source 3001::2/64
#
traffic classifier class1 operator and
if-match ipv6 acl 3001
#
traffic behavior behav1
deny
#
traffic policy policy1
classifier class1 behavior behav1
#
interface Vlanif10
ipv6 enable
#
traffic-policy policy1 inbound
#
ipv6 route-static 3002:: 64 3001::2
#
return


#
sysname SwitchB
#
ipv6
#
interface Vlanif10
ipv6 enable
#
#
interface LoopBack2
ipv6 enable
#
return
8.4 DHCP Snooping Configuration

This chapter describes the principle and configuration method of DHCP snooping and provides
Product Support
S2300 Supported (excluding S2300SI)
S3300 Supported
8.4.1 Example for Configuring DHCP Snooping Attack Defense

In Figure 8-11, SwitchA and SwitchB are access devices, and SwitchC is a DHCP relay agent.
Client1 and Client2 are connected to SwitchA through Eth0/0/1 and Eth0/0/2 respectively.
Client3 is connected to SwitchB through Eth0/0/1. Client1 and Client3 obtain IPv4 addresses
using DHCP, while Client2 uses the static IPv4 address. Attacks from unauthorized users prevent
authorized users from obtaining IP addresses. The administrator needs to enable the device to
defend against DHCP attacks on the network and provide better services to DHCP clients.

Figure 8-11 Networking diagram for configuring DHCP snooping attack defense
DHCP Client1
Eth0/0/1
Eth0/0/3
IP:10.1.1.1/24
DHCP Server
MAC:0001-0002-0003 Eth0/0/1
Eth0/0/2 SwitchA
Eth0/0/2 Eth0/0/3
Client2 SwitchC
（DHCP Relay）
Eth0/0/2
Eth0/0/1
SwitchB
DHCP Client3
1. Enable DHCP snooping and configure the device to process only DHCPv4 messages.
2. Configure an interface as the trusted interface to ensure that DHCP clients obtain IP
addresses from the authorized server.
3. Enable association between ARP and DHCP snooping to enable the device to update the
binding entries when a DHCP user is disconnected.
4. Enable the device to generate static MAC address entries on the interface based on DHCP
snooping binding entries to prevent attacks from non-DHCP users.
5. Enable the device to check DHCP messages against the binding table to prevent bogus
DHCP message attacks.
6. Set the maximum rate of sending DHCP messages to the processing unit to prevent DHCP
flood attacks.
7. Set the maximum number of access DHCP clients and enable the device to check whether
the MAC address in the Ethernet frame header matches the CHADDR field in the DHCP
message to prevent DHCP server DoS attacks.
Procedure
Step 1 Enable DHCP snooping.
# Enable DHCP snooping globally and configure the device to process only DHCPv4 messages.
[SwitchC] dhcp enable
[SwitchC] dhcp snooping enable ipv4
# Enable DHCP snooping on the user-side interface. Eth0/0/1 is used as an example. The
configuration on Eth0/0/2 is the same as the configuration on Eth0/0/1 and is not mentioned
here.


[SwitchC-Ethernet0/0/1] dhcp snooping enable
Step 2 Configure the interface connected to the DHCP server as the trusted interface.
[SwitchC-Ethernet0/0/3] dhcp snooping trusted
Step 3 Enable association between ARP and DHCP snooping.

[SwitchC] arp dhcp-snooping-detect enable
Step 4 Enable the device to generate static MAC address entries on the interface based on DHCP
snooping binding entries.
# Configure the user-side interface. Eth0/0/1 is used as an example. The configuration on

Eth0/0/2 is the same as the configuration on Eth0/0/1 and is not mentioned here.
[SwitchC-Ethernet0/0/1] dhcp snooping sticky-mac
Step 5 Enable the device to check DHCP messages against the DHCP snooping binding table.

[SwitchC-Ethernet0/0/1] dhcp snooping check dhcp-request enable
Step 6 Set the maximum rate of sending DHCP messages to the processing unit to 90 pps.
[SwitchC] dhcp snooping check dhcp-rate enable
[SwitchC] dhcp snooping check dhcp-rate 90
Step 7 Set the maximum number of access users allowed on the interface and enable the device to check
the CHADDR field.

[SwitchC-Ethernet0/0/1] dhcp snooping max-user-number 20
[SwitchC-Ethernet0/0/1] dhcp snooping check dhcp-chaddr enable
Step 8 Configure the trap function for the number of discarded messages and the rate limit.
# Enable the trap function for discarding messages and set the alarm threshold. Eth0/0/1 is used
as an example. The configuration on Eth0/0/2 is the same as the configuration on Eth0/0/1 and
is not mentioned here.
[SwitchC-Ethernet0/0/1] dhcp snooping alarm dhcp-chaddr enable
[SwitchC-Ethernet0/0/1] dhcp snooping alarm dhcp-request enable
[SwitchC-Ethernet0/0/1] dhcp snooping alarm dhcp-reply enable
[SwitchC-Ethernet0/0/1] dhcp snooping alarm dhcp-chaddr threshold 120
[SwitchC-Ethernet0/0/1] dhcp snooping alarm dhcp-request threshold 120
[SwitchC-Ethernet0/0/1] dhcp snooping alarm dhcp-reply threshold 120
# Enable the trap function for the rate limit and set the alarm threshold.
[SwitchC-Ethernet0/0/1] dhcp snooping alarm dhcp-rate enable
[SwitchC-Ethernet0/0/1] dhcp snooping alarm dhcp-rate threshold 500


# Run the display dhcp snooping global command to view the DHCP snooping configuration.
[SwitchC] display dhcp snooping global
dhcp snooping enable ipv4
dhcp snooping check dhcp-rate enable
dhcp snooping check dhcp-rate 90
Dhcp snooping enable is configured at vlan :NULL
Dhcp snooping enable is configured at interface :

Ethernet0/0/1 Ethernet0/0/2
Dhcp snooping trusted is configured at interface :

Ethernet0/0/3
Dhcp option82 insert is configured at interface :NULL
Dhcp option82 rebuild is configured at interface :NULL
Dhcp option82 insert is configured at vlan :NULL
Dhcp option82 rebuild is configured at vlan :NULL
dhcp packet drop count within alarm range : 0

dhcp packet drop count total : 0
# Run the display dhcp snooping interface command to view DHCP snooping information on
an interface.
[SwitchC] display dhcp snooping interface ethernet 0/0/1

dhcp snooping enable
dhcp snooping check dhcp-request enable alarm dhcp-request enable threshold 120
dhcp packet dropped by dhcp-request checking = 0
dhcp snooping check dhcp-chaddr enable alarm dhcp-chaddr enable threshold 120
dhcp packet dropped by dhcp-chaddr checking = 0
dhcp snooping alarm dhcp-rate enable threshold 500
dhcp snooping alarm dhcp-reply enable threshold 120
dhcp packet dropped by untrust-reply checking = 0
dhcp snooping max-user-number 20
[SwitchC] display dhcp snooping interface ethernet 0/0/3
dhcp packet dropped by untrust-reply checking = 0
----End
Configuration Files
# Configuration file of the SwitchC
#
sysname SwitchC
#
dhcp enable
#
dhcp snooping enable ipv4
dhcp snooping check dhcp-rate enable
dhcp snooping check dhcp-rate 90
arp dhcp-snooping-detect enable
#


dhcp snooping sticky-mac
#
dhcp snooping sticky-mac
#
#
return
8.5 Local Attack Defense Configuration

Local attack defense limits the rate of packets sent to the CPU, ensuring device security and
uninterrupted services when attacks occur.
8.5.1 Example for Configuring Local Attack Defense
As shown in Figure 8-12, users from different LANs connect to the Internet through the
Switch. The Switch is connected to a large number of users, and receives many packets sent to
the CPU. In this case, the CPU of the Switch may be attacked by packets.
l The administrator needs to know about the CPU status in real time and check whether the
CPU is attacked. When potential attacks occur, the device sends alarms to the administrator
to protect the CPU.
l Users on Net1 are forbidden to access the network because they often attack the CPU.
l The CPU usage occupied by ARP Request packets is `reduced because attackers may send
a large number of ARP Request packets to deteriorate CPU performance.
l Stable and reliable data transmission is required between the administrator host and the
Switch.

Figure 8-12 Networking diagram for configuring local attack defense
Net1: 1.1.1.0/24
Internet
Switch
Net2: 2.2.2.0/24
Net3: 3.3.3.0/24
1. Attack source tracing provides traffic analysis and statistics, attack source identification
and alarm function. Enable attack source tracing and its alarm function. In this way, the
administrator can know about the CPU status in real time.
2. Add users on Net1 to the blacklist to prevent users on Net1 from accessing the network.
3. Configure the rate limit for ARP Request packets sent to the CPU to reduce the CPU usage
occupied by ARP Request packets.
4. ALP protects session-based application layer data and ensures service reliability and
stability on the application layer. Configure rate limit of FTP packets sent to the CPU when
an FTP connection is set up (by default, ALP is enabled for FTP packets) to ensure data
transmission between the administrator host and the Switch.
Procedure
Step 1 Configure a rule for filtering packets sent to the CPU.
# Define an ACL rule.
[Switch-acl-basic-2001] rule permit source 1.1.1.0 0.0.0.255
Step 2 Configure an attack defense policy.

Create an attack defense policy.
[Switch] cpu-defend policy test1
# Enable attack source tracing.

[Switch-cpu-defend-policy-test1] auto-defend enable
# Enable the alarm function for attack source tracing.

[Switch-cpu-defend-policy-test1] auto-defend alarm enable
# Configure a blacklist.
[Switch-cpu-defend-policy-test1] blacklist 1 acl 2001
Configure the rate limit for ARP Request packets sent to the CPU.
[Switch-cpu-defend-policy-test1] car packet-type arp-request cir 128
# Set the CIR for sending FTP packets to the CPU when FTP connections are set up.
[Switch-cpu-defend-policy-test1] linkup-car packet-type ftp cir 5000
[Switch-cpu-defend-policy-test1] quit
Step 3 Apply the attack defense policy globally.

[Switch] cpu-defend-policy test1 global
[Switch] quit

# View information about the configured attack defense policy.
<Switch> display cpu-defend policy test1
Related slot : <0>
Configuration :
Blacklist 1 ACL number : 2001
Car packet-type arp-request : CIR(128) CBS(24064)
Linkup-car packet-type ftp : CIR(5000) CBS(940000)
# View the CAR configuration.

<Switch> display cpu-defend configuration packet-type arp-request
Car Configurations On Slot 0.
----------------------------------------------------------------------
Packet Name Status Cir(Kbps) Cbs(Byte) Queue
----------------------------------------------------------------------
arp-request Enabled 128 24064 4
----------------------------------------------------------------------
----End
Configuration Files
#
sysname Switch
#
acl number 2001
#
cpu-defend policy test1
blacklist 1 acl 2001
car packet-type arp-request cir 128 cbs 24064
linkup-car packet-type ftp cir 5000 cbs 940000
auto-defend enable
auto-defend alarm enable
#
cpu-defend-policy test1 global
#
return

8.6 Attack Defense Configuration

Attack defense is a network security feature. Attack defense allows the device to identify various
types of network attacks and protect itself and the connected network against malicious attacks
to ensure device and network operation.
8.6.1 Example for Configuring Attack Defense
As shown in Figure 8-13, if a hacker on the LAN initiates malformed packet attacks, packet
fragment attacks, and flood attacks to SwitchA, SwitchA may break down. The administrator
requires that attack defense measures be deployed on SwitchA to provide a secure network
environment and ensure normal services.
Figure 8-13 Networking of attack defense
Campus Network
SwitchA
Attack
Defense
…… ……
User User Hacker
1. Enable defense against malformed packet attacks so that SwitchA can defend against such
attacks.
2. Enable defense against packet fragment attacks so that SwitchA can defend against such
attacks.
3. Enable defense against packet flood attacks so that SwitchA can defend against such
attacks.

Procedure
Step 1 Enable defense against malformed packet attacks.
[SwitchA] anti-attack abnormal enable
Step 2 Enable defense against packet fragment attacks and set the rate limit at which packet fragments
are received to 15000 bit/s.
[SwitchA] anti-attack fragment enable
[SwitchA] anti-attack fragment car cir 15000
Step 3 Enable defense against flood attacks.

# Enable defense against TCP SYN flood attacks and set the rate limit at which TCP SYN flood
packets are received to 15000 bit/s.
[SwitchA] anti-attack tcp-syn enable
[SwitchA] anti-attack tcp-syn car cir 15000
# Enable defense against UDP flood attacks to discard UDP packets sent from specified ports.
[SwitchA] anti-attack udp-flood enable
# Enable defense against ICMP flood attacks and set the rate limit at which ICMP flood packets
are received to 15000 bit/s.
[SwitchA] anti-attack icmp-flood enable
[SwitchA] anti-attack icmp-flood car cir 15000

# After the configuration is complete, run the display anti-attack statistics command to view
attack defense statistics.
<SwitchA> display anti-attack statistics
Packets Statistic Information:
-------------------------------------------------------------------------------
AntiAtkType TotalPacketNum DropPacketNum PassPacketNum
(H) (L) (H) (L) (H) (L)
-------------------------------------------------------------------------------
Abnormal 0 0 0 0 0 0
Fragment 0 0 0 0 0 0
Tcp-syn 0 34 0 28 0 6
Udp-flood 0 0 0 0 0 0
Icmp-flood 0 0 0 0 0 0
-------------------------------------------------------------------------------
On SwitchA, there are statistics on discarded TCP SYN packets, indicating that the attack
defense function takes effect.
----End
Configuration Files
#
sysname SwitchA
#
anti-attack fragment car cir 15000
anti-attack tcp-syn car cir 15000
anti-attack icmp-flood car cir 15000
#
return

8.7 IPSG Configuration

You can configure IPSG to enable an interface to filter and control forwarded packets, preventing
invalid packets.
Support
Product Support
S3300 Supported
8.7.1 Example for Configuring IPSG
As shown in Figure 8-14, HostA and HostB are connected to Eth0/0/1 and Eth0/0/2 on the
Switch respectively. It is required that HostB not forge the IP address and MAC address of HostA
and IP packets from HostA be sent to the server.
Figure 8-14 Networking diagram of configuring IPSG

Server
Switch
Eth0/0/1 Eth0/0/2
Packets:
SIP:10.0.0.1/24
SMAC:1-1-1
Host A Host B (Attacker)

IP:10.0.0.1/24 IP:10.0.0.2/24
MAC:1-1-1 MAC:2-2-2
Assume that the user is configured with an IP address statically. The configuration roadmap is
as follows:
1. Enable IP packet check on the interfaces connecting HostA and HostB.

2. Configure static binding entries for users statically obtaining IP addresses.

NOTE
This configuration example provides only the commands related to IP source guard.
Procedure
Step 1 Configure IP packet check.
# Enable IP packet check on Eth0/0/1 connected to HostA.
[Switch-Ethernet0/0/1] ip source check user-bind enable
# Enable the alarm function of IP packet check and set the alarm threshold on Eth0/0/1 connected
to HostA.
[Switch-Ethernet0/0/1] ip source check user-bind alarm enable
[Switch-Ethernet0/0/1] ip source check user-bind alarm threshold 200
# Enable IP packet check on Eth0/0/2 connected to HostB.

[Switch-Ethernet0/0/2] ip source check user-bind enable
# Enable the alarm function of IP packet check and set the alarm threshold on Eth0/0/2 connected
to HostB.
[Switch-Ethernet0/0/2] ip source check user-bind alarm enable
[Switch-Ethernet0/0/2] ip source check user-bind alarm threshold 200
Step 2 Configure a static binding entry.

# Configure HostA in the static binding table.
[Switch] user-bind static ip-address 10.0.0.1 mac-address 0001-0001-0001 interface
ethernet 0/0/1 vlan 10

Run the display dhcp static user-bind all command on Switch to check the binding table.
<Switch> display dhcp static user-bind all
DHCP Static Bind-table:
Flags: O - outer vlan, I - inner vlan, P - map vlan
IP Address MAC Address VSI/VLAN(O/I/P) Interface
--------------------------------------------------------------------------------
10.0.0.1 0001-0001-0001 10 /-- /-- Eth0/0/1
--------------------------------------------------------------------------------
Print count: 1 Total count: 1
The command output indicates that HostA has been configured in the static binding table.
----End
Configuration Files
#
sysname Switch

#
user-bind static ip-address 10.0.0.1 mac-address 0001-0001-0001 interface
Ethernet 0/0/1 vlan 10
#
ip source check user-bind enable
ip source check user-bind alarm enable
ip source check user-bind alarm threshold 200
#
ip source check user-bind alarm enable
ip source check user-bind alarm threshold 200
#
return
8.8 URPF Configuration

URPF can prevent network attacks based on source IP address spoofing.
8.8.1 Example for Configuring URPF
As shown in Figure 8-15, the Switch is connected to the ISP router through Eth0/0/2 and
connected to user networks through Eth0/0/1.The administrator hopes that the Switch can defend
against source address spoofing attacks. If the Switch cannot provide this function, unauthorized
users will occupy too many service resources by sending valid service requests, and authorized
users cannot communicate with each other due to no response.
Figure 8-15 Networking diagram of URPF configuration
GE0/0/1 GE0/0/2
User ISP
network
Switch
Configure URPF on the user-side interface Eth0/0/1 of the device and enable allow-default-
route to prevent source IP address spoofing attacks from users.
NOTE
Route symmetry is ensured in this example; so the URPF strict check is used.
Procedure
Step 1 Configure the URPF check mode on the interface.


[Switch-Ethernet0/0/1] urpf strict allow-default-route
Run the display this command on Eth0/0/1 to check the URPF configuration.
[Switch-Ethernet0/0/1] display this
#
urpf strict allow-default-route
#
return
----End
Configuration Files
#
sysname Switch
#
urpf strict allow-default-route
#
8.9 ARP Security Configuration

This chapter describes the principle and configuration methods of ARP security and provides
8.9.1 Example for Configuring ARP Security Functions
As shown in Figure 8-16, the switch functioning as the gateway connects to a server using
Eth0/0/3 and connects to four users in VLAN 10 and VLAN 20 using Eth0/0/1 and Eth0/0/2.
The following ARP threats exist on the network:
l Attackers send bogus ARP packets or bogus gratuitous ARP packets to the switch. ARP
entries on the switch are modified, leading to packet sending and receiving failures.
l Attackers send a large number of IP packets with unresolvable destination IP addresses to
the switch, leading to CPU overload.
l User1 sends a large number of ARP packets with fixed MAC addresses but variable source
IP addresses to the switch. As a result, ARP entries on the switch are exhausted.
l User3 sends a large number of ARP packets with fixed source IP addresses to the switch.
As a result, the CPU of the switch is insufficient to process other services.
The administrator wants to prevent the preceding ARP flood attacks and provide users with
stable services on a secure network.

Figure 8-16 Networking for configuring ARP security functions

VLAN 30
VLANIF 30
10.10.10.2/24 10.10.10.3/24
Switch
Eth0/0/3
Gateway
Eth0/0/1 Eth0/0/2
Server
VLANIF 10 VLANIF 20
8.8.8.4/24 9.9.9.4/24
VLAN10 VLAN20
User1 User2 User3 User4

8.8.8.2/24 8.8.8.3/24 9.9.9.2/24 9.9.9.3/24
1-1-1 2-2-2 3-3-3 4-4-4
1. Configure strict ARP learning and ARP entry fixing to prevent ARP entries from being
modified by bogus ARP packets.
2. Configure rate limit on ARP Miss messages based on the source IP address. This function
defends against attacks from ARP Miss messages triggered by a large number of IP packets
with unresolvable IP addresses (ARP Miss packets). At the same time, the switch must
have the capability to process a large number of ARP Miss packets from the server to ensure
network communication.
3. Configure ARP entry limit. This function defend against ARP flood attacks caused by a
large number of ARP packets with fixed MAC addresses but variable IP addresses and
prevent ARP entries from being exhausted.
4. Configure rate limit on ARP packets based on the source IP address. This function defends
against ARP flood attacks from User3 with a fixed IP address and prevents CPU overload.
Procedure
Step 1 Create VLANs, add interfaces to the VLANs, and configure VLANIF interfaces.
# Create VLAN 10, VLAN 20, VLAN 30, and add Eth0/0/1 to VLAN 10, Eth0/0/2 to VLAN
20, and Eth0/0/3 to VLAN 30.


# Create VLANIF 10, VLANIF 20, and VLANIF 30, and assign IP addresses to them.
Step 2 Configure strict ARP learning.

[Quidway] arp learning strict
Step 3 Configure ARP entry fixing.

# Set the ARP entry fixing mode to fixed-mac.
[Quidway] arp anti-attack entry-check fixed-mac enable
Step 4 Configure rate limit on ARP Miss messages based on the source IP address.
# Set the maximum rate of ARP Miss messages triggered by the server with the IP address
10.10.10.2 to 40 pps, and set the maximum rate of ARP Miss messages triggered by other hosts
to 20 pps.
[Quidway] arp-miss speed-limit source-ip maximum 20
[Quidway] arp-miss speed-limit source-ip 10.10.10.2 maximum 40
Step 5 Configure interface-based ARP entry limit.

# Configure that Eth0/0/1 can dynamically learn a maximum of 20 ARP entries.
[Quidway-Ethernet0/0/1] arp-limit vlan 10 maximum 20
Step 6 Configure rate limit on ARP packets based on the source IP address.
# Set the maximum rate of ARP packets from User3 with the source IP address 9.9.9.2 to 10
pps.
[Quidway] arp speed-limit source-ip 9.9.9.2 maximum 10

# Run the display arp learning strict command to check the global configuration of strict ARP
entry learning.
[Quidway] display arp learning strict
The global configuration:arp learning strict
Interface LearningStrictState
------------------------------------------------------------
------------------------------------------------------------
Total:0
Force-enable:0
Force-disable:0

# Run the display arp-limit command to check the maximum number of ARP entries that the
interface can dynamically learn.
[Quidway] display arp-limit interface ethernet 0/0/1
Interface LimitNum VlanID LearnedNum(Mainboard)
---------------------------------------------------------------------------
Ethernet0/0/1 20 10 0
---------------------------------------------------------------------------
Total:1
# Run the display arp anti-attack configuration all command to check the configuration of
ARP anti-attack.
[Quidway] display arp anti-attack configuration all
ARP anti-attack packet-check function: disable
ARP gateway-duplicate anti-attack function: disabled
ARP anti-attack log-trap-timer: 0 second(s)

(The log and trap timer of speed-limit, default is 0 and means disabled.)
ARP anti-attack entry-check mode:

Vlanif Mode
-------------------------------------------------------------------------------
All fixed-mac
-------------------------------------------------------------------------------
ARP rate-limit configuration:

-------------------------------------------------------------------------------
Global configuration:
Interface configuration:
Vlan configuration:
-------------------------------------------------------------------------------
ARP miss rate-limit configuration:

-------------------------------------------------------------------------------
Global configuration:
Interface configuration:
Vlan configuration:
-------------------------------------------------------------------------------
ARP speed-limit for source-IP configuration:

IP-address suppress-rate(pps)(rate=0 means function disabled)
-------------------------------------------------------------------------------
9.9.9.2 10
Others 0
-------------------------------------------------------------------------------
The number of configured specified IP address(es) is 1, spec is
256.
ARP miss speed-limit for source-IP configuration:

IP-address suppress-rate(pps)(rate=0 means function disabled)
-------------------------------------------------------------------------------
10.10.10.2/32 40
Others 20
-------------------------------------------------------------------------------
The number of configured specified IP address(es) is 1, spec is 256.
# Run the display arp packet statistics command to check statistics on ARP-based packets.
[Quidway] display arp packet statistics
ARP Pkt Received: sum 8678904
ARP-Miss Msg Received: sum 183
ARP Learnt Count: sum 37
ARP Pkt Discard For Limit: sum 146
ARP Pkt Discard For SpeedLimit: sum
40529
ARP Pkt Discard For Proxy Suppress: sum 0
ARP Pkt Discard For Other: sum 8367601

ARP-Miss Msg Discard For SpeedLimit: sum 20

ARP-Miss Msg Discard For Other: sum 104
In the preceding command output, the numbers of ARP packets and ARP Miss messages
discarded by the switch is displayed, indicating that the ARP security functions have taken effect.
----End
Configuration File
#
vlan batch 10 20 30
#
arp-miss speed-limit source-ip 10.10.10.2 maximum 40
arp speed-limit source-ip 9.9.9.2 maximum 10
arp anti-attack entry-check fixed-mac enable
#
arp-miss speed-limit source-ip maximum 20
#
interface Vlanif10
ip address 8.8.8.4 255.255.255.0
#
interface Vlanif20
ip address 9.9.9.4 255.255.255.0
#
interface Vlanif30
ip address 10.10.10.3
255.255.255.0
#
arp-limit vlan 10 maximum 20
#
#
#
return
8.9.2 Example for Configuring Defense Against ARP MITM Attacks
As shown in Figure 8-17, SwitchA connects to the DHCP server using Eth0/0/4, connects to
DHCP clients UserA and UserB using Eth0/0/1 and Eth0/0/2, and connects to UserC configured
with a static IP address using Eth0/0/3. Eth0/0/1, Eth0/0/2, Eth0/0/3, and Eth0/0/4 on SwitchA
all belong to VLAN 10. The administrator wants to prevent ARP MITM attacks and theft on
authorized user information, and learn the frequency and range of ARP MITM attacks.

Figure 8-17 Networking diagram for defending against ARP MITM attacks
SwitchB
DHCP Server
Eth0/0/4
SwitchA
Eth0/0/1
Eth0/0/2 Eth0/0/3
UserA UserB UserC
IP:10.0.0.2/24
DHCP Client DHCP Client
MAC:1-1-1
VLAN ID:10
1. Enable DAI so that SwitchA compares the source IP address, source MAC address,
interface number, and VLAN ID of the ARP packet with DHCP snooping binding entries.
This prevents ARP MITM attacks.
2. Enable packet discarding alarm function upon DAI so that SwitchA collects statistics on
ARP packets matching no DHCP snooping binding entry and generates alarms when the
number of discarded ARP packets exceeds the alarm threshold. The administrator learns
the frequency and range of the current ARP MITM attacks based on the alarms and the
number of discarded ARP packets.
3. Enable DHCP snooping and configure a static binding table to make DAI take effect.
Procedure
# Create VLAN 10, and add Eth0/0/1, Eth0/0/2, Eth0/0/3, and Eth0/0/4 to VLAN 10.


Step 2 Enable DAI and the packet discarding alarm function.
# Enable DAI and the packet discarding alarm function on Eth0/0/1, Eth0/0/2, and Eth0/0/3.
Eth0/0/1 is used as an example. Configurations of other interfaces are similar to the configuration
of Eth0/0/1, and are not mentioned here.
[SwitchA-Ethernet0/0/1] arp anti-attack check user-bind enable
[SwitchA-Ethernet0/0/1] arp anti-attack check user-bind alarm enable
Step 3 Configure DHCP snooping.
# Enable DHCP snooping globally.

[SwitchA] dhcp snooping enable
# Enable DHCP snooping in VLAN 10.

[SwitchA] vlan 10
[SwitchA-vlan10] dhcp snooping enable
# Configure Eth0/0/4 as a trusted interface.

[SwitchA-Ethernet0/0/4] dhcp snooping trusted
# Configure a static binding table.

[SwitchA] user-bind static ip-address 10.0.0.2 mac-address 0001-0001-0001
interface ethernet 0/0/3 vlan 10
# Run the display arp anti-attack configuration check user-bind interface command to check
the DAI configuration on each interface. Eth0/0/1 is used as an example.
[SwitchA] display arp anti-attack configuration check user-bind interface ethernet
0/0/1
arp anti-attack check user-bind enable
arp anti-attack check user-bind alarm enable
# Run the display arp anti-attack statistics check user-bind interface command to check the
number of ARP packets discarded based on DAI. Eth0/0/1 is used as an example.
[SwitchA] display arp anti-attack statistics check user-bind interface ethernet
0/0/1
Dropped ARP packet number is 966
Dropped ARP packet number since the latest warning is 605
In the preceding command output, the number of discarded ARP packets on Eth0/0/1 is
displayed, indicating that the defense against ARP MITM attacks has taken effect.

When you run the display arp anti-attack statistics check user-bind interface command for
multiple times on each interface, the administrator can learn the frequency and range of ARP
MITM attacks based on the number of discarded ARP packets.
----End
Configuration File
#
sysname SwitchA
#
vlan batch 10
#
dhcp enable
user-bind static ip-address 10.0.0.2 mac-address 0001-0001-0001 interface
Ethernet0/0/3 vlan 10
#
vlan 10
#
#
#
#
#
return
8.10 MFF Configuration

This chapter provides MAC-Forced Forwarding (MFF) basics, configuration method,
configuration examples, and common configuration errors.
Support
Product Support
S3300 Supported

8.10.1 Example for Configuring MFF
As shown in Figure 8-18, all the users obtain IP addresses from the DHCP server and all the
devices are located in VLAN 10. To isolate the user hosts at Layer 2 and enable them to
communicate at Layer 3, configure MFF on SwitchA and SwitchB.
Figure 8-18 MFF networking

DHCP server
10.10.10.1/24
Eth0/0/2
SwitchB Eth0/0/3
Eth0/0/1
Eth0/0/1
SwitchA
Eth0/0/4 Eth0/0/3
Eth0/0/2
1. Configure DHCP snooping to enable SwitchA and SwitchB to learn user binding entries
by snooping DHCP packets.
2. Enable MFF on SwitchA and SwitchB and configure basic MFF functions.
3. Configure the application server IP address so that users can communicate with the
application server at Layer 2.
4. Configure transparent transmission of ARP request packets so that the gateway can detect
the user status immediately.
Procedure
Step 1 Configure DHCP snooping.
# Enable global DHCP snooping on SwitchA.

# Enable DHCP snooping on the interfaces of SwitchA. Eth0/0/4 is used as an example. The
configurations on Eth0/0/2, Eth0/0/3, and Eth0/0/1 are the same as the configuration on
Eth0/0/4 and are not mentioned here.
[SwitchA-Ethernet0/0/4] dhcp snooping enable
# On SwitchA, configure Eth0/0/1 as the trusted interface.

# Enable global DHCP snooping on SwitchB.

[SwitchB] dhcp snooping enable
# Enable DHCP snooping on the interfaces of SwitchB. Eth0/0/1 is used as an example. The
configurations on Eth0/0/2 and Eth0/0/3 are the same as the configuration on Eth0/0/1 and are
not mentioned here.
[SwitchB-Ethernet0/0/1] dhcp snooping enable
# On SwitchB, configure Eth0/0/2 as the trusted interface.

[SwitchB-Ethernet0/0/2] dhcp snooping trusted
Step 2 Configure basic MFF functions.

# Enable global MFF.
# Enable global MFF on SwitchA.
[SwitchA] mac-forced-forwarding enable
# Enable global MFF on SwitchB.

[SwitchB] mac-forced-forwarding enable
# Configure MFF network interfaces.

# On SwitchA, configure Eth0/0/1 as an MFF network interface.
[SwitchA-Ethernet0/0/1] mac-forced-forwarding network-port
# On SwitchB, configure Eth0/0/2 as an MFF network interface.

[SwitchB-Ethernet0/0/2] mac-forced-forwarding network-port
# Enable MFF in the VLAN where users reside.

# Enable MFF in VLAN 10 on SwitchA.

[SwitchA] vlan 10
[SwitchA-vlan10] mac-forced-forwarding enable
# Enable MFF in VLAN 10 on SwitchB.

[SwitchB] vlan 10
[SwitchB-vlan10] mac-forced-forwarding enable
# Enable timed gateway detection.

# Enable timed gateway detection on SwitchA.
[SwitchA-vlan10] mac-forced-forwarding gateway-detect
# Enable timed gateway detection on SwitchB.

[SwitchB-vlan10] mac-forced-forwarding gateway-detect
Step 3 Configure the application server IP address.

# Configure the server IP address on SwitchA.
[SwitchA-vlan10] mac-forced-forwarding server 10.10.10.1
# Configure the server IP address on SwitchB.

[SwitchB-vlan10] mac-forced-forwarding server 10.10.10.1
Step 4 Configure transparent transmission of ARP request packets.

# Configure SwitchA to transparently transmit ARP request packets.
[SwitchA-vlan10] mac-forced-forwarding user-detect transparent
# Configure SwitchB to transparently transmit ARP request packets.

[SwitchB-vlan10] mac-forced-forwarding user-detect transparent
----End
Configuration Files
#
sysname SwitchA
#
vlan batch 10
#
dhcp enable
mac-forced-forwarding enable
#
vlan 10
mac-forced-forwarding user-detect transparent
mac-forced-forwarding gateway-detect
mac-forced-forwarding server 10.10.10.1
#
mac-forced-forwarding network-port
#


#
#
#
return

#
sysname SwitchB
#
vlan batch 10
#
dhcp enable
#
vlan 10
mac-forced-forwarding gateway-detect
mac-forced-forwarding server 10.10.10.1
#
#
mac-forced-forwarding network-port
#
#
return
8.11 Traffic Suppression and Storm Control Configuration

This chapter describes basic concepts, configuration procedures and examples, and common
configuration errors.
8.11.1 Example for Configuring Traffic Suppression
As shown in Figure 8-19, Switch A is connected to the Layer 2 network and Layer 3 router.
Switch A prevents broadcast storms caused by a large number of broadcast packets, multicast
packets, or unknown unicast packets forwarded at Layer 2.

Figure 8-19 Networking diagram
Eth0/0/1 Eth0/0/2
L2 network L3 network
Switch A
The roadmap of configuring traffic suppression is as follows:
1. Configure traffic suppression in the view of Eth0/0/1 to prevent broadcast storms caused
by a large number of broadcast packets, multicast packets, or unknown unicast packets
forwarded at Layer 2 and prevent broadcast storms.
Procedure
Step 1 Enter the interface view.
Step 2 Configure traffic suppression for broadcast packets.

[SwitchA-Ethernet0/0/1] broadcast-suppression 80
Step 3 Configure traffic suppression for multicast packets.

[SwitchA-Ethernet0/0/1] multicast-suppression 80
Step 4 Configure traffic suppression for unknown unicast packets.

[SwitchA-Ethernet0/0/1] unicast-suppression 80
Step 5 Check the configuration

Run the display flow-suppression interface command. You can view the traffic suppression
configuration on Eth0/0/1.
[SwitchA] display flow-suppression interface ethernet 0/0/1
storm type rate mode set rate value
-------------------------------------------------------------------------------
unknown-unicast percent percent: 80%
multicast percent percent: 80%
broadcast percent percent: 80%
-------------------------------------------------------------------------------
----End
Configuration Files
#
sysname SwitchA
#
unicast-suppression 80

multicast-suppression 80
broadcast-suppression 80
#
return
8.11.2 Example for Configuring Storm Control
As shown in Figure 8-20, Switch A is connected to the Layer 2 network and Layer 3 router.
Switch A prevents broadcast storms caused by a large number of broadcast packets, multicast
packets, or unknown unicast packets forwarded at Layer 2
Figure 8-20 Networking diagram
Eth0/0/1 Eth0/0/2
L2 network L3 network
Switch A
The roadmap of configuring storm control is as follows:
1. Configure storm control in the interface view on Eth0/0/1 to prevent broadcast storms
caused by a large number of broadcast packets, multicast packets, or unknown unicast
packets forwarded at Layer 2 and prevent broadcast storms.
Procedure
Step 1 Enter the interface view.
Step 2 Configure storm control for broadcast packets.

[SwitchA-Ethernet0/0/1] storm-control broadcast min-rate 1000 max-rate 2000
Step 3 Configure storm control for multicast packets.

[SwitchA-Ethernet0/0/1] storm-control multicast min-rate 1000 max-rate 2000
Step 4 Configure storm control for unknown unicast packets.

[SwitchA-Ethernet0/0/1] storm-control multicast min-rate 1000 max-rate 2000
Step 5 Set the storm control action to or block.

[SwitchA-Ethernet0/0/1] storm-control action block
Step 6 Enable the function of recording logs during storm control.

[SwitchA-Ethernet0/0/1] storm-control enable log
Step 7 Set the detection interval.

[SwitchA-Ethernet0/0/1] storm-control interval 90

Step 8 Check the configuration

Run the display storm-control interface command. You can view the storm control
configuration on Eth0/0/1.
[SwitchA] display storm-control interface ethernet 0/0/1
PortName Type Rate Action Punish- Trap Log Interval Last-
(Min/Max) Status Punish-Time
--------------------------------------------------------------------------------
Eth0/0/1 Multicast 1000 Pps Block Normal Off On 90
/2000
Eth0/0/1 Broadcast 1000 Pps Block Normal Off On 90
/2000
Eth0/0/1 Unicast 1000 Pps Block Normal Off On 90
/2000
----End
Configuration Files
#
sysname SwitchA
#
storm-control broadcast min-rate 1000 max-rate 2000
storm-control multicast min-rate 1000 max-rate 2000
storm-control unicast min-rate 1000 max-rate 2000
storm-control interval 90
storm-control action block
storm-control enable log
#
return
8.12 PPPoE+ Configuration

Point-to-Point Protocol over Ethernet (PPPoE+), also called PPPoE Intermediate Agent,
intercepts PPPoE packets sent by the PPPoE client, adds information about the interface
connecting the PPPoE client to the PPPoE packets, and sends the packets to the PPPoE server.
In this manner, the user account and access interface information are both authenticated, which
prevents user account embezzling.
Product Support
S3300 Supported
8.12.1 Example for Configuring PPPoE+
As shown in Figure 8-21, the Switch is connected to an upstream BRAS and a downstream
PPPoE client. The BRAS functions as a PPPoE server. On networks, unauthorized users listen

to PPPoE packets of authorized users and even embezzle accounts of authorized users. The
administrator wants to prevent these problems and ensure user account security.
Figure 8-21 Networking diagram for configuring PPPoE+
RADIUS Server
Internet
BRAS
PPPoE Server
Eth0/0/1
PPPoE+ Switch
Eth0/0/2 Eth0/0/3
PPPoE client PPPoE client
1. Enable PPPoE+ globally to authenticate the user account and access interface information,
preventing the user account from embezzling.
2. Configure the interface connecting the Switch and the PPPoE server as a trusted interface,
preventing PPPoE packets from being listened by unauthorized users when the packets are
forwarded to non-PPPoE service port.
3. Configure the policy for processing user-side PPPoE packets on the Switch, enabling the
Switch to properly communicate with the PPPoE server.
Procedure
Step 1 Enable PPPoE+.
[Switch] pppoe intermediate-agent information enable

NOTE
After PPPoE+ is enabled globally, PPPoE+ is enabled on all the interfaces.
Step 2 Configure the Eth0/0/1 interface as a trusted interface.

[Switch-Ethernet0/0/1] pppoe uplink-port trusted
Step 3 Set the policy for processing original fields in user-side PPPoE packets to replace on all
interfaces, and replace original fields in PPPoE packets with the circuit ID and remote ID of the
Switch.
[Switch] pppoe intermediate-agent information policy replace
Step 4 Set the format of circuit-id to extend.

[Switch] pppoe intermediate-agent information format circuit-id extend
# Run the display pppoe intermediate-agent information policy command to verify the policy
for processing original fields in user-side packets.
[Switch] display pppoe intermediate-agent information policy
The current information Policy :REPLACE
The current ignore-reply Policy:ENABLE
# Run the display pppoe intermediate-agent information format to verify the format of
circuit-id.
[Switch] display pppoe intermediate-agent information format
The current information format :
Circuit ID : EXTEND
Remote ID : COMMON
For example:
interface Ethernet0/0/1 SVLAN:200 CVLAN:100
The PPPOE Intermediate Agent information follow:
Circuit ID:00 04 00 c8 00 00
Remote ID:0022-0033-0044
----End
Configuration Files
#
sysname Switch
#
pppoe intermediate-agent information enable
pppoe intermediate-agent information format circuit-id extend
#
pppoe uplink-port trusted
#
return
8.13 Keychain Configuration

A keychain is a widely used application that controls authentication algorithms and key-string
in a centralized way.

8.13.1 Example for Applying the Keychain to RIP

As shown in Figure 8-22, SwitchA and SwitchB are connected using RIP-2.
The RIP connection needs to be retained during data transmission.
Figure 8-22 Networking diagram of applying the keychain to RIP
Vlanif 10 Vlanif 10
192.168.1.1/24 192.168.1.2/24
GE0/0/1 GE0/0/1
SwitchA SwitchB
To ensure stable RIP connections, RIP protocol packets must be correctly transmitted. You are
advised to authenticate and encrypt the packets to ensure transmission security. In addition, to
prevent unauthorized users from forging algorithms and key strings used in authentication and
encryption, you are advised to dynamically change algorithms and key strings to ensure secure
RIP packet transmission. Therefore, the keychain protocol is used to ensure stability of RIP
connections.
1. Configure basic RIP functions.
2. Configure a keychain.
3. Apply the keychain to RIP.
Procedure
Step 1 Configure basic RIP functions.
[SwitchA] rip 1
[SwitchB] rip 1
Step 2 Configure a keychain.

[SwitchA] keychain huawei mode absolute

[SwitchA-keychain] receive-tolerance 100

[SwitchA-keychain] key-id 1
[SwitchA-keychain-keyid-1] algorithm md5
[SwitchA-keychain-keyid-1] key-string plain hello
[SwitchA-keychain-keyid-1] send-time utc 0:00 2012-3-12 to 23:59 2012-3-12
[SwitchA-keychain-keyid-1] receive-time utc 0:00 2012-3-12 to 23:59 2012-3-12
[SwitchA-keychain-keyid-1] quit
[SwitchA-keychain] quit
[SwitchB] keychain huawei mode absolute
[SwitchB-keychain] receive-tolerance 100
[SwitchB-keychain] key-id 1
[SwitchB-keychain-keyid-1] algorithm md5
[SwitchB-keychain-keyid-1] key-string plain hello
[SwitchB-keychain-keyid-1] send-time utc 0:00 2012-3-12 to 23:59 2012-3-12
[SwitchB-keychain-keyid-1] receive-time utc 0:00 2012-3-12 to 23:59 2012-3-12
[SwitchB-keychain-keyid-1] quit
[SwitchB-keychain] quit
Step 3 Apply the keychain to RIP.

[SwitchA] vlan 10
[SwitchA-Vlanif10] rip authentication-mode md5 nonstandard keychain huawei
[SwitchB] vlan 10
[SwitchB-Vlanif10] rip authentication-mode md5 nonstandard keychain huawei

Run the display keychain keychain-name command to check the key-id status of the keychain.
<SwitchA> display keychain huawei
Keychain Information:
----------------------
Keychain Name : huawei
Timer Mode : Absolute
Receive Tolerance(min) : 100
TCP Kind : 254
TCP Algorithm IDs :
HMAC-MD5 : 5
HMAC-SHA1-12 : 2
HMAC-SHA1-20 : 6
HMAC-SHA-256 : 7
SHA-256 : 8
MD5 : 3
SHA1 : 4
Number of Key IDs : 1
Active Send Key ID : 1

Active Receive Key IDs : 01

Default send Key ID : Not configured
Key ID Information:
----------------------
Key ID : 1
Key string : hello(plain)
Algorithm : MD5
SEND TIMER :
Start time : 2012-03-12 00:00
End time : 2012-03-12 23:59
Status : Active
RECEIVE TIMER :
Start time : 2012-03-12 00:00
End time : 2012-03-12 23:59
Status : Active
After the keychain is applied to RIP, run the display rip process-id interface verbose command
to check the authentication mode of RIP packets. The display on Switch A is used as an example.
<SwitchA> display rip 1 interface verbose
Vlanif10(192.168.1.1)
State : UP MTU : 500
Metricin : 0
Metricout : 1
Input : Enabled Output : Enabled
Protocol : RIPv2 Multicast
Send version : RIPv2 Multicast Packets
Receive version : RIPv2 Multicast and Broadcast Packets
Poison-reverse : Disabled
Split-Horizon : Enabled
Authentication type : MD5 (Non-standard - Keychain: huawei)
Last Sequence Number Sent : 0x0
Replay Protection : Disabled
----End
Configuration Files
#
sysname SwitchA
#
vlan batch 10
#
keychain huawei mode absolute
receive-tolerance 100
#
key-id 1
algorithm md5
key-string plain hello
send-time utc 00:00 2012-03-12 to 23:59 2012-03-12
receive-time utc 00:00 2012-03-12 to 23:59 2012-03-12
#
interface Vlanif10
ip address 192.168.1.1 255.255.255.0
rip authentication-mode md5 nonstandard keychain huawei
#
#
rip 1
version 2
network 192.168.1.0
#
return


#
sysname SwitchB
#
vlan batch 10
#
keychain huawei mode absolute
#
key-id 1
algorithm md5
send-time utc 00:00 2012-03-12 to 23:59 2013-03-12
receive-time utc 00:00 2012-03-12 to 23:59 2012-03-12
#
interface Vlanif10
ip address 192.168.1.2 255.255.255.0
rip authentication-mode md5 nonstandard keychain huawei
#
#
rip 1
version 2
network 192.168.1.0
#
return
8.13.2 Example for Applying the Keychain to BGP

As shown in Figure 8-23, SwitchA and SwitchB are connected using BGP.
The BGP connection needs to be retained during data transmission.
Figure 8-23 Networking diagram of applying the keychain to BGP
Vlanif 10 Vlanif 10
192.168.1.1/24 192.168.1.2/24
GE0/0/1 GE0/0/1
SwitchA SwitchB
1. Configure the basic keychain functions.
2. Configure a keychain for Switch to authenticate BGP.
Procedure
Step 1 Configure a keychain.

[SwitchA] keychain huawei mode periodic weekly

[SwitchA-keychain] tcp-kind 182
[SwitchA-keychain] tcp-algorithm-id md5 17
[SwitchA-keychain] receive-tolerance 100
[SwitchA-keychain] key-id 1
[SwitchA-keychain-keyid-1] algorithm md5
[SwitchA-keychain-keyid-1] key-string plain hello
[SwitchA-keychain-keyid-1] send-time day fri sat
[SwitchA-keychain-keyid-1] receive-time day fri sat
[SwitchA-keychain-keyid-1] quit
[SwitchA-keychain] quit
[SwitchB] keychain huawei mode periodic weekly
[SwitchB-keychain] tcp-kind 182
[SwitchB-keychain] tcp-algorithm-id md5 17
[SwitchB-keychain] receive-tolerance 100
[SwitchB-keychain] key-id 1
[SwitchB-keychain-keyid-1] algorithm md5
[SwitchB-keychain-keyid-1] key-string plain hello
[SwitchB-keychain-keyid-1] send-time day fri sat
[SwitchB-keychain-keyid-1] receive-time day fri sat
[SwitchB-keychain-keyid-1] quit
[SwitchB-keychain] quit
Step 2 Apply the keychain to BGP for authentication and encryption.
[SwitchA] vlan 10
[SwitchA] bgp 1
[SwitchA-bgp] peer 192.168.1.2 keychain huawei
[SwitchA-bgp] quit
[SwitchB] vlan 10
[SwitchB] bgp 1
[SwitchB-bgp] peer 192.168.1.1 keychain huawei
[SwitchB-bgp] quit
Run the display keychain keychain-name command to check the key-id status of the keychain.
<SwitchA> display keychain huawei

Keychain Information:
---------------------
Keychain Name : huawei
Timer Mode : Weekly periodic
Receive Tolerance(min) : 100
TCP Kind : 182
TCP Algorithm IDs :
HMAC-MD5 : 5
HMAC-SHA1-12 : 2
HMAC-SHA1-20 : 6
HMAC-SHA-256 : 7
SHA-256 : 8
MD5 : 3
SHA1 : 4
Number of Key IDs : 1
Active Send Key ID : 1
Active Receive Key IDs : 01
Default send Key ID : Not configured
Key ID Information:
-------------------
Key ID : 1
Key string : hello (plain)
Algorithm : MD5
SEND TIMER :
Day(s) : Fri Sat
Status : Active
RECEIVE TIMER :
Day(s) : Fri Sat
Status : Active
After the keychain is applied to BGP, run the display bgp peer ipv4-address verbose command
to check authentication information about the BGP peer. The display on Switch A is used as an
example.
<SwitchA> display bgp peer 192.168.1.2 verbose
BGP Peer is 192.168.1.2, remote AS 1

Type: IBGP link
BGP version 4, Remote router ID 2.2.2.2
Update-group ID: 1
BGP current state: Established, Up for 00h43m34s
BGP current event: RecvKeepalive
BGP last state: OpenConfirm
BGP Peer Up count: 2
Received total routes: 0
Received active routes total: 0
Advertised total routes: 0
Port: Local - 179 Remote - 54672
Configured: Active Hold Time: 180 sec Keepalive Time:60 sec
Received : Active Hold Time: 180 sec
Negotiated: Active Hold Time: 180 sec Keepalive Time:60 sec
Peer optional capabilities:
Peer supports bgp multi-protocol extension
Peer supports bgp route refresh capability
Peer supports bgp 4-byte-as capability
Address family IPv4 Unicast: advertised and received
Received: Total 45 messages
Update messages 0
Open messages 1
KeepAlive messages 44
Notification messages 0
Refresh messages 0
Sent: Total 48 messages
Update messages 0
Open messages 2
KeepAlive messages 46
Notification messages 0

Refresh messages 0
Authentication type configured: Keychain(huawei)
Last keepalive received: 2012/04/20 11:37:27
Last keepalive sent : 2012/04/20 11:37:27
Minimum route advertisement interval is 15 seconds
Optional capabilities:
Route refresh capability has been enabled
4-byte-as capability has been enabled
Peer Preferred Value: 0
Routing policy configured:
No routing policy is configured
----End
Configuration Files
l # Configuration file of Switch A
#
sysname SwitchA
#
vlan batch 10
#
keychain huawei mode periodic weekly
tcp-kind 182
tcp-algorithm-id md5 17
#
key-id 1
algorithm md5
send-time day fri sat
receive-time day fri sat
#
interface Vlanif10
ip address 192.168.1.1 255.255.255.0
#
#
bgp 1
router-id 1.1.1.1
peer 192.168.1.2 keychain huawei
#
ipv4-family unicast
#
l #Configuration file of Switch B

#
sysname SwitchB
#
vlan batch 10
#
keychain huawei mode periodic weekly
tcp-kind 182
tcp-algorithm-id md5 17
#
key-id 1
algorithm md5
send-time day fri sat
receive-time day fri sat
#
interface Vlanif10

ip address 192.168.1.2
255.255.255.0
#
#
bgp 1
router-id 2.2.2.2
peer 192.168.1.1 keychain huawei
#
ipv4-family unicast
#
8.14 ND Snooping Configuration

This chapter describes the principle and configuration method of ND snooping and provides
Product Support
S3300 Supported
8.14.1 Example for Configuring ND Snooping on a Layer 2 Network

As shown in Figure 8-24, Switch is applied to a Layer 2 network between hosts and the gateway.
Attackers send bogus ND packets of authorized users to modify the ND entries of the users. The
users cannot obtain IPv6 addresses properly, and the default gateway is changed. Then the users
cannot access the network. The administrator wants to prevent ND attacks so that high-quality
services can be provided for ND users. In addition, the administrator wants to manage user
addresses based on user prefixes.

Figure 8-24 Networking diagram for configuring ND snooping on a Layer 2 network

Switch
Eth0/0/1
Eth0/0/2
L2 L3
network Gateway
network
User
network
1. Enable ND snooping globally and in the interface view. Switch generates an ND snooping
dynamic binding table based on the DAD NS packets. Then Switch checks the validity of
other ND packets to prevent ND attacks such as address spoofing.
2. Configure the interface connecting to the gateway as the trusted interface. Switch generates
a prefix management table based on RA packets received from the trusted interface so that
user addresses can be managed flexibly. Interfaces connecting to hosts are untrusted
interfaces by default. After ND snooping is enabled, Switch filters out RA packets received
from untrusted interfaces to prevent RA attacks.
3. Configure automatic user status detection for users mapping ND snooping dynamic binding
entries so that mapping entries can be deleted in time when ND users are offline.
Procedure
Step 1 Enable ND snooping.
# Enable ND snooping globally.
[Switch] dhcp enable
[Switch] nd snooping enable
# Enable ND snooping on an interface.

[Switch-Ethernet0/0/2] nd snooping enable
Step 2 # Configure Eth0/0/1 as a trusted interface.

[Switch-Ethernet0/0/1] nd snooping trusted

After ND snooping is enabled on Eth0/0/2, the interface is an untrusted interface by default.
Step 3 Enable automatic user status detection for users mapping ND snooping dynamic binding entries.
# Enable automatic user status detection for users mapping ND snooping dynamic binding entries
and set the number of times and interval for sending NS packets to detect the user status.
[Switch] nd user-bind detect enable
[Switch] nd user-bind detect retransmit 5 interval 600
Run the display this command in the system view to check whether ND snooping and automatic
user status detection for users mapping ND snooping dynamic binding entries are enabled
globally.
[Switch] display this
dhcp enable
nd snooping enable
nd user-bind detect enable
nd user-bind detect retransmit 5 interval 600
Run the display this command to verify that ND snooping has been enabled on Eth0/0/2 and
Eth0/0/1 has been configured as the trusted interface.
#
nd snooping enable
#
return
#
nd snooping trusted
#
return
[Switch] quit
Run the display nd snooping prefix command to view the prefix management table of ND
users.
<Switch> display nd snooping prefix
prefix-table:
Prefix Length Valid-Time Preferred-Time
--------------------------------------------------------------------------------
3001:: 64 100000 100000
--------------------------------------------------------------------------------
Prefix table total count: 1
Run the display nd snooping user-bind all command to view the ND snooping dynamic binding
table.
<Switch> display nd snooping user-bind all
ND Dynamic Bind-table:
Flags:O - outer vlan ,I - inner vlan ,P - map vlan
IP Address MAC Address VSI/VLAN(O/I/P) Lease
--------------------------------------------------------------------------------
3001::E58C:A2E7:AA4C:8E59 00e0-4c7c-af8f 10 /-- /-- 2011.05.06-20:09
--------------------------------------------------------------------------------
print count: 1 total count: 1

If the prefix management table and ND snooping dynamic binding table are generated on Switch,
ND snooping is configured successfully.
----End
Configuration File
#
sysname Switch
#
dhcp enable
nd snooping enable
nd user-bind detect enable
nd user-bind detect retransmit 5 interval 600
#
nd snooping trusted
#
nd snooping enable
#
return
8.15 SAVI Configurations

This chapter describes the principle and configuration methods of Source Address Validation
Improvements (SAVI) and provides configuration examples.
8.15.1 Example for Configuring the SAVI Function in a DHCPv6-

Only Scenario
As shown in Figure 8-25, SwitchA functions as an access device to connect to hosts in an
enterprise department. Many hosts exist in the department. To manage IPv6 addresses
efficiently, all hosts in the department obtain IPv6 addresses using DHCPv6. If an attacker sends
a large number of invalid DHCPv6 protocol packets or invalid IPv6 data packets, communication
of authorized users may be interrupted, and user accounts and passwords may be embezzled. To
prevent these problems, the administrator wants to configure SwitchA to defend against invalid
DHCPv6 protocol packets and invalid IPv6 data packets (with invalid source addresses) and
provides users with stable services on a secure network.

Figure 8-25 Networking diagram for configuring the SAVI function in a DHCPv6-Only scenario
DHCPv6 Server
DHCPv6 Client
G
E0
…… /0
/1 SwitchA Gateway
VLAN 2
GE0/0/2 Campus
Network
DHCPv6 Client VLAN 2
GE0/0/3
Attacker
1. Configure DHCPv6 snooping so that bindings between address and ports can be generated
for validity of the source addresses in DHCPv6 protocol packets and IPv6 data packets.
2. Enable the SAVI function so that the device can check the validity of the source addresses
in DHCPv6 protocol packets based on the DHCPv6 snooping binding entries and filter out
invalid packets.
3. Enable IP source guard so that the device can check the validity of the source addresses in
IPv6 data packets based on the DHCPv6 snooping binding entries and filter out invalid
packets.
Procedure
Step 1 Enable the SAVI function.
[SwitchA] savi enable
Step 2 Create VLAN 2.

Step 3 Add Eth0/0/1, Eth0/0/2, Eth0/0/3 to VLAN 2.



Step 4 Configure DHCPv6 snooping.

# Enable DHCPv6 snooping globally.
# Enable DHCPv6 snooping for VLAN 2.

[SwitchA] vlan 2
# Enable DHCPv6 protocol packet validity check against the DHCPv6 snooping binding table
in VLAN 2.
[SwitchA-vlan2] dhcp snooping check dhcp-request enable
# Configure Eth0/0/3 connecting to the DHCP server as a trusted interface.

Step 5 Enable IP source guard for VLAN 2.

[SwitchA] vlan 2
[SwitchA-vlan2] ip source check user-bind enable

# Run the display this command in the system view to verify that the SAVI function and
DHCPv6 snooping are enabled globally.
[SwitchA] display this
#
dhcp enable
#
#
savi enable
#
return
# Run the display this command in the VLAN view. The command output shows that DHCPv6
snooping, DHCPv6 protocol packet validity check against the DHCPv6 snooping binding table,
and IP source guard have been enabled in VLAN 2.
[SwitchA] vlan 2
[SwitchA-vlan2] display this
#
vlan 2
dhcp snooping check dhcp-request enable
ip source check user-bind
enable
#
return
# Run the display this command in the interface view to verify that Eth0/0/3 connecting to the
DHCP server are configured as a trusted interface.


#
#
return
----End
Configuration File
Configuration file of SwitchA.
#
sysname SwitchA
#
vlan batch 2
#
dhcp enable
#
#
savi enable
#
vlan 2
#
port default vlan 2
#
port default vlan 2
#
#
return
8.15.2 Example for Configuring the SAVI Function in an SLAAC-

Only Scenario
enterprise department. No DHCPv6 server is deployed on the network, and hosts in the
department can obtain IPv6 addresses using only SLAAC. If an attacker sends a large number
of invalid ND protocol packets or invalid IPv6 data packets, communication of authorized users
may be interrupted, and user accounts and passwords may be embezzled. To prevent these
problems, the administrator wants to configure SwitchA to defend against invalid ND protocol
packets and invalid IPv6 data packets (with invalid source addresses) and provides users with
stable services on a secure network.

Figure 8-26 Networking diagram for configuring the SAVI function in an SLAAC-Only
scenario
Host A
G
…… E0
/0 SwitchA Gateway
/1
VLAN 2
GE0/0/2 Internet
VLAN 2
Host B
GE0/0/3
Attacker
1. Configure ND snooping so that bindings between address and ports can be generated for
validity of the source addresses in ND protocol packets and IPv6 data packets.
in ND protocol packets based on the ND snooping binding entries and filter out invalid
packets.
IPv6 data packets based on the ND snooping binding entries and filter out invalid packets.
Procedure




Step 4 Configure ND snooping.

[SwitchA] nd snooping enable
# Enable ND snooping for VLAN 2.

[SwitchA] vlan 2
[SwitchA-vlan2] nd snooping enable
# Enable validity check for NA and NS packets in VLAN 2.

[SwitchA-vlan2] nd snooping check na enable
[SwitchA-vlan2] nd snooping check ns enable
# Configure Eth0/0/3 connecting to the ND server as a trusted interface.

[SwitchA-Ethernet0/0/3] nd snooping trusted

[SwitchA] vlan 2

# Run the display this command in the system view to verify that the SAVI function and ND
snooping are enabled globally.
[SwitchA] display
this
#
nd snooping enable
savi enable
#
return
# Run the display this command in the VLAN view. The command output shows that ND
snooping, ND6 protocol packet validity check, and IP source guard have been enabled in VLAN
2.
[SwitchA] vlan 2
#
vlan 2
nd snooping enable
nd snooping check ns enable
nd snooping check na enable
ip source check user-bind
enable
#
return
# Run the display this command in the interface view to verify that Eth0/0/3 connecting to the
ND server are configured as a trusted interface.
#


nd snooping trusted
#
return
----End
Configuration File
#
sysname SwitchA
#
vlan batch 2
#
nd snooping enable
savi enable
#
vlan 2
nd snooping enable
#
port default vlan 2
#
port default vlan 2
#
nd snooping trusted
#
return
8.15.3 Example for Configuring the SAVI Function in a DHCPv6

+SLAAC Scenario
enterprise department. Some hosts in the department obtain IPv6 addresses using SLAAC, and
other hosts obtain IPv6 addresses using DHCPv6. If an attacker sends a large number of invalid
ND protocol packets, invalid DHCPv6 protocol packets, or invalid IPv6 data packets,
communication of authorized users may be interrupted, and user accounts and passwords may
be embezzled. To prevent these problems, the administrator wants to configure SwitchA to
defend against invalid ND protocol packets, invalid DHCPv6 protocol packets, and invalid IPv6
data packets (with invalid source addresses) and provides users with stable services on a secure
network.

Figure 8-27 Networking diagram for configuring the SAVI function in a DHCPv6+SLAAC
scenario
DHCPv6 Server
DHCPv6 Client
G
…… E0
/0 Gateway
/1 SwitchA
VLAN 2
GE0/0/2 Campus
Network
Host VLAN 2
GE0/0/3
Attacker
1. Configure DHCPv6 snooping so that bindings between address and ports can be generated
for validity of the source addresses in DHCPv6 protocol packets and IPv6 data packets.
2. Configure ND snooping so that bindings between address and ports can be generated for
validity of the source addresses in ND protocol packets and IPv6 data packets.
in DHCPv6 protocol packets and ND protocol packets based on the DHCPv6 snooping and
ND snooping binding entries and filter out invalid packets.
IPv6 data packets based on the DHCPv6 snooping and ND snooping binding entries and
filter out invalid packets.
Procedure




Step 4 Configure DHCPv6 snooping.

# Enable DHCPv6 snooping globally.
# Enable DHCPv6 snooping for VLAN 2.

[SwitchA] vlan 2
# Enable DHCPv6 protocol packet validity check against the DHCPv6 snooping binding table
in VLAN 2.
[SwitchA-vlan2] dhcp snooping check dhcp-request enable
# Configure Eth0/0/3 connecting to the DHCP server as a trusted interface.

Step 5 Configure ND snooping.

[SwitchA] nd snooping enable
# Enable ND snooping for VLAN 2.

[SwitchA] vlan 2
[SwitchA-vlan2] nd snooping enable
# Enable validity check for NA and NS packets in VLAN 2.

[SwitchA-vlan2] nd snooping check na enable
[SwitchA-vlan2] nd snooping check ns enable
# Configure Eth0/0/3 connecting to the ND server as a trusted interface.

[SwitchA-Ethernet0/0/3] nd snooping trusted

[SwitchA] vlan 2

# Run the display this command in the system view to verify that the SAVI function, DHCPv6
snooping, and ND snooping are enabled globally.
[SwitchA] display this
#

dhcp enable
#
#
nd snooping enable
savi enable
#
return
# Run the display this command in the VLAN view. The command output shows that DHCPv6
snooping, DHCPv6 protocol packet validity check against the DHCPv6 snooping binding table,
ND snooping, ND protocol packet validity check, and IP source guard have been enabled in
VLAN 2.
[SwitchA] vlan 2
#
vlan 2
nd snooping enable
#
return
# Run the display this command in the interface view to verify that Eth0/0/3 is configures as
the DHCP snooping trusted interface and the ND snooping trusted interface.
#
nd snooping trusted
#
return
----End
Configuration File
#
sysname SwitchA
#
vlan batch 2
#
dhcp enable
#
#
nd snooping enable
savi enable
#
vlan 2
nd snooping enable
#


port default vlan 2
#
port default vlan 2
#
nd snooping trusted
#
return

Typical Configuration Examples 9 Configuration Guide - Reliability
9 Configuration Guide - Reliability
About This Chapter
This document describes the configuration of BFD, DLDP, VRRP, SmartLink, RRPP, ERPS,
Ethernet OAM and MAC swap loopback to ensure reliability on the device.
9.1 BFD Configuration

Bidirectional forwarding detection (BFD) allows network devices to quickly detect faults.
9.2 DLDP Configuration
DLDP can detect unidirectional links of optical fibers or copper twisted pairs.
9.3 MAC Swap Loopback Configuration
MAC swap loopback checks Ethernet connectivity and network performance.
9.4 Smart Link Configuration
The Smart Link is applicable to dual uplinks and scenarios in which STP is not used, improving
access reliability.
9.5 Monitor Link Configuration
The Monitor Link configures downlink interfaces by monitoring uplink interfaces and transmits
fault information.
9.6 ERPS (G.8032) Configuration
Ethernet ring protection switching (ERPS) is a standard protocol issued by the ITU-T to prevent
loops on ring networks. ERPS features fast convergence speed, ensuring carrier-class reliability.
Huawei and non-Huawei devices on a ring network supporting ERPS can communicate with
each other.
9.7 VRRP Configuration
The Virtual Router Redundancy Protocol (VRRP) is a fault-tolerant protocol. VRRP switches
services from the master device to the backup router when the next hop device of the master
device fails. This ensures nonstop service transmission and reliability.
9.8 RRPP Configuration
Rapid Ring Protection Protocol (RRPP) prevents loops and implements fast convergence on ring
networks.
9.9 EFM Configuration

Ethernet in the First Mile (EFM) can be enabled on both devices of a point-to-point link to
monitor connectivity and link quality.
9.10 CFM Configuration
Connectivity fault management (CFM) defines OAM functions and applies to large-scale end-
to-end Ethernet networks. It monitors network connectivity and locates connectivity faults.
9.11 Y.1731 Configuration
Y.1731 provides fault detection and fault management on an Ethernet end-to-end link.

9.1 BFD Configuration

Bidirectional forwarding detection (BFD) allows network devices to quickly detect faults.
9.1.1 Example for Configuring Single-hop BFD for Detecting Faults

on a Layer 2 Link
As shown in Figure 9-1, SwitchA and SwitchB are connected through a Layer 2 interface. Faults
on the link between SwitchA and SwitchB need to be fast detected.
Figure 9-1 Single-hop BFD for detecting faults on a Layer 2 link

Eth0/0/1 Eth0/0/1
SwitchA SwitchB
Configure BFD sessions on SwitchA and SwitchB to detect faults on the link between
SwitchA and SwitchB.
Procedure
Step 1 Configure single-hop BFD on SwitchA.
# Enable BFD on SwitchA.
[SwitchA] bfd
[SwitchA-bfd] quit
[SwitchA] bfd atob bind peer-ip default-ip interface ethernet 0/0/1

Step 2 Configure single-hop BFD on SwitchB.

# Enable BFD on SwitchB.
[SwitchB] bfd
[SwitchB-bfd] quit

[SwitchB] bfd btoa bind peer-ip default-ip interface ethernet 0/0/1


After the configuration is complete, run the display bfd session all verbose command on
SwitchA and SwitchB. You can see that a single-hop BFD session is set up and its status is Up.
The display on SwitchA is used as an example.
<SwitchA> display bfd session all verbose
--------------------------------------------------------------------------------
Session MIndex : 4097 (One Hop) State : Up Name : atob
--------------------------------------------------------------------------------
Local Discriminator : 1 Remote Discriminator : 2
Session Detect Mode : Asynchronous Mode Without Echo Function
BFD Bind Type : Interface(Ethernet0/0/1)
Bind Session Type : Static
Bind Peer IP Address : 224.0.0.184
NextHop Ip Address : 224.0.0.184
Bind Interface : Ethernet0/0/1
FSM Board Id : 0 TOS-EXP : 7
Min Tx Interval (ms) : 1000 Min Rx Interval (ms) : 1000
Actual Tx Interval (ms): 1000 Actual Rx Interval (ms): 1000
Local Detect Multi : 3 Detect Interval (ms) : 3000
Echo Passive : Disable Acl Number : -
Destination Port : 3784 TTL : 255
Proc Interface Status : Disable
WTR Interval (ms) : -
Active Multi : 3
Last Local Diagnostic : No Diagnostic
Bind Application : No Application Bind
Session TX TmrID : - Session Detect TmrID : -
Session Init TmrID : - Session WTR TmrID : -
Session Echo Tx TmrID : -
PDT Index : FSM-0 | RCV-0 | IF-0 | TOKEN-0
Session Description : -
--------------------------------------------------------------------------------
# Run the shutdown command on Eth0/0/1 of SwitchA to simulate a link fault.

[SwitchA-Ethernet0/0/1] shutdown
SwitchA and SwitchB. You can see that a single-hop BFD session is set up and its status is
Down. The display on SwitchA is used as an example.
--------------------------------------------------------------------------------
Session MIndex : 4097 (One Hop) State : Down Name : atob
--------------------------------------------------------------------------------
Local Detect Multi : 3 Detect Interval (ms) : -


Active Multi : 3
Last Local Diagnostic : Control Detection Time Expired
Session TX TmrID : 16402 Session Detect TmrID : -
--------------------------------------------------------------------------------
----End
Configuration Files
#
sysname SwitchA
#
bfd
#
bfd atob bind peer-ip default-ip interface Ethernet0/0/1
commit
#
return

#
sysname SwitchB
#
bfd
#
bfd btoa bind peer-ip default-ip interface Ethernet0/0/1
commit
#
return
9.1.2 Example for Configuring Single-Hop BFD on a VLANIF

Interface
As shown in Figure 9-2, SwitchA connects to SwitchB through the VLANIF interface. Faults
on the link between SwitchA and SwitchB need to be fast detected.
Figure 9-2 Networking diagram for configuring single-hop BFD on a VLANIF interface
VLANIF100 VLANIF100
10.1.1.5/24 10.1.1.6/24
Eth0/0/1 Eth0/0/1
SwitchA SwitchB

Configure BFD sessions on SwitchA and SwitchB.
Procedure
Step 1 On SwitchA and SwitchB, create VLANs, configure Eth0/0/1 interfaces as hybrid interfaces,
and add Eth0/0/1 interfaces to VLANs. The configuration details are not mentioned here.
Step 2 Configure IP addresses for VLANIF interfaces so that SwitchA and SwitchB can communicate
at Layer 3. The configuration details are not mentioned here.
Step 3 Configure single-hop BFD.
# Enable BFD and create a BFD session on SwitchA.
[SwitchA] bfd
[SwitchA-bfd] quit
# Enable BFD and create a BFD session on SwitchB.

[SwitchB] bfd
[SwitchB-bfd] quit

[SwitchA] display bfd session all verbose
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
BFD Bind Type : Interface(Vlanif100)
Bind Interface : Vlanif100
Active Multi : 3


--------------------------------------------------------------------------------
# Run the shutdown command on the Eth0/0/1 interface of SwitchA to simulate a link fault.
[SwitchA] interface Ethernet 0/0/1
SwitchA and SwitchB. You can see that a single-hop BFD session is set up and its status is
Down. Take the display on SwitchA as an example.
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
Active Multi : 3
--------------------------------------------------------------------------------
----End
Configuration Files
#
sysname SwitchA
#
vlan batch 100
#
bfd
#
interface Vlanif100
ip address 10.1.1.5 255.255.255.0
#


#
commit
#
return

#
sysname SwitchB
#
vlan batch 100
#
bfd
#
interface Vlanif100
ip address 10.1.1.6 255.255.255.0
#
#
commit
#
return
9.1.3 Example for Configuring Multi-Hop BFD
As shown in Figure 9-3, SwitchA is indirectly connected to SwitchC. Static routes are
configured so that SwitchA can communicate with SwitchC. Faults on the link between
SwitchA and SwitchC need to be fast detected.
Figure 9-3 Networking diagram for configuring multi-hop BFD
Eth0/0/1 Eth0/0/1 Eth0/0/2 Eth0/0/1

10.1.1.1/24 10.1.1.2/24 10.2.1.1/24 10.2.1.2/24
VLAN 10 VLAN 20
SwitchA SwitchB SwitchC
Configure BFD sessions on SwitchA and SwitchC to detect the multi-hop route.

Procedure
Step 1 Add interfaces to VLANs, create VLANIF interfaces, and assign IP addresses to VLANIF
interfaces. The configuration details are not mentioned here.
Step 2 Configure a reachable static route between SwitchA and SwitchC.
[SwitchA] ip route-static 10.2.0.0 16 10.1.1.2
The configuration of SwitchC is similar to the configuration of SwitchA, and is not mentioned
here.
Step 3 Configure multi-hop BFD.
# Create a BFD session between SwitchA and SwitchC.
[SwitchA] bfd
[SwitchA-bfd] quit
[SwitchA] bfd atoc bind peer-ip 10.2.1.2
[SwitchA-bfd-session-atoc] discriminator local 10
[SwitchA-bfd-session-atoc] discriminator remote 20
[SwitchA-bfd-session-atoc] commit
[SwitchA-bfd-session-atoc] quit
# Create a BFD session between SwitchC and SwitchA.

[SwitchC] bfd
[SwitchC-bfd] quit
[SwitchC] bfd ctoa bind peer-ip 10.1.1.1
[SwitchC-bfd-session-ctoa] discriminator local 20
[SwitchC-bfd-session-ctoa] discriminator remote 10
[SwitchC-bfd-session-ctoa] commit
[SwitchC-bfd-session-ctoa] quit

After the configuration, run the display bfd session verbose command on SwitchA and
SwitchC. You can see that a BFD session is set up and is in Up state. Take the display on
SwitchA as an example.
--------------------------------------------------------------------------------
Session MIndex : 4097 (Multi Hop) State :Up Name : atoc
--------------------------------------------------------------------------------
BFD Bind Type : Peer IP Address
Bind Interface : -
Active Multi : 3

--------------------------------------------------------------------------------
# Run the shutdown command on the Eth0/0/1 interface of SwitchA to simulate a link fault.
After the configuration, run the display bfd session all verbose command on SwitchA and
SwitchB. You can see that a multi-hop BFD session is set up and the status is Down. Take the
display on SwitchA as an example.
--------------------------------------------------------------------------------
Session MIndex : 4097 (Multi Hop) State :Down Name : atoc
--------------------------------------------------------------------------------
BFD Bind Type : Peer IP Address
Bind Interface : -
Active Multi : 3
--------------------------------------------------------------------------------
----End
Configuration Files
#
sysname SwitchA
#
vlan batch 10
#
bfd
#
interface Vlanif10
ip address 10.1.1.1 255.255.255.0
#
#
bfd atoc bind peer-ip 10.2.1.2
commit
#

ip route-static 10.2.0.0 255.255.0.0 10.1.1.2

#
return

#
sysname SwitchB
#
vlan batch 10 20
#
interface Vlanif10
ip address 10.1.1.2 255.255.255.0
#
interface Vlanif20
ip address 10.2.1.1 255.255.255.0
#
#
#
return

#
sysname SwitchC
#
bfd
#
vlan batch 20
#
interface Vlanif20
ip address 10.2.1.2 255.255.255.0
#
#
bfd ctoa bind peer-ip 10.1.1.1
commit
#
ip route-static 10.1.0.0 255.255.0.0 10.2.1.1
#
return
9.1.4 Example for Associating the BFD Session Status with the
Interface Status
As shown in Figure 9-4, SwitchA is directly connected to SwitchB and Layer 2 transmission
devices, SwitchC and SwitchD, are deployed between them. It is required that SwitchA and
SwitchB fast detect link faults to trigger fast route convergence.

Figure 9-4 Associating the BFD session status with the interface status
VLAINF10 VLAINF10
10.1.1.1/24 10.1.1.2/24
GE0/0/1 GE0/0/1
SwitchA SwitchC SwitchD SwitchB
1. Configure BFD sessions on SwitchA and SwitchB to detect faults on the link between
2. Configure association between the BFD session status and interface status on SwitchA and
SwitchB after the BFD session becomes Up.
Procedure
Step 1 Set IP addresses of the directly connected interfaces on SwitchA and SwitchB.
# Assign an IP address to the interface of SwitchA.
[SwitchA] vlan 10
# Assign an IP address to the interface of SwitchB.

[SwitchB] vlan 10
Step 2 Configure single-hop BFD.

# Enable BFD on SwitchA and configure the BFD session between SwitchA and SwitchB.
[SwitchA] bfd
[SwitchA-bfd] quit
[SwitchA] bfd atob bind peer-ip default-ip interface ethernet 0/0/1
# Enable BFD on SwitchB and set up the BFD session between SwitchA and SwitchB.
[SwitchB] bfd
[SwitchB-bfd] quit

[SwitchB] bfd btoa bind peer-ip default-ip interface ethernet 0/0/1

# After the configuration is complete, run the display bfd session all verbose command on
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
Bind Peer Ip Address : 224.0.0.184
Echo Passive : Disable Acl Number : --
Proc interface status : Disable Process PST : Disable
WTR Interval (ms) : --
Active Multi : 3
Session TX TmrID : -- Session Detect TmrID : --
Session Init TmrID : -- Session WTR TmrID : --
Session Description : --
--------------------------------------------------------------------------------
Step 3 Configuring association between BFD session status and interface status.
# Configure association between the BFD session status and the interface status on SwitchA.
[SwitchA] bfd atob
[SwitchA-bfd-session-atob] process-interface-status
# Configure association between the BFD session status and the interface status on SwitchB.
[SwitchB] bfd btoa
[SwitchB-bfd-session-btoa] process-interface-status

SwitchA and SwitchB. You can see that the Proc interface status displays field is Enable.
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------


Proc interface status : Enable Process PST : Disable
Active Multi : 3
Bind Application : IFNET
--------------------------------------------------------------------------------
Run the shutdown command on Eth0/0/1 of SwitchB to make the BFD session go Down.
Run the display bfd session all verbose and display interface ethernet 0/0/1 commands on
SwitchA. You can see that the BFD session status is Down, and the status of GE0/0/1 is UP
(BFD status down).
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
Proc interface status : Enable Process PST : Disable
Active Multi : 3
Bind Application : IFNET
--------------------------------------------------------------------------------

[SwitchA] display interface ethernet 0/0/1
Ethernet0/0/1 current state : UP
Line protocol current state : UP(BFD status down)
Description:HUAWEI, Quidway Series, Ethernet0/0/1 Interface
Switch Port,PVID : 230,The Maximum Frame Length is 9216

IP Sending Frames' Format is PKTFMT_ETHNT_2, Hardware address is 0022-0033-0044

QoS max-bandwidth : 1000000 Kbps
Output queue : (Urgent queue : Size/Length/Discards) 0/50/0
Output queue : (Protocol queue : Size/Length/Discards) 0/1000/0
Output queue : (FIFO queue : Size/Length/Discards) 0/256/0
Last physical up time : -

Last physical down time : 2007-10-18 12:02:27 UTC-08:00
Port Mode: COMMON FIBER
Speed : 1000, Loopback: NONE
Duplex: FULL, Negotiation: ENABLE
Mdi : NORMAL
Last 300 seconds input rate 656 bits/sec, 1 packets/sec
Last 300 seconds output rate 763369936 bits/sec, 1490956 packets/sec
Input peak rate 27725312 bits/sec,Record time: 2007-10-18 12:15:22
Output peak rate 914311728 bits/sec,Record time: 2007-10-18 13:28:10
Unicast : 731, Multicast : 2537
Broadcast : 31215405, Jumbo : 0
CRC : 0, Giants : 0
Jabbers : 0, Throttles : 0
Runts : 0, DropEvents : 0
Alignments : 0, Symbols : 0
Ignoreds : 0, Frames : 0
Discard : 31215393, Total Error : 0
Output: 8462849788 packets, 541622420480 bytes
Collisions : 0, Deferreds : 0
Late Collisions: 0, ExcessiveCollisions: 0
Buffers Purged : 0
Input bandwidth utilization threshold : 100.00%
Output bandwidth utilization threshold: 100.00%
Input bandwidth utilization : 0.01%
Output bandwidth utilization : 85.24%
----End
Configuration Files
#
sysname SwitchA
#
vlan batch 10
#
bfd
#
interface Vlanif10
ip address 10.1.1.1 255.255.255.0
#
#
bfd atob bind peer-ip default-ip interface Ethernet0/0/1
process-interface-status
commit
#
return

#
sysname SwitchB
#

vlan batch 10
#
bfd
#
interface Vlanif10
ip address 10.1.1.2 255.255.255.0
#
#
bfd btoa bind peer-ip default-ip interface Ethernet0/0/1
process-interface-status
commit
#
return
9.1.5 Example for Configuring Association Between a BFD Session

and an Interface
As shown in Figure 9-5, CE1 is dual-homed to PE1 and PE2, and CE2 is dual-homed to PE3
and PE4. Traffic is forwarded through the primary path CE1 -> PE1 -> PE3 -> CE2. It is required
that faults on links between PEs be fast detected so that CEs can detect faults and traffic is
switched to the standby path CE1 -> PE2 -> PE4 -> CE2.
NOTE
The CEs must be directly connected to the PEs and no Layer 2 devices are deployed between CE1 and PE1
and between CE2 and PE2.
Figure 9-5 Networking diagram for configuring association between a BFD session and an
interface
GE0/0/2
PE1 Vlanif20 PE3
20.1.1.1/24
GE0/0/2
GE0/0/1 Vlanif30
Vlanif10 GE0/0/1
Vlanif20 30.1.1.1/24
10.1.1.2/24
20.1.1.2/24
GE0/0/1 GE0/0/1
GE0/0/3 CE2 GE0/0/3
Vlanif10 Vlanif30
Vlanif100 Vlanif110
10.1.1.1/24 30.1.1.2/24
100.1.1.1/24 110.1.1.1/24
CE1
GE0/0/2 GE0/0/2
Vlanif40 Vlanif60
40.1.1.1/24 GE0/0/2 60.1.1.1/24
Vlanif50
GE0/0/1 GE0/0/2
50.1.1.1/24
Vlanif40 Vlanif60
40.1.1.2/24 GE0/0/1 60.1.1.2/24
PE2 Vlanif50 PE4
50.1.1.2/24

1. Configure devices to advertise routes through OSPF and set the OSPF cost of VLANIF 40
on CE1 and VLANIF 60 on CE2 to 10 so that traffic is transmitted through the primary
path CE1 -> PE1 -> PE3 -> CE2.
2. Create a BFD session on PE1 to detect the directly connected link between PE1 and PE2.
3. Create a BFD session on PE3 to detect the directly connected link between PE2 and PE1.
4. Associate the BFD session with GE0/0/1 on PE1, and associate the BFD session with
GE0/0/2 on PE3.
Procedure
Step 1 Configure interface IP addresses.
Configure VLANs allowed by interfaces and assign IP addresses to VLANIF interfaces
according to Figure 9-5.
Step 2 Configure a routing protocol.
OSPF is used in this example.
Run OSPF on CEs and PEs. To ensure that traffic is transmitted through the path CE1 -> PE1 -
> PE3 -> CE2, increase the OSPF cost of VLANIF 40 on CE1 and VLANIF 60 on CE2. For
example, change the cost to 10.
# Configure PE1.
[PE1] ospf 1
[PE1-ospf-1] area 0.0.0.0
[PE1-ospf-1] quit
The configurations of PE2, PE3, and PE4 are similar to the configuration of PE1, and are not
mentioned here.
# Configure CE1.
[CE1] ospf 1
[CE1-ospf-1] area 0.0.0.0
[CE1-ospf-1-area-0.0.0.0] network 10.1.1.0 0.0.0.255
[CE1-ospf-1-area-0.0.0.0] quit
[CE1-ospf-1] quit
[CE1] interface vlanif 40
[CE1-Vlanif40] ospf cost 10
[CE1-Vlanif40] quit
# Configure CE2.
[CE2] ospf 1
[CE2-ospf-1] area 0.0.0.0
[CE2-ospf-1-area-0.0.0.0] quit

[CE2-ospf-1] quit
[CE2] interface vlanif 60
[CE2-Vlanif60] ospf cost 10
[CE2-Vlanif60] quit
Run the display ip routing-table command on CE1. You can see that the outbound interface
for the route from CE1 to 110.1.1.0/24 is VLANIF 10, indicating that traffic is transmitted along
the primary path.
[CE1] display ip routing-table
------------------------------------------------------------------------------
10.1.1.0/24 Direct 0 0 D 10.1.1.1 Vlanif10

10.1.1.1/32 Direct 0 0 D 127.0.0.1 Vlanif10
20.1.1.0/24 OSPF 10 2 D 10.1.1.2 Vlanif10
30.1.1.0/24 OSPF 10 3 D 10.1.1.2 Vlanif10
40.1.1.0/24 Direct 0 0 D 40.1.1.1 Vlanif40
40.1.1.1/32 Direct 0 0 D 127.0.0.1 Vlanif40
50.1.1.0/24 OSPF 10 11 D 40.1.1.2 Vlanif40
60.1.1.0/24 OSPF 10 13 D 10.1.1.2 Vlanif10
100.1.1.0/24 Direct 0 0 D 100.1.1.1 Vlanif100
100.1.1.1/32 Direct 0 0 D 127.0.0.1 Vlanif100
110.1.1.0/24 OSPF 10 4 D 10.1.1.2 Vlanif10
Step 3 Create BFD sessions.
# Configure PE1.
[PE1] bfd
[PE1-bfd] quit
[PE1] bfd pe1tope3 bind peer-ip 20.1.1.2 interface vlanif 20
[PE1-bfd-session-pe1tope3] discriminator local 1
[PE1-bfd-session-pe1tope3] discriminator remote 2
[PE1-bfd-session-pe1tope3] commit
[PE1-bfd-session-pe1tope3] quit
# Configure PE3.
[PE3] bfd
[PE3-bfd] quit
[PE3] bfd pe3tope1 bind peer-ip 20.1.1.1 interface vlanif 20
[PE3-bfd-session-pe3tope1] discriminator local 2
[PE3-bfd-session-pe3tope1] discriminator remote 1
[PE3-bfd-session-pe3tope1] commit
[PE3-bfd-session-pe3tope1] quit
Step 4 Associate BFD sessions with interfaces.
Associate the BFD session with Eth0/0/1.
# Configure PE1.
[PE1] oam-mgr
[PE1-oam-mgr] oam-bind bfd-session 1 trigger if-down interface ethernet 0/0/1
[PE1-oam-mgr] quit
# Configure PE3.
[PE3] oam-mgr
[PE3-oam-mgr] oam-bind bfd-session 2 trigger if-down interface ethernet 0/0/2
[PE3-oam-mgr] quit

Run the shutdown command on Eth0/0/1 of PE3 to simulate a link fault. After receiving the
fault notification message encapsulated into a BFD packet sent by the OAM management
module, CE1 can detect the link fault between PE1 and PE3.
Run the display bfd session all verbose command on PE1. You can see that the BFD session
becomes Down and the value of Bind Application is ETHOAM.
[PE1] display bfd session all verbose
--------------------------------------------------------------------------------
Session MIndex : 258 (One Hop) State : Down Name : pe1tope3
--------------------------------------------------------------------------------
Proc Interface Status : Disable Process PST : Disable
Active Multi : 3
Bind Application : ETHOAM
--------------------------------------------------------------------------------
Run the display ip routing table command on CE1 to check the route from CE1 to CE2. The
next hop of 110.1.1.0/24 is 40.1.1.2. That is, the traffic is forwarded through the standby path.
[CE1] display ip routing-table
------------------------------------------------------------------------------
10.1.1.0/24 Direct 0 0 D 10.1.1.1 Vlanif10

10.1.1.1/32 Direct 0 0 D 127.0.0.1 Vlanif10
30.1.1.0/24 OSPF 10 13 D 40.1.1.2 Vlanif40
40.1.1.0/24 Direct 0 0 D 40.1.1.1 Vlanif40
40.1.1.1/32 Direct 0 0 D 127.0.0.1 Vlanif40
50.1.1.0/24 OSPF 10 11 D 40.1.1.2 Vlanif40
60.1.1.0/24 OSPF 10 12 D 40.1.1.2 Vlanif40
100.1.1.0/24 Direct 0 0 D 100.1.1.1 Vlanif100
100.1.1.1/32 Direct 0 0 D 127.0.0.1 Vlanif100
110.1.1.0/24 OSPF 10 13 D 40.1.1.2 Vlanif40
----End

Configuration Files
#
sysname CE1
#
#
bfd
#
interface Vlanif10
ip address 10.1.1.1 255.255.255.0
#
interface Vlanif40
ip address 40.1.1.1 255.255.255.0
ospf cost 10
#
interface Vlanif100
ip address 100.1.1.1 255.255.255.0
#
#
#
#
ospf 1
area 0.0.0.0
network 10.1.1.0 0.0.0.255
network 40.1.1.0 0.0.0.255
network 100.1.1.0 0.0.0.255
#
return

#
sysname CE2
#
#
bfd
#
interface Vlanif30
ip address 30.1.1.2 255.255.255.0
#
interface Vlanif60
ip address 60.1.1.1 255.255.255.0
ospf cost 10
#
interface Vlanif110
ip address 110.1.1.1 255.255.255.0
#
#
#

#
ospf 1
area 0.0.0.0
network 30.1.1.0 0.0.0.255
network 60.1.1.0 0.0.0.255
network 110.1.1.0 0.0.0.255
#
return
#
sysname PE1
#
vlan batch 10 20
#
bfd
#
interface Vlanif10
ip address 10.1.1.2 255.255.255.0
#
interface Vlanif20
ip address 20.1.1.1 255.255.255.0
#
#
#
bfd pe1tope3 bind peer-ip 20.1.1.2 interface Vlanif20
commit
#
ospf 1
area 0.0.0.0
network 10.1.1.0 0.0.0.255
network 20.1.1.0 0.0.0.255
#
oam-mgr
oam-bind ingress interface GigabitEthernet0/0/1 egress bfd-session 1 trigger
if-down
oam-bind ingress bfd-session 1 trigger if-down egress interface
#
return
#
sysname PE2
#
vlan batch 40 50
#
bfd
#
interface Vlanif40
ip address 40.1.1.2 255.255.255.0
#
interface Vlanif50
ip address 50.1.1.1 255.255.255.0
#
#

#
ospf 1
area 0.0.0.0
network 40.1.1.0 0.0.0.255
network 50.1.1.0 0.0.0.255
#
return
#
sysname PE3
#
vlan batch 20 30
#
bfd
#
interface Vlanif20
ip address 20.1.1.2 255.255.255.0
#
interface Vlanif30
ip address 30.1.1.1 255.255.255.0
#
#
#
bfd pe3tope1 bind peer-ip 20.1.1.1 interface Vlanif20
commit
#
ospf 1
area 0.0.0.0
network 20.1.1.0 0.0.0.255
network 30.1.1.0 0.0.0.255
#
oam-mgr
oam-bind ingress interface GigabitEthernet0/0/2 egress bfd-session 2 trigger
if-down
oam-bind ingress bfd-session 2 trigger if-down egress interface
#
return
#
sysname PE4
#
vlan batch 50 60
#
bfd
#
interface Vlanif50
ip address 50.1.1.2 255.255.255.0
#
interface Vlanif60
ip address 60.1.1.2 255.255.255.0
#
#
#

ospf 1
area 0.0.0.0
network 50.1.1.0 0.0.0.255
network 60.1.1.0 0.0.0.255
#
return
9.1.6 Example for Configuring the BFD Echo Function
As shown in Figure 9-6, SwitchA connects to SwitchB through a direct link. SwitchA supports
BFD, whereas SwitchB does not support BFD. Faults on the link between SwitchA and
SwitchB need to be fast detected.
Figure 9-6 Networking diagram for configuring the BFD echo function
SwitchA Single-hop SwitchB

BFD session
VLANIF13 VLANIF13
Eth0/0/1 Eth0/0/1
10.1.1.5/24 10.1.1.6/24
Supporting BFD Not supporting BFD
l Configure the BFD echo function on SwitchA to detect faults on the link between
Procedure
Step 1 On SwitchA and SwitchB, create VLANs, and configure Eth0/0/1 interfaces as hybrid interfaces
and add the interfaces to VLANs.
[SwitchA] vlan 13
[SwitchB] vlan 13
Step 2 Set IP addresses of VLANIF interfaces so that SwitchA can communicate with SwitchB at Layer
3.

[SwitchB] interface vlanif13
Step 3 Configure a BFD session supporting the BFD echo function.

[SwitchA] bfd
[SwitchA-bfd] quit
[SwitchA] bfd atob bind peer-ip 10.1.1.6 interface vlanif13 source-ip 10.1.1.5 one-
arm-echo
[SwitchA-bfd-session-atob] min-echo-rx-interval 100

SwitchA. You can see that a single-hop BFD session is set up and its status is Up.
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
Local Discriminator : 1 Remote Discriminator : -
Session Detect Mode : Asynchronous One-arm-echo Mode
Bind Source IP Address : 10.1.1.5
Echo Rx Interval (ms) : 100
Active Multi : 3
--------------------------------------------------------------------------------
----End
Configuration Files

#
sysname SwitchA
#
vlan batch 13
#
bfd
#
interface Vlanif13
ip address 10.1.1.5 255.255.255.0
#
#
bfd atob bind peer-ip 10.1.1.6 interface Vlanif13 source-ip 10.1.1.5 one-arm-
echo
min-echo-rx-interval 100
commit
#
return

#
sysname SwitchB
#
vlan batch 13
#
interface Vlanif13
ip address 10.1.1.6 255.255.255.0
#
#
return
9.2 DLDP Configuration

DLDP can detect unidirectional links of optical fibers or copper twisted pairs.
9.2.1 Example for Configuring DLDP to Detect a Disconnected

Optical Fiber Link
As shown in Figure 9-7, SwitchA and SwitchB are connected through a pair of optical fibers.
On an optical fiber, Rx indicates the receive end, and Tx indicates the transmit end. The
requirement is to detect unidirectional links.
Figure 9-7 Correct optical fiber connections
Eth0/0/1 Eth0/0/1
Tx Rx
Switch A Switch B
Rx Tx

1. Configure the interfaces on both ends to work in non-auto-negotiation mode.
2. Enable DLDP to detect unidirectional links between SwitchA and SwitchB.
3. Adjust DLDP parameters to detect unidirectional links more efficiently.
Procedure
Step 1 Configure the interfaces on SwitchA to work in non-auto negotiation mode.
[SwitchA-Ethernet0/0/1] undo negotiation auto
Step 2 Enable DLDP globally.

[SwitchA] dldp enable
Step 3 Enable DLDP on an interface of SwitchA.

[SwitchA-Ethernet0/0/1] dldp enable
Step 4 Set the interval for sending Advertisement packets to 10 seconds on SwitchA.
[SwitchA] dldp interval 10
Step 5 Set the timeout value of the DelayDown timer to 4 seconds on SwitchA.
[SwitchA] dldp delaydown-timer 4
Step 6 Set the authentication mode of DLDP packets to simple password authentication and set the
password to 12345 on SwitchA.
[SwitchA] dldp authentication-mode simple 12345
Perform steps 1 to 6 on SwitchB.

After the configuration is complete, run the display dldp command in the interface view. The
command output shows that the DLDP status of the interface is advertisement.
[SwitchA] display dldp
DLDP global status: enable
DLDP interval: 10s
DLDP work-mode: enhance
DLDP authentication-mode: simple, password is 12345
DLDP unidirectional-shutdown: auto
DLDP delaydown-timer: 4s
The number of enabled ports is: 1.
The number of global neighbors is: 0.
Interface Ethernet0/0/1
DLDP port state: advertisement
DLDP link state: up
The neighbor number of the port is: 1.
Neighbor mac address:80fb-0636-792d
Neighbor port index:49
Neighbor state:two way
Neighbor aged time:16
Simulate an optical fiber disconnection by removing the receive optical fiber from SwitchA.
DLDP automatically shuts down Eth0/0/1 on SwitchB when a unidirectional link occurs between
SwitchA and Eth0/0/1 on SwitchB.

# Run the display dldp command on SwitchA and SwitchB. The command output shows that
the DLDP status of Eth0/0/1 on SwitchA is inactive, and the DLDP status of Eth0/0/1 on
SwitchB is disable.
[SwitchA] display dldp interface ethernet 0/0/1
DLDP port state: inactive
DLDP link state: down
[SwitchB] display dldp interface ethernet 0/0/1
DLDP port state: disable
DLDP link state: up
----End
Configuration Files
#
sysname SwitchA
#
dldp enable
dldp interval 10
dldp delaydown-timer 4
dldp authentication-mode simple 12345
#
dldp enable
undo negotiation auto
#
return

#
sysname SwitchB
#
dldp enable
dldp interval 10
#
dldp enable
#
return
9.2.2 Example for Configuring DLDP to Detect Cross-Connected

Optical Fibers
As shown in Figure 9-8, SwitchA and SwitchB are connected through a pair of optical fibers.
On an optical fiber, Rx indicates the receive end, and Tx indicates the transmit end. Optical
fibers may be cross connected, as shown in Figure 9-9. The requirement is to detect
unidirectional links caused by cross connections of optical fibers.

Figure 9-8 Correct optical fiber connections

Eth0/0/1 Eth0/0/1
Tx Rx
SwitchA Rx Tx SwitchB
Tx Rx
Eth0/0/2 Eth0/0/2
Figure 9-9 Cross-connected optical fibers

Eth0/0/1 Eth0/0/1
Tx Rx
SwitchA Rx Tx SwitchB
Tx Rx
Eth0/0/2 Eth0/0/2
1. Configure the interfaces on both ends to work in non-auto-negotiation mode.
2. Enable DLDP to detect unidirectional links between SwitchA and SwitchB.
3. Adjust DLDP parameters to detect unidirectional links more efficiently.
Procedure
Step 1 Configure the interfaces on SwitchA to work in non-auto negotiation mode.
Step 2 Enable DLDP globally on SwitchA.

[SwitchA] dldp enable
Step 3 Enable DLDP on an interface of SwitchA.

Step 4 Set the interval for sending Advertisement packets to 10 seconds on SwitchA.
[SwitchA] dldp interval 10
Step 5 Set the timeout value of the DelayDown timer to 4 seconds on SwitchA.
[SwitchA] dldp delaydown-timer 4
Step 6 Set the authentication mode of DLDP packets to simple password authentication and set the
password to 12345 on SwitchA.
[SwitchA] dldp authentication-mode simple 12345
Perform steps 1 to 6 on SwitchB.


After the configuration is complete, run the display dldp command in the interface view. The
command output shows that the DLDP status of the interface is advertisement.
DLDP link state: up
Neighbor mac address:0001-0001-0001
DLDP link state: up
Neighbor mac address:0001-0001-0001
DLDP link state: up
Neighbor mac address:781d-ba57-c24a
DLDP link state: up
Neighbor mac address:781d-ba57-c24a
As shown in Figure 9-9, if a unidirectional link occurs between the interfaces on SwitchA and
SwitchB due to cross connections of optical fibers, DLDP will shut down the interfaces.
Run the display dldp command on SwitchA and SwitchB. The command output shows that the
DLDP status of interfaces on SwitchA and SwitchB is disable.
DLDP link state: up
The neighbor number of the port is: 0
DLDP link state: up
DLDP link state: up

DLDP link state: up

----End
Configuration Files
#
sysname SwitchA
#
dldp enable
dldp interval 10
#
dldp enable
#
dldp enable
#
return

#
sysname SwitchB
#
dldp enable
dldp interval 10
#
dldp enable
#
dldp enable
#
return
9.3 MAC Swap Loopback Configuration

MAC swap loopback checks Ethernet connectivity and network performance.
9.3.1 Example for Configuring Local MAC Swap Loopback
On SwitchB, Eth0/0/1 connects to an Ethernet network and Eth0/0/2 connects to users. A local
MAC swap loopback test needs to be performed to test connectivity and performance of the
Ethernet network. The local MAC swap loopback test checks performance of SwitchB.

Figure 9-10 Networking diagram of a local MAC swap loopback test
Tester
Ethernet Eth0/0/1 Eth0/0/2
Users
SwitchA SwitchB
1. Create a VLAN and add Eth0/0/1 and Eth0/0/2 to the VLAN.
2. Configure local MAC swap loopback on SwitchB.
3. Enable the MAC swap loopback function on SwitchB to detect network connectivity and
network quality.
Procedure
Step 1 Create VLAN 100 on SwitchB, configure Eth0/0/1 as a trunk interface and Eth0/0/2 as a hybrid
interface, and add the interfaces to VLAN 100.
Step 2 Configure local MAC swap loopback on Eth0/0/2 of SwitchB and specify Eth0/0/1 as the
outbound interface of loopback Ethernet frames. Enable the MAC swap loopback function.
[SwitchB-Ethernet0/0/2] loopback local swap-mac source-mac 0018-2000-0085 dest-mac
018-2000-0070 vlan 100 interface ethernet 0/0/1 timeout 80
[SwitchB-Ethernet0/0/2] loopback swap-mac start

# After completing the configuration, run the display loopback swap-mac information
command to verify the configuration. If the configuration is correct, send Ethernet frames from
the tester to test network performance.
[SwitchB] display loopback swap-mac information
Loopback type : local
Loopback state : running
Loopback test time(s) : 80
Loopback interface : Ethernet0/0/2
Loopback output interface : Ethernet0/0/1
Loopback source MAC : 0018-2000-0085
Loopback destination MAC : 0018-2000-0070
Loopback vlan : 100

Loopback inner vlan : 0

Loopback packets : 0
Drop packets : 3
----End
Configuration Files
#
sysname SwitchB
#
vlan batch 100
#
#
loopback local swap-mac source-mac 0018-2000-0085 dest-mac 0018-2000-0070
vlan 100 interface Ethernet0/0/1 timeout 80
#
return
9.3.2 Example for Configuring Remote MAC Swap Loopback
Eth0/0/1 on SwitchB connects to an Ethernet network. A remote MAC swap loopback test needs
to be performed to test connectivity and performance of the Ethernet network. The remote MAC
swap loopback test does not check performance of SwitchB.
Figure 9-11 Networking diagram of a remote MAC swap loopback test
Tester
Ethernet Eth0/0/1
Users
SwitchA SwitchB
1. Create a VLAN and add Eth0/0/1 to the VLAN.

2. Configure remote MAC swap loopback on SwitchB.
3. Enable the MAC swap loopback function on SwitchB to detect network connectivity and
network quality.

Procedure
Step 1 Create VLAN 100 on SwitchB, configure Eth0/0/1 as a trunk interface, and add Eth0/0/1 to
VLAN 100.
Step 2 Configure remote MAC swap loopback on Eth0/0/1 of SwitchB and enable the MAC swap
loopback function.
[SwitchB-Ethernet0/0/1] loopback remote swap-mac source-mac 0018-2000-0085 dest-
mac 018-2000-0070 vlan 100 timeout 80
[SwitchB-Ethernet0/0/1] loopback swap-mac start
# After completing the configuration, run the display loopback swap-mac information
command to verify the configuration. If the configuration is correct, send Ethernet frames from
the tester to test network performance.
[SwitchB] display loopback swap-mac information
Loopback type : remote
Loopback state : running
Loopback test time(s) : 80
Loopback interface : Ethernet0/0/1
Loopback output interface : Ethernet0/0/1
Loopback source MAC : 0018-2000-0085
Loopback destination MAC : 0018-2000-0070
Loopback vlan : 100
Loopback inner vlan : 0
Loopback packets : 0
----End
Configuration Files
#
sysname SwitchB
#
vlan batch 100
#
loopback remote swap-mac source-mac 0018-2000-0085 dest-mac 0018-2000-0070
vlan 100 timeout 80
#
return
9.4 Smart Link Configuration

The Smart Link is applicable to dual uplinks and scenarios in which STP is not used, improving
access reliability.

9.4.1 Example for Configuring Load Balancing on a Smart Link

Instance
As shown in Figure 9-12, the user-side network is connected to the MAN in dual-homing mode
to ensure network reliability. Multiple VLAN data flows exist on the network. To increase the
link use efficiency, the two uplinks both forward the data flows. The service interruption duration
is restricted to millisecond level.
Figure 9-12 Example for configuring load balancing between active and standby links of a Smart
Link group
Core
Network
SwitchB SwitchC
Eth0/0/2 Eth0/0/2
Eth0/0/1 Eth0/0/1
Smart Link group

Eth0/0/1 Eth0/0/2
SwitchA Active link
Inactive link
VLAN
100 500
1. Configure a Smart Link group on Switch A and add the corresponding interface to the Smart
Link group.
2. Map VLAN 100 and VLAN 500 to load balancing Instance 10.
3. Configure load balancing on Switch A and forward the data flows from VLANs mapped
to instance 10 through the backup link.
4. Enable revertive switching on Switch A to switch traffic to the original active link.
5. Enable the function of sending Flush packets on Switch A.
6. Enable the function of receiving Flush packets on Switch B and Switch C.
7. Enable Smart Link on Switch A.

Procedure
Step 1 Create VLANs on SwitchA, and configure interfaces to allow these VLANs.
[SwitchA-Ethernet0/0/1] port trunk allow-pass vlan 10 100 500
[SwitchA-Ethernet0/0/2] port trunk allow-pass vlan 10 100 500
not mentioned here.
Step 2 Configure VLAN mapping on SwitchA.
[SwitchA-mst-region] instance 10 vlan 100 500
Step 3 Disable STP on uplink interfaces, add the interfaces to the Smart Link group, and specify the
master and slave interfaces.
[SwitchA-Ethernet0/0/1] stp disable
[SwitchA] smart-link group 1
[SwitchA-smlk-group1] port ethernet 0/0/1 master
[SwitchA-smlk-group1] port ethernet 0/0/2 slave
Step 4 Configure load balancing on SwitchA.

[SwitchA-smlk-group1] load-balance instance 10 slave
Step 5 Enable revertive switching and set the WTR time.

[SwitchA-smlk-group1] restore enable
[SwitchA-smlk-group1] timer wtr 30
Step 6 Enable the function of sending Flush packets.

[SwitchA-smlk-group1] flush send control-vlan 10 password simple 123
Step 7 Enable the Smart Link on SwitchA.

[SwitchA-smlk-group1] smart-link enable
Step 8 Enable the function of receiving Flush packets.

[SwitchB-Ethernet0/0/1] smart-link flush receive control-vlan 10 password simple
123


123
[SwitchC-Ethernet0/0/1] smart-link flush receive control-vlan 10 password simple
123
[SwitchC-Ethernet0/0/2] smart-link flush receive control-vlan 10 password simple
123

# Run the display smart-link group command to view information about the Smart Link group
on SwitchA. If the following information is displayed, it indicates that the configuration is
successful.
l The Smart Link function is enabled.

l The WTR time is 30 seconds.
l The control VLAN ID is 10.
l Eth 0/0/1 is the active interface and is in Active state, and Eth 0/0/2 is the standby interface
and is in Inactive state. The load balancing function is configured.
<SwitchA> display smart-link group 1
Smart Link group 1 information :
Smart Link group was enabled
Wtr-time is: 30 sec.
Load-Balance Instance: 10
There is no protected-vlan reference-instance
DeviceID: 0018-2000-0083 Control-vlan ID: 10
Member Role State Flush Count Last-Flush-Time
------------------------------------------------------------------------
Ethernet0/0/1 Master Active 0 2009/01/05 10:33:46 UTC
+05:00
Ethernet0/0/2 Slave Inactive 0 0000/00/00 00:00:00 UTC
+05:00
# Run the shutdown command to shut down Eth 0/0/1, and you can find that Eth 0/0/1 is in
Inactive state and Eth 0/0/2 is in Active state.
[SwitchA-Ethernet0/0/1] display smart-link group 1
------------------------------------------------------------------------
Ethernet0/0/1 Master Inactive 0 2009/01/05 10:33:46 UTC
+05:00
Ethernet0/0/2 Slave Active 1 2009/01/05 10:34:46 UTC
+05:00
# Run the undo shutdown command to enable Eth 0/0/1 and wait for 30 seconds, and you can
find that Eth 0/0/1 is in Active state and Eth 0/0/2 is in Inactive state.
[SwitchA-Ethernet0/0/1] undo shutdown
[SwitchA-Ethernet0/0/1] display smart-link group 1


------------------------------------------------------------------------
+05:00
+05:00
----End
Configuration Files
#
sysname SwitchA
#
#
instance 10 vlan 100 500
#
port trunk allow-pass vlan 10 100 500
stp disable
#
stp disable
#
smart-link group 1
load-balance instance 10 slave
restore enable
smart-link enable
port Ethernet0/0/1 master
port Ethernet0/0/2 slave
timer wtr 30
flush send control-vlan 10 password simple 123
#
return

#
sysname SwitchB
#
#
smart-link flush receive control-vlan 10 password simple 123
#
#
return

#
sysname SwitchC
#


#
#
#
return
9.4.2 Example for Configuring the Integrated Application of

Monitor Link and Smart Link
As shown in Figure 9-13, SwitchC on the MAN is connected to user networks. It accesses the
backbone network through upstream devices SwitchA and SwitchB in dual-homing mode.
A monitoring mechanism is required to prevent service interruption caused by uplink faults.
When the uplink fails, the downlink rapidly detects the fault. Therefore, link switching is
performed in a timely manner, which shortens the interruption duration.

Figure 9-13 Example for configuring the integrated application of Smart Link and Monitor Link
IP/MPLS
core
network
Smart Link group

Eth0/0/1 Eth0/0/1
Eth0/0/2
Eth0/0/4
Monitor Link group Monitor Link group
Eth0/0/4
SwitchA
Eth0/0/3 Eth0/0/3 SwitchB
Smart Link group Eth0/0/1 Eth0/0/2
SwitchC
Active link
User1 User2
Inactive link
1. Configure a Smart Link group on SwitchA and SwitchC and add corresponding interfaces
to the Smart Link group.
2. Configure a Monitor Link group on SwitchA and set the Smart Link group as uplinks. Smart
Link and Monitor Link are used together. The Smart Link group improves the uplink
reliability in the Monitor Link group.
3. Configure a Monitor Link group on SwitchB to enable the Smart Link group on SwitchC
to rapidly detect uplink faults. The application scope of Smart Link functions is broadened.
4. Enable the function of sending Flush packets on SwitchA andSwitchC.
5. Enable the function of receiving Flush packets on SwitchA and SwitchB.
Procedure
Step 1 Configure the same control VLAN on SwitchA, SwitchB and SwitchC. Add the interfaces of
the Smart Link group or Monitor Link group to this VLAN.

The configuration procedure is not mentioned here. For details, see "VLAN Configuration" in
Configuration Guide—Ethernet.
Step 2 Create a Smart Link group.
[SwitchA-smlk-group1] quit
<SwitchC> system-view
[SwitchC] smart-link group 2
[SwitchC-smlk-group1] quit
Step 3 Add interfaces to the Smart Link group and specify the master and slave interfaces.
[SwitchA-smlk-group1] port ethernet 0/0/1 master
[SwitchA-smlk-group1] port ethernet 0/0/2 slave
[SwitchC-smlk-group2] port ethernet 0/0/1 master
[SwitchC-smlk-group2] port ethernet 0/0/2 slave

[SwitchA-smlk-group1] restore enable
[SwitchA-smlk-group1] timer wtr 30
[SwitchC-smlk-group2] restore enable
[SwitchC-smlk-group2] timer wtr 30
Step 5 Enable the function of sending or receiving Flush packets.

[SwitchA-smlk-group1] flush send control-vlan 10 password simple 123
[SwitchA-Ethernet0/0/3] smart-link flush receive control-vlan 10 password simple
123
[SwitchA-Ethernet0/0/4] smart-link flush receive control-vlan 10 password simple
123

<SwitchB> system-view
123
123
[SwitchC-smlk-group2] flush send control-vlan 10 password simple 123
Step 6 Enable the Smart Link function.

[SwitchA-smlk-group1] smart-link enable
[SwitchC-smlk-group2] smart-link enable
[SwitchC-smlk-group2] quit
Step 7 Create a Monitor Link group and add the uplink and downlink interfaces to the Monitor Link
group.
[SwitchA] monitor-link group 1
[SwitchA-mtlk-group1] smart-link group 1 uplink
[SwitchA-mtlk-group1] port ethernet 0/0/3 downlink 1
[SwitchB] monitor-link group 2
[SwitchB-mtlk-group2] port ethernet 0/0/1 uplink
[SwitchB-mtlk-group2] port ethernet 0/0/3 downlink 1
Step 8 Set the WTR time of a Monitor Link group.

[SwitchA-mtlk-group1] timer recover-time 10
[SwitchB-mtlk-group2] timer recover-time 10

<SwitchA> display smart-link group 1
There is no Load-Balance
------------------------------------------------------------------------
+05:00
+05:00

<SwitchA> display monitor-link group 1

Monitor Link group 1 information :
Recover-timer is 3 sec.
Member Role State Last-up-time Last-down-
time
Smart-link1 UpLk UP 0000/00/00 00:00:00 UTC+05:00 0000/00/00
00:00:00 UTC+05:00
Ethernet0/0/3 DwLk[1] UP 0000/00/00 00:00:00 UTC+05:00 0000/00/00
00:00:00 UTC+05:00
----End
Configuration Files
#
sysname SwitchA
#
vlan batch 10
#
stp disable
#
stp disable
#
#
#
smart-link group 1
restore enable
smart-link enable
timer wtr 30
#
monitor-link group 1
smart-link group 1 uplink
port Ethernet0/0/3 downlink 1
timer recover-time 10
#
return

#
sysname SwitchB
#
vlan batch 10
#
#


#
#
monitor-link group 2
port Ethernet0/0/1 uplink
port Ethernet0/0/3 downlink 1
timer recover-time 10
#
return

#
sysname SwitchC
#
vlan batch 10
#
stp disable
#
stp disable
#
smart-link group 2
restore enable
smart-link enable
timer wtr 30
#
return
9.4.3 Example for Configuring the Smart Link with the Function of
Notifying the VPLS Module of Detecting Link Switching
As shown in Figure 9-14, CE-A accesses the VPLS network using the Dot1q sub-interfaces of
PE-D and PE-C in dual-homing mode. The Smart Link protocol runs between two interfaces of
CE-A. Normally, only the active link transmits service data.
If the active link fails, Smart Link unblocks the blocked interface. Then, service data is
transmitted to the connected PE through this interface. After receiving Flush packets from CEs,
the PEs prompt the VPLS module to clear the forwarding entries of the local VSI and the devices
connected to the PEs to clear the forwarding entries of the VSI. In this case, the returning traffic
of CE-B can be switched to other links that work properly.

Figure 9-14 Networking Diagram for Connecting CEs to the VPLS in Dual-homing Mode
Through Smart Link
PE-D PE-E
Smart Link GE1/0/1.5
GE1/0/1.5
GE1/0/1
GE1/0/2 VPLS
User1 GE1/0/1 User2
GE1/0/2 GE1/0/2.5
GE1/0/2.5 CE-B
CE-A
PE-C PE-F
Active link
Inactive link
1. Configure a VPLS network.
2. Configure a Smart Link on CE-A and connect CE-A to the VPLS network using PE-C and
PE-D in dual-homing mode.
3. Enable revertive switching on CE-A and switch the traffic to the original active link when
the faulty link recovers.
4. Enable CE-A to send Flush packets.
5. Enable PE-C and PE-D to receive Flush packets and enable interfaces on PE-C and PE-D
to notify the VPLS module. In this manner, CE-B on the peer network can rapidly detect
change in the network to which CE-A is connected.
6. Enable the VPLS function on PEs.
Procedure
Step 1 Connect the Dot1q sub-interfaces to the VPLS network.
For details, see "QinQ Configuration" in Configuration Guide—Ethernet.
Step 2 Configure the VLAN on CE-A and add uplink interfaces to the VLAN.
The configuration procedure is not mentioned here. For details, see "VLAN Configuration" in
Configuration Guide—Ethernet.
Step 3 Disable STP on uplink interfaces, add the interfaces to the Smart Link group, and specify the
master and slave interfaces.
# Disable STP on interfaces.
[CE-A] interface gigabitethernet 1/0/1
[CE-A-GigabitEthernet1/0/1] stp disable
[CE-A-GigabitEthernet1/0/1] quit
[CE-A] interface gigabitethernet 1/0/2
[CE-A-GigabitEthernet1/0/2] stp disable
[CE-A-GigabitEthernet1/0/2] quit
# Configure the master and slave interfaces in the Smart Link group.

[CE-A] smart-link group 1

[CE-A-smlk-group1] port gigabitethernet 1/0/1 master
[CE-A-smlk-group1] port gigabitethernet 1/0/2 slave

[CE-A-smlk-group1] restore enable
[CE-A-smlk-group1] timer wtr 30
Step 5 Enable the function of sending Flush packets.

[CE-A-smlk-group1] flush send control-vlan 10 password simple 123
Step 6 Enable functions of the Smart Link group.

[CE-A-smlk-group1] smart-link enable
[CE-A-smlk-group1] quit
Step 7 Enable PE-C and PE-D to receive Flush packets and enable the interface to notify the VPLS
module when receiving Flush packets.
# Configure PE-C.
[PE-C] interface gigabitethernet 1/0/2
[PE-C-GigabitEthernet1/0/2] smart-link flush receive control-vlan 10 password
simple 123
[PE-C-GigabitEthernet1/0/2] smart-link vpls-notify enable
[PE-C-GigabitEthernet1/0/2] quit
[PE-C] interface gigabitethernet 1/0/1
[PE-C-GigabitEthernet1/0/1] smart-link flush receive control-vlan 10 password
simple 123
[PE-C-GigabitEthernet1/0/1] quit
# Configure PE-D.
[PE-D] interface gigabitethernet 1/0/1
[PE-D-GigabitEthernet1/0/1] smart-link flush receive control-vlan 10 password
simple 123
[PE-D-GigabitEthernet1/0/1] smart-link vpls-notify enable
[PE-D-GigabitEthernet1/0/1] quit
[PE-D] interface gigabitethernet 1/0/2
[PE-D-GigabitEthernet1/0/2] smart-link flush receive control-vlan 10 password
simple 123
[PE-D-GigabitEthernet1/0/2] quit
Step 8 Configure the VPLS network on PE-C, PE-D, PE-E, and PE-F.
The configuration procedure is not mentioned here. For details, see "VPLS Configuration" in
Configuration Guide—VPN.
# Run the display smart-link group command to view information about the Smart Link group
on CE-A. If the following information is displayed, it indicates that the configuration is
successful.
l The Smart Link function is enabled.
l The control VLAN ID is 10.
l GE 1/0/1 is the active interface and is in Active state, and GE 1/0/2 is the standby interface
and is in Inactive state.
<CE-A> display smart-link group 1


------------------------------------------------------------------------
GigabitEthernet1/0/1 Master Active 1 2009/01/05 10:33:46 UTC
+05:00
GigabitEthernet1/0/2 Slave Inactive 0 0000/00/00 00:00:00 UTC
+05:00
# Run the shutdown command to shut down GE 1/0/1, and you can find that GE 1/0/1 is in
Inactive state and GE 1/0/2 is in Active state.
[CE-A-GigabitEthernet1/0/1] shutdown
[CE-A-GigabitEthernet1/0/1] display smart-link group 1
------------------------------------------------------------------------
GigabitEthernet1/0/1 Master Inactive 1 2009/01/05 10:33:46 UTC
+05:00
GigabitEthernet1/0/2 Slave Active 1 2009/01/05 10:37:58 UTC
+05:00
# After a period of time, run the display mac-address command on CE-B to check MAC
addresses, and you can find that the outbound interface of CE-A is GE 1/0/2. This indicates that
the active/standby switchover on CE-A triggers the switching of returning links of CE-B.
----End
Configuration Files
NOTE
This instance describes only the Smart Link configuration. For VPLS configuration files, see "VPLS
Configuration" in Configuration Guide—VPN.
l Configuration file of CE-A
#
sysname CE-A
#
vlan batch 10
#
stp disable
#
stp disable
#
smart-link group 1
restore enable
smart-link enable
port GigabitEthernet1/0/1 master
port GigabitEthernet1/0/2 slave
timer wtr 30
#
return
l Configuration file of PE-C

#
sysname PE-C
#

vlan batch 10
#
smart-link vpls-notify enable
#
#
interface GigabitEthernet1/0/2.5
l2 binding vsi vsi1
#
return
l Configuration file of PE-D

#
sysname PE-D
#
vlan batch 10
#
smart-link vpls-notify enable
#
#
l2 binding vsi vsi1
#
return
9.5 Monitor Link Configuration

The Monitor Link configures downlink interfaces by monitoring uplink interfaces and transmits
fault information.
9.5.1 Example for Configuring the Integrated Application of

Monitor Link and Smart Link
See Example for Configuring the Integrated Application of Monitor Link and Smart Link
9.6 ERPS (G.8032) Configuration

Ethernet ring protection switching (ERPS) is a standard protocol issued by the ITU-T to prevent
loops on ring networks. ERPS features fast convergence speed, ensuring carrier-class reliability.
Huawei and non-Huawei devices on a ring network supporting ERPS can communicate with
each other.

9.6.1 Example for Configuring ERPS
As shown in Figure 9-15, a ring topology is used at the aggregation layer to improve network
reliability. Switches A to E form a ring network that implements service aggregation at Layer 2
and processes Layer 3 services. Devices on the ring network can be manufactured by different
vendors.
The ring network needs to run a protocol that prevents loops and supports rapid switchover. In
addition, devices of different vendors supporting this protocol must be compatible with each
other.
You can enable ERPS on the nodes of the ring network to prevent loops and support rapid
switchover. ERPS is a standard protocol issued by ITU-T and ensures communication between
devices of different vendors.
Packets belong to VLANs 100 through 200. To prevent loops on the ring network, configure
ERPS on devices. Packets sent from CE1 are forwarded through SwitchB and SwitchA. Packets
sent from CE2 are forwarded through SwitchC, SwitchB, and SwitchA. Packets sent from CE3
are forwarded through SwitchD and SwitchE.

Figure 9-15 ERPS single ring network
Network
NPE1 NPE2
GE0/0/2 SwitchE
SwitchA
GE0/0/1
GE0/0/1 GE0/0/2
GE0/0/2
GE0/0/1 ERPS SwitchD
SwitchB
GE0/0/1
GE0/0/2 RPL
GE0/0/1
GE0/0/2
RPL Owner CE3
CE1 SwitchC
VLAN100-
VLAN100- 200
200 CE2
VLAN100-
200
Blocked Port
Data Flow1
Data Flow2
Data Flow3
1. Configure the basic Layer 2 forwarding function on switches A to E.
2. Create an ERPS ring, and configure a control VLAN and protected instance. The control
VLAN is used to forward RAPS PDUs. The VLAN in which RAPS PDUs and data packets
are transmitted must be mapped to a protected instance so that ERPS forwards or blocks
these packets based on rules.
3. Add Layer 2 ports to the ERPS ring and configure GE0/0/2 of SwitchC as the RPL Owner
port. The port is blocked to prevent loops. When a link on the ring network fails, ERPS
unblocks the interface in a timely manner to perform protection switchover for links and
restore the communication between nodes.
4. Set the Guard timer and WTR timer for the ERPS ring based on the network requirements.

Procedure
Step 1 Create VLANs and add ports to VLANs on Switches A to E to implement Layer 2 forwarding.
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 to 200
# The configurations of SwitchB, SwitchC, SwitchD and SwitchE are similar to the configuration
of SwitchA, and are not mentioned here.
Step 2 Create an ERPS ring, configure VLAN 10 as the control VLAN to transmit RAPS PDUs, and
bind VLANs 100 through 200 to a protected instance.
[SwitchA] erps ring 1
[SwitchA-erps-ring1] control-vlan 10
[SwitchA-erps-ring1] protected-instance 1
[SwitchA-erps-ring1] quit
[SwitchA-mst-region] instance 1 vlan 10 100 to 200
Step 3 Disable STP on ports and add ports to the ERPS ring and configure GE0/0/2 of SwitchC as the
RPL Owner port.
[SwitchA-GigabitEthernet0/0/1] stp disable
[SwitchA-GigabitEthernet0/0/1] erps ring 1
[SwitchC-GigabitEthernet0/0/1] stp disable
[SwitchC-GigabitEthernet0/0/1] erps ring 1
[SwitchC-GigabitEthernet0/0/2] erps ring 1 rpl owner
# The configurations of SwitchB, SwitchD and SwitchE are similar to the configuration of

Step 4 Set the Guard timer and WTR timer for the ERPS ring.
[SwitchA-erps-ring1] wtr-timer 6
[SwitchA-erps-ring1] guard-timer 100
After completing the preceding configurations, perform the following operations to verify the
configuration. SwitchC is used as an example.
l Run the display erps ring 1 command to view brief information about the ERPS ring and
ports of SwitchC that have been added to the ring.
[SwitchC] display erps ring 1
D : Discarding
F : Forwarding
R : RPL Owner
Ring Control WTR Timer Guard Timer Port 1 Port 2
ID VLAN (min) (csec)
-------------------------------------------------------------------------------
-
1 10 6 100 (F)GE0/0/1 (D,R)GE0/0/2
-------------------------------------------------------------------------------
-
l Run the display erps ring 1 verbose command to view detailed information about the ERPS
ring and ports of SwitchC that have been added to the ring.
[SwitchC] display erps ring 1 verbose
Ring ID : 1
Description : Ring 1
Control Vlan : 10
Protected Instance : 1
WTR Timer Setting (min) : 6 Running (s) : 0
Guard Timer Setting (csec) : 100 Running (csec) : 0
Holdoff Timer Setting (deciseconds) : 0 Running (deciseconds) : 0
Ring State : Idle
RAPS_MEL : 7
Time since last topology change : 0 days 0h:33m:4s
-------------------------------------------------------------------------------
-
Port Port Role Port Status Signal Status
-------------------------------------------------------------------------------
-
GE0/0/1 Common Forwarding Non-failed
GE0/0/2 RPL Owner Discarding Non-failed
----End
Configuration Files
#
sysname SwitchA
#
vlan batch 10 100 to 200
#
instance 1 vlan 10 100 to 200
#

erps ring 1
control-vlan 10
protected-instance 1
wtr-timer 6
guard-timer 100
#
port trunk allow-pass vlan 10 100 to 200
stp disable
erps ring 1
#
stp disable
erps ring 1
#
return
#
sysname SwitchB
#
#
#
erps ring 1
control-vlan 10
wtr-timer 6
guard-timer 100
#
stp disable
erps ring 1
#
stp disable
erps ring 1
#
return
#
sysname SwitchC
#
#
#
erps ring 1
control-vlan 10
wtr-timer 6
guard-timer 100
#

stp disable
erps ring 1
#
stp disable
erps ring 1 rpl owner
#
return

#
sysname SwitchD
#
#
#
erps ring 1
control-vlan 10
wtr-timer 6
guard-timer 100
#
stp disable
erps ring 1
#
stp disable
erps ring 1
#
return

#
sysname SwitchE
#
#
#
erps ring 1
control-vlan 10
wtr-timer 6
guard-timer 100
#
stp disable
erps ring 1
#
stp disable
erps ring 1

#
return
9.6.2 Example for Configuring ERPS Multi-Instance
As shown in Figure 9-16, a ring topology is used at the aggregation layer to improve network
reliability. Switches A to E form a ring network that implements service aggregation at Layer 2
and processes Layer 3 services. Devices on the ring network can be manufactured by different
vendors.
The ring network needs to run a protocol that prevents loops and supports rapid switchover.
Devices of different vendors supporting this protocol must be compatible with each other. In
addition, customers hope that resources on links are fully used to transmit data.
You can enable ERPS on the nodes of the ring network to prevent loops and support rapid
switchover. ERPS is a standard protocol issued by ITU-T and ensures communication between
devices of different vendors. Huawei ERPS protocol also supports multi-instance allowing data
in VLANs to be forwarded along different paths.
User packets belonging to VLANs 100 through 200 and VLANs 300 through 400 are forwarded
to Layer 3 network over this ring network. To prevent loops on the ring network, configure ERPS
on devices. To fully using resources on links, customers require that packets belonging to
VLANs 100 through 200 be forwarded through SwitchC, SwitchB, and SwitchA, and packets
belonging to VLANs 300 through 400 be forwarded through SwitchC, SwitchD, and SwitchE.

Figure 9-16 ERPS multi-instance ring network
Network
NPE1 NPE2
GE0/0/2 SwitchE
SwitchA
GE0/0/1
GE0/0/1 GE0/0/2
GE0/0/2
GE0/0/1 ERPS SwitchD
SwitchB
GE0/0/1
GE0/0/2
GE0/0/1 GE0/0/2
SwitchC Ring1 Blocked Port
CE1 CE2 Ring2 Blocked Port

Data Flow1
Data Flow2
VLAN100-200 VLAN300-400
1. Configure the basic Layer 2 forwarding function on switches A to E.

2. Create ERPS ring 1, and configure a control VLAN and protected instance. VLANs 100
through 200 are bound to the protected instance.
3. Add Layer 2 ports connecting the Switches to ERPS ring 1 and configure GE0/0/2 of
SwitchC as the RPL Owner port. The port is blocked to prevent loops. Packets belonging
to VLANs 100 through 200 are forwarded through SwitchB and SwitchA in ERPS ring 1.
4. Set the Guard timer and WTR timer for ERPS ring 1 based on the network requirements.
5. Create ERPS ring 2, and configure a control VLAN and protected instance. A different
control VLAN must be configured for ERPS ring 2. VLANs 300 through 400 are bound to
the protected instance.
6. Add Layer 2 ports connecting the Switches to ERPS ring 2 and configure GE0/0/1 of
SwitchC as the RPL Owner port. The port is blocked to prevent loops. Packets belonging
to VLANs 300 through 400 are forwarded through SwitchD and SwitchE in ERPS ring 2.

In this way, packets belonging to VLANs 300 through 400 and VLANs 100 through 200
are forwarded along different paths.
7. Set the Guard timer and WTR timer for ERPS ring 2 based on the network requirements.
Procedure
Step 1 Create VLANs and add ports to VLANs on Switches A to E to implement Layer 2 forwarding.
[SwitchA] vlan batch 100 to 200 300 to 400
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 to 200 300 to 400
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 to 200 300 to 400
Step 2 Create ERPS ring 1, configure VLAN 10 as the control VLAN to transmit RAPS PDUs, and
Step 3 Disable STP on ports and add ports to ERPS ring 1 and configure GE0/0/2 of SwitchC as the
RPL Owner port.

Step 4 Set the Guard timer and WTR timer for ERPS ring 1.
Step 5 Create ERPS ring 2, configure VLAN 20 as the control VLAN to transmit RAPS PDUs, and
Step 6 Disable STP on ports and add ports to ERPS ring 2 and configure GE0/0/1 of SwitchC as the
RPL Owner port.
Step 7 Set the Guard timer and WTR timer for ERPS ring 2.


After completing the preceding configurations, perform the following operations to verify the
configuration. SwitchC is used as an example.
l Run the display erps ring 1 command to view brief information about ERPS ring 1 and ports
of SwitchC that have been added to the ring.
D : Discarding
F : Forwarding
R : RPL Owner
-------------------------------------------------------------------------------
-
1 10 6 100 (F)GE0/0/1 (D,R)GE0/0/2
-------------------------------------------------------------------------------
-
l Run the display erps ring 2 command to view brief information about ERPS ring 2 and ports
of SwitchC that have been added to the ring.
D : Discarding
F : Forwarding
R : RPL Owner
-------------------------------------------------------------------------------
-
2 20 6 100 (D,R)GE0/0/1 (F)GE0/0/2
-------------------------------------------------------------------------------
-
l Run the display erps ring 1 verbose command to view detailed information about ERPS
ring 1 and ports of SwitchC that have been added to the ring.
Ring ID : 1
Control Vlan : 10
Ring State : Idle
RAPS_MEL : 7
-------------------------------------------------------------------------------
-
-------------------------------------------------------------------------------
-
l Run the display erps ring 2 verbose command to view detailed information about ERPS
ring 2 and ports of SwitchC that have been added to the ring.
Ring ID : 2
Control Vlan : 20


Ring State : Idle
RAPS_MEL : 7
-------------------------------------------------------------------------------
-
-------------------------------------------------------------------------------
-
----End
Configuration Files
#
sysname SwitchA
#
vlan batch 10 20 100 to 200 300 to 400
#
#
erps ring 1
control-vlan 10
wtr-timer 6
guard-timer 100
erps ring 2
control-vlan 20
wtr-timer 6
guard-timer 100
#
port trunk allow-pass vlan 10 20 100 to 200 300 to 400
stp disable
erps ring 1
erps ring 2
#
stp disable
erps ring 1
erps ring 2
#
return

#
sysname SwitchB
#
vlan batch 10 20 100 to 200 300 to 400
#
#
erps ring 1

control-vlan 10
wtr-timer 6
guard-timer 100
erps ring 2
control-vlan 20
wtr-timer 6
guard-timer 100
#
stp disable
erps ring 1
erps ring 2
#
stp disable
erps ring 1
erps ring 2
#
return
#
sysname SwitchC
#
vlan batch 10 20 100 to 200 300 to 400
#
#
erps ring 1
control-vlan 10
wtr-timer 6
guard-timer 100
erps ring 2
control-vlan 20
wtr-timer 6
guard-timer 100
#
stp disable
erps ring 1
#
stp disable
erps ring 2
#
return
#
sysname SwitchD
#
vlan batch 10 20 100 to 200 300 to 400
#

#
erps ring 1
control-vlan 10
wtr-timer 6
guard-timer 100
erps ring 2
control-vlan 20
wtr-timer 6
guard-timer 100
#
stp disable
erps ring 1
erps ring 2
#
stp disable
erps ring 1
erps ring 2
#
return

#
sysname SwitchE
#
vlan batch 10 20 100 to 200 300 to 400
#
#
erps ring 1
control-vlan 10
wtr-timer 6
guard-timer 100
erps ring 2
control-vlan 20
wtr-timer 6
guard-timer 100
#
stp disable
erps ring 1
erps ring 2
#
stp disable
erps ring 1
erps ring 2
#
return

9.7 VRRP Configuration

The Virtual Router Redundancy Protocol (VRRP) is a fault-tolerant protocol. VRRP switches
services from the master device to the backup router when the next hop device of the master
device fails. This ensures nonstop service transmission and reliability.
9.7.1 Example for Configuring a VRRP Group in Active/Standby

Mode
As shown in Figure 9-17, HostA is dual-homed to SwitchA and SwitchB through the switch.
The requirements are as follows:
l The host uses SwitchA as the default gateway to connect to the Internet. When SwitchA
becomes faulty, SwitchB functions as the gateway. This implements gateway backup.
l After SwitchA recovers, it becomes the gateway within 20s.
Figure 9-17 Networking diagram for configuring a VRRP group

VRRP VRID 1
Virtual IP Address: SwitchA
10.1.1.111 Eth0/0/2 Master
Eth0/0/1
10.1.1.1/24 192.168.1.1/24
Eth0/0/5 Eth0/0/1
Eth0/0/1 192.168.1.2/24
Eth0/0/3
Switch SwitchC Internet
20.1.1.100/24
HostA Eth0/0/2 Eth0/0/2
Eth0/0/5 192.168.2.2/24
10.1.1.100/24
Eth0/0/1
Eth0/0/2
192.168.2.1/24
10.1.1.2/24 SwitchB
Backup
SwitchA Eth0/0/1 VLANIF 300 192.168.1.1/24
Eth0/0/2 VLANIF 100 10.1.1.1/24
SwitchB Eth0/0/1 VLANIF 200 192.168.2.1/24
Eth0/0/2 VLANIF 100 10.1.1.2/24
SwitchC Eth0/0/1 VLANIF 300 192.168.1.2/24
Eth0/0/2 VLANIF 200 192.168.2.2/24

Eth0/0/3 VLANIF 400 20.1.1.100/24
1. Assign an IP address to each interface and configure a routing protocol to ensure network
connectivity.
2. Configure a VRRP group on SwitchA and SwitchB, set a higher priority for SwitchA so
that SwitchA functions as the master to forward traffic and set the preemption delay to 20s
on SwitchA, and set a lower priority for SwitchB so that SwitchB functions as the backup.
3. Configure a loop prevention protocol (STP for example) on SwitchA, SwitchB and
Switch.
Procedure
Step 1 Configure devices to ensure network connectivity.
# Assign an IP address to each interface. SwitchA is used as an example. The configurations of

SwitchB and SwitchC are similar to the configuration of SwitchA, and are not mentioned here.
# Configure Layer 2 transparent transmission on the switch.

[Switch] vlan 100

# Configure OSPF between SwitchA, SwitchB, and SwitchC. SwitchA is used as an example.
[SwitchA] ospf 1
Step 2 Configure VRRP groups.

# Configure VRRP group 1 on SwitchA, and set the priority of SwitchA to 120 and the
preemption delay to 20s.
[SwitchA-Vlanif100] vrrp vrid 1 virtual-ip 10.1.1.111
[SwitchA-Vlanif100] vrrp vrid 1 priority 120
[SwitchA-Vlanif100] vrrp vrid 1 preempt-mode timer delay 20
# Configure VRRP group 1 on SwitchB. SwitchB uses default value 100.

[SwitchB-Vlanif100] vrrp vrid 1 virtual-ip 10.1.1.111
Step 3 Configure STP.

Enable STP globally on SwitchA, SwitchB and Switch.
# After the configuration is complete, run the display vrrp command on SwitchA and
SwitchB. You can see that SwitchA is in Master state and SwitchB is in Backup state.
<SwitchA> display vrrp
Vlanif100 | Virtual Router 1
State : Master
Virtual IP : 10.1.1.111
Master IP : 10.1.1.1
PriorityRun : 120
PriorityConfig : 120
MasterPriority : 120
Preempt : YES Delay Time : 20
TimerRun : 1
TimerConfig : 1
Auth type : NONE
Virtual MAC : 0000-5e00-0101
Check TTL : YES
Config type : normal-vrrp
Config track link-bfd down-number : 0
<SwitchB> display vrrp
State : Backup
Virtual IP : 10.1.1.111
PriorityRun : 100
TimerRun : 1
TimerConfig : 1
Auth type : NONE
Virtual MAC : 0000-5e00-0101
Check TTL : YES

# Run the display ip routing-table command on SwitchA and SwitchB. The command output
shows that a direct route to the virtual IP address exists in the routing table of SwitchA and an
OSPF route to the virtual IP address exists in the routing table of SwitchB. The command output
on SwitchA and SwitchB is as follows:
<SwitchA> display ip routing-table
------------------------------------------------------------------------------
10.1.1.0/24 Direct 0 0 D 10.1.1.1 Vlanif100

10.1.1.1/32 Direct 0 0 D 127.0.0.1 Vlanif100
10.1.1.111/32 Direct 0 0 D 127.0.0.1 Vlanif100
192.168.1.0/24 Direct 0 0 D 192.168.1.1 Vlanif300
192.168.1.1/32 Direct 0 0 D 127.0.0.1 Vlanif300
192.168.2.0/24 OSPF 10 2 D 10.1.1.2 Vlanif100
<SwitchB> display ip routing-table
------------------------------------------------------------------------------
10.1.1.0/24 Direct 0 0 D 10.1.1.2 Vlanif100

10.1.1.2/32 Direct 0 0 D 127.0.0.1 Vlanif100
10.1.1.111/32 OSPF 10 2 D 10.1.1.1 Vlanif100
192.168.1.0/24 OSPF 10 2 D 10.1.1.1 Vlanif100
OSPF 10 2 D 192.168.2.2 Vlanif200
192.168.2.0/24 Direct 0 0 D 192.168.2.1 Vlanif200
192.168.2.1/32 Direct 0 0 D 127.0.0.1 Vlanif200
# Run the shutdown command on Eth0/0/2 and Eth0/0/5 of SwitchA to simulate a link fault.
# Run the display vrrp command on SwitchB to view the VRRP status. The command output
shows that SwitchB is in Master state.
State : Master
Virtual IP : 10.1.1.111
PriorityRun : 100
TimerRun : 1
TimerConfig : 1
Auth type : NONE
Virtual MAC : 0000-5e00-0101
Check TTL : YES

# Run the undo shutdown command on Eth0/0/2 and Eth0/0/5 of SwitchA. After 20s, run the
display vrrp command on SwitchA to view the VRRP status. SwitchA restores to be in Master
state.
[SwitchA] display vrrp
State : Master
Virtual IP : 10.1.1.111
PriorityRun : 120
TimerRun : 1
TimerConfig : 1
Auth type : NONE
Virtual MAC : 0000-5e00-0101
Check TTL : YES
----End
Configuration Files
#
sysname SwitchA
#
vlan batch 100 300
#
stp enable
#
interface Vlanif100
ip address 10.1.1.1 255.255.255.0
vrrp vrid 1 virtual-ip 10.1.1.111
vrrp vrid 1 priority 120
vrrp vrid 1 preempt-mode timer delay 20
#
interface Vlanif300
ip address 192.168.1.1 255.255.255.0
#
#
#
#
ospf 1
area 0.0.0.0
network 10.1.1.0 0.0.0.255
network 192.168.1.0 0.0.0.255
#
return


#
sysname SwitchB
#
vlan batch 100 200
#
stp enable
#
interface Vlanif100
ip address 10.1.1.2 255.255.255.0
#
interface Vlanif200
ip address 192.168.2.1 255.255.255.0
#
#
#
#
ospf 1
area 0.0.0.0
network 10.1.1.0 0.0.0.255
network 192.168.2.0 0.0.0.255
#
return

#
sysname SwitchC
#
#
interface Vlanif200
ip address 192.168.2.2 255.255.255.0
#
interface Vlanif300
ip address 192.168.1.2 255.255.255.0
#
interface Vlanif400
ip address 20.1.1.100 255.255.255.0
#
#
#
#
ospf 1
area 0.0.0.0
network 20.1.1.0 0.0.0.255
network 192.168.1.0 0.0.0.255
network 192.168.2.0 0.0.0.255
#
return

l Configuration file of the switch

#
sysname Switch
#
vlan batch 100
#
stp enable
#
#
#
return
9.7.2 Example for Configuring a VRRP Group in Load Balancing

Mode
As shown in Figure 9-18, HostA and HostC are dual-homed to SwitchA and SwitchB through
the switch. Load balancing is required in this scenario. HostA uses SwitchA as the default
gateway to connect to the Internet, and SwitchB functions as the backup gateway. HostC uses
SwitchB as the default gateway to connect to the Internet, and SwitchA functions as the backup
gateway.
Figure 9-18 Networking diagram for configuring VRRP in load balancing mode
VRRP VRID 1 SwitchA
Virtual IP Address: VRID 1:Master
10.1.1.111 VRID 2:Backup
Eth0/0/1
HostA 192.168.1.1/24
10.1.1.100/24
Eth0/0/2 Eth0/0/1
Eth0/0/1 10.1.1.1/24 192.168.1.2/24
Switch Eth0/0/3 Internet
SwitchC 20.1.1.100/24
Eth0/0/2 Eth0/0/2 Eth0/0/2
10.1.1.2/24 192.168.2.2/24
HostC Eth0/0/1
10.1.1.101/24 192.168.2.1/24
SwitchB
VRID 1:Backup
VRRP VRID 2 VRID 2:Master
Virtual IP Address:
10.1.1.112

SwitchA Eth0/0/1 VLANIF 300 192.168.1.1/24
Eth0/0/2 VLANIF 100 10.1.1.1/24
SwitchB Eth0/0/1 VLANIF 200 192.168.2.1/24
Eth0/0/2 VLANIF 100 10.1.1.2/24
SwitchC Eth0/0/1 VLANIF 300 192.168.1.2/24
Eth0/0/2 VLANIF200 192.168.2.2/24
Eth0/0/3 VLANIF 400 20.1.1.100/24
connectivity.
2. Create VRRP groups 1 and 2 on SwitchA and SwitchB. In VRRP group 1, configure
SwitchA as the master and SwitchB as the backup. In VRRP group 2, configure SwitchB
as the master and SwitchA as the backup.
Procedure

[Switch] vlan 100

# Configure OSPF between SwitchA, SwitchB, and SwitchC. SwitchA is used as an example.
[SwitchA] ospf 1

# Configure VRRP group 1 on SwitchA and SwitchB, set the priority of SwitchA to 120 and the
preemption delay to 20s, and set the default priority for SwitchB.
# Configure VRRP group 2 on SwitchA and SwitchB, set the priority of SwitchB to 120 and the
preemption delay to 20s, and set the default priority for SwitchA.
[SwitchB-Vlanif100] vrrp vrid 2 priority 120
[SwitchB-Vlanif100] vrrp vrid 2 preempt-mode timer delay 20

# After the configuration is complete, run the display vrrp command on SwitchA. You can see
that SwitchA is the master in VRRP group 1 and the backup in VRRP group 2.
State : Master
Virtual IP : 10.1.1.111
PriorityRun : 120
TimerRun : 1
TimerConfig : 1
Auth type : NONE
Virtual MAC : 0000-5e00-0101
Check TTL : YES

State : Backup
Virtual IP : 10.1.1.112

PriorityRun : 100
TimerRun : 1
TimerConfig : 1
Auth type : NONE
Virtual MAC : 0000-5e00-0102
Check TTL : YES
# After the configuration is complete, run the display vrrp command on SwitchB. You can see
that SwitchB is the backup in VRRP group 1 and the master in VRRP group 2.
State : Backup
Virtual IP : 10.1.1.111
PriorityRun : 100
TimerRun : 1
TimerConfig : 1
Auth type : NONE
Virtual MAC : 0000-5e00-0101
Check TTL : YES

State : Master
Virtual IP : 10.1.1.112
PriorityRun : 120
TimerRun : 1
TimerConfig : 1
Auth type : NONE
Virtual MAC : 0000-5e00-0102
Check TTL : YES
----End
Configuration Files
#
sysname SwitchA
#
vlan batch 100 300
#
interface Vlanif100
ip address 10.1.1.1 255.255.255.0
#
interface Vlanif300
ip address 192.168.1.1 255.255.255.0

#
#
#
ospf 1
area 0.0.0.0
network 10.1.1.0 0.0.0.255
network 192.168.1.0 0.0.0.255
#
return
#
sysname SwitchB
#
vlan batch 100 200
#
interface Vlanif100
ip address 10.1.1.2 255.255.255.0
#
interface Vlanif200
ip address 192.168.2.1 255.255.255.0
#
#
#
ospf 1
area 0.0.0.0
network 10.1.1.0 0.0.0.255
network 192.168.2.0 0.0.0.255
#
return
#
sysname SwitchC
#
#
interface Vlanif200
ip address 192.168.2.2 255.255.255.0
#
interface Vlanif300
ip address 192.168.1.2 255.255.255.0
#
interface Vlanif400
ip address 20.1.1.100 255.255.255.0
#
#
#

#
ospf 1
area 0.0.0.0
network 20.1.1.0 0.0.0.255
network 192.168.1.0 0.0.0.255
network 192.168.2.0 0.0.0.255
#
return

#
sysname Switch
#
vlan batch 100
#
#
#
return
9.7.3 Example for Configuring Association Between VRRP and BFD

to Implement a Rapid Active/Standby Switchover
As shown in Figure 9-19, hosts on a LAN are dual-homed to SwitchA and SwitchB through the
switch. A VRRP group is established on SwitchA and SwitchB, and SwitchA is the master.
When SwitchA or the link between SwitchA and the switch is faulty, the switchover period is
within 1s. This reduces the impact of the fault on service transmission.
Figure 9-19 Association between VRRP and BFD to implement a rapid active/standby
switchover
VRRP VRID 1
Virtual IP Address:
10.1.1.3/24 Eth0/0/1
Master
VLANIF100 SwitchA
10.1.1.1/24
HostA
Eth0/0/1
Switch Internet
Eth0/0/2
HostB Eth0/0/1
VLANIF100 SwitchB
10.1.1.2/24 Backup BFD packets

connectivity.
2. Configure a VRRP group on SwitchA and SwitchB. SwitchA functions as the master, its
priority is 120, and the preemption delay is 20s. SwitchB functions as the backup and uses
the default priority.
3. Configure a static BFD session on SwitchA and SwitchB to monitor the link of the VRRP
group.
4. Association between VRRP and BFD is configured on SwitchB. When the link is faulty,
an active/standby switchover can be performed rapidly.
Procedure
# Assign an IP address to each interface. SwitchA is used as an example. The configuration of
SwitchB is similar to the configuration of SwitchA, and is not mentioned here.
[SwitchA] vlan 100

[Switch] vlan 100
# Configure OSPF between SwitchA and SwitchB. SwitchA is used as an example. The
configuration of SwitchB is similar to the configuration of SwitchA, and is not mentioned here.
[SwitchA] ospf 1

# Configure VRRP group 1 on SwitchA, and set the priority of SwitchA to 120 and the


# Configure VRRP group 1 on SwitchB. SwitchB uses default value 100.

Step 3 Configure a static BFD session.

[SwitchA] bfd
[SwitchA-bfd] quit
[SwitchA-bfd-session-atob] min-rx-interval 100
[SwitchA-bfd-session-atob] min-tx-interval 100
[SwitchB-bfd-session-atob] commit

[SwitchB] bfd
[SwitchB-bfd] quit
[SwitchB-bfd-session-btoa] min-rx-interval 100
[SwitchB-bfd-session-btoa] min-tx-interval 100
Run the display bfd session command on SwitchA and SwitchB. You can see that the BFD
session is Up. The display on SwitchA is used as an example.
<SwitchA> display bfd session all
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
1 2 10.1.1.2 Up S_IP_IF Vlanif100
--------------------------------------------------------------------------------
Step 4 Associate BFD with VRPP.

# Configure association between VRRP and BFD on SwitchB. When the BFD session becomes
Down, the priority of SwitchB increases by 40.
[SwitchB-Vlanif100] vrrp vrid 1 track bfd-session 2 increased 40

# After the configuration is complete, run the display vrrp command on SwitchA and SwitchB.
SwitchA is the master, SwitchB is the backup, and the associated BFD session is in Up state.
State : Master
Virtual IP : 10.1.1.3
PriorityRun : 120


TimerRun : 1
TimerConfig : 1
Auth type : NONE
Virtual MAC : 0000-5e00-0101
Check TTL : YES
State : Backup
PriorityRun : 100
TimerRun : 1
TimerConfig : 1
Auth type : NONE
Virtual MAC : 0000-5e00-0101
Check TTL : YES
Track BFD : 2 Priority increased : 40
BFD-Session State : UP
# Run the shutdown command on Eth0/0/1 of SwitchA to simulate a link fault. Then run the
display vrrp command on SwitchA and SwitchB. You can see that SwitchA is in Initialize state,
SwitchB becomes the master, and the associated BFD session becomes Down.

State : Initialize
Master IP : 0.0.0.0
PriorityRun : 120
MasterPriority : 0
TimerRun : 1
TimerConfig : 1
Auth type : NONE
Virtual MAC : 0000-5e00-0101
Check TTL : YES
State : Master
PriorityRun : 140
TimerRun : 1
TimerConfig : 1
Auth type : NONE
Virtual MAC : 0000-5e00-0101
Check TTL : YES

BFD-Session State : DOWN
# Run the undo shutdown command on Eth0/0/1 of SwitchA. After 20s, run the display vrrp
command on SwitchA and SwitchB. You can see that SwitchA restores to be the master,
SwitchB restores to be the backup, and the associated BFD session is in Up state.

State : Master
PriorityRun : 120
TimerRun : 1
TimerConfig : 1
Auth type : NONE
Virtual MAC : 0000-5e00-0101
Check TTL : YES
State : Backup
PriorityRun : 100
TimerRun : 1
TimerConfig : 1
Auth type : NONE
Virtual MAC : 0000-5e00-0101
Check TTL : YES
BFD-Session State : UP
----End
Configuration Files
#
sysname SwitchA
#
vlan batch 100
#
bfd
#
interface Vlanif100
ip address 10.1.1.1 255.255.255.0
#

#
min-tx-interval 100
min-rx-interval 100
commit
#
ospf 1
area 0.0.0.0
network 10.1.1.0 0.0.0.255
#
return

#
sysname SwitchB
#
vlan batch 100
#
bfd
#
interface Vlanif100
ip address 10.1.1.2 255.255.255.0
vrrp vrid 1 track bfd-session 2 increased 40
#
#
min-tx-interval 100
min-rx-interval 100
commit
#
ospf 1
area 0.0.0.0
network 10.1.1.0 0.0.0.255
#
return

#
sysname Switch
#
vlan batch 100
#
#
#
return
9.7.4 Example for Configuring a VRRP6 Group in Active/Standby

Mode

As shown in Figure 9-20, HostA is dual-homed to SwitchA and SwitchB through the switch on
the IPv6 network. The requirements are as follows:
l The host uses SwitchA as the default gateway to connect to the Internet. When SwitchA
becomes faulty, SwitchB functions as the gateway. This implements gateway backup.
l After SwitchA recovers, it becomes the gateway within 20s.
Figure 9-20 Networking diagram for a VRRP6 group in active/standby mode

VRRP6 VRID 1
2000::100/64 Master
Eth0/0/2 Eth0/0/1
2000::1/64 2002::1/64
Eth0/0/5
Eth0/0/1
Eth0/0/1 2002::2/64
SwitchC
Eth0/0/3
Switch Internet
2003::2/64
HostA Eth0/0/2 Eth0/0/2
Eth0/0/5 2001::2/64
2000::3/64
Eth0/0/1
Eth0/0/2 2001::1/64
2000::2/64 SwitchB
Backup
SwitchA Eth0/0/1 VLANIF 300 2002::1/64
Eth0/0/2 VLANIF 100 2000::1/64
SwitchB Eth0/0/1 VLANIF 200 2001::1/64
Eth0/0/2 VLANIF 100 2000::2/64
SwitchC Eth0/0/1 VLANIF 300 2002::2/64
Eth0/0/2 VLANIF 200 2001::2/64
Eth0/0/3 VLANIF 400 2003::2/64
connectivity.
2. Configure a VRRP6 group on SwitchA and SwitchB, set a higher priority for SwitchA so
that SwitchA functions as the master to forward traffic and set the preemption delay to 20s
on SwitchA, and set a lower priority for SwitchB so that SwitchB functions as the backup.

3. Configure a loop prevention protocol (STP for example) on SwitchA, SwitchB and
Switch.
Procedure

[SwitchA] ipv6

[Switch] vlan 100
# Configure OSPFv3 between SwitchA, SwitchB, and SwitchC. SwitchA is used as an example.
[SwitchA] ospfv3
[SwitchA-ospfv3-1] router-id 1.1.1.1
[SwitchA-ospfv3-1] quit
[SwitchA-Vlanif100] ospfv3 1 area 0
Step 2 Configure VRRP6 groups.

# Configure VRRP6 group 1 on SwitchA, and set the priority of SwitchA to 120 and the
[SwitchA-Vlanif100] vrrp6 vrid 1 virtual-ip FE80::1 link-local
[SwitchA-Vlanif100] vrrp6 vrid 1 virtual-ip 2000::100
[SwitchA-Vlanif100] vrrp6 vrid 1 priority 120
[SwitchA-Vlanif100] vrrp6 vrid 1 preempt-mode timer delay 20
# Configure VRRP6 group 1 on SwitchB. SwitchB uses default value 100.

[SwitchB-Vlanif100] vrrp6 vrid 1 virtual-ip FE80::1 link-local
[SwitchB-Vlanif100] vrrp6 vrid 1 virtual-ip 2000::100
Step 3 Configure STP.
Enable STP globally on SwitchA, SwitchB and Switch.
# After the configuration is complete, run the display vrrp6 command on SwitchA and
SwitchB. You can see that SwitchA is in Master state and SwitchB is in Backup state.
<SwitchA> display vrrp6
State : Master
Virtual IP : FE80::1
2000::100
Master IP : FE80::218:82FF:FED3:2AF3
PriorityRun : 120
TimerRun : 100
TimerConfig : 100
Virtual MAC : 0000-5e00-0201
Check hop limit : YES
<SwitchB> display vrrp6
State : Backup
2000::100
PriorityRun : 100
TimerRun : 100
TimerConfig : 100
Virtual MAC : 0000-5e00-0201
# Run the shutdown command on Eth0/0/2 and Eth0/0/5 of SwitchA to simulate a link fault.
Run the display vrrp6 command on SwitchA and SwitchB. You can see that SwitchA is in
Initialize state and SwitchB is in Master state.


[SwitchA] display vrrp6
State : Initialize
2000::100
Master IP : ::
PriorityRun : 120
MasterPriority : 0
TimerRun : 100
TimerConfig : 100
Virtual MAC : 0000-5e00-0201
State : Master
2000::100
Master IP : FE80::218:82FF:FE68:7455
PriorityRun : 100
TimerRun : 100
TimerConfig : 100
Virtual MAC : 0000-5e00-0201
# Run the undo shutdown command on Eth0/0/2 and Eth0/0/5 of SwitchA. After 20s, run the
display vrrp6 command on SwitchA and SwitchB. You can see that SwitchA is in Master state
and SwitchB is in Backup state.
[SwitchA] display vrrp6
State : Master
2000::100
PriorityRun : 120
TimerRun : 100
TimerConfig : 100
Virtual MAC : 0000-5e00-0201
State : Backup
2000::100
PriorityRun : 100

TimerRun : 100
TimerConfig : 100
Virtual MAC : 0000-5e00-0201
----End
Configuration Files
#
sysname SwitchA
#
ipv6
#
vlan batch 100 300
#
ospfv3 1
router-id 1.1.1.1
#
interface Vlanif100
ipv6 enable
vrrp6 vrid 1 virtual-ip FE80::1 link-local
vrrp6 vrid 1 virtual-ip 2000::100
vrrp6 vrid 1 priority 120
vrrp6 vrid 1 preempt-mode timer delay 20
#
interface Vlanif300
ipv6 enable
#
#
#
#
return
#
sysname SwitchB
#
ipv6
#
vlan batch 100 200
#
ospfv3 1
router-id 2.2.2.2
#
interface Vlanif100
ipv6 enable


#
interface Vlanif200
ipv6 enable
#
#
#
#
return
#
sysname SwitchC
#
#
ipv6
#
ospfv3 1
router-id 3.3.3.3
#
interface Vlanif200
ipv6 enable
#
interface Vlanif300
ipv6 enable
#
interface Vlanif400
ipv6 enable
#
#
#
#
return
#
sysname Switch
#
vlan batch 100

#
#
#
return
9.7.5 Example for Configuring a VRRP6 Group in Load Balancing

Mode
As shown in Figure 9-21, HostA and HostC are dual-homed to SwitchA and SwitchB through
the switch on the IPv6 network. Load balancing is required in this scenario. HostA uses
SwitchA as the default gateway to connect to the Internet, and SwitchB functions as the backup
gateway. HostC uses SwitchB as the default gateway to connect to the Internet, and SwitchA
functions as the backup gateway.
Figure 9-21 Networking diagram for a VRRP6 group in load balancing mode
VRRP6 VRID 1
2000::100/64 VRID 1:Master
VRID 2:Backup
HostA Eth0/0/1
2000::3/64 2002::1/64
Eth0/0/2 Eth0/0/1
Eth0/0/1 2000::1/64 2002::2/64
Switch SwitchC Eth0/0/3 Internet
2003::2/64
Eth0/0/2 Eth0/0/2 Eth0/0/2
2000::2/64 2001::2/64
HostC Eth0/0/1
2000::4/64 2001::1/64
SwitchB
VRID 1:Backup
VRID 2:Master
VRRP6 VRID 2
Virtual IP Address:
2000::60/64
SwitchA Eth0/0/1 VLANIF 300 2002::1/64
Eth0/0/2 VLANIF 100 2000::1/64
SwitchB Eth0/0/1 VLANIF 200 2001::1/64
Eth0/0/2 VLANIF 100 2000::2/64

SwitchC Eth0/0/1 VLANIF 300 2002::2/64
Eth0/0/2 VLANIF 200 2001::2/64
Eth0/0/3 VLANIF 400 2003::2/64
connectivity.
2. Create VRRP6 groups 1 and 2 on SwitchA and SwitchB. In VRRP6 group 1, configure
SwitchA as the master and SwitchB as the backup. In VRRP6 group 2, configure
SwitchB as the master and SwitchA as the backup.
Procedure

[SwitchA] ipv6

[Switch] vlan 100

# Configure OSPFv3 between SwitchA, SwitchB, and SwitchC. SwitchA is used as an example.
[SwitchA] ospfv3
[SwitchA-ospfv3-1] router-id 1.1.1.1
[SwitchA-ospfv3-1] quit
Step 2 Configure VRRP6 groups.

# Configure VRRP6 group 1 on SwitchA and SwitchB, set the priority of SwitchA to 120 and
the preemption delay to 20s, and set the default priority for SwitchB.
[SwitchA-Vlanif100] vrrp6 vrid 1 priority 120
[SwitchA-Vlanif100] vrrp6 vrid 1 preempt-mode timer delay 20
# Configure VRRP6 group 2 on SwitchA and SwitchB, set the priority of SwitchB to 120 and
the preemption delay to 20s, and set the default priority for SwitchA.
[SwitchB-Vlanif100] vrrp6 vrid 2 priority 120
[SwitchB-Vlanif100] vrrp6 vrid 2 preempt-mode timer delay 20

# After the configuration is complete, run the display vrrp6 command on SwitchA. You can
see that SwitchA is the master in VRRP6 group 1 and the backup in VRRP6 group 2.
<SwitchA> display vrrp6
State : Master
2000::100
PriorityRun : 120
TimerRun : 100
TimerConfig : 100
Virtual MAC : 0000-5e00-0201

State : Backup

2000::60
Master IP : FE80::218:82FF:FE68:7455
PriorityRun : 100
TimerRun : 100
TimerConfig : 100
Virtual MAC : 0000-5e00-0202
# After the configuration is complete, run the display vrrp6 command on SwitchB. You can
see that SwitchB is the backup in VRRP6 group 1 and the master in VRRP6 group 2.
State : Backup
2000::100
PriorityRun : 100
TimerRun : 100
TimerConfig : 100
Virtual MAC : 0000-5e00-0201

State : Master
2000::60
Master IP : FE80::218:82FF:FE68:7455
PriorityRun : 120
TimerRun : 100
TimerConfig : 100
Virtual MAC : 0000-5e00-0202
----End
Configuration Files
#
sysname SwitchA
#
ipv6
#
vlan batch 100 300
#
ospfv3 1
router-id 1.1.1.1
#
interface Vlanif100
ipv6 enable


#
interface Vlanif300
ipv6 enable
#
#
#
return
#
sysname SwitchB
#
ipv6
#
vlan batch 100 200
#
ospfv3 1
router-id 2.2.2.2
#
interface Vlanif100
ipv6 enable
#
interface Vlanif200
ipv6 enable
#
#
#
return
#
sysname SwitchC
#
#
ipv6

#
ospfv3 1
router-id 3.3.3.3
#
interface Vlanif200
ipv6 enable
#
interface Vlanif300
ipv6 enable
#
interface Vlanif400
ipv6 enable
#
#
#
#
return

#
sysname Switch
#
vlan batch 100
#
#
#
return
9.8 RRPP Configuration

Rapid Ring Protection Protocol (RRPP) prevents loops and implements fast convergence on ring
networks.
9.8.1 Example for Configuring a Single RRPP Ring with a Single

Instance
As shown in Figure 9-22, SwitchA, SwitchB, and SwitchC constitute a ring network. The
network is required to prevent loops when the ring is complete and implement fast convergence

to rapidly restore communication between nodes on the ring when the ring fails. You can enable
RRPP on SwitchA, SwitchB, and SwitchC to meet this requirement.
Figure 9-22 Networking diagram of a single RRPP ring
SwitchB
Eth0/0/2
Eth0/0/1 Eth0/0/1
Ring 1
Eth0/0/2 Eth0/0/2 SwitchC
Eth0/0/1
SwitchA
Primary interface
Secondary interface
1. Configure interfaces to be added to the RRPP domain on the devices so that data can pass
through the interfaces. Disable protocols that conflict with RRPP, such as STP.
2. Create an RRPP domain and its control VLAN.
3. Map data that needs to pass through the VLANs on the RRPP ring to Instance 1, including
data VLANs 100 to 300 and control VLANs 20 and 21 (VLAN 21 is the sub-control VLAN
generated by the device).
4. In the RRPP domain, configure a protected VLAN, create an RRPP ring and configure
SwitchA, SwitchB, and SwitchC as nodes on Ring 1 in Domain 1. Configure SwitchA as
the master node on Ring 1, and configure SwitchB and SwitchC as transit nodes on Ring
1.
5. Enable the RRPP ring and RRPP protocol on devices to make RRPP take effect.
NOTE
VLANs that are not mentioned in this example are considered nonexistent. However, interfaces on the device
join VLAN1 by default. You need to remove corresponding interfaces from VLAN1. The removing process is
not provided here.
Procedure
Step 1 Create an RRPP domain and its control VLAN.
# On SwitchA, the master node on Ring 1, create RRPP domain 1 and configure VLAN 20 as
the major control VLAN.
[SwitchA] rrpp domain 1
[SwitchA-rrpp-domain-region1] control-vlan 20
[SwitchA-rrpp-domain-region1] quit

# The configurations on SwitchB and SwitchC are similar to that on SwitchA and not mentioned
here. For details, see the configuration files.
Step 2 Map Instance 1 to control VLANs 20 and 21 and data VLANs 100 to 300. The VLAN creation
process is not provided here.
[SwitchA-mst-region] instance 1 vlan 20 21 100 to 300
Step 3 Configure the interfaces to be added to the RRPP ring as trunk interfaces, allow data VLANs
100 to 300 to pass through the interfaces, and disable STP on the interfaces.
Step 4 Specify a protected VLAN, and create and enable an RRPP ring.
# Configure the protected VLAN on SwitchA and configure SwitchA as the master node on
Ring 1 and specify the primary and secondary interfaces.
[SwitchA-rrpp-domain-region1] protected-vlan reference-instance 1
[SwitchA-rrpp-domain-region1] ring 1 node-mode master primary-port ethernet 0/0/1
secondary-port ethernet 0/0/2 level 0
[SwitchA-rrpp-domain-region1] ring 1 enable
# Configure the protected VLAN on SwitchB and configure SwitchB as a transit node on Ring
1 and specify the primary and secondary interfaces.
[SwitchB] rrpp domain 1
[SwitchB-rrpp-domain-region1] protected-vlan reference-instance 1
[SwitchB-rrpp-domain-region1] ring 1 node-mode transit primary-port ethernet 0/0/1
[SwitchB-rrpp-domain-region1] ring 1 enable
[SwitchB-rrpp-domain-region1] quit
# Configure the protected VLAN on SwitchC and configure SwitchC as a transit node on Ring
1 and specify the primary and secondary interfaces.
[SwitchC] rrpp domain 1
[SwitchC-rrpp-domain-region1] protected-vlan reference-instance 1
[SwitchC-rrpp-domain-region1] ring 1 node-mode transit primary-port ethernet 0/0/1
[SwitchC-rrpp-domain-region1] ring 1 enable
[SwitchC-rrpp-domain-region1] quit
Step 5 Enable RRPP.

After the RRPP ring configuration is complete, enable RRPP on each node of the ring to activate
the RRPP ring. The configuration procedure is as follows:
# Enable RRPP on SwitchA.

[SwitchA] rrpp enable
# Enable RRPP on SwitchB.

[SwitchB] rrpp enable
# Enable RRPP on SwitchC.

[SwitchC] rrpp enable
After the preceding configurations are complete and the network becomes stable, run the
following commands to verify the configuration. The display on Switch A is used as an example.
l Run the display rrpp brief command on SwitchA. The command output is as follows:
<SwitchA> display rrpp brief

Domain Index : 1

ID Level Mode Port Port
Enabled
-------------------------------------------------------------------------------
-
The command output shows that RRPP is enabled on SwitchA, the major control VLAN of
domain 1 is VLAN 20 and the sub-control VLAN is VLAN 21, and SwitchA is the master
node on Ring 1. The primary interface is Ethernet0/0/1 and the secondary interface is
Ethernet0/0/2.
l Run the display rrpp verbose domain command on SwitchA. The command output is as
follows:
S
# Display detailed information about SwitchA in domain 1.
<SwitchA> display rrpp verbose domain 1
Domain Index : 1
RRPP Ring : 1
Ring Level : 0
Node Mode : Master
Is Enabled : Enable Is Active : Yes

The command output shows that the RRPP ring is complete.
----End
Configuration Files
#
sysname SwitchA
#
#
rrpp enable
#
stp region-
configuration
instance 1 vlan 20 to 21 100 to
300
active region-
configuration
#
rrpp domain 1
control-vlan 20
ring 1 node-mode master primary-port Ethernet0/0/1 secondary-port
Ethernet0/0/2 level 0
ring 1 enable
#
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 20 to 21 100 to 300
stp disable
#
stp disable
#

#
sysname SwitchB
#
#
rrpp enable
#
stp region-
configuration
300
active region-
configuration
#
rrpp domain 1
control-vlan 20
ring 1 node-mode transit primary-port Ethernet0/0/1 secondary-port
ring 1 enable
#
stp disable

#
stp disable
#
return

#
sysname SwitchC
#
#
rrpp enable
#
stp region-
configuration
300
active region-
configuration
#
rrpp domain 1
control-vlan 20
ring 1 enable
#
stp disable
#
stp disable
#
return
9.8.2 Example for Configuring Intersecting RRPP Rings with a

Single Instance (RRPP Defined by the National Standard of China)
A metro Ethernet network uses two-layer rings: one is the aggregation layer between aggregation
devices PE-AGGs and the other is the access layer between PE-AGGs and UPEs.

Figure 9-23 Networking diagram of intersecting RRPP rings with a single instance
RRPP Domain
UPE1 PE-AGG2
Edge Master
Sub PE-AGG1
Ring 1
Master
Major P Core Net
Ring S
UPE Sub Block NPE
LANSwitch Ring 2
Assistant
PE-AGG3 PE-AGG：PE-Aggregation
Master NPE：Network Provider Edge
UPE：Underlayer Provider Edge
CE
As shown in Figure 9-23, the network is required to prevent loops when the ring is complete
and implement fast convergence to rapidly restore communication between nodes on the ring
when the ring fails. RRPP can meet this requirement. RRPP supports multiple rings. You can
configure the aggregation layer as the major ring and the access layer as the sub-ring, simplifying
the network configuration. To enable devices from different vendors to communicate with each
other on the network, you can use the RRPP version defined by the national standard of China.
As shown in Figure 9-24, SwitchB, SwitchA, SwitchD, and SwitchC map PE-AGG1, PE-
AGG2, PE-AGG3, and UPE1 in Figure 9-23 respectively. Figure 9-24 is used as an example
to describe how to configure intersecting RRPP rings with a single instance in the RRPP version
defined by national standard of China.
Figure 9-24 Networking diagram of intersecting RRPP rings with a single instance (RRPP
defined by the national standard of China)
SwitchA
GE1/0/3 GE1/0/1
SwitchC GE1/0/2 SwitchB

GE1/0/2 GE2/0/1
sub-ring major ring
GE1/0/1 GE2/0/2
GE1/0/2
GE1/0/3 GE1/0/1
SwitchD

3. Map the VLANs that needs to pass through the RRPP ring to Instance 1, including data
VLANs 2 to 9 and control VLANs 10 and 11 (VLAN 11 is the sub-control VLAN generated
by the device).
4. Configure the devices to use the RRPP version defined by the national standard of China.
5. Configure a protected VLAN and create an RRPP ring in the RRPP domain.
a. Configure Ring 1 (major ring) in RRPP Domain 1 on SwitchA, SwitchB, and
SwitchD.
b. Configure Ring 2 (sub-ring) in RRPP Domain 1 on SwitchA, SwitchC, and SwitchD.
c. Configure SwitchB as the master node on the major ring and configure SwitchA and
SwitchD as transit nodes on the major ring.
d. Configure SwitchC as the master node on the sub-ring and configure SwitchA and
SwitchD as edge transit nodes on the sub-ring.
NOTE
join VLAN1 by default. You need to remove corresponding interfaces from VLAN1.
Procedure
Step 1 Configure SwitchB as the master node on the major ring.
# Create data VLANs 2 to 9 on SwitchB.
Configure Instance 1, and map it to the data VLANs and control VLANs allowed by the RRPP
interface.
# Configure Domain 1 on SwitchB. Configure VLAN 10 as the major control VLAN and bind
Instance 1 to the protected VLAN in Domain 1.
[SwitchB-rrpp-domain-region1] control-vlan 10
# Disable STP on the interface to be added to the RRPP ring and configure the RRPP interface
as a trunk interface to allow data from VLANs 2 to 9 to pass through.
[SwitchB-GigabitEthernet2/0/1] port trunk allow-pass vlan 2 to 9
[SwitchB-GigabitEthernet2/0/1] stp disable
[SwitchB-GigabitEthernet2/0/2] port trunk allow-pass vlan 2 to 9
[SwitchB-GigabitEthernet2/0/2] stp disable
# Configure SwitchB to use the RRPP version defined by the national standard of China.
[SwitchB] rrpp work-mode gb

# Configure the primary interface and secondary interface on the master node of the major ring.
[SwitchB-rrpp-domain-region1] ring 1 node-mode master primary-port gigabitethernet
2/0/1 secondary-port gigabitethernet 2/0/2 level 0
Step 2 Configure SwitchC as the master node on the sub-ring.

# Create data VLANs 2 to 9 on SwitchC.
interface.
# Configure Domain 1 on SwitchC. Configure VLAN 10 as the major control VLAN and bind
[SwitchC-rrpp-domain-region1] control-vlan 10
[SwitchC-GigabitEthernet1/0/1] port trunk allow-pass vlan 2 to 9
[SwitchC-GigabitEthernet1/0/2] port trunk allow-pass vlan 2 to 9
# Configure SwitchC to use the RRPP version defined by the national standard of China.
[SwitchC] rrpp work-mode gb
# Configure the primary interface and secondary interface on the master node of the sub-ring.
[SwitchC-rrpp-domain-region1] ring 2 node-mode master primary-port gigabitethernet
Step 3 Configure SwitchA as the transit node on the major ring and the edge node on the sub-ring.
# Create data VLANs 2 to 9 on SwitchA.
interface.


# Configure Domain 1 on SwitchA. Then configure VLAN 10 as the major control VLAN and
bind Instance 1 to protected VLANs in Domain 1.
# Configure SwitchA to use the RRPP version defined by the national standard of China.
[SwitchA] rrpp work-mode gb
# Configure the primary interface and secondary interface on the transit node of the major ring.
[SwitchA-rrpp-domain-region1] ring 1 node-mode transit primary-port
gigabitethernet 1/0/2 secondary-port gigabitethernet 1/0/1 level 0
# Configure the edge interface of the edge transit node on the sub-ring.
[SwitchA-rrpp-domain-region1] ring 2 node-mode transit secondary-port
gigabitethernet 1/0/3
Step 4 Configure SwitchD as the transit node on the major ring and the edge node on the sub-ring.
# Create data VLANs 2 to 9 on SwitchD.

interface.

# On SwitchD, configure Domain 1. Configure VLAN 10 as the major control VLAN and bind
[SwitchD] rrpp domain 1
[SwitchD-rrpp-domain-region1] control-vlan 10
[SwitchD-rrpp-domain-region1] protected-vlan reference-instance 1
[SwitchD-rrpp-domain-region1] quit
as a trunk interface.
[SwitchD] interface gigabitethernet 1/0/1
[SwitchD-GigabitEthernet1/0/1] port link-type trunk
[SwitchD-GigabitEthernet1/0/1] port trunk allow-pass vlan 2 to 9
[SwitchD-GigabitEthernet1/0/1] stp disable
[SwitchD-GigabitEthernet1/0/1] quit
# Configure SwitchD to use the RRPP version defined by the national standard of China.
[SwitchD] rrpp work-mode gb
[SwitchD-rrpp-domain-region1] ring 1 node-mode transit primary-port
gigabitethernet 1/0/2 secondary-port gigabitethernet 1/0/1 level 0
[SwitchD-rrpp-domain-region1] ring 1 enable
# Configure the edge interface of the edge transit node on the sub-ring.
[SwitchD-rrpp-domain-region1] ring 2 node-mode transit secondary-port
gigabitethernet 1/0/3
Step 5 Enable RRPP.

the RRPP ring.
# The configurations on SwitchB, SwitchC, and SwitchD are similar to that on SwitchA and not
mentioned here. For details, see the configuration files.
following commands to verify the configuration.
l Run the display rrpp brief command on SwitchB. The command output is as follows:
<SwitchB> display rrpp brief

M - Master , T - Transit , EM - Edge Master, ET - Edge Transit

RRPP Working Mode: GB
Domain Index : 1

Ring Ring Node Primary Secondary/Edge Is
------------------------------------------------------------------------------
1 0 M GigabitEthernet2/0/1 GigabitEthernet2/0/2 Yes
The command output shows that RRPP is enabled on SwitchB. The major control VLAN is
VLAN 10, and the sub-control VLAN is VLAN 11; SwitchB is the master node on the major
ring, with GE2/0/1 as the primary interface and GE2/0/2 as the secondary interface.
l Run the display rrpp verbose domain command on SwitchB. The command output is as
follows:
<SwitchB> display rrpp verbose domain 1
Domain Index : 1
RRPP Ring : 1
Ring Level : 0
Node Mode : Master
Primary port : GigabitEthernet2/0/1 Port status: UP
Secondary port : GigabitEthernet2/0/2 Port status: BLOCKED
The command output shows that the ring is in Complete state, and the secondary interface
on the master node is blocked.
l Run the display rrpp brief command on SwitchC. The command output is as follows:
<SwitchC> display rrpp brief

Domain Index : 1
-------------------------------------------------------------------------
The command output shows that RRPP is enabled on SwitchC. The major control VLAN is
VLAN 10, and the sub-control VLAN is VLAN 11. SwitchC is the master node on the sub-
l Run the display rrpp verbose domain command on SwitchC. The command output is as
follows:
<SwitchC> display rrpp verbose domain 1
Domain Index : 1

RRPP Ring : 2
Ring Level : 1
Node Mode : Master
Secondary port: GigabitEthernet1/0/2 Port status: BLOCKED
You can find that the sub-ring is in Complete state, and the secondary interface of the master
node on the sub-ring is blocked.

Domain Index : 1
-------------------------------------------------------------------------
1 0 T GigabitEthernet1/0/2 GigabitEthernet1/0/1 Yes
2 1 ET GigabitEthernet1/0/2 GigabitEthernet1/0/3 Yes
The command output shows that RRPP is enabled on SwitchA. The major control VLAN is
VLAN 10, and the sub-control VLAN is VLAN 11. SwitchA is the master node on the major
SwitchA is also the edge transit node on the sub-ring, with GE1/0/3 as the edge interface.
follows:
Domain Index : 1
RRPP Ring : 1
Ring Level : 0
Node Mode : Transit
Ring State : Linkup
Secondary port: GigabitEthernet1/0/1 Port status: UP
RRPP Ring : 2
Ring Level : 1
Node Mode : Edge Transit
Ring State : Linkup
l Run the display rrpp brief command on SwitchD. The command output is as follows:
<SwitchD> display rrpp brief


Domain Index : 1
-------------------------------------------------------------------------
The command output shows that RRPP is enabled on SwitchD. The major control VLAN is
VLAN 10, and the sub-control VLAN is VLAN 11. SwitchD is the transit node on the major
SwitchD is also the edge transit node on the sub-ring, with GE1/0/3 as the edge interface.
l Run the display rrpp verbose domain command on SwitchD. The command output is as
follows:
<SwitchD> display rrpp verbose domain 1
Domain Index : 1
RRPP Ring : 1
Ring Level : 0
Node Mode : Transit
Ring State : Linkup
RRPP Ring :2
Ring Level :1
Node Mode :Edge Transit
Ring State :Linkup
Is Enabled :Enable Is Active : Yes
Primary port :GigabitEthernet1/0/2 Port status: UP
GigabitEthernet1/0/1 Port status: UP
----End
Configuration Files
#
sysname SwitchA
#
vlan batch 2 to 11
#
rrpp enable
rrpp working-mode GB
#
stp region-
configuration
instance 1 vlan 2 to
11
active region-
configuration
#

rrpp domain 1
control-vlan 10
ring 1 node-mode transit primary-port Gigabitethernet1/0/2 secondary-port
Gigabitethernet1/0/1 level 0
ring 1 enable
ring 2 node-mode transit secondary-port Gigabitethernet1/0/3
ring 2 enable
#
stp disable
#
stp disable
#
stp disable
#
return
#
sysname SwitchB
#
vlan batch 2 to 11
#
rrpp enable
#
stp region-
configuration
11
active region-
configuration
#
rrpp domain 1
control-vlan 10
ring 1 node-mode master primary-port Gigabitethernet2/0/1 secondary-port
Gigabitethernet2/0/2 level 0
ring 1 enable
#
stp disable
#
stp disable
#
return
#
sysname SwitchC
#

vlan batch 2 to 11
#
rrpp enable
#
stp region-
configuration
11
active region-
configuration
#
rrpp domain 1
control-vlan 10
ring 2 node-mode master primary-port GigabitEthernet1/0/1 secondary-port
GigabitEthernet1/0/2 level 1
ring 2 enable
#
stp disable
#
stp disable
#
return
#
sysname SwitchD
#
vlan batch 2 to 11
#
rrpp enable
#
stp region-
configuration
11
active region-
configuration
#
rrpp domain 1
control-vlan 10
ring 1 node-mode transit primary-port GigabitEthernet1/0/2 secondary-port
ring 1 enable
ring 2 node-mode transit secondary-port GigabitEthernet1/0/3
ring 2 enable
#
stp disable
#
stp disable
#

stp disable
#
return
9.8.3 Example for Configuring Intersecting RRPP Rings with a

Single Instance
A metro Ethernet network uses two-layer rings: one is the aggregation layer between aggregation
devices PE-AGGs and the other is the access layer between PE-AGGs and UPEs.
Figure 9-25 Networking diagram of intersecting RRPP rings with a single instance
RRPP Domain
UPE1 PE-AGG2
Edge Master
Sub PE-AGG1
Ring 1
Master
Major P Core Net
Ring S
UPE Sub Block NPE
LANSwitch Ring 2
Assistant
PE-AGG3 PE-AGG：PE-Aggregation
Master NPE：Network Provider Edge
CE
configure the aggregation layer as the major ring and the access layer as the sub-ring, simplifying
the network configuration.
As shown in Figure 9-26, SwitchB, SwitchA, SwitchD, and SwitchC map PE-AGG1, PE-
AGG2, PE-AGG3, and UPE1 in Figure 9-25 respectively. Figure 9-26 is used as an example
to describe how to configure intersecting RRPP rings with a single instance in the RRPP version
defined by Huawei.

Figure 9-26 Networking diagram of intersecting RRPP rings with a single instance (RRPP
defined by Huawei)
SwitchA
Eth0/0/3 Eth0/0/1
SwitchC Eth0/0/2 SwitchB

Eth0/0/2 Eth0/0/1
sub-ring major ring
Eth0/0/1 Eth0/0/2
Eth0/0/2
Eth0/0/3 Eth0/0/1
SwitchD
2. Map the VLANs that needs to pass through the RRPP ring to Instance 1, including data
VLANs 2 to 9 and control VLANs 10 and 11 (VLAN 11 is the sub-control VLAN generated
by the device).
4. Configure a protected VLAN and create an RRPP ring in the RRPP domain.
a. Configure Ring 1 (major ring) in Domain 1 on SwitchA, SwitchB, and SwitchD.
b. Configure Ring 2 (sub-ring) in Domain 1 on SwitchA, SwitchC, and SwitchD.
c. Configure SwitchB as the master node on the major ring and configure SwitchA and
SwitchD as transit nodes on the major ring.
d. Configure SwitchC as the master node on the sub-ring, configure SwitchA as the edge
node on the sub-ring, and configure SwitchD as the assistant edge node on the sub-
ring.
NOTE
Procedure
Step 1 Configure SwitchB as the master node on the major ring.
# Create data VLANs 2 to 9 on SwitchB.
Configure instance 1, and map it to the data VLANs and control VLANs allowed by the RRPP
interface.


# Configure Domain 1 on SwitchB. Configure VLAN 10 as the major control VLAN and bind
[SwitchB-rrpp-domain-region1] control-vlan 10
# Configure the RRPP interface as a trunk interface to allow data from VLANs 2 to 9 to pass
through and disable STP on the interface to be added to the RRPP ring.
# Configure the primary interface and secondary interface on the master node of the major ring.
[SwitchB-rrpp-domain-region1] ring 1 node-mode master primary-port ethernet 0/0/1
Step 2 Configure SwitchC as the master node on the sub-ring.

# Create data VLANs 2 to 9 on SwitchC.
interface.
# Configure Domain 1 on SwitchC. Configure VLAN 10 as the major control VLAN and bind
[SwitchC-rrpp-domain-region1] control-vlan 10


# Configure the primary interface and secondary interface on the master node of the sub-ring.
[SwitchC-rrpp-domain-region1] ring 2 node-mode master primary-port ethernet 0/0/1
Step 3 Configure SwitchA as the transit node on the major ring and the edge node on the sub-ring.
# Create data VLANs 2 to 9 on SwitchA.
interface.
# Configure Domain 1 on SwitchA. Configure VLAN 10 as the major control VLAN and bind
[SwitchA-rrpp-domain-region1] ring 1 node-mode transit primary-port ethernet 0/0/2
# Configure the common interface and edge interface on the edge node of the sub-ring.
[SwitchA-rrpp-domain-region1] ring 2 node-mode edge common-port ethernet 0/0/2
edge-port ethernet 0/0/3

Step 4 Configure SwitchD as the transit node on the major ring and the assistant edge node on the sub-
ring.
# Create data VLANs 2 to 9 on SwitchD.
interface.
# On SwitchD, configure Domain 1. Configure VLAN 10 as the major control VLAN and bind
[SwitchD-rrpp-domain-region1] control-vlan 10
[SwitchD-rrpp-domain-region1] protected-vlan reference-instance 1
# Disable STP on the interface to be added to the RRPP ring, configure the RRPP interface as
a trunk interface, and configure the interfaces to allow service packets of VLAN 2 to VLAN 9
to pass through.
[SwitchD-rrpp-domain-region1] ring 1 node-mode transit primary-port ethernet 0/0/2
# Configure the common interface and edge interface on the assistant edge node of the sub-ring.
[SwitchD-rrpp-domain-region1] ring 2 node-mode assistant-edge common-port ethernet
0/0/2 edge-port ethernet 0/0/3
Step 5 Enable RRPP.

the RRPP ring.

following commands to verify the configuration.
l Run the display rrpp brief command on SwitchB. The command output is as follows:
<SwitchB> display rrpp brief

Domain Index : 1

Enabled
-------------------------------------------------------------------------------
-
The command output shows that RRPP is enabled on SwitchB. The major control VLAN is
VLAN 10, and the sub-control VLAN is VLAN 11; SwitchB is the master node on the major
ring, with Eth0/0/1 as the primary interface and Eth0/0/2 as the secondary interface.
l Run the display rrpp verbose domain command on SwitchB. The command output is as
follows:
<SwitchB> display rrpp verbose domain 1
Domain Index : 1
RRPP Ring : 1
Ring Level : 0
Node Mode : Master
The command output shows that the ring is in Complete state, and the secondary interface
on the master node is blocked.
<SwitchC> display rrpp brief

Domain Index : 1



Enabled
-------------------------------------------------------------------------------
-
You can find that RRPP is enabled on SwitchC. The major control VLAN is VLAN 10, and
the sub-control VLAN is VLAN 11; SwitchC is the master node on the sub-ring, with
Eth0/0/1 as the primary interface and Eth0/0/2 as the secondary interface.
follows:
<SwitchC> display rrpp verbose domain 1
Domain Index : 1
RRPP Ring : 2
Ring Level : 1
Node Mode : Master
The command output shows that the sub-ring is in Complete state, and the secondary interface
on the master node of the sub-ring is blocked.

Domain Index : 1

Enabled
-------------------------------------------------------------------------------
-
1 0 T Ethernet0/0/2 Ethernet0/0/1 Yes
2 1 E Ethernet0/0/2 Ethernet0/0/3 Yes
The command output shows that RRPP is enabled on SwitchA. The major control VLAN is
VLAN 10, and the sub-control VLAN is VLAN 11. SwitchA is the transit node on the major
ring. The primary interface is Eth0/0/2 and the secondary interface is Eth0/0/1.
SwitchA is also the edge node on the sub-ring, with Eth0/0/2 as the common interface and
Eth0/0/3 as the edge interface.
follows:
Domain Index : 1


RRPP Ring : 1
Ring Level : 0
Node Mode : Transit
Ring State : Linkup
Secondary port: Ethernet0/0/1 Port status: UP
RRPP Ring : 2
Ring Level : 1
Node Mode : Edge
Ring State : Linkup
Common port : Ethernet0/0/2 Port status: UP
Edge port : Ethernet0/0/3 Port status: UP
l Run the display rrpp brief command on SwitchD. The command output is as follows:
<SwitchD> display rrpp brief

Domain Index : 1

Enabled
-------------------------------------------------------------------------------
-
2 1 A Ethernet0/0/2 Ethernet0/0/3 Yes
The command output shows that RRPP is enabled on SwitchD. The major control VLAN is
VLAN 10, and the sub-control VLAN is VLAN 11. SwitchD is the transit node on the major
ring, with Eth0/0/2 as the primary interface and Eth0/0/1 as the secondary interface.
SwitchD is also the assistant edge node on the sub-ring, with Eth0/0/2 as the common
interface and Eth0/0/3 as the edge interface.
l Run the display rrpp verbose domain command on SwitchD. The command output is as
follows:
<SwitchD> display rrpp verbose domain 1
Domain Index : 1
RRPP Ring : 1
Ring Level : 0
Node Mode : Transit
Ring State : Linkup
RRPP Ring : 2
Ring Level : 1

Node Mode : Assistant-edge

Ring State : Linkup
Common port : Ethernet0/0/2 Port status: UP
Edge port : Ethernet0/0/3 Port status: UP
----End
Configuration Files
#
sysname SwitchA
#
vlan batch 2 to 11
#
rrpp enable
#
stp region-
configuration
active region-
configuration
#
rrpp domain 1
control-vlan 10
ring 1 enable
ring 2 node-mode edge common-port Ethernet0/0/2 edge-port Ethernet0/0/3
ring 2 enable
#
stp disable
#
stp disable
#
stp disable
#
return

#
sysname SwitchB
#
vlan batch 2 to 11
#
rrpp enable
#
stp region-
configuration
active region-
configuration
#
rrpp domain 1

control-vlan 10
ring 1 enable
#
stp disable
#
stp disable
#
return
#
sysname SwitchC
#
vlan batch 2 to 11
#
rrpp enable
#
stp region-
configuration
active region-
configuration
#
rrpp domain 1
control-vlan 10
ring 2 enable
#
stp disable
#
stp disable
#
return
#
sysname SwitchD
#
vlan batch 2 to 11
#
rrpp enable
#
stp region-
configuration
active region-
configuration
#
rrpp domain 1

control-vlan 10
ring 1 enable
ring 2 node-mode assistant-edge common-port Ethernet0/0/2 edge-port
Ethernet0/0/3
ring 2 enable
#
stp disable
#
stp disable
#
stp disable
#
return
9.8.4 Example for Configuring Tangent RRPP Rings
A metro Ethernet network uses two-layer rings:
l One layer is the aggregation layer between aggregation devices PE-AGGs, such as RRPP
Domain 1 in Figure 9-27.
l The other layer is the access layer between PE-AGGs and UPEs, such as RRPP Domain 2
and RRPP Domain 3 in Figure 9-27.

Figure 9-27 Tangent RRPP rings
Master
UPE1
UPE2 PE-AGG3
RRPP Transit 1
Domain2
Master
PE-AGG1
UPE RRPP P IP/MPLS
Domain1 Core
UPE S
UPE Block NPE
RRPP Transit 2
Domain3
PE-AGG2
Master PE-AGG：PE-Aggregation
UPE NPE：Network Provider Edge
UMG：Universal Media Gateway
DSLAM：Digital Subscriber Line Access Multiplexer
LANSwitch CE DSLAM UMG
configure the aggregation layer and access layer as RRPP rings and the two rings are tangent,
simplifying the network configuration.
As shown in Figure 9-28, SwitchE, SwitchD, SwitchC, SwitchA, and SwitchB map PE-AGG1,
PE-AGG2, PE-AGG3, UPE 1, and UPE 2 in Figure 9-27 respectively. Figure 9-28 is used as
an example to describe how to configure tangent RRPP rings with a single instance.
Figure 9-28 Networking diagram of tangent RRPP rings
Domain 2 Domain 1
SwtichA Eth0/0/2 Eth0/0/1 SwtichE
Eth0/0/1 Eth0/0/3 Eth0/0/2 Eth0/0/2
Ring 2 SwtichC Ring 1

Eth0/0/4 Eth0/0/1
Eth0/0/2 Eth0/0/1
SwtichB Eth0/0/1 Eth0/0/2 SwtichD

1. Create different RRPP domains and control VLANs to configure an RRPP ring.
2. Map the VLANs that need to pass through Ring 1 to Instance 1, including data VLANs and
control VLANs to configure protected VLANs.
Map the VLANs that need to pass through Ring 2 to Instance 2, including data VLANs and
control VLANs to configure protected VLANs.
3. Configure timers for different RRPP domains.
NOTE
You can configure two timers for tangent points because two tangent rings locate in different domains.
5. Configure protected VLANs and create RRPP rings in RRPP domains.
a. Configure Ring 2 in Domain 2 on SwitchA, SwitchB, and SwitchC.
b. Configure Ring 1 in Domain 1 on SwitchC, SwitchD, and SwitchE.
c. Configure SwitchA as the master node on Ring 2, and configure SwitchB and
SwitchC as transit nodes on Ring 2.
d. Configure SwitchE as the master node on Ring 1, and configure SwitchC and
SwitchD as transit nodes on Ring 1.
NOTE
Procedure
Step 1 Configure instance 2, and map it to the data VLANs and control VLANs allowed by the RRPP
interface.
# The configurations on SwitchB, SwitchC, SwitchD, and SwitchE are similar to that on
SwitchA and not mentioned here. For details, see the configuration files.
Step 2 Create RRPP domains and configure control VLANs and protected VLANs in the domains.
# Configure Domain 1 on SwitchE, which is the master node on Ring 1. Configure VLAN 10
as the major control VLAN in Domain 1, and bind Instance 1 to protected VLANs.
[SwitchE] rrpp domain 1
[SwitchE-rrpp-domain-region1] control-vlan 10
[SwitchE-rrpp-domain-region1] protected-vlan reference-instance 1
[SwitchE-rrpp-domain-region1] quit

Step 3 Set the timers of RRPP domains.
# Set the timers for SwitchE, the master node on Ring 1.
[SwitchE-rrpp-domain-region1] timer hello-timer 2 fail-timer 7
# Set the timers for SwitchD, the transit node on Ring 1.

[SwitchD-rrpp-domain-region1] timer hello-timer 2 fail-timer 7
# Set the timers for SwitchC, the transit node on Ring 1.

[SwitchC-rrpp-domain-region1] timer hello-timer 2 fail-timer 7
# Set the timers for SwitchA, the master node on Ring 2.

[SwitchA-rrpp-domain-region2] timer hello-timer 3 fail-timer 10
# Set the timers for SwitchB, the transit node on Ring 2.

[SwitchB-rrpp-domain-region2] timer hello-timer 3 fail-timer 10
# Set the timers for SwitchC, the transit node on Ring 2.

[SwitchC-rrpp-domain-region2] timer hello-timer 3 fail-timer 10
Step 4 Disable STP on the interfaces to be added to the RRPP rings.

# Disable STP on the interfaces to be added to the RRPP ring on SwitchA.
Step 5 Create and enable RRPP rings.
Configure nodes on Ring 2. The configuration procedure is as follows:
# Configure SwitchA as the master node on Ring 2 and specify the primary and secondary
interfaces.
[SwitchA-rrpp-domain-region2] ring 2 node-mode master primary-port ethernet 0/0/1
# Configure SwitchB as a transit node on Ring 2 (major ring) and specify the primary and
secondary interfaces.
[SwitchB-rrpp-domain-region2] ring 2 node-mode transit primary-port ethernet 0/0/1


# Configure SwitchC as a transit node on Ring 2 and specify the primary and secondary
interfaces.
Configure nodes on Ring 1. The configuration procedure is as follows:

# Configure SwitchE as the master node on Ring 1 (major ring) and specify the primary and
secondary interfaces.
[SwitchE-rrpp-domain-region1] ring 1 node-mode master primary-port ethernet 0/0/1
[SwitchE-rrpp-domain-region1] ring 1 enable
[SwitchE-rrpp-domain-region1] quit
# Configure SwitchC as a transit node on Ring 1 and specify the primary and secondary
interfaces.
# Configure SwitchD as a transit node on Ring 1 and specify the primary and secondary
interfaces.
[SwitchD-rrpp-domain-region1] ring 1 node-mode transit primary-port ethernet 0/0/1
Step 6 Enable RRPP.

perform the following operations to verify the configuration. The tangent point SwitchC is used
as an example.
[SwitchC] display rrpp brief



Domain Index : 1
Enabled
-------------------------------------------------------------------------------
-
Domain Index : 2
Enabled
-------------------------------------------------------------------------------
-
The command output shows that RRPP is enabled on SwitchC. In Domain 1, the major control
VLAN is VLAN 10, and the sub-control VLAN is VLAN 11. SwitchC is the transit node on
the major ring, with Ethernet0/0/1 as the primary interface and Ethernet0/0/2 as the secondary
interface.
In Domain 2, the major control VLAN is VLAN 20, and the sub-control VLAN is VLAN
21. SwitchC is a transit node on Ring 2. Ethernet0/0/3 is the primary interface and
Ethernet0/0/4 is the secondary interface.
follows:
# Display detailed information about Domain 1 on SwitchC.
[SwitchC] display rrpp verbose domain 1
Domain Index : 1
RRPP Ring : 1
Ring Level : 0
Node Mode : Transit
Ring State : Linkup
Secondary port : Ethernet0/0/2 Port status: UP
# Display detailed information about Domain 2 on SwitchC.

[SwitchC] display rrpp verbose domain 2
Domain Index : 2
Hello Timer : 3 sec(default is 1 sec) Fail Timer : 10 sec(default is 6
sec)
RRPP Ring : 2
Ring Level : 0
Node Mode : Transit
Ring State : Linkup


----End
Configuration Files
#
sysname SwitchA
#
vlan batch 20 to 21
#
rrpp enable
#
stp region-
configuration
21
#
rrpp domain 2
control-vlan 20
timer hello-timer 3 fail-timer 10
ring 2 enable
#
undo port hybrid vlan 1
stp disable
#
stp disable
#

#
sysname SwitchB
#
vlan batch 20 to 21
#
rrpp enable
#
stp region-
configuration
21
#
rrpp domain 2
control-vlan 20
ring 2 enable
#
stp disable
#


stp disable
#
return
#
#
sysname SwitchC
#
#
rrpp enable
#
stp region-
configuration
21
#
rrpp domain 1
control-vlan 10
ring 1 enable
#
rrpp domain 2
control-vlan 20
ring 2 enable
#
stp disable
#
pport hybrid tagged vlan 10 to 11
stp disable
#
stp disable
#
stp disable
#
return
#
sysname SwitchD
#
vlan batch 10 to 11
#
rrpp enable
#
stp region-
configuration

11
#
rrpp domain 1
control-vlan 10
ring 1 enable
#
stp disable
#
stp disable
#
return
#
sysname SwitchE
#
vlan batch 10 to 11
#
rrpp enable
#
stp region-
configuration
11
#
rrpp domain 1
control-vlan 10
ring 1 enable
#
stp disable
#
stp disable
#
return
9.8.5 Example for Configuring a Single RRPP Ring with Multiple

Instances
As shown in Figure 9-29, on a ring network, idle links are required to forward data. In this way,
data in different VLANs are forwarded along different paths, improving network efficiency and
implementing load balancing.

Figure 9-29 Networking diagram of single RRPP ring with multiple instances
UPE B
Eth0/0/1 Eth0/0/2
CE 1
VLAN 100-300
PE-AGG
Eth0/0/1 Ring Eth0/0/1
Master 1 Backbone
UPEA 1
network
Master 2
Eth0/0/2 Eth0/0/2
CE 2
VLAN 100-300
Domain 1 ring 1
Eth0/0/2 Eth0/0/1
Domain 2 ring 1
UPEC
Table 9-1 shows the mapping between protected VLANs and instances in Domain 1 and Domain
2.
Table 9-1 Mapping between the protected VLAN and instance
Domain Control VLAN ID Data VLAN ID Instance ID

ID
Domain 1 VLANs 5 and 6 VLANs 100 to 200 Instance 1
Table 9-2 shows the master node on each ring and the primary and secondary interfaces on each
master node.
Table 9-2 Master node and its primary and secondary interfaces
Ring ID Master Node Primary Port Secondary Port
Ring 1 in Domain 1 PE-AGG Eth0/0/1 Eth0/0/2
Ring 1 in Domain 2 PE-AGG Eth0/0/2 Eth0/0/1
1. Create different RRPP domains and control VLANs.

2. Map the VLANs that need to pass through Ring 1 in Domain 1 to Instance 1, including data
VLANs and control VLANs.
Map the VLANs that need to pass through Ring 1 in Domain 2 to Instance 2, including data
VLANs and control VLANs.
a. Add UPEA, UPEB, UPEC, and PE-AGG to Ring 1 in Domain 1. Configure PE-AGG
as the master node on Ring 1 in Domain 1 and configure UPEA, UPEB, and UPEC
as transit nodes.
b. Add UPEA, UPEB, UPEC, and PE-AGG to Ring 1 in Domain 2. Configure PE-AGG
as the master node on Ring 1 in Domain 2 and configure UPEA, UPEB, and UPEC
as transit nodes.
NOTE
Procedure
Step 1 Create instances.
# Create data VLANs 100 to 300 on UPEA.
[Quidway] sysname UPEA
[UPEA] vlan batch 100 to 300
# Create Instance 1, and map the control VLANs 5 and 6 and data VLANs 100 to 200 in Domain
1 to Instance 1.
[UPEA] stp region-configuration
[UPEA-mst-region] instance 1 vlan 5 6 100 to 200
# Create Instance 2, and map the control VLANs 10 and 11 and data VLANs 201 to 300 in
Domain 2 to Instance 2.
# Activate the configuration.

[UPEA-mst-region] active region-configuration
[UPEA-mst-region] quit
# The configurations on UPEB, UPEC, and PE-AGG are similar to that on UPEA and not
Step 2 Configure the interfaces to be added into the RRPP rings.
# Configure the RRPP interface as a trunk interface to allow data from VLANs 100 to 300 to
pass through and disable STP on the interface to be added to the RRPP ring.
[UPEA] interface ethernet 0/0/1
[UPEA-Ethernet0/0/1] port link-type trunk
[UPEA-Ethernet0/0/1] port trunk allow-pass vlan 100 to 300
[UPEA-Ethernet0/0/1] stp disable
[UPEA-Ethernet0/0/1] quit


Step 3 Create RRPP domains and configure protected VLANs and control VLANs.
# Configure the VLANs mapped to Instance 1 as the protected VLANs in Domain 1, and VLAN
5 as the control VLAN.
[UPEA] rrpp domain 1
[UPEA-rrpp-domain-region1] protected-vlan reference-instance 1
[UPEA-rrpp-domain-region1] control-vlan 5
[UPEA-rrpp-domain-region1] quit
Step 4 Create RRPP rings.
# Configure UPEA as a transit node on Ring 1 in Domain 1 and specify primary and secondary
interfaces on UPEA.
[UPEA-rrpp-domain-region1] ring 1 node-mode transit primary-port ethernet 0/0/1
[UPEA-rrpp-domain-region1] ring 1 enable
interfaces on UPEA.
# Configure UPEB as a transit node on Ring 1 in Domain 1 and specify primary and secondary
interfaces on UPEB.
[UPEB] rrpp domain 1
[UPEB-rrpp-domain-region1] ring 1 node-mode transit primary-port ethernet 0/0/1
[UPEB-rrpp-domain-region1] ring 1 enable
[UPEB-rrpp-domain-region1] quit
interfaces on UPEB.

# Configure UPEC as a transit node on Ring 1 in Domain 1 and specify primary and secondary
interfaces on UPEC.
[UPEC] rrpp domain 1
[UPEC-rrpp-domain-region1] ring 1 node-mode transit primary-port ethernet 0/0/1
[UPEC-rrpp-domain-region1] ring 1 enable
[UPEC-rrpp-domain-region1] quit
interfaces on UPEC.
# Configure PE-AGG as the master node on Ring 1 in Domain 1, with Eth0/0/1 as the primary
interface and Eth0/0/2 as the secondary interface.
[PE-AGG] rrpp domain 1
[PE-AGG-rrpp-domain-region1] ring 1 node-mode master primary-port ethernet 0/0/1
[PE-AGG-rrpp-domain-region1] ring 1 enable
[PE-AGG-rrpp-domain-region1] quit
Step 5 Enable RRPP.

l Configure UPEA.
# Enable RRPP.
[UPEA] rrpp enable
l Configure UPEB, UPEC, and PE-AGG.

following commands to verify the configuration. UPEA and PE-AGG are used as examples.
l Run the display rrpp brief command on UPEA. The command output is as follows:
[UPEA] display rrpp brief


Domain Index : 1

--------------------------------------------------------------------------------
Domain Index : 2

--------------------------------------------------------------------------------
The command output shows that RRPP is enabled on UPEA.
In Domain 1, the major control VLAN is VLAN 5 and the protected VLANs are VLANs mapping
Instance 1. UPEA is a transit node on Ring 1. Ethernet0/0/1 is the primary interface and
Ethernet0/0/2 is the secondary interface.
In Domain 2, the major control VLAN is VLAN 10 and the protected VLANs are VLANs
mapping Instance 2. UPEA is a transit node on Ring 1. Ethernet0/0/1 is the primary interface
and Ethernet0/0/2 is the secondary interface.
l Run the display rrpp brief command on PE-AGG. The command output is as follows:
[PE-AGG] display rrpp brief

Domain Index : 1

--------------------------------------------------------------------------------
Domain Index : 2
Protected VLAN: Reference Instance 2

--------------------------------------------------------------------------------
The command output shows that RRPP is enabled on PE-AGG.
In Domain 1, the major control VLAN is VLAN 5, the protected VLAN is the VLAN mapped
to Instance 1, and the master node on Ring 1 is PE-AGG. Ethernet0/0/1 is the primary interface

to Instance 2, and the master node on Ring 1 is PE-AGG. Ethernet0/0/2 is the primary interface
# Check detailed information about UPEA in Domain 1. Run the display rrpp verbose
domain command on UPEA. The command output is as follows:
[UPEA] display rrpp verbose domain 1
Domain Index : 1
RRPP Ring : 1
Ring Level : 0
Node Mode : Transit
Ring State : LinkUp
The command output shows that the control VLAN in Domain 1 is VLAN 5, and the protected
VLANs are the VLANs mapping Instance 1. UPEA is a transit node in Domain 1 and is in
LinkUp state.
# Check detailed information about UPEA in Domain 2.
Domain Index : 2
RRPP Ring : 1
Ring Level : 0
Node Mode : Transit
Ring State : LinkUp
The command output shows that, in Domain 2, the control VLAN is VLAN 10 and the protected
VLAN is the VLAN mapped to Instance 2. UPEA is a transit node in Domain 2 and is in LinkUp
state.
# Run the display rrpp verbose domain command on PE-AGG. The command output is as
follows:
# Check detailed information about PE-AGG in Domain 1.
[PE-AGG] display rrpp verbose domain 1
Domain Index : 1
RRPP Ring : 1
Ring Level : 0
Node Mode : Master
Secondary port: Ethernet0/0/2 Port status: BLOCKED
VLANs are the VLANs mapping Instance 1.

PE-AGG is the master node in Domain 1 and is in Complete state.

The primary interface is Ethernet0/0/1 and the secondary interface is Ethernet0/0/2.
Domain Index : 2
RRPP Ring : 1
Ring Level : 0
Node Mode : Master
The command output shows that, in Domain 2, the control VLAN is VLAN 10, and the protected
VLAN is the VLAN mapped to Instance 2.
----End
Configuration Files
l Configuration file of UPEA
#
sysname UPEA
#
vlan batch 5 to 6 10 to 11 100 to 300
#
rrpp enable
#
instance 1 vlan 5 to 6 100 to 200
#
rrpp domain 1
control-vlan 5
ring 1 node-mode transit primary-port Ethernet0/0/1 secondary-port Ethernet0/0/2
level 0
ring 1 enable
rrpp domain 2
control-vlan 10
level 0
ring 1 enable
#
port trunk allow-pass vlan 5 to 6 10 to 11 100 to 300
stp disable
#

stp disable
#
return
l Configuration file of UPEB
#
sysname UPEB
#
#
rrpp enable
#
#
rrpp domain 1
control-vlan 5
level 0
ring 1 enable
rrpp domain 2
control-vlan 10
level 0
ring 1 enable
#
stp disable
#
stp disable
#
return
l Configuration file of UPEC
#
sysname UPEC
#
#
rrpp enable
#
#
rrpp domain 1
control-vlan 5
level 0
ring 1 enable
rrpp domain 2
control-vlan 10
level 0
ring 1 enable
#

stp disable
#
stp disable
#
return
l Configuration file of PE-AGG

#
sysname PE-AGG
#
#
rrpp enable
#
#
rrpp domain 1
control-vlan 5
ring 1 node-mode master primary-port Ethernet0/0/1 secondary-port Ethernet0/0/2
level 0
ring 1 enable
rrpp domain 2
control-vlan 10
level 0
ring 1 enable
#
stp disable
#
stp disable
#
return
9.8.6 Example for Configuring Intersecting RRPP Rings with

Multiple Instances (RRPP Defined by the National Standard of
China)
implementing load balancing. To enable devices from different vendors to communicate with

each other on the network, you can use the RRPP version defined by the national standard of
China.
Figure 9-30 Networking diagram of intersecting RRPP rings with multiple instances
Backbone
network
GE1/0/0 GE2/0/0
PE-AGG
Master 1
GE2/0/0 Master 2 GE1/0/0
UPEA Domain 1 ring 1 UPED
GE1/0/0 Domain 2 ring 1 GE2/0/0
GE2/0/0 Edge Transit Edge Transit

GE1/0/0
UPEB GE1/0/0 UPEC
GE2/0/0
GE3/0/0 GE3/0/1
GE3/0/1 GE3/0/0
Domain 2 ring 2 Domain 2 ring 3

GE1/0/0 GE2/0/0
Master 1 Master 1
Master 2 GE2/0/0 GE1/0/0 Master 2
CE 1 Domain 1 ring 2 Domain 1 ring 3
CE 2
VLAN 100-300 VLAN 100-300
Domain 1
Domain 2
2.

Domain ID Control VLAN Data VLAN Instance ID
master node.

Ring ID Master Node Primary Port Secondary Port Ring Type
Ring 1 in PE-AGG GE1/0/0 GE2/0/0 Major ring

Domain 1
Ring 1 in PE-AGG GE2/0/0 GE1/0/0 Major ring

Domain 2
Ring 2 in CE1 GE1/0/0 GE2/0/0 Sub-ring

Domain 1

Domain 2

Domain 1

Domain 2
Table 9-5 shows the edge transit nodes and edge nodes on the sub-rings.
Table 9-5 Edge transit nodes and edge nodes on the sub-rings
Ring ID Edge-Transit Edge Port Edge-Transit Edge Port
Node Node
Ring 2 in UPEB GE3/0/0 UPEC GE3/0/0

Domain 1

Domain 1

Domain 2

Domain 2
2. Map the VLANs that need to pass through Domain 1 to Instance 1, including data VLANs
and control VLANs.
Map the VLANs that need to pass through Domain 2 to Instance 2, including data VLANs
and control VLANs.

4. Configure the devices to use the RRPP version defined by the national standard of China.
a. Add UPEA, UPEB, UPEC, UPED, and PE-AGG to Ring 1 in Domain 1 and Ring 1
in Domain 2.
b. Add CE1, UPEB, and UPEC to Ring 2 in Domain 1 and Ring 2 in Domain 2.
c. Add CE2, UPEB, and UPEC to Ring 3 in Domain 1 and Ring 3 in Domain 2.
d. Configure PE-AGG as the master node and configure UPEA, UPEB, UPEC, and
UPED as transit nodes on Ring 1 in Domain 1 and Ring 1 in Domain 2.
e. Configure CE1 as the master node and configure UPEB and UPEC as transit nodes
on Ring 2 in Domain 1 and Ring 2 in Domain 2.
f. Configure CE2 as the master node and configure UPEB and UPEC as transit nodes
on Ring 3 in Domain 1 and Ring 3 in Domain 2.
6. To prevent topology flapping, set the LinkUp timer on the master nodes.
NOTE
Procedure
l Configure CE1.
# Create data VLANs 100 to 300 on CE1.

[CE1] vlan batch 100 to 300
1 to Instance 1.
[CE1] stp region-configuration
[CE1-mst-region] instance 1 vlan 5 6 100 to 200

[CE1-mst-region] active region-configuration
[CE1-mst-region] quit
l Configure CE2, UPEA, UPEB, UPEC, UPED, and PE-AGG.
# The configurations on CE2, UPEA, UPEB, UPEC, UPED, and PE-AGG are similar to that on
CE1 and not mentioned here. For details, see the configuration files.

l Configure CE1.

# Disable STP on the interfaces to be added to the RRPP ring on CE1. Configure the interfaces
to allow data from VLANs 100 to 300 to pass through.
[CE1] interface gigabitethernet 1/0/0
[CE1-GigabitEthernet1/0/0] port link-type trunk
[CE1-GigabitEthernet1/0/0] port trunk allow-pass vlan 100 to 300
[CE1-GigabitEthernet1/0/0] stp disable
[CE1-GigabitEthernet1/0/0] quit
[CE1-GigabitEthernet2/0/0] stp disable

l Configure CE1.
# Configure the VLANs mapping Instance 1 as protected VLANs in Domain 1, and configure
VLAN 5 as the control VLAN.
[CE1] rrpp working-mode gb
[CE1] rrpp domain 1
[CE1-rrpp-domain-region1] protected-vlan reference-instance 1
[CE1-rrpp-domain-region1] control-vlan 5
[CE1-rrpp-domain-region1] quit
# Configure the VLANs mapping Instance 2 as protected VLANs in Domain 2, and configure
[CE1] rrpp domain 2

l Configure CE1.
# Configure CE1 as the master node on Ring 2 in Domain 1. Configure GE1/0/0 as the primary
interface and GE2/0/0 as the secondary interface.
[CE1] rrpp domain 1
[CE1-rrpp-domain-region1] ring 2 node-mode master primary-port gigabitethernet
[CE1-rrpp-domain-region1] ring 2 enable
[CE1] rrpp domain 2
l Configure CE2.

[CE2] rrpp domain 1
[CE2] rrpp domain 2
l Configure UPEA.
interfaces on UPEA.
[UPEA-rrpp-domain-region1] ring 1 node-mode transit primary-port gigabitethernet
interfaces on UPEA.
[UPEA-rrpp-domain-region2] ring 1 node-mode transit primary-port gigabitethernet
l Configure UPEB.
interfaces on UPEB.
[UPEB-rrpp-domain-region1] ring 1 node-mode transit primary-port gigabitethernet
interfaces on UPEB.
[UPEB-rrpp-domain-region2] ring 1 node-mode transit primary-port gigabitethernet
# Configure UPEB as an edge transit node on Ring 2 in Domain 1 and configure GE3/0/0 as the
edge interface.
[UPEB-rrpp-domain-region1] ring 2 node-mode transit secondary-port gigabitethernet
3/0/0
edge interface.


3/0/0
edge interface.
3/0/1
edge interface.
3/0/1
l Configure UPEC.
interfaces on UPEC.
[UPEC-rrpp-domain-region1] ring 1 node-mode transit primary-port gigabitethernet
interfaces on UPEC.
[UPEC-rrpp-domain-region2] ring 1 node-mode transit primary-port gigabitethernet
# Configure UPEC as an edge transit node on Ring 2 in Domain 1 and configure GE3/0/0 as the
edge interface.
[UPEC-rrpp-domain-region1] ring 2 node-mode transit secondary-port gigabitethernet
3/0/0
edge interface.
3/0/0
edge interface.
3/0/1


edge interface.
3/0/1
l Configure UPED.
# Configure UPED as a transit node on Ring 1 in Domain 1 and specify primary and secondary
interfaces on UPED.
[UPED] rrpp domain 1
[UPED-rrpp-domain-region1] ring 1 node-mode transit primary-port gigabitethernet
[UPED-rrpp-domain-region1] ring 1 enable
[UPED-rrpp-domain-region1] quit
# Configure UPED as a transit node of Ring 1 in Domain 2 and specify primary and secondary
interfaces on UPED.
[UPED-rrpp-domain-region2] ring 1 node-mode transit primary-port gigabitethernet
l Configure PE-AGG.
# Configure PE-AGG as the master node on Ring 1 in Domain 1, with GE1/0/0 as the primary
[PE-AGG-rrpp-domain-region1] ring 1 node-mode master primary-port gigabitethernet
# Configure PE-AGG as the master node on Ring 1 in Domain 2, with GE2/0/0 as the primary
[PE-AGG-rrpp-domain-region2] ring 1 node-mode master primary-port gigabitethernet
Step 5 Enable RRPP.
l Configure CE1.
# Enable RRPP.
[CE1] rrpp enable

Step 6 Set the LinkUp timer.

l Configure CE1.
# Set the LinkUp timer to 1 second.

[CE1] rrpp linkup-delay-timer 1
l Configure CE2.

l Configure PE-AGG.

[PE-AGG] rrpp linkup-delay-timer 1
following commands to verify the configuration. UPEB and PE-AGG are used as examples.
l Run the display rrpp brief command on UPEB. The command output is as follows:
[UPEB] display rrpp brief

Domain Index : 1
----------------------------------------------------------------------------
Domain Index : 2
----------------------------------------------------------------------------
The command output shows that RRPP is enabled on UPEB.
In Domain 1:
The major control VLAN is VLAN 5, and the protected VLANs are the VLANs mapped to
Instance 1.

UPEB is a transit node on Ring 1. GigabitEthernet1/0/0 is the primary interface and GE2/0/0 is
the secondary interface.
UPEB is an edge transit node on Ring 2. The edge interface is GigabitEthernet3/0/0.
In Domain 2:
Instance 2.
UPEB is a transit node on Ring 1. GigabitEthernet1/0/0 is the primary interface and
GigabitEthernet2/0/0 is the secondary interface.
l Run the display rrpp brief command on PE-AGG. The command output is as follows:
[PE-AGG]display rrpp brief

Domain Index : 1
---------------------------------------------------------------------------
Domain Index : 2
---------------------------------------------------------------------------
The command output shows that RRPP is enabled on PE-AGG, and the LinkUp timer is 1 second.
to Instance 1, and the master node on Ring 1 is PE-AGG. GigabitEthernet1/0/0 is the primary
interface and GigabitEthernet2/0/0 is the secondary interface.
to Instance 2, and the master node on Ring 1 is PE-AGG. GigabitEthernet2/0/0 is the primary
interface and GigabitEthernet1/0/0 is the secondary interface.
l Run the display rrpp verbose domain command on UPEB. The command output is as
follows:
# Check detailed information about UPEB in Domain 1.
[UPEB] display rrpp verbose domain 1
Domain Index : 1


RRPP Ring : 1
Ring Level : 0
Node Mode : Transit
Ring State : LinkUp
Secondary port : GigabitEthernet2/0/0 Port status: UP
RRPP Ring :
2
Ring Level :
1
Node Mode :
Edge Transit
Ring State :
LinkUp
Is Enabled :
Enable Is Active: Yes
Primary port :
RRPP Ring :
3
Ring Level :
1
Node Mode :
Edge Transit
Ring State :
LinkUp
Is Enabled :
Primary port :
UPEB is a transit node on Ring 1 in Domain 1 and is in LinkUp state.
UPEB is a transit node on Ring 2 in Domain 1 and is in LinkUp state. GE3/0/0 is the edge
interface.
UPEB is an edge transit node of Ring 3 in Domain 1 and is in LinkUp state. GE3/0/1 is the edge
interface.

Domain Index : 2
RRPP Ring : 1
Ring Level : 0
Node Mode : Transit
Ring State : LinkUp
RRPP Ring :
2
Ring Level :
1
Node Mode :
Edge Transit
Ring State :
LinkUp
Is Enabled :
Primary port :
RRPP Ring : 3
Ring Level : 1

Node Mode :
Edge Transit
Ring State :
LinkUp
Is Enabled :
Primary port :
UPEB is a transit node in Domain 2 and is in LinkUp state.
UPEB is a transit node on Ring 2 in Domain 2 and is in LinkUp state. GE3/0/0 is the edge
interface.
UPEB is an edge transit node of Ring 3 in Domain 2 and is in LinkUp state. GE3/0/1 is the edge
interface.
l Run the display rrpp verbose domain command on PE-AGG. The command output is as
follows:
Domain Index : 1
RRPP Ring : 1
Ring Level : 0
Node Mode : Master
GigabitEthernet1/0/0 is the primary interface and GigabitEthernet2/0/0 is the secondary
interface.
Domain Index : 2
RRPP Ring : 1
Ring Level : 0
Node Mode : Master

GigabitEthernet2/0/0 is the primary interface and GigabitEthernet1/0/0 is the secondary

interface.
----End
Configuration Files
#
sysname CE1
#
#
rrpp enable
rrpp linkup-delay-timer 1
#
#
rrpp domain 1
control-vlan 5
ring 2 enable
rrpp domain 2
control-vlan 10
ring 2 enable
#
port trunk allow-pass vlan 6 11 100 to 300
stp disable
#
stp disable
#
return

#
sysname CE2
#
#
rrpp enable
#
#
rrpp domain 1

control-vlan 5
ring 3 enable
rrpp domain 2
control-vlan 10
ring 3 enable
#
stp disable
#
stp disable
#
Return
#
sysname UPEA
#
#
rrpp enable
#
#
rrpp domain 1
control-vlan 5
ring 1 enable
rrpp domain 2
control-vlan 10
ring 1 enable
#
stp disable
#
stp disable
#
return
#
sysname UPEB

#
#
rrpp enable
#
#
rrpp domain 1
control-vlan 5
ring 1 enable
ring 2 enable
ring 3 enable
rrpp domain 2
control-vlan 10
ring 1 enable
ring 2 enable
ring 3 enable
#
stp disable
#
stp disable
#
stp disable
#
stp disable
#
return
#
sysname UPEC
#
#
rrpp enable
#

#
rrpp domain 1
control-vlan 5
ring 1 enable
ring 2 enable
ring 3 enable
rrpp domain 2
control-vlan 10
ring 1 enable
ring 2 enable
ring 3 enable
#
stp disable
#
stp disable
#
stp disable
#
stp disable
#
Return
l Configuration file of UPED
#
sysname UPED
#
#
rrpp enable
#
#
rrpp domain 1
control-vlan 5
ring 1 enable
rrpp domain 2

control-vlan 10
ring 1 enable
#
stp disable
#
stp disable
#
return

#
sysname PE-AGG
#
#
rrpp enable
#
#
rrpp domain 1
control-vlan 5
ring 1 enable
rrpp domain 2
control-vlan 10
ring 1 enable
#
stp disable
#
stp disable
#
return
9.8.7 Example for Configuring Intersecting RRPP Rings with

Multiple Instances

Figure 9-31 Networking diagram of intersecting RRPP rings with multiple instances
Backbone
network
Eth0/0/1 Eth0/0/2
PE-AGG
Master 1
Eth0/0/1 Master 2 Eth0/0/1
UPEA Domain 1 ring 1 UPED
Eth0/0/2 Domain 2 ring 1 Eth0/0/2
Eth0/0/2 Edge Transit Edge Transit

Eth0/0/1
UPEB Eth0/0/1 UPEC
Eth0/0/2
Eth0/0/3 Eth0/0/3
Eth0/0/4 Eth0/0/4

Eth0/0/1 Eth0/0/2
Master 1 Master 1
Master 2 Eth0/0/2 Eth0/0/1 Master 2
CE 1 Domain 1 ring 2 Domain 1 ring 3
CE 2
VLAN 100-300 VLAN 100-300
Domain 1
Domain 2
2.
Domain ID Control VLAN ID Data VLAN ID Instance ID

master node.
Ring ID Master Node Primary Port Secondary Port Ring Type
Ring 1 in PE-AGG Eth0/0/1 Eth0/0/2 Major ring

Domain 1
Ring 1 in PE-AGG Eth0/0/2 Eth0/0/1 Major ring

Domain 2
Ring 2 in CE1 Eth0/0/1 Eth0/0/2 Sub ring

Domain 1

Domain 2

Domain 1

Domain 2
Table 9-8 shows the edge nodes, assistant edge nodes, common interface, and edge interfaces
of the sub-rings.
Table 9-8 Edge nodes, assistant edge nodes, common interface, and edge interfaces of the sub-
rings
Ring Edge Common Edge Edge-Assistant Common Edge
ID Node Port Port Node Port Port
Ring 2 UPEB Eth0/0/1 Eth0/0/3 UPEC Eth0/0/2 Eth0/0/4

in
Domain
1

in
Domain
1

in
Domain
2

in
Domain
2


2. Map the VLANs that need to pass through Domain 1 to Instance 1, including data VLANs
and control VLANs.
Map the VLANs that need to pass through Domain 2 to Instance 2, including data VLANs
and control VLANs.
a. Add UPEA, UPEB, UPEC, UPED, and PE-AGG to Ring 1 in Domain 1 and Ring 1
in Domain 2.
b. Add CE1, UPEB, and UPEC to Ring 2 in Domain 1 and Ring 2 in Domain 2.
c. Add CE2, UPEB, and UPEC to Ring 3 in Domain 1 and Ring 3 in Domain 2.
d. Configure PE-AGG as the master node and configure UPEA, UPEB, UPEC, and
UPED as transit nodes on Ring 1 in Domain 1 and Ring 1 in Domain 2.
e. Configure CE1 as the master node, UPEB as an edge node, and UPEC as an assistant
edge node on Ring 2 in Domain 1 and Ring 2 in Domain 2.
f. Configure CE2 as the master node, UPEB as an edge node, and UPEC as an assistant
edge node on Ring 3 in Domain 1 and Ring 3 in Domain 2.
5. To prevent topology flapping, set the LinkUp timer on the master nodes.
6. To reduce the Edge-Hello packets sent on the major ring and increase available bandwidth,
add the four sub-rings to a ring group.
NOTE
Procedure
# Create data VLANs 100 to 300 on CE1.

1 to Instance 1.


# Configure the RRPP interface as a trunk interface to allow data from VLANs 100 to 300 to
pass through and disable STP on the interface to be added to the RRPP ring.
[CE1-Ethernet0/0/1] port link-type trunk
[CE1-Ethernet0/0/1] port trunk allow-pass vlan 100 to 300
[CE1-Ethernet0/0/1] stp disable
[CE1-Ethernet0/0/2] port trunk allow-pass vlan 100 to 300
[CE1-Ethernet0/0/2] stp disable
[CE1] rrpp domain 1
[CE1] rrpp domain 2

interfaces.
interfaces.
interfaces.
[UPED-rrpp-domain-region1] ring 1 node-mode transit primary-port ethernet 0/0/1
interfaces.
interfaces.
interfaces.
# Configure UPEB as an edge node on Ring 2 in Domain 1, with Eth0/0/1 as the common
[UPEB-rrpp-domain-region1] ring 2 node-mode edge common-port ethernet 0/0/1 edge-
port ethernet 0/0/3

port ethernet 0/0/3

port ethernet 0/0/4
port ethernet 0/0/4
interfaces.
interfaces.
# Configure UPEC as an assistant edge node on Ring 2 in Domain 1, with Eth0/0/2 as the common
[UPEC-rrpp-domain-region1] ring 2 node-mode assistant-edge common-port ethernet

# Configure CE1 as the master node on Ring 2 in Domain 1, with Eth0/0/1 as the primary
[CE1] rrpp domain 1
[CE1-rrpp-domain-region1] ring 2 node-mode master primary-port ethernet 0/0/1
[CE1] rrpp domain 2
[CE2] rrpp domain 1
[CE2] rrpp domain 2
Step 5 Enable RRPP.
# Enable RRPP.
[CE1] rrpp enable
Step 6 Configure ring groups.
# Create ring group 1, which consists of four sub-rings: Ring 2 in Domain 1, Ring 3 in Domain
1, Ring 2 in Domain 2, and Ring 3 in Domain 2.
[UPEC] rrpp ring-group 1
[UPEC-rrpp-ring-group1] domain 1 ring 2 to 3
[UPEC-rrpp-ring-group1] domain 2 ring 2 to 3
[UPEC-rrpp-ring-group1] quit

# Create ring group 1, which consists of four sub-rings: Ring 2 in Domain 1, Ring 3 in Domain
1, Ring 2 in Domain 2, and Ring 3 in Domain 2.
[UPEB] rrpp ring-group 1
[UPEB-rrpp-ring-group1] domain 1 ring 2 to 3
[UPEB-rrpp-ring-group1] domain 2 ring 2 to 3
[UPEB-rrpp-ring-group1] quit
Step 7 Set the LinkUp timer.



[PE-AGG] rrpp linkup-delay-timer 1
perform the following operations to verify the configuration. UPEB and PE-AGG are used as
examples.
Run the display rrpp brief command on UPEB. The command output is as follows:
[UPEB] display rrpp brief

RRPP Linkup Delay Timer: 0 sec(0 sec default)
Domain Index : 1
---------------------------------------------------------------------------------
--------------------------------------------------------------------------------
Domain Index : 2
--------------------------------------------------------------------------------
The command output shows that RRPP is enabled on UPEB.
In Domain 1:

The major control VLAN is VLAN 5 and the protected VLANs are the VLANs mapped to
Instance 1.
UPEB is a transit node on Ring 1. The primary interface is Eth0/0/1 and the secondary interface
is Eth0/0/2.
On Ring 2, UPEB is the edge node. Eth0/0/1 is the common interface and Eth0/0/3 is the edge
interface.
interface.
In Domain 2:
Instance 2.
UPEB is a transit node on Ring 1. The primary interface is Eth0/0/1 and the secondary interface
is Eth0/0/2.
interface.
interface.
Run the display rrpp brief command on PE-AGG. The command output is as follows:

RRPP Linkup Delay Timer: 1 sec(0 sec default)
Domain Index : 1
--------------------------------------------------------------------------------
Domain Index : 2
--------------------------------------------------------------------------------
The command output shows that RRPP is enabled on PE-AGG, and the LinkUp timer is 2
seconds.
to Instance 1, and the master node on Ring 1 is PE-AGG. The primary interface is Eth0/0/1 and
the secondary interface is Eth0/0/2.
to Instance 2, and the master node on Ring 1 is PE-AGG. The primary interface is Eth0/0/2 and
the secondary interface is Eth0/0/1.

Run the display rrpp verbose domain command on UPEB. The command output is as follows:
Domain Index : 1
RRPP Ring : 1
Ring Level : 0
Node Mode : Transit
Ring State : LinkUp
RRPP Ring : 2
Ring Level : 1
Node Mode : Edge
Ring State : LinkUp
RRPP Ring : 3
Ring Level : 1
Node Mode : Edge
Ring State : LinkUp
UPEB is the edge node on Ring 2 in Domain 1 and is in LinkUp state. Eth0/0/1 is the common
interface and Eth0/0/3 is the edge interface.
<UPEB> display rrpp verbose domain 2
Domain Index : 2
RRPP Ring : 1
Ring Level : 0
Node Mode : Transit
Ring State : LinkUp
RRPP Ring : 2
Ring Level : 1
Node Mode : Edge
Ring State : LinkUp

RRPP Ring : 3
Ring Level : 1
Node Mode : Edge
Ring State : LinkUp
You can find that, in Domain 2, the control VLAN is VLAN 10, and the protected VLAN is the
VLAN mapped to Instance 2.
Run the display rrpp verbose domain 1 command on PE-AGG. The command output is as
follows:

Domain Index : 1
RRPP Ring : 1
Ring Level : 0
Node Mode : Master
Eth0/0/1 is the primary interface and Eth0/0/2 is the secondary interface.

Domain Index : 2
RRPP Ring : 1
Ring Level : 0
Node Mode : Master

Eth0/0/2 is the primary interface and Eth0/0/1 is the secondary interface.
Run the display rrpp ring-group command on UPEB to check the configuration of the ring
group.
# Check the configuration of ring group 1.

[UPEB] display rrpp ring-group 1
Ring Group 1:
domain 1 ring 2 to 3
domain 1 ring 2 send Edge-Hello packet
----End
Configuration Files
#
sysname CE1
#
#
rrpp enable
#
#
rrpp domain 1
control-vlan 5
ring 2 enable
rrpp domain 2
control-vlan 10
ring 2 enable
#
stp disable
#
stp disable
#
return

#
sysname CE2
#
#
rrpp enable
#

#
rrpp domain 1
control-vlan 5
ring 3 enable
rrpp domain 2
control-vlan 10
ring 3 enable
#
stp disable
#
stp disable
#
return

#
sysname UPEA
#
#
rrpp enable
#
#
rrpp domain 1
control-vlan 5
ring 1 enable
rrpp domain 2
control-vlan 10
ring 1 enable
#
stp disable
#
stp disable

#
return
#
sysname UPEB
#
#
rrpp enable
#
#
rrpp domain 1
control-vlan 5
ring 1 enable
ring 2 enable
ring 3 enable
rrpp domain 2
control-vlan 10
ring 1 enable
ring 2 enable
ring 3 enable
#
rrpp ring-group 1
#
stp disable
#
stp disable
#
stp disable
#
stp disable
#
return
#
sysname UPEC

#
#
rrpp enable
#
#
rrpp domain 1
control-vlan 5
ring 1 enable
Ethernet0/0/4
ring 2 enable
Ethernet0/0/3
ring 3 enable
rrpp domain 2
control-vlan 10
ring 1 enable
Ethernet0/0/4
ring 2 enable
Ethernet0/0/3
ring 3 enable
#
rrpp ring-group 1
#
stp disable
#
stp disable
#
stp disable
#
stp disable
#
return
#
sysname UPED
#

#
rrpp enable
#
#
rrpp domain 1
control-vlan 5
ring 1 enable
rrpp domain 2
control-vlan 10
ring 1 enable
#
stp disable
#
stp disable
#
return
#
sysname PE-AGG
#
#
rrpp enable
#
#
rrpp domain 1
control-vlan 5
ring 1 enable
rrpp domain 2
control-vlan 10
ring 1 enable
#
stp disable
#


stp disable
#
return
9.8.8 Example for Configuring Tangent RRPP Rings with Multiple

Instances
Figure 9-32 Networking diagram of tangent RRPP rings with multiple instances
UPEB UPEE
Eth0/0/1 Eth0/0/2
Eth0/0/1 Eth0/0/2
Domain 1 ring 1
CE Eth0/0/2 Eth0/0/1
Eth0/0/3 Eth0/0/1 UPEF
Master 1
UPEA
Master 2 UPED Master 3
VLAN 100-300 Eth0/0/1 Eth0/0/2 Eth0/0/4 Eth0/0/2
Eth0/0/2 Eth0/0/1 Eth0/0/2 Eth0/0/1
UPEC UPEG
domain 1
domain 2
domain 3
Table 9-9 shows the mapping between protected VLANs and instances in Domain 1, Domain
2, and Domain 3.

Domain 3 (on VLANs 20 and 21 VLANs 100 to 300 Instance 1, Instance 2,

UPED) and Instance 3

Domain 3 (on VLANs 20 and 21 VLANs 100 to 300 Instance 1

UPEE, UPEF,
and UPEG)
Table 9-10 shows the master node on each ring, and its primary and secondary interfaces.
Ring 1 in Domain 1 UPED Eth0/0/1 Eth0/0/2
Ring 1 in Domain 2 UPED Eth0/0/2 Eth0/0/1
Ring 1 in Domain 3 UPEF Eth0/0/1 Eth0/0/2
2. Map the VLANs that need to pass through the domain to the instance.
a. Add UPEA, UPEB, UPEC, and UPED to Ring 1 in Domain 1 and Ring 1 in Domain
2.
b. Add UPED, UPEE, UPEF, and UPEG to Ring 1 in Domain 3.
c. Configure UPED as the master node and configure UPEA, UPEB, and UPEC as transit
nodes on Ring 1 in Domain 1 and Ring 1 in Domain 2.
d. Configure UPEF as the master node and configure UPED, UPEE, and UPEG as transit
nodes on Ring 1 in Domain 3.
NOTE
Procedure

1 to Instance 1.

# The configurations on UPEB, UPEC, UPED, UPEE, UPEF, and UPEG are similar to that on
UPEA and not mentioned here. For details, see the configuration files.
# Disable STP on the interfaces to be added to the RRPP ring on UPEA. Configure the interfaces
to allow data from VLANs 100 to 300 to pass through.
interfaces on UPEA.


interfaces on UPEA.
interfaces on UPEB.
interfaces on UPEB.
interfaces on UPEC.
interfaces on UPEC.
# Configure UPED as the master node on Ring 1 in Domain 1 and specify Eth0/0/1 as the primary
interface and Eth0/0/2 as the secondary interface on UPED.
[UPED-rrpp-domain-region1] ring 1 node-mode master primary-port ethernet 0/0/1
# Configure UPED as the master node on Ring 1 in Domain 2 and specify Eth0/0/2 as the primary
interface and Eth0/0/1 as the secondary interface on UPED.
[UPED-rrpp-domain-region2] ring 1 node-mode master primary-port ethernet 0/0/2

interfaces on UPED.
# Configure UPEE as a transit node on Ring 1 in Domain 3 and specify primary and secondary
interfaces on UPEE.
[UPEE] rrpp domain 3
[UPEE-rrpp-domain-region3] ring 1 node-mode transit primary-port ethernet 0/0/1
[UPEE-rrpp-domain-region3] ring 1 enable
[UPEE-rrpp-domain-region3] quit
# Configure UPEF as the master node on Ring 1 in Domain 3 and specify Eth0/0/1 as the primary
interface and Eth0/0/2 as the secondary interface on UPEF.
[UPEF] rrpp domain 3

[UPEF-rrpp-domain-region3] ring 1 node-mode master primary-port ethernet 0/0/1
[UPEF-rrpp-domain-region3] ring 1 enable
[UPEF-rrpp-domain-region3] quit
# Configure UPEG as a transit node on Ring 1 in Domain 3 and specify primary and secondary
interfaces.
[UPEG] rrpp domain 3
[UPEG-rrpp-domain-region3] ring 1 node-mode transit primary-port ethernet 0/0/1
[UPEG-rrpp-domain-region3] ring 1 enable
[UPEG-rrpp-domain-region3] quit
Step 5 Enable RRPP.

# Enable RRPP.
[UPEA] rrpp enable
perform the following operations to verify the configuration. UPED is used as an example. Run
the display rrpp brief command on UPED. The command output is as follows:
[UPED] display rrpp brief

Domain Index : 1


--------------------------------------------------------------------------------
Domain Index : 2

--------------------------------------------------------------------------------
Domain Index : 3
Protected VLAN : Reference Instance 1 to 3

--------------------------------------------------------------------------------
The command output shows that RRPP is enabled on UPED.

In Domain 1:
Instance 1.
UPED is the master node on Ring 1. Ethernet0/0/1 is the primary interface and Ethernet0/0/2 is
In Domain 2:
Instance 2.
UPED is the master node on Ring 1. Ethernet0/0/2 is the primary interface and Ethernet0/0/1 is
In Domain 3:
instances 1 to 3.
UPED is a transit node on Ring 1. Ethernet0/0/3 is the primary interface and Ethernet0/0/4 is
Run the display rrpp verbose domain command on UPED. The command output is as follows:
# Check detailed information about UPED in Domain 1.
[UPED] display rrpp verbose domain 1
Domain Index : 1
RRPP Ring : 1
Ring Level : 0
Node Mode : Master


UPED is the master node in Domain 1 and is in Complete state.
Domain Index : 2
RRPP Ring : 1
Ring Level : 0
Node Mode : Master
UPED is the master node in Domain 2 and is in Complete state.
Domain Index : 3
Protected VLAN : Reference Instance 1 to 3
RRPP Ring : 1
Ring Level : 0
Node Mode : Transit
Ring State : LinkUp
The command output shows that, in Domain 3, the control VLAN is VLAN 20 and the protected
VLANs are the VLANs mapped to instances 1 to 3.
UPED is a transit node in Domain 3 and is in LinkUp state.
----End
Configuration Files
#
sysname UPEA
#

#
rrpp enable
#
#
rrpp domain 1
control-vlan 5
level 0
ring 1 enable
rrpp domain 2
control-vlan 10
level 0
ring 1 enable
#
stp disable
#
stp disable
#
return
#
sysname UPEB
#
#
rrpp enable
#
#
rrpp domain 1
control-vlan 5
level 0
ring 1 enable
rrpp domain 2
control-vlan 10
level 0
ring 1 enable
#
stp disable
#


stp disable
#
return
#
sysname UPEC
#
#
rrpp enable
#
#
rrpp domain 1
control-vlan 5
level 0
ring 1 enable
rrpp domain 2
control-vlan 10
level 0
ring 1 enable
#
stp disable
#
stp disable
#
return
#
sysname UPED
#
vlan batch 5 to 6 10 to 11 20 to 21 100 to 300
#
rrpp enable
#
#
rrpp domain 1
control-vlan 5
level 0
ring 1 enable
rrpp domain 2
control-vlan 10
level 0

ring 1 enable
rrpp domain 3
control-vlan 20
protected-vlan reference-instance 1 to 3
level 0
ring 1 enable
#
stp disable
#
stp disable
#
stp disable
#
stp disable
#
return
l Configuration file of UPEE
#
sysname UPEE
#
#
rrpp enable
#
#
rrpp domain 3
control-vlan 20
level 0
ring 1 enable
#
stp disable
#
stp disable
#
return
l Configuration file of UPEF
#
sysname UPEF

#
#
rrpp enable
#
#
rrpp domain 3
control-vlan 20
level 0
ring 1 enable
#
stp disable
#
stp disable
#
return
l Configuration file of UPEG

#
sysname UPEG
#
#
rrpp enable
#
#
rrpp domain 3
control-vlan 20
level 0
ring 1 enable
#
stp disable
#
stp disable
#
return
9.9 EFM Configuration

Ethernet in the First Mile (EFM) can be enabled on both devices of a point-to-point link to
monitor connectivity and link quality.

9.9.1 Example for Configuring Basic EFM Functions
As networks develop quickly, more and more IP networks are used to carry multiple services
such as voice and video services. These services pose high requirements on network reliability
and rapid fault detection.
As shown in Figure 9-33, the network between CE1 and CE3 is newly deployed. The
requirements on the network are as follows:
l Link connectivity and quality on the network are tested before the network is started.
l Link quality is dynamically monitored after links are properly started.
l Traffic is switched to a backup link if the primary link fails.
Figure 9-33 Networking diagram for configuring basic EFM functions

CE2
Eth0/0/1
PC CE1 Eth0/0/1
Metro
User CE3 Core
Network
Eth0/0/2 CE4
Eth0/0/1 Eth0/0/2
EFM
1. Configure basic EFM functions on CE1 and CE4 to monitor link connectivity.
2. Configure remote loopback on CE1 to test the connectivity and performance of the link
between CE1 and CE4 before the link is used to transmit services.
3. Configure link monitoring on CE1 to monitor the performance and quality of the link
between CE1 and CE4.
4. Configure association between EFM and interfaces on CE4. When the link between CE1
and CE4 becomes faulty, traffic sent from CE4 will not be sent along the link.
Procedure
Step 1 Configure basic EFM functions.
# Enable EFM on CE1 globally.
[CE1] efm enable
# Enable EFM on Eth0/0/2 of CE1.


[CE1-Ethernet0/0/2] efm enable

[CE4] efm enable
# Configure the EFM mode to passive on Eth0/0/1 of CE4.

[CE4-Ethernet0/0/1] efm mode passive

# Verify the configuration.
If EFM is correctly configured on CE1 and CE4, Eth0/0/2 and Eth0/0/1 will enter the handshake
phase. Run the display efm session { all | interface interface-type interface-num } command
on CE1 or CE4. The command output shows that the EFM status is detect on Eth0/0/2 or Eth
0/0/1.
[CE1] display efm session all
Interface EFM State Loopback Timeout
----------------------------------------------------------------------
Ethernet0/0/2 detect --
Step 2 Configure remote loopback.
# Configure remote loopback on CE1.

[CE1-Ethernet0/0/2] efm loopback start
Verify the configuration.
After configuring remote loopback, run the display efm session { all | interface interface-
type interface-num } command on CE1. The command output shows that the EFM status is
loopback (control) on Eth0/0/2.
[CE1] display efm session interface ethernet 0/0/2
----------------------------------------------------------------------
Ethernet0/0/2 loopback (control) 20
After configuring remote loopback, run the display efm session { all | interface interface-
type interface-num } command on CE4. The command output shows that the EFM status is
loopback (be controlled) on Eth0/0/1.
----------------------------------------------------------------------
Ethernet0/0/1 loopback (be controlled) --
Step 3 Configure CE1 to send test packets to CE4.

[CE1] test-packet start interface ethernet 0/0/2
Please waiting..............
Info: The test is complete.

Step 4 Check returned test packets on CE1.

[CE1] display test-packet result
TestResult Value
--------------------------------------------------------
PacketsSend : 5
PacketsReceive : 5
PacketsLost : 0
BytesSend : 480
BytesReceive : 480
BytesLost : 0
StartTime : 03-05-2012 14:28:16 UTC+03:00
EndTime : 03-05-2012 14:29:22 UTC+03:00
Link quality can be evaluated based on data in the preceding command output.
Step 5 Disable remote loopback.
[CE1-Ethernet0/0/2] efm loopback stop
NOTE
By default, the timeout interval for remote loopback is 20 minutes. The remote loopback test stops after
20 minutes. To disable remote loopback, perform the preceding procedures.

After disabling remote loopback, run the display efm session { all | interface interface-type
interface-num } command on CE1 or CE4. The command output shows that the EFM status is
detect on the interfaces at both ends of the link. For example:
----------------------------------------------------------------------
If the link is working properly, perform the following operations to monitor the link in real time.
Step 7 Configure errored code detection, errored frame detection, and errored frame second detection
on Eth0/0/2 of CE1.
# Configure errored code detection on Eth0/0/2 of CE1.
[CE1-Ethernet0/0/2] efm error-frame period 5
[CE1-Ethernet0/0/2] efm error-frame threshold 5
[CE1-Ethernet0/0/2] efm error-frame notification enable
# Configure errored frame detection on Eth0/0/2 of CE1.

[CE1-Ethernet0/0/2] efm error-code period 5
[CE1-Ethernet0/0/2] efm error-code threshold 5
[CE1-Ethernet0/0/2] efm error-code notification enable
# Configure errored frame second detection on Eth0/0/2 of CE1.

[CE1-Ethernet0/0/2] efm error-frame-second period 120
[CE1-Ethernet0/0/2] efm error-frame-second threshold 5
[CE1-Ethernet0/0/2] efm error-frame-second notification enable

After the preceding configurations are complete, Eth0/0/2 on CE1 and Eth0/0/1 on CE4 will
enter the handshake phase. Run the display efm session { all | interface interface-type interface-
num } command on CE1 or CE4. The command output shows that the EFM status is detect on
Eth0/0/2 or Eth0/0/1.


----------------------------------------------------------------------
After the preceding configurations are complete, run the display efm { all | interface interface-
type interface-number } command to check EFM configurations.
[CE1] display efm interface ethernet 0/0/2
Item Value
----------------------------------------------------
Interface: Ethernet0/0/2
EFM Enable Flag: enable
Mode: active
OAMPDU MaxSize: 128
ErrCodeNotification: enable
ErrCodePeriod: 5
ErrCodeThreshold: 5
ErrFrameNotification: enable
ErrFramePeriod: 5
ErrFrameThreshold: 5
ErrFrameSecondNotification:enable
ErrFrameSecondPeriod: 120
ErrFrameSecondThreshold: 5
Hold Up Time: 0
ThresholdEvtTriggerErrDown: disable
TriggerIfDown: disable
TriggerMacRenew: disable
Remote MAC: 0010-0010-0010
Remote EFM Enable Flag: enable
Remote Mode: passive
Remote MaxSize: 128
Remote State: --
Step 9 Configure association between EFM and Eth0/0/2 on CE4.

[CE4] oam-mgr
[CE4-oam-mgr] oam-bind efm interface ethernet 0/0/1 trigger if-down interface
ethernet 0/0/2
[CE4-oam-mgr] quit
After the preceding configurations are complete, run the shutdown command on Eth0/0/2 of
CE1. The command output shows that the current state field value is TRIGGER DOWN
(3AH) on Eth0/0/2 of CE4.
[CE4] display interface ethernet 0/0/2
Ethernet0/0/2 current state : TRIGGER DOWN (3AH)
Line protocol current state : DOWN
Switch Port, PVID : 1, TPID : 8100(Hex), The Maximum Frame Length is 1600
IP Sending Frames' Format is PKTFMT_ETHNT_2, Hardware address is 0200-0000-7f00
Port Mode: COMMON COPPER
Duplex: HALF, Negotiation: ENABLE
Mdi : AUTO
Input peak rate 113848 bits/sec, Record time: 2008-01-17 02:14:52
Output peak rate 3856 bits/sec, Record time: 2008-01-14 20:07:01
CRC : 0, Giants : 0
Jabbers : 0, Fragments : 0


Buffers Purged : 0
----End
Configuration Files
#
sysname CE1
#
efm
enable
#
efm
enable
efm error-frame period
5
efm error-frame threshold
5
efm error-frame notification
enable
efm error-frame-second period
120
efm error-frame-second threshold
5
efm error-frame-second notification
enable
efm error-code period
5
efm error-code threshold
5
efm error-code notification enable
#
return

#
sysname CE4
#
efm enable
#
efm mode passive
efm enable
#
oam-mgr
oam-bind ingress interface Ethernet0/0/2 egress efm interface Ethernet0/0/1
trigger if-
down
oam-bind ingress efm interface Ethernet0/0/1 trigger if-down egress interface
Ethernet0/0/2
#
return

9.9.2 Example for Configuring Association Between an EFM

Module and an Interface
As shown in Figure 9-34, EFM is configured between SwitchB and SwitchC. When
Ethernet0/0/2 on SwitchB becomes Down, EFM reports the fault to Ethernet0/0/1 on SwitchB
through association. Then Ethernet0/0/1 becomes Down.
Figure 9-34 Association between EFM and an interface

Eth0/0/1 Eth0/0/2
Eth0/0/1 Eth0/0/2
EFM OAM
Interface associated with
EFM OAM
1. Configure EFM between SwitchB and SwitchC.
2. Configure association between EFM and Ethernet0/0/1 on SwitchB.
Procedure
Step 1 Configure EFM between SwitchB and SwitchC.
[SwitchB] efm enable
[SwitchB-Ethernet0/0/2] bpdu enable
[SwitchB-Ethernet0/0/2] efm mode passive
[SwitchB-Ethernet0/0/2] efm enable
[SwitchC] efm enable
[SwitchC-Ethernet0/0/2] bpdu enable
[SwitchC-Ethernet0/0/2] efm enable
Run the display efm session interface command on SwitchB to check the EFM OAM status.
You can see that EFM OAM is in detect state.
[SwitchB] display efm session interface ethernet 0/0/2
----------------------------------------------------------------------

Step 2 Configure association between EFM and an interface.

# Configure Ethernet0/0/1 on SwitchB and EFM between SwitchB and SwitchC to report faults
to each other.
[SwitchB] oam-mgr
[SwitchB-oam-mgr] oam-bind efm interface ethernet 0/0/2 trigger if-down interface
ethernet 0/0/1

Run the shutdown command on Eth0/0/2 of SwitchB. EFM OAM reports the fault to
Ethernet0/0/1. Then Ethernet0/0/1 enters the TRIGGER DOWN (3AH) state.
[SwitchB] display interface ethernet 0/0/1
Ethernet0/0/1 current state : TRIGGER DOWN (3AH)
IP Sending Frames' Format is PKTFMT_ETHNT_2, Hardware address is 0200-0000-7f00
Duplex: HALF, Negotiation: ENABLE
Mdi : AUTO
CRC : 0, Giants : 0
Jabbers : 0, Fragments : 0
Buffers Purged : 0
----End
Configuration Files
#
sysname SwitchB
#
efm enable
#
efm mode passive
efm enable
#
oam-mgr
oam-bind ingress interface Ethernet0/0/1 egress efm interface Ethernet0/0/2
trigger if-down
oam-bind ingress efm interface Ethernet0/0/2 trigger if-down egress interface

Ethernet0/0/1
#
return

#
sysname SwitchC
#
efm enable
#
efm enable
#
return
9.9.3 Example for Configuring Association Between EFM Modules
Link detection protocols are usually deployed on a network to detect link connectivity and faults.
A single fault detection protocol cannot detect all faults in all links on a complex network.
Network environments and user requirements need to be analyzed, and various detection
techniques are required to implement rapid link fault detection.
As shown in Figure 9-35, CE1 is dual-homed to CE2 and CE4. The requirements are as follows:
l Connectivity of links between CE1 and CE4, between CE4 and CE3 can be detected.
l When the link between CE1 and CE4 becomes faulty, CE3 can detect the fault.
l When the link between CE1 and CE4 becomes faulty, services are switched to the link
Figure 9-35 Association between EFM modules

CE2
GE0/0/1 GE0/0/2
PC CE1 GE0/0/1 GE0/0/2

CE3 Metro
User
CORE
Network GE0/0/3 CE4 GE0/0/3
GE0/0/1 GE0/0/2
EFM EFM
1. Configure EFM for the link between CE1 and CE4 to monitor connectivity of the link

2. Configure EFM for the link between CE4 and CE3 to monitor connectivity of the link
3. Configure association between EFM modules so that the fault can be transmitted.
4. Configure association between EFM and an interface on CE3. When EFM detects a link
fault between CE1 and CE4, the interface becomes Down.
Procedure
[CE1] efm enable
# Enable EFM on GE0/0/3 of CE1.

[CE1-GigabitEthernet0/0/3] efm enable

[CE3] efm enable


[CE4] efm enable
# Enable EFM on 0/0/1 and GE0/0/2 of CE4.


Run the display efm session { all | interface interface-type interface-num } command on each
device. If the EFM status is detect, the EFM configuration on CE3, CE1, and CE4 is correct.

----------------------------------------------------------------------
GigabitEthernet0/0/3 detect --
Step 2 Configure association between EFM modules.

# Configure association between EFM modules on CE4.
[CE4] oam-mgr
[CE4] oam-bind efm interface gigabitethernet 0/0/1 efm interface gigabitethernet

0/0/2
[CE4] quit
Step 3 Configure association between EFM and an interface.

# Configure association between EFM and an interface on CE3.
[CE3-GigabitEthernet0/0/3] efm trigger if-down

After association functions are configured, run the shutdown command on GE0/0/3 of CE1 to
simulate a fault on the link between CE1 and CE4. Run the display interface interface-type
interface-num command on GE0/0/3 of CE3. The command output shows that the Line protocol
current state field value is DOWN (EFM down), indicating that the fault is transmitted from
the link between CE1 and CE4 to the link between CE4 and CE3.
[CE3] display interface gigabitethernet 0/0/3
GigabitEthernet0/0/3 current state : UP
Line protocol current state : DOWN (EFM down)
Description:
IP Sending Frames" Format is PKTFMT_ETHNT_2, Hardware address is 781d-bacc-8be0
Last physical down time : 2012-02-20 17:21:06 UTC+03:03
Current system time: 2012-04-29 06:34:41+08:00
Mdi : AUTO

Unicast: 94284, Multicast: 1357189494
Broadcast: 2830, Jumbo: 0
Discard: 0, Total Error: 0
CRC: 0, Giants: 0
Jabbers: 0, Fragments: 0
Runts: 0, DropEvents: 0
Alignments: 0, Symbols: 0
Ignoreds: 0, Frames: 0
Pause: 0

Collisions: 0, ExcessiveCollisions: 0
Late Collisions: 0, Deferreds: 0
Buffers Purged: 0, Pause: 0

----End

Configuration Files
#
sysname CE1
#
efm
enable
#
efm enable
#
return

#
sysname CE3
#
efm
enable
#
efm enable
efm trigger if-
down
#
return

#
sysname CE4
#
efm enable
#
efm
enable
#
efm
enable
#
oam-
mgr
oam-bind ingress efm interface GigabitEthernet0/0/1 egress efm interface
oam-bind ingress efm interface GigabitEthernet0/0/2 egress efm interface
#
return
9.9.4 Example for Configuring Association between EFM and BFD
As shown in Figure 9-36, CE1 is dual-homed to PE1 and PE3. The requirements on the network
are as follows:
l Connectivity of links between CE1 and PE3, between PE3 and PE4, and between PE4 and
CE2 can be detected.

l When the link between CE1 and PE3 becomes faulty, CE2 can detect the fault, preventing
return traffic from being forwarded to PE4.
l When the link between CE1 and PE3 goes faulty, a active/standby link switchover can be
implemented.
l When the link between PE3 and PE4 becomes faulty, CE1 or CE2 can detect the fault.
Figure 9-36 Association between EFM and BFD

PE1 PE2
CE1 CE2
User User
GE0/0/1 GE0/0/1
Network1 Network2
GE0/0/1 GE0/0/1
PE3 GE0/0/2 GE0/0/2

PE4
EFM EFM
BFD
1. Configure EFM for links between CE1 and PE3 and between CE2 and PE4 to monitor link
connectivity.
2. Configure BFD for the link between PE3 and PE4 to monitor link connectivity.
3. Configure association between EFM and interfaces on CE2. When EFM detects a link fault
between CE1 and PE3, traffic can be switched to the backup link and return traffic is not
forwarded to PE4.
4. Configure association between BFD and EFM on PE3 and PE4 so that CFM and BFD can
notify each other of faults.
Procedure

[CE1] efm enable

[CE2] efm enable
# Enable EFM on PE3 globally.

[PE3] efm enable

[PE4] efm enable


# Enable EFM on GE0/0/1 of PE3.

[PE3] interface gigabitethernet 0/0/1
[PE3-GigabitEthernet0/0/1] efm enable
[PE3-GigabitEthernet0/0/1] quit
# Enable EFM on GE0/0/1 of PE4.

[PE4-GigabitEthernet0/0/1] efm enable
If EFM is correctly configured on PE3, CE1, PE4, and CE2, GE0/0/1 of these devices will enter
the handshake stage. Run the display efm session { all | interface interface-type interface-
num } command on one of these devices. The command output shows that the EFM status on
GE0/0/1 is detect.

----------------------------------------------------------------------
GigabitEthernet0/0/1 detect --
Step 2 Configure basic BFD functions.
BFD for IP is used as an example for configuring basic BFD functions.
# Configure basic BFD functions on PE3.

[PE3] bfd
[PE3-bfd] quit
[PE3] vlan 100
[PE3-vlan100] quit
[PE3-GigabitEthernet0/0/2] port link-type trunk
[PE3-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[PE3-Vlanif100] quit
[PE3] bfd pedetect bind peer-ip 1.1.1.2 interface vlanif 100
[PE3-bfd-session-pedetect] discriminator local 1
[PE3-bfd-session-pedetect] discriminator remote 2

[PE3-bfd-session-pedetect] commit
[PE3-bfd-session-pedetect] quit
# Configure basic BFD functions on PE4.

[PE3] bfd
[PE3-bfd] quit
[PE3] vlan 100
[PE3-vlan100] quit
[PE3-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[PE3-Vlanif100] quit
[PE3] bfd pedetect bind peer-ip 1.1.1.1 interface vlanif 100
[PE3-bfd-session-pedetect] discriminator local 2
[PE3-bfd-session-pedetect] discriminator remote 1
[PE3-bfd-session-pedetect] commit
[PE3-bfd-session-pedetect] quit

If BFD is correctly configured on PE3 and PE4, run the display bfd session all command on
PE3 or PE4. The command output shows that the BFD status is Up.
[PE3] display bfd session all
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
1 2 1.1.1.2 Up S_IP_IF Vlanif100
--------------------------------------------------------------------------------
Step 3 Configure association between EFM and BFD.

# Configure association between EFM and BFD on PE3.
[PE3] oam-mgr
[PE3-oam-mgr] oam-bind efm interface gigabitethernet 0/0/1 bfd-session 1
[PE3-oam-mgr] quit
# Configure association between EFM and BFD on PE4.

[PE4] oam-mgr
[PE4-oam-mgr] oam-bind efm interface gigabitethernet 0/0/1 bfd-session 2
[PE4-oam-mgr] quit
Step 4 Configure association between EFM and interfaces on CE2.

[CE2-GigabitEthernet0/0/1] efm trigger if-down

After association functions are configured, run the shutdown command on GE0/0/1 of CE1 to
simulate a fault on the link between CE1 and PE3. Run the display interface interface-type
interface-num command on GE0/0/1 of CE2. The command output shows that the Line protocol
current state field value is DOWN (ETHOAM down).
[CE2] display interface gigabitethernet 0/0/1
GigabitEthernet0/0/1 current state : UP
Description:

Last physical down time : 2012-02-20 17:21:06 UTC+03:03

Mdi : AUTO

CRC: 0, Giants: 0
Pause: 0


----End
Configuration Files
#
sysname CE1
#
efm enable
#
efm enable
#
return

#
sysname PE3
#
efm
enable
#
vlan
100
#
bfd
#
interface Vlanif 100
ip address 1.1.1.1 255.255.255.0
#
interface

efm
enable
#
port link-type
trunk
#
bfd pedetect bind peer-ip 1.1.1.2 interface Vlanif100
discriminator local
1
discriminator remote
2
commit
#
oam-
mgr
oam-bind ingress efm interface GigabitEthernet1/0/1 egress bfd-session
1
oam-bind ingress bfd-session 1 egress efm interface GigabitEthernet1/0/1
#
return
#
sysname PE4
#
efm
enable
#
vlan
100
#
bfd
#
interface Vlanif 100
ip address 1.1.1.2 255.255.255.0
#
interface
efm
enable
#
port link-type
trunk
#
interface
NULL0
#
bfd pedetect bind peer-ip 1.1.1.1 interface Vlanif100
discriminator local
2
discriminator remote
1
commit
#
oam-
mgr
oam-bind ingress efm interface GigabitEthernet1/0/1 egress bfd-session
1
oam-bind ingress bfd-session 1 egress efm interface GigabitEthernet1/0/1
#
return

#
sysname CE2
#
efm enable
#
efm enable
efm trigger if-down
#
return
9.10 CFM Configuration

Connectivity fault management (CFM) defines OAM functions and applies to large-scale end-
to-end Ethernet networks. It monitors network connectivity and locates connectivity faults.
9.10.1 Example for Configuring VLAN-based Ethernet CFM on a

Layer 2 Network
As shown in Figure 9-37, VLANs are configured between devices. UPE2 and UPE3 back up
each other. It is required that connectivity of links between UPE1 and UPE2 and between UPE2
and PE-AGG be detected in real time.
Figure 9-37 Networking for configuring VLAN-based Ethernet CFM on a Layer 2 network
UPE2
Eth0/0/1 Eth0/0/2
PC UPE1 PE-AGG NPE
Eth0/0/2
Eth0/0/2
User IP/MPLS
Network Eth0/0/1 Eth0/0/1 Core
Eth0/0/1 Eth0/0/2
UPE3
CFM
l Configure VLANs for UPE1, UPE2, UPE3, and PE-AGG to implement Layer 2
connectivity.
l Configure basic CFM functions on UPE1 and PE-AGG to detect connectivity of the link
between UPE1 and PE-AGG.
Procedure
Step 1 Configure VLANs.

# Configure UPE1.
[Quidway] sysname UPE1
[UPE1] vlan 2
[UPE1-vlan2] quit
[UPE1] interface ethernet 0/0/1
[UPE1-Ethernet0/0/1] port link-type trunk
[UPE1-Ethernet0/0/1] port trunk allow-pass vlan 2
[UPE1-Ethernet0/0/1] quit
# Configure UPE2.
[UPE2] vlan 2
[UPE2-vlan2] quit
# Configure UPE3.
[UPE3] vlan 2
[UPE3-vlan2] quit
# Configure the PE-AGG.

[Quidway] sysname PEAGG
[PEAGG] vlan 2
[PEAGG-vlan2] quit
[PEAGG] interface ethernet 0/0/1
[PEAGG-Ethernet0/0/1] port link-type trunk
[PEAGG-Ethernet0/0/1] port trunk allow-pass vlan 2
[PEAGG-Ethernet0/0/1] quit
[PEAGG] interface ethernet 0/0/2
[PEAGG-Ethernet0/0/2] port link-type trunk
[PEAGG-Ethernet0/0/2] port trunk allow-pass vlan 2
[PEAGG-Ethernet0/0/2] quit
After the configuration is complete, run the display vlan vlan-id command on each device. You
can view VSI and PW information.
<UPE1>display vlan 2
--------------------------------------------------------------------------------
U: Up; D: Down; TG: Tagged; UT: Untagged;
MP: Vlan-mapping; ST: Vlan-stacking;
#: ProtocolTransparent-vlan; *: Management-vlan;
--------------------------------------------------------------------------------

VID Type Ports

--------------------------------------------------------------------------------
2 common TG:Eth0/0/1(U) Eth0/0/2(U)
VID Status Property MAC-LRN Statistics Description

--------------------------------------------------------------------------------
2 enable default enable disable VLAN 0002
Step 2 Configure basic CFM functions.

# Configure basic CFM functions on UPE1.
[UPE1] cfm version standard
[UPE1] cfm enable
Info: Succeeded in enabling CFM.
[UPE1] cfm md md
[UPE1-md-md] ma ma
[UPE1-md-md-ma-ma] map vlan 2
[UPE1-md-md-ma-ma] mep mep-id 1 interface ethernet 0/0/2 outward
[UPE1-md-md-ma-ma] mep ccm-send mep-id 1 enable
[UPE1-md-md-ma-ma] remote-mep mep-id 2
[UPE1-md-md-ma-ma] remote-mep ccm-receive mep-id 2 enable
# Configure basic CFM functions on the PE-AGG.

[PEAGG] cfm version standard
[PEAGG] cfm enable
Info: Succeeded in enabling CFM.
[PEAGG] cfm md md
[PEAGG-md-md] ma ma
[PEAGG-md-md-ma-ma] map vlan 2
[PEAGG-md-md-ma-ma] mep mep-id 2 interface ethernet 0/0/2 outward
[PEAGG-md-md-ma-ma] mep ccm-send mep-id 2 enable
[PEAGG-md-md-ma-ma] remote-mep mep-id 1
[PEAGG-md-md-ma-ma] remote-mep ccm-receive mep-id 1 enable
After the configuration is complete, run the display cfm remote-mep command on UPE1 and
PE-AGG. You can view MEP information.
<UPE1>display cfm remote-mep
The total number of RMEPs is : 1
The status of RMEPS : 1 up, 0 down, 0 disable
--------------------------------------------------
MD Name : md
Level : 0
MA Name : ma
RMEP ID : 2
Vlan ID : 2
VSI Name : --
MAC : 00e0-0003-0003
CCM Receive : enabled
Trigger-If-Down : disabled
CFM Status : up
Alarm Status : None
----End
Configuration Files
l Configuration file of UPE1
#
sysname UPE1
#
vlan batch
2
#
cfm version standard
cfm

enable
#
port link-type
trunk
2
#
port link-type
trunk
2
#
cfm md
md
ma
ma
map vlan
2
mep mep-id 1 interface Ethernet0/0/2 outward
mep ccm-send mep-id 1
enable
remote-mep mep-id
2
remote-mep ccm-receive mep-id 2
enable
#
return
#
sysname
UPE2
#
vlan batch
2
#
cfm
enable
#
port link-type
trunk
2
#
port link-type
trunk
2
#
return
#
sysname
UPE3
#
vlan batch
2
#
cfm
enable
#
port link-type
trunk

2
#
port link-type
trunk
2
#
return
l Configuration file of the PE-AGG

#
sysname PEAGG
#
vlan batch
2
#
cfm
enable
#
port link-type
trunk
2
#
port link-type
trunk
2
#
cfm md
md
ma
ma
map vlan
2
enable
remote-mep mep-id
1
enable
#
return
9.10.2 Example for Associating Ethernet CFM with an Interface
As shown in Figure 9-38, a user network is connected to an ISP network through SwitchA and
SwitchB. SwitchA functions as the CE, and SwitchB functions as the UPE. The requirements
are as follows:
l The bandwidth for the user network to access the ISP network is 2000 Mbit/s and an inactive
link that serves as a backup is provided.
l When the active link between the user network and the ISP network fails, the LACP module
can detect the fault within 50 ms and stop forwarding data on the active link.

Figure 9-38 Association between CFM with an interface
ISP network
SwitchB
Eth0/0/1 Eth0/0/3
Eth0/0/2
Eth0/0/2
Eth0/0/1 Eth0/0/3
SwitchA
User
network1
Active Link
Inactive Link
Link aggreation group
in static LACP mode
l Configure a link aggregation group (LAG) in LACP mode with three member interfaces
on SwitchA and SwitchB respectively to increase the bandwidth, implement redundancy,
and improve reliability.
l Configure Ethernet CFM on SwitchA and SwitchB, and set the interval for sending and
detecting CCMs to 100s in each MA so that the LACP module can detect link faults within
50 ms.
l Associate Ethernet CFM with member interfaces of the LAGs in LACP mode on SwitchA
and SwitchB so that member interfaces can fast detect link faults.
Procedure
Step 1 Configure an LAG in static LACP mode.
For details, see 3.1 Link Aggregation Configuration in the S2300&S3300 Series Ethernet
Switches Configuration Guide - LAN Configuration.
Step 2 Configure Ethernet CFM.
# Enable Ethernet CFM globally on SwitchA.

[SwitchA] cfm enable
# Create MD, MA, MEP and RMEP on SwitchA.

[SwitchA] cfm md md1

[SwitchA-md-md1] ma ma1
[SwitchA-md-md1-ma-ma1] ccm-interval 100
[SwitchA-md-md1-ma-ma1] mep mep-id 2 interface ethernet 0/0/1 outward
[SwitchA-md-md1-ma-ma1] remote-mep mep-id 1
[SwitchA-md-md1-ma-ma1] mep ccm-send enable
[SwitchA-md-md1-ma-ma1] remote-mep ccm-receive enable
[SwitchA-md-md1-ma-ma1] quit
[SwitchA-md-md1] quit
# Enable Ethernet CFM globally on SwitchB.

[SwitchB] cfm enable
# Create MD, MA, MEP and RMEP on SwitchB.

[SwitchB] cfm md md1
[SwitchB-md-md1] ma ma1
[SwitchB-md-md1-ma-ma1] ccm-interval 100
[SwitchB-md-md1-ma-ma1] mep mep-id 1 interface ethernet 0/0/1 outward
[SwitchB-md-md1-ma-ma1] remote-mep mep-id 2
[SwitchB-md-md1-ma-ma1] mep ccm-send enable
[SwitchB-md-md1-ma-ma1] remote-mep ccm-receive enable
[SwitchB-md-md1-ma-ma1] quit
[SwitchB-md-md1] quit
[SwitchB] quit

Run the display cfm mep and display cfm remote-mep commands on SwitchA or SwitchB. If
information about the MEP and RMEP is displayed, the configuration is successful. The
displayed information on SwitchB is as follows:
[SwitchB] display cfm mep md md1
The total number of MEPs is : 3
--------------------------------------------------
MD Name : md1
MD Name Format : md-name
Level : 0
MA Name : ma1
MEP ID : 1

Vlan ID : --
VSI Name : --
Interface Name : Ethernet0/0/1
CCM Send : enabled
Direction : outward
MAC Address : 80fb-0636-792d
MD Name : md1
Level : 0
MA Name : ma2
MEP ID : 3
Vlan ID : --
VSI Name : --
CCM Send : enabled
Direction : outward
MD Name : md1
Level : 0
MA Name : ma3
MEP ID : 5
Vlan ID : --
VSI Name : --
CCM Send : enabled
Direction : outward
[SwitchB] display cfm remote-mep md md1
--------------------------------------------------
MD Name : md1
Level : 0
MA Name : ma1
RMEP ID : 2
Vlan ID : --
VSI Name : --
MAC : 80fb-065f-03d3
CFM Status : up
Alarm Status : None
MD Name : md1
Level : 0
MA Name : ma2
RMEP ID : 4
Vlan ID : --
VSI Name : --
MAC : 80fb-065f-03d3
CFM Status : up
Alarm Status : None
MD Name : md1
Level : 0
MA Name : ma3
RMEP ID : 6
Vlan ID : --
VSI Name : --
MAC : 80fb-065f-03d3
CFM Status : up
Alarm Status : None

Step 3 Associate Ethernet CFM with member interfaces of the LAG in static LACP mode.
# Associate Ethernet CFM with member interfaces of Eth-Trunk 2 on SwitchA.

[SwitchA-Ethernet0/0/1] cfm md md1 ma ma1 remote-mep mep-id 1 trigger if-down
# Associate Ethernet CFM with member interfaces of Eth-Trunk 2 on SwitchB.

[SwitchB-Ethernet0/0/1] cfm md md1 ma ma1 remote-mep mep-id 2 trigger if-down
Run the display cfm remote-mep command on SwitchA or SwitchB. If the Trigger-If-down
field is displayed as enabled, the configuration is successful.
[SwitchB] display cfm remote-mep md md1
--------------------------------------------------
MD Name : md1
Level : 0
MA Name : ma1
RMEP ID : 2
Vlan ID : --
VSI Name : --
MAC : 80fb-065f-03d3
Trigger-If-Down : enabled
CFM Status : up
Alarm Status : None
MD Name : md1
Level : 0
MA Name : ma2
RMEP ID : 4
Vlan ID : --
VSI Name : --
MAC : 80fb-065f-03d3
CFM Status : up
Alarm Status : None
MD Name : md1
Level : 0
MA Name : ma3
RMEP ID : 6
Vlan ID : --
VSI Name : --
MAC : 80fb-065f-03d3

CFM Status : up
Alarm Status : None
----End
Configuration Files
#
sysname SwitchA
#
cfm enable
#
mode lacp-static
#
eth-trunk 2
cfm md md1 ma ma1 remote-mep mep-id 1 trigger if-down
#
eth-trunk 2
#
eth-trunk 2
#
cfm md md1
ma ma1
ccm-interval 100
mep ccm-send mep-id 2 enable
remote-mep mep-id 1
remote-mep ccm-receive mep-id 1 enable
ma ma2
ccm-interval 100
remote-mep mep-id 3
ma ma3
ccm-interval 100
remote-mep mep-id 5
#
return

#
sysname SwitchB
#
lacp priority 100
#
cfm enable
#
mode lacp-static
max bandwidth-affected-linknumber 2
#
eth-trunk 2
lacp priority 2000
#

eth-trunk 2
lacp priority 2000
#
eth-trunk 2
#
cfm md md1
ma ma1
ccm-interval 100
remote-mep mep-id 2
ma ma2
ccm-interval 100
remote-mep mep-id 4
ma ma3
ccm-interval 100
remote-mep mep-id 6
#
return
9.10.3 Example for Configuring Association Between CFM Modules
As shown in Figure 9-39, SwitchA, SwitchB, and SwitchC are connected at Layer 2. The
requirements are as follows:
l Connectivity of the links between SwitchA and SwitchB and between SwitchB and
SwitchC can be monitored.
l When the link between SwitchA and SwitchB becomes faulty, SwitchC can detect the fault.
Figure 9-39 Networking diagram for configuring association between Ethernet CFM and
Ethernet CFM
Eth0/0/1 Eth0/0/2
Eth0/0/1 Eth0/0/2
CFM CFM
MEP in MA1
MEP in MA2

2. Configure Ethernet CFM between SwitchA and SwitchB and between SwitchB and
SwitchC to monitor link connectivity.
3. Configure association between CFM modules on SwitchB and SwitchC.
Procedure
Step 1 Create VLANs and add interfaces to the VLANs. The configuration details are not mentioned
here.
Step 2 Configure Ethernet CFM between SwitchA and SwitchB.
[SwitchA] cfm enable
[SwitchA] cfm md md1
[SwitchA-md-md1-ma-ma1] map vlan 10
[SwitchA-md-md1] quit
[SwitchB-md-md1-ma-ma1] map vlan 10
Step 3 Configure CFM between SwitchB and SwitchC.

[SwitchB-md-md1-ma-ma2] map vlan 20
[SwitchC] cfm enable
[SwitchC] cfm md md1
[SwitchC-md-md1] ma ma2
[SwitchC-md-md1-ma-ma2] map vlan 20
[SwitchC-md-md1-ma-ma2] mep mep-id 2 interface ethernet 0/0/2 outward

[SwitchC-md-md1-ma-ma2] mep ccm-send enable

[SwitchC-md-md1-ma-ma2] remote-mep ccm-receive enable
[SwitchC-md-md1-ma-ma2] quit
[SwitchC-md-md1] quit
Run the display cfm remote-mep command on SwitchB to check the CFM status. You can see
that the CFM status is Up.
[SwitchB] display cfm remote-mep
--------------------------------------------------
MD Name : md1
Level : 0
MA Name : ma1
RMEP ID : 1
Vlan ID : 10
VSI Name : --
MAC : 0025-9efb-494a
CFM Status : up
Alarm Status : None
MD Name : md1
Level : 0
MA Name : ma2
RMEP ID : 2
Vlan ID : 20
VSI Name : --
MAC : 0002-0003-0161
CFM Status : up
Alarm Status : None
Step 4 Configure association between Ethernet CFM modules.
# Associate Ethernet CFM between SwitchA and SwitchB with Ethernet CFM between SwitchB
and SwitchC in both directions.
[SwitchB] oam-mgr
[SwitchB-oam-mgr] oam-bind cfm md md1 ma ma1 cfm md md1 ma ma2
Shut down Eth0/0/2 on SwitchB. Run the display cfm remote-mep command on SwitchA to
check the CFM status between SwitchA and SwitchB. You can see that the CFM status is Down.
[SwitchA]display cfm remote-mep
--------------------------------------------------
MD Name : md1
Level : 0
MA Name : ma1
RMEP ID : 2
Vlan ID : 10
VSI Name : --
MAC : 0044-0141-5410
CFM Status : down
Alarm Status : RemoteAlarm
----End

Configuration Files
#
sysname SwitchA
#
vlan batch 10
#
cfm enable
#
#
cfm md md1
ma ma1
map vlan 10
remote-mep mep-id 2
#
return

#
sysname SwitchB
#
vlan batch 10 20
#
cfm enable
#
#
shutdown
#
cfm md md1
ma ma1
map vlan 10
remote-mep mep-id 1
ma ma2
map vlan 20
remote-mep mep-id 2
#
oam-mgr
oam-bind ingress cfm md md1 ma ma1 egress cfm md md1 ma ma2
oam-bind ingress cfm md md1 ma ma2 egress cfm md md1 ma ma1
#
return

#
sysname SwitchC
#
vlan batch 20
#
cfm enable
#

#
cfm md md1
ma ma2
map vlan 20
remote-mep mep-id 1
#
return
9.10.4 Example for Configuring Association Between CFM and EFM
As shown in Figure 9-40, CE1 is dual-homed to PE1 and PE3. The requirements are as follows:
l Connectivity of links between CE1 and PE3, between PE3 and PE4, and between PE4 and
CE2 can be detected.
l If the link between CE1 and PE3 becomes faulty, CE2 can detect the fault, preventing return
traffic from being forwarded to PE4.
l When the link between PE3 and PE4 becomes faulty, CE1 or CE2 can detect the fault.
l When the link between CE1 and PE3 goes faulty, a active/standby link switchover can be
implemented.
Figure 9-40 Association between EFM and CFM
PE1 PE2
Eth0/0/2 Eth0/0/2
Eth0/0/1 Eth0/0/1
CE1 CE2
Eth0/0/2 Eth0/0/2
User User
Network Eth0/0/1 Eth0/0/1 Network
PE3 PE4
Eth0/0/1 Eth0/0/1
Eth0/0/2 Eth0/0/2
EFM
CFM EFM

1. Configure EFM for links between CE1 and PE3 and between CE2 and PE4 to monitor link
connectivity.
2. Configure CFM for the link between PE3 and PE4 to monitor link connectivity.
3. Configure association between EFM and interfaces on CE2. When EFM detects a link fault
between CE1 and PE3, traffic can be switched to the backup link and return traffic is not
forwarded to PE4.
4. Configure association between CFM and EFM on PE3 and PE4 so that CFM and EFM can
notify each other of faults.
Procedure
[CE1] efm enable

[CE2] efm enable

[PE3] efm enable

[PE4] efm enable


# Enable EFM on Eth0/0/1 of PE3.

[PE3-Ethernet0/0/1] efm enable
# Enable EFM on Eth0/0/1 of PE4.

[PE4-Ethernet0/0/1] efm enable


If EFM is correctly configured on PE3, CE1, PE4, and CE2, Eth0/0/1 of these devices will enter
the handshake stage. Run the display efm session { all | interface interface-type interface-
num } command on one of these devices. The command output shows that the EFM status on
Eth0/0/1 is detect.
----------------------------------------------------------------------
Step 2 Configure basic CFM functions.

An outward-facing MEP in a VLAN is used as an example to describe how to configure basic
CFM functions.
# Configure basic CFM functions on PE3.
[PE3] vlan 2
[PE3-vlan2] quit
[PE3] cfm version standard
[PE3] cfm enable
[PE3] cfm md md1
[PE3-md-md1] ma ma1
[PE3-md-md1-ma-ma1] map vlan 2
[PE3-md-md1-ma-ma1] mep mep-id 1 interface ethernet 0/0/2 outward
[PE3-md-md1-ma-ma1] remote-mep mep-id 2
[PE3-md-md1-ma-ma1] mep ccm-send enable
[PE3-md-md1-ma-ma1] remote-mep ccm-receive enable
[PE3-md-md1-ma-ma1] quit
[PE4-md-md1] quit
# Configure basic CFM functions on PE4.

[PE4] vlan 2
[PE4--vlan2] quit
[PE4] cfm enable
[PE4] cfm md md1
[PE4-md-md1] ma ma1
[PE4-md-md1-ma-ma1] mep mep-id 2 interface ethernet 0/0/2 outward
[PE4-md-md1] quit

Run the display cfm remote-mep command on PE3 or PE4. If the value of the CFM Status
field is up, the CFM configuration is correct.
[PE3] display cfm remote-mep
--------------------------------------------------
MD Name : md1
Level : 0

MA Name : ma1
RMEP ID : 2
Vlan ID : 2
VSI Name : --
MAC : --
CFM Status : up
Alarm Status : None
Step 3 Configure association between EFM and CFM.

# Configure association between EFM and CFM on PE3.
[PE3] oam-mgr
[PE3-oam-mgr] oam-bind cfm md md1 ma ma1 efm interface ethernet 0/0/1
[PE3-oam-mgr] quit
# Configure association between EFM and CFM on PE4.

[PE4] oam-mgr
[PE4-oam-mgr] oam-bind cfm md md1 ma ma1 efm interface ethernet 0/0/1
[PE4-oam-mgr] quit
Step 4 Configure association between EFM and an interface on CE2.

[CE2-Ethernet0/0/1] efm trigger if-down

After association functions are configured, run the undo efm enable command on Eth0/0/1 of
CE1 to simulate a fault on the link between CE1 and PE3. Run the display interface interface-
type interface-num command on Eth0/0/2 of CE2. The command output shows that the Line
protocol current state field value is DOWN (EFM down), indicating that the fault is transmitted
from the link between CE1 and PE3 to the link between PE4 and CE2.
[CE2] display interface ethernet 0/0/1
Ethernet0/0/1 current state : UP
Description:
IP Sending Frames" Format is PKTFMT_ETHNT_2, Hardware address is 0002-0003-0161
Last physical up time : 2012-07-08 14:20:18+00:00
Last physical down time : 2012-06-12 06:44:34+00:00
Mdi : AUTO

CRC: 0, Giants: 0
Pause: 0



----End
Configuration Files
#
sysname CE1
#
efm enable
#
efm enable
#
return

#
sysname PE3
#
vlan batch
2
#
cfm version
standard
cfm
enable
#
efm
enable
#
efm
enable
#
port link-type
trunk
2
#
cfm md
md1
ma
ma1
map vlan
2
enable
remote-mep mep-id
2
enable
#
oam-

mgr
oam-bind ingress efm interface Ethernet0/0/1 egress cfm md md1 ma ma1
oam-bind ingress cfm md md1 ma ma1 egress efm interface Ethernet0/0/1
#
return

#
sysname PE4
#
vlan batch
2
#
cfm version
standard
cfm
enable
#
efm
enable
#
efm
enable
#
port link-type
trunk
2
#
cfm md
md1
ma
ma1
map vlan
2
enable
remote-mep mep-id
1
enable
#
oam-
mgr
oam-bind ingress efm interface Ethernet0/0/1 egress cfm md md1 ma ma1
oam-bind ingress cfm md md1 ma ma1 egress efm interface Ethernet0/0/1
#
return

#
sysname CE2
#
efm enable
#
efm enable
efm trigger if-down
#
return
9.10.5 Example for Configuring Association Between CFM and

RRPP

As shown in Figure 9-41, UPEA is dual-homed to UPEB and UPEC. The requirements are as
follows:
l Connectivity of links between UPEA and UPEC, between UPEC and the PE-AGG, between
UPEA and UPEB, and between UPEB and the PE-AGG can be monitored.
l When the link between UPEA and UPEC or between UPEC and the PE-AGG goes faulty,
an active/standby switchover can be implemented.
Figure 9-41 Association between CFM and RRPP multi-instance

UPEB
EF
M
Eth0/0/1 Eth0/0/2
EF
CE1 PE-AGG
VLAN 100-300 Eth0/0/2 Eth0/0/1
Ring 1 Backbone
UPEA Master 1 network
Eth0/0/1 Eth0/0/2
EF
Eth0/0/2 Eth0/0/1
M
EF
M
Domain 1 ring 1
UPEC
Table 9-11 describes the mapping between protected VLANs in domain 1 and the instance.
Ring Control VLAN Instance ID of Data VLAN ID Instance ID of

ID ID Control VLAN Data VLAN
Domain VLAN 5 and Instance 1 VLAN 100 to 300 Instance 1

1 VLAN 6
Table 9-12 lists the master node, and primary and secondary ports on the master node of the
ring.

Table 9-12 Master node, and primary and secondary ports on the master node
Ring 1 in domain 1 PE-AGG Eth0/0/1 Eth0/0/2
1. Map instance 1 to VLANs 100 to 300.
2. Add UPEA, UPEB, UPEC, and PE-AGG to ring 1 in domain 1.
3. Configure the protected VLAN and control VLAN for domain 1.
4. Configure the PE-AGG as the master node and configure UPEA, UPEB, and UPEC as
transit nodes on ring 1 in domain 1 to remove loops.
5. Configure Ethernet CFM on the PE-AGG and UPEA to detect faults on the two links
between PE-AGG and UPEA.
6. Configure association between Ethernet CFM and primary and secondary ports on the
RRPP ring on the PE-AGG so that faults can be transmitted.
Procedure
l Configure UPEA.
# Create instance 1, and map control VLANs 5 and 6 and data VLANs 100 to 300 in domain
1 to instance 1.

l Configure UPEB.
# Create data VLANs 100 to 300 on UPEB.
[Quidway] sysname UPEB
[UPEB] vlan batch 100 to 300
1 to instance 1.
[UPEB] stp region-configuration
[UPEB-mst-region] instance 1 vlan 5 6 100 to 300

[UPEB-mst-region] active region-configuration
[UPEB-mst-region] quit
l Configure UPEC.
# Create data VLANs 100 to 300 on UPEC.

[Quidway] sysname UPEC
[UPEC] vlan batch 100 to 300
1 to instance 1.
[UPEC] stp region-configuration
[UPEC-mst-region] instance 1 vlan 5 6 100 to 300

[UPEC-mst-region] active region-configuration
[UPEC-mst-region] quit
l Configure the PE-AGG.

# Create data VLANs 100 to 300 on the PE-AGG.
[Quidway] sysname PE-AGG
[PE-AGG] vlan batch 100 to 300
1 to instance 1.
[PE-AGG] stp region-configuration
[PE-AGG-mst-region] instance 1 vlan 5 6 100 to 300

[PE-AGG-mst-region] active region-configuration
[PE-AGG-mst-region] quit
l Verify the configuration.

After the configuration is complete, run the following command to view the mapping between
instances and VLANs. The display on UPEA is used as an example.
[UPEA] display stp region-configuration
Oper configuration
Format selector :0
Region name :001820000083
Revision level :0
Instance VLANs Mapped

0 1 to 4, 7 to 9, 12 to 99, 301 to 4094
1 5 to 6, 100 to 300
Step 2 Add ports to the RRPP ring.

l Configure UPEA.
# On UPEA, disable STP on the ports to be added to the RRPP ring, and configure the ports
to allow the packets from VLANs 100 to 300 to pass through.
l Configure UPEB.
# On UPEB, disable STP on the ports to be added to the RRPP ring, and configure the ports
[UPEB] interface ethernet 0/0/1
[UPEB-Ethernet0/0/1] port link-type trunk
[UPEB-Ethernet0/0/1] port trunk allow-pass vlan 100 to 300
[UPEB-Ethernet0/0/1] stp disable

[UPEB-Ethernet0/0/1] quit
[UPEB] interface ethernet 0/0/2
[UPEB-Ethernet0/0/2] port link-type trunk
[UPEB-Ethernet0/0/2] port trunk allow-pass vlan 100 to 300
[UPEB-Ethernet0/0/2] stp disable
[UPEB-Ethernet0/0/2] quit
l Configure UPEC.
# On UPEC, disable STP on the ports to be added to the RRPP ring, and configure the ports
[UPEC] interface ethernet 0/0/1
[UPEC-Ethernet0/0/1] port link-type trunk
[UPEC-Ethernet0/0/1] port trunk allow-pass vlan 100 to 300
[UPEC-Ethernet0/0/1] stp disable
[UPEC-Ethernet0/0/1] quit
[UPEC] interface eigabitethernet 0/0/2
[UPEC-Ethernet0/0/2] port link-type trunk
[UPEC-Ethernet0/0/2] port trunk allow-pass vlan 100 to 300
[UPEC-Ethernet0/0/2] stp disable
[UPEC-Ethernet0/0/2] quit
# On the PE-AGG, disable STP on the ports to be added to the RRPP ring, and configure the
ports to allow the packets from VLANs 100 to 300 to pass through.
[PE-AGG] interface ethernet 0/0/1
[PE-AGG-Ethernet0/0/1] port link-type trunk
[PE-AGG-Ethernet0/0/1] port trunk allow-pass vlan 100 to 300
[PE-AGG-Ethernet0/0/1] stp disable
[PE-AGG-Ethernet0/0/1] quit
[PE-AGG-Ethernet0/0/2] port link-type trunk
[PE-AGG-Ethernet0/0/2] port trunk allow-pass vlan 100 to 300
[PE-AGG-Ethernet0/0/2] stp disable
l Configure UPEA.
# Configure VLANs mapping instance 1 as protected VLANs in domain 1, and configure
l Configure UPEB.
[UPEB-rrpp-domain-region1] protected-vlan reference-instance 1
[UPEB-rrpp-domain-region1] control-vlan 5
l Configure UPEC.
[UPEC-rrpp-domain-region1] protected-vlan reference-instance 1
[UPEC-rrpp-domain-region1] control-vlan 5


[PE-AGG-rrpp-domain-region1] protected-vlan reference-instance 1
[PE-AGG-rrpp-domain-region1] control-vlan 5
Step 4 Create an RRPP ring.

l Configure UPEA.
# Configure UPEA as a transit node of ring 1 in domain 1 and specify primary and secondary
ports.
l Configure UPEB.
# Configure UPEB as a transit node of ring 1 in domain 1 and specify primary and secondary
ports.
l Configure UPEC.
# Configure UPEC as a transit node of ring 1 in domain 1 and specify primary and secondary
ports.
secondary-port Ethernet 0/0/2 level 0

# Configure the PE-AGG as the master node of ring 1 in domain 1, Eth0/0/1 as the primary
port, and Eth0/0/2 as the secondary port.
[PE-AGG-rrpp-domain-region1] ring 1 node-mode master primary-port ethernet
0/0/1 secondary-port Ethernet 0/0/2 level 0
Step 5 Enable RRPP.
After configuring an RRPP ring, you need to enable RRPP on each node on the ring to activate
l Configure UPEA.
# Enable RRPP.
[UPEA] rrpp enable
l Configure UPEB.
# Enable RRPP.
[UPEB] rrpp enable
l Configure UPEC.
# Enable RRPP.
[UPEC] rrpp enable

# Enable RRPP.
[PE-AGG] rrpp enable
After the configuration is complete and the network topology becomes stable, perform the
following operations to verify the configuration. The display on UPEA and the PE-AGG is
used as an example.
l On UPEA, run the display rrpp brief or display rrpp verbose domain command. The
following information is displayed:
# Check brief information about RRPP on UPEA.
[UPEA] display rrpp brief

Domain Index : 1
----------------------------------------------------------------------------
RRPP is enabled on UPEA, VLAN 5 is the control VLAN and VLANs mapping instance 1
are the protected VLANs in domain 1, and UPE A is a transit node on ring 1; the primary
port is Eth0/0/1, and the secondary port is Eth0/0/2.
# View detailed information about UPEA in domain 1.
Domain Index : 1
RRPP Ring : 1
Ring Level : 0
Node Mode : Transit
Ring State : LinkUp
The preceding command output shows that VLAN 5 is the control VLAN in domain 1, and
VLANs mapping instance 1 are the protected VLANs. UPEA is a transit node in domain 1
and is in LinkUp state; RRPP is enabled on UPEA.
# View brief information about RRPP on the PE-AGG.

Domain Index : 1


Enabled
---------------------------------------------------------------------------
The preceding command output shows that RRPP is enabled on the PE-AGG. In domain 1,
VLAN 5 is the control VLAN; VLANs mapping instance 1 are the protected VLANs; PE-
AGG is the master node on ring 1. The primary port is Eth0/0/1, and the secondary port is
Eth0/0/2.
# View detailed information about PE-AGG in domain 1.
Domain Index : 1
RRPP Ring : 1
Ring Level : 0
Node Mode : Master
The preceding command output shows that VLAN 5 is the control VLAN in domain 1, and
VLANs mapping instance 1 are the protected VLANs. The PE-AGG is the master node, and
the status is Complete. The primary port is Ethernet0/0/1, and the secondary port is
Ethernet0/0/2.
# Configure UPEA.
[UPEA] cfm enable
[UPEA] cfm md md1
[UPEA-md-md1] ma ma1
[UPEA-md-md1-ma-ma1] map vlan 100
[UPEA-md-md1-ma-ma1] mep mep-id 1 interface ethernet 0/0/2 outward
[UPEA-md-md1-ma-ma1] remote-mep mep-id 2
[UPEA-md-md1-ma-ma1] remote-mep ccm-receive mep-id 2 enable
[UPEA-md-md1-ma-ma1] mep ccm-send enable
[UPEA-md-md1-ma-ma1] quit
[UPEA-md-md1] ma ma2
[UPEA-md-md1-ma-ma2] map vlan 100
[UPEA-md-md1-ma-ma2] mep mep-id 3 interface ethernet 0/0/1 outward
[UPEA-md-md1-ma-ma2] remote-mep mep-id 4
[UPEA-md-md1-ma-ma2] remote-mep ccm-receive mep-id 4 enable
[UPEA-md-md1-ma-ma2] mep ccm-send enable
[UPEA-md-md1-ma-ma2] quit
[UPEA-md-md1] quit

[PE-AGG] cfm enable
[PE-AGG] cfm md md1
[PE-AGG-md-md1] ma ma1
[PE-AGG-md-md1-ma-ma1] map vlan 100
[PE-AGG-md-md1-ma-ma1] mep mep-id 2 interface ethernet 0/0/1 outward
[PE-AGG-md-md1-ma-ma1] remote-mep mep-id 1
[PE-AGG-md-md1-ma-ma1] remote-mep ccm-receive mep-id 1 enable
[PE-AGG-md-md1-ma-ma1] mep ccm-send enable
[PE-AGG-md-md1-ma-ma1] quit
[PE-AGG-md-md1] ma ma2
[PE-AGG-md-md1-ma-ma2] map vlan 100
[PE-AGG-md-md1-ma-ma2] mep mep-id 4 interface ethernet 0/0/2 outward
[PE-AGG-md-md1-ma-ma2] remote-mep mep-id 3
[PE-AGG-md-md1-ma-ma2] remote-mep ccm-receive mep-id 3 enable

[PE-AGG-md-md1-ma-ma2] mep ccm-send enable

[PE-AGG-md-md1-ma-ma2] quit
[PE-AGG-md-md1] quit
On UPEA or the PE-AGG, run the display cfm remote-mep command to check the Ethernet
CFM status. You can see that Ethernet CFM is in Up state. The display on the PE-AGG is used
as an example.
[PE-AGG] display cfm remote-mep
--------------------------------------------------
MD Name : md1
Level : 0
MA Name : ma1
RMEP ID : 1
Vlan ID : 100
VSI Name : --
MAC : --
CFM Status : up
Alarm Status : None
MD Name : md1
Level : 0
MA Name : ma2
RMEP ID : 3
Vlan ID : 100
VSI Name : --
MAC : --
CFM Status : up
Alarm Status : None
Step 7 Associate Ethernet CFM with an interface.

# Configure the UPEA.
[UPEA] oam-mgr
[UPEA-oam-mgr] oam-bind cfm md md1 ma ma1 trigger if-down interface Ethernet 0/0/1
[UPEA-oam-mgr] oam-bind cfm md md1 ma ma2 trigger if-down interface Ethernet 0/0/2
[UPEA-oam-mgr] quit

[PE-AGG] oam-mgr
[PE-AGG-oam-mgr] oam-bind cfm md md1 ma ma1 trigger if-down interface Ethernet
0/0/1
[PE-AGG-oam-mgr] oam-bind cfm md md1 ma ma2 trigger if-down interface Ethernet
0/0/2
[PE-AGG-oam-mgr] quit

Shut down the simulated link of Eth 0/0/1 on UPEB and run the display cfm remote-mep
command on the PE-AGG to check the CFM status. The following information is displayed:
[PE-AGG] display cfm remote-mep
--------------------------------------------------
MD Name : md1
Level : 0
MA Name : ma1
RMEP ID : 1
Vlan ID : 100
VSI Name : --

MAC : --
CFM Status : down
Alarm Status : None
MD Name : md1
Level : 0
MA Name : ma2
RMEP ID : 3
Vlan ID : 100
VSI Name : --
MAC : --
CFM Status : up
Alarm Status : None
Run the display this interface command on the PE-AGG to check the status of Eth 0/0/1. You
can see that Eth1/0/0 is in TRIGGER DOWN (1AG) state.
[PE-AGG-Ethernet0/0/1] display this interface
Ethernet0/0/1 current state : TRIGGER DOWN
(1AG)
Mdi : AUTO

CRC: 0, Giants: 0
Pause: 0


Run the display rrpp verbose domain 1 command on the PE-AGG to check the status of the
RRPP ring and interface. The following information is displayed:
[PE-AGG] quit

<PE-AGG> display rrpp verbose domain 1

Domain Index : 1
RRPP Ring : 1
Ring Level : 0
Node Mode : Master
Ring State : Failed
The status of the RRPP ring becomes Failed and the secondary port changes from BLOCKED
to UP.
Re-enable Eth0/0/1 on UPEB. You can see that the CFM status on the PE-AGG becomes Up.
Run the display rrpp verbose domain 1 command on the PE-AGG to check the status of the
RRPP ring and interface. You can see that the RRPP ring becomes Complete.
<PE-AGG> display rrpp verbose domain 1
Domain Index : 1
RRPP Ring : 1
Ring Level : 0
Node Mode : Master
----End
Configuration Files
#
sysname UPEA
#
#
rrpp enable
#
cfm enable
#
instance 1 vlan 5 6 100 to 300
#
rrpp domain 1
control-vlan 5
level 0
ring 1 enable
#
stp disable
#


stp disable
#
cfm md md1
ma ma1
map vlan 100
remote-mep mep-id 2
ma ma2
map vlan 100
remote-mep mep-id 4
#
oam-mgr
oam-bind ingress interface Ethernet0/0/2 egress cfm md md1 ma ma1 trigger if-down
oam-bind ingress cfm md md1 ma ma1 trigger if-down egress interface Ethernet0/0/2
#
return
#
sysname UPEB
#
#
rrpp enable
#
cfm enable
#
#
rrpp domain 1
control-vlan 5
level 0
ring 1 enable
#
stp disable
#
stp disable
#
return
#
sysname UPEC
#
#
rrpp enable
#
cfm enable
#

#
rrpp domain 1
control-vlan 5
level 0
ring 1 enable
#
stp disable
#
stp disable
#
Return
l Configuration file of the PE-AGG
#
sysname PE-AGG
#
#
rrpp enable
#
cfm enable
#
#
rrpp domain 1
control-vlan 5
level 0
ring 1 enable
#
stp disable
#
stp disable
#
cfm md md1
ma ma1
map vlan 100
remote-mep mep-id 1
ma ma2
map vlan 100
remote-mep mep-id 3
#
oam-mgr

#
return
9.10.6 Example for Configuring Association Between CFM and

MSTP
As shown in Figure 9-42, CE1 is dual-homed to PEs through sub-interfaces and a VPLS network
is deployed between PEs. CFM is enabled between GE1/0/1 on CE1 and GE1/0/1 on PE2, and
between GE1/0/2 on CE1 and GE1/0/2 on PE1 to detect faults on links. MSTP is run on directly
connected interfaces between CE1 and PE1 and between CE1 and PE2; PE1 is configured as
the root switch; PE2 is configured as the secondary root switch; MSTP blocks ports of the
secondary root switch to prevent loops.
When Ethernet CFM detects a fault on the link between CE1 and PE1, OAM Manager notifies
the MSTP module of the fault. Then, the interface notifies the MSTP module through association
between OAM Manager and the interface. The secondary root switch becomes the root switch
of a specified MSTI, protecting links connected to the VPLS network.
Figure 9-42 Association between CFM and MSTP

PE1
GE0/0/1
GE0/0/2.1
GE0/0/2
C E1 VPLS network
GE0/0/1 PE3
GE0/0/1.1
GE0/0/2
PE2
NOTE
In this example, only the configuration of MSTP, CFM, and association is mentioned. The VPLS
configuration, however, is not mentioned.
1. Create VLANs.
2. Create sub-interfaces on PE1 and PE2 and add them to VLANs to connect to the VPLS
network.
3. Configure PE1 as the CIST root.
4. Configure PE1, PE2, and CE1 to be in the same region named RG1 and create MSTI 1.
5. In RG1, PE1 functions as the CIST root and the root switch of MSTI 1, and PE2 functions
as the secondary root switch of MSTI 1.
6. Configure root protection on PE2.

7. Configure Ethernet CFM between PE1 and CE1 and between PE2 and CE1 to monitor
links.
8. Configure association between Ethernet CFM and interfaces. After the root switch fails,
the secondary root switch immediately switches to the root switch of the specified MSTI.
Procedure
Step 1 Configure MSTP on PE1.
# Create VLANs 1 to 20.
<PE1> system-view
[PE1] vlan batch 1 to 20
# Create a sub-interface on PE1 and add it to a VLAN.

[PE1] interface gigabitethernet0/0/2.1
[PE1-GigabitEthernet0/0/2.1] dot1q termination vid 20
[PE1-GigabitEthernet0/0/2.1] quit
# Configure an MST region on PE1.

[PE1-mst-region] instance 1 vlan 1 to 20
# Activate the MST region configuration.

# Configure PE1 as the root switch.

[PE1] stp instance 1 root primary
# Configure CE1 to use Huawei proprietary algorithm to calculate the path cost.
[PE1] stp pathcost-standard legacy
# Add GE1/0/2 to the VLANs.

[PE1] interface GigabitEthernet 0/0/2
[PE1-GigabitEthernet0/0/2] port trunk allow-pass vlan 1 to 19
# Enable root protection on GE1/0/2.

[PE1-GigabitEthernet0/0/2] stp root-protection
Step 2 Configure MSTP on PE2.

<PE2> system-view
[PE2] vlan batch 1 to 20
# Create a sub-interface on PE2 and add it to a VLAN.

[PE2] interface gigabitethernet0/0/1.1
[PE2-GigabitEthernet0/0/1.1] dot1q termination vid 20
[PE2-GigabitEthernet0/0/1.1] quit
# Configure an MST region on PE2.


[PE2-mst-region] instance 1 vlan 1 to 20

# Configure PE2 as the secondary root switch.

[PE2] stp instance 1 root secondary
# Configure PE2 to use Huawei proprietary algorithm to calculate the path cost.
[PE2] stp pathcost-standard legacy

[PE2-GigabitEthernet0/0/1] port trunk allow-pass vlan 1 to 19
# Enable root protection on GEGE0/0/1.

[PE2-GigabitEthernet0/0/1] stp root-protection
Step 3 Configure MSTP on CE1.

# Configure an MST region on CE1.
[CE1-mst-region] region-name RG1
[CE1-mst-region] instance 1 vlan 1 to 20

# Configure CE1 to use Huawei proprietary algorithm to calculate the path cost.
[CE1] stp pathcost-standard legacy


[CE1] interface GigabitEthernet 0/0/1
# Add GE0/0/2 to VLANs.

[CE1] interface GigabitEthernet 0/0/2
After the configuration is complete, run the display stp brief command on PEs and CE1 to check
the status and protection type of the interface. The following information is displayed:
[PE1] display stp brief

0 0/0/2 DEST FORWARDING ROOT

1 0/0/2 DEST FORWARDING ROOT
[PE2] display stp brief
0 0/0/1 DEST DISCARDING Root
1 0/0/1 DEST DISCARDING Root

# Configure CE1.
[CE1] cfm md md1
[CE1-md-md1] ma ma1
[CE1-md-md1-ma-ma1] map vlan 10
[CE1-md-md1-ma-ma1] mep mep-id 1 interface gigabitethernet 0/0/2 outward
[CE1-md-md1-ma-ma1] remote-mep mep-id 2
[CE1-md-md1-ma-ma1] remote-mep ccm-receive mep-id 2 enable
[CE1-md-md1-ma-ma1] mep ccm-send enable
[CE1-md-md1-ma-ma1] quit
[CE1-md-md1] ma ma2
# Configure PE1.
[PE1] cfm md md1
[PE1-md-md1] ma ma1
[PE1-md-md1-ma-ma1] mep mep-id 2 interface gigabitethernet 0/0/2 outward
[PE1-md-md1-ma-ma1] remote-mep ccm-receive mep-id 1 enable
# Configure PE2.
[PE2] cfm md md1
[PE2-md-md1] ma ma2
[PE2-md-md1-ma-ma2] remote-mep ccm-receive mep-id 3 enable
[PE2G-md-md1-ma-ma2] mep ccm-send enable
On CE1 or PEs, run the display cfm remote-mep command to check the Ethernet CFM status.
You can see that ma1 is in up state and ma2 is in down state. The display on CE1 is used as an
example.
[CE1] display cfm remote-mep
--------------------------------------------------
MD Name : md1
Level : 0
MA Name : ma1
RMEP ID : 2
Vlan ID : 10
VSI Name : --
MAC : --
CFM Status : up
MD Name : md1

Level : 0
MA Name : ma2
RMEP ID : 4
Vlan ID : 10
VSI Name : --
MAC : --
CFM Status : down
Step 5 Associate Ethernet CFM with interfaces.
# Configure PE1.
[PE1] oam-mgr
[PE1-oam-mgr] oam-bind cfm md md1 ma ma1 trigger if-down interface gigabitethernet
0/0/2
# Configure PE2.
[PE2-oam-mgr] oam-bind cfm md md1 ma ma2 trigger if-down interface gigabitethernet
0/0/2
Disable PE1 from sending CCMs and simulate link faults.

[PE1-md-md1-ma-ma1] undo mep ccm-send enable
Run the display interface command on PE1 to view the status of GE0/0/2. GE0/0/2 is in
TRIGGER DOWN (1AG) state.
[PE1] display interface gigabitethernet 0/0/2
GigabitEthernet0/0/2 current state : TRIGGER DOWN
(1AG)
Description:HUAWEI, Quidway Series, GigabitEthernet0/0/2 Interface
IP Sending Frames' Format is PKTFMT_ETHNT_2, Hardware address is 0022-0033-0044
Last physical down time : 2009-03-13 19:57:53
Port Mode: COMMON FIBER
Mdi : NORMAL
Input peak rate 0 bits/sec, Record time: -
Output peak rate 0 bits/sec, Record time: -

CRC: 0, Giants: 0

Buffers Purged: 0


Run the display stp brief command on PE2 to check the status and protection type of the
interface. The following information is displayed:
# Run the display stp brief command on PE2.
<PE2> display stp brief
0 0/0/1 DESI FORWARDING ROOT
1 0/0/1 DESI FORWARDING ROOT
GE0/0/1 on PE2 is the designated port.
----End
Configuration Files
#
sysname PE1
#
vlan batch 1 to 20
#
#
cfm enable
#
region-name RG1
#
#
stp root-protection
#
#
cfm md md1
ma ma1
map vlan 10
mep mep-id 2 interface GigabitEthernet0/0/2 outward
remote-mep mep-id 1
#
oam-mgr
oam-bind ingress interface GigabitEthernet1/0/2 egress cfm md md1 ma ma1 trigger
if-down
oam-bind ingress cfm md md1 ma ma1 trigger if-down egress interface GigabitEthe
rnet1/0/2
#
return

#
sysname PE2

#
vlan batch 1 to 20
#
#
cfm enable
#
region-name RG1
#
#
#
#
cfm md md1
ma ma2
map vlan 10
remote-mep mep-id 3
#
oam-mgr
oam-bind ingress interface GigabitEthernet0/0/1 egress cfm md md1 ma ma2 trigger
if-down
oam-bind ingress cfm md md1 ma ma2 trigger if-down egress interface GigabitEthe
rnet0/0/1
#
return
#
sysname CE1
#
vlan batch 1 to 20
#
cfm enable
#
region-name RG1
#
#
#
#
cfm md md1
ma ma1
map vlan 10
remote-mep mep-id 2
ma ma2
map vlan 10


remote-mep mep-id 4
#
return
9.11 Y.1731 Configuration

Y.1731 provides fault detection and fault management on an Ethernet end-to-end link.
9.11.1 Example for Configuring One-way Frame Delay

Measurement in a VLAN
As networks rapidly develop and applications become diversified, various value-added services
such as IPTV, video conferencing and VOIP are widely used. Link connectivity and network
performance determine QoS on bearer networks. Therefore, performance monitoring is
important for service transmission.
As shown in Figure 9-43, CFM is configured between CEs. To provide high-quality video
services, carriers hope to monitor the one-way delay over mobile bearer links in real time, while
monitoring link connectivity. Monitoring the one-way delay over mobile bearer links allows the
carriers to respond quickly to video service quality deterioration.
Figure 9-43 Configuring Y.1731 in a VLAN
PE1 PE2
Eth0/0/2 Eth0/0/2
VLAN
Eth0/0/1 Eth0/0/1
Eth0/0/1 Eth0/0/1
CE1 CE2
User User
network network
1. Configure on-demand one-way frame delay measurement for the end-to-end link between
the CEs to periodically collect statistics about the delay in frame transmission.

Procedure
Step 1 Configure basic Ethernet CFM functions and specify the MEP type as outward.
Configure basic Ethernet CFM functions on each CE. Specify CFM version as IEEE Standard
802.1ag-2007, create an MD named md3 and an MA named ma3, and bind the MA to the VLAN.
# Configure CE1.
[CE1] vlan 2
[CE1-Ethernet0/0/1] port trunk allow-pass vlan 2
[CE1] cfm enable
[CE1] cfm version standard
[CE1] cfm md md3
[CE1-md-md3] ma ma3
[CE1-md-md3-ma-ma3] mep mep-id 3 interface ethernet 0/0/1 outward
[CE1-md-md3-ma-ma3] mep ccm-send mep-id 3 enable
# Configure CE2.
[CE2] vlan 2
[CE2-Ethernet0/0/1]port link-type trunk
[CE2-Ethernet0/0/1]port trunk allow-pass vlan 2
[CE2-Ethernet0/0/1]quit
[CE2] cfm enable
[CE2] cfm md md3
[CE2-md-md3] ma ma3
Step 2 Configure CE2 to receive DM frames.
# Configure CE2.
[CE2] cfm md md3
[CE2-md-md3] ma ma3
[CE2-md-md3-ma-ma3] delay-measure one-way receive
[CE2-md-md3] quit
Step 3 Enable one-way frame delay measurement.
# Configure CE1.
[CE1] cfm md md3
[CE1-md-md3] ma ma3
[CE1-md-md3-ma-ma3] delay-measure one-way remote-mep mep-id 4 interval 10000 count
20
[CE1-md-md3] quit

# After the configuration is complete, run the display y1731 statistic-type oneway-delay md
md3 ma ma3 command on CE2. You can see statistics about the one-way frame delay.
<CE2> display y1731 statistic-type oneway-delay md md3 ma ma3
Latest one-way delay statistics:
--------------------------------------------------------------------------------
Index Delay(usec) Delay variation(usec)
--------------------------------------------------------------------------------
1 10000 -
2 10000 0
3 10000 0
4 10000 0
5 10000 0
6 10000 0
7 10000 0
8 10000 0
9 10000 0
10 10000 0
11 10000 0
12 40000 30000
13 10000 30000
14 10000 0
15 10000 0
16 10000 0
17 10000 0
--------------------------------------------------------------------------------
Average delay(usec) : 11764 Average delay variation(usec) : 3750
Maximum delay(usec) : 40000 Maximum delay variation(usec) : 30000
Minimum delay(usec) : 10000 Minimum delay variation(usec) : 0
----End
Configuration Files
#
sysname CE1
#
vlan batch 2
#
cfm enable
#
#
cfm md md3
ma ma3
map vlan 2
remote-mep mep-id 4
#
return
#
sysname CE2
#
vlan batch 2
#
cfm enable
#

#
cfm md md3
ma ma3
map vlan 2
remote-mep mep-id 3
delay-measure one-way receive
#
return
9.11.2 Example for Configuring Two-way Frame Delay

Measurement in a VLAN
As networks rapidly develop and applications become diversified, various value-added services
such as IPTV, video conferencing and VOIP are widely used. Link connectivity and network
performance determine QoS on bearer networks. Therefore, performance monitoring is
especially important for service transmission.
As shown in Figure 9-44, CFM is configured between CEs. To provide high-quality video
services, carriers hope to monitor the two-way delay over mobile bearer links in real time, while
monitoring link connectivity. Monitoring the two-way delay over mobile bearer links allows the
carriers to respond quickly to video service quality deterioration.
Figure 9-44 Configuring Y.1731 in a VLAN
PE1 PE2
Eth0/0/2 Eth0/0/2
VLAN
Eth0/0/1 Eth0/0/1
Eth0/0/1 Eth0/0/1
CE1 CE2
User User
network network
1. Configure on-demand two-way frame delay measurement for the end-to-end link between
the CEs to periodically collect statistics about the delay in frame transmission.

Procedure
Step 1 Configure basic Ethernet CFM functions and specify the MEP type as outward.
# Configure CE1.
[CE1] vlan 2
[CE1-Ethernet0/0/1] port trunk allow-pass vlan 2
[CE1] cfm enable
[CE1] cfm md md3
[CE1-md-md3] ma ma3
# Configure CE2.
[CE2] vlan 2
[CE2-Ethernet0/0/1]port link-type trunk
[CE2-Ethernet0/0/1]port trunk allow-pass vlan 2
[CE2-Ethernet0/0/1]quit
[CE2] cfm enable
[CE2] cfm md md3
[CE2-md-md3] ma ma3
Step 2 Configure CE2 to receive DMM frames.
# Configure CE2.
[CE2] cfm md md3
[CE2-md-md3] ma ma3
[CE2-md-md3-ma-ma3] delay-measure two-way receive
[CE2-md-md3] quit
Step 3 Enable two-way frame delay measurement.
# Configure CE1.
[CE1] cfm md md3
[CE1-md-md3] ma ma3
[CE1-md-md3-ma-ma3] delay-measure two-way remote-mep mep-id 4 interval 10000 count
20
[CE1-md-md3] quit

# After the configuration is complete, run the display y1731 statistics-type twoway-delay md
md3 ma ma3 command. You can see the statistics about the two-way frame delay.
<CE1> display y1731 statistic-type twoway-delay md md3 ma ma3
Latest two-way delay statistics:
--------------------------------------------------------------------------------
Index Delay(usec) Delay variation(usec)
--------------------------------------------------------------------------------
1 0 -
2 0 0
3 0 0
4 0 0
5 0 0
6 0 0
7 0 0
8 0 0
9 0 0
10 0 0
--------------------------------------------------------------------------------
Average delay(usec) : 0 Average delay variation(usec) : 0
Maximum delay(usec) : 0 Maximum delay variation(usec) : 0
Minimum delay(usec) : 0 Minimum delay variation(usec) : 0
----End
Configuration Files
#
sysname CE1
#
vlan batch 2
#
cfm enable
#
#
cfm md md3
ma ma3
map vlan 2
remote-mep mep-id 4
#
return
#
sysname CE2
#
vlan batch 2
#
cfm enable
#
#
cfm md md3
ma ma3
map vlan 2


remote-mep mep-id 3
delay-measure two-way receive
#
return
9.11.3 Example for Configuring AIS
AIS is used to prevent a MEP in an MD of a higher level from sending the same trap as that sent
by a MEP in an MD of a lower level to the NMS.
As shown in Figure 9-45, CE1 is connected to PE1 and CE2 is connected to PE2 through sub-
interfaces. A VLAN is created between PEs.
AIS is configured on PEs and alarm suppression is enabled on CEs. In MD nesting scenarios, if
a MEP in a low-level MD detects a fault, the MEP sends a trap to the NMS. After a certain
period, a MEP in the MD of a higher level also detects the fault and sends the same trap to the
NMS. In this case, the MEP in the MD of a higher level must be prevented from sending the
same trap to the NMS.
Figure 9-45 Configuring AIS
CE1 PE1 PE2 CE2

GE0/0/1 GE0/0/2 GE0/0/1
GE0/0/1 GE0/0/2 GE0/0/1
MD2 Level 3
MD1 Level 6
1. Add PEs to an MD, add each PE and its attached CE to an MD, and ensure that the level
of the MD to which the PEs belong is lower than that to which each PE and its attached CE
belong so that the MEP in the MD of a higher level is suppressed from sending the same
trap to the NMS.
2. Configure alarm suppression to suppress MEPs in MDs of different levels from sending
the same trap to the NMS.
Procedure
Step 1 Configure VLANs.

Configure a VLAN between PE1 and PE2. The configuration details are not mentioned here.
For details, see 3.2 VLAN Configuration in the S2300&S3300 Series Ethernet Switches
Configuration Guide - LAN Configuration or configuration files in this configuration example.
Step 2 Configure basic Ethernet CFM functions.
Configure basic Ethernet CFM functions on each PE. Specify CFM version as IEEE Standard
# Configure PE1.
[PE1] cfm enable
[PE1] cfm md md1 level 3
[PE1-md-md1] ma ma1
[PE1-md-md1] quit
# Configure PE2.
[PE2] cfm enable
[PE2] cfm md md1 level 3
[PE2-md-md1] ma ma1
[PE2-md-md1] quit
802.1ag-2007, and create an MD named md2 and an MA named ma2.
# Configure CE1.
[CE1-GigabitEthernet0/0/1] port trunk allow-pass vlan 10
[CE1] cfm enable
[CE1] cfm md md2 level 6
[CE1-md-md2] ma ma2
[CE1-md-md2] quit
# Configure CE2.
[CE2-GigabitEthernet0/0/1] port trunk allow-pass vlan 10
[CE2] cfm enable
[CE2] cfm md md2 level 6
[CE2-md-md2] ma ma2
[CE2-md-md2] quit

Step 3 Create an outward-facing MEP on the AC interface of each PE.

# Configure PE1.
[PE1] cfm md md1
[PE1-md-md1] ma ma1
[PE1-md-md1] quit
# Configure PE2.
[PE2] cfm md md1
[PE2-md-md1] ma ma1
[PE2-md-md1] quit
Step 4 Create an outward-facing MEP on each CE.

# Configure CE1.
[CE1] cfm md md2
[CE1-md-md2] ma ma2
[CE1-md-md2-ma-ma2] ccm-interval 10000
[CE1-md-md2-ma-ma2] remote-mep ccm-receive enable
[CE1-md-md2] quit
# Configure CE2.
[CE2] cfm md md2
[CE2-md-md2] ma ma2
[CE2-md-md2-ma-ma2] ccm-interval 10000
[CE2-md-md2-ma-ma2] remote-mep ccm-receive enable
[CE2-md-md2] quit
Step 5 Configure AIS.

# Configure PE1.
[PE1] cfm md md1
[PE1-md-md1] ma ma1
[PE1-md-md1-ma-ma1] ais enable
[PE1-md-md1-ma-ma1] ais link-status interface gigabitethernet 0/0/2
[PE1-md-md1-ma-ma1] ais level 6
[PE1-md-md1-ma-ma1] ais interval 1
[PE1-md-md1-ma-ma1] ais vlan vid 10 mep 31
[PE1-md-md1] quit
# Configure PE2.
[PE2] cfm md md1
[PE2-md-md1] ma ma1
[PE2-md-md1-ma-ma1] ais enable
[PE2-md-md1-ma-ma1] ais link-status interface gigabitethernet 0/0/2
[PE2-md-md1-ma-ma1] ais level 6

[PE2-md-md1-ma-ma1] ais interval 1

[PE2-md-md1-ma-ma1] ais vlan vid 10 mep 32
[PE2-md-md1] quit
Step 6 Enable alarm suppression.

# Configure CE1.
[CE1] cfm md md2
[CE1-md-md2] ma ma2
[CE1-md-md2-ma-ma2] ais enable
[CE1-md-md2-ma-ma2] ais suppress-alarm
[CE1-md-md2] quit
# Configure CE2.
[CE2] cfm md md2
[CE2-md-md2] ma ma2
[CE2-md-md2-ma-ma2] ais enable
[CE2-md-md2-ma-ma2] ais suppress-alarm
[CE2-md-md2] quit

If a fault occurs in the VLAN between PE1 and PE2 after the preceding configuration is
complete, run the display cfm ma md md1 ma ma1 command on PE1. The value of the Sending
Ais Packet field is displayed as Yes in the command output. Run the display cfm ma md md2
ma ma2 command on CE1. The value of the Suppressing Alarms field is displayed as Yes in
the command output.
[PE1] display cfm ma md md1 ma ma1
The total number of MAs is 1
MD Name : md1
MD Name Format : string
Level : 3
MIP Create-type : none
SenderID TLV-type : defer
MA Name : ma1
MA Name Format : string
Interval : 1000
Priority : 4
Vlan ID : 2
VSI Name : --
L2VC ID : --
MEP Number : 31
RMEP Number : 32
Suppressing Alarms : No
Sending Ais Packet : Yes
Interface TLV : disabled
[CE1] display cfm ma md md2 ma ma2
The total number of MAs is 1
MD Name : md2
MD Name Format : string
Level : 6
MIP Create-type : none
SenderID TLV-type : defer
MA Name : ma2
MA Name Format : string
Interval : 10000
Priority : 4
Vlan ID : 10
VSI Name : --
L2VC ID : --
MEP Number : 61
RMEP Number : 62
Suppressing Alarms : Yes

Sending Ais Packet : NO

Interface TLV : disabled
----End
Configuration Files
#
sysname PE1
#
vlan batch 2
#
cfm enable
#
#
cfm md md1 level 3
ma ma1
map vlan 2
mep ccm-send enable
remote-mep mep-id 32
remote-mep ccm-receive enable
ais enable
ais link-status interface GigabitEthernet0/0/2
ais level 6
ais interval 1
ais vlan vid 10 mep 31
#
return

#
sysname PE2
#
vlan batch 2
#
cfm enable
#
#
cfm md md1 level 3
ma ma1
map vlan 2
mep ccm-send enable
ais enable
ais link-status interface GigabitEthernet0/0/2
ais level 6
ais interval 1
ais vlan vid 10 mep 32
#
return

#
sysname CE1
#
vlan batch 10

#
cfm enable
#
#
cfm md md2 level 6
ma ma2
map vlan 10
ccm-interval 10000
mep ccm-send enable
ais enable
ais suppress-alarm
#
return

#
sysname CE2
#
vlan batch 10
#
cfm enable
#
#
cfm md md2 level 6
ma ma2
map vlan 10
ccm-interval 10000
mep ccm-send enable
ais enable
ais suppress-alarm
#
return

Typical Configuration Examples 10 Configuration Guide - Device Management
10 Configuration Guide - Device

Management
About This Chapter
This document describes procedures and provides examples for configuring the Device
Management features of the device.
10.1 Energy-saving Management
You can configure the energy-saving management function to reduce device power consumption
and save energy.
10.2 Information Center Configuration
The information center works as the information hub. It records system running information in
real time, which helps the network administrator and developers to monitor network operation
and analyze network faults.
10.3 USB-based Deployment Configuration
USB-based deployment simplifies the deployment process, reduces the deployment costs, and
relieves users from software commissioning.
10.4 NAP Configuration
Neighbor Access Protocol (NAP) is designed for implementing remote deployment of
unconfigured devices.
10.5 Mirroring Configuration
Packet mirroring copies packets to a specified destination so that you can ayalyze packets to
monitor the network and rectify faults.
10.6 PoE Configuration
PDs, such as wireless telephones and APs, are provided with power when the devices are
configured with PoE.
10.7 iStack Configuration
Multiple switches set up a stack to improve data forwarding capabilities and network reliability.

10.1 Energy-saving Management

You can configure the energy-saving management function to reduce device power consumption
and save energy.
10.1.1 Example for Configuring ALS
As shown in Figure 10-1, GigabitEthernet0/0/1 on SwitchA connects to GigabitEthernet0/0/1
on SwitchB through optical fibers.
When a link fails, the laser on the optical module is required to automatically stop sending pulses
and recover pulse sending after the link is recovered.
Figure 10-1 Networking diagram for configuring ALS

GE0/0/1 GE0/0/1
SwitchA SwitchB
1. Enable ALS on the interface so that the laser automatically stops sending pulses when a
link fails.
2. Set the restart mode of the laser to automatic restart mode so that the laser sends pulses
again after the link is recovered.
Procedure
Step 1 Configure ALS on the interface and the restart mode of the laser.
# Enable ALS on interfaces GigabitEthernet0/0/1 of SwitchA and set the restart mode of the
laser to automatic restart.
[SwitchA-GigabitEthernet0/0/1] als enable
[SwitchA-GigabitEthernet0/0/1] undo als restart mode manual
# Enable ALS on interfaces GigabitEthernet0/0/1 of SwitchB and set the restart mode of the
laser to automatic restart.
[SwitchB-GigabitEthernet0/0/1] als enable
[SwitchB-GigabitEthernet0/0/1] undo als restart mode manual


# Check ALS configurations on interfaces of SwitchA and SwitchB.
<SwitchA> display als configuration interface gigabitethernet 0/0/1
-------------------------------------------------------------------------------
Interface ALS Laser Restart Interval(s) Width(s)
Status Status Mode
-------------------------------------------------------------------------------
GigabitEthernet0/0/1 Enable On Auto 100 2
-------------------------------------------------------------------------------
<SwitchB> display als configuration interface gigabitethernet 0/0/1
-------------------------------------------------------------------------------
Interface ALS Laser Restart Interval(s) Width(s)
Status Status Mode
-------------------------------------------------------------------------------
GigabitEthernet0/0/1 Enable On Auto 100 2
-------------------------------------------------------------------------------
----End
Configuration file
#
sysname SwitchA
#
als enable
#
return
#
sysname SwitchB
#
als enable
#
return
10.2 Information Center Configuration

The information center works as the information hub. It records system running information in
real time, which helps the network administrator and developers to monitor network operation
and analyze network faults.
10.2.1 Example for Outputting Logs to a Log Host

As shown in , SwitchA connects to four log hosts. Log hosts are required to have reliability and
receive logs of different types so that the network administrator can monitor logs generated by
different modules on SwitchA.

Figure 10-2 Networking diagram for outputting logs to a log host

10.1.1.2/24 10.1.1.1/24
Server 3 Server1
VLANIF100
172.16.0.1/24
Ethernet0/0/1
SwitchA
Server 4 Server 2
10.2.1.2/24 10.2.1.1/24
1. Enable the information center.
2. Configure SwitchA to send logs of notification generated by the ARP module to Server1,
and specify Server3 as the backup of Server1. Configure SwitchA to send logs of warning
generated by the AAA module to Server2, and specify Server4 as the backup of Server2.
3. Configure the log host on the server so that the network administrator can receive logs
generated by SwitchA on the log host.
Procedure
Step 1 Enable the information center.
[SwitchA] info-center enable
Step 2 Configure a channel and a rule for outputting logs to a log host.
# Name a channel.
[SwitchA] info-center channel 6 name loghost1
[SwitchA] info-center channel 7 name loghost2
# Configure a channel for outputting logs to a log host.

[SwitchA] info-center loghost 10.1.1.1 channel loghost1
# Configure a rule for outputting logs to a log host.

[SwitchA] info-center source arp channel loghost1 log level notification
[SwitchA] info-center source aaa channel loghost2 log level warning
Step 3 Configure an IP address for the interface that sends log information.
[SwitchA] vlan 100

Step 4 Configure the log host on the server.

The Switch can generate many logs, which may exceed the limited storage space of the
Switch. To address this problem, configure a log server to store all the logs.
The log host can run the Unix or Linux operating system or run third-party log software. For
details about the configuration procedure, see the relevant documentation.
# View the configuration of the log host.
<SwitchA> display info-center
Information Center:enabled
Log host:
10.1.1.1, channel number 6, channel name loghost1,
language English , host facility local7
Console:
channel number : 0, channel name : console
Monitor:
channel number : 1, channel name : monitor
SNMP Agent:
channel number : 5, channel name : snmpagent
Log buffer:
enabled,max buffer size 1024, current buffer size 512,
current messages 26, channel number : 4, channel name : logbuffer
dropped messages 0, overwritten messages 0
Trap buffer:
current messages 11, channel number:3, channel name:trapbuffer
Information timestamp setting:
log - date, trap - date, debug - date
Sent messages = 273456, Received messages = 284845
IO Reg messages = 2 IO Sent messages = 11389
----End
Configuration Files
#
sysname SwitchA
#
info-center channel 6 name loghost1
info-center channel 7 name loghost2
info-center source ARP channel 6 log level notification
info-center source AAA channel 7 log level warning
info-center loghost 10.1.1.1 channel 6
#
vlan batch 100
#

interface Vlanif100
ip address 172.16.0.1 255.255.255.0
#
#
return
10.2.2 Example for Outputting Traps to the SNMP Agent

As shown in Figure 10-3, SwitchA connects to the NMS station. There is a reachable route
between SwitchA and the NMS station. The network administrator wants to view traps of ARP
module generated by SwitchA on the NMS station to monitor device running and locate faults.
Figure 10-3 Networking diagram for outputting traps to the SNMP agent
NM Station SwitchA
10.1.1.1/24 10.1.1.2/24
2. Configure a channel and a rule for outputting traps to the SNMP agent so that the SNMP
agent can receive traps generated by SwitchA.
3. Configure SwitchA to output traps to the NMS station so that the NMS station can receive
traps generated by SwitchA.
Procedure
Step 1 Configure the VLAN to which the interface connected to the NMS station belongs to. The
configuration details are not mentioned here.
Step 2 Assign an IP address to each VLANIF interface. The configuration details are not mentioned
here.
Step 4 Configure a channel and a rule for outputting traps to the SNMP agent.
# Configure a channel for outputting traps to the SNMP agent.
[SwitchA] info-center snmp channel channel7
# Configure a rule for outputting traps to the SNMP agent.

[SwitchA] info-center source arp channel channel7 trap level informational state on
NOTE
By default, the device uses the SNMP agent to output traps of all modules.
Step 5 Configure the SNMP agent to output traps to the NMS station.
# Enable the SNMP agent and set the SNMP version to SNMPv2c.
[SwitchA] snmp-agent sys-info version v2c
# Configure the trap function.

[SwitchA] snmp-agent trap enable
Warning: All switches of SNMP trap/notification will be open. Continue? [Y/N]:y
[SwitchA] snmp-agent target-host trap address udp-domain 10.1.1.1 params
securityname public v2c
[SwitchA] quit

# View the channel used by the SNMP agent to output traps.
<SwitchA> display info-center
Information Center:enabled
Log host:
Console:
channel number : 0, channel name : console
Monitor:
channel number : 1, channel name : monitor
SNMP Agent:
channel number : 7, channel name : channel7
Log buffer:
current messages 512, channel number : 4, channel name : logbuffer
Trap buffer:
current messages 185, channel number:3, channel name:trapbuffer
Information timestamp setting:
log - date, trap - date, debug - date
Sent messages = 273514, Received messages = 284905
IO Reg messages = 2 IO Sent messages = 11392
# View traps output through the channel used by the SNMP agent.
<SwitchA> display channel 7
channel number:7, channel name:channel7
MODU_ID NAME ENABLE LOG_LEVEL ENABLE TRAP_LEVEL ENABLE DEBUG_LEVEL
ffff0000 default Y debugging Y debugging N debugging
416e0000 ARP Y debugging Y informational N debugging
# View traps output to the NMS station by the SNMP agent.

<SwitchA> display snmp-agent target-host
Target-host NO. 1
-----------------------------------------------------------
IP-address : 10.1.1.1
Source interface : -
VPN instance : -
Security name : public
Port : 162
Type : trap
Version : v2c
Level : No authentication and privacy
NMS type : NMS

With ext-vb : No
-----------------------------------------------------------
----End
Configuration Files
#
sysname SwitchA
#
vlan batch 2
#
interface Vlanif2
ip address 10.1.1.2 255.255.255.0
#
#
info-center source ARP channel 7 trap level informational
info-center snmp channel 7
#
snmp-agent
snmp-agent local-engineid 000007DB7FFFFFFF00003B4C
snmp-agent sys-info version v2c v3
snmp-agent target-host trap address udp-domain 10.1.1.1 params securityname public
v2c
snmp-agent trap enable
#
return
10.2.3 Example for Outputting Traps to the Console
As shown in Figure 10-4, the PC connects to SwitchA through a console interface. It is required
that debugging messages of the ARP module be displayed on the PC.
Figure 10-4 Networking diagram for outputting debugging messages to the console
Console
SwitchA PC

2. Configure a channel and a rule for outputting debugging messages to the console so that
the console can receive debugging messages generated by SwitchA.
3. Enable terminal display so that users can use the terminal to view debugging messages
generated by SwitchA.

Procedure
Step 2 Configure a channel and a rule for outputting debugging messages to the console.
# Configure a channel for outputting debugging messages to the console.
[SwitchA] info-center console channel console
# Configure a rule for outputting debugging messages to the console.

[SwitchA] info-center source arp channel console debug level debugging state on
[SwitchA] quit
Step 3 Enable terminal display.

Info: Current terminal monitor is on.
Info: Current terminal debugging is on.
Step 4 Debug the ARP module.

<SwitchA> debugging arp packet

# View debugging message output.
<SwitchA> display channel 0
channel number:0, channel name:console
MODU_ID NAME ENABLE LOG_LEVEL ENABLE TRAP_LEVEL ENABLE DEBUG_LEVEL
ffff0000 default Y warning Y debugging Y debugging
416e0000 ARP Y warning Y debugging Y debugging
----End
Configuration Files
#
sysname SwitchA
#
info-center source ARP channel 0
#
return
10.3 USB-based Deployment Configuration

USB-based deployment simplifies the deployment process, reduces the deployment costs, and
relieves users from software commissioning.

10.3.1 Example for Configuring Auto-Config on the Same Network

Segment
As shown in Figure 10-5, in the network deployment for a residential community, the
aggregation device SwitchD is connected to new Switches (such as SwitchA, SwitchB, and
SwitchC) on each layer of buildings in the residential community.
Users want to load the same system software, patch file, and configuration file on all the
Switchs on layers. Besides, to save manpower costs and deployment time of many Switches, the
Switches are required to be automatically configured with the same configuration.
Figure 10-5 Configuring Auto-Config on the Same Network Segment
VLAN10
SwitchA Eth
0/0
/ 1 Eth0/0/4
Eth0/0/2 VLAN20
3
0 /0/ SwitchD
SwitchB Et h PC
DHCP Server FTP Server
SwitchC
1. Directly connect the user PC to SwitchD and configure the PC as an FTP server.
2. Place the configuration file, system software, and patch file to be loaded to the working
directory of the FTP server to ensure that SwitchA, SwitchB, and SwitchC can obtain files
to be loaded.
3. Configure SwitchD as the DHCP server to provide network configurations to SwitchA,
SwitchB, and SwitchC. Configure information about the system software, patch file, and
configuration file in Option 67 and Option 145 because the same files are to be loaded on
all the Switches.
4. Power on SwitchA, SwitchB, and SwitchC, so that the configuration file, system software,
and patch file are automatically loaded using auto-config.
NOTE
l By default, auto-config is enabled on a Switch.

Procedure
Step 1 Configuring the FTP server
# Configure the FTP server IP address, user name, password, and working directory.
As shown in Figure 10-6, run an FTP server program on the PC, for example, wftpd32. Choose
Security > Users/rights. Click New User in the displayed dialog box to set the user name to
user and password to huawei. Enter the FTP working directory in the Home Directory: text
box to set working directory to D:\autoconfig. Click Done to finish the setting and close the
dialog box. Set the PC IP address to 192.168.1.6 and mask to 255.255.255.0.
Figure 10-6 Configuring the FTP server
Step 2 Upload the system software, configuration file, and patch file to the FTP server working directory
D:\autoconfig. Procedures for uploading the files are not mentioned here
Step 3 Configuring the DHCP server
[Quidway] sysname DHCP Server
[DHCP Server] dhcp enable
[DHCP Server] vlan batch 10 20
[DHCP Server] interface ethernet 0/0/1
[DHCP Server-Ethernet0/0/1] port hybrid pvid vlan 10
[DHCP Server-Ethernet0/0/1] port hybrid untagged vlan 10
[DHCP Server-Ethernet0/0/1] quit
[DHCP Server] interface vlanif 10
[DHCP Server-Vlanif10] ip address 192.168.2.6 255.255.255.0
[DHCP Server-Vlanif10] dhcp select global
[DHCP Server-Vlanif10] quit
[DHCP Server] ip pool auto-config
[DHCP Server-ip-pool-auto-config] network 192.168.2.0 mask 255.255.255.0

[DHCP Server-ip-pool-auto-config] gateway-list 192.168.2.6

[DHCP Server-ip-pool-auto-config] option 67 ascii s_V100R006C05.cfg
[DHCP Server-ip-pool-auto-config] option 141 ascii user
[DHCP Server-ip-pool-auto-config] option 142 ascii huawei
[DHCP Server-ip-pool-auto-config] option 143 ip-address 192.168.1.6
[DHCP Server-ip-pool-auto-config] option 145 ascii
vrpfile=s_V100R006C05.cc;vrpver=V100R006C05;patchfile=s_V100R006C05.pat;
[DHCP Server-ip-pool-auto-config] quit
Step 4 Power on SwitchA, SwitchB, and SwitchC, and run the Auto-config process
# After auto-config is finished, log in to the Switches to be configured and run the display
startup command to view the system software, configuration file, and patch file for the startup
of the Switch. SwitchA is used as an example.
MainBoard:
Configured startup system software: flash:/s_V100R006C05.cc
Startup system software: flash:/s_V100R006C05.cc
Next startup system software: flash:/s_V100R006C05.cc
Startup saved-configuration file: flash:/s_V100R006C05.cfg
Next startup saved-configuration file: flash:/s_V100R006C05.cfg
Startup patch package: flash:/s_V100R006C05.pat
Next startup patch package: flash:/s_V100R006C05.pat
----End
Configuration Files
Configuration file of the DHCP server
#
sysname DHCP Server
#
vlan batch 10 20
#
dhcp enable
#
ip pool auto-config
network 192.168.2.0 mask 255.255.255.0
option 67 ascii s_V100R006C05.cfg
option 141 ascii user
option 142 ascii huawei
option 143 ip-address 192.168.1.6
option 145 ascii
vrpfile=s_V100R006C05.cc;vrpver=V100R006C05;patchfile=s_V100R006C05.pat;
#
interface Vlanif10
ip address 192.168.2.6 255.255.255.0
dhcp select global
#
interface Vlanfi20
ip address 192.168.1.1 255.255.255.0
#
#

#
#
#
return
10.3.2 Example for Configuring Auto-Config on Different Network

Segments
As shown in Figure 10-7, in the network deployment for branches of an enterprise, the new
SwitchA, SwitchB, and SwitchC are connected to Eth0/0/1, Eth0/0/2, and Eth0/0/3 on
SwitchD respectively. SwitchD functions as the egress gateway of the branches and is connected
to the headquarters across the Layer 3 network.
Users want to load different system software, patch files, and configuration files on SwitchA,
SwitchB, and SwitchC. Besides, to save manpower costs, users want the Switches to be
automatically configured with different configurations.
Information about SwitchA, SwitchB, SwitchC, and files to be loaded is as follows:

l SwitchA: The MAC address is 0025-9e1e-773b, the name of the system software to be
loaded is auto_V100R006C05.cc, the version is V100R006C05, the patch file is
auto_V100R006C05.pat, and the configuration file is auto_V100R006C05.cfg.
l SwitchB: The MAC address is 0025-9e1e-773c, the name of the system software to be
loaded is auto_V100R006C03.cc, the version is V100R006C03, the patch file is
auto_V100R006C03.pat, and the configuration file is auto_V100R006C03.cfg.
l SwitchC: The MAC address is 0025-9e1e-773d, the name of the system software to be
loaded is auto_V100R006C00.cc, the version is V100R006C00, the version is
V100R006C00, the patch file is auto_V100R006C00.pat, and the configuration file is
auto_V100R006C00.cfg.
Figure 10-7 Configuring Auto-Config on Different Network Segments
Branches
SwitchA Headquarters
Eth0/0/1-3
Eth0/0/1 Eth0/0/2
Network
Switch SwitchD
SwitchE PC
B DHCP relay
DHCP server FTP server
agent
SwitchC

1. Directly connect the user PC to SwitchE and configure the PC as an FTP server.
2. Configure an intermediate file so that SwitchA, SwitchB, and SwitchC can obtain
configuration files, system software, and patch files through the intermediate file.
3. Place the intermediate file, configuration files, system software, and patch files to be loaded
to the working directory of the FTP server to ensure that Switches to be configured can
obtain files to be loaded.
4. Configure the branch gateway SwitchD as the DHCP relay agent and configure SwitchE
in the headquarters as the DHCP server so that the DHCP server can deliver network
configurations to Switches to be configured on different network segments.
5. Power on SwitchA, SwitchB, and SwitchC so that configuration files, system software, and
patch files are automatically loaded using auto-config.
NOTE
l By default, auto-config is enabled on a Switch.
Procedure
Step 1 Configuring the FTP server
# Configure the FTP server IP address, user name, password, and working directory.
As shown in Figure 10-8, run an FTP server program on the PC, for example, wftpd32. Choose
Security > Users/rights. Click New User in the displayed dialog box to set the user name to
user and password to huawei. Enter the FTP working directory in the Home Directory: text
box to set working directory to D:\autoconfig. Click Done to finish the setting and close the
dialog box. Set the PC IP address to 192.168.4.6 and mask to 255.255.255.0.
Figure 10-8 Configuring the FTP server
Step 2 Configuring an intermediate file lswnet.cfg

# Create a text file named lswnet.cfg. The contents and format of the intermediate file are as
follows:
MAC=0025-9e1e-773b;vrpfile=auto_V100R006C05.cc;vrpver=V100R006C05;patchfile=auto_V
100R006C05.pat;cfgfile=auto_V100R006C05.cfg;

MAC=0025-9e1e-773c;vrpfile=auto_V100R006C03.cc;vrpver=V100R006C03;patchfile=auto_V
MAC=0025-9e1e-773d;vrpfile=auto_V100R006C00.cc;vrpver=V100R006C00;patchfile=auto_V
Step 3 Upload the intermediate file, system software, configuration file, and patch file to the FTP server
working directory D:\autoconfig. Procedures for upload the files are not mentioned here
Step 4 Configuring SwitchD

# Configure SwitchD as the DHCP relay agent.
[Quidway] sysname DHCP Relay
[DHCP Relay] dhcp enable
[DHCP Relay] vlan 10
[DHCP Relay-vlan10] quit
[DHCP Relay] interface ethernet 0/0/1
[DHCP Relay-Ethernet0/0/1] port hybrid pvid vlan 10
[DHCP Relay-Ethernet0/0/1] port hybrid untagged vlan 10
[DHCP Relay-Ethernet0/0/1] quit
[DHCP Relay] interface vlanif 10
[DHCP Relay-Vlanif10] ip address 192.168.1.6 255.255.255.0
[DHCP Relay-Vlanif10] dhcp select relay
[DHCP Relay-Vlanif10] dhcp relay server-ip 192.168.2.6
[DHCP Relay-Vlanif10] quit
# Configure a static route on SwitchD. The destination IP address of the static route is the PC
IP address and the next hop is the IP address of an interface on a Layer 3 device directly connected
to SwitchD.
Step 5 Configuring SwitchE

# Configure SwitchE as the DHCP server.
[Quidway] sysname DHCP Server
[DHCP Server] dhcp enable
[DHCP Server] vlan batch 20 30
[DHCP Server-Ethernet0/0/1] port link-type trunk
[DHCP Server-Ethernet0/0/1] port trunk allow-pass vlan 20
[DHCP Server-Vlanif20] dhcp select global
[DHCP Server] ip pool auto-config
[DHCP Server-ip-pool-auto-config] network 192.168.1.0 mask 255.255.255.0
[DHCP Server-ip-pool-auto-config] gateway-list 192.168.1.6
[DHCP Server-ip-pool-auto-config] option 141 ascii user
[DHCP Server-ip-pool-auto-config] option 142 ascii huawei
[DHCP Server-ip-pool-auto-config] option 143 ip-address 192.168.4.6
[DHCP Server-ip-pool-auto-config] option 146 ascii
opervalue=1;delay=0;netfile=lswnet.cfg;
[DHCP Server-ip-pool-auto-config] quit

# Configure a static route on SwitchE. The destination IP address of the static route is the IP
address pool segment and the next hop is the IP address of an interface on a Layer 3 device
directly connected to SwitchE.
Step 6 Power on SwitchA, SwitchB, and SwitchC, and run the Auto-config process
# After auto-config is finished, log in to the Switches to be configured and run the display
startup command to view the system software, configuration file, and patch file for the startup
of the Switch. SwitchC is used as an example.
MainBoard:
Configured startup system software: flash:/auto_V100R006C00.cc
Startup system software: flash:/auto_V100R006C00.cc
Next startup system software: flash:/auto_V100R006C00.cc
Startup saved-configuration file: flash:/auto_V100R006C00.cfg
Next startup saved-configuration file: flash:/auto_V100R006C00.cfg
Startup patch package: flash:/auto_V100R006C00.pat
Next startup patch package: flash:/auto_V100R006C00.pat
----End
Configuration Files
l Configuration file of the DHCP relay agent
#
sysname DHCP Relay
#
vlan batch 10
#
dhcp enable
#
interface Vlanif10
ip address 192.168.1.6 255.255.255.0
dhcp select relay
dhcp relay server-ip 192.168.2.6
#
#
#
#
return
l Configuration file of the DHCP server

#
sysname DHCP Server
#
vlan batch 20 30
#
dhcp enable
#
ip pool auto-config

network 192.168.1.0 mask 255.255.255.0

option 141 ascii user
option 142 ascii huawei
option 143 ip-address 192.168.4.6
option 146 ascii opervalue=1;delay=0;netfile=lswnet.cfg;
#
interface Vlanif20
ip address 192.168.2.6 255.255.255.0
dhcp select global
#
interface Vlanif30
ip address 192.168.4.1 255.255.255.0
#
#
#
return
10.4 NAP Configuration

Neighbor Access Protocol (NAP) is designed for implementing remote deployment of
unconfigured devices.
10.4.1 Example for Configuring NAP-based Remote Deployment
As shown in Figure 10-9, SwitchC and SwitchB are directly connected, but they are located at
equipment rooms far away from each other. SwitchC is a new device on the network and does
not load any configuration file while SwitchB is an existing device on the network.
You want to implement remote deployment for SwitchC on SwitchB to reduce network operation
and maintenance costs.
Figure 10-9 Networking diagram of configuring NAP-based remote deployment
GE0/0/1
Internet
PC SwitchA SwitchB SwitchC
1. Set interface Ethernet0/0/1 of SwitchB to a master NAP interface to establish NAP neighbor
relationship between SwitchB and SwitchC.
2. Use Telnet to log in to SwitchC from SwitchB to configure remote deployment.

3. Disable NAP for all interfaces of SwitchC.
Procedure
Step 1 Set an interface to a master NAP interface.
# Set interface Ethernet0/0/1 on SwitchB to a master NAP interface.

[SwitchB-Ethernet0/0/1] nap port master
# Run the display nap interface command on SwitchB to check whether a NAP neighbor
relationship has been established and whether IP addresses have been assigned to the master and
slave interfaces.
[SwitchB-Ethernet0/0/1] display nap interface
------------------------------------------------------
NAP master port list
Port count : 1
------------------------------------------------------
Port property : Master
Current status : IP-ASSIGNED
Local port : Ethernet0/0/1
Peer port : Ethernet0/0/1
Local IP : 10.167.253.1
Peer IP : 10.167.253.2
Hello time : 3s
Linked time : 00:00:26
------------------------------------------------------
Step 2 Log in to the slave device.
# Log in to SwitchC from SwitchB.

[SwitchB-Ethernet0/0/1] nap login neighbor
Trying 10.167.253.2 ...
Connected to 10.167.253.2 ...
An initial password is required for the first login via the vty user-interface.
Set a password and keep it safe! Otherwise you will not be able to login via the
vty user-interface.
Please configure the login password (6-16)

Enter Password:
Confirm Password:
The current login time is 2012-08-12 05:35:19+08:00.
<Quidway>
Step 3 Configure deployment on the slave device.
After logging in to SwitchC, you can configure deployment on SwitchC. It is recommended that
you set the IP address, user name, and password and enable the Telnet service on SwitchC so
that you can use Telnet to directly log in to SwitchC.
Step 4 Log in to SwitchC using the configured IP address, user name, and password to disable NAP on
the slave device.
# Disable NAP for all interfaces of SwitchC.


[SwitchC] undo nap slave enable

Warning: The operation will close NAP slave. Continue? [Y/N]:y
----End
Configuration File
None
10.5 Mirroring Configuration

Packet mirroring copies packets to a specified destination so that you can ayalyze packets to
monitor the network and rectify faults.
NOTE
The terms mirrored port, port mirroring, traffic mirroring, and mirroing in this manual are mentioned only
to describe the product's function of communication error or failure detection, and do not involve collection
or processing of any personal information or communication data of users.
10.5.1 Example for Configuring Local Port Mirroring
As shown in Figure 10-10, HostA is connected to GigabitEthernet0/0/1 on SwitchA, and Server
is directly connected to GigabitEthernet0/0/2 on SwitchA.
Users want to use the monitoring device (Server) to monitor packets sent from HostA.
Figure 10-10 Networking diagram of local port mirroring

GE0/0/1 GE0/0/2
HostA SwitchA Server
1. Configure GigabitEthernet0/0/2 on SwitchA as the local observing port so that Server can
receive mirrored packets.
2. Configure GigabitEthernet0/0/1 on SwitchA as the mirrored port to monitor packets passing
through the mirrored port.
Procedure
Step 1 Configure an observing port.
# Configure GigabitEthernet0/0/2 on SwitchA as the local observing port.

[SwitchA] observe-port 1 interface gigabitethernet 0/0/2

Step 2 Configure a mirrored port.

# Configure GigabitEthernet0/0/1 on SwitchA as the mirrored port to monitor packets sent from
HostA.
[SwitchA-GigabitEthernet0/0/1] port-mirroring to observe-port 1 inbound

# Check the observing port configuration.
<SwitchA> display observe-port
---------------------------------------------------------------------------
Index : 1
Interface: GigabitEthernet0/0/2
Used : 1
-----------------------------------------------------------------
# Check the mirrored port configuration.

<SwitchA> display port-mirroring
Port-mirror:
----------------------------------------------------------------------
Mirror-port Direction Observe-port
----------------------------------------------------------------------
GigabitEthernet0/0/1 Inbound GigabitEthernet0/0/2
----------------------------------------------------------------------
----End
Configuration Files
#
sysname SwitchA
#
observe-port 1 interface GigabitEthernet0/0/2
#
port-mirroring to observe-port 1 inbound
#
return
10.5.2 Example for Configuring Layer 2 Remote Port Mirroring
is connected to GigabitEthernet0/0/1 on SwitchC. SwitchA and SwitchC are connected over a
Layer 2 network.
Users want to use the monitoring device (Server) to remotely monitor packets sent from HostA.

Figure 10-11 Networking diagram of Layer 2 remote port mirroring

SwitchB
VLAN2 VLAN2
GE0/0/1 GE0/0/2
SwitchA SwitchC
GE0/0/1 GE0/0/2
GE0/0/2 GE0/0/1
HostA Server
1. Configure ports so that devices can communicate on Layer 2.
2. Configure GigabitEthernet0/0/1 on SwitchA as the remote observing port so that mirrored
packets can be forwarded to Server over the Layer 2 network.
3. Configure GigabitEthernet0/0/2 on SwitchA as the mirrored port to monitor packets passing
through the mirrored port.
Procedure
Step 1 Configure ports so that devices can communicate on Layer 2.
[SwitchB] vlan 2

[SwitchC] vlan 2
[SwitchC-GigabitEthernet0/0/1] port link-type access
[SwitchC-GigabitEthernet0/0/1] port default vlan 2
[SwitchC-GigabitEthernet0/0/2] port trunk allow-pass vlan 2
Step 2 Configure a remote observing port.

# Configure GigabitEthernet0/0/1 on SwitchA as the remote observing port.
[SwitchA] observe-port 1 interface gigabitethernet 0/0/1 vlan 2
Step 3 Configure a mirrored port.

# Configure GigabitEthernet0/0/2 on SwitchA as the mirrored port.
[SwitchA-GigabitEthernet0/0/2] port-mirroring to observe-port 1 inbound

# Check the observing port configuration.
<SwitchA> display observe-port
----------------------------------------------------------------------
Index : 1
Interface: GigabitEthernet0/0/1
Used : 1
Vlan : 2
----------------------------------------------------------------------
# Check the mirrored port configuration.

Port-mirror:
----------------------------------------------------------------------
Mirror-port Direction Observe-port
----------------------------------------------------------------------
GigabitEthernet0/0/2 Inbound GigabitEthernet0/0/1
----------------------------------------------------------------------
----End
Configuration Files
#
sysname SwitchA
#
vlan batch 2 to 3
#
observe-port 1 interface GigabitEthernet0/0/1 vlan 2
#
#
port default vlan 3
port-mirroring to observe-port 1 inbound

#
return

#
sysname SwitchB
#
vlan batch 2
#
#
#
return

#
sysname SwitchC
#
vlan batch 2
#
port default vlan 2
#
#
return
10.5.3 Example for Configuring Local Traffic Mirroring
Users want to use the monitoring device (Server) to monitor packets with the 802.1p priority of
6 sent from HostA.
Figure 10-12 Networking diagram of local traffic mirroring

GE0/0/1 GE0/0/2
HostA SwitchA Server
1. Configure GigabitEthernet0/0/2 on SwitchA as the local observing port so that Server can
receive mirrored packets.
2. Configure a traffic classifier to match packets with the 802.1p priority of 6, and configure
a traffic behavior to mirror packets to the observing port.

3. Configure a traffic policy, bind the traffic classifier and traffic behavior to the traffic policy,
and apply the traffic policy on GigabitEthernet0/0/1.
Procedure
Step 1 Configure an observing port.
# Configure GigabitEthernet0/0/2 on SwitchA as the observing port.

Step 2 Configure a traffic classifier.
# Create a traffic classifier named c1 on SwitchA and set the traffic classification rule that only
packets with the 802.1p priority of 6 can be matched.
[SwitchA] traffic classifier c1
[SwitchA-classifier-c1] if-match 8021p 6
[SwitchA-classifier-c1] quit
Step 3 Configure a traffic behavior.
# Create a traffic behavior named b1 on SwitchA and configure it.

[SwitchA] traffic behavior b1
[SwitchA-behavior-b1] mirroring to observe-port 1
[SwitchA-behavior-b1] quit
Step 4 Configure a traffic policy and apply the traffic policy to the interface.
# Create a traffic policy named p1 on SwitchA, bind the traffic classifier and traffic behavior to
the traffic policy, and apply the traffic policy to the inbound direction of GigabitEthernet0/0/1
to monitor packets with the 802.1p priority of 6 sent from HostA.
[SwitchA] traffic policy p1
[SwitchA-trafficpolicy-p1] classifier c1 behavior b1
[SwitchA-trafficpolicy-p1] quit
[SwitchA-GigabitEthernet0/0/1] traffic-policy p1 inbound
[SwitchA] quit
# View the traffic classifier configuration.

<SwitchA> display traffic classifier user-defined c1
Classifier: c1
Operator: AND
Rule(s) : if-match 8021p 6
# View the traffic policy configuration.

<SwitchA> display traffic policy user-defined p1
Policy: p1
Classifier: c1
Operator: AND
Behavior: b1
Mirroring to observe-port 1
----End

Configuration Files
#
sysname SwitchA
#
#
traffic classifier c1 operator and
if-match 8021p 6
#
traffic behavior b1
mirroring to observe-port 1
#
traffic policy p1
classifier c1 behavior b1
#
traffic-policy p1 inbound
#
return
10.5.4 Example for Configuring Local VLAN Mirroring
As shown in Figure 10-13, HostA and HostB are respectively connected to GigabitEthernet0/0/1
and GigabitEthernet0/0/2 on SwitchA, and HostA and HostB both belong to VLAN 10. Server
Users want to use the monitoring device (Server) to monitor packets sent from all active ports
in VLAN 10.
Figure 10-13 Networking diagram of local VLAN mirroring
HostA
GE0/0/1
GE0/0/3
Server
GE0/0/2
SwitchA
HostB
1. Configure GigabitEthernet0/0/3 on SwitchA as the observing port so that Server can receive
mirrored packets.
2. Configure VLAN 10 as the mirrored VLAN.
Procedure
Step 1 Configure VLANs for the ports.

[SwitchA] vlan 10
Step 2 Configure GigabitEthernet0/0/3 as the observing port.

Step 3 Configure VLAN 10 as the mirrored VLAN.

[SwitchA] vlan 10
[SwitchA-vlan10] mirroring to observe-port 1 inbound
Step 4 Checking the Configuration

# Run the display port-mirroring command to check the VLAN mirroring configuration.
Vlan-mirror:
----------------------------------------------------------------------
Mirror-vlan Direction Observe-port
----------------------------------------------------------------------
10 Inbound GigabitEthernet0/0/3
----------------------------------------------------------------------
----End
Configuration Files
#
sysname SwitchA
#
vlan batch 10
#
#
vlan 10
mirroring to observe-port 1 inbound
#
#
#
return

10.5.5 Example for Configuring Local MAC Address Mirroring

As shown in Figure 10-14, HostA and HostB are respectively connected to GigabitEthernet0/0/1
and GigabitEthernet0/0/2 on SwitchA, and HostA and HostB both belong to VLAN 10. Server
Users want to monitor incoming packets with the source or destination MAC address of
0001-0001-0001 sent from VLAN 10.
Figure 10-14 Networking diagram of local MAC address mirroring
HostA
GE0/0/1
GE0/0/3
Server
GE0/0/2
SwitchA
HostB
1. Configure GigabitEthernet0/0/3 on SwitchA as the observing port so that Server can receive
mirrored packets.
2. Configure MAC address mirroring in VLAN 10 view.
Procedure
Step 1 Configure VLANs for the ports.
[SwitchA] vlan 10
Step 2 Configure GigabitEthernet0/0/3 as the observing port.

Step 3 Configure MAC address mirroring.

[SwitchA] vlan 10
[SwitchA-vlan10] mac-mirroring 0001-0001-0001 to observe-port 1 inbound
Step 4 Checking the Configuration

# Run the display port-mirroring command to check the MAC address mirroring configuration.

[SwitchA] display port-mirroring

Mac-mirror:
----------------------------------------------------------------------
Mirror-mac Vlan Direction Observe-port
----------------------------------------------------------------------
0001-0001-0001 10 Inbound GigabitEthernet0/0/3
----------------------------------------------------------------------
----End
Configuration Files
#
sysname SwitchA
#
vlan batch 10
#
#
vlan 10
mac-mirroring 0001-0001-0001 to observe-port 1 inbound
#
#
#
return
10.6 PoE Configuration

PDs, such as wireless telephones and APs, are provided with power when the devices are
configured with PoE.
10.6.1 Example for Configuring PoE

Figure 10-15 shows that switches are deployed at the access layer on the network. The IP phone
connected to the switch is deployed outdoors and the AP is deployed on the external wall of the
office. It is difficult to connect power supplies to these devices. The user wants the switch to
provide power for these devices and save the deployment costs.
As the office network of a bank, AP1 cannot be powered off and should be configured with the
highest power supply priority. IP Phone1 with a large amount of services need to obtain power
supply with high priority and generally cannot be powered off.

Figure 10-15 Networking diagram of the PoE application

Switch
Eth0/0/1 Eth0/0/2
Eth0/0/3 Eth0/0/4
IP Phone1 AP1
IP Phone2 AP2
The switch supporting PoE and installed with the PoE power supply is required.
1. Configure the power management mode as automatic mode so that PDs can be flexibly
managed.
2. Configure the power supply priority on Ethernet0/0/2 and Ethernet0/0/1 so that AP1 and
IP phone1 are provided with power preferentially.
3. Configure the maximum output power on Ethernet0/0/1, Ethernet0/0/3, and
Ethernet0/0/2 to limit the power of the corresponding interface and ensure security of the
device.
Procedure
Step 1 Configure the power management mode of the device as automatic mode.
[Quidway] poe power-management auto
Step 2 Configure the maximum output power on Ethernet0/0/1, Ethernet0/0/3, and Ethernet0/0/2 as 15
W, 15 W, and 20 W respectively.
[Quidway-Ethernet0/0/1] poe power 15000
NOTE
On the device, the unit of the output power is mW.
Step 3 Configure the power supply priority on Ethernet0/0/2 as critical.


[Quidway-Ethernet0/0/2] poe priority critical
Step 4 Configure the power supply priority on Ethernet0/0/1 as high.

[Quidway-Ethernet0/0/1] poe priority high
# Display the PoE power supply status of the interface on the device.
[Quidway] display poe power-state
PORTNAME POWERON/OFF ENABLED PRIORITY STATUS
--------------------------------------------------------------------------------
Ethernet0/0/1 on enable high Powered
Ethernet0/0/2 on enable Critical Powered
Ethernet0/0/3 on enable Low Powered
Ethernet0/0/4 on enable Low Powered
Ethernet0/0/5 off enable Low Detecting
----End
Configuration Files
#
poe priority high
poe power 15000
#
poe priority critical
poe power 20000
#
poe power 15000
#
return
10.7 iStack Configuration

Multiple switches set up a stack to improve data forwarding capabilities and network reliability.
10.7.1 Example for Configuring the iStack Function
As shown in Figure 10-16, SwitchA, SwitchB, SwitchC, and SwitchD form a ring stack.
As the network size rapidly increases, the number of access interfaces provided by an access
switch needs to be increased, and the network must be easy to manage and maintain. However,
a single access switch cannot meet these requirements.
In this example, service ports on the LI are used to form a stack.

Figure 10-16 Configuring a stack
SwitchA SwitchB
GE0/0/28
GE0/0/27
GE0/0/27 GE0/0/28
GE0/0/28 GE0/0/27
GE0/0/27
SwitchC SwitchD
GE0/0/28
iStack link
common link
1. Use SFP+ cables to connect ports according to Figure 10-16.
2. Configure physical member ports and add them to a stack port to implement data packet
forwarding. Two physical member ports connected by a stack cable must be added to
different stack ports.
Procedure
Step 1 Configure stack ports.
# Configure service ports Ethernet0/0/27 and Ethernet0/0/28 on SwitchA as physical member
ports and add them to a stack port.
[SwitchA] stack port interface ethernet 0/0/27 enable
Warning: Enabling stack port may cause configuration loss on the interface, cont
inue?[Y/N]:y
[SwitchA] stack port interface ethernet 0/0/28 enable
inue?[Y/N]:y
[SwitchA] interface stack-port 0/1
[SwitchA-stack-port0/1] port member-group interface ethernet 0/0/27
[SwitchA-stack-port0/1] quit
[SwitchA] interface stack-port 0/2
[SwitchA-stack-port0/2] port member-group interface ethernet 0/0/28
[SwitchA-stack-port0/2] quit
# Configure service ports Ethernet0/0/27 and Ethernet0/0/28 on SwitchB as physical member

[SwitchB] stack port interface ethernet 0/0/27 enable
inue?[Y/N]:y

[SwitchB] stack port interface ethernet 0/0/28 enable

inue?[Y/N]:y
[SwitchB] interface stack-port 0/1
[SwitchB-stack-port0/1] port member-group interface ethernet 0/0/27
[SwitchB-stack-port0/1] quit
[SwitchB] interface stack-port 0/2
[SwitchB-stack-port0/2] port member-group interface ethernet 0/0/28
[SwitchB-stack-port0/2] quit
# Configure service ports Ethernet0/0/27 and Ethernet0/0/28 on SwitchC as physical member

[SwitchC] stack port interface ethernet 0/0/27 enable
inue?[Y/N]:y
[SwitchC] stack port interface ethernet 0/0/28 enable
inue?[Y/N]:y
[SwitchC] interface stack-port 0/1
[SwitchC-stack-port0/1] port member-group interface ethernet 0/0/27
[SwitchC-stack-port0/1] quit
[SwitchC] interface stack-port 0/2
[SwitchC-stack-port0/2] port member-group interface ethernet 0/0/28
[SwitchC-stack-port0/2] quit
# Configure service ports Ethernet0/0/27 and Ethernet0/0/28 on SwitchD as physical member

[SwitchD] stack port interface ethernet 0/0/27 enable
inue?[Y/N]:y
[SwitchD] stack port interface ethernet 0/0/28 enable
inue?[Y/N]:y
[SwitchD] interface stack-port 0/1
[SwitchD-stack-port0/1] port member-group interface ethernet 0/0/27
[SwitchD-stack-port0/1] quit
[SwitchD] interface stack-port 0/2
[SwitchD-stack-port0/2] port member-group interface ethernet 0/0/28
[SwitchD-stack-port0/2] quit
Step 2 Configure stack IDs and stack priorities.

# Set the stack priority of SwitchA to 200.
[SwitchA] stack slot 0 priority 200
Warning:Please do not frequently modify Priority, it will make the stack split!
continue?[Y/N]:y
# Set the stack ID of SwitchB to 1.

[SwitchB] stack slot 0 renumber 1
Warning:Please do not frequently modify slotid, it will make the stack split! co
ntinue?[Y/N]:y
Info: Stack configuration has been changed, need reboot to take effect.
# Set the stack ID of SwitchC to 2.

[SwitchC] stack slot 0 renumber 2
ntinue?[Y/N]:y
# Set the stack ID of SwitchD to 3.

[SwitchD] stack slot 0 renumber 3

ntinue?[Y/N]:y
Step 3 Restart all switches.
# Check stack information.

<SwitchA> display stack
Stack topology type : Ring
Stack system MAC:0018-82d2-2e85
MAC switch delay time: 10 min
Stack reserve vlanid : 4093
slot# Role Mac address Priority Device type
-------------------------------------------------------------
0 Master 0018-82d2-2e85 200
1 Slave 0018-82c6-1f44 100
2 Standby 0018-82c6-1f4c 100
3 Slave 0018-82b1-6eb8 100
----End
Configuration File
None
10.7.2 Example for Configuring in Direct Mode
As shown in , SwitchA and SwitchB form a stack. The stack IDs of SwitchA and SwitchB are
0 and 1 respectively.
To ensure stack reliability, in direct mode needs to be configured on Ethernet0/0/5 and

Ethernet1/0/5. When the stack splits because of a stack link fault and there are two devices with
the same configuration on the network, you can use to reduce the impact of a stack split on the
network.
1. Configure in direct mode on specified interfaces.
Data Preparation
To complete the configuration, you need the following data:
l Number of the interface to be configured with in direct mode
Procedure
Step 1 Configure on interfaces.
# Configure in direct mode on Ethernet0/0/5.

[Quidway-Ethernet0/0/5] detect mode direct
Warning: This command will block the port, and no other configuration running on
this port is recommended. Continue?[Y/N]:y
# Configure in direct mode on Ethernet1/0/5.

[Quidway-Ethernet1/0/5] detect mode direct
Warning: This command will block the port, and no other configuration running on
this port is recommended. Continue?[Y/N]:y
# Check detailed configuration of the stack.

<Quidway> display verbose
Current status: Detect

direct detect interfaces configured:
Ethernet0/0/5
Ethernet1/0/5
relay detect interfaces configured:
Excluded ports(configurable):
Excluded ports(can not be configured):
Ethernet0/0/27
Ethernet1/0/27
----End
Configuration File
l Configuration file of the stack
#
interface ethernet0/0/5
detect mode direct
#
interface ethernet1/0/5
detect mode direct
#
return
10.7.3 Example for Configuring in Relay Mode
As shown in , SwitchA and SwitchB form a stack. SwitchA and SwitchB connect to SwitchC
using Eth-Trunk1.
When the stack splits because of a stack link fault and there are two devices with the same
configuration on the network, you can use to reduce the impact of a stack split on the network.
1. Configure in relay mode on a specified Eth-Trunk interface.

2. Configure the relay function on the proxy device to allow the proxy device to forward
protocol packets.

Procedure
Step 1 Configure .
# Configure in relay mode.
[Quidway-Eth-Trunk1] detect mode relay
Step 2 Configure the relay function.

# Configure the relay function on proxy device SwitchC.
[SwitchC] interface eth-trunk 1
[SwitchC-Eth-Trunk1] relay
[SwitchC-Eth-Trunk1] quit
[SwitchC-GigabitEthernet0/0/1] eth-trunk 1
[SwitchC-GigabitEthernet0/0/2] eth-trunk 1

# Check detailed configuration of the stack.
<Quidway> display verbose
Current status: Detect

direct detect interfaces configured:
relay detect interfaces configured:
Eth-Trunk1
Excluded ports(configurable):
Excluded ports(can not be configured):
# Check information about the proxy device SwitchC.

<SwitchC> display proxy
relay interfaces configured:
Eth-Trunk1
----End
Configuration File
l Configuration file of the stack
#
detect mode relay
#
interface
eth-trunk 1
#

interface
eth-trunk 1
#
return

#
sysname SwitchC
#
relay
#
interface
eth-trunk 1
#
interface
eth-trunk 1
#
return

Typical Configuration Examples 11 Configuration Guide - Network Management
11 Configuration Guide - Network

Management
About This Chapter
This document describes procedures and provides examples for configuring the Device
Management features of the device.
11.1 SNMP Configuration
The Simple Network Management Protocol (SNMP) is a standard network management protocol
widely used on TCP/IP networks. It uses a central computer (a network management station)
that runs network management software to manage network elements. There are three SNMP
versions, SNMPv1, SNMPv2c, and SNMPv3. Users can choose to configure one or more
versions if needed.
11.2 RMON Configuration
Remote Network Monitoring (RMON), defined by IETF, is a widely used network management
protocol. It provides packet statistics and alarm functions for Ethernet interfaces. The
management devices use RMON to remotely monitor and manage network elements.
11.3 NTP Configuration
Network Time Protocol (NTP) synchronizes time among a set of distributed time servers and
clients.
11.4 Ping and Tracert Configuration
You can use the ping command to check network connectivity, and the tracert command to
check the path from the source to the destination and to locate faults on the network.
11.5 NQA Configuration
This chapter describes how to configure the Network Quality Analysis (NQA) to monitor the
network operating status and collect network operation indexes in real time.
11.6 LLDP Configuration
The Link Layer Discovery Protocol (LLDP) allows you to obtain details about the network
topology, changes in the topology, and detect incorrect configurations on the network.

11.1 SNMP Configuration

The Simple Network Management Protocol (SNMP) is a standard network management protocol
widely used on TCP/IP networks. It uses a central computer (a network management station)
that runs network management software to manage network elements. There are three SNMP
versions, SNMPv1, SNMPv2c, and SNMPv3. Users can choose to configure one or more
versions if needed.
11.1.1 Example for Configuring a Switch to Communicate with

NMSs Using SNMPv1
As shown in Figure 11-1, NMS1 and MNS2 manage devices on the network. Because network
is small and secure, devices on the network use SNMPv1 to communicate with the NMSs.
A new switch is deployed on the network and needs to be managed by an NMS. Users want to
manage the switch using existing network resources and hope that faults on the switch can be
quickly identified and rectified. To meet service requirements, the NMS must manage MIB
objects except ISIS objects of the switch.
Figure 11-1 Communication between a switch and NMS using SNMPv1
NMS1
1.1.1.1/24 Eth0/0/1
IP Network 1.1.2.1/24
Switch
NMS2
1.1.1.2/24
Because the network is small and secure, the new switch can use SNMPv1 to communicate with
the NMSs. To reduce loads on the NMSs, configure NMS2 to manage the switch and NMS1 not
to manage the switch.
1. Set the SNMP version on the switch to SNMPv1.

2. Configure the access right to enable NMS2 to manage MIB objects except ISIS objects on
the switch.

3. Configure the trap function on the switch so that the switch can send traps to NMS2. To
help quickly identify faults according to trap messages and reduce useless traps, configure
the switch to send only the traps of the modules enabled by default.
4. Configure administrator contact information on the switch so that users can contact the
administrator quickly when a fault occurs on the switch.
5. Configure NMS2.
Procedure
Step 1 Configure an IP address for the interface of switch.
# Configure an IP address for the interface of switch according to Figure 11-1.

[Quidway] vlan 100
Step 2 Configure routing function to ensure reachable routes between switch and NMS2.
[Quidway] ospf
[Quidway-ospf-1] area 0
[Quidway-ospf-1-area-0.0.0.0] network 1.1.2.0 0.0.0.255
[Quidway-ospf-1-area-0.0.0.0] quit
[Quidway-ospf-1] quit
Step 3 Enable the SNMP agent.

[Quidway] snmp-agent
Step 4 Set the SNMP version on the switch to SNMPv1.

[Quidway] snmp-agent sys-info version v1
Step 5 Set the access right for the NMSs.
# Configure an ACL that allows NMS2 to manage the switch and prevents NMS1 from managing
the switch.
[Quidway] acl 2001
[Quidway-acl-basic-2001] rule 5 permit source 1.1.1.2 0.0.0.0
[Quidway-acl-basic-2001] rule 6 deny source 1.1.1.1 0.0.0.0
# Configure the MIB view to allow NMS2 to manage objects except ISIS objects on the
switch.
[Quidway] snmp-agent mib-view excluded allextisis 1.3.6.1.3.37
# Configure a community name and reference the ACL and MIB view for the community.
[Quidway] snmp-agent community write adminnms2 mib-view allextisis acl 2001
Step 6 Configure the trap function.

[Quidway] snmp-agent target-host trap address udp-domain 1.1.1.2 params
securityname adminnms2
Step 7 Configure the administrator contact information.

[Quidway] snmp-agent sys-info contact call Operator at 010-12345678

Step 8 Configure NMS2.
You must set a read-write community name for an NMS running SNMPv1. For details about
the NMS configuration, see the manual of the NMS.
NOTE
The authentication parameter configuration on the NMS must be the same as that on the switch. Otherwise,
the NMS cannot manage the switch.
After completing the configuration, run the following commands to verify that the configurations
have taken effect.
# View the SNMP version.

[Quidway] display snmp-agent sys-info version
SNMP version running in the system:
SNMPv1 SNMPv3
# View the community name.

[Quidway] display snmp-agent community
Community name:%$%$`^G,*3SqwTbh0j/Q,1()v!ul%$%$
Group name:%$%$`^G,*3SqwTbh0j/Q,1()v!ul%$%$
Acl:2001
Storage-type: nonVolatile
# View the ACL configuration.

Basic ACL 2001, 2 rules
Acl's step is 5
# View the MIB view.

[Quidway] display snmp-agent mib-view viewname allextisis
View name:allextisis
MIB Subtree:isisMIB
Subtree mask:
View Type:excluded
View status:active
# View the configuration of the target host used to receive traps.

[Quidway] display snmp-agent target-host
Target-host NO. 1
-----------------------------------------------------------
VPN instance : -
Security name : %$%$n]*J3"Itf@UrL2"B%`$SdrO;%$%
$
Port : 162
Type : trap
Version : v1
NMS type : NMS
With ext-vb : No
-----------------------------------------------------------
# View the administrator contact information.

[Quidway] display snmp-agent sys-info contact

The contact person for this managed node:
call Operator at 010-12345678
----End
Configuration Files
#
vlan batch 100
#
acl number 2001
#
interface Vlanif100
ip address 1.1.2.1 255.255.255.0
#
#
ospf 1
area 0.0.0.0
network 1.1.2.0 0.0.0.255
#
snmp-agent
snmp-agent local-engineid 800007DB03360102101100
snmp-agent community write cipher %$%$`^G,*3SqwTbh0j/Q,1()v!ul%$%$ mib-view
allextisis acl 2001
snmp-agent sys-info contact call Operator at 010-12345678
snmp-agent sys-info version v1 v3
snmp-agent target-host trap address udp-domain 1.1.1.2 params securityname cipher %
$%$n]*J3"Itf@UrL2"B%`$SdrO;%$%$
snmp-agent mib-view excluded allextisis isisMIB
#
return
11.1.2 Example for Configuring a Switch to Communicate with an

NMS Using SNMPv2c
As shown in Figure 11-2, NMS1 and MNS2 manage devices on the network. The network is
large and secure but the service traffic volume on the network is high. Therefore, devices on the
network use SNMPv2c to communicate with the NMSs. A new switch is deployed on the
network and needs to be managed by an NMS.
Users want to manage the switch using existing network resources and hope that faults on the
switch can be quickly identified and rectified. To meet service requirements, the NMS must
manage MIB objects except ISIS objects of the switch.

Figure 11-2 Communication between a and NMS using SNMPv2c
NMS1
1.1.1.1/24 Eth0/0/1
Switch
NMS2
1.1.1.2/24
The network is large and secure but the service traffic volume on the network is high. Therefore,
the new switch still uses SNMPv2c. To reduce loads on the NMSs, configure NMS2 to manage
the switch and NMS1 not to manage the switch.
1. Set the SNMP version on the switch to SNMPv2c.

the switch.
3. Configure the inform function on the switch so that the switch can send informs to NMS2.
To help quickly identify faults according to trap messages and reduce useless traps,
configure the switch to send only the traps of the modules enabled by default.
5. Configure NMS2.
Procedure

[Quidway] vlan 100
[Quidway] ospf


Step 4 Set the SNMP version on the switch to SNMPv2c.

[Quidway] snmp-agent sys-info version v2c

the switch.
[Quidway] acl 2001
# Configure the MIB view to allow NMS2 to manage objects except ISIS objects on the
switch.
[Quidway] snmp-agent mib-view excluded allextisis 1.3.6.1.3.37
# Configure a community name and reference the ACL and MIB view for the community.
[Quidway] snmp-agent community write adminnms2 mib-view allextisis acl 2001
Step 6 Configure the inform function.

[Quidway] snmp-agent target-host inform address udp-domain 1.1.1.2 params
securityname adminnms2 v2c
[Quidway] snmp-agent inform timeout 5 resend-times 6 pending 7


You must set a read-write community name for an NMS running SNMPv2c. For details about
the NMS configuration, see the manual of the NMS.
NOTE

have taken effect.
SNMPv2c SNMPv3
# View the community name.

[Quidway] display snmp-agent community
Community name:%$%$o<0)+Puf0Bl,fq);94]Nv`WN%$%$
Group name:%$%$o<0)+Puf0Bl,fq);94]Nv`WN%$%$
Acl:2001


Acl's step is 5

MIB Subtree:isisMIB
Subtree mask:
View Type:excluded
View status:active

Target-host NO. 1
-----------------------------------------------------------
VPN instance : -
Security name : %$%${jI1DLx8W>ZDMs-]i#^Cd"NG%$%$
Port : 162
Type : inform
Version : v2c
NMS type : NMS
With ext-vb : No
-----------------------------------------------------------

----End
Configuration Files
#
vlan batch 100
#
acl number 2001
#
interface Vlanif100
ip address 1.1.2.1 255.255.255.0
#
#
ospf 1
area 0.0.0.0
network 1.1.2.0 0.0.0.255
#
snmp-agent
snmp-agent community write cipher %$%$o<0)+Puf0Bl,fq);94]Nv`WN%$%$ mib-view
allextisis acl 2001
snmp-agent sys-info version v2c v3

snmp-agent target-host inform address udp-domain 1.1.1.2 params securityname cipher

%$%${jI1DLx8W>ZDMs-]i#^Cd"NG%$%$ v2c
snmp-agent inform timeout 5
snmp-agent inform resend-times 6
snmp-agent inform pending 7
#
return
11.1.3 Example for Configuring a Switch to Communicate with an

NMS Using SNMPv3
As shown in Figure 11-3, NMS1 and MNS2 manage devices on the network. The network is
large and insecure. Therefore, devices on the network use SNMPv3 to communicate with the
NMSs, and authentication and encryption are configured to enhance security. A new switch is
deployed on the network and needs to be managed by an NMS.
Users want to manage the switch using existing network resources and hope that faults on the
switch can be quickly identified and rectified. To meet service requirements, the NMS must
manage MIB objects except ISIS objects of the switch.
Figure 11-3 Communication between a switch and NMS using SNMPv3
NMS1
1.1.1.1/24 Eth0/0/1
Switch
NMS2
1.1.1.2/24
Because the network is large and insecure, the new still uses SNMPv3. To reduce loads on the
NMSs, configure NMS2 to manage the switch and NMS1 not to manage the switch.
1. Set the SNMP version on the switch to SNMPv3.

the switch.
3. Configure the trap function on the switch so that the switch can send traps to NMS2. To
help quickly identify faults according to trap messages and reduce useless traps, configure
the switch to send only the traps of the modules enabled by default.

5. Configure NMS2.
Procedure

[Quidway] vlan 100
[Quidway] ospf

Step 4 Set the SNMP version on the switch to SNMPv3.

[Quidway] snmp-agent sys-info version v3
the switch.
[Quidway] acl 2001
# Configure the MIB view.

[Quidway] snmp-agent mib-view excluded allextisis 1.3.6.1.4.1.2011.6.7
# Configure a user group and a user. Configure authentication and encryption for data of the
user.
[Quidway] snmp-agent usm-user v3 nms2-admin admin authentication-mode md5 hello123
privacy-mode des56 hello123
[Quidway] snmp-agent group v3 admin privacy write-view allextisis acl 2001
Step 6 Configure the trap function.

[Quidway] snmp-agent target-host trap address udp-domain 1.1.1.2 params
securityname nms2-admin v3


On an NMS running SNMPv3, you must set a user name and select a security level. Then set
the authentication mode, authentication password, encryption mode, and encryption key
according to the security level you select. For details about the NMS configuration, see the
manual of the NMS.
NOTE

have taken effect.
SNMPv3
# View user group information.

[Quidway] display snmp-agent group admin
Group name: admin
Security model: v3 AuthPriv
Readview: ViewDefault
Writeview: allextisis
Notifyview :<no specified>
Acl:2001
# View user information.

[Quidway] display snmp-agent usm-user
User name: nms2-admin
Engine ID: 800007DB0300259E0370C3 active
Group name:admin

Acl's step is 5

MIB Subtree:isisMIB
Subtree mask:
View Type:excluded
View status:active

Target-host NO. 1
-----------------------------------------------------------
VPN instance : -
Security name : nms2-admin
Port : 162
Type : trap

Version : v3
NMS type : NMS
With ext-vb : No
-----------------------------------------------------------

----End
Configuration Files
#
vlan batch 100
#
acl number 2001
#
interface Vlanif100
ip address 1.1.2.1 255.255.255.0
#
#
ospf 1
area 0.0.0.0
network 1.1.2.0 0.0.0.255
#
snmp-agent
snmp-agent local-engineid 800007DB0300259E0370C3
snmp-agent sys-info version v3
snmp-agent group v3 admin privacy write-view allextisis acl 2001
snmp-agent target-host trap address udp-domain 1.1.1.2 params securityname nms2-
admin v3
snmp-agent usm-user v3 nms2-admin admin authentication-mode md5 %$%
$0eiJ@*mM<~lo`1RYa2\*vNE<%$%$ privacy-mode des56 %$%$0eiJ@*mM<~lo`1RYa2\*vNE<%$%$
#
return
11.2 RMON Configuration

Remote Network Monitoring (RMON), defined by IETF, is a widely used network management
protocol. It provides packet statistics and alarm functions for Ethernet interfaces. The
management devices use RMON to remotely monitor and manage network elements.
11.2.1 Example for Configuring RMON
As shown in Figure 11-4, a subnet connects to the network through Eth0/0/1. The NMS monitors
the subnet, including:

l Collecting real-time and history statistics on traffic and each type of packets
l Recording logs when the traffic volume per minute exceeds the threshold
l Monitoring broadcast and multicast traffic volume on the subnet and reporting alarm to the
NMS when the traffic volume exceeds the threshold
Figure 11-4 Networking diagram of RMON configuration
Eth0/0/2 Eth0/0/1
IP VLANIF20 VLANIF30
Network 20.20.20.1/24 30.30.30.1/24
NMS Switch
10.10.10.1/24
To collect real-time and history statistics on traffic and each type of packets, configure the
RMON statistics function. You can configure the RMON alarm function to enable the device
record logs and report alarms to the NMS when the traffic volume exceeds the threshold.
1. Configure IP addresses for switch interfaces.

2. Configure a reachable route between the switch and NMS.
3. Configure basic SNMP functions and enable the switch to send traps to the NMS.
4. Enable RMON statistics function and configure the statistics table and history control table.
5. Configure the event table, alarm table, and extended alarm table.
Procedure
Step 1 Configure IP addresses for switch interfaces.
[Switch]vlan batch 20 30
Info: This operation may take a few seconds. Please wait for a moment...done.
[Switch]interface ethernet 0/0/1
[Switch-Ethernet0/0/1]port hybrid pvid vlan 30
[Switch-Ethernet0/0/1]port hybrid untagged vlan 30
[Switch-Ethernet0/0/1]quit
[Switch] interface vlanif 30
[Switch-Vlanif30] ip address 30.30.30.1 24
[Switch-Vlanif30] quit
[Switch]interface ethernet 0/0/2
[Switch-Ethernet0/0/2]port hybrid pvid vlan 20
[Switch-Ethernet0/0/2]port hybrid untagged vlan 20
[Switch-Ethernet0/0/2]quit
[Switch] interface vlanif 20
[Switch-Vlanif20] ip address 20.20.20.1 24
[Switch-Vlanif20] quit
Step 2 Configure a reachable route between the switch and NMS.

[Switch] ospf
[Switch-ospf-1] area 0
[Switch-ospf-1-area-0.0.0.0] network 20.20.20.0 0.0.0.255
[Switch-ospf-1-area-0.0.0.0] network 30.30.30.0 0.0.0.255

[Switch-ospf-1-area-0.0.0.0] quit
[Switch-ospf-1] quit
Step 3 Configure basic SNMP functions and enable the switch to send traps to the NMS.
# Configure SNMPv3 on the switch. Configure an SNMP user group admin and add a user nms-
admin to the user group.
[Switch]snmp-agent group v3 admin
[Switch]snmp-agent usm-user v3 nms-admin admin
# Enable SNMP to send traps.

[Switch] snmp-agent trap enable
# Specify the NMS that receives the traps.

[Switch] snmp-agent target-host trap address udp-domain 10.10.10.1 params
securityname nms-admin v3
Step 4 Configure RMON statistics function.

# Enable the RMON statistics function on the interface.
[Switch-Ethernet0/0/1] rmon-statistics enable
# Configure the statistics table.

NOTE
The interface enabled with the statistics function cannot be added to an Eth-Trunk.
[Switch-Ethernet0/0/1] rmon statistics 1 owner Test300
# Configure the history control table. Sample traffic on the subnet every 30 seconds and save
the latest 10 records
[Switch-Ethernet0/0/1] rmon history 1 buckets 10 interval 30 owner Test300
Step 5 Configure RMON alarm function.

# Configure the event table. Configure the switch to record logs for RMON event 1 and send
traps to the NMS for RMON event 2.
[Switch] rmon event 1 log owner Test300
[Switch] rmon event 2 description forUseofPrialarm trap public owner Test300
# Configure the alarm table. Set the sampling interval and the threshold for triggering event 1
(OID is 1.3.6.1.2.1.16.1.1.1.6.1).
[Switch] rmon alarm 1 1.3.6.1.2.1.16.1.1.1.6.1 30 absolute rising-threshold 500 1
falling-threshold 100 1 owner Test300
# Configure the extended alarm table. Sample broadcast and multicast packets every 30 seconds.
When the number of sampled packets exceeds 1000 or decreases to 0, event 2 is triggered. That
is, the device sends a trap to the NMS.
[Switch] rmon prialarm 1 .1.3.6.1.2.1.16.1.1.1.6.1+.1.3.6.1.2.1.16.1.1.1.7.1
sumofbroadandmulti 30 delta rising-threshold 1000 2 falling-threshold 0 2 entrytype
forever owner Test300

# View traffic volume on the subnet.
[Switch] display rmon statistics ethernet 0/0/1
Statistics entry 1 owned by Test300 is VALID.

Interface : Ethernet0/0/1<ifEntry.58>
Received :
octets :142915224 , packets :1749151
broadcast packets :11603 , multicast packets:756252
undersize packets :0 , oversize packets:0
fragments packets :0 , jabbers packets :0
CRC alignment errors:0 , collisions :0
Dropped packet (insufficient resources):1795
Packets received according to length (octets):
64 :150183 , 65-127 :150183 , 128-255 :1383
256-511:3698 , 512-1023:0 , 1024-1518:0
# View the sampling records.

[Switch] display rmon history ethernet 0/0/1
History control entry 1 owned by Test300 is VALID
Samples interface :Ethernet0/0/1<ifEntry.58>
Sampling interval : 30(sec) with 10 buckets max
Last Sampling time : 0days 22h:42m:56s.01th
Latest sampled values :
octets :74539 , packets :966
broadcast packets :1 , multicast packets :36
undersize packets :0 , oversize packets :0
CRC alignment errors :0 , collisions :0
Dropped packet: :0 , utilization :0
History record:
Record No.1 (Sample time: 0days 22h:40m:56s.50th)
octets :73926 , packets :963
broadcast packets :0 , multicast packets :36
undersize packets :0 , oversize packets :0
CRC alignment errors :0 , collisions :0
Dropped packet: :0 , utilization :0
# View the RMON event configurations.

[Switch] display rmon event
Event table 1 owned by Test300 is VALID.
Description: null.
Will cause log when triggered, last triggered at 0days 00h:24m:10s.05th.
Description: forUseofPrialarm.
Will cause snmp-trap when triggered, last triggered at 0days 00h:26m:10s.05th.
# View the RMON alarm configurations.

[Switch] display rmon alarm 1
Alarm table 1 owned by Test300 is VALID.
Samples absolute value : 1.3.6.1.2.1.16.1.1.1.6.1 <etherStatsBroadcastPkts.1>
Sampling interval : 30(sec)
Rising threshold : 500(linked with event 1)
Falling threshold : 100(linked with event 1)
When startup enables : risingOrFallingAlarm
Latest value : 1975
# View the RMON extended alarm configurations.

[Switch] display rmon prialarm 1
Prialarm table 1 owned by Test300 is VALID.
Samples delta value : .1.3.6.1.2.1.16.1.1.1.6.1+.1.3.6.1.2.1.16.1.1.1.7.1
Sampling interval : 30(sec)
Rising threshold : 1000(linked with event 2)
Falling threshold : 0(linked with event 2)
When startup enables : risingOrFallingAlarm
This entry will exist : forever
Latest value : 16
# View the event logs.

[Switch] display rmon eventlog

Generates eventLog 1.1 at 0days 00h:39m:30s.01th.
Description: The 1.3.6.1.2.1.16.1.1.1.6.1 defined in alarm table 1,
less than or equal to 100 with alarm value 0. Alarm sample type is absolute.
----End
Configuration Files
#
sysname Switch
#
vlan batch 20 30
#
interface Vlanif20
ip address 20.20.20.1 255.255.255.0
#
interface Vlanif30
ip address 30.30.30.1 255.255.255.0
#
rmon-statistics enable
rmon statistics 1 owner Test300
rmon history 1 buckets 10 interval 30 owner Test300
#
#
rmon event 1 description null log owner Test300
rmon event 2 description forUseofPrialarm trap public owner Test300
rmon alarm 1 1.3.6.1.2.1.16.1.1.1.6.1 30 absolute rising-threshold 500 1 falling-
threshold 100 1 owner Test300
rmon prialarm 1 .1.3.6.1.2.1.16.1.1.1.6.1+.1.3.6.1.2.1.16.1.1.1.7.1
sumofbroadandmulti 30 delta rising-threshold 1000 2 falling-threshold 0 2 entrytype
forever owner Test300
#
ospf 1
area 0.0.0.0
network 20.20.20.0 0.0.0.255
network 30.30.30.0 0.0.0.255
#
snmp-agent
snmp-agent local-engineid 800007DB0300259EFBBE78
snmp-agent group v3 admin
snmp-agent target-host trap address udp-domain 10.10.10.1 params securityname nms-
admin v3
snmp-agent usm-user v3 nms-admin admin
#
return
11.3 NTP Configuration

Network Time Protocol (NTP) synchronizes time among a set of distributed time servers and
clients.

11.3.1 Example for Configuring Authenticated NTP Unicast Server/

Client Mode
As shown in Figure 11-5, SwitchB, SwitchC, and SwitchD are on a local area network (LAN),
and are connected to SwitchA through a network. SwitchA has synchronized its clock to an
authoritative clock, the Global Positioning System (GPS).
As is required by the user, the three devices SwitchB, SwitchC, and SwitchD on the LAN must
synchronize their clocks to the clock of SwitchA to ensure a precise charging service.
Figure 11-5 Networking diagram for configuring NTP unicast client/server mode
Eth0/0/1
VLANIF111
1.0.0.2/24
Eth0/0/1 Eth0/0/1 Eth0/0/2
VLANIF100 IP VLANIF110 VLANIF111 Eth0/0/1 SwitchC
Network VLANIF111
2.2.2.2/24 1.0.1.1/24 1.0.0.1/24
1.0.0.3/24
SwitchA SwitchB
SwitchD
You can configure the authenticated unicast server/client mode to meet the user's requirement
for clock synchronization on the LAN. The configuration roadmap is as follows:
1. Configure SwitchA as the primary time server.
2. The NTP unicast server/client mode is used to synchronize the clocks of SwitchA and
SwitchB. SwitchA functions as the server, and SwitchB functions as the client.
3. The NTP unicast server/client mode is used to synchronize the clocks of SwitchB,
SwitchC, and SwitchD. SwitchB functions as the server, while SwitchC and SwitchD
function as the clients.
4. SwitchA and SwitchB are connected through the network, which is not secure, so that the
NTP authentication function is enabled.
NOTE
When configuring NTP authentication in the unicast server/client mode, enable the NTP authentication on
the client, and specify the NTP server address and the authentication key sent to the server. Otherwise, the
NTP authentication is not performed, and the NTP client and server are directly synchronized.
Procedure
Step 1 According to Figure 11-5, configure IP addresses, and configure reachable routes between any
two of SwitchA, SwitchB, SwitchC, and SwitchD.
# Configure an IP address on SwitchA. For details about the configurations of SwitchB,
SwitchC, and SwitchD, see "Configuration Files".

[SwitchA] vlan 100
[SwitchA] ospf 1
Step 2 Configure an NTP primary clock on SwitchA and enable the NTP authentication function.
# Specify the local clock of SwitchA as the primary clock, and set the clock stratum to 2.
[SwitchA] ntp-service refclock-master 2
# Enable the NTP authentication function, configure the authentication key, and specify the key
as reliable.
[SwitchA] ntp-service authentication enable
[SwitchA] ntp-service authentication-keyid 42 authentication-mode md5 Hello
[SwitchA] ntp-service reliable authentication-keyid 42
Step 3 Configure an NTP primary clock on SwitchB and enable the NTP authentication function.
# Enable the NTP authentication function on SwitchB, configure the authentication key, and
specify the key as reliable.
[SwitchB] ntp-service authentication enable
[SwitchB] ntp-service authentication-keyid 42 authentication-mode md5 Hello
[SwitchB] ntp-service reliable authentication-keyid 42
# Specify SwitchA as the NTP server of SwitchB, and use the configured authentication key.
[SwitchB] ntp-service unicast-server 2.2.2.2 authentication-keyid 42
Step 4 # Specify on SwitchC that SwitchB functions as the NTP server of SwitchC.
[SwitchC] ntp-service authentication enable
[SwitchC] ntp-service authentication-keyid 42 authentication-mode md5 Hello
[SwitchC] ntp-service reliable authentication-keyid 42
[SwitchC] ntp-service unicast-server 1.0.0.1 authentication-keyid 42
Step 5 # Specify on SwitchD that SwitchB functions as the NTP server of SwitchD.
<SwitchD> system-view
[SwitchD] ntp-service authentication enable
[SwitchD] ntp-service authentication-keyid 42 authentication-mode md5 Hello
[SwitchD] ntp-service reliable authentication-keyid 42
[SwitchD] ntp-service unicast-server 1.0.0.1 authentication-keyid 42
After the preceding configuration is complete, SwitchB can synchronize its clock with the clock
of SwitchA.
# Check the NTP status of SwitchB, and you can find that the clock status is "synchronized",
indicating that the synchronization is complete. The stratum of the clock is 3, which is one
stratum lower than that of the clock of the server SwitchA.

[SwitchB] display ntp-service status

clock status: synchronized
clock stratum: 3
reference clock ID: 2.2.2.2
nominal frequency: 60.0002 Hz
actual frequency: 60.0002 Hz
clock precision: 2^18
clock offset: 3.8128 ms
root delay: 31.26 ms
root dispersion: 74.20 ms
peer dispersion: 34.30 ms
reference time: 11:55:56.833 UTC Mar 2 2006(C7B15BCC.D5604189)
# Check the NTP status of SwitchC, and you can find that the clock status is "synchronized",
stratum lower than that of the clock of the server SwitchB.
[SwitchC] display ntp-service status
clock stratum: 4
# Check the NTP status of SwitchD, and you can find that the clock status is "synchronized",
stratum lower than that of the clock of the server SwitchB.
[SwitchD] display ntp-service status
clock stratum: 4
# Check the NTP status of SwitchA.

[SwitchA] display ntp-service status
clock stratum: 2
reference clock ID: LOCAL(0)
root delay: 0.00 ms
reference time: 12:01:48.377 UTC Mar 2 2012(C7B15D2C.60A15981)
----End
Configuration Files

#
sysname SwitchA
#
ntp-service authentication enable
ntp-service authentication-keyid 42 authentication-mode md5 cipher %$%
$iU;C@~zqb+};!@!vGIp5q}tk%$%$
ntp-service reliable authentication-keyid
42
ntp-service refclock-master 2
#
vlan batch 100
#
interface Vlanif100
ip address 2.2.2.2 255.255.255.0
#
#
ospf 1
area 0.0.0.0
network 2.2.2.0 0.0.0.255
#
return
#
sysname SwitchB
#
ntp-service reliable authentication-keyid 42
ntp-service unicast-server 2.2.2.2 authentication-keyid 42
#
#
interface Vlanif110
ip address 1.0.1.1 255.255.255.0
#
interface Vlanif111
ip address 1.0.0.1 255.255.255.0
#
#
#
ospf 1
area 0.0.0.0
network 1.0.0.0 0.0.0.255
network 1.0.1.0 0.0.0.255
#
return
#
sysname SwitchC
#
#
vlan batch 111
#

interface Vlanif111
ip address 1.0.0.2 255.255.255.0
#
#
ospf 1
area 0.0.0.0
network 1.0.0.0 0.0.0.255
#
return

#
sysname SwitchD
#
#
vlan batch 111
#
interface Vlanif111
ip address 1.0.0.3 255.255.255.0
#
#
ospf 1
area 0.0.0.0
network 1.0.0.0 0.0.0.255
#
return
11.3.2 Example for Configuring NTP Symmetric Peer Mode

As shown in Figure 11-6, three devices are on a local area network (LAN).
The clocks of the devices on the LAN need to be synchronized to facilitate device management.
SwitchA has synchronized its clock with an authoritative clock, the Global Positioning System
(GPS), through a network. The user requires SwitchB and SwitchC to synchronize their clocks
to the clock of SwitchA.

Figure 11-6 Networking diagram for configuring the symmetric peer mode
SwitchA
Eth0/0/1
VLANIF100
10.0.0.1/24
Eth0/0/1 Eth0/0/1
VLANIF100 VLANIF100
10.0.0.3/24 10.0.0.2/24
S
SwitchB SwitchC
You can configure the NTP protocol to synchronize time, and use the NTP symmetric peer mode
to meet the user's requirement for time synchronization. The configuration roadmap is as follows:
1. Configure the local clock of SwitchA as the NTP primary clock.
2. The NTP unicast server/client mode is used to synchronize the clocks of SwitchB and
SwitchA. SwitchA functions as the server, and SwitchB functions as the client.
3. The symmetric peer mode is used to synchronize the clocks of SwitchB and SwitchC.
SwitchC functions as the symmetric active peer and sends a clock synchronization request
to SwitchB.
Procedure
Step 1 Configure IP addresses for SwitchA, SwitchB and SwitchC.
Configure an IP address for each interface according to Figure 11-6. After the configurations
are complete, the three switches can ping each other.
# Configure an IP address on SwitchA. For details about the configurations of SwitchB and
SwitchC, see "Configuration Files".
[SwitchA] vlan 100
Step 2 Configure the NTP client/server mode.

# Set the local clock of SwitchA as the NTP primary clock, and set the clock stratum to 2.
[SwitchA] ntp-service refclock-master 2
# Specify on SwitchB that SwitchA functions as the NTP server of SwitchB.

[SwitchB] ntp-service unicast-server 10.0.0.1

After the preceding configuration is complete, SwitchB can synchronize its clock with the clock
of SwitchA.
# Check the NTP status of SwitchB, and you can find that the clock status is "synchronized",
stratum lower than that of the clock of SwitchA.
[SwitchB] display ntp-service status
clock stratum: 3
reference time: 06:52:33.465 UTC Mar 7 2006(C7B7AC31.773E89A8)
Step 3 Configure the NTP unicast symmetric peer mode.

# Specify on SwitchC that SwitchB functions as the symmetric passive peer of SwitchC.
[SwitchC] ntp-service unicast-peer 10.0.0.2
Because SwitchC is not configured with a primary clock and its clock stratum is lower than that
of SwitchB, SwitchC synchronizes its clock with the clock of SwitchB.
Monitor the status of SwitchC after the synchronization. The clock of SwitchC is in
"synchronized" status, indicating that the synchronization is complete. The clock stratum of
SwitchC is 4, which is one stratum lower than that of the symmetric passive peer SwitchB.
# Display the clock status of SwitchC.
[SwitchC] display ntp-service status
clock stratum: 4
reference time: 06:55:50.784 UTC Mar 7 2006(C7B7ACF6.C8D002E2)
----End
Configuration Files
#
sysname SwitchA
#
#
vlan batch 100
#
interface Vlanif100
ip address 10.0.0.1 255.255.255.0
#

#
return

#
sysname SwitchB
#
ntp-service unicast-server 10.0.0.1
#
vlan batch 100
#
interface Vlanif100
ip address 10.0.0.2 255.255.255.0
#
#
return

#
sysname SwitchC
#
ntp-service unicast-peer 10.0.0.2
#
vlan batch 100
#
interface Vlanif100
ip address 10.0.0.3 255.255.255.0
#
#
return
11.3.3 Example for Configuring Authenticated NTP Broadcast

Mode
As shown in Figure 11-7, SwitchF, SwitchC, and SwitchD are on a local area network (LAN).
SwitchA directly connects to SwitchF. SwitchC directly synchronizes its clock to an
authoritative clock, the Global Positioning System (GPS), by radio.
To provide charging services, all switches (except SwitchA) in Figure 11-7 are required to
synchronize their clocks to a standard clock. SwitchA is outside the charging range, and does
not need to synchronize its clock to the standard clock.

Figure 11-7 Networking diagram for configuring authenticated NTP broadcast mode
Eth0/0/1
VLANIF10
3.0.1.31/24
Eth0/0/1 Eth0/0/1 Eth0/0/2
1.0.1.11/24 1.0.1.2/24 3.0.1.2/24 SwitchC
SwitchA SwitchF Eth0/0/1

VLANIF10
3.0.1.32/24
SwitchD
You can configure the NTP protocol to synchronize time, and use the authenticated NTP
broadcast mode to meet the user's requirement. The configuration roadmap is as follows:
1. Configure SwitchC as the primary time server, use the local clock as the NTP primary
clock, and set the clock stratum to 3.
2. Configure SwitchC as the NTP broadcast server that sends broadcast packets from interface
VLANIF10 (the corresponding physical interface is Eth0/0/1).
3. Configure SwitchA, SwitchD and SwitchF as NTP broadcast clients. SwitchA uses
VLANIF20 (the corresponding physical interface is Eth0/0/1) to listen to the broadcast
packets. SwitchD uses VLANIF10 (the physical interface is Eth0/0/1) to listen to the
broadcast packets. SwitchF uses VLANIF10 (the corresponding physical interface is
Eth0/0/2) to listen to the broadcast packets.
4. To strengthen the network security, the NTP authentication function is enabled.
Procedure
Step 1 Configure an IP address for each interface according to Figure 11-7, and configure reachable
routes between the switches.
# Configure an IP address for the interface and configure a routing protocol on SwitchA.
[SwitchA] vlan 20
[SwitchA] ospf 1
For details about the configurations of SwitchC, SwitchD, and SwitchF, see "Configuration
Files".

Step 2 Configure the NTP broadcast server, and enable the authentication.
# Configure the local clock of SwitchC as the NTP primary clock, and set the clock stratum to
3.
[SwitchC] ntp-service refclock-master 3
# Enable NTP authentication.

[SwitchC] ntp-service authentication enable
[SwitchC] ntp-service authentication-keyid 16 authentication-mode md5 Hello
[SwitchC] ntp-service reliable authentication-keyid 16
# Configure SwitchC as the NTP broadcast server that sends NTP broadcast packets from
VLANIF10, and specify the key with the ID 16 for encryption.
[SwitchC-Vlanif10] ntp-service broadcast-server authentication-keyid 16
Step 3 Configure the NTP broadcast client SwitchD on a network segment the same as that of the NTP
server.

[SwitchD] ntp-service authentication enable
[SwitchD] ntp-service authentication-keyid 16 authentication-mode md5 Hello
[SwitchD] ntp-service reliable authentication-keyid 16
# Configure SwitchD as the NTP broadcast client that listens to the NTP broadcast packets from
interface VLANIF10.
[SwitchD-Vlanif10] ntp-service broadcast-client
After the configuration is complete, SwitchD synchronizes its clock to that of SwitchC. For
details about the configuration of SwitchF, which is similar to that of SwitchD, see the
corresponding configuration file.
Step 4 Configure the NTP broadcast client SwitchA on a network segment different from that of the
server.

[SwitchA] ntp-service authentication enable
[SwitchA] ntp-service authentication-keyid 16 authentication-mode md5 Hello
[SwitchA] ntp-service reliable authentication-keyid 16
# Configure SwitchA as the NTP broadcast client that listens to the NTP broadcast packets from
interface VLANIF20.
[SwitchA-Vlanif20] ntp-service broadcast-client
After the preceding configuration is complete, SwitchD can synchronize its clock to that of
SwitchC, but SwitchA cannot synchronize its clock to that of SwitchC.
This is because SwitchA is on a network segment different from that of SwitchC, but SwitchD
is on a network segment the same as that of SwitchC.
stratum lower than that of the clock of SwitchC.


clock stratum: 4
root delay: 0.00 ms
reference time: 12:17:21.773 UTC Mar 7 2012(C7B7F851.C5EAF25B)
----End
Configuration Files
#
sysname SwitchA
#
$Q1Ub0~;Ga!9IasE'@Db-,5,#%$%$
#
vlan batch 20
#
interface Vlanif20
ip address 1.0.1.11 255.255.255.0
ntp-service broadcast-client
#
#
ospf
1
area
0.0.0.0
network 1.0.1.0 0.0.0.255
#
return

#
sysname SwitchC
#
$Q1Ub0~;Ga!9IasE'@Db-,5,#%$%$
#
vlan batch 10
#
interface Vlanif10
ip address 3.0.1.31 255.255.255.0
ntp-service broadcast-server authentication-keyid 16
#
#
ospf
1
area
0.0.0.0
network 3.0.1.0 0.0.0.255

#
return

#
sysname SwitchD
#
$Q1Ub0~;Ga!9IasE'@Db-,5,#%$%$
#
vlan batch 10
#
interface Vlanif10
ip address 3.0.1.32 255.255.255.0
#
#
ospf
1
area
0.0.0.0
network 3.0.1.0 0.0.0.255
#
return

#
sysname SwitchF
#
$Q1Ub0~;Ga!9IasE'@Db-,5,#%$%$
#
vlan batch 10 20
#
interface Vlanif10
ip address 3.0.1.2 255.255.255.0
#
interface Vlanif20
ip address 1.0.1.2 255.255.255.0
#
#
#
ospf
1
area
0.0.0.0
network 1.0.1.0 0.0.0.255
network 3.0.1.0 0.0.0.255
#
return

11.3.4 Example for Configuring NTP Multicast Mode

As shown in Figure 11-8, SwitchF, SwitchC, and SwitchD are on a local area network (LAN).
SwitchA directly connects to SwitchF. SwitchC directly synchronizes its clock to an
authoritative clock, the Global Positioning System (GPS), by radio.
To provide charging services, the clocks of all switches on the network need to be synchronized
to the clock of SwitchC.
Figure 11-8 Networking diagram for configuring NTP multicast mode

Eth0/0/1
VLANIF10
3.0.1.31/24
Eth0/0/1 Eth0/0/1 Eth0/0/2
1.0.1.11/24 1.0.1.2/24 3.0.1.2/24 SwitchC
SwitchA SwitchF Eth0/0/1

VLANIF10
3.0.1.32/24
SwitchD
You can configure the NTP protocol to synchronize time, and use the NTP multicast mode to
meet the user's requirement. The configuration roadmap is as follows:
1. Configure SwitchC as the primary time server, use the local clock as the NTP primary
clock, and set the clock stratum to 3.
2. Configure SwitchC as the NTP multicast server that sends multicast packets from interface
VLANIF10 (the corresponding physical interface is Eth0/0/1).
3. Configure SwitchA, SwitchD, and SwitchF as NTP multicast clients. SwitchA uses
VLANIF20 (the corresponding physical interface is Eth0/0/1) to listen to the multicast
packets. SwitchD uses VLANIF10 (the corresponding physical interface is Eth0/0/1) to
listen to the multicast packets. SwitchF uses VLANIF10 (the physical interface is
Eth0/0/2) to listen to the multicast packets.
4. Configure a multicast route, so that SwitchA can receive the multicast packets.
Procedure
Step 1 Configure an IP address for each interface according to Figure 11-8, and configure reachable
routes between the switches.
# Configure an IP address for the interface and configure a routing protocol on SwitchA.
[SwitchA] vlan 20


[SwitchA] ospf 1
For details about the configurations of SwitchC, SwitchD, and SwitchF, see "Configuration
Files".
Step 2 Configure the NTP multicast server.
# Configure the local clock of SwitchC as the NTP primary clock, and set the clock stratum to
2.
[SwitchC] ntp-service refclock-master 2
# Configure SwitchC as the NTP multicast server that sends NTP multicast packets from
interface VLANIF10.
[SwitchC-Vlanif10] ntp-service multicast-server
Step 3 Configure the NTP multicast client SwitchD on a network segment the same as that of the NTP
server.
# Configure SwitchD as the NTP multicast client that listens to the NTP multicast packets from
interface VLANIF10.
[SwitchD-Vlanif10] ntp-service multicast-client
Step 4 Configure the NTP multicast client SwitchA on a network segment different from that of the
server.
# Configure SwitchA as the NTP multicast client that listens to the NTP multicast packets from
interface VLANIF20.
[SwitchA-Vlanif20] ntp-service multicast-client
Step 5 Configure a multicast route, so that SwitchA on a network segment different from that of
SwitchC can receive NTP multicast packets.
# Configure the multicast routing function on SwitchC.
[SwitchC] multicast routing-enable
# Configure the multicast routing function on SwitchF.
[SwitchF] multicast routing-enable
[SwitchF] interface vlanif 20
[SwitchF-Vlanif20] pim sm
[SwitchF-Vlanif20] igmp enable
[SwitchF-Vlanif20] igmp static-group 224.0.1.1
[SwitchF-Vlanif20] quit
[SwitchF] pim
[SwitchF-pim] c-bsr vlanif 20
[SwitchF-pim] c-rp vlanif 20

[SwitchF-pim] quit
[SwitchF] interface ethernet 0/0/1
[SwitchF-Ethernet0/0/1] l2-multicast static-group group-address 224.0.1.1 vlan 20
[SwitchF-Ethernet0/0/1] quit

After the preceding configuration is complete, SwitchD and SwitchA can synchronize their
clocks to the clock of SwitchC.
stratum lower than that of the clock of the server SwitchC.
clock stratum: 3
root delay: 0.00 ms
# Check the NTP status of SwitchA, and you can find that the clock status is "synchronized",
stratum lower than that of the clock of the server SwitchC.
[SwitchA] display ntp-service status
clock stratum: 3
----End
Configuration Files
#
sysname SwitchA
#
vlan batch 20
#
interface Vlanif20
ip address 1.0.1.11 255.255.255.0
ntp-service multicast-client
#
#
ospf
1
area
0.0.0.0
network 1.0.1.0 0.0.0.255

#
return
#
sysname SwitchC
#
vlan batch 10
#
#
#
interface Vlanif10
ip address 3.0.1.31 255.255.255.0
pim sm
ntp-service multicast-server
#
#
ospf
1
area
0.0.0.0
network 3.0.1.0 0.0.0.255
#
return
#
sysname SwitchD
#
vlan batch 10
#
interface Vlanif10
ip address 3.0.1.32 255.255.255.0
ntp-service multicast-client
#
#
ospf
1
area
0.0.0.0
network 3.0.1.0 0.0.0.255
#
return
#
sysname SwitchF
#
vlan batch 10 20
#
#
interface Vlanif10
ip address 3.0.1.2 255.255.255.0
#
interface Vlanif20
ip address 1.0.1.2 255.255.255.0
pim sm
igmp enable
igmp static-group 224.0.1.1
#


l2-multicast static-group group-address 224.0.1.1 vlan 20
#
#
pim
c-bsr Vlanif20
c-rp Vlanif20
#
ospf
1
area
0.0.0.0
network 1.0.1.0 0.0.0.255
network 3.0.1.0 0.0.0.255
#
return
11.4 Ping and Tracert Configuration

You can use the ping command to check network connectivity, and the tracert command to
check the path from the source to the destination and to locate faults on the network.
11.4.1 Example for Performing Ping and Tracert Operations
As shown in Figure 11-9, after configuring SwitchA, check the link between SwitchA and the
log host. If the link is disconnected, you need to locate the fault.
Figure 11-9 Networking diagram of ping and tracert operations
1.1.1.1/24 1.1.2.1/24 1.1.3.1/24

1.1.1.2/24 1.1.2.2/24 1.1.3.2/24
SwitchA SwitchB SwitchC Log host
1. Run the ping command on SwitchA to check connectivity between SwitchA and the log
host.
2. Run the tracert command to locate the faulty link segment if the link is disconnected.
Procedure
Step 1 Run the ping command.
# Run the ping command on SwitchA to check connectivity between SwitchA and the log host.


Request time out
Request time out
Request time out
Request time out
Request time out

100.00% packet loss
The output on SwitchA shows that the log host is unreachable, which indicates that a fault occurs
on the link between SwitchA and the log host.
Step 2 Run the tracert command.
# Run the tracert command on SwitchA to locate the faulty link segment.
<Quidway> tracert 1.1.3.2
traceroute to 1.1.3.2(1.1.3.2), max hops: 30 ,packet length: 40
1 1.1.1.2 4 ms 5 ms 5 ms
2 * * *
3 * * *
4 * * *
5 * * *
6 * * *
7 * * *
8 * * *
...
The preceding output shows that the ICMP Echo Request packet passes SwitchB but does not
reach SwitchC. This indicates that the link between SwitchB and SwitchC fails. After the link
between SwitchB and SwitchC is recovered, repeat Step 1 and Step 2 to ensure that SwitchA
and the log host can communicate properly.
----End
11.5 NQA Configuration

This chapter describes how to configure the Network Quality Analysis (NQA) to monitor the
network operating status and collect network operation indexes in real time.
11.5.1 Example for Configuring a DNS Test Instance
As shown in Figure 11-10, SwitchA functions as a DNS client to access the host 10.2.1.1/24,
using a domain name server.com.

Figure 11-10 Networking diagram for configuring a DNS test instance

server.com
10.2.1.1/24
SwitchA
Eth0/0/1 IP Network
VLANIF100
10.1.1.1/24
DNS Server
10.3.1.1/24
1. Configure SwitchA as an NQA client.

2. Create and start a DNS test instance on the SwitchA to check whether SwitchA can set up
a connection with the DNS server and to obtain the speed of responding to an address
resolution request.
Procedure
Step 1 Configure IP addresses for the interfaces on the SwitchA and ensure reachable routes between
SwitchA and server.com, SwitchA and the DNS server.
[SwitchA] vlan 100
[SwitchA] interface Vlanif 100
[SwitchA] ospf
Step 2 Configure an NQA DNS test instance.

[SwitchA] dns server 10.3.1.1
[SwitchA] nqa test-instance admin dns
[SwitchA-nqa-admin-dns] test-type dns
[SwitchA-nqa-admin-dns] dns-server ipv4 10.3.1.1
[SwitchA-nqa-admin-dns] destination-address url server.com
Step 3 Start the test instance.

[SwitchA-nqa-admin-dns] start now

[SwitchA-nqa-admin-dns] display nqa results test-instance admin dns

NQA entry(admin, dns) :testflag is inactive ,testtype is dns

1 . Test 1 result The test is finished
Send operation times: 1 Receive response times: 1
Completion:success RTD OverThresholds number: 0
Attempts number:1 Drop operation number:0
Disconnect operation number:0 Operation timeout number:0
System busy operation number:0 Connection fail number:0
Operation sequence errors number:0 RTT Status errors number:0
Destination ip address: 10.3.1.1
Min/Max/Average Completion Time: 1/1/1
Sum/Square-Sum Completion Time: 1/1
Last Good Probe Time: 2012-07-20 16:23:49.1
Lost packet ratio: 0 %
----End
Configuration Files
#
sysname SwitchA
#
vlan batch 100
#
dns resolve
dns server 10.3.1.1
#
interface Vlanif100
ip address 10.1.1.1 255.255.255.0
#
#
ospf 1
area 0.0.0.0
network 10.1.1.0 0.0.0.255
#
nqa test-instance admin dns
test-type dns
destination-address url server.com
dns-server ipv4 10.3.1.1
#
return
11.5.2 Example for Configuring an FTP Download Test Instance
As shown in Figure 11-11, the performance of the FTP download function needs to be checked.
Figure 11-11 Networking diagram for configuring an FTP download test instance
SwitchA SwitchB
Eth0/0/1 Eth0/0/1
VLANIF100 VLANIF100
10.1.1.1/24 10.1.1.2/24


2. Configure SwitchB as the FTP server. Log in to the FTP server using user name user1 and
password hello123 to download file test.txt.
3. Create and start an FTP test instance on SwitchA to check whether SwitchA can set up a
connection with the FTP server and to obtain duration for downloading the file from the
FTP server.
Procedure
# Configure an IP address for SwitchB.

[SwitchB] vlan 100
[SwitchB] interface Vlanif 100
Configure SwitchB as the FTP server.

[SwitchB] ftp server enable
[SwitchB] aaa
[SwitchB-aaa] local-user user1 password cipher hello123
[SwitchB-aaa] local-user user1 privilege level 15
[SwitchB-aaa] local-user user1 service-type ftp
[SwitchB-aaa] local-user user1 ftp-directory flash:/
[SwitchB-aaa] quit
# Configure an IP address for SwitchA.

[SwitchA] vlan 100
# Create an NQA FTP test instance on SwitchA.

[SwitchA] nqa test-instance admin ftp
[SwitchA-nqa-admin-ftp] test-type ftp
[SwitchA-nqa-admin-ftp] destination-address ipv4 10.1.1.2
[SwitchA-nqa-admin-ftp] source-address ipv4 10.1.1.1
[SwitchA-nqa-admin-ftp] ftp-operation get
[SwitchA-nqa-admin-ftp] ftp-username user1
[SwitchA-nqa-admin-ftp] ftp-password hello123
[SwitchA-nqa-admin-ftp] ftp-filename test.txt

[SwitchA-nqa-admin-ftp] start now


[SwitchA-nqa-admin-ftp] display nqa results test-instance admin ftp
NQA entry(admin, ftp) :testflag is inactive ,testtype is ftp
SendProbe:1 ResponseProbe:1
Completion :success RTD OverThresholds number: 0
MessageBodyOctetsSum: 448 Stats errors number: 0
Operation timeout number: 0 System busy operation number:0
Drop operation number:0 Disconnect operation number: 0
CtrlConnTime Min/Max/Average: 438/438/438
DataConnTime Min/Max/Average: 218/218/218
SumTime Min/Max/Average: 656/656/656
Average RTT:656
Lost packet ratio:0 %
----End
Configuration Files
#
sysname SwitchA
#
vlan batch 100
#
interface Vlanif100
ip address 10.1.1.1 255.255.255.0
#
#
nqa test-instance admin
ftp
test-type
ftp
destination-address ipv4 10.1.1.2
source-address ipv4 10.1.1.1
ftp-username user1
ftp-password cipher %$%$1nVEX3:p~"cVPtV0[=[W^D;2%$%$
ftp-filename test.txt
ftp-operation get
#
return

#
sysname SwitchB
#
vlan batch 100
#
interface Vlanif100
ip address 10.1.1.2 255.255.255.0
#
#
FTP server enable
#
aaa
local-user user1 password cipher %$%$1nVEX3:p~"cVPtV0[=[W^D;2%$%$
local-user user1 privilege level 15
local-user user1 ftp-directory flash:/
local-user user1 service-type ftp
#
return

11.5.3 Example for Configuring an FTP Upload Test Instance
As shown in Figure 11-12, the speed of uploading a file from SwitchA to an FTP server needs
to be tested.
Figure 11-12 Networking diagram for configuring an FTP upload test instance
SwitchA SwitchB
Eth0/0/1 Eth0/0/1
VLANIF100 VLANIF100
10.1.1.1/24 10.1.1.2/24
1. Configure Switch A as an NQA client as well as an FTP client. Create and start an FTP test
instance on SwitchA to check whether SwitchA can set up a connection with the FTP server
and to obtain the time taken by SwitchA to upload a file to the FTP server.
2. A user named user1 logs in to the FTP server by entering the password hello123 to upload
a file with the size being 10 KB.
Procedure
# Configure an IP address for SwitchB.
[SwitchB] vlan 100
# Configure SwitchB as the FTP server.

[SwitchB] ftp server enable
[SwitchB] aaa
[SwitchB-aaa] local-user user1 password cipher hello123
[SwitchB-aaa] local-user user1 privilege level 15
[SwitchB-aaa] local-user user1 service-type ftp
[SwitchB-aaa] local-user user1 ftp-directory flash:/
[SwitchB-aaa] quit

# Configure an IP address for SwitchA.
[SwitchA] vlan 100

# Create an NQA FTP test on SwitchA and create a file of 10 KB for uploading.
[SwitchA] nqa test-instance admin ftp
[SwitchA-nqa-admin-ftp] test-type ftp
[SwitchA-nqa-admin-ftp] destination-address ipv4 10.1.1.2
[SwitchA-nqa-admin-ftp] source-address ipv4 10.1.1.1
[SwitchA-nqa-admin-ftp] ftp-operation put
[SwitchA-nqa-admin-ftp] ftp-username user1
[SwitchA-nqa-admin-ftp] ftp-password hello123
[SwitchA-nqa-admin-ftp] ftp-filesize 10

[SwitchA-nqa-admin-ftp] start now

# Check NQA test results on SwitchA.
[SwitchA-nqa-admin-ftp] display nqa results test-instance admin ftp
NQA entry(admin, ftp) :testflag is inactive ,testtype is ftp
Completion :success RTD OverThresholds number: 0
MessageBodyOctetsSum: 10240 Stats errors number: 0
Operation timeout number: 0 System busy operation number:0
Drop operation number:0 Disconnect operation number: 0
CtrlConnTime Min/Max/Average: 657/657/657
DataConnTime Min/Max/Average: 500/500/500
SumTime Min/Max/Average: 1157/1157/1157
Average RTT:656
Lost packet ratio:0 %
# On SwitchB, you can view that a file named nqa-ftp-test.txt is added. Part of the file on the
SwitchB is displayed.
<SwitchB> dir
0 -rw- 331 Jul 06 2007 18:34:34 private-data.txt
1 -rw- 10,240 Jul 06 2007 18:37:06 nqa-ftp-test.txt
----End
Configuration Files
#
sysname SwitchA
#
vlan batch 100
#
interface Vlanif100
ip address 10.1.1.1 255.255.255.0
#
#

ftp
test-type
ftp
source-address ipv4 10.1.1.1
ftp-filesize 10
ftp-username user1
ftp-password cipher %$%$1nVEX3:p~"cVPtV0[=[W^D;2%$%$
ftp-operation put
#
return

#
sysname SwitchB
#
vlan batch 100
#
interface Vlanif100
ip address 10.1.1.2 255.255.255.0
#
#
FTP server enable
#
aaa
local-user user1 password cipher %$%$1nVEX3:p~"cVPtV0[=[W^D;2%$%$
local-user user1 privilege level 15
local-user user1 ftp-directory flash:/
local-user user1 service-type ftp
#
return
11.5.4 Example for Configuring an HTTP Test Instance
As shown in Figure 11-13, SwitchA is connected to the HTTP server over a WAN to test the
speed of SwitchA accessing the HTTP server.
Figure 11-13 Networking diagram for configuring an HTTP test instance
HTTP Server
10.2.1.1/24
Switch A
Eth0/0/1 IP Network
VLANIF100
10.1.1.1/24

2. Create and start an HTTP test instance on the SwitchA to check whether SwitchA can set
up a connection with the HTTP server and to check the duration for transferring files
between SwitchA and the HTTP server.
Procedure
Step 1 Configure IP addresses for the interfaces on the SwitchA and ensure reachable routes between
SwitchA and the HTTP server.
[SwitchA] vlan 100
[SwitchA] ospf
Step 2 Enable the NQA client and create an NQA HTTP test instance.
[SwitchA] nqa test-instance admin http
[SwitchA-nqa-admin-http] test-type http
[SwitchA-nqa-admin-http] destination-address ipv4 10.2.1.1
[SwitchA-nqa-admin-http] http-operation get
[SwitchA-nqa-admin-http] http-url www.huawei.com

[SwitchA-nqa-admin-http] start now

[SwitchA-nqa-admin-http] display nqa results test-instance admin http
NQA entry(admin, http) :testflag is inactive ,testtype is http
Completion:success RTD OverThresholdsnumber: 0
MessageBodyOctetsSum: 411 TargetAddress: 10.2.1.1
DNSQueryError number: 0 HTTPError number: 0
TcpConnError number : 0 System busy operation number:0
DNSRTT Sum/Min/Max:0/0/0 TCPConnectRTT Sum/Min/Max: 4/1/2
TransactionRTT Sum/Min/Max: 3/1/1
RTT Sum/Min/Max/Avg: 7/2/3/2
DNSServerTimeout:0 TCPConnectTimeout:0 TransactionTimeout: 0
Lost packet ratio:0%
----End
Configuration Files
#
sysname SwitchA
#
vlan batch 100
#
interface Vlanif100
ip address 10.1.1.1 255.255.255.0
#

#
ospf 1
area 0.0.0.0
network 10.1.1.0 0.0.0.255
#
nqa test-instance admin http
test-type http
http-url www.huawei.com
http-operation get
#
return
11.5.5 Example for Configuring an ICMP Test Instance
As shown in Figure 11-14, SwitchA functions as an NQA client to test whether SwitchB is
reachable.
Figure 11-14 Networking diagram for configuring an ICMP test instance
SwitchA SwitchB
Eth0/0/1 Eth0/0/1
VLANIF100 VLANIF100
NQA Client 10.1.1.1/24 10.1.1.2/24
1. Perform the NQA ICMP test function to test whether the packet sent by SwitchA can reach
SwitchB.
2. Perform the NQA ICMP test to obtain the RTT of the packet.
Procedure
Step 1 # Configure an IP address for SwitchA.
[SwitchA] vlan 100
Step 2 # Configure an IP address for SwitchB.

[SwitchB] vlan 100

Step 3 Enable the NQA client and create an NQA ICMP test instance.
[SwitchA] nqa test-instance admin icmp
[SwitchA-nqa-admin-icmp] test-type icmp
[SwitchA-nqa-admin-icmp] destination-address ipv4 10.1.1.2

[SwitchA-nqa-admin-icmp] start now

[SwitchA-nqa-admin-icmp] display nqa results test-instance admin icmp
NQA entry(admin, icmp) :testflag is inactive ,testtype is icmp
Operation sequence errors number:0 RTT Status errors number:0
Destination ip address:10.1.1.2
----End
Configuration Files
#
sysname SwitchA
#
vlan batch 100
#
interface Vlanif100
ip address 10.1.1.1 255.255.255.0
#
#
nqa test-instance admin icmp
test-type icmp
#
return

#
sysname SwitchB
#
vlan batch 100
#
interface Vlanif100
ip address 10.1.1.2 255.255.255.0
#
#
return

11.5.6 Example for Configuring an ICMP Jitter Test Instance
As shown in Figure 11-15, SwitchA and SwitchB communicate at Layer 3 using VLANIF
interfaces.
SwitchA functions as the NQA client to test the jitter of the network between SwtichA and
SwtichB.
Figure 11-15 Networking diagram for configuring an ICMP jitter test instance
GE0/0/1 GE0/0/1
VLANIF10 VLANIF10
10.1.1.1/24 10.1.1.2/24
SwitchA SwitchB
1. Configure SwtichA as an NQA client and create an ICMP jitter test instance on SwtichA.
Procedure
[SwitchA] vlan 10
[SwitchA] interface gigabitEthernet 0/0/1
[SwitchB] vlan 10
[SwitchB] interface gigabitEthernet 0/0/1
Step 2 Create VLANIF interfaces and assign IP addresses to the VLANIF interfaces.
[SwitchA-Vlanif10] qiut


Step 3 # Enable the NQA client and create an ICMP jitter NQA test instance.
[SwitchA] nqa test-instance admin icmpjitter
[SwitchA-nqa-admin-icmpjitter] test-type icmpjitter
[SwitchA-nqa-admin-icmpjitter] destination-address ipv4 10.1.1.2
Step 4 Start the test instance immediately.

[SwitchA-nqa-admin-icmpjitter] start now

[SwitchA-nqa-admin-icmpjitter] display nqa results test-instance admin icmpjitter
NQA entry(admin, icmpjitter) :testflag is inactive ,testtype is icmpjitter
Completion:success RTD OverThresholds number:0
Min/Max/Avg/Sum RTT:1/160/25/1513 RTT Square Sum:92613
NumOfRTT:60 Drop operation number:0
Operation sequence errors number:0 RTT Stats errors number:0
System busy operation number:0 Operation timeout number:0
Min Positive SD:10 Min Positive DS:10
Max Positive SD:140 Max Positive DS:20
Positive SD Number:13 Positive DS Number:8
Positive SD Sum:510 Positive DS Sum:90
Positive SD Square Sum:37100 Positive DS Square Sum:1100
Min Negative SD:10 Min Negative DS:10
Max Negative SD:50 Max Negative DS:20
Negative SD Number:19 Negative DS Number:7
Negative SD Sum:510 Negative DS Sum:80
Negative SD Square Sum:19500 Negative DS Square Sum:1000
Min Delay SD:0 Min Delay DS:0
Avg Delay SD:12 Avg Delay DS:11
Max Delay SD:80 Max Delay DS:79
Packet Loss SD:0 Packet Loss DS:0
Packet Loss Unknown:0 Average of Jitter:25
Average of Jitter SD:31 Average of Jitter DS:11
Jitter out value:12.5280771 Jitter in value:1.7729331
NumberOfOWD:60 OWD SD Sum:750
OWD DS Sum:703 TimeStamp unit: ms
Packet Rewrite Number: 0 Packet Rewrite Ratio: 0%
Packet Disorder Number: 0 Packet Disorder Ratio: 0%
Fragment-disorder Number: 0 Fragment-disorder Ratio: 0%
----End
Configuration Files
#
sysname SwitchA
#
vlan batch 10
#
interface Vlanif10
ip address 10.1.1.1 255.255.255.0
#
#
nqa test-instance admin icmpjitter
test-type icmpjitter
#
return


#
sysname SwitchB
#
vlan batch 10
#
interface Vlanif10
ip address 10.1.1.2 255.255.255.0
#
#
return
11.5.7 Example for Configuring an SNMP Query Test Instance
As shown in Figure 11-16, SNMP agent is enabled on SwitchA and SwitchC. An NQA SNMP
query test needs to be performed to obtain the time from when SwitchA sends an SNMP query
packet to when SwitchA receives an Echo packet.
Figure 11-16 Networking diagram for configuring an SNMP query test instance

Eth0/0/1 Eth0/0/1 Eth0/0/2 Eth0/0/1
10.1.1.1/24 10.1.1.2/24 10.2.1.1/24 10.2.1.2/24
SNMP Agent

2. Enable SNMP agent on SwitchA.
3. Create and start an SNMP query test instance on SwitchA.
4. Enable the SNMP agent on SwitchC.
Procedure
Step 1 Configure an IP address for each interface and ensure reachable routes between switches, as
shown in Figure 11-16.
[SwitchA] vlan 100

NOTE
For configurations of SwitchB and SwitchC, see the configuration files.
Step 2 Enable SNMP agent on SwitchC.

[SwitchC] snmp-agent
Step 3 Enable SNMP agent on SwitchA.

[SwitchA] snmp-agent
Step 4 Create an SNMP query test instance on SwitchA.

[SwitchA] nqa test-instance admin snmp
[SwitchA-nqa-admin-snmp] test-type snmp
[SwitchA-nqa-admin-snmp] destination-address ipv4 10.2.1.2

[SwitchA-nqa-admin-snmp] start now

[SwitchA-nqa-admin-snmp] display nqa results test-instance admin snmp
NQA entry(admin, snmp) :testflag is inactive ,testtype is snmp
Min/Max/Average Completion Time:
63/172/109
Sum/Square-Sum Completion Time:
329/42389
----End
Configuration Files
#
sysname SwitchA
#
vlan batch 100
#
snmp-agent
#
interface Vlanif100
ip address 10.1.1.1 255.255.255.0
#
#
ip route-static 10.2.1.0 255.255.255.0 10.1.1.2
#
snmp
test-type

snmp
#
return

#
sysname SwitchB
#
vlan batch 100 110
#
interface Vlanif100
ip address 10.1.1.2 255.255.255.0
#
interface Vlanif110
ip address 10.2.1.1 255.255.255.0
#
#
#
return

#
sysname SwitchC
#
vlan batch 110
#
snmp-agent
#
interface Vlanif110
ip address 10.2.1.2 255.255.255.0
#
#
ip route-static 10.1.1.0 255.255.255.0 10.2.1.1
#
return
11.5.8 Example for Configuring a TCP Test Instance
As shown in Figure 11-17, an NQA TCP test needs to be performed to obtain the duration for
setting up a TCP connection with SwitchC.
Figure 11-17 Networking diagram for configuring a TCP test instance

Eth0/0/1 Eth0/0/1 Eth0/0/2 Eth0/0/1
NQA Client 10.1.1.1/24 10.1.1.2/24 10.2.1.1/24 10.2.1.2/24 NQA Server

1. Configure SwitchA as an NQA client and configure SwitchC as an NQA server.
2. Configure the monitoring port number on the NQA server and create an NQA TCP test
instance on the NQA client.
Procedure
[SwitchA] vlan 100
NOTE
Step 2 Configure an NQA server on SwitchC.

# Configure the IP address and port number for monitoring TCP connections on the NQA server.
[SwitchC] nqa-server tcpconnect 10.2.1.2 9000
Step 3 Configure the NQA client on SwitchA.

# Enable the NQA client and create a TCP test instance.
[SwitchA] nqa test-instance admin tcp
[SwitchA-nqa-admin-tcp] test-type tcp
[SwitchA-nqa-admin-tcp] destination-address ipv4 10.2.1.2
[SwitchA-nqa-admin-tcp] destination-port 9000

[SwitchA-nqa-admin-tcp] start now

[SwitchA-nqa-admin-tcp] display nqa results test-instance admin tcp
NQA entry(admin, tcp) :testflag is inactive ,testtype is tcp
46/63/52
156/8294


----End
Configuration Files
#
sysname SwitchA
#
vlan batch 100
#
interface Vlanif100
ip address 10.1.1.1 255.255.255.0
#
#
ip route-static 10.2.1.0 255.255.255.0 10.1.1.2
#
tcp
test-type
tcp
destination-port 9000
#
return

#
sysname SwitchB
#
vlan batch 100 110
#
interface Vlanif100
ip address 10.1.1.2 255.255.255.0
#
interface Vlanif110
ip address 10.2.1.1 255.255.255.0
#
#
#
return

#
sysname SwitchC
#
vlan batch 110
#
interface Vlanif110
ip address 10.2.1.2 255.255.255.0
#
#
nqa-server tcpconnect 10.2.1.2 9000
#

ip route-static 10.1.1.0 255.255.255.0 10.2.1.1

#
return
11.5.9 Example for Configuring a Trace Test Instance
As shown in Figure 11-18, a trace test needs to be performed to trace the IP address of
VLANIF110 of SwitchC on SwitchA.
Figure 11-18 Networking diagram for configuring a trace test instance

Eth0/0/1 Eth0/0/1 Eth0/0/2 Eth0/0/1
NQA Client 10.1.1.1/24 10.1.1.2/24 10.2.1.1/24 10.2.1.2/24
2. Create and start a trace test instance on SwitchA to obtain statistics about each hop from
SwitchA to SwitchC.
Procedure
[SwitchA] vlan 100
NOTE
Step 2 Create an NQA trace test instance on SwitchA and set the destination IP address to 10.2.1.2.
[SwitchA] nqa test-instance admin trace
[SwitchA-nqa-admin-trace] test-type trace
[SwitchA-nqa-admin-trace] destination-address ipv4 10.2.1.2

[SwitchA-nqa-admin-trace] start now


[SwitchA-nqa-admin-trace] display nqa results test-instance admin trace

NQA entry(admin, trace) :testflag is inactive ,testtype is trace
Completion:success Attempts number:1
Drop operation number:0
Last good path Time:2012-07-17 11:21:27.2
1 . Hop 1
RTD OverThresholds number: 0
2 . Hop 2
RTD OverThresholds number: 0
----End
Configuration Files
#
sysname SwitchA
#
vlan batch 100
#
interface Vlanif100
ip address 10.1.1.1 255.255.255.0
#
#
nqa test-instance admin trace
test-type trace
#
ip route-static 10.2.1.0 255.255.255.0 10.1.1.2
#
return

#
sysname SwitchB
#
vlan batch 100 110
#
interface Vlanif100
ip address 10.1.1.2 255.255.255.0
#
interface Vlanif110
ip address 10.2.1.1 255.255.255.0
#
#


#
return

#
sysname SwitchC
#
vlan batch 110
#
interface Vlanif110
ip address 10.2.1.2 255.255.255.0
#
#
ip route-static 10.1.1.0 255.255.255.0 10.2.1.1
#
return
11.5.10 Example for Configuring a UDP Test Instance
As shown in Figure 11-19, an NQA UDP test needs to be performed to obtain the RTT of a
UDP packet transmitted between SwitchA and SwitchC.
Figure 11-19 Networking diagram for configuring a UDP test instance

Eth0/0/1 Eth0/0/1 Eth0/0/2 Eth0/0/1
2. Configure the port number monitored by the NQA server and create an NQA UDP test
instance on the NQA client.
Procedure
[SwitchA] vlan 100

NOTE
# Configure the monitoring IP address and UDP port number on the NQA server.
[SwitchC] nqa-server udpecho 10.2.1.2 6000
Step 3 Configure the NQA client on SwitchA.
# Enable the NQA client and create a UDP test instance.

[SwitchA] nqa test-instance admin udp
[SwitchA-nqa-admin-udp] test-type udp
[SwitchA-nqa-admin-udp] destination-address ipv4 10.2.1.2
[SwitchA-nqa-admin-udp] destination-port 6000

[SwitchA-nqa-admin-udp] start now

[SwitchA-nqa-admin-udp] display nqa results test-instance admin udp
NQA entry(admin, udp) :testflag is inactive ,testtype is udp
32/109/67
203/16749
----End
Configuration Files
#
sysname SwitchA
#
vlan batch 100
#
interface Vlanif100
ip address 10.1.1.1 255.255.255.0
#
#
nqa test-instance admin udp
test-type udp
#
ip route-static 10.2.1.0 255.255.255.0 10.1.1.2

#
return

#
sysname SwitchB
#
vlan batch 100 110
#
interface Vlanif100
ip address 10.1.1.2 255.255.255.0
#
interface Vlanif110
ip address 10.2.1.1 255.255.255.0
#
#
#
return

#
sysname SwitchC
#
vlan batch 110
#
interface Vlanif110
ip address 10.2.1.2 255.255.255.0
#
#
nqa-server udpecho 10.2.1.2 6000
#
ip route-static 10.1.1.0 255.255.255.0 10.2.1.1
#
return
11.5.11 Example for Configuring a UDP Jitter Test Instance
As shown in Figure 11-20, a UDP Jitter test needs to be performed to obtain the jitter time of
transmitting a packet from SwitchA to SwitchC.
Figure 11-20 Networking diagram for configuring a jitter test instance

Eth0/0/1 Eth0/0/1 Eth0/0/2 Eth0/0/1


2. Configure the monitoring service type and port number on the NQA server.
3. Create a UDP Jitter test instance on the NQA client.
Procedure
[SwitchA] vlan 100
NOTE

# Configure the monitoring IP address and UDP port number on the NQA server.

# Enable the NQA client and create a UDP Jitter test instance.
[SwitchA] nqa test-instance admin jitter
[SwitchA-nqa-admin-jitter] test-type jitter
[SwitchA-nqa-admin-jitter] destination-address ipv4 10.2.1.2
[SwitchA-nqa-admin-jitter] destination-port 9000

[SwitchA-nqa-admin-jitter] start now

[SwitchA-nqa-admin-jitter] display nqa results test-instance admin jitter
NQA entry(admin, jitter) :testflag is inactive ,testtype is jitter


jitter out value:2.5940387 jitter in value:2.1560009
----End
Configuration Files
#
sysname SwitchA
#
vlan batch 100
#
interface Vlanif100
ip address 10.1.1.1 255.255.255.0
#
#
nqa test-instance admin jitter
test-type jitter
#
ip route-static 10.2.1.0 255.255.255.0 10.1.1.2
#
return

#
sysname SwitchB
#
vlan batch 100 110
#
interface Vlanif100
ip address 10.1.1.2 255.255.255.0
#
interface Vlanif110
ip address 10.2.1.1 255.255.255.0
#
#
#
return

#
sysname SwitchC
#
vlan batch 110
#
interface Vlanif110
ip address 10.2.1.2 255.255.255.0
#


#
#
ip route-static 10.1.1.0 255.255.255.0 10.2.1.1
#
return
11.5.12 Example for Sending Trap Massages to the NMS When the
Threshold Is Exceeded
A Jitter test needs to be performed to configure a transmission delay threshold and enable the
trap function as shown in Figure 11-21. After the jitter test is complete, SwitchA sends a trap
message to the NMS when the RTT of the test packet exceeds the configured two-way
transmission threshold. According to the traps received by the NMS, network administrators can
easily locate the fault.
Figure 11-21 Networking diagram for sending traps to NMS when the threshold is exceeded
NM Station
20.1.1.2/24
Eth0/0/2
VLANIF10
20.1.1.1/24 SwitchB SwitchC
Eth0/0/1 Eth0/0/1 Eth0/0/2 Eth0/0/1
10.1.1.1/24 10.1.1.2/24 30.1.1.1/24 30.1.1.2/24
SwitchA NQA Server
NQA Client
1. Configure SwitchC as the NQA server and configure the host IP address and port number.
2. Configure SwitchA as the NQA client, configure a threshold for the NQA alarm, and enable
the trap function.
3. Create a jitter test instance on SwitchA.
Procedure


NOTE
Step 2 Configure the IP address and port number for monitoring UDP services on SwitchC.
Step 3 Create a jitter test instance on SwitchA.

[SwitchA-nqa-admin-jitter] test-type jitter
[SwitchA-nqa-admin-jitter] destination-address ipv4 30.1.1.2
[SwitchA-nqa-admin-jitter] destination-port 9000
Step 4 Set a threshold on SwitchA.

# Configure the RTD threshold on SwitchA.
[SwitchA-nqa-admin-jitter] threshold rtd 20
Step 5 Enable the trap function on SwitchA.

[SwitchA-nqa-admin-jitter] send-trap rtd
[SwitchA-nqa-admin-jitter] quit
Step 6 Configure traps to be sent to the NMS.

[SwitchA] snmp-agent sys-info version v2c
[SwitchA] snmp-agent community write nsmsecurity
[SwitchA] snmp-agent target-host trap address udp-domain 20.1.1.2 params
securityname switchA
[SwitchA] snmp-agent trap enable

[SwitchA-nqa-admin-jitter] start now
[SwitchA-nqa-admin-jitter] quit
[SwitchA] quit

<SwitchA> display nqa result
NQA entry(admin, jitter) :testflag is inactive ,testtype is jitter


jitter out value:2.5940387 jitter in value:2.1560009
# Check whether traps are generated in the trap buffer.

<SwitchA> display trapbuffer
Trapping buffer configuration and contents : enabled
Allowed max buffer size : 1024
Actual buffer size : 256
Channel number : 3 , Channel name : trapbuffer
Dropped messages : 0
Overwritten messages : 3363
Current messages : 256
#Nov 15 2012 16:57:21+06:00 SwitchA NQA/4/RTDTHRESHOLD:OID

1.3.6.1.4.1.2011.5.25.111.6.16 NQA entry RTD over threshold. (OwnerIndex=admin,
TestName=jitter)
----End
Configuration Files
#
sysname SwitchA
#
vlan batch 10 20
#
interface Vlanif10
ip address 20.1.1.1 255.255.255.0
#
interface Vlanif20
ip address 10.1.1.1 255.255.255.0
#
#
#
snmp-
agent
snmp-agent local-engineid
800007DB0300E009877890
snmp-agent community write cipher %$%$*8GO(h4ev5m'kqN2o(sN&=[`%$%
$
snmp-agent sys-info version v2c
v3
snmp-agent target-host trap address udp-domain 20.1.1.2 params securityname
switchA
#
ip route-static 30.1.1.0 255.255.255.0 10.1.1.2

#
jitter
test-type
jitter
threshold rtd 20
send-trap rtd
#
return

#
sysname SwitchB
#
vlan batch 20 30
#
interface Vlanif20
ip address 10.1.1.2 255.255.255.0
#
interface Vlanif30
ip address 30.1.1.1 255.255.255.0
#
#
#
return

#
sysname SwitchC
#
vlan batch 30
#
interface Vlanif30
ip address 30.1.1.2 255.255.255.0
#
#
#
ip route-static 10.1.1.0 255.255.255.0 30.1.1.1
#
return
11.6 LLDP Configuration

The Link Layer Discovery Protocol (LLDP) allows you to obtain details about the network
topology, changes in the topology, and detect incorrect configurations on the network.
11.6.1 Example for Configuring LLDP on the Device That Has a

Single Neighbor

As shown in Figure 11-22, SwitchA and SwitchB are directly connected; SwitchA and ME are
directly connected; routes between the NMS and SwitchA, and the NMS and SwitchB are
reachable; SNMP is configured.
A network administrator wants to obtain communication information between SwitchA and ME,
and between SwitchA and SwitchB, and alarms of device function changes to know the detailed
network topology and configuration conflicts.
Figure 11-22 Single-neighbor network
Internet
NMS
10.10.10.1 Switch A
Eth0/0/1 Eth0/0/2
Eth0/0/1
10.10.10.2
Switch B ME
The LLDP function can meet the network administrator's requirement. The configuration
1. Enable global LLDP on SwitchA and SwitchB.
2. Configure management IP addresses for SwitchA and SwitchB.
3. Enable the LLDP trap function on SwitchA and SwitchB so that trap messages can be sent
to the NMS in a timely manner.
Procedure
Step 1 Enable global LLDP on SwitchA and SwitchB.
[SwitchA] lldp enable
[SwitchB] lldp enable
Step 2 Configure management IP addresses for SwitchA and SwitchB.


[SwitchA] lldp management-address 10.10.10.1
[SwitchB] lldp management-address 10.10.10.2
Step 3 Enable the LLDP trap function on SwitchA and SwitchB.
[SwitchA] snmp-agent trap enable feature-name lldptrap
[SwitchB] snmp-agent trap enable feature-name lldptrap

l Check SwitchA.
# Check the SwitchA configuration.
[SwitchA] display lldp local
System
information
Chassis
type :macAddress
Chassis ID :
00e0-11fc-1710
System name :SwitchA
System description :S3328TP-EI
Huawei Versatile Routing Platform Software
VRP (R) software,Version 5.70 (S3328 V100R006C05 )
Copyright (C) 2003-2012 Huawei Technologies Co., Ltd.
System capabilities
supported :bridge
System capabilities
enabled :bridge
LLDP Up time :2012/5/10
11:40:49
MED system information

Device class :Network
Connectivity
(MED inventory information of master
board)
HardwareRev :VER A
FirmwareRev :NA
SoftwareRev :Version 5.70 V100R006C05
SerialNum :NA
Manufacturer name :HUAWEI TECH CO.,
LTD
Model
name :NA
Asset tracking identifier :NA
System configuration
LLDP Status :enabled (default is disabled)
LLDP Message Tx Interval :30 (default is 30s)
LLDP Message Tx Hold Multiplier :4 (default is 4)
LLDP Refresh Delay :2 (default is 2s)
LLDP Tx Delay :2 (default is 2s)
LLDP Notification Interval :5 (default is 5s)
LLDP Notification Enable :enabled (default is disabled)
Management Address :IP: 10.10.10.1
Remote Table Statistics:

Remote Table Last Change Time :0 days, 5 hours, 57 minutes, 32 seconds
Remote Neighbors Added :15
Remote Neighbors Deleted :13

Remote Neighbors Dropped :0
Remote Neighbors Aged :0
Total Neighbors :2
Port
information:
Interface Ethernet0/0/1:
LLDP Enable Status :enabled (default is
disabled)
Total Neighbors :
1
Port ID
subtype :interfaceName
Port ID :Ethernet0/0/1
Port description :Ethernet0/0/1
Port And Protocol VLAN ID(PPVID) don't

supported
Port VLAN ID(PVID) :
1
VLAN name of VLAN 1:
VLAN1
Protocol identity :STP RSTP/MSTP LACP EthOAM
CFM
Auto-negotiation
supported :Yes
Auto-negotiation
enabled :Yes
OperMau :speed(100)/duplex(Full)
Power port
class :PD
PSE power
supported :No
PSE power
enabled :No
PSE pairs control
ability:No
Power
pairs :Unknown
Port power
classification:Unknown
Link aggregation
supported:Yes
Link aggregation
enabled :No
Aggregation port ID :
0
Maximum frame Size :
1600
MED port
information
Media policy
type :Voice
Unknown
Policy :Defined
VLAN
tagged :Yes
Media policy VlanID :
0

Media policy L2 priority :

6
Media policy Dscp :
46
Power
Type :Unknown
PoE PSE power
source :Unknown
Port PSE
Priority :Unknown
Port Available power value:0.0
(w)
---- More
----
# Check neighbor information of SwitchA.
[SwitchA] display lldp neighbor interface Ethernet0/0/1
Ethernet0/0/1 has 1 neighbors:
Neighbor index :
1
Chassis
type :macAddress
Chassis ID :
00e0-11fc-1710
Port ID
type :interfaceName
Port description :NA
System
name :SwitchB
System capabilities supported :bridge
System capabilities
enabled :bridge
Management address
type :ipV4
Management address :
10.10.10.2
Expired time :
104s

1
VLAN1
Protocol identity :
Auto-negotiation
supported :Yes
Auto-negotiation
enabled :Yes
Power port
class :PD
PSE power
supported :No
PSE power
enabled :No
PSE pairs control
ability:No
Power
pairs :Unknown

Port power
Link aggregation
supported:Yes
Link aggregation
enabled :No
0
Maximum frame Size :9216
MED Device
information
Connectivity
HardwareRev :VER.B
FirmwareRev :NA
SoftwareRev :Version 5.70

V100R006C05
SerialNum :NA
LTD
Model
name :NA
Asset tracking
identifier :NA
Media policy type :Voice

Unknown
Policy :Defined
VLAN
tagged :Yes
0
6
Media policy Dscp :
46
Power
Type :Unknown
PoE PSE power
source :Unknown
Port PSE
Priority :Unknown
(w)
l Check SwitchB.
Refer to the steps for checking SwitchA.
----End
Configuration Files
#
sysname SwitchA
#
lldp enable
#
interface
LoopBack1
ip address 10.10.10.1 255.255.255.255
#

lldp management-address 10.10.10.1

#
return

#
sysname SwitchB
#
lldp enable
#
interface
LoopBack1
ip address 10.10.10.2 255.255.255.255
#
#
return
11.6.2 Example for Configuring LLDP on the Device That Has

Multiple Neighbors
As shown in Figure 11-23, SwitchA, SwitchB, SwitchC are interconnected through an unknown
network. The NMS has reachable routes to SwitchA, SwitchB, SwitchC, and SNMP
configuration has been complete.
A network administrator wants to obtain Layer 2 information about SwitchA, SwitchB, and
SwitchC to know the detailed network topology and configuration conflicts.
Figure 11-23 Multiple-neighbor network

NMS
SNMP
SNMP
SwitchD SwitchF
LL LLDPDU
D
PD
U
LL
D
U
PD
PD
U
D
LLDPDU
SwitchE
LL
10.10.10.1
10.10.10.2
SwitchA 10.10.10.3
SwitchB SwitchC
LLDP interface SNMP packet
NMS: Network Management System LLDPDU packet

The LLDP function can be used to meet the network administrator's requirement. The
configuration roadmap is as follows:
1. Enable global LLDP on SwitchA, SwitchB, and SwitchC.
2. Configure management IP addresses for SwitchA, SwitchB, and SwitchC.
Procedure
Step 1 Enable global LLDP on SwitchA, SwitchB, and SwitchC.
[SwitchC] lldp enable
Step 2 Configure management IP addresses for SwitchA, SwitchB, and SwitchC.

[SwitchC] lldp management-address 10.10.10.3

l Check SwitchA.
# Check the SwitchA configuration.
<SwitchA> display lldp local
System
information
Chassis
type :macAddress
Chassis ID :
00e0-11fc-1710
System capabilities
supported :bridge
System capabilities
enabled :bridge
11:40:49


Connectivity
(MED inventory information of master
board)
HardwareRev :VER A
FirmwareRev :NA
SerialNum :NA
LTD
Model
name :NA

Total Neighbors :2
Port
information:
LLDP Enable Status :enabled (default is
disabled)
Total Neighbors :
1
Port ID
subtype :interfaceName
Port And Protocol VLAN ID(PPVID) don't

supported
1
VLAN1
Protocol identity :STP RSTP/MSTP LACP EthOAM
CFM
Auto-negotiation
supported :Yes
Auto-negotiation
enabled :Yes

Power port
class :PD
PSE power
supported :No
PSE power
enabled :No
PSE pairs control
ability:No
Power
pairs :Unknown
Port power
Link aggregation
supported:Yes
Link aggregation
enabled :No
0
Maximum frame Size :
1526
MED port
information

Unknown Policy :Defined
VLAN tagged :Yes
Media policy VlanID :0
Media policy L2 priority :6
Media policy Dscp :46
Power
Type :Unknown
PoE PSE power
source :Unknown
Port PSE
Priority :Unknown
(w)
---- More
----
<SwitchA> display lldp neighbor interface Ethernet0/0/1
Ethernet0/0/1 has 2 neighbors:
Neighbor index :
1
Chassis
type :macAddress
Chassis ID :00e0-
fc33-0012
Port ID
type :interfaceName
System
name :SwitchB
System capabilities
supported :bridge
System capabilities
enabled :bridge
Management address
type :ipV4

Management address : 10.10.10.2

Expired time :
104s

1
VLAN1
Protocol identity :
Auto-negotiation
supported :Yes
Auto-negotiation
enabled :Yes
Power port
class :PD
PSE power
supported :No
PSE power
enabled :No
PSE pairs control
ability:No
Power
pairs :Unknown
Port power
Link aggregation
supported:Yes
Link aggregation
enabled :No
0
MED Device
information
Connectivity
HardwareRev :VER.B
FirmwareRev :NA

SerialNum :NA
LTD
Model
name :NA
Asset tracking
identifier :NA

Unknown
Policy :Defined
VLAN
tagged :Yes
0
6
Media policy Dscp :
46
Power
Type :Unknown

PoE PSE power

source :Unknown
Port PSE
Priority :Unknown
(w)
Neighbor index :
2
Chassis
type :macAddress
Chassis ID :00e0-fc33-0013
Port ID
type :interfaceName
System
name :SwitchC
System capabilities
supported :bridge
System capabilities
enabled :bridge
Management address
type :ipV4
Management address :
10.10.10.3
Expired time :
104s

1
VLAN1
Protocol identity :
Auto-negotiation
supported :Yes
Auto-negotiation
enabled :Yes
Power port
class :PD
PSE power
supported :No
PSE power
enabled :No
PSE pairs control
ability:No
Power
pairs :Unknown
Port power
Link aggregation
supported:Yes
Link aggregation
enabled :No
0
MED Device
information


Connectivity
HardwareRev :VER.B
FirmwareRev :NA

SerialNum :NA
LTD
Model
name :NA
Asset tracking
identifier :NA

Unknown
Policy :Defined
VLAN
tagged :Yes
0
6
Media policy Dscp :
46
Power
Type :Unknown
PoE PSE power
source :Unknown
Port PSE
Priority :Unknown
(w)
l Check SwitchB.
l Check SwitchC.
----End
Configuration Files
#
sysname SwitchA
#
lldp enable
#
interface
LoopBack1
ip address 10.10.10.1 255.255.255.255
#
#
return

#
sysname SwitchB
#
lldp enable
#
interface

LoopBack1
ip address 10.10.10.2 255.255.255.255
#
#
return

#
sysname SwitchC
#
lldp enable
#
interface
LoopBack1
ip address 10.10.10.3 255.255.255.255
#
#
return
11.6.3 Example for Configuring LLDP on the Network with link

aggregation configured
As shown in Figure 11-24, SwitchA and SwitchB are connected through an Eth-Trunk. Routes
between the NMS and Switches are reachable, and SNMP is configured.
A network administrator wants to obtain Layer 2 information about SwitchA and SwitchB to
know the detailed network topology and configuration conflicts.
Figure 11-24 Network with link aggregation configured

NMS
Network
VLAN 100 VLAN 200
Eth-Trunk 1
Enterprise Switch A Switch B

Enterprise
User 10.10.10.1 10.10.10.2
User
The LLDP function can meet the network administrator's requirement. The configuration
1. Add physical interfaces on SwitchA and SwitchB to the Eth-Trunk.
2. Enable global LLDP on SwitchA and SwitchB.
3. Configure management IP addresses for SwitchA and SwitchB.

Procedure
Step 1 Add physical interfaces on SwitchA and SwitchB to the Eth-Trunk.
[SwitchA-Eth-Trunk1] trunkport ethernet 0/0/1
[SwitchA-Eth-Trunk1] port link-type trunk
[SwitchA-Eth-Trunk1] port trunk allow-pass vlan 100
[SwitchB] interface eth-trunk 1
[SwitchB-Eth-Trunk1] trunkport ethernet 0/0/1
[SwitchB-Eth-Trunk1] port link-type trunk
[SwitchB-Eth-Trunk1] port trunk allow-pass vlan 100
[SwitchB-Eth-Trunk1] quit
Step 2 Enable global LLDP on SwitchA and SwitchB.

Step 3 Configure management IP addresses for SwitchA and SwitchB.


l Check the SwitchA configuration.
# Check whether the physical interfaces are added to Eth-Trunk1.
WorkingMode: NORMAL Hash arithmetic: According to SIP-XOR-DIP
Least Active-linknumber: 1 Max Bandwidth-affected-linknumber:
8
Operate status: up Number Of Up Port In Trunk:
3
-------------------------------------------------------------------------------
-
PortName Status
Weight
Ethernet0/0/1 Up 1
Ethernet0/0/2 Up 1
Ethernet0/0/3 Up 1
# View the LLDP configurations.

<SwitchA> display lldp local
System information

Chassis
type :macAddress
Chassis ID :00e0-
fc33-0011
Copyright (C) 2003-2012 Huawei Technologies Co.,
Ltd.
System capabilities supported :bridge

System capabilities enabled :bridge
18:35:45

Device class :Network Connectivity
(MED inventory information of master board)
HardwareRev :VER A
FirmwareRev :NA
SerialNum :NA
Manufacturer name :HUAWEI TECH CO.,LTD
Model name :NA

Total Neighbors :3
Port information:
LLDP Enable Status :enabled (default is disabled)
Total Neighbors :1
Port ID subtype :interfaceName

Port And Protocol VLAN ID(PPVID) don't supported

Port VLAN ID(PVID) :1
VLAN name of VLAN 1: VLAN1
Protocol identity :STP RSTP/MSTP LACP EthOAM CFM
Auto-negotiation supported :Yes

Auto-negotiation enabled :Yes
Power port class :PD

PSE power supported :No
PSE power enabled :No
PSE pairs control ability:No
Power pairs :Unknown

Port power classification:Unknown
Link aggregation supported:Yes

Link aggregation enabled :No
Aggregation port ID :1
MED port information

VLAN tagged :Yes
Power Type :Unknown

PoE PSE power source :Unknown
Port PSE Priority :Unknown
Port Available power value:0.0(w)
Total Neighbors :1





Link aggregation enabled :Yes

VLAN tagged :Yes
Power Type :Unknown

Total Neighbors :1





Link aggregation enabled :Yes

VLAN tagged :Yes
Power Type :Unknown


[SwitchA] display lldp neighbor brief
Local Intf Neighbor Dev Neighbor Intf
Exptime
Eth0/0/1 SwitchB Eth0/0/1 115
l Check the SwitchB configuration.

----End
Configuration Files
#
sysname SwitchA
#
vlan batch 100
#
lldp enable
#
#
port link-type
trunk
#

eth-trunk 1
#
eth-trunk 1
#
eth-trunk 1
#
interface
LoopBack1
ip address 10.10.10.1 255.255.255.255
#
return

#
sysname SwitchB
#
vlan batch 100
#
lldp enable
#
#
port link-type
trunk
#
eth-trunk 1
#
eth-trunk 1
#
eth-trunk 1
#
interface
LoopBack1
ip address 10.10.10.2 255.255.255.255
#
return


S2300&amp;S3300 V100R006C05 Typical Configuration Examples 02

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

S2300&amp;S3300 V100R006C05 Typical Configuration Examples 02

Uploaded by

Copyright:

Available Formats

S2300&S3300 Series Ethernet Switches

Typical Configuration Examples

HUAWEI TECHNOLOGIES CO., LTD.

Trademarks and Permissions

Huawei Technologies Co., Ltd.

Issue 02 (2013-04-20) Huawei Proprietary and Confidential i

About This Document

Product Name Version

This document is intended for:

l Data configuration engineers

Indicates a hazard with a high level or medium level of risk

Indicates a hazard with a low level of risk which, if not

Indicates a potentially hazardous situation that, if not

Issue 02 (2013-04-20) Huawei Proprietary and Confidential ii

NOTE Provides additional information to emphasize or supplement

Boldface The keywords of a command line are in boldface.

Italic Command arguments are in italics.

[] Items (keywords or arguments) in brackets [ ] are optional.

{ x | y | ... } Optional items are grouped in braces and separated by

[ x | y | ... ] Optional items are grouped in brackets and separated by

{ x | y | ... }* Optional items are grouped in braces and separated by

[ x | y | ... ]* Optional items are grouped in brackets and separated by

# A line starting with the # sign is comments.

Changes in Issue 02 (2013-04-20)

Issue 02 (2013-04-20) Huawei Proprietary and Confidential iii

Changes in Issue 01 (2013-02-08)

Issue 02 (2013-04-20) Huawei Proprietary and Confidential iv

About This Document.....................................................................................................................ii

2 Configuration Guide - Interface Management......................................................................59

Issue 02 (2013-04-20) Huawei Proprietary and Confidential v

2.2 Logical Interface Configuration.......................................................................................................................61

3 Configuration Guide - Ethernet................................................................................................73

Issue 02 (2013-04-20) Huawei Proprietary and Confidential vi

3.10.1 Example for Configuring Interface-based Layer 2 Protocol Transparent Transmission.....................175

4 Configuration Guide - IP Service...........................................................................................200

Issue 02 (2013-04-20) Huawei Proprietary and Confidential vii

4.10 IPv6 over IPv4 Tunnel Configuration..........................................................................................................273

5 Configuration Guide - IP Routing.........................................................................................289

6 Configuration Guide - IP Multicast.......................................................................................417

Issue 02 (2013-04-20) Huawei Proprietary and Confidential viii

6.1.1 Example for Configuring Basic IGMP Functions.................................................................................419

7 Configuration Guide - QoS.....................................................................................................522

8 Configuration Guide - Security..............................................................................................527

Issue 02 (2013-04-20) Huawei Proprietary and Confidential ix

8.2.2 Example for Configuring MAC Address Authentication......................................................................537

9 Configuration Guide - Reliability..........................................................................................605

Issue 02 (2013-04-20) Huawei Proprietary and Confidential x

Issue 02 (2013-04-20) Huawei Proprietary and Confidential xi

9.10.1 Example for Configuring VLAN-based Ethernet CFM on a Layer 2 Network..................................797

10 Configuration Guide - Device Management......................................................................848

11 Configuration Guide - Network Management..................................................................884

Issue 02 (2013-04-20) Huawei Proprietary and Confidential xii

11.3.1 Example for Configuring Authenticated NTP Unicast Server/Client Mode.......................................900

Issue 02 (2013-04-20) Huawei Proprietary and Confidential xiii

1 Configuration Guide - Basic Configuration

About This Chapter

Issue 02 (2013-04-20) Huawei Proprietary and Confidential 1

1.1 CLI Overview

1.1.1 Example for Using Tab

There Are Several Matches for an Incomplete Keyword

Issue 02 (2013-04-20) Huawei Proprietary and Confidential 2

always logged immediately, but subsequence identical

1. Enter an incomplete keyword.

Stop pressing Tab when the desired keyword is displayed.

S2300&S3300 V100R006C05 Typical Configuration Examples 02

S2300&S3300 V100R006C05 Typical Configuration Examples 02