CX91x Series Switch Modules V100R001C00 Configuration Guide 09
V100R001C00
Configuration Guide
Issue 09
Date 2022-06-30
and other Huawei trademarks are trademarks of Huawei Technologies Co., Ltd.
All other trademarks and trade names mentioned in this document are the property of their respective
holders.
Notice
The purchased products, services and features are stipulated by the contract made between Huawei and
the customer. All or part of the products, services and features described in this document may not be
within the purchase scope or the usage scope. Unless otherwise specified in the contract, all statements,
information, and recommendations in this document are provided "AS IS" without warranties, guarantees
or representations of any kind, either express or implied.
The information in this document is subject to change without notice. Every effort has been made in the
preparation of this document to ensure accuracy of the contents, but all statements, information, and
recommendations in this document do not constitute a warranty of any kind, express or implied.
Website: https://e.huawei.com
Purpose
The documents describe the configuration of various services supported by the
CX91x series switch modules. The description covers configuration examples and
function configurations.
The product features and commands for the 10GE switching plane of the CX91x
series switch modules vary according to the software version. For details, see the
documents listed in the following table.
NOTE
Run the display version command in the switching plane CLI and select a reference document
based on the Switch Version or Software Version displayed in the command output.
1.1.3.301.6
1.2.1.0.19
1.2.1.0.21
2.23
2.26
2.29
Intended Audience
This document is intended for:
Symbol Conventions
The symbols that may be found in this document are defined as follows.
Symbol Description
Command Conventions
The command conventions that may be found in this document are defined as
follows.
Convention Description
Security Conventions
● Password setting
– When a password is configured in plain text, it is saved in the
configuration file in plain text. Plain text poses a high security risk, so
cipher text is recommended. To ensure device security, change the
password periodically.
– When a password is configured in cipher text that starts and ends with
%@%@ (cipher text that the device can decrypt), the password is
displayed in the configuration file in the same form as it was configured.
Do not use this setting.
● Encryption algorithm
Currently, the device uses the following algorithms: DES, AES, SHA-1, SHA-2,
and MD5. DES and AES are reversible (encryption) algorithms; SHA-1, SHA-2,
and MD5 are irreversible (hash) algorithms. Which algorithm applies depends
on the actual networking: if a protocol is used for interconnection, the
locally stored password must be reversible. An irreversible algorithm is
recommended for the administrator password.
● Personal data
Some personal data may be obtained or used during operation or fault
location of your purchased products, services, features, so you have an
obligation to make privacy policies and take measures according to the
applicable law of the country to protect personal data.
● Remote access
– The Telnet protocol is not secure: data is not encrypted during
transmission over Telnet, so transmitted data may be recovered if the IP
packets are captured without authorization. It is recommended that SSH be
used instead.
– The FTP and TFTP protocols are not secure: data is not encrypted during
transmission over FTP and TFTP, so transmitted data may be recovered if
the IP packets are captured without authorization. It is recommended that
files be transmitted over SFTP.
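As an added example (not from the guide), a small Python audit that applies the password-setting conventions above to a saved configuration: it flags plain-text passwords and cipher text wrapped in %@%@, and redacts the values in its report. The configuration excerpt is constructed, and the local-user ... password <mode> <value> syntax with the mode keywords simple, cipher and irreversible-cipher is assumed for illustration; only the %@%@ marker comes from the guide.

```python
import re

# Constructed excerpt of a saved configuration file. The command syntax and
# the mode keywords are assumed for illustration only; the "%@%@" marker for
# decryptable cipher text is the one fact taken from the guide.
SAMPLE_CONFIG = """\
#
 sysname Base
#
aaa
 local-user admin password simple Admin123
 local-user ops password cipher %@%@cOnStRuCtEd/cipher/text==%@%@
 local-user backup password cipher $1c$cOnStRuCtEd$cipherTextWithoutMarker
 local-user audit password irreversible-cipher $1a$cOnStRuCtEd$hashValue
#
"""

# One password statement: the keyword, a mode word and the stored value.
PASSWORD_LINE = re.compile(r"\bpassword\s+(?P<mode>\S+)\s+(?P<value>\S+)")


def classify(mode: str, value: str) -> str:
    """Map one password statement to a risk class following the guide's rules."""
    if value.startswith("%@%@") and value.endswith("%@%@"):
        return "reversible-cipher"   # device can decrypt it; guide: do not use
    if mode == "simple":             # assumed keyword for plain-text storage
        return "plain-text"          # stored exactly as typed; high risk
    if mode == "irreversible-cipher":
        return "irreversible"        # recommended for administrator passwords
    return "cipher"                  # cipher text without the %@%@ marker


def audit_config(config_text: str):
    """Return (line number, risk class, redacted statement) for every password
    statement that the guide's conventions advise against."""
    findings = []
    for lineno, line in enumerate(config_text.splitlines(), start=1):
        m = PASSWORD_LINE.search(line)
        if not m:
            continue
        kind = classify(m.group("mode"), m.group("value"))
        if kind in ("plain-text", "reversible-cipher"):
            # Never copy the secret itself into the audit report.
            redacted = line[:m.start("value")] + "<redacted>"
            findings.append((lineno, kind, redacted.strip()))
    return findings


if __name__ == "__main__":
    for lineno, kind, stmt in audit_config(SAMPLE_CONFIG):
        print(f"line {lineno}: {kind}: {stmt}")
```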
Change History
Changes between document issues are cumulative. Therefore, the latest document
version contains all updates made to previous versions.
Contents
2 Configuration Guide-Ethernet
2.1 Ethernet Interface Configuration
2.1.1 Introduction to Ethernet Interfaces
2.1.2 Ethernet Interface Features Supported by the CX91x series
2.1.3 Configuring Basic Attributes of the Ethernet Interface
2.1.3.1 Establishing the Configuration Task
2.1.3.2 (Optional) Configuring the Description
2.1.3.3 (Optional) Setting the Duplex Mode
2.1.3.4 (Optional) Setting the Rate of an Interface
2.1.3.5 (Optional) Enabling Auto-Negotiation
2.1.3.6 Checking the Configuration
2.1.4 Configuring the Advanced Attributes of an Ethernet Interface
2.1.4.1 Establishing the Configuration Task
2.1.4.2 (Optional) Configuring Loopback Test on the Ethernet Interface
6 Configuration Guide-Reliability
6.1 Smart Link and Monitor Link Configuration
6.1.1 Smart Link and Monitor Link
6.1.2 Configuring a Smart Link Group
6.1.2.1 Establishing the Configuration Task
6.1.2.2 Creating and Enabling a Smart Link Group
6.1.2.3 Configuring the Master and Slave Interfaces in a Smart Link Group
6.1.2.4 Enabling the Sending of Flush Packets
6.1.2.5 (Optional) Configuring Load Balancing in a Smart Link Group
6.1.2.6 (Optional) Enabling Revertive Switching and Setting the WTR Time
6.1.2.7 (Optional) Enabling the Receiving of Flush Packets
6.1.2.8 (Optional) Setting the Holdtime of the Smart Link Switchover
6.1.2.9 Enabling the Functions of the Smart Link Group
6.1.2.10 Checking the Configuration
6.1.3 Configuring a Flow Control Policy in a Smart Link Group
6.1.3.1 Establishing the Configuration Task
6.1.3.2 Locking Data Flows on the Master Interface
6.1.3.3 Locking Data Flows on the Slave Interface
6.1.3.4 Switching Data Flows Manually
6.1.3.5 Checking the Configuration
7.3 Mirroring
7.3.1 Introduction
7.3.1.1 Mirroring Functions
7.3.1.2 Logical Relationships Between Configuration Tasks
7.3.2 Configuring Local Port Mirroring
7.3.2.1 Establishing the Configuration Task
7.3.2.2 Configuring a Mirrored Port
7.3.2.3 Checking the Configuration
7.3.3 Canceling Port-based Mirroring
7.3.3.1 Establishing the Configuration Task
7.3.3.2 Canceling Port Mirroring
7.3.3.3 Checking the Configuration
7.3.4 Changing or Deleting an Observing Port
7.3.4.1 Establishing the Configuration Task
7.3.4.2 (Optional) Deleting an Observing Port
7.3.4.3 (Optional) Changing an Observing Port
7.3.4.4 Checking the Configuration
7.3.5 Configuration Examples
7.3.5.1 Example for Configuring Local Port Mirroring
7.3.5.2 Example for Changing an Observing Port
7.4 Restarting
7.4.1 Restarting the CX91x series Immediately Through Command Lines
7.4.2 Restarting the CX91x series Using the Ejector Levers
This topic describes how to use the command-line interface (CLI), how to log in to
a switch module, and how to configure functions such as file operations and
system startup.
1.1.1 Introduction
This topic describes how to log in to the Switch Module. You can log in to the
Switch Module over the SYS COM port or serial over LAN (SOL).
NOTICE
For the first login, you must use the SYS COM serial port to log in to the Switch
Module and set the initial user password. Otherwise, security risks may occur.
The Switch Module has onboard GE switching plane, 10GE switching plane, and FC
switching plane. The commands and examples are based on onboard GE switching
plane in this document. Other planes may be slightly different.
Context
This document uses PuTTY as an example to describe how to log in to a switching
plane over a serial port. The application scenarios are as follows:
● If the Switch Module is configured for the first time at a new site, you can log
in to the switching plane from a local PC over a Switch Module serial port to
perform initial configuration.
● If the network is faulty and the Switch Module cannot be remotely connected,
you can log in to the switching plane over a Switch Module serial port to
locate the fault.
Set passwords for logging in to the Switch Module onboard GE and 10GE
switching planes over a serial port for the first time. The system automatically
saves the passwords.
After you successfully set the login passwords, the passwords are used as
authentication passwords in the succeeding logins to the onboard GE and 10GE
switching planes.
You can use the default user name and password to log in to the Switch Module
FC switching plane over a serial port.
Prerequisites
PuTTY is installed and its version is 0.60 or later.
Data
User name and password for logging in to the baseboard management controller
(BMC) over a serial port
Software
PuTTY.exe is free software. You can download it from the Internet. The PuTTY used
to log in over a serial port must be 0.60 or later.
Procedure
Step 1 Log in to a switching plane.
1. Connect the PC RS232 serial port to the serial port marked SYS on the Switch
Module panel by using a DB9-RJ45 cable.
2. Double-click PuTTY.exe on the PC.
The PuTTY Configuration window is displayed.
3. In the navigation tree, choose Connection > Serial.
4. Set the login parameters.
The key communication parameters are as follows:
– Serial Line to connect to: COMn
– Speed (baud): 115200
– Data bits: 8
– Stop bits: 1
– Parity: None
– Flow control: None
n indicates the serial port number, and the value is an integer.
NOTE
The baud rates of the onboard GE switching plane and 10GE switching plane are
115200 bit/s, and the baud rate of the FC switching plane is 9600 bit/s.
5. In the navigation tree, choose Session.
6. Set Connection type to Serial, as shown in Figure 1-1.
7. Click Open.
Open the switching plane command-line interface (CLI).
8. Determine if you log in to the switching plane over a serial port for the first
time.
NOTE
You need to set login passwords of the onboard GE switching plane and 10GE
switching plane upon the first login. The FC switching plane has a default user name
and password. You can perform Step 1.9 to log in to the FC switching plane.
– If yes, go to Step 2.1.
– If no, go to Step 1.9.
9. Enter the user name and password of the switching plane, and press Enter.
After login, the host name of the current login plane is displayed on the left
of the prompt.
Step 2 Set a password for logging in to the switching plane.
1. Press Enter.
The following information is displayed:
Please configure the login password (6-16)
Enter Password:
Confirm Password:
Set the initial password as prompted. The system automatically saves the
password.
NOTE
After login, the host name of the current login plane is displayed on the left
of the prompt.
----End
Context
This document uses PuTTY as an example to describe how to log in to the Switch
Module switching planes over Secure Shell (SSH) for configuration and
maintenance.
NOTE
You can log in to the Switch Module switching planes over Telnet and SSH. The login
methods are similar. The Telnet login has security risks. You are advised to use SSH login.
This document describes how to log in to the switching planes over SSH.
Prerequisites
PuTTY is installed and its version is 0.60 or later.
Data
● User names and passwords for logging in to the Switch Module switching
planes over SSH
● IP address and subnet mask of the management network port on the
switching plane to be connected
Software
PuTTY.exe is free software. You can download it from the Internet.
Procedure
Step 1 Connect the Ethernet port on the PC to that on the management module over the
local area network (LAN).
Step 2 Set the IP address and subnet mask of the PC, and ensure that the IP address of
the PC is on the same network segment as the IP address of the management
module.
After setting Host Name and then Saved Sessions, click Save. At the next login, you
can double-click the saved settings under Saved Sessions to log in to the switching
plane directly.
3. Click Open.
The PuTTY user interface (UI) is displayed, waiting for you to enter a user name.
NOTE
– If you log in to the switching plane for the first time, the PuTTY Security Alert
window is displayed. If you trust the site, click Yes. Then the PuTTY window is
displayed.
– If the entered account is incorrect during the login, PuTTY must be connected
again.
----End
Context
By default, the SYS serial port is used for the onboard GE switching plane. You
need to switch the SYS COM port to another plane when configuring the plane
using a baseboard management controller (BMC) command.
Prerequisites
PuTTY is installed and its version is 0.60 or later.
Data
● Password for logging in to the onboard GE switching plane over a serial port
● Password for logging in to the 10GE switching plane over a serial port
● User name and password for logging in to the switching plane to be
connected over a serial port
Software
PuTTY.exe is free software. You can download it from the Internet. The PuTTY used
to log in over a serial port must be 0.60 or later.
Procedure
Step 1 Connect the PC RS232 serial port to the serial port marked BMC on the switch
module panel by using a DB9-RJ45 cable.
Step 2 Log in to the BMC command-line interface (CLI) using PuTTY.
1. Double-click PuTTY.exe on the PC.
The PuTTY Configuration window is displayed.
2. In the navigation tree, choose Connection > Serial.
3. Set the login parameters.
The key communication parameters are as follows:
– Serial Line to connect to: COMn
– Speed (baud): 115200
– Data bits: 8
– Stop bits: 1
– Parity: None
– Flow control: None
n indicates the serial port number, and the value is an integer.
6. Click Open.
The PuTTY user interface (UI) is displayed, waiting for you to enter a user name.
7. Enter a user name and password as prompted.
After login, the host name of the current login plane is displayed on the left
of the prompt.
Step 3 On the BMC CLI, switch the SYS COM serial port to the switching plane.
● Switch to the onboard GE switching plane.
root@BMC:/#ipmcset -d systemcom -v 0
If you have successfully switched to the onboard GE switching plane, the
following information is displayed:
Set systemcom successfully!
Serial port direction is:Base Com
Step 4 Connect the PC RS232 serial port and the SYS serial port on the switch module by
using a DB9-RJ45 cable.
Step 5 Log in to the switching plane CLI using PuTTY.
The key communication parameters are as follows:
● Serial Line to connect to: COMn
● Speed (baud): 115200
● Data bits: 8
● Stop bits: 1
● Parity: None
● Flow control: None
n indicates the serial port number, and the value is an integer.
NOTE
The baud rates of the onboard GE switching plane and 10GE switching plane are 115200
bit/s, and the baud rate of the FC switching plane is 9600 bit/s.
For details about login methods, see Step 2.1 to Step 2.7.
----End
● The system supports commands of up to 512 characters. A command can be
entered in incomplete (abbreviated) form.
● The system saves an incomplete command to the configuration file in its complete
form; therefore, the saved command may have more than 512 characters. When the
system is restarted, however, such an over-long command cannot be restored.
Therefore, pay attention to the length of an incomplete command.
NOTICE
Not all display commands are of the monitoring level. For example, the display
current-configuration and display saved-configuration commands are of the
management level. For the level of a command, see the CX91x Series Switch
Modules V100R001C00 Command Reference.
NOTE
● The default command level may be higher than the command level defined according
to the command rules in application.
● Login users have the same 16 levels as commands. A login user can use only
commands whose level is equal to or lower than the user's own level. For
details about login user levels, see 1.5 User Management.
Basic Concepts
# Establish connection with the Switch Module. If the Switch Module adopts the
default configuration, you can enter the user view with the prompt of <Base>.
<Base>
# Type interface gigabitethernet 0/0/1 in the system view, and you can enter the
GE interface view.
[Base] interface gigabitethernet 0/0/1
[Base-GigabitEthernet0/0/1]
NOTE
The prompt <Base> indicates the default Switch Module name. The prompt <> indicates the
user view and the prompt [] indicates other views.
Some commands that are implemented in the system view can also be
implemented in the other views; however, the functions that can be implemented
are command view-specific.
Common Views
The CX91x series provides various command line views. For the methods of
entering the command line views except the following views, see the CX91x Series
Switch Modules V100R001C00 Command Reference.
● User View
● System View
NOTE
The value 10 indicates the number of a VLANIF interface to be configured. You must
create a VLAN before entering the VLANIF interface view.
You can obtain the partial help of the command line in the following ways.
● Enter a character string with a "?" closely following it to display all commands
that begin with this character string.
<Base> f?
format free
ftp
● Enter a command and a character string with "?" closely following it to
display all the key words that begin with this character string.
<Base> display d?
default-parameter device
diagnostic-information
● Enter the first several letters of a key word in the command and then press
Tab to display the complete key word on the condition that the letters
uniquely identify the key word. Otherwise, if you continue to press Tab,
different key words are displayed. You can select the needed key word.
1.2.3.1 Editing
The editing function of command lines helps you edit command lines or obtain
help by using certain keys.
The command line supports multi-line edition. The maximum length of each
command is 512 characters.
Keys for editing that are often used are shown in Table 1-2.
● Left cursor key ← or Ctrl_B: Moves the cursor to the left by one character.
When the cursor reaches the head of the command, there is a warning sound.
● Right cursor key → or Ctrl_F: Moves the cursor to the right by one character.
When the cursor reaches the end of the command, there is a warning sound.
● Tab: Press Tab after typing an incomplete key word and the system runs the
partial help:
– If the matching key word is unique, the system replaces the typed one with
the complete key word and displays it in a new line with the cursor a space
behind.
– If there are several matches or no match at all, the system displays the
prefix first. Then you can press Tab to view the matching key words one by
one. In this case, the cursor closely follows the end of the word and you can
type a space to enter the next word.
– If a wrong key word is entered, press Tab and the word is displayed in a new
line.
1.2.3.2 Displaying
All command lines share the same display features, which you can adjust as
required.
You can control the display of information on the CLI as follows:
● Display prompt and help information in English.
● When the information displayed exceeds a full screen, it provides the pause
function. In this case, the user has three choices as shown in Table 1-3.
NOTE
Unless otherwise specified, all characters in the preceding table are displayed on the
screen.
● Degeneration of particular characters
Certain particular characters, when being placed at the following positions in
the regular expression, degenerate to common characters.
– A particular character preceded by "\" is escaped and matches that
character itself.
– The particular characters "*", "+", and "?" placed at the starting position
of the regular expression. For example, +45 matches "+45" and abc(*def)
matches "abc*def".
– The particular character "^" placed at any position except for the start of
the regular expression. For example, abc^ matches "abc^".
– The particular character "$" placed at any position except for the end of
the regular expression. For example, 12$2 matches "12$2".
– The right bracket such as ")" or "]" being not paired with its
corresponding left bracket "(" or "[". For example, abc) matches "abc)"
and 0-9] matches "0-9]".
NOTE
Unless otherwise specified, the preceding degeneration rules also apply when a
regular expression serves as a subexpression within parentheses.
● Combination of common and particular characters
In actual application, a regular expression combines multiple common and
particular characters to match certain strings.
NOTICE
The CX91x series uses a regular expression to implement the filtering function of
the pipe character. A display command supports the pipe character only when
there is excessive output information.
When the output information is queried according to the filtering conditions, the
first line of the command output starts with the information containing the
regular expression.
The command can carry the parameter | count to display the number of matching
entries. The parameter | count can be used together with other parameters.
For the commands supporting regular expressions, the three filtering methods are
as follows:
● | begin regular-expression: displays the information that begins with the line
that matches regular expression.
● | exclude regular-expression: displays the information that excludes the lines
that match regular expression.
● | include regular-expression: displays the information that includes the lines
that match regular expression.
NOTE
● /regular-expression: displays the information that begins with the line that
matches regular expression.
● -regular-expression: displays the information that excludes lines that match
regular expression.
● +regular-expression: displays the information that includes lines that match
regular expression.
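As an added example (not code from the guide), the degeneration rules and the three filter methods described above implemented in Python: degenerate() escapes each particular character that the rules say becomes a common character, so the page's own cases (+45, abc(*def), abc^, 12$2, abc), 0-9]) match literally while ^ and $ at the ends of a (sub)expression stay anchors; cli_filter() and cli_count() then apply | begin, | include, | exclude and | count to constructed output lines. Treating the alternation bar "|" as a subexpression boundary is an assumption not stated in the guide.

```python
import re


def degenerate(pattern: str) -> str:
    """Translate a pattern written under the guide's degeneration rules into an
    equivalent standard (Python) regular expression by escaping every particular
    character that the rules turn into a common character. Assumption: '|' is
    treated as a subexpression boundary like '(' and ')'."""
    out = []
    depth = 0          # number of currently open, unescaped '('
    at_start = True    # next character sits at the start of a (sub)expression
    i, n = 0, len(pattern)
    while i < n:
        c = pattern[i]
        nxt = pattern[i + 1] if i + 1 < n else ""
        # Rule 1: "\" followed by a particular character matches that character
        # itself, which is standard behaviour, so the pair is copied through.
        if c == "\\" and nxt:
            out.append(c + nxt)
            i += 2
            at_start = False
            continue
        if c == "[":
            # Copy a whole character class verbatim. A ']' directly after '['
            # (or after '[^') is a literal member of the class, not its end.
            j = i + 1
            if j < n and pattern[j] == "^":
                j += 1
            if j < n and pattern[j] == "]":
                j += 1
            while j < n and pattern[j] != "]":
                j += 2 if pattern[j] == "\\" else 1
            if j >= n:
                raise ValueError("unterminated character class")
            out.append(pattern[i:j + 1])
            i = j + 1
            at_start = False
            continue
        # A (sub)expression ends at the end of the pattern, before the ')' that
        # closes an open group, or before an alternation bar.
        at_end = nxt == "" or (nxt == ")" and depth > 0) or nxt == "|"
        if c in "*+?" and at_start:
            out.append("\\" + c)        # Rule 2: quantifier at start is literal
        elif c == "^" and not at_start:
            out.append("\\^")           # Rule 3: '^' not at start is literal
        elif c == "$" and not at_end:
            out.append("\\$")           # Rule 4: '$' not at end is literal
        elif c == ")" and depth == 0:
            out.append("\\)")           # Rule 5: unpaired ')' is literal
        elif c == "]":
            out.append("\\]")           # Rule 5: ']' with no '[' is literal
        else:
            if c == "(":
                depth += 1
            elif c == ")":
                depth -= 1
            out.append(c)
        at_start = c in "(|"
        i += 1
    return "".join(out)


def cx_search(pattern: str, text: str) -> bool:
    """True if the degenerated pattern matches anywhere in one output line."""
    return re.search(degenerate(pattern), text) is not None


def cli_filter(lines, mode, pattern):
    """Apply '| begin', '| include' or '| exclude' with the given regular
    expression to a list of output lines and return the lines kept."""
    rx = re.compile(degenerate(pattern))
    if mode == "begin":        # output starts at the first matching line
        for k, line in enumerate(lines):
            if rx.search(line):
                return lines[k:]
        return []
    if mode == "include":      # only the lines that match
        return [line for line in lines if rx.search(line)]
    if mode == "exclude":      # only the lines that do not match
        return [line for line in lines if not rx.search(line)]
    raise ValueError(f"unknown filter mode: {mode}")


def cli_count(lines, mode, pattern):
    """'| count' appended to a filter: the number of lines the filter keeps."""
    return len(cli_filter(lines, mode, pattern))


# Constructed sample of display output; not real device output.
SAMPLE_OUTPUT = [
    "Interface              PHY   Protocol",
    "GigabitEthernet0/0/1   up    up",
    "GigabitEthernet0/0/2   down  down",
    "Vlanif10               up    up",
]

if __name__ == "__main__":
    for case, text in [("+45", "+45"), ("abc(*def)", "abc*def"), ("12$2", "12$2")]:
        print(f"{case!r} -> {degenerate(case)!r} matches {text!r}: {cx_search(case, text)}")
    print(cli_filter(SAMPLE_OUTPUT, "exclude", "^Gigabit"))
```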
By default, the system saves 10 history commands at most for each user. The
operations are as shown in Table 1-5.
● Access the last history command: Up cursor key ↑ or Ctrl_P. Displays the last
history command if there is an earlier history command. Otherwise, there is a
warning sound.
● Access the next history command: Down cursor key ↓ or Ctrl_N. Displays the
next history command if there is a later history command. Otherwise, the
command is cleared and there is a warning sound.
NOTE
System hotkeys are not defined by users, and their functions are fixed. Table 1-6
describes system hotkeys and their functions.
NOTE
Different terminal software defines hotkeys differently; therefore, the shortcut keys on the
terminal may be different from the hotkeys listed in this section.
Hotkeys Function
● You can use hotkeys where a command can be run. When hotkeys are
executed in the system, the command assigned to the hotkeys is displayed the
same as the complete command is entered.
● Using hotkeys is the same as running the command assigned to the hotkeys.
After hotkeys are used, the corresponding commands are recorded in the
command buffer and log for fault location and query.
NOTE
The terminals that you use may affect the functions of hotkeys. For example, the function
of the hotkey that is defined by the terminal used by a user varies with the function of the
hotkey on the CX91x series. In this case, after a user enters hotkeys, the command assigned
to the hotkeys is not run.
Procedure
● If only one keyword contains the incomplete keyword.
Do as follows on the CX91x series.
a. Enter an incomplete keyword.
[Base] info-
b. Press Tab.
The system replaces the incomplete keyword with a complete keyword
and displays the complete keyword. There is only one space between the
cursor and the end of the keyword.
[Base] info-center
● If more than one keyword contains the incomplete keyword.
Do as follows on the CX91x series.
# The keyword info-center can be followed by the following keywords.
b. Press Tab.
The system displays the prefix of all the matched keywords. The prefix in
this example is log.
[Base] info-center log
Stop pressing Tab when you find the required keyword logbuffer.
d. Enter a space and enter the next keyword channel.
[Base] info-center logbuffer channel
----End
Interfaces are classified into management interfaces and service interfaces based
on their functions; interfaces are classified into physical interfaces and logical
interfaces based on their physical forms.
NOTE
A physical interface is sometimes called a port. Both physical interfaces and logical
interfaces are called interfaces in this document.
Management Interface
Management interfaces are used for managing and configuring the device. That is,
you can log in to the CX91x series through a management interface to configure
and manage the CX91x series. Management interfaces do not transmit services.
The CX91x series provides a console interface and an MEth interface as the
management interface.
NOTE
● You can log in over the management network port Meth 0/0/1 on the onboard GE
switching plane or 10GE switching plane to manage onboard GE switching plane or
10GE switching plane services respectively.
● If the Base plane of one CX91x series module is faulty, you can log in to its
management network port Meth 0/0/1 over the Base plane of the other CX91x series module.
Physical Interfaces
Physical interfaces exist on the CX91x series.
Physical interfaces include management interfaces and service interfaces.
The CX91x series supports the following physical interfaces:
● Serial Port
● Gigabit Ethernet interface
● 10-Gigabit Ethernet interface
Logical Interfaces
Logical interfaces do not exist physically and are created through configuration.
The CX91x series supports the following logical interfaces:
● Eth-Trunk
An Eth-Trunk comprises only Ethernet links.
The Eth-Trunk technology has the following advantages:
– Increased bandwidth: The bandwidth of an Eth-Trunk is the total
bandwidth of all member interfaces.
– Improved reliability: When a link fails, traffic is automatically switched to
other available links. This ensures the reliability of the connection.
For details about the configuration, see section Configuring the Eth-Trunk in
Chapter Configuration Guide-Ethernet in the CX91x Series Switch Modules
V100R001C00 Configuration Guide.
● Loopback interface
A loopback interface is a virtual interface. The TCP/IP protocol suite defines
the IP addresses whose first byte is 127 as loopback addresses. When the
system starts, it automatically creates an interface with the loopback address
127.0.0.1 to receive all data packets sent to the local host. Some
applications, such as mutual access between Virtual Private Networks, need a
local interface with a specified IP address that does not affect the
configuration of any physical interface. In this case the local interface uses
a 32-bit mask, which saves IP addresses, and its IP address can be advertised
by routing protocols.
The status of the loopback interface is always Up; therefore, the IP address of
the loopback interface can be used as the router ID or as the label switching
router (LSR) ID.
For details, see 1.3.3 Configuring the Loopback Interface.
● Null interface
Null interfaces are similar to null devices supported by certain operating
systems. Any data packets sent to this interface are discarded. Null interfaces
are mainly used for route selection and policy-based routing (PBR). For
example, if no route is matched during route selection, the packet is sent to
the null interface.
● VLANIF interface
When the CX91x series needs to communicate with devices at the network
layer, you can create a logical interface of the Virtual Local Area Network
(VLAN) on the CX91x series, namely, a VLANIF interface. You can assign IP
addresses to VLANIF interfaces because VLANIF interfaces work at the
network layer. The CX91x series then communicates with devices at the
network layer through VLANIF interfaces.
For details about the configuration, see section Configuring the VLANIF
Interface in Chapter Configuration Guide-Ethernet in the CX91x Series
Switch Modules V100R001C00 Configuration Guide.
Applicable Environment
To facilitate the configuration and maintenance of an interface, the CX91x series
provides interface views. The commands related to the interface are valid only in
the interface views.
The basic interface configurations include entering an interface view, configuring
interface description, enabling an interface, and disabling an interface.
Pre-configuration Tasks
The RTM is properly installed in the paired slot of the CX91x series. Both ejector
levers on the RTM are lowered, and the floating nuts are tightened.
Data Preparation
To set parameters of an interface, you need the following data.
No. Data
Procedure
Step 1 Run:
system-view
----End
Procedure
Step 1 Run:
system-view
Step 2 Run:
interface interface-type interface-number
Step 3 Run:
?
All the commands in the view of the specified interface are displayed.
----End
Procedure
Step 1 Run:
system-view
Step 2 Run:
interface interface-type interface-number
Step 3 Run:
description description
----End
Context
NOTE
Procedure
Step 1 Shutting down the interface
1. Run:
system-view
1. Run:
system-view
----End
Context
When you access a network through an interface, you need to set additional
parameters of the interface according to the networking requirements, in
addition to performing the basic configurations on the interface.
For the detailed configuration, see Configuration Guide - Ethernet in the
CX91x Series Switch Modules V100R001C00 Configuration Guide and
Configuration Guide - IP Routing in the CX91x Series Switch Modules
V100R001C00 Configuration Guide.
Procedure
Step 1 Run:
display interface [ interface-type [ interface-number ] ]
The running status of the interface and the statistics on the interface are
displayed.
Step 2 Run:
display interface description
----End
Applicable Environment
Some applications, such as mutual access between Virtual Private Networks,
need a local interface with a specified IP address that does not affect the
configuration of any physical interface. In this case, the IP address of the
local interface needs to be advertised by routing protocols. Loopback
interfaces are used to improve the reliability of the configuration.
Pre-configuration Tasks
Before configuring the loopback interface, the CX91x series is properly powered on
and started.
Data Preparation
To configure the loopback interface, you need the following data.
No. Data
Procedure
Step 1 Run:
system-view
----End
Procedure
Step 1 Run the display interface loopback [ number ] command to check the status of
the loopback interface.
----End
Procedure
Step 1 Run:
reset counters interface [ interface-type [ interface-number ] ]
----End
Before configuring services, users often need to perform basic configurations for
actual operation and maintenance.
● Basic system environment: includes the language mode, host name, system
name, system time, header text, and command level for actual environment.
● Basic user environment: includes password for changing levels and the
terminal lock.
Applicable Environment
Before configuring the services, you need to configure the basic system
environments to meet the requirements of the actual environments.
By default, the CX91x series supports commands of Level 0 to Level 3, namely, visit
level, monitoring level, configuration level, and management level.
If the user needs to define more levels, or refine management privileges on the
device, the user can extend the range of command line level from the range of
Level 0 to Level 3 to the range of Level 0 to Level 15.
Pre-configuration Tasks
Before configuring basic system environment, complete the following task:
● Powering on the Switch Module
Data Preparation
To configure basic system environment, you need the following data.
No. Data
1 System time
2 Host name
3 Login information
4 Command level
Procedure
Step 1 Run:
system-view
----End
Procedure
Step 1 Run:
system-view
NOTE
● If a user logs in to the Switch Module by using SSH1.X, the login header is not displayed
during login, but the shell header is displayed after login.
● If a user logs in to the Switch Module by using SSH2.0, both the login and shell headers
are displayed.
----End
Context
If the user does not adjust command levels separately, then after the command
level range is updated all originally registered commands are adjusted
automatically according to the following rules:
● The commands of Level 0 and Level 1 remain unchanged.
● The command Level 2 is updated to Level 10 and Level 3 is updated to Level
15.
● No command lines exist in Level 2 to Level 9 and Level 11 to Level 14. The
user can adjust the command lines to these levels separately to refine the
management of privilege.
NOTE
The update of command Level 2 to Level 10 and Level 3 to Level 15 is not a two-step
process but one-step by batch.
Procedure
Step 1 Run:
system-view
The system prompts you to confirm the update. If you select N, the operation is
canceled. If you select Y, the command levels are updated in batch mode.
Step 3 Run:
command-privilege level level view view-name command-key
The command level is configured. With this command, you can specify the level
and view of multiple commands at one time (command-key).
All commands have default command views and levels; you do not need to
reconfigure them.
----End
You can use the display commands to collect information about the system status.
The display commands are classified according to the following functions:
See the related sections for display commands for protocols and interfaces. The
following only shows the system display commands.
Procedure
Step 1 Run:
display version
Step 2 Run:
display clock
Step 3 Run:
display saved-configuration
Step 4 Run:
display current-configuration
----End
Procedure
Step 1 Run:
display diagnostic-information [ file-name ]
When the system fails or performs the routine maintenance, you need to collect a
lot of information to locate faults. Then, you have to run different display
commands to collect all information. In this case, you can use the display
diagnostic-information command to collect all information about the current
running modules in the system.
----End
CON: local login through the console interface. It is a serial interface
conforming to the EIA/TIA-232 standard. The type of the interface is DCE. Each
device provides a console interface.
● Relative numbering
Relative numbering indicates that the interfaces of the same type are
numbered. The relative numbering uniquely specifies a user interface of a
specified type.
The format of the relative numbering is: user interface type + number.
Number of the CON interface is console0.
● Absolute numbering
The CX91x series assigns the default absolute number 0 to the CON user
interface. You can enter a specific user interface view by entering either its
relative or its absolute number.
Figure 1-4 shows the mapping between relative and absolute numbering of a user
interface.
NOTE
The login user must be authenticated for the sake of security. The default user
name is root and the password is hwosta2.0. If the authentication succeeds, the
user can log in to the CX91x series to configure and maintain the CX91x series.
Applicable Environment
If you need to maintain a Switch Module on a local device, the console user
interface is required.
Pre-configuration Tasks
Before configuring a console user interface, complete the following tasks:
● Powering on the Switch Module
● Connecting the client (for example a PC) with the Switch Module
Data Preparation
To configure a console user interface, you need the following data.
No. Data
1 Baud rate, flow-control mode, parity, stop bit, and data bit
2 Idle timeout period, screen length, and the size of history command
buffer
3 User priority
NOTE
All the default values are stored on the Switch Module and do not need additional
configuration.
Procedure
Step 1 Run:
system-view
----End
Procedure
Step 1 Run:
system-view
This step sets the priority of a user who logs in through the console port.
A user can only run commands whose level does not exceed the user level.
For more information about the command priority, see 1.2.1.2 Command Levels.
----End
Procedure
Step 1 Run the display users [ all ] command to check information about user interface.
Step 3 Run the display local-user command to check the local user list.
----End
Applicable Environment
To ensure that the operator manages Switch Modules safely, you need to be able
to send messages between user interfaces and to clear designated users.
Pre-configuration Tasks
Before managing the user interface, complete the following tasks:
Data Preparations
To manage the user interface, you need the following data:
No. Data
Procedure
Step 1 Run:
send { all | ui-type ui-number | ui-number1 }
Step 2 Following the prompt, you can enter the message to be sent. You can press Ctrl_Z
or Enter to end.
----End
Procedure
Step 1 Run:
free user-interface { ui-number | ui-type ui-number1 }
Step 2 On receiving the prompts, you can confirm whether the designated online users
have to be cleared.
----End
Prerequisites
The configuration of User Interfaces is complete.
Procedure
Step 1 Run the display users [ all ] command to check the usage information of the user
interface.
----End
Storage Device
A storage device is a hardware device used to store data.
Different products support different storage devices. Currently, the CX91x series
supports the flash memory.
File
A file stores and manages information.
Directory
A directory collects and organizes files. It is a logical container of files.
Pre-configuration Tasks
Before managing a storage device, complete the following tasks:
Data Preparation
To manage a storage device, you need the following data.
No. Data
1 Device name
Context
The CX91x series has two independent file systems: flash file system (Flash:/) and
flashVX file system (FlashVX:/). You can use the flashVX file system to store
temporary data. Run cd ? to view the two file systems.
NOTICE
Running the format command will delete all files and directories from the CX91x
series memory, and they cannot be recovered. Run the command with caution.
Procedure
Step 1 Run the following command in the user view:
format device-name
----End
Applicable Environment
When you need to transfer files between the client and the server, configure the
directory by using the file system.
Pre-configuration Tasks
Before configuring the management directory, complete the following tasks:
Data Preparation
To configure a management directory, you need the following data.
No. Data
Procedure
Step 1 Run:
pwd
----End
Procedure
Step 1 Run:
cd directory
A directory is specified.
Step 2 Run:
pwd
----End
Procedure
Step 1 Run:
cd directory
Step 2 Run:
dir [ /all ] [ filename | flash: ]
----End
Procedure
Step 1 Run:
cd directory
Step 2 Run:
mkdir directory
----End
Procedure
Step 1 Run:
cd directory
Step 2 Run:
rmdir directory
----End
Applicable Environment
To view, create, delete, or rename files on the Switch Module, you need to
configure files using the file system.
Pre-configuration Tasks
Before configuring the file system, complete the following tasks:
Data Preparation
To configure a file system, you need the following data.
No. Data
Procedure
Step 1 Run:
cd directory
Step 2 Run:
more filename
----End
Procedure
Step 1 Run:
cd directory
NOTE
The file to be copied must be larger than 0 bytes. Otherwise, the operation fails.
----End
Procedure
Step 1 Run:
cd directory
----End
Procedure
Step 1 Run:
cd directory
----End
Procedure
Step 1 Run:
zip source-filename destination-filename
----End
Procedure
Step 1 Run:
cd directory
Step 2 Run:
delete [ /unreserved ] filename
----End
Procedure
Step 1 Run:
reset recycle-bin [ filename ]
----End
Procedure
Step 1 Run:
undelete filename
NOTE
● If the current directory is not the root directory, you must operate the file by using the
absolute path.
● If you use the parameter [ /unreserved ] in the delete command, the file cannot be
restored after being deleted.
----End
Prerequisites
The batch file has been uploaded from the client to the Switch Module.
Procedure
Step 1 Run:
system-view
Step 2 Run:
execute filename
----End
Prerequisites
Before configuring a file system, complete the following tasks:
Context
Data may be lost or damaged during file operations, so a prompt is required.
Procedure
Step 1 Run:
system-view
Step 2 Run:
file prompt { alert | quiet }
NOTICE
If the prompt is in the quiet mode, no prompt appears for data loss due to
maloperation.
----End
The configuration file contains the configuration items that are loaded when the
Switch Module restarts, either this time or the next time.
NOTE
● The system can run the command with the maximum length of 512 characters,
including the command in an incomplete form.
● If the configuration is in the incomplete form, the command is saved in complete form.
Therefore, the command length in the configuration file may exceed 512 characters.
When the system restarts, these commands cannot be restored.
Applicable Environment
In one of the following situations, you need to manage configuration files:
Pre-configuration Tasks
Before managing configuration files, complete the following task:
● Installing the Switch Module and starting it properly
Data Preparation
To manage configuration files, you need the following data.
No. Data
3 The number of the start line from which the comparison of the
configuration files begins
Procedure
Step 1 Run:
save
----End
Procedure
Step 1 Run:
compare configuration [ configuration-file ] [ current-line-number save-line-number ]
The current configuration is compared with the configuration file for next startup.
If no parameter is set, the comparison begins with the first lines of configuration
files. current-line-number and save-line-number are used to continue the
comparison by ignoring the differences between the configuration files.
When comparing differences between the configuration files, the system displays
the contents of the current configuration file and saved configuration file from the
first different line. By default, 150 characters are displayed for each configuration
file. If the number of characters from the first different line to the end is less than
150, the contents after the first different line are all displayed.
In comparing the current configurations with the configuration file for next
startup, if the configuration file for next startup is unavailable or its contents are
null, the system prompts that reading files fails.
----End
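The behaviour of the compare configuration command described above (first differing line, optional start lines for continuing a comparison, 150 characters shown per file, failure when the next-startup file is unavailable or empty) can be modelled in a few lines. The following is an added example written for this guide, not Huawei's implementation and not code from the guide; the two configuration texts are constructed samples, and the function and class names are this example's own.

```python
"""Model of the "compare configuration" check: find the first line at which the
current configuration differs from the saved (next-startup) configuration and
show up to 150 characters of each file from that line onward."""

DISPLAY_CHARS = 150  # default number of characters displayed per file

# Constructed sample configurations (not taken from a real device).
CURRENT_CONFIG = """#
sysname Base
#
vlan batch 10 20
#
interface Vlanif10
 ip address 10.1.1.3 255.255.255.0
#
return"""

SAVED_CONFIG = """#
sysname Base
#
vlan batch 10
#
interface Vlanif10
 ip address 10.1.1.3 255.255.255.0
#
return"""


class ConfigReadError(Exception):
    """Raised when the saved configuration is missing or empty, mirroring the
    'reading files fails' prompt described in the guide."""


def compare_configuration(current, saved, current_line=1, save_line=1,
                          max_chars=DISPLAY_CHARS):
    """Compare two configuration texts starting at the given 1-based lines.

    Returns None when no difference is found from the start lines onward;
    otherwise a dict with the line number of the first differing line in each
    file and the text displayed from that line (cut to max_chars characters).
    Passing current_line/save_line past a known difference continues the
    comparison while ignoring that difference, as the command's parameters do.
    """
    if not saved or not saved.strip():
        raise ConfigReadError("next-startup configuration is unavailable or empty")
    cur_lines = current.splitlines()
    sav_lines = saved.splitlines()
    i, j = current_line - 1, save_line - 1
    while i < len(cur_lines) and j < len(sav_lines):
        if cur_lines[i] != sav_lines[j]:
            break
        i += 1
        j += 1
    else:
        # Loop ended without a mismatch: identical only if both files are exhausted.
        if i >= len(cur_lines) and j >= len(sav_lines):
            return None
    return {
        "current_line": i + 1,
        "save_line": j + 1,
        "current_text": "\n".join(cur_lines[i:])[:max_chars],
        "saved_text": "\n".join(sav_lines[j:])[:max_chars],
    }


if __name__ == "__main__":
    diff = compare_configuration(CURRENT_CONFIG, SAVED_CONFIG)
    print("first difference at current line %d / saved line %d"
          % (diff["current_line"], diff["save_line"]))
    print("current:", diff["current_text"].splitlines()[0])
    print("saved:  ", diff["saved_text"].splitlines()[0])
```

An unsaved change such as the extra VLAN above is exactly the kind of configuration drift that a periodic comparison of the running and next-startup configurations surfaces before a reboot discards it.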
Prerequisites
The configuration of Managing Configuration Files is complete.
Procedure
Step 1 Run:
display current-configuration
The configuration file that the Switch Module loads the next time when it starts is
displayed.
Step 3 Run:
dir [ /all ] [ filename ]
----End
Example
After the configurations succeed, run the preceding commands, and you can find
the following results:
1.8.1.1 FTP
You can transfer files between local and remote hosts through FTP. FTP is
commonly used in version upgrade, log downloading, file transfer, and
configuration saving.
FTP is an application layer protocol in the TCP/IP protocol suite. It implements file
transfer between local and remote hosts on top of their respective file systems.
The Switch Module provides the following FTP services:
● FTP server service. Users can run the FTP client program to log in to the
Switch Module and access the files on the Switch Module.
● FTP client service. Users can establish a connection with the Switch Module by
running a terminal emulation program or a Telnet program on a client (for
example a PC). Enter an FTP command to connect with the remote FTP server
and access the files on the remote host.
NOTE
CX91x series only provides FTP client service.
1.8.1.2 TFTP
TFTP does not have a complex interactive access interface and authentication
control. TFTP is applicable when there is no complex interaction between the
client and server.
The TFTP is a simple file transfer protocol.
Compared with FTP, TFTP does not have a complex interactive access interface and
authentication control. TFTP is applicable in an environment where there is no
complex interaction between the client and the server. For example, TFTP is used
to obtain the memory image of the system when the system starts up.
TFTP is implemented based on the User Datagram Protocol (UDP).
The client initiates the TFTP transfer. To download files, the client sends a read
request packet to the TFTP server, receives packets from the server, and sends
acknowledgement to the server. To upload files, the client sends a write request
packet to the TFTP server, sends packets to the server, and receives
acknowledgement from the server.
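The read-request exchange just described (client sends a read request, the server answers with data blocks, the client acknowledges each block) follows the packet formats of RFC 1350. The following added example, written for this guide and not part of it or of the Switch Module's software, implements both sides of that exchange in memory so the opcode and block-number handshake can be inspected without a network. The server content is a constructed sample (the file name 8031.cc is the one used in this guide's TFTP example; the bytes are made up), and all function and class names are this example's own. Note that, as the text says, there is no authentication step anywhere in the exchange: whoever can reach the server can request the file.

```python
"""In-memory model of a TFTP read request (RRQ) exchange, RFC 1350 packet formats."""

import struct

OP_RRQ, OP_WRQ, OP_DATA, OP_ACK, OP_ERROR = 1, 2, 3, 4, 5
BLOCK_SIZE = 512  # a DATA block shorter than 512 bytes marks the end of the transfer

# Constructed sample server content (1028 bytes: two full blocks plus a short one).
SAMPLE_FILES = {"8031.cc": bytes(range(256)) * 4 + b"tail"}


def build_request(opcode, filename, mode="octet"):
    """RRQ/WRQ packet: opcode, filename, NUL, mode, NUL ("octet" = binary mode)."""
    return struct.pack("!H", opcode) + filename.encode() + b"\0" + mode.encode() + b"\0"


def build_data(block, payload):
    return struct.pack("!HH", OP_DATA, block) + payload


def build_ack(block):
    return struct.pack("!HH", OP_ACK, block)


def build_error(code, message):
    return struct.pack("!HH", OP_ERROR, code) + message.encode() + b"\0"


def parse_packet(packet):
    """Return (opcode, fields) for one TFTP packet."""
    (opcode,) = struct.unpack("!H", packet[:2])
    if opcode in (OP_RRQ, OP_WRQ):
        filename, mode, _ = packet[2:].split(b"\0", 2)
        return opcode, {"filename": filename.decode(), "mode": mode.decode()}
    if opcode in (OP_DATA, OP_ACK):
        (block,) = struct.unpack("!H", packet[2:4])
        return opcode, {"block": block, "data": packet[4:]} if opcode == OP_DATA else {"block": block}
    if opcode == OP_ERROR:
        (code,) = struct.unpack("!H", packet[2:4])
        return opcode, {"code": code, "message": packet[4:].split(b"\0", 1)[0].decode()}
    raise ValueError("unknown opcode %d" % opcode)


class TftpServer:
    """Minimal lock-step server: block n+1 is sent only after ACK n arrives."""

    def __init__(self, files):
        self.files = files
        self.blocks = None  # outstanding transfer (single client in this model)

    def handle(self, packet):
        """Process one client packet and return the reply packet, or None when done."""
        opcode, fields = parse_packet(packet)
        if opcode == OP_RRQ:
            data = self.files.get(fields["filename"])
            if data is None:
                return build_error(1, "File not found")
            self.blocks = [data[i:i + BLOCK_SIZE] for i in range(0, len(data), BLOCK_SIZE)]
            if len(data) % BLOCK_SIZE == 0:  # exact multiple (or empty): terminating empty block
                self.blocks.append(b"")
            return build_data(1, self.blocks[0])
        if opcode == OP_ACK and self.blocks is not None:
            nxt = fields["block"]  # ACK n: client is ready for block n+1 (index n)
            if nxt < len(self.blocks):
                return build_data(nxt + 1, self.blocks[nxt])
            self.blocks = None  # last block acknowledged
            return None
        return build_error(4, "Illegal TFTP operation")


def tftp_get(server, filename):
    """Client side: send RRQ, receive DATA, ACK each block until a short block.
    Returns (file bytes, transcript of (direction, opcode, block-or-error-code))."""
    transcript = [("client->server", OP_RRQ, None)]
    received = bytearray()
    reply = server.handle(build_request(OP_RRQ, filename))
    expected = 1
    while True:
        opcode, fields = parse_packet(reply)
        if opcode == OP_ERROR:
            transcript.append(("server->client", OP_ERROR, fields["code"]))
            raise OSError("server error %d: %s" % (fields["code"], fields["message"]))
        if opcode != OP_DATA or fields["block"] != expected:
            raise ValueError("unexpected packet %r" % (fields,))
        transcript.append(("server->client", OP_DATA, fields["block"]))
        received += fields["data"]
        reply = server.handle(build_ack(fields["block"]))
        transcript.append(("client->server", OP_ACK, fields["block"]))
        if len(fields["data"]) < BLOCK_SIZE:
            return bytes(received), transcript
        expected += 1


if __name__ == "__main__":
    content, log = tftp_get(TftpServer(SAMPLE_FILES), "8031.cc")
    print(len(content), "bytes in", sum(1 for t in log if t[1] == OP_DATA), "blocks")
```

The transcript for the sample file is RRQ, DATA 1, ACK 1, DATA 2, ACK 2, DATA 3 (4 bytes), ACK 3; the short third block ends the transfer. A write request (WRQ) runs the same handshake with the roles of DATA and ACK reversed, as the text states.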
Applicable Environment
When a Switch Module serves as an FTP client, you can log in to the FTP server
through the Switch Module and then transmit files or manage server directory.
Pre-configuration Tasks
Before configuring the Switch Module as an FTP client, complete the following
tasks:
● Powering on the Switch Module
● The communication between Switch Module and server is normal
Data Preparation
To configure the Switch Module as an FTP client, you need the following data.
No. Data
3 Local file name and file name on the remote FTP server
Procedure
Step 1 Run the following commands according to different views.
● In the user view, establish a connection to the FTP server.
Run:
a. ftp host [ port-number ]
----End
1.8.2.3 Configuring the Data Type and Transmission Mode for a File
You can configure the data type and transmission mode for a file.
Procedure
Step 1 Run the following commands according to different views.
● In the user view, establish a connection to the FTP server.
Run:
a. ftp host [ port-number ]
or
binary
The data type for the file to be transmitted is set to ASCII code or binary.
FTP supports the ASCII type and the binary type. Their differences are as follows:
● In ASCII transmission mode, ASCII characters are used to separate carriage
returns from line feeds.
----End
Procedure
Step 1 Run the following commands according to different views.
● In the user view, establish a connection to the FTP server.
Run:
a. ftp host [ port-number ]
Step 2 Run:
remotehelp command
----End
Procedure
Step 1 Run the following commands according to different views.
● In the user view, establish a connection to the FTP server.
Run:
a. ftp host [ port-number ]
The file is downloaded from the FTP server and saved to the local device.
----End
Procedure
Step 1 Run the following commands according to different views.
● In the user view, establish a connection to the FTP server.
Run:
a. ftp host [ port-number ]
Step 2 Run one or more commands in the following order to manage directories.
● Run:
cd pathname
The working path of the FTP server is switched to the upper-level directory.
● Run:
pwd
– The directory to be created can comprise letters and digits, but not special
characters such as <, >, ?, \ and :.
– When running the mkdir /abc command, you create a sub-directory named "abc"
in the root directory.
----End
Procedure
Step 1 Run the following commands according to different views.
● In the user view, establish a connection to the FTP server.
Run:
a. ftp host [ port-number ]
When local-filename is set, related information about the file can be downloaded
locally.
----End
Procedure
Step 1 Run the following commands according to different views.
● In the user view, establish a connection to the FTP server.
Run:
a. ftp host [ port-number ]
Step 2 Run:
user user-name [ password ]
The current login user is changed and the specified user logs in again.
After the current login user is changed, the specified user logs in, and the original
user connection is broken.
----End
Procedure
Step 1 Run the following commands according to different views.
● In the user view, establish a connection to the FTP server.
Run:
a. ftp host [ port-number ]
----End
Applicable Environment
You can transfer files through TFTP between the server and the client in a simple
interaction environment.
Pre-configuration Tasks
Before configuring TFTP, complete the following tasks:
● Powering on the Switch Module
● Connecting the TFTP client with the server
Data Preparation
To configure TFTP, you need the following data.
No. Data
3 File directory
Procedure
Step 1 If the IP address of the server is an IPv4 address, run:
tftp tftp-server get source-filename [ destination-filename ]
----End
Procedure
Step 1 If the IP address of the server is an IPv4 address, run:
tftp tftp-server put source-filename [ destination-filename ]
----End
Applicable Environment
When the Switch Module serves as the TFTP client, you can configure the ACL on
the Switch Module. After the configuration, you can control the TFTP server to
which the device can log in through TFTP.
Pre-configuration Tasks
Before configuring a limit to access the TFTP server, complete the following tasks:
Data Preparation
To configure a limit to access to the TFTP server, you need the following data.
No. Data
2 ACL number
Context
NOTE
Procedure
Step 1 Run:
system-view
Step 2 Run:
acl acl-number
Step 3 Run:
rule [ rule-id ] { deny | permit } [ fragment | logging | source { source-address source-wildcard | any } | time-range time-name ] *
----End
Procedure
Step 1 Run:
system-view
You can use the ACL to limit the access to the TFTP server.
----End
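The rule command above matches a source address against a source-wildcard, in which a wildcard bit of 0 means the corresponding address bit must match and a bit of 1 means it is ignored; rules are checked in order and the first match decides whether the Switch Module may contact that TFTP server. The following is an added example written for this guide, not code from it or from the device, that implements that matching logic on a constructed rule set. The rule tuples, function names and the default action for an address that matches no rule are this example's assumptions, not statements about the device.

```python
"""Model of basic-ACL wildcard matching used to restrict reachable TFTP servers."""

import ipaddress

# Constructed sample ACL in the spirit of the guide's "rule ... source ..." syntax.
# Entries are (action, source-address, source-wildcard); evaluated in order.
SAMPLE_RULES = [
    ("permit", "10.1.1.2", "0.0.0.0"),        # exactly the known TFTP server
    ("permit", "10.1.2.0", "0.0.0.255"),      # a management subnet, 10.1.2.0/24
    ("deny", "0.0.0.0", "255.255.255.255"),   # equivalent of "source any": everything else
]


def _to_int(addr):
    return int(ipaddress.IPv4Address(addr))


def rule_matches(rule, address):
    """Wildcard semantics: 0 bits must match, 1 bits are don't-care."""
    _, source, wildcard = rule
    care_mask = 0xFFFFFFFF ^ _to_int(wildcard)  # invert the wildcard into a care-mask
    return (_to_int(address) & care_mask) == (_to_int(source) & care_mask)


def acl_decision(rules, address, default="deny"):
    """Action of the first matching rule, or `default` when nothing matches.
    The default for an unmatched address is an assumption of this model."""
    for rule in rules:
        if rule_matches(rule, address):
            return rule[0]
    return default


def tftp_server_allowed(rules, server_ip):
    """True when the ACL permits the Switch Module to contact server_ip over TFTP."""
    return acl_decision(rules, server_ip) == "permit"


if __name__ == "__main__":
    for ip in ("10.1.1.2", "10.1.2.77", "10.1.1.9", "192.0.2.5"):
        print(ip, "->", acl_decision(SAMPLE_RULES, ip))
```

Because the wildcard is a bit mask rather than a prefix length, non-contiguous patterns are possible too: a rule with source 10.0.0.5 and wildcard 0.255.255.0 matches every address of the form 10.x.y.5. Keeping the permit entries as narrow as possible (a single server, as in the first rule) is what limits the damage if the device is ever induced to fetch a file from an unintended host.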
Networking Requirements
As shown in Figure 1-5, the remote server at 10.1.1.2 serves as the FTP server. The
Switch and the FTP server are directly connected and on the same network
segment. The Switch has a reachable route to the FTP server.
The Switch acts as the FTP client. Interfaces ranging from GigabitEthernet0/0/1 to
GigabitEthernet0/0/4 can be used to set up FTP connections and they share the IP
address 10.1.1.1.
The Switch downloads files from the FTP server.
Figure 1-5 Networking diagram of the Switch functioning as the FTP client
Configuration Roadmap
The configuration roadmap is as follows:
1. Log in to the FTP server from the FTP client.
2. Download files from the server to the storage device of the client.
Data Preparation
To complete the configuration, you need the following data:
● IP address of the FTP server
● Name of the destination file and position where the destination files are
located on the Switch
● Name of the FTP user set as u1 and the password set as ftppwd on the client
Procedure
Step 1 Enable FTP on the remote FTP server. Add an FTP user named u1 and set the
password to ftppwd.
Step 2 Create VLAN 10 on the Switch, add GigabitEthernet0/0/1 to GigabitEthernet0/0/4
to VLAN 10, and assign the IP address 10.1.1.1 to VLANIF10.
<Base> system-view
[Base] vlan 10
[Base-vlan10] quit
[Base] interface gigabitethernet 0/0/1
[Base-GigabitEthernet0/0/1] port hybrid pvid vlan 10
[Base-GigabitEthernet0/0/1] port hybrid untagged vlan 10
[Base-GigabitEthernet0/0/1] quit
[Base] interface gigabitethernet 0/0/2
[Base-GigabitEthernet0/0/2] port hybrid pvid vlan 10
[Base-GigabitEthernet0/0/2] port hybrid untagged vlan 10
[Base-GigabitEthernet0/0/2] quit
[Base] interface gigabitethernet 0/0/3
[Base-GigabitEthernet0/0/3] port hybrid pvid vlan 10
[Base-GigabitEthernet0/0/3] port hybrid untagged vlan 10
[Base-GigabitEthernet0/0/3] quit
[Base] interface gigabitethernet 0/0/4
[Base-GigabitEthernet0/0/4] port hybrid pvid vlan 10
[Base-GigabitEthernet0/0/4] port hybrid untagged vlan 10
[Base-GigabitEthernet0/0/4] quit
[Base] interface vlanif 10
[Base-Vlanif10] ip address 10.1.1.3 24
Step 3 On the Switch, initiate a connection to the FTP server with the user name u1 and
the password ftppwd.
<Base> ftp 10.1.1.2
Trying 10.1.1.2 ...
Press CTRL+K to abort
Connected to 10.1.1.2.
220 FTP service ready.
User(10.1.1.2:(none)):u1
331 Password required for u1.
Enter password:
230 User logged in.
[ftp]
Step 4 On the Switch, set the mode of transferring files to binary and the flash directory.
[ftp] binary
200 Type is Image (Binary)
[ftp] lcd flash:/
The current local directory is flash:.
Step 5 Download the vrpcfg.cfg file from the remote FTP server on the Switch.
[ftp] get vrpcfg.cfg vrpcfg.cfg
200 Port command okay.
150 Opening BINARY mode data connection for vrpcfg.cfg.
----End
Configuration Files
#
sysname Base
#
vlan batch 10
#
interface Vlanif10
ip address 10.1.1.3 255.255.255.0
#
interface GigabitEthernet0/0/1
port hybrid pvid vlan 10
port hybrid untagged vlan 10
#
interface GigabitEthernet0/0/2
port hybrid pvid vlan 10
port hybrid untagged vlan 10
#
interface GigabitEthernet0/0/3
port hybrid pvid vlan 10
port hybrid untagged vlan 10
#
interface GigabitEthernet0/0/4
port hybrid pvid vlan 10
port hybrid untagged vlan 10
#
return
Networking Requirements
As shown in Figure 1-6, the Switch cannot function as the TFTP server. The
remote server at 10.1.1.2 functions as the TFTP server.
The Switch acts as a TFTP client. VLAN 10 is created on the Switch, and
GigabitEthernet0/0/1 is added to VLAN 10. The IP address 10.1.1.1/24 is assigned
to VLANIF 10.
The Switch downloads files from the TFTP server.
Configuration Roadmap
The configuration roadmap is as follows:
1. Run the TFTP software on the TFTP server and set the position where the
source file is located on the Switch.
2. Download files through TFTP commands on the Switch.
Data Preparation
To complete the configuration, you need the following data:
● TFTP software installed on the TFTP server
● Path of the source file on the TFTP server
● Name of the destination file and position where the destination file is located
on the Switch
Procedure
Step 1 Enable TFTP on the remote server to ensure that the TFTP application software is
started.
Step 2 Create VLAN 10 on the Switch, add GigabitEthernet0/0/1 to VLAN 10, and assign
the IP address 10.1.1.1/24 to VLANIF 10.
<Base> system-view
[Base] vlan 10
[Base-vlan10] quit
[Base] interface gigabitethernet 0/0/1
Step 3 On the Switch, initiate a connection to the TFTP server and download the 8031.cc
file.
<Base> tftp 10.1.1.2 get 8031.cc 8031new.cc
Info: Transfer file in binary mode.
Downloading the file from the remote tftp server, please wait...
----End
Configuration Files
#
sysname Base
#
vlan batch 10
#
interface Vlanif10
ip address 10.1.1.1 255.255.255.0
#
interface GigabitEthernet0/0/1
port hybrid pvid vlan 10
port hybrid untagged vlan 10
#
return
The Telnet protocol is not secure. Data is not encrypted during transmission over Telnet.
Therefore, transmitted data may be restored after IP packets are captured without
authorization. It is recommended that files be transmitted over SSH.
Telnet Services
Telnet is an application layer protocol in the TCP/IP protocol suite. It provides
remote login and a virtual terminal service through the network.
Telnet provides the following services:
● Telnet server: You can run the Telnet client program on a client (for example a
PC) to log in to the Switch Module, configure and manage it. The Switch
Module acts as a Telnet server.
● Telnet client: You can run the terminal emulation program or the Telnet client
program on a client (for example a PC) to connect with the Switch Module.
With the telnet command, you can log in to other Switch Modules to
configure and manage them. As shown in Figure 1-7, Switch A serves as both
the Telnet server and the Telnet client.
NOTE
Introduction to SSH
SSH works at the application layer in the TCP/IP protocol suite. SSH provides
remote login and virtual terminal on the network where security is guaranteed.
Based on TCP connections, SSH guarantees security and provides authentication
for transmitted information, preventing the following attacks shown in Figure 1-8:
● IP spoofing
● Interception of the password in plain text
● Denial of Service (DoS)
Figure 1-8 Establishing a local SSH connection between the client (for example a
PC) and the CX91x series
SSH adopts the client/server model and sets up multiple secure transmission
channels. The Switch, as the SSH server, can be connected to multiple PCs that
function as SSH clients. A Layer 2 switch may exist between the client (for
example a PC) and the SSH server. In the actual networking, a route is required to
be reachable between the client (for example a PC) and the Switch.
Advantages of SSH
The applications of SSH include STelnet and SFTP.
Unlike the Telnet and FTP terminal services, SSH provides secure remote
access over a network on which security is not guaranteed. The advantages of
SSH are as follows:
● STelnet client functions
There is a potential risk on security for login through Telnet because there is
no authentication and the data transmitted through TCP is in plain text. The
insecure access results in malicious attacks including DoS attacks, IP spoofing
attacks, and route spoofing attacks.
SSH provides secure remote access on an insecure network by supporting the
following functions:
– Supporting Rivest-Shamir-Adleman Algorithm (RSA) authentication
– Supporting Data Encryption Standard (DES) and Triple DES (3DES)
– Supporting the encrypted transfer of the user name or password
– Supporting the encrypted transfer of interactive data
SSH adopts RSA. After the public key and the private key are generated
according to the encryption principle of the asymmetric encryption system,
the following information is transmitted with security between the SSH client
and the SSH server:
– Key
– User name or password
– Interactive data
● SFTP client functions
SFTP provides the following types of applications:
– By using SFTP, you can securely log in to the CX91x series from a remote
device to manage files. This improves the security of data transmission
when files need to be transferred during the upgrade of the remote
system.
– The CX91x series can function as the client to log in to the remote device
through FTP to transfer files securely.
Applicable Environment
STelnet is a secure Telnet protocol. The SSH user can use the STelnet service in the
same manner as using the Telnet service.
Pre-configuration Tasks
Before connecting the STelnet client to the SSH server, complete the following
tasks:
● Generating the local RSA key pair on the SSH server
● Configuring the STelnet user on the SSH server
● Enabling the STelnet service on the SSH server
Data Preparation
To connect the STelnet client to the SSH server, you need the following data:
No. Data
3 Preferred encryption algorithm from the STelnet client to the SSH server
4 Preferred encryption algorithm from the SSH server to the STelnet client
6 Preferred HMAC algorithm from the SSH server to the STelnet client
9 Source address
Context
If first-time authentication is enabled on the SSH client, the STelnet client
does not check the validity of the RSA public key when it logs in to the SSH
server for the first time. After the login, the system automatically assigns
the RSA public key and saves it for authentication at the next login.
To simplify user operations, it is recommended that you enable first-time
authentication on the SSH client.
Do as follows on the Switch Module that serves as an SSH client.
Procedure
Step 1 Run:
system-view
NOTE
● The purpose of enabling the first-time authentication on the SSH client is to skip
checking the validity of the RSA public key of the SSH server when the STelnet client
logs in to the SSH server for the first time. The check is skipped because the STelnet
server has not saved the RSA public key of the SSH server.
● If the first-time authentication is not enabled on the SSH client, when the STelnet client
logs in to the SSH server for the first time, the STelnet client fails to pass the check on
the RSA public key validity and cannot log in to the server.
NOTE
To ensure that the STelnet client can log in to the SSH server at the first attempt, you can
also assign the RSA public key of the SSH server on the SSH client in advance, in addition
to enabling first-time authentication on the SSH client.
----End
Context
If the first-time authentication on the SSH client is disabled, you need to allocate
an RSA public key to the SSH server before the STelnet client logs in to the SSH
server.
Procedure
Step 1 Run:
system-view
If the specified hex-data is invalid, the public key cannot be generated after
the peer-public-key end command is run. If the key-name specified in Step 2
has been deleted in another view, the system prompts that the key does not
exist after the peer-public-key end command is run, and the system view is
displayed.
Step 6 Run:
peer-public-key end
Step 7 Run:
ssh client servername assign rsa-key keyname
NOTE
● Before being assigned to the SSH server, the peer RSA public key must be obtained
from the SSH server and configured on the SSH client. The STelnet client can then
pass the validity check on the RSA public key of the SSH server.
● If the RSA public key stored on the SSH client becomes invalid, run the undo ssh client
servername assign rsa-key command to cancel the association between the SSH client
and the SSH server. Then, run the ssh client servername assign rsa-key keyname
command to allocate a new RSA public key to the SSH server.
----End
Context
NOTE
When accessing an SSH server, the STelnet client can carry the source address and choose
the key exchange algorithm, encryption algorithm, or HMAC algorithm.
Procedure
Step 1 Run:
system-view
----End
Prerequisites
The configuration of the STelnet client function is complete.
Procedure
Step 1 Run:
display ssh server-info
The mapping between the RSA public key and the SSH server on the SSH client is
displayed.
Step 2 Run:
display ssh server session
----End
Example
In the output of the display ssh server session command, you can see that the
client logs in from VTY 3 using the STelnet service with password authentication.
<Base> display ssh server session
Session 1:
Conn : VTY 3
Version : 2.0
State : started
Username : client001
Retry :1
CTOS Cipher : aes128-cbc
STOC Cipher : aes128-cbc
CTOS Hmac : hmac-sha1-96
STOC Hmac : hmac-sha1-96
Kex : diffie-hellman-group1-sha1
Service Type : stelnet
Authentication Type : password
Applicable Environment
SFTP enables users to log in to the device from a secure remote end to manage
files. This improves the security of data transmission when the remote end
updates its system. The SFTP client function also enables you to log in to a
remote device through SFTP for secure file transmission.
Pre-configuration Tasks
Before connecting the SFTP client to the SSH server, complete the following tasks:
Data Preparation
To connect an SFTP client to an SSH server, you need the following data.
No. Data
3 Preferred encryption algorithm from the SFTP client to the SSH server
4 Preferred encryption algorithm from the SFTP server to the SSH client
5 Preferred HMAC algorithm from the SFTP client to the SSH server
6 Preferred HMAC algorithm from the SFTP server to the SSH client
9 Directory name
10 File name
Context
If the first-time authentication on the SSH client is enabled, the STelnet client does
not check the validity of the RSA public key when logging in to the SSH server for
the first time. After the login, the system automatically allocates the RSA public
key and saves it for authentication in next login.
Procedure
Step 1 Run:
system-view
NOTE
● The purpose of enabling the first-time authentication on the SSH client is to skip
checking the validity of the RSA public key of the SSH server when the SFTP client logs
in to the SSH server for the first time. The check is skipped because the SFTP server has
not saved the RSA public key of the SSH server.
● If the first-time authentication is not enabled on the SSH client, when the SFTP client
logs in to the SSH server for the first time, the SFTP client fails to pass the check on the
RSA public key validity and cannot log in to the server.
NOTE
In addition to enabling first-time authentication on the SSH client, you can assign the
RSA public key of the SSH server on the SSH client in advance so that the SFTP client
can log in to the server successfully at the first attempt.
----End
Context
If the first-time authentication on the SSH client is disabled, you need to assign an
RSA public key to the SSH server before the STelnet client logs in to the SSH
server.
Procedure
Step 1 Run:
system-view
public-key-code begin
Step 4 Run:
hex-data
Step 5 Run:
public-key-code end
If the specified hex-data is invalid, the public key cannot be generated after
the peer-public-key end command is run. If the key-name specified in Step 2
has been deleted in another view, the system prompts that the key does not
exist after the peer-public-key end command is run, and the system view is
displayed.
Step 6 Run:
peer-public-key end
Step 7 Run:
ssh client servername assign rsa-key keyname
NOTE
● Before being assigned to the SSH server, the peer RSA public key must be obtained
from the SSH server and configured on the SSH client. The SFTP client can then pass
the validity check on the RSA public key of the SSH server.
● If the RSA public key stored on the SSH client becomes invalid, run the undo ssh client
servername assign rsa-key command to cancel the association between the SSH client
and the SSH server. Then, run the ssh client servername assign rsa-key keyname
command to allocate a new RSA public key to the SSH server.
----End
Context
NOTE
The command for enabling the SFTP client is similar to that for STelnet. When accessing
the SSH server, the SFTP client can carry the source address and the name of the VPN
instance, choose the key exchange algorithm, encryption algorithm, and HMAC algorithm,
and configure the keepalive function.
Procedure
Step 1 Run:
system-view
----End
Context
NOTE
After the SFTP client logs in to the SSH server, it can create or delete directories on the
SSH server, and display the current working directory and information about a specified
directory and its files.
Procedure
Step 1 Run:
system-view
● Run:
dir / ls [ remote-directory ]
----End
Context
NOTE
After the SFTP client logs in to the SSH server, it can rename files, delete files, display
the file list, and upload and download files on the SFTP server.
Procedure
Step 1 Run:
system-view
----End
Procedure
Step 1 Run:
system-view
Step 3 Run:
help [all | command-name ]
----End
Prerequisites
The configuration of the SFTP client function is complete.
Procedure
Step 1 Run:
display ssh server-info
The mapping between the SSH server and the RSA public key on the SSH client is
displayed.
Step 2 Run:
display ssh server session
----End
Example
In the output of the display ssh server session command, you can see that the
client logs in from VTY 4 using the SFTP service with RSA authentication.
[Base] display ssh server session
Session 2:
Conn : VTY 4
Version : 2.0
State : started
Username : client002
Retry :1
CTOS Cipher : aes128-cbc
STOC Cipher : aes128-cbc
CTOS Hmac : hmac-sha1-96
STOC Hmac : hmac-sha1-96
Kex : diffie-hellman-group1-sha1
Service Type : sftp
Authentication Type : rsa
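A parser and policy check for the display ssh server session output shown in the STelnet and SFTP verification examples above, as an added example that is not part of this guide. The two-session listing is constructed from the guide's two outputs, and the weak-algorithm lists are assumptions to be replaced by your own baseline.

```python
"""Audit 'display ssh server session' output from the CX91x switching plane.

Added example, not part of the Huawei guide. It parses the session listing
shown in the guide's STelnet and SFTP verification examples and reports the
sessions that negotiated algorithms outside a local policy. The policy sets
below are assumptions for illustration; align them with your own baseline.
"""
import re
from typing import Dict, List

# Constructed sample: the guide's two verification outputs (VTY 3 STelnet
# session, VTY 4 SFTP session) joined as one listing with two active sessions.
SAMPLE_OUTPUT = """\
<Base> display ssh server session
Session 1:
Conn : VTY 3
Version : 2.0
State : started
Username : client001
Retry :1
CTOS Cipher : aes128-cbc
STOC Cipher : aes128-cbc
CTOS Hmac : hmac-sha1-96
STOC Hmac : hmac-sha1-96
Kex : diffie-hellman-group1-sha1
Service Type : stelnet
Authentication Type : password
Session 2:
Conn : VTY 4
Version : 2.0
State : started
Username : client002
Retry :1
CTOS Cipher : aes128-cbc
STOC Cipher : aes128-cbc
CTOS Hmac : hmac-sha1-96
STOC Hmac : hmac-sha1-96
Kex : diffie-hellman-group1-sha1
Service Type : sftp
Authentication Type : rsa
"""

# Assumed policy (not from the guide): group1 is a 1024-bit DH group, and CBC
# ciphers and truncated SHA-1/MD5 MACs are disabled by default in current SSH
# implementations. 3DES is listed because the guide names it as supported.
WEAK_KEX = {"diffie-hellman-group1-sha1"}
WEAK_CIPHERS = {"aes128-cbc", "aes256-cbc", "3des-cbc"}
WEAK_MACS = {"hmac-sha1-96", "hmac-md5", "hmac-md5-96"}
CHECKS = {
    "Kex": WEAK_KEX,
    "CTOS Cipher": WEAK_CIPHERS,
    "STOC Cipher": WEAK_CIPHERS,
    "CTOS Hmac": WEAK_MACS,
    "STOC Hmac": WEAK_MACS,
}
SESSION_RE = re.compile(r"^Session\s+(\d+):$")


def parse_sessions(output: str) -> List[Dict[str, str]]:
    """Split the listing into one dict per session (keys as printed)."""
    sessions: List[Dict[str, str]] = []
    current: Dict[str, str] = {}
    for raw in output.splitlines():
        line = raw.strip()
        match = SESSION_RE.match(line)
        if match:
            current = {"Session": match.group(1)}
            sessions.append(current)
            continue
        if not current or ":" not in line:
            continue  # prompt echo, blank line, or text before the first session
        # The guide prints 'Retry :1' with no space after the colon, so split
        # on the first colon and strip both halves rather than on ' : '.
        key, _, value = line.partition(":")
        current[key.strip()] = value.strip()
    return sessions


def audit_session(session: Dict[str, str]) -> List[str]:
    """Return findings for one session; an empty list means it passed policy."""
    findings = []
    for field, weak in CHECKS.items():
        value = session.get(field, "")
        if value in weak:
            findings.append(f"{field} negotiated {value}")
    if session.get("Authentication Type") == "password":
        findings.append("password authentication in use; the guide also "
                        "supports RSA public-key authentication")
    return findings


def audit(output: str) -> Dict[str, List[str]]:
    """Map session number -> findings for every session in the listing."""
    return {s["Session"]: audit_session(s) for s in parse_sessions(output)}
```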
2 Configuration Guide-Ethernet
This topic describes the configuration methods and scenarios for Ethernet services
of a device. The configurations of Ethernet ports, link aggregation, virtual local
area networks (VLANs), Media Access Control (MAC) lists, Address Resolution
Protocol (ARP), and Multiple Spanning Tree Protocol (MSTP), are described by
using examples.
If the local interface works in auto-negotiation mode, the peer interface must also
work in auto-negotiation mode; otherwise, the link operates abnormally.
Interface Group
The interface group function of the CX91x series enables you to configure multiple
interfaces at the same time. In the interface group view, you can run commands
to configure all the interfaces in the group.
Auto-Negotiation
During auto-negotiation, the devices at both ends of a physical link exchange
information to choose the same operating parameters. The main parameters to
be negotiated are the duplex mode (half-duplex or full-duplex), rate, and flow
control. After the negotiation succeeds, the devices at both ends operate in the
agreed mode and at the agreed rate.
Port Isolation
Ports enabled with port isolation cannot communicate with each other, and thus
ports on the same VLAN can be isolated. Port isolation provides secure and
flexible networking schemes for customers.
Applicable Environment
The configuration task is applicable to the following situations:
Pre-configuration Tasks
None
Data Preparation
To configure the basic functions of Ethernet interfaces, you need the following
data.
No. Data
Context
Do as follows on the CX91x series where you need to configure the interface
description.
Procedure
Step 1 Run:
system-view
Step 2 Run:
interface interface-type interface-number
Step 3 Run:
description description
----End
Context
Do as follows on the CX91x series where you need to set the duplex mode of
interfaces.
Procedure
Step 1 Run:
system-view
Step 2 Run:
interface interface-type interface-number
Step 3 Run:
undo negotiation auto
Step 4 Run:
duplex { full | half }
----End
Context
Do as follows on the CX91x series where you need to set the rate of interfaces.
Procedure
Step 1 Run:
system-view
----End
Context
Do as follows on the CX91x series where you want to enable auto-negotiation and
on the switch connected to this CX91x series.
Procedure
Step 1 Run:
system-view
Step 3 Run:
negotiation auto
The local interface and peer interface must work in the same mode, that is, both
in auto-negotiation mode or not.
----End
Procedure
Step 1 Run the display interface [ interface-type [ interface-number ] ] command to
display the description, duplex mode, and rate of an Ethernet interface.
----End
Example
By running the display interface command, you can check whether the
description, duplex mode, and rate of an Ethernet interface are set correctly.
<Base> display interface gigabitethernet 0/0/1
GigabitEthernet0/0/1 current state : UP
Line protocol current state : UP
Description:GigabitEthernet0/0/1 Interface
Switch Port,PVID : 1,The Maximum Frame Length is 9712
IP Sending Frames' Format is PKTFMT_ETHNT_2, Hardware address is 0025-9e80-2494
Port Mode: COMMON COPPER
Speed : 1000, Loopback: NONE
Duplex: FULL, Negotiation: ENABLE
Mdi : AUTO
Last 300 seconds input rate 760 bits/sec, 0 packets/sec
Last 300 seconds output rate 896 bits/sec, 0 packets/sec
Input peak rate 12304 bits/sec,Record time: 2010-08-05 10:32:18
Output peak rate 14568 bits/sec,Record time: 2010-08-03 08:47:01
Input: 28643 packets, 2734204 bytes
Unicast : 20923,Multicast : 7703
Broadcast : 17,Jumbo : 0
CRC : 0,Giants : 0
Jabbers : 0,Throttles : 0
Runts : 0,DropEvents : 0
Alignments : 0,Symbols : 0
Ignoreds : 0,Frames : 0
Discard : 474,Total Error : 0
Output: 68604 packets, 8057155 bytes
Unicast : 20429,Multicast : 14054
Broadcast : 34121,Jumbo : 0
Collisions : 0,Deferreds : 0
Late Collisions: 0,ExcessiveCollisions: 0
Buffers Purged : 0
Discard : 0,Total Error : 0
Input bandwidth utilization threshold : 100.00%
Output bandwidth utilization threshold: 100.00%
Input bandwidth utilization : 0.01%
Output bandwidth utilization : 0.00%
Applicable Environment
The configuration task is applicable in the following situations:
● The CX91x series provides the interface group function, which enables you to
configure multiple interfaces at the same time.
● When the traffic volume received on an interface of the CX91x series exceeds
the processing capability of the interface and the directly connected interface
supports traffic control, you can enable the traffic control function on the
interface of the CX91x series. After traffic control is enabled on the interface,
the interface sends a Pause frame to the peer interface to request the peer
interface to stop sending traffic if the received traffic reaches the set
threshold. If the peer interface supports traffic control, the peer interface
decreases the rate of sending traffic after receiving the frame so that the local
interface can properly process received traffic.
● Ports enabled with port isolation cannot communicate with each other, and
thus ports on the same VLAN can be isolated. Port isolation provides secure
and flexible networking schemes for customers.
Pre-configuration Tasks
None.
Data Preparation
To configure the advanced functions of Ethernet interfaces, you need the following
data.
No. Data
1 Interface number
Context
Do as follows on the CX91x series where you need to configure the loopback test.
Procedure
Step 1 Run:
system-view
Step 2 Run:
interface interface-type interface-number
Step 3 Run:
loopbacktest internal
----End
Context
Do as follows on the CX91x series where you need to configure interface groups.
Procedure
Step 1 Run:
system-view
Step 2 Run:
port-group port-group-name
Step 3 Run:
group-member interface-type interface-number
----End
Context
Do as follows on the CX91x series where you need to set the maximum frame
length.
Procedure
Step 1 Run:
system-view
Step 2 Run:
interface interface-type interface-number
Step 3 Run:
jumboframe enable [ value ]
When an interface of the CX91x series is enabled to allow jumbo frames but the
maximum length of jumbo frames is not set, the interface allows jumbo frames of
up to 9712 bytes.
----End
Context
Do as follows on the CX91x series where you need to enable flow control.
To implement flow control, you must enable this function on both the local
interface and peer interface.
Procedure
Step 1 Run:
system-view
Step 2 Run:
interface interface-type interface-number
Step 3 Run:
flow-control
----End
Context
Do as follows on the CX91x series whose interface needs to be configured with
auto-negotiation of flow control.
GE interfaces support auto-negotiation of flow control, but FE interfaces do not
support this function.
Procedure
Step 1 Run:
system-view
----End
Procedure
● Run the display port-group [ all | port-group-name ] command to display
information about the interface group.
● Run the display interface [ interface-type [ interface-number ] ] command to
display information about auto-negotiation capability on an Ethernet
interface.
● Run the display this command to display the maximum frame length, flow
control, and port isolation settings of the port.
----End
Example
By running the display port-group command, you can check whether the
interface group is configured properly.
<Base> display port-group all
Portgroup:1 GigabitEthernet0/0/1
By running the display interface command, you can check whether an Ethernet
interface is configured correctly.
Run the display this command to display the maximum frame length, flow
control, and port isolation settings of the port.
[Fabric-XGigabitEthernet0/0/3]display this
#
interface XGigabitEthernet0/0/3
broadcast-suppression value 10
multicast-suppression value 10
unknown-unicast-suppression value 10
flow-control
#
return
[Base-GigabitEthernet0/0/3]display this
#
interface GigabitEthernet0/0/3
broadcast-suppression value 10
multicast-suppression value 10
unknown-unicast-suppression value 10
port hybrid untagged vlan 10
port-isolate enable group 1
jumboframe enable 5000
#
return
Context
NOTICE
Debugging affects system performance. Therefore, after debugging, run the
undo debugging all command to disable it immediately.
Procedure
Step 1 Run the debugging l2if [ error | event | msg | updown ] command to enable the
debugging of link layer features.
----End
Networking Requirements
As shown in Figure 2-1, it is required that PC1 and PC2 cannot communicate with
each other, but they can communicate with PC3.
Configuration Roadmap
The configuration roadmap is as follows:
Enable port isolation on the ports connected to PC1 and PC2 respectively to
prevent PC1 and PC2 from communicating with each other.
Data Preparation
To complete the configuration, you need the following data:
Procedure
Step 1 Enable port isolation.
1. Enable port isolation on GigabitEthernet 0/0/1.
<Base> system-view
[Base] interface gigabitethernet 0/0/1
[Base-GigabitEthernet0/0/1] port-isolate enable
[Base-GigabitEthernet0/0/1] quit
----End
Configuration Files
Configuration file of the Switch
#
sysname Quidway
#
interface GigabitEthernet0/0/1
port-isolate enable group 1
#
interface GigabitEthernet0/0/2
port-isolate enable group 1
#
interface GigabitEthernet0/0/3
#
return
By setting up a link aggregation group between two devices, you can obtain
higher bandwidth and reliability. Link aggregation provides redundancy protection
for communication among devices without upgrading the hardware.
You must set up the Eth-Trunk and add an interface to the Eth-Trunk manually.
The Link Aggregation Control Protocol (LACP) is not used.
The manual load balancing mode is usually used when the peer device does not
support LACP.
The static LACP mode is also called the M:N mode. In this mode, links can
implement load balancing and redundancy at the same time. In a link aggregation
group, M links are active and they forward data in load balancing mode. N links
are inactive and they function as backup links. The backup links do not forward
data. When an active link fails, the backup link with the highest priority replaces
the failed link to forward data and its status changes to active.
In static LACP mode, some links function as backup links. In manual load
balancing mode, all member interfaces work in forwarding state to share the
traffic. This is the main difference between the two modes.
The CX91x series does not support the dynamic LACP mode.
Applicable Environment
When the bandwidth or reliability between two devices needs to be increased
and either of the two devices does not support LACP, create an Eth-Trunk in
manual load balancing mode on the Switches and add member interfaces to the
Eth-Trunk to increase the bandwidth and improve reliability.
As shown in Figure 2-3, Eth-Trunks are created between SwitchA and SwitchB.
Figure 2-3 Networking diagram for configuring link aggregation in load balancing
mode
Pre-configuration Tasks
Before configuring an Eth-Trunk in manual load balancing mode, complete the
following tasks:
Data Preparation
To configure an Eth-Trunk in manual load balancing mode, you need the following
data.
No. Data
Context
NOTE
Check whether the Eth-Trunk contains member interfaces before you configure the
operation mode of the Eth-Trunk. If the Eth-Trunk contains member interfaces, the mode of
the Eth-Trunk cannot be changed. To delete member interfaces from the Eth-Trunk, run the
undo eth-trunk trunk-id command in the interface view or run the undo trunkport
interface-type interface-number command in the Eth-Trunk view.
Procedure
Step 1 Run:
system-view
----End
Context
Do as follows on the CX91x series where you need to configure member interfaces
of an Eth-Trunk.
Procedure
● Configuration in the Eth-Trunk interface view
a. Run:
system-view
----End
Context
Do as follows on the CX91x series where the load balancing mode of Eth-Trunk
needs to be configured.
Procedure
Step 1 Run:
system-view
Step 2 Run:
interface eth-trunk trunk-id
Step 3 Run:
load-balance { dst-ip | dst-mac | src-ip | src-mac | src-dst-ip | src-dst-mac }
Member interfaces of an Eth-Trunk perform per-flow load balancing. The local end
and the remote end can use different load balancing modes, and the load
balancing mode on one end does not affect load balancing on the other end.
----End
Context
Do as follows on the CX91x series where you need to limit the number of active
interfaces.
Procedure
● Setting the upper threshold of the number of interfaces that determine
bandwidth of the Eth-Trunk
a. Run:
system-view
The upper threshold of the number of interfaces that determine the bandwidth of
the Eth-Trunk on the local CX91x series and that on the remote CX91x series can be
different. If the upper thresholds at the two ends are different, the smaller one is used.
● Setting the lower threshold of the number of active interfaces
a. Run:
system-view
In manual load balancing mode, you can determine the minimum number of
active interfaces in the Eth-Trunk by setting the lower threshold. If the
number of active interfaces is smaller than this value in manual load
balancing mode, the status of the Eth-Trunk becomes Down.
NOTE
The lower threshold of the number of active interfaces of the local CX91x series and
that of the remote CX91x series can be different. If the lower thresholds at two ends
are different, the larger one is used.
----End
Context
Do as follows on the CX91x series where you need to configure the load balancing
mode for unknown unicast traffic.
Procedure
Step 1 Run:
system-view
Step 2 Run:
unknown-unicast load-balance { dmac | smac | smacxordmac }
----End
Procedure
● Run the display trunkmembership eth-trunk trunk-id command to display
the member interfaces of the Eth-Trunk.
● Run the display eth-trunk trunk-id command to display the load balancing
status of the Eth-Trunk.
----End
Example
By running the display trunkmembership eth-trunk command, you can find that
the operation mode of the Eth-Trunk is Normal and you can see the number of
member interfaces, number of member interfaces in Up state, and information
about member interfaces.
<Base> display trunkmembership eth-trunk 1
Trunk ID: 1
used status: VALID
TYPE: ethernet
Working Mode : Normal
Working State: Normal
Number Of Ports in Trunk = 2
Number Of UP Ports in Trunk = 0
operate status: down
Run the display eth-trunk command to check the load balancing mode of the
Eth-Trunk. By default, the load balancing mode is displayed as "SA-XOR-DA" in the
output information.
<Base> display eth-trunk 1
Eth-Trunk1's state information is:
WorkingMode: NORMAL Hash arithmetic: According to SA-XOR-DA
Least Active-linknumber: 1 Max Bandwidth-affected-linknumber: 8
Operate status: down Number Of Up Port In Trunk: 0
--------------------------------------------------------------------------------
PortName Status Weight
GigabitEthernet0/0/1 Down 1
GigabitEthernet0/0/2 Down 1
Applicable Environment
To increase the bandwidth and improve the connection reliability, you can
configure a link aggregation group on two directly connected Switches. The
requirements are as follows:
● The links between two devices can implement redundancy backup. When a
fault occurs on some links, the backup links replace the faulty ones to keep
data transmission uninterrupted.
● The active links have the load balancing capability.
Pre-configuration Tasks
Before configuring an Eth-Trunk in static LACP mode, complete the following
tasks:
● Disabling BPDU processing on the Eth-Trunk
● Creating the Eth-Trunk
Data Preparation
To configure an Eth-Trunk in static LACP mode, you need the following data.
No. Data
Context
NOTE
● Check whether an Eth-Trunk contains member interfaces before you configure the
working mode of the Eth-Trunk. If the Eth-Trunk contains member interfaces, the
working mode of the Eth-Trunk cannot be changed. To delete member interfaces from
the Eth-Trunk, run the undo eth-trunk trunk-id command in the view of member
interfaces or run the undo trunkport interface-type interface-number command in the
Eth-Trunk interface view.
● In static LACP mode, the local and remote devices exchange LACPDUs to implement link
aggregation. Therefore, after setting the Eth-Trunk working mode to static LACP, run the
bpdu { disable | enable } command to enable the Eth-Trunk member interfaces to
process and send BPDUs.
To configure the Eth-Trunk in static LACP mode on the CX91x series, perform the
following steps:
Procedure
Step 1 Run:
system-view
Step 2 Run:
interface eth-trunk trunk-id
Step 3 Run:
mode lacp-static
If the Eth-Trunk working mode is set to static LACP on the local device, you must
set the Eth-Trunk working mode to static LACP on the remote device.
----End
Context
Do as follows on the CX91x series where you need to configure member interfaces
of an Eth-Trunk.
Procedure
● Configuration in the Eth-Trunk interface view
a. Run:
system-view
b. Run:
interface eth-trunk trunk-id
----End
Context
Do as follows on the CX91x series where you need to configure the Eth-Trunk load
balancing mode.
Procedure
Step 1 Run:
system-view
----End
Context
Do as follows on the CX91x series where you need to limit the number of active
interfaces.
Procedure
● Setting the upper threshold of the number of active interfaces
a. Run:
system-view
In static LACP mode, you can limit the maximum number (M) of active
interfaces in the Eth-Trunk by setting the upper threshold. The other member
interfaces function as backup.
If the upper threshold is not set, up to eight interfaces in the Eth-Trunk can be
active.
NOTE
● The upper threshold of the number of active interfaces should not be smaller than
the lower threshold of the number of active interfaces.
● The upper threshold of the number of active interfaces of the local CX91x series
and that of the remote CX91x series can be different. If the upper thresholds at
two ends are different, the smaller one is used.
● Setting the lower threshold of the number of active interfaces
a. Run:
system-view
In static LACP mode, you can determine the minimum number of active
interfaces in the Eth-Trunk by setting the lower threshold. If the number of
active interfaces is smaller than the value in static mode, the status of the
Eth-Trunk becomes Down.
NOTE
● The lower threshold of the number of active interfaces should not be larger than
the upper threshold of the number of active interfaces.
● The lower threshold of the number of active interfaces of the local CX91x series
and that of the remote CX91x series can be different. If the lower thresholds at two
ends are different, the larger one is used.
----End
Context
Do as follows on the CX91x series where you need to set the LACP priority of the
system.
Procedure
Step 1 Run:
system-view
Step 2 Run:
lacp priority priority
The smaller the LACP priority value of the system is, the higher the priority is. By
default, the LACP priority of the system is 32768.
The end with the smaller priority value functions as the Actor. If the two ends have
the same priority, the end with the smaller MAC address functions as the Actor.
----End
Context
Do as follows on the CX91x series where you need to set the LACP priority of
interfaces.
NOTE
You can set the LACP priority of an interface only when the interface is a member
interface of the Eth-Trunk.
Procedure
Step 1 Run:
system-view
Step 2 Run:
interface interface-type interface-number
Step 3 Run:
lacp priority priority
----End
2.2.4.8 (Optional) Enabling LACP Preemption and Setting the Delay for LACP Preemption
Context
Do as follows on the CX91x series where you need to enable LACP preemption
mode and set the delay for LACP preemption.
Procedure
Step 1 Run:
system-view
Step 2 Run:
interface eth-trunk trunk-id
Step 3 Run:
lacp preempt enable
Step 4 Run:
lacp preempt delay delay-time
Enabling the LACP preemption function ensures that the interface with the highest
LACP priority can be an active interface. For example, when an interface with the
highest priority becomes inactive due to a failure, and then recovers, the interface
can become an active interface if the LACP preemption function is enabled; if the
LACP preemption function is disabled, the interface cannot become an active
interface again.
The delay for LACP preemption refers to the period in which an inactive interface
of the Eth-Trunk in static LACP mode waits before it becomes active.
----End
2.2.4.9 (Optional) Setting the Timeout Interval for Receiving LACP Packets
Context
Do as follows on the CX91x series where you need to set the timeout interval for
receiving LACP packets.
Procedure
Step 1 Run:
system-view
The timeout interval for receiving LACP packets on the Eth-Trunk is set.
NOTE
● After the lacp timeout command is used, the local end informs the peer end of the
timeout interval through LACP packets. If the fast keyword is selected, the interval for
sending LACP packets is 1 second. If the slow keyword is selected, the interval for
sending LACP packets is 30 seconds.
● The timeout interval for receiving LACP packets is three times the interval for sending
LACP packets. That is, when the fast keyword is used, the timeout interval for receiving
LACP packets is 3s; when the slow keyword is used, the timeout interval for receiving
LACP packets is 90s.
● You can select different keywords on the two ends. To facilitate the maintenance,
however, it is recommended that you select the same keyword on both ends.
----End
Context
Do as follows on the CX91x series where you need to configure the load balancing
mode for unknown unicast traffic.
Procedure
Step 1 Run:
system-view
----End
Procedure
● Run the display trunkmembership eth-trunk trunk-id command to display
the member interfaces of the Eth-Trunk.
● Run the display eth-trunk [ trunk-id [interface interface-type interface-
number ] ] command to display information about the Eth-Trunk and
member interfaces.
----End
Example
By running the display trunkmembership eth-trunk command, you can find that
the operation mode of the Eth-Trunk is Static and you can see the number of
member interfaces, number of member interfaces in Up state, and information
about member interfaces.
<Base> display trunkmembership eth-trunk 1
Trunk ID: 1
used status: VALID
TYPE: ethernet
Working Mode : Static
Number Of Ports in Trunk = 3
Number Of UP Ports in Trunk = 0
operate status: down
Interface GigabitEthernet0/0/1, valid, operate down, weight=1
Interface GigabitEthernet0/0/2, valid, operate down, weight=1
Interface GigabitEthernet0/0/3, valid, operate down, weight=1
By running the display eth-trunk command, you can find that the operation
mode of the Eth-Trunk is STATIC.
<Base> display eth-trunk 1
Eth-Trunk1's state information is:
Local:
LAG ID: 1 WorkingMode: STATIC
Preempt Delay: Disabled Hash arithmetic: According to SIP-XOR-DIP
System Priority: 50 System ID: 000b-09d3-dc62
Least Active-linknumber: 1 Max Active-linknumber: 8
Operate status: down Number Of Up Port In Trunk: 0
--------------------------------------------------------------------------------
ActorPortName Status PortType PortPri PortNo PortKey PortState Weight
GigabitEthernet0/0/1 Unselect 1GE 10 1547 561 11100000 1
GigabitEthernet0/0/2 Unselect 1GE 32768 1548 561 11100010 1
GigabitEthernet0/0/3 Unselect 1GE 32768 1549 561 11100010 1
Partner:
--------------------------------------------------------------------------------
ActorPortName SysPri SystemID PortPri PortNo PortKey PortState
GigabitEthernet0/0/1 0 0000-0000-0000 0 0 0 11100000
GigabitEthernet0/0/2 0 0000-0000-0000 0 0 0 11100011
GigabitEthernet0/0/3 0 0000-0000-0000 0 0 0 11100011
Context
NOTICE
The statistics of LACP packets cannot be restored after you clear them. So, confirm
the action before you use the command.
Procedure
Step 1 Run the reset lacp statistics eth-trunk [ trunk-id ] command to clear statistics of
received and sent LACP packets.
----End
Context
During the daily maintenance, you can run the following commands in any view
to check the operation status of the link aggregation group.
Procedure
● Run the display eth-trunk [ trunk-id [ interface interface-type interface-
number ] ] command to display the status of the link aggregation group.
● Run the display lacp statistics eth-trunk [ trunk-id [ interface interface-type
interface-number ] ] command to display the statistics of sent and received
LACP packets.
● Run the display trunkmembership eth-trunk trunk-id command to display
the member interfaces of the Eth-Trunk.
----End
Networking Requirements
As shown in Figure 2-5, the Switch is connected to the BRAS (Broadband Remote
Access Server) through an Eth-Trunk. The link between the Switch and BRAS must
ensure high reliability.
Figure 2-5 Networking diagram for configuring link aggregation in manual load
balancing mode
Configuration Roadmap
The configuration roadmap is as follows:
1. Create an Eth-Trunk.
2. Add member interfaces to the Eth-Trunk.
Data Preparation
To complete the configuration, you need the following data:
● Number of the Eth-Trunk
● Types and numbers of the member interfaces in the Eth-Trunk
Procedure
Step 1 Create an Eth-Trunk.
# Create Eth-Trunk 1.
[Switch] interface eth-trunk 1
[Switch-Eth-Trunk1] bpdu enable
[Switch-Eth-Trunk1] quit
----End
Configuration Files
Configuration file of the Switch
#
sysname Switch
#
interface Eth-Trunk1
port link-type trunk
port trunk allow-pass vlan 100 to 200
#
interface GigabitEthernet0/0/3
eth-trunk 1
#
interface GigabitEthernet0/0/4
eth-trunk 1
#
return
Networking Requirements
To improve the bandwidth and the connection reliability, configure the link
aggregation group on two directly connected Switches, as shown in Figure 2-6.
The requirements are as follows:
● M active links share traffic in load balancing mode.
● N links between the two Switches serve as backup links. When a fault occurs on
an active link, a backup link replaces the faulty link so that data transmission
remains reliable.
Figure 2-6 Networking diagram for configuring link aggregation in static LACP
mode
Configuration Roadmap
The configuration roadmap is as follows:
1. Create an Eth-Trunk on the Switch and configure the Eth-Trunk to work in
static LACP mode.
2. Add member interfaces to the Eth-Trunk.
3. Set the system priority and determine the Actor.
4. Set the upper threshold of the active interfaces.
5. Set the priority of the interface and determine the active link.
Data Preparation
To complete the configuration, you need the following data:
● Numbers of the link aggregation groups on the Switches
● System priority of SwitchA
● Upper threshold of active interfaces
● LACP priority of the active interface
Procedure
Step 1 Create Eth-Trunk 1 and set the load balancing mode of the Eth-Trunk to static
LACP mode.
# Configure SwitchA.
<Base> system-view
[Base] sysname SwitchA
[SwitchA] interface eth-trunk 1
[SwitchA-Eth-Trunk1] bpdu enable
[SwitchA-Eth-Trunk1] mode lacp-static
[SwitchA-Eth-Trunk1] quit
# Configure SwitchB.
<Base> system-view
[Base] sysname SwitchB
[SwitchB] interface eth-trunk 1
[SwitchB-Eth-Trunk1] bpdu enable
[SwitchB-Eth-Trunk1] mode lacp-static
[SwitchB-Eth-Trunk1] quit
# Configure SwitchB.
[SwitchB] interface gigabitethernet 0/0/1
[SwitchB-GigabitEthernet0/0/1] bpdu disable
[SwitchB-GigabitEthernet0/0/1] eth-trunk 1
[SwitchB-GigabitEthernet0/0/1] quit
[SwitchB] interface gigabitethernet 0/0/2
[SwitchB-GigabitEthernet0/0/2] bpdu disable
[SwitchB-GigabitEthernet0/0/2] eth-trunk 1
[SwitchB-GigabitEthernet0/0/2] quit
[SwitchB] interface gigabitethernet 0/0/3
[SwitchB-GigabitEthernet0/0/3] bpdu disable
[SwitchB-GigabitEthernet0/0/3] eth-trunk 1
[SwitchB-GigabitEthernet0/0/3] quit
Step 3 Set the system priority on SwitchA to 100 so that SwitchA becomes the Actor.
[SwitchA] lacp priority 100
Step 4 Set the upper threshold M of active interfaces on SwitchA to 2.
[SwitchA] interface eth-trunk 1
[SwitchA-Eth-Trunk1] bpdu enable
[SwitchA-Eth-Trunk1] max active-linknumber 2
[SwitchA-Eth-Trunk1] quit
Step 5 Set the priority of the interface and determine active links on SwitchA.
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] bpdu disable
Partner:
------------------------------------------------------------------------------
PartnerPortName SysPri SystemID PortPri PortNo PortKey PortState
GigabitEthernet0/0/1 32768 00e0-fca6-7f85 32768 6145 2609 11111100
GigabitEthernet0/0/2 32768 00e0-fca6-7f85 32768 6146 2609 11111100
GigabitEthernet0/0/3 32768 00e0-fca6-7f85 32768 6147 2609 11110000
Partner:
------------------------------------------------------------------------------
PartnerPortName SysPri SystemID PortPri PortNo PortKey PortState
GigabitEthernet0/0/1 100 00e0-fca8-0417 100 6145 2865 11111100
GigabitEthernet0/0/2 100 00e0-fca8-0417 100 6146 2865 11111100
GigabitEthernet0/0/3 100 00e0-fca8-0417 32768 6147 2865 11110000
The preceding information shows that the system priority of SwitchA is 100 and it
is higher than the system priority of SwitchB. Member interfaces GE0/0/1 and
GE0/0/2 become the active interfaces and are in Selected state. Interface GE0/0/3
is in Unselect state. M active links work in load balancing mode and N links are
the backup links.
----End
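The Actor election and link selection described above, as an added example that models the page's static LACP scenario in Python (this is not Huawei code). It assumes the standard LACP rule that a numerically smaller priority wins and that the system ID breaks ties; the port numbers and system IDs are taken from the display eth-trunk output above.

```python
from dataclasses import dataclass, replace
from typing import List, Tuple


@dataclass(frozen=True)
class Port:
    name: str
    port_no: int
    port_pri: int = 32768   # "lacp priority" in the interface view; 32768 is the default
    up: bool = True


@dataclass(frozen=True)
class LacpSystem:
    name: str
    system_id: str           # MAC-format system ID shown by display eth-trunk
    system_pri: int = 32768  # "lacp priority" in the system view; 32768 is the default
    max_active: int = 8      # "max active-linknumber"; the page's output shows 8
    ports: Tuple[Port, ...] = ()


def choose_actor(a: LacpSystem, b: LacpSystem) -> LacpSystem:
    """The system whose (priority, system ID) pair is numerically smaller becomes
    the Actor; a smaller LACP priority value means a higher priority."""
    return a if (a.system_pri, a.system_id) <= (b.system_pri, b.system_id) else b


def select_links(actor: LacpSystem) -> Tuple[List[str], List[str]]:
    """Rank the Actor's Up ports by (port priority, port number) and keep the first
    max_active as Selected; every other port is Unselect (backup or Down)."""
    ranked = sorted((p for p in actor.ports if p.up),
                    key=lambda p: (p.port_pri, p.port_no))
    selected = [p.name for p in ranked[: actor.max_active]]
    unselect = [p.name for p in actor.ports if p.name not in selected]
    return selected, unselect


def negotiate(local: LacpSystem, peer: LacpSystem) -> Tuple[str, List[str], List[str]]:
    """Both ends follow the Actor's choice, so the Actor's port ranking decides
    which links carry traffic on both Switches."""
    actor = choose_actor(local, peer)
    selected, unselect = select_links(actor)
    return actor.name, selected, unselect


def with_port_down(system: LacpSystem, port_name: str) -> LacpSystem:
    """Simulate a link failure on one member interface."""
    ports = tuple(replace(p, up=False) if p.name == port_name else p
                  for p in system.ports)
    return replace(system, ports=ports)


# Constructed from the example: SwitchA has lacp priority 100, max active-linknumber 2,
# and lacp priority 100 on GE0/0/1 and GE0/0/2; SwitchB keeps all defaults.
SWITCH_A = LacpSystem("SwitchA", "00e0-fca8-0417", system_pri=100, max_active=2, ports=(
    Port("GigabitEthernet0/0/1", 6145, port_pri=100),
    Port("GigabitEthernet0/0/2", 6146, port_pri=100),
    Port("GigabitEthernet0/0/3", 6147),
))
SWITCH_B = LacpSystem("SwitchB", "00e0-fca6-7f85", ports=(
    Port("GigabitEthernet0/0/1", 6145),
    Port("GigabitEthernet0/0/2", 6146),
    Port("GigabitEthernet0/0/3", 6147),
))

if __name__ == "__main__":
    print(negotiate(SWITCH_A, SWITCH_B))
    # After GE0/0/1 on SwitchA fails, the backup link GE0/0/3 becomes Selected.
    print(negotiate(with_port_down(SWITCH_A, "GigabitEthernet0/0/1"), SWITCH_B))
```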
Configuration Files
● Configuration file of SwitchA
#
sysname SwitchA
#
lacp priority 100
#
interface Eth-Trunk1
mode lacp-static
max active-linknumber 2
bpdu enable
#
interface GigabitEthernet0/0/1
eth-trunk 1
lacp priority 100
#
interface GigabitEthernet0/0/2
eth-trunk 1
lacp priority 100
#
interface GigabitEthernet0/0/3
eth-trunk 1
#
return
● Configuration file of SwitchB
#
sysname SwitchB
#
interface Eth-Trunk1
mode lacp-static
bpdu enable
#
interface GigabitEthernet0/0/1
eth-trunk 1
#
interface GigabitEthernet0/0/2
eth-trunk 1
#
interface GigabitEthernet0/0/3
eth-trunk 1
#
return
Definition of a VLAN
A local area network (LAN) can be divided into several logical LANs. Each logical
LAN is a broadcast domain, which is called a virtual LAN (VLAN). That is, the
devices in a LAN are logically divided into different LAN segments, namely,
different VLANs, irrespective of their physical locations. In this manner, the
broadcast domains within a LAN are separated from each other.
Functions of a VLAN
In VLAN networking, the devices that need to communicate with each other are
added to a VLAN; the devices that do not need to communicate with each other
Port-based VLAN
The CX91x series supports port-based VLANs.
Ports on the CX91x series are classified into the following types:
● Access: An access port can join only one VLAN, namely, the default VLAN.
Access ports are usually connected to user devices.
● Trunk: A trunk port can join multiple VLANs and is usually connected to a
network device.
● Hybrid: A hybrid port can join multiple VLANs and can be connected to a
network device or a user device.
Table 2-2 describes how various ports process received packets depending on the
default VLAN ID.
Port Type | Untagged packet received | Tagged packet received | Packet sent
Access port | Accepts the packet and adds the default VLAN tag to the packet. | When the VLAN ID of the packet is the same as the default VLAN ID, the access port accepts the packet. When the VLAN ID of the packet is different from the default VLAN ID, the access port discards the packet. | Removes the tag from the packet and sends the packet.
VLAN Trunk
When a VLAN is configured on multiple switches, the interfaces on the switches
must be able to identify and forward the packets of different VLANs. The same
problem exists in packet transmission between a switch and a router that support
VLANs. A link that can identify and forward the packets of different VLANs is
called a trunk.
● Relay
A trunk can transmit the packets from a VLAN to a switch or router
transparently, thus expanding the VLAN.
● Transmission backbone
A trunk can transmit the packets of multiple VLANs.
The most popular protocol used by the trunk is IEEE 802.1Q, which identifies
VLANs through the VLAN tag.
The trunk refers to a point-to-point (P2P) link between two devices. The interfaces
on the trunk are called the trunk interfaces. One trunk can transmit data flows of
multiple VLANs to other devices.
Applicable Environment
Through a VLAN, hosts that do not need to communicate with each other are
isolated. The VLAN improves the security of the network, reduces broadcast traffic,
and suppresses broadcast storms.
Pre-configuration Tasks
None
Data Preparation
To create a VLAN, you need the following data.
No. Data
1 VLAN ID
Context
Do as follows on the CX91x series that need to be configured with VLANs.
Procedure
Step 1 Run:
system-view
----End
Context
Do as follows on the CX91x series that need to be configured with VLANs.
Procedure
Step 1 Run:
system-view
----End
Context
Do as follows on the CX91x series configured with VLANs.
Procedure
Step 1 Run:
system-view
Step 2 Run:
vlan vlan-id
----End
Context
Do as follows on the CX91x series that is configured with a VLAN.
Procedure
Step 1 Run:
system-view
----End
Procedure
Step 1 Run the display vlan [ vlan-id [ verbose | statistics ] ] command to display basic
information about a VLAN.
----End
Example
By running the display vlan command, you can display the created VLANs.
<Base> display vlan
* : management-vlan
---------------------
The total number of vlans is : 5
VLAN ID Type Status MAC Learning Broadcast/Multicast/Unicast Property
--------------------------------------------------------------------------------
1 common enable enable forward forward forward default
10 common enable enable forward forward forward default
20 common enable enable forward forward forward default
30 common enable enable forward forward forward default
100 common enable enable forward forward forward default
By running the display vlan vlan-id verbose command, you can check whether
the description of a VLAN is correct.
<Base> display vlan 10 verbose
* : management-vlan
---------------------
VLAN ID : 10
VLAN Type : Common
Description : VLAN 0010
Status : Enable
Broadcast : Enable
MAC learning : Enable
Statistics : Disable
Property : default
VLAN state : Down
----------------
Untagged Port: GigabitEthernet0/0/1
----------------
Tagged Port: GigabitEthernet0/0/2
----------------
Interface Physical
GigabitEthernet0/0/1 DOWN
GigabitEthernet0/0/2 DOWN
By running the display vlan vlan-id statistics command, you can view the traffic
statistics in a VLAN.
<Base> display vlan 20 statistics
Board: 0
VLAN: 20
----------------------------------------------------------------
Item Packets
----------------------------------------------------------------
Inbound: 0
Outbound: 0
Unkown-unicast: 0
Multicast: 0
Broadcast: 0
Drop: 0
Drop-percentage: 0%
----------------------------------------------------------------
Applicable Environment
You can configure VLANs based on interfaces. You can group the interfaces that
process the same service into a VLAN. In this manner, the interfaces that process
different services are isolated. For example, interface 1 and interface 2 connect to
broadband access users; interface 3 connects to users of video services. In this
case, interface 1 and interface 2 are grouped into a VLAN; interface 3 is added
into a different VLAN.
NOTE
Before changing the interface type, delete the VLAN configuration of the previous interface
type to restore the default VLAN configuration of the interface. That is, make the interface
belong to only VLAN 1.
Pre-configuration Tasks
Before adding interfaces to a VLAN, complete the following task:
● Creating a VLAN
Data Preparation
To add interfaces to a VLAN, you need the following data.
No. Data
2 VLAN ID
Context
You can add an access interface to the VLAN.
Procedure
● Adding an access interface to a VLAN in the VLAN view
a. Run:
system-view
The access interface is added to the VLAN, which becomes the default
VLAN of the interface.
● Adding an access interface to a VLAN in the interface view
a. Run:
system-view
Context
Do as follows on the CX91x series on which interfaces need to be added to a
VLAN.
Procedure
Step 1 Run:
system-view
----End
Context
Do as follows on the CX91x series on which interfaces need to be added to a
VLAN.
Procedure
Step 1 Run:
system-view
----End
Context
Do as follows on the CX91x series where you specify the default VLAN of a trunk
interface.
Procedure
Step 1 Run:
system-view
Step 2 Run:
interface interface-type interface-number
Step 3 Run:
port link-type trunk
Step 4 Run:
port trunk pvid vlan vlan-id
An interface is not added to the default VLAN after the default VLAN is specified.
To enable the interface to forward packets of the default VLAN, you must add the
interface to the default VLAN.
----End
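A configuration audit for the caveat in Step 4, as an added example in Python (not Huawei code): it parses interface blocks in the format of the configuration files on this page and reports trunk or hybrid interfaces whose PVID is not in the VLAN list that actually adds the interface to that VLAN. It assumes that the PVID defaults to 1, that VLAN 1 is allowed by default, that the default link type is hybrid, and that the same rule applies to hybrid interfaces via port hybrid untagged vlan; the sample configuration is constructed.

```python
from typing import Dict, List, Set


def parse_vlan_list(tokens: List[str]) -> Set[int]:
    """Expand a VLAN list as written after allow-pass/untagged, e.g.
    ['100', 'to', '200', '300'] -> {100, ..., 200, 300}."""
    vlans: Set[int] = set()
    i = 0
    while i < len(tokens):
        if i + 2 < len(tokens) and tokens[i + 1] == "to":
            vlans.update(range(int(tokens[i]), int(tokens[i + 2]) + 1))
            i += 3
        else:
            vlans.add(int(tokens[i]))
            i += 1
    return vlans


def parse_interfaces(config: str) -> Dict[str, List[str]]:
    """Collect the commands under each 'interface ...' block; a line holding only
    '#' (or 'return') closes the block, as in the configuration files on this page."""
    blocks: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        line = raw.strip()
        if line in ("#", "return"):
            current = None
        elif line.startswith("interface "):
            current = line.split(None, 1)[1]
            blocks[current] = []
        elif current is not None and line:
            blocks[current].append(line)
    return blocks


def audit_pvid(config: str) -> List[str]:
    """Report trunk/hybrid interfaces whose PVID is missing from the VLAN list that
    adds the interface to the VLAN (allow-pass for trunk, untagged for hybrid).
    Assumptions: PVID defaults to 1, VLAN 1 is a member by default, and an
    interface without 'port link-type' is hybrid."""
    findings: List[str] = []
    for name, cmds in parse_interfaces(config).items():
        link_type, pvid, member = "hybrid", 1, {1}
        for cmd in cmds:
            w = cmd.split()
            if w[:2] == ["port", "link-type"]:
                link_type = w[2]
            elif w[:3] in (["port", "trunk", "pvid"], ["port", "hybrid", "pvid"]):
                pvid = int(w[4])
            elif w[:3] == ["port", "trunk", "allow-pass"]:
                member |= parse_vlan_list(w[4:])
            elif w[:3] == ["port", "hybrid", "untagged"]:
                member |= parse_vlan_list(w[4:])
        if link_type in ("trunk", "hybrid") and pvid not in member:
            findings.append(f"{name}: {link_type} PVID {pvid} is not in its member VLANs "
                            f"{sorted(member)}; untagged frames on this port will be dropped")
    return findings


# Constructed sample in the format of this page's configuration files.
SAMPLE_CONFIG = """\
#
sysname Switch
#
interface Eth-Trunk1
 port link-type trunk
 port trunk pvid vlan 100
 port trunk allow-pass vlan 100 to 200
#
interface GigabitEthernet0/0/1
 port hybrid pvid vlan 2
 port hybrid untagged vlan 2
#
interface GigabitEthernet0/0/5
 port link-type trunk
 port trunk pvid vlan 300
 port trunk allow-pass vlan 100 to 200
#
interface GigabitEthernet0/0/6
 port link-type hybrid
 port hybrid pvid vlan 20
#
return
"""

if __name__ == "__main__":
    for finding in audit_pvid(SAMPLE_CONFIG):
        print(finding)
```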
Context
Do as follows on the CX91x series where you specify the default VLAN of a hybrid
interface.
Procedure
Step 1 Run:
system-view
Step 2 Run:
interface interface-type interface-number
Step 3 Run:
port link-type hybrid
Step 4 Run:
port hybrid pvid vlan vlan-id
----End
Procedure
● Run the display interface [ interface-type [ interface-number ] ] command to
display the VLAN where the interface is added.
● Run the display vlan [ vlan-id ] command to display basic information about
the VLAN.
----End
Example
By running the display interface [ interface-type [ interface-number ] ]
command, you can see that the PVID of GigabitEthernet 0/0/1 is 100.
<Base> display interface gigabitethernet 0/0/1
GigabitEthernet0/0/1 current state : UP
Line protocol current state : UP
Description:GigabitEthernet0/0/1 Interface
Switch Port,PVID : 100,The Maximum Frame Length is 9712
IP Sending Frames' Format is PKTFMT_ETHNT_2, Hardware address is 0025-9e80-2494
Port Mode: COMMON COPPER
Speed : 1000, Loopback: NONE
Duplex: FULL, Negotiation: ENABLE
Mdi : AUTO
Last 300 seconds input rate 64 bits/sec, 0 packets/sec
Last 300 seconds output rate 416 bits/sec, 0 packets/sec
Input peak rate 4920 bits/sec,Record time: 2010-08-06 04:40:19
Output peak rate 14568 bits/sec,Record time: 2010-08-06 04:40:19
Input: 75 packets, 15375 bytes
Unicast : 0,Multicast : 75
Broadcast : 0,Jumbo : 0
CRC : 0,Giants : 0
Jabbers : 0,Throttles : 0
Runts : 0,DropEvents : 0
Alignments : 0,Symbols : 0
Ignoreds : 0,Frames : 0
Discard : 0,Total Error : 0
Output: 223 packets, 97725 bytes
Unicast : 0,Multicast : 223
Broadcast : 0,Jumbo : 0
Collisions : 0,Deferreds : 0
Late Collisions: 0,ExcessiveCollisions: 0
Buffers Purged : 0
Discard : 0,Total Error : 0
Input bandwidth utilization threshold : 100.00%
Output bandwidth utilization threshold: 100.00%
Input bandwidth utilization : 0.00%
Output bandwidth utilization : 0.00%
By running the display vlan [ vlan-id ] command, you can see that
GigabitEthernet0/0/1 is added to VLAN 2.
<Base> display vlan 2
* : management-vlan
---------------------
VLAN ID Type Status MAC Learning Broadcast/Multicast/Unicast Property
----------------------------------------------------------
2 common enable enable forward forward forward default
----------------
Untagged Port: GigabitEthernet0/0/1
----------------
Interface Physical
GigabitEthernet0/0/1 UP
Applicable Environment
When the CX91x series needs to communicate with devices at the network layer,
you can create a logical interface based on the VLAN on the CX91x series, namely,
a VLANIF interface. You can assign IP addresses to VLANIF interfaces because
VLANIF interfaces work at the network layer. The CX91x series then communicates
with the devices at the network layer through VLANIF interfaces.
Pre-configuration Tasks
Before creating a VLANIF interface, complete the following task:
● Creating VLANs
Data Preparation
To create a VLANIF interface, you need the following data.
No. Data
1 VLAN ID
Context
Do as follows on the CX91x series where you need to configure the VLANIF
interface.
Procedure
Step 1 Run:
system-view
Step 2 Run:
interface vlanif vlan-id
The VLANIF interface is created and the VLANIF interface view is displayed.
NOTE
A VLANIF interface can be Up only when the corresponding VLAN contains physical
interfaces in Up state.
----End
Context
Do as follows on the CX91x series where you need to configure the VLANIF
interface.
Procedure
Step 1 Run:
system-view
Step 2 Run:
interface vlanif vlan-id
The VLANIF interface is created and the VLANIF interface view is displayed.
Step 3 Run:
ip address ip-address { mask | mask-length }
----End
Context
NOTE
● After changing the maximum transmission unit (MTU) by using the mtu command on a
specified interface, you need to restart the interface to make the new MTU take effect.
To restart the interface, run the shutdown command and then the undo shutdown
command, or run the restart command in the interface view.
● If you change the MTU of an interface, you need to change the MTU of the peer
interface to the same value by using the mtu command; otherwise, services may be
interrupted.
● To ensure availability of Layer 3 functions, set the MTU value of the VLANIF interface to
be smaller than the maximum length of frames on the physical interface in the
corresponding VLAN.
Procedure
Step 1 Run:
system-view
Step 2 Run:
interface vlanif vlan-id
Step 3 Run:
mtu mtu
The MTU of a VLANIF interface ranges from 128 to 9216, in bytes. The default
value is 1500.
NOTE
If the MTU is small and the packets are large, a packet is probably split into
many fragments and may then be discarded because the QoS queue is too short. To
avoid this situation, lengthen the QoS queue accordingly.
----End
Procedure
Step 1 Run the display interface vlanif [ vlan-id ] command to display basic information
about the VLANIF interface.
----End
Example
By running the display interface vlanif command, you can check whether the IP
address of a VLANIF interface is correct.
<Base> display interface vlanif
Vlanif5 current state : DOWN
Line protocol current state : DOWN
Description:Vlanif5 Interface
Route Port,The Maximum Transmit Unit is 1500
Internet protocol processing : disabled
IP Sending Frames' Format is PKTFMT_ETHNT_2, Hardware address is 0018-2000-0083
Last 300 seconds input rate 0 bits/sec, 0 packets/sec
Last 300 seconds output rate 0 bits/sec, 0 packets/sec
Input: 0 packets, 0 bytes
Output: 0 packets, 0 bytes
Applicable Environment
Generally, an access interface can be added to only customer VLANs but cannot be
added to management VLANs.
After a VLAN is configured as a management VLAN, interfaces added to the VLAN
must be trunk interfaces or hybrid interfaces. This improves security of devices.
Users usually log in to and manage the device through the VLANIF interface
corresponding to the management VLAN.
Pre-configuration Tasks
Before configuring a management VLAN, complete the following task:
● Creating a VLAN
Data Preparation
To configure a management VLAN, you need the following data.
No. Data
1 VLAN ID
Context
Do as follows on the CX91x series where you need to configure a management
VLAN.
Procedure
Step 1 Run:
system-view
----End
Procedure
Step 1 Run the display vlan command to check the configuration of the management
VLAN.
----End
Example
Run the display vlan command, and you can view the configuration of VLANs.
The VLAN marked with * is the management VLAN. For example:
<Base> display vlan
* : management-vlan
---------------------
The total number of vlans is : 20
VLAN ID Type Status MAC Learning Broadcast/Multicast/Unicast Property
--------------------------------------------------------------------------------
1 common enable enable forward forward forward default
93 common enable enable forward forward forward multicastVLAN
95 common enable enable forward forward forward userVLAN
100 super enable enable forward forward forward default
Context
NOTICE
The statistics on a VLAN cannot be restored after you clear them. So, confirm the
action before you use the command.
Before clearing the statistics on a VLAN, enable the statistics function in the VLAN.
Procedure
Step 1 Run the reset vlan statistics vlan-id command to clear statistics on a VLAN.
----End
● Dynamic entries are the MAC address entries generated after the CX91x series
automatically learns the source MAC addresses of the received packets. The
dynamic entries will be aged after a certain period.
● Static entries are the manually configured MAC address entries. The static
entries will not be aged.
● Blackhole entries are the manually configured MAC entries. They are used to
discard the data frames that have certain destination MAC addresses or
source MAC addresses. The blackhole entries will not be aged.
Applicable Environment
In the following situations, you need to configure static entries and blackhole
entries or adjust the aging time of the dynamic entries in the MAC table to meet
different requirements:
Pre-configuration Tasks
None
Data Preparation
To configure the MAC address table, you need the following data.
No. Data
Context
Do as follows on the CX91x series where you need to configure the MAC address
entries.
Procedure
Step 1 Run:
system-view
----End
Context
Do as follows on the CX91x series where you need to configure the MAC address
entries.
Procedure
Step 1 Run:
system-view
----End
2.4.3.4 (Optional) Setting the Aging Time of Dynamic MAC Address Entries
Context
Do as follows on the CX91x series where you need to configure the MAC address
entries.
Procedure
Step 1 Run:
system-view
----End
Context
Do as follows on the CX91x series.
Procedure
● Disabling MAC address learning in the interface view
a. Run:
system-view
system-view
Procedure
● Run the display mac-address command to view information about the MAC
address table.
● Run the display mac-address static [ vlan vlan-id ] command to view static
MAC address entries.
● Run the display mac-address dynamic [ interface-type interface-number |
vlan vlan-id ] command to view dynamic MAC address entries.
● Run the display mac-address blackhole [ vlan vlan-id ] command to view
blackhole MAC address entries.
● Run the display mac-address aging-time command to view the aging time
of dynamic MAC address entries.
● Run the display mac-address summary command to view the statistics
about MAC address entries.
----End
Example
Run the display mac-address command, and you can view the destination MAC
addresses, outgoing interface numbers, VLAN IDs of outgoing interfaces, and
VLAN IDs of incoming interfaces of all MAC address entries.
<Base> display mac-address
MAC address table of slot 0:
-------------------------------------------------------------------------------
MAC Address VLAN/ PEVLAN CEVLAN Port Type LSP/LSR-ID
VSI/SI MAC-Tunnel
-------------------------------------------------------------------------------
00e0-1234-5678 100 - - - blackhole -
00e0-1111-2222 100 - - GE0/0/1 static -
-------------------------------------------------------------------------------
Total matching items on slot 0 displayed = 2
Run the display mac-address static command, and you can view the destination
MAC addresses, outgoing interface numbers, VLAN IDs of outgoing interfaces, and
VLAN IDs of incoming interfaces of static MAC address entries.
-------------------------------------------------------------------------------
Total matching items on slot 0 displayed = 1
Run the display mac-address dynamic command, and you can view the
destination MAC addresses, outgoing interface numbers, VLAN IDs of outgoing
interfaces, and VLAN IDs of incoming interfaces of dynamic MAC address entries.
<Base> display mac-address dynamic
MAC address table:
-------------------------------------------------------------------------------
MAC Address VLAN/ PEVLAN CEVLAN Port Type LSP/LSR-ID
VSI/SI MAC-Tunnel
-------------------------------------------------------------------------------
-------------------------------------------------------------------------------
Total matching items displayed = 0
Run the display mac-address blackhole command, and you can view the
destination MAC addresses, outgoing interface numbers, VLAN IDs of outgoing
interfaces, and VLAN IDs of incoming interfaces of blackhole MAC address entries.
<Base> display mac-address blackhole
MAC address table of slot 0:
-------------------------------------------------------------------------------
MAC Address VLAN/ PEVLAN CEVLAN Port Type LSP/LSR-ID
VSI/SI MAC-Tunnel
-------------------------------------------------------------------------------
00e0-1234-5678 100 - - - blackhole -
-------------------------------------------------------------------------------
Total matching items on slot 0 displayed = 1
Run the display mac-address aging-time command, and you can view the aging
time of dynamic MAC address entries.
<Base> display mac-address aging-time
Aging-time: 300 seconds
Run the display mac-address summary command, and you can view the statistics
about MAC address entries.
<Base> display mac-address summary
--------------------------------------------------------
Slot Total Blackhole Static Dynamic
--------------------------------------------------------
0 9 0 4 5
--------------------------------------------------------
Applicable Environment
The port security function can prevent hosts with untrusted MAC addresses from
communicating with the CX91x series through an interface. This function is
applicable to the networks that require high access security.
Pre-configuration Tasks
Before configuring port security, complete the following task:
● Disabling MAC address limiting on the interface
Data Preparation
To configure port security, you need the following data.
No. Data
Procedure
● Run the display current-configuration interface interface-type interface-
number command to check the configuration of an interface.
● Run the display mac-address command to check the secure dynamic MAC
address entries and sticky MAC address entries.
----End
Example
Run the display mac-address command, and you can view the secure dynamic
MAC address entries and sticky MAC address entries.
<Base> display mac-address sticky
MAC address table of slot 0:
-------------------------------------------------------------------------------
MAC Address VLAN/ PEVLAN CEVLAN Port Type LSP/LSR-ID
VSI/SI MAC-Tunnel
-------------------------------------------------------------------------------
0018-2000-0083 15 - - GE0/0/1 sticky -
-------------------------------------------------------------------------------
Total matching items on slot 0 displayed = 1
Context
NOTICE
Debugging affects the performance of the system. So, after debugging, run the
undo debugging all command to disable it immediately.
When the MAC address table runs abnormally, run the following debugging
command in the user view to debug the MAC address table, view the debugging
information, and locate and analyze the fault.
Procedure
Step 1 Run the debugging ethernet packet mac { dest_mac mac-address | src_mac
mac-address } command to debug the Ethernet packets with the specified source
MAC address or destination address.
----End
Networking Requirements
As shown in Figure 2-7, the MAC address of the user host PC1 is 0002-0002-0002
and the MAC address of the user host PC2 is 0003-0003-0003. PC1 and PC2 are
connected to the Switch through the LSW. The LSW is connected to
GigabitEthernet0/0/1 of the Switch. Interface GigabitEthernet0/0/1 belongs to
VLAN 2. The MAC address of the server is 0004-0004-0004. The server is
connected to GigabitEthernet0/0/2 of the Switch. Interface GigabitEthernet0/0/2
belongs to VLAN 2.
● To prevent attacks that rely on forged MAC addresses, add a static entry to
the MAC address table of the Switch for each user host. When sending packets
through GigabitEthernet0/0/1, the Switch changes the VLAN ID to VLAN 4, to which
the LSW belongs. In addition, set the aging time of the dynamic entries in the
MAC address table to 500 seconds.
● To prevent the MAC address of the server from being forged in order to steal
user information, configure packet forwarding based on static MAC address
entries on the Switch.
Figure 2-7 Networking diagram for configuring the MAC address table
Configuration Roadmap
The configuration roadmap is as follows:
1. Create a VLAN and add interfaces to the VLAN.
2. Add static MAC address entries.
3. Set the aging time of dynamic MAC address entries.
Data Preparation
To complete the configuration, you need the following data:
● MAC address of PC1: 0002-0002-0002
● MAC address of PC2: 0003-0003-0003
● MAC address of the server: 0004-0004-0004
● VLAN to which the Switch belongs: VLAN 2
● Interface connecting the Switch to the LSW: GigabitEthernet 0/0/1
● Interface connecting the Switch to the server: GigabitEthernet 0/0/2
● Aging time of dynamic entries in the MAC address table of the Switch: 500
seconds
Procedure
Step 1 Add static MAC address entries.
# Create VLAN 2 and add GigabitEthernet0/0/1 and GigabitEthernet0/0/2 to VLAN 2.
<Base> system-view
[Base] vlan 2
[Base-vlan2] quit
[Base] interface gigabitethernet 0/0/1
[Base-GigabitEthernet0/0/1] port hybrid pvid vlan 2
[Base-GigabitEthernet0/0/1] port hybrid untagged vlan 2
[Base-GigabitEthernet0/0/1] quit
[Base] interface gigabitethernet 0/0/2
[Base-GigabitEthernet0/0/2] port hybrid pvid vlan 2
[Base-GigabitEthernet0/0/2] port hybrid untagged vlan 2
[Base-GigabitEthernet0/0/2] quit
-------------------------------------------------------------------------------
Total matching items displayed = 3
# Run the display mac-address aging-time command in any view. You can check
whether the aging time of dynamic entries is set successfully.
[Base] display mac-address aging-time
Aging time: 500 seconds
----End
Configuration Files
The following lists the configuration file of the Switch.
#
sysname Base
#
vlan batch 2
#
mac-address aging-time 500
#
interface GigabitEthernet0/0/1
port hybrid pvid vlan 2
port hybrid untagged vlan 2
#
interface GigabitEthernet0/0/2
port hybrid pvid vlan 2
port hybrid untagged vlan 2
#
mac-address static 0002-0002-0002 GigabitEthernet0/0/1 vlan 2
mac-address static 0003-0003-0003 GigabitEthernet0/0/1 vlan 2
mac-address static 0004-0004-0004 GigabitEthernet0/0/2 vlan 2
#
return
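A Python model of the MAC address table built in this example, with the dynamic, static and blackhole entry types described in this section; this is an added example, not Huawei code. It assumes that a frame whose source MAC is bound by a static entry to a different interface is discarded (the protection the example relies on) and uses an explicit clock so that the 500-second aging time can be exercised offline; the blackhole address is constructed from the display output above.

```python
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class MacEntry:
    kind: str                # "dynamic", "static" or "blackhole"
    port: Optional[str]      # outgoing interface; None for blackhole entries
    learned_at: float = 0.0  # only meaningful for dynamic entries


class MacTable:
    """MAC address table of one VLAN with the three entry types from this section."""

    def __init__(self, aging_time: int = 300):
        self.aging_time = aging_time  # seconds; "mac-address aging-time" (default 300)
        self.entries: Dict[str, MacEntry] = {}

    def add_static(self, mac: str, port: str) -> None:
        self.entries[mac] = MacEntry("static", port)

    def add_blackhole(self, mac: str) -> None:
        self.entries[mac] = MacEntry("blackhole", None)

    def age(self, now: float) -> int:
        """Remove dynamic entries older than the aging time; static and blackhole
        entries are never aged. Returns the number of entries removed."""
        expired = [m for m, e in self.entries.items()
                   if e.kind == "dynamic" and now - e.learned_at >= self.aging_time]
        for m in expired:
            del self.entries[m]
        return len(expired)

    def forward(self, src_mac: str, dst_mac: str, in_port: str, now: float) -> str:
        """Decide what happens to a frame: 'drop', 'flood' (unknown unicast) or the
        name of the outgoing interface. Learns the source MAC as a side effect."""
        self.age(now)
        src = self.entries.get(src_mac)
        dst = self.entries.get(dst_mac)
        # Blackhole entries discard frames by source or by destination MAC.
        if (src and src.kind == "blackhole") or (dst and dst.kind == "blackhole"):
            return "drop"
        # Assumption: a source MAC bound by a static entry to another interface
        # is treated as forged and the frame is discarded.
        if src and src.kind == "static" and src.port != in_port:
            return "drop"
        # Dynamic learning: create or refresh the entry for an unbound source MAC.
        if src is None or src.kind == "dynamic":
            self.entries[src_mac] = MacEntry("dynamic", in_port, now)
        if dst is None:
            return "flood"
        return dst.port

    def summary(self) -> Dict[str, int]:
        """Per-type counts in the style of display mac-address summary."""
        counts = {"static": 0, "dynamic": 0, "blackhole": 0}
        for e in self.entries.values():
            counts[e.kind] += 1
        return counts


def build_example_table() -> MacTable:
    """Table for VLAN 2 from the configuration example above (aging time 500 s)."""
    t = MacTable(aging_time=500)
    t.add_static("0002-0002-0002", "GigabitEthernet0/0/1")  # PC1
    t.add_static("0003-0003-0003", "GigabitEthernet0/0/1")  # PC2
    t.add_static("0004-0004-0004", "GigabitEthernet0/0/2")  # server
    t.add_blackhole("00e0-1234-5678")  # constructed, as in the display output above
    return t


if __name__ == "__main__":
    table = build_example_table()
    print(table.forward("0002-0002-0002", "0004-0004-0004", "GigabitEthernet0/0/1", 0))
    # Server MAC arriving on the user-facing port: discarded by the static binding.
    print(table.forward("0004-0004-0004", "0002-0002-0002", "GigabitEthernet0/0/1", 0))
    print(table.summary())
```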
ARP
ARP is classified into the following types: dynamic ARP and static ARP.
● Static ARP means the mapping between manually configured IP addresses
and MAC addresses.
● Dynamic ARP means that the ARP mapping table is dynamically maintained
by the ARP protocol.
Applicable Environment
On the CX91x series, dynamic ARP does not need to be enabled; however, you can
change certain parameters of dynamic ARP entries.
● When you need to forward the packets destined for other network segments
through a gateway of the local network segment.
● When you need to filter out certain packets with invalid destination IP
addresses and bind these invalid addresses to a nonexistent MAC address.
Pre-configuration Tasks
Before configuring ARP, complete the following tasks:
Data Preparation
To configure static ARP, you need the following data.
No. Data
No. Data
Context
Do as follows on the CX91x series.
Procedure
Step 1 Run:
system-view
NOTE
Static ARP entries remain valid as long as the CX91x series is running normally.
The CX91x series does not support VPN.
----End
Context
Do as follows on the CX91x series.
Procedure
Step 1 Run:
system-view
The number of detection times before deleting dynamic ARP entries is set.
Step 4 Run:
arp expire-time expire-time
----End
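The two ARP entry types behave differently under aging: a dynamic entry is probed after expire-time and removed after detect-times unanswered probes, while a static entry is never aged out. The following model illustrates that difference; it is an added example, not CX91x code, and the probe semantics (one probe per aging pass once expire-time has elapsed, deletion after detect-times unanswered probes, static entries never displaced by learned ones) are an assumption made for the illustration. The LSW MAC address used in the demo is a constructed value.

```python
"""Dynamic ARP aging with expire-time and detect-times, next to a static entry.

Added example, not the CX91x implementation. Assumed semantics (labelled):
once expire-time has passed without the entry being refreshed, each aging
pass probes the host once; after detect-times unanswered probes the entry
is deleted. Static entries are never probed or aged out, and a static
mapping is not overwritten by a learned one."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass
class ArpEntry:
    ip: str
    mac: str
    static: bool = False
    last_refresh: float = 0.0   # time the entry was last learned or confirmed
    probes_sent: int = 0        # unanswered probes since expire-time elapsed


class ArpTable:
    def __init__(self, expire_time: int = 1200, detect_times: int = 3) -> None:
        # expire_time: seconds before an idle dynamic entry is probed
        # detect_times: unanswered probes tolerated before deletion
        self.expire_time = expire_time
        self.detect_times = detect_times
        self.entries: Dict[str, ArpEntry] = {}

    def add_static(self, ip: str, mac: str) -> None:
        self.entries[ip] = ArpEntry(ip, mac, static=True)

    def learn(self, ip: str, mac: str, now: float) -> bool:
        """Install or refresh a dynamic entry; refuse to displace a static one."""
        existing = self.entries.get(ip)
        if existing is not None and existing.static:
            return False
        self.entries[ip] = ArpEntry(ip, mac, last_refresh=now)
        return True

    def age(self, now: float, reachable: Callable[[str], bool]) -> List[str]:
        """One aging pass at time `now`; `reachable(ip)` stands in for the
        probe reply. Returns the IPs whose entries were deleted."""
        deleted: List[str] = []
        for ip, entry in list(self.entries.items()):
            if entry.static or now - entry.last_refresh < self.expire_time:
                continue
            if reachable(ip):            # probe answered: entry confirmed
                entry.last_refresh, entry.probes_sent = now, 0
                continue
            entry.probes_sent += 1
            if entry.probes_sent >= self.detect_times:
                del self.entries[ip]
                deleted.append(ip)
        return deleted


def demo() -> Tuple[List[str], List[str], List[str], List[str]]:
    """Values from the static ARP example in this guide: expire-time 60,
    detect-times 2, static entry for the router at 10.2.2.3, dynamic entry
    for the LSW at 2.2.2.1 (the LSW MAC is a constructed value)."""
    table = ArpTable(expire_time=60, detect_times=2)
    table.add_static("10.2.2.3", "00e0-fc01-0000")
    table.learn("2.2.2.1", "0001-0001-0001", now=0)
    table.learn("10.2.2.3", "0002-0002-0002", now=0)   # rejected: static wins
    silent = lambda ip: False                           # nobody answers probes
    first = table.age(now=30, reachable=silent)    # not yet expired
    second = table.age(now=60, reachable=silent)   # expired, probe 1 of 2
    third = table.age(now=61, reachable=silent)    # probe 2 of 2: deleted
    return first, second, third, sorted(table.entries)
```

Running `demo()` shows the dynamic LSW entry disappearing after the second unanswered probe while the static router entry survives, which is exactly why the static entry is used for the server-side gateway in the configuration example later in this chapter.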
Procedure
● Run the display arp [ all ] command to check all the ARP mapping tables,
including static and dynamic ARP entries.
● Run the display arp dynamic command to check the dynamic ARP mapping
table.
Context
NOTICE
Running the reset arp command deletes the mappings between IP addresses and
MAC addresses; as a result, you may be unable to reach certain nodes. Confirm the
action before you run the command.
Procedure
Step 1 Run the reset arp { all | dynamic | interface interface-type interface-number |
packet statistics | static } command in the user view to clear ARP entries in the
ARP mapping table.
----End
Context
In routine maintenance, you can run the following command in any view to view
the running status of ARP.
Procedure
● Run the display arp [ all ] command to check all the ARP mapping tables,
including static and dynamic ARP entries.
● Run the display arp dynamic command to check the dynamic ARP mapping
table.
● Run the display arp interface interface-type interface-number command to
check the ARP mapping table on a specified interface.
----End
Context
NOTICE
Debugging affects system performance. After debugging, run the undo debugging
all command to disable it immediately.
When an ARP fault occurs, run the debugging command in the user view to locate
the fault.
Procedure
● Run the debugging arp packet [ interface interface-type interface-number ]
command to debug ARP.
----End
Networking Requirements
As shown in Figure 2-8, GigabitEthernet 0/0/1 of the Switch is connected to the
host through the LAN switch (LSW); GigabitEthernet 0/0/2 is connected to the
server through the router. It is required that:
● GigabitEthernet 0/0/1 should be added to VLAN 2, and GigabitEthernet 0/0/2
should be added to VLAN 3.
● To adapt to fast changes of the network and ensure correct forwarding of
packets, dynamic ARP parameters should be set on VLANIF 2 of the Switch.
● To ensure the security of the server and prevent invalid ARP packets, a static
ARP entry should be created on GigabitEthernet 0/0/2 of the Switch, with the
IP address of the router being 10.2.2.3 and the MAC address being 00e0-fc01-0000.
Configuration Roadmap
The configuration roadmap is as follows:
1. Create a VLAN and add an interface to the VLAN.
2. Set dynamic ARP parameters on a VLANIF interface at the user side.
3. Create a static ARP entry.
Data Preparation
To complete the configuration, you need the following data:
● GigabitEthernet 0/0/1 added to VLAN 2 and GigabitEthernet 0/0/2 added to
VLAN 3
● VLANIF 2 with the IP address being 2.2.2.2 and subnet mask being
255.255.255.0, aging time of ARP entries being 60s, and number of detection
times being 2
● LSW with the IP address being 2.2.2.1 and subnet mask being 255.255.255.0
● Interface connecting the router and the Switch, with the IP address being
10.2.2.3, subnet mask being 255.255.255.0, and MAC address being 00e0-fc01-0000
Procedure
Step 1 Create a VLAN and add an interface to the VLAN.
# Create VLANIF 2.
[Base] interface vlanif 2
# Create VLANIF 3.
[Base] interface vlanif 3
# Create a static ARP entry with IP address 10.2.2.3, MAC address 00e0-fc01-0000,
VLAN ID 3, and outgoing interface GigabitEthernet0/0/2.
[Base] arp static 10.2.2.3 00e0-fc01-0000 vid 3 interface gigabitethernet 0/0/2
[Base] quit
# Run the display current-configuration command. You can view the aging time
of ARP entries, the number of detection times before deleting ARP entries, and the
ARP mapping table.
<Base> display current-configuration | include arp
arp expire-time 60
arp detect-times 2
arp static 10.2.2.3 00e0-fc01-0000 vid 3 interface GigabitEthernet0/0/2
----End
Configuration Files
The following is the configuration file of the Switch.
#
sysname Base
#
vlan batch 2 to 3
#
interface Vlanif2
ip address 2.2.2.2 255.255.255.0
arp expire-time 60
arp detect-times 2
#
interface Vlanif3
ip address 10.2.2.2 255.255.255.0
#
interface GigabitEthernet 0/0/1
port hybrid tagged vlan 2
#
interface GigabitEthernet 0/0/2
port hybrid tagged vlan 3
#
arp static 10.2.2.3 00e0-fc01-0000 vid 3 interface GigabitEthernet0/0/2
#
return
● Host A and Host B belong to VLAN 2. The link between SwitchB and SwitchE
is blocked and the link between SwitchC and SwitchF does not permit packets
from VLAN 2 to pass through. Therefore, Host A and Host B cannot
communicate with each other.
MSTP
The IEEE 802.1s standard, issued in 2002, defines MSTP.
MSTP is compatible with STP and RSTP and rectifies the defects of STP and RSTP.
An MSTP network converges fast and provides redundant paths for data
forwarding. In addition, the MSTP network implements load balancing among
VLANs.
MSTP divides a switching network into multiple regions, each of which has
multiple spanning trees independent of each other. Each spanning tree is called a
multiple spanning tree instance (MSTI) and each region is called a multiple
spanning tree (MST) region.
MSTP associates VLANs with MSTIs through a VLAN mapping table.
NOTE
Each VLAN can be associated with only one MSTI, that is, data of the same VLAN can be
transmitted in only one MSTI. One MSTI, however, may be associated with multiple VLANs.
When MSTP is applied to the LAN shown in Figure 2-10, the MSTIs shown in
Figure 2-10 are generated.
Concepts of MSTP
As shown in Figure 2-11, four MST regions are located in a LAN. Each region
consists of four switches. The concepts of MSTP are clarified based on Figure 2-11.
● MST region
An MST region consists of several switches in the LAN and the network
segments between the switches. A LAN can comprise several directly or
indirectly connected MST regions. You can group several switches into an MST
region by using MSTP configuration commands. In Figure 2-11, the LAN
comprises four MST regions, namely, A0, B0, C0, and D0.
● MSTI
Multiple spanning trees can be generated in an MST region. Each spanning
tree is independent of the others and is associated with VLANs through the
VLAN mapping table. Such a spanning tree is called an MSTI. In Figure 2-12, the
MST region D0 has three MSTIs: MSTI0, MSTI1 and MSTI2.
● CST
The common spanning tree (CST) is a single spanning tree that connects all
MST regions on a switching network. If each MST region is considered as a
switch, the CST is a spanning tree generated by STP and RSTP calculation. In
Figure 2-11, the dotted line indicates the CST.
Port Roles
● Root Port
On a non-root switch, the port nearest to the root switch is the root port of
the switch. A root switch does not have a root port.
The root port forwards data to the tree root.
In Figure 2-13, SwitchA is the root switch; CP1 is the root port of SwitchC;
BP1 is the root port of SwitchB.
Figure 2-13 Root port, designated port, alternate port and backup port
● Designated Port
The designated port of a switch is the port on the upstream switch that
forwards the Bridge Protocol Data Unit (BPDU) to the local switch.
The designated port forwards data to the downstream network segment or
switch.
In Figure 2-13, AP2 and AP3 are the designated ports of SwitchA, and CP2 is
the designated port of SwitchC.
● Edge Port
An edge port is the port located at the edge of a region and is not connected
to any switch.
Generally, an edge port is directly connected to the user terminals.
● Alternate Port
In terms of BPDU exchange, an alternate port is a port that is blocked after
receiving BPDUs sent by other switches. In terms of traffic forwarding, an
alternate port provides a backup path from the designated switch to the root
switch.
An alternate port is the backup of a root port. If the root port is blocked,
the alternate port becomes the root port.
In Figure 2-13, BP2 is the alternate port.
● Backup Port
When two ports of the same switch are connected to each other, a loop is
formed and the switch blocks one of them. The blocked port is the backup port.
In Figure 2-13, CP3 is the backup port.
In terms of BPDU exchange, a backup port is a port that is blocked after
receiving a BPDU sent by its own switch. In terms of traffic forwarding, a
backup port is the backup of a designated port and provides a backup path from
the root switch to the leaf node.
● Master Port
A master port is the port that connects an MST region to the CIST root along
the shortest of all paths between the region and the CIST root. As shown in
Figure 2-14, SwitchA, SwitchB, SwitchC, SwitchD and the links between them form
an MST region. Port AP1 on SwitchA has the lowest path cost to the CIST root
among all ports in the MST region; therefore, AP1 is the master port of the MST
region.
MSTP Protection
● BPDU protection
On a switch, a port that is directly connected to a user terminal such as a
PC or a file server is configured as an edge port to ensure fast transition of
the port status.
Normally, an edge port does not receive any BPDU. If an edge port receives
forged BPDUs sent by an attacker, the switch changes the edge port to a
non-edge port and recalculates the spanning tree, which causes network
flapping.
MSTP provides BPDU protection to prevent such attacks. After BPDU protection
is enabled, the switch shuts down an edge port that receives BPDUs and informs
the network management system. The edge port can only be re-enabled manually
by the network administrator.
● Root protection
If the root switch on a network is incorrectly configured or attacked, it may
receive a BPDU with a higher priority. The root switch then becomes a non-root
switch, which changes the network topology. In this case, traffic that was
carried on a high-speed link may be switched to a low-speed link, causing
network congestion.
To prevent this problem, the Switch provides root protection. With root
protection, the Switch keeps the designated port role to protect its position
as the root switch. After root protection is enabled on a port, the port
retains the role of the designated port in all instances.
When the port receives a BPDU with a higher priority, the port stops
forwarding packets and enters the listening state, but it remains a designated
port. If the port does not receive any BPDU with a higher priority within a
certain period, it is restored to the forwarding state.
● Loop protection
A switch determines the root port and blocked ports according to the BPDUs
received from the upstream switch. If these ports cannot receive any BPDU
from the upstream switch because of link congestion or link failure, the
switch selects a new root port. Then the previous root port becomes a
designated port and the blocked ports turn to the forwarding state. This may
cause network loops.
The Switch provides loop protection to prevent network loops. After loop
protection is enabled, the root port is blocked if it does not receive any BPDU
from the upstream switch. The blocked ports are still blocked and cannot
forward packets. Thus, network loops will not be generated.
● TC protection
After receiving TC-BPDUs, a switch deletes MAC address entries and ARP
entries. If a malicious attacker sends pseudo TC-BPDUs to attack the switch,
the switch will receive a large number of TC-BPDUs within a short time
period, and delete its MAC entries and ARP entries frequently. As a result, the
switch is heavily burdened, threatening the network stability.
After enabling TC-BPDU attack defense, you can set the number of times TC-
BPDUs are processed by the CX91x series within a given time period (the
default time period is 2s, and the default number of times is 3). If the number
of TC-BPDUs that the CX91x series receives within the given time exceeds the
specified threshold, the CX91x series processes TC-BPDUs only for the
specified number of times. After the timer expires, the CX91x series processes
the remaining TC-BPDUs together. In this way, the switch is prevented from
frequently deleting its MAC entries and ARP entries, and thus is protected
from being over-burdened.
Applicable Environment
You need to perform this configuration task when you want to:
● Add a CX91x series that does not run MSTP to an MST region.
● Change the MST region attributes of a CX91x series running MSTP, that is,
move it to another MST region.
Pre-configuration Tasks
Before adding a CX91x series to a specified MST region, complete the following
tasks:
● Configuring physical attributes of the ports
● Configuring VLAN features of the ports
NOTE
After a hybrid interface is added to the default VLAN in tagged mode, SEP packets
sent by the interface contain VLAN tags. In this case, configure the peer interface to
allow packets of the default VLAN to pass.
Data Preparation
To add a CX91x series to a specified MST region, you need the following data.
No. Data
Context
Do as follows on the CX91x series that needs to be added to the MST region.
Procedure
Step 1 Run:
system-view
----End
Context
NOTICE
Two switches belong to the same MST region when they have the same:
● Name of the MST region
● Mapping between VLANs and MSTIs
● Revision level of the MST region
Do as follows on the CX91x series that needs to be added to the MST region.
Procedure
Step 1 Run:
system-view
In the command, vlan-mapping modulo indicates that the formula (VLAN ID - 1) %
modulo + 1 is used, where (VLAN ID - 1) % modulo is the remainder of (VLAN ID - 1)
divided by the value of modulo. The formula maps each VLAN to an MSTI: the result
of the formula is the ID of the MSTI to which the VLAN is mapped.
Step 5 Run:
revision-level level
----End
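The modulo formula and the three region attributes listed in the NOTICE above (region name, VLAN-to-MSTI mapping, revision level) are the whole of what decides whether two switches end up in the same MST region. The following is an added example, not Huawei code: it applies the formula, builds the mapping table that explicit instance ranges produce (unmapped VLANs stay in MSTI 0, the CIST), and compares two region configurations attribute by attribute. The comparison of the mapping table as a plain dictionary is a simplification; MSTP itself compares a digest of that table, which gives the same answer for the purposes of this check.

```python
"""VLAN-to-MSTI mapping and the MST region identity check.

Added example, not Huawei code. It applies the guide's formula for
vlan-mapping modulo, builds the table that explicit instance ranges
produce (unmapped VLANs stay in MSTI 0), and checks the three attributes
the NOTICE lists: region name, VLAN mapping, revision level."""
from dataclasses import dataclass, field
from typing import Dict, Iterable, Tuple

MAX_VLAN = 4094


def vlan_to_msti(vlan_id: int, modulo: int) -> int:
    """MSTI = (VLAN ID - 1) % modulo + 1, as stated for vlan-mapping modulo."""
    if not 1 <= vlan_id <= MAX_VLAN:
        raise ValueError(f"VLAN ID out of range: {vlan_id}")
    if modulo < 1:
        raise ValueError("modulo must be at least 1")
    return (vlan_id - 1) % modulo + 1


def modulo_table(modulo: int,
                 vlans: Iterable[int] = range(1, MAX_VLAN + 1)) -> Dict[int, int]:
    """Full mapping table produced by vlan-mapping modulo."""
    return {v: vlan_to_msti(v, modulo) for v in vlans}


def range_table(ranges: Dict[int, Tuple[int, int]]) -> Dict[int, int]:
    """Table produced by explicit 'instance N vlan lo to hi' assignments.
    Every VLAN not named falls back to MSTI 0 (the CIST)."""
    table = {v: 0 for v in range(1, MAX_VLAN + 1)}
    for instance, (lo, hi) in ranges.items():
        for v in range(lo, hi + 1):
            table[v] = instance
    return table


@dataclass
class MstRegion:
    name: str
    revision: int
    vlan_map: Dict[int, int] = field(default_factory=dict)


def same_region(a: MstRegion, b: MstRegion) -> bool:
    """Two switches are in one MST region only if all three attributes agree.
    (Real MSTP compares a digest of the VLAN mapping table rather than the
    table itself; comparing the table directly gives the same answer.)"""
    return a.name == b.name and a.revision == b.revision and a.vlan_map == b.vlan_map


def demo() -> Tuple[bool, bool, bool]:
    # Mapping shown by display stp region-configuration in this guide:
    # MSTI 1 = VLANs 1 to 10, MSTI 2 = VLANs 11 to 20, everything else MSTI 0.
    shown = range_table({1: (1, 10), 2: (11, 20)})
    a = MstRegion("huawei", 0, shown)
    b = MstRegion("huawei", 0, range_table({1: (1, 10), 2: (11, 20)}))
    c = MstRegion("huawei", 1, shown)                  # revision differs
    d = MstRegion("huawei", 0, modulo_table(2))        # mapping differs
    return same_region(a, b), same_region(a, c), same_region(a, d)
```

The third comparison in `demo()` is the one that bites in practice: a switch configured with `vlan-mapping modulo 2` and one configured with explicit instance ranges carry the same region name and revision level yet land in different regions, because the mapping tables differ.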
Context
Do as follows on the CX91x series that needs to be added to the MST region.
Procedure
Step 1 Run:
system-view
The parameters of the MST region that have not taken effect are displayed.
Changing the values of parameters (especially the VLAN mapping table) of an
MST region causes the recalculation of spanning trees and the route flapping on a
network. Therefore, it is recommended that you run the check region-
configuration command in the MST region view before activating the
configuration of the MST region to check whether the parameters of the MST
region are set correctly. After verifying that the parameters of the MST region are
correct, run the active region-configuration command to activate the
configuration of the MST region.
Step 4 Run:
active region-configuration
----End
Context
Do as follows on the CX91x series that needs to be added to the MST region.
Procedure
Step 1 Run:
system-view
The CX91x series is configured as a root switch. This is similar to setting the
priority of the CX91x series to 0.
● Run:
stp [ instance instance-id ] root secondary
By default, a CX91x series does not function as the root switch or the secondary
root switch of a spanning tree.
A CX91x series can play different roles in different spanning trees. That is, the
CX91x series can function as the root switch of one spanning tree and as the
secondary root switch of another spanning tree. The CX91x series, however,
cannot function as both the root switch and the secondary root switch of the
same spanning tree.
A CX91x series can function as the root of multiple spanning trees, but it is
recommended that you specify only one root switch for a spanning tree. You can
specify multiple secondary root switches for the same spanning tree. It is
recommended that you specify one root switch and multiple secondary root
switches for a spanning tree.
----End
Context
NOTICE
If a CX91x series is configured as the root switch or secondary root switch, the
priority of the CX91x series cannot be set. If you want to set the priority of the
CX91x series, you must first remove the root switch or secondary root switch
configuration.
Do as follows on the CX91x series that needs to be added to the MST region.
Procedure
Step 1 Run:
system-view
Step 2 Run:
stp [ instance instance-id ] priority priority
A smaller value of priority indicates a higher priority. The CX91x series with the
higher priority is more likely to be elected as the root switch.
The priority of the root switch or secondary root switch must be higher than the
priorities of the other switches. Otherwise, the root switch or the secondary root
switch may be replaced by another switch.
If the CX91x series switches in an MSTI have the same priority, the CX91x series
with the smallest MAC address is elected as the root switch.
----End
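The election rule just stated (numerically smallest priority wins, ties broken by the smallest MAC address) can be checked offline from the bridge IDs that display stp prints in priority.MAC form, such as 32768.00e0-fc0e-a421. The following is an added example, not Huawei code; it parses such bridge IDs, elects the root and lists any peers whose bridge ID would let them displace the intended root, which is the misconfiguration the paragraph above warns against. The bridge IDs in the tests are constructed.

```python
"""Root switch election by bridge ID, following the rule stated above:
the numerically smallest priority wins, and equal priorities are broken
by the smallest MAC address. Bridge IDs use the priority.MAC form that
display stp prints (for example 32768.00e0-fc0e-a421).

Added example, not Huawei code."""
import re
from typing import List, Tuple

BRIDGE_ID_RE = re.compile(
    r"^(\d+)\.([0-9a-f]{4})-([0-9a-f]{4})-([0-9a-f]{4})$", re.IGNORECASE)


def parse_bridge_id(text: str) -> Tuple[int, int]:
    """Return (priority, mac_as_int); tuple order is the election order."""
    m = BRIDGE_ID_RE.match(text.strip())
    if not m:
        raise ValueError(f"not a bridge ID: {text!r}")
    priority = int(m.group(1))
    if not 0 <= priority <= 65535:
        raise ValueError(f"priority out of range: {priority}")
    mac = int(m.group(2) + m.group(3) + m.group(4), 16)
    return priority, mac


def elect_root(bridge_ids: List[str]) -> str:
    """The bridge whose (priority, MAC) tuple is smallest becomes the root."""
    if not bridge_ids:
        raise ValueError("no bridges to elect from")
    return min(bridge_ids, key=parse_bridge_id)


def can_displace(intended_root: str, others: List[str]) -> List[str]:
    """Bridges that would win the election over the intended root. A non-empty
    result means the root's priority is not strictly better than its peers,
    the situation the guide warns about."""
    root_key = parse_bridge_id(intended_root)
    return [b for b in others if parse_bridge_id(b) < root_key]
```

Feeding `can_displace()` the CIST Bridge values collected from every switch in the region is a quick way to confirm, before root protection is relied on, that the configured root really does hold the best bridge ID.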
Context
Do as follows on the CX91x series that needs to be added to the MST region.
Procedure
Step 1 Run:
system-view
Step 2 Run:
stp enable
MSTP is enabled.
----End
Procedure
● Run the display stp [ instance instance-id ] [ interface interface-type
interface-number ] [ brief ] and display stp [ instance instance-id ] [ brief ]
command to check the state and statistics of a spanning tree.
----End
Example
After you run the display stp command, you can see that the operation mode of the
spanning tree is MSTP, that VLANs are mapped to MSTI 0, and that the CX91x series
uses the default priority 32768. The following is an example:
<Base> display stp instance 0 interface gigabitethernet 0/0/1
-------[CIST Global Info][Mode MSTP]-------
CIST Bridge :32768.00e0-fc0e-a421
Bridge Times :Hello 2s MaxAge 20s FwDly 15s MaxHop 20
CIST Root/ERPC :32768.00e0-fc0e-a421 / 0
CIST RegRoot/IRPC :32768.00e0-fc0e-a421 / 0
CIST RootPortId :0.0
BPDU-Protection :disabled
TC or TCN received :8
TC count per hello :8
STP Converge Mode :Fast
Time since last TC :0 days 23h:9m:30s
----[Port3(GigabitEthernet0/0/1)][FORWARDING]----
Port Protocol :enabled
Port Role :Designated Port
Port Priority :128
Port Cost(Dot1T ) :Config=auto / Active=200000000
Desg. Bridge/Port :32768.00e0-fc0e-a421 / 128.1229
Port Edged :Config=disabled / Active=disabled
Point-to-point :Config=auto / Active=true
Transit Limit :3 packets/hello-time
Protection Type :None
Port Stp Mode :MSTP
Port Protocol Type :Config=auto / Active= dot1s
PortTimes :Hello 2s MaxAge 20s FwDly 15s RemHop 0
TC or TCN send :0
TC or TCN received :0
BPDU Sent :0
TCN: 0, Config: 0, RST: 0, MST: 0
BPDU Received :0
TCN: 0, Config: 0, RST: 0, MST: 0
After you run the display stp region-configuration command, you can view the
effective MST region name, the revision level of the MST region, and the mappings
between MSTIs and VLANs.
<Base> display stp region-configuration
Oper Configuration:
Format selector :0
Region name :huawei
Revision level :0
Instance Vlans Mapped
0 21 to 4094
1 1 to 10
2 11 to 20
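The display stp output above carries the state a defender needs to verify the protections this chapter describes: whether BPDU protection is on, whether each port is an edge port, what protection type is active on it, and how many topology changes the bridge is seeing per Hello. The following is an added example, not Huawei code: it parses the key/value lines of that output (an abridged copy of the sample above is embedded, with the same values) and reports the conditions that warrant attention. The per-Hello TC limit of 3 is an assumed threshold borrowed from the default TC-protection count of 3 per 2 s; adjust it to the network.

```python
"""Audit of display stp output against the protection features this guide
describes. Added example, not Huawei code: it parses the key/value lines of
the output (an abridged copy of the sample above is embedded) and reports
the conditions a defender would want to see fixed."""
import re
from typing import Dict, List

# Abridged from the display stp sample shown above (same values).
SAMPLE_OUTPUT = """\
-------[CIST Global Info][Mode MSTP]-------
CIST Bridge :32768.00e0-fc0e-a421
Bridge Times :Hello 2s MaxAge 20s FwDly 15s MaxHop 20
CIST Root/ERPC :32768.00e0-fc0e-a421 / 0
BPDU-Protection :disabled
TC or TCN received :8
TC count per hello :8
Time since last TC :0 days 23h:9m:30s
----[Port3(GigabitEthernet0/0/1)][FORWARDING]----
Port Protocol :enabled
Port Role :Designated Port
Port Cost(Dot1T ) :Config=auto / Active=200000000
Port Edged :Config=disabled / Active=disabled
Point-to-point :Config=auto / Active=true
Protection Type :None
Port Protocol Type :Config=auto / Active= dot1s
BPDU Sent :0
TCN: 0, Config: 0, RST: 0, MST: 0
BPDU Received :0
TCN: 0, Config: 0, RST: 0, MST: 0
"""

GLOBAL_RE = re.compile(r"^-+\[CIST Global Info\]\[Mode (\w+)\]-+$")
PORT_RE = re.compile(r"^-+\[Port\d+\((\S+)\)\]\[(\w+)\]-+$")
CFG_ACT_RE = re.compile(r"Config=\s*(\S+)\s*/\s*Active=\s*(\S+)")


def parse_display_stp(text: str) -> Dict[str, dict]:
    """Split the output into a global section and one dict per port."""
    result: Dict[str, dict] = {"global": {}, "ports": {}}
    current = result["global"]
    last_key = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = GLOBAL_RE.match(line)
        if m:
            current = result["global"]
            current["mode"] = m.group(1)
            continue
        m = PORT_RE.match(line)
        if m:
            current = {"state": m.group(2)}
            result["ports"][m.group(1)] = current
            continue
        if line.startswith("TCN:"):        # per-type counters of the previous line
            current[last_key + " by type"] = line
            continue
        key, sep, value = line.partition(":")
        if not sep:
            continue
        key, value = key.strip(), value.strip()
        ca = CFG_ACT_RE.search(value)
        current[key] = {"config": ca.group(1), "active": ca.group(2)} if ca else value
        last_key = key
    return result


def audit(parsed: Dict[str, dict], tc_per_hello_limit: int = 3) -> List[str]:
    """One finding per problem; an empty list means nothing to report.
    tc_per_hello_limit = 3 mirrors the default TC-protection count (3 per 2 s,
    and Hello is 2 s here); treat it as an assumed, tunable threshold."""
    findings: List[str] = []
    g = parsed["global"]
    bpdu_protection = g.get("BPDU-Protection") == "enabled"
    if not bpdu_protection:
        findings.append("BPDU protection disabled: forged BPDUs on an edge port "
                        "would force a spanning-tree recalculation")
    root_id = g.get("CIST Root/ERPC", "").split("/")[0].strip()
    is_root = bool(root_id) and g.get("CIST Bridge") == root_id
    tc = g.get("TC count per hello", "")
    if tc.isdigit() and int(tc) > tc_per_hello_limit:
        findings.append(f"{tc} topology changes per hello: check TC protection")
    for name, port in parsed["ports"].items():
        edged = port.get("Port Edged", {})
        if isinstance(edged, dict) and edged["active"] == "enabled" and not bpdu_protection:
            findings.append(f"{name}: edge port without BPDU protection")
        role, prot = port.get("Port Role", ""), port.get("Protection Type", "None")
        if role == "Root Port" and prot == "None":
            findings.append(f"{name}: root port without loop protection")
        if is_root and role == "Designated Port" and prot == "None":
            findings.append(f"{name}: designated port on the root switch without root protection")
    return findings


def demo() -> List[str]:
    return audit(parse_display_stp(SAMPLE_OUTPUT))
```

On the sample, `demo()` returns three findings: BPDU protection is disabled, the bridge has seen 8 topology changes per Hello, and its designated port carries no root protection even though the bridge is the CIST root. The section on MSTP protection later in this chapter covers the commands that clear each of them.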
Applicable Environment
On certain networks, you need to modify MSTP parameters of some switches to
optimize their performance.
Pre-configuration Tasks
Before setting MSTP parameters of a CX91x series, complete the following tasks:
● Configuring physical attributes of the ports
● Configuring the VLANs on each port
● Adding the CX91x series to the specified MST region
Data Preparation
To set MSTP parameters of a CX91x series, you need the following data.
No. Data
1 Network diameter
2 Hello time, forward delay, and max age of the CX91x series
7 Method of calculating the path cost of the port, path cost of the port, maximum rate of sending packets on the port, and STP convergence mode of the port
8 Protocol format of the packets received and sent through the port
Context
Do as follows on the CX91x series functioning as the root switch in the MST
region.
Procedure
Step 1 Run:
system-view
The timer factor that is used to calculate the timeout interval of the CX91x series
according to the Hello time is set.
The timeout interval is calculated through the following formula: Timeout interval
= Hello time x Timer factor. If the CX91x series does not receive the BPDU from
the upstream CX91x series within the timeout interval, the CX91x series considers
that the upstream CX91x series has failed and recalculates the spanning tree.
Sometimes, the CX91x series does not receive the BPDU from the upstream CX91x
series because the upstream CX91x series is busy. In this case, the spanning tree
should not be recalculated. Therefore, to save network resources, you should set a
longer timeout interval on a stable network.
On a stable network, the recommended timer factor range is 5 to 7.
By default, the timer factor is 3.
Step 6 Run:
stp timer max-age max-age
Step 7 Run:
stp max-hops hop
The maximum number of hops of the spanning tree in an MST region is set.
By default, the maximum number of hops of the spanning tree in an MST region
is 20.
----End
Context
NOTICE
Procedure
Step 1 Run:
system-view
A shared link takes longer to converge than a P2P link.
By default, the designated port automatically checks whether it is connected to a
P2P link.
Step 6 Run:
stp instance instance-id port priority priority
The path cost of the port in the specified spanning tree is set.
By default, the path cost of an interface is calculated by MSTP.
Step 8 Run:
stp transmit-limit packet-number
The maximum number of BPDUs that the interface sends within the Hello time is
set.
By default, the maximum number of BPDUs that an interface can send in a Hello
time is 147.
Step 9 Run:
stp config-digest-snoop
The algorithm for calculating the path cost of the interface is specified.
By default, the algorithm defined in IEEE 802.1t is used to calculate the default
value of the path cost.
The switches on the same network must use the same algorithm to calculate the
path cost of interfaces.
Step 13 Run:
stp converge { fast | normal }
In fast mode, the interface deletes the related ARP entries immediately after
receiving a TC packet. In normal mode, the interface does not delete the ARP
entries on receiving a TC packet but waits for their aging time to expire.
----End
Context
Do as follows on the CX91x series in an MST region.
Procedure
Step 1 Run:
system-view
Step 3 Run:
stp mcheck
In the following cases, you need to switch the interface to the MSTP mode
manually:
If you run the stp mcheck command in the system view, the MCheck operation is
performed on all the interfaces.
----End
Context
Do as follows on the CX91x series in an MST region.
Procedure
Step 1 Run:
system-view
NOTE
If the format of MSTP packets is set to dot1s on one end and legacy on the other end,
the negotiation fails.
----End
Context
Do as follows on the CX91x series in an MST region.
Procedure
Step 1 Run:
system-view
Step 3 Run:
stp no-agreement-check
----End
Procedure
Step 1 Run the display stp [ instance instance-id ] [ interface interface-type interface-
number ] [ brief ] and display stp [ instance instance-id ] [ brief ] command to
check the state and statistics of a spanning tree.
----End
Example
After you run the display stp command, you can view the Hello time, forward
delay, and max age of the spanning tree, the maximum number of hops in the MST
region, the STP convergence mode of the specified port, the link type of the
port, the maximum number of BPDUs that the port sends within each Hello time,
the format of the MSTP packets sent and received on the port, and whether digest
snooping is configured. The following is an example:
<Base> display stp instance 0 interface gigabitethernet 0/0/1
-------[CIST Global Info][Mode MSTP]-------
CIST Bridge :32768.00e0-fc0e-a421
Bridge Times :Hello 2s MaxAge 20s FwDly 15s MaxHop 20
CIST Root/ERPC :32768.00e0-fc0e-a421 / 0
CIST RegRoot/IRPC :32768.00e0-fc0e-a421 / 0
CIST RootPortId :0.0
BPDU-Protection :disabled
TC or TCN received :8
TC count per hello :8
STP Converge Mode :Fast
Time since last TC :0 days 23h:9m:30s
----[Port3(GigabitEthernet0/0/1)][FORWARDING]----
Port Protocol :enabled
Port Role :Designated Port
Port Priority :128
Port Cost(Dot1T ) :Config=auto / Active=200000000
Desg. Bridge/Port :32768.00e0-fc0e-a421 / 128.1229
Port Edged :Config=disabled / Active=disabled
Point-to-point :Config=auto / Active=true
Transit Limit :3 packets/hello-time
Protection Type :None
Port Stp Mode :MSTP
Port Protocol Type :Config=auto / Active= dot1s
PortTimes :Hello 2s MaxAge 20s FwDly 15s RemHop 0
TC or TCN send :0
TC or TCN received :0
BPDU Sent :136
TCN: 0, Config: 0, RST: 0, MST: 136
BPDU Received :0
TCN: 0, Config: 0, RST: 0, MST: 0
NOTE
Applicable Environment
The MSTP protection function includes the following:
● BPDU protection
On a switch, the port that is directly connected to a user terminal such as a
PC or a file server is configured as an edge port to ensure fast transition of
the port status.
Usually, no BPDUs are sent to edge ports. If the switch is attacked with pseudo
BPDUs, the switch changes the edge ports that receive them to non-edge ports
and recalculates the spanning tree. As a result, network flapping occurs.
To defend against pseudo BPDU attacks, MSTP provides BPDU protection.
After BPDU protection is enabled, the switch shuts down the edge port that
receives BPDUs and informs the NMS. The edge ports shut down by the
switch can be manually started only by the network administrator.
● Root protection
If the root switch on a network is incorrectly configured or attacked, it may
receive a BPDU with a higher priority. Thus, the root switch becomes a non-
root switch, which causes changes of the network topology.
As a result, traffic may be switched from high-speed links to low-speed links,
causing network congestion.
To address this problem, the switch provides the root protection function. The
root protection function protects the role of the root switch by retaining the
role of the designated port. After root protection is enabled on a port, the
port retains the role of the designated port in all instances.
When the port receives a BPDU with a higher priority, the port stops
forwarding packets and turns to the listening state, but is still a designated
port. If the port does not receive any BPDU with a higher priority for a certain
period, the port status is restored from the listening state.
● Loop protection
The switch maintains the status of the root port and blocked ports by
continually receiving BPDUs from the upstream switch.
If the root port cannot receive BPDUs from the upstream switch due to link
congestion or unidirectional link failure, the switch re-selects a root port. Then
the previous root port becomes a designated port and the blocked ports
change to the forwarding state. As a result, loops may occur on the network.
The switch provides loop protection to prevent network loops. After the loop
protection function is enabled, the root port is blocked if it cannot receive
BPDUs from the upstream switch. The blocked port remains in the blocked
state and does not forward packets. This prevents loops on the network.
● TC protection
After receiving TC-BPDUs, a switch deletes MAC address entries and ARP
entries. If a malicious attacker sends pseudo TC-BPDUs to attack the switch,
the switch will receive a large number of TC-BPDUs within a short time
period, and delete its MAC entries and ARP entries frequently. As a result, the
switch is heavily burdened, threatening the network stability.
After enabling TC-BPDU attack defense, you can set the number of times TC-
BPDUs are processed by the CX91x series within a given time period (the
default time period is 2s, and the default number of times is 3). If the number
of TC-BPDUs that the CX91x series receives within the given time exceeds the
specified threshold, the CX91x series processes TC-BPDUs only for the
specified number of times. After the timer expires, the CX91x series processes
the remaining TC-BPDUs together. In this way, the switch is prevented from
frequently deleting its MAC entries and ARP entries, and thus is protected
from being over-burdened.
Pre-configuration Tasks
Before configuring MSTP protection on the CX91x series, complete the following
tasks:
● Configuring physical attributes of the ports
● Configuring VLAN features of the ports
● Adding the CX91x series to the specified MST region
● Configuring an edge port on the CX91x series before configuring BPDU
protection
Data Preparation
To configure MSTP protection on the CX91x series, you need the following data.
No. Data
Context
On a switch, the port that is directly connected to a user terminal such as a PC or
a file server is configured as an edge port to ensure fast transition of the port
status.
Usually, no BPDUs are sent to edge ports. If the switch is attacked with pseudo
BPDUs, the switch changes the edge ports that receive them to non-edge ports
and recalculates the spanning tree. As a result, network flapping occurs.
MSTP provides BPDU protection to defend against attacks. After BPDU protection
is enabled, the switch shuts down the edge port that receives BPDUs and informs
the NMS. The edge ports shut down by the switch can be manually started only by
the network administrator.
Do as follows on the CX91x series with an edge port.
Procedure
Step 1 Run:
system-view
----End
Context
If the root switch on a network is incorrectly configured or attacked, it may receive
a BPDU with a higher priority. Thus, the root switch becomes a non-root switch,
which causes changes of the network topology.
As a result, traffic may be switched from high-speed links to low-speed links,
causing network congestion.
To address this problem, the switch provides the root protection function. The root
protection function protects the role of the root switch by retaining the role of the
designated port. After root protection is enabled on a port, the port retains the
role of the designated port in all instances.
When the port receives a BPDU with a higher priority, the port stops forwarding
packets and turns to the listening state, but is still a designated port. If the port
does not receive any BPDU with a higher priority for a certain period, the port
status is restored from the listening state.
NOTE
Do as follows on the CX91x series functioning as the root switch in the MST
region.
Procedure
Step 1 Run:
system-view
----End
Context
The switch maintains the status of the root port and blocked ports by continually
receiving BPDUs from the upstream switch.
If the root port cannot receive BPDUs from the upstream switch due to link
congestion or unidirectional link failure, the switch re-selects a root port. Then the
previous root port becomes a designated port and the blocked ports change to the
forwarding state. As a result, loops may occur on the network.
The switch provides loop protection to prevent network loops. After the loop
protection function is enabled, the root port is blocked if it cannot receive BPDUs
from the upstream switch. The blocked port remains in the blocked state and does
not forward packets. This prevents loops on the network.
Do as follows on the CX91x series functioning as the root switch in the MST
region.
Procedure
Step 1 Run:
system-view
● Run:
interface interface-type interface-number
The Ethernet interface view or virtual Ethernet interface view is displayed.
● Run:
interface eth-trunk trunk-id
The Eth-Trunk interface view is displayed.
Step 3 Run:
stp loop-protection
----End
Context
After receiving TC-BPDUs, a switch deletes MAC address entries and ARP entries. If
a malicious attacker sends pseudo TC-BPDUs to attack the switch, the switch will
receive a large number of TC-BPDUs within a short time period, and delete its
MAC entries and ARP entries frequently. As a result, the switch is heavily
burdened, threatening the network stability.
After enabling TC-BPDU attack defense, you can set the number of times TC-
BPDUs are processed by the CX91x series within a given time period (the default
time period is 2s, and the default number of times is 3). If the number of TC-
BPDUs that the CX91x series receives within the given time exceeds the specified
threshold, the CX91x series processes TC-BPDUs only for the specified number of
times. After the timer expires, the CX91x series processes the remaining TC-BPDUs
together. In this way, the switch is prevented from frequently deleting its MAC
entries and ARP entries, and thus is protected from being over-burdened.
Do as follows on the CX91x series.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
stp tc-protection
The CX91x series is configured to suppress BPDUs of the TC type, that is, TC packets.
Step 3 Run:
stp tc-protection threshold threshold
The number of times the CX91x series parses TC packets and updates forwarding entries within a period is set.
By default, the period is 2 seconds and the CX91x series parses TC packets 3 times in 2 seconds.
When the CX91x series receives a TC packet, it deletes the related ARP entries and MAC address entries. If it receives too many TC packets within a period, CPU usage stays high. TC packet suppression prevents this problem.
----End
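The rate limit described above, as an added example that is not part of the CX91x documentation or Huawei's code: a Python model of the TC-BPDU suppression window, run against a constructed 20-frame burst of forged TC-BPDUs and against three legitimate topology changes. Only the behaviour stated in the context section is modelled (at most threshold flushes per period, the remaining TC-BPDUs processed together when the timer expires); how the real switch batches the deferred TC-BPDUs internally is an assumption.

```python
"""Simulation of TC-BPDU attack defense (stp tc-protection).

Added example, not code from the CX91x documentation or Huawei. Within one
period (default 2 s) at most `threshold` (default 3) TC-BPDUs trigger an
immediate MAC/ARP flush; the rest are deferred and handled by one flush when
the timer expires. The batching of deferred TC-BPDUs is an assumption and the
arrival times at the bottom are constructed."""
from typing import List, Optional


class TcProtection:
    def __init__(self, threshold: int = 3, period: float = 2.0, enabled: bool = True):
        self.threshold = threshold
        self.period = period
        self.enabled = enabled
        self.flushes: List[float] = []          # times at which forwarding entries are flushed
        self._window_start: Optional[float] = None
        self._processed = 0                     # TC-BPDUs handled immediately in this window
        self._pending = 0                       # TC-BPDUs deferred to window expiry

    def _expire(self, now: float) -> None:
        """Close the window if its timer has run out, flushing deferred TCs once."""
        if self._window_start is None or now - self._window_start < self.period:
            return
        if self._pending:
            self.flushes.append(self._window_start + self.period)
            self._pending = 0
        self._window_start = None
        self._processed = 0

    def receive(self, now: float) -> bool:
        """Handle one TC-BPDU at time `now`; return True if a flush happens immediately."""
        if not self.enabled:                    # no defense: every TC-BPDU flushes
            self.flushes.append(now)
            return True
        self._expire(now)
        if self._window_start is None:
            self._window_start = now
        if self._processed < self.threshold:
            self._processed += 1
            self.flushes.append(now)
            return True
        self._pending += 1
        return False

    def tick(self, now: float) -> None:
        """Timer check when no BPDU arrives."""
        self._expire(now)


def simulate(arrivals: List[float], threshold: int = 3, period: float = 2.0,
             enabled: bool = True) -> List[float]:
    """Return the flush times produced by a sequence of TC-BPDU arrival times."""
    tcp = TcProtection(threshold, period, enabled)
    for t in arrivals:
        tcp.receive(t)
    if arrivals:
        tcp.tick(arrivals[-1] + period)       # let the last window expire
    return tcp.flushes


# Constructed traffic: a 20-frame TC-BPDU burst (attack) and three legitimate TCs.
ATTACK_BURST = [round(i * 0.1, 1) for i in range(20)]
LEGITIMATE = [0.0, 5.0, 10.0]

if __name__ == "__main__":
    print("attack, protection off:", len(simulate(ATTACK_BURST, enabled=False)), "flushes")
    print("attack, protection on :", simulate(ATTACK_BURST))
    print("legitimate TCs        :", simulate(LEGITIMATE))
```

With the defaults the 20-frame burst costs four flushes instead of twenty, while legitimate topology changes spaced wider than the period are not delayed at all. A larger period trades slower convergence for fewer flushes, which is why the threshold is worth reviewing on switches whose access ports are not already edge ports with BPDU protection.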
Procedure
Step 1 Run the display stp [ instance instance-id ] [ interface interface-type interface-number ] [ brief ] command to check the state and statistics of a spanning tree.
----End
Example
Run the display stp command to check whether BPDU protection is enabled and to view the protection type configured on each port (the Protection Type field in the port section; None means no protection is configured). The following is an example:
<Base> display stp instance 0 interface gigabitethernet 0/0/1
-------[CIST Global Info][Mode MSTP]-------
CIST Bridge :32768.00e0-fc0e-a421
Bridge Times :Hello 2s MaxAge 20s FwDly 15s MaxHop 20
CIST Root/ERPC :32768.00e0-fc0e-a421 / 0
CIST RegRoot/IRPC :32768.00e0-fc0e-a421 / 0
CIST RootPortId :0.0
BPDU-Protection :enabled
TC or TCN received :8
TC count per hello :8
STP Converge Mode :Fast
Time since last TC :0 days 23h:9m:30s
----[Port3(GigabitEthernet0/0/1)][FORWARDING]----
Port Protocol :enabled
Port Role :Designated Port
Port Priority :128
Port Cost(Dot1T ) :Config=auto / Active=200000000
Desg. Bridge/Port :32768.00e0-fc0e-a421 / 128.1229
Port Edged :Config=disabled / Active=disabled
Point-to-point :Config=auto / Active=true
Transit Limit :3 packets/hello-time
Protection Type :None
Port Stp Mode :MSTP
Port Protocol Type :Config=auto / Active= dot1s
PortTimes :Hello 2s MaxAge 20s FwDly 15s RemHop 0
TC or TCN send :0
TC or TCN received :0
BPDU Sent :43
TCN: 0, Config: 0, RST: 0, MST: 43
BPDU Received :3
TCN: 0, Config: 0, RST: 0, MST: 3
Context
NOTICE
MSTP statistics cannot be restored after you clear them. So, confirm the action
before you use the command.
Procedure
Step 1 Run the reset stp [ interface interface-type interface-number ] statistics
command to clear the statistics of the specified spanning tree.
----End
Context
NOTICE
Debugging affects the performance of the system. So, after debugging, run the
undo debugging all command to disable it immediately.
When an MSTP fault occurs, run the following debugging commands in the user
view to locate the fault.
Procedure
● Run the debugging stp instance instance-id event command to enable
debugging of the specified MSTI.
● Run the debugging stp [ interface interface-type interface-number ] { event | packet { all | receive | send } } command to enable debugging of the BPDUs sent and received and of the events on the specified port.
● Run the debugging stp msti { instance-id1 [ to instance-id2 ] } &<1-10>
command to enable debugging of BPDUs in the specified MSTI.
----End
Networking Requirements
SwitchA, SwitchB, SwitchC, and SwitchD run MSTP. In this example, MSTP runs on
Layer 2 interfaces of the Switches.
Configuration Roadmap
The configuration roadmap is as follows:
1. Add SwitchA and SwitchC to MST region RG1, and create MSTI1.
2. Add SwitchB and SwitchD to MST region RG2, and create MSTI1.
3. Configure SwitchA as the CIST root.
4. In RG1, configure SwitchA as the CIST regional root and as the regional root of MSTI1. Configure root protection on GigabitEthernet 0/0/1 and GigabitEthernet 0/0/2 of SwitchA so that no other switch can take over the root role through these ports.
5. In RG2, configure SwitchB as the CIST regional root and SwitchD as the regional root of MSTI1.
6. On SwitchC and SwitchD, connect GigabitEthernet 0/0/1 to a PC, configure GigabitEthernet 0/0/1 as an edge port, and enable BPDU protection, so that a BPDU received on the edge port (for example, from a rogue switch plugged into the PC port) shuts the port down instead of changing the topology.
7. Configure the Switches to calculate the path cost by using the Huawei legacy algorithm (stp pathcost-standard legacy).
Data Preparation
To complete the configuration, you need the following data:
Procedure
Step 1 Configure SwitchA.
# Configure the MST region on SwitchA.
<SwitchA> system-view
[SwitchA] stp region-configuration
[SwitchA-mst-region] region-name RG1
[SwitchA-mst-region] instance 1 vlan 1 to 10
[SwitchA-mst-region] active region-configuration
[SwitchA-mst-region] quit
# Set the priority of SwitchA in MSTI0 to 0 to ensure that SwitchA functions as the CIST root.
[SwitchA] stp instance 0 priority 0
# Set the priority of SwitchA in MSTI1 to 0 to ensure that SwitchA functions as the regional root of MSTI1 in RG1.
[SwitchA] stp instance 1 priority 0
# Use the Huawei legacy path cost algorithm. The same algorithm must be configured on all four Switches; otherwise the path costs they exchange are not comparable.
[SwitchA] stp pathcost-standard legacy
# Enable root protection on the designated ports of the root switch. A port with root protection is blocked instead of accepting a superior BPDU, so a rogue or misconfigured switch behind it cannot take over the root role.
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] stp root-protection
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] stp root-protection
[SwitchA-GigabitEthernet0/0/2] quit
# Enable MSTP.
[SwitchA] stp enable
# Create the VLANs and configure the inter-switch interfaces as trunk interfaces with bpdu enable, as shown in the configuration files at the end of this example. The same applies to SwitchB, SwitchC, and SwitchD.
Step 2 Configure SwitchB.
# Configure the MST region on SwitchB.
<SwitchB> system-view
[SwitchB] stp region-configuration
[SwitchB-mst-region] region-name RG2
[SwitchB-mst-region] instance 1 vlan 1 to 10
[SwitchB-mst-region] active region-configuration
[SwitchB-mst-region] quit
# Set the priority of SwitchB in MSTI0 to 4096 to ensure that SwitchB functions as the CIST regional root of RG2. SwitchA, with priority 0, remains the CIST root.
[SwitchB] stp instance 0 priority 4096
[SwitchB] stp pathcost-standard legacy
# Enable MSTP.
[SwitchB] stp enable
Step 3 Configure SwitchC.
# Configure the MST region on SwitchC (RG1, the same region as SwitchA).
<SwitchC> system-view
[SwitchC] stp region-configuration
[SwitchC-mst-region] region-name RG1
[SwitchC-mst-region] instance 1 vlan 1 to 10
[SwitchC-mst-region] active region-configuration
[SwitchC-mst-region] quit
[SwitchC] stp pathcost-standard legacy
# Configure GigabitEthernet 0/0/1, which connects to a PC, as an edge port and enable BPDU protection, so that the port is shut down if it receives a BPDU.
[SwitchC] interface gigabitethernet 0/0/1
[SwitchC-GigabitEthernet0/0/1] stp edged-port enable
[SwitchC-GigabitEthernet0/0/1] quit
[SwitchC] stp bpdu-protection
# Enable MSTP.
[SwitchC] stp enable
Step 4 Configure SwitchD.
# Configure the MST region on SwitchD (RG2, the same region as SwitchB).
<SwitchD> system-view
[SwitchD] stp region-configuration
[SwitchD-mst-region] region-name RG2
[SwitchD-mst-region] instance 1 vlan 1 to 10
[SwitchD-mst-region] active region-configuration
[SwitchD-mst-region] quit
# Set the priority of SwitchD in MSTI1 to 0 to ensure that SwitchD functions as the regional root of MSTI1 in RG2.
[SwitchD] stp instance 1 priority 0
[SwitchD] stp pathcost-standard legacy
# Configure GigabitEthernet 0/0/1 as an edge port and enable BPDU protection, as on SwitchC.
[SwitchD] interface gigabitethernet 0/0/1
[SwitchD-GigabitEthernet0/0/1] stp edged-port enable
[SwitchD-GigabitEthernet0/0/1] quit
[SwitchD] stp bpdu-protection
# Enable MSTP.
[SwitchD] stp enable
Step 5 Verify the configuration.
The priority of SwitchA is the highest in the CIST; therefore, SwitchA is elected as the CIST root and as the regional root of RG1. GigabitEthernet 0/0/1 and GigabitEthernet 0/0/2 of SwitchA are designated ports in the CIST.
The priority of SwitchA in MSTI1 is the highest in RG1; therefore, SwitchA is elected as the regional root of MSTI1 in RG1, and GigabitEthernet 0/0/1 and GigabitEthernet 0/0/2 of SwitchA are designated ports in MSTI1.
# Run the display stp interface brief commands on SwitchC. The displayed
information is as follows:
<SwitchC> display stp interface GigabitEthernet 0/0/3 brief
MSTID Port Role STP State Protection
0 GigabitEthernet0/0/3 ROOT FORWARDING NONE
1 GigabitEthernet0/0/3 ROOT FORWARDING NONE
<SwitchC> display stp interface GigabitEthernet 0/0/2 brief
MSTID Port Role STP State Protection
0 GigabitEthernet0/0/2 DESI FORWARDING NONE
1 GigabitEthernet0/0/2 DESI FORWARDING NONE
GigabitEthernet 0/0/3 of SwitchC is the root port in the CIST and MSTI1.
GigabitEthernet 0/0/2 of SwitchC is a designated port in the CIST and MSTI1.
# Run the display stp brief command on SwitchB. The displayed information is as
follows:
<SwitchB> display stp brief
MSTID Port Role STP State Protection
0 GigabitEthernet0/0/2 ROOT FORWARDING NONE
0 GigabitEthernet0/0/1 DESI FORWARDING NONE
1 GigabitEthernet0/0/2 MAST FORWARDING NONE
1 GigabitEthernet0/0/1 ROOT FORWARDING NONE
The priority of SwitchB in the CIST is lower than that of SwitchA; therefore, GigabitEthernet 0/0/2 of SwitchB functions as the root port in the CIST. SwitchA and SwitchB belong to different regions; therefore, GigabitEthernet 0/0/2 of SwitchB functions as the master port in MSTI1. In MSTI1, the priority of SwitchB is lower than that of SwitchD; therefore, GigabitEthernet 0/0/1 of SwitchB functions as the root port. The priority of SwitchB in the CIST is higher than that of SwitchD; therefore, GigabitEthernet 0/0/1 of SwitchB functions as the designated port in the CIST.
# Run the display stp interface brief commands on SwitchD. The displayed
information is as follows:
<SwitchD> display stp interface GigabitEthernet 0/0/3 brief
MSTID Port Role STP State Protection
0 GigabitEthernet0/0/3 ROOT FORWARDING NONE
1 GigabitEthernet0/0/3 DESI FORWARDING NONE
<SwitchD> display stp interface GigabitEthernet 0/0/2 brief
MSTID Port Role STP State Protection
0 GigabitEthernet0/0/2 ALTE DISCARDING NONE
1 GigabitEthernet0/0/2 ALTE DISCARDING NONE
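A check a practitioner can run over the outputs above, as an added example that is not part of the CX91x documentation or Huawei's code: a Python script that parses the display stp ... brief table format shown on this page and reports root and alternate ports that lack loop protection and, on the root bridge, designated ports that lack root protection. The values the Protection column shows once a feature is configured (assumed here to be LOOP, ROOT and BPDU) are an assumption; the SwitchB table is copied from the output above and the SwitchA table is constructed.

```python
"""Audit of 'display stp ... brief' output for missing STP protection.

Added example, not part of the CX91x documentation or Huawei's code. Parses
the brief table (MSTID, Port, Role, STP State, Protection) and reports ports
whose role calls for a protection feature the Protection column does not
show. Protection values other than NONE (LOOP, ROOT, BPDU) are assumed."""
import re
from dataclasses import dataclass
from typing import List

# One table row: instance, port name, role, state, protection (header lines do not match).
ROW = re.compile(
    r"^\s*(\d+)\s+(\S+)\s+(ROOT|DESI|ALTE|BACK|MAST|DISA)\s+(\S+)\s+(\S+)\s*$")


@dataclass
class StpPort:
    instance: int
    name: str
    role: str
    state: str
    protection: str


def parse_brief(text: str) -> List[StpPort]:
    """Parse the rows of 'display stp [interface ...] brief'."""
    ports = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            ports.append(StpPort(int(m.group(1)), m.group(2), m.group(3),
                                 m.group(4), m.group(5).upper()))
    return ports


def audit(ports: List[StpPort], is_root_bridge: bool = False) -> List[str]:
    """Return one finding per port/instance whose role lacks the matching protection."""
    findings = []
    for p in ports:
        # Root and alternate ports are where loop protection belongs.
        if p.role in ("ROOT", "ALTE") and "LOOP" not in p.protection:
            findings.append(f"{p.name} MSTI{p.instance}: {p.role} port without "
                            "loop protection (configure stp loop-protection)")
        # On the root bridge every designated port should refuse superior BPDUs.
        if is_root_bridge and p.role == "DESI" and "ROOT" not in p.protection:
            findings.append(f"{p.name} MSTI{p.instance}: designated port on the root "
                            "bridge without root protection (configure stp root-protection)")
    return findings


# Copied from the SwitchB output above: a non-root switch with no protection configured.
SWITCHB_BRIEF = """\
MSTID Port Role STP State Protection
0 GigabitEthernet0/0/2 ROOT FORWARDING NONE
0 GigabitEthernet0/0/1 DESI FORWARDING NONE
1 GigabitEthernet0/0/2 MAST FORWARDING NONE
1 GigabitEthernet0/0/1 ROOT FORWARDING NONE
"""

# Constructed: what SwitchA (CIST root, stp root-protection on both ports) is assumed to show.
ROOT_BRIDGE_BRIEF = """\
MSTID Port Role STP State Protection
0 GigabitEthernet0/0/1 DESI FORWARDING ROOT
0 GigabitEthernet0/0/2 DESI FORWARDING ROOT
1 GigabitEthernet0/0/1 DESI FORWARDING ROOT
1 GigabitEthernet0/0/2 DESI FORWARDING ROOT
"""

if __name__ == "__main__":
    for finding in audit(parse_brief(SWITCHB_BRIEF)):
        print("SwitchB:", finding)
    print("SwitchA findings:", audit(parse_brief(ROOT_BRIDGE_BRIEF), is_root_bridge=True))
```

On the SwitchB output the script reports two findings (GigabitEthernet0/0/2 in MSTI0 and GigabitEthernet0/0/1 in MSTI1, both root ports with Protection NONE), which matches the example, where loop protection is configured nowhere. The SwitchA table shows what a clean root bridge looks like with stp root-protection on both designated ports.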
Configuration Files
● Configuration file of SwitchA
#
sysname SwitchA
#
vlan batch 2 to 20
#
stp instance 0 priority 0
stp instance 1 priority 0
stp pathcost-standard legacy
stp enable
stp region-configuration
region-name RG1
instance 1 vlan 1 to 10
active region-configuration
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 2 to 20
stp root-protection
bpdu enable
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 2 to 20
stp root-protection
bpdu enable
#
return
● Configuration file of SwitchB
#
sysname SwitchB
#
vlan batch 2 to 20
#
stp instance 0 priority 4096
stp pathcost-standard legacy
stp enable
stp region-configuration
region-name RG2
instance 1 vlan 1 to 10
active region-configuration
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 2 to 20
bpdu enable
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 2 to 20
bpdu enable
#
return
● Configuration file of SwitchC
#
sysname SwitchC
#
vlan batch 2 to 20
#
stp bpdu-protection
stp pathcost-standard legacy
stp enable
stp region-configuration
region-name RG1
instance 1 vlan 1 to 10
active region-configuration
#
interface GigabitEthernet0/0/1
port hybrid pvid vlan 20
port hybrid untagged vlan 20
stp edged-port enable
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 2 to 20
bpdu enable
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk allow-pass vlan 2 to 20
bpdu enable
#
return
● Configuration file of SwitchD
#
sysname SwitchD
#
vlan batch 2 to 20
#
stp instance 1 priority 0
stp bpdu-protection
stp pathcost-standard legacy
stp enable
stp region-configuration
region-name RG2
instance 1 vlan 1 to 10
active region-configuration
#
interface GigabitEthernet0/0/1
Applicable Environment
To run IP services on a VLANIF interface, you need to assign an IP address to the VLANIF interface. Each VLANIF interface of the CX91x series can be assigned multiple IP addresses, one of which is the primary IP address and the others secondary IP addresses.
Generally, only one IP address, the primary IP address, is required for a VLANIF interface. In special cases, secondary IP addresses need to be set for the VLANIF interface. For example, the CX91x series is connected through a VLANIF interface to a physical network whose hosts belong to two Class C networks. In this case, you need to set a primary IP address and a secondary IP address on the VLANIF interface of the CX91x series. The CX91x series can then communicate with all the hosts on the physical network.
Pre-configuration Tasks
Before setting an IP address for a VLANIF interface, complete the following tasks:
● Connecting interfaces and setting the physical parameters of each interface to
make the physical layer in Up state
● Setting parameters of the link layer protocol for interfaces and ensuring that
the status of the link layer protocol on the interfaces is Up
● Configuring the corresponding VLAN
Data Preparation
To set an IP address for a VLANIF interface, you need the following data.
No. Data
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
interface vlanif vlan-id
The VLANIF interface view is displayed.
Step 3 Run:
ip address ip-address { mask | mask-length } [ sub ]
An IP address is assigned to the VLANIF interface. Specify sub to add a secondary IP address. The primary IP address must be configured before any secondary IP address, and the addresses on one interface cannot belong to the same network segment.
----End
Procedure
Step 1 Run:
system-view
----End
Procedure
Step 1 Run the display interface [ interface-type interface-number ] command to view
the interface.
Step 2 Run the display ip interface brief [ interface-type [ interface-number ] ]
command to view brief information about IP addresses on the interface.
----End
Networking Requirements
As shown in Figure 3-1, GigabitEthernet0/0/1 of the Switch is connected to a LAN,
in which hosts belong to two different network segments, that is 172.16.1.0/24
and 172.16.2.0/24. It is required that the Switch can access the two network
segments but the hosts in 172.16.1.0/24 cannot interconnect with the hosts in
172.16.2.0/24.
Configuration Roadmap
The configuration roadmap of the primary and secondary IP addresses is as follows:
1. Create VLAN 100 and add GigabitEthernet0/0/1 to it.
2. Assign 172.16.1.1/24 to VLANIF 100 as the primary IP address and 172.16.2.1/24 as a secondary IP address.
NOTE
The primary and secondary IP addresses of the same interface, or different secondary IP addresses of the same interface, cannot be in the same network segment.
Assigning both addresses to one VLANIF interface does not by itself isolate the two segments from each other: the Switch holds a direct route to both, so hosts that use the Switch as their gateway can reach the other segment through it unless that traffic is filtered. If the isolation requirement above must be enforced, do so separately, for example with an ACL-based traffic policy.
Data Preparation
To complete the configuration, you need the following data.
Procedure
Step 1 Set the IP addresses for VLANIF 100, to which GigabitEthernet0/0/1 of the Switch belongs.
<Base> system-view
[Base] vlan 100
[Base-Vlan100] quit
[Base] interface gigabitethernet 0/0/1
[Base-GigabitEthernet0/0/1] port hybrid pvid vlan 100
[Base-GigabitEthernet0/0/1] port hybrid untagged vlan 100
[Base-GigabitEthernet0/0/1] quit
[Base] interface vlanif 100
[Base-Vlanif100] ip address 172.16.1.1 24
[Base-Vlanif100] ip address 172.16.2.1 24 sub
[Base-Vlanif100] quit
[Base] quit
Step 2 Verify the configuration.
# Ping a host on network segment 172.16.1.0 from the Switch. The ping succeeds.
<Base> ping 172.16.1.2
PING 172.16.1.2: 56 data bytes, press CTRL_C to break
Reply from 172.16.1.2: bytes=56 Sequence=1 ttl=128 time=25 ms
Reply from 172.16.1.2: bytes=56 Sequence=2 ttl=128 time=27 ms
Reply from 172.16.1.2: bytes=56 Sequence=3 ttl=128 time=26 ms
Reply from 172.16.1.2: bytes=56 Sequence=4 ttl=128 time=26 ms
Reply from 172.16.1.2: bytes=56 Sequence=5 ttl=128 time=26 ms
--- 172.16.1.2 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 25/26/27 ms
# Ping a host on network segment 172.16.2.0 from the Switch. The ping succeeds.
<Base> ping 172.16.2.2
PING 172.16.2.2: 56 data bytes, press CTRL_C to break
Reply from 172.16.2.2: bytes=56 Sequence=1 ttl=128 time=25 ms
Reply from 172.16.2.2: bytes=56 Sequence=2 ttl=128 time=26 ms
Reply from 172.16.2.2: bytes=56 Sequence=3 ttl=128 time=26 ms
Reply from 172.16.2.2: bytes=56 Sequence=4 ttl=128 time=26 ms
Reply from 172.16.2.2: bytes=56 Sequence=5 ttl=128 time=26 ms
--- 172.16.2.2 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 25/25/26 ms
----End
Configuration Files
Configuration file of the Switch
#
sysname Base
#
vlan 100
#
interface Vlanif100
ip address 172.16.1.1 255.255.255.0
ip address 172.16.2.1 255.255.255.0 sub
#
interface GigabitEthernet0/0/1
port hybrid pvid vlan 100
port hybrid untagged vlan 100
#
return
4 Configuration Guide-QoS
Quality of service (QoS) is a measure of the service capability of a service provider. After QoS is configured, the system controls network traffic to avoid congestion and reduce packet loss while providing dedicated bandwidth for enterprises or differentiated services for traffic types such as voice, video, and data.
Priority Mapping
Packets carry different precedence fields on various networks. For example,
packets carry the 802.1p field on a VLAN network, the DSCP field on an IP
network. When packets pass through different networks, the mapping of the
precedence fields of packets must be configured on the device connected to
different networks. When the CX91x series is connected to different networks, the
precedence fields in the packets entering the CX91x series are all mapped to
internal priorities. The internal priorities are identified by class of service (CoS) and
colors defined in the DiffServ model.
The CX91x series sends the packets to different interface queues according to the
internal priority, and then traffic shaping, and queue scheduling are performed for
the queues. Table 4-1 shows the mapping of internal priorities and queues.
Table 4-1 Mapping between internal priorities (CoS) and queues
CoS    Queue
BE     0
AF1    1
AF2    2
AF3    3
AF4    4
EF     5
CS6    6
CS7    7
NOTE
The color is used to determine whether the packets are discarded, and is independent of
the mapping of internal priorities and queues.
Traffic Behavior
Complex traffic classification is used to provide differentiated services. Traffic
classification takes effect only when it is associated with traffic control or resource
allocation actions.
The CX91x series supports the combinations of the following traffic actions:
● Deny/Permit
This traffic control action is the simplest. The CX91x series controls network
traffic by forwarding or discarding packets.
● Re-marking
This traffic control action is used to set the precedence field in a packet.
Packets carry different precedence fields on various networks. For example,
packets carry the 802.1p field on a VLAN network, the DSCP field on an IP
network. Therefore, the CX91x series is required to mark the precedence fields
of packets according to the network type.
Generally, a device at the border of a network needs to mark the precedence
fields of incoming packets. The device at the core of a network provides
corresponding QoS services according to the precedence fields marked by the
Traffic Policy
A traffic policy is a QoS policy in which traffic classifiers are bound to traffic
behaviors. You can bind a specified traffic classifier to a traffic behavior through
the traffic policy to better perform QoS.
Applicable Environment
At the ingress of a network, the CX91x series functions as a border node. To limit
the incoming traffic on a network, the CX91x series can provide differentiated
services for various services according to the DSCP field, protocol type, IP address,
port number and time range of packets. In this case, you need to create a traffic
policy based on complex traffic classification.
Generally, complex traffic classification is configured on a border node, and simple
traffic classification is configured on a core node.
Pre-configuration Tasks
Before creating a traffic policy based on complex traffic classification, complete
the following tasks:
● Configuring the physical parameters of interfaces.
● Setting link layer attributes of interfaces.
● Configuring routing protocols to ensure the connectivity of the network.
● Configuring ACLs if ACLs are used as matching rules for traffic classification.
Data Preparation
To create a traffic policy based on complex traffic classification, you need the
following data.
No. Data
1 Name of the traffic classifier and matching rules of the traffic classifier
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
traffic classifier classifier-name [ operator { and | or } ]
A traffic classifier based on Layer 2 information is created and the traffic classifier view is displayed.
By default, the relationship between rules in a traffic classifier is and.
Step 3 Run the following command as required.
● To define matching rules based on the 802.1p priority of packets in a VLAN, run:
if-match 8021p { 8021p-value } &<1-8>
● To define matching rules based on the protocol field in the Ethernet frame header, run:
if-match l2-protocol { arp | ip | mpls | rarp | protocol-value }
NOTE
When if-match any and other rules are configured in a traffic classifier, packets match only if-match any.
----End
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
traffic classifier classifier-name [ operator { and | or } ]
A traffic classifier based on Layer 3 information is created and the traffic classifier view is displayed.
By default, the relationship between rules in a traffic classifier is and.
Step 3 Run the following command as required.
● To define matching rules based on the DSCP priority of IP packets, run:
if-match dscp { dscp-name | dscp-value } &<1-8>
NOTE
In a traffic classifier where the relationship between rules is AND, the if-match dscp and if-match ip-precedence commands cannot be used simultaneously.
----End
Context
The CX91x series can use ACLs to classify packets according to the IP 5-tuple. The CX91x series supports basic ACLs (numbered 2000 to 2999), advanced ACLs (3000 to 3999), and Layer 2 ACLs (4000 to 4999).
● Basic ACLs classify packets based on the source IP address and time range.
● Advanced ACLs classify packets based on the source IP address, destination IP address, source port number, destination port number, fragmentation flag, time range, and protocol type.
● Layer 2 ACLs classify packets based on the source MAC address and destination MAC address.
Create a traffic classifier based on an ACL as required. The ACL only selects packets; the action taken on them is defined by the traffic behavior bound to the classifier, so a permit rule in an ACL used for classification does not by itself allow any traffic through.
Procedure
● Creating a traffic classifier based on a basic ACL
a. Run:
system-view
The system view is displayed.
b. Run:
acl acl-number
A basic ACL is created and the ACL view is displayed. Define the matching rules with the rule command, then run quit to return to the system view.
c. Run:
traffic classifier classifier-name [ operator { and | or } ]
if-match acl acl-number
A traffic classifier is created and the ACL is referenced as its matching rule.
d. Run:
quit
● Creating a traffic classifier based on an advanced ACL or a Layer 2 ACL
The steps are the same as for a basic ACL, with an advanced ACL (for example, ACLs 3001 and 3002 in the redirection example below) or a Layer 2 ACL (for example, ACL 4000 in the traffic statistics example below) referenced by if-match acl.
----End
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
traffic behavior behavior-name
A traffic behavior is created and the traffic behavior view is displayed.
Step 3 Run the deny or permit command.
The packets matching the traffic classifier are discarded or permitted.
NOTE
● If the deny action is configured, the packets matching a traffic classifier are discarded. In this case, you cannot configure other actions except the traffic statistics action.
● If the permit action is configured, the packets matching a traffic classifier are processed by the other actions in the traffic behavior in order.
----End
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
traffic behavior behavior-name
A traffic behavior is created and the traffic behavior view is displayed.
Step 3 Run one or more of the following commands as required.
● Run:
remark 8021p 8021p-value
The 802.1p priority of the packets matching the traffic behavior is re-marked.
● Run:
remark vlan-id vlan-id
The VLAN ID in the outer VLAN tag of the packets matching the traffic behavior is re-marked.
● Run:
remark dscp { dscp-name | dscp-value }
The DSCP priority of the packets matching the traffic behavior is re-marked.
● Run:
remark local-precedence { local-precedence-name | local-precedence-value }
The local priority of the packets matching the traffic behavior is re-marked.
NOTICE
In a traffic behavior, the remark 8021p command and the remark local-precedence command cannot be used together.
----End
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
traffic behavior behavior-name
A traffic behavior is created and the traffic behavior view is displayed.
Step 3 Run:
car cir cir-value [ pir pir-value ] [ cbs cbs-value pbs pbs-value ]
Traffic policing (committed access rate, CAR) is configured for the packets matching the traffic behavior. CIR and PIR are rates in kbit/s; CBS and PBS are burst sizes in bytes. Optional keywords select the coloring mode and the action taken on green, yellow, and red packets; see the data preparation table in 4.2 Traffic Policing and Traffic Shaping Configuration.
NOTE
For details on traffic policing and CAR, see 4.2.1.1 Traffic Policing in 4.2 Traffic Policing and Traffic Shaping Configuration.
----End
Procedure
Step 1 Run:
system-view
Step 2 Run:
traffic behavior behavior-name
Step 3 Run:
mirroring to observe-port index
All the flows that match a traffic classifier are mirrored to an observing interface.
NOTE
For details about flow mirroring, see section Configuration Guide-Device Management in
the CX91x Series Switch Modules V100R001C00 Configuration Guide.
----End
Procedure
Step 1 Run:
system-view
Step 2 Run:
traffic behavior behavior-name
Step 3 Run:
statistic enable
NOTE
To collect the flow-based statistics, you must enable the traffic statistics function in a traffic
behavior.
----End
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
traffic policy policy-name
A traffic policy is created and the traffic policy view is displayed.
Step 3 Run:
classifier classifier-name behavior behavior-name
A traffic behavior is bound to a traffic classifier in the traffic policy. Repeat this step for each classifier-behavior pair.
----End
Context
A traffic policy takes effect only after it is applied. You can apply the traffic policy globally (to the system) or to an interface on the CX91x series.
● Applying a traffic policy globally
After the traffic policy is applied, the system performs the bound traffic behaviors on all packets that match a traffic classifier in the inbound or outbound direction.
● Applying a traffic policy on an interface
After the traffic policy is applied, the system performs the bound traffic behaviors on all packets that pass through this interface and match a traffic classifier in the inbound or outbound direction.
Do as follows on the CX91x series on which the traffic policy based on complex traffic classification has been created.
Procedure
● Applying a traffic policy globally
a. Run:
system-view
The system view is displayed.
b. Run:
traffic-policy policy-name global { inbound | outbound }
The traffic policy is applied to the system in the specified direction.
● Applying a traffic policy to an interface
a. Run:
system-view
The system view is displayed.
b. Run:
interface interface-type interface-number [.subnumber ]
The interface view is displayed.
c. Run:
traffic-policy policy-name { inbound | outbound }
The traffic policy is applied to the interface in the specified direction.
You can apply only one traffic policy in the inbound or outbound direction on each interface, but the same traffic policy can be applied to the inbound and outbound directions of different interfaces simultaneously.
NOTE
Do not apply a traffic policy that re-marks the 802.1p priority or the VLAN ID of packets in the outbound direction of an untagged interface; otherwise, the information carried in the packets may be incorrect.
----End
Prerequisites
The configurations of the traffic policy based on complex traffic classification are complete.
Procedure
Step 1 Run the display acl { acl-number | all } command to check the ACL rules.
Step 2 Run the display traffic classifier user-defined [ classifier-name ] command to check the configuration of the traffic classifiers.
Step 3 Run the display traffic behavior user-defined [ behavior-name ] command to check the configuration of the traffic behaviors.
Step 4 Run the display traffic policy user-defined [ policy-name [ classifier classifier-name ] ] command to check the configuration of the traffic policy.
----End
Prerequisite
To view the flow-based traffic statistics, a traffic policy must exist and contain the
traffic statistics action.
Procedure
Run the display traffic policy statistics { global | interface interface-type
interface-number } { inbound | outbound } command to check the flow-based
traffic statistics.
Procedure
NOTICE
The flow-based traffic statistics cannot be restored after you clear them. So,
confirm the action before you use the command.
Run the reset traffic policy statistics { global | interface interface-type interface-
number } { inbound | outbound } command to clear the flow-based traffic
statistics.
Networking Requirements
The Switch is connected to the router through GigabitEthernet0/0/3; enterprise
and individual users can access the network through the Switch and router. See
Figure 4-1.
Data services of enterprise and individual users come from VLANs 100 and 200
respectively. Enterprise users require better QoS guarantee; therefore, the priority
of data packets from enterprise users is mapped to 4 and the priority of data
packets from individual users is mapped to 2. In this manner, differentiated
services are provided.
Figure 4-1 Networking diagram for re-marking the priorities based on complex
traffic classification
Configuration Roadmap
The configuration roadmap is as follows:
1. Create VLANs and configure interfaces so that enterprise and individual users
can access the network through the Switch.
2. Create traffic classifiers based on the VLAN ID on the Switch.
3. Create traffic behaviors on the Switch and re-mark 802.1p priorities of
packets.
4. Create a traffic policy on the Switch, bind traffic behaviors to traffic classifiers
in the traffic policy, and apply the traffic policy to the interface at the
outbound direction.
Data Preparation
To complete the configuration, you need the following data:
● Re-marked priorities of packets with different VLAN IDs
● Type, direction, and number of the interface that a traffic policy needs to be
applied to
Procedure
Step 1 Create VLANs and configure interfaces.
# Create VLANs 100 and 200 on the Switch, and allow interface GigabitEthernet0/0/1 to forward packets from VLAN 100, interface GigabitEthernet0/0/2 to forward packets from VLAN 200, and interface GigabitEthernet0/0/3 to forward packets from VLANs 100 and 200.
<Switch> system-view
[Switch] vlan batch 100 200
[Switch] interface gigabitethernet 0/0/1
[Switch-GigabitEthernet0/0/1] port link-type trunk
[Switch-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[Switch-GigabitEthernet0/0/1] quit
[Switch] interface gigabitethernet 0/0/2
[Switch-GigabitEthernet0/0/2] port link-type trunk
[Switch-GigabitEthernet0/0/2] port trunk allow-pass vlan 200
[Switch-GigabitEthernet0/0/2] quit
[Switch] interface gigabitethernet 0/0/3
[Switch-GigabitEthernet0/0/3] port link-type trunk
[Switch-GigabitEthernet0/0/3] port trunk allow-pass vlan 100 200
[Switch-GigabitEthernet0/0/3] quit
Step 2 Create traffic classifiers.
# Create traffic classifiers c1 and c2 on the Switch to match packets from VLAN 100 and VLAN 200 respectively.
[Switch] traffic classifier c1 operator and
[Switch-classifier-c1] if-match vlan-id 100
[Switch-classifier-c1] quit
[Switch] traffic classifier c2 operator and
[Switch-classifier-c2] if-match vlan-id 200
[Switch-classifier-c2] quit
Step 3 Create traffic behaviors.
# Create traffic behaviors b1 and b2 on the Switch to re-mark the 802.1p priority of matching packets to 4 (enterprise users) and 2 (individual users) respectively.
[Switch] traffic behavior b1
[Switch-behavior-b1] remark 8021p 4
[Switch-behavior-b1] quit
[Switch] traffic behavior b2
[Switch-behavior-b2] remark 8021p 2
[Switch-behavior-b2] quit
Step 4 Create a traffic policy and apply it to an interface.
# Create traffic policy p1 on the Switch, bind the traffic classifiers to the traffic behaviors, and apply the policy to GigabitEthernet0/0/3 in the outbound direction.
[Switch] traffic policy p1
[Switch-trafficpolicy-p1] classifier c1 behavior b1
[Switch-trafficpolicy-p1] classifier c2 behavior b2
[Switch-trafficpolicy-p1] quit
[Switch] interface gigabitethernet 0/0/3
[Switch-GigabitEthernet0/0/3] traffic-policy p1 outbound
[Switch-GigabitEthernet0/0/3] quit
Step 5 Verify the configuration.
# Check the configuration of the traffic classifier. The output for c1 is as follows:
[Switch] display traffic classifier user-defined c1
 Classifier: c1
  Operator: AND
  Rule(s) : if-match vlan-id 100
----End
Configuration Files
● Configuration file of the Switch
#
vlan batch 100 200
#
traffic classifier c2 operator and
if-match vlan-id 200
traffic classifier c1 operator and
if-match vlan-id 100
#
traffic behavior b2
remark 8021p 2
traffic behavior b1
remark 8021p 4
#
traffic policy p1
classifier c1 behavior b1
classifier c2 behavior b2
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 200
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk allow-pass vlan 100 200
traffic-policy p1 outbound
#
return
Networking Requirements
The Layer 2 switch of a company is connected to the ISP device through the Switch over two links, link A and link B. The company requires that link B carry only the packets with IP precedence 4, 5, 6, and 7 and that link A carry the packets with lower precedence to the ISP. See Figure 4-2.
Figure 4-2 Networking diagram for redirecting packets based on complex traffic
classification
Configuration Roadmap
The configuration roadmap is as follows:
1. Create VLANs and configure interfaces so that the Switch can ping the ISP
device.
2. Create ACL rules to match the packets with priorities as 4, 5, 6, and 7 and
priorities as 0, 1, 2, and 3.
3. Create traffic classifiers to match the preceding ACL rules.
4. Create traffic behaviors to redirect matching packets to GigabitEthernet0/0/2
and GigabitEthernet0/0/1.
5. Create a traffic policy, bind traffic classifiers to traffic behaviors in the traffic
policy, and apply the traffic policy to an interface.
Data Preparation
To complete the configuration, you need the following data:
● Add all of GigabitEthernet0/0/3, GigabitEthernet0/0/2, and
GigabitEthernet0/0/1 to VLAN 20 and VLAN 30
Procedure
Step 1 Create VLANs and configure interfaces.
# Create VLANs 20 and 30, and add GigabitEthernet0/0/1, GigabitEthernet0/0/2, and GigabitEthernet0/0/3 to them as trunk interfaces.
<Switch> system-view
[Switch] vlan batch 20 30
[Switch] interface gigabitethernet 0/0/1
[Switch-GigabitEthernet0/0/1] port link-type trunk
[Switch-GigabitEthernet0/0/1] port trunk allow-pass vlan 20 30
[Switch-GigabitEthernet0/0/1] quit
[Switch] interface gigabitethernet 0/0/2
[Switch-GigabitEthernet0/0/2] port link-type trunk
[Switch-GigabitEthernet0/0/2] port trunk allow-pass vlan 20 30
[Switch-GigabitEthernet0/0/2] quit
[Switch] interface gigabitethernet 0/0/3
[Switch-GigabitEthernet0/0/3] port link-type trunk
[Switch-GigabitEthernet0/0/3] port trunk allow-pass vlan 20 30
[Switch-GigabitEthernet0/0/3] quit
Step 2 Create ACLs.
# Create advanced ACL 3001 to match TCP packets with IP precedence 0 to 3 (routine, priority, immediate, flash) and advanced ACL 3002 to match TCP packets with IP precedence 4 to 7 (flash-override, critical, internet, network).
[Switch] acl 3001
[Switch-acl-adv-3001] rule permit tcp precedence routine
[Switch-acl-adv-3001] rule permit tcp precedence priority
[Switch-acl-adv-3001] rule permit tcp precedence immediate
[Switch-acl-adv-3001] rule permit tcp precedence flash
[Switch-acl-adv-3001] quit
[Switch] acl 3002
[Switch-acl-adv-3002] rule permit tcp precedence flash-override
[Switch-acl-adv-3002] rule permit tcp precedence critical
[Switch-acl-adv-3002] rule permit tcp precedence internet
[Switch-acl-adv-3002] rule permit tcp precedence network
[Switch-acl-adv-3002] quit
NOTE
The rules match TCP packets only, as in the configuration file. Packets of other protocols (UDP, ICMP) match neither ACL, are not redirected, and are forwarded normally. Extend the rules if the requirement covers all IP traffic.
Step 3 Create traffic classifiers.
# Create traffic classifiers c1 and c2 on the Switch to match ACLs 3001 and 3002 respectively.
[Switch] traffic classifier c1 operator and
[Switch-classifier-c1] if-match acl 3001
[Switch-classifier-c1] quit
[Switch] traffic classifier c2 operator and
[Switch-classifier-c2] if-match acl 3002
[Switch-classifier-c2] quit
Step 4 Create traffic behaviors.
# Create traffic behaviors b1 and b2 on the Switch to redirect matching packets to GigabitEthernet0/0/2 (precedence 0 to 3) and GigabitEthernet0/0/1 (precedence 4 to 7) respectively.
[Switch] traffic behavior b1
[Switch-behavior-b1] redirect interface gigabitethernet 0/0/2
[Switch-behavior-b1] quit
[Switch] traffic behavior b2
[Switch-behavior-b2] redirect interface gigabitethernet 0/0/1
[Switch-behavior-b2] quit
Step 5 Create a traffic policy and apply it to an interface.
# Create traffic policy p1 on the Switch and bind traffic classifiers to traffic behaviors in the traffic policy.
[Switch] traffic policy p1
[Switch-trafficpolicy-p1] classifier c1 behavior b1
[Switch-trafficpolicy-p1] classifier c2 behavior b2
[Switch-trafficpolicy-p1] quit
# Apply traffic policy p1 to GigabitEthernet0/0/3, which connects to the Layer 2 switch, in the inbound direction.
[Switch] interface gigabitethernet 0/0/3
[Switch-GigabitEthernet0/0/3] traffic-policy p1 inbound
[Switch-GigabitEthernet0/0/3] quit
Step 6 Verify the configuration.
# Check the traffic policy. The output lists each classifier with its redirection:
[Switch] display traffic policy user-defined p1
 Classifier: c1
  Operator: AND
  Rule(s) : if-match acl 3001
  Redirect:
   Redirect interface GigabitEthernet 0/0/2
 Classifier: c2
  Operator: AND
  Rule(s) : if-match acl 3002
  Redirect:
   Redirect interface GigabitEthernet 0/0/1
----End
Configuration Files
● Configuration file of the Switch
#
vlan batch 20 30
#
acl number 3001
rule 5 permit tcp precedence routine
rule 10 permit tcp precedence priority
rule 15 permit tcp precedence immediate
rule 20 permit tcp precedence flash
#
acl number 3002
rule 5 permit tcp precedence flash-override
rule 10 permit tcp precedence critical
rule 15 permit tcp precedence internet
rule 20 permit tcp precedence network
#
traffic classifier c2 operator and
if-match acl 3002
traffic classifier c1 operator and
if-match acl 3001
#
traffic behavior b2
redirect interface GigabitEthernet 0/0/1
traffic behavior b1
redirect interface GigabitEthernet 0/0/2
#
traffic policy p1
classifier c1 behavior b1
classifier c2 behavior b2
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 20 30
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 20 30
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk allow-pass vlan 20 30
traffic-policy p1 inbound
#
return
Networking Requirements
PC1 with the MAC address as 0000-0000-0003 is connected to other devices
through GigabitEthernet0/0/1 on the Switch. It is required that the Switch should
take the statistics on the packets with the source MAC address as
0000-0000-0003. See Figure 4-3.
Figure 4-3 Networking diagram for configuring traffic statistics based on complex
traffic classification
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure interfaces so that the Switch is connected to PC1 and the router.
2. Create an ACL to match the packets with the source MAC address as
0000-0000-0003.
3. Create a traffic classifier to match the ACL.
4. Create a traffic behavior to take the statistics on the matching packets.
5. Create a traffic policy, bind the traffic classifier to the traffic behavior in the
traffic policy, and apply the traffic policy to GigabitEthernet0/0/1 in the
inbound direction.
Data Preparation
To complete the configuration, you need the following data:
● VLAN 20
● ACL 4000
● Traffic classifier c1
● Traffic behavior b1
● Traffic policy p1
Procedure
Step 1 Create a VLAN and configure interfaces.
# Create VLAN 20.
<Switch> system-view
[Switch] vlan 20
[Switch-vlan20] quit
# Add GigabitEthernet0/0/1, which connects to PC1, to VLAN 20 as an access interface, and configure GigabitEthernet0/0/2, which connects to the router, as a trunk interface that allows VLAN 20.
[Switch] interface gigabitethernet 0/0/1
[Switch-GigabitEthernet0/0/1] port link-type access
[Switch-GigabitEthernet0/0/1] port default vlan 20
[Switch-GigabitEthernet0/0/1] quit
[Switch] interface gigabitethernet 0/0/2
[Switch-GigabitEthernet0/0/2] port link-type trunk
[Switch-GigabitEthernet0/0/2] port trunk allow-pass vlan 20
[Switch-GigabitEthernet0/0/2] quit
# Assign 20.20.20.1/24 to VLANIF 20.
[Switch] interface vlanif 20
[Switch-Vlanif20] ip address 20.20.20.1 24
[Switch-Vlanif20] quit
NOTE
Assign network segment address 20.20.20.2/24 to the interface connecting the router and the Switch. The details are not mentioned here.
Step 2 Create an ACL.
# Create Layer 2 ACL 4000 on the Switch to match the packets with the source MAC address 0000-0000-0003.
[Switch] acl 4000
[Switch-acl-L2-4000] rule permit source-mac 0000-0000-0003 ffff-ffff-ffff
[Switch-acl-L2-4000] quit
Step 3 Create a traffic classifier.
# Create traffic classifier c1 on the Switch with ACL 4000 as the matching rule.
[Switch] traffic classifier c1
[Switch-classifier-c1] if-match acl 4000
[Switch-classifier-c1] quit
Step 4 Create a traffic behavior.
# Create traffic behavior b1 on the Switch and configure the traffic statistics action.
[Switch] traffic behavior b1
[Switch-behavior-b1] statistic enable
[Switch-behavior-b1] quit
Step 5 Create a traffic policy and apply it to an interface.
# Create traffic policy p1 on the Switch and bind the traffic classifier to the traffic behavior in the traffic policy.
[Switch] traffic policy p1
[Switch-trafficpolicy-p1] classifier c1 behavior b1
[Switch-trafficpolicy-p1] quit
# Apply traffic policy p1 to GigabitEthernet0/0/1 in the inbound direction.
[Switch] interface gigabitethernet 0/0/1
[Switch-GigabitEthernet0/0/1] traffic-policy p1 inbound
[Switch-GigabitEthernet0/0/1] quit
Step 6 Verify the configuration.
# Check the configuration of the traffic classifier.
[Switch] display traffic classifier user-defined c1
 Classifier: c1
  Operator: AND
  Rule(s) : if-match acl 4000
# After PC1 has sent traffic, run the display traffic policy statistics interface gigabitethernet 0/0/1 inbound command to view the flow-based statistics.
----End
Configuration Files
● Configuration file of the Switch
#
vlan 20
#
acl number 4000
rule 5 permit source-mac 0000-0000-0003
#
traffic classifier c1 operator and
if-match acl 4000
#
traffic behavior b1
statistic enable
#
traffic policy p1
classifier c1 behavior b1
#
interface Vlanif20
ip address 20.20.20.1 255.255.255.0
#
interface GigabitEthernet0/0/1
port link-type access
port default vlan 20
traffic-policy p1 inbound
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 20
#
return
Traffic policing is a traffic control action that limits traffic and resource usage by monitoring the rate of the traffic.
Traffic policing polices the volume of a certain type of traffic entering a network and keeps it within a proper range. It discards the excess traffic to protect network resources and the interests of carriers.
Traffic policing is widely used to police the volume of traffic entering an Internet service provider (ISP) network.
When measuring traffic with a token bucket, the CX91x series decides whether to forward a packet according to whether the token bucket holds enough tokens for it. If there are enough tokens, the traffic conforms to the allowed rate; otherwise, the traffic does not conform to or exceeds the allowed rate.
The CX91x series supports the single token bucket and dual token buckets.
Traffic shaping is a traffic control action used to limit traffic and resources by
monitoring the specification of the traffic. In traffic shaping, token buckets are
also used to measure the traffic.
The traffic shaping technology limits the rate of outgoing traffic, and mainly
controls the local outgoing traffic based on the traffic policing specification of a
downstream network node.
The delay may be increased just because the traffic shaping technology puts the
packets into a buffer or a queue. The traffic policing technology, however, does
not cause a delay.
NOTE
The device does not support traffic shaping based on a user-defined traffic policy.
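The following Python model is an added example, not code from the CX91x guide, and it models the two mechanisms described above: a dual token bucket that colors packets green, yellow or red against CIR/PIR with depths CBS/PBS (the two-rate three-color metering of RFC 2698, color-blind mode, which is how the guide's car cir ... pir ... cbs ... pbs ... green ... yellow ... red ... behavior is read here), a policer that applies the per-color actions and counts matched/passed/dropped packets, and a single-bucket shaper that queues excess packets instead of dropping them so that delay, not loss, is what grows. The kbit/s-to-bytes conversion and the default of CBS/PBS being one second of CIR/PIR in bytes are taken from the guide's configuration files (cir 10000 pairs with cbs 1250000); the packet sizes, timestamps and the deliberately small CBS/PBS in the sample are constructed.

```python
"""Token-bucket models of traffic policing (CAR) and traffic shaping.

Added example, not code from the CX91x guide. Dual-bucket metering follows
RFC 2698 (trTCM, color-blind). Sample packets and the small CBS/PBS values
used to make all three colors appear are constructed for illustration.
"""


class TwoRateMeter:
    """Dual token bucket: C bucket filled at CIR (depth CBS), P bucket at PIR (depth PBS)."""

    BYTES_PER_KBPS_SECOND = 125  # 1 kbit/s = 1000 bit/s = 125 byte/s

    def __init__(self, cir_kbps, pir_kbps, cbs=None, pbs=None):
        if pir_kbps < cir_kbps:
            raise ValueError("PIR must be >= CIR")
        self.cir_bps = cir_kbps * self.BYTES_PER_KBPS_SECOND  # bytes per second
        self.pir_bps = pir_kbps * self.BYTES_PER_KBPS_SECOND
        # Default depth: one second of the rate, in bytes. The guide's config
        # files show exactly this (cir 10000 kbit/s -> cbs 1250000 bytes).
        self.cbs = cir_kbps * self.BYTES_PER_KBPS_SECOND if cbs is None else cbs
        self.pbs = pir_kbps * self.BYTES_PER_KBPS_SECOND if pbs is None else pbs
        self.tc = self.cbs  # both buckets start full
        self.tp = self.pbs
        self.last = 0.0

    def _refill(self, now):
        elapsed = max(0.0, now - self.last)
        self.tc = min(self.cbs, self.tc + elapsed * self.cir_bps)
        self.tp = min(self.pbs, self.tp + elapsed * self.pir_bps)
        self.last = now

    def color(self, size, now):
        """Color one packet of `size` bytes arriving at time `now` (seconds)."""
        self._refill(now)
        if self.tp < size:  # exceeds PIR: red, consumes no tokens
            return "red"
        if self.tc < size:  # within PIR but over CIR: yellow
            self.tp -= size
            return "yellow"
        self.tc -= size  # conforms to CIR: green
        self.tp -= size
        return "green"


def police(packets, meter, actions=None):
    """Apply the per-color CAR actions (default: green/yellow pass, red discard)
    and return counters in the spirit of 'display traffic policy statistics'."""
    actions = actions or {"green": "pass", "yellow": "pass", "red": "discard"}
    stats = {"matched": 0, "passed": 0, "dropped": 0, "green": 0, "yellow": 0, "red": 0}
    for now, size in packets:
        color = meter.color(size, now)
        stats["matched"] += 1
        stats[color] += 1
        stats["passed" if actions[color] == "pass" else "dropped"] += 1
    return stats


def shape(packets, cir_kbps, cbs):
    """Single-bucket shaper: a packet that finds too few tokens waits in the
    queue until enough have accumulated, so nothing is dropped but delay grows.
    Returns the per-packet delay in seconds (packets must be sorted by arrival)."""
    rate = cir_kbps * TwoRateMeter.BYTES_PER_KBPS_SECOND
    tokens, clock, delays = cbs, 0.0, []
    for arrival, size in packets:
        now = max(arrival, clock)  # FIFO: nothing leaves before the previous packet
        tokens = min(cbs, tokens + (now - clock) * rate)
        if tokens < size:
            now += (size - tokens) / rate  # wait for the missing tokens
            tokens = size
        tokens -= size
        clock = now
        delays.append(now - arrival)
    return delays


# Constructed sample: a burst of six 1500-byte packets at t=0, then one more
# packet 1 ms later. CBS/PBS are kept small so that all three colors appear.
BURST = [(0.0, 1500)] * 6 + [(0.001, 1500)]

if __name__ == "__main__":
    meter = TwoRateMeter(cir_kbps=10000, pir_kbps=15000, cbs=3000, pbs=6000)
    print(police(BURST, meter))
    print([round(d * 1000, 3) for d in shape(BURST, cir_kbps=10000, cbs=3000)])
```

With the sample meter, the burst yields two green, two yellow and two red packets, and the packet arriving 1 ms later is yellow because in that millisecond the C bucket has only regained 1250 bytes while the P bucket has regained 1875. The shaper at the same CIR drops nothing but delays the third packet by 1.2 ms and each following packet by a further 1.2 ms, which is the delay-versus-loss trade-off the text describes.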
Applicable Environment
If user traffic is not limited, growing bursts of service data congest the network. To
make full use of network resources and provide better service to more users, you must
limit user service traffic.
Traffic policing based on a traffic classifier controls the service traffic of a
particular type.
Pre-configuration Tasks
Before configuring traffic policing based on a traffic classifier, complete the
following tasks:
Data Preparation
To configure traffic policing based on a traffic classifier, you need the following
data.
No. Data
2 Name of the traffic behavior and CAR parameters: CIR, (optional) PIR,
(optional) CBS, (optional) PBS, (optional) coloring mode, (optional)
color, and (optional) CoS.
3 Name of the traffic policy, and interface on which traffic policing based
on a traffic classifier is applied and inbound or outbound direction.
Procedure
Step 1 Run:
system-view
----End
Procedure
Step 1 Run:
system-view
Step 3 Run:
classifier classifier-name behavior behavior-name
----End
Context
A traffic policy takes effect only after it is applied. On the CX91x series, you can
apply a traffic policy globally or on an interface.
Procedure
● Applying a traffic policy globally
a. Run:
system-view
You can apply only one traffic policy in the inbound or outbound
direction in the system view.
● Applying a traffic policy on an interface
a. Run:
system-view
Prerequisites
The configurations of traffic policing based on a traffic classifier are complete.
Procedure
Step 1 Run the display traffic behavior user-defined [ behavior-name ] command to
check the configuration of the traffic behavior.
Step 2 Run the display traffic classifier user-defined [ classifier-name ] command to
check the configuration of the traffic classifier.
Step 3 Run the display traffic policy { interface [ interface-type interface-number ]
[ inbound | outbound ] | global [ inbound | outbound ] } command to check the
configuration of the traffic policy.
----End
Applicable Environment
If user service traffic is not limited, growing bursts of service data make the network
more congested. To make full use of network resources and provide better service to more
users, you must limit user service traffic. After interface-based traffic policing is
applied to an interface, the rate of all user service traffic entering that interface is
limited.
Pre-configuration Tasks
Before configuring a limit rate on the interface, complete the following tasks:
Data Preparation
To configure interface-based traffic policing, you need the following data.
Procedure
Step 1 Run:
system-view
----End
Prerequisite
The configurations of interface-based rate limit are complete.
Procedure
Run the display qos lr inbound interface interface-type interface-number
command to check the configuration of traffic policing based on an interface.
Applicable Environment
If the bandwidth of upstream and downstream networks is different, you can
configure traffic shaping on the outgoing interface connecting the upstream
network and downstream network. In this manner, the rate of packets sent to the
downstream network meets the requirements of the bandwidth of the
downstream network. This can prevent congestion and packet loss on the network
to a certain degree.
Pre-configuration Tasks
Before configuring traffic shaping, complete the following tasks:
Data Preparation
To configure traffic shaping, you need the following data.
Context
To perform traffic shaping for all the downstream packets on an interface,
perform this procedure.
To set the same traffic shaping rate on multiple interfaces, you can perform the
configuration on an interface group to reduce the workload. For details about creating an
interface group, see section Configuration Guide-Ethernet in the CX91x Series Switch
Modules V100R001C00 Configuration Guide.
Procedure
Step 1 Run:
system-view
Step 2 Run:
interface interface-type interface-number
NOTE
You need to create the interface group before performing this task. For details about
creating an interface group, see section Configuration Guide-Ethernet in the CX91x Series
Switch Modules V100R001C00 Configuration Guide.
Step 3 Run:
qos lr outbound cir cir-value [ cbs cbs-value ]
By default, the CIR for traffic shaping on an interface is the maximum bandwidth of the
interface. For example, the default CIR for traffic shaping on a GE interface is
1000000 kbit/s, and on a 10GE interface it is 10000000 kbit/s.
NOTE
● If this command is run repeatedly on the same interface, the latest configuration
overrides the previous configuration.
● If traffic shaping in an interface queue is also configured on the same interface, the
CIR for traffic shaping on the interface must be greater than or equal to the sum of the
CIRs for traffic shaping in the interface queues. Otherwise, traffic shaping does not
work as intended; for example, lower-priority traffic may preempt the bandwidth of
higher-priority traffic.
----End
Context
To perform traffic shaping for the packets of a certain type of services on an
interface, perform this procedure.
Before configuring traffic shaping in an interface queue, you need to re-mark the
internal priorities based on complex traffic classification. In this case, different
services can enter different interface queues. For details, see Creating a Traffic
Policy Based on Complex Traffic Classification.
If you need to set the same queue shaping rate on multiple interfaces, you can
perform the configuration on the interface group to reduce the workload.
Procedure
Step 1 Run:
system-view
Step 2 Run:
interface interface-type interface-number
Or run:
port-group port-group-name
NOTE
You need to create the interface group before performing this task. For details about
creating an interface group, see section Configuration Guide-Ethernet in the CX91x Series
Switch Modules V100R001C00 Configuration Guide.
Step 3 Run:
qos queue queue-index shaping cir cir-value pir pir-value [ cbs cbs-value pbs pbs-value ]
By default, the rate for traffic shaping in an interface queue is the maximum
bandwidth of the interface.
----End
Context
To view the flow-based traffic statistics, a traffic policy must exist and contain the
traffic statistics action.
Procedure
Step 1 Run the display traffic policy statistics { global | interface interface-type interface-number } { inbound | outbound } command to check the flow-based traffic statistics.
Step 2 Run the display qos lr { inbound | outbound } interface interface-type interface-number command to view the rate limit information on an interface of the CX91x series.
----End
Procedure
NOTICE
The statistics on traffic policing cannot be restored after you clear them. So,
confirm the action before you use the command.
Run the reset traffic policy statistics { global | interface interface-type interface-number } { inbound | outbound } command to clear the flow-based traffic statistics.
Networking Requirements
The Switch is connected to the router through GigabitEthernet0/0/3; enterprise and
individual users access the network through the Switch and router. See Table 4-2.
● The voice services of enterprise and individual users belong to VLANs 120 and
220.
● The video services of enterprise and individual users belong to VLANs 110 and
210.
● The data services of enterprise and individual users belong to VLANs 100 and
200.
On the Switch, packets of different services need to be policed, and the total
traffic of enterprise and individual users needs to be controlled in a proper range.
The DSCP priorities carried in service packets sent from the user side are unreliable
and services require different QoS in actual applications; therefore, you need to re-
mark DSCP priorities of different service packets on the Switch. In this manner, the
downstream router can process packets according to different priorities.
The requirements are as follows:

User               Service   CIR (Mbit/s)   PIR (Mbit/s)   Re-marked DSCP
Enterprise users   Voice     10             15             46 (EF)
                   Video     50             75             30 (AF33)
                   Data      40             60             14 (AF13)
Individual users   Voice     10             15             46 (EF)
                   Video     40             60             30 (AF33)
                   Data      30             45             14 (AF13)
Figure 4-6 Networking diagram for configuring traffic policing based on a traffic
classifier
Configuration Roadmap
The configuration roadmap is as follows:
1. Create VLANs and configure interfaces so that enterprise and individual users
can access the network through the Switch.
2. Create traffic classifiers based on the VLAN ID on the Switch.
3. Create traffic behaviors on the Switch to police the traffic received from the
user side and re-mark DSCP priorities of packets, and police the traffic sent to
the user side.
4. Create traffic policies on the Switch, bind traffic behaviors to traffic classifiers
in the traffic policies, and apply the traffic policies to the interfaces that
packets pass through.
Data Preparation
To complete the configuration, you need the following data:
● Re-marked priorities of packets with different VLAN IDs
● Parameters for packets with different VLAN IDs: CIR and PIR
● Type, direction, and number of the interface on which a traffic policy needs to
be applied
Procedure
Step 1 Create VLANs and configure interfaces.
# Create VLAN 100, VLAN 110, VLAN 120, VLAN 200, VLAN 210, VLAN 220, and
VLAN 300 on the Switch.
[Switch] vlan batch 100 110 120 200 210 220 300
# Create VLANIF 300 and set its network segment address to 10.10.10.1/24.
NOTE
# On the router, set the IP address of the interface connecting the router and Switch to
10.10.10.2/24.
# Check the configuration of the traffic classifiers.
[Switch] display traffic classifier user-defined
Classifier: c4
Precedence: 20
Operator: AND
Rule(s) : if-match 5 vlan-id 220
Classifier: c2
Precedence: 10
Operator: AND
Rule(s) : if-match 5 vlan-id 110
Classifier: c5
Precedence: 25
Operator: AND
Rule(s) : if-match 5 vlan-id 210
Classifier: c3
Precedence: 15
Operator: AND
Rule(s) : if-match 5 vlan-id 100
Classifier: c1
Precedence: 5
Operator: AND
Rule(s) : if-match 5 vlan-id 120
# Check the configuration of the traffic policy. Here, the configuration of traffic
policy p1 is displayed.
[Switch] display traffic policy user-defined p1
User Defined Traffic Policy Information:
Policy: p1
Classifier: c1
Operator: AND
Behavior: b1
Committed Access Rate:
CIR 10000 (Kbps), CBS 1250000 (Byte)
PIR 15000 (Kbps), PBS 1875000 (Byte)
Green Action : pass
Yellow Action : pass
Red Action : discard
Marking:
Remark DSCP ef
statistic: enable
Classifier: c2
Operator: AND
Behavior: b2
Committed Access Rate:
CIR 50000 (Kbps), CBS 6250000 (Byte)
PIR 75000 (Kbps), PBS 9375000 (Byte)
Green Action : pass
Yellow Action : pass
Red Action : discard
Marking:
Remark DSCP af33
statistic: enable
Classifier: c3
Operator: AND
Behavior: b3
Committed Access Rate:
CIR 40000 (Kbps), CBS 5000000 (Byte)
PIR 60000 (Kbps), PBS 7500000 (Byte)
Green Action : pass
Yellow Action : pass
Red Action : discard
Marking:
Remark DSCP af13
statistic: enable
Classifier: c4
Operator: AND
Behavior: b4
Committed Access Rate:
CIR 10000 (Kbps), CBS 1250000 (Byte)
PIR 15000 (Kbps), PBS 1875000 (Byte)
Green Action : pass
Yellow Action : pass
Red Action : discard
Marking:
Remark DSCP ef
statistic: enable
Classifier: c5
Operator: AND
Behavior: b5
Committed Access Rate:
CIR 40000 (Kbps), CBS 5000000 (Byte)
PIR 60000 (Kbps), PBS 7500000 (Byte)
Green Action : pass
Yellow Action : pass
Red Action : discard
Marking:
Remark DSCP af33
statistic: enable
Classifier: c6
Operator: AND
Behavior: b6
Committed Access Rate:
CIR 30000 (Kbps), CBS 3750000 (Byte)
PIR 45000 (Kbps), PBS 5625000 (Byte)
Green Action : pass
Yellow Action : pass
Red Action : discard
Marking:
Remark DSCP af13
statistic: enable
# Check the statistics of the traffic policy applied on an interface. Here, the
statistics of the traffic policy applied on GE 0/0/1 are displayed.
[Switch] display traffic policy statistics interface gigabitethernet 0/0/1 inbound
Interface: GigabitEthernet0/0/1
Traffic policy inbound: p1
Rule number: 1
Current status: OK!
Item Packets Bytes
---------------------------------------------------------------------
Matched 10 10000
+--Passed 8 8000
+--Dropped 2 2000
+--Filter 2 2000
+--URPF - -
+--CAR 2 2000
----End
Configuration Files
● Configuration file of the Switch
#
vlan batch 100 110 120 200 210 220 300
#
interface Vlanif300
ip address 10.10.10.1 255.255.255.0
#
traffic classifier c6 operator and
if-match 5 vlan-id 200
traffic classifier c4 operator and
if-match 5 vlan-id 220
traffic classifier c2 operator and
if-match 5 vlan-id 110
traffic classifier c5 operator and
if-match 5 vlan-id 210
traffic classifier c3 operator and
if-match 5 vlan-id 100
traffic classifier c1 operator and
if-match 5 vlan-id 120
#
traffic behavior b1
car cir 10000 pir 15000 cbs 1250000 pbs 1875000 green pass yellow pass red discard
remark dscp ef
statistic enable
traffic behavior b3
car cir 40000 pir 60000 cbs 5000000 pbs 7500000 green pass yellow pass red discard
remark dscp af13
statistic enable
traffic behavior b5
car cir 40000 pir 60000 cbs 5000000 pbs 7500000 green pass yellow pass red discard
remark dscp af33
statistic enable
traffic behavior b2
car cir 50000 pir 75000 cbs 6250000 pbs 9375000 green pass yellow pass red discard
remark dscp af33
statistic enable
traffic behavior b4
car cir 10000 pir 15000 cbs 1250000 pbs 1875000 green pass yellow pass red discard
remark dscp ef
statistic enable
traffic behavior b6
car cir 30000 pir 45000 cbs 3750000 pbs 5625000 green pass yellow pass red discard
remark dscp af13
statistic enable
#
traffic policy p1
classifier c1 behavior b1
classifier c2 behavior b2
classifier c3 behavior b3
classifier c4 behavior b4
classifier c5 behavior b5
classifier c6 behavior b6
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100 110 120
traffic-policy p1 inbound
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 200 210 220
traffic-policy p1 inbound
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk allow-pass vlan 100 110 120 200 210 220
#
return
Networking Requirements
As shown in Figure 4-7, the Switch is connected to the router through
GigabitEthernet0/0/3; the enterprise user and the residential user are connected to the
Switch through GigabitEthernet0/0/1 and GigabitEthernet0/0/2 respectively and access the
network through the Switch and router. The enterprise user requires 8 Mbit/s of
bandwidth and the residential user requires 5 Mbit/s.
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure interfaces of the Switch so that users can access the network.
2. Configure traffic policing on GigabitEthernet0/0/1 and GigabitEthernet0/0/2
of the Switch.
Data Preparation
To complete the configuration, you need the following data:
● Uplink interface address of the Switch: 192.168.1.1/24
● VLAN IDs of the enterprise user and the residential user: VLAN 100 and VLAN
200
● CIR and CBS of the enterprise user: 8000 kbit/s and 1000000 bytes
● CIR and CBS of the residential user: 5000 kbit/s and 625000 bytes
Procedure
Step 1 Create VLANs and configure interfaces of the Switch.
# Create VLANs 100, 200, and 300.
[Switch] vlan batch 100 200 300
# Create VLANIF 300 and set its network segment address to 192.168.1.1/24.
NOTE
# On the router, set the IP address of the interface connecting the router and Switch to
192.168.1.2/24.
----End
Configuration Files
● Configuration file of the Switch
#
vlan batch 100 200 300
#
interface Vlanif300
ip address 192.168.1.1 255.255.255.0
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100
qos lr inbound cir 8000 cbs 1000000
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 200
qos lr inbound cir 5000 cbs 625000
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk allow-pass vlan 100 200 300
#
return
Networking Requirements
The Switch is connected to the router through GigabitEthernet0/0/2; the 802.1p
priorities of voice, video, and data services from the Internet are 5, 4, and 1
respectively, and these services reach individual users through the router and Switch,
as shown in Figure 4-8. The rate of the traffic from the network side is greater than
the rate of the Switch interface toward the users; therefore, jitter may occur in the
outbound direction of GigabitEthernet0/0/1. To reduce the jitter and guarantee
bandwidth for each service, the requirements are as follows:

Traffic shaping on GigabitEthernet0/0/1 (interface): CIR 20000 kbit/s

Service   802.1p priority   Queue   CIR (kbit/s)   PIR (kbit/s)
Voice     5                 5       3000           5000
Video     4                 4       5000           8000
Data      1                 1       2000           3000
Configuration Roadmap
The configuration roadmap is as follows:
1. Create VLANs and configure each interface so that the residential user can
access the network through the Switch.
2. Configure interfaces to trust 802.1p priorities of packets.
3. Configure traffic shaping on an interface to limit the bandwidth of the
interface.
4. Configure traffic shaping in an interface queue to limit the CIRs of voice,
video, and data services.
Data Preparation
To complete the configuration, you need the following data:
● 802.1p priorities
● Rate for traffic shaping on an interface
● Rate for traffic shaping in each interface queue
Procedure
Step 1 Create VLANs and configure interfaces.
# Create VLAN 10.
[Switch] vlan 10
NOTE
Assign IP address 10.10.10.2/24 to the interface connecting the router and Switch.
# Configure traffic shaping on an interface of the Switch and set the CIR to 20000
kbit/s.
[Switch] interface gigabitethernet 0/0/1
[Switch-GigabitEthernet0/0/1] qos lr outbound cir 20000 cbs 2500000
[Switch-GigabitEthernet0/0/1] quit
# Configure traffic shaping in the interface queues on the Switch, and then set the
CIR and PIR of the voice service to 3000 kbit/s and 5000 kbit/s, the CIR and PIR of
the video service to 5000 kbit/s and 8000 kbit/s, and the CIR and PIR of the data
service to 2000 kbit/s and 3000 kbit/s.
[Switch-GigabitEthernet0/0/1] qos queue 5 shaping cir 3000 pir 5000
[Switch-GigabitEthernet0/0/1] qos queue 4 shaping cir 5000 pir 8000
[Switch-GigabitEthernet0/0/1] qos queue 1 shaping cir 2000 pir 3000
[Switch-GigabitEthernet0/0/1] quit
[Switch] quit
----End
Configuration Files
● Configuration file of the Switch
#
vlan 10
#
interface Vlanif10
ip address 10.10.10.1 255.255.255.0
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 10
qos lr outbound cir 20000 cbs 2500000
qos queue 1 shaping cir 2000 pir 3000
qos queue 4 shaping cir 5000 pir 8000
qos queue 5 shaping cir 3000 pir 5000
#
interface GigabitEthernet0/0/2
port link-type trunk
PQ Scheduling
Priority Queuing (PQ) scheduling schedules packets strictly by queue priority: packets
in a lower-priority queue are scheduled only after all packets in higher-priority queues
have been scheduled.
In PQ scheduling mode, packets of delay-sensitive core services are placed in a
high-priority queue and packets of other, non-core services in a low-priority queue, so
that core services are always sent first.
The disadvantage of PQ scheduling is that, during congestion, packets in lower-priority
queues are not processed at all while there is a large volume of higher-priority
packets; the lower-priority queues can be starved.
WRR Scheduling
WRR refers to Weighted Round Robin. WRR polls the queues in turn, ensuring that each
queue gets a share of the scheduling time.
Assume that an interface has eight output queues. WRR assigns a weight to each queue,
w7, w6, w5, w4, w3, w2, w1, and w0; the weight indicates the proportion of the resource
the queue obtains. For example, if the weights of the queues on a 100 Mbit/s interface
are set to 50, 50, 30, 30, 10, 10, 10, and 10 for w7 to w0, the lowest-priority queue
obtains at least 10/200 of the bandwidth, that is, 5 Mbit/s. This avoids the starvation
problem of PQ scheduling.
The advantage of WRR is that, although packets in the queues are processed in a polling
manner, the time allocated to each queue is not fixed: if a queue is empty, the next
queue is scheduled immediately, which makes better use of the bandwidth.
The disadvantages of WRR are as follows:
● WRR allocates bandwidth according to the number of packets. When the
average length of packets in each queue is the same or known, you can
obtain the required bandwidth by setting the weight of WRR. You, however,
cannot obtain the required bandwidth by setting the weight of WRR when the
average length of packets in each queue changes.
● The packets of short-delay services such as voice services cannot be scheduled
in time.
DRR Scheduling
The principle of Deficit Round Robin (DRR) is similar to that of WRR. The difference is
that WRR schedules by number of packets whereas DRR schedules by packet length. If a
packet is longer than the scheduling credit of its queue, DRR lets the credit go into
deficit so that the long packet is still scheduled; in subsequent polling rounds the
queue is not scheduled until its credit becomes positive again, after which it takes
part in DRR scheduling as normal.
DRR scheduling offsets the disadvantage of PQ scheduling and one disadvantage of WRR
scheduling (that bandwidth cannot be allocated in proportion when packet lengths vary).
As with WRR, the packets of short-delay services such as voice cannot be scheduled in
time in DRR mode.
PQ+WRR/PQ+DRR Scheduling
PQ scheduling, WRR scheduling, and DRR scheduling each have advantages and
disadvantages. If only PQ scheduling is used, lower-priority packets may obtain no
bandwidth for a long time. If only WRR or DRR scheduling is used, delay-sensitive
services such as voice cannot be scheduled first. PQ+WRR or PQ+DRR scheduling combines
the advantages of PQ and WRR or DRR and offsets their disadvantages.
With PQ+WRR or PQ+DRR scheduling, important protocol packets and delay-sensitive
service packets are placed in a PQ queue, to which a specified bandwidth is allocated;
other packets are placed in WRR or DRR queues according to their priorities and
scheduled in a polling manner according to the queue weights.
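The scheduler behaviours described in this section, modelled in Python as an added example (not code from the CX91x guide). Each call simulates one polling round over an interface's queues; queue index 0 is the lowest priority. Following the configuration note later in this chapter, a queue whose weight is 0 is a PQ queue and is drained first, highest index first, and the remaining queues are polled WRR (here a weight is a number of packets per round) or DRR (here a weight is a byte quantum, and a queue whose credit has gone negative is skipped until the credit is positive again, as the text describes). The per-round semantics are a simplification and the packet sizes are constructed; the point is to show why equal WRR weights give very unequal bandwidth when packet lengths differ and why DRR does not.

```python
"""Toy models of PQ, WRR, DRR and PQ+WRR / PQ+DRR queue scheduling.

Added example, not code from the CX91x guide. One call = one polling round.
Weight 0 marks a PQ queue (drained first, highest index first). Packet sizes
are constructed; the round semantics are a simplification of real hardware.
"""
from collections import deque


def make_queues(*packet_lists):
    """Build output queues from lists of packet sizes (constructed input)."""
    return [deque(p) for p in packet_lists]


def _drain_pq(queues, weights, sent):
    """PQ part of PQ+WRR / PQ+DRR: empty every weight-0 queue, highest index first."""
    for q in sorted((i for i, w in enumerate(weights) if w == 0), reverse=True):
        while queues[q]:
            sent.append((q, queues[q].popleft()))


def wrr_round(queues, weights):
    """PQ+WRR: PQ queues first, then each WRR queue sends up to `weight` packets.
    WRR counts packets, not bytes, which is its weakness with mixed sizes."""
    sent = []
    _drain_pq(queues, weights, sent)
    for q, w in enumerate(weights):
        for _ in range(w):
            if not queues[q]:
                break  # an empty queue yields its turn to the next one
            sent.append((q, queues[q].popleft()))
    return sent


def drr_round(queues, quanta, credit):
    """PQ+DRR: PQ queues first, then each DRR queue adds its byte quantum to its
    credit and sends while the credit is positive. A long packet may push the
    credit negative; the queue is then skipped until the credit recovers."""
    sent = []
    _drain_pq(queues, quanta, sent)
    for q, quantum in enumerate(quanta):
        if quantum == 0:
            continue
        if not queues[q]:
            credit[q] = 0  # an idle queue does not bank credit
            continue
        credit[q] += quantum
        while queues[q] and credit[q] > 0:
            size = queues[q].popleft()
            credit[q] -= size
            sent.append((q, size))
        if not queues[q]:
            credit[q] = 0
    return sent


def bytes_by_queue(sent, nqueues):
    """Bytes each queue got out of a list of (queue, size) transmissions."""
    out = [0] * nqueues
    for q, size in sent:
        out[q] += size
    return out


def run_rounds(scheduler, queues, weights, rounds, *state):
    """Run `rounds` polling rounds and report bytes sent per queue."""
    sent = []
    for _ in range(rounds):
        sent += scheduler(queues, weights, *state)
    return bytes_by_queue(sent, len(queues))


def build_queues():
    """Constructed load: queue 0 carries 1500-byte packets, queue 1 carries
    64-byte packets (voice-like), queue 2 holds three 100-byte PQ packets."""
    return make_queues([1500] * 50, [64] * 500, [100] * 3)


if __name__ == "__main__":
    print("PQ+WRR, weights 1:1 :", run_rounds(wrr_round, build_queues(), [1, 1, 0], 2))
    print("PQ+DRR, quanta 1500:", run_rounds(drr_round, build_queues(), [1500, 1500, 0], 2, [0, 0, 0]))
```

With equal WRR weights, two rounds give queue 0 (1500-byte packets) 3000 bytes and queue 1 (64-byte packets) only 128 bytes, even though both were meant to share equally; with equal DRR quanta the same two rounds give 3000 and 3008 bytes. In both cases the three PQ packets leave first.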
Applicable Environment
When congestion occurs, you can configure congestion management in the
following situations:
● The same delay and jitter requirements apply to various types of packets, but
packets of core services such as voice and video need to be processed first.
● Packets of non-core services with the same priority, such as email, are processed
fairly, and services of different priorities are processed according to their
weights.
Pre-configuration Tasks
Before configuring congestion management, complete the following tasks:
● Configuring priority mapping based on simple traffic classification
● Configuring the remarking action of inner priorities based on complex traffic
classification
NOTE
Before configuring congestion management, you need to perform either of the preceding
tasks to map packets to different queues for scheduling.
Data Preparation
To configure congestion management, you need the following data.
Context
The CX91x series supports eight interface queues that can use different scheduling
algorithms. During queue scheduling, packets in a PQ queue are first scheduled. If
there are multiple PQ queues, the packets are scheduled in descending order of
priorities of these PQ queues. After packets in PQ queues are scheduled, packets in
WRR or DRR queues are scheduled in a polling manner.
By default, the scheduling mode for queues on an interface is WRR.
Procedure
Step 1 Run:
system-view
NOTE
You need to perform this step only when the scheduling mode of an interface queue is set
to PQ+WRR or WRR.
When WRR scheduling is applied and the weight of a queue is set to 0, the queue applies
PQ scheduling and other queues apply WRR scheduling. That is, the overall scheduling
mode is PQ+WRR.
NOTE
You need to perform this step only when the scheduling mode of an interface queue is set
to DRR or PQ+DRR.
When DRR scheduling is applied and the weight of a queue is set to 0, the queue applies
PQ scheduling and other queues apply DRR scheduling. That is, the overall scheduling mode
is PQ+DRR.
Step 6 Run:
quit
NOTE
If you need to set the same scheduling parameters on multiple interfaces, you can perform
the configuration on the interface group to reduce the workload. You need to create the
interface group before performing this task. For details about creating an interface group,
see section Configuration Guide-Ethernet in the CX91x Series Switch Modules
V100R001C00 Configuration Guide.
Step 8 Run:
qos schedule-profile profile-name
----End
Procedure
Run the display qos port statistics interface interface-type interface-number
command to view the queue-based statistics.
NOTE
Before viewing the queue statistics on an interface, you need to run the qos port statistics
enable command to enable the queue statistics function on the specified outbound
interface.
Procedure
NOTICE
The queue-based statistics cannot be restored after you clear them. So, confirm
the action before you use the command.
In user view, run the reset qos port statistics command to clear the queue-based
statistics on an interface.
Networking Requirements
The Switch is connected to the router through GigabitEthernet0/0/3. The 802.1p
priorities of voice, video, and data services from the Internet are 5, 4, and 1
respectively, and these services reach residential users through the router and Switch,
as shown in Figure 4-9. To reduce the impact of network congestion and guarantee
bandwidth for high-priority, low-delay services, set the parameters according to the
following table.

Service   802.1p priority   Queue   Scheduling
Voice     5                 5       PQ (WRR weight 0)
Video     4                 4       WRR, weight 20
Data      1                 1       WRR, weight 10
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure the VLAN for each interface so that devices can communicate with
each other at the link layer.
2. Configure interfaces to trust 802.1p priorities of packets.
3. Configure the scheduling template and apply the scheduling template to the
interface.
Data Preparation
To complete the configuration, you need the following data:
● VLAN IDs of data packets, video packets, and voice packets: VLANs 10, 20,
and 30
● 802.1p priorities of data packets, video packets, and voice packets: 1, 4, and 5
● Scheduling parameters of each queue
Procedure
Step 1 Configure the VLAN for each interface so that devices can communicate with each
other at the link layer.
[Switch] vlan batch 10 20 30
[Switch] interface gigabitethernet0/0/1
[Switch-GigabitEthernet0/0/1] port link-type trunk
----End
Configuration Files
● Configuration file of the Switch
#
vlan batch 10 20 30
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 10 20 30
qos schedule-profile p1
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 10 20 30
qos schedule-profile p1
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk allow-pass vlan 10 20 30
trust 8021p
#
qos schedule-profile p1
qos queue 1 wrr weight 10
qos queue 4 wrr weight 20
qos queue 5 wrr weight 0
#
return
5 Configuration Guide-Security
This topic describes how to configure traffic suppression and access control lists
(ACLs), using examples based on the security requirements of Switch Module applications.
Broadcast packets, multicast packets, and unknown unicast packets entering the CX91x
series are forwarded on all interfaces in the VLAN. These three types of packets consume
a great deal of bandwidth, reduce the bandwidth available to the system, and degrade its
normal forwarding and processing capability.
Traffic suppression limits the rate at which these three types of traffic enter an
interface, protecting the CX91x series against them and guaranteeing available bandwidth
and processing capacity when the traffic is abnormal.
Applicable Environment
To limit the rate of incoming broadcast, multicast, and unknown unicast packets
on an interface and protect the device against traffic attacks, you can configure
traffic suppression on the interface.
Pre-configuration Tasks
None
Data Preparation
To configure traffic suppression, you need the following data.
Procedure
Step 1 Run:
system-view
Step 2 Run:
interface interface-type interface-number
----End
Prerequisite
The configurations of traffic suppression are complete.
Procedure
Run the display this command in the interface view to check the configuration of traffic
suppression.
Example
Run the display this command in the view of an interface to see its traffic suppression
configuration. For example, on GigabitEthernet0/0/1 the command output is as follows:
[Base-GigabitEthernet0/0/1] display this
#
interface GigabitEthernet0/0/1
broadcast-suppression 50
multicast-suppression value 10
unknown-unicast-suppression value 10
port hybrid untagged vlan 10
#
return
Networking Requirements
As shown in Figure 5-1, the Switch is connected to the Layer 2 network and Layer
3 router. To limit the number of broadcast, multicast, or unknown unicast packets
forwarded on the Layer 2 network, you can configure traffic suppression on
GigabitEthernet0/0/1.
Configuration Roadmap
Configure traffic suppression in the interface view of GigabitEthernet0/0/1.
Data Preparation
To complete the configuration, you need the following data:
● GigabitEthernet0/0/1 where traffic suppression is configured
● Traffic suppression for broadcast, unknown unicast and multicast packets
based on the rate percentage
● Maximum rate of broadcast, unknown unicast and multicast packets being 80
percent of the interface rate after traffic suppression is configured
Procedure
Step 1 Enter the interface view.
<Base> system-view
[Base] interface gigabitethernet 0/0/1
----End
NOTE
In this manual, the ACL refers to the access control list that is used to filter IPv4 packets.
Classification of ACLs
The CX91x series supports basic ACLs, advanced ACLs, and Layer 2 ACLs for IPv4
packets.
● Basic ACLs: classify and define data packets according to their source IP
addresses and effective time range.
● Advanced ACLs: classify and define data packets in finer detail, according to the
source IP address, destination IP address, source port number, destination port
number, protocol type, precedence, and effective time range.
● Layer 2 ACLs: classify and define data packets according to the source MAC
address, destination MAC address, and protocol type.
Application of ACLs
ACLs defined on the CX91x series can be applied in the following scenarios:
NOTE
● When an ACL is delivered to hardware and referenced by QoS to classify packets, the
CX91x series does not apply the action defined in the traffic behavior to packets that
match no rule in the ACL; such packets are not affected by the traffic policy. An ACL
used this way is therefore not a default-deny filter: any traffic the policy is meant to
act on must be matched by an explicit rule.
● When an ACL is used by the upper-layer software to control FTP, Telnet, or SSH login
users, the CX91x series discards packets that match no rule in the ACL (default deny).
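The two "no rule matched" outcomes in the note above, together with the two mask conventions the guide's rules use, modelled in Python as an added example (not code from the CX91x guide). An IPv4 rule such as source 10.10.10.0 0.0.0.255 uses a wildcard in which 0 bits must match; a Layer 2 rule such as source-mac 0000-0000-0003 ffff-ffff-ffff uses a mask in which 1 bits must match. Rules are evaluated in rule-number order and the first match wins. The number ranges 2000 to 2999 (basic) and 3000 to 3999 (advanced) come from the guide; treating 4000 to 4999 as Layer 2 is an assumption based on the guide's acl 4000 example. The rule sets, addresses and packets are constructed, and what a deny rule does when an ACL is referenced by a traffic classifier is not described on the page, so it is treated here like a non-match.

```python
"""Model of CX91x ACL matching and the two 'no rule matched' outcomes.

Added example, not code from the CX91x guide. Rule sets, addresses and
packets are constructed. The Layer 2 number range is an assumption.
"""
import ipaddress


def acl_type(number):
    """ACL type from its number: 2000-2999 basic and 3000-3999 advanced (per the
    guide); 4000-4999 Layer 2 is assumed from the guide's 'acl 4000' example."""
    if 2000 <= number <= 2999:
        return "basic"
    if 3000 <= number <= 3999:
        return "advanced"
    if 4000 <= number <= 4999:
        return "layer2"
    raise ValueError("unknown ACL number range: %d" % number)


def ip_wildcard_match(addr, rule_addr, wildcard):
    """IPv4 wildcard as in 'source 10.1.1.0 0.0.0.255': a 0 bit in the wildcard
    must match, a 1 bit is ignored."""
    a, r, w = (int(ipaddress.IPv4Address(x)) for x in (addr, rule_addr, wildcard))
    return (a & ~w) == (r & ~w)


def _mac_int(mac):
    return int(mac.replace("-", "").replace(":", ""), 16)


def mac_mask_match(mac, rule_mac, mask):
    """Layer 2 ACL MAC mask: a 1 bit in the mask must match (ffff-ffff-ffff = exact).
    Note the opposite sense from the IPv4 wildcard above."""
    m = _mac_int(mask)
    return (_mac_int(mac) & m) == (_mac_int(rule_mac) & m)


def evaluate(rules, packet):
    """First matching rule wins. A rule is (rule_id, action, predicate).
    Returns (action, rule_id), or (None, None) when no rule matches."""
    for rule_id, action, predicate in sorted(rules, key=lambda r: r[0]):
        if predicate(packet):
            return action, rule_id
    return None, None


def qos_action(rules, packet, behavior_action):
    """ACL referenced by a traffic classifier: the behavior's action is applied
    only to packets matched by a permit rule; unmatched traffic is left alone.
    (A deny match under a traffic policy is not described on the page and is
    treated here like a non-match.)"""
    action, _ = evaluate(rules, packet)
    return behavior_action if action == "permit" else "no action"


def login_control(rules, packet):
    """ACL applied to FTP/Telnet/SSH login control: anything not explicitly
    permitted is discarded, including packets that match no rule at all."""
    action, _ = evaluate(rules, packet)
    return "permit" if action == "permit" else "discard"


# Constructed rule sets, mirroring the guide's syntax
L2_ACL_4000 = [
    (5, "permit", lambda p: mac_mask_match(p["smac"], "0000-0000-0003", "ffff-ffff-ffff")),
]
BASIC_ACL_2000 = [
    (5, "permit", lambda p: ip_wildcard_match(p["sip"], "10.10.10.0", "0.0.0.255")),
    (10, "deny", lambda p: ip_wildcard_match(p["sip"], "0.0.0.0", "255.255.255.255")),
]

if __name__ == "__main__":
    pkt = {"smac": "0000-0000-0009", "sip": "192.168.1.10"}
    print(acl_type(4000), qos_action(L2_ACL_4000, pkt, "statistic"))  # no action
    print(login_control(BASIC_ACL_2000, pkt))  # discard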
Applicable Environment
ACLs can be used in multiple services, such as routing policies and packet filtering,
to distinguish the types of packets and process them accordingly.
Pre-configuration Tasks
None.
Data Preparation
To configure an ACL, you need the following data.
No. Data
2 (Optional) Name of the time range when the ACL takes effect, start
time, and end time
4 Number of ACL rule and the rule that identifies the type of packets,
including protocol, source address, source port, destination address,
destination port, the type and code of Internet Control Message Protocol
(ICMP), IP precedence, and Type of Service (ToS) value
Context
An ACL is composed of multiple lists of rules containing permit or deny clauses.
Before creating an ACL rule, you need to create an ACL.
To create an ACL, you need to specify the following parameters:
● When creating an ACL based on the number, you need to specify the ACL
number. The ACL number specifies the type of an ACL. For example, the ACL
with the number ranging from 2000 to 2999 is a basic ACL, and the ACL with
the number ranging from 3000 to 3999 is an advanced ACL.
● When creating an ACL based on the name, you need to specify the ACL name.
You can specify the number or type for a named ACL. If the number of a
named ACL is not specified, the system automatically allocates a number to
the named ACL.
Procedure
Step 1 Creating an ACL based on the number
1. Run:
system-view
1. Run:
system-view
If the number of a named ACL is not specified, the CX91x series automatically
allocates a number to the named ACL. The following situations are involved:
– If the type of a named ACL is specified, the number allocated by the CX91x
series is the maximum number available for that ACL type.
– If neither the number nor the type of a named ACL is specified, the CX91x
series treats the named ACL as an advanced ACL and allocates 3999 to it.
The CX91x series does not allocate the same number to more than one named ACL.
----End
5.2.3.3 (Optional) Setting the Time Range When an ACL Takes Effect
When a time range is specified for an ACL, the ACL takes effect only in this time
range. If no time range is specified for the ACL, the ACL is always effective until it
is deleted or the rules of the ACL are deleted.
Procedure
Step 1 Run:
system-view
Step 2 Run:
time-range time-name { start-time to end-time days | from time1 date1 [ to time2 date2 ] }
You can set the same name for multiple time ranges to describe a special period.
For example, three time ranges are set with the same name test:
● Time range 1: 2011-01-01 00:00 to 2011-12-31 23:59, a definite time range
● Time range 2: 8:00-18:00 on Monday to Friday, a periodic time range
● Time range 3: 14:00-18:00 on Saturday and Sunday, a periodic time range
The time range test includes 8:00-18:00 on Monday to Friday and 14:00-18:00 on
Saturday and Sunday in the year 2011.
----End
Procedure
Step 1 Run:
system-view
Step 2 Run:
acl number acl-number
Or, run:
acl name acl-name
Step 3 Run:
description description
----End
Procedure
Step 1 Run:
system-view
Step 2 Run:
acl [ number ] acl-number
Or, run:
acl name acl-name [ advance | basic | link | acl-number ]
Step 3 Run:
rule [ rule-id ] { deny | permit } [ source { source-address source-wildcard | any } | time-range time-
name ]*
----End
Procedure
Step 1 Run:
system-view
Step 2 Run:
acl [ number ] acl-number
Or, run:
acl name acl-name [ advance | basic | link | acl-number ]
You can configure different advanced ACLs on the CX91x series according to the
protocol carried by IP. Different parameter combinations are available for different
protocol types.
NOTE
dscp dscp and precedence precedence cannot be specified at the same time.
----End
Procedure
Step 1 Run:
system-view
----End
Procedure
Step 1 Run:
system-view
Or, run:
acl name acl-name
Step 3 Run:
step step-value
----End
Prerequisites
The configurations of the ACL are complete.
Procedure
Step 1 Run:
display acl { acl-number | all }
Step 2 Run:
display acl name acl-name
Step 3 Run:
display time-range { all | time-name }
----End
Example
# Run the display acl command, and you can view the ACL number, rule IDs, step,
and rule contents.
<Base> display acl 3000
Advanced ACL 3000, 1 rule
Acl's step is 5
rule 5 deny ip source 10.1.1.1 0
# Run the display acl name command, and you can view the ACL name, ACL
number, rule quantity, step, and rule contents.
<Base> display acl name test
Advanced ACL test 3999, 1 rule
Acl's step is 5
rule 5 permit tcp
# Run the display time-range command, and you can view the configuration and
status of the current time range.
<Base> display time-range all
Current time is 14:19:16 12-4-2008 Tuesday
Time-range : time1 ( Inactive )
10:00 to 12:00 daily
from 09:09 2008/9/9 to 23:59 2099/12/31
Networking Requirements
As shown in Figure 5-2, GigabitEthernet 0/0/1 of the Switch is connected to the
user, and GigabitEthernet 0/0/2 is connected to the upstream router. It is required
that the Switch does not trust the packets from user A whose IP address is
10.0.0.2/24.
Configuration Roadmap
The configuration roadmap is as follows:
Data Preparation
To complete the configuration, you need the following data:
● ACL number
● IP address of user A
● Names of traffic classifier, traffic behavior, and traffic policy
● Interface where the traffic policy is applied
Procedure
Step 1 Configure the traffic classifier that is based on the ACL rules.
# Define the ACL rules.
[Base] acl 2000
[Base-acl-basic-2000] rule permit source 10.0.0.2 0.0.0.255
[Base-acl-basic-2000] quit
Classifier: tc1
Operator: AND
Rule(s) : if-match acl 2000
----End
Configuration Files
#
acl number 2000
rule 5 permit source 10.0.0.0 0.0.0.255
#
traffic classifier tc1 operator and
if-match acl 2000
#
traffic behavior tb1
deny
#
traffic policy tp1
classifier tc1 behavior tb1
#
interface GigabitEthernet0/0/1
traffic-policy tp1 inbound
#
return
Networking Requirements
As shown in Figure 5-3, the departments of the company are connected through
the Switches. It is required that the IPv4 ACL be configured correctly. The personnel
of the R&D department and marketing department cannot access the salary query
server at 10.164.9.9 from 8:00 to 17:30, whereas the personnel of the president's
office can access the server at any time.
Configuration Roadmap
The configuration roadmap is as follows:
1. Assign IP addresses to interfaces.
2. Configure the time range.
3. Configure the ACL.
4. Configure the traffic classifier.
5. Configure the traffic behavior.
6. Configure the traffic policy.
7. Apply the traffic policy to an interface.
Data Preparation
To complete the configuration, you need the following data:
● VLAN that the interface belongs to
● Name of the time range
● ACL ID and rules
● Name of the traffic classifier and classification rules
● Name of the traffic behavior and actions
● Name of the traffic policy, and traffic classifier and traffic behavior associated
with the traffic policy
● Interface that a traffic policy is applied to
Procedure
Step 1 Assign IP addresses to interfaces.
# Add interfaces to the VLAN and assign IP addresses to the VLANIF interfaces.
Add GigabitEthernet 0/0/1, GigabitEthernet 0/0/2, GigabitEthernet 0/0/3, and
GigabitEthernet0/0/4 to VLAN 10. The first IP address of the network segment is
taken as the address of the VLANIF interface. Take GigabitEthernet 0/0/1 as an
example. The configurations of other interfaces are similar to the configuration of
GigabitEthernet 0/0/1, and are not mentioned here.
<Base> system-view
[Base] vlan batch 10
[Base] interface GigabitEthernet 0/0/1
[Base-GigabitEthernet0/0/1] port link-type access
[Base-GigabitEthernet0/0/1] port default vlan 10
[Base-GigabitEthernet0/0/1] quit
[Base] interface vlanif 10
[Base-Vlanif10] ip address 10.164.1.1 255.255.255.0
[Base-Vlanif10] quit
# Configure the ACL for the personnel of the R&D department to access the salary
query server.
[Base] acl 3003
[Base-acl-adv-3003] rule permit tcp source 10.164.3.0 0.0.0.255 destination 10.164.9.9 0.0.0.0 time-range satime
[Base-acl-adv-3003] quit
# Configure the traffic classifier c_rd to classify the packets that match ACL 3003.
[Base] traffic classifier c_rd
[Base-classifier-c_rd] if-match acl 3003
[Base-classifier-c_rd] quit
# Configure the traffic policy p_rd and associate the traffic classifier c_rd and the
traffic behavior b_rd with the traffic policy.
[Base] traffic policy p_rd
[Base-trafficpolicy-p_rd] classifier c_rd behavior b_rd
[Base-trafficpolicy-p_rd] quit
Classifier: c_rd
Operator: AND
Behavior: b_rd
Deny
----End
Configuration Files
#
vlan batch 10
#
time-range satime 08:00 to 17:30 working-day
#
acl number 3002
rule 5 deny tcp source 10.164.2.0 0.0.0.255 destination 10.164.9.9 0 time-range satime
#
acl number 3003
rule 5 deny tcp source 10.164.3.0 0.0.0.255 destination 10.164.9.9 0 time-range satime
#
traffic classifier c_market operator and
if-match acl 3002
traffic classifier c_rd operator and
if-match acl 3003
#
traffic behavior b_market
deny
traffic behavior b_rd
deny
#
traffic policy p_market
classifier c_market behavior b_market
traffic policy p_rd
classifier c_rd behavior b_rd
#
interface Vlanif10
ip address 10.164.1.1 255.255.255.0
ip address 10.164.2.1 255.255.255.0 sub
ip address 10.164.3.1 255.255.255.0 sub
ip address 10.164.9.1 255.255.255.0 sub
#
interface GigabitEthernet0/0/1
port link-type access
port default vlan 10
#
interface GigabitEthernet0/0/2
port link-type access
port default vlan 10
traffic-policy p_market inbound
#
interface GigabitEthernet0/0/3
port link-type access
port default vlan 10
traffic-policy p_rd inbound
#
interface GigabitEthernet0/0/4
port link-type access
port default vlan 10
#
return
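The ACL behaviour described in this section in executable form, as an added example that is not part of the guide or the CX91x software: wildcard matching as used by ACL 2000 (the configuration file shows the rule normalized to 10.0.0.0 0.0.0.255, so it matches every host in 10.0.0.0/24, not only user A), rule ID allocation by step, the time range satime referenced by ACL 3003, and the rule from 5.2.3.3 that time-range entries sharing a name combine. Class and function names (TimeRange, Acl, lookup, at) are this example's own.

```python
"""
Offline model of the ACL behaviour this chapter describes: wildcard masks,
rule IDs allocated by step, several time-range entries sharing one name, and
the NOTE that a packet matching no rule is left alone by QoS. Added example,
not CX91x code: class and function names are the example's own, and the rules
it encodes come from the text and from ACL 2000, ACL 3003 and 'satime'.
"""
from dataclasses import dataclass, field
from datetime import datetime
from ipaddress import IPv4Address
from typing import Optional

ALL_ONES = 0xFFFFFFFF
DAYS = {"daily": range(7), "working-day": range(5), "off-day": (5, 6)}  # Monday = 0


def at(spec: str) -> datetime:
    """Helper for building test clocks, e.g. at("2022-06-28 09:00")."""
    return datetime.strptime(spec, "%Y-%m-%d %H:%M")


def to_int(dotted: str) -> int:
    # The CLI accepts a bare "0" as the wildcard 0.0.0.0, i.e. exactly one host.
    return 0 if dotted == "0" else int(IPv4Address(dotted))


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """A 1 bit in the wildcard means 'do not care'; 0.0.0.255 covers a whole /24."""
    care = ~to_int(wildcard) & ALL_ONES
    return (to_int(addr) & care) == (to_int(base) & care)


def normalize(base: str, wildcard: str) -> str:
    """What the configuration file stores: 'do not care' bits cleared, which is
    why 'source 10.0.0.2 0.0.0.255' is saved as 'source 10.0.0.0 0.0.0.255'."""
    return str(IPv4Address(to_int(base) & ~to_int(wildcard) & ALL_ONES))


def acl_kind(number: int) -> str:
    """Number ranges from the Context section (2000-2999 basic, 3000-3999
    advanced) plus 4000-4999, the Layer 2 range that ACL 4000 in the examples uses."""
    kinds = {2: "basic", 3: "advanced", 4: "link"}
    if number // 1000 not in kinds:
        raise ValueError(f"ACL number {number} is outside the supported ranges")
    return kinds[number // 1000]


@dataclass
class TimeRange:
    """Entries sharing a name form one range: periodic entries are ORed,
    absolute entries are ORed, and the two groups are ANDed, which is what the
    guide's 'test' example shows (weekday and weekend hours, within 2011)."""
    name: str
    periodic: list = field(default_factory=list)   # (start "HH:MM", end "HH:MM", day keyword)
    absolute: list = field(default_factory=list)   # (start datetime, end datetime)

    def active(self, now: datetime) -> bool:
        abs_ok = not self.absolute or any(s <= now <= e for s, e in self.absolute)
        hhmm, day = now.strftime("%H:%M"), now.weekday()
        per_ok = not self.periodic or any(
            day in DAYS[d] and s <= hhmm <= e for s, e, d in self.periodic)
        return abs_ok and per_ok


@dataclass
class Rule:
    action: str                          # "permit" or "deny"
    protocol: Optional[str] = None       # None or "ip" matches any IP protocol
    source: Optional[tuple] = None       # (base, wildcard)
    destination: Optional[tuple] = None
    time_range: Optional[str] = None
    rule_id: Optional[int] = None        # allocated from the ACL step when omitted


@dataclass
class Acl:
    number: int
    step: int = 5                        # "Acl's step is 5" in the display output
    rules: list = field(default_factory=list)

    def add(self, rule: Rule) -> Rule:
        if acl_kind(self.number) == "basic" and (rule.protocol or rule.destination):
            raise ValueError("a basic ACL classifies on source address and time range only")
        if rule.rule_id is None:         # next multiple of the step above the largest ID
            last = max((r.rule_id for r in self.rules), default=0)
            rule.rule_id = (last // self.step + 1) * self.step
        self.rules.append(rule)
        return rule

    def lookup(self, pkt: dict, ranges: dict, now: datetime) -> Optional[str]:
        """First matching rule (lowest rule ID) decides. None means no rule matched,
        so a traffic behaviour bound through QoS is NOT applied to the packet."""
        for r in sorted(self.rules, key=lambda r: r.rule_id):
            if r.time_range and not ranges[r.time_range].active(now):
                continue
            if r.protocol not in (None, "ip") and r.protocol != pkt["proto"]:
                continue
            if r.source and not wildcard_match(pkt["src"], *r.source):
                continue
            if r.destination and not wildcard_match(pkt["dst"], *r.destination):
                continue
            return r.action
        return None


def guide_examples():
    """ACL 2000 from the first example, ACL 3003 as saved in the second example's
    configuration file, and that file's 'time-range satime 08:00 to 17:30 working-day'."""
    ranges = {"satime": TimeRange("satime", periodic=[("08:00", "17:30", "working-day")])}
    acl2000 = Acl(2000)
    acl2000.add(Rule("permit", source=("10.0.0.2", "0.0.0.255")))
    acl3003 = Acl(3003)
    acl3003.add(Rule("deny", "tcp", ("10.164.3.0", "0.0.0.255"), ("10.164.9.9", "0"), "satime"))
    return ranges, acl2000, acl3003
```

Running lookup on ACL 2000 with a source such as 10.0.0.77 returns "permit", which is the practical check that the wildcard covers the whole subnet rather than the single host the networking requirement names.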
Networking Requirements
As shown in Figure 5-4, the Switch that functions as the gateway is connected to
the PC. It is required that the ACL configured to prevent the packets with the
source MAC address as 00e0-f201-0101 and the destination MAC address as 0260-
e207-0002 from passing through.
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure the ACL.
2. Configure the traffic classifier.
3. Configure the traffic behavior.
4. Configure the traffic policy.
5. Apply the traffic policy to an interface.
Data Preparation
To complete the configuration, you need the following data:
● ACL ID and rules
● Name of the traffic classifier and classification rules
● Name of the traffic behavior and actions
● Name of the traffic policy, and traffic classifier and traffic behavior associated
with the traffic policy
● Interface that a traffic policy is applied to
Procedure
Step 1 Configure an ACL.
# Configure the required layer 2 ACL.
[Base] acl 4000
[Base-acl-L2-4000] rule deny source-mac 00e0-f201-0101 ffff-ffff-ffff destination-mac 0260-e207-0002 ffff-ffff-ffff
[Base-acl-L2-4000] quit
# Configure the traffic classifier tc1 to classify packets that match ACL 4000.
[Base] traffic classifier tc1
[Base-classifier-tc1] if-match acl 4000
[Base-classifier-tc1] quit
----End
Configuration Files
#
acl number 4000
rule 5 deny destination-mac 0260-e207-0002 source-mac 00e0-f201-0101
#
traffic classifier tc1 operator and
if-match acl 4000
#
traffic behavior tb1
deny
#
traffic policy tp1
classifier tc1 behavior tb1
#
interface GigabitEthernet0/0/1
traffic-policy tp1 inbound
#
return
6 Configuration Guide-Reliability
This topic describes configuration methods and scenarios for reliability services of
a device. The configurations, including Smart Link and Monitor Link
configurations, are described by using examples.
The Monitor Link is introduced as a supplement to the Smart Link. This technology
supports the association of interfaces. A Monitor Link group consists of an uplink
interface and several downlink interfaces. If the uplink interface fails, the Monitor
Link group automatically disables the downlink interfaces. When the uplink
interface recovers, the downlink interfaces also recover.
NOTE
● The Smart Link uplink switch must support Flush packets; otherwise, failover may be
slow because stale MAC address entries are not cleared in a timely manner.
● Smart Link and MSTP cannot be used together.
● Both Smart Link and Monitor Link perform detection based on physical link status.
Applicable Environment
As shown in Figure 6-1, either Switch D or Switch E at the access and convergence
layer is connected to two uplink devices. This networking mode provides higher
security and reduces the duration of service interruption caused by the link failure.
As shown in Figure 6-1, Switch D and Switch E are connected to user devices, and
both are connected to Switch B and Switch C. Configure the Smart Link on Switch
D and Switch E and add the two uplink interfaces to the respective Smart Link
group to avoid loops. In this manner, interrupted services can be restored in
milliseconds.
Pre-configuration Tasks
Before configuring the basic functions of a Smart Link group, ensure that the
Multiple Spanning Tree Protocol (MSTP), Rapid Ring Protection Protocol (RRPP),
and Smart Ethernet Protection (SEP) are not enabled on the master and slave
interfaces of the Smart Link group.
Data Preparation
To configure basic functions of the Smart Link group, you need the following data:
Procedure
Step 1 Run:
system-view
Step 2 Run:
smart-link group group-id
A Smart Link group is created and the Smart Link group view is displayed.
Step 3 Run:
protected-vlan reference-instance instance-id [ to instance-id2 ]
An instance is bound to the Smart Link group as the protected instance. The
functions of the Smart Link group take effect only on the VLANs bound to the
protected instance. By default, a Smart Link group protects all VLANs, and the
protected-vlan reference-instance command is applicable only to multicast
services.
----End
6.1.2.3 Configuring the Master and Slave Interfaces in a Smart Link Group
Context
The slave interface of a Smart Link group is blocked when the group is started.
Procedure
Step 1 Run:
system-view
Step 2 Run:
interface interface-type interface-number
Step 3 Run:
stp disable
Step 4 Run:
quit
Step 5 Run:
smart-link group group-id
Step 6 Run:
port interface-type interface-number master
An interface is added to the Smart Link group and is specified as the master
interface.
Step 7 Run:
port interface-type interface-number slave
Another interface is added to the Smart Link group and is specified as the slave
interface.
A Smart Link group consists of a master interface and a slave interface. By default,
a Smart Link group does not have interfaces.
----End
Context
When the active and standby links of the Smart Link group switch, the existing
forwarding entries no longer apply to the new topology. All the MAC address
entries and ARP entries on the network need to be updated. Therefore, the Smart
Link group sends Flush packets to ask other devices to update their MAC address
tables and ARP entries.
Because manufacturers define the format of Flush packets differently, the Flush
packets described here are used only for the intercommunication between Huawei
S-series switches. In addition, the function of receiving Flush packets must be
enabled on the remote switch.
Procedure
Step 1 Run:
system-view
Step 2 Run:
smart-link group group-id
Step 3 Run:
flush send control-vlan vlan-id [ password simple password ]
The CX91x series is enabled to send Flush packets, and the control VLAN ID and
password contained in Flush packets are set.
The control VLAN ID and password contained in Flush packets on both devices
must be the same. That is, the control VLAN ID and password in Flush packets
sent by the device must be the same as the control VLAN ID and password in
Flush packets received by the device.
NOTE
After the flush send control-vlan command is run, the interface cannot be added to the control
VLAN. You need to configure the interface to allow the packets of the control VLAN to pass
through.
----End
Procedure
Step 1 Run:
system-view
Step 2 Run:
stp region-configuration
Step 3 Run:
instance instance-id vlan { vlan-id1 [ to vlan-id2 ] }&<1-10>
Step 4 Run:
active region-configuration
After configuring the domain name, VLAN mapping table, or MSTP revision level,
you must run the active region-configuration command for the configuration to
take effect.
Step 5 Run:
quit
Step 6 Run:
smart-link group group-id
Step 7 Run:
load-balance instance { instance-id1 [ to instance-id2 ] } &<1-10> slave
Packets of the VLANs bound to the specified instance are sent from the slave
interface to implement load balancing.
----End
6.1.2.6 (Optional) Enabling Revertive Switching and Setting the WTR Time
Context
When the active link in a Smart Link group fails, the traffic is automatically
switched to the standby link. The original active link does not preempt the traffic
but remains blocked after recovering from the fault. To switch the traffic back to
the active link, you can adopt either of the following methods:
● Enable the revertive switching of a Smart Link group. The switching is
automatically performed after the revertive switching timer times out.
● Run the smart-link manual switch command to perform the link switching
forcibly.
NOTE
The link switching is performed only when the two member interfaces in a group are both
Up.
Procedure
Step 1 Run:
system-view
The wait to recover (WTR) time of the Smart Link group is set.
By default, the WTR time of a Smart Link group is 60 seconds.
----End
Context
An interface receives Flush packets only when it is configured with the control
VLAN ID and added to this VLAN.
Do as follows on SwitchA, SwitchB, and SwitchC shown in Figure 6-1.
Procedure
Step 1 Run:
system-view
Step 3 Run:
smart-link flush receive control-vlan vlan-id [ password simple password ]
The interface is enabled to receive Flush packets, and the control VLAN ID and
password contained in Flush packets are set.
The control VLAN ID and password contained in Flush packets on both devices
must be the same. That is, the control VLAN ID and password in Flush packets
sent by the device must be the same as the control VLAN ID and password in
Flush packets received by the device.
----End
Context
If a Smart Link switchover is triggered by a transient link interruption, packet
forwarding and system performance are affected. To address this problem, you
can set the hold time of the Smart Link switchover. If an interface in the Smart
Link group repeatedly alternates between the Up and Down states, the status of
the Smart Link group is not changed immediately; instead, it is changed according
to the Up or Down status of the interface when the hold time expires. In this
manner, Smart Link switchovers caused by transient link interruptions are
suppressed.
Procedure
Step 1 Run:
system-view
Step 2 Run:
smart-link group group-id
Step 3 Run:
smart-link hold-time hold-time
----End
Context
After the functions of the Smart Link group are enabled, the standby interface in
the group is blocked. After the functions of the Smart Link group are disabled, the
blocked standby interface is recovered.
Procedure
Step 1 Run:
system-view
----End
Procedure
Step 1 Run:
display smart-link group { all | group-id }
----End
Example
Run the display smart-link group { all | group-id } command to check
information about a Smart Link group. The following information is displayed:
<Base> display smart-link group 1
Smart Link group 1 information :
Smart Link group was enabled
Wtr-time is: 30 sec.
Load-Balance Instance: 1 to 2
There is no protected-vlan reference-instance
DeviceID: 0018-2000-0083 Control-vlan ID: 20
Member Role State Flush Count Last-Flush-Time
------------------------------------------------------------------------
GigabitEthernet0/0/1 Master Active 1 2008/11/21 16:37:20 UTC+05:00
GigabitEthernet0/0/2 Slave Inactive 2 2008/11/21 17:45:20 UTC+05:00
● The functions of the Smart Link group are enabled. Therefore, "Smart link
group was enabled" is displayed.
● The status of the interfaces in the Smart Link group is displayed, including the
role of each interface in the group, number of sent Flush packets, and time
when the last Flush packets are sent. As shown in the preceding information,
GigabitEthernet0/0/1 is the master interface in the Smart Link group; this
interface is in the Forwarding state; it sent a Flush packet at 16:37 on
2008-11-21.
● The control VLAN ID contained in the sent Flush packets is 20.
Run the display smart-link flush command, and you can view information about
received Flush packets.
<Base> display smart-link flush
Receive flush packets count: 1191
Receive last flush interface: GigabitEthernet0/0/1
Receive last flush packet time: 16:48:53 UTC+05:00 2009/02/23
Receive last flush packet source mac: 0018-0202-0088
Receive last flush packet control vlan ID: 20
Applicable Environment
As shown in Figure 6-2, the basic functions and revertive switching of the Smart
Link group are enabled on Switch D. During maintenance, the active link in the
Smart Link group needs to be inspected. To prevent the inspection from affecting
normal services, you need to configure a flow control policy for the Smart Link
group. Through the configuration, you can forcibly lock the data flows to the
standby link and switch them back to the active link after the inspection is
complete.
Pre-configuration Tasks
Before configuring a flow control policy for the Smart Link group, complete 6.1.2
Configuring a Smart Link Group.
Data Preparation
None.
NOTICE
If data flows are locked on the master interface, they cannot be switched to the
slave interface automatically when the master interface fails. Thus, traffic is
interrupted.
Procedure
Step 1 Run:
system-view
----End
NOTICE
If data flows are locked on the slave interface, they cannot be switched to the
master interface automatically when the slave interface fails. Thus, traffic is
interrupted.
Procedure
Step 1 Run:
system-view
----End
Procedure
Step 1 Run:
system-view
● The master interface and slave interface exist and are both in Up state.
● The smart-link command is not run to lock data streams.
The smart-link manual switch command can be repeatedly used in the Smart
Link group view. Each time you run the command, the active/standby switchover is
performed between links. Packet loss occurs during the switchover. The duration is
measured in milliseconds.
----End
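Added simulation (not the guide's or CX91x code) of the switching rules stated in 6.1.2.6 (a recovered master does not preempt unless revertive switching is enabled and the WTR timer expires), in the hold-time context, and in the manual switchover conditions above; the class and method names (SmartLinkGroup, link_event, tick, manual_switch), the integer-second clock, and the reading that held link changes are applied once when the hold time expires are this example's own assumptions.

```python
"""
Simulation of the Smart Link switching rules this chapter describes: the
standby link takes over when the active link fails, a recovered master does
not preempt unless revertive switching is enabled and the WTR timer expires,
a manual switchover needs both members Up, and a hold-time damps flapping.
Added example, not CX91x code: names are the example's own, time is an
integer clock in seconds, and the hold-time model (link state re-read once
the hold expires) is this example's reading of the Context text.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Member:
    name: str
    role: str                      # "Master" or "Slave"
    up: bool = True
    flush_count: int = 0           # Flush packets sent when this link became active


@dataclass
class SmartLinkGroup:
    master: Member
    slave: Member
    restore_enable: bool = False   # 'restore enable' in the Smart Link group view
    wtr: int = 60                  # 'timer wtr'; the guide's default is 60 seconds
    hold_time: int = 0             # 'smart-link hold-time'; 0 = react at once
    active: Optional[Member] = None
    flushes: list = field(default_factory=list)      # (time, link that became active)
    _wtr_deadline: Optional[int] = None
    _hold_deadline: Optional[int] = None
    _pending: dict = field(default_factory=dict)     # member name -> Up state not yet applied

    def enable(self, now: int) -> None:
        """'smart-link enable': the master forwards and the slave is blocked."""
        self.active = self.master if self.master.up else (self.slave if self.slave.up else None)
        self._evaluate(now)

    def state(self) -> dict:
        """What 'display smart-link group' shows in the State column."""
        return {m.name: "Active" if m is self.active else "Inactive"
                for m in (self.master, self.slave)}

    def link_event(self, member: Member, up: bool, now: int) -> None:
        """Physical Up/Down change on a member interface."""
        if self.hold_time:            # hold the change; re-read the state when the hold expires
            self._pending[member.name] = up
            if self._hold_deadline is None:
                self._hold_deadline = now + self.hold_time
            return
        member.up = up
        self._evaluate(now)

    def tick(self, now: int) -> None:
        """Advance the clock: expire the hold-time and WTR timers."""
        if self._hold_deadline is not None and now >= self._hold_deadline:
            for m in (self.master, self.slave):
                m.up = self._pending.get(m.name, m.up)
            self._pending.clear()
            self._hold_deadline = None
            self._evaluate(now)
        if self._wtr_deadline is not None and now >= self._wtr_deadline:
            self._wtr_deadline = None
            if self.master.up and self.slave.up and self.active is self.slave:
                self._switch_to(self.master, now)   # revertive switching after WTR

    def manual_switch(self, now: int) -> bool:
        """'smart-link manual switch': only when both members are Up."""
        if self.active is None or not (self.master.up and self.slave.up):
            return False
        self._switch_to(self.slave if self.active is self.master else self.master, now)
        return True

    def _switch_to(self, member: Member, now: int) -> None:
        self.active = member
        member.flush_count += 1       # a Flush packet tells peers to refresh MAC/ARP entries
        self.flushes.append((now, member.name))

    def _evaluate(self, now: int) -> None:
        if self.active is not None and not self.active.up:
            standby = self.slave if self.active is self.master else self.master
            if standby.up:
                self._switch_to(standby, now)      # failover to the standby link
            else:
                self.active = None                 # both links down: traffic interrupted
        elif self.active is None:
            for m in (self.master, self.slave):    # prefer the master when it is Up
                if m.up:
                    self._switch_to(m, now)
                    break
        # A recovered master does not preempt; with revertive switching it waits for WTR.
        if self.active is self.slave and self.master.up:
            if self.restore_enable and self._wtr_deadline is None:
                self._wtr_deadline = now + self.wtr
        else:
            self._wtr_deadline = None
```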
Procedure
Run the display smart-link group { all | group-id } command to check
information about a Smart Link group.
Example
Run the display smart-link group { all | group-id } command. If lock is displayed,
it indicates that data flows are locked on the master interface. If force is
displayed, it means that data flows are locked on the slave interface.
<Base> display smart-link group 1
Smart Link group 1 information :
Smart Link group was enabled
Link status:lock
Wtr-time is: 30 sec.
Load-Balance Instance: 1 to 2
There is no protected-vlan reference-instance
DeviceID: 0018-2000-0083 Control-vlan ID: 20
Member Role State Flush Count Last-Flush-Time
------------------------------------------------------------------------
GigabitEthernet0/0/1 Master Active 1 2008/11/21 16:37:20 UTC+05:00
GigabitEthernet0/0/2 Slave Inactive 2 2008/11/21 17:45:20 UTC+05:00
Applicable Environment
As shown in Figure 6-3, the uplink of Switch A is faulty. Although Smart Link is
enabled on Switch C, link switching is not performed because the active link is not
faulty. In this case, services are interrupted. To enable the Smart Link group to
respond more quickly to the faults of the uplink, you need to configure the
Monitor Link function on the device connected to the active link to monitor the
status of the uplink. When a fault occurs on an uplink, the active link of the Smart
Link group is rapidly blocked. Thus, the Smart Link group can detect the fault and
switch the traffic to the standby link to reduce the service interruption duration.
When the uplink interface belongs to a Smart Link group, the uplink interface is
considered faulty only if both the master and slave interfaces of the Smart Link
group are in the standby state (including the Down state).
Pre-configuration Tasks
Before configuring the basic functions of the Monitor Link group, complete the
following tasks:
Data Preparation
To configure the basic functions of the Monitor Link group, you need the following
data:
Procedure
Step 1 Run:
system-view
Step 2 Run:
monitor-link group group-id
A Monitor Link group is created and the Monitor Link group view is displayed.
----End
Procedure
Step 1 Run:
system-view
Step 2 Run:
monitor-link group group-id
The Monitor Link group view is displayed. The CX91x series supports a maximum
of 16 Monitor Link groups.
Step 3 Run:
port interface-type interface-number { downlink [ downlink-id ] | uplink }
Or run:
smart-link group group-id uplink
A Smart Link group is configured as the uplink interface of the Monitor Link
group.
The status of the uplink interface determines the status of the Monitor Link group.
Therefore, after the downlink interface is added to the Monitor Link group, the result of the
shutdown or undo shutdown command can be retained before the status of the uplink
interface changes. When the status of the uplink interface changes, the status of the
downlink interfaces changes as follows:
● When an uplink interface in Up state is added to the Monitor Link group or when an
uplink interface in Down state becomes Up, all the downlink interfaces in the Monitor
Link group become Up.
● When an uplink interface is deleted from the Monitor Link group or when an uplink
interface in Up state becomes Down, all the downlink interfaces in the Monitor Link
group become Down.
To add a Smart Link group to a Monitor Link group, you need to delete the existing uplink
interface of the Monitor Link group. The Smart Link group and common interfaces are
incompatible when serving as the uplink interface for a Monitor Link group.
----End
Procedure
Step 1 Run:
system-view
Step 2 Run:
monitor-link group group-id
Step 3 Run:
timer recover-time recover-time
By default, the revertive switching of a Monitor Link group is enabled and the
interval of revertive switching is 3 seconds.
----End
Procedure
Run the display monitor-link group { all | group-id } command to check
information about a Monitor Link group.
Example
Run the display monitor-link group { all | group-id } [ | count ] [ | { begin |
include | exclude } regular-expression ], and you can view basic information
about the interfaces in the Monitor Link group, including the role and status of
the interfaces and the time when the interfaces become Up or Down for the last
time.
<Base> display monitor-link group 1
Monitor Link group 1 information :
Recover-timer is 5 sec.
Member Role State Last-up-time Last-down-time
GigabitEthernet0/0/1 UpLk UP 0000/00/00 00:00:00 UTC+00:00 0000/00/00 00:00:00 UTC+00:00
GigabitEthernet0/0/2 DwLk[1] DOWN 0000/00/00 00:00:00 UTC+00:00 0000/00/00 00:00:00 UTC+00:00
Networking Requirements
As shown in Figure 6-4, the user-side network is connected to the metropolitan
area network (MAN) in dual-homing mode to guarantee the reliability of the
network. In addition, ensure rapid switching of traffic over the standby link when
the active link fails so that the duration of service interruption is limited to several
milliseconds.
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure the Smart Link group on SwitchA and add the uplink interfaces to
the Smart Link group.
2. Enable revertive switching on SwitchA.
3. Enable SwitchA to send Flush packets.
4. Enable SwitchB and SwitchC to receive Flush packets.
5. Enable the Smart Link group on SwitchA.
Data Preparation
To complete the configuration, you need the following data:
● Smart Link group ID
● Number of the uplink interface of SwitchA
● Control VLAN ID and password contained in Flush packets
Procedure
Step 1 On SwitchA, configure the control VLAN and add interfaces to the control VLAN.
<SwitchA> system-view
[SwitchA] vlan 10
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 10
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 10
[SwitchA-GigabitEthernet0/0/2] quit
# Configure SwitchC.
[SwitchC] interface gigabitethernet 0/0/1
[SwitchC-GigabitEthernet0/0/1] smart-link flush receive control-vlan 10 password simple 123
[SwitchC-GigabitEthernet0/0/1] quit
# Run the shutdown command to shut down GigabitEthernet 0/0/1, and you can
find that GigabitEthernet 0/0/1 is in Inactive state and GigabitEthernet 0/0/2 is in
Active state.
[SwitchA-GigabitEthernet0/0/1] shutdown
[SwitchA-GigabitEthernet0/0/1] display smart-link group 1
Smart Link group 1 information :
Smart Link group was enabled
There is no Load-Balance
There is no protected-vlan reference-instance
DeviceID: 0025-9e80-2494 Control-vlan ID: 10
Member Role State Flush Count Last-Flush-Time
----------------------------------------------------------------------
GigabitEthernet0/0/1 Master Inactive 1 0000/00/00 00:00:00 UTC+00:00
GigabitEthernet0/0/2 Slave Active 1 0000/00/00 00:00:00 UTC+00:00
# Run the undo shutdown command to bring up GigabitEthernet 0/0/1, and you
can find that GigabitEthernet 0/0/1 is in Active state and GigabitEthernet
0/0/2 is in Inactive state.
[SwitchA-GigabitEthernet0/0/1] undo shutdown
[SwitchA-GigabitEthernet0/0/1] display smart-link group 1
Smart Link group 1 information :
Smart Link group was enabled
There is no Load-Balance
There is no protected-vlan reference-instance
DeviceID: 0025-9e80-2494 Control-vlan ID: 10
Member Role State Flush Count Last-Flush-Time
----------------------------------------------------------------------
GigabitEthernet0/0/1 Master Active 1 0000/00/00 00:00:00 UTC+00:00
GigabitEthernet0/0/2 Slave Inactive 1 0000/00/00 00:00:00 UTC+00:00
----End
Configuration Files
● Configuration file of SwitchA
#
vlan 10
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 10
stp disable
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 10
stp disable
#
smart-link group 1
restore enable
smart-link enable
port GigabitEthernet0/0/1 master
port GigabitEthernet0/0/2 slave
timer wtr 30
flush send control-vlan 10 password simple 123
#
return
● Configuration file of SwitchB
#
vlan 10
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 10
smart-link flush receive control-vlan 10 password simple 123
#
return
● Configuration file of SwitchC
#
vlan 10
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 10
smart-link flush receive control-vlan 10 password simple 123
#
return
6.1.5.2 Example for Configuring Load Balancing Between Active and Standby
Links of a Smart Link Group
Networking Requirements
As shown in Figure 6-5, packets of VLAN 100 and VLAN 500 are transmitted
through the standby link, and packets of other VLANs are transmitted through the
active link. To ensure network reliability, the customer network is dual-homed to
the MAN. When the active link fails, packets on the active link can be switched to
the standby link quickly. When the standby link fails, packets of VLAN 100 and
VLAN 500 can be switched to the active link quickly. The service interruption
duration is restricted to millisecond level.
Figure 6-5 Networking diagram for configuring load balancing between active
and standby links of a Smart Link group
Configuration Roadmap
The configuration roadmap is as follows:
Data Preparation
To complete the configuration, you need the following data:
● IDs of instances and IDs of the VLANs bound to the instances on SwitchA.
● ID of a Smart Link group.
● Numbers of the uplink interfaces on SwitchA.
● Control VLAN ID and password contained in Flush packets.
Procedure
Step 1 On SwitchA, configure the control VLAN and add the uplink interfaces to the
control VLAN.
<SwitchA> system-view
[SwitchA] vlan batch 10 100 500
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 10 100 500
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 10 100 500
[SwitchA-GigabitEthernet0/0/2] quit
Step 3 Add the uplink interfaces to the Smart Link group and specify the master and
slave interfaces. Ensure that STP is disabled on the uplink interfaces.
# Configure SwitchA.
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] stp disable
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] stp disable
[SwitchA-GigabitEthernet0/0/2] quit
[SwitchA] smart-link group 1
[SwitchA-smlk-group1] port gigabitethernet 0/0/1 master
[SwitchA-smlk-group1] port gigabitethernet 0/0/2 slave
Step 5 Enable revertive switching and set the wait-to-restore (WTR) time.
# Configure SwitchA.
[SwitchA-smlk-group1] restore enable
[SwitchA-smlk-group1] timer wtr 30
# Configure SwitchC.
# Run the display smart-link group command to view information about the
Smart Link group on SwitchA. If the following information is displayed, it indicates
that the configuration is successful.
# Run the shutdown command on GigabitEthernet0/0/1. GigabitEthernet0/0/1 then
changes to the Inactive state and GigabitEthernet0/0/2 to the Active state.
[SwitchA-GigabitEthernet0/0/1] shutdown
[SwitchA-GigabitEthernet0/0/1] display smart-link group 1
Smart Link group 1 information :
Smart Link group was enabled
Load-Balance Instance: 10
There is no protected-vlan reference-instance
DeviceID: 0025-9e80-2494 Control-vlan ID: 10
Member Role State Flush Count Last-Flush-Time
----------------------------------------------------------------------
GigabitEthernet0/0/1 Master Inactive 1 0000/00/00 00:00:00 UTC+00:00
GigabitEthernet0/0/2 Slave Active 1 0000/00/00 00:00:00 UTC+00:00
----End
Configuration Files
● Configuration file of SwitchA
#
vlan batch 10 100 500
#
stp region-configuration
instance 10 vlan 10 100 500
active region-configuration
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 10 100 500
stp disable
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 10 100 500
stp disable
#
smart-link group 1
load-balance instance 10 slave
restore enable
smart-link enable
port GigabitEthernet0/0/1 master
port GigabitEthernet0/0/2 slave
timer wtr 30
flush send control-vlan 10 password simple 123
#
return
Networking Requirements
As shown in Figure 6-6, Switch C on the MAN is connected to user networks. It
accesses the backbone network through uplink devices Switch A and Switch B in
dual-homed mode.
Switch A and Switch C are connected to uplink devices in dual-homed mode. One
out of each link pair needs to be blocked to prevent loops. When the active link
fails, the data flows can be rapidly switched to the standby link to ensure normal
services.
A monitoring mechanism is required to prevent service interruption caused by
uplink faults. It lets the downlink detect an uplink fault quickly, so that link
switching is performed immediately and the service interruption is shortened.
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure Smart Link groups on Switch A and Switch C, and add uplink
interfaces to the groups.
2. Configure Monitor Link groups on Switch A and Switch B.
3. Enable Switch A and Switch C to send Flush packets.
4. Enable Switch A and Switch C to receive Flush packets.
Data Preparation
To complete the configuration, you need the following data:
Procedure
Step 1 Configure the same control VLAN on Switch A, Switch B, and Switch C. Add the
interfaces of the Smart Link group or Monitor Link group to this VLAN.
The configuration procedures are not mentioned here. For details, see section
VLAN Configuration in Chapter Configuration Guide - Ethernet in the CX91x
Series Switch Modules V100R001C00 Configuration Guide.
Step 2 Create Smart Link groups and enable the functions of the groups.
# Configure Switch A.
<SwitchA> system-view
[SwitchA] smart-link group 1
[SwitchA-smlk-group1] quit
# Configure Switch C.
<SwitchC> system-view
[SwitchC] smart-link group 2
[SwitchC-smlk-group2] quit
Step 3 Add interfaces to the Smart Link groups and specify the master and slave
interfaces of each Smart Link group.
# Configure Switch A.
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] stp disable
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] stp disable
[SwitchA-GigabitEthernet0/0/2] quit
[SwitchA] smart-link group 1
[SwitchA-smlk-group1] port gigabitethernet 0/0/1 master
[SwitchA-smlk-group1] port gigabitethernet 0/0/2 slave
# Configure Switch C.
[SwitchC] interface gigabitethernet 0/0/1
[SwitchC-GigabitEthernet0/0/1] stp disable
[SwitchC-GigabitEthernet0/0/1] quit
[SwitchC] interface gigabitethernet 0/0/2
[SwitchC-GigabitEthernet0/0/2] stp disable
[SwitchC-GigabitEthernet0/0/2] quit
[SwitchC] smart-link group 2
[SwitchC-smlk-group2] port gigabitethernet 0/0/1 master
[SwitchC-smlk-group2] port gigabitethernet 0/0/2 slave
Step 4 Enable revertive switching and set the wait-to-restore (WTR) time.
# Configure Switch A.
[SwitchA-smlk-group1] restore enable
[SwitchA-smlk-group1] timer wtr 30
# Configure Switch C.
[SwitchC-smlk-group2] restore enable
[SwitchC-smlk-group2] timer wtr 30
# Configure Switch B.
<SwitchB> system-view
[SwitchB] interface gigabitethernet 0/0/3
[SwitchB-GigabitEthernet0/0/3] smart-link flush receive control-vlan 10 password simple 123
# Configure Switch C.
[SwitchC-smlk-group2] flush send control-vlan 10 password simple 123
# Configure Switch C.
[SwitchC] smart-link group 2
[SwitchC-smlk-group2] smart-link enable
[SwitchC-smlk-group2] quit
Step 7 Create Monitor Link groups and add the uplink and downlink interfaces to the
Monitor Link groups.
# Configure Switch A.
[SwitchA] monitor-link group 1
[SwitchA-mtlk-group1] smart-link group 1 uplink
[SwitchA-mtlk-group1] port gigabitethernet 0/0/3 downlink 1
# Configure Switch B.
[SwitchB] monitor-link group 2
[SwitchB-mtlk-group2] port gigabitethernet 0/0/1 uplink
[SwitchB-mtlk-group2] port gigabitethernet 0/0/3 downlink 1
Step 8 Set the revertive switching interval of the Monitor Link groups.
# Configure Switch A.
[SwitchA-mtlk-group1] timer recover-time 10
# Configure Switch B.
[SwitchB-mtlk-group2] timer recover-time 10
----End
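The two examples above describe behaviour rather than show it: the standby member takes over when the active link fails, the master returns only after the WTR timer expires when revertive switching is enabled, the Monitor Link group shuts its downlinks while its uplink (here the Smart Link group) has no working member and restores them after recover-time, and a receiver honours a Flush packet only on the configured control VLAN with the configured password. The following model is an added example written for this page; it is not Huawei code and does not reproduce VRP internals. All class and function names, the simulated timeline and the Flush-packet dictionary are this example's own assumptions. Note also that `password simple 123` stores the Flush password in cleartext in the configuration file, as the configuration files above show.

```python
"""Behavioural model of a Smart Link group with revertive switching (WTR) and a
Monitor Link group whose uplink is that Smart Link group.  Added example, not
Huawei code; names and timings (seconds of simulated time) are assumptions."""
from typing import Optional


class SmartLinkGroup:
    """Two members, at most one forwarding (Active) at any time."""

    def __init__(self, master: str, slave: str, restore: bool = True, wtr: int = 30):
        self.master, self.slave = master, slave
        self.up = {master: True, slave: True}     # physical link state per member
        self.active: Optional[str] = master       # the master forwards by default
        self.restore, self.wtr = restore, wtr     # 'restore enable' / 'timer wtr'
        self.wtr_deadline: Optional[int] = None   # when a pending revert fires
        self.flush_count = 0                      # Flush packets this group sent

    def _other(self, port: str) -> str:
        return self.slave if port == self.master else self.master

    def link_down(self, port: str) -> None:
        self.up[port] = False
        self.wtr_deadline = None                  # a new fault cancels a pending revert
        if port == self.active:
            other = self._other(port)
            # Switchover: the standby takes over and a Flush packet is sent so the
            # upstream switches drop MAC entries learned through the failed link.
            self.active = other if self.up[other] else None
            if self.active is not None:
                self.flush_count += 1

    def link_up(self, port: str, now: int) -> None:
        self.up[port] = True
        if self.active is None:                   # nothing forwarding: use it at once
            self.active = port
            self.flush_count += 1
        elif port == self.master and self.restore and self.active == self.slave:
            # Revertive mode: the master only takes back the traffic after WTR
            # seconds of stability, so a flapping link does not cause repeated switchovers.
            self.wtr_deadline = now + self.wtr

    def tick(self, now: int) -> None:
        """Advance simulated time; fire a pending revert once WTR has elapsed."""
        if (self.wtr_deadline is not None and now >= self.wtr_deadline
                and self.up[self.master]):
            self.active, self.wtr_deadline = self.master, None
            self.flush_count += 1

    def uplink_ok(self) -> bool:
        return self.active is not None

    def state(self, port: str) -> str:
        return "Active" if port == self.active else "Inactive"


class MonitorLinkGroup:
    """Downlinks are shut while the uplink is down, restored after recover-time."""

    def __init__(self, uplink: SmartLinkGroup, downlinks, recover_time: int = 10):
        self.uplink, self.downlinks = uplink, list(downlinks)
        self.recover_time = recover_time          # 'timer recover-time'
        self.downlinks_up = True
        self.recover_deadline: Optional[int] = None

    def tick(self, now: int) -> None:
        if not self.uplink.uplink_ok():
            self.downlinks_up = False             # downstream switch sees its uplink go down
            self.recover_deadline = None
        elif not self.downlinks_up:
            if self.recover_deadline is None:
                self.recover_deadline = now + self.recover_time
            elif now >= self.recover_deadline:
                self.downlinks_up, self.recover_deadline = True, None


def accept_flush(pkt: dict, control_vlan: int, password: str) -> bool:
    """Receive-side check ('smart-link flush receive control-vlan ... password ...'):
    the packet must arrive on the control VLAN and carry the configured password."""
    return pkt.get("vlan") == control_vlan and pkt.get("password") == password


def run_scenario() -> dict:
    """Master fails, returns and reverts after WTR; then both uplinks fail."""
    g = SmartLinkGroup("GE0/0/1", "GE0/0/2", restore=True, wtr=30)
    m = MonitorLinkGroup(g, ["GE0/0/3"], recover_time=10)
    trace = {}
    g.link_down("GE0/0/1"); g.tick(0); m.tick(0)
    trace["after_master_down"] = (g.active, m.downlinks_up)
    g.link_up("GE0/0/1", now=5); g.tick(5); m.tick(5)
    trace["master_back_t5"] = g.active            # still slave: WTR running
    g.tick(34); trace["t34"] = g.active           # 29 s later, WTR not expired
    g.tick(35); trace["t35"] = g.active           # WTR expired: master again
    g.link_down("GE0/0/1"); g.link_down("GE0/0/2"); g.tick(40); m.tick(40)
    trace["both_down"] = (g.active, m.downlinks_up)
    g.link_up("GE0/0/2", now=45); g.tick(45); m.tick(45)
    trace["slave_back_t45"] = (g.active, m.downlinks_up)
    m.tick(54); trace["t54_downlinks"] = m.downlinks_up
    m.tick(55); trace["t55_downlinks"] = m.downlinks_up
    trace["flushes"] = g.flush_count
    return trace
```

The trace produced by `run_scenario()` reproduces the verification output shown above (master Inactive, slave Active after the shutdown) and then the parts the page only describes: the master stays Inactive for the full WTR after it recovers, and the Monitor Link downlinks stay down for recover-time seconds after the uplink is back.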
Configuration Files
● Configuration file of Switch A
#
vlan 10
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 10
stp disable
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 10
stp disable
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk allow-pass vlan 10
smart-link flush receive control-vlan 10 password simple 123
#
smart-link group 1
smart-link enable
port GigabitEthernet0/0/1 master
port GigabitEthernet0/0/2 slave
timer wtr 30
restore enable
flush send control-vlan 10 password simple 123
#
monitor-link group 1
smart-link group 1 uplink
port GigabitEthernet0/0/3 downlink 1
timer recover-time 10
#
return
● Configuration file of Switch C
#
vlan 10
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 10
stp disable
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 10
stp disable
#
smart-link group 2
smart-link enable
port GigabitEthernet0/0/1 master
port GigabitEthernet0/0/2 slave
timer wtr 30
restore enable
flush send control-vlan 10 password simple 123
#
return
7 Configuration Guide-Device
Management
This topic describes how to view the device status, restart a device, and configure
a device by using the information center, monitoring, and mirroring functions.
NOTE
The terms mirrored port, port mirroring, traffic mirroring, and mirroring in this manual
refer only to the product's function for detecting communication errors or failures,
and do not involve collection or processing of any personal information or
communication data of users.
7.1.1 Introduction
This topic describes the functions of the display commands.
The CX91x series provides two independent switching systems: Base and Fabric.
You need to manage and maintain devices in the two switching systems
separately.
Each switching system provides two independent file systems: the flash file
system (Flash:/) and the FlashVX file system (flashVx:/). The flash file system
stores the switching software and the configuration file. The FlashVX file system
stores temporary data.
● After the CX91x series is powered off, the data on the FlashVX system will be
lost.
● After you use the reboot command to restart the board, the data will not be
lost.
NOTE
The data in the flash file system is not lost after the CX91x series is powered off or you
execute the reboot command.
You can use display commands to view the status of a device and check whether
the device runs normally.
NOTE
The management module manages all the hardware in the E9000 chassis, including the
chassis, management modules, boards, and fan trays. For details about management
module functions, see the MM910 Management Module V100R001 User Guide.
Context
You can run the following command in any view to check the device information of
the CX91x series.
Procedure
Step 1 Run:
display device
----End
Context
You can run the display version command in any view to check the hardware
version and software version of the CX91x series.
Procedure
Step 1 Run:
display version
The hardware version and software version of the CX91x series is displayed.
----End
Procedure
Step 1 Run:
display cpu-usage [ configuration ]
----End
Context
You can run the following command in any view to check the memory usage of
the CX91x series.
If the memory usage exceeds 80%, contact Huawei technical support.
Procedure
Step 1 Run:
display memory-usage
----End
Information Classification
The information center receives and processes the following types of information:
● Logs
● Debugging information
● Trap information
channels. For example, you can configure logs to be output to the log cache
through Channel 6 rather than Channel 3.
Table 7-2 Association relationship between information channels and output
directions
Channel Number | Default Channel Name | Output Direction | Description
When multiple log hosts are configured, logs can be sent to different log hosts
through one channel or through several channels. For example, some logs can be
sent to a log host through Channel 2 (loghost) and others through Channel 6. You
can also rename Channel 6 to make channel management easier.
Format of Logs
Syslog is a sub-function of the information center. It sends information to a log
host on UDP port 514. Classic UDP syslog is neither encrypted nor authenticated, so
keep log traffic on the management network and have the log host accept messages
only from known source addresses.
Figure 7-2 shows the format of logs.
<Int_16> (leading character): Before logs are output to log hosts, leading
characters are added. Logs saved on the local device do not contain leading
characters.
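The leading characters are the syslog priority field, and a log host has to decode them to recover the facility and severity the device put in front of the message. The parser below is an added example written for this page, not Huawei code. It assumes the classic syslog convention, PRI = facility * 8 + severity with local0 to local7 numbered 16 to 23 (the `facility local-number` option of `info-center loghost`), and takes the body format `%%ddModule/Severity/Brief(l)[n]:text` from the reboot log shown later in this chapter. The sample lines are constructed for the example; the third one uses an invented module name.

```python
"""Parse syslog lines the way a log host receives them from the information
center.  Added example, not Huawei code; PRI arithmetic follows RFC 3164 and
the sample lines are constructed."""
import re

FACILITIES = {0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth", 5: "syslog",
              6: "lpr", 7: "news", 8: "uucp", 9: "cron", 10: "authpriv", 11: "ftp"}
FACILITIES.update({16 + i: f"local{i}" for i in range(8)})   # 'facility local-number'
SEVERITIES = ["emergency", "alert", "critical", "error",
              "warning", "notice", "informational", "debug"]

# Optional <PRI>, then "Mon d yyyy hh:mm:ss host %%ddMODULE/sev/BRIEF(l)[n]:text"
LINE_RE = re.compile(
    r"^(?:<(?P<pri>\d{1,3})>)?"
    r"(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{4}\s+\d{2}:\d{2}:\d{2})\s+"
    r"(?P<host>\S+)\s+"
    r"%%(?P<ver>\d{2})(?P<module>\w+)/(?P<sev>\d)/(?P<brief>\w+)"
    r"\((?P<kind>[a-z])\)(?:\[(?P<count>\d+)\])?:(?P<text>.*)$")


def pri_for(facility_name: str, severity: int) -> int:
    """PRI value a sender writes in front of a message for this facility/severity."""
    code = next(k for k, v in FACILITIES.items() if v == facility_name)
    return code * 8 + severity


def parse_syslog(line: str) -> dict:
    """Split one log line into fields; raises ValueError on a non-matching line."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unrecognised log line: {line!r}")
    d = m.groupdict()
    rec = {"host": d["host"], "timestamp": d["ts"], "module": d["module"],
           "level": int(d["sev"]), "brief": d["brief"], "text": d["text"].strip(),
           "count": int(d["count"]) if d["count"] else None}
    if d["pri"] is None:
        # Logs read from the local buffer carry no leading characters.
        rec.update(pri=None, facility=None, facility_name=None, severity_name=None)
    else:
        pri = int(d["pri"])
        fac, sev = divmod(pri, 8)             # PRI = facility * 8 + severity
        rec.update(pri=pri, facility=fac,
                   facility_name=FACILITIES.get(fac, f"facility{fac}"),
                   severity_name=SEVERITIES[sev])
    return rec


# Constructed samples: the reboot log from this chapter as a log host would
# receive it with facility local7 (23 * 8 + 4 = 188), the same event as stored
# locally (no <PRI>), and an invented informational message (23 * 8 + 6 = 190).
SAMPLE_LINES = [
    "<188>Apr 4 2011 00:25:48 Base %%01CMD/4/REBOOT(l)[1]:The user chose Y when "
    "deciding whether to reboot the system.",
    "Apr 4 2011 00:25:48 Base %%01CMD/4/REBOOT(l)[1]:The user chose Y when "
    "deciding whether to reboot the system.",
    "<190>Apr 4 2011 00:26:02 Base %%01EXAMPLE/6/DEMO(l):constructed line",
]


def summarise(lines=SAMPLE_LINES) -> list:
    """(host, facility name, severity name, module, brief) for each line."""
    return [(r["host"], r["facility_name"], r["severity_name"], r["module"], r["brief"])
            for r in map(parse_syslog, lines)]


if __name__ == "__main__":
    for rec in map(parse_syslog, SAMPLE_LINES):
        print(rec)
```

The severity digit inside the Huawei body (`CMD/4/REBOOT`) and the severity recovered from the PRI should agree; a log host rule that compares the two is a cheap way to spot messages that did not come from the device they claim to, since UDP syslog itself gives no such assurance.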
Format of Traps
Figure 7-3 shows the format of the output traps.
Applicable Environment
To collect debugging information, logs, and traps during the operation of the
CX91x series, and to send them to the terminal for display, or to the buffer or the
host for storage, you need to configure the information center.
Pre-configuration Tasks
None.
Data Preparation
To manage the information center, you need the following data.
No. Data
3 Severity level
4 Language used in the logs and the address of the log host
Procedure
Step 1 Run:
system-view
----End
Prerequisites
You must have administrator rights to perform this operation.
Procedure
Step 1 Run:
system-view
----End
Prerequisites
You must have administrator rights to perform this operation.
Procedure
Step 1 Run:
system-view
Step 2 Run:
info-center source { module-name | default } channel { channel-number | channel-name } [ { debug | log | trap } { state { off | on } | level severity } * ] *
NOTE
----End
Prerequisites
You must have administrator rights to perform this operation.
Procedure
Step 1 Run:
system-view
Step 2 Run:
info-center timestamp debugging { boot | none | { short-date | format-date | date } [ precision-time { tenth-second | second } ] }
Step 3 Run:
info-center timestamp { trap | log } { boot | none | { short-date | format-date | date } [ precision-time { tenth-second | millisecond } ] }
The timestamp format for output logs or traps is set.
----End
NOTE
Action Command
Prerequisites
You must have administrator rights to perform this operation.
Procedure
Step 1 Run:
system-view
or
terminal logging
or
terminal trapping
NOTE
----End
Prerequisites
You must have administrator rights to perform this operation.
Procedure
Step 1 Run:
system-view
Step 2 Run:
info-center monitor channel { channel-number | channel-name }
Step 3 Run:
quit
Step 4 Run:
terminal monitor
Step 5 Run:
terminal debugging
or
terminal logging
or
terminal trapping
NOTE
----End
Prerequisites
You must have administrator rights to perform this operation.
Procedure
Step 1 Run:
system-view
Prerequisites
You must have administrator rights to perform this operation.
Procedure
Step 1 Run:
system-view
----End
Prerequisites
You must have administrator rights to perform this operation.
Procedure
Step 1 Run:
system-view
Step 2 Run:
info-center trapbuffer [ channel { channel-number | channel-name } | size buffersize ] *
----End
Prerequisites
You must have administrator rights to perform this operation.
Procedure
Step 1 Run:
system-view
Step 2 Run:
info-center loghost ip-address [ channel { channel-number | channel-name } | facility local-number | { language language-name | binary [ port ] } | { public-net } ] *
The channel for sending information to the IPv4 log host is set.
Step 3 Run:
info-center loghost source interface-type interface-number
----End
Prerequisites
You must have administrator rights to perform this operation.
Context
All operating logs are stored in the log.log file in R:/logfile.
NOTE
For CX91x series, you can run the save logfile command to save the logs in the log buffer
to the log file, and run the copy command to copy the log.log file to Flash:/. For details
about save logfile, see the CX91x Series Switch Modules V100R001C00 Command
Reference.
Procedure
Step 1 Run the command system-view to go to the system view.
----End
Action Command
Run the preceding command. If the information center can send the statistics to
the destination terminal, it means that the configuration succeeds.
NOTICE
Statistics cannot be restored after being cleared. So, confirm the action before you
run the command.
Action Command
Action Command
Networking Requirements
Configuration Roadmap
The configuration roadmap is as follows:
Data Preparation
To complete the configuration, you need the following data:
Configuration Procedure
NOTE
In the example, only the commands related to monitoring are listed. For details on
configuring the log host, see the help files on the log host.
# Set VLANIF 10 as the interface for sending information to the log host on the
CX91x series.
[Base] vlan 10
[Base-vlan10] quit
[Base] interface GigabitEthernet0/0/1
[Base-GigabitEthernet0/0/1] port link-type hybrid
[Base-GigabitEthernet0/0/1] port hybrid untagged vlan 10
[Base-GigabitEthernet0/0/1] quit
[Base] interface vlanif 10
[Base-vlanif10] ip address 2.0.0.1 255.0.0.0
[Base-vlanif10] quit
[Base] info-center loghost source vlanif 10
# Enable terminal display on the console, then enable display of each
information type (logs, traps, debugging) as required.
[Base] info-center console channel 0
[Base] quit
<Base> terminal monitor
Info:Current terminal monitor is on
<Base> terminal logging
Info:Current terminal logging is on
----End
Configuration Files
#
info-center source default channel loghost log level debugging state on trap state off debug state off
info-center loghost source vlanif 10
info-center loghost 1.0.0.1
info-center console channel 0
#
#
vlan batch 10
#
interface vlanif10
ip address 2.0.0.1 255.0.0.0
#
interface GigabitEthernet0/0/1
port link-type hybrid
port hybrid untagged vlan 10
#
return
7.3 Mirroring
The mirroring function is used to monitor packets that meet certain requirements.
7.3.1 Introduction
This section describes the basics of mirroring.
Concepts
● Observing port
An observing port on the CX91x series is connected to a monitoring host. It is
used to export the packets copied from a mirrored port.
● Mirrored port
A mirrored port is the interface to be observed. Incoming or outgoing packets
passing through a mirrored port are copied to an observing port.
● Local mirroring
The observing port and mirrored port are on the same switch.
Port Mirroring
In the process of port mirroring, the CX91x series copies the packets passing
through a mirrored port and then sends the copy to a specified observing port.
Figure 7-5 shows the diagram of port mirroring.
Applicable Environment
When all incoming or outgoing packets passing through a specified interface of
the CX91x series need to be monitored, you can configure local port mirroring if
the mirrored port is located on the same CX91x series as the observing port.
Pre-configuration Tasks
None.
Data Preparation
To configure local port mirroring, you need the following data.
No. Data
Context
A mirrored port can be a physical interface or an Eth-Trunk interface.
To configure an Eth-Trunk as a mirrored port, you must run the interface eth-
trunk trunk-id command to create the Eth-Trunk first.
● If an Eth-Trunk is configured as a mirrored port, its member interfaces cannot
be configured as mirrored ports.
● If a member interface of an Eth-Trunk is configured as a mirrored port, the
Eth-Trunk cannot be configured as a mirrored port.
Procedure
Step 1 Run:
system-view
Step 4 Run:
port-mirroring to observe-port index { both | inbound | outbound }
----End
Action Command
If the following results are obtained, it indicates that the configuration succeeds:
● The observing port is configured properly.
● The mirrored port and the mirroring direction are configured properly.
Applicable Environment
When port mirroring is enabled on an interface of the CX91x series, and the
incoming or outgoing packets passing through this interface do not need to be
monitored, you can cancel port mirroring on that interface. You must cancel port
mirroring on the bound observing port before deleting or changing this observing
port.
Pre-configuration Tasks
None.
Data Preparation
To cancel port mirroring, you need the following data.
No. Data
Procedure
Step 1 Run:
system-view
Step 2 Run:
interface interface-type interface-number
Step 3 Run:
undo port-mirroring { both | inbound | outbound }
----End
Action Command
Applicable Environment
When you do not need to monitor the flow passing through the CX91x series, you
can delete the current observing port; when you need to specify another interface
on the CX91x series as an observing port, you can change the current observing
port.
Pre-configuration Tasks
Before changing or deleting an observing port, complete the following task:
Data Preparation
To change or delete an observing port, you need the following data.
No. Data
Prerequisites
Before deleting an observing port, make sure that the observing port is not used
in any mirroring configuration.
Procedure
Step 1 Run:
system-view
----End
Procedure
Step 1 Run:
system-view
Step 2 Run:
observe-port index interface interface-type interface-number
----End
Action Command
Networking Requirements
As shown in Figure 7-6, a Layer 2 (L2) switch is connected to GigabitEthernet
0/0/1 on the Switch, and the incoming packets on GigabitEthernet 0/0/1 need to
be monitored. In this case, configure local port mirroring with GigabitEthernet
0/0/1 as the mirrored port and GigabitEthernet 0/0/2 as the observing port.
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure GigabitEthernet 0/0/2 as an observing port.
2. Configure GigabitEthernet 0/0/1 as a mirrored port.
Data Preparation
None.
Configuration Procedure
Step 1 Create a VLAN on the Switch and add interfaces to the VLAN in trunk mode.
# Add GigabitEthernet 0/0/1 and GigabitEthernet 0/0/2 to the same VLAN in trunk
mode. The following takes the configuration of GigabitEthernet 0/0/1 as an
example; the configuration of GigabitEthernet 0/0/2 is the same and is not
repeated here.
<Base> system-view
[Base] vlan 10
[Base-vlan10] quit
[Base] interface GigabitEthernet 0/0/1
[Base-GigabitEthernet0/0/1] port link-type trunk
[Base-GigabitEthernet0/0/1] port trunk allow-pass vlan 10
[Base-GigabitEthernet0/0/1] quit
----End
Configuration Files
Configuration file of the Switch
#
sysname Base
#
vlan batch 10
#
observe-port 1 interface GigabitEthernet0/0/2
#
……
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 10
port-mirroring to observe-port 1 inbound
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 10
#
……
Networking Requirements
As shown in Figure 7-7, GigabitEthernet 0/0/1 on the Switch is connected to an L2
switch, GigabitEthernet 0/0/3 is connected to host 1, and GigabitEthernet 0/0/4 is
connected to host 2. Port mirroring is already configured on the Switch with
GigabitEthernet 0/0/1 as the mirrored port and GigabitEthernet 0/0/3 (host 1) as
the observing port, so host 1 receives the incoming traffic of GigabitEthernet
0/0/1. The mirrored traffic now needs to go to host 2 instead, so the observing
port must be changed to GigabitEthernet 0/0/4.
Configuration Roadmap
The configuration roadmap is as follows:
1. Delete the mirrored port GigabitEthernet 0/0/1.
2. Set GigabitEthernet 0/0/4 instead of GigabitEthernet 0/0/3 as the observing
port.
3. Reset GigabitEthernet 0/0/1 as the mirrored port.
Data Preparation
You need to obtain the type and number of the port, for example, GigabitEthernet
0/0/4.
Configuration Procedure
Step 1 Check the configurations on the current observing port and mirrored port.
# Run the display port-mirroring command to check the configurations on the
current observing port and mirrored port.
<Base> display port-mirroring
Port-mirror:
----------------------------------------------------------
Mirror-port Direction Observe-port
----------------------------------------------------------
GigabitEthernet0/0/1 Inbound GigabitEthernet0/0/3
# After the observing port has been changed to GigabitEthernet 0/0/4 as described
in the configuration roadmap, run the command again:
<Base> display port-mirroring
Port-mirror:
----------------------------------------------------------
Mirror-port Direction Observe-port
----------------------------------------------------------
GigabitEthernet0/0/1 Inbound GigabitEthernet0/0/4
----End
Configuration Files
Configuration file of the Switch
#
sysname Base
#
observe-port 1 interface GigabitEthernet0/0/4
#
……
#
interface GigabitEthernet0/0/1
port-mirroring to observe-port 1 inbound
#
……
7.4 Restarting
This chapter describes how to restart the CX91x series.
Context
NOTICE
The reboot command interrupts all traffic through the switching plane until it
is back up. Run the reboot command with caution.
Before restarting the CX91x series, check whether to save the configuration file
and whether the file contents are correct. For details on saving the configuration
file, see section Basic Configuration in the CX91x Series Switch Modules
V100R001C00 Configuration Guide.
NOTE
Procedure
Step 1 Open the CLI of the onboard GE switching plane, and run the reboot command to
restart the onboard GE switching plane.
<Base>reboot
Step 2 Press y to save the configurations or press n to cancel the operation, and then
press Enter.
Step 3 Press y. The system restarts.
System will reboot! Continue?[Y/N]:y
Apr 4 2011 00:25:48 Base %%01CMD/4/REBOOT(l)[1]:The user chose Y when deciding whether to reboot
the system.
.
..
...
Soft Reset.....done.
----End
Context
NOTICE
● This action interrupts all traffic through the CX91x series until it has
restarted. Perform this action with caution.
● Before restarting the CX91x series, check whether to save the configuration file
and whether the file contents are correct. For details about how to save the
configuration file, see section Basic Configuration in the CX91x Series Switch
Modules V100R001C00 Configuration Guide.
NOTE
Both onboard GE switching plane and 10 GE switching plane restart when you restart the
CX91x series by using the ejector levers.
Procedure
Step 1 Raise both ejector levers to power off the CX91x series.
Step 2 Lower both ejector levers to power on and start the CX91x series.
----End
8 Configuration Guide-Network
Management
This topic describes how to configure the Simple Network Management Protocol
(SNMP), Ping, and Tracert by using examples based on the basic device features.
NM Station
The NM Station is a station on which the client program runs.
Agent
The agent is a process that is running on the managed devices.
The agent has the following functions:
● Receives and analyzes request packets from the NM Station.
● Performs read or write operations on management variables according to the
packet type and generates a response packet for the NM Station.
● Sends a trap message to the NM Station to report events such as a device
restart once the trigger conditions configured in each protocol module are
met.
MIB
SNMP uses a hierarchical naming convention to identify managed objects and to
distinguish between managed objects. This hierarchical structure is similar to a
tree with the nodes representing managed objects. Figure 8-2 shows a managed
object that can be identified by the path from the root to the node representing it.
SNMP Operation
SNMP uses a simple GET/SET model instead of a complex command set; all other
operations are built from these basic operations.
You can use standard MIBs, or define your own MIB following the standard format.
This reduces the cost of most agent components and therefore of the whole
network management system.
Table 8-1 lists the basic SNMP operations.
SNMPv1
● Supporting community-name-based access control
● Supporting MIB-view-based access control
● Supporting Traps
In SNMPv1 and SNMPv2c the community name is the only credential and is carried
in cleartext in every packet, so restrict who may use it with the ACL and
MIB-view controls described later in this chapter, or use SNMPv3 where the NM
Station supports it.
SNMPv2c
● Supporting community-name-based access control
● Supporting MIB-view-based access control
● Supporting Traps and Informs
SNMPv3
SNMPv3 inherits the basic operations of SNMPv2c. It defines a management
framework, introduces the User-based Security Model (USM), and provides
authentication and encryption for access users.
● Supporting user group
● Supporting group-based access control
● Supporting user-based access control
● Supporting authentication and encryption mechanisms
● Supporting Traps
Applicable Environment
To enable NM Station to manage the Switch Module, configure basic SNMPv1
functions on the Switch Module.
Pre-configuration Tasks
Before configuring SNMPv1, complete the following tasks:
● Assigning an IP address to the Switch Module
● Configuring the routing protocol to make the Switch Module and the NM
Station accessible
Data Preparation
To configure SNMPv1, you need the following data.
No. Data
1 SNMP version
Context
The SNMP agent is enabled on the target Switch Module.
Procedure
Step 1 Run:
system-view
Step 2 Run:
snmp-agent
----End
Context
The SNMP agent is enabled on the target Switch Module.
Procedure
Step 1 Run:
system-view
Step 2 Run:
snmp-agent sys-info version v1
----End
Context
The SNMP agent is enabled on the target Switch Module.
Procedure
Step 1 Run:
system-view
Step 2 Run:
snmp-agent community { read | write } community-name
The read and write community names of the agent are configured.
NOTE
The community names for setting the read and write properties cannot be the same.
Otherwise, the read or write property of a community name will be overwritten.
----End
Prerequisites
The configurations of the Basic Functions of SNMPv1 are complete.
Procedure
● Run the display snmp-agent community command to view the community
name of the SNMP agent.
● Run the display snmp-agent sys-info version command to view the SNMP
version information.
----End
Example
Run the display snmp-agent community command. If information on the
community name is displayed, it means that the configuration succeeds.
<Base> display snmp-agent community
Community name:%$%$-yqBSyTXbNM8OIV)`6kHeri`%$%$
Group name:%$%$-yqBSyTXbNM8OIV)`6kHeri`%$%$
Storage-type: nonVolatile
Community name:%$%$k(1p/_Kz26BP~9I"7`]
Community name:%$%$k(1p/_Kz26BP~9I"7`]
Storage-type: nonVolatile
Run the display snmp-agent sys-info version command. If the version of SNMP
run on the agent is displayed, it means that the configuration succeeds.
<Base> display snmp-agent sys-info version
SNMP version running in the system:
SNMPv1 SNMPv3
Applicable Environment
To configure the specified NM Station to manage the Switch Module (SNMP
agent), configure access control lists (ACLs) on the Switch Module.
Pre-configuration Tasks
Before configuring community-name-based access control, complete the following
tasks:
Data Preparation
To configure community-name-based access control, you need the following data.
No. Data
1 ACL number
Context
The SNMP agent is enabled on the target Switch Module.
Procedure
Step 1 Run:
system-view
Step 2 Run:
snmp-agent sys-info version v1
----End
Context
The SNMP agent is enabled on the target Switch Module.
Procedure
Step 1 Run:
system-view
Step 2 Run:
acl acl-number
Step 3 Run:
rule [ rule-id ] { deny | permit } [ source { source-address source-wildcard | any } | time-range time-name ] *
----End
Context
The SNMP agent is enabled on the target Switch Module.
Procedure
Step 1 Run:
system-view
----End
Prerequisites
The configurations of the Community-Name-based Access Control in SNMPv1 are
complete.
Procedure
● Run the display acl acl-number command to view the rules of the configured
ACL.
● Run the display snmp-agent community command to view the community
name of the agent.
● Run the display snmp-agent sys-info version command to view the SNMP
version information.
----End
Example
Run the display acl acl-number command. If information on the rules of the
configured ACL is displayed, it means that the configuration succeeds.
<Base> display acl 2000
Basic ACL 2000, 1 rule
Acl's step is 5
rule 5 permit source 1.1.1.1 0
Community name:%$%$k(1p/_Kz26BP~9I"7`]
Community name:%$%$k(1p/_Kz26BP~9I"7`]
Storage-type: nonVolatile
Run the display snmp-agent sys-info version command. If the version of SNMP
run on the agent is displayed, it means that the configuration succeeds.
<Base> display snmp-agent sys-info version
Applicable Environment
To grant different NM Stations different access rights on the Switch Module,
configure different MIB views on the Switch Module.
Pre-configuration Tasks
Before configuring MIB-view-based access control, complete the following tasks:
● Assigning an IP address to the Switch Module
● Configuring the routing protocol to make the Switch Module and the NM
Station accessible
Data Preparation
To configure MIB-view-based access control, you need the following data.
No. Data
Context
The SNMP agent is enabled on the target Switch Module.
Procedure
Step 1 Run:
system-view
Step 2 Run:
snmp-agent sys-info version v1
----End
Context
Do as follows on the Switch Module enabled with the SNMP agent.
Procedure
Step 1 Run:
system-view
Step 2 Run:
snmp-agent mib-view { excluded | included } view-name oid-tree
----End
Context
Do as follows on the Switch Module enabled with the SNMP agent.
Procedure
Step 1 Run:
system-view
Step 2 Run:
snmp-agent community { read | write } community-name1 mib-view view-name
----End
Prerequisites
The configurations of the MIB-View-based Access Control in SNMPv1 are
complete.
Procedure
● Run the display snmp-agent mib-view command to view the MIB view.
● Run the display snmp-agent community command to view the community
name of the agent.
● Run the display snmp-agent sys-info version command to view the SNMP
version information.
----End
Example
Run the display snmp-agent mib-view command. If information on the MIB view
is displayed, it means that the configuration succeeds.
<Base> display snmp-agent mib-view
View name:ViewDefault
MIB Subtree:internet
Subtree mask:
Storage-type: nonVolatile
View Type:included
View status:active
View name:ViewDefault
MIB Subtree:snmpUsmMIB
Subtree mask:
Storage-type: nonVolatile
View Type:excluded
View status:active
View name:ViewDefault
MIB Subtree:snmpVacmMIB
Subtree mask:
Storage-type: nonVolatile
View Type:excluded
View status:active
View name:ViewDefault
MIB Subtree:snmpModules.18
Subtree mask:
Storage-type: nonVolatile
View Type:excluded
View status:active
Community name:%$%$k(1p/_Kz26BP~9I"7`]
Community name:%$%$k(1p/_Kz26BP~9I"7`]
Storage-type: nonVolatile
Run the display snmp-agent sys-info version command to display the version of
SNMP run on the agent.
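The following Python script is an added example; it is not part of this guide or of the switch software. It evaluates a MIB view the way the agent's view-based access control (RFC 3415) does: the longest matching subtree decides, so the excluded snmpUsmMIB, snmpVacmMIB and snmpModules.18 entries of ViewDefault above carve holes out of the included internet subtree. The records are the ones displayed above; the table that resolves the symbolic subtree names to numeric OIDs, and the reading of an empty Subtree mask as "all bits set", are assumptions of the example.

```python
"""Evaluate an SNMP MIB view the way the agent's VACM does (RFC 3415).

Constructed example: the view records are modelled on the ViewDefault
output shown in the guide; the symbolic subtree names are resolved with a
small lookup table that is an assumption of this example.
"""
from dataclasses import dataclass
from typing import List, Tuple

# Symbolic subtree names as printed by the switch -> numeric OID prefixes.
SUBTREE_NAMES = {
    "internet": "1.3.6.1",
    "snmpModules": "1.3.6.1.6.3",
    "snmpUsmMIB": "1.3.6.1.6.3.15",
    "snmpVacmMIB": "1.3.6.1.6.3.16",
}


def parse_oid(text: str) -> Tuple[int, ...]:
    """'snmpModules.18' -> (1,3,6,1,6,3,18); '1.3.6.1.2.1' -> (1,3,6,1,2,1)."""
    head, *rest = text.split(".")
    if head in SUBTREE_NAMES:
        text = ".".join([SUBTREE_NAMES[head], *rest])
    return tuple(int(part) for part in text.split("."))


@dataclass(frozen=True)
class ViewEntry:
    subtree: Tuple[int, ...]
    included: bool
    mask: Tuple[int, ...] = ()   # one bit per sub-identifier; empty means all ones


def _matches(entry: ViewEntry, oid: Tuple[int, ...]) -> bool:
    """The entry covers oid if every masked-in sub-identifier of the subtree matches."""
    if len(oid) < len(entry.subtree):
        return False
    for i, sub in enumerate(entry.subtree):
        bit = entry.mask[i] if i < len(entry.mask) else 1
        if bit and oid[i] != sub:
            return False
    return True


def oid_in_view(view: List[ViewEntry], oid: Tuple[int, ...]) -> bool:
    """The longest matching subtree decides; ties go to the lexicographically
    greatest subtree. 'excluded' entries therefore punch holes in a larger
    'included' subtree, which is what ViewDefault does with snmpUsmMIB."""
    best = None
    for entry in view:
        if _matches(entry, oid):
            if best is None or (len(entry.subtree), entry.subtree) > (len(best.subtree), best.subtree):
                best = entry
    return best is not None and best.included


def parse_mib_view_output(text: str) -> List[ViewEntry]:
    """Turn 'display snmp-agent mib-view' records into ViewEntry objects.
    Only 'MIB Subtree' and 'View Type' are used; a record ends at 'View status'."""
    entries, record = [], {}
    for line in text.splitlines():
        key, _, value = line.partition(":")
        record[key.strip()] = value.strip()
        if key.strip() == "View status":
            entries.append(ViewEntry(parse_oid(record["MIB Subtree"]),
                                     record["View Type"] == "included"))
            record = {}
    return entries


# Sample records, constructed from the ViewDefault output in the guide.
SAMPLE_VIEW_OUTPUT = """\
View name:ViewDefault
MIB Subtree:internet
Subtree mask:
Storage-type: nonVolatile
View Type:included
View status:active
View name:ViewDefault
MIB Subtree:snmpUsmMIB
Subtree mask:
Storage-type: nonVolatile
View Type:excluded
View status:active
View name:ViewDefault
MIB Subtree:snmpVacmMIB
Subtree mask:
Storage-type: nonVolatile
View Type:excluded
View status:active
View name:ViewDefault
MIB Subtree:snmpModules.18
Subtree mask:
Storage-type: nonVolatile
View Type:excluded
View status:active
"""


def visible_oids(view: List[ViewEntry], candidates: List[str]) -> List[str]:
    """Return the subset of candidate OIDs (dotted strings) that the view exposes."""
    return [c for c in candidates if oid_in_view(view, parse_oid(c))]


if __name__ == "__main__":
    view = parse_mib_view_output(SAMPLE_VIEW_OUTPUT)
    probes = ["1.3.6.1.2.1.1.1.0",         # sysDescr.0: visible
              "1.3.6.1.6.3.15.1.2.2.1.3",  # usmUserSecurityName: hidden
              "1.3.6.1.6.3.18.1.1.1.3"]    # snmpCommunityName: hidden
    print(visible_oids(view, probes))
```

Given the output of display snmp-agent mib-view and the OIDs an NM Station is expected to read, the script shows which of them the view actually exposes. The mask logic is what allows a single table column or row to be included while the rest of the table stays hidden, which is the case to check when a view is meant to limit a station to a few counters.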
Applicable Environment
To enable the NM Station to access and manage devices, configure basic SNMPv2c
functions on the devices.
Pre-configuration Tasks
Before configuring SNMPv2c, complete the following tasks:
Data Preparation
To configure SNMP, you need the following data.
No. Data
1 SNMP version
Context
The SNMP agent is enabled on the target Switch Module.
Procedure
Step 1 Run:
system-view
Step 2 Run:
snmp-agent
----End
Context
The SNMP agent is enabled on the target Switch Module.
Procedure
Step 1 Run:
system-view
----End
Context
Do as follows on the Switch Module enabled with the SNMP agent.
Procedure
Step 1 Run:
system-view
NOTE
The community names for setting the read and write properties cannot be the same.
Otherwise, the read or write property of a community name will be overwritten.
----End
Prerequisites
The configurations of the Basic Functions of SNMPv2c are complete.
Procedure
● Run the display snmp-agent community command to view the community
name of the agent.
● Run the display snmp-agent sys-info version command to view the SNMP
version information.
----End
Example
Run the display snmp-agent community command. If information on the
community name is displayed, it means that the configuration succeeds.
<Base> display snmp-agent community
Community name:%$%$-yqBSyTXbNM8OIV)`6kHeri`%$%$
Group name:%$%$-yqBSyTXbNM8OIV)`6kHeri`%$%$
Storage-type: nonVolatile
Community name:%$%$k(1p/_Kz26BP~9I"7`]
Community name:%$%$k(1p/_Kz26BP~9I"7`]
Storage-type: nonVolatile
Run the display snmp-agent sys-info version command. If the version of SNMP
run on the agent is displayed, it means that the configuration succeeds.
<Base> display snmp-agent sys-info version
SNMP version running in the system:
SNMPv2c SNMPv3
Applicable Environment
To configure the specified NM Station to manage the Switch Module (SNMP
agent), configure access control lists on the Switch Module.
Pre-configuration Tasks
Before configuring community-name-based access control, complete the following
tasks:
Data Preparation
To configure community-name-based access control, you need the following data.
No. Data
1 ACL number
Context
The SNMP agent is enabled on the target Switch Module.
Procedure
Step 1 Run:
system-view
Step 2 Run:
snmp-agent sys-info version v2c
----End
Context
The SNMP agent is enabled on the target Switch Module.
Procedure
Step 1 Run:
system-view
----End
Context
The SNMP agent is enabled on the target Switch Module.
Procedure
Step 1 Run:
system-view
----End
Prerequisites
The configurations of the Community-Name-based Access Control in SNMPv2c are
complete.
Procedure
● Run the display acl acl-number command to view the rules of the configured
ACL.
Example
Run the display acl acl-number command. If information on the rules of the
configured ACL is displayed, it means that the configuration succeeds.
<Base> display acl 2000
Basic ACL 2000, 1 rule
Acl's step is 5
rule 5 permit source 1.1.1.1 0
Community name:%$%$k(1p/_Kz26BP~9I"7`]
Community name:%$%$k(1p/_Kz26BP~9I"7`]
Storage-type: nonVolatile
Run the display snmp-agent sys-info version command. If the version of SNMP
run on the agent is displayed, it means that the configuration succeeds.
<Base> display snmp-agent sys-info version
SNMP version running in the system:
SNMPv2c SNMPv3
Applicable Environment
To set different authorities for NM Stations to access the Switch Module, configure
different MIB views on the Switch Module.
Pre-configuration Tasks
Before configuring MIB-view-based access control, complete the following tasks:
● Assigning an IP address to the Switch Module
● Configuring the routing protocol to make the Switch Module and the NM
Station accessible
Data Preparation
To configure MIB-view-based access control, you need the following data.
No. Data
Context
The SNMP agent is enabled on the target Switch Module.
Procedure
Step 1 Run:
system-view
Step 2 Run:
snmp-agent sys-info version v2c
----End
Context
Do as follows on the Switch Module enabled with the SNMP agent.
Procedure
Step 1 Run:
system-view
Step 2 Run:
snmp-agent mib-view { excluded | included } view-name oid-tree
----End
Context
Do as follows on the Switch Module enabled with the SNMP agent.
Procedure
Step 1 Run:
system-view
----End
Prerequisites
The configurations of the MIB-View-based Access Control in SNMPv2c are
complete.
Procedure
● Run the display snmp-agent mib-view command to view the MIB view.
● Run the display snmp-agent community command to view the community
name of the agent.
● Run the display snmp-agent sys-info version command to view the SNMP
version information.
----End
Example
After the configurations, run the display snmp-agent mib-view command. If
information about the MIB view is displayed, it means that the configuration
succeeds.
<Base> display snmp-agent mib-view
View name:ViewDefault
MIB Subtree:internet
Subtree mask:
Storage-type: nonVolatile
View Type:included
View status:active
View name:ViewDefault
MIB Subtree:snmpUsmMIB
Subtree mask:
Storage-type: nonVolatile
View Type:excluded
View status:active
View name:ViewDefault
MIB Subtree:snmpVacmMIB
Subtree mask:
Storage-type: nonVolatile
View Type:excluded
View status:active
View name:ViewDefault
MIB Subtree:snmpModules.18
Subtree mask:
Storage-type: nonVolatile
View Type:excluded
View status:active
Community name:%$%$k(1p/_Kz26BP~9I"7`]
Community name:%$%$k(1p/_Kz26BP~9I"7`]
Storage-type: nonVolatile
Run the display snmp-agent sys-info version command. If the version of SNMP
run on the agent is displayed, it means that the configuration succeeds.
<Base> display snmp-agent sys-info version
SNMP version running in the system:
SNMPv2c SNMPv3
Applicable Environment
To designate different groups for the NM Station, that is, to implement user
classification on the NM Station, configure SNMPv3.
Pre-configuration Tasks
Before configuring SNMPv3, complete the following tasks:
● Assigning an IP address to the Switch Module
● Configuring the routing protocol to make the Switch Module and the NM
Station accessible
Data Preparation
To configure SNMPv3, you need the following data.
No. Data
Context
The SNMP agent is enabled on the target Switch Module.
Procedure
Step 1 Run:
system-view
----End
Context
The SNMP agent is enabled on the target Switch Module.
Procedure
Step 1 Run:
system-view
----End
Context
Do as follows on the SNMP agent.
Procedure
Step 1 Run:
system-view
Step 2 Run:
snmp-agent group v3 group-name
----End
Context
Do as follows on the Switch Module enabled with the SNMP agent.
Procedure
Step 1 Run:
system-view
Step 2 Run:
snmp-agent usm-user v3 user-name group-name
----End
Prerequisites
The configurations of the basic functions of SNMPv3 are complete.
Procedure
● Run the display snmp-agent group [ group-name ] command to view
information about the SNMP user group.
● Run the display snmp-agent usm-user [ group group-name | username
user-name ] * command to view information about users in the group.
● Run the display snmp-agent sys-info version command to view the SNMP
version information.
----End
Example
Run the display snmp-agent group command. If information on the user group is
displayed, it means that the configuration succeeds.
<Base> display snmp-agent group
Group name: a
Security model: v3 noAuthnoPriv
Readview: ViewDefault
Writeview: <no specified>
Notifyview :<no specified>
Storage-type: nonvolatile
Run the display snmp-agent sys-info version command. If the version of SNMP
run on the agent is displayed, it means that the configuration succeeds.
<Base> display snmp-agent sys-info version
SNMP version running in the system:
SNMPv3
Applicable Environment
To configure the specified NM Station in the group to manage the Switch Module
(SNMP agent), configure ACLs on the Switch Module.
Pre-configuration Tasks
Before configuring user group-based access control, complete the following tasks:
Data Preparation
To configure user group-based access control, you need the following data.
No. Data
3 ACL number
Context
Do as follows on the Switch Module enabled with the SNMP agent.
Procedure
Step 1 Run:
system-view
----End
Context
Do as follows on the Switch Module enabled with the SNMP agent.
Procedure
Step 1 Run:
system-view
----End
Context
Do as follows on the Switch Module enabled with the SNMP agent.
Procedure
Step 1 Run:
system-view
----End
Context
The SNMP agent is enabled on the target Switch Module.
Procedure
Step 1 Run:
system-view
----End
Context
The SNMP agent is enabled on the target Switch Module.
Procedure
Step 1 Run:
system-view
----End
Prerequisites
The configurations of the user group-based access control in SNMPv3 are
complete.
Procedure
● Run the display acl acl-number command to view ACL rules.
● Run the display snmp-agent group [ group-name ] command to view
information about the SNMP user group.
● Run the display snmp-agent usm-user command to view information about
the SNMP user.
● Run the display snmp-agent sys-info version command to view the SNMP
version information.
----End
Example
Run the display acl command. If information on the rules of the configured ACL is
displayed, it means that the configuration succeeds.
<Base> display acl 2000
Basic ACL 2000, 1 rule
Acl's step is 5
rule 5 permit source 1.1.1.1 0
Run the display snmp-agent group command. If information on the user group is
displayed, it means that the configuration succeeds.
<Base> display snmp-agent group
Group name: a
Security model: v3 noAuthnoPriv
Readview: ViewDefault
Writeview: <no specified>
Notifyview :<no specified>
Storage-type: nonvolatile
Acl:2000
Run the display snmp-agent sys-info version command. If the version of SNMP
run on the agent is displayed, it means that the configuration succeeds.
<Base> display snmp-agent sys-info version
SNMP version running in the system:
SNMPv3
Applicable Environment
To configure the specified user in the user group to manage the Switch Module
(SNMP agent), configure access control lists on the Switch Module.
Pre-configuration Tasks
Before configuring user-based access control, complete the following tasks:
Data Preparation
To configure user-based access control, you need the following data.
No. Data
3 ACL number
Context
Do as follows on the Switch Module enabled with the SNMP agent.
Procedure
Step 1 Run:
system-view
----End
Context
Do as follows on the SNMP agent.
Procedure
Step 1 Run:
system-view
----End
Context
The SNMP agent is enabled on the target Switch Module.
Procedure
Step 1 Run:
system-view
Step 2 Run:
snmp-agent usm-user v3 user-name group-name
----End
Context
The SNMP agent is enabled on the target Switch Module.
Procedure
Step 1 Run:
system-view
Step 2 Run:
acl acl-number
Step 3 Run:
rule [ rule-id ] { deny | permit } [ source { source-address source-wildcard | any } | time-range time-name ] *
----End
Procedure
Step 1 Run:
system-view
----End
Prerequisites
The configurations of the user-based access control in SNMPv3 are complete.
Procedure
● Run the display acl acl-number command to view ACL rules.
● Run the display snmp-agent group [ group-name ] command to view
information about the SNMP group.
● Run the display snmp-agent usm-user [ engineid engineid | group group-name | username user-name ] * command to view information about users in the SNMP group.
● Run the display snmp-agent sys-info version command to view the SNMP
version information.
----End
Example
Run the display acl command. If information on the rules of the configured ACL is
displayed, it means that the configuration succeeds.
<Base> display acl 2000
Basic ACL 2000, 1 rule
Acl's step is 5
rule 5 permit source 1.1.1.1 0
Run the display snmp-agent group command. If information on the user group is
displayed, it means that the configuration succeeds.
<Base> display snmp-agent group
Group name: a
Security model: v3 noAuthnoPriv
Readview: ViewDefault
Writeview: <no specified>
Notifyview :<no specified>
Storage-type: nonvolatile
User name: b
Engine ID: 000007DB7F00000100000772 active
Acl:2000
Run the display snmp-agent sys-info version command. If the version of SNMP
run on the agent is displayed, it means that the configuration succeeds.
<Base> display snmp-agent sys-info
SNMP version running in the system:
SNMPv3
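The following Python script is an added example; it is not part of this guide or of the switch software. It parses rule lines in the form shown by the rule command syntax and by the display acl 2000 output above, then evaluates them the way a basic ACL is evaluated for an NM Station address: rules are tried in ascending rule-ID order and the first match decides. Assumptions of the example: omitted rule IDs are allocated in steps of 5 (matching "Acl's step is 5" above), a single "0" wildcard stands for 0.0.0.0, and a source that matches no rule is treated as denied; confirm the default action of your platform before relying on that last point.

```python
"""Check which NM Station addresses a basic ACL applied to SNMP would admit.

Constructed example. Assumptions: rule numbers are assigned in steps of 5
when omitted, a wildcard written as '0' means 0.0.0.0, and a source that
matches no rule is denied (verify the platform default).
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

RULE_RE = re.compile(
    r"^\s*rule\s+(?:(?P<id>\d+)\s+)?(?P<action>permit|deny)\b"
    r"(?:\s+source\s+(?:(?P<any>any)|(?P<addr>\d+(?:\.\d+){3})\s+(?P<wild>\S+)))?"
)


def _wildcard(text: str) -> int:
    """'0' -> 0.0.0.0; '0.0.0.255' -> 255. A set bit means 'don't care'."""
    return int(ipaddress.IPv4Address(text)) if "." in text else int(text)


@dataclass
class Rule:
    rule_id: int
    permit: bool
    addr: int          # source address as a 32-bit integer
    wild: int          # wildcard mask as a 32-bit integer

    def matches(self, ip: str) -> bool:
        delta = int(ipaddress.IPv4Address(ip)) ^ self.addr
        return (delta & ~self.wild & 0xFFFFFFFF) == 0


def parse_rules(text: str, step: int = 5) -> List[Rule]:
    """Parse 'rule ...' lines; other lines (ACL header, step line) are skipped."""
    rules: List[Rule] = []
    next_id = step
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue
        rule_id = int(m.group("id")) if m.group("id") else next_id
        next_id = (rule_id // step + 1) * step      # next free multiple of step
        if m.group("addr"):
            addr = int(ipaddress.IPv4Address(m.group("addr")))
            wild = _wildcard(m.group("wild"))
        else:                                        # 'source any' or no source clause
            addr, wild = 0, 0xFFFFFFFF
        rules.append(Rule(rule_id, m.group("action") == "permit", addr, wild))
    return sorted(rules, key=lambda r: r.rule_id)


def first_match(rules: List[Rule], ip: str) -> Optional[int]:
    """Rule ID of the first rule matching ip, or None."""
    for rule in rules:
        if rule.matches(ip):
            return rule.rule_id
    return None


def nms_allowed(rules: List[Rule], ip: str) -> bool:
    """First matching rule decides; no match -> denied (assumption, see above)."""
    for rule in rules:
        if rule.matches(ip):
            return rule.permit
    return False


# Constructed sample mirroring the 'display acl 2000' output in this chapter.
SAMPLE_ACL = """\
Basic ACL 2000, 1 rule
Acl's step is 5
rule 5 permit source 1.1.1.1 0
"""

if __name__ == "__main__":
    rules = parse_rules(SAMPLE_ACL)
    for host in ("1.1.1.1", "1.1.1.2"):
        print(host, "permitted" if nms_allowed(rules, host) else "denied")
```

Running the script against the configured ACL and the addresses of every NM Station that is supposed to manage the Switch Module shows whether a wildcard that is wider than intended admits hosts beyond the management network, which is the usual mistake in source-based SNMP filtering.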
Applicable Environment
In the case that users demand high security of the network, configure the security
mechanism of SNMPv3 to allow specified NM Stations to access the Switch
Module. That is, the NM Station can access the Switch Module only after it passes
authentication.
Pre-configuration Tasks
Before configuring authentication and encryption functions in SNMPv3, complete
the following tasks:
Data Preparation
To configure authentication and encryption functions in SNMPv3, you need the
following data.
No. Data
Context
Do as follows on the Switch Module enabled with the SNMP agent.
Procedure
Step 1 Run:
system-view
----End
Context
Do as follows on the SNMP agent.
Procedure
Step 1 Run:
system-view
----End
Context
Do as follows on the Switch enabled with the SNMP agent.
Procedure
Step 1 Run:
system-view
Step 2 Run:
snmp-agent usm-user v3 user-name group-name
----End
8.1.12.5 Configuring the Authentication Function for the SNMP User Group
After authentication is configured, only NM Station users in the group that passes
the authentication can access the device.
Context
Do as follows on the Switch Module enabled with the SNMP agent.
Procedure
Step 1 Run:
system-view
Step 2 Run:
snmp-agent group v3 group-name authentication
----End
8.1.12.6 Configuring the Encryption Function for the SNMP User Group
Encryption keys configured on the NMS and the device must be identical.
Otherwise, the NMS cannot access the device.
Context
The SNMP agent is enabled on the target Switch Module.
Procedure
Step 1 Run:
system-view
Step 2 Run:
snmp-agent group v3 group-name privacy
----End
Context
The SNMP agent is enabled on the target Switch Module.
Procedure
Step 1 Run:
system-view
Authentication and encryption functions for the SNMP user are configured.
----End
Prerequisites
The configurations of the Authentication and Encryption Functions in SNMPv3 are
complete.
Procedure
● Run the display snmp-agent group [ group-name ] command to view the
USM-based group.
● Run the display snmp-agent usm-user [ group group-name | username
user-name ] * command to view information about users in the group.
● Run the display snmp-agent sys-info version command to view the SNMP
version information.
----End
Example
Run the display snmp-agent group command. If information on the USM-based
group is displayed, it means that the configuration succeeds.
<Base> display snmp-agent group
Group name: a
Security model: v3 AuthnoPriv
Readview: ViewDefault
Writeview: <no specified>
Notifyview :<no specified>
Storage-type: nonVolatile
Run the display snmp-agent sys-info version command. If the version of SNMP
run on the Agent is displayed, it means that the configuration succeeds.
<Base> display snmp-agent sys-info version
SNMP version running in the system:
SNMPv3
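The following Python script is an added example; it is not part of this guide or of the switch software. It shows what "the keys configured on the NMS and the device must be identical" means for SNMPv3 USM: both sides turn the same password into a key (Ku) and then localize it with the agent's engine ID (Kul), as specified in RFC 3414 Appendix A.2, so one password yields a different key on every agent and the NMS must learn the agent's engine ID first. The engine IDs 000007DB7F00000100000772 and 000007DB7F00000100003598 are the ones printed in this chapter; the password "maplesyrup" with the 12-byte engine ID ending in 02 is the RFC 3414 test vector.

```python
"""Derive SNMPv3 USM keys the way agent and NMS both do (RFC 3414 A.2).

Added example, not from the guide or the product. The privacy key is derived
from the privacy password in exactly the same way (and then truncated to the
cipher's key length), so the same logic covers both functions.
"""
import hashlib

PASSWORD_EXPANSION = 1_048_576   # RFC 3414: hash the password repeated to 1 MiB


def password_to_key(password: str, algorithm: str = "sha1") -> bytes:
    """Ku: digest of the password repeated (and truncated) to exactly 1 MiB.
    The expansion makes brute-forcing the password from a captured message
    more expensive than a single hash would."""
    pw = password.encode("utf-8")
    if not pw:
        raise ValueError("empty password")
    expanded = (pw * (PASSWORD_EXPANSION // len(pw) + 1))[:PASSWORD_EXPANSION]
    return hashlib.new(algorithm, expanded).digest()


def localize_key(ku: bytes, engine_id: bytes, algorithm: str = "sha1") -> bytes:
    """Kul = H(Ku || snmpEngineID || Ku): binds the key to a single agent, so a
    key recovered from one device is useless against another."""
    return hashlib.new(algorithm, ku + engine_id + ku).digest()


def localized_key(password: str, engine_id_hex: str, algorithm: str = "sha1") -> bytes:
    """Convenience wrapper: password + hex engine ID -> localized key."""
    return localize_key(password_to_key(password, algorithm),
                        bytes.fromhex(engine_id_hex), algorithm)


# Engine IDs shown in this chapter's display output and configuration file.
SWITCH_ENGINE_ID = "000007DB7F00000100000772"
OTHER_ENGINE_ID = "000007DB7F00000100003598"

if __name__ == "__main__":
    # Constructed password; the two agents end up with different localized keys.
    for eid in (SWITCH_ENGINE_ID, OTHER_ENGINE_ID):
        print(eid, localized_key("example-password", eid).hex())
```

A practical consequence: replacing a Switch Module, or changing its local engine ID with snmp-agent local-engineid, changes Kul even though the configured password is unchanged, and an NMS that cached the old engine ID will fail authentication until it rediscovers the new one.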
Applicable Environment
When users require higher network security, configure MIB views in the USM to
grant different NM Stations the corresponding management authorities.
Pre-configuration Tasks
Before configuring MIB views in the USM, complete the following tasks:
Data Preparation
To configure MIB views in the USM, you need the following data.
No. Data
4 ACL Number
Context
Do as follows on the Switch Module enabled with the SNMP agent.
Procedure
Step 1 Run:
system-view
----End
Context
The SNMP agent is enabled on the target Switch Module.
Procedure
Step 1 Run:
system-view
add asterisks to a variable OID string, but the variable OID string must not start or
end with asterisks.
----End
Context
The SNMP agent is enabled and the ACL is properly configured on the target
Switch Module.
Procedure
Step 1 Run:
system-view
Step 2 Run:
snmp-agent group v3 group-name [ authentication | privacy ] [ read-view read-view | write-view write-view | notify-view notify-view ]* [ acl acl-number ]
----End
Context
Do as follows on the Switch Module enabled with the SNMP agent.
Procedure
Step 1 Run:
system-view
Step 2 Run:
snmp-agent usm-user v3 user-name group-name
----End
Prerequisites
The configurations of the MIB-View-based Access Control in SNMPv3 are
complete.
Procedure
● Run the display snmp-agent group [ group-name ] command to view
information about the SNMP group.
● Run the display snmp-agent mib-view command to view the information on
the MIB view.
● Run the display snmp-agent usm-user [ engineid engineid | group group-name | username user-name ] * command to view information about users in the SNMP group.
● Run the display snmp-agent sys-info version command to view the SNMP
version information.
----End
Example
Run the display snmp-agent group command. If information on the SNMP group
is displayed, it means that the configuration succeeds.
<Base> display snmp-agent group
Group name: gg
Security model: v3 noAuthnoPriv
Readview: ViewDefault
Writeview: ViewDefault
Notifyview : <no specified>
Storage-type: nonVolatile
Run the display snmp-agent mib-view command. If information on the MIB view
is displayed, it means that the configuration succeeds.
<Base> display snmp-agent mib-view
View name:ViewDefault
MIB Subtree:internet
Subtree mask:
Storage-type: nonVolatile
View Type:included
View status:active
Run the display snmp-agent sys-info version command. If the version of SNMP
run is displayed, it means that the configuration succeeds.
<Base> display snmp-agent sys-info
SNMP version running in the system:
SNMPv3
Applicable Environment
When the Switch Module reports errors that must be rectified urgently, contact
the local maintenance engineers.
Pre-configuration Tasks
Before configuring SNMP maintenance information, complete the following tasks:
● Assigning an IP address to the Switch Module
● Configuring the routing protocol to make the Switch Module and the NM
Station accessible
Data Preparation
To configure SNMP maintenance information, you need the following data.
No. Data
Procedure
Step 1 Run:
system-view
----End
Procedure
Step 1 Run:
system-view
----End
Prerequisites
The configurations of the SNMP Maintenance Information are complete.
Procedure
● Run the display snmp-agent sys-info contact command to view the contact
method of the administrator.
● Run the display snmp-agent sys-info location command to view the
location of the Switch Module.
----End
Example
Run the display snmp-agent sys-info contact command to view the contact
method of the administrator.
<Base> display snmp-agent sys-info contact
The contact person for this managed node:
R&D Beijing, Huawei Technologies co.,Ltd.
Run the display snmp-agent sys-info location command to view the location of
the Switch Module.
<Base> display snmp-agent sys-info location
The physical location of this node:
Beijing China
Applicable Environment
If the NM Station obtains only partial status information about the Switch
Module, increase the maximum size of SNMP packets.
Pre-configuration Tasks
Before configuring the maximum size of the SNMP packet, complete the following
tasks:
Data Preparation
To configure the maximum size of the SNMP packet, you need the following data.
No. Data
Context
NOTE
If the maximum size is not specified, by default, 12000 bytes are sent or received.
Procedure
Step 1 Run:
system-view
Step 2 Run:
snmp-agent packet max-size byte-count
The maximum size of the SNMP packet sent or received by the agent is
configured.
----End
Prerequisites
The maximum size of an SNMP packet is configured.
Procedure
Step 1 Run the display current-configuration | include max-size command to view the
current maximum size of an SNMP packet.
NOTE
If you retain the default value, no information is displayed.
----End
Example
Run the display current-configuration | include max-size command to view the
current maximum size of an SNMP packet.
<Base> display current-configuration | include max-size
snmp-agent packet max-size 1800
Applicable Environment
To have the managed device send Trap messages to the NM Station on its own
initiative, without being polled, to report urgent events, configure the Trap
function on the managed device first.
Pre-configuration Tasks
Before configuring the Trap function, complete the following tasks:
Data Preparation
To configure the Trap function, you need the following data.
No. Data
7 (Optional) Port Number
8 Group Name
Context
The SNMP agent is enabled on the target Switch Module.
Procedure
Step 1 Run:
system-view
----End
Context
Do as follows on the Switch Module that requires an alarm to be enabled
separately:
Procedure
Step 1 Run:
system-view
Step 2 Run:
snmp-agent trap enable feature-name feature-name
To disable a specified trap function, you can run the undo snmp-agent trap
enable feature-name command.
----End
Context
Do as follows on the Switch Module enabled with the SNMP agent.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
snmp-agent target-host trap address udp-domain ip-address [ udp-port port-number ] [ public-net ] params securityname security-string [ v1 | v2c | v3 [ authentication | privacy ] ] [ private-netmanager ]
----End
8.1.16.5 (Optional) Setting the Source Interface for Sending Trap Messages
To ensure device security, you need to configure the source interface for sending
the trap messages to the default address.
Context
NOTICE
A reachable route is configured between the source interface for sending trap
messages configured on the Switch Module and the NMS; otherwise, the NM
Station discards trap messages because of unmatched addresses.
Procedure
Step 1 Run:
system-view
Step 2 Run:
snmp-agent trap source interface-type interface-number
----End
Follow-up Procedure
NOTE
The IP address of the specified source interface is the source IP address of trap messages.
Context
NOTE
Increase the queue length with the preceding command when the Switch Module
frequently sends Trap messages.
Procedure
Step 1 Run:
system-view
Step 2 Run:
snmp-agent trap queue-size size
The queue length of Trap messages sent to the destination host is set.
----End
Context
NOTE
Shorten the lifetime of Trap messages by using the preceding command when the Switch
Module frequently sends Trap messages.
Procedure
Step 1 Run:
system-view
----End
Prerequisites
The trap function is properly configured.
Procedure
Step 1 Run the display current-configuration | include trap command to view the
configurations of trap messages.
NOTE
If you retain the default configurations, no information is displayed.
----End
Example
Run the display current-configuration | include trap command to view the
configurations of trap messages.
<Base> display current-configuration configuration | include trap
snmp-agent trap enable
Applicable Environment
In SNMP, a managed device propagates the alarms to the NM Station in two
modes:
The Inform mode supports alarm logging. When the communication between the
NM Station and the managed device fails, the object can log the alarm. After the
fault is rectified, the NM Station synchronizes the alarm with the alarm log on the
managed device to avoid failure information loss.
The Inform mode applies to the large-scale network as well as the scenario where
high reliability of the NM Station is required.
NOTE
Pre-configuration Tasks
Before configuring the Inform mode, complete the following tasks:
Data Preparation
To configure the Inform mode, you need the following data.
No. Data
1 IP address of the destination and UDP port number to which the Inform
messages are sent, security name, and security level
2 ● (Optional) Timeout period for waiting for the Inform ACK messages
● (Optional) Number of times to re-propagate alarms
● (Optional) Number of pending alarms (alarms waiting for being
acknowledged)
Context
The SNMP agent is enabled on the target Switch Module.
Procedure
Step 1 Run:
system-view
----End
Context
Do as follows on the Switch Module that requires an alarm to be enabled
separately:
Procedure
Step 1 Run:
system-view
Step 2 Run:
snmp-agent trap enable feature-name feature-name
To disable a specified trap function, you can run the undo snmp-agent trap
enable feature-name command.
----End
Context
NOTE
When configuring the destination host, you must first ensure that the Switch Module and
the destination host are reachable.
Procedure
Step 1 Run:
system-view
Step 2 Run:
snmp-agent target-host inform address udp-domain ip-address [ udp-port port-number ] params securityname security-string v2c
To enable the Switch Module to propagate the alarms in Inform mode, you can
use the snmp-agent trap enable command in conjunction with the snmp-agent
target-host inform command.
----End
Context
Do as follows on the Switch Module enabled with the SNMP agent.
Procedure
Step 1 Run:
system-view
The timeout period for waiting for Inform ACK messages, the number of times to
re-send Inform messages, and the maximum number of pending alarms (alarms
waiting to be acknowledged) are set.
By default, the timeout period for waiting for Inform ACK messages is 15
seconds, Inform messages are re-sent 3 times, and the maximum number of
pending alarms (alarms waiting to be acknowledged) is 39.
----End
Follow-up Procedure
If the current network is unstable, set a longer timeout period for waiting
for Inform ACK messages and, at the same time, increase the number of times to
re-send Inform messages and the maximum number of pending alarms (alarms
waiting to be acknowledged).
Context
Do as follows on the Switch Module enabled with the SNMP agent.
Procedure
Step 1 Run:
system-view
The timeout period for the destination host to acknowledge Inform messages
and the number of times to re-send Inform messages are set.
By default, the timeout period for the destination host to acknowledge Inform
messages is 15 seconds and Inform messages are re-sent 3 times.
----End
keeps generating trap logs. When the link recovers, the Switch Module updates
trap logs recorded during the link failure to the host destination.
Context
Do as follows on the Switch Module enabled with the SNMP agent.
Procedure
Step 1 Run:
system-view
Step 2 Run:
snmp-agent notification-log enable
After the alarm logging function is enabled, the system records only the
alarms propagated in Inform mode.
Step 3 Run:
snmp-agent notification-log { global-ageout ageout | global-limit limit } *
The aging time of alarm logs and the maximum number of alarm logs that can be
saved in the log buffer are set.
By default, the aging time of alarm logs is 24 hours. When the aging time
expires, the alarm logs are automatically deleted.
By default, the log buffer can save a maximum of 500 alarm logs. If the number
exceeds the limit, the earliest saved alarm log is deleted first.
----End
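The following Python model is an added example; it is not part of this guide or of the switch software. It reproduces the Inform behaviour described in the preceding steps so that the interplay of the parameters can be observed offline: an Inform that receives no acknowledgement within the timeout is re-sent up to the configured number of times and then counted as failed, a new alarm is dropped once the pending limit is reached, and the alarm log evicts its oldest entry when full and ages entries out. The defaults (15 s, 3 re-sends, 39 pending, 500 log entries, 24 hours) are the ones stated above; the counter names mirror the fields of display snmp-agent inform and display snmp-agent notification-log info, but how the product increments them internally is an assumption of this model, and time is an integer number of seconds supplied by the caller.

```python
"""Model of the Inform retry, pending-limit and alarm-log behaviour.

Added example, not from the guide or the product. Time is passed in as an
integer number of seconds so the model runs without a clock or a network.
"""
from collections import deque
from dataclasses import dataclass
from typing import Deque, Dict, Optional, Tuple


@dataclass
class InformConfig:
    timeout: int = 15        # seconds to wait for an Inform ACK
    resend_times: int = 3    # re-sends after the first transmission
    pending_limit: int = 39  # unacknowledged Informs kept in flight


@dataclass
class Pending:
    sent_at: int
    retries: int = 0


class NotificationLog:
    """Bounded alarm log: oldest entry evicted when full, entries aged out."""

    def __init__(self, limit: int = 500, ageout_hours: int = 24):
        self.limit = limit
        self.ageout_seconds = ageout_hours * 3600
        self.entries: Deque[Tuple[int, str]] = deque()
        self.logged = 0   # GlobalNotificationsLogged
        self.bumped = 0   # GlobalNotificationsBumped (evicted to make room)

    def expire(self, now: int) -> None:
        while self.entries and now - self.entries[0][0] >= self.ageout_seconds:
            self.entries.popleft()

    def record(self, now: int, alarm: str) -> None:
        self.expire(now)
        if len(self.entries) >= self.limit:
            self.entries.popleft()          # earliest saved log is deleted first
            self.bumped += 1
        self.entries.append((now, alarm))
        self.logged += 1


class InformSender:
    def __init__(self, cfg: InformConfig, log: Optional[NotificationLog] = None):
        self.cfg, self.log = cfg, log
        self.pending: Dict[int, Pending] = {}
        self.stats = {"retries": 0, "sent": 0, "dropped": 0, "failed": 0, "confirmed": 0}
        self._next_id = 1

    def send(self, now: int, alarm: str) -> Optional[int]:
        """Queue a new Inform; returns its request ID, or None if dropped."""
        if len(self.pending) >= self.cfg.pending_limit:
            self.stats["dropped"] += 1
            return None
        rid, self._next_id = self._next_id, self._next_id + 1
        self.pending[rid] = Pending(sent_at=now)
        self.stats["sent"] += 1
        if self.log is not None:
            self.log.record(now, alarm)
        return rid

    def ack(self, request_id: int) -> bool:
        """Inform ACK received: the alarm is confirmed and leaves the queue."""
        if self.pending.pop(request_id, None) is None:
            return False
        self.stats["confirmed"] += 1
        return True

    def tick(self, now: int) -> None:
        """Re-send timed-out Informs; give up after resend_times re-sends."""
        for rid, p in list(self.pending.items()):
            if now - p.sent_at < self.cfg.timeout:
                continue
            if p.retries < self.cfg.resend_times:
                p.retries += 1
                p.sent_at = now
                self.stats["retries"] += 1
            else:
                del self.pending[rid]
                self.stats["failed"] += 1

    def status_line(self) -> str:
        """Same shape as the Status line of display snmp-agent inform."""
        s = self.stats
        return (f"retries {s['retries']}, pending {len(self.pending)}, sent {s['sent']}, "
                f"dropped {s['dropped']}, failed {s['failed']}, confirmed {s['confirmed']}")


if __name__ == "__main__":
    sender = InformSender(InformConfig(), NotificationLog())
    sender.send(0, "linkDown")                   # never acknowledged
    for t in (15, 30, 45, 60):
        sender.tick(t)
    print(sender.status_line())
```

With the defaults an unacknowledged alarm occupies a pending slot for 60 seconds (the first send plus three re-sends of 15 s each) before it is counted as failed; on a link that stays down, 39 such alarms fill the queue and every further alarm is dropped, which is why the preceding Follow-up Procedure recommends raising the pending limit together with the timeout and re-send count on unstable networks.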
Prerequisites
The configurations of the Alarms in the Inform Mode are complete.
Procedure
● Run the display snmp-agent target-host command to view the information
about destination host.
● Run the display snmp-agent inform [ address udp-domain ip-address
params securityname security-string ] command to view the parameters
about the Inform mode configured globally or on specified destination host
and statistics about the host.
Example
Run the display snmp-agent target-host command, and you can view
information about the destination host.
<Base> display snmp-agent target-host
Target-host NO. 1
-----------------------------------------------------------
IP-address : 2.2.2.2
VPN instance : -
Security name : abc
Port : 23
Type : inform
Version : v2c
Level : No authentication and privacy
NMS type : NMS
-----------------------------------------------------------
Target-host NO. 2
-----------------------------------------------------------
IP-address : 1.1.1.1
VPN instance : -
Security name : aaa
Port : 22
Type : trap
Version : v2c
Level : No authentication and privacy
NMS type : HW NMS
-----------------------------------------------------------
Run the display snmp-agent inform command, and you can view the
configurations of the alarms sent in Inform mode.
<Base> display snmp-agent inform
Global config: resend-times 3, timeout 15s, pending 39
Global status: current notification count 0
Target-host ID: VPN instance/IP-Address/Security name
-/1.1.1.1/public:
Config: resend-times 3, timeout 15s
Status: retries 0, pending 0, sent 0, dropped 0, failed 0, confirmed 0
Run the display snmp-agent notification-log info command, and you can view
the logs generated by alarms in the log buffer.
<Base> display snmp-agent notification-log info
Notification log information :
Notification Admin Status : enable
GlobalNotificationsLogged : 0
GlobalNotificationsBumped : 0
GlobalNotificationsLimit : 500
GlobalNotificationsAgeout : 24
Total number of notification log : 0
Applicable Environment
The extended error code function can help the Switch Module to enrich the
information contained in the error codes sent to the NM station.
Pre-configuration Tasks
Before configuring the extended error code function, complete the following task:
● Configuring a reachable route between the Switch Module and the NM
station
Data Preparation
None
8.1.18.2 Enabling the Extended Error Code Function on the SNMP Agent
By default, packets sent from the device to the NMS carry standard SNMP error
codes. After the extended SNMP error code function is enabled, packets sent from
the device to the NMS carry extended error codes.
Context
Do as follows on the Switch Module.
Procedure
Step 1 Run:
system-view
----End
Prerequisites
The configurations of the extended error code function are complete.
Procedure
Step 1 Run the display snmp-agent extend error-code status command to check
whether the extended error code function is enabled on the SNMP agent.
----End
Example
Run the display snmp-agent extend error-code status command to check
whether the extended error code function is enabled on the SNMP agent.
<Base> display snmp-agent extend error-code status
Extend error-code status:enabled
Networking Requirements
As shown in Figure 8-3, the NMS accesses the Switch through SNMP and
manages the Switch.
Configuration Roadmap
The configuration roadmap is as follows:
1. Assign IP addresses to interfaces.
2. Set the version of SNMP.
3. Set the SNMP community name.
Data Preparation
To complete the configuration, you need the following data:
● IP addresses of interfaces
● SNMP version
● Community name
Procedure
Step 1 Configure IP addresses of the interfaces. The configuration procedure is not
mentioned here.
Step 2 Enable the SNMP function.
# Enter the system view and enable the SNMP function.
<Base> system-view
[Base] sysname Switch
[Switch] snmp-agent
Community name:%$%$k(1p/_Kz26BP~9I"7`]
Community name:%$%$k(1p/_Kz26BP~9I"7`]
Storage-type: nonVolatile
----End
Configuration Files
The configuration file on the Switch is as follows:
#
sysname Switch
#
vlan batch 100
#
interface Vlanif100
ip address 1.1.1.2 255.255.255.0
#
interface GigabitEthernet0/0/1
port hybrid pvid vlan 100
port hybrid untagged vlan 100
#
snmp-agent
snmp-agent local-engineid 000007DB7F00000100003598
snmp-agent community read cipher %$%$-yqBSyTXbNM8OIV)`6kHeri`%$%$
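The following Python script is an added example; it is not part of this guide or of the switch software. It reads a configuration file in the format of the Configuration Files listings in this chapter and reports the SNMP settings a reviewer would question before the Switch Module is exposed to a management network: community-based versions left enabled, communities with no ACL or with an ACL that is undefined or empty, write access through a community string, SNMPv3 groups below authPriv or without an ACL, and trap targets that do not use v3. The sample configuration is constructed from the listings in this chapter with placeholder cipher strings; the hardened variant shows a configuration the audit passes. The audit does not print community strings, and treating "acl 2000" and "acl number 2000" alike, and a missing target-host version as "unspecified", are assumptions of the example.

```python
"""Audit the SNMP section of a Switch Module configuration file.

Added example, not part of the guide. Sample configurations are constructed;
cipher strings are placeholders.
"""
from typing import Dict, List, Set

SAMPLE_CONFIG = """\
#
sysname Switch
#
acl number 2000
 rule permit source 1.1.1.1 0
#
snmp-agent
snmp-agent local-engineid 000007DB7F000001000031E7
snmp-agent community read cipher %$%$READ-CIPHER-PLACEHOLDER%$%$ acl 2000
snmp-agent community write cipher %$%$WRITE-CIPHER-PLACEHOLDER%$%$
snmp-agent sys-info version v2c
undo snmp-agent sys-info version v3
snmp-agent group v3 ops-ro
snmp-agent group v3 ops-secure privacy acl 2000
snmp-agent usm-user v3 monitor ops-ro
snmp-agent target-host trap address udp-domain 1.1.1.1 params securityname public v2c
"""

HARDENED_CONFIG = """\
#
acl number 2000
 rule permit source 1.1.1.1 0
#
snmp-agent
snmp-agent sys-info version v3
snmp-agent group v3 ops-secure privacy acl 2000
snmp-agent usm-user v3 monitor ops-secure
snmp-agent target-host trap address udp-domain 1.1.1.1 params securityname monitor v3 privacy
"""


def audit_snmp_config(config: str) -> List[str]:
    """Return one finding per questionable SNMP setting (empty list = clean)."""
    findings: List[str] = []
    versions: Set[str] = set()
    acls: Dict[str, int] = {}            # ACL number -> number of rules
    communities, groups, targets = [], [], []
    current_acl = None
    for raw in config.splitlines():
        t = raw.split()
        if not t:
            continue
        if t[0] == "#":
            current_acl = None                          # section separator
        elif t[0] == "acl" and len(t) >= 2:             # 'acl number 2000' or 'acl 2000'
            current_acl = t[-1]
            acls.setdefault(current_acl, 0)
        elif t[0] == "rule" and current_acl is not None:
            acls[current_acl] += 1
        elif t[:3] == ["snmp-agent", "sys-info", "version"] and len(t) > 3:
            versions.update({"v1", "v2c", "v3"} if t[3] == "all" else {t[3]})
        elif t[:4] == ["undo", "snmp-agent", "sys-info", "version"] and len(t) > 4:
            versions.discard(t[4])
        elif t[:2] == ["snmp-agent", "community"] and len(t) >= 4:
            communities.append(t)
        elif t[:3] == ["snmp-agent", "group", "v3"] and len(t) >= 4:
            groups.append(t)
        elif t[:3] == ["snmp-agent", "target-host", "trap"]:
            targets.append(t)

    for v in sorted(versions & {"v1", "v2c"}):
        findings.append(f"SNMP{v} enabled: community-based access, no authentication or encryption")
    for t in communities:
        access = t[2]
        label = f"community {access}"                   # never echo the community string
        if "acl" in t:
            acl = t[t.index("acl") + 1]
            if acl not in acls:
                findings.append(f"{label}: ACL {acl} is referenced but not defined")
            elif acls[acl] == 0:
                findings.append(f"{label}: ACL {acl} has no rules")
        else:
            findings.append(f"{label}: no ACL, any host that can reach the agent may use it")
        if access == "write":
            findings.append(f"{label}: write access granted through a community string")
    for t in groups:
        name = t[3]
        level = "authPriv" if "privacy" in t else "authNoPriv" if "authentication" in t else "noAuthNoPriv"
        if level != "authPriv":
            findings.append(f"v3 group {name}: security level {level}")
        if "acl" not in t:
            findings.append(f"v3 group {name}: no ACL")
    for t in targets:
        ip = t[t.index("udp-domain") + 1] if "udp-domain" in t else "?"
        version = next((x for x in t if x in ("v1", "v2c", "v3")), "unspecified")
        if version != "v3":
            findings.append(f"trap target {ip}: version {version}, traps carry a clear-text community")
    return findings


if __name__ == "__main__":
    for finding in audit_snmp_config(SAMPLE_CONFIG):
        print("-", finding)
```

Run it over the output of display current-configuration saved to a file; a clean result means every remaining SNMP path into the Switch Module is an authenticated, encrypted SNMPv3 user whose group is restricted to known NM Station addresses.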
Networking Requirements
In Figure 8-4, a reachable route exists between the NMS and the Switch. The IP
address of the NMS is 1.1.1.1/24; the interface connecting the Switch to the
network resides on 2.2.2.2/24. The Switch can be remotely managed by the
specified NMS.
To rectify faults quickly, you need to add the contact information about the
administrator and the location information on the Switch.
The Switch needs to monitor the status of batch statistics collection. If the
statistics collection fails, the Switch sends a trap message to the NMS.
Figure 8-4 Networking diagram for specifying an NMS to manage the Switch
Configuration Roadmap
To complete the configuration, perform the following steps:
Data Preparation
To complete the configuration, you need the following data:
● SNMP version
● Community name and access right
● Administrator information and location of the Switch
● Number of an ACL
Procedure
Step 1 Configure reachable routes between the Switch and the NMS.
# Enter the system view, delete the version number of SNMP used in the system.
# Start the SNMP agent, and set the SNMP version to SNMPv2c.
[Switch] snmp-agent sys-info version v2c
# Set the contact information about the administrator and the physical location of
the Switch.
[Switch] snmp-agent sys-info contact Mr.Wang-Tel:21657
[Switch] snmp-agent sys-info location telephone-closet,2rd-floor
For details on how to configure NMS, see the relevant NMS configuration guide.
Community name:%$%$k(1p/_Kz26BP~9I"7`]
Community name:%$%$k(1p/_Kz26BP~9I"7`]
Acl:2000
Storage-type: nonVolatile
# When a trap message is generated and reported to the NMS, you can run the
display trapbuffer command to view details about the trap.
[Switch] display trapbuffer
Trapping buffer configuration and contents : enabled
Allowed max buffer size : 1024
Actual buffer size : 256
Channel number : 3 , Channel name : trapbuffer
Dropped messages : 0
Overwritten messages : 0
Current messages : 1
----End
Configuration Files
The configuration file on the Switch is as follows:
#
sysname Switch
#
vlan batch 100
#
acl number 2000
rule permit source 1.1.1.1 0
#
interface Vlanif100
ip address 2.2.2.2 255.255.255.0
#
interface GigabitEthernet0/0/1
port hybrid pvid vlan 100
port hybrid untagged vlan 100
#
snmp-agent
snmp-agent local-engineid 000007DB7F000001000031E7
snmp-agent community read cipher %$%$-yqBSyTXbNM8OIV)`6kHeri`%$%$ acl 2000
snmp-agent community write cipher %$%$k(1p/_Kz26BP~9I"7`] acl 2000
snmp-agent sys-info contact Mr.Wang-Tel:21657
snmp-agent sys-info location telephone-closet,2rd-floor
snmp-agent sys-info version v2c
undo snmp-agent sys-info version v3
snmp-agent target-host trap address udp-domain 1.1.1.1 params securityname public v2c private-netmanager
snmp-agent target-host trap address udp-domain 172.16.128.1 params securityname public v2c private-netmanager
snmp-agent target-host trap address udp-domain 172.17.128.1 params securityname public v2c private-netmanager
snmp-agent trap enable
Networking Requirements
As shown in Figure 8-5, reachable routes exist between NMS1 and the Switch,
and between NMS2 and the Switch. The IP address of the interface connecting
NMS1 to the network is on 1.1.1.1/24; the IP address of the interface connecting
NMS2 to the network is on 1.1.1.2/24. The IP address of the Ethernet interface
connecting the Switch to the network is on 1.1.2.1/24.
Figure 8-5 Networking diagram for configuring different NMSs to access the
Switch
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure basic SNMP functions on the Switch, including enabling the SNMP
agent and setting the SNMP version.
2. Configure the access rights.
3. Configure the trap function.
4. Configure the NMS.
Data Preparation
To complete the configuration, you need the following data:
● SNMP version
● User group name and user name
● Information about the MIB objects
● Passwords for authentication and encryption
Procedure
Step 1 Configure reachable routes between the Switch and the NMSs. The configuration
procedure is not mentioned.
# Start the SNMP agent and set the SNMP version to SNMPv3.
<Switch> system-view
[Switch] snmp-agent sys-info version v3
NOTE
Readview: b
Writeview: b
Notifyview :b
Storage-type: nonVolatile
Group name: test2
Security model: v3 AuthPriv
Readview: ViewDefault
Writeview: <no specified>
Notifyview :<no specified>
Storage-type: nonvolatile
View name:ViewDefault
MIB Subtree:snmpUsmMIB
Subtree mask:
Storage-type: nonVolatile
View Type:excluded
View status:active
View name:ViewDefault
MIB Subtree:snmpVacmMIB
Subtree mask:
Storage-type: nonVolatile
View Type:excluded
View status:active
View name:ViewDefault
MIB Subtree:snmpModules.18
Subtree mask:
Storage-type: nonVolatile
View Type:excluded
View status:active
# When a trap is generated, you can run the display trapbuffer command to view
details about the trap.
[Switch] display trapbuffer
Trapping buffer configuration and contents : enabled
Allowed max buffer size : 1024
Actual buffer size : 256
Channel number : 3 , Channel name : trapbuffer
Dropped messages : 0
Overwritten messages : 0
Current messages : 1
----End
Configuration Files
The configuration file on the Switch is as follows:
#
sysname Switch
#
vlan batch 100
#
interface Vlanif100
ip address 1.1.2.1 255.255.255.0
#
interface GigabitEthernet0/0/1
port hybrid pvid vlan 100
port hybrid untagged vlan 100
#
snmp-agent
snmp-agent local-engineid 000007DB7F00000100000132
snmp-agent sys-info version v3
snmp-agent group v3 test1 read-view c write-view c notify-view c
snmp-agent group v3 test2 read-view b write-view b notify-view b
snmp-agent group v3 test1 privacy
snmp-agent group v3 test2 privacy
snmp-agent group v3 test1 authentication
snmp-agent group v3 test2 authentication
snmp-agent target-host trap address udp-domain 1.1.1.1 params securityname NMS1 v3 privacy
snmp-agent target-host trap address udp-domain 1.1.1.2 params securityname NMS2 v3 privacy
snmp-agent mib-view included b interfaces
snmp-agent mib-view included c iso
snmp-agent usm-user v3 NMS1 test1 authentication-mode md5 %$%$qDz;-uvV^(=Az@NZw$!!>xof%$%$ privacy-mode des56 %$%$qDz;-uvV^(=Az@NZw$!!>xof%$%$ acl 2000
snmp-agent usm-user v3 NMS1 test2 authentication-mode md5 %$%$qDz;-uvV^(=Az@NZw$!!>xof%$%$ privacy-mode des56 %$%$qDz;-uvV^(=Az@NZw$!!>xof%$%$ acl 2000
#
return
Networking Requirements
As shown in Figure 8-6, reachable routes exist between NMS1 and the Switch,
and between NMS2 and the Switch. The IP address of the interface connecting
NMS1 to the network is on 1.1.1.1/24; the IP address of the interface connecting
NMS2 to the network is on 1.1.1.2/24. The IP address of the Ethernet interface
connecting the Switch to the network is on 1.1.2.1/24.
By using the security feature of SNMPv3, configure NMS1 to completely control
the network and configure NMS2 to manage only the interfaces on the Switch.
The NMSs manage the Switch remotely. The Switch sends trap messages to the
NMSs in Inform mode.
Figure 8-6 Networking diagram for configuring different NMSs to access the
Switch (inform mode)
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure basic SNMP functions on the Switch, including enabling the SNMP
agent and setting the SNMP version.
2. Configure access rights.
3. Configure the Inform function.
4. Configure the NMSs.
Data Preparation
To complete the configuration, you need the following data:
● SNMP version
● Information about the user group and users
● Information about the MIB objects
● Passwords for authentication and encryption
Procedure
Step 1 Configure reachable routes between the Switch and the NMSs. The configuration
procedure is not mentioned.
# Enter the system view, start the SNMP agent, and set the SNMP version to
SNMPv2c and SNMPv3.
<Base> system-view
[Base] sysname Switch
[Switch] snmp-agent
[Switch] snmp-agent sys-info version v2c v3
NOTE
# Configure the Switch to send trap messages to the NMSs in inform mode.
[Switch] snmp-agent target-host inform address udp-domain 1.1.1.1 params securityname NMS1 v2c
[Switch] snmp-agent target-host inform address udp-domain 1.1.1.2 params securityname NMS2 v2c
Notifyview :a
Storage-type: nonVolatile
----End
Configuration Files
The configuration file on the Switch is as follows:
#
sysname Switch
#
vlan batch 100
#
interface Vlanif100
ip address 1.1.2.1 255.255.255.0
#
interface GigabitEthernet0/0/1
port hybrid pvid vlan 100
port hybrid untagged vlan 100
#
snmp-agent
snmp-agent local-engineid 000007DB7F000001000079AB
snmp-agent sys-info version v2c v3
snmp-agent group v3 test1 read-view a write-view a notify-view a
snmp-agent group v3 test2 read-view b write-view b notify-view b
snmp-agent target-host inform address udp-domain 1.1.1.2 params securityname NMS2 v2c
snmp-agent target-host inform address udp-domain 1.1.1.1 params securityname NMS1 v2c
snmp-agent mib-view included a iso
snmp-agent mib-view included b interfaces
snmp-agent usm-user v3 NMS1 test1 authentication-mode md5 %$%$qDz;-uvV^(=Az@NZw$!!>xof%$%$ privacy-mode des56 %$%$qDz;-uvV^(=Az@NZw$!!>xof%$%$
snmp-agent usm-user v3 NMS1 test2 authentication-mode md5 %$%$qDz;-uvV^(=Az@NZw$!!>xof%$%$ privacy-mode des56 %$%$qDz;-uvV^(=Az@NZw$!!>xof%$%$
#
return
8.1.19.5 Example for Enabling the Extended Error Code Function on the SNMP Agent
After configuring the SNMP error code function, the NMS can receive more
detailed information about the router.
Networking Requirements
As shown in Figure 8-7, a reachable route exists between the NM station and the
Switch Module. The NM station manages the Switch Module through the SNMP agent.
Figure 8-7 Networking diagram of enabling the extended error code function on
the SNMP agent
Configuration Roadmap
The configuration roadmap is as follows:
Data Preparation
To complete the configuration, you need the following data:
Procedure
Step 1 Configure reachable routes between the Switch and the NMSs. The configuration
procedure is not mentioned.
<Base> system-view
[Base] snmp-agent sys-info version v2c
Step 3 Enable the extended error code function on the SNMP agent.
# Check whether the extended error code function is enabled on the SNMP agent.
[Base] display snmp-agent extend error-code status
Extend error-code status:enabled
----End
Configuration Files
Configuration file of the Switch
#
sysname Switch
vlan batch 10
#
interface Vlanif10
ip address 10.1.1.1 255.255.255.0
#
interface GigabitEthernet0/0/1
port hybrid pvid vlan 10
port hybrid untagged vlan 10
#
snmp-agent
snmp-agent extend error-code enable
snmp-agent local-engineid 000007DB7F0000010000393C
snmp-agent sys-info version v2c v3
#
return
Networking Requirements
As shown in Figure 8-8, when the configuration changes or a fault occurs on the
Switch Module, the Switch Module automatically sends an alarm message to the
specified NMS. The alarm message sent by Huawei devices to the Huawei NMS
contains the sending time and ID of the alarm message in addition to the
information defined in the protocol.
Configuration Roadmap
The configuration roadmap is as follows:
1. Assign IP addresses to interfaces.
2. Configure the SNMP version.
3. Configure alarm messages to be sent to the Huawei NMS.
Data Preparation
To complete the configuration, you need the following data:
● IP addresses of interfaces
● SNMP version
● Source interface for sending alarm messages
● IP address of the NMS
Procedure
Step 1 Assign IP addresses to the interfaces. The configuration details are not
mentioned here.
Step 2 Configure the SNMP version.
# Configure the SNMP version to v2c.
<Base> system-view
[Base] snmp-agent sys-info version v2c
# Configure the source interface that sends alarm messages to the NMS.
[Base] snmp-agent trap source Vlanif10
----End
Configuration File
Configuration file of the Switch Module
#
sysname Base
#
vlan batch 10
#
interface LoopBack0
ip address 1.1.1.1 255.255.255.255
#
interface Vlanif10
ip address 11.1.1.2 255.255.255.0
#
interface GigabitEthernet0/0/1
port hybrid pvid vlan 10
port hybrid untagged vlan 10
#
snmp-agent
snmp-agent local-engineid 800007DB03001882817A30FC
snmp-agent sys-info version v2c
snmp-agent target-host trap address udp-domain 11.1.1.1 params securityname public v2c private-netmanager
snmp-agent trap enable
snmp-agent trap source LoopBack0
#
return
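The configuration files in the preceding SNMP examples are what a reviewer checks when assessing whether a switch is safe to manage over SNMP: which versions are enabled, whether communities and USM users are bound to an ACL, which authentication and privacy algorithms the v3 users use, and how traps and informs are sent. The following audit script is an added example, not code from the CX91x guide; it parses the `snmp-agent` lines of a configuration file in the format shown above and reports those points. The sample configuration is constructed from the command forms on this page, and the `%$%$...%$%$` strings stand in for the device's cipher text.

```python
"""Audit the snmp-agent lines of a Huawei-style configuration file.

Added example, not from the CX91x guide. It applies the checks a reviewer
would make on the configuration files shown above: SNMPv1/v2c enabled,
communities without an ACL, USM users with MD5/DES56 or without an ACL, and
notification targets that are sent without SNMPv3 privacy.
"""
import re

# Command forms as they appear in the guide's "Configuration Files" sections.
_VERSION_RE = re.compile(r"^snmp-agent sys-info version\s+(.+)$")
_COMMUNITY_RE = re.compile(
    r"^snmp-agent community (read|write) (?:cipher )?(\S+)(?P<rest>.*)$")
_USM_RE = re.compile(
    r"^snmp-agent usm-user v3 (\S+) (\S+)"
    r"(?: authentication-mode (md5|sha) \S+)?"
    r"(?: privacy-mode (des56|aes128|aes192|aes256) \S+)?(?P<rest>.*)$")
_TARGET_RE = re.compile(
    r"^snmp-agent target-host (trap|inform) address udp-domain (\S+) "
    r"params securityname (\S+) (v1|v2c|v3)(?P<rest>.*)$")


def audit_snmp_config(config_text):
    """Return {"versions": [...], "targets": [(kind, addr, ver)], "findings": [...]}."""
    versions, findings, targets = set(), [], []
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("undo snmp-agent sys-info version"):
            versions.difference_update(line.split()[4:])   # e.g. "... version v3" removes v3
            continue
        if not line.startswith("snmp-agent"):
            continue
        m = _VERSION_RE.match(line)
        if m:
            versions.update(m.group(1).split())
            continue
        m = _COMMUNITY_RE.match(line)
        if m:
            if "acl" not in m.group("rest").split():
                findings.append(f"{m.group(1)} community has no ACL restricting NMS addresses")
            continue
        m = _USM_RE.match(line)
        if m:
            user, auth, priv = m.group(1), m.group(3), m.group(4)
            if auth is None:
                findings.append(f"user {user}: no authentication configured")
            elif auth == "md5":
                findings.append(f"user {user}: MD5 authentication (prefer SHA)")
            if priv is None:
                findings.append(f"user {user}: no privacy configured")
            elif priv == "des56":
                findings.append(f"user {user}: DES56 privacy (prefer AES)")
            if "acl" not in m.group("rest").split():
                findings.append(f"user {user}: no ACL restricting NMS addresses")
            continue
        m = _TARGET_RE.match(line)
        if m:
            kind, addr, ver = m.group(1), m.group(2), m.group(4)
            targets.append((kind, addr, ver))
            if ver != "v3":
                findings.append(f"{kind} to {addr} sent with SNMP{ver} (community string only)")
            elif "privacy" not in m.group("rest").split():
                findings.append(f"{kind} to {addr} sent with SNMPv3 but without privacy")
    weak = sorted(versions & {"v1", "v2c"})
    if weak:
        findings.append("community-based SNMP versions enabled: " + ", ".join(weak))
    return {"versions": sorted(versions), "targets": targets, "findings": findings}


# Constructed sample modelled on the guide's configuration files (not a real device export).
SAMPLE_CONFIG = """\
#
snmp-agent
snmp-agent sys-info version v2c v3
snmp-agent community read cipher %$%$CIPHER-A%$%$ acl 2000
snmp-agent community write cipher %$%$CIPHER-B%$%$
snmp-agent group v3 test1 read-view a write-view a notify-view a
snmp-agent usm-user v3 NMS1 test1 authentication-mode md5 %$%$CIPHER-C%$%$ privacy-mode des56 %$%$CIPHER-D%$%$ acl 2000
snmp-agent target-host trap address udp-domain 1.1.1.1 params securityname public v2c private-netmanager
snmp-agent target-host inform address udp-domain 1.1.1.2 params securityname NMS2 v3 privacy
snmp-agent trap enable
#
return
"""


def audit_sample():
    return audit_snmp_config(SAMPLE_CONFIG)


if __name__ == "__main__":
    for finding in audit_sample()["findings"]:
        print("-", finding)
```

Run against the sample, the script reports the write community that lacks an ACL, the MD5/DES56 user, the v2c trap target and the enabled v2c version; the v3 inform target with privacy produces no finding. Feed it the output of `display current-configuration` to check a real switch.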
8.2.1 Ping
This topic describes the functions and theory of the ping command.
Figure 8-9 shows the ping process. After you run the ping command, an Internet
Control Message Protocol (ICMP) Echo Request message is sent to the destination.
The destination returns an ICMP Echo Reply message immediately after receiving
the ICMP Echo Request message.
Ping tests IP reachability and status of the link between the source and the
destination by checking whether the destination sends back an ICMP Echo Reply
message and measuring the interval between sending the ICMP Echo Request
message and receiving the ICMP Echo Reply message.
Figure 8-10 Format of ICMP Echo Request and Echo Reply messages
Figure 8-10 shows the format of ICMP Echo Request and Echo Reply messages.
The length of the Data field is variable. You can specify the length of the Data
field in the ping command.
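To make the Echo Request/Echo Reply format concrete, the following added example (not code from the CX91x guide) builds the message bytes that ping puts on the wire, computes the ICMP checksum, produces the reply a destination would send, and applies the matching rule ping uses to pair a reply with its request. The identifier, sequence numbers and Data contents are constructed sample values; no packets are sent.

```python
"""Build and check ICMP Echo Request/Reply messages of the format in Figure 8-10.

Added example, not code from the CX91x guide. Fields: type (8 = Echo Request,
0 = Echo Reply), code, checksum, identifier, sequence number, variable Data.
"""
import struct

ICMP_ECHO_REQUEST = 8
ICMP_ECHO_REPLY = 0
_HDR = "!BBHHH"          # type, code, checksum, identifier, sequence number


def icmp_checksum(data):
    """RFC 1071 checksum: ones' complement of the ones'-complement sum of 16-bit words."""
    if len(data) % 2:
        data += b"\x00"                 # pad an odd-length message for summing
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                  # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo(msg_type, ident, seq, payload):
    """Return an ICMP Echo message; len(payload) is the variable Data length (ping -s)."""
    header = struct.pack(_HDR, msg_type, 0, 0, ident, seq)   # checksum field zero while computing
    csum = icmp_checksum(header + payload)
    return struct.pack(_HDR, msg_type, 0, csum, ident, seq) + payload


def parse_echo(packet):
    """Decode an Echo Request/Reply; raise ValueError if truncated or the checksum fails."""
    if len(packet) < 8:
        raise ValueError("ICMP message shorter than 8-byte header")
    if icmp_checksum(packet) != 0:      # a valid message sums to all ones, so its complement is 0
        raise ValueError("ICMP checksum mismatch")
    msg_type, code, _csum, ident, seq = struct.unpack(_HDR, packet[:8])
    if msg_type not in (ICMP_ECHO_REQUEST, ICMP_ECHO_REPLY) or code != 0:
        raise ValueError("not an Echo Request/Reply")
    return {"type": msg_type, "id": ident, "seq": seq, "data": packet[8:]}


def make_reply(request):
    """What the destination does: echo identifier, sequence number and Data back."""
    req = parse_echo(request)
    if req["type"] != ICMP_ECHO_REQUEST:
        raise ValueError("only Echo Requests are answered")
    return build_echo(ICMP_ECHO_REPLY, req["id"], req["seq"], req["data"])


def is_reply_for(request, reply):
    """ping's matching rule: an Echo Reply with the request's identifier, sequence and Data."""
    try:
        req, rep = parse_echo(request), parse_echo(reply)
    except ValueError:
        return False                    # truncated or corrupted reply is ignored
    return (req["type"] == ICMP_ECHO_REQUEST and rep["type"] == ICMP_ECHO_REPLY
            and (req["id"], req["seq"], req["data"]) == (rep["id"], rep["seq"], rep["data"]))


if __name__ == "__main__":
    # 56 data bytes, as in the "56 data bytes" line of the ping output later on this page.
    request = build_echo(ICMP_ECHO_REQUEST, 0x1234, 1, bytes(56))
    reply = make_reply(request)
    print(len(request), "bytes, reply matches:", is_reply_for(request, reply))
```

The checksum covers the whole message, so a reply whose Data was altered in transit fails `parse_echo`; a reply with a different sequence number parses but is not matched to the request, which is how ping keeps per-probe round-trip times separate.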
8.2.2 Tracert
This topic describes the functions and theory of the tracert command.
The CX91x series implements tracert based on ICMP. Tracert records the gateways
that the ICMP message passes along the path between a source host and a
destination. In this manner, you can check network connectivity and locate the
fault.
2. After receiving the UDP datagram from the CX91x series, Router-A finds that
the destination IP address carried in the datagram is not its own address.
Then, Router-A reduces the TTL value by 1. Finding that the TTL value reaches
0, Router-A sends an ICMP Time Exceeded message to the CX91x series.
3. After receiving the ICMP Time Exceeded message, the CX91x series increases
the TTL value and the UDP port number in the UDP datagram by 1
respectively and then sends out the UDP datagram again.
4. Repeat Step 2 and Step 3 until the log host receives the UDP datagram from
the CX91x series.
5. After receiving the UDP datagram from the CX91x series, the log host finds
that the destination is itself. It begins to process the datagram. The log host
tries to find the upper layer protocol corresponding to the destination UDP
port number carried in the datagram. In most cases, the UDP ports whose
number is greater than 30000 are not used by any protocols. Therefore, the
log host sends an ICMP Destination Unreachable message to the CX91x series
to notify the source that the destination port is unreachable.
6. After receiving the ICMP Destination Unreachable message from the log host,
the CX91x series knows that the UDP datagram has reached the destination
and thus stops running the tracert program.
In the preceding steps, the tracert program on the source records the IP addresses
of the gateways between the source and the destination through the ICMP Time
Exceeded message mentioned in Step 3.
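The TTL-stepping exchange in Steps 2 to 6 can be followed in a small simulation. The following is an added example, not code from the CX91x guide: the hops are constructed objects rather than real devices, the addresses follow this chapter's ping/tracert example (Switch B 1.1.1.2, Router 2.1.1.2, log host 3.1.1.2), and the starting UDP port 33434 is an assumed value above 30000. It also models the failure case later in this chapter, where a link in the middle of the path is down and tracert shows only the hops before it.

```python
"""Simulate the tracert exchange described in Steps 2 to 6.

Added example, not code from the CX91x guide. Hops, addresses and the
link fault are constructed; nothing is sent on a network.
"""
from dataclasses import dataclass

ICMP_TIME_EXCEEDED = 11      # router: TTL reached 0 (Step 2)
ICMP_DEST_UNREACHABLE = 3    # destination: UDP port not in use (Step 5)
NO_REPLY = (None, None)      # probe lost; tracert prints "*" for that TTL


@dataclass
class Hop:
    ip: str                                   # address the hop answers from
    is_destination: bool = False
    link_up: bool = True                      # False: link towards the next hop is down (constructed fault)
    listening_ports: frozenset = frozenset()  # UDP ports actually in use on the destination


def send_probe(path, ttl, dst_port):
    """Carry one UDP probe hop by hop along `path` (nearest hop first).

    Returns (replier_ip, icmp_type), or NO_REPLY when nothing comes back."""
    for hop in path:
        if hop.is_destination:
            # Step 5: the destination looks for a protocol bound to dst_port.
            # Ports above 30000 are normally unused, so it answers with
            # ICMP Destination Unreachable (port unreachable).
            if dst_port in hop.listening_ports:
                return NO_REPLY          # delivered to an application; no ICMP error
            return (hop.ip, ICMP_DEST_UNREACHABLE)
        ttl -= 1                         # Step 2: each router decrements the TTL
        if ttl == 0:
            return (hop.ip, ICMP_TIME_EXCEEDED)
        if not hop.link_up:
            return NO_REPLY              # forwarded onto a failed link: lost
    return NO_REPLY


def tracert(path, first_ttl=1, max_ttl=30, base_port=33434):
    """Return [(ttl, replier_ip or '*'), ...] in the order tracert prints them."""
    results = []
    ttl, port = first_ttl, base_port
    while ttl <= max_ttl:
        replier, icmp_type = send_probe(path, ttl, port)
        results.append((ttl, replier if replier is not None else "*"))
        if icmp_type == ICMP_DEST_UNREACHABLE:
            break                        # Step 6: destination reached, stop
        ttl += 1                         # Step 3: next probe goes one hop further
        port += 1                        #         and uses the next UDP port
    return results


def healthy_path():
    return [Hop("1.1.1.2"), Hop("2.1.1.2"), Hop("3.1.1.2", is_destination=True)]


def broken_path():
    # Constructed fault: the link between Switch B and Router is down.
    return [Hop("1.1.1.2", link_up=False), Hop("2.1.1.2"),
            Hop("3.1.1.2", is_destination=True)]


if __name__ == "__main__":
    for ttl, ip in tracert(healthy_path()):
        print(ttl, ip)
    print("--- with the Switch B / Router link down ---")
    for ttl, ip in tracert(broken_path(), max_ttl=5):
        print(ttl, ip)
```

With the healthy path the Time Exceeded replies come from 1.1.1.2 and 2.1.1.2 and the Destination Unreachable reply from 3.1.1.2 ends the run. With the link after Switch B down, only 1.1.1.2 answers and every later TTL is recorded as `*` until `max_ttl`, which is the reading used to place the fault on the Switch B to Router segment.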
Application Environment
The Customer Edge (CE) connected to the CX91x series cannot access the Internet.
You need to run the ping and tracert commands to check network connectivity.
Pre-configuration Tasks
Before performing ping and tracert operations, complete the following tasks:
● Checking the physical connections between the CE and the CX91x series
● Correctly configuring an IP address for the CE device
Data Preparation
To perform ping and tracert operations, you need the following data.
No. Data
Context
Do as follows on the CX91x series:
Procedure
Step 1 Run:
ping [ ip ] [ -a source-ip-address | -c count | -d | -f | -h ttl-value | -i interface-type interface-number | -m time | -n | -p pattern | -q | -r | -s packetsize | -t timeout | -tos tos-value | -v ] * host
Only some of the parameters are specified in the preceding ping command. For
details on more parameters, refer to the CX91x Series Switch Modules
V100R001C00 Command Reference.
The output of the ping command is as follows:
----End
Context
Do as follows on the CX91x series:
Procedure
Step 1 Run:
tracert [ -a source-ip-address | -f first-ttl | -m max-ttl | -p port | -q nqueries | -w timeout ]* host
----End
Networking Requirements
As shown in Figure 8-12, after configuring Switch A, you check the link between
Switch A and the log host. If Switch A and the log host are disconnected, you
cannot know which device fails because there are other network devices between
Switch A and the log host. To locate on which link segment the fault occurs, you
can perform ping and tracert operations.
Configuration Roadmap
The configuration roadmap is as follows:
1. Run the ping command on Switch A to check the connectivity between Switch
A and the log host.
2. Run the tracert command to locate the fault after you find that the link is
faulty.
Data Preparation
To complete the configuration, you need the following data:
● IP addresses of the interfaces on Switch B (In this example, IP addresses of
the interfaces are 1.1.1.2/8 and 2.1.1.1/8.)
● IP addresses of the interfaces on Router (In this example, IP addresses of the
interfaces are 2.1.1.2/8 and 3.1.1.1/8.)
● IP address of the log host (In this example, the IP address of the log host is
3.1.1.2/8.)
Procedure
Step 1 Run the ping command.
# Run the ping command on Switch A to check the connectivity between Switch A
and the log host.
<Base> ping 3.1.1.2
PING 3.1.1.2: 56 data bytes, press CTRL_C to break
Request time out
Request time out
Request time out
Request time out
Request time out
The display on Switch A shows that the log host is unreachable, which indicates
that a fault occurs on some link segment between Switch A and the log host.
The preceding display shows that the ICMP Echo Request message passes Switch B
but does not reach Router. It indicates that the link between Switch B and Router
fails. After the link between Switch B and Router is recovered, you can repeat Step
1 and Step 2 to ensure that Switch A and the log host can communicate properly.
----End
Configuration Files
None.