CX91x Series Switch Modules V100R001C00 Configuration Guide 09

CX91x Series Switch Modules
V100R001C00
Configuration Guide
Issue 09
Date 2022-06-30
HUAWEI TECHNOLOGIES CO., LTD.

Copyright © Huawei Technologies Co., Ltd. 2022. All rights reserved.
No part of this document may be reproduced or transmitted in any form or by any means without prior
written consent of Huawei Technologies Co., Ltd.
Trademarks and Permissions
and other Huawei trademarks are trademarks of Huawei Technologies Co., Ltd.
All other trademarks and trade names mentioned in this document are the property of their respective
holders.
Notice
The purchased products, services and features are stipulated by the contract made between Huawei and
the customer. All or part of the products, services and features described in this document may not be
within the purchase scope or the usage scope. Unless otherwise specified in the contract, all statements,
information, and recommendations in this document are provided "AS IS" without warranties, guarantees
or representations of any kind, either express or implied.
The information in this document is subject to change without notice. Every effort has been made in the
preparation of this document to ensure accuracy of the contents, but all statements, information, and
recommendations in this document do not constitute a warranty of any kind, express or implied.
Huawei Technologies Co., Ltd.

Address: Huawei Industrial Base
Bantian, Longgang
Shenzhen 518129
People's Republic of China
Website: https://e.huawei.com
Issue 09 (2022-06-30) Copyright © Huawei Technologies Co., Ltd. i

Configuration Guide About This Document
About This Document
Purpose
The documents describe the configuration of various services supported by the
CX91x series switch modules. The description covers configuration examples and
function configurations.
The product features and commands for the 10GE switching plane of the CX91x
series switch modules vary according to the software version. For details, see the
documents listed in the following table.
NOTE
Run the display version command in the switching plane CLI and select a reference document
based on the Switch Version or Software Version displayed in the command output.
Huawei Support 10GE Switching Plane Reference Document

Website Version Software Version
V100R001C00 or 1.1.0.200.3 See this document.

V100R001C00SPCxxx
1.1.3.300.5
1.1.3.301.6
1.2.1.0.19
1.2.1.0.21
2.23
2.26
2.29
V100R001C10 or 1.2.1.0.39 See the CX11x, CX31x,

V100R001C10SPCxxx CX710 (Earlier Than
Versions in the x.xx V6.03), and CX91x
format, except 2.23, Series Switch Modules
2.26, and 2.29. V100R001C10
NOTE Configuration Guide.
2.05 and later versions are
displayed in the x.xx
format.
Issue 09 (2022-06-30) Copyright © Huawei Technologies Co., Ltd. ii

Intended Audience
This document is intended for:
● Data configuration engineers

● Commissioning engineers
● Network monitoring engineers
● System maintenance engineers
Symbol Conventions
The symbols that may be found in this document are defined as follows.
Symbol Description
Indicates an imminently hazardous situation which, if

not avoided, will result in death or serious injury.
Indicates a potentially hazardous situation which, if

not avoided, could result in death or serious injury.

not avoided, may result in minor or moderate injury.

not avoided, could result in equipment damage, data
loss, performance deterioration, or unanticipated
results.
NOTICE is used to address practices not related to
personal injury.
Calls attention to important information, best

practices and tips.
NOTE is used to address information not related to
personal injury, equipment damage, and environment
deterioration.
Command Conventions
The command conventions that may be found in this document are defined as
follows.
Convention Description
Boldface The keywords of a command line are in boldface.
Issue 09 (2022-06-30) Copyright © Huawei Technologies Co., Ltd. iii

Convention Description
Italic Command arguments are in italics.
[] Items (keywords or arguments) in brackets [ ] are

optional.
{ x | y | ... } Optional items are grouped in braces and separated

by vertical bars. One item is selected.
[ x | y | ... ] Optional items are grouped in brackets and

separated by vertical bars. One item is selected or
no item is selected.
{ x | y | ... }* Optional items are grouped in braces and separated

by vertical bars. A minimum of one item or a
maximum of all items can be selected.
[ x | y | ... ]* Optional items are grouped in brackets and

separated by vertical bars. You can select one or
several items, or select no item.
&<1-n> The parameter before the & sign can be repeated 1

to n times.
# A line starting with the # sign is comments.
Interface Numbering Conventions

Interface numbers used in this manual are examples. In device configuration, use
the existing interface numbers on devices.
Security Conventions
● Password setting
– When configuring a password in plain text, the password is saved in the
configuration file in plain text. The plain text has high security risks. The
cipher text is recommended. To ensure device security, change the
password periodically.
– When you configure a password in cipher text that starts and ends with
%@%@ (the password can be decrypted by the device), the password is
displayed in the same manner as the configured one in the configuration
file. Do not use this setting.
● Encryption algorithm
Currently, the device uses the following encryption algorithms: DES, AES,
SHA-1, SHA-2, and MD5. DES and AES are reversible, and SHA-1, SHA-2, and
MD5 are irreversible. The encryption algorithm depends on actual networking.
If protocols are used for interconnection, the locally stored password must be
reversible. It is recommended that the irreversible encryption algorithm be
used for the administrator password.
Issue 09 (2022-06-30) Copyright © Huawei Technologies Co., Ltd. iv

● Personal data
Some personal data may be obtained or used during operation or fault
location of your purchased products, services, features, so you have an
obligation to make privacy policies and take measures according to the
applicable law of the country to protect personal data.
● Remote access
– The Telnet protocol is not secure. Data is not encrypted during
transmission over Telnet. Therefore, transmitted data may be restored
after IP packets are captured without authorization. It is recommended
that files be transmitted over SSH.
– The FTP and TFTP protocol is not secure. Data is not encrypted during
transmission over FTP and TFTP. Therefore, transmitted data may be
restored after IP packets are captured without authorization. It is
recommended that files be transmitted over SFTP.
Change History
Changes between document issues are cumulative. Therefore, the latest document
version contains all updates made to previous versions.
Issue Date Description
09 2022-06-30 Updated the document links.
08 2019-11-30 This issue is the eighth official release.
07 2017-09-04 This issue is the seventh official release,

and includes the following changes:
Deleted information about ISSU.
06 2017-03-27 This issue is the sixth official release, and

includes the following changes:
Modified the relationships between
switching plane software versions and
reference documents in About This
Document.
05 2015-02-16 This issue is the fifth official release, and

The 2.2.6.1 Example for Configuring
Link Aggregation in Manual Load
Balancing Mode and 2.2.6.2 Example
for Configuring Link Aggregation in
Static LACP Mode are modified.
Issue 09 (2022-06-30) Copyright © Huawei Technologies Co., Ltd. v

Issue Date Description
04 2014-11-10 This issue is the fourth official release,

The 2.2.4.3 Adding Member Interfaces
to an Eth-Trunk and 2.2.3.3 Adding
Member Interfaces to an Eth-Trunk are
modified.
03 2014-09-15 This issue is the third official release, and

"Tecal" is deleted from the product
document.
02 2014-07-30 This issue is the second official release,

The document name is updated.
01 2013-11-18 This issue is the first official release.
Issue 09 (2022-06-30) Copyright © Huawei Technologies Co., Ltd. vi

Configuration Guide Contents
Contents
About This Document................................................................................................................ ii

1 Configuration Guide - Basic Configuration....................................................................... 1
1.1 Logging In to Switch Module.............................................................................................................................................. 2
1.1.1 Introduction........................................................................................................................................................................... 2
1.1.2 Login Modes.......................................................................................................................................................................... 2
1.1.2.1 Logging In to a Switching Plane Using PuTTY (Serial Port Mode)................................................................. 2
1.1.2.2 Logging In to a Switching Plane Using PuTTY (Network Port Mode)........................................................... 5
1.1.2.3 Switching a Switching Plane......................................................................................................................................... 7
1.2 CLI Overview............................................................................................................................................................................. 9
1.2.1 CLI Introduction.................................................................................................................................................................... 9
1.2.1.1 Command Line Interface............................................................................................................................................... 9
1.2.1.2 Command Levels............................................................................................................................................................ 10
1.2.1.3 Command Views............................................................................................................................................................ 11
1.2.2 Online Help......................................................................................................................................................................... 14
1.2.2.1 Full Help............................................................................................................................................................................ 14
1.2.2.2 Partial Help...................................................................................................................................................................... 14
1.2.2.3 Error Messages of the Command Line Interface................................................................................................ 15
1.2.3 Features of Command Line Interface......................................................................................................................... 15
1.2.3.1 Editing................................................................................................................................................................................ 15
1.2.3.2 Displaying......................................................................................................................................................................... 16
1.2.3.3 Regular Expressions....................................................................................................................................................... 17
1.2.3.4 History Commands........................................................................................................................................................ 20
1.2.4 Shortcut Keys...................................................................................................................................................................... 21
1.2.4.1 System hotkeys............................................................................................................................................................... 21
1.2.4.2 Using Hotkeys................................................................................................................................................................. 23
1.2.5 Configuration Examples.................................................................................................................................................. 23
1.2.5.1 Example for Using the Tab Key................................................................................................................................. 23
1.3 How to Use Interfaces......................................................................................................................................................... 24
1.3.1 Introduction to Interfaces............................................................................................................................................... 24
1.3.2 Setting Basic Parameters of an Interface.................................................................................................................. 26
1.3.2.1 Establishing the Configuration Task........................................................................................................................ 26
1.3.2.2 Entering the Interface View........................................................................................................................................ 27
1.3.2.3 Viewing All the Commands in the Interface View..............................................................................................27
Issue 09 (2022-06-30) Copyright © Huawei Technologies Co., Ltd. vii

1.3.2.4 Configuring the Description for an Interface....................................................................................................... 28

1.3.2.5 Starting and Shutting Down an Interface............................................................................................................. 28
1.3.2.6 Further Configuration an Interface.......................................................................................................................... 29
1.3.2.7 Checking the Configuration........................................................................................................................................30
1.3.3 Configuring the Loopback Interface........................................................................................................................... 30
1.3.3.2 Configuring IPv4 Parameters of the Loopback Interface................................................................................. 31
1.3.4 Maintaining the Interface............................................................................................................................................... 31
1.3.4.1 Clearing Statistics Information on the Interface................................................................................................. 31
1.4 Basic Configuration.............................................................................................................................................................. 32
1.4.1 Basic Configuration Introduction................................................................................................................................. 32
1.4.2 Configuring the Basic System Environment............................................................................................................. 32
1.4.2.2 Configuring the Equipment Name........................................................................................................................... 33
1.4.2.3 Configuring the Header Text...................................................................................................................................... 33
1.4.2.4 Configuring Command Levels....................................................................................................................................34
1.4.3 Displaying System Status Messages........................................................................................................................... 35
1.4.3.1 Displaying System Configuration............................................................................................................................. 35
1.4.3.2 Collecting System Diagnostic Information............................................................................................................ 36
1.5 User Management................................................................................................................................................................ 36
1.5.1 User Management Introduction................................................................................................................................... 36
1.5.1.1 User Interface.................................................................................................................................................................. 36
1.5.1.2 User Authentication...................................................................................................................................................... 37
1.5.2 Configuring Console User Interface............................................................................................................................ 38
1.5.2.2 Setting Console Terminal Attributes........................................................................................................................38
1.5.2.3 Configuring User Priority............................................................................................................................................. 39
1.5.3 Managing User Interfaces.............................................................................................................................................. 40
1.5.3.2 Sending Messages to Other User Interfaces........................................................................................................ 41
1.5.3.3 Clearing Online User..................................................................................................................................................... 41
1.6 File System Management.................................................................................................................................................. 42
1.6.1 Overview of the File System.......................................................................................................................................... 42
1.6.2 Managing a Storage Device...........................................................................................................................................42
1.6.2.2 (Optional) Formatting a Storage Device............................................................................................................... 43
1.6.3 Managing the Directory.................................................................................................................................................. 43
1.6.3.2 Viewing the Current Directory................................................................................................................................... 44
Issue 09 (2022-06-30) Copyright © Huawei Technologies Co., Ltd. viii

1.6.3.3 Switching a Directory....................................................................................................................................................44

1.6.3.4 Displaying a Directory or File.................................................................................................................................... 45
1.6.3.5 Creating a Directory...................................................................................................................................................... 45
1.6.3.6 Deleting a Directory...................................................................................................................................................... 45
1.6.4 Managing Files................................................................................................................................................................... 46
1.6.4.2 Displaying Contents of Files....................................................................................................................................... 46
1.6.4.3 Copying Files.................................................................................................................................................................... 47
1.6.4.4 Moving Files..................................................................................................................................................................... 47
1.6.4.5 Renaming Files................................................................................................................................................................ 47
1.6.4.6 Compressing Files.......................................................................................................................................................... 48
1.6.4.7 Deleting Files................................................................................................................................................................... 48
1.6.4.8 Deleting Files in the Recycle Bin............................................................................................................................... 48
1.6.4.9 Undeleting Files.............................................................................................................................................................. 48
1.6.4.10 Running Files in Batch............................................................................................................................................... 49
1.6.4.11 Configuring Prompt Modes...................................................................................................................................... 49
1.7 Management of Configuration Files.............................................................................................................................. 50
1.7.1 Management of Configuration Files Introduction................................................................................................. 50
1.7.1.1 Configuration Files.........................................................................................................................................................50
1.7.1.2 Configuration Files and Current Configurations................................................................................................. 51
1.7.2 Managing Configuration Files.......................................................................................................................................51
1.7.2.2 Saving Configuration File............................................................................................................................................ 52
1.7.2.3 Comparing Configuration Files................................................................................................................................. 52
1.8 FTP and TFTP..........................................................................................................................................................................54
1.8.1 FTP and TFTP Introduction.............................................................................................................................................54
1.8.1.1 FTP...................................................................................................................................................................................... 54
1.8.1.2 TFTP.................................................................................................................................................................................... 54
1.8.2 Configuring the Switch Module to Be the FTP Client........................................................................................... 55
1.8.2.2 Logging In to the FTP Server..................................................................................................................................... 55
1.8.2.3 Configuring the Data Type and Transmission Mode for a File.......................................................................56
1.8.2.4 Viewing Online Help of the FTP Command......................................................................................................... 57
1.8.2.5 Uploading or Downloading Files.............................................................................................................................. 57
1.8.2.6 Managing Directories................................................................................................................................................... 58
1.8.2.7 Managing Files................................................................................................................................................................ 59
1.8.2.8 Changing the Login User............................................................................................................................................. 60
1.8.2.9 Disconnecting from the FTP Server......................................................................................................................... 61
1.8.3 Configuring the Switch Module to Be the TFTP Client........................................................................................ 61
1.8.3.2 Downloading Files Through TFTP............................................................................................................................ 62
Issue 09 (2022-06-30) Copyright © Huawei Technologies Co., Ltd. ix

1.8.3.3 Uploading Files Through TFTP.................................................................................................................................. 62

1.8.4 Limiting the Access to the TFTP Server..................................................................................................................... 63
1.8.4.2 Configuring the Basic ACL.......................................................................................................................................... 63
1.8.4.3 Configuring the Basic TFTP ACL............................................................................................................................... 64
1.8.5.1 Example for Configuring the FTP Client.................................................................................................................64
1.8.5.2 Example for Configuring the TFTP Client.............................................................................................................. 67
1.9 Telnet and SSH.......................................................................................................................................................................68
1.9.1 Telnet and SSH Introduction..........................................................................................................................................68
1.9.1.1 Overview of User Login............................................................................................................................................... 68
1.9.1.2 Telnet Terminal Services.............................................................................................................................................. 69
1.9.1.3 SSH Terminal Services.................................................................................................................................................. 69
1.9.2 Configuring the STelnet Client Function................................................................................................................... 71
1.9.2.2 Enabling the First-Time Authentication on the SSH Client............................................................................. 72
1.9.2.3 (Optional) Assigning an RSA Public Key to the SSH Server............................................................................73
1.9.2.4 Enabling the STelnet Client........................................................................................................................................ 74
1.9.3 Configuring the SFTP Client Function........................................................................................................................ 75
1.9.3.2 Configuring the First-Time Authentication on the SSH Client....................................................................... 76
1.9.3.3 (Optional) Assigning an RSA Public Key to the SSH Server............................................................................77
1.9.3.4 Enabling the SFTP Client............................................................................................................................................. 78
1.9.3.5 (Optional) Managing the Directory........................................................................................................................ 79
1.9.3.6 (Optional) Managing the File....................................................................................................................................80
1.9.3.7 (Optional) Displaying the SFTP Client Command Help................................................................................... 81
2 Configuration Guide-Ethernet............................................................................................83
2.1 Ethernet Interface Configuration.....................................................................................................................................83
2.1.1 Introduction to Ethernet Interfaces............................................................................................................................. 84
2.1.2 Ethernet Interface Features Supported by the CX91x series.............................................................................. 84
2.1.3 Configuring Basic Attributes of the Ethernet Interface........................................................................................ 85
2.1.3.2 (Optional) Configuring the Description................................................................................................................. 85
2.1.3.3 (Optional) Setting the Duplex Mode...................................................................................................................... 86
2.1.3.4 (Optional) Setting the Rate of an Interface......................................................................................................... 87
2.1.3.5 (Optional) Enabling Auto-Negotiation.................................................................................................................. 87
2.1.4 Configuring the Advanced Attributes of an Ethernet Interface........................................................................ 89
2.1.4.2 (Optional) Configuring Loopback Test on the Ethernet Interface................................................................ 89
Issue 09 (2022-06-30) Copyright © Huawei Technologies Co., Ltd. x

2.1.4.3 (Optional) Configuring the Interface Group........................................................................................................ 90

2.1.4.4 (Optional) Setting the Maximum Frame Length on the Ethernet Interface.............................................90
2.1.4.5 (Optional) Enabling Flow Control............................................................................................................................ 91
2.1.4.6 (Optional) Enabling Auto-Negotiation of Flow Control.................................................................................. 92
2.1.5 Maintaining Ethernet Interfaces...................................................................................................................................93
2.1.5.1 Debugging Ethernet Interfaces................................................................................................................................. 93
2.1.6.1 Example for Configuring Port Isolation.................................................................................................................. 94
2.2 Link Aggregation Configuration...................................................................................................................................... 96
2.2.1 Introduction to Link Aggregation................................................................................................................................ 96
2.2.2 Link Aggregation Supported by the CX91x series.................................................................................................. 96
2.2.3 Configuring Link Aggregation in Manual Load Balancing Mode..................................................................... 98
2.2.3.2 Configuring the Eth-Trunk to Work in Manual Load Balancing Mode........................................................99
2.2.3.3 Adding Member Interfaces to an Eth-Trunk......................................................................................................... 99
2.2.3.4 (Optional) Configuring the Load Balancing Mode.......................................................................................... 101
2.2.3.5 (Optional) Limiting the Number of Active Interfaces.................................................................................... 101
2.2.3.6 (Optional) Configuring the Load Balancing Mode for Unknown Unicast Traffic.................................102
2.2.3.7 Checking the Configuration..................................................................................................................................... 103
2.2.4 Configuring Link Aggregation in Static LACP Mode........................................................................................... 103
2.2.4.1 Establishing the Configuration Task......................................................................................................................103
2.2.4.2 Configuring the Eth-Trunk to Work in Static LACP Mode............................................................................. 104
2.2.4.3 Adding Member Interfaces to an Eth-Trunk.......................................................................................................105
2.2.4.4 (Optional) Configuring the Load Balancing Mode.......................................................................................... 107
2.2.4.5 (Optional) Limiting the Number of Active Interfaces.................................................................................... 107
2.2.4.6 (Optional) Setting the LACP Priority of the System........................................................................................ 108
2.2.4.7 (Optional) Setting the LACP Priority of the Interface.................................................................................... 109
2.2.4.8 (Optional) Enabling LACP Preemption and Setting the Delay for LACP Preemption..........................109
2.2.4.9 (Optional) Setting the Timeout Interval for Receiving LACP Packets....................................................... 110
2.2.4.10 (Optional) Configuring the Load Balancing Mode for Unknown Unicast Traffic.............................. 111
2.2.4.11 Checking the Configuration................................................................................................................................... 111
2.2.5 Maintaining Link Aggregation.................................................................................................................................... 112
2.2.5.1 Clearing Statistics of LACP Packets....................................................................................................................... 112
2.2.5.2 Monitoring the Operation Status of the Link Aggregation Group............................................................. 113
2.2.6 Configuration Examples................................................................................................................................................ 113
2.2.6.1 Example for Configuring Link Aggregation in Manual Load Balancing Mode...................................... 113
2.2.6.2 Example for Configuring Link Aggregation in Static LACP Mode.............................................................. 116
2.3 VLAN Configuration...........................................................................................................................................................119
2.3.1 Introduction to VLAN..................................................................................................................................................... 119
2.3.2 VLAN Features Supported by the CX91x series.................................................................................................... 120
2.3.3 Creating VLANs................................................................................................................................................................ 122
Issue 09 (2022-06-30) Copyright © Huawei Technologies Co., Ltd. xi


2.3.3.2 Creating a VLAN.......................................................................................................................................................... 122
2.3.3.3 (Optional) Creating VLANs in a Batch................................................................................................................. 123
2.3.3.4 (Optional) Enabling Traffic Statistic in a VLAN................................................................................................ 123
2.3.3.5 (Optional) Disabling MAC Address Learning on a VLAN.............................................................................. 124
2.3.4 Adding Interfaces to a VLAN...................................................................................................................................... 125
2.3.4.2 Adding an Access Interface to a VLAN................................................................................................................ 126
2.3.4.3 Adding a Trunk Interface to a VLAN.....................................................................................................................127
2.3.4.4 Adding a Hybrid Interface to a VLAN...................................................................................................................128
2.3.4.5 (Optional) Specifying the Default VLAN of a Trunk Interface.................................................................... 128
2.3.4.6 (Optional) Specifying the Default VLAN of a Hybrid Interface.................................................................. 129
2.3.5 Configuring VLANIF Interfaces to Implement Layer-3 Communication...................................................... 131
2.3.5.2 Creating a VLANIF Interface.................................................................................................................................... 131
2.3.5.3 Assigning an IP Address to the VLANIF Interface............................................................................................ 132
2.3.5.4 (Optional) Setting the MTU of a VLANIF Interface.........................................................................................133
2.3.6 Configuring Management VLANs............................................................................................................................. 134
2.3.6.2 Configuring a Management VLAN........................................................................................................................ 135
2.3.7 Maintaining the VLAN...................................................................................................................................................136
2.3.7.1 Clearing Statistics on a VLAN..................................................................................................................................136
2.4 MAC Address Table Configuration................................................................................................................................136
2.4.1 Introduction to the MAC Address Table.................................................................................................................. 136
2.4.2 MAC Address Table Features Supported by the CX91x series......................................................................... 136
2.4.3 Configuring the MAC Address Table........................................................................................................................ 137
2.4.3.2 Creating a Static MAC Address Entry................................................................................................................... 138
2.4.3.3 Creating a Blackhole MAC Address Entry........................................................................................................... 138
2.4.3.4 (Optional) Setting the Aging Time of Dynamic MAC Address Entries..................................................... 138
2.4.3.5 (Optional) Disabling MAC Address Learning.....................................................................................................139
2.4.4 Configuring Interface Security.................................................................................................................................... 141
2.4.5 Maintaining the MAC Address Table........................................................................................................................ 142
2.4.5.1 Debugging the MAC Address Table...................................................................................................................... 143
Issue 09 (2022-06-30) Copyright © Huawei Technologies Co., Ltd. xii

2.4.6.1 Example for Configuring the MAC Address Table............................................................................................ 143

2.5 ARP Configuration.............................................................................................................................................................. 146
2.5.1 Introduction to ARP........................................................................................................................................................ 146
2.5.2 ARP Features Supported by the CX91x series....................................................................................................... 146
2.5.3 Configuring ARP.............................................................................................................................................................. 146
2.5.3.2 Creating a Static ARP Entry......................................................................................................................................147
2.5.3.3 Optimizing Dynamic ARP......................................................................................................................................... 148
2.5.4 Maintaining ARP..............................................................................................................................................................149
2.5.4.1 Clearing ARP Statistics............................................................................................................................................... 149
2.5.4.2 Monitoring the Running Status of ARP............................................................................................................... 149
2.5.4.3 Debugging ARP............................................................................................................................................................ 150
2.5.5.1 Example for Configuring ARP.................................................................................................................................. 150
2.6 MSTP Configuration.......................................................................................................................................................... 153
2.6.1 Overview of STP, RSTP, and MSTP.............................................................................................................................153
2.6.2 MSTP Features Supported by the CX91x series.................................................................................................... 155
2.6.3 Adding an CX91x series to a Specified MST Region........................................................................................... 160
2.6.3.2 Setting the Working Mode of the CX91x series................................................................................................ 161
2.6.3.3 Configuring the MST Region................................................................................................................................... 162
2.6.3.4 Activating the Configuration of an MST Region...............................................................................................163
2.6.3.5 (Optional) Configuring an CX91x series as a Root Switch or Secondary Root Switch........................163
2.6.3.6 (Optional) Setting the Priority of an CX91x series in a Specified MSTI................................................... 164
2.6.3.7 Enabling MSTP..............................................................................................................................................................165
2.6.4 Setting MSTP parameters.............................................................................................................................................166
2.6.4.2 Setting MSTP Network Parameters of the CX91x series................................................................................ 167
2.6.4.3 Setting MSTP Parameters of an Interface........................................................................................................... 169
2.6.4.4 Switching an Interface to the MSTP Mode.........................................................................................................171
2.6.4.5 Setting the Format of MSTP Packets on an Interface.....................................................................................171
2.6.4.6 Configuring Fast Transition Mechanism on an Interface............................................................................... 172
2.6.5 Configuring MSTP Protection......................................................................................................................................174
2.6.5.2 Configuring BPDU Protection on the CX91x series.......................................................................................... 175
2.6.5.3 Configuring Root Protection on an Interface.....................................................................................................176
2.6.5.4 Configuring Loop Protection on the CX91x series............................................................................................177
2.6.5.5 Configuring TC Packet Suppression on the CX91x series............................................................................... 178
Issue 09 (2022-06-30) Copyright © Huawei Technologies Co., Ltd. xiii

2.6.6 Maintaining MSTP.......................................................................................................................................................... 180

2.6.6.1 Clearing MSTP Statistics............................................................................................................................................ 180
2.6.6.2 Debugging MSTP......................................................................................................................................................... 180
2.6.7.1 Example for Configuring Basic MSTP Functions............................................................................................... 181
3 Configuration Guide-IP Services...................................................................................... 189

3.1 IP Address Configuration................................................................................................................................................. 189
3.1.1 Introduction to IP Addresses....................................................................................................................................... 189
3.1.2 IP Address Features Supported by the CX91x series........................................................................................... 189
3.1.3 Assigning IP Addresses to VLANIF Interfaces........................................................................................................ 190
3.1.3.2 Setting a Primary IP Address for an VLANIF Interface................................................................................... 190
3.1.3.3 (Optional)Setting a Secondary IP Addresses for an VLANIF Interface..................................................... 191
3.1.4.1 Example for Setting Primary and Secondary IP Addresses........................................................................... 192
4 Configuration Guide-QoS.................................................................................................. 195

4.1 Class-based QoS Configuration..................................................................................................................................... 195
4.1.1 Introduction to Class-based QoS............................................................................................................................... 195
4.1.2 Class-based QoS Features Supported by the CX91x series...............................................................................196
4.1.3 Creating a Traffic Policy Based on Complex Traffic Classification.................................................................198
4.1.3.2 Configuring Complex Traffic Classification.........................................................................................................199
4.1.3.2.1 Creating a Traffic Classifier Based on Layer 2 Information.......................................................................199
4.1.3.2.2 Creating a Traffic Classifier Based on Layer 3 Information.......................................................................200
4.1.3.2.3 Creating a Traffic Classifier Based on an ACL................................................................................................ 201
4.1.3.3 Configuring a Traffic Behavior................................................................................................................................ 203
4.1.3.3.1 Configuring the Deny or Permit Action............................................................................................................ 204
4.1.3.3.2 Configuring the Re-marking Action...................................................................................................................204
4.1.3.3.3 Configuring Traffic Policing.................................................................................................................................. 205
4.1.3.3.4 Configuring Flow Mirroring.................................................................................................................................. 205
4.1.3.3.5 Configuring Traffic Statistics................................................................................................................................ 206
4.1.3.4 Creating a Traffic Policy............................................................................................................................................ 206
4.1.3.5 Applying a Traffic Policy............................................................................................................................................207
4.1.4 Maintaining Class-based QoS..................................................................................................................................... 209
4.1.4.1 Displaying the Flow-based Traffic Statistics...................................................................................................... 209
4.1.4.2 Clearing the Flow-based Traffic Statistics...........................................................................................................209
4.1.5.1 Example for Re-marking the Priorities Based on Complex Traffic Classification.................................. 209
4.1.5.2 Example for Redirecting Packets Based on Complex Traffic Classification............................................. 213
4.1.5.3 Example for Configuring Traffic Statistics Based on Complex Traffic Classification............................216
Issue 09 (2022-06-30) Copyright © Huawei Technologies Co., Ltd. xiv

4.2 Traffic Policing and Traffic Shaping Configuration................................................................................................ 219

4.2.1 Overview of Traffic Policing and Traffic Shaping................................................................................................ 219
4.2.1.1 Traffic Policing.............................................................................................................................................................. 219
4.2.1.2 Traffic Shaping............................................................................................................................................................. 221
4.2.2 Configuring Traffic Policing Based on a Traffic Classifier................................................................................. 223
4.2.2.2 Configuring Complex Traffic Classification.........................................................................................................224
4.2.2.3 Configuring a Traffic Policing Action.................................................................................................................... 224
4.2.2.4 Creating a Traffic Policy............................................................................................................................................ 224
4.2.2.5 Applying the Traffic Policy........................................................................................................................................225
4.2.3 Configuring Traffic Policing Based on an Interface............................................................................................ 226
4.2.3.2 Limiting the Rate of Traffic on the Inbound Interface................................................................................... 227
4.2.4 Configuring Traffic Shaping........................................................................................................................................ 228
4.2.4.2 Configuring Traffic Shaping on an Interface......................................................................................................229
4.2.4.3 Configuring Traffic Shaping in an Interface Queue........................................................................................ 230
4.2.5 Maintaining Traffic Policing and Traffic Shaping................................................................................................ 230
4.2.5.1 Displaying the Traffic Statistics.............................................................................................................................. 231
4.2.5.2 Clearing the Traffic Statistics...................................................................................................................................231
4.2.6.1 Example for Configuring Traffic Policing Based on a Traffic Classifier.....................................................231
4.2.6.2 Example for Configuring Traffic Policing Based on an Interface................................................................ 238
4.2.6.3 Example for Configuring Traffic Shaping............................................................................................................ 241
4.3 Congestion Management Configuration.................................................................................................................... 244
4.3.1 Overview of Congestion Management....................................................................................................................244
4.3.2 Configuring Congestion Management.................................................................................................................... 245
4.3.2.2 Setting the Scheduling Mode for an Interface Queue....................................................................................246
4.3.2.3 (Optional) Configuring Traffic Shaping............................................................................................................... 248
4.3.3 Maintaining Congestion Management....................................................................................................................248
4.3.3.1 Displaying the Queue-based Statistics.................................................................................................................248
4.3.3.2 Clearing the Queue-based Statistics..................................................................................................................... 249
4.3.4.1 Example for Configuring Congestion Management........................................................................................ 249
5 Configuration Guide-Security.......................................................................................... 253

5.1 Traffic Suppression Configuration................................................................................................................................ 253
5.1.1 Introduction to Traffic Suppression.......................................................................................................................... 253
5.1.2 Traffic Suppression Features Supported by the CX91x series.......................................................................... 253
5.1.3 Configuring Traffic Suppression................................................................................................................................. 254
Issue 09 (2022-06-30) Copyright © Huawei Technologies Co., Ltd. xv


5.1.3.2 Configuring Traffic Suppression on an Interface.............................................................................................. 254
5.1.4.1 Example for Configuring Traffic Suppression.................................................................................................... 256
5.2 ACL Configuration.............................................................................................................................................................. 257
5.2.1 Introduction to the ACL................................................................................................................................................ 257
5.2.2 Classification of ACLs Supported by the CX91x series....................................................................................... 257
5.2.3 Configuring an ACL........................................................................................................................................................ 258
5.2.3.2 Creating an ACL........................................................................................................................................................... 259
5.2.3.3 (Optional) Setting the Time Range When an ACL Takes Effect................................................................. 260
5.2.3.4 (Optional) Configuring the Description of an ACL.......................................................................................... 260
5.2.3.5 Configuring a Basic ACL............................................................................................................................................ 261
5.2.3.6 Configuring an Advanced ACL................................................................................................................................ 262
5.2.3.7 Configuring a Layer 2 ACL........................................................................................................................................263
5.2.3.8 (Optional) Setting the Step Between ACL Rules.............................................................................................. 263
5.2.4.1 Example for Configuring a Basic ACL................................................................................................................... 265
5.2.4.2 Example for Configuring an Advanced ACL....................................................................................................... 267
5.2.4.3 Example for Configuring a Layer 2 ACL...............................................................................................................271
6 Configuration Guide-Reliability.......................................................................................275
6.1 Smart Link and Monitor Link Configuration............................................................................................................. 275
6.1.1 Smart Link and Monitor Link...................................................................................................................................... 275
6.1.2 Configuring a Smart Link Group................................................................................................................................276
6.1.2.2 Creating and Enabling a Smart Link Group....................................................................................................... 277
6.1.2.3 Configuring the Master and Slave Interfaces in a Smart Link Group....................................................... 278
6.1.2.4 Enabling the Sending of Flush Packets................................................................................................................ 279
6.1.2.5 (Optional) Configuring Load Balancing in a Smart Link Group................................................................. 280
6.1.2.6 (Optional) Enabling Revertive Switching and Setting the WTR Time.......................................................280
6.1.2.7 (Optional) Enabling the Receiving of Flush Packets....................................................................................... 281
6.1.2.8 (Optional) Setting the Holdtime of the Smart Link Switchover................................................................. 282
6.1.2.9 Enabling the Functions of the Smart Link Group............................................................................................. 282
6.1.3 Configuring a Flow Control Policy in a Smart Link Group................................................................................284
6.1.3.2 Locking Data Flows on the Master Interface.....................................................................................................285
6.1.3.3 Locking Data Flows on the Slave Interface........................................................................................................ 286
6.1.3.4 Switching Data Flows Manually............................................................................................................................. 286
Issue 09 (2022-06-30) Copyright © Huawei Technologies Co., Ltd. xvi

6.1.4 Configuring a Monitor Link Group............................................................................................................................287

6.1.4.2 Creating a Monitor Link Group...............................................................................................................................289
6.1.4.3 Configuring the Uplink and Downlink Interfaces in a Monitor Link Group............................................289
6.1.4.4 Setting the Revertive Switching Interval of a Monitor Link group.............................................................290
6.1.5.1 Example for Configuring Basic Functions of Smart Link................................................................................291
6.1.5.2 Example for Configuring Load Balancing Between Active and Standby Links of a Smart Link Group
......................................................................................................................................................................................................... 294
6.1.5.3 Example for Applying the Smart Link Functions.............................................................................................. 298
7 Configuration Guide-Device Management................................................................... 304

7.1 Using display commands to check the status of the device................................................................................304
7.1.1 Introduction.......................................................................................................................................................................304
7.1.2 Checking the Status of the CX91x series................................................................................................................ 305
7.1.2.1 Checking Information About the CX91x series.................................................................................................. 305
7.1.2.2 Checking the Version of the CX91x series........................................................................................................... 305
7.1.2.3 Checking the CPU Usage.......................................................................................................................................... 306
7.1.2.4 Checking the Memory Usage.................................................................................................................................. 306
7.2 Monitoring the Device Through the Information Center..................................................................................... 306
7.2.1 Information Center Overview..................................................................................................................................... 307
7.2.1.1 Introduction to the Information Center............................................................................................................... 307
7.2.1.2 Information Center Supported by the CX91x series........................................................................................ 307
7.2.2 Configuring the Information Center......................................................................................................................... 313
7.2.2.2 Enabling the Information Center........................................................................................................................... 314
7.2.2.3 (Optional) Naming the Information Channel................................................................................................... 314
7.2.2.4 Defining the Information to Be Sent to the Information Center................................................................ 314
7.2.2.5 (Optional) Configuring the Timestamp for the Output Information........................................................ 315
7.2.3 Sending Information of the Information Center.................................................................................................. 316
7.2.3.1 Sending Information to the Console..................................................................................................................... 316
7.2.3.2 Sending Information to the Telnet Terminal......................................................................................................317
7.2.3.3 Sending Information to the SNMP Agent........................................................................................................... 318
7.2.3.4 Sending Information to the Log Buffer................................................................................................................318
7.2.3.5 Sending Information to the Trap Buffer.............................................................................................................. 318
7.2.3.6 Sending Information to the Log Host.................................................................................................................. 319
7.2.3.7 Writing Information to the Log File...................................................................................................................... 319
7.2.4 Maintaining the Information Center........................................................................................................................ 320
7.2.5.1 Example for Configuring the Information Center............................................................................................ 321
Issue 09 (2022-06-30) Copyright © Huawei Technologies Co., Ltd. xvii

7.3 Mirroring................................................................................................................................................................................323
7.3.1 Introduction.......................................................................................................................................................................323
7.3.1.1 Mirroring Functions.................................................................................................................................................... 323
7.3.1.2 Logical Relationships Between Configuration Tasks....................................................................................... 324
7.3.2 Configuring Local Port Mirroring...............................................................................................................................324
7.3.2.2 Configuring a Mirrored Port.................................................................................................................................... 325
7.3.3 Canceling Port-based Mirroring................................................................................................................................. 326
7.3.3.2 Canceling Port Mirroring........................................................................................................................................... 327
7.3.4 Changing or Deleting an Observing Port............................................................................................................... 327
7.3.4.2 (Optional) Deleting an Observing Port............................................................................................................... 328
7.3.4.3 (Optional) Changing an Observing Port............................................................................................................. 328
7.3.5.1 Example for Configuring Local Port Mirroring.................................................................................................. 329
7.3.5.2 Example for Changing an Observing Port.......................................................................................................... 331
7.4 Restarting.............................................................................................................................................................................. 333
7.4.1 Restarting the CX91x series Immediately Through Command Lines............................................................ 333
7.4.2 Restarting the CX91x series Using the Ejector Levers........................................................................................ 334
8 Configuration Guide-Network Management............................................................... 335

8.1 SNMP Configuration..........................................................................................................................................................335
8.1.1 Introduction to SNMP.................................................................................................................................................... 335
8.1.2 SNMP Supported by the CX91x series..................................................................................................................... 337
8.1.3 Configuring Basic Functions of SNMPv1.................................................................................................................338
8.1.3.2 Enabling Basic SNMP Functions............................................................................................................................. 339
8.1.3.3 Configuring the SNMP Version............................................................................................................................... 339
8.1.3.4 Setting the SNMP Community Name...................................................................................................................340
8.1.4 Configuring Community-Name-based Access Control in SNMPv1............................................................... 341
8.1.4.2 Configuring the SNMP Version .............................................................................................................................. 341
8.1.4.4 Configuring the ACL................................................................................................................................................... 342
8.1.5 Configuring MIB-View-based Access Control in SNMPv1................................................................................. 344
Issue 09 (2022-06-30) Copyright © Huawei Technologies Co., Ltd. xviii

8.1.5.3 Creating a MIB View................................................................................................................................................... 345

8.1.5.4 Configuring MIB-View-based Access Control.....................................................................................................345
8.1.6 Configuring Basic Functions of SNMPv2c...............................................................................................................347
8.1.6.2 Enabling Basic SNMP Functions ............................................................................................................................ 347
8.1.6.4 Setting the SNMP Community Name...................................................................................................................348
8.1.7 Configuring Community-Name-based Access Control in SNMPv2c............................................................. 349
8.1.7.4 Configuring the ACL................................................................................................................................................... 351
8.1.8 Configuring MIB-View-based Access Control in SNMPv2c............................................................................... 352
8.1.8.3 Creating a MIB View................................................................................................................................................... 353
8.1.8.4 Configuring MIB-View-based Access Control.....................................................................................................354
8.1.9 Configuring Basic Functions of SNMPv3.................................................................................................................355
8.1.9.2 Enabling Basic SNMP Functions ............................................................................................................................ 356
8.1.9.4 Configuring an SNMP User Group.........................................................................................................................357
8.1.9.5 Configuring User Information................................................................................................................................. 357
8.1.10 Configuring User Group-based Access Control in SNMPv3........................................................................... 358
8.1.10.1 Establishing the Configuration Task................................................................................................................... 358
8.1.10.2 Configuring the SNMP Version.............................................................................................................................359
8.1.10.3 Configuring an SNMP User Group...................................................................................................................... 359
8.1.10.4 Configuring User Information............................................................................................................................... 360
8.1.10.5 Configuring a Basic ACL..........................................................................................................................................360
8.1.10.6 Configuring the ACL................................................................................................................................................. 361
8.1.11 Configuring User-based Access Control in SNMPv3......................................................................................... 362
8.1.11.3 Configuring an SNMP User Group ..................................................................................................................... 363
8.1.11.5 Configuring a Basic ACL..........................................................................................................................................364
Issue 09 (2022-06-30) Copyright © Huawei Technologies Co., Ltd. xix

8.1.11.6 Applying the ACL....................................................................................................................................................... 364

8.1.12 Configuring Authentication and Encryption Functions in SNMPv3............................................................ 366
8.1.12.3 Configuring an SNMP User Group...................................................................................................................... 367
8.1.12.5 Configuring the Authentication Function for the SNMP User Group..................................................... 368
8.1.12.6 Configuring the Encryption Function for the SNMP User Group............................................................. 368
8.1.12.7 Configuring Authentication and Encryption Functions for the SNMP User......................................... 369
8.1.13 Configuring MIB-View-based Access Control in SNMPv3...............................................................................370
8.1.13.3 Creating a MIB View................................................................................................................................................ 371
8.1.13.4 Assigning Permission to the SNMP User Group............................................................................................. 372
8.1.14 Configuring SNMP Maintenance Information.................................................................................................... 374
8.1.14.2 Configuring Contact Methods of the Administrator..................................................................................... 374
8.1.14.3 Configuring the Location of the Switch Module............................................................................................ 375
8.1.15 Configuring the Maximum Size of the SNMP Packet...................................................................................... 375
8.1.15.2 Configuring the Maximum Size of an SNMP Packet.................................................................................... 376
8.1.15.3 Verifying the Configurations................................................................................................................................. 377
8.1.16 Configuring the Trap Function................................................................................................................................. 377
8.1.16.2 (Optional) Enabling the Switch Module to Send Alarms to the NM Station...................................... 378
8.1.16.3 (Optional) Enabling the Switch Module to Send an Alarm Message of a Specified Feature to the
NM Station................................................................................................................................................................................... 379
8.1.16.4 Setting the Destination Host of Trap Messages............................................................................................. 379
8.1.16.5 (Optional) Setting the Source Interface for Sending Trap Messages..................................................... 379
8.1.16.6 (Optional) Setting the Queue Length of Trap Messages............................................................................ 380
8.1.16.7 (Optional) Setting the Lifetime of Trap Messages........................................................................................ 381
8.1.16.8 Verifying the Configurations................................................................................................................................. 381
8.1.17 Propagating Alarms in the Inform Mode............................................................................................................. 382
8.1.17.1 Establishing the Configuration Task.................................................................................................................. 382
8.1.17.2 (Optional) Enabling the Switch Module to Send Alarms to the NM Station ..................................... 383
8.1.17.3 (Optional) Enabling the Switch Module to Send an Alarm Message of a Specified Feature to the
NM Station ................................................................................................................................................................................. 383
8.1.17.4 Configuring the Destination Host of Informing Messages......................................................................... 384
Issue 09 (2022-06-30) Copyright © Huawei Technologies Co., Ltd. xx

8.1.17.5 (Optional) Configuring Global Parameters for the Informing Mode......................................................384

8.1.17.6 (Optional) Configuring the Parameters for the Informing Mode............................................................ 385
8.1.17.7 (Optional) Configuring the Logging Function for the Informing Mode................................................ 385
8.1.18 Configuring the Extended Error Code Function on the SNMP Agent........................................................ 387
8.1.18.2 Enabling the Extended Error Code Function on the SNMP Agent........................................................... 388
8.1.19 Configuration Examples............................................................................................................................................. 389
8.1.19.1 Example for Configuring Basic SNMPv1 Functions....................................................................................... 389
8.1.19.2 Example for Specifying an NMS to Manage the Switch..............................................................................391
8.1.19.3 Example for Configuring Different NMSs to Access the Switch............................................................... 393
8.1.19.4 Example for Configuring Different NMSs to Access the Switch (Inform Mode).................................397
8.1.19.5 Example for Enabling the Extended Error Code Function on the SNMP Agent.................................. 401
8.1.19.6 Example for Configuring Alarm Messages to Be Sent to the Huawei NMS.........................................402
8.2 Ping and Tracert.................................................................................................................................................................. 404
8.2.1 Ping...................................................................................................................................................................................... 404
8.2.2 Tracert................................................................................................................................................................................. 405
8.2.3 Performing Ping and Tracert Operations................................................................................................................ 406
8.2.3.2 Checking Network Connectivity Through the Ping Operation.................................................................... 407
8.2.3.3 Locating Faults on the Network Through the Tracert Operation............................................................... 407
8.2.4.1 Example for Performing Ping and Tracert Operations....................................................................................408
Issue 09 (2022-06-30) Copyright © Huawei Technologies Co., Ltd. xxi

Configuration Guide 1 Configuration Guide - Basic Configuration
1 Configuration Guide - Basic

Configuration
This topic describes how to use the command-line interface (CLI), how to log in to
a switch module, and how to configure functions such as file operations and
system startup.
1.1 Logging In to Switch Module

Before configuring Switch Module, you need to log in to the Switch Module.
1.2 CLI Overview
Users operate devices, that is, configure the device and perform routine
maintenance, by entering command lines.
1.3 How to Use Interfaces
This chapter describes the concept of the interface and the basic configuration
about the interface.
1.4 Basic Configuration
This chapter describes how to configure the basic system environment and the
basic user environment.
1.5 User Management
This chapter describes user interfaces and the configuration of users' login.
1.6 File System Management
This chapter describes the basic knowledge of the file system, including the
methods of managing files, directories, and storage devices.
1.7 Management of Configuration Files
This chapter describes current configurations, configuration files, detection of
master/slave configuration consistency, and configuration recovery.
1.8 FTP and TFTP
This chapter describes the fundamentals, configuration procedures and
configuration examples of FTP and TFTP.
1.9 Telnet and SSH
Telnet or SSH enables a terminal to remotely log in and access to a server.
Issue 09 (2022-06-30) Copyright © Huawei Technologies Co., Ltd. 1

1.1 Logging In to Switch Module

Before configuring Switch Module, you need to log in to the Switch Module.
1.1.1 Introduction
This topic describes how to log in to Switch Module. You can log in to Switch
Module over the SYS COM port or serial over LAN (SOL).
NOTICE
For the first login, you must use the SYS COM serial port to log in to the Switch
Module and set the initial user password. Otherwise, security risks may occur.
The Switch Module has onboard GE switching plane, 10GE switching plane, and FC
switching plane. The commands and examples are based on onboard GE switching
plane in this document. Other planes may be slightly different.
1.1.2 Login Modes

This topic describes the modes of logging in to the Switch Module.
1.1.2.1 Logging In to a Switching Plane Using PuTTY (Serial Port Mode)
Context
This document uses PuTTY as an example to describe how to log in to a switching
plane over a serial port. The application scenarios are as follows:
● If the Switch Module is configured for the first time at a new site, you can log
in to the switching plane from a local PC over a Switch Module serial port to
perform initial configuration.
● If the network is faulty and the Switch Module cannot be remotely connected,
you can log in to the switching plane over a Switch Module serial port to
locate the fault.
Set passwords for logging in to the Switch Module onboard GE and 10GE
switching planes over a serial port for the first time. The system automatically
saves the passwords.
After you successfully set the login passwords, the passwords are used as
authentication passwords in the succeeding logins to the onboard GE and 10GE
switching planes.
You can use the default user name and password to log in to the Switch Module
FC switching plane over a serial port.
Prerequisites
PuTTY is installed and its version is 0.60 or later.

Data
User name and password for logging in to the baseboard management controller
(BMC) over a serial port
Software
PuTTy.exe is free software. You can download it from the Internet. The PuTTY used
to log in over a serial port must be 0.60 or later.
Procedure
Step 1 Log in to a switching plane.
1. Connect the PC RS232 serial port to the serial port marked SYS on the Switch
Module panel by using a DB9-RJ45 cable.
2. Double-click PuTTY.exe on the PC.
The PuTTY Configuration window is displayed.
3. In the navigation tree, choose Connection > Serial.
4. Set the login parameters.
The key communication parameters are as follows:
– Serial Line to connect to: COMn
– Speed (baud): 115200
– Data bits: 8
– Stop bits: 1
– Parity: None
– Flow control: None
n indicates the serial port number, and the value is an integer.
NOTE
The baud rates of the onboard GE switching plane and 10GE switching plane are
115200 bit/s, and the baud rate of the FC switching plane is 9600 bit/s.
5. In the navigation tree, choose Session.
6. Set Connection type to Serial, as shown in Figure 1-1.

Figure 1-1 PuTTY Configuration
7. Click Open.
Open the switching plane command-line interface (CLI).
8. Determine if you log in to the switching plane over a serial port for the first
time.
NOTE
You need to set login passwords of the onboard GE switching plane and 10GE
switching plane upon the first login. The FC switching plane has a default user name
and password. You can perform Step 1.9 to log in to the FC switching plane.
– If yes, go to Step 2.1.
– If no, go to Step 1.9.
9. Enter the user name and password of the switching plane, and press Enter.
After login, the host name of the current login plane is displayed on the left
of the prompt.
Step 2 Set a password for logging in to the switching plane.
1. Press Enter.
The following information is displayed:
Please configure the login password (6-16)
Enter Password:
Confirm Password:
Set the initial password as prompted. The system automatically saves the
password.

NOTE
The entered password is not displayed on the terminal screen.
of the prompt.
----End
1.1.2.2 Logging In to a Switching Plane Using PuTTY (Network Port Mode)
Context
This document uses PuTTY as an example to describe how to log in to the Switch
Module switching planes over Secure Shell (SSH) for configuration and
maintenance.
NOTE
You can log in to the Switch Module switching planes over Telnet and SSH. The login
methods are similar. The Telnet login has security risks. You are advised to use SSH login.
This document describes how to log in switching planes over SSH.
Prerequisites
Data
● User names and passwords for logging in to the Switch Module switching
planes over SSH
● IP address and subnet mask of the management network port on the
switching plane to be connected
Software
PuTTy.exe is free software. You can download it from the Internet.
Procedure
Step 1 Connect the Ethernet port on the PC to that on the management module over the
local area network (LAN).
Step 2 Set the IP address and subnet mask of the PC, and ensure that the IP address of
the PC is on the same network segment as the IP address of the management
module.
Step 3 Log in to the Switch Module switching plane over SSH.

1. Double-click PuTTY.exe.
The PuTTY Configuration window is displayed, as shown in Figure 1-2.

2. Set login parameters.
The following describes the parameters:

– Host Name (or IP address): Enter the IP address of the management
network port for logging in to the switching plane, for example,
191.100.34.32.
– Port: Retain the default value 22.
– Connection type: Retain the default value SSH.
– Close window on exit: Retain the default value Only on clean exit.
NOTE
After setting Host Name and then Saved Sessions, click Save. At the next login, you
can double-click the saved settings under Saved Sessions to log in to the switching
plane directly.
3. Click Open.
The PuTTY user interface (UI) is displayed, waiting you to enter a user name.
NOTE
– If you log in to the switching plane for the first time, the PuTTY Security Alert
window is displayed. If you trust the site, click Yes. Then the PuTTY window is
displayed.
– If the entered account is incorrect during the login, PuTTY must be connected
again.

4. Enter a user name and password as prompted.

of the prompt.
----End
1.1.2.3 Switching a Switching Plane
Context
By default, the SYS serial port is used for the onboard GE switching plane. You
need to switch the SYS COM port to another plane when configuring the plane
using a baseboard management controller (BMC) command.
Prerequisites
Data
● Password for logging in to the onboard GE switching plane over a serial port
● Password for logging in to the 10GE switching plane over a serial port
● User name and password for logging in to the switching plane to be
connected over a serial port
Software
PuTTy.exe is free software. You can download it from the Internet. The PuTTY used
to log in over a serial port must be 0.60 or later.
Procedure
Step 1 Connect the PC RS232 serial port to the serial port marked BMC on the switch
module panel by using a DB9-RJ45 cable.
Step 2 Log in to the BMC command-line interface (CLI) using PuTTY.
1. Double-click PuTTY.exe on the PC.
The PuTTY Configuration window is displayed.
2. In the navigation tree, choose Connection > Serial.
3. Set the login parameters.
– Serial Line to connect to: COMn
– Speed (baud): 115200
– Data bits: 8
– Stop bits: 1
– Parity: None
– Flow control: None

4. In the navigation tree, choose Session.

5. Set Connection type to Serial, as shown in Figure 1-3.
6. Click Open.
The PuTTY user interface (UI) is displayed, waiting you to enter a user name.
7. Enter a user name and password as prompted.
of the prompt.
Step 3 On the BMC CLI, switch the SYS COM serial port to the switching plane.
● Switch to the onboard GE switching plane.
root@BMC:/#ipmcset -d systemcom -v 0
If you have successfully switched to the onboard GE switching plane, the
following information is displayed:
Set systemcom successfully!
Serial port direction is:Base Com
● Switch to the 10GE switching plane.

If you have successfully switched to the 10GE switching plane, the following
information is displayed:
Serial port direction is:Fabric Com

● Switch to the fibre channel (FC) switching plane.

If you have successfully switched to the FC switching plane, the following
information is displayed.
Serial port direction is:Thirty Com
Step 4 Connect the PC RS232 serial port and the SYS serial port on the switch module by
using a DB9-RJ45 cable.
Step 5 Log in to the switching plane CLI using PuTTY.
● Serial Line to connect to: COMn
● Speed (baud): 115200
● Data bits: 8
● Stop bits: 1
● Parity: None
● Flow control: None
NOTE
The baud rates of the onboard GE switching plane and 10GE switching plane are 115200
bit/s, and the baud rate of the FC switching plane is 9600 bit/s.
For details about login methods, see Step 2.1 to Step 2.7.
----End
1.2 CLI Overview

Users operate devices, that is, configure the device and perform routine
maintenance, by entering command lines.
1.2.1 CLI Introduction

This topic describes the command line management functions supported by the
CX91x series. You can configure and manage a Switch Module by using the
command line interface (CLI) commands.
The parameter detailed description in this document, see the CX91x Series Switch
Modules V100R001C00 Command Reference.
1.2.1.1 Command Line Interface

The system provides a series of configuration commands, you can configure and
manage a Switch Module by using the CLI commands.
When a prompt appears, you enter the CLI and interact with Switch Module
through CLI.
The characteristics of CLI are as follows:

● Local configuration through SYS COM port.

● A user interface view for specific configuration management.
● Hierarchical command protection for users of different levels, that is, running
the commands of the corresponding level.
● Entering "?" for online help at any time.
● Network testing commands such as tracert and ping for rapidly diagnosing a
network.
● The telnet command for directly logging in to and manage other Switch
Module.
● FTP service for file uploading and downloading.
● Running a history command, like DosKey.
● A command line interpreter provides intelligent command resolution methods
such as key word incomplete match and context conjunction. These methods
make it easy for users to enter their commands.
NOTE
● The system supports the command with up to 512 characters. The command can be
incomplete.
● The system saves the incomplete command to the configuration files in the complete
form; therefore, the command may have more than 512 characters. When the system is
restarted, however, the incomplete command cannot be restored. Therefore, pay
attention to the length of the incomplete command.
1.2.1.2 Command Levels

The system adopts a hierarchical protection mode that has 16 command levels.
The default command levels are as follows:

● Level 0-Visit level: Commands of this level include commands of network
diagnosis tool (such as ping and tracert) and commands that start from the
local device and visit external device (such as Telnet client side).
● Level 1-Monitoring level: Commands of this level, including the display
commands, are used for system maintenance and fault diagnosis.
● Level 2-Configuration level: Commands of this level are service configuration
commands that provide direct network service to the user, including routing
and network layer commands.
● Level 3-Management level: Commands of this level are commands that
influence the basic operation of the system and provide support to the
service. They include file system commands, FTP commands, TFTP commands,
user management commands, level setting commands, system internal
parameter setting commands, and debugging commands that are used for
fault diagnosis.
NOTICE
Not all display commands are of the monitoring level. For example, the display
current-configuration and display saved-configuration commands are of the
management level. For the level of a command, see the CX91x Series Switch
Modules V100R001C00 Command Reference.

To implement efficient management, you can increase the command levels to

0-15. For the increase in the command levels, refer to 1.4.2.4 Configuring
Command Levels.
NOTE
● The default command level may be higher than the command level defined according
to the command rules in application.
● Log in users have the same 16 levels as the command levels. The log in users can use
only the command of the levels that are equal to or lower than their own levels. For
details of log in user levels, refer to 1.5 User Management.
1.2.1.3 Command Views

Command view is the interface where command line can be input. System are
classified into different command views. Each command is enrolled in one or more
command views. The commands can only run in the proper views.
Basic Concepts
# Establish connection with the Switch Module. If the Switch Module adopts the
default configuration, you can enter the user view with the prompt of <Base>.
<Base>
# Type system-view, and you can enter the system view.

<Base> system-view
[Base]
# Type interface gigabitethernet 0/0/1 in the system view, and you can enter the
GE interface view.
[Base] interface gigabitethernet 0/0/1
[Base-GigabitEthernet0/0/1]
NOTE
The prompt <Base> indicates the default Switch Module name. The prompt <> indicates the
user view and the prompt [] indicates other views.
Some commands that are implemented in the system view can also be
implemented in the other views; however, the functions that can be implemented
are command view-specific.
Common Views
The CX91x series provides various command line views. For the methods of
entering the command line views except the following views, see the CX91x Series
Switch Modules V100R001C00 Command Reference.
● User View
Item Description
Function Displays the operation status and statistics about the

CX91x series

Item Description
Entry Enters the user view after setting up a connection

command
Prompt upon <Base>

entry
Quit <Base> quit
Prompt upon None

quit
● System View
Item Description
Function Sets the system parameters of the CX91x series. After

entering the system view, you can enter other views to
configure the CX91x series.
Entry <Base> system-view

command
Prompt upon [Base]

entry
Quit [Base] quit
Prompt upon <Base>

quit
● Ethernet Interface Views

– GE interface view
Item Description
Function Set parameters of a Gigabit Ethernet interface and

manage the Gigabit Ethernet interface of CX91x series.
Entry [Base]interface GigabitEthernet X/Y/Z

command
Prompt upon [Base- GigabitEthernetX/Y/Z]

entry
Quit [Base- GigabitEthernetX/Y/Z] quit
Prompt upon [Base]

quit

NOTE
X/Y/Z specifies the number of a Gigabit Ethernet interface to be configured. It is

in the format of slot number/subcard number/interface sequence number.
– XGE interface view
Item Description
Function Set parameters of a XGigabit Ethernet interface and

manage the XGigabit Ethernet interface of CX91x series.
Entry [Fabric]interface XGigabitEthernet X/Y/Z

command
Prompt upon [Fabric-XGigabitEthernetX/Y/Z]

entry
Quit [Fabric-XGigabitEthernetX/Y/Z] quit
Prompt upon [Fabric]

quit
NOTE
X/Y/Z specifies the number of a XGigabit Ethernet interface to be configured. It is

in the format of slot number/subcard number/interface sequence number.
● VLAN Views
Item Description
Function Adds an interface to or deletes an interface from a VLAN,

and enables the multicast function in the VLAN.
Entry [Base] vlan 10

command
Prompt upon [Base-vlan10]

entry
Quit [Base-vlan10] quit
Prompt upon [Base]

quit
● VLANIF Interface Views
Item Description
Function Assigns IP addresses to VLANIF interfaces and manages the

VLANIF interfaces.
Entry [Base] interface vlanif 10

command

Item Description
Prompt upon [Base-Vlanif10]

entry
Quit [Base-Vlanif10] quit
Prompt upon [Base]

quit
NOTE
The value 10 indicates the number of a VLANIF interface to be configured. You must
create a VLAN before entering the VLANIF interface view.
1.2.2 Online Help

The CLI of the CX91x series provides three types of help: full help, part help, and
command error messages.
1.2.2.1 Full Help

When you enter a command line, you can view the description of keywords or
parameters in the command line through the Full Help.
You can obtain full help from a command view in the following methods:
● In a command view, enter "?" to obtain all the commands in this command
view and descriptions of the commands.
<Base> ?
● Enter a command and a "?" separated by a space. If a keyword is in place of
the "?", all keywords and their descriptions are listed. Here is an example.
<Base> format ?
flash: Device name
flashVX: Device name
<Base> format flash: ?
<cr>
<Base> format flash:
flash: and format flash: are keywords. Device name are the descriptions of
the two keywords.
<cr> indicates that no key word or parameter is in this position and you can
press Enter to repeat the command in the next command line.
● Enter a command and a "?" separated by a space. If a parameter is in place of
the "?", all parameters and their descriptions are listed. Here is an example.
<Base> system-view
[Base] sysname ?
TEXT Host name(1 to 246 characters)
TEXT is a parameter and Host name (1 to 246 characters) is the description.
1.2.2.2 Partial Help

When you enter a command line, you can obtain prompts on the keywords or
parameters at the beginning of the string through the Partial Help.

You can obtain the partial help of the command line in the following ways.
● Enter a character string with a "?" closely following it to display all commands
that begin with this character string.
<Base> f?
format free
ftp
● Enter a command and a character string with "?" closely following it to
display all the key words that begin with this character string.
<Base> display d?
default-parameter device
diagnostic-information
● Enter the first several letters of a key word in the command and then press
Tab to display the complete key word on the condition that the letters
uniquely identify the key word. Otherwise, if you continue to press Tab,
different key words are displayed. You can select the needed key word.
1.2.2.3 Error Messages of the Command Line Interface

If an entered command passes the syntax check, the system executes it.
Otherwise, the system prompts an error message.
See Table 1-1 for the common error messages.
Table 1-1 Common error messages of the command line

Error messages Cause of the error
Unrecognized command The command cannot be found
The key word cannot be found
Wrong parameter Parameter type error
The parameter value exceeds the limit
Incomplete command Incomplete command entered
Too many parameters Too many parameters entered
Ambiguous command Indefinite parameters entered
1.2.3 Features of Command Line Interface

You can edit command lines, display command lines, use the regular expression
for command lines, and invoke historical commands.
1.2.3.1 Editing
The editing function of command lines helps you edit command lines or obtain
help by using certain keys.
The command line supports multi-line edition. The maximum length of each
command is 512 characters.

Keys for editing that are often used are shown in Table 1-2.
Table 1-2 Keys for editing

Key Function
Common key Inserts a character in the current position of the cursor if

the editing buffer is not full and the cursor moves to the
right. Otherwise, there is a warning sound.
Backspace Deletes the character on the left of the cursor that

moves to the left. When the cursor reaches the head of
the command, there is a warning sound.
Left cursor key ← or Moves the cursor to the left by the space of a character.
Ctrl_B When the cursor reaches the head of the command,
there is a warning sound.
Right cursor key → Moves the cursor to the right by the space of a
or Ctrl_F character. When the cursor reaches the end of the
command, there is a warning sound.
Tab Press Tab after typing the incomplete key word and the
system runs the partial help:
● If the matching key word is unique, the system
replaces the typed one with the complete key word
and displays it in a new line with the cursor a space
behind.
● If there are several matches or no match at all, the
system displays the prefix first. Then you can press
Tab to view the matching key word one by one. In
this case, the cursor closely follows the end of the
word and you can type a space to enter the next
word.
● If a wrong key word is entered, press Tab and the
word is displayed in a new line.
1.2.3.2 Displaying
All command lines have the same displaying feature. You can construct the
displaying mode as required.
You can control the display of information on CLI as follows:
● Display prompt and help information in English.
● When the information displayed exceeds a full screen, it provides the pause
function. In this case, the user has three choices as shown in Table 1-3.

Table 1-3 Keys for displaying

Key Function
Ctrl_C Stops displaying and running of the command.

NOTE
You can also press any of the keys except the spacebar and
Enter key to stop the display and running of the command.
Space Continues to display the information on the next

screen.
Enter Continues to display the information on the next

line.
1.2.3.3 Regular Expressions

The regular expression is a mode matching tool. You can construct the matching
mode based on certain rules, and then match the mode with the target object.
The regular expression is an expression that describes a set of strings. It consists of
common characters (such as letters from "a" to "z") and particular characters
(also named metacharacters). The regular expression is a template according to
which you can search for the required string.
A regular expression can provide the following functions:
● Searching for and obtaining a sub-string that matches a rule in the string.
● Substituting a string according to a certain matching rule.
Formal Language Theory of the Regular Expression

The regular expression consists of common characters and particular characters.
● Common characters
Common characters are used to match themselves in a string, including all
upper-case and lower-case letters, digits, punctuations, and special symbols.
For example, a matches the letter "a" in "abc", 202 matches the digit "202" in
"202.113.25.155", and @ matches the symbol "@" in "xxx@xxx.com".
● Particular characters
Particular characters are used together with common characters to match the
complex or particular string combination. Table 1-4 describes particular
characters and their syntax.

Table 1-4 Description of particular characters

Particul Syntax Example
ar
charact
er
\ Defines an escape character, \* matches "*".

which is used to mark the next
character (common or
particular) as the common
character.
^ Matches the starting position ^10 matches "10.10.10.1"

of the string. instead of "20.10.10.1".
$ Matches the ending position of 1$ matches 10.10.10.1 instead

the string. of 10.10.10.2.
* Matches the preceding 10* matches "1", "10", "100",

element zero or more times. and "1000".
(10)* matches "null", "10",
"1010", and "101010".
+ Matches the preceding 10+ matches "10", "100", and

element one or more times "1000".
(10)+ matches "10", "1010",
and "101010".
? Matches the preceding 10? matches "1" and "10".

element zero or one time. (10)? matches "null" and "10".
. Matches any single character. 0.0 matches "0x0" and "020".

.oo matches "book", "look",
and "tool".
() Defines a subexpression, which 100(200)+ matches "100200"

can be null. Both the and "100200200".
expression and the
subexpression should be
matched.
x|y Matches x or y. 100|200 matches "100" or

"200".
1(2|3)4 matches "124" or
"134", instead of "1234", "14",
"1224", and "1334".
[xyz] Matches any single character [123] matches the character 2

in the regular expression. in "255".
[^xyz] Matches any character that is [^123] matches any character

not contained within the except for "1", "2", and "3".
brackets.

Particul Syntax Example

ar
charact
er
[a-z] Matches any character within [0-9] matches any character

the specified range. ranging from 0 to 9.
[^a-z] Matches any character beyond [^0-9] matches all non-

the specified range. numeric characters.
_ Matches a comma "," left _2008_ matches "2008", "space

brace "{", right brace "}", left 2008 space", "space 2008",
parenthesis "(", and right "2008 space", ",2008,",
parenthesis ")". "{2008}", "(2008)", "{2008",
Matches the starting position and "(2008}".
of the input string. NOTE
space is a space.
Matches the ending position of
the input string.
Matches a space.
NOTE
Unless otherwise specified, all characters in the preceding table are displayed on the
screen.
● Degeneration of particular characters
Certain particular characters, when being placed at the following positions in
the regular expression, degenerate to common characters.
– The particular characters following "\" is transferred to match particular
characters themselves.
– The particular characters "*", "+", and "?" placed at the starting position
of the regular expression. For example, +45 matches "+45" and abc(*def)
matches "abc*def".
– The particular character "^" placed at any position except for the start of
the regular expression. For example, abc^ matches "abc^".
– The particular character "$" placed at any position except for the end of
the regular expression. For example, 12$2 matches "12$2".
– The right bracket such as ")" or "]" being not paired with its
corresponding left bracket "(" or "[". For example, abc) matches "abc)"
and 0-9] matches "0-9]".
NOTE
Unless otherwise specified, degeneration rules are applicable when preceding regular
expressions serve as subexpressions within parentheses.
● Combination of common and particular characters
In actual application, a regular expression combines multiple common and
particular characters to match certain strings.

Specifying a Filtering Mode in Command
NOTICE
The CX91x series uses a regular expression to implement the filtering function of
the pipe character. A display command supports the pipe character only when
there is excessive output information.
When the output information is queried according to the filtering conditions, the
first line of the command output starts with the information containing the
regular expression.
The command can carry the parameter | count to display the number of matching
entries. The parameter | count can be used together with other parameters.
For the commands supporting regular expressions, the three filtering methods are
as follows:
● | begin regular-expression: displays the information that begins with the line
that matches regular expression.
● | exclude regular-expression: displays the information that excludes the lines
that match regular expression.
● | include regular-expression: displays the information that includes the lines
that match regular expression.
NOTE
The value of regular-expression is a string of 1 to 255 characters.
Specify a Filtering Mode when Information is Displayed

When a lot of information is displayed, you can specify a filtering mode in the
prompt "---- More ----".
● /regular-expression: displays the information that begins with the line that
matches regular expression.
● -regular-expression: displays the information that excludes lines that match
regular expression.
● +regular-expression: displays the information that includes lines that match
regular expression.
1.2.3.4 History Commands

The command line interface provides a function similar to DosKey, which can
automatically save historical commands. You can invoke the historical commands
saved on the command line interface at any time and run them again.
By default, the system saves 10 history commands at most for each user. The
operations are as shown in Table 1-5.

Table 1-5 Access the history commands

Action Key or Command Result
Display the display history- Display the history commands entered by

history command users.
commands.
Access the Up cursor key↑ or Display the last history command if there is
last history Ctrl_P an earlier history command. Otherwise,
command. there is a warning sound.
Access the Down cursor key ↓ Display the next history command if there
next history or Ctrl_N is a later history command. Otherwise, the
command. command is cleared and there is a warning
sound.
NOTE
On the HyperTerminal of Windows 9X, cursor key ↑ is invalid as the HyperTerminals of

Windows 9X define the keys differently. In this case, you can replace the cursor key ↑ with
Ctrl_P.
When you use the history commands, note the following:

● The saved history commands are the same as that those entered by users. For
example, if the user enters an incomplete command, the saved command also
is incomplete.
● If the user runs the same command several times, the earliest command is
saved. If the command is entered in different forms, they are considered as
different commands.
For example, if the display ip routing-table command is run several times,
only one history command is saved. If the disp ip routing command and the
display ip routing-table command are run, two history commands are saved.
1.2.4 Shortcut Keys

This section describes the shortcut keys of the CX91x series.
1.2.4.1 System hotkeys
System hotkeys are not defined by users, and their functions are fixed. Table 1-6
describes system hotkeys and their functions.
NOTE
Different terminal software defines hotkeys differently; therefore, the shortcut keys on the
terminal may be different from the hotkeys listed in this section.

Table 1-6 System hotkeys
Hotkeys Function
CTRL_A Moves the cursor to the beginning of the

current line.
CTRL_B Moves the cursor back one character.
CTRL_C Stops performing current functions.
CTRL_D Deletes the character where the cursor is

located.
CTRL_E Moves the cursor to the end of the

current line.
CTRL_F Moves the cursor one character right.
CTRL_H Deletes a character on the left side of the

cursor.
CTRL_K Stops outgoing connections.
CTRL_N Displays the next command in the history

command buffer.
CTRL_P Displays the previous command in the

history command buffer.
CTRL_R Re-displays information about the current

line.
CTRL_U Deletes all the characters on the left side

of the cursor.
CTRL_V Pastes the contents of the clipboard.
CTRL_W Deletes a word on the left side of the

cursor.
CTRL_X Deletes all the characters on the left side

of the cursor.
CTRL_Y Deletes all the characters on the right

side of the cursor.
CTRL_Z Returns to the user view.
CTRL_] Stops incoming connections or redirects

the connections.
ESC_B Moves the cursor one word back.
ESC_D Deletes a word on the right side of the

cursor.
ESC_F Moves the cursor one word forward.
ESC_N Moves the cursor downward a line.

Hotkeys Function
ESC_P Moves the cursor upward a line.
ESC_< Locates the cursor at the beginning of the

text in the clipboard.
ESC_> Locates the cursor at the end of the text

in the clipboard.
1.2.4.2 Using Hotkeys
● You can use hotkeys where a command can be run. When hotkeys are
executed in the system, the command assigned to the hotkeys is displayed the
same as the complete command is entered.
● Using hotkeys is the same as running the command assigned to the hotkeys.
After hotkeys are used, the corresponding commands are recorded in the
command buffer and log for fault location and query.
NOTE
The terminals that you use may affect the functions of hotkeys. For example, the function
of the hotkey that is defined by the terminal used by a user varies with the function of the
hotkey on the CX91x series. In this case, after a user enters hotkeys, the command assigned
to the hotkeys is not run.
1.2.5 Configuration Examples

This section provides several examples for using command lines.
1.2.5.1 Example for Using the Tab Key

You can obtain prompts on keywords or check whether the entered keywords are
correct by pressing Tab.
Procedure
● If only one keyword contains the incomplete keyword.
Do as follows on the CX91x series.
a. Enter an incomplete keyword.
[Base] info-
b. Press Tab.
The system replaces the incomplete keyword with a complete keyword
and displays the complete keyword. There is only one space between the
cursor and the end of the keyword.
[Base] info-center
● If more than one keyword contains the incomplete keyword.
# The keyword info-center can be followed by the following keywords.

[Base] info-center log?

logbuffer logfile
loghost
a. Enter an incomplete keyword.

[Base] info-center l
b. Press Tab.
The system displays the prefix of all the matched keywords. The prefix in
this example is log.
[Base] info-center log
c. Continue to press Tab to display all the keywords. There is no space

between the cursor and the end of the keywords.
[Base] info-center loghost
[Base] info-center logbuffer
Stop pressing Tab when you find the required keyword logbuffer.
d. Enter a space and enter the next keyword channel.
[Base] info-center logbuffer channel
----End
1.3 How to Use Interfaces

This chapter describes the concept of the interface and the basic configuration
about the interface.
1.3.1 Introduction to Interfaces

This section describes the concepts of interfaces. The interfaces are provided by
the CX91x series to receive and send data.
Interfaces are classified into management interfaces and service interfaces based
on their functions; interfaces are classified into physical interfaces and logical
interfaces based on their physical forms.
NOTE
A physical interface is sometimes called a port. Both physical interfaces and logical
interfaces are called interfaces in this document.
Management Interface
Management interfaces are used for managing and configuring the device. That is,
you can log in to the CX91x series through a management interface to configure
and manage the CX91x series. Management interfaces do not transmit services.
The CX91x series provides a console interface and an MEth interface as the
management interface.

Table 1-7 Description of management interfaces

Name Description Usage
Console The console interface The console interface is connected

interface complies with the EIA/ to the COM series interface of the
TIA-232 standard and the configuration terminal. It is used to
interface type is DCE. set up the on-site configuration
environment.
MEth The MEth interface complies The MEth interface can be

interface with the 1000M Serdes connected to the network interface
standard. of the configuration terminal or
network management workstation.
It is used to set up the on-site or
remote configuration environment.
The rules for numbering management interfaces are as follows:
Table 1-8 Management interface numbers

Name Number
Console interface Console 0
MEth interface MEth 0/0/1
NOTE
● You can log in over the management network port Meth 0/0/1 on the onboard GE
switching plane or 10GE switching plane to manage onboard GE switching plane or
10GE switching plane services respectively.
● After the Base plane of one CX91x series is faulty, you can log in to the faulty
management network port Meth 0/0/1 over the Base plane of the other CX91x series.
Physical Interfaces
Physical interfaces exist on the CX91x series.
Physical interfaces include management interfaces and service interfaces.
The CX91x series supports the following physical interfaces:
● Serial Port
● Gigabit Ethernet interface
● 10-Gigabit Ethernet interface
Logical Interfaces
Logical interfaces do not exist and are set up through configurations.
The CX91x series supports the following logical interfaces:

● Eth-Trunk
An Eth-Trunk comprises only Ethernet links.
The Eth-Trunk technology has the following advantages:
– Increased bandwidth: The bandwidth of an Eth-Trunk is the total
bandwidth of all member interfaces.
– Improved reliability: When a link fails, traffic is automatically switched to
other available links. This ensures the reliability of the connection.
For details about the configuration, see section Configuring the Eth-Trunk in
Chapter Configuration Guide-Ethernet in the CX91x Series Switch Modules
V100R001C00 Configuration Guide.
● Loopback interface
A loopback interface is a virtual interface. The TCP/IP protocol suite defines
that the IP addresses with the first byte 127 are loopback addresses. When
the system starts, it automatically creates an interface using the loopback
address 127.0.0.1 to receive all data packets sent to the local host. Some
applications such as mutual access between Virtual Private Networks ,
however, need to be configured with a local interface with a specified IP
address when the configuration of a physical interface is not affected. In this
case, the IP address of the local interface is 32-bit mask, which saves IP
addresses; the IP address can be advertised by routing protocols.
The status of the loopback interface is always Up; therefore, the IP address of
the loopback interface can be used as the router ID, the label switching router
(LSR) ID.
For details, see 1.3.3 Configuring the Loopback Interface.
● Null interface
Null interfaces are similar to null devices supported by certain operating
systems. Any data packets sent to this interface are discarded. Null interfaces
are mainly used for route selection and policy-based routing (PBR). For
example, if no route is matched during route selection, the packet is sent to
the null interface.
● VLANIF interface
When the CX91x series needs to communicate with devices at the network
layer, you can create a logical interface of the Virtual Local Area Network
(VLAN) on the CX91x series, namely, a VLANIF interface. You can assign IP
addresses to VLANIF interfaces because VLANIF interfaces work at the
network layer. The CX91x series then communicates with devices at the
network layer through VLANIF interfaces.
For details about the configuration, see section Configuring the VLANIF
Interface in Chapter Configuration Guide-Ethernet in the CX91x Series
Switch Modules V100R001C00 Configuration Guide.
1.3.2 Setting Basic Parameters of an Interface

This section describes how to set the basic parameters of an interface.
1.3.2.1 Establishing the Configuration Task

Before configuring advanced functions of an interface such as the working mode
and routes, you need to complete the basic configuration of the interface.

Applicable Environment
To facilitate the configuration and maintenance of an interface, the CX91x series
provides interface views. The commands related to the interface are valid only in
the interface views.
The basic interface configurations include entering an interface view, configuring
interface description, enabling an interface, and disabling an interface.
Pre-configuration Tasks
The RTM is properly installed in the paired slot of the CX91x series. Both ejector
levers on the RTM are lowered, and the floating nuts are tightened.
Data Preparation
To set parameters of an interface, you need the following data.
No. Data
1 Type and number of the interface to be configured
2 Description of the interface
1.3.2.2 Entering the Interface View

To configure an interface, you need to enter the interface view.
Procedure
Step 1 Run:
system-view
The system view is displayed.

Step 2 Run:
interface interface-type interface-number
The view of a specified interface is displayed.

interface-type specifies the type of the interface and interface-number specifies
the number of the interface.
----End
1.3.2.3 Viewing All the Commands in the Interface View

After entering the interface view, you can view all the commands in the interface
view.
Procedure
Step 1 Run:
system-view

Step 2 Run:
Step 3 Run:
?
All the commands in the view of the specified interface are displayed.
----End
1.3.2.4 Configuring the Description for an Interface

The description configured for an interface on the CX91x series helps you identify
and memorize the usage of the interface, which facilitates the management.
Procedure
Step 1 Run:
system-view
Step 2 Run:
Step 3 Run:
description description
The description is configured for the interface.
----End
1.3.2.5 Starting and Shutting Down an Interface

When a physical interface is idle and is not connected to a cable, shut down this
interface to protect the interface against interference. To use a shutdown
interface, you need to start the interface.
Context
NOTE
● A null interface is always Up and cannot be shut down by command.

● A loopback interface is always Up and cannot be shut down by command.
Procedure
Step 1 Shutting down the interface

1. Run:
system-view

2. Run:

3. Run:
shutdown
The interface is shut down.

NOTE
By default, an interface is enabled.
Step 2 Starting an interface
1. Run:
system-view

2. Run:

3. Run:
undo shutdown
The interface is started.
----End
1.3.2.6 Further Configuration an Interface

After configuring basic parameters, configure the interface as required.
Context
When you access a network through an interface, you need to further setting
multiple parameters of the interface based on the networking requirements in
addition to performing basic configurations on the interface.
Further configurations of an interface include:
● Configuring the operating mode of an interface

● Configuring routes
For the detailed Configuration, please see section Configuration Guide - Ethernet
CX91x Series Switch Modules V100R001C00 Configuration Guide and
Configuration Guide - IP Routing in the CX91x Series Switch Modules

1.3.2.7 Checking the Configuration

After completing the basic configuration of an interface, you can use the display
commands to check the configuration.
Procedure
Step 1 Run:
display interface [ interface-type [ interface-number ] ]
The running status of the interface and the statistics on the interface are
displayed.
Step 2 Run:
display interface description
The brief information about the interface is displayed.

Step 3 Run:
display ip interface [ interface-type interface-number ]
The main configurations of the interface is displayed.

Step 4 Run:
display ip interface brief [ interface-type interface-number ]
The brief state of the interface is displayed.
----End
1.3.3 Configuring the Loopback Interface

This section describes how to configure the loopback interface.

The users can create or delete a loopback interface. When being created, the
loopback interface remains in the Up state until you delete it.
Some applications such as mutual access between need to be configured with a
local interface with a specified IP address when the configuration of a physical
interface is not affected. In this case, the IP address of the local interface needs to
be advertised by routing protocols. Loopback interfaces are used to improve the
reliability of the configuration.
Before configuring the loopback interface, the CX91x series is properly powered on
and started.
Data Preparation
To configure the loopback interface, you need the following data.

No. Data
1 Number of the loopback
2 IP address of the loopback
1.3.3.2 Configuring IPv4 Parameters of the Loopback Interface

A loopback interface can be assigned an IPv4 address, and configured to check the
source IPv4 addresses of packets.
Procedure
Step 1 Run:
system-view

Step 2 Run:
interface loopback interface-number
A loopback interface is created.

The value of interface-number ranges from 0 to 1023. A maximum of 1024
loopback interfaces can be created.
Step 3 Run:
ip address ip-address { mask | mask-length } [ sub ]
An IPv4 address is assigned to the loopback interface.
----End

After configuring a loopback interface, run the following commands to check the
configuration.
Procedure
Step 1 Run the display interface loopback [ number ] command to check the status of
the loopback interface.
----End
1.3.4 Maintaining the Interface

This section describes how to maintain the interface.
1.3.4.1 Clearing Statistics Information on the Interface

The statistics on the interface cannot be restored after you clear them. So, confirm
the action before you use the command.

Procedure
Step 1 Run:
reset counters interface [ interface-type [ interface-number ] ]
The statistics on the interface to be cleared in the user view.
----End
1.4 Basic Configuration

This chapter describes how to configure the basic system environment and the
basic user environment.
1.4.1 Basic Configuration Introduction

This section describes the meaning and scope of the basic configuration.
Before configuring services, users often need to perform basic configurations for
actual operation and maintenance.
The CX91x series provides configurations of two kinds of basic environments:
● Basic system environment: includes the language mode, host name, system
name, system time, header text, and command level for actual environment.
● Basic user environment: includes password for changing levels and the
terminal lock.
1.4.2 Configuring the Basic System Environment

This section describes how to configure the basic system environment according to
user habits or the requirements of the actual environment.

Before configuring the basic system environment, familiarize yourself with the
applicable environment, complete the pre-configuration tasks, and obtain the
required data. This can help you complete the configuration task quickly and
accurately.
Before configuring the services, you need to configure the basic system
environments to meet the requirements of the actual environments.
By default, the CX91x series supports commands of Level 0 to Level 3, namely, visit
level, monitoring level, configuration level, and management level.
If the user needs to define more levels, or refine management privileges on the
device, the user can extend the range of command line level from the range of
Level 0 to Level 3 to the range of Level 0 to Level 15.

Before configuring basic system environment, complete the following task:
● Powering on the Switch Module
Data Preparation
To configure basic system environment, you need the following data.
No. Data
1 System time
2 Host name
3 Login information
4 Command level
1.4.2.2 Configuring the Equipment Name

You can change the equipment name as required. The new equipment name takes
effect immediately.
Procedure
Step 1 Run:
system-view

Step 2 Run:
sysname host-name
The equipment name is set.

You can change the name of the Switch Module that appears in the command
prompt.
By default, the host name of the Switch Module in onboard GE switching plane is
Base, the host name of the 10GE switching plane is Fabric.
----End
1.4.2.3 Configuring the Header Text

If you need to warn or prompt login users, you can configure the header text that
the system prompts during the login or after the login.
Procedure
Step 1 Run:
system-view


Step 2 Run:
header login { information text | file file-name }
The header text is set during login.

Step 3 Run:
header shell { information text | file file-name }
The header text is set after the login.

Header text is the prompt displayed in the system when users connect to the
Switch Module, log in or start interactive configuration. Configure the header text
to provide detailed instruction.
NOTE
● If a user logs in to the Switch Module by using SSH1.X, the login header is not displayed
during login, but the shell header is displayed after login.
● If a user logs in to the Switch Module by using SSH2.0,both login and shell headers are
displayed.
----End
1.4.2.4 Configuring Command Levels

By default, commands are registered in the sequence of Level 0 to Level 3. If
refined rights management is required, you can divide commands in to 16 levels,
that is, from Level 0 to Level 15.
Context
If the user does not adjust a command level separately, after the command level is
updated, all originally-registered command lines adjust automatically according to
the following rules:
● The commands of Level 0 and Level 1 remain unchanged.
● The command Level 2 is updated to Level 10 and Level 3 is updated to Level
15.
● No command lines exist in Level 2 to Level 9 and Level 11 to Level 14. The
user can adjust the command lines to these levels separately to refine the
management of privilege.
NOTE
The update of command Level 2 to Level 10 and Level 3 to Level 15 is not a two-step
process but one-step by batch.
Procedure
Step 1 Run:
system-view

Step 2 Run:

command-privilege level rearrange
Update the command level in batch.
The system will prompt you to confirm the update. Select N, the operation is
canceled. Select Y, the command levels are updated in batch mode.
Step 3 Run:
command-privilege level level view view-name command-key
The command level is configured. With the command, you can specify the level
and view multiple commands at one time (command-key).
All commands have default command views and levels. You need not reconfigure
them.
----End
1.4.3 Displaying System Status Messages

This section describes the display commands that are used for displaying basic
system configurations.
You can use the display commands to collect information about the system status.
The display commands are classified according to the following functions:
● Displays system configurations.

● Displays the running status of the system.
● Displays the diagnostic information about a system.
● Displays the restart information about the main control board.
See the related sections for display commands for protocols and interfaces. The
following only shows the system display commands.
Run the following commands in any view.
1.4.3.1 Displaying System Configuration

You can view information about the system version, system time, original
configuration, and current configuration.
Procedure
Step 1 Run:
display version
The system version is displayed.
Step 2 Run:
display clock
The system time is displayed.
Step 3 Run:
display saved-configuration
The original configuration is displayed.

Step 4 Run:
display current-configuration
The current configuration is displayed.
----End
1.4.3.2 Collecting System Diagnostic Information

You can view the system diagnosis information.
Procedure
Step 1 Run:
display diagnostic-information [ file-name ]
The system diagnosis information is displayed.
When the system fails or performs the routine maintenance, you need to collect a
lot of information to locate faults. Then, you have to run different display
commands to collect all information. In this case, you can use the display
diagnostic-information command to collect all information about the current
running modules in the system.
The display diagnostic-information command collects all information collected

by running the following commands, including display clock, display version,
display cpu-usage, display interface, display current-configuration, display
saved-configuration, display history-command, and so on.
----End
1.5 User Management

This chapter describes user interfaces and the configuration of users' login.
1.5.1 User Management Introduction

This section describes basic concepts of user interfaces and user management.
1.5.1.1 User Interface

A user interface (UI) enables users to log in to the CX91x series. Through a user
interface, you can configure the parameters on all physical and logical interfaces
that work in asynchronous and interactive modes. In this manner, you can
manage, authenticate, and authorize the login users.
Types of User Interfaces

Table 1-9 describes the types of user interfaces supported by the CX91x series.

Table 1-9 Types of user interfaces
Type Purpose Description
CON Local login through the It is a linear interface conforming to the EIA/
console interface TIA-232 standard. The type of the interface is
DCE. Each device provides a console interface.
Numbering of User Interfaces

You can number a user interface in the following ways:
● Relative numbering
Relative numbering indicates that the interfaces of the same type are
numbered. The relative numbering uniquely specifies a user interface of a
specified type.
The format of the relative numbering is: user interface type + number.
Number of the CON interface is console0.
● Absolute numbering
The CX91x series uniquely specifies the default numbers of 0 for the user
interfaces of CON. You can enter a specific user interface view by entering any
of these numbers.
Figure 1-4 shows the mapping between relative and absolute numbering of a user
interface.
Figure 1-4 Numbering of user interfaces on the CX91x series
In the figure, console0 and 0 indicate the same user interface.
NOTE
On the CX91x series, the absolute number can be 0.
1.5.1.2 User Authentication

When a user logs in to the CX91x series, the CX91x series authenticates the user
according to the configuration to ensure system security.
You can log in to the CX91x series in two modes:

● For the first time, you can log in to the CX91x series through the SYS COM
port.
● Not for the first time, you can also log in to the CX91x series through the SOL.

The login user must be authenticated for the sake of security. The default user
name is root and the password is hwosta2.0. If the authentication succeeds, the
user can log in to the CX91x series to configure and maintain the CX91x series.
1.5.2 Configuring Console User Interface

You can configure the console user interface so as to maintain a Switch Module
on the local device.

Before configuring the console user interface, familiarize yourself with the
accurately.
If you need to maintain a Switch Module on a local device, the console user
interface is required.
Before configuring a console user interface, complete the following tasks:
● Connecting the client (for example a PC) with the Switch Module
Data Preparation
To configure a console user interface, you need the following data.
No. Data
1 Baud rate, flow-control mode, parity, stop bit, and data bit
2 Idle timeout period, screen length, and the size of history command
buffer
3 User priority
4 User authentication method, user name, and password
NOTE
All the default values are stored on the Switch Module and do not need additional
configuration.
1.5.2.2 Setting Console Terminal Attributes

You can configure the idle timeout period, one-screen length of the terminal
screen, and the size of historical command buffer for the console port.

Procedure
Step 1 Run:
system-view

Step 2 Run:
user-interface console interface-number
The user interface view is displayed.

Step 3 Run:
shell
The terminal service is started.

Step 4 Run:
idle-timeout minutes [ seconds ]
The timeout period is set.

By default, idle timeout period on the user interface is 10 minutes.
Step 5 Run:
screen-length screen-length
One-screen length of the terminal screen is set.

By default, the length of a terminal screen is 24 lines.
You can run the screen-length screen-length temporary command to specify the
number of lines temporarily displayed on the terminal screen.
Step 6 Run:
history-command max-size size-value
The buffer of the history command is set.

By default, the size of history command buffer on a user interface is 10 entries.
----End
1.5.2.3 Configuring User Priority

You can set the priority for a user who logs in through the console port.
Procedure
Step 1 Run:
system-view

Step 2 Run:
user-interface console interface-number
The user interface view is displayed.

Step 3 Run:

user privilege level level
The priority of the user is set.
This process is to set the priority for a user who logs in through the console port.
A user can only use the command of the level corresponding to the user level.
For more information about the command priority, see 1.2.1.2 Command Levels.
----End

After configuring the console user interface, you can view the usage information
of the user interface, physical attributes and configurations of the user interface,
local user list, and online users.
Procedure
Step 1 Run the display users [ all ] command to check information about user interface.
Step 2 Run the display user-interface console ui-number1 [ summary ] command to

check physical attributes and configurations of the user interface.
Step 3 Run the display local-user command to check the local user list.
Step 4 Run the display access-user command to check online users.
----End
1.5.3 Managing User Interfaces

You need to configure user management to ensure that the operator manages
Switch Modules safely.

Before configuring user management interfaces, familiarize yourself with the
accurately.
To ensure that the operator manages Switch Modules safely, you need to send
messages between user interfaces and clear designated user.
Before managing the user interface, complete the following tasks:

● Connecting the client (for example a PC) with the Switch Module properly

Data Preparations
To manage the user interface, you need the following data:
No. Data
1 Type and number of the user interface
2 Contents of the message to be sent
1.5.3.2 Sending Messages to Other User Interfaces

You can configure messaging between user interfaces.
Procedure
Step 1 Run:
send { all | ui-type ui-number | ui-number1 }
You can enable message sending between user interfaces.
Step 2 Following the prompt, you can enter the message to be sent. You can press Ctrl_Z
or Enter to end.
----End
1.5.3.3 Clearing Online User

You can clear specified online users.
Procedure
Step 1 Run:
free user-interface { ui-number | ui-type ui-number1 }
Online users are cleared.
Step 2 On receiving the prompts, you can confirm whether the designated online users
have to be cleared.
----End

After configuring user management interfaces, you can view the usage
information of user interfaces.
Prerequisites
The configuration of User Interfaces are complete.

Procedure
Step 1 Run the display users [ all ] command to check the usage information of the user
interface.
----End
1.6 File System Management

This chapter describes the basic knowledge of the file system, including the
methods of managing files, directories, and storage devices.
1.6.1 Overview of the File System

This section describes the concepts of the file system.
Basic Concepts of the File System

A file system allows you to manage files and directories on the storage devices. In
the file system, you can create, delete, modify, and rename a file or a directory,
and view contents of a file.
The file system provides the following functions:

● Managing the files that are stored on the storage devices
● Managing the storage devices
Storage Device
A storage device is a hardware device used to store data.
Different products support different storage devices. Currently, the CX91x series
supports the flash memory.
File
A file stores and manages information.
Directory
A directory collects and organizes files. It is a logical container of files.
1.6.2 Managing a Storage Device

This section describes how to format a storage device.
Before managing a storage device, complete the following tasks:

● Installing the CX91x series and switching it on properly

● Client logging in to the CX91x series
Data Preparation
To manage a storage device, you need the following data.
No. Data
1 Device name
1.6.2.2 (Optional) Formatting a Storage Device
Context
The CX91x series has two independent file systems: flash file system (Flash:/) and
flashVX file system (FlashVX:/). You can use the flashVX file system to store
temporary data. Run cd ? to view the two file systems.
NOTICE
Running the format command will delete all files and directories from the CX91x
series memory, and they cannot be recovered. Run the command with caution.
Procedure
Step 1 Run the following command in the user view:
format device-name
A storage device is formatted. device-name have two values:
● format flashVX: formats the flashVX file storage device.

● format flash: formats the flash file storage device.
----End
1.6.3 Managing the Directory

You can manage directories to logically store files in hierarchy.

Before managing directories, familiarize yourself with the applicable environment,
complete the pre-configuration tasks, and obtain the required data. This can help
you complete the configuration task quickly and accurately.

When you need to transfer files between the client and the server, configure the
directory by using the file system.
Before configuring the management directory, complete the following tasks:
● Powering on the Switch Module.

● Connecting the client with the base of Switch Module correctly.
Data Preparation
To configure a management directory, you need the following data.
No. Data
1 Directory name to be created
2 Directory name to be deleted
1.6.3.2 Viewing the Current Directory

You can view the current directory to know its information.
Procedure
Step 1 Run:
pwd
The current directory is displayed.
----End
1.6.3.3 Switching a Directory

You can switch the current directory to another directory.
Procedure
Step 1 Run:
cd directory
A directory is specified.
Step 2 Run:
pwd
The current directory is displayed.
----End

1.6.3.4 Displaying a Directory or File

You can view a directory or files in the directory.
Procedure
Step 1 Run:
cd directory
A directory is specified and the specified directory is displayed.
Step 2 Run:
dir [ /all ] [ filename | flash: ]
The file and sub-directory list in the directory is displayed.
Either the absolute path or relative path is applicable.
----End
1.6.3.5 Creating a Directory

You can create a directory in the specified directory on a specified storage device.
Procedure
Step 1 Run:
cd directory
The parent directory of the directory to be created is displayed.
Step 2 Run:
mkdir directory
The directory is created.
----End
1.6.3.6 Deleting a Directory

You can delete an unneeded directory.
Procedure
Step 1 Run:
cd directory
The parent directory of the directory to be deleted is displayed.
Step 2 Run:
rmdir directory
The directory is deleted.
----End

1.6.4 Managing Files

You can manage files through view, delete, and rename operation .

Before managing files, familiarize yourself with the applicable environment,
To view, create, delete, or rename files on the Switch Module, you need to
configure files using the file system.
Before configuring the file system, complete the following tasks:

● Connecting the client with the server correctly
Data Preparation
To configure a file system, you need the following data.
No. Data
1 File name to be created
2 File name to be deleted
1.6.4.2 Displaying Contents of Files

You can view the contents of a file, which are displayed in texts.
Procedure
Step 1 Run:
cd directory
The directory of the file is displayed.
Step 2 Run:
more filename
The content of the file is displayed.
----End

1.6.4.3 Copying Files

You can copy files.
Procedure
Step 1 Run:
cd directory

Step 2 Run:
copy source-filename destination-filename
The file is copied.
NOTE
The file to be copied must be larger than 0 bytes. Otherwise, the operation fails.
----End
1.6.4.4 Moving Files

You can move files to a specified directory.
Procedure
Step 1 Run:
cd directory

Step 2 Run:
move source-filename destination-filename
The file is moved.
----End
1.6.4.5 Renaming Files

You can rename files.
Procedure
Step 1 Run:
cd directory

Step 2 Run:
rename source-filename destination-filename
The file is renamed.
----End

1.6.4.6 Compressing Files

You can compress files to reduce the size of the files.
Procedure
Step 1 Run:
zip source-filename destination-filename
The file is compressed.
----End
1.6.4.7 Deleting Files

You can delete unneeded files.
Procedure
Step 1 Run:
cd directory
Step 2 Run:
delete [ /unreserved ] filename
The file is deleted.
----End
1.6.4.8 Deleting Files in the Recycle Bin

You can permanently delete files in the recycle bin.
Procedure
Step 1 Run:
reset recycle-bin [ filename ]
The file is deleted.
----End
1.6.4.9 Undeleting Files

You can recover deleted files.
Procedure
Step 1 Run:
undelete filename
The deleted file is recovered.

NOTE
● If the current directory is not the root directory, you must operate the file by using the
absolute path.
● If you use the parameter [ /unreserved ] in the delete command, the file cannot be
restored after being deleted.
----End
1.6.4.10 Running Files in Batch

You can upload the files and then process the files in batches.
Prerequisites
Uploading the batched files on the client end to the Switch Module.
Procedure
Step 1 Run:
system-view
Step 2 Run:
execute filename
The batched file is executed.
----End
1.6.4.11 Configuring Prompt Modes

The system displays prompts or warning messages when you operate the device. If
you need to change the prompt mode for file operations, you can configure the
prompt mode of the file system.
Prerequisites
Before configuring a file system, complete the following tasks:

● Logging in to the Switch Module from the client end
Context
The data may be lost or damaged during the process, and the prompt is required.
Procedure
Step 1 Run:
system-view

Step 2
NOTICE
If the prompt is in the quiet mode, no prompt appears for data loss due to
maloperation.
Run:
file prompt { alert | quiet }
The prompt mode of the file system is configured.
By default, the prompt mode is alert.
----End
1.7 Management of Configuration Files

This chapter describes current configurations, configuration files, detection of
master/slave configuration consistency, and configuration recovery.
1.7.1 Management of Configuration Files Introduction

The configuration file is the add-in configuration item when restarting the Switch
Module this time or next time.
1.7.1.1 Configuration Files

This part describes basic concepts of configuration files.
The configuration file is the add-in configuration item when restarting the Switch
Module this time or next time.
The configuration file is a text file in the following formats:
● It is saved in the command format.

● To save space, default parameters are not saved. For the default values of the
configuration parameters, see following sections.
● Commands are organized on the basis of the command view. All commands
of the identical command view are grouped into a section. Every two
command sections are separated by one or several blank lines or comment
lines (beginning with "#").
● The sequence of command sections is global configuration, physical interface
configuration, logic interface configuration, routing protocol configuration
and so on.

NOTE
● The system can run the command with the maximum length of 512 characters,
including the command in an incomplete form.
● If the configuration is in the incomplete form, the command is saved in complete form.
Therefore, the command length in the configuration file may exceed 512 characters.
When the system restarts, these commands cannot be restored.
1.7.1.2 Configuration Files and Current Configurations

The part describes basic concepts of configuration files and current configurations.
● Initial configurations: On powering on, the Switch Module retrieves the

configuration files from a default save path to initiate itself. If configuration
files do not exist in the default save path, the Switch Module uses the default
parameters.
● Current configurations: indicates the effective configurations of the currently
running Switch Module.
● Users can modify the current configurations of the Switch Module through
the command line interface. Use the save command to save the current
configuration to the configuration file of the default storage devices, and the
current configuration becomes the initial configuration of the Switch Module
when the Switch Module is powered on next time.
1.7.2 Managing Configuration Files

You can manage configuration files to ensure that the Switch Module starts
normally.

Before managing configuration files, familiarize yourself with the applicable
environment, complete the pre-configuration tasks, and obtain the required data.
This can help you complete the configuration task quickly and accurately.
In one of the following situations, you need to manage configuration files:
● After modifying current configurations, you need to save the modified

contents.
● You need to view the configuration of the Switch Module.
Before managing configuration files, complete the following task:
● Installing the Switch Module and starting it properly
Data Preparation
To manage configuration files, you need the following data.

No. Data
1 CX91x series system software and its file name
2 Configuration file and its name
3 The number of the start line from which the comparison of the
configuration files begins
1.7.2.2 Saving Configuration File

The system can save the configuration files in real-time to prevent data loss when
the Switch Module is powered off or accidentally restarted.
Procedure
Step 1 Run:
save
The current configurations are saved.

Run the save command. Then the vrpcfg.cfg configuration file is generated on the
flash memory and then synchronized to the Management Module. The CX91x
series obtains the configuration file from the Management Module at next startup
and restores the configurations using file.
The configuration file name vrpcfg.cfg cannot be changed. The system startup
configuration file must be saved in the root directory of a storage device.
The user can modify the current configuration through the command line
interface. To set the current configuration as initial configuration when the Switch
Module starts next time, you can use the save command to save the current
configuration in the flash memory.
----End
1.7.2.3 Comparing Configuration Files

You can compare whether the current configurations are identical with the next
startup configuration files.
Procedure
Step 1 Run:
compare configuration [ configuration-file ] [ current-line-number save-line-number ]
The current configuration is compared with the configuration file for next startup.
If no parameter is set, the comparison begins with the first lines of configuration
files. current-line-number and save-line-number are used to continue the
comparison by ignoring the differences between the configuration files.
When comparing differences between the configuration files, the system displays
the contents of the current configuration file and saved configuration file from the

first different line. By default, 150 characters are displayed for each configuration
file. If the number of characters from the first different line to the end is less than
150, the contents after the first different line are all displayed.
In comparing the current configurations with the configuration file for next
startup, if the configuration file for next startup is unavailable or its contents are
null, the system prompts that reading files fails.
----End

After managing configuration files, you can view the current configuration files,
configuration files for the next startup, information about files for device startup,
and files in the storage device.
Prerequisites
The configuration of Managing Configuration Files are complete.
Procedure
Step 1 Run:
display current-configuration
The current configuration files are displayed.
Step 2 Run the display saved-configuration [ last ] command to check the

configuration file that the Switch Module loads the next time when it starts.
display saved-configuration [ last ]
The configuration file that the Switch Module loads the next time when it starts is
displayed.
Step 3 Run:
dir [ /all ] [ filename ]
The information in storage device is displayed.
----End
Example
After the configurations succeed, run the preceding commands, and you can find
the following results:
● The current configuration of the Switch Module is correct without any

redundant configuration.
● The current configuration of the Switch Module is saved in the storage device.
● The CX91x series system software and configuration file that are to be loaded
on the Switch Module next time are correct and they are saved in the root
directory of the storage device.

1.8 FTP and TFTP

This chapter describes the fundamentals, configuration procedures and
configuration examples of FTP and TFTP.
1.8.1 FTP and TFTP Introduction

This section describes the basic concepts of File Transfer Protocol (FTP) and Trivial
File Transfer Protocol (TFTP).
1.8.1.1 FTP
You can transfer files between local and remote hosts through FTP. FTP is
commonly used in version upgrade, log downloading, file transfer, and
configuration saving.
FTP is an application layer protocol in the TCP/IP protocol suite. It implements file
transfer between local and remote hosts based on related file systems. The FTP
protocol is implemented based on corresponding file system.
The Switch Module provides the following FTP services:
● FTP server service. Users can run the FTP client program to log in to the
Switch Module and access the files on the Switch Module.
● FTP client service. Users can establish a connection with the Switch Module by
running a terminal emulation program or a Telnet program on a client (for
example a PC). Enter an FTP command to connect with the remote FTP server
and access the files on the remote host.
NOTE
CX91x series only provides FTP client service.
1.8.1.2 TFTP
TFTP does not have a complex interactive access interface and authentication
control. TFTP is applicable when there is no complex interaction between the
client and server.
The TFTP is a simple file transfer protocol.
Compared with FTP, TFTP does not have a complex interactive access interface and
authentication control. TFTP is applicable in an environment where there is no
complex interaction between the client and the server. For example, TFTP is used
to obtain the memory image of the system when the system starts up.
TFTP is implemented based on the User Datagram Protocol (UDP).
The client initiates the TFTP transfer. To download files, the client sends a read
request packet to the TFTP server, receives packets from the server, and sends
acknowledgement to the server. To upload files, the client sends a write request
packet to the TFTP server, sends packets to the server, and receives
acknowledgement from the server.

TFTP transfers the files in two formats:

● The binary format: transfers program files.
● The ASCII format: transfers text files.
At present, the CX91x series serves only as the TFTP client and transfers files in the
binary format.
1.8.2 Configuring the Switch Module to Be the FTP Client

You can configure a Switch Module to be an FTP client and then log in to the FTP
server.

Before configuring a Switch Module to be an FTP client, familiarize yourself with
the applicable environment, complete the pre-configuration tasks, and obtain the
accurately.
When a Switch Module serves as an FTP client, you can log in to the FTP server
through the Switch Module and then transmit files or manage server directory.
Before configuring the Switch Module as an FTP client, complete the following
tasks:
● The communication between Switch Module and server is normal
Data Preparation
To configure the Switch Module as an FTP client, you need the following data.
No. Data
1 Host name or IP address of the FTP server
2 Port number of connecting FTP
3 Local file name and file name on the remote FTP server
4 Working directory name of the remote FTP server, local working

directory of the FTP client, or directory name of the remote FTP server
5 Login username and password
1.8.2.2 Logging In to the FTP Server

You can log in to the FTP server in the user view or the FTP view.

Procedure
Step 1 Run the following commands according to different views.
● In the user view, establish a connection to the FTP server.
Run:
a. ftp host [ port-number ]
The Switch Module is connected to the FTP server.

● In the FTP view, establish a connection to the FTP server.
a. Run:
ftp
The FTP view is displayed.

b. Run:
open host [ port-number ]
----End
1.8.2.3 Configuring the Data Type and Transmission Mode for a File
You can configure the data type and transmission mode for a file.
Procedure
Run:

a. Run:
ftp

b. Run:

Step 2 Run:
ascii
or
binary
The data type for the file to be transmitted is set to ASCII code or binary.
FTP supports the ASCII type and the binary type. Their differences are as follows:
● In ASCII transmission mode, ASCII characters are used to separate carriage
returned from line feeds.

● In binary transmission mode, characters can be transferred without format

conversion or formatting.
The selection of the FTP transmission mode is client-customized. The system

defaults to the ASCII transmission mode. The client can use a mode switch
command to switch between the ASCII mode and the binary mode. The ASCII
mode is used to transmit text files and the binary mode is used to transmit binary
files.
Step 3 Configure the file transfer mode

● Run:
passive
The passive file transfer mode is configured.

● Run:
undo passive
The active file transfer mode is configured.
----End
1.8.2.4 Viewing Online Help of the FTP Command

This section describes how to view the online help of the FTP command.
Procedure
Run:

a. Run:
ftp

b. Run:
Step 2 Run:
remotehelp command
The online help of the FTP command is displayed.
----End
1.8.2.5 Uploading or Downloading Files

You can upload local files to a remote FTP server, download files of the FTP server,
and save the files on the local device.

Procedure
Run:

a. Run:
ftp

b. Run:
Step 2 Upload or download files.

● Run:
put local-filename [ remote-filename ]
The local file is uploaded to the remote FTP server.

● Run:
get remote-filename [ local-filename ]
The file is downloaded from the FTP server and saved to the local device.
----End
1.8.2.6 Managing Directories

You can perform management operations, such as creating and deleting
directories, on the FTP server.
Procedure
Run:

a. Run:
ftp

b. Run:

Step 2 Run one or more commands in the following order to manage directories.
● Run:
cd pathname
The working path of the remote FTP server is specified.

● Run:
cdup
The working path of the FTP server is switched to the upper-level directory.
● Run:
pwd
The specified directory of the FTP server is displayed.

● Run:
lcd [ local-directory ]
The directory of the FTP client is displayed or changed.

● Run:
mkdir remote-directory
A directory is created on the FTP server.

● Run:
rmdir remote-directory
A directory is removed from the FTP server.

NOTE
– The directory to be created can comprise letters and digits, but not special
characters such as <, >, ?, \ and :.
– When running the mkdir /abc command, you create a sub-directory named "abc"
in the root directory.
----End
1.8.2.7 Managing Files

You can view a specified directory or file on the remote FTP server or delete a
specified file from the FTP server.
Procedure
Run:

a. Run:
ftp

b. Run:

Step 2 Run one or more commands in the following to manage directories.

● Run:
ls [ remote-filename ] [ local-filename ]
The specified directory or file on the remote FTP server is displayed.

If the directory name is not specified when a specific remote file is selected,
the system searches the working directory for the specific file.
● Run:
dir [ remote-filename ] [ local-filename ]
The specified directory or file on the local FTP server is displayed.

● Run:
delete remote-filename
The specified file on the FTP server is deleted.

When local-filename is set, related information about the file can be downloaded
locally.
----End
1.8.2.8 Changing the Login User

You can change the current login user and then re-log in to the FTP server.
Procedure
Run:

a. Run:
ftp

b. Run:
Step 2 Run:
user user-name [ password ]
The current login user is changed and the specified user logs in again.

After the current login user is changed, the specified user logs in, and the original
user connection is broken.
----End
1.8.2.9 Disconnecting from the FTP Server

You can disconnect yourself with the FTP server and return to the user view or the
FTP view.
Procedure
Run:

a. Run:
ftp
b. Run:
Step 2 Run the following commands according to different configurations.
● Run:
bye
Or,
quit
The client Switch Module is disconnected from the FTP server.
Return to the user view.
● Run:
close
Or,
disconnect
The client Switch Module is disconnected from the FTP server.
Return to the FTP view.
NOTE
The configurations can be performed only in the FTP client view.
----End
1.8.3 Configuring the Switch Module to Be the TFTP Client

You can configure a Switch Module to be an TFTP client and then log in to the
TFTP server.


Before configuring TFTP, familiarize yourself with the applicable environment,
You can transfer files through TFTP between the server and the client in a simple
interaction environment.
Before configuring TFTP, complete the following tasks:
● Connecting the TFTP client with the server
Data Preparation
To configure TFTP, you need the following data.
No. Data
1 IP address of the TFTP server
2 Name of the specific file in the TFTP server
3 File directory
1.8.3.2 Downloading Files Through TFTP

You can download files from the TFTP server to the TFTP client.
Procedure
Step 1 The IP address of the server is IPv4 address, run:
tftp tftp-server get source-filename [ destination-filename ]
The Switch Module is configured to download files through TFTP.
----End
1.8.3.3 Uploading Files Through TFTP

You can upload files from the TFTP client to the TFTP server.
Procedure
Step 1 The IP address of the server is IPv4 address, run:
tftp tftp-server put source-filename [ destination-filename ]

The Switch Module is configured to upload files through TFTP.
----End
1.8.4 Limiting the Access to the TFTP Server

Configure the client not to log in to the Switch Module over TFTP, and specify the
TFTP servers that the CX91x series can log in to over TFTP.

Before configuring a limit to access TFTP servers, familiarize yourself with the
accurately.
When the Switch Module serves as the TFTP client, you can configure the ACL on
the Switch Module. After the configuration, you can control the TFTP server to
which the device can log in through TFTP.
Before configuring a limit to access the TFTP server, complete the following tasks:

● Connecting the TFTP client to the server
Data Preparation
To configure a limit to access to the TFTP server, you need the following data.
No. Data
1 IP address of the TFTP server
2 ACL number
1.8.4.2 Configuring the Basic ACL

You can configure ACL rules.
Context
NOTE
TFTP supports only the basic ACL.

Procedure
Step 1 Run:
system-view
Step 2 Run:
acl acl-number
The ACL view is displayed.
Step 3 Run:
rule [ rule-id ] { deny | permit } [ fragment | logging | source { source-address source-wildcard | any } |
time-range time-name ] *
The ACL rule is configured.
----End
1.8.4.3 Configuring the Basic TFTP ACL

You can configure the basic TFTP ACL.
Procedure
Step 1 Run:
system-view
Step 2 TFTP server is IPv4 addresses, run:

tftp-server acl acl-number
You can use the ACL to limit the access to the TFTP server.
----End

This section provides several configuration examples for FTP and TFTP together
with the configuration network diagram. The configuration examples explain
networking requirements, configuration notes, and configuration roadmap.
1.8.5.1 Example for Configuring the FTP Client

In this example, a Switch Module is configured to be an FTP client. Then, the
Switch Module logs in to the FTP server and downloads system software and
configuration software.
Networking Requirements
As shown in Figure 1-5, the remote server at 10.1.1.2 serves as the FTP server. The
Switch and the FTP server are directly connected and on the same network
segment. The Switch has a reachable route to the FTP server.

The Switch acts as the FTP client. Interfaces ranging from GigabitEthernet0/0/1 to
GigabitEthernet0/0/4 can be used to set up FTP connections and they share the IP
address 10.1.1.1.
The Switch downloads files from the FTP server.
Figure 1-5 Networking diagram of the Switch functioning as the FTP client
Configuration Roadmap
The configuration roadmap is as follows:
1. Log in to the FTP server from the FTP client.
2. Download files from the server to the storage device of the client.
Data Preparation
To complete the configuration, you need the following data:
● IP address of the FTP server
● Name of the destination file and position where the destination files are
located on the Switch
● Name of the FTP user set as u1 and the password set as ftppwd on the client
Procedure
Step 1 Enable FTP on the remote FTP server. Add an FTP user named u1 and set the
password to ftppwd.
Step 2 Create VLAN 10 on the Switch , add GigabitEthernet0/0/1 to GigabitEthernet0/0/4
to VLAN, and assign the IP address 10.1.1.1 to VLANIF10.
<Base> system-view
[Base] vlan 10
[Base-vlan10] quit
[Base-GigabitEthernet0/0/1] port hybrid pvid vlan 10
[Base-GigabitEthernet0/0/1] port hybrid untagged vlan 10
[Base-GigabitEthernet0/0/1] quit

[Base] interface vlanif 10
[Base-Vlanif10] ip address 10.1.1.3 24
Step 3 On the Switch, initiate a connection to the FTP server with the user name ul and
the password ftppwd.
<Base> ftp 10.1.1.2
Trying 10.1.1.2 ...
Press CTRL+K to abort
Connected to 10.1.1.2.
220 FTP service ready.
User(10.1.1.2:(none)):u1
331 Password required for u1.
Enter password:
230 User logged in.
[ftp]
Step 4 On the Switch, set the mode of transferring files to binary and the flash directory.
[ftp] binary
200 Type is Image (Binary)
[ftp] lcd flash:/
The current local directory is flash:.
Step 5 Download the vrpcfg.cfg file from the remote FTP server on the Switch.
[ftp] get vrpcfg.cfg vrpcfg.cfg
200 Port command okay.
150 Opening BINARY mode data connection for vrpcfg.cfg.
226 Transfer complete.

FTP: 9124 byte(s) received in 3.100 second(s) 2.94Kbyte(s)/sec.
[ftp] quit
<Base>
----End
Configuration Files
#
sysname Base
#
vlan batch 10
#
interface Vlanif10
ip address 10.1.1.3 255.255.255.0
#
interface GigabitEthernet0/0/1
port hybrid pvid vlan 10
port hybrid untagged vlan 10
#
#
#
#
return

1.8.5.2 Example for Configuring the TFTP Client

In this example, the TFTP application is run on the TFTP server and the location of
the source file on the server is set. After that, you can upload and download files.
As shown in Figure 1-6, the Switch cannot function as the TFTP server. The
remote server at 10.1.1.2 functions as the TFTP server.
The Switch acts as a TFTP client. VLAN 10 is created on the Switch, and
GigabitEthernet0/0/1 is added to VLAN 10. The IP address 10.1.1.1/24 is assigned
to VLANIF 10.
The Switch downloads files from the TFTP server.
Figure 1-6 Networking diagram for configuring TFTP
1. Run the TFTP software on the TFTP server and set the position where the
source file is located on the Switch.
2. Download files through TFTP commands on the Switch.
Data Preparation
● TFTP software installed on the TFTP server
● Path of the source file on the TFTP server
● Name of the destination file and position where the destination file is located
on the Switch
Procedure
Step 1 Enable TFTP on the remote server to ensure that the TFTP application software is
started.
Step 2 Create VLAN 10 on the Switch , add GigabitEthernet0/0/1 to VLAN 10, and assign
the IP address 10.1.1.1/24 to VLANIF 10.
<Base> system-view
[Base] vlan 10
[Base-vlan10] quit


Step 3 On the Switch, initiate a connection to the TFTP server and download the 8031.cc
file.
<Base> tftp 10.1.1.2 get 8031.cc 8031new.cc
Info: Transfer file in binary mode.
Downloading the file from the remote tftp server, please wait...
----End
Configuration Files
#
sysname Base
#
vlan batch 10
#
interface Vlanif10
ip address 10.1.1.1 255.255.255.0
#
#
Return
1.9 Telnet and SSH

Telnet or SSH enables a terminal to remotely log in and access to a server.
1.9.1 Telnet and SSH Introduction

This section describes basic concepts of user login, Telnet, and SSH.
1.9.1.1 Overview of User Login

You can locally or remotely log in to a Switch Module through the SYS COM port,
or SOL.
To configure, monitor, and maintain the local or remote CX91x series, you need to
configure the user interface, the user management, and the terminal service.
The user interface provides a login plane. The user management guarantees the
login security and the terminal service provides related processes of login protocol.
The CX91x series supports through the SYS COM port and SOL login methods.
● Login through the SYS COM port
● Local or remote login through Telnet or SSH
NOTE
The Telnet protocol is not secure. Data is not encrypted during transmission over Telnet.
Therefore, transmitted data may be restored after IP packets are captured without
authorization. It is recommended that files be transmitted over SSH.

1.9.1.2 Telnet Terminal Services

Telnet services including Telnet server and Telnet client.
Telnet Services
Telnet is an application layer protocol in the TCP/IP protocol suite. It provides
remote login and a virtual terminal service through the network.
Telnet provides the following services:
● Telnet server: You can run the Telnet client program on a client (for example a
PC) to log in to the Switch Module, configure and manage it. The Switch
Module acts as a Telnet server.
● Telnet client: You can run the terminal emulation program or the Telnet client
program on a client (for example a PC) to connect with the Switch Module.
With the telnet command, you can log in to other Switch Modules to
configure and manage them. As shown in Figure 1-7, Switch A serves as both
the Telnet server and the Telnet client.
NOTE
CX91x series only provides Telnet client service.
Figure 1-7 Telnet client services
1.9.1.3 SSH Terminal Services

The CX91x series supports the basic SSH protocol, client function, SFTP protocol,
STelnet protocol.
Introduction to SSH
SSH works at the application layer in the TCP/IP protocol suite. SSH provides
remote login and virtual terminal on the network where security is guaranteed.
Based on TCP connections, SSH guarantees security and provides authentication
for transmitted information, preventing the following attacks shown in Figure 1-8:
● IP spoofing
● Interception of the password in plain text
● Denial of Service (DoS)

In the figure, Switch is an CX91x series.
Figure 1-8 Establishing a local SSH connection between the client (for example a
PC) and the CX91x series
SSH adopts the client/server model and sets up multiple secure transmission
channels. The Switch, as the SSH server, can be connected to multiple PCs that
function as SSH clients. A Layer 2 switch may exist between the client (for
example a PC) and the SSH server. In the actual networking, a route is required to
be reachable between the client (for example a PC) and the Switch.
Advantages of SSH
The applications of SSH include STelnet and SFTP.
Different from Telnet and FTP terminal services, SSH provides secure remote
access on the network without security guaranteed. The advantages of SSH are
described as follows:
● STelnet client functions
There is a potential risk on security for login through Telnet because there is
no authentication and the data transmitted through TCP is in plain text. The
insecure access results in malicious attacks including DoS attacks, IP spoofing
attacks, and route spoofing attacks.
SSH provides secure remote access on an insecure network by supporting the
following functions:
– Supporting Revest-Shamir-Adleman Algorithm (RSA) authentication
– Supporting Data Encryption Standard (DES) and Triple DES (3DES)
– Supporting the encrypted transfer of the user name or password
– Supporting the encrypted transfer of interactive data
SSH adopts RSA. After the public key and the private key are generated
according to the encryption principle of the asymmetric encryption system,
the following information is transmitted with security between the SSH client
and the SSH server:
– Key
– User name or password
– Interactive data
● SFTP client functions
SFTP provides the following types of applications:

– By using SFTP, you can securely log in to the CX91x series to manage files
from the remote device. In this manner, the security of data transmission
is improved when files need to be transferred during the upgrade of the
remote system.
– The CX91x series can function as the client to log in to the remote device
through FTP to transfer files with security.
Setting Up an SSH Connection

The procedure for setting up an SSH connection is as follows:
1. Negotiating the SSH version
2. Negotiating the key
3. Authenticating the user identity
4. Initiating a session request
5. Performing the interactive session
1.9.2 Configuring the STelnet Client Function

This section describes how to configure the STelnet client. A secure connection can
be set up between the client and server through negotiation, and the client can
log in to the server in the same manner as using Telnet services.

Before configuring an STelnet client, familiarize yourself with the applicable
STelnet is a secure Telnet protocol. The SSH user can use the STelnet service in the
same manner as using the Telnet service.
Before connecting the STelnet client to the SSH server, complete the following
tasks:
● Generating the local RSA key pair on the SSH server
● Configuring the STelnet user on the SSH server
● Enabling the STelnet service on the SSH server
Data Preparation
To connect the STelnet client to the SSH server, you need the following data:
No. Data
1 Name of the SSH server

No. Data
2 Number of the port monitored by the SSH server
3 Preferred encrypted algorithm from the STelnet client to the SSH server
4 Preferred encrypted algorithm from the SSH server to the STelnet client
5 Preferred keyed-Hash Message Authentication Code (HMAC) algorithm

from the STelnet client to the SSH server
6 Preferred HMAC algorithm from the SSH server to the STelnet client
7 Preferred algorithm of key exchange
8 Name of the outgoing interface
9 Source address
1.9.2.2 Enabling the First-Time Authentication on the SSH Client

After the first-time authentication on the SSH client is enabled, the STelnet client
does not check the validity of the RSA public key when logging in to the SSH
server for the first time.
Context
If the first-time authentication on the SSH client is enabled, the STelnet client does
not check the validity of the RSA public key when logging in to the SSH server for
the first time. After the login, the system automatically allocates the RSA public
key and saves it for authentication in next login.
To simplify user operations, you are recommended to enable the first-time
authentication on the SSH client.
Do as follows on the Switch Module that serves as an SSH client.
Procedure
Step 1 Run:
system-view

Step 2 Run:
ssh client first-time enable
The first-time authentication on the SSH client is enabled.

By default, the first-time authentication on the SSH client is disabled.

NOTE
● The purpose of enabling the first-time authentication on the SSH client is to skip
checking the validity of the RSA public key of the SSH server when the STelnet client
logs in to the SSH server for the first time. The check is skipped because the STelnet
server has not saved the RSA public key of the SSH server.
● If the first-time authentication is not enabled on the SSH client, when the STelnet client
logs in to the SSH server for the first time, the STelnet client fails to pass the check on
the RSA public key validity and cannot log in to the server.
NOTE
To ensure that the STelnet client can log in to the SSH server at the first attempt, you can
assign the RSA public key in advance to the SSH server on the SSH client in addition to
enabling the first-time authentication on the SSH client.
----End
1.9.2.3 (Optional) Assigning an RSA Public Key to the SSH Server

You can assign an RSA public key to the SSH server.
Context
If the first-time authentication on the SSH client is disabled, you need to allocate
an RSA public key to the SSH server before the STelnet client logs in to the SSH
server.
Procedure
Step 1 Run:
system-view

Step 2 Run:
rsa peer-public-key key-name
The public key view is displayed.

Step 3 Run:
public-key-code begin
The public key editing view is displayed.

Step 4 Run:
hex-data
The public key is edited.

The public key must be a string of hexadecimal alphanumeric characters. It is
automatically generated by an SSH client. You can run the display rsa local-key-
pair public command to view a generated public key.
Step 5 Run:
public-key-code end
Quit the public key editing view.

If the specified hex-data is invalid, the public key cannot be generated after the
peer-public-key end command is run; If the specified key-name in Step 2 is
deleted in other views, the system prompts that the key does not exist after the
peer-public-key end command is run and the system view is displayed.
Step 6 Run:
peer-public-key end
Return to the system view from the public key view.
Step 7 Run:
ssh client servername assign rsa-key keyname
The RSA public key is assigned to the SSH server.
NOTE
● Before being assigned to the SSH server, the assigned peer RSA public key must be
obtained from the SSH server and must be configured on the SSH client. Then, the
STelnet client client can successfully undergo the validity check on the RSA public key of
the SSH server.
● If the RSA public key stored on the SSH client becomes invalid, run the undo ssh client
servername assign rsa-key command to cancel the association between the SSH client
and the SSH server. Then, run the ssh client servername assign rsa-key keyname
command to allocate a new RSA public key to the SSH server.
----End
1.9.2.4 Enabling the STelnet Client

You can log in to the SSH server from the SSH client through STelnet.
Context
NOTE
When accessing an SSH server, the STelnet client can carry the source address and choose
the key exchange algorithm, encryption algorithm, or HMAC algorithm.
Procedure
Step 1 Run:
system-view
Step 2 SSH server is IPv4 addresses, run the following command.

stelnet host-ipv4 [ port ] [ [ prefer_kex { dh_group1 | dh_exchange_group } ] | [ prefer_ctos_cipher
{ des | 3des | aes128 } ] | [ prefer_stoc_cipher { des | 3des | aes128 } ] | [ prefer_ctos_hmac { sha1 |
sha1_96 | md5 | md5_96 } ] | [ prefer_stoc_hmac { sha1 | sha1_96 | md5 | md5_96 } ] ] * [ -ki
aliveinterval [ -kc alivecountmax ] ]
You can log in to the SSH server through STelnet.
----End


After configuring the STelnet client, you can view the global configuration of the
SSH server.
Prerequisites
The configuration of the STelnet Client Function are complete.
Procedure
Step 1 Run:
display ssh server-info
The mapping between the RSA public key and the SSH server on the SSH client is
displayed.
Step 2 Run:
display ssh server session
The session of the SSH client on the SSH server is displayed.
----End
Example
When running the display ssh server session command, you can view that the
client logs in from VTY3, with Stelent service by password authentication.
<Base> display ssh server session
Session 1:
Conn : VTY 3
Version : 2.0
State : started
Username : client001
Retry :1
CTOS Cipher : aes128-cbc
STOC Cipher : aes128-cbc
CTOS Hmac : hmac-sha1-96
STOC Hmac : hmac-sha1-96
Kex : diffie-hellman-group1-sha1
Service Type : stelnet
Authentication Type : password
1.9.3 Configuring the SFTP Client Function

This section describes how to configure the SFTP client. You can configure the
authentication and bidirectional data encryption of the SFTP client, which ensures
secure file transmission on the network.

Before configuring the SFTP client, familiarize yourself with the applicable

SFTP enables users to log in to the device from a secure remote end to manage
files. This improves the security of data transmission for the remote end to update
its system. The SFTP client function also enables you to log in to the remote
device through SFTP for the secure file transmission.
Before connecting the SFTP client to the SSH server, complete the following tasks:
● Creating a local RSA key pair on an SSH server

● Configuring an SFTP client on the SSH server
● Enabling the SFTP service on the SSH server
Data Preparation
To connect an SFTP client to an SSH server, you need the following data.
No. Data
1 Name of the SSH server
2 Number of the port monitored by the SSH server
3 Preferred encrypted algorithm from the SFTP client to the SSH server
4 Preferred encrypted algorithm from the SFTP server to the SSH client
5 Preferred HMAC algorithm from the SFTP client to the SSH server
6 Preferred HMAC algorithm from the SFTP server to the SSH client
7 Preferred algorithm of key exchange
8 Name of the outgoing interface
9 Directory name
10 File name
1.9.3.2 Configuring the First-Time Authentication on the SSH Client

After the first-time authentication on the SSH client is enabled, the STelnet client
does not check the validity of the RSA public key when logging in to the SSH
server for the first time.
Context
If the first-time authentication on the SSH client is enabled, the STelnet client does
not check the validity of the RSA public key when logging in to the SSH server for
the first time. After the login, the system automatically allocates the RSA public
key and saves it for authentication in next login.

To simplify user operations, you are recommended to enable the first-time

authentication on the SSH client.
Procedure
Step 1 Run:
system-view

Step 2 Run:
ssh client first-time enable
Enable the SSH client with the first authentication.

By default, first-time authentication is disabled on SSH clients.
NOTE
● The purpose of enabling the first-time authentication on the SSH client is to skip
checking the validity of the RSA public key of the SSH server when the SFTP client logs
in to the SSH server for the first time. The check is skipped because the SFTP server has
not saved the RSA public key of the SSH server.
● If the first-time authentication is not enabled on the SSH client, when the SFTP client
logs in to the SSH server for the first time, the SFTP client fails to pass the check on the
RSA public key validity and cannot log in to the server.
NOTE
Except for enabling the first-time authentication on the SSH client, the SFTP client can
assign the RSA public key in advance to the SSH server on the SSH client to log in to the
server successfully for the first time.
----End
1.9.3.3 (Optional) Assigning an RSA Public Key to the SSH Server

You can assign an RSA public key on the SSH client to the SSH server.
Context
If the first-time authentication on the SSH client is disabled, you need to assign an
RSA public key to the SSH server before the STelnet client logs in to the SSH
server.
Procedure
Step 1 Run:
system-view

Step 2 Run:
rsa peer-public-key key-name
The public key view is displayed.

Step 3 Run:

public-key-code begin
The public key editing view is displayed.
Step 4 Run:
hex-data
The public key is edited.
The public key must be a string of hexadecimal alphanumeric characters. It is

automatically generated by an SSH client. You can run the display rsa local-key-
pair public command to view a generated public key.
Step 5 Run:
public-key-code end
Quit the public key editing view.
If the specified hex-data is invalid, the public key cannot be generated after the
peer-public-key end command is run; If the specified key-name in Step 2 is
deleted in other views, the system prompts that the key does not exist after the
peer-public-key end command is run and the system view is displayed.
Step 6 Run:
peer-public-key end
Return to the system view from the public key view.
Step 7 Run:
ssh client servername assign rsa-key keyname
Assign a public key to the SSH server.
NOTE
● Before being assigned to the SSH server, the assigned peer RSA public key must be
obtained from the SSH server and must be configured on the SSH client. Then, the SFTP
client can successfully undergo the validity check on the RSA public key of the SSH
server.
● If the RSA public key stored on the SSH client becomes invalid, run the undo ssh client
servername assign rsa-key command to cancel the association between the SSH client
and the SSH server. Then, run the ssh client servername assign rsa-key keyname
command to allocate a new RSA public key to the SSH server.
----End
1.9.3.4 Enabling the SFTP Client

You can log in to the SSH server from the SSH client through SFTP.
Context
NOTE
The command of enabling the SFTP client is similar to that of the STelnet. When accessing
the SSH server, the SFTP can carry the source address and the name of the VPN instance
and choose the key exchange algorithm, encrypted algorithm and HMAC algorithm, and
configure the keepalive function.

Procedure
Step 1 Run:
system-view

sftp [ -a source-address | -i interface-type interface-number ] host-ipv4 [ port ] [ [ prefer_kex
{ dh_group1 | dh_exchange_group } ] | [ prefer_ctos_cipher { des | 3des | aes128 } ] |
[ prefer_stoc_cipher { des | 3des | aes128 } ] | [ prefer_ctos_hmac { sha1 | sha1_96 | md5 | md5_96 } ] |
[ prefer_stoc_hmac { sha1 | sha1_96 | md5 | md5_96 } ] ] * [ -ki aliveinterval [ -kc alivecountmax ] ]
You can log in to the SSH server through SFTP.
----End
1.9.3.5 (Optional) Managing the Directory

On the SFTP client, you can log in to the SSH server to create or delete directories
on the SSH server.
Context
NOTE
After the SFTP client logs in to the SSH server, the SFTP client can create or delete the
directory on the SSH server, display the current operating directory and information about a
specified directory and its files.
Procedure
Step 1 Run:
system-view

Step 3 Perform the following as required:

● Run:
cd [ remote-directory ]
The current operating directory of users is changed.
● Run:
cdup
The operating directory of users is switched to the upper-level directory.
● Run:
pwd
The current operating directory of users is displayed.

● Run:
dir / ls [ remote-directory ]
The file list in the specified directory is displayed.

● Run:
rmdir remote-directory & <1-10>
● The directory on the server is deleted.

● Run:
mkdir remote-directory
A directory is created on the server.
----End
1.9.3.6 (Optional) Managing the File

On the SFTP client, you can view specified remote directories or files on the SFTP
server or delete specified files on the SFTP server.
Context
NOTE
After the SFTP client logs in to the SSH server, SFTP client can change file names, delete
files, display the file list, upload and download files on the SFTP server.
Procedure
Step 1 Run:
system-view

Step 3 Run the command.

● Run:
rename old-name new-name
The name of the specified file on the server is changed.

● Run:
get remote-filename [local-filename]
The file on the remote server is downloaded.

● Run:
put local-filename [remote-filename]
The local file is uploaded to the remote server.

● Run:
remove remote-filename

The file on the server is removed.
----End
1.9.3.7 (Optional) Displaying the SFTP Client Command Help

You can view the SFTP client command help.
Procedure
Step 1 Run:
system-view

Step 3 Run:
help [all | command-name ]
The SFTP client command help is displayed.
----End

After configuring the SFTP client, you can view the global configuration of the
SSH server.
Prerequisites
The configuration of the SFTP Client Function are complete.
Procedure
Step 1 Run:
display ssh server-info
The mapping between the SSH server and the RSA public key on the SSH client is
displayed.
Step 2 Run:
display ssh server session
The session of the SSH client on the SSH server is displayed.
----End

Example
Run the display ssh server session command, and you can view that the client
logs in from the VTY4 through the sftp service in rsa authentication mode.
[Base] display ssh server session
Session 2:
Conn : VTY 4
Version : 2.0
State : started
Username : client002
Retry :1
CTOS Cipher : aes128-cbc
STOC Cipher : aes128-cbc
CTOS Hmac : hmac-sha1-96
STOC Hmac : hmac-sha1-96
Kex : diffie-hellman-group1-sha1
Service Type : sftp
Authentication Type : rsa

Configuration Guide 2 Configuration Guide-Ethernet
2 Configuration Guide-Ethernet
This topic describes the configuration methods and scenarios for Ethernet services
of a device. The configurations of Ethernet ports, link aggregation, virtual local
area networks (VLANs), Media Access Control (MAC) lists, Address Resolution
Protocol (ARP), and Multiple Spanning Tree Protocol (MSTP), are described by
using examples.
2.1 Ethernet Interface Configuration

This chapter describes the basic knowledge, methods, and examples for
configuring the Ethernet interface.
2.2 Link Aggregation Configuration
This chapter describes the concepts, configuration procedures, and configuration
examples of link aggregation.
2.3 VLAN Configuration
configuring VLAN.
2.4 MAC Address Table Configuration
configuring the MAC address table.
2.5 ARP Configuration
This chapter describes the principle of the Address Resolution Protocol (ARP), and
provides configuration procedures and examples of ARP.
2.6 MSTP Configuration
configuring the Spanning Tree Protocol (STP), Rapid Spanning Tree Protocol
(RSTP), and Multiple Spanning Tree Protocol (MSTP).
2.1 Ethernet Interface Configuration

configuring the Ethernet interface.

2.1.1 Introduction to Ethernet Interfaces

This section describes the Ethernet interfaces.
The Ethernet is flexible, simple, and easy to implement and thus it becomes an
important local area network (LAN) networking technology.
Ethernet interfaces are classified into Ethernet electrical interfaces and Ethernet
optical interfaces.
Table 2-1 describes the attributes of Ethernet electrical interfaces and Ethernet
optical interfaces.
Table 2-1 Attributes of Ethernet interfaces

Interface Rate Auto-negotiation Non-negotiation
Type (Mbit/s)
Full Half Full Half
Duplex Duplex Duplex Duplex
Ethernet 10 Yes Yes Yes Yes

electrical
interface 100 Yes Yes Yes Yes
1000 Yes No Yes No
Ethernet 100 No No Yes No

optical
interface 1000 Yes No Yes No
10000 No No Yes No
If the local interface works in auto-negotiation mode, the peer interface must also
work in auto-negotiation mode; otherwise, the link is operating abnormally.
2.1.2 Ethernet Interface Features Supported by the CX91x

series
This section describes the Ethernet interface features supported by the CX91x
series.
Interface Group
The interface group function of the CX91x series enables you to configure multiple
interfaces at the same time. In the interface group view, you can run commands
to configure all the interfaces in the group.
Auto-Negotiation
During auto-negotiation, the devices on two ends of a physical link can choose the
same operation parameters by exchanging information. The main parameters to
be negotiated are mode (half-duplex or full-duplex), rate, and flow control. After
the negotiation is successful, the devices on two ends operate in the agreed mode
and rate.

Port Isolation
Ports enabled with port isolation cannot communicate with each other, and thus
ports on the same VLAN can be isolated. Port isolation provides secure and
flexible networking schemes for customers.
2.1.3 Configuring Basic Attributes of the Ethernet Interface

This section describes how to configure the description, cable type, duplex mode,
rate, and auto-negotiation an Ethernet interface, and switch between the optical
and electrical interfaces.
The configuration task is applicable to the following situations:
● You can configure the description of interfaces to facilitate the identification,

maintenance, and configuration of the interfaces.
● By default, an GE electrical interface automatically identifies the network
cable type.
● By default, an GE electrical interface negotiates the duplex mode and rate
with the equipment that is directly connected to the interface. If the
connected equipment does not have the auto-negotiation capability, set the
duplex mode and rate for the GE interface manually so that the interface can
work with the connected equipment.
None
Data Preparation
To configure the basic functions of Ethernet interfaces, you need the following
data.
No. Data
1 Number of an Ethernet interface
2 (Optional) Description of an interface
3 (Optional) Duplex mode of an ethernet electrical interface
4 (Optional) Rate of an ethernet interface
2.1.3.2 (Optional) Configuring the Description

Context
Do as follows on the CX91x series where you need to configure the interface
description.
Procedure
Step 1 Run:
system-view
Step 2 Run:
The interface view is displayed.
Step 3 Run:
The description of the interface is configured.
By default, the description of an interface is "X interface". X specifies an interface.
----End
2.1.3.3 (Optional) Setting the Duplex Mode
Context
Do as follows on the CX91x series where you need to set the duplex mode of
interfaces.
Procedure
Step 1 Run:
system-view
Step 2 Run:
The Ethernet electrical interface view is displayed.
Step 3 Run:
undo negotiation auto
The auto-negotiation mode is disabled on the Ethernet electrical interface.
Step 4 Run:
duplex { full | half }
The duplex mode is set for the Ethernet electrical interface.

By default, the duplex mode of an Ethernet electrical interface is full-duplex when

auto-negotiation is disabled on the interface.
----End
2.1.3.4 (Optional) Setting the Rate of an Interface
Context
Do as follows on the CX91x series where you need to set the rate of interfaces.
Procedure
Step 1 Run:
system-view

Step 2 Run:

Step 3 Run:
undo negotiation auto
The auto-negotiation mode is disabled on the interface.

Step 4 Run:
speed { 10 | 100 | 1000 }
The rate is set for the interface.

By default, an Ethernet interface works at its maximum rate when auto-
negotiation is disabled on the interface.
----End
2.1.3.5 (Optional) Enabling Auto-Negotiation
Context
Do as follows on the CX91x series where you want to enable auto-negotiation and
on the switch connected to this CX91x series.
Procedure
Step 1 Run:
system-view

Step 2 Run:

Step 3 Run:
negotiation auto
Auto-negotiation is enabled on the interface.
By default, an interface works in auto-negotiation mode.
The local interface and peer interface must work in the same mode, that is, both
in auto-negotiation mode or not.
----End
Procedure
Step 1 Run the display interface [ interface-type [ interface-number ] ] command to
display the description, duplex mode, and rate of an Ethernet interface.
----End
Example
By running the display interface command, you can check whether the
description, duplex mode, and rate of an Ethernet interface are set correctly.
<Base> display interface gigabitethernet 0/0/1
GigabitEthernet0/0/1 current state : UP
Line protocol current state : UP
Description:GigabitEthernet0/0/1 Interface
Switch Port,PVID : 1,The Maximum Frame Length is 9712
IP Sending Frames' Format is PKTFMT_ETHNT_2, Hardware address is 0025-9e80-2494
Port Mode: COMMON COPPER
Speed : 1000, Loopback: NONE
Duplex: FULL, Negotiation: ENABLE
Mdi : AUTO
Last 300 seconds input rate 760 bits/sec, 0 packets/sec
Last 300 seconds output rate 896 bits/sec, 0 packets/sec
Input peak rate 12304 bits/sec,Record time: 2010-08-05 10:32:18
Output peak rate 14568 bits/sec,Record time: 2010-08-03 08:47:01
Input: 28643 packets, 2734204 bytes
Unicast : 20923,Multicast : 7703
Broadcast : 17,Jumbo : 0
CRC : 0,Giants : 0
Jabbers : 0,Throttles : 0
Runts : 0,DropEvents : 0
Alignments : 0,Symbols : 0
Ignoreds : 0,Frames : 0
Discard : 474,Total Error : 0
Output: 68604 packets, 8057155 bytes
Collisions : 0,Deferreds : 0
Late Collisions: 0,ExcessiveCollisions: 0
Buffers Purged : 0
Input bandwidth utilization threshold : 100.00%
Output bandwidth utilization threshold: 100.00%
Input bandwidth utilization : 0.01%
Output bandwidth utilization : 0.00%

2.1.4 Configuring the Advanced Attributes of an Ethernet

Interface
This section describes how to configure the loopback test, interface group, jumbo
frame size, flow control .
The configuration task is applicable in the following situations:
● The CX91x series provides the interface group function, which enables you to
configure multiple interfaces at the same time.
● When the traffic volume received on an interface of the CX91x series exceeds
the processing capability of the interface and the directly connected interface
supports traffic control, you can enable the traffic control function on the
interface of the CX91x series. After traffic control is enabled on the interface,
the interface sends a Pause frame to the peer interface to request the peer
interface to stop sending traffic if the received traffic reaches the set
threshold. If the peer interface supports traffic control, the peer interface
decreases the rate of sending traffic after receiving the frame so that the local
interface can properly process received traffic.
● Ports enabled with port isolation cannot communicate with each other, and
thus ports on the same VLAN can be isolated. Port isolation provides secure
and flexible networking schemes for customers.
None.
Data Preparation
To configure the advanced functions of Ethernet interfaces, you need the following
data.
No. Data
1 Interface number
2 (Optional) Maximum frame length allowed on the interface
2.1.4.2 (Optional) Configuring Loopback Test on the Ethernet Interface
Context
Do as follows on the CX91x series where you need to configure the loopback test.

Procedure
Step 1 Run:
system-view
Step 2 Run:
Step 3 Run:
loopbacktest internal
The loopback test is configured on the Ethernet interface.
By default, loopback test is not configured on an Ethernet interface.
----End
2.1.4.3 (Optional) Configuring the Interface Group
Context
Do as follows on the CX91x series where you need to configure interface groups.
Procedure
Step 1 Run:
system-view
Step 2 Run:
port-group port-group-name
The interface group view is displayed.
Step 3 Run:
group-member interface-type interface-number
The Ethernet interface is added to the interface group.
----End
2.1.4.4 (Optional) Setting the Maximum Frame Length on the Ethernet

Interface
Context
Do as follows on the CX91x series where you need to set the maximum frame
length.

Procedure
Step 1 Run:
system-view
Step 2 Run:
The Ethernet interface view is displayed.
Step 3 Run:
jumboframe enable [ value ]
The maximum length of the frame is set on the Ethernet interface.
By default, an interface is disabled from transmitting jumbo frames, and the

maximum length of frames that the interface can transmit is 9712 bytes.
When an interface of the CX91x series is enabled to allow jumbo frames but the
maximum length of jumbo frames is not set, the interface allows jumbo frames of
up to 9712 bytes.
----End
2.1.4.5 (Optional) Enabling Flow Control
Context
Do as follows on the CX91x series where you need to enable flow control.
By default, flow control is disabled on an Ethernet interface.
To implement flow control, you must enable this function on both the local
interface and peer interface.
Procedure
Step 1 Run:
system-view
Step 2 Run:
Step 3 Run:
flow-control
Flow control is enabled on the Ethernet interface.
----End

2.1.4.6 (Optional) Enabling Auto-Negotiation of Flow Control
Context
Do as follows on the CX91x series whose interface needs to be configured with
auto-negotiation of flow control.
GE interfaces support auto-negotiation of flow control, but FE interfaces do not
support this function.
Procedure
Step 1 Run:
system-view

Step 2 Run:
interface gigabitethernet interface-number
The GE interface view is displayed.

Step 3 Run:
flow-control negotiation
Auto-negotiation of flow control is enabled on the GE interface.

By default, auto-negotiation of flow control is disabled on a GE interface.
You also need to configure auto-negotiation of flow control on the peer interface.
----End
Procedure
● Run the display port-group [ all | port-group-name ] command to display
information about the interface group.
● Run the display interface [ interface-type [ interface-number ] ] command to
display information about auto-negotiation capability on an Ethernet
interface.
● Run the display this command the maximum frame, flow control, and port
isolation of the port.
----End
Example
By running the display port-group command, you can check whether the
interface group is configured properly.
<Base> display port-group all Portgroup:1 GigabitEthernet0/0/1
By running the display interface command, you can check whether an Ethernet
interface is configured correctly.


Mdi : AUTO
CRC : 0,Giants : 0
Buffers Purged : 0
Run the display this command the maximum frame, flow control, and port
isolation of the port.
[Fabric-XGigabitEthernet0/0/3]display this
#
interface XGigabitEthernet0/0/3
broadcast-suppression value 10
multicast-suppression value 10
unknown-unicast-suppression value 10
flow-control
#
return
[Base-GigabitEthernet0/0/3]display this
#
broadcast-suppression value 10
port-isolate enable group 1
jumboframe enable 5000
#
return
2.1.5 Maintaining Ethernet Interfaces

This section describes how to maintain Ethernet interfaces.
2.1.5.1 Debugging Ethernet Interfaces

Context
NOTICE
Debugging affects the performance of the system. So, after debugging, run the
undo debugging all command to disable it immediately.
When an Ethernet interface or Eth-Trunk fault occurs, run the following

debugging commands in the user view to locate the fault.
For operation procedures for enabling debugging, refer to Chapter "Monitoring

and Debugging" in the CX91x Series Switch Modules V100R001C00
Configuration Guide. For the description of the debugging commands, see the
CX91x Series Switch Modules V100R001C00 Debugging Command Reference.
Procedure
Step 1 Run the debugging l2if [ error | event | msg | updown ] command to enable the
debugging of link layer features.
----End

This section provides several configuration examples of Ethernet interfaces.
2.1.6.1 Example for Configuring Port Isolation
As shown in Figure 2-1, it is required that PC1 and PC2 cannot communicate with
each other, but they can communicate with PC3.
Figure 2-1 Networking diagram for configuring port isolation

Enable port isolation on the ports connected to PC1 and PC2 respectively to
prevent PC1 and PC2 from communicating with each other.
Data Preparation
● Number of the port connected to PC1

● Number of the port connected to PC2
● ID of the VLAN that the ports connected to PC1, PC2, and PC3 belong to
(VLAN 1 by default)
● Port isolation group that the ports connected to PC1 and PC2 belong to
(group 1 by default)
Procedure
Step 1 Enable port isolation.
1. Enable port isolation on GigabitEthernet 0/0/1.
<Base> system-view
[Base-GigabitEthernet0/0/1] port-isolate enable
2. Enable port isolation on GigabitEthernet 0/0/2.

<Base> system-view
[Base-GigabitEthernet0/0/2] port-isolate enable
Step 2 Verify the configuration.
PC1 and PC2 cannot ping each other.
PC1 and PC3 can ping each other.
PC2 and PC3 can ping each other.
----End
Configuration Files
Configuration file of the Switch
#
sysname Quidway
#
#
#
#
return

2.2 Link Aggregation Configuration

This chapter describes the concepts, configuration procedures, and configuration
examples of link aggregation.
2.2.1 Introduction to Link Aggregation

This section describes the concept of link aggregation.
Link aggregation refers to a method of bundling a group of physical interfaces

into a logical interface to increase bandwidth and reliability. It is also called multi-
interface load sharing group or link aggregation group. For details, refer to
IEEE802.3ad.
By setting up a link aggregation group between two devices, you can obtain
higher bandwidth and reliability. Link aggregation provides redundancy protection
for communication among devices without upgrading the hardware.
2.2.2 Link Aggregation Supported by the CX91x series

This section describes link aggregation features supported by the CX91x series.
Manual Load Balancing Mode

In load balancing mode, you can manually add member interfaces to the link
aggregation group. All the interfaces configured with load balancing are in
forwarding state. The CX91x series can perform load balancing based on source
MAC addresses, destination MAC addresses, source MAC address exclusive-or
destination MAC address, source IP addresses, destination IP addresses, source
address exclusive-or destination IP address.
You must set up the Eth-Trunk and add an interface to the Eth-Trunk manually.
The Link Aggregation Control Protocol (LACP) is not used.
The manual load balancing mode is usually used when the peer device does not
support LACP.
Static LACP Mode

The static LACP mode is a link aggregation mode in which the two parties
negotiate aggregation parameters by exchanging LACP packets. After the
negotiation, the two parties determine the active interface and the inactive
interface. In static LACP mode, you need to create an Eth-Trunk manually and add
members to the Eth-Trunk. The active interfaces and inactive interfaces are
determined by LACP negotiation.
The static LACP mode is also called the M:N mode. In this mode, links can
implement load balancing and redundancy at the same time. In a link aggregation
group, M links are active and they forward data in load balancing mode. N links
are inactive and they function as backup links. The backup links do not forward
data. When an active link fails, the backup link with the highest priority replaces
the failed link to forward data and its status changes to active.

In static LACP mode, some links function as backup links. In manual load
balancing mode, all member interfaces work in forwarding state to share the
traffic. This is the main difference between the two modes.
CX91x series does not support dynamic LACP mode.
Active Interface and Inactive Interface

Active interfaces refer to the interfaces that are in active state and are responsible
for forwarding data. The interfaces that do not forward data and are in inactive
state are called inactive interfaces. According to the operation modes, active and
inactive interfaces are classified as follows:
● Manual load balancing mode: Generally, all member interfaces are active
interfaces unless a fault occurs on these interfaces.
● Static LACP mode: The interfaces connected to M links are active interfaces
that are responsible for forwarding data; the interfaces connected to N links
are inactive interfaces that are used for redundancy backup.
Actor and Partner

In static LACP mode, the device in the link aggregation group with a higher LACP
priority is the Actor and the device with a lower LACP priority is the Partner.
If the two devices have the same LACP priority, the Actor is selected based on the
MAC addresses of the devices. The device with a smaller MAC address becomes
the Actor.
Differentiating the Actor and the Partner is to keep the active interfaces of devices
at both ends consistent. If the devices at both ends select active interfaces
according to the priority of their own interfaces, the active interfaces may be
different and the active links cannot be set up. Therefore, the Actor is first
determined. The Partner selects active interfaces according to the priority of the
interfaces of the Actor. Figure 2-2 shows the process of selecting active interfaces.
Figure 2-2 Determining the active links in static LACP mode

2.2.3 Configuring Link Aggregation in Manual Load Balancing

Mode
This section describes how to configure link aggregation in manual load balancing
mode.
When the bandwidth or the reliability of two devices should be increased and
either of the two devices does not support LACP, you should create an Eth-Trunk in
manual load balancing mode on Switches and add member interfaces to the Eth-
Trunk to increase the bandwidth and improve reliability of devices.
As shown in Figure 2-3, Eth-Trunks are created between SwitchA and SwitchB.
Figure 2-3 Networking diagram for configuring link aggregation in load balancing
mode
Before configuring an Eth-Trunk in manual load balancing mode, complete the
following tasks:
● Creating the Eth-Trunks
Data Preparation
To configure an Eth-Trunk in manual load balancing mode, you need the following
data.
No. Data
1 Number of the Eth-Trunk in manual load balancing mode
2 Type and number of the member interface

2.2.3.2 Configuring the Eth-Trunk to Work in Manual Load Balancing Mode
Context
NOTE
Check whether the Eth-Trunk contains member interfaces before you configure the
operation mode of the Eth-Trunk. If the Eth-Trunk contains member interfaces, the mode of
the Eth-Trunk cannot be changed. To delete member interfaces from the Eth-Trunk, run the
undo eth-trunk trunk-id command in the interface view or run the undo trunkport
interface-type interface-number command in the Eth-Trunk view.
Do as follows on the CX91x series where you need to configure an Eth-Trunk in

manual load balancing mode.
Procedure
Step 1 Run:
system-view

Step 2 Run:
interface eth-trunk trunk-id
The Eth-Trunk view is displayed.

Step 3 Run:
mode manual [ load-balance ]
The operation mode of the Eth-Trunk is set to load balancing.

By default, an Eth-Trunk works in manual load balancing mode.
If the local device is configured with the Eth-Trunk in manual load balancing
mode, you need to configure the Eth-Trunk in manual load balancing mode on the
peer device.
----End
2.2.3.3 Adding Member Interfaces to an Eth-Trunk
Context
Do as follows on the CX91x series where you need to configure member interfaces
of an Eth-Trunk.
Procedure
● Configuration in the Eth-Trunk interface view
a. Run:
system-view

b. Run:

The Eth-Trunk interface view is displayed.

c. Run:
bpdu enable
All BPDUs are sent to the CPU.

● Configuration in the member interface view
a. Run:
system-view

b. Run:

c. Run:
bpdu disable
All BPDUs are discarded directly.

d. Run:
eth-trunk trunk-id
The interface is added to the Eth-Trunk.
When adding an interface to an Eth-Trunk, pay attention to the following

points:
– An Eth-Trunk contains a maximum of eight member interfaces.

– A member interface cannot be configured with any service or static MAC
address.
– When adding an interface to an Eth-Trunk, ensure that the interface is a
hybrid interface, which is the default interface type.
– An Eth-Trunk cannot be nested, that is, its member interfaces cannot be
Eth-Trunk.
– An Ethernet interface can be added to only one Eth-trunk interface. To
add the Ethernet interface to another Eth-trunk, delete the Ethernet
interface from the current Eth-Trunk first.
– The member interfaces of an Eth-trunk must be of the same type, For
example, the GE interfaces and the 10GE interface cannot be added to
the same Eth-trunk.
– The peer interface directly connected to the Eth-Trunk on the local end
must also be added to an Eth-Trunk; otherwise, the two ends cannot
communicate.
– When the rates of member interfaces are different, the interfaces with a
smaller rate may be congested, and thus packets may be lost.
– After an interface is added to an Eth-Trunk, MAC address learning is
performed by the Eth-Trunk rather than the member interfaces.
----End

2.2.3.4 (Optional) Configuring the Load Balancing Mode
Context
Do as follows on the CX91x series where the load balancing mode of Eth-Trunk
needs to be configured.
Procedure
Step 1 Run:
system-view
Step 2 Run:
Step 3 Run:
load-balance { dst-ip | dst-mac | src-ip | src-mac | src-dst-ip | src-dst-mac }
The load balancing mode is configured for the Eth-Trunk.
By default, the load balancing mode of the Eth-Trunk is src-dst-mac.
Member interfaces of an Eth-Trunk perform per-flow load balancing. The local end
and the remote end can use different load balancing modes, and the load
balancing mode on one end does not affect load balancing on the other end.
----End
2.2.3.5 (Optional) Limiting the Number of Active Interfaces
Context
Do as follows on the CX91x series where you need to limit the number of active
interfaces.
Procedure
● Setting the upper threshold of the number of interfaces that determine
bandwidth of the Eth-Trunk
a. Run:
system-view

b. Run:

c. Run:
max bandwidth-affected-linknumber link-number

The maximum number of interfaces that determine bandwidth of the

Eth-Trunk is set.
By default, the maximum number of interfaces that determine bandwidth

of the Eth-Trunk is 8.
NOTE
The upper threshold the number of interfaces that determine bandwidth of the Eth-
Trunk of the local CX91x series and that of the remote CX91x series can be different. If
the upper thresholds at two ends are different, the smaller one is used.
● Setting the lower threshold of the number of active interfaces
a. Run:
system-view

b. Run:

c. Run:
least active-linknumber link-number
The lower threshold of the number of active interfaces is set.
By default, the lower threshold of the number of active interfaces is 1.
In manual load balancing mode, you can determine the minimum number of
active interfaces in the Eth-Trunk by setting the lower threshold. If the
number of active interfaces is smaller than the value in manual load
balancing mode, the status the Eth-Trunk becomes Down.
NOTE
The lower threshold of the number of active interfaces of the local CX91x series and
that of the remote CX91x series can be different. If the lower thresholds at two ends
are different, the larger one is used.
----End
2.2.3.6 (Optional) Configuring the Load Balancing Mode for Unknown

Unicast Traffic
Context
Do as follows on the CX91x series where you need to configure the load balancing
mode for unknown unicast traffic.
Procedure
Step 1 Run:
system-view

Step 2 Run:
unknown-unicast load-balance { dmac | smac | smacxordmac }
The load balancing mode for unknown unicast traffic is configured.
----End
Procedure
● Run the display trunkmembership eth-trunk trunk-id command to display
the member interfaces of the Eth-Trunk.
● Run the display eth-trunk trunk-id command to display the load balancing
status of the Eth-Trunk.
----End
Example
By running the display trunkmembership eth-trunk command, you can find that
the operation mode of the Eth-Trunk is Normal and you can see the number of
member interfaces, number of member interfaces in Up state, and information
about member interfaces.
<Base> display trunkmembership eth-trunk 1
Trunk ID: 1
used status: VALID
TYPE: ethernet
Working Mode : Normal
Working State: Normal
Number Of Ports in Trunk = 2
Number Of UP Ports in Trunk = 0
operate status: down
Interface GigabitEthernet0/0/1, valid, operate down, weight=1

Run the display eth-trunk command to check the load balancing mode of the
Eth-Trunk. By default, the load balancing mode is displayed as "SA-XOR-DA" in the
output information.
<Base> display eth-trunk 1
Eth-Trunk1's state information is:
WorkingMode: NORMAL Hash arithmetic: According to SA-XOR-DA
Least Active-linknumber: 1 Max Bandwidth-affected-linknumber: 8
Operate status: down Number Of Up Port In Trunk: 0
--------------------------------------------------------------------------------
PortName Status Weight
GigabitEthernet0/0/1 Down 1
GigabitEthernet0/0/2 Down 1
2.2.4 Configuring Link Aggregation in Static LACP Mode

This section describes how to configure link aggregation in static LACP mode.

To increase the bandwidth and improve the connection reliability, you can
configure a link aggregation group on two directly connected Switches. The
requirements are as follows:
● The links between two devices can implement redundancy backup. When a
fault occurs on some links, the backup links replace the faulty ones to keep
data transmission uninterrupted.
● The active links have the load balancing capability.
Figure 2-4 Typical networking of link aggregation in static LACP mode
Before configuring an Eth-Trunk in static LACP mode, complete the following
tasks:
● Closing BPDU processing on the Eth-Trunk
● Creating the Eth-Trunk
Data Preparation
To configure an Eth-Trunk in static LACP mode, you need the following data.
No. Data
1 Number of the Eth-Trunk
2 Type and number of the member interfaces
3 Maximum number of active interfaces
2.2.4.2 Configuring the Eth-Trunk to Work in Static LACP Mode

Context
NOTE
● Check whether an Eth-Trunk contains member interfaces before you configure the
working mode of the Eth-Trunk. If the Eth-Trunk contains member interfaces, the
working mode of the Eth-Trunk cannot be changed. To delete member interfaces from
the Eth-Trunk, run the undo eth-trunk trunk-id command in the view of member
interfaces or run the undo trunkport interface-type interface-number command in the
Eth-Trunk interface view.
● In static LACP mode, the local and remote devices exchange LACPDUs to implement link
aggregation. Therefore, after setting the Eth-Trunk working mode to static LACP, run the
bpdu { disable | enable } command to enable the Eth-Trunk member interfaces to
process and send BPDUs.
To configure the Eth-Trunk in static LACP mode on the CX91x series, perform the
following steps:
Procedure
Step 1 Run:
system-view
Step 2 Run:
Step 3 Run:
mode lacp-static
The Eth-Trunk is configured to work in static LACP mode.
By default, an Eth-Trunk works in manual load balancing mode.
If the Eth-Trunk working mode is set to static LACP on the local device, you must
set the Eth-Trunk working mode to static LACP on the remote device.
----End
2.2.4.3 Adding Member Interfaces to an Eth-Trunk
Context
Do as follows on the CX91x series where you need to configure member interfaces
of an Eth-Trunk.
Procedure
● Configuration in the Eth-Trunk interface view
a. Run:
system-view

b. Run:

c. Run:
bpdu enable
All BPDUs are sent to the CPU.

● Configuration in the member interface view
a. Run:
system-view

b. Run:

c. Run:
bpdu disable
All BPDUs are discarded directly.

d. Run:
eth-trunk trunk-id
The interface is added to the Eth-Trunk.
When adding an interface to an Eth-Trunk, pay attention to the following

points:
– An Eth-Trunk contains a maximum of eight member interfaces.

– A member interface cannot be configured with any service or static MAC
address.
– When adding an interface to an Eth-Trunk, ensure that the interface is a
hybrid interface, which is the default interface type.
– An Eth-Trunk cannot be nested, that is, its member interfaces cannot be
Eth-Trunk.
– An Ethernet interface can be added to only one Eth-trunk interface. To
add the Ethernet interface to another Eth-trunk, delete the Ethernet
interface from the current Eth-Trunk first.
– The member interfaces of an Eth-trunk must be of the same type, For
example, the GE interface and the 10GE interface cannot be added to the
same Eth-trunk.
– The peer interface directly connected to the Eth-Trunk on the local end
must also be added to an Eth-Trunk; otherwise, the two ends cannot
communicate.
– When the rates of member interfaces are different, the interfaces with a
smaller rate may be congested, and thus packets may be lost.
– After an interface is added to an Eth-Trunk, MAC address learning is
performed by the Eth-Trunk rather than the member interfaces.
----End

2.2.4.4 (Optional) Configuring the Load Balancing Mode
Context
Do as follows on the CX91x series where you need to configure the Eth-Trunk load
balancing mode.
Procedure
Step 1 Run:
system-view

Step 2 Run:

Step 3 Run:
load-balance { dst-ip | dst-mac | src-ip | src-mac | src-dst-ip | src-dst-mac }
The load balancing mode is configured for the Eth-Trunk.

By default, the load balancing mode of an Eth-Trunk is src-dst-mac.
Member interfaces of an Eth-Trunk perform per-flow load balancing. The local end
and the remote end can use different load balancing modes, and the load
balancing mode on one end does not affect load balancing on the other end.
----End
2.2.4.5 (Optional) Limiting the Number of Active Interfaces
Context
Do as follows on the CX91x series where you need to limit the number of active
interfaces.
Procedure
● Setting the upper threshold of the number of active interfaces
a. Run:
system-view

b. Run:

c. Run:
max active-linknumber link-number
The upper threshold of the number of active interfaces is set.

By default, the upper threshold of the number of active interfaces is 8.
In static LACP mode, you can limit the maximum number (M) of active
interfaces in the Eth-Trunk by setting the upper threshold. The other member
interfaces function as backup.
If the upper threshold is not set, up to eight interfaces in the Eth-Trunk can be
active.
NOTE
● The upper threshold of the number of active interfaces should not be smaller the
lower threshold for the number of active interfaces.
● The upper threshold of the number of active interfaces of the local CX91x series
and that of the remote CX91x series can be different. If the upper thresholds at
two ends are different, the smaller one is used.
● Setting the lower threshold of the number of active interfaces
a. Run:
system-view

b. Run:

c. Run:
least active-linknumber link-number
The lower threshold of the number of active interfaces is set.
By default, the lower threshold of the number of active interfaces is 1.
In static LACP mode, you can determine the minimum number of active
interfaces in the Eth-Trunk by setting the lower threshold. If the number of
active interfaces is smaller than the value in static mode, the status of the
Eth-Trunk becomes Down.
NOTE
● The lower threshold of the number of active interfaces should not be larger than
the upper threshold of the number of active interfaces.
● The lower threshold of the number of active interfaces of the local CX91x series
and that of the remote CX91x series can be different. If the lower thresholds at two
ends are different, the larger one is used.
----End
2.2.4.6 (Optional) Setting the LACP Priority of the System
Context
Do as follows on the CX91x series where you need to set the LACP priority of the
system.

Procedure
Step 1 Run:
system-view
Step 2 Run:
lacp priority priority
The system LACP priority of the CX91x series is set.
The smaller the LACP priority value of the system is, the higher the priority is. By
default, the LACP priority of the system is 32768.
The end of a smaller priority value functions as the Actor. If the two ends have the
same priority, the end with a smaller MAC address functions as the Actor.
----End
2.2.4.7 (Optional) Setting the LACP Priority of the Interface
Context
Do as follows on the CX91x series where you need to set the LACP priority of
interfaces.
NOTE
You can set the LACP priority of a interface only when the interface is a member interface
of the Eth-Trunk.
Procedure
Step 1 Run:
system-view
Step 2 Run:
Step 3 Run:
lacp priority priority
The interface LACP priority of the CX91x series is set.
By default, the interface LACP priority is 32768.
----End
2.2.4.8 (Optional) Enabling LACP Preemption and Setting the Delay for LACP
Preemption

Context
Do as follows on the CX91x series where you need to enable LACP preemption
mode and set the delay for LACP preemption.
Procedure
Step 1 Run:
system-view
Step 2 Run:
Step 3 Run:
lacp preempt enable
The LACP preemption function is enabled on the Eth-Trunk.
By default, the LACP preemption function is disabled.
NOTE
To ensure normal running of an Eth-Trunk, it is recommended that you enable or disable

LACP preemption on both ends of the Eth-Trunk.
Step 4 Run:
lacp preempt delay delay-time
The delay for LACP preemption on the Eth-Trunk is set.
By default, the delay for LACP preemption is 30 seconds.
Enabling the LACP preemption function ensures that the interface with the highest
LACP priority can be an active interface. For example, when an interface with the
highest priority becomes inactive due to a failure, and then recovers, the interface
can become an active interface if the LACP preemption function is enabled; if the
LACP preemption function is disabled, the interface cannot become an active
interface again.
The delay for LACP preemption refers to the period in which an inactive interface
of the Eth-Trunk in static LACP mode waits before it becomes active.
----End
2.2.4.9 (Optional) Setting the Timeout Interval for Receiving LACP Packets
Context
Do as follows on the CX91x series where you need to set the timeout interval for
receiving LACP packets.

Procedure
Step 1 Run:
system-view

Step 2 Run:

Step 3 Run:
lacp timeout { fast | slow }
The timeout for receiving LACP protocol packets the Eth-Trunk is set.
NOTE
● After the lacp timeout command is used, the local end informs the peer end of the
timeout interval through LACP packets. If the fast is selected, the interval for sending
LACP packets is 1 second. If the slow keyword is selected, the interval for sending LACP
packets is 30 seconds.
● The timeout interval for receiving LACP packets is three times the interval for sending
LACP packets. That is, when the fast keyword is used, the timeout interval for receiving
LACP packets is 3s; when the slow keyword is used, the timeout interval for receiving
LACP packets is 90s.
● You can select different keywords on the two ends. To facilitate the maintenance,
however, it is recommended that you select the same keyword on both ends.
----End
2.2.4.10 (Optional) Configuring the Load Balancing Mode for Unknown

Unicast Traffic
Context
Do as follows on the CX91x series where you need to configure the load balancing
mode for unknown unicast traffic.
Procedure
Step 1 Run:
system-view

Step 2 Run:
unknown-unicast load-balance { dmac | smac | smacxordmac }
The load balancing mode for unknown unicast traffic is configured.
----End

Procedure
● Run the display eth-trunk [ trunk-id [interface interface-type interface-
number ] ] command to display information about the Eth-Trunk and
member interfaces.
----End
Example
By running the display trunkmembership eth-trunk command, you can find that
the operation mode of the Eth-Trunk is Static and you can see the number of
member interfaces, number of member interfaces in Up state, and information
about member interfaces.
<Base> display trunkmembership eth-trunk 1
Trunk ID: 1
used status: VALID
TYPE: ethernet
Working Mode : Static
operate status: down
By running the display eth-trunk command, you can find that the operation
mode of the Eth-Trunk is STATIC.
<Base> display eth-trunk 1
Local:
LAG ID: 1 WorkingMode: STATIC
Preempt Delay: Disabled Hash arithmetic: According to SIP-XOR-DIP
System Priority: 50 System ID: 000b-09d3-dc62
Least Active-linknumber: 1 Max Active-linknumber: 8
Operate status: down Number Of Up Port In Trunk: 0
--------------------------------------------------------------------------------
ActorPortName Status PortType PortPri PortNo PortKey PortState Weight
GigabitEthernet0/0/1 Unselect 1GE 10 1547 561 11100000 1
Partner:
--------------------------------------------------------------------------------
ActorPortName SysPri SystemID PortPri PortNo PortKey PortState
GigabitEthernet0/0/1 0 0000-0000-0000 0 0 0 11100000
2.2.5 Maintaining Link Aggregation

This section describes how to clear the statistics of received and sent LACP
packets, debug the link aggregation group, and monitor the running status of the
link aggregation group.
2.2.5.1 Clearing Statistics of LACP Packets

Context
NOTICE
The statistics of LACP packets cannot be restored after you clear them. So, confirm
Procedure
Step 1 Run the reset lacp statistics eth-trunk [ trunk-id ] command to clear statistics of
received and sent LACP packets.
----End
2.2.5.2 Monitoring the Operation Status of the Link Aggregation Group
Context
During the daily maintenance, you can run the following commands in any view
to check the operation status of the link aggregation group.
Procedure
● Run the display eth-trunk [ trunk-id [ interface interface-type interface-
number ] ] command to display the status of the link aggregation group.
● Run the display lacp statistics eth-trunk [ trunk-id [ interface interface-type
interface-number ] ] command to display the statistics of sent and received
LACP packets.
----End

This section provides several configuration examples of link aggregation in manual
load balancing mode and in static LACP mode.
2.2.6.1 Example for Configuring Link Aggregation in Manual Load Balancing

Mode
As shown in Figure 2-5, the Switch is connected to the BRAS (Broadband Remote
Access Server) through an Eth-Trunk. The link between the Switch and BRAS must
ensure high reliability.

Figure 2-5 Networking diagram for configuring link aggregation in manual load
balancing mode
1. Create an Eth-Trunk.
2. Add member interfaces to the Eth-Trunk.
Data Preparation
● Number of the Eth-Trunk
● Types and numbers of the member interfaces in the Eth-Trunk
Procedure
Step 1 Create an Eth-Trunk.
# Create Eth-Trunk 1.
[Switch] interface eth-trunk 1
[Switch-Eth-Trunk1] bpdu enable
[Switch-Eth-Trunk1] quit
Step 2 Add member interfaces to the Eth-Trunk.

# Add GigabitEthernet 0/0/3 to Eth-Trunk 1.

[Switch] interface gigabitethernet 0/0/3

[Switch-GigabitEthernet0/0/3] bpdu disable
[Switch-GigabitEthernet0/0/3] eth-trunk 1
[Switch-GigabitEthernet0/0/3] quit
# Add GigabitEthernet 0/0/4 to Eth-Trunk 1.

[Switch-GigabitEthernet0/0/4] bpdu disable
[Switch-GigabitEthernet0/0/4] eth-trunk 1
Step 3 Configure Eth-Trunk 1.

# Configure Eth-Trunk 1 to allow packets of VLANs 100 to 200 to pass through.
[Switch] interface eth-trunk 1
[Switch-Eth-Trunk1] bpdu enable
[Switch-Eth-Trunk1] port link-type trunk
[Switch-Eth-Trunk1] port trunk allow-pass vlan 100 to 200
[Switch-Eth-Trunk1] quit

Run the display trunkmembership command in any view to check whether Eth-
Trunk 1 is created and whether member interfaces are added.
[Switch] display trunkmembership eth-trunk 1
Trunk ID: 1
used status: VALID
TYPE: ethernet
Working Mode : Normal
Working State: Normal
operate status: up
Interface GigabitEthernet0/0/3, valid, operate up, weight=1,
Interface GigabitEthernet0/0/4, valid, operate up, weight=1,
# Display the configuration of Eth-Trunk 1.

[Switch] display eth-trunk 1
WorkingMode: NORMAL Hash arithmetic: According to SA-XOR-DA
Least Active-linknumber: 1 Max Bandwidth-affected-linknumber: 8
Operate status: up Number Of Up Port In Trunk: 2
--------------------------------------------------------------------------------
PortName Status Weight
GigabitEthernet0/0/3 Up 1
GigabitEthernet0/0/4 Up 1
The preceding information indicates that Eth-Trunk 1 consists of member

interfaces GigabitEthernet 0/0/3 and GigabitEthernet 0/0/4. The member
interfaces are both in Up state.
----End
Configuration Files
#
sysname Switch
#
interface Eth-Trunk1
port link-type trunk
port trunk allow-pass vlan 100 to 200

#
eth-trunk 1
#
eth-trunk 1
#
return
2.2.6.2 Example for Configuring Link Aggregation in Static LACP Mode
To improve the bandwidth and the connection reliability, configure the link
aggregation group on two directly connected Switches, as shown in Figure 2-6.
The requirements are as follows:
● M active links can implement load balancing.
● N links between two Switches can carry out redundancy backup. When a fault
occurs on an active link, the backup link replaces the faulty link to keep the
reliability of data transmission.
Figure 2-6 Networking diagram for configuring link aggregation in static LACP
mode
1. Create an Eth-Trunk on the Switch and configure the Eth-Trunk to work in
static LACP mode.
2. Add member interfaces to the Eth-Trunk.
3. Set the system priority and determine the Actor.
4. Set the upper threshold of the active interfaces.
5. Set the priority of the interface and determine the active link.
Data Preparation
● Numbers of the link aggregation groups on the Switches
● System priority of SwitchA
● Upper threshold of active interfaces
● LACP priority of the active interface

Procedure
Step 1 Create Eth-Trunk 1 and set the load balancing mode of the Eth-Trunk to static
LACP mode.
# Configure SwitchA.
<Base> system-view
[Base] sysname SwitchA
[SwitchA] interface eth-trunk 1
[SwitchA-Eth-Trunk1] bpdu enable
[SwitchA-Eth-Trunk1] mode lacp-static
[SwitchA-Eth-Trunk1] quit
# Configure SwitchB.
<Base> system-view
[Base] sysname SwitchB
[SwitchB] interface eth-trunk 1
[SwitchB-Eth-Trunk1] bpdu enable
[SwitchB-Eth-Trunk1] mode lacp-static
[SwitchB-Eth-Trunk1] quit
Step 2 Add member interfaces to the Eth-Trunk.

[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] bpdu disable
[SwitchA-GigabitEthernet0/0/1] eth-trunk 1
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchB] interface gigabitethernet 0/0/1
[SwitchB-GigabitEthernet0/0/1] bpdu disable
[SwitchB-GigabitEthernet0/0/1] eth-trunk 1
[SwitchB-GigabitEthernet0/0/1] quit
Step 3 Set the system priority on SwitchA to 100 so that SwitchA becomes the Actor.
[SwitchA] lacp priority 100
Step 4 Set the upper threshold M of active interfaces on SwitchA to 2.
[SwitchA] interface eth-trunk 1
[SwitchA-Eth-Trunk1] bpdu enable
[SwitchA-Eth-Trunk1] max active-linknumber 2
[SwitchA-Eth-Trunk1] quit
Step 5 Set the priority of the interface and determine active links on SwitchA.

[SwitchA-GigabitEthernet0/0/1] lacp priority 100

[SwitchA-GigabitEthernet0/0/2] lacp priority 100

# Check information about the Eth-Trunk of the Switches and check whether the
negotiation is successful on the link.
[SwitchA] display eth-trunk 1
Local:
Preempt Delay: Disabled Hash arithmetic: According to SA-XOR-DA
System Priority: 100 System ID: 00e0-fca8-0417
Operate status: Up Number Of Up Port In Trunk: 2
------------------------------------------------------------------------------
GigabitEthernet0/0/1 Selected 1GE 100 6145 2865 11111100 1
Partner:
------------------------------------------------------------------------------
PartnerPortName SysPri SystemID PortPri PortNo PortKey PortState
GigabitEthernet0/0/1 32768 00e0-fca6-7f85 32768 6145 2609 11111100
[SwitchB] display eth-trunk 1

Local:
Preempt Delay: Disabled Hash arithmetic: According to SA-XOR-DA
System Priority: 32768 System ID: 00e0-fca6-7f85
Operate status: Up Number Of Up Port In Trunk: 2
------------------------------------------------------------------------------
Partner:
------------------------------------------------------------------------------
PartnerPortName SysPri SystemID PortPri PortNo PortKey PortState
GigabitEthernet0/0/1 100 00e0-fca8-0417 100 6145 2865 11111100
The preceding information shows that the system priority of SwitchA is 100 and it
is higher than the system priority of SwitchB. Member interfaces GE0/0/1 and
GE0/0/2 become the active interfaces and are in Selected state. Interface GE0/0/3
is in Unselect state. M active links work in load balancing mode and N links are
the backup links.
----End
Configuration Files
● Configuration file of SwitchA
#
sysname SwitchA

#
lacp priority 100
#
mode lacp-static
max active-linknumber 2
bpdu enable
#
eth-trunk 1
lacp priority 100
#
eth-trunk 1
lacp priority 100
#
eth-trunk 1
#
return
● Configuration file of SwitchB
#
sysname SwitchB
#
mode lacp-static
bpdu enable
#
eth-trunk 1
#
eth-trunk 1
#
eth-trunk 1
#
return
2.3 VLAN Configuration

configuring VLAN.
2.3.1 Introduction to VLAN

This section describes the concept of the VLAN.
Definition of a VLAN
A local area network (LAN) can be divided into several logical LANs. Each logical
LAN is a broadcast domain, which is called a virtual LAN (VLAN). That is, the
devices in a LAN are logically divided into different LAN segments, namely,
different VLANs, irrespective of their physical locations. In this manner, the
broadcast domains within a LAN are separated from each other.
Functions of a VLAN
In VLAN networking, the devices that need to communicate with each other are
added to a VLAN; the devices that do not need to communicate with each other

are added to different VLANs. This isolates broadcast domains, eliminates

broadcast storms, and improves the security of data transmission.
With the expansion of network scales, a local network fault impacts the entire
network. After VLANs are used, a fault affects only a VLAN. This improves the
network robustness.
2.3.2 VLAN Features Supported by the CX91x series

This section describes the VLAN features supported by the CX91x series.
Port-based VLAN
The CX91x series supports port-based VLANs.
Ports on the CX91x series are classified into the following types:
● Access: An access port can join only one VLAN, namely, the default VLAN.
Access ports are usually connected to user devices.
● Trunk: A trunk port can join multiple VLANs and is usually connected to a
network device.
● Hybrid: A hybrid port can join multiple VLANs and can be connected to a
network device or a user device.
Table 2-2 describes how various ports process received packets depending on the
default VLAN ID.
Table 2-2 Processing of packets on different ports

Port Type For an Untagged For a Tagged For a Packet to Be
Packet Received Packet Received Sent
Access port Accepts the packet ● When the VLAN Removes the tag
and adds the default ID of the packet is from the packet
VLAN tag to the the same as the and sends the
packet. default VLAN ID, packet.
the access port
accepts the
packet.
● When the VLAN
ID of the packet is
different from the
default VLAN ID,
the access port
discards the
packet.

Port Type For an Untagged For a Tagged For a Packet to Be

Packet Received Packet Received Sent
Trunk port ● Adds the default ● If the default ● If the VLAN ID

VLAN tag to the VLAN ID is in the of the packet is
packet. If the list of allowed the same as the
default VLAN ID VLAN IDs, the default VLAN
is in the list of port accepts the and is in the list
allowed VLAN packet. of allowed VLAN
IDs, the port ● If the default IDs, the port
accepts the VLAN ID is not in removes the tag
packet. the list of allowed from the packet
● Adds the default VLAN IDs, the and sends the
VLAN tag to the port discards the packet.
packet. If the packet. ● If the VLAN ID
default VLAN ID of the packet is
is not in the list of different from
allowed VLAN the default
IDs, the port VLAN and is in
discards the the list of
packet. allowed VLAN
IDs, the port
retains the tag
of the packet
and sends the
packet.
Hybrid port If the VLAN ID of

the packet is in the
list allowed VLAN
IDs, the port sends
the packet. You can
run the port hybrid
untagged/tagged
vlan command to
determine whether
the port sends the
packet with the
tag.
VLAN Broadcast Attribute

When an interface of a VLAN receives a broadcast packet or a unicast packet
whose destination MAC address does not exist in the MAC address table, this
interface broadcasts this packet to other interfaces in the VLAN.
VLAN Trunk
When a VLAN is configured on multiple switches, the interfaces on the switches
must be able to identify and forward the packets of different VLANs. This problem
also exists in the package transmission between the switch and router that

support VLAN. The link that can identify and forward the packets of different
VLANs is called a trunk.
The trunk has the following functions:
● Relay
A trunk can transmit the packets from a VLAN to a switch or router
transparently, thus expanding the VLAN.
● Transmission backbone
A trunk can transmit the packets of multiple VLANs.
The most popular protocol used by the trunk is IEEE 802.1Q, which identifies
VLANs through the VLAN tag.
The trunk refers to a point-to-point (P2P) link between two devices. The interfaces
on the trunk are called the trunk interfaces. One trunk can transmit data flows of
multiple VLANs to other devices.
2.3.3 Creating VLANs

This section describes how to create one or multiple VLANs.
Through a VLAN, hosts that do not need to communicate with each other are
isolated. The VLAN improves the security of the network, reduces broadcast traffic,
and suppresses broadcast storms.
None
Data Preparation
To create a VLAN, you need the following data.
No. Data
1 VLAN ID
2.3.3.2 Creating a VLAN
Context
Do as follows on the CX91x series that need to be configured with VLANs.

Procedure
Step 1 Run:
system-view

Step 2 Run:
vlan vlan-id
A VLAN is created and the VLAN view is displayed.

Step 3 (Optional) Run:
The description of the VLAN is set.

The description of a VLAN is set for managing and memorizing the VLAN. By
default, the description of a VLAN shows the VLAN ID. For example, the
description of VLAN 15 is "VLAN 0015".
----End
2.3.3.3 (Optional) Creating VLANs in a Batch
Context
Do as follows on the CX91x series that need to be configured with VLANs.
Procedure
Step 1 Run:
system-view

Step 2 Run:
vlan batch { vlan-id1 [ to vlan-id2 ] }
VLANs are created in a batch.
----End
2.3.3.4 (Optional) Enabling Traffic Statistic in a VLAN
Context
Do as follows on the CX91x series configured with VLANs.
Procedure
Step 1 Run:
system-view

Step 2 Run:
vlan vlan-id
The VLAN view is displayed.

Step 3 Run:
statistic enable
The traffic statistics function is enabled in the VLAN.

By default, the traffic statistics function is disabled in a VLAN.
----End
2.3.3.5 (Optional) Disabling MAC Address Learning on a VLAN
Context
Do as follows on the CX91x series that is configured with a VLAN.
Procedure
Step 1 Run:
system-view

Step 2 Run:
vlan vlan-id

Step 3 Run:
mac-address learning disable
The MAC address learning is disabled in the VLAN.

By default, MAC address learning is enabled in VLANs.
----End
Procedure
Step 1 Run the display vlan [ vlan-id [ verbose | statistics ] ] command to display basic
information about a VLAN.
----End
Example
By running the display vlan command, you can display the created VLANs.
<Base> display vlan
* : management-vlan

---------------------
The total number of vlans is : 5
VLAN ID Type Status MAC Learning Broadcast/Multicast/Unicast Property
--------------------------------------------------------------------------------
1 common enable enable forward forward forward default
By running the display vlan vlan-id verbose command, you can check whether
the description of a VLAN is correct.
<Base> display vlan 10 verbose
* : management-vlan
---------------------
VLAN ID : 10
VLAN Type : Common
Description : VLAN 0010
Status : Enable
Broadcast : Enable
MAC learning : Enable
Statistics : Disable
Property : default
VLAN state : Down
----------------
Untagged Port: GigabitEthernet0/0/1
----------------
Tagged Port: GigabitEthernet0/0/2
----------------
Interface Physical
GigabitEthernet0/0/1 DOWN
GigabitEthernet0/0/2 DOWN
By running the display vlan vlan-id statistics command, you can view the traffic
statistics in a VLAN.
<Base> display vlan 20 statistics
Board: 0
VLAN: 20
----------------------------------------------------------------
Item Packets
----------------------------------------------------------------
Inbound: 0
Outbound: 0
Unkown-unicast: 0
Multicast: 0
Broadcast: 0
Drop: 0
Drop-percentage: 0%
----------------------------------------------------------------
2.3.4 Adding Interfaces to a VLAN

This section describes how to add an access interface, a hybrid interface, or a
trunk interface to a VLAN.
You can configure VLANs based on interfaces. You can group the interfaces that
process the same service into a VLAN. In this manner, the interfaces that process

different services are isolated. For example, interface 1 and interface 2 connect to
broadband access users; interface 3 connects to users of video services. In this
case, interface 1 and interface 2 are grouped into a VLAN; interface 3 is added
into a different VLAN.
NOTE
Before changing the interface type, delete the VLAN configuration of the previous interface
type to restore the default VLAN configuration of the interface. That is, make the interface
belong to only VLAN 1.
Before adding interfaces to a VLAN, complete the following task:
● Creating a VLAN
Data Preparation
To add interfaces to a VLAN, you need the following data.
No. Data
1 Types and numbers of the interfaces to be added to a VLAN
2 VLAN ID
2.3.4.2 Adding an Access Interface to a VLAN
Context
You can add an access interface to the VLAN.
Procedure
● Adding an access interface to a VLAN in the VLAN view
a. Run:
system-view

b. Run:

c. Run:
port link-type access
The link type of the interface is set to access.

By default, the link type of an interface is hybrid.
d. Run:
quit

Return to the system view.

e. Run:
vlan vlan-id

f. Run:
port interface-type { interface-number1 [ to interface-number2 ] }
The access interface is added to the VLAN, which becomes the default
VLAN of the interface.
● Adding an access interface to a VLAN in the interface view
a. Run:
system-view

b. Run:

c. Run:
The link type of the interface is set to access.

By default, the link type of an interface is hybrid.
d. Run:
port default vlan vlan-id
The default VLAN of the interface is set.

By default, VLAN 1 is the default VLAN for all interfaces.
----End
2.3.4.3 Adding a Trunk Interface to a VLAN
Context
Do as follows on the CX91x series on which interfaces need to be added to a
VLAN.
Procedure
Step 1 Run:
system-view

Step 2 Run:

Step 3 Run:

The link type of the interface is set to trunk.

By default, the interface type is hybrid.
Step 4 Run:
port trunk allow-pass vlan { vlan-id1 [ to vlan-id2 ] }
The trunk interface is added to a VLAN or multiple VLANs.

By default, VLAN 1 is the default VLAN of a trunk interface.
----End
2.3.4.4 Adding a Hybrid Interface to a VLAN
Context
Do as follows on the CX91x series on which interfaces need to be added to a
VLAN.
Procedure
Step 1 Run:
system-view

Step 2 Run:

Step 3 Run:
port link-type hybrid
The link type of the interface is set to hybrid.

Step 4 Run the following commands as required:
● To add the hybrid interface to a VLAN or multiple VLANs in tagged mode, run
port hybrid tagged vlan { vlan-id1 [ to vlan-id2 ] }&<1-10>.
● To add the hybrid interface to a VLAN or multiple VLANs in untagged mode,
run port hybrid untagged vlan { vlan-id1 [ to vlan-id2 ] }&<1-10>.
By default, a hybrid interface is added to VLAN 1 in untagged mode.
----End
2.3.4.5 (Optional) Specifying the Default VLAN of a Trunk Interface
Context
Do as follows on the CX91x series where you specify the default VLAN of a trunk
interface.

Procedure
Step 1 Run:
system-view
Step 2 Run:
Step 3 Run:
The link type of the interface is set to trunk.
Step 4 Run:
port trunk pvid vlan vlan-id
The default VLAN of the trunk interface is specified.
By default, VLAN 1 is the default VLAN of trunk interfaces.
An interface is not added to the default VLAN after the default VLAN is specified.
To enable the interface to forward packets of the default VLAN, you must add the
interface to the default VLAN.
----End
2.3.4.6 (Optional) Specifying the Default VLAN of a Hybrid Interface
Context
Do as follows on the CX91x series where you specify the default VLAN of a hybrid
interface.
Procedure
Step 1 Run:
system-view
Step 2 Run:
Step 3 Run:
The link type of the interface is set to hybrid.

Step 4 Run:
port hybrid pvid vlan vlan-id
The default VLAN of the hybrid interface is specified.

By default, VLAN 1 is the default VLAN of hybrid interfaces.
An interface is not added to the default VLAN after the default VLAN is specified.
To enable the interface to forward packets of the default VLAN, you must add the
interface to the default VLAN.
----End
Procedure
● Run the display interface [ interface-type [ interface-number ] ] command to
display the VLAN where the interface is added.
● Run the display vlan [ vlan-id ] command to display basic information about
the VLAN.
----End
Example
By running the display interface [ interface-type [ interface-number ] ]
command, you can see that the PVID of GigabitEthernet 0/0/1 is 100.
Mdi : AUTO
CRC : 0,Giants : 0
Buffers Purged : 0

By running the display vlan [ vlan-id ] command, you can see that
GigabitEthernet0/0/1 is added to VLAN 2.
<Base> display vlan 2
* : management-vlan
---------------------
----------------------------------------------------------
----------------
Untagged Port: GigabitEthernet0/0/1
----------------
Interface Physical
GigabitEthernet0/0/1 UP
2.3.5 Configuring VLANIF Interfaces to Implement Layer-3

Communication
This section describes how to configure VLANIF interfaces to implement Layer 3
communication.
When the CX91x series needs to communicate with devices at the network layer,
you can create a logical interface based on the VLAN on the CX91x series, namely,
a VLANIF interface. You can assign IP addresses to VLANIF interfaces because
VLANIF interfaces work at the network layer. The CX91x series then communicates
with the devices at the network layer through VLANIF interfaces.
Before creating a VLANIF interface, complete the following task:
● Creating VLANs
Data Preparation
To create a VLANIF interface, you need the following data.
No. Data
1 VLAN ID
2 IP address of a VLANIF interface
2.3.5.2 Creating a VLANIF Interface

Context
Do as follows on the CX91x series where you need to configure the VLANIF
interface.
Procedure
Step 1 Run:
system-view
Step 2 Run:
interface vlanif vlan-id
The VLANIF interface is created and the VLANIF interface view is displayed.
NOTE
A VLANIF interface can be Up only when the corresponding VLAN contains physical
interfaces in Up state.
----End
2.3.5.3 Assigning an IP Address to the VLANIF Interface
Context
Do as follows on the CX91x series where you need to configure the VLANIF
interface.
Procedure
Step 1 Run:
system-view
Step 2 Run:
The VLANIF interface is created and the VLANIF interface view is displayed.
Step 3 Run:
ip address ip-address { mask | mask-length }
The IP address of the VLANIF interface is configured.
----End

2.3.5.4 (Optional) Setting the MTU of a VLANIF Interface
Context
NOTE
● After changing the maximum transmission unit (MTU) by using the mtu command on a
specified interface, you need to restart the interface to make the new MTU take effect.
To restart the interface, run the shutdown command and then the undo shutdown
command, or run the restart command in the interface view.
● If you change the MTU of an interface, you need to change the MTU of the peer
interface to the same value by using the mtu command; otherwise, services may be
interrupted.
● To ensure availability of Layer 3 functions, set the MTU value of the VLANIF interface to
be smaller than the maximum length of frames on the physical interface in the
corresponding VLAN.
Procedure
Step 1 Run:
system-view
Step 2 Run:
The VLANIF interface view is displayed.
Step 3 Run:
mtu mtu
The MTU of the VLANIF interface is set.
The MTU of a VLANIF interface ranges from 128 to 9216, in bytes. The default
value is 1500.
NOTE
If the MTU is too small whereas the packet size is large, the packet is probably split into
many fragments. Therefore, the packet may be discarded due to the insufficient QoS queue
length. To avoid this situation, lengthen the QoS queue accordingly.
----End
Procedure
Step 1 Run the display interface vlanif [ vlan-id ] command to display basic information
about the VLANIF interface.
----End

Example
By running the display interface vlanif command, you can check whether the IP
address of a VLANIF interface is correct.
<Base> display interface vlanif
Vlanif5 current state : DOWN
Line protocol current state : DOWN
Description:Vlanif5 Interface
Route Port,The Maximum Transmit Unit is 1500
Internet protocol processing : disabled
IP Sending Frames' Format is PKTFMT_ETHNT_2, Hardware address is 0018-2000-0083
Input bandwidth utilization : --

Output bandwidth utilization : --
Vlanif10 current state : UP
Last line protocol up time : 2009-06-15 20:40:44 DST
Description:Vlanif10 Interface
Route Port,The Maximum Transmit Unit is 1500
Internet Address is 10.10.12.20/24
IP Sending Frames' Format is PKTFMT_ETHNT_2, Hardware address is 0018-2000-0083
Input bandwidth utilization : --
Output bandwidth utilization : --
2.3.6 Configuring Management VLANs

This section describes how to configure a management VLAN.
Generally, an access interface can be added to only customer VLANs but cannot be
added to management VLANs.
After a VLAN is configured as a management VLAN, interfaces added to the VLAN
must be trunk interfaces or hybrid interfaces. This improves security of devices.
Users usually log in to and manage the device through the VLANIF interface
corresponding to the management VLAN.
Before configuring a management VLAN, complete the following task:
● Creating a VLAN
Data Preparation
To configure a management VLAN, you need the following data.

No. Data
1 VLAN ID
2.3.6.2 Configuring a Management VLAN
Context
Do as follows on the CX91x series where you need to configure a management
VLAN.
Procedure
Step 1 Run:
system-view

Step 2 Run:
vlan vlan-id
A VLAN is created and the VLAN view is displayed.

Step 3 Run:
management-vlan
The VLAN is configured as a management VLAN.
----End
Procedure
Step 1 Run the display vlan command to check the configuration of the management
VLAN.
----End
Example
Run the display vlan command, and you can view the configuration of VLANs.
The VLAN marked with * is the management VLAN. For example:
<Base> display vlan
* : management-vlan
---------------------
The total number of vlans is : 20
--------------------------------------------------------------------------------
93 common enable enable forward forward forward multicastVLAN
95 common enable enable forward forward forward userVLAN
100 super enable enable forward forward forward default

202 mux enable enable forward forward forward default

1000 *common enable enable forward forward forward default
2.3.7 Maintaining the VLAN

This section describes how to maintain a VLAN.
2.3.7.1 Clearing Statistics on a VLAN
Context
NOTICE
The statistics on a VLAN cannot be restored after you clear them. So, confirm the
action before you use the command.
Before clearing the statistics on a VLAN, enable the statistics function in the VLAN.
Procedure
Step 1 Run the reset vlan statistics vlan-idcommand to clear statistics on a VLAN.
----End
2.4 MAC Address Table Configuration

configuring the MAC address table.
2.4.1 Introduction to the MAC Address Table

This section describes the concept of the MAC address table.
Each switch chip on the CX91x series has a MAC address table. The MAC address
table stores the MAC addresses of other devices learned by the CX91x series, the
VLAN IDs, and the outgoing interfaces that are used to send data. Before
forwarding the data, the CX91x series searches the MAC address table based on
the destination MAC address and the VLAN ID of the data to find the
corresponding outgoing interface rapidly. This reduces the number of broadcast
packets.
The network administrator can manually configure the static entries in the MAC
address table to bind user devices to interfaces. This can improve the security of
interfaces, preventing unauthorized users from accessing the network.
2.4.2 MAC Address Table Features Supported by the CX91x

series
This section describes the MAC address table features supported by the CX91x
series.

Classification of MAC Address Entries

MAC address entries are classified into three categories, namely, dynamic entries,
static entries, and blackhole entries.
● Dynamic entries are the MAC address entries generated after the CX91x series
automatically learns the source MAC addresses of the received packets. The
dynamic entries will be aged after a certain period.
● Static entries are the manually configured MAC address entries. The static
entries will not be aged.
● Blackhole entries are the manually configured MAC entries. They are used to
discard the data frames that have certain destination MAC addresses or
source MAC addresses. The blackhole entries will not be aged.
2.4.3 Configuring the MAC Address Table

This section describes how to configure the static entries, blackhole entries, and
dynamic entries of a MAC address table.
In the following situations, you need to configure static entries and blackhole
entries or adjust the aging time of the dynamic entries in the MAC table to meet
different requirements:
● Specify interfaces to forward the packets with specified destination MAC

addresses.
● Discard the packets with the specified destination MAC addresses or source
MAC addresses to:
– Prevent invalid MAC address entries from consuming the capacity of the
MAC address table.
– Prevent hackers from using MAC addresses to attack user devices or
networks.
● Change the aging time of dynamic entries in the MAC address table to
prevent an explosive increase in MAC address entries.
None
Data Preparation
To configure the MAC address table, you need the following data.

No. Data
1 (Optional) Destination MAC address, outgoing interface number, VLAN

ID of the outgoing interface on the destination device, VLAN ID required
to be changed when the packet is sent out from the interface
2 (Optional) Aging time of dynamic entries
2.4.3.2 Creating a Static MAC Address Entry
Context
Do as follows on the CX91x series where you need to configure the MAC address
entries.
Procedure
Step 1 Run:
system-view

Step 2 Run:
mac-address static mac-address interface-type interface-number { vlan vlan-id1 }
A static MAC address entry is created.
----End
2.4.3.3 Creating a Blackhole MAC Address Entry
Context
entries.
Procedure
Step 1 Run:
system-view

Step 2 Run:
mac-address blackhole mac-address [ vlan vlan-id ]
A blackhole MAC address entry is created.
----End
2.4.3.4 (Optional) Setting the Aging Time of Dynamic MAC Address Entries

Context
entries.
Procedure
Step 1 Run:
system-view

Step 2 Run:
mac-address aging-time aging-time
The aging time of the dynamic MAC address entries is set.

By default, the aging time of dynamic MAC address entries is 300 seconds.
----End
2.4.3.5 (Optional) Disabling MAC Address Learning
Context
Procedure
● Disabling MAC address learning in the interface view
a. Run:
system-view

b. Run:

c. Run:
mac-address learning disable [ action { discard | forward } ]
MAC address learning is disabled on the interface.

By default, MAC address learning is enabled on an interface.
By default, the CX91x series performs the forward action after MAC
address learning is disabled. That is, the CX91x series forwards packets
according to the MAC address table. When the action is configured to
discard, the CX91x series matches the source MAC addresses of packets
with the MAC address entries. If the inbound interface and source MAC
address of a packet matches a MAC address entry, the CX91x series
forwards the packet. Otherwise, the CX91x series discards the packet.
● Disabling MAC address learning in the VLAN view
a. Run:

system-view

b. Run:
vlan vlan-id

c. Run:
mac-address learning disable
The MAC address learning is disabled in the VLAN.

By default, MAC address learning is enabled in a VLAN.
----End
Procedure
● Run the display mac-address command to view information about the MAC
address table.
● Run the display mac-address static [ vlan vlan-id ] command to view static
MAC address entries.
● Run the display mac-address dynamic [ interface-type interface-number |
vlan vlan-id ] command to view dynamic MAC address entries.
● Run the display mac-address blackhole [ vlan vlan-id ] command to view
blackhole MAC address entries.
● Run the display mac-address aging-time command to view the aging time
of dynamic MAC address entries.
● Run the display mac-address summary command to view the statistics
about MAC address entries.
----End
Example
Run the display mac-address command, and you can view the destination MAC
addresses, outgoing interface numbers, VLAN IDs of outgoing interfaces, and
VLAN IDs of incoming interfaces of all MAC address entries.
<Base> display mac-address
MAC address table of slot 0:
-------------------------------------------------------------------------------
MAC Address VLAN/ PEVLAN CEVLAN Port Type LSP/LSR-ID
VSI/SI MAC-Tunnel
-------------------------------------------------------------------------------
00e0-1234-5678 100 - - - blackhole -
00e0-1111-2222 100 - - GE0/0/1 static -
-------------------------------------------------------------------------------
Total matching items on slot 0 displayed = 2
Run the display mac-address static command, and you can view the destination
MAC addresses, outgoing interface numbers, VLAN IDs of outgoing interfaces, and
VLAN IDs of incoming interfaces of static MAC address entries.

<Base> display mac-address static

-------------------------------------------------------------------------------
VSI/SI MAC-Tunnel
-------------------------------------------------------------------------------
00e0-1111-2222 100 - - GE0/0/1 static -
-------------------------------------------------------------------------------
Run the display mac-address dynamic command, and you can view the
destination MAC addresses, outgoing interface numbers, VLAN IDs of outgoing
interfaces, and VLAN IDs of incoming interfaces of dynamic MAC address entries.
<Base> display mac-address dynamic
MAC address table:
-------------------------------------------------------------------------------
VSI/SI MAC-Tunnel
-------------------------------------------------------------------------------
-------------------------------------------------------------------------------
Total matching items displayed = 0
Run the display mac-address blackhole command, and you can view the
destination MAC addresses, outgoing interface numbers, VLAN IDs of outgoing
interfaces, and VLAN IDs of incoming interfaces of blackhole MAC address entries.
<Base> display mac-address blackhole
-------------------------------------------------------------------------------
VSI/SI MAC-Tunnel
-------------------------------------------------------------------------------
00e0-1234-5678 100 - - - blackhole -
-------------------------------------------------------------------------------
Run the display mac-address aging-time command, and you can view the aging
time of dynamic MAC address entries.
<Base> display mac-address aging-time
Aging-time: 300 seconds
Run the display mac-address summary command, and you can view the statistics
about MAC address entries.
<Base> display mac-address summary
--------------------------------------------------------
Slot Total Blackhole Static Dynamic
--------------------------------------------------------
0 9 0 4 5
--------------------------------------------------------
2.4.4 Configuring Interface Security

This section describes how to configure the interface security function.

The port security function can prevent hosts with untrusted MAC addresses from
communicating with the CX91x series through an interface. This function is
applicable to the networks that require high access security.
Before configuring port security, you need the following data.
● Disabling MAC address limiting on the interface
Data Preparation
To configure port security, you need the following data.
No. Data
1 Interface type and number
2 Maximum number of MAC addresses learned by the interface
3 (Optional) Port protection action
Procedure
● Run the display current-configuration interface interface-type interface-
number command to check the configuration of an interface.
● Run the display mac-address command to check the secure dynamic MAC
address entries and sticky MAC address entries.
----End
Example
Run the display mac-address command, and you can view the secure dynamic
MAC address entries and sticky MAC address entries.
<Base> display mac-address sticky
-------------------------------------------------------------------------------
VSI/SI MAC-Tunnel
-------------------------------------------------------------------------------
0018-2000-0083 15 - - GE0/0/1 sticky -
-------------------------------------------------------------------------------
2.4.5 Maintaining the MAC Address Table

This section describes how to maintain the MAC address table.

2.4.5.1 Debugging the MAC Address Table
Context
NOTICE
When the MAC address table runs abnormally, run the following debugging
command in the user view to debug the MAC address table, view the debugging
information, and locate and analyze the fault.
Procedure
Step 1 Run the debugging ethernet packet mac { dest_mac mac-address | src_mac
mac-address } command to debug the Ethernet packets with the specified source
MAC address or destination address.
----End

This section provides several examples for the configuration of the MAC address
table.
2.4.6.1 Example for Configuring the MAC Address Table
As shown in Figure 2-7, the MAC address of the user host PC1 is 0002-0002-0002
and the MAC address of the user host PC2 is 0003-0003-0003. PC1 and PC2 are
connected to the Switch through the LSW. The LSW is connected to
GigabitEthernet0/0/1 of the Switch. Interface GigabitEthernet0/0/1 belongs to
VLAN 2. The MAC address of the server is 0004-0004-0004. The server is
connected to GigabitEthernet0/0/2 of the Switch. Interface GigabitEthernet0/0/2
belongs to VLAN 2.
● To prevent hackers from attacking the network with MAC addresses, you need
to add a static entry to the MAC table of the Switch for each user host. When
sending packets through GigabitEthernet0/0/1, the Switch changes the VLAN
ID to VLAN 4 to which the LSW belongs. In addition, you need to set the
aging time of the dynamic entries in the MAC address table to 500 seconds.
● To prevent hackers from forging the MAC address of the server and stealing
user information, you can configure the packet forwarding based on static
MAC address entries on the Switch.

Figure 2-7 Networking diagram for configuring the MAC address table
1. Create a VLAN and add interfaces to the VLAN.
2. Add static MAC address entries.
3. Set the aging time of dynamic MAC address entries.
Data Preparation
● MAC address of PC1: 0002-0002-0002
● MAC address of PC2: 0003-0003-0003
● MAC address of the server: 0004-0004-0004
● VLAN to which the Switch belongs: VLAN 2
● Interface connecting the Switch to the LSW: GigabitEthernet 0/0/1
● Interface connecting the Switch to the server: GigabitEthernet 0/0/2
● Aging time of dynamic entries in the MAC address table of the Switch: 500
seconds
Procedure
Step 1 Add static MAC address entries.
# Create VLAN 2; add GigabitEthernet0/0/1, GigabitEthernet0/0/2 to VLAN 2.
<Base> system-view
[Base] vlan 2

[Base-vlan2] quit
# Configure static MAC address entries.

[Base] mac-address static 2-2-2 gigabitethernet 0/0/1 vlan 2
Step 2 Set the aging time of dynamic MAC address entries.

[Base] mac-address aging-time 500

# Run the display mac-address command in any view. You can check whether the
static MAC address entries are successfully added.
[Base] display mac-address static vlan 2
-------------------------------------------------------------------------------
VSI/SI MAC-Tunnel
-------------------------------------------------------------------------------
0004-0004-0004 2 - - GE0/0/2 static -
0003-0003-0003 2 - - GE0/0/1 static -
0002-0002-0002 2 - - GE0/0/1 static -
-------------------------------------------------------------------------------
Total matching items displayed = 3
# Run the display mac-address aging-time command in any view. You can check
whether the aging time of dynamic entries is set successfully.
[Base] display mac-address aging-time
Aging time: 500 seconds
----End
Configuration Files
The following lists the configuration file of the Switch.
#
sysname Base
#
vlan batch 2
#
mac-address aging-time 500
#
#
#
mac-address static 0002-0002-0002 GigabitEthernet0/0/1 vlan 2

#
return
2.5 ARP Configuration

This chapter describes the principle of the Address Resolution Protocol (ARP), and
provides configuration procedures and examples of ARP.
2.5.1 Introduction to ARP

This section describes the basic concepts and principle of ARP.
Each device in a local area network (LAN) has a 32-bit IP address (IPV4) for
communicating with all other hosts. IP addresses are independent of hardware
addresses.
On an Ethernet, a host or a switching device transmits Ethernet frames based on
48-bit Medium Access Control (MAC) addresses. A MAC address is also called
physical address or hardware address, which is assigned to an Ethernet interface
when a device is produced. In actual network interworking, a certain address
resolution mechanism is required to provide a mapping between MAC addresses
and IP addresses.
ARP provides a mapping between IP addresses and MAC addresses.
2.5.2 ARP Features Supported by the CX91x series

This section describes the ARP features supported by the CX91x series.
The CX91x series supports dynamic ARP, static ARP.
ARP
ARP is classified into the following types: dynamic ARP and static ARP.
● Static ARP means the mapping between manually configured IP addresses
and MAC addresses.
● Dynamic ARP means that the ARP mapping table is dynamically maintained
by the ARP protocol.
2.5.3 Configuring ARP

This section describes how to configure static ARP and dynamic ARP. Dynamic ARP
entries are maintained by ARP, but you can optimize dynamic ARP entries by
setting the number of detection times before deleting dynamic ARP entries, aging
time of dynamic ARP entries, and other parameters.
On the CX91x series, you can configure dynamic ARP. You do not need to enable
this function, however, you can change certain parameters of dynamic ARP entries.

Static ARP is used in the following situations:
● When you need to forward the packets destined for other network segments
through a gateway of the local network segment.
● When you need to filter out certain packets with invalid destination IP
addresses and bind these invalid addresses to a nonexistent MAC address.
Before configuring ARP, complete the following tasks:
● Connecting interfaces and setting physical parameters of the interfaces to

ensure that the physical layer on the interfaces is in the Up state
● Setting parameters of the link layer protocol for the interfaces to ensure that
the link layer protocol on the interfaces is in the Up state
● Configuring the network layer protocol on the interfaces
Data Preparation
To configure static ARP, you need the following data.
No. Data
1 IP address and MAC address of the static ARP entry
2 ID of a VLAN that the static ARP entry belongs to
3 Outgoing interface of ARP packets
To configure dynamic ARP, you need the following data.
No. Data
1 Number of detection times before deleting dynamic ARP entries
2 Aging time of dynamic ARP entries
2.5.3.2 Creating a Static ARP Entry
Context
Procedure
Step 1 Run:
system-view

Step 2 Add a static ARP entry.

Create static ARP entries according to different configuration items.
● To create a static entry in a VLAN, do as follows:
If the VLANIF interface is bound to a VPN instance, run:
arp static ip-address mac-address vid vlan-id interface interface-type interface-number
NOTE
Static ARP entries are always valid when the CX91x series works normally.
CX91x series don't support VPN.
----End
2.5.3.3 Optimizing Dynamic ARP
Context
Procedure
Step 1 Run:
system-view

Step 2 Run:

Step 3 Run:
arp detect-times detect-times
The number of detection times before deleting dynamic ARP entries is set.
Step 4 Run:
arp expire-time expire-time
The aging time of dynamic ARP entries is set.

By default, the number of detection times before deleting dynamic ARP entries is
3 and the aging time of dynamic ARP entries is 1200 seconds, namely, 20 minutes.
----End
Procedure
● Run the display arp [ all ] command to check all the ARP mapping tables,
including static and dynamic ARP entries.
● Run the display arp dynamic command to check the dynamic ARP mapping
table.

● Run the display arp interface interface-type interface-number command to

check the ARP mapping table on a specified interface.
● Run the display arp network net-number net-mask [ dynamic | static ]
command to check the dynamic ARP mapping table on a specified network
segment.
● Run the display arp static command to check the static ARP mapping table.
● Run the display arp statistics all command to check statistics about ARP
entries, including the number of dynamic ARP entries and the number of
static ARP entries.
----End
2.5.4 Maintaining ARP

This section describes how to maintain ARP.
2.5.4.1 Clearing ARP Statistics
Context
NOTICE
Running the reset arp command deletes the mapping between IP addresses and
MAC addresses; therefore, you may not access certain nodes. So, confirm the
action before you use the command.
Procedure
Step 1 Run the reset arp { all | dynamic | interface interface-type interface-number |
packet statistics | static } command in the user view to clear ARP entries in the
ARP mapping table.
----End
2.5.4.2 Monitoring the Running Status of ARP
Context
In routine maintenance, you can run the following command in any view to view
the running status of ARP.
Procedure
● Run the display arp [ all ] command to check all the ARP mapping tables,
including static and dynamic ARP entries.
● Run the display arp dynamic command to check the dynamic ARP mapping
table.
● Run the display arp interface interface-type interface-number command to
check the ARP mapping table on a specified interface.

● Run the display arp network net-number net-mask [ dynamic | static ]

command to check the dynamic ARP mapping table on a specified network
segment.
● Run the display arp static command to check the static ARP mapping table.
● Run the display arp statistics all command to check the number of static
ARP entries and dynamic ARP entries.
----End
2.5.4.3 Debugging ARP
Context
NOTICE
When an ARP fault occurs, run the debugging command in the user view to locate
the fault.
Procedure
● Run the debugging arp packet [ interface interface-type interface-number ]
command to debug ARP.
----End

This section provides static ARP configuration example.
2.5.5.1 Example for Configuring ARP
As shown in Figure 2-8, GigabitEthernet 0/0/1 of the Switch is connected to the
host through the LAN switch (LSW); GigabitEthernet 0/0/2 is connected to the
server through the router. It is required that:
● GigabitEthernet 0/0/1 should be added to VLAN 2, and GigabitEthernet 0/0/2
should be added to VLAN 3.
● To adapt to fast changes of the network and ensure correct forwarding of
packets, dynamic ARP parameters should be set on VLANIF 2 of the Switch.
● To ensure the security of the server and prevent invalid ARP packets, a static
ARP entry should be created on GigabitEthernet 0/0/2 of the Switch, with the
IP address of the router being 10.2.2.3 and the MAC address being 00e0-
fc01-0000.

Figure 2-8 Networking diagram for configuring ARP
1. Create a VLAN and add an interface to the VLAN.
2. Set dynamic ARP parameters on a VLANIF interface at the user side.
3. Create a static ARP entry.
Data Preparation
● GigabitEthernet 0/0/1 added to VLAN 2 and GigabitEthernet 0/0/2 added to
VLAN 3
● VLANIF 2 with the IP address being 2.2.2.2 and subnet mask being
255.255.255.0, aging time of ARP entries being 60s, and number of detection
times being 2
● LSW with the IP address being 2.2.2.1 and subnet mask being 255.255.255.0
● Interface connecting the router and the Switch, with the IP address being
10.2.2.3, subnet mask being 255.255.255.0, and MAC address being 00e0-
fc01-0000
Procedure
Step 1 Create a VLAN and add an interface to the VLAN.

# Create VLAN 2 and VLAN 3.

<Base> system-view
[Base] vlan batch 2 3
# Add GigabitEthernet0/0/1 to VLAN 2 and add GigabitEthernet0/0/2 to VLAN 3.

[Base-GigabitEthernet0/0/1] port hybrid tagged vlan 2
[Base-GigabitEthernet0/0/2] port hybrid tagged vlan 3
Step 2 Set dynamic ARP parameters on a VLANIF interface.
# Create VLANIF2.
# Assign an IP address to VLANIF 2.

[Base-Vlanif2] ip address 2.2.2.2 255.255.255.0
# Set the aging time of ARP entries to 60s.

[Base-Vlanif2] arp expire-time 60
# Set the number of detection times before deleting ARP entries to 2.

[Base-Vlanif2] arp detect-times 2
[Base-Vlanif2] quit
Step 3 Create a static ARP entry.
# Create VLANIF 3.
# Assign an IP address to VLANIF 3.

[Base-Vlanif3] quit
# Create a static ARP entry with IP address 10.2.2.3, MAC address 00e0-fc01-0000,
VLAN ID 3, and outgoing interface GigabitEthernet0/0/2.
[Base] arp static 10.2.2.3 00e0-fc01-0000 vid 3 interface gigabitethernet 0/0/2
[Base] quit
# Run the display current-configuration command. You can view the aging time
of ARP entries, the number of detection times before deleting ARP entries, and the
ARP mapping table.
<Base> display current-configuration | include arp
arp expire-time 60
arp detect-times 2
arp static 10.2.2.3 00e0-fc01-0000 vid 3 interface GigabitEthernet0/0/2
----End
Configuration Files
The following is the configuration file of the Switch.

#
sysname Base
#
vlan batch 2 to 3
#
interface Vlanif2
ip address 2.2.2.2 255.255.255.0
arp expire-time 60
arp detect-times 2
#
interface Vlanif3
ip address 10.2.2.2 255.255.255.0
#
interface GigabitEthernet 0/0/1
port hybrid tagged vlan 2
#
interface GigabitEthernet 0/0/2
port hybrid tagged vlan 3
#
arp static 10.2.2.3 00e0-fc01-0000 vid 3 interface GigabitEthernet0/0/2
#
return
2.6 MSTP Configuration

configuring the Spanning Tree Protocol (STP), Rapid Spanning Tree Protocol
(RSTP), and Multiple Spanning Tree Protocol (MSTP).
2.6.1 Overview of STP, RSTP, and MSTP

This section describes the concepts of STP, RSTP, and MSTP.
STP and RSTP

● STP
The IEEE 802.1D standard issued in 1998 defines STP.
STP is a management protocol on the data link layer and is used to detect
and prevent loops on the local area network (LAN). STP blocks redundant
links and trims a network into a tree topology to prevent loops.
However, an STP network converges slowly. A port, even an edge port, transits
to the forwarding state after at least 30 seconds.
● RSTP
The IEEE 802.1W standard issued in 2001 defines the RSTP.
As an enhancement of STP, RSTP speeds up network convergence.
However, both RSTP and STP have a defect, that is, all the VLANs on the same
LAN share the same spanning tree. As a result, load balancing cannot be
implemented among VLANs, and packets of some VLANs may fail to be
forwarded.
As shown in Figure 2-9, RSTP is applied to the LAN. The structure of the
spanning tree is represented by dotted lines and SwitchF is the root switch.
The link between SwitchB and SwitchE and the link between SwitchA and
SwitchD are blocked. Links of VLAN 2 and VLAN 3 permit packets from the
two VLANs to pass through. Other links do not permit packets from VLAN 2
and VLAN 3 to pass through.

Figure 2-9 Defect of RSTP
● Host A and Host B belong to VLAN 2. The link between SwitchB and SwitchE
is blocked and the link between SwitchC and SwitchF does not permit packets
from VLAN 2 to pass through. Therefore, Host A and Host B cannot
communicate with each other.
MSTP
The IEEE 802.1S standard issued in 2002 defines MSTP.
MSTP is compatible with STP and RSTP and rectifies the defects of STP and RSTP.
An MSTP network converges fast and provides redundant paths for data
forwarding. In addition, the MSTP network implements load balancing among
VLANs.
MSTP divides a switching network into multiple regions, each of which has
multiple spanning trees independent of each other. Each spanning tree is called a
multiple spanning tree instance (MSTI) and each region is called a multiple
spanning tree (MST) region.
MSTP associates VLANs with MSTIs through a VLAN mapping table.
NOTE
Each VLAN can be associated with only one MSTI, that is, data of the same VLAN can be
transmitted in only one MSTI. One MSTI, however, may be associated with multiple VLANs.
MSTP is applied to the LAN, as shown in Figure 2-10, and then the MSTI is
generated, as shown in Figure 2-10.

Figure 2-10 Spanning trees in an MST region
Two spanning trees are generated through calculation:

● In MSTI 1, SwitchD functions as the root switch to forward packets of VLAN 2.
● In MSTI 2, SwitchF functions as the root switch to forward packets of VLAN 3.
In this case, all VLANs can communicate, and packets of different VLANs are
forwarded along different paths. Thus, load balancing is implemented.
2.6.2 MSTP Features Supported by the CX91x series

This section describes the MSTP features supported by the CX91x series.
Concepts of MSTP
As shown in Figure 2-11, four MST regions are located in a LAN. Each region
consists of four switches. The concepts of MSTP are clarified based on Figure 2-11.

Figure 2-11 Concepts of MSTP
● MST region
An MST region consists of several switches in the LAN and the network
segments between the switches. A LAN can comprise several directly or
indirectly connected MST regions. You can group several switches into an MST
region by using MSTP configuration commands. In Figure 2-11, the LAN
comprises four MST regions, namely, A0, B0, C0, and D0.
● MSTI
Multiple spanning trees can be generated in an MST region. Each spanning
tree is independent of one another and maps a VLAN. Such a spanning tree is
called an MSTI. In Figure 2-12, the MST region D0 has three MSTIs: MSTI0,
MSTI1 and MSTI2.
● CST
The common spanning tree (CST) is a single spanning tree that connects all
MST regions on a switching network. If each MST region is considered as a
switch, the CST is a spanning tree generated by STP and RSTP calculation. In
Figure 2-11, the dotted line indicates the CST.

Figure 2-12 Mapping table of the MSTI, IST and VLAN
● VLAN mapping table

The VLAN mapping table is an attribute of an MST region. It describes the
mapping between a VLAN and an MSTI. In Figure 2-12, the VLAN mapping
table of MST region D0 shows that VLAN 1 maps to MSTI2, VLAN 2 and VLAN
3 map to MSTI0.
● CIST
The common and internal spanning tree (CIST) is a single spanning tree
calculated by STP and RSTP and connects all switches on a switching network.
● IST
An MST region has an internal spanning tree (IST), which is a fragment of the
CIST in the MST region. The IST is also called MSTI0. In Figure 2-12, MSTI0 is
the IST. The ISTs of all MST regions and the CST form a complete spanning
tree, that is, the CIST.
● Regional root
Regional roots are classified into IST regional roots and MSTI regional roots. A
CIST regional root is the root of the IST, and an MSTI regional root is the root
of an MSTI.
● CIST root
The CIST root is the root switch of the CIST.
Port Roles
● Root Port
On a non-root switch, the port nearest to the root switch is the root port of
the switch. A root switch does not have a root port.
The root port forwards data to the tree root.
In Figure 2-13, SwitchA is the root switch; CP1 is the root port of SwitchC;
BP1 is the root port of SwitchB.

Figure 2-13 Root port, designated port, alternate port and backup port
● Designated Port
The designated port of a switch is the port on the upstream switch that
forwards the Bridge Protocol Data Unit (BPDU) to the local switch.
The designated port forwards data to the downstream network segment or
switch.
In Figure 2-13, AP2 and AP3 are the designated ports of SwitchA, and CP2 is
the designated port of SwitchC.
● Edge Port
An edge port is the port located at the edge of a region and is not connected
to any switch.
Generally, an edge port is directly connected to the user terminals.
● Alternate Port
From the aspect of sending BPDU, an alternate port is a port that is blocked
after receiving the BPDU sent by other switches. From the aspect of
forwarding traffic, an alternate port is a port that provides a backup path
from the designated switch to the root switch.
An alternate port is the backup port of a root port. If the root port is blocked,
the alternate port becomes the root port.
In Figure 2-13, BP2 is the alternate port.
● Backup Port
When the two ports of a switch are connected, a loop is formed, and then the
switch blocks one port. The backup port is the blocked port. In Figure 2-13,
CP3 is the backup port.
From the aspect of sending the BPDU, a backup port is a port that is blocked
after learning the BPDU sent by itself. For forwarding traffic, a backup port, as
a backup of the designated port, provides a backup path from the root switch
to the leaf node.
● Master Port
A master port is the port on the shortest path among all paths that connect
the MST region to the CIST root. A master port is the port of a switch that
connects the MST region to the CIST root. As shown in Figure 2-14, SwitchA,

SwitchB, SwitchC, SwitchD and the links between them form an MST region.
Port AP1 on SwitchA has the least path cost to the CIST root among all ports
in the MST region; therefore, AP1 is the master port of the MST region.
Figure 2-14 Master port and regional edge port
● Regional Edge Port

A regional edge port refers to:
– A port that is located on the edge of an MST region and is connected to
another MST region
– Or a port that connects regions running STP and RSTP
The regional edge port plays the same role in the MSTI and the CIST during
MSTP calculation. That is, if the regional edge port functions as the master
port in the CIST, it functions as the master port in all other MSTIs.
As shown in Figure 2-14, ports AP1, DP1 and DP2 in the MST region are
directly connected with other regions; therefore, they are all regional edge
ports of the MST region.
MSTP Protection
● BPDU protection
On a switch, the port that is directly connected to the user terminal such as a
PC or a file server is configured as an edge port to ensure fast switch of the
port status.
Generally, edge ports do not receive any BPDU. If an edge port receives forged
BPDUs sent by an attacker, the switch sets the edge port to a non-edge port
and recalculates the spanning tree. Thus, network flapping occurs.
MSTP provides BPDU protection to prevent such attacks. After the BPDU
protection is enabled, the switch disables the edge port and informs the

network management system if the port receives BPDUs. The edge port can
only be manually resumed by the network administrator.
● Root protection
If the root switch on a network is incorrectly configured or attacked, it may
receive a BPDU with a higher priority. Thus, the root switch becomes a non-
root switch, which causes changes of the network topology. In this case, the
traffic transmitted on a high-speed link is switched to a low-speed link, which
causes network congestion.
To prevent the preceding problem, the Switch provides root protection.
Through root protection, the Switch can retain the designated port to protect
its position as the root switch. After root protection is enabled on a port, the
port retains the role of the designated port in all instances.
When the port receives a BPDU with a higher priority, the port stops
forwarding packets and turns to the listening state, but does not change into
a non-root port. If the port does not receive any BPDUs with higher priorities
within a certain period, it is restored.
● Loop protection
A switch determines the root port and blocked ports according to the BPDUs
received from the upstream switch. If these ports cannot receive any BPDU
from the upstream switch because of link congestion or link failure, the
switch selects a new root port. Then the previous root port becomes a
designated port and the blocked ports turn to the forwarding state. This may
cause network loops.
The Switch provides loop protection to prevent network loops. After loop
protection is enabled, the root port is blocked if it does not receive any BPDU
from the upstream switch. The blocked ports are still blocked and cannot
forward packets. Thus, network loops will not be generated.
● TC protection
After receiving TC-BPDUs, a switch deletes MAC address entries and ARP
entries. If a malicious attacker sends pseudo TC-BPDUs to attack the switch,
the switch will receive a large number of TC-BPDUs within a short time
period, and delete its MAC entries and ARP entries frequently. As a result, the
switch is heavily burdened, threatening the network stability.
After enabling TC-BPDU attack defense, you can set the number of times TC-
BPDUs are processed by the CX91x series within a given time period (the
default time period is 2s, and the default number of times is 3). If the number
of TC-BPDUs that the CX91x series receives within the given time exceeds the
specified threshold, the CX91x series processes TC-BPDUs only for the
specified number of times. After the timer expires, the CX91x series processes
the remaining TC-BPDUs together. In this way, the switch is prevented from
frequently deleting its MAC entries and ARP entries, and thus is protected
from being over-burdened.
2.6.3 Adding an CX91x series to a Specified MST Region

This section describes how to add an CX91x series to an MST region and configure
the MST region.

You need to perform this configuration task when you want to:
● Add an CX91x series that does not run MSTP to an MST region.
● Change the MST region attribute of an CX91x series running MSTP, that is,
add it to another MST.
Before adding an CX91x series to a specified MST region, complete the following
tasks:
● Configuring physical attributes of the ports
● Configuring VLAN features of the ports
NOTE
After a hybrid interface is added to the default VLAN in tagged mode, SEP packets
sent by the interface contain VLAN tags. In this case, configure the peer interface to
allow packets of the default VLAN to pass.
Data Preparation
To add an CX91x series to a specified MST region, you need the following data.
No. Data
1 Name of the MST region that the CX91x series belongs to
2 Mapping between VLANs and MSTIs
3 MSTP revision level of the MST region
4 Priority of the CX91x series in the MSTI
2.6.3.2 Setting the Working Mode of the CX91x series
Context
Do as follows on the CX91x series that needs to be added to the MST region.
Procedure
Step 1 Run:
system-view

Step 2 Run:
stp mode { stp | rstp | mstp }
The working mode of the CX91x series is set.

By default, the CX91x series works in MSTP mode.
----End
2.6.3.3 Configuring the MST Region
Context
NOTICE
Two switches belong to the same MST region when they have the same:
● Name of the MST region
● Mapping between VLANs and MSTIs
● Revision level of the MST region
Procedure
Step 1 Run:
system-view

Step 2 Run:
stp region-configuration
The MST region view is displayed.

Step 3 Run:
region-name name
The name of the MST region is set.

By default, the name of the MST region is the MAC address of the management
network port on the main control board of the CX91x series.
Step 4 Run the following commands as required.
● Run:
instance instance-id vlan { vlan-id [ to vlan-id ] }&<1-10>
The mapping between an MSTI and VLANs is set.
● Run:
vlan-mapping modulo modulo
The default algorithm is used to set the mapping between MSTIs and VLANs.
NOTE
In the command, vlan-mapping modulo indicates that the formula (VLAN ID-1)%modulo
+1 is used. In the formula, (VLAN ID-1)%modulo means the remainder of (VLAN ID-1)
divided by the value of modulo. This formula is used to map a VLAN to the corresponding
MSTI. The calculation result of the formula is ID of the mapping MSTI.
By default, all VLANs in an MST region are mapped to MSTI 0.

Step 5 Run:
revision-level level
The MSTP revision level of the MST region is set.

By default, the revision level of an MST region is 0.
----End
2.6.3.4 Activating the Configuration of an MST Region
Context
Procedure
Step 1 Run:
system-view

Step 2 Run:
The MST region view is displayed.

Step 3 Run:
check region-configuration
The parameters of the MST region that have not taken effect are displayed.
Changing the values of parameters (especially the VLAN mapping table) of an
MST region causes the recalculation of spanning trees and the route flapping on a
network. Therefore, it is recommended that you run the check region-
configuration command in the MST region view before activating the
configuration of the MST region to check whether the parameters of the MST
region are set correctly. After verifying that the parameters of the MST region are
correct, run the active region-configuration command to activate the
configuration of the MST region.
Step 4 Run:
active region-configuration
The configuration of the MST region is activated.

The active region-configuration command activates the name, VLAN mapping
table, and MSTP revision level of the MST region.
It is recommended that you run the active region-configuration command after
complete all the configurations to reduce network flapping.
----End
2.6.3.5 (Optional) Configuring an CX91x series as a Root Switch or

Secondary Root Switch

Context
Procedure
Step 1 Run:
system-view
Step 2 Run either of the following commands as required.

● Run:
stp [ instance instance-id ] root primary
The CX91x series is configured as a root switch. This is similar to setting the
priority of the CX91x series to 0.
● Run:
stp [ instance instance-id ] root secondary
The CX91x series is configured as a secondary switch. This is similar to setting

the priority of the CX91x series to 4096.
By default, an CX91x series does not function as the root switch or the secondary
root switch of a spanning tree.
An CX91x series can play different roles in different spanning trees. That is, the
CX91x series can function as the root switch of a spanning tree and function as
the secondary root switch of another spanning tree. The CX91x series, however,
cannot function as the root switch and secondary root switch of the same
spanning tree simultaneously.
An CX91x series can function as the root of multiple spanning trees, but it is
recommended that you specify only one root switch for a spanning tree. You can
specify multiple secondary root switches for the same spanning tree. It is
recommended that you specify one root switch and multiple secondary root
switches for a spanning tree.
----End
2.6.3.6 (Optional) Setting the Priority of an CX91x series in a Specified MSTI
Context
NOTICE
If an CX91x series is configured as the root switch or secondary root switch, the
priority of the CX91x series cannot be set. If you want to set the priority of the
CX91x series, you must disable the root switch or secondary root switch.

Procedure
Step 1 Run:
system-view
Step 2 Run:
stp [ instance instance-id ] priority priority
The priority of the CX91x series in the specified MSTI is set.
A smaller value of priority indicates a higher priority. The CX91x series with a
higher priority is more likely to be elected as the root switch.
The priority of the root switch or secondary root switch must be higher than the
priorities of other switches. Otherwise, the root switch or the secondary root
switch may be replaced by other switches.
If the CX91x seriess in an MSTI have the same priorities, the CX91x series with the
smallest MAC address is elected as the root switch.
By default, the priority of the CX91x series is 32768.
----End
2.6.3.7 Enabling MSTP
Context
Procedure
Step 1 Run:
system-view
Step 2 Run:
stp enable
MSTP is enabled.
----End
Procedure
● Run the display stp [ instance instance-id ] [ interface interface-type
interface-number ] [ brief ] and display stp [ instance instance-id ] [ brief ]
command to check the state and statistics of a spanning tree.

● Run the display stp region-configuration command to check the effective

configuration of the MST region.
----End
Example
Run the display stp command, and you can find that the operation mode of the
spanning tree is MSTP; VLANs are mapped to MSTI 0; the CX91x series uses the
default priority 32768. The following is an example:
<Base> display stp instance 0 interface gigabitethernet 0/0/1
-------[CIST Global Info][Mode MSTP]-------
CIST Bridge :32768.00e0-fc0e-a421
Bridge Times :Hello 2s MaxAge 20s FwDly 15s MaxHop 20
CIST Root/ERPC :32768.00e0-fc0e-a421 / 0
CIST RegRoot/IRPC :32768.00e0-fc0e-a421 / 0
CIST RootPortId :0.0
BPDU-Protection :disabled
TC or TCN received :8
TC count per hello :8
STP Converge Mode :Fast
Time since last TC :0 days 23h:9m:30s
----[Port3(GigabitEthernet0/0/1)][FORWARDING]----
Port Protocol :enabled
Port Role :Designated Port
Port Priority :128
Port Cost(Dot1T ) :Config=auto / Active=200000000
Desg. Bridge/Port :32768.00e0-fc0e-a421 / 128.1229
Port Edged :Config=disabled / Active=disabled
Point-to-point :Config=auto / Active=true
Transit Limit :3 packets/hello-time
Protection Type :None
Port Stp Mode :MSTP
Port Protocol Type :Config=auto / Active= dot1s
PortTimes :Hello 2s MaxAge 20s FwDly 15s RemHop 0
TC or TCN send :0
BPDU Sent :0
TCN: 0, Config: 0, RST: 0, MST: 0
BPDU Received :0
Run the display stp region-configuration command, and you can view the
effective MST region name, revision level of the MST region, and mappings
between MSTIs and VLANs.
<Base> display stp region-configuration
Oper Configuration:
Format selector :0
Region name :huawei
Revision level :0
Instance Vlans Mapped
0 21 to 4094
1 1 to 10
2 11 to 20
2.6.4 Setting MSTP parameters

This section describes how to set MSTP parameters.

On certain networks, you need to modify MSTP parameters of some switches to
optimize their performance.
Before setting MSTP parameters of an CX91x series, complete the following tasks:
● Configure the VLANs on each port
● Adding the CX91x series to the specified MST region
Data Preparation
To set MSTP parameters of an CX91x series, you need the following data.
No. Data
1 Network diameter
2 Hello time, forward delay, and max age of the CX91x series
3 Maximum number of hops of the spanning tree in an MST region
4 Priority of the CX91x series in the MSTI
5 Number of the port on which you want to enable or disable MSTP
6 Priority of the port in the specified MSTI
7 Method of calculating the path cost of the port, path cost of the port,
maximum rate of sending packets on the port, and STP convergence
mode of the port
8 Protocol format of the packets received and sent through the port
2.6.4.2 Setting MSTP Network Parameters of the CX91x series
Context
Do as follows on the CX91x series functioning as the root switch in the MST
region.
Procedure
Step 1 Run:
system-view

Step 2 Run:
stp bridge-diameter diameter

The network diameter is set.

Step 3 Run:
stp timer forward-delay forward-delay
The forward delay of the CX91x series is set.

It is recommended that you run the stp bridge-diameter command to set the
network diameter instead of setting the forward delay directly. The CX91x series
calculates the optimal forward delay according to the network diameter.
By default, the forward delay is 1500 centiseconds, that is, 15 seconds.
To prevent frequent network flapping, make sure that the Hello time, forward
delay, and max age conform to the following formulas:
● 2 x (Forward delay - 1.0 second) >= Max age
● Max age >= 2 x (Hello time + 1.0 second)
Step 4 Run:
stp timer hello hello-time
The Hello time of the CX91x series is set.

network diameter instead of setting the Hello time directly. The CX91x series
calculates the optimal Hello time according to the network diameter.
By default, the Hello time is 200 centiseconds, that is, 2 seconds.
Step 5 Run:
stp timer-factor timer-factor
The timer factor that is used to calculate the timeout interval of the CX91x series
according to the Hello time is set.
The timeout interval is calculated through the following formula: Timeout interval
= Hello time x Timer factor. If the CX91x series does not receive the BPDU from
the upstream CX91x series within the timeout interval, the CX91x series considers
that the upstream CX91x series has failed and recalculates the spanning tree.
Sometimes, the CX91x series does not receive the BPDU from the upstream CX91x
series because the upstream CX91x series is busy. In this case, the spanning tree
should not be recalculated. Therefore, to save network resources, you should set a
longer timeout interval on a stable network.
On a stable network, the recommended timer factor range is 5 to 7.
By default, the timer factor is 3.
Step 6 Run:
stp timer max-age max-age
The max age of the CX91x series is set.

network diameter instead of setting the max age directly. The CX91x series
calculates the optimal max age according to the network diameter.
By default, the max age is 2000 centiseconds, that is, 20 seconds.

Step 7 Run:
stp max-hops hop
The maximum number of hops of the spanning tree in an MST region is set.
By default, the maximum number of hops of the spanning tree in an MST region
is 20.
----End
2.6.4.3 Setting MSTP Parameters of an Interface
Context
NOTICE
When MSTP is disabled on an interface, loops may be generated.
Do as follows on the CX91x series in an MST region.
Procedure
Step 1 Run:
system-view

Step 2 Run:

Step 3 Run:
stp { enable | disable }
MSTP is enabled on the interface.

Step 4 Run:
stp edged-port { enable | disable }
The interface is configured as an edge interface.

By default, an interface is a non-edge interface.
Step 5 Run:
stp point-to-point { auto | force-false | force-true }
The link type of the interface is set.

On a point-to-point (P2P) link, the designated port enters the forwarding state
without delay after one-way handshake with the downstream switch. The network
convergence time is thus shortened.
On a shared link connecting more than three switches, the downstream switch
does not respond to the handshake request sent by the designated port. The
designated port must wait twice the forward delay to enter the forwarding state.

Compared with the P2P link, the shared link spends longer time in network
convergence.
By default, the designated port automatically checks whether it is connected to a
P2P link.
Step 6 Run:
stp instance instance-id port priority priority
The priority of the interface in the specified spanning tree is set.

By default, the priority of an interface is 128.
Step 7 Run:
stp [ instance instance-id ] cost cost
The path cost of the port in the specified spanning tree is set.
By default, the path cost of an interface is calculated by MSTP.
Step 8 Run:
stp transmit-limit packet-number
The maximum number of BPDUs that the interface sends within the Hello time is
set.
By default, the maximum number of BPDUs that an interface can send in a Hello
time is 147.
Step 9 Run:
stp config-digest-snoop
The digest snooping function is enabled on the interface.

When the CX91x series is connected to a device of another vendor, the two devices
cannot interoperate because their BPDU keys are different.
You can run the stp config-digest-snoop command to ensure that the BPDU keys
of the CX91x series and third-party devices are the same.
Step 10 Run:
quit

Step 11 Run: stp edged-port default All ports are configured as edge ports.
By default, all ports are edge ports.
Step 12 Run:
stp pathcost-standard { dot1d-1998 | dot1t | legacy }
The algorithm for calculating the path cost of the interface is specified.
By default, the algorithm defined in IEEE 802.1t is used to calculate the default
value of the path cost.
The switches on the same network must use the same algorithm to calculate the
path cost of interfaces.
Step 13 Run:
stp converge { fast | normal }

The STP convergence mode of the interface is set.
By default, the STP convergence mode of an interface is normal.
In fast mode, the interface deletes the related ARP entries directly after receiving
a TC packet. In normal mode, the interface waits until the aging time of the ARP
entries expire instead of directly deleting them after receiving a TC packet.
----End
2.6.4.4 Switching an Interface to the MSTP Mode
Context
Procedure
Step 1 Run:
system-view

● Run:

● Run:
Step 3 Run:
stp mcheck
The interface is switched to the MSTP mode.
On the switch running MSTP, if an interface is connected to a switch running STP,

the interface is automatically switched to the STP compatible mode.
In the following cases, you need to switch the interface to the MSTP mode
manually:
● The switch running STP is shut down or disconnected.

● The switch running STP is switched to the MSTP mode.
NOTE
If you run the stp mcheck command in the system view, the MCheck operation is
performed on all the interfaces.
----End
2.6.4.5 Setting the Format of MSTP Packets on an Interface

Context
Procedure
Step 1 Run:
system-view

● Run:
The Ethernet interface view or GE interface view is displayed.
● Run:
Step 3 Run:
stp compliance { auto | dot1s | legacy }
The format of MSTP packets on the interface is set.

By default, the format of the received and sent MSTP packets is auto.
NOTE
If the format of MSTP packets is set to dotls on one end and legacy on the other end, the
negotiation fails.
----End
2.6.4.6 Configuring Fast Transition Mechanism on an Interface
Context
Procedure
Step 1 Run:
system-view

● Run:
● Run:

Step 3 Run:
stp no-agreement-check
Fast transition mechanism is configured on an interface.
----End
Procedure
Step 1 Run the display stp [ instance instance-id ] [ interface interface-type interface-
number ] [ brief ] and display stp [ instance instance-id ] [ brief ] command to
check the state and statistics of a spanning tree.
----End
Example
Run the display stp command, and you can view the Hello time, forward delay,
and max age of the spanning tree, maximum number of hops in the MST region,
STP convergence mode of the specified port, link type of the port, maximum
number of BPDUs that the port sends within each Hello time, format of the MSTP
packets sent and received on the port, and whether digest snooping is configured.
The following is an example:
BPDU-Protection :disabled
Port Priority :128
Port Stp Mode :MSTP
TC or TCN send :0
BPDU Sent :136
BPDU Received :0

NOTE
Config-digest-snoop, which indicates whether digest snooping is configured, is displayed

only if you have run the stp config-digest-snoop command. If the stp config-digest-
snoop command is not run, Config-digest-snoop is not displayed after you run the display
stp command.
2.6.5 Configuring MSTP Protection

This section describes how to configure the MSTP protection function.
The MSTP protection function includes the following:
● BPDU protection
On a switch, the port that is directly connected to a user terminal such as a
PC or a file server is configured as an edge port to ensure fast transition of
the port status.
Usually, no BPDU are sent to edge ports. If the switch is attacked by pseudo
BPDUs, the switch sets edge ports as non-edge ports after these edge ports
receive BPDUs, and recalculates the spanning tree. As a result, network
flapping occurs.
To defend against pseudo BPDU attacks, MSTP provides BPDU protection.
After BPDU protection is enabled, the switch shuts down the edge port that
receives BPDUs and informs the NMS. The edge ports shut down by the
switch can be manually started only by the network administrator.
● Root protection
If the root switch on a network is incorrectly configured or attacked, it may
receive a BPDU with a higher priority. Thus, the root switch becomes a non-
root switch, which causes changes of the network topology.
As a result, traffic may be switched from high-speed links to low-speed links,
causing network congestion.
To address this problem, the switch provides the root protection function. The
root protection function protects the role of the root switch by retaining the
role of the designated port. After root protection is enabled on a port, the
port retains the role of the designated port in all instances.
When the port receives a BPDU with a higher priority, the port stops
forwarding packets and turns to the listening state, but is still a designated
port. If the port does not receive any BPDU with a higher priority for a certain
period, the port status is restored from the listening state.
● Loop protection
The switch maintains the status of the root port and blocked ports by
continually receiving BPDUs from the upstream switch.
If the root port cannot receive BPDUs from the upstream switch due to link
congestion or unidirectional link failure, the switch re-selects a root port. Then
the previous root port becomes a designated port and the blocked ports
change to the forwarding state. As a result, loops may occur on the network.

The switch provides loop protection to prevent network loops. After the loop
protection function is enabled, the root port is blocked if it cannot receive
BPDUs from the upstream switch. The blocked port remains in the blocked
state and does not forward packets. This prevents loops on the network.
● TC protection
After receiving TC-BPDUs, a switch deletes MAC address entries and ARP
entries. If a malicious attacker sends pseudo TC-BPDUs to attack the switch,
the switch will receive a large number of TC-BPDUs within a short time
period, and delete its MAC entries and ARP entries frequently. As a result, the
switch is heavily burdened, threatening the network stability.
BPDUs are processed by the CX91x series within a given time period (the
default time period is 2s, and the default number of times is 3). If the number
of TC-BPDUs that the CX91x series receives within the given time exceeds the
specified threshold, the CX91x series processes TC-BPDUs only for the
specified number of times. After the timer expires, the CX91x series processes
the remaining TC-BPDUs together. In this way, the switch is prevented from
frequently deleting its MAC entries and ARP entries, and thus is protected
from being over-burdened.
Before configuring MSTP protection on the CX91x series, complete the following
tasks:
● Configuring VLAN features of the ports
● Adding the CX91x series to the specified MST region
● Configuring an edge port on the CX91x series before configuring BPDU
protection
Data Preparation
To configure MSTP protection on the CX91x series, you need the following data.
No. Data
1 Number of the port on which root protection is to be enabled
2 Number of the port on which loop protection is to be enabled
2.6.5.2 Configuring BPDU Protection on the CX91x series
Context
On a switch, the port that is directly connected to a user terminal such as a PC or
a file server is configured as an edge port to ensure fast transition of the port
status.
Usually, no BPDU are sent to edge ports. If the switch is attacked by pseudo
BPDUs, the switch sets edge ports as non-edge ports after these edge ports

receive BPDUs, and recalculates the spanning tree. As a result, network flapping
occurs.
MSTP provides BPDU protection to defend against attacks. After BPDU protection
is enabled, the switch shuts down the edge port that receives BPDUs and informs
the NMS. The edge ports shut down by the switch can be manually started only by
the network administrator.
Do as follows on the CX91x series with an edge port.
Procedure
Step 1 Run:
system-view

Step 2 Run:
stp bpdu-protection
BPDU protection is configured on the CX91x series.

The edge port is a port that is directly connected to terminals. If the CX91x series
has an edge port, you need to configure BPDU protection on the CX91x series to
prevent network flapping.
----End
2.6.5.3 Configuring Root Protection on an Interface
Context
If the root switch on a network is incorrectly configured or attacked, it may receive
a BPDU with a higher priority. Thus, the root switch becomes a non-root switch,
which causes changes of the network topology.
As a result, traffic may be switched from high-speed links to low-speed links,
causing network congestion.
To address this problem, the switch provides the root protection function. The root
protection function protects the role of the root switch by retaining the role of the
designated port. After root protection is enabled on a port, the port retains the
role of the designated port in all instances.
When the port receives a BPDU with a higher priority, the port stops forwarding
packets and turns to the listening state, but is still a designated port. If the port
does not receive any BPDU with a higher priority for a certain period, the port
status is restored from the listening state.
NOTE
Root protection is a function implemented on a designated port. Root protection takes

effect only when a port functions as a designated port in all MSTIs. Root protection does
not take effect when you configure this function on other types of ports.
region.

Procedure
Step 1 Run:
system-view

● Run:

● Run:

Step 3 Run:
stp root-protection
Root protection is configured on the interface.

After root protection is configured on a port, the interface sets the state of itself
to Discarding to protect the root port when receiving a PBDU with a higher
priority.
----End
2.6.5.4 Configuring Loop Protection on the CX91x series
Context
The switch maintains the status of the root port and blocked ports by continually
receiving BPDUs from the upstream switch.
If the root port cannot receive BPDUs from the upstream switch due to link
congestion or unidirectional link failure, the switch re-selects a root port. Then the
previous root port becomes a designated port and the blocked ports change to the
forwarding state. As a result, loops may occur on the network.
The switch provides loop protection to prevent network loops. After the loop
protection function is enabled, the root port is blocked if it cannot receive BPDUs
from the upstream switch. The blocked port remains in the blocked state and does
not forward packets. This prevents loops on the network.
region.
Procedure
Step 1 Run:
system-view


● Run:
The Ethernet interface view or virtual Ethernet interface view is displayed.
● Run:
Step 3 Run:
stp loop-protection
Loop protection is configured on the root port of the CX91x series.

The alternate port is the backup of the root port. If the CX91x series has an
alternate port, you need to configure loop protection on both the root port and
alternate port.
After loop protected is configured, the alternate port changes to the forwarding
state when the link of the root port fails. In this case, loop protection takes effect
and the original root port changes to the Discarding state.
----End
2.6.5.5 Configuring TC Packet Suppression on the CX91x series
Context
After receiving TC-BPDUs, a switch deletes MAC address entries and ARP entries. If
a malicious attacker sends pseudo TC-BPDUs to attack the switch, the switch will
receive a large number of TC-BPDUs within a short time period, and delete its
MAC entries and ARP entries frequently. As a result, the switch is heavily
burdened, threatening the network stability.
BPDUs are processed by the CX91x series within a given time period (the default
time period is 2s, and the default number of times is 3). If the number of TC-
BPDUs that the CX91x series receives within the given time exceeds the specified
threshold, the CX91x series processes TC-BPDUs only for the specified number of
times. After the timer expires, the CX91x series processes the remaining TC-BPDUs
together. In this way, the switch is prevented from frequently deleting its MAC
entries and ARP entries, and thus is protected from being over-burdened.
Procedure
Step 1 Run:
system-view

Step 2 Run:
stp tc-protection
The CX91x series is configured to suppress the BPDUs of the TC type, that is, TC
packets.

Step 3 Run:
stp tc-protection threshold threshold
The number of times the CX91x series parses TC packets and updates forwarding
entries in a certain period of time is set.
The stp tc-protection threshold command sets the number of times the CX91x
series parses TC packets in a certain period of time. By default, this period of time
is 2 seconds, and the CX91x series parses TC packets 3 times in 2 seconds.
When the CX91x series receives a TC packet, it deletes the related ARP entries and
MAC address entries. If the CX91x series receives too many TC packets in a certain
period, the CPU usages stays high. To prevent this problem, you can configure the
TC packet suppression function.
----End
Procedure
Step 1 Run the display stp [ instance instance-id ] [ interface interface-type interface-
number ] [ brief ] and display stp [ instance instance-id ] [ brief ] command to
check the state and statistics of a spanning tree.
----End
Example
Run the display stp command, you can check whether BPUD is enabled and view
the protection type. The following is an example:
BPDU-Protection :enabled
Port Priority :128
Port Stp Mode :MSTP
TC or TCN send :0
BPDU Sent :43

BPDU Received :3
2.6.6 Maintaining MSTP

This section describes how to clear the statistics of MSTP and debug MSTP.
2.6.6.1 Clearing MSTP Statistics
Context
NOTICE
MSTP statistics cannot be restored after you clear them. So, confirm the action
before you use the command.
Procedure
Step 1 Run the reset stp [ interface interface-type interface-number ] statistics
command to clear the statistics of the specified spanning tree.
----End
2.6.6.2 Debugging MSTP
Context
NOTICE
When an MSTP fault occurs, run the following debugging commands in the user
view to locate the fault.
Procedure
● Run the debugging stp instance instance-id event command to enable
debugging of the specified MSTI.
● Run the debugging stp [ interface interface-type interface-number ] { event
| packet { all | receive |send } } command to enable debugging of BPUDs
sent and received and events on the specified port.
● Run the debugging stp msti { instance-id1 [ to instance-id2 ] } &<1-10>
command to enable debugging of BPDUs in the specified MSTI.
----End


This section provides a configuration example of MSTP.
2.6.7.1 Example for Configuring Basic MSTP Functions
SwitchA, SwitchB, SwitchC, and SwitchD run MSTP. In this example, MSTP runs on
Layer 2 interfaces of the Switches.
Figure 2-15 Networking diagram for configuring basic MSTP functions
1. Add SwitchA and SwitchC to MST region RG1, and create MSTI1.
2. Add SwitchB and SwitchD to MST region RG2, and create MSTI1.
3. Configure SwitchA as the CIST root.
4. In RG1, configure SwitchA as the CIST regional root and regional root of
MSTI1. Configure the root protection function on GigabitEthernet 0/0/2 and
the GigabitEthernet 0/0/1 on SwitchA.
5. In RG2, configure SwitchB as the CIST regional root and SwitchD as the
regional root of MSTI1.
6. On SwitchC and SwitchD, connect GigabitEthernet 0/0/1 to a PC and
configure GigabitEthernet 0/0/1 as an edge port. Enable BPDU protection on
SwitchC and SwitchD.
7. Configure the Switches to calculate the path cost by using the algorithm of
Huawei.
Data Preparation

● Region that SwitchA and SwitchC belong to: RG1

● Region that SwitchB and SwitchD belong to: RG2
● Numbers of the GE interfaces, as shown in Figure 2-15
● VLAN IDs: 1-20
Procedure
Step 1 Configure SwitchA.
# Configure the MST region on SwitchA.
<SwitchA> system-view
[SwitchA] stp region-configuration
[SwitchA-mst-region] region-name RG1
[SwitchA-mst-region] instance 1 vlan 1 to 10
# Activate the configuration of the MST region.

[SwitchA-mst-region] active region-configuration
[SwitchA-mst-region] quit
# Set the priority of SwitchA in MSTI0 to 0 to ensure that SwitchA functions as the
CIST root.
[SwitchA] stp instance 0 priority 0
# Set the priority of SwitchA in MSTI1 to 1 to ensure that SwitchA functions as the
regional root of MSTI1.
[SwitchA] stp instance 1 priority 0
# Configure SwitchA to use Huawei algorithm to calculate the path cost.

[SwitchA] stp pathcost-standard legacy
# Create VLANs 2 to 20.

[SwitchA] vlan batch 2 to 20
# Add GigabitEthernet 0/0/2 to the VLANs.

[SwitchA] interface GigabitEthernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 1 to 20
[SwitchA-GigabitEthernet0/0/2] bpdu enable

[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 1 to 20
[SwitchA-GigabitEthernet0/0/1] bpdu enable
# Enable root protection on the GigabitEthernet 0/0/1.

[SwitchA-GigabitEthernet0/0/1] stp root-protection
# Enable root protection on the GigabitEthernet 0/0/2.

[SwitchA-GigabitEthernet0/0/2] stp root-protection

# Enable MSTP.
[SwitchA] stp enable
Step 2 Configure SwitchB.

# Configure the MST region on SwitchB.
[SwitchB] stp region-configuration
[SwitchB-mst-region] region-name RG2
[SwitchB-mst-region] instance 1 vlan 1 to 10

[SwitchB-mst-region] active region-configuration
[SwitchB-mst-region] quit
# Set the priority of SwitchB in MSTI0 to 4096 to ensure that SwitchB functions as
the CIST root.
[SwitchB] stp instance 0 priority 4096
# Configure SwitchB to use Huawei algorithm to calculate the path cost.

[SwitchB] stp pathcost-standard legacy

[SwitchB] vlan batch 2 to 20

[SwitchB] interface GigabitEthernet 0/0/1
[SwitchB-GigabitEthernet0/0/1] port link-type trunk
[SwitchB-GigabitEthernet0/0/1] port trunk allow-pass vlan 1 to 20
[SwitchB-GigabitEthernet0/0/1] bpdu enable

[SwitchB] interface GigabitEthernet 0/0/2
[SwitchB-GigabitEthernet0/0/2] port link-type trunk
[SwitchB-GigabitEthernet0/0/2] port trunk allow-pass vlan 1 to 20
[SwitchB-GigabitEthernet0/0/2] bpdu enable
# Enable MSTP.
[SwitchB] stp enable
Step 3 Configure SwitchC.

# Configure the MST region on SwitchC.
[SwitchC] stp region-configuration
[SwitchC-mst-region] region-name RG1
[SwitchC-mst-region] instance 1 vlan 1 to 10

[SwitchC-mst-region] active region-configuration
[SwitchC-mst-region] quit
# Configure SwitchC to use Huawei algorithm to calculate the path cost.

[SwitchC] stp pathcost-standard legacy
# Enable BPDU protection.

[SwitchC] stp bpdu-protection


[SwitchC] vlan batch 2 to 20

[SwitchC] interface GigabitEthernet 0/0/2
[SwitchC-GigabitEthernet0/0/2] port link-type trunk
[SwitchC-GigabitEthernet0/0/2] port trunk allow-pass vlan 1 to 20
[SwitchC-GigabitEthernet0/0/2] bpdu enable
[SwitchC-GigabitEthernet0/0/2] quit

[SwitchC-GigabitEthernet0/0/3] port link-type trunk
[SwitchC-GigabitEthernet0/0/3] port trunk allow-pass vlan 1 to 20
[SwitchC-GigabitEthernet0/0/3] bpdu enable
# Configure GigabitEthernet 0/0/1 as an edge port.

[SwitchC-GigabitEthernet0/0/1] stp edged-port enable
[SwitchC-GigabitEthernet0/0/1] port hybrid pvid vlan 20
[SwitchC-GigabitEthernet0/0/1] port hybrid untagged vlan 20
# Enable MSTP.
[SwitchC] stp enable
Step 4 Configure SwitchD.

# Configure the MST region on SwitchD.
[SwitchD] stp region-configuration
[SwitchD-mst-region] region-name RG2
[SwitchD-mst-region] instance 1 vlan 1 to 10

[SwitchD-mst-region] active region-configuration
[SwitchD-mst-region] quit
# Set the priority of SwitchD in MSTI1 to 0 to ensure that SwitchD functions as

the regional root of MSTI1.
[SwitchD] stp instance 1 priority 0
# Configure SwitchD to use Huawei algorithm to calculate the path cost.

[SwitchD] stp pathcost-standard legacy
# Enable BPDU protection.

[SwitchD] stp bpdu-protection

[SwitchD] vlan batch 2 to 20

[SwitchD] interface GigabitEthernet 0/0/2
[SwitchD-GigabitEthernet0/0/2] port link-type trunk
[SwitchD-GigabitEthernet0/0/2] port trunk allow-pass vlan 1 to 20
[SwitchD-GigabitEthernet0/0/2] bpdu enable
[SwitchD-GigabitEthernet0/0/2] quit


[SwitchD-GigabitEthernet0/0/3] port link-type trunk
[SwitchD-GigabitEthernet0/0/3] port trunk allow-pass vlan 1 to 20
[SwitchD-GigabitEthernet0/0/3] bpdu enable
# Configure GigabitEthernet 0/0/1 as an edge port.

[SwitchD-GigabitEthernet0/0/1] stp edged-port enable
[SwitchD-GigabitEthernet0/0/1] port hybrid pvid vlan 10
[SwitchD-GigabitEthernet0/0/1] port hybrid untagged vlan 10
# Enable MSTP.
[SwitchD] stp enable

After the preceding configurations are complete and the network topology
becomes stable, perform the following operations to verify the configuration.
# Run the display stp brief command on SwitchA to view the status and
protection type on the interfaces. The displayed information is as follows:
<SwitchA> display stp brief
MSTID Port Role STP State Protection
0 GigabitEthernet0/0/2 DESI FORWARDING ROOT
The priority of SwitchA is the highest in the CIST; therefore, SwitchA is elected as
the CIST root and regional root of RG1. GigabitEthernet 0/0/2 and GigabitEthernet
0/0/1 of SwitchA are designated ports in the CIST.
The priority of SwitchA in MSTI1 is the highest in RG1; therefore, SwitchA is
elected as the regional root of SwitchA. GigabitEthernet 0/0/2 and GigabitEthernet
0/0/1 of SwitchA are designated ports in MSTI1.
# Run the display stp interface brief commands on SwitchC. The displayed
information is as follows:
<SwitchC> display stp interface GigabitEthernet 0/0/3 brief
0 GigabitEthernet0/0/3 ROOT FORWARDING NONE
<SwitchC> display stp interface GigabitEthernet 0/0/2 brief
0 GigabitEthernet0/0/2 DESI FORWARDING NONE
GigabitEthernet 0/0/3 of SwitchC is the root port in the CIST and MSTI1.
GigabitEthernet 0/0/2 of SwitchC is a designated port in the CIST and MSTI1.
# Run the display stp brief command on SwitchB. The displayed information is as
follows:
<SwitchB> display stp brief
1 GigabitEthernet0/0/2 MAST FORWARDING NONE

The priority of SwitchB in the CIST is lower than that of SwitchA; therefore,
GigabitEthernet 0/0/2 of SwitchB functions as the root port in the CIST. SwitchA
and SwitchB belong to different regions; therefore, GigabitEthernet 0/0/2 of
SwitchB functions as the master port in MSTI1. In MSTI1, the priority of SwitchB is
lower than that of SwitchD; therefore, GigabitEthernet 0/0/1 of SwitchB functions
as the root port. The priority of SwitchB in the CIST is higher than that of SwitchB;
therefore, GigabitEthernet 0/0/1 of SwitchB functions as the designated port in the
CIST.
# Run the display stp interface brief commands on SwitchD. The displayed
information is as follows:
<SwitchD> display stp interface GigabitEthernet 0/0/3 brief
<SwitchD> display stp interface GigabitEthernet 0/0/2 brief
0 GigabitEthernet0/0/2 ALTE DISCARDING NONE
1 GigabitEthernet0/0/2 ALTE DISCARDING NONE
On SwitchD, GigabitEthernet 0/0/2 functions as the alternate port in the CIST.

SwitchD and SwitchC are in different regions; therefore, GigabitEthernet 0/0/2 of
SwitchD also functions as the alternate port in MSTI1.
GigabitEthernet 0/0/3 of SwitchD is the root port in the CIST. The priority of
SwitchD is higher than that of SwitchB in MSTI1; therefore, GigabitEthernet 0/0/3
also functions as the designated port in MSTI1.
----End
Configuration Files
#
sysname SwitchA
#
vlan batch 2 to 20
#
stp instance 0 priority 0
stp pathcost-standard legacy
stp enable
region-name RG1
instance 1 vlan 1 to 10
#
stp root-protection
bpdu enable
#
stp root-protection
bpdu enable
#
return
#
sysname SwitchB

#
vlan batch 2 to 20
#
stp enable
region-name RG2
#
bpdu enable
#
bpdu enable
#
return
● Configuration file of SwitchC
#
sysname SwitchC
#
vlan batch 2 to 20
#
stp bpdu-protection
stp enable
region-name RG1
#
stp edged-port enable
#
bpdu enable
#
bpdu enable
#
return
● Configuration file of SwitchD
#
sysname SwitchD
#
vlan batch 2 to 20
#
stp bpdu-protection
stp enable
region-name RG2
#


stp edged-port enable
#
bpdu enable
#
bpdu enable
#
Return

Configuration Guide 3 Configuration Guide-IP Services
3 Configuration Guide-IP Services
This topic describes how to configure IP addresses by using examples. After IP

addresses of network devices are configured, the network devices can
communicate with each other.
3.1 IP Address Configuration

This chapter describes the concept and configuration procedures of the IP
addresses on the CX91x series.
3.1 IP Address Configuration

This chapter describes the concept and configuration procedures of the IP
addresses on the CX91x series.
3.1.1 Introduction to IP Addresses

This section describes the concept of IP addresses.
Each host needs an IP address to communicate with each other on an IP network.
An IP address is a 32-bit address used on the Internet. It consists of a network ID
and a host ID.
The network ID identifies a network and the host ID identifies a specific network
device on the network. If multiple network devices have the same network ID,
they reside on the same network regardless of their physical locations.
3.1.2 IP Address Features Supported by the CX91x series

This section describes the methods for setting the IP addresses for the CX91x
series.
The CX91x series supports the following method for setting IP addresses:Setting
static IP addresses for interfaces manually.
The CX91x series supports management IP address. You can management IP
address through SSH to the switch .
On the CX91x series, MEth 0/0/1 can be configured with an IP address, which is
used as the management IP address.

3.1.3 Assigning IP Addresses to VLANIF Interfaces

This section describes the procedure for assigning the IP addresses to VLANIF
interfaces.
To run IP services on an VLANIF interface, you need to set an IP address for the
VLANIF interface. Each VLANIF interface of the CX91x series can be assigned with
multiple IP addresses, in which one is the primary IP address and the others are
secondary IP addresses.
Generally, only one IP address, namely, the primary IP address, is required for an
VLANIF interface. In special cases, the secondary IP addresses need to be set for
the VLANIF interface. For example, the CX91x series is connected to a physical
network through an VLANIF interface. The hosts on this physical network belong
to two Class C networks. In this case, you need to set a primary IP address and a
secondary IP address on the VLANIF interface of the CX91x series. The CX91x
series can then communicate with all the hosts on the physical network.
Before setting an IP address for an VLANIF interface, complete the following tasks:
● Connecting interfaces and setting the physical parameters of each interface to
make the physical layer in Up state
● Setting parameters of the link layer protocol for interfaces and ensuring that
the status of the link layer protocol on the interfaces is Up
● Configuring the corresponding VLAN
Data Preparation
To set an IP address for an VLANIF interface, you need the following data.
No. Data
1 VLANIF interface number
2 IP address and subnet mask of the VLANIF interface
3 (Optional) Secondary IP address and subnet mask of the VLANIF

interface
3.1.3.2 Setting a Primary IP Address for an VLANIF Interface
Procedure
Step 1 Run:

system-view

Step 2 Run:

Step 3 Run:
ip address ip-address { mask | mask-length }
The IP address of the VLANIF interface is set.

One VLANIF interface has only one primary IP address. If a primary IP address is
already set on an VLANIF interface when a new primary IP address is set, the
original primary IP address is deleted and the new primary IP address takes effect.
On the CX91x series, a maximum of 256 VLANIF interfaces can be configured with
IP addresses.
----End
3.1.3.3 (Optional)Setting a Secondary IP Addresses for an VLANIF Interface
Procedure
Step 1 Run:
system-view

Step 2 Run:

Step 3 Run:
ip address ip-address { mask | mask-length } sub
The secondary IP address of the VLANIF interface is set.
----End
Procedure
Step 1 Run the display interface [ interface-type interface-number ] command to view
the interface.
Step 2 Run the display ip interface brief [ interface-type [ interface-number ] ]
command to view brief information about IP addresses on the interface.
----End

This section provides several examples of IP address configuration.

3.1.4.1 Example for Setting Primary and Secondary IP Addresses
As shown in Figure 3-1, GigabitEthernet0/0/1 of the Switch is connected to a LAN,
in which hosts belong to two different network segments, that is 172.16.1.0/24
and 172.16.2.0/24. It is required that the Switch can access the two network
segments but the hosts in 172.16.1.0/24 cannot interconnect with the hosts in
172.16.2.0/24.
Figure 3-1 Networking diagram for setting IP addresses
The configuration roadmap of the primary and secondary IP addresses is as
follows:
1. Analyze the address of the network segment to which each interface is

connected.
2. Set the primary and secondary IP addresses for an interface.
NOTE
Note that the primary and secondary IP addresses of the same interface or different
secondary IP addresses of the same interface cannot be in the same network segment.
Data Preparation
To complete the configuration, you need the following data.
● Primary IP address and subnet mask of the VLANIF interface

● Secondary IP address and subnet mask of the VLANIF interface

Procedure
Step 1 Set the IP address for VLANIF 100 where GigabitEthernet0/0/1 of the Switch
belongs.
<Base> system-view
[Base] vlan 100
[Base-Vlan100] quit
[Base-Vlanif100] ip address 172.16.2.1 24 sub
# Ping a host on network segment 172.16.1.0 from Switch. The ping succeeds.
<Base> ping 172.16.1.2
PING 172.16.1.2: 56 data bytes, press CTRL_C to break
Reply from 172.16.1.2: bytes=56 Sequence=1 ttl=128 time=25 ms
--- 172.16.1.2 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 25/26/27 ms
Ping a host on network segment 172.16.2.0 from the Switch. The ping succeeds.
<Base> ping 172.16.2.2
0.00% packet loss
----End
Configuration Files
#
sysname Base
#
vlan 100
#
interface Vlanif100
ip address 172.16.1.1 255.255.255.0
ip address 172.16.2.1 255.255.255.0 sub
#

#
return

Configuration Guide 4 Configuration Guide-QoS
4 Configuration Guide-QoS
Quality of service (QoS) is used to evaluate the service capabilities of the service
provider. After QoS is configured, the system controls network traffic to avoid
network congestion and reduce the packet dropping rate while provides dedicated
bandwidth for enterprises or provides differentiated services for services such as
voice, video, and data services.
4.1 Class-based QoS Configuration

This chapter describes the basic concepts of the traffic classifier, traffic behavior
and traffic policy, and configuration methods and configuration examples of the
traffic policy based on complex traffic classification.
4.2 Traffic Policing and Traffic Shaping Configuration
This document describes basic concepts of traffic policing and traffic shaping, and
introduces traffic policing based on a traffic classifier, and traffic shaping, and
provides configuration examples.
4.3 Congestion Management Configuration
This chapter describes the basic concepts of congestion management, and
provides configuration methods and configuration examples of congestion
management.
4.1 Class-based QoS Configuration

This chapter describes the basic concepts of the traffic classifier, traffic behavior
and traffic policy, and configuration methods and configuration examples of the
traffic policy based on complex traffic classification.
4.1.1 Introduction to Class-based QoS

Class-based QoS is used to classify packets sharing common features into one
class and provide the same QoS service for traffic of the same type by matching
packets with certain rules. In this manner, differentiated services are provided.

4.1.2 Class-based QoS Features Supported by the CX91x series

The CX91x series supports simple traffic classification, complex traffic
classification, and priority mapping.
Simple Traffic Classification

On the CX91x series, you can perform simple traffic classification for packets
according to the mapping between priorities of packets and Per-Hop Behaviors
(PHBs). If packets come from an upstream device, the CX91x series maps priorities
of the packets to PHBs and colors. On the CX91x series, congestion management
is performed for packets according to PHBs of packets . The downstream device
provides QoS services according to the priorities of packets.
Simple traffic classification is based on:
● DiffServ Code Point (DSCP) priority of IP packets
● IP priority of IP packets
● 802.1p priority of VLAN packets
Complex Traffic Classification

You can perform complex traffic classification according to Layer 2 or Layer 3
information in packets or through access control lists (ACLs). Then, you can bind a
traffic classifier to a traffic behavior to process packets matching the traffic
classifier.
The traffic behavior adopted is related to the current phase of packets and the
current load of a network. For example, when packets enter an CX91x series, the
CX91x series performs traffic policing and access control for the packets according
to the committed information rate (CIR); when packets exit an CX91x series, the
CX91x series shapes the traffic of packets and re-marks the priorities of packets.
Complex traffic classification is based on:
● 802.1p priority of VLAN packets
● VLAN ID of packets
● Incoming or outgoing interface
● IP priority of IP packets
● DSCP priority of IP packets
● Source MAC address
● Destination MAC address
● Protocol type field encapsulated in Layer 2 packets
● Layer 3 protocol type
● IP quintuple
Priority Mapping
Packets carry different precedence fields on various networks. For example,
packets carry the 802.1p field on a VLAN network, the DSCP field on an IP
network. When packets pass through different networks, the mapping of the
precedence fields of packets must be configured on the device connected to

different networks. When the CX91x series is connected to different networks, the
precedence fields in the packets entering the CX91x series are all mapped to
internal priorities. The internal priorities are identified by class of service (CoS) and
colors defined in the DiffServ model.
The CX91x series sends the packets to different interface queues according to the
internal priority, and then traffic shaping, and queue scheduling are performed for
the queues. Table 4-1 shows the mapping of internal priorities and queues.
Table 4-1 Mapping between internal priorities and queues

Internal Priority Queue Index
BE 0
AF1 1
AF2 2
AF3 3
AF4 4
EF 5
CS6 6
CS7 7
NOTE
The color is used to determine whether the packets are discarded, and is independent of
the mapping of internal priorities and queues.
Traffic Behavior
Complex traffic classification is used to provide differentiated services. Traffic
classification takes effect only when it is associated with traffic control or resource
allocation actions.
The CX91x series supports the combinations of the following traffic actions:
● Deny/Permit
This traffic control action is the simplest. The CX91x series controls network
traffic by forwarding or discarding packets.
● Re-marking
This traffic control action is used to set the precedence field in a packet.
Packets carry different precedence fields on various networks. For example,
packets carry the 802.1p field on a VLAN network, the DSCP field on an IP
network. Therefore, the CX91x series is required to mark the precedence fields
of packets according to the network type.
Generally, a device at the border of a network needs to mark the precedence
fields of incoming packets. The device at the core of a network provides
corresponding QoS services according to the precedence fields marked by the

border device, or re-marks the precedence fields according to its own

standard.
● Redirection
This traffic control action indicates that the CX91x series does not forward
packets according to the destination address but redirects them to the
specified interface.
The CX91x series can redirect only incoming packets.
● Traffic policing
It is a traffic control action used to limit traffic and resources by monitoring
the specifications of the traffic. Through traffic policing, the CX91x series can
discard and CoS of packets that exceed the specifications.
Here, traffic policing based on a traffic behavior is implemented. For details
about traffic policing, see 4.2 Traffic Policing and Traffic Shaping
Configuration.
● Flow mirroring
Flow mirroring is used to copy the specified data packets to a specified
destination to detect and troubleshoot faults on a network.
For details about flow mirroring, see section Configuration Guide-Device
Management in the CX91x Series Switch Modules V100R001C00
Configuration Guide.
● Traffic statistics
The traffic statistics action is used to collect data packets of specified service
flows, that is, data packets matching complex traffic classification rules on the
CX91x series.
Traffic Policy
A traffic policy is a QoS policy in which traffic classifiers are bound to traffic
behaviors. You can bind a specified traffic classifier to a traffic behavior through
the traffic policy to better perform QoS.
4.1.3 Creating a Traffic Policy Based on Complex Traffic

Classification
After the traffic policy based on complex traffic classification is configured, the
CX91x series classifies packets according to the priority of packets and quintuple
information. Then the CX91x series takes different traffic actions for packets
matching classification conditions, such as permit/deny, re-marking, and
redirection.

Before configuring the traffic policy based on complex traffic classification,
familiarize yourself with the applicable environment, complete the pre-
configuration tasks, and obtain the required data. This helps you complete the
configuration task quickly and accurately.

At the ingress of a network, the CX91x series functions as a border node. To limit
the incoming traffic on a network, the CX91x series can provide differentiated
services for various services according to the DSCP field, protocol type, IP address,
port number and time range of packets. In this case, you need to create a traffic
policy based on complex traffic classification.
Generally, complex traffic classification is configured on a border node, and simple
traffic classification is configured on a core node.
Before creating a traffic policy based on complex traffic classification, complete
the following tasks:
● Configuring the physical parameters of interfaces.
● Setting link layer attributes of interfaces.
● Configuring routing protocols to ensure the connectivity of the network.
● Configuring ACLs if ACLs are used as matching rules for traffic classification.
Data Preparation
To create a traffic policy based on complex traffic classification, you need the
following data.
No. Data
1 Name of the traffic classifier and matching rules of the traffic classifier
2 Name of the traffic behavior and related parameters
3 Name of the traffic policy
4 Interface that the traffic policy is applied to and ID of the VLAN
4.1.3.2 Configuring Complex Traffic Classification

The CX91x series can classify traffic according to the ACL, and the Layer 2
information and Layer 3 information in packets.
4.1.3.2.1 Creating a Traffic Classifier Based on Layer 2 Information

After traffic classification based on Layer 2 information is configured, the CX91x
series classifies packets based on the Layer 2 information including the 802.1p
priority, VLAN ID, source/destination MAC address, incoming/outgoing interface,
and Layer 2 protocol type.
Procedure
Step 1 Run:
system-view


Step 2 Run:
traffic classifier classifier-name [ operator { and | or } ]
A traffic classifier based on Layer 2 information is created and the traffic classifier
view is displayed.
By default, the relationship between rules in a traffic classifier is and.
Step 3 Run the following command as required.
● To define matching rules based on the 802.1p priority of packets in a VLAN,
run:
if-match 8021p { 8021p-value } &<1-8>
● To define matching rules based on the outer VLAN ID, run:

if-match vlan-id start-vlan-id [ to end-vlan-id ]
● To define matching rules based on the destination MAC address, run:

if-match destination-mac mac-address [ mac-address-mask ]
● To define matching rules based on the destination MAC address, run:

if-match source-mac mac-address [ mac-address-mask ]
● To define matching rules based on the protocol field in the Ethernet frame
header, run:
if-match l2-protocol{ arp | ip | mpls | rarp | protocol-value }
● To define matching rules based on all the packets, run:

if-match any
NOTE
When if-match any and other rules are configured in a traffic classifier, packets match only
if-match any.
----End
4.1.3.2.2 Creating a Traffic Classifier Based on Layer 3 Information

After traffic classification based on Layer 3 information is configured, the CX91x
series classifies packets according to Layer 3 information in packets.
Procedure
Step 1 Run:
system-view

Step 2 Run:
A traffic classifier based on Layer 3 information is created and the traffic classifier
view is displayed.
Step 3 Run the following command as required.
● To define matching rules based on the DSCP priority of IP packets, run:

if-match dscp dscp-value &<1-8>
● To define matching rules based on the IP priority of IP packets, run:

if-match ip-precedence ip-precedence-value &<1-8>
NOTE
In a traffic classifier where the relationship between rules is AND, the if-match dscp
and if-match ip-precedence commands cannot be used simultaneously.
----End
4.1.3.2.3 Creating a Traffic Classifier Based on an ACL

After traffic classification based on an ACL is configured, the CX91x series classifies
packets according to the defined ACL rule.
Context
The CX91x series can use the ACL to classify packets according to the IP quintuple.
The CX91x series supports basic ACLs, advanced ACLs, Layer 2 ACLs.
● Basic ACLs are used to classify data packets based on the source IP address,
and time segment of the packets.
● Advanced ACLs are used to classify and define data packets according to the
source IP address, destination IP address, source port number, destination port
number, fragmentation flag, time segment, and protocol type of the packets.
● Layer 2 ACLs are used to classify data packets according to the source MAC
address and destination MAC address of the packets.
Create a traffic classifier based on an ACL as required.
Procedure
● Creating a traffic classifier based on a basic ACL
a. Run:
system-view

b. Run:
acl [ number ] basic-acl-number
A basic ACL is created and the ACL view is displayed.

basic-acl-number specifies the number of a basic ACL. The value is an
integer that ranges from 2000 to 2999.
c. (Optional) Run:
step step-value
The step of the ACL is set.

d. Run:
rule [ rule-id ] { deny | permit } [ source { source-address source-wildcard | any } | time-range
time-name ]*
A basic ACLv4 rule is created.

e. Run:

quit

f. Run:
A traffic classifier is created and the traffic classifier view is displayed.

g. Run:
if-match acl basic-acl-number
A traffic classifier based on a basic ACL is created.

● Creating a traffic classifier based on the advanced ACL
a. Run:
system-view

b. Run:
acl [ number ] advanced-acl-number
An advanced ACL is created and the ACL view is displayed.
advanced-acl-number specifies the number of an advanced ACL. The

value is an integer that ranges from 3000 to 3999.
c. Run the following command as required.
▪ To define an advanced ACL for GRE, IGMP, IPinIP, or OSPF packets,

run:
rule [ rule-id ] { deny | permit } { protocol-number | gre | igmp | ipinip | ospf }
[ destination { destination-address destination-wildcard | any } | dscp dscp | precedence
precedence | source { source-address source-wildcard | any } | time-range time-name |
tos tos ]*
▪ To define an advanced ACL for TCP packets, run:

rule [ rule-id ] { deny | permit } { protocol-number | tcp } [ destination { destination-
address destination-wildcard | any } | destination-port { eq | gt | lt | range } port | dscp
dscp | precedence precedence | source { source-address source-wildcard | any } | source-
port { eq | gt | lt | range } port | time-range time-name | tos tos ]*
▪ To define an advanced ACL for UDP packets, run:

rule [ rule-id ] { deny | permit } { protocol-number | udp } [ destination { destination-
address destination-wildcard | any } | destination-port { eq | gt | lt | range } port | dscp
dscp | precedence precedence | source { source-address source-wildcard | any } | source-
port { eq | gt | lt | range } port | time-range time-name | tos tos ]*
▪ To define an advanced ACL for ICMP packets, run:

rule [ rule-id ] { deny | permit } { protocol-number | icmp } [ destination { destination-
address destination-wildcard | any } | dscp dscp | precedence precedence | source
{ source-address source-wildcard | any } | time-range time-name | tos ]*
d. Run:
quit

e. Run:


f. Run:
if-match acl advanced-acl-number
A traffic classifier based on an advanced ACL is created.

● Creating a traffic classifier based on the Layer 2 ACL
a. Run:
system-view

b. Run:
acl [ number ] mac-acl-number
A Layer 2 ACL is created and the ACL view is displayed.
NOTE
mac-acl-number specifies the number of a Layer 2 ACL. The value is an integer

that ranges from 4000 to 4999.
c. (Optional) Run:
step step-value
The step of the ACL is set.

d. Run:
rule [ rule-id ] { permit | deny } [ l2-protocol type-value [ type-mask ] | destination-mac dest-
mac-address [ dest-mac-mask ] | source-mac source-mac-address [ source-mac-mask ] | vlan-
id vlan-id [ vlan-id-mask ] | 8021p 802.1p-value ]* [ time-range time-range-name ]
A Layer 2 ACL rule is created.

e. Run:
quit

f. Run:

g. Run:
if-match acl l2-acl-number
A traffic classifier based on a Layer 2 ACL is created.
----End
4.1.3.3 Configuring a Traffic Behavior

The CX91x series supports the actions of permit/deny, re-marking, redirection,
traffic policing, flow mirroring, and traffic statistics, which can be configured as
required.

4.1.3.3.1 Configuring the Deny or Permit Action

By configuring the deny or permit action, the CX91x series rejects or permits
packets matching traffic classification rules to control the network traffic.
Procedure
Step 1 Run:
system-view

Step 2 Run:
traffic behavior behavior-name
A traffic behavior is created and the traffic behavior view is displayed.

● Run:
permit
The permit action is configured.
● Run:
deny
The deny action is configured.
NOTE
● If the deny action is configured, the packets matching a traffic classifier are discarded.
In this case, you cannot configure other actions except the traffic statistics action.
● If the permit action is configured, the packets matching a traffic classifier are processed
in order.
----End
4.1.3.3.2 Configuring the Re-marking Action

By configuring the re-marking action, the CX91x series re-marks priorities of
packets matching traffic classification rules, such as the 802.1p priority of VLAN
packets, and the DSCP priority of IP packets.
Procedure
Step 1 Run:
system-view

Step 2 Run:

● Run:
remark 8021p 8021p-value
The 802.1p priority of the packets matching the traffic behavior is re-marked.

● Run:
remark vlan-id vlan-id
The VLAN ID in the outer VLAN tag of the packets in a VLAN matching the
traffic behavior is re-marked.
● Run:
remark dscp { dscp-name | dscp-value }
The DSCP priority of the packets matching the traffic behavior is re-marked.
● Run:
remark local-precedence { local-precedence-name | local-precedence-value }
The local priority of the packets matching the traffic behavior is re-marked.
NOTICE
In a traffic behavior, the remark 8021p command and the remark local-
precedence command cannot be used together.
----End
4.1.3.3.3 Configuring Traffic Policing

By configuring the traffic policing action, the CX91x series polices packets
matching traffic classification rules, and discards the packets exceeding the
specifications or CoS of the packets exceeding the specifications.
Procedure
Step 1 Run:
system-view

Step 2 Run:

Step 3 Run:
car cir cir-value [ pir pir-value ] [ cbs cbs-value pbs pbs-value ] [ green { discard | pass [ remark-dscp
dscp-value | remark-8021p 8021p-precedence ] } | yellow { discard | pass [ remark-dscp dscp-value |
remark-8021p 8021p-precedence ] } | red { discard | pass [ remark-dscp dscp-value | remark-8021p
8021p-precedence ] } ]
The CAR action is configured.
NOTE
For details on traffic policing and CAR, see 4.2.1.1 Traffic Policing in 4.2 Traffic Policing
and Traffic Shaping Configuration.
----End
4.1.3.3.4 Configuring Flow Mirroring

By configuring the flow mirroring action, the CX91x series mirrors all the packets
matching traffic classification rules to the observing interface.

Procedure
Step 1 Run:
system-view
Step 2 Run:
Step 3 Run:
mirroring to observe-port index
All the flows that match a traffic classifier are mirrored to an observing interface.
NOTE
For details about flow mirroring, see section Configuration Guide-Device Management in
the CX91x Series Switch Modules V100R001C00 Configuration Guide.
----End
4.1.3.3.5 Configuring Traffic Statistics

By configuring the traffic statistics action, the CX91x series collects traffic statistics
on packets matching traffic classification rules.
Procedure
Step 1 Run:
system-view
Step 2 Run:
Step 3 Run:
statistic enable
The traffic statistics function is enabled.
NOTE
To collect the flow-based statistics, you must enable the traffic statistics function in a traffic
behavior.
----End
4.1.3.4 Creating a Traffic Policy

You can associate a traffic classifier with a traffic behavior in a traffic policy.

Procedure
Step 1 Run:
system-view

Step 2 Run:
traffic policy traffic-policy-name
A traffic policy is created and the traffic policy view is displayed.

Step 3 Run:
classifier classifier-name behavior behavior-name
A traffic classifier is bound to a traffic behavior in the traffic policy.
----End
4.1.3.5 Applying a Traffic Policy

The configured traffic policy takes effect only after it is applied to the system or
an interface.
Context
A traffic policy takes effect only after it is applied. You can apply the traffic policy
to the system, an interface on the CX91x series.
● Applying a traffic policy globally
After a traffic policy is applied, the system performs traffic policing for all the
packets that match a traffic classifier in the inbound or outbound direction.
● Applying a traffic policy on an interface
packets that pass through this interface and match a traffic classifier in the
inbound or outbound direction.
Do as follows on the CX91x series where a traffic policy based on complex traffic
classification needs to be created.
Procedure
● Applying a traffic policy to the system
a. Run:
system-view

b. Run:
traffic-policy policy-name global { inbound | outbound }
A traffic policy is applied to the system.

a. Run:
system-view

b. Run:
interface interface-type interface-number [.subnumber ]

c. Run:
traffic-policy policy-name { inbound | outbound }
A traffic policy is applied to an interface in the inbound or outbound

direction.
You can apply only one traffic policy in the inbound or outbound
direction on each interface, but the same traffic policy can be applied to
the inbound and outbound directions of different interfaces
simultaneously.
NOTE
It is recommended that you should not use the traffic policy containing the re-
marking of the 802.p priority, and the VLAN ID of packets in a VLAN is used on
the untagged interface in the outbound direction; otherwise, the information
carried in the packets may be incorrect.
----End

After the traffic policy based on complex traffic classification is configured, you
can view the configuration of the traffic classifier, traffic behavior, and traffic
policy.
Prerequisites
The configurations of the traffic policy based on complex traffic classification are
complete.
Procedure
Step 1 Run the display acl { acl-number | all } command to check the ACL rules.
Step 2 Run the display traffic classifier user-defined [ classifier-name ] command to

check the traffic classifier on the CX91x series.
Step 3 Run the display traffic behavior user-defined [ behavior-name ] command to

check the configuration of the traffic behavior.
Step 4 Run the display traffic policy { interface [ interface-type interface-number ]

[ inbound | outbound ] | global [ inbound | outbound ] } command to check the
configuration of the traffic policy.
Step 5 Run the display traffic policy user-defined [ policy-name [ classifier classifier-
name ] ] command to check the configuration of the traffic policy.
----End

4.1.4 Maintaining Class-based QoS

You can view and clear the flow-based traffic statistics to maintain Class-based
QoS.
4.1.4.1 Displaying the Flow-based Traffic Statistics

You can use the display traffic policy statistics command to view the traffic
statistics matching the specified traffic classification rule.
Prerequisite
To view the flow-based traffic statistics, a traffic policy must exist and contain the
traffic statistics action.
Procedure
Run the display traffic policy statistics { global | interface interface-type
interface-number } { inbound | outbound } command to check the flow-based
traffic statistics.
4.1.4.2 Clearing the Flow-based Traffic Statistics

You can use the reset traffic policy statistics command to clear the flow-based
traffic statistics.
Procedure
NOTICE
The flow-based traffic statistics cannot be restored after you clear them. So,
confirm the action before you use the command.
Run the reset traffic policy statistics { global | interface interface-type interface-
number } { inbound | outbound } command to clear the flow-based traffic
statistics.

This section provides several configuration examples of class-based QoS.
4.1.5.1 Example for Re-marking the Priorities Based on Complex Traffic

Classification
After priority re-marking based on complex traffic classification is configured, the
CX91x series adds the same outer VLAN ID to packets with different VLAN IDs.
That is, these packets are uniformly taken as the service data. In addition, the
CX91x series re-marks different 802.1p priorities of packets with different VLAN
IDs. The CX91x series thus provides differentiated services.

The Switch is connected to the router through GigabitEthernet0/0/3; enterprise
and individual users can access the network through the Switch and router. See
Figure 4-1.
Data services of enterprise and individual users come from VLANs 100 and 200
respectively. Enterprise users require better QoS guarantee; therefore, the priority
of data packets from enterprise users is mapped to 4 and the priority of data
packets from individual users is mapped to 2. In this manner, differentiated
services are provided.
Figure 4-1 Networking diagram for re-marking the priorities based on complex
traffic classification
1. Create VLANs and configure interfaces so that enterprise and individual users
can access the network through the Switch.
2. Create traffic classifiers based on the VLAN ID on the Switch.
3. Create traffic behaviors on the Switch and re-mark 802.1p priorities of
packets.
4. Create a traffic policy on the Switch, bind traffic behaviors to traffic classifiers
in the traffic policy, and apply the traffic policy to the interface at the
outbound direction.

Data Preparation
● Re-marked priorities of packets with different VLAN IDs
● Type, direction, and number of the interface that a traffic policy needs to be
applied to
Procedure
Step 1 Create VLANs and configure interfaces.
# Create VLANs 100 and 200 on the Switch, and allow interface
GigabitEthernet0/0/1 to forward packets from VLAN 100, interface
GigabitEthernet0/0/2 to forward packets from VLAN 200, and interface
GigabitEthernet0/0/3 to forward packets from VLANs 100 and 200.
[Switch] vlan batch 100 200
[Switch-GigabitEthernet0/0/1] port link-type trunk
[Switch-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[Switch-GigabitEthernet0/0/3] port trunk allow-pass vlan 100 200
Step 2 Create traffic classifiers.

# Create traffic classifiers c1 to c2 on the Switch to classify incoming packets
based on the VLAN ID.
[Switch] traffic classifier c1 operator and
[Switch-classifier-c1] if-match vlan-id 100
[Switch-classifier-c1] quit
Step 3 Create traffic behaviors.

# Create traffic behaviors b1 to b2 on the Switch to re-mark priorities of user
packets.
[Switch] traffic behavior b1
[Switch-behavior-b1] remark 8021p 4
[Switch-behavior-b1] quit
[Switch-behavior-b2] remark 8021p 2
Step 4 Create a traffic policy and apply it to an interface.

# Create traffic policy p1 on the Switch, bind traffic classifiers to traffic behaviors
in the traffic policy, and apply the traffic policy to GigabitEthernet0/0/3 in the
inbound direction to re-mark priorities of packets coming from the user side.
[Switch] traffic policy p1
[Switch-trafficpolicy-p1] classifier c1 behavior b1


[Switch-trafficpolicy-p1] quit
[Switch-GigabitEthernet0/0/3] traffic-policy p1 outbound
[Switch] quit

# Check the configuration of traffic classifiers.
<Switch> display traffic classifier user-defined
User Defined Classifier Information:
Classifier: c2
Operator: AND
Rule(s) : if-match vlan-id 200
Classifier: c1
Operator: AND
Rule(s) : if-match vlan-id 100
# Check the configuration of the traffic policy.

<Switch> display traffic policy user-defined p1
User Defined Traffic Policy Information:
Policy: p1
Classifier: c1
Operator: AND
Behavior: b1
statistic: enable
Marking:
Remark 8021p 4
Classifier: c2
Operator: AND
Behavior: b2
statistic: enable
Marking:
Remark 8021p 2
----End
Configuration Files
● Configuration file of the Switch
#
vlan batch 100 200
#
traffic classifier c2 operator and
if-match vlan-id 200
if-match vlan-id 100
#
traffic behavior b2
remark 8021p 2
traffic behavior b1
remark 8021p 4
#
traffic policy p1
classifier c1 behavior b1
#
port trunk allow-pass vlan 100
#
#

port trunk allow-pass vlan 100 200
traffic-policy p1 outbound
#
return
4.1.5.2 Example for Redirecting Packets Based on Complex Traffic

Classification
After packet redirection based on complex traffic classification is configured, the
CX91x series redirects packets with different IP priorities to different interfaces so
that the CX91x series provides different bandwidth services.
The Layer 2 switch of a company is connected to the ISP device through the
Switch; one is A link and the other is B link. The company requires that the B link
sends only the packets with priorities as 4, 5, 6, and 7 and A link sends packets of
lower priorities to the ISP. See Figure 4-2.
Figure 4-2 Networking diagram for redirecting packets based on complex traffic
classification
1. Create VLANs and configure interfaces so that the Switch can ping the ISP
device.
2. Create ACL rules to match the packets with priorities as 4, 5, 6, and 7 and
priorities as 0, 1, 2, and 3.
3. Create traffic classifiers to match the preceding ACL rules.
4. Create traffic behaviors to redirect matching packets to GigabitEthernet0/0/2
and GigabitEthernet0/0/1.
5. Create a traffic policy, bind traffic classifiers to traffic behaviors in the traffic
policy, and apply the traffic policy to an interface.
Data Preparation
● Add all of GigabitEthernet0/0/3, GigabitEthernet0/0/2, and
GigabitEthernet0/0/1 to VLAN 20 and VLAN 30

● ACL rules 3001 and 3002

● Traffic classifiers c1 and c2
● Traffic behaviors b1 and b2
● Traffic policy p1
Procedure
# Create VLANs 20 and 30.
[Switch] vlan batch 20 30
# Configure the type of GigabitEthernet0/0/3, GigabitEthernet0/0/2, and

GigabitEthernet0/0/1 to trunk, and add all of GigabitEthernet0/0/3,
GigabitEthernet0/0/2, and GigabitEthernet0/0/1 to VLAN 20 and VLAN 30.
Step 2 Create ACL rules.

# Create advanced ACL rules 3001 and 3002 on the Switch to permit the packets
with priorities as 4, 5, 6, and 7 and priorities as 0, 1, 2, and 3 to pass through.
[Switch] acl 3001
[Switch-acl-adv-3001] rule permit tcp precedence 0
[Switch-acl-adv-3001] quit
[Switch] acl 3002
[Switch-acl-adv-3002] quit

Create traffic classifiers c1 and c2 on the Switch with matching rules as ACL 3001
and ACL 3002.
[Switch] traffic classifier c1

[Switch-classifier-c1] if-match acl 3001

# Create traffic behaviors b1 and b2 on the Switch to redirect packets to
GigabitEthernet0/0/2 and GigabitEthernet0/0/1.


[Switch-behavior-b1] redirect interface GigabitEthernet 0/0/2
[Switch-behavior-b2] redirect interface GigabitEthernet 0/0/1
# Create traffic policy p1 on the Switch and bind traffic classifiers to traffic
behaviors in the traffic policy.
# Apply traffic policy p1 to GigabitEthernet0/0/3.

[Switch-GigabitEthernet0/0/3] traffic-policy p1 inbound
[Switch] quit
# Check the configuration of ACL rules.

<Switch> display acl 3001
Advanced ACL 3001, 4 rules
Acl's step is 5
rule 5 permit tcp precedence routine
rule 10 permit tcp precedence priority
rule 15 permit tcp precedence immediate
rule 20 permit tcp precedence flash
Advanced ACL 3002, 4 rules
Acl's step is 5
rule 5 permit tcp precedence flash-override
rule 10 permit tcp precedence critical
rule 15 permit tcp precedence internet
rule 20 permit tcp precedence network
# Check the configuration of traffic classifiers.

Classifier: c2
Operator: AND
Rule(s) : if-match acl 3002
Classifier: c1
Operator: AND
# View the configuration of the traffic policy.

Policy: p1
Classifier: c1
Operator: AND
Behavior: b1
Redirect:
Redirect interface GigabitEthernet 0/0/2
Classifier: c2
Operator: AND
Behavior: b2

Redirect:
Redirect interface GigabitEthernet 0/0/1
----End
Configuration Files
#
vlan batch 20 30
#
acl number 3001
rule 5 permit tcp precedence routine
rule 10 permit tcp precedence priority
rule 15 permit tcp precedence immediate
rule 20 permit tcp precedence flash
#
acl number 3002
rule 5 permit tcp precedence flash-override
rule 10 permit tcp precedence critical
rule 15 permit tcp precedence internet
rule 20 permit tcp precedence network
#
if-match acl 3002
if-match acl 3001
#
traffic behavior b2
redirect interface GigabitEthernet 0/0/1
traffic behavior b1
redirect interface GigabitEthernet 0/0/2
#
traffic policy p1
#
#
#
traffic-policy p1 inbound
#
return
4.1.5.3 Example for Configuring Traffic Statistics Based on Complex Traffic

Classification
After traffic statistics based on complex traffic classification is configured, the
CX91x series collect traffic statistics on packets with the specified source MAC
address.
PC1 with the MAC address as 0000-0000-0003 is connected to other devices
through GigabitEthernet0/0/1 on the Switch. It is required that the Switch should
take the statistics on the packets with the source MAC address as
0000-0000-0003. See Figure 4-3.

Figure 4-3 Networking diagram for configuring traffic statistics based on complex
traffic classification
1. Configure interfaces so that the Switch is connected to PC1 and the router.
2. Create an ACL to match the packets with the source MAC address as
0000-0000-0003.
3. Create a traffic classifier to match the ACL.
4. Create a traffic behavior to take the statistics on the matching packets.
5. Create a traffic policy, bind the traffic classifier to the traffic behavior in the
traffic policy, and apply the traffic policy to GigabitEthernet0/0/1 in the
inbound direction.
Data Preparation
● VLAN 20
● ACL 4000
● Traffic classifier c1
● Traffic behavior b1
● Traffic policy p1
Procedure
Step 1 Create a VLAN and configure interfaces.
# Create VLAN 20.
[Switch] vlan 20
[Switch-vlan20] quit
# Configure the type of GigabitEthernet0/0/1 as access and GigabitEthernet0/0/2

as trunk, and add GigabitEthernet0/0/1 and GigabitEthernet0/0/2 to VLAN 20.
[Switch-GigabitEthernet0/0/1] port link-type access
[Switch-GigabitEthernet0/0/1] port default vlan 20

# Create VLANIF 20 and assign IP address 20.20.20.1/24 to it.

[Switch] interface vlanif 20
[Switch-Vlanif20] ip address 20.20.20.1 24
[Switch-Vlanif20] quit
NOTE
Assign network segment address 20.20.20.2/24 to the interface connecting the router and
Switch. The details are not mentioned here.
Step 2 Create an ACL.
# Create Layer 2 ACL 4000 on the Switch to match the packets with the source
MAC address as 0000-0000-0003.
[Switch] acl 4000
[Switch-acl-L2-4000] rule permit source-mac 0000-0000-0003 ffff-ffff-ffff
[Switch-acl-L2-4000] quit
Step 3 Create a traffic classifier.
Create traffic classifier c1 on the Switch with ACL 4000 as the matching rule.
Step 4 Create a traffic behavior.
# Create traffic behavior b1 on the Switch and configure the traffic statistics
action.
[Switch-behavior-b1] statistic enable
# Create traffic policy p1 on the Switch and bind the traffic classifier to the traffic
behavior in the traffic policy.
# Apply traffic policy p1 to GigabitEthernet0/0/1.

[Switch] quit
# Check the configuration of the ACL.

L2 ACL 4000, 1 rule
Acl's step is 5
rule 5 permit source-mac 0000-0000-0003
# Check the configuration of the traffic classifier.

Classifier: c1

Operator: AND
# View the configuration of the traffic policy.

Policy: p1
Classifier: c1
Operator: AND
Behavior: b1
statistic: enable
----End
Configuration Files
#
vlan 20
#
acl number 4000
rule 5 permit source-mac 0000-0000-0003
#
if-match acl 4000
#
traffic behavior b1
statistic enable
#
traffic policy p1
#
interface Vlanif20
ip address 20.20.20.1 255.255.255.0
#
port default vlan 20
#
#
return
4.2 Traffic Policing and Traffic Shaping Configuration

This document describes basic concepts of traffic policing and traffic shaping, and
introduces traffic policing based on a traffic classifier, and traffic shaping, and
provides configuration examples.
4.2.1 Overview of Traffic Policing and Traffic Shaping

This section describes the basic concepts of traffic policing and traffic shaping and
the differences between traffic policing and traffic shaping.
4.2.1.1 Traffic Policing

To make full use of limited network resources, you can police special service flows
to adapt to the allocated network sources.

Traffic policing is a traffic control action used to limit traffic and resources by
monitoring the specification of the traffic.
Traffic policing is used to police the volume of certain traffic entering a network
and retain it in a proper range. In addition, it discards the excessive traffic to
protect network resources and profits of carriers.
Traffic policing is widely used to police the volume of traffic entering the Internet
Service Provider (ISP).
Token Bucket and Traffic Measurement

When the traffic exceeds the specification, the CX91x series uses traffic control
policies. Generally, a token bucket is used to measure the specification of traffic.
A token bucket is considered as a container that stores tokens of a certain number.

The CX91x series puts tokens at the set rate (one token bucket = 1 bit) in a token
bucket. When the token bucket is full, the excessive tokens overflows and the
number of the tokens no longer increases.
When measuring the traffic in a token bucket, the CX91x series forwards packets
considering whether the number of tokens in the token bucket meets the
requirements for forwarding packets. If there are sufficient tokens in the token
bucket to forward packets, the traffic complies with the allowed value; otherwise,
the traffic does not comply with the allowed value or exceeds the allowed value.
Figure 4-4 Using a token bucket to measure the traffic
The CX91x series supports the single token bucket and dual token buckets.
● Single token bucket

For the single token bucket, parameters of the token bucket are as follows:

– Committed burst size (CBS): indicates the maximum volume of traffic

that bursts in bucket C, in bytes.
– Committed information rate (CIR): indicates the rate of tokens that are
put into bucket C, that is, the average traffic rate allowed by bucket C, in
kbit/s.
If there are sufficient tokens in the bucket, packets are forwarded. At the
same time, the number of tokens in the bucket decreases based on the length
of the packets. If there are no tokens in the bucket, packets are discarded.
● Dual token buckets
For the dual token buckets, parameters of the token bucket include the
following in addition to the CIR and CBS:
– Peak burst size (PBS): indicates the maximum volume of traffic that
bursts and exceeds the CBS in bucket P, in bytes.
– Peak information rate (PIR): indicates the rate of tokens that are put into
bucket P, that is, the average traffic rate allowed by bucket P, in kbit/s.
For the dual token buckets:
– The service traffic that exceeds the CIR is colored as green and passes
through.
– The service traffic that exceeds the PIR is colored as red and is discarded.
– The service traffic that ranges from the CIR to the PIR is colored as
yellow, and the traffic is discarded when congestion occurs on a network.
Traffic Policing Features Supported by the CX91x series

The CX91x series supports the following traffic policing features:
● Interface-based traffic policing.

Interface-based traffic policing controls all incoming traffic on an interface
regardless of packet types. It discards the excessive traffic to limit the
incoming traffic within a proper range and to protect the network resources
and the interests of carriers.
● Traffic policing based on a traffic classifier
Traffic policing based on a traffic classifier is used to limit the rate of the
traffic matching a traffic classifier after traffic classification is performed on
the CX91x series. When policing the rate of such traffic entering the CX91x
series, the CX91x series discards the traffic that exceeds the allowed rate. In
this case, the traffic of this type is limited in a proper range. Network
resources and carriers' profits are thus protected.
4.2.1.2 Traffic Shaping

The traffic shaping function is used to control the rate of packets so that packets
are sent at an even rate. Traffic shaping is used to adapt the transmission rate of
packets to the upstream devices to prevent unnecessary packet loss and
congestion.
Traffic shaping is a traffic control action used to limit traffic and resources by
monitoring the specification of the traffic. In traffic shaping, token buckets are
also used to measure the traffic.

The traffic shaping technology limits the rate of outgoing traffic, and mainly
controls the local outgoing traffic based on the traffic policing specification of a
downstream network node.
Difference Between Traffic Shaping and Traffic Policing

Traffic policing directly discards the packets whose rate is greater than the traffic
policing rate. Traffic shaping, however, buffers the packets whose rate is greater
than the traffic shaping rate. As shown in Figure 4-5, if there are sufficient tokens
in the token bucket, the buffered packets are then forwarded at an even rate. If
the number of packets to be buffered is greater than the queue length, packets
are discarded.
Figure 4-5 Network diagram of traffic shaping
The delay may be increased just because the traffic shaping technology puts the
packets into a buffer or a queue. The traffic policing technology, however, does
not cause a delay.
Traffic Shaping Features Supported by the CX91x series

The CX91x series supports the following traffic shaping features:
● Traffic shaping on an interface
The CX91x series performs traffic shaping for all the packets that pass
through an interface.
● Traffic shaping in an interface queue
The CX91x series performs traffic shaping for the packets of a certain type
that pass through an interface based on simple traffic classification. In this
manner, traffic shaping based on voice, data, and video services is
implemented.

NOTE
The device does not support traffic shaping according to user-defined policy.
4.2.2 Configuring Traffic Policing Based on a Traffic Classifier

After traffic policing based on a traffic classifier is configured, the CX91x series
policies the traffic matching traffic classification rules.

Before configuring traffic policing based on a traffic classifier, familiarize yourself
with the applicable environment, complete the pre-configuration tasks, and obtain
the required data. This helps you complete the configuration task quickly and
accurately.
If the traffic sent by users is not limited, a large amount of increasing burst service
data makes a network congested. To make full use of network resources and
provide better services for more users, you must limit user service traffic.
Traffic policing based on a traffic classifier can be used to control the service
traffic of a certain type.
Before configuring traffic policing based on a traffic classifier, complete the
following tasks:
● Setting the physical parameters of interfaces.

● Setting link layer attributes of interfaces to ensure normal operation of these
interfaces.
● Assigning IP addresses to the interfaces and configuring routing protocols to
ensure that routes are reachable.
Data Preparation
To configure traffic policing based on a traffic classifier, you need the following
data.
No. Data
1 Name of the traffic classifier and related parameters.
2 Name of the traffic behavior and CAR parameters: CIR, (optional) PIR,
(optional) CBS, (optional) PBS, (optional) coloring mode, (optional)
color, and (optional) CoS.
3 Name of the traffic policy, and interface on which traffic policing based
on a traffic classifier is applied and inbound or outbound direction.

4.2.2.2 Configuring Complex Traffic Classification

The CX91x series can classify traffic according to the ACL, Layer 2 information in
packets, and Layer 3 information in packets.
Select proper traffic classification rules and configure complex traffic classification
as required. For details, see 4.1.3.2 Configuring Complex Traffic Classification.
4.2.2.3 Configuring a Traffic Policing Action

You can configure traffic policing actions, set CAR parameters of the PIR, PBS, CIR,
CBS, and PBS and set actions for packets with different PHBs and colors.
Procedure
Step 1 Run:
system-view

Step 2 Run:

Step 3 Run the following command on the CX91x series:
car cir cir-value [ pir pir-value ] [ cbs cbs-value pbs pbs-value ] [ green { discard | pass [ remark-dscp
dscp-value | remark-8021p 8021p-precedence ] } | yellow { discard | pass [ remark-dscp dscp-value |
remark-8021p 8021p-precedence ] } | red { discard | pass [ remark-dscp dscp-value | remark-8021p
8021p-precedence ] } ]
The CAR is configured.

You can define the color of packets in traffic policing:
● When the burst size of a packet is less than the CBS, the packet is colored
green.
● When the burst size of a packet is equal to or greater than the CBS but less
than the PBS, the packet is colored yellow.
● When the burst size of a packet is equal to or greater than the PBS, the
packet is colored red.
----End
4.2.2.4 Creating a Traffic Policy

You can associate a traffic classifier with a traffic behavior in a traffic policy.
Procedure
Step 1 Run:
system-view

Step 2 Run:
traffic policy policy-name

A traffic policy is created and the traffic policy view is displayed.
Step 3 Run:
classifier classifier-name behavior behavior-name
A traffic classifier is bound to a traffic behavior in the traffic policy.
----End
4.2.2.5 Applying the Traffic Policy

The configured traffic policy takes effect only after it is used globally, or on an
interface.
Context
A traffic policy takes effect only after being applied. You can apply a traffic policy
globally, on an interface on the CX91x series.

packets that match a traffic classifier in the inbound or outbound direction.
After a traffic policy is applied, the system performs traffic policing for the
packets that pass through this interface and match a traffic classifier in the
inbound or outbound direction.
Procedure
a. Run:
system-view

b. Run:
traffic-policy policy-name global { inbound | outbound }
A traffic policy is applied globally in the inbound or outbound direction.
direction in the system view.
a. Run:
system-view

b. Run:

c. Run:
traffic-policy policy-name { inbound | outbound }

A traffic policy is applied on an interface in the inbound or outbound

direction.
direction of an interface.
----End

After traffic policing based on a traffic classifier is configured, you can check the
configuration of the traffic behavior, traffic classifier and traffic policy.
Prerequisites
The configurations of traffic policing based on a traffic classifier are complete.
Procedure
Step 1 Run the display traffic behavior user-defined [ behavior-name ] command to
check the configuration of the traffic behavior.
Step 2 Run the display traffic classifier user-defined [ classifier-name ] command to
check the configuration of the traffic classifier.
Step 3 Run the display traffic policy { interface [ interface-type interface-number ]
[ inbound | outbound ] | global [ inbound | outbound ] } command to check the
configuration of the traffic policy.
----End
4.2.3 Configuring Traffic Policing Based on an Interface

After traffic policing based on an interface is configured, the CX91x series policies
the traffic on the interface .

Before configuring traffic policing based on an interface, familiarize yourself with
required data. This helps you complete the configuration task quickly and
accurately.
If the service traffic sent by users is not limited, a large amount of increasing burst
service data makes a network more congested. To make full use of network
resources and provide better services for more users, you must limit user service
traffic. After interface-based traffic policing is applied to the interface, the rate of
all the user service traffic entering the interface is limited.
Before configuring a limit rate on the interface, complete the following tasks:

● Setting physical parameters of interfaces.

● Setting link layer attributes of interfaces to ensure normal operation of these
interfaces.
Data Preparation
To configure interface-based traffic policing, you need the following data.
No. Data
1 CIR and CBS
2 Interface where traffic policing is configured or queue index
4.2.3.2 Limiting the Rate of Traffic on the Inbound Interface

You need to configure traffic policing on the inbound interface to limit the rate of
traffic entering the CX91x series through the interface.
Procedure
Step 1 Run:
system-view

Step 2 Run:

Step 3 Run:
qos lr inbound cir cir-value [ cbs cbs-value ]
Traffic policing is configured on the inbound interface.
----End

After interface-based rate limit is configured, you can view rate limit information
on the interface.
Prerequisite
The configurations of interface-based rate limit are complete.
Procedure
Run the display qos lr inbound interface interface-type interface-number
command to check the configuration of traffic policing based on an interface.

4.2.4 Configuring Traffic Shaping

After traffic shaping is configured, the CX91x series shapes packets matching
traffic classification rules so that packets are sent out at an even rate.

Before configuring traffic shaping, familiarize yourself with the applicable
This helps you complete the configuration task quickly and accurately.
If the bandwidth of upstream and downstream networks is different, you can
configure traffic shaping on the outgoing interface connecting the upstream
network and downstream network. In this manner, the rate of packets sent to the
downstream network meets the requirements of the bandwidth of the
downstream network. This can prevent congestion and packet loss on the network
to a certain degree.
The CX91x series supports traffic shaping on an interface and in an interface

queue. You can configure traffic shaping as required. If traffic shaping of these
two types is configured, ensure that the CIR for traffic shaping on an interface
must be greater than or equal to the sum of CIRs for traffic shaping in an
interface queue. Otherwise, traffic shaping fails. For example, traffic of lower
priorities preempts the bandwidth of traffic of higher priorities.
Before configuring traffic shaping, complete the following tasks:
● Setting link layer attributes of interfaces to ensure normal operation of the

interfaces.
Data Preparation
To configure traffic shaping, you need the following data.
No. Data
1 Rate for traffic shaping on an interface.
2 (Optional) Rate for traffic shaping in an interface queue, including the

CIR and PIR.
3 Interface on which traffic shaping is applied or index of the queue.

4.2.4.2 Configuring Traffic Shaping on an Interface

You can configure traffic shaping on an interface to limit the rate of data sent by
the interface.
Context
To perform traffic shaping for all the downstream packets on an interface,
perform this procedure.
Set the same traffic shaping rate on multiple interfaces, you can perform the
configuration on the interface group to reduce the workload. For details about
creating an interface group, see section Configuration Guide-Ethernet in the
CX91x Series Switch Modules V100R001C00 Configuration Guide.
Procedure
Step 1 Run:
system-view
Step 2 Run:
Or run the port-group port-group-name command to display the interface group

view.
NOTE
You need to create the interface group before performing this task. For details about
creating an interface group, see section Configuration Guide-Ethernet in the CX91x Series
Step 3 Run:
qos lr outbound cir cir-value [ cbs cbs-value ]
The rate for traffic shaping on an interface is set.
By default, the CIR for traffic shaping on an interface is the maximum bandwidth
of the interface. For example, and the CIR for traffic shaping on a GE interface is
1000000 kbit/s, the CIR for traffic shaping on a 10GE interface is 10000000 kbit/s.
NOTE
● If this command is run repeatedly on the same interface, the latest configuration
overrides the previous configuration.
● If traffic shaping in an interface queue is configured on the same interface, the CIR for
traffic shaping on an interface must be greater than or equal to the sum of CIRs for
traffic shaping in an interface queue. Otherwise, traffic shaping fails. For example, traffic
of lower priorities preempts the bandwidth of traffic of higher priorities.
----End

4.2.4.3 Configuring Traffic Shaping in an Interface Queue

This section describes how to configure traffic shaping, enable traffic shaping in
an interface queue, and set traffic shaping parameters.
Context
To perform traffic shaping for the packets of a certain type of services on an
interface, perform this procedure.
Before configuring traffic shaping in an interface queue, you need to re-mark the
internal priorities based on complex traffic classification. In this case, different
services can enter different interface queues. For details, see Creating a Traffic
Policy Based on Complex Traffic Classification.
If you need to set the same queue shaping rate on multiple interfaces, you can
perform the configuration on the interface group to reduce the workload.
Procedure
Step 1 Run:
system-view
Step 2 Run:
Or run:
The port group view is displayed.
NOTE
You need to create the interface group before performing this task. For details about
creating an interface group, see section Configuration Guide-Ethernet in the CX91x Series
Step 3 Run:
qos queue queue-index shaping cir cir-value pir pir-value [ cbs cbs-value pbs pbs-value]
The rate for traffic shaping in an interface queue is set.
By default, the rate for traffic shaping in an interface queue is the maximum
bandwidth of the interface.
----End
4.2.5 Maintaining Traffic Policing and Traffic Shaping

This section describes how to maintain traffic policing and traffic shaping.

4.2.5.1 Displaying the Traffic Statistics

If the traffic statistics action is configured, you can run display commands to view
the statistics on traffic policing.
Context
To view the flow-based traffic statistics, a traffic policy must exist and contain the
traffic statistics action.
Procedure
Step 1 Run the display traffic policy statistics { global | interface interface-type
interface-number } { inbound | outbound } command to check the flow-based
traffic statistics.
Step 2 Run the display qos lr { inbound | outbound } interface interface-type interface-
number command to view the rate limit information on an interface of the CX91x
series.
----End
4.2.5.2 Clearing the Traffic Statistics

You can use the reset commands to clear the statistics on traffic policing.
Procedure
NOTICE
The statistics on traffic policing cannot be restored after you clear them. So,
confirm the action before you use the command.
Run the reset traffic policy statistics { global | interface interface-type interface-
number } { inbound | outbound } command to clear the flow-based traffic
statistics.

This section provides several configuration examples of traffic policing and traffic
shaping.
4.2.6.1 Example for Configuring Traffic Policing Based on a Traffic Classifier

The Switch provides different bandwidth by configuring traffic policing based on a
traffic classifier and setting different CAR parameters.
The Switch is connected to the router through GigabitEthernet0/0/3; enterprise
and individual users can access the network through the Switch and router.
SeeTable 4-2.

● The voice services of enterprise and individual users belong to VLANs 120 and
220.
● The video services of enterprise and individual users belong to VLANs 110 and
210.
● The data services of enterprise and individual users belong to VLANs 100 and
200.
On the Switch, packets of different services need to be policed, and the total
traffic of enterprise and individual users needs to be controlled in a proper range.
The DSCP priorities carried in service packets sent from the user side are unreliable
and services require different QoS in actual applications; therefore, you need to re-
mark DSCP priorities of different service packets on the Switch. In this manner, the
downstream router can process packets according to different priorities.
The requirements are as follows:
Table 4-2 QoS provided by the Switch for upstream traffic

User Type Traffic Type CIR (Mbit/s) PIR (Mbit/s) DSCP
Priority
Enterprise Voice 10 15 46
users
Video 50 75 30
Data 40 60 14
Individual Voice 10 15 46
users
Video 40 60 30
Data 30 45 14

Figure 4-6 Networking diagram for configuring traffic policing based on a traffic
classifier
1. Create VLANs and configure interfaces so that enterprise and individual users
can access the network through the Switch.
2. Create traffic classifiers based on the VLAN ID on the Switch.
3. Create traffic behaviors on the Switch to police the traffic received from the
user side and re-mark DSCP priorities of packets, and police the traffic sent to
the user side.
4. Create traffic policies on the Switch, bind traffic behaviors to traffic classifiers
in the traffic policies, and apply the traffic policies to the interfaces that
packets pass through.
Data Preparation
● Re-marked priorities of packets with different VLAN IDs
● Parameters for packets with different VLAN IDs: CIR and PIR
● Type, direction, and number of the interface on which a traffic policy needs to
be applied
Procedure

# Create VLAN 100, VLAN 110, VLAN 120, VLAN 200, VLAN 210, VLAN 220, and
VLAN 300 on the Switch.
[Switch] vlan batch 100 110 120 200 210 220 300
# Configure the access types of GigabitEthernet0/0/1, GigabitEthernet0/0/2, and

GigabitEthernet0/0/3 to trunk, add GigabitEthernet0/0/1 to VLAN 100, VLAN 110,
and VLAN 120, add GigabitEthernet0/0/2 to VLAN 200, VLAN 210, and VLAN 220,
and add GigabitEthernet0/0/3 to VLAN 100, VLAN 110, VLAN 120, VLAN 200,
VLAN 210, VLAN 220, and VLAN 300.
[Switch-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 110 120
[Switch-GigabitEthernet0/0/3] port trunk allow-pass vlan 100 110 120 200 210 220 300
# Create VLANIF 300 and set its network segment address to 10.10.10.1/24.

NOTE
# On the router, set the IP address of the interface connecting the router and Switch to
10.10.10.2/24.

# Create traffic classifiers c1 to c6 on the Switch to classify incoming and
outgoing user packets based on the VLAN ID.

# Create traffic behaviors b1 to b6 on the Switch to police user packets and re-
mark priorities of the packets.
[Switch-behavior-b1] car cir 10000 pir 15000 green pass

[Switch-behavior-b1] remark dscp 46

Step 4 Create traffic policies and apply them on interfaces.

# Create traffic policy p1 on the Switch, bind traffic classifiers to traffic behaviors
in the traffic policy, and apply the traffic policy to GigabitEthernet0/0/1 and
GigabitEthernet0/0/2 in the inbound direction to police the packets received from
the user side and re-mark priorities of these packets.

[Switch] display traffic classifier user-defined
Classifier: c6
Precedence: 30
Operator: AND
Rule(s) : if-match 5 vlan-id 200
Classifier: c4
Precedence: 20
Operator: AND
Classifier: c2
Precedence: 10

Operator: AND
Classifier: c5
Precedence: 25
Operator: AND
Classifier: c3
Precedence: 15
Operator: AND
Classifier: c1
Precedence: 5
Operator: AND
# Check the configuration of the traffic policy. Here, the configuration of traffic
policy p1 is displayed.
[Switch] display traffic policy user-defined p1
Policy: p1
Classifier: c1
Operator: AND
Behavior: b1
Committed Access Rate:
CIR 1000 (Kbps), CBS 125000 (Byte)
PIR 15000 (Kbps), PBS 1875000 (Byte)
Green Action : pass
Yellow Action : pass
Red Action : discard
Marking:
Remark DSCP ef
statistic: enable
Classifier: c2
Operator: AND
Behavior: b2
CIR 5000 (Kbps), CBS 625000 (Byte)
PIR 75000 (Kbps), PBS 9375000 (Byte)
Green Action : pass
Marking:
Remark DSCP af33
statistic: enable
Classifier: c3
Operator: AND
Behavior: b3
CIR 40000 (Kbps), CBS 5000000 (Byte)
PIR 60000 (Kbps), PBS 7500000 (Byte)
Green Action : pass
statistic: enable
Classifier: c4
Operator: AND
Behavior: b4
CIR 10000 (Kbps), CBS 1250000 (Byte)
PIR 15000 (Kbps), PBS 1875000 (Byte)
Green Action : pass
statistic: enable
Classifier: c5
Operator: AND

Behavior: b5
CIR 40000 (Kbps), CBS 5000000 (Byte)
PIR 60000 (Kbps), PBS 7500000 (Byte)
Green Action : pass
statistic: enable
Classifier: c6
Operator: AND
Behavior: b6
CIR 30000 (Kbps), CBS 3750000 (Byte)
PIR 45000 (Kbps), PBS 5625000 (Byte)
Green Action : pass
statistic: enable
# Check the statistics of the traffic policy applied on an interface. Here, the
statistics of the traffic policy applied on GE 0/0/1 is displayed.
[Switch] display traffic policy statistics interface gigabitethernet 0/0/1 inbound
Interface: GigabitEthernet0/0/1
Traffic policy inbound: p1
Rule number: 1
Current status: OK!
Item Packets Bytes
---------------------------------------------------------------------
Matched 10 10000
+--Passed 8 8000
+--Dropped 2 2000
+--Filter 2 2000
+--URPF - -
+--CAR 2 2000
----End
Configuration Files
#
vlan batch 100 110 120 200 210 220 300
#
interface Vlanif300
ip address 10.10.10.1 255.255.255.0
#
if-match 5 vlan-id 200
#
traffic behavior b1
car cir 10000 pir 15000 cbs 1250000 pbs 1875000 green pass yellow pass red discard
remark dscp ef
statistic enable
traffic behavior b3
remark dscp af13
statistic enable

traffic behavior b5
remark dscp af33
statistic enable
traffic behavior b2
remark dscp af33
statistic enable
traffic behavior b4
remark dscp ef
statistic enable
traffic behavior b6
remark dscp af13
statistic enable
#
traffic policy p1
#
port trunk allow-pass vlan 100 110 120
#
#
port trunk allow-pass vlan 100 110 120 200 210 220
#
return
4.2.6.2 Example for Configuring Traffic Policing Based on an Interface

You can configure interface-based traffic policing so that the Switch can provide
different bandwidth services for users.
As shown in Figure 4-7, the Switch is connected to GigabitEthernet0/0/3 through
the router; the enterprise user and residential user are connected to the Switch
through GigabitEthernet0/0/1 and GigabitEthernet0/0/2 and access the network
through the Switch and router. The enterprise user and the residential user require
8 Mbit/s and 5 Mbit/s bandwidth.

Figure 4-7 Networking diagram for configuring traffic policing
1. Configure interfaces of the Switch so that users can access the network.
2. Configure traffic policing on GigabitEthernet0/0/1 and GigabitEthernet0/0/2
of the Switch.
Data Preparation
● Uplink interface address of the Switch: 192.168.1.1/24
● VLAN IDs of the enterprise user and the residential user: VLAN 100 and VLAN
200
● CIR and CBS of the enterprise user: 8000 kbit/s and 1000000 bytes CIR and
CBS of the residential user: 5000 kbit/s and 625000 bytes
Procedure
Step 1 Create VLANs and configure interfaces of the Switch.
# Create VLANs 100, 200, and 300.
[Switch] vlan batch 100 200 300
# Configure the access types of GigabitEthernet0/0/1, GigabitEthernet0/0/2, and

GigabitEthernet0/0/3 to trunk, add GigabitEthernet0/0/1 to VLAN 100, add
GigabitEthernet0/0/2 to VLAN 200, and add GigabitEthernet0/0/3 to VLAN 100,
200, and 300.

[Switch] interface gigabitethernet0/0/1

# Create VLANIF 300 and set its network segment address to 192.168.1.1/24.

NOTE
# On the router, set the IP address of the interface connecting the router and Switch to
192.168.1.2/24.
Step 2 Configure interface-based traffic policing.

# Configure traffic policing on GigabitEthernet0/0/1 and GigabitEthernet0/0/2 of
the Switch.
<Switch> display qos lr inbound interface gigabitethernet0/0/1
GigabitEthernet0/0/1 lr inbound:
cir: 8000 Kbps, cbs: 1000000 Byte
[Switch-GigabitEthernet0/0/1] qos lr inbound cir 8000 cbs 1000000
[Switch-GigabitEthernet0/0/2] qos lr inbound cir 5000 cbs 625000
[Switch] quit

# View the traffic policing configuration.
----End
Configuration Files
#
vlan batch 100 200 300
#
interface Vlanif300
ip address 192.168.1.1 255.255.255.0
#
qos lr inbound cir 8000 cbs 1000000
#

qos lr inbound cir 5000 cbs 625000
#
#
return
4.2.6.3 Example for Configuring Traffic Shaping

You can configure traffic shaping and set different traffic shaping rates for
different types of packets to reduce the jitter and ensure bandwidth of various
services.
The Switch is connected to GigabitEthernet0/0/2 and the router; the 802.1p
priorities of voice, video, and data services from the Internet are 5, 4, and 1
respectively, and these services can reach individual users through the router and
Switch, as shown in Figure 4-8. The rate of the traffic from the network side is
greater than the rate of the LSW interface; therefore, a jitter may occur in the
outbound direction of GigabitEthernet0/0/1. To reduce the jitter and ensure the
bandwidth of various services, the requirements are as follows:
● The CIR on the interface is 20000 kbit/s.

● The CIR and PIR for the voice service are 3000 kbit/s and 5000 kbit/s
respectively.
● The CIR and PIR for the video service are 5000 kbit/s and 8000 kbit/s
respectively.
● The CIR and PIR for the data service are 2000 kbit/s and 3000 kbit/s
respectively.
Figure 4-8 Networking diagram for configuring traffic shaping

1. Create VLANs and configure each interface so that the residential user can
access the network through the Switch.
2. Configure interfaces to trust 802.1p priorities of packets.
3. Configure traffic shaping on an interface to limit the bandwidth of the
interface.
4. Configure traffic shaping in an interface queue to limit the CIRs of voice,
video, and data services.
Data Preparation
● 802.1p priorities
● Rate for traffic shaping on an interface
● Rate for traffic shaping in each interface queue
Procedure
# Create VLAN 10.
[Switch] vlan 10
# Configure the type of GigabitEthernet0/0/1 and GigabitEthernet0/0/2 as trunk,

and then add GigabitEthernet0/0/1 and GigabitEthernet0/0/2 to VLAN 10.
# Create VLANIF 10 and assign network segment address 10.10.10.1/24 to VLANIF

10.
[Switch-Vlanif10] ip address 10.10.10.1 255.255.255.0
NOTE
Assign IP address 10.10.10.2/24 to the interface connecting the router and Switch.
Step 2 Configure the interface to trust packets.

# Configure the interface to trust 802.1p priorities of packets.

[Switch-GigabitEthernet0/0/2] trust 8021p
Step 3 Configure traffic shaping on an interface.

# Configure traffic shaping on an interface of the Switch and set the CIR to 20000
kbit/s.
[Switch-GigabitEthernet0/0/1] qos lr outbound cir 20000 cbs 2500000
Step 4 Configure traffic shaping in an interface queue.

# Create the scheduling template s1; set the scheduling mode of each queue to
WRR; set the WRR weight of queue 5 to 60, WRR weight of queue 4 to 40, and
WRR weight of queue 1 to 20; retain the default weight of other queues.
[Switch] qos schedule-profile s1
[Switch-qos-schedule-profile-s1] qos wrr
[Switch-qos-schedule-profile-s1] qos queue 5 wrr weight 60
[Switch-qos-schedule-profile-s1] quit
# Apply the scheduling template s1 to GigabitEthernet0/0/1.

[Switch-GigabitEthernet0/0/1] qos schedule-profile s1
# Configure traffic shaping in the interface queues on the Switch, and then set the
CIR and PIR of the voice service to 3000 kbit/s and 5000 kbit/s, the CIR and PIR of
the video service to 5000 kbit/s and 8000 kbit/s, and the CIR and PIR of the data
service to 2000 kbit/s and 3000 kbit/s.
[Switch-GigabitEthernet0/0/1] qos queue 5 shaping cir 3000 pir 5000
[Switch] quit

# If the configuration succeeds, the committed bandwidth for the packets
transmitted by GigabitEthernet0/0/1 is 20000 kbit/s; the transmission rate of the
voice service ranges from 3000 kbit/s to 5000 kbit/s; the transmission rate of the
video service ranges from 5000 kbit/s to 8000 kbit/s; the transmission rate of the
data service ranges from 2000 kbit/s to 3000 kbit/s.
----End
Configuration Files
#
vlan 10
#
interface Vlanif10
ip address 10.10.10.1 255.255.255.0
#
qos lr outbound cir 20000 cbs 2500000
qos queue 1 shaping cir 2000 pir 3000
#


trust 8021p
#
qos schedule-profile s1
qos queue 1 wrr weight 20
#
return
4.3 Congestion Management Configuration

This chapter describes the basic concepts of congestion management, and
provides configuration methods and configuration examples of congestion
management.
4.3.1 Overview of Congestion Management

When intermittent congestion occurs on the network, delay-sensitive services
require higher QoS than others. In this case, congestion management is required.
The bandwidth needs to be increased if a network is always congested.
Congestion management uses the queue scheduling technologies. Currently, the
CX91x series adopts the following queue scheduling modes:
● PQ Scheduling
● WRR Scheduling
● DRR Scheduling
● PQ+WRR/PQ+DRR Scheduling
PQ Scheduling
Priority Queuing (PQ) scheduling is a queuing technology by which packets are
scheduled based on the priorities of queues in a strict manner. The packets of
lower priorities can be scheduled only after packets of higher priorities are
scheduled.
In PQ scheduling mode, packets of delay-sensitive core services are put into a high
priority queue and packets of other non-core services are put into a low priority
queue. This ensures that core services are sent first.
The disadvantage of PQ scheduling is that the packets of lower priorities are not
processed if there are a large number of packets of higher priorities, when
congestion occurs.
WRR Scheduling
WRR refers to Weighted Round Robin. WRR schedules packets of queues in a
polling manner, ensuring that packets in each queue are sent at a certain time.
Assume that there are eight output queues on an interface. WRR sets weights for
the eight queues, that is, w7, w6, w5, w4, w3, w2, w1, and w0. The weight
indicates a percentage of obtaining resources. For example, the weights of queues
on a 100-Mbit/s interface are set to 50, 50, 30, 30, 10, 10, 10, and 10,
corresponding to w7, w6, w5, w4, w3, w2, w1, and w0. In this case, the lowest

priority queue can obtain bandwidth of at least 5 Mbit/s. This avoids the
disadvantage of PQ scheduling.
The advantage of WRR is as follows: Although packets in multiple queues are
processed in a polling manner, the time allocated to each queue is not fixed. If a
queue is null, packets of the next queue are scheduled. This ensures better usage
of bandwidth.
The disadvantages of WRR are as follows:
● WRR allocates bandwidth according to the number of packets. When the
average length of packets in each queue is the same or known, you can
obtain the required bandwidth by setting the weight of WRR. You, however,
cannot obtain the required bandwidth by setting the weight of WRR when the
average length of packets in each queue changes.
● The packets of short-delay services such as voice services cannot be scheduled
in time.
DRR Scheduling
The principle of Deficit Round Robin (DRR) is similar to the principle of WRR.
Their difference is that WRR schedules packets according to the number of
packets, but DRR schedules packets according to the length of packets. If the
packet length exceeds the scheduling capability of a queue, DRR allows the deficit
weight to ensure that packets of a long length are scheduled. When packets are
scheduled in a polling manner again, this queue is not scheduled until the weight
becomes positive. Then, this queue participates in DRR scheduling.
DRR scheduling offsets the disadvantage of PQ scheduling and one disadvantage
of WRR scheduling (that is, bandiwdth cannot be obtained according to the
proportion).
The packets of short-delay services such as voice services cannot be scheduled in
time in DRR mode.
PQ+WRR/PQ+DRR Scheduling
PQ scheduling, WRR scheduling, and DRR scheduling have their own advantages
and disadvantages. If only PQ scheduling is used, packets of lower priorities
cannot obtain the bandwidth for a long time. If only WRR or DRR scheduling is
used, delay-sensitive services such as voice service cannot be scheduled first. PQ
+WRR or PQ+DRR scheduling can use the advantages of both PQ and WRR or DRR
scheduling and offset their disadvantages.
Through PQ+WRR or PQ+DRR scheduling, important protocol packets and delay-
sensitive service packets are put in a PQ queue and specified bandwidth is
allocated to this queue; other packets are put into a WRR or DRR queue according
to their priorities and scheduled in a polling manner according to the weight of
the queue.
4.3.2 Configuring Congestion Management

After congestion management is configured, if congestion occurs on a network,
the CX91x series determines the sequence of forwarding packets according to the
defined scheduling policy.


Before configuring congestion management, familiarize yourself with the
required data. This helps you complete the configuration task quickly and
accurately.
When congestion occurs, you can configure congestion management in the
following situations:
● The same delay and jitter are set for various types of packets, and packets of
core services such as video and voice services need to be processed first.
● Packets of non-core services of the same priority, such as email, are processed
in a fair manner, and services of different priorities are processed according to
the weights.
Before configuring congestion management, complete the following tasks:
● Configuring priority mapping based on simple traffic classification
● Configuring the remarking action of inner priorities based on complex traffic
classification
NOTE
Before configuring congestion management, you need to perform either of the preceding
tasks to map packets to different queues for scheduling.
Data Preparation
To configure congestion management, you need the following data.
No. Data
1 Mapping between the local precedence and queues.
2 Mode of queue scheduling.
3 Weight of queues in deficit round robin (DRR) scheduling mode.
4 Weight of queues in weighted round robin (WRR) scheduling mode.
5 (Optional) Minimum size of the static buffer for a queue.
6 (Optional) Maximum number of packets.
4.3.2.2 Setting the Scheduling Mode for an Interface Queue

The CX91x series supports the following scheduling modes: PQ, DRR, WRR, PQ
+DRR, and PQ+WRR.

Context
The CX91x series supports eight interface queues that can use different scheduling
algorithms. During queue scheduling, packets in a PQ queue are first scheduled. If
there are multiple PQ queues, the packets are scheduled in descending order of
priorities of these PQ queues. After packets in PQ queues are scheduled, packets in
WRR or DRR queues are scheduled in a polling manner.
By default, the scheduling mode for queues on an interface is WRR.
Procedure
Step 1 Run:
system-view

Step 2 Run:
qos schedule-profile profile-name
A global scheduling template is created and the scheduling template view is

displayed.
Step 3 Run:
qos { pq | wrr | drr }
The scheduling mode of an interface queue is set to PQ, WRR, or DRR.

By default, WRR scheduling is used.
qos queue queue-index wrr weight weight
The weight of an interface queue in WRR mode is set.

By default, the weight in WRR mode is 1.
NOTE
You need to perform this step only when the scheduling mode of an interface queue is set
to PQ+WRR or WRR.
When WRR scheduling is applied and the weight of a queue is set to 0, the queue applies
PQ scheduling and other queues apply WRR scheduling. That is, the overall scheduling
mode is PQ+WRR.

qos queue queue-index drr weight weight
The weight of an interface queue in DRR mode is set.

By default, the weight in DRR mode is 1.
NOTE
You need to perform this step only when the scheduling mode of an interface queue is set
to DRR or PQ+DRR.
When DRR scheduling is applied and the weight of a queue is set to 0, the queue applies
PQ scheduling and other queues apply DRR scheduling. That is, the overall scheduling mode
is PQ+DRR.

Step 6 Run:
quit

Step 7 Run:

Or run:
The port group view is displayed.
NOTE
If you need to set the same scheduling parameters on multiple interfaces, you can perform
the configuration on the interface group to reduce the workload. You need to create the
interface group before performing this task. For details about creating an interface group,
see section Configuration Guide-Ethernet in the CX91x Series Switch Modules
Step 8 Run:
qos schedule-profile profile-name
The scheduling template is applied.
----End
4.3.2.3 (Optional) Configuring Traffic Shaping

If the upstream bandwidth does not match the downstream bandwidth on a
network, you need to configure traffic shaping on an interface or in a queue.
For details on traffic shaping, see 4.2.4 Configuring Traffic Shaping.
4.3.3 Maintaining Congestion Management

This section describes how to maintain traffic avoidance and congestion
management.
4.3.3.1 Displaying the Queue-based Statistics

You can use display commands to view the queue-based traffic statistics such as
the number of passed and discarded packets.
Procedure
Run the display qos port statistics interface interface-type interface-number
command to view the queue-based statistics.
NOTE
Before viewing the queue statistics on an interface, you need to run the qos port statistics
enable command to enable the queue statistics function on the specified outbound
interface.

4.3.3.2 Clearing the Queue-based Statistics

You can use the reset command to clear the queue-based traffic statistics.
Procedure
NOTICE
The queue-based statistics cannot be restored after you clear them. So, confirm
In user view, run the reset qos port statistics command to clear the queue-based
statistics on an interface.

This section provides several configuration examples of congestion management.
The following uses an example to describe congestion management. Each
configuration example contains the networking requirements, precautions, and
configuration roadmap.
4.3.4.1 Example for Configuring Congestion Management

By configuring congestion avoidance and congestion management, the CX91x
series provides different services for packets of different priorities and
preferentially guarantees bandwidth for high-priority and low-delay services.
The Switch is connected to the router through GigabitEthernet0/0/3. The 802.1p
priorities of voice, video, and data services from the Internet are 5, 4, and 1, and
these services can reach residential users through the router and Switch, as shown
in Figure 4-9. To reduce the impact of network congestion and ensure bandwidth
for high-priority and low-delay services, you need to set the related parameters
according to the following table.
Table 4-3 Congestion management parameters
Service Type CoS
Voice 5
Video 4
Data 1

Figure 4-9 Networking diagram for configuring congestion management
1. Configure the VLAN for each interface so that devices can communicate with
each other at the link layer.
2. Configure interfaces to trust 802.1p priorities of packets.
3. Configure the scheduling template and apply the scheduling template to the
interface.
Data Preparation
● VLAN IDs of data packets, video packets, and voice packets: VLANs 10, 20,
and 30
● 802.1p priorities of data packets, video packets, and voice packets: 1, 4, and 5
● Scheduling parameters of each queue
Procedure
Step 1 Configure the VLAN for each interface so that devices can communicate with each
other at the link layer.
[Switch] vlan batch 10 20 30


Step 2 Configure interfaces to trust 802.1p priorities of packets.

[Switch-GigabitEthernet0/0/3] trust 8021p
Step 3 Configure congestion management.

# Create a scheduling template and set queue scheduling parameters.
[Switch] qos schedule-profile p1
[Switch-qos-schedule-profile-p1] qos wrr
[Switch-qos-schedule-profile-p1] qos queue 5 wrr weight 0
[Switch-qos-schedule-profile-p1] quit
# Apply the scheduling template toGigabitEthernet0/0/1 and GigabitEthernet0/0/2

of the Switch.
[Switch-GigabitEthernet0/0/1] qos schedule-profile p1
[Switch-GigabitEthernet0/0/2] qos schedule-profile p1

# View the scheduling template and queue scheduling parameters.
<Switch> system-view
[Switch] qos schedule-profile p1
[Switch-qos-schedule-profile-p1] display this
#
qos schedule-profile p1
----End
Configuration Files
#
vlan batch 10 20 30
#
#
#

trust 8021p
#
#
return

Configuration Guide 5 Configuration Guide-Security
5 Configuration Guide-Security
This topic describes how to configure the traffic suppression and access control list
(ACL) by using examples based on security requirements of the Switch Module
applications.
5.1 Traffic Suppression Configuration

This chapter describes the principle and configuration of traffic suppression .
5.2 ACL Configuration
The Access Control List (ACL) classifies packets according to the rules. After these
rules are applied to the interfaces on the CX91x series, the CX91x series can
determine packets that are received and rejected.
5.1 Traffic Suppression Configuration

This chapter describes the principle and configuration of traffic suppression .
5.1.1 Introduction to Traffic Suppression

This section describes the principle of traffic suppression.
Broadcast packets, multicast packets and unknown unicast packets entering the
CX91x series are forwarded on all the interfaces in a VLAN. These three types of
packets consume great bandwidth, reduces available bandwidth of the system,
and affects normal forwarding and processing capabilities.
The traffic suppression function can be used to limit the traffic entering the
interface, and to protect the CX91x series against the three types of traffic. It also
guarantees available bandwidth and processing capabilities of the CX91x series
when the traffic is abnormal.
5.1.2 Traffic Suppression Features Supported by the CX91x

series
This section describes the traffic suppression features supported by the CX91x
series.

The traffic suppression function can be configured on Ethernet interfaces of the

CX91x series .
5.1.3 Configuring Traffic Suppression

This section introduce how to configure traffic suppression on a specified interface.
To limit the rate of incoming broadcast, multicast, and unknown unicast packets
on an interface and protect the device against traffic attacks, you can configure
traffic suppression on the interface.
None
Data Preparation
To configure traffic suppression, you need the following data.
No. Data
1 Type and number of the interface where traffic suppression needs

to be configured
2 Type of traffic (broadcast, multicast, or unknown unicast traffic)

that needs to be suppressed
3 Mode in which traffic is suppressed (packet rate, or rate percentage

on a physical interface)
4 Limited rate, including packet rate and bandwidth percentage
5.1.3.2 Configuring Traffic Suppression on an Interface
Procedure
Step 1 Run:
system-view
Step 2 Run:

Traffic suppression can be configured on 10GE interfaces, or GE interfaces of the

CX91x series.
Step 3 Run:
{ broadcast-suppression | multicast-suppression | unknown-unicast-suppression } { percent-value |
value bandwidth-value }
Traffic suppression is configured.

Traffic suppression for three types of traffic can be configured on an interface of
the CX91x series. Select one of the following traffic suppression mode for the
traffic on an interface:
● To configure traffic suppression based on the bandwidth, you must select the
bandwidth-value parameter.
● To configure traffic suppression based on the bandwidth percentage, you
must select the percent-value parameter.
NOTE
The traffic suppression is set to 10% by default.

If traffic suppression is configured for a type of traffic on an interface, the latest
configuration overrides the previous configuration when the configuration of traffic
suppression for this type of traffic at different rate is sent.
----End
Prerequisite
The configurations of traffic suppression are complete.
Procedure
Run the display this command to check the configuration of traffic suppression.
Example
Run the display this command, and you can view the configuration of traffic
suppression on a specified interface. For example, to GigabitEthernet0/0/1
interface, the command output is displayed as follows:
[Base-GigabitEthernet0/0/1] display this
#
broadcast-suppression 50
#
return

This section provides several configuration examples of traffic suppression.

5.1.4.1 Example for Configuring Traffic Suppression
As shown in Figure 5-1, the Switch is connected to the Layer 2 network and Layer
3 router. To limit the number of broadcast, multicast, or unknown unicast packets
forwarded on the Layer 2 network, you can configure traffic suppression on
GigabitEthernet0/0/1.
Figure 5-1 Networking diagram for configuring traffic suppression
Configure traffic suppression in the interface view of GigabitEthernet0/0/1.
Data Preparation
● GigabitEthernet0/0/1 where traffic suppression is configured
● Traffic suppression for broadcast, unknown unicast and multicast packets
based on the rate percentage
● Maximum rate of broadcast, unknown unicast and multicast packets being 80
percent of the interface rate after traffic suppression is configured
Procedure
Step 1 Enter the interface view.
<Base> system-view
Step 2 Configure traffic suppression for broadcast packets.

[Base-GigabitEthernet0/0/1] broadcast-suppression 80
Step 3 Configure traffic suppression for multicast packets.

[Base-GigabitEthernet0/0/1] multicast-suppression 80
Step 4 Configure traffic suppression for unknown unicast packets.

[Base-GigabitEthernet0/0/1] unknown-unicast-suppression 80

Run the display this command, and you can view the configuration of traffic
suppression on GigabitEthernet0/0/1.

[Base-GigabitEthernet0/0/1] display this

#
broadcast-suppression 80
multicast-suppression 80
unknown-unicast-suppression 80
#
return
----End
5.2 ACL Configuration

The Access Control List (ACL) classifies packets according to the rules. After these
rules are applied to the interfaces on the CX91x series, the CX91x series can
determine packets that are received and rejected.
5.2.1 Introduction to the ACL

This section describes the basic concepts and parameters of an ACL.
To filter packets, a set of rules needs to be configured on the CX91x series to
determine the data packets that can pass through. These rules are defined in an
ACL.
An ACL is a series of orderly rules composed of permit and deny clauses. The
clauses are described based on the source address, destination address, and port
number of a packet, and so on. The ACL classifies packets according to the rules.
After these rules are applied to he CX91x series, the CX91x series can determine
packets that are received and rejected.
5.2.2 Classification of ACLs Supported by the CX91x series

This section describes the classification of ACLs supported by the CX91x series.
NOTE
In this manual, the ACL refers to the access control list that is used filter IPv4 packets.
Classification of ACLs
The CX91x series supports basic ACLs, advanced ACLs, layer 2 ACLs for IPv4
packets.
● Basic ACLs: classify and define data packets according to their source IP
addresses and effective time range.
● Advanced ACLs: classify and define data packets more refinedly according to
the source IP address, destination IP address, source port number, destination
port number, protocol type, precedence, and effective time range.
● Layer 2 ACLs: classify and define data packets according to the source MAC
address, destination MAC address, and protocol type.
Application of ACLs
ACLs defined on the CX91x series can be applied in the following scenarios:

● Hardware-based application: The ACL is sent to the hardware. For example,

when QoS is configured, the ACL is imported to classify packets. Note that
when the ACL is imported by QoS, the packets matching the ACL rule in deny
mode are discarded. If the action in the ACL is set to be in permit mode, the
packets matching the ACL are processed by the CX91x series according to the
action defined by the traffic behavior in QoS. For details on the traffic
behavior, see section Configuration Guide-QoS in the CX91x Series Switch
Modules V100R001C00 Configuration Guide.
● Software-based application: When the ACL is imported by the upper-layer
software, for example, the ACL is imported when the control function is
configured for login users, you can use the ACL to control FTP, Telnet and SSH
users. When the CX91x series functions as a TFTP client, you can configure an
ACL to specify the TFTP servers that the CX91x series can access through TFTP.
When the ACL is imported by the upper-layer software, the packets matching
the ACL are processed by the CX91x series according to the action deny or
permit defined in the ACL. For details on login user control, see section
Configuration Guide - Basic Configurations in the CX91x Series Switch
NOTE
● When the ACL is sent to the hardware and is imported by QoS to classify packets, the
CX91x series does not process packets according to the action defined in the traffic
behavior, if the packets does not match the ACL rule.
● When the ACL is imported by the upper-layer software and is used to control FTP ,
Telnet or SSH login users, the CX91x series discards the packets, if the packets does not
match the ACL rule.
5.2.3 Configuring an ACL

This section describes how to create an ACL, set the time range, configure the
description of an ACL, and set the step of an ACL.

Establishing the configuration task of ACL.
ACLs can be used in multiple services, such as routing policies and packet filtering,
to distinguish the types of packets and process them accordingly.
None.
Data Preparation
To configure an ACL, you need the following data.

No. Data
1 Number or name of the ACL
2 (Optional) Name of the time range when the ACL takes effect, start
time, and end time
3 (Optional) Description of the ACL
4 Number of ACL rule and the rule that identifies the type of packets,
including protocol, source address, source port, destination address,
destination port, the type and code of Internet Control Message Protocol
(ICMP), IP precedence, and Type of Service (ToS) value
5 (Optional) Step of the ACL
5.2.3.2 Creating an ACL

You can create an ACL based on the number or name.
Context
An ACL is composed of multiple lists of rules containing permit or deny clauses.
Before creating an ACL rule, you need to create an ACL.
To create an ACL, you need to specify the following parameters:
● When creating an ACL based on the number, you need to specify the ACL
number. The ACL number specifies the type of an ACL. For example, the ACL
with the number ranging from 2000 to 2999 is a basic ACL, and the ACL with
the number ranging from 3000 to 3999 is an advanced ACL.
● When creating an ACL based on the name, you need to specify the ACL name.
You can specify the number or type for a named ACL. If the number of a
named ACL is not specified, the system automatically allocates a number to
the named ACL.
Procedure
Step 1 Creating an ACL based on the number
1. Run:
system-view

2. Run:
acl [ number ] acl-number
An ACL with the specified number is created.

– The value of a basic ACL ranges from 2000 to 2999.
– The value of an advanced ACL ranges from 3000 to 3999.
– The value of a Layer 2 ACL ranges from 4000 to 4999.
Step 2 Creating an ACL based on the name

1. Run:
system-view

2. Run:
acl name acl-name [ advance | basic | link | acl-number ]
An ACL with the specified name is created.
If the number of a named ACL is not specified, the CX91x series automatically
allocates a number to the named ACL. The following situations are involved:
– If the type of a named ACL is specified, the number of the named ACL
allocated by the CX91x series is the maximum value of the named ACL of
the type.
– If the number and the type of a named ACL are not specified, the CX91x
series considers the named ACL as the advanced ACL and allocates 3999
to the named ACL.
The CX91x series does not allocate the number to a named ACL repeatedly.
----End
5.2.3.3 (Optional) Setting the Time Range When an ACL Takes Effect
When a time range is specified for an ACL, the ACL takes effect only in this time
range. If no time range is specified for the ACL, the ACL is always effective until it
is deleted or the rules of the ACL are deleted.
Procedure
Step 1 Run:
system-view
Step 2 Run:
time-range time-name { start-time to end-time days | from time1 date1 [ to time2 date2 ] }
A time range is set.
You can set the same name for multiple time ranges to describe a special period.
For example, three time ranges are set with the same name test:
● Time range 1: 2011-01-01 00:00 to 2011-12-31 23:59, a definite time range
● Time range 2: 8:00-18:00 on Monday to Friday, a periodic time range
● Time range 3: 14:00-18:00 on Saturday and Sunday, a periodic time range
The time range test includes 8:00-18:00 on Monday to Friday and 14:00-18:00 on
Saturday and Sunday in the year 2011.
----End
5.2.3.4 (Optional) Configuring the Description of an ACL

You can configure the description of an ACL to describe the function of an ACL.

Procedure
Step 1 Run:
system-view
Step 2 Run:
acl number acl-number
Or, run:
acl name acl-name
Step 3 Run:
The description of the ACL is configured.
The description of an ACL is a string of up to 127 characters, describing the usage

of the ACL.
By default, no description is configured for an ACL.
----End
5.2.3.5 Configuring a Basic ACL

Basic ACLs can classify data packets based on the source IP address.
Procedure
Step 1 Run:
system-view
Step 2 Run:
A basic ACL is created based on the number.
Or, run:
A basic ACL is created based on the name.
The value of a basic ACL ranges from 2000 to 2999.
Step 3 Run:
rule [ rule-id ] { deny | permit } [ source { source-address source-wildcard | any } | time-range time-
name ]*
An ACL rule is created.
----End

5.2.3.6 Configuring an Advanced ACL

Advanced ACLs can classify data packets based on the source IP address,
destination IP address, source port number, destination port number, and protocol
type.
Procedure
Step 1 Run:
system-view
Step 2 Run:
An advanced ACL is created based on the number.
Or, run:
An advanced ACL is created based on the name.
The value of an advanced ACL ranges from 3000 to 3999.
Step 3 Run the following command as required:
You can configure different advanced ACLs on the CX91x series according to the
protocol carried by IP. Different parameter combinations are available for different
protocol types.
● When protocol is specified as the Transmission Control Protocol (TCP), run:

rule [ rule-id ] { deny | permit } { protocol-number | tcp } [ destination { destination-address
destination-wildcard | any } | destination-port { eq | gt | lt | range } port | dscp dscp | fragment |
precedence precedence | source { source-address source-wildcard | any } | source-port { eq | gt | lt |
range } port | time-range time-name | tos tos ]*

● When protocol is specified as the User Datagram Protocol (UDP), run:
rule [ rule-id ] { deny | permit } { protocol-number | udp } [ destination { destination-address
destination-wildcard | any } | destination-port { eq | gt | lt | range } port | dscp dscp | precedence
precedence | source { source-address source-wildcard | any } | source-port { eq | gt | lt | range } port
| time-range time-name | tos tos ]*

● When protocol is specified as ICMP, run:
rule [ rule-id ] { deny | permit } { protocol-number | icmp } [ destination { destination-address
destination-wildcard | any } | dscp dscp | precedence precedence | source { source-address source-
wildcard | any } | time-range time-name | tos tos ]*
● When protocol is specified as another protocol rather than TCP, UDP, or ICMP,
run:
rule [ rule-id ] { deny | permit } { protocol-number | gre | igmp | ipinip | ospf } [ destination
{ destination-address destination-wildcard | any } | dscp dscp | fragment | precedence precedence |
source { source-address source-wildcard | any } | time-range time-name | tos tos ]*

NOTE
dscp dscp and precedence precedence cannot be specified at the same time.
----End
5.2.3.7 Configuring a Layer 2 ACL

Layer 2 ACLs can classify data packets according to the link layer information
including the source MAC address, source VLAN ID, Layer 2 protocol type, and
destination MAC address.
Procedure
Step 1 Run:
system-view

Step 2 Run:
A layer 2 ACL is created based on the number.

Or, run:
A layer 2 ACL is created based on the name.

The value of a layer 2 ACL ranges from 4000 to 4999.
Step 3 Run:
rule [ rule-id ] { permit | deny } [ l2-protocol type-value [ type-mask ] | destination-mac dest-mac-
address [ dest-mac-mask ] | source-mac source-mac-address [ source-mac-mask ] | vlan-id vlan-id [ vlan-
id-mask ] | 8021p 802.1p-value ] * [ time-range time-range-name ]
An ACL rule is created on CX91x series.
----End
5.2.3.8 (Optional) Setting the Step Between ACL Rules

The CX91x series can automatically allocates numbers to ACLs according to the
step between ACL rules.
Procedure
Step 1 Run:
system-view

Step 2 Run:
acl acl-number
Or, run:
acl name acl-name

Step 3 Run:
step step-value
The step between ACL rules is set.
When changing ACL configurations, pay attention to the following point:
● By default, the value of step-value is 5.

● The undo step command sets the default step of an ACL and re-arranges the
numbers of ACL rules.
----End

Checking the Configuration of ACL.
Prerequisites
The configurations of the ACL are complete.
Procedure
Step 1 Run:
display acl { acl-number | all }
The ACL rule based on the number is checked.
Step 2 Run:
display acl name acl-name
The ACL rule based on the name is checked.
Step 3 Run:
display time-range { all | time-name }
The time range is checked.
----End
Example
# Run the display acl command, and you can view the ACL number, rule IDs, and
step, and rule contents.
<Base> display acl 3000
Advanced ACL 3000, 1 rule
Acl's step is 5
rule 5 deny ip source 10.1.1.1 0
# Run the display acl name command, and you can view the ACL name, ACL
number, rule quantity, step, and rule contents.
<Base> display acl name test
Advanced ACL test 3999, 1 rule
Acl's step is 5
rule 5 permit tcp

# Run the display time-range command, and you can view the configuration and
status of the current time range.
<Base> display time-range all
Current time is 14:19:16 12-4-2008 Tuesday
Time-range : time1 ( Inactive )
10:00 to 12:00 daily
from 09:09 2008/9/9 to 23:59 2099/12/31

This section provides configuration examples of the ACL. The configuration
examples contain networking requirements, configuration roadmap, and
Procedure.
5.2.4.1 Example for Configuring a Basic ACL

This topic describes how to configure a basic ACL, including the rules, traffic
behavior, traffic classifier, and traffic policy.
As shown in Figure 5-2, GigabitEthernet 0/0/1 of the Switch is connected to the
user, and GigabitEthernet 0/0/2 is connected to the upstream router. It is required
that the Switch does not trusts the packets from user A whose IP address is
10.0.0.2/24.
Figure 5-2 Networking diagram for configuring a basic ACL
1. Configure the ACL.

2. Configure the traffic classifier.
3. Configure the traffic behavior.
4. Configure the traffic policy.

5. Apply the traffic policy to an interface.
Data Preparation
● ACL number
● IP address of user A
● Names of traffic classifier, traffic behavior, and traffic policy
● Interface where the traffic policy is applied
Procedure
Step 1 Configure the traffic classifier that is based on the ACL rules.
# Define the ACL rules.
[Base] acl 2000
[Base-acl-basic-2000] rule permit source 10.0.0.2 0.0.0.255
[Base-acl-basic-2000] quit
# Configure the traffic classifier and define the ACL rules.

[Base] traffic classifier tc1
[Base-classifier-tc1] if-match acl 2000
[Base-classifier-tc1] quit
Step 2 Configure the traffic behavior.

# Define the traffic behavior and disable the URPF function in the traffic behavior
view.
[Base] traffic behavior tb1
[Base-behavior-tb1] deny
[Base-behavior-tb1] quit
Step 3 Configure the traffic policy.

# Define the traffic policy and associate the traffic classifier and traffic behavior
with the traffic policy.
[Base] traffic policy tp1
[Base-trafficpolicy-tp1] classifier tc1 behavior tb1
[Base-trafficpolicy-tp1] quit
# Apply the traffic policy to GigabitEthernet 0/0/1.

[Base-GigabitEthernet0/0/1] traffic-policy tp1 inbound

# Check the configuration of the ACL rules.
Basic ACL 2000, 1 rule
Acl's step is 5
rule 5 permit source 10.0.0.0 0.0.0.255

<Base> display traffic classifier user-defined

Classifier: tc1
Operator: AND

<Base> display traffic policy user-defined tp1
Policy: tp1
Classifier: tc1
Operator: AND
Behavior: tb1
Deny
----End
Configuration Files
#
acl number 2000
rule 5 permit source 10.0.0.0 0.0.0.255
#
traffic classifier tc1 operator and
if-match acl 2000
#
traffic behavior tb1
deny
#
traffic policy tp1
classifier tc1 behavior tb1
#
traffic-policy tp1 inbound
#
return
5.2.4.2 Example for Configuring an Advanced ACL

This topic describes how to configure an advanced ACL, including the validity time
range, rules, traffic behavior, traffic classifier, and traffic policy.
As shown in Figure 5-3, the departments of the company are connected through
the Switchs. It is required that the IPv4 ACL be configured correctly. The personnel
of the R&D department and marketing department cannot access the salary query
server at 10.164.9.9 from 8:00 to 17:30, whereas the personnel of the president's
office can access the server at any time.

Figure 5-3 Networking diagram for configuring IPv4 ACLs
1. Assign IP addresses to interfaces.
2. Configure the time range.
Data Preparation
● VLAN that the interface belongs to
● Name of the time range
● ACL ID and rules
● Name of the traffic classifier and classification rules
● Name of the traffic behavior and actions
● Name of the traffic policy, and traffic classifier and traffic behavior associated
with the traffic policy
● Interface that a traffic policy is applied to
Procedure
Step 1 Assign IP addresses to interfaces.

# Add interfaces to the VLAN and assign IP addresses to the VLANIF interfaces.
Add GigabitEthernet 0/0/1, GigabitEthernet 0/0/2, GigabitEthernet 0/0/3, and
GigabitEthernet0/0/4 to VLAN 10. The first IP address of the network segment is
taken as the address of the VLANIF interface. Take GigabitEthernet 0/0/1 as an
example. The configurations of other interfaces are similar to the configuration of
GigabitEthernet 0/0/1, and are not mentioned here.
<Base> system-view
[Base] vlan batch 10
[Base] interface GigabitEthernet 0/0/1
[Base-GigabitEthernet0/0/1] port link-type access
[Base-GigabitEthernet0/0/1] port default vlan 10
[Base-Vlanif10] quit
Step 2 Configure the time range.

# Configure the time range from 8:00 to 17:30.
<Base> system-view
[Base] time-range satime 8:00 to 17:30 working-day
Step 3 Configure ACLs.

# Configure the ACL for the personnel of the marketing department to access the
salary query server.
[Base] acl 3002
[Base-acl-adv-3002] rule permit tcp source 10.164.2.0 0.0.0.255 destination 10.164.9.9 0.0.0.0 time-
range satime
[Base-acl-adv-3002] quit
# Configure the ACL for the personnel of the R&D department to access the salary
query server.
[Base] acl 3003
[Base-acl-adv-3003] rule permit tcp source 10.164.3.0 0.0.0.255 destination 10.164.9.9 0.0.0.0 time-
range satime
[Base-acl-adv-3003] quit
Step 4 Configure ACL-based traffic classifiers.

# Configure the traffic classifier c_market to classify the packets that match ACL
3002.
[Base] traffic classifier c_market
[Base-classifier-c_market] if-match acl 3002
[Base-classifier-c_market] quit
# Configure the traffic classifier c_rd to classify the packets that match ACL 3003.
[Base] traffic classifier c_rd
[Base-classifier-c_rd] if-match acl 3003
[Base-classifier-c_rd] quit
Step 5 Configure traffic behaviors.

# Configure the traffic behavior b_market to reject packets.
[Base] traffic behavior b_market
[Base-behavior-b_market] deny
[Base-behavior-b_market] quit
# Configure the traffic behavior b_rd to reject packets.

[Base] traffic behavior b_rd

[Base-behavior-b_rd] deny
[Base-behavior-b_rd] quit
Step 6 Configure traffic policies.

# Configure the traffic policy p_market and associate the traffic classifier
c_market and the traffic behavior b_market with the traffic policy.
[Base] traffic policy p_market
[Base-trafficpolicy-p_market] classifier c_market behavior b_market
[Base-trafficpolicy-p_market] quit
# Configure the traffic policy p_rd and associate the traffic classifier c_rd and the
traffic behavior b_rd with the traffic policy.
[Base] traffic policy p_rd
[Base-trafficpolicy-p_rd] classifier c_rd behavior b_rd
[Base-trafficpolicy-p_rd] quit
Step 7 Apply the traffic policy.

# Apply the traffic policy p_market to GigabitEthernet 0/0/2.
[Base-GigabitEthernet0/0/2] traffic-policy p_market inbound
# Apply the traffic policy p_rd to GigabitEthernet 0/0/3.

[Base-GigabitEthernet0/0/3] traffic-policy p_rd inbound

<Base> display acl all
Total nonempty ACL number is 2
Acl's step is 5
rule 5 deny tcp source 10.164.2.0 0.0.0.255 destination 10.164.9.9 0 time-range
satime (Inactive)
Acl's step is 5
satime (Inactive)

Classifier: c_market
Operator: AND
Classifier: c_rd
Operator: AND

<Base> display traffic policy user-defined
Policy: p_market
Classifier: c_market
Operator: AND
Behavior: b_market
Deny Policy: p_rd

Classifier: c_rd
Operator: AND
Behavior: b_rd
Deny
----End
Configuration Files
#
vlan batch 10
#
time-range satime 08:00 to 17:30 working-day
#
acl number 3002
satime
#
acl number 3003
satime
#
traffic classifier c_market operator and
if-match acl 3002
traffic classifier c_rd operator and
if-match acl 3003
#
traffic behavior b_market
deny
traffic behavior b_rd
deny
#
traffic policy p_market
classifier c_market behavior b_market
traffic policy p_rd
classifier c_rd behavior b_rd
#
interface Vlanif10
ip address 10.164.1.1 255.255.255.0
ip address 10.164.2.1 255.255.255.0 sub
ip address 10.164.3.1 255.255.255.0 sub
ip address 10.164.9.1 255.255.255.0 sub
#
#
traffic-policy p_market inbound
#
traffic-policy p_rd inbound
#
#
return
5.2.4.3 Example for Configuring a Layer 2 ACL

This topic describes how to configure a layer 2 ACL, including the rules, traffic
behavior, traffic classifier, and traffic policy.

As shown in Figure 5-4, the Switch that functions as the gateway is connected to
the PC. It is required that the ACL configured to prevent the packets with the
source MAC address as 00e0-f201-0101 and the destination MAC address as 0260-
e207-0002 from passing through.
Figure 5-4 Networking diagram for configuring layer 2 ACLs
Data Preparation
● ACL ID and rules
● Name of the traffic classifier and classification rules
● Name of the traffic behavior and actions
● Name of the traffic policy, and traffic classifier and traffic behavior associated
with the traffic policy
● Interface that a traffic policy is applied to
Procedure
Step 1 Configure an ACL.
# Configure the required layer 2 ACL.
[Base] acl 4000
[Base-acl-L2-4000] rule deny source-mac 00e0-f201-0101 ffff-ffff-ffff destination-mac 0260-e207-0002
ffff-ffff-ffff
[Base-acl-L2-4000] quit
Step 2 Configure the traffic classifier that is based on the ACL.

# Configure the traffic classifier tc1 to classify packets that match ACL 4000.
[Base] traffic classifier tc1
[Base-classifier-tc1] if-match acl 4000
[Base-classifier-tc1] quit
Step 3 Configure the traffic behavior.

# Configure the traffic behavior tb1 to reject packets.
[Base] traffic behavior tb1
[Base-behavior-tb1] deny
[Base-behavior-tb1] quit
Step 4 Configure the traffic policy.

# Configure the traffic policy tp1 and associate tc1 and tb1 with the traffic policy.
[Base] traffic policy tp1
[Base-trafficpolicy-tp1] classifier tc1 behavior tb1
[Base-trafficpolicy-tp1] quit
Step 5 Apply the traffic policy.

# Apply the traffic policy tp1 to GigabitEthernet 0/0/1.
[Base-GigabitEthernet0/0/1] traffic-policy tp1 inbound

L2 ACL 4000, 1 rule
Acl's step is 5
rule 5 deny destination-mac 0260-e207-0002 source-mac 00e0-f201-0101

Classifier: tc1
Operator: AND

<Base> display traffic policy user-defined tp1
Policy: tp1
Classifier: tc1
Operator: AND
Behavior: tb1
Deny
----End
Configuration Files
#
acl number 4000
rule 5 deny destination-mac 0260-e207-0002 source-mac 00e0-f201-0101
#
traffic classifier tc1 operator and
if-match acl 4000
#
traffic behavior tb1

deny
#
traffic policy tp1
classifier tc1 behavior tb1
#
traffic-policy tp1 inbound
#
return

Configuration Guide 6 Configuration Guide-Reliability
6 Configuration Guide-Reliability
This topic describes configuration methods and scenarios for reliability services of
a device. The configurations, including Smart Link and Monitor Link
configurations, are described by using examples.
6.1 Smart Link and Monitor Link Configuration

This chapter describes the principle, configuration procedure, and configuration
example of the Smart Link and Monitor Link.
6.1 Smart Link and Monitor Link Configuration

This chapter describes the principle, configuration procedure, and configuration
example of the Smart Link and Monitor Link.
6.1.1 Smart Link and Monitor Link

This section describes the concepts of Smart Link and Monitor Link.
The dual-homing networking is often used. In this networking, STP blocks

redundant links, providing redundancy. When the active link fails, the traffic is
switched to the standby link. Although this scheme can implement redundancy,
the performance cannot meet the requirements of users. Route convergence is
performed within several seconds even if the Rapid Spanning Tree Protocol (RSTP)
is used. The convergence speed is unfavorable for the high-end Ethernet switch
used on the core of the carrier-class network.
To address the preceding problem, Huawei introduces Smart Link in dual-homing

networking to implement redundancy of active and standby links and fast
transition. In this manner, the high performance is ensured and the configuration
is simplified.
The Monitor Link is introduced as a supplement to the Smart Link. This technology
supports the association of interfaces. A Monitor Link group consists of an uplink
interface and several downlink interfaces. If the uplink interface fails, the Monitor
Link group automatically disables the downlink interfaces. When the uplink
interface recovers, the downlink interfaces also recover.

NOTE
● The Smart Link uplink switch must support flush packets; otherwise, the network may
have some defects such as slow network failover if MAC addresses are not cleared in a
timely manner.
● Smart Link and MSTP cannot be used together.
● Both Smart Link and Monitor Link perform detection based on physical link status.
6.1.2 Configuring a Smart Link Group

This section describes how to create a Smart Link group, enable the Smart Link
group, configure the master and slave interfaces, enable the revertive switching,
and configure functions related to Flush packets.
As shown in Figure 6-1, either Switch D or Switch E at the access and convergence
layer is connected to two uplink devices. This networking mode provides higher
security and reduces the duration of service interruption caused by the link failure.
Figure 6-1 Application scenario of the Smart Link

As shown in Figure 6-1, Switch D and Switch E are connected to user devices, and
both are connected to Switch B and Switch C. Configure the Smart Link on Switch
D and Switch E and add the two uplink interfaces to the respective Smart Link
group to avoid loops. In this manner, interrupted services can be restored in
milliseconds.
Before configuring the basic functions of a Smart Link group, ensuring that the
Multiple Spanning Tree Protocol (MSTP) Rapid Ring Protection Protocol (RRPP)
and Smart Ethernet Protection (SEP) are not enabled on the master and slave
interfaces of the Smart Link group.
Data Preparation
To configure basic functions of the Smart Link group, you need the following data:
● Number of the interface added to the Smart Link group.

● ID of the Smart Link group.
● IDs of VLANs bound to the instance.
● Control VLAN ID contained in the Flush packet.
● (Optional)Password contained in the Flush packet.
6.1.2.2 Creating and Enabling a Smart Link Group
Procedure
Step 1 Run:
system-view
Step 2 Run:
smart-link group group-id
A Smart Link group is created and the Smart Link group view is displayed.
The CX91x series supports a maximum of 16 Smart Link groups.
Step 3 Run:
protected-vlan reference-instance instance-id [ to instance-id2 ]
An instance is bound to the Smart Link group as the protected instance. The
functions of the Smart link group takes effect only on the VLANs bound to the
protected instance. By default, a Smart Link group protects all VLANs and the
protected-vlan reference-instance command is applicable only to multicast
services.
----End

6.1.2.3 Configuring the Master and Slave Interfaces in a Smart Link Group
Context
The slave interface of a Smart Link group is blocked when the group is started.
An interface cannot be added to a Smart Link group in the following situations:
● Spanning Tree Protocol (STP) is enabled on the interface.

● The interface has been added to an Eth-Trunk.
● The interface has been added to a Monitor Link group.
● The interface has been added to another Smart Link group.
Procedure
Step 1 Run:
system-view
Step 2 Run:
Step 3 Run:
stp disable
STP is disabled on the interface.
Step 4 Run:
quit
Return to the interface view.
Step 5 Run:
The Smart Link group view is displayed.
Step 6 Run:
port interface-type interface-number master
An interface is added to the Smart Link group and is specified as the master
interface.
Step 7 Run:
port interface-type interface-number slave
Another interface is added to the Smart Link group and is specified as the slave
interface.
A Smart Link group consists of a master interface and a slave interface. By default,
a Smart Link group does not have interfaces.
----End

6.1.2.4 Enabling the Sending of Flush Packets
Context
When the active and standby links of the Smart Link group switch, the existing
forwarding entries no longer apply to the new topology. All the MAC address
entries and ARP entries on the network need to be updated. Then the Smart Link
group sends Flush packets to ask other devices to update the MAC address table
and ARP entries.
Because manufacturers define the format of Flush packets differently, the Flush
packets described here are used only for the intercommunication between Huawei
S-series switches. In addition, the function of receiving Flush packets must be
enabled on the remote switch.
If you run flush send control-vlan vlan-id [ password simple password ]

command in the Smart Link group view, the Smart Link group is enabled to send
Flush packets that contain the specified control VLAN ID and password. The VLAN
ID specified by vlan-id must already exist and added to Smart Link group on the
CX91x series. If the specified VLAN ID does not exist on the CX91x series, Flush
packets cannot be sent.
Do as follows on the Switch D and Switch E in Figure 6-1.
Procedure
Step 1 Run:
system-view
Step 2 Run:
Step 3 Run:
flush send control-vlan vlan-id [ password simple password ]
The CX91x series is enabled to send Flush packets, and the control VLAN ID and
password contained in Flush packets are set.
A control VLAN cannot be a VLAN mapping a load-balancing instance.
The control VLAN ID and password contained in Flush packets on both devices
must be the same. That is, the control VLAN ID and password in Flush packets
sent by the device must be the same as the control VLAN ID and password in
Flush packets received by the device.
NOTE
After the flush send control-vlan command is run, the interface cannot be added to the control
VLAN. You need to configure the interface to allow the packets of the control VLAN to pass
through.
----End

6.1.2.5 (Optional) Configuring Load Balancing in a Smart Link Group
Procedure
Step 1 Run:
system-view
Step 2 Run:
The Multiple Spanning Tree (MST) region view is displayed.
Step 3 Run:
instance instance-id vlan { vlan-id1 [ to vlan-id2 ] }&<1-10>
The mapping between an instance and VLANs is set.
A domain supports up to 49 instances, among which Instance 0 is the default

instance and does not need to be created.
By default, all VLANs are mapped to Instance 0.
Step 4 Run:
The configuration of the MST region is activated.
After configuring the domain name, VLAN mapping table, or MSTP revision level,
you must run the active region-configuration command for the configuration to
take effect.
Step 5 Run:
quit
Step 6 Run:
Step 7 Run:
load-balance instance { instance-id1 [ to instance-id2 ] } &<1-10> slave
Packets of the VLANs bound to the specified instance are sent from the slave
interface to implement load balancing.
----End
6.1.2.6 (Optional) Enabling Revertive Switching and Setting the WTR Time
Context
When the active link in a Smart Link group fails, the traffic is automatically
switched to the standby link. The original active link does not preempt the traffic

but remains blocked after recovering from the fault. To switch the traffic back to
the active link, you can adopt either of the following methods:
● Enable the revertive switching of a Smart Link group. The switching is
automatically performed after the revertive switching timer times out.
● Run the smart-link manual switch command to perform the link switching
forcibly.
NOTE
The link switching is performed only when the two member interfaces in a group are both
Up.
Procedure
Step 1 Run:
system-view

Step 2 Run:

Step 3 Run:
restore enable
Revertive switching is enabled for the Smart Link group.

Be default, the revertive switching of the Smart Link group is disabled.
timer wtr wtr-time
The wait to recover (WTR) time of the Smart Link group is set.
By default, the WTR time of a Smart Link group is 60 seconds.
----End
6.1.2.7 (Optional) Enabling the Receiving of Flush Packets
Context
An interface receives Flush packets only when it is configured with the control
VLAN ID and added to this VLAN.
Do as follows on SwitchA, SwitchB, and SwitchC shown in Figure 6-1.
Procedure
Step 1 Run:
system-view

Step 2 Run:

interface { gigabitethernet | eth-trunk| xgigabitethernet } interface-number
The view of the downlink interface of the SwitchA, SwitchB, or SwitchC is

displayed.
Step 3 Run:
smart-link flush receive control-vlan vlan-id [ password simple password ]
The interface is enabled to receive Flush packets, and the control VLAN ID and
password contained in Flush packets are set.
The password is optional. If no password is specified, no password is used for

authentication. When the control VLAN ID is changed, the password must also be
changed.
The control VLAN ID and password contained in Flush packets on both devices
must be the same. That is, the control VLAN ID and password in Flush packets
sent by the device must be the same as the control VLAN ID and password in
Flush packets received by the device.
----End
6.1.2.8 (Optional) Setting the Holdtime of the Smart Link Switchover
Context
If the Smart Link switchover is performed because of temporary interruption,
packet forwarding and system performance are affected. To address this problem,
you can set the holdtime of the Smart Link switchover. If the interface of the
Smart Link group repeatedly alternates between Up and Down states, the status
of the Smart Link group is not immediately changed, but is changed according to
the Up or Down status obtained by an interface of the Smart Link group until the
holdtime expires. In this manner, Smart Link switchover caused by link interruption
is suppressed.
Procedure
Step 1 Run:
system-view
Step 2 Run:
Step 3 Run:
smart-link hold-time hold-time
The holdtime of the Smart Link switchover is set.
----End
6.1.2.9 Enabling the Functions of the Smart Link Group

Context
After the functions of the Smart Link group are enabled, the standby interface in
the group is blocked. After the functions of the Smart Link group are disabled, the
blocked standby interface is recovered.
Procedure
Step 1 Run:
system-view

Step 2 Run:

Step 3 Run:
smart-link enable
The functions of the Smart Link group are enabled.
----End
Procedure
Step 1 Run:
display smart-link group { all | group-id }
The information about a Smart Link group is checked.

Step 2 Run:
display smart-link flush
The information about the received Flush packets are checked.
----End
Example
Run the display smart-link group { all | group-id } command to check
information about a Smart Link group. The following information is displayed:
<Base> display smart-link group 1
Smart Link group 1 information :
Smart Link group was enabled
Wtr-time is: 30 sec.
Load-Balance Instance: 1 to 2
There is no protected-vlan reference-instance
DeviceID: 0018-2000-0083 Control-vlan ID: 20
Member Role State Flush Count Last-Flush-Time
------------------------------------------------------------------------
GigabitEthernet0/0/1 Master Active 1 2008/11/21 16:37:20 UTC+05:00
GigabitEthernet0/0/2 Slave Inactive 2 2008/11/21 17:45:20 UTC+05:00
If the configuration is correct, the following information is displayed:

● The functions of the Smart Link group are enabled. Therefore, "Smart link
group was enabled" is displayed.
● The status of the interfaces in the Smart Link group is displayed, including the
role of each interface in the group, number of sent Flush packets, and time
when the last Flush packets are sent. As shown in the preceding information,
GigabitEthernet0/0/1 is the master interface in the Smart Link group; this
interface is in the Forwarding state; it sent a Flush packet at 16:37 on
2008-11-21.
● The control VLAN ID contained in the sent Flush packets is 20.
Run the display smart-link flush command, and you can view information about
received Flush packets.
<Base> display smart-link flush
Receive flush packets count: 1191
Receive last flush interface: GigabitEthernet0/0/1
Receive last flush packet time: 16:48:53 UTC+05:00 2009/02/23
Receive last flush packet source mac: 0018-0202-0088
Receive last flush packet control vlan ID: 20
6.1.3 Configuring a Flow Control Policy in a Smart Link Group

This section describes how to configure the advanced functions of the Smart Link
group, such as lock of data flows and manual switchover between links.
As shown in Figure 6-2, the basic functions and revertive switching of the Smart
Link group are enabled on Switch D. During maintenance, the active link in the
Smart Link group needs to be inspected. To prevent the inspection from affecting
normal services, you need to configure a flow control policy for the Smart Link
group. Through the configuration, you can forcibly lock the data flows to the
standby link and switch them back to the active link after the inspection is
complete.

Figure 6-2 Data flow control policy
Before configuring a flow control policy for the Smart Link group, complete 6.1.2
Configuring a Smart Link Group.
Data Preparation
None.
6.1.3.2 Locking Data Flows on the Master Interface
NOTICE
If data flows are locked on the master interface, they cannot be switched to the
slave interface automatically when the master interface fails. Thus, traffic is
interrupted.
Do as follows on SwitchD shown in Figure 6-2.
Procedure
Step 1 Run:
system-view

Step 2 Run:

Step 3 Run:
smart-link lock

Data flows are locked on the master interface.
----End
6.1.3.3 Locking Data Flows on the Slave Interface
NOTICE
If data flows are locked on the slave interface, they cannot be switched to the
master interface automatically when the slave interface fails. Thus, traffic is
interrupted.
Procedure
Step 1 Run:
system-view

Step 2 Run:

Step 3 Run:
smart-link force
Data flows are locked on the slave interface.
----End
6.1.3.4 Switching Data Flows Manually

Procedure
Step 1 Run:
system-view

Step 2 Run:

Step 3 Run:
smart-link manual switch
Data flows are switched to the other link.

To implement active/standby switchover between links, ensure that:

● The master interface and slave interface exist and are both in Up state.
● The smart-link command is not run to lock data streams.
The smart-link manual switch command can be repeatedly used in the Smart
Link group view. Each time you run the command, the active/standby switchover is
performed between links. Packet loss occurs during the switchover. The duration is
measured in milliseconds.
----End
Procedure
Run the display smart-link group { all | group-id } command to check
information about a Smart Link group.
Example
Run the display smart-link group { all | group-id } command. If lock is displayed,
it indicates that data flows are locked on the master interface. If force is
displayed, it means that data flows are locked on the slave interface.
<Base> display smart-link group 1
Link status:lock
Wtr-time is: 30 sec.
Load-Balance Instance: 1 to 2
DeviceID: 0018-2000-0083 Control-vlan ID: 20
------------------------------------------------------------------------
6.1.4 Configuring a Monitor Link Group

This section describes how to create a Monitor Link group, configure the uplink
and downlink interfaces, and enable the revertive switching.
As shown in Figure 6-3, the uplink of Switch A is faulty. Although Smart Link is
enabled on Switch C, link switching is not performed because the active link is not
faulty. In this case, services are interrupted. To enable the Smart Link group to
respond more quickly to the faults of the uplink, you need to configure the
Monitor Link function on the device connected to the active link to monitor the
status of the uplink. When a fault occurs on an uplink, the active link of the Smart
Link group is rapidly blocked. Thus, the Smart Link group can detect the fault and
switch the traffic to the standby link to reduce the service interruption duration.

When the uplink interface belongs to a Smart Link group, the uplink interface is
considered as faulty only if the master and slave interfaces of the Smart Link
group are in standby state (including the Down state).
Figure 6-3 Application scenario of the Monitor Link
Before configuring the basic functions of the Monitor Link group, complete the
following tasks:
● 6.1.2 Configuring a Smart Link Group.

● Ensuring that no interface in the Monitor Link group is added to a Eth-Trunk,
Smart Link group and other Monitor Link group.
Data Preparation
To configure the basic functions of the Monitor Link group, you need the following
data:
● ID of the Monitor Link group.

● Number of each interface added to the Monitor Link group.

● Revertive switching interval of the Monitor Link group.
● ID of the Smart Link group.
6.1.4.2 Creating a Monitor Link Group

Do as follows on SwitchA and SwitchB.
Procedure
Step 1 Run:
system-view
Step 2 Run:
monitor-link group group-id
A Monitor Link group is created and the Monitor Link group view is displayed.
----End
6.1.4.3 Configuring the Uplink and Downlink Interfaces in a Monitor Link

Group
Procedure
Step 1 Run:
system-view
Step 2 Run:
The Monitor Link group view is displayed. The CX91x series supports a maximum
of 16 Monitor Link groups.
Step 3 Run:
port interface-type interface-number { downlink [ downlink-id ] | uplink }
An interface is configured as the downlink interface or uplink interface of the

Monitor Link group.
Or run:
smart-link group group-id uplink
A Smart Link group is configured as the uplink interface of the Monitor Link
group.
An interface cannot be added to a Monitor Link group in the following situations:
● The interface is added to an Eth-Trunk.

● The interface is added to a Smart Link group.

● The interface is added to another Monitor Link group.
NOTE
The status of the uplink interface determines the status of the Monitor Link group.
Therefore, after the downlink interface is added to the Monitor Link group, the result of the
shutdown or undo shutdown command can be retained before the status of the uplink
interface changes. When the status of the uplink interface changes, the status of the
downlink interfaces changes as follows:
● When an uplink interface in Up state is added to the Monitor Link group or when an
uplink interface in Down state becomes Up, all the downlink interfaces in the Monitor
Link group become Up.
● When an uplink interface is deleted from the Monitor Link group or when an uplink
interface in Up state becomes Down, all the downlink interfaces in the Monitor Link
group become Down.
To add a Smart Link group to a Monitor Link group, you need to delete the existing uplink
interface of the Monitor Link group. The Smart Link group and common interfaces are
incompatible when serving as the uplink interface for a Monitor Link group.
----End
6.1.4.4 Setting the Revertive Switching Interval of a Monitor Link group

Procedure
Step 1 Run:
system-view
Step 2 Run:
The Monitor Link group view is displayed.
Step 3 Run:
timer recover-time recover-time
The interval of revertive switching is set.
By default, the revertive switching of a Monitor Link group is enabled and the
interval of revertive switching is 3 seconds.
----End
Procedure
Run the display monitor-link group { all | group-id } command to check
information about a Monitor Link group.

Example
Run the display monitor-link group { all | group-id } [ | count ] [ | { begin |
include | exclude } regular-expression ], and you can view basic information
about the interfaces in the Monitor Link group, including the role and status of
the interfaces and the time when the interfaces become Up or Down for the last
time.
<Base> display monitor-link group 1
Monitor Link group 1 information :
Recover-timer is 5 sec.
Member Role State Last-up-time Last-down-time
GigabitEthernet0/0/1 UpLk UP 0000/00/00 00:00:00 UTC+00:00 0000/00/00 00:00:00 UTC+00:00
GigabitEthernet0/0/2 DwLk[1] DOWN 0000/00/00 00:00:00 UTC+00:00 0000/00/00 00:00:00 UTC+00:00

This section provides several configuration examples of the Smart Link.
6.1.5.1 Example for Configuring Basic Functions of Smart Link
As shown in Figure 6-4, the user-side network is connected to the metropolitan
area network (MAN) in dual-homing mode to guarantee the reliability of the
network. In addition, ensure rapid switching of traffic over the standby link when
the active link fails so that the duration of service interruption is limited to several
milliseconds.
Figure 6-4 Networking for configuring basic functions of Smart Link

1. Configure the Smart Link group on SwitchA and add the uplink interfaces to
the Smart Link group.
2. Enable revertive switching on SwitchA.
3. Enable SwitchA to send Flush packets.
4. Enable SwitchB and SwitchC to receive Flush packets.
5. Enable the Smart Link group on SwitchA.
Data Preparation
● Smart Link group ID
● Number of the uplink interface of SwitchA
● Control VLAN ID and password contained in Flush packets
Procedure
Step 1 On SwitchA, configure the control VLAN and add interfaces to the control VLAN.
[SwitchA] vlan 10
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 10
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 10
The configurations of SwitchB and SwitchC are similar to the configuration of

SwitchA, and are not mentioned here.
Step 2 Add the STP-disabled uplink interface to the Smart Link group and specify it as
the master or slave interface.
[SwitchA-GigabitEthernet0/0/1] stp disable
[SwitchA] smart-link group 1
[SwitchA-smlk-group1] port gigabitethernet 0/0/1 master
[SwitchA-smlk-group1] port gigabitethernet 0/0/2 slave
Step 3 Enable revertive switching and set the WTR time.

[SwitchA-smlk-group1] restore enable
[SwitchA-smlk-group1] timer wtr 30
Step 4 Enable the function of sending Flush packets.

[SwitchA-smlk-group1] flush send control-vlan 10 password simple 123
Step 5 Enable the Smart Link group on SwitchA.

[SwitchA-smlk-group1] smart-link enable
Step 6 Enable the function of receiving Flush packets.

[SwitchB-GigabitEthernet0/0/1] smart-link flush receive control-vlan 10 password simple 123
# Configure SwitchC.
[SwitchC] interface gigabitethernet 0/0/1
[SwitchC-GigabitEthernet0/0/1] smart-link flush receive control-vlan 10 password simple 123

# Run the display smart-link group command to view information about the
Smart Link group on SwitchA. If the following information is displayed, it indicates
that the configuration is successful:
● The Smart Link group is enabled.
● The control VLAN ID is 10.
● GigabitEthernet 0/0/1 is the master interface and is in Active state, and
GigabitEthernet 0/0/2 is the slave interface and is in Inactive state.
<SwitchA> display smart-link group 1
There is no Load-Balance
DeviceID: 0025-9e80-2494 Control-vlan ID: 10
----------------------------------------------------------------------
# Run the shutdown command to shut down GigabitEthernet 0/0/1, and you can
find that GigabitEthernet 0/0/1 is in Inactive state and GigabitEthernet 0/0/2 is in
Active state.
[SwitchA-GigabitEthernet0/0/1] shutdown
[SwitchA-GigabitEthernet0/0/1]display smart-link group 1
----------------------------------------------------------------------
GigabitEthernet0/0/1 Master Inactive 1 0000/00/00 00:00:00 UTC+00:00
GigabitEthernet0/0/2 Slave Active 1 0000/00/00 00:00:00 UTC+00:00
# Run the undo shutdown command to shut down GigabitEthernet 0/0/1, and
you can find that GigabitEthernet 0/0/1 is in Active state and GigabitEthernet
0/0/2 is in Inactive state.
[SwitchA-GigabitEthernet0/0/1] undo shutdown
[SwitchA-GigabitEthernet0/0/1] display smart-link group 1

----------------------------------------------------------------------
----End
Configuration Files
#
vlan 10
#
stp disable
#
stp disable
#
smart-link group 1
restore enable
smart-link enable
port GigabitEthernet0/0/1 master
port GigabitEthernet0/0/2 slave
timer wtr 30
flush send control-vlan 10 password simple 123
#
return
#
vlan 10
#
smart-link flush receive control-vlan 10 password simple 123
#
return
#
vlan 10
#
#
return
6.1.5.2 Example for Configuring Load Balancing Between Active and Standby
Links of a Smart Link Group
As shown in Figure 6-5, packets of VLAN 100 and VLAN 500 are transmitted
through the standby link, and packets of other VLANs are transmitted through the
active link. To ensure network reliability, the customer network is dual-homed to
the MAN. When the active link fails, packets on the active link can be switched to
the standby link quickly. When the standby link fails, packets of VLAN 100 and

VLAN 500 can be switched to the active link quickly. The service interruption
duration is restricted to millisecond level.
Figure 6-5 Networking diagram for configuring load balancing between active
and standby links of a Smart Link group
1. On SwitchA, configure Smart Link multi-instance and add the uplink

interfaces to the Smart Link group.
2. Configure load balancing on SwitchA.
3. Enable revertive switching on SwitchA.
4. Enable SwitchA to send Flush packets.
5. Enable SwitchB and SwitchC to receive Flush packets.
6. Enable Smart Link on SwitchA.
Data Preparation
● IDs of instances and IDs of the VLANs bound to the instances on SwitchA.
● ID of a Smart Link group.
● Numbers of the uplink interfaces on SwitchA.
● Control VLAN ID and password contained in Flush packets.

Procedure
Step 1 On SwitchA, configure the control VLAN and add the uplink interfaces to the
control VLAN.
[SwitchA] vlan batch 10 100 500
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 10 100 500
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 10 100 500
The configurations of SwitchB and SwitchC are similar to the configuration of

SwitchA, and are not mentioned here.
Step 2 Configure VLAN mapping on SwitchA.
[SwitchA] stp region-configuration
[SwitchA-mst-region] instance 10 vlan 100 500
[SwitchA-mst-region] active region-configuration
[SwitchA-mst-region] quit
Step 3 Add the uplink interfaces to the Smart Link group and specify the master and
slave interfaces. Ensure that STP is disabled on the uplink interfaces.
Step 4 Configure load balancing on SwitchA.

[SwitchA-smlk-group1] load-balance instance 10 slave
Step 5 Enable the revertive switching and set the wait-to-restore (WTR) time.
Step 6 Enable the sending of Flush packets.

Step 7 Enable Smart Link on SwitchA.

Step 8 Enable the receiving of Flush packets.

# Configure SwitchC.


[SwitchC-GigabitEthernet0/0/1] smart-link flush receive control-vlan 10 password simple 123
# Run the display smart-link group command to view information about the
Smart Link group on SwitchA. If the following information is displayed, it indicates
that the configuration is successful.
● The Smart Link function is enabled.

● The control VLAN ID is 10.
● GigabitEthernet0/0/1 is the master interface and is in Active state, and
GigabitEthernet0/0/2 is the slave interface and is in Inactive state. The load
balancing function is configured.
Load-Balance Instance: 10
----------------------------------------------------------------------
# Run the shutdown command to shut down GigabitEthernet0/0/1, and you can
find that GigabitEthernet0/0/1 is in Inactive state and GigabitEthernet0/0/2 is in
Active state.
[SwitchA-GigabitEthernet0/0/1] shutdown
----------------------------------------------------------------------
GigabitEthernet0/0/1 Master Inactive 1 0000/00/00 00:00:00 UTC+00:00
GigabitEthernet0/0/2 Slave Active 1 0000/00/00 00:00:00 UTC+00:00
# Run the undo shutdown command to enable GigabitEthernet0/0/1and wait for

30 seconds. Then you can find that GigabitEthernet0/0/1 is in Active state and
GigabitEthernet0/0/2 is in Inactive state.
[SwitchA-GigabitEthernet0/0/1] undo shutdown
----------------------------------------------------------------------
----End
Configuration Files

#
#
instance 10 vlan 10 100 500
#
stp disable
#
stp disable
#
smart-link group 1
load-balance instance 10 slave
restore enable
smart-link enable
timer wtr 30
#
return

#
#
#
return

#
#
#
return
6.1.5.3 Example for Applying the Smart Link Functions
As shown in Figure 6-6, Switch C on the MAN is connected to user networks. It
accesses the backbone network through uplink devices Switch A and Switch B in
dual-homed mode.
Switch A and Switch C are connected to uplink devices in dual-homed mode. One
out of each link pair needs to be blocked to prevent loops. When the active link
fails, the data flows can be rapidly switched to the standby link to ensure normal
services.
A monitoring mechanism is required to prevent service interruption caused by
faults of the uplink. This monitoring mechanism enables the downlink to quickly

detect the fault of the uplink. When the uplink fails, link switching can be
performed immediately to shorten the duration of service interruption.
Figure 6-6 Networking of Smart Link application
1. Configure Smart Link groups on Switch A and Switch C, and add uplink
interfaces to the groups.
2. Configure Monitor Link groups on Switch A and Switch B.
3. Enable Switch A and Switch C to send Flush packets.
4. Enable Switch A and Switch C to receive Flush packets.
Data Preparation
● Numbers of interfaces on Switch A, Switch B, and Switch C

● IDs of the Smart Link groups

● Control VLAN ID and password contained in Flush packets
● IDs of the Monitor Link groups and the numbers of the downlinks
Procedure
Step 1 Configure the same control VLAN on Switch A, Switch B, and Switch C. Add the
interfaces of the Smart Link group or Monitor Link group to this VLAN.
The configuration procedures are not mentioned here. For details, see section
VLAN Configuration in Chapter Configuration Guide - Ethernet in the CX91x
Series Switch Modules V100R001C00 Configuration Guide.
Step 2 Create Smart Link groups and enable the functions of the groups.
# Configure Switch A.
[SwitchA-smlk-group1] quit
# Configure Switch C.
<SwitchC> system-view
[SwitchC] smart-link group 2
[SwitchC-smlk-group2] quit
Step 3 Add interfaces to Smart Link groups and specify the master and slave interfaces of
each Smart Link group
[SwitchA]smart-link group 1
[SwitchC-GigabitEthernet0/0/1] stp disable
[SwitchC-GigabitEthernet0/0/2] stp disable
[SwitchC-smlk-group2] port gigabitethernet 0/0/1 master
[SwitchC-smlk-group2] port gigabitethernet 0/0/2 slave
Step 4 Enable revertive switching and set the interval of revertive switching.
[SwitchC-smlk-group2] restore enable
[SwitchC-smlk-group2] timer wtr 30

Step 5 Enable the sending and receiving of Flush packets.

[SwitchA-GigabitEthernet0/0/3] smart-link flush receive control-vlan 10 password simple 123
# Configure Switch B.
<SwitchB> system-view
[SwitchC-smlk-group2] flush send control-vlan 10 password simple 123
Step 6 Enabling the Functions of the Smart Link Group

[SwitchC-smlk-group2] smart-link enable
[SwitchC-smlk-group2] quit
Step 7 Create Monitor Link groups and add the uplink and downlink interfaces to the
Monitor Link groups.
[SwitchA] monitor-link group 1
[SwitchA-mtlk-group1] smart-link group 1 uplink
[SwitchA-mtlk-group1] port gigabitethernet 0/0/3 downlink 1
[SwitchB] monitor-link group 2
[SwitchB-mtlk-group2] port gigabitethernet 0/0/1 uplink
[SwitchB-mtlk-group2] port gigabitethernet 0/0/3 downlink 1
Step 8 Set the revertive switching interval of the Monitor Link groups.
[SwitchA-mtlk-group1] timer recover-time 10
[SwitchB-mtlk-group2] timer recover-time 10

----------------------------------------------------------------------

<SwitchA> display monitor-link group 1

Monitor Link group 1 information :
Recover-timer is 10 sec.
Member Role State Last-up-time Last-down-time
Smart-link1 UpLk DOWN 0000/00/00 00:00:00 UTC+00:00 0000/0
0/00 00:00:00 UTC+00:00
GigabitEthernet0/0/3 DwLk[1] DOWN 0000/00/00 00:00:00 UTC+00:00 0000/0
0/00 00:00:00 UTC+00:00
----End
Configuration Files
● Configuration file of Switch A
#
vlan 10
#
stp disable
#
stp disable
#
#
smart-link group 1
smart-link enable
timer wtr 30
restore enable
#
monitor-link group 1
smart-link group 1 uplink
port GigabitEthernet0/0/3 downlink 1
timer recover-time 10
#
return
● Configuration file of Switch B

#
vlan 10
#
#
#
monitor-link group 2
port GigabitEthernet0/0/1 uplink
port GigabitEthernet0/0/3 downlink 1
timer recover-time 10
#
return
● Configuration file of Switch C

#
vlan 10
#
stp disable
#
stp disable
#
smart-link group 2
smart-link enable
timer wtr 30
restore enable
#
return

Configuration Guide 7 Configuration Guide-Device Management
7 Configuration Guide-Device
Management
This topic describes how to view the device status, restart a device, and configure
a device by using the information center, monitoring, and mirroring functions.
NOTE
The terms mirrored port, port mirroring, traffic mirroring, and mirroing in this manual are
mentioned only to describe the product's function of communication error or failure
detection, and do not involve collection or processing of any personal information or
communication data of users.
7.1 Using display commands to check the status of the device

This chapter describes the maintenance, usage of the display commands and the
regular expression.
7.2 Monitoring the Device Through the Information Center
This chapter describes the basics of the information center, introduces the
procedure for managing the information center and monitoring the CX91x series
device, and provides configuration examples.
7.3 Mirroring
The mirroring function is used to monitor packets that meet certain requirements.
7.4 Restarting
This chapter describes how to restart the CX91x series.
7.1 Using display commands to check the status of the

device
This chapter describes the maintenance, usage of the display commands and the
regular expression.
7.1.1 Introduction
This topic describes function of the display commands.

The CX91x series provides two independent switching systems: Base and Fabric.
You need to manage and maintain devices in the two switching systems
separately.
Either switch system provides two independent file systems: flash system (Flash:/)
and FlashVX system (flashVx:/). The flash system stores the switching software
programs and configuration file. The FlashVX system stores temporary data.
● After the CX91x series is powered off, the data on the FlashVX system will be
lost.
● After you use the reboot command to restart the board, the data will not be
lost.
NOTE
The data in the flash file system is not lost after the CX91x series is powered off or you
execute the reboot command.
You can use display commands to view the status of a device and check whether
the device runs normally.
NOTE
The management module manages all the hardware in the E9000 chassis, including the
chassis, management modules, boards, and fan trays. For details about management
module functions, see the MM910 Management Module V100R001 User Guide.
7.1.2 Checking the Status of the CX91x series

This topic describes how to check the status of the CX91x series by using the
display commands.
7.1.2.1 Checking Information About the CX91x series

This topic describes how to check device information.
Context
You can run the following command in any view to check the device infomation of
the CX91x series.
Procedure
Step 1 Run:
display device
Information about the device of the CX91x series is displayed.
----End
7.1.2.2 Checking the Version of the CX91x series

This topic describes how to check device hardware version and software version
information.

Context
You can run the display version command in any view to check the hardware
version and software version of the CX91x series.
Procedure
Step 1 Run:
display version
The hardware version and software version of the CX91x series is displayed.
----End
7.1.2.3 Checking the CPU Usage

You can check the CPU utilization statistics and CPU configurations.
Procedure
Step 1 Run:
display cpu-usage [ configuration]
The CPU utilization statistics and CPU configurations are displayed.
----End
7.1.2.4 Checking the Memory Usage

This topic describes how to view memory information, including the statistics time,
total memory capacity, occupied memory, and memory usage.
Context
You can run the following command in any view to check the memory usage of
the CX91x series.
If the memory usage exceeds 80%, contact Huawei technical support.
Procedure
Step 1 Run:
display memory-usage
The memory usage is displayed.
----End
7.2 Monitoring the Device Through the Information

Center
This chapter describes the basics of the information center, introduces the
procedure for managing the information center and monitoring the CX91x series
device, and provides configuration examples.

7.2.1 Information Center Overview

The information center controls the output of logs, traps, and debugging
messages.
7.2.1.1 Introduction to the Information Center

The information center works as the information hub of a Switch Module. It
classifies and filters the output of a system. The information center helps network
administrator and developers monitor network operation and analyze network
faults.
7.2.1.2 Information Center Supported by the CX91x series

In the CX91x series, the information center outputs logs, traps, and debugging
messages with eight severity levels to different directions through 10 information
channels.
Information Classification
The information receives and processes the following types of information:
● Logs
● Debugging information
● Trap information
Severity Levels of Information

Information is classified into eight severity levels as shown in Table 7-1. The
severer the information level is, the lower the severity level value is.
Table 7-1 Description of the severity levels of information
Threshold Severity Level Description
0 Emergency A fatal fault, such as a programme exception

or incorrect use of the memory, occurs on the
device. The system must restart.
1 Alert An important fault, such as the device

memory usage reaching the highest limit,
occurs in device. The fault then needs to be
removed immediately.
2 Critical A crucial fault occurs, such as the memory

usage or temperature reaches the lowest limit,
the BFD device is unreachable, or an internal
fault that is generated by the device itself. The
fault then needs to be analyzed and removed.

Threshold Severity Level Description
3 Error A fault caused by an improper operation or a

wrong process occurs, such as entering a
wrong command or wrong user password or
receiving wrong protocol packets from other
devices.
The faults do not affect services, but you need
to check the faults and perform cause
analysis.
4 Warning An abnormal situation of the running device

occurs, such as the user disables the routing
process, BFD detects packet loss, or the wrong
protocol packet is received.
The fault should be paid attention to because
it may affect services.
5 Notice Indicates the key operations used to ensure

that the device runs normally, such as the
shutdown command, neighbor discovery, or
the state machine.
6 Informational Indicates the common operations to ensure

that the device runs normally, such as the
display command.
7 Debugging Indicates the common information of the

device that need not be paid attention to.
When information filtering based on severity levels is enabled, only the

information whose severity level threshold is less than or equal to the configured
value is output.
For example, if the severity level value is configured to 6, only the information
with the severity level value from 0 to 6 is output.
Working Process of an Information Center

The working process of the information center is as follows:
● The information center receives logs, traps, and debugging information from
all modules.
● The information center outputs information with different severity levels to
different information channels according to the configurations of users.
● The information is transmitted to different directions based on the association
relationship between the information channel and the output direction.
Generally, the information center distributes the three types of information that
can be classified into eight levels to ten information channels. The information is
then output to different directions.
As shown in Figure 7-1, logs, traps, and debugging information have default
output channels. You can, however, customize them to be output from other

channels. For example, you can configure logs to be output to the log cache
through Channel 6 rather than Channel 3.
Figure 7-1 Functions of the information channel
Information Channels and Output Directions

The system supports ten channels. The first six channels (Channel 0 to Channel 5)
have their default channel names, and are associated with six output directions.
For details of association relationship between default channels and output
directions, see Table 7-2.
Table 7-2 Association relationship between the information channels and output
directions
Channel Default Output Description
Number Channel Name Direction
0 Console Console Outputs the information to the local

Console that can receive logs, traps,
and debugging information.
1 Monitor Monitor Outputs the information to the VTY

terminals that can receive logs, traps,
and debugging information and then
perform remote maintenance.

Channel Default Output Description

Number Channel Name Direction
2 Loghost Log host Outputs the information to the log

host that can receive logs, traps, and
debugging information. The
information is saved to a log host in
the file format for easy reference.
3 Trapbuffer Trap buffer Outputs information to the trap

buffer that can receive traps. An area
is specified inside a device as the trap
buffer to record traps.
4 Logbuffer Log buffer Outputs the information to the log

buffer area that can receive logs. The
Switch Module assigns a specified
area in itself to be the log buffer area
that can record the information.
5 Snmpagent SNMP Outputs the information to the

agent SNMP agent that can receive traps.
6 Unspecified Unspecifie Reserved.

d

d

d

d
When multiple log hosts are configured, you can configure logs to be output to
different log hosts through one channel or several channels. For example,
configure parts of logs to be output to a log host either through Channel 2
(loghost) or through Channel 6. You can also change the name of Channel 6 for
managing channel conveniently.
Format of Logs
Syslog is a sub-function of the information center. It transmits information to a log
host using port 514 over UDP.
Figure 7-2 shows the format of logs.
Figure 7-2 Format of the output logs
Table 7-3 describes each field in the log format.

Table 7-3 Description of each field in the format of logs

Field Indication Description
<Int_16> Leading character Before logs are output to log hosts, leading
characters are added.
Logs saved in the local device do not
contain leading characters.
TIMESTAMP Time to send out Timestamp has five formats.

the information ● boot: indicates the relative time.
● date: indicates the time of the system.
Logs, traps and debugging information
adopt this format by default.
● short-date: The only difference between
date format and short-date is that
short-date does not include the year.
● format-date: It is another time format of
the system time.
● none: indicates that the information
does not contain timestamp.
There is a space between the timestamp
and the host name.
HOSTNAME Host name The default host name varies according to

planes:
● Onboard GE switching plane: Base
● 10GE switching plane: Fabric
%% Log information Indicates that this piece of log is output by

the device produced by Huawei.
dd Version number Identifies the version of the log format.
AAA Module name Indicates the name of the module that

outputs information to an information
center.
B Log level Indicates the severity levels of logs.
CCC Brief description Describes the information type.
(l) Information type l: indicates the user log identifier.
slot=XXX Location Slot indicates the number of the slot that

information sends the location information.
YYYY Descriptor Indicates the detailed information output

from each module to the information
center.
Each module fills in this field before
outputting logs to describe the detailed
contents of logs.

Format of Traps
Figure 7-3 shows the format of the output traps.
Figure 7-3 Format of the output traps
Table 7-4 describes each field of the trap format.
Table 7-4 Description of each field of the format of traps

TimeStamp Time to send out Five timestamp formats are available:

the information ● boot: indicates relative time.
● date: indicates the timestamp in the
format of system time. Logs, traps and
debugging information adopt this
format by default.
● short-date: indicates system time. The
short-date format does not contain year
information.
● format-date: indicates another format of
system time.
● none: indicates that no timestamp is
contained in traps.
The timestamp and the host name are
separated by a blank space.
HostName Host name The default host name varies according to

planes:
● Onboard GE switching plane: Base
● 10GE switching plane: Fabric
There is a space between the sysname and
module name.
ModuleNam Module name Indicates the name of the module that

e generates a trap.

Severity Severity level Indicates the severity levels of traps:

● Critical
● Major
● Minor
● Warning
● Indeterminate
● Cleared
Brief Brief information Brief information about a trap.
Description Description Description of a trap.
7.2.2 Configuring the Information Center

This topic describes how to manage and configure the information center.

This topic describes the information to be understood before establishing a
configuration task, including the applicable environment, pre-configuration tasks,
and data preparation.
To collect debugging information, logs, and traps during the operation of the
CX91x series, and to send them to the terminal for display, or to the buffer or the
host for storage, you need to configure the information center.
None.
Data Preparation
To manage the information center, you need the following data.
No. Data
1 Numbers and names of the information channels
2 (Optional) Format of the timestamp
3 Severity level
4 Language used in the logs and the address of the log host
5 (Optional) Size of the log buffer and the trap buffer

7.2.2.2 Enabling the Information Center

This topic describes how to enable the information center. System output
information can be sent to the log host and console only after the information
center is enabled.
Procedure
Step 1 Run:
system-view

Step 2 Run:
info-center enable
The information center function is enabled.
----End
7.2.2.3 (Optional) Naming the Information Channel

This topic describes how to name a information channel.
Prerequisites
You must have the adminitrator rights to perform the operation.
Procedure
Step 1 Run:
system-view

Step 2 Run:
info-center channel channel-number name channel-name
Channels are named to send debugging information, logs, and traps.
----End
7.2.2.4 Defining the Information to Be Sent to the Information Center

This topic describes how to specify a module for sending information to
information channels.
Prerequisites
Procedure
Step 1 Run:
system-view

Step 2 Run:
info-center source { module-name| default } channel { channel-number | channel-name } [ { debug | log
| trap } { state { off | on } | level severity } * ] *
A module (or modules) is specified to send debugging information, logs, or traps

to the information channels.
NOTE
Run the undo info-center source { module-name | default } channel { channel-number |

channel-name } command to disable the unnecessary modules and select one or more
modules to send information to the information channels.
----End
7.2.2.5 (Optional) Configuring the Timestamp for the Output Information

This topic describes how to configure the timestamp for output information.
Prerequisites
Procedure
Step 1 Run:
system-view
Step 2 Run:
info-center timestamp debugging { boot | none | { short-date | format-date | date } [ precision-time
{ tenth-second | second } ] }
The format of the timestamp is set for the debugging information.
Step 3 Run:
info-center timestamp { trap | log } { boot | none | { short-date | format-date | date } [ precision-time
{ tenth-second | millisecond } ] }
The format of the timestamp is set for the output logs or traps information.
----End

This topic describes how to check the information center configuration.
NOTE
Run the following commands to check the previous configuration.

Action Command
Check the configuration of the display channel [ channel-number | channel-

channel. name ]
Check the information recorded display info-center [ statistics ]
by the information center.
Check the information in the display logbuffer [ level severity | module

log buffer of the memory. module-name | size value | slot slot-id ]*
Check the summary of the display logbuffer summary [ level severity |
information in the log buffer. slot slot-id ]
Check the information in the display trapbuffer [ size value ]

trap buffer of the memory.
7.2.3 Sending Information of the Information Center

This topic describes how to send information to the specified direction.
7.2.3.1 Sending Information to the Console

This topic describes how to configure the information to be sent to the console.
Prerequisites
Procedure
Step 1 Run:
system-view

Step 2 Run:
info-center console channel { channel-number | channel-name }
Set the channel for writing information to the console.

Step 3 Run:
quit

Step 4 Run:
terminal monitor
The terminal is enabled to display information.

By default, the terminal is enabled to display information.
Step 5 Run:
terminal debugging

or
terminal logging
or
terminal trapping
The terminal is enabled to display debugging information, logs, and traps.
NOTE
Step 4 and Step 5 are not listed in sequence.
----End
7.2.3.2 Sending Information to the Telnet Terminal

This topic describes how to configure the information to be sent to the telnet
terminal.
Prerequisites
Procedure
Step 1 Run:
system-view
Step 2 Run:
info-center monitor channel { channel-number | channel-name }
Set the channel for writing information to the Telnet terminal.
Step 3 Run:
quit
Step 4 Run:
terminal monitor
The terminal is enabled to display information.
Step 5 Run:
terminal debugging
or
terminal logging
or
terminal trapping
The terminal is enabled to display debugging information, logs, and traps.
NOTE
Step 4 and Step 5 are not listed in sequence.
----End

7.2.3.3 Sending Information to the SNMP Agent

This topic describes how to configure information to be sent to the Simple
Network Management Protocol (SNMP) agent.
Prerequisites
Procedure
Step 1 Run:
system-view

Step 2 Run:
info-center snmp channel { channel-number | channel-name }
Set the channel for writing information to the SNMP agent.

Step 3 Run:
snmp-agent
The SNMP agent is enabled.

For details on configuring the SNMP agent, see section SNMP Configuration in
Chapter Network Management in the CX91x Series Switch Modules
----End
7.2.3.4 Sending Information to the Log Buffer

This topic describes how to configure information to be sent to the log buffer.
Prerequisites
Procedure
Step 1 Run:
system-view

Step 2 Run:
info-center logbuffer [ channel { channel-number | channel-name } | size buffersize ] *
Set the channel for writing information to the log buffer.
----End
7.2.3.5 Sending Information to the Trap Buffer

This topic describes how to configure information to be sent to the trap buffer.

Prerequisites
Procedure
Step 1 Run:
system-view
Step 2 Run:
info-center trapbuffer [ channel { channel-number | channel-name } | size buffersize ] *
Set the channel for writing information to the trap buffer.
----End
7.2.3.6 Sending Information to the Log Host

This topic describes how to configure information to be sent to the log host.
Prerequisites
Procedure
Step 1 Run:
system-view
Step 2 Run:
info-center loghost ip-address [ channel { channel-number | channel-name } | facility local-number |
{ language language-name | binary [ port ] } | { public-net } ] *
Set the channel for writing information to the IPv4 log host.
Step 3 Run:
info-center loghost source interface-type interface-number
The source interface for sending logs is specified.
----End
7.2.3.7 Writing Information to the Log File

This topic describes how to configure the channel and maximum file size for
writing log information.
Prerequisites

Context
All operating logs are stored in the log.log file in R:/logfile.
NOTE
For CX91x series, you can run the save logfile command to save the logs in the log buffer
to the log file, and run the copy command to copy the log.log file to Flash:/. For details
about save logfile, see the CX91x Series Switch Modules V100R001C00 Command
Reference.
Procedure
Step 1 Run the command system-view to go to the system view.
Step 2 Run info-center logfile [ channel { channel-number | channel-name } | size

logfilesize ] * to set the channel and maximum file size for writing log information.
----End

This topic describes how to check the configuration.
Action Command
Check statistics in the display info-center [ statistics ]

information center.
Run the preceding command. If the information center can send the statistics to
the destination terminal, it means that the configuration succeeds.
7.2.4 Maintaining the Information Center

This section describes how to clear the statistics.
NOTICE
Statistics cannot be restored after being cleared. So, confirm the action before you
run the command.
Action Command
Clear the statistics in the reset info-center statistics

information center.
Clear the information in the reset logbuffer

log buffer.

Action Command
Clear the information in the reset trapbuffer

trap buffer.

This section provides examples for configuring the information center.
7.2.5.1 Example for Configuring the Information Center

This topic describes an example for configuring the information center.
Figure 7-4 Network diagram of sending logs to the log host
1. Enable the information center.

2. Configure the information channel to ensure that the CX91x series can
correctly send logs to the log host. Disable the sending of the traps and
debugging information to the log host.
3. Configure the log host.
Data Preparation
● The IP address of the log host is specified as 1.0.0.1/8.

Configuration Procedure
NOTE
In the example, only the commands related to monitoring are listed. For details on
configuring the log host, see the help files on the log host.
Step 1 Enable the information center.

# Enable the information center. By default, the information center on the CX91x
series is enabled.
<Base>system-view
[Base]info-center enable
Info:Information center is enabled
Step 2 Configure the information to be sent to the information center.

# Send logs of severity levels 0 to 7 from all modules on the CX91x series through
the channel to the log host. Disable the sending of the debugging information and
traps through the channel to the log host.
[Base] info-center source default channel loghost log level debugging state on trap state off debug
state off
# Verify the configuration.

[Base] display channel loghost
channel number:2, channel name:loghost
MODU_ID NAME ENABLE LOG_LEVEL ENABLE TRAP_LEVEL ENABLE DEBUG_LEVEL
ffff0000 default Y debugging N debugging N debugging
Step 3 Configure the log host.

# Set the IP address of the log host to 1.0.0.1.
[Base] info-center loghost 1.0.0.1
# Set VLANIF 10 as the interface for sending information to the log host on the
CX91x series.
[Base] vlan 10
[Base-vlan10] quit
[Base] interface GigabitEthernet0/0/1
[Base-GigabitEthernet0/0/1] port link-type hybrid
[Base] interface vlanif 10 [Base-vlanif10] ip address 2.0.0.1 255.0.0.0
[Base-vlanif10] quit
[Base] info-center loghost source vlanif 10
# Verify the configuration.

[Base] display info-center
Information Center:enabled
Log host:
the interface name of the source address:vlanif 10
1.0.0.1, channel number 2, channel name loghost,
language English , host facility local7
Console:
channel number : 0, channel name : console
Monitor:
channel number : 1, channel name : monitor
SNMP Agent:
channel number : 5, channel name : snmpagent
Log buffer:

enabled,max buffer size 1024, current buffer size 512,

current messages 440, channel number : 4, channel name : logbuffer
dropped messages 0, overwritten messages 0
Trap buffer:
enabled,max buffer size 1024, current buffer size 256,
current messages 1, channel number:3, channel name:trapbuffer
dropped messages 0, overwritten messages 0
Information timestamp setting:
log - date, trap - date, debug - boot
Sent messages = 499, Received messages = 499
IO Reg messages = 0 IO Sent messages = 0
Step 4 Enable the terminal display of the console.
# Enable the terminal display of the console. Enable the corresponding terminal
display to check the information type as required.
[Base] info-center console channel 0
[Base] quit
<Base> terminal monitor
Info:Current terminal monitor is on
<Base> terminal logging
Info:Current terminal logging is on
----End
Configuration Files
#
info-center source default channel loghost log level debugging state on trap state off debug state off
info-center loghost source vlanif 10
info-center loghost 1.0.0.1
info-center console channel 0
#
#
vlan batch 10
#
interface vlanif10
ip address 2.0.0.1 255.0.0.0
#
#
return
7.3 Mirroring
The mirroring function is used to monitor packets that meet certain requirements.
7.3.1 Introduction
This section describes the basics of mirroring.
7.3.1.1 Mirroring Functions

This topic describes the mirroring in terms of its concept and functions.

Mirroring is to copy packets to an observing port to monitor packets without

affecting packet forwarding. You can use the mirroring function for network check
and troubleshooting.
This topic describes port mirroring.
Concepts
● Observing port
An observing port on the CX91x series is connected to a monitoring host. It is
used to export the packets copied from a mirrored port.
● Mirrored port
A mirrored port is the interface to be observed. Incoming packets or outgoing
packets passing through a mirrored port is copied to an observing port.
● Local mirroring
The observing port and mirrored port are on the same switch.
Port Mirroring
In the process of port mirroring, the CX91x series copies the packets passing
through a mirrored port and then sends the copy to a specified observing port.
Figure 7-5 shows the diagram of port mirroring.
Figure 7-5 Schematic diagram of port mirroring
7.3.1.2 Logical Relationships Between Configuration Tasks

This topic describes the logical relationships between configuration tasks.
Before performing 7.3.4 Changing or Deleting an Observing Port, complete7.3.3
Canceling Port-based Mirroring.
7.3.2 Configuring Local Port Mirroring

This topic describes how to configure local port mirroring.

When all incoming or outgoing packets passing through a specified interface of
the CX91x series need to be monitored, you can configure local port mirroring if
the mirrored port is located on the same CX91x series as the observing port.
in
None.
Data Preparation
To configure local port mirroring, you need the following data.
No. Data
1 Type and number of the observing port
2 Type and number of the mirrored port
7.3.2.2 Configuring a Mirrored Port
Context
A mirrored port can be a physical interface or an Eth-Trunk interface.
To configure an Eth-Trunk as a mirrored port, you must run the interface eth-
trunk trunk-id command to create the Eth-Trunk first.
● If an Eth-Trunk is configured as a mirrored port, its member interfaces cannot
be configured as mirrored ports.
● If a member interface of an Eth-Trunk is configured as a mirrored prot, the
Eth-Trunk cannot be configured as a mirrored port.
Procedure
Step 1 Run:
system-view

Step 2 Run:
observe-port index interface interface-type interface-number
An observing port is configured.

Step 3 Run:
The view of the mirrored port is displayed.

Step 4 Run:
port-mirroring to observe-port index { both | inbound | outbound }
Port mirroring is configured on the mirrored port.

To monitor packets on multiple interface, repeat Step 3 and Step 4.
----End

Action Command
Check information about display port-mirroring

port mirroring.
Check information about the display observe-port

observing port.
If the following results are obtained, it indicates that the configuration succeeds:
● The observing port is configured properly.
● The mirrored port and the mirroring direction are configured properly.
7.3.3 Canceling Port-based Mirroring

This section describes how to cancel port mirroring.
When port mirroring is enabled on an interface of the CX91x series, and the
incoming or outgoing packets passing through this interface do not need to be
monitored, you can cancel port mirroring on that interface. You must cancel port
mirroring on the bound observing port before deleting or changing this observing
port.
None.
Data Preparation
To cancel port mirroring, you need the following data.
No. Data
1 Type and number of the mirrored port to be deleted

7.3.3.2 Canceling Port Mirroring
Procedure
Step 1 Run:
system-view
Step 2 Run:
Step 3 Run:
undo port-mirroring { both | inbound | outbound }
Port mirroring is canceled.
----End

Action Command

observing port.

port mirroring.
Run the display port-mirroring command. If port mirroring is cancelled properly,

it indicates that the configuration succeeds.
7.3.4 Changing or Deleting an Observing Port

This section describes how to change or delete an observing port.
When you do not need to monitor the flow passing through the CX91x series, you
can delete the current observing port; when you need to specify another interface
on the CX91x series as an observing port, you can change the current observing
port.
Before changing or deleting an observing port, complete the following task:

● 7.3.3 Canceling Port-based Mirroring
Data Preparation
To change or delete an observing port, you need the following data.
No. Data
1 Type and number of the new observing port
7.3.4.2 (Optional) Deleting an Observing Port
Prerequisites
Before deleting an observing port, make sure that the observing port is not used
in any mirroring configuration.
Procedure
Step 1 Run:
system-view

Step 2 Run:

Step 3 Run:
undo port-mirroring { both | inbound | outbound }
Port mirroring is canceled.

Step 4 Run:
quit

Step 5 Run:
undo observe-port index
The observing port is deleted.
----End
7.3.4.3 (Optional) Changing an Observing Port
Procedure
Step 1 Run:
system-view

Step 2 Run:
observe-port index interface interface-type interface-number
Another interface is specified as an observing port.
----End

Action Command

observing port.

port mirroring.
If the observing port is deleted or a new observing port is specified, it indicates

that the configuration succeeds.

This section provides several configuration examples for mirroring.
7.3.5.1 Example for Configuring Local Port Mirroring
As shown in Figure 7-6, a Layer 2 (L2) switch is connected to GigabitEthernet
0/0/1 on the Switch, and the incoming packets on GigabitEthernet 0/0/1 needs to
be monitored. In this case, you can configure local port mirroring with
GigabitEthernet 0/0/1 as a mirrored port and GigabitEthernet 0/0/2 as an
observing port.
Figure 7-6 Networking diagram of local port mirroring

1. Configure GigabitEthernet 0/0/2 as an observing port.
2. Configure GigabitEthernet 0/0/1 as a mirrored port.
Data Preparation
None.
Step 1 Create a VLAN on the Switch and add interfaces to the VLAN in trunk mode.
# Add GigabitEthernet 0/0/1 and GigabitEthernet 0/0/3 to a same VLAN in trunk
mode. The following takes the configuration of GigabitEthernet 0/0/1 as an
example. The configuration of GigabitEthernet 0/0/3 is the same as the
configuration of GigabitEthernet 0/0/1 and is not mentioned here.
<Base> system-view
[Base] vlan 10
[Base-vlan10] quit
[Base-GigabitEthernet0/0/1] port trunk allow-pass vlan 10
Step 2 Configure an observing port.

# Set GigabitEthernet 0/0/2 as the observing port.
<Base> system-view
[Base] observe-port 1 interface GigabitEthernet 0/0/2
Step 3 Configure a mirrored port.

# Set GigabitEthernet 0/0/1 as the mirrored port.
[Base-GigabitEthernet0/0/1] port-mirroring to observe-port 1 inbound

# Run the display port-mirroring command. You can check the configurations on
the observing port and mirrored port.
[Switch] display port-mirroring
Port-mirror:
----------------------------------------------------------
Mirror-port Direction Observe-port
----------------------------------------------------------
GigabitEthernet0/0/1 Inbound GigabitEthernet0/0/2
----End
Configuration Files

#
sysname Base
#
vlan batch 1
#
observing-port 1 interface GigabitEthernet0/0/2
#
……
#
port-mirroring to observe-port 1 inbound
#
#
……
7.3.5.2 Example for Changing an Observing Port
As shown in Figure 7-7,GigabitEthernet 0/0/1 on the Switch is connected to an L2
switch; GigabitEthernet 0/0/3 is connected to host 1; GigabitEthernet 0/0/4 is
connected to host 2. To monitor incoming traffic on GigabitEthernet 0/0/1, port
mirroring is configured on the Switch. Configure GigabitEthernet 0/0/1 as a
mirrored port, and GigabitEthernet 0/0/3 connected to host 1 as an observing
port. Enable host 1 to receive incoming traffic from GigabitEthernet 0/0/1.
At present, host 2 needs to receive incoming traffic from GigabitEthernet 0/0/1.

Thus, the observing port needs to switch from GigabitEthernet 0/0/3 to
GigabitEthernet 0/0/4.
Figure 7-7 Networking for changing the observing port

1. Delete the mirrored port GigabitEthernet 0/0/1.
2. Set GigabitEthernet 0/0/4 instead of GigabitEthernet 0/0/3 as the observing
port.
3. Reset GigabitEthernet 0/0/1 as the mirrored port.
Data Preparation
You need to obtain the type and number of the port, for example, GigabitEthernet
0/0/4.
Step 1 Check the configurations on the current observing port and mirrored port.
# Run the display port-mirroring command to check the configurations on the
current observing port and mirrored port.
<Base> display port-mirroring
Port-mirror:
----------------------------------------------------------
----------------------------------------------------------
Step 2 Delete the mirrored port.

# Delete the mirrored port GigabitEthernet 0/0/1.
<Base> system-view
[Base-GigabitEthernet0/0/1] undo port-mirroring inbound
Step 3 Delete the observing port.

# Delete the observing port GigabitEthernet 0/0/3.
<Base> system-view
[Base] undo observe-port 1
Step 4 Change the observing port.

# Change the observing port to GigabitEthernet 0/0/4.
[Base] observe-port 1 interface GigabitEthernet 0/0/4
Step 5 Configure a mirrored port.

# Reset GigabitEthernet 0/0/1 as the mirrored port.
[Base-GigabitEthernet0/0/1] port-mirroring to observe-port 1 inbound

# Run the display port-mirroring command. You can check the configurations on
the current observing port and mirrored port.
[Base] display port-mirroring

Port-mirror:
----------------------------------------------------------
----------------------------------------------------------
----End
Configuration Files
#
sysname Base
#
observe-port 1 interface GigabitEthernet0/0/4
#
……
#
port-mirroring to observe-port 1 inbound
#
……
7.4 Restarting
This chapter describes how to restart the CX91x series.
7.4.1 Restarting the CX91x series Immediately Through

Command Lines
This topic describes how to restart the CX91x series by running commands.
Context
NOTICE
The reboot command can paralyze the network for a while. Therefore, run the
reboot command with caution.
Before restarting the CX91x series, check whether to save the configuration file
and whether the file contents are correct. For details on saving the configuration
file, see section Basic Configuration in the CX91x Series Switch Modules
NOTE
Running the reboot command restarts only the current plane.
Procedure
Step 1 Open the CLI of the onboard GE switching plane, and run the reboot command to
restart the onboard GE switching plane.
<Base>reboot

Info: The system is now comparing the configuration, please wait.

Warning: All the configuration will be saved to the configuration file for the next startup:flash:/vrpcfg.cfg,
Continue?[Y/N]:
Step 2 Press y to save the configurations or press n to cancel the operation, and then
press Enter.
Step 3 Press y. The system restarts.
System will reboot! Continue?[Y/N]:y
Apr 4 2011 00:25:48 Base %%01CMD/4/REBOOT(l)[1]:The user chose Y when deciding whether to reboot
the system.
.
..
...
Soft Reset.....done.
----End
7.4.2 Restarting the CX91x series Using the Ejector Levers

This topic describes how to restart the CX91x series by using the ejector levers.
Context
NOTICE
● The action can paralyze the network for a while. Therefore, perform this action
with caution.
● Before restarting the CX91x series, check whether to save the configuration file
and whether the file contents are correct. For details about how to save the
configuration file, see section Basic Configuration in the CX91x Series Switch
NOTE
Both onboard GE switching plane and 10 GE switching plane restart when you restart the
CX91x series by using the ejector levers.
Procedure
Step 1 Raise both ejector levers to power off the CX91x series.
Step 2 Lower both ejector levers to power on and start the CX91x series.
----End

Configuration Guide 8 Configuration Guide-Network Management
8 Configuration Guide-Network
Management
This topic describes how to configure the Simple Network Management Protocol
(SNMP), Ping, and Tracert by using examples based on the basic device features.
8.1 SNMP Configuration

This chapter describes how to configure the NM Station to communicate with the
device through SNMP.
8.2 Ping and Tracert
This chapter describes basic concepts and applications of the ping and tracert
commands.
8.1 SNMP Configuration

This chapter describes how to configure the NM Station to communicate with the
device through SNMP.
8.1.1 Introduction to SNMP

This topic describes the NM Station, SNMP agent, and MIB, and their relationships.
Simple Network Management Protocol (SNMP) consists of the Network

Management Station (NMS) and the agent. SNMP is an application protocol that
defines transmission of management information between the NM Station and
the agent.
NM Station
The NM Station is a station on which the client program runs.
The NM Station has the following functions:
● Sends various request packets to network devices.

● Receives response packets and trap messages from the managed devices and
shows the results.

Agent
The agent is a process that is running on the managed devices.
The agent has the following functions:
● Receives and analyzs request packets from the NM Station.
● Performs read or write operation on management variables based on the type
of packet and generates a packet to respond to the NM Station.
● Sends a trap message to the NM Station to report the events such as entering
or restarting the device once the triggering conditions configured on each
protocol module are met.
Relationship Between the NM Station and the Agent

Figure 8-1 shows the relationship between the NM Station and the agent.
Figure 8-1 Schematic diagram of the SNMP architecture
MIB
SNMP uses a hierarchical naming convention to identify managed objects and to
distinguish between managed objects. This hierarchical structure is similar to a
tree with the nodes representing managed objects. Figure 8-2 shows a managed
object that can be identified by the path from the root to the node representing it.

Figure 8-2 MIB tree structure
In Figure 8-2, the managed object B can be determined by a string of digits

{1.2.1.1}. This string is the Object Identifier of the managed object. The MIB
describes the hierarchical structure of the tree and is a definite collection of
standard variables on monitored network devices.
SNMP Operation
SNMP applies a GET-SET mode instead of a complex command set. It makes use
of the basic operations to deduce all other operations.
You can adopt the standard MIB or standard mode to define your individual MIB.
This reduces the cost of the entire network management by reducing the cost of
most of the agent components in the network management system.
Table 8-1 lists the basic SNMP operations.
Table 8-1 Basic SNMP operations

Action Function
GetRequest Gets the value from a variable
GetNextRequest Gets the next value from the table
GetResponse Responds to GetRequest, GetNextRequest

and SetRequest operations
GetBulk Equals continuously performing GetNext

operations not for SNMPv1.
SetRequest Sets one or more parameters of the agent
Trap Reports event information
8.1.2 SNMP Supported by the CX91x series

This part describes the support for SNMPv1, SNMPv2c, and SNMPv3 on the CX91x
series.
The CX91x series supports SNMPv1, SNMPv2c, and SNMPv3.

SNMPv1
● Supporting community-name-based access control
● Supporting MIB-view-based access control
● Supporting Traps
SNMPv2c
● Supporting community-name-based access control
● Supporting MIB-view-based access control
● Supporting Traps and Informs
SNMPv3
SNMPv3 inherits basic operations in SNMPv2c. It defines a management frame,
imports Universal Server Manager (USM), and provides a security mechanism for
access users.
● Supporting user group
● Supporting group-based access control
● Supporting user-based access control
● Supporting authentication and encryption mechanisms
● Supporting Traps
8.1.3 Configuring Basic Functions of SNMPv1

This part describes how the NM Station accesses and manages the device through
SNMPv1.

Before configuring SNMPv1, familiarize yourself with the applicable environment,
To enable NM Station to manage the Switch Module, configure basic SNMPv1
functions on the Switch Module.
Before Configuring SNMPv1, complete the following tasks:
● Assigning an IP address to the Switch Module
● Configuring the routing protocol to make the Switch Module and the NM
Station accessible
Data Preparation
To configure SNMPv1, you need the following data.

No. Data
1 SNMP version
2 SNMP community name
8.1.3.2 Enabling Basic SNMP Functions

You can do as follows to enable SNMP.
Context
The SNMP agent is enabled on the target Switch Module.
Procedure
Step 1 Run:
system-view
Step 2 Run:
snmp-agent
The SNMP agent function is enabled.
----End
8.1.3.3 Configuring the SNMP Version

This topic describes how to configure the SNMP version to SNMPv1.
Context
Procedure
Step 1 Run:
system-view
Step 2 Run:
snmp-agent sys-info version v1
The SNMP version is configured.
By default, SNMP v3 is enabled.
----End

8.1.3.4 Setting the SNMP Community Name

This part describes how to implement access right control by setting the read and
write properties for an SNMP community name.
Context
Procedure
Step 1 Run:
system-view
Step 2 Run:
snmp-agent community { read | write } community-name
The read and write community names of the agent are configured.
NOTE
The community names for setting the read and write properties cannot be the same.
Otherwise, the read or write property of a community name will be overwritten.
----End

After SNMPv1 is configured, you can check SNMP configurations.
Prerequisites
The configurations of the Basic Functions of SNMPv1 are complete.
Procedure
● Run the display snmp-agent community command to view the community
name of the SNMP agent.
● Run the display snmp-agent sys-info version command to view the SNMP
version information.
----End
Example
Run the display snmp-agent community command. If information on the
community name is displayed, it means that the configuration succeeds.
<Base> display snmp-agent community
Community name:%$%$-yqBSyTXbNM8OIV)`6kHeri`%$%$
Group name:%$%$-yqBSyTXbNM8OIV)`6kHeri`%$%$
Storage-type: nonVolatile
Community name:%$%$k(1p/_Kz26BP~9I"7`]

Run the display snmp-agent sys-info version command. If the version of SNMP
run on the agent is displayed, it means that the configuration succeeds.
<Base> display snmp-agent sys-info version
SNMP version running in the system:
SNMPv1 SNMPv3
8.1.4 Configuring Community-Name-based Access Control in

SNMPv1
This topic describes how to implement the security feature of SNMPv1 through
access control lists (ACLs).

Before configuring community-name-based access control in SNMPv1, familiarize
yourself with the applicable environment, complete the pre-configuration tasks,
and obtain the required data. This can help you complete the configuration task
quickly and accurately.
To configure the specified NM Station to manage the Switch Module (SNMP
agent), configure access control lists (ACLs) on the Switch Module.
Before configuring community-name-based access control, complete the following
tasks:

Station accessible
Data Preparation
To configure community-name-based access control, you need the following data.
No. Data
1 ACL number

Context

Procedure
Step 1 Run:
system-view
Step 2 Run:
----End

This part describes how to configure the ACL to specify the IP address of the NMS
allowed to access the device.
Context
Procedure
Step 1 Run:
system-view
Step 2 Run:
acl acl-number
A basic ACL is created.
Step 3 Run:
name ] *
ACL rules are defined.
----End
8.1.4.4 Configuring the ACL

This part describes how to configure ACLs to enable a specific NM Station to
access the device.
Context

Procedure
Step 1 Run:
system-view

Step 2 Run:
snmp-agent community { read | write } community-name acl acl-number
The ACL is applied.
----End

After community-name-based access control in SNMPv1 is configured, you can
view configurations of SNMP and ACLs.
Prerequisites
The configurations of the Community-Name-based Access Control in SNMPv1 are
complete.
Procedure
● Run the display acl acl-number command to view the rules of the configured
ACL.
name of the agent.
----End
Example
Run the display acl acl-number command. If information on the rules of the
configured ACL is displayed, it means that the configuration succeeds.
Acl's step is 5
rule 5 permit source 1.1.1.1 0

Acl:2000


SNMPv1 SNMPv3
8.1.5 Configuring MIB-View-based Access Control in SNMPv1

In SNMPv1, you can implement the security feature by the MIB view.

Before configuring MIB-view-based access control in SNMPv1, familiarize yourself
the required data. This can help you complete the configuration task quickly and
accurately.
To set different authorities for NM Stations to access the Switch Module, configure
different MIB views on the Switch Module.
Before configuring MIB-view-based access control, complete the following tasks:
Station accessible
Data Preparation
To configure MIB-view-based access control, you need the following data.
No. Data
2 Information about MIB objects

Context
Procedure
Step 1 Run:
system-view

Step 2 Run:
----End
8.1.5.3 Creating a MIB View

This part describes how to create a MIB view, and add the MIB of the specified
feature into the MIB view or remove the MIB of the specified feature from the MIB
view.
Context
Do as follows on the Switch Module enabled with the SNMP agent.
Procedure
Step 1 Run:
system-view
Step 2 Run:
snmp-agent mib-view { excluded | included } view-name oid-tree
A MIB view is created.
----End
8.1.5.4 Configuring MIB-View-based Access Control

This part describes how the NM Station manages the specified feature of the
Switch Module in the MIB view.
Context
Procedure
Step 1 Run:
system-view
Step 2 Run:
snmp-agent community { read | write } community-name1 mib-view view-name
MIB-view-based access control is configured.
----End


After MIB-view-based access control in SNMPv1 is configured, you can view
configurations of SNMP.
Prerequisites
The configurations of the MIB-View-based Access Control in SNMPv1 are
complete.
Procedure
● Run the display snmp-agent mib-view command to view the MIB view.
name of the agent.
----End
Example
Run the display snmp-agent mib-view command. If information on the MIB view
is displayed, it means that the configuration succeeds.
<Base> display snmp-agent mib-view
View name:ViewDefault
MIB Subtree:internet
Subtree mask:
View Type:included
View status:active
MIB Subtree:snmpUsmMIB
Subtree mask:
View Type:excluded
View status:active
MIB Subtree:snmpVacmMIB
Subtree mask:
View Type:excluded
View status:active
MIB Subtree:snmpModules.18
Subtree mask:
View Type:excluded
View status:active

Run the display snmp-agent sys-info version command to display the version of
SNMP run on the agent.


SNMPv1 SNMPv3
8.1.6 Configuring Basic Functions of SNMPv2c

This section describes how the NM Station accesses the device through SNMPv2c.

Before configuring SNMPv2c, familiarize yourself with the applicable environment,
To enable NM Station Station to access and manage devices, configure basic
SNMPv2c functions on the devices.
Before configuring SNMPv2c, complete the following tasks:

Station accessible
Data Preparation
To configure SNMP, you need the following data.
No. Data
1 SNMP version

Context
Procedure
Step 1 Run:
system-view

Step 2 Run:
snmp-agent
----End

This topic describes how to configure the SNMP version to SNMPv2c.
Context
Procedure
Step 1 Run:
system-view

Step 2 Run:
snmp-agent sys-info version v2c

----End
8.1.6.4 Setting the SNMP Community Name

This part describes how to implement access right control by setting the SNMP
community name.
Context
Procedure
Step 1 Run:
system-view

Step 2 Run:
snmp-agent community { read | write } community-name
The community name of the agent is configured.
NOTE
The community names for setting the read and write properties cannot be the same.
Otherwise, the read or write property of a community name will be overwritten.
----End


After SNMPv2c is configured, you can check the SNMP configurations, including
the community name and version information.
Prerequisites
The configurations of the Basic Functions of SNMPv2c are complete.
Procedure
name of the agent.
----End
Example
SNMPv2c SNMPv3
8.1.7 Configuring Community-Name-based Access Control in

SNMPv2c
This section describes how to configure ACLs to implement the security feature of
SNMPv2c.

Before configuring community-name-based access control in SNMPv2c, familiarize
To configure the specified NM Station to manage the Switch Module (SNMP
agent), configure access control lists on the Switch Module.

Before configuring community-name-based access control, complete the following
tasks:

Station accessible
Data Preparation
To configure community-name-based access control, you need the following data.
No. Data
1 ACL number

Context
Procedure
Step 1 Run:
system-view
Step 2 Run:
----End

This topic describes how to configure an ACL to enable a specific NMS to access
the device.
Context

Procedure
Step 1 Run:
system-view

Step 2 Run:
acl acl-number

Step 3 Run:
name ] *
----End

This part describes how to configure an ACL to enable a specific NMSto access the
device.
Context
Procedure
Step 1 Run:
system-view

Step 2 Run:
snmp-agent community { read | write } community-name acl acl-number
The ACL is applied.
----End

After community-name-based access control in SNMPv2c is configured, you can
view configurations of SNMP and ACLs.
Prerequisites
The configurations of the Community-Name-based Access Control in SNMPv2c are
complete.
Procedure
● Run the display acl acl-number command to view the rules of the configured
ACL.


name of the agent.
----End
Example
Run the display acl acl-number command. If information on the rules of the
configured ACL is displayed, it means that the configuration succeeds.
Acl's step is 5

Acl:2000
SNMPv2c SNMPv3
8.1.8 Configuring MIB-View-based Access Control in SNMPv2c

In SNMPv2c, you can control the NM Station to access the specified device by the
MIB view.

Before configuring MIB-view-based access control in SNMPv2c, familiarize yourself
accurately.
To set different authorities for NM Stations to access the Switch Module, configure
different MIB views on the Switch Module.
Before configuring MIB-view-based access control, complete the following tasks:
Station accessible

Data Preparation
To configure MIB-view-based access control, you need the following data.
No. Data

Context
Procedure
Step 1 Run:
system-view
Step 2 Run:
----End

This part describes how to create a MIB view, and add the MIB of the specified
feature into the MIB view or remove the MIB of the specified feature from the MIB
view.
Context
Procedure
Step 1 Run:
system-view
Step 2 Run:

----End
8.1.8.4 Configuring MIB-View-based Access Control

This part describes how the NM Station manages the specified feature of the
device in the MIB view.
Context
Procedure
Step 1 Run:
system-view

Step 2 Run:
snmp-agent community { read | write } community-name1 mib-view view-name
MIB-view-based access control is configured.
----End

After MIB-view-based access control in SNMPv2c is configured, you can view
configurations of SNMP.
Prerequisites
The configurations of the MIB-View-based Access Control in SNMPv2c are
complete.
Procedure
● Run the display snmp-agent mib-view command to view the MIB view.
name of the agent.
----End
Example
After the configurations, run the display snmp-agent mib-view command. If
information about the MIB view is displayed, it means that the configuration
succeeds.
Subtree mask:

View Type:included
View status:active
Subtree mask:
View Type:excluded
View status:active
Subtree mask:
View Type:excluded
View status:active
Subtree mask:
View Type:excluded
View status:active

SNMPv2c SNMPv3
8.1.9 Configuring Basic Functions of SNMPv3

This section describes how the NM Station accesses the device through SNMPv3.

Before configuring SNMPv3, familiarize yourself with the applicable environment,
To designate different groups for the NM Station, that is, to implement user
classification on the NM Station, configure SNMPv3.
Before configuring SNMPv3, complete the following tasks:
Station accessible

Data Preparation
To configure SNMPv3, you need the following data.
No. Data
1 SNMP group name
2 SNMP user name

Context
Procedure
Step 1 Run:
system-view

Step 2 Run:
snmp-agent
----End

Context
Procedure
Step 1 Run:
system-view

Step 2 Run:

----End

8.1.9.4 Configuring an SNMP User Group

This part describes how to create an SNMP access user group.
Context
Do as follows on the SNMP agent.
Procedure
Step 1 Run:
system-view
Step 2 Run:
snmp-agent group v3 group-name
An SNMP user group is configured.
----End
8.1.9.5 Configuring User Information

After user information about the NM Station is configured, you can configure NM
Station users in a specific group to access the device.
Context
Procedure
Step 1 Run:
system-view
Step 2 Run:
snmp-agent usm-user v3 user-name group-name
User information is configured.
----End

After basic functions of SNMPv3 are configured, you can view configurations of
SNMPv3.
Prerequisites
The configurations of the basic functions of SNMPv3 are complete.

Procedure
● Run the display snmp-agent group [ group-name ] command to view
information about the SNMP user group.
● Run the display snmp-agent usm-user [ group group-name | username
user-name ] * command to view information about users in the group.
version information..
----End
Example
Run the display snmp-agent group command. If information on the user group is
displayed, it means that the configuration succeeds.
<Base> display snmp-agent group
Group name: a
Security model: v3 noAuthnoPriv
Readview: ViewDefault
Writeview: <no specified>
Notifyview :<no specified>
Storage-type: nonvolatile
Run the display snmp-agent usm-user command. If information on the SNMP

user is displayed, it means that the configuration succeeds.
<Base> display snmp-agent usm-user
User name: b
Engine ID: 000007DB7F00000100000772 active
SNMPv3
8.1.10 Configuring User Group-based Access Control in

SNMPv3
After user group-based access control in SNMPv3 is configured, only the NM
Station users in the specific group can access the device through SNMPv3.

Before configuring user group-based access control in SNMPv3, familiarize
To configure the specified NM Station in the group to manage the Switch Module
(SNMP agent), configure ACLs on the Switch Module.
Before configuring user group-based access control, complete the following tasks:


Station accessible
Data Preparation
To configure user group-based access control, you need the following data.
No. Data
1 SNMP user group name
2 SNMP user name
3 ACL number

After the SNMP version is disabled on the device, to enable the NMS to access the
device through SNMPv3, you need to configure SNMPv3 on the device.
Context
Procedure
Step 1 Run:
system-view

Step 2 Run:

----End

Group information configured on the NMS and the device must be identical.
Otherwise, the NMS cannot access the device.
Context
Procedure
Step 1 Run:

system-view

Step 2 Run:
----End

NMS user information configured on the NMS and the device must be identical.
Context
Procedure
Step 1 Run:
system-view

Step 2 Run:
Users are added into the SNMPv3 user group.
----End

This part describes how to configure an ACL to enable a specific NMS to access
the device.
Context
Procedure
Step 1 Run:
system-view

Step 2 Run:
acl acl-number

Step 3 Run:
name ] *

----End

This part describes how to use an ACL to filter the source address of the NMS user
group.
Context
Procedure
Step 1 Run:
system-view

Step 2 Run:
snmp-agent group v3 group-name acl acl-number
The ACL is applied.
----End

After user group-based access control in SNMPv3 is configured, you can view
configurations of SNMP and an ACL.
Prerequisites
The configurations of the user group-based access control in SNMPv3 are
complete.
Procedure
● Run the display acl acl-number command to view ACL rules.
information about the SNMP user group.
● Run the display snmp-agent usm-user command to view information about
the SNMP user.
----End
Example
Run the display acl command. If information on the rules of the configured ACL is

Acl's step is 5
Group name: a
Acl:2000

User name: b
SNMPv3
8.1.11 Configuring User-based Access Control in SNMPv3

After user-based access control in SNMPv3 is configured, when the NM Station
accesses the device through SNMPv3, only the specified NM Station users can
access the device.

Before configuring user-based access control in SNMPv3, familiarize yourself with
accurately.
To configure the specified user in the user group to manage the Switch Module
(SNMP agent), configure access control lists on the Switch Module.
Before configuring user-based access control, complete the following tasks:

Station accessible
Data Preparation
To configure user-based access control, you need the following data.

No. Data
2 SNMP user name
3 ACL number

device through SNMPv3, you need to configure SNMPv3 on the device.
Context
Procedure
Step 1 Run:
system-view

Step 2 Run:

----End

This part describes how to create an SNMP access user group.
Context
Procedure
Step 1 Run:
system-view

Step 2 Run:
----End


This part describes how to create SNMP access users and add these users to the
user group.
Context
Procedure
Step 1 Run:
system-view
Step 2 Run:
----End

This part describes how to configure an ACL to enable a specific NMS to access
the device.
Context
Procedure
Step 1 Run:
system-view
Step 2 Run:
acl acl-number
Step 3 Run:
name ] *
----End
8.1.11.6 Applying the ACL

This part describes how to use an ACL to filter the source address of the NMS user.

Procedure
Step 1 Run:
system-view

Step 2 Run:
snmp-agent usm-user v3 user-name group-name acl acl-number
The ACL is applied.
----End

After user-based access control in SNMPv3 is configured, you can view
configurations of SNMP and an ACL.
Prerequisites
The configurations of the user-based access control in SNMPv3 are complete.
Procedure
● Run the display acl acl-number command to view ACL rules.
information about the SNMP group.
● Run the display snmp-agent usm-user [ engineid engineid | group group-
name | username user-name ] * command to view information about users in
the SNMP group.
● Run the display snmp-agent sys-info version command to View the SNMP
----End
Example
Run the display acl command. If information on the rules of the configured ACL is
Acl's step is 5
Group name: a


User name: b
Acl:2000
<Base> display snmp-agent sys-info
SNMPv3
8.1.12 Configuring Authentication and Encryption Functions

in SNMPv3
This section describes how to meet the higher requirement of the NMS on the
access security through authentication and encryption mechanisms of SNMPv3.

Before configuring authentication and encryption mechanisms of SNMPv3,
familiarize yourself with the applicable environment, complete the pre-
configuration tasks, and obtain the required data. This can help you complete the
configuration task quickly and accurately.
In the case that users demand high security of the network, configure the security
mechanism of SNMPv3 to allow specified NM Stations to access the Switch
Module. That is, the NM Station can access the Switch Module only after it passes
authentication.
Before configuring authentication and encryption functions in SNMPv3, complete
the following tasks:

Station accessible
Data Preparation
To configure authentication and encryption functions in SNMPv3, you need the
following data.
No. Data
2 SNMP user name and password


After the SNMP version is disabled on the device, to enable the NM Station to
access the device through SNMPv3, you need to configure SNMPv3 on the device.
Context
Procedure
Step 1 Run:
system-view

Step 2 Run:

----End

Group information configured on the NMS and the Switch Module must be
identical. Otherwise, the NMS cannot access the device.
Context
Procedure
Step 1 Run:
system-view

Step 2 Run:
----End

NMS user information configured on the NMS and the Switch Module must be
identical. Otherwise, the NMS cannot access the device.
Context
Do as follows on the Switch enabled with the SNMP agent.

Procedure
Step 1 Run:
system-view
Step 2 Run:
----End
8.1.12.5 Configuring the Authentication Function for the SNMP User Group
After authentication is configured, only NM Station users in the group that passes
the authentication can access the device.
Context
Procedure
Step 1 Run:
system-view
Step 2 Run:
snmp-agent group v3 group-name authentication
The SNMPv3 authentication function is configured.
----End
8.1.12.6 Configuring the Encryption Function for the SNMP User Group
Encryption keys configured on the NMS and the device must be identical.
Context
Procedure
Step 1 Run:
system-view
Step 2 Run:
snmp-agent group v3 group-name privacy

The SNMPv3 encryption function is configured.
----End
8.1.12.7 Configuring Authentication and Encryption Functions for the SNMP

User
NMS users in a group can be configured with different authentication codes and
encryption keys for accessing the device.
Context
Procedure
Step 1 Run:
system-view

Step 2 Run:
snmp-agent usm-user v3 user-name group-name authentication-mode { md5 | sha } password privacy-
mode des56 password
Authentication and encryption functions for the SNMP user are configured.
----End

After authentication and encryption mechanisms of SNMPv3 are configured, you
can view configurations of SNMP and ACLs.
Prerequisites
The configurations of the Authentication and Encryption Functions in SNMPv3 are
complete.
Procedure
● Run the display snmp-agent group [ group-name ]command to view the
USM-based group.
● Run the display snmp-agent usm-user [ group group-name | username
user-name ] * command to view information about users in the group.
----End
Example
Run the display snmp-agent group command. If information on the USM-based
group is displayed, it means that the configuration succeeds.

Group name: a
Security model: v3 AuthnoPriv

User name: b
Group name: a
run on the Agent is displayed, it means that the configuration succeeds.
SNMPv3
8.1.13 Configuring MIB-View-based Access Control in SNMPv3

This section describes how to configure MIB-view-based access control in SNMPv3
to control the NM Station to access the device.

Before configuring MIB-view-based access control in SNMPv3, familiarize yourself
accurately.
When the user has a higher requirement for network security, configure MIB views
on the USM to set different NM Stations with corresponding management
authorities.
Before configuring MIB views in the USM, complete the following tasks:

Station accessible
Data Preparation
To configure MIB views in the USM, you need the following data.
No. Data
2 SNMP user name

No. Data
4 ACL Number

device through SNMPv3, you need to configure SNMPv3 on the Switch Module.
Context
Procedure
Step 1 Run:
system-view

Step 2 Run:

----End

By configuring different MIB views, you can configure different access authorities
for NM Stations.
Context
Procedure
Step 1 Run:
system-view

Step 2 Run:

You can use the snmp-agent mib-view command to create or update a filter
view. The xx command supports variable OID strings and node names. You can

add asterisks to a variable OID string, but the variable OID string must not start or
end with asterisks.
----End
8.1.13.4 Assigning Permission to the SNMP User Group

By associating MIB views and user groups, you can configure different access
authorities for NM Stations.
Context
The SNMP agent is enabled and the ACL are properly configured on the target
Switch Module .
Procedure
Step 1 Run:
system-view
Step 2 Run:
snmp-agent group v3 group-name [ authentication | privacy ] [ read-view read-view | write-view write-
view | notify-view notify-view ]* [ acl acl-number ]
Read and write permission is assigned to the user group.
----End

NM Station user information configured on the NM Station and the device must
be identical. Otherwise, the NM Station cannot access the device.
Context
Procedure
Step 1 Run:
system-view
Step 2 Run:
----End


After MIB-view-based access control in SNMPv3 is configured, you can view
configurations of the MIB and users.
Prerequisites
The configurations of the MIB-View-based Access Control in SNMPv3 are
complete.
Procedure
information about the SNMP group.
● Run the display snmp-agent mib-view command to view the information on
the MIB view
● Run the display snmp-agent usm-user [ engineid engineid | group group-
name | username user-name ] * command to view information about users in
the SNMP group.
----End
Example
Run the display snmp-agent group command. If information on the SNMP group
Group name: gg
Writeview: ViewDefault
Notifyview : <no specified>
Run the display snmp-agent mib-view command. If information on the MIB view
Subtree mask:
View Type:included
View status:active

User name: u1
Group name:g1
run is displayed, it means that the configuration succeeds.
<Base> display snmp-agent sys-info
SNMPv3

8.1.14 Configuring SNMP Maintenance Information

This section describes how to maintain the device through SNMP maintenance
information.

Before configuring SNMP maintenance information, familiarize yourself with the
accurately.
When the Switch Module prompts errors that are urgent to be removed, contact
the local maintenance engineers.
Before configuring SNMP maintenance information, complete the following tasks:
Station accessible
Data Preparation
To configure SNMP maintenance information, you need the following data.
No. Data
1 Identity and contact method of the administrator
2 Location of the Switch Module
8.1.14.2 Configuring Contact Methods of the Administrator

This part describes how to configure the administrator information. In the case of
device failure, you can contact the administrator for help.
Procedure
Step 1 Run:
system-view

Step 2 Run:
snmp-agent sys-info contact contact
The contact method of the administrator is configured.
----End

8.1.14.3 Configuring the Location of the Switch Module

This part describes how to assign an address to the device. In the case of device
failure, you can locate the faulty device in time.
Procedure
Step 1 Run:
system-view

Step 2 Run:
snmp-agent sys-info location location
The location of the Switch Module is configured.
----End

After SNMP maintenance information is configured, you can view information
about the administrator and location of the device.
Prerequisites
The configurations of the SNMP Maintenance Information are complete.
Procedure
● Run the display snmp-agent sys-info contact command to view the contact
method of the administrator.
● Run the display snmp-agent sys-info location command to view the
location of the Switch Module.
----End
Example
Run the display snmp-agent sys-info contact command to view the contact
method of the administrator.
<Base> display snmp-agent sys-info contact
The contact person for this managed node:
R&D Beijing, Huawei Technologies co.,Ltd.
Run the display snmp-agent sys-info location location command to view the
location of the Switch Module.
<Base> display snmp-agent sys-info location
The physical location of this node:
Beijing China
8.1.15 Configuring the Maximum Size of the SNMP Packet

This section describes how to increase the maximum size of an SNMP packet for
the NM Station to obtain the complete information about the Switch Module
status.


Before configuring the maximum size of an SNMP packet, familiarize yourself with
accurately.
In case that the NM Station obtains only partial status information about the
Switch Module, increase the MTU of the SNMP packet.
Before configuring the maximize size of the SNMP packet, complete the following
tasks:

Station accessible
Data Preparation
To configure the maximize size of the SNMP packet, you need the following data.
No. Data
1 the maximum SNMP packets that the SNMP agent forwards
8.1.15.2 Configuring the Maximum Size of an SNMP Packet

The maximum size of an SNMP packet depends on the MTU of the network. If the
size of an SNMP packet exceeds the MTU of the network, the SNMP packet is
fragmented.
Context
NOTE
If the maximum size is not specified, by default, 12000 bytes are sent or received.
Procedure
Step 1 Run:
system-view
Step 2 Run:
snmp-agent packet max-size byte-count

The maximum size of the SNMP packet sent or received by the agent is
configured.
----End
8.1.15.3 Verifying the Configurations

After the maximum size of an SNMP packet is configured, you can view the
configurations.
Prerequisites
The maximum size of an SNMP packet is configured.
Procedure
Step 1 Run the display current-configuration | include max-size command to view the
current maximum size of an SNMP packet.
NOTE
If you retain the default value, no information is displayed.
----End
Example
Run the display current-configuration | include max-size command to view the
current maximum size of an SNMP packet.
<Base> display current-configuration | include max-size
snmp-agent packet max-size 1800
8.1.16 Configuring the Trap Function

A trap is a type of message used to report an alert or important event about a
managed device to the NM Station. A managed device can actively send trap
messages only after being configured with the trap function.

Before configuring the trap function, familiarize yourself with the applicable
To configure the managed device sends a Trap message to the NM Station
without being required to report urgent events, configure the Trap function on the
managed device first.
Before configuring the Trap function, complete the following tasks:


● Configuring the routing protocol to make the Switch Module and the NMS
accessible
Data Preparation
To configure the Trap function, you need the following data.
No. Data
1 (Optional) Name of the feature that generates alarms
2 (Optional) Name of the alarm that is generated by the feature
3 Destination host address of Trap messages
4 (Optional) Source address of Trap messages
5 (Optional) Queue length of Trap messages
6 (Optional) Saving time of Trap messages
7 (Optional)Port Number
8 Group Name
8.1.16.2 (Optional) Enabling the Switch Module to Send Alarms to the NM

Station
In the CX91x series system, you need to enable alarm modules for generating
alarms by running the snmp-agent trap enable command.
Context
Procedure
Step 1 Run:
system-view

Step 2 Run:
snmp-agent trap enable
The Switch Module is enabled to send alarms.
----End

8.1.16.3 (Optional) Enabling the Switch Module to Send an Alarm Message

of a Specified Feature to the NM Station
Context
Do as follows on the Switch Module that requires an alarm to be enabled
separately:
Procedure
Step 1 Run:
system-view
Step 2 Run:
snmp-agent trap enable feature-name feature-name
The Switch Module is enabled to send an alarm message of a specified feature to

the NM station.
To disable a specified trap function, you can run the undo snmp-agent trap
enable feature-name command.
----End
8.1.16.4 Setting the Destination Host of Trap Messages

This part describes how to configure the destination address (IP address of the
NM Station) for trap messages.
Context
Procedure
Step 1 Run:
system-view
Step 2 Run:
snmp-agent target-host trap address udp-domain ip-address [ udp-port port-number ] [ public-net ]
params securityname security-string [ v1 | v2c | v3 [ authentication | privacy ] ] [ private-netmanager ]
The destination host of trap messages is configured.
----End
8.1.16.5 (Optional) Setting the Source Interface for Sending Trap Messages
To ensure device security, you need to configure the source interface for sending
the trap messages to the default address.

Context
NOTICE
A reachable route is configured between the source interface for sending trap
messages configured on the Switch Module and the NMS; otherwise, the NM
Station discards trap messages because of unmatched addresses.
Procedure
Step 1 Run:
system-view
Step 2 Run:
snmp-agent trap source interface-type interface-number
The source interface for sending trap messages is configured.
----End
Follow-up Procedure
NOTE
The IP address of the specified source interface is the source IP address of trap messages.
8.1.16.6 (Optional) Setting the Queue Length of Trap Messages

To ensure that trap messages can be sent to the NM Station, you are required to
adjust the length of the trap queue according to the number of trap messages.
Context
NOTE
Increase the queue length with the preceding command when the Switch Module
frequently sends Trap messages.
Procedure
Step 1 Run:
system-view
Step 2 Run:
snmp-agent trap queue-size size

The queue length of Trap messages sent to the destination host is set.
----End
8.1.16.7 (Optional) Setting the Lifetime of Trap Messages

To ensure that trap messages can be sent to the NM Station, you are required to
adjust the reservation period of the trap messages according to the number of
trap messages.
Context
NOTE
Shorten the lifetime of Trap messages by using the preceding command when the Switch
Module frequently sends Trap messages.
Procedure
Step 1 Run:
system-view

Step 2 Run:
snmp-agent trap life seconds
The lifetime of Trap messages is set.
----End
8.1.16.8 Verifying the Configurations
Prerequisites
The trap function is properly configured.
Procedure
Step 1 Run the display current-configuration | include trap command to view the
configurations of trap messages.
NOTE
If you retain the default configurations, no information is displayed.
----End
Example
Run the display current-configuration | include trap command to view the
configurations of trap messages.
<Base> display current-configuration configuration | include trap

8.1.17 Propagating Alarms in the Inform Mode

In Inform mode, alarm logs can be recorded. When the communications between
the NM Station and the Switch Module fails, the Switch Module can record the
alarm log. After the fault is rectified, the NM Station synchronizes the alarm with
the alarm log on the Switch Module to avoid loss of the failure information.

Before sending traps in Inform mode, familiarize yourself with the applicable
In SNMP, a managed device propagates the alarms to the NM Station in two
modes:
● Trap: In this mode, the NM Station need not return acknowledgment

messages. This mode is not reliable.
● Inform: In this mode, the NM Station must return acknowledgment messages.
If receiving no acknowledgment messages in a certain period, the managed
device re-propagates the alarms. This mode is of higher reliability.
The Inform mode supports alarm logging. When the communication between the
NM Station and the managed device fails, the object can log the alarm. After the
fault is rectified, the NM Station synchronizes the alarm with the alarm log on the
managed device to avoid failure information loss.
The Inform mode applies to the large-scale network as well as the scenario where
high reliability of the NM Station is required.
NOTE
Only SNMPv2c support the Inform mode.
Before configuring the Inform mode, complete the following tasks:

● Configuring a routing protocol for the communication between the Switch
Module and the NM Station
● Enabling the SNMP agent
● Configuring the SNMP version
Data Preparation
To configure the Inform mode, you need the following data.

No. Data
1 IP address of the destination and UDP port number to which the Inform
messages are sent, security name, and security level
2 ● (Optional) Timeout period for waiting for the Inform ACK messages
● (Optional) Number of times to re-propagate alarms
● (Optional) Number of pending alarms (alarms waiting for being
acknowledged)
3 ● (Optional) Aging time of alarm logs

● (Optional) Limit pieces of alarm logs
8.1.17.2 (Optional) Enabling the Switch Module to Send Alarms to the NM

Station
In the CX91x series system, you need to enable alarm modules for generating
alarms by running the snmp-agent trap enable command.
Context
Procedure
Step 1 Run:
system-view

Step 2 Run:
The Switch Module is enabled to send alarms.
----End
8.1.17.3 (Optional) Enabling the Switch Module to Send an Alarm Message

of a Specified Feature to the NM Station
Context
Do as follows on the Switch Module that requires an alarm to be enabled
separately:
Procedure
Step 1 Run:
system-view

Step 2 Run:
snmp-agent trap enable feature-name feature-name
The Switch Module is enabled to send an alarm message of a specified feature to

the NM station.
To disable a specified trap function, you can run the undo snmp-agent trap
enable feature-name command.
----End
8.1.17.4 Configuring the Destination Host of Informing Messages

This part describes how to configure the destination address (IP address of the
NM Station) for Inform messages.
Context
NOTE
When configuring the destination host, you must first ensure that the Switch Module and
the destination host are reachable.
Procedure
Step 1 Run:
system-view
Step 2 Run:
snmp-agent target-host inform address udp-domain ip-address [ udp-port port-number ] params
securityname security-string v2c
The destination host to which Inform messages are sent is configured.
Only SNMPv2c support the Inform mode.
To enable the Switch Module to propagate the alarms in Inform mode, you can
use the snmp-agent trap enable command in conjunction with the snmp-agent
target-host inform command.
----End
8.1.17.5 (Optional) Configuring Global Parameters for the Informing Mode

If the current network is unstable, you need to increase the timeout period for
confirming the alarm. At the same time, you need to increase the retransmission
times and the maximum number of pending alarms.
Context

Procedure
Step 1 Run:
system-view

Step 2 Run:
snmp-agent inform { timeout seconds | resend-times times | pending number }*
The timeout period for waiting for Informing ACK messages, the times to re-send
Informing messages, and the maximum pieces of pending alarms (alarms waiting
for being acknowledged) are set.
By default, the timeout period for waiting for Informing ACK messages is 15
seconds, the times to re-send Informing messages are set to 3, and the maximum
pieces of pending alarms (alarms waiting for being acknowledged) are 39.
----End
Follow-up Procedure
If the current network is unstable, you must set a longer timeout period for
waiting for Informing ACK messages and simultaneously increase the times to re-
send Informing messages and the maximum pieces of pending alarms (alarms
waiting for being acknowledged).
8.1.17.6 (Optional) Configuring the Parameters for the Informing Mode
Context
Procedure
Step 1 Run:
system-view

Step 2 Run:
snmp-agent inform { timeout seconds | resend-times times } * address udp-domain ip-address params
securityname security-string
The timeout period for the destination host to acknowledge Informing messages
and the times to re-send Inform messages are set.
By default, the timeout period for the destination host to acknowledge Informing
messages is 15 seconds and the times to re-send Informing messages are set to 3.
----End
8.1.17.7 (Optional) Configuring the Logging Function for the Informing

Mode
If the Switch Module and the destination host cannot communicate because of a
link failure, the Switch Module no longer sends Inform messages to send traps but

keeps generating trap logs. When the link recovers, the Switch Module updates
trap logs recorded during the link failure to the host destination.
Context
Procedure
Step 1 Run:
system-view
Step 2 Run:
snmp-agent notification-log enable
The alarm logging function is enabled.
After the alarm logging function is enabled, the system records the alarms
propagated only through the Informing mode.
By default, the alarm logging function is disabled.
Step 3 Run:
snmp-agent notification-log { global-ageout ageout | global-limit limit } *
The aging time of alarm logs and the maximum pieces of alarm logs allowed to
be saved in the log buffer are set.
By default, the aging time of alarm logs is 24 hours. If the aging time expires, the
alarms logs are automatically deleted.
By default, the log buffer can save a maximum of 500 alarm logs. If the number
exceeds the limit, the alarm log saved earliest is deleted first.
----End

After sending traps in Inform mode is enabled, you can view corresponding
parameters.
Prerequisites
The configurations of the Alarms in the Inform Mode are complete.
Procedure
● Run the display snmp-agent target-host command to view the information
about destination host.
● Run the display snmp-agent inform [ address udp-domain ip-address
params securityname security-string ] command to view the parameters
about the Inform mode configured globally or on specified destination host
and statistics about the host.

● Run the display snmp-agent notification-log info command to view the

information about alarm logs in the alarm buffer.
----End
Example
Run the display snmp-agent target-host command, and you can view
information about the destination host.
<Base> display snmp-agent target-host
Target-host NO. 1
-----------------------------------------------------------
IP-address : 2.2.2.2
VPN instance : -
Security name : abc
Port : 23
Type : inform
Version : v2c
Level : No authentication and privacy
NMS type : NMS
-----------------------------------------------------------
Target-host NO. 2
-----------------------------------------------------------
VPN instance : -
Security name : aaa
Port : 22
Type : trap
Version : v2c
NMS type : HW NMS
-----------------------------------------------------------
Run the display snmp-agent inform command, and you can view the
configurations of the alarms sent in Inform mode.
<Base> display snmp-agent inform
Global config: resend-times 3, timeout 15s, pending 39
Global status: current notification count 0
Target-host ID: VPN instance/IP-Address/Security name
-/1.1.1.1/public:
Config: resend-times 3, timeout 15s
Status: retries 0, pending 0, sent 0, dropped 0, failed 0, confirmed 0
Run the display snmp-agent notification-log info command, and you can view
the logs generated by alarms in the log buffer.
<Base> display snmp-agent notification-log info
Notification log information :
Notification Admin Status : enable
GlobalNotificationsLogged : 0
GlobalNotificationsBumped : 0
GlobalNotificationsLimit : 500
GlobalNotificationsAgeout : 24
Total number of notification log : 0
8.1.18 Configuring the Extended Error Code Function on the

SNMP Agent
This section describes how to enable the extended SNMP error code function.
After this function is enabled, packets sent from the device to the NMS carry
extended error codes. The extended SNMP error code function is allowed only on
Huawei NMS.


Before enabling the extended SNMP error code function, familiarize yourself with
accurately.
The extended error code function can help the Switch Module to enrich the
information contained in the error codes sent to the NM station.
Before configuring the extended error code function, complete the following task:
● Configuring a reachable route between the Switch Module and the NM
station
Data Preparation
None
8.1.18.2 Enabling the Extended Error Code Function on the SNMP Agent
By default, packets sent from the device to the NMS carry standard SNMP error
codes. After the extended SNMP error code function is enabled, packets sent from
the device to the NMS carry extended error codes.
Context
Do as follows on the Switch Module.
Procedure
Step 1 Run:
system-view

Step 2 Run:
snmp-agent extend error-code enable
The extended error code function on the SNMP agent is enabled.
----End

After the extended SNMP error code function is enabled, you can view the status
of extended SNMP error codes.
Prerequisites
The configurations of the extended error code function are complete.

Procedure
Step 1 Run the display snmp-agent extend error-code status command to check
whether the extended error code function is enabled on the SNMP agent.
----End
Example
Run the display snmp-agent extend error-code status command to check
whether the extended error code function is enabled on the SNMP agent.
<Base> display snmp-agent extend error-code status
Extend error-code status:enabled

This section provides several configuration examples of SNMP.
8.1.19.1 Example for Configuring Basic SNMPv1 Functions
As shown in Figure 8-3, the NMS accesses the Switch through SNMP and
manages the Switch.
Figure 8-3 Networking diagram for configuring basic SNMP functions
2. Set the version of SNMP.
3. Set the SNMP community name.
Data Preparation
● IP addresses of interfaces
● SNMP version
● Community name

Procedure
Step 1 Configure IP addresses of the interfaces. The configuration procedure is not
mentioned here.
Step 2 Enable the SNMP function.
# Enter the system view and enable the SNMP function.
<Base> system-view
[Base] sysname Switch
[Switch] snmp-agent
Step 3 Set the version of SNMP.

NOTE
By default, the SNMP version is v3.
# Set the version of SNMP to v1.

[Switch] snmp-agent sys-info version v1
Step 4 Set the SNMP community name.

# Set the name of SNMP read community.
[Switch] snmp-agent community read Huawei123$
# Set the name of SNMP write community.

[Switch] snmp-agent community write Huawei!@34

# Display the configured community names.
[Switch] display snmp-agent community
----End
Configuration Files
The configuration file on the Switch is as follows:
#
sysname Switch
#
vlan batch 100
#
interface Vlanif100
ip address 1.1.1.2 255.255.255.0
#
#
snmp-agent
snmp-agent local-engineid 000007DB7F00000100003598
snmp-agent community read cipher %$%$-yqBSyTXbNM8OIV)`6kHeri`%$%$

snmp-agent community write cipher %$%$k(1p/_Kz26BP~9I"7`]

snmp-agent sys-info version v1 v3
#
return
8.1.19.2 Example for Specifying an NMS to Manage the Switch
In Figure 8-4, a reachable route exists between the NMS and the Switch. The IP
address of the NMS is 1.1.1.1/24; the interface connecting the Switch to the
network resides on 2.2.2.2/24. The Switch can be remotely managed by the
specified NMS.
To rectify faults quickly, you need to add the contact information about the
administrator and the location information on the Switch.
The Switch needs to monitor the status of batch statistics collection. If the
statistics collection fails, the Switch sends a trap message to the NMS.
Figure 8-4 Networking diagram for specifying an NMS to manage the Switch
To configure the configuration roadmap, perperform the following steps:
1. Start the SNMP agent on the Switch.

2. Set the SNMP version.
3. Set the SNMP community name and access right.
4. Set the contact information about the administrator and the physical location
of the Switch.
5. Configure the trap function.
6. Configure the NMS.
Data Preparation
● SNMP version
● Community name and access right
● Administrator information and location of the Switch
● Number of an ACL

Procedure
Step 1 Configure reachable routes between the Switch and the NMS.
Step 2 Configure the access control function of SNMP.

# Enter the system view, delete the version number of SNMP used in the system.
[Switch] undo snmp-agent sys-info version all
# Start the SNMP agent, and set the SNMP version to SNMPv2c.
[Switch] snmp-agent sys-info version v2c
# Set the community name and the access right.

[Switch] snmp-agent community read Test12#$ acl 2000
[Switch] snmp-agent community write Huawei!@34 acl 2000
Step 3 Configure the SNMP maintenance information.
# Set the contact information about the administrator and the physical location of
the Switch.
[Switch] snmp-agent sys-info contact Mr.Wang-Tel:21657
[Switch] snmp-agent sys-info location telephone-closet,2rd-floor
Step 4 Configure the ACL.

[Switch] acl 2000
[Switch-acl-basic-2000] rule permit source 1.1.1.1 0
Step 5 Configure the trap function.

[Switch] snmp-agent trap enable
[Switch] snmp-agent target-host trap address udp-domain 1.1.1.1 params securityname public v2c
private-netmanager
Step 6 Configure the NMS.
For details on how to configure NMS, see the relevant NMS configuration guide.
Step 7 Verify the configurations.
# View the SNMP version and the maintenance information.

[Switch] display snmp-agent sys-info
Mr.Wang-Tel:21657
telephone-closet,2rd-floor
SNMPv2c
# View the community name.

[Switch] display snmp-agent community
Acl:2000
Acl:2000

# When a trap message is generated and reported to the NMS, you can run the
display trapbuffer command to view details about the trap.
[Switch] display trapbuffer
Trapping buffer configuration and contents : enabled
Allowed max buffer size : 1024
Actual buffer size : 256
Channel number : 3 , Channel name : trapbuffer
Dropped messages : 0
Overwritten messages : 0
Current messages : 1
#Feb 1 08:49:55 2009 Switch ENTMIB/4/TRAP:1.3.6.1.2.1.47.2.0.1 Entity MIB change.
----End
Configuration Files
#
sysname Switch
#
vlan batch 100
#
acl number 2000
rule permit source 1.1.1.1 0
#
interface Vlanif100
ip address 2.2.2.2 255.255.255.0
#
#
snmp-agent
snmp-agent local-engineid 000007DB7F000001000031E7
snmp-agent community read cipher %$%$-yqBSyTXbNM8OIV)`6kHeri`%$%$ acl 2000
snmp-agent community write cipher %$%$k(1p/_Kz26BP~9I"7`] acl 2000
snmp-agent sys-info contact Mr.Wang-Tel:21657
snmp-agent sys-info location telephone-closet,2rd-floor
undo snmp-agent sys-info version v3
snmp-agent target-host trap address udp-domain 1.1.1.1 params securityname public v2c private-
netmanager
netmanager
netmanager
8.1.19.3 Example for Configuring Different NMSs to Access the Switch
As shown in Figure 8-5, reachable routes exist between NMS1 and the Switch,
and between NMS2 and the Switch. The IP address of the interface connecting
NMS1 to the network is on 1.1.1.1/24; the IP address of the interface connecting
NMS2 to the network is on 1.1.1.2/24. The IP address of the Ethernet interface
connecting the Switch to the network is on 1.1.2.1/24.
By using the security feature of SNMPv3, configure NMS1 to completely control

the network and configure NMS2 to manage only the interfaces on the Switch.

Figure 8-5 Networking diagram for configuring different NMSs to access the
Switch
1. Configure basic SNMP functions on the Switch, including enabling the SNMP
agent and setting the SNMP version.
2. Configure the access rights.
3. Configure the trap function.
4. Configure the NMS.
Data Preparation
● SNMP version
● User group name and user name
● Information about the MIB objects
● Passwords for authentication and encryption
Procedure
Step 1 Configure reachable routes between the Switch and the NMSs. The configuration
procedure is not mentioned.
Step 2 Enable SNMPv3.
# Start the SNMP agent and set the SNMP version to SNMPv3.
[Switch] snmp-agent sys-info version v3
# View the version of SNMP.

[Switch] display snmp-agent sys-info version

SNMPv3
Step 3 Configure the access rights.

# Configure user group information.
[Switch] snmp-agent group v3 test1
[Switch] snmp-agent group v3 test2
# Configure the access view of the user group.

[Switch] snmp-agent group v3 test1 read-view c write-view c notify-view c
[Switch] snmp-agent group v3 test2 read-view b write-view b notify-view b
# Configure encryption and authentication for the user group.

[Switch] snmp-agent group v3 test1 privacy
[Switch] snmp-agent group v3 test1 authentication
# Configure user information.

[Switch]snmp-agent usm-user v3 NMS1 test1 authentication-mode md5 Test123 privacy-mode des56
Test123
[Switch] snmp-agent usm-user v3 NMS1 test2 authentication-mode md5 Test123 privacy-mode des56
Test123
# Configure the MIB view.

[Switch] snmp-agent mib-view include b interfaces
[Switch] snmp-agent mib-view include c iso
NOTE
The default view is internet, excluding snmpUsmMIB, snmpVacmMIB, and snmpModules.18.

Modifying the attributes of snmpUsmMIB, snmpVacmMIB, or snmpModules.18 will lead to
security problem.
Step 4 Configure the trap function.

[Switch] snmp-agent trap enable
[Switch] snmp-agent target-host trap address udp-domain 1.1.1.1 params securityname NMS1 v3
privacy
[Switch] snmp-agent target-host trap address udp-domain 1.1.1.2 params securityname NMS2 v3
privacy

<Switch> display snmp-agent group
Group name: test1
Group name: test1
Security model: v3 AuthPriv
Group name: test2

Readview: b
Writeview: b
Notifyview :b
Group name: test2
Security model: v3 AuthPriv
# View information about the user.

<Switch> display snmp-agent usm-user
User name: NMS1
Engine ID: 000007DB7F000001000041BB active
User name: NMS2
Engine ID: 000007DB7F000001000041BB active
# Display the MIB view.

<Switch> display snmp-agent mib-view
View name:b
MIB Subtree:interfaces
Subtree mask:
View Type:included
View status:active
Subtree mask:
View Type:included
View status:active
Subtree mask:
View Type:excluded
View status:active
Subtree mask:
View Type:excluded
View status:active
Subtree mask:
View Type:excluded
View status:active
# When a trap is generated, you can run the display trapbuffer command to view
details about the trap.
[Switch] display trapbuffer
Trapping buffer configuration and contents : enabled
Allowed max buffer size : 1024
Actual buffer size : 256
Channel number : 3 , Channel name : trapbuffer
Dropped messages : 0
Overwritten messages : 0
Current messages : 1
#Feb 1 08:49:55 2009 Switch ENTMIB/4/TRAP:1.3.6.1.2.1.47.2.0.1 Entity MIB change.
----End

Configuration Files
#
sysname Switch
#
vlan batch 100
#
interface Vlanif100
ip address 1.1.2.1 255.255.255.0
#
#
snmp-agent
snmp-agent local-engineid 000007DB7F00000100000132
snmp-agent group v3 test1 read-view c write-view c notify-view c
snmp-agent group v3 test2 read-view b write-view b notify-view b
snmp-agent group v3 test1 privacy
snmp-agent group v3 test2 privacy
snmp-agent group v3 test1 authentication
snmp-agent group v3 test2 authentication
snmp-agent target-host trap address udp-domain 1.1.1.1 params securityname NMS1 v3 privacy
snmp-agent target-host trap address udp-domain 1.1.1.2 params securityname NMS2 v3 privacy
snmp-agent mib-view included b interfaces
snmp-agent mib-view included c iso
snmp-agent usm-user v3 NMS1 test1 authentication-mode md5 %$%$qDz;-uvV^(=Az@NZw
$!!>xof%$%$ privacy-mode des56 %$%$qDz;-uvV^(=Az@NZw$!!>xof%$%$ acl 2000
$!!>xof%$%$ privacy-mode des56 %$%$qDz;-uvV^(=Az@NZw$!!>xof%$%$ acl 2000
#
return
8.1.19.4 Example for Configuring Different NMSs to Access the Switch

(Inform Mode)
As shown in Figure 8-6, reachable routes exist between NMS1 and the Switch,
and between NMS2 and the Switch. The IP address of the interface connecting
NMS1 to the network is on 1.1.1.1/24; the IP address of the interface connecting
NMS2 to the network is on 1.1.1.2/24. The IP address of the Ethernet interface
connecting the Switch to the network is on 1.1.2.1/24.
By using the security feature of SNMPv3, configure NMS1 to completely control
the network and configure NMS2 to manage only the interfaces on the Switch.
The NMSs manage the Switch remotely. The Switch sends trap messages to the
NMSs in Inform mode.

Figure 8-6 Networking diagram for configuring different NMSs to access the
Switch (inform mode)
1. Configure basic SNMP functions on the Switch, including enabling the SNMP
agent and setting the SNMP version.
2. Configure access rights.
3. Configure the Inform function.
4. Configure the NMSs.
Data Preparation
● SNMP version
● Information about the user group and users
● Information about the MIB objects
● Passwords for authentication and encryption
Procedure
Step 2 Configuring basic SNMP functions
# Enter the system view, start the SNMP agent, and set the SNMP version to
SNMPv2c and SNMPv3.
<Base> system-view
[Base] sysname Switch
[Switch] snmp-agent
[Switch] snmp-agent sys-info version v2c v3

Step 3 Configure the access rights.

# Configure user group information.
[Switch] snmp-agent group v3 test1 read-view a write-view a notify-view a
[Switch] snmp-agent group v3 test2 read-view b write-view b notify-view b
# Configure encryption and authentication for the user group.

# Configure user information.

[Switch] ssnmp-agent usm-user v3 NMS1 test1 authentication-mode md5 Test123 privacy-mode des56
Huawei123
[Switch] snmp-agent usm-user v3 NMS1 test2 authentication-mode md5 Test123 privacy-mode des56
Huawei123
# Configure the MIB view.

[Switch] snmp-agent mib-view include a iso
[Switch] snmp-agent mib-view include b interfaces
NOTE
The default MIB view is internet, excluding snmpUsmMIB, snmpVacmMIB, or snmpModules.

18. Modifying the attributes of snmpUsmMIB, snmpVacmMIB, or snmpModules.18 may
pose a threat to network security.
Step 4 Configure the Inform function.

# Enable the trap function.
[Switch]snmp-agent trap enable
# Configure the Switch to send trap messages to the NMSs in inform mode.
[Switch] snmp-agent target-host inform address udp-domain 1.1.1.1 params securityname NMS1 v2c
[Switch] snmp-agent target-host inform address udp-domain 1.1.1.2 params securityname NMS2 v2c

# View the version of SNMP.
<Switch> display snmp-agent sys-info
R&D Nanjing, Huawei Technologies co.,Ltd.

Nanjing China

SNMPv3
# View information about the user group.

<Switch> display snmp-agent group
Group name: test1
Readview: a
Writeview: a

Notifyview :a
Group name: test2

Readview: b
Writeview: b
Notifyview :b
# View information about the user.

[Switch] display snmp-agent usm-user
User name: NMS1
Engine ID: 000007DB7FFFFFFF00005BD0 active
User name: NMS2

Engine ID: 000007DB7FFFFFFF00005BD0 active
# View information about the Inform mode.

<Switch> display snmp-agent inform
Global config: resend-times 3, timeout 15s, pending 39
Global status: current notification count 3
Target-host ID: VPN instance/IP-Address/Security name
-/1.1.1.1/NMS1:
-/1.1.1.2/NMS2:
----End
Configuration Files
#
sysname Switch
#
vlan batch 100
#
interface Vlanif100
ip address 1.1.2.1 255.255.255.0
#
#
snmp-agent
snmp-agent local-engineid 000007DB7F000001000079AB
snmp-agent sys-info version v2c v3
snmp-agent group v3 test1 read-view a write-view a notify-view a
snmp-agent group v3 test2 read-view b write-view b notify-view b
snmp-agent target-host inform address udp-domain 1.1.1.2 params securityname NMS2 v2c
snmp-agent target-host inform address udp-domain 1.1.1.1 params securityname NMS1 v2c
snmp-agent mib-view included a iso
snmp-agent mib-view included b interfaces
$!!>xof%$%$ privacy-mode des56 %$%$qDz;-uvV^(=Az@NZw$!!>xof%$%$
$!!>xof%$%$ privacy-mode des56 %$%$qDz;-uvV^(=Az@NZw$!!>xof%$%$#
return

8.1.19.5 Example for Enabling the Extended Error Code Function on the
SNMP Agent
After configuring the SNMP error code function, the NMS can receive more
detailed information about the router.
As shown in Figure 8-7, a reachable Switch Module exists between the NM station
and the Switch Module. The NM station manages the Switch Module through the
SNMP agent.
Figure 8-7 Networking diagram of enabling the extended error code function on
the SNMP agent
1. Configure the SNMP version.

2. Enable the extended error code function on the SNMP agent.
Data Preparation
● Version number of SNMP
Procedure
Step 2 Configure the SNMP version.
# Configure the version of SNMPv2.
<Base> system-view
[Base] snmp-agent sys-info version v2c
Step 3 Enable the extended error code function on the SNMP agent.
# Enable the extended error code function on the SNMP agent.

[Base] snmp-agent extend error-code enable

Step 4 Check the configuration.
# Check whether the extended error code function is enabled on the SNMP agent.
[Base] display snmp-agent extend error-code status
Extend error-code status:enabled
----End
Configuration Files
#
sysname Switch
vlan batch 10
#
interface Vlanif10
ip address 10.1.1.1 255.255.255.0
#
#
snmp-agent
snmp-agent extend error-code enable
snmp-agent local-engineid 000007DB7F0000010000393C
snmp-agent sys-info version v2c v3
#
return
8.1.19.6 Example for Configuring Alarm Messages to Be Sent to the Huawei

NMS
As shown in Figure 8-8, when the configuration changes or fault occurs on the
Switch Module, the Switch Module automatically sends an alarm message to the
specified NMS. The alarm message sent by Huawei devices to the Huawei NMS
contains the sending time and ID of the alarm message in addition to the
information defined in the protocol.
Figure 8-8 Networking diagram of configuring alarm messages to be sent to the

Huawei NMS

2. Configure the SNMP version.
3. Configure alarm messages to be sent to the Huawei NMS.
Data Preparation
● IP address of Interface.
● SNMP version
● Source interface for sending alarm messages
● IP address of the NMS
Procedure
Step 1 Assign an IP addresses to the interfaces. The configuration details are not
mentioned here.
Step 2 Configure the SNMP version.
# Configure the SNMP version to v2c.
<Base> system-view
[Base] snmp-agent sys-info version v2c
Step 3 Configure alarm messages to be sent to the NMS.

# Enable the SNMP agent to send alarm messages.
[Base] snmp-agent trap enable
# Configure the source interface that sends alarm messages to the NMS.
[Base] snmp-agent trap source Vlanif10
# Assign an IP address to the NMS that receives the alarm messages.

[Base] snmp-agent target-host trap address udp-domain 11.1.1.1 params securityname public v2c
private-netmanager

# Display the IP address assigned to the NMS that receives the alarm messages.
[Base] display snmp-agent target-host
Target-host NO. 1
-----------------------------------------------------------
VPN instance : -
Security name : a
Port : 162
Type : trap
Version : v2c
NMS type : HW NMS
-----------------------------------------------------------
----End

Configuration File
Configuration file of the Switch Module
#
sysname Base
#
vlan batch 10
#
interface LoopBack0
ip address 1.1.1.1 255.255.255.255
#
interface Vlanif10
ip address 11.1.1.2 255.255.255.0
#
#
snmp-agent
snmp-agent local-engineid 800007DB03001882817A30FC
netmanager
snmp-agent trap source LoopBack0
#
return
8.2 Ping and Tracert

This chapter describes basic concepts and applications of the ping and tracert
commands.
8.2.1 Ping
This topic describes the functions and theory of the ping command.
Figure 8-9 shows the ping process.After you run the ping command, an Internet
Control Message Protocol (ICMP) Echo Request message is sent to the destination.
The destination then returns an ICMP Echo Reply message immediately when
receiving the ICMP Echo Request message.
Figure 8-9 Principle of the ping operation

Ping tests IP reachability and status of the link between the source and the
destination by checking whether the destination sends back an ICMP Echo Reply
message and measuring the interval between sending the ICMP Echo Request
message and receiving the ICMP Echo Reply message.
Figure 8-10 Format of ICMP Echo Request and Echo Reply messages
Figure 8-10 shows the format of ICMP Echo Request and Echo Reply messages.
The length of the Data field is a variable. You can specify the length of the Data
field in the ping command.
8.2.2 Tracert
This topic describes the functions and theory of the tracert command.
The CX91x series implements tracert based on ICMP. Tracert records the gateways
that the ICMP message passes along the path between a source host and a
destination. In this manner, you can check network connectivity and locate the
fault.
Figure 8-11 Principle of the tracert operation
Take the networking in Figure 8-11 as an example to show tracert

implementation on the CX91x series. On the CX91x series, run the tracert
command. The destination IP address is the IP address of the log host and other
parameters adopt the default values.
1. The CX91x series sends a UDP datagram to the log host, with the TTL value
being 1 and the destination UDP port number being 33434.

2. After receiving the UDP datagram from the CX91x series, Router-A finds that
the destination IP address carried in the datagram is not its own address.
Then, Router-A reduces the TTL value by 1. Finding that the TTL value reaches
0, Router-A sends an ICMP Time Exceeded message to the CX91x series.
3. After receiving the ICMP Time Exceeded message, the CX91x series increases
the TTL value and the UDP port number in the UDP datagram by 1
respectively and then sends out the UDP datagram again.
4. Repeat Step 2 and Step 3 until the log host receives the UDP datagram from
the CX91x series.
5. After receiving the UDP datagram from the CX91x series, the log host finds
that the destination is itself. It begins to process the datagram. The log host
tries to find the upper layer protocol corresponding to the destination UDP
port number carried in the datagram. In most cases, the UDP ports whose
number is greater than 30000 are not used by any protocols. Therefore, the
log host sends an ICMP Destination Unreachable message to the CX91x series
to notify the source that the destination port is unreachable.
6. After receiving the ICMP Destination Unreachable message from the log host,
the CX91x series knows that the UDP datagram has reached the destination
and thus stops running the tracert program.
In the preceding steps, the tracert program on the source records the IP addresses
of the gateways between the source and the destination through the ICMP Time
Exceeded message mentioned in Step 3.
8.2.3 Performing Ping and Tracert Operations

This section describes the execution of the ping and tracert commands.
Application Environment
The Customer Edge (CE) connected to the CX91x series cannot access the Internet.
You need to run the ping and tracert commands to check network connectivity.
Before performing ping and tracert operations, complete the following tasks:
● Checking the physical connections between the CE and the CX91x series
● Correctly configuring an IP address for the CE device
Data Preparation
To perform ping and tracert operations, you need the following data.
No. Data
1 IP address of the CE device

No. Data
2 IP address of the gateway
8.2.3.2 Checking Network Connectivity Through the Ping Operation
Context
Do as follows on the CX91x series:
Procedure
Step 1 Run:
ping [ ip ] [ -a source-ip-address | -c count | -d | -f | -h ttl-value | -i interface-type interface-number | -m
time | -n | -p pattern | -q | -r | -s packetsize | -t timeout | -tos tos-value | -v ] * host
Network connectivity is tested.
Only some of the parameters are specified in the preceding ping command. For
details on more parameters, refer to the CX91x Series Switch Modules
V100R001C00 Command Reference.
The output of the ping command is as follows:
● Response to each ICMP Echo Request message: If no Echo Reply message is

received within a certain period, a message of "Request time out" is displayed
in the output. Otherwise, the bytes of the data, the sequence number of the
message, the TTL value and the response time carried in the Reply message
are displayed.
● Statistics: total number of sent and received messages, percentage of
message loss, and minimum value, average value, and maximum value of the
response time.
<Base> ping 202.38.160.244
PING 202.38.160.244 : 56 data bytes, press CTRL_C to break
Reply from 202.38.160.244 : bytes=56 sequence=1 ttl=255 time = 1ms
--202.38.160.244 ping statistics--
0.00% packet loss
----End
8.2.3.3 Locating Faults on the Network Through the Tracert Operation
Context
Do as follows on the CX91x series:

Procedure
Step 1 Run:
tracert [ -a source-ip-address | -f first-ttl | -m max-ttl | -p port | -q nqueries | -w timeout ]* host
The tracert operation is performed to locate the fault on the network.

Only some of the parameters are specified in the preceding tracert command. For
details on more parameters, refer to the CX91x Series Switch Modules
V100R001C00 Command Reference.
The output of the tracert command displays a list of gateways traversed between
the source and the destination hosts.
<Base> tracert 18.26.0.115
traceroute to 18.26.0.115 (18.26.0.115), max hops: 30 ,packet length: 40
1 128.3.112.1 (128.3.112.1) 0 ms 0 ms 0 ms
2 128.32.216.1 (128.32.216.1) 19 ms 19 ms 19 ms
3 128.32.216.1 (128.32.216.1) 39 ms 19 ms 19 ms
4 128.32.136.23 (128.32.136.23) 19 ms 39 ms 39 ms
5 128.32.168.22) (128.32.168.22) 20 ms 39 ms 39 ms
6 128.32.197.4 (128.32.197.4) 59 ms 119 ms 39 ms
7 131.119.2.5 (131.119.2.5) 59 ms 59 ms 39 ms
8 129.140.70.13 (129.140.70.13) 80 ms 79 ms 99 ms
9 129.140.71.6 (129.140.71.6) 139 ms 139 ms 159 ms
10 129.140.81.7 (129.140.81.7) 199 ms 180 ms 300 ms
11 129.140.72.17 (129.140.72.17) 300 ms 239 ms 239 ms
12 * * *
13 128.121.54.72 (128.121.54.72) 259 ms 499 ms 279 ms
14 * * *
15 * * *
16 * * *
17 * * *
18 18.26.0.115 (18.26.0.115) 339 ms 279 ms 279 ms
----End

This section provides a configuration example of ping and tracert operations.
8.2.4.1 Example for Performing Ping and Tracert Operations
As shown in Figure 8-12, after configuring Switch A, you check the link between
Switch A and the log host. If Switch A and the log host are disconnected, you
cannot know which device fails because there are other network devices between
Switch A and the log host. To locate on which link segment the fault occurs, you
can perform ping and tracert operations.

Figure 8-12 Networking diagram of ping and tracert operations
1. Run the ping command on Switch A to check the connectivity between Switch
A and the log host.
2. Run the tracert command to locate the fault after you find that the link is
faulty.
Data Preparation
● IP addresses of the interfaces on Switch B (In this example, IP addresses of
the interfaces are 1.1.1.2/8 and 2.1.1.1/8.)
● IP addresses of the interfaces on Router (In this example, IP addresses of the
interfaces are 2.1.1.2/8 and 3.1.1.1/8.)
● IP address of the log host (In this example, the IP address of the log host is
3.1.1.2/8.)
Procedure
Step 1 Run the ping command.
# Run the ping command on Switch A to check the connectivity between Switch A
and the log host.
<Base> ping 3.1.1.2
Request time out
Request time out
Request time out
Request time out
Request time out

100.00% packet loss
The display on Switch A shows that the log host is unreachable, which indicates
that a fault occurs on some link segment between Switch A and the log host.

Step 2 Run the tracert command.

# Run the tracert command on Switch A to locate which link segment fails.
<Base> tracert 3.1.1.2
traceroute to 3.1.1.2(3.1.1.2) 30 hops max,40 bytes packet
1 1.1.1.2 4 ms 5 ms 5 ms
2 * * *
3 * * *
4 * * *
5 * * *
6 * * *
7 * * *
8 * * *
¡
The preceding display shows that the ICMP Echo Request message passes Switch B
but does not reach Router. It indicates that the link between Switch B and Router
fails. After the link between Switch B and Router is recovered, you can repeat Step
1 and Step 2 to ensure that Switch A and the log host can communicate properly.
----End
Configuration Files
None.

CX91x Series Switch Modules V100R001C00 Configuration Guide 09

Uploaded by

Copyright:

Available Formats

You might also like

CX91x Series Switch Modules V100R001C00 Configuration Guide 09

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

CX91x Series Switch Modules V100R001C00 Configuration Guide 09

Uploaded by

Copyright:

Available Formats

CX91x Series Switch Modules

HUAWEI TECHNOLOGIES CO., LTD.

Trademarks and Permissions

Huawei Technologies Co., Ltd.

Issue 09 (2022-06-30) Copyright © Huawei Technologies Co., Ltd. i

About This Document

Huawei Support 10GE Switching Plane Reference Document

V100R001C00 or 1.1.0.200.3 See this document.

V100R001C10 or 1.2.1.0.39 See the CX11x, CX31x,

Issue 09 (2022-06-30) Copyright © Huawei Technologies Co., Ltd. ii

● Data configuration engineers

Indicates an imminently hazardous situation which, if

Indicates a potentially hazardous situation which, if

Indicates a potentially hazardous situation which, if

Indicates a potentially hazardous situation which, if

Calls attention to important information, best

Boldface The keywords of a command line are in boldface.

Issue 09 (2022-06-30) Copyright © Huawei Technologies Co., Ltd. iii

Italic Command arguments are in italics.

[] Items (keywords or arguments) in brackets [ ] are

{ x | y | ... } Optional items are grouped in braces and separated

[ x | y | ... ] Optional items are grouped in brackets and

{ x | y | ... }* Optional items are grouped in braces and separated

[ x | y | ... ]* Optional items are grouped in brackets and

&<1-n> The parameter before the & sign can be repeated 1

# A line starting with the # sign is comments.

Interface Numbering Conventions

Issue 09 (2022-06-30) Copyright © Huawei Technologies Co., Ltd. iv

Issue Date Description

09 2022-06-30 Updated the document links.

08 2019-11-30 This issue is the eighth official release.

07 2017-09-04 This issue is the seventh official release,

06 2017-03-27 This issue is the sixth official release, and

05 2015-02-16 This issue is the fifth official release, and

Issue 09 (2022-06-30) Copyright © Huawei Technologies Co., Ltd. v

Issue Date Description

04 2014-11-10 This issue is the fourth official release,

03 2014-09-15 This issue is the third official release, and

02 2014-07-30 This issue is the second official release,

01 2013-11-18 This issue is the first official release.

Issue 09 (2022-06-30) Copyright © Huawei Technologies Co., Ltd. vi

About This Document................................................................................................................ ii

Issue 09 (2022-06-30) Copyright © Huawei Technologies Co., Ltd. vii

1.3.2.4 Configuring the Description for an Interface....................................................................................................... 28

Issue 09 (2022-06-30) Copyright © Huawei Technologies Co., Ltd. viii

1.6.3.3 Switching a Directory....................................................................................................................................................44

Issue 09 (2022-06-30) Copyright © Huawei Technologies Co., Ltd. ix

1.8.3.3 Uploading Files Through TFTP.................................................................................................................................. 62

Issue 09 (2022-06-30) Copyright © Huawei Technologies Co., Ltd. x

2.1.4.3 (Optional) Configuring the Interface Group........................................................................................................ 90

Issue 09 (2022-06-30) Copyright © Huawei Technologies Co., Ltd. xi

2.3.3.1 Establishing the Configuration Task......................................................................................................................122

Issue 09 (2022-06-30) Copyright © Huawei Technologies Co., Ltd. xii

2.4.6.1 Example for Configuring the MAC Address Table............................................................................................ 143

Issue 09 (2022-06-30) Copyright © Huawei Technologies Co., Ltd. xiii

2.6.6 Maintaining MSTP.......................................................................................................................................................... 180

3 Configuration Guide-IP Services...................................................................................... 189

4 Configuration Guide-QoS.................................................................................................. 195

Issue 09 (2022-06-30) Copyright © Huawei Technologies Co., Ltd. xiv