01-06 Typical Ethernet Switching Configuration

Sx300 Series Switches
Typical Configuration Examples 6 Typical Ethernet Switching Configuration
6 Typical Ethernet Switching

Configuration
6.1 Typical MAC Configuration

6.2 Link Aggregation Configuration
6.3 Typical VLAN Configuration
6.4 Typical QinQ Configuration
6.5 Typical Examples of MSTP/RRPP/SEP/VBST
6.6 Typical Loopback Detection Configuration
6.1 Typical MAC Configuration
6.1.1 Example for Configuring Static MAC Address Entries
Overview
MAC address entries are automatically generated when the switch learns the
source MAC addresses of packets. Static MAC address entries are manually
configured.
A network administrator manually adds MAC address entries of authorized users

into the MAC address table. The static MAC address entries are often used to
prevent unauthorized users from intercepting data of authorized users.
If a large number of static MAC address entries are manually configured, network
maintenance can be difficult. You can enable port security to dynamically bind
MAC addresses to interfaces.
Configuration Notes
This example applies to all versions of all S series switches.
Issue 38 (2023-11-30) Copyright © Huawei Technologies Co., Ltd. 344

Networking Requirements
In Figure 6-1, the server connects to the switch through GE1/0/2. To prevent the
switch from broadcasting packets destined for the server, the static MAC address
entry of the server needs to be configured on the switch. This ensures that the
switch unicasts packets destined for the server through GE1/0/2. The MAC address
of the PC is statically bound to GE1/0/1 to ensure secure communication between
the PC and server.
Figure 6-1 Networking for configuring static MAC address entries
Configuration Roadmap
The configuration roadmap is as follows:
1. Create a VLAN on the switch and add an interface to the VLAN to implement
Layer 2 forwarding.
2. Configure the static MAC address entry of the server on the switch.
3. Configure the static MAC address entry of the PC on the switch.
Procedure
Step 1 Create VLAN 2 on the switch and add GE1/0/1 and GE1/0/2to VLAN 2.
<Quidway> system-view
[Quidway] sysname Switch
[Switch] vlan batch 2 //Create VLAN 2.
[Switch] interface gigabitethernet 1/0/1
[Switch-GigabitEthernet1/0/1] port link-type access //The interface connected to the PC must be the
access interface. The default link type of an interface is not access, so you need to manually configure the
access interface.
[Switch-GigabitEthernet1/0/1] port default vlan 2 //Add GE1/0/1 to VLAN 2.
[Switch-GigabitEthernet1/0/1] quit
[Switch] interface gigabitethernet 1/0/2 //The configuration of GE1/0/2 is similar to that of GE1/0/1.
[Switch-GigabitEthernet1/0/2] port link-type access
[Switch-GigabitEthernet1/0/2] port default vlan 2

Step 2 Configure the static MAC address entry of the server on the switch.
[Switch] mac-address static xxxx-xxxx-xxx4 gigabitethernet 1/0/2 vlan 2
Step 3 Configure the static MAC address entry of the PC on the switch.
[Switch] mac-address static xxxx-xxxx-xxx2 gigabitethernet 1/0/1 vlan 2
Step 4 Verify the configuration.

# Run the display mac-address static vlan 2 command in any view to check
whether static MAC address entries were successfully added to the MAC address
table.
[Switch] display mac-address static vlan 2
-------------------------------------------------------------------------------
MAC Address VLAN/VSI Learned-From Type
-------------------------------------------------------------------------------
xxxx-xxxx-xxx2 2/- GE1/0/1 static
xxxx-xxxx-xxx4 2/- GE1/0/2 static
-------------------------------------------------------------------------------
Total items displayed = 2
----End
Configuration Files
Switch configuration file
#
sysname Switch
#
vlan batch 2
#
interface GigabitEthernet1/0/1
port link-type access
port default vlan 2
#
port default vlan 2
#
mac-address static xxxx-xxxx-xxx2 GigabitEthernet1/0/1 vlan 2
mac-address static xxxx-xxxx-xxx4 GigabitEthernet1/0/2 vlan 2
#
return
6.1.2 Example for Configuring Blackhole MAC Address Entries

Overview
Blackhole MAC address entries can be used to prevent attacks from unauthorized
users. The switch discards packets from or destined to blackhole MAC addresses.
Configuration Notes
As shown in Figure 6-2, the switch receives a packet from an unauthorized PC
whose MAC address is 0005-0005-0005 and belongs to VLAN 3. This MAC address

can be configured as a blackhole MAC address to filter packets from the

unauthorized user.
Figure 6-2 Networking for configuring blackhole MAC address entries
1. Create a VLAN to implement Layer 2 forwarding.
2. Configure a blackhole MAC address to block packets from this MAC address.
Procedure
Step 1 Configure a blackhole MAC address entry.
[Switch] vlan 3 //Create VLAN 3.
[Switch-vlan3] quit
[Switch] mac-address blackhole xxxx-xxxx-xxx5 vlan 3 //Configure MAC address 0005-0005-0005 as the
blackhole MAC address in VLAN 3.

# Run the display mac-address blackhole command in any view to check
whether the blackhole MAC address entry was successfully added to the MAC
address table.
[Switch] display mac-address blackhole
-------------------------------------------------------------------------------
MAC Address VLAN/VSI Learned-From Type
-------------------------------------------------------------------------------
xxxx-xxxx-xxx5 3/- - blackhole
-------------------------------------------------------------------------------
Total items displayed = 1
----End
Configuration Files

#
sysname Switch
#
vlan batch 3
#
mac-address blackhole xxxx-xxxx-xxx5 vlan 3
#
return
6.1.3 Example for Configuring MAC Address Limiting in a

VLAN
Overview
The switch limits the number of MAC address entries based on VLANs or
interfaces. In offices where clients seldom change, you can configure MAC address
limiting to control user access. This can protect against certain attacks. For
example, if an attacker forges a large number of packets with different source
MAC addresses and sends the packets to the device, finite MAC address entries in
the MAC address table of the device may be exhausted. When the MAC address
table is full, the device cannot learn source MAC addresses of valid packets. As a
result, the device broadcasts the valid packets, wasting bandwidth resources.
MAC address limiting in a VLAN can limit the number of MAC address entries on
multiple interfaces in a VLAN.
Configuration Notes
● After the port-security enable command is configured on an interface, MAC
address limiting cannot take effect on the interface. Do not configure port
security and MAC address limiting on the same interface simultaneously.
● This example applies to all versions of all S series switches.
● After the number of learned MAC address entries reaches the limit, SA cards
of S series and F series cards of chassis devices and box devices (excluding the
S5320-EI) cannot discard packets with nonexistent source MAC addresses.
In Figure 6-3, user network 1 is connected to GE1/0/1 of the switch through
LSW1, user network 2 is connected to GE1/0/2 of the switch through LSW2, and
GE1/0/1 and GE1/0/2 belong to VLAN 2. To control the number of access users,
configure MAC address limiting in VLAN 2.

Figure 6-3 Networking of MAC address limiting in a VLAN
1. Create a VLAN and add interfaces to the VLAN to implement Layer 2

forwarding.
2. Configure MAC address limiting in a VLAN to prevent MAC address attacks
and control the number of access users.
Procedure
Step 1 Create VLAN 2 and add GE1/0/1 and GE1/0/2 to VLAN 2.
[Switch] vlan batch 2
[Switch-GigabitEthernet1/0/1] port link-type trunk //Configure the link type of the interface as trunk.
[Switch-GigabitEthernet1/0/1] port trunk allow-pass vlan 2 //Add GE1/0/1 to VLAN 2.
[Switch] interface gigabitethernet 1/0/2 //The configuration of GE1/0/2 is similar to the configuration of
GE1/0/1.
[Switch-GigabitEthernet1/0/2] port link-type trunk
[Switch-GigabitEthernet1/0/2] port trunk allow-pass vlan 2
Step 2 Configure the following MAC address limiting rule in VLAN 2: A maximum of 100
MAC addresses can be learned. When the number of learned MAC address entries
reaches the limit, the device forwards the packets with new source MAC address
entries and generates an alarm.
[Switch] vlan 2
[Switch-vlan2] mac-limit maximum 100 action forward //The default action taken for packets in
different versions is different. You are advised to manually configure the action. For fixed switches, the
action parameter can be set in the VLAN view only on the S5320-EI. On other fixed switches, the forward
action is used in the VLAN view by default, and the action parameter does not need to be set. The alarm
function is enabled by default, so you do not need to configure the alarm function manually.
[Switch-vlan2] quit

# Run the display mac-limit command in any view to check whether the MAC
address limiting rule is successfully configured.
[Switch] display mac-limit
MAC limit is enabled
Total MAC limit rule count : 1
PORT VLAN/VSI SLOT Maximum Rate(ms) Action Alarm

----------------------------------------------------------------------------
- 2 - 100 - forward enable
----End
Configuration Files
#
sysname Switch
#
vlan batch 2
#
vlan 2
mac-limit maximum 100 action forward
#
port link-type trunk
port trunk allow-pass vlan 2
#
#
return
6.1.4 Example for Configuring MAC Address Limiting on an

Interface
Overview
The switch limits the number of MAC address entries based on VLANs or
interfaces. In offices where clients seldom change, you can configure MAC address
limiting to control user access. This can protect against certain attacks. For
example, if an attacker forges a large number of packets with different source
MAC addresses and sends the packets to the device, finite MAC address entries in
the MAC address table of the device may be exhausted. When the MAC address
table is full, the device cannot learn source MAC addresses of valid packets. As a
result, the device broadcasts the valid packets, wasting bandwidth resources.
MAC address limiting on an interface can be used in scenarios where users

connected to an interface in small and medium-sized enterprises are fixed and
seldom change.
Configuration Notes
● After port-security enable is configured on an interface, MAC address
limiting cannot be configured on the interface.

In Figure 6-4, user network 1 and user network 2 connect to the switch through
the LSW, and GE1/0/1 of the switch connects to the LSW. User network 1 and user
network 2 belong to VLAN 10 and VLAN 20 respectively. On the switch, MAC
address limiting can be configured on GE1/0/1 to control the number of access
users.
Figure 6-4 Networking of MAC address limiting on an interface
1. Create VLANs and add interfaces to the VLANs to implement Layer 2

forwarding.
2. Configure MAC address limiting on an interface to control the number of
access users.
Procedure
Step 1 Create VLAN 10 and VLAN 20 and add GE1/0/1 to VLAN 10 and VLAN 20.
[Switch] vlan batch 10 20 //Create VLAN 10 and VLAN 20.
[Switch-GigabitEthernet1/0/1] port trunk allow-pass vlan 10 20 //Add GE1/0/1 to VLAN 10 and VLAN 20.

Step 2 Configure the switch to learn a maximum of 100 MAC address entries on GE1/0/1.
When the number of learned MAC address entries reaches the limit, the switch
discards the packets with new source MAC address entries and generates an
alarm.
[Switch-GigabitEthernet1/0/1] mac-limit maximum 100 action discard //The default action taken for
packets in different versions is different. You are advised to manually specify the action. The alarm function
is enabled by default, so you do not need to specify it manually.

# Run the display mac-limit command in any view to check whether the MAC
address limiting rule is successfully configured.
[Switch] display mac-limit
MAC limit is enabled
Total MAC limit rule count : 1
PORT VLAN/VSI SLOT Maximum Rate(ms) Action Alarm

----------------------------------------------------------------------------
GE1/0/1 - - 100 - discard enable
----End
Configuration Files
#
sysname Switch
#
vlan batch 10 20
#
port trunk allow-pass vlan 10 20
mac-limit maximum 100
#
return
6.2 Link Aggregation Configuration
6.2.1 Precautions for Inter-Card Eth-Trunk Deployment

Interfaces on different cards on a modular switch may be added to an Eth-Trunk
to improve reliability. If cards with Eth-Trunk specification extension are involved in
an inter-card Eth-Trunk, the following requirements apply to the hash mode of the
cards:
● If an Eth-Trunk is configured between cards with and without Eth-Trunk
specification extension, the cards with Eth-Trunk specification extension must
work in normal mode.
● If an Eth-Trunk is configured between cards with Eth-Trunk specification
extension, the hash mode of the cards must be the same.
Cards are classified into cards with and without Eth-Trunk specification extension,
as described in Table 6-1.

Table 6-1 Card series and Eth-Trunk specification extension

Eth-Trunk Specification Extension Card Series
Extensible EE series
FC series
SC series
X series
LE1D2S04SEC0, LE1D2X32SEC0,
LE1D2H02QEC0, and LE2D2X48SEC0 in
the EC series
Non-extensible BC series
EA series
ED series
FA series
SA series
EC1series
EA1series
EC series (excluding the LE1D2S04SEC0,
LE1D2X32SEC0, LE1D2H02QEC0, and
LE2D2X48SEC0)
Precautions for an Inter-Card Eth-Trunk Without Eth-Trunk Specification

Extension
● Upgrade
After a version earlier than V200R010C00 is upgraded to V200R010C00 or a
later version, the card hash mode is as follows:
– If the configuration is not saved before the card is started or installed, the
installed FC series, SC series, EE series, or LE2D2X48SEC0 card works in
advanced mode and the corresponding configuration is generated.
– If the configuration is saved before the card is started or installed, the
normal mode.
After the S9300X-4, S9300X-8, and S9300X-12 is upgraded from a version
earlier than V200R019C00SPC300 to V200R019C00SPC300 or a later version:
– If the hash mode of a card is not configured before the upgrade and the
card registers with the switch before configurations are saved after the
upgrade, the hash mode of the card is normal and the corresponding
configuration information is generated.
card registers with the switch after the upgrade and after configurations
are saved, the hash mode of the card is advanced and the corresponding
configuration information is not generated.

– If the hash mode of a card is set to advanced before the upgrade, the
hash mode of the card remains advanced after the upgrade and no
● Card replacement
Table 6-2 lists the hash modes of cards in a slot before and after card
replacement.
Table 6-2 Hash modes of cards in a slot before and after card replacement
Replaced Card Hash Mode New Card Hash
of the Mode of
Replaced the
Card New
Card
Card with Eth-Trunk advanced Card with Eth-Trunk advance

specification extension specification extension d
Card with Eth-Trunk advanced Card without Eth-Trunk N/A

specification extension specification extension
Card with Eth-Trunk normal Card with Eth-Trunk normal

Card with Eth-Trunk normal Card without Eth-Trunk N/A

Card without Eth-Trunk N/A Card with Eth-Trunk normal

● Card removal
When the card with Eth-Trunk specification extension in advanced mode is
removed, the configuration of the hash mode is reserved in the system. You
can run the undo eth-trunk load-balance hash-mode command to clear the
configuration of the hash mode.
● Other
– When interfaces on the card with Eth-Trunk specification extension form
an inter-card Eth-Trunk with interfaces on other cards, the hash mode of
the card with Eth-Trunk specification extension cannot be changed. To
change the hash mode of the card with Eth-Trunk specification extension,
first delete the inter-card Eth-Trunk member interfaces of the card with
Eth-Trunk specification extension from the inter-card Eth-Trunk.
– When interfaces on the FC series, SC series, EE series, or LE2D2X48SEC0
card, card without Eth-Trunk specification extension, and LE1D2S04SEC0,
LE1D2X32SEC0, LE1D2H02QEC0, or X series card working in normal
mode form an inter-card Eth-Trunk, first run the unknown-unicast load-
balance command to set the load balancing mode of unknown unicast
packets to lbid. After the inter-card Eth-Trunk is created, the load
balancing mode of unknown unicast packets cannot be changed.
– If interfaces on the card with Eth-Trunk specification extension in normal
mode or card without Eth-Trunk specification extension are added to the
same Eth-Trunk with interfaces on the card with Eth-Trunk specification

extension in advanced mode, load balancing of the Eth-Trunk is uneven,

packet loss or excess packets may occur for non-known unicast traffic,
and the alarm IFPDT_1.3.6.1.4.1.2011.5.25.157.2.211
hwNotSameBoardInTrunk is triggered.
Precautions for an Inter-Card Eth-Trunk with Eth-Trunk Specification

Extension
● Upgrade
After a version earlier than V200R010C00 is upgraded to V200R010C00 or a
later version, the card hash mode is as follows:
– If the configuration is not saved before the card is started or installed, the
advanced mode and the corresponding configuration is generated.
– If the configuration is saved before the card is started or installed, the
normal mode.
After the S9300X-4, S9300X-8, and S9300X-12 is upgraded from a version
earlier than V200R019C00SPC300 to V200R019C00SPC300 or a later version:
card registers with the switch before configurations are saved after the
upgrade, the hash mode of the card is normal and the corresponding
card registers with the switch after the upgrade and after configurations
are saved, the hash mode of the card is advanced and the corresponding
configuration information is not generated.
– If the hash mode of a card is set to advanced before the upgrade, the
hash mode of the card remains advanced after the upgrade and no
● Configuration effectiveness
– When the assign trunk command is used to change Eth-Trunk
specifications on a switch of V200R003, V200R005, or V200R006, you
need to restart the switch to make the configuration take effect.
– When the assign trunk command is used to change Eth-Trunk
specifications on a switch of V200R007 or later, you need to save the
configuration and restart the switch to make the configuration take
effect.
● Configuration ineffectiveness
If you use the assign trunk command to modify Eth-Trunk specifications, the
existing Eth-Trunk configuration will be invalid or lost. Exercise caution when
you run this command.
– When the configured Eth-Trunk specifications are reduced and the Eth-
Trunks that exceed the specifications are configured, the configuration of
excess Eth-Trunks is invalid.
– When the configured value of group-number is larger than 128 or the
configured value of member-number is larger than 16, the switch can
only use the enhanced mode to load balance known unicast packets. The
common mode is invalid for the known unicast packets.

● Load balancing
– When interfaces on the FC series, SC series, EE series, or LE2D2X48SEC0
card, card without Eth-Trunk specification extension, and LE1D2S04SEC0,
LE1D2X32SEC0, LE1D2H02QEC0, or X series card working in normal
mode form an inter-card Eth-Trunk, first run the unknown-unicast load-
balance command to set the load balancing mode of unknown unicast
packets to lbid. After the inter-card Eth-Trunk is created, the load
balancing mode of unknown unicast packets cannot be changed.
– If incoming traffic enters the Eth-Trunk on the card without Eth-Trunk
specification extension, outgoing traffic goes out of the card with Eth-
Trunk specification extension, and the Eth-Trunk on the card with Eth-
Trunk specification extension has more than eight member interfaces,
traffic may be unevenly load balanced on the Eth-Trunk of the card with
Eth-Trunk specification extension and known unicast traffic can be only
sent out from the eight Eth-Trunk member interfaces.
– If interfaces on the card with Eth-Trunk specification extension in normal
mode or card without Eth-Trunk specification extension are added to the
same Eth-Trunk with interfaces on the card with Eth-Trunk specification
extension in advanced mode, load balancing of the Eth-Trunk is uneven
and the alarm IFPDT_1.3.6.1.4.1.2011.5.25.157.2.211
hwNotSameBoardInTrunk is triggered.
● Card installation
On the switches except the S9300X-4, S9300X-8, and S9300X-12, if only cards
with Eth-Trunk specification extension are installed on a switch and the
configuration specified by the assign trunk command takes effect, the hash
mode of cards that are installed later is as follows:
– Card with Eth-Trunk specification extension: If the Eth-Trunk index is
larger than 127, cards with Eth-Trunk specification extension work in
advanced mode, and the corresponding configuration is generated. If the
Eth-Trunk index does not exceed 127, cards with Eth-Trunk specification
extension work in normal mode.
– Card without Eth-Trunk specification extension: The Eth-Trunk index
cannot exceed 127. However, if the Eth-Trunk index exceeds 127, the card
without Eth-Trunk specification extension fails to be registered, and the
L2IFPPI_1.3.6.1.4.1.2011.5.25.219.2.2.13_hwBoardPowerOff alarm is
triggered. If the Eth-Trunk index does not exceed 127 but the value of
member-number is larger than 8, the
IFPDT_1.3.6.1.4.1.2011.5.25.157.2.247_hwBoardNotSupportAssignTrunk
alarm is triggered.
NOTE
The index is the internal number that the switch allocates to each Eth-Trunk, and
is different from the Eth-Trunk ID. If the configured number of Eth-Trunks
supported by the switch is larger than 128 and many Eth-Trunks are created on
the switch, the index larger than 127 may be occupied. The card without Eth-
Trunk specification extension can only use the index of 127 or smaller, the system
checks the index and limits its registration. If the non-registered card without
Eth-Trunk specification extension is reserved, this card cannot be registered even
if the switch restarts.
– You can run the display reset-reason command to check the registration
failure cause. The system displays the message "This LPU only supports
the trunks with index 127 or smaller than 127.". If the card without Eth-

Trunk specification extension must be used, you must delete the Eth-
Trunk with the index larger than 127.
● Card replacement
Table 6-3 lists the hash modes of cards in a slot before and after card
replacement.
Table 6-3 Hash modes of cards in a slot before and after card replacement
Replaced Card Hash New Card Hash
Mode of Mode of
the the
Replaced New
Card Card
Card with Eth-Trunk advanced Card with Eth-Trunk advance

specification extension specification extension d
Card with Eth-Trunk advanced Card without Eth-Trunk N/A

Card with Eth-Trunk normal Card with Eth-Trunk normal

Card with Eth-Trunk normal Card without Eth-Trunk N/A

Card without Eth-Trunk N/A Card with Eth-Trunk normal

● Card removal
When the card with Eth-Trunk specification extension in advanced mode is
removed, the configuration of the hash mode is reserved in the system. You
can run the undo eth-trunk load-balance hash-mode command to clear the
configuration of the hash mode.
● Other
– When interfaces on the card with Eth-Trunk specification extension form
an inter-card Eth-Trunk with interfaces on other cards, the hash mode of
the card with Eth-Trunk specification extension cannot be changed. To
change the hash mode of the card with Eth-Trunk specification extension,
first delete the inter-card Eth-Trunk member interfaces of the card with
Eth-Trunk specification extension from the inter-card Eth-Trunk.
– The card without Eth-Trunk specification extension and the card with Eth-
Trunk specification extension working in normal mode do not support
Eth-Trunk specification extensions. If the switch that is configured with
Eth-Trunk specification extensions is equipped with these cards, a
maximum of eight Eth-Trunk member interfaces are allowed on these
cards.

6.2.2 Example for Configuring Link Aggregation in Manual

Mode When Switches Are Directly Connected
Overview
Ethernet link aggregation increases link bandwidth by bundling multiple physical
links to form a logical link. Link aggregation can work in manual mode or Link
Aggregation Control Protocol (LACP) mode.
In manual mode, you must manually create an Eth-Trunk and add member
interfaces to the Eth-Trunk. In this mode, LACP is not required. If a high link
bandwidth between two directly connected devices is required but the remote
device does not support LACP, you can use the manual mode. The manual mode
can increase bandwidth, enhance reliability, and implement load balancing.
In manual mode, all active links forward data and load balance traffic.
Configuration Notes
● Member interfaces of an Eth-Trunk must use the same Ethernet type and rate.
● Both devices of the Eth-Trunk must use the same number of physical
interfaces, interface rate, duplex mode, and flow control mode.
● If an interface of the local device is added to an Eth-Trunk, an interface of the
remote device directly connected to the interface of the local device must also
be added to an Eth-Trunk. Otherwise, the two ends cannot communicate.
● Both devices of an Eth-Trunk must use the same link aggregation mode.
In Figure 6-5, SwitchA and SwitchB connect to devices in VLAN 10 and VLAN 20
through Ethernet links, and heavy traffic is transmitted between SwitchA and
SwitchB.
SwitchA and SwitchB can provide higher link bandwidth to implement inter-VLAN
communication. Data transmission and link reliability need to be ensured.
Figure 6-5 Networking for configuring link aggregation in manual mode

1. Create an Eth-Trunk and add member interfaces to the Eth-Trunk to increase

link bandwidth.
2. Create VLANs and add interfaces to the VLANs.
3. Set the load balancing mode to ensure that traffic is load balanced between
member interfaces of the Eth-Trunk and enhance reliability.
Procedure
Step 1 Create an Eth-Trunk on SwitchA and SwitchB and add member interfaces to the
Eth-Trunk.
[Quidway] sysname SwitchA
[SwitchA] interface eth-trunk 1 //Create Eth-Trunk 1.
[SwitchA-Eth-Trunk1] trunkport gigabitethernet 1/0/1 to 1/0/3 //Add GE1/0/1, GE1/0/2, and GE1/0/3 to
Eth-Trunk 1.
[SwitchA-Eth-Trunk1] quit
[Quidway] sysname SwitchB
[SwitchB] interface eth-trunk 1 //Create Eth-Trunk 1.
[SwitchB-Eth-Trunk1] trunkport gigabitethernet 1/0/1 to 1/0/3 //Add GE1/0/1, GE1/0/2, and GE1/0/3 to
Eth-Trunk 1.
[SwitchB-Eth-Trunk1] quit
Step 2 Create VLANs and add interfaces to the VLANs.
# Create VLAN 10 and VLAN 20 and add interfaces to them. The configuration of
SwitchB is similar to the configuration of SwitchA, and is not mentioned here.
[SwitchA] vlan batch 10 20
[SwitchA] interface gigabitethernet 1/0/4
[SwitchA-GigabitEthernet1/0/4] port link-type trunk //Configure the interface as a trunk interface. The
default link type of an interface is not trunk.
[SwitchA-GigabitEthernet1/0/4] port trunk allow-pass vlan 10
[SwitchA-GigabitEthernet1/0/4] quit
# Configure Eth-Trunk 1 to allow packets from VLAN 10 and VLAN 20 to pass

through. The configuration of SwitchB is similar to the configuration of SwitchA,
and is not mentioned here.
[SwitchA] interface eth-trunk 1
[SwitchA-Eth-Trunk1] port link-type trunk //Configure the interface as a trunk interface. The default link
type of an interface is not trunk.
[SwitchA-Eth-Trunk1] port trunk allow-pass vlan 10 20
Step 3 Set the load balancing mode of Eth-Trunk 1. The configuration of SwitchB is
similar to the configuration of SwitchA, and is not mentioned here.
[SwitchA-Eth-Trunk1] load-balance src-dst-mac //Configure load balancing based on the source and
destination MAC addresses on Eth-Trunk 1.

Run the display eth-trunk 1 command in any view to check whether the Eth-
Trunk is created and whether member interfaces are added.
[SwitchA] display eth-trunk 1
Eth-Trunk1's state information is:
WorkingMode: NORMAL Hash arithmetic: According to SA-XOR-DA
Least Active-linknumber: 1 Max Bandwidth-affected-linknumber: 8
Operate status: up Number Of Up Port In Trunk: 3
--------------------------------------------------------------------------------
PortName Status Weight
GigabitEthernet1/0/1 Up 1
The preceding information shows that Eth-Trunk 1 contains three member

interfaces: GigabitEthernet1/0/1, GigabitEthernet1/0/2, and GigabitEthernet1/0/3.
The member interface status is Up and the value of Operate status of Eth-Trunk 1
is up.
----End
Configuration Files
● SwitchA configuration file
#
sysname SwitchA
#
vlan batch 10 20
#
interface Eth-Trunk1
load-balance src-dst-mac
#
eth-trunk 1
#
eth-trunk 1
#
eth-trunk 1
#
#
#
return
● SwitchB configuration file
#
sysname SwitchB
#
vlan batch 10 20
#
load-balance src-dst-mac
#
eth-trunk 1
#

eth-trunk 1
#
eth-trunk 1
#
#
#
return
6.2.3 Example for Configuring Link Aggregation in LACP Mode

When Switches Are Directly Connected
Overview
Ethernet link aggregation increases link bandwidth by bundling multiple physical
links to form a logical link. Link aggregation can work in manual mode or Link
Aggregation Control Protocol (LACP) mode.
If a high link bandwidth between two directly connected devices is required and
devices support LACP, the LACP mode is recommended. The LACP mode increases
bandwidth, improves reliability, implements load balancing, enhances Eth-Trunk
fault tolerance, and provides backup.
In LACP mode, some links are active links and other links are backup links. All the
active links participate in data forwarding. If an active link becomes faulty, a
backup link is selected to replace the faulty link. That is, the number of links
participating in data forwarding remains unchanged.
Configuration Notes
● Member interfaces of an Eth-Trunk must use the same Ethernet type and rate.
● Both devices of the Eth-Trunk must use the same number of physical
interfaces, interface rate, duplex mode, and flow control mode.
● If an interface of the local device is added to an Eth-Trunk, an interface of the
remote device directly connected to the interface of the local device must also
be added to an Eth-Trunk. Otherwise, the two ends cannot communicate.
● Both devices of an Eth-Trunk must use the same link aggregation mode.
In Figure 6-6, SwitchA and SwitchB connect to devices in VLAN 10 and VLAN 20
through Ethernet links, and heavy traffic is transmitted between SwitchA and
SwitchB. The link between SwitchA and SwitchB is required to provide high
bandwidth to implement inter-VLAN communication. Link aggregation in LACP
mode is configured on SwitchA and SwitchB to improve the bandwidth and
reliability. The following requirements must be met:

● Two active links implement load balancing.

● One link functions as the backup link. When a fault occurs on an active link,
the backup link replaces the faulty link to maintain reliable data transmission.
● Devices in the same VLAN can communicate.
Figure 6-6 Networking diagram for configuring link aggregation in LACP mode
1. Create an Eth-Trunk and configure the Eth-Trunk to work in LACP mode to
implement link aggregation.
2. Add member interfaces to the Eth-Trunk.
3. Set the LACP system priority and determine the Actor so that the Partner
selects active interfaces based on the Actor interface priority.
4. Set the upper threshold for the number of active interfaces to improve
reliability.
5. Set LACP interface priorities and determine active interfaces so that interfaces
with higher priorities are selected as active interfaces.
6. Create VLANs and add interfaces to the VLANs.
Procedure
Step 1 Create Eth-Trunk 1 on SwitchA and configure Eth-Trunk 1 to work in LACP mode.
The configuration of SwitchB is similar to that of SwitchA, and is not mentioned
here.
[SwitchA] interface eth-trunk 1 //Create Eth-Trunk 1.
[SwitchA-Eth-Trunk1] mode lacp //Configure link aggregation in LACP mode.
Step 2 Add member interfaces to Eth-Trunk 1 on SwitchA. The configuration of SwitchB is

similar to that of SwitchA, and is not mentioned here.


[SwitchA-GigabitEthernet1/0/1] eth-trunk 1 //Add GE1/0/1 to Eth-Trunk 1.
Step 3 Set the LACP system priority of SwitchA to 100 so that SwitchA becomes the Actor.
[SwitchA] lacp priority 100 //The default LACP system priority is 32768. Change the LACP priority of
SwitchA to be higher than that of SwitchB so that SwitchA functions as the Actor.
Step 4 On SwitchA, set the upper threshold for the number of active interfaces to 2.
[SwitchA-Eth-Trunk1] max active-linknumber 2 //The default upper threshold for the number of active
interfaces in the LAG is 8. Change the upper threshold for the number of active interfaces to 2.
Step 5 Set the LACP system priority and determine active links on SwitchA.
[SwitchA-GigabitEthernet1/0/1] lacp priority 100 //The default LACP interface priority is 32768. Change
the LACP priority of GE1/0/1 to 100 so that GE1/0/1 serves as the active interface.
[SwitchA-GigabitEthernet1/0/2] lacp priority 100 //The default LACP interface priority is 32768. Change
the LACP priority of GE1/0/2 to 100 so that GE1/0/2 serves as the active interface.
Step 6 Create VLANs and add interfaces to the VLANs.

# Create VLAN 10 and VLAN 20 and add interfaces to them. The configuration of
# Configure Eth-Trunk 1 to allow packets from VLAN 10 and VLAN 20 to pass

through. The configuration of SwitchB is similar to the configuration of SwitchA,
and is not mentioned here.
[SwitchA-Eth-Trunk1] port link-type trunk //Configure the interface as a trunk interface. The default link
type of an interface is not trunk.
[SwitchA-Eth-Trunk1] port trunk allow-pass vlan 10 20

# Check information about the Eth-Trunk on each Switch and check whether link
negotiation is successful.
[SwitchA] display eth-trunk 1
Local:
LAG ID: 1 WorkingMode: LACP
Preempt Delay: Disabled Hash arithmetic: According to SIP-XOR-DIP

System Priority: 100 System ID: 00e0-fca8-0417

Least Active-linknumber: 1 Max Active-linknumber: 2
--------------------------------------------------------------------------------
ActorPortName Status PortType PortPri PortNo PortKey PortState Weight
GigabitEthernet1/0/1 Selected 1GE 100 6145 2865 11111100 1
GigabitEthernet1/0/3 Unselect 1GE 32768 6147 2865 11100000 1
Partner:
--------------------------------------------------------------------------------
ActorPortName SysPri SystemID PortPri PortNo PortKey PortState
GigabitEthernet1/0/1 32768 00e0-fca6-7f85 32768 6145 2609 11111100
[SwitchB] display eth-trunk 1
Local:
LAG ID: 1 WorkingMode: LACP
Preempt Delay: Disabled Hash arithmetic: According to SIP-XOR-DIP
System Priority: 32768 System ID: 00e0-fca6-7f85
Least Active-linknumber: 1 Max Active-linknumber: 8
--------------------------------------------------------------------------------
ActorPortName Status PortType PortPri PortNo PortKey PortState Weight
GigabitEthernet1/0/3 Unselect 1GE 32768 6147 2609 11110000 1
Partner:
--------------------------------------------------------------------------------
ActorPortName SysPri SystemID PortPri PortNo PortKey PortState
GigabitEthernet1/0/1 100 00e0-fca8-0417 100 6145 2865 11111100
The preceding information shows that the LACP system priority of SwitchA is 100
and is higher than the LACP system priority of SwitchB. GigabitEthernet1/0/1 and
GigabitEthernet1/0/2 are active interfaces and are in Selected state.
GigabitEthernet1/0/3 is in Unselect state. In addition, load balancing and
redundancy are implemented.
----End
Configuration Files
#
sysname SwitchA
#
vlan batch 10 20
#
lacp priority 100
#
mode lacp
max active-linknumber 2
#
eth-trunk 1
lacp priority 100
#
eth-trunk 1
lacp priority 100

#
eth-trunk 1
#
#
#
return

#
sysname SwitchB
#
vlan batch 10 20
#
mode lacp
#
eth-trunk 1
#
eth-trunk 1
#
eth-trunk 1
#
#
#
return
6.2.4 Example for Connecting an E-Trunk to a VPLS Network
Overview
Enhanced Trunk (E-Trunk) is an extension to LACP (a link aggregation protocol for
a single device) and implements link aggregation among multiple devices. E-Trunk
achieves device-level link reliability but not card-level link reliability.
When a CE is dual-homed to a VPLS, VLL, or PWE3 network, an E-Trunk can be

configured to protect the links between the CE and PEs and implement backup
between PEs. If no E-Trunk is configured, a CE can be connected to only one PE
using an Eth-Trunk. If the Eth-Trunk or the PE fails, the CE cannot communicate
with the PE. After the E-Trunk is used, the CE can be dual-homed to two PEs to
implement backup.
Configuration Notes
● Devices must use link aggregation in LACP mode.

● In Figure 6-7, the E-Trunk configuration on PE1 and PE2 must be the same.
The Eth-Trunks between PE1 and CE1 and between PE2 and CE1 must use the
same rate and duplex mode (key values must be the same) and join the same
E-Trunk. After the Eth-Trunks are added to the E-Trunk, ensure that the LACP
priorities and system IDs of PE1 and PE2 are the same. On CE1, interfaces
directly connected to PE1 and PE2 must be added to the same Eth-Trunk. The
Eth-Trunk can have a different Eth-Trunk ID from that on the PEs. For
example, the CE is configured with Eth-Trunk 20, while both PEs are
configured with Eth-Trunk 10.
● You must specify an IP address (loopback address recommended) for each PE
to ensure Layer 3 connectivity. Ensure that the peer IP address of a PE is the
local IP address of the other PE.
● The E-Trunk must be bound to a BFD session.
● You must set the same protocol packet password for PE1 and PE2.
● This example applies to the following products:
– S5300-HI, S5310-EI, S5320-EI, S5320-HI, S5330-HI, S5331-S, S5331-H,
S5332-H
– S6300-EI, S6320-EI, S6320-HI, S6330-H
– S9303, S9306, S9312, S9310
– S9310X, S9300X-4, S9300X-8, S9300X-12
– S9303E, S9306E, S9312E
● For the product models whose applicable versions are not listed above, see
Table 1-1 in "Applicable Products and Versions" for details.
NOTE
For details about software mappings, visit Hardware Center and select the desired
product model.
If no E-Trunk is configured, a CE can be connected to only one PE using an Eth-
Trunk. If the Eth-Trunk or the PE fails, the CE cannot communicate with the PE.
After an E-Trunk is configured, the CE can be dual-homed to PEs. E-Trunk achieves
device-level link reliability but not card-level link reliability.
In Figure 6-7, CE1 is connected to PE1 and PE2 using two Eth-Trunks in LACP
mode and is dual-homed to a VPLS network.
Initially, CE1 communicates with CE2 on the VPLS network through PE1. If PE1 or
the Eth-Trunk between CE1 and PE1 fails, CE1 cannot communicate with CE2. To
prevent service interruption, configure an E-Trunk on PE1 and PE2. When
communication between CE1 and PE1 fails, traffic is switched to PE2 so that CE1
can communicate with CE2 through PE2. When PE1 or the Eth-Trunk between CE1
and PE1 recovers, traffic is switched back to PE1.
The E-Trunk implements backup of link aggregation groups (LAGs) between PE1
and PE2 and therefore improves network reliability.

Figure 6-7 Connecting an E-Trunk to a VPLS network
Switch Interface Layer 3 Interface IP Address
PE1 GigabitEthernet1/0 - -
/1
- GigabitEthernet1/0 - -
/2
- GigabitEthernet1/0 VLANIF 100 10.1.1.1/24

/3
- Loopback1 - 1.1.1.9/32
PE2 GigabitEthernet1/0 - -
/1
/2

/3
- Loopback1 - 2.2.2.9/32
PE3 GigabitEthernet1/0 VLANIF 100 10.1.1.2/24

/1

Switch Interface Layer 3 Interface IP Address

/2
- GigabitEthernet1/0 GigabitEthernet1/0 -
/3 /3.1
- Loopback1 - 3.3.3.9/32
CE1 GigabitEthernet1/0 - -
/1
/2
/3
/4
CE2 GigabitEthernet1/0 - -
/3
1. Configure an E-Trunk.
– Create Eth-Trunks in LACP mode between CE1 and PE1 and between CE1
and PE2. Add member interfaces to the Eth-Trunks.
– Create an E-Trunk on PE1 and PE2 and add the two Eth-Trunks in LACP
mode to the E-Trunk.
– Set E-Trunk parameters:
▪ E-Trunk priority
▪ LACP system ID and LACP priority of the E-Trunk
▪ Interval at which Hello packets are sent
▪ Time multiplier for detecting Hello packets
▪ IP addresses of the local and remote ends

– Bind the E-Trunk to a BFD session.
2. Configure CE1 to connect to the VPLS network as follows:
– Configure a routing protocol on the backbone network to implement the
interworking between devices.

– Configure basic MPLS functions and LDP.

– Enable MPLS L2VPN on PEs.
– Configure a VSI and specify LDP as the signaling protocol.
– Create Eth-Trunk sub-interfaces and bind the VSI to the sub-interfaces.
Procedure
Step 1 Configure VLANs and IP addresses on the PW-side interfaces according to Figure
6-7. Configure a routing protocol on the backbone network to implement the
interworking between devices. OSPF is used in this example.
# Configure aggregation switch PE1.

[Quidway] sysname PE1
[PE1] vlan batch 100
[PE1] interface gigabitethernet 1/0/3
[PE1-GigabitEthernet1/0/3] port link-type trunk
[PE1-GigabitEthernet1/0/3] port trunk allow-pass vlan 100
[PE1-GigabitEthernet1/0/3] quit
[PE1] interface vlanif 100
[PE1-Vlanif100] ip address 10.1.1.1 24
[PE1-Vlanif100] quit
[PE1] interface loopback 1
[PE1-LoopBack1] ip address 1.1.1.9 32
[PE1-LoopBack1] quit
[PE1] ospf 1
[PE1-ospf-1] area 0
[PE1-ospf-1-area-0.0.0.0] network 1.1.1.9 0.0.0.0
[PE1-ospf-1-area-0.0.0.0] quit
[PE1-ospf-1] quit

[PE2] vlan batch 200
[PE2] ospf 1
[PE2-ospf-1] area 0
[PE2-ospf-1] quit

[PE3] vlan batch 100 200


[PE3] ospf 1
[PE3-ospf-1] area 0
[PE3-ospf-1] quit
After the configuration is complete, PE1, PE2, and PE3 use OSPF to discover IP
routes to each other's Loopback1 interface, and can ping one another. Run the
display ip routing-table command on PE1, PE2, and PE3 to determine whether
the PEs have learned the routes to one another.
NOTE
● The AC-side interface and PW-side interface of a PE cannot be added to the same VLAN;
otherwise, a loop may occur.
● When configuring OSPF, configure PE1, PE2, and PE3 to advertise 32-bit loopback
addresses.
Step 2 Configure Eth-Trunks in LACP mode on user-side switch CE1, PE1, and PE2, and
add member interfaces to the Eth-Trunks. Configure Layer 2 forwarding on CE1.
# Configure CE1.
[Quidway] sysname CE1
[CE1] vlan batch 10
[CE1] interface eth-trunk 20 //Create Eth-Trunk 20 and enter the view of Eth-Trunk 20.
[CE1-Eth-Trunk20] port link-type trunk //Set the link type of the interface to trunk.
[CE1-Eth-Trunk20] port trunk allow-pass vlan 10 //Add Eth-Trunk 20 to VLAN 10.
[CE1-Eth-Trunk20] mode lacp //Configure Eth-Trunk 20 to work in LACP mode.
[CE1-Eth-Trunk20] trunkport GigabitEthernet 1/0/1 to 1/0/4 //Add GE1/0/1 to GE1/0/4 to Eth-Trunk20.
[CE1-Eth-Trunk20] quit
# Configure PE1.
[PE1] interface eth-trunk 10 //Create Eth-Trunk 10 and enter the view of Eth-Trunk 10.
[PE1-Eth-Trunk10] port link-type trunk //Set the link type of the interface to trunk.
[PE1-Eth-Trunk10] mode lacp //Configure Eth-Trunk 10 to work in LACP mode.
[PE1-Eth-Trunk10] trunkport GigabitEthernet 1/0/1 to 1/0/2 //Add GE1/0/1 and GE1/0/2 to Eth-Trunk10.
[PE1-Eth-Trunk10] quit
# Configure PE2.
[PE2] interface eth-trunk 10 //Create Eth-Trunk 10 and enter the view of Eth-Trunk 10.
[PE2-Eth-Trunk10] port link-type trunk //Set the link type of the interface to trunk.
[PE2-Eth-Trunk10] mode lacp //Configure Eth-Trunk 10 to work in LACP mode.
[PE2-Eth-Trunk10] trunkport GigabitEthernet 1/0/1 to 1/0/2 //Add GE1/0/1 and GE1/0/2 to Eth-Trunk10.
Step 3 Create an E-Trunk and set the LACP priority, LACP system ID, E-Trunk priority, time
multiplier for detecting hello packets, interval at which hello packets are sent, and
local and remote IP addresses.

# Configure PE1.
[PE1] e-trunk 1 //Create E-Trunk 1 and enter the view of E-Trunk 1.
[PE1-e-trunk-1] quit
[PE1] lacp e-trunk priority 1 //Set the LACP priority of E-Trunk 1 to 1.
[PE1] lacp e-trunk system-id 00e0-fc12-3450 //Set the LACP system ID of E-Trunk 1 to 00e0-fc12-3450.
[PE1] e-trunk 1 //Enter the view of E-Trunk 1.
[PE1-e-trunk-1] priority 10 //Set the priority of E-Trunk 1 to 10.
[PE1-e-trunk-1] timer hold-on-failure multiplier 3 //Set the time multiplier for detecting hello packets to
3.
[PE1-e-trunk-1] timer hello 9 //Set the interval at which hello packets are sent to 9 ms.
[PE1-e-trunk-1] peer-address 2.2.2.9 source-address 1.1.1.9 //Set the remote IP address to 2.2.2.9 and
local IP address to 1.1.1.9.
# Configure PE2.
[PE2] e-trunk 1 //Create E-Trunk 1 and enter the view of E-Trunk 1.
[PE2] lacp e-trunk priority 1 //Set the LACP priority of E-Trunk 1 to 1.
[PE2] lacp e-trunk system-id 00e0-fc12-3450 //Set the LACP system ID of E-Trunk 1 to 00e0-fc12-3450.
[PE2-e-trunk-1] priority 20 //Set the priority of E-Trunk 1 to 20.
[PE2-e-trunk-1] timer hold-on-failure multiplier 3 //Set the time multiplier for detecting hello packets to
3.
[PE2-e-trunk-1] timer hello 9 //Set the interval at which hello packets are sent to 9 ms.
[PE2-e-trunk-1] peer-address 1.1.1.9 source-address 2.2.2.9 //Set the remote IP address to 1.1.1.9 and
local IP address to 2.2.2.9.
Step 4 Add the Eth-Trunks in LACP mode to the E-Trunk.

# Configure PE1.
[PE1] interface eth-trunk 10 //Enter the view of Eth-Trunk 10.
[PE1-Eth-Trunk10] e-trunk 1 //Add Eth-Trunk 10 to E-Trunk 1.
# Configure PE2.
[PE2] interface eth-trunk 10 //Enter the view of Eth-Trunk 10.
[PE2-Eth-Trunk10] e-trunk 1 //Add Eth-Trunk 10 to E-Trunk 1.
Step 5 Bind the E-Trunk to a BFD session.

● Create a BFD session.
# Configure PE1.
[PE1] bfd //Enable BFD.
[PE1-bfd] quit
[PE1] bfd hello1 bind peer-ip 2.2.2.9 source-ip 1.1.1.9 //Create a BFD session named hello1 and
bind the BFD session to remote IP address 2.2.2.9 and local IP address 1.1.1.9.
[PE1-bfd-session-hello1] discriminator local 1 //Set the local discriminator to 1.
[PE1-bfd-session-hello1] discriminator remote 2 //Set the remote discriminator to 2.
[PE1-bfd-session-hello1] commit //Commit the BFD session configuration.
[PE1-bfd-session-hello1] quit
The IP addresses of the local and remote ends of a BFD session must be the
same as those of the E-Trunk.
# Configure PE2.
[PE2] bfd
[PE2-bfd] quit
[PE2] bfd hello2 bind peer-ip 1.1.1.9 source-ip 2.2.2.9 //Create a BFD session named hello2 and
bind the BFD session to remote IP address 1.1.1.9 and local IP address 2.2.2.9.
[PE2-bfd-session-hello2] discriminator local 2 //Set the local discriminator to 2.
[PE2-bfd-session-hello2] discriminator remote 1 //Set the remote discriminator to 1.
[PE2-bfd-session-hello2] commit //Commit the BFD session configuration.
[PE2-bfd-session-hello2] quit

● Bind E-Trunk 1 to the BFD session.

# Configure PE1.
[PE1-e-trunk-1] e-trunk track bfd-session session-name hello1 //Bind E-Trunk 1 to the BFD session
hello1.
# Configure PE2.
[PE2-e-trunk-1] e-trunk track bfd-session session-name hello2 //Bind E-Trunk 1 to the BFD session
hello2.
Step 6 Configure PEs so that CE1 can access the VPLS network.
1. Configure basic MPLS functions and LDP on PE1, PE2, and PE3.
# Configure PE1.
[PE1] mpls lsr-id 1.1.1.9 //Set the LSR ID to 1.1.1.9.
[PE1] mpls //Enable global MPLS.
[PE1-mpls] quit
[PE1] mpls ldp //Enable global LDP.
[PE1-mpls-ldp] quit
[PE1-Vlanif100] mpls //Enable MPLS on an interface.
[PE1-Vlanif100] mpls ldp //Enable LDP on an interface.
# Configure PE2.
[PE2-mpls] quit
[PE2-mpls-ldp] quit
# Configure PE3.
[PE3-mpls] quit
[PE3-mpls-ldp] quit
After the configuration is complete, run the display mpls ldp session
command on PEs to determine whether the status of the remote LDP peer
relationship is Operational. This indicates that remote LDP sessions are set
up.
2. Enable MPLS L2VPN on PE1, PE2, and PE3.
# Configure PE1.
[PE1] mpls l2vpn //Enable global MPLS L2VPN.
[PE1-l2vpn] quit
# Configure PE2.
[PE2-l2vpn] quit

# Configure PE3.
[PE3-l2vpn] quit
3. Create a VSI ldp1 on PE1, PE2, and PE3 and specify LDP as the signaling
protocol in the VSI.
# Configure PE1.
[PE1] vsi ldp1 static //Create a VSI named ldp1 and configure static member discovery.
[PE1-vsi-ldp1] pwsignal ldp //Set the signaling mode to LDP.
[PE1-vsi-ldp1-ldp] vsi-id 2 //Set the ID of the VSI to 2.
[PE1-vsi-ldp1-ldp] peer 3.3.3.9 //Set the peer address of the VSI to 3.3.3.9.
[PE1-vsi-ldp1-ldp] quit
[PE1-vsi-ldp1] quit
# Configure PE2.
[PE2-vsi-ldp1] quit
# Configure PE3.
[PE3-vsi-ldp1] quit
4. Configure Eth-Trunk sub-interfaces on PE1 and PE2, and bind the VSI to the
Eth-Trunk sub-interfaces.
# Configure PE1.
[PE1] vcmp role silent
[PE1] interface Eth-Trunk 10.1 //Create Eth-Trunk 10.1 and enter the view of Eth-Trunk 10.1.
[PE1-Eth-Trunk10.1] dot1q termination vid 10 //Set the single VLAN ID for dot1q encapsulation on
Eth-Trunk 10.1 to VLAN 10.
[PE1-Eth-Trunk10.1] l2 binding vsi ldp1 //Bind Eth-Trunk 10.1 to the VSI ldp1.
[PE1-Eth-Trunk10.1] quit
# Configure PE2.
[PE2] interface Eth-Trunk 10.1 //Create Eth-Trunk 10.1 and enter the view of Eth-Trunk 10.1.
[PE2-Eth-Trunk10.1] dot1q termination vid 10 //Set the single VLAN ID for dot1q encapsulation on
Eth-Trunk 10.1 to VLAN 10.
[PE2-Eth-Trunk10.1] l2 binding vsi ldp1 //Bind Eth-Trunk 10.1 to the VSI ldp1.
[PE2-Eth-Trunk10.1] quit
5. Configure a sub-interface on PE3 and bind the VSI to the sub-interface.

# Configure PE3.
[PE3] interface gigabitethernet 1/0/3.1 //Create GE1/0/3.1 and enter the view of GE1/0/3.1.
[PE3-GigabitEthernet1/0/3.1] dot1q termination vid 10 //Set the single VLAN ID for dot1q
encapsulation on GE1/0/3.1 to VLAN 10.
[PE3-GigabitEthernet1/0/3.1] l2 binding vsi ldp1 //Bind GE1/0/3.1 to the VSI ldp1.
[PE3-GigabitEthernet1/0/3.1] quit

● Run the display eth-trunk command on CE1 to check the Eth-Trunk
configuration.
● Run the display e-trunk command to check information about the E-Trunk.
# Check information about E-Trunk 1 on PE1.

[PE1] display e-trunk 1

The E-Trunk information
E-TRUNK-ID : 1 Revert-Delay-Time (s) : 120
Priority : 10 System-ID : 00e0-fc12-3450
Peer-IP : 2.2.2.9 Source-IP : 1.1.1.9
State : Master Causation : PRI
Send-Period (100ms) : 9 Fail-Time (100ms) : 27
Receive : 41 Send : 42
RecDrop : 0 SndDrop : 0
Peer-Priority : 20 Peer-System-ID : 00e0-fc6c-6100
Peer-Fail-Time (100ms) : 27 BFD-Session : hello1
Description : -
Sequence : Enable
--------------------------------------------------------------------------------
The Member information
Type ID LocalPhyState Work-Mode State Causation Remote-ID
Eth-Trunk 10 Up auto Master ETRUNK_MASTER 10
# Check information about E-Trunk 1 on PE2.

[PE2] display e-trunk 1
The E-Trunk information
E-TRUNK-ID : 1 Revert-Delay-Time (s) : 120
Priority : 20 System-ID : 00e0-fc12-3450
Peer-IP : 1.1.1.9 Source-IP : 2.2.2.9
State : Backup Causation : PRI
Send-Period (100ms) : 9 Fail-Time (100ms) : 27
Receive : 43 Send : 42
RecDrop : 3 SndDrop : 0
Peer-Priority : 10 Peer-System-ID : 00e0-fc74-eb00
Peer-Fail-Time (100ms) : 27 BFD-Session : hello2
Description : -
Sequence : Enable
--------------------------------------------------------------------------------
The Member information
Type ID LocalPhyState Work-Mode State Causation Remote-ID
Eth-Trunk 10 Down auto Backup ETRUNK_BACKUP 10
The preceding information shows that the E-Trunk priority on PE1 is 10, and
the E-Trunk status is Master; the E-Trunk priority on PE2 is 20, and the E-
Trunk status is Backup. Device backup is implemented.
----End
Configuration Files
● CE1 configuration file
#
sysname CE1
#
vlan batch 10
#
mode lacp
#
eth-trunk 20
#
eth-trunk 20
#
eth-trunk 20
#
eth-trunk 20

#
return
● PE1 configuration file
#
sysname PE1
#
vcmp role silent
#
vlan batch 100
#
lacp e-trunk system-id 00e0-fc12-3450
lacp e-trunk priority 1
#
bfd
#
mpls lsr-id 1.1.1.9
mpls
#
mpls l2vpn
#
vsi ldp1 static
pwsignal ldp
vsi-id 2
peer 3.3.3.9
#
mpls ldp
#
interface Vlanif100
ip address 10.1.1.1 255.255.255.0
mpls
mpls ldp
#
e-trunk 1
priority 10
peer-address 2.2.2.9 source-address 1.1.1.9
timer hello 9
timer hold-on-failure multiplier 3
e-trunk track bfd-session session-name hello1
#
mode lacp
e-trunk 1
#
interface Eth-Trunk10.1
dot1q termination vid 10
l2 binding vsi ldp1
#
eth-trunk 10
#
eth-trunk 10
#
#
interface LoopBack1
ip address 1.1.1.9 255.255.255.255
#
bfd hello1 bind peer-ip 2.2.2.9 source-ip 1.1.1.9
discriminator local 1
discriminator remote 2
commit
#
ospf 1
area 0.0.0.0
network 1.1.1.9 0.0.0.0

network 10.1.1.0 0.0.0.255

#
return
#
sysname PE2
#
vcmp role silent
#
vlan batch 200
#
lacp e-trunk system-id 00e0-fc00-0000
lacp e-trunk priority 1
#
bfd
#
mpls lsr-id 2.2.2.9
mpls
#
mpls l2vpn
#
vsi ldp1 static
pwsignal ldp
vsi-id 2
peer 3.3.3.9
#
mpls ldp
#
interface Vlanif200
ip address 10.1.2.1 255.255.255.0
mpls
mpls ldp
#
e-trunk 1
priority 20
peer-address 1.1.1.9 source-address 2.2.2.9
timer hello 9
timer hold-on-failure multiplier 3
e-trunk track bfd-session session-name hello2
#
mode lacp
e-trunk 1
#
interface Eth-Trunk10.1
l2 binding vsi ldp1
#
eth-trunk 10
#
eth-trunk 10
#
#
interface LoopBack1
ip address 2.2.2.9 255.255.255.255
#
bfd hello2 bind peer-ip 1.1.1.9 source-ip 2.2.2.9
commit
#
ospf 1
area 0.0.0.0

network 2.2.2.9 0.0.0.0

network 10.1.2.0 0.0.0.255
#
return

#
sysname PE3
#
vcmp role silent
#
vlan batch 100 200
#
mpls lsr-id 3.3.3.9
mpls
#
mpls l2vpn
#
vsi ldp1 static
pwsignal ldp
vsi-id 2
peer 1.1.1.9
peer 2.2.2.9
#
mpls ldp
#
interface Vlanif100
ip address 10.1.1.2 255.255.255.0
mpls
mpls ldp
#
interface Vlanif200
ip address 10.1.2.2 255.255.255.0
mpls
mpls ldp
#
#
#
interface GigabitEthernet1/0/3.1
l2 binding vsi ldp1
#
interface LoopBack1
ip address 3.3.3.9 255.255.255.255
#
ospf 1
area 0.0.0.0
network 3.3.3.9 0.0.0.0
network 10.1.1.0 0.0.0.255
network 10.1.2.0 0.0.0.255
#
return
6.2.5 Example for Configuring an Eth-Trunk to Preferentially

Forward Local Traffic in a CSS or Stack
Overview
In a CSS or stack, an Eth-Trunk is configured as the outbound interface of traffic to
ensure reliable transmission. Member interfaces of the Eth-Trunk are located on

different chassis. When devices in the CSS or stack forward traffic, the Eth-Trunk
may select an inter-chassis member interface based on a hash algorithm. The
cable bandwidth between devices in the CSS or stack is limited, so inter-chassis
traffic forwarding occupies bandwidth resources between devices, lowering traffic
forwarding efficiency. To address this issue, you can enable an Eth-Trunk to
preferentially forward local traffic.
Configuration Notes
● If active interfaces of an Eth-Trunk on the local device have sufficient
bandwidth to forward traffic, you can configure the Eth-Trunk to preferentially
forward local traffic. This improves traffic forwarding efficiency and increases
bandwidth capacity between devices in the CSS.
● If active interfaces of an Eth-Trunk on the local device do not have sufficient
bandwidth to forward traffic, you can configure the Eth-Trunk not to
preferentially forward local traffic. In this case, some traffic on the local
device is forwarded through member interfaces of an Eth-Trunk on another
device, preventing packet loss.
● This example applies to the following products and versions:
– S2350-EI, S2320-EI, S5320-EI, S5320-SI, S5320-HI, S5320-LI, S5330-SI,
S5330-HI, S5331-S, S5331-H,
S5332-H: For the applicable versions, see TableTable 1-1.
– S6320-EI, S6320-SI, S6320-HI, S6330-H: For the applicable versions, see
TableTable 1-1.
– S5300-LI, S5310-EI, S5300-HI, S6300-EI: running V200R003C00 and later
versions.
– S5300-SI, S5300-EI: running V200R002C00 and later versions.
– S5335-L, S5335-S: V200R019C10 and later versions.
– S5335-L1: For the applicable versions, see TableTable 1-1.
– S9306, S9312, S9310: For the applicable versions, see TableTable 1-1.
– S9310X, S9300X-4, S9300X-8, S9300X-12: For the applicable versions, see
TableTable 1-1.
– S9306E, S9312E: For the applicable versions, see TableTable 1-1.
NOTE
product model.
On the network shown in Figure 6-8, CSS technology is used to increase the total
capacity of switches. Switch3 and Switch4 are connected through stack cables to
form a logical switch. To implement backup between switches and improve
reliability, physical interfaces on the two switches are added to an Eth-Trunk. In
normal situations, traffic from VLAN 2 and VLAN 3 is forwarded through GE1/0/1
and GE1/0/2 respectively. This increases bandwidth capacity between switches and
reduces traffic forwarding efficiency.

To ensure that traffic from VLAN 2 is forwarded through GE1/0/1 and traffic from
VLAN 3 is forwarded through GE1/0/2, you can configure the Eth-Trunk to
preferentially forward local traffic.
Figure 6-8 Preferentially forwarding local traffic
1. Create an Eth-Trunk.
2. Add member interfaces to the Eth-Trunk.
3. Enable the Eth-Trunk to preferentially forward local traffic.
4. Add interfaces to VLANs to implement Layer 2 connectivity.

Procedure
Step 1 Create an Eth-Trunk and configure the ID of a VLAN from which packets can pass
through the Eth-Trunk.
# Configure the CSS.
[Quidway] sysname CSS
[CSS] interface eth-trunk 10 //Create Eth-Trunk 10 and enter the view of Eth-Trunk 10.
[CSS-Eth-Trunk10] port link-type trunk //Set the link type of the interface to trunk.
[CSS-Eth-Trunk10] port trunk allow-pass vlan all //Configure the interface to allow all VLANs.
[CSS-Eth-Trunk10] quit
# Configure the aggregation switch PE.

[Quidway] sysname PE
[PE] interface eth-trunk 10 //Create Eth-Trunk 10 and enter the view of Eth-Trunk 10.
[PE-Eth-Trunk10] port link-type trunk //Set the link type of the interface to trunk.
[PE-Eth-Trunk10] port trunk allow-pass vlan all //Configure the interface to allow all VLANs.
[PE-Eth-Trunk10] quit
Step 2 Add member interfaces to the Eth-Trunk.

[CSS] interface gigabitethernet 1/1/0/4
[CSS-GigabitEthernet1/1/0/4] eth-trunk 10 //Add GE1/1/0/4 to Eth-Trunk 10.
[CSS-GigabitEthernet1/1/0/4] quit
[CSS-GigabitEthernet2/1/0/4] eth-trunk 10 //Add GE2/1/0/4 to Eth-Trunk 10.
# Configure the PE.

[PE] interface gigabitethernet 1/0/1
[PE-GigabitEthernet1/0/1] eth-trunk 10 //Add GE1/0/1 to Eth-Trunk 10.
[PE-GigabitEthernet1/0/1] quit
[PE] interface gigabitethernet 1/0/2
[PE-GigabitEthernet1/0/2] eth-trunk 10 //Add GE1/0/2 to Eth-Trunk 10.
[PE-GigabitEthernet1/0/2] quit
Step 3 Configure the Eth-Trunk on devices in the CSS to preferentially forward local
traffic.
[CSS] interface eth-trunk 10
[CSS-Eth-Trunk10] local-preference enable //Enable Eth-Trunk 10 to preferentially forward local traffic.
[CSS-Eth-Trunk10] quit
NOTE
By default, an Eth-Trunk is enabled to preferentially forward local traffic. If you run the
local-preference enable command, the system displays the message "Error: The local
preferential forwarding mode has been configured."
Step 4 Configure Layer 2 forwarding.

[CSS] vlan batch 2 3
[CSS-GigabitEthernet1/1/0/3] port link-type trunk
[CSS-GigabitEthernet1/1/0/3] port trunk allow-pass vlan 2
[CSS-GigabitEthernet2/1/0/3] port link-type trunk
[CSS-GigabitEthernet2/1/0/3] port trunk allow-pass vlan 3

# Configure access switch Switch1.

[Quidway] sysname Switch1
[Switch1] vlan 2
[Switch1-vlan2] quit
[Switch1] interface gigabitethernet 1/0/1
[Switch1-GigabitEthernet1/0/1] port link-type trunk
[Switch1-GigabitEthernet1/0/1] port trunk allow-pass vlan 2
[Switch1-GigabitEthernet1/0/1] quit
# Configure access switch Switch2.

[Switch2] vlan 3

After the configuration is complete, run the display trunkmembership eth-trunk
command in any view to check information about member interfaces of the Eth-
Trunk.
The display on the CSS is used as an example.
<CSS> display trunkmembership eth-trunk 10
Trunk ID: 10
Used status: VALID
TYPE: ethernet
Working Mode : Normal
Number Of Ports in Trunk = 2
Number Of Up Ports in Trunk = 2
Operate status: up
Interface GigabitEthernet1/1/0/4, valid, operate up, weight=1

Interface GigabitEthernet2/1/0/4, valid, operate up, weight=1
----End
Configuration Files
● CSS configuration file
#
sysname CSS
#
vlan batch 2 3
#
port trunk allow-pass vlan 2 to 4094
#
interface GigabitEthernet1/1/0/3


#
#
eth-trunk 10
#
eth-trunk 10
#
return
● PE configuration file
#
sysname PE
#
#
eth-trunk 10
#
eth-trunk 10
#
return
● Switch1 configuration file

#
sysname Switch1
#
vlan batch 2
#
#
#
return
● Switch2 configuration file

#
sysname Switch2
#
vlan batch 3
#
#
#
return

6.2.6 Example for Configuring an Eth-Trunk and Association

Between VRRP and the Interface Status
Association Between VRRP and the Interface Status

Additional technologies are required to enhance the VRRP active/standby function.
For example, when the link from the master to a network is disconnected, VRRP
cannot detect the fault and an active/standby switchover cannot be performed. As
a result, hosts cannot remotely access the network through the master. To address
this issue, you can configure association between VRRP and the interface status.
When the master detects that the uplink interface fails, the master reduces its
priority to be lower than the priority of the backup and immediately sends VRRP
packets. After the backup receives the VRRP packets, it detects that the priority in
the VRRP packets is lower than its priority and switches to the master. This ensures
correct traffic forwarding.
Configuration Notes
● In V200R003 and earlier versions, VRRP can be configured only on the VLANIF
interface.
In V200R005 and later versions, VRRP can be configured on the VLANIF
interface and Layer 3 Ethernet interface.
For a modular switch in V200R006 and later versions, VRRP can be configured
on the VLANIF interface, Layer 3 Ethernet interface, Dot1q termination sub-
interface, and QinQ termination sub-interface.
For a fixed switch in V200R009 and later versions, VRRP can be configured on
the VLANIF interface, Layer 3 Ethernet interface, and sub-interface.
● Ensure that each device of the same VRRP group is configured with the same
VRID.
● VRRP groups must use different virtual IP addresses. The virtual IP address of
a VRRP group must be on the same network segment as the IP address of the
interface where the VRRP group is configured.
● A VRRP group can be associated with a maximum of eight interfaces.
Association between a VRRP group and the interface status cannot be
configured on the device as the IP address owner.
– S2320-EI
– S3300-EI, S3300-HI
– S5320-LI, S5320-SI, S5300-EI, S5300-HI, S5310-EI, S5320-EI, S5320-HI,
S5330-SI, S5330-HI, S5331-S, S5331-H, S5332-H, S5335-S, S5335-L,
S5335-L1, S5336-S
– S6300-EI, S6320-EI, S6320-SI, S6320-HI, S6330-H
– S9300X-4, S9300X-8, S9300X-12, S9303, S9303E, S9306, S9306E, S9310,
S9310X, S9312, S9312E

NOTE
product model.
As shown in Figure 6-9, the user hosts are dual-homed to SwitchA and SwitchB
through the switch. The requirements are as follows:
● The hosts use SwitchA as the default gateway to connect to the Internet.
When SwitchA or the downlink/uplink fails, SwitchB functions as the gateway
to implement gateway backup.
● The bandwidth of the link between SwitchA and SwitchB is increased to
implement link backup and improve link reliability.
● After SwitchA recovers, it becomes the gateway within 20s.
Figure 6-9 Networking of association between VRRP and the interface status
A VRRP group in active/standby mode is used to implement gateway backup. The
configuration roadmap is as follows:
1. Assign an IP address to each interface and configure a routing protocol to
ensure network connectivity.
2. Configure VLAN aggregation on SwitchA and SwitchB to implement Layer 2
isolation and Layer 3 connectivity of VLANs 101 to 180 and save IP addresses.
3. Create an Eth-Trunk on SwitchA and SwitchB and add member interfaces to
the Eth-Trunk to increase the link bandwidth and implement link backup.
4. Configure a VRRP group between SwitchA and SwitchB. Set a higher priority
for SwitchA so that SwitchA functions as the master to forward traffic, and set
the preemption delay to 20s on SwitchA. Set a lower priority for SwitchB so
that SwitchB functions as the backup.

5. Associate VRRP with GE1/0/1 and GE1/0/2 on SwitchA so that the VRRP group
can detect the fault of the master and perform an active/standby switchover
immediately.
NOTE
SwitchA and SwitchB are core switches, and the switch is an aggregation switch.
Procedure
Step 1 Configure devices to ensure network connectivity.
# Assign an IP address to each interface on core devices. SwitchA is used as an
example. The configuration of SwitchB is similar to the configuration of SwitchA,
and is not mentioned here. For details, see the configuration files.
[SwitchA] vlan batch 11 to 15 101 to 180 301 to 305 400
[SwitchA-GigabitEthernet1/0/1] port link-type trunk
[SwitchA-GigabitEthernet1/0/1] undo port trunk allow-pass vlan 1
[SwitchA-GigabitEthernet1/0/2] port trunk allow-pass vlan 101 to 180
[SwitchA] interface vlanif 11
[SwitchA-Vlanif11] ip address 10.1.1.2 24
[SwitchA-Vlanif11] quit
# Configure Layer 2 transparent transmission on the switch.

[Switch] vlan batch 11 to 15 101 to 180
[Switch-GigabitEthernet1/0/1] undo port trunk allow-pass vlan 1
[Switch-GigabitEthernet1/0/1] port trunk allow-pass vlan 11 to 15 101 to 180
[Switch-GigabitEthernet1/0/2] undo port trunk allow-pass vlan 1
[Switch-GigabitEthernet1/0/2] port trunk allow-pass vlan 11 to 15 101 to 180
# Configure OSPF on SwitchA, SwitchB, and switch. SwitchA is used as an

example. The configurations of SwitchB and SwitchC are similar to the

configuration of SwitchA, and are not mentioned here. For details, see the
configuration files.
[SwitchA] ospf 1
[SwitchA-ospf-1] area 0
[SwitchA-ospf-1-area-0.0.0.0] network 10.1.1.0 0.0.0.255
[SwitchA-ospf-1-area-0.0.0.0] quit
[SwitchA-ospf-1] quit
Step 2 Configure a super-VLAN on SwitchA and SwitchB.
# Configure a super-VLAN on SwitchA. The configuration of SwitchB is similar to

the configuration of SwitchA, and is not mentioned here. For details, see the
[SwitchA] vlan 11
[SwitchA-vlan11] aggregate-vlan
[SwitchA-vlan11] access-vlan 101 to 116 301
[SwitchA-vlan11] quit
[SwitchA] vlan 12
[SwitchA] vlan 13
[SwitchA] vlan 14
[SwitchA] vlan 15
Step 3 Configure link aggregation on SwitchA and SwitchB.
# Create Eth-Trunk 1 in LACP mode on SwitchA. The configuration of SwitchB is

similar to the configuration of SwitchA, and is not mentioned here. For details, see
the configuration files.
[SwitchA-Eth-Trunk1] mode lacp
[SwitchA-Eth-Trunk1] port link-type trunk
[SwitchA-Eth-Trunk1] undo port trunk allow-pass vlan 1
[SwitchA-Eth-Trunk1] port trunk allow-pass vlan 301 to 305
# Add member interfaces on SwitchA to Eth-Trunk 1. The configuration of SwitchB

is similar to the configuration of SwitchA, and is not mentioned here. For details,
see the configuration files.
[SwitchA-GigabitEthernet1/0/3] eth-trunk 1
[SwitchA-GigabitEthernet1/0/4] eth-trunk 1
Step 4 Configure VRRP groups on SwitchA and SwitchB.

# Configure a VRRP group on SwitchA, and set the priority of SwitchA to 120 and
the preemption delay to 20s.
[SwitchA-Vlanif11] vrrp vrid 1 virtual-ip 10.1.1.1
[SwitchA-Vlanif11] vrrp vrid 1 priority 120 //The default priority of the device
in a VRRP group is 100. Change the priority of the master to be higher than that of the backup.
[SwitchA-Vlanif11] vrrp vrid 1 preempt-mode timer delay 20 //The device in a VRRP
group uses the immediate preemption mode by default. Change the preemption delay of the master to
prevent traffic interruptions when the master and backup frequently preempt the bandwidth on an
unstable network.
[SwitchA-Vlanif11] vrrp vrid 1 track interface gigabitethernet 1/0/1 reduced 100 //Associate the VRRP
group with the uplink interface. Set the decreased priority to ensure that the priority of the backup is higher
than the priority of the master. Then an active/standby switchover can be triggered.
[SwitchA-Vlanif11] vrrp vrid 1 track interface gigabitethernet 1/0/2 reduced 100 //Associate the VRRP
group with the downlink interface. Set the decreased priority to ensure that the priority of the backup is
higher than the priority of the master. Then an active/standby switchover can be triggered.
[SwitchA-Vlanif11] vrrp advertise send-mode 301 //Specify VLAN 301 where
VRRP packets are transmitted to save the network bandwidth.
[SwitchA-Vlanif12] vrrp vrid 2 priority 120
[SwitchA-Vlanif12] vrrp vrid 2 preempt-mode timer delay 20
[SwitchA-Vlanif12] vrrp vrid 2 track interface gigabitethernet 1/0/1 reduced 100
[SwitchA-Vlanif12] vrrp advertise send-mode 302
# Configure a VRRP group on SwitchB. SwitchB uses the default priority of 100.
[SwitchB] interface vlanif 11
[SwitchB-Vlanif11] vrrp vrid 1 virtual-ip 10.1.1.1
[SwitchB-Vlanif11] vrrp advertise send-mode 301
[SwitchB-Vlanif11] quit


# After the configuration is complete, run the display vrrp command on SwitchA.
You can see that SwitchA is the master in VRRP group 1. VRRP group 1 is used as
an example. Information of other VRRP groups is similar to information of VRRP
group 1.
[SwitchA] display vrrp 1
Vlanif11 | Virtual Router 1
State : Master
Virtual IP : 10.1.1.1
Master IP : 10.1.1.2
Send VRRP packet to subvlan : 301
PriorityRun : 120
PriorityConfig : 120
MasterPriority : 120
Preempt : YES Delay Time : 20 s
TimerRun : 1 s
TimerConfig : 1 s
Auth type : NONE
Virtual MAC : 0000-5e00-0101
Check TTL : YES
Config type : normal-vrrp
Backup-forward : disabled
Track IF : GigabitEthernet1/0/1 Priority reduced : 100
IF state : UP
IF state : UP
Create time : 2012-05-11 11:39:18
Last change time : 2012-05-26 11:38:58
# Run the display vrrp command on SwitchB. You can see that SwitchB is the
backup. VRRP group 1 is used as an example.
[SwitchB] display vrrp 1
State : Backup
PriorityRun : 100
TimerRun : 1 s
TimerConfig : 1 s
Auth type : NONE
Virtual MAC : 0000-5e00-0101
Check TTL : YES
Create time : 2012-05-11 11:39:18
Last change time : 2012-05-26 11:38:58
# Run the shutdown command on GE1/0/1 of SwitchA to simulate a link fault.

Then run the display vrrp command on SwitchA and SwitchB. You can see that
SwitchA is in Backup state, SwitchB enters the Master state, and the associated
interface becomes Down.
[SwitchA-GigabitEthernet1/0/1] shutdown


State : Backup
PriorityRun : 20
TimerRun : 1 s
TimerConfig : 1 s
Auth type : NONE
Virtual MAC : 0000-5e00-0101
Check TTL : YES
IF state : DOWN
IF state : UP
Create time : 2012-05-11 11:39:18
Last change time : 2012-05-26 14:12:38
State : Master
PriorityRun : 100
TimerRun : 1 s
TimerConfig : 1 s
Auth type : NONE
Virtual MAC : 0000-5e00-0101
Check TTL : YES
Create time : 2012-05-11 11:39:18
Last change time : 2012-05-26 14:12:38
# Run the undo shutdown command on GE1/0/1 of SwitchA.

[SwitchA-GigabitEthernet1/0/1] undo shutdown
# After 20s, run the display vrrp command on SwitchA and SwitchB. You can see
that SwitchA is restored as the master and SwitchB is restored as the backup, and
the associated interface is in Up state.
State : Master
PriorityRun : 120
TimerRun : 1 s
TimerConfig : 1 s
Auth type : NONE
Virtual MAC : 0000-5e00-0101
Check TTL : YES

IF state : UP
IF state : UP
Create time : 2012-05-11 11:39:18
Last change time : 2012-05-26 14:17:36
State : Backup
PriorityRun : 100
TimerRun : 1 s
TimerConfig : 1 s
Auth type : NONE
Virtual MAC : 0000-5e00-0101
Check TTL : YES
Create time : 2012-05-11 11:39:18
Last change time : 2012-05-26 14:17:36
----End
Configuration Files
● Configuration file of SwitchA
#
sysname SwitchA
#
vlan batch 11 to 15 101 to 180 301 to 305 400
#
vlan 11
aggregate-vlan
access-vlan 101 to 116 301
vlan 12
aggregate-vlan
vlan 13
aggregate-vlan
vlan 14
aggregate-vlan
vlan 15
aggregate-vlan
#
interface Vlanif11
ip address 10.1.1.2 255.255.255.0
vrrp vrid 1 virtual-ip 10.1.1.1
vrrp vrid 1 priority 120
vrrp vrid 1 preempt-mode timer delay 20
vrrp vrid 1 track interface gigabitethernet1/0/1 reduced 100
vrrp advertise send-mode 301
#
interface Vlanif12
ip address 10.1.2.2 255.255.255.0


#
interface Vlanif13
ip address 10.1.3.2 255.255.255.0
#
interface Vlanif14
ip address 10.1.4.2 255.255.255.0
#
interface Vlanif15
ip address 10.1.5.2 255.255.255.0
#
interface Vlanif400
ip address 192.168.1.1 255.255.255.0
#
undo port trunk allow-pass vlan 1
mode lacp
#
#
#
eth-trunk 1
#
eth-trunk 1
#
ospf 1
area 0.0.0.0
network 10.1.1.0 0.0.0.255
network 10.1.2.0 0.0.0.255
network 10.1.3.0 0.0.0.255
network 10.1.4.0 0.0.0.255
network 10.1.5.0 0.0.0.255
network 192.168.1.0 0.0.0.255
#
return
● Configuration file of SwitchB
#
sysname SwitchB
#

vlan batch 11 to 15 101 to 180 200 301 to 305

#
vlan 11
aggregate-vlan
vlan 12
aggregate-vlan
vlan 13
aggregate-vlan
vlan 14
aggregate-vlan
vlan 15
aggregate-vlan
#
interface Vlanif11
ip address 10.1.1.3 255.255.255.0
#
interface Vlanif12
ip address 10.1.2.3 255.255.255.0
#
interface Vlanif13
ip address 10.1.3.3 255.255.255.0
#
interface Vlanif14
ip address 10.1.4.3 255.255.255.0
#
interface Vlanif15
ip address 10.1.5.3 255.255.255.0
#
interface Vlanif200
ip address 192.168.2.1 255.255.255.0
#
mode lacp
#
#
#
eth-trunk 1
#
eth-trunk 1
#
ospf 1

area 0.0.0.0
network 10.1.1.0 0.0.0.255
network 10.1.2.0 0.0.0.255
network 10.1.3.0 0.0.0.255
network 10.1.4.0 0.0.0.255
network 10.1.5.0 0.0.0.255
network 192.168.2.0 0.0.0.255
#
return
● Configuration file of SwitchC
#
sysname SwitchC
#
vlan batch 200 300 400
#
interface Vlanif200
ip address 192.168.2.2 255.255.255.0
#
interface Vlanif300
ip address 172.16.1.1 255.255.255.0
#
interface Vlanif400
ip address 192.168.1.2 255.255.255.0
#
#
#
#
ospf 1
area 0.0.0.0
network 172.16.1.0 0.0.0.255
network 192.168.1.0 0.0.0.255
network 192.168.2.0 0.0.0.255
#
return
● Configuration file of the switch
#
sysname Switch
#
vlan batch 11 to 15 101 to 180
#
port trunk allow-pass vlan 11 to 15 101 to 180
#
#
return
6.3 Typical VLAN Configuration

6.3.1 Example for Configuring Interface-based VLAN

Assignment
Overview
VLANs can be assigned based on interfaces, MAC addresses, IP subnets, protocols,
and policies (MAC addresses, IP addresses, and interfaces). Table 6-4 compares
different VLAN assignment modes.
Table 6-4 Comparisons among VLAN assignment modes
VLAN Implementation Advantage Disadvan Usage

Assignme tage Scenario
nt Mode
Interface- VLANs are assigned It is simple to The Applies to

based based on interfaces. define VLAN network networks
VLAN A network members. administr of any
assignmen administrator ator scale and
t preconfigures a PVID needs to with
for each interface on a reconfigur devices at
switch. When an e VLANs fixed
untagged frame arrives when locations.
at an interface, the VLAN
switch adds the PVID of members
the interface to the change.
frame. The frame is
then transmitted in the
VLAN specified by the
PVID.
MAC VLANs are assigned When physical The Applies to

address- based on source MAC locations of network small-
based addresses of frames. users change, administr scale
VLAN A network the network ator must networks
assignmen administrator administrator predefine where
t preconfigures mappings does not need VLANs for user
between MAC to reconfigure all terminals
addresses and VLAN VLANs for the members often
IDs. When receiving an users. This on a change
untagged frame, the improves network. physical
switch adds the VLAN security and locations
tag mapping the MAC access flexibility but their
address of the frame to on a network. NICs
the frame. Then the seldom
frame is transmitted in change,
the specified VLAN. for
example,
mobile
computer
s.


nt Mode
IP subnet- VLANs are assigned ● When Users are Applies to

based based on source IP physical evenly scenarios
VLAN addresses and subnet locations of spread where
assignmen masks. users and there are
t A network change, the multiple high
administrator network users are requireme
preconfigures mappings administrato on the nts for
between IP addresses r does not same mobility
and VLAN IDs. When need to network and
receiving an untagged reconfigure segment. simplified
frame, the switch adds VLANs for managem
the VLAN tag mapping the users. ent and
the IP address of the ● This mode low
frame to the frame. reduces requireme
Then the frame is communicati nts for
transmitted in the on traffic security.
specified VLAN. and allows a For
broadcast example,
domain to this mode
span can be
multiple used if a
switches. PC with
multiple
IP
addresses
needs to
access
servers on
different
network
segments
or a PC
needs to
join a
new
VLAN
automatic
ally after
the PC's
IP address
changes.


nt Mode
Protocol- VLANs are assigned This mode ● The Applies to

based based on protocol binds service networ networks
VLAN (suite) types and types to VLANs, k using
assignmen encapsulation formats facilitating admini multiple
t of frames. management strator protocols.
A network and must
administrator maintenance. preconf
preconfigures mappings igure
between protocol types mappi
and VLAN IDs. When ngs
receiving an untagged betwee
frame, the switch adds n all
the VLAN tag mapping protoc
the protocol type of the ol
frame to the frame. The types
frame is then and
transmitted in the VLAN
specified VLAN. IDs.
● The
switch
needs
to
analyz
e
protoc
ol
addres
s
format
s and
conver
t the
format
s,
which
consu
mes
excessi
ve
resourc
es.
Theref
ore,
this
mode
slows
down
switch


nt Mode
respon
se
time.
Policy- VLANs are assigned ● This mode Each Applies to

based based on policies such provides policy complex
VLAN as combinations of high security. needs to networks.
assignmen interfaces, MAC MAC be
t (MAC addresses, and IP addresses or manually
addresses, addresses. IP addresses configure
IP A network of users who d.
addresses, administrator have been
and preconfigures policies. bound to
interfaces) When receiving an VLANs
untagged frame that cannot be
matches a configured changed.
policy, the switch adds ● The network
a specified VLAN tag to administrato
the frame. The frame is r can flexibly
then transmitted in the select which
specified VLAN. policies to
use
according to
the
managemen
t mode and
requirements
.
Interface-based VLAN assignment is the simplest and most commonly used

method.
Configuration Notes
This example applies to all versions of all switches.
In Figure 6-10, the switch of an enterprise connects to many users, and users
accessing the same service connect to the enterprise network through different
devices. To ensure communication security and prevent broadcast storms, the
enterprise requires that users using the same service communicate with each
other and users accessing different services be isolated. You can configure
interface-based VLAN assignment on the switch so that the switch adds interfaces
connected to users using the same service to the same VLAN. Users in different
VLANs cannot communicate with each other at Layer 2, and users in the same
VLAN can communicate with each other.

Figure 6-10 Networking of interface-based VLAN assignment
1. Create VLANs and add interfaces that connect users to VLANs to isolate Layer
2 traffic of different services.
2. Configure link types of interfaces between SwitchA and SwitchB and VLANs
allowed by interfaces so that users accessing the same service can
communicate with each other through SwitchA and SwitchB.
Procedure
Step 1 Create VLAN 2 and VLAN 3 on SwitchA and add interfaces that are connected to
users to VLANs. The configuration of SwitchB is similar to the configuration of
SwitchA, and is not mentioned here.
[SwitchA] vlan batch 2 3 //Create VLAN 2 and VLAN 3 in a batch.
[SwitchA-GigabitEthernet1/0/1] port link-type access //The interface connected to the access device must
be the access interface. The default link type of an interface is not access, so you need to manually
configure the access interface.
[SwitchA-GigabitEthernet1/0/1] port default vlan 2 //Add GE1/0/1 to VLAN 2.
[SwitchA-GigabitEthernet1/0/2] port link-type access
[SwitchA-GigabitEthernet1/0/2] port default vlan 3 //Add GE1/0/2 to VLAN 3.
Step 2 Configure the link type of the interface on SwitchA that is connected to SwitchB
and VLAN allowed by the interface. The configuration of SwitchB is similar to the
configuration of SwitchA, and is not mentioned here.
[SwitchA-GigabitEthernet1/0/3] port link-type trunk //The link type of interfaces connecting switches
must be trunk. The default link type of an interface is not trunk, so you need to manually configure the
trunk interface.
[SwitchA-GigabitEthernet1/0/3] port trunk allow-pass vlan 2 3 //Add GE1/0/3 to VLAN 2 and VLAN 3.
User1 and User2 are on the same network segment, for example,
192.168.100.0/24; User3 and User4 are on the same network segment, for
example, 192.168.200.0/24.

User1 and User2 can ping each other, but cannot ping User3 or User4. User3 and
User4 can ping each other, but cannot ping User1 or User2.
----End
Configuration Files
SwitchA configuration file
#
sysname SwitchA
#
vlan batch 2 to 3
#
port default vlan 2
#
port default vlan 3
#
#
return
SwitchB configuration file

#
sysname SwitchB
#
vlan batch 2 to 3
#
port default vlan 2
#
port default vlan 3
#
#
return

Assignment (Access Device Used as the Gateway)
Overview
and policies (MAC addresses, IP addresses, and interfaces). Interface-based VLAN
assignment is the simplest and commonly used.
Interface-based VLAN assignment indicates that VLANs are assigned based on

interfaces. A network administrator preconfigures a PVID for each interface on a
switch. When an untagged frame arrives at an interface, the switch adds the PVID
of the interface to the frame. Then the frame is transmitted in a specified VLAN.

In typical hierarchical networking, when the access switch is a Layer 3 switch, the
access switch can be used as the gateway of PCs to simplify the configuration of
the aggregation switch.
Configuration Notes
In Figure 6-11, PC1 and PC2 belong to VLAN 2 and VLAN 3, respectively. PC1 and
PC2 connect to the aggregation switch SW1 through the access switch SW2. PC3
belongs to VLAN 4 and connects to SW1 through SW3. SW2 functions as the
gateway of PC1 and PC2, and SW3 is used as the gateway of PC3. Static routes are
configured on switches so that PCs can communicate with each other and can be
connected to the router.
Figure 6-11 Configuring access devices as gateways
1. Configure interface-based assignment on the access switch to implement

Layer 2 interworking.
2. Configure access switches as gateways of PCs to implement communication
between PCs on different network segments.
3. Configure static routes on the aggregation switch so that PCs can
communicate with the router.

Procedure
Step 1 Configure SW2.
# Create VLANs.
[Quidway] sysname SW2 //Change the device name to SW2 for easy identification.
[SW2] vlan batch 2 to 3 //Create VLAN 2 and VLAN 3 in a batch.
# Add interfaces to VLANs.

[SW2] interface gigabitethernet 1/0/23
[SW2-GigabitEthernet1/0/23] port link-type access //Configure the interface connected to the PC as the
access interface.
[SW2-GigabitEthernet1/0/23] port default vlan 2 //Add PC1 to VLAN 2.
[SW2-GigabitEthernet1/0/23] quit
[SW2-GigabitEthernet1/0/24] port link-type access
# Configure VLANIF interfaces and configure IP addresses for VLANIF interfaces as

gateway addresses of PCs.
[SW2] interface vlanif 2 //Create VLANIF 2.
[SW2-Vlanif2] ip address 192.168.2.1 24 //Configure an IP address for VLANIF 2. The IP address is the
gateway address of PC1.
[SW2-Vlanif2] quit
[SW2-Vlanif3] quit
# Connect SW2 to SW1.

[SW2] vlan batch 5 //Create VLAN 5.
[SW2-GigabitEthernet1/0/1] port default vlan 5 //Configure SW2 and SW1 to communicate in untagged
mode.
[SW2-Vlanif5] ip address 192.168.5.2 24 //Configure an IP address for VLANIF 5. The IP address is the IP
address of the interconnected interface between SW1 and SW2.
[SW2-Vlanif5] quit
[SW2] ip route-static 0.0.0.0 0.0.0.0 192.168.5.1 //Configure a default route so that the PC can access the
router. The next hop address is the IP address of the interface connected to SW1.
# Create VLANs.
[Quidway] sysname SW3 //Change the device name to SW3.

access interface.



[SW3-Vlanif4] quit
# Connect SW3 to SW1.

[SW3-GigabitEthernet1/0/1] port default vlan 5 //Configure SW3 and SW1 to communicate in untagged
mode.
address of interconnected interface between SW3 and SW1.
[SW3-Vlanif5] quit
[SW3] ip route-static 0.0.0.0 0.0.0.0 192.168.5.1 //Configure a default route so that the PC can access the
router. The next hop address is the IP address of the interface connected to SW1.

# Create VLANs.
# Add interfaces connected to PCs to VLANs.

[SW1-GigabitEthernet1/0/1] port link-type access //Configure the interface connected to the router as the
access interface.
[SW1-GigabitEthernet1/0/1] port default vlan 5
[SW1-GigabitEthernet1/0/2] port link-type access //Configure the interface connected to SW2 as the
access interface.
[SW1-GigabitEthernet1/0/3] port link-type access //Configure the interface connected to SW3 as the
access interface.
# Configure VLANIF interfaces so that PCs can connect to the router.

address of the interface connected to the router.
[SW1-Vlanif5] quit
# Configure a static route so that PCs on different network segments can

communicate with each other.
[SW1] ip route-static 192.168.2.0 255.255.255.0 192.168.5.2 //Configure a static route. Packets with the
destination IP address of 192.168.2.0/24 are forwarded to the next hop address of 192.168.5.2. The next hop
address is the IP address of the VLANIF interface connected to SW2.
# Configure a default route so that PCs can communicate with the router.
[SW1] ip route-static 0.0.0.0 0.0.0.0 192.168.5.4 //The IP address is the IP address of the interface
connected to SW1.


PC1, PC2, and PC3 can access each other, and they can communicate with the
router.
----End
Configuration Files
SW1 configuration file
#
sysname SW1
#
vlan batch 5
#
interface Vlanif5
ip address 192.168.5.1 255.255.255.0
#
port default vlan 5
#
port default vlan 5
#
port default vlan 5
#
ip route-static 0.0.0.0 0.0.0.0 192.168.5.4
ip route-static 192.168.2.0 255.255.255.0 192.168.5.2
ip route-static 192.168.3.0 255.255.255.0 192.168.5.2
ip route-static 192.168.4.0 255.255.255.0 192.168.5.3
#
return

#
sysname SW2
#
vlan batch 2 to 3 5
#
#
interface Vlanif2
ip address 192.168.2.1 255.255.255.0
#
interface Vlanif3
ip address 192.168.3.1 255.255.255.0
#
interface Vlanif5
ip address 192.168.5.2 255.255.255.0
#
port default vlan 5
#
port default vlan 2
#
port default vlan 3
#
ip route-static 0.0.0.0 0.0.0.0 192.168.5.1

#
return

#
sysname SW3
#
vlan batch 4 to 5
#
interface Vlanif4
ip address 192.168.4.1 255.255.255.0
#
interface Vlanif5
ip address 192.168.5.3 255.255.255.0
#
port default vlan 5
#
port default vlan 4
#
ip route-static 0.0.0.0 0.0.0.0 192.168.5.1
#
return

Assignment (Aggregation Device Used as the Gateway)
Overview
and policies (MAC addresses, IP addresses, and interfaces). Interface-based VLAN
assignment is the simplest and commonly used.
Interface-based VLAN assignment indicates that VLANs are assigned based on

interfaces. A network administrator preconfigures a PVID for each interface on a
switch. When an untagged frame arrives at an interface, the switch adds the PVID
of the interface to the frame. Then the frame is transmitted in a specified VLAN.
In typical hierarchical networking, when the access switch is a Layer 2 switch, the
aggregation switch can be used as the gateway of PCs. The configuration of the
access switch is simplified, and PCs access the external network through one
outbound interface, thereby facilitating maintenance and management.
Configuration Notes
In Figure 6-12, PC1 and PC2 belong to VLAN 2 and VLAN 3, respectively. PC1 and
PC2 connect to the aggregation switch SW1 through the access switch SW2. PC3
belongs to VLAN 4 and connects to SW1 through SW3. No configuration is
performed on SW3, and SW3 functions as the hub and is plug-and-play. SW1
functions as the gateway of PC1, PC2, and PC3 so that PCs can communicate with
each other and can be connected to the router.

Figure 6-12 Configuring the aggregation device as the gateway
1. Configure interface-based assignment on the access switch to implement

Layer 2 interworking.
2. Configure the aggregation switch as the gateway of PCs to implement Layer 3
interworking between PCs on different network segments.
3. Configure the interface connecting the aggregation switch and router.
Procedure
# Create VLANs.
[Quidway] sysname SW2 //Change the device name to SW2 for easy identification.
[SW2] vlan batch 2 3 //Create VLAN 2 and VLAN 3 in a batch.

access interface.
[SW2-GigabitEthernet1/0/1] port link-type trunk //Configure the interface connected to the aggregation
switch as the trunk interface.

[SW2-GigabitEthernet1/0/1] port trunk allow-pass vlan 2 3 //Add the interface to VLAN 2 and VLAN 3.

# Create VLANs.
[SW1] vlan batch 2 to 5 //Create VLANs 2 to 5.
# Add interfaces connected to PCs to VLANs.

[SW1-GigabitEthernet1/0/2] port link-type trunk //Configure the interface connected to SW1 as the trunk
interface.
[SW1-GigabitEthernet1/0/2] port trunk allow-pass vlan 2 3 //Add the interface to VLAN 2 and VLAN 3.
[SW1-GigabitEthernet1/0/3] port link-type access //Configure the interface connected to PC3 as the
access interface.

[SW1-Vlanif2] quit
[SW1-Vlanif3] quit
[SW1-Vlanif4] quit
# Add interfaces connected to routers to VLANs.

[SW1-GigabitEthernet1/0/1] port link-type access //Configure the interface connected to the router as the
access interface. The interface communicates with the router in untagged mode.
[SW1-GigabitEthernet1/0/1] port default vlan 5 //Add the router to VLAN 5.
# Configure VLANIF interfaces so that PCs can connect to the router.

[SW1-Vlanif5] ip address 192.168.5.1 24 //Configure an IP address for VLANIF 5. The IP address is used for
interoperation with the router.
[SW1-Vlanif5] quit

PC1, PC2, and PC3 can access each other, and they can communicate with the
router.
----End
Configuration Files
#
sysname SW1

#
vlan batch 2 to 5
#
interface Vlanif2
ip address 192.168.2.1 255.255.255.0
#
interface Vlanif3
ip address 192.168.3.1 255.255.255.0
#
interface Vlanif4
ip address 192.168.4.1 255.255.255.0
#
interface Vlanif5
ip address 192.168.5.1 255.255.255.0
#
port default vlan 5
#
#
port default vlan 4
#
return

#
sysname SW2
#
vlan batch 2 to 3
#
#
port default vlan 2
#
port default vlan 3
#
return
6.3.4 Example for Configuring MAC Address-based VLAN

Assignment
Overview
MAC address-based VLAN assignment applies to small-scale networks where user
terminals often change physical locations but their NICs seldom change, for
example, mobile computers.


nt Mode

frame. The frame is
PVID.

example,
mobile
computer
s.


nt Mode

broadcast example,
domain to this mode
span can be
multiple used if a
switches. PC with
multiple
IP
addresses
needs to
access
servers on
different
network
segments
or a PC
needs to
join a
new
VLAN
automatic
ally after
the PC's
IP address
changes.


nt Mode

A network and must
frame is then and
● The
switch
needs
to
analyz
e
protoc
ol
addres
s
format
s and
conver
t the
format
s,
which
consu
mes
excessi
ve
resourc
es.
Theref
ore,
this
mode
slows
down
switch


nt Mode
respon
se
time.

use
according to
the
managemen
t mode and
requirements
.
Configuration Notes
In Figure 6-13, GE1/0/1 interfaces on SwitchA and SwitchB connect to two
conference rooms, respectively. Laptop1 and Laptop2 are portal computers used in
the two conferences rooms. Laptop1 and Laptop2 belong to two departments,
which belong to VLAN 100 and VLAN 200, respectively. Regardless of which
conference room in which Laptop1 and Laptop2 are used, Laptop1 and Laptop2
are required to access the servers of their respective departments (Server1 and
Server2, respectively). The MAC addresses of Laptop1 and Laptop2 are 00e0-
fcef-00c0 and 00e0-fcef-00c1.

Figure 6-13 Networking of MAC address-based VLAN assignment
1. Create VLANs on SwitchA and SwitchB and add interfaces to VLANs to
implement Layer 2 connectivity.
2. Configure MAC address-based VLAN assignment on SwitchA and SwitchB.
3. Configure transparent transmission of VLAN tagged-packets on the switch so
that Laptop1 and Laptop2 can access Server1 and Server2 of their respective
departments.
Procedure
Step 1 Configure SwitchA. The configuration of SwitchB is similar to the configuration of
SwitchA, and is not mentioned here.
[SwitchA] vlan batch 100 200 //Create VLAN 100 and VLAN 200.
[SwitchA-GigabitEthernet1/0/2] port link-type trunk //The link type of interfaces connecting switches
must be trunk. The default link type of an interface is not trunk, so you need to manually configure the
trunk interface.
[SwitchA-GigabitEthernet1/0/2] port trunk allow-pass vlan 100 200 //Add GE1/0/2 to VLAN 100 and
VLAN 200.
[SwitchA] vlan 100
[SwitchA-vlan100] mac-vlan mac-address 00e0-fcef-00c0 //Packets with the MAC address of 00e0-
fcef-00c0 are transmitted in VLAN 100.
[SwitchA] vlan 200
[SwitchA-vlan200] mac-vlan mac-address 00e0-fcef-00c1 //Packets with the MAC address of 00e0-
fcef-00c1 are transmitted in VLAN 200.


[SwitchA-GigabitEthernet1/0/1] port hybrid untagged vlan 100 200 //The default link type of an
interface is hybrid, so you do not need to configure the link type.
[SwitchA-GigabitEthernet1/0/1] mac-vlan enable //Enable MAC address-based VLAN assignment on the
interface.
Step 2 Configure the switch. The configurations of GE1/0/2, GE1/0/3, and GE1/0/4 are
similar to the configuration of GE1/0/1, and are not mentioned here.
[Switch] vlan batch 100 200
[Switch-GigabitEthernet1/0/1] port trunk allow-pass vlan 100 200 //Add GE1/0/1 to VLAN 100 and VLAN
200.

# Run the display mac-vlan mac-address all command in any view to check the
configuration of MAC address-based VLAN assignment.
[SwitchA] display mac-vlan mac-address all
---------------------------------------------------
MAC Address MASK VLAN Priority
---------------------------------------------------
00e0-fcef-00c0 ffff-ffff-ffff 100 0
00e0-fcef-00c1 ffff-ffff-ffff 200 0
Total MAC VLAN address count: 2
----End
Configuration Files
#
sysname SwitchA
#
vlan batch 100 200
#
port hybrid untagged vlan 100 200
mac-vlan enable
#
#
vlan 100
mac-vlan mac-address 00e0-fcef-00c0 priority 0
vlan 200
#
return

#
sysname SwitchB
#
vlan batch 100 200
#
port hybrid untagged vlan 100 200

mac-vlan enable
#
#
vlan 100
vlan 200
#
return

#
sysname Switch
#
vlan batch 100 200
#
#
#
#
#
return
6.3.5 Example for Configuring IP Subnet-based VLAN

Assignment
Overview of IP Subnet-based VLAN Assignment
IP subnet-based VLAN assignment applies to scenarios where there are high
requirements for mobility and simplified management and low requirements for
security. For example, this mode can be used if a PC with multiple IP addresses
needs to access servers on different network segments or a PC needs to join a new
VLAN automatically after the PC's IP address changes.


nt Mode

frame. The frame is
PVID.

example,
mobile
computer
s.


nt Mode

broadcast example,
domain to this mode
span can be
multiple used if a
switches. PC with
multiple
IP
addresses
needs to
access
servers on
different
network
segments
or a PC
needs to
join a
new
VLAN
automatic
ally after
the PC's
IP address
changes.


nt Mode

A network and must
frame is then and
● The
switch
needs
to
analyz
e
protoc
ol
addres
s
format
s and
conver
t the
format
s,
which
consu
mes
excessi
ve
resourc
es.
Theref
ore,
this
mode
slows
down
switch


nt Mode
respon
se
time.

use
according to
the
managemen
t mode and
requirements
.
Configuration Notes
In Figure 6-14, an enterprise has multiple services, including IPTV, VoIP, and
Internet access. Each service uses a different IP subnet. To facilitate management,
the company requires that packets of the same service be transmitted in the same
VLAN and packets of different services in different VLANs. The switch receives
packets of multiple services such as data, IPTV, and voice services, and user devices
of these services use IP addresses on different IP subnets. The switch needs to
assign VLANs to packets of different services so that the router can transmit
packets with different VLAN IDs to different servers.

Figure 6-14 Networking of IP subnet-based VLAN assignment
1. Create VLANs and add interfaces to VLANs so that the interfaces allow the IP
subnet-based VLANs.
2. Enable IP subnet-based VLAN assignment and associate IP subnets with
VLANs so that the switch determines VLANs based on source IP addresses or
network segments of packets.
Procedure
Step 1 Create VLANs.
[Switch] vlan batch 100 200 300 //Create VLAN100, VLAN 200, and VLAN 300 in a batch.
Step 2 Configure interfaces.

[Switch-GigabitEthernet1/0/1] port hybrid untagged vlan 100 200 300 //The default link type of an
interface is hybrid, so you do not need to configure the link type.
[Switch-GigabitEthernet1/0/1] ip-subnet-vlan enable //Enable IP subnet-based VLAN assignment.
[Switch-GigabitEthernet1/0/2] port trunk allow-pass vlan 100 200 300
Step 3 Configure IP subnet-based VLAN assignment.

[Switch] vlan 100
[Switch-vlan100] ip-subnet-vlan 1 ip 192.168.1.2 24 priority 2 //Configure the device to forward packets
with the IP address of 192.168.1.2/24 and priority of 2 in VLAN 100.
[Switch-vlan100] quit
[Switch] vlan 200

[Switch] vlan 300

# Run the display ip-subnet-vlan vlan all command on the switch. The following
information is displayed:
[Switch] display ip-subnet-vlan vlan all
----------------------------------------------------------------
Vlan Index IpAddress SubnetMask Priority
----------------------------------------------------------------
100 1 192.168.1.2 255.255.255.0 2
200 1 192.168.2.2 255.255.255.0 3
300 1 192.168.3.2 255.255.255.0 4
----------------------------------------------------------------
ip-subnet-vlan count: 3 total count: 3
----End
Configuration Files
#
sysname Switch
#
vlan batch 100 200 300
#
vlan 100
ip-subnet-vlan 1 ip 192.168.1.2 255.255.255.0 priority 2
vlan 200
vlan 300
#
port hybrid untagged vlan 100 200 300
ip-subnet-vlan enable
#
port trunk allow-pass vlan 100 200 300
#
return
6.3.6 Example for Directly Connecting a Terminal to a Layer 3

Gateway to Implement Inter-VLAN Communication
Overview
After VLANs are assigned, broadcast packets are only forwarded within the same
VLAN. That is, hosts in different VLANs cannot communicate at Layer 2 because
VLAN technology isolates broadcast domains. In real-world applications, hosts in
different VLANs often need to communicate, so inter-VLAN communication needs
to be implemented to resolve this. Layer 3 routing or VLAN technology is required
to implement inter-VLAN communication.
Huawei provides a variety of technologies to implement inter-VLAN

communication. The following two technologies are commonly used:

● VLANIF interface
A VLANIF interface is a Layer 3 logical interface. You can configure an IP
address for a VLANIF interface to implement inter-VLAN Layer 3
communication.
● Dot1q termination sub-interface
Similar to a VLANIF interface, a sub-interface is also a Layer 3 logical
interface. You can configure dot1q termination and an IP address for a sub-
interface to implement inter-VLAN Layer 3 communication.
VLANIF interfaces are the most commonly used for inter-VLAN communication
due to their simple configurations. However, a VLANIF interface needs to be
configured for each VLAN and each VLANIF interface requires an IP address, which
wastes IP addresses.
The VLANIF interface and Dot1q termination sub-interface can only allow hosts
on different network segments in different VLANs to communicate, whereas
super-VLAN (VLAN aggregation) and the VLAN Switch function allow hosts on the
same network segment in different VLANs to communicate.
Configuration Notes
● The default gateway address of hosts in a VLAN must be the IP address of the
VLANIF interface that corresponds to the VLAN.
● This example applies to all versions of all switches.
Different user hosts of an enterprise transmit the same service, and are located on
different network segments. User hosts transmitting the same service belong to
different VLANs and need to communicate.
In Figure 6-15, User1 and User2 access the same service but belong to different
VLANs and are located on different network segments. User1 and User2 need to
communicate.
Figure 6-15 Networking for configuring inter-VLAN communication using VLANIF

interfaces

1. Create VLANs and determine the VLANs to which users belong.

2. Add interfaces to VLANs and configure the interfaces to allow the VLANs.
3. Create VLANIF interfaces and configure IP addresses for the VLANIF interfaces
to implement Layer 3 connectivity.
Procedure
Step 1 Configure the switch.
# Create VLANs, and configure interfaces on the switch connected to user hosts as
access interfaces and add them to VLANs.
[Switch] vlan batch 10 20
[Switch-GigabitEthernet1/0/1] port link-type access //Configure the link type of the interface as access.
[Switch-GigabitEthernet1/0/1] port default vlan 10 //Add the interface to VLAN 10.
[Switch-GigabitEthernet1/0/2] port link-type access
[Switch-GigabitEthernet1/0/2] port default vlan 20
# Assign IP addresses to VLANIF interfaces.

[Switch] interface vlanif 10
[Switch-Vlanif10] ip address 10.10.10.2 24 //Set the IP address of VLANIF 10 to 10.10.10.2/24.
[Switch-Vlanif10] quit
[Switch] interface vlanif 20
[Switch-Vlanif20] ip address 10.10.20.2 24 //Set the IP address of VLANIF 20 to 10.10.20.2/24.
[Switch-Vlanif20] quit

Configure the IP address of 10.10.10.3/24 and default gateway address as
10.10.10.2/24 (VLANIF 10's IP address) for User1 in VLAN 10.
Configure the IP address of 10.10.20.3/24 and default gateway address as
10.10.20.2/24 (VLANIF 20's IP address) for User2 in VLAN 20.
After the configuration is complete, User1 in VLAN 10 and User2 in VLAN 20 can
communicate.
----End
Configuration Files
#
sysname Switch
#
vlan batch 10 20
#
interface Vlanif10
ip address 10.10.10.2 255.255.255.0
#
interface Vlanif20
ip address 10.10.20.2 255.255.255.0
#

port default vlan 10

#
#
return
6.3.7 Example for Connecting a Terminal to a Layer 3 Gateway

Through a Layer 2 Switch
Overview
After VLANs are assigned, broadcast packets are only forwarded within the same
VLAN. That is, hosts in different VLANs cannot communicate at Layer 2 because
VLAN technology isolates broadcast domains. In real-world applications, hosts in
different VLANs often need to communicate, so inter-VLAN communication needs
to be implemented to resolve this. Layer 3 routing or VLAN technology is required
to implement inter-VLAN communication.
Huawei provides a variety of technologies to implement inter-VLAN

communication. The following two technologies are commonly used:
● VLANIF interface
A VLANIF interface is a Layer 3 logical interface. You can configure an IP
address for a VLANIF interface to implement inter-VLAN Layer 3
communication.
● Dot1q termination sub-interface
Similar to a VLANIF interface, a sub-interface is also a Layer 3 logical
interface. You can configure dot1q termination and an IP address for a sub-
interface to implement inter-VLAN Layer 3 communication.
Inter-VLAN communication through a dot1q termination sub-interface is used in

scenarios where an Ethernet interface connects to many VLANs. Because data
flows from different VLANs preempt the bandwidth of the primary Ethernet
interface, communication bottlenecks may occur when the network is busy.
The VLANIF interface and Dot1q termination sub-interface can only allow hosts
on different network segments in different VLANs to communicate, whereas
super-VLAN (VLAN aggregation) and the VLAN Switch function allow hosts on the
same network segment in different VLANs to communicate.
Configuration Notes
● Only E series cards, X series cards, F series cards, and SC cards among S series
support the termination sub-interface. For details, see the card classification
in Hardware Description.
X1E cards among X series support the termination sub-interface in
V200R007C00 and later versions.
● For Layer 2 interfaces, only hybrid and trunk interfaces support termination
sub-interfaces.
● The VLAN IDs terminated by a sub-interface cannot be created in the system
view or be displayed.

● When IP packets need to be sent out from the termination sub-interface and
there is no corresponding ARP entry on the device. If ARP broadcast is not
enabled on the termination sub-interface through the command arp
broadcast enable, the system does not send or forward broadcast ARP
packets to learn ARP entries. In this case, the IP packets are discarded directly.
● This example applies to all versions of the modular switches.
In Figure 6-16, Host A and Host B belong to the R&D department, and Host C and
Host D belong to the quality department. The two departments are connected
through a Layer 2 switch, and require Layer 2 isolation and Layer 3 connectivity.
Figure 6-16 Networking for connecting a terminal to a Layer 3 gateway through a

Layer 2 switch
1. Configure interface-based assignment on the Layer 2 switch to implement

Layer 2 isolation.
2. Configure sub-interface termination on the Layer 3 switch to implement Layer
3 connectivity.
Procedure
Step 1 Configure Layer 2 switch SwitchA.
# Create VLANs.

[Quidway] sysname SwitchA //Change the device name to SwitchA for easy identification.
[SwitchA] vlan batch 2 to 3 //Create VLAN 2 and VLAN 3 in a batch.
# Add the interface connected to the host to VLANs.

[SwitchA-GigabitEthernet1/0/1] port link-type access //Configure the interface connected to the PC as the
access interface.
[SwitchA-GigabitEthernet1/0/1] port default vlan 2 //Add Host A to VLAN 2.
[SwitchA-GigabitEthernet1/0/2] port default vlan 2 //Add Host B to VLAN 2.
[SwitchA-GigabitEthernet1/0/3] port link-type access //Configure the interface connected to the PC as the
access interface.
[SwitchA-GigabitEthernet1/0/3] port default vlan 3 //Add Host C to VLAN 3.
[SwitchA-GigabitEthernet1/0/4] port default vlan 3 //Add Host D to VLAN 3.
# Enable the interface connected to the Layer 3 switch to transparently transmit

packets from a specified VLAN.
[SwitchA-GigabitEthernet1/0/5] port link-type trunk //Configure the interface connected to the switch as
the trunk interface.
[SwitchA-GigabitEthernet1/0/5] port trunk allow-pass vlan 2 to 3 //Add the interface to VLAN 2 and
VLAN 3.
Step 2 Configure Layer 3 switch SwitchB.

[Quidway] sysname SwitchB //Change the device name to SwitchB.
[SwitchB] interface gigabitethernet 1/0/1.1 //Create a sub-interface and enter the sub-interface view.
[SwitchB-GigabitEthernet1/0/1.1] dot1q termination vid 2 //Set the VLAN ID for dot1q termination on
GE1/0/1.1 to VLAN 2.
[SwitchB-GigabitEthernet1/0/1.1] ip address 1.1.1.1 24
[SwitchB-GigabitEthernet1/0/1.1] arp broadcast enable //A termination sub-interface directly discards
broadcast packets, so the sub-interface needs to be configured to forward ARP broadcast packets.
[SwitchB-GigabitEthernet1/0/1.1] quit
[SwitchB] interface gigabitethernet 1/0/1.2 //Create a sub-interface and enter the sub-interface view.
[SwitchB-GigabitEthernet1/0/1.2] dot1q termination vid 3 //Set the VLAN ID for dot1q termination on
GE1/0/1.2 to VLAN 3.
[SwitchB-GigabitEthernet1/0/1.2] ip address 2.2.2.1 24
[SwitchB-GigabitEthernet1/0/1.2] arp broadcast enable
[SwitchB-GigabitEthernet1/0/1.2] quit
Configure the IP address 1.1.1.2/24 for Host A and the default gateway address as
the IP address 1.1.1.1.1/24 of GE1/0/1.1.
Configure the IP address 1.1.1.3/24 for Host B and the default gateway address as
the IP address 1.1.1.1.1/24 of GE1/0/1.1.
Configure the IP address 2.2.2.2/24 for Host C and the default gateway address as
the IP address 2.2.2.1/24 of GE1/0/1.2.
Configure the IP address 2.2.2.3/24 for Host D and the default gateway address as
the IP address 2.2.2.1/24 of GE1/0/1.2.

After the configuration is complete, Host A, Host B, Host C, and Host D can ping
each other and communicate at Layer 3.
----End
Configuration Files
#
sysname SwitchA
#
vlan batch 2 to 3
#
port default vlan 2
#
port default vlan 2
#
port default vlan 3
#
port default vlan 3
#
#
return

#
sysname SwitchB
#
ip address 1.1.1.1 255.255.255.0
arp broadcast enable
#
ip address 2.2.2.1 255.255.255.0
arp broadcast enable
#
return
6.3.8 Example for Configuring Communication Between

Different Network Segments Through Static Routes
Overview
In addition to configuring an IP address for a VLANIF interface, you need to
configure a static route or a dynamic routing protocol when PCs on different
network segments across several switches need to communicate. This is because
only a direct route is generated for the VLANIF interface's IP address on the switch
and a VLANIF interface can only impalement interworking between PCs on
different network segments through one switch.

Static routes can be easily configured and have low requirements on the system.
They are applicable to simple, stable, and small-scale networks. However, static
routes cannot automatically adapt to changes in the network topology, and
manual intervention is required.
With routing algorithms, dynamic routing protocols can automatically adapt to
changes in the network topology. They are applicable to the network where some
Layer 3 devices are deployed. The configurations of dynamic routes are complex.
Dynamic routes have higher requirements on the system than static ones and
consume more network and system resources.
Configuration Notes
In Figure 6-17, to ensure security and facilitate management, an enterprise
assigns a VLAN for a server. The user device belongs to VLAN 10, and the server
belongs to VLAN 20. Access, aggregation, and core switches are deployed between
the user and server. Access switches are layer 2 switches, and aggregation and
core switches are Layer 3 switches. The user and server need to communicate with
each other due to service requirements.
Figure 6-17 Networking for configuring communication between different

network segments through static routes

1. Configure interface-based VLAN assignment to implement Layer 2

communication.
2. Configure VLANIF 10 on the aggregation switch AGG and configure an IP
address for VLANIF 10 as the gateway address of the user; configure VLANIF
20 on the core switch CORE and configure an IP address for VLANIF 20 as the
gateway address of the server.
3. On the aggregation switch AGG, configure a static route from AGG to the
network segment of VLANIF 20; on the core switch CORE, configure a static
route from CORE to the network segment of VLANIF 10. The communication
across network segments is therefore implemented.
Procedure
Step 1 Configure the access switch ACC1.
# Create VLANs.
[Quidway] sysname ACC1 //Change the device name to ACC1 for easy identification.
[ACC1] vlan batch 10 //Create VLAN 10 in a batch.

[ACC1] interface gigabitethernet 1/0/1
[ACC1-GigabitEthernet1/0/1] port link-type access //Configure the interface connected to a user host as
the access interface.
[ACC1-GigabitEthernet1/0/1] port default vlan 10 //Add the user device to VLAN 10.
[ACC1-GigabitEthernet1/0/1] quit
[ACC1-GigabitEthernet1/0/2] port link-type trunk //Configure the interface connected to the aggregation
switch as the trunk interface.
[ACC1-GigabitEthernet1/0/2] port trunk allow-pass vlan 10 //Add the interface connected to the
aggregation switch to VLAN 10.
Step 2 Configure the access switch ACC2.

# Create VLANs.
[Quidway] sysname ACC2 //Change the device name to ACC2.
[ACC2] vlan batch 20 //Create VLAN 20 in a batch.

[ACC2-GigabitEthernet1/0/1] port link-type access //Configure the interface connected to the server as
the access interface.
[ACC2-GigabitEthernet1/0/1] port default vlan 20 //Add the user device to VLAN 20.
[ACC2-GigabitEthernet1/0/2] port link-type trunk //Configure the interface connected to the core switch
as the trunk interface.
[ACC2-GigabitEthernet1/0/2] port trunk allow-pass vlan 20 //Add the interface connected to the core
switch to VLAN 20.
Step 3 Configure the aggregation switch AGG.

# Create VLANs.
[Quidway] sysname AGG //Change the device name to AGG.
[AGG] vlan batch 10 30 //Create VLAN 10 and VLAN 30 in a batch.


[AGG] interface gigabitethernet 1/0/2
[AGG-GigabitEthernet1/0/2] port link-type trunk //Configure the interface as the trunk interface.
[AGG-GigabitEthernet1/0/2] port trunk allow-pass vlan 10 //Add the interface to VLAN 10.
[AGG-GigabitEthernet1/0/2] quit
[AGG] interface gigabitethernet 1/0/3
[AGG-GigabitEthernet1/0/3] port link-type trunk //Configure the interface as the trunk interface.
[AGG-GigabitEthernet1/0/3] port trunk allow-pass vlan 30 //Add the interface connected to the core
switch to VLAN 30.
[AGG-GigabitEthernet1/0/3] quit
# Create VLANIF 10 and configure an IP address for VLANIF 10 as the gateway

address.
[AGG] interface vlanif 10 //Create VLANIF 10.
[AGG-Vlanif10] ip address 10.1.1.1 24 //Configure an IP address for VLANIF 10. The IP address is the
gateway address.
[AGG-Vlanif10] quit
# Create VLANIF 30 and configure an IP address for VLANIF 30.

[AGG] interface vlanif 30 //Create VLANIF 30.
[AGG-Vlanif30] ip address 10.10.30.1 24 //Configure an IP address for VLANIF 30. The IP address cannot
conflict with IP addresses of the user and server.
[AGG-Vlanif30] quit
# Configure a static route so that the PC can access the server.

[AGG] ip route-static 192.168.1.0 255.255.255.0 10.10.30.2 //Configure a static route. The packets with
the destination IP address of 192.168.1.0/24 are forwarded to the IP address 10.10.30.2 of VLANIF 30 on the
core switch.
Step 4 Configure the core switch CORE.
# Create VLANs.
[Quidway] sysname CORE //Change the device name to CORE.
[CORE] vlan batch 20 30 //Create VLAN 20 and VLAN 30 in a batch.

[CORE] interface gigabitethernet 1/0/2
[CORE-GigabitEthernet1/0/2] port link-type trunk //Configure the interface as the trunk interface.
[CORE-GigabitEthernet1/0/2] port trunk allow-pass vlan 20 //Add the interface to VLAN 20.
[CORE-GigabitEthernet1/0/2] quit
[CORE] interface gigabitethernet 1/0/3
[CORE-GigabitEthernet1/0/3] port link-type trunk //Configure the interface as the trunk interface.
[CORE-GigabitEthernet1/0/3] port trunk allow-pass vlan 30 //Add the interface to VLAN 30.
[CORE-GigabitEthernet1/0/3] quit
# Create VLANIF 20 and configure an IP address for VLANIF 20 as the gateway

address of the server.
[CORE] interface vlanif 20 //Create VLANIF 20.
[CORE-Vlanif20] ip address 192.168.1.1 24 //Configure an IP address for VLANIF 20. The IP address is the
gateway address of the server.
[CORE-Vlanif20] quit
# Create VLANIF 30 and configure an IP address for VLANIF 30.

[CORE] interface vlanif 30 //Create VLANIF 30.
[CORE-Vlanif30] ip address 10.10.30.2 24 //Configure an IP address for VLANIF 30.
[CORE-Vlanif30] quit
# Configure a static route so that the server and PC can access each other.

[CORE] ip route-static 10.1.1.0 255.255.255.0 10.10.30.1 //Configure a static route. The packets with the
destination IP address of 10.1.1.0/24 are forwarded to the IP address 10.10.30.1 of VLANIF 30 on the
aggregation switch.

Configure the IP address of 10.1.1.2/24 for the PC in VLAN 10 and the default
gateway address as 10.1.1.1 (VLANIF 10's IP address).
Configure the IP address of 192.168.1.2/24 for the server in VLAN 20 and the
default gateway address as 192.168.1.1 (VLANIF 20's IP address).
After the configuration is complete, the PC in VLAN 10 and the server in VLAN 20
can access each other.
----End
Configuration Files
ACC1 configuration file
#
sysname ACC1
#
vlan batch 10
#
#
#
return
ACC2 configuration file

#
sysname ACC2
#
vlan batch 20
#
#
#
return
AGG configuration file

#
sysname AGG
#
vlan batch 10 30
#
interface Vlanif10
ip address 10.1.1.1 255.255.255.0
#
interface Vlanif30
ip address 10.10.30.1 255.255.255.0
#


#
#
ip route-static 192.168.1.0 255.255.255.0 10.10.30.2
#
return
CORE configuration file

#
sysname CORE
#
vlan batch 20 30
#
interface Vlanif20
ip address 192.168.1.1 255.255.255.0
#
interface Vlanif30
ip address 10.10.30.2 255.255.255.0
#
#
#
ip route-static 10.1.1.0 255.255.255.0 10.10.30.1
#
return
6.3.9 Example for Configuring the Super-VLAN

Super-VLAN Overview
Super-VLAN, also called VLAN aggregation, reduces the number of required IP
addresses, isolates broadcast storms, and controls Layer 2 access on interfaces. A
super-VLAN can be associated with multiple sub-VLANs, which are isolated at
Layer 2. All sub-VLANs use the IP address of the corresponding VLANIF interface
for the super-VLAN to implement Layer 3 connectivity with an external network,
thereby reducing the number of IP addresses required.
The super-VLAN applies to scenarios where many users and VLANs exist, IP
addresses of devices in many VLANs are on the same network segment, and inter-
VLAN Layer 2 isolation needs to be implemented. Inter-VLAN proxy ARP can be
enabled to implement inter-VLAN communication. For example, this can be used
in hotels and residential buildings requiring broadband access. A room or
household is assigned a VLAN and isolated. An IP network segment cannot be
allocated to each VLAN because IP addresses are finite and there are many VLANs.
The VLANs can only share an IP network segment. Assume that the IP network
segment of VLAN 10 is 10.10.10.0/24. A household may use only one or two IP
addresses; however, over 200 IP addresses are consumed. Super-VLAN technology
allows users in VLANs 11 to 100 to share the IP network segment of 10.10.10.0/24,
thereby reducing the number of IP addresses required.
Super-VLAN is Layer 3 technology configured on a Layer 3 switch, whereas MUX
VLAN is configured on a Layer 2 switch. The MUX VLAN is more complex to

configure than super-VLAN, but its access control is more flexible. When the
switch queries temporarily offline users in the super-VLAN, the gateway needs to
broadcast packets in each sub-VLAN, consuming many CPU resources.
Configuration Notes
● VLAN 1 cannot be configured as a super-VLAN.
● No physical interface can be added to a VLAN configured as a super-VLAN.
– S2352P-EI
– S3300-SI, S3300-EI, S3300-HI
– S5300-EI, S5300-SI, S5300-HI, S5310-EI, S5320-EI, S5320-SI, S5320-HI,
S5330-SI, S5330-HI, S5331-S, S5331-H, S5332-H, S5335-S
– S6300-EI, S6320-EI, S6320-SI, S6320-HI, S6330-H
– S9303, S9306, S9312, S9310
– S9310X, S9300X-4, S9300X-8, S9300X-12
– S9303E, S9306E, S9312E
NOTE
product model.
In Figure 6-18, a company has many departments on the same network segment.
To improve service security, the company assigns different departments to
different VLANs. VLAN 2 and VLAN 3 belong to different departments. Each
department wants to access the Internet, and PCs in different departments need
to communicate.

Figure 6-18 Networking of the super-VLAN
Configure VLAN aggregation on SwitchB to add VLANs of different departments
to a super-VLAN so that PCs in different departments can access the Internet
using the super-VLAN. Deploy proxy ARP in the super-VLAN so that PCs in
different departments can communicate. The configuration roadmap is as follows:
1. Configure VLANs and interfaces on SwitchA and SwitchB, add PCs of different
departments to different VLANs, and configure interfaces on SwitchA and
SwitchB to transparently transmit packets from VLANs.
2. Configure a super-VLAN, a VLANIF interface, and a static route on SwitchB so
that PCs in different departments can access the Internet.
3. Configure proxy ARP in the super-VLAN on SwitchB so that PCs in different
departments can communicate at Layer 3.
Procedure
Step 1 Configure SwitchA.
# Add GE1/0/1, GE1/0/2, GE1/0/3, and GE1/0/4 to VLANs.
[SwitchA] vlan batch 2 to 3
[SwitchA-GigabitEthernet1/0/1] port link-type access //Configure the link type of the interface as access.
[SwitchA-GigabitEthernet1/0/1] port default vlan 2 //Add the interface to VLAN 2.
[SwitchA-GigabitEthernet1/0/2] port default vlan 2


[SwitchA-GigabitEthernet1/0/3] port default vlan 3 //Add the interface to VLAN 3.
# Configure GE1/0/5 to transparently transmit packets from VLAN 2 and VLAN 3.

Step 2 Configure SwitchB.
# Create VLAN 2, VLAN 3, VLAN 4, and VLAN 10 and configure the interface of
SwitchB connected to SwitchA to transparently transmit packets from VLAN 2 and
VLAN 3 to SwitchB.
[SwitchB] vlan batch 2 3 4 10
[SwitchB] interface gigabitethernet 1/0/5
[SwitchB-GigabitEthernet1/0/5] port link-type trunk
[SwitchB-GigabitEthernet1/0/5] port trunk allow-pass vlan 2 3
[SwitchB-GigabitEthernet1/0/5] quit
# Configure super-VLAN 4 on SwitchB and add VLAN 2 and VLAN 3 to super-VLAN

4 as sub-VLANs.
[SwitchB] vlan 4
[SwitchB-vlan4] aggregate-vlan
[SwitchB-vlan4] access-vlan 2 to 3
[SwitchB-vlan4] quit
# Create and configure VLANIF 4 so that PCs in different departments can access
the Internet using super-VLAN 4.
[SwitchB-Vlanif4] ip address 10.1.1.1 24
# Configure the uplink interface GE1/0/1 to transparently transmit packets from

the VLAN that SwitchB and router belong to.
[SwitchB-GigabitEthernet1/0/1] port trunk allow-pass vlan 10
# Create and configure VLANIF 10 and specify the IP address of VLANIF 10 as the
IP address for connecting SwitchB and the router. (Assume that the IP address
used by the router to communicate with SwitchB is 10.10.1.2, and VLAN 10 is
allowed to pass through the port through which the router communicates with
SwitchB in tag mode.)
[SwitchB-Vlanif10] ip address 10.10.1.1 24
# Configure a static route to the router on SwitchB so that users can access the
Internet.
[SwitchB] ip route-static 0.0.0.0 0.0.0.0 10.10.1.2

NOTE
Configure the router interface connected to SwitchB and assign the IP address of 10.10.1.2
to the router interface. See the router configuration manual.
Step 3 Assign IP addresses to PCs.

Configure IP addresses for PCs and ensure that their IP addresses are on the same
network segment as 10.1.1.1/24 (IP address of VLANIF 4).
After the configuration is complete, PCs in each department can access the
Internet, but PCs in VLAN 2 and VLAN 3 cannot ping each other.
Step 4 Configure proxy ARP.
# Configure proxy ARP in super-VLAN 4 on SwitchB so that users in different
departments can communicate at Layer 3.
[SwitchB-Vlanif4] arp-proxy inter-sub-vlan-proxy enable

After the configuration is complete, users in VLAN 2 and VLAN 3 can ping each
other and access the Internet.
----End
Configuration Files
#
sysname SwitchA
#
vlan batch 2 to 3
#
port default vlan 2
#
port default vlan 2
#
port default vlan 3
#
port default vlan 3
#
#
return

#
sysname SwitchB
#
vlan batch 2 to 4 10

#
vlan 4
aggregate-vlan
access-vlan 2 to 3
#
interface Vlanif4
ip address 10.1.1.1 255.255.255.0
arp-proxy inter-sub-vlan-proxy enable
#
interface Vlanif10
ip address 10.10.1.1 255.255.255.0
#
#
#
ip route-static 0.0.0.0 0.0.0.0 10.10.1.2
#
return
6.3.10 Example for Configuring MUX VLAN to Isolate Users in

the Same VLAN
MUX VLAN Overview

Multiplex VLAN (MUX VLAN) provides a mechanism to control network resources
using VLANs. It can implement inter-VLAN communication and intra-VLAN
isolation. The MUX VLAN is often used in enterprises and in hotels and residential
buildings requiring broadband access. An enterprise, hotel, or residential building
shares the same VLAN, but each department, room, or household is isolated.
MUX VLAN is configured on a Layer 2 switch, whereas super-VLAN technology is

configured on a Layer 3 switch. MUX VLAN is more flexible in access control, but
its configuration is complex.
Configuration Notes
● The VLAN ID assigned to a principal VLAN cannot be used to configure the
super-VLAN or sub-VLAN. Additionally, it is not recommended that this VLAN
ID be used to configure VLAN mapping and VLAN stacking.
● The VLAN ID assigned to a group or separate VLAN cannot be used to
configure a VLANIF interface, super-VLAN, or sub-VLAN. Additionally, it is not
recommended that this VLAN ID be used to configure VLAN mapping and
VLAN stacking.
● Disabling MAC address learning or limiting the number of learned MAC
addresses on an interface affects the MUX VLAN function on the interface.
● MUX VLAN and port security cannot be configured on the same interface
simultaneously.
● MUX VLAN and MAC address authentication cannot be configured on the
same interface simultaneously.
● MUX VLAN and 802.1x authentication cannot be configured on the same
interface simultaneously.

● If the MUX VLAN function is enabled on an interface, VLAN mapping and

VLAN stacking cannot be configured on the interface.
● This example applies to all versions of all switches.
All employees of an enterprise can access servers on the enterprise network. The
enterprise allows some employees to communicate but isolates other employees.
In Figure 6-19, Switch1 is deployed at the aggregation layer and used as the
gateway for downstream hosts. Switch2, Switch3, Switch4, Switch5, and Switch6
are access switches. Their GE1/0/1 interfaces connect to downstream hosts, and
their GE1/0/2 interfaces connect to Switch1. You can configure MUX VLAN on
Switch1. This reduces the number of VLAN IDs on the enterprise network and
facilitates network management.
Figure 6-19 Networking of MUX VLAN
1. Configure the principal VLAN and a VLANIF interface. The IP address of the
VLANIF interface is used as the gateway IP address for downstream hosts and
servers.
2. Configure the group VLAN.
3. Configure the separate VLAN.

4. Add interfaces to VLANs and enable the MUX VLAN function on the
interfaces.
5. Add interfaces of access switches to VLANs.
Procedure
Step 1 Enable the MUX VLAN function on Switch1.
# On Switch1, create VLAN 2, VLAN 3, and VLAN 4, and a VLANIF interface for
VLAN 2. The IP address of the VLANIF interface is used as the gateway IP address
for downstream hosts and servers.
[Switch1] vlan batch 2 3 4
[Switch1] interface vlanif 2
[Switch1-Vlanif2] ip address 192.168.100.100 24
[Switch1-Vlanif2] quit
# Configure the group VLAN and separate VLAN of the MUX VLAN on Switch1.
[Switch1] vlan 2
[Switch1-vlan2] mux-vlan
[Switch1-vlan2] subordinate group 3 //Configure VLAN 3 as the group VLAN.
[Switch1-vlan2] subordinate separate 4 //Configure VLAN 4 as the separate VLAN.
# Add interfaces to the VLANs on Switch1 and enable the MUX VLAN function on
interfaces.
[Switch1-GigabitEthernet1/0/2] port mux-vlan enable vlan 2 //In V200R003C00 and earlier versions, you
do not need to specify the VLAN. An interface can only join the MUX VLAN or Separate VLAN, or a group
VLAN.
[Switch1-GigabitEthernet1/0/3] port mux-vlan enable vlan 3
Step 2 Configure interfaces of access switches and add them to VLANs. The
configurations of Switch3, Switch4, Switch5, and Switch6 are similar to the
configuration of Switch2, and are not mentioned here.
[Switch2] vlan batch 2

[Switch2-GigabitEthernet1/0/1] port link-type access //Configure the link type of the interface as access.
[Switch2-GigabitEthernet1/0/1] port default vlan 2
[Switch2-GigabitEthernet1/0/2] port trunk allow-pass vlan 2 //Configure the link type of the interface as
trunk.

The server can communicate with HostB, HostC, HostD, and HostE.
HostB can communicate with HostC.
HostD cannot communicate with HostE.
HostB and HostC cannot communicate with either HostD or HostE.
----End
Configuration Files
Switch1 configuration file
#
sysname Switch1
#
vlan batch 2 to 4
#
vlan 2
mux-vlan
subordinate separate 4
subordinate group 3
#
interface Vlanif2
ip address 192.168.100.100 255.255.255.0
#
port mux-vlan enable vlan 2
#
#
#
#
#
return

#
sysname Switch2

#
vlan batch 2
#
port default vlan 2
#
#
return

#
sysname Switch3
#
vlan batch 3
#
port default vlan 3
#
#
return

#
sysname Switch4
#
vlan batch 3
#
port default vlan 3
#
#
return

#
sysname Switch5
#
vlan batch 4
#
port default vlan 4
#
#
return

#
sysname Switch6
#
vlan batch 4

#
port default vlan 4
#
#
return
6.4 Typical QinQ Configuration
6.4.1 Example for Configuring Basic QinQ

QinQ Overview
802.1Q-in-802.1Q (QinQ) expands VLAN space by adding an additional 802.1Q
tag to 802.1Q tagged packets. It allows services in a private VLAN to be
transparently transmitted over a public network.
Basic QinQ, also called QinQ tunneling, is performed on interfaces. When an
interface enabled with basic QinQ receives a packet, the device adds the default
VLAN tag of its interface to the packet. If the received packet is tagged, it has
double VLAN tags. If the received packet is untagged, it has the default VLAN tag
of the interface.
When too many VLANs are required, you can configure basic QinQ. Basic QinQ, by
adding an outer tag, expands VLAN space and solves the VLAN shortage problem.
Configuration Notes
As shown in Figure 6-20, a network has two enterprises: enterprise 1 and
enterprise 2. Both enterprises have two branches. Enterprise 1 and enterprise 2
networks connect to SwitchA and SwitchB, respectively, of the ISP network. In
addition, there are non-Huawei devices on the public network and the TPID in the
outer VLAN tag is 0x9100.
The requirements are as follows:
● VLANs need to be independently assigned to enterprise 1 and enterprise 2.
● Traffic between the two branches of each enterprise is transparently
transmitted through the public network. Users accessing the same service in
different branches of each enterprise are allowed to communicate, and users
accessing different services must be isolated.
QinQ can be used to meet the preceding requirements. Configure VLAN 100 and
VLAN 200 to implement connectivity of enterprise 1 and enterprise 2 respectively
and to isolate enterprise 1 and enterprise 2; configure the TPID in the outer VLAN
tag on switch interfaces connected to non-Huawei devices so that Huawei
switches can communicate with the non-Huawei devices.

Figure 6-20 Networking of basic QinQ
1. Create VLAN 100 and VLAN 200 on SwitchA and SwitchB, configure
connected interfaces as QinQ interfaces, and add the interfaces to VLANs so
that different VLAN tags are added to packets of different services.
2. Add interfaces of SwitchA and SwitchB that are connected to the public
network to VLANs so that packets from VLAN 100 and VLAN 200 are allowed
to pass through.
3. Configure the TPID in the outer VLAN tag on interfaces of SwitchA and
SwitchB that are connected to the public network so that SwitchA and
SwitchB can communicate with non-Huawei devices.
Procedure
# Create VLAN 100 and VLAN 200 on SwitchA.
# Create VLAN 100 and VLAN 200 on SwitchB.

[SwitchB] vlan batch 100 200
Step 2 Set the link type of interfaces to QinQ.

# Configure GE1/0/1 and GE1/0/2 of SwitchA as QinQ interfaces, and set the
default VLAN of GE1/0/1 to VLAN 100 and the default VLAN of GE1/0/2 to VLAN

200. VLAN 100 and VLAN 200 are added to outer tags. The configuration of
[SwitchA-GigabitEthernet1/0/1] port link-type dot1q-tunnel //Configure the link type of the interface as
QinQ.
[SwitchA-GigabitEthernet1/0/2] port link-type dot1q-tunnel //Configure the link type of the interface as
QinQ.
Step 3 Configure switch interfaces connected to the public network.

# Add GE1/0/3 on Switch A to VLAN 100 and VLAN 200. The configuration of
[SwitchA-GigabitEthernet1/0/3] port trunk allow-pass vlan 100 200
Step 4 Configure the TPID in the outer VLAN tag.

# Set the TPID in the outer VLAN tag to 0x9100 on SwitchA.
[SwitchA-GigabitEthernet1/0/3] qinq protocol 9100 //Set the TPID in the outer VLAN tag to 0x9100.
# Set the TPID in the outer VLAN tag to 0x9100 on SwitchB.

[SwitchB-GigabitEthernet1/0/3] qinq protocol 9100 //Set the TPID in the outer VLAN tag to 0x9100.

On a PC in a VLAN of a branch in enterprise 1, ping a PC in the same VLAN of the
other branch in enterprise 1. The ping operation succeeds, indicating that branches
of enterprise 1 can communicate with each other.
On a PC in a VLAN of a branch in enterprise 2, ping a PC in the same VLAN of the
other branch in enterprise 2. The ping operation succeeds, indicating that branches
of enterprise 2 can communicate with each other.
On a PC in a VLAN of a branch in enterprise 1, ping a PC in the same VLAN of a
branch in enterprise 2. The ping operation fails, indicating that enterprise 1 and
enterprise 2 are isolated.
----End
Configuration Files
#
sysname SwitchA
#
vlan batch 100 200
#
port link-type dot1q-tunnel
#


#
qinq protocol 9100
#
return

#
sysname SwitchB
#
vlan batch 100 200
#
#
#
qinq protocol 9100
#
return
6.4.2 Example for Configuring VLAN ID-based Selective QinQ

QinQ Overview
Selective QinQ, also called VLAN stacking or QinQ stacking, is an extension of
QinQ. Selective QinQ is performed based on interfaces and VLAN IDs. In addition
to functions of basic QinQ, selective QinQ takes different actions for packets
received by the same interface based on VLANs.
VLAN ID-based selective QinQ adds different outer VLAN tags to packets with
different inner VLAN IDs.
Configuration Notes
When configuring selective QinQ on the switch, pay attention to the following
points:
● Before configuring selective QinQ on a fixed switch, you must run the qinq
vlan-translation enable command to enable VLAN translation.
● You are advised to configure selective QinQ on a hybrid interface. Selective
QinQ can take effect on the interface only in the inbound direction.
● The outer VLAN must be created before Selective QinQ is performed.
● When an interface configured with VLAN stacking needs to remove the outer
tag from outgoing frames, the interface must join the VLAN specified by
stack-vlan in untagged mode. If the outer VLAN does not need to be

removed, the interface must join the VLAN specified by stack-vlan in tagged
mode.
● The device configured with selective QinQ can add only one outer VLAN tag
to a frame with an inner VLAN tag on an interface.
● If only single-tagged packets from a VLAN need to be transparently
transmitted, do not specify the VLAN as the inner VLAN of selective QinQ.
● VLAN mapping (for example, port vlan-mapping vlan 20 map-vlan 20)
must be configured to map the VLAN to itself from which single-tagged
packets need to be transparently transmitted after selective QinQ is
configured on the following cards and devices:
– LE0MG24CA and LE0MG24SA cards
– S5300-EI, S3300-EI, and S3300-SI
As shown in Figure 6-21, Internet access users (using PCs) and VoIP users (using
VoIP phones) connect to the ISP network through SwitchA and SwitchB and
communicate with each other through the ISP network.
In the enterprise, VLAN 100 is allocated to PCs and VLAN 300 is allocated to VoIP
phones.
It is required that packets of PCs and VoIP phones are tagged VLAN 2 and VLAN 3
respectively when the packets are transmitted through the ISP network.
Figure 6-21 Networking of VLAN ID-based selective QinQ
1. Create VLANs on SwitchA and SwitchB.
2. Configure link types of interfaces and add interfaces to VLANs on SwitchA
and SwitchB.

3. Configure selective QinQ on interfaces of SwitchA and SwitchB.
Procedure
# On SwitchA, create VLAN 2 and VLAN 3, that is, VLAN IDs of the outer VLAN
tag to be added.
# On SwitchB, create VLAN 2 and VLAN 3, that is, VLAN IDs of the outer VLAN tag
to be added.
Step 2 Configure selective QinQ on interfaces.

NOTE
When a fixed switch is used, you must run the qinq vlan-translation enable command in the
interface view to enable VLAN translation.
# Configure GE1/0/1 on SwitchA.

[SwitchA-GigabitEthernet1/0/1] port link-type hybrid
[SwitchA-GigabitEthernet1/0/1] port hybrid untagged vlan 2 3 //Add the hybrid interface to VLANs in
untagged mode.
[SwitchA-GigabitEthernet1/0/1] port vlan-stacking vlan 100 stack-vlan 2 //Configure the inner VLAN tag
as VLAN 100 and add VLAN 2 in the outer VLAN tag.
[SwitchA-GigabitEthernet1/0/1] port vlan-stacking vlan 300 stack-vlan 3 //Configure the inner VLAN tag
# Configure GE1/0/1 on SwitchB.

[SwitchB-GigabitEthernet1/0/1] port link-type hybrid
[SwitchB-GigabitEthernet1/0/1] port hybrid untagged vlan 2 3 //Add the hybrid interface to VLANs in
untagged mode.
[SwitchB-GigabitEthernet1/0/1] port vlan-stacking vlan 100 stack-vlan 2 //Configure the inner VLAN tag
[SwitchB-GigabitEthernet1/0/1] port vlan-stacking vlan 300 stack-vlan 3 //Configure the inner VLAN tag
Step 3 Configure other interfaces.
# Add GE1/0/2 on SwitchA to VLAN 2 and VLAN 3.

# Add GE1/0/2 on SwitchB to VLAN 2 and VLAN 3.


If the configurations on SwitchA and SwitchB are correct, you can obtain the
following information:
● PCs can communicate with each other through the ISP network.
● VoIP phones can communicate with each other through the ISP network.
----End
Configuration Files
#
sysname SwitchA
#
vlan batch 2 to 3
#
port hybrid untagged vlan 2 to 3
port vlan-stacking vlan 100 stack-vlan 2
#
#
return

#
sysname SwitchB
#
vlan batch 2 to 3
#
#
#
return
6.4.3 Example for Configuring Flow-based Selective QinQ
QinQ Overview
Selective QinQ, also called VLAN stacking or QinQ stacking, is an extension of

QinQ. Selective QinQ is performed based on interfaces and VLAN IDs. In addition
to functions of basic QinQ, selective QinQ takes different actions for packets
received by the same interface based on VLANs.
Flow-based selective QinQ adds outer VLAN tags based on traffic policies. It can
provide differentiated services based on service types.

Configuration Notes
When configuring selective QinQ on the switch, pay attention to the following
points:
● You are advised to configure selective QinQ on a hybrid interface. Selective

QinQ can take effect on the interface only in the inbound direction.
● The outer VLAN must be created before Selective QinQ is performed.
● When an interface configured with VLAN stacking needs to remove the outer
tag from outgoing frames, the interface must join the VLAN specified by
stack-vlan in untagged mode. If the outer VLAN does not need to be
removed, the interface must join the VLAN specified by stack-vlan in tagged
mode.
● The device configured with selective QinQ can add only one outer VLAN tag
to a frame with an inner VLAN tag on an interface.
● If only single-tagged packets from a VLAN need to be transparently
transmitted, do not specify the VLAN as the inner VLAN of selective QinQ.
As shown in Figure 6-22, Internet access users (using PCs) and VoIP users (using
VoIP phones) connect to the ISP network through SwitchA and SwitchB and
communicate with each other through the ISP network.
It is required that packets of PCs and VoIP phones are tagged VLAN 2 and VLAN 3
respectively when the packets are transmitted through the ISP network. Flow-
based selective QinQ can be configured to meet the requirement.
Figure 6-22 Networking of flow-based selective QinQ

1. Create VLANs on SwitchA and SwitchB.
2. Configure traffic classifiers, traffic behaviors, and traffic policies on SwitchA
and SwitchB.
3. Configure link types of interfaces on SwitchA and SwitchB and add the
interfaces to VLANs.
4. Apply the traffic policies to interfaces on SwitchA and SwitchB to implement
selective QinQ.
Procedure
# On SwitchA, create VLAN 2 and VLAN 3, that is, VLAN IDs of the outer VLAN
tag to be added.
# On SwitchB, create VLAN 2 and VLAN 3, that is, VLAN IDs of the outer VLAN tag
to be added.
Step 2 Configure traffic classifiers, traffic behaviors, and traffic policies on SwitchA and
SwitchB.
# Configure the traffic classifiers, traffic behaviors, and traffic policy on SwitchA.
[SwitchA] traffic classifier name1 //Configure a traffic classifier named name1.
[SwitchA-classifier-name1] if-match vlan-id 100 to 200 //Configure a matching rule to match packets
from VLANs 100 to 200.
[SwitchA-classifier-name1] quit
[SwitchA] traffic behavior name1 //Configure a traffic behavior named name1.
[SwitchA-behavior-name1] nest top-most vlan-id 2 //Configure an action of adding VLAN 2 in an outer
VLAN tag in a traffic behavior. In V200R009 and later versions, the command is changed to add-tag vlan-id.
[SwitchA-behavior-name1] quit
[SwitchA] traffic classifier name2 //Configure a traffic classifier named name2.
[SwitchA-classifier-name2] if-match vlan-id 300 to 400 //Configure a matching rule to match packets
[SwitchA-classifier-name2] quit
[SwitchA] traffic behavior name2 //Configure a traffic behavior named name2.
[SwitchA-behavior-name2] nest top-most vlan-id 3 //Configure an action of adding VLAN 3 in an outer
[SwitchA-behavior-name2] quit
[SwitchA] traffic policy name1 //Configure a traffic policy named name1.
[SwitchA-trafficpolicy-name1] classifier name1 behavior name1
[SwitchA-trafficpolicy-name1] classifier name2 behavior name2
[SwitchA-trafficpolicy-name1] quit
# Configure the traffic classifiers, traffic behaviors, and traffic policy on SwitchB.
[SwitchB] traffic classifier name1 //Configure a traffic classifier named name1.
[SwitchB-classifier-name1] if-match vlan-id 100 to 200 //Configure a matching rule to match packets
[SwitchB-classifier-name1] quit
[SwitchB] traffic behavior name1 //Configure a traffic behavior named name1.
[SwitchB-behavior-name1] nest top-most vlan-id 2 //Configure an action of adding VLAN 2 in an outer

[SwitchB-behavior-name1] quit
[SwitchB] traffic classifier name2 //Configure a traffic classifier named name2.
[SwitchB-classifier-name2] if-match vlan-id 300 to 400 //Configure a matching rule to match packets
[SwitchB-classifier-name2] quit
[SwitchB] traffic behavior name2 //Configure a traffic behavior named name2.
[SwitchB-behavior-name2] nest top-most vlan-id 3 //Configure an action of adding VLAN 3 in an outer
[SwitchB-behavior-name2] quit
[SwitchB] traffic policy name1 //Configure a traffic policy named name1.
[SwitchB-trafficpolicy-name1] classifier name1 behavior name1
[SwitchB-trafficpolicy-name1] classifier name2 behavior name2
[SwitchB-trafficpolicy-name1] quit
Step 3 Apply the traffic policies to interfaces on SwitchA and SwitchB to implement
selective QinQ.
# Configure GE1/0/1 on SwitchA.
[SwitchA-GigabitEthernet1/0/1] port link-type hybrid
[SwitchA-GigabitEthernet1/0/1] port hybrid untagged vlan 2 3
[SwitchA-GigabitEthernet1/0/1] traffic-policy name1 inbound //Apply the traffic policy name1 to the
interface in the inbound direction.
# Configure GE1/0/1 on SwitchB.

[SwitchB-GigabitEthernet1/0/1] port link-type hybrid
[SwitchB-GigabitEthernet1/0/1] port hybrid untagged vlan 2 3
[SwitchB-GigabitEthernet1/0/1] traffic-policy name1 inbound //Apply the traffic policy name1 to the
interface in the inbound direction.
Step 4 Configure other interfaces.



If the configurations on SwitchA and SwitchB are correct, you can obtain the
following information:
● PCs can communicate with each other through the ISP network.
● VoIP phones can communicate with each other through the ISP network.
----End
Configuration Files
#
sysname SwitchA

#
vlan batch 2 to 3
#
traffic classifier name1 operator or precedence 5
if-match vlan-id 100 to 200
#
traffic behavior name1
permit
nest top-most vlan-id 2
permit
#
traffic policy name1 match-order config
classifier name1 behavior name1
#
traffic-policy name1 inbound
#
#
return

#
sysname SwitchB
#
vlan batch 2 to 3
#
#
permit
permit
#
traffic policy name1 match-order config
#
traffic-policy name1 inbound
#
#
return
6.5 Typical Examples of MSTP/RRPP/SEP/VBST

6.5.1 Example for Configuring STP

Overview
Generally, redundant links are used on an Ethernet switching network to provide
link backup and enhance network reliability. The use of redundant links, however,
may produce loops, causing broadcast storms and rendering the MAC address
table unstable. As a result, the communication quality deteriorates, and
communication services may be interrupted. The Spanning Tree Protocol (STP) is
used to solve these problems. STP prevents loops. Devices running STP discover
loops on the network by exchanging information with each other, and block some
ports to eliminate loops.
STP refers to STP defined in IEEE 802.1D, the Rapid Spanning Tree Protocol (RSTP)
defined in IEEE 802.1w, and the Multiple Spanning Tree Protocol (MSTP) defined
in IEEE 802.1s.
MSTP is compatible with RSTP and STP, and RSTP is compatible with STP. Table
6-7 compares STP, RSTP, and MSTP.
Table 6-7 Comparisons among STP, RSTP, and MSTP
Spannin Characteristics Application Scenario

g Tree
Protocol
STP ● Forms a loop-free tree to User or service traffic does not

prevent broadcast storms and need to be differentiated, and all
implement redundancy. VLANs share a spanning tree.
● Provides slow convergence.
RSTP ● Forms a loop-free tree to

prevent broadcast storms and
implement redundancy.
● Provides fast convergence.
MSTP ● Forms multiple loop-free User or service traffic needs to be

trees to prevent broadcast differentiated and load balanced.
storms and implement Traffic from different VLANs is
redundancy. forwarded through different
● Provides fast convergence. spanning trees that are
independent of each other.
● Implements load balancing
among VLANs and forwards
traffic in different VLANs
along different paths.
Configuration Notes
● The ports connected to terminals do not participate in STP calculation.
Therefore, configure the ports as edge ports or disable STP on the ports.

To implement redundancy on a complex network, network designers tend to
deploy multiple physical links between two devices, one of which is the primary
link and the others are backup links. Loops may occur, causing broadcast storms
or rendering the MAC address table unstable.
After a network designer deploys a network, STP can be deployed on the network
to prevent loops. When loops exist on a network, STP blocks a port to eliminate
the loops. In Figure 6-23, SwitchA, SwitchB, SwitchC, and SwitchD running STP
exchange STP BPDUs to discover loops on the network and block ports to prune
the network into a loop-free tree network. STP prevents infinite looping of packets
to ensure packet processing capabilities of switches.
Figure 6-23 STP networking
1. Configure the switching devices on the ring network to work in STP mode.
2. Configure the root bridge and secondary root bridge.
3. Configure the path cost of a port so that the port can be blocked.
4. Enable STP to eliminate loops.

Procedure
Step 1 Configure basic STP functions.
1. Configure the switching devices on the ring network to work in STP mode.
# Configure SwitchA to work in STP mode.
[SwitchA] stp mode stp
# Configure SwitchB to work in STP mode.

[SwitchB] stp mode stp
# Configure SwitchC to work in STP mode.

[Quidway] sysname SwitchC
[SwitchC] stp mode stp
# Configure SwitchD to work in STP mode.

[Quidway] sysname SwitchD
[SwitchD] stp mode stp

# Configure SwitchA as the root bridge.
[SwitchA] stp root primary
# Configure SwitchD as the secondary root bridge.

[SwitchD] stp root secondary
NOTE
– The path cost range depends on the algorithm. Huawei's proprietary algorithm is
used as an example. Set the path costs of the ports to be blocked to 20000.
– Switching devices on the same network must use the same algorithm to calculate
the path cost of ports.
# Configure SwitchA to use Huawei's proprietary algorithm to calculate the
path cost.
[SwitchA] stp pathcost-standard legacy
# Configure SwitchB to use Huawei's proprietary algorithm to calculate the

path cost.
[SwitchB] stp pathcost-standard legacy
# Configure SwitchC to use Huawei's proprietary algorithm to calculate the

path cost.
[SwitchC] stp pathcost-standard legacy
# Set the path cost of GigabitEthernet1/0/1 on SwitchC to 20000.

[SwitchC] interface gigabitethernet 1/0/1
[SwitchC-GigabitEthernet1/0/1] stp cost 20000
[SwitchC-GigabitEthernet1/0/1] quit
# Configure SwitchD to use Huawei's proprietary algorithm to calculate the

path cost.
[SwitchD] stp pathcost-standard legacy
4. Enable STP to eliminate loops.

– Configure the ports connected to PCs as edge ports.

# Configure GigabitEthernet1/0/2 of SwitchB as an edge port.
[SwitchB-GigabitEthernet1/0/2] stp edged-port enable
(Optional) Configure BPDU protection on SwitchB.

[SwitchB] stp bpdu-protection
# Configure GigabitEthernet1/0/2 of SwitchC as an edge port.

[SwitchC-GigabitEthernet1/0/2] stp edged-port enable
(Optional) Configure BPDU protection on SwitchC.

[SwitchC] stp bpdu-protection
NOTE
If edge ports are connected to network devices that have STP enabled and BPDU
protection is enabled, the edge ports will be shut down and their attributes
remain unchanged after they receive BPDUs.
– Enable STP globally on devices.
# Enable STP globally on SwitchA.
[SwitchA] stp enable
# Enable STP globally on SwitchB.

[SwitchB] stp enable
# Enable STP globally on SwitchC.

[SwitchC] stp enable
# Enable STP globally on SwitchD.

[SwitchD] stp enable

After the configuration is complete and the network topology becomes stable,
perform the following operations to verify the configuration.
# Run the display stp brief command on SwitchA to view the port status and
protection type. The displayed information is as follows:
[SwitchA] display stp brief
MSTID Port Role STP State Protection
0 GigabitEthernet1/0/1 DESI FORWARDING NONE
After SwitchA is configured as the root bridge, GigabitEthernet1/0/2 and

GigabitEthernet1/0/1 connected to SwitchB and SwitchD are selected as designed
ports.
# Run the display stp interface gigabitethernet 1/0/1 brief command on
SwitchB to check the status of GigabitEthernet1/0/1. The following information is
displayed:
[SwitchB] display stp interface gigabitethernet 1/0/1 brief
GigabitEthernet1/0/1 becomes the designated port and is in FORWARDING state.

# Run the display stp brief command on SwitchC to check the port status.

[SwitchC] display stp brief

0 GigabitEthernet1/0/1 ALTE DISCARDING NONE
0 GigabitEthernet1/0/3 ROOT FORWARDING NONE
GigabitEthernet1/0/3 becomes the root port and is in FORWARDING state.
GigabitEthernet1/0/1 becomes the alternate port and is in DISCARDING state.
----End
Configuration Files
#
sysname SwitchA
#
stp mode stp
stp instance 0 root primary
stp pathcost-standard legacy
stp enable
#
return

#
sysname SwitchB
#
stp mode stp
stp bpdu-protection
stp enable
#
stp edged-port enable
#
return
● SwitchC configuration file

#
sysname SwitchC
#
stp mode stp
stp bpdu-protection
stp enable
#
stp instance 0 cost 20000
#
#
return
● SwitchD configuration file

#
sysname SwitchD
#
stp mode stp
stp instance 0 root secondary
stp enable
#
return

6.5.2 Example for Configuring RSTP

Overview
in IEEE 802.1s.

g Tree
Protocol



Configuration Notes
● The ports connected to terminals do not participate in RSTP calculation.

or rendering the MAC address table unstable.
After a network designer deploys a network, RSTP can be deployed on the

network to prevent loops. When loops exist on a network, RSTP blocks a port to
eliminate the loops. In Figure 6-24, SwitchA, SwitchB, SwitchC, and SwitchD
running RSTP exchange RSTP BPDUs to discover loops on the network and block
ports to prune the network into a loop-free tree network. RSTP prevents infinite
looping of packets to ensure packet processing capabilities of switches.
Figure 6-24 RSTP networking
1. Configure basic RSTP functions on switching devices of the ring network.
a. Configure the switching devices on the ring network to work in RSTP
mode.
b. Configure the root bridge and secondary root bridge.
c. Configure the path cost of a port so that the port can be blocked.
d. Enable RSTP to eliminate loops.

2. Enable protection functions to protect devices or links. For example, enable

root protection on the designed port of the root bridge.
Procedure
Step 1 Configure basic RSTP functions.
1. Configure the switching devices on the ring network to work in RSTP mode.
# Configure SwitchA to work in RSTP mode.
[SwitchA] stp mode rstp
# Configure SwitchB to work in RSTP mode.

[SwitchB] stp mode rstp
# Configure SwitchC to work in RSTP mode.

[SwitchC] stp mode rstp
# Configure SwitchD to work in RSTP mode.

[SwitchD] stp mode rstp

# Configure SwitchA as the root bridge.
[SwitchA] stp root primary
# Configure SwitchD as the secondary root bridge.

[SwitchD] stp root secondary
NOTE
used as an example. Set the path costs of the ports to be blocked to 20000.
path cost.

path cost.

path cost.
# Set the path cost of GigabitEthernet1/0/1 on SwitchC to 20000.

[SwitchC-GigabitEthernet1/0/1] stp cost 20000

path cost.

4. Enable RSTP to eliminate loops.

– Configure the ports connected to PCs as edge ports.
# Configure GigabitEthernet1/0/2 on SwitchB as an edge port.

# Configure GigabitEthernet1/0/2 on SwitchC as an edge port.


NOTE
– Enable RSTP globally on devices.
# Enable RSTP on SwitchA.
# Enable RSTP globally on SwitchB.

# Enable RSTP globally on SwitchC.

# Enable RSTP globally on SwitchD.

Step 2 Enable protection functions. The following uses root protection on the designated
port of the root bridge as an example.
# Configure root protection on GigabitEthernet1/0/1 of SwitchA.

[SwitchA-GigabitEthernet1/0/1] stp root-protection
# Configure root protection on GigabitEthernet1/0/2 of SwitchA.

# Run the display stp brief command on SwitchA to view the status and
protection type on the ports. The displayed information is as follows:

0 GigabitEthernet1/0/1 DESI FORWARDING ROOT

After SwitchA is configured as the root bridge, GigabitEthernet1/0/2 and

GigabitEthernet1/0/1 connected to SwitchB and SwitchD become designed ports
and configured with root protection.
# Run the display stp interface gigabitethernet 1/0/1 brief command on
SwitchB to check the status of GigabitEthernet1/0/1. The following information is
displayed:
[SwitchB] display stp interface gigabitethernet 1/0/1 brief
GigabitEthernet1/0/1 becomes the designated port and is in FORWARDING state.

# Run the display stp brief command on SwitchC to check the port status.
GE1/0/1 becomes the alternate port and is in DISCARDING state.

GE1/0/3 becomes the root port and is in FORWARDING state.
----End
Configuration Files
#
sysname SwitchA
#
stp mode rstp
stp enable
#
stp root-protection
#
stp root-protection
#
return
#
sysname SwitchB
#
stp mode rstp
stp bpdu-protection
stp enable
#
#
return
#
sysname SwitchC

#
stp mode rstp
stp bpdu-protection
stp enable
#
#
#
return

#
sysname SwitchD
#
stp mode rstp
stp enable
#
return
6.5.3 Example for Configuring MSTP

Overview
in IEEE 802.1s.

g Tree
Protocol



g Tree
Protocol


Configuration Notes
● The ports connected to terminals do not participate in MSTP calculation.
or rendering the MAC address table unstable. MSTP can be used to prevent loops.
MSTP blocks redundant links and prunes a network into a tree topology free from
loops.
In Figure 6-25, SwitchA, SwitchB, SwitchC, and SwitchD run MSTP. MSTP uses
multiple instances to implement load balancing of traffic in VLANs 2 to 10 and
VLANs 11 to 20. The VLAN mapping table that defines the mapping between
VLANs and MSTIs can be used.

Figure 6-25 MSTP networking
1. Configure basic MSTP functions on switching devices of the ring network.
root protection on the designed port of the root bridge in each MSTI.

NOTE
When the link between the root bridge and secondary root bridge goes Down, the port
enabled with root protection becomes Discarding because root protection takes effect.
To improve reliability, you are advised to bind the link between the root bridge and
secondary root bridge to an Eth-Trunk.
3. Configure Layer 2 forwarding on devices.
Procedure
Step 1 Configure basic MSTP functions.
1. Configure SwitchA, SwitchB, SwitchC, and SwitchD (access switches) in the
MST region RG1 and create MSTI 1 and MSTI 2.
NOTE
Two switches belong to the same MST region when they have the same:
– Name of the MST region
– Mapping between VLANs and MSTIs
– Revision level of the MST region
# Configure an MST region of root bridge SwitchA in MSTI 1.
[SwitchA] stp region-configuration
[SwitchA-mst-region] region-name RG1 //Configure the region name as RG1.
[SwitchA-mst-region] instance 1 vlan 2 to 10 //Map VLANs 2 to 10 to MSTI 1.
[SwitchA-mst-region] instance 2 vlan 11 to 20 //Map VLANs 11 to 20 to MSTI 2.
[SwitchA-mst-region] active region-configuration //Activate the MST region configuration.
[SwitchA-mst-region] quit
# Configure an MST region of root bridge SwitchB in MSTI 1.
[SwitchB] stp region-configuration
[SwitchB-mst-region] region-name RG1 //Configure the region name as RG1.
[SwitchB-mst-region] instance 1 vlan 2 to 10 //Map VLANs 2 to 10 to MSTI 1.
[SwitchB-mst-region] instance 2 vlan 11 to 20 //Map VLANs 11 to 20 to MSTI 2.
[SwitchB-mst-region] active region-configuration //Activate the MST region configuration.
[SwitchB-mst-region] quit
# Configure an MST region of SwitchC.
[SwitchC] stp region-configuration
[SwitchC-mst-region] region-name RG1 //Configure the region name as RG1.
[SwitchC-mst-region] instance 1 vlan 2 to 10 //Map VLANs 2 to 10 to MSTI 1.
[SwitchC-mst-region] instance 2 vlan 11 to 20 //Map VLANs 11 to 20 to MSTI 2.
[SwitchC-mst-region] active region-configuration //Activate the MST region configuration.
[SwitchC-mst-region] quit
# Configure an MST region of SwitchD.
[SwitchD] stp region-configuration
[SwitchD-mst-region] region-name RG1 //Configure the region name as RG1.
[SwitchD-mst-region] instance 1 vlan 2 to 10 //Map VLANs 2 to 10 to MSTI 1.
[SwitchD-mst-region] instance 2 vlan 11 to 20 //Map VLANs 11 to 20 to MSTI 2.
[SwitchD-mst-region] active region-configuration //Activate the MST region configuration.
[SwitchD-mst-region] quit
2. Configure root bridges and secondary root bridges of MSTI 1 and MSTI 2 in
the MST region RG1.

– Configure the root bridge and secondary root bridge in MSTI 1.

# Configure SwitchA as the root bridge in MSTI 1.
[SwitchA] stp instance 1 root primary
# Configure SwitchB as the secondary root bridge in MSTI 1.

[SwitchB] stp instance 1 root secondary

# Configure SwitchB as the root bridge in MSTI 2.
[SwitchB] stp instance 2 root primary
# Configure SwitchA as the secondary root bridge in MSTI 2.

[SwitchA] stp instance 2 root secondary
3. Set the path costs of the ports to be blocked in MSTI 1 and MSTI 2 to be
larger than the default values.
NOTE
used as an example. Set the path costs of the ports to be blocked in MSTI 1 and
MSTI 2 to 20000.
Configure SwitchA to use Huawei's proprietary algorithm to calculate the
path cost.

path cost.

path cost and set the path cost of GE1/0/2 to 20000 in MSTI 2.
[SwitchC-GigabitEthernet1/0/2] stp instance 2 cost 20000

path cost and set the path cost of GE1/0/2 to 20000 in MSTI 1.
[SwitchD] interface gigabitethernet 1/0/2
[SwitchD-GigabitEthernet1/0/2] stp instance 1 cost 20000
[SwitchD-GigabitEthernet1/0/2] quit
4. Enable MSTP to eliminate loops.

– Enable MSTP globally on devices.
# Enable MSTP on SwitchB.

# Enable MSTP on SwitchC.

# Enable MSTP on SwitchD.

– Configure the ports connected to the terminal as edge ports.

# Configure GE1/0/1 of SwitchC as an edge port.


# Configure GE1/0/1 of SwitchC as an edge port.
[SwitchD-GigabitEthernet1/0/1] stp edged-port enable
(Optional) Configure BPDU protection on SwitchD.
[SwitchD] stp bpdu-protection
NOTE
Step 2 Enable protection functions. For example, enable root protection on the designed
port of the root bridge in each MSTI.
# Enable root protection on GE1/0/1 of SwitchA.
# Enable root protection on GE1/0/1 of SwitchB.

[SwitchB-GigabitEthernet1/0/1] stp root-protection
Step 3 Configure Layer 2 forwarding on switches of the ring network.

● Create VLANs 2 to 20 on SwitchA, SwitchB, SwitchC, and SwitchD.
# Create VLANs 2 to 20 on SwitchA.
# Create VLANs 2 to 20 on SwitchB.
[SwitchB] vlan batch 2 to 20
# Create VLANs 2 to 20 on SwitchC.
[SwitchC] vlan batch 2 to 20
# Create VLANs 2 to 20 on SwitchD.
[SwitchD] vlan batch 2 to 20
● Add ports connected to the ring to VLANs.
# Add GE1/0/1 on SwitchA to VLANs.
# Add Eth-Trunk1 on SwitchA to VLANs.
[SwitchA] interface Eth-Trunk 1
[SwitchA-Eth-Trunk1] trunkport gigabitethernet 1/0/2
[SwitchA-Eth-Trunk1] trunkport gigabitethernet 1/0/3
[SwitchA-Eth-Trunk1] port link-type trunk
[SwitchA-Eth-Trunk1] port trunk allow-pass vlan 2 to 20
# Add GE1/0/1 on SwitchB to VLANs.


[SwitchB-GigabitEthernet1/0/1] port trunk allow-pass vlan 2 to 20
# Add Eth-Trunk1 on SwitchB to VLANs.

[SwitchB] interface Eth-Trunk 1
[SwitchB-Eth-Trunk1] trunkport gigabitethernet 1/0/2
[SwitchB-Eth-Trunk1] trunkport gigabitethernet 1/0/3
[SwitchB-Eth-Trunk1] port link-type trunk
[SwitchB-Eth-Trunk1] port trunk allow-pass vlan 2 to 20
[SwitchB-Eth-Trunk1] quit
# Add GE1/0/1 on SwitchC to VLANs.

[SwitchC-GigabitEthernet1/0/1] port link-type access
[SwitchC-GigabitEthernet1/0/1] port default vlan 2

[SwitchC-GigabitEthernet1/0/2] port link-type trunk
[SwitchC-GigabitEthernet1/0/2] port trunk allow-pass vlan 2 to 20

# Add GE1/0/1 on SwitchD to VLANs.

[SwitchD-GigabitEthernet1/0/1] port link-type access
[SwitchD-GigabitEthernet1/0/1] port default vlan 11

[SwitchD-GigabitEthernet1/0/2] port link-type trunk
[SwitchD-GigabitEthernet1/0/2] port trunk allow-pass vlan 2 to 20

[SwitchD-GigabitEthernet1/0/3] port trunk allow-pass vlan 2 to 20

NOTE
MSTI 1 and MSTI 2 are used as examples, so you do not need to check the port status in
MSTI 0.
0 Eth-Trunk1 DESI FORWARDING NONE


2 Eth-Trunk1 ROOT FORWARDING NONE
In MSTI 1, Eth-Trunk1 and GE1/0/1 on SwitchA are designed ports because

SwitchA is the root bridge. In MSTI 2, GE1/0/1 on SwitchA is the designed port and
Eth-Trunk1 is the root port.
# Run the display stp brief command on SwitchB. The following information is
displayed:
[SwitchB] display stp brief
In MSTI 2, GE1/0/1 and Eth-Trunk1 on SwitchB are designed ports because

SwitchB is the root bridge. In MSTI 1, GE1/0/1 on SwitchB is the designed port and
Eth-Trunk1 is the root port.
# Run the display stp interface brief command on SwitchC. The following
[SwitchC] display stp interface gigabitethernet 1/0/3 brief
GE1/0/3 on SwitchC is the root port in MSTI 1 and MSTI 2. GE1/0/2 on SwitchC is
blocked in MSTI 2 and is the designated port in MSTI 1.
# Run the display stp interface brief command on SwitchD. The following
[SwitchD] display stp interface gigabitethernet 1/0/3 brief
[SwitchD] display stp interface gigabitethernet 1/0/2 brief
GE1/0/3 on SwitchD is the root port in MSTI 1 and MSTI 2. GE1/0/2 on SwitchD is
blocked in MSTI 1 and is the designated port in MSTI 2.
----End
Configuration Files
#
sysname SwitchA

#
vlan batch 2 to 20
#
stp enable
#
stp region-configuration
region-name RG1
instance 1 vlan 2 to 10
active region-configuration
#
#
stp root-protection
#
eth-trunk 1
#
eth-trunk 1
#
return
#
sysname SwitchB
#
vlan batch 2 to 20
#
stp enable
#
region-name RG1
#
#
stp root-protection
#
eth-trunk 1
#
eth-trunk 1
#
return
#
sysname SwitchC
#
vlan batch 2 to 20

#
stp bpdu-protection
stp enable
#
region-name RG1
#
port default vlan 2
#
#
#
return
#
sysname SwitchD
#
vlan batch 2 to 20
#
stp bpdu-protection
stp enable
#
region-name RG1
#
#
#
#
return
6.5.4 Example for Configuring MSTP and VRRP

Overview
When VRRP is deployed on a network, multiple devices transmit services
simultaneously. Each virtual device consists of one master and several backups. If
redundant links need to be deployed for access backup, MSTP needs to be
deployed to eliminate loops and ensure load balancing of traffic.

Configuration Notes
● The ports connected to terminals do not participate in MSTP calculation.
– S2320-EI
– S3300-EI, S3300-HI
– S5320-LI, S5320-SI, S5300-EI, S5300-HI, S5310-EI, S5320-EI, S5320-HI,
S5330-SI, S5330-HI, S5331-S, S5331-H, S5332-H, S5335-S, S5335-L,
S5335-L1, S5336-S
– S6300-EI, S6320-EI, S6320-SI, S6320-HI, S6330-H
– S9300X-4, S9300X-8, S9300X-12, S9303, S9303E, S9306, S9306E, S9310,
S9310X, S9312, S9312E
NOTE
product model.
In Figure 6-26, hosts connect to the network through SwitchC. SwitchC is dual-
homed to SwitchA and SwitchB and connects to the Internet. Redundant links are
deployed for access backup. The use of redundant links, however, may produce
loops, causing broadcast storms and rendering the MAC address table unstable.
It is required that network loops be prevented when redundant links are deployed,
traffic be switched to another link when one link is disconnected, and network
bandwidth be effectively used.
MSTP can be configured on the network. MSTP blocks redundant links and prunes
a network into a tree topology free from loops. VRRP can be configured on
SwitchA and SwitchB. HostA connects to the Internet with SwitchA as the default
gateway and SwitchB as the backup gateway; HostB connects to the Internet with
SwitchB as the default gateway and SwitchA as the backup gateway. This setting
implements reliability and traffic load balancing.

Figure 6-26 Networking for configuring MSTP and VRRP
Device Interface VLANIF Interface IP Address
SwitchA GE1/0/1 and VLANIF 2 10.1.2.102/24

GE1/0/2
GE1/0/1 and VLANIF 3 10.1.3.102/24

GE1/0/2
GE1/0/3 VLANIF 4 10.1.4.102/24
SwitchB GE1/0/1 and VLANIF 2 10.1.2.103/24

GE1/0/2
GE1/0/1 and VLANIF 3 10.1.3.103/24

GE1/0/2
GE1/0/3 VLANIF 5 10.1.5.103/24

1. Configure basic MSTP functions on switching devices of the ring network.
a. Configure an MST region and create multi-instance, and map VLAN 2 to
MSTI 1 and VLAN 3 to MSTI 2 to load balance traffic.
b. Configure the root bridge and secondary root bridge in each MST region.
c. Configure the path cost of a port in each MSTI so that the port can be
blocked.
d. Enable MSTP to prevent loops.
▪ Enable MSTP globally.
▪ Enable MSTP on all ports except the ports connected to hosts.

root protection on the designed port of the root bridge in each MSTI.
3. Configure Layer 2 forwarding on devices.
4. Assign an IP address to each interface and configure a routing protocol to
ensure network connectivity.
NOTE
In this example, SwitchA and SwitchB need to support VRRP and OSPF. For details
about the models supporting VRRP and OSPF, see the documentation.
5. Create VRRP groups 1 and 2 on SwitchA and SwitchB. In VRRP group 1,
configure SwitchA as the master and SwitchB as the backup. In VRRP group 2,
configure SwitchB as the master and SwitchA as the backup.
Procedure
1. Configure SwitchA, SwitchB, and SwitchC in the MST region RG1 and create
MSTI 1 and MSTI 2.
# Configure an MST region on SwitchA.
[SwitchA] stp region-configuration //Enter the MST region view.
[SwitchA-mst-region] region-name RG1 //Configure the region name as RG1.
[SwitchA-mst-region] instance 1 vlan 2 //Maps VLAN 2 to MSTI 1.
[SwitchA-mst-region] instance 2 vlan 3 //Maps VLAN 3 to MSTI 2.
[SwitchA-mst-region] active region-configuration //Activate the MST region configuration.
# Configure an MST region on SwitchB.
[SwitchB] stp region-configuration //Enter the MST region view.
[SwitchB-mst-region] region-name RG1 //Configure the region name as RG1.
[SwitchB-mst-region] instance 1 vlan 2 //Maps VLAN 2 to MSTI 1.
[SwitchB-mst-region] instance 2 vlan 3 //Maps VLAN 3 to MSTI 2.
[SwitchB-mst-region] active region-configuration //Activate the MST region configuration.
# Configure an MST region on SwitchC.

[SwitchC] stp region-configuration //Enter the MST region view.

[SwitchC-mst-region] region-name RG1 //Configure the region name as RG1.
[SwitchC-mst-region] instance 1 vlan 2 //Maps VLAN 2 to MSTI 1.
[SwitchC-mst-region] instance 2 vlan 3 //Maps VLAN 3 to MSTI 2.
[SwitchC-mst-region] active region-configuration //Activate the MST region configuration.
[SwitchC-mst-region] quit
2. Configure root bridges and secondary root bridges of MSTI 1 and MSTI 2 in
the MST region RG1.
# Configure SwitchA as the root bridge in MSTI 1.
[SwitchA] stp instance 1 root primary
# Configure SwitchB as the secondary root bridge in MSTI 1.

[SwitchB] stp instance 1 root secondary

# Configure SwitchB as the root bridge in MSTI 2.
[SwitchB] stp instance 2 root primary
# Configure SwitchA as the secondary root bridge in MSTI 2.

[SwitchA] stp instance 2 root secondary
3. Set the path costs of the ports to be blocked in MSTI 1 and MSTI 2 to be
larger than the default values.
NOTE
used as an example. Set the path costs of the ports to be blocked in MSTI 1 and
MSTI 2 to 20000.
path cost.

path cost.

path cost, and set the path cost of GE1/0/1 in MSTI 2 to 20000 and path cost
of GE1/0/4 in MSTI 1 to 20000.
4. Enable MSTP to eliminate loops.

– Enable MSTP globally on devices.
# Enable MSTP on SwitchA.
# Enable MSTP on SwitchB.

# Enable MSTP on SwitchC.

– Configure the ports connected to hosts as edge ports.


– Configure the ports connected to the router as edge ports.

# Configure the SwitchA.
[SwitchA-GigabitEthernet1/0/3] stp edged-port enable
(Optional) Configure BPDU protection on SwitchA.

[SwitchA] stp bpdu-protection
# Configure the SwitchB.


NOTE
Step 2 Enable protection functions. For example, enable root protection on the designed
port of the root bridge in each MSTI.
# Enable root protection on GE1/0/1 of SwitchA.
# Enable root protection on GE1/0/1 of SwitchB.

[SwitchB-GigabitEthernet1/0/1] stp root-protection

● Create VLAN 2 and VLAN 3 on SwitchA, SwitchB, and SwitchC.
# Create VLAN 2 and VLAN 3 on SwitchA.
# Create VLAN 2 and VLAN 3 on SwitchB.

[SwitchB] vlan batch 2 to 3
# Create VLAN 2 and VLAN 3 on SwitchC.

[SwitchC] vlan batch 2 to 3




NOTE
MSTI 1 and MSTI 2 are used as examples, so you do not need to check the port status in
MSTI 0.

In MSTI 1, GE1/0/2 and GE1/0/1 on SwitchA are designed ports because SwitchA is
the root bridge. In MSTI 2, GE1/0/1 on SwitchA is the designed port and GE1/0/2 is
the root port.
# Run the display stp brief command on SwitchB. The displayed information is as
follows:
In MSTI 2, GE1/0/1 and GE1/0/2 on SwitchB are designed ports because SwitchB is
the root bridge. In MSTI 1, GE1/0/1 on SwitchB is the designed port and GE1/0/2 is
the root port.
# Run the display stp interface brief command on SwitchC. The displayed
information is as follows:
GE1/0/1 on SwitchC is the root port in MSTI 1 and is blocked in MSTI 2. GE1/0/4
on SwitchC is blocked in MSTI 1 and is the designated port in MSTI 2.
Step 5 Configure devices to ensure network connectivity.
# Assign an IP address to each interface. SwitchA is used as an example. The
configuration of SwitchB is similar to that of SwitchA, and is not mentioned here.
For details, see the configuration files.
[SwitchA] vlan batch 4
# Configure OSPF between SwitchA, SwitchB, and router. SwitchA is used as an

example. The configuration of SwitchB is similar to that of SwitchA, and is not
mentioned here. For details, see the configuration files.
[SwitchA] ospf 1
[SwitchA-ospf-1] area 0


[SwitchA-ospf-1-area-0.0.0.0] quit
[SwitchA-ospf-1] quit
Step 6 Configure VRRP groups.

# Configure VRRP group 1 on SwitchA and SwitchB, set the priority of SwitchA to
120 and the preemption delay to 20s, and set the default priority for SwitchB.
[SwitchA-Vlanif2] vrrp vrid 1 virtual-ip 10.1.2.100 //Create VRRP group 1 and set the virtual IP address to
10.1.2.100.
[SwitchA-Vlanif2] vrrp vrid 1 priority 120 //Set the priority of VRRP group 1 to 120.
[SwitchA-Vlanif2] vrrp vrid 1 preempt-mode timer delay 20 //Set the preemption delay of VRRP group 1
to 20s.
[SwitchB-Vlanif2] vrrp vrid 1 virtual-ip 10.1.2.100 //Create VRRP group 1 and set the virtual IP address to
10.1.2.100.
# Configure VRRP group 2 on SwitchA and SwitchB, set the priority of SwitchB to
120 and the preemption delay to 20s, and set the default priority for SwitchA.
[SwitchB-Vlanif3] vrrp vrid 2 virtual-ip 10.1.3.100 //Create VRRP group 2 and set the virtual IP address to
10.1.3.100.
[SwitchB-Vlanif3] vrrp vrid 2 priority 120 //Set the priority of VRRP group 2 to 120.
[SwitchB-Vlanif3] vrrp vrid 2 preempt-mode timer delay 20 //Set the preemption delay of VRRP group 2
to 20s.
[SwitchA-Vlanif3] vrrp vrid 2 virtual-ip 10.1.3.100 //Create VRRP group 2 and set the virtual IP address to
10.1.3.100.
# Set virtual IP address 10.1.2.100 of VRRP group 1 as the default gateway of

HostA, and virtual IP address 10.1.3.100 of VRRP group 2 as the default gateway
of HostB.
# After the configuration is complete, run the display vrrp command on SwitchA.
The following output shows that SwitchA is the master in VRRP group 1 and the
backup in VRRP group 2.
[SwitchA] display vrrp
State : Master
Virtual IP : 10.1.2.100
Master IP : 10.1.2.102
PriorityRun : 120
TimerRun : 1 s
TimerConfig : 1 s
Auth type : NONE
Virtual MAC : 0000-5e00-0101
Check TTL : YES
Create time : 2012-05-11 11:39:18
Last change time : 2012-05-26 11:38:58

State : Backup
Virtual IP : 10.1.3.100

Master IP : 10.1.3.103
PriorityRun : 100
TimerRun : 1 s
TimerConfig : 1 s
Auth type : NONE
Virtual MAC : 0000-5e00-0102
Check TTL : YES
Create time : 2012-05-11 11:40:18
Last change time : 2012-05-26 11:48:58
# After the configuration is complete, run the display vrrp command on SwitchB.
The following output shows that SwitchB is the backup in VRRP group 1 and the
master in VRRP group 2.
[SwitchB] display vrrp
State : Backup
Virtual IP : 10.1.2.100
Master IP : 10.1.2.102
PriorityRun : 100
TimerRun : 1 s
TimerConfig : 1 s
Auth type : NONE
Virtual MAC : 0000-5e00-0101
Check TTL : YES
Create time : 2012-05-11 11:39:18
Last change time : 2012-05-26 11:38:58

State : Master
Virtual IP : 10.1.3.100
Master IP : 10.1.3.103
PriorityRun : 120
TimerRun : 1 s
TimerConfig : 1 s
Auth type : NONE
Virtual MAC : 0000-5e00-0102
Check TTL : YES
Create time : 2012-05-11 11:40:18
Last change time : 2012-05-26 11:48:58
----End
Configuration Files
#
sysname SwitchA
#
vlan batch 2 to 4
#

stp bpdu-protection
stp enable
#
region-name RG1
instance 1 vlan 2
instance 2 vlan 3
#
interface Vlanif2
ip address 10.1.2.102 255.255.255.0
#
interface Vlanif3
ip address 10.1.3.102 255.255.255.0
#
interface Vlanif4
ip address 10.1.4.102 255.255.255.0
#
stp root-protection
#
#
#
ospf 1
area 0.0.0.0
network 10.1.2.0 0.0.0.255
network 10.1.3.0 0.0.0.255
network 10.1.4.0 0.0.0.255
#
return
#
sysname SwitchB
#
vlan batch 2 to 3 5
#
stp bpdu-protection
stp enable
#
region-name RG1
instance 1 vlan 2
instance 2 vlan 3
#
interface Vlanif2
ip address 10.1.2.103 255.255.255.0
#
interface Vlanif3
ip address 10.1.3.103 255.255.255.0


#
interface Vlanif5
ip address 10.1.5.103 255.255.255.0
#
stp root-protection
#
#
#
ospf 1
area 0.0.0.0
network 10.1.2.0 0.0.0.255
network 10.1.3.0 0.0.0.255
network 10.1.5.0 0.0.0.255
#
return

#
sysname SwitchC
#
vlan batch 2 to 3
#
stp bpdu-protection
stp enable
#
region-name RG1
instance 1 vlan 2
instance 2 vlan 3
#
#
port default vlan 2
#
port default vlan 3
#
#
return

6.5.5 Example for Configuring a Single RRPP Ring with a

Single Instance
Overview
In most situations, the ring network topology is applied to MANs and enterprise
networks to improve network reliability. When a fault occurs on a node or on a
link between nodes, data services are switched to the standby link to ensure
service continuity. However, broadcast storms may occur on a ring network.
Many protocols can prevent broadcast storms on ring networks. However, if a fault
occurs on a ring network, it takes time for the devices to switch data services to
the standby link. If the convergence time is too long, services are interrupted.
To shorten the convergence time and eliminate the impact of network scale on
convergence time, Huawei developed the Rapid Ring Protection Protocol (RRPP).
Compared with other Ethernet ring technologies, RRPP has the following
advantages:
● RRPP is suitable for networks composed of many network nodes because the
number of nodes does not affect convergence time.
● RRPP prevents broadcast storms caused by data loops when an Ethernet ring
is complete.
● When a link on an Ethernet ring network fails, the standby link can rapidly
restore the communication among the Ethernet ring network nodes.
Configuration Notes
● STP and Smart Link must be disabled on the interface added to an RRPP
domain.
● DHCP and MAC address limiting rules cannot be configured in an RRPP
control VLAN.
● When the mapping between the protected instance and MUX VLAN needs to
be configured, you are advised to configure the principal VLAN, subordinate
group VLAN, and subordinate separate VLAN in the MUX VLAN in the
protected instance. Otherwise, loops may occur.
In Figure 6-27, SwitchA, SwitchB, and SwitchC constitute a ring network. The
network is required to prevent loops when the ring is complete and to implement
fast convergence to rapidly restore communication between nodes in the ring
when the ring fails. You can enable RRPP on SwitchA, SwitchB, and SwitchC to
meet this requirement.

Figure 6-27 Networking of a single RRPP ring
1. Create an RRPP domain and its control VLAN.
2. Map VLANs from which data needs to pass through in the RRPP ring to
instance 1, including data VLANs 100 to 300 and control VLANs 20 and 21
(VLAN 21 is the sub-control VLAN generated by the device).
3. Configure interfaces to be added to the RRPP domain on the devices so that
data can pass through the interfaces. Disable protocols that conflict with
RRPP, such as STP.
4. In the RRPP domain, configure a protected VLAN, create an RRPP ring and
configure SwitchA, SwitchB, and SwitchC as nodes in ring 1 in domain 1.
Configure SwitchA as the master node in ring 1 and configure SwitchB and
SwitchC as transit nodes in ring 1.
5. Enable the RRPP ring and RRPP on devices.
Procedure
Step 1 Create an RRPP domain and its control VLAN.
# Configure SwitchA. The configurations of SwitchB and SwitchC are similar to the
[SwitchA] rrpp domain 1
[SwitchA-rrpp-domain-region1] control-vlan 20 //Each RRPP domain has a major control VLAN and a
sub-control VLAN. You only need to specify the major control VLAN. The system uses the VLAN whose ID is
one greater than the ID of the major control VLAN as the sub-control VLAN.
[SwitchA-rrpp-domain-region1] quit
Step 2 Map instance 1 to control VLANs 20 and 21 and data VLANs 100 to 300.

[SwitchA-mst-region] instance 1 vlan 20 21 100 to 300 //Add the major control VLAN, sub-control VLAN,
and data VLANs to instance 1.
[SwitchA-mst-region] active region-configuration
Step 3 Configure the interfaces to be added to the RRPP ring as trunk interfaces,
configure the interfaces to allow VLANs 100 to 300 to pass through, and disable
STP on the interfaces.
[SwitchA-GigabitEthernet2/0/1] stp disable
Step 4 Specify a protected VLAN, and create and enable an RRPP ring.
# Configure SwitchA.
[SwitchA-rrpp-domain-region1] protected-vlan reference-instance 1 //Configure instance 1 as the
protected instance of the RRPP domain.
[SwitchA-rrpp-domain-region1] ring 1 node-mode master primary-port gigabitethernet 2/0/1
secondary-port gigabitethernet 2/0/2 level 0
[SwitchA-rrpp-domain-region1] ring 1 enable
# Configure SwitchB.
[SwitchB] rrpp domain 1
[SwitchB-rrpp-domain-region1] protected-vlan reference-instance 1
[SwitchB-rrpp-domain-region1] ring 1 node-mode transit primary-port gigabitethernet 2/0/1 secondary-
port gigabitethernet 2/0/2 level 0
[SwitchB-rrpp-domain-region1] ring 1 enable
[SwitchB-rrpp-domain-region1] quit
# Configure SwitchC.
[SwitchC] rrpp domain 1
[SwitchC-rrpp-domain-region1] protected-vlan reference-instance 1
[SwitchC-rrpp-domain-region1] ring 1 node-mode transit primary-port gigabitethernet 2/0/1 secondary-
[SwitchC-rrpp-domain-region1] ring 1 enable
[SwitchC-rrpp-domain-region1] quit
Step 5 Enable RRPP.
[SwitchA] rrpp enable

perform the following operations to verify the configuration. The display on
SwitchA is used as an example.
# Run the display rrpp brief command on SwitchA. The following information is
displayed:
[SwitchA] display rrpp brief
Abbreviations for Switch Node Mode :
M - Master , T - Transit , E - Edge , A - Assistant-Edge
RRPP Protocol Status: Enable

RRPP Working Mode: HW
RRPP Linkup Delay Timer: 0 sec (0 sec default)
Number of RRPP Domains: 1
Domain Index : 1
Control VLAN : major 20 sub 21
Protected VLAN : Reference Instance 1
Hello Timer : 1 sec(default is 1 sec) Fail Timer : 6 sec(default is 6 sec)
Ring Ring Node Primary/Common Secondary/Edge Is

ID Level Mode Port Port Enabled
----------------------------------------------------------------------------
1 0 M GigabitEthernet2/0/1 GigabitEthernet2/0/2 Yes
According to the preceding information, RRPP is enabled on SwitchA. The major

control VLAN of RRPP domain 1 is VLAN 20 and the sub-control VLAN is VLAN 21.
SwitchA is the master node in ring 1. The primary interface is
GigabitEthernet2/0/1 and the secondary interface is GigabitEthernet2/0/2.
# Run the display rrpp verbose domain command on SwitchA. The following
[SwitchA] display rrpp verbose domain 1
Domain Index : 1
RRPP Ring :1
Ring Level :0
Node Mode : Master
Ring State : Complete
Is Enabled : Enable Is Active: Yes
Primary port : GigabitEthernet2/0/1 Port status: UP
Secondary port : GigabitEthernet2/0/2 Port status: BLOCKED
The command output shows that the RRPP ring is complete.
----End
Configuration Files
#
sysname SwitchA
#
#
rrpp enable
#
instance 1 vlan 20 to 21 100 to 300
#

rrpp domain 1
control-vlan 20
protected-vlan reference-instance 1
ring 1 node-mode master primary-port GigabitEthernet2/0/1 secondary-port GigabitEthernet2/0/2
level 0
ring 1 enable
#
stp disable
#
stp disable
#
return
#
sysname SwitchB
#
#
rrpp enable
#
#
rrpp domain 1
control-vlan 20
ring 1 node-mode transit primary-port GigabitEthernet2/0/1 secondary-port GigabitEthernet2/0/2
level 0
ring 1 enable
#
stp disable
#
stp disable
#
return
#
sysname SwitchC
#
#
rrpp enable
#
#
rrpp domain 1
control-vlan 20

level 0
ring 1 enable
#
stp disable
#
stp disable
#
return
6.5.6 Example for Configuring Tangent RRPP Rings
Overview
Generally, a metro Ethernet network uses two-layer rings:
● One layer is the aggregation layer between aggregation devices PE-AGGs, for
example, RRPP domain 1 in Figure 6-28.
● The other layer is the access layer between PE-AGGs and UPEs, for example,
RRPP domain 2 and RRPP domain 3 in Figure 6-28.
In Figure 6-28, intersecting RRPP rings can be used. RRPP rings are configured at
aggregation and access layers, and the two layers are connected through tangent
RRPP rings.
Figure 6-28 Tangent RRPP rings

Two tangent rings cannot belong to the same RRPP domain. The tangent point of
the two tangent rings belongs to two RRPP domains, and the major node can be
located in the tangent point.
When there are multiple tangent RRPP rings, a fault on a ring does not affect
other domains and the convergence process of RRPP rings in a domain is the same
as that of a single ring.
Configuration Notes
● STP and Smart Link must be disabled on the interface added to an RRPP
domain.
● DHCP and MAC address limiting rules cannot be configured in an RRPP
control VLAN.
● When the mapping between the protected instance and MUX VLAN needs to
be configured, you are advised to configure the principal VLAN, subordinate
group VLAN, and subordinate separate VLAN in the MUX VLAN in the
protected instance. Otherwise, loops may occur.
In Figure 6-28, the network is required to prevent loops when the ring is complete
and to implement fast convergence to rapidly restore communication between
nodes in the ring when the ring fails. RRPP can meet this requirement. RRPP
supports multiple rings. You can configure RRPP rings at the aggregation and
access layers. The two rings are tangent, simplifying the network configuration.
SwitchA, SwitchB, SwitchC, SwitchD, and SwitchE in Figure 6-29 correspond to

UPE1, UPE2, PE-AGG3, PE-AGG2, and PE-AGG1 in Figure 6-28, respectively. Figure
6-29 is used as an example to describe how to configure tangent RRPP rings with
a single instance.
Figure 6-29 Networking of tangent RRPP rings

1. Map the VLANs that need to pass through ring 1 to instance 1, including data
VLANs and control VLANs, which are used for configuring protected VLANs.
Map the VLANs that need to pass through ring 2 to instance 2, including data
VLANs and control VLANs, which are used for configuring protected VLANs.
2. Create RRPP domains, control VLANs and configure protected VLANs for
configuring RRPP rings.
3. Configure interfaces to be added to the RRPP domain on the devices so that
data can pass through the interfaces. Disable protocols that conflict with
RRPP, such as STP.
4. Create RRPP rings in RRPP domains.
a. Configure SwitchA, SwitchB, and SwitchC to be in ring 2 of RRPP domain
2.
b. Configure SwitchC, SwitchD, and SwitchE to be in ring 1 of RRPP domain
1.
c. Configure SwitchA as the master node in ring 2, and configure SwitchB
and SwitchC as transit nodes in ring 2.
d. Configure SwitchE as the master node in ring 1, and configure SwitchC
and SwitchD as transit nodes in ring 1.
5. Enable the RRPP ring and RRPP on devices.
Procedure
Step 1 Configure instance 2 and map it to the data VLANs and control VLANs allowed by
the RRPP interface.
# Configure SwitchA. The configurations of SwitchB, SwitchC, SwitchD, and

SwitchE are similar to the configuration of SwitchA, and are not mentioned here.
[SwitchA-mst-region] instance 2 vlan 20 to 21 ///Add the major control VLAN and sub-control VLAN to
instance 1.
Step 2 Create RRPP domains and configure control VLANs and protected VLANs of the
RRPP domains.
# Configure SwitchE. The configurations of SwitchA, SwitchB, SwitchC, and

SwitchD are similar to the configuration of SwitchE, and are not mentioned here.
[SwitchE] rrpp domain 1
[SwitchE-rrpp-domain-region1] control-vlan 10 //Each RRPP domain has a major control VLAN and a sub-
control VLAN. You only need to specify the major control VLAN. The system uses the VLAN whose ID is one
greater than the ID of the major control VLAN as the sub-control VLAN.
[SwitchE-rrpp-domain-region1] protected-vlan reference-instance 1 //Configure instance 1 as the
[SwitchE-rrpp-domain-region1] quit

Step 3 Configure the interfaces to be added to RRPP rings as trunk interfaces and disable
STP on the interfaces.

Step 4 Create and enable the RRPP ring.

● Configure nodes in ring 2.
# Configure SwitchA as the master node in ring 2 and specify the primary and
secondary interfaces.
# Configure SwitchB as a transit node in ring 2 (major ring) and specify the
primary and secondary interfaces.
[SwitchB-rrpp-domain-region2] ring 2 node-mode transit primary-port gigabitethernet 2/0/1
# Configure SwitchC as a transit node in ring 2 and specify the primary and
[SwitchC-rrpp-domain-region2] ring 2 node-mode transit primary-port gigabitethernet 2/0/1
● Configure nodes in ring 1.

# Configure SwitchE as the master node in ring 1 (major ring) and specify the
[SwitchE] rrpp domain 1
[SwitchE-rrpp-domain-region1] ring 1 node-mode master primary-port gigabitethernet 1/0/1
[SwitchE-rrpp-domain-region1] ring 1 enable
[SwitchE-rrpp-domain-region1] quit
# Configure SwitchC as a transit node in ring 1 and specify the primary and
[SwitchC-rrpp-domain-region1] ring 1 node-mode transit primary-port gigabitethernet 1/0/1
# Configure SwitchD as a transit node in ring 1 and specify the primary and

[SwitchD] rrpp domain 1

[SwitchD-rrpp-domain-region1] ring 1 node-mode transit primary-port gigabitethernet 1/0/1
[SwitchD-rrpp-domain-region1] ring 1 enable
[SwitchD-rrpp-domain-region1] quit
Step 5 Enable RRPP.


perform the following operations to verify the configuration. The tangent point
SwitchC is used as an example.
# Run the display rrpp brief command on SwitchC. The following information is
displayed:
[SwitchC] display rrpp brief

Domain Index : 1
----------------------------------------------------------------------------
1 0 T GigabitEthernet1/0/1 GigabitEthernet1/0/2 Yes
Domain Index : 2
----------------------------------------------------------------------------
2 0 T GigabitEthernet2/0/1 GigabitEthernet2/0/2 Yes
According to the preceding information, RRPP is enabled on SwitchC. The major

control VLAN of RRPP domain 1 is VLAN 10 and the sub-control VLAN is VLAN 11.
SwitchC is a transit node in ring 1. The primary interface is GigabitEthernet1/0/1
and the secondary interface is GigabitEthernet1/0/2.
The major control VLAN of SwitchC in RRPP domain 2 is VLAN 20 and the sub-
control VLAN is VLAN 21. SwitchC is a transit node in ring 2. The primary interface
is GigabitEthernet2/0/1 and the secondary interface is GigabitEthernet2/0/2.
On SwitchC, run the display rrpp verbose domain command. The following
information is displayed.
# Check detailed information about RRPP domain 1 on SwitchC.
[SwitchC] display rrpp verbose domain 1
Domain Index : 1


RRPP Ring :1
Ring Level :0
Node Mode : Transit
Ring State : LinkUp
Secondary port : GigabitEthernet1/0/2 Port status: UP
# Check detailed information about RRPP domain 2 on SwitchC.

[SwitchC] display rrpp verbose domain 2
Domain Index : 2
RRPP Ring :2
Ring Level :0
Node Mode : Transit
Ring State : LinkUp
Secondary port : GigabitEthernet2/0/2 Port status: UP
----End
Configuration Files
#
sysname SwitchA
#
vlan batch 20 to 21
#
rrpp enable
#
#
rrpp domain 2
control-vlan 20
level 0
ring 2 enable
#
stp disable
#
stp disable
#
return

#
sysname SwitchB

#
vlan batch 20 to 21
#
rrpp enable
#
#
rrpp domain 2
control-vlan 20
level 0
ring 2 enable
#
stp disable
#
stp disable
#
return
#
sysname SwitchC
#
#
rrpp enable
#
#
rrpp domain 1
control-vlan 10
level 0
ring 1 enable
rrpp domain 2
control-vlan 20
level 0
ring 2 enable
#
stp disable
#
stp disable
#


stp disable
#
stp disable
#
return
#
sysname SwitchD
#
vlan batch 10 to 11
#
rrpp enable
#
#
rrpp domain 1
control-vlan 10
level 0
ring 1 enable
#
stp disable
#
stp disable
#
return
● SwitchE configuration file
#
sysname SwitchE
#
vlan batch 10 to 11
#
rrpp enable
#
#
rrpp domain 1
control-vlan 10
level 0
ring 1 enable
#
stp disable
#

stp disable
#
return
6.5.7 Example for Configuring RRPP Snooping on a VPLS

Network
Overview
RRPP snooping notifies a VPLS network of changes in an RRPP ring. After RRPP
snooping is enabled on sub-interfaces or VLANIF interfaces, the VPLS network can
transparently transmit RRPP packets, detect changes in the RRPP ring, and update
forwarding entries. This ensures that traffic can be rapidly switched to a non-
blocking path.
In Figure 6-30, UPEs constitute an RRPP ring and connect to the VPLS network
where NPEs are located. NPEs are connected through a PW, so they cannot serve
as RRPP nodes to respond to RRPP packets. As a result, the VPLS network cannot
detect changes to the RRPP ring status. When the RRPP ring topology changes,
each node on the VPLS network forwards downstream data according to the MAC
address table generated before the RRPP ring topology changes. Consequently, the
downstream traffic cannot be forwarded
Figure 6-30 Networking for configuring RRPP snooping on a VPLS network
You can enable RRPP snooping on the sub-interface or VLANIF interface of NPED
and associate the interface with VSIs on the local device. When the RRPP ring is
faulty, NPED on the VPLS network deletes forwarding entries of VSIs (including
the associated VSIs) on the local node and forwarding entries of NPEB to re-learn

forwarding entries. This ensures that traffic can be switched to a normal path and
downstream traffic can be properly forwarded.
Configuration Notes
● RRPP and RRPP snooping cannot be configured on the same interface.
● SA series cards and XGE interfaces connected to LE1D2FW00S01 and ACU2
cards do not support RRPP snooping. In earlier versions of V200R007C00, X1E
series cards do not support RRPP snooping.
– S5300-HI, S5310-EI, S5320-EI, S5320-HI, S5330-HI, S5331-S, S5331-H,
S5332-H
– S6300-EI, S6320-EI, S6320-HI, S6330-H
– S9303, S9306, S9312, S9310
– S9310X, S9300X-4, S9300X-8, S9300X-12
– S9303E, S9306E, S9312E
NOTE
product model.
In Figure 6-31, SwitchA, SwitchB, SwitchC, and SwitchD constitute an RRPP ring.
The network is required to prevent loops when the ring is complete and to
implement fast convergence to rapidly restore communication between nodes in
the ring when the ring fails. The VPLS network can transparently transmit RRPP
packets, detect RRPP ring status changes, and update forwarding entries so that
traffic can be rapidly switched to a normal path according to the ring status.
Figure 6-31 Networking of RRPP snooping

1. Configure a VPLS network.

2. Configure an RRPP ring to prevent loops and implement fast convergence
when a device fails.
3. Enable RRPP snooping so that the VPLS network can transparently transmit
RRPP packets and detect RRPP ring status change.
4. Associate interfaces with VSIs so that SwitchC and SwitchD on the VPLS
network can delete the MAC address tables of their VSIs when a fault occurs
on the RRPP ring network.
NOTE
VLAN termination sub-interfaces can be created on a non-VCMP client.
Procedure
Step 1 Configure VPLS. SwitchC is used as an example. The configuration of SwitchD is
similar to the configuration of SwitchC, and is not mentioned here. For details, see
the configuration files.
NOTE
This example provides only configurations of sub-interfaces on SwitchC and SwitchD

connected to the RRPP ring. The configurations of devices on the VPLS network are not
mentioned.
# Configure GE2/0/0.10 on SwitchC to allow the packets of VLAN 10 to pass

through and bind GE2/0/0.10 to VSI 10.
[SwitchC-GigabitEthernet2/0/0] undo portswitch
[SwitchC] interface gigabitethernet 2/0/0.10
[SwitchC-GigabitEthernet2/0/0.10] dot1q termination vid 10
[SwitchC-GigabitEthernet2/0/0.10] l2 binding vsi VSI10 //Bind a VSI to the sub-interface.
[SwitchC-GigabitEthernet2/0/0.10] quit
# Configure GE2/0/0.20 on SwitchC to allow packets of VLAN 20 (control VLAN of

RRPP) to pass through and bind GE2/0/0.20 to VSI 20.
[SwitchC-GigabitEthernet2/0/0.20] dot1q termination vid 20
[SwitchC-GigabitEthernet2/0/0.20] l2 binding vsi VSI20
Step 2 Create an RRPP domain and its control VLAN.
# Create VLAN 10 on SwitchA.

[SwitchA] vlan batch 10
[SwitchA-mst-region] instance 1 vlan 10 20 21 //Add the major control VLAN, sub-control VLAN, and data
VLAN to instance 1.
# Configure SwitchA (master node in ring 1) in RRPP domain 1 and VLAN 20 as

the control VLAN.


[SwitchA-rrpp-domain-region1] protected-vlan reference-instance 1 //Configure instance 1 as the
[SwitchA-rrpp-domain-region1] control-vlan 20 //Each RRPP domain has a major control
VLAN and a sub-control VLAN. You only need to specify the major control VLAN. The system uses the VLAN
whose ID is one greater than the ID of the major control VLAN as the sub-control VLAN.
# Create VLAN 10 on SwitchB.

[SwitchB] vlan batch 10
[SwitchB] stp region-configuration
[SwitchB-mst-region] instance 1 vlan 10 20 21
[SwitchB-mst-region] active region-configuration
# Configure SwitchB (transit node in ring 1) in RRPP domain 1 and VLAN 20 as

the control VLAN.
[SwitchB-rrpp-domain-region1] protected-vlan reference-instance 1
[SwitchB-rrpp-domain-region1] control-vlan 20
Step 3 Disable STP on the interfaces to be added to the RRPP ring.

# Disable STP on the interfaces to be added to the RRPP ring on SwitchA.
# Disable STP on the interfaces to be added to the RRPP ring on SwitchB.

[SwitchB-GigabitEthernet1/0/1] stp disable
[SwitchB-GigabitEthernet1/0/2] stp disable
Step 4 Create an RRPP ring.

# Configure SwitchA as the master node in ring 1 and specify the primary and
# Configure SwitchB as a transit node in ring 1 (major ring) and specify the
[SwitchB-rrpp-domain-region1] ring 1 node-mode transit primary-port gigabitethernet 1/0/1 secondary-


Step 5 Enable RRPP.
# Enable RRPP on SwitchA.

# Enable RRPP on SwitchB.

[SwitchB] rrpp enable
Step 6 Configure RRPP snooping.
# Enable RRPP snooping on GE2/0/0.20 of SwitchC.

[SwitchC-GigabitEthernet2/0/0.20] rrpp snooping enable
# Enable RRPP snooping on GE2/0/0.20 of SwitchD.

[SwitchD] interface gigabitethernet 2/0/0.20
[SwitchD-GigabitEthernet2/0/0.20] rrpp snooping enable
Step 7 Configure association between interfaces and VSIs.
# Associate VSI 10 with GE2/0/0.20 on SwitchC.

[SwitchC-GigabitEthernet2/0/0.20] rrpp snooping vsi VSI10
# Associate VSI 10 with GE2/0/0.20 on SwitchD.

[SwitchD-GigabitEthernet2/0/0.20] rrpp snooping vsi VSI10
[SwitchD-GigabitEthernet2/0/0.20] quit
perform the following operations to verify the configuration. SwitchA is used as an
example.
● Run the display rrpp brief command on SwitchA. The following information
is displayed:
[SwitchA] display rrpp brief

Domain Index : 1

----------------------------------------------------------------------------
According to the preceding information, RRPP is enabled on SwitchA. The

major control VLAN of RRPP domain 1 is VLAN 20 and the sub-control VLAN

is VLAN 21. SwitchA is the master node in ring 1. The primary interface is
GE1/0/1 and the secondary interface is GE1/0/2.
● Run the display rrpp verbose domain command on SwitchA. The following
information is displayed.
# Check detailed information about RRPP domain 1 on SwitchA.
[SwitchA] display rrpp verbose domain 1
Domain Index : 1
RRPP Ring :1
Ring Level :0
Node Mode : Master
Is Enabled : Enable Is Active : Yes
# Check the RRPP snooping configuration on GE2/0/0.20 of SwitchC.

[SwitchC] display rrpp snooping enable interface gigabitethernet 2/0/0.20
Port VsiName Vlan
---------------------------------------------------------------------------
GigabitEthernet2/0/0.20 VSI20 20
The preceding information shows that VSI 20 and VLAN 20 are associated
with GE2/0/0.20.
# Check information about other VSIs associated with GE2/0/0.20 on SwitchC.
[SwitchC] display rrpp snooping vsi interface gigabitethernet 2/0/0.20
Port VsiName
---------------------------------------------------------------------
GigabitEthernet2/0/0.20 VSI10
GigabitEthernet2/0/0.20 VSI20
The preceding information shows that GE2/0/0.20 is associated with VSI 10

and VSI 20.
----End
Configuration Files
#
sysname SwitchA
#
vlan batch 10 20 to 21
#
rrpp enable
#
instance 1 vlan 10 20 to 21
#
rrpp domain 1
control-vlan 20
level 0
ring 1 enable
#
port trunk allow-pass vlan 10 20 to 21
stp disable

#
stp disable
#
return
#
sysname SwitchB
#
vlan batch 10 20 to 21
#
rrpp enable
#
instance 1 vlan 10 20 to 21
#
rrpp domain 1
control-vlan 20
level 0
ring 1 enable
#
stp disable
#
stp disable
#
return
#
sysname SwitchC
#
undo portswitch
#
l2 binding vsi VSI10
#
rrpp snooping enable
rrpp snooping vsi VSI10
#
return
#
sysname SwitchD
#
undo portswitch
#
#


rrpp snooping enable
rrpp snooping vsi VSI10
#
return
6.5.8 Example for Configuring SEP and MSTP on a Network

Overview
Generally, redundant links are used to provide link backup and enhance network
reliability. The use of redundant links, however, may produce loops. Loops cause
infinite looping of packets, leading to broadcast storms and MAC address table
instability. As a result, the communication quality deteriorates, and
communication services may be interrupted. To block redundant links and ensure
that they can be restored immediately to resume communication when a link fault
occurs on a ring network, you can deploy SEP and MSTP on the ring network.
Configuration Notes
Company A needs to deploy multiple Layer 2 access devices. In Figure 6-32, Layer
2 switching devices form a ring at the access layer, and Layer 3 devices form a ring
at the aggregation layer. The aggregation layer uses MSTP to eliminate redundant
links. Company A requires that services be rapidly switched to prevent traffic
interruption when a link at the access layer fails.
You can deploy multiple Layer 2 devices in a ring and configure SEP to meet the
following requirements of company A:
● When there is no faulty link on the ring network, SEP can eliminate loops.
● When a link fails on the ring network, SEP can quickly restore communication
between nodes in the ring.
● The topology change notification function is configured on an edge device in
a SEP segment so that devices on the upper-layer network can promptly
detect topology changes on the lower-layer network. After receiving a
topology change notification from a lower-layer network, a device on an
upper-layer network sends a TC packet to instruct other devices to delete
original MAC addresses and learn new MAC addresses. This ensures nonstop
traffic forwarding.

Figure 6-32 SEP and MSTP networking
NOTE
In this example, NPE1 and NPE2 use NE40Es running V600R008C00.

To ensure reliability of the entire network, you are advised to configure the following
functions:
● VRRP group between NPE1 and NPE2 to improve device-level reliability
● BFD session between NPE1 and NPE2 to detect the link status and therefore
implement fast switchover in the VRRP group

1. Configure basic SEP functions.
a. Configure SEP segment 1 on LSW1 to LSW3 and configure VLAN 10 as
the control VLAN of SEP segment 1.
b. Add LSW1 to LSW3 to SEP segment 1 and configure interface roles on
edge devices (LSW1 and LSW2) of the SEP segment.
NOTE
PE1 and PE2 do not support the SEP protocol; therefore, the interfaces of LSW1
and LSW2 connected to the PEs must be no-neighbor edge interfaces.
c. On the device where the no-neighbor primary edge interface is located,
specify the interface in the middle of the SEP segment as the interface to
block.
d. Configure manual preemption.
e. Configure the topology change notification function so that the upper-
layer network running MSTP can be notified of topology changes in the
SEP segment.
2. Configure basic MSTP functions.
a. Add PE1 to PE4, LSW1, and LSW2 to the MST region RG1.
b. Create VLANs on PE1 to PE4, LSW1, and LSW2 and add interfaces on the
STP ring to the VLANs.
c. Configure PE3 as the root bridge and PE4 as the secondary root bridge.
3. Set up a single-hop BFD session between NPE1 and NPE2 to detect the status
of the interfaces configured with VRRP. Then, report the detection result to
VRRP to complete VRRP fast switching.
4. Configure VRRP.
a. Create VRRP group 1 on GE 1/0/1 of NPE1, and set a higher VRRP priority
for NPE1 to ensure that NPE1 functions as the master.
b. Create VRRP group 1 in the view of GE 1/0/1 interface of NPE2, and allow
NPE2 to use the default VRRP priority.
c. Bind a BFD session to VRRP group 1.
5. Configure Layer 2 forwarding on the CE and LSW1 to LSW3.
NOTE
PE1 and PE2 are aggregation switches, PE3 is the root bridge, PE4 is the secondary root bridge,
LSWs are access switches, and CEs are user-side switches.
Procedure
Step 1 Configure basic SEP functions.
1. Configure SEP segment 1 on LSW1 to LSW3 and configure VLAN 10 as the
control VLAN of SEP segment 1.
# Configure access switch LSW1.
[Quidway] sysname LSW1

[LSW1] sep segment 1 //Create SEP segment 1.

[LSW1-sep-segment1] control-vlan 10 //Configure VLAN 10 as the control VLAN of SEP segment 1.
[LSW1-sep-segment1] protected-instance all //Configure all protected instances of SEP segment 1.
[LSW1-sep-segment1] quit


NOTE
– The control VLAN must be a VLAN that has not been created or used. However, the
command for creating a common VLAN is automatically displayed in the configuration
file after the control VLAN is created.
– Each SEP segment must have a control VLAN. After an interface is added to a SEP
segment that has a control VLAN, the interface is automatically added to the control
VLAN.
2. Add access switch LSW1 to LSW3 to SEP segment 1 and configure interface
roles.
NOTE
By default, STP is enabled on Layer 2 interfaces. Before adding an interface to a SEP

segment, disable STP on the interface.
[LSW1] interface gigabitethernet 1/0/1
[LSW1-GigabitEthernet1/0/1] sep segment 1 edge no-neighbor primary //Configure the interface as
the no-neighbor primary edge interface and add it to SEP segment 1.
[LSW1-GigabitEthernet1/0/1] quit
[LSW1-GigabitEthernet1/0/2] stp disable //Disable STP.
[LSW1-GigabitEthernet1/0/2] sep segment 1 //Add the interface to SEP segment 1.

[LSW2-GigabitEthernet1/0/1] sep segment 1 edge no-neighbor secondary //Configure the interface
as the no-neighbor secondary edge interface and add it to SEP segment 1.


3. Specify a blocking interface.

# In SEP segment 1, set the mode of blocking an interface on access switch
LSW1 where the no-neighbor primary edge interface is located to block the
interface in the middle of the SEP segment.
[LSW1] sep segment 1
[LSW1-sep-segment1] block port middle
4. Configure a preemption mode.

# Configure manual preemption on access switch LSW1.
[LSW1-sep-segment1] preempt manual
5. Configure the SEP topology change notification function.

Configure devices in SEP segment 1 to notify the MSTP network of topology
changes.
[LSW1-sep-segment1] tc-notify stp

[LSW2] sep segment 1
[LSW2-sep-segment1] tc-notify stp

1. Configure an MST region.
[PE1] stp region-configuration //Enter the MST region view.
[PE1-mst-region] region-name RG1 //Configure the MST region name as RG1.
[PE1-mst-region] active region-configuration //Activate MST region configuration.
[PE1-mst-region] quit




[LSW1] stp region-configuration //Enter the MST region view.
[LSW1-mst-region] region-name RG1 //Configure the MST region name as RG1.
[LSW1-mst-region] active region-configuration //Activate MST region configuration.
[LSW1-mst-region] quit


[LSW2] stp region-configuration //Enter the MST region view.
[LSW2-mst-region] region-name RG1 //Configure the MST region name as RG1.
[LSW2-mst-region] active region-configuration //Activate MST region configuration.
[LSW2-mst-region] quit
2. Create a VLAN and add interfaces on the ring network to the VLAN.
# On aggregation switch PE1, create VLAN 100 and add GE1/0/1, GE1/0/2,
and GE1/0/3 to VLAN 100.
[PE1] vlan 100
[PE1-vlan100] quit
[PE1]interface gigabitethernet 1/0/1
[PE1-GigabitEthernet1/0/1] port hybrid tagged vlan 100
# On aggregation switch PE2, PE3, and PE4, create VLAN 100 and add
GE1/0/1, GE1/0/2, and GE1/0/3 to VLAN 100.
The configurations of aggregation switch PE2, PE3, and PE4 are similar to the
configuration of aggregation switch PE1, and are not mentioned here. For
details, see configuration files in this example.
On access switch LSW1 and LSW2, create VLAN 100 and add GE1/0/1 to
VLAN 100. The configurations of access switch LSW1 and LSW2 are similar to
the configuration of aggregation switch PE1, and are not mentioned here. For
details, see configuration files in this example.
3. Enable MSTP.
[PE1] stp enable
[PE2] stp enable
[PE3] stp enable
[PE4] stp enable
[LSW1] stp enable
[LSW2] stp enable
4. Configure aggregation switch PE3 as the root bridge and aggregation switch
PE4 as the secondary root bridge.
# Set the priority of aggregation switch PE3 to 0 in MSTI 0 to ensure that
aggregation switch PE3 functions as the root bridge.
[PE3] stp root primary
# Set the priority of aggregation switch PE4 to 4096 in MSTI 0 to ensure that
aggregation switch PE4 functions as the secondary root bridge.
[PE4] stp root secondary
Step 3 Configure VLAN 100 to transmit VRRP packets and VLAN 200 to transmit BFD
packets.


[PE3-GigabitEthernet1/0/2] port hybrid tagged vlan 100 200

Step 4 Configure a BFD session.

1. Configure IP addresses for interfaces.
# Configure an IP address for an interface on NPE1 and create a sub-interface
for the interface.
[Quidway] sysname NPE1
[NPE1] vlan 100
[NPE1-vlan100] quit
[NPE1] interface gigabitethernet 1/0/1
[NPE1-GigabitEthernet1/0/1] undo shutdown
[NPE1-GigabitEthernet1/0/1] ip address 10.2.1.1 24
[NPE1-GigabitEthernet1/0/1] quit
[NPE1] interface gigabitethernet 1/0/1.1
[NPE1-GigabitEthernet1/0/1.1] undo shutdown
[NPE1-GigabitEthernet1/0/1.1] vlan-type dot1q 100
[NPE1-GigabitEthernet1/0/1.1] ip address 10.1.1.1 24
[NPE1-GigabitEthernet1/0/1.1] quit

for the interface.
[NPE2] vlan 100
[NPE2-vlan100] quit
2. Create a BFD session.

# Enable BFD on NPE1 and configure a BFD session between NPE1 and NPE2.
[NPE1] bfd
[NPE1-bfd] quit
[NPE1] bfd NPE2 bind peer-ip default-ip interface gigabitethernet 1/0/1 //Configure a static BFD
session to monitor the link of the VRRP group.
[NPE1-bfd-session-npe2] discriminator local 1
[NPE1-bfd-session-npe2] discriminator remote 2
[NPE1-bfd-session-npe2] commit
[NPE1-bfd-session-npe2] quit

[NPE2] bfd
[NPE2-bfd] quit
# After completing the configuration, run the display bfd session all on NPE1
and NPE2. The command output shows that the BFD session is set up
between NPE1 and NPE2 and its status is Up.
Use the display on NPE1 as an example.
[NPE1] display bfd session all
--------------------------------------------------------------------------------
Local Remote PeerIpAddr State Type InterfaceName
--------------------------------------------------------------------------------
1 2 224.0.0.184 Up S_IP_IF GigabitEthernet1/0/1
--------------------------------------------------------------------------------
Total UP/DOWN Session Number : 1/0
3. Configure association between BFD status and sub-interface status.

# Configure NPE1.
[NPE1] bfd
[NPE1-bfd] quit
[NPE1] bfd NPE2
[NPE1-bfd-session-npe2] process-interface-status sub-if
# Configure NPE2.
[NPE2] bfd
[NPE2-bfd] quit
[NPE2] bfd NPE1
After completing the preceding configurations, run the display bfd session all
verbose command on NPE1 and NPE2. Check that the Proc interface status
field displays Enable (Sub-If).
[NPE1] display bfd session all verbose
--------------------------------------------------------------------------------
Session MIndex : 257 (One Hop) State : Up Name : npe2
--------------------------------------------------------------------------------
Local Discriminator : 1 Remote Discriminator : 2
Session Detect Mode : Asynchronous Mode Without Echo Function
BFD Bind Type : Interface(GigabitEthernet1/0/1)
Bind Session Type : Static
Bind Peer IP Address : 224.0.0.184
NextHop Ip Address : 224.0.0.184
Bind Interface : GigabitEthernet1/0/1
FSM Board Id :0 TOS-EXP :7
Min Tx Interval (ms) : 1000 Min Rx Interval (ms) : 1000
Actual Tx Interval (ms): 1000 Actual Rx Interval (ms): 1000
Local Detect Multi :3 Detect Interval (ms) : 3000
Echo Passive : Disable Acl Number :-
Destination Port : 3784 TTL : 255
Proc Interface Status : Enable(Sub-If) Process PST : Disable
WTR Interval (ms) :- Local Demand Mode : Disable
Active Multi :3
Last Local Diagnostic : No Diagnostic
Bind Application : IFNET
Session TX TmrID : 93 Session Detect TmrID : 94
Session Init TmrID :- Session WTR TmrID :-

Session Echo Tx TmrID : -

PDT Index : FSM-0 | RCV-0 | IF-0 | TOKEN-0
Session Description : -
--------------------------------------------------------------------------------
Step 5 Configure VRRP.
● # Configure an IP address for an interface on NPE1, create VRRP group 1, and

set the VRRP priority of NPE1 to 120 so that NPE1 can function as the master.
[NPE1-GigabitEthernet1/0/1.1] vrrp vrid 1 virtual-ip 10.1.1.10
[NPE1-GigabitEthernet1/0/1.1] vrrp vrid 1 priority 120 //The default priority of a device in a VRRP
group is 100. Change the priority of the master to be higher than that of the backup.
[NPE1-GigabitEthernet1/0/1.1] vrrp vrid 1 preempt-mode timer delay 10 //A device in a VRRP
group uses immediate preemption by default. Change the preemption delay of the master to prevent
service interruptions on an unstable network where devices in the VRRP group preempt to be the
master.

allow NPE2 to use the default value so that NPE1 can function as the backup.
● # On NPE1, bind the VRRP group and the BFD session.

[NPE1-GigabitEthernet1/0/1.1] vrrp vrid 1 track bfd-session 1 peer

After completing the preceding configurations, run the display vrrp command on
NPE1. Check that the status of NPE1 is Master. Run the display vrrp command on
NPE2. Check that the status of NPE2 is Backup.
[NPE1] display vrrp
GigabitEthernet1/0/1.1 | Virtual Router 1
State : Master
PriorityRun : 120
Preempt : YES Delay Time : 10
TimerRun : 1
TimerConfig : 1
Auth Type : NONE
Virtual Mac : 0000-5e00-0101
Check TTL : YES
Config track link-bfd down-number : 0
Track BFD : 1 type: peer
BFD-session state : UP
Create time : 2013-12-29 22:46:32 UTC+07:00
Last change time : 2013-12-29 22:46:35 UTC+07:00
[NPE2] display vrrp
State : Backup
PriorityRun : 100
TimerRun : 1

TimerConfig : 1
Auth Type : NONE
Virtual Mac : 0000-5e00-0101
Check TTL : YES
Create time : 2013-12-29 22:46:32 UTC+07:00
Step 6 Configure the Layer 2 forwarding function on the user-side switch CE and access
switch LSW1 to LSW3.
The configuration details are not mentioned here. For details, see configuration
files in this example.
● # Run the shutdown command on GE1/0/1 of LSW2 to simulate a fault, and
then run the display sep interface command on LSW3 to check whether
GE1/0/2 on LSW3 changes from the discarding state to the forwarding state.
<LSW3> display sep interface gigabitethernet 1/0/2
SEP segment 1
----------------------------------------------------------------
Interface Port Role Neighbor Status Port Status
----------------------------------------------------------------
GE1/0/2 common up forwarding
● Run the shutdown command on GE 1/0/1.1 on NPE1 to simulate an interface

fault, and then run the display vrrp command on NPE2 to check whether the
status of NPE2 changes from backup to master.
[NPE2] display vrrp
State : Master
PriorityRun : 100
TimerRun : 1
TimerConfig : 1
Auth Type : NONE
Virtual Mac : 0000-5e00-0101
Check TTL : YES
BFD-session state : DOWN
Create time : 2013-12-29 22:46:32 UTC+07:00
----End
Configuration Files
● LSW1 configuration file
#
sysname LSW1

#
vlan batch 10 100
# stp enable
#
region-name RG1
#
sep segment 1
control-vlan 10
block port middle
tc-notify stp
protected-instance 0 to 4094
#
port hybrid tagged vlan 10 100
sep segment 1 edge no-neighbor primary
#
stp disable
sep segment 1
#
return
#
sysname LSW2
#
vlan batch 10 100
# stp enable
#
region-name RG1
#
sep segment 1
control-vlan 10
tc-notify stp
#
sep segment 1 edge no-neighbor secondary
#
stp disable
sep segment 1
#
return
#
sysname LSW3
#
vlan batch 10 100
#
sep segment 1
control-vlan 10
#
stp disable
sep segment 1
#
stp disable

sep segment 1
#
port hybrid tagged vlan vlan 100
#
return
#
sysname PE1
#
vlan batch 100
# stp enable
#
region-name RG1
#
port hybrid tagged vlan 100
#
#
#
return
#
sysname PE2
#
vlan batch 100
# stp enable
#
region-name RG1
#
#
#
#
return
#
sysname PE3
#
vlan batch 100
#
stp enable
#
region-name RG1
#
#
#

#
return
#
sysname PE4
#
vlan batch 100
#
stp enable
#
region-name RG1
#
#
#
#
return
● NPE1 configuration file
#
sysname NPE1
#
vlan batch 100
#
bfd
#
undo shutdown
ip address 10.2.1.1 255.255.255.0
#
vlan-type dot1q 100
ip address 10.1.1.1 255.255.255.0
vrrp vrid 1 track bfd-session 1 peer
#
bfd npe2 bind peer-ip default-ip interface GigabitEthernet1/0/1
process-interface-status sub-if
commit
#
return
#
sysname NPE2
#
vlan batch 100
#
bfd
#
undo shutdown
ip address 10.2.1.2 255.255.255.0
#

vlan-type dot1q 100

ip address 10.1.1.2 255.255.255.0
#
commit
#
return
● CE configuration file
#
sysname CE
#
vlan batch 100
#
#
return
6.5.9 Example for Configuring SEP and RRPP on a Network

Overview
Generally, redundant links are used to provide link backup and enhance network
reliability. The use of redundant links, however, may produce loops. Loops cause
infinite looping of packets, leading to broadcast storms and MAC address table
instability. As a result, the communication quality deteriorates, and
communication services may be interrupted. To block redundant links and ensure
that the blocked links can be restored immediately to resume communication
when a link fault occurs on a ring network, you can deploy SEP and RRPP on the
ring network.
Configuration Notes
In Figure 6-33, Layer 2 switching devices at access and aggregation layers
constitute a ring network and connect to the core layer. The aggregation layer
uses RRPP to eliminate redundant links, and the access layer uses SEP.
● When there is no faulty link on the ring network, SEP can eliminate loops on
the Ethernet network.
● When a link fails on the ring network, SEP can quickly restore communication
between nodes in the ring.
● The topology change notification function is configured on an edge device in
a SEP segment so that devices on the upper-layer network can promptly
detect topology changes on the lower-layer network.
After receiving a topology change notification from a lower-layer network, a
device on an upper-layer network sends a TC packet to instruct other devices
to delete original MAC addresses and learn new MAC addresses. This ensures
nonstop traffic forwarding.

Figure 6-33 SEP and RRPP networking
NOTE
In this example, NPE1 and NPE2 use NE40Es running V600R008C00.

To ensure reliability of the entire network, you are advised to configure the following
functions:
● VRRP group between NPE1 and NPE2 to improve device-level reliability
● BFD session between NPE1 and NPE2 to detect the link status and therefore
implement fast switchover in the VRRP group

1. Configure basic SEP functions.
a. Configure SEP segment 1 on PE1, PE2, and LSW1 to LSW3 and configure
VLAN 10 as the control VLAN of SEP segment 1.
b. Add PE1, PE2, and LSW1 to LSW3 to SEP segment and configure interface
roles on edge devices (PE1 and PE2) of the SEP segment.
c. On the device where the primary edge interface is located, specify the
mode in which an interface is blocked.
d. Configure a SEP preemption mode to ensure that the specified blocked
interface takes effect when the fault is rectified.
e. Configure the topology change notification function so that the upper-
layer network running RRPP can be notified of topology changes in the
SEP segment.
2. Configure basic RRPP functions.
a. Add PE1 to PE4 to RRPP domain 1, configure VLAN 5 as the control VLAN
on PE1 to PE4, and configure the protected VLAN.
b. Configure PE1 as the master node and PE2 to PE4 as the transit nodes on
the major ring, and configure primary and secondary interfaces of the
master node.
c. Create VLANs on PE1 to PE4 and add interfaces on the RRPP ring to the
VLANs.
3. Set up a single-hop BFD session between NPE1 and NPE2 to detect the status
of the interfaces configured with VRRP. Then, report the detection result to
VRRP to complete VRRP fast switching.
4. Configure VRRP.
a. Create VRRP group 1 on GE 1/0/1 of NPE1, and set a higher VRRP priority
for NPE1 to ensure that NPE1 functions as the master.
b. Create VRRP group 1 in the view of GE 1/0/1 interface of NPE2, and allow
NPE2 to use the default VRRP priority.
c. Bind a BFD session to VRRP group 1.
5. Configure Layer 2 forwarding on the CE, LSW1 to LSW3, and PE1 to PE4.
NOTE
PEs are aggregation switches, LSWs are access switches, and CEs are user-side switches.
Procedure
Step 1 Configure basic SEP functions.
1. Configure SEP segment 1 and configure VLAN 10 as the control VLAN of SEP
segment 1.
[PE1] sep segment 1 //Create SEP segment 1.
[PE1-sep-segment1] control-vlan 10 //Configure VLAN 10 as the control VLAN of SEP segment 1.

[PE1-sep-segment1] protected-instance all //Configure all protected instances of SEP segment 1.

[PE1-sep-segment1] quit
[PE2] sep segment 1 //Create SEP segment 1.
[PE2-sep-segment1] control-vlan 10 //Configure VLAN 10 as the control VLAN of SEP segment 1.
[PE2-sep-segment1] protected-instance all //Configure all protected instances of SEP segment 1.
NOTE
– The control VLAN must be a VLAN that has not been created or used. However, the
command for creating a common VLAN is automatically displayed in the configuration
file after the control VLAN is created.
– Each SEP segment must have a control VLAN. After an interface is added to a SEP
segment that has a control VLAN, the interface is automatically added to the control
VLAN.
2. Add aggregation switch PE1, aggregation switch PE2, and access switch LSW1
to LSW3 to SEP segment 1 and configure interface roles.
NOTE
By default, STP is enabled on Layer 2 interfaces. Before adding an interface to a SEP

segment, disable STP on the interface.
[PE1-GigabitEthernet1/0/1] stp disable //Disable STP.
[PE1-GigabitEthernet1/0/1] sep segment 1 edge primary //Configure the interface as the primary
edge interface and add it to SEP segment 1.
[LSW1-GigabitEthernet1/0/1] port link-type trunk





[PE2-GigabitEthernet1/0/1] sep segment 1 edge secondary //Configure the interface as the
secondary edge interface and add it to SEP segment 1.
After the configuration is complete, run the display sep topology command
on aggregation switch PE1 to check the topology of the SEP segment. The
command output shows that the blocked interface is one of the two
interfaces on the link that last completes neighbor negotiation.
[PE1] display sep topology
SEP segment 1
-------------------------------------------------------------------------
System Name Port Name Port Role Port Status Hop
-------------------------------------------------------------------------
PE1 GE1/0/1 primary forwarding 1
LSW1 GE1/0/1 common forwarding 2
PE2 GE1/0/1 secondary discarding 8
3. Specify a blocked interface.

# In SEP segment 1, set the mode of blocking an interface on aggregation
switch PE1 where the primary edge interface is located to block the interface
in the middle of the SEP segment.
[PE1] sep segment 1
[PE1-sep-segment1] block port middle
4. Configure a preemption mode.

# In SEP segment 1, configure the manual preemption mode on aggregation
switch PE1 where the primary edge interface is located.
[PE1-sep-segment1] preempt manual
5. Configure the SEP topology change notification function.

Configure devices in SEP segment 1 to notify the RRPP network of topology

changes.
[PE1-sep-segment1] tc-notify rrpp

[PE2] sep segment 1
[PE2-sep-segment1] tc-notify rrpp
After the configuration is complete, perform the following operations to verify the
configuration. Aggregation switch PE1 is used as an example.
● Run the display sep topology command on aggregation switch PE1 to check
the topology of the SEP segment.
The command output shows that GE1/0/2 of access switch LSW3 is in
discarding state and other interfaces are in forwarding state.
[PE1] display sep topology
SEP segment 1
-------------------------------------------------------------------------
System Name Port Name Port Role Port Status Hop
-------------------------------------------------------------------------
PE1 GE1/0/1 primary forwarding 1
LSW3 GE1/0/2 common discarding 4
PE2 GE1/0/1 secondary forwarding 8
● Run the display sep interface verbose command on aggregation switch PE1
to check detailed information about interfaces in the SEP segment.
[PE1] display sep interface verbose
SEP segment 1
Control-vlan :10
Preempt Delay Timer :0
TC-Notify Propagate to :rrpp
----------------------------------------------------------------
Interface :GE1/0/1
Port Role :Config = primary / Active = primary
Port Priority :64
Port Status :forwarding
Neighbor Status :up
Neighbor Port :LSW1 - GE1/0/1 (00e0-0829-7c00.0000)
NBR TLV rx :2124 tx :2126
LSP INFO TLV rx :2939 tx :135
LSP ACK TLV rx :113 tx :768
PREEMPT REQ TLV rx :0 tx :3
PREEMPT ACK TLV rx :3 tx :0
TC Notify rx :5 tx :3
EPA rx :363 tx :397
Step 2 Configure basic RRPP functions.

1. Add aggregation switch PE1 to PE4 to RRPP domain 1, configure VLAN 5 as
the control VLAN on aggregation switch PE1 to PE4, and configure the
protected VLAN.
[PE1-mst-region] instance 1 vlan 5 6 100 //Map VLAN 5, VLAN 6, and VLAN 100 to MSTI 1.

[PE1] rrpp domain 1 //Create RRPP domain 1.
[PE1-rrpp-domain-region1] control-vlan 5 //Configure VLAN 5 as the control VLAN of RRPP domain
1.
[PE1-rrpp-domain-region1] protected-vlan reference-instance 1 //Configure the protected VLAN in
protected instance 1.
1.
1.
1.
NOTE
The control VLAN must be a VLAN that has not been created or used. However, the
command for creating a common VLAN is automatically displayed in the configuration file
after the control VLAN is created.
2. Create a VLAN and add interfaces on the ring network to the VLAN.
[PE1] vlan 100
[PE1-vlan100] quit

[PE2] vlan 100

[PE2-vlan100] quit
# On aggregation switch PE3, create VLAN 100 and add GE1/0/1 and GE1/0/2
to VLAN 100.
[PE3] vlan 100
[PE3-vlan100] quit
# On aggregation switch PE4, create VLAN 100 and add GE1/0/1 and GE1/0/2
to VLAN 100.
[PE4] vlan 100
[PE4-vlan100] quit
3. Configure aggregation switch PE1 as the master node and aggregation switch
PE2 to PE4 as the transit nodes on the major ring, and configure primary and
secondary interfaces of the master node.
[PE1] rrpp domain 1 //Enter the view of RRPP domain 1.
[PE1-rrpp-domain-region1] ring 1 node-mode master primary-port gigabitethernet 1/0/2
secondary-port gigabitethernet 1/0/3 level 0 //Configure the master node on RRPP primary ring 1
in RRPP domain 1, and configure GE1/0/2 as the primary interface and GE1/0/3 as the secondary
interface.
[PE1-rrpp-domain-region1] ring 1 enable //Enable the RRPP ring.
[PE2-rrpp-domain-region1] ring 1 node-mode transit primary-port gigabitethernet 1/0/2
secondary-port gigabitethernet 1/0/3 level 0 //Configure the transit node on RRPP primary ring 1
interface.


[PE3-rrpp-domain-region1] ring 1 node-mode transit primary-port gigabitethernet 1/0/1
secondary-port gigabitethernet 1/0/2 level 0 //Configure the transit node on RRPP primary ring 1
interface.
[PE4-rrpp-domain-region1] ring 1 node-mode transit primary-port gigabitethernet1/0/1
secondary-port gigabitethernet1/0/2 level 0 //Configure the transit node on RRPP primary ring 1 in
RRPP domain 1, and configure GE1/0/1 as the primary interface and GE1/0/2 as the secondary
interface.
4. Enable RRPP.
[PE1] rrpp enable
[PE2] rrpp enable
[PE3] rrpp enable
[PE4] rrpp enable
After the configuration is complete, run the display rrpp brief or display rrpp
verbose domain command. Aggregation switch PE1 is used as an example.
[PE1] display rrpp brief

Domain Index : 1

----------------------------------------------------------------------------
According to the preceding information, RRPP is enabled on aggregation switch

PE1. The major control VLAN is VLAN 5 and the sub-control VLAN is VLAN 6 in
RRPP domain 1. VLANs mapping Instance1 are protected VLANs. Aggregation
switch PE1 is the master node in ring 1. The primary interface is GE1/0/2 and the
secondary interface is GE1/0/3.
[PE1] display rrpp verbose domain 1
Domain Index : 1
RRPP Ring :1
Ring Level :0
Node Mode : Master

The major control VLAN is VLAN 5 and the sub-control VLAN is VLAN 6 in RRPP
domain 1. VLANs mapping Instance1 are protected VLANs. Aggregation switch
PE1 is the master node in Complete state. The primary interface is GE1/0/2 and
the secondary interface is GE1/0/3.
Step 3 Configure VLAN 100 to transmit VRRP packets and VLAN 200 to transmit BFD
packets.
[PE3-GigabitEthernet1/0/2] port trunk allow-pass vlan 100 200

Step 4 Configure a BFD session.

1. Configure IP addresses for interfaces.
for the interface.
[NPE1] vlan 100
[NPE1-vlan100] quit

for the interface.
[NPE2] vlan 100
[NPE2-vlan100] quit


2. Create a BFD session.

[NPE1] bfd
[NPE1-bfd] quit
[NPE2] bfd
[NPE2-bfd] quit
# After completing the configuration, run the display bfd session all on NPE1
and NPE2. The command output shows that the BFD session is set up
between NPE1 and NPE2 and its status is Up.
[NPE1] display bfd session all
--------------------------------------------------------------------------------
Local Remote PeerIpAddr State Type InterfaceName
--------------------------------------------------------------------------------
1 2 224.0.0.184 Up S_IP_IF GigabitEthernet1/0/1
--------------------------------------------------------------------------------
3. Configure association between BFD status and sub-interface status.

# Configure NPE1.
[NPE1] bfd
[NPE1-bfd] quit
[NPE1] bfd NPE2
# Configure NPE2.
[NPE2] bfd
[NPE2-bfd] quit
[NPE2] bfd NPE1
After completing the preceding configurations, run the display bfd session all
verbose command on NPE1 and NPE2. Check that the Proc interface status
field displays Enable (Sub-If).
[NPE1] display bfd session all verbose
--------------------------------------------------------------------------------
Session MIndex : 257 (One Hop) State : Up Name : npe2
--------------------------------------------------------------------------------
Local Discriminator : 1 Remote Discriminator : 2
Session Detect Mode : Asynchronous Mode Without Echo Function

BFD Bind Type : Interface(GigabitEthernet1/0/1)

Bind Session Type : Static
Bind Peer IP Address : 224.0.0.184
NextHop Ip Address : 224.0.0.184
Bind Interface : GigabitEthernet1/0/1
FSM Board Id :0 TOS-EXP :7
Min Tx Interval (ms) : 1000 Min Rx Interval (ms) : 1000
Actual Tx Interval (ms): 1000 Actual Rx Interval (ms): 1000
Local Detect Multi :3 Detect Interval (ms) : 3000
Echo Passive : Disable Acl Number :-
Destination Port : 3784 TTL : 255
Proc Interface Status : Enable(Sub-If) Process PST : Disable
WTR Interval (ms) :- Local Demand Mode : Disable
Active Multi :3
Last Local Diagnostic : No Diagnostic
Bind Application : IFNET
Session TX TmrID : 93 Session Detect TmrID : 94
Session Init TmrID :- Session WTR TmrID :-
Session Echo Tx TmrID : -
PDT Index : FSM-0 | RCV-0 | IF-0 | TOKEN-0
Session Description : -
--------------------------------------------------------------------------------
Step 5 Configure VRRP.

set the VRRP priority of NPE1 to 120 so that NPE1 can function as the master.
[NPE1-GigabitEthernet1/0/1.1] vrrp vrid 1 priority 120 //The default priority of a device in a VRRP
group is 100. Change the priority of the master to be higher than that of the backup.
[NPE1-GigabitEthernet1/0/1.1] vrrp vrid 1 preempt-mode timer delay 10 //A device in a VRRP
group uses immediate preemption by default. Change the preemption delay of the master to prevent
service interruptions on an unstable network where devices in the VRRP group preempt to be the
master.

allow NPE2 to use the default value so that NPE1 can function as the backup.


After completing the preceding configurations, run the display vrrp command on
NPE1. Check that the status of NPE1 is Master. Run the display vrrp command on
NPE2. Check that the status of NPE2 is Backup.
[NPE1] display vrrp
State : Master
PriorityRun : 120
TimerRun : 1
TimerConfig : 1
Auth Type : NONE
Virtual Mac : 0000-5e00-0101

Check TTL : YES

Create time : 2013-12-29 22:46:32 UTC+07:00
[NPE2] display vrrp
State : Backup
PriorityRun : 100
TimerRun : 1
TimerConfig : 1
Auth Type : NONE
Virtual Mac : 0000-5e00-0101
Check TTL : YES
Create time : 2013-12-29 22:46:32 UTC+07:00
Step 6 Configure Layer 2 forwarding on the user-side switch CE, access switch LSW1 to
LSW3, and aggregation switch PE1 to PE4.
The configuration details are not mentioned here. For details, see configuration
files in this example.
● # Run the shutdown command on GE1/0/1 of LSW2 to simulate a fault, and
then run the display sep interface command on LSW3 to check whether
GE1/0/2 on LSW3 changes from the discarding state to the forwarding state.
[LSW3] display sep interface gigabitethernet 1/0/2
SEP segment 1
----------------------------------------------------------------
Interface Port Role Neighbor Status Port Status
----------------------------------------------------------------
GE1/0/2 common up forwarding
● Run the shutdown command on GE 1/0/1.1 on NPE1 to simulate an interface
fault, and then run the display vrrp command on NPE2 to check whether the
status of NPE2 changes from backup to master.
[NPE2] display vrrp
State : Master
PriorityRun : 100
TimerRun : 1
TimerConfig : 1
Auth Type : NONE
Virtual Mac : 0000-5e00-0101

Check TTL : YES

BFD-session state : DOWN
Create time : 2013-12-29 22:46:32 UTC+07:00
----End
Configuration Files
#
sysname LSW1
#
vlan batch 10 100
#
sep segment 1
control-vlan 10
#
stp disable
sep segment 1
#
stp disable
sep segment 1
#
return

#
sysname LSW2
#
vlan batch 10 100
#
sep segment 1
control-vlan 10
#
stp disable
sep segment 1
#
stp disable
sep segment 1
#
return

#
sysname LSW3
#
vlan batch 10 100
#
sep segment 1

control-vlan 10
#
stp disable
sep segment 1
#
stp disable
sep segment 1
#
#
return
#
sysname PE1
#
vlan batch 5 to 6 10 100
#
rrpp enable
#
instance 1 vlan 5 to 6 100
#
rrpp domain 1
control-vlan 5
ring 1 node-mode master primary-port GigabitEthernet 1/0/2 secondary-port GigabitEthernet 1/0/3
level 0
ring 1 enable
#
sep segment 1
control-vlan 10
block port middle
tc-notify rrpp
#
stp disable
sep segment 1 edge primary
#
port trunk allow-pass vlan 5 to 6 100
stp disable
#
stp disable
#
return
#
sysname PE2
#
#

rrpp enable
#
#
rrpp domain 1
control-vlan 5
ring 1 node-mode transit primary-port GigabitEthernet 1/0/2 secondary-port GigabitEthernet 1/0/3
level 0
ring 1 enable
#
sep segment 1
control-vlan 10
tc-notify rrpp
#
stp disable
sep segment 1 edge secondary
#
stp disable
#
stp disable
#
return

#
sysname PE3
#
#
rrpp enable
#
#
rrpp domain 1
control-vlan 5
level 0
ring 1 enable
#
stp disable
#
port trunk allow-pass vlan 5 to 6 100 200
stp disable
#
port trunk allow-pass 100 200
stp disable

#
return
#
sysname PE4
#
#
rrpp enable
#
#
rrpp domain 1
control-vlan 5
level 0
ring 1 enable
#
stp disable
#
port trunk allow-pass vlan 5 to 6 100 200
stp disable
#
port trunk allow-pass 100 200
stp disable
#
return
#
sysname NPE1
#
vlan batch 100
#
bfd
#
undo shutdown
ip address 10.2.1.1 255.255.255.0
#
vlan-type dot1q 100
ip address 10.1.1.1 255.255.255.0
#
commit
#
return
#
sysname NPE2

#
vlan batch 100
#
bfd
#
undo shutdown
ip address 10.2.1.2 255.255.255.0
#
vlan-type dot1q 100
ip address 10.1.1.2 255.255.255.0
#
commit
#
return
● CE configuration file
#
sysname CE1
#
vlan batch 100
#
#
return
6.5.10 Example for Configuring VBST
Overview
VLAN-based Spanning Tree (VBST) constructs a spanning tree in each VLAN so
that traffic from different VLANs can be forwarded through different spanning
trees. VBST is a Huawei proprietary that is equivalent to the Spanning Tree
Protocol (STP) or Rapid Spanning Tree Protocol (RSTP) running in each VLAN.
Spanning trees in different VLANs are independent of each other.
Currently, the three standard spanning tree protocols are STP, RSTP, and Multiple
Spanning Tree Protocol (MSTP). STP and RSTP cannot implement VLAN-based
load balancing, because all the VLANs on a LAN share a spanning tree and
packets in all VLANs are forwarded along this spanning tree. In addition, the
blocked link does not carry any traffic, which wastes bandwidth and may prevent
some VLANs from forwarding packets. MSTP is generally preferred because it is
compatible with STP and RSTP, ensures fast convergence, and provides multiple
paths to load balance traffic.
On enterprise networks, enterprise users need functions that are easy to use and
maintain, whereas the configuration of MSTP multi-instance and multi-process is
complex and requires in-depth knowledge.
To address this issue, Huawei developed VBST. VBST constructs a spanning tree in
each VLAN so that traffic from different VLANs is load balanced along different
spanning trees. In addition, VBST is easy to configure and maintain.

Configuration Notes
This example applies to all models of V200R005C00 and later versions.
When configuring VBST on the switch, pay attention to the following points:
● When HVRP is enabled on a modular switch, do not change the STP mode to
VBST.
● When VBST is enabled on a ring network, VBST immediately starts spanning
tree calculation. Parameters such as the device priority and port priority affect
spanning tree calculation, and changes of these parameters may cause
network flapping. To ensure fast and stable spanning tree calculation, perform
basic configurations on the switch and interfaces before enabling VBST.
● If the protected instance has been configured in a SEP segment or ERPS ring
but the mapping between protected instances and VLANs is not configured,
VBST cannot be enabled.
● VBST cannot be enabled in the ignored VLAN or control VLAN used by ERPS,
RRPP, SEP, or Smart Link.
● If 1:N (N>1) mapping between MSTIs and VLANs has been configured on the
switch, you must delete the mapping before changing the STP working mode
to VBST.
● If stp vpls-subinterface enable has been configured on the switch, you must
run the undo stp vpls-subinterface enable command on the interface before
changing the STP working mode to VBST.
● If the device has been configured as the root bridge or secondary root bridge,
run the undo stp vlan { vlan-id1 [ to vlan-id2 ] } &<1-10> root command to
disable the root bridge or secondary root bridge function and run the stp vlan
{ vlan-id1 [ to vlan-id2 ] } &<1-10> priority priority command to change the
device priority.
● When the number of MSTIs that are dynamically specified exceeds the
number of protected VLANs, STP is disabled in a created VLAN in the
configuration file, for example, stp vlan 100 disable.
● To prevent frequent network flapping, ensure that the values of Hello time,
Forward Delay, and Max Age conform to the following formulas:
– 2 x (Forward Delay - 1.0 second) >= Max Age
– Max Age >= 2 x (Hello Time + 1.0 second)
● It is recommended that fast convergence in normal mode be used. If the fast
mode is used, frequently deleting ARP entries may result in 100% CPU usage
of the MPU and LPU. As a result, packet processing expires and network
flapping occurs.
● After all ports are configured as edge ports and BPDU filter ports in the
system view, none of ports on the switch send BPDUs or negotiate the VBST
status with directly connected ports on the peer device. All ports are in
forwarding state. This may cause loops on the network, leading to broadcast
storms. Exercise caution when you configure a port as an edge port and BPDU
filter port.
● After a port is configured as an edge port and BPDU filter port in the
interface view, the port does not process or send BPDUs. The port cannot
negotiate the VBST status with the directly connected port on the peer device.
Exercise caution when you configure a port as an edge port and BPDU filter
port.

● Root protection takes effect only on designated ports.

● An alternate port is the backup of the root port. If a switch has an alternate
port, configure loop protection on both the root port and alternate port.
In Figure 6-34, SwitchC and SwitchD (access switches) are dual-homed to SwitchA
and SwitchB (aggregation switches). SwitchC transmits traffic from VLAN 10 and
VLAN 20, and SwitchD transmits traffic from VLAN 20 and VLAN 30. A ring
network is formed between the access layer and aggregation layer. The enterprise
requires that service traffic in each VLAN be correctly forwarded and service traffic
from different VLANs be load balanced to improve link use efficiency.
Figure 6-34 VBST networking

VBST can be used to eliminate loops between the access layer and aggregation
layer and ensures that service traffic in each VLAN is correctly forwarded. In
addition, traffic from different VLANs can be load balanced. The configuration
roadmap is as follows:
1. Configure Layer 2 forwarding on access and aggregation switches.
2. Configure basic VBST functions on SwitchA, SwitchB, SwitchC, and SwitchD.
Perform the following operations so that a spanning tree shown in Figure
6-34 is formed through calculation:
– Configure SwitchA and SwitchB as the root bridge and secondary root
bridge of VLAN 10 respectively, configure SwitchA and SwitchB as the
root bridge and secondary root bridge of VLAN 20 respectively, and
configure SwitchB and SwitchA as the root bridge and secondary root
bridge of VLAN 30 respectively.
– Set a larger path cost for GE1/0/2 on SwitchC in VLAN 10 and VLAN 20
so that GE1/0/2 is blocked in spanning trees of VLAN 10 and VLAN 20.
Set a larger path cost for GE1/0/2 on SwitchD in VLAN 20 and VLAN 30
so that GE1/0/2 is blocked in the spanning tree of VLAN 20 and VLAN 30.
3. Configure ports on SwitchC and SwitchD connected to terminals as edge ports
to reduce VBST topology calculation and improve topology convergence.
Procedure
● Create VLAN 10, VLAN 20, and VLAN 30 on SwitchA, SwitchB, SwitchC, and
SwitchD.
# Create VLAN 10, VLAN 20, and VLAN 30 on aggregation switch SwitchA.
[SwitchA] vlan batch 10 20 30
# Create VLAN 10, VLAN 20, and VLAN 30 on aggregation switch SwitchB.
[SwitchB] vlan batch 10 20 30
# Create VLAN 10 and VLAN 20 on access switch SwitchC.
[SwitchC] vlan batch 10 20
# Create VLAN 20 and VLAN 30 on access switch SwitchD.
[SwitchD] vlan batch 20 30
# Add GE1/0/1 on SwitchA to VLAN 10, VLAN 20, and VLAN 30.
[SwitchA-GigabitEthernet1/0/1] port trunk allow-pass vlan 10 20 30



# Add GE1/0/1 on SwitchB to VLAN 10, VLAN 20, and VLAN 30.
[SwitchB-GigabitEthernet1/0/1] port trunk allow-pass vlan 10 20 30


# Add GE1/0/2 on SwitchC to VLAN 10 and VLAN 20.

[SwitchC-GigabitEthernet1/0/2] port trunk allow-pass vlan 10 20
# Add GE1/0/3 on SwitchC to VLAN 10 and VLAN 20.

[SwitchC-GigabitEthernet1/0/3] port trunk allow-pass vlan 10 20
# Add GE1/0/4 on SwitchC to VLAN 10 and GE1/0/5 to VLAN 20.

# Add GE1/0/2 on SwitchD to VLAN 20 and VLAN 30.

[SwitchD-GigabitEthernet1/0/2] port trunk allow-pass vlan 20 30
# Add GE1/0/3 on SwitchD to VLAN 20 and VLAN 30.

[SwitchD-GigabitEthernet1/0/3] port trunk allow-pass vlan 20 30
# Add GE1/0/4 on SwitchD to VLAN 20 and GE1/0/5 to VLAN 30.



Step 2 Configure basic VBST functions.

1. Configure switches on the ring network to work in VBST mode.
# Configure SwitchA to work in VBST mode.
[SwitchA] stp mode vbst
# Configure SwitchB to work in VBST mode.
[SwitchB] stp mode vbst
# Configure SwitchC to work in VBST mode.
[SwitchC] stp mode vbst
# Configure SwitchD to work in VBST mode.
[SwitchD] stp mode vbst
– Configure the root bridge and secondary root bridge in VLAN 10.
# Configure SwitchA as the root bridge in VLAN 10.
[SwitchA] stp vlan 10 root primary
# Configure SwitchB as the secondary root bridge in VLAN 10.
[SwitchB] stp vlan 10 root secondary
# Configure SwitchA as the root bridge in VLAN 20.
[SwitchA] stp vlan 20 root primary
# Configure SwitchB as the secondary root bridge in VLAN 20.
[SwitchB] stp vlan 20 root secondary
# Configure SwitchB as the root bridge in VLAN 30.
[SwitchB] stp vlan 30 root primary
# Configure SwitchA as the secondary root bridge in VLAN 30.
[SwitchA] stp vlan 30 root secondary
3. Configure the path cost for a port in each VLAN so that the port can be
blocked.
NOTE
– The path cost range depends on the algorithm. IEEE 802.1t standard is used as an
example. Set the path costs of the ports to be blocked to 2000000.
– All switches on the same network must use the same path cost calculation
method.
# Set the path cost of GE1/0/2 on SwitchC to 2000000 in VLAN 10 and VLAN
20.
[SwitchC-GigabitEthernet1/0/2] stp vlan 10 cost 2000000
[SwitchC-GigabitEthernet1/0/2] stp vlan 20 cost 2000000
# Set the path cost of GE1/0/2 on SwitchD to 2000000 in VLAN 20 and VLAN
30.
[SwitchD-GigabitEthernet1/0/2] stp vlan 20 cost 2000000
[SwitchD-GigabitEthernet1/0/2] stp vlan 30 cost 2000000

4. Enable VBST to eliminate loops.

– Disable VBST in VLAN 1 on all devices.
NOTE
By default, all ports join VLAN 1 and VBST is enabled in VLAN 1. To reduce
spanning tree calculation, disable VBST in VLAN 1. To prevent loops in VLAN 1
after VBST is disabled, delete ports from VLAN 1.
# Disable VBST in VLAN 1 on SwitchA.
[SwitchA] stp vlan 1 disable
# Disable VBST in VLAN 1 on SwitchB.
[SwitchB] stp vlan 1 disable
# Disable VBST in VLAN 1 on SwitchC.
[SwitchC] stp vlan 1 disable
# Disable VBST in VLAN 1 on SwitchD.
[SwitchD] stp vlan 1 disable
# Delete GE1/0/1, GE1/0/2, and GE1/0/3 on SwitchA from VLAN 1.
# Delete GE1/0/1, GE1/0/2, and GE1/0/3 on SwitchB from VLAN 1.
[SwitchB-GigabitEthernet1/0/1] undo port trunk allow-pass vlan 1
# Delete GE1/0/2, and GE1/0/3 on SwitchB from VLAN 1.
[SwitchC-GigabitEthernet1/0/2] undo port trunk allow-pass vlan 1
[SwitchC-GigabitEthernet1/0/3] undo port trunk allow-pass vlan 1
# Delete GE1/0/2, and GE1/0/3 on SwitchD from VLAN 1.
[SwitchD-GigabitEthernet1/0/2] undo port trunk allow-pass vlan 1
[SwitchD-GigabitEthernet1/0/3] undo port trunk allow-pass vlan 1
– Enable VBST globally.
# Enable VBST on SwitchA globally.
# Enable VBST on SwitchB globally.
# Enable VBST on SwitchC globally.

# Enable VBST on SwitchD globally.

– Enable VBST in a VLAN.

By default, VBST is enabled in a VLAN.
Run the display stp vlan vlan-id command to check the VBST status. If
the message "The protocol is disabled" is displayed, VBST is disabled in
the VLAN. Run the stp vlan vlan-id enable command in the system view
to enable VBST in the VLAN.
– Enable VBST on a port.
By default, VBST is enabled on a Layer 2 Ethernet interface.
Run the display stp interface interface-type interface-number command
to check the VBST status on a port. If the message "The protocol is
disabled" is displayed, VBST is disabled on the port. Run the stp enable
command in the interface view to enable VBST on the port.
Step 3 Configure ports connected to terminals as edge ports to improve topology
convergence.
# On SwitchC and SwitchD, configure GE1/0/4 and GE1/0/5 connected to
terminals as edge ports.

# Run the display stp bridge local command on SwitchA to check the STP
working mode.
[SwitchA] display stp bridge local
VLAN-ID Bridge ID Hello Max Forward Protocol
Time Age Delay
----- -------------------- ----- --- ------- ---------------------------
10 10.0200-0000-6703 2 20 15 VBST
20 20.0200-0000-6703 2 20 15 VBST
30 4126.0200-0000-6703 2 20 15 VBST
The preceding information shows that the VBST mode is used.

# Run the display stp brief command on SwitchA to check the port status.
VLAN-ID Port Role STP State Protection


The preceding information shows that SwitchA participates in spanning tree

calculation in VLAN 10, VLAN 20, and VLAN 30. For example, SwitchA is the root
bridge in VLAN 10 and VLAN 20, so GE1/0/1 and GE1/0/3 in VLAN 10 are selected
as designated ports. GE1/0/1, GE1/0/2, and GE1/0/3 in VLAN 20 are selected as
designated ports. SwitchA is the secondary root bridge in VLAN 30, so GE1/0/1 is
selected as the root port and GE1/0/2 is selected as the designated port in VLAN
30.
# Run the display stp vlan 10 command on SwitchA to check detailed
information about VLAN 10.
[SwitchA] display stp vlan 10
-------[VLAN 10 Global Info]-------
Bridge ID :10 .0200-0000-6703
Bridge Diameter :7
Config Times :Hello 2s MaxAge 20s FwDly 15s
Active Times :Hello 2s MaxAge 20s FwDly 15s
Root ID / RPC :10 .0200-0000-6703 / 0 (This bridge is the root)
RootPortId :0.0
Root Type :Primary
BPDU-Protection :Disabled
STP Converge Mode :Normal
Time since last TC :0 days 0h:10m:46s
Number of TC :1
----[Port4093(GigabitEthernet1/0/1)][FORWARDING]----
Port Role :Designated Port
Port Priority :128
Port Cost(Dot1T) :Config=Auto / Active=20000
Desg. Bridge/Port :10 .0200-0000-6703 / 128.4093
Port Edged :Config=Default / Active=Disabled
Point-to-point :Config=Auto / Active=true
Port Revert Slow :Disabled
Port Agreement Legacy :Disabled
Transit Limit :6 packets/hello
Protection Type :None
Port STP Mode :VBST
BPDU Encapsulation :Config=VBST / Active=VBST
----[Port4092(GigabitEthernet1/0/3)][FORWARDING]----
Port Role :Designated Port
Port Priority :128
Port Cost(Dot1T) :Config=Auto / Active=199999
Desg. Bridge/Port :10 .0200-0000-6703 / 128.4092
Port Edged :Config=Default / Active=Disabled
Point-to-point :Config=Auto / Active=true
Port Revert Slow :Disabled
Port Agreement Legacy :Disabled
Transit Limit :6 packets/hello
Protection Type :None
Port STP Mode :VBST
BPDU Encapsulation :Config=VBST / Active=VBST
The preceding information shows that SwitchA is selected as the root bridge in
VLAN 10 and GE1/0/1 and GE1/0/3 are selected as designated ports in
FORWARDING state.
# Run the display stp brief command on SwitchB, SwitchC, and SwitchD to check
the port status.


[SwitchD] display stp brief
The preceding information shows that SwitchB participates in spanning tree

calculation in VLAN 10, VLAN 20, and VLAN 30, SwitchC participates in spanning
tree calculation in VLAN 10 and VLAN 20, and SwitchD participates in spanning
tree calculation in VLAN 20 and VLAN 30. After the calculation is complete, ports
are selected as different roles to eliminate loops.
Different spanning trees are formed in VLAN 10, VLAN 20, and VLAN 30, and
traffic in VLAN 10, VLAN 20, and VLAN 30 is forwarded along different spanning
trees to implement load balancing.
----End
Configuration Files
#
sysname SwitchA
#
vlan batch 10 20 30
#
stp mode vbst
stp enable
#
stp vlan 1 disable
stp vlan 30 root secondary
stp vlan 10 20 root primary
#
#
#
#
return
#
sysname SwitchB

#
vlan batch 10 20 30
#
stp mode vbst
stp enable
#
stp vlan 1 disable
stp vlan 10 20 root secondary
stp vlan 30 root primary
#
#
#
#
return
#
sysname SwitchC
#
vlan batch 10 20
#
stp mode vbst
stp enable
#
stp vlan 1 disable
#
stp vlan 10 20 cost 2000000
#
#
#
#
return
#
sysname SwitchD
#
vlan batch 20 30
#
stp mode vbst
stp enable
#

stp vlan 1 disable

#
stp vlan 20 30 cost 2000000
#
#
#
#
return
6.6 Typical Loopback Detection Configuration
6.6.1 Example for Configuring LDT to Detect Loops on the

Downstream Network
Overview
When a loop occurs on a network, broadcast, multicast, and unknown unicast
packets are repeatedly transmitted on the network. This wastes network resources
and may even cause a network breakdown. To minimize the impact of loops on a
Layer 2 network, a detection technology that quickly notifies users of loops is
required. When a loop occurs, users are requested to check network connections
and configurations, and control the problematic interface.
Loop detection (LDT) periodically sends LDT packets on an interface to check

whether the packets return to the local device (receive and transmit interfaces can
be different), and determines whether loops occur on the interface, local network,
or downstream network.
● If LDT packets are received by the same interface, a loopback occurs on the
interface or a loop occurs on the network connected to the interface.
● If LDT packets are received by another interface on the same device, a loop
occurs on the network connected to the interface.
After loops are detected, the device can send alarms to the NMS and record logs,
and can control the interface status (the interface is shut down by default)
according to the device configuration so that the impact of loops on the device
and network is minimized. The device provides the following actions after LDT
detects a loop:
● Trap: The device reports a trap to the NMS and records a log, but does not
take any action on the interface.

● Block: The device blocks this interface, and can forward only BPDUs.
● No learning: The interface is disabled from learning MAC addresses.
● Shutdown: The device shuts down the interface.
● Quitvlan: The interface is removed from the VLAN where a loop occurs.
The problematic interface continues to send LDT packets. If the device receives no
LDT packets from the problematic interface within the recovery time, it considers
that the loop is eliminated on the interface and restores the interface.
LDT can only detect loops on a single node, but cannot eliminate loops on the
entire network in the same manner as ring network technologies of ERPS, RRPP,
SEP, Smart Link, and STP/RSTP/MSTP/VBST.
Configuration Notes
● In V200R008C00 and earlier versions, LDT does not take effect in dynamic
VLANs
● LDT and LBDT cannot be configured simultaneously.
● LDT needs to send a large number of LDT packets to detect loops, occupying
system resources. Therefore, disable LDT if loops do not need to be detected.
● When loops occur in multiple VLANs on many interfaces, LDT performance is
lowered due to limitations of security policies and CPU processing capability.
The greater the number of involved VLANs and interfaces, the lower the
performance. In particular, the performance of the standby chassis in the
cluster is lowered. Manually eliminating loops is recommended.
● LDT cannot be used with ring network technologies of ERPS, RRPP, SEP, Smart
Link, and STP/RSTP/MSTP/VBST. Do not configure ring network technologies
on an interface of a LDT-enabled VLAN. If LDT has been enabled globally and
ring network technologies need to be configured on an interface, disable LDT
on the interface first.
● LDT sends only tagged packets and can only detect loops based on VLANs.
LDT can detect loops in a maximum of 4094 VLANs.
● When a loop occurs on the network-side interface where the Block or
Shutdown action is configured, all services on the device are interrupted. Do
not deploy LDT on the network-side interface.
● The Quitvlan action cannot be used with GVRP, HVRP, or the action of
removing an interface from the VLAN where MAC address flapping occurs.
● The blocked ports of LDT cannot block GVRP packets. To ensure that GVRP
runs normally and prevent GVRP loops, do not enable GVRP on the blocked
port of LDT.
In Figure 6-35, a new branch network of an enterprise connects to the
aggregation switch Switch, and VLANs 10 to 20 are deployed on the branch
network. Loops occur due to incorrect connections or configurations. As a result,
communication on the Switch and uplink network is affected.
It is required that the Switch should immediately detect loops on the new branch
network to prevent the impact of loops on the Switch and uplink network.

Figure 6-35 Networking for configuring LDT to detect loops on the downstream
network
1. Enable LDT on GE1/0/1 of the Switch to detect loops in a specified VLAN so
that loops on the downstream network can be detected.
2. Configure an action after loops are detected so that the Switch can
immediately shut down the interface where a loop is detected. This prevents
the impact of the loop on the Switch and uplink network.
NOTE
Configure interfaces on other switching devices as trunk or hybrid interfaces and configure
these interfaces to allow packets from corresponding VLANs to pass through. This ensures
Layer 2 connectivity on the new network and between the new network and the Switch.
Procedure
Step 1 Enable global LDT.
[Switch] loop-detection enable //Enable LDT globally.
Step 2 Enable LDT in VLANs.

[Switch] vlan batch 10 to 20
[Switch] loop-detection enable vlan 10 to 20 //Enable the device to detect loops on all interfaces in
VLANs 10 to 20.
Step 3 Set the interval for sending LDT packets.

[Switch] loop-detection interval-time 10 //Set the interval for sending LDT packets to 10s.
Step 4 Configure an action taken after a loop is detected.

# Enable the trap function for LDT.
[Switch] snmp-agent trap enable feature-name ldttrap //Enable the LDT alarm function so that the
device can send LDT traps.

# Set the action to Shutdown.

[Switch-GigabitEthernet1/0/1] stp disable //Disable STP on the interface.
[Switch-GigabitEthernet1/0/1] port hybrid tagged vlan 10 to 20
[Switch-GigabitEthernet1/0/1] loop-detection mode port-shutdown ///Configure the Shutdown action to
be taken on GE1/0/1 after a loop is detected.
# After the configuration is complete, run the display loop-detection command

to check global LDT information.
[Switch] display loop-detection
Loop Detection is enabled.
Detection interval time is 10 seconds.
Following VLANs enable loop-detection:
VLAN 10 to 20
Following ports are blocked for loop:
NULL
Following ports are shutdown for loop:
GigabitEthernet1/0/1 Include Vlans:
10
Following ports are nolearning for loop:
NULL
Following ports are trapped for loop:
NULL
Following ports are quitvlan for loop:
NULL
# Check LDT information on GE1/0/1.

[Switch] display loop-detection interface gigabitethernet 1/0/1
The port is enabled.
The port's status list:
Status WorkMode Recovery-time EnabledVLAN
-----------------------------------------------------------------------
Shutdown Shutdown 255 10
Normal Shutdown 255 11
The command output shows that LDT is enabled in VLANs 10 to 20 and the
Shutdown action is taken on GE1/0/1 in VLAN 10, indicating that loops are
detected in VLAN 10.
NOTE
After loops are detected in one or more VLANs, the system shuts down the involved
interface and loops are removed. In this case, LDT may be unable to detect all VLANs where
loops occur.
----End
Configuration Files

#
sysname Switch
#
vlan batch 10 to 20
#
loop-detection enable
loop-detection interval-time 10
loop-detection enable vlan 10 to 20
#
port hybrid tagged vlan 10 to 20
stp disable
#
snmp-agent trap enable feature-name LDTTRAP
#
return
6.6.2 Example for Configuring LDT to Detect Loops on the

Local Network
Overview
Loop detection (LDT) periodically sends LDT packets on an interface to check

whether the packets return to the local device (receive and transmit interfaces can
be different), and determines whether loops occur on the interface, local network,
or downstream network.
● If LDT packets are received by the same interface, a loopback occurs on the
interface or a loop occurs on the network connected to the interface.
● If LDT packets are received by another interface on the same device, a loop
occurs on the network connected to the interface.
and network is minimized. The device provides the following actions after LDT
detects a loop:
The problematic interface continues to send LDT packets. If the device receives no
LDT packets from the problematic interface within the recovery time, it considers
that the loop is eliminated on the interface and restores the interface.

LDT can only detect loops on a single node, but cannot eliminate loops on the
Configuration Notes
● In V200R008C00 and earlier versions, LDT does not take effect in dynamic
VLANs
● LDT and LBDT cannot be configured simultaneously.
● LDT needs to send a large number of LDT packets to detect loops, occupying
system resources. Therefore, disable LDT if loops do not need to be detected.
● When loops occur in multiple VLANs on many interfaces, LDT performance is
lowered due to limitations of security policies and CPU processing capability.
The greater the number of involved VLANs and interfaces, the lower the
performance. In particular, the performance of the standby chassis in the
cluster is lowered. Manually eliminating loops is recommended.
● LDT cannot be used with ring network technologies of ERPS, RRPP, SEP, Smart
Link, and STP/RSTP/MSTP/VBST. Do not configure ring network technologies
on an interface of a LDT-enabled VLAN. If LDT has been enabled globally and
ring network technologies need to be configured on an interface, disable LDT
on the interface first.
● LDT sends only tagged packets and can only detect loops based on VLANs.
LDT can detect loops in a maximum of 4094 VLANs.
● When a loop occurs on the network-side interface where the Block or
Shutdown action is configured, all services on the device are interrupted. Do
not deploy LDT on the network-side interface.
● The Quitvlan action cannot be used with GVRP, HVRP, or the action of
removing an interface from the VLAN where MAC address flapping occurs.
● The blocked ports of LDT cannot block GVRP packets. To ensure that GVRP
port of LDT.
In Figure 6-36, an enterprise uses Layer 2 networking. The Switch is the
aggregation switch, and each switch allows packets from VLANs 10 to 20 to pass
through. Because employees often move, the network topology changes
frequently. Connections or configurations may be incorrect due to misoperations.
As a result, loops may occur in VLANs 10 to 20.
Loops cause broadcast storms and affect device and network communication. It is
required that loops be detected and eliminated in VLANs in a timely manner to
prevent broadcast storms.

Figure 6-36 Networking for configuring LDT to detect loops on the local network
Loops need to be detected in VLANs 10 to 20. Because there are more than eight
VLANs, you can configure LDT to detect loops and configure an action after loops
are detected to prevent broadcast storms. All VLANs share a link. To prevent loop
removal in a VLAN from affecting data forwarding in other VLANs, configure the
Quitvlan action. The configuration roadmap is as follows:
1. Enable LDT on GE1/0/0 and GE2/0/0 on the Switch to detect loops in VLANs
10 to 20.
2. Configure an action to be taken after a loop is detected on GE1/0/0 and
GE2/0/0, and set the recovery time so that the Switch can immediately take
the preconfigured action on the interface to prevent broadcast storms after a
loop is detected. In addition, the Switch can restore the interface after the
loop is eliminated.
NOTE
these interfaces to allow packets from corresponding VLANs to pass through to ensure
Layer 2 connectivity.
Procedure
Step 1 Enable global LDT.
[Switch] loop-detection enable //Enable LDT globally.
Step 2 Enable LDT in VLANs.

[Switch] vlan batch 10 to 20
[Switch] loop-detection enable vlan 10 to 20 //Enable the device to detect loops on all interfaces in
VLANs 10 to 20.
Step 3 Set the interval for sending LDT packets.

[Switch] loop-detection interval-time 10 //Set the interval for sending LDT packets to 10s.
Step 4 Configure an action to be taken after a loop is detected.

# Enable the trap function for LDT.
[Switch] snmp-agent trap enable feature-name ldttrap //Enable the LDT alarm function so that the
device can send LDT traps.

# Set the action to Quitvlan.

[Switch-GigabitEthernet1/0/0] loop-detection mode port-quitvlan //Configure the Quitvlan action to be
taken after a loop is detected.
[Switch-GigabitEthernet2/0/0] loop-detection mode port-quitvlan //Configure the Quitvlan action to be
Step 5 Set the interface recovery time.

[Switch-GigabitEthernet1/0/0] loop-detection recovery-time 30 //Set the recovery time to 30s.
[Switch-GigabitEthernet2/0/0] loop-detection recovery-time 30 //Set the recovery time to 30s.

1. Check the LDT configuration.
# After the configuration is complete, run the display loop-detection
command to check global LDT information.
[Switch] display loop-detection
Loop Detection is enabled.
Detection interval time is 10 seconds.
Following VLANs enable loop-detection:
VLAN 10 to 20
Following ports are blocked for loop:
NULL
Following ports are shutdown for loop:
NULL
Following ports are nolearning for loop:
NULL
Following ports are trapped for loop:
NULL
Following ports are quitvlan for loop:
10 11 12 16 19
13 14 15 17 18
20
# Check LDT information on GE1/0/0 and GE2/0/0.
-----------------------------------------------------------------------
Quitvlan Quitvlan 30 10
Normal Quitvlan 30 13


-----------------------------------------------------------------------
In the command output, LDT is enabled in VLANs 10 to 20, GE1/0/0 is

removed from VLANs 10, 11, 12, 16, and 19, and GE2/0/0 is removed from
VLANs 13, 14, 15, 17, 18, and 20.
NOTE
The VLANs that an interface is removed from are uncertain, but the interface will be
removed from all VLANs where loops occur.
2. After the loop is eliminated (for example, GE2/0/0 is shut down, and
connections between devices are corrected), check whether GE1/0/0 and
GE2/0/0 are restored.
-----------------------------------------------------------------------
-----------------------------------------------------------------------
The command output shows that GE1/0/0 and GE2/0/0 are restored.
----End
Configuration Files

#
sysname Switch
#
vlan batch 10 to 20
#
loop-detection enable
loop-detection interval-time 10
loop-detection enable vlan 10 to 20
#
stp disable
loop-detection mode port-quitvlan
loop-detection recovery-time 30
#
stp disable
loop-detection mode port-quitvlan
loop-detection recovery-time 30
#
snmp-agent trap enable feature-name LDTTRAP
#
return
6.6.3 Example for Configuring LBDT to Detect Loopbacks on

an Interface
Overview
Loopback detection (LBDT) periodically sends LBDT packets on an interface to

check whether the packets return to the local device (receive and transmit
interfaces can be different), and determines whether loops occur on the interface,
local network, or downstream network.
● If LBDT packets are received and sent by the same interface, a loopback
occurs on the interface or a loop occurs on the network connected to the
interface.
● If LBDT packets are received by another interface on the same device, a loop
occurs on the network connected to the interface or device.
and network is minimized. The device provides the following actions after LBDT
detects a loop:


The problematic interface continues to send LBDT packets. After the configured
recovery time expires, the system attempts to restore the problematic interface. If
the device receives no LBDT packets from the problematic interface within the
next recovery time, it considers that the loop is eliminated on the interface and
restores the interface.
LBDT can only detect loops on a single node, but cannot eliminate loops on the
Configuration Notes
● In V200R008C00 and earlier versions, LBDT does not take effect in dynamic
VLANs. In V200R008C00 and later versions, the LBDT-enabled switch can
detect loops in dynamic VLANs, but the Quitvlan action is invalid for dynamic
VLANs.
● LBDT needs to send a large number of LBDT packets to detect loops,
occupying system resources. Therefore, disable LBDT if loops do not need to
be detected.
● In versions earlier than V200R019C00, LBDT cannot be configured on an Eth-
Trunk or its member interfaces. In V200R019C00 and later versions, LBDT can
be configured on an Eth-Trunk but cannot be configured on its member
interfaces.
● Manual LBDT can be configured on a maximum of 128 Eth-Trunks.
● An interface can send LBDT packets with the specified VLAN tag only when
the specified VLAN has been created.
● LBDT can detect loops in a maximum of 32 VLANs.
● When the PVID of the interface in the loop is the detected VLAN ID or the
interface joins the detected VLAN in untagged mode, VLAN tags of LBDT
packets are removed. As a result, the packet priority changes and the system
may fail to detect loops.
● When the Quitvlan action is used, the configuration file remains unchanged.
● The LBDT action and MAC address flapping action affect each other, and
cannot be configured simultaneously.
● The Quitvlan action of LBDT conflicts with dynamic removal from VLANs (for
example, GVRP and HVRP), and cannot be configured simultaneously.
● The blocked ports of LBDT cannot block GVRP packets. To ensure that GVRP
port of LBDT.
● On a modular switch, LBDT and loop detection (LDT) cannot be configured
simultaneously.
In Figure 6-37, aggregation switch SwitchA on an enterprise network connects to
access switch SwitchB. To prevent loopbacks on a TX-RX interface (GE1/0/0)

because optical fibers are connected incorrectly or the interface is damaged by

high voltage, SwitchA is required to detect loopbacks on GE1/0/0. Furthermore, it
is required that the interface be blocked to reduce the impact of the loopback on
the network when a loopback is detected, and the interface be restored after the
loopback is removed.
Figure 6-37 Networking for configuring LBDT to detect loopbacks on an interface
To detect loopbacks on downlink interface GE1/0/0 of SwitchA, configure LBDT on
GE1/0/0 of SwitchA. The configuration roadmap is as follows:
1. Enable LBDT on GE1/0/0 of SwitchA to detect loopbacks.
2. Configure an action to be taken after a loopback is detected and set the
recovery time. After a loopback is detected, the Switch blocks the interface to
reduce the impact of the loopback on the network. After a loop is eliminated,
the interface can be restored.
Procedure
Step 1 Enable LBDT on an interface.
[SwitchA-GigabitEthernet1/0/0] loopback-detect enable //Enable LBDT on the interface.
Step 2 Configure an action to be taken after a loop is detected and set the recovery time.
[SwitchA-GigabitEthernet1/0/0] loopback-detect action block //Configure the Block action to be taken
after a loop is detected.
[SwitchA-GigabitEthernet1/0/0] loopback-detect recovery-time 30 //Set the recovery delay to 30s.

1. Run the display loopback-detect command to check the LBDT configuration.
[SwitchA] display loopback-detect
Loopback-detect sending-packet interval:
5
----------------------------------------------------------------------------------

Interface RecoverTime Action Status

----------------------------------------------------------------------------------
GigabitEthernet1/0/0 30 block
NORMAL
----------------------------------------------------------------------------------
The preceding command output shows that the LBDT configuration is

successful.
2. After about 5s, run the display loopback-detect command to check whether
GE1/0/0 is blocked.
5
----------------------------------------------------------------------------------

----------------------------------------------------------------------------------
GigabitEthernet1/0/0 30 block BLOCK(Loopback

detected)
----------------------------------------------------------------------------------
The preceding command output shows that GE1/0/0 is blocked, indicating

that a loopback occurs on GE1/0/0.
3. Manually remove the loopback. Run the display loopback-detect command
to check whether GE1/0/0 is restored.
5
----------------------------------------------------------------------------------

----------------------------------------------------------------------------------
NORMAL
----------------------------------------------------------------------------------
The preceding command output shows that GE1/0/0 is restored.
----End
Configuration Files
#
sysname SwitchA
#
loopback-detect recovery-time 30
loopback-detect enable
loopback-detect action block
#
return

6.6.4 Example for Configuring LBDT to Detect Loops on the

Downstream Network
Overview
interface.
detects a loop:
Configuration Notes
VLANs.


be detected.
interfaces.
port of LBDT.
simultaneously.
In Figure 6-38, a new department of an enterprise connects to the aggregation
switch Switch. This department belongs to VLAN 100. Loops occur due to incorrect
connections or configurations. As a result, communication on the Switch and
uplink network is affected.
It is required that the Switch should detect loops on the new network to prevent
the impact of loops on the Switch and connected network.

Figure 6-38 Networking for configuring LBDT to detect loops on the downstream
network
1. Enable LBDT on GE1/0/1 of the Switch to detect loops in a specified VLAN so
that loops on the downstream network can be detected.
2. Set LBDT parameters so that the Switch can immediately shut down GE1/0/1
after a loop is detected. This prevents the impact of the loop on the Switch
and connected network.
NOTE
these interfaces to allow packets from corresponding VLANs to pass through. This ensures
Layer 2 connectivity on the new network and between the new network and the Switch.
Procedure
Step 1 Enable LBDT on the interface.
[Switch-GigabitEthernet1/0/1] loopback-detect enable //Enable LBDT on the interface.
Step 2 Specify the VLAN ID of LBDT packets.

[Switch] vlan 100
[Switch] interface gigabitEthernet 1/0/1
[Switch-GigabitEthernet1/0/1] port hybrid tagged vlan 100
[Switch-GigabitEthernet1/0/1] loopback-detect packet vlan 100 //Enable LBDT to detect loops in VLAN
100.
Step 3 Configure LBDT parameters.

# Set the interval for sending LBDT packets.

[Switch] loopback-detect packet-interval 10
# Configure an action to be taken after a loop is detected.

[Switch-GigabitEthernet1/0/1] loopback-detect action shutdown //Configure the Shutdown action to be

[Switch] display loopback-detect
10
----------------------------------------------------------------------------------

----------------------------------------------------------------------------------
GigabitEthernet1/0/1 30 shutdown
NORMAL
----------------------------------------------------------------------------------

successful.
2. Construct loops on the downstream network and run the display loopback-
detect command to check whether GE1/0/1 is shut down.
10
----------------------------------------------------------------------------------

----------------------------------------------------------------------------------
GigabitEthernet1/0/1 30 shutdown SHUTDOWN(Loopback

detected)
----------------------------------------------------------------------------------
The preceding command output shows that GE1/0/1 is shut down.
----End
Configuration Files
#
sysname Switch
#
vlan batch 100
#
loopback-detect packet-interval 10
#
loopback-detect packet vlan 100
#
return

6.6.5 Example for Configuring LBDT to Detect Loops on the

Local Network
Overview
interface.
detects a loop:
Configuration Notes
VLANs.


be detected.
interfaces.
port of LBDT.
simultaneously.
In Figure 6-39, a small-scale enterprise uses Layer 2 networking and belongs to
VLAN 100. Because employees often move, the network topology changes
frequently. Loops occur due to incorrect connections or configurations during the
change. As a result, broadcast storms occur and affect communication of the
Switch and entire network.
The requirements are as follows:
● The Switch detects loops.
● When a loop exists, the interface is blocked to reduce the impact of the loop
on the Switch and network.
● When the loop is eliminated, the interface can be restored.

Figure 6-39 Networking for configuring LBDT to detect loops on the local network
To detect loops on the network where the Switch is deployed, configure LBDT on
GE1/0/1 and GE1/0/2 of the Switch. In this example, untagged LBDT packets sent
by the Switch will be discarded by other switches on the network. As a result, the
packets cannot be sent back to the Switch, and LBDT fails. Therefore, LBDT is
configured in a specified VLAN. The configuration roadmap is as follows:
1. Enable LBDT on interfaces and configure the Switch to detect loops in VLAN
100 to implement LBDT on the network where the Switch is located.
2. Configure an action to be taken after a loop is detected and set the recovery
time. After a loop is detected, the Switch blocks the interface to reduce the
impact of the loop on the network. After a loop is eliminated, the interface
can be restored.
NOTE
these interfaces to allow packets from corresponding VLANs to pass through to ensure
Layer 2 connectivity.
Procedure
Step 1 Enable LBDT on interfaces.
Step 2 Specify the VLAN ID of LBDT packets.

[Switch] vlan 100
100.

100.
Step 3 Configure an action to be taken after a loop is detected and set the recovery time.
[Switch-GigabitEthernet1/0/1] loopback-detect action block //Configure the Block action to be taken
[Switch-GigabitEthernet1/0/1] loopback-detect recovery-time 30 //Set the recovery time to 30s.
[Switch-GigabitEthernet1/0/2] loopback-detect action block //Configure the Block action to be taken
[Switch-GigabitEthernet1/0/2] loopback-detect recovery-time 30 //Set the recovery time to 30s.

5
----------------------------------------------------------------------------------

----------------------------------------------------------------------------------
NORMAL
GigabitEthernet1/0/2 30 block NORMAL
----------------------------------------------------------------------------------
successful.
2. After about 5s, run the display loopback-detect command to check whether
GE1/0/1 or GE1/0/2 is blocked.
5
----------------------------------------------------------------------------------

----------------------------------------------------------------------------------
NORMAL
GigabitEthernet1/0/2 30 block BLOCK(Loopback detected)
----------------------------------------------------------------------------------
The preceding command output shows that GE1/0/2 is blocked.
3. Shut down GE1/0/1. After 30s, run the display loopback-detect command to
check whether GE1/0/2 is restored.
5
----------------------------------------------------------------------------------

----------------------------------------------------------------------------------
NORMAL
GigabitEthernet1/0/2 30 block NORMAL
----------------------------------------------------------------------------------

The preceding command output shows that GE1/0/2 is restored.
----End
Configuration Files
#
sysname Switch
#
vlan batch 100
#
#
#
return

01-06 Typical Ethernet Switching Configuration

Uploaded by

Copyright:

Available Formats

You might also like

01-06 Typical Ethernet Switching Configuration

Uploaded by

Document Information

Original Description:

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

01-06 Typical Ethernet Switching Configuration

Uploaded by

Copyright:

Available Formats

Sx300 Series Switches

Typical Configuration Examples 6 Typical Ethernet Switching Configuration

6 Typical Ethernet Switching

6.1 Typical MAC Configuration

6.1 Typical MAC Configuration

6.1.1 Example for Configuring Static MAC Address Entries

A network administrator manually adds MAC address entries of authorized users

Issue 38 (2023-11-30) Copyright © Huawei Technologies Co., Ltd. 344

Figure 6-1 Networking for configuring static MAC address entries

Issue 38 (2023-11-30) Copyright © Huawei Technologies Co., Ltd. 345

Step 4 Verify the configuration.

6.1.2 Example for Configuring Blackhole MAC Address Entries

Issue 38 (2023-11-30) Copyright © Huawei Technologies Co., Ltd. 346

can be configured as a blackhole MAC address to filter packets from the

Figure 6-2 Networking for configuring blackhole MAC address entries

Step 2 Verify the configuration.

Issue 38 (2023-11-30) Copyright © Huawei Technologies Co., Ltd. 347

6.1.3 Example for Configuring MAC Address Limiting in a

Issue 38 (2023-11-30) Copyright © Huawei Technologies Co., Ltd. 348

Figure 6-3 Networking of MAC address limiting in a VLAN

1. Create a VLAN and add interfaces to the VLAN to implement Layer 2

Issue 38 (2023-11-30) Copyright © Huawei Technologies Co., Ltd. 349

Step 3 Verify the configuration.

PORT VLAN/VSI SLOT Maximum Rate(ms) Action Alarm

6.1.4 Example for Configuring MAC Address Limiting on an

MAC address limiting on an interface can be used in scenarios where users

Issue 38 (2023-11-30) Copyright © Huawei Technologies Co., Ltd. 350

● This example applies to all versions of all S series switches.

Figure 6-4 Networking of MAC address limiting on an interface

1. Create VLANs and add interfaces to the VLANs to implement Layer 2

Issue 38 (2023-11-30) Copyright © Huawei Technologies Co., Ltd. 351

Step 3 Verify the configuration.

PORT VLAN/VSI SLOT Maximum Rate(ms) Action Alarm

6.2 Link Aggregation Configuration

6.2.1 Precautions for Inter-Card Eth-Trunk Deployment

Issue 38 (2023-11-30) Copyright © Huawei Technologies Co., Ltd. 352

Table 6-1 Card series and Eth-Trunk specification extension

Precautions for an Inter-Card Eth-Trunk Without Eth-Trunk Specification

Issue 38 (2023-11-30) Copyright © Huawei Technologies Co., Ltd. 353

Card with Eth-Trunk advanced Card with Eth-Trunk advance

Card with Eth-Trunk advanced Card without Eth-Trunk N/A

Card with Eth-Trunk normal Card with Eth-Trunk normal

Card with Eth-Trunk normal Card without Eth-Trunk N/A

Card without Eth-Trunk N/A Card with Eth-Trunk normal

Issue 38 (2023-11-30) Copyright © Huawei Technologies Co., Ltd. 354

extension in advanced mode, load balancing of the Eth-Trunk is uneven,

Precautions for an Inter-Card Eth-Trunk with Eth-Trunk Specification

Issue 38 (2023-11-30) Copyright © Huawei Technologies Co., Ltd. 355

Issue 38 (2023-11-30) Copyright © Huawei Technologies Co., Ltd. 356

Card with Eth-Trunk advanced Card with Eth-Trunk advance

Card with Eth-Trunk advanced Card without Eth-Trunk N/A

Card with Eth-Trunk normal Card with Eth-Trunk normal

Card with Eth-Trunk normal Card without Eth-Trunk N/A

Card without Eth-Trunk N/A Card with Eth-Trunk normal

Issue 38 (2023-11-30) Copyright © Huawei Technologies Co., Ltd. 357

6.2.2 Example for Configuring Link Aggregation in Manual

Figure 6-5 Networking for configuring link aggregation in manual mode

Issue 38 (2023-11-30) Copyright © Huawei Technologies Co., Ltd. 358