Configuration Guide - LAN (V200R002C00 - 02)

Huawei AR1200-S Series Enterprise Routers
V200R002C00
Configuration Guide - LAN
Issue 02
Date 2012-03-30
HUAWEI TECHNOLOGIES CO., LTD.

Copyright Huawei Technologies Co., Ltd. 2012. All rights reserved.
No part of this document may be reproduced or transmitted in any form or by any means without prior written
consent of Huawei Technologies Co., Ltd.

Trademarks and Permissions
and other Huawei trademarks are trademarks of Huawei Technologies Co., Ltd.
All other trademarks and trade names mentioned in this document are the property of their respective holders.

Notice
The purchased products, services and features are stipulated by the contract made between Huawei and the
customer. All or part of the products, services and features described in this document may not be within the
purchase scope or the usage scope. Unless otherwise specified in the contract, all statements, information,
and recommendations in this document are provided "AS IS" without warranties, guarantees or representations
of any kind, either express or implied.
The information in this document is subject to change without notice. Every effort has been made in the
preparation of this document to ensure accuracy of the contents, but all statements, information, and
recommendations in this document do not constitute the warranty of any kind, express or implied.

Huawei Technologies Co., Ltd.
Address: Huawei Industrial Base
Bantian, Longgang
Shenzhen 518129
People's Republic of China
Website: http://www.huawei.com
Email: support@huawei.com
Issue 02 (2012-03-30) Huawei Proprietary and Confidential
Copyright Huawei Technologies Co., Ltd.
i
About This Document
Intended Audience
This document describes how to configure the components for LAN services, including link
aggregation groups, VLANs, voice VLANs, MAC address tables, transparent bridging, as well
as GVRP, STP/RSTP, and MSTP protocols.
This document provides procedures and examples to illustrate the methods and application
scenarios for the service configurations.
This document is intended for:
l Data configuration engineers
l Commissioning engineers
l Network monitoring engineers
l System maintenance engineers
Symbol Conventions
The symbols that may be found in this document are defined as follows.
Symbol Description
DANGER
Indicates a hazard with a high level of risk, which if not
avoided, will result in death or serious injury.
WARNING
Indicates a hazard with a medium or low level of risk, which
if not avoided, could result in minor or moderate injury.
CAUTION
Indicates a potentially hazardous situation, which if not
avoided, could result in equipment damage, data loss,
performance degradation, or unexpected results.
TIP
Indicates a tip that may help you solve a problem or save
time.
NOTE
Provides additional information to emphasize or supplement
important points of the main text.

Configuration Guide - LAN About This Document
ii
Command Conventions
The command conventions that may be found in this document are defined as follows.
Convention Description
Boldface The keywords of a command line are in boldface.
Italic Command arguments are in italics.
[ ] Items (keywords or arguments) in brackets [ ] are optional.
{ x | y | ... } Optional items are grouped in braces and separated by vertical
bars. One item is selected.
[ x | y | ... ] Optional items are grouped in brackets and separated by vertical
bars. One item is selected or no item is selected.
{ x | y | ... }
*
Optional items are grouped in braces and separated by vertical
bars. A minimum of one item or a maximum of all items can be
selected.
[ x | y | ... ]
*
Optional items are grouped in brackets and separated by vertical
bars. Several items or no item can be selected.
&<1-n> The parameter before the & sign can be repeated 1 to n times.
# A line starting with the # sign is comments.

Interface Numbering Conventions
Interface numbers used in this manual are examples. In device configuration, use the existing
interface numbers on devices.
Change History
Changes between document issues are cumulative. Therefore, the latest document version
contains all updates made to previous versions.
Changes in Issue 02 (2012-03-30)
Based on issue 01 (2011-12-30), the document is updated as follows:
The following information is modified:
l 3.8.2 Example for Configuring Communication Between VLANs Using VLANIF
Interfaces
Changes in Issue 01 (2011-12-30)
Initial commercial release.
Configuration Guide - LAN About This Document
iii
Contents
About This Document.....................................................................................................................ii
1 Link Aggregation Configuration................................................................................................1
1.1 Introduction to Link Aggregation.......................................................................................................................2
1.2 Link Aggregation Supported by the AR1200-S.................................................................................................2
1.3 Configuring Link Aggregation in Manual Load Balancing Mode.....................................................................3
1.3.1 Establishing the Configuration Task.........................................................................................................3
1.3.2 Creating an Eth-Trunk Interface................................................................................................................4
1.3.3 Configuring an Eth-Trunk to Work in Manual Load Balancing Mode.....................................................5
1.3.4 Adding Member Interfaces to an Eth-Trunk.............................................................................................6
1.3.5 (Optional) Limiting the Number of Active Interfaces...............................................................................7
1.3.6 Checking the Configuration.......................................................................................................................8
1.4 Configuring Link Aggregation in Static LACP Mode.......................................................................................9
1.4.1 Establishing the Configuration Task.........................................................................................................9
1.4.2 Creating an Eth-Trunk Interface..............................................................................................................10
1.4.3 Configuring an Eth-Trunk to Work in Static LACP Mode.....................................................................11
1.4.4 Adding Member Interfaces to an Eth-Trunk...........................................................................................11
1.4.5 (Optional) Limiting the Number of Active Interfaces.............................................................................13
1.4.6 (Optional) Setting the LACP Priority of the System...............................................................................14
1.4.7 (Optional) Setting the LACP Priority for an Interface............................................................................14
1.4.8 (Optional) Enabling LACP Preemption and Setting the Preemption Delay...........................................15
1.4.9 (Optional) Setting the Timeout Interval for Receiving LACP Packets...................................................16
1.4.10 Checking the Configuration...................................................................................................................16
1.5 Maintaining Link Aggregation.........................................................................................................................17
1.5.1 Clearing Statistics of LACP Packets.......................................................................................................17
1.5.2 Debugging the Link Aggregation Group.................................................................................................18
1.5.3 Monitoring the Operating Status of the Link Aggregation Group..........................................................18
1.6 Configuration Examples...................................................................................................................................19
1.6.1 Example for Configuring Link Aggregation in Manual Load Balancing Mode.....................................19
1.6.2 Example for Configuring Link Aggregation in Static LACP Mode.......................................................21
1.6.3 Example for Configuring Layer 3 Link Aggregation..............................................................................24
2 Transparent Bridging Configuration.......................................................................................28
2.1 Overview of Transparent Bridging...................................................................................................................29
Configuration Guide - LAN Contents
iv
2.2 Transparent Bridging Supported by the AR1200-S.........................................................................................32
2.3 Configuring Local Bridging.............................................................................................................................33
2.3.1 Establishing the Configuration Task.......................................................................................................33
2.3.2 Creating a Bridge Group..........................................................................................................................34
2.3.3 Adding Local Interfaces to a Bridge Group............................................................................................35
2.3.4 (Optional) Disabling a Bridge Group from Bridging Specified Protocol Packets..................................36
2.3.5 Checking the Configuration.....................................................................................................................36
2.4 Configuring Local Bridging Integrated with IP Routing..................................................................................37
2.4.3 Adding Local Interfaces to a Bridge Group............................................................................................39
2.4.4 Configuring a Bridge-if Interface for a Bridge Group.............................................................................41
2.4.5 Enabling IP Routing for a Bridge Group.................................................................................................41
2.5 Configuring Remote Bridging..........................................................................................................................43
2.5.3 Adding User-side Interfaces to a Bridge Group......................................................................................45
2.5.4 Adding Network-side Interfaces to a Bridge Group................................................................................46
2.5.6 (Optional) Configuring VLAN ID Transparent Transmission................................................................49
2.6 Configuring Remote Bridging Integrated with IP Routing..............................................................................50
2.6.3 Adding User-side Interfaces to a Bridge Group......................................................................................52
2.6.4 Adding Network-side Interfaces to a Bridge Group................................................................................53
2.6.5 Configuring a Bridge-if Interface for a Bridge Group.............................................................................55
2.6.6 Enabling IP Routing for a Bridge Group.................................................................................................56
2.7 Maintaining Transparent Bridging...................................................................................................................58
2.7.1 Monitoring the Operation of Bridge Groups...........................................................................................58
2.7.2 Clearing the Traffic Statistics of a Bridge Group....................................................................................59
2.7.3 Clearing the Traffic Statistics on the Bridge-if Interface of a Bridge Group..........................................59
2.8 Configuration Example.....................................................................................................................................60
2.8.1 Example for Configuring Local Bridging...............................................................................................60
2.8.2 Example for Configuring Local Bridging with IP Routing.....................................................................63
2.8.3 Example for Configuring Remote Bridging............................................................................................65
2.8.4 Example for Configuring Remote Bridging with IP Routing..................................................................68
2.8.5 Example for Configuring Remote Bridging with VLAN ID Transparent Transmission........................71
v
3 VLAN Configuration..................................................................................................................76
3.1 Introduction to VLAN......................................................................................................................................77
3.2 VLAN Features Supported by the AR1200-S..................................................................................................77
3.3 Creating VLANs...............................................................................................................................................79
3.3.2 Creating a VLAN.....................................................................................................................................79
3.3.3 (Optional) Creating VLANs in a Batch...................................................................................................80
3.3.4 (Optional) Configuring the Priority for a VLAN....................................................................................80
3.4 Adding Interfaces to a VLAN..........................................................................................................................81
3.4.2 Adding an Access Interface to a VLAN..................................................................................................82
3.4.3 Adding a Trunk Interface to a VLAN......................................................................................................83
3.4.4 Adding a Hybrid Interface to a VLAN....................................................................................................84
3.4.5 (Optional) Specifying the Default VLAN for a Trunk Interface.............................................................84
3.4.6 (Optional) Specifying the Default VLAN for a Hybrid Interface...........................................................85
3.5 Configuring VLANIF Interfaces to Implement Layer-3 Communication.......................................................87
3.5.2 Creating a VLANIF Interface..................................................................................................................88
3.5.3 Assigning an IP Address to a VLANIF Interface....................................................................................88
3.5.4 (Optional) Setting the MTU of a VLANIF Interface...............................................................................88
3.5.5 (Optional) Configuring VLAN Damping................................................................................................89
3.6 Configuring VLAN Aggregation......................................................................................................................90
3.6.2 Configuring Sub-VLANs........................................................................................................................91
3.6.3 Creating a Super-VLAN..........................................................................................................................92
3.6.4 Assigning an IP Address to the VLANIF Interface of the Super-VLAN................................................93
3.6.5 Configuring Proxy ARP for the Super-VLAN........................................................................................93
3.7 Configuring a Management VLAN..................................................................................................................95
3.7.2 Configuring Management VLAN Functions...........................................................................................95
3.8 Configuration Examples...................................................................................................................................96
3.8.1 Example for Configuring Interface-based VLAN Assignment...............................................................96
3.8.2 Example for Configuring Communication Between VLANs Using VLANIF Interfaces......................99
3.8.3 Example for Configuring VLAN Damping...........................................................................................101
3.8.4 Example for Configuring VLAN Aggregation......................................................................................103
3.8.5 Example for Configuring Communication Across a Layer 3 Network Using VLANIF Interfaces......106
4 Voice VLAN Configuration.....................................................................................................111
vi
4.1 Voice VLAN Overview..................................................................................................................................112
4.2 Voice VLAN Features Supported by the AR1200-S......................................................................................112
4.3 Configuring a Voice VLAN...........................................................................................................................113
4.3.1 Establishing the Configuration Task.....................................................................................................113
4.3.2 Enabling the Voice VLAN Function on an Interface............................................................................115
4.3.3 Setting the OUI of the Voice VLAN.....................................................................................................115
4.3.4 (Optional) Setting the Mode for Adding an Interface to the Voice VLAN...........................................116
4.3.5 (Optional) Setting the Voice VLAN Aging Time.................................................................................117
4.3.6 (Optional) Setting the Working Mode of the Voice VLAN..................................................................117
4.3.7 (Optional) Enabling an Interface to Communicate with Non-Huawei Voice Devices.........................118
4.4 Configuration Examples.................................................................................................................................119
4.4.1 Example for Configuring a Voice VLAN in Manual Mode..................................................................119
5 GVRP Configuration................................................................................................................124
5.1 GVRP Overview.............................................................................................................................................125
5.2 GVRP Features Supported by the AR1200-S.................................................................................................128
5.3 Configuring GVRP.........................................................................................................................................129
5.3.2 Enabling GVRP.....................................................................................................................................129
5.3.3 (Optional) Setting the Registration Mode for a GVRP Interface..........................................................130
5.3.4 (Optional) Setting the GARP Timers....................................................................................................131
5.4 Maintaining GVRP.........................................................................................................................................133
5.4.1 Clearing GARP Statistics......................................................................................................................133
5.5.1 Example for Configuring GVRP...........................................................................................................133
6 MAC Address Table Configuration.......................................................................................138
6.1 MAC Address Table Overview......................................................................................................................139
6.2 MAC Address Table Features Supported by the AR1200-S..........................................................................139
6.3 Configuring the MAC Address Table............................................................................................................140
6.3.2 Creating a Static MAC Address Entry..................................................................................................141
6.3.3 Creating a Blackhole MAC Address Entry...........................................................................................141
6.3.4 (Optional) Setting the Aging Time for Dynamic MAC Address Entries..............................................141
6.3.5 (Optional) Disabling MAC Address Learning......................................................................................142
6.4 Configuring Port Security...............................................................................................................................144
6.4.2 Enabling Port Security...........................................................................................................................144
6.4.3 Enabling the Sticky MAC Function on an Interface.............................................................................145
6.4.4 (Optional) Setting the Maximum Number of MAC Addresses Learned by an Interface......................146
6.4.5 (Optional) Configuring the Protective Action for an Interface.............................................................146
vii
6.4.6 (Optional) Setting the Aging Time for Secure Dynamic MAC Addresses on an Interface..................147
6.5 Configuring Limitation on MAC Address Learning......................................................................................148
6.5.2 Limiting MAC Address Learning on an Interface.................................................................................148
6.6 Configuring MAC Address Flapping Detecting Function.............................................................................150
6.6.2 Configuring MAC Address Flapping Detection....................................................................................150
6.6.3 Unblocking an Interface or a MAC Address.........................................................................................151
6.7 Configuring the Router to Discard Packets with an Invalid All-0 MAC Address.........................................152
6.7.2 Configuring the Router to Discarding Packets with All-0 MAC Addresses.........................................152
6.7.3 Triggering an Alarm for Packets with All-0 MAC Addresses..............................................................153
6.8 Maintaining the MAC Address Table............................................................................................................154
6.8.1 Debugging the MAC Address Table.....................................................................................................154
6.9.1 Example for Configuring the MAC Address Table...............................................................................154
6.9.2 Example for Configuring Port Security.................................................................................................157
6.9.3 Example for Configuring MAC Address Limiting Rules on Interfaces................................................159
7 STP/RSTP Configuration.........................................................................................................161
7.1 STP/RSTP Overview......................................................................................................................................162
7.2 STP/RSTP Features Supported by the AR1200-S..........................................................................................166
7.3 Configuring Basic STP/RSTP Functions.......................................................................................................168
7.3.2 Configuring the STP/RSTP Mode.........................................................................................................170
7.3.3 (Optional) Configuring Switching Device Priorities.............................................................................170
7.3.4 (Optional) Configuring the Path Cost for a Port....................................................................................171
7.3.5 (Optional) Configuring Port Priorities...................................................................................................172
7.3.6 Enabling STP/RSTP..............................................................................................................................173
7.4 Configuring STP/RSTP Parameters on an Interface......................................................................................174
7.4.2 Configuring System Parameters............................................................................................................177
7.4.3 Configuring Port Parameters.................................................................................................................179
7.5 Configuring RSTP Protection Functions........................................................................................................182
7.5.2 Configuring BPDU Protection on a Switching Device.........................................................................184
7.5.3 Configuring TC Protection on a Switching Device...............................................................................184
viii
7.5.4 Configuring Root Protection on a Port..................................................................................................185
7.5.5 Configuring Loop Protection on a Port.................................................................................................186
7.6 Maintaining STP/RSTP..................................................................................................................................187
7.6.1 Clearing STP/RSTP Statistics...............................................................................................................188
7.7.1 Example for Configuring Basic STP Functions....................................................................................188
7.7.2 Example for Configuring Basic RSTP Functions..................................................................................192
8 MSTP Configuration.................................................................................................................198
8.1 MSTP Introduction.........................................................................................................................................200
8.2 MSTP Features Supported by the AR1200-S.................................................................................................207
8.3 Configuring Basic MSTP Functions...............................................................................................................209
8.3.2 Configuring the MSTP Mode................................................................................................................212
8.3.3 Configuring and Activating an MST Region........................................................................................212
8.3.4 (Optional) Configuring a Priority for a Switching Device in an MSTI.................................................214
8.3.5 (Optional) Configuring a Path Cost of a Port in an MSTI.....................................................................215
8.3.6 (Optional) Configuring a Port Priority in an MSTI...............................................................................216
8.3.7 Enabling MSTP.....................................................................................................................................217
8.4 Configuring MSTP Parameters on an Interface.............................................................................................218
8.4.2 Configuring System Parameters............................................................................................................219
8.4.3 Configuring Port Parameters.................................................................................................................221
8.5 Configuring MSTP Protection Functions.......................................................................................................224
8.5.2 Configuring BPDU Protection on a Switching Device.........................................................................226
8.5.3 Configuring TC Protection on a Switching Device...............................................................................227
8.5.4 Configuring Root Protection on an Interface........................................................................................228
8.5.5 Configuring Loop Protection on an Interface........................................................................................229
8.6 Configuring MSTP Interoperability Between Huawei Devices and Non-Huawei Devices...........................230
8.6.2 Configuring a Proposal/Agreement Mechanism...................................................................................231
8.6.3 Configuring the MSTP Protocol Packet Format on an Interface...........................................................232
8.6.4 Enabling the Digest Snooping Function................................................................................................233
8.7 Maintaining MSTP.........................................................................................................................................234
8.7.1 Clearing MSTP Statistics.......................................................................................................................234
ix
8.8.1 Example for Configuring Basic MSTP Functions.................................................................................235
x
1 Link Aggregation Configuration
About This Chapter
This chapter describes link aggregation concepts and how to configure link aggregation groups
while also providing configuration examples.
1.1 Introduction to Link Aggregation
This section describes the concept of link aggregation.
1.2 Link Aggregation Supported by the AR1200-S
This section describes the link aggregation features supported by the AR1200-S.
1.3 Configuring Link Aggregation in Manual Load Balancing Mode
This section describes how to configure link aggregation in manual load balancing mode.
1.4 Configuring Link Aggregation in Static LACP Mode
This section describes how to configure link aggregation in static LACP mode.
1.5 Maintaining Link Aggregation
This section describes how to clear the statistics of received and sent LACP packets, debug the
link aggregation group, and monitor the running status of the link aggregation group.
1.6 Configuration Examples
This section provides configuration examples of link aggregation in manual load balancing mode
and in static LACP mode.
Configuration Guide - LAN 1 Link Aggregation Configuration
1
1.1 Introduction to Link Aggregation
This section describes the concept of link aggregation.
Link aggregation refers to a method of bundling a group of physical interfaces into a logical
interface to increase bandwidth and improve reliability. These types of groupings are also called
multi-interface load sharing groups or link aggregation groups (LAGs). For details, refer to
IEEE802.3ad.
Link aggregation provides redundancy protection for communication channels among between
devices without upgrading the hardware to higher capacities.
1.2 Link Aggregation Supported by the AR1200-S
This section describes the link aggregation features supported by the AR1200-S.
Manual Load Balancing Mode
In load balancing mode, you can manually add member interfaces to a link aggregation group
(LAG). All the interfaces configured with load balancing are in forwarding state. The AR1200-
S can perform load balancing based on Exclusive-Or of source and destination MAC addresses,
or Exclusive-Or of source and destination IP addresses.
The manual load balancing mode does not use the Link Aggregation Control Protocol (LACP).
The AR1200-S can use this mode if the peer device does not support LACP.
Static LACP Mode
In static LACP mode, devices at two ends of a link negotiate aggregation parameters by
exchanging LACP packets. After the negotiation is complete, the two devices determine the
active interface and the inactive interface. In this mode, you need to manually create an Eth-
Trunk and add members to it. LACP negotiation determines which interfaces are active and
which ones are inactive.
The static LACP mode is also called the M:N mode. In this mode, links load balance traffic and
provide redundancy backup at the same time. In an LAG, M links are active and they forward
data in load balancing mode. N links are inactive and they function as backup links. The backup
links do not forward data. If an active link fails, data forwarding is switched to the backup link
with the highest priority, and the status of the backup link changes to active.
In static LACP mode, some links function as backup links. In manual load balancing mode, all
member interfaces work in forwarding state to share the traffic. This is the main difference
between the two modes.
Active and Inactive Interfaces
Active interfaces refer to the interfaces in active state that forward data. The interfaces that do
not forward data and are in inactive state are called inactive interfaces. Depending on the link
aggregation mode the interfaces use, active and inactive interfaces are classified as follows:
l Manual load balancing mode: Generally, all member interfaces are active interfaces unless
a fault occurs.
2
l Static LACP mode: The interfaces connected to M links are active interfaces that forward
data; the interfaces connected to N links are inactive interfaces that are used for redundancy
backup.
Actor and Partner
In static LACP mode, the device in the link aggregation group with a higher LACP priority is
the Actor and the device with a lower LACP priority is the Partner.
If the two devices have the same LACP priority, the Actor is selected based on the MAC
addresses of the devices. The device with a smaller MAC address becomes the Actor.
Differentiating the Actor and the Partner keeps the active interfaces at both ends consistent. If
both ends select active interfaces according to the priorities of their own interfaces, the active
interfaces may be different at two ends. To prevent this problem, devices at two ends determine
the Actor first, and the Partner selects active interfaces according to priorities of the interfaces
on the Actor. Figure 1-1 shows the process of selecting active interfaces.
Figure 1-1 Determining the active links in static LACP mode
RouterA RouterB
RouterB RouterA
The Actor determines
the active link
Device with high
priority
Device with low
priority
Active interface selected by RouterA
Active interface selected by RouterB

1.3 Configuring Link Aggregation in Manual Load
Balancing Mode
This section describes how to configure link aggregation in manual load balancing mode.
1.3.1 Establishing the Configuration Task
Applicable Environment
When the bandwidth or the reliability of two devices should be increased and either of the two
devices does not support LACP, create an Eth-Trunk in manual load balancing mode on the
devices and add member interfaces to the Eth-Trunk, as shown in Figure 1-2.
3
Figure 1-2 Network diagram of link aggregation in manual load balancing mode
RouterA RouterB
Eth-Trunk 1 Eth-Trunk 1
Eth-Trunk

Pre-configuration Tasks
Before configuring an Eth-Trunk in manual load balancing mode, complete the following tasks:
l Powering on the AR1200-S
l Creating an Eth-Trunk
Data Preparation
To configure an Eth-Trunk in manual load balancing mode, you need the following data.
No. Data
1 Number of the Eth-Trunk in manual load balancing mode
2 Types and numbers of the member interfaces

1.3.2 Creating an Eth-Trunk Interface
Context
Eth-Trunk interfaces increase bandwidth and improve transmission reliability. You can
configure Layer 2 and Layer 3 Eth-Trunk interfaces for different applications on a network.
Procedure
l Creating a Layer 2 Eth-Trunk interface
1. Run:
system-view
The system view is displayed.
2. Run:
interface eth-trunk trunk-id
A Layer 2 Eth-Trunk interface is created.
By default, an Eth-Trunk interface works in Layer 2 mode.
1. Run:
system-view
4
2. Run:
3. Run:
undo portswitch
The Eth-Trunk interface is configured to work in Layer 3 mode.
4. Run:
ip address ip-address { mask | mask-length } [ sub ]
An IP address is configured for the Layer 3 Eth-Trunk interface.
5. (Optional) Run:
mtu mtu
The maximum transmission unit (MTU) of the Eth-Trunk interface is set.
The default MTU of an interface is 1500 bytes.
CAUTION
l The mtu command cannot be used on Layer 2 Eth-Trunk interfaces.
l Directly connected interfaces must use the same MTU. If you change the MTU of
an interface, you must use the mtu command to change the MTU of the peer
interface to the same value; otherwise, services may be interrupted.
l After changing the MTU on an interface, run the shutdown command and then
the undo shutdown command on the interface to make the setting take effect.
----End
1.3.3 Configuring an Eth-Trunk to Work in Manual Load Balancing
Mode
Context
Perform the following steps on the AR1200-S to configure an Eth-Trunk in manual load
balancing mode.
NOTE
Check whether the Eth-Trunk contains member interfaces before you configure the operation mode of the
Eth-Trunk. If the Eth-Trunk contains member interfaces, the operation mode of the Eth-Trunk cannot be
changed. To delete member interfaces from the Eth-Trunk, run the undo eth-trunk command in the
interface view or run the undo trunkport interface-type { interface-number1 [ to interface-number2 ] }
&<1-8> command in the Eth-Trunk view.
Procedure
Step 1 Run:
system-view
5
Step 2 Run:
The Eth-Trunk interface view is displayed.
Step 3 Run:
mode manual load-balance
The operation mode of the Eth-Trunk is set to manual load balancing.
By default, an Eth-Trunk works in manual load balancing mode.
If the local device is configured with an Eth-Trunk in manual load balancing mode, configure
the Eth-Trunk in manual load balancing mode on the peer device.
----End
1.3.4 Adding Member Interfaces to an Eth-Trunk
Context
Perform the following steps on the AR1200-S to configure member interfaces of an Eth-Trunk.
Procedure
l Configuration in the Eth-Trunk interface view
1. Run:
system-view
2. Run:
3. Run:
trunkport interface-type { interface-number1 [ to interface-number2 ] }
&<1-8>
Member interfaces are added to the Eth-Trunk.
l Configuration in the member interface view
1. Run:
system-view
2. Run:
interface interface-type interface-number
The interface view is displayed.
3. Run:
eth-trunk trunk-id
The interface is added to the Eth-Trunk.
When adding an interface to an Eth-Trunk, pay attention to the following points:
6
Member interfaces of a Layer 2 Eth-Trunk must be Layer 2 interfaces, and member
interfaces of a Layer 3 Eth-Trunk must be Layer 3 interfaces.
An Eth-Trunk supports a maximum of eight member interfaces.
A member interface cannot have any service or static MAC address configured.
Ensure that interfaces added to an Eth-Trunk are hybrid interfaces (the default interface
type).
An Eth-Trunk interface cannot have other Eth-Trunk interfaces as member interfaces.
An Ethernet interface can be added to only one Eth-trunk interface. To add the Ethernet
interface to another Eth-trunk, delete the Ethernet interface from the current Eth-Trunk
first.
Member interfaces of an Eth-trunk must be the same type. For example, an FE interface
and a GE interface cannot be added to the same Eth-trunk interface.
Ethernet interfaces on different LPUs can be added to the same Eth-Trunk.
The peer interface directly connected to a member interface of the local Eth-Trunk must
also be added to an Eth-Trunk; otherwise, the two ends cannot communicate.
When member interfaces have different rates, the interfaces with lower rates may
become congested and packet loss may occur.
After an interface is added to an Eth-Trunk, MAC address learning is performed by the
Eth-Trunk rather than the member interfaces.
G.SHDSL interfaces that work in PTM mode cannot be added to an Eth-Trunk.
----End
1.3.5 (Optional) Limiting the Number of Active Interfaces
Context
Perform the following steps on the AR1200-S to limit the number of active interfaces.
Procedure
l Setting the maximum number of interfaces that determine bandwidth for an Eth-Trunk
1. Run:
system-view
2. Run:
3. Run:
max bandwidth-affected-linknumber link-number
The maximum number of interfaces that determine bandwidth for the Eth-Trunk is
set.
By default, the maximum number of interfaces that determine bandwidth for an Eth-
Trunk is 8.
7
NOTE
l The maximum number of interfaces that determine bandwidth for an Eth-Trunk on the local
AR1200-S and that on the remote AR1200-S can be different. If the values of this setting at the
two ends are different, the smaller value is used.
l Setting the minimum number of active interfaces
1. Run:
system-view
2. Run:
3. Run:
least active-linknumber link-number
The minimum number of active interfaces is set.
By default, the minimum number of active interfaces is 1.
In manual load balancing mode, you can determine the minimum number of active
interfaces in the Eth-Trunk. If the number of active interfaces is smaller than the minimum
value, the status of the Eth-Trunk becomes Down.
NOTE
l The minimum number of active interfaces on the local AR1200-S and that on the remote AR1200-
S can be different. If the values of this setting at the two ends are different, the larger value is
used.
----End
1.3.6 Checking the Configuration
Procedure
l Run the display trunkmembership eth-trunk trunk-id command to display the member
interfaces of the Eth-Trunk.
l Run the display eth-trunk [ trunk-id ] command to display the load balancing status of the
Eth-Trunk.
----End
Example
Run the display trunkmembership eth-trunk command to view the operation mode, total
number of member interfaces, number of member interfaces in Up state, and information about
the member interfaces.
<Huawei> display trunkmembership eth-trunk 1
Trunk ID: 1
Used status: VALID
TYPE: ethernet
Working Mode : Normal
Number Of Ports in Trunk = 2
Number Of Up Ports in Trunk = 0
Operate status: down
8
Interface Ethernet0/0/1, valid, operate down, weight=1
Run the display eth-trunk command to check the load balancing mode of the Eth-Trunk. By
default, the load balancing mode of the Layer 2 Eth-Trunk is displayed as "SA-XOR-DA" in the
output information.
<Huawei> display eth-trunk 1
Eth-Trunk1's state information is:
WorkingMode: NORMAL Hash arithmetic: According to SA-XOR-DA
Least Active-linknumber: 1 Max Bandwidth-affected-linknumber: 8
Operate status: down Number Of Up Port In Trunk: 0
--------------------------------------------------------------------------------
PortName Status Weight
Ethernet0/0/1 Down 1
Ethernet0/0/2 Down 1
1.4 Configuring Link Aggregation in Static LACP Mode
This section describes how to configure link aggregation in static LACP mode.
To increase the bandwidth and improve the connection reliability, you can configure a link
aggregation group on two directly connected routers. The requirements are as follows:
l The links between two devices can implement redundancy backup. When a fault occurs on
one or more links, the backup links replace the faulty ones to help ensure uninterrupted
data transmission.
l The active links have the load balancing capability.
Figure 1-3 Networking of link aggregation in static LACP mode
RouterB
Eth-Trunk 1
RouterA
Eth-Trunk 1
Eth-Trunk
Active link
Standby link

Before configuring an Eth-Trunk in static LACP mode, complete the following tasks:
l Powering on the AR1200-S
l Creating an Eth-Trunk
Data Preparation
To configure an Eth-Trunk in static LACP mode, you need the following data.
9
No. Data
1 Number of the Eth-Trunk in static LACP mode
2 Types and numbers of the member interfaces
3 Maximum number of active interfaces

1.4.2 Creating an Eth-Trunk Interface
Context
Eth-Trunk interfaces increase bandwidth and improve transmission reliability. Depending on
the type of network application, configure Layer 2 or Layer 3 Eth-Trunk interfaces.
Procedure
1. Run:
system-view
2. Run:
By default, an Eth-Trunk interface works in Layer 2 mode.
1. Run:
system-view
2. Run:
3. Run:
undo portswitch
The Eth-Trunk interface is configured to work in Layer 3 mode.
4. Run:
An IP address is configured for the Layer 3 Eth-Trunk interface.
5. (Optional) Run:
mtu mtu
The maximum transmission unit (MTU) of the Eth-Trunk interface is set.
The default MTU is 1500 bytes.
10
CAUTION
l The mtu command cannot be used on Layer 2 Eth-Trunk interfaces.
l Directly connected interfaces must use the same MTU. If you change the MTU of
an interface, you must use the mtu command to change the MTU of the peer
interface to the same value; otherwise, services may be interrupted.
l After changing the MTU on an interface, run the shutdown command and then
the undo shutdown command on the interface to make the setting take effect.
----End
1.4.3 Configuring an Eth-Trunk to Work in Static LACP Mode
Context
NOTE
Check whether the Eth-Trunk contains member interfaces before you configure the operation mode of the
Eth-Trunk. If the Eth-Trunk contains member interfaces, the operation mode of the Eth-Trunk cannot be
changed. To delete member interfaces from the Eth-Trunk, run the undo eth-trunk command in the
interface view or run the undo trunkport interface-type { interface-number1 [ to interface-number2 ] }
&<1-8> command in the Eth-Trunk view.
Perform the following steps on the AR1200-S.
Procedure
Step 1 Run:
system-view
Step 2 Run:
Step 3 Run:
mode lacp-static
The Eth-Trunk is configured to work in static LACP mode.
By default, an Eth-Trunk works in manual load balancing mode.
If the local device is configured with an Eth-Trunk in static LACP mode, configure the Eth-
Trunk in static LACP mode on the peer device.
----End
1.4.4 Adding Member Interfaces to an Eth-Trunk
Context
11
Procedure
l Configuration in the Eth-Trunk interface view
1. Run:
system-view
2. Run:
3. Run:
trunkport interface-type { interface-number1 [ to interface-number2 ] }
&<1-8>
Member interfaces are added to the Eth-Trunk.
l Configuration in the member interface view
1. Run:
system-view
2. Run:
3. Run:
eth-trunk trunk-id
The interface is added to the Eth-Trunk.
When adding an interface to an Eth-Trunk, pay attention to the following points:
Member interfaces of a Layer 2 Eth-Trunk must be Layer 2 interfaces, and member
interfaces of a Layer 3 Eth-Trunk must be Layer 3 interfaces.
An Eth-Trunk contains a maximum of eight member interfaces.
A member interface cannot be configured with any service or static MAC address.
Ensure that interfaces added to an Eth-Trunk are hybrid interfaces (the default interface
type).
An Eth-Trunk interface cannot have other Eth-Trunk interfaces as member interfaces.
An Ethernet interface can be added to only one Eth-trunk interface. To add the Ethernet
interface to another Eth-trunk, delete the Ethernet interface from the current Eth-Trunk
first.
The member interfaces of an Eth-trunk must be the same type, that is, an FE interface
and a GE interface cannot be added to the same Eth-trunk.
Ethernet interfaces on different LPUs can be added to the same Eth-Trunk.
The peer interface directly connected to a member interface of the local Eth-Trunk must
also be added to an Eth-Trunk; otherwise, the two ends cannot communicate.
When member interfaces have different rates, the interfaces with lower rates may
become congested and packet loss may occur.
12
After an interface is added to an Eth-Trunk, MAC address learning is performed by the
Eth-Trunk rather than the member interfaces.
----End
1.4.5 (Optional) Limiting the Number of Active Interfaces
Context
Perform the following steps on the AR1200-S to limit the number of active interfaces.
Procedure
l Setting the maximum number of active interfaces
1. Run:
system-view
2. Run:
3. Run:
max active-linknumber link-number
The maximum number of active interfaces is set.
In static LACP mode, you can limit the maximum number (M) of active interfaces in the
Eth-Trunk. The other member interfaces function as backups.
If the maximum number of active interfaces is not set, up to eight interfaces in the Eth-
Trunk can be active.
NOTE
l The maximum number of active interfaces must be larger than or equal to the minimum number
of active interfaces.
l The maximum number of active interfaces on the local AR1200-S and that on the remote
AR1200-S can be different. If the values of this setting at the two ends are different, the smaller
value is used.
l Setting the minimum number of active interfaces
1. Run:
system-view
2. Run:
3. Run:
least active-linknumber link-number
The minimum number of active interfaces is set.
By default, the minimum number of active interfaces is 1.
13
In static LACP mode, you can determine the minimum number of active interfaces in the
Eth-Trunk. If the number of active interfaces is smaller than the minimum value, the status
of the Eth-Trunk becomes Down.
NOTE
l The minimum number of active interfaces must be smaller than or equal to the maximum number
of active interfaces.
l The minimum number of active interfaces on the local AR1200-S and that on the remote AR1200-
S can be different. If the values of this setting at the two ends are different, the larger value is
used.
----End
1.4.6 (Optional) Setting the LACP Priority of the System
Context
Perform the following steps on the AR1200-S to set the LACP priority of the system.
Procedure
Step 1 Run:
system-view
Step 2 Run:
lacp priority priority
The system LACP priority is set for the AR1200-S.
A smaller LACP priority value indicates a higher priority. By default, the LACP priority of the
system is 32768.
The end with smaller priority value functions as the Actor. If the two ends have the same priority,
the end with a smaller MAC address functions as the Actor.
----End
1.4.7 (Optional) Setting the LACP Priority for an Interface
Context
Perform the following steps on the AR1200-S to set the LACP priority for an interface.
Procedure
Step 1 Run:
system-view
Step 2 Run:
14
Step 3 Run:
lacp priority priority
The LACP priority is set for the interface.
By default, the LACP priority of an interface is 32768.
----End
1.4.8 (Optional) Enabling LACP Preemption and Setting the
Preemption Delay
Context
Procedure
Step 1 Run:
system-view
Step 2 Run:
Step 3 Run:
lacp preempt enable
The LACP preemption function is enabled on the Eth-Trunk interface.
By default, the LACP preemption function is disabled.
NOTE
To ensure normal running of an Eth-Trunk, it is recommended that you enable or disable LACP preemption
on both ends of the Eth-Trunk.
Step 4 Run:
lacp preempt delay delay-time
The preemption delay is set for the Eth-Trunk.
By default, the preemption delay is 30 seconds.
LACP preemption function ensures that the interface with the highest LACP priority serves as
an active interface. If this function is enabled, the interface with the highest priority automatically
becomes an active interface after recovering from a failure. If this function is enabled, the
interface cannot automatically become an active interface again after it goes Down due to a
failure.
The delay for LACP preemption refers to the period in which an inactive interface of the Eth-
Trunk in static LACP mode waits before it becomes active.
----End
15
1.4.9 (Optional) Setting the Timeout Interval for Receiving LACP
Packets
Context
Perform the following steps on the AR1200-S to set the timeout interval for receiving LACP
packets.
Procedure
Step 1 Run:
system-view
Step 2 Run:
Step 3 Run:
lacp timeout { fast | slow }
The timeout interval for receiving LACP protocol packets is set on the Eth-Trunk.
NOTE
l After the lacp timeout command is configured, the local end informs the peer end of the configured
timeout interval through LACP packets. The peer end then sends LACP packets at the specified interval.
If the fast keyword is used, the peer end sends LACP packets at an interval of 1 second. If the slow
keyword is used, the peer end sends LACP packets at an interval of 30 seconds.
l The timeout interval for receiving LACP packets on the local end is three times the interval at which
the peer end sends LACP packets. That is, when the fast keyword is used, the timeout interval for
receiving LACP packets is 3s; when the slow keyword is used, the timeout interval for receiving LACP
packets is 90s.
l You can select different keywords on the two ends. However, it is recommended that you select the
same keyword on both ends to facilitate maintenance.
----End
Procedure
l Run the display eth-trunk [ trunk-id [interface interface-type interface-number ] ]
command to display information about the Eth-Trunk and member interfaces.
----End
Example
Run the display trunkmembership eth-trunk command to view the operation mode, total
number of member interfaces, number of member interfaces in Up state, and information about
member interfaces of an Eth-Trunk.
16
<Huawei> display trunkmembership eth-trunk 1
Trunk ID: 1
Used status: VALID
TYPE: ethernet
Working Mode : Static
Number Of UP Ports in Trunk = 0
operate status: down
Run the display eth-trunk command to view information about an Eth-Trunk. The following
information shows that the Eth-Trunk work in static LACP mode.
<Huawei> display eth-trunk 1
Local:
LAG ID: 1 WorkingMode: STATIC
Preempt Delay: Disabled Hash arithmetic: According to SIP-XOR-DIP
System Priority: 50 System ID: 000b-09d3-dc62
Least Active-linknumber: 3 Max Active-linknumber: 8
Operate status: down Number Of Up Port In Trunk: 0
--------------------------------------------------------------------------------
ActorPortName Status PortType PortPri PortNo PortKey PortState Weight
Ethernet0/0/1 Unselect 100M 10 1547 561 11100000 1
Partner:
--------------------------------------------------------------------------------
ActorPortName SysPri SystemID PortPri PortNo PortKey PortState
Ethernet0/0/1 0 0000-0000-0000 0 0 0 11100000
Ethernet0/0/2 0 0000-0000-0000 0 0 0 11100011
Ethernet0/0/3 0 0000-0000-0000 0 0 0 11100011
1.5 Maintaining Link Aggregation
This section describes how to clear the statistics of received and sent LACP packets, debug the
link aggregation group, and monitor the running status of the link aggregation group.
1.5.1 Clearing Statistics of LACP Packets
Context
CAUTION
The statistics of LACP packets cannot be restored after being cleared.
Procedure
Step 1 Run the reset lacp statistics eth-trunk [ trunk-id [ interface interface-type interface-
number ] ] command in the user view to clear statistics of received and sent LACP packets.
----End
17
1.5.2 Debugging the Link Aggregation Group
Context
CAUTION
Debugging affects system performance. Run the undo debugging all command immediately
after debugging is completed.
When a running fault occurs in the link aggregation group, run the following debugging
commands in the user view to check the debugging information, and locate and analyze the fault.
Procedure
l Run the debugging trunk error command to enable the debugging of Eth-Trunk errors.
l Run the debugging trunk event command to enable the debugging of Eth-Trunk events.
l Run the debugging trunk lacp-pdu command to enable the debugging of LACP packets.
l Run the debugging trunk lagmsg command to enable the debugging of LACP protocol
messages.
l Run the debugging trunk msg command to enable the debugging of Eth-Trunk messages.
l Run the debugging trunk state-machine command to enable the debugging of Eth-Trunk
status machine.
l Run the debugging trunk updown command to enable the debugging of Eth-Trunk Up
and Down messages.
l Run the debugging trunk command to enable the debugging of Eth-Trunk messages.
----End
1.5.3 Monitoring the Operating Status of the Link Aggregation
Group
Context
During the routine maintenance, you can run the following commands in any view to check the
operating status of the link aggregation group.
Procedure
l Run the display eth-trunk command to display the status of the link aggregation group.
l Run the display lacp statistics eth-trunk [ trunk-id [ interface interface-type interface-
number ] ] command to display the statistics of sent and received LACP packets.
----End
18
This section provides configuration examples of link aggregation in manual load balancing mode
and in static LACP mode.
1.6.1 Example for Configuring Link Aggregation in Manual Load
Balancing Mode
Networking Requirements
As shown in Figure 1-4, the Router is connected to the broadband remote access server (BRAS)
through an Eth-Trunk. The link between the Router and BRAS must ensure high reliability, and
data traffic needs to be load balanced among the LPUs of the Router. To meet this requirement,
you need to configure an Eth-Trunk on the Router.
Figure 1-4 Network diagram of link aggregation in manual load balancing mode
BRAS
Router
Eth-Trunk 1
DSLAM DSLAM
Eth0/0/1
VLAN 100-150
E
t
h
-
T
r
u
n
k
Eth-Trunk 1
Eth0/0/4 Eth0/0/3
Eth0/0/2
VLAN 151-200

Configuration Roadmap
The configuration roadmap is as follows:
1. Create an Eth-Trunk.
2. Add member interfaces to the Eth-Trunk.
19
Data Preparation
To complete the configuration, you need the following data:
l Number of the Eth-Trunk
l Types and numbers of the member interfaces in the Eth-Trunk
Procedure
Step 1 Create an Eth-Trunk.
# Create Eth-Trunk 1.
<Huawei> system-view
[Huawei] sysname Router
[Router] interface eth-trunk 1
[Router-Eth-Trunk1] quit
Step 2 Add member interfaces to the Eth-Trunk.
# Add Ethernet 0/0/3 to Eth-Trunk 1.
[Router] interface ethernet 0/0/3
[Router-Ethernet0/0/3] eth-trunk 1
[Router-Ethernet0/0/3] quit
# Add Ethernet 0/0/4 to Eth-Trunk 1.
[Router-Ethernet0/0/4] eth-trunk 1
Step 3 Configure Eth-Trunk 1.
# Configure Eth-Trunk 1 to allow packets of VLANs 100 to 200 to pass through.
[Router] interface eth-trunk 1
[Router-Eth-Trunk1] port link-type trunk
[Router-Eth-Trunk1] port trunk allow-pass vlan 100 to 200
[Router-Eth-Trunk1] quit
Step 4 Verify the configuration.
Run the display trunkmembership eth-trunk trunk-id command in any view to check whether
Eth-Trunk 1 is created and whether member interfaces are added.
[Router] display trunkmembership eth-trunk 1
Trunk ID: 1
Used status: VALID
TYPE: ethernet
Working Mode : Normal
Number Of UP Ports in Trunk = 2
operate status: up
Interface Ethernet0/0/3, valid, operate up, weight=1,
Interface Ethernet0/0/4, valid, operate up, weight=1,
# Display the configuration of Eth-Trunk 1.
[Router] display eth-trunk 1
WorkingMode: NORMAL Hash arithmetic: According to SA-XOR-DA
Least Active-linknumber: 1 Max Bandwidth-affected-linknumber: 8
Operate status: up Number Of Up Port In Trunk: 2
--------------------------------------------------------------------------------
20
Ethernet0/0/3 Up 1
Ethernet0/0/4 Up 1
The preceding information indicates that Eth-Trunk 1 consists of member interfaces Ethernet
0/0/3 and Ethernet 0/0/4. The member interfaces are both in Up state.
----End
Configuration Files
Configuration file of the Router
#
sysname Router
#
interface Eth-Trunk1
port link-type trunk
port trunk allow-pass vlan 100 to 200
#
interface Ethernet0/0/3
eth-trunk 1
#
eth-trunk 1
#
return
1.6.2 Example for Configuring Link Aggregation in Static LACP
Mode
To increase the bandwidth and improve the connection reliability, you can configure a link
aggregation group on two directly connected routers, as shown in Figure 1-5. The requirements
are as follows:
l The link aggregation group contains three member links. Two links function as active links
to implement load balancing, and the other link functions as the backup link.
l When a fault occurs on an active link, the backup link replaces the faulty one to help ensure
uninterrupted data.
Figure 1-5 Network diagram of link aggregation in static LACP mode
RouterA RouterB
Eth-Trunk 1
Eth-Trunk 1
Eth-Trunk
Eth 0/0/1
Eth 0/0/2
Eth 0/0/3
Eth 0/0/1
Eth 0/0/2
Eth 0/0/3
Active link
Backup link

1. Create an Eth-Trunk on each Router and configure the Eth-Trunk to work in static LACP
mode.
21
2. Add member interfaces to the Eth-Trunk.
3. Set the system priority and determine the Actor.
4. Set the maximum number of active interfaces in the Eth-Trunk.
5. Set the priority of the interface and determine the active link.
Data Preparation
l Number of the link aggregation group
l System priority of RouterA
l Maximum number of active interfaces in the Eth-Trunk
l LACP priorities of the active interfaces
Procedure
Step 1 Create Eth-Trunk 1 and set the load balancing mode of the Eth-Trunk to static LACP mode.
# Configure RouterA.
[Huawei] sysname RouterA
[RouterA] interface eth-trunk 1
[RouterA-Eth-Trunk1] mode lacp-static
[RouterA-Eth-Trunk1] quit
# Configure RouterB.
[Huawei] sysname RouterB
[RouterB] interface eth-trunk 1
[RouterB-Eth-Trunk1] mode lacp-static
[RouterB-Eth-Trunk1] quit
Step 2 Add member interfaces to the Eth-Trunk.
# Configure RouterA.
[RouterA] interface ethernet 0/0/1
[RouterA-Ethernet0/0/1] eth-trunk 1
[RouterA-Ethernet0/0/1] quit
# Configure RouterB.
[RouterB] interface ethernet 0/0/1
[RouterB-Ethernet0/0/1] eth-trunk 1
[RouterB-Ethernet0/0/1] quit
Step 3 Set the system priority on RouterA to 100 so that RouterA becomes the Actor.
22
[RouterA] lacp priority 100
Step 4 Set maximum number of active interfaces in the Eth-Trunk on RouterA to 2.
[RouterA-Eth-Trunk1] max active-linknumber 2
Step 5 Set the priority of the interface and determine active links on RouterA.
[RouterA-Ethernet0/0/1] lacp priority 100
[RouterA-Ethernet0/0/2] lacp priority 100
# Check information about the Eth-Trunk of the Routers and check whether the negotiation is
successful on the link.
[RouterA] display eth-trunk 1
Local:
Preempt Delay: Disabled Hash arithmetic: According to SA-XOR-DA
System Priority: 100 System ID: 00e0-fca8-0417
Operate status: Up Number Of Up Port In Trunk: 2
------------------------------------------------------------------------------
ActorPortName Status PortType PortPri PortNo PortKey PortState
Weight
Ethernet0/0/1 Selected 100M 100 6145 2865 11111100
1
1
Ethernet0/0/3 Unselect 100M 32768 6147 2865 11100000
1
Partner:
------------------------------------------------------------------------------
PartnerPortName SysPri SystemID PortPri PortNo PortKey PortState
Ethernet0/0/1 32768 00e0-fca6-7f85 32768 6145 2609 11111100
Ethernet0/0/2 32768 00e0-fca6-7f85 32768 6146 2609 11111100
Ethernet0/0/3 32768 00e0-fca6-7f85 32768 6147 2609 11110000
[RouterB] display eth-trunk 1
Local:
Preempt Delay: Disabled Hash arithmetic: According to SA-XOR-DA
System Priority: 32768 System ID: 00e0-fca6-7f85
Operate status: Up Number Of Up Port In Trunk: 2
------------------------------------------------------------------------------
ActorPortName Status PortType PortPri PortNo PortKey PortState
Weight
1
1
Ethernet0/0/3 Unselect 100M 32768 6147 2609 11100000
1
Partner:
------------------------------------------------------------------------------
PartnerPortName SysPri SystemID PortPri PortNo PortKey
PortState
Ethernet0/0/1 100 00e0-fca8-0417 100 6145 2865
11111100
23
Ethernet0/0/2 100 00e0-fca8-0417 100 6146 2865
11111100
Ethernet0/0/3 100 00e0-fca8-0417 32768 6147 2865
11110000
The preceding information shows that the system priority of RouterA is 100, which is higher
than the system priority of RouterB. Member interfaces Ethernet0/0/1 and Ethernet0/0/2 are
active interfaces and are in Selected state. Interface Ethernet0/0/3 is in Unselect state.
----End
Configuration Files
l Configuration file of RouterA
#
sysname RouterA
#
lacp priority 100
#
mode lacp-static
max active-linknumber 2
#
eth-trunk 1
lacp priority 100
#
eth-trunk 1
lacp priority 100
#
eth-trunk 1
#
return
l Configuration file of RouterB
#
sysname RouterB
#
mode lacp-static
#
eth-trunk 1
#
eth-trunk 1
#
eth-trunk 1
#
return
1.6.3 Example for Configuring Layer 3 Link Aggregation
RouterA and RouterB are connected by two pairs of Layer 3 GE interfaces. To increase link
bandwidth and improve reliability, you can create an Eth-Trunk interface on each router and add
the Layer 3 GE interfaces to the Eth-Trunk interface.
24
Figure 1-6 Network diagram of Layer 3 link aggregation
RouterA RouterB
GE1/0/0
GE2/0/0
GE1/0/0
GE2/0/0
Eth-Trunk1
Eth-Trunk1
100.1.1.1/24
100.1.1.2/24

1. Create a Layer 3 Eth-Trunk interface on each device and configure an IP addresses for each
Eth-Trunk interface.
2. Add GE interfaces to the Eth-Trunk.
Data Preparation
l Numbers of Layer 3 GE interfaces between RouterA and RouterB
l IP address of the Eth-Trunk interface on RouterA
l IP address of the Eth-Trunk interface on RouterB
Procedure
Step 1 Configure RouterA.
# Create a Layer 3 Eth-Trunk interface (Eth-Trunk 1) and configure an IP addresses for the Eth-
Trunk interface.
[RouterA-Eth-Trunk1] undo portswitch
[RouterA-Eth-Trunk1] ip address 100.1.1.1 24
# Add GE1/0/0 and GE2/0/0 to Eth-Trunk 1.
[RouterA] interface gigabitethernet 1/0/0
[RouterA-GigabitEthernet1/0/0] eth-trunk 1
[RouterA-GigabitEthernet1/0/0] quit
[RouterA-GigabitEthernet2/0/0] eth-trunk 1
Step 2 Configure RouterB.
# Create a Layer 3 Eth-Trunk interface Eth-Trunk 1 and configure an IP addresses for the Eth-
Trunk interface.
[RouterB] interface eth-trunk 1
[RouterB-Eth-Trunk1] undo portswitch
[RouterB-Eth-Trunk1] ip address 100.1.1.2 24
25
[RouterB-Eth-Trunk1] quit
# Add GE1/0/0 and GE2/0/0 to Eth-Trunk 1.
[RouterB] interface gigabitethernet 1/0/0
[RouterB-GigabitEthernet1/0/0] eth-trunk 1
[RouterB-GigabitEthernet1/0/0] quit
[RouterB] interface gigabitethernet 2/0/0
[RouterB-GigabitEthernet2/0/0] eth-trunk 1
[RouterB-GigabitEthernet2/0/0] quit
Run the display interface eth-trunk command on RouterA or RouterB to verify that the Eth-
Trunk is in Up state.
Take the display on Router A as an example.
[RouterA] display interface eth-trunk 1
Eth-Trunk1 current state : UP
Line protocol current state : UP
Description:HUAWEI, AR Series, Eth-Trunk1 Interface
Route Port, Hash arithmetic : According to SIP-XOR-DIP,The Maximum Transmit Unit
is 1500
Internet Address is 100.1.1.1/24
IP Sending Frames' Format is PKTFMT_ETHNT_2, Hardware address is 00e0-fc09-9722
Current system time: 2011-4-14 14:51:01
Input bandwidth utilization : 0.00%
Output bandwidth utilization : 0.00%
-----------------------------------------------------
-----------------------------------------------------
GigabitEthernet1/0/0 UP 1
GigabitEthernet2/0/0 UP 1
-----------------------------------------------------
The Number of Ports in Trunk : 2
The Number of UP Ports in Trunk : 2
The Eth-Trunk interfaces on RouterA and RouterB can ping each other.
[RouterA] ping -a 100.1.1.1 100.1.1.2
PING 100.1.1.2: 56 data bytes, press CTRL_C to break
Reply from 100.1.1.2: bytes=56 Sequence=1 ttl=255 time=31 ms
--- 100.1.1.2 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 31/49/62 ms
----End
Configuration Files
#
sysname RouterA
#
undo portswitch
ip address 100.1.1.1 255.255.255.0
#
interface GigabitEthernet1/0/0
eth-trunk 1
#
26
eth-trunk 1
#
return
#
sysname RouterB
#
undo portswitch
ip address 100.1.1.2 255.255.255.0
#
eth-trunk 1
#
eth-trunk 1
#
return
27
2 Transparent Bridging Configuration
About This Chapter
Transparent bridges are widely used in Ethernet LANs because they are easy to configure and
operate.
2.1 Overview of Transparent Bridging
This section describes the background, advantages, and working principles of transparent
bridges applications in a LAN
2.2 Transparent Bridging Supported by the AR1200-S
This section describes transparent bridging features that the AR1200-S supports in various usage
scenarios. Familiarizing yourself with the usage scenarios will help you complete the
configuration task quickly and accurately.
2.3 Configuring Local Bridging
Configuring local bridging allows users in the same geographical location and on the same
network segment to communicate with each other.
2.4 Configuring Local Bridging Integrated with IP Routing
Configuring local bridging integrated with IP routing allows users in the same geographical
location but on different network segments to communicate with each other.
2.5 Configuring Remote Bridging
Configuring remote bridging allows users in different geographical locations and on the same
2.6 Configuring Remote Bridging Integrated with IP Routing
Configuring remote bridging integrated with IP routing allows users in different geographical
locations and on different network segments to communicate with each other.
2.7 Maintaining Transparent Bridging
This section describes how to clear traffic statistics on a bridge group to help locate faults in the
bridge group.
2.8 Configuration Example
This section describes the typical application scenarios of transparent bridging and provides
configuration roadmaps.
Configuration Guide - LAN 2 Transparent Bridging Configuration
28
2.1 Overview of Transparent Bridging
This section describes the background, advantages, and working principles of transparent
bridges applications in a LAN
Background
Ethernet LANs have become the dominant type of LAN technology due to their robust
expandability and cost effectiveness. On some small-scale networks especially on those scattered
networks, how to achieve communication within a LAN and between LANs remains a problem
that needs to be addressed urgently.
Switches can be used to connect LANs but cannot effectively implement Layer 3
communication. Traditional routers are not ideal for Ethernet LAN interconnections because
they are expensive and entail complex configurations.
Transparent bridging can be used on an Ethernet network to connect LANs with the same
physical medium and transmit data between the LANs. The forwarding behaviors of transparent
bridges are transparent to network users. Transparent bridging achieves Layer 2 data
communication between the LANs on the same network segment and also Layer 3 data
communication between the LANs on different network segments. Transparent bridging extends
distances between network devices and expands networks without requiring end users to perform
additional configurations on devices. Transparent bridging, which is easy to configure, easy to
use, and cost-effective, is a viable solution for small-scale networks, especially scattered
networks.
Local Bridging
A device can be configured with multiple transparent bridges. Interfaces added to a bridge group
can forward and broadcast traffic in the bridge group based on the destination MAC address.
Interfaces usually use dynamic MAC address entries for traffic forwarding. Dynamic MAC
address entries are generated based on the mapping relationship between the MAC address and
the interface. Alternatively, interfaces use static MAC address entries for traffic forwarding.
Static MAC address entries are manually configured and will not age.
As shown in Figure 2-1, LAN 1 and LAN 2 each have three hosts. Bridge groups are created
and interfaces of hosts in different LANs are added to the same bridge group. In this manner,
hosts in different LANs can communicate with each other at the link layer.
29
Figure 2-1 Networking diagram for local bridging
RouterA
User 2
User 3
User 1
LAN 1
User 5
User 6
User 4
LAN 2

After local bridging of the transparent bridge has been configured, the bridge group configured
for the transparent bridge is able to:
l Learn MAC forwarding entries (the mapping relationship between the MAC address and
interface) by default.
l Be configured with static and blackhole MAC entries.
l Be enabled with or disabled from dynamic MAC entry learning.
l Be configured with the aging time for dynamic MAC entries.
l Bridge all packets by default, including IP and non-IP packets.
Remote Bridging
Remote bridging allows LANs at different geographic locations to communicate with each other.
The intermediate network two bridged devices (on which bridge groups are created) can be an
Ethernet or a non-Ethernet network.
As shown in Figure 2-2, User 1, User 2, and User 3 belong to LAN 1; User 4, User 5, and User
6 belong to LAN 2. Two bridged devices are connected to the intermediate network using
Ethernet links or non-Ethernet links (such as PPP, HDLC, MP, FR, ATM, or MFR). When
remote bridging is enabled, hosts in LAN 1 and LAN 2 can communicate with each other.
30
Figure 2-2 Networking diagram for remote bridging
RouterB
Network
User 2
User 3
User 1
LAN 1
User 5
User 6
User 4
LAN 2
RouterA

To support remote bridging, the transparent bridge provides the following functions:
l Allow Ethernet interfaces, Ethernet sub-interfaces, VLANIF, VT, Dialer, serial, and ATM
interfaces, ATM sub-interfaces, FR interfaces, FR sub-interfaces, MFR interfaces, and
MLPP interfaces to be added to bridge groups.
l Support link encapsulation protocols, such as Ethernet, PPP, HDLC, FR, and ATM.
l Support 802.1q VLAN ID transparent transmission.
l Support bridging IP packets and non-IP packets.
Integrated Bridging and Routing
Integrated bridging and routing processes protocol packets as follows:
l Bridges protocol packets between member interfaces in a bridge group.
l Uses Bridge-if interfaces of bridge groups to route packets between LANs on different
network segments.
As shown in Figure 2-3, a bridge group is created on RouterA, a Bridge-if interface is added to
the bridge group and configured with an IP address. IP packet routing and integrated bridging
and routing are enabled. User 1 and User 2 are added to the bridge group, and can use integrated
bridging and routing to communicate with User 3. Two bridged devices are connected to the
intermediate network using Ethernet links or non-Ethernet links (such as PPP, HDLC, MP, FR,
ATM, or MFR). Router A and Router B are configured with IP packet routing as well as
integrated bridging and routing so that User 1 and User 4 can communicate with each other.
31
Figure 2-3 Networking diagram for integrated bridging and routing
RouterA
Bridge-if
1.1.1.1/24
Network
RouterB
User 4
2.1.1.16/24
User 1
1.1.1.12/24
User 2
1.1.1.13/24
User 3
3.1.1.14/24

VLAN ID Transparent Transmission
By default, an outbound interface in a bridge group removes the VLAN IDs of the packets to be
sent out. VLAN ID transparent transmission allows users in the same VLAN to communicate
with each other and isolates users in different VLANs.
After VLAN ID transparent transmission is enabled:
l The outbound interface in a bridge group will send out packets without changing or
removing their VLAN IDs.
l A non-Ethernet interface (outbound interface) in a bridge group can also forward packets
with VLAN IDs, and will not change the VLAN IDs of the packets even if the outbound
interface has its own VLAN ID.
2.2 Transparent Bridging Supported by the AR1200-S
This section describes transparent bridging features that the AR1200-S supports in various usage
scenarios. Familiarizing yourself with the usage scenarios will help you complete the
Transparent bridging allows communication between different LANs. Transparent bridging can
be configured in four usage scenarios depending on the geographical locations and network
segments of LANs. Table 2-1 lists the four usage scenarios and selection rules. You can
configure transparent bridging for the specific scenarios and functionality requirements for your
site.
32
Table 2-1 Transparent bridging usage scenarios
Scenar
io
Users in the
Same
Geographical
Location and
Network
Segment
Users in the
Same
Geographical
Location but
Different
Network
Segments
Users in
Different
Geographical
Locations but
Same Network
Segment
Users in
Different
Geographical
Locations and
Network
Segments
Functio
n
Requir
ed
Local bridging Local bridging
integrated with IP
routing
Remote bridging
and VLAN ID
transparent
transmission (if
communication
within VLANs
and isolation
between VLANs
are required)
Remote bridging
integrated with IP
routing

2.3 Configuring Local Bridging
Configuring local bridging allows users in the same geographical location and on the same
Before configuring local bridging, familiarize yourself with applicable environment, complete
the pre-configuration tasks, and obtain the data required for the configuration. This will help
you complete the configuration task quickly and accurately.
To allow users in the same geographical location and on the same network segment to
communicate with each other, you can configure local bridging. A device can be configured
with multiple bridge groups. Interfaces added to a bridge group can forward and broadcast traffic
in the bridge group based on the destination MAC address.
Before configuring local bridging, complete the following task:
l Configuring physical parameters for interfaces to ensure that the interfaces are physically
Up
Data Preparation
To configure local bridging, you need the following data.
33
No. Data
1 Number of a bridge group
2 (Optional) Static MAC address entry, blackhole MAC address entry, or aging
time for the dynamic MAC entry of the bridge group
3 Numbers of interfaces to be added to the bridge group

2.3.2 Creating a Bridge Group
A bridge group is a virtual group. It can forward packets only after interfaces have been added
to the group.
Procedure
Step 1 Run:
system-view
Step 2 Run:
bridge bridge-id
A bridge group is created and the bridge group view is displayed.
If the bridge group specified by bridge-id exists, the bridge group view is displayed.
Multiple devices can use the same bridge number.
----End
Follow-up Procedure
By default, dynamic MAC address learning is enabled for a bridge group. When a network is
insecure and vulnerable to attacks, you can disable dynamic MAC address learning and use static
MAC address entries for traffic forwarding. Perform one or more of the following operations
depending on the type of MAC address entries to be added:
l Configure a static MAC address entry for a bridge group.
Run:
mac-address static mac-address interface-type interface-number bridge
bridge-id
A static MAC address entry is configured for a bridge group.
By default, no static MAC address entry is configured. In a bridge group, each MAC
address entry can be configured as only one static entry. If the MAC address entry is
configured as a static entry repeatedly, the last configuration overwrites the previous
configuration.
(Optional) Run:
mac-address blackhole mac-address bridge bridge-id
A blackhole MAC address entry is configured for a bridge group.
34
By default, no blackhole MAC address entry is configured.
l Configure attributes for dynamic MAC address entries of a bridge group.
Run:
undo mac-address learning disable
Dynamic MAC address learning is enabled.
By default, dynamic MAC address learning is enabled for a bridge group.
(Optional) Run:
mac-address aging-time seconds bridge
The aging time is configured for a dynamic MAC entry.
The configured aging time takes effect on the dynamic MAC address entries of all bridge
groups. The aging time can be 0 or ranges from 60 to 3825, in seconds. The value 0
indicates that a dynamic MAC address entry will not age.
2.3.3 Adding Local Interfaces to a Bridge Group
Adding local interfaces to a bridge group allows the local LANs to communicate with each other.
Context
to the group.
As shown in Figure 2-4, the following methods can be used to add users to a bridge group:
l Directly add users to the bridge group. User 3 uses this method.
l Use a VLAN to add users to the bridge group. Create a VLAN on a bridge and add users
to the VLAN. Users then connect to the bridge group through the VLANIF interface. User
1 and User 2 use this method.
l Use Ethernet sub-interfaces to add users to the bridge group. This method is used when
flows on a physical interface need to be differentiated using sub-interfaces. User 4 uses this
method.
Figure 2-4 Networking diagram for adding users to bridge groups
RouterA User 3
User 4
VLAN 11
User 1 User 2

Perform the following steps on the user-side interface of the device.
35
Procedure
Step 1 Run:
system-view
Step 2 Run:
The user-side interface view is displayed.
Step 3 Run:
bridge bridge-id
An interface is added to a bridge group.
A maximum of 20 interfaces can be added to a bridge group. Different types of interfaces can
be added to the same bridge group. Layer 2 interfaces cannot be added to a bridge group.
QinQ termination Ethernet sub-interfaces and QinQ termination GE sub-interfaces do not
support transparent bridging.
----End
2.3.4 (Optional) Disabling a Bridge Group from Bridging Specified
Protocol Packets
If a bridge group is disabled from bridging specified protocol packets, the bridge group will
discard the protocol packets.
Procedure
Step 1 Run:
system-view
Step 2 Run:
bridge bridge-id
The bridge group view is displayed.
Step 3 Run:
bridging { ip | others } disable
The bridge group is disabled from bridging specified protocol packets.
To allow a bridge group to forward specified protocol packets, enable the function that bridges
the protocol packets on the bridge group. By default, a bridge group bridges all protocol packets.
----End
After configuring local bridging, you can view the traffic statistics on a bridge group or a
specified interface in the bridge group.
36
Prerequisites
The configurations for local bridging are complete.
Procedure
l Run the display bridge [ bridge-id ] information command to view information about the
bridge group.
l Run the display bridge traffic [ bridge birdge-id | interface interface-type interface-
number ] command to view the traffic statistics on a specified interface in the bridge group.
----End
Example
Run the display bridge [ bridge-id ] information command to view information about the bridge
group.
<Huawei> display bridge information
Bridge 1 :
Status : Undo Shutdown
Bridging : IP, Others
Routing : -
MAC learning : Enable
interface :total 2 interface(s) in the bridge
GigabitEthernet1/0/0 : Up
Vlanif11 : Up
Bridge 2 :
Routing : -
Vlanif12 : Up
Run the display bridge traffic [ bridge birdge-id | interface interface-typeinterface-number ]
command to view the traffic statistics on a specified interface in the bridge group.
<Huawei> display bridge traffic
Bridge 1 :
Input :
34 total, 0 bpdu, 27 single,
0 multi, 7 broadcast,
Output :
Bridge 2 :
Input :
Output :
2.4 Configuring Local Bridging Integrated with IP Routing
Configuring local bridging integrated with IP routing allows users in the same geographical
location but on different network segments to communicate with each other.
37
Before configuring local bridging integrated with IP routing, familiarize yourself with the
applicable environment, complete the pre-configuration tasks, and obtain the data required for
the configuration. This will help you complete the configuration task quickly and accurately.
To allow LAN users in the same geographical location and on the same network segment to
communicate with each other, you can enable local bridging. To allow LAN users in the same
geographical location but on different network segments to communicate with each other, you
need to enable local bridging integrated with IP routing.
The integrated routing function uses Bridge-if interfaces for routing packets.
Before configuring local bridging integrated with IP routing, complete the following task:
Up
Data Preparation
To configure local bridging integrated with IP routing, you need the following data.
No. Data
2 Numbers of interfaces to be added to the bridge group
3 IP address of the Bridge-if interface that represents the bridge group

to the group.
Procedure
Step 1 Run:
system-view
Step 2 Run:
bridge bridge-id
38
----End
Follow-up Procedure
Run:
bridge-id
configuration.
(Optional) Run:
Run:
(Optional) Run:
2.4.3 Adding Local Interfaces to a Bridge Group
Adding local interfaces to a bridge group allows the local LANs to communicate with each other.
Context
to the group.
39
method.
RouterA User 3
User 4
VLAN 11
User 1 User 2

Procedure
Step 1 Run:
system-view
Step 2 Run:
Step 3 Run:
bridge bridge-id
QinQ termination Ethernet sub-interfaces and QinQ termination GE sub-interfaces do not
support transparent bridging.
----End
40
2.4.4 Configuring a Bridge-if Interface for a Bridge Group
LANs on different network segments can communicate with each other by using a Bridge-if
interface.
Context
A Bridge-if interface is a virtual routed interface.
Interfaces in a bridge group can only bridge protocol packets within the bridge group. To allow
LANs on different network segments to communicate with each other, create a Bridge-if
interface for the bridge group to route the communication data.
Procedure
Step 1 Run:
system-view
Step 2 Run:
interface bridge-if bridge-id
A Bridge-if interface is created and the Bridge-if interface view is displayed.
Step 3 Run:
ip address ip-address { mask | mask-length }
An IP address is configured for the Bridge-if interface.
Step 4 (Optional) Run:
mac-address mac-address
A MAC address is configured for the Bridge-if interface.
----End
2.4.5 Enabling IP Routing for a Bridge Group
A bridge group can route protocol packets after IP routing is enabled.
Context
IP routing enables a bridge group to bridge and route packets. If IP routing is not enabled, all
protocol packets can only be bridged. After IP routing is enabled, specified protocol packets can
be bridged or routed depending on the configuration.
Procedure
Step 1 Run:
system-view
Step 2 Run:
bridge bridge-id
41
Step 3 Run:
routing ip
IP routing is enabled for the bridge group.
The IP routing function cannot be configured if any of member interfaces in the bridge group
has an IP address. Before configuring the IP routing function, delete the IP addresses of these
member interfaces.
----End
Protocol Packets
Procedure
Step 1 Run:
system-view
Step 2 Run:
bridge bridge-id
Step 3 Run:
----End
After configuring local bridging integrated with IP routing, you can view the traffic statistics on
a bridge group or a specified interface in the bridge group.
Prerequisites
The configurations for local bridging integrated with IP routing are complete.
Procedure
l Run the display interface bridge-if [ bridge-id ] command to check information about the
Bridge-if interface.
l Run the display bridge [ bridge-id ] information command to check information about
the remote bridge group.
42
l Run the display bridge traffic [ bridge bridge-id | interface interface-type interface-
----End
Example
Run the display interface bridge-if [ bridge-id ] command to view information about the
<Huawei> display interface bridge-if 1
Bridge-if1 current state : UP
Last line protocol up time : 2010-10-09 18:50:53 UTC-08:00
Description:HUAWEI, AR Series, Bridge-if1 Interface
Route Port,The Maximum Transmit Unit is 1500
IP Sending Frames' Format is PKTFMT_ETHNT_2, Hardware address is 00e0-0e0b-0100
Physical is BRIDGE-IF
Current system time: 2010-10-11 08:52:21-08:00
Last 300 seconds input rate 0 bits/sec, 0 packets/sec
Last 300 seconds output rate 0 bits/sec, 0 packets/sec
Realtime 18 seconds input rate 0 bits/sec, 0 packets/sec
Realtime 18 seconds output rate 0 bits/sec, 0 packets/sec
Input: 396 packets,0 bytes,
190 unicast,206 broadcast,0 multicast
Output:731 packets,0 bytes,
Run the display bridge traffic [ bridge bridge-id | interface interface-type interface-number ]
command to view the traffic statistics on the local bridge group.
Bridge 1 :
Input :
Output :
Bridge 2 :
Input :
Output :
2.5 Configuring Remote Bridging
Configuring remote bridging allows users in different geographical locations and on the same
Before configuring remote bridging, familiarize yourself with applicable environment, complete
the pre-configuration tasks, and obtain the data required for the configuration. This will help
43
To allow LANs on the same network segment but in different geographic locations to
communicate with each other at the link layer, you can configure remote bridging. To allow
users in the same VLAN to communicate with each other and isolate users in different VLANs,
VLAN ID transparent transmission needs to be enabled.
Before configuring remote bridging, complete the following task:
Up
Data Preparation
To configure remote bridging, you need the following data.
No. Data
2 Number of an interface added to a bridge group

to the group.
Procedure
Step 1 Run:
system-view
Step 2 Run:
bridge bridge-id
----End
Follow-up Procedure
44
Run:
bridge-id
configuration.
(Optional) Run:
Run:
(Optional) Run:
2.5.3 Adding User-side Interfaces to a Bridge Group
Adding user-side interfaces to a bridge group allows LANs to communicate with each other.
Context
to the group.
method.
45
RouterB
User 5
Network
RouterA
User 1
User 4
User 2 User 3
VLAN 11

Procedure
Step 1 Run:
system-view
Step 2 Run:
Step 3 Run:
bridge bridge-id
Ethernet sub-interfaces and GE sub-interfaces configured to terminate QinQ tags do not support
transparent bridging.
----End
2.5.4 Adding Network-side Interfaces to a Bridge Group
Using intermediate links to connect two devices allows different LANs to communicate with
each other.
46
Context
Two devices can be connected using different types of intermediate links to bridge data between
different LANs.
To implement remote bridging between different LANs, add the user-side interface connecting
to a LAN and the network-side interface connecting to the intermediate link to the same bridge
group.
Perform the following steps on the devices at both ends of the intermediate link.
Procedure
Step 1 Run:
system-view
Step 2 Run:
The view of the network-side interface is displayed.
Step 3 Perform the following operations depending on the type of interface:
l Add an Ethernet interface to a bridge group.
1. Run:
bridge bridge-id
The Ethernet interface is added to the bridge group.
l Add an HDLC interface to a bridge group.
1. Run:
link-protocol hdlc
HDLC is enabled on the interface.
2. Run:
bridge bridge-id
The HDLC interface is added to the bridge group.
l Add a PPP interface to a bridge group.
1. Run:
link-protocol ppp
PPP is enabled on the interface.
2. Run:
bridge bridge-id
The PPP interface is added to the bridge group.
l Add an MP group interface to a bridge group.
1. Run:
bridge bridge-id
The VT interface is added to the bridge group.
2. Run:
quit
Return to the system view.
3. Run:
47
The MP group interface view is displayed.
4. Run:
link-protocol ppp
l Add an FR interface to a bridge group.
1. Run:
fr dlci dlci
A frame relay DLCI is created.
2. Run:
bridge bridge-id
The FR interface to the bridge group.
3. Run:
fr map bridge dlci-number broadcast
A mapping between the frame relay DLCI and the bridge group is configured.
l Add an ATM interface to a bridge group.
1. Run:
bridge bridge-id
The ATM interface is added to the bridge group.
2. Run:
A specified PVC is configured to send and receive bridge packets.
3. Run:
map bridge broadcast
A mapping between the ATM PVC and the bridge group is configured.
To add an MFR interface to a bridge group, ensure that the FR interfaces bound to the MFR
interface have the same bandwidth; otherwise, packet loss may occur.
----End
Protocol Packets
Procedure
Step 1 Run:
system-view
Step 2 Run:
bridge bridge-id
Step 3 Run:
48
----End
2.5.6 (Optional) Configuring VLAN ID Transparent Transmission
VLAN ID transparent transmission allows the devices in the same VLAN in different locations
to communicate with each other.
Context
By default, an outbound interface of a bridge group removes the VLAN IDs of the packets to
be sent out. After VLAN ID transparent transmission is configured on an outbound interface of
a bridge group, the outbound interface does not remove the VLAN IDs of the packets to be sent
out.
Procedure
Step 1 Run:
system-view
Step 2 Run:
Step 3 Run:
bridge vlan-transmit enable
VLAN ID transparent transmission is enabled.
NOTE
l VLANIF interfaces do not support VLAN ID transparent transmission.
l It is not recommended to use the VLAN ID transparent transmission for sub-interfaces.
Step 4 Run:
quit
----End
After configuring remote bridging, you can view the traffic statistics on a bridge group or a
specified interface in the bridge group.
Prerequisites
The configurations for remote bridging are complete.
49
Procedure
l Run the display bridge [ bridge-id ] information command to view information about the
bridge group.
----End
Example
Run the display bridge [ bridge-id ] information command to view information about bridge
group 1.
[Huawei] display bridge 1 information
Bridge 1 :
Routing : -
command to view the traffic statistics on bridge group 1.
[Huawei] display bridge traffic bridge 1
Bridge 1 :
Input :
Output :
2.6 Configuring Remote Bridging Integrated with IP
Routing
Configuring remote bridging integrated with IP routing allows users in different geographical
locations and on different network segments to communicate with each other.
Before configuring remote bridging integrated with IP routing, familiarize yourself with the
applicable environment, complete the pre-configuration tasks, and obtain the data required for
the configuration. This will help you complete the configuration task quickly and accurately.
To allow LAN users in different geographical locations and on different network segments to
communicate with each other, you need to enable remote bridging integrated with IP routing.
The integrated routing function uses Bridge-if interfaces for routing packets.
50
Before configuring remote bridging integrated with IP routing, complete the following task:
Up
Data Preparation
To configure remote bridging integrated with IP routing, you need the following data.
No. Data
2 Number of an interface added to a bridge group
3 IP address of the Bridge-if interface that represents the bridge group

to the group.
Procedure
Step 1 Run:
system-view
Step 2 Run:
bridge bridge-id
----End
Follow-up Procedure
Run:
bridge-id
51
configuration.
(Optional) Run:
Run:
(Optional) Run:
2.6.3 Adding User-side Interfaces to a Bridge Group
Adding user-side interfaces to a bridge group allows LANs to communicate with each other.
Context
to the group.
method.
52
RouterB
User 5
Network
RouterA
User 1
User 4
User 2 User 3
VLAN 11

Procedure
Step 1 Run:
system-view
Step 2 Run:
Step 3 Run:
bridge bridge-id
Ethernet sub-interfaces and GE sub-interfaces configured to terminate QinQ tags do not support
transparent bridging.
----End
2.6.4 Adding Network-side Interfaces to a Bridge Group
Using intermediate links to connect two devices allows different LANs to communicate with
each other.
53
Context
Two devices can be connected using different types of intermediate links to bridge data between
different LANs.
To implement remote bridging between different LANs, add the user-side interface connecting
to a LAN and the network-side interface connecting to the intermediate link to the same bridge
group.
Perform the following steps on the devices at both ends of the intermediate link.
Procedure
Step 1 Run:
system-view
Step 2 Run:
The view of the network-side interface is displayed.
Step 3 Perform the following operations depending on the type of interface:
l Add an Ethernet interface to a bridge group.
1. Run:
bridge bridge-id
The Ethernet interface is added to the bridge group.
l Add an HDLC interface to a bridge group.
1. Run:
link-protocol hdlc
HDLC is enabled on the interface.
2. Run:
bridge bridge-id
The HDLC interface is added to the bridge group.
l Add a PPP interface to a bridge group.
1. Run:
link-protocol ppp
2. Run:
bridge bridge-id
The PPP interface is added to the bridge group.
l Add an MP group interface to a bridge group.
1. Run:
bridge bridge-id
The VT interface is added to the bridge group.
2. Run:
quit
3. Run:
54
The MP group interface view is displayed.
4. Run:
link-protocol ppp
l Add an FR interface to a bridge group.
1. Run:
fr dlci dlci
A frame relay DLCI is created.
2. Run:
bridge bridge-id
The FR interface to the bridge group.
3. Run:
fr map bridge dlci-number broadcast
A mapping between the frame relay DLCI and the bridge group is configured.
l Add an ATM interface to a bridge group.
1. Run:
bridge bridge-id
The ATM interface is added to the bridge group.
2. Run:
A specified PVC is configured to send and receive bridge packets.
3. Run:
map bridge broadcast
A mapping between the ATM PVC and the bridge group is configured.
To add an MFR interface to a bridge group, ensure that the FR interfaces bound to the MFR
interface have the same bandwidth; otherwise, packet loss may occur.
----End
2.6.5 Configuring a Bridge-if Interface for a Bridge Group
LANs on different network segments can communicate with each other by using a Bridge-if
interface.
Context
A Bridge-if interface is a virtual routed interface.
Interfaces in a bridge group can only bridge protocol packets within the bridge group. To allow
LANs on different network segments to communicate with each other, create a Bridge-if
interface for the bridge group to route the communication data.
Procedure
Step 1 Run:
system-view
55
Step 2 Run:
interface bridge-if bridge-id
A Bridge-if interface is created and the Bridge-if interface view is displayed.
Step 3 Run:
An IP address is configured for the Bridge-if interface.
mac-address mac-address
A MAC address is configured for the Bridge-if interface.
----End
2.6.6 Enabling IP Routing for a Bridge Group
A bridge group can route protocol packets after IP routing is enabled.
Context
IP routing enables a bridge group to bridge and route packets. If IP routing is not enabled, all
protocol packets can only be bridged. After IP routing is enabled, specified protocol packets can
be bridged or routed depending on the configuration.
Procedure
Step 1 Run:
system-view
Step 2 Run:
bridge bridge-id
Step 3 Run:
routing ip
IP routing is enabled for the bridge group.
The IP routing function cannot be configured if any of member interfaces in the bridge group
has an IP address. Before configuring the IP routing function, delete the IP addresses of these
member interfaces.
----End
Protocol Packets
56
Procedure
Step 1 Run:
system-view
Step 2 Run:
bridge bridge-id
Step 3 Run:
----End
After configuring remote bridging integrated with IP routing, you can view the traffic statistics
on a bridge group or a specified interface in the bridge group.
Prerequisites
The configurations for remote bridging integrated with IP routing are complete.
Procedure
l Run the display interface bridge-if [ bridge-id ] command to check information about the
l Run the display bridge [ bridge-id ] information command to check information about
the remote bridge group.
number ] command to view the traffic statistics on the bridge group.
----End
Example
Run the display interface bridge-if [ bridge-id ] command to view information about the
<Huawei> display interface bridge-if 1
Bridge-if1 current state : UP
Last line protocol up time : 2010-10-09 18:50:53 UTC-08:00
Description:HUAWEI, AR Series, Bridge-if1 Interface
IP Sending Frames' Format is PKTFMT_ETHNT_2, Hardware address is 00e0-0e0b-0100
Physical is BRIDGE-IF
Current system time: 2010-10-11 08:52:21-08:00
57
Realtime 18 seconds input rate 0 bits/sec, 0 packets/sec
Realtime 18 seconds output rate 0 bits/sec, 0 packets/sec
Input: 396 packets,0 bytes,
Output:731 packets,0 bytes,
Run the display bridge [ bridge-id ] information command to view information about the
remote bridge group.
<Huawei> display bridge information
Bridge 2 :
Routing : IP
command to view the traffic statistics of the local bridge group.
Bridge 1 :
Input :
Output :
Bridge 2 :
Input :
Output :
command to view the traffic statistics of the remote bridge group.
<Huawei> display bridge traffic bridge 2
Bridge 2 :
Input :
Output :
2.7 Maintaining Transparent Bridging
This section describes how to clear traffic statistics on a bridge group to help locate faults in the
bridge group.
2.7.1 Monitoring the Operation of Bridge Groups
58
Context
During routine maintenance, you can run the following commands in any view to monitor the
operation of bridge groups.
Procedure
number ] command in any view to check whether the traffic statistics on a bridge group
have been cleared.
l Run the display bridge [ bridge-id ] information command in any view to check
information about a bridge group.
l Run the display interface bridge-if [ bridge-id ] command in any view to check
information about the Bridge-if interface of a specified bridge group, including the protocol
status, interface description, and IP address.
l Run the display mac-address [ mac-address | blackhole | static | dynamic ] [ bridge
bridge-id ] [ verbose ] command in any view to check the static, dynamic, or blackhole
MAC address entry of a specified bridge group.
l Run the display mac-address [ mac-address | interface-type interface-number ] bridge
bridge-id [ verbose ] command or display mac-address { static | dynamic } [ interface-
type interface-number ] bridge bridge-id verbose command in any view to check the static
or dynamic MAC address entry of a specified bridge group and interface.
----End
2.7.2 Clearing the Traffic Statistics of a Bridge Group
This section describes how to clear the current traffic statistics on a bridge group so that you can
collect new statistics to help locate faults.
Context
Before collecting traffic statistics on a bridge group, clear the previous statistics.
CAUTION
The traffic statistics cannot be restored after being cleared.
Procedure
l Run the reset bridge bridge-id statistics command in the user view to clear the traffic
statistics of a bridge group.
----End
2.7.3 Clearing the Traffic Statistics on the Bridge-if Interface of a
Bridge Group
This section describes how to clear the traffic statistics on the Bridge-if interface of a bridge
group to help locate faults in the bridge group.
59
Context
To locate faults in a bridge group, you can clear the traffic statistics on the Bridge-if interface.
CAUTION
The traffic statistics cannot be restored after being cleared.
Procedure
l Run the reset counters interface bridge-if [ bridge-id ] command in the user view to clear
the traffic statistics on the Bridge-if interface of the bridge group.
----End
2.8 Configuration Example
This section describes the typical application scenarios of transparent bridging and provides
configuration roadmaps.
2.8.1 Example for Configuring Local Bridging
Configuring local bridging allows the communication between the LANs on the same network
segment and in the same geographical location.
An enterprise has multiple departments located in the same office building but on different floors.
As business expands for the enterprise, data communication is required between terminals within
the same department, and between some departments. To keep information secure, information
in some departments needs to be isolated from that in the other departments. Users that require
communication with each other need to be added to the same bridge group so that they can
communicate with each other and are isolated from other departments.
As shown in Figure 2-8, User 1 and User 2 belong to the same department, and both of them
are added to VLAN 11. User 4 and User 5 belong to the same department and are added to VLAN
12. User 3 belongs to another department. User 1, User 2, and User 3 need to communicate with
each other. After bridge groups are created on RouterA, departments in the same bridge group
can communicate with each other and those in different bridge groups are isolated from each
other.
60
Figure 2-8 Networking diagram of local bridging configuration
RouterA
User 2 User 1
VLAN 11
User 3 User 4
GE0/0/1
1.1.1.1/24 1.1.1.2/24 1.1.1.4/24 1.1.1.3/24
Eth0/0/1
GE0/0/0
Eth0/0/2

1. Configure bridge groups.
2. Add User 1 and User 2 to VLAN 11 and then add them to bridge group 1 on VLANIF 11.
Add User 3 to bridge group 1. This allows communication between User 1, User 2, and
User 3.
3. Add User 4 to bridge group 2 to isolate User 4 from User 1, User 2, and User 3.
Data Preparation
l Interfaces used to connect LANs
l Number of each bridge group to which the LANs that need to communicate with each other
are added
l ID of each VLAN of which interfaces are added to a bridge group
Configuration Procedure
1. Create bridge group 1.
[RouterA] bridge 1
[RouterA-bridge1] quit
2. Add Eth0/0/1 and Eth0/0/2 to VLAN 11.
[RouterA] vlan 11
[RouterA-vlan11] quit
[RouterA-Ethernet0/0/1] port link-type access
[RouterA-Ethernet0/0/1] port default vlan 11
61
3. Add VLANIF 11 and GE0/0/1 to bridge group 1.
[RouterA-GigabitEthernet0/0/1] bridge 1
[RouterA] interface vlanif 11
[RouterA-Vlanif11] bridge 1
[RouterA-Vlanif11] quit
4. Create bridge group 2.
[RouterA] bridge 2
5. Add GE 0/0/0 to bridge group 2.
[RouterA-GigabitEthernet0/0/0] bridge 2
6. Verify the configuration.
# Run the display bridge information command to view the configuration of the bridge
groups.
[RouterA] display bridge information
Bridge 1 :
Routing : -
Vlanif11 : Up
Bridge 2 :
Routing : -
# After the preceding configuration is complete, User 1, User 2, and User 3 can ping each
other, whereas they cannot ping User 4.
Configuration Files
Configuration file of RouterA
#
sysname RouterA
#
bridge 1
bridge 2
#
interface Vlanif11
bridge 1
#
port link-type access
port default vlan 11
#
#
bridge 1
#
62
bridge 2
#
return
2.8.2 Example for Configuring Local Bridging with IP Routing
Configuring local bridging and IP routing allows LANs on different network segments to
communicate with each other.
Departments of Enterprise A need to communicate with each other and with local Enterprise B.
Departments of Enterprise A belong to the LANs on the same network segment and can be
bridged, but Enterprise B belongs to a LAN on a different network segment. As a result, link-
layer bridging cannot be used to communicate between Enterprise A and Enterprise B.
In this scenario, local bridging integrated with IP routing offers a viable solution.
As shown in Figure 2-9, bridge groups are configured on RouterA and RouterB, and interfaces
are added to different bridge groups. After Bridge-if interfaces are created and assigned IP
addresses, and the IP routing function is enabled, the two hosts of Enterprise A can communicate
with the hosts of Enterprises B.
Figure 2-9 Networking diagram of local bridging integrated with IP routing
RouterA
Eth0/0/1
User 1 User 2
1.1.1.1/24 1.1.1.2/24
Eth0/0/2
Eth1/0/0
User 3
3.1.1.3/24
Enterprise B Enterprise A
Bridge-if

1. Create a bridge group on RouterA.
2. Add Eth0/0/1 and Eth0/0/2 on Router A to the created bridge group to allow the two hosts
of Enterprise A to communicate with each other.
3. Create a Bridge-if interface and enable IP routing for the bridge group on RouterA to allow
Enterprise A to communicate with Enterprise B.
63
Data Preparation
are added
l Configure the IP routing function.
1. Configure RouterA.
# Create bridge group 1 and enable local bridging and IP routing for the bridge group.
[RouterA] bridge 1
[RouterA-bridge1] routing ip
# Add Eth0/0/1 and Eth0/0/2 to VLAN 11.
[RouterA] vlan 11
#Add VLANIF 11 to bridge group 1.
# Configure an IP address for Eth1/0/0 on RouterA.
[RouterA-Ethernet1/0/0] ip address 3.1.1.1 255.255.255.0
# Create Bridge-if interface 1 and configure an IP address for it.
[RouterA] interface bridge-if 1
[RouterA-Bridge-if1] ip address 1.1.1.3 255.255.255.0
[RouterA-Bridge-if1] quit
# After the preceding configurations are complete, User 1 and User 3 can ping each
other.
Configuration Files
#
sysname RouterA
#
bridge 1
routing ip
#
interface Vlanif11
64
bridge 1
#
#
#
ip address 3.1.1.1 255.255.255.0
#
interface Bridge-if1
ip address 1.1.1.3 255.255.255.0
#
return
2.8.3 Example for Configuring Remote Bridging
Configuring remote bridging allows LANs on the same network segment but in different
geographical locations to communicate with each other.
An enterprise has multiple departments in different locations. As business expands for the
enterprise, data communication is required between terminals within the same department and
between other departments located in different geological areas.
As shown in Figure 2-10, intermediate links are used to connect RouterA and RouterB, which
are located in different locations. Users 1 to 4 are on the same network segment. User 3 and User
4 are in a different location than User 1 and User 2. Configuring remote bridging allows User 1
and User 2 to communicate with User 3 and User 4.
Figure 2-10 Networking diagram of remote bridging
RouterB RouterA
Eth1/0/0 Eth1/0/0 Eth0/0/1
IP Core
Network
User 1
1.1.1.1/24
User 2
1.1.1.2/24
User 4
1.1.1.4/24
User 3
1.1.1.3/24
Eth0/0/2
Eth0/0/1
Eth0/0/2

1. Configure bridge groups on RouterA and RouterB.
65
2. Add User 1 and User 2 to VLAN 11 on RouterA, and add User 3 and User 4 to VLAN 11
on RouterB so that users can communicate with each other.
3. Add VLANIF 11 and Eth 1/0/0 to bridge group 1 on RouterA and add VLANIF 11 and
Eth 1/0/0 to bridge group 1 on RouterB. Enable remote bridging.
Data Preparation
are added
# Create bridge group 1.
[RouterA] bridge 1
# Add Eth0/0/2 and Eth0/0/1 to VLAN 11 to allow the communication between User 1 and
User 2.
[RouterA] vlan 11
# Add Eth 1/0/0 to bridge group 1.
[RouterA-Ethernet1/0/0] bridge 1
2. Configure RouterB.
[RouterB] bridge 1
[RouterB-bridge1] quit
# Add Eth0/0/2 and Eth0/0/1 to VLAN 11 to allow the communication between User 3 and
User 4.
[RouterB] vlan 11
[RouterB-vlan11] quit
[RouterB-Ethernet0/0/2] port link-type access
[RouterB-Ethernet0/0/2] port default vlan 11
66
[RouterB] interface vlanif 11
[RouterB-Vlanif11] bridge 1
[RouterB-Vlanif11] quit
# Add Eth 1/0/0 to bridge group 1.
[RouterB-Ethernet1/0/0] bridge 1
# After the preceding configurations are complete, User 1, User 2, User 3, and User 4 can
ping each other.
Configuration Files
#
sysname RouterA
#
bridge 1
#
interface Vlanif11
bridge 1
#
#
#
bridge 1
#
return
Configuration file of RouterB
#
sysname RouterB
#
bridge 1
#
interface Vlanif11
bridge 1
#
#
#
bridge 1
#
return
67
2.8.4 Example for Configuring Remote Bridging with IP Routing
Configuring remote bridging with IP routing allows LANs in different geographical locations
and on different network segments to communicate.
Departments of Enterprise A need to communicate with other and with Enterprises C (in a
different geographical location).
Departments of Enterprise A belong to the LANs on the same network segment and can be
bridged, but Enterprise C belongs to a different network segment. As a result, link-layer bridging
cannot be used to communicate between Enterprise A and Enterprise C.
In this scenario, local bridging integrated with IP routing offers a viable solution.
As shown in Figure 2-11, bridge groups are configured on RouterA and RouterB, and interfaces
are added to different bridge groups. After Bridge-if interfaces are created and assigned IP
addresses, and the IP routing function is enabled, the two hosts of Enterprise A can communicate
with the hosts of Enterprises C.
Figure 2-11 Networking diagram of remote bridging integrated with IP routing
RouterA
Eth1/0/0
Bridge-if
Eth0/0/1
RouterB
Eth1/0/0
User 4 User 1 User 2
1.1.1.1/24 1.1.1.2/24 2.1.1.4/24
Network
Eth0/0/2
Eth0/0/0
Enterprise A Enterprise C

1. Configure bridge groups on RouterA and RouterB.
2. Add Eth 0/0/1 and Eth 0/0/2 on Router A to a bridge group so that the two hosts of Enterprise
A can communicate with each other.
3. Add Eth 1/0/0 to another bridge group on Router A, and add Eth 1/0/0 to the bridge group
on Router B.
4. Create Bridge-if interfaces and enable the IP routing function for the bridge groups on
Router A and Router B. This allows Enterprise A and Enterprise C to communicate with
each other.
68
Data Preparation
are added
l Configure the IP routing function.
# Create bridge group 1 and bridge group, then enable the IP routing function for the
bridge groups.
[RouterA] bridge 1
[RouterA] bridge 2
# Add Eth0/0/1 and Eth0/0/2 to VLAN 11 to allow the communication between User
1 and User 2.
[RouterA] vlan 11
# Add Eth1/0/0 on Router A to bridge group 2.
# Create Bridge-if interface 1 for bridge group 1 and Bridge-if interface 2 for bridge
group 2, and then configure IP addresses for the two Bridge-if interfaces.
2. Configure RouterB.
# Create bridge group 2 and enable the IP routing function for the bridge groups.
[RouterB] bridge 2
[RouterB-bridge2] routing ip
69
# Add Eth0/0/0 to VLAN11.
[RouterB] vlan 11
[RouterB-vlan11] quit
[RouterB-Vlanif11] bridge 2
# Add Eth1/0/0 on Router B to bridge group 2.
# After the preceding configuration is complete, User 1 and User 4 can successfully
ping each other.
Configuration Files
#
sysname RouterA
#
bridge 1
routing ip
bridge 2
routing ip
#
interface Vlanif11
bridge 1
#
#
#
ip address 1.1.1.3 255.255.255.0
#
ip address 2.1.1.3 255.255.255.0
#
bridge 2
#
return
#
sysname RouterB
#
bridge 2
routing ip
#
interface Vlanif11
70
bridge 2
#
#
bridge 2
#
return
2.8.5 Example for Configuring Remote Bridging with VLAN ID
Transparent Transmission
Remote bridging with VLAN ID transparent transmission allows the devices in the same VLAN
but different in locations to communicate with each other.
An enterprise has multiple departments in different locations. To allow the communication
between departments in different locations, remote bridging can be used. To allow users in the
same department (the same VLAN) to communicate with each other, while isolating users in
different departments (different VLANs), VLAN ID transparent transmission must be enabled.
As shown in Figure 2-12, User 1, User 2, User 3, and User 4 are on the same network segment.
User 1 and User 3 belong to a VLAN; User 2 and User 4 belong to the other VLAN. To allow
users in the same VLAN to communicate with each other and isolate users in different VLANs,
remote bridging and VLAN ID transparent transmission can be enabled. In this manner, User 1
can only communicate with User 3, and User 2 can only communicate with User 4.
Figure 2-12 Networking diagram for remote bridging
RouterB
User 2 User 1
RouterA
Eth2/0/0
User 3 User 4
Eth1/0/0
VLAN 11 VLAN 12 VLAN 11 VLAN 12
Switch 1 Switch 2
Eth1/0/2
Eth1/0/2 Eth1/0/1
Eth1/0/3 Eth1/0/3
Eth1/0/1
IP Core
Network
1.1.1.1/24 1.1.1.2/24 1.1.1.3/24 1.1.1.4/24
Eth1/0/0
Eth2/0/0

71
l On Switch 1 and Switch 2:
1. Create VLANs.
2. Add interfaces to the VLANs.
3. Configure interfaces to allow the packets from VLAN 11 and VLAN 12 to pass
through.
l On Router A and Router B:
1. Configure bridge groups.
2. Add WAN interfaces Ethernet1/0/0 and Ethernet2/0/0 to the same bridge group.
3. Enable VLAN ID transparent transmission on user-side interfaces and network-side
interfaces to allow users in the same VLAN to communicate with each other and
isolate users in different VLANs.
Data Preparation
l Number of each interface connecting a switch to a user
l Number of each VLAN to which users are added
l Number of the user-side interface and number of the network-side interface on each router
l Number of each bridge group to which a user-side interface and a network-side interface
are added
1. Configure Router A.
[RouterA-bridge1] bridge 1
# Add Ethernet1/0/0 and Ethernet2/0/0 to bridge group 1, and enable VLAN ID transparent
transmission on the two interfaces.
[RouterA-Ethernet1/0/0] bridge vlan-transmit enable
[RouterA-Ethernet2/0/0] bridge vlan-transmit enable
2. Configure Switch 1.
# Create VLANs.
[Huawei] sysname Switch1
[Switch1] vlan 11
[Switch1-vlan11] quit
[Switch1] vlan 12
# Add Eth1/0/1 to VLAN 11 and Eth1/0/2 to VLAN 12.
72
[Switch1] interface ethernet 1/0/1
[Switch1-Ethernet1/0/1] port link-type access
[Switch1-Ethernet1/0/1] port default vlan 11
[Switch1-Ethernet1/0/1] quit
# Configure Eth 1/0/3 to allow the packets from VLAN 11 and VLAN 12 to pass through.
[Switch1-Ethernet1/0/3] port link-type trunk
[Switch1-Ethernet1/0/3] port trunk allow-pass vlan 11 to 12
3. Configure Router B.
[RouterB-bridge2] bridge 2
# Add Ethernet1/0/0 and Ethernet2/0/0 to bridge group 2, and enable VLAN ID transparent
transmission on the two interfaces.
[RouterB-Ethernet1/0/0] bridge vlan-transmit enable
[RouterB-Ethernet2/0/0] bridge vlan-transmit enable
4. Configure Switch 2.
# Create VLANs.
[Huawei] sysname Switch2
[Switch2] vlan 11
[Switch2] vlan 12
# Add Eth1/0/1 to VLAN 11 and Eth1/0/2 to VLAN 12.
# Configure Eth1/0/3 to allow the packets from VLAN 11 and VLAN 12 to pass through.
[Switch2-Ethernet1/0/3] port link-type trunk
[Switch2-Ethernet1/0/3] port trunk allow-pass vlan 11 to 12
After the preceding configurations are complete, User 1 and User 3 can ping each other;
User 2 and User 4 can ping each other.
Configuration Files
Configuration file of Router A
73
#
sysname RouterA
#
vlan batch 11 to 12
#
bridge 1
#
bridge 1
#
bridge 1
#
return
Configuration file of Router B
#
sysname RouterB
#
vlan batch 11 to 12
#
bridge 2
#
#
bridge 2
#
bridge 2
#
return
Configuration file of Switch 1
#
sysname Switch1
#
vlan batch 11 to 12
#
#
#
#
return
Configuration file of Switch 2
#
sysname Switch2
#
vlan batch 11 to 12
#
#
74
#
#
#
return
75
3 VLAN Configuration
About This Chapter
This chapter describes the concepts and configurations of VLANs, while also providing
configuration examples.
3.1 Introduction to VLAN
This section describes the concept of the VLAN.
3.2 VLAN Features Supported by the AR1200-S
This section describes the VLAN features supported by the AR1200-S.
3.3 Creating VLANs
This section describes how to create one or multiple VLANs.
3.4 Adding Interfaces to a VLAN
This section describes how to add an access interface, a hybrid interface, or a trunk interface to
a VLAN.
3.5 Configuring VLANIF Interfaces to Implement Layer-3 Communication
This section describes how to configure VLANIF interfaces to implement Layer 3
communication.
3.6 Configuring VLAN Aggregation
This section describes how to configure VLAN aggregation to minimize IP addresses occupied
by VLANs.
3.7 Configuring a Management VLAN
This section describes how to configure a management VLAN.
This section provides VLAN configuration examples.
Configuration Guide - LAN 3 VLAN Configuration
76
3.1 Introduction to VLAN
This section describes the concept of the VLAN.
Definition of a VLAN
A local area network (LAN) can be divided into several logical LANs. Each logical LAN is a
broadcast domain, which is called a virtual LAN (VLAN). That is, the devices in a LAN are
logically divided into different LAN segments, namely, different VLANs, irrespective of their
physical locations. In this manner, the broadcast domains within a LAN are separated from each
other.
Functions of a VLAN
In VLAN networking, the devices that need to communicate with each other are added to a
VLAN; the devices that do not need to communicate with each other are added to different
VLANs. This type of networking isolates broadcast domains, eliminates broadcast storms, and
improves the security of data transmission.
As network scales expand, the entire network is becoming more susceptible to faults that
originate on local networks. VLAN networking minimizes the impact of the fault to each VLAN,
which improves network robustness.
3.2 VLAN Features Supported by the AR1200-S
This section describes the VLAN features supported by the AR1200-S.
Port-based VLAN
The AR1200-S supports port-based VLANs.
Ports on the AR1200-S are classified into the following types:
l Access: An access port can join only one VLAN (the default VLAN). Access ports are
usually connected to user devices.
l Trunk: A trunk port can join multiple VLANs and is usually connected to a network device.
l Hybrid: A hybrid port can join multiple VLANs and can be connected to a network device
or a user device.
The differences between hybrid and trunk ports are as follows:
Hybrid ports can forward packets from multiple VLANs in untagged mode.
Trunk ports can forward only the packets from the default VLAN in untagged mode.
Table 3-1 describes how various ports process packets depending on the VLAN ID.
77
Table 3-1 Processing of packets on different ports
Port Type Untagged Packet
Received
Tagged Packet
Received
Packet to Be Sent
Access port Accepts and adds the
default VLAN tag to the
packet.
l When the VLAN ID
of the packet is the
same as the default
VLAN ID, the access
port accepts the
packet.
l When the VLAN ID
of the packet is
different from the
default VLAN ID,
the access port
discards the packet.
Removes the tag and
sends the packet.
Trunk port l Adds the default
VLAN tag to the
packet. If the default
VLAN ID is in the
list of allowed
VLAN IDs, the port
accepts the packet.
l Adds the default
VLAN tag to the
packet. If the default
VLAN ID is not in
the list of allowed
VLAN IDs, the port
l If the VLAN ID of
the packet is in the
list of allowed
VLAN IDs, the port
accepts the packet.
l If the VLAN ID of
the packet is not in
the list of allowed
VLAN IDs, the port
l If the VLAN ID of
the packet is the
same as the default
VLAN ID and is in
the list of allowed
VLAN IDs, the
port removes the
tag and sends the
packet.
l If the VLAN ID of
the packet is
different from the
default VLAN ID
and is in the list of
allowed VLAN
IDs, the port retains
the tag and sends
the packet.
Hybrid port If the VLAN ID of the
packet is in the list of
allowed VLAN IDs,
the port sends the
packet. You can run
the port hybrid
untagged/tagged
vlan command to
determine whether the
port sends the packet
with the tag.

78
VLAN Aggregation
To implement inter-VLAN communication on routers, you need to configure IP addresses for
the VLANIF interfaces. When many VLANs are deployed, a large number of IP addresses are
occupied. VLAN aggregation can be used to conserve IP addresses.
VLAN aggregation means that multiple VLANs are aggregated into a super-VLAN. The VLANs
that form the super-VLAN are called sub-VLANs.
You can create a VLANIF interface for a super-VLAN. Then, you can configure an IP address
for just this interface. All sub-VLANs share the same IP network segment, which minimizes the
use of IP addresses.
3.3 Creating VLANs
This section describes how to create one or multiple VLANs.
VLANs isolates hosts that do not need to communicate with each other. Dividing a LAN into
VLANs improves network security, reduces broadcast traffic, and suppresses broadcast storms.
None.
Data Preparation
To create a VLAN, you need the following data.
No. Data
1 VLAN ID

3.3.2 Creating a VLAN
Context
Perform the following steps on the AR1200-S to create a VLAN.
Procedure
Step 1 Run:
system-view
79
Step 2 Run:
vlan vlan-id
A VLAN is created and the VLAN view is displayed.
description description
The description of the VLAN is set.
Enter a description of the VLAN that is easy to remember to facilitate network management.
The default description of a VLAN shows the VLAN ID. For example, the description of VLAN
15 is "VLAN 0015".
----End
3.3.3 (Optional) Creating VLANs in a Batch
Context
Perform the following steps on the AR1200-S to configure VLANs in a batch.
Procedure
Step 1 Run:
system-view
Step 2 Run:
vlan batch { vlan-id1 [ to vlan-id2 ] }&<1-10>
Multiple VLANs are created in a batch.
----End
3.3.4 (Optional) Configuring the Priority for a VLAN
Context
By configuring 802.1p priorities for VLANs, you can ensure that packets from VLANs with the
highest priority are transmitted first when congestion occurs.
Procedure
Step 1 Run:
system-view
Step 2 Run:
vlan vlan-id priority priority-mode-id
The 802.1p priority is configured for packets in a VLAN.
80
The vlan priority command takes effect only for VLANs containing interfaces on the main
control board of the AR1220.
----End
Procedure
Step 1 Run the display vlan [ vlan-id [ verbose ] ] command to check information about a VLAN.
----End
Example
Run the display vlan command to view information about VLANs.
<Huawei> display vlan
* : management-vlan
---------------------
The total number of vlans is : 5
VLAN ID Type Status MAC Learning Broadcast/Multicast/Unicast Property
--------------------------------------------------------------------------------
1 common enable enable forward forward forward default
Run the display vlan vlan-id verbose command to check the description of a VLAN.
<Huawei> display vlan 10 verbose
* : Management-VLAN
---------------------
VLAN ID : 10
VLAN Name :
VLAN Type : Common
Description : VLAN 0010
Status : Enable
Broadcast : Enable
MAC Learning : Enable
Smart MAC Learning : Disable
Current MAC Learning Result : Enable
Statistics : Disable
Property : Default
VLAN State : Up
----------------
Untagged Port: Ethernet0/0/0 Ethernet0/0/4
----------------
Active Untag Port: Ethernet0/0/0 Ethernet0/0/4
-------------------
Interface Physical
Ethernet0/0/0 UP
Ethernet0/0/4 DOWN
3.4 Adding Interfaces to a VLAN
This section describes how to add an access interface, a hybrid interface, or a trunk interface to
a VLAN.
81
You can use VLANs to isolate interfaces that process different services. For example, if interface
1 and interface 2 connect to broadband access users and interface 3 connects to users of video
services, you can add interface 1 and interface 2 to a VLAN and add interface 3 to another VLAN.
NOTE
Before changing the interface type, delete the VLAN configuration for the previous interface type to restore
the default VLAN configuration of the interface. That is, make the interface belong to only VLAN 1.
Before adding interfaces to a VLAN, complete the following task:
l Creating a VLAN
Data Preparation
To add interfaces to a VLAN, you need the following data.
No. Data
1 Types and numbers of the interfaces to be added to a VLAN
2 VLAN ID

3.4.2 Adding an Access Interface to a VLAN
Context
Use either of the following methods to add an access interface to a VLAN.
Procedure
l Adding an access interface to a VLAN in the VLAN view
1. Run:
system-view
2. Run:
3. Run:
The link type of the interface is set to access.
82
By default, the link type of an interface is hybrid.
4. Run:
quit
5. Run:
vlan vlan-id
The VLAN view is displayed.
6. Run:
port interface-type { interface-number1 [ to interface-number2 ] }&<1-10>
The access interface is added to the VLAN, which becomes the default VLAN of the
interface.
By default, VLAN 1 is the default VLAN for all interfaces.
l Adding an access interface to a VLAN in the interface view
1. Run:
system-view
2. Run:
3. Run:
By default, the link type of an interface is hybrid.
4. Run:
port default vlan vlan-id
The default VLAN of the interface is configured.
By default, VLAN 1 is the default VLAN for all interfaces.
----End
3.4.3 Adding a Trunk Interface to a VLAN
Context
Perform the following steps on the AR1200-S to add a trunk interface to a VLAN.
Procedure
Step 1 Run:
system-view
Step 2 Run:
83
Step 3 Run:
The link type of the interface is set to trunk.
By default, the interface type is hybrid.
Step 4 Run:
port trunk allow-pass vlan { vlan-id1 [ to vlan-id2 ] }&<1-10>
The trunk interface is added to a VLAN or multiple VLANs.
By default, VLAN 1 is the default VLAN of a trunk interface.
----End
3.4.4 Adding a Hybrid Interface to a VLAN
Context
Perform the following steps on the AR1200-S to add a hybrid interface to a VLAN.
Procedure
Step 1 Run:
system-view
Step 2 Run:
Step 3 Run:
port link-type hybrid
The link type of the interface is set to hybrid.
Step 4 Run one of the following commands depending on the mode being used:
l To add the hybrid interface to a VLAN or multiple VLANs in tagged mode, run port hybrid
tagged vlan { vlan-id1 [ to vlan-id2 ] }&<1-10>.
l To add the hybrid interface to a VLAN or multiple VLANs in untagged mode, run port
hybrid untagged vlan { vlan-id1 [ to vlan-id2 ] }&<1-10>.
By default, a hybrid interface is added to VLAN 1 in untagged mode.
----End
3.4.5 (Optional) Specifying the Default VLAN for a Trunk Interface
84
Context
Perform the following steps on the AR1200-S to specify the default VLAN for a trunk interface.
Procedure
Step 1 Run:
system-view
Step 2 Run:
Step 3 Run:
Step 4 Run:
port trunk pvid vlan vlan-id
The default VLAN of the trunk interface is specified.
By default, VLAN 1 is the default VLAN of trunk interfaces.
An interface does not belong to the default VLAN after the default VLAN is specified. To enable
the interface to forward packets of the default VLAN, add the interface to the default VLAN.
----End
3.4.6 (Optional) Specifying the Default VLAN for a Hybrid
Interface
Context
Perform the following steps on the AR1200-S to specify the default VLAN for a hybrid interface.
Procedure
Step 1 Run:
system-view
Step 2 Run:
Step 3 Run:
port link-type hybrid
The link type of the interface is set to hybrid.
85
Step 4 Run:
port hybrid pvid vlan vlan-id
The default VLAN of the hybrid interface is specified.
By default, VLAN 1 is the default VLAN of hybrid interfaces.
An interface does not belong to the default VLAN after the default VLAN is specified. To enable
the interface to forward packets of the default VLAN, add the interface to the default VLAN.
----End
Procedure
l Run the display interface [ interface-type [ interface-number ] ] command to check the
PVID of the interface.
l Run the display vlan [ vlan-id ] command to check information about the VLAN.
----End
Example
Run the display interface [ interface-type [ interface-number ] ] command to view the PVID
of an interface.
<Huawei> display interface ethernet 0/0/0
Ethernet0/0/0 current state : DOWN
Line protocol current state : DOWN
Description:HUAWEI, AR Series, Ethernet0/0/0 Interface
Switch Port,PVID : 6, TPID : 8100(Hex), The Maximum Frame Length is 9216
IP Sending Frames' Format is PKTFMT_ETHNT_2, Hardware address is 0018-2000-0083
Last physical up time : -
Last physical down time : 2009-04-19 18:25:51
Port Mode: COMMON FIBER
Speed : 1000, Loopback: NONE
Duplex: FULL, Negotiation: ENABLE
Mdi : NORMAL
Input peak rate 0 bits/sec,Record time: -
Output peak rate 0 bits/sec,Record time: -
Input: 0 packets, 0 bytes
Unicast: 0, Multicast: 0
Broadcast: 0, Jumbo: 0
Discard: 0, Total Error: 0

CRC: 0, Giants: 0
Jabbers: 0, Throttles: 0
Runts: 0, DropEvents: 0
Alignments: 0, Symbols: 0
Ignoreds: 0, Frames: 0

Output: 0 packets, 0 bytes
Unicast: 0, Multicast: 0
Broadcast: 0, Jumbo: 0
Discard: 0, Total Error: 0

Collisions: 0, ExcessiveCollisions: 0
86
Late Collisions: 0, Deferreds: 0
Buffers Purged: 0

Input bandwidth utilization threshold : 100.00%
Output bandwidth utilization threshold: 100.00%
Run the display vlan [ vlan-id ] command to view interfaces in a VLAN. The following
information shows that Ethernet0/0/1 is added to VLAN 2.
<Huawei> display vlan 2
* : management-vlan
---------------------
----------------------------------------------------------
----------------
Untagged Port: Ethernet0/0/1
----------------
Active Untag Port: Ethernet0/0/1
----------------
Interface Physical
Ethernet0/0/1 UP
3.5 Configuring VLANIF Interfaces to Implement Layer-3
Communication
This section describes how to configure VLANIF interfaces to implement Layer 3
communication.
When the AR1200-S needs to communicate with devices at the network layer, you can create
VLANIF interfaces (logical interfaces) on the AR1200-S. VLANIF interfaces can be assigned
IP addresses because they work at the network layer. The AR1200-S communicates with the
devices at the network layer through VLANIF interfaces.
Before creating a VLANIF interface, complete the following task:
l Creating VLANs
Data Preparation
To create a VLANIF interface, you need the following data.
No. Data
1 VLAN ID
2 IP address of a VLANIF interface

87
3.5.2 Creating a VLANIF Interface
Context
Perform the following steps on the AR1200-S to create a VLANIF interface.
Procedure
Step 1 Run:
system-view
Step 2 Run:
interface vlanif vlan-id
A VLANIF interface is created and the VLANIF interface view is displayed.
NOTE
A VLANIF interface can be Up only when the corresponding VLAN contains physical interfaces in Up
state.
----End
3.5.3 Assigning an IP Address to a VLANIF Interface
Context
Perform the following steps on the AR1200-S to assign an IP address to a VLANIF interface.
Procedure
Step 1 Run:
system-view
Step 2 Run:
Step 3 Run:
The IP address of the VLANIF interface is configured.
----End
3.5.4 (Optional) Setting the MTU of a VLANIF Interface
Context
l After using the mtu command on a specified interface to change the maximum transmission
unit (MTU), restart the interface to make the new MTU take effect. To restart the interface,
88
run the shutdown command and then the undo shutdown command, or run the restart
command in the interface view.
l If you change the MTU of an interface, you must use the mtu command to change the MTU
of the peer interface to the same value; otherwise, services may be interrupted.
Procedure
Step 1 Run:
system-view
Step 2 Run:
The VLANIF interface view is displayed.
Step 3 Run:
mtu mtu
The MTU of the VLANIF interface is set.
The MTU of a VLANIF interface ranges from 46 to 1500, in bytes. The default value is 1500.
NOTE
If the MTU is too small whereas the packet size is large, the packet will probably split into many fragments.
As a result, the packet may be discarded due to insufficient QoS queue length. To avoid this situation,
lengthen the QoS queue accordingly.
----End
3.5.5 (Optional) Configuring VLAN Damping
Context
Perform the following steps on the AR1200-S to configure VLAN damping.
Procedure
Step 1 Run:
system-view
Step 2 Run:
interface vlanif interface-number
The VLAN associated with the VLANIF interface is created.
Step 3 Run:
damping time delay-time
The delay for VLAN damping is set.
The value ranges from 0 to 20, in seconds.
89
By default, the damping time is 0 seconds, indicating that VLAN damping is not performed.
----End
Procedure
Step 1 Run the display interface vlanif [ vlan-id ] command to check information about a VLANIF
interface.
----End
Example
Run the display interface vlanif command to check the IP address of a VLANIF interface.
<Huawei> display interface vlanif
Vlanif5 current state : DOWN
Description:HUAWEI, AR Series, Vlanif5 Interface
Internet protocol processing : disabled
IP Sending Frames' Format is PKTFMT_ETHNT_2, Hardware address is 00e0-fc01-00e1
Input bandwidth utilization : --
Output bandwidth utilization : --
IP Sending Frames' Format is PKTFMT_ETHNT_2, Hardware address is 00e0-fc01-00e1
3.6 Configuring VLAN Aggregation
This section describes how to configure VLAN aggregation to minimize IP addresses occupied
by VLANs.
When many VLANs are deployed, numerous IP addresses are occupied. VLAN aggregation
helps solve this problem.
As shown in Figure 3-1, multiple VLANs are aggregated into a super-VLAN. The VLANs that
form the super-VLAN are called sub-VLANs, which use the same network segment.
90
Figure 3-1 Application scenario of VLAN aggregation
Sub-VLAN 2 Sub-VLAN 3
Super VLAN4
Router

When numerous VLANs exist on the Ethernet, VLAN aggregation can simplify the
configuration.
Before configuring VLAN aggregation, complete the following task:
l Connecting interfaces and setting the physical parameters of each interface to bring the
physical layer in Up state
Data Preparation
To configure VLAN aggregation, you need the following data.
No. Data
1 Sub-VLAN IDs and interface numbers
2 Super-VLAN ID
3 IP addresses and masks of the VLANIF interfaces

3.6.2 Configuring Sub-VLANs
Context
Perform the following steps on the AR1200-S to configure VLAN aggregation.
91
Procedure
Step 1 Run:
system-view
Step 2 Run:
Step 3 Run:
Step 4 Run:
quit
Step 5 Run:
vlan vlan-id
Step 6 Run:
port interface-type { interface-number1 [ to interface-number2 ] } &<1-10>
The interfaces are added to the VLAN.
----End
3.6.3 Creating a Super-VLAN
Context
Perform the following steps on the AR1200-S to create a super-VLAN.
Procedure
Step 1 Run:
system-view
Step 2 Run:
vlan vlan-id
Step 3 Run:
aggregate-vlan
The VLAN is configured as a super-VLAN.
92
The super-VLAN and sub-VLANs must use different VLAN IDs. A super-VLAN cannot contain
any physical interfaces.
Step 4 Run:
access-vlan { vlan-id1 [ to vlan-id2 ] } &<1-10>
The AR1200-S supports 8 sub-VLANs in a super-VLAN.
----End
3.6.4 Assigning an IP Address to the VLANIF Interface of the Super-
VLAN
Context
Perform the following steps on the AR1200-S to assign an IP address to the VLANIF interface
of the super-VLAN.
Procedure
Step 1 Run:
system-view
Step 2 Run:
The VLANIF interfaces can be configured only for a super-VLAN. Therefore, vlan-id specifies
the VLAN ID of the super-VLAN.
Step 3 Run:
The IP address of the VLANIF interface is configured.
The IP address of the VLANIF interface must be in the same network segment as users in the
sub-VLANs.
----End
3.6.5 Configuring Proxy ARP for the Super-VLAN
Context
Perform the following steps on the AR1200-S to configure proxy ARP for the super-VLAN.
Procedure
Step 1 Run:
system-view
93
Step 2 Run:
The vlan-id parameter specifies the ID of the super-VLAN.
Step 3 Run:
arp-proxy inter-sub-vlan-proxy enable
Proxy ARP is enabled between sub-VLANs.
----End
Procedure
l Run the display vlan [ vlan-id [ verbose ] ] command to check information about a VLAN.
l Run the display interface vlanif [ vlan-id ] command to check information about a
VLANIF interface.
l Run the display sub-vlan command to check mappings between sub-VLANs and super-
VLANs.
l Run the display super-vlan command to check sub-VLANs contained in a super-VLAN.
----End
Example
Run the display vlan verbose command to view the VLAN type.
<Huawei> display vlan 2 verbose
* : Management-VLAN
---------------------
VLAN ID : 2
VLAN Name :
VLAN Type : Super
Description : VLAN 0002
Status : Enable
Broadcast : Enable
MAC Learning : Enable
Smart MAC Learning : Disable
Current MAC Learning Result : Enable
Statistics : Disable
Property : Default
VLAN State : Down
---------------
sub-VLAN List: 20
Run the display interface vlanif command to view the physical status, link protocol status, IP
address, and mask of a VLANIF interface.
<Huawei> display interface vlanif 2
94
Run the display sub-vlan command. The command output shows mappings between sub-
VLANs and super-VLANs.
<Huawei> display sub-vlan
VLAN ID Super-vlan
-----------------------------
10 40
20 40
30 40
Run the display super-vlan command. The command output shows sub-VLANs contained in
a super-VLAN.
<Huawei> display super-vlan
VLAN ID Sub-vlan
--------------------------
40 10 20 30
3.7 Configuring a Management VLAN
This section describes how to configure a management VLAN.
To improve device security, only add trunk or hybrid interfaces (not access interfaces) to a
management VLAN.
Users usually log in to and manage the device through the VLANIF interface corresponding to
the management VLAN.
Before configuring a management VLAN, complete the following task:
l Creating a VLAN
Data Preparation
To configure a management VLAN, you need the following data.
No. Data
1 VLAN ID

3.7.2 Configuring Management VLAN Functions
Context
Perform the following steps on the AR1200-S to configure a management VLAN.
95
Procedure
Step 1 Run:
system-view
Step 2 Run:
vlan vlan-id
Step 3 Run:
management-vlan
The VLAN is configured as a management VLAN.
----End
Procedure
Step 1 Run the display vlan command to check the configuration of the management VLAN.
----End
Example
Run the display vlan command to view the configuration of VLANs. The VLAN marked with
* is the management VLAN.
<Huawei> display vlan
* : management-vlan
---------------------
The total number of vlans is : 6
--------------------------------------------------------------------------------
100 super enable enable forward forward forward default
202 mux enable enable forward forward forward default
1000 *common enable enable forward forward forward default
This section provides VLAN configuration examples.
3.8.1 Example for Configuring Interface-based VLAN Assignment
An enterprise requires departments in charge of the same service to communicate with each
other while isolating departments in charge of different services.
96
As shown in Figure 3-2, an enterprise has four departments. Department 1 is connected to
RouterA, which is connected to Ethernet 0/0/1 of the Router. Department 2 is connected to
RouterB, which is connected to Ethernet 0/0/2 of the Router. Department 3 is connected to
RouterC, which is connected to Ethernet 0/0/3 of the Router. Department 4 is connected to
RouterD, which is connected to Ethernet 0/0/4 of the Router. The requirements are as follows:
l Department 1 and Department 2 in VLAN 2 are isolated from Department 3 and Department
4 in VLAN 3.
l Department 1 and Department 2 in VLAN 2 can communicate with each other.
l Department 3 and Department 4 in VLAN 3 can communicate with each other.
Figure 3-2 Network diagram of interface-based VLAN assignment
Eth0/0/1
RouterA
Eth0/0/2 Eth0/0/3
Eth0/0/4
Department 1
VLAN2 VLAN3
RouterB RouterC RouterD
Router
Department 2 Department 3 Department 4

1. Create VLANs.
2. Add interfaces to the VLAN.
Data Preparation
l Ethernet 0/0/1 and Ethernet 0/0/2 belong to VLAN 2.
Procedure
Step 1 Configure the Router.
# Create VLAN 2.
[Huawei] vlan 2
[Huawei-vlan2] quit
# Set the link type of Ethernet 0/0/1 to trunk and add Ethernet 0/0/1 to VLAN 2.
[Huawei] interface ethernet 0/0/1
[Huawei-Ethernet0/0/1] port link-type trunk
97
[Huawei-Ethernet0/0/1] port trunk allow-pass vlan 2
[Huawei-Ethernet0/0/1] quit
[Huawei]interface ethernet 0/0/2
# Create VLAN 3.
[Huawei] vlan 3
[Huawei-vlan3] quit
Ping any host in VLAN 3 from a host in VLAN 2. The ping operation fails, indicating that
Department 1 and Department 2 are isolated from Department 3 and Department 4.
Ping any host in Department 2 from a host in Department 1. The ping operation is successful,
indicating that Department 1 and Department 2 can communicate with each other.
Ping any host in Department 4 from a host in Department 3. The ping operation is successful,
indicating that Department 3 and Department 4 can communicate with each other.
----End
Configuration Files
#
vlan batch 2 to 3
#
port trunk allow-pass vlan 2
#
#
#
#
return
98
3.8.2 Example for Configuring Communication Between VLANs
Using VLANIF Interfaces
As shown in Figure 3-3, Ethernet 0/0/1 of the Router is connected to the uplink interface of
SwitchA.
On SwitchA, the downlink interface Ethernet 0/0/1 is added to VLAN 10 and the downlink
interface Ethernet 0/0/2 is added to VLAN 20.
PC1 in VLAN 10 and PC2 in VLAN 20 need to communicate with each other.
Figure 3-3 Network diagram for communication between VLANs through VLANIF interfaces
SwitchA
Router
Eth0/0/1
Eth0/0/3
VLAN 10 VLAN 20
Eth0/0/1 Eth0/0/2
PC1 PC2
10.10.10.2/24 20.20.20.2/24

1. Add Ethernet interfaces to the VLAN.
2. Configure VLANIF interfaces.
Data Preparation
l Ethernet 0/0/1 of the Router belongs to VLAN 10 and VLAN 20.
l IP address of VLANIF 10 on the Router is 10.10.10.1/24.
l IP address of VLANIF 20 on the Router is 20.20.20.1/24.
l Ethernet 0/0/1 of SwitchA belongs to VLAN 10.
l Ethernet 0/0/2 of SwitchA belongs to VLAN 20.
l Ethernet 0/0/3 of SwitchA belongs to VLAN 10 and VLAN 20.
99
Procedure
Step 1 Configure the Router.
# Create VLANs.
[Router] vlan batch 10 20
# Add interfaces to the VLANs.
[Router-Ethernet0/0/1] port link-type trunk
[Router-Ethernet0/0/1] port trunk allow-pass vlan 10 20
# Assign IP addresses to the VLANIF interfaces.
[Router] interface vlanif 10
[Router-Vlanif10] ip address 10.10.10.1 24
[Router-Vlanif10] quit
[Router-Vlanif20] quit
Step 2 Configure SwitchA.
# Create VLANs.
[RouterA] vlan batch 10 20
[SwitchA] interface ethernet 0/0/1
[SwitchA-Ethernet0/0/1] port link-type access
[SwitchA-Ethernet0/0/1] port default vlan 10
[SwitchA-Ethernet0/0/1] quit
[SwitchA-Ethernet0/0/2] port link-type access
[SwitchA-Ethernet0/0/2] port default vlan 20
[RouterA-Ethernet0/0/3] port link-type trunk
[SwitchA-Ethernet0/0/3] port trunk allow-pass vlan 10 20
On PC1 in VLAN 10, configure the default gateway address as the IP address of VLANIF 10
(in this example: 10.10.10.1/24).
On PC2 in VLAN 20, configure the default gateway address as the IP address of VLANIF 20
(in this example: 20.20.20.1/24).
After the configuration is complete, PC1 in VLAN 10 can communicate with PC2 in VLAN 20.
----End
Configuration Files
#
sysname Router
100
#
vlan batch 10 20
#
interface Vlanif10
ip address 10.10.10.1 255.255.255.0
#
interface Vlanif20
ip address 20.20.20.1 255.255.255.0
#
port trunk allow-pass vlan 10 20
#
return
Configuration file of SwitchA
#
sysname SwitchA
#
vlan batch 10 20
#
#
#
port trunk allow-pass vlan 10 20
#
return
3.8.3 Example for Configuring VLAN Damping
As shown in Figure 3-4, the hosts in VLAN 10 communicate with the hosts outside VLAN 10
through VLANIF 10.
The VLAN damping feature is configured on VLANIF 10 to prevent route flapping caused by
changes in the status of the VLANIF interface.
101
Figure 3-4 Networking diagram of VLAN damping configuration
Router
E
t
h
0
/
0
/
0
E
t
h
0
/
0
/
1
VLANIF10
10.100.100.100/24
10.100.100.111/24 10.100.100.110/24
VLAN 10
IP
network

1. Create a VLAN.
2. Add interfaces to the VLAN.
3. Create a VLANIF interface and set the IP address of the VLANIF interface.
4. Set the VLAN damping delay.
Data Preparation
l VLAN ID
l Interface number
l Number of the VLANIF interface
l IP address of the VLANIF interface: 10.100.100.100/24
l VLAN damping delay: 20 seconds
Procedure
Step 1 Create a VLAN.
# Create VLAN 10.
[Router] vlan batch 10
Step 2 Add interfaces to the VLAN.
102
# Add Ethernet 0/0/0 to VLAN 10.
[Router-Ethernet0/0/0] port link-type access
[Router-Ethernet0/0/0] port default vlan 10
# Add Ethernet 0/0/1 to VLAN 10.
[Router-Ethernet0/0/1] port link-type access
[Router-Ethernet0/0/1] port default vlan 10
Step 3 Create VLANIF 10.
# Create VLANIF 10 and configure the IP address.
Step 4 Set the VLAN damping delay.
# Set the VLAN damping delay to 20 seconds.
[Router-Vlanif10] damping time 20
Run the display interface vlanif command on Router to view the VLAN damping delay.
<Router> display interface vlanif 10
Vlanif10 current state : UP
Last line protocol up time : 2008-01-25 09:05:13
Route Port,The Maximum Transmit Unit is 1500, The Holdoff Timer is 20(sec)
----End
Configuration Files
#
sysname Router
#
vlan batch 10
#
interface Vlanif10
ip address 10.100.100.100 255.255.255.0
damping time 20
#
#
#
return
3.8.4 Example for Configuring VLAN Aggregation
103
As shown in Figure 3-5, VLAN 2 and VLAN 3 are combined into a super-VLAN, VLAN 4.
The sub-VLANs (VLAN 2 and VLAN 3) cannot ping each other.
After proxy ARP is configured, VLAN 2 and VLAN 3 can ping each other.
Figure 3-5 Network diagram of VLAN aggregation
VLAN 2 VLAN 3
Router
Eth0/0/3
Eth0/0/4
Eth0/0/1
Eth0/0/2
VLAN3 VLAN2
VLANIF4:100.1.1.1/24

1. Add interfaces of the Router to sub-VLANs.
2. Add the sub-VLANs to the super-VLAN.
3. Configure the IP address for the super-VLAN.
4. Configure proxy ARP for the super-VLAN.
Data Preparation
l The VLAN ID of the super-VLAN is 4.
l The IP address of the super-VLAN is 100.1.1.1.
Procedure
Step 1 Set the interface type.
104
# Configure Ethernet 0/0/1 as an access interface.
[Huawei-Ethernet0/0/1] port link-type access
Step 2 Configure VLAN 2.
# Create VLAN 2.
[Huawei] vlan 2
# Add Ethernet 0/0/1 and Ethernet 0/0/2 to VLAN 2.
[Huawei-vlan2] port ethernet 0/0/1 0/0/2
[Huawei-vlan2] quit
# Create VLAN 3.
[Huawei] vlan 3
# Add Ethernet 0/0/3 and Ethernet 0/0/4 to VLAN 3.
[Huawei-vlan3] port ethernet 0/0/3 0/0/4
[Huawei-vlan3] quit
# Configure the super-VLAN.
[Huawei] vlan 4
[Huawei-vlan4] aggregate-vlan
[Huawei-vlan4] access-vlan 2 to 3
# Configure the VLANIF interface.
[Huawei] interface vlanif 4
[Huawei-Vlanif4] ip address 100.1.1.1 255.255.255.0
[Huawei-Vlanif4] quit
Step 5 Configure the personal computers.
Configure the IP address for each personal computer and ensure that they reside in the same
network segment as VLAN 4.
105
After the preceding configuration is complete, the personal computers and the Router can ping
each other, but the computers in VLAN 2 and the computers in VLAN 3 cannot ping each other.
Step 6 Configure proxy ARP.
[Huawei-Vlanif4] arp-proxy inter-sub-vlan-proxy enable
After the preceding configuration is complete, the computers in VLAN 2 and the computers in
VLAN 3 can ping each other.
----End
Configuration Files
#
vlan batch 2 to 4
#
vlan 4
aggregate-vlan
access-vlan 2 to 3
#
interface Vlanif4
ip address 100.1.1.1 255.255.255.0
arp-proxy inter-sub-vlan-proxy enable
#
port default vlan 2
#
port default vlan 2
#
port default vlan 3
#
port default vlan 3
#
return
3.8.5 Example for Configuring Communication Across a Layer 3
Network Using VLANIF Interfaces
As shown in Figure 3-6, RouterA and RouterB connect to Layer 2 networks on VLAN 10.
RouterA and RouterB communicate with each other through an OSPF-enabled Layer 3 network.
The computers on the two Layer 2 networks need to be isolated at Layer 2 and communicate at
Layer 3.
106
Figure 3-6 Network diagram of communication across a Layer 3 network through VLANIF
interfaces
E
t
h
0
/
0
/
1
Eth0/0/1 Eth0/0/2
E
t
h
0
/
0
/
2
VLAN 10 VLAN 10
OSPF
RouterA
RouterB
VLANIF10 VLANIF10
10.10.10.2/24 20.20.20.2/24

1. Add interfaces to the VLANs.
2. Assign IP addresses to VLANIF interfaces.
3. Configure basic OSPF functions.
Data Preparation
l Ethernet 0/0/1 of RouterA belongs to VLAN 10, and IP address of VLANIF 10 is
10.10.10.1/24.
l Ethernet 0/0/2 of RouterB belongs to VLAN 10, and IP address of VLANIF 10 is
20.20.20.1/24
l Ethernet 0/0/2 of RouterA belongs to VLAN 30, and IP address of VLANIF 30 is
30.30.30.1/24.
l Ethernet 0/0/1 of RouterB belongs to VLAN 30, and IP address of VLANIF 30 is
30.30.30.2/24.
l IP address of the computer on the Layer 2 network connected to RouterA is 10.10.10.2/24.
l IP address of the computer on the Layer 2 network connected to RouterB is 20.20.20.2/24.
Procedure
# Create VLANs.
107
[RouterA] vlan batch 10 30
[RouterA-Ethernet0/0/1] port trunk allow-pass vlan 10
[RouterA-Ethernet0/0/2] port trunk allow-pass vlan 30
[RouterA-Vlanif10] ip address 10.10.10.1 24
[RouterA-Vlanif30] ip address 30.30.30.1 24
# Configure basic OSPF functions.
[RouterA] router id 1.1.1.1
[RouterA] ospf
[RouterA-ospf-1] area 0
[RouterA-ospf-1-area-0.0.0.0] network 10.10.10.0 0.0.0.255
[RouterA-ospf-1-area-0.0.0.0] network 30.30.30.0 0.0.0.255
[RouterA-ospf-1-area-0.0.0.0] quit
Step 2 Configure RouterB.
# Create VLANs.
[RouterB] vlan batch 10 30
[RouterB-Ethernet0/0/2] port link-type trunk
[RouterB-Ethernet0/0/2] port trunk allow-pass vlan 10
[RouterB-Ethernet0/0/1] port link-type trunk
[RouterB-Ethernet0/0/1] port trunk allow-pass vlan 30
[RouterB-Vlanif10] ip address 20.20.20.1 24
[RouterB-Vlanif30] ip address 30.30.30.2 24
# Configure basic OSPF functions.
[RouterB] router id 2.2.2.2
[RouterB] ospf
[RouterB-ospf-1] area 0
[RouterB-ospf-1-area-0.0.0.0] network 20.20.20.0 0.0.0.255
[RouterB-ospf-1-area-0.0.0.0] network 30.30.30.0 0.0.0.255
[RouterB-ospf-1-area-0.0.0.0] quit
108
On the computer on the Layer 2 network connected to RouterA, set the default gateway address
to the IP address of VLANIF 10 (10.10.10.1/24 in this example).
On the computer on the Layer 2 network connected to RouterB, set the default gateway address
to the IP address of VLANIF 10 (20.20.20.1/24 in this example).
After the configurations are complete, computers on the two Layer 2 networks are isolated at
Layer 2 and can communicate at Layer 3.
----End
Configuration Files
#
sysname RouterA
#
router id 1.1.1.1
#
vlan batch 10 30
#
interface Vlanif10
ip address 10.10.10.1 255.255.255.0
#
interface Vlanif30
ip address 30.30.30.1 255.255.255.0
#
#
#
ospf 1
area 0.0.0.0
network 10.10.10.0 0.0.0.255
network 30.30.30.0 0.0.0.255
#
return
#
sysname RouterB
#
router id 2.2.2.2
#
vlan batch 10 30
#
interface Vlanif10
ip address 20.20.20.1 255.255.255.0
#
interface Vlanif30
ip address 30.30.30.2 255.255.255.0
#
#
109
#
ospf 1
area 0.0.0.0
network 20.20.20.0 0.0.0.255
network 30.30.30.0 0.0.0.255
#
return
110
4 Voice VLAN Configuration
About This Chapter
This chapter describes voice VLAN concepts and how to configure voice VLAN.
4.1 Voice VLAN Overview
This section describes the voice VLAN concepts.
4.2 Voice VLAN Features Supported by the AR1200-S
This section describes the voice VLAN features supported by the AR1200-S.
4.3 Configuring a Voice VLAN
This chapter describes how to configure a voice VLAN.
This section provides configuration examples for voice VLAN.
Configuration Guide - LAN 4 Voice VLAN Configuration
111
4.1 Voice VLAN Overview
This section describes the voice VLAN concepts.
Data flows of the high speed Internet (HSI), voice over IP (VoIP), and Internet protocol television
(IPTV) services are transmitted on a network. Users require high-quality VoIP services;
therefore, voice data flows must be given a high-priority and transmitted through a dedicated
path.
A voice VLAN transmits voice data flows. You can create a voice VLAN and add an interface
connected to a voice device to the voice VLAN. Then voice data flows can be transmitted in the
voice VLAN. By configuring a voice VLAN, you can set quality of service (QoS) parameters
for the voice data flows to increase the priority of the voice service and improve the call quality.
4.2 Voice VLAN Features Supported by the AR1200-S
This section describes the voice VLAN features supported by the AR1200-S.
Voice Data Flow Identification
The AR1200-S identifies voice data flows based on the source MAC addresses of incoming data
flows. If the source MAC address of a data flow matches the Organizationally Unique Identifier
(OUI), the AR1200-S identifies the data flow as a voice data flow.
The OUI is the first 24 bits of a MAC address. The Institute of Electrical and Electronics
Engineers (IEEE) assigns an OUI to each vendor, so you can identify the vendor of a device
according to the OUI.
The AR1200-S supports a maximum of 16 OUIs. You can set the mask of the OUI on the
AR1200-S to adjust the length of the MAC address that the AR1200-S matches with the OUI.
Mode for Adding an Interface to the Voice VLAN
You can use either of the following modes to add an interface to the voice VLAN according to
the data flows on the interface:
l Auto mode
In auto mode, the system adds an interface connected to a voice device to the voice VLAN
if the source MAC address of packets sent from the voice device matches the OUI. The
interface is automatically deleted from the voice VLAN if the interface does not receive
any voice data packets from the voice device within the aging time.
l Manual mode
In manual mode, the interface connected to a voice device can forward voice data packets
only after the interface is added to the voice VLAN manually.
The SRU of the AR1200-S supports only the manual mode. Auto mode can be supported when
board of 8FE1GE is installed on AR1200-S.
112
Working Mode of the Voice VLAN
NOTE
It is recommended that only voice data flows be transmitted in the voice VLAN. If it is necessary to transmit
non-voice data flows in the voice VLAN, set the working mode of the voice VLAN to normal mode.
The voice VLAN supports the secure mode and normal mode for transmitting different data
flows. Table 4-1 describes the two working modes.
The AR1200-S supports only the normal mode.
Table 4-1 Packet processing in different working modes of the voice VLAN
Working Mode Processing Method
Secure mode The AR1200-S checks whether the source MAC
addresses of packets match the OUI.
l If so, the AR1200-S changes the priority of the
packets and forwards the packets.
l If not, the AR1200-S does not change the priority
or forward the packets in the voice VLAN.
Normal mode The AR1200-S checks whether the source MAC
addresses of packets match the OUI.
l If so, the AR1200-S changes the priority of the
packets and forwards the packets.
l If not, the AR1200-S forwards the packets in the
voice VLAN without changing the priority of the
packets.

4.3 Configuring a Voice VLAN
This chapter describes how to configure a voice VLAN.
Before configuring a voice VLAN, familiarize yourself with the applicable environment,
complete the pre-configuration tasks, and obtain the required data. This helps you complete the
As shown in Figure 4-1, terminals of the high speed Internet (HSI), voice over IP (VoIP), and
Internet protocol television (IPTV) services are connected to the Router through a home gateway
(HG). Users require high-quality VoIP services; therefore, voice data flows must be given a high
priority to ensure the call quality.
You can configure a voice VLAN on the Router to meet QoS requirements for VoIP services.
113
Figure 4-1 Application scenario of the voice VLAN
Router
HG
Internet
DHCP Server
HSI VoIP IPTV

After the voice VLAN is configured on the Router, the Router identifies voice data flows based
on the source MAC addresses of incoming data flows. If the source MAC address of a flow
matches the OUI configured on the Router, the flow is identified as a voice data flow. After the
Router receives a voice data flow, it changes the priority of the flow and transmits the flow in
the voice VLAN to ensure the call quality.
Before configuring a voice VLAN, complete the following task:
l Creating a VLAN
Data Preparation
To configure a voice VLAN, you need the following data.
No. Data
1 ID of the voice VLAN
2 Type and number of the interface on which the voice VLAN is enabled
3 Mode used to add the interface to the voice VLAN
4 OUI and mask of the voice VLAN
5 (Optional) Voice VLAN aging time
6 (Optional) Working mode of the voice VLAN
114

4.3.2 Enabling the Voice VLAN Function on an Interface
After the voice VLAN is configured on the AR1200-S, the AR1200-S identifies voice data flows
based on the source MAC addresses of incoming data flows. If the source MAC address of a
flow matches the OUI configured on the AR1200-S, the flow is identified as a voice data flow.
After the AR1200-S receives a voice data flow, it changes the priority of the flow and transmits
the flow in the voice VLAN to ensure the call quality.
Procedure
Step 1 Run:
system-view
Step 2 Run:
Step 3 Run:
voice-vlan vlan-id enable
The specified VLAN is configured as a voice VLAN and the voice VLAN function is enabled.
By default, the voice VLAN function is disabled.
NOTE
l When the voice VLAN function is enabled on an interface of the main control board, configure the
default VLAN for the interface. The voice VLAN and default VLAN of an interface must be different
VLANs to ensure efficient transmission of different types of service traffic.
l Before deleting a VLAN that has been configured as a voice VLAN, run the undo voice-vlan
enable command to disable the voice VLAN function.
l Only one VLAN can be configured as the voice VLAN on an interface.
----End
4.3.3 Setting the OUI of the Voice VLAN
The AR1200-S identifies voice data flows based on the source MAC addresses of incoming data
flows. If the source MAC address of a data flow matches the Organizationally Unique Identifier
(OUI) configured on the AR1200-S, the AR1200-S identifies the data flow as a voice data flow.
Context
The OUI is the first 24 bits of a MAC address. The Institute of Electrical and Electronics
Engineers (IEEE) assigns an OUI to each vendor, so you can identify the vendor of a device
according to the OUI. You can set the mask of the OUI on the AR1200-S to adjust the length of
the MAC address that the AR1200-S matches with the OUI. Perform the following steps to set
the OUI of a voice VLAN.
115
Procedure
Step 1 Run:
system-view
Step 2 Run:
voice-vlan mac-address mac-address mask oui-mask [ description text ]
The OUI of the voice VLAN is set.
By default, no OUI is set.
You can set a maximum of 16 OUIs on the AR1200-S. When the maximum is reached, new
OUIs cannot be set.
----End
4.3.4 (Optional) Setting the Mode for Adding an Interface to the
Voice VLAN
An interface can be added to the voice VLAN in manual mode.
Context
In manual mode, the interface connected to a voice device can forward voice data packets only
after the interface is added to the voice VLAN manually.
Procedure
l Configuring the manual mode
1. Run:
system-view
2. Run:
3. Run:
voice-vlan mode manual
The mode used to add the interface to the voice VLAN is set to manual.
4. Depending on the type of interface, refer to the following sections to add the interface
to the voice VLAN:
To add an access interface to the voice VLAN, see 3.4.2 Adding an Access
Interface to a VLAN.
To add a trunk interface to the voice VLAN, see 3.4.3 Adding a Trunk Interface
to a VLAN.
To add a hybrid interface to the voice VLAN, see 3.4.4 Adding a Hybrid Interface
to a VLAN.
----End
116
4.3.5 (Optional) Setting the Voice VLAN Aging Time
The voice VLAN aging time can only be set when the VLAN is in auto mode.
Context
You can set the voice VLAN aging time so that interfaces are automatically deleted from the
voice VLAN if packets are not received from the voice device within the specified aging time.
If the interface receives voice data packets from the voice device again, the interface is re-added
to the voice VLAN.
Procedure
Step 1 Run:
system-view
Step 2 Run:
voice-vlan aging-time minutes
The voice VLAN aging time is set.
By default, the voice VLAN aging time is 1440 minutes.
----End
4.3.6 (Optional) Setting the Working Mode of the Voice VLAN
The voice VLAN can work in normal mode.
Context
In normal mode, the interface on which voice VLAN is enabled forwards both voice data packets
and service data packets. The interface does not check the source MAC addresses of received
packets. Therefore, the voice VLAN is vulnerable to attacks from malicious data flows.
Procedure
l Configuring the normal mode
1. Run:
system-view
2. Run:
3. Run:
undo voice-vlan security enable
The voice VLAN is configured to work in normal mode.
----End
117
4.3.7 (Optional) Enabling an Interface to Communicate with Non-
Huawei Voice Devices
IP phones of some vendors send proprietary protocol packets instead of DHCP packets to apply
for an IP address. To enable a Huawei device to communicate with non-Huawei voice devices,
you can use the voice-vlan legacy command to enable the Huawei device to identify proprietary
protocol packets.
Procedure
Step 1 Run:
system-view
Step 2 Run:
Step 3 Run:
voice-vlan legacy enable
The interface is enabled to communicate with non-Huawei voice devices that use proprietary
protocols to request IP addresses.
By default, an interface cannot communicate with non-Huawei voice devices that use proprietary
protocols to request IP addresses.
----End
You can check the voice VLAN configuration, including the OUI, working mode, aging time,
and interface on which the voice VLAN is enabled.
Procedure
l Run the display voice-vlan oui command to check the OUI, OUI mask, OUI description
set in the system.
l Run the display voice-vlan [ vlan-id ] status command to check information about a voice
VLAN, including the status, working mode, and aging time of the voice VLAN.
----End
Example
Run the display voice-vlan oui command to check the OUI of the voice VLAN.
<Huawei> display voice-vlan oui
---------------------------------------------------
OuiAddress Mask Description
---------------------------------------------------
0022-0033-0044 ffff-ff00-0000
Run the display voice-vlan 10 status command to check the status, working mode, and aging
time of voice VLAN 10.
118
<Huawei> display voice-vlan 10 status
Voice VLAN Configurations:
---------------------------------------------------
Voice VLAN ID : 10
Voice VLAN status : Enable
Voice VLAN aging time : 4000(minutes)
Voice VLAN 8021p remark : 6
Voice VLAN dscp remark : 46
----------------------------------------------------------
Port Information:
-----------------------------------------------------------
Port Add-Mode Security-Mode Legacy
-----------------------------------------------------------
Ethernet0/0/1 Auto Security Disable
This section provides configuration examples for voice VLAN.
4.4.1 Example for Configuring a Voice VLAN in Manual Mode
In manual voice VLAN mode, an interface must be added to the voice VLAN manually after
the voice VLAN function is enabled on the interface. The interface connected to a voice device
can forward voice data packets only after the interface is added to the voice VLAN manually.
Data flows of the HSI, VoIP, and IPTV services are transmitted on the network. Users require
high quality of VoIP services; therefore, voice data flows must be transmitted with a high
priority.
As shown in Figure 4-2, the voice VLAN function is configured on the Router. The Router
determines whether a data packet received by Ethernet0/0/1 is a voice data packet based on the
source MAC address. If the source MAC address matches the OUI, the Router changes the packet
priority and transmits the packet in the voice VLAN. Otherwise, the Router does not change the
packet priority and transmits the packet in a common VLAN. Ethernet0/0/1 connects to the
WAN through Eth1/0/0 and needs to be added to or deleted from the voice VLAN manually.
119
Figure 4-2 Networking diagram of a voice VLAN in manual mode
Router
HG
Internet
DHCP Server
HSI VoIP IPTV
Eth0/0/1
Eth1/0/0

1. Create VLANs and VLANIF interfaces on the Router and configure interfaces so that
enterprise users can access the WAN through the Router.
2. Enable the voice VLAN function on Ethernet0/0/1 and configure the voice VLAN.
3. Configure a traffic policy and apply it to the inbound interface of voice data packets.
Data Preparation
l ID of the voice VLAN: VLAN 2
l ID of the VLAN that the IP phone uses to request an IP address: VLAN 6
l IP address of the VLANIF interface corresponding to the voice VLAN: 192.168.2.1/24
l OUI and mask of the voice VLAN: 0011-2200-0000 and ffff-ff00-0000
l Default VLAN of Ethernet0/0/1: VLAN 6
l IP address of the WAN-side interface: 192.168.4.1/24
l Re-marked DSCP priority for voice data packets with the source MAC address
0011-2200-0000 or VLAN ID 2: 46
l Type and number of the interface and direction to which the traffic policy is applied:
inbound direction of Ethernet0/0/1 on the Router
120
Procedure
Step 1 Create VLANs and configure interfaces on the Router.
# Create VLAN 2 and VLAN 6.
[Huawei] vlan batch 2 6
# Configure the link type and default VLAN of Ethernet0/0/1.
[Huawei-Ethernet0/0/1] port hybrid pvid vlan 6
[Huawei-Ethernet0/0/1] port hybrid untagged vlan 6
# Create VLANIF 2 and assign IP address 192.168.2.1/24 to VLANIF 2.
[Huawei-Vlanif2] ip address 192.168.2.1 24
[Huawei-Vlanif2] quit
# Assign IP address 192.168.4.1/24 to Ethernet1/0/0.
[Huawei-Ethernet1/0/0] ip address 192.168.4.1 24
Step 2 Configure the voice VLAN on the Router.
# Configure the priority of the voice VLAN.
[Huawei] vlan 2 priority 6
# Enable the voice VLAN on Ethernet0/0/1.
[Huawei-Ethernet0/0/1] voice-vlan 2 enable
# Configure the mode in which Ethernet0/0/1 is added to the voice VLAN.
[Huawei-Ethernet0/0/1] voice-vlan mode manual
[Huawei-Ethernet0/0/1] port hybrid tagged vlan 2
# Configure the OUI of the voice VLAN.
[Huawei] voice-vlan mac-address 0011-2200-0000 mask ffff-ff00-0000
# Configure the working mode of the voice VLAN.
[Huawei-Ethernet0/0/1] undo voice-vlan security enable
Step 3 Configure a traffic policy and apply it to the inbound interface of voice data packets.
# Configure traffic classifier c1 on the Router.
[Huawei] traffic classifier c1 operator and
[Huawei-classifier-c1] if-match source-mac 0011-2200-0000 mac-address-mask ffff-
ff00-0000
[Huawei-classifier-c1] if-match vlan-id 2
[Huawei-classifier-c1] quit
# Configure traffic behavior b1 on the Router to re-mark the priority of voice data packets.
[Huawei] traffic behavior b1
[Huawei-behavior-b1] remark dscp 46
[Huawei-behavior-b1] quit
121
# Create traffic policy p1 on the Router, bind the traffic behavior and traffic classifier to the
traffic policy, and apply the traffic policy to the inbound direction of Ethernet0/0/1.
[Huawei] traffic policy p1
[Huawei-trafficpolicy-p1] classifier c1 behavior b1
[Huawei-trafficpolicy-p1] quit
[Huawei-Ethernet0/0/1] traffic-policy p1 inbound
[Huawei] quit
Run the display voice-vlan oui command to check whether OUI of the voice VLAN.
<Huawei> display voice-vlan oui
---------------------------------------------------
OuiAddress Mask Description
---------------------------------------------------
0011-2200-0000 ffff-ff00-0000
Run the display voice-vlan 2 status command to check the voice VLAN configuration,
including the status, aging time, and mode in which the interface is added to the voice VLAN.
<Huawei> display voice-vlan 2 status
Voice VLAN Configurations:
---------------------------------------------------
Voice VLAN ID : 2
Voice VLAN status : Enable
Voice VLAN aging time : 1440(minutes)
Voice VLAN 8021p remark : 6
Voice VLAN dscp remark : 46
----------------------------------------------------------
Port Information:
-----------------------------------------------------------
Port Add-Mode Security-Mode Legacy
-----------------------------------------------------------
Ethernet0/0/1 Manual Normal Disable
Run the display traffic policy user-defined command to view details about the traffic policy
configuration.
<Huawei> display traffic policy user-defined p1
User Defined Traffic Policy Information:
Policy: p1
Classifier: c1
Operator: AND
Behavior: b1
Marking:
Remark DSCP 46

----End
Configuration Files
#
vlan batch 2 6
#
voice-vlan mac-address 0011-2200-0000 mask ffff-ff00-0000
#
traffic classifier c1 operator and
if-match source-mac 0011-2200-0000 mac-address-mask ffff-ff00-0000
if-match vlan-id 2
#
122
traffic behavior b1
remark dscp 46
#
traffic policy p1
classifier c1 behavior b1
#
interface Vlanif2
ip address 192.168.2.1 255.255.255.0
#
port hybrid pvid vlan 6
port hybrid tagged vlan 2
port hybrid untagged vlan 6
voice-vlan 2 enable
voice-vlan mode manual
undo voice-vlan security enable
traffic-policy p1 inbound
#
ip address 192.168.4.1 255.255.255.0
#
return
123
5 GVRP Configuration
About This Chapter
This chapter describes basic GVRP concepts, GVRP configuration procedures, and concludes
with a GVRP configuration example.
5.1 GVRP Overview
This section explains the concept of Generic Attribute Registration Protocol (GARP) and GARP
VLAN Registration Protocol (GVRP), and how they relate to each another.
5.2 GVRP Features Supported by the AR1200-S
This section describes the GVRP features supported by the AR1200-S.
5.3 Configuring GVRP
This section describes how to configure the GVRP function.
5.4 Maintaining GVRP
This section describes how to clear the GARP statistics.
This section provides a configuration example for GVRP.
Configuration Guide - LAN 5 GVRP Configuration
124
5.1 GVRP Overview
This section explains the concept of Generic Attribute Registration Protocol (GARP) and GARP
VLAN Registration Protocol (GVRP), and how they relate to each another.
GVRP
GVRP is an application of GARP that maintains and propagates VLAN registration information
to other devices.
GARP
GARP enables member routers on a LAN to distribute, transmit, and register information such
as VLAN information and multicast addresses with one another.
GARP is not an entity on a device. GARP-compliant entities are called GARP participants.
GVRP is a GARP application. When a GARP application runs on an interface, the interface is
considered a GARP participant.
GARP members transmit VLAN registration information by exchanging GARP messages. The
three main GARP messages are Join, Leave, and LeaveAll.
l Join messages: When a GARP participant expects other devices to register its attributes, it
sends Join messages to other devices. When the GARP participant receives a Join message
from another participant or is statically configured with attributes, it also sends Join
messages to other devices for the devices to register the new attributes.
l Leave messages: When a GARP participant expects other devices to deregister its attributes,
it sends Leave messages to other devices. When the GARP participant receives a Leave
message from another participant or some of its attributes are statically deregistered, it also
sends Leave messages to other devices.
l LeaveAll messages: When a GARP participant is enabled, the LeaveAll timer is started.
When the LeaveAll timer expires, the GARP participant sends LeaveAll messages to
request other GARP participants to deregister all the attributes of the sender. Then other
participants can re-register the attributes.
The Join, Leave, and LeaveAll messages are used to control registration and deregistration of
attributes.
Through GARP messages, all attributes that need to be registered are sent to all the GARP-
enabled devices on the same LAN.
The intervals for sending GARP messages are controlled by GARP timers. GARP defines four
timers to control the intervals for sending GARP messages.
l Hold timer: When a GARP participant receives a registration message from another
participant, it does not send the registration message in a Join message to other participants
immediately. Instead, the participant starts the Hold timer. When the Hold timer expires,
the participant packs all the registration messages received within this period in a Join
message and sends the Join message to other participants. Hold timers help economize
bandwidth.
l Join timer: To ensure reliable transmission of Join messages, a participant can send each
Join message twice. If the participant does not receive a response after sending the Join
125
message the first time, it sends the Join message again. The Join timer specifies the interval
between the two Join messages.
l Leave timer: When a GARP participant expects other participants to deregister its attribute,
it sends Leave messages to other participants. When another participant receives the Leave
message, it starts the Leave timer. If the participant does not receive any Join message
before the Leave timer expires, it deregisters the attributes of the Leave message sender.
l LeaveAll timer: When a GARP participant is enabled, the LeaveAll timer is started. When
the LeaveAll timer expires, the GARP participant sends LeaveAll messages to request other
GARP participants to re-register all its attributes. Then the LeaveAll timer restarts.
NOTE
l The GARP timers apply to all GARP participants (such as GVRP) on the same LAN.
l The Hold timer, Join timer, and Leave timer must be set individually on each interface, whereas the
LeaveAll timer is set globally and takes effect on all interfaces of a device.
l Devices on a network may have different settings for the LeaveAll timer. In this case, all the devices
use the smallest LeaveAll timer value on the network. When the LeaveAll timer of a device expires,
the device sends LeaveAll messages to other devices. After other devices receive the LeaveAll
messages, they reset their LeaveAll timers. Therefore, only the LeaveAll timer with the smallest value
takes effect even if devices have different settings for the LeaveAll timer.
l GARP operation process
Through GARP, the configuration information of a GARP member can be propagated on
the entire LAN. A GARP member may be a terminal workstation or a bridge. A GARP
member sends an attribute declaration or an attribute reclaim declaration to request other
GARP members to register or deregister its attributes. The GARP member can also register
or deregister attributes of other members when receiving attribute declarations or attribute
reclaim declarations from other members. When an interface receives an attribute
declaration, it registers the attribute. When the interface receives an attribute reclaim
declaration, the interface deregisters the attribute.
PDUs sent from a GARP participant use a multicast MAC address as the destination MAC
address. When a device receives a packet from a GARP participant, the device identifies
the packet according to the destination MAC address of the packet and sends the packet to
the corresponding GARP participant (such as GVRP).
l Format of a GARP packet
Figure 5-1 shows the format of a GARP packet.
126
Figure 5-1 Format of a GARP packet
DA SA length DSAP SSAP Ctrl PDU
Protocol ID Message 1

Message N End Mark
Attribute Type Attribute List
Attribute 1 End Mark Attribute N
Attribute Length Attribute Event Attribute Value

Ethernet Frame
GARP PDU structure
1
1
1
1
N
N
N
N
3
2
2
3
Message structure
Attribute List structure
Attribute structure

The following table describes the fields in a GARP packet.
Field Description Value
Protocol ID Indicates the protocol ID. The value is 1.
Message Indicates the messages in
the packet. A message
consists of the Attribute
Type and Attribute List
fields.
-
Attribute Type Indicates the type of an
attribute, which is defined
by the GARP application.
The value is 0x01 for
GVRP, indicating that the
attribute value is a VLAN
ID.
Attribute List Indicates the attribute list,
which consists of multiple
attributes.
-
Attribute Indicates an attribute,
which consists of the
Attribute Length, Attribute
Event, and Attribute Value
fields.
-
Attribute Length Indicates the length of an
attribute.
The value ranges from 2 to
255, in bytes.
127
Field Description Value
Attribute Event Indicates the event that an
attribute describes.
The value can be:
l 0: LeaveAll event
l 1: JoinEmpty event
l 2: JoinIn event
l 3: LeaveEmpty event
l 4: LeaveIn event
l 5: Empty event
Attribute Value Indicates the value of an
attribute.
The value is a VLAN ID for
GVRP. This field is invalid
in a LeaveAll attribute.
End Mark Indicates the end of a
GARP PDU.
The value is 0x00.

5.2 GVRP Features Supported by the AR1200-S
This section describes the GVRP features supported by the AR1200-S.
GVRP is an application of GARP. Based on the working mechanism of GARP, GVRP maintains
dynamic VLAN registration information in a device and propagates the registration information
to other devices.
After GVRP is enabled on the AR1200-S, the AR1200-S can receive VLAN registration
information from other devices and dynamically update local VLAN registration information.
VLAN registration information includes which VLAN members are on the VLAN and through
which interfaces their packets can be sent to the AR1200-S. The AR1200-S can also send the
local VLAN registration information to other devices. By exchanging VLAN registration
information, all the devices on the same LAN have the same VLAN information. The VLAN
registration information transmitted through GVRP contains both static local registration
information that is manually configured and the dynamic registration information from other
devices.
A GVRP interface supports three registration modes:
l Normal: In this mode, the GVRP interface can dynamically register and deregister VLANs,
and transmit dynamic VLAN registration information and static VLAN registration
information.
l Fixed: In this mode, the GVRP interface is disabled from dynamically registering and
deregistering VLANs and can transmit only the static registration information. If the
registration mode is set to fixed for a trunk interface, the interface allows only the manually
configured VLANs to pass even if it is configured to allow all the VLANs to pass.
l Forbidden: In this mode, the GVRP interface is disabled from dynamically registering and
deregistering VLANs and can transmit only information about VLAN 1. If the registration
mode is set to forbidden for a trunk interface, the interface allows only VLAN 1 to pass
even if it is configured to allow all the VLANs to pass.
128
NOTE
The AR1200-S supports a maximum of 256 dynamic VLANs when using default GARP timers. When the
recommended GARP timer settings are used, the AR1200-S supports a maximum of 4094 dynamic VLANs.
GVRP can run only in the instances corresponding to the port-based VLANs. In addition, the ports blocked
by MSTP, cannot send or receive GVRP packets.
5.3 Configuring GVRP
This section describes how to configure the GVRP function.
On a complicated Layer 2 network, you can enable interfaces to dynamically join or leave
VLANs by configuring the GVRP function. The GVRP function simplifies VLAN
configuration.
Before configuring the GVRP function, complete the following task:
l Adding the GVRP interfaces to all VLANs
Data Preparation
To configure the GVRP function, you need the following data.
No. Data
1 (Optional) Registration mode for GVRP interfaces
2 (Optional) Values of the GARP timers

5.3.2 Enabling GVRP
Context
Perform the following steps on the AR1200-S to enable GVRP.
Procedure
Step 1 Run:
system-view
Step 2 Run:
gvrp
129
GVRP is enabled globally.
Step 3 Run:
Step 4 Run:
Step 5 Run:
port trunk allow-pass vlan { { vlan-id1 [ to vlan-id2 ] }&<1-10> | all }
The interface is added to the specified VLANs.
Step 6 Run:
gvrp
GVRP is enabled on the interface.
By default, GVRP is disabled globally and on each interface.
NOTE
l Before enabling GVRP on an interface, you must enable GVRP globally.
l Before enabling GVRP on an interface, you must set the link type of the interface to trunk.
----End
5.3.3 (Optional) Setting the Registration Mode for a GVRP Interface
Context
A GVRP interface supports three registration modes:
l Normal: In this mode, the GVRP interface can dynamically register and deregister VLANs,
and transmit dynamic VLAN registration information and static VLAN registration
information.
l Fixed: In this mode, the GVRP interface is disabled from dynamically registering and
deregistering VLANs and can transmit only the static registration information. If the
registration mode is set to fixed for a trunk interface, the interface allows only the manually
configured VLANs to pass even if it is configured to allow all the VLANs to pass.
l Forbidden: In this mode, the GVRP interface is disabled from dynamically registering and
deregistering VLANs and can transmit only information about VLAN 1. If the registration
mode is set to forbidden for a trunk interface, the interface allows only VLAN 1 even if it
is configured to allow all the VLANs to pass.
Perform the following steps on the AR1200-S to set the registration mode for an interface.
Procedure
Step 1 Run:
system-view
130
Step 2 Run:
Step 3 Run:
gvrp registration { fixed | forbidden | normal }
The registration mode is set for the interface.
By default, the registration type for a GVRP interface is normal.
NOTE
Before setting the registration mode for an interface, enable GVRP on the interface.
----End
5.3.4 (Optional) Setting the GARP Timers
Context
When a GARP participant is enabled, the LeaveAll timer is started. When the LeaveAll timer
expires, the GARP participant sends LeaveAll messages to request other GARP participants to
re-register all its attributes. Then the LeaveAll timer restarts.
Devices on a network may have different settings for the LeaveAll timer. In this case, all the
devices use the smallest LeaveAll timer value on the network. When the LeaveAll timer of a
device expires, the device sends LeaveAll messages to other devices. After other devices receive
the LeaveAll messages, they reset their LeaveAll timers. Therefore, only the LeaveAll timer
with the smallest value takes effect even if devices have different settings for the LeaveAll timer.
When using the garp timer command to set the GARP timers, pay attention to the following
points:
l The undo garp timer command restores the default values of the GARP timers. If the
default value of a timer is out of the valid range, the undo garp timer command does not
take effect.
l The value range of each timer changes with the values of the other timers. If a value set for
a timer is not within the allowed range, you can change the value of the timer that determines
the value range of this timer.
l To restore the default values of all the GARP timers, restore the Hold timer to the default
value, and then sequentially restore the Join timer, Leave timer, and LeaveAll timer to the
default values.
NOTE
It is recommended that you use the following values for the GVRP timers:
l GARP Hold timer: 100 centiseconds (1 second)
l GARP Join timer: 600 centiseconds (6 seconds)
l GARP Leave timer: 3000 centiseconds (30 seconds)
l GARP LeaveAll timer: 12000 centiseconds (2 minutes)
When more than 100 dynamic VLANs are created or more than three devices are running GVRP on the
network, use the preceding recommended values. When the number of dynamic VLANs or GVRP devices
increases, increase lengths of the GARP timers.
131
Procedure
Step 1 Run:
system-view
Step 2 Run:
garp timer leaveall timer-value
The value of the LeaveAll timer is set.
The default value of the LeaveAll timer is 1000 centiseconds (10 seconds).
The Leave timer length on an interface is restricted by the global LeaveAll timer length. When
configuring the global LeaveAll timer, ensure that all the interfaces configured with a GARP
Leave timer are working properly.
Step 3 Run:
Step 4 Run:
garp timer { hold | join | leave } timer-value
The value of the Hold timer, Join timer, or Leave timer is set.
By default, the value of the Hold timer is 40 centiseconds, the value of the Join timer is 80
centiseconds, and the value of the Leave timer is 240 centiseconds.
----End
Procedure
l Run the display gvrp status command to view the status of global GVRP.
l Run the display gvrp statistics [ interface { interface-type interface-number [ to interface-
type interface-number ] }&<1-5> ] command to view the GVRP statistics on an interface.
l Run the display garp timer [ interface { interface-type interface-number [ to interface-
type interface-number ] }&<1-5> ] command to view the values of the GARP timers.
----End
Example
Run the display gvrp status command to check whether global GVRP is enabled.
<Huawei> display gvrp status
Info: GVRP is enabled.
Run the display gvrp statistics command to view GVRP statistics on GVRP interfaces,
including the GVRP status on each interface, number of GVRP registration failures, source MAC
address of the last GVRP PDU, and registration type of each interface.
<Huawei> display gvrp statistics
132
GVRP statistics on port Ethernet0/0/1
GVRP status : Enabled
GVRP registrations failed : 0
GVRP last PDU origin : 0000-0000-0000
GVRP registration type : Normal
Run the display garp timer interface ethernet 0/0/1 command to view the values of the GARP
timers on Ethernet 0/0/1.
<Huawei> display garp timer interface ethernet 0/0/1
GARP timers on port Ethernet0/0/1
GARP JoinTime : 20 centiseconds
GARP LeaveTime : 60 centiseconds
GARP LeaveAllTime : 1000 centiseconds
GARP HoldTime : 10 centiseconds
5.4 Maintaining GVRP
This section describes how to clear the GARP statistics.
5.4.1 Clearing GARP Statistics
Context
CAUTION
GARP statistics cannot be restored after being cleared.
Procedure
Step 1 Run the reset garp statistics [ interface { interface-type interface-number [ to interface-type
interface-number ] }&<1-5> ] command in the user view to clear GARP statistics on the specified
interfaces.
----End
This section provides a configuration example for GVRP.
5.5.1 Example for Configuring GVRP
As shown in Figure 5-2, a branch of Company A communicates with the headquarters through
RouterA and RouterB. To simplify the configuration, you need to enable GVRP on all routers
of Company A and set the registration mode to normal on interfaces.
Company B communicates with Company A through RouterB and RouterC. To configure
Company B's routers to transmit only packets from VLANs specified by Company B, enable
133
GVRP on all routers of Company B and set the registration mode to fixed on the interfaces
connected to Company A's routers.
Figure 5-2 Networking diagram of GVRP configuration
RouterA
RouterB
RouterC
Branch of
company A
Company A
Company B
Eth0/0/1
Eth0/0/1 Eth0/0/2
Eth0/0/1
Eth0/0/2
Eth0/0/2
Company A
Company A

1. Enable GVRP globally.
2. Set the link type of the interfaces to trunk.
3. Enable GVRP on the interfaces.
4. Set the registration mode for the interfaces.
Data Preparation
l VLANs allowed by interfaces of RouterA, RouterB, and RouterC: all VLANs
l Interface registration mode on RouterA and RouterB: normal
l Registration mode on Ethernet 0/0/1 and Ethernet 0/0/2 of RouterC: fixed and normal
respectively
l VLANs of Company B on RouterC: VLAN 101 to VLAN 200
Procedure
# Create VLAN 101 to VLAN 200.
<RouterA> system-view
[RouterA] vlan batch 101 to 200
# Enable GVRP globally.
[RouterA] gvrp
# Set the link type of Ethernet 0/0/1 and Ethernet 0/0/2 to trunk, and configure the interfaces to
allow all VLANs to pass through.
134
[RouterA-Ethernet0/0/1] port trunk allow-pass vlan all
[RouterA-Ethernet0/0/2] port trunk allow-pass vlan all
# Enable GVRP on the interfaces and set the registration modes for the interfaces.
[RouterA-Ethernet0/0/1] gvrp
[RouterA-Ethernet0/0/1] gvrp registration normal
[RouterA-Ethernet0/0/2] gvrp
[RouterA-Ethernet0/0/2] gvrp registration normal
The configuration of RouterB is similar to that of RouterA.
Step 2 Configure RouterC.
# Create VLAN 101 to VLAN 200.
<RouterC> system-view
[RouterC] vlan batch 101 to 200
# Enable GVRP globally.
[RouterC] gvrp
# Set the link type of Ethernet 0/0/1 and Ethernet 0/0/2 to trunk, and configure the interfaces to
allow all VLANs to pass through.
[RouterC] interface ethernet 0/0/1
[RouterC-Ethernet0/0/1] port link-type trunk
[RouterC-Ethernet0/0/1] port trunk allow-pass vlan all
[RouterC-Ethernet0/0/1] quit
[RouterC-Ethernet0/0/2] port link-type trunk
[RouterC-Ethernet0/0/2] port trunk allow-pass vlan all
# Enable GVRP on the interfaces and set the registration modes for the interfaces.
[RouterC-Ethernet0/0/1] gvrp
[RouterC-Ethernet0/0/1] gvrp registration fixed
[RouterC-Ethernet0/0/2] gvrp
[RouterC-Ethernet0/0/2] gvrp registration normal
After the configuration is complete, the branch of Company A can communicate with the
headquarters, and users of Company A in VLAN 101 to VLAN 200 can communicate with users
in Company B.
Run the display gvrp status command on RouterA to check whether GVRP is enabled globally.
The following information is displayed:
<RouterA> display gvrp status
Info: GVRP is enabled.
135
Run the display gvrp statistics command on RouterA to view GVRP statistics, including the
GVRP state of each interface, number of GVRP registration failures, source MAC address of
the last GVRP PDU, and registration type for each interface.
<RouterA> display gvrp statistics interface ethernet 0/0/1
GVRP statistics on port Ethernet0/0/1
GVRP status : Enabled
GVRP registrations failed : 0
GVRP last PDU origin : 0001-0001-0001
GVRP registration type : Normal
Verify the configurations of RouterB and RouterC in the same way.
----End
Configuration Files
#
sysname RouterA
#
vlan batch 101 to 200
#
gvrp
#
gvrp
#
gvrp
#
return
#
sysname RouterB
#
#
gvrp
#
gvrp
#
gvrp
#
return
l Configuration file of RouterC
#
sysname RouterC
#
#
gvrp
#
136
gvrp
gvrp registration fixed
#
gvrp
#
return
137
6 MAC Address Table Configuration
About This Chapter
This chapter describes the concepts and configurations of the MAC address table. This chapter
also provides configuration examples.
6.1 MAC Address Table Overview
This section describes the concept of the MAC address table.
6.2 MAC Address Table Features Supported by the AR1200-S
This section describes the MAC address table features supported by the AR1200-S.
6.3 Configuring the MAC Address Table
This section describes how to configure the static entries, blackhole entries, and dynamic entries
for a MAC address table.
6.4 Configuring Port Security
This section describes how to configure the port security function.
6.5 Configuring Limitation on MAC Address Learning
This section describes how to limit MAC learning based on interfaces and VLANs.
6.6 Configuring MAC Address Flapping Detecting Function
This section describes how to configure MAC address flapping detecting function.
6.7 Configuring the Router to Discard Packets with an Invalid All-0 MAC Address
This section describes how to configure the router to discard packets with an invalid all-0 MAC
address.
6.8 Maintaining the MAC Address Table
This section describes how to maintain the MAC address table.
This section provides examples showing how to configure the MAC address table.
Configuration Guide - LAN 6 MAC Address Table Configuration
138
6.1 MAC Address Table Overview
This section describes the concept of the MAC address table.
Each Line Processing Unit (LPU) on the AR1200-S has a MAC address table. The MAC address
table stores the MAC addresses of other devices learned by the AR1200-S, the VLAN IDs, and
the outbound interfaces that are used to send data. Before forwarding the data, the AR1200-S
searches the MAC address table based on the destination MAC address and the VLAN ID of
the data to find the corresponding interface rapidly. The MAC address table reduces the number
of broadcast packets.
The network administrator can manually configure the static entries in the MAC address table
to bind user devices to interfaces. Static MAC address entries improve the security of interfaces,
preventing unauthorized users from accessing the network.
6.2 MAC Address Table Features Supported by the AR1200-
S
This section describes the MAC address table features supported by the AR1200-S.
Classification of MAC Address Entries
MAC address entries are classified into the following types:
l Dynamic MAC address entries that interfaces learn from source MAC addresses in packets.
These entries are aged out after a specified period of time.
l Static MAC entries that are manually configured. These entries are never aged out.
l Blackhole MAC address entries that are manually configured. A data frame is discarded if
the source or destination MAC address matches a blackhole MAC address entry. These
entries are never aged out.
l Secure dynamic MAC address entries that interfaces learn after port security is enabled.
These entries can be aged out or not.
l Sticky MAC address entries that interfaces learn after the sticky MAC function is enabled.
These entries are never aged out.
Port Security and Sticky MAC
The port security function changes the MAC addresses learned by an interface to secure dynamic
MAC addresses. By default, secure dynamic MAC addresses are not aged out. You can set the
aging time for secure dynamic MAC addresses. After the AR1200-S restarts, secure dynamic
MAC addresses are lost and need to be relearned.
The sticky MAC function changes the MAC addresses learned by an interface to sticky MAC
addresses. Sticky MAC addresses are never aged out and still exist after you save the
configuration and restart the AR1200-S.
The port security and sticky MAC functions enhance device security by preventing access from
hosts with untrusted MAC addresses.
139
MAC Address Limiting
The capacity of a MAC address table is limited; therefore, if hackers forge a large number of
packets with different source MAC addresses and send the packets to the AR1200-S, the MAC
address table of the AR1200-S may be full. When the MAC address table is full, the AR1200-
S cannot learn the source MAC addresses in the valid packets.
The AR1200-S can limit the number of MAC addresses on an interface, or a VLAN. When the
number of learned MAC entries reaches the limit, the AR1200-S discards or forwards the packets
with unknown source MAC addresses. In addition, the AR1200-S sends a trap if it is configured
to do so. By using the port security and sticky MAC functions, you can flexibly control the
number of access users and prevent hackers from using MAC addresses to attack user devices
or networks.
6.3 Configuring the MAC Address Table
This section describes how to configure the static entries, blackhole entries, and dynamic entries
for a MAC address table.
Depending on the situations at your site, you can:
l Configure static MAC address entries so that packets with specified destination MAC
addresses are forwarded through specified outbound interfaces.
l Configure blackhole MAC address entries to discard the packets with the specified
destination MAC addresses or source MAC addresses to. Blackhole MAC address entries
prevent invalid MAC address entries from consuming the capacity of the MAC address
table, and prevent hackers from using MAC addresses to attack user devices or networks.
l Change the aging time of dynamic MAC address entries to prevent an explosive increase
in MAC address entries.
None.
Data Preparation
To configure the MAC address table, you need the following data.
No. Data
1 (Optional) Destination MAC address, outbound interface number, and VLAN ID of
the outbound interface on the destination device
2 (Optional) Aging time of dynamic MAC address entries

140
6.3.2 Creating a Static MAC Address Entry
Context
Perform the following steps on the AR1200-S to configure a static MAC address entry.
Procedure
Step 1 Run:
system-view
Step 2 Run:
mac-address static mac-address interface-type interface-number { vlan vlan-id |
bridge bridge-id }
A static MAC address entry is created.
----End
6.3.3 Creating a Blackhole MAC Address Entry
Context
Perform the following steps on the AR1200-S to configure a blackhole MAC address entry.
Procedure
Step 1 Run:
system-view
Step 2 Run:
mac-address blackhole mac-address { vlan vlan-id | bridge bridge-id }
A blackhole MAC address entry is created.
----End
6.3.4 (Optional) Setting the Aging Time for Dynamic MAC Address
Entries
Context
Perform the following steps on the AR1200-S to set the aging time for dynamic MAC address
entries.
Procedure
Step 1 Run:
141
system-view
Step 2 Run:
mac-address aging-time aging-time
The aging time is set for dynamic MAC address entries.
By default, the aging time of dynamic MAC address entries is 300 seconds.
----End
6.3.5 (Optional) Disabling MAC Address Learning
Context
Perform the following steps on the AR1200-S to disable MAC address learning.
Procedure
l Disabling MAC address learning on an interface
1. Run:
system-view
2. Run:
3. Run:
mac-address learning disable [ action { discard | forward } ]
MAC address learning is disabled on the interface.
By default, MAC address learning is enabled on an interface.
By default, the AR1200-S performs the forward action after MAC address learning
is disabled. That is, the AR1200-S forwards packets according to the MAC address
table. When the action is configured to discard, the AR1200-S matches the source
MAC addresses of packets with the MAC address entries. If the inbound interface and
source MAC address of a packet matches a MAC address entry, the AR1200-S
forwards the packet. Otherwise, the AR1200-S discards the packet.
----End
Procedure
l Run the display mac-address command to view information about the MAC address table.
l Run the display mac-address static [ vlan vlan-id ] command to view static MAC address
entries.
142
l Run the display mac-address dynamic [ slot-id ] [ interface-type interface-number |
vlan vlan-id ] command to view dynamic MAC address entries.
l Run the display mac-address blackhole [ vlan vlan-id ] command to view blackhole MAC
address entries.
l Run the display mac-address aging-time command to view the aging time of dynamic
MAC address entries.
l Run the display mac-address summary command to view the statistics about MAC
address entries.
----End
Example
Run the display mac-address command to view the destination MAC addresses, outbound
interface numbers, and VLAN IDs of outbound interface in all MAC address entries.
<Huawei> display mac-address
-------------------------------------------------------------------------------
MAC Address VLAN/Bridge Learned-From Type
-------------------------------------------------------------------------------
0000-3333-3333 2/- Eth0/0/2 static
00e0-1234-5678 2/- - blackhole
-------------------------------------------------------------------------------
Total items displayed = 2
Run the display mac-address static command to view the destination MAC addresses,
outbound interface numbers, and VLAN IDs of outbound interface in static MAC address entries.
<Huawei> display mac-address static
-------------------------------------------------------------------------------
-------------------------------------------------------------------------------
0000-3333-3333 2/- Eth0/0/2 static
-------------------------------------------------------------------------------
Run the display mac-address dynamic command to view the destination MAC addresses,
outbound interface numbers, and VLAN IDs of outbound interface in dynamic MAC address
entries.
<Huawei> display mac-address dynamic
-------------------------------------------------------------------------------
-------------------------------------------------------------------------------
00e0-fc01-0005 1/- Eth0/0/1 dynamic
-------------------------------------------------------------------------------
Run the display mac-address blackhole command to view the destination MAC addresses,
outbound interface numbers, and VLAN IDs of outbound interface in blackhole MAC address
entries.
<Huawei> display mac-address blackhole
-------------------------------------------------------------------------------
-------------------------------------------------------------------------------
00e0-1234-5678 2/- - blackhole
-------------------------------------------------------------------------------
143
Run the display mac-address aging-time command to view the aging time of dynamic MAC
address entries.
<Huawei> display mac-address aging-time
Aging time: 300 seconds
Run the display mac-address summary command to view the statistics about MAC address
entries.
<Huawei> display mac-address summary
Mac Item of Lan Switch
---------------------------------------------------------------------
Slot Total Blackhole Static DynLoc DynRmt Secure Sticky Block Authen
---------------------------------------------------------------------
0 2 1 1 0 0 0 0 0 0
---------------------------------------------------------------------
sum: 2 1 1 0 0 0 0 0 0
Mac Item of Transparent Bridge
---------------------------------
Total Blackhole Static Dynamic
---------------------------------
0 0 0 0
6.4 Configuring Port Security
This section describes how to configure the port security function.
The port security function can prevent hosts with untrusted MAC addresses from connecting to
an interface of the AR1200-S. This function is applicable to networks that require high access
security.
None.
Data Preparation
To configure port security, you need the following data.
No. Data
1 Interface type and number
2 Maximum number of MAC addresses learned on the interface
3 (Optional) Action to perform when the number of MAC addresses reaches the limit

6.4.2 Enabling Port Security
144
Context
After port security is enabled on an interface, the MAC addresses learned by the interface are
considered as secure dynamic MAC addresses and will never age. After the device restarts, the
secure dynamic MAC addresses are lost and need to be relearned.
You can set the limit on the number of secure dynamic MAC addresses, specify the action to
perform when the number of MAC addresses reaches the limit, and enable the sticky MAC
function only after port security is enabled.
Procedure
Step 1 Run:
system-view
Step 2 Run:
Step 3 Run:
port-security enable
The port security function is enabled.
By default, the port security function is disabled on interfaces of the AR1200-S.
----End
6.4.3 Enabling the Sticky MAC Function on an Interface
Context
The sticky MAC function converts a dynamic MAC address learned by an interface into a static
MAC address. It seems that the MAC address is attached to the interface. When the number of
MAC addresses learned by an interface reaches the maximum, the interface cannot learn new
MAC addresses and allows only the hosts with the sticky MAC addresses to communicate with
the AR1200-S. When this function is enabled, the AR1200-S does not need to learn the MAC
addresses again after restart. In addition, hosts using untrusted MAC addresses are prevented
from communicating with the AR1200-S through this interface.
Procedure
Step 1 Run:
system-view
Step 2 Run:
Step 3 Run:
145
port-security mac-address sticky
The sticky MAC function is enabled on the interface.
By default, the sticky MAC function is disabled on an interface.
port-security mac-address sticky mac-address vlan vlan-id
A sticky MAC entry is configured.
----End
6.4.4 (Optional) Setting the Maximum Number of MAC Addresses
Learned by an Interface
Context
l If the sticky MAC function is disabled, this task can limit the maximum number of MAC
addresses dynamically learned by an interface.
l If the sticky MAC function is enabled, this task can limit the maximum number of sticky
MAC addresses learned by an interface.
Procedure
Step 1 Run:
system-view
Step 2 Run:
Step 3 Run:
port-security max-mac-num max-number
The maximum number of MAC addresses learned on the interface is set.
After the port security function is enabled, the maximum number of MAC addresses learned by
an interface is 1 by default.
----End
6.4.5 (Optional) Configuring the Protective Action for an Interface
Procedure
Step 1 Run:
system-view
Step 2 Run:
146
Step 3 Run:
port-security protect-action { protect | restrict | shutdown }
The protective action is configured for the interface.
The router performs the protective action when the number of MAC addresses learned on the
interface exceeds the limit. The default action is restrict.
----End
6.4.6 (Optional) Setting the Aging Time for Secure Dynamic MAC
Addresses on an Interface
Context
After the port security function is enabled on an interface, the MAC addresses learned by the
interface are secure dynamic MAC addresses and will not be aged out.
If the MAC addresses learned by an interface can be trusted for a specific period of time, you
can run the port-security aging-time command to set an aging time for the secure dynamic
MAC addresses. When the aging time expires, the secure dynamic MAC addresses are aged out.
Procedure
Step 1 Run:
system-view
Step 2 Run:
Step 3 Run:
port-security aging-time aging-time
The aging time for the secure dynamic MAC addresses learned by the interface is set.
By default, secure dynamic MAC addresses will not be aged out after the port security function
is enabled.
NOTE
Before setting the aging time of secure dynamic MAC addresses, you must enable port security.
----End
Procedure
l Run the display current-configuration interface interface-type interface-number
command to check the configuration of an interface.
147
l Run the display mac-address command to check the secure dynamic MAC address entries
and sticky MAC address entries.
----End
Example
Run the display mac-address command to view the secure dynamic MAC address entries and
sticky MAC address entries.
<Huawei> display mac-address sticky
-------------------------------------------------------------------------------
-------------------------------------------------------------------------------
0000-1111-3333 2/- Eth0/0/2 sticky
-------------------------------------------------------------------------------
6.5 Configuring Limitation on MAC Address Learning
This section describes how to limit MAC learning based on interfaces and VLANs.
This function is applicable to networks that have fixed access users but are vulnerable to attacks
from hackers, for example, the network of a residential community or an intranet that lacks
security management.
None
Data Preparation
To configure the limitation on MAC address learning, you need the following data.
No. Data
1 (Optional) Rules for limiting MAC address learning on an interface

6.5.2 Limiting MAC Address Learning on an Interface
Context
Perform the following steps on the AR1200-S to limit MAC address learning on an interface.
148
Procedure
Step 1 Run:
system-view
Step 2 Run:
Step 3 Run:
mac-limit maximum max-number
The maximum number of MAC addresses learned on the interface is set.
By default, MAC address learning is not limited.
Step 4 Run:
mac-limit action { discard | forward }
The action to be taken on the packets when the number of learned MAC addresses reaches the
limit is set.
By default, the packets received after the number of learned MAC addresses reaches the limit
are directly discarded.
Step 5 Run:
mac-limit alarm { disable | enable }
The alarm generated when the number of learned MAC addresses reaches the limit is enabled
or disabled.
By default, an alarm is generated when the packets received after the number of learned MAC
addresses reaches the limit.
----End
Procedure
Step 1 Run the display mac-limit [ interface-type interface-number ] command to view the rule of
limiting MAC address learning.
----End
Example
Run the display mac-limit command to check the configuration for limiting MAC address
learning.
<Huawei> display mac-limit
-----------------------------------------------------------------------
PORT VLAN Maximum Action Alarm
-----------------------------------------------------------------------
Eth0/0/2 - 100 discard enable
149
-----------------------------------------------------------------------
6.6 Configuring MAC Address Flapping Detecting Function
This section describes how to configure MAC address flapping detecting function.
After MAC address flapping detection is configured in a VLAN, the router checks all the MAC
addresses in the VLAN to detect MAC address flapping. If MAC address flapping occurs on an
interface, the router takes actions (for example, blocks the interface or reports a trap) to prevent
loops and attacks on the network.
None.
Data Preparations
To configure MAC flapping detection, you need the following data.
No. Data
1 ID of the VLAN in which MAC address flapping needs to be configured
2 Blocking time for the interface on which MAC address flapping occurs
3 Number of retries before an interface is permanently blocked

6.6.2 Configuring MAC Address Flapping Detection
Context
After MAC address flapping detection is configured in a VLAN, the router checks all the MAC
addresses in the VLAN to detect MAC address flapping. When MAC address flapping occurs
on an interface, the router blocks the interface, blocks the MAC address, or reports a trap
according to the configuration.
Procedure
Step 1 Run:
system-view
Step 2 Run:
vlan vlan-id
150
Step 3 Run:
loop-detect eth-loop { [ block-mac ] block-time block-time retry-times retry-times
| alarm-only }
MAC address flapping detection is configured in the VLAN.
When the AR1200-S detects MAC address flapping in the VLAN, it performs either of the
following actions:
l Blocks the interface or MAC address. When the block-mac keyword is used in the command,
the router does not block the interface but blocks the traffic from the flapping MAC address.
l Sends a trap to the NMS.
----End
6.6.3 Unblocking an Interface or a MAC Address
Context
After an interface or a MAC address is permanently blocked because of MAC address flapping,
you must run the reset loop-detect eth-loop command in the corresponding VLAN if you want
to restore the interface or MAC address.
Procedure
Step 1 Run:
system-view
Step 2 Run:
reset loop-detect eth-loop vlan vlan-id { all | interface { interface-type
interface-number } | mac-address mac-address }
The specified interface or MAC address is unblocked.
Before using the reset loop-detect eth-loop command, run the display loop-detect eth-loop
command to check the blocked interfaces or MAC addresses.
----End
Procedure
Step 1 Run the display loop-detect eth-loop [ vlan vlan-id ] command to check information about
MAC address flapping detection on a VLAN.
----End
151
Example
Run the display loop-detect eth-loop command to view the configuration of MAC address
flapping detection in addition to information about the permanently blocked interfaces and MAC
addresses.
<Huawei> display loop-detect eth-loop
VLAN Block-time RetryTimes Block-action
--------------- --------------- --------------- ---------------
111 111 1 block-port
628 118 1 block-mac

Total items:2

Blocked ports:

Total items:0

PortName Vlan Status Expire(s) Leave times
------------------------ -------- ------------- ------------- -------------

Blocked Mac Address:

Total items:2

Mac Address Vlan Status Expire(s) Leave times
------------------------ -------- ------------- ------------- -------------
0000-1111-01aa 628 Block forever - -
0000-1111-01b2 628 Block forever - -

6.7 Configuring the Router to Discard Packets with an
Invalid All-0 MAC Address
This section describes how to configure the router to discard packets with an invalid all-0 MAC
address.
You can configure the router to discard packets with an all-0 source or destination MAC address
to prevent invalid packets.
None.
Data Preparations
None.
6.7.2 Configuring the Router to Discarding Packets with All-0 MAC
Addresses
152
Context
Perform the following steps to configure the router to discard packets with all-0 MAC addresses.
Procedure
Step 1 Run:
system-view
Step 2 Run:
drop illegal-mac enable
The router is configured to discard packets with all-0 MAC addresses.
By default, the router does not discard packets with all-0 MAC addresses.
The main control board of the router does not support this function.
----End
6.7.3 Triggering an Alarm for Packets with All-0 MAC Addresses
Context
After receiving the first packet with an all-0 source MAC address or destination MAC address,
the AR1200-S router discards the packet and sends a trap to the NMS. When receiving packets
with the same MAC address, the router does not send a trap to the NMS and discards the packets
directly. To trigger the alarm on packets with an all-0 MAC address again, perform the following
steps.
Procedure
Step 1 Run:
system-view
Step 2 Run:
drop illegal-mac alarm
The router is configured to trigger an alarm when receiving a packet with an all-0 MAC address.
By default, the router triggers an alarm when receiving the first packet with an all-0 MAC
address.
----End
153
Procedure
Step 1 Run the display current-configuration command to check whether the AR1200-S router is
configured to discard the packets with all-0 MAC addresses.
----End
Example
Run the display current-configuration command.
<Huawei> display current-configuration | include drop
#
drop illegal-mac alarm
drop illegal-mac enable
#
6.8 Maintaining the MAC Address Table
This section describes how to maintain the MAC address table.
6.8.1 Debugging the MAC Address Table
Context
CAUTION
Debugging affects system performance. Run the undo debugging all command immediately
after debugging is completed.
When errors occur in MAC address based forwarding, run the following debugging command
in the user view to debug the MAC address table, view the debugging information, and locate
and analyze the fault.
Procedure
Step 1 Run the debugging ethernet packet mac { dest_mac mac-address | src_mac mac-address }
command to debug the Ethernet packets with the specified source MAC address or destination
address.
----End
This section provides examples showing how to configure the MAC address table.
6.9.1 Example for Configuring the MAC Address Table
154
As shown in Figure 6-1, the MAC address of PC1 is 0002-0002-0002, and the MAC address of
PC2 is 0003-0003-0003. The LSW connects the PCs to the Router. The LSW is connected to
Ethernet0/0/1 of the Router, which belongs to VLAN 2. The MAC address of the server is
0004-0004-0004. The server is connected to Ethernet0/0/2 of the Router, which belongs to
VLAN 2. LSW belongs to VLAN 4. The network requires the following configurations:
l To prevent hackers from using MAC addresses to attack the network, configure a static
MAC address entry for each user host on the Router. Set the aging time for the dynamic
MAC address entries to 500 seconds.
l To prevent hackers from stealing user information by forging the MAC address of the
server, configure a static MAC address entry on the Router for the server.
Figure 6-1 Network diagram
Server
Router
MAC:
0004-0004-0004
Eth0/0/2
VLAN2
Eth0/0/1
VLAN2 LSW
PC1 PC2
MAC:
0002-0002-0002
MAC:
0003-0003-0003

1. Create VLANs on the Router and add the interfaces to the VLANs.
2. Configure static MAC address entries.
3. Set the aging time for the dynamic MAC address entries.
Data Preparation
l MAC address of PC1: 0002-0002-0002
l MAC address of PC2: 0003-0003-0003
l MAC address of the server: 0004-0004-0004
l VLAN that the Router belongs to: VLAN 2
155
l Interface connected to the LSW: Ethernet0/0/1
l Interface connected to the server: Ethernet0/0/2
l Aging time for dynamic entries: 500 seconds
Procedure
Step 1 Add static MAC address entries.
# Create VLAN 2 and add Ethernet0/0/1 and Ethernet0/0/2 to VLAN 2.
[Huawei] vlan 2
[Huawei-vlan2] quit
[Huawei-Ethernet0/0/1] port hybrid tagged vlan 2
[Huawei-Ethernet0/0/2] port hybrid pvid vlan 2
[Huawei-Ethernet0/0/2] port hybrid untagged vlan 2
# Configure static MAC address entries.
[Huawei] mac-address static 0002-0002-0002 ethernet 0/0/1 vlan 2
Step 2 Set the aging time for the dynamic MAC address entries.
[Huawei] mac-address aging-time 500
# Run the display mac-address command in any view to check whether the static MAC address
entries are successfully added to the MAC address table.
[Huawei] display mac-address static vlan 2
-------------------------------------------------------------------------------
-------------------------------------------------------------------------------
0002-0002-0002 2/- Eth0/0/1 static
0003-0003-0003 2/- Eth0/0/1 static
0004-0004-0004 2/- Eth0/0/2 static
-------------------------------------------------------------------------------
# Run the display mac-address aging-time command to check whether the aging time for
dynamic entries is set successfully.
[Huawei] display mac-address aging-time
Aging time: 500 seconds
----End
Configuration Files
#
vlan batch 2
#
mac-address aging-time 500
#
156
port hybrid tagged vlan 2
#
port hybrid pvid vlan 2
port hybrid untagged vlan 2
#
mac-address static 0002-0002-0002 Ethernet0/0/1 vlan 2
#
return
6.9.2 Example for Configuring Port Security
As shown in Figure 6-2, a company wants to prevent non-employees from accessing the intranet.
To achieve this information security goal, the company needs to enable the sticky MAC function
on the Huawei interface connected to computers of employees and set the maximum number of
MAC addresses learned on the interface to the total number of trusted computers.
Figure 6-2 Network diagram of port security configuration
Router
Switch
Internet
PC1 PC2 PC3
VLAN 10
Eth0/0/1

1. Create a VLAN and set the link type of the interface to trunk.
2. Enable the port security function.
3. Enable the sticky MAC function on the interface.
4. Configure the protective action on the interface.
5. Set the maximum number of MAC addresses that can be learned on the interface.
157
Data Preparation
l Type and number of the interface connected to computers of employees
l VLAN allowed by the interface
l Protective action taken when the number of learned MAC addresses exceeds the limit
l Maximum number of MAC addresses learned on the interface
Procedure
Step 1 Create a VLAN and set the link type of the interface to trunk.
[Huawei] vlan 10
[Huawei-vlan10] quit
Step 2 Configure the port security function.
# Enable the port security function.
[Huawei-Ethernet0/0/1] port-security enable
Enable the sticky MAC function.
[Huawei-Ethernet0/0/1] port-security mac-address sticky
# Configure the protective action.
[Huawei-Ethernet0/0/1] port-security protect-action protect
# Set the maximum number of MAC addresses that can be learned on the interface.
[Huawei-Ethernet0/0/1] port-security max-mac-num 4
To enable the port security function on other interfaces, repeat the preceding steps.
If PC1 is replaced by another PC, this replacement PC cannot access the company intranet.
----End
Configuration Files
#
vlan batch 10
#
port-security enable
port-security protect-action protect
port-security mac-address sticky
port-security max-mac-num 4
#
return
158
6.9.3 Example for Configuring MAC Address Limiting Rules on
Interfaces
As shown in Figure 6-3, Ethernet0/0/1 and Ethernet0/0/2 of the Router are connected to LSWs.
One LSW is connected to individual users, and the other is connected to enterprise users. To
prevent MAC address attacks and limit the number of access users on the Router, configure
MAC address limiting rules on Ethernet0/0/1 and Ethernet0/0/2.
Figure 6-3 Network diagram for MAC address limiting on interfaces
Router
Eth0/0/2 Eth0/0/1
IP
network
LSW LSW
Individual
user
Enterprise
user

1. Set the limit on the number of MAC addresses learned by the interfaces.
2. Set the action performed when the limit is reached.
Data Preparation
l Limit on the number of MAC addresses learned by Ethernet0/0/1: 4
l Limit on the number of MAC addresses learned by Ethernet0/0/2: 100
l Action performed when the limit is reached: discard packets with new MAC addresses and
generate an alarm
Procedure
Step 1 Configure MAC address limiting rules on the interfaces.
159
[Huawei-Ethernet0/0/1] mac-limit maximum 4 action discard alarm enable
[Huawei-Ethernet0/0/2] mac-limit maximum 100 action discard alarm enable
# Run the display mac-limit command in any view to check whether the MAC address limiting
rules are successfully configured.
<Huawei> display mac-limit
-----------------------------------------------------------------------
PORT VLAN Maximum Action Alarm
-----------------------------------------------------------------------
-----------------------------------------------------------------------
----End
Configuration Files
#
sysname Huawei
#
mac-limit maximum 4
#
mac-limit maximum 100
#
return
160
7 STP/RSTP Configuration
About This Chapter
The Spanning Tree Protocol (STP) trims a ring network into a loop-free tree network. It prevents
replication and circular propagation of packets, provides multiple redundant paths for virtual
LAN (VLAN) data traffic, and enables load balancing. The Rapid Spanning Tree Protocol
(RSTP) was developed based on STP to implement faster convergence. RSTP defines edge ports
and provides protection functions.
7.1 STP/RSTP Overview
STP/RSTP is used to block redundant links on Layer 2 networks and trim a network into a loop-
free tree topology.
7.2 STP/RSTP Features Supported by the AR1200-S
Before configuring STP/RSTP, familiarize yourself with basic STP/RSTP functions, topology
convergence, STP/RSTP protection, and STP/RSTP interoperability between Huawei devices
and non-Huawei devices.
7.3 Configuring Basic STP/RSTP Functions
free tree topology.
7.4 Configuring STP/RSTP Parameters on an Interface
STP does not have a mechanism to confirm topology convergence, whereas RSTP provides a
feedback mechanism to implement rapid convergence.
7.5 Configuring RSTP Protection Functions
This section describes how to configure RSTP protection functions. You can configure one or
more functions.
7.6 Maintaining STP/RSTP
STP/RSTP maintenance includes clearing STP/RSTP statistics.
This section describes the networking requirements, configuration roadmap, data preparation,
and procedures for some typical application scenarios for STP/RSTP. This section also provides
the related configuration files.
Configuration Guide - LAN 7 STP/RSTP Configuration
161
7.1 STP/RSTP Overview
free tree topology.
Background
Network designers tend to deploy multiple physical links between two devices (one link is the
master and the others are backups) to fulfill network redundancy requirements. Loops are bound
to occur on such types of complex networks.
Loops will cause broadcast storms, thereby exhausting network resources and paralyzing the
network. Loops also cause MAC address flapping that damages MAC address entries.
Devices can run STP to discover loops on the network by exchanging information with each
other, and trim the ring topology into a loop-free tree topology by blocking an interface. These
capabilities help prevent replication and circular propagation of packets on the network which
in turn helps avoid degradation of switching device performance.
With all its merits, STP is not able to converge network topologies quickly. In 2001, the IEEE
published document 802.1w, which introduces an evolution in the Spanning Tree Protocol:
Rapid Spanning Tree Protocol (RSTP). Although based on the same principles, RSTP was
developed for rapid convergence and far outperforms STP.
Concepts
l Root bridge
A tree topology must have a root.
There is only one root bridge on the entire STP/RSTP-capable network. The root bridge is
the logical center but is not necessarily the physical center of the entire network. Another
switching device can serve as the root bridge following a change in the network topology.
l Bridge ID
As defined in IEEE 802.1D, a bridge ID (BID) is composed of a 2-byte bridge priority and
a 6-byte bridge MAC address.
On an STP-capable network, the device with the smallest BID is selected as the root bridge.
l Port ID
A 16-bit port ID (PID) is composed of a 4-bit port priority and a 12-bit port number.
PIDs are used to select a designated port. When the root path costs and the sender BIDs of
two ports are the same, the port with a smaller PID is selected as the designated port. As
shown in Figure 7-1, the root path costs and sender BIDs of port A and port B on S2 are
the same. Port A has a smaller PID, and is selected as the designated port.
l Path cost
A path cost is port-specific and is used by STP/RSTP to select a link. STP/RSTP calculates
the path cost to select robust links and blocks redundant links to trim the network into a
loop-free tree topology.
On an STP/RSTP-capable network, the accumulative cost of the path from a certain port
to the root bridge is the sum of the costs of the segment paths into which the path is separated
by the ports on the transit bridges.
162
l STP port roles
Root port
The root port is the port that is nearest to the root bridge. The root port is determined
based on the path cost. Among all the STP-capable ports on the network bridge, the port
with the lowest root path cost is the root port. There is only one root port on an STP-
capable device, but there is no root port on the root bridge.
Designated Port
The designated port on a switching device forwards bridge protocol data units (BPDUs)
to the downstream switching device. All ports on the root bridge are designated ports.
A designated port is selected for each network segment. The device on which the
designated port resides is called the designated bridge.
l RSTP port roles
Compared with STP, RSTP has two additional types of ports, the alternate port and backup
port. More port roles are defined to simplify deployment of STP.
Figure 7-1 Diagram of port roles
S2 S3
A
A B
A a
S2 S3
A
A B
A
a
B
b

163
As shown in Figure 7-1, RSTP defines four port roles: root port, designated port, alternate
port, and backup port.
The functions of the root port and designated port are the same as those defined in STP.
The functions of the alternate port and backup port are as follows:
From the perspective of configuration BPDU transmission:
The alternate port is blocked after learning the configuration BPDUs sent by other
bridges.
The backup port is blocked after learning the configuration BPDUs sent by itself.
From the perspective of user traffic:
The alternate port backs up the root port and provides an alternate path from the
designated bridge to the root bridge.
The backup port backs up the designated port and provides an alternate path from
the root node to the leaf node.
After all ports are assigned roles, topology convergence is completed.
l STP port state
Table 7-1 shows the port status of an STP-capable port.
Table 7-1 STP port state
Port state Purpose Description
Forwarding A port in the Forwarding state forwards
user traffic and BPDUs.
Only the root port and
designated port can enter the
Forwarding state.
Learning When a port is in the Learning state, a
device creates a MAC address table
based on the received user traffic but does
not forward the traffic.
This is a transition state,
which is designed to prevent
temporary loops.
Listening A port in the Listening state is
participating in election of the root
bridge, root port, or designated port.
This is a transition state.
Blocking A port in the Blocking state receives and
forwards only BPDUs but does not
forward user traffic.
This is the final state of a
blocked port.
Disabled A port in the Disabled state forwards
neither BPDUs nor user traffic.
The port is Down.

l RSTP port state
Table 7-2 shows the port status of an RSTP-capable port.
Table 7-2 RSTP port state
Port state Description
Forwarding A port in the Forwarding state can send and receive BPDUs as
well as forward user traffic.
164
Port state Description
Learning This is a transition state. A port in the Learning state learns MAC
addresses from user traffic to construct a MAC address table.
In the Learning state, the port can send and receive BPDUs, but
cannot forward user traffic.
Discarding A port in the Discarding state can only receive BPDUs.

CAUTION
MSTP is the default mode for all Huawei datacom devices. After a device experiences the
transition from the MSTP mode to the STP mode, an STP-capable port supports the same
port states as those supported by an MSTP-capable port, including the Forwarding,
Learning, and Discarding states. For details, see Table 7-2.
l Three timers
Hello Timer
Sets the interval at which BPDUs are sent.
Forward Delay Timer
Sets the time spent in the Listening and Learning states.
Max Age
Sets the maximum lifetime of a BPDU on the network. When the Max Age time is
reached, the connection to the root bridge is considered broken.
Comparison between STP, RSTP, and MSTP
Table 7-3 compares STP, RSTP, and MSTP in terms of the characteristics of each protocol and
their applicable environments.
Table 7-3 Comparison between STP, RSTP, and MSTP
Spanning
Tree
Protocol
Characteristics Applicable
Environment
Precautions
STP Ensures a loop-free tree
topology that helps
prevent broadcast storms
and allows for redundant
links between switches.
Irrespective of users or
services, all VLANs
share one spanning
tree.
l If the current
switching device
supports STP and
RSTP, RSTP is
recommended.
l If the current
switching device
supports STP/RSTP
and MSTP, MSTP
is recommended.
165
Spanning
Tree
Protocol
Characteristics Applicable
Environment
Precautions
RSTP l Ensures a loop-free
tree topology that helps
prevent broadcast
storms and allows for
redundant links
between switches.
l Provides a feedback
mechanism to confirm
topology convergence,
implementing rapid
convergence.
See MSTP
Configuration.
MSTP l Ensures a loop-free
tree topology that helps
prevent broadcast
storms and allows for
redundant links
between switches in an
MSTP region.
implementing rapid
convergence.
l Implements load
balancing among
VLANs. Traffic in
different VLANs is
transmitted along
different paths.
User or service-specific
load balancing is
required. Traffic for
different VLANs is
forwarded through
different spanning
trees, which are
independent of each
other.

7.2 STP/RSTP Features Supported by the AR1200-S
Before configuring STP/RSTP, familiarize yourself with basic STP/RSTP functions, topology
convergence, STP/RSTP protection, and STP/RSTP interoperability between Huawei devices
free tree topology.
STP/RSTP also supports the following features to meet the requirements of special applications
and extended functions:
l Provides a feedback mechanism to confirm topology convergence, implementing rapid
convergence.
l RSTP provides the protection functions listed in Table 7-4.
166
l Supports STP/RSTP interoperability between Huawei devices and non-Huawei devices.
Certain parameters must be set on Huawei devices to ensure uninterrupted communication.
Table 7-4 RSTP Protection Function
Protection
Function
Scenario Configuration Impact
BPDU
protection
An edge port changes into
a non-edge port after
receiving a BPDU, which
triggers spanning tree
recalculation. If an attacker
keeps sending pseudo
BPDUs to a switching
device, network flapping
occurs.
After BPDU protection is enabled, the
switching device shuts down the edge port
if the edge port receives an RST BPDU.
Then the device notifies the NMS of the
shutdown event. The attributes of the edge
port are not changed.
TC
protection
Generally, after receiving
TC BPDUs (packets for
advertising network
topology changes), a
switching device needs to
delete MAC entries and
ARP entries. Frequent
deletions exhaust CPU
resources.
TC protection is used to suppress TC
BPDUs. You can configure the number of
times a switching device processes TC
BPDUs within a given time period. If the
number of TC BPDUs that the switching
device receives within a given time
exceeds the specified threshold, the
switching device processes only the
specified number of TC BPDUs. After the
specified time period expires, the device
processes the excess TC BPDUs for once.
This function prevents the switching
device from frequently deleting MAC
entries and ARP entries, saving CPU
resources.
Root
protection
Due to incorrect
configurations or
malicious attacks on the
network, a root bridge may
receive BPDUs with a
higher priority than its own
priority. Consequently, the
legitimate root bridge is no
longer able to serve as the
root bridge and the
network topology is
changed, triggering
spanning tree
recalculation. This may
transfer traffic from high-
speed links to low-speed
links, causing traffic
congestion.
If a designated port is enabled with the root
protection function, the role of the port
cannot be changed. Once a designated port
that is enabled with root protection
receives RST BPDUs with a higher
priority, the port enters the Discarding state
and does not forward packets. If the port
does not receive any RST BPDUs with a
higher priority before a period (generally
two Forward Delay periods) expires, the
port automatically enters the Forwarding
state.
167
Protection
Function
Loop
protection
A root port or an alternate
port will age if link
congestion or a one-way
link failure occurs. After
the root port ages, a
switching device may re-
select a root port
incorrectly. After the
alternate port ages, the port
enters the Forwarding
state. Loops may occur in
such a situation.
After loop protection is configured, if the
root port or alternate port does not receive
RST BPDUs from the upstream switching
device for a long time, the switching device
notifies the NMS that the port enters the
Discarding state. The blocked port remains
in the Blocked state and no longer forwards
packets. This function helps prevent loops
on the network. The root port transitions to
the Forwarding state after receiving new
BPDUs.

7.3 Configuring Basic STP/RSTP Functions
free tree topology.
STP/RSTP is commonly configured on switching devices to trim a ring network into a loop-free
network. Devices start spanning tree calculation after the STP/RSTP working mode is set and
STP/RST is enabled. Use any of the following methods if you need to intervene in the spanning
tree calculation:
l Set a priority for a switching device: The lower the numerical value, the higher the priority
of the switching device and the more likely the switching device becomes a root bridge;
the higher the numerical value, the lower the priority of the switching device and the less
likely that the switching device becomes a root bridge.
l Set a path cost for a port: With the same calculation method, the lower the numerical value,
the smaller the cost of the path from the port to the root bridge and the more likely the port
becomes a root port; the higher the numerical value, the larger the cost of the path from the
port to the root bridge and the less likely that the port becomes a root port.
l Set a priority for a port: The lower the numerical value, the more likely the port becomes
a designated port; the higher the numerical value, the less likely that the port becomes a
designated port.
Before configuring basic STP/RSTP functions, familiarize yourself with the applicable
environment, complete the pre-configuration tasks, and obtain the required data. This will help
168
STP/RSTP can be deployed on a network to eliminate loops. If a loop is detected, STP/RSTP
blocks one port to eliminate the loop.
As shown in Figure 7-2, S1, S2, S3, and S4 form a ring network, and STP/RSTP is enabled on
the ring network to eliminate loops, enhancing reliability of the network.
Figure 7-2 Diagram of a ring network
RouterA
SwitchC
RouterB
SwitchD
PC1
PC2
Network
Blocked port
Root
Bridge

NOTE
If the current switching device supports STP and RSTP, RSTP is recommended.
Before configuring basic STP/RSTP functions, complete the following task:
l Connecting interfaces and setting physical parameters for the interfaces to ensure that the
interfaces are physically Up
Data Preparation
To configure basic STP/RSTP functions, you need the following data.
No. Data
1 (Optional) Priority of a switching device
169
No. Data
2 (Optional) Priority of a port
3 (Optional) Path cost of a port

7.3.2 Configuring the STP/RSTP Mode
Before configuring basic STP/RSTP functions on a switching device, set the working mode to
STP or RSTP. RSTP is compatible with STP.
Procedure
Step 1 Run:
system-view
Step 2 Run:
stp mode { stp | rstp }
The working mode of the switching device is set to STP or RSTP.
By default, the working mode of a switching device is MSTP. MSTP is compatible with STP
and RSTP.
On a ring network running only STP, set the working mode of a switching device to STP; on a
ring network running RSTP, set the working mode of a switching device to RSTP. In other cases,
use the default working mode MSTP.
----End
7.3.3 (Optional) Configuring Switching Device Priorities
Select a switching device (functioning as a root bridge) from switching devices for each spanning
tree. You can configure the priorities of the switching devices to preferentially select a root
bridge. The lower the numerical value is, the higher priority a switching device has and the more
likely the switching device will be selected as a root bridge.
Context
On an STP/RSTP-capable network, there is only one root bridge, which is the logic center of
the entire spanning tree. During root bridge selection, a high-performance switching device at
a high network layer should be selected as the root bridge; however, the priority of such a device
may not be the highest on the network. It is therefore necessary to set a high priority for the
switching device to ensure that the device functions as a root bridge.
Low-performance devices at lower network layers are not fit to serve as a root bridge. Therefore,
set low priorities for these devices.
Procedure
Step 1 Run:
170
system-view
Step 2 Run:
stp priority priority
The priority of a switching device is configured.
The default priority value of a switching device is 32768.
NOTE
l To configure a switching device as the primary root bridge, run the stp root primary command. The
priority value of this switching device is 0.
l To configure a switching device as a secondary root bridge, run the stp root secondary command. The
priority value of this switching device is 4096.
A switching device cannot act as a primary root bridge and as a secondary root bridge at the same time.
l If you want to change the priority of a switching device after you run the stp root primary command
or the stp root secondary command to configure the switching device as the primary root bridge or
secondary root bridge, disable the root bridge function or secondary root bridge function, and then run
the stp priority priority command to set a priority.
----End
7.3.4 (Optional) Configuring the Path Cost for a Port
The STP/RSTP path cost determines root port selection. The port from which to the root port
costs the least is selected as the root port.
Context
A path cost is port-specific and is used by STP/RSTP to select a link.
The path cost value range is determined by the calculation method. After the calculation method
is determined, it is recommended that you set a relatively small path cost value for the ports with
high link rates.
In the Huawei proprietary calculation method for example, the link rate determines the
recommended value for the path cost. Table 7-5 lists the recommended path costs for ports with
different link rates.
Table 7-5 Mappings between link rates and path cost values
Link Rate Recommended
Path Cost
Recommended
Path Cost Range
Path Cost Range
10 Mbit/s 2000 200 to 20000 1 to 200000
100 Mbit/s 200 20 to 2000 1 to 200000
1 Gbit/s 20 2 to 200 1 to 200000
10 Gbit/s 2 2 to 20 1 to 200000
Over 10 Gbit/s 1 1 to 2 1 to 200000

171
If a network has loops, it is recommended that you set a relatively large path cost for ports with
low link rates. STP/RSTP then blocks these ports.
Procedure
Step 1 Run:
system-view
Step 2 Run:
stp pathcost-standard { dot1d-1998 | dot1t | legacy }
A path cost calculation method is configured.
By default, the IEEE 802.1t standard (dot1t) is used to calculate the default path cost.
All switching devices on a network must use the same path cost calculation method.
Step 3 Run:
The Ethernet interface view is displayed.
Step 4 Run:
stp cost cost
A path cost is set for the interface.
l When the Huawei proprietary calculation method is used, cost ranges from 1 to 200000.
l When the IEEE 802.1d standard method is used, cost ranges from 1 to 65535.
l When the IEEE 802.1t standard method is used, cost ranges from 1 to 200000000.
----End
7.3.5 (Optional) Configuring Port Priorities
In each spanning tree, select a designated port for each connection according to the bridge ID,
the cost of path and port IDs. The lower the numerical value, the more likely the port on a
switching device becomes a designated port; the higher the numerical value, the more likely the
port is to be blocked.
Context
Whether a port will be selected as a designated port is determined by its priority. For details, see
7.1 STP/RSTP Overview.
To block a port to eliminate loops, set the port priority value to be larger than the default value
when the devices have the same bridge ID and path cost. This port will be blocked during
designated port selection.
Procedure
Step 1 Run:
system-view
172
Step 2 Run:
The view of the Ethernet interface participating in STP calculation is displayed.
Step 3 Run:
stp port priority priority
The port priority is configured.
The default priority value of a port on a switching device is 128.
----End
7.3.6 Enabling STP/RSTP
After STP/RSTP is enabled, spanning trees are calculated.
Context
After STP/RSTP is enabled on a ring network, STP/RSTP immediately calculates spanning trees
on the network. Configurations on the switching device, such as the switching device priority
and port priority, will affect spanning tree calculation. Any change to the configurations may
cause network flapping. Therefore, to ensure rapid and stable spanning tree calculation, perform
basic configurations on the switching device and its ports, and enable STP/RSTP.
Procedure
Step 1 Run:
system-view
Step 2 Run:
stp enable
STP/RSTP is enabled on the switching device.
By default, STP/RSTP is enabled on a router.
----End
After basic STP/RSTP functions are configured, you can view the information such as the port
roles and port status to check the spanning tree calculation.
Prerequisites
All configurations for basic STP/RSTP functions are complete.
Procedure
l Run the display stp [ interface interface-typeinterface-number ] [ brief ] command to view
the spanning-tree status and statistics.
----End
173
Example
Run the display stp command to view the spanning-tree working mode, root bridge, priority of
the root bridge, convergence mode, path cost calculation method, and path cost of the root port.
<Huawei> display stp
-------[CIST Global Info][Mode RSTP]-------
CIST Bridge :32768.00e0-4e1f-b200
Config Times :Hello 2s MaxAge 20s FwDly 15s MaxHop 20
Active Times :Hello 2s MaxAge 20s FwDly 15s MaxHop 20
CIST Root/ERPC :0 .00e0-e70a-4d00 / 20
CIST RegRoot/IRPC :32768.00e0-4e1f-b200 / 0
CIST RootPortId :128.1
BPDU-Protection :disabled
TC or TCN received :0
TC count per hello :0
STP Converge Mode :Normal
Time since last TC :0 days 0h:26m:16s
----[Port1(Ethernet0/0/1)][FORWARDING]----
Port Protocol :enabled
Port Role :Root Port
Port Priority :128
Port Cost(Legacy) :Config=auto / Active=20
Designated Bridge/Port :0.00e0-e70a-4d00 / 128.5
Port Edged :Config=default / Active=disabled
Point-to-point :Config=auto / Active=true
Transit Limit :147 packets/hello-time
Protection Type :None
Port Stp Mode :RSTP
Port Protocol Type :Config=auto / Active=dot1s
PortTimes :Hello 2s MaxAge 20s FwDly 15s RemHop 0
TC or TCN send :1
BPDU Sent :4
TCN: 0, Config: 0, RST: 4, MST: 0
BPDU Received :22
----[Port2()][DISCARDING]----
Port Protocol :enabled
Port Role :Alternate Port
Port Priority :160
Designated Bridge/Port :4096.00e0-6606-be00 / 128.1
Port Stp Mode :RSTP
TC or TCN send :1
BPDU Sent :2
BPDU Received :22
7.4 Configuring STP/RSTP Parameters on an Interface
STP does not have a mechanism to confirm topology convergence, whereas RSTP provides a
feedback mechanism to implement rapid convergence.
STP does not implement rapid convergence; however, STP parameters such as the network
diameter, Hello timer, Max Age timer, and Forward Delay timer, may affect network
174
convergence. RSTP is a refinement of STP and implements rapid convergence. In addition to
the preceding parameters, the link type, rapid transition mechanism, and maximum number of
sent BPDUs also affect STP/RSTP topology convergence.
Table 7-6 shows the STP/RSTP parameters that affect STP/RSTP topology convergence.
Table 7-6 Parameters affecting the STP/RSTP topology convergence
Paramete
r
Description Commands Remarks
System
parameter
Network
diameter, timer
values (Hello
timer, Forward
Delay timer,
Max Age
timer), and
timeout period
to wait for
BPDUs from
the upstream
device (3 x
Hello timer
value x Time
factor)
l stp bridge-diameter
diameter
l stp timer hello hello-time
l stp timer forward-delay
forward-delay
l stp timer max-age max-
age
l stp timer-factor factor
It is recommended that you
set the network diameter to
determine the timer value.
The switching device
automatically calculates
the Forward Delay period,
Hello time, and Max Age
time based on the network
diameter. Then, you can
run the stp timer-factor
factor command to set the
timeout period for waiting
for BPDUs from the
upstream (3 x Hello timer
value x Time factor).
Port
parameter
Link type of a
port
l stp point-to-point { auto |
force-false | force-true }
A P2P link helps
implement rapid
convergence.
l If the port works in full-
duplex mode, the link
connecting to the port is
a P2P link.
l If the port works in
half-duplex mode, you
can forcibly switch the
link connecting to the
port to a P2P link.
l In other cases, you can
enable the port to
automatically
determine whether to
connect to a P2P link.
175
Paramete
r
Description Commands Remarks
Port transition
to the RSTP
mode
l stp mcheck On a switching device
running RSTP, if an
interface is connected to a
device running STP, the
interface automatically
transitions to the STP
mode.
Enable MCheck on an
interface if the interface
fails to automatically
transition to the RSTP
mode.
Maximum
number of
BPDUs sent by
the interface
within each
Hello time
l stp transmit-limit packet-
number
If the maximum number of
BPDUs sent by the
interface within each Hello
time interval is set
properly, the rate at which
BPDUs are sent can be
restricted. This parameter
prevents RSTP from
consuming too much
bandwidth if network
flapping occurs.
Edge ports l stp edged-port enable The ports connected to
terminals do not participate
in STP/RSTP calculation.
If a port is configured as an
edge port, the port does not
participate in STP/RSTP
calculation.
After BPDU protection is
configured on a switching
device, an edge port is shut
down when receiving
BPDUs. You can
configure the port to go Up
after a specified delay has
elapsed.

Before configuring parameters affecting STP/RSTP rapid convergence, familiarize yourself
with the applicable environment, complete the pre-configuration tasks, and obtain the required
data. This will help you complete the configuration task quickly and accurately.
176
On some specific networks, proper RSTP parameter settings will help implement rapid network
convergence.
NOTE
The default configurations for the parameters described in this section help implement RSTP rapid
convergence. Therefore, the configuration process and all involved procedures described in this section
are optional.
Before configuring STP/RSTP parameters, complete the following task:
l Configuring basic STP/RSTP functions
Data Preparation
To configure STP/RSTP parameters, you need the following data.
No. Data
1 Network diameter
2 Hello timer, Forward Delay timer, Max Age timer, and timeout period for waiting
for BPDUs from the upstream (3 x Hello timer value x Time factor)
3 Link type of a port
4 Whether a port is enabled with rapid transition mechanism
5 Whether a port needs to transition to the RSTP mode
6 Maximum number of sent BPDUs
7 Whether a port needs to be configured as an edge port
8 Whether auto recovery needs to be configured for an edge port being shut down
9 Whether a port needs to clear statistics of the spanning tree
10 Whether the edge port needs to be configured as a BPDU filter

7.4.2 Configuring System Parameters
STP/RSTP parameters that may affect network convergence include the network diameter, Hello
timer, and timeout period for waiting for BPDUs from the upstream device (3 x Hello timer
value x Time factor). Therefore, STP/RSTP parameters must be set properly to help implement
rapid network convergence.
Procedure
Step 1 Run:
system-view
177
Step 2 Run:
stp bridge-diameter diameter
The network diameter is configured.
By default, the network diameter is 7.
l RSTP uses a single spanning tree instance on the entire network. As a result, performance
deterioration cannot be prevented when the network scale grows. Therefore, the network
diameter cannot be larger than 7.
l It is recommended that you run the stp bridge-diameter diameter command to set the
network diameter. Then, the switching device calculates the optimal Forward Delay period,
Hello timer value, and Max Age timer value based on the set network diameter.
Step 3 Run:
stp timer-factor factor
The timeout period for waiting for BPDUs from the upstream device is set.
By default, the timeout period is 9 times the Hello timer value.
Step 4 (Optional) If the current device is at the edge of a network, run both or either of the following
commands as needed:
l To configure all ports on the devices as edge ports, run:
stp edged-port default
By default, a port is a non-edge port.
After ports on a network edge device are configured as edge ports, the ports no longer
participate in spanning tree calculation. This speeds up network topology convergence and
improves network stability.
l To configure all ports on the devices as BPDU filter ports, run:
stp bpdu-filter default
By default, a port is a non-BPDU filter port.
After ports on a network edge device are configured as BPDU filter ports, the ports no longer
process or send BPDUs.
WARNING
After the stp bpdu-filter default and stp edged-port default commands are run in the system
view, all ports on the device no longer actively send BPDUs or negotiate with directly-connected
ports; instead, all the ports are in the Forwarding state. This may lead to a loop on the network,
causing broadcast storms. Exercise caution when running these commands.
Step 5 (Optional) To set the Forward Delay period, Hello timer, and Max Age timer, perform the
following operations:
l Run the stp timer forward-delay forward-delay command to set the Forward Delay timer.
The default Forward Delay timer of a switching device is 1500 centiseconds.
l Run the stp timer hello hello-time command to set the Hello timer.
The default Hello timer of a switching device is 200 centiseconds.
l Run the stp timer max-age max-age command to set the Max Age timer.
178
The default Max Age timer of a switching device is 2000 centiseconds.
NOTE
The values of the Hello timer, Forward Delay timer, and Max Age timer must comply with the following
formulas; otherwise, network flapping occurs.
l 2 x (Forward Delay - 1.0 second) >= Max Age
l Max Age >= 2 x (Hello Time + 1.0 second)
----End
7.4.3 Configuring Port Parameters
Port parameters that may affect RSTP topology convergence include the link type and maximum
number of sent BPDUs. Proper port parameter settings help implement rapid topology
convergence.
Procedure
Step 1 Run:
system-view
Step 2 Run:
stp point-to-point { auto | force-false | force-true }
The link type is configured for the interface.
By default, an interface automatically determines whether to connect to a P2P link. The P2P link
supports rapid network convergence.
l If the Ethernet port works in full-duplex mode, the port is connected to a P2P link. In this
case, force-true can be configured to implement rapid network convergence.
l If the Ethernet port works in half-duplex mode, you can run stp point-to-point force-true
to forcibly set the link type to P2P.
Step 4 Run:
stp mcheck
MCheck is enabled.
On a port of switching device running RSTP is connected to a device running STP, the port
automatically transitions to the STP interoperable mode.
Enabling MCheck on the port is required because the port may fail to automatically transition
to the RSTP mode in the following situations:
l The switching device running STP is shut down or moved.
l The switching device running STP transitions to the RSTP mode.
179
NOTE
If you run the stp mcheck command in the system view, the MCheck operation is performed on all the
interfaces.
Step 5 Run:
stp transmit-limit packet-number
The maximum number of BPDUs sent by a port within each Hello time is set.
By default, the maximum number of BPDUs that a port sends within each Hello time is 147.
stp edged-port enable
The port is configured as an edge port.
If a device port is connected to a terminal, you can run this command to configure the port as
an edge port.
If the current port has been configured as an edge port, the port can still send BPDUs. This may
cause BPDUs to be sent to other networks, leading to network flapping. To prevent this problem,
run the stp bpdu-filter enable command to configure the edge port as a BPDU filter port and
disable the port from processing or sending BPDUs.
WARNING
After the stp bpdu-filter enable command is run on a port, the port no longer processes or sends
BPDUs. The port will not negotiate with the directly-connected port to establish an STP
connection.
Step 7 Run:
quit
error-down auto-recovery cause cause-item interval interval-value
The auto recovery function on an edge port is configured. This function enables a port in the
error-down state to automatically go Up after the specified delay.
There is no default value for the recovery time. Therefore, you must specify a delay when using
this command.
----End
Follow-up Procedure
When the topology of a spanning tree changes, the forwarding paths to associated VLANs are
changed. The ARP entries corresponding to those VLANs on the switching device need to be
updated. STP/RSTP processes ARP entries in either fast or normal mode.
l In fast mode, ARP entries to be updated are directly deleted.
180
l In normal mode, ARP entries to be updated are rapidly aged.
The remaining lifetime of ARP entries to be updated is set to 0. The switching device rapidly
processes these aged entries. If the number of ARP aging probe attempts is not set to 0,
ARP implements aging probe for these ARP entries.
In either fast or normal mode, MAC entries are directly deleted.
You can run the stp converge { fast | normal } command in the system view to configure the
STP/RSTP convergence mode.
By default, the normal STP/RSTP convergence mode is used.
NOTE
The normal mode is recommended. If the fast mode is adopted, ARP entries will be frequently deleted,
causing the CPU usage on the MPU or LPU to reach 100%. As a result, network flapping will frequently
occur.
After configuring STP/RSTP parameters that affect the topology convergence, you can verify
the configurations.
Prerequisites
The parameters that affect topology convergence have been configured.
Procedure
l Run the display stp [ interface interface-type interface-number ] [ brief ] command to
view spanning-tree status and statistics.
----End
Example
Run the display stp command to view the values of the Hello timer, Max Age timer, Forward
Delay timer, maximum number of sent BPDUs within each Hello time interval, and whether a
port is connected to a P2P link.
<Huawei> display stp interface ethernet 0/0/1
----[CIST][Port8(Ethernet0/0/1)][FORWARDING]----
Port Protocol :Enabled
Port Priority :128
Designated Bridge/Port :32768.0010-1220-0100 / 128.8
Port STP Mode :RSTP
TC or TCN send :2
BPDU Sent :10
BPDU Received :25
181
7.5 Configuring RSTP Protection Functions
This section describes how to configure RSTP protection functions. You can configure one or
more functions.
Before configuring RSTP protection functions, familiarize yourself with the applicable
RSTP provides the protection functions listed in Table 7-7.
Table 7-7 RSTP Protection Function
Protection
Function
BPDU
protection
An edge port changes into a
non-edge port after
occurs.
switching device shuts down the edge port if
the edge port receives an RST BPDU. Then
the device notifies the NMS of the shutdown
event. The attributes of the edge port are not
changed.
TC protection Generally, after receiving
advertising network
delete MAC entries and ARP
entries. Frequent deletions
exhaust CPU resources.
TC protection is used to suppress TC BPDUs.
You can configure the number of times a
switching device processes TC BPDUs
within a given time period. If the number of
TC BPDUs that the switching device receives
within a given time exceeds the specified
threshold, the switching device processes
only the specified number of TC BPDUs.
After the specified time period expires, the
device processes the excess TC BPDUs for
once. This function prevents the switching
device from frequently deleting MAC entries
and ARP entries, saving CPU resources.
182
Protection
Function
Root
protection
Due to incorrect
configurations or malicious
attacks on the network, a
root bridge may receive
BPDUs with a higher
priority than its own priority.
Consequently, the legitimate
root bridge is no longer able
to serve as the root bridge
and the network topology is
changed, triggering
spanning tree recalculation.
This may transfer traffic
from high-speed links to
low-speed links, causing
traffic congestion.
If a designated port is enabled with the root
protection function, the role of the port cannot
be changed. Once a designated port that is
enabled with root protection receives RST
BPDUs with a higher priority, the port enters
the Discarding state and does not forward
packets. If the port does not receive any RST
BPDUs with a higher priority before a period
(generally two Forward Delay periods)
expires, the port automatically enters the
Forwarding state.
Loop
protection
congestion or a one-way link
failure occurs. After the root
port ages, a switching device
may re-select a root port
incorrectly. After the
enters the Forwarding state.
Loops may occur in such a
situation.
After loop protection is configured, if the root
port or alternate port does not receive RST
BPDUs from the upstream switching device
for a long time, the switching device notifies
the NMS that the port enters the Discarding
state. The blocked port remains in the
Blocked state and no longer forwards packets.
This function helps prevent loops on the
network. The root port transitions to the
Forwarding state after receiving new BPDUs.

Before configuring basic RSTP functions, complete the following task:
l Configuring basic RSTP functions
NOTE
Configure an edge port on the switching device before configuring BPDU protection.
Data Preparation
To configure basic RSTP functions, you need the following data.
No. Data
1 Number of the port on which root protection is to be enabled
2 Number of the port on which loop protection is to be enabled

183
7.5.2 Configuring BPDU Protection on a Switching Device
After BPDU protection is enabled, a switching device shuts down an edge port if the edge port
receives a BPDU, and notifies the NMS of the shutdown event.
Context
Edge ports are directly connected to user terminal and will not receive BPDUs. Attackers may
send pseudo BPDUs to attack the switching device. If the edge ports receive the BPDUs, the
switching device configures the edge ports as non-edge ports and triggers a new spanning tree
calculation. Network flapping then occurs. BPDU protection can be used to protect switching
devices against malicious attacks.
Perform the following steps on a switching device that has an edge port.
Procedure
Step 1 Run:
system-view
Step 2 Run:
stp bpdu-protection
BPDU protection is enabled on the switching device.
By default, BPDU protection is disabled on the switching device.
----End
Follow-up Procedure
To allow an edge port to automatically start after being shut down, you can run the error-down
auto-recovery cause bpdu-protection interval interval-value command to configure the auto
recovery function and set the delay on the port. After the delay expires, the port automatically
goes Up. interval interval-value ranges from 30 to 86400, in seconds. Note the following when
setting this parameter:
l There is no default value for the recovery time. Therefore, you must specify a delay when
configuring this command.
l The smaller the interval-value is, the shorter it takes for the edge port to go Up, and the
more frequently the edge port alternates between Up and Down.
l The larger the interval-value is, the longer it takes for the edge port to go Up, and the longer
the service interruption lasts.
7.5.3 Configuring TC Protection on a Switching Device
After TC protection is enabled, you can set the number of times a switching device processes
TC BPDUs within a given time. TC protection avoids frequent deletion of MAC address entries
and ARP entries, thereby protecting switching devices.
184
Context
Attackers may send pseudo TC BPDUs to attack switching devices. Switching devices receive
a large number of TC BPDUs in a short time and delete entries frequently, which burdens system
processing and degrades network stability.
TC protection is used to suppress TC BPDUs. You can configure the number of times a switching
device processes TC BPDUs within a given time period. If the number of TC BPDUs that the
switching device receives within a given time exceeds the specified threshold, the switching
device processes only the specified number of TC BPDUs. After the specified time period
expires, the device processes the excess TC BPDUs for once. This function prevents the
switching device from frequently deleting MAC entries and ARP entries, saving CPU resources.
Procedure
Step 1 Run:
system-view
Step 2 Run:
stp tc-protection
TC protection is enabled for a switching device.
By default, TC protection is not enabled on the switching device.
Step 3 Run:
stp tc-protection threshold threshold
The maximum number of times the switching device processes received TC BPDUs and updates
forwarding entries within a given time is set.
NOTE
The given time is specified by the RSTP Hello timer set by using the stp timer hello hello-time command.
----End
7.5.4 Configuring Root Protection on a Port
The root protection function on a switching device protects a root bridge by preserving the role
of a designated port.
Context
Due to incorrect configurations or malicious attacks on the network, a root bridge may receive
BPDUs with a higher priority. Consequently, the legitimate root bridge is no longer able to serve
as the root bridge and the network topology is changed, triggering spanning tree recalculation.
This also may cause the traffic that should be transmitted over high-speed links to be transmitted
over low-speed links, leading to network congestion. The root protection function on a switching
device is used to protect the root bridge by preserving the role of the designated port.
NOTE
Root protection takes effect only on designated ports.
Perform the following steps on the root bridge.
185
Procedure
Step 1 Run:
system-view
Step 2 Run:
Step 3 Run:
stp root-protection
Root protection is enabled on the interface.
By default, root protection is disabled.
----End
7.5.5 Configuring Loop Protection on a Port
The loop protection function suppresses loops caused by link congestion.
Context
On a network running RSTP, a switching device maintains the root port status and status of
blocked ports by receiving BPDUs from an upstream switching device. If the switching device
cannot receive BPDUs from the upstream device because of link congestion or unidirectional-
link failure, the switching device re-selects a root port. The original root port becomes a
designated port and the original blocked ports change to the Forwarding state. This switching
may cause network loops, which can be mitigated by configuring loop protection.
After loop protection is configured, if the root port or alternate port does not receive BPDUs
from the upstream switching device, the root port is blocked and the switching device notifies
the NMS that the port enters the Discarding state. The blocked port remains in the Blocked state
and no longer forwards packets. This function helps prevent loops on the network. The root port
transitions to the Forwarding state after receiving new BPDUs.
NOTE
An alternate port is a backup port for a root port. If a switching device has an alternate port, you need to
configure loop protection on both the root port and the alternate port.
Perform the following steps to configure loop protection on the root port and alternate port of a
switching device.
Procedure
Step 1 Run:
system-view
Step 2 Run:
186
Step 3 Run:
stp loop-protection
Loop protection for the root port or the alternate port is configured on the switching device.
By default, loop protection is disabled.
----End
After RSTP protection functions are configured, you can verify that the configurations take
effect.
Prerequisites
All configurations for RSTP protection functions are complete.
Procedure
l Run the display stp [ interface interface-type interface-number ] [ brief ] command to
view the status of a spanning tree, including the status of protection functions on a switching
device.
----End
Example
Run the display stp command to view the status of BPDU protection on a switching device, and
the status of root protection on a specified port. For example:
<Huawei> display stp interface ethernet 0/0/1
----[CIST][Port8(Ethernet0/0/1)][FORWARDING]----
Port Priority :128
Designated Bridge/Port :32768.0010-1220-0100 / 128.8
Protection Type :Root
Port STP Mode :RSTP
TC or TCN send :2
BPDU Sent :10
BPDU Received :25
7.6 Maintaining STP/RSTP
STP/RSTP maintenance includes clearing STP/RSTP statistics.
187
7.6.1 Clearing STP/RSTP Statistics
You can run the reset commands to clear STP/RSTP statistics.
Context
CAUTION
STP/RSTP statistics cannot be restored after being cleared.
Procedure
Step 1 Run the reset stp [ interface interface-type interface-number ] statistics command to clear
spanning-tree statistics.
----End
and procedures for some typical application scenarios for STP/RSTP. This section also provides
the related configuration files.
7.7.1 Example for Configuring Basic STP Functions
This example shows how to configure basic STP functions.
STP can be deployed on a network to eliminate loops by blocking some ports. On the network
shown in Figure 7-3, after RouterA, SwitchA, SwitchB, SwitchC and SwitchD running STP
discover loops on the network by exchanging information with each other, they trim the ring
topology into a loop-free tree topology by blocking an interface. These capabilities help prevent
replication and circular propagation of packets on the network which in turn helps improve
processing performance.
188
Figure 7-3 Networking diagram of basic STP configurations
RouterA
Eth0/0/1
Network
SwitchA
STP
Blocked port
SwitchB
Root
Bridge
Eth0/0/0
SwitchC SwitchD
Eth0/0/1
Eth0/0/2
Eth0/0/1
Eth0/0/2
Eth0/0/1
Eth0/0/2
Eth0/0/1
Eth0/0/3
Eth0/0/2
Eth0/0/3
E
t
h
0
/
0
/
4
E
t
h
0
/
0
/
4
E
t
h
0
/
0
/
3
E
t
h
0
/
0
/
3
PC1
PC2
PC3
PC4

1. Configure basic STP functions, including:
a. Configure the STP mode for the ring network.
b. Configure primary and secondary root bridges.
c. Set path costs for ports to block certain ports.
d. Enable STP to eliminate loops.
l Enable STP globally.
l Enable STP on all the interfaces except the interfaces connected to terminals.
NOTE
STP is not required on the interfaces connected to terminals because these interfaces do not
need to participate in STP calculation.
189
Data Preparation
To complete the configuration, you need the following data.
l Ethernet interface number: as shown in Figure 7-3
l Primary root bridge: RouterA
l Secondary root bridge: SwitchA
l Path cost of the interface to be blocked: 200000
Procedure
Step 1 Configure basic STP functions.
1. Configure the STP mode for the devices on the ring network.
# Configure the STP mode on RouterA.
[RouterA] stp mode stp
# Configure the STP mode on SwitchA, SwitchB, SwitchC and SwitchD.
NOTE
l Huawei 2300 Series Switch is used in this example. If other types of switches are used, refer to
the documentation of the switches.
2. Configure primary and secondary root bridges.
# Configure RouterA as the primary root bridge.
[RouterA] stp root primary
# Configure SwitchA as the secondary root bridge.
3. Set path costs for ports in each spanning tree to block certain ports.
NOTE
l The values of path costs depend on path cost calculation methods. This example uses the Huawei
proprietary calculation method and sets the path cost to 200000.
l If the switches are not Huawei 2300 Series, all switches on a network must use the same path
cost calculation method. Refer to STP List of path costs to get standard of other calculation
methods.
# On RouterA, configure the path cost calculation method as the Huawei proprietary
method.
[RouterA] stp pathcost-standard legacy
# On SwitchA, SwitchB, SwitchC and SwitchD, configure the path cost calculation method
as the Huawei proprietary method.
# As shown in Figure 7-3, set the path cost of Eth0/0/4 on SwitchC and SwitchD to 200000.
4. Enable STP to eliminate loops.
l Disable STP on interfaces connected to PCs.
# Disable STP on interfaces connected to terminals for SwitchC and SwitchD.
l Enable STP globally.
# Enable STP globally on RouterA.
[RouterA] stp enable
# Enable STP globally on other switching devices.
l Enable STP on all the interfaces except the interfaces connected to terminals.
190
# Enable STP on RouterA Ethernet0/0/0 and Ethernet0/0/1.
[RouterA-Ethernet0/0/0] stp enable
Enable STP on all the interfaces except the interfaces connected to terminals for
SwitchA, SwitchB, SwitchC and SwitchD.
After the previous configurations, run the following commands to verify the configuration when
the network is stable:
# Run the display stp brief command on RouterA to view the interface status and protection
type. The displayed information is as follows:
[RouterA] display stp brief
MSTID Port Role STP State Protection
0 Ethernet0/0/0 DESI FORWARDING NONE
After RouterA is configured as a root bridge, Ethernet0/0/0 connected to SwitchA and
Ethernet0/0/1 connected to SwitchB are elected as designated ports during spanning tree
calculation.
----End
Configuration Files
#
sysname
RouterA
#
stp mode
stp
stp instance 0 root
primary
stp pathcost-standard
legacy
#
#
#
return
l Configuration file of SwitchA
#
stp mode
stp
stp instance 0 root secondary
stp pathcost-standard legacy
#
#
#
#
return
l Configuration file of SwitchB
191
#
stp mode
stp
#
#
#
#
return
l Configuration file of SwitchC
#
stp mode
stp
#
#
stp disable
#
stp disable
#
stp instance 0 cost
200000
#
return
l Configuration file of SwitchD
#
stp mode
stp
#
#
stp disable
#
stp disable
#
stp instance 0 cost
200000
#
return
7.7.2 Example for Configuring Basic RSTP Functions
This example shows how to configure basic RSTP functions.
On a complex network, loops are inevitable. With the requirement for network redundancy
backup, network designers tend to deploy multiple physical links between two devices, one of
which is the master and the others are the backup. Loops are likely or bound to occur in such a
situation.
network. Loops also cause flapping of MAC address tables and damages MAC address entries.
192
RSTP can be deployed on a network to eliminate loops by blocking some ports. On the network
shown in Figure 7-4, after RouterA, SwitchA, SwitchB, SwitchC and SwitchD running RSTP
discover loops on the network by exchanging information with each other, they trim the ring
topology into a loop-free tree topology by blocking an interface. In this manner, replication and
circular propagation of packets are prevented on the network and the switching devices are
released from processing duplicated packets, thereby improving their processing performance.
Figure 7-4 Networking diagram of configuring basic STP functions
RouterA
Eth0/0/1
Network
SwitchA
RSTP
Blocked port
SwitchB
Root
Bridge
Eth0/0/0
SwitchC SwitchD
Eth0/0/1
Eth0/0/2
Eth0/0/1
Eth0/0/2
Eth0/0/1
Eth0/0/2
Eth0/0/1
Eth0/0/3
Eth0/0/2
Eth0/0/3
E
t
h
0
/
0
/
4
E
t
h
0
/
0
/
4
E
t
h
0
/
0
/
3
E
t
h
0
/
0
/
3
PC1
PC2
PC3
PC4

1. Configure basic RSTP functions, including:
a. Configure the RSTP mode for the ring network.
b. Configure primary and secondary root bridges.
c. Set path costs for ports to block certain ports.
d. Enable RSTP to eliminate loops, including:
193
l Enable RSTP globally.
l Enable RSTP on all the interfaces except the interfaces connected to terminals.
NOTE
RSTP is not required on the interfaces connected to terminals because these interfaces do not
need to participate in RSTP calculation.
2. Configure RSTP protection functions, for example, configure root protection on a
designated port of a root bridge.
Data Preparation
To complete the configuration, you need the following data.
l Ethernet interface number, as shown in Figure 7-4
l Primary root bridge RouterA and secondary root bridge SwitchA
l Path cost of a port to be blocked (200000 is used in this example)
Procedure
Step 1 Configure basic RSTP functions.
1. Configure the RSTP mode for the devices on the ring network.
# Configure the RSTP mode on RouterA.
[RouterA] stp mode rstp
# Configure the RSTP mode on SwitchA, SwitchB, SwitchC and SwitchD.
NOTE
l Huawei 2300 Series Switch is used in this example. If other types of switches are used, refer to
the documentation of the switches.
2. Configure primary and secondary root bridges.
# Configure RouterA as the primary root bridge.
[RouterA] stp root primary
# Configure SwitchA as a second root bridge.
3. Set path costs for the interface to be blocked.
NOTE
l The values of path costs depend on path cost calculation methods. This example uses the Huawei
proprietary calculation method and sets the path cost to 200000.
methods.
method.
# As shown in Figure 7-4, set the path cost of Eth0/0/4 on SwitchC and SwitchD to 200000.
4. Enable RSTP to eliminate loops.
l Disable RSTP on interfaces connected to PCs.
194
# Disable RSTP on interfaces connected to terminals for SwitchC and SwitchD.
l Enable RSTP globally.
# Enable RSTP globally on RouterA.
# Enable RSTP globally on other switching devices.
l Enable RSTP on all the interfaces except the interfaces connected to terminals.
# Enable RSTP on RouterA Ethernet0/0/0 and Ethernet0/0/1.
Enable STP on all the interfaces except the interfaces connected to terminals for
SwitchA, SwitchB, SwitchC and SwitchD.
Step 2 Configure RSTP protection function.
# Enable root protection on Eth0/0/0 and Eth0/0/1 of RouterA.
[RouterA-Ethernet0/0/0] stp root-protection
# Run the display stp brief command on RouterA to view the interface status and protection
type. The displayed information is as follows:
0 Ethernet0/0/0 DESI FORWARDING ROOT
After RouterA is configured as a root bridge, Ethernet0/0/0 connected to SwitchA and
Ethernet0/0/1 connected to SwitchB are elected as designated ports during spanning tree
calculation.
----End
Configuration Files
#
sysname RouterA
#
stp mode
rstp
stp instance 0 root
primary
legacy
#
195
stp root-
protection
#
stp root-
protection
#
return
#
stp mode
rstp
stp instance 0 root secondary
#
#
#
#
return
#
stp mode
rstp
#
#
#
#
return
#
stp mode
rstp
#
#
stp disable
#
stp disable
#
stp instance 0 cost
200000
#
return
#
stp mode
rstp
#
#
stp disable
#
196
stp disable
#
stp instance 0 cost
200000
#
return
197
8 MSTP Configuration
About This Chapter
The Multiple Spanning Tree Protocol (MSTP) trims a ring network into a loop-free tree network.
It prevents replication and circular propagation of packets, provides multiple redundant paths
for Virtual LAN (VLAN) data traffic, and enables load balancing.
8.1 MSTP Introduction
The Multiple Spanning Tree Protocol (MSTP) incorporates the functions of the Spanning Tree
Protocol (STP) and Rapid Spanning Tree Protocol (RSTP), and outperforms them. It enables
rapid convergence and provides load balancing across redundant paths.
8.2 MSTP Features Supported by the AR1200-S
Before configuring MSTP, familiarize yourself with the concepts of basic MSTP functions,
topology convergence, MSTP protection, and MSTP interoperability between Huawei devices
8.3 Configuring Basic MSTP Functions
MSTP based on the basic STP/RSTP function divides a switching network into multiple regions,
each of which has multiple spanning trees that are independent of each other. MSTP isolates
user traffic and service traffic, and load-balances VLAN traffic.
8.4 Configuring MSTP Parameters on an Interface
Proper MSTP parameter settings achieve rapid convergence.
8.5 Configuring MSTP Protection Functions
This section describes how to configure MSTP protection functions. You can configure one or
more functions.
8.6 Configuring MSTP Interoperability Between Huawei Devices and Non-Huawei Devices
To enable Huawei devices to work with non-Huawei devices on an MSTP-capable network,
configure the BPDU format, MSTP protocol packet format, and digest snooping function on the
Huawei devices.
8.7 Maintaining MSTP
MSTP maintenance includes clearing MSTP statistics.
Configuration Guide - LAN 8 MSTP Configuration
198
and procedures for some typical application scenarios for MSTP, and also provides the related
configuration files.
199
8.1 MSTP Introduction
The Multiple Spanning Tree Protocol (MSTP) incorporates the functions of the Spanning Tree
Protocol (STP) and Rapid Spanning Tree Protocol (RSTP), and outperforms them. It enables
rapid convergence and provides load balancing across redundant paths.
Background
STP and RSTP are used in a LAN to prevent loops. Devices can run STP to discover loops on
the network by exchanging information with each other, and trim the ring topology into a loop-
free tree topology by blocking an interface. These capabilities help prevent replication and
circular propagation of packets on the network which in turn helps avoid degradation of
switching device performance.
STP and RSTP share a similar limitation: All VLANs on a LAN use one spanning tree, which
means that inter-VLAN load balancing cannot be performed. A link will no longer transmit
traffic once it is blocked, which wastes bandwidth and causes forwarding failures in some
VLANs.
To address the deficiencies in STP and RSTP, the IEEE released the 802.1s standard in 2002,
which defines MSTP. MSTP is compatible with STP and RSTP. It implements rapid
convergence and provides multiple paths to load balance VLAN traffic.
Table 8-1 compares STP, RSTP, and MSTP in terms of the characteristics of each protocol and
their applicable environments.
Table 8-1 Comparison between STP, RSTP, and MSTP
Spanning Tree
Protocols
Characteristics Application
Scenarios
Precautions
STP Ensures a loop-free tree
topology that helps prevent
broadcast storms and allows
for redundant links between
switches.
Irrespective of
users or services,
all VLANs share
one spanning tree.
l If the current
switching
device
supports only
STP, STP is
recommende
d. For details,
see STP/
RSTP
Configurati
on.
l If the current
switching
device
supports both
STP and
RSTP, RSTP
is
recommende
d. For details,
RSTP l Ensures a loop-free tree
topology that helps
links between switches.
implementing rapid
convergence.
200
Spanning Tree
Protocols
Characteristics Application
Scenarios
Precautions
MSTP l Ensures a loop-free tree
topology that helps
links between switches in
an MSTP region.
implementing rapid
convergence.
l Implements load
balancing among VLANs.
Traffic in different
VLANs is transmitted
along different paths.
see STP/
RSTP
Configurati
on.
l If the current
switching
device
supports STP
or RSTP, and
MSTP,
MSTP is
recommende
d.
User or service-
specific load
balancing is
required. Traffic
for different
VLANs is
forwarded
through different
spanning trees,
which are
independent of
each other.

Introduction
MSTP, compatible with STP and RSTP, uses multiple instances to isolate service traffic and
provides multiple paths to load balance VLAN traffic.
If MSTP is deployed on a LAN, MSTIs are generated, as shown in Figure 8-1.
Figure 8-1 Multiple spanning trees in an MST region
VLAN2
VLAN2
Host A
Host B
S1 S4
S2
S5
S3 S6
VLAN2
VLAN2
(VLAN2)
(VLAN2)
Host C
(VLAN3)
Host D
(VLAN3)
VLAN2
VLAN3
VLAN3
VLAN3
VLAN3
VLAN3
MSTI1 (root switch: S4)
MSTI2 (root switch: S6)
VLAN2
VLAN3
MSTI1
MSTI2
VLAN2
VLAN3
VLAN2
VLAN3
201

l MSTI 1 uses S4 as the root switching device to forward packets of VLAN 2.
l MSTI 2 uses S6 as the root switching device to forward packets of VLAN 3.
Devices within the same VLAN can communicate with each other and packets of different
VLANs are load-balanced along different paths.
Basic MSTP Concepts
l MST region
An MST region contains multiple switching devices and network segments between them.
The switching devices have the following characteristics:
MSTP-enabled
Same region name
Same VLAN-to-instance mapping
Same MSTP revision number
A LAN can comprise several MST regions that are directly or indirectly connected. You
can use MSTP configuration commands to group multiple switching devices into an MST
region.
As shown in Figure 8-2, the MST region D0 contains the switching devices S1, S2, S3,
and S4. The region has three MSTIs.
Figure 8-2 MST region
D0
S1
other VLANs MSTI0
S2
S4
S3
VLAN1 MSTI1
VLAN2,VLAN3 MSTI2
MSTI1
root switch:S3
MSTI2
root switch:S2
MSTI0 (IST)
root switch:S1
AP1
Master Bridge

l VLAN mapping table
The VLAN mapping table is an attribute of the MST region. It describes mappings between
VLANs and MSTIs.
Figure 8-2 shows the VLAN mapping table of the MST region D0:
202
VLAN 1 is mapped to MSTI 1.
VLAN 2 and VLAN 3 are mapped to MSTI 2.
Other VLANs are mapped to MSTI 0.
l Regional root
Regional roots are classified into Internal Spanning Tree (IST) and MSTI regional roots.
In the region B0, C0, and D0 on the network shown in Figure 8-4, the switching devices
closest to the Common and Internal Spanning Tree (CIST) root are IST regional roots.
An MST region can contain multiple spanning trees, each called an MSTI. An MSTI
regional root is the root of the MSTI. On the network shown in Figure 8-3, each MSTI has
its own regional root.
Figure 8-3 MSTI
Root
VLAN
10&20&30
V
L
A
N
1
0
&
2
0
VLAN 20&30
VLAN
10&30
V
L
A
N
3
0
VLAN
10&30
V
L
A
N
2
0
VLAN 10
MST Region
Root
MSTI
corresponding to
VLAN 10
Root
MSTI
corresponding to
VLAN 20
MSTI
corresponding to
VLAN 30
MSTI links
MSTI links blocked by the protocol

MSTIs are independent of each other. An MSTI can correspond to one or more VLANs,
but a VLAN can be mapped to only one MSTI.
l CIST root
On the network shown in Figure 8-4, the CIST root is the root bridge of a CIST. The CIST
root is a device in A0.
203
Figure 8-4 MSTP network
CIST Root
A0
B0
C0
D0
Region Root
Region Root
Region Root
CST
IST

l CST
A Common Spanning Tree (CST) connects all the MST regions on a switching network.
Each MST region can be considered a node. A CST is calculated by using STP or RSTP
based on all the nodes.
As shown in Figure 8-4, the MST regions are connected to form a CST.
l IST
An IST resides within an MST region.
An IST is a special MSTI with an MSTI ID of 0, called MSTI 0.
An IST is a segment of the CIST in an MST region.
As shown in Figure 8-4, the switching devices in an MST region are connected to form an
IST.
l CIST
A CIST, calculated by using STP or RSTP, connects all the switching devices on a switching
network.
As shown in Figure 8-4, the ISTs and the CST form a complete spanning tree (CIST).
l SST
A Single Spanning Tree (SST) is formed in either of the following situations:
A switching device running STP or RSTP belongs to only one spanning tree.
204
An MST region has only one switching device.
As shown in Figure 8-4, the switching device in B0 is an SST.
l Port roles
Compared with RSTP which defined root ports, designated ports, alternate ports, backup
ports, and edge ports, MSTP has two additional port types: master ports and regional edge
ports.
Table 8-2 lists all port roles in MSTP.
NOTE
Except edge ports, all ports participate in MSTP calculation.
A port can play different roles in different MSTIs.
Table 8-2 Port roles
Port
Roles
Description
Root port A root port is the non-root bridge port closest to the root bridge. Root bridges
do not have root ports.
Root ports are responsible for sending data to root bridges.
As shown in Figure 8-5, S1 is the root; CP1 is the root port on S3; BP1 is
the root port on S2; DP1 is the root port on S4.
Designat
ed port
The designated port on a switching device forwards bridge protocol data
units (BPDUs) to the downstream switching device.
As shown in Figure 8-5, AP2 and AP3 are designated ports on S1; BP2 is
a designated port on S2; CP2 is a designated port on S3.
Alternate
port
l An alternate port is blocked after it receives a BPDU sent by another
switching devices.
l An alternate port provides an alternate path to the root bridge. This path
is different than using the root port.
As shown in Figure 8-5, BP2 and AP4 are alternate ports.
Backup
port
l A backup port is blocked after it receives a BPDU sent by itself.
l A backup port provides a redundant path to a segment and is the backup
for the root port.
As shown in Figure 8-5, CP3 is a backup port.
Master
port
A master port is on the shortest path connecting MST regions to the CIST
root.
BPDUs of an MST region are sent to the CIST root through the master port.
Master ports are special regional edge ports, functioning as root ports on
ISTs or CISTs and master ports in instances.
As shown in Figure 8-5, S1, S2, S3, and S4 form an MST region. AP1 on
S1, being the nearest port in the region to the CIST root, is the master port.
205
Port
Roles
Description
Regional
edge port
A regional edge port is located at the edge of an MST region and connects
to another MST region or an SST.
During MSTP calculation, the roles of a regional edge port in the MSTI and
the CIST instance are the same. If the regional edge port is the master port
in the CIST instance, it is the master port in all the MSTIs in the region.
As shown in Figure 8-5, AP1, DP2, and DP3 in an MST region are directly
connected to other regions, and therefore they are all regional edge ports of
the MST region.
As shown in Figure 8-5, AP1 is a regional edge port and also a master port
in the CIST. Therefore, AP1 is the master port in every MSTI in the MST
region.
Edge
port
An edge port is located at the edge of an MST region and does not connect
to any switching device.
Generally, edge ports are directly connected to terminals.
As shown in Figure 8-5, BP3 is an edge port.

Figure 8-5 Port roles
S1
AP2
S2 S3
AP3
CP2 CP3
BP2
CP1 BP1
S4
Root Bridge
MST Region
AP1
AP4
DP1
DP4
DP2
DP3
PC
Root port
Designated port
Alternate
port
Backup port
Master port
Edge port
Regional edge port
BP3

l Port status
Table 8-3 lists the MSTP port status, which is the same as the RSTP port status.
206
Table 8-3 Port status
Port
Status
Description
Forwardi
ng
A port in the Forwarding state can send and receive BPDUs as well as
Learning This is a transition state. A port in the Learning state learns MAC addresses
from user traffic to construct a MAC address table.
In the Learning state, the port can send and receive BPDUs, but cannot
Discardi
ng
A port in the Discarding state can only receive BPDUs.

The port status is not determined by the port role. Table 8-4 lists the port status supported
by each port role.
Table 8-4 Status of port roles
Port
Status
Root Port/
Master
Port
Designate
d Port
Regional
Edge Port
Alternate
Port
Backup
Port
Forwardi
ng
Yes Yes Yes No No
Learning Yes Yes Yes No No
Discardi
ng
Yes Yes Yes Yes Yes

Yes: The port supports this status.
No: The port does not support this status.
8.2 MSTP Features Supported by the AR1200-S
Before configuring MSTP, familiarize yourself with the concepts of basic MSTP functions,
topology convergence, MSTP protection, and MSTP interoperability between Huawei devices
MSTP is used to block redundant links on the Layer 2 network and trim a network into a loop-
free tree. In MSTP, multiple MSTIs can be created and VLANs are mapped into different
instances to load-balance VLAN traffic. The basic configuration roadmap for MSTP is as
follows:
1. In a ring network, divide regions and create different instances for regions.
2. Select a switching device to function as the root bridge for each instance.
207
3. In each instance, calculate the shortest paths from the other switching devices to the root
bridge, and select a root port for each non-root switching device.
4. In each instance, select a designated port for each connection based on port IDs.
Some networks may have master ports and backup ports. For details about master ports and
backup ports, see 8.1 MSTP Introduction.
MSTP also supports the following features to meet the requirements of special applications and
extended functions:
l Proposal/Agreement mechanism to implement rapid convergence.
l Protection functions listed in Table 8-5.
l MSTP interoperability between Huawei devices and non-Huawei devices. Certain
parameters must be set on Huawei devices to ensure uninterrupted communication.
Table 8-5 MSTP protection
MSTP
Protection
BPDU
protection
non-edge port after
occurs.
changed.
advertising network
208
MSTP
Protection
Root
protection
Due to incorrect
BPDUs with a higher
changed, triggering
traffic congestion.
To address this issue, the root protection
function can be configured to protect the root
bridge by preserving the role of the
designated port. With this function, when the
designated port receives RST BPDUs with a
higher priority, the port enters the Discarding
state and does not forward the BPDUs. If the
port does not receive any RST BPDUs with a
higher priority for a certain period (double the
Forward Delay), the port transitions to the
Forwarding state.
Loop
protection
incorrectly and after the
situation.
The loop protection function can be used to
prevent such network loops. If the root port
or alternate port cannot receive RST BPDUs
from the upstream switching device, the root
port is blocked and the switching device
Discarding state. The blocked port remains in
the Blocked state and no longer forwards
packets. This function helps prevent loops on
the network. The root port transitions to the

8.3 Configuring Basic MSTP Functions
MSTP based on the basic STP/RSTP function divides a switching network into multiple regions,
each of which has multiple spanning trees that are independent of each other. MSTP isolates
user traffic and service traffic, and load-balances VLAN traffic.
MSTP is commonly configured on switching devices to trim a ring network to a loop-free
network. Devices start spanning tree calculation after the working mode is set and MSTP is
enabled. Use any of the following methods if you need to intervene in the spanning tree
calculation:
l Set a priority for a switching device in an MSTI: The lower the numerical value, the higher
the priority of the switching device and the more likely the switching device becomes a
root bridge; the higher the numerical value, the lower the priority of the switching device
and the less likely that the switching device becomes a root bridge.
l Set a path cost for a port in an MSTI: With the same calculation method, the lower the
numerical value, the smaller the cost of the path from the port to the root bridge and the
more likely the port becomes a root port; the higher the numerical value, the larger the cost
209
of the path from the port to the root bridge and the less likely that the port becomes a root
port.
l Set a priority for a port in an MSTI: The lower the numerical value, the more likely the port
becomes a designated port; the higher the numerical value, the less likely that the port
becomes a designated port.
Before configuring basic MSTP functions, familiarize yourself with the applicable environment,
complete the pre-configuration tasks, and obtain the required data. This will help you complete
the configuration task quickly and accurately.
MSTP can be deployed on a network to eliminate loops. If a loop is detected, MSTP blocks one
or more ports to eliminate the loop. In addition, MSTIs can be configured to load balance VLAN
traffic.
As shown in Figure 8-6, S1, S2, S3, and S4 all support MSTP. In this scenario, you need to
create MSTI 1 and MSTI 2, configure a root bridge for each MSTI, and set the ports to be blocked
to load balance traffic of VLANs 1 to 10 and VLANs 11 to 20 among different paths.
210
Figure 8-6 Networking diagram of basic MSTP configurations
Eth0/0/1
Eth0/0/3
Eth0/0/1
S1
S3
Eth0/0/1
Eth0/0/3
Eth0/0/1
S2
S4
Eth0/0/2
Eth0/0/2 Eth0/0/2
Eth0/0/2
PC1
PC2
Root Switch:S1
Root Switch:S2
MSTI1:
MSTI2:
Blocked port
Blocked port
MST Region
Network
VLAN1~10
VLAN11~20
MSTI1
MSTI2

NOTE
If the current device supports MSTP, configuring MSTP is recommended.
Before configuring basic MSTP functions, complete the following task:
l Connecting interfaces and setting physical parameters for the interfaces to ensure that the
interfaces are physically Up
211
Data Preparation
To configure basic MSTP functions, you need the following data.
No. Data
1 MSTP working mode
2 MST region name, VLAN-to-instance mapping, and MSTP revision number
3 (Optional) ID of an MSTI
4 (Optional) Priority of a switching device in an MSTI
5 (Optional) Priority of a port in an MSTI
6 (Optional) Path cost of a port in an MSTI

8.3.2 Configuring the MSTP Mode
Before configuring basic MSTP functions, set the working mode of a switching device to MSTP.
MSTP is compatible with STP and RSTP.
Procedure
Step 1 Run:
system-view
Step 2 Run:
stp mode mstp
The working mode of the switching device is set to MSTP. By default, the working mode is
MSTP.
STP and MSTP cannot recognize packets of each other, but MSTP and RSTP can. If an MSTP-
enabled switching device is connected to switching devices running STP, interfaces of the
MSTP-enabled switching device connected to devices running STP automatically transition to
STP mode, and other interfaces still work in MSTP mode. This enables devices running different
spanning tree protocols to interwork with each other.
----End
8.3.3 Configuring and Activating an MST Region
MSTP divides a switching network into multiple MST regions. After an MST region name,
VLAN-to-instance mappings, and an MSTP revision number are configured, you must activate
the MST region to make the configurations effective.
Context
An MST region contains multiple switching devices and network segments. These switching
devices are directly connected and have the same region name, same VLAN-to-instance
mapping, and the same configuration revision number after MSTP is enabled. One switching
212
network can have multiple MST regions. You can use MSTP commands to group multiple
switching devices into one MST region.
CAUTION
Two switching devices belong to the same MST region when they have the same:
l Name of the MST region
l Mapping between VLANs and MSTIs
l Revision level of the MST region
Perform the following steps on a switching device that needs to join an MST region.
Procedure
Step 1 Run:
system-view
Step 2 Run:
stp region-configuration
The MST region view is displayed.
Step 3 Run:
region-name name
The name of an MST region is configured.
By default, the MST region name is the MAC address of the management network interface on
the MPU of the switching device.
Step 4 Perform either of the following steps to configure VLAN-to-instance mappings.
l Run the instance instance-id vlan { vlan-id1 [ to vlan-id2 ] }&<1-10> command to configure
VLAN-to-instance mappings.
l Run the vlan-mapping modulo modulo command to enable VLAN-to-instance mapping
assignment based on a default algorithm.
By default, all VLANs in an MST region are mapped to MSTI 0.
NOTE
l The VLAN-to-instance mappings generated using the vlan-mapping modulo modulo commands
cannot meet network requirements. It is recommended that you run the instance instance-id vlan
{ vlan-id1 [ to vlan-id2 ] }&<1-10> command to configure VLAN-to-instance mappings.
l The vlan-mapping modulo specifies the formula (VLAN ID-1)%modulo+1. In the formula, (VLAN
ID-1)%modulo means the remainder of (VLAN ID-1) divided by the value of modulo. This formula
is used to map a VLAN to the corresponding MSTI. The calculation result of the formula is the ID of
the mapping MSTI.
revision-level level
The MSTP revision number is set.
213
By default, the MSTP revision number is 0.
If the revision number of the MST region is not 0, this step is necessary.
NOTE
Changing MST region configurations (especially change of the VLAN mapping table) triggers spanning
tree recalculation and causes route flapping. Therefore, after configuring an MST region name, VLAN-to-
instance mappings, and an MSTP revision number, run the check region-configuration command in the
MST region view to verify the configuration. After confirming the region configurations, run the active
region-configuration command to activate MST region configurations.
Step 6 Run:
active region-configuration
MST region configurations are activated so that the configured region name, VLAN-to-instance
mappings, and revision number can take effect.
If this step is not done, the preceding configurations cannot take effect.
If you have changed MST region configurations on the switching device after MSTP starts, run
the active region-configuration command to activate the MST region so that the changed
configurations can take effect.
----End
8.3.4 (Optional) Configuring a Priority for a Switching Device in an
MSTI
A switching device with a high priority is more likely to be selected as the root bridge in an
MSTI. A smaller priority value indicates a higher priority.
Context
In an MSTI, there is only one root bridge, which is the logic center of the MSTI. During root
bridge selection, a high-performance switching device at a high network layer should be selected
as the root bridge; however, the priority of such a device may not be the highest on the network.
It is therefore necessary to set a high priority for the switching device to ensure that the device
functions as a root bridge.
Low-performance devices at lower network layers are not fit to serve as a root bridge. Therefore,
set low priorities for these devices.
Procedure
Step 1 Run:
system-view
Step 2 Run:
stp [ instance instance-id ] priority priority
A priority is set for the switching device in an MSTI.
The default priority value of the switching device is 32768.
If the instance is not designated, a priority is set for the switching device in MSTI0.
214
NOTE
l To configure a switching device as the primary root bridge, run the stp [ instance instance-id ] root
primary command directly. The priority value of this switching device is 0.
l To configure a switching device as the secondary root bridge, run the stp [ instance instance-id ] root
secondary command. The priority value of this switching device is 4096.
In an MSTI, a switching device cannot act as the primary root bridge and secondary root bridge at the
same time.
l To change the priority of a switching device after you run the stp root primary command or the stp
[ instance instance-id ] root secondary command to configure the switching device as a primary root
bridge or a secondary root bridge, disable the root bridge function or secondary root bridge function
and then run the stp [ instance instance-id ] priority priority command to re-set a priority.
----End
8.3.5 (Optional) Configuring a Path Cost of a Port in an MSTI
The MSTP path cost determines root port selection in an MSTI. The port with the lowest path
cost to the root bridge is selected as the root port.
Context
A path cost is port-specific and is used by MSTP to select a link.
Path costs of ports are an important basis for calculating spanning trees. If you set different path
costs for a port in different MSTIs, VLAN traffic can be transmitted along different physical
links for load balancing.
In the Huawei proprietary calculation method for example, the link rate determines the
recommended value for the path cost. The following table lists the recommended path costs for
ports with different link rates.
Table 8-6 Mappings between link rates and path cost values
Link Rate Recommended
Path Cost
Recommended
Path Cost Range
Path Cost Range
10 Mbit/s 2000 200 to 20000 1 to 200000
100 Mbit/s 200 20 to 2000 1 to 200000
1 Gbit/s 20 2 to 200 1 to 200000
10 Gbit/s 2 2 to 20 1 to 200000
Higher than 10 Gbit/
s
1 1 to 2 1 to 200000

If a network has loops, it is recommended that you set a relatively large path cost for ports with
low link rates. MSTP then blocks these ports.
Procedure
Step 1 Run:
system-view
215
Step 2 Run:
stp pathcost-standard { dot1d-1998 | dot1t | legacy }
A path cost calculation method is configured.
By default, the IEEE 802.1t standard (dot1t) is used to calculate the default path cost.
All switching devices on a network must use the same path cost calculation method.
Step 3 Run:
Step 4 Run:
stp instance instance-id cost cost
A path cost is set for the port in the current MSTI.
l When the Huawei proprietary calculation method is used, cost ranges from 1 to 200000.
l When the IEEE 802.1d standard method is used, cost ranges from 1 to 65535.
l When the IEEE 802.1t standard method is used, cost ranges from 1 to 200000000.
----End
8.3.6 (Optional) Configuring a Port Priority in an MSTI
A port with a smaller priority value is more likely to be selected as a designated port, and a port
with a larger priority value is more likely to be blocked.
Context
During spanning tree calculation, port priorities in MSTIs determine which ports are selected as
designated ports.
To block a port in an MSTI to eliminate loops, set the port priority value to larger than the default
value. This port will be blocked during designated port selection.
Procedure
Step 1 Run:
system-view
Step 2 Run:
Step 3 Run:
stp instance instance-id port priority priority
A port priority is set in an MSTI.
By default, the port priority is 128.
216
The value range of the priority is from 0 to 240, in steps of 16.
----End
8.3.7 Enabling MSTP
After configuring basic MSTP functions on a switching device, enable MSTP function.
Context
After MSTP is enabled on a ring network, it immediately calculates spanning trees on the
network. Configurations on the switching device, such as, the switching device priority and port
priority, will affect spanning tree calculation. Any change to the configurations may cause
network flapping. Therefore, to ensure rapid and stable spanning tree calculation, perform basic
configurations on the switching device and its ports and enable MSTP.
Procedure
Step 1 Run:
system-view
Step 2 Run:
stp enable
MSTP is enabled on the switching device.
By default, the MSTP function is enabled on the AR1200-S.
----End
After configuring basic MSTP functions, you can verify the configurations.
Prerequisites
All configurations for basic MSTP functions are complete.
Procedure
l Run the display stp [ instance instance-id ][ interface { interface-type interface-
number } ] [ brief ] command to view spanning-tree status and statistics.
l Run the display stp region-configuration command to view configurations of activated
MST regions.
l Run the display stp region-configuration digest command to view the digest
configurations of activated MST regions.
----End
Example
Run the display stp command to view the spanning-tree working mode, priorities of switching
devices, path cost calculation method, and path cost of a root port. For example:
217
<Huawei> display stp instance 0 interface ethernet 0/0/1
-------[CIST Global Info][ Mode MSTP ]-------
CIST Bridge :32768.00e0-fc0e-a421
CIST Root/ERPC :32768.00e0-fc0e-a421 / 0
CIST RegRoot/IRPC :32768.00e0-fc0e-a421 / 0
BPDU-Protection :disabled
----[Port3(Ethernet0/0/1)] [ FORWARDING ]----
Port Role :CIST Designated Port
Port Priority :128
Port Cost(Dot1T) :Config=100 / Active=100
Designated Bridge/Port :32768.00e0-fc0e-a421 / 128.1229
Port Edged :Config=disabled / Active=disabled
Port Stp Mode :MSTP
Port Protocol Type :Config=auto / Active= dot1s
TC or TCN send :0
BPDU Sent :0
BPDU Received :0
Run the display stp region-configuration command to view configurations of an activated MST
region, including the region name, VLAN-to-instance mapping, and revision number. For
example:
<Huawei> display stp region-configuration
Oper Configuration
Format selector :0
Region name :huawei
revision level :0
Instance Vlans Mapped
0 21 to 4094
1 1 to 10
2 11 to 20
Run the display stp region-configuration digest command to view the digest configurations
of an activated MST region, including the region name, revision number and digest. For example:
<Huawei> display stp region-configuration digest
Oper Configuration
Format selector :0
Region name :huawei
Revision level :0
Digest :0x5F762D9A46311EFFB7A488A3267FCA9F
8.4 Configuring MSTP Parameters on an Interface
Proper MSTP parameter settings achieve rapid convergence.
218
Before configuring basic MSTP parameters, familiarize yourself with the applicable
On some networks, MSTP parameters will affect the speed of network convergence. Proper
MSTP parameter settings help implement rapid network convergence.
NOTE
The default parameters can also be used to complete MSTP rapid convergence. Therefore, the configuration
procedures and steps in this command task are all optional.
Before configuring MSTP parameters, complete the following task:
l Configuring basic MSTP functions
Data Preparation
To configure MSTP parameters, you need the following data.
No. Data
1 Network diameter
2 Hello time, forwarding delay time, maximum aging time, and timeout period for
waiting for BPDUs from the upstream (3 x hello time x time factor)
3 Maximum hop count in an MST region
4 Link type of a port
5 Whether the port uses the rapid state transition mechanism
6 Whether the port needs to transition to the RSTP mode
7 Maximum number of sent BPDUs
8 Whether the port needs to be configured as an edge port
9 Whether the edge port needs to be enabled to go Up automatically after being shut
down
10 Whether the port needs to clear the spanning tree statistics
11 Whether the edge port needs to be configured as a BPDU filter

8.4.2 Configuring System Parameters
MSTP parameters that may affect network convergence include the network diameter, Hello
timer, and timeout period for waiting for BPDUs from the upstream device (3 x Hello timer
219
value x Time factor). Proper MSTP parameter settings help implement rapid network
convergence.
Procedure
Step 1 Run:
system-view
Step 2 Run:
stp bridge-diameter diameter
The network diameter is configured.
By default, the network diameter is 7.
l RSTP uses a single spanning tree instance on the entire network. As a result, performance
deterioration cannot be prevented when the network scale grows. Therefore, the network
diameter cannot be larger than 7.
l It is recommended that you run the stp bridge-diameter diameter command to set the
network diameter. Then, the switching device calculates the optimal Forward Delay period,
Hello timer value, and Max Age timer value based on the set network diameter.
Step 3 Run:
stp timer-factor factor
The timeout period for waiting for BPDUs from the upstream device is set.
By default, the timeout period is 9 times the Hello timer value.
Step 4 (Optional) If the current device is at the edge of a network, run both or either of the following
commands as needed:
l To configure all ports on the devices as edge ports, run:
stp edged-port default
After ports on a network edge device are configured as edge ports, the ports no longer
participate in spanning tree calculation. This speeds up network topology convergence and
improves network stability.
l To configure all ports on the devices as BPDU filter ports, run:
stp bpdu-filter default
By default, a port is a non-BPDU filter port.
After ports on a network edge device are configured as BPDU filter ports, the ports no longer
process or send BPDUs.
WARNING
After the stp bpdu-filter default and stp edged-port default commands are run in the system
view, all ports on the device no longer actively send BPDUs or negotiate with directly-connected
ports; instead, all the ports are in the Forwarding state. This may lead to a loop on the network,
causing broadcast storms. Exercise caution when running these commands.
220
Step 5 (Optional) To set the Forward Delay period, Hello timer, and Max Age timer, perform the
following operations:
l Run the stp timer forward-delay forward-delay command to set the Forward Delay timer.
The default Forward Delay timer of a switching device is 1500 centiseconds.
l Run the stp timer hello hello-time command to set the Hello timer.
The default Hello timer of a switching device is 200 centiseconds.
l Run the stp timer max-age max-age command to set the Max Age timer.
The default Max Age timer of a switching device is 2000 centiseconds.
NOTE
The values of the Hello timer, Forward Delay timer, and Max Age timer must comply with the following
formulas; otherwise, network flapping occurs.
l 2 x (Forward Delay - 1.0 second) >= Max Age
l Max Age >= 2 x (Hello Time + 1.0 second)
Step 6 Run:
stp max-hops hop
The maximum hop count is set for the MST region.
By default, the maximum hop count in an MST region is 20.
Step 7 Run:
stp mcheck
MCheck is enabled.
On a switching device running MSTP, if an interface is connected to a device running STP, the
interface automatically transitions to the STP mode.
Enabling MCheck on the interface is required because the interface may fail to automatically
transition to the MSTP mode in the following situations:
l The switching device running STP transitions to the MSTP mode.
NOTE
If you run the stp mcheck command in the system view, the MCheck operation is performed on all the
interfaces.
----End
8.4.3 Configuring Port Parameters
Port parameters that may affect MSTP topology convergence include the link type and maximum
number of sent BPDUs. Proper port parameter settings help implement rapid topology
convergence.
Procedure
Step 1 Run:
system-view
221
Step 2 Run:
stp point-to-point { auto | force-false | force-true }
The link type is configured for the interface.
By default, an interface automatically determines whether to connect to a P2P link. The P2P link
supports rapid network convergence.
l If the Ethernet port works in full-duplex mode, the port is connected to a P2P link. In this
case, force-true can be configured to implement rapid network convergence.
l If the Ethernet port works in half-duplex mode, you can run stp point-to-point force-true
to forcibly set the link type to P2P.
Step 4 Run:
stp mcheck
MCheck is enabled.
On a switching device running MSTP, if an interface is connected to a device running STP, the
interface automatically transitions to the STP mode.
You must enable MCheck on the interface because the interface may fail to automatically
transition to the MSTP mode in the following situations:
l The switching device running STP transitions to the MSTP mode.
Step 5 Run:
stp transmit-limit packet-number
The maximum number of BPDUs sent by a port within each Hello time is set.
By default, the maximum number of BPDUs that a port sends within each Hello time is 147.
stp edged-port enable
The port is configured as an edge port.
If a device port is connected to a terminal, you can run this command to configure the port as
an edge port.
If the current port has been configured as an edge port, the port can still send BPDUs. This may
cause BPDUs to be sent to other networks, leading to network flapping. To prevent this problem,
run the stp bpdu-filter enable command to configure the edge port as a BPDU filter port and
disable the port from processing or sending BPDUs.
222
WARNING
After the stp bpdu-filter enable command is run on a port, the port no longer processes or sends
BPDUs. The port will not negotiate with the directly-connected port to establish an STP
connection.
Step 7 Run:
quit
error-down auto-recovery cause cause-item interval interval-value
The auto recovery function on an edge port is configured. This function enables a port in the
error-down state to automatically go Up after the specified delay.
There is no default value for the recovery time. Therefore, you must specify a delay when using
this command.
----End
Follow-up Procedure
When the topology of a spanning tree changes, the forwarding paths to associated VLANs are
changed. The ARP entries corresponding to those VLANs on the switching device need to be
updated. MSTP processes ARP entries in either fast or normal mode.
l In fast mode, ARP entries to be updated are directly deleted.
l In normal mode, ARP entries to be updated are rapidly aged.
The remaining lifetime of ARP entries to be updated is set to 0. The switching device rapidly
processes these aged entries. If the number of ARP aging probe attempts is not set to 0,
ARP implements aging probe for these ARP entries.
In either fast or normal mode, MAC entries are directly deleted.
You can run the stp converge { fast | normal } command in the system view to configure the
MSTP convergence mode.
By default, the MSTP convergence is configured as normal.
NOTE
The normal mode is recommended. If the fast mode is adopted, ARP entries will be frequently deleted,
causing the CPU usage on the MPU or LPU to reach 100%. As a result, network flapping will frequently
occur.
After MSTP parameters are configured, you can verify the configurations.
Prerequisites
The configurations for MSTP parameters are complete.
223
Procedure
l Run the display stp [ instance instance-id ] [ interface { interface-type interface-
----End
Example
Run the display stp command to view values of MSTP parameters, including the Hello timer,
Forward Delay timer, Max Age timer, maximum hop count, and maximum number of BPDUs
allowed to be sent within each Hello time interval. You can also check whether the link connected
to the port is a P2P link. For example:
BPDU-Protection :Disabled
Port Priority :128
Port Cost(Dot1T ) :Config=100 / Active=100
Port Stp Mode :MSTP
BPDU Sent :0
BPDU Received :0
8.5 Configuring MSTP Protection Functions
This section describes how to configure MSTP protection functions. You can configure one or
more functions.
Before configuring MSTP protection functions, familiarize yourself with the applicable
MSTP provides the protection functions listed in Table 8-7.
224
Table 8-7 MSTP protection
MSTP
Protection
BPDU
protection
non-edge port after
occurs.
changed.
advertising network
Root
protection
Due to incorrect
BPDUs with a higher
changed, triggering
traffic congestion.
To address this issue, the root protection
function can be configured to protect the root
bridge by preserving the role of the
designated port. With this function, when the
designated port receives RST BPDUs with a
higher priority, the port enters the Discarding
state and does not forward the BPDUs. If the
port does not receive any RST BPDUs with a
higher priority for a certain period (double the
Forward Delay), the port transitions to the
Forwarding state.
225
MSTP
Protection
Loop
protection
incorrectly and after the
situation.
The loop protection function can be used to
prevent such network loops. If the root port
or alternate port cannot receive RST BPDUs
from the upstream switching device, the root
port is blocked and the switching device
Discarding state. The blocked port remains in
the Blocked state and no longer forwards
packets. This function helps prevent loops on
the network. The root port transitions to the

NOTE
Each device has a default MSTP process with the ID of 0. MSTP configurations in the system view and
interface view both belong to this process.
Before configuring MSTP protection functions on a switching device, complete the following
task:
NOTE
Configure an edge port on the switching device before configuring BPDU protection.
Data Preparation
To configure MSTP protection functions on a switching device, you need the following data.
No. Data
1 Number of the port on which root protection is to be enabled
2 Number of the port on which loop protection is to be enabled

8.5.2 Configuring BPDU Protection on a Switching Device
After BPDU protection is enabled on a switching device, the switching device shuts down an
edge port if the edge port receives a BPDU, and notifies the NMS of the shutdown event.
Context
Edge ports are directly connected to user terminal and will not receive BPDUs. Attackers may
send pseudo BPDUs to attack the switching device. If the edge ports receive the BPDUs, the
switching device configures the edge ports as non-edge ports and triggers a new spanning tree
226
calculation. Network flapping then occurs. BPDU protection can be used to protect switching
devices against malicious attacks.
Perform the following steps on a switching device that has an edge port.
Procedure
Step 1 Run:
system-view
Step 2 Run:
stp bpdu-protection
BPDU protection is enabled on the switching device.
By default, BPDU protection is not enabled on the switching device.
----End
Follow-up Procedure
To allow an edge port to automatically start after being shut down, you can run the error-down
auto-recovery cause bpdu-protection interval interval-value command to configure the auto
recovery function and set the delay on the port. After the delay expires, the port automatically
goes Up. interval interval-value ranges from 30 to 86400, in seconds. Note the following when
setting this parameter:
l There is no default value for the recovery time. Therefore, you must specify a delay when
configuring this command.
l The smaller the interval-value is, the shorter it takes for the edge port to go Up, and the
more frequently the edge port alternates between Up and Down.
l The larger the interval-value is, the longer it takes for the edge port to go Up, and the longer
the service interruption lasts.
8.5.3 Configuring TC Protection on a Switching Device
After TC protection is enabled, you can set the number of times an MSTP process processes TC
BPDUs within a given time. TC protection avoids frequent deletion of MAC address entries and
ARP entries, thereby protecting switching devices.
Context
Attackers may send pseudo TC BPDUs to attack switching devices. Switching devices receive
a large number of TC BPDUs in a short time and delete entries frequently, which burdens system
processing and degrades network stability.
TC protection is used to suppress TC BPDUs. You can configure the number of times a switching
device processes TC BPDUs within a given time period. If the number of TC BPDUs that the
switching device receives within a given time exceeds the specified threshold, the switching
device processes only the specified number of TC BPDUs. After the specified time period
expires, the device processes the excess TC BPDUs for once. This function prevents the
switching device from frequently deleting MAC entries and ARP entries, saving CPU resources.
227
Procedure
Step 1 Run:
system-view
Step 2 Run:
stp tc-protection
TC protection is enabled for the MSTP process.
By default, TC protection is not enabled on the switching device.
Step 3 Run:
stp tc-protection threshold threshold
The number of times the MSTP process handles the received TC BPDUs and updates forwarding
entries within a given time is set.
NOTE
The given time is specified by the MSTP Hello timer set by using the stp timer hello hello-time command.
----End
8.5.4 Configuring Root Protection on an Interface
The root protection function on a switching device protects a root bridge by preserving the role
of a designated port.
Context
Due to incorrect configurations or malicious attacks on the network, a root bridge may receive
BPDUs with a higher priority. Consequently, the legitimate root bridge is no longer able to serve
as the root bridge and the network topology is changed, triggering spanning tree recalculation.
This also may cause the traffic that should be transmitted over high-speed links to be transmitted
over low-speed links, leading to network congestion. The root protection function on a switching
device is used to protect the root bridge by preserving the role of the designated port.
NOTE
Root protection takes effect only on designated ports.
Perform the following steps on the root bridge in an MST region.
Procedure
Step 1 Run:
system-view
Step 2 Run:
Step 3 Run:
228
stp root-protection
Root protection is configured on the switching device.
By default, root protection is disabled.
----End
8.5.5 Configuring Loop Protection on an Interface
The loop protection function suppresses loops caused by link congestion.
Context
On a network running MSTP, a switching device maintains the root port status and status of
blocked ports by receiving BPDUs from an upstream switching device. If the switching device
cannot receive BPDUs from the upstream device because of link congestion or unidirectional-
link failure, the switching device re-selects a root port. The original root port becomes a
designated port and the original blocked ports change to the Forwarding state. This switching
may cause network loops, which can be mitigated by configuring loop protection.
After loop protection is configured, if the root port or alternate port does not receive BPDUs
from the upstream switching device, the root port is blocked and the switching device notifies
the NMS that the port enters the Discarding state. The blocked port remains in the Blocked state
and no longer forwards packets. This function helps prevent loops on the network. The root port
transitions to the Forwarding state after receiving new BPDUs.
NOTE
An alternate port is a backup port for a root port. If a switching device has an alternate port, you need to
configure loop protection on both the root port and the alternate port.
Perform the following steps on the root port and alternate port on a switching device in an MST
region.
Procedure
Step 1 Run:
system-view
Step 2 Run:
Step 3 Run:
stp loop-protection
Loop protection for the root port is configured on the switching device.
By default, loop protection is disabled.
----End
After MSTP protection functions are configured, you can verify the configurations.
229
Prerequisites
All configurations for MSTP protection functions are complete.
Procedure
----End
Example
Run the display stp command to view the BPDU protection status and configured protection
type on a switching device. For example:
-------[CIST Global Info][Mode MSTP]-------
BPDU-Protection :Enabled
STP Converge Mode :Fast
----[Port3(Ethernet0/0/1)][FORWARDING]----
Port Priority :128
Protection Type :Root
Port Stp Mode :MSTP
BPDU Sent :43
BPDU Received :3
8.6 Configuring MSTP Interoperability Between Huawei
Devices and Non-Huawei Devices
To enable Huawei devices to work with non-Huawei devices on an MSTP-capable network,
configure the BPDU format, MSTP protocol packet format, and digest snooping function on the
Huawei devices.
Before configuring MSTP interoperability between Huawei devices and non-Huawei devices,
familiarize yourself with the applicable environment, complete the pre-configuration tasks, and
obtain the data required for the configuration. This will help you complete the configuration task
quickly and accurately.
230
On an MSTP network, inconsistent protocol packet formats and BPDU keys may lead to a
communication failure. Setting MSTP parameters correctly on Huawei devices ensures
interoperability between Huawei devices and non-Huawei devices.
Before configuring MSTP interoperability between Huawei devices and non-Huawei devices,
complete the following task:
Data Preparation
To configure MSTP interoperability between Huawei devices and non-Huawei devices, you
need the following data.
No. Data
1 MSTP protocol packet format

8.6.2 Configuring a Proposal/Agreement Mechanism
To enable Huawei devices to communicate with non-Huawei devices, configure an appropriate
rapid transition mechanism on Huawei devices according to the Proposal/Agreement mechanism
on non-Huawei devices.
Context
The rapid transition mechanism is also called the Proposal/Agreement mechanism. All switching
devices support the following modes:
l Enhanced mode: The current interface counts the root port calculation when it computes
the synchronization flag bit.
An upstream device sends a Proposal message to a downstream device, requesting rapid
status transition. After receiving the message, the downstream device sets the port
connected to the upstream device as a root port and blocks all non-edge ports.
The upstream device then sends an Agreement message to the downstream device. After
the downstream device receives the message, the root port transitions to the Forwarding
state.
The downstream device responds to the Proposal message with an Agreement message.
After receiving the message, the upstream device sets the port connected to the
downstream device as a designated port, and the designated port transitions to the
Forwarding state.
l Common mode: The current interface ignores the root port when it computes the
synchronization flag bit.
An upstream device sends a Proposal message to a downstream device, requesting rapid
status transition. After receiving the message, the downstream device sets the port
231
connected to the upstream device as a root port and blocks all non-edge ports. The root
port then transitions to the Forwarding state.
The downstream device responds to the Proposal message with an Agreement message.
After receiving the message, the upstream device sets the port connected to the
downstream device as a designated port. The designated port then transitions to the
Forwarding state.
When Huawei devices are connected to non-Huawei devices, select the same mode as that used
on non-Huawei devices.
Procedure
Step 1 Run:
system-view
Step 2 Run:
Step 3 Run:
stp no-agreement-check
The common rapid transition mechanism is configured.
By default, the interface uses the enhanced rapid transition mechanism.
----End
8.6.3 Configuring the MSTP Protocol Packet Format on an Interface
MSTP protocol packets can be transmitted in auto, dot1s, or legacy mode. The default mode is
auto.
Context
MSTP protocol packets have two formats: dot1s (IEEE 802.1s standard packets) and legacy
(proprietary protocol packets). The auto mode was designed to allow an interface to
automatically use the format of MSTP protocol packets sent from the remote interface. In this
manner, the two interfaces use the same MSTP protocol packet format.
Procedure
Step 1 Run:
system-view
Step 2 Run:
Step 3 Run:
stp compliance { auto | dot1s | legacy }
232
The MSTP protocol packet format is configured on the interface.
The auto mode is used by default.
NOTE
The negotiation will fail if the format of MSTP packets is set to dot1s on one end and legacy on the other
end.
----End
8.6.4 Enabling the Digest Snooping Function
Interconnected Huawei and non-Huawei devices cannot communicate with each other if they
have the same region name, revision number, and VLAN-to-instance mappings but different
BPDU keys. To address this problem, enable the digest snooping function on the Huawei device.
Context
Perform the following steps on a switching device in an MST region to enable the digest snooping
function.
Procedure
Step 1 Run:
system-view
Step 2 Run:
Step 3 Run:
stp config-digest-snoop
The digest snooping function is enabled.
----End
After MSTP parameters are configured for the interoperability between Huawei devices and
non-Huawei devices, you can verify the configurations.
Prerequisites
All the configurations for the interoperability between Huawei devices and non-Huawei devices
are complete.
Procedure
----End
233
Example
Run the display stp command to view the spanning-tree working mode, BPDU format and
MSTP protocol packet format, and configuration for the digest snooping function. For example:
BPDU-Protection :Disabled
Port Priority :128
Config-digest-snoop:snooped=false
Port Stp Mode :MSTP
BPDU Sent :0
BPDU Received :0
Run the display this command in the view of the interface participating in STP calculation to
view the fast transition mechanism configured on the interface. Use the following command
output as an example:
[Huawei-GigabitEthernet1/0/1] display this
#
portswitch
undo shutdown
stp no-agreement-check
return
8.7 Maintaining MSTP
MSTP maintenance includes clearing MSTP statistics.
8.7.1 Clearing MSTP Statistics
You can run the reset command to clear MSTP statistics.
Context
CAUTION
MSTP statistics cannot be restored after being cleared.
234
Procedure
Step 1 Run the reset stp [ interface interface-type interface-number ] statistics command to clear
spanning-tree statistics.
----End
and procedures for some typical application scenarios for MSTP, and also provides the related
configuration files.
8.8.1 Example for Configuring Basic MSTP Functions
This example shows how to configure basic MSTP functions.
On a complex network, loops are inevitable. With the requirement for network redundancy
backup, network designers tend to deploy multiple physical links between two devices, one of
which is the master and the others are the backup. Loops are likely or bound to occur in such a
situation.
network. Loops also cause flapping of MAC address tables and damages MAC address entries.
MSTP can be deployed to eliminate loops. MSTP blocks redundant links on a Layer 2 network
and trims the network into a loop-free tree.
As shown in Figure 8-7, to load balance traffic of VLANs 2 to 10 and traffic of VLANs 11 to
20, multiple MSTIs are created. MSTP defines a VLAN mapping table in which VLANs are
associated with spanning tree instances. Run MSTP on RouterA, SwitchA, SwitchB, SwitchC
and SwitchD.
235
Figure 8-7 Networking diagram of configuring basic MSTP functions
PC1
RouterA
Eth0/0/1
Network
SwitchA
RG1
SwitchB
PC2
Eth0/0/0
SwitchC SwitchD
PC3
PC4
VLAN2~10
VLAN11~20
MSTI1
MSTI2
Root Switch:RouterA
Root Switch:RouterA
MSTI1:
MSTI2:
Blocked port
Blocked port
Eth0/0/1
Eth0/0/2
Eth0/0/1
Eth0/0/3
Eth0/0/2
E
t
h
0
/
0
/
4
E
t
h
0
/
0
/
4
Eth0/0/3
Eth0/0/2
Eth0/0/1
Eth0/0/2
Eth0/0/1
E
t
h
0
/
0
/
3
E
t
h
0
/
0
/
3
MST
Region
236

1. Configure basic MSTP functions, including:
a. Configure the MSTP mode for the ring network.
b. Configure an MST region and create multiple MSTIs to implement load balancing.
c. In the MST region, configure a primary root bridge and a secondary root bridge for
each MSTI.
d. Set path costs for ports to be blocked in each MSTI.
e. Enable MSTP to eliminate loops, including:
l Enable MSTP globally.
l Enable MSTP on all the interfaces except the interfaces connected to terminals.
NOTE
MSTP is not required on the interfaces connected to terminals because these interfaces do not
need to participate in MSTP calculation.
2. Configure MSTP protection functions, for example, configure root protection on a
designated port of a root bridge in each MSTI.
3. Configure the Layer 2 forwarding function on devices.
Data Preparation
l Region name RG1
l MSTIs, MSTI 1 and MSTI 2
l Ethernet interface numbers shown in Figure 8-7
l Primary and secondary root bridges of MSTI 1 (RouterA and SwitchA respectively) and
primary and secondary root bridges of MSTI 2 (RouterA and SwitchB respectively)
l Path costs of the ports to be blocked (2000000)
l VLAN IDs (2 to 20)
l VLAN to which PC1 and PC2 belongs (VLAN 10), VLAN to which PC3 and PC4 belongs
(VLAN 20)
l Add interfaces on SwitchC to VLAN (2 to 10). Add interfaces on SwitchD to VLAN (11
to 20). Add interfaces on other switching devices to VLAN (2 to 20)
Procedure
Step 1 Configure basic MSTP functions.
1. Configure the MSTP mode for the devices on the ring network.
# Configure the MSTP mode on RouterA.
[RouterA] stp mode mstp
# Configure the MSTP mode on SwitchA, SwitchB, SwitchC and SwitchD.
237
NOTE
l Huawei 2300 Series Switch is configured in this example. If the Switch devices are not Huawei
2300 Series, refer to the devices' manual of configuration guide.
2. Add all devices to MST region RG1, and create two MSTIs. MSTI1 maps to VLAN (2 to
10), and MSTI2 maps to VLAN (11 to 20).
# Configure RouterA to MST region.
[RouterA] stp region-configuration
[RouterA] region-name RG1
[RouterA] instance 1 vlan 2 to 10
[RouterA] instance 2 vlan 11 to 20
[RouterA] active region-configuration
[RouterA] quit
# Configure SwitchA, SwitchB, SwitchC and SwitchD to MST region RG1, and create two
MSTIs. MSTI1 maps to VLAN (2 to 10), and MSTI2 maps to VLAN (11 to 20).
3. In RG1, configure primary and secondary root bridges for MSTI1 and MSTI2.
# Configure primary root bridge on RouterA in MSTI1.
[RouterA] stp instance 1 root primary
# Configure secondary root bridge on SwitchA in MSTI1.
# Configure primary root bridge on RouterA in MSTI2.
[RouterA] stp instance 2 root primary
# Configure secondary root bridge on SwitchB in MSTI2.
4. Set the path costs of the ports to be blocked in MSTI1 and MSTI2 to be larger than the
default value.
NOTE
l The values of path costs depend on path cost calculation methods. Use the Huawei proprietary
calculation method as an example to set the path costs of the ports to be blocked to 200000.
methods.
method.
# As shown in Figure 8-7, set the path cost of Eth0/0/4 on SwitchC to 200000 in MSTI1.
# As shown in Figure 8-7, set the path cost of Eth0/0/4 on SwitchD to 200000 in MSTI2.
5. Enable MSTP to eliminate loops.
l Disable MSTP on interfaces connected to PCs.
# As shown in Figure 8-7, disable MSTP on interface Eth0/0/2 and Eth0/0/3 of SwitchC.
# As shown in Figure 8-7, disable MSTP on interface Eth0/0/2 and Eth0/0/3 of SwitchD.
l Enable MSTP globally.
# Enable MSTP globally on RouterA.
# Enable MSTP globally on SwitchA, SwitchB, SwitchC and SwitchD.
l Enable MSTP on all the interfaces except the interfaces connected to terminals.
# Enable MSTP on RouterA Eth0/0/0 and Eth0/0/1.
238
# As shown in Figure 8-7, Enable MSTP on all interfaces except the interfaces
connected to terminals, for SwitchA, SwitchB, SwitchC and SwitchD.
Step 2 Configure MSTP protection function.
# Enable root protection on RouterA Eth0/0/0 and Eth0/0/1.
Step 3 Configure the Layer 2 forwarding function on devices in the ring.
l Create VLANs on RouterA, SwitchA, SwitchB, SwitchC and SwitchD.
# Create VLANs 2 to 20 on RouterA.
[RouterA] vlan batch 2 to 20
# Create VLANs 2 to 20 on SwitchA and SwitchB.
# Create VLANs 2 to 10 on SwitchC.
# Create VLANs 11 to 20 on SwitchD.
l Add interfaces on the switching devices in the ring to VLANs.
# Add RouterA Eth0/0/0 and Eth0/0/1 to VLAN 2 to 20.
[RouterA-Ethernet0/0/0] port trunk allow-pass vlan 2 to 20
[RouterA-Ethernet0/0/1] port trunk allow-pass vlan 2 to 20
# Add interfaces Eth0/0/1, Eth0/0/2 and Eth0/0/3 on SwitchA and SwitchB to VLAN 2 to
20.
# Add interfaces Eth0/0/1, Eth0/0/2, Eth0/0/3 and Eth0/0/4 on SwitchC to VLAN 2 to 10.
# Add interfaces Eth0/0/1, Eth0/0/2, Eth0/0/3 and Eth0/0/4 on SwitchD to VLAN 11 to 20.
# run display stp brief on RouterA to view the interface status and protection type. The displayed
information is as follows:
239
In MSTI1, after RouterA is configured as a root bridge, RouterA Eth0/0/0 and Eth0/0/1 are
elected as designated ports during spanning tree calculation. In MSTI2, after RouterA is
configured as a root bridge, RouterA Eth0/0/0 and Eth0/0/1 are elected as designated ports during
spanning tree calculation.
# Verify the interface status and protection type on SwitchA. In MSTI1, interface Eth0/0/1 is
elected as root port, interfaces Eth0/0/2 and Eth0/0/3 are elected as designated ports. In MSTI2,
interface Eth0/0/1 is elected as root port, interfaces Eth0/0/2 and Eth0/0/3 are elected as
designated ports.
# Verify the interface status and protection type on SwitchB. In MSTI1, interface Eth0/0/1 is
elected as root port, interfaces Eth0/0/2 and Eth0/0/3 are elected as designated ports. In MSTI2,
interface Eth0/0/1 is elected as root port, interfaces Eth0/0/2 and Eth0/0/3 are elected as
designated ports.
# Verify the interface status and protection type on SwitchC. In MSTI1, interface Eth0/0/1 is
elected as root port, interface Eth0/0/4 is blocked. In MSTI2, interface Eth0/0/1 is elected as
root port, interface Eth0/0/4 is elected as designated port.
# Verify the interface status and protection type on SwitchD. In MSTI1, interface Eth0/0/1 is
elected as root port, interface Eth0/0/4 is elected as designated port. In MSTI2, interface
Eth0/0/1 is elected as root port, interface Eth0/0/4 is blocked.
----End
Configuration Files
#
sysname
RouterA
#
vlan batch 2 to
20
#
stp instance 1 root
primary
stp instance 2 root
primary
legacy
#
stp region-
configuration
region-name
RG1
instance 1 vlan 2 to
10
20
active region-
configuration
#
port trunk allow-pass vlan 2 to
20
stp root-
protection
#
240
20
stp root-
protection
#
return
#
sysname
SwitchA
#
vlan batch 2 to
20
#
stp instance 1 root
secondary
legacy
#
stp region-
configuration
region-name
RG1
10
20
active region-
configuration
#
20
#
20
#
20
#
return
#
sysname
SwitchB
#
vlan batch 2 to
20
#
stp instance 2 root
secondary
legacy
#
stp region-
configuration
region-name
RG1
10
20
active region-
configuration
241
#
20
#
20
#
20
#
return
#
sysname
SwitchC
#
vlan batch 2 to
10
#
legacy
#
stp region-
configuration
region-name
RG1
10
20
active region-
configuration
#
10
#
10
stp disable
#
10
stp disable
#
10
stp instance 1 cost
200000
#
return
#
sysname
SwitchD
242
#
vlan batch 11 to
20
#
legacy
#
stp region-
configuration
region-name
RG1
10
20
active region-
configuration
#
20
#
20
stp disable
#
20
stp disable
#
20
stp instance 2 cost
200000
#
return
243

Configuration Guide - LAN (V200R002C00 - 02)

Загружено:

Сведения о документе

Исходное описание:

Оригинальное название

Авторское право

Доступные форматы

Поделиться этим документом

Поделиться или встроить документ

Параметры публикации

Этот документ был вам полезен?

Это неприемлемый материал?

Авторское право:

Доступные форматы

Configuration Guide - LAN (V200R002C00 - 02)

Загружено:

Авторское право:

Доступные форматы

Huawei AR1200-S Series Enterprise Routers

Attribute Length Attribute Event Attribute Value

Вам также может понравиться