
AC6605 Access Controller
V200R002C00
Configuration Guide

Issue: 04
Date: 2013-06-15

HUAWEI TECHNOLOGIES CO., LTD.

Copyright Huawei Technologies Co., Ltd. 2013. All rights reserved.


No part of this document may be reproduced or transmitted in any form or by any means without prior written
consent of Huawei Technologies Co., Ltd.

Trademarks and Permissions
The Huawei logo and other Huawei trademarks are trademarks of Huawei Technologies Co., Ltd.
All other trademarks and trade names mentioned in this document are the property of their respective holders.

Notice
The purchased products, services and features are stipulated by the contract made between Huawei and the
customer. All or part of the products, services and features described in this document may not be within the
purchase scope or the usage scope. Unless otherwise specified in the contract, all statements, information,
and recommendations in this document are provided "AS IS" without warranties, guarantees or representations
of any kind, either express or implied.
The information in this document is subject to change without notice. Every effort has been made in the
preparation of this document to ensure accuracy of the contents, but all statements, information, and
recommendations in this document do not constitute a warranty of any kind, express or implied.

Huawei Technologies Co., Ltd.
Address: Huawei Industrial Base, Bantian, Longgang, Shenzhen 518129, People's Republic of China
Website: http://enterprise.huawei.com

Issue 04 (2013-06-15)

Huawei Proprietary and Confidential


Copyright Huawei Technologies Co., Ltd.

About This Document


Intended Audience
This document provides the concepts, configuration procedures, and configuration examples for the features supported by the AC6605.
The AC6605 provides the LSW unit and the AC unit. The LSW unit provides switch features. This document describes the AC system configuration and the WLAN configuration on the AC unit. The basic configurations are similar to those of the LSW unit. Other configurations in the document are configurations of the LSW unit.
This document is intended for:
- Network planning engineers
- Hardware installation engineers
- Commissioning engineers
- Data configuration engineers
- Onsite maintenance engineers
- Network monitoring engineers
- System maintenance engineers

Symbol Conventions
The symbols that may be found in this document are defined as follows.

Symbol    Description
DANGER    Indicates a hazard with a high level or medium level of risk which, if not avoided, could result in death or serious injury.
WARNING   Indicates a hazard with a low level of risk which, if not avoided, could result in minor or moderate injury.
CAUTION   Indicates a potentially hazardous situation that, if not avoided, could result in equipment damage, data loss, performance deterioration, or unanticipated results.
TIP       Provides a tip that may help you solve a problem or save time.
NOTE      Provides additional information to emphasize or supplement important points in the main text.

Command Conventions
The command conventions that may be found in this document are defined as follows.

Convention          Description
Boldface            The keywords of a command line are in boldface.
Italic              Command arguments are in italics.
[ ]                 Items (keywords or arguments) in brackets [ ] are optional.
{ x | y | ... }     Optional items are grouped in braces and separated by vertical bars. One item is selected.
[ x | y | ... ]     Optional items are grouped in brackets and separated by vertical bars. One item is selected or no item is selected.
{ x | y | ... }*    Optional items are grouped in braces and separated by vertical bars. A minimum of one item or a maximum of all items can be selected.
[ x | y | ... ]*    Optional items are grouped in brackets and separated by vertical bars. You can select one or several items, or select no item.
&<1-n>              The parameter before the & sign can be repeated 1 to n times.
#                   A line starting with the # sign is a comment.

Interface Numbering Conventions
Interface numbers used in this manual are examples. In device configuration, use the existing interface numbers on the devices.

Password Setting Conventions
- If a password is set in plain text mode, the password is saved as plain text in the configuration file, which brings security risks. Therefore, the cipher text mode is recommended for password setting. You are advised to change passwords regularly to ensure device security.
- If a password is set to a valid cipher text string (one that can be decrypted on the device) that starts and ends with %$%$, the same cipher text is displayed when you check the configuration file on the device. Therefore, this password setting method is not recommended.

Change History
Changes between document issues are cumulative. The latest document issue contains all changes made in previous issues.

Issue 04 (2013-06-15)
This version has the following updates.
The following information is modified:
- Descriptions and figures are optimized, improving availability.

Issue 03 (2013-03-01)
The third commercial release has the following updates.
The following information is modified:
- Configuring Interface Security

Issue 02 (2013-01-30)
The second commercial release has the following updates.
The following information is modified:
- Configuring a VAP QoS Policy
- Delivering Parameters to AP
- WLAN WDS Features Supported by the Device
- Example for Configuring WLAN WDS
- Checking the Configuration
- Configuring a Radio
- Configuring a WLAN Service Set and Binding an ESS Interface, a Traffic Profile, and a Security Profile
- (Optional) Configuring an AP Profile

Issue 01 (2012-10-31)
Initial commercial release.

Contents
About This Document.....................................................................................................................ii
1 Configuration Guide - Basic Configuration.............................................................................1
1.1 Logging In to the System for the First Time..................................................................................................................2
1.1.1 Introduction.................................................................................................................................................................2
1.1.2 Logging In to the Device Through the Console Port...................................................................................................2
1.1.3 Logging In to the AC6605 Through a Mini USB Port................................................................................................6
1.2 CLI Overview...............................................................................................................................................................13
1.2.1 CLI Introduction........................................................................................................................................................13
1.2.2 Online Help................................................................................................................................................................17
1.2.3 CLI Features..............................................................................................................................................................19
1.2.4 Shortcut Keys............................................................................................................................................................25
1.2.5 Configuration Examples............................................................................................................................................26
1.3 How to Use Interfaces..................................................................................................................................................27
1.3.1 Introduction to Interfaces...........................................................................................................................................27
1.3.2 Setting Basic Parameters of an Interface...................................................................................................................30
1.3.3 Configuring the Loopback Interface..........................................................................................................................34
1.3.4 Maintaining the Interface...........................................................................................................................................35
1.4 Basic Configuration......................................................................................................................................................35
1.4.1 Configuring the Basic System Environment.............................................................................................................36
1.4.2 Displaying System Status Messages..........................................................................................................................45
1.5 Configuring User Interfaces.........................................................................................................................................46
1.5.1 User Interface Overview............................................................................................................................................46
1.5.2 Configuring the Console User Interface....................................................................................................................48
1.5.3 Configuring the VTY User Interface.........................................................................................................................55
1.5.4 Configuration Examples............................................................................................................................................62
1.6 Configuring User Login................................................................................................................................................66
1.6.1 Overview of User Login............................................................................................................................................66
1.6.2 Logging in to the Devices Through the Console Port...............................................................................................68
1.6.3 Logging in to Devices Using Telnet..........................................................................................................................74
1.6.4 Logging in to Devices Using STelnet........................................................................................................................80
1.6.5 Common Operations After Login..............................................................................................................................92
1.6.6 Configuration Examples............................................................................................................................................96
1.7 Managing the File System..........................................................................................................................................104
1.7.1 File System Overview.............................................................................................................................................104
1.7.2 Managing Files Using the File System....................................................................................................................106
1.7.3 Managing Files Using FTP......................................................................................................................................111
1.7.4 Managing Files Using SFTP....................................................................................................................................119
1.7.5 Performing File Operations by Means of FTPS......................................................................................................129
1.7.6 Configuration Examples..........................................................................................................................................133
1.8 Configuring System Startup.......................................................................................................................................142
1.8.1 System Startup Overview........................................................................................................................................142
1.8.2 Managing Configuration Files.................................................................................................................................144
1.8.3 Specifying a File for System Startup.......................................................................................................................151
1.8.4 Configuration Examples..........................................................................................................................................153
1.9 Accessing Another Device.........................................................................................................................................155
1.9.1 Accessing Another Device......................................................................................................................................155
1.9.2 Logging in to Other Devices Using Telnet..............................................................................................................161
1.9.3 Logging in to Another Device Using STelnet.........................................................................................................163
1.9.4 Accessing Files on Another Device Using TFTP....................................................................................................167
1.9.5 Accessing Files on Another Device Using FTP......................................................................................................171
1.9.6 Accessing Files on Another Device Using SFTP....................................................................................................177
1.9.7 Accessing Files on Another Device by Using FTPS...............................................................................................183
1.9.8 Configuration Examples..........................................................................................................................................190

2 Configuration Guide - Device Management........................................................................228


2.1 Using display commands to check the status of the device........................................................................................229
2.1.1 Introduction.............................................................................................................................................................229
2.1.2 Checking the Status of the AC6605........................................................................................................................229
2.2 Hardware Management...............................................................................................................................................233
2.2.1 Hardware Management Overview...........................................................................................................................234
2.2.2 Hardware Management Features Supported by the AC6605..................................................................................234
2.2.3 Backing Up the Electronic Label.............................................................................................................................234
2.2.4 Configuring Electrical Port Sleep............................................................................................................................235
2.2.5 Configuring the Power-Saving Mode......................................................................................................................236
2.2.6 Configuring the Alarm Function for Optical Modules............................................................................................238
2.3 Monitoring the Device Through the Information Center...........................................................................................240
2.3.1 Information Center Overview..................................................................................................................................240
2.3.2 Configuring the Information Center........................................................................................................................246
2.3.3 Sending Information to the Information Center......................................................................................................249
2.3.4 Maintaining the Information Center........................................................................................................................253
2.3.5 Configuration Examples..........................................................................................................................................253
2.4 Configuring a Monitoring Interface...........................................................................................................................255
2.4.1 Overview of a Monitoring Interface........................................................................................................................255
2.4.2 Configuring the Association Between a Monitoring Interface and the NMS.........................................................256
2.4.3 Configuring the Association Between a Monitoring Interface and Audible and Visual Trap Devices..................257
2.4.4 Configuration Examples..........................................................................................................................................259
2.5 Mirroring....................................................................................................................................................................262
2.5.1 Introduction.............................................................................................................................................................262
2.5.2 Configuring Local Port Mirroring...........................................................................................................................265
2.5.3 Configuring Remote Port Mirroring........................................................................................................................267
2.5.4 Canceling Port Mirroring.........................................................................................................................................270
2.5.5 Configuring Local VLAN Mirroring.......................................................................................................................272
2.5.6 Configuring Remote VLAN Mirroring...................................................................................................................273
2.5.7 Canceling VLAN Mirroring....................................................................................................................................275
2.5.8 Configuring MAC Address-based Local Mirroring................................................................................................276
2.5.9 Configuring RSPAN Based on MAC Addresses....................................................................................................278
2.5.10 Canceling Mirroring Based on MAC Addresses...................................................................................................280
2.5.11 Configuring Local Flow Mirroring........................................................................................................................281
2.5.12 Configuring Remote Flow Mirroring....................................................................................................................283
2.5.13 Canceling Flow Mirroring.....................................................................................................................................286
2.5.14 Changing or Deleting an Observing Port..............................................................................................................288
2.5.15 Configuration Examples........................................................................................................................................289
2.6 PoE Configuration......................................................................................................................................................302
2.6.1 PoE Overview..........................................................................................................................................................302
2.6.2 PoE Features Supported by the AC6605.................................................................................................................302
2.6.3 Configuring PoE Functions.....................................................................................................................................303
2.6.4 Configuration Examples..........................................................................................................................................308
2.7 ALS Configuration.....................................................................................................................................................310
2.7.1 ALS Overview.........................................................................................................................................................310
2.7.2 ALS Features Supported by the AC6605................................................................................................................310
2.7.3 Configuring ALS.....................................................................................................................................................311
2.7.4 Configuration Examples..........................................................................................................................................315
2.8 Restarting and Resetting.............................................................................................................................................317
2.8.1 Introduction.............................................................................................................................................................317
2.8.2 Restarting the AC6605 Immediately.......................................................................................................................319
2.8.3 Restarting the AC6605 at a Fixed Time..................................................................................................................320

3 Configuration Guide - Ethernet..............................................................................................322


3.1 Ethernet Interface Configuration................................................................................................................................324
3.1.1 Introduction to Ethernet Interfaces..........................................................................................................................324
3.1.2 Ethernet Interface Features Supported by the AC6605...........................................................................................324
3.1.3 Configuring Basic Attributes of an Ethernet Interface............................................................................................325
3.1.4 Configuring Advanced Attributes of an Ethernet Interface.....................................................................................329
3.1.5 Maintaining Ethernet Interfaces..............................................................................................................................335
3.1.6 Configuration Examples..........................................................................................................................................335
3.2 Link Aggregation Configuration................................................................................................................................337
3.2.1 Introduction to Link Aggregation............................................................................................................................337
3.2.2 Link Aggregation Supported by the AC6605..........................................................................................................337
3.2.3 Configuring Link Aggregation in Manual Load Balancing Mode..........................................................................339
3.2.4 Configuring Link Aggregation in Static LACP Mode............................................................................................344
3.2.5 Maintaining Link Aggregation................................................................................................................................352
3.2.6 Configuration Examples..........................................................................................................................................353
3.3 VLAN Configuration..................................................................................................................................................359
3.3.1 Introduction.............................................................................................................................................................359
3.3.2 VLAN Features Supported by the AC6605.............................................................................................................366
3.3.3 Dividing a LAN into VLANs..................................................................................................................................368
3.3.4 Configuring a VLANIF Interface............................................................................................................................370
3.3.5 Configuring Inter-VLAN Communication..............................................................................................................374
3.3.6 Configuring VLAN Aggregation to Save IP Addresses..........................................................................................377
3.3.7 Configuring a MUX VLAN to Separate Layer 2 Traffic........................................................................................381
3.3.8 Configuring a Voice VLAN to Transmit Voice Data..............................................................................................386
3.3.9 Configuring an mVLAN to Implement Integrated Management............................................................................394
3.3.10 Maintaining VLAN................................................................................................................................................396
3.3.11 Configuration Examples........................................................................................................................................396
3.4 GVRP Configuration..................................................................................................................................................413
3.4.1 GVRP Overview......................................................................................................................................................413
3.4.2 GVRP Features Supported by the AC6605.............................................................................................................416
3.4.3 Configuring GVRP..................................................................................................................................................417
3.4.4 Maintaining GVRP..................................................................................................................................................420
3.4.5 Configuration Examples..........................................................................................................................................421
3.5 MAC Address Table Configuration...........................................................................................................................424
3.5.1 MAC Address Table Overview...............................................................................................................................424
3.5.2 MAC Address Features Supported by the AC6605.................................................................................................425
3.5.3 Configuring a Static MAC Address Entry...............................................................................................................427
3.5.4 Configuring a Blackhole MAC Address Entry........................................................................................................428
3.5.5 Setting the Aging Time of Dynamic MAC Address Entries...................................................................................429
3.5.6 Disabling MAC Address Learning..........................................................................................................................430
3.5.7 Limiting the Number of Learned MAC Addresses.................................................................................................433
3.5.8 Configuring Port Security........................................................................................................................................436
3.5.9 Configuring the Switch to Discard Packets with an All-Zero MAC Address.........................................................439
3.5.10 Enabling MAC Address-triggered ARP Entry Update..........................................................................................440
3.5.11 Configuration Examples........................................................................................................................................441
3.6 STP/RSTP Configuration...........................................................................................................................................447
3.6.1 STP/RSTP Overview...............................................................................................................................................448
3.6.2 Configuring Basic STP/RSTP Functions................................................................................................................454
3.6.3 Configuring STP/RSTP Parameters on an Interface...............................................................................................460
3.6.4 Configuring RSTP Protection Functions.................................................................................................................467
3.6.5 Configuring STP/RSTP Interoperability Between Huawei Devices and Non-Huawei Devices.............................472
3.6.6 Maintaining STP/RSTP...........................................................................................................................................474
3.6.7 Configuration Examples..........................................................................................................................................475
3.7 MSTP Configuration..................................................................................................................................................484
3.7.1 MSTP Overview......................................................................................................................................................484
3.7.2 Configuring Basic MSTP Functions........................................................................................................................494
3.7.3 Configuring MSTP Parameters on an Interface......................................................................................................502
3.7.4 Configuring MSTP Protection Functions................................................................................................................508
3.7.5 Configuring MSTP Interoperability Between Huawei Devices and Non-Huawei Devices....................................513
3.7.6 Maintaining MSTP..................................................................................................................................................516
3.7.7 Configuration Examples..........................................................................................................................................517
3.8 VoIP Access Configuration........................................................................................................................................523
3.8.1 VoIP Access Overview............................................................................................................................................524
3.8.2 Configuration Examples..........................................................................................................................................524

4 Configuration Guide - IP Service ..........................................................................................536


4.1 IP Addresses Configuration........................................................................................................................................537
4.1.1 Introduction to IP Addresses...................................................................................................................................537
4.1.2 Features of IP Addresses Supported by the AC6605..............................................................................................537
4.1.3 Configuring IP Addresses for Interfaces.................................................................................................................538
4.1.4 Configuration Examples..........................................................................................................................................540
4.2 ARP Configuration.....................................................................................................................................................542
4.2.1 Overview of ARP....................................................................................................................................................542
4.2.2 ARP Features Supported by the AC6605................................................................................................................542
4.2.3 Configuring Static ARP...........................................................................................................................................543
4.2.4 Optimizing Dynamic ARP.......................................................................................................................................545
4.2.5 Configuring Routed Proxy ARP..............................................................................................................................548
4.2.6 Configuring Proxy ARP Within a VLAN...............................................................................................................550
4.2.7 Configuring Proxy ARP Between VLANs..............................................................................................................552
4.2.8 Maintaining ARP.....................................................................................................................................................554
4.2.9 Configuration Examples..........................................................................................................................................555
4.3 DHCP Configuration..................................................................................................................................................567
4.3.1 DHCP Overview......................................................................................................................................................567
4.3.2 DHCP Features Supported by the Switch................................................................................................................568
4.3.3 Default Configuration..............................................................................................................................................570
4.3.4 Configuring a DHCP Server Based on the Global Address Pool............................................................................570
4.3.5 Configuring a DHCP Server Based on an Interface Address Pool..........................................................................577
4.3.6 Configuring a DHCP Relay Agent..........................................................................................................................584
4.3.7 Configuring the DHCP/BOOTP Client Function....................................................................................................589
4.3.8 Maintaining DHCP..................................................................................................................................................592
4.3.9 Configuration Examples..........................................................................................................................................593
4.3.10 Common Configuration Errors..............................................................................................................................610
4.4 IP Performance Configuration....................................................................................................................................612
4.4.1 Introduction to IP Performance...............................................................................................................................612
4.4.2 IP Performance Supported by the AC6605.............................................................................................................612
4.4.3 Optimizing IP Performance.....................................................................................................................................613
4.4.4 Maintaining IP Performance....................................................................................................................................617
4.4.5 Configuration Examples..........................................................................................................................................620
4.5 DHCP Policy VLAN Configuration...........................................................................................................................623
4.5.1 Introduction.............................................................................................................................................................623
4.5.2 DHCP Policy VLAN Supported by the AC6605....................................................................................................623
4.5.3 Configuring DHCP Policy VLAN Based on MAC Addresses...............................................................................623
4.5.4 Configuring the DHCP Policy VLAN Based on Interfaces....................................................................................625
4.5.5 Configuring Generic DHCP Policy VLAN.............................................................................................................627
4.5.6 Maintaining DHCP Policy VLAN...........................................................................................................................628
4.5.7 Configuration Examples..........................................................................................................................................628
4.6 UDP Helper Configuration.........................................................................................................................................632
4.6.1 Introduction to UDP Helper....................................................................................................................................632
4.6.2 UDP Helper Features Supported by the AC6605....................................................................................................632
4.6.3 Configuring UDP Helper.........................................................................................................................................633
4.6.4 Maintaining UDP Helper.........................................................................................................................................636
4.6.5 Configuration Examples..........................................................................................................................................637
4.7 DNS Configuration.....................................................................................................................................................638
4.7.1 Introduction to DNS................................................................................................................................................639
4.7.2 DNS Supported by the AC6605..............................................................................................................................639
4.7.3 Configuring DNS.....................................................................................................................................................639
4.7.4 Maintaining DNS.....................................................................................................................................................642
4.7.5 Configuration Examples..........................................................................................................................................644

5 Configuration Guide - IP Routing ........................................................................................648


5.1 IP Static Route Configuration.....................................................................................................................................649
5.1.1 Static Route..............................................................................................................................................................649
5.1.2 Static Routing Features Supported by the AC6605.................................................................................................649
5.1.3 Configuring an IPv4 Static Route............................................................................................................................650
5.1.4 Configuring BFD for IPv4 Static Routes on the Public Network...........................................................................652
5.1.5 Configuration Examples..........................................................................................................................................656
5.2 RIP Configuration.......................................................................................................................................................663
5.2.1 Overview of RIP......................................................................................................................................................663
5.2.2 RIP Features Supported by the AC6605..................................................................................................................664
5.2.3 Configuring Basic RIP Functions............................................................................................................................664
5.2.4 Configuring RIP Route Attributes...........................................................................................................................668
5.2.5 Controlling the Advertising of RIP Routing Information.......................................................................................671
5.2.6 Controlling the Receiving of RIP Routing Information..........................................................................................675
5.2.7 Configuring RIP-2 Features.....................................................................................................................................678
5.2.8 Optimizing a RIP Network......................................................................................................................................681
5.2.9 Configuring BFD for RIP........................................................................................................................................687
5.2.10 Configuring Static BFD for RIP............................................................................................................................689
5.2.11 Configuring the Network Management Function in RIP......................................................................................692
5.2.12 Configuration Examples........................................................................................................................................694
5.3 OSPF Configuration...................................................................................................................................................713
5.3.1 OSPF Overview.......................................................................................................................................................713
5.3.2 OSPF Features Supported by the AC6605..............................................................................................................717
5.3.3 Configuring Basic OSPF Functions........................................................................................................................720
5.3.4 Configuring OSPF on the NBMA or P2MP Network.............................................................................................728
5.3.5 Configuring an OSPF Route Selection Rule...........................................................................................................733
5.3.6 Controlling OSPF Routing Information..................................................................................................................738
5.3.7 Configuring an OSPF Stub Area.............................................................................................................................746
5.3.8 Configuring an NSSA..............................................................................................................................................748
5.3.9 Configuring BFD for OSPF.....................................................................................................................................751
5.3.10 Improving Security of an OSPF Network.............................................................................................................755
5.3.11 Configuring the Network Management Function of OSPF...................................................................................759
5.3.12 Maintaining OSPF.................................................................................................................................................762
5.3.13 Configuration Examples........................................................................................................................................763
5.4 IS-IS Configuration....................................................................................................................................................811
5.4.1 Basic Concepts of IS-IS...........................................................................................................................................811
5.4.2 IS-IS Features Supported by the AC6605...............................................................................................................813
5.4.3 Configuring Basic IPv4 IS-IS Functions.................................................................................................................819
5.4.4 Establishing or Maintaining IS-IS Neighbor Relationships or Adjacencies...........................................................830
5.4.5 Configuring IPv4 IS-IS Route Selection.................................................................................................................836
5.4.6 Configuring IPv4 IS-IS Route Summarization........................................................................................................840
5.4.7 Configuring IPv4 IS-IS to Interact with Other Routing Protocols..........................................................................841
5.4.8 Configuring the IPv4 IS-IS Route Convergence Speed..........................................................................................845
5.4.9 Configuring Static IPv4 BFD for IS-IS...................................................................................................................852
5.4.10 Configuring Dynamic IPv4 BFD for IS-IS............................................................................................................854
5.4.11 Configuring IS-IS GR............................................................................................................................................857
5.4.12 Maintaining IS-IS..................................................................................................................................................859
5.4.13 Configuration Examples........................................................................................................................................860
5.5 BGP Configuration.....................................................................................................................................................897
5.5.1 BGP Overview.........................................................................................................................................................897
5.5.2 BGP Features Supported by the AC6605................................................................................................................898
5.5.3 Configuring Basic BGP Functions..........................................................................................................................903
5.5.4 Configuring BGP Route Attributes.........................................................................................................................909
5.5.5 Configuring BGP to Advertise Routes....................................................................................................................918
5.5.6 Configuring BGP to Receive Routes.......................................................................................................................929
5.5.7 Configuring BGP Route Aggregation.....................................................................................................................941
5.5.8 Configuring BGP Peer Groups................................................................................................................................943
5.5.9 Configuring BGP Route Reflectors.........................................................................................................................946
5.5.10 Configuring a BGP Confederation........................................................................................................................952
5.5.11 Configuring BGP Community Attributes..............................................................................................................953
5.5.12 Configuring to Adjust the BGP Network Convergence Speed.............................................................................956
5.5.13 Configuring BGP Route Dampening.....................................................................................................................963
5.5.14 Configuring a BGP Device to Send a Default Route to Its Peer...........................................................................965
5.5.15 Configuring BGP Load Balancing........................................................................................................................966
5.5.16 Configuring the BGP Next Hop Delayed Response..............................................................................................968
5.5.17 Configuring BFD for BGP....................................................................................................................................970
5.5.18 Configuring BGP Security.....................................................................................................................................973
5.5.19 Maintaining BGP...................................................................................................................................................977
5.5.20 Configuration Examples........................................................................................................................................978
5.6 MBGP Configuration...............................................................................................................................................1030
5.6.1 MBGP Overview...................................................................................................................................................1030
5.6.2 MBGP Features Supported by the AC6605..........................................................................................................1030
5.6.3 Configuring Basic MBGP Functions.....................................................................................................................1030
5.6.4 Configuring the Policy for Advertising MBGP Routes.........................................................................................1036
5.6.5 Configuring the Policy for Exchanging Routes Between MBGP Peers................................................................1041
5.6.6 Configuring MBGP Route Attributes....................................................................................................................1048
5.6.7 Configuring MBGP Route Dampening.................................................................................................................1053
5.6.8 Maintaining MBGP...............................................................................................................................................1055
5.6.9 Configuration Examples........................................................................................................................................1057
5.7 Routing Policy Configuration...................................................................................................................................1065
5.7.1 Overview of the Routing Policy............................................................................................................................1065
5.7.2 Routing Policy Features Supported by the AC6605..............................................................................................1066
5.7.3 Configuring the IP-Prefix List...............................................................................................................................1068
5.7.4 Configuring the Route-Policy................................................................................................................................1070
5.7.5 Applying Filters to Received Routes.....................................................................................................................1074
5.7.6 Applying Filters to Advertised Routes..................................................................................................................1079
5.7.7 Applying Filters to Imported Routes.....................................................................................................................1083
5.7.8 Controlling the Valid Time of the Routing Policy................................................................................................1086
5.7.9 Maintaining the Routing Policy.............................................................................................................................1088
5.7.10 Configuration Examples......................................................................................................................................1088

6 Configuration Guide - Multicast..........................................................................................1099


6.1 IP Multicast Configuration Guide............................................................................................................................1101
6.1.1 IP Multicast Overview...........................................................................................................................................1101
6.1.2 IP Multicast Features Supported by the AC6605..................................................................................................1101
6.1.3 IPv4 Multicast Configuration Guide.....................................................................................................................1101
6.2 IGMP Snooping Configuration................................................................................................................................1104
6.2.1 IGMP Snooping Overview....................................................................................................................................1104
6.2.2 IGMP Snooping Supported by the AC6605..........................................................................................................1105
6.2.3 Configuring IGMP Snooping................................................................................................................................1107
6.2.4 Configuring a Layer 2 Multicast Policy................................................................................................................1117
6.2.5 Configuring Layer 2 Multicast SSM Mapping......................................................................................................1122
6.2.6 Maintaining Layer 2 Multicast..............................................................................................................................1125
6.2.7 Configuration Examples.........................................................................................................................................1127
6.3 Multicast VLAN Replication Configuration............................................................................................................1133
6.3.1 Multicast VLAN Replication Overview................................................................................................................1133
6.3.2 Multicast VLAN Replication Supported by the AC6605......................................................................................1133
6.3.3 Configuring Multicast VLAN Replication Based on User VLANs......................................................................1135
6.3.4 Configuring Multicast VLAN Replication Based on Interfaces............................................................................1138
6.3.5 Configuring Many-to-Many Multicast VLAN Replication...................................................................................1141
6.3.6 Configuration Examples........................................................................................................................................1144
6.4 IGMP Configuration.................................................................................................................................................1153
6.4.1 Introduction to IGMP............................................................................................................................................1153
6.4.2 IGMP Features Supported by the AC6605............................................................................................................1153
6.4.3 Configuring Basic IGMP Functions......................................................................................................................1155
6.4.4 Setting the Parameters of IGMP Features.............................................................................................................1159
6.4.5 Configuring SSM Mapping...................................................................................................................................1167
6.4.6 Configuring the IGMP Limit Function...................................................................................................................1170
6.4.7 Maintaining IGMP.................................................................................................................................................1171
6.4.8 Configuration Examples........................................................................................................................................1173
6.5 PIM-DM (IPv4) Configuration.................................................................................................................................1183
6.5.1 PIM-DM Overview................................................................................................................................................1183
6.5.2 PIM-DM Features Supported by the AC6605........................................................................................................1184
6.5.3 Configuring Basic PIM-DM Functions.................................................................................................................1185
6.5.4 Adjusting Control Parameters of a Multicast Source............................................................................................1188
6.5.5 Adjusting Control Parameters for Maintaining Neighbor Relationships..............................................................1190
6.5.6 Adjusting Control Parameters for Prune...............................................................................................................1195
6.5.7 Adjusting Control Parameters for State-Refresh...................................................................................................1199
6.5.8 Adjusting Control Parameters for Graft................................................................................................................1203
6.5.9 Adjusting Control Parameters for Assert...............................................................................................................1205
6.5.10 Configuring PIM Silent Function........................................................................................................................1207
6.5.11 Maintaining PIM-DM (IPv4)...............................................................................................................................1210
6.5.12 Configuration Example........................................................................................................................................1212
6.6 PIM-SM (IPv4) Configuration.................................................................................................................................1217
6.6.1 PIM-SM Overview................................................................................................................................................1217
6.6.2 PIM-SM Features Supported by the AC6605........................................................................................................1218
6.6.3 Configuring Basic PIM-SM Functions..................................................................................................................1220
6.6.4 Adjusting Control Parameters for a Multicast Source...........................................................................................1226
6.6.5 Adjusting Control Parameters of the C-RP and C-BSR........................................................................................1229
6.6.6 Configuring a BSR Administrative Domain.........................................................................................................1234
6.6.7 Adjusting Control Parameters for Establishing the Neighbor Relationship..........................................................1237
6.6.8 Adjusting Control Parameters for Source Registering..........................................................................................1243
6.6.9 Adjusting Control Parameters for Forwarding......................................................................................................1246
6.6.10 Adjusting Control Parameters for Assert.............................................................................................................1252
6.6.11 Configuring the SPT Switchover.........................................................................................................................1255
6.6.12 Configuring PIM BFD.........................................................................................................................................1257
6.6.13 Configuring PIM Silent.......................................................................................................................................1259
6.6.14 Maintaining PIM-SM (IPv4)...............................................................................................................................1262
6.6.15 Configuration Examples......................................................................................................................................1264
6.7 MSDP Configuration................................................................................................................................................1277
6.7.1 MSDP Overview....................................................................................................................................................1277
6.7.2 MSDP Features Supported by the AC6605...........................................................................................................1278
6.7.3 Configuring PIM-SM Inter-domain Multicast......................................................................................................1280
6.7.4 Configuring an Anycast RP in a PIM-SM Domain...............................................................................................1284
6.7.5 Managing MSDP Peer Connections......................................................................................................................1290
6.7.6 Configuring SA Cache...........................................................................................................................................1293
6.7.7 Configuring the SA Request..................................................................................................................................1295
6.7.8 Configuring the Filtering Rules for SA Messages.................................................................................................1298
6.7.9 Configuring MSDP Authentication.......................................................................................................................1303
6.7.10 Maintaining MSDP..............................................................................................................................................1305
6.7.11 Configuration Examples......................................................................................................................................1307
6.8 IPv4 Multicast Routing Management.......................................................................................................................1317
6.8.1 Overview of IPv4 Multicast Routing Management...............................................................................................1317
6.8.2 IPv4 Multicast Routing Management Features Supported by the AC6605..........................................................1318
6.8.3 Configuring a Static Multicast Route....................................................................................................................1319
6.8.4 Configuring the Multicast Routing Policy.............................................................................................................1322
6.8.5 Configuring the Multicast Forwarding Scope.......................................................................................................1325
6.8.6 Configuring Control Parameters of the Multicast Forwarding Table....................................................................1326
6.8.7 Maintaining the Multicast Policy..........................................................................................................................1329
6.8.8 Configuration Examples........................................................................................................................................1333

7 Configuration Guide - QoS...................................................................................................1338


7.1 Class-based QoS Configuration................................................................................................................................1339
7.1.1 Introduction to Class-based QoS...........................................................................................................................1339
7.1.2 Class-based QoS Features Supported by the AC6605...........................................................................................1339
7.1.3 Creating a Traffic Policy Based on Complex Traffic Classification.....................................................................1341
7.1.4 Maintaining Class-based QoS...............................................................................................................................1352
7.1.5 Configuration Examples........................................................................................................................................1353
7.2 Traffic Policing and Traffic Shaping Configuration................................................................................................1360
7.2.1 Traffic Policing and Traffic Shaping Overview....................................................................................................1360
7.2.2 Configuring Traffic Policing Based on an Interface..............................................................................................1363
7.2.3 Configuring Traffic Policing Based on a Traffic Classifier..................................................................................1365
7.2.4 Configuring Traffic Shaping.................................................................................................................................1369
7.2.5 Maintaining Traffic Policing and Traffic Shaping................................................................................................1372
7.2.6 Configuration Examples........................................................................................................................................1373
7.3 Congestion Avoidance and Congestion Management Configuration......................................................................1383
7.3.1 Overview of Congestion Avoidance and Congestion Management......................................................................1383
7.3.2 Configuring Congestion Avoidance on the AC6605.............................................................................................1386
7.3.3 Configuring Congestion Management...................................................................................................................1389
7.3.4 Maintaining Congestion Avoidance and Congestion Management......................................................................1392

8 Configuration Guide - Security............................................................................................1393


8.1 AAA Configuration..................................................................................................................................................1395
8.1.1 AAA Overview......................................................................................................................................................1395
8.1.2 AAA Features Supported by the Device...............................................................................................................1396
8.1.3 Configuring Local Authentication and Authorization...........................................................................................1397
8.1.4 Configuring RADIUS AAA..................................................................................................................................1404
8.1.5 Configuring HWTACACS AAA...........................................................................................................................1413
8.1.6 Maintaining AAA..................................................................................................................................................1422
8.1.7 Configuration Examples........................................................................................................................................1423
8.2 NAC Configuration (for Wired Users)......................................................................................................................1430
8.2.1 NAC Overview......................................................................................................................................................1430
8.2.2 NAC Features Supported by the Device................................................................................................................1430
8.2.3 Default Configuration............................................................................................................................................1432
8.2.4 Configuring 802.1x Authentication.......................................................................................................................1433
8.2.5 Configuring MAC Address Authentication...........................................................................................................1445
8.2.6 Configuring Portal Authentication........................................................................................................................1450
8.2.7 Maintaining NAC..................................................................................................................................................1455
8.2.8 Configuration Examples........................................................................................................................................1456
8.3 NAC Configuration (for Wireless Users)..................................................................................................................1466
8.3.1 NAC Overview......................................................................................................................................................1466
8.3.2 NAC Features Supported by the Device................................................................................................................1467
8.3.3 Default Configuration............................................................................................................................................1469
8.3.4 Configuring 802.1x Authentication.......................................................................................................................1470
8.3.5 Configuring MAC Address Authentication...........................................................................................................1475
8.3.6 Configuring Portal Authentication........................................................................................................................1477
8.3.7 Configuration Examples........................................................................................................................................1483
8.4 DHCP Snooping Configuration................................................................................................................................1490
8.4.1 Introduction to DHCP Snooping...........................................................................................................................1490
8.4.2 DHCP Snooping Features Supported by the AC6605...........................................................................................1490
8.4.3 Preventing Bogus DHCP Server Attacks..............................................................................................................1493
8.4.4 Preventing DoS Attacks by Changing the CHADDR Field..................................................................................1496
8.4.5 Preventing the Attacker from Sending Bogus DHCP Messages for Extending IP Address Leases.....................1499
8.4.6 Setting the Maximum Number of DHCP Snooping Users....................................................................................1505
8.4.7 Limiting the Rate of Sending DHCP Messages....................................................................................................1509
8.4.8 Configuring the Packet Discarding Alarm Function.............................................................................................1513
8.4.9 Maintaining DHCP Snooping................................................................................................................................1517
8.4.10 Configuration Examples......................................................................................................................................1518
8.5 ARP Security Configuration.....................................................................................................................................1534
8.5.1 ARP Security Overview........................................................................................................................................1534
8.5.2 ARP Security Supported by the AC6605..............................................................................................................1535
8.5.3 Checking Source MAC Addresses of ARP Packets..............................................................................................1537
8.5.4 Configuring Defense Against ARP DoS Attacks..................................................................................................1538
8.5.5 Configuring ARP Anti-Spoofing...........................................................................................................................1544
8.5.6 Maintaining ARP Security.....................................................................................................................................1551
8.5.7 Configuration Examples........................................................................................................................................1553
8.6 Source IP Attack Defense Configuration.................................................................................................................1560
8.6.1 Overview of IP Source Guard...............................................................................................................................1560
8.6.2 IP Source Guard Features Supported by the AC6605...........................................................................................1561
8.6.3 Configuring IP Source Guard................................................................................................................................1562
8.6.4 Configuring URPF.................................................................................................................................................1565
8.6.5 Configuration Examples........................................................................................................................................1567
8.7 Local Attack Defense Configuration........................................................................................................................1569
8.7.1 Local Attack Defense Overview............................................................................................................................1569
8.7.2 Local Attack Defense Features Supported by the AC6605...................................................................................1569
8.7.3 Configuring an Attack Defense Policy..................................................................................................................1572
8.7.4 Configuring Attack Source Tracing......................................................................................................................1576
8.7.5 Maintaining the Attack Defense Policy.................................................................................................................1580
8.7.6 Configuration Examples........................................................................................................................................1581
8.8 Traffic Suppression Configuration...........................................................................................................................1583
8.8.1 Introduction to Traffic Suppression.......................................................................................................................1583
8.8.2 Traffic Suppression Features Supported by the AC6605......................................................................................1584
8.8.3 Configuring Traffic Suppression...........................................................................................................................1584
8.8.4 Configuration Examples........................................................................................................................................1586
8.9 ACL Configuration...................................................................................................................................................1588
8.9.1 ACL Overview......................................................................................................................................................1588
8.9.2 ACL Features Supported by the AC6605..............................................................................................................1588
8.9.3 Configuring an ACL..............................................................................................................................................1589
8.9.4 Maintaining an ACL..............................................................................................................................................1595
8.9.5 Configuration Examples........................................................................................................................................1595

9 Configuration Guide - Reliability........................................................................................1605


9.1 Ethernet OAM Configuration...................................................................................................................................1606
9.1.1 Introduction to Ethernet OAM..............................................................................................................................1606
9.1.2 Ethernet OAM Supported by the AC6605............................................................................................................1607
9.1.3 Configuring Basic EFM OAM..............................................................................................................................1608
9.1.4 Configuring EFM OAM Link Monitoring............................................................................................................1612
9.1.5 Testing the Packet Loss Ratio on the Physical Link.............................................................................................1617
9.1.6 Configuring Association Between EFM OAM and an Interface...........................................................................1622
9.1.7 Maintaining Ethernet OAM...................................................................................................................................1625
9.1.8 Configuration Examples........................................................................................................................................1626
9.2 BFD Configuration...................................................................................................................................................1632
9.2.1 BFD Overview.......................................................................................................................................................1632
9.2.2 BFD Features Supported by the AC6605..............................................................................................................1633
9.2.3 Configuring Single-hop BFD................................................................................................................................1634
9.2.4 Configuring the Multi-Hop BFD...........................................................................................................................1638
9.2.5 Configuring a BFD Session with Automatically Negotiated Discriminators........................................................1641
9.2.6 Adjusting BFD Parameters....................................................................................................................................1644
9.2.7 Configuring the Interval at Which Trap Messages Are Sent...................................................................................1648
9.2.8 Maintaining BFD...................................................................................................................................................1650
9.2.9 Configuration Examples........................................................................................................................................1651
9.3 VRRP Configuration................................................................................................................................................1660
9.3.1 VRRP Overview....................................................................................................................................................1660
9.3.2 VRRP Features Supported by the AC6605...........................................................................................................1661
9.3.3 Configuring the VRRP Backup Group..................................................................................................................1662
9.3.4 Configuring VRRP to Track the Status of an Interface.........................................................................................1667
9.3.5 Configuring VRRP Security..................................................................................................................................1670
9.3.6 Adjusting and Optimizing VRRP..........................................................................................................................1672
9.3.7 Configuring mVRRP Backup Groups...................................................................................................................1678
9.3.8 Configuring VRRP Version Upgrade....................................................................................................................1681
9.3.9 Maintaining VRRP................................................................................................................................................1683
9.3.10 Configuration Examples......................................................................................................................................1684

10 Configuration Guide - Network Management................................................................1700


10.1 SNMP Configuration..............................................................................................................................................1701
10.1.1 Introduction to SNMP.........................................................................................................................................1701
10.1.2 Configuring a Device to Communicate with an NM Station by Running SNMPv1...........................................1706
10.1.3 Configuring a Device to Communicate with an NM Station by Running SNMPv2c.........................................1713
10.1.4 Configuring a Device to Communicate with an NM Station by Running SNMPv3...........................................1722
10.1.5 SNMP Configuration Examples..........................................................................................................................1730
10.2 LLDP Configuration...............................................................................................................................................1741
10.2.1 Introduction to LLDP..........................................................................................................................................1742
10.2.2 LLDP Feature Supported by the AC6605...........................................................................................................1745
10.2.3 Configuring LLDP...............................................................................................................................................1748
10.2.4 Maintaining LLDP...............................................................................................................................................1757
10.2.5 Configuration Examples......................................................................................................................................1757
10.3 NTP Configuration.................................................................................................................................................1775
10.3.1 Introduction to NTP.............................................................................................................................................1775
10.3.2 NTP Supported by the AC6605...........................................................................................................................1778
10.3.3 Configuring Basic NTP Functions......................................................................................................................1779
10.3.4 Configuring NTP Security Mechanisms..............................................................................................................1789
10.3.5 Maintaining NTP.................................................................................................................................................1795
10.3.6 Configuration Examples......................................................................................................................................1796
10.4 Ping and Tracert......................................................................................................................................................1812
10.4.1 Ping......................................................................................................................................................................1812
10.4.2 Tracert..................................................................................................................................................................1813
10.4.3 Configuring Ping/Tracert to Locate a Connection Fault in an IP Network.........................................................1814
10.4.4 Debugging Ping and Tracert................................................................................................................................1816
10.4.5 Configuration Examples......................................................................................................................................1816
10.5 NQA Configuration................................................................................................................................................1818
10.5.1 Introduction to NQA............................................................................................................................................1818
10.5.2 Comparisons Between NQA and Ping................................................................................................................1819
10.5.3 NQA Server and NQA Clients............................................................................................................................1819
10.5.4 NQA Supported by the AC6605..........................................................................................................................1820
10.5.5 Configuring the ICMP Test.................................................................................................................................1821
10.5.6 Configuring the FTP Download Test..................................................................................................................1824
10.5.7 Configuring the FTP Upload Test.......................................................................................................................1827
10.5.8 Configuring the HTTP Test.................................................................................................................................1830
10.5.9 Configuring the DNS Test...................................................................................................................................1833
10.5.10 Configuring the Traceroute Test........................................................................................................................1836
10.5.11 Configuring the SNMP Query Test...................................................................................................................1839
10.5.12 Configuring the TCP Test..................................................................................................................................1841
10.5.13 Configuring the UDP Test.................................................................................................................................1845
10.5.14 Configuring the Jitter Test.................................................................................................................................1848
10.5.15 Configuring Universal NQA Test Parameters...................................................................................................1852
10.5.16 Configuring Round-Trip Delay Thresholds......................................................................................................1857
10.5.17 Configuring the Trap Function..........................................................................................................................1859
10.5.18 Maintaining NQA..............................................................................................................................................1864
10.5.19 Configuration Examples....................................................................................................................................1866
10.6 RMON Configuration.............................................................................................................................................1892
10.6.1 Introduction to RMON........................................................................................................................................1892
10.6.2 RMON Supported by the AC6605........................................................................................................1893
10.6.3 Configuring RMON.............................................................................................................................................1894
10.6.4 Maintaining RMON.............................................................................................................................................1901
10.6.5 Configuration Examples......................................................................................................................................1901
10.7 Packet Capture Configuration................................................................................................................................1905
10.7.1 Packet Capture Overview....................................................................................................................................1905
10.7.2 Packet Capture Functions Supported by the AC6605.........................................................................................1905
10.7.3 Capturing Service Packets...................................................................................................................................1906
10.7.4 Capturing Packets Sent to the CPU.....................................................................................................................1907
10.7.5 Configuration Examples......................................................................................................................................1908

11 Configuration Guide - System Management (AC).........................................................1912


11.1 Configuring User Login..........................................................................................................................................1913
11.1.1 Logging In to the Device Through a Console Port..............................................................................................1913
11.1.2 Logging In to the Device Through Telnet...........................................................................................................1917
11.2 Configuring User Interfaces...................................................................................................................................1921
11.2.1 Configuring the Console User Interface..............................................................................................................1921
11.2.2 Configuring the VTY User Interface...................................................................................................................1924
11.3 Configuring System Startup...................................................................................................................................1928
11.3.1 Configuring System Startup Files on the Wireless Side......................................................................................1928
11.3.2 Restarting the Device...........................................................................................................................................1929
11.4 Upgrading the Devices...........................................................................................................................................1930
11.4.1 Upgrading the AC................................................................................................................................................1931


11.4.2 Configuring the Automatic AP Upgrade Function..............................................................................................1932
11.4.3 Verifying the Configuration................................................................................................................................1936
11.5 Displaying the Device Status..................................................................................................................................1937
11.5.1 Displaying Information About the Device..........................................................................................................1937
11.5.2 Displaying the Version........................................................................................................................................1937
11.5.3 Displaying the Current Configuration.................................................................................................................1938
11.6 (Optional) Activating a License.............................................................................................................................1938

12 Configuration Guide - WLAN............................................................................................ 1940


12.1 Precautions for the Configuration...........................................................................................................................1941
12.2 WLAN Service Configuration................................................................................................................................1946
12.2.1 Overview.............................................................................................................................................................1946
12.2.2 Default Configuration..........................................................................................................................................1949
12.2.3 Configuration Process..........................................................................................................................................1949
12.2.4 Configuring AC System Parameters....................................................................................................................1950
12.2.5 Managing APs on the AC....................................................................................................................................1955
12.2.6 Configuring the WLAN Service VAP.................................................................................................................1984
12.2.7 Maintaining WLANs...........................................................................................................................................2009
12.2.8 Configuration Examples......................................................................................................................................2016
12.3 WLAN Security Configuration..............................................................................................................................2039
12.3.1 WLAN Security Overview..................................................................................................................................2040
12.3.2 WLAN Security Features Supported by the Device............................................................................................2040
12.3.3 Default Configuration..........................................................................................................................................2045
12.3.4 Configuring WIDS and WIPS.............................................................................................................................2046
12.3.5 Configuring a WLAN Security Policy................................................................................................................2049
12.3.6 Configuring the STA Blacklist or Whitelist........................................................................................................2056
12.3.7 Configuring User Isolation..................................................................................................................................2060
12.3.8 Maintaining WLAN Security..............................................................................................................................2062
12.3.9 Configuration Examples......................................................................................................................................2063
12.4 Radio Resource Management.................................................................................................................................2139
12.4.1 Overview.............................................................................................................................................................2139
12.4.2 Radio Resource Management Features Supported by the Device.......................................................................2139
12.4.3 Default Configuration..........................................................................................................................................2142
12.4.4 Configuring Radio Calibration............................................................................................................................2143
12.4.5 Configuring Load Balancing...............................................................................................................................2145
12.4.6 Configuring 5G-Prior Access..............................................................................................................................2148
12.4.7 Configuring Interference Detection.....................................................................................................................2149
12.4.8 Restricting Access from Weak-Signal or Low-Rate STAs.................................................................................2150
12.4.9 Maintaining Radio Resource Management.........................................................................................................2152
12.4.10 Configuration Examples....................................................................................................................................2153
12.5 WLAN Reliability Configuration...........................................................................................................................2177
12.5.1 Overview.............................................................................................................................................................2178
12.5.2 WLAN Reliability Features Supported by the Device........................................................................................2178


12.5.3 Default Configuration..........................................................................................................................................2181
12.5.4 Configuring Dual-Link Backup...........................................................................................................................2182
12.5.5 Configuring Service Holding upon CAPWAP Link Disconnection...................................................................2185
12.5.6 (Optional) Configuring Channel Switching Without Service Interruption.........................................................2186
12.5.7 Configuration Examples......................................................................................................................................2187
12.6 Roaming Configuration..........................................................................................................................................2217
12.6.1 Overview.............................................................................................................................................................2217
12.6.2 Roaming Features Supported by the Device.......................................................................................................2218
12.6.3 Configuring Roaming Between APs in the Same Service VLAN......................................................................2219
12.6.4 Configuring Roaming Between APs in Different Service VLANs.....................................................................2222
12.6.5 Configuration Examples......................................................................................................................................2228
12.7 WLAN QoS Configuration.....................................................................................................................................2260
12.7.1 Overview.............................................................................................................................................................2260
12.7.2 WLAN QoS Features Supported by the Device..................................................................................................2261
12.7.3 Default Configuration..........................................................................................................................................2263
12.7.4 Configuring WMM..............................................................................................................................................2264
12.7.5 Configuring Priority Mapping.............................................................................................................................2266
12.7.6 Configuring Traffic Policing...............................................................................................................................2269
12.7.7 Configuration Examples......................................................................................................................................2275
12.8 WDS Configuration................................................................................................................................................2294
12.8.1 WLAN WDS Overview.......................................................................................................................................2294
12.8.2 Configuration Notes............................................................................................................................................2298
12.8.3 Default Configuration..........................................................................................................................................2298
12.8.4 Configuring WDS................................................................................................................................................2299
12.8.5 Maintaining WDS................................................................................................................................................2324
12.8.6 Configuration Examples......................................................................................................................................2325

1 Configuration Guide - Basic Configuration


About This Chapter


This document describes the features of the AC6605 through configuration procedures and
examples.
1.1 Logging In to the System for the First Time
You can log in to a new Switch through the console port to configure the Switch.
1.2 CLI Overview
The command line interface (CLI) is used to configure and maintain devices.
1.3 How to Use Interfaces
This chapter describes the concept of the interface and the basic configuration about the interface.
1.4 Basic Configuration
This chapter describes how to configure the Switch to work properly in the network environment
and to suit your needs.
1.5 Configuring User Interfaces
When a user uses a console port, Telnet, or SSH (STelnet) to log in to the Switch, the system
manages the session between the user and the Switch on the corresponding user interface.
1.6 Configuring User Login
A user can log in to the Switch through a console port, or by using Telnet or SSH (STelnet). The
user can maintain the Switch locally or remotely after login.
1.7 Managing the File System
The file system manages the files and directories on the storage devices of the Switch. It can
move or delete a file or directory, or display the contents of a file.
1.8 Configuring System Startup
When the Switch is powered on, system software starts and configuration files are loaded. To
ensure smooth running of the Switch, you need to manage system software and configuration
files efficiently.
1.9 Accessing Another Device
To manage configurations or operate files of another device, you can access the device by using
Telnet, STelnet, TFTP, FTP, or SFTP from the device that you have logged in to.

1.1 Logging In to the System for the First Time


You can log in to a new Switch through the console port to configure the Switch.

1.1.1 Introduction
You can configure a device that is powered on for the first time by logging in through the console
port.
The console port is a serial port on the main control board. To configure a device, connect the
serial port of the user terminal to the console port of the device.
NOTE

The first time a device is powered on, you must use the console port to log in to the device. This is a
prerequisite for the other login modes. For example, you must first log in to the device through the console
port and configure an IP address before you can log in to the device using Telnet.

1.1.2 Logging In to the Device Through the Console Port


This section describes how to establish the configuration environment by using the console port
to connect a terminal to an AC6605.

Establishing the Configuration Task


Before logging in to the AC6605 through the console port, familiarize yourself with the
applicable environment, complete the pre-configuration tasks, and obtain any data required for
the configuration. This will help you complete the configuration task quickly and correctly.

Applicable Environment
When the AC6605 is powered on for the first time, you must use the console port to log in to
the AC6605 to configure and manage the AC6605.

Pre-configuration Tasks
Before logging in to the AC6605 through the console port, complete the following tasks:
l Installing a terminal emulation program on the PC (for example, Windows XP HyperTerminal)
l Preparing the RS-232 cable

Data Preparation
To log in to the AC6605 through the console port, you need the following data.

Data
Terminal communication parameters:
l Baud rate
l Data bit
l Parity
l Stop bit
l Flow-control mode

NOTE

The system automatically uses default parameter values for the first login.

Establishing the Physical Connection


The console port of the AC6605 must be connected to the COM port of a terminal using a console
cable.

Procedure
Step 1 Power on all devices to perform a self-check.
Step 2 Connect the COM port on the PC and the console port on the AC6605 by a cable.
----End

Logging In to the Device


To manage a Switch that is powered on for the first time, you can log in to it using the console
port.

Context
PC terminal attributes, including the transmission rate, data bit, parity bit, stop bit, and flow
control mode must be configured to match those configured for the console port. Default values
for terminal attributes are used during the first login to the device.

Procedure
Step 1 Start a terminal emulator on the PC and create a connection, as shown in Figure 1-1.

Figure 1-1 Connection creation

Step 2 Set an interface, as shown in Figure 1-2.


Figure 1-2 Interface settings

Step 3 Set communication parameters to match the Switch defaults, as shown in Figure 1-3.

Figure 1-3 Communication parameter settings

Step 4 Press Enter. At the following command-line prompt, set an authentication password. The system
automatically saves the set password.
An initial password is required for the first login via the console.
Set a password and keep it safe! Otherwise you will not be able to login via the
console.
Please configure the login password (6-16)
Enter Password:
Confirm Password:
<Quidway>

You can run commands to configure the device. Enter a question mark (?) whenever you need
help.
Step 5 Run the display device command to check whether you have logged in to the LSW or AC unit.
The following information indicates that you have logged in to the LSW unit.
<Quidway> display device
AC6605-26-PWR's Device status:
Slot  Sub  Type        Online    Power     Register     Status   Role
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
0          AC6605-26   Present   PowerOn   Registered   Normal   Master
4          POWER       Present   PowerOn   Registered   Normal   NA

Step 6 Run the console switch command or press Ctrl+Y to switch from the LSW unit to the AC unit.
After the preceding configurations are complete, press Enter. At the following command-line
prompt, set an authentication password. The system automatically saves the set password.
<Quidway> console switch
Info: Switch console to AC.
An initial password is required for the first login via the console.

Set a password and keep it safe! Otherwise you will not be able to login via the
console.
Please configure the login password (6-16)
Enter Password:
Confirm Password:
<Quidway>

Step 7 Run the display device command to check AC unit information.


<Quidway> display device
AC6605-AC's Device status:
Slot  Sub  Type        Online    Power     Register     Status   Role
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
0          AC6605-26   Present   PowerOn   Registered   Normal   Master

Step 8 Run the console switch command or press Ctrl+Y to switch from the AC unit to the LSW unit.
<Quidway> console switch
Info: Switch console to LSW.
<Quidway>

The LSW unit and AC unit of the AC6605 share the same physical serial port. After you have logged
in to the device through the console port, you can press Ctrl+Y to switch between the LSW unit and
AC unit. When you press Ctrl+Y, one of the following messages is displayed:
l Info: Switch console to AC. This message indicates that you have logged in to the AC
unit.
l Info: Switch console to LSW. This message indicates that you have logged in to the LSW
unit.
NOTE

When you log in to the device through the console port, the device status determines which side you log in
to: the wired side (LSW unit) or the wireless side (AC unit). By default, you log in to the wired side when
the device is powered on for the first time. To switch the login account, disconnect the console port. When
you reconnect the console port and log in again, you log in to the side you were on last time. If the wireless
side restarts on its own, the console port automatically connects to the wired side.

----End
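Because both units share one serial port and Ctrl+Y toggles between them, a script that drives the console must confirm which unit it is talking to before sending any configuration. The following Python helper is an added example, not code from the Huawei guide: it parses the display device output shown in Steps 5 and 7 (the sample outputs are constructed from those steps) and reports the unit and board health; reading a device name that ends in "-AC" as the AC unit is an assumption inferred from those two outputs.

```python
"""Identify which AC6605 unit (LSW or AC) a console session is attached to.

Added example, not from the Huawei guide. It assumes the 'display device'
layout shown in Steps 5 and 7: a "<name>'s Device status:" line, a column
header starting with "Slot", a dashed separator, then one column-aligned row
per board. Reading a name ending in "-AC" as the AC unit and any other name
as the LSW unit is inferred from those two outputs (an assumption).
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Sample constructed from the Step 5 output (LSW unit); the Sub cell is blank.
LSW_SAMPLE = (
    "<Quidway> display device\n"
    "AC6605-26-PWR's Device status:\n"
    "Slot  Sub  Type        Online    Power     Register     Status   Role\n"
    "- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\n"
    "0          AC6605-26   Present   PowerOn   Registered   Normal   Master\n"
    "4          POWER       Present   PowerOn   Registered   Normal   NA\n"
)

# Sample constructed from the Step 7 output (AC unit).
AC_SAMPLE = (
    "<Quidway> display device\n"
    "AC6605-AC's Device status:\n"
    "Slot  Sub  Type        Online    Power     Register     Status   Role\n"
    "- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\n"
    "0          AC6605-26   Present   PowerOn   Registered   Normal   Master\n"
)

STATUS_RE = re.compile(r"^(?P<name>\S+)'s Device status:$")


@dataclass
class Board:
    slot: int
    sub: str
    type: str
    online: str
    power: str
    register: str
    status: str
    role: str

    def is_normal(self) -> bool:
        """Present, powered on, registered with the system and in Normal status."""
        return (self.online, self.power, self.register, self.status) == (
            "Present", "PowerOn", "Registered", "Normal")


@dataclass
class DeviceStatus:
    name: str           # e.g. AC6605-26-PWR or AC6605-AC
    unit: str           # "LSW" (wired side) or "AC" (wireless side)
    boards: List[Board]

    def healthy(self) -> bool:
        return bool(self.boards) and all(b.is_normal() for b in self.boards)


def _columns(header: str) -> List[Tuple[str, int]]:
    """(name, start offset) of each header word; rows are sliced by these."""
    return [(m.group(0).lower(), m.start()) for m in re.finditer(r"\S+", header)]


def _split_row(line: str, cols: List[Tuple[str, int]]) -> Dict[str, str]:
    """Slice a row by the header's column offsets so blank cells stay blank."""
    cells = {}
    for i, (name, start) in enumerate(cols):
        end = cols[i + 1][1] if i + 1 < len(cols) else len(line)
        cells[name] = line[start:end].strip()
    return cells


def parse_display_device(text: str) -> DeviceStatus:
    name = cols = None
    boards: List[Board] = []
    for raw in text.splitlines():
        line = raw.rstrip()
        if name is None:                      # skip the echoed prompt and command
            m = STATUS_RE.match(line.strip())
            if m:
                name = m.group("name")
            continue
        if not line.strip():
            continue
        if cols is None:
            if line.lstrip().startswith("Slot"):
                cols = _columns(line)
            continue
        if set(line.strip()) <= {"-", " "}:   # dashed separator under the header
            continue
        row = _split_row(line, cols)
        try:
            boards.append(Board(int(row["slot"]), row["sub"], row["type"],
                                row["online"], row["power"], row["register"],
                                row["status"], row["role"]))
        except (KeyError, ValueError) as exc:
            raise ValueError(f"unexpected row {raw!r}") from exc
    if name is None or cols is None:
        raise ValueError("no 'Device status' table found in the output")
    unit = "AC" if name.endswith("-AC") else "LSW"   # assumption, see docstring
    return DeviceStatus(name, unit, boards)
```

A script can call parse_display_device on the captured output after every Ctrl+Y and refuse to continue unless the returned unit is the one it intends to configure.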

1.1.3 Logging In to the AC6605 Through a Mini USB Port


This section describes how to connect a terminal to the AC6605 through a mini USB port.

Establishing the Configuration Task


Before logging in to the AC6605 through a mini USB port, familiarize yourself with the
applicable environment, complete the pre-configuration tasks, and obtain the data required for
the configuration. This will help you complete the configuration task quickly and accurately.

Applicable Environment
When the AC6605 is powered on for the first time, log in to the AC6605 through a mini USB
port to configure and manage the AC6605.

Pre-Configuration Tasks
Before logging in to the AC6605 through a mini USB port, complete the following tasks:
l Installing a terminal emulation program on the PC (for example, Windows XP HyperTerminal)
l Preparing a mini USB cable

Data Preparation
To log in to the AC6605 through a mini USB port, you need the following data.
Data
Terminal communication parameters, including the baud rate, data bit, parity bit, stop bit, and
flow control mode

Establishing a Physical Connection


This section describes how to use a mini USB cable to connect the AC6605 mini USB port to a
PC USB port.

Procedure
Step 1 Power on all the devices to perform a self-check.
Step 2 Use a mini USB cable to connect a PC USB port to the AC6605 mini USB port.
----End

Installing the MiniUSB Driver


This section describes how to install the MiniUSB driver on a PC so that the PC can discover
and identify the AC6605.

Context
The AC6605 driver supports only the Windows XP, Windows Vista, and Windows 7 operating
systems.
NOTE

To obtain the MiniUSB driver, log in to http://support.huawei.com/enterprise, choose SUPPORT >
Product Software > Enterprise Networking > WLAN > AC > AC6605, and download
AC6605MiniUSB-driver.001.zip for the required version of the AC6605.

Procedure
Step 1 Double-click the driver installation file on the PC and click Next, as shown in Figure 1-4.

Figure 1-4 Running a driver on the PC

Step 2 Select I accept the terms of the License Agreement and click Next, as shown in Figure 1-5.

Figure 1-5 Accepting the terms in the license agreement

Step 3 Click Browse to change the driver directory, and click Install, as shown in Figure 1-6.

Figure 1-6 Specifying the driver directory

Step 4 Click Install and decompress the driver. When the system finishes decompressing the driver,
click Finish, as shown in Figure 1-7.

Figure 1-7 Finishing decompressing the driver

Step 5 Find the TUSB3410 Single Driver Installer folder in the specified driver directory, and double-click setup.exe.
Step 6 Click Next. Select I accept the terms of the License Agreement and click Next to install the
driver.
Step 7 Click Finish to finish installing the driver.
Step 8 Right-click My Computer, and choose Manage -> Device Manager -> Ports(COM&LPT).
The TUSB3410 Device is displayed, indicating an AC6605.
NOTE

If there is no TUSB3410 device in the device manager, reinstall the driver or use another mini USB cable
to connect the AC6605 to the PC.

----End

Logging In to the AC6605


You can log in to the AC6605 from a PC through a mini USB port to configure and manage the
AC6605 that is powered on for the first time.

Procedure
Step 1 Run a terminal emulation program (for example, Windows XP HyperTerminal) on the PC and
establish a connection, as shown in Figure 1-8.
Figure 1-8 Establishing a connection

Step 2 Specify a connection port. If the connection port is a mini USB port, select COM3, as shown
in Figure 1-9.
Figure 1-9 Configuring the connection port

Step 3 Set parameters for the connection port. Click Restore Defaults to restore the parameters to their
default settings, as shown in Figure 1-10.

Figure 1-10 Setting communication parameters

Step 4 Press Enter. At the following command-line prompt, set an authentication password. The system
automatically saves the set password.
Please configure the login password (maximum length 16)
Enter Password:
Confirm Password:
NOTE

After the password for the user interface is set successfully during the first login, you must enter this
password for authentication whenever you log in to the system again in password authentication mode
using this user interface.

----End

1.2 CLI Overview


The command line interface (CLI) is used to configure and maintain devices.

1.2.1 CLI Introduction


After you log in to the Switch, a prompt is displayed and you can use the command line interface
(CLI). Users can interact with the Switch through the CLI.


Command Line Interface


You can use CLI commands to configure and manage the Switch.
The CLI provides users access to a number of features and capabilities:
- Local configuration through the console port.
- Local or remote configuration through Telnet or Secure Shell (SSH).
- The telnet command for directly logging in to and managing other Switches.
- FTP service for file uploads and downloads.
- A user interface view for specific configuration management.
- Hierarchical command protection structure giving certain levels of users permission to run
  certain levels of commands.
- Two authentication modes are supported, namely, password authentication and Authentication,
  Authorization, and Accounting (AAA) authentication. Password and AAA authentication protect
  system security by prohibiting unauthorized users from logging in to the Switch.
- Entering "?" for online help at any time.
- A command line interpreter provides intelligent text entry methods such as keyword fuzzy
  match and context conjunction. These methods help users to enter commands easily and
  correctly.
- Network test commands such as tracert and ping for fast network diagnostics.
- Abundant debugging information to assist with network diagnostics.
- Running a command used previously on the device, like DosKey.


NOTE

- The system supports commands that contain a maximum of 512 characters. A command does not have
  to be entered in full, as long as the part of the command entered is unique within the system. For
  example, to use the display current-configuration command, entering d cu, di cu, or dis cu will run
  the command. Entering d c or dis c will not run the command, because these entries are not unique to
  the command.
- The system saves the complete form of incomplete commands to configuration files. Saved commands
  may have more than 512 characters. When the system is restarted, incomplete commands cannot be
  restored. Therefore, pay attention to the length of incomplete commands before saving them.

Command Levels
The system structures access to command functions hierarchically to protect system security.
The system administrator sets user access levels that grant specific users access to specific
command levels.
By default, the command level of a user is a value ranging from 0 to 3, and the user access level
is a value ranging from 0 to 15. Table 1-1 lists the association between user access levels and
command levels.


Table 1-1 Association between user access levels and command levels

User level 0, command level 0: Visit level
    This level gives access to commands that run network diagnostic tools (such as ping and
    tracert), commands that start from a local device and visit external devices (such as the
    Telnet client side), and a part of the display commands.

User level 1, command levels 0 and 1: Monitoring level
    This level gives access to commands, like the display command, that are used for system
    maintenance and fault diagnosis.
    NOTE
    Some display commands are not at this level. For example, the display current-configuration
    and display saved-configuration commands are at level 3. For details about command levels,
    see the AC6605 Command Reference.

User level 2, command levels 0, 1, and 2: Configuration level
    This level gives access to commands that configure network services provided directly to
    users, including routing and network layer commands.

User levels 3-15, command levels 0, 1, 2, and 3: Management level
    This level gives access to commands that control basic system operations and provide support
    for services. These commands include file system commands, FTP commands, TFTP commands,
    configuration file switching commands, power supply control commands, backup board control
    commands, user management commands, level setting commands, system internal parameter
    setting commands, and debugging commands for fault diagnosis.

To implement efficient management, you can increase the command levels to 0-15. For the
increase in the command levels, refer to Chapter 4 "Basic Configuration" Configuring
Command Levels in the AC6605 Configuration Guide - Basic Configurations.
NOTE

- The default command level may be higher than the command level defined according to the command
  rules in application.
- Login users have 16 levels. A login user can run only commands whose levels are equal to or lower
  than the user's own level. The user privilege level level command sets the user level.

Command Views
The command line interface has different command views. All the commands must register in
one or more command views. You can run a command only when you enter the corresponding
command view.

Basic Concepts of Command Views


# Establish connection with the Switch. If the Switch adopts the default configuration, you can
enter the user view with the prompt of <Quidway>.

<Quidway>

# Type system-view, and you can enter the system view.


<Quidway> system-view
[Quidway]

# Type aaa in the system view, and you can enter the AAA view.
[Quidway] aaa
[Quidway-aaa]
NOTE

The prompt <Quidway> indicates the default Switch name. The prompt <> indicates the user view and the
prompt [] indicates other views.

Some commands that are implemented in the system view can also be implemented in the other
views; however, the functions that can be implemented are command view-specific.

Common Views
The AC6605 provides various command line views. For the methods of entering the command
line views except the following views, see the Quidway AC6605 Access Controller Command
Reference.

User View
    Function: Displays the running status and statistics of the AC6605.
    Entry command: Enters the user view after the connection is set up.
    Prompt upon entry: <Quidway>
    Quit command: <Quidway> quit
    Prompt upon quit: None.

System View
    Function: Sets the system parameters of the AC6605, and enters other function views from
    this view.
    Entry command: <Quidway> system-view
    Prompt upon entry: [Quidway]
    Quit command: [Quidway] quit
    Prompt upon quit: <Quidway>


Ethernet Interface View

GE interface view
    Function: Configures related parameters about the GE interfaces of the AC6605 and manages
    the GE interfaces.
    Entry command: [Quidway] interface GigabitEthernet X/Y/Z
    Prompt upon entry: [Quidway-GigabitEthernetX/Y/Z]
    Quit command: [Quidway-GigabitEthernetX/Y/Z] quit
    Prompt upon quit: [Quidway]

NOTE

X/Y/Z indicates the number of a GE interface that needs to be configured. It is in the format of
slot number/sub card number/interface sequence number.

1.2.2 Online Help


When inputting command lines or configuring services, you can use the online help to obtain
real-time help.

Full Help
When you enter a command line, you can view the description of keywords or parameters in the
command line through the Full Help.
You can obtain full help from a command view in the following methods:
- In a command view, enter ? to obtain all the commands in this command view and
  descriptions of the commands.
  <Quidway> ?
- Enter a command and a ? separated by a space. If a keyword is in place of the ?, all keywords
  and their descriptions are listed. Here is an example.
  [Quidway-ui-vty0] authentication-mode ?
    aaa       AAA authentication
    password  Authentication through the password of a user terminal interface
  [Quidway-ui-vty0] authentication-mode aaa ?
    <cr>
  [Quidway-ui-vty0] authentication-mode aaa
  aaa and password are keywords. AAA authentication and Authentication through the
  password of a user terminal interface are the descriptions of the two keywords.
  <cr> indicates that no keyword or parameter is in this position and you can press Enter to
  repeat the command in the next command line.
- Enter a command and a ? separated by a space. If a parameter is in place of the ?, all
  parameters and their descriptions are listed. Here is an example.
  <Quidway> system-view
  [Quidway] sysname ?
    TEXT  Host name(1 to 246 characters)
  TEXT is a parameter and Host name (1 to 246 characters) is the description.

Partial Help
If you enter only the first or first several characters of a command, partial help provides keywords
that begin with this character or character string.

Procedure
- Use any of the following methods to obtain partial help from a command line.
  - Enter a character string followed directly by a question mark (?) to display all commands
    that begin with this character string.
    <Quidway> d?
    debugging    delete
    dir          display
  - Enter a command and a character string followed directly by a question mark (?) to
    display all keywords that begin with this character string.
    <Quidway> display b?
    bfd          bgp
    bootrom      bpdu
    bpdu-tunnel  bridge
    buffer
  - Enter the first several letters of a keyword in the command and then press Tab to display
    a complete keyword. A complete keyword is displayed only if the partial string of letters
    uniquely identifies a specific keyword. If they do not identify a specific keyword,
    continuing to press Tab will display different keywords. You can select the needed
    keyword.
----End

Error Messages of the Command Line Interface


If a command is entered and passes the syntax check, the system executes it. Otherwise, the
system reports an error message.
Table 1-2 lists common error messages.
Table 1-2 Common error messages of the command line

Error message                                        Cause of the error
Error: Unrecognized command found at '^' position.   The command cannot be found.
                                                     The keyword cannot be found.
Error: Wrong parameter found at '^' position.        Parameter type error.
                                                     Parameter value out of range.
Error: Incomplete command found at '^' position.     Incomplete command entered.
Error: Too many parameters found at '^' position.    Too many parameters entered.
Error: Ambiguous command found at '^' position.      Ambiguous parameters entered.
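The matching rules described above (a command runs only when every abbreviated keyword is unique, Tab expands to the unique keyword or to the shared prefix, and the parser answers Unrecognized, Ambiguous or Incomplete otherwise) as a small Python model. This is an added example, not Huawei code and not the AC6605's parser: COMMANDS is a constructed subset of the user view, and resolve, partial_help and question_mark are our own names.

```python
"""Model of the AC6605 CLI command-matching rules: unique prefix abbreviation
(d cu versus d c), Tab partial help, and the error classes of Table 1-2.
Added illustration, not Huawei code; the command table is a constructed
subset of the user view (keywords only, parameters are not modelled)."""
from os.path import commonprefix

# Constructed subset of the user-view command tree (assumption: the real tree
# is far larger, but these entries are enough to reproduce the page's examples).
COMMANDS = [
    ("display", "current-configuration"),
    ("display", "cpu-usage"),
    ("display", "clock"),
    ("display", "interface"),
    ("debugging", "arp"),
    ("dir",),
    ("delete",),
]


def candidates(tokens):
    """Commands whose keywords start with the typed tokens, position by position."""
    return [
        cmd for cmd in COMMANDS
        if len(tokens) <= len(cmd)
        and all(kw.startswith(tok) for tok, kw in zip(tokens, cmd))
    ]


def resolve(line):
    """Classify a typed line the way the parser does.

    Returns ("ok", full_command) when every token is a prefix that is unique
    at its position; otherwise ("unrecognized", None), ("ambiguous", None) or
    ("incomplete", None), matching 'Unrecognized command', 'Ambiguous command'
    and 'Incomplete command' in Table 1-2.
    """
    tokens = tuple(line.split())
    if not tokens:
        return ("incomplete", None)
    matches = candidates(tokens)
    if not matches:
        return ("unrecognized", None)
    # A token is ambiguous when it expands to more than one keyword at its
    # position: "d c" could be current-configuration, cpu-usage or clock.
    for pos in range(len(tokens)):
        if len({cmd[pos] for cmd in matches}) > 1:
            return ("ambiguous", None)
    complete = [cmd for cmd in matches if len(cmd) == len(tokens)]
    if not complete:
        return ("incomplete", None)
    return ("ok", " ".join(complete[0]))


def partial_help(line):
    """Model the Tab key of Table 1-3 for the last token of line.

    Returns the unique full keyword, or the longest common prefix of all
    matching keywords (the 'log' shared by logbuffer and loghost in 1.2.5),
    or None when no keyword matches.
    """
    tokens = tuple(line.split())
    if not tokens:
        return None
    matches = candidates(tokens)
    if not matches:
        return None
    keywords = sorted({cmd[len(tokens) - 1] for cmd in matches})
    return keywords[0] if len(keywords) == 1 else commonprefix(keywords)


def question_mark(line):
    """Model 'string?' partial help: the keywords at the last position that
    begin with the typed string, as for 'display c?'."""
    tokens = tuple(line.split())
    if not tokens:
        return sorted({cmd[0] for cmd in COMMANDS})
    return sorted({cmd[len(tokens) - 1] for cmd in candidates(tokens)})


if __name__ == "__main__":
    for typed in ("d cu", "dis cu", "d c", "dis c", "display", "dir", "xyz"):
        print(f"{typed!r:12} -> {resolve(typed)}")
    print(partial_help("display c"), partial_help("display cu"))
    print(question_mark("display c"))
```

The ambiguity check is per position: a prefix that is unique at its own position stays valid even when the same letters would be ambiguous elsewhere, which is why d cu resolves while d c does not.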

1.2.3 CLI Features


The CLI provides several features to help users flexibly use it.

Editing
The command line editing function allows you to edit command lines or obtain help by using
certain keys.
The command line of the AC6605 supports multi-line editing. The maximum length of each
command is 512 characters.
Keys for editing that are often used are shown in Table 1-3.
Table 1-3 Keys for editing

Common key
    Inserts a character at the current position of the cursor if the editing buffer is not full.
    The cursor then moves to the right. If the buffer is full, an alarm is generated.
Backspace
    Moves the cursor to the left and deletes the character at that position. When the cursor
    reaches the head of the command, an alarm is generated.
Left cursor key or Ctrl_B
    Moves the cursor to the left a single space at a time. When the cursor reaches the head of
    the command, an alarm is generated.
Right cursor key or Ctrl_F
    Moves the cursor to the right a single space at a time. When the cursor reaches the end of
    the command, an alarm is generated.
Tab
    Press Tab after typing a partial keyword and the system runs partial help:
    - If the matching keyword is unique, the system replaces the typed character string with a
      complete keyword and displays it in a new line with the cursor placed at the end of the
      word.
    - If there are several matches or no match, the system displays the prefix first. Then you
      can press Tab to view any matching keywords one at a time. The cursor directly follows
      the end of the word. You can press the spacebar to enter the next word.
    - If a non-existent or incorrect keyword is entered, press Tab and the word is displayed on
      a new line.


Displaying
Command lines have a feature to control how they are displayed. You can set the command line
display mode as required.
You can control the display of information on the CLI as follows:
- If output information cannot be displayed on a full screen, you have three viewing options,
  as shown in Table 1-4.

Table 1-4 Display keys

Ctrl_C
    Stops the display and the running of a command.
    NOTE
    You can also press any of the keys except the spacebar and Enter key to stop the display
    and the running of a command.
Space
    Allows information to be displayed on the next screen.
Enter
    Allows information to be displayed on the next line.

Regular Expressions
A regular expression describes a set of strings. It consists of common characters (such as letters
from "a" to "z") and special characters (called metacharacters). The regular expression is a
template upon which you can base to search for required strings. Users can use regular
expressions to filter output to locate needed information quickly.
A regular expression provides the following functions:
- Search for sub-strings that match a rule in the main string.
- String substitution based on specific matching rules.

Formal Language Theory of the Regular Expression


A regular expression consists of common characters and special characters.
- Common characters
  Common characters, including all upper-case and lower-case letters, digits, punctuation
  marks, and special symbols, match themselves in a string. For example, "a" matches the
  letter "a" in "abc", "202" matches the digit "202" in "202.113.25.155", and "@" matches
  the symbol "@" in "xxx@xxx.com".
- Special characters
  Special characters are used together with common characters to match complex or special
  string combinations. Table 1-5 describes special characters and their syntax.


Table 1-5 Description of special characters

\
    Syntax: Defines an escape character, which is used to mark the next character (common or
    special) as a common character.
    Example: \* matches "*".
^
    Syntax: Matches the starting position of the string.
    Example: ^10 matches "10.10.10.1" instead of "20.10.10.1".
$
    Syntax: Matches the ending position of the string.
    Example: 1$ matches "10.10.10.1" instead of "10.10.10.2".
*
    Syntax: Matches the preceding element zero or more times.
    Example: 10* matches "1", "10", "100", and "1000".
    (10)* matches "null", "10", "1010", and "101010".
+
    Syntax: Matches the preceding element one or more times.
    Example: 10+ matches "10", "100", and "1000".
    (10)+ matches "10", "1010", and "101010".
?
    Syntax: Matches the preceding element zero or one time.
    Example: 10? matches "1" and "10".
    (10)? matches "null" and "10".
    NOTE
    Huawei datacom devices do not support regular expressions with ?. When regular expressions
    with ? are entered on Huawei datacom devices, helpful information is provided.
.
    Syntax: Matches any single character.
    Example: 0.0 matches "0x0" and "020".
    .oo matches "book", "look", and "tool".
()
    Syntax: Defines a subexpression, which can be null. Both the expression and the
    subexpression should be matched.
    Example: 100(200)+ matches "100200" and "100200200".
x|y
    Syntax: Matches x or y.
    Example: 100|200 matches "100" or "200".
    1(2|3)4 matches "124" or "134", instead of "1234", "14", "1224", and "1334".
[xyz]
    Syntax: Matches any single character in the regular expression.
    Example: [123] matches the character 2 in "255".
[^xyz]
    Syntax: Matches any character that is not contained within the brackets.
    Example: [^123] matches any character except for "1", "2", and "3".
[a-z]
    Syntax: Matches any character within the specified range.
    Example: [0-9] matches any character ranging from 0 to 9.
[^a-z]
    Syntax: Matches any character beyond the specified range.
    Example: [^0-9] matches all non-numeric characters.
_
    Syntax: Matches a comma ",", left brace "{", right brace "}", left parenthesis "(", and
    right parenthesis ")". Also matches the starting position of the input string, the ending
    position of the input string, and a space.
    Example: _2008_ matches "2008", "space 2008 space", "space 2008", "2008 space", ",2008,",
    "{2008}", "(2008)", "{2008", and "(2008}".

NOTE

Unless otherwise specified, all characters in the preceding table are displayed on the screen.

Degeneration of special characters

Special characters are those listed in Table 1-5. A special character becomes a common
character when it follows \. In the following situations, the special characters listed in
Table 1-6 also function as common characters.
- When the special character "*", "+", or "?" is placed at the starting position of the
  regular expression, it becomes a common character. For example, +45 matches "+45" and
  abc(*def) matches "abc*def".
- When the special character "^" is placed at any position except for the start of the
  regular expression, it becomes a common character. For example, abc^ matches "abc^".
- When the special character "$" is placed at any position except for the end of the
  regular expression, it becomes a common character. For example, 12$2 matches "12$2".
- When a right parenthesis ")" or right bracket "]" is not paired with a corresponding left
  parenthesis "(" or bracket "[", it becomes a common character. For example, abc) matches
  "abc)" and 0-9] matches "0-9]".
NOTE

Unless otherwise specified, degeneration rules also apply when the preceding regular expressions are
subexpressions within parentheses.

Combinations of common and special characters


In actual usage, regular expressions combine multiple common and special characters to
match certain strings.


Regular Expression Examples

The key to using regular expressions is to design accurate regular expressions. Table 1-6 shows
how to design regular expressions using special characters and describes the meaning of those
regular expressions.
Table 1-6 Regular expression examples

^100
    Matches strings beginning with 100, for example, 100085.
200$
    Matches strings ending with 200, for example, 255.255.100.200.
[0-9]+
    Matches strings of repeated digits ranging from 0 to 9, for example, 007.
(abc)*
    Matches strings with abc occurring zero or more times, for example, d and dabc.
^100([0-9]+)*200$
    Matches strings beginning with 100 and ending with 200, and with zero or several digits in
    the middle, for example, 100200.
Windows_(95|98|2000|XP))
    Matches Windows 95, Windows 98, Windows 2000, or Windows XP.
100[^0-9]?
    Matches strings beginning with 100 followed by zero or one non-digit character, for example,
    100 or 100@.
.\.\*
    Matches a string beginning with a single character except \n followed by . and *, for
    example, 1.* or a.*.
^172\.18\.(10)\.([0-9]+)$
    Matches an IP address in a line, for example, 172.18.10.X.
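The dialect of Table 1-5, the degeneration rules and the examples of Table 1-6, brought together in one added Python example (not Huawei code, and not the device's own engine): to_python_regex rewrites a device-style expression into a Python re pattern by applying the degeneration rules and the "_" metacharacter exactly as the guide states them, and check_examples runs the page's own examples through it. Names, the "must not match" strings and the UNDERSCORE expansion are our own assumptions. Two caveats from the text carry over: the NOTE says "?" cannot be entered on the device because it triggers online help, so the "?" rows are only meaningful offline; and the Table 1-6 entry Windows_(95|98|2000|XP)) carries an unpaired trailing ")", which the degeneration rule turns into a common character, so the Windows check below uses the paired form.

```python
"""Translator from the AC6605 regular-expression dialect of Table 1-5 and the
degeneration rules into a Python re pattern, checked against the page's own
examples. Added illustration, not Huawei code: it models the rules as the
guide states them, not the device's actual engine."""
import re

# Assumption: the dialect's "_" stands for a comma, brace, parenthesis or
# space, or the start or end of the input string (Table 1-5, last row).
UNDERSCORE = r"(?:[,{}() ]|^|$)"


def to_python_regex(expr):
    """Escape the characters that the guide says degenerate into common ones."""
    out = []
    depth = 0           # "(" still open, so a ")" can pair with it
    in_bracket = False  # inside [...], where nothing degenerates
    at_start = True     # start of the expression or of a "(" subexpression
    n, i = len(expr), 0
    while i < n:
        c = expr[i]
        if c == "\\" and i + 1 < n:
            out.append(expr[i:i + 2])   # explicit escape: keep both chars
            i += 2
            at_start = False
            continue
        if in_bracket:
            if c == "]":
                in_bracket = False
            out.append(c)
        elif c == "[":
            in_bracket = True
            out.append(c)
        elif c == "]":
            out.append(r"\]")           # unpaired "]" is a common character
        elif c == "(":
            depth += 1
            out.append(c)
            i += 1
            at_start = True             # so abc(*def) keeps "*" literal
            continue
        elif c == ")":
            if depth:
                depth -= 1
                out.append(c)
            else:
                out.append(r"\)")       # unpaired ")" is a common character
        elif c in "*+?" and at_start:
            out.append("\\" + c)        # leading quantifier is literal (+45)
        elif c == "^" and i != 0:
            out.append(r"\^")           # "^" anchors only at position 0
        elif c == "$" and i != n - 1:
            out.append(r"\$")           # "$" anchors only at the end
        elif c == "_":
            out.append(UNDERSCORE)
        else:
            out.append(c)
        i += 1
        at_start = False
    return "".join(out)


def device_search(expr, text):
    """True when expr (device dialect) matches anywhere in text, which is the
    test the '| include' filter applies to each output line."""
    return re.search(to_python_regex(expr), text) is not None


# (expression, must match, must not match): the expressions and the "must
# match" strings come from Tables 1-5 and 1-6 and the degeneration examples;
# the "must not match" strings are our own constructed additions.
PAGE_EXAMPLES = [
    (r"\*", ["*"], ["x"]),
    ("^10", ["10.10.10.1"], ["20.10.10.1"]),
    ("1$", ["10.10.10.1"], ["10.10.10.2"]),
    ("(10)*", ["", "10", "101010"], []),
    ("10+", ["10", "100", "1000"], ["1"]),
    ("1(2|3)4", ["124", "134"], ["1234", "14", "1224", "1334"]),
    ("[^123]", ["1234"], ["123"]),
    ("_2008_", ["2008", " 2008 ", "{2008}", "(2008}"], ["x2008y"]),
    ("+45", ["+45"], ["45"]),
    ("abc(*def)", ["abc*def"], ["abcdef"]),
    ("abc^", ["abc^"], ["abc"]),
    ("12$2", ["12$2"], ["122"]),
    ("0-9]", ["0-9]"], ["5"]),
    ("^100([0-9]+)*200$", ["100200", "1005200"], ["1002001"]),
    ("100[^0-9]?", ["100", "100@"], ["99"]),
    (r".\.\*", ["1.*", "a.*"], ["1.x"]),
    (r"^172\.18\.(10)\.([0-9]+)$", ["172.18.10.5"], ["172.18.11.5"]),
]


def check_examples():
    """Return the (expr, text, expected) triples where the translator disagrees
    with the page; an empty list means every example behaves as described."""
    failures = []
    for expr, yes, no in PAGE_EXAMPLES:
        failures += [(expr, t, True) for t in yes if not device_search(expr, t)]
        failures += [(expr, t, False) for t in no if device_search(expr, t)]
    return failures
```

Because "^" and "$" only anchor at the very ends, an expression such as 12$2 is a literal search; when a filter is meant to match a whole line (for example an exact interface name), the anchors must be the first and last characters of the expression.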

Specifying a Filtering Mode in a Command

CAUTION
The AC6605 uses a regular expression to implement the pipe character filtering function. A
display command supports the pipe character only when there is excessive output information.
When filtering conditions are set to query output, the first line of the command output starts with
information containing the regular expression.
Some commands can carry the parameter | count to display the number of matching entries. The
parameter | count can be used together with other parameters.
For commands that support regular expressions, three filtering methods are as follows:


- | begin regular-expression: displays information that begins with the line that matches the
  regular expression.
- | exclude regular-expression: displays information that excludes the lines that match the
  regular expression.
- | include regular-expression: displays information that includes the lines that match the
  regular expression.
NOTE

The value of regular-expression is a string of 1 to 255 characters.

Specify a Filtering Mode When Information Is Displayed Screen by Screen


NOTE

When the output of the following commands is displayed screen by screen, you can specify a filtering
mode:
- display current-configuration
- display interface
- display arp

When a lot of information is displayed screen by screen, you can specify a filtering mode in the
prompt "---- More ----".
- /regular-expression: displays the information that begins with the line that matches the
  regular expression.
- -regular-expression: displays the information that excludes lines that match the regular
  expression.
- +regular-expression: displays the information that includes lines that match the regular
  expression.
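The three filtering modes (| begin, | exclude, | include), the | count parameter and their one-character equivalents at the "---- More ----" prompt, as an added Python example applied to constructed sample output. This is not Huawei code: the sample lines are made up, Python's re stands in for the device's expression engine, and pipe_filter, pipe_count, more_prompt_filter and MORE_PROMPT_MODES are our own names.

```python
"""The AC6605 pipe filtering modes and | count, applied to constructed sample
display output. Added illustration, not Huawei code; plain Python re stands
in for the device's regular-expression engine."""
import re

# Constructed sample of display output (not captured from a real AC6605).
SAMPLE_OUTPUT = """\
Interface                   PHY   Protocol
GigabitEthernet0/0/1        up    up
GigabitEthernet0/0/2        down  down
GigabitEthernet0/0/3        up    up
MEth0/0/1                   up    up
"""

# The "---- More ----" prompt uses one-character prefixes for the same modes.
MORE_PROMPT_MODES = {"/": "begin", "-": "exclude", "+": "include"}


def pipe_filter(output, mode, expr):
    """Apply '| begin', '| exclude' or '| include' to the output lines.

    begin   -> every line from the first matching line onward
    exclude -> every line that does not match
    include -> every line that matches
    A match is a search anywhere in the line, so anchoring needs ^ or $.
    The NOTE above limits regular-expression to 1 to 255 characters.
    """
    if not 1 <= len(expr) <= 255:
        raise ValueError("regular-expression must be 1 to 255 characters")
    pattern = re.compile(expr)
    lines = output.splitlines()
    if mode == "begin":
        for index, line in enumerate(lines):
            if pattern.search(line):
                return lines[index:]
        return []
    if mode == "exclude":
        return [line for line in lines if not pattern.search(line)]
    if mode == "include":
        return [line for line in lines if pattern.search(line)]
    raise ValueError(f"unknown filtering mode: {mode}")


def pipe_count(output, mode, expr):
    """'| count' combined with a filter: the number of lines the filter leaves."""
    return len(pipe_filter(output, mode, expr))


def more_prompt_filter(output, entry):
    """Interpret an entry typed at '---- More ----': '/expr', '-expr' or '+expr'."""
    if not entry or entry[0] not in MORE_PROMPT_MODES:
        raise ValueError("entry must start with /, - or +")
    return pipe_filter(output, MORE_PROMPT_MODES[entry[0]], entry[1:])


if __name__ == "__main__":
    # Equivalent to appending "| include down" to the display command.
    for line in pipe_filter(SAMPLE_OUTPUT, "include", "down"):
        print(line)
    print(pipe_count(SAMPLE_OUTPUT, "include", "^GigabitEthernet"))
```

Note that | begin keeps everything from the first match onward, including later lines that do not match; it is a positioning filter, not a selection filter like | include.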

Previously-Used Commands
The CLI provides a function similar to DosKey that automatically saves any command used on
the device. If you need to run a command that has been previously executed, you can use this
function to call up the command.
By default, the system saves 10 previously-used commands for each user. You can run the
history-command max-size size-value command in the user view to set the number of
previously-used commands saved by the system. A maximum of 256 previously-used commands
can be saved.
NOTE

Setting the number of saved previously-used commands to a reasonably low value is recommended. If a
large number of previously-used commands are saved, locating a command can be time-consuming and
affect efficiency.

The operations are shown in Table 1-7.

Table 1-7 Access the previously-used commands

Action: Display previously-used commands.
    Key or command: display history-command [ all-users ]
    Result: Displays previously-used commands entered by users.
Action: Access the last previously-used command.
    Key or command: Up cursor key or Ctrl_P
    Result: Displays the last previously-used command if there is an earlier previously-used
    command. Otherwise, an alarm is generated.
Action: Access the next previously-used command.
    Key or command: Down cursor key or Ctrl_N
    Result: Displays the next previously-used command if there is a later previously-used
    command. Otherwise, the command is cleared and an alarm is generated.

NOTE

Windows 9X defines keys differently and the cursor keys cannot be used with Windows 9X
HyperTerminal. You may use Ctrl_P instead.

When you use previously-used commands, note the following points:
- Previously-used commands are saved exactly as they are entered by users. For example, if
  a user enters an incomplete command, the saved command is also incomplete.
- A command is saved the first time it is run and subsequent runs are not saved. If a
  command is entered in different forms or with different parameters, each entry is considered
  to be a different command.
  For example, if the display ip routing-table command is run several times, only one
  previously-used command is saved. If the disp ip routing command and the display ip
  routing-table command are run, two previously-used commands are saved.

1.2.4 Shortcut Keys


System or user-defined shortcut keys make it easier to enter commands.

System Shortcut Keys

System-defined shortcut keys have fixed functions. Table 1-8 lists the system-defined
shortcut keys.
NOTE

Different terminal software defines these keys differently. The shortcut keys on your terminal may be
different than those listed in this section.


Table 1-8 System-defined shortcut keys

Key           Function
CTRL_A        The cursor moves to the beginning of the current line.
CTRL_B        The cursor moves to the left one space at a time.
CTRL_C        Terminates the running function.
CTRL_D        Deletes the character where the cursor lies.
CTRL_E        The cursor moves to the end of the current line.
CTRL_F        The cursor moves to the right one space at a time.
CTRL_H        Deletes one character to the left of the cursor.
CTRL_K        Stops the creation of the outbound connection.
CTRL_N        Displays the next command in the previously-used command buffer.
CTRL_P        Displays the previous command in the previously-used command buffer.
CTRL_R        Repeats the display of the information of the current line.
CTRL_T        Terminates the outbound connection.
CTRL_V        Pastes the contents on the clipboard.
CTRL_W        Deletes a character string or character to the left of the cursor.
CTRL_X        Deletes all the characters to the left of the cursor.
CTRL_Y        Deletes all the characters to the right of the cursor.
CTRL_Z        Returns to the user view.
CTRL_]        Terminates the inbound or redirection connections.
ESC_B         The cursor moves to the left by one word.
ESC_D         Deletes a word to the right of the cursor.
ESC_F         The cursor moves to the right to the end of the next word.
ESC_N         The cursor moves downward to the next line.
ESC_P         The cursor moves upward to the previous line.
ESC_SHIFT_<   Sets the position of the cursor to the beginning of the clipboard.
ESC_SHIFT_>   Sets the position of the cursor to the end of the clipboard.

1.2.5 Configuration Examples


This section provides several examples that illustrate the use of command lines.

Example for Using the Tab Key


You can obtain prompts on keywords or check whether the entered keywords are correct by
pressing Tab.

Procedure
- If only one keyword contains the incomplete keyword, do as follows on the AC6605.
  1. Enter an incomplete keyword.
     [Quidway] info-
  2. Press Tab.
     The system replaces the incomplete keyword with a complete keyword and displays
     the complete keyword in another line. There is only one space between the cursor and
     the end of the keyword.
     [Quidway] info-center
- If more than one keyword contains the incomplete keyword, do as follows on the AC6605.
  # The keyword info-center can be followed by the following keywords.
  [Quidway] info-center log?
  logbuffer    loghost
  1. Enter an incomplete keyword.
     [Quidway] info-center l
  2. Press Tab.
     The system displays the prefix of all the matched keywords. The prefix in this example
     is log.
     [Quidway] info-center log
  3. Continue to press Tab to display all the keywords. There is no space between the
     cursor and the end of the keywords.
     [Quidway] info-center loghost
     [Quidway] info-center logbuffer
     Stop pressing Tab when you find the required keyword logbuffer.
  4. Enter a space and enter the next keyword channel.
     [Quidway] info-center logbuffer channel
----End

1.3 How to Use Interfaces


This chapter describes the concept of the interface and the basic configuration about the interface.

1.3.1 Introduction to Interfaces


This section describes different types of interfaces. The interfaces are provided by the
AC6605 to receive and send data.

Interfaces are classified into management interfaces and service interfaces based on their
functions; interfaces are classified into physical interfaces and logical interfaces based on their
physical forms.
NOTE

A physical interface is sometimes called a port. Both physical interfaces and logical interfaces are called
interfaces in this document.

Management Interface
Management interfaces are used to manage and configure a device. You can log in to the
AC6605 through a management interface to configure and manage the AC6605. Management
interfaces do not transmit service data.
The AC6605 provides a console interface and an MEth interface as the management interfaces.
Table 1-9 Description of management interfaces

Console interface
    Description: The console interface complies with the EIA/TIA-232 standard and the
    interface type is DCE.
    Usage: The console interface is connected to the COM serial port of a configuration
    terminal. It is used to set up the onsite configuration environment.
MEth interface
    Description: The MEth interface complies with the 10/100BASE-TX standard.
    Usage: The MEth interface can be connected to the network interface of a configuration
    terminal or network management workstation. It is used to set up the onsite or remote
    configuration environment.

The following table shows the rule for numbering management interfaces.
Table 1-10 Management interface numbers

Name                 Number
Console interface    Console 0
MEth interface       MEth 0/0/1

Classification of Service Interfaces


Service interfaces are used to transmit service data. They are classified into 100 Mbit/s interfaces,
1 Gbit/s interfaces and 10 Gbit/s interfaces according to their rates; they are classified into
electrical interfaces and optical interfaces according to their electrical properties.
The rules for numbering service interfaces are as follows:
Interfaces are numbered in the format slot ID/subcard ID/interface sequence number.
- Slot ID: indicates the slot where an interface is located. The value is 0.
- Subcard ID: indicates the subcard where an interface is located. The value is 0.
- Interface sequence number: indicates the sequence number of an interface.

Table 1-11 FE and GE interface numbering rule

Figure of Interface Numbering: (figure not reproduced in this text)
Description: The AC6605 has two rows of service interfaces with the lower-left interface
numbered 1. The other interfaces are numbered in ascending order from bottom to top, and then
from left to right. For example, the upper-left interface is numbered 0/0/2.

Physical Interfaces
Physical interfaces are interfaces that actually exist on the AC6605.
Physical interfaces include management interfaces and service interfaces.
The AC6605 supports the following physical interfaces:
l

Console interface

MEth interface

Fast Ethernet interface

Gigabit Ethernet interface

Logical Interfaces
Logical interfaces do not physically exist and are set up by configuration.
The AC6605 supports the following logical interfaces:
l Eth-Trunk
The Eth-Trunk consists of Ethernet links only.
The Eth-Trunk technique has the following advantages:
Increased bandwidth: The bandwidth of an Eth-Trunk is the total bandwidth of all member interfaces.
Improved reliability: When a link fails, traffic is automatically switched to other available links. This ensures link reliability.
For details about the Eth-Trunk configuration, see "Configuring the Eth-Trunk" in the AC6605 Access Controller Configuration Guide - Ethernet.
l Loopback interface
A loopback interface is a virtual interface. The TCP/IP protocol suite defines the IP address 127.0.0.0 as a loopback address. When the system starts, it automatically creates an interface using the loopback address 127.0.0.1 to receive all data packets sent to the local device.
Some applications, such as mutual access between virtual private networks, need a local interface with a specified IP address without affecting the configuration of physical interfaces. This IP address has a 32-bit mask (to save IP addresses) and can be advertised by routing protocols.
The status of a loopback interface is always Up; therefore, the IP address of the loopback interface can be used as the router ID or the label switching router (LSR) ID, or be bound to a tunnel.
For details, see 1.3.3 Configuring the Loopback Interface.
l Null interface
Null interfaces are similar to the null devices supported by certain operating systems. Any data packets sent to a null interface are discarded. Null interfaces are used for route selection and policy-based routing (PBR). For example, if a packet matches no route during route selection, the packet is sent to the null interface.
l Tunnel interface
Tunnel interfaces are used to establish IPv6 over IPv4 tunnels.
l VLANIF interface
When the AC6605 needs to communicate with devices at the network layer, you can create a logical interface of the Virtual Local Area Network (VLAN) on the AC6605, namely, a VLANIF interface. You can assign IP addresses to VLANIF interfaces because VLANIF interfaces work at the network layer. The AC6605 then communicates with devices at the network layer through VLANIF interfaces.
For details about the configuration, see "Creating a VLANIF Interface" in the AC6605 Access Controller Configuration Guide - Ethernet.

1.3.2 Setting Basic Parameters of an Interface


This section describes how to set the basic parameters of an interface.

Establishing the Configuration Task


Before configuring advanced functions of an interface such as the working mode and routes,
you need to complete the basic configuration of the interface.

Applicable Environment
To facilitate the configuration and maintenance of an interface, the AC6605 provides interface
views. The commands related to the interface are valid only in the interface views.
The basic interface configurations include entering an interface view, configuring interface
description, enabling an interface, and disabling an interface.

Pre-configuration Tasks
Installing the LPU on the AC6605

Data Preparation
To set parameters of an interface, you need the following data.
No.  Data
1    Type and number of the interface to be configured
2    Description of the interface

Entering the Interface View


To configure an interface, you need to enter the interface view.

Context
Do as follows on the AC6605.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
interface interface-type interface-number

The view of a specified interface is displayed.


interface-type specifies the type of the interface and interface-number specifies the number of
the interface.
----End

Viewing All the Commands in the Interface View


After entering the interface view, you can view all the commands in the interface view.

Context
Do as follows on the AC6605.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
interface interface-type interface-number

The view of a specified interface is displayed.


Step 3 Run:
?


All the commands in the view of the specified interface are displayed.
----End

Configuring the Description for an Interface


The description configured for an interface on the AC6605 helps you identify and memorize the
usage of the interface, which facilitates the management.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
interface interface-type interface-number

The view of a specified interface is displayed.


Step 3 Run:
description description

The description is configured for the interface.


----End

Starting and Shutting Down an Interface


When a physical interface is idle and is not connected to a cable, shut down this interface to protect it against interference. To use an interface that has been shut down, you need to start it again.

Context
NOTE

l A null interface is always Up and cannot be shut down by command.


l A loopback interface is always Up and cannot be shut down by command.

Procedure
l Shutting down the interface
Do as follows on the AC6605.
1. Run:
system-view

The system view is displayed.

2. Run:
interface interface-type interface-number

The view of a specified interface is displayed.

3. Run:
shutdown

The interface is shut down.

NOTE

By default, an interface is enabled.

l Starting an interface
Do as follows on the AC6605.
1. Run:
system-view

The system view is displayed.

2. Run:
interface interface-type interface-number

The view of a specified interface is displayed.

3. Run:
undo shutdown

The interface is started.

----End

Completing Advanced Configurations on an Interface


After configuring basic parameters on an interface, configure other interface parameters as
required.

Context
To access a network through an interface, configure advanced interface parameters based on the
networking requirements in addition to basic configurations on the interface.
Advanced configurations of an interface include:
l Working mode
l Routing configuration

For details about advanced configurations of an interface, see the AC6605 Access Controller
Configuration Guide - Ethernet and AC6605 Access Controller Configuration Guide - IP
Routing.

Checking the Configuration


After completing the basic configuration of an interface, you can use the display commands to
check the configuration.

Procedure
Step 1 Run the display interface [ interface-type [ interface-number ] ] command to check the running status of the interface and the statistics on the interface.
Step 2 Run the display interface description command to check the brief information about the interface.
Step 3 Run the display ip interface [ interface-type interface-number ] command to check the main configurations of the interface.
Step 4 Run the display ip interface brief [ interface-type interface-number ] command to check the brief state of the interface.
----End

1.3.3 Configuring the Loopback Interface


This section describes how to configure the loopback interface.

Establishing the Configuration Task


You can create or delete a loopback interface. Once created, the loopback interface remains in the Up state until you delete it.

Applicable Environment
Some applications, such as mutual access between virtual private networks, need a local interface with a specified IP address, without affecting the configuration of any physical interface. In this case, the IP address of the local interface needs to be advertised by routing protocols. Loopback interfaces are used to improve the reliability of the configuration.

Pre-configuration Tasks
Before configuring the loopback interface, complete the following task:
l Switching on the AC6605

Data Preparation
To configure the loopback interface, you need the following data.
No.  Data
1    Number of the loopback interface
2    IP address of the loopback interface

Configuring IPv4 Parameters of the Loopback Interface


A loopback interface can be assigned an IPv4 address, bound to a VPN instance, and configured
to check the source IPv4 addresses of packets.

Procedure
Step 1 Run:
system-view

The system view is displayed.



Step 2 Run:
interface loopback interface-number

A loopback interface is created.


The value of interface-number ranges from 0 to 1023. A maximum of 1024 loopback interfaces
can be created.
Step 3 Run:
ip address ip-address { mask | mask-length } [ sub ]

An IPv4 address is assigned to the loopback interface.


Step 4 (Optional) Run:
ip verify source-address

The loopback interface is configured to check the source IPv4 addresses of packets.
----End

Checking the Configuration


After configuring a loopback interface, run the following commands to check the configuration.

Procedure
Step 1 Run the display interface loopback [ number ] command to check the status of the loopback
interface.
----End

1.3.4 Maintaining the Interface


This section describes how to maintain the interface.

Clearing Statistics Information on the Interface


The statistics on the interface cannot be restored after you clear them, so confirm the action before you run the command.

Procedure
Step 1 Run the reset counters interface [ interface-type [ interface-number ] ] command in the user
view to clear the statistics on the interface.
----End

1.4 Basic Configuration


This chapter describes how to configure the Switch to work properly in the network environment
and to suit your needs.


1.4.1 Configuring the Basic System Environment


This section describes how to configure the basic system environment.

Establishing the Configuration Task


Before configuring the basic system environment, familiarize yourself with the applicable
environment, complete the pre-configuration tasks, and obtain any data required for the
configuration. This will help you complete the configuration task quickly and correctly.

Applicable Environment
Before configuring services, you need to configure the basic system environment (for example,
the language mode, system time, device name, login information, and command level) to meet
environmental requirements.

Pre-configuration Tasks
Before configuring the basic system environment, complete the following task:
l Powering on the Switch

Data Preparation
To configure the basic system environment, you need the following data.
No.  Data
1    System time
2    Host name
3    Login information
4    Command level

Configuring the Equipment Name


If multiple devices on a network need to be managed, set equipment names to identify each
device.

Context
New equipment names take effect immediately.

Procedure
Step 1 Run:
system-view

The system view is displayed.



Step 2 Run:
sysname host-name

The equipment name is set.


By default, the equipment name of the Switch is Quidway.
You can change the name of the Switch that appears in the command prompt.
----End

Setting the System Clock


The system clock must be correctly set to ensure synchronization with other devices.

Context
The system clock is the time indicated by the system timestamp. Because the rules governing
local time differ in different regions, the system clock can be configured to comply with the
rules of any given region.
The system clock is calculated using the following formula: System clock = Coordinated
Universal Time (UTC) + Time zone offset + Daylight saving time offset.
Set the system clock to the correct time to ensure that the device operates properly with other
devices.
Perform the following steps in the user view to set the system clock:

Procedure
Step 1 Run:
clock datetime HH:MM:SS YYYY-MM-DD

The current date and time is set.


NOTE

If the time zone has not been configured or is set to 0, the date and time set by this command are considered
to be UTC. Set the time zone and UTC correctly.

Step 2 Run:
clock timezone time-zone-name { add | minus } offset

The time zone is set.


l If add is configured, the current time is the UTC time plus the time offset. That is, the default
UTC time plus offset is equal to the time of time-zone-name.
l If minus is configured, the current time is the UTC time minus the time offset. That is, the
default UTC time minus offset is equal to the time of time-zone-name.
NOTE

UTC stands for Coordinated Universal Time.

Step 3 Run:
clock daylight-saving-time time-zone-name one-year start-time start-date end-time end-date offset

or

clock daylight-saving-time time-zone-name repeating start-time { { first | second | third | fourth | last } weekday month | start-date } end-time { { first | second | third | fourth | last } weekday month | end-date } offset [ start-year [ end-year ] ]

Daylight saving time is set.

By default, daylight saving time is not set.
Use one of these modes to configure the starting date and ending date for daylight saving time: date+date, week+week, date+week, and week+date. For details, see clock daylight-saving-time.
----End

System Clock Display

The system clock is determined by the clock datetime, clock timezone, and clock daylight-saving-time commands.
l If none of the preceding three commands has been run, the original system time is displayed when you run the display clock command.
l The preceding three commands can also be run in combination with one another to configure the system clock, as listed in Table 1-12.
In the following examples, the original system time is 08:00:00 January 1, 2010.
l 1: The clock datetime command is run to set the current date and time to date-time.
l 2: The clock timezone command is run to configure the time zone with the time zone offset zone-offset.
l 3: The clock daylight-saving-time command is run to configure the daylight saving time with the offset offset.
l [1]: The clock datetime command configuration is optional.

Table 1-12 System clock configuration examples

Operation: 1
Configured system time: date-time
Example: Run the clock datetime 8:0:0 2011-11-12 command.
Configured system time:
2011-11-12 08:00:03
Saturday
Time Zone(DefaultZoneName): UTC

Operation: 2
Configured system time: Original system time +/- zone-offset
Example: Run the clock timezone BJ add 8 command.
Configured system time:
2010-01-01 16:00:20+08:00
Friday
Time Zone(BJ): UTC+08:00

Operation: 1, 2
Configured system time: date-time +/- zone-offset
Example: Run the clock datetime 8:0:0 2011-11-12 and clock timezone BJ add 8 commands.
Configured system time:
2011-11-12 16:00:13+08:00
Saturday
Time Zone(BJ): UTC+08:00

Operation: [1], 2, 1
Configured system time: date-time
Example: Run the clock timezone NJ add 8 and clock datetime 9:0:0 2011-11-12 commands.
Configured system time:
2011-11-12 09:00:02+08:00
Saturday
Time Zone(NJ): UTC+08:00

Operation: 3
Configured system time: Original system time if the original system time is not during the configured daylight saving time period
Example: Run the clock daylight-saving-time BJ one-year 6:0 2011-8-1 6:0 2011-10-01 1 command.
Configured system time:
2010-01-01 08:00:51
Friday
Time Zone(DefaultZoneName): UTC
Daylight saving time :
Name : BJ
Repeat mode : one-year
Start year : 2011
End year : 2011
Start time : 08-01 06:00:00
End time : 10-01 06:00:00
Saving time : 01:00:00

Operation: 3
Configured system time: Original system time + offset if the original system time is during the configured daylight saving time period
Example: Run the clock daylight-saving-time BJ one-year 6:0 2011-1-1 6:0 2011-9-1 2 command.
Configured system time:
2010-01-01 10:00:34 DST
Friday
Time Zone(BJ): UTC
Daylight saving time :
Name : BJ
Repeat mode : one-year
Start year : 2011
End year : 2011
Start time : 01-01 06:00:00
End time : 09-01 06:00:00
Saving time : 02:00:00

Operation: 1, 3
Configured system time: date-time if date-time is not during the configured daylight saving time period
Example: Run the clock datetime 9:0:0 2011-11-12 and clock daylight-saving-time BJ one-year 6:0 2012-8-1 6:0 2012-10-01 1 commands.
Configured system time:
2011-11-12 09:00:26
Saturday
Time Zone(DefaultZoneName): UTC
Daylight saving time :
Name : BJ
Repeat mode : one-year
Start year : 2012
End year : 2012
Start time : 08-01 06:00:00
End time : 10-01 06:00:00
Saving time : 01:00:00

Operation: 1, 3
Configured system time: date-time + offset if date-time is during the configured daylight saving time period
Example: Run the clock datetime 9:0:0 2011-11-12 and clock daylight-saving-time BJ one-year 9:0 2011-11-12 6:0 2011-12-01 2 commands.
Configured system time:
2011-11-12 11:02:21 DST
Saturday
Time Zone(BJ): UTC
Daylight saving time :
Name : BJ
Repeat mode : one-year
Start year : 2011
End year : 2011
Start time : 11-12 09:00:00
End time : 12-01 06:00:00
Saving time : 02:00:00

Operation: [1], 3, 1
Configured system time: date-time if date-time is not during the configured daylight saving time period
Example: Run the clock daylight-saving-time BJ one-year 6:0 2012-8-1 6:0 2012-10-01 1 and clock datetime 9:0 2011-11-12 commands.
Configured system time:
2011-11-12 09:00:02
Saturday
Time Zone(DefaultZoneName): UTC
Daylight saving time :
Name : BJ
Repeat mode : one-year
Start year : 2012
End year : 2012
Start time : 08-01 06:00:00
End time : 10-01 06:00:00
Saving time : 01:00:00

Operation: [1], 3, 1
Configured system time: date-time if date-time is during the configured daylight saving time period
Example: Run the clock daylight-saving-time BJ one-year 1:0 2011-1-1 1:0 2011-9-1 2 and clock datetime 3:0 2011-1-1 commands.
Configured system time:
2011-01-01 03:00:19 DST
Saturday
Time Zone(BJ): UTC
Daylight saving time :
Name : BJ
Repeat mode : one-year
Start year : 2011
End year : 2011
Start time : 01-01 01:00:00
End time : 09-01 01:00:00
Saving time : 02:00:00

Operation: 2, 3 or 3, 2
Configured system time: Original system time +/- zone-offset if the value of Original system time +/- zone-offset is not during the configured daylight saving time period
Example: Run the clock timezone BJ add 8 and clock daylight-saving-time BJ one-year 6:0 2011-1-1 6:0 2011-9-1 2 commands.
Configured system time:
2010-01-01 16:01:29+08:00
Friday
Time Zone(BJ): UTC+08:00
Daylight saving time :
Name : BJ
Repeat mode : one-year
Start year : 2011
End year : 2011
Start time : 01-01 06:00:00
End time : 09-01 06:00:00
Saving time : 02:00:00

Operation: 2, 3 or 3, 2
Configured system time: Original system time +/- zone-offset +/- offset if the value of Original system time +/- zone-offset is during the configured daylight saving time period
Example: Run the clock daylight-saving-time BJ one-year 1:0 2010-1-1 1:0 2010-9-1 2 and clock timezone BJ add 8 commands.
Configured system time:
2010-01-01 18:05:31+08:00 DST
Friday
Time Zone(BJ): UTC+08:00
Daylight saving time :
Name : BJ
Repeat mode : one-year
Start year : 2010
End year : 2010
Start time : 01-01 01:00:00
End time : 09-01 01:00:00
Saving time : 02:00:00

Operation: 1, 2, 3, or 1, 3, 2
Configured system time: date-time +/- zone-offset if the value of date-time +/- zone-offset is not during the configured daylight saving time period
Example: Run the clock datetime 8:0:0 2011-11-12, clock timezone BJ add 8, and clock daylight-saving-time BJ one-year 6:0 2012-1-1 6:0 2012-9-1 2 commands.
Configured system time:
2011-11-12 16:01:40+08:00
Saturday
Time Zone(BJ): UTC+08:00
Daylight saving time :
Name : BJ
Repeat mode : one-year
Start year : 2012
End year : 2012
Start time : 01-01 06:00:00
End time : 09-01 06:00:00
Saving time : 02:00:00

Operation: 1, 2, 3, or 1, 3, 2
Configured system time: date-time +/- zone-offset + offset if the value of date-time +/- zone-offset is during the configured daylight saving time period
Example: Run the clock datetime 8:0:0 2011-1-1, clock daylight-saving-time BJ one-year 6:0 2011-1-1 6:0 2011-9-1 2, and clock timezone BJ add 8 commands.
Configured system time:
2011-01-01 18:00:43+08:00 DST
Saturday
Time Zone(BJ): UTC+08:00
Daylight saving time :
Name : BJ
Repeat mode : one-year
Start year : 2011
End year : 2011
Start time : 01-01 06:00:00
End time : 09-01 06:00:00
Saving time : 02:00:00

Operation: [1], 2, 3, 1 or [1], 3, 2, 1
Configured system time: date-time if date-time is not during the configured daylight saving time period
Example: Run the clock daylight-saving-time BJ one-year 6:0 2012-1-1 6:0 2012-9-1 2, clock timezone BJ add 8, and clock datetime 8:0:0 2011-11-12 commands.
Configured system time:
2011-11-12 08:00:03+08:00
Saturday
Time Zone(BJ): UTC+08:00
Daylight saving time :
Name : BJ
Repeat mode : one-year
Start year : 2012
End year : 2012
Start time : 01-01 06:00:00
End time : 09-01 06:00:00
Saving time : 02:00:00

Operation: [1], 2, 3, 1 or [1], 3, 2, 1
Configured system time: date-time if date-time is during the configured daylight saving time period
Example: Run the clock timezone BJ add 8, clock daylight-saving-time BJ one-year 1:0 2011-1-1 1:0 2011-9-1 2, and clock datetime 3:0:0 2011-1-1 commands.
Configured system time:
2011-01-01 03:00:03+08:00 DST
Saturday
Time Zone(BJ): UTC+08:00
Daylight saving time :
Name : BJ
Repeat mode : one-year
Start year : 2011
End year : 2011
Start time : 01-01 01:00:00
End time : 09-01 01:00:00
Saving time : 02:00:00
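The combination rules of Table 1-12 expressed as a small simulator, added here as an example and not part of the guide or of the device software: it keeps the internal time in UTC, takes a clock datetime value as UTC until a zone or DST rule exists and as the displayed local time afterwards, and applies the one-year DST offset when the zone-adjusted time falls inside the period (period start inclusive). Assumed: only the one-year mode is parsed, offsets are given as hours or HH:MM, and the seconds that elapse between the guide's captures are ignored.

```python
"""Model of how clock datetime, clock timezone and clock daylight-saving-time
combine into the displayed system clock, following the rules of Table 1-12.
Added example, not part of the guide or of the device software: a simplified
model (one-year DST mode only; offsets as hours or HH:MM; the seconds that
elapse between the guide's captures are ignored)."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

ORIGINAL_SYSTEM_TIME = datetime(2010, 1, 1, 8, 0, 0)  # "08:00:00 January 1, 2010"


def _parse_offset(text: str) -> timedelta:
    """Accept '2' (hours) or '02:00' (HH:MM) as an offset."""
    if ":" in text:
        hours, minutes = (int(part) for part in text.split(":"))
        return timedelta(hours=hours, minutes=minutes)
    return timedelta(hours=int(text))


def _parse_stamp(time_text: str, date_text: str) -> datetime:
    """Parse 'HH:MM[:SS]' plus 'YYYY-MM-DD' as typed on the CLI (single digits allowed)."""
    fmt = "%H:%M:%S" if time_text.count(":") == 2 else "%H:%M"
    return datetime.strptime(f"{time_text} {date_text}", f"{fmt} %Y-%m-%d")


@dataclass
class Dst:
    name: str
    start: datetime      # zone-adjusted wall-clock start of the period
    end: datetime
    offset: timedelta


class SystemClock:
    def __init__(self, original: datetime = ORIGINAL_SYSTEM_TIME) -> None:
        self.utc = original            # internal time, always kept in UTC
        self.zone_offset = timedelta(0)
        self.dst: Optional[Dst] = None
        self.localized = False         # True once a zone or DST rule has been set

    def _dst_active(self, wall: datetime) -> bool:
        # Period start is inclusive: the "1, 3" row enters 9:00 at a 9:00 start and shows DST.
        return self.dst is not None and self.dst.start <= wall < self.dst.end

    def run(self, line: str) -> None:
        """Dispatch one command line written in the syntax the guide documents."""
        words = line.split()
        if words[:2] == ["clock", "datetime"]:
            self.clock_datetime(_parse_stamp(words[2], words[3]))
        elif words[:2] == ["clock", "timezone"]:
            self.clock_timezone(words[3], _parse_offset(words[4]))
        elif words[:2] == ["clock", "daylight-saving-time"] and words[3] == "one-year":
            self.clock_daylight_saving_time(words[2], _parse_stamp(words[4], words[5]),
                                            _parse_stamp(words[6], words[7]),
                                            _parse_offset(words[8]))
        else:
            raise ValueError(f"unsupported command: {line}")

    def clock_timezone(self, sign: str, offset: timedelta) -> None:
        self.zone_offset = offset if sign == "add" else -offset
        self.localized = True

    def clock_daylight_saving_time(self, name, start, end, offset) -> None:
        self.dst = Dst(name, start, end, offset)
        self.localized = True

    def clock_datetime(self, entered: datetime) -> None:
        if not self.localized:
            # NOTE under Step 1: with no time zone configured the value is taken as UTC,
            # so a zone or DST rule configured later is added on top of it.
            self.utc = entered
            return
        # Rows "[1], 2, 1" and "[1], 3, 1": entered after the offsets, the value is the
        # wall-clock time that display clock must show, so strip the offsets to get UTC.
        utc = entered - self.zone_offset
        if self._dst_active(entered):
            utc -= self.dst.offset
        self.utc = utc

    def display_clock(self) -> str:
        """First line of display clock output: 'YYYY-MM-DD HH:MM:SS[+HH:MM][ DST]'."""
        wall = self.utc + self.zone_offset
        in_dst = self._dst_active(wall)
        if in_dst:
            wall += self.dst.offset
        return f"{wall:%Y-%m-%d %H:%M:%S}{self._zone_suffix()}{' DST' if in_dst else ''}"

    def _zone_suffix(self) -> str:
        seconds = int(self.zone_offset.total_seconds())
        if seconds == 0:
            return ""
        hours, minutes = divmod(abs(seconds) // 60, 60)
        return f"{'+' if seconds > 0 else '-'}{hours:02d}:{minutes:02d}"


def simulate(*commands: str) -> str:
    """Start from the guide's original system time, run the commands in order, show the clock."""
    clock = SystemClock()
    for command in commands:
        clock.run(command)
    return clock.display_clock()


if __name__ == "__main__":
    # Last row of Table 1-12: zone, then DST, then a datetime entered during the DST period.
    print(simulate("clock timezone BJ add 8",
                   "clock daylight-saving-time BJ one-year 1:0 2011-1-1 1:0 2011-9-1 2",
                   "clock datetime 3:0:0 2011-1-1"))  # 2011-01-01 03:00:00+08:00 DST
```

A year-aware period check reproduces every row of Table 1-12 except the single-command DST row that shows 10:00:34 DST for the 2010 original time with a 2011 period.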

Configuring a Header
If you need to provide information for users logging in, you can configure a header that the
system displays during or after login.

Context
A header is a text message displayed by the system at the time a user logs in to the Switch.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
header login { information text | file file-name }

A header displayed during login is set.


Step 3 Run:
header shell { information text | file file-name }

A header displayed after login is set.


To display the header when the terminal connection has been activated but the user has not been
authenticated, configure the parameter login.
To display the header after the user has logged in, configure the parameter shell.


CAUTION
l The header message starts and ends with the same character. Enter the first character of the
header and press Enter. An interactive interface for setting the header is displayed. Input the
required information and end the header by entering the first character when you are finished.
The system then exits from the interactive interface.
l If a user logs in to the Switch using SSH1.X, the login header is not displayed during login,
but the shell header is displayed after login.
l If a user logs in to the Switch using SSH2.0, both login and shell headers are displayed.
----End

Configuring Command Levels


This section describes how to configure command levels to ensure device security or to allow low-level users to run high-level commands. By default, commands are registered in the sequence of Level 0 to Level 3. If refined rights management is required, you can divide commands into 16 levels, that is, from Level 0 to Level 15.

Context
If the user does not adjust a command level separately, after the command level is updated, all originally registered command lines are adjusted automatically according to the following rules:
l The commands of Level 0 and Level 1 remain unchanged.
l The commands of Level 2 are updated to Level 10 and the commands of Level 3 are updated to Level 15.
l No command lines exist in Level 2 to Level 9 and Level 11 to Level 14. The user can adjust the command lines to these levels separately to refine the management of privilege.

CAUTION
Changing the default level of a command is not recommended. If the default level of a command
is changed, some users may be unable to use the command any longer.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
command-privilege level rearrange

Update the command level in batches.


When no password is configured for a Level 15 user, the system prompts the user to set a super password for the Level 15 user. At the same time, the system asks whether the user wants to continue with the update of the command line level. Select "N" to set a password first. If you select "Y", the command level is updated in batches directly, which results in users who do not log in through the console port being unable to update the level.
Step 3 Run:
command-privilege level level view view-name command-key

The command level is configured. With the command, you can specify the level and view
multiple commands at one time (command-key).
All commands have default command views and levels. You do not need to reconfigure them.
----End

1.4.2 Displaying System Status Messages


This section describes how to use display commands to check basic system configurations.

Context
You can use display commands to collect information about system status. The display commands perform the following functions:
l Display system configurations.
l Display system running status.
l Display diagnostic information about a system.
l Display the restart information about the main control board.

See related sections concerning display commands for information on protocols and interfaces.
This section only shows system-level display commands.
Run the following commands in any view.

Displaying System Configuration


This section describes how to use command lines to check the system version, system time,
original configuration, and current configuration.

Procedure
l Run the display version command to display the system version.
l Run the display clock [ utc ] command to display the system time.
l Run the display calendar command to display the system calendar.
l Run the display saved-configuration command to display the original configuration.
l Run the display current-configuration command to display the current configuration.

NOTE

l The original configuration refers to information about the configuration files used by the device when it is powered on and initialized. The current configuration refers to the configuration that takes effect while the device is in use. For details, see the chapter "Configuring System Startup" in the AC6605 Basic-Configuration.

----End

Displaying System Status


This section describes how to use command lines to check system operating status (the
configuration of the current view).

Procedure
l Run the display this command to display the configuration of the current view.

----End

Collecting System Diagnostic Information


This section describes how to collect information about system modules.

Context
If you cannot perform routine maintenance, you must run the various display commands to
collect information needed to locate faults. The display diagnostic-information command
gathers information about all system modules currently running.

Procedure
l Run:
display diagnostic-information [ file-name ]

System diagnostic information is displayed.

The display diagnostic-information command collects the same information as the display clock, display version, display cpu-usage, display interface, display current-configuration, display saved-configuration, display history-command, and other commands gather.
----End

1.5 Configuring User Interfaces


When a user uses a console port, Telnet, or SSH (STelnet) to log in to the Switch, the system manages the session between the user and the Switch on the corresponding user interface.

1.5.1 User Interface Overview


The system supports console and VTY user interfaces.
Each user interface has a user interface view. A user interface view is a command line view
provided by the system. It is used to configure and manage all the physical and logical interfaces
in asynchronous mode.

User Interfaces Supported by the System

l Console port (CON)
The console port is a serial port provided by the main control board of the device.
The main control board provides one EIA/TIA-232 DCE console port. A terminal can use this port to connect directly to a device in order to perform local configurations.
l Virtual type terminal (VTY)
A VTY is a logical terminal line. A VTY connection is set up when a device uses Telnet to connect to a terminal. This kind of connection is used for local or remote access to a device. A maximum of 15 users can use the VTY user interface to log in to the device.

Numbering of a User Interface


After a user logs in to the device, the system assigns the lowest numbered idle user interface to
the user. The type of interface assigned depends on the user's login mode. There are two ways
to number user interfaces:
l Relative numbering
Relative numbering uses a user interface type + number format.
Relative numbering is used to specify user interfaces of a particular type. It can be used to number single user interfaces or user interface groups and must adhere to the following rules:
Number of the console port: CON 0
Number of the VTY: VTY 0 for the first line, VTY 1 for the second line, and so on
l Absolute numbering
Absolute numbering is used to give a single user interface or a group of user interfaces a unique number.
Absolute numbering starts with 0. Ports are numbered in a sequence beginning with CON -> VTY. There is only one console port and 0-20 VTY interfaces (VTY interfaces 0 to 14 are reserved for Telnet/SSH users and VTY interfaces 16 to 20 are reserved for network management users). You can use the user-interface maximum-vty command to set the maximum number of user interfaces. The default number is five.
Table 1-13 shows absolute numbers for user interfaces in this system.
Table 1-13 Description of absolute and relative numbers for user interfaces

Console user interface
  Description: Manages and monitors users logging in through the console port.
  Absolute number: 0
  Relative number: CON 0

VTY user interface
  Description: Manages and monitors users logging in using Telnet or SSH.
  Absolute numbers: 34 to 48, and 50 to 54. Among the absolute numbers, 49 is reserved
  for future use and 50 to 54 are reserved for the network management system.
  Relative numbers:
  - Absolute numbers 34 to 48 correspond to relative numbers VTY 0 to VTY 14.
  - Absolute numbers 50 to 54 correspond to relative numbers VTY 16 to VTY 20.
  Among the relative numbers, VTY 15 is reserved for future use and VTY 16 to VTY 20
  are reserved for the network management system.

NOTE

The absolute numbers allocated for VTY interfaces are device-specific.

Run the display user-interface command to view the absolute number of user interfaces.

Authentication of a User Interface


After a user is configured, the system authenticates the user during user login.
There are two user authentication modes: password and AAA, which are described as follows:
- Password authentication: Users must enter a password, but not a username, during the login
  process.
- AAA authentication: Users must enter a password and a username during the login process.
  Telnet users are usually authenticated in this mode.

Priority of a User Interface


Users logged in to the Switch are managed according to their levels.
Users are classified into 16 levels (numbered 0 to 15). The greater the number, the higher the
user level.
A user's level determines the level of commands that the user is authorized to run.
- In the case of password authentication, the level of the command that the user can run is
  determined by the level of the user interface.
- In the case of AAA authentication, the command that the user can use is determined by the
  level of the local user specified in the AAA configuration.

1.5.2 Configuring the Console User Interface


If you log in to the device through a console port to perform local maintenance, you can configure
attributes for the console user interface as needed.


Establishing the Configuration Task


Before configuring the console user interface, familiarize yourself with the applicable
environment, complete the pre-configuration tasks, and obtain any data required for the
configuration. This will help you complete the configuration task quickly and correctly.

Applicable Environment
If you need to log in to the Switch through a console port to perform local maintenance, you can
configure the corresponding console user interface, including the physical attributes, terminal
attributes, user priority, and user authentication mode. These parameters have default values that
require no additional configuration, but you may modify these parameters as needed.

Pre-configuration Tasks
Before configuring a console user interface, complete the following tasks:
- Logging in to the Switch with a terminal

Data Preparation
To configure a console user interface, you need the following data.
1. Baud rate, flow-control mode, parity, stop bit, and data bit
2. Idle timeout period, terminal screen length, number of characters in each line
   displayed in a terminal screen, and the size of history command buffer
3. User priority
4. User authentication method, username, and password

NOTE

All the default values (excluding the password and username) are stored on the Switch and do not need
additional configuration.

Setting Physical Attributes of the Console User Interface


You can configure the rate, flow control mode, parity mode, stop bit, and data bit for the console
port.

Context
Physical attributes of a console port have default values on the Switch and no additional
configuration is needed.
NOTE

When a user logs in to a Switch through a console port, the physical attributes set for the console port on
the HyperTerminal must be consistent with the attributes of the console user interface on the Switch, or
the user will not be able to log in.


Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
user-interface console interface-number

The console user interface view is displayed.


Step 3 Run:
speed speed-value

The baud rate is set.


By default, the baud rate is 9600 bit/s.
Step 4 Run:
flow-control { hardware | none | software }

The flow control mode is set. By default, the flow-control mode is none.
Step 5 Run:
parity { even | mark | none | odd | space }

The parity mode is set.


By default, the value is none.
Step 6 Run:
stopbits { 1.5 | 1 | 2 }

The stop bit is set.


By default, the value is 1 bit.
Step 7 Run:
databits { 5 | 6 | 7 | 8 }

The data bit is set.


By default, the data bit is 8.
----End

Setting Terminal Attributes of the Console User Interface


This section describes how to set terminal attributes of the console user interface, including the
user timeout disconnection function, number of lines or number of characters in each line
displayed in a terminal screen, and size of the history command buffer.

Context
Terminal attributes of the console user interface have default values on the Switch that you may
modify as needed.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
user-interface console interface-number

The console user interface view is displayed.


Step 3 Run:
shell

The terminal service is started.


Step 4 Run:
idle-timeout minutes [ seconds ]

The idle timeout period is set.


If a connection remains idle for the timeout period, the system automatically terminates the
connection.
By default, the idle timeout period on the user interface is 10 minutes.
Step 5 Run:
screen-length screen-length [temporary]

The terminal screen length is set.


The parameter temporary sets the number of lines to be displayed on a terminal screen
temporarily.
By default, the terminal screen length is 24 lines.
Step 6 Run:
screen-width screen-width

The maximum number of characters in each line displayed on a terminal screen is set.
By default, each line displayed on a terminal screen has a maximum of 80 characters.
Step 7 Run:
history-command max-size size-value

The history command buffer is set.


By default, the size of history command buffer is 10 entries.
----End

Configuring User Privilege of the Console User Interface


This section describes how to control a user's authority to log in to the Switch and how to improve
Switch security by configuring user priority.

Context
- Users are classified into 16 levels (numbered 0 to 15). The greater the number, the higher
  the user level.
- This procedure sets the priority of a user who logs in through the console port. A user's
  level determines the level of commands the user is authorized to run.

For details about command levels, see "Command Level".

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
user-interface console interface-number

The console user interface view is displayed.


Step 3 Run:
user privilege level level

The user privilege is set.


NOTE

- By default, users logging in through the console user interface can use commands at level 3, and users
  logging in through other user interfaces can use commands at level 0.
- If the command level and user level are inconsistent, the user level takes precedence.

----End

Configuring the User Authentication Mode of the Console User Interface


The system provides two authentication modes: AAA and password. Configuring user
authentication modes improves Switch security.

Context
The system provides two authentication modes as shown in Table 1-14.
Table 1-14 Authentication Modes

AAA
  Advantage: AAA provides user authentication with high security. The user name and
  password must be entered for login.
  Disadvantage: The configuration is complex. The user name and password for AAA
  authentication must be created.

Password authentication
  Advantage: Password authentication is based on VTY channels, providing security. The
  configuration is simple and only the login password is needed.
  Disadvantage: It provides lower security compared with AAA. All users can log in to a
  device using the login password for the device.

CAUTION
If the user authentication mode for the console user interface is password authentication or AAA
authentication, a password or user name must be set.

Procedure
- Configuring AAA authentication
  1. Run:
     system-view

     The system view is displayed.
  2. Run:
     aaa

     The AAA view is displayed.
  3. Run:
     local-user user-name password cipher password

     A user name and password for the local user are created.
  4. Run:
     quit

     Exit from the AAA view.
  5. Run:
     user-interface console interface-number

     The console user interface view is displayed.
  6. Run:
     authentication-mode aaa

     The authentication mode is set to AAA authentication.

- Configuring password authentication
  1. Run:
     system-view

     The system view is displayed.
  2. Run:
     user-interface console interface-number

     The console user interface view is displayed.
  3. Run:
     authentication-mode password

     The authentication mode is set to password authentication.
  4. Run:
     set authentication password [ cipher password ]

     A password for password authentication is set.

----End

Checking the Configuration


After configuring the console user interface, you can view information about the user interface,
physical attributes and configurations of the user interface, local user list, and online users.

Prerequisites
The configurations of the user management function are complete.

Procedure
- Run the display users [ all ] command to check information about the user interface.
- Run the display user-interface console ui-number1 [ summary ] command to check
  physical attributes and configurations of the user interface.
- Run the display local-user command to check the local user list.
- Run the display access-user command to check online users.

----End

Example
Run the display users command to view information about the current user interface.
<Quidway> display users
  User-Intf    Delay    Type   Network Address     AuthenStatus    AuthorcmdFlag
  0   CON 0    00:00:44                            pass            no
  Username : Unspecified

Run the display user-interface console ui-number1 [ summary ] command to view the physical
attributes and configurations of the user interface.
<Quidway> display user-interface console 0
  Idx  Type     Tx/Rx      Modem Privi ActualPrivi Auth  Int
  0    CON 0    9600             3                 N     -
  +    : Current UI is active.
  F    : Current UI is active and work in async mode.
  Idx  : Absolute index of UIs.
  Type : Type and relative index of UIs.
  Privi: The privilege of UIs.
  ActualPrivi: The actual privilege of user-interface.
  Auth : The authentication mode of UIs.
      A: Authenticate use AAA.
      N: Current UI need not authentication.
      P: Authenticate use current UI's password.
  Int  : The physical location of UIs.

Run the display local-user command to view the local user list.
<Quidway> display local-user
----------------------------------------------------------------------------
User-name                State  AuthMask  AdminLevel
----------------------------------------------------------------------------
aa                       A      S
admin                    A      H
huawei                   A      F
----------------------------------------------------------------------------
Total 3 user(s)

1.5.3 Configuring the VTY User Interface


If you need to log in to the Switch using Telnet or SSH to perform local or remote maintenance,
you can configure the VTY user interface as needed.

Establishing the Configuration Task


Before configuring a VTY user interface, familiarize yourself with the applicable environment,
complete the pre-configuration tasks, and obtain any data required for the configuration. This
will help you complete the configuration task quickly and correctly.

Applicable Environment
If you need to log in to the Switch using Telnet or SSH to perform local or remote maintenance,
you can configure a VTY user interface. You can configure the maximum number of VTY user
interfaces, restrictions on incoming and outgoing calls, terminal property, user priority, and user
authentication mode. The preceding parameters have default values on the Switch. You can
modify these parameters as needed.

Pre-configuration Tasks
Before configuring a VTY user interface, complete the following tasks:
- Logging in to the Switch by using a terminal

Data Preparation
To configure a VTY user interface, you need the following data.
1. Maximum VTY user interfaces
2. (Optional) ACL code to restrict incoming and outgoing calls on VTY user interfaces
3. Idle timeout period, number of characters in each line displayed on a terminal
   screen, and the size of history command buffer
4. User priority
5. User authentication method, username, and password


NOTE

All the preceding parameters (excluding the ACL for limiting incoming and outgoing calls in VTY user
interfaces, user authentication method, username, and password) have default values that require no
additional configuration.

Configuring the Maximum Number of VTY User Interfaces


This section describes how to limit the number of users logging in to the Switch by configuring
the maximum number of VTY user interfaces.

Context
The maximum number of VTY user interfaces equals the total number of users allowed to log
in to the Switch using Telnet or SSH.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
user-interface maximum-vty number

The maximum number of VTY user interfaces is set.


NOTE

When the maximum number of VTY user interfaces is set to zero, no user (including the network
administrator) can use a VTY user interface to log in to the Switch.

If the set maximum number of VTY user interfaces is smaller than the maximum number of
online users, a message is displayed indicating that the configuration failed.
If the set maximum number of VTY user interfaces is greater than the maximum number of
current interfaces, the authentication mode and password must be set for newly added user
interfaces.
The default authentication mode for newly added user interfaces is non-authentication.
Consider, for example, a system that allows a maximum of five users to be online. To allow 15
VTY users online at the same time, you must run the authentication-mode command to
configure authentication modes for VTY user interfaces from 5 to 14. The commands are run
as follows:
<Quidway> system-view
[Quidway] user-interface maximum-vty 15
[Quidway] user-interface vty 5 14
[Quidway-ui-vty5-14] authentication-mode password

----End
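The rule above (a VTY line added by raising maximum-vty has no authentication until one is configured) is easy to overlook in a saved configuration. The following Python script is an added example, not Huawei's code and not part of this guide: it parses the user-interface sections of a configuration file in the format shown under "Configuration Files" later in this chapter, expands each user-interface vty range, maps relative VTY numbers to the absolute numbers of Table 1-13, and reports every VTY line reachable under user-interface maximum-vty that has no authentication-mode, has no inbound ACL, references an inbound ACL that is not defined, or combines password authentication with user privilege level 15 (Table 1-15 notes that all users then share one password). The two sample configurations are constructed; the default of 5 and the numbering table come from this section.

```python
"""Audit the VTY lines of a VRP-style saved configuration (added example)."""
import re
from typing import Dict, List, Set, Tuple

DEFAULT_MAX_VTY = 5       # default of user-interface maximum-vty in this guide
TELNET_SSH_VTY_MAX = 15   # VTY 0-14 serve Telnet/SSH; VTY 16-20 serve the NMS


def vty_absolute(rel: int) -> int:
    """Relative VTY number -> absolute user-interface number (Table 1-13)."""
    if 0 <= rel <= 14:
        return 34 + rel
    if 16 <= rel <= 20:
        return 50 + (rel - 16)
    raise ValueError(f"VTY {rel} is reserved or out of range")


def _key(line: str) -> str:
    """Normalize a line-view command to the keyword the audit looks up."""
    words = line.split()
    if words[0] == "acl" and len(words) == 3:
        return "acl " + words[2]          # "acl inbound" / "acl outbound"
    if words[:2] == ["user", "privilege"]:
        return "user privilege"
    return words[0]


def parse_config(text: str) -> Tuple[int, Dict[int, Dict[str, str]], Set[int]]:
    """Return (maximum-vty, {relative VTY: {keyword: command}}, defined ACL numbers)."""
    max_vty = DEFAULT_MAX_VTY
    vty: Dict[int, Dict[str, str]] = {}
    acls: Set[int] = set()
    current: List[int] = []               # VTY numbers of the open line view
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "#":       # '#' separates configuration sections
            current = []
            continue
        m = re.fullmatch(r"user-interface maximum-vty (\d+)", line)
        if m:
            max_vty, current = int(m.group(1)), []
            continue
        m = re.fullmatch(r"user-interface vty (\d+)(?: (\d+))?", line)
        if m:
            first, last = int(m.group(1)), int(m.group(2) or m.group(1))
            current = list(range(first, last + 1))
            for n in current:
                vty.setdefault(n, {})
            continue
        m = re.fullmatch(r"acl (?:number )?(\d+)", line)
        if m:
            acls.add(int(m.group(1)))
            current = []
            continue
        if line.startswith("user-interface "):   # console and other line views
            current = []
            continue
        for n in current:
            vty[n][_key(line)] = line
    return max_vty, vty, acls


def audit(text: str) -> List[str]:
    """One finding per exposed setting on each reachable VTY line; [] means clean."""
    max_vty, vty, acls = parse_config(text)
    findings: List[str] = []
    for rel in range(min(max_vty, TELNET_SSH_VTY_MAX)):
        cfg = vty.get(rel, {})
        tag = f"VTY {rel} (absolute {vty_absolute(rel)})"
        auth = cfg.get("authentication-mode")
        if auth is None:       # a newly added VTY line defaults to no authentication
            findings.append(f"{tag}: no authentication-mode configured")
        acl_in = cfg.get("acl inbound")
        if acl_in is None:
            findings.append(f"{tag}: no inbound ACL, any source address may connect")
        elif int(acl_in.split()[1]) not in acls:
            findings.append(f"{tag}: inbound ACL {acl_in.split()[1]} is not defined")
        if auth == "authentication-mode password" and cfg.get("user privilege", "").endswith(" 15"):
            findings.append(f"{tag}: one shared password grants privilege level 15")
    return findings


# Constructed sample: maximum-vty raised to 15 but only VTY 0-4 configured.
SAMPLE_EXPOSED = """\
#
acl number 2000
 rule 5 deny source 10.1.1.1 0
 rule 10 permit source any
#
user-interface maximum-vty 15
user-interface con 0
 authentication-mode password
user-interface vty 0 4
 acl 2000 inbound
 authentication-mode aaa
 user privilege level 15
#
"""

# Constructed sample modelled on the VTY configuration file in this chapter.
SAMPLE_SHARED_PASSWORD = """\
#
acl number 2000
 rule 5 deny source 10.1.1.1 0
 rule permit source any
#
user-interface maximum-vty 15
user-interface vty 0 14
 acl 2000 inbound
 user privilege level 15
 authentication-mode password
 set authentication password cipher <cipher-text-placeholder>
#
"""

if __name__ == "__main__":
    for name, cfg in (("exposed", SAMPLE_EXPOSED), ("shared", SAMPLE_SHARED_PASSWORD)):
        print(name, *audit(cfg), sep="\n  ")
```

Run against the first sample, the script lists VTY 5 to VTY 14 (absolute 39 to 48) twice each: once for the missing authentication mode and once for the missing inbound ACL, which is exactly the gap the authentication-mode command in the procedure above closes. Pass the output of display current-configuration, saved to a file, to audit() to check a live device.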

(Optional) Setting Restrictions for Incoming and Outgoing Calls on VTY User
Interfaces
This section describes how to configure an ACL to restrict access of incoming and outgoing
calls on a VTY user interface to specific IP addresses or address segments.

Context
Before setting restrictions for incoming and outgoing calls on a VTY user interface, run the
acl command in the system view to create an ACL. Enter the ACL view and run the rule
command to add rules to the ACL.
NOTE

- The user interface supports the basic ACL ranging from 2000 to 2999 and the advanced ACL ranging
  from 3000 to 3999.
- For ACL configuration details, refer to the AC6605 Access Controller Configuration Guide Security.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
user-interface vty first-ui-number [ last-ui-number ]

The VTY user interface view is displayed.


Step 3 Run:
acl acl-number { inbound | outbound }

Restrictions for incoming and outgoing calls on the VTY interface are configured.
- If you want to prevent a user with a specific address or segment address from logging in to
  the Switch, use the inbound command.
- If you want to prevent a user who logs in to a Switch from accessing other Switches, use the
  outbound command.
----End
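To see what acl acl-number inbound actually decides for a given login source, the following Python evaluator is an added example (not Huawei's code and not from this guide). It parses basic-ACL rule lines in the wildcard-mask form used in this chapter (rule [ rule-id ] { permit | deny } source { any | address wildcard }, where a 1 bit in the wildcard is ignored, so "10.1.1.1 0" matches one host and "10.1.1.0 0.0.0.255" a /24), applies them in ascending rule-ID order and returns the first matching action. Two details are assumptions because this section does not state them: unnumbered rules receive the next ID in steps of 5 (the saved configuration later in this chapter shows rule 5), and the action for a source matching no rule is the default_action parameter. The sample ACLs are constructed; the first mirrors ACL 2000 from this chapter's VTY configuration example.

```python
"""Evaluate a VRP-style basic ACL against the source address of a VTY login (added example)."""
import ipaddress
import re
from typing import List, NamedTuple, Optional, Tuple

# rule [ rule-id ] { permit | deny } source { any | address wildcard }
RULE_RE = re.compile(r"rule(?: (\d+))? (permit|deny) source (?:(any)|(\S+) (\S+))")


class Rule(NamedTuple):
    rule_id: int
    action: str
    address: Optional[int]    # None means "source any"
    mask: int                 # bits that must match (inverse of the wildcard)


def _ipv4_int(text: str) -> int:
    """Dotted-quad to int; the bare wildcard "0" used in this guide means 0.0.0.0."""
    return int(ipaddress.IPv4Address("0.0.0.0" if text == "0" else text))


def parse_acl(text: str, step: int = 5) -> List[Rule]:
    """Parse `rule ...` lines; other lines (acl number, quit, #) are ignored.

    Assumption: an unnumbered rule gets the last ID plus `step`, as VRP does.
    """
    rules: List[Rule] = []
    last_id = 0
    for raw in text.splitlines():
        m = RULE_RE.fullmatch(raw.strip())
        if not m:
            continue
        rule_id = int(m.group(1)) if m.group(1) else last_id + step
        last_id = max(last_id, rule_id)
        if m.group(3):                                  # source any
            rules.append(Rule(rule_id, m.group(2), None, 0))
        else:
            wildcard = _ipv4_int(m.group(5))
            rules.append(Rule(rule_id, m.group(2), _ipv4_int(m.group(4)),
                              ~wildcard & 0xFFFFFFFF))
    return sorted(rules, key=lambda r: r.rule_id)


def evaluate(rules: List[Rule], source: str,
             default_action: str = "permit") -> Tuple[str, Optional[int]]:
    """Return (action, id of the first matching rule); id is None if no rule matched.

    Assumption: default_action models the device's behaviour for unmatched sources.
    """
    src = _ipv4_int(source)
    for rule in rules:
        if rule.address is None or (src & rule.mask) == (rule.address & rule.mask):
            return rule.action, rule.rule_id
    return default_action, None


def which_sources_may_login(acl_text: str, sources: List[str]) -> List[str]:
    """Subset of `sources` whose Telnet/SSH connection the inbound ACL admits."""
    rules = parse_acl(acl_text)
    return [s for s in sources if evaluate(rules, s)[0] == "permit"]


# Constructed sample 1: the ACL applied inbound in this chapter's VTY example.
ACL_2000 = """\
acl number 2000
 rule 5 deny source 10.1.1.1 0
 rule permit source any
"""

# Constructed sample 2: an allow-list that admits only one management subnet.
ACL_MGMT_ONLY = """\
acl number 2001
 rule 5 permit source 10.1.1.0 0.0.0.255
 rule 10 deny source any
"""

if __name__ == "__main__":
    for src in ("10.1.1.1", "10.1.1.2", "10.2.0.1"):
        print(src, evaluate(parse_acl(ACL_2000), src), evaluate(parse_acl(ACL_MGMT_ONLY), src))
```

The second sample is the form to prefer when the set of management stations is known: a permit for the management segment followed by deny source any leaves nothing to the unmatched-source default, so the result does not depend on that assumption.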

Setting Terminal Attributes of the VTY User Interface


This section describes how to configure terminal attributes of a VTY user interface, including
user idle timeout, number of lines or number of characters in each line displayed in a terminal
screen, and size of the history command buffer.

Context
Terminal attributes of a VTY user interface have default values on the Switch and you can set
them as needed.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
user-interface vty number1 [ number2 ]


The VTY user interface view is displayed.


Step 3 Run:
shell

VTY terminal service is enabled.


Step 4 Run:
idle-timeout minutes [ seconds ]

User idle timeout is enabled.


If the connection remains idle for the timeout period, the system automatically terminates the
connection.
By default, the timeout period is 10 minutes.
Step 5 Run:
screen-length screen-length [temporary]

The terminal screen length is set.


The parameter temporary sets the number of lines to be displayed on a terminal screen
temporarily.
By default, the terminal screen length is 24 lines.
Step 6 Run:
history-command max-size size-value

Set the size of the history command buffer.


By default, a maximum number of 10 commands can be cached in the history command buffer.
----End

Setting User Priority of the VTY User Interface


This section describes how to control a user's authority to log in to the Switch and how to improve
Switch security by configuring user priority.

Context
- Users are classified into 16 levels (numbered 0 to 15). The greater the number, the higher
  the user level.
- This procedure sets the priority of a user who logs in through the console port. A user's
  level determines the level of commands the user is authorized to run.

For details about command levels, see "Command Level".

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
user-interface vty interface-number


The VTY user interface view is displayed.


Step 3 Run:
user privilege level level

The user priority is set.


By default, users logging in through the VTY user interface can use commands at level 0.
NOTE

If the command level configured in the VTY user interface view and user priority are inconsistent, user
priority takes precedence.

----End

Setting the User Authentication Mode of the VTY User Interface


The system provides two authentication modes: AAA and password. Configuring user
authentication modes improves Switch security.

Context
The system provides two authentication modes as shown in Table 1-15.
Table 1-15 Authentication Modes

AAA
  Advantage: AAA provides user authentication with high security. The user name and
  password must be entered for login.
  Disadvantage: The configuration is complex. The user name and password for AAA
  authentication must be created.

Password authentication
  Advantage: Password authentication is based on VTY channels, providing security. The
  configuration is simple and only the login password is needed.
  Disadvantage: It provides lower security compared with AAA. All users can log in to a
  device using the login password for the device.

CAUTION
- By default, the user authentication mode of the VTY user interface is not configured.
  Administrators must manually set a user authentication mode for the VTY user interface. If
  no user authentication mode is set for the VTY user interface, users cannot log in to the device
  using the VTY user interface.
- If the user authentication mode of the VTY user interface is password authentication or AAA
  authentication, a password or user name must be set for logging in to the system. In this case,
  without password or user name set, users cannot log in to the device using the VTY user
  interface.

CAUTION
If the user authentication mode for the VTY user interface is password or AAA, you must set
the password or user name for logging in to the device.

Procedure
- Configuring AAA authentication
  1. Run:
     system-view

     The system view is displayed.
  2. Run:
     user-interface vty number1 [ number2 ]

     The VTY user interface view is displayed.
  3. Run:
     authentication-mode aaa

     The authentication mode is set to AAA authentication.
  4. Run:
     quit

     Exit from the VTY user interface view.
  5. Run:
     aaa

     The AAA view is displayed.
  6. Run:
     local-user user-name password cipher password

     A user name and password for the local user are created.

- Configuring password authentication
  1. Run:
     system-view

     The system view is displayed.
  2. Run:
     user-interface vty number1 [ number2 ]

     The VTY user interface view is displayed.
  3. Run:
     authentication-mode password

     The authentication mode is set to password authentication.
  4. Run:
     set authentication password [ cipher password ]

     A password in the encrypted text for password authentication is set.

----End

Checking the Configuration


After configuring a VTY user interface, you can view information about user interfaces, the
maximum number of VTY user interfaces, and physical attributes and configurations of user
interfaces.

Prerequisites
The configurations of the VTY user interface are complete.

Procedure
- Run the display users [ all ] command to check information about user interfaces.
- Run the display user-interface maximum-vty command to check the maximum number
  of VTY user interfaces.
- Run the display user-interface [ [ ui-type ] ui-number1 | ui-number ] [ summary ]
  command to check the physical attributes and configurations of user interfaces.
- Run the display local-user command to check the local user list.
- Run the display vty mode command to check the VTY mode.

----End

Example
Run the display users command to view information about current user interfaces.
<Quidway> display users
  User-Intf    Delay    Type   Network Address     AuthenStatus    AuthorcmdFlag
  34  VTY 0    00:00:12 TEL    10.138.77.38                        no
  Username : Unspecified
+ 35  VTY 1    00:00:00 TEL    10.138.77.57                        no
  Username : Unspecified

Run the display user-interface maximum-vty command to view the maximum number of VTY
user interfaces.
<Quidway> display user-interface maximum-vty
Maximum of VTY user:15

Run the display user-interface vty [ ui-number1 | ui-number ] [ summary ] command to check
the physical attributes and configurations of user interfaces.
<Quidway> display user-interface vty 0
  Idx  Type     Tx/Rx      Modem Privi ActualPrivi Auth  Int
+ 34   VTY 0                     14    14          N     -
  +    : Current UI is active.
  F    : Current UI is active and work in async mode.
  Idx  : Absolute index of UIs.
  Type : Type and relative index of UIs.
  Privi: The privilege of UIs.
  ActualPrivi: The actual privilege of user-interface.
  Auth : The authentication mode of UIs.
      A: Authenticate use AAA.
      N: Current UI need not authentication.
      P: Authenticate use current UI's password.
  Int  : The physical location of UIs.

Run the display local-user command to view the local user list.
<Quidway> display local-user
----------------------------------------------------------------------------
User-name                State  AuthMask  AdminLevel
----------------------------------------------------------------------------
aa                       A      S
admin                    A      H
huawei                   A      F
----------------------------------------------------------------------------
Total 3 user(s)

Run the display vty mode command to view the message indicating that the machine-to-machine
interface is enabled. For example:
<Quidway> display vty mode
current VTY mode is Machine-Machine interface

1.5.4 Configuration Examples


This section provides examples for configuring console and VTY user interfaces. These
configuration examples explain networking requirements and provide configuration roadmaps
and configuration notes.

Example for Configuring Console User Interface


In this example, a console user interface is configured to allow a user in password authentication
mode to log in to the Switch. The physical attributes, terminal attributes, user priority, user
authentication mode, and password are set for the interface.

Networking Requirements
A user uses the console user interface to log in to the Switch to initialize Switch configurations
or perform local router maintenance. You can set console user interface attributes as needed (for
example, security considerations) to allow user logins.
In the console user interface view, the user priority is set to 15, and the password authentication
mode is set (the password is huawei).
If there is no user activity and a connection is idle for more than 30 minutes after login, the
connection is torn down.

Configuration Roadmap
The configuration roadmap is as follows:

1. Enter the interface view and set physical attributes of the console user interface.
2. Set terminal attributes of the console user interface.
3. Set the user priority of the console user interface.
4. Set the user authentication mode and password of the console user interface.

Data Preparation
To complete the configuration, you need the following data:
- Transmission rate of the console user interface: 4800 bit/s
- Flow control mode of the console user interface: None
- Parity of the console user interface: even
- Stop bit of the console user interface: 2
- Data bit of the console user interface: 6
- Timeout period for disconnecting from the console user interface: 30 minutes
- Number of lines that a terminal screen displays: 30
- Number of characters that a terminal screen displays: 60
- Size of the history command buffer: 20
- User priority: 15
- User authentication mode: password (password: huawei)

Procedure
Step 1 Set physical attributes of the console user interface.
<Quidway> system-view
[Quidway] user-interface console 0
[Quidway-ui-console0] speed 4800
[Quidway-ui-console0] flow-control none
[Quidway-ui-console0] parity even
[Quidway-ui-console0] stopbits 2
[Quidway-ui-console0] databits 6

Step 2 Set terminal attributes of the console user interface.
[Quidway-ui-console0] shell
[Quidway-ui-console0] idle-timeout 30
[Quidway-ui-console0] screen-length 30
[Quidway-ui-console0] screen-width 60
[Quidway-ui-console0] history-command max-size 20

Step 3 Set the user priority of the console user interface.


[Quidway-ui-console0] user privilege level 15

Step 4 Set the user authentication mode in the console user interface to password.
[Quidway-ui-console0] authentication-mode password
[Quidway-ui-console0] set authentication password cipher huawei
[Quidway-ui-console0] quit

After the console user interface is configured, a user in password authentication mode can use
a console port to log in and perform local maintenance on the Switch. For details on how a user
logs in to the Switch, see the 1.6 Configuring User Login.
----End

Configuration Files
#
sysname Quidway
#
user-interface con 0
authentication-mode password
user privilege level 15
set authentication password cipher %$%$>tGNLl~,2=8vhc%-9O_B:[RI^3}]Ln;[qJRbm_OzqGiLhaXS%$%$
history-command max-size 20
idle-timeout 30 0
screen-length 30
databits 6
parity even
stopbits 2
speed 9600
#
return

Example for Configuring a VTY User Interface


In this example, a VTY user interface is configured to allow a user in password authentication
mode to use Telnet to log in to the Switch. The maximum number of VTY user interfaces
allowed, restrictions for incoming and outgoing calls, terminal attributes, authentication mode,
and password are set for the interface.

Networking Requirements
A user uses Telnet to log in to the Switch using a VTY channel. You can set VTY user interface
attributes as needed (for example, security considerations) to allow user logins.
In the VTY user interface, the user priority is set to 15, the authentication mode is set to password
authentication, with the password of "huawei", and a user with the IP address of 10.1.1.1 is
prohibited from logging in to the Switch.
If there is no user activity and a connection is idle for more than 30 minutes after login, the
connection is torn down.

Configuration Roadmap
The configuration roadmap is as follows:
1. Enter the interface view and set the maximum number of VTY user interfaces to 15.
2. Set restrictions for incoming and outgoing calls on the VTY user interface to prevent an IP
   address or an IP address segment from accessing the Switch.
3. Set terminal attributes of the VTY user interface.
4. Set the user priority of the VTY user interface.
5. Set the authentication mode and password of the VTY user interface.

Data Preparation
To complete the configuration, you need the following data:
- Maximum number of VTY user interfaces: 15
- ACL applied to restrict incoming calls on the VTY user interface: 2000
- Timeout period for disconnecting from the VTY user interface: 30 minutes


- Number of lines that a terminal screen displays: 30
- Number of characters that a terminal screen displays: 60
- Size of the history command buffer: 20
- User priority: 15
- User authentication mode: password, password: huawei

Procedure
Step 1 Set the maximum number of VTY user interfaces.
<Quidway> system-view
[Quidway] user-interface maximum-vty 15

Step 2 Set the limit on call-in and call-out in the VTY user interface.
[Quidway] acl 2000
[Quidway-acl-basic-2000] rule deny source 10.1.1.1 0
[Quidway-acl-basic-2000] quit
[Quidway] user-interface vty 0 14
[Quidway-ui-vty0-14] acl 2000 inbound

Step 3 Set terminal attributes of the VTY user interface.
[Quidway-ui-vty0-14] shell
[Quidway-ui-vty0-14] idle-timeout 30
[Quidway-ui-vty0-14] screen-length 30
[Quidway-ui-vty0-14] screen-width 60
[Quidway-ui-vty0-14] history-command max-size 20

Step 4 Set the user priority of the VTY user interface.
[Quidway-ui-vty0-14] user privilege level 15

Step 5 Set the authentication mode and password of the VTY user interface.
[Quidway-ui-vty0-14] authentication-mode password
[Quidway-ui-vty0-14] set authentication password cipher huawei
[Quidway-ui-vty0-14] quit

After the VTY user interface is configured, a user authenticated in password mode can use Telnet
to log in to the Switch and perform local or remote maintenance on the Switch. For details on
how a user logs in to the Switch, see 1.6 Configuring User Login.
----End

Configuration Files
#
sysname Quidway
#
acl number 2000
rule 5 deny source 10.1.1.1 0
rule permit source any
#
user-interface maximum-vty 15
user-interface vty 0 14
acl 2000 inbound
user privilege level 15
authentication-mode password
set authentication password cipher %$%$>tGNLl~,2=8vhc%-9O_B:[RI^3}]Ln;[qJRbm_OzqGiLhaXS%$%$
history-command max-size 20
idle-timeout 30 0
screen-length 30
#
return
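As an added example (not code from the guide or from Huawei), the following Python parses the configuration file above, evaluates ACL 2000 the way a basic ACL with a wildcard mask is matched against a source address, and audits the VTY view against the points this chapter makes (authentication mode, inbound ACL, idle timeout, Telnet enabled and STelnet disabled by default). It assumes rules are matched in configuration order; the sample is a trimmed copy of the file above with the cipher text replaced by a placeholder.

```python
import ipaddress
import re

# Constructed sample: the VTY example's configuration file from this
# section, trimmed, with the cipher text replaced by a placeholder.
SAMPLE_CONFIG = """\
#
acl number 2000
 rule 5 deny source 10.1.1.1 0
 rule permit source any
#
user-interface maximum-vty 15
user-interface vty 0 14
 acl 2000 inbound
 user privilege level 15
 authentication-mode password
 set authentication password cipher <cipher-text-placeholder>
 idle-timeout 30 0
#
"""

# Basic ACL rule: optional id, action, then "any" or "<address> <wildcard>".
RULE_RE = re.compile(
    r"^rule(?:\s+\d+)?\s+(permit|deny)\s+source\s+(?:(any)|(\S+)\s+(\S+))$")


def _ip_int(text):
    # VRP prints an all-zero wildcard as a bare "0".
    return int(ipaddress.IPv4Address("0.0.0.0" if text == "0" else text))


def parse_config(text):
    """Return {"acls": {number: [(action, addr, wildcard)]}, "vty": [...],
    "global": [...]} from a VRP configuration file; '#' closes a view."""
    acls, vty, top = {}, [], []
    section, acl_no = "global", None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "return":
            continue
        if line == "#":
            section = "global"
            continue
        m = re.match(r"^acl(?: number)? (\d+)$", line)
        if m:
            acl_no, section = int(m.group(1)), "acl"
            acls.setdefault(acl_no, [])
            continue
        if line.startswith("user-interface vty"):
            section = "vty"
            continue
        if section == "acl":
            r = RULE_RE.match(line)
            if not r:
                raise ValueError("unsupported ACL rule: " + line)
            action, any_src, addr, wildcard = r.groups()
            acls[acl_no].append((action, None, None) if any_src else
                                (action, _ip_int(addr), _ip_int(wildcard)))
        elif section == "vty":
            vty.append(line)
        else:
            top.append(line)
    return {"acls": acls, "vty": vty, "global": top}


def acl_decision(rules, source_ip):
    """First matching rule wins, in configuration order (assumed: VRP
    config-order matching). A 1 bit in the wildcard means 'do not care'."""
    src = _ip_int(source_ip)
    for action, addr, wildcard in rules:
        if addr is None or (src ^ addr) & ~wildcard & 0xFFFFFFFF == 0:
            return action
    return "no-match"


def audit_vty(cfg):
    """Findings against the hardening points this chapter makes for VTY login."""
    vty, top = cfg["vty"], cfg["global"]
    findings = []
    if not any(l.startswith("authentication-mode") for l in vty):
        findings.append("VTY: no authentication-mode (none is configured by default)")
    if not any(re.match(r"^acl \d+ inbound$", l) for l in vty):
        findings.append("VTY: no inbound ACL limits which sources may log in")
    if not any(l.startswith("idle-timeout") for l in vty):
        findings.append("VTY: no idle-timeout, idle sessions are never torn down")
    level = next((l.split()[-1] for l in vty if l.startswith("user privilege level")), "0")
    if "authentication-mode password" in vty and level == "15":
        findings.append("VTY: one shared password grants management level 15 to every login")
    if "undo telnet server enable" not in top:
        findings.append("Telnet server left enabled (the default): plaintext logins possible")
    if "stelnet server enable" not in top:
        findings.append("STelnet server left disabled (the default): no SSH login path")
    return findings


if __name__ == "__main__":
    cfg = parse_config(SAMPLE_CONFIG)
    print({ip: acl_decision(cfg["acls"][2000], ip) for ip in ("10.1.1.1", "10.1.1.2")})
    print("\n".join(audit_vty(cfg)))
```

For the sample above, 10.1.1.1 is denied and every other source is permitted, and the audit reports the shared level-15 password, the Telnet server still enabled, and STelnet still disabled.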


1.6 Configuring User Login


A user can log in to the Switch through a console port, or by using Telnet or SSH (STelnet). The
user can maintain the Switch locally or remotely after login.

1.6.1 Overview of User Login


A user must successfully log in to the device to manage and maintain it. The user can log in to
the device using the console port, Telnet, or STelnet.
Table 1-16 lists the modes by which a user can log in to the device to configure and manage it.
Table 1-16 User login modes
Login mode: 1.6.2 Logging in to the Devices Through the Console Port
Applicable scenario: A user logs in to the device using the console port on the user terminal to
power on and configure the device for the first time.
- If a user cannot access the device remotely, the user can log in to the device locally using the
  console port.
- A user can log in using the console port to diagnose a fault if the device fails to start or to
  enter the BootROM to upgrade the system.
Remarks: By default, a user can directly log in to the device using the console port. The
authentication mode is password authentication, indicating that a password is required for
authentication. The command access level is 3.


Login mode: 1.6.3 Logging in to Devices Using Telnet
Applicable scenario: A user accesses the network using a user terminal and logs in to the device
using Telnet to perform local or remote configuration. The target device authenticates the user
using the configured login parameters. The Telnet login mode facilitates remote device
management and maintenance.
Remarks: By default, a user cannot log in to the device directly using Telnet. To enable Telnet
login, log in to the device locally using the console port and perform the following
configuration tasks:
- Configure the IP address of the management network port on the device and ensure that a
  reachable route exists between the user terminal and the device. By default, an IP address is
  not configured on the device.
- Configure the user authentication mode of the VTY user interface. (By default, the user
  authentication mode of the VTY user interface is not configured. Administrators must manually
  set a user authentication mode for the VTY user interface.)
- Configure the user access level of the VTY user interface. By default, the user access level of
  the VTY user interface is 0.
- Enable the Telnet server function. By default, the Telnet server function is enabled.


Login mode: 1.6.4 Logging in to Devices Using STelnet
Applicable scenario: A user accesses the network using a user terminal. If the network is
insecure, use the Secure Shell (SSH) protocol to increase the security of the transmission and
utilize a powerful authentication mechanism. SSH protects the device system against attacks,
such as IP spoofing and plain text password interception. The STelnet login mode better ensures
the security of the exchanged data.
Remarks: By default, a user cannot log in to the device directly using STelnet. To enable STelnet
login, log in to the device locally using the console port and perform the following
configuration tasks:
- Configure the user authentication mode of the VTY user interface. (By default, the user
  authentication mode of the VTY user interface is not configured. Administrators must manually
  set a user authentication mode for the VTY user interface.)
- Configure the IP address of the management network port on the device and ensure that a
  reachable route exists between the user terminal and the device. By default, an IP address is
  not configured on the device.
- Configure the user access level of the VTY user interface. By default, the user access level of
  the VTY user interface is 0.
- Configure the VTY user interface to support the SSH protocol. By default, the VTY user
  interface supports the Telnet protocol.
- Configure the SSH user and specify STelnet as a service mode. By default, the SSH user is not
  configured on the device, and the service mode of SSH users is null (no service mode is
  supported).
- Enable the STelnet server function. By default, the STelnet server function is disabled.

NOTE

Logging in using Telnet is insecure because no secure authentication mechanism is used and data is
transmitted over TCP in plain text. Unlike Telnet, SSH authenticates clients and encrypts data in
both directions to guarantee secure transmissions on a conventional insecure network. SSH supports
Secure Telnet (STelnet).
For detailed information about SSH, see AC6605 Feature Description - Basic Configurations.

1.6.2 Logging in to the Devices Through the Console Port


When a user needs to configure a Switch that is powered on for the first time or maintain a
Switch locally, the user can log in through a console port.

Establishing the Configuration Task


Before configuring user login through a console port, familiarize yourself with the applicable
environment, complete the pre-configuration tasks, and obtain any data required for the
configuration. This will help you complete the configuration task quickly and correctly.

Applicable Environment
A user can log in to a device locally through a console port. The user must log in through a
console port when a device is powered on for the first time.
- If a user cannot access the device remotely, the user can log in to the device locally using
  the console port.
- A user can log in using the console port to diagnose a fault if the device fails to start or to
  enter the BootROM to upgrade the system.

Pre-configuration Tasks
Before configuring user login through a console port, complete the following tasks:
- Configuring the PC/terminal (including the serial port and RS-232 cable)
- Installing the terminal emulator (for example, the Windows XP HyperTerminal) on the PC

Data Preparation
To configure user login through a console port, you need the following data:
- Transmission rate, flow control mode, parity mode, stop bit, data bit
- Number of lines displayed in a terminal screen, number of characters displayed in a terminal
  screen, size of the history command buffer
- User priority
- User authentication mode, username, and password

(Optional) Configuring the Console User Interface


If you log in to the device through a console port to perform local maintenance, you can configure
attributes for the console user interface as needed.

Context
Console user interface attributes have default values on the device, and generally need no
modification. To meet specific user requirements or ensure network security, you can modify
console user interface attributes, such as terminal attributes and user authentication mode.
For detailed settings, see Configuring Console User Interface.

NOTE

Changes to console user interface attributes take effect immediately. Therefore, the connection may be
interrupted if console user interface attributes are modified when logged in to the device through the console
port. For this reason, logging into the device using another login mode is recommended when modifying
console user interface attributes. To log in to the device through the console port after changing the default
console user interface attributes, ensure that the configuration of the terminal emulator running on the PC
is consistent with the console user interface attributes configured on the device.

Logging In to the Device Using a Console Port


A user can log in by connecting a terminal to the device using a console port.

Context
- Communication parameters of the user terminal must match physical attribute parameters of the
  console user interface on the device.
- A user authentication mode must be configured on the console user interface, so that a user can
  log in to the device only after being successfully authenticated. Authentication enhances
  network security.

Procedure
Step 1 Start a terminal emulator on the PC and create a connection, as shown in Figure 1-11.
Figure 1-11 Connection creation

Step 2 Set an interface, as shown in Figure 1-12.


Figure 1-12 Interface settings

Step 3 Set communication parameters to match the Switch defaults, as shown in Figure 1-13.
Figure 1-13 Communication parameter settings


Step 4 Press Enter. At the following command-line prompt, set an authentication password. The system
automatically saves the set password.
An initial password is required for the first login via the console.
Set a password and keep it safe! Otherwise you will not be able to login via the
console.
Please configure the login password (6-16)
Enter Password:
Confirm Password:
<Quidway>

You can run commands to configure the device. Enter a question mark (?) whenever you need
help.
Step 5 Run the display device command to check whether you have logged in to the LSW or AC unit.
The following information indicates that you have logged in to the LSW unit.
<Quidway> display device
AC6605-26-PWR's Device status:
Slot  Sub  Type        Online    Power     Register    Status   Role
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
0          AC6605-26   Present   PowerOn   Registered  Normal   Master
4          POWER       Present   PowerOn   Registered  Normal   NA

Step 6 Run the console switch command or press Ctrl+Y to switch from the LSW unit to the AC unit.
After the preceding configurations are complete, press Enter. At the following command-line
prompt, set an authentication password. The system automatically saves the set password.
<Quidway> console switch
Info: Switch console to AC.
An initial password is required for the first login via the console.
Set a password and keep it safe! Otherwise you will not be able to login via the
console.
Please configure the login password (6-16)
Enter Password:
Confirm Password:
<Quidway>

Step 7 Run the display device command to check AC unit information.


<Quidway> display device
AC6605-AC's Device status:
Slot  Sub  Type        Online    Power     Register    Status   Role
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
0          AC6605-26   Present   PowerOn   Registered  Normal   Master

Step 8 Run the console switch command or press Ctrl+Y to switch from the AC unit to the LSW unit.
<Quidway> console switch
Info: Switch console to LSW.
<Quidway>

The LSW unit and AC unit of the AC6605 use the same physical serial port. You can press Ctrl+Y to
switch between the LSW unit and AC unit if you have logged in to the device through the console
port. When you press Ctrl+Y, either of the following information is displayed:
- Info: Switch console to AC. This information indicates that you have logged in to the AC unit.
- Info: Switch console to LSW. This information indicates that you have logged in to the LSW unit.


NOTE

When you log in to the device on the console port, the device status determines which side you log in to,
the wired side or the wireless side. By default, you log in to the wired side when the device is powered on
for the first time. If you want to switch the account, disconnect the console port. When you reconnect the
console port and attempt to log in, you log in to the side you were on last time. If the wireless side
restarts separately, the console port automatically connects to the wired side.

----End

Checking the Configuration


After logging in through a console port, a user can view the usage information, physical attributes
and configurations, local user list, and online users on the console user interface.

Prerequisites
Configurations for user login through a console port are complete.

Procedure
- Run the display users [ all ] command to check information about the user interface.
- Run the display user-interface console ui-number1 [ summary ] command to check physical
  attributes and configurations of the user interface.
- Run the display local-user command to check the local user list.
- Run the display access-user command to check online users.

----End

Example
Run the display users command to view information about the current user interface.
<Quidway> display users
  User-Intf    Delay      Type  Network Address    AuthenStatus   AuthorcmdFlag
  0  CON 0     00:00:44                            pass           no
  Username : Unspecified

Run the display user-interface console ui-number1 [ summary ] command to view the physical
attributes and configurations of the user interface.
<Quidway> display user-interface console 0
  Idx  Type     Tx/Rx      Modem Privi ActualPrivi Auth  Int
  0    CON 0    9600             3                 N     -
  +    : Current UI is active.
  F    : Current UI is active and work in async mode.
  Idx  : Absolute index of UIs.
  Type : Type and relative index of UIs.
  Privi: The privilege of UIs.
  ActualPrivi: The actual privilege of user-interface.
  Auth : The authentication mode of UIs.
      A: Authenticate use AAA.
      N: Current UI need not authentication.
      P: Authenticate use current UI's password.
  Int  : The physical location of UIs.

Run the display local-user command to view the local user list.
<Quidway> display local-user
----------------------------------------------------------------------------
User-name                       State  AuthMask  AdminLevel
----------------------------------------------------------------------------


aa                              A      S
admin                           A      H
huawei                          A      F
----------------------------------------------------------------------------
Total 3 user(s)

1.6.3 Logging in to Devices Using Telnet


When multiple Switches need to be configured and managed, there is no need to maintain each
Switch locally. Instead, you can use Telnet to log in to the Switches remotely to perform
maintenance. This greatly facilitates device management.

Establishing the Configuration Task


Before configuring user login using Telnet, familiarize yourself with the applicable environment,
complete the pre-configuration tasks, and obtain any data required for configuration. This will
help you complete the configuration task quickly and correctly.

Applicable Environment
If you know the IP address of a remote Switch, you can use Telnet to log in to the Switch from
a local terminal. Telnet login allows you to maintain multiple remote Switches from one local
terminal, greatly facilitating device management.
Note that Switch IP addresses must be preset through console ports.

Pre-configuration Tasks
Before configuring users to log in using Telnet, you must log in to the device through the console
port to change the default configurations on the device, so that users can remotely log in to the
device using Telnet to manage and maintain the device. The following default configurations
must be changed:
- Configuring the IP address of the management network port on the device and ensuring that a
  reachable route exists between the user terminal and the device
- Configuring the User Access Level and User Authentication Mode of the VTY User Interface for
  remote device management and maintenance
- Enabling the Telnet Service so that users can remotely log in to the device through Telnet

Data Preparation
Before configuring Telnet user login, you need the following data:
- User priority
- User authentication mode, username, password
- (Optional) Maximum number of VTY user interfaces allowed
- (Optional) ACL to restrict incoming and outgoing calls on VTY user interfaces
- (Optional) Connection timeout period of terminal users, number of lines displayed in a terminal
  screen, number of characters displayed in a terminal screen and size of the history command
  buffer


- IPv4 address or host name of the Switch
- TCP port number used by the remote device to provide Telnet services, VPN instance name

Configuring the User Access Level and User Authentication Mode of the VTY User
Interface
By default, the user access level of the VTY user interface is 0. To enable a user terminal to log
in to the device remotely using Telnet for maintenance and management, log in to the device
using the console port, change the user access level, and set a user authentication mode for
the VTY user interface.

Context
In general, the default values of other VTY user interface attributes do not need to be modified.
These attributes can be changed if necessary. For details, see Configuring the VTY User
Interface.

Procedure
- Configure the user access level of the VTY user interface.
  1. Run:
     system-view
     The system view is displayed.
  2. Run:
     user-interface vty first-ui-number [ last-ui-number ]
     The VTY user interface view is displayed.
  3. Run:
     user privilege level level
     The user access level is set.
     By default, the user access level of the VTY user interface is 0. Table 1-17 describes the
     relationship between the user access levels and command levels.
Table 1-17 Association between user access levels and command levels

User Level | Command Level | Level Name | Description
0 | 0 | Visit level | This level gives access to commands that run network diagnostic tools (such
    as ping and tracert) and commands that start from a local device and visit external devices
    (such as Telnet client side).


1 | 0 and 1 | Monitoring level | This level gives access to commands, like the display command,
    that are used for system maintenance and fault diagnosis.
    NOTE: Some display commands are not at this level. For example, the display
    current-configuration and display saved-configuration commands are at level 3. For details
    about command level, see AC6605 Command Reference.
2 | 0, 1, and 2 | Configuration level | This level gives access to commands that configure network
    services provided directly to users, including routing and network layer commands.
3-15 | 0, 1, 2, and 3 | Management level | This level gives access to commands that control basic
    system operations and provide support for services. These commands include file system
    commands, FTP commands, TFTP commands, configuration file switching commands, power supply
    control commands, backup board control commands, user management commands, level setting
    commands, system internal parameter setting commands, and debugging commands for fault
    diagnosis.

NOTE
- Different user access levels are associated with different command levels. A user at a certain
  access level can use only commands that have a level lower than or equal to the command level
  of the user. This ensures the security of the device to some extent.
- If the configured command level of the user interface conflicts with the operation rights of the
  username, the operation rights of the username take precedence.

- Configure the user authentication mode of the VTY user interface.
  Two authentication modes are available: password authentication and AAA authentication. Select
  one of them as needed.
  Configuring Password Authentication
  1. Run:
     system-view
     The system view is displayed.
  2. Run:
     user-interface vty first-ui-number [ last-ui-number ]
     The VTY user interface view is displayed.
  3. Run:
     authentication-mode password
     The authentication mode is set to password authentication.


  4. Run:
     set authentication password [ cipher password ]
     A password in the encrypted text for password authentication is set.

  Configuring AAA Authentication
  When the user authentication mode of the VTY user interface is set to AAA authentication, the
  access type of the local user must be specified.
  1. Run:
     system-view
     The system view is displayed.
  2. Run:
     aaa
     The AAA view is displayed.
  3. Run:
     local-user user-name password cipher password
     A username and password for the local user are created.
  4. Run:
     local-user user-name service-type telnet
     The access type of the local user is set to Telnet.
  5. Run:
     quit
     Exit from the AAA view.
  6. Run:
     user-interface vty first-ui-number [ last-ui-number ]
     The VTY user interface view is displayed.
  7. Run:
     authentication-mode aaa
     The authentication mode is set to AAA authentication.
----End

Enabling the Telnet Service


Before a user terminal establishes a Telnet connection with the device, log in to the device
through the console interface to enable the Telnet server function on the device, so that the user
terminal can remotely log in to the device using Telnet.

Context
By default, the Telnet server function is enabled.
Do as follows on the device that serves as a Telnet server.

Procedure
- For the IPv4 network
  1. Run:
     system-view

     The system view is displayed.
  2. Run:
     telnet server enable
     The Telnet service is enabled.
----End

Logging in to the Device Using Telnet


After a remote device is configured, use Telnet to log in to the device from a terminal and perform
remote maintenance on the device.

Context
Use either the Windows CLI or third-party software in the terminal to log in to the Switch through
Telnet. This section describes use of the Windows command line prompt.
Do as follows on the user terminal:
NOTE

When multiple users operate the device concurrently, configurations may conflict, which causes system
errors. Therefore, it is recommended that only one user operates the device at a time.

Procedure
Step 1 Open the Windows CLI.
Step 2 Run the telnet ip-address command to log in to the device using Telnet.
1. Enter the IP address of the Telnet server.
   Figure 1-14 Windows CLI
2. Press Enter to display the command line prompt, such as <HUAWEI>, for the system view. This
   indicates that you have accessed the Telnet server.
   If the password or AAA authentication mode has been set on the device, you must enter the
   login user name and password, and press Enter. The command line prompt of the user view is
   displayed, as shown in Figure 1-15.


Figure 1-15 Login

----End

(Optional) Configuring Listening Port Number for Telnet Server


A user can configure or change the listening port number of a Telnet server. Changing the
listening port number ensures network security, because only the user that knows the current
listening port number can log in to the Switch.

Context
By default, the listening port number of a Telnet server is 23. Users can directly log in to the
Switch using the default listening port number. Attackers may access the default listening port,
consuming bandwidth, deteriorating server performance, and leaving authorized users unable to
access the server. After the listening port number of the Telnet server is changed, attackers do
not know the new listening port number. This effectively prevents attackers from accessing the
listening port.
Do as follows on the Switch that functions as a Telnet server:

Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
telnet server port port-number
The listening port number of the Telnet server is set.

If a new listening port number is set, the Telnet server terminates all established Telnet
connections, and then uses the new port number to listen to new requests for Telnet connections.
----End

Checking the Configuration


After logging in to the system using Telnet, you can view the connection status of each user
interface including the current user interface, and status of all established TCP connections.

Prerequisites
Configurations for Telnet logins are complete.

Procedure
- Run the display users [ all ] command to check information about users logged in to user
  interfaces.
- Run the display tcp status command to check TCP connections.
- Run the display telnet server status command to check the configuration and status of the
  Telnet server.

----End

Example
Run the display users command to view information about the currently-used user interface.
<Quidway> display users
  User-Intf    Delay      Type  Network Address    AuthenStatus   AuthorcmdFlag
  34 VTY 0     00:00:12   TEL   10.138.77.38                      no
  Username : Unspecified
+ 35 VTY 1     00:00:00   TEL   10.138.77.57                      no
  Username : Unspecified

Run the display tcp status command to view TCP connections. In the command output, Established
indicates that a TCP connection has been established.
<Quidway> display tcp status
TCPCB     Tid/Soid  Local Add:port        Foreign Add:port      VPNID  State
39952df8  36 /1509  0.0.0.0:0             0.0.0.0:0             14849  Closed
32af9074  59 /1     0.0.0.0:21            0.0.0.0:0                    Listening
34042c80  73 /17    10.164.39.99:23       10.164.6.13:1147             Established

Run the display telnet server status command to view the configuration and status of the Telnet
server.
<Quidway> display telnet server status
TELNET IPV4 server                    :Enable
TELNET IPV6 server                    :Enable
TELNET server port                    :23
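As an added example (not code from the guide or from Huawei), the following Python turns the two command outputs above into a check a defender would run: it reads the listening port from display telnet server status, parses the display tcp status table with the column layout as printed, and reports every established session on that port (plaintext Telnet by definition) together with whether the peer lies inside an allowed management range. The 10.164.0.0/16 range and the extra session from 10.1.1.1 (the address the VTY example denies) are constructed.

```python
import ipaddress
import re

# Constructed sample built from the 'display tcp status' output in this
# section plus one extra Established row (constructed) from 10.1.1.1, the
# address the VTY example denies.
SAMPLE_TCP_STATUS = """\
TCPCB     Tid/Soid  Local Add:port        Foreign Add:port      VPNID  State
39952df8  36 /1509  0.0.0.0:0             0.0.0.0:0             14849  Closed
32af9074  59 /1     0.0.0.0:21            0.0.0.0:0                    Listening
34042c80  73 /17    10.164.39.99:23       10.164.6.13:1147             Established
5a1f0c20  74 /18    10.164.39.99:23       10.1.1.1:52014               Established
"""

# Constructed sample of 'display telnet server status' as shown in this section.
SAMPLE_SERVER_STATUS = """\
TELNET IPV4 server                    :Enable
TELNET IPV6 server                    :Enable
TELNET server port                    :23
"""

# One data row of display tcp status; the VPNID column may be blank.
ROW_RE = re.compile(
    r"^(?P<tcpcb>[0-9a-f]+)\s+(?P<tid>\d+)\s*/(?P<soid>\d+)\s+"
    r"(?P<laddr>[\d.]+):(?P<lport>\d+)\s+(?P<faddr>[\d.]+):(?P<fport>\d+)\s+"
    r"(?:(?P<vpn>\d+)\s+)?(?P<state>[A-Za-z_]+)$")


def parse_tcp_status(text):
    """Return one dict per socket row; header, prompt and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        for key in ("tid", "soid", "lport", "fport"):
            d[key] = int(d[key])
        d["vpn"] = int(d["vpn"]) if d["vpn"] else None
        rows.append(d)
    return rows


def telnet_server_port(text):
    """Read the listening port from 'display telnet server status' output,
    so the check still works after 'telnet server port' has been changed."""
    m = re.search(r"^TELNET server port\s*:\s*(\d+)\s*$", text, re.M)
    if not m:
        raise ValueError("TELNET server port line not found")
    return int(m.group(1))


def audit_telnet_sessions(tcp_text, server_text, allowed_nets):
    """List every established session on the Telnet port (plaintext by
    definition) and whether its peer lies inside an allowed management net."""
    port = telnet_server_port(server_text)
    nets = [ipaddress.ip_network(n) for n in allowed_nets]
    findings = []
    for row in parse_tcp_status(tcp_text):
        if row["state"] != "Established" or row["lport"] != port:
            continue
        peer = ipaddress.ip_address(row["faddr"])
        inside = any(peer in n for n in nets)
        findings.append({"peer": str(peer), "peer_port": row["fport"],
                         "inside_management_range": inside})
    return port, findings


if __name__ == "__main__":
    port, hits = audit_telnet_sessions(
        SAMPLE_TCP_STATUS, SAMPLE_SERVER_STATUS, ["10.164.0.0/16"])
    print("Telnet listening port:", port)
    for h in hits:
        print("plaintext Telnet session from", h["peer"],
              "inside management range" if h["inside_management_range"]
              else "OUTSIDE management range")
```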

1.6.4 Logging in to Devices Using STelnet


STelnet provides secure remote access over an insecure network. After the client/server
negotiation is complete and a secure connection is established, STelnet login is similar to Telnet
login.


Establishing the Configuration Task


Before configuring users to log in using STelnet, familiarize yourself with the applicable
environment, complete the pre-configuration tasks, and obtain any data required for the
configuration. This will help you complete the configuration task quickly and correctly.

Applicable Environment
Telnet logins bring security risks because no secure authentication mechanism exists and data
is transmitted over TCP in plain text mode. Unlike Telnet, SSH authenticates clients and encrypts
data in both directions to guarantee secure transmissions on a conventional insecure network.
SSH supports STelnet and SFTP.
STelnet is a secure Telnet protocol. SSH users can use the STelnet service in the same way they
use the Telnet service.

Pre-configuration Tasks
Before configuring users to log in using STelnet, you must log in to the device through the
console port to change the default configurations on the device, so that users can remotely log
in to the device using STelnet to manage and maintain the device. The following default
configurations must be changed:
- Configuring the IP address of the management network port on the device and ensuring that a
  reachable route exists between the user terminal and the device
- Configuring the user access level and authentication mode of the VTY user interface for remote
  device management and maintenance
- Configuring the VTY user interface to support the SSH protocol, configuring the SSH user and
  specifying STelnet as a service mode for the SSH user, and enabling the STelnet server function
  so that the user can remotely log in to the device through STelnet

Data Preparation
To configure users to log in using STelnet, you need the following data:

- User authentication mode, username, and password; (optional) maximum number of VTY user
  interfaces allowed; (optional) ACL for restricting incoming and outgoing calls on VTY user
  interfaces; (optional) connection timeout period for terminal users, number of rows displayed
  in a terminal screen, size of the history command buffer
- Username, password, authentication mode, and service type of an SSH user and remote public RSA
  or DSA key pair allocated to the SSH user
- (Optional) Name of an SSH server, number of the port monitored by the SSH server, preferred
  encryption algorithm from the STelnet client to the SSH server, preferred encryption algorithm
  from the SSH server to the STelnet client, preferred HMAC algorithm from the STelnet client to
  the SSH server, preferred HMAC algorithm from the SSH server to the STelnet client, preferred
  algorithm for key exchange

Configuring the User Access Level and User Authentication Mode of the VTY User
Interface
By default, the user access level is 0. Before logging in to the device using STelnet for
maintenance and management, you must log in to the device through the console port to change
the user access level and set a user authentication mode.

Context
In general, the default values of other VTY user interface attributes do not need to be modified.
These attributes can be changed if necessary. For details, see Configuring the VTY User
Interface.

Procedure
l Configure the user access level of the VTY user interface.
1. Run:
system-view

The system view is displayed.
2. Run:
user-interface vty first-ui-number [ last-ui-number ]

The VTY user interface view is displayed.
3. Run:
user privilege level level

The user access level is set.
By default, the user access level of the VTY user interface is 0. Table 1-18 describes
the relationship between the user access levels and command levels.
Table 1-18 Association between user access levels and command levels
User Level | Command Level | Level Name | Description
0 | 0 | Visit level | This level gives access to commands that run network diagnostic tools
(such as ping and tracert) and commands that start from a local device and visit external
devices (such as Telnet client side).
1 | 0 and 1 | Monitoring level | This level gives access to commands, like the display
command, that are used for system maintenance and fault diagnosis.
NOTE: Some display commands are not at this level. For example, the display
current-configuration and display saved-configuration commands are at level 3. For details
about command levels, see AC6605 Command Reference.
2 | 0, 1, and 2 | Configuration level | This level gives access to commands that configure
network services provided directly to users, including routing and network layer commands.
3-15 | 0, 1, 2, and 3 | Management level | This level gives access to commands that control
basic system operations and provide support for services. These commands include file system
commands, FTP commands, TFTP commands, configuration file switching commands, power
supply control commands, backup board control commands, user management commands, level
setting commands, system internal parameter setting commands, and debugging commands for
fault diagnosis.
NOTE

l Different user access levels are associated with different command levels. A user at a certain
access level can use only commands that have a level lower than or equal to the command
level of the user. This ensures the security of the device to some extent.
l If the configured command level of the user interface conflicts with the operation rights of
the username, the operation rights of the username take precedence.

l Configure the user authentication mode of the VTY user interface.


Configuring AAA Authentication
When the authentication mode of the VTY user interface is set to AAA authentication,
the access type of the local user must be specified.
1. Run:
system-view

The system view is displayed.
2. Run:
aaa

The AAA view is displayed.
3. Run:
local-user user-name password cipher password

A username and password for the local user are created.
4. Run:
local-user user-name service-type ssh

The access type of the local user is set to SSH.
5. Run:
quit

Exit from the AAA view.
6. Run:
user-interface vty first-ui-number [ last-ui-number ]

The VTY user interface view is displayed.
7. Run:
authentication-mode aaa

The authentication mode is set to AAA authentication.


----End

Configuring SSH for the VTY User Interface


For users to log in to the device using STelnet, VTY user interfaces must be configured to support
SSH.

Context
By default, user interfaces support Telnet. A user interface must be configured to support SSH
for users to log in to the device using STelnet.
NOTE

A VTY user interface configured to support SSH must also be configured with AAA authentication.
Otherwise, the protocol inbound ssh command cannot be configured.

Do as follows on the Switch that serves as an SSH server:

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
user-interface [ vty ] first-ui-number [ last-ui-number ]

The VTY user interface view is displayed.


Step 3 Run:
authentication-mode aaa

The AAA authentication mode is configured.


Step 4 Run:
protocol inbound ssh

The VTY user interface is configured to support SSH.


----End

Configuring an SSH User and Specifying the Service Types


For a user to log in to the device using STelnet, you must configure an SSH user, configure the
device to generate a local RSA or DSA key pair, configure a user authentication mode, and
specify a service type for the SSH user.

Context
l There are six SSH user authentication modes: RSA, DSA, password, password-RSA,
password-DSA, and all. Password authentication depends on Authentication, Authorization
and Accounting (AAA). Before a user logs in to the device in password, password-RSA, or
password-DSA authentication mode, you must create a local user with the specified username
in the AAA view.
l The device must be configured to generate local RSA or DSA key pairs, which are a key part
of the SSH login process. If an SSH user logs in to an SSH server in password authentication
mode, configure the server to generate a local RSA or DSA key pair. If an SSH user logs in to
an SSH server in RSA or DSA authentication mode, configure both the server and the client to
generate local RSA or DSA key pairs.
RSA and DSA are the two public key algorithms used for user authentication in SSH.
Compared with RSA authentication, DSA authentication adopts the DSA encryption mode and
is widely used. In many cases, SSH only supports DSA to authenticate the server and the client.
When the RSA or DSA authentication mode is used, the priority of users depends on the
priority of the VTY user interfaces used for login.
NOTE

l Password-RSA authentication depends on both password authentication and RSA authentication.


l Password-DSA authentication depends on both password authentication and DSA authentication.
l All authentication depends on either of the following authentications: password authentication, or DSA
authentication and RSA authentication.

Do as follows on the Switch that functions as an SSH server:

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
ssh user user-name

An SSH user is created. If password, password-RSA, or password-DSA authentication is
configured for the SSH user, create the same SSH user in the AAA view and set the local user
access type to SSH.
1. Run the aaa command to enter the AAA view.
2. Run the local-user user-name password cipher password command to configure a local
username and a password.
3. Run the local-user user-name service-type ssh command to set the local user access type
to SSH.
By default, a local user can use any access type. You can specify an access type to allow only
users configured with the specified access type to log in to the Switch.
Step 3 Generate an RSA or DSA local key pair.
l Run the rsa local-key-pair create command to generate the RSA local key pair.
NOTE
l You must run the rsa local-key-pair create command to generate a local key pair before
completing other SSH configurations. The minimum length of the server key pair and the host key
pair is 512 bits, and the maximum length is 2048 bits.
l After a local key pair is generated, you can run the display rsa local-key-pair public command
to view the public key in the local key pair.
l Run the dsa local-key-pair create command to generate the DSA local key pair.
NOTE
l You must run the dsa local-key-pair create command to generate a local key pair before
completing other SSH configurations. The length of the server key pair and the host key pair can
be 512 bits, 1,024 bits, or 2,048 bits. By default, the length of the key pair is 512 bits.
l After a local key pair is generated, you can run the display dsa local-key-pair public command
to view the public key in the local key pair.

Step 4 Run:
ssh user user-name authentication-type { password | rsa | password-rsa | all | dsa
| password-dsa }

The authentication mode for SSH users is configured.


Perform the following as required:
l Configure password authentication for the SSH user.
Run:
ssh user user-name authentication-type password

Password authentication is configured.


Run:
ssh authentication-type default password

The default password authentication is configured.


For local authentication or HWTACACS authentication, if the number of SSH users is
small, you can use the former command; if the number of SSH users is large, use the latter
command to simplify the configuration.
l Configure RSA authentication or DSA authentication for the SSH user.
Configure RSA authentication for the SSH user.
1. Run the ssh user user-name authentication-type rsa command to configure RSA
authentication for the SSH user.
2. Run the rsa peer-public-key key-name command to enter the RSA public key view.
3. Run the public-key-code begin command to enter the public key edit view.
4. Enter hex-data to edit the public key.

NOTE

l In the public key edit view, enter the hexadecimal digits or letters in the public key format,
which is randomly generated by the client software that supports SSH. For details, see the help
information of the client software that supports SSH.
l In the public key edit view, you can send the RSA public key that is generated on the client to
the server. Copy and paste the RSA public key to the device that functions as the SSH server.

Configure DSA authentication for the SSH user.
1. Run the ssh user user-name authentication-type dsa command to configure DSA
authentication for the SSH user.
2. Run the dsa peer-public-key key-name encoding-type { der | pem } command to
enter the DSA public key view.
3. Run the public-key-code begin command to enter the public key edit view.
4. Enter hex-data to edit the public key.
After the preceding operations are complete, do the following as required to quit the public
key edit view.
1. Run the public-key-code end command to quit the public key edit view.
2. Run the peer-public-key end command to quit the public key view and return to the
system view.
NOTE
l If the specified hex-data is invalid, the public key cannot be generated after the
peer-public-key end command is run.
l If the specified key-name is deleted in other views in step b, the system prompts that the
key does not exist after the peer-public-key end command is run and the system view
is displayed.
3. Run the ssh user user-name assign { rsa-key | dsa-key } key-name command to
configure the public key for SSH users.

Step 5 (Optional) Configure basic authentication information for SSH users.
1. Run:
ssh server rekey-interval interval

The interval for updating the server key pair is configured.
By default, the interval for updating the SSH server key pair is 0, indicating that the key
pair is never updated.
2. Run:
ssh server timeout seconds

The timeout period for SSH authentication is set.
By default, the timeout period is 60 seconds.
3. Run:
ssh server authentication-retries times

The number of SSH authentication retries is set.
By default, the number of retries is 3.
Step 6 (Optional) Authorize SSH users using command lines.
Run:
ssh user user-name authorization-cmd aaa

Command line authorization is configured for the specified SSH user.
After configuring command line authorization for an SSH user that performs RSA
authentication, you must also configure AAA authorization. Otherwise, the command line
authorization for the SSH user does not take effect.
Step 7 Run:
ssh user username service-type { stelnet | all }

The service type for the SSH user is configured.
By default, the service type of the SSH user is not configured.


----End

Enabling the STelnet Server Function


By default, the STelnet server function is disabled. Before a user terminal logs in to the device
using STelnet, you must log in to the device through the console interface to enable the STelnet
server function on the device.

Context
By default, no device is enabled with the STelnet server function. Users can establish connections
to the device using STelnet only after the device is enabled with the STelnet server function.
Do as follows on the device that serves as an SSH server:

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
stelnet server enable

The STelnet server function is enabled.


By default, the STelnet server function is disabled.
----End

Logging in to the Device Using STelnet


After you log in to the device through the console interface to complete the relevant
configurations, users can log in to the device using the Secure Shell (SSH) protocol from remote
user terminals to maintain the device.

Context
Third-party software can be used on a terminal for STelnet login. This section describes the use
of third-party software OpenSSH and the Windows CLI.
After installing OpenSSH on the user terminal, do as follows on the user terminal:
NOTE

When multiple users operate the device concurrently, configurations may conflict, which causes system
errors. Therefore, it is recommended that only one user operate the device at a time.
For details on how to install OpenSSH, refer to the software installation guide.
For details about how to use OpenSSH commands to log in to the system, see the help document of the
software.


Procedure
Step 1 Open the Windows CLI.
Step 2 Run relevant OpenSSH commands to log in to the Switch in STelnet mode.
Figure 1-16 Logging in to the device in STelnet mode

----End

(Optional) Configuring the STelnet Server Parameters


You can configure a device to be compatible with earlier versions of the SSH protocol, configure
or change the listening port number of an SSH server, and set an interval at which the key pair of
the SSH server is updated.

Context
Table 1-19 lists server parameters.


Table 1-19 Server parameters
Server Parameter | Description
Earlier SSH version compatibility | There are two SSH versions: SSH1.X (earlier than SSH2.0)
and SSH2.0. SSH2.0 has an extended structure and supports more authentication modes and key
exchange methods than SSH1.X. SSH2.0 also supports more advanced services such as SFTP. The
AC6605 supports SSH versions ranging from 1.3 to 2.0.
Listening port number of an SSH server | The default listening port number of an SSH server
is 22. Users can log in to the device by using the default listening port number. Attackers may
access the default listening port, consuming bandwidth, deteriorating server performance, and
leaving authorized users unable to access the server. After the listening port number of the SSH
server is changed, attackers do not know the new port number. This effectively prevents attackers
from accessing the listening port and improves security.
Interval for updating the SSH server key pair | If this interval is set, the SSH server key pair
will be updated periodically to improve security.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Perform one or both of the operations shown in Table 1-20 as needed.
Table 1-20 Configurations of server parameters
Server Parameter | Operation
Earlier SSH version compatibility | Run the ssh server compatible-ssh1x enable command.
By default, an SSH server running SSH2.0 is compatible with SSH1.X. To prevent clients running
SSH1.3 to SSH1.99 from logging in, run the undo ssh server compatible-ssh1x enable command
to disable support for earlier SSH protocol versions.
Listening port number of the SSH server | Run the ssh server port port-number command.
If a new listening port is set, the SSH server cuts off all established STelnet and SFTP
connections, and uses the new port number to listen for connection requests. By default, the
listening port number is 22.
Interval for updating the SSH server key pair | Run the ssh server rekey-interval
rekey-interval command. By default, the interval is 0, indicating that the key pair is never
updated.


----End

Checking the Configuration


After configuring users to log in using STelnet, you can view the SSH server configuration.

Prerequisites
Configurations for STelnet login are complete.

Procedure
l Run the display ssh user-information username command on the SSH server to check
information about SSH users.
l Run the display ssh server status command on the SSH server to check its configurations.
l Run the display ssh server session command on the SSH server to check sessions for SSH
users.

----End

Example
Run the display ssh user-information username command to view information about a
specified SSH user.
<Quidway> display ssh user-information client001
User Name             : client001
Authentication-type   : password
User-public-key-name  :
User-public-key-type  : RSA
Sftp-directory        :
Service-type          : stelnet
Authorization-cmd     : Yes

If no SSH user is specified, information about all SSH users logged in to an SSH server will be
displayed.
Run the display ssh server status command to view configurations of an SSH server.
<Quidway> display ssh server status
SSH version                        :1.99
SSH connection timeout             :60 seconds
SSH server key generating interval :0 hours
SSH authentication retries         :3 times
SFTP server                        :Disable
Stelnet server                     :Enable
Scp server                         :Enable

Run the display ssh server session command. The command output shows information about
a session between the SSH server and client.
<Quidway> display ssh server session
Session 1:
Conn                : VTY 3
Version             : 2.0
State               : started
Username            : client001
Retry               : 1
CTOS Cipher         : aes128-cbc
STOC Cipher         : aes128-cbc
CTOS Hmac           : hmac-md5
STOC Hmac           : hmac-md5
Kex                 : diffie-hellman-group-exchange-sha1
Service Type        : stelnet
Authentication Type : password
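The STelnet procedure above and the display commands in Checking the Configuration describe the settings a VTY needs before remote users are let in. The following audit script is an added example, not Huawei code: it reads a configuration file in the layout of this guide's configuration examples (assumed: one command per line, "#" between blocks, user-interface sub-commands indented by one space) and reports settings that fall short of the procedure or are left at the defaults listed in Table 1-19. The two sample configurations and the placeholder cipher text are constructed.

```python
"""Audit a VRP-style configuration file for the STelnet login settings this
section describes.  Added example, not Huawei code.  Assumes the layout of the
guide's configuration files: one command per line, "#" between blocks,
user-interface sub-commands indented by one space."""
import re
from typing import Dict, List, Tuple

# Constructed sample: a VTY configured for STelnet as in the procedure above.
# The cipher text is a placeholder, not a real password ciphertext.
SSH_CONFIG = """\
#
aaa
 local-user client001 password cipher %$%$PLACEHOLDER$%$%
 local-user client001 service-type ssh
#
ssh user client001
ssh user client001 authentication-type password
ssh user client001 service-type stelnet
ssh server port 2222
stelnet server enable
#
user-interface con 0
user-interface vty 0 9
 authentication-mode aaa
 protocol inbound ssh
"""

# Constructed sample: a Telnet-only VTY, the default state the procedure changes.
TELNET_CONFIG = """\
#
user-interface vty 0 4
 authentication-mode aaa
"""

# SSH authentication types that rely on AAA and therefore need a local user.
AAA_AUTH_TYPES = re.compile(r"authentication-type (password(?:-rsa|-dsa)?|all)")


def commands(config: str) -> List[str]:
    """Flatten the file into stripped command lines without "#" separators."""
    return [ln.strip() for ln in config.splitlines() if ln.strip() not in ("", "#")]


def vty_sections(config: str) -> Dict[str, List[str]]:
    """Map each "user-interface vty ..." line to its indented sub-commands."""
    sections: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line == "#":
            current = None                 # block separator ends the section
        elif line.startswith("user-interface vty"):
            current = line
            sections[current] = []
        elif raw[0].isspace() and current is not None:
            sections[current].append(line)
        elif not raw[0].isspace():
            current = None                 # another top-level command
    return sections


def audit_stelnet(config: str) -> List[Tuple[str, str]]:
    """Return (severity, message) findings: ERROR for settings that fall short
    of the STelnet procedure, INFO for server parameters left at defaults."""
    cmds = commands(config)
    out: List[Tuple[str, str]] = []
    if "stelnet server enable" not in cmds:
        out.append(("ERROR", "stelnet server enable missing: STelnet server disabled (default)"))
    for name, subs in vty_sections(config).items():
        if "authentication-mode aaa" not in subs:
            out.append(("ERROR", f"{name}: authentication-mode aaa missing (needed for protocol inbound ssh)"))
        if "protocol inbound ssh" not in subs:
            out.append(("ERROR", f"{name}: protocol inbound ssh missing, interface still accepts Telnet (default)"))
    # Password-based SSH users need the same local user with service-type ssh in the AAA view.
    ssh_locals = {c.split()[1] for c in cmds
                  if re.fullmatch(r"local-user \S+ service-type ssh", c)}
    ssh_users = set()
    for c in cmds:
        m = re.fullmatch(r"ssh user (\S+)(?: (.*))?", c)
        if not m:
            continue
        user, rest = m.group(1), m.group(2) or ""
        ssh_users.add(user)
        if AAA_AUTH_TYPES.fullmatch(rest) and user not in ssh_locals:
            out.append(("ERROR", f"ssh user {user}: AAA-based authentication but no "
                                 f"'local-user {user} service-type ssh' in the AAA view"))
    for user in sorted(ssh_users):
        if not any(c == f"ssh user {user} service-type {t}" for t in ("stelnet", "all") for c in cmds):
            out.append(("ERROR", f"ssh user {user}: service-type stelnet or all not configured (default: none)"))
    # Optional server parameters (Table 1-19), reported when left at their defaults.
    if not any(c.startswith("ssh server port ") for c in cmds):
        out.append(("INFO", "SSH server listens on the default port 22"))
    if "undo ssh server compatible-ssh1x enable" not in cmds:
        out.append(("INFO", "SSH1.X client compatibility left enabled (default)"))
    if not any(c.startswith("ssh server rekey-interval ") for c in cmds):
        out.append(("INFO", "server key pair is never updated (rekey-interval 0, default)"))
    return out
```

Run audit_stelnet() over a saved configuration file's text; the ERROR findings correspond to steps of the procedure that were not completed, the INFO findings to the optional server parameters.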

1.6.5 Common Operations After Login


After logging in to the Switch, you can perform user priority switching, terminal window locking,
and other operations as needed.

Establishing the Configuration Task


Before performing operations after login, familiarize yourself with the applicable environment,
complete the pre-configuration tasks, and obtain any data required for the configuration. This
will help you complete the configuration task quickly and correctly.

Applicable Environment
Configure user level switching and enable messaging between user interfaces to ensure that
operators can manage Switches safely.

Pre-configuration Tasks
Before performing operations after login, complete the following tasks:
l Connecting the terminal to the Switch

Data Preparations
Before performing operations after login, you need the following data:
No. | Data
1 | Password used for switching user levels
2 | Type and number of the user interface
3 | Contents of the message to be sent

Switching User Levels


A user who wants to upgrade from a lower to a higher level after logging in to the Switch must
have a password already configured.

Context
A password is required to increase user level. This prevents unauthorized users from gaining
access to high-level commands.


Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
super password [ level user-level ] [ cipher password ]

The password for switching user levels is configured.


By default, the password applies to user level 3.
Step 3 Run:
quit

Return to the user view.


Step 4 Run:
super [ level ]

User levels are switched.


By default, the level is 3.
Step 5 Follow the prompt and enter a password.
If the password entered is correct, the user can switch to a higher level. If an incorrect password
is entered three times in a row, the user is returned to the user view at the original level.
NOTE

When the super command is used to switch a user from a lower to a higher level, the system automatically
sends trap messages and records the switchover in a log. When a user is switched from a higher to a lower
level, the system only records the switchover in a log.

----End

Locking User Interfaces


If you must be away from your work area, you can lock the user interface on a terminal to prevent
unauthorized access.

Context
The user interface can be a console user interface or a VTY user interface.

Procedure
Step 1 Run:
lock

The user interface is locked.


Step 2 Follow the system prompts and input a password to unlock the user interface.
<Quidway> lock
Enter Password:
Confirm Password:

If the locking is successful, the system prompts that the user interface is locked.
You must enter the password previously set to unlock the user interface.
----End

Sending Messages to Other User Interfaces


Users logged in to different interfaces can send messages to each other.

Context
Users logged in to the Switch can send messages from their user interface to users on other user
interfaces.

Procedure
Step 1 Run:
send { all | ui-type ui-number | ui-number1 }

You can enable message sending between user interfaces.


Step 2 Follow the prompt to view the message to be sent. You can press Ctrl_Z or Enter to end the
display, and press Ctrl_C to abort the display.
----End

Displaying Login Users


You can query information about login users.

Context
User name, address, and authentication and authorization information can be queried.

Procedure
l

Run the display users [ all ] command to view information about logged-in users.
If all is configured, information about users logged in to all user interfaces is displayed.

----End

Clearing Logged-in Users


If you want to force a logged-in user to log out of the Switch, you can tear down the connection
between the Switch and the user.

Context
You can run the display users command to view users logging in to the Switch.

Procedure
Step 1 Run:
kill user-interface { ui-number | ui-type ui-number1 }

Online users are cleared.


Step 2 Based on displayed information, you can confirm whether specified logged-in users have been
cleared.
----End

Configuring Configuration Locking


When multiple users log in to the Switch to configure the device, configuration conflict may
occur. To prevent configuration conflict from affecting services, you can enable the function of
configuration locking. This allows only one user to configure the device at a time.

Context
Before configuring configuration locking, check whether the configuration set is locked by
another user. If no user locks the configuration set, you can exclusively lock the configuration.

Procedure
Step 1 Run:
configuration exclusive

The user obtains exclusive configuration access.


After enabling the configuration locking function, you explicitly obtain exclusive configuration
rights.
NOTE

This command can be run in any view.


You can run the display configuration-occupied user command to check information about the user who
locks the configuration set at the moment.
If the configuration set is already locked, a prompt message is displayed after this command is run.

Step 2 Run:
system-view

The system view is displayed.


Step 3 Run:
configuration-occupied timeout timeout-value

The timeout period for automatically unlocking the configuration set is set.
After the timeout period expires, the configuration set is automatically unlocked, allowing other
users to configure the device.
By default, the timeout period is 30s.
NOTE

l When a user without exclusive configuration access runs this command, the system prompts an error
message.
l If the configuration set is locked by another user, this command cannot be configured, and the system
prompts an error message.
l If the configuration set is locked by the current user, the current user can run this command.

----End

1.6.6 Configuration Examples


This section provides several examples describing how to configure users to log in through a
console port, Telnet, or STelnet. The configuration examples provide information and diagrams
for networking requirements, configuration notes, and configuration roadmaps.

Example for Configuring User Login Using a Console Port


This example describes how to configure user login using a console port. Login settings that
enable access to the Switch using a console port are configured on a PC.

Networking Requirements
If default values for console user interface parameters are modified, corresponding parameters
on the PC must be reset before another login to the Switch can be implemented.
Figure 1-17 Networking diagram of user login using a console port (PC connected to the Switch
through the console port)

Configuration Roadmap
1. Connect a PC to the Switch through a console port.
2. Set login parameters on the PC.
3. Log in to the Switch.
NOTE
In this example, a terminal emulator is used.

Data Preparation
Communication parameters for the PC (baud rate: 4800 bps, data bit: 6, parity: even, stop bit:
2, flow control mode: none)

Procedure
Step 1 Use a standard RS-232 cable to connect the serial port of the PC to the console port of the
Switch.
Step 2 Run the terminal emulator on the PC. As shown in Figure 1-18 to Figure 1-20, set the
communication parameters for the PC: set the transmission rate to 4800 bit/s, data bit to 6, parity
bit to even, stop bit to 2, and flow control mode to none.


Figure 1-18 Connection creation
Figure 1-19 Interface setting
Figure 1-20 Communication parameter settings

Step 3 Power on the Switch. The system starts an automatic configuration and a self-check. After the
self-check is complete, at the "Password:" prompt, enter the correct authentication password and
press Enter. If a prompt such as <Quidway> is displayed, the login to the system succeeds.
Then, you can enter a command to view the operating status of the Switch or configure the
Switch.
----End

Example for Configuring User Login Through Telnet


This example describes how to set parameters for using Telnet to log in to the Switch. In this
configuration example, a user logs in to the Switch after setting the VTY user interface and user
login parameters.

Networking Requirements
You can use a PC or other terminal to log in to a Switch on another network segment to perform
remote maintenance.


Figure 1-21 Networking diagram for login using Telnet (PC connected through the network to the
Switch, VLANIF 2, 10.137.217.221/16)

After a Telnet user logs in to the Switch in AAA authentication mode, the Telnet user is
prohibited from logging in to another Switch through the Switch.

Configuration Roadmap
1. Establish a physical connection.
2. Assign IP addresses to interfaces on the Switch.
3. Set parameters of the VTY user interface, including limits on call-in and call-out.
4. Set user login parameters.
5. Log in to the Switch.

Data Preparation
To complete the configuration, you need the following data:
l IP address of the PC
l IP address of the Switch: 10.137.217.221/16
l Maximum number of VTY user interfaces: 10
l Number of the ACL that is used to prohibit users from logging in to another Switch: 3001
l Timeout period for disconnecting from the VTY user interface: 20 minutes
l Number of lines that a terminal screen displays: 30
l Size of the history command buffer: 20
l Telnet user information (authentication mode: AAA, username: huawei, password: hello)

Procedure
Step 1 Respectively connect the PC and the Switch to the network.
Step 2 Configure a login address.
<Quidway> system-view
[Quidway] vlan 2
[Quidway-vlan2] quit
[Quidway] interface gigabitethernet 0/0/1
[Quidway-GigabitEthernet0/0/1] port hybrid pvid vlan 2
[Quidway-GigabitEthernet0/0/1] port hybrid untagged vlan 2
[Quidway-GigabitEthernet0/0/1] quit
[Quidway] interface vlanif 2
[Quidway-Vlanif2] ip address 10.137.217.221 255.255.0.0
[Quidway-Vlanif2] quit
[Quidway]

Step 3 Configure the VTY user interface on the Switch.


# Set the maximum number of VTY user interfaces.
[Quidway] user-interface maximum-vty 10

# Configure an ACL that is used to prohibit users from logging in to another Switch.
[Quidway] acl 3001
[Quidway-acl-adv-3001] rule deny tcp source any destination-port eq telnet
[Quidway-acl-adv-3001] quit
[Quidway] user-interface vty 0 9
[Quidway-ui-vty0-9] acl 3001 outbound

# Set terminal attributes of the VTY user interface.
[Quidway-ui-vty0-9] shell
[Quidway-ui-vty0-9] idle-timeout 20
[Quidway-ui-vty0-9] screen-length 30
[Quidway-ui-vty0-9] history-command max-size 20

# Set the user authentication mode of the VTY user interface.


[Quidway-ui-vty0-9] authentication-mode aaa
[Quidway-ui-vty0-9] quit

Step 4 Set user login parameters on the Switch.


# Specify the user authentication mode.
[Quidway] aaa
[Quidway-aaa] local-user huawei password cipher hello
[Quidway-aaa] local-user huawei service-type telnet
[Quidway-aaa] local-user huawei privilege level 3
[Quidway-aaa] quit

Step 5 Log in to the Switch.

Use the Windows command line to telnet to the Switch. The Telnet login window is shown in the
following figure.
Figure 1-22 Telnet login window on the PC

Press Enter, and then enter the username and password in the login window. If user
authentication succeeds, the user view prompt (<Quidway>) is displayed, indicating that you
have logged in and entered the user view. Note that Telnet sends the username and password in
clear text; the STelnet example that follows is the secure alternative.

Figure 1-23 Window after login of the Switch

----End

Configuration Files
Configuration file of the Switch
#
sysname Quidway
#
acl number 3001
rule 5 deny tcp destination-port eq telnet
#
vlan batch 2
#
interface Vlanif2
ip address 10.137.217.221 255.255.0.0
#
interface gigabitethernet 0/0/1
port hybrid pvid vlan 2
port hybrid untagged vlan 2
#
aaa
local-user huawei password cipher %$%$}twU5v;.BOKdou5Ry'L$-XOF%$%$
local-user huawei service-type telnet
local-user huawei privilege level 3
#
user-interface maximum-vty 10
user-interface con 0
user-interface vty 0 9
acl 3001 outbound
authentication-mode aaa
history-command max-size 20
idle-timeout 20 0
screen-length 30
#
return

Example for Configuring User Login by Using STelnet


This example describes how to configure user login through STelnet. After generating the local
key pair, configuring the SSH username and password, and enabling the STelnet service on the
SSH server, you can connect the STelnet client to the SSH server.
Networking Requirements
As shown in Figure 1-24, after the STelnet service is enabled on the SSH server, an STelnet
client can use any authentication mode (password, RSA, password-rsa, or all) to log in to the
SSH server.
This example uses the password authentication mode.
Figure 1-24 Networking diagram of configuring user login through STelnet (the PC reaches the SSH Server over the network; SSH Server VLANIF 2: 10.164.39.210/24)

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure a local key pair on the SSH server for secure data exchange between the STelnet
   client and the SSH server.
2. Configure a VTY user interface on the SSH server.
3. Configure an SSH user on the SSH server, which involves setting a user authentication mode,
   a username, and a password.
4. Enable the STelnet server function on the SSH server and configure a user service type.

Data Preparation
To complete the configuration, you need the following data:
- SSH user authentication mode: password, username: client001, password: huawei
- User level of client001: 3
- IP address of the SSH server: 10.164.39.210

Procedure
Step 1 Generate a local key pair on the server.
<Quidway> system-view
[Quidway] sysname SSH Server
[SSH Server] rsa local-key-pair create
The key name will be: Quidway_Host
The range of public key size is (512 ~ 2048).
NOTES: If the key modulus is greater than 512,
It will take a few minutes.
Input the bits in the modulus[default = 512]: 768
Generating keys...
.......++++++++++++
..........++++++++++++
...................................++++++++
......++++++++

NOTE

This example accepts a 768-bit modulus. Use 2048 bits, the largest size the command accepts;
RSA keys shorter than 1024 bits are no longer considered secure against factoring.

Step 2 Configure a VTY user interface.
[SSH Server] user-interface vty 0 4
[SSH Server-ui-vty0-4] authentication-mode aaa
[SSH Server-ui-vty0-4] protocol inbound ssh
[SSH Server-ui-vty0-4] quit

Step 3 Configure the SSH user client001 with the password huawei.
[SSH Server] aaa
[SSH Server-aaa] local-user client001 password cipher huawei
[SSH Server-aaa] local-user client001 privilege level 3
[SSH Server-aaa] local-user client001 service-type ssh
[SSH Server-aaa] quit

Step 4 Enable the STelnet service on the SSH server.
[SSH Server] ssh user client001 service-type stelnet
[SSH Server] stelnet server enable
[SSH Server] ssh authentication-type default password
[SSH Server] quit

Step 5 Verify the configuration.

# Log in to the device using PuTTY: specify 10.164.39.210 as the host and SSH as the connection
type.
Figure 1-25 PuTTY configuration

# At the PuTTY prompt, enter the username client001 and the password huawei. On the first
connection PuTTY shows the server's host key fingerprint; compare it with the key generated in
Step 1 before accepting it, otherwise password authentication protects nothing.
Figure 1-26 Logging in to the device using PuTTY

----End

Configuration Files
- SSH server configuration file

#
sysname SSH Server
#
vlan batch 2
#
interface Vlanif2
ip address 10.164.39.210 255.255.255.0
#
interface gigabitethernet 0/0/1
port hybrid pvid vlan 2
port hybrid untagged vlan 2
#
aaa
local-user client001 password cipher %$%$PoPK$x&v~12^g\0]Y$u3"'{r%$%$
local-user client001 privilege level 3
local-user client001 service-type ssh
#
stelnet server enable
ssh user client001 authentication-type password
ssh user client001
ssh user client001 service-type stelnet
#
user-interface vty 0 4
authentication-mode aaa
protocol inbound ssh
#
return
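The two configuration files above are what an auditor actually reviews. The following Python script is an added example, not code from this guide or from Huawei: it parses VRP-style configuration text of the form shown in the Configuration Files sections and flags the login settings a security reviewer would question, namely VTY interfaces that still accept Telnet, a missing authentication-mode aaa, no inbound ACL, an overlong or disabled idle timeout, an SSH-only VTY without the STelnet server enabled, and local users whose service-type includes Telnet. The two configuration samples embedded in it are abridged copies of the Telnet and STelnet configuration files on this page; the idle-timeout threshold and the finding texts are the example's own assumptions.

```python
"""Audit Huawei VRP-style configuration files for weak remote-login settings.

Added example, not code from the AC6605 guide or from Huawei. It parses the
"Configuration Files" blocks of the Telnet and STelnet examples above and lists
what a reviewer would flag. Thresholds and finding texts are this example's own.
"""
import re

MAX_IDLE_MINUTES = 10  # assumption: longest acceptable VTY idle timeout

# Constructed input: the Telnet example's configuration file, abridged.
TELNET_CONFIG = r"""
#
aaa
 local-user huawei password cipher %$%$}twU5v;.BOKdou5Ry'L$-XOF%$%$
 local-user huawei service-type telnet
#
user-interface maximum-vty 10
user-interface vty 0 9
 acl 3001 outbound
 authentication-mode aaa
 idle-timeout 20 0
#
"""

# Constructed input: the STelnet example's configuration file, abridged.
STELNET_CONFIG = r"""
#
aaa
 local-user client001 password cipher %$%$PoPK$x&v~12^g\0]Y$u3"'{r%$%$
 local-user client001 service-type ssh
#
stelnet server enable
ssh user client001 service-type stelnet
#
user-interface vty 0 4
 authentication-mode aaa
 protocol inbound ssh
#
"""


def parse_config(text):
    """Return (global_lines, vty_blocks, users): vty_blocks is a list of
    (range_label, [sub-commands]); users maps a username to its attributes."""
    global_lines, vty_blocks, users = [], [], {}
    current = None  # VTY block whose sub-commands we are inside, if any
    for raw in text.splitlines():
        line = raw.strip()
        if line in ("", "#", "return"):
            current = None  # '#' terminates a block in VRP config files
            continue
        m = re.match(r"user-interface vty (\d+)(?: (\d+))?$", line)
        if m:
            current = (m.group(1) + ("-" + m.group(2) if m.group(2) else ""), [])
            vty_blocks.append(current)
            continue
        m = re.match(r"local-user (\S+) (.+)$", line)
        if m:
            users.setdefault(m.group(1), set()).add(m.group(2))
        elif current is not None and not line.startswith("user-interface"):
            current[1].append(line)
        else:
            current = None  # any other top-level command ends the VTY block
            global_lines.append(line)
    return global_lines, vty_blocks, users


def audit(text):
    """Return the list of findings for one configuration file."""
    global_lines, vty_blocks, users = parse_config(text)
    findings, ssh_only = [], False
    for label, lines in vty_blocks:
        where = "vty " + label
        if any(x.startswith("protocol inbound ssh") for x in lines):
            ssh_only = True
        else:
            findings.append(where + ": Telnet accepted (no 'protocol inbound ssh')")
        if not any(x.startswith("authentication-mode aaa") for x in lines):
            findings.append(where + ": authentication-mode is not aaa")
        if not any(re.match(r"acl \d+ inbound", x) for x in lines):
            findings.append(where + ": no inbound ACL, any source reaches the login prompt")
        idle = next((x for x in lines if x.startswith("idle-timeout")), None)
        if idle is None:
            findings.append(where + ": idle-timeout not explicitly set")
        else:
            mins, secs = (idle.split()[1:] + ["0"])[:2]  # 'idle-timeout M [S]'
            total = int(mins) * 60 + int(secs)
            if total == 0:
                findings.append(where + ": idle-timeout 0 0 disables the timeout")
            elif total > MAX_IDLE_MINUTES * 60:
                findings.append("%s: idle-timeout %d s exceeds %d minutes" % (where, total, MAX_IDLE_MINUTES))
    if ssh_only and "stelnet server enable" not in global_lines:
        findings.append("VTY is SSH-only but 'stelnet server enable' is missing")
    for name, attrs in sorted(users.items()):
        if any("telnet" in a.split() for a in attrs if a.startswith("service-type")):
            findings.append("user %s: service-type permits Telnet (cleartext)" % name)
    return findings


if __name__ == "__main__":
    for cfg in (TELNET_CONFIG, STELNET_CONFIG):
        print("\n".join(audit(cfg)) or "no findings")
```

Against the Telnet configuration the script reports the open Telnet service, the 20-minute idle timeout, the missing inbound ACL and the Telnet-enabled user; against the STelnet configuration only the missing inbound ACL and the unset idle timeout remain. Feed it a `display current-configuration` capture to audit a live device.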

1.7 Managing the File System


The file system manages the files and directories on the storage devices of the Switch. It can
move or delete a file or directory, or display the contents of a file.

1.7.1 File System Overview


The Switch uses the file system to manage all files.

File System
The file system manages files and directories on the storage devices. It can create, delete, modify,
or rename a file or directory, or display the contents of a file.
The file system has two functions: managing storage devices and managing the files that are
stored on those devices.

Managing Files Using the File System


After logging in to the Switch by using the console port, Telnet, or STelnet, you can manage
storage devices, directories, and files.
- Storage devices
  Storage devices are hardware devices for storing data. Different products support different
  storage devices. Currently, the AC6605 supports the flash memory.
- Files
  A file is a resource for storing and managing data.
- Directories
  A directory is a logical container that the system uses to organize files.

Methods of File Management


You can use FTP, SFTP, or FTPS to manage files.

Managing Files Using FTP


FTP is a standard application protocol based on the TCP/IP protocol suite. It is used to transfer
files between local clients and remote servers. FTP uses two TCP connections to copy a file
from one system to another. The TCP connections are usually established in client-server mode,
one for control (the server port number is 21) and the other for data transmission (the server
port number is 20). Neither connection is encrypted; see SFTP and FTPS below for the secure
alternatives.
- Control connection: carries commands from the client to the server and replies from the
  server to the client, minimizing the transmission delay.
- Data connection: transmits data between the client and server, maximizing the throughput.

FTP has two file transfer modes:
- Binary mode: is used to transfer program files, such as .app, .bin, and .btm files.
- ASCII mode: is used to transfer text files, such as .txt, .bat, and .cfg files.

The device provides the following FTP functions:
- FTP client: Users can use the terminal emulator or the Telnet program to connect PCs to
  the device, and run the ftp command to establish a connection between the device and a
  remote FTP server to access and operate files on the server.
- FTP server: Users can use the FTP client program to log in to the device and operate files
  on the device. Before users log in, the network administrator must configure an IP address
  for the FTP server.

Managing Files Using SFTP


SFTP uses SSH to ensure secure file transfer. On one hand, SFTP allows remote users to securely
log in to the device to manage and transfer files. On the other hand, the device can function
as an SFTP client and log in to a remote server to transfer files securely.
When the SFTP server fails, or the connection between the server and the client fails, the
client needs to detect the fault promptly and release the connection. To make this possible,
configure the interval at which the client sends Keepalive packets when it receives no packets,
and the maximum number of consecutive Keepalive packets the server may leave unanswered:
- If the client does not receive any packet within the specified interval, it sends a Keepalive
  packet to the server.
- If the number of unanswered Keepalive packets exceeds the specified maximum, the client
  releases the connection.

Managing Files Using FTPS

FTPS is an extension of FTP that adds SSL support. By using SSL to authenticate the client and
server and to encrypt the data in transit, FTPS allows devices to be managed securely.
Traditional FTP has no security mechanism: it transmits data, including usernames and
passwords, in plain text. If the FTP server is configured with login usernames and passwords,
the server can authenticate clients, but the clients cannot authenticate the server, and
transmitted data is easily tampered with. An SSL policy can be configured on the FTP server to
address this. SSL provides data encryption, identity authentication, and message integrity
verification, so it secures both the connection and the FTP server.
By default, a user cannot log in to the device using FTPS. To log in to the device using FTPS,
perform the following steps:
- Log in to the device through the console port and load a digital certificate into the
  sub-directory named security of the system directory on the FTPS server.
- Install FTP client software that supports SSL on the PC.

1.7.2 Managing Files Using the File System


You can use the file system to manage storage devices, directories, and files.

Establishing the Configuration Task


Before using the file system to manage files, familiarize yourself with the applicable
environment, complete the pre-configuration tasks, and obtain any data required for the
configuration. This will help you complete the configuration tasks quickly and correctly.

Applicable Environment
Use the file system to manage files or directories on the Switch. If the Switch is unable to save
or read data, use the file system to repair the faulty storage device.

Pre-configuration Tasks
Before logging in to the file system to manage files, complete the following tasks:
- Connecting the client with the server correctly

Data Preparation
To manage files by logging in to the file system, you need the following data:
- Storage device name
- Directory name
- File name

Managing Storage Devices


When a storage device file system on the Switch does not function properly, you must repair
and format the file system before managing the storage device.

Context
When the file system on a storage device fails, the terminal of the Switch prompts you to rectify
the fault.
You can format a storage device if you are unable to repair the file system or do not need any
data saved on the storage device. After a storage device is formatted, the files and directories
on it are cleared and cannot be restored.

CAUTION
Formatting storage devices can lead to data loss. Exercise caution when performing this
operation.

Procedure
- Run:
  fixdisk device-name

  A storage device with file system problems is repaired.

  NOTE

  If, after running this command, the prompt still says the system should be repaired, there
  may be damage to the physical storage medium.

- Run:
  format device-name

  The storage device is formatted.


NOTE

If the storage device does not work after you run this command, there may be a hardware fault.

----End

Managing Directories
You can manage directories to store files in logical hierarchy.

Context
You can manage directories by changing or displaying directories, displaying files in directories
or sub-directories, and creating or deleting directories.

Procedure
- Run:
  cd directory

  The working directory is changed.

- Run:
  pwd

  The current directory is displayed.

- Run:
  dir [ /all ] [ filename | flash: ]

  A list of files and sub-directories in the directory is displayed. Either an absolute path or
  a relative path can be used.

- Run:
  mkdir directory

  The directory is created.

- Run:
  rmdir directory

  The directory is deleted.

----End

Managing Files
You can log in to the file system to view, delete, or rename files on the Switch.

Context
- Managing files includes: displaying contents, copying, moving, renaming, compressing,
  deleting, undeleting, deleting files in the recycle bin, running files in batches, and
  configuring prompt modes.
- You can run the cd directory command to enter the directory you want from the current
  directory.

Procedure
- Run:
  more file-name [ offset ] [ all ]

  The content of a file is displayed.

  Specify parameters in the more command for file viewing options:
  - more file-name displays the contents of the text file named file-name screen by screen.
    Press the spacebar on the terminal to display the next screen. Two preconditions must be
    met for screen-by-screen display:
    - The value configured by the screen-length screen-length temporary command must be
      greater than 0.
    - The total number of lines in the file must be greater than the value configured by the
      screen-length command.
  - more file-name offset displays the contents of the file screen by screen, starting from
    the line specified by offset. Press the spacebar to display the next screen. Two
    preconditions must be met for screen-by-screen display:
    - The value configured by the screen-length screen-length command must be greater
      than 0.
    - The number of lines in the file minus offset must be greater than the value configured
      by the screen-length command.
  - more file-name all displays the entire file without pausing after each screen.
- Run:
  copy source-filename destination-filename

  The file is copied.

- Run:
  move source-filename destination-filename

  The file is moved.

- Run:
  rename source-filename destination-filename

  The file is renamed.

- Run:
  zip source-filename destination-filename

  The file is compressed.

- Run:
  delete [ /unreserved ] [ /quiet ] { filename | device-name }

  The file is deleted.

CAUTION
If you use the parameter [ /unreserved ] in the delete command, the file cannot be restored
after being deleted. Without it, the file is moved to the recycle bin, from which undelete can
recover it.

- Run:
  undelete filename

  The deleted file is recovered from the recycle bin.

- Run:
  reset recycle-bin [ filename ]

  Files in the recycle bin are permanently deleted. Use this command to reclaim the space held
  by deleted files; they cannot be recovered afterwards.

- Running Files in Batches

  You can process uploaded files in batches. The edited batch files need to be saved to a
  storage device on the Switch. You can create and run a batch file to implement routine tasks.
  1. Run:
     system-view

     The system view is displayed.
  2. Run:
     execute filename

     The batch file is executed.

- Configuring Prompt Modes

  The system displays prompts or warning messages when you operate the device (especially
  if these operations lead to data loss). If you need to change the prompt mode for file
  operations, you can configure the file system prompt mode.
  1. Run:
     system-view

     The system view is displayed.
  2. Run:
     file prompt { alert | quiet }

     The file system prompt mode is configured. The default prompt mode is alert.

  CAUTION
  If the prompt mode is set to quiet, no prompt appears when data is lost due to
  inappropriate operating procedures.
----End
1.7.3 Managing Files Using FTP


FTP can transmit files between local and remote hosts. It is widely used for version upgrade,
log downloading, file transmission, and configuration saving.

Establishing the Configuration Task


Before using FTP to manage files, familiarize yourself with the applicable environment,
complete the pre-configuration tasks, and obtain any data required for the configuration. This
will help you complete the configuration task quickly and correctly.

Applicable Environment
When an FTP client logs in to a Switch serving as an FTP server, the user can transfer files
between the client and the server.

Pre-configuration Tasks
Before using FTP to manage files, complete the following task:
- Connecting the FTP client to the server

Data Preparation
To use FTP to manage files, you need the following data:
- FTP username and password, and authorized FTP file directory name
- (Optional) Listening port number specified on the FTP server
- (Optional) Source IP address or source interface of the FTP server
- (Optional) Timeout period for disconnection from the FTP server
- IP address or host name of the FTP server

Configuring a Local FTP User


You can configure a user authorization mode and an authorized directory for FTP users to access.
Unauthorized users cannot access the specified directory, reducing security risks.

Context
To use FTP to manage files, you must configure a local username and a password on the
Switch and specify a service type and the directories that can be accessed.
Perform the following operations on the Switch that functions as the FTP server:

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
set default ftp-directory directory

The default FTP working directory is configured.


NOTE

The configuration in this step takes effect only with TACACS users.

Step 3 Run:
aaa

The AAA view is displayed.


Step 4 Run:
local-user user-name password cipher password

The local user name and password are configured.


Step 5 Run:
local-user user-name service-type ftp

The FTP service type is configured.


Step 6 Run:
local-user user-name privilege level level

The local user level is set.


NOTE

The local user level must be set to 3 or higher.

Step 7 Run:
local-user user-name ftp-directory directory

The authorized directory for the FTP user is configured.


----End

(Optional) Specifying a Port Number for the FTP Server

You can configure or change the listening port number of the FTP server. A non-default port
keeps the server off the list of well-known ports that opportunistic scans and automated attacks
try first; it does not hide the port from a full port scan, so combine it with an FTP ACL and
strong credentials rather than relying on it alone.

Context
The default listening port number for an FTP server is 21. Users can log in to the Switch directly
by using the default listening port number. Attackers can also target the default listening port
to launch attacks that consume bandwidth and affect server performance, preventing valid users
from accessing the server. Changing the FTP server listening port number reduces this exposure.
NOTE

If the FTP server is not enabled, change the FTP port as required.
If the FTP server is enabled, run the undo ftp server command to disable it, and then change
the FTP port.
Do as follows on the Switch that serves as the FTP server:

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
ftp server port port-number

The port number of the FTP server is configured.


Once a new listening port number is configured, the FTP server interrupts all existing FTP
connections and begins to use the new listening port.
----End

Enabling the FTP Server


You must enable an FTP sever on the Switch before using FTP to manage files.

Context
The FTP server is disabled by default on the Switch. It must be enabled before FTP can be used.
Do as follows on the Switch that serves as the FTP server:

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
ftp server enable

The FTP server is enabled.


NOTE

When file operations between clients and the Switch are complete, run the undo ftp server command to
disable the FTP server function. This protects Switch security.

----End

(Optional) Configuring the FTP Server Parameters


FTP server parameters include the FTP server source address and the timeout period for FTP
connections.
Context
- You can configure a source IP address for the FTP server. FTP clients can then reach the
  server only at this address, which limits the server's exposure.
- You can configure the timeout period for FTP connections on the FTP server. When the
  timeout period for an FTP connection expires, the system terminates the connection to
  release resources.

Do as follows on the Switch that serves as the FTP server:

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
ftp server-source { -a ip-address | -i interface-type interface-number }

The source IP address or source interface of the FTP server is configured.

After this is set, clients must connect to the configured source address; connections to the
Switch's other addresses are refused.
Step 3 Run:
ftp timeout minutes

The timeout period for the FTP server is configured.


If the client is idle for the configured time, the connection to the FTP server is terminated.
By default, the timeout value is 30 minutes.
----End

(Optional) Configuring an FTP ACL

After an FTP ACL is configured, only the specified clients can access the Switch.

Context
When the Switch functions as an FTP server, you can configure an ACL so that only the clients
that match its rules can access the FTP server.
Do as follows on the Switch that serves as the FTP server:

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
acl acl-number

The ACL view is displayed.


Step 3 Run:
rule [ rule-id ] { deny | permit } [ fragment | logging | source { source-address
source-wildcard | any } | time-range time-name ] *

The ACL rule is configured.


NOTE

FTP supports only basic ACLs (ACL numbers 2000 to 2999), which match on source address only.

Step 4 Run:
quit

The system view is displayed.


Step 5 Run:
ftp acl acl-number

The basic FTP ACL is configured.


----End
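Both the outbound ACL 3001 of the Telnet example and the basic ACL that ftp acl accepts use the rule syntax shown above. The following Python module is an added example, not code from this guide or from Huawei: it parses that rule syntax, applies Huawei wildcard-mask semantics (a 0 bit must match, a 1 bit is ignored, the opposite of a subnet mask, so 0.0.255.255 means a /16), enforces that a basic ACL matches on source only, and evaluates a candidate connection against the rules in listed order. ACL 3001 is copied from the Telnet example; the basic ACL 2001 and the addresses tested are constructed. The ACL number ranges and the permit-by-default action for unmatched packets are assumptions to verify against your device.

```python
"""Evaluate Huawei VRP-style ACL rules against candidate connections.

Added example, not code from the AC6605 guide or from Huawei. Supports the
rule syntax used on this page: advanced ACL 3001 (bound outbound on the VTY
interfaces in the Telnet example) and the basic ACL that 'ftp acl' accepts.
Assumptions: 2000-2999 is basic and 3000-3999 advanced (standard VRP ranges);
a packet matching no rule is permitted (verify the default on your device).
The fragment, logging and time-range options are not supported.
"""
import ipaddress
import re

PORT_NAMES = {"telnet": 23, "ssh": 22, "ftp": 21, "ftp-data": 20}  # names 'eq' accepts

RULE_RE = re.compile(
    r"rule(?: (?P<id>\d+))? (?P<action>permit|deny)"
    r"(?: (?P<proto>tcp|udp|ip))?"
    r"(?: source (?P<src>any|\S+ \S+))?"
    r"(?: destination (?P<dst>any|\S+ \S+))?"
    r"(?: destination-port eq (?P<dport>\S+))?$"
)


def wildcard_match(addr, base, wildcard):
    """Huawei wildcard: a 0 bit must match, a 1 bit is a don't-care (inverse of a mask)."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return a & care == b & care


def parse_rule(text):
    """Turn one 'rule ...' line into a dict; raises ValueError on unsupported syntax."""
    m = RULE_RE.match(text.strip())
    if m is None:
        raise ValueError("unsupported rule syntax: " + text.strip())
    r = m.groupdict()
    for key in ("src", "dst"):  # 'any' and absent both mean 'no constraint'
        r[key] = None if r[key] in (None, "any") else tuple(r[key].split())
    if r["dport"] is not None:
        r["dport"] = PORT_NAMES.get(r["dport"]) or int(r["dport"])
    return r


def parse_acl(text):
    """Parse an 'acl number N' block into ('basic'|'advanced', [rules])."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    num = int(re.match(r"acl(?: number)? (\d+)$", lines[0]).group(1))
    kind = "basic" if 2000 <= num <= 2999 else "advanced" if 3000 <= num <= 3999 else None
    if kind is None:
        raise ValueError("ACL %d is neither basic nor advanced" % num)
    rules = [parse_rule(ln) for ln in lines[1:]]
    if kind == "basic" and any(r["proto"] or r["dst"] or r["dport"] for r in rules):
        raise ValueError("basic ACL %d may only match on source address" % num)
    return kind, rules


def evaluate(rules, src, dst, proto="tcp", dport=None, default="permit"):
    """Return the action of the first matching rule, in the listed (rule-ID) order."""
    for r in rules:
        if r["proto"] not in (None, "ip", proto):
            continue
        if r["src"] and not wildcard_match(src, *r["src"]):
            continue
        if r["dst"] and not wildcard_match(dst, *r["dst"]):
            continue
        if r["dport"] is not None and r["dport"] != dport:
            continue
        return r["action"]
    return default


# Constructed input: ACL 3001 as it appears in the Telnet example's configuration file.
VTY_OUTBOUND_ACL = """
acl number 3001
 rule 5 deny tcp destination-port eq telnet
"""

# Constructed input: a basic ACL of the kind 'ftp acl' accepts (not on the page).
FTP_ACL = """
acl number 2001
 rule 5 permit source 10.137.0.0 0.0.255.255
 rule 10 deny source any
"""


def outbound_telnet_allowed(src, dst):
    """Would a Telnet session started from the Switch's VTY reach dst through ACL 3001?"""
    _, rules = parse_acl(VTY_OUTBOUND_ACL)
    return evaluate(rules, src, dst, "tcp", 23) == "permit"


def ftp_client_allowed(src):
    """Would an FTP client at src get past the basic ACL bound with 'ftp acl 2001'?"""
    kind, rules = parse_acl(FTP_ACL)
    assert kind == "basic"  # 'ftp acl' accepts only basic ACLs
    return evaluate(rules, src, "10.137.217.221", "tcp", 21) == "permit"


if __name__ == "__main__":
    print("telnet hop from VTY:", outbound_telnet_allowed("10.137.217.221", "10.137.1.1"))
    print("FTP from 10.137.5.9:", ftp_client_allowed("10.137.5.9"))
    print("FTP from 192.0.2.7:", ftp_client_allowed("192.0.2.7"))
```

The basic-ACL check in parse_acl is the same restriction the NOTE above states: a rule with a protocol, destination or port in an ACL numbered 2000 to 2999 is rejected before it can be bound with ftp acl.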

Accessing the System by Using FTP


After the FTP server is configured, you can use FTP to access the Switch from a PC and manage
the files on the Switch.

Context
You can use either the Windows command line prompt or third-party software to log in to the
Switch. This example uses the Windows command line prompt.
Do as follows on the PC:

Procedure
Step 1 Open the Windows CLI.
Step 2 Run the ftp ip-address command to log in to the Switch using FTP.
Enter a username and password at the prompt, and press Enter. When the FTP client prompt, such
as ftp>, is displayed, you are in the working directory of the FTP server.

Figure 1-27 Using FTP to log in to the device

----End

Managing Files Using FTP Commands


After logging in to the Switch that functions as an FTP server using FTP, you can upload and
download files to and from the Switch, or manage the directories on the Switch.

Context
After logging in to the FTP server, you can perform the following operations:
- Configuring the data type for the file
- Uploading or downloading files
- Creating directories or deleting directories on the FTP server
- Displaying information about a specific remote directory or a file of the FTP server, or
  deleting a specific file from the FTP server

After logging in to the FTP server and entering the FTP client view, you can perform the
following operations:

Procedure
- Configuring the data type and transmission mode for a file

  Run:
  ascii or binary

  The data type of the file to be transmitted is ascii or binary.


NOTE

FTP supports ASCII and binary files. The difference between the two is:
- In ASCII transmission mode, line endings are converted: the sender writes each line with a
  carriage return and line feed (CRLF), and the receiver converts them to its own local format.
- In binary transmission mode, bytes are transferred without any conversion or formatting.
An FTP transmission mode can be set for each client. The system uses ASCII transmission mode
by default, but the ascii and binary commands switch a client between the two modes. ASCII
mode is used to transfer text files; binary mode is used to transfer programs, system software
(such as files with the name extension .cc, .bin, and .pat), and database files. Transferring a
program file in ASCII mode corrupts it, so switch to binary before uploading an upgrade image.

- Uploading or downloading files

  Upload or download a file.
  Run:
  put local-filename [ remote-filename ]

  The local file is uploaded to the remote FTP server.

  Run:
  get remote-filename [ local-filename ]

  The file is downloaded from the FTP server and saved as the local file.

  Upload or download multiple files.
  Run the mput local-filenames command to upload multiple local files to the remote FTP
  server in one operation.
  Run the mget remote-filenames command to download multiple files from the FTP server and
  save them locally.

  NOTE

  - When you are uploading or downloading files and the prompt command has been run in the
    FTP client view to enable the file transmission prompt function, the system asks you to
    confirm each upload or download.
  - If the prompt command is run again in the FTP client view, the file transmission prompt
    function is disabled.

- Running one or more of the following commands to manage directories

  Run:
  cd pathname

  The working directory on the remote FTP server is changed.

  Run:
  pwd

  The current working directory on the FTP server is displayed.

  Run:
  lcd [ local-directory ]

  The directory of the FTP client is displayed or changed.

  Run:
  mkdir remote-directory

  A directory is created on the FTP server.

  Run:
  rmdir remote-directory

  A directory is removed from the FTP server.

- Running one or more of the following commands to manage files

  Run:
  ls [ remote-filename ] [ local-filename ]

  The specified directory or file on the remote FTP server is listed. If no directory is
  given, the working directory is searched for the file.

  Run:
  dir [ remote-filename ] [ local-filename ]

  The specified directory or file on the remote FTP server is listed in detail. If no
  directory is given, the working directory is searched for the file.

  Run:
  delete remote-filename

  The specified file on the FTP server is deleted. If no directory is given, the working
  directory is searched for the file.

  For ls and dir, when local-filename is set, the listing is saved to that local file.
NOTE

If you need more information about FTP operations, run the help [ command ] command in the
Windows CLI.

----End
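The ASCII/binary note in the procedure above is the one that bites during upgrades. The following Python script is an added example, not code from this guide or from Huawei: it models the RFC 959 ASCII-type translation (the sender converts its local line ending to CRLF, the receiver converts CRLF to its own) and runs a constructed configuration text and a constructed fragment of an image file through an upload from a Windows PC and a download to one, in both modes. The line-ending conventions assumed are CRLF for the PC and LF for the device; real clients differ in detail, but the effect is the same: text survives, images do not, and a test between two hosts with the same convention does not reveal it.

```python
"""Model the FTP ASCII-type line-ending translation that corrupts program files.

Added example, not code from the AC6605 guide or from Huawei. Simplified model
of RFC 959 ASCII type: the sender rewrites its local line ending to CRLF on the
wire and the receiver rewrites CRLF to its own local line ending; image (binary)
type copies bytes unchanged. Assumed conventions: LF on the device, CRLF on the
Windows PC. The sample text and the 'firmware' bytes are constructed.
"""
CRLF, LF = b"\r\n", b"\n"

# Constructed samples: a small configuration file, and an image fragment that
# contains 0x0A and 0x0D 0x0A byte sequences, as any real image will somewhere.
CONFIG_TEXT = b"#\nsysname Quidway\n#\nreturn\n"
FIRMWARE_BYTES = bytes([0x7F, 0x45, 0x4C, 0x46, 0x0A, 0x00, 0x0D, 0x0A, 0x01, 0x0A])


def ascii_transfer(data, sender_eol, receiver_eol):
    """ASCII type: sender_eol becomes CRLF on the wire, CRLF becomes receiver_eol on arrival."""
    on_wire = data.replace(sender_eol, CRLF)
    return on_wire.replace(CRLF, receiver_eol)


def transfer(data, mode, sender_eol, receiver_eol):
    """Move data from sender to receiver in 'ascii' or 'binary' mode."""
    if mode == "binary":
        return data  # image type: no translation at all
    return ascii_transfer(data, sender_eol, receiver_eol)


def intact_after_upload(data, mode):
    """True if a PC (CRLF) -> device (LF) upload leaves the bytes unchanged."""
    return transfer(data, mode, CRLF, LF) == data


def intact_after_download(data, mode):
    """True if a device (LF) -> PC (CRLF) download leaves the bytes unchanged."""
    return transfer(data, mode, LF, CRLF) == data


def same_text(a, b):
    """True if a and b differ only in line-ending convention (fine for .cfg, not for .cc)."""
    return a.replace(CRLF, LF) == b.replace(CRLF, LF)


def report(data, label):
    """One line per sample: which direction/mode combinations keep it byte-identical."""
    return "%s: upload ascii=%s binary=%s, download ascii=%s binary=%s" % (
        label,
        intact_after_upload(data, "ascii"), intact_after_upload(data, "binary"),
        intact_after_download(data, "ascii"), intact_after_download(data, "binary"))


if __name__ == "__main__":
    print(report(CONFIG_TEXT, "config text"))
    print(report(FIRMWARE_BYTES, "firmware bytes"))
    # The trap: between two LF systems the ASCII translation is its own inverse,
    # so a trial transfer between two Unix hosts never shows the corruption.
    print("same-EOL round trip intact:",
          transfer(FIRMWARE_BYTES, "ascii", LF, LF) == FIRMWARE_BYTES)
```

The configuration text comes back with different line endings after an ASCII download but is the same text; the image fragment loses a byte on ASCII upload (0x0D 0x0A collapses to 0x0A) and gains three on ASCII download (each 0x0A becomes 0x0D 0x0A). Binary mode leaves both untouched, which is why the page pairs .cc, .bin and .pat files with binary mode.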

Checking the Configuration


After the configuration is complete, you can view the configuration and status of the FTP server
as well as login information about FTP users.

Prerequisites
All configurations for managing files using FTP are complete.

Procedure
- Run the display ftp-server command to check the configuration of the FTP server.
- Run the display ftp-users command to check which users are currently logged in to the FTP
  server.

----End

Example
Run the display ftp-server command to view the status of the FTP server.
<Quidway> display ftp-server
  FTP server is running
  Max user number                    5
  User count                         1
  Timeout value(in minute)           30
  Listening Port                     1080
  Acl number                         0
  FTP SSL policy
  FTP Secure-server is stopped

Run the display ftp-users command to view the username, host, port number, idle time, and
authorized directory of each logged-in FTP user.
<Quidway> display ftp-users
  username   host            port   idle   topdir
  zll        100.2.150.226   1383   3      flash:

1.7.4 Managing Files Using SFTP


SFTP allows you to log in to the Switch securely from a remote device to manage files. This
makes transmission of data to the remote end more secure.

Establishing the Configuration Task


Before using SFTP to manage files, familiarize yourself with the applicable environment,
complete the pre-configuration tasks, and obtain any data required for the configuration. This
will help you complete the configuration task quickly and correctly.

Applicable Environment
SSH authenticates the client (and lets the client verify the server's host key) and encrypts data
in both directions, which guarantees secure data transmission over untrusted networks. SFTP (the
SSH File Transfer Protocol) runs as a subsystem of an SSH connection, so it inherits the
authentication and encryption of SSH. Unlike FTP, SFTP never transmits user names, passwords,
or file contents in plain text.

Pre-configuration Tasks
Before using SFTP to manage files, complete the following task:
l Configuring reachable routes between the terminal and the device

Data Preparation
Before using SFTP to manage files, you need the following data.

No.  Data
1    Maximum number of VTY user interfaces, (optional) ACL for restricting incoming and outgoing
     calls on VTY user interfaces, connection timeout period of terminal users, number of rows
     displayed in a terminal screen, size of the history command buffer, user authentication mode,
     username, and password
2    Username, password, authentication mode, and service type of an SSH user, remote public RSA
     or DSA key pair allocated to the SSH user, and SFTP working directory of the SSH user
3    (Optional) Number of the port monitored by the SSH server
4    (Optional) Interval for updating the key pair on the SSH server
5    Name of the SSH server, number of the port monitored by the SSH server, preferred encryption
     algorithm from the SFTP client to the SSH server, preferred encryption algorithm from the SSH
     server to the SFTP client, preferred HMAC algorithm from the SFTP client to the SSH server,
     preferred HMAC algorithm from the SSH server to the SFTP client, preferred key exchange
     algorithm, name of the outgoing interface, and source address
6    Directory name and file name

Configuring VTY User Interface


To allow a user to log in to the device by using SFTP, you need to configure attributes of the
VTY user interface.

Context
Before a user logs in to the device by using SFTP, the user authentication mode in the VTY user
interface must be set. Otherwise, the user cannot log in to the device.
In general, the default values of other VTY user interface attributes do not need to be modified.
These attributes can be changed if necessary. For details, see Configuring the VTY User
Interface.

Configuring SSH for the VTY User Interface


Before users can log in to the Switch using SFTP, you must configure VTY user interfaces to
support SSH.

Context
By default, user interfaces support Telnet. If no user interface is configured to support SSH, you
cannot log in to the Switch using SFTP. Setting protocol inbound ssh on a VTY user interface also
stops it from accepting Telnet, which is desirable because Telnet carries credentials in clear text.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
user-interface [ vty ] first-ui-number [ last-ui-number ]

The VTY user interface is displayed.


Step 3 Run:
authentication-mode aaa

The AAA authentication mode is configured.


Step 4 Run:
protocol inbound ssh

The VTY user interface is configured to support SSH.


----End

Configuring an SSH User and Specifying SFTP as One of Service Types


Before logging in to the Switch using SFTP, you must configure an SSH user, configure the
Switch to generate a local RSA or DSA key pair, configure a user authentication mode, and
specify a service type and authorized directory for the SSH user.

Context
l There are six SSH user authentication modes: RSA, DSA, password, password-RSA,
  password-DSA, and all. Password authentication depends on Authentication,
  Authorization and Accounting (AAA). Before a user logs in to the device in password,
  password-RSA, or password-DSA authentication mode, you must create a local user with
  the specified username in the AAA view.
l The device must be configured to generate local RSA or DSA key pairs, which are a key
  part of the SSH login process. If an SSH user logs in to an SSH server in password
  authentication mode, configure the server to generate a local RSA or DSA key pair. If an
  SSH user logs in to an SSH server in RSA or DSA authentication mode, configure both the
  server and the client to generate local RSA or DSA key pairs.
l RSA and DSA are the two public-key algorithms that the device supports for SSH
  authentication. DSA is a signature-only algorithm (it does not encrypt), and some SSH
  implementations support only one of the two algorithms, so choose the algorithm that the
  client software supports. When the RSA or DSA authentication mode is used, the priority
  of the user depends on the priority of the VTY user interface used for login.
NOTE

l Password-RSA authentication requires the user to pass both password authentication and RSA
  authentication.
l Password-DSA authentication requires the user to pass both password authentication and DSA
  authentication.
l All authentication accepts either password authentication or public-key (RSA or DSA)
  authentication.

Do as follows on the Switch that functions as an SSH server:

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
ssh user user-name

An SSH user is created. If password, password-RSA, or password-DSA authentication is
configured for the SSH user, create the same user in the AAA view and set the local user
access type to SSH.
1. Run the aaa command to enter the AAA view.
2. Run the local-user user-name password cipher password command to configure a local
   username and a password.
3. Run the local-user user-name service-type ssh command to set the local user access type
   to SSH.

By default, a local user can use any access type. You can specify an access type to allow only
users configured with the specified access type to log in to the Switch.

Step 3 Run:
local-user user-name privilege level level

The SSH user level is set.

NOTE

The SSH user level must be set to 3 or higher.
Step 4 Generate a local RSA or DSA key pair.

l Run the rsa local-key-pair create command to generate the local RSA key pair.
NOTE

l You must run the rsa local-key-pair create command to generate a local key pair before
  completing other SSH configurations. The minimum length of the server key pair and the host key
  pair is 512 bits, and the maximum length is 2048 bits.
l After a local key pair is generated, you can run the display rsa local-key-pair public command
  to view the public key in the local key pair.

l Run the dsa local-key-pair create command to generate the local DSA key pair.
NOTE

l You must run the dsa local-key-pair create command to generate a local key pair before
  completing other SSH configurations. The length of the server key pair and the host key pair can
  be 512 bits, 1,024 bits, or 2,048 bits. By default, the length of the key pair is 512 bits.
l After a local key pair is generated, you can run the display dsa local-key-pair public command
  to view the public key in the local key pair.

Do not accept the 512-bit default in production: 512-bit RSA and DSA keys are within reach of
practical factoring and discrete-logarithm attacks, and a compromised host key lets an attacker
impersonate the server to every SFTP client. Choose the 2048-bit length for either algorithm.

Step 5 Run:
ssh user user-name authentication-type { password | rsa | password-rsa | all | dsa
| password-dsa }

The authentication mode for SSH users is configured.

Perform the following as required:
l Configure password authentication for the SSH user.
  Run:
  ssh user user-name authentication-type password

  Password authentication is configured for the specified user.

  Run:
  ssh authentication-type default password

  Password authentication is configured as the default for all SSH users.

  For local authentication or HWTACACS authentication, if the number of SSH users is small,
  use the former command; if the number of SSH users is large, use the latter command to
  simplify the configuration.
l Configure RSA authentication or DSA authentication for the SSH user.
  Configure RSA authentication for the SSH user.
  1. Run the ssh user user-name authentication-type rsa command to configure RSA
     authentication for the SSH user.
  2. Run the rsa peer-public-key key-name command to enter the RSA public key view.
  3. Run the public-key-code begin command to enter the public key edit view.
  4. Enter hex-data to edit the public key.

  NOTE

  l In the public key edit view, enter the public key as hexadecimal digits in the format produced
    by the SSH client software that generated the key pair. For details, see the help information of
    the client software.
  l The RSA public key generated on the client is transferred to the server by copying it from the
    client and pasting it into the public key edit view of the device that functions as the SSH
    server.

  Configure DSA authentication for the SSH user.
  1. Run the ssh user user-name authentication-type dsa command to configure DSA
     authentication for the SSH user.
  2. Run the dsa peer-public-key key-name encoding-type { der | pem } command to
     enter the DSA public key view.
  3. Run the public-key-code begin command to enter the public key edit view.
  4. Enter hex-data to edit the public key.

  After the preceding operations are complete, do the following as required to quit the public
  key edit view.
  1. Run the public-key-code end command to quit the public key edit view.
  2. Run the peer-public-key end command to quit the public key view and return to the
     system view.
  NOTE

  l If the specified hex-data is invalid, the public key is not generated after the peer-public-key
    end command is run.
  l If the specified key-name was deleted in another view after step 2, the system prompts that the
    key does not exist after the peer-public-key end command is run, and the system view is
    displayed.

  3. Run the ssh user user-name assign { rsa-key | dsa-key } key-name command to
     bind the public key to the SSH user.
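The hex-data entered in the public key edit view is the client's public key in DER form written as hexadecimal digits. The following added example (not code from this guide or from the device software) converts an OpenSSH ssh-rsa public-key line into that form, grouped the way the edit view displays key codes. It assumes that the RSA peer-public-key view accepts the DER encoding of the PKCS#1 RSAPublicKey structure (SEQUENCE of modulus and public exponent); confirm this against the help of your client software, as the NOTE above directs, before relying on it. The sample key in the code is constructed from a fixed pattern and is not a real key.

```python
"""Convert an OpenSSH 'ssh-rsa' public key line into the hexadecimal key code that
is pasted into the public key edit view (public-key-code begin) of the SSH server.

Added example; not code from the AC6605 guide or the device software.
Assumption: the RSA peer-public-key view takes the DER encoding of the PKCS#1
RSAPublicKey structure, SEQUENCE { modulus INTEGER, publicExponent INTEGER },
written as hex digits. Standard library only.
"""
from __future__ import annotations
import base64
import struct


def _ssh_string(data: bytes) -> bytes:
    """RFC 4251 'string': 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def _ssh_mpint(value: int) -> bytes:
    """RFC 4251 'mpint': big-endian two's complement, so a positive value whose
    top bit is set needs a leading zero byte."""
    raw = value.to_bytes((value.bit_length() + 7) // 8, "big")
    if raw[0] & 0x80:
        raw = b"\x00" + raw
    return _ssh_string(raw)


def openssh_rsa_line(n: int, e: int, comment: str = "test-key") -> str:
    """Build an authorized_keys-style 'ssh-rsa AAAA... comment' line from (n, e)."""
    blob = _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)
    return "ssh-rsa " + base64.b64encode(blob).decode("ascii") + " " + comment


def parse_openssh_rsa(line: str) -> tuple[int, int]:
    """Parse an 'ssh-rsa' line into (n, e); raise ValueError on malformed input."""
    parts = line.split()
    if len(parts) < 2 or parts[0] != "ssh-rsa":
        raise ValueError("expected a line starting with 'ssh-rsa'")
    blob = base64.b64decode(parts[1], validate=True)
    fields, offset = [], 0
    while offset < len(blob):
        if offset + 4 > len(blob):
            raise ValueError("truncated length field")
        (length,) = struct.unpack(">I", blob[offset:offset + 4])
        offset += 4
        if offset + length > len(blob):
            raise ValueError("truncated string field")
        fields.append(blob[offset:offset + length])
        offset += length
    if len(fields) != 3 or fields[0] != b"ssh-rsa":
        raise ValueError("blob is not an ssh-rsa key (type, e, n)")
    return int.from_bytes(fields[2], "big"), int.from_bytes(fields[1], "big")


def _der_length(length: int) -> bytes:
    """DER length octets: short form below 0x80, else 0x80|count then the length bytes."""
    if length < 0x80:
        return bytes([length])
    body = length.to_bytes((length.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _der_integer(value: int) -> bytes:
    """DER INTEGER (tag 0x02) of a non-negative value, zero-padded to stay positive."""
    raw = value.to_bytes((value.bit_length() + 7) // 8, "big") or b"\x00"
    if raw[0] & 0x80:
        raw = b"\x00" + raw
    return b"\x02" + _der_length(len(raw)) + raw


def pkcs1_rsa_public_key_der(n: int, e: int) -> bytes:
    """DER of PKCS#1 RSAPublicKey ::= SEQUENCE { modulus INTEGER, publicExponent INTEGER }."""
    body = _der_integer(n) + _der_integer(e)
    return b"\x30" + _der_length(len(body)) + body


def vrp_key_code_lines(openssh_line: str, group: int = 8, per_line: int = 8) -> list[str]:
    """Hex key code in 8-digit groups, 8 groups per line, to be entered one line
    at a time in the public key edit view."""
    n, e = parse_openssh_rsa(openssh_line)
    digits = pkcs1_rsa_public_key_der(n, e).hex().upper()
    groups = [digits[i:i + group] for i in range(0, len(digits), group)]
    return [" ".join(groups[i:i + per_line]) for i in range(0, len(groups), per_line)]


# Constructed sample: a 1024-bit number built from a fixed pattern (not a real
# product of two primes) with the usual exponent 65537, enough to exercise the encoding.
SAMPLE_N = int("C0FFEE" * 42 + "C0FF", 16)
SAMPLE_E = 65537
SAMPLE_LINE = openssh_rsa_line(SAMPLE_N, SAMPLE_E, "operator@mgmt-pc")

if __name__ == "__main__":
    print(SAMPLE_LINE)
    print("\n".join(vrp_key_code_lines(SAMPLE_LINE)))
```

Run the script against the line that ssh-keygen wrote to the client's .pub file and paste the printed lines one at a time after public-key-code begin. The parser rejects keys of any other type and truncated blobs, so a key that does not load on the device is more likely a format mismatch than a copy error.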

Step 6 (Optional) Configure the key update interval, authentication timeout, and retry limit of
the SSH server.

1. Run:
   ssh server rekey-interval interval

   The interval for updating the server key pair is configured.

   By default, the interval for updating the SSH server key pair is 0, indicating that the key
   pair is never updated.
2. Run:
   ssh server timeout seconds

   The timeout period for SSH authentication is set.

   By default, the timeout period is 60 seconds.
3. Run:
   ssh server authentication-retries times

   The maximum number of SSH authentication retries is set.

   By default, the maximum number of retries is 3. A low retry limit together with the
   authentication timeout limits how fast an attacker can guess passwords against the server.

Step 7 (Optional) Authorize SSH users using command lines.

Run:
ssh user user-name authorization-cmd aaa

Command line authorization is configured for the specified SSH user.
After configuring command line authorization for an SSH user who uses RSA authentication, you
must also configure AAA authorization. Otherwise, the command line authorization for the SSH
user does not take effect.

Step 8 Run:
ssh user username service-type { SFTP | all }

The service type of the SSH user is set to SFTP or all.

By default, the service type of the SSH user is not configured. Grant only SFTP to a user who
needs file transfer but no interactive shell; all also allows STelnet login.

Step 9 Run:
ssh user username sftp-directory directoryname

The authorized directory of the SFTP service for the SSH user is configured.
By default, the authorized directory of the SFTP service for the SSH user is flash:, the root of
the device's file system. Point users who only exchange files at a dedicated subdirectory so
that they cannot read or replace the system software or configuration files.
----End

Enabling the SFTP Service

The SFTP service must be enabled before it can be used.

Context
By default, the SFTP server function is not enabled on the Switch. You can use SFTP to establish
connections with the Switch only after the SFTP server function is enabled on it.
Do as follows on the Switch that serves as an SSH server:

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
sftp server enable

The SFTP service is enabled.


By default, the SFTP service is disabled.
----End

(Optional) Configuring the SFTP Server Parameters


You can configure a device to be compatible with earlier versions of the SSH protocol, configure
or change the listening port number of an SSH server, set an interval at which the key pair of
the SSH server is updated.

Context
Table 1-21 lists server parameters.
Table 1-21 Server parameters

Earlier SSH version compatibility: There are two SSH versions: SSH1.X (earlier than SSH2.0) and
SSH2.0. SSH2.0 has an extended structure and supports more authentication modes and key
exchange methods than SSH1.X. SSH2.0 also supports more advanced services such as SFTP. The
AC6605 supports SSH versions ranging from 1.3 to 2.0. SSH1.X has known protocol weaknesses,
so keep compatibility with it disabled unless a legacy client that cannot speak SSH2.0 must
connect.

Listening port number of an SSH server: The default listening port number of an SSH server is 22.
Users can log in to the device by using the default listening port number. Attackers may probe
the default listening port, consuming bandwidth, degrading server performance, and preventing
authorized users from accessing the server. Changing the listening port number reduces the
noise from automated scans aimed at port 22, but it is not an access control: a port scan still
finds the service, so also restrict which hosts may reach the VTY user interfaces with an ACL.

Interval for updating the SSH server key pair: If this interval is set, the SSH server key pair is
regenerated periodically, which limits how long a leaked server key remains useful.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Perform one or both of the operations shown in Table 1-22 as needed.
Table 1-22 Configurations of server parameters

Earlier SSH version compatibility: Run the ssh server compatible-ssh1x enable command.
By default, an SSH server running SSH2.0 is compatible with SSH1.X. To prevent clients running
SSH1.3 to SSH1.99 from logging in, run the undo ssh server compatible-ssh1x enable command
to disable support for earlier SSH protocol versions.

Listening port number of the SSH server: Run the ssh server port port-number command.
If a new listening port is set, the SSH server cuts off all established STelnet and SFTP
connections, and uses the new port number to listen to connection requests. By default, the
listening port number is 22.

Interval for updating the SSH server key pair: Run the ssh server rekey-interval rekey-interval
command.
By default, the interval is 0, indicating that the key pair is never updated.

----End

Accessing the System Using SFTP

After the configuration is complete, you can use SFTP to log in to the Switch from a user terminal
and manage files on the Switch.

Context
Third-party software can be used to access the Switch from the user terminal using SFTP. The
example here uses the third-party software OpenSSH and the Windows CLI.
Install OpenSSH on the user terminal and then do as follows:
NOTE

For details on how to install OpenSSH, see the software installation guide.
For details on how to use OpenSSH commands to log in to the Switch, see the help documentation for
the software.

Procedure
Step 1 Open the Windows CLI.
Step 2 Run the OpenSSH sftp command to log in to the Switch in SFTP mode, giving the SSH user
name, the address of the Switch, and the listening port if it was changed from the default 22.
On the first connection the client shows the fingerprint of the server's host key; verify it out
of band (for example, on the console of the Switch) before accepting it, because accepting an
unverified host key defeats server authentication.
When a command line prompt, such as sftp>, is displayed in the SFTP client view, you have
entered the working directory of the SFTP server.

Figure 1-28 Using SFTP to log in to the device

----End

Managing Files Using SFTP

You can log in to the SSH server from an SFTP client to manage directories and files on the SSH
server.

Context
After logging in to the SFTP server, you can perform the following operations:
l Displaying the SFTP client command help
l Managing directories on the SFTP server
l Managing files on the SFTP server

After logging in to the SFTP server and entering the SFTP client view, you can perform one or
more of the following operations.

Procedure
l Run:
  help [ all | command-name ]

  The SFTP client command help is displayed.

l Perform one or multiple of the following directory operations as required.

  Run:
  cd [ remote-directory ]

  The current working directory is changed.

  Run:
  pwd

  The current working directory is displayed.

  Run:
  dir [ path ] or ls [ path ]

  A list of files in the specified directory is displayed.

  Run:
  rmdir remote-directory &<1-10>

  The specified directories on the server are deleted.

  Run:
  mkdir remote-directory

  A directory is created on the server.

l Perform one or multiple of the following file operations as required.

  Run:
  rename old-name new-name

  The name of the specified file on the server is changed.

  Run:
  get remote-filename [ local-filename ]

  The file on the remote server is downloaded.

  Run:
  put local-filename [ remote-filename ]

  The local file is uploaded to the remote server.

  Run:
  remove remote-filename &<1-10>

  The specified files on the server are removed.

----End

Checking the Configuration

After using SFTP to manage files, you can view SSH user information and global configurations
for the SSH server.

Prerequisites
The configurations of SSH users are complete.

Procedure
l Run the display ssh user-information username command on the SSH server to check
  information about the SSH user.
l Run the display ssh server status command on the SSH server to check its global
  configurations.
l Run the display ssh server session command on the SSH server to check information about
  connection sessions with SSH clients.

----End

Example
Run the display ssh user-information username command. The output shows that the SSH user
named client001 is authenticated by password.
[Quidway] display ssh user-information client001
  User Name             : client001
  Authentication-type   : password
  User-public-key-name  :
  User-public-key-type  : RSA
  Sftp-directory        :
  Service-type          : sftp
  Authorization-cmd     : Yes

If no SSH user is specified, information about all SSH users configured on the SSH server is
displayed.
Run the display ssh server status command to view global configurations of an SSH server.
<Quidway> display ssh server status
  SSH version                         : 1.99
  SSH connection timeout              : 60 seconds
  SSH server key generating interval  : 2 hours
  SSH Authentication retries          : 5 times
  SFTP server                         : Enable
  Stelnet server                      : Enable
  Scp server                          : Enable
  SSH server port                     : 55535

An SSH version of 1.99 means that the server still accepts SSH1.X clients as well as SSH2.0
clients; it changes to 2.0 once compatibility with earlier versions is disabled.

NOTE

If the default listening port (22) is in use, the SSH server port line is not displayed.

Run the display ssh server session command to view information about sessions between the
SSH server and SSH clients.
<Quidway> display ssh server session
  Session 2:
  Conn                : VTY 4
  Version             : 2.0
  State               : started
  Username            : client002
  Retry               : 1
  CTOS Cipher         : aes128-cbc
  STOC Cipher         : aes128-cbc
  CTOS Hmac           : hmac-md5
  STOC Hmac           : hmac-md5
  Kex                 : diffie-hellman-group-exchange-sha1
  Service Type        : sftp
  Authentication Type : password

The CTOS and STOC fields show what the client and server actually negotiated. Here the session
runs AES-128 in CBC mode with HMAC-MD5 integrity; where the client offers them, prefer a CTR
cipher mode and an HMAC based on SHA-1 or SHA-2, and check the negotiated values here after
changing the preferred algorithms on the client.
1.7.5 Performing File Operations by Means of FTPS


FTPS that adds support for SSL is an extension to the commonly used FTP. Using SSL to
authenticate the identities of the client and server and encrypt data to be transmitted, FTPS
implements security management of devices.


Establishing the Configuration Task


Before using FTPS to manage files, familiarize yourself with the applicable environment,
complete the pre-configuration tasks, and obtain any data required for the configuration. This
will help you complete the configuration task quickly and correctly.

Applicable Environment
Traditional FTP has no security mechanism: it transmits user names, passwords, and data in plain
text. If the FTP server is configured with login user names and passwords, the FTP server can
authenticate clients, but the clients cannot authenticate the server, and transmitted data can be
read or tampered with on the way. Configuring an SSL policy on the FTP server addresses this.
SSL provides data encryption, identity authentication, and message integrity verification, so
the client can verify that it is talking to the genuine server and data in transit cannot be
read or modified undetected.
As shown in Figure 1-29, an SSL policy is configured on the FTP server. After a digital
certificate is loaded and the FTPS server function is enabled on the server, you can log in to the
server from a terminal on which SSL-capable FTP client software is installed to securely
transfer files between the terminal and the server.
Figure 1-29 Networking diagram for a PC to log in to an FTPS server (PC connected over the
network to the FTP-Server, whose VLANIF10 address is 192.168.0.1/24)

Pre-configuration Tasks
Before using FTPS to manage files, complete the following tasks:
l Configuring an FTP user on the FTPS server
l Loading a digital certificate to the sub-directory named security of the system directory
  on the FTPS server
l Installing the SSL-capable FTP client software on the PC

Data Preparation
Before using FTPS to manage files, you need the following data.

No.  Data
1    SSL policy name and digital certificate
2    IP address of the FTPS server

Configuring an SSL Policy and Loading a Digital Certificate


A client uses a digital certificate to authenticate the identity of a server for secure communication.

Context
The FTPS server needs to obtain a digital certificate from a CA. The client that will access the
server needs the CA certificate from the CA to verify the validity of the digital certificate of the
server.
NOTE

A CA is responsible for issuing and managing digital certificates. The digital certificate to be loaded to the
FTPS server must be obtained from a corresponding CA.

A digital certificate can be in the PEM, ASN1, or PFX format. Details are as follows:
l The PEM format is most commonly used. The file name extension of a PEM digital certificate
  is .pem. PEM is a Base64 text encoding of the DER data, so it is suitable for text transmission
  between systems.
l The ASN1 format is a universal digital certificate format. The file name extension of an ASN1
  digital certificate is .der. It is the binary DER encoding of the certificate and is the default
  format for most browsers.
l The PFX format is a universal digital certificate format. The file name extension of a PFX
  digital certificate is .pfx. PFX (PKCS#12) is a binary container that bundles the certificate
  with its private key and can be converted into the PEM or ASN1 format.

Perform the following steps on the device that functions as an FTPS server:

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
ssl policy policy-name

An SSL policy is configured and the SSL policy view is displayed.


Step 3 Load a digital certificate.
Run one of the following commands as required:
l Run:
  certificate load pem-cert cert-filename key-pair { dsa | rsa } key-file key-filename auth-code auth-code

  A PEM digital certificate is loaded.

l Run:
  certificate load asn1-cert cert-filename key-pair { dsa | rsa } key-file key-filename

  An ASN1 digital certificate is loaded.

l Run:
  certificate load pfx-cert cert-filename key-pair { dsa | rsa } { mac mac-code | key-file key-filename } auth-code auth-code

  A PFX digital certificate is loaded.

l Run:
  certificate load pem-chain cert-filename key-pair { dsa | rsa } key-file key-filename auth-code auth-code

  A PEM digital certificate chain is loaded.

NOTE

Only one certificate or certificate chain can be loaded to an SSL policy. If a certificate or certificate chain
has been loaded, unload the certificate or certificate chain before loading a new certificate or certificate
chain.

----End
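The certificate load command has a separate keyword for each of the three file formats described above, and a file loaded with the wrong keyword is rejected. The following added example (not code from this guide or from the device) identifies which format a file is in from its contents rather than its extension, converts PEM to DER when the ASN1 variant is wanted, and maps the format to the keyword used in Step 3. It assumes that PEM is recognised by its BEGIN/END armor, that a DER certificate is a SEQUENCE whose first element is the tbsCertificate SEQUENCE, and that a PFX file is a SEQUENCE whose first element is the PKCS#12 version INTEGER 3. The sample files are constructed with filler contents and are not real certificates.

```python
"""Identify whether a certificate file is PEM, ASN1 (DER) or PFX, so the matching
'certificate load' keyword (pem-cert, asn1-cert, pfx-cert) is used, and convert
PEM to DER when the ASN1 variant is wanted.

Added example; not code from the AC6605 guide. Standard library only.
Assumptions: PEM has BEGIN/END armor; a DER certificate is SEQUENCE { SEQUENCE
tbsCertificate, ... }; a PFX file is SEQUENCE { INTEGER version(3), ... }.
"""
from __future__ import annotations
import base64
import re

_PEM_RE = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.DOTALL)


def _der_header(data: bytes, offset: int = 0) -> tuple[int, int, int]:
    """Return (tag, content_length, content_offset) for the TLV at offset.
    Raise ValueError if the length encoding is malformed or overruns the data."""
    if offset + 2 > len(data):
        raise ValueError("truncated DER header")
    tag, first, pos = data[offset], data[offset + 1], offset + 2
    if first < 0x80:
        length = first
    else:
        count = first & 0x7F
        if count == 0 or count > 4 or pos + count > len(data):
            raise ValueError("bad DER length")
        length = int.from_bytes(data[pos:pos + count], "big")
        pos += count
    if pos + length > len(data):
        raise ValueError("DER length exceeds data")
    return tag, length, pos


def pem_to_der(pem: bytes) -> bytes:
    """Strip the PEM armor of the first block and Base64-decode it."""
    m = _PEM_RE.search(pem)
    if not m:
        raise ValueError("no PEM block found")
    return base64.b64decode(b"".join(m.group(2).split()), validate=True)


def detect_cert_format(data: bytes) -> str:
    """Return 'PEM', 'ASN1', 'PFX' or 'UNKNOWN' for raw file contents."""
    if data.lstrip().startswith(b"-----BEGIN"):
        return "PEM" if _PEM_RE.search(data) else "UNKNOWN"
    try:
        tag, length, pos = _der_header(data)
        if tag != 0x30 or pos + length != len(data):
            return "UNKNOWN"  # not exactly one top-level SEQUENCE
        inner_tag, inner_len, inner_pos = _der_header(data, pos)
    except ValueError:
        return "UNKNOWN"
    if inner_tag == 0x02 and data[inner_pos:inner_pos + inner_len] == b"\x03":
        return "PFX"   # PKCS#12: PFX ::= SEQUENCE { version INTEGER (3), ... }
    if inner_tag == 0x30:
        return "ASN1"  # X.509: Certificate ::= SEQUENCE { tbsCertificate SEQUENCE, ... }
    return "UNKNOWN"


LOAD_KEYWORD = {"PEM": "pem-cert", "ASN1": "asn1-cert", "PFX": "pfx-cert"}


def load_keyword_for(data: bytes) -> str:
    """Map the detected format to the certificate load keyword of Step 3."""
    fmt = detect_cert_format(data)
    if fmt not in LOAD_KEYWORD:
        raise ValueError("file is not a PEM, ASN1 or PFX certificate")
    return LOAD_KEYWORD[fmt]


def _der_sequence(*children: bytes) -> bytes:
    """Wrap already-encoded children in a DER SEQUENCE (used to build the samples)."""
    body = b"".join(children)
    if len(body) < 0x80:
        return b"\x30" + bytes([len(body)]) + body
    enc = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return b"\x30" + bytes([0x80 | len(enc)]) + enc + body


# Constructed samples shaped like a certificate and a PFX file, with filler
# contents. They are not real certificates and would not verify anywhere.
SAMPLE_DER_CERT = _der_sequence(
    _der_sequence(b"\x02\x01\x02" + b"\x04\x81\x90" + bytes(144)),  # "tbsCertificate"
    _der_sequence(b"\x06\x03\x2a\x03\x04"),                         # "signatureAlgorithm"
    b"\x03\x02\x00\x00")                                            # "signatureValue"
SAMPLE_PEM_CERT = (b"-----BEGIN CERTIFICATE-----\n"
                   + base64.encodebytes(SAMPLE_DER_CERT)
                   + b"-----END CERTIFICATE-----\n")
SAMPLE_PFX = _der_sequence(b"\x02\x01\x03",
                           _der_sequence(b"\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x07\x01"))

if __name__ == "__main__":
    for name, data in (("pem", SAMPLE_PEM_CERT), ("der", SAMPLE_DER_CERT), ("pfx", SAMPLE_PFX)):
        print(name, detect_cert_format(data), load_keyword_for(data))
```

A truncated download is classified as UNKNOWN because the outer SEQUENCE length no longer matches the file size, which is worth checking before copying the file to the security directory of the device, since the error from the load command itself says nothing about why the file was rejected.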

Enabling the FTPS Function


After a device is configured with an SSL policy and enabled with the FTPS server function, the
device functions as an FTPS server to provide SSL-based FTP services.

Context
NOTE

Before enabling the FTPS server function, disable the FTP server function.

Perform the following steps on the device that functions as an FTPS server:

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
ftp secure-server ssl-policy policy-name

An SSL policy is configured for the device.


Step 3 Run:
ftp secure-server enable

The FTPS server function is enabled.


By default, the FTPS server function is disabled.
----End

Accessing an FTPS Server

You can use a PC with SSL-capable FTP client software (an FTPS client) to access an FTPS server
and securely manage files on it.
Install the SSL-capable FTP client software on the PC, import the CA certificate that issued the
server certificate so that the client can verify the server, and then log in to the FTPS server
from the PC.

Checking the Configuration


After the configuration of login to an FTPS server from a user terminal is complete, you can
view the SSL policy, digital certificate, and status of the FTPS server.

Prerequisites
The configurations of login to the devices by using FTPS are complete.

Procedure
l Run the display ssl policy command to check the configured SSL policy and loaded digital
  certificate.
l Run the display ftp-server command to check the SSL policy name and the FTPS server
  status.

----End

Example
Run the display ssl policy command on the FTPS server. The command output shows detailed
information about the configured SSL policy and loaded digital certificate.
<Quidway> display ssl policy
SSL Policy Name: ftp_server
Policy Applicants: FTP secure-server
Key-pair Type: RSA
Certificate File Type: PEM
Certificate Type: certificate
Certificate Filename: 1_servercert_pem_rsa.pem
Key-file Filename: 1_serverkey_pem_rsa.pem
Auth-code: 123456
MAC:
CRL File:
Trusted-CA File:

The auth code that protects the private key file is echoed in clear text by this command, so treat
terminal logs and configuration backups that contain it as sensitive.

Run the display ftp-server command on the FTPS server. The command output shows that the
plain FTP server is stopped, the SSL policy name is ftp_server, and the FTPS server is running.
<Quidway> display ftp-server
  FTP server is stopped
  Max user number             5
  User count                  1
  Timeout value(in minute)    30
  Listening port              21
  Acl number                  0
  FTP server's source address 0.0.0.0
  FTP SSL policy              ftp_server
  FTP Secure-server is running
1.7.6 Configuration Examples


The examples in this section show how to use FTP, SFTP or FTPS to access the system and
manage files. These configuration examples explain networking requirements and provide
configuration roadmaps and configuration notes.

Example for Managing Files Using FTP

This example shows how to use FTP to manage files. In the example, a user logs in to the Switch
from a PC using FTP and uploads files from the PC to the Switch.

Networking Requirements
As shown in Figure 1-30, the local PC functions as the FTP client, with the IP address
10.1.1.1/24.
The Switch acts as the FTP server, and the IP address of the FTP server is 10.1.1.2/24.
The PC uploads files to the Switch.
FTP carries the user name, password, and file contents in plain text, so use this setup only on a
trusted management network; for transfers over untrusted networks use SFTP or FTPS as
described in the preceding sections.
Figure 1-30 Networking diagram of the Switch functioning as the FTP server (PC as FTP client,
connected through an L2 switch to the Switch as FTP server over Ethernet in VLAN 10)

Switch      Interface             VLANIF interface    IP address
FTP Server  GigabitEthernet0/0/1  VLANIF 10           10.1.1.2/24

Configuration Roadmap
The configuration roadmap is as follows:
1. Set the FTP user name and password on the Switch that functions as the FTP server.
2. Log in to the Switch through FTP from the PC.
3. Upload files to the FTP server.

Data Preparation
To complete the configuration, you need the following data:
l IP address of the FTP server
l Name of the FTP user set as u1 and the password set as ftppwd on the server
l Correct path of the source file on the PC
l Name of the destination file and position where the destination files are located on the
  Switch

Procedure
Step 1 Create VLAN 10 on the Switch and assign the IP address 10.1.1.2/24 to VLANIF 10.
<Quidway> system-view
[Quidway] vlan 10
[Quidway-vlan10] quit
[Quidway] interface gigabitethernet 0/0/1
[Quidway-GigabitEthernet0/0/1] port hybrid pvid vlan 10
[Quidway-GigabitEthernet0/0/1] port hybrid untagged vlan 10
[Quidway-GigabitEthernet0/0/1] quit
[Quidway] interface vlanif 10
[Quidway-Vlanif10] ip address 10.1.1.2 24

Step 2 Start the FTP server on the Switch, and set the FTP user name to u1 and password to ftppwd.
[Quidway] ftp server enable
[Quidway] aaa
[Quidway-aaa] local-user u1 password cipher ftppwd
[Quidway-aaa] local-user u1 service-type ft
[Quidway-aaa] local-user u1 privilege level 15
[Quidway-aaa] local-user u1 ftp-directory flash:/
[Quidway-aaa] return

User u1 is given privilege level 15 and flash:/, the root of the device's file system, as its FTP
directory because the example uploads system software and the configuration file. An account
that only exchanges ordinary files should get a lower level and a dedicated subdirectory.

Step 3 On the PC, initiate a connection to the Switch with the user name u1 and the password
ftppwd.
Windows XP is used on the FTP client to illustrate the following operations.
C:\WINDOWS\Desktop> ftp 10.1.1.2
Connected to 10.1.1.2.
220 FTP service ready.
User (10.1.1.1:(none)): u1
331 Password required for u1
Password:
230 User logged in.
ftp>

Step 4 Set the file transfer mode to binary and set the local directory on the PC.
ftp> binary
200 Type set to I.
ftp> lcd c:\temp
Local directory now C:\temp.

Step 5 Upload d006.cc and vrpcfg.cfg from the PC to the Switch.
ftp> put d006.cc d006.cc
200 Port command okay.
150 Opening BINARY mode data connection for d006.cc.
ftp> put vrpcfg.cfg vrpcfg.cfg
200 Port command okay.
150 Opening BINARY mode data connection for vrpcfg.cfg.
ftp> quit
C:\WINDOWS\Desktop>

----End

Configuration Files
#
 sysname Quidway
#
 FTP server enable
#
vlan batch 10
#
interface Vlanif10
 ip address 10.1.1.2 255.255.255.0
#
interface GigabitEthernet0/0/1
 port hybrid pvid vlan 10
 port hybrid untagged vlan 10
#
aaa
 local-user u1 password cipher %$%$}twU5v;.BOKdou5Ry'L$-XOF%$%$
 local-user u1 privilege level 15
 local-user u1 ftp-directory flash:/
 local-user u1 service-type ftp
#
return

Example for Managing Files Using SFTP


This example shows how to use SFTP to manage files. In the example, a local key pair and a
username and password are configured on the SSH server for an SSH user. After SFTP services
are enabled on the server and the SFTP client is connected to the server, you can manage files
between the client and the server.

Networking Requirements
As shown in Figure 1-31, after SFTP services are enabled on the Switch functioning as an SSH
server, you can log in to the server from an SFTP client PC in password, RSA, password-rsa,
DSA, password-DSA or all authentication mode.
Configure a user to log in to the SSH server in password authentication mode.
Figure 1-31 Networking diagram for managing files using SFTP
[Figure: the PC reaches the SSH Server (VLANIF 2, 10.164.39.210/24) through the network.]

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure a local key pair on the SSH server to exchange data securely between the SFTP
   client and the SSH server.
2. Configure VTY user interfaces on the SSH server.
3. Configure an SSH user, including user authentication mode, username, password, and
   authorization directory.
4. Enable SFTP services on the SSH server and configure a user service type.

Data Preparation
To complete the configuration, you need the following data:
- SSH user authentication mode: password, username: client001, password: huawei
- User level of client001: 3
- IP address of the SSH server: 10.137.217.225

Procedure
Step 1 Configure a local key pair on the SSH server.
<Quidway> system-view
[Quidway] sysname SSH Server
[SSH Server] rsa local-key-pair create
The key name will be: Quidway_Host
The range of public key size is (512 ~ 2048).
NOTES: If the key modulus is greater than 512,
It will take a few minutes.
Input the bits in the modulus[default = 512]: 768
Generating keys...
.......++++++++++++
..........++++++++++++
...................................++++++++
......++++++++

Step 2 Configure VTY user interfaces on the SSH server.
[SSH Server] user-interface vty 0 4
[SSH Server-ui-vty0-4] authentication-mode aaa
[SSH Server-ui-vty0-4] protocol inbound ssh
[SSH Server-ui-vty0-4] quit

Step 3 Configure the SSH username and password on the SSH server.
[SSH Server] aaa
[SSH Server-aaa] local-user client001 password cipher huawei
[SSH Server-aaa] local-user client001 privilege level 3
[SSH Server-aaa] local-user client001 service-type ssh
[SSH Server-aaa] quit

Step 4 Enable SFTP and configure the user service type to be SFTP.
[SSH Server] sftp server enable
[SSH Server] ssh user client001 authentication-type password
[SSH Server] ssh user client001 service-type sftp

Step 5 Configure the authorization directory for the SSH user.
[SSH Server] ssh user client001 sftp-directory flash:

Step 6 Verify the configurations.
Figure 1-32 Access interface

----End

Configuration Files
- Configuration file of the SSH server
#
sysname SSH Server
#
vlan batch 10
#
aaa
local-user client001 password cipher %$%$PoPK$x&v~12^g\0]Y$u3"'{r%$%$
local-user client001 privilege level 3
local-user client001 service-type ssh
#
interface Vlanif10
ip address 10.137.217.225 255.255.255.0
#
interface GigabitEthernet0/0/1
port hybrid pvid vlan 10
port hybrid untagged vlan 10
#
sftp server enable
ssh user client001
ssh user client001 authentication-type password
ssh user client001 service-type sftp
ssh user client001 sftp-directory flash:
#
user-interface vty 0 4
authentication-mode aaa
protocol inbound ssh
#
return

Example for Performing File Operations by Means of FTPS


You can use a terminal on which the SSL-capable FTP client software is installed to log in to
an FTPS server to securely operate files transmitted between the terminal and the server.

Networking Requirements
Traditional FTP has no security mechanism: it transmits data in plain text. If the FTP
server is configured with login user names and passwords, the FTP server can authenticate
clients, but the clients cannot authenticate the server. Transmitted data can easily be tampered
with, which poses security threats. An SSL policy can be configured on the FTP server to improve security.
SSL provides data encryption, identity authentication, and message integrity verification,
improving data transmission security. In addition, SSL provides secure connections for the FTP
server, greatly improving security of the FTP server.
As shown in Figure 1-33, an SSL policy is configured on the FTP server. After a digital
certificate is loaded and the FTPS server function is enabled on the server, you can log in to the
server from a terminal on which the SSL-capable FTP client software is installed to securely
operate files transmitted between the terminal and the server.
Figure 1-33 Operating files using FTPS
[Figure: the PC reaches the FTP-Server (VLANIF10, 192.168.0.1/24) through the network.]

Configuration Roadmap
The configuration roadmap is as follows:
1. Upload a digital certificate.
   Upload the digital certificate saved on the PC to the FTP server.
2. Load the digital certificate.
   Copy the digital certificate from the system directory of the FTP server to the sub-directory
   named security, configure an SSL policy, and load the digital certificate.
3. Enable the FTPS server function.
4. Install the SSL-capable FTP client software on the PC.

Data Preparation
To complete the configuration, you need the following data:
- IP address of the FTP server
- FTP user name and password
- SSL digital certificate

Procedure
Step 1 Upload a digital certificate.
# Configure an IP address for the FTP server so that the PC and FTP server are reachable.
<Quidway> system-view
[Quidway] sysname FTP-Server
[FTP-Server] vlan 10
[FTP-Server-vlan10] quit
[FTP-Server] interface gigabitethernet0/0/1
[FTP-Server-GigabitEthernet0/0/1] port hybrid pvid vlan 10
[FTP-Server-GigabitEthernet0/0/1] port hybrid untagged vlan 10
[FTP-Server-GigabitEthernet0/0/1] quit
[FTP-Server] interface vlanif 10
[FTP-Server-Vlanif10] ip address 192.168.0.1 24
[FTP-Server-Vlanif10] quit

# Enable the FTP server function.
[FTP-Server] ftp server enable

# Configure the authentication information, authorization mode, and authorized directory for an
FTP user on the FTP server.
[FTP-Server] aaa
[FTP-Server-aaa] local-user huawei password cipher huawei
[FTP-Server-aaa] local-user huawei service-type ftp
[FTP-Server-aaa] local-user huawei privilege level 15
[FTP-Server-aaa] local-user huawei ftp-directory flash:
[FTP-Server-aaa] quit
[FTP-Server] quit

# Run the ftp ftp-server-address command at the Windows command prompt. Enter the correct
user name and password to set up an FTP connection to the FTP server, as shown in Figure
1-34.
Figure 1-34 Logging in to an FTP server from a user terminal

Upload the digital certificate saved on the user terminal to the FTP server, as shown in Figure
1-35.
Figure 1-35 Uploading a digital certificate

After the preceding configurations are complete, run the dir command on the FTP server. The
command output shows that the digital certificate has been successfully uploaded to the server.
<FTP-Server> dir
Directory of flash:/

  Idx  Attr     Size(Byte)  Date         Time(LMT)  FileName
    0  drw-              -  May 10 2011  05:05:40   src
    1  -rw-        524,575  May 10 2011  05:05:53   private-data.txt
    2  -rw-            446  May 10 2011  05:05:51   vrpcfg.zip
    3  -rw-          1,302  May 10 2011  05:32:05   1_servercert_pem_rsa.pem
    4  -rw-            951  May 10 2011  05:32:44   1_serverkey_pem_rsa.pem

304,292 KB total (303,770 KB free)

Step 2 Configure an SSL policy and load the digital certificate.


# Create a sub-directory named security and copy the digital certificate to this sub-directory.
<FTP-Server> mkdir security/
<FTP-Server> copy 1_servercert_pem_rsa.pem security/
<FTP-Server> copy 1_serverkey_pem_rsa.pem security/

After the preceding configurations are complete, run the dir command in the security
sub-directory on the FTP server. The command output shows that the digital certificate has been
successfully copied to the sub-directory.
<FTP-Server> cd security/
<FTP-Server> dir
Directory of flash:/security/

  Idx  Attr     Size(Byte)  Date         Time(LMT)  FileName
    0  -rw-          1,302  May 10 2011  05:44:34   1_servercert_pem_rsa.pem
    1  -rw-            951  May 10 2011  05:45:22   1_serverkey_pem_rsa.pem

304,292 KB total (303,766 KB free)

# Create an SSL policy and load the PEM digital certificate.
<FTP-Server> system-view
[FTP-Server] ssl policy ftp_server
[FTP-Server-ssl-policy-ftp_server] certificate load pem-cert 1_servercert_pem_rsa.pem key-pair rsa key-file 1_serverkey_pem_rsa.pem auth-code 123456
[FTP-Server-ssl-policy-ftp_server] quit

Step 3 Enable the FTPS server function.
NOTE
Before enabling the FTPS server function, disable the FTP server function.
[FTP-Server] undo ftp server
[FTP-Server] ftp secure-server ssl-policy ftp_server
[FTP-Server] ftp secure-server enable

Step 4 Install the SSL-capable FTP client software on the PC.


For details about the operation procedure, see the help document about the third-party software.
Step 5 Verify the configuration.
# Run the display ssl policy command on the FTPS server. The command output shows detailed
information about the loaded certificate.
[FTP-Server] display ssl policy
SSL Policy Name: ftp_server
Policy Applicants: FTP secure-server
Key-pair Type: RSA
Certificate File Type: PEM
Certificate Type: certificate
Certificate Filename: 1_servercert_pem_rsa.pem
Key-file Filename: 1_serverkey_pem_rsa.pem
Auth-code: 123456
MAC:
CRL File:
Trusted-CA File:

# Run the display ftp-server command on the FTPS server. The command output shows that
the configured SSL policy name is ftp_server and the FTPS server is running.
[FTP-Server] display ftp-server
  FTP server is stopped
  Max user number                      5
  User count                           1
  Timeout value(in minute)             30
  Listening port                       21
  Acl number                           0
  FTP server's source address          0.0.0.0
  FTP SSL policy                       ftp_server
  FTP Secure-server is running

You can establish a connection with the FTPS server using the SSL-capable FTP client software
and upload files to and download files from the server.
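The guide leaves the client side to third-party software. As an added example that is not part of this guide or of any Huawei client, the Python script below shows with the standard ftplib what an SSL-capable FTP client must do to obtain the protection described above: verify the server's certificate on AUTH TLS before sending the user name and password, then switch the data channel to PROT P. Host, port, account and the CA file name are placeholders; the CA file is assumed to be the certificate (or its issuer) from the server's SSL policy, exported to the PC.

```python
"""Explicit FTPS client that authenticates the server before sending credentials.

Added example, not from the AC6605 guide and not Huawei client software.
Placeholders: host, port, user, password and cafile are supplied by you.
"""
from __future__ import annotations

import ftplib
import ssl


def build_tls_context(cafile: str | None = None) -> ssl.SSLContext:
    """Server-authenticating context: CERT_REQUIRED plus hostname checking.
    The default context also refuses SSLv3 and TLS 1.0/1.1. With cafile=None
    the system trust store is used; for a self-issued device certificate pass
    the exported PEM file instead."""
    return ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=cafile)


def context_summary(ctx: ssl.SSLContext) -> dict[str, object]:
    """Small inspection helper so the policy of a context can be checked."""
    return {"verify": ctx.verify_mode.name, "check_hostname": ctx.check_hostname}


def make_ftps_client(cafile: str | None = None) -> ftplib.FTP_TLS:
    """Unconnected FTP_TLS instance; nothing is sent until connect()."""
    return ftplib.FTP_TLS(context=build_tls_context(cafile))


def list_directory(host: str, user: str, password: str,
                   cafile: str | None = None, port: int = 21) -> list[str]:
    """Connect, upgrade the control channel with AUTH TLS before USER/PASS,
    enable PROT P so file contents are encrypted too, and return a listing."""
    ftps = make_ftps_client(cafile)
    ftps.connect(host, port, timeout=15)
    ftps.auth()          # AUTH TLS: the server certificate is verified here;
                         # a failed verification raises before any login is sent
    ftps.login(user, password)
    ftps.prot_p()        # PROT P: data connections (listings, files) over TLS
    try:
        return ftps.nlst()
    finally:
        ftps.quit()


if __name__ == "__main__":
    # Inspect the policy offline; to talk to a server, call for example
    # list_directory("192.168.0.1", "huawei", "<password>", cafile="server-ca.pem")
    print(context_summary(build_tls_context()))
```

Calling `auth()` yourself, rather than relying on `login()` to do it, makes the order explicit: the TLS handshake (and therefore the certificate check) happens before the password leaves the PC, which is exactly the property plain FTP lacks.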
----End

Configuration Files
Configuration file of the FTPS server
#
sysname FTP-Server
#
FTP secure-server enable
ftp secure-server ssl-policy ftp_server
#
vlan batch 10
#
ssl policy ftp_server
certificate load pem-cert 1_servercert_pem_rsa.pem key-pair rsa key-file
1_serverkey_pem_rsa.pem auth-code 123456
#
aaa
authentication-scheme default
authorization-scheme default
accounting-scheme default
local-user huawei password cipher %$%$}twU5v;.BOKdou5Ry'L$-XOF%$%$
local-user huawei service-type ftp
local-user huawei privilege level 15
local-user huawei ftp-directory flash:/
#
interface Vlanif10
ip address 192.168.0.1 255.255.255.0
#
interface GigabitEthernet0/0/1
port hybrid pvid vlan 10
port hybrid untagged vlan 10
#
return

1.8 Configuring System Startup


When the Switch is powered on, system software starts and configuration files are loaded. To
ensure smooth running of the Switch, you need to manage system software and configuration
files efficiently.

1.8.1 System Startup Overview


When the Switch is powered on, system software starts and configuration files are loaded.


System Software
System software provides an operating system for the Switch. System software must be set up
correctly for the Switch to run properly and provide services.
The extension for the system software file is .cc. The file must be saved in the root directory of
the storage device.

Configuration Files
The configuration file holds the configuration that is loaded when the Switch starts, either at
the current startup or at the next startup.
The configuration file is a text file in the following format:
- The configuration file of V200R002 must begin with a message like "!Software Version
  V200R002C00."
- It is saved in the command format.
- To save space, default parameters are not saved.
- Commands are organized on the basis of the command view. All commands of the identical
  command view are grouped into a section. Every two command sections are separated by
  one or several blank lines or comment lines (beginning with "#").
- The sequence of command sections is global configuration, physical interface
  configuration, logic interface configuration, routing protocol configuration and so on.
- The filename extension of the configuration file must be .cfg or .zip, and the file must be
  stored in the root directory of a storage device.
NOTE
- The system can run a command with a maximum length of 512 characters, including a command
  in an incomplete form.
- If a command is entered in incomplete form, it is saved in complete form. Therefore, the
  command length in the configuration file may exceed 512 characters. When the system restarts, these
  commands cannot be restored.
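The following Python script is an added example, not code from this guide or from Huawei: it parses a configuration file written in the format just described (the "!Software Version" header, "#"-separated sections, commands grouped by view) and then audits a few security-relevant settings. The sample configuration inside it is constructed from the FTP and SFTP examples earlier in this chapter, and the audit rules (plaintext FTP enabled, plain-text local-user passwords, VTY lines not restricted to SSH) are this example's own choices, not device behaviour.

```python
"""Parse a VRP-style configuration file into command-view sections and audit it.

Added example, not from the AC6605 guide or Huawei. The configuration text is
constructed from the guide's FTP example; the audit rules are assumptions.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed sample: plaintext FTP enabled, VTY lines with no inbound restriction.
SAMPLE_CFG = """\
!Software Version V200R002C00
#
 sysname Quidway
#
 FTP server enable
#
vlan batch 10
#
interface Vlanif10
 ip address 10.1.1.2 255.255.255.0
#
interface GigabitEthernet0/0/1
 port hybrid pvid vlan 10
 port hybrid untagged vlan 10
#
aaa
 local-user u1 password cipher %$%$}twU5v;.BOKdou5Ry'L$-XOF%$%$
 local-user u1 privilege level 15
 local-user u1 ftp-directory flash:/
 local-user u1 service-type ftp
#
user-interface vty 0 4
 authentication-mode aaa
#
return
"""

# Constructed hardened variant: SFTP instead of FTP, VTY restricted to SSH.
HARDENED_CFG = SAMPLE_CFG.replace(" FTP server enable", " sftp server enable").replace(
    " authentication-mode aaa", " authentication-mode aaa\n protocol inbound ssh")


@dataclass
class Section:
    view: str                      # "global" or the view-entering command, e.g. "aaa"
    commands: list[str] = field(default_factory=list)


def parse_vrp_config(text: str) -> tuple[str, list[Section]]:
    """Return (software version, sections). Raises ValueError on a missing header."""
    lines = text.splitlines()
    if not lines or not lines[0].startswith("!Software Version"):
        raise ValueError("configuration file must begin with a '!Software Version' line")
    version = lines[0].split("Version", 1)[1].strip()
    sections: list[Section] = []
    current: list[str] = []

    def flush() -> None:
        nonlocal current
        body = [ln for ln in current if ln.strip()]
        current = []
        if not body:
            return
        # A view section is an unindented view-entering command followed by
        # indented commands; anything else is a global-view section.
        if len(body) > 1 and not body[0].startswith(" ") and body[1].startswith(" "):
            sections.append(Section(body[0].strip(), [ln.strip() for ln in body[1:]]))
        else:
            sections.append(Section("global", [ln.strip() for ln in body]))

    for line in lines[1:]:
        if line.startswith("#"):          # comment line: section separator
            flush()
        elif line.strip() == "return":    # end of the saved configuration
            flush()
            break
        else:
            current.append(line)
    flush()
    return version, sections


def audit(sections: list[Section]) -> list[str]:
    """Flag settings a reviewer would question; the rules are this example's assumptions."""
    findings: list[str] = []
    for sec in sections:
        if sec.view == "global":
            for cmd in sec.commands:
                if cmd.lower() == "ftp server enable":
                    findings.append("plaintext FTP server enabled; SFTP or FTPS is preferable")
        elif sec.view == "aaa":
            for cmd in sec.commands:
                m = re.match(r"local-user (\S+) password simple ", cmd)
                if m:
                    findings.append(f"local-user {m.group(1)}: password stored in plain text")
        elif sec.view.startswith("user-interface vty"):
            inbound = [c.split()[-1] for c in sec.commands if c.startswith("protocol inbound ")]
            if inbound != ["ssh"]:
                findings.append(f"{sec.view}: inbound protocol not restricted to SSH")
    return findings


if __name__ == "__main__":
    version, sections = parse_vrp_config(SAMPLE_CFG)
    print(version, [s.view for s in sections])
    for finding in audit(sections):
        print("FINDING:", finding)
```

The parser relies on the convention, visible in the configuration files printed in this chapter, that a view-entering command sits at column 0 and the commands inside that view follow it indented by one space; single-line sections such as sysname or vlan batch are treated as global-view commands.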

Configuration Files and Current Configurations
When the Switch is running, current configurations differ from configuration files.
The concepts of configuration files and current configurations are as follows.

Concept: Configuration files
Initial configurations: When powered on, the Switch retrieves configuration files from a
default save path to initialize itself. If configuration files do not exist in the default save
path, the Switch uses default initialization parameters.
Identifying method:
- Run the display startup command to view the configuration files for the current startup
  and next startup on the Switch.
- Run the display saved-configuration command to view the configuration file for the
  next startup on the Switch.

Concept: Current configurations
Current configurations: the configurations in effect on the Switch when it is actually running.
Identifying method: Run the display current-configuration command to view current
configurations on the Switch.

You can use the command line interface to modify current Switch configurations. Use the
save command to save modified configurations to the configuration file on the default storage
devices. This configuration file will be used to initialize the Switch when the Switch is powered
on next time.

1.8.2 Managing Configuration Files


You can manage the configuration files for the current and next startup operations on the
Switch.

Establishing the Configuration Task


Before managing configuration files, familiarize yourself with the applicable environment,
complete the pre-configuration tasks, and obtain any data required for the configuration. This
will help you complete the configuration task quickly and correctly.

Applicable Environment
Configuration files can be saved, cleared, compared, backed up, and restored. Configuration file
management is required to upgrade the Switch, take preventive measures, repair configuration
files, and view configurations after the Switch starts.

Pre-configuration Tasks
Before managing configuration files, complete the following task:
- Installing and powering on the Switch

Data Preparation
To manage configuration files, you need the following data.
No.  Data
1    Configuration file and its name
2    Configuration file saving interval and delay interval
3    Number of the start line from which the comparison of the configuration files begins

Saving Configuration Files


The configurations completed by using command lines are valid for only the current operation
on the Switch. To allow the configurations to be valid for the next startup, you need to save the
current configurations to configuration files before restarting the Switch.

Context
Configuration files can be saved on demand or the system can be set to save configuration files
at regular intervals. This prevents data loss if the Switch restarts without warning or when it is
powered off.
Run one of the following commands to save configuration files.

Procedure
- Run:
  1. system-view
     The system view is displayed.
  2. set save-configuration [ interval interval | cpu-limit cpu-usage | delay delay-interval ] *
     The configuration file is saved at intervals.
     After the parameter interval interval is specified, the system saves the current
     configuration if the configuration has changed; if the configuration has not changed,
     the system does not save the current configuration.
     If the set save-configuration command is not run, the system does not
     automatically save configurations.
     If the set save-configuration command is run without interval specified, the
     system automatically saves configurations at an interval of 30 minutes.
     When you configure the automatic saving function, to prevent that function from
     affecting system performance, you can set the upper limit of the CPU usage for the
     system during automatic saving. When automatic saving is triggered by the expiry of
     the timer, the CPU usage is checked. If the CPU usage is higher than the set upper
     limit, automatic saving is canceled.
     After delay delay-interval is specified, if the configuration is changed, the device
     automatically saves the configuration after the specified delay.
     After automatic saving of configurations is configured, the system automatically saves
     the changed configurations to the configuration file for the next startup, and the
     configuration files change accordingly with the saved configurations.
     Before configuring automatic saving of the configuration file to a server, you need to run
     the set save-configuration backup-to-server server server-ip [ transport-type
     { ftp | sftp } ] user user-name password password [ path folder ] or set save-configuration
     backup-to-server server server-ip transport-type tftp [ path folder ] command to configure
     the server, including the IP address, username, and password of the server, the destination
     path, and the mode of transporting the configuration file to the server.
     NOTE
     If TFTP is used, run the tftp client-source command to configure a loopback interface address as the
     client source IP address on the Switch, improving security.


- Run:
  save [ all ] [ configuration-file ]
  The current configurations are saved.
  The extension for the configuration file must be .cfg or .zip. The system startup
  configuration file must be saved in the root directory of a storage device.
  You can modify the current configuration through the CLI. To set the current configuration
  as the initial configuration when the Switch starts next time, use the save command
  to save the current configuration in the flash memory.
  You can use the save all command to save all the current configurations, including the
  configurations of the boards that are not inserted, to the default directory.
  NOTE
  When saving the configuration file for the first time, if you do not specify the optional parameter
  configuration-file, the Switch asks you whether to save the file as "vrpcfg.zip". "vrpcfg.zip"
  is the default configuration file and initially contains no configuration.

----End

Clearing a Configuration File


You can clear a configuration file that has been loaded to a device.

Context
The configuration file stored in the flash memory needs to be cleared in the following cases:
- The system software does not match the configuration file after the Switch has been
  upgraded.
- The configuration file is destroyed or an incorrect configuration file has been loaded.
Do as follows to clear the contents of a configuration file:

Procedure
- Clear the currently loaded configuration file.
  Run the reset saved-configuration command to clear the currently loaded configuration
  file.
  If the configuration file used for the current startup of the Switch is the same as the file
  to be used for the next startup, running the reset saved-configuration command clears
  both files. The Switch will use the default configuration file for the next startup.
  If the configuration file used for the current startup of the Switch is different from the
  file to be used for the next startup, running the reset saved-configuration command
  clears the configuration file used for the current startup.
  If you run the reset saved-configuration command and the configuration file used for
  the current startup of the Switch is empty, the system will prompt that the configuration
  file does not exist.

Issue 04 (2013-06-15)

Huawei Proprietary and Confidential


Copyright Huawei Technologies Co., Ltd.

146

AC6605 Access Controller


Configuration Guide

1 Configuration Guide - Basic Configuration

  CAUTION
  - After the contents of a configuration file are cleared, the empty configuration file with
    the original file name is left.
  - After the configuration file is cleared, if you do not run the startup saved-configuration
    configuration-file command to specify a new configuration file, or do not run the save
    command to save the configuration file, the Switch will use the default configuration file
    at the next startup.
  - Exercise caution when running this command. If necessary, do it under the guidance of
    Huawei technical support personnel.
- Clear the configurations of a specified interface.
  1. Run the system-view command to enter the system view.
  2. Run the clear configuration interface interface-type interface-number command to
     clear the configurations of the specified interface.

----End

Comparing Configuration Files


You can determine whether the current configuration file is the same as the one for the next
startup or a specified one on the Switch by comparing them.

Context
You can determine whether to specify the current configuration file as the one for the next startup
by comparing the current configuration file with the one for the next startup.

Procedure
- Run:
  compare configuration [ configuration-file ] [ current-line-number save-line-number ]

The current configuration is compared with the configuration file for next startup.
If configuration-file is configured, the system checks whether the current configuration
file is the same as the specified configuration file.
If no parameter is set, the comparison begins with the first lines of configuration files.
If values for current-line-number and save-line-number are set, the comparison
continues by ignoring differences between the configuration files.
The system begins to display the content of a current and a saved configuration file from
the first line of the two files that is different. Beginning with this line, 150 characters are
displayed by default for each of the files. If there are fewer than 150 characters remaining
after the first line with a difference, all remaining content in the files is displayed.
NOTE

When trying to compare configuration files, if the configuration file for next startup is unavailable
or its content is empty, the system prompts that reading files fails.

----End
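As an added example, not from this guide or from Huawei, the Python function below reproduces the comparison described above for a configuration pulled off the Switch and a saved copy: it starts at the given current-line-number and save-line-number, stops at the first differing line, and returns up to 150 characters of each file from there; an empty saved file is reported as a read failure, as the NOTE states. The two configuration texts are constructed for the example.

```python
"""Offline emulation of the comparison performed by compare configuration.

Added example, not from the AC6605 guide or Huawei. The two configuration
texts are constructed; the second one has drifted from the first.
"""
from __future__ import annotations

from itertools import zip_longest

CURRENT_CFG = """\
#
 sysname Quidway
#
interface Vlanif10
 ip address 10.1.1.2 255.255.255.0
#
user-interface vty 0 4
 authentication-mode aaa
 protocol inbound ssh
#
return
"""

# Constructed saved copy: different address, and the SSH restriction is missing.
SAVED_CFG = CURRENT_CFG.replace("10.1.1.2", "10.1.1.3").replace(" protocol inbound ssh\n", "")


def compare_configuration(current: str, saved: str, current_line: int = 1,
                          save_line: int = 1, width: int = 150) -> dict | None:
    """Compare from the given 1-based line numbers on.

    Returns None when the files match from those lines to the end; otherwise a
    dict with the first differing line numbers and up to `width` characters of
    each file starting at that line (150 by default, as the guide describes).
    """
    if not saved.strip():
        # Mirrors the NOTE: an empty next-startup file is a read failure, not a diff.
        raise OSError("reading the configuration file for next startup failed: file is empty")
    cur = current.splitlines()[current_line - 1:]
    sav = saved.splitlines()[save_line - 1:]
    for offset, (a, b) in enumerate(zip_longest(cur, sav)):
        if a != b:   # zip_longest pads with None, so a longer file also differs
            return {
                "current_line": current_line + offset,
                "save_line": save_line + offset,
                "current": "\n".join(cur[offset:])[:width],
                "saved": "\n".join(sav[offset:])[:width],
            }
    return None


if __name__ == "__main__":
    hit = compare_configuration(CURRENT_CFG, SAVED_CFG)
    if hit is None:
        print("configurations match")
    else:
        print(f"first difference at current line {hit['current_line']}, "
              f"saved line {hit['save_line']}")
        print("current:", hit["current"], "saved:", hit["saved"], sep="\n")
        # Resume past the first difference, as the line-number parameters allow.
        print(compare_configuration(CURRENT_CFG, SAVED_CFG,
                                    hit["current_line"] + 1, hit["save_line"] + 1))
```

Used on a saved configuration and a known-good baseline, the first difference it reports is the place to start looking for unauthorised changes; in the constructed data that is the altered address on line 5, and resuming from line 6 then surfaces the removed protocol inbound ssh line.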

Backing Up the Configuration Files


Context
You can back up the configuration files in the following ways:

Procedure
- Copying the screen directly
  In the CLI, run the display current-configuration command. Copy all the output to a text
  file, then back up the configuration files to the hard disk of the maintenance terminal.
- Backing up the configuration files through TFTP
  1. Copy the configuration files in the Flash directly.
     This action backs up the current configuration files that are stored in the Flash of
     the device.
     After startup of the device, use the following commands to back up the configuration
     files in the Flash of the device.
     <Quidway> save flash:/config.cfg
     The current configuration will be written to the device. Are you sure to continue?[Y/N]y
     Now saving the current configuration to the slot 0....
     Save the configuration successfully.
     <Quidway> copy config.cfg flash:/backup.cfg
     Copy flash:/config.cfg to flash:/backup.cfg?[Y/N]:y
     100% complete/
     Info: Copied file flash:/config.cfg to flash:/backup.cfg...Done.
  2. Assign an IP address to the device.
     The device acts as the TFTP client.
     Connect the device to the maintenance terminal. Establish the Telnet environment and
     assign an IP address to the interface. A reachable route must exist between the
     TFTP client and the TFTP server.
  3. Start the TFTP server application program.
     Start the TFTP server application on the PC. Set the path, the IP address, and the port
     number of the TFTP server to download the configuration files.
  4. Transfer the configuration files.
     In the user view, run the tftp command.
     <Quidway> tftp 10.110.24.209 put config.cfg
     Info: Transfer file in binary mode.
     Uploading the file to the remote TFTP server. Please wait.../
     TFTP: Uploading the file successfully.
     3501 bytes send in 1 second.

- Backing up the configuration files through FTP
  1. Connect the device to the maintenance terminal, establish the Telnet environment and
     assign an IP address to the interface.
  2. Start the FTP service.
     The device acts as the FTP server.
     Start the FTP server on the device. Create an FTP user whose username is huawei and
     password is huawei. The user level must be set to 3 or higher. Authorize the user to
     visit flash:\.
     <Quidway> system-view
     [Quidway] ftp server enable
     [Quidway] aaa
     [Quidway-aaa] local-user huawei password cipher huawei
     [Quidway-aaa] local-user huawei privilege level 3
     [Quidway-aaa] local-user huawei ftp-directory flash:/
     [Quidway-aaa] local-user huawei service-type ftp
  3. Initiate an FTP connection to the device from the maintenance terminal.
     On the PC, establish an FTP connection with the device through the FTP client. For
     example, the IP address of the device is 10.110.24.254.
     C:\Documents and Setting\Administrator> ftp 10.110.24.254
     Connected to 10.110.24.254.
     220 FTP service ready.
     User (10.110.24.254:(none)): huawei
     331 Password required for huawei.
     Password:
     230 User logged in.
  4. Set the parameters.
     After the FTP user passes authentication, the FTP client prompts "ftp>". Enter
     binary and specify the directory for storing the configuration files on the FTP client.
     ftp> binary
     200 Type set to I.
     ftp> lcd c:\temp
     Local directory now C:\temp.
  5. Transfer the configuration files.
     Run the get command on the PC to download the configuration files to the local
     specified directory and save them as backup.cfg.
     ftp> get config.cfg backup.cfg
     200 Port command okay.
     150 Opening ASCII mode data connection for config.cfg.
     226 Transfer complete.
     ftp: 1021 bytes received in 0.06Seconds 60.02Kbytes/sec.
     ftp>
  6. Check whether the config.cfg and backup.cfg files are of the same size. If they are
     of the same size, the backup is successful.

----End

Restoring the Configuration Files


Context
You can restore the configuration files in the following ways:
NOTE

After restoring the configuration files, restart the device to make the configuration files take effect. Run
the startup saved-configuration command to specify the configuration file for next startup. If the
configuration file name is unchanged, you do not need to run this command. Then run the reboot command
to restart the device.


Procedure
- Restoring the configuration files saved in the Flash
  This operation restores the configuration files saved in the Flash of the device as the
  configuration files of the current system.
  Run the following commands when the device works normally.
  <Quidway> copy flash:/backup.cfg flash:/vrpcfg.zip
  Copy flash:/backup.cfg to flash:/vrpcfg.zip?[Y/N]:y
  100% complete/
  Info: Copied file flash:/backup.cfg to flash:/vrpcfg.zip...Done.
- Restoring the configuration files saved on the PC through TFTP
  The device works as the TFTP client. The restoration procedure is similar to that of backing
  up the configuration files through TFTP. Run the tftp get command to download the
  configuration files saved on the PC to the Flash of the device.
- Restoring the configuration files saved on the PC through FTP
  The device acts as the FTP server. The restoration procedure is similar to that of backing
  up the configuration files through FTP. Run the put command to upload the
  configuration files saved on the PC to the Flash of the device.

----End

Checking the Configuration


After managing configuration files, you can view the current configuration files and files in the
storage device.

Prerequisites
The configurations for managing configuration files are complete.

Procedure
- Run the display current-configuration [ configuration [ configuration-type
  [ configuration-instance ] ] | controller | interface [ interface-type [ interface-number ] ] ]
  [ feature feature-name [ filter filter-expression ] | filter filter-expression ] or display
  current-configuration [ all | inactive ] command to check current configurations.
- Run the display startup command to check files for startup.
- Run the dir [ /all ] [ filename ] command to check files saved in the storage device.
- Run the display saved-configuration configuration command to view configurations of
  the autosave function, including the status of the autosave function, time for autosave check,
  threshold for the CPU usage, and period during which configurations are unchanged (when
  the period expires, configurations are automatically saved).
- Run the display changed-configuration time command to check the time of the last
  configuration change.

----End

Example
Run the display startup command to check files for startup.
<Quidway> display startup
MainBoard:
  Configured startup system software:        flash:/AC6605v200r002.cc
  Startup system software:                   flash:/AC6605v200r002.cc
  Next startup system software:              flash:/AC6605v200r002.cc
  Startup saved-configuration file:          flash:/vrpcfg1.cfg
  Next startup saved-configuration file:     flash:/vrpcfg1.cfg
  Startup paf file:                          NULL
  Next startup paf file:                     NULL
  Startup license file:                      NULL
  Next startup license file:                 NULL
  Startup patch package:                     NULL
  Next startup patch package:                NULL

1.8.3 Specifying a File for System Startup


You can specify a file to be used for system startup by specifying the system software and
configuration file for the next startup of the Switch.

Establishing the Configuration Task


Before specifying a file for system startup, familiarize yourself with the applicable environment,
complete the pre-configuration tasks, and obtain any data required for the configuration. This
will help you complete the configuration task quickly and correctly.

Applicable Environment
To enable the Switch to provide user-defined configurations during the next startup, you need
to correctly specify the system software and configuration file for the next startup.

Pre-configuration Tasks
Before specifying a file for system startup, complete the following task:
- Installing the Switch and powering it on properly

Data Preparation
To specify a file for system startup, you need the following data:
- System software and its file name on the AC6605
- Configuration file and its file name on the device

Configuring System Software for a Switch to Load for the Next Startup
If you need to upgrade system software of a Switch, you can specify the Switch system software
to be loaded at the next startup.

Context
The system continues to load the current system software at each startup until different system software is specified for the next startup. To change the system software for the next startup, specify the system software you require.
The filename extension of the system software must be .cc and the file must be stored in the root directory of a storage device.

Procedure
Step 1 Run:
startup system-software system-file [ slave-board ]

The AC6605 system software to be loaded at the next startup of the Switch is configured.
The system software package must use .cc as the extension and be saved in the root directory of the flash memory.
If the BootROM version of the next-startup software that you specify differs from the current BootROM version, the system prompts you to upgrade the BootROM.
----End

Configuring the Configuration File for Switch to Load at the Next Startup
Before restarting a Switch, you can specify which configuration files will be loaded at the next
startup.

Context
Run the display startup command on the Switch to check whether a specific configuration file is set to be loaded at the next startup. If no specific configuration file is specified, the default configuration file is loaded at the next startup.
The filename extension of the configuration file must be .cfg or .zip, and the file must be stored in the root directory of a storage device.
When the Switch is powered on, it reads the configuration file from the flash memory by default to initialize itself. The data in this configuration file is the initial configuration. If no configuration file is saved in the flash memory, the Switch initializes with default parameters.

Procedure
- Run:
  startup saved-configuration configuration-file

  The configuration file to be loaded by the Switch at the next startup is specified.


----End

Checking the Configuration


After specifying a configuration file for system startup, you can check the content of the
configuration file and information about the files to be used at the next startup on the Switch.

Prerequisites
A configuration file has been specified for system startup.

Procedure
- Run the display current-configuration [ configuration [ configuration-type [ configuration-instance ] ] | controller | interface [ interface-type [ interface-number ] ] ] [ feature feature-name [ filter filter-expression ] | filter filter-expression ] command to check current configurations.
- Run the display saved-configuration [ last | time | configuration ] command to check the contents of the configuration file to be loaded at the next startup.
- Run the display startup command to check information about the files to be used at the next startup.

----End

Example
Run the display startup command to check information about the files to be used at next startup.
<Quidway> display startup
MainBoard:
  Configured startup system software:        flash:/AC6605v200r002.cc
  Startup system software:                   flash:/AC6605v200r002.cc
  Next startup system software:              flash:/AC6605v200r002.cc
  Startup saved-configuration file:          flash:/vrpcfg1.cfg
  Next startup saved-configuration file:     flash:/vrpcfg1.cfg
  Startup paf file:                          NULL
  Next startup paf file:                     NULL
  Startup license file:                      NULL
  Next startup license file:                 NULL
  Startup patch package:                     NULL
  Next startup patch package:                NULL
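
A pre-reboot check for the files this section describes, added here as an example and not part of the guide or the AC6605 software: it parses display startup output into fields, validates the next-startup entries against the rules stated above (a .cc system software file and a .cfg or .zip configuration file, both in the root directory of a storage device), and reports every file that changes at the next reboot. The sample output is constructed from the values shown in this guide.

```python
import re

# A next-startup file must sit in the root directory of a storage device, e.g. flash:/vrpcfg.cfg
ROOT_FILE = re.compile(r"^[A-Za-z0-9]+:/[^/\\]+$")

STARTUP_ITEMS = ("system software", "saved-configuration file", "paf file",
                 "license file", "patch package")


def parse_display_startup(text):
    """Turn the text of 'display startup' into {field name: value}.

    The prompt line and the 'MainBoard:' section header are skipped; each remaining
    line is 'Field name:   value', where the value itself may contain ':' (flash:/...).
    """
    fields = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("<") or (line.endswith(":") and " " not in line):
            continue
        key, _, value = line.partition(":")
        fields[key.strip()] = value.strip()
    return fields


def check_next_startup(fields):
    """Return findings about what the device will load at the next reboot.

    The rules are the ones this section states: the system software is a .cc file and
    the configuration file is a .cfg or .zip file, both in the root directory of a
    storage device. Every 'Startup X' / 'Next startup X' pair that differs is reported.
    """
    findings = []
    sw = fields.get("Next startup system software", "NULL")
    if sw == "NULL" or not sw.endswith(".cc") or not ROOT_FILE.match(sw):
        findings.append(f"system software '{sw}' must be a .cc file in the root directory of a storage device")
    cfg = fields.get("Next startup saved-configuration file", "NULL")
    if cfg == "NULL":
        findings.append("no configuration file specified: the default configuration file is loaded")
    elif not cfg.endswith((".cfg", ".zip")) or not ROOT_FILE.match(cfg):
        findings.append(f"configuration file '{cfg}' must be a .cfg or .zip file in the root directory")
    for item in STARTUP_ITEMS:
        now, nxt = fields.get(f"Startup {item}"), fields.get(f"Next startup {item}")
        if now is not None and nxt is not None and now != nxt:
            findings.append(f"{item} changes at next reboot: {now} -> {nxt}")
    return findings


# Constructed sample output, modelled on the display startup output shown in this guide.
SAMPLE_OUTPUT = """\
<Quidway> display startup
MainBoard:
  Configured startup system software:        flash:/AC6605v200r002c00b01.cc
  Startup system software:                   flash:/AC6605v200r002c00b01.cc
  Next startup system software:              flash:/AC6605v200r002c00.cc
  Startup saved-configuration file:          flash:/test.cfg
  Next startup saved-configuration file:     flash:/vrpcfg.cfg
  Startup paf file:                          NULL
  Next startup paf file:                     NULL
  Startup license file:                      NULL
  Next startup license file:                 NULL
  Startup patch package:                     NULL
  Next startup patch package:                NULL
"""

if __name__ == "__main__":
    for finding in check_next_startup(parse_display_startup(SAMPLE_OUTPUT)):
        print(finding)
```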

1.8.4 Configuration Examples


The example in this section shows how to configure system startup. The example explains
networking requirements, and provides a configuration roadmap and configuration notes.

Example for Configuring System Startup


This example shows how to configure system startup. In the example, a configuration file is
saved and the system software and configuration file to be loaded at the next startup are specified
so that the Switch can start in a required manner.

Networking Requirements
After the Switch is configured, new configurations take effect at next system startup.

Configuration Roadmap
The configuration roadmap is as follows:
1. Save the current configuration.
2. Specify the configuration file to be loaded at the next startup of the Switch.
3. Specify the system software to be loaded at the next startup of the Switch.


Data Preparation
To complete the configuration, you need the following data:
- Name of the configuration file
- File name of the system software

Procedure
Step 1 Check the configuration file and system software that were used during the current startup.
<Quidway> display startup
MainBoard:
  Configured startup system software:        flash:/AC6605v200r002c00b01.cc
  Startup system software:                   flash:/AC6605v200r002c00b01.cc
  Next startup system software:              flash:/AC6605v200r002c00b01.cc
  Startup saved-configuration file:          flash:/test.cfg
  Next startup saved-configuration file:     flash:/test.cfg
  Startup paf file:                          NULL
  Next startup paf file:                     NULL
  Startup license file:                      NULL
  Next startup license file:                 NULL
  Startup patch package:                     NULL
  Next startup patch package:                NULL

Step 2 Save the current configuration to the specified file.
<Quidway> save vrpcfg.cfg

The system asks whether you want to save the current configuration to the file named vrpcfg.cfg. Enter y to save the configuration.
Step 3 Specify the configuration file to be loaded at the next startup of the Switch.
<Quidway> startup saved-configuration vrpcfg.cfg

Step 4 Specify the system software to be loaded at the next startup of the Switch.
<Quidway> startup system-software AC6605v200r002c00.cc

Step 5 Verify the configuration.

After the configuration is complete, run the following command to check which configuration file and system software will be loaded at the next startup of the Switch.
<Quidway> display startup
MainBoard:
  Configured startup system software:        flash:/AC6605v200r002c00b01.cc
  Startup system software:                   flash:/AC6605v200r002c00b01.cc
  Next startup system software:              flash:/AC6605v200r002c00.cc
  Startup saved-configuration file:          flash:/test.cfg
  Next startup saved-configuration file:     flash:/vrpcfg.cfg
  Startup paf file:                          NULL
  Next startup paf file:                     NULL
  Startup license file:                      NULL
  Next startup license file:                 NULL
  Startup patch package:                     NULL
  Next startup patch package:                NULL

----End

Configuration Files
None.

1.9 Accessing Another Device


To manage configurations or operate files of another device, you can access the device by using
Telnet, STelnet, TFTP, FTP, or SFTP from the device that you have logged in to.

1.9.1 Accessing Another Device


To manage configurations or use files on a device other than the device you are logged in to,
you can use Telnet, FTP, TFTP, or SSH to access that device.
Figure 1-36 Networking diagram for accessing another device from the Switch (figure not reproduced; labels: PC, Network, Client, Network, Server)

As shown in Figure 1-36, when you run a terminal emulation or Telnet program on a PC to
connect to the Switch, the Switch can still function as a client to access another device on the
network. There are several ways to accomplish this.

Telnet Method
To configure and manage a remote device on the network, you can use the Switch that you have
logged in to as a client to log in to that device.
Telnet is an application layer protocol in the TCP/IP protocol suite. It provides remote login and
a virtual terminal service.
The AC6605 provides the following Telnet services:
- Telnet server: You can run the Telnet client program on a PC to log in to a Switch to complete configuration and management tasks. The Switch acts as a Telnet server.
- Telnet client: You can run a terminal emulation program or the Telnet client program on a PC to connect to the Switch. You can then run the telnet command to log in to other Switches to configure and manage them. As shown in Figure 1-37, Switch A serves as both a Telnet server and a Telnet client.
Figure 1-37 Telnet client services (figure not reproduced; labels: PC, Telnet Session 1, SwitchA, Telnet Session 2, SwitchB, Telnet Server)

Interruption of Telnet services


In a Telnet connection, two shortcut key combinations can terminate the connection.
As shown in Figure 1-38, Switch A logs in to Switch B through Telnet, and Switch B logs in to Switch C through Telnet, forming a cascaded network. In this case, Switch A is the client of Switch B and Switch B is the client of Switch C. Figure 1-38 illustrates the usage of the shortcut keys.
Figure 1-38 Usage of Telnet shortcut keys (figure not reproduced; labels: SwitchA, Telnet Session 1, SwitchB, Telnet Session 2, SwitchC, Telnet Client, Telnet Server)

Ctrl_]: The server interrupts the connection.

If the network connection is normal and you press Ctrl_], the Telnet server terminates the current Telnet connection. For example:
<SwitchC>                    // Press Ctrl_] to return to the prompt of Switch B.
Info: The max number of VTY users is 20, and the number of current VTY users on line is 2.
Info: The connection was closed by the remote host.
<SwitchB>                    // Press Ctrl_] to return to the prompt of Switch A.
Info: The max number of VTY users is 20, and the number of current VTY users on line is 2.
Info: The connection was closed by the remote host.
<SwitchA>
NOTE

If the device becomes disconnected from the network, these shortcut keys are invalid, because instructions cannot be sent to the server.

Ctrl_T: The client interrupts the connection.

If the server fails and the client is unaware of the failure, the client continues to transmit data but the server does not respond. In this case, press Ctrl_T to terminate the Telnet connection. For example:
<SwitchC>                    // Press Ctrl_T to terminate and quit the Telnet connection.
<SwitchA>


CAUTION
If remote login users are using all of the maximum number of VTY user interfaces allowed,
the system prompts that all user interfaces are in use and does not allow additional Telnet
logins.

FTP Method
To access files on a remote FTP server, you can use FTP to establish a connection between the Switch that you have logged in to and the remote FTP server.
FTP transmits files between hosts and provides users with common FTP commands for file system management. That is, using an FTP client program not residing on the Switch, you can upload or download files and access directories on the Switch; using the FTP client program residing on the Switch, you can transfer files to the FTP servers of other devices.
FTP transmits files between local and remote hosts, and is widely used for version upgrades, log downloading, file transmission, and configuration saving.

TFTP Method
If network client/server interaction requirements are relatively simple, you can enable the TFTP
service on the Switch that functions as a TFTP client to access files on a TFTP server.
Trivial File Transfer Protocol (TFTP) is a simple file transfer protocol.
Unlike FTP, TFTP does not have a complex interactive access interface and authentication
control. TFTP is for use in environments where there is no complex interaction between the
client and the server. For example, TFTP is used to obtain a memory image of the system when
the system starts up.
Implementation of TFTP is based on the User Datagram Protocol (UDP).
The client initiates a TFTP transfer. To download files, the client sends a read request packet to
the TFTP server, receives packets from the server, and returns an acknowledgement to the server.
To upload files, the client sends a write request packet to the TFTP server, sends packets to the
server, and receives acknowledgement from the server.
TFTP uses two formats for file transfer:
- Binary format: transfers program files.
- ASCII format: transfers text files.

At present, the AC6605 can only serve as a TFTP client and can only transfer files in binary
format.
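
The read and write exchanges described above, as an added Python example that is not part of this guide or of the AC6605 software: it encodes and decodes the RFC 1350 packet types (RRQ, WRQ, DATA, ACK, ERROR), and a client downloads a file in octet (binary) mode from an in-memory server, acknowledging each DATA block and stopping at the first block shorter than 512 bytes. The server class, the file name and its contents are constructed for the example.

```python
import struct

OP_RRQ, OP_WRQ, OP_DATA, OP_ACK, OP_ERROR = 1, 2, 3, 4, 5
BLOCK_SIZE = 512   # RFC 1350 data block size; a shorter block signals the end of the file


def build_request(opcode, filename, mode="octet"):
    """Encode a read request (RRQ) or write request (WRQ).

    Wire format: 2-byte opcode | filename | 0x00 | mode | 0x00.
    The binary format this section mentions is TFTP's "octet" mode.
    """
    if opcode not in (OP_RRQ, OP_WRQ):
        raise ValueError("opcode must be RRQ or WRQ")
    return (struct.pack("!H", opcode) + filename.encode("ascii") + b"\x00"
            + mode.encode("ascii") + b"\x00")


def build_data(block, payload):
    """Encode a DATA packet: opcode 3 | 2-byte block number | up to 512 bytes of file data."""
    if len(payload) > BLOCK_SIZE:
        raise ValueError("DATA payload exceeds 512 bytes")
    return struct.pack("!HH", OP_DATA, block) + payload


def build_ack(block):
    """Encode an ACK packet: opcode 4 | 2-byte block number being acknowledged."""
    return struct.pack("!HH", OP_ACK, block)


def build_error(code, message):
    """Encode an ERROR packet: opcode 5 | 2-byte error code | message | 0x00."""
    return struct.pack("!HH", OP_ERROR, code) + message.encode("ascii") + b"\x00"


def parse_packet(raw):
    """Decode any TFTP packet into (opcode, fields); malformed input raises ValueError."""
    if len(raw) < 4:
        raise ValueError("packet too short")
    (opcode,) = struct.unpack("!H", raw[:2])
    if opcode in (OP_RRQ, OP_WRQ):
        parts = raw[2:].split(b"\x00")
        if len(parts) < 3:   # filename, mode, and the empty piece after the final 0x00
            raise ValueError("malformed request")
        return opcode, {"filename": parts[0].decode("ascii"), "mode": parts[1].decode("ascii").lower()}
    (number,) = struct.unpack("!H", raw[2:4])   # block number, or error code
    if opcode == OP_DATA:
        return opcode, {"block": number, "data": raw[4:]}
    if opcode == OP_ACK:
        return opcode, {"block": number}
    if opcode == OP_ERROR:
        return opcode, {"code": number, "message": raw[4:].split(b"\x00")[0].decode("ascii", "replace")}
    raise ValueError("unknown opcode %d" % opcode)


class InMemoryTftpServer:
    """Constructed read-only TFTP server serving files from a dict, one transfer at a time."""

    def __init__(self, files):
        self.files = files        # {filename: bytes}
        self.content = None
        self.block = 0

    def handle(self, raw):
        """Process one client packet and return the server's reply packet."""
        opcode, f = parse_packet(raw)
        if opcode == OP_RRQ:
            if f["mode"] != "octet":
                return build_error(0, "Only octet mode is supported")
            if f["filename"] not in self.files:
                return build_error(1, "File not found")
            self.content, self.block = self.files[f["filename"]], 1
            return self._data_block()
        if opcode == OP_ACK and self.content is not None and f["block"] == self.block:
            self.block += 1           # the current block was acknowledged: send the next one
            return self._data_block()
        return build_error(4, "Illegal TFTP operation")

    def _data_block(self):
        start = (self.block - 1) * BLOCK_SIZE
        return build_data(self.block, self.content[start:start + BLOCK_SIZE])


def tftp_download(server, filename):
    """Client side of a read transfer: RRQ, then ACK every DATA block until a short block arrives."""
    received = bytearray()
    reply = server.handle(build_request(OP_RRQ, filename))
    while True:
        opcode, f = parse_packet(reply)
        if opcode == OP_ERROR:
            raise IOError("TFTP error %d: %s" % (f["code"], f["message"]))
        if opcode != OP_DATA:
            raise IOError("unexpected opcode %d" % opcode)
        received += f["data"]
        reply = server.handle(build_ack(f["block"]))   # every block, including the last, is acknowledged
        if len(f["data"]) < BLOCK_SIZE:                # final block (possibly empty): transfer complete
            return bytes(received)


# Constructed sample image: 1300 bytes, i.e. blocks of 512, 512 and 276 bytes.
SAMPLE_FILES = {"AC6605v200r002.cc": bytes(range(256)) * 5 + b"\x00" * 20}
```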

SSH Method
Logging in to a remote device using SSH (including STelnet and SFTP) provides secure communications between the remote device and the Switch you are logged in to.

SSH Overview
When users on an insecure network use Telnet to log in to the Switch, the Secure Shell (SSH) feature provides authentication and keeps data secure. SSH defends the Switch against IP address spoofing and similar attacks, and protects the Switch against the interception of plain-text passwords.
The SSH client function allows users to establish SSH connections with Switches serving as SSH servers or with UNIX hosts.

SSH Client Function


The AC6605 supports the STelnet client function and the SFTP client function.
- STelnet client
  STelnet is short for Secure Telnet.
  Telnet does not provide secure authentication, and TCP transmits data in plain text. This creates security vulnerabilities. Denial of service (DoS) attacks, host IP address spoofing, and route spoofing also threaten system security, so Telnet services are vulnerable to network attacks.
  SSH implements secure remote access on insecure networks and has the following advantages compared with Telnet:
  - SSH supports Remote Subscriber Access (RSA) authentication and Digital Signature Algorithm (DSA) authentication. SSH uses RSA or DSA authentication to generate and exchange public and private keys compliant with an asymmetric encryption system that protects session security.
  - SSH supports Data Encryption Standard (DES), 3DES, and AES authentications.
  - SSH usernames and passwords are encrypted in communication between an SSH client and server. This prevents password interception.
  - SSH encrypts transmitted data.
  If the STelnet server or the connection between the server and a client is faulty, the client must detect the fault and release the connection. A fault detection function must be configured on the client to accomplish this. The client sends keepalive packets to the server at a configured interval. If the server does not reply to a configured number of keepalive packets, the client determines that a fault has occurred and releases the connection.
- SFTP client
  SFTP is short for Secure FTP. You can log in to a device from a secure remote end to manage files. This improves data transmission security when the remote system is updated. The client function allows you to use SFTP to log in to the remote device for secure file transmission.
  If the SFTP server or the connection between the server and a client is faulty, the client must detect the fault and release the connection. A fault detection function must be configured on the client to accomplish this. The client sends keepalive packets to the server at a configured interval. If the server does not reply to a configured number of keepalive packets, the client determines that a fault has occurred and releases the connection.

SSL Mode
Logging in to a remote device using SSL provides secure communications between the remote
FTPS server and the local device you are logged in to.


Overview
SSL is a cryptographic protocol that provides communication security over the Internet. It allows a client and a server to communicate across a network in a way designed to prevent eavesdropping by authenticating the server or the client. SSL has the following advantages:
- Provides high security assurance. It uses data encryption, authentication, and a message integrity check to ensure secure data transmission over the network.
- Supports various application layer protocols. SSL was originally designed for securing World Wide Web traffic. As SSL functions between the application layer and the transport layer, it secures data transmission over TCP connections for any application layer protocol.
- Is easy to deploy. SSL has become a world-wide communications standard for authenticating Web sites and Web page users and for encrypting data transmitted between browser users and Web servers.

SSL improves device security in the following ways:
- Helps authorized users to securely access servers and prevents unauthorized users from accessing servers.
- Encrypts data transmitted between a client and a server for data transmission security and computes a digest for data integrity, which implements security management for devices.
- Defines an access control policy on a device based on certificate attributes to control the access rights of clients, which prevents unauthorized users from attacking the device.

Basic Concepts
- Certificate Authority (CA)
  A CA is an entity that issues, manages, and revokes digital certificates. A CA checks the validity of digital certificate owners, signs digital certificates to prevent eavesdropping and tampering, and manages certificates and keys. A CA trusted world-wide is called a root CA. The root CA can authorize other CAs as subordinate CAs. The CA identity is described in a trusted-CA file.
  For example, CA1 functions as the root CA and issues a certificate for CA2, CA2 then issues a certificate for CA3, and so on, until CAn issues the final server certificate.
  If CA3 issues the server certificate, certificate authentication on the client starts with the server certificate. The CA3 certificate is used to authenticate the server certificate. If authentication succeeds, the CA2 certificate is used to authenticate the CA3 certificate. Finally, the CA1 certificate is used to authenticate the CA2 certificate. Server certificate authentication succeeds only when the CA2 certificate has been authenticated by the CA1 certificate.
  Figure 1-39 shows the certificate issuing and authentication processes.
Figure 1-39 Schematic diagram for certificate issuing and authentication

- Digital certificate
  A digital certificate is an electronic document that uses a digital signature to bind a public key with an identity. The digital certificate includes information such as the name of the person or organization that applies for the certificate, the public key, the digital signature of the CA that issues the certificate, and the validity period of the certificate. A digital certificate validates the identities of two communicating parties, improving communication reliability.
  A user must obtain the public key certificate of the information sender in advance to decrypt and authenticate information in the certificate. In addition, the user also needs the CA certificate of the information sender to verify the identity of the information sender.
- Certificate Revocation List (CRL)
  A CRL is a list of certificates that have been revoked and therefore should not be relied upon. The CRL is issued by a CA.
  The lifetime of a digital certificate is limited. A CA can revoke a digital certificate to shorten its lifetime. The lifetime of a CRL is usually shorter than the lifetime of the certificates in the CRL. If a CA revokes a digital certificate, the key pair defined in the certificate can no longer be used even if the digital certificate has not expired. After a certificate in a CRL expires, the certificate is deleted from the CRL to shorten the CRL.
  Before using a digital certificate, the client checks the CRL. If the digital certificate is in the CRL, the corresponding CA marks the digital certificate as expired and adds a certificate expiration list (CEL) when issuing a new CRL. After the CEL expires, it is automatically deleted from the CRL.
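
The chain walk described under Certificate Authority (server certificate, then CA3, CA2 and the root CA1 from the trusted-CA file) together with the CRL and validity checks described above, as an added Python example that is not part of this guide or of the AC6605 software. Signatures are a toy textbook-RSA stand-in with tiny keys, and the CA names, serial numbers, server name and validity dates are constructed.

```python
import hashlib
from dataclasses import dataclass
from math import gcd

# --- Toy textbook-RSA signatures, for illustration only (real SSL uses padded RSA or ECDSA) ---

def toy_keypair(p, q):
    """Return ((n, e), (n, d)) from two primes; e is the smallest odd value coprime to phi."""
    n, phi = p * q, (p - 1) * (q - 1)
    e = next(c for c in range(3, phi, 2) if gcd(c, phi) == 1)
    return (n, e), (n, pow(e, -1, phi))


def digest_int(data, n):
    """SHA-256 of the data, reduced into the key's modulus."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def toy_sign(private, data):
    n, d = private
    return pow(digest_int(data, n), d, n)


def toy_verify(public, data, signature):
    n, e = public
    return pow(signature, e, n) == digest_int(data, n)


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    serial: int
    public: tuple       # (n, e) of the subject
    not_after: int      # end of validity, as a day number in this toy
    signature: int      # the issuer's signature over tbs()

    def tbs(self):
        """The to-be-signed part: every field except the signature."""
        return f"{self.subject}|{self.issuer}|{self.serial}|{self.public}|{self.not_after}".encode()


def issue(issuer_name, issuer_private, subject, serial, subject_public, not_after):
    """The issuing CA signs the subject's identity and public key."""
    unsigned = Cert(subject, issuer_name, serial, subject_public, not_after, 0)
    return Cert(subject, issuer_name, serial, subject_public, not_after,
                toy_sign(issuer_private, unsigned.tbs()))


def verify_chain(server_cert, intermediates, trusted_roots, crl, today):
    """Authenticate a server certificate the way this section describes.

    Starting from the server certificate, each certificate is checked for expiry and
    against the CRL, then its signature is verified with its issuer's certificate, up
    to a root CA found in the trusted-CA file. Returns (ok, reason).
    intermediates: {name: Cert} of subordinate CA certificates available to the client
    trusted_roots: {name: Cert} loaded from the trusted-CA file
    crl: set of (issuer name, serial) pairs that have been revoked
    """
    cert = server_cert
    for _ in range(8):   # bound the walk so a malformed chain cannot loop forever
        if today > cert.not_after:
            return False, f"{cert.subject}: certificate expired"
        if (cert.issuer, cert.serial) in crl:
            return False, f"{cert.subject}: certificate revoked"
        issuer = trusted_roots.get(cert.issuer) or intermediates.get(cert.issuer)
        if issuer is None:
            return False, f"{cert.subject}: issuer {cert.issuer} unknown"
        if not toy_verify(issuer.public, cert.tbs(), cert.signature):
            return False, f"{cert.subject}: bad signature from {cert.issuer}"
        if cert.issuer in trusted_roots:
            return True, f"chain ends at trusted root {cert.issuer}"
        cert = issuer
    return False, "chain too long"


# --- Constructed PKI: CA1 (root) -> CA2 -> CA3 -> server, the chain described in the text ---
# The key sizes are far too small for real use; the primes are well-known Mersenne and other primes.
_PRIMES = [(2**31 - 1, 2**61 - 1), (2**89 - 1, 1000000007),
           (2**107 - 1, 998244353), (2**127 - 1, 4294967291)]
(CA1_PUB, CA1_PRIV), (CA2_PUB, CA2_PRIV), (CA3_PUB, CA3_PRIV), (SRV_PUB, SRV_PRIV) = [
    toy_keypair(p, q) for p, q in _PRIMES]

CA1 = issue("CA1", CA1_PRIV, "CA1", 1, CA1_PUB, 9999)               # self-signed root CA
CA2 = issue("CA1", CA1_PRIV, "CA2", 2, CA2_PUB, 9999)
CA3 = issue("CA2", CA2_PRIV, "CA3", 3, CA3_PUB, 9999)
SERVER = issue("CA3", CA3_PRIV, "ftps.example", 4, SRV_PUB, 5000)   # hypothetical FTPS server
INTERMEDIATES = {"CA2": CA2, "CA3": CA3}
TRUSTED = {"CA1": CA1}                                              # the trusted-CA file
```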

Application
Currently, SSL is only used for FTPS and HTTPS applications (secure Web network management is an HTTPS application).
- FTPS
  FTPS is an extension of the commonly used FTP that adds support for SSL. Using SSL to authenticate the identities of the client and server, encrypt the data to be transmitted, and check message integrity, FTPS provides secure access to an FTP server.
  - Login to an FTPS server from a user terminal
    An SSL policy is configured on the FTP server. After a digital certificate is loaded and the FTPS server function is enabled on the server, you can log in to the server from a terminal on which SSL-capable FTP client software is installed, to securely operate on the files transmitted between the terminal and the server.
  - Login to an FTPS server from an FTPS client
    An SSL policy needs to be configured on, and a trusted-CA file needs to be loaded to, the FTP client to verify the identity of the certificate owner, sign a digital certificate to prevent eavesdropping and tampering, and manage the certificate and key.
    An SSL policy needs to be configured on, and a digital certificate needs to be loaded to, the FTP server to verify the validity of the trusted-CA file. This ensures that only authorized clients can log in to the server.
- HTTPS
  HTTPS is an extension of the commonly used HTTP that adds support for SSL. Using SSL to authenticate the identities of the client and server, encrypt the data to be transmitted, and check message integrity, HTTPS provides secure Web access.
  An SSL policy is configured on the device that functions as an HTTP server. After a digital certificate is loaded to the server and the HTTPS server function is enabled on it, users can log in to the server to remotely manage it using web pages.

1.9.2 Logging in to Other Devices Using Telnet


On most networks, multiple Switches need to be managed and maintained, but it may be impossible to connect some of these Switches to a PC terminal. In other cases, there may be no reachable route between a Switch and a PC terminal. You can log in to a local Switch and then use Telnet to log in to remote Switches to complete management and maintenance tasks.

Establishing the Configuration Task


Before configuring login to another device from the device that you have logged in to, familiarize
yourself with the applicable environment, complete the pre-configuration tasks, and obtain any
data required for the configuration. This will help you complete the configuration task quickly
and correctly.

Applicable Environment
Figure 1-40 Networking diagram for accessing another device from the device that you have logged in to (figure not reproduced; labels: PC, Network, SwitchA, Network, SwitchB)

As shown in Figure 1-40, you can use Telnet to log in to Switch A from a PC. You cannot,
however, manage Switch B remotely, because there is no reachable route between the PC and
Switch B. To manage Switch B remotely, you must use Telnet to log in to it from Switch A.
In this situation, Switch A functions as a Telnet client and Switch B functions as a server.

Pre-configuration Tasks
Before using Telnet to log in to another device on the network, complete the following tasks:
- 1.6.3 Logging in to Devices Using Telnet
- Configuring a reachable route between the client and the Telnet server

Data Preparation
To log in to another device by using Telnet, you need the following data:
- IP address or host name of SwitchB
- Number of the TCP port used by SwitchB to provide Telnet services

(Optional) Configuring a Source IP Address for a Telnet Client


You can configure a source IP address for a Telnet client and then use this address to set up a
Telnet connection from the client to server along a specific route.

Context
An IP address configured on an interface of the Switch is used as the source IP address of the Telnet connection, so that the Telnet server sees a fixed, known source address and can apply security checks to it.
The source of a client can be a source interface or a source IP address.
Do as follows on the Switch that functions as a Telnet client.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
telnet client-source { -a source-ip-address | -i interface-type interface-number }

The source IP address of the Telnet client is configured.

After the configuration, the source IP address of the Telnet client displayed on the Telnet server is the configured one.
----End

Logging in to Another Device by Using Telnet


You can use Telnet to log in to and manage another Switch.

Context
Telnet provides an interactive CLI for users to log in to a remote server. Users can first use Telnet
to log in to a host, and then remotely use Telnet again to log in to a remote host. This host can
then be remotely configured and managed. Not all hosts need to be connected directly to a
hardware terminal.
Do as follows on the Switch that serves as a Telnet client:

Procedure
- Run:
  telnet [ vpn-instance vpn-instance-name ] [ -a source-ip-address | -i interface-type interface-number ] host-name [ port-number ]

  You log in to the remote Switch from the current Switch and can manage it.

----End

Checking the Configuration


After you have logged in to another Switch from the Switch that you have logged in to, you can check information about the established TCP connection.

Prerequisites
All configurations for logging in to another device are complete.

Procedure
- Run the display tcp status command to check the status of all TCP connections.

----End

Example
Run the display tcp status command to view the status of TCP connections. The Established
status indicates that a TCP connection has been established.
<Quidway> display tcp status
TCPCB    Tid/Soid Local Add:port        Foreign Add:port      VPNID  State
39952df8 36 /1509 0.0.0.0:0             0.0.0.0:0             0      Closed
32af9074 59 /1    0.0.0.0:21            0.0.0.0:0             14849  Listening
34042c80 73 /17   10.164.39.99:23       10.164.6.13:1147             Established

1.9.3 Logging in to Another Device Using STelnet


STelnet provides secure Telnet services. You can use STelnet to log in to another Switch from
the Switch that you have logged in to and manage the device remotely.

Establishing the Configuration Task


Before configuring login to another device using STelnet, familiarize yourself with the applicable environment, complete the pre-configuration tasks, and obtain any data required for the configuration. This will help you complete the configuration task quickly and correctly.

Applicable Environment
Telnet logins are insecure because no secure authentication mechanism is available and data is
transmitted over TCP connections in plain text mode.
STelnet is a secure Telnet protocol. STelnet is based on SSH. SSH users can use STelnet services
in place of ordinary Telnet services.
In this configuration, the device that you have logged in to functions as an STelnet client, and the device that you want to log in to functions as an SSH server.

Pre-configuration Tasks
Before logging in to another device by using STelnet, complete the following tasks:
- 1.6.4 Logging in to Devices Using STelnet
- Configuring a reachable route between the client and the SSH server

Data Preparation
To log in to another device using STelnet, you need the following data:
- Name of the SSH server, and the public key that the client assigns to the SSH server
- IPv4 address or host name of the SSH server, number of the port monitored by the SSH server, preferred encryption algorithm for data from the SFTP client to the SSH server, preferred encryption algorithm for data from the SSH server to the SFTP client, preferred HMAC algorithm for data from the SFTP client to the SSH server, preferred HMAC algorithm for data from the SSH server to the SFTP client, and preferred key exchange algorithm
- User information for logging in to the SSH server

Configuring the First Successful Login to Another Device (Enabling First-Time Authentication on the SSH Client)
After first-time authentication is enabled on the SSH client, the STelnet client does not check the validity of the RSA or DSA public key when logging in to the SSH server for the first time.

Context
If first-time authentication on the SSH client is enabled, the STelnet client does not check the
validity of the RSA or DSA public key when logging in to the SSH server for the first time.
After the login, the system automatically allocates the RSA or DSA public key and saves it for
authentication at next login.
Do as follows on the Switch that serves as an SSH client:

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
ssh client first-time enable

First-time authentication on the SSH client is enabled.

By default, first-time authentication on the SSH client is disabled.

NOTE

l The purpose of enabling first-time authentication on the SSH client is to skip checking the validity of
the RSA or DSA public key on the SSH server when an STelnet client logs in to the SSH server for
the first time. The check is skipped because the STelnet client has not saved the RSA or DSA public
key of the SSH server.
l If an STelnet client logs in to the SSH server for the first time and first-time authentication is not enabled
on the SSH client, the STelnet client fails to pass the check of the RSA or DSA public key validity and
cannot log in to the server.
TIP

To ensure that an STelnet client can log in to an SSH server at the first attempt, you can assign an RSA or
DSA public key in advance to the SSH server on the SSH client in addition to enabling first-time
authentication on the SSH client.

----End

Configuring the First Successful Login to Another Device (Allocating a Public Key to the SSH Server)
To configure the first successful login to another device on an SSH client, you must allocate an
RSA or DSA public key to the SSH server before the login.

Context
If first-time authentication is not enabled on the SSH client, when the STelnet client logs in to
the SSH server for the first time, the STelnet client fails to pass the RSA or DSA public key
validity check and cannot log in to the server. You must allocate an RSA or DSA public key to
the SSH server before the STelnet client logs in to the SSH server.
Do as follows on the Switch that serves as an SSH client:

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
rsa peer-public-key key-name or dsa peer-public-key key-name encoding-type { der |
pem }

The public key view is displayed.


Step 3 Run:
public-key-code begin

The public key editing view is displayed.


Step 4 Run:
hex-data

The public key is edited.


The public key is a string of hexadecimal alphanumeric characters automatically generated by
an SSH client.

NOTE

l The RSA or DSA public key assigned to the SSH server must be generated on the server. Otherwise,
the validity check for the RSA or DSA public key on the STelnet client will fail.
l After entering the public key edit view, paste the RSA or DSA public key generated on the server to
the Switch that functions as the client.

Step 5 Run:
public-key-code end

Quit the public key editing view.


l If the specified hex-data is invalid, the public key cannot be generated after the peer-public-key end command is run.
l If the specified key-name is deleted in other views, the system prompts that the key does not
exist after the peer-public-key end command is run and the system view is displayed.
Step 6 Run:
peer-public-key end

Return to the system view from the public key view.


Step 7 Run:
ssh client servername assign { rsa-key | dsa-key } keyname

The RSA or DSA public key is assigned to the SSH server.


NOTE

If the RSA public key stored on the SSH client becomes invalid, run the undo ssh client servername
assign { rsa-key | dsa-key } command to cancel the association between the SSH client and the SSH server.
Then, run the ssh client servername assign { rsa-key | dsa-key } keyname command to allocate a new
RSA or DSA public key to the SSH server.

----End

Logging in to Another Device Using STelnet
You can use STelnet to log in to an SSH server from an SSH client.

Context
When accessing an SSH server, an STelnet client can carry the source address and the VPN
instance name, can choose the key exchange algorithm, encryption algorithm, or HMAC
algorithm, and can configure the keepalive function.
Do as follows on the Switch that serves as an SSH client:

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 According to the address type of the SSH server, select and run one of the following two
commands.
For IPv4 addresses,
Run the stelnet host-ipv4 [ port ] [ [ -vpn-instance vpn-instance-name ] | [ identity-key { dsa
| rsa } ] | [ prefer_kex { dh_group1 | dh_exchange_group } ] | [ prefer_ctos_cipher { des |
3des | aes128 } ] | [ prefer_stoc_cipher { des | 3des | aes128 } ] | [ prefer_ctos_hmac { sha1
| sha1_96 | md5 | md5_96 } ] | [ prefer_stoc_hmac { sha1 | sha1_96 | md5 | md5_96 } ] | [ -ki
aliveinterval ] | [ -kc alivecountmax ] ] * command. You can log in to the SSH server through
STelnet.
----End

Checking the Configuration


After configuring login to another device using STelnet, you can check the mappings between
all SSH servers of the STelnet client and the RSA or DSA public keys on the client, the global
configurations of the SSH servers, and information about sessions between the SSH servers and
the STelnet client.

Prerequisites
The configurations for logging in to another device by using STelnet are complete.

Procedure
l Run the display ssh server-info command to check the mappings between all SSH servers
of the SSH client and the RSA or DSA public keys on the client.

----End

Example
Run the display ssh server-info command to view the mappings between all servers of the SSH
client and the RSA or DSA public keys on the SSH client.
<Quidway> display ssh server-info
Server Name(IP)                                Server Public Key Type   Server public key name
______________________________________________________________________________
10.137.128.216                                 RSA                      10.137.128.216
10.137.128.217                                 RSA                      10.137.128.217
10.137.128.217                                 DSA                      sdfasdfasdfasdfasdfasdfadfasdf
127.0.0.1                                      RSA                      127.0.0.1
127.0.0.1                                      DSA                      10.137.128.217
1fff:00ffff:00ffff:0ffff:ffff:ffff:ffff:fff1   RSA                      1fff:00ffff:00ffff:0ffff:ffff:
1fff:00ffff:ffff:00ffff:000ffff:ffff:ffff:fff1 RSA                      1fff:00ffff:ffff:00ffff:000fff
1fff:ffff:ffff:00ffff:000ffff:ffff:ffff:fff1   RSA                      1fff:ffff:ffff:00ffff:000ffff:
1fff:ffff:ffff:ffff:ffff:ffff:00ffff:00000fff1 RSA                      1fff:ffff:ffff:ffff:ffff:ffff:
8.1.1.2                                        RSA                      8.1.1.2

1.9.4 Accessing Files on Another Device Using TFTP


You can configure the Switch as a TFTP client, and log in to the TFTP server to upload and
download files.

Establishing the Configuration Task


Before configuring access to another device using TFTP, familiarize yourself with the applicable
environment, complete the pre-configuration tasks, and obtain any data required for the
configuration. This will help you complete the configuration task quickly and correctly.

Applicable Environment
You can use TFTP in a simple interaction environment to transfer files between a server and
a client.
The current Switch functions as a TFTP client, and the Switch to be accessed functions as a TFTP
server.

Pre-configuration Tasks
Before configuring access to another device using TFTP, complete the following tasks:
l Configuring a reachable route between the client and TFTP server

Data Preparation
To access another device using TFTP, you need the following data.
No. Data
1 (Optional) Source address or source interface of the Switch that functions as a TFTP
client
2 IP address or host name of the TFTP server
3 Name of the specific file in the TFTP server and the file directory

(Optional) Configuring a Source IP Address for a TFTP Client


You can configure a source IP address for a TFTP client and then use the source IP address to
set up a TFTP connection from the TFTP client to the server along a specific route.

Context
An IP address is configured for an interface on the Switch and functions as the source IP address
of a TFTP connection. This allows implementation of security checks.
The source address of a client can be configured as a source interface or a source IP address.
Do as follows on a Switch that functions as a TFTP client.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
tftp client-source { -a source-ip-address | -i interface-type interface-number }

A source IP address of a TFTP client is configured.


After the configuration, the source IP address of the TFTP client displayed on the TFTP server
must be the same as the configured one.
----End

(Optional) Configuring TFTP Access Authority


This section describes how to use an ACL rule to specify which TFTP servers can be accessed
by using TFTP from the Switch that you have logged in to.

Context
An Access Control List (ACL) is a set of sequential rules. Rule descriptions are based on the
source addresses, destination addresses, and port numbers of packets. Switches use ACL rules to
filter packets. When a rule is applied to an interface on a Switch, the Switch permits or denies
packets based on the rule.
An ACL can define multiple rules. ACL rules are classified into the interface ACL, basic ACL,
and advanced ACL based on the functions of ACL rules.
NOTE

TFTP supports only the basic ACL (whose number ranges from 2000 to 2999).

Do as follows on the Switch that serves as the TFTP client:

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
acl acl-number

The ACL view is displayed.


Step 3 Run:
rule [ rule-id ] { deny | permit } [ fragment | logging | source { source-address
source-wildcard | any } | time-range time-name ] *

The ACL rule is configured.


Step 4 Run:
quit

The system view is displayed.


Step 5 Run the tftp-server acl acl-number command. You can use the ACL to limit the access to the
TFTP server.
----End

Downloading Files Using TFTP


You can download files from a TFTP server to a TFTP client.
Do as follows on the Switch that serves as the TFTP client:

Procedure
l Run the following command according to the type of the server IP address.
If the IP address of the server is an IPv4 address, run:
tftp [ -a source-ip-address | -i interface-type interface-number ] tftp-server [ public-net | vpn-instance vpn-instance-name ] get source-filename
[ destination-filename ]

The Switch is configured to download files through TFTP.


----End

Uploading Files Using TFTP


You can upload files from a TFTP client to a TFTP server.
Do as follows on the Switch that serves as the TFTP client:

Procedure
l Run the following command according to the type of the server IP address.
If the IP address of the server is an IPv4 address, run:
tftp [ -a source-ip-address | -i interface-type interface-number ] tftp-server [ public-net | vpn-instance vpn-instance-name ] put source-filename
[ destination-filename ]

The Switch is configured to upload files using TFTP.

If the IP address of the server is an IPv6 address, run:
----End

Checking the Configuration


When a device is configured as a TFTP client, you can check the source address of the client
and the configured ACL rule.

Prerequisites
Configurations for using the device as a TFTP client are complete.

Procedure
l Run the display tftp-client command to check the device address that is set to the source
address of the TFTP client.
l Run the display acl { name acl-name | acl-number | all } command to check the ACL rule
that is configured on the TFTP client.

----End

Example
Run the display tftp-client command to view the source address of the TFTP client.
<Quidway> display tftp-client
The source address of TFTP client is 1.1.1.1.

Run the display acl { name acl-name | acl-number | all } command to view the ACL rule that is
configured on the TFTP client.
<Quidway> display acl 2001
Basic ACL 2001, 2 rules,
Acl's step is 5
rule 5 permit
rule 10 permit source 2.2.2.2 0
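The following Python script is an added example (not part of this guide or the device software) that evaluates a basic ACL in the display acl format above against a candidate TFTP server address, so you can see which rule a server matches before applying the ACL with tftp-server acl. It assumes rules are tried in ascending rule-ID order with the first match winning, that a rule without a source clause matches any address, and it leaves the action for an address that matches no rule to the caller because this page does not state it.

```python
"""Evaluate a basic ACL (2000-2999) in 'display acl' format against a TFTP
server address.  Added example, not the device's own code.  Assumptions:
rules are tried in ascending rule-id order and the first match wins; a rule
without a 'source' clause (or with 'source any') matches every address; the
action for an address that matches no rule is supplied by the caller."""
import ipaddress
import re

RULE_RE = re.compile(
    r"rule\s+(?P<id>\d+)\s+(?P<action>permit|deny)"
    r"(?:\s+source\s+(?P<addr>\S+)(?:\s+(?P<wild>\S+))?)?\s*$"
)
ANY = (0, 0xFFFFFFFF)  # address 0.0.0.0 with an all-ones wildcard


def _wildcard(text: str) -> int:
    # 'display acl' prints a zero wildcard as the bare digit 0
    return int(text) if text.isdigit() else int(ipaddress.IPv4Address(text))


def parse_basic_acl(text: str) -> list:
    """Return [(rule_id, action, address, wildcard)] sorted by rule id.
    Lines that are not rules (the 'Basic ACL ...' header, the step line)
    are skipped so the raw command output can be fed in directly."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            continue
        addr = m.group("addr")
        if addr is None or addr == "any":
            address, wildcard = ANY
        else:
            address = int(ipaddress.IPv4Address(addr))
            wildcard = _wildcard(m.group("wild") or "0")
        rules.append((int(m.group("id")), m.group("action"), address, wildcard))
    return sorted(rules)


def acl_decision(rules: list, source_ip: str, default: str = "deny") -> tuple:
    """Return (action, rule_id) for the first rule that matches source_ip.
    A wildcard bit of 1 means 'do not compare this bit'; wildcard 0 is an
    exact host match.  (default, None) is returned when nothing matches."""
    ip = int(ipaddress.IPv4Address(source_ip))
    for rule_id, action, address, wildcard in rules:
        care = ~wildcard & 0xFFFFFFFF
        if ip & care == address & care:
            return action, rule_id
    return default, None


# The ACL shown by 'display acl 2001' on this page.
ACL_2001 = """\
Basic ACL 2001, 2 rules,
Acl's step is 5
rule 5 permit
rule 10 permit source 2.2.2.2 0
"""

# Constructed alternative that permits only the server 2.2.2.2: the host
# rule comes first and an explicit deny closes the list.
ACL_HOST_ONLY = """\
rule 5 permit source 2.2.2.2 0
rule 10 deny
"""

if __name__ == "__main__":
    for name, text in (("ACL 2001", ACL_2001), ("host-only", ACL_HOST_ONLY)):
        rules = parse_basic_acl(text)
        for server in ("2.2.2.2", "2.2.2.3"):
            action, rule_id = acl_decision(rules, server)
            print(f"{name}: {server} -> {action} (rule {rule_id})")
```

In ACL 2001, rule 5 has no source clause and therefore matches every server address, so rule 10 is never consulted; if the intent is to allow only 2.2.2.2, the host rule must come first, as in the constructed host-only ACL.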

1.9.5 Accessing Files on Another Device Using FTP


This section describes how to configure a Switch as an FTP client to log in to an FTP server, and
to upload files to or download files from the server.

Establishing the Configuration Task


Before configuring the use of FTP to access files on another device, familiarize yourself with
the applicable environment, complete the pre-configuration tasks, and obtain any data required
for the configuration. This will help you complete the configuration task quickly and correctly.

Applicable Environment
Before transmitting files between a client and a remote FTP server or managing directories on
the server, you can configure the Switch that you have logged in to as an FTP client. You can
then use FTP to access the FTP server for file transmission or directory management.

Pre-configuration Tasks
Before configuring the use of FTP to access files on another device, complete the following
tasks:
l Configuring a reachable route between the Switch and the FTP server

Data Preparation
To configure the use of FTP to access files on another device, you need the following data:
No. Data
1 (Optional) Source IP address or source interface of the Switch functioning as an FTP
client
2 Host name or IP address of the FTP server, port number of connecting FTP, login
username and password
3 Local file names and file names on the remote FTP server, name of the working
directory on the remote FTP server, name of the working directory on the local FTP
client, or directory name of the remote FTP server


(Optional) Configuring the Source IP Address and Interface of the FTP Client
This section describes how to configure the source IP address and interface of an FTP client to
connect to an FTP server.

Prerequisites
An IP address is configured for an interface on the Switch and functions as the source IP address
for an FTP connection. This allows implementation of security checks.
The source of a client can be a source interface or a source IP address.
Configuring a source interface as the source for a client is possible only if the system has a
loopback interface.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
ftp client-source { -a source-ip-address | -i interface-type interface-number }

The source address of the FTP client is configured.


After the source address of the FTP client is configured, you can run the display ftp-users
command on the FTP server to check that the displayed source address of the FTP client is the
same as the configured one.
----End

Connecting to Other Devices Using FTP Commands


You can run FTP commands to log in to other devices from the Switch that functions as the FTP
client.

Context
You can log in to the FTP server in the user view or the FTP view.
Do as follows on the Switch that serves as the client:

Procedure
Step 1 Run the following commands according to types of the server IP address.
l If the IP address of the server is an IPv4 address, do as follows:
In the user view, establish a connection to the FTP server.
Run:
ftp [ -a source-ip-address | -i interface-type interface-number ] host [ port-number ] [ public-net | vpn-instance vpn-instance-name ]

The Switch is connected to the FTP server.


In the FTP view, establish a connection to the FTP server.

1. In the user view, run:
ftp

The FTP view is displayed.

2. Run:
open [ -a source-ip-address | -i interface-type interface-number ] host
[ port-number ] [ public-net | vpn-instance vpn-instance-name ]

The Switch is connected to the FTP server.


NOTE

Before logging in to the FTP server, you can run the set net-manager vpn-instance
command to configure a default VPN instance. After a default VPN instance is configured,
it will be used for FTP operations.

----End

Managing Files Using FTP Commands


After logging in to an FTP server, you can use FTP commands to manage files. File operations
include configuring a file transmission method, checking online help about FTP commands,
uploading or downloading files, and managing directories and files.

Context
After logging in to an FTP server, you can perform the following operations:
l Configure a data type for transmission files and a file transmission method.
l Check the online help about FTP commands in the FTP client view.
l Upload local files to the remote FTP server, or download files from the FTP server and
save them locally.
l Create directories on or delete directories from the FTP server.
l Display information about a specified remote directory or a file of the FTP server, or delete
a specified file from the FTP server.

After logging in to the Switch that functions as a client and entering the FTP client view, you
can perform the following steps:

Procedure
l Configure the data type and transmission mode for the file.
Run:
ascii | binary

The data type of the file to be transmitted is set to ASCII or binary mode.


NOTE

FTP supports both ASCII and binary files. Their differences are as follows:
l In ASCII transmission mode, ASCII characters are used to separate carriage returns from
line feeds.
l In binary transmission mode, characters can be transferred without format conversion or
formatting.
Clients can select an FTP transmission mode as required. The system defaults to the ASCII
transmission mode. The client can use a mode switch command to switch between the ASCII
mode and the binary mode. The ASCII mode is used to transmit .txt files and the binary mode is
used to transmit binary files.

Run:
passive

The passive file transfer mode is configured.


Run:
verbose

The verbose mode for FTP is enabled.


When verbose is enabled, all FTP responses are displayed. After file transmission,
efficiency statistics are displayed.
l View online help for FTP commands.
Run:
remotehelp [ command ]

The online help of the FTP command is displayed.


l Upload or download files.
Upload or download a file.
Run:
put local-filename [ remote-filename ]

The local file is uploaded to the remote FTP server.


Run:
get remote-filename [ local-filename ]

The FTP file is downloaded from the FTP server and saved to the local file.
Upload or download multiple files.
Run the mput local-filenames command to upload multiple local files
synchronously to the remote FTP server.
Run the mget remote-filenames command to download multiple files from the FTP
server and save them locally.
NOTE

l When you are uploading or downloading files, and the prompt command is run in the FTP client
view to enable the file transmission prompt function, the system will prompt you to confirm the
uploading or downloading operation.
l If the prompt command is run again in the FTP client view, the file transmission prompt function
will be disabled.

Run one or more of the following commands to manage directories.
Run:
cd pathname

The working path of the remote FTP server is specified.


Run:
cdup

The working path of the FTP server is switched to the upper-level directory.
Run:
pwd

The specified directory of the FTP server is displayed.


Run:
lcd [ local-directory ]

The directory of the FTP client is displayed or changed.


Run:
mkdir remote-directory

A directory is created on the FTP server.


Run:
rmdir remote-directory

A directory is removed from the FTP server.


NOTE

l A directory name can use letters and digits, but not special characters such as <, >, ?, \ and :.
l When running the mkdir /abc command, you create a sub-directory named "abc".

Run one or more of the following commands to manage files.


Run:
ls [ remote-filename ] [ local-filename ]

The specified directory or file on the remote FTP server is displayed.


If the directory name is not specified when a specific remote file is selected, the system
searches the working directory for the specific file.
If local-filename is configured, the remote file can be saved in another local file.
Run:
dir [ remote-filename ] [ local-filename ]

The specified directory or file on the local FTP server is displayed.


If the directory name is not specified when a specific remote file is selected, the system
searches the working directory for the specific file.
If local-filename is configured, the remote file can be saved in another local file.
Run:
delete remote-filename

The specified file on the FTP server is deleted.


If the directory name is not specified when a specific remote file is selected, the system
searches the working directory for the specific file.
----End

Changing Login Users


After logging in to an FTP server, you can change the username on the client and re-log in to
the server with the new username.

Context
If you are logged in to the AC6605 functioning as an FTP client, you can switch to a different
username and log in to the FTP server without logging out of the FTP client view. The FTP
connection established in this way is identical to that established by running the ftp command.
Perform the following steps on the Switch that functions as a client:

Procedure
l Run:
user user-name [ password ]

The user that logged in to the FTP server earlier is changed and the new user logs in to the
server.
When the username that is used to log in to the FTP server is changed, the original
connection between the user and the FTP server is interrupted.
----End

Disconnecting from the FTP Server


You can terminate the connection with an FTP server and return to the user view or FTP view.

Context
Various commands can be used from the FTP client view to terminate a connection with an FTP
server.
Do as follows on the Switch that serves as the client.

Procedure
l Run one of the following commands depending on your system configurations.
Run:
bye

Or,
quit

The client Switch is disconnected from the FTP server and returns to the user view.

Run:
close

Or,
disconnect

The client Switch is disconnected from the FTP server and returns to the FTP view.
----End

Checking the Configuration


After the configurations for accessing other devices using FTP are complete, you can view the
source parameters configured on the FTP client.

Prerequisites
The configurations for accessing other devices using FTP are complete.

Procedure
l Run the display ftp-client command to view the source parameters of the FTP client.

----End

Example
Run the display ftp-client command to view the source parameters of the FTP client.
<Quidway> display ftp-client
The source address of FTP client is 1.1.1.1.

1.9.6 Accessing Files on Another Device Using SFTP


SFTP is a secure FTP service. After the Switch is configured as an SFTP client, the SFTP server
authenticates the client and encrypts data in both directions to provide secure data transmission.

Establishing the Configuration Task


Before configuring the use of SFTP to access files on another device, familiarize yourself with
the applicable environment, complete the pre-configuration tasks, and obtain any data required
for the configuration. This will help you complete the configuration task quickly and correctly.

Applicable Environment
SFTP is a secure FTP protocol. SFTP is based on SSH. It allows users to log in to a remote
device and transmit or manage files securely. You can log in to a remote SSH server from the
Switch that functions as an SFTP client.

Pre-configuration Tasks
Before configuring the use of SFTP to access files on another device, complete the following
tasks:
l Configuring a reachable route between the client and SSH server

Data Preparation
To use SFTP to access files on another device, you need the following data:
No. Data
1 (Optional) Name of the SSH server
2 (Optional) Public key that is assigned by the client to the SSH server
3 IPv4 or IPv6 address or host name of the SSH server
4 Number of the port monitored by the SSH server, preferred encryption algorithm for
data from the SFTP client to the SSH server, preferred encryption algorithm for data
from the SSH server to the SFTP client, preferred HMAC algorithm for data from the
SFTP client to the SSH server, preferred HMAC algorithm for data from the SSH
server to the SFTP client, preferred algorithm of key exchange, name of the outgoing
interface, source address
5 User information for logging in to the SSH server
6 Name and directory of a specified file on the SSH server

Configuring the First Successful Login to Another Device (Enabling the First-Time Authentication on the SSH Client)
After first-time authentication on the SSH client is enabled, the SFTP client does not check the
validity of the RSA or DSA public key when logging in to the SSH server for the first time.

Context
If first-time authentication on the SSH client is enabled, the SFTP client does not check the
validity of the RSA or DSA public key when logging in to the SSH server for the first time.
After the login, the system automatically allocates the RSA or DSA public key and saves it for
authentication at next login.
Do as follows on the Switch that serves as an SSH client:

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
ssh client first-time enable

First-time authentication on the SSH client is enabled.


By default, first-time authentication on the SSH client is disabled.
NOTE

l The purpose of enabling first-time authentication on the SSH client is to skip checking the validity of
the RSA or DSA public key on the SSH server when an STelnet client logs in to the SSH server for
the first time. The check is skipped because the STelnet client has not saved the RSA or DSA public
key of the SSH server.
l If an STelnet client logs in to the SSH server for the first time and first-time authentication is not enabled
on the SSH client, the STelnet client fails to pass the check of the RSA or DSA public key validity and
cannot log in to the server.


TIP

To ensure that an STelnet client can log in to an SSH server at the first attempt, you can assign an RSA or
DSA public key in advance to the SSH server on the SSH client in addition to enabling first-time
authentication on the SSH client.

----End

Configuring the First Successful Login to Another Device (Allocating a Public Key to the SSH Server)
To configure the first successful login to another device on an SSH client, you must allocate an
RSA or DSA public key to the SSH server before the login.

Context
If first-time authentication is not enabled on an SSH client, when the SFTP client logs in to an
SSH server for the first time, the SFTP client fails to pass the RSA or DSA public key validity
check and cannot log in to the server.
Do as follows on the Switch functioning as an SSH client:

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
rsa peer-public-key key-name or dsa peer-public-key key-name encoding-type { der |
pem }

The public key view is displayed.


Step 3 Run:
public-key-code begin

The public key editing view is displayed.


Step 4 Run:
hex-data

The public key is edited.


The public key is a string of hexadecimal alphanumeric characters automatically generated by
an SSH client.
NOTE

l The RSA or DSA public key assigned to the SSH server must be generated on the server. Otherwise,
the validity check for the RSA or DSA public key on the STelnet client will fail.
l After entering the public key edit view, paste the RSA or DSA public key generated on the server to
the Switch that functions as the client.

Step 5 Run:
public-key-code end

Quit the public key editing view.


l If the specified hex-data is invalid, the public key cannot be generated after the peer-public-key end command is run.
l If the specified key-name is deleted in other views, the system prompts that the key does not
exist after the peer-public-key end command is run and the system view is displayed.
Step 6 Run:
peer-public-key end

Return to the system view from the public key view.


Step 7 Run:
ssh client servername assign { rsa-key | dsa-key } keyname

The RSA or DSA public key is assigned to the SSH server.


NOTE

If the RSA public key stored on the SSH client becomes invalid, run the undo ssh client servername
assign { rsa-key | dsa-key } command to cancel the association between the SSH client and the SSH server.
Then, run the ssh client servername assign { rsa-key | dsa-key } keyname command to allocate a new
RSA or DSA public key to the SSH server.

----End
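The following Python script is an added example (not part of this guide or the device software) for the public-key allocation procedure above and for its STelnet counterpart earlier in this chapter: it decodes a hex-data public key before it is assigned with ssh client servername assign, derives an OpenSSH-style SHA256 fingerprint so the pasted key can be compared with the value reported by the server's administrator, and models the first-login outcome the two procedures describe. It assumes the pasted hex string is a DER-encoded PKCS#1 RSAPublicKey (SEQUENCE of the two INTEGERs n and e); the sample key values are constructed and are not a real modulus.

```python
"""Check a hex-data public key before assigning it to an SSH server entry.
Added example, not the device's own code.  Assumption: the hex string is a
DER-encoded PKCS#1 RSAPublicKey, i.e. SEQUENCE { INTEGER n, INTEGER e }."""
import base64
import hashlib


def _der_len(length: int) -> bytes:
    """DER length field: short form below 0x80, long form otherwise."""
    if length < 0x80:
        return bytes([length])
    body = length.to_bytes((length.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _unsigned(value: int) -> bytes:
    """Minimal big-endian encoding with a leading 0x00 when the top bit is set."""
    body = value.to_bytes((value.bit_length() + 7) // 8 or 1, "big")
    return b"\x00" + body if body[0] & 0x80 else body


def der_rsa_public_key(n: int, e: int) -> bytes:
    """Encode (n, e) as a DER RSAPublicKey; used here to build sample hex-data."""
    inner = b"".join(b"\x02" + _der_len(len(v)) + v for v in (_unsigned(n), _unsigned(e)))
    return b"\x30" + _der_len(len(inner)) + inner


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, value, position after the element) for one DER element."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        count = length & 0x7F
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length


def parse_hex_data(hex_data: str):
    """Decode the hex string pasted after public-key-code begin into (n, e).
    Whitespace and line breaks inside the pasted text are ignored."""
    raw = bytes.fromhex("".join(hex_data.split()))
    tag, seq, end = _read_tlv(raw, 0)
    if tag != 0x30 or end != len(raw):
        raise ValueError("hex-data is not a single DER SEQUENCE")
    tag_n, n_bytes, pos = _read_tlv(seq, 0)
    tag_e, e_bytes, pos = _read_tlv(seq, pos)
    if tag_n != 0x02 or tag_e != 0x02 or pos != len(seq):
        raise ValueError("expected SEQUENCE { INTEGER n, INTEGER e }")
    return int.from_bytes(n_bytes, "big"), int.from_bytes(e_bytes, "big")


def ssh_rsa_fingerprint(n: int, e: int) -> str:
    """OpenSSH-style SHA256 fingerprint of the ssh-rsa wire-format key blob."""
    def ssh_string(b: bytes) -> bytes:
        return len(b).to_bytes(4, "big") + b
    blob = ssh_string(b"ssh-rsa") + ssh_string(_unsigned(e)) + ssh_string(_unsigned(n))
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def key_matches(hex_data: str, expected_fingerprint: str) -> bool:
    """True when the pasted key is the one the server administrator reported."""
    return ssh_rsa_fingerprint(*parse_hex_data(hex_data)) == expected_fingerprint


def first_login_outcome(server: str, assigned_keys: dict, first_time_enabled: bool) -> str:
    """Outcome of a first STelnet/SFTP login as the two procedures describe it."""
    if server in assigned_keys:
        return "key-check"          # key assigned in advance: validity check runs
    if first_time_enabled:
        return "accept-and-save"    # check skipped, key saved for the next login
    return "rejected"               # no key and first-time authentication disabled


if __name__ == "__main__":
    # Constructed sample key: n is NOT a real modulus, it only exercises the encoding.
    sample_n, sample_e = (1 << 1023) | 0x1235, 65537
    hex_data = der_rsa_public_key(sample_n, sample_e).hex()
    print("fingerprint:", ssh_rsa_fingerprint(*parse_hex_data(hex_data)))
    print("key assigned in advance:", first_login_outcome("10.137.128.216", {"10.137.128.216": "rsa"}, False))
    print("no key, first-time disabled:", first_login_outcome("8.1.1.2", {}, False))
```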

Connecting to Other Devices by Using SFTP
You can use SFTP to log in to an SSH server from an SSH client.

Context
The command for enabling an SFTP client is similar to that of STelnet. When accessing an SSH
server, SFTP can carry the source address and the name of the VPN instance and choose the key
exchange algorithm, encryption algorithm, and HMAC algorithm, and configure the keepalive
function.
Do as follows on the Switch that serves as an SSH client.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 According to the address type of the SSH server, select and perform one of the two configurations
below.
l For IPv4 addresses,
Run:
sftp [ -a source-address | -i interface-type interface-number ] host-ipv4
[ port ] [ [ public-net | -vpn-instance vpn-instance-name ] | [ prefer_kex
{ dh_group1 | dh_exchange_group } ] | [ prefer_ctos_cipher { des | 3des |
aes128 } ] | [ prefer_stoc_cipher { des | 3des | aes128 } ] |
[ prefer_ctos_hmac { sha1 | sha1_96 | md5 | md5_96 } ] | [ prefer_stoc_hmac
{ sha1 | sha1_96 | md5 | md5_96 } ] | [ -ki aliveinterval ] | [ -kc
alivecountmax ] | [ identity-key { dsa | rsa } ] ] *

You can log in to the SSH server through SFTP.


----End

Managing Files Using SFTP Commands


You can use an SFTP client to manage directories and files on the SSH server, and check the
command help on the SFTP client.

Context
After logging in to an SSH server from an SFTP client, you can use the SFTP client to perform
the following operations:
l Create or delete directories on the SSH server, display the current working directory, or display a specified directory and the files in it.
l Rename files, delete files, display a file list, and upload or download files.
l Display the SFTP client command help.

After logging in to the Switch that functions as an SSH client and entering the SFTP client view,
you can perform the following steps:

Procedure
l Manage directories.
Perform the following steps as required:
Run:
cd [ remote-directory ]

The current operating directory of users is changed.


Run:
cdup

The view is switched to a directory one level up.


Run:
pwd

The current operating directory of users is displayed.


Run:
dir [ remote-directory ] or ls [ remote-directory ]

A list of files in the specified directory is displayed.


Run:
rmdir remote-directory & <1-10>

The directory on the server is deleted.


Run:
mkdir remote-directory

A directory is created on the server.


l Manage files.
Perform the following steps as required:
Run:
rename old-name new-name

The name of the specified file on the server is changed.


Run:
get remote-filename [ local-filename ]

The file on the remote server is downloaded.


Run:
put local-filename [ remote-filename ]

The local file is uploaded to the remote server.


Run:
remove remote-filename

The file on the server is removed.


l Display the SFTP client command help.
Run:
help [ all | command-name ]

The SFTP client command help is displayed.


----End

Checking the Configuration


After using SFTP to log in to another device, you can view the mappings between the SSH servers and the RSA or DSA public keys stored on the client, that is, which server public key the client will use to verify each server.

Prerequisites
The configuration for using SFTP to access files on another device is complete.

Procedure
l Run the display ssh server-info command to check the mappings between SSH servers and the RSA or DSA public keys on the SSH client.

----End

Example
Run the display ssh server-info command to view the mappings between all servers and the
RSA or DSA public keys on the SSH client.
<Quidway> display ssh server-info
Server Name(IP)                  Server Public Key Type    Server public key name
______________________________________________________________________________
10.137.128.216                   RSA                       10.137.128.216
10.137.128.217                   RSA                       10.137.128.217
10.137.128.217                   DSA                       sdfasdfasdfasdfasdfasdfadfasdf
8.1.1.2                          RSA                       8.1.1.2
10.1.1.1                         RSA                       key1

1.9.7 Accessing Files on Another Device by Using FTPS


The FTPS client verifies the identity of the FTPS server from its certificate, and the server then authenticates the user by user name and password over the encrypted channel, so that only authorized users reach the server and the transfer cannot be read or altered in transit.

Establishing the Configuration Task


Before configuring the use of FTPS to access files on another device, familiarize yourself with
the applicable environment, complete the pre-configuration tasks, and obtain the data required
for the configuration. This will help you complete the configuration task quickly and accurately.

Applicable Environment
Traditional FTP has no security mechanism: it transmits everything, including user names and passwords, in plain text. If the FTP server is configured with login user names and passwords, the server can authenticate clients, but the clients cannot authenticate the server, and transmitted data can be tampered with in transit.
FTPS addresses this as follows:
l Configure an SSL policy on the FTP client and load a trusted-CA file to the client.
l Configure an SSL policy on the FTP server and load a digital certificate to the server.
The client uses the trusted-CA file to verify the server's digital certificate, so that an authorized client connects only to the genuine server.
As shown in Figure 1-41:
l On the FTP client, an SSL policy is configured and a trusted-CA file is loaded. The trusted-CA file lets the client verify the identity of the certificate owner, and the resulting SSL session prevents eavesdropping and tampering.
l On the FTP server, an SSL policy is configured and a digital certificate (with its key file) is loaded. The server presents this certificate to clients; client users are then authenticated by user name and password over the protected channel, so that only authorized users log in to the server.

Figure 1-41 Accessing Files on Another Device by Using FTPS
FTP-Client (VLANIF20, 1.1.1.1/24) ---- Network ---- FTP-Server (VLANIF30, 1.1.1.2/24; VLANIF40, 192.168.0.2/24) ---- PC1


If the FTPS client and server are routable, you can log in to the FTPS server from the FTPS
client to remotely manage files.

Pre-configuration Tasks
Before configuring the use of FTPS to access files on another device, complete the following
tasks:
l Loading a trusted-CA file to the sub-directory named security of the system directory on the FTPS client
l Loading a digital certificate to the sub-directory named security of the system directory on the FTPS server

Data Preparation
To use FTPS to access files on another device, you need the following data:
l SSL policy name, trusted-CA file, (optional) CRL file, and IP address of the FTPS client
l Digital certificate and IP address of the FTPS server

Configuring the FTPS Client


An SSL policy needs to be configured on the FTP client and a trusted-CA file loaded to it. The FTPS client uses the trusted-CA file to authenticate the FTPS server, so that the client connects only to the genuine server before it sends any user credentials.

Context
A trusted-CA file can be in the PEM, ASN1, or PFX format:
l The PEM format is the most commonly used. The file name extension of a PEM digital certificate is .pem.
l The ASN1 format is a universal digital certificate format. The file name extension of an ASN1 digital certificate is .der.
l The PFX format is a universal digital certificate format. The file name extension of a PFX digital certificate is .pfx.
A CRL file can be in either the ASN1 or PEM format. The two formats carry the same contents.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
ssl policy policy-name


An SSL policy is configured and the SSL policy view is displayed.


Step 3 Load a trusted-CA file.
Run one of the following commands as required:
l Run:
trusted-ca load pem-ca ca-filename

A PEM trusted-CA file is loaded.


l Run:
trusted-ca load asn1-ca ca-filename

An ASN1 trusted-CA file is loaded.


l Run:
trusted-ca load pfx-ca ca-filename auth-code auth-code

A PFX trusted-CA file is loaded.


A maximum of four trusted-CA files can be loaded to an SSL policy. If multiple trusted-CA
files are loaded, these files will be added to the existing trusted-CA file list.
NOTE

l If only a single end-entity certificate (no chain) is loaded on the FTPS server, load all CA certificates from the issuing CA up to the root CA on the client, so that the client can build the full chain itself.
l If a certificate chain is loaded on the FTPS server, load only the root CA certificate on the client.

Step 4 (Optional) Run:


crl load { pem-crl | asn1-crl } crl-filename

A CRL is loaded.
A maximum of two CRL files can be loaded to an SSL policy. If multiple CRL files are loaded,
these files will be added to the existing CRL file list.
----End

Configuring the FTPS Server


FTPS is FTP extended with SSL support. SSL authenticates the server to the client and encrypts the data transmitted, so FTPS allows devices to be managed securely.

Context
The FTPS server needs to obtain a digital certificate from a CA. The client that will access the
server needs the CA certificate from the CA to verify the validity of the digital certificate of the
server.
NOTE

A CA is responsible for issuing and managing digital certificates. The digital certificate to be loaded to the
FTPS server must be obtained from a corresponding CA.

A digital certificate can be in the PEM, ASN1, or PFX format:
l The PEM format is the most commonly used. The file name extension of a PEM digital certificate is .pem. The PEM format is suited to text transmission between systems.
l The ASN1 format is a universal digital certificate format. The file name extension of an ASN1 digital certificate is .der. The ASN1 format is the default format for most browsers.
l The PFX format is a universal digital certificate format. The file name extension of a PFX digital certificate is .pfx. The PFX format is a binary format (PKCS#12, which bundles the certificate with its private key under a password, the auth-code) that can be converted into the PEM or ASN1 format.
Perform the following steps on the device that functions as an FTPS server:

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
ssl policy policy-name

An SSL policy is configured and the SSL policy view is displayed.


Step 3 Load a digital certificate.
Run one of the following commands as required:
l Run:
certificate load pem-cert cert-filename key-pair { dsa | rsa } key-file key-filename auth-code auth-code

A PEM digital certificate is loaded.


l Run:
certificate load asn1-cert cert-filename key-pair { dsa | rsa } key-file key-filename

An ASN1 digital certificate is loaded.


l Run:
certificate load pfx-cert cert-filename key-pair { dsa | rsa } { mac mac-code | key-file key-filename } auth-code auth-code

A PFX digital certificate is loaded.


l Run:
certificate load pem-chain cert-filename key-pair { dsa | rsa } key-file key-filename auth-code auth-code

A PEM digital certificate chain is loaded.


NOTE

Only one certificate or certificate chain can be loaded to an SSL policy. If a certificate or certificate chain
has been loaded, unload the certificate or certificate chain before loading a new certificate or certificate
chain.

Step 4 Run:
quit

Return to the system view.


Step 5 Run:
ftp secure-server ssl-policy policy-name

The SSL policy is applied to the FTPS server.


Step 6 Run:
ftp secure-server enable

The FTPS server function is enabled.


By default, the FTPS server function is disabled.
NOTE

Before enabling the FTPS server function, disable the FTP server function.

----End

Accessing an FTPS Server


You can use specified commands to log in to an FTPS server from an FTPS client to remotely
manage the FTPS server.

Procedure
l On an IPv4 network, in the user view, run:
ftp ssl-policy policy-name [ [ -a source-ip-address | -i interface-type interface-number ] host [ port-number ] [ public-net | vpn-instance vpn-instance-name ] ]

A control connection is established with the remote FTPS server and the FTP client view is displayed.
----End

Follow-up Procedure
The client can log in to the server only after the user name and password it enters are authenticated by the server. After logging in to the FTPS server, you operate files on the FTPS server in the same way as on an FTP server. Table 1-23 lists the file operations.
Table 1-23 File operations

Managing files

l Configuring the file type
  Run the ascii command to set the file type to ASCII.
  Run the binary command to set the file type to binary.
  The FTP file type is determined by the client. By default, the ASCII type is used.

l Configuring the data connection mode
  Run the passive command to set the data connection mode to PASV.
  Run the undo passive command to set the data connection mode to PORT.
  By default, the PASV mode is used.

l Uploading files
  Run the put local-filename [ remote-filename ] command to upload a file from the local device to a remote server.
  Run the mput local-filenames command to upload multiple files from the local device to a remote server.

l Downloading files
  Run the get remote-filename [ local-filename ] command to download a file from a remote server and save it on the local device.
  Run the mget remote-filenames command to download multiple files from a remote server and save them on the local device.

l Enabling the file transfer prompt function
  If the prompt command is run in the FTP client view, the file transfer prompt function is enabled and the system asks you to confirm each upload or download.
  If the prompt command is run again in the FTP client view, the file transfer prompt function is disabled.
  NOTE
  The prompt command applies when the mput or mget command is used to upload or download files. If a file to be downloaded by mget already exists on the local device, the system asks whether to overwrite it regardless of whether the file transfer prompt function is enabled.

l Enabling the FTP verbose function
  Run the verbose command.
  After the verbose function is enabled, all FTP response information is displayed. After a file transfer is complete, statistics about the transfer rate are displayed.

Managing directories

l Changing the working path of a remote FTP server
  Run the cd pathname command.

l Changing the working path of an FTP server to the parent directory
  Run the cdup command.

l Displaying the working path of an FTP server
  Run the pwd command.

l Displaying the files in the directory and the list of subdirectories
  Run the dir [ remote-directory [ local-filename ] ] command.
  If no path is specified for a remote file, the system searches for the file in the authorized directory of the user.

l Displaying a specified remote directory or file on an FTP server
  Run the ls [ remote-directory [ local-filename ] ] command.

l Displaying or changing the working path of an FTP client
  Run the lcd [ directory ] command.
  The lcd command displays the local working path of the FTP client, whereas the pwd command displays the working path of the remote FTP server.

l Creating a directory on an FTP server
  Run the mkdir remote-directory command.

l Deleting a directory from an FTP server
  Run the rmdir remote-directory command.
  The directory name can be a combination of letters and numbers, excluding special characters such as "<", ">", "?", "\", or ":".

Displaying online help for an FTP command
  Run the remotehelp [ command ] command.

Changing an FTP user
  Run the user username [ password ] command.

Checking the Configuration


After using FTPS to log in to another device, you can view the SSL policy and the trusted-CA file loaded on the FTPS client, and the SSL policy and the digital certificate loaded on the FTPS server.

Prerequisites
The configuration for using FTPS to access files on another device is complete.

Procedure
l Run the display ssl policy command to check the SSL policy configured on and the trusted-CA certificate loaded to the FTPS client, as well as the SSL policy configured on and the digital certificate loaded to the FTPS server.
l Run the display ftp-server command to check the SSL policy name and the FTPS server status.

----End

Example
Run the display ssl policy command on the FTPS client. The command output shows detailed
information about the configured SSL policy and loaded trusted-CA file.
<Quidway> display ssl policy
SSL Policy Name: ftp_client
Policy Applicants:
Key-pair Type:
Certificate File Type:
Certificate Type:
Certificate Filename:
Key-file Filename:
Auth-code:
MAC:
CRL File:
Trusted-CA File:
Trusted-CA File 1: Format = PEM, Filename = 1_cacert_pem_rsa.pem
Trusted-CA File 2: Format = PEM, Filename = 1_rootcert_pem_rsa.pem

Run the display ssl policy command on the FTPS server. The output shows detailed information about the configured SSL policy and the loaded digital certificate. Note that the auth-code protecting the server's key file is displayed in clear text, so restrict this command to administrators who are allowed to see it.
<Quidway> display ssl policy
SSL Policy Name: ftp_server
Policy Applicants: FTP secure-server
Key-pair Type: RSA
Certificate File Type: PEM
Certificate Type: certificate
Certificate Filename: 1_servercert_pem_rsa.pem
Key-file Filename: 1_serverkey_pem_rsa.pem
Auth-code: 123456
MAC:
CRL File:
Trusted-CA File:

Run the display ftp-server command on the FTPS server. The output shows that the SSL policy name is ftp_server and that the FTPS server is running while the plain FTP server is stopped.
<Quidway> display ftp-server
  FTP server is stopped
  Max user number                   5
  User count                        1
  Timeout value(in minute)          30
  Listening port                    21
  Acl number                        0
  FTP server's source address       0.0.0.0
  FTP SSL policy                    ftp_server
  FTP Secure-server is running

1.9.8 Configuration Examples


This section provides examples of accessing another device. Each example describes the networking requirements, configuration notes, and configuration roadmap.

Example for Logging in to Another Device by Using Telnet


This section provides an example of logging in to another device by using Telnet. In this example, the authentication mode and password are configured for users who log in through Telnet. Telnet carries the whole session, including this password, in clear text, so use it only on a trusted management network and prefer STelnet (the next example) elsewhere.

Networking Requirements
As shown in Figure 1-42, after logging in to Switch A, the user logs in to Switch B through Telnet on the default port 23.


Figure 1-42 Networking diagram of the remote login of the Ethernet user
PC ---- SwitchA (10.10.10.8/24) ---- SwitchB (10.10.10.9/24)

Switch     Interface              VLANIF interface    IP address
SwitchA    GigabitEthernet0/0/1   VLANIF 2            10.10.10.8/24
SwitchB    GigabitEthernet0/0/1   VLANIF 2            10.10.10.9/24

Configuration Roadmap
The configuration roadmap is as follows:
1. Assign IP addresses to Switch A and Switch B.
2. Configure an authentication mode and password on Switch B.
3. Log in to Switch B from Switch A.

Data Preparation
To complete the configuration, you need the following data:
l ID of the VLAN
l IP address and number of the interface on Switch A, which functions as the Telnet client
l IP address and number of the interface on Switch B, which functions as the Telnet server
l Authentication mode and password for users logging in to Switch B through Telnet

Procedure
Step 1 Assign IP addresses.
# Assign IP address to Switch A that functions as the Telnet client.
<SwitchA> system-view
[SwitchA] vlan 2
[SwitchA-vlan2] quit
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port hybrid pvid vlan 2
[SwitchA-GigabitEthernet0/0/1] port hybrid untagged vlan 2
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface vlanif 2
[SwitchA-Vlanif2] ip address 10.10.10.8 255.255.255.0
[SwitchA-Vlanif2] quit
[SwitchA]

# Assign an IP address to Switch B that functions as the Telnet server.


<SwitchB> system-view
[SwitchB] vlan 2
[SwitchB-vlan2] quit


[SwitchB] interface gigabitethernet 0/0/1


[SwitchB-GigabitEthernet0/0/1] port hybrid pvid vlan 2
[SwitchB-GigabitEthernet0/0/1] port hybrid untagged vlan 2
[SwitchB-GigabitEthernet0/0/1] quit
[SwitchB] interface vlanif 2
[SwitchB-Vlanif2] ip address 10.10.10.9 255.255.255.0
[SwitchB-Vlanif2] quit
[SwitchB]

Step 2 Configure the authentication mode and password for Switch B. With authentication-mode password, every VTY user shares the one password and logins cannot be attributed to a person; for per-user accounts use authentication-mode aaa with local users, as the STelnet example that follows does.


[SwitchB] user-interface vty 0 4
[SwitchB-ui-vty0-4] authentication-mode password
[SwitchB-ui-vty0-4] set authentication password cipher huawei
[SwitchB-ui-vty0-4] quit
[SwitchB]

Step 3 Verify the configuration.


# Log in to Switch B on Switch A through Telnet.
<SwitchA> telnet 10.10.10.9
Trying 10.10.10.9 ...
Press CTRL+K to abort
Connected to 10.10.10.9 ...
Login authentication
Password:
Info: The max number of VTY users is 20, and the number
of current VTY users on line is 2.
The current login time is 2012-03-20 11:04:45.
<SwitchB>

----End

Configuration Files
l Configuration file of Switch A


#
sysname SwitchA
#
vlan batch 2
#
interface Vlanif2
ip address 10.10.10.8 255.255.255.0
#
interface GigabitEthernet0/0/1
port hybrid pvid vlan 2
port hybrid untagged vlan 2
#
return

l Configuration file of Switch B


#
sysname SwitchB
#
vlan batch 2
#
interface Vlanif2
ip address 10.10.10.9 255.255.255.0
#
interface GigabitEthernet0/0/1
port hybrid pvid vlan 2
port hybrid untagged vlan 2
#
user-interface vty 0 4
authentication-mode password
set authentication password cipher %$%$axs[$3*Q;+hUY:0YxNS;X.%y]:elTpar].gl2eHPIZEDE4+&%$%$
#
return
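The configuration file of Switch B above is what a reviewer would flag: one shared VTY password and no restriction of the inbound protocol, so clear-text Telnet is accepted. The following Python script is an added example, not part of this guide or of Huawei's software; it parses VRP-style configuration text, finds the user-interface vty blocks and reports these two weaknesses. The hardened configuration it compares against (authentication-mode aaa plus protocol inbound ssh, the settings the STelnet example uses) is an assumption constructed here, as is the treatment of a missing protocol inbound line as the default that accepts Telnet, which the Telnet example above relies on.

```python
import re

# Constructed copies of the two configuration files from the Telnet example:
# Switch B as shown (Telnet, one shared password) and a hardened variant
# (an assumption here, not from the guide) using AAA and SSH only.
SWITCHB_CONFIG = """\
#
sysname SwitchB
#
vlan batch 2
#
interface Vlanif2
 ip address 10.10.10.9 255.255.255.0
#
interface GigabitEthernet0/0/1
 port hybrid pvid vlan 2
 port hybrid untagged vlan 2
#
user-interface vty 0 4
 authentication-mode password
 set authentication password cipher %$%$axs[$3*Q;+hUY:0YxNS;X.%y]:elTpar].gl2eHPIZEDE4+&%$%$
#
return
"""

HARDENED_CONFIG = """\
#
sysname SwitchB
#
user-interface vty 0 4
 authentication-mode aaa
 protocol inbound ssh
#
return
"""

VTY_HEADER = re.compile(r"^user-interface vty \d+(?: \d+)?$")


def parse_vty_blocks(config: str) -> dict:
    """Map each 'vty a b' user-interface block to the lines configured under it."""
    blocks = {}
    current = None
    for raw in config.splitlines():
        line = raw.strip()
        if line == "#":                  # '#' separates VRP configuration blocks
            current = None
        elif VTY_HEADER.match(line):
            current = line[len("user-interface "):]   # e.g. 'vty 0 4'
            blocks[current] = []
        elif current is not None and line:
            blocks[current].append(line)
    return blocks


def audit_vty(config: str) -> list:
    """Return one finding per weak setting found on each VTY block."""
    findings = []
    for name, lines in parse_vty_blocks(config).items():
        modes = [l.split()[-1] for l in lines if l.startswith("authentication-mode ")]
        mode = modes[-1] if modes else "(default)"
        if mode == "none":
            findings.append(f"{name}: authentication-mode none, unauthenticated remote access")
        elif mode == "password":
            findings.append(f"{name}: authentication-mode password, one shared password and "
                            "no per-user accountability; use authentication-mode aaa with local users")
        protos = [l.split()[-1] for l in lines if l.startswith("protocol inbound ")]
        # No 'protocol inbound' line means the default, which on this release
        # accepts Telnet as well as SSH (the Telnet example above relies on it).
        inbound = protos[-1] if protos else "all"
        if inbound != "ssh":
            findings.append(f"{name}: protocol inbound {inbound}, clear-text Telnet logins accepted; "
                            "set protocol inbound ssh")
    return findings


if __name__ == "__main__":
    for finding in audit_vty(SWITCHB_CONFIG):
        print(finding)
```

Run it against a saved configuration file (display current-configuration output) to get the same two findings for any VTY block still left at the Telnet defaults; the hardened block yields none.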

Example for Configuring the Device as the STelnet Client to Connect to the SSH
Server
This section provides an example of logging in to another device by using STelnet. In this example, local key pairs are generated on the STelnet client and on the SSH server; the RSA public key generated on the client is then entered on the SSH server and bound to the client's SSH user, so that the STelnet client can authenticate to the SSH server with its key.

Networking Requirements
As shown in Figure 1-43, after the STelnet service is enabled on the SSH server, an STelnet client can log in to the SSH server in password, RSA, password-rsa, or all authentication mode. In this example, a Huawei Switch functions as the SSH server.
The following login users need to be configured:
l Client001, with the password huawei and the authentication mode password
l Client002, with the public key RsaKey001 and the authentication mode RSA
The user interface supports only the SSH protocol.


Figure 1-43 Networking diagram for logging in to another device by using STelnet
SSH Server (10.164.39.222/24) ---- Client001 (10.164.39.220/24), Client002 (10.164.39.221/24)

Switch        Interface              VLANIF interface    IP address
SSH server    GigabitEthernet0/0/1   VLANIF 10           10.164.39.222/24
Client001     GigabitEthernet0/0/1   VLANIF 10           10.164.39.220/24
Client002     GigabitEthernet0/0/1   VLANIF 10           10.164.39.221/24

Configuration Roadmap
The configuration roadmap is as follows:
1. Create a VLAN that each interface belongs to and assign an IP address to each VLANIF interface.
2. Configure Client001 and Client002 to log in to the SSH server in different authentication modes.
3. Create a local RSA key pair on the STelnet client Client002 and on the SSH server, and bind the RSA public key of Client002 to the SSH user client002 so that the server can authenticate the client when it logs in.
4. Enable the STelnet service on the SSH server.
5. Set the service type of Client001 and Client002 to STelnet.
6. Enable first-time authentication on the SSH clients.
7. Log in to the SSH server through STelnet as Client001 and Client002.

Data Preparation
To complete the configuration, you need the following data:
l IP addresses of the SSH server and clients, as shown in Figure 1-43
l Client001, with the password huawei and password authentication
l Client002, with RSA authentication and the public key RsaKey001 assigned to it
l IP address of the SSH server: 10.164.39.222

Procedure
Step 1 Create a VLAN that each interface belongs to and assign an IP address to each VLANIF interface.
Create VLAN 10 on the Switch that functions as the server and assign IP address
10.164.39.222/24 to interface VLANIF10.
<Quidway> system-view
[Quidway] vlan 10
[Quidway-vlan10] quit
[Quidway] interface gigabitethernet 0/0/1
[Quidway-GigabitEthernet0/0/1] port hybrid pvid vlan 10
[Quidway-GigabitEthernet0/0/1] port hybrid untagged vlan 10
[Quidway-GigabitEthernet0/0/1] quit
[Quidway] interface vlanif 10
[Quidway-Vlanif10] ip address 10.164.39.222 24

Assigning an IP address to the Switch that functions as Client001 or Client002 is the same as
assigning an IP address to VLANIF 10, and is not mentioned here.
Step 2 Create a local key pair on the SSH server. When prompted for the modulus size, enter 2048 rather than accepting the 512-bit default shown below: 512-bit RSA keys can be factored with modest resources and must not protect management access.
<Quidway> system-view
[Quidway] rsa local-key-pair create
The key name will be: Quidway_Host
The range of public key size is (512 ~ 2048).
NOTES:If the key modulus is greater than 512,
It will take a few minutes.
Input the bits in the modulus[default = 512]:
Generating keys...
.......++++++++++++
..........++++++++++++
...................................++++++++
......++++++++

Step 3 Create an SSH user on the server.



NOTE

SSH users can be authenticated in four modes: password, RSA, password-rsa, and all.
l Before configuring the authentication mode of password or password-rsa, you must configure a local
user.
l Before configuring the authentication mode of RSA, password-rsa, or all, you must copy the RSA
public key of the SSH client to the server.

# Configure a VTY user interface.


[Quidway] user-interface vty 0 4
[Quidway-ui-vty0-4] authentication-mode aaa
[Quidway-ui-vty0-4] protocol inbound ssh
[Quidway-ui-vty0-4] quit

l Create an SSH user named Client001.


# Create an SSH user named Client001 and configure the authentication mode as
password for the user.
[Quidway] ssh user client001
[Quidway] ssh user client001 authentication-type password

# Set the password of Client001 to huawei.


[Quidway] aaa
[Quidway-aaa] local-user client001 password cipher huawei
[Quidway-aaa] local-user client001 service-type ssh

l # Create an SSH user named Client002 and configure the authentication mode as RSA for
the user.
[Quidway] ssh user client002
[Quidway] ssh user client002 authentication-type rsa

Step 4 Generate an RSA key pair on the client and configure its public key on the server.


# Create a local key pair on the client.
<Quidway> system-view
[Quidway] sysname client002
[client002] rsa local-key-pair create

# Check the RSA public key generated on the client.


[client002] display rsa local-key-pair public
=====================================================
Time of Key pair created: 16:38:51 2007/5/25
Key name: client002_Host
Key type: RSA encryption Key
=====================================================
Key code:
3047
0240
BFF35E4B C61BD786 F907B5DE 7D6770C3 E5FD17AB
203C8FCB BBC8FDF2 F7CB674E 519E8419 0F6B97A8
EA91FC4B B9E18836 5E74BFD5 4C687767 A89C6B43
1D7E3E1B
0203
010001
Host public key for PEM format code:
---- BEGIN SSH2 PUBLIC KEY ----
AAAAB3NzaC1yc2EAAAADAQABAAAAQQC/815LxhvXhvkHtd59Z3DD5f0XqyA8j8u7
yP3y98tnTlGehBkPa5eo6pH8S7nhiDZedL/VTGh3Z6ica0Mdfj4b
---- END SSH2 PUBLIC KEY ----
Public key code for pasting into OpenSSH authorized_keys file :
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAQQC/815LxhvXhvkHtd59Z3DD5f0XqyA8j8u7yP3y98tnTlGehBkPa5eo6pH8S7nhiDZedL/VTGh3Z6ica0Mdfj4b rsa-key


=====================================================
Time of Key pair created: 16:38:51 2007/5/25
Key name: client002_Server
Key type: RSA encryption Key
=====================================================
Key code:
3067
0260
BCFAC085 49A2E70E 1284F901 937D7B63 D7A077AB
D2797280 4BCA86C0 4CD18B70 5DFAC9D3 9A3F3E74
9B2AF4CB 69FA6483 E87DA590 7B47721A 16391E27
1C76ABAB 743C568B 1B35EC7A 8572A096 BCA9DF0E
BC89D3DB 5A83698C 9063DB39 A279DD89
0203
010001
[client002]

# On the server, enter the RSA public key generated on the client (the Key code of client002_Host shown above).
[Quidway] rsa peer-public-key RsaKey001
Enter "RSA public key" view, return system view with "peer-public-key end".
[Quidway-rsa-public-key] public-key-code begin
Enter "RSA key code" view, return last view with "public-key-code end".
[Quidway-rsa-key-code] 3047
[Quidway-rsa-key-code] 0240
[Quidway-rsa-key-code] BFF35E4B C61BD786 F907B5DE 7D6770C3 E5FD17AB
[Quidway-rsa-key-code] 203C8FCB BBC8FDF2 F7CB674E 519E8419 0F6B97A8
[Quidway-rsa-key-code] EA91FC4B B9E18836 5E74BFD5 4C687767 A89C6B43
[Quidway-rsa-key-code] 1D7E3E1B
[Quidway-rsa-key-code] 0203
[Quidway-rsa-key-code] 010001
[Quidway-rsa-key-code] public-key-code end
[Quidway-rsa-public-key] peer-public-key end
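The key code typed between public-key-code begin and public-key-code end is the RSA public key as a DER-style SEQUENCE of two INTEGERs, modulus then exponent, which is why the block above starts with 3047 0240 and ends with 0203 010001. The Python script below is an added example, not part of this guide or of Huawei's software: it converts an OpenSSH authorized_keys line (the form that display rsa local-key-pair public prints last) into that key code, so the block can be pasted instead of retyped. Two points are inferred or assumed rather than stated by the guide: the layout without the 0x00 sign byte in front of the modulus is inferred from the sample output above, and the strict_der switch is an assumption for releases that expect standard DER (with that byte).

```python
import base64
import struct

# The public key that 'display rsa local-key-pair public' printed for client002
# in the example above, in the OpenSSH authorized_keys line form.
SAMPLE_OPENSSH_KEY = (
    "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAQQC/815LxhvXhvkHtd59Z3DD5f0XqyA8j8u7"
    "yP3y98tnTlGehBkPa5eo6pH8S7nhiDZedL/VTGh3Z6ica0Mdfj4b rsa-key"
)


def _ssh_string(blob: bytes, offset: int) -> tuple:
    """Read one RFC 4251 'string' (uint32 big-endian length, then bytes)."""
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    start = offset + 4
    if start + length > len(blob):
        raise ValueError("truncated SSH key blob")
    return blob[start:start + length], start + length


def _der_length(n: int) -> bytes:
    """DER length octets: one byte below 128, otherwise 0x80|count then the length."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _integer_body(value: bytes, strict_der: bool) -> bytes:
    # An SSH mpint already carries a 0x00 sign byte when the top bit is set.
    # The key code shown in this guide (3047 0240 BFF3...) omits that byte,
    # so it is stripped by default; strict_der=True keeps real DER (assumed
    # for releases that expect it).
    value = value.lstrip(b"\x00") or b"\x00"
    if strict_der and value[0] & 0x80:
        value = b"\x00" + value
    return value


def openssh_rsa_to_vrp_keycode(pubkey_line: str, strict_der: bool = False) -> list:
    """Return the VRP 'Key code' lines for an 'ssh-rsa <base64> [comment]' line."""
    fields = pubkey_line.split()
    if len(fields) < 2 or fields[0] != "ssh-rsa":
        raise ValueError("expected an 'ssh-rsa <base64>' public key line")
    blob = base64.b64decode(fields[1])
    key_type, off = _ssh_string(blob, 0)
    if key_type != b"ssh-rsa":
        raise ValueError("blob is not an ssh-rsa key")
    exponent, off = _ssh_string(blob, off)   # e, usually 0x010001
    modulus, _ = _ssh_string(blob, off)      # n, big-endian mpint

    n_body = _integer_body(modulus, strict_der)
    e_body = _integer_body(exponent, strict_der)
    n_hdr = b"\x02" + _der_length(len(n_body))
    e_hdr = b"\x02" + _der_length(len(e_body))
    seq_hdr = b"\x30" + _der_length(len(n_hdr) + len(n_body) + len(e_hdr) + len(e_body))

    # Same layout as the display output: SEQUENCE header, modulus header,
    # modulus as rows of five 4-byte words, exponent header, exponent.
    lines = [seq_hdr.hex().upper(), n_hdr.hex().upper()]
    words = [n_body[i:i + 4].hex().upper() for i in range(0, len(n_body), 4)]
    lines += [" ".join(words[i:i + 5]) for i in range(0, len(words), 5)]
    lines += [e_hdr.hex().upper(), e_body.hex().upper()]
    return lines


def vrp_peer_public_key_commands(key_name: str, pubkey_line: str) -> str:
    """The complete 'rsa peer-public-key' block to paste into the system view."""
    body = "\n".join(" " + line for line in openssh_rsa_to_vrp_keycode(pubkey_line))
    return (
        f"rsa peer-public-key {key_name}\n"
        " public-key-code begin\n"
        f"{body}\n"
        " public-key-code end\n"
        " peer-public-key end"
    )


if __name__ == "__main__":
    print(vrp_peer_public_key_commands("RsaKey001", SAMPLE_OPENSSH_KEY))
```

Paste the printed block into the server's system view exactly as Step 4 does by hand; for the sample key it reproduces the 3047 0240 ... 0203 010001 lines above. Compare the key's fingerprint with the client over a second channel before binding it, since whoever controls the key bound by ssh user client002 assign rsa-key gets client002's access.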

Step 5 Bind the RSA public key of the SSH client to Client002.
[Quidway] ssh user client002 assign rsa-key RsaKey001

Step 6 Enable the STelnet service on the SSH server.


# Enable the STelnet service.
[Quidway] stelnet server enable

Step 7 Set the service type of Client001 and Client002 to STelnet.


[Quidway] ssh user client001 service-type stelnet
[Quidway] ssh user client002 service-type stelnet

Step 8 Connect the STelnet clients to the SSH server.

# First-time authentication must be enabled on an SSH client before its first login to a server whose public key it does not yet hold. With it enabled, the client accepts and saves whatever host key the server presents, so verify that key out of band, or pre-assign the server's key with the ssh client servername assign command described earlier in this section instead.
# Enable first-time authentication on Client001.
<Quidway> system-view
[Quidway] sysname client001
[client001] ssh client first-time enable

# Enable first-time authentication on Client002.


[client002] ssh client first-time enable

# Client001 logs in to the SSH server in password authentication mode by entering the user
name and password.
<client001> system-view
[client001] stelnet 10.164.39.222
Please input the username:client001
Trying 10.164.39.222 ...


Press CTRL+K to abort


Connected to 10.164.39.222 ...
The server is not authenticated. Continue to access it?(Y/N):y
Save the server's public key?(Y/N):y
The server's public key will be saved with the name: 10.164.39.222. Please wait...
Enter password:

Enter the password huawei, and information indicating that the login succeeds is displayed as
follows:
Info: The max number of VTY users is 20, and the number
of current VTY users on line is 1.
<Quidway>

# Client002 logs in to the SSH server in RSA authentication mode.
<client002> system-view
[client002] stelnet 10.164.39.222
Please input the username: client002
Trying 10.164.39.222 ...
Press CTRL+K to abort
Connected to 10.164.39.222 ...
The server is not authenticated. Continue to access it? [Y/N] :y
Save the server's public key? [Y/N] :y
The server's public key will be saved with the name 10.137.217.202. Please wait.
..
Info: The max number of VTY users is 20, and the number
of current VTY users on line is 2.
<Quidway>

Step 9 Verify the configuration.

After the configuration, run the display ssh server status and display ssh server session
commands on the SSH server. You can view that the STelnet service is enabled, and that the STelnet
client logs in to the server successfully.
# Check the status of the SSH server.
[Quidway] display ssh server status
SSH version                         :1.99
SSH connection timeout              :60 seconds
SSH server key generating interval  :0 hours
SSH authentication retries          :3 times
SFTP server                         :Disable
Stelnet server                      :Enable
Scp server                          :Disable

# Check the connection of the SSH server.
[Quidway] display ssh server session
Session 1:
Conn                : VTY 1
Version             : 2.0
State               : started
Username            : client001
Retry               : 1
CTOS Cipher         : aes128-cbc
STOC Cipher         : aes128-cbc
CTOS Hmac           : hmac-sha1-96
STOC Hmac           : hmac-sha1-96
CTOS Compress       : none
STOC Compress       : none
Kex                 : diffie-hellman-group1-sha1
Service Type        : stelnet
Authentication Type : password
Session 2:
Conn                : VTY 2
Version             : 2.0
State               : started
Username            : client002
Retry               : 1
CTOS Cipher         : aes128-cbc
STOC Cipher         : aes128-cbc
CTOS Hmac           : hmac-sha1-96
STOC Hmac           : hmac-sha1-96
CTOS Compress       : none
STOC Compress       : none
Kex                 : diffie-hellman-group1-sha1
Service Type        : stelnet
Authentication Type : rsa

# Check information about the SSH user.
[Quidway] display ssh user-information
User 1:
User Name            : client001
Authentication-type  : password
User-public-key-name :
Sftp-directory       :
Service-type         : stelnet
Authorization-cmd    : No
User 2:
User Name            : client002
Authentication-type  : rsa
User-public-key-name : RsaKey001
Sftp-directory       :
Service-type         : stelnet
Authorization-cmd    : No

----End

Configuration Files
l Configuration file of the Quidway, the SSH server
#
sysname Quidway
#
vlan batch 10
#
interface Vlanif10
ip address 10.164.39.222 255.255.255.0
#
rsa peer-public-key rsakey001
public-key-code begin
3047
0240
BFF35E4B C61BD786 F907B5DE 7D6770C3 E5FD17AB 203C8FCB BBC8FDF2 F7CB674E
519E8419 0F6B97A8 EA91FC4B B9E18836 5E74BFD5 4C687767 A89C6B43
1D7E3E1B
0203
010001
public-key-code end
peer-public-key end
#
aaa
local-user client001 password cipher %$%$6\ZH#;zYJ*HXE["UyioO-vmd%$%$
local-user client001 service-type ssh
#
stelnet server enable
ssh user client001
ssh user client002
ssh user client001 authentication-type password
ssh user client002 authentication-type rsa
ssh user client002 assign rsa-key RsaKey001
ssh user client001 service-type stelnet
ssh user client002 service-type stelnet
#
interface GigabitEthernet0/0/1
port hybrid pvid vlan 10
port hybrid untagged vlan 10
#
user-interface vty 0 4
authentication-mode aaa
protocol inbound ssh
#
return

l Configuration file of Client001, the SSH client
#
sysname client001
#
vlan batch 10
#
interface Vlanif10
ip address 10.164.39.220 255.255.255.0
#
ssh client first-time enable
#
interface GigabitEthernet0/0/1
port hybrid pvid vlan 10
port hybrid untagged vlan 10
#
return

l Configuration file of Client002, the SSH client
#
sysname client002
#
vlan batch 10
#
interface Vlanif10
ip address 10.164.39.221 255.255.255.0
#
ssh client first-time enable
#
interface GigabitEthernet0/0/1
port hybrid pvid vlan 10
port hybrid untagged vlan 10
#
return

Example for Accessing Files on Another Device by Using TFTP


In this example, the TFTP application is run on the TFTP server and the location of the source
file on the server is set. After that, you can upload and download files.

Networking Requirements
As shown in Figure 1-44, the remote server at 10.1.1.2 functions as the TFTP server.
The Switch acts as the TFTP client, and its IP address is 10.1.1.1/24.
The Switch downloads files from the TFTP server.

Figure 1-44 Networking diagram for accessing files on another device by using TFTP
(A PC connects to the Switch, the TFTP client, over a configuration cable; the TFTP session runs between the TFTP client and the TFTP server.)

Configuration Roadmap
The configuration roadmap is as follows:
1. Run the TFTP software on the TFTP server and set the position where the source file is
   located on the Switch.
2. Download files through TFTP commands on the Switch.

Data Preparation
To complete the configuration, you need the following data:
l TFTP software installed on the TFTP server
l Path of the source file on the TFTP server
l Name of the destination file and position where the destination file is located on the Switch

Procedure
Step 1 Enable TFTP on the remote server to ensure that the TFTP application software is started.
Step 2 Create VLAN 10 on the Switch and assign the IP address 10.1.1.1/24 to VLANIF 10.
<Quidway> system-view
[Quidway] vlan 10
[Quidway-vlan10] quit
[Quidway] interface gigabitethernet 0/0/1
[Quidway-GigabitEthernet0/0/1] port hybrid pvid vlan 10
[Quidway-GigabitEthernet0/0/1] port hybrid untagged vlan 10
[Quidway-GigabitEthernet0/0/1] quit
[Quidway] interface vlanif 10
[Quidway-Vlanif10] ip address 10.1.1.1 24

Step 3 On the Switch, initiate a connection to the TFTP server and download the 8031.cc file.
<Quidway> tftp 10.1.1.2 get 8031.cc 8031new.cc
Info: Transfer file in binary mode.
Downloading the file from the remote tftp server, please wait...

----End

Configuration Files
#
sysname Quidway
#
vlan batch 10
#
interface Vlanif10
ip address 10.1.1.1 255.255.255.0
#
interface GigabitEthernet0/0/1
port hybrid pvid vlan 10
port hybrid untagged vlan 10
#
return

Example for Accessing Files on Another Device by Using FTP


This section provides an example for accessing files on another device by using FTP. In this
example, a user logs in to the FTP server from the Switch to download system software and
configuration software from the FTP server.

Networking Requirements
As shown in Figure 1-45, the remote server at 10.1.1.2 serves as the FTP server. The Switch
and the FTP server are directly connected and on the same network segment. The Switch has a
reachable route to the FTP server.
The Switch acts as the FTP client. Interfaces ranging from GigabitEthernet0/0/1 to
GigabitEthernet0/0/4 can be used to set up FTP connections and they share the IP address
10.1.1.1.
The Switch downloads files from the FTP server.
Figure 1-45 Networking diagram for accessing files on another device by using FTP
(A PC connects to the Switch, the FTP client, over a configuration cable; the FTP session runs between the FTP client and the FTP server.)

Configuration Roadmap
The configuration roadmap is as follows:
1. Log in to the FTP server from the FTP client.
2. Download files from the server to the storage device of the client.

Data Preparation
To complete the configuration, you need the following data:
l IP address of the FTP server
l Name of the destination file and position where the destination files are located on the
  Switch
l Name of the FTP user set as u1 and the password set as ftppwd on the client

Procedure
Step 1 Enable FTP on the remote FTP server. Add an FTP user named u1 and set the password to
ftppwd.
Step 2 Create VLAN 10 on the Switch and assign the IP address 10.1.1.1 to VLANIF10.
<Quidway> system-view
[Quidway] vlan 10
[Quidway-vlan10] quit
[Quidway] interface gigabitethernet 0/0/1
[Quidway-GigabitEthernet0/0/1] port hybrid pvid vlan 10
[Quidway-GigabitEthernet0/0/1] port hybrid untagged vlan 10
[Quidway-GigabitEthernet0/0/1] quit
[Quidway] interface gigabitethernet 0/0/2
[Quidway-GigabitEthernet0/0/2] port hybrid pvid vlan 10
[Quidway-GigabitEthernet0/0/2] port hybrid untagged vlan 10
[Quidway-GigabitEthernet0/0/2] quit
[Quidway] interface gigabitethernet 0/0/3
[Quidway-GigabitEthernet0/0/3] port hybrid pvid vlan 10
[Quidway-GigabitEthernet0/0/3] port hybrid untagged vlan 10
[Quidway-GigabitEthernet0/0/3] quit
[Quidway] interface gigabitethernet 0/0/4
[Quidway-GigabitEthernet0/0/4] port hybrid pvid vlan 10
[Quidway-GigabitEthernet0/0/4] port hybrid untagged vlan 10
[Quidway-GigabitEthernet0/0/4] quit
[Quidway] interface vlanif 10
[Quidway-Vlanif10] ip address 10.1.1.3 24

Step 3 On the Switch, initiate a connection to the FTP server with the user name u1 and the password
ftppwd.
<Quidway> ftp 10.1.1.2
Trying 10.1.1.2 ...
Press CTRL+K to abort
Connected to 10.1.1.2.
220 FTP service ready.
User(10.1.1.2:(none)):u1
331 Password required for u1.
Enter password:
230 User logged in.
[ftp]

Step 4 On the Switch, set the file transfer mode to binary and the local directory to the flash directory.
[ftp] binary
200 Type set to I.
[ftp] lcd flash:/
The current local directory is flash:.

Step 5 On the Switch, download the vrpcfg.cfg file from the remote FTP server.
[ftp] get vrpcfg.cfg vrpcfg.cfg
200 Port command okay.
150 Opening BINARY mode data connection for vrpcfg.cfg.
226 Transfer complete.
FTP: 9124 byte(s) received in 3.100 second(s) 2.94Kbyte(s)/sec.
[ftp] quit
<Quidway>

----End

Configuration Files
#
sysname Quidway
#
vlan batch 10
#
interface Vlanif10
ip address 10.1.1.3 255.255.255.0
#
interface GigabitEthernet0/0/1
port hybrid pvid vlan 10
port hybrid untagged vlan 10
#
interface GigabitEthernet0/0/2
port hybrid pvid vlan 10
port hybrid untagged vlan 10
#
interface GigabitEthernet0/0/3
port hybrid pvid vlan 10
port hybrid untagged vlan 10
#
interface GigabitEthernet0/0/4
port hybrid pvid vlan 10
port hybrid untagged vlan 10
#
return

Example for Accessing Files on Another Device by Using SFTP


In this example, local key pairs are generated on the SFTP client and on the SSH server; the
client's RSA public key is then configured on the SSH server and bound to the SFTP client's SSH
user. In this manner, the SFTP client can connect to the SSH server.

Networking Requirements
As shown in Figure 1-46, after the SFTP service is enabled on the SSH server, the SFTP client
can log in to the SSH server using password, RSA, password-rsa, or all authentication. In this
example, the Huawei Switch functions as the SSH server.
Two users, client001 and client002, are configured to log in to the SSH server using password
and RSA authentication respectively.
Figure 1-46 Networking diagram for accessing files on another device by using SFTP
(Client001 at 10.164.39.220/24 and Client002 at 10.164.39.221/24 connect to the Switch, which is the SSH server at 10.164.39.222/24.)

Device        Interface             VLANIF interface   IP address
SSH server    GigabitEthernet0/0/1  VLANIF 10          10.164.39.222/24
Client001     GigabitEthernet0/0/1  VLANIF 10          10.164.39.220/24
Client002     GigabitEthernet0/0/1  VLANIF 10          10.164.39.221/24

Configuration Roadmap
The configuration roadmap is as follows:
1. Create a VLAN that each interface belongs to and assign an IP address to each VLANIF
   interface.
2. Configure Client001 and Client002 to log in to the SSH server in different authentication
   modes.
3. Create a local RSA key pair on the client Client002 and the SSH server, and bind the client
   client002 to an RSA key to authenticate the client when the client attempts to log in to the
   server.
4. Enable the SFTP service on the SSH server.
5. Configure the service mode and authorization directory for the SSH user.
6. Client001 and Client002 log in to the SSH server by using SFTP to access files on the
   server.

Data Preparation
To complete the configuration, you need the following data:
l IP addresses of the FTP server and client, as shown in Figure 1-46
l Client001 uses password authentication, with the password huawei.
l Client002 uses RSA authentication, with the public key RsaKey001 assigned to it.
l IP address of the SSH server is 10.164.39.222.

Procedure
Step 1 Create a VLAN that each interface belongs to and assign an IP address to each VLANIF interface.
Create VLAN 10 on the AC6605 that functions as the server and assign IP address
10.164.39.222/24 to VLANIF 10.
<Quidway> system-view
[Quidway] vlan 10
[Quidway-vlan10] quit
[Quidway] interface gigabitethernet 0/0/1
[Quidway-GigabitEthernet0/0/1] port hybrid pvid vlan 10
[Quidway-GigabitEthernet0/0/1] port hybrid untagged vlan 10
[Quidway-GigabitEthernet0/0/1] quit
[Quidway] interface vlanif 10
[Quidway-Vlanif10] ip address 10.164.39.222 24

The AC6605 devices that function as Client001 and Client002 are configured in the same way,
with their own IP addresses assigned to VLANIF 10; those steps are not repeated here.
Step 2 Create a local key pair on the SSH server.
<Quidway> system-view
[Quidway] rsa local-key-pair create
The key name will be: Quidway_Host
The range of public key size is (512 ~ 2048).
NOTES: If the key modulus is greater than 512,
It will take a few minutes.
Input the bits in the modulus[default = 512]:
Generating keys...
...........++++++++++++
..................++++++++++++
...++++++++
...........++++++++

Step 3 Create an SSH user on the server.

NOTE
SSH users can be authenticated in four modes: password, RSA, password-rsa, and all.
l In password, password-rsa or password-dsa authentication mode, you must configure a local user.
l In RSA, DSA, password-rsa, password-dsa or all authentication mode, you must copy the RSA or DSA
  public key of the SSH client to the server.

# Configure a VTY user interface.
[Quidway] user-interface vty 0 4
[Quidway-ui-vty0-4] authentication-mode aaa
[Quidway-ui-vty0-4] protocol inbound ssh
[Quidway-ui-vty0-4] user privilege level 3
[Quidway-ui-vty0-4] quit

l Create an SSH user named Client001.
# Create an SSH user named Client001 and configure the authentication mode as
password for the user.
[Quidway] ssh user client001
[Quidway] ssh user client001 authentication-type password

# Set the password of Client001 to huawei.
[Quidway] aaa
[Quidway-aaa] local-user client001 password cipher huawei
[Quidway-aaa] local-user client001 privilege level 3
[Quidway-aaa] local-user client001 service-type ssh
[Quidway-aaa] quit

l Create an SSH user named Client002.
# Create an SSH user named Client002 and configure the authentication mode as RSA for
the user.
[Quidway] ssh user client002
[Quidway] ssh user client002 authentication-type rsa

Step 4 Configure the RSA public key on the server.

# Create a local key pair on the client.
<Quidway> system-view
[Quidway] sysname client002
[client002] rsa local-key-pair create

# Check the RSA public key created on the client.
[client002] display rsa local-key-pair public
=====================================================
Time of Key pair created: 16:38:51 2007/5/25
Key name: client002_Host
Key type: RSA encryption Key
=====================================================
Key code:
3047
0240
BFF35E4B C61BD786 F907B5DE 7D6770C3 E5FD17AB
203C8FCB BBC8FDF2 F7CB674E 519E8419 0F6B97A8
EA91FC4B B9E18836 5E74BFD5 4C687767 A89C6B43
1D7E3E1B
0203
010001
Host public key for PEM format code:
---- BEGIN SSH2 PUBLIC KEY ----
AAAAB3NzaC1yc2EAAAADAQABAAAAQQC/815LxhvXhvkHtd59Z3DD5f0XqyA8j8u7
yP3y98tnTlGehBkPa5eo6pH8S7nhiDZedL/VTGh3Z6ica0Mdfj4b
---- END SSH2 PUBLIC KEY ----
Public key code for pasting into OpenSSH authorized_keys file :
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAQQC/815LxhvXhvkHtd59Z3DD5f0XqyA8j8u7yP3y98tnTlGehBkPa5eo6pH8S7nhiDZedL/VTGh3Z6ica0Mdfj4b rsa-key
=====================================================
Time of Key pair created: 16:38:51 2007/5/25
Key name: client002_Server
Key type: RSA encryption Key
=====================================================
Key code:
3067
0260
BCFAC085 49A2E70E 1284F901 937D7B63 D7A077AB
D2797280 4BCA86C0 4CD18B70 5DFAC9D3 9A3F3E74
9B2AF4CB 69FA6483 E87DA590 7B47721A 16391E27
1C76ABAB 743C568B 1B35EC7A 8572A096 BCA9DF0E
BC89D3DB 5A83698C 9063DB39 A279DD89
0203
010001
[client002]

# Send the RSA public key created on the client to the server.
[Quidway] rsa peer-public-key RsaKey001
Enter "RSA public key" view, return system view with "peer-public-key end".
[Quidway-rsa-public-key] public-key-code begin
Enter "RSA key code" view, return last view with "public-key-code end".
[Quidway-rsa-key-code] 3047
[Quidway-rsa-key-code] 0240
[Quidway-rsa-key-code] BFF35E4B C61BD786 F907B5DE 7D6770C3 E5FD17AB
[Quidway-rsa-key-code] 203C8FCB BBC8FDF2 F7CB674E 519E8419 0F6B97A8
[Quidway-rsa-key-code] EA91FC4B B9E18836 5E74BFD5 4C687767 A89C6B43
[Quidway-rsa-key-code] 1D7E3E1B
[Quidway-rsa-key-code] 0203
[Quidway-rsa-key-code] 010001
[Quidway-rsa-key-code] public-key-code end
[Quidway-rsa-public-key] peer-public-key end

Step 5 Bind the RSA public key of the SSH client to Client002.
[Quidway] ssh user client002 assign rsa-key RsaKey001

Step 6 Enable the SFTP service on the SSH server.

# Enable the SFTP service.
[Quidway] sftp server enable

Step 7 On the SSH server, set the type of service for the SSH user and the authorized directory.
Two SSH users are configured on the SSH server: Client001 in the password authentication
mode and Client002 in the RSA authentication mode.
[Quidway] ssh user client001 service-type sftp
[Quidway] ssh user client001 sftp-directory flash:/
[Quidway] ssh user client002 service-type sftp
[Quidway] ssh user client002 sftp-directory flash:/

Step 8 Connect the SFTP client to the SSH server.

# You must enable the initial authentication on the SSH client for the first login.
Enabling the first authentication on Client001.
<Quidway> system-view
[Quidway] sysname client001
[client001] ssh client first-time enable

Enabling the first authentication on Client002.
[client002] ssh client first-time enable

# Client001 logs in to the SSH server in password authentication mode.
<client001> system-view
[client001] sftp 10.164.39.222
Please input the username:client001
Trying 10.164.39.222 ...
Press CTRL+K to abort
Connected to 10.164.39.222 ...
The server is not authenticated. Continue to access it?(Y/N):y
Save the server's public key?(Y/N):y
The server's public key will be saved with the name 10.137.217.207. Please wait.
..
Enter password:
sftp-client>

# Client002 logs in to the SSH server in RSA authentication mode.
<client002> system-view
[client002] sftp 10.164.39.222
Please input the username: client002
Trying 10.164.39.222 ...
Press CTRL+K to abort
Connected to 10.137.217.207 ...
The server is not authenticated. Continue to access it? [Y/N] :y
Save the server's public key? [Y/N] :y
The server's public key will be saved with the name 10.137.217.207. Please wait.
..
sftp-client>

Step 9 Verify the configuration.

After the configuration, run the display ssh server status and display ssh server session
commands on the SSH server. You can view that the SFTP service is enabled, and that the SFTP
client logs in to the server successfully.
# Check the status of the SSH server.
[Quidway] display ssh server status
SSH version                         :1.99
SSH connection timeout              :60 seconds
SSH server key generating interval  :0 hours
SSH authentication retries          :3 times
SFTP server                         :Enable
Stelnet server                      :Disable
Scp server                          :Disable

# Check the connection of the SSH server.
[Quidway] display ssh server session
Session 1:
Conn                : VTY 1
Version             : 2.0
State               : started
Username            : client001
Retry               : 1
CTOS Cipher         : aes128-cbc
STOC Cipher         : aes128-cbc
CTOS Hmac           : hmac-sha1-96
STOC Hmac           : hmac-sha1-96
CTOS Compress       : none
STOC Compress       : none
Kex                 : diffie-hellman-group1-sha1
Public Key          : rsa
Service Type        : sftp
Authentication Type : password
Session 2:
Conn                : VTY 2
Version             : 2.0
State               : started
Username            : client002
Retry               : 1
CTOS Cipher         : aes128-cbc
STOC Cipher         : aes128-cbc
CTOS Hmac           : hmac-sha1-96
STOC Hmac           : hmac-sha1-96
CTOS Compress       : none
STOC Compress       : none
Kex                 : diffie-hellman-group1-sha1
Public Key          : rsa
Service Type        : sftp
Authentication Type : rsa

# Check information about the SSH user.
[Quidway] display ssh user-information
User 1:
User Name            : client001
Authentication-type  : password
User-public-key-name :
User-public-key-type :
Sftp-directory       : flash:/
Service-type         : sftp
Authorization-cmd    : No
User 2:
User Name            : client002
Authentication-type  : rsa
User-public-key-name : RsaKey001
User-public-key-type : rsa
Sftp-directory       : flash:/
Service-type         : sftp
Authorization-cmd    : No
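The two display commands in Step 9 are what an operator would re-run during a periodic review of the server. The following Python check is an added editor's example, not from the Huawei guide: it parses the display ssh server status and display ssh server session output shown above (transcribed as constructed sample text) and compares it with an operator policy. The policy values are assumptions chosen for the example, so with them every session on this page is reported; a site substitutes its own allow-lists.

```python
import re

# Sample output transcribed from this page's Step 9 (constructed for the example, not live).
STATUS_OUTPUT = """\
SSH version                         :1.99
SSH connection timeout              :60 seconds
SSH server key generating interval  :0 hours
SSH authentication retries          :3 times
SFTP server                         :Enable
Stelnet server                      :Disable
Scp server                          :Disable
"""

SESSION_OUTPUT = """\
Session 1:
Conn                : VTY 1
Version             : 2.0
State               : started
Username            : client001
Retry               : 1
CTOS Cipher         : aes128-cbc
STOC Cipher         : aes128-cbc
CTOS Hmac           : hmac-sha1-96
STOC Hmac           : hmac-sha1-96
CTOS Compress       : none
STOC Compress       : none
Kex                 : diffie-hellman-group1-sha1
Public Key          : rsa
Service Type        : sftp
Authentication Type : password
Session 2:
Conn                : VTY 2
Version             : 2.0
State               : started
Username            : client002
Retry               : 1
CTOS Cipher         : aes128-cbc
STOC Cipher         : aes128-cbc
CTOS Hmac           : hmac-sha1-96
STOC Hmac           : hmac-sha1-96
CTOS Compress       : none
STOC Compress       : none
Kex                 : diffie-hellman-group1-sha1
Public Key          : rsa
Service Type        : sftp
Authentication Type : rsa
"""

# Constructed policy (an assumption for this example, not a device setting): only SFTP may be
# enabled, password-only logins are not accepted, and only the listed algorithms are allowed.
POLICY = {
    "services": {"SFTP server"},
    "auth_types": {"rsa", "dsa", "password-rsa", "password-dsa"},
    "ciphers": {"aes128-ctr", "aes192-ctr", "aes256-ctr"},
    "macs": {"hmac-sha2-256", "hmac-sha2-512"},
    "kex": {"diffie-hellman-group14-sha1", "diffie-hellman-group-exchange-sha256"},
}
ALGORITHM_FIELDS = [("CTOS Cipher", "ciphers"), ("STOC Cipher", "ciphers"),  # session field,
                    ("CTOS Hmac", "macs"), ("STOC Hmac", "macs"), ("Kex", "kex")]  # policy bucket


def parse_status(text):
    """`display ssh server status` -> {field: value}."""
    status = {}
    for line in text.splitlines():
        if ":" in line:
            key, value = line.split(":", 1)
            status[key.strip()] = value.strip()
    return status


def parse_sessions(text):
    """`display ssh server session` -> list of {field: value}, one per 'Session N:' block."""
    sessions = []
    for line in text.splitlines():
        header = re.match(r"Session\s+(\d+):", line)
        if header:
            sessions.append({"Session": int(header.group(1))})
        elif ":" in line and sessions:
            key, value = line.split(":", 1)
            sessions[-1][key.strip()] = value.strip()
    return sessions


def audit(status_text, session_text, policy=POLICY):
    """Return a sorted list of policy findings; an empty list means the server is compliant."""
    findings = []
    for field, value in parse_status(status_text).items():
        if field.endswith("server") and value == "Enable" and field not in policy["services"]:
            findings.append(f"{field} is enabled but not permitted")
    for s in parse_sessions(session_text):
        who = f"session {s['Session']} ({s.get('Username', '?')})"
        if s.get("Authentication Type") not in policy["auth_types"]:
            findings.append(f"{who}: authentication type {s.get('Authentication Type')} not permitted")
        for field, bucket in ALGORITHM_FIELDS:
            if s.get(field) not in policy[bucket]:
                findings.append(f"{who}: {field} {s.get(field)} not permitted")
    return sorted(findings)
```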

----End

Configuration Files
l Configuration file of the Quidway, the SSH server
#
sysname Quidway
#
vlan batch 10
#
interface Vlanif10
ip address 10.164.39.222 255.255.255.0
#
rsa peer-public-key rsakey001
public-key-code begin
3047
0240
C4989BF0 416DA8F2 2675910D 7F2997E8 5573A35D 0163FD4A FAC39A6E 0F45F325
A4E3AA1D 54692B04 C6A28D3D C58DE2E8 E0D58D65 7A25CF92 A74D21F9 E917182B
0203
010001
public-key-code end
peer-public-key end
#
aaa
local-user client001 password cipher %$%$6\ZH#;zYJ*HXE["UyioO-vmd%$%$
local-user client001 privilege level 3
local-user client001 service-type ssh
#
sftp server enable
ssh user client001
ssh user client002
ssh user client001 authentication-type password
ssh user client002 authentication-type rsa
ssh user client002 assign rsa-key RsaKey001
ssh user client001 service-type sftp
ssh user client002 service-type sftp
ssh user client001 sftp-directory flash:/
ssh user client002 sftp-directory flash:/
#
interface GigabitEthernet0/0/1
port hybrid pvid vlan 10
port hybrid untagged vlan 10
#
user-interface vty 0 4
authentication-mode aaa
user privilege level 3
protocol inbound ssh
#
return

l Configuration file of Client001, the SSH client
#
sysname client001
#
vlan batch 10
#
interface Vlanif10
ip address 10.164.39.220 255.255.255.0
#
ssh client first-time enable
#
interface GigabitEthernet0/0/1
port hybrid pvid vlan 10
port hybrid untagged vlan 10
#
return

l Configuration file of Client002, the SSH client
#
sysname client002
#
vlan batch 10
#
interface Vlanif10
ip address 10.164.39.221 255.255.255.0
#
ssh client first-time enable
#
interface GigabitEthernet0/0/1
port hybrid pvid vlan 10
port hybrid untagged vlan 10
#
return

Example for Accessing Files on Another Device by Using FTPS


You can log in to an FTPS server from an FTPS client to operate files transmitted between the
server and the client.

Networking Requirements
Traditional FTP has no security mechanism: it transmits data in plain text. If the FTP
server is configured with login user names and passwords, the FTP server can authenticate
clients, but the clients cannot authenticate the server. Transmitted data can easily be tampered
with, which poses security threats. An SSL policy can be configured on the FTP server to improve security.
SSL provides data encryption, identity authentication, and message integrity verification,
improving data transmission security. In addition, SSL provides secure connections for the FTP
server, greatly improving security of the FTP server.
As shown in Figure 1-47,
l An SSL policy needs to be configured on, and a trusted-CA file loaded to, the FTP
  client to verify the identity of the certificate owner, sign a digital certificate to prevent
  eavesdropping and tampering, and manage the certificate and key.
l An SSL policy needs to be configured on, and a digital certificate loaded to, the FTP
  server to verify the validity of the trusted-CA file. This ensures that only authorized
  clients can log in to the server.

Figure 1-47 Accessing Files on Another Device by Using FTPS
(FTP-Client, VLANIF20 1.1.1.1/24, reaches FTP-Server, VLANIF30 1.1.1.2/24, across the network; PC1 connects to FTP-Server on VLANIF40 192.168.0.2/24.)

If the FTPS client and server are routable, you can log in to the FTPS server from the FTPS
client to remotely manage files.

Configuration Roadmap
The configuration roadmap is as follows:
1. Upload certificates.
   l Upload the digital certificate saved on PC2 to the FTP server.
   l Upload the trusted-CA file saved on PC1 to the FTP client.
2. Load the certificates and configure SSL policies.
   l Copy the digital certificate from the system directory of the FTP server to the
     security sub-directory, configure an SSL policy, and load the digital certificate.
   l Copy the trusted-CA file from the system directory of the FTP client to the security
     sub-directory, configure an SSL policy, and load the trusted-CA file.
3. Enable the FTPS server function on the FTP server.
4. Configure IP addresses for the interfaces that interconnect the FTP client and server to
   ensure that the client and server are routable.
5. Run the ftp command on the FTP client to log in to the FTPS server to remotely manage
   files.

Data Preparation
To complete the configuration, you need the following data:
l IP addresses of the FTP client and server
l FTP user name and password
l SSL trusted-CA file and digital certificate

Procedure
Step 1 Upload certificates.
l Perform the following steps on the FTP server:
# Configure an IP address for the FTP server so that the PC and FTP server are reachable.
<Quidway> system-view
[Quidway] sysname FTP-Server
[FTP-Server] vlan 10
[FTP-Server-vlan10] quit
[FTP-Server] interface gigabitethernet0/0/1
[FTP-Server-GigabitEthernet0/0/1] port hybrid pvid vlan 10
[FTP-Server-GigabitEthernet0/0/1] port hybrid untagged vlan 10
[FTP-Server-GigabitEthernet0/0/1] quit
[FTP-Server] interface vlanif 10
[FTP-Server-Vlanif10] ip address 192.168.0.1 24
[FTP-Server-Vlanif10] quit

# Enable the FTP server function.
[FTP-Server] ftp server enable

# Configure the authentication information, authorization mode, and authorized directory for
an FTP user on the FTP server.
[FTP-Server] aaa
[FTP-Server-aaa] local-user huawei password cipher huawei
[FTP-Server-aaa] local-user huawei service-type ftp
[FTP-Server-aaa] local-user huawei privilege level 15
[FTP-Server-aaa] local-user huawei ftp-directory flash:
[FTP-Server-aaa] quit
[FTP-Server] quit

# Run the ftp ftp-server-address command at the Windows command prompt. Enter the
correct user name and password to set up an FTP connection to the FTP server, as shown in
Figure 1-48.

Figure 1-48 Logging in to an FTP server from a user terminal

Upload the digital certificate saved on the user terminal to the FTP server, as shown in Figure
1-49.
Figure 1-49 Uploading a digital certificate

After the preceding configurations are complete, run the dir command on the FTP server.
The command output shows that the digital certificate has been successfully uploaded to the
server.
<FTP-Server> dir
Directory of flash:/

  Idx  Attr     Size(Byte)  Date        Time(LMT)  FileName
    0  drw-              -  May 10 2011 05:05:40   src
    1  -rw-        524,575  May 10 2011 05:05:53   private-data.txt
    2  -rw-            446  May 10 2011 05:05:51   vrpcfg.zip
    3  -rw-          1,302  May 10 2011 05:32:05   1_servercert_pem_rsa.pem
    4  -rw-            951  May 10 2011 05:32:44   1_serverkey_pem_rsa.pem
    5  drw-              -  May 10 2011 05:43:39   security

304,292 KB total (303,766 KB free)

l Perform the following steps on the FTP client:
The procedure for uploading the trusted-CA file to the FTP client is similar to the procedure
for uploading the digital certificate to the FTP server. For detailed configurations, see the
configuration file of the FTP client in this example.
After the trusted-CA file is uploaded to the FTP client, run the dir command on the FTP
client. The command output shows that the trusted-CA file has been successfully uploaded
to the FTP client.
<FTP-Client> dir
Directory of flash:/

  Idx  Attr     Size(Byte)  Date        Time(LMT)  FileName
    0  -rw-        524,558  May 10 2011 04:50:39   private-data.txt
    1  -rw-          1,237  May 10 2011 05:55:33   1_cacert_pem_rsa.pem
    2  -rw-          1,241  May 10 2011 05:55:44   1_rootcert_pem_rsa.pem
    3  drw-              -  Apr 09 2011 19:46:14   src
    4  -rw-            421  Apr 09 2011 19:46:14   vrpcfg.zip
    5  -rw-      1,308,478  Apr 14 2011 19:22:45   web.zip
    6  drw-              -  Apr 10 2011 01:35:54   logfile
    7  -rw-              4  Apr 19 2011 04:24:28   snmpnotilog.txt
    8  drw-              -  Apr 11 2011 16:18:53   security
    9  drw-              -  Apr 13 2011 11:37:40   lam

304,292 KB total (300,270 KB free)

Step 2 Load the certificates and configure SSL policies.

l Perform the following steps on the FTP server:
# Create a sub-directory named security and copy the digital certificate to this sub-directory.
<FTP-Server> mkdir security/
<FTP-Server> copy 1_servercert_pem_rsa.pem security/
<FTP-Server> copy 1_serverkey_pem_rsa.pem security/

After the preceding configurations are complete, run the dir command in the security
sub-directory on the FTP server. The command output shows that the digital certificate has been
successfully copied to this sub-directory.
<FTP-Server> cd security/
<FTP-Server> dir
Directory of flash:/security/

  Idx  Attr     Size(Byte)  Date        Time(LMT)  FileName
    0  -rw-          1,302  May 10 2011 05:44:34   1_servercert_pem_rsa.pem
    1  -rw-            951  May 10 2011 05:45:22   1_serverkey_pem_rsa.pem

304,292 KB total (303,766 KB free)

# Create an SSL policy and load the PEM digital certificate.
<FTP-Server> system-view
[FTP-Server] ssl policy ftp_server
[FTP-Server-ssl-policy-ftp_server] certificate load pem-cert 1_servercert_pem_rsa.pem key-pair rsa key-file 1_serverkey_pem_rsa.pem authcode 123456
[FTP-Server-ssl-policy-ftp_server] quit

After the preceding configurations are complete, run the display ssl policy command on the
FTP server. The command output shows detailed information about the loaded certificate.
[FTP-Server] display ssl policy

SSL Policy Name:        ftp_server
Policy Applicants:      FTP secure-server
Key-pair Type:          RSA
Certificate File Type:  PEM
Certificate Type:       certificate
Certificate Filename:   1_servercert_pem_rsa.pem
Key-file Filename:      1_serverkey_pem_rsa.pem
Auth-code:              123456
MAC:
CRL File:
Trusted-CA File:

l Configure the FTP client.


# Create a sub-directory named security and copy the two trusted-CA files to it. The procedure is the same as on the FTP server; for the exact commands, see the configuration file of the FTP client in this example.
After the trusted-CA files are copied, run the dir command in the security sub-directory. The command output shows that both files are present.
<FTP-Client> cd security/
<FTP-Client> dir
Directory of flash:/security/

  Idx  Attr     Size(Byte)  Date         Time(LMT)  FileName
    0  -rw-          1,237  May 10 2011  05:57:15   1_cacert_pem_rsa.pem
    1  -rw-          1,241  May 10 2011  05:57:29   1_rootcert_pem_rsa.pem

304,292 KB total (300,266 KB free)

# Create an SSL policy and load the trusted-CA file.


<FTP-Client> system-view
[FTP-Client] ssl policy ftp_client
[FTP-Client-ssl-policy-ftp_client] trusted-ca load pem-ca 1_cacert_pem_rsa.pem
[FTP-Client-ssl-policy-ftp_client] trusted-ca load pem-ca 1_rootcert_pem_rsa.pem
[FTP-Client-ssl-policy-ftp_client] quit

After the preceding configurations are complete, run the display ssl policy command on the
FTP client. The command output shows detailed information about the trusted-CA file.
[FTP-Client] display ssl policy
SSL Policy Name: ftp_client
Policy Applicants:
Key-pair Type:
Certificate File Type:
Certificate Type:
Certificate Filename:
Key-file Filename:
Auth-code:
MAC:
CRL File:
Trusted-CA File:
Trusted-CA File 1: Format = PEM, Filename = 1_cacert_pem_rsa.pem
Trusted-CA File 2: Format = PEM, Filename = 1_rootcert_pem_rsa.pem

Step 3 Enable the FTPS server function.


NOTE

Before enabling the FTPS server function, disable the FTP server function.
[FTP-Server] undo ftp server
[FTP-Server] ftp secure-server ssl-policy ftp_server
[FTP-Server] ftp secure-server enable

Step 4 Configure IP addresses for the interfaces that interconnect the FTP client and server.
# Configure the FTP server.
[FTP-Server] vlan 30
[FTP-Server-vlan30] quit
[FTP-Server] interface gigabitethernet 0/0/2
[FTP-Server-GigabitEthernet0/0/2] port hybrid pvid vlan 30
[FTP-Server-GigabitEthernet0/0/2] port hybrid untagged vlan 30
[FTP-Server-GigabitEthernet0/0/2] quit
[FTP-Server] interface vlanif 30
[FTP-Server-Vlanif30] ip address 1.1.1.2 24
[FTP-Server-Vlanif30] quit

# Configure the FTP client.


[FTP-Client] vlan 20
[FTP-Client-vlan20] quit
[FTP-Client] interface gigabitethernet 0/0/2
[FTP-Client-GigabitEthernet0/0/2] port hybrid pvid vlan 20
[FTP-Client-GigabitEthernet0/0/2] port hybrid untagged vlan 20
[FTP-Client-GigabitEthernet0/0/2] quit
[FTP-Client] interface vlanif 20
[FTP-Client-Vlanif20] ip address 1.1.1.1 24
[FTP-Client-Vlanif20] quit
[FTP-Client] quit

Step 5 Run the ftp command on the FTP client to log in to the FTPS server to remotely manage files.
<FTP-Client> ftp ssl-policy ftp_client 1.1.1.2
Trying 1.1.1.2 ...
Press CTRL+K to abort
Connected to 1.1.1.2.
220 FTP service ready.
234 AUTH command successfully, Security mechanism accepted.
200 PBSZ is ok.
200 Data channel security level is changed to private.
User(1.1.1.2:(none)):huawei
331 Password required for huawei.
Enter password:
230 User logged in.
[ftp]

The client can log in to the FTP server only after the correct user name and password are entered.
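The reply codes in the login above are the explicit-TLS handshake of RFC 4217: 234 accepts AUTH TLS, then PBSZ 0 and PROT P move the data channel to private before the user name and password are sent. The following Python script is an added editorial example, not Huawei code. It walks the same command sequence against a scripted transcript, refuses to send USER/PASS if AUTH TLS is rejected (no silent fallback to plaintext FTP), and builds the verification context a real client would use with the two trusted-CA files loaded on the FTP client above. The AC6605 transcript is re-typed from the Step 5 output; the plaintext-only server and its 502 reply are assumed for the failure case.

```python
"""Explicit FTPS (AUTH TLS, RFC 4217) login walked against a scripted server transcript."""
import re
import ssl

# Constructed transcript: the server replies printed in Step 5 above, re-typed here.
AC6605_REPLIES = [
    "220 FTP service ready.",
    "234 AUTH command successfully, Security mechanism accepted.",
    "200 PBSZ is ok.",
    "200 Data channel security level is changed to private.",
    "331 Password required for huawei.",
    "230 User logged in.",
]

# Constructed transcript (assumed): a plaintext-only FTP server, or a downgrade attempt,
# that rejects AUTH TLS. A careless client would carry on and send USER/PASS in clear.
PLAINTEXT_ONLY_REPLIES = [
    "220 FTP service ready.",
    "502 Command not implemented.",
]


class FtpsError(Exception):
    """Raised when a step that must succeed before credentials are sent is refused."""


def reply_code(reply):
    """Return the three-digit reply code of a control-channel line."""
    match = re.match(r"^(\d{3})[ -]", reply)
    if not match:
        raise FtpsError("malformed server reply: %r" % reply)
    return int(match.group(1))


def ftps_login(server_replies, user, password):
    """Send the same command sequence as the AC6605 client; return the commands sent.

    Order matters: AUTH TLS must be accepted (234) before USER/PASS, and PROT P must be
    accepted (200) before any data transfer, otherwise the password or the file contents
    would cross the wire in clear text. Any refusal aborts instead of falling back.
    """
    replies = iter(server_replies)
    sent = []

    def step(command, *accepted):
        if command is not None:
            sent.append("PASS ****" if command.startswith("PASS ") else command)
        reply = next(replies, None)
        if reply is None:
            raise FtpsError("connection closed after %s" % (command or "greeting"))
        code = reply_code(reply)
        if code not in accepted:
            raise FtpsError("%s rejected: %s" % (command or "greeting", reply))
        return code

    step(None, 220)              # server greeting
    step("AUTH TLS", 234)        # upgrade the control channel; the TLS handshake runs here
    step("PBSZ 0", 200)          # protection buffer size is always 0 for TLS
    step("PROT P", 200)          # private (encrypted) data channel
    if step("USER " + user, 331, 230) == 331:
        step("PASS " + password, 230)
    return sent


def trusted_ca_context(ca_files):
    """Client-side verification context, the counterpart of 'trusted-ca load pem-ca'.

    ca_files are the PEM CA certificates (1_cacert_pem_rsa.pem and 1_rootcert_pem_rsa.pem
    in the example); the server certificate must chain to them or the handshake fails.
    Pass the result as context= to ftplib.FTP_TLS for a live connection.
    """
    context = ssl.create_default_context(purpose=ssl.Purpose.SERVER_AUTH)
    context.check_hostname = False   # the server is addressed by IP, not by a DNS name
    for path in ca_files:
        context.load_verify_locations(cafile=path)
    return context
```

For a live connection, pass the context to ftplib.FTP_TLS(context=...), then call connect('1.1.1.2', 21), auth(), prot_p() and login('huawei', password) in that order; ftplib performs the same AUTH TLS, PBSZ and PROT P exchange. check_hostname is switched off because the server is addressed by IP; turn it back on if the server certificate carries the IP address as a subject alternative name.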
Step 6 Verify the configuration.
# Run the display ftp-server command on the FTPS server. The command output shows that
the configured SSL policy name is ftp_server and the FTPS server is running.
[FTP-Server] display ftp-server
FTP server is stopped
Max user number                   5
User count                        1
Timeout value(in minute)          30
Listening port                    21
Acl number                        0
FTP server's source address       0.0.0.0
FTP SSL policy                    ftp_server
FTP Secure-server is running

You can use the FTP client to remotely manage files on the FTPS server.
----End

Configuration Files
l

Configuration file of the FTP server


#
sysname FTP-Server
#

ftp secure-server enable
ftp secure-server ssl-policy ftp_server
#
vlan batch 10 30
#
ssl policy ftp_server
certificate load pem-cert 1_servercert_pem_rsa.pem key-pair rsa key-file
1_serverkey_pem_rsa.pem auth-code 123456
#
aaa
authentication-scheme default
authorization-scheme default
accounting-scheme default
local-user huawei password cipher %$%$xl8:AIK&k*X.D6$JN#rF-\SJ%$%$
local-user huawei privilege level 15
local-user huawei ftp-directory flash:/
local-user huawei service-type ftp
#
interface Vlanif10
ip address 192.168.0.1 255.255.255.0
#
interface Vlanif30
ip address 1.1.1.2 255.255.255.0
#
interface GigabitEthernet0/0/1
port hybrid pvid vlan 10
port hybrid untagged vlan 10
#
interface GigabitEthernet0/0/2
port hybrid pvid vlan 30
port hybrid untagged vlan 30
#
return

Configuration file of the FTP client


#
sysname FTP-Client
#
ftp server enable
#
vlan batch 20 40
#
ssl policy ftp_client
trusted-ca load pem-ca 1_cacert_pem_rsa.pem
trusted-ca load pem-ca 1_rootcert_pem_rsa.pem
#
aaa
authentication-scheme default
authorization-scheme default
accounting-scheme default
local-user huawei password cipher %$%$}twU5v;.BOKdou5Ry'L$-XOF%$%$
local-user huawei privilege level 15
local-user huawei ftp-directory flash:/
local-user huawei service-type ftp
#
interface Vlanif20
ip address 1.1.1.1 255.255.255.0
#
interface Vlanif40
ip address 192.168.0.2 255.255.255.0
#
interface GigabitEthernet0/0/1
port hybrid pvid vlan 40
port hybrid untagged vlan 40
#
interface GigabitEthernet0/0/2
port hybrid pvid vlan 20
port hybrid untagged vlan 20

#
return

Example for Configuring the SSH Server to Support Access from Another Port
In this example, the listening port of the SSH server is changed from the standard port to another port number, so that connection attempts aimed at the standard port are refused and only users who know the configured port can reach the server.

Networking Requirements
The SSH protocol defines port 22 as the standard listening port. If attackers keep sending connection requests to the standard port, bandwidth is consumed and server performance degrades, and other valid users may be unable to connect.
If the listening port on the SSH server is changed to a non-default one, attackers unaware of the change continue to send socket connection requests to port 22. The SSH server no longer listens there, so the TCP connection is refused before any SSH negotiation takes place.
Changing the port only hides the service from clients that do not know the new number; it is not an access control, and a port scan finds the new port quickly. Keep strong authentication (the RSA key used for Client002 below) and the authentication retry limit shown by display ssh server status in place regardless of the port.
Valid users connect to the configured listening port and go through the normal SSH procedure:
l Negotiating the SSH protocol version
l Negotiating the algorithms
l Generating the session key
l Authenticating
l Requesting a session
l Performing the interactive session

Figure 1-50 Networking diagram for configuring the SSH server to support access from another port
[Figure: Client001 (10.164.39.220/24) and Client002 (10.164.39.221/24) connect through a Switch to the SSH server (10.164.39.222/24)]

Device       Interface             VLANIF interface  IP address
SSH server   GigabitEthernet0/0/1  VLANIF 10         10.164.39.222/24
Client001    GigabitEthernet0/0/1  VLANIF 10         10.164.39.220/24
Client002    GigabitEthernet0/0/1  VLANIF 10         10.164.39.221/24

Configuration Roadmap
The configuration roadmap is as follows:
1. Create the VLAN that each interface belongs to and assign an IP address to each VLANIF interface.
2. Create a local key pair on the SSH server and on the SFTP client (Client002).
3. Configure the RSA public key of the SFTP client on the SSH server.
4. Create SSH users Client001 and Client002 on the SSH server and bind the RSA public key of the SSH client to Client002.
5. Enable the STelnet and SFTP services on the SSH server.
6. Configure the service type and authorized directory for each SSH user.
7. Set the listening port number on the SSH server.
8. Client001 and Client002 log in to the SSH server through STelnet and SFTP respectively.

Data Preparation
To complete the configuration, you need the following data:
l IP addresses of the SSH server and clients, as shown in Figure 1-50
l SSH user names and authentication modes
l Password or RSA public key of each SSH user
l Server name
l Listening port number on the SSH server

Procedure
Step 1 Create a VLAN that each interface belongs to and assign an IP address to each VLANIF interface.
Create VLAN 10 on the Switch that functions as the server and assign IP address
10.164.39.222/24 to VLANIF 10.
<Quidway> system-view
[Quidway] vlan 10
[Quidway-vlan10] quit
[Quidway] interface gigabitethernet 0/0/1
[Quidway-GigabitEthernet0/0/1] port hybrid pvid vlan 10
[Quidway-GigabitEthernet0/0/1] port hybrid untagged vlan 10
[Quidway-GigabitEthernet0/0/1] quit
[Quidway] interface vlanif 10
[Quidway-Vlanif10] ip address 10.164.39.222 24

Assigning an IP address to the Switch that functions as Client001 or Client002 is done in the same way and is not shown here.
Step 2 Generate a local key pair on the SSH server.
<Quidway> system-view
[Quidway] rsa local-key-pair create
The key name will be: Quidway_Host
The range of public key size is (512 ~ 2048).
NOTES: If the key modulus is greater than 512,
It will take a few minutes.
Input the bits in the modulus[default = 512]:
Generating keys...
...........++++++++++++

..................++++++++++++
...++++++++
...........++++++++

Accept the default of 512 bits only in a lab: a 512-bit RSA modulus can be factored with modest resources, so enter 2048 (the largest size this release allows) when the device is used in production.

Step 3 Configure the RSA public key on the server.


# Create a local key pair on the client.
<Quidway> system-view
[Quidway] sysname client002
[client002] rsa local-key-pair create

# Check the RSA public key generated on the client.


[client002] display rsa local-key-pair public
=====================================================
Time of Key pair created: 16:38:51 2007/5/25
Key name: client002_Host
Key type: RSA encryption Key
=====================================================
Key code:
3047
0240
BFF35E4B C61BD786 F907B5DE 7D6770C3 E5FD17AB
203C8FCB BBC8FDF2 F7CB674E 519E8419 0F6B97A8
EA91FC4B B9E18836 5E74BFD5 4C687767 A89C6B43
1D7E3E1B
0203
010001
Host public key for PEM format code:
---- BEGIN SSH2 PUBLIC KEY ----
AAAAB3NzaC1yc2EAAAADAQABAAAAQQC/815LxhvXhvkHtd59Z3DD5f0XqyA8j8u7
yP3y98tnTlGehBkPa5eo6pH8S7nhiDZedL/VTGh3Z6ica0Mdfj4b
---- END SSH2 PUBLIC KEY ----
Public key code for pasting into OpenSSH authorized_keys file :
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAQQC/815LxhvXhvkHtd59Z3DD5f0XqyA8j8u7yP3y98tn
TlGehBkPa5eo6pH8S7nhiDZedL/VTGh3Z6ica0Mdfj4b rsa-key
=====================================================
Time of Key pair created: 16:38:51 2007/5/25
Key name: client002_Server
Key type: RSA encryption Key
=====================================================
Key code:
3067
0260
BCFAC085 49A2E70E 1284F901 937D7B63 D7A077AB
D2797280 4BCA86C0 4CD18B70 5DFAC9D3 9A3F3E74
9B2AF4CB 69FA6483 E87DA590 7B47721A 16391E27
1C76ABAB 743C568B 1B35EC7A 8572A096 BCA9DF0E
BC89D3DB 5A83698C 9063DB39 A279DD89
0203
010001
[client002]

# Enter the RSA public key generated on the client on the server. The key code can be entered in several pieces, exactly as the display command printed it.
[Quidway] rsa peer-public-key RsaKey001
Enter "RSA public key" view, return system view with "peer-public-key end".
[Quidway-rsa-public-key] public-key-code begin
Enter "RSA key code" view, return last view with "public-key-code end".
[Quidway-rsa-key-code] 3047
[Quidway-rsa-key-code] 0240
[Quidway-rsa-key-code] BFF35E4B C61BD786 F907B5DE 7D6770C3 E5FD17AB
[Quidway-rsa-key-code] 203C8FCB BBC8FDF2 F7CB674E 519E8419 0F6B97A8
[Quidway-rsa-key-code] EA91FC4B B9E18836 5E74BFD5 4C687767 A89C6B43
[Quidway-rsa-key-code] 1D7E3E1B
[Quidway-rsa-key-code] 0203
[Quidway-rsa-key-code] 010001

[Quidway-rsa-key-code] public-key-code end


[Quidway-rsa-public-key] peer-public-key end
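The key code entered above is the DER encoding of the client's modulus and public exponent (SEQUENCE of two INTEGERs), the same key the display command printed in OpenSSH form. The following Python script is an added editorial example, not Huawei code: it converts in both directions so you can check that the key pasted into rsa peer-public-key really is the client's key, or turn an OpenSSH id_rsa.pub line into key-code lines for the public-key-code view. It is checked against client002's key from the output above; the 'rsa-key' comment, the five-words-per-line layout and the non-strict DER (the device omits the leading 0x00 on a modulus whose top bit is set) are taken from that output.

```python
"""Convert between the AC6605 'Key code' (hex DER) and the OpenSSH 'ssh-rsa' line."""
import base64
import struct

# Key code printed by 'display rsa local-key-pair public' on client002 (from the page).
CLIENT002_HOST_KEY_CODE = """\
3047
0240
BFF35E4B C61BD786 F907B5DE 7D6770C3 E5FD17AB
203C8FCB BBC8FDF2 F7CB674E 519E8419 0F6B97A8
EA91FC4B B9E18836 5E74BFD5 4C687767 A89C6B43
1D7E3E1B
0203
010001"""

# The OpenSSH authorized_keys line the same command printed for that key.
CLIENT002_OPENSSH_LINE = (
    "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAQQC/815LxhvXhvkHtd59Z3DD5f0XqyA8j8u7"
    "yP3y98tnTlGehBkPa5eo6pH8S7nhiDZedL/VTGh3Z6ica0Mdfj4b rsa-key"
)


def _der_length(buf, pos):
    """Decode a DER length at buf[pos] (short or long form); return (length, next_pos)."""
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    count = first & 0x7F
    return int.from_bytes(buf[pos + 1:pos + 1 + count], "big"), pos + 1 + count


def _der_integer(buf, pos):
    if buf[pos] != 0x02:
        raise ValueError("expected INTEGER at offset %d" % pos)
    length, pos = _der_length(buf, pos + 1)
    # The device omits the leading 0x00 that strict DER adds when the top bit is set,
    # so the content is read as an unsigned number either way.
    return int.from_bytes(buf[pos:pos + length], "big"), pos + length


def key_code_to_rsa(key_code):
    """Parse the hex key code, a DER SEQUENCE { INTEGER n, INTEGER e }, into (n, e)."""
    buf = bytes.fromhex("".join(key_code.split()))
    if buf[0] != 0x30:
        raise ValueError("expected SEQUENCE")
    seq_len, pos = _der_length(buf, 1)
    if pos + seq_len != len(buf):
        raise ValueError("SEQUENCE length %d does not match key code size" % seq_len)
    n, pos = _der_integer(buf, pos)
    e, pos = _der_integer(buf, pos)
    if pos != len(buf):
        raise ValueError("trailing bytes after the exponent")
    return n, e


def _ssh_string(data):
    return struct.pack(">I", len(data)) + data


def _ssh_mpint(value):
    raw = value.to_bytes(max(1, (value.bit_length() + 7) // 8), "big")
    if raw[0] & 0x80:
        raw = b"\x00" + raw  # mpint is signed; keep a positive number positive
    return _ssh_string(raw)


def rsa_to_openssh(n, e, comment="rsa-key"):
    """Encode (n, e) as an OpenSSH public-key line (RFC 4253: string 'ssh-rsa', mpint e, mpint n)."""
    blob = _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)
    return "ssh-rsa %s %s" % (base64.b64encode(blob).decode("ascii"), comment)


def openssh_to_rsa(line):
    """Parse an 'ssh-rsa AAAA... comment' line (e.g. from id_rsa.pub) into (n, e)."""
    fields = line.split()
    if len(fields) < 2 or fields[0] != "ssh-rsa":
        raise ValueError("not an ssh-rsa public key line")
    blob, parts, pos = base64.b64decode(fields[1]), [], 0
    while pos < len(blob):
        (length,) = struct.unpack(">I", blob[pos:pos + 4])
        parts.append(blob[pos + 4:pos + 4 + length])
        pos += 4 + length
    if len(parts) != 3 or parts[0] != b"ssh-rsa":
        raise ValueError("malformed ssh-rsa blob")
    return int.from_bytes(parts[2], "big"), int.from_bytes(parts[1], "big")


def _der_encode_length(length):
    if length < 0x80:
        return bytes([length])
    body = length.to_bytes((length.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _unsigned_bytes(value, strict):
    raw = value.to_bytes(max(1, (value.bit_length() + 7) // 8), "big")
    return b"\x00" + raw if strict and raw[0] & 0x80 else raw


def rsa_to_key_code(n, e, strict=False):
    """Render (n, e) in the layout 'display rsa local-key-pair public' uses, ready to be
    entered line by line in the 'public-key-code begin' view. strict=False reproduces the
    device encoding (no leading 0x00 on the modulus); strict=True is standard DER."""
    n_raw, e_raw = _unsigned_bytes(n, strict), _unsigned_bytes(e, strict)
    n_hdr = b"\x02" + _der_encode_length(len(n_raw))
    e_hdr = b"\x02" + _der_encode_length(len(e_raw))
    seq_hdr = b"\x30" + _der_encode_length(len(n_hdr) + len(n_raw) + len(e_hdr) + len(e_raw))
    n_hex = n_raw.hex()
    words = [n_hex[i:i + 8] for i in range(0, len(n_hex), 8)]
    lines = [seq_hdr.hex(), n_hdr.hex()]
    lines += [" ".join(words[i:i + 5]) for i in range(0, len(words), 5)]
    lines += [e_hdr.hex(), e_raw.hex()]
    return "\n".join(lines).upper()
```

To check what was pasted on the server, parse the key code with key_code_to_rsa and compare rsa_to_openssh of the result with the line the client printed; any edit during copy and paste changes the base64 visibly. To let an OpenSSH client (such as a management host) log in as Client002, run openssh_to_rsa on its id_rsa.pub and enter the lines rsa_to_key_code returns in the public-key-code view.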

Step 4 Create an SSH user on the server.


NOTE

SSH users can be authenticated in four modes: password, RSA, password-rsa, and all.
l Before configuring the authentication mode of password or password-rsa, you must configure a local
user.
l Before configuring the authentication mode of RSA, password-rsa, or all, you must copy the RSA
public key of the SSH client to the server.

# Configure a VTY user interface.


[Quidway] user-interface vty 0 4
[Quidway-ui-vty0-4] authentication-mode aaa
[Quidway-ui-vty0-4] protocol inbound ssh
[Quidway-ui-vty0-4] user privilege level 3
[Quidway-ui-vty0-4] quit

# Create an SSH user named Client001, and configure the authentication mode as password
for the user.
[Quidway] ssh user client001
[Quidway] ssh user client001 authentication-type password

# Set the password of Client001 to huawei.


[Quidway] aaa
[Quidway-aaa] local-user client001 password cipher huawei
[Quidway-aaa] local-user client001 service-type ssh
[Quidway-aaa] quit

# Set the type of service of Client001 to STelnet.


[Quidway] ssh user client001 service-type stelnet

# Create an SSH user named Client002, and configure the authentication mode as RSA for the
user. Bind the RSA public key of the SSH client to Client002.
[Quidway] ssh user client002
[Quidway] ssh user client002 authentication-type rsa
[Quidway] ssh user client002 assign rsa-key RsaKey001

# Set the type of service of Client002 to SFTP and the authorized directory as flash:/.
[Quidway] ssh user client002 service-type sftp
[Quidway] ssh user client002 sftp-directory flash:/

Step 5 Enable the STelnet and SFTP services on the SSH server.
[Quidway] stelnet server enable
[Quidway] sftp server enable

Step 6 Configure the new listening port number on the SSH server.
[Quidway] ssh server port 1025

Step 7 Connect the SSH client and the SSH server.


# First-time authentication must be enabled on the SSH client before the first login. With it enabled, the client accepts the server's public key on the first connection without being able to verify it (the prompt "The server is not authenticated" below), so answer Y only on a trusted network or after comparing the key with the output of display rsa local-key-pair public on the server. The key saved under the name 10.164.39.222 is then used to authenticate the server on later logins.
Enable first-time authentication on Client001.
<Quidway> system-view
[Quidway] sysname client001
[client001] ssh client first-time enable

Enable first-time authentication on Client002.


[client002] ssh client first-time enable

# The STelnet client logs in to the SSH server by using the new listening port.
[client001] stelnet 10.164.39.222 1025
Please input the username:client001
Trying 10.164.39.222 ...
Press CTRL+K to abort
Connected to 10.164.39.222 ...
The server is not authenticated. Continue to access it? [Y/N] :y
Save the server's public key? [Y/N] :y
The server's public key will be saved with the name 10.164.39.222. Please wait.
..
Enter password:

Enter the password huawei, and information indicating that the login succeeds is displayed as
follows:
Info: The max number of VTY users is 20, and the number
of current VTY users on line is 1.
<Quidway>

# The SFTP client logs in to the SSH server by using the new listening port.
[client002]sftp 10.164.39.222 1025
Please input the username:client002
Trying 10.164.39.222 ...
Press CTRL+K to abort
Connected to 10.164.39.222 ...
The server is not authenticated. Continue to access it? [Y/N] :y
Save the server's public key? [Y/N] :y
The server's public key will be saved with the name 10.164.39.222. Please wait.
..
sftp-client>

Step 8 Verify the configuration.


A connection to the default port 22 is refused, because the server no longer listens on it:
[client002] sftp 10.164.39.222
Please input the username:client002
Trying 10.164.39.222 ...
Press CTRL+K to abort
Can't establish tcp connection to server

After the configuration, run the display ssh server status and display ssh server session commands on the SSH server to check the current listening port number and that the STelnet and SFTP clients have logged in successfully.
# Check the status of the SSH server.
[Quidway] display ssh server status
SSH version                        :1.99
SSH connection timeout             :60 seconds
SSH server key generating interval :0 hours
SSH authentication retries         :3 times
SFTP server                        :Enable
Stelnet server                     :Enable
Scp server                         :Disable
SSH server port                    :1025

# Check the connections on the SSH server.

[Quidway] display ssh server session
Session 1:
Conn                : VTY 3
Version             : 2.0
State               : started
Username            : client001
Retry               : 1
CTOS Cipher         : aes128-cbc
STOC Cipher         : aes128-cbc
CTOS Hmac           : hmac-sha1-96
STOC Hmac           : hmac-sha1-96
Kex                 : diffie-hellman-group1-sha1
Service Type        : stelnet
Authentication Type : password
Session 2:
Conn                : VTY 4
Version             : 2.0
State               : started
Username            : client002
Retry               : 1
CTOS Cipher         : aes128-cbc
STOC Cipher         : aes128-cbc
CTOS Hmac           : hmac-sha1-96
STOC Hmac           : hmac-sha1-96
Kex                 : diffie-hellman-group1-sha1
Service Type        : sftp
Authentication Type : rsa

The session output also shows the negotiated algorithms. aes128-cbc, hmac-sha1-96 and diffie-hellman-group1-sha1 are what this release negotiates by default; all three are considered weak by current standards (CBC-mode cipher, truncated SHA-1 MAC, 1024-bit DH group), so check whether the software release in use can be configured to negotiate stronger ones before exposing the server beyond a management network.
----End

Configuration Files
l

Configuration file of the Quidway, the SSH server


#
sysname Quidway
#
vlan batch 10
#
interface Vlanif10
ip address 10.164.39.222 255.255.255.0
#
rsa peer-public-key rsakey001
public-key-code begin
3047
0240
C4989BF0 416DA8F2 2675910D 7F2997E8 5573A35D 0163FD4A FAC39A6E 0F45F325
A4E3AA1D 54692B04 C6A28D3D C58DE2E8 E0D58D65 7A25CF92 A74D21F9 E917182B
0203
010001
public-key-code end
peer-public-key end
#
aaa
local-user client001 password cipher %$%$6\ZH#;zYJ*HXE["UyioO-vmd%$%$
local-user client001 service-type ssh
#
sftp server enable
stelnet server enable
ssh server port 1025
ssh user client001
ssh user client002
ssh user client001 authentication-type password
ssh user client002 authentication-type rsa
ssh user client002 assign rsa-key RsaKey001
ssh user client001 service-type stelnet
ssh user client002 service-type sftp
ssh user client002 sftp-directory flash:/
#
interface GigabitEthernet0/0/1
port hybrid pvid vlan 10

port hybrid untagged vlan 10


#
user-interface vty 0 4
authentication-mode aaa
user privilege level 3
protocol inbound ssh
#
return

Configuration file of Client001, the SSH client


#
sysname client001
#
vlan batch 10
#
interface Vlanif10
ip address 10.164.39.220 255.255.255.0
#
ssh client first-time enable
#
interface GigabitEthernet0/0/1
port hybrid pvid vlan 10
port hybrid untagged vlan 10
#
return

Configuration file of Client002, the SSH client


#
sysname client002
#
vlan batch 10
#
interface Vlanif10
ip address 10.164.39.221 255.255.255.0
#
ssh client first-time enable
#
interface GigabitEthernet0/0/1
port hybrid pvid vlan 10
port hybrid untagged vlan 10
#
return

Example for Authenticating SSH Through RADIUS

In this example, a user that attempts to access the SSH server is authenticated by the RADIUS server, and the SSH server decides whether to set up the connection according to the authentication result.

Networking Requirements
When a RADIUS user connects to the SSH server, the SSH server acts as the RADIUS client (NAS) and forwards the user name and password supplied by the SSH client to the RADIUS server for authentication.
The RADIUS server authenticates the user and returns the result (accept or reject) to the SSH server; on success the user level is returned with it. The SSH server then allows or refuses the SSH client's connection according to that result.
Figure 1-51 shows the networking diagram.

Figure 1-51 Networking diagram for authenticating SSH through RADIUS
[Figure: SSH Client (10.164.39.221/24) -- SSH Server (10.164.39.222/24 towards the client, 10.164.6.41/24 towards the RADIUS server) -- RADIUS Server (10.164.6.49/24)]

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure the RADIUS server template on the SSH server.
2. Configure a domain on the SSH server.
3. Create the users on the RADIUS server.
4. Generate a local key pair on the SSH server.
5. Enable the STelnet and SFTP services on the SSH server.
6. Configure the service type and authorized directory of each SSH user.
7. Users ssh1@ssh.com and ssh2@ssh.com log in to the SSH server through STelnet and SFTP respectively.

Data Preparation
To complete the configuration, you need the following data:
l Password authentication for the two SSH users
l RADIUS as the authentication mode
l Name of the RADIUS server template
l Name of the RADIUS domain
l Name and password of each RADIUS user

Procedure
Step 1 Generate a local key pair on the SSH server.
<Quidway> system-view
[Quidway] rsa local-key-pair create
The key name will be: Quidway_Host
The range of public key size is (512 ~ 2048).
NOTES: If the key modulus is greater than 512,
It will take a few minutes.
Input the bits in the modulus[default = 512]: 768
Generating keys...
.......++++++++++++
..........++++++++++++
...................................++++++++
......++++++++

Step 2 Create the SSH user.


On the RADIUS server, add two users named ssh1@ssh.com and ssh2@ssh.com, and register the SSH server as a NAS with address 10.164.39.222 and shared key huawei. The NAS address is the address of the SSH server that connects to the RADIUS server.
# Configure the VTY user interface on the SSH server.
[Quidway] user-interface vty 0 4
[Quidway-ui-vty0-4] authentication-mode aaa
[Quidway-ui-vty0-4] protocol inbound ssh
[Quidway-ui-vty0-4] user privilege level 3
[Quidway-ui-vty0-4] quit

# Create SSH users ssh1@ssh.com and ssh2@ssh.com on the SSH server. The domain part of the name (@ssh.com) selects the AAA domain configured in Step 4; the SFTP user also needs an authorized directory.

[Quidway] ssh user ssh1@ssh.com
[Quidway] ssh user ssh1@ssh.com authentication-type password
[Quidway] ssh user ssh1@ssh.com service-type stelnet
[Quidway] ssh user ssh2@ssh.com
[Quidway] ssh user ssh2@ssh.com authentication-type password
[Quidway] ssh user ssh2@ssh.com service-type sftp
[Quidway] ssh user ssh2@ssh.com sftp-directory flash:/

Step 3 Configure the RADIUS template.


# Configure the authentication scheme newscheme and authentication mode RADIUS.
[Quidway] aaa
[Quidway-aaa] authentication-scheme newscheme
[Quidway-aaa-authen-newscheme] authentication-mode radius
[Quidway-aaa-authen-newscheme] quit

# Configure the RADIUS template of SSH server as ssh.


[Quidway] radius-server template ssh

# Configure the IP address as 10.164.6.49 and port of the RADIUS authentication server as 1812.
[Quidway-radius-ssh] radius-server authentication 10.164.6.49 1812

# Configure the shared key of the RADIUS server as huawei. The shared key is the only protection RADIUS gives the user password in transit (the User-Password attribute is masked with an MD5 stream derived from the key), and display radius-server configuration shows it in clear, so use a long random value in production rather than the example.


[Quidway-radius-ssh] radius-server shared-key huawei
[Quidway-radius-ssh] quit
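The exchange this template sets up, with the SSH server as NAS at 10.164.39.222 sending the user name and password to 10.164.6.49:1812 under the shared key huawei, looks like the following. This Python script is an added editorial example written from RFC 2865, not Huawei code: it builds the Access-Request with the User-Password hidden under the shared key, checks the Response Authenticator of the Access-Accept (a NAS that skips this check accepts a forged accept from anyone on the path), and shows that anyone holding the shared key can recover the password from a captured request, which is why a weak key matters. The fixed Request Authenticator and the RADIUS-side password Huawei used in the checks are constructed values.

```python
"""RADIUS Access-Request / Access-Accept as exchanged between the SSH server (NAS)
and the RADIUS server, built with the standard library only (RFC 2865)."""
import hashlib
import hmac
import os
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4


def hide_password(password, secret, request_auth):
    """RFC 2865 section 5.2: pad to 16-byte blocks and XOR each block with
    MD5(secret + previous block); the first block uses the Request Authenticator."""
    clear = password.encode()
    if not clear or len(clear) % 16:
        clear += b"\x00" * (16 - len(clear) % 16)
    hidden, prev = b"", request_auth
    for i in range(0, len(clear), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(clear[i:i + 16], mask))
        hidden += block
        prev = block
    return hidden


def reveal_password(hidden, secret, request_auth):
    """Inverse of hide_password: whoever holds (or guesses) the shared secret and has a
    captured request recovers the user's password."""
    clear, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        clear += bytes(a ^ b for a, b in zip(block, mask))
        prev = block
    return clear.rstrip(b"\x00").decode("utf-8", errors="replace")


def _attr(atype, value):
    return struct.pack("!BB", atype, 2 + len(value)) + value


def parse_attributes(data):
    """Return {type: value} for a RADIUS attribute list (one value per type here)."""
    attrs, pos = {}, 0
    while pos < len(data):
        atype, alen = struct.unpack("!BB", data[pos:pos + 2])
        if alen < 2 or pos + alen > len(data):
            raise ValueError("malformed attribute at offset %d" % pos)
        attrs[atype] = data[pos + 2:pos + alen]
        pos += alen
    return attrs


def build_access_request(ident, user, password, secret, nas_ip, request_auth=None):
    """Packet the NAS sends; returns (packet, request_authenticator). The Request
    Authenticator must be fresh random bytes: it keys the password hiding and ties
    the reply to this request. A fixed one is accepted only for testing."""
    request_auth = request_auth or os.urandom(16)
    attrs = (_attr(USER_NAME, user.encode())
             + _attr(USER_PASSWORD, hide_password(password, secret, request_auth))
             + _attr(NAS_IP_ADDRESS, socket.inet_aton(nas_ip)))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + request_auth + attrs, request_auth


def build_response(code, ident, attrs, request_auth, secret):
    """Packet the RADIUS server returns. Response Authenticator =
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    resp_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + resp_auth + attrs


def parse_packet(packet):
    """Split a packet into (code, identifier, authenticator, attributes)."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or length < 20:
        raise ValueError("bad RADIUS length field")
    return code, ident, packet[4:20], parse_attributes(packet[20:])


def verify_response(packet, request_auth, secret):
    """True only if the reply was produced with this shared secret for this request."""
    _, _, resp_auth, _ = parse_packet(packet)
    expected = hashlib.md5(packet[:4] + request_auth + packet[20:] + secret).digest()
    return hmac.compare_digest(resp_auth, expected)
```

The password hiding is an MD5-keyed stream, not encryption with a modern cipher: an attacker who captures the request and the reply can test candidate shared keys offline against the Response Authenticator, and once the key is known every password in every captured request is readable with reveal_password. Run RADIUS over a dedicated management VLAN and choose the shared key accordingly.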

Step 4 Configure RADIUS domain name.


# Configure the RADIUS domain of SSH server as ssh.com, applying authentication scheme
newscheme and RADIUS template ssh.
[Quidway] aaa
[Quidway-aaa] domain ssh.com
[Quidway-aaa-domain-ssh.com] authentication-scheme newscheme
[Quidway-aaa-domain-ssh.com] radius-server ssh
[Quidway-aaa-domain-ssh.com] quit
[Quidway-aaa] quit

Step 5 Connect the SSH client and the SSH server.


# Enable STelnet and SFTP services on the SSH server.
[Quidway] stelnet server enable
[Quidway] sftp server enable

# For the first login, you need to enable the first authentication on SSH client.
[client] ssh client first-time enable
[client] quit

# Connect the STelnet client to the SSH server in the RADIUS authentication.
<client> system-view
[client] stelnet 10.164.39.222
Please input the username:ssh1@ssh.com
Trying 10.164.39.222 ...
Press CTRL+K to abort
Connected to 10.164.39.222 ...
The server is not authenticated. Continue to access it? [Y/N] :y
Save the server's public key? [Y/N] :y
The server's public key will be saved with the name 10.164.39.222. Please wait.
..
Enter password:

Enter the password configured for ssh1@ssh.com on the RADIUS server (Huawei in this example); the login succeeds and the following is displayed:


Info: The max number of VTY users is 20, and the number
of current VTY users on line is 2.
<Quidway>

# Connect the SFTP client to the SSH server in the RADIUS authentication.
<client> system-view
[client] sftp 10.164.39.222
Please input the username:ssh2@ssh.com
Trying 10.164.39.222 ...
Press CTRL+K to abort
Connected to 10.164.39.222 ...
Enter password:
sftp-client>

Step 6 Verify the configuration.


After the configuration, run the display radius-server configuration and display ssh server
session commands on the SSH server. You can view the configuration of the RADIUS server
on the SSH server. You can also view that the STelnet or SFTP client is connected to the SSH
server successfully with RADIUS authentication.
# Display the configuration of the RADIUS server.
[Quidway-aaa] display radius-server configuration
-------------------------------------------------------------------
Server-template-name            : ssh
Protocol-version                : standard
Traffic-unit                    : B
Shared-secret-key               : huawei
Timeout-interval(in second)     : 5
Primary-authentication-server   : 10.164.6.49    :1812   LoopBack:NULL
Primary-accounting-server       : 0.0.0.0        :0      LoopBack:NULL
Secondary-authentication-server : 0.0.0.0        :0      LoopBack:NULL
Secondary-accounting-server     : 0.0.0.0        :0      LoopBack:NULL
Retransmission                  : 3
Domain-included                 : YES
Calling-station-id MAC-format   : xxxx-xxxx-xxxx
-------------------------------------------------------------------
Total of radius template :1

# Display the connections on the SSH server.

[Quidway] display ssh server session
Session 1:
Conn                : VTY 0
Version             : 2.0
State               : started
Username            : ssh1@ssh.com
Retry               : 1
CTOS Cipher         : aes128-cbc
STOC Cipher         : aes128-cbc
CTOS Hmac           : hmac-sha1-96
STOC Hmac           : hmac-sha1-96
Kex                 : diffie-hellman-group1-sha1
Service Type        : stelnet
Authentication Type : password
Session 2:
Conn                : VTY 1
Version             : 2.0
State               : started
Username            : ssh2@ssh.com
Retry               : 1
CTOS Cipher         : aes128-cbc
STOC Cipher         : aes128-cbc
CTOS Hmac           : hmac-sha1-96
STOC Hmac           : hmac-sha1-96
Kex                 : diffie-hellman-group1-sha1
Service Type        : sftp
Authentication Type : password

----End

Configuration Files
Configuration file of the SSH server
#
sysname Quidway
#
radius-server template ssh
radius-server authentication 10.164.6.49 1812
#
aaa
authentication-scheme newscheme
authentication-mode radius
#
domain ssh.com
authentication-scheme newscheme
radius-server ssh
#
#
sftp server enable
stelnet server enable
ssh user ssh1@ssh.com
ssh user ssh2@ssh.com
ssh user ssh1@ssh.com authentication-type password
ssh user ssh2@ssh.com authentication-type password
ssh user ssh1@ssh.com service-type stelnet
ssh user ssh2@ssh.com service-type sftp
ssh user ssh2@ssh.com sftp-directory flash:/
#
user-interface vty 0 4
authentication-mode aaa
user privilege level 3
protocol inbound ssh
#
return

2 Configuration Guide - Device Management

About This Chapter


This document describes procedures and provides examples for configuring the Device
Management features of the AC6605.
2.1 Using display commands to check the status of the device
This section describes how to use display commands and regular expressions to check the status of the device.
2.2 Hardware Management
This chapter describes the hardware management configurations on the AC6605.
2.3 Monitoring the Device Through the Information Center
This chapter describes the basics of the information center, introduces the procedure for
managing the information center and monitoring the device, and provides configuration
examples.
2.4 Configuring a Monitoring Interface
This chapter describes how to configure a monitoring interface to monitor the device
environment.
2.5 Mirroring
The mirroring function is used to monitor packets that meet certain requirements.
2.6 PoE Configuration
This chapter describes the basic concepts and configuration methods of PoE.
2.7 ALS Configuration
This chapter describes the Automatic Laser Shutdown (ALS) configuration on the AC6605.
2.8 Restarting and Resetting
This chapter introduces the basics of the BootROM software and the Versatile Routing Platform
(VRP) system software, and describes how to restart the AC6605.

2.1 Using display commands to check the status of the device


This section describes how to use display commands and regular expressions to check the status of the device.

2.1.1 Introduction
This section describes function of display commands.
You can use display commands to view the status of a device and check whether the device runs
normally.

2.1.2 Checking the Status of the AC6605


This section describes how to check the status of the AC6605 by using the display commands.

Checking Information About the AC6605


Context
You can run the following command in any view to check the type and status of a component
on the AC6605.

Procedure
Step 1 Run:
display device [ slot slot-id ]

Information about a component on the AC6605 is displayed.


----End

Checking the Version of the AC6605


Context
You can run the display version command in any view to check the version of the AC6605.
The displayed information includes the type of a card, startup duration, version of the hardware,
and version of the software.

Procedure
Step 1 Run:
display version [ slot slot-id ]

The version of the specified card is displayed.


----End
Checking the Electronic Labels


Context
You can run the display elabel command in any view to check the electronic labels.
You can run the display elabel command to check information about the hardware code. The
hardware code provides necessary basis for such services as network installation, network
upgrade, network expansion, device management and maintenance, and device replacement in
batches.
The displayed information includes: type of the card, bar code, Bill of Material (BOM) code,
English description, production date, supplier name, issuing number, Common Language
Equipment Identification (CLEI) code, and sales BOM code.

Procedure
Step 1 Run:
display elabel [ slot slot-id [ subcard-id ] ]

The electronic labels are displayed.


<Quidway> display elabel slot 0
/$[System Integration Version]
/$SystemIntegrationVersion=3.0
[Slot_0]
/$[Board Integration Version]
/$BoardIntegrationVersion=3.0
[Main_Board]
/$[ArchivesInfo Version]
/$ArchivesInfoVersion=3.0
[Board Properties]
BoardType=AC6605-26-PWR
BarCode=210235396810C7000051
Item=02353968
Description=AC6605-26-PWR,AC6605-26-PWR,AC6605-26-PWR Mainframe(20 GE RJ45,4 GE
Combo,2 10GE SFP+,Dual Slots of power,POE,Without Power Module)
Manufactured=2012-07-13
VendorName=Huawei
IssueNumber=00
CLEICode=
BOM=

[Port_25]
/$[ArchivesInfo Version]
/$ArchivesInfoVersion=3.0
[Board Properties]
BoardType=
BarCode=
Item=
Description=
Manufactured=


/$VendorName=
IssueNumber=
CLEICode=
BOM=
[Port_26]
/$[ArchivesInfo Version]
/$ArchivesInfoVersion=3.0
[Board Properties]
BoardType=
BarCode=
Item=
Description=
Manufactured=
/$VendorName=
IssueNumber=
CLEICode=
BOM=
[Port_27]
/$[ArchivesInfo Version]
/$ArchivesInfoVersion=3.0
[Board Properties]
BoardType=
BarCode=
Item=
Description=
Manufactured=
/$VendorName=
IssueNumber=
CLEICode=
BOM=

/$[ArchivesInfo Version]
/$ArchivesInfoVersion=3.0
[Board Properties]
BoardType=ES0W2PSA0150
BarCode=2102310JFA10C6000009
Item=02310JFA
Description=S5710 Series,ES0W2PSA0150,150W AC Power Module
Manufactured=2012-06-19
VendorName=Huawei
IssueNumber=
CLEICode=
BOM=

----End
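The output of display elabel is what an operator keeps as the hardware baseline: a bar code that changes between two runs means a board or power module was swapped. The following parser is an added example, not code from this guide or from Huawei; it assumes only the text layout shown above ("[Section]" headers, "/$"-prefixed format metadata, and key=value lines under "[Board Properties]"). The sample text is a shortened copy of the page's own output, with the page's sample bar codes, and the component names such as "Slot_0/Main_Board" and "Slot_0/Unnamed_1" are this example's own naming scheme.

```python
"""Parse `display elabel` output into a per-component hardware inventory.

Added example, not code from the AC6605 guide. Assumes the layout shown in
the section: "[Section]" headers, "/$" metadata lines, key=value properties.
"""
import re

# Constructed sample, shortened from the page's own output; the bar codes are
# the page's sample values, not those of a real device.
SAMPLE_ELABEL = """\
/$[System Integration Version]
/$SystemIntegrationVersion=3.0
[Slot_0]
/$[Board Integration Version]
/$BoardIntegrationVersion=3.0
[Main_Board]
/$[ArchivesInfo Version]
/$ArchivesInfoVersion=3.0
[Board Properties]
BoardType=AC6605-26-PWR
BarCode=210235396810C7000051
Item=02353968
Description=AC6605-26-PWR Mainframe
Manufactured=2012-07-13
VendorName=Huawei
IssueNumber=00
CLEICode=
BOM=

[Port_25]
/$[ArchivesInfo Version]
/$ArchivesInfoVersion=3.0
[Board Properties]
BoardType=
BarCode=
Item=
/$VendorName=
BOM=

/$[ArchivesInfo Version]
/$ArchivesInfoVersion=3.0
[Board Properties]
BoardType=ES0W2PSA0150
BarCode=2102310JFA10C6000009
Item=02310JFA
Description=S5710 Series,ES0W2PSA0150,150W AC Power Module
Manufactured=2012-06-19
VendorName=Huawei
"""

SECTION_RE = re.compile(r"^\[(?P<name>[^\]]+)\]$")


def parse_elabel(text):
    """Return {component: {property: value}} for every [Board Properties] block.

    Components are named "<slot>/<section>" (e.g. "Slot_0/Main_Board"); a
    properties block with no preceding section header, like the power module
    in the page's output, is named "<slot>/Unnamed_<n>" (this example's choice).
    """
    components = {}
    slot = None       # most recent [Slot_n] header
    pending = None    # component header waiting for its [Board Properties]
    current = None    # component whose key=value lines are being read
    unnamed = 0
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("/$"):
            # "/$" prefixes format metadata, but the page's output also shows it
            # on an empty "VendorName=" line; keep key=value lines inside a block.
            body = line[2:]
            if current is not None and "=" in body and not body.startswith("["):
                key, value = body.split("=", 1)
                components[current][key] = value
            continue
        match = SECTION_RE.match(line)
        if match:
            name = match.group("name")
            if name == "Board Properties":
                if pending is None:
                    unnamed += 1
                    pending = f"{slot}/Unnamed_{unnamed}" if slot else f"Unnamed_{unnamed}"
                current = pending
                components[current] = {}
                pending = None
            else:
                current = None
                if name.startswith("Slot_"):
                    slot = name
                    pending = name
                else:
                    pending = f"{slot}/{name}" if slot else name
            continue
        if current is not None and "=" in line:
            key, value = line.split("=", 1)
            components[current][key] = value
    return components


def barcodes(components):
    """Bar codes of physically present parts; an empty BarCode is an empty port."""
    return {name: props["BarCode"]
            for name, props in components.items() if props.get("BarCode")}


def diff_inventory(baseline, current):
    """Compare two {component: barcode} maps, e.g. a stored backup against a
    fresh display elabel; a changed bar code means the part was swapped."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "changed": sorted(n for n in baseline.keys() & current.keys()
                          if baseline[n] != current[n]),
    }
```

Running parse_elabel over the text captured from the device and comparing barcodes() against the copy saved by backup elabel (next section) turns the label backup into a detection for unexpected hardware changes rather than just a troubleshooting aid.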

Checking Temperature
Context
You can run the following command in any view to check the working temperature of the
AC6605.

Procedure
Step 1 Run:
display environment [ slot slot-id ]

The temperature of a temperature-sensing SIC is displayed.


----End

Checking the Fan Status


When the device temperature is high, you can check whether the fan is functioning normally.

Procedure
Step 1 Run:
display fan [ slot slot-id | verbose ]

The fan status is displayed.


----End

Checking the Power Supply Status


Before replacing a power supply, you need to check the status of the power supply.

Procedure
Step 1 Run the following command in any view:
display power

The status of each power supply is displayed.


----End

Checking the CPU Usage


You can check the CPU utilization statistics and CPU settings.

Procedure
Step 1 Run:
display cpu-usage [ configuration | slave | slot slot-id ]

The CPU utilization statistics and CPU settings are displayed.


----End

Checking the Memory Usage


Context
You can run the following command in any view to check the memory usage of the AC6605.

Procedure
Step 1 Run:
display memory-usage [ slave | slot slot-id ]

The memory usage is displayed.


----End

Checking Alarms
Context
You can run the following command in any view to check alarms on the AC6605.

Procedure
Step 1 Run:
display alarm urgent [ slot slot-id | time interval ]

The alarms generated during device operation are displayed.


----End

Checking the Status of an Interface


Checking the Status of a Specified Interface
1. Run:
display interface interface-type interface-number

The status of a specified interface is displayed.


Information about the status of an interface contains the running status, basic configuration of
the interface, and statistics of the transmission of packets.

Checking the Status of an Interface in the Current Interface View


1. Run:
system-view

The system view is displayed.

2. Run:
interface interface-type interface-number

The interface view is displayed.

3. Run:
display this interface

The status of the interface in the current interface view is displayed.

2.2 Hardware Management


This chapter describes the hardware management configurations on the AC6605.


2.2.1 Hardware Management Overview


This section explains the definition of hardware management.
Hardware management refers to operating the installed hardware of the AC6605 by using
commands.

2.2.2 Hardware Management Features Supported by the AC6605


This section describes the hardware management features supported by the AC6605.
The AC6605 supports the following hardware management features:
l Electronic label backup
l Electrical port sleep
l Configuring the power-saving mode
l Configuring the alarm function for optical modules

2.2.3 Backing Up the Electronic Label


This section describes how to back up the electronic label of the AC6605.

Establishing the Configuration Task


Before backing up the electronic label, familiarize yourself with the applicable environment,
complete the pre-configuration tasks, and obtain the required data. This helps you complete the
configuration task quickly and accurately.

Applicable Environment
Electronic labels of network devices play an important role in troubleshooting. When faults
occur on a network, you can obtain hardware information quickly from electronic labels.
Therefore, you need to back up electronic labels.

Pre-configuration Tasks
Before backing up the electronic label of the AC6605, complete the following task:
l Connecting the AC6605 to an FTP server and ensuring that there is a reachable route
between them

Data Preparation
To back up the electronic label of the AC6605, you need the following data.

No. Data
1 Name of the electronic label backup file
2 Stack ID of the AC6605 whose electronic label needs to be backed up
3 FTP server address, FTP user name, and password (only applicable to saving the
electronic label to an FTP server)

Backing Up the Electronic Label


You can back up the electronic label of the AC6605 to an FTP server or the Flash card of the
AC6605.

Procedure
l Back up the electronic label to the Flash card.
1. Run the following command in the user view:
backup elabel [ slot slot-id ]

The electronic label is backed up to the Flash card.

l Back up the electronic label to an FTP server.
1. Run the following command in the user view:
backup elabel [ ftp ip-address filename username password ] [ slot slot-id [ subcard-id ] ]

The electronic label is backed up to an FTP server.


----End

2.2.4 Configuring Electrical Port Sleep


This section describes how to configure electrical port sleep to save energy.

Establishing the Configuration Task


Before configuring electrical port sleep, familiarize yourself with the applicable environment,
complete the pre-configuration tasks, and obtain the required data. This helps you complete the
configuration task quickly and accurately.

Applicable Environment
When a device is working normally, you can enable electrical port sleep to save energy.

Pre-configuration Tasks
None.

Data Preparation
To configure electrical port sleep, you need the following data.
No. Data
1 Number of the electrical port where the sleep function is to be enabled

Enabling Electrical Port Sleep


To save energy on a device, you can enable electrical port sleep on the device.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
interface { interface-type interface-number }

The interface view is displayed.


Step 3 Run:
port-auto-sleep enable

Electrical port sleep is enabled.


By default, the sleep function is disabled on an Ethernet port.
----End

Checking the Configuration


After enabling electrical port sleep, you can run the following command to check the
configuration.

Procedure
l Run:
system-view

The system view is displayed.

l Run:
interface { interface-type interface-number }

The interface view is displayed.

l Run:
display this

Check whether port sleep is enabled.


----End

2.2.5 Configuring the Power-Saving Mode


This section describes how to configure the power-saving mode on the Switch.

Establishing the Configuration Task


Before configuring the power-saving mode, familiarize yourself with the applicable
environment, complete the pre-configuration tasks, and obtain the data required for the
configuration. This can help you complete the configuration task quickly and accurately.

Applicable Environment
You can configure the power-saving mode as required to reduce power consumption on the
Switch.

Pre-configuration Tasks
None

Data Preparation
None

Configuring the Power-Saving Mode


Select an appropriate power-saving mode based on the service requirements.

Context
The following power-saving modes are available:
l User-defined mode: uses the user-defined power-saving settings.
l Standard mode: uses the factory power-saving settings.
l Basic mode: shuts down idle components or switches them to the dormant state. This mode
increases the system response speed when new services are configured or new users go
online.
l Deep mode: shuts down idle components or switches them to the dormant state, and
dynamically adjusts the power consumption based on the actual situation of services. This
mode is not recommended when the service traffic changes frequently or the power is
unstable.
NOTE

l Currently, the AC6605 does not support the user-defined mode. You can use the other three modes as
required.
l The power-saving measures are not delivered after you set the power-saving mode.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
set power manage mode mode-id

The power-saving mode is set.


----End

Checking the Configuration


After configuring the power-saving mode, you can run the following command to verify the
configuration.

Context
The configuration of the power-saving mode is complete.

Procedure
l Run the display power manage mode command to check the power-saving mode of the
Switch.

----End

2.2.6 Configuring the Alarm Function for Optical Modules


This section describes how to configure the alarm function for optical modules and configure
the alarm threshold.

Establishing the Configuration Task


Before configuring the alarm function for optical modules, familiarize yourself with the
applicable environment, complete the pre-configuration tasks, and obtain the data required for
the configuration. This can help you complete the configuration task quickly and accurately.

Applicable Environment
The rules for determining when to generate alarms for optical modules vary according to the
environment where devices run. You can define the rules for determining when to generate
alarms according to service requirements to help monitor devices.

Pre-configuration Tasks
None

Data Preparation
To configure the alarm function for optical modules, you need the following data.
No. Data
1 Upper and lower alarm thresholds for the transmit power of the optical module
2 Upper and lower alarm thresholds for the receive power of the optical module
3 Upper and lower alarm thresholds for the bias current of the optical module
4 Upper and lower alarm thresholds for the temperature of the optical module
5 Upper and lower alarm thresholds for the voltage of the optical module

Configuring the Alarm Function for Optical Modules


You can configure the alarm function for optical modules according to the environment where
devices run.


Context
You can configure the alarm thresholds for the power, temperature, voltage, and current of
optical modules and configure the alarm function for non-Huawei-customized optical modules
to shield unnecessary alarms.

Procedure
l Disable the alarm function for non-Huawei-customized optical modules.
1. Run:
system-view

The system view is displayed.

2. Run:
transceiver phony-alarm-disable

The alarm function is disabled for non-Huawei-customized optical modules.

Non-Huawei-customized optical modules can work properly on devices. However,
an alarm is generated when non-Huawei-customized optical modules are used on
devices manufactured since January 1, 2013. You can disable the alarm function to
shield this alarm without affecting services.

l Configure alarm thresholds for optical modules.
1. Run:
interface interface-type interface-number

The interface view is displayed.

2. Run:
transceiver diagnosis threshold rx-power { default | low-alarm low-alarm high-alarm high-alarm }

Upper and lower alarm thresholds are set for the receive power of optical modules.

3. Run:
transceiver diagnosis threshold tx-power { default | low-alarm low-alarm high-alarm high-alarm }

Upper and lower alarm thresholds are set for the transmit power of optical modules.

4. Run:
transceiver diagnosis threshold current { default | low-alarm low-alarm high-alarm high-alarm }

Upper and lower alarm thresholds are set for the bias current of optical modules.

5. Run:
transceiver diagnosis threshold temperature { default | low-alarm low-alarm high-alarm high-alarm }

Upper and lower alarm thresholds are set for the temperature of optical modules.

6. Run:
transceiver diagnosis threshold voltage { default | low-alarm low-alarm high-alarm high-alarm }

Upper and lower alarm thresholds are set for the voltage of optical modules.
----End

Checking the Configuration


After the alarm function is configured for optical modules, you can view the thresholds for the
voltage, current, power, and temperature of optical modules.

Prerequisites
Optical modules have been installed on devices.

Procedure
Step 1 Run the display transceiver command on the AC6605 to check basic information,
manufacturing information, and alarms about optical modules.
Step 2 Run the display transceiver diagnosis interface [ interface-type interface-number ] command
to check diagnostic information about a specified optical module.
----End

2.3 Monitoring the Device Through the Information Center


This chapter describes the basics of the information center, introduces the procedure for
managing the information center and monitoring the device, and provides configuration
examples.

2.3.1 Information Center Overview


The information center controls the output of logs, alarms, and debugging messages.

Introduction to the Information Center


The information center works as the information hub of a Switch. It classifies and filters the
output of a system. The information center uses a debugging program to help network
administrators and developers monitor network operation and analyze network faults.

Information Center Supported by the AC6605


In the AC6605, the information center outputs logs, alarms, and debugging messages with eight
severity levels to different directions through 10 information channels.

Information Classification
The information center receives and processes the following types of information:
l Logs
l Debugging information
l Alarm information


Severity Levels of Information


Information is classified into eight severity levels as shown in Table 2-1. The more severe the
information is, the lower its severity level value is.
Table 2-1 Description of the severity levels of information
Threshold | Severity Level | Description
0 | Emergency | A fatal fault, such as a program exception or incorrect use of the memory, occurs on the device. The system must restart.
1 | Alert | An important fault occurs on the device. For example, the device memory reaches the upper limit. The fault then needs to be removed immediately.
2 | Critical | A crucial fault occurs, such as the memory or temperature reaches the lowest limit, the BFD device is unreachable, or an internal fault that is generated by the device itself. The fault then needs to be analyzed and removed.
3 | Error | A fault caused by an improper operation or a wrong process occurs, such as entering the wrong user password or receiving wrong protocol packets from other devices. The faults do not affect services but should be paid attention to.
4 | Warning | An abnormal situation of the running device occurs, such as the user disables the routing process, BFD detects packet loss, or the wrong protocol packet is received. The fault should be paid attention to because it may affect services.
5 | Notice | Indicates the key operations used to ensure that the device runs normally, such as the shutdown command, neighbor discovery, or the state machine.
6 | Informational | Indicates the common operations to ensure that the device runs normally, such as the display command.
7 | Debugging | Indicates the common information of the device that need not be paid attention to.

When information filtering based on severity levels is enabled, only the information whose
severity level threshold is less than or equal to the configured value is output.
For example, if the severity level value is configured to 6, only the information with the severity
level value from 0 to 6 is output.


Working Process of an Information Center


The working process of the information center is as follows:
l The information center receives logs, traps, and debugging information from all modules.
l The information center outputs information with different severity levels to different
information channels according to the configurations of users.
l The information is transmitted to different directions based on the association relationship
between the information channel and the output direction.

Generally, the information center distributes the three types of information that can be classified
into eight levels to ten information channels. The information is then output to different
directions.
As shown in Figure 2-1, logs, alarms, and debugging information have default output channels.
You can, however, customize them to be output from other channels. For example, you can
configure logs to be output to the log cache through Channel 6 rather than Channel 4.
Figure 2-1 Functions of the information channel
[Figure: the three information types (logs, traps, and debugging information) are mapped to
information channels 0 to 9, and the channels are mapped to the output directions Console
(channel 0), Monitor (remote terminal), Loghost, Trap buffer, Log buffer, SNMP agent
(channel 5), and channels 6 to 9; separate arrows show the directions of logs, alarms, and
debugging information.]

Information Channels and Output Directions


The system supports ten channels. The first six channels (Channel 0 to Channel 5) have their
default channel names, and are associated with six output directions.
For details of the association relationship between default channels and output directions, see
Table 2-2.


Table 2-2 Association relationship between the information channels and output directions
Channel Number | Default Channel Name | Output Direction | Description
0 | Console | Console | Outputs information to the local Console that can receive logs, alarms, and debugging information.
1 | Monitor | Monitor | Outputs information to the VTY terminals that can receive logs, alarms, and debugging information and then perform remote maintenance.
2 | Loghost | Log host | Outputs information to the log host that can receive logs, alarms, and debugging information. The information is saved to a log host in the file format for easy reference.
3 | Trapbuffer | Trap buffer | Outputs information to the trap buffer that can receive traps. An area is specified inside a device as the trap buffer to record traps.
4 | Logbuffer | Log buffer | Outputs information to the log buffer area that can receive logs. The Switch assigns a specified area in itself to be the log buffer area that can record the information.
5 | Snmpagent | SNMP agent | Outputs information to the SNMP agent that can receive alarms.
6 | Unspecified | Unspecified | Reserved.
7 | Unspecified | Unspecified | Reserved.
8 | Unspecified | Unspecified | Reserved.
9 | Unspecified | Unspecified | Reserved.

When multiple log hosts are configured, you can configure logs to be output to different log
hosts through one channel or several channels. For example, configure part of the logs to be output
to a log host either through Channel 2 (loghost) or through Channel 6. You can also change the
name of Channel 6 to manage the channel conveniently.

Format of Logs
Syslog is a sub-function of the information center. It outputs information to a log host through
port 514.
Figure 2-2 shows the format of logs.
Figure 2-2 Format of the output logs

<Int_16>TIMESTAMP HOSTNAME %%ddAAA/B/CCC(l):slot=XXX; YYYY



Table 2-3 describes each field in the log format.

Table 2-3 Description of each field in the format of logs
Field | Indication | Description
<Int_16> | Leading character | Before logs are output to log hosts, leading characters are added. Logs saved in the local device do not contain leading characters.
TIMESTAMP | Time to send out the information | The timestamp has five formats:
l boot: indicates relative time.
l date: indicates the timestamp in the format of system time.
l short-date: The only difference between the date format and short-date is that short-date does not include the year.
l format-date: It is another time format of the system time.
l none: indicates that the information does not contain a timestamp.
There is a space between the timestamp and the host name.
HOSTNAME | Host name | By default, the name is Quidway.
%% | Log information | Indicates that this piece of log is output by a device produced by Huawei.
dd | Version number | Identifies the version of the log format.
AAA | Module name | Indicates the name of the module that outputs information to the information center.
B | Log level | Indicates the severity level of the log.
CCC | Brief description | Describes the information type.
(l) | Information type | l: indicates the user log identifier.
slot=XXX | Location information | Slot indicates the number of the slot that sends the location information.
YYYY | Descriptor | Indicates the detailed information output from each module to the information center. Each module fills in this field before outputting logs to describe the detailed contents of logs.

Format of Alarms
Figure 2-3 shows the format of the output alarms.


Figure 2-3 Format of the output alarms

TimeStamp HostName ModuleName/Severity/BriefDescription

Table 2-4 describes each field of the alarm format.

Table 2-4 Description of each field in the format of alarms
Field | Indication | Description
TimeStamp | Time to send out the information | Five timestamp formats are available:
l boot: indicates relative time. By default, debugging information adopts this timestamp format.
l date: indicates the timestamp in the format of system time. By default, logs and traps adopt this timestamp format.
l short-date: indicates system time. The short-date format does not contain year information.
l format-date: indicates another format of system time.
l none: indicates that no timestamp is contained in traps.
The timestamp and the host name are separated by a blank space.
HostName | Host name | By default, the name is Quidway. There is a space between the sysname and the module name.
ModuleName | Module name | Indicates the name of the module that generates an alarm.
Severity | Severity of information | Indicates the severity of alarms: Critical, Major, Minor, Warning, Indeterminate, or Cleared.
Brief | Brief information | Provides brief information about the alarms.
Description | Description | Provides a detailed description of the alarms.
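A log host that receives these records has to split them on exactly the fields of Figures 2-2 and 2-3 before it can alert on them, and the severity filter of Table 2-1 is what decides which records arrive at all. The following parser is an added example, not code from this guide; the sample lines are constructed to match the two formats (module names and message texts are invented), and it assumes that the leading <Int_16> is the standard syslog PRI value (facility * 8 + severity) that a log host on port 514 expects.

```python
"""Parse AC6605 logs (Figure 2-2) and alarms (Figure 2-3) and apply the
severity filter of Table 2-1.

Added example, not code from the guide. Sample lines are constructed.
Assumption: the leading <Int_16> is the syslog PRI, facility * 8 + severity.
"""
import re

# Table 2-1: threshold value -> severity level name (0 is the most severe).
SEVERITY_NAMES = {0: "Emergency", 1: "Alert", 2: "Critical", 3: "Error",
                  4: "Warning", 5: "Notice", 6: "Informational", 7: "Debugging"}

# <Int_16>TIMESTAMP HOSTNAME %%ddAAA/B/CCC(l):slot=XXX; YYYY
LOG_RE = re.compile(
    r"^(?:<(?P<pri>\d{1,3})>)?"                 # leading character; absent in local logs
    r"(?P<timestamp>.+?) (?P<hostname>\S+) "
    r"%%(?P<version>\d{2})(?P<module>[A-Za-z0-9_]+)/(?P<level>[0-7])/"
    r"(?P<brief>[A-Za-z0-9_]+)\((?P<kind>[a-z])\):"
    r"(?P<location>[^;]*);\s*(?P<description>.*)$")

# TimeStamp HostName ModuleName/Severity/BriefDescription
ALARM_RE = re.compile(
    r"^(?P<timestamp>.+?) (?P<hostname>\S+) (?P<module>[A-Za-z0-9_]+)/"
    r"(?P<severity>Critical|Major|Minor|Warning|Indeterminate|Cleared)/"
    r"(?P<brief_description>.+)$")

# Constructed samples: the first three as a log host sees them, the last as
# stored locally (no leading character).
SAMPLE_LOGS = [
    "<189>Jan 10 2013 10:23:45 Quidway %%01SHELL/5/CMDRECORD(l):slot=0; Recorded command information.",
    "<190>Jan 10 2013 10:23:50 Quidway %%01IFNET/6/LINK_STATE(l):slot=0; Interface went up.",
    "<187>Jan 10 2013 10:24:00 Quidway %%01AAA/3/LOGIN_FAIL(l):slot=0; User login failed.",
    "Jan 10 2013 10:24:10 Quidway %%01SHELL/6/DISPLAY_CMD(l):slot=0; Display command executed.",
]
SAMPLE_ALARM = "Jan 10 2013 10:25:00 Quidway ENTITY/Major/TEMP_HIGH The board temperature is too high."


def parse_log(line):
    """Return the fields of one log line as a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["level"] = int(rec["level"])
    rec["level_name"] = SEVERITY_NAMES[rec["level"]]
    if rec["pri"] is not None:
        # PRI decoding is the assumption named above; facility 23 is "local7".
        rec["facility"], rec["pri_severity"] = divmod(int(rec["pri"]), 8)
    return rec


def parse_alarm(line):
    """Return the fields of one alarm line as a dict, or None if it does not match."""
    m = ALARM_RE.match(line)
    return m.groupdict() if m else None


def filter_logs(lines, configured_level):
    """Keep the logs the information center outputs at this setting: those whose
    level value is less than or equal to the configured value (Table 2-1)."""
    kept = []
    for line in lines:
        rec = parse_log(line)
        if rec is not None and rec["level"] <= configured_level:
            kept.append(rec)
    return kept
```

Two points are worth checking when wiring this into a real collector: the level value in the message body (field B) is what the device filtered on, so keep it even if the collector also decodes the PRI, and the local log buffer (display logbuffer) never carries the leading character, so a parser for both sources must treat it as optional, as this one does.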


2.3.2 Configuring the Information Center


This section describes how to manage and configure the information center.

Establishing the Configuration Task


Applicable Environment
To collect debugging information, logs, and traps during the operation of the AC6605, and to
send them to the terminal for display, or to the buffer or the host for storage, you need to configure
the information center.

Pre-configuration Tasks
None.

Data Preparation
To manage the information center, you need the following data.
No. Data
1 (Optional) Numbers and names of the information channels
2 (Optional) Format of the timestamp
3 (Optional) Information severity
4 (Optional) Language used in the logs and the address of the log host
5 (Optional) Size of the log buffer and the trap buffer

Enabling the Information Center


Context
Do as follows on the AC6605.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
info-center enable

The information center is enabled.



NOTE

The system sends the system information to the log host and the console only after the information center
is enabled.

----End

(Optional) Naming the Information Channel


Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
info-center channel channel-number name channel-name

Channels are specified to send debugging information, logs, and traps.


----End

Defining the Information Channel


Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
info-center source { module-name | default } channel { channel-number | channel-name } [ { debug | log | trap } { state { off | on } | level severity } * ] *

A module (or modules) is specified to send debugging information, logs, or traps to the
information channels.
NOTE

Run the undo info-center source { module-name | default } channel { channel-number | channel-name } command to disable the unnecessary modules and select one or more modules to send information
to the information channels.

----End

(Optional) Configuring the Timestamp for the Output Information


Procedure
Step 1 Run:
system-view

The system view is displayed.



Step 2 Run:
info-center timestamp debugging { boot | none | { short-date | format-date | date }
[ precision-time { tenth-second | second } ] }

The format of the timestamp is set for the debugging information.


Step 3 Run:
info-center timestamp { trap | log } { boot | none | { short-date | format-date |
date } [ precision-time { tenth-second | millisecond } ] }

The format of the timestamp is set for the output logs or traps information.
----End

(Optional) Configuring the Suppression of the Log Processing Rate


You can set thresholds for all logs.

Context
During the running of a device, if too many logs with the same log ID are generated, the
information center is too busy processing these logs to process logs with other log IDs, which
may even affect the running service. The information center monitors the traffic of logs with
different log IDs. When the traffic of logs with a specific log ID repeatedly exceeds the threshold
during the monitoring period, the information center suppresses the processing rate of these
specified logs by processing only the conforming traffic and discarding the non-conforming
traffic; when the traffic of logs with the specific log ID falls below the threshold and remains
below the threshold for five monitoring periods, the suppression is removed.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
info-center rate-limit threshold value [ byinfoID infoID | bymodule-alias modname
alias ]

The maximum number of logs with the same log ID that the information center can process
every second is set.
By default, the information center processes a maximum of 50 logs with the same log ID every
second. In certain application scenarios, the information center is required by default to
process more than 30 logs with the same log ID every second. You can set different thresholds
for logs with different log IDs.
NOTE

l If the threshold is too low, some logs may be discarded.
l If the threshold is too high, the information center cannot identify the log ID under which too many
logs are generated.

Step 3 Run:
info-center rate-limit global-threshold

The total number of logs that the information center can process each second is set.

Step 4 Run:
info-center rate-limit monitor-period

The period for the information center to limit the log processing rate is set.
Step 5 Run:
info-center rate-limit except

(Optional) Cancel the log processing rate limit for logs with the specified ID or module name.
If logs with the specified ID or module name will never be generated in a huge number, you can
run this command to cancel the log processing rate limit for the logs. After this command is run,
the configured log processing rate limit will not be effective for logs with the specified ID or
module name.
----End
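The suppression mechanism described in this section is easier to reason about (for instance, how much of a log flood an attacker-triggered event could hide from the log host) when run as a simulation. The following model is an added example, not code from the guide or from the device. The guide states the mechanism itself: per-second counting per log ID, a threshold, conforming logs processed and non-conforming logs discarded while a log ID is suppressed, and release after the traffic stays below the threshold for five monitoring periods. Two details are this example's assumptions: a log ID becomes suppressed once its per-second count exceeds the threshold in trigger_count distinct seconds of one monitoring period (the guide's "repeatedly exceeds"), and a monitoring period is monitor_period seconds long. The traffic in constructed_burst() is constructed.

```python
"""Simulation of the per-log-ID rate suppression of the information center.

Added example, not code from the guide. Assumptions: suppression starts after
`trigger_count` over-threshold seconds within one monitoring period, and a
monitoring period is `monitor_period` seconds long.
"""
from collections import defaultdict

RELEASE_PERIODS = 5   # guide: five monitoring periods below the threshold lift suppression


class LogRateLimiter:
    def __init__(self, threshold=50, monitor_period=5, trigger_count=2):
        self.threshold = threshold          # guide default: 50 logs per second per log ID
        self.monitor_period = monitor_period
        self.trigger_count = trigger_count
        self.suppressed = {}                # log_id -> consecutive quiet periods so far
        self.processed = defaultdict(int)
        self.dropped = defaultdict(int)
        self._second = None
        self._counts = {}                   # log_id -> count in the current second
        self._excess_seconds = defaultdict(set)  # log_id -> over-threshold seconds this period
        self._period_peak = defaultdict(int)     # log_id -> peak per-second count this period
        self._period = 0

    def is_suppressed(self, log_id):
        return log_id in self.suppressed

    def offer(self, second, log_id):
        """Feed one log generated at wall-clock `second` (non-decreasing).
        Returns True if the information center processes it, False if dropped."""
        self._advance_clock(second)
        count = self._counts.get(log_id, 0) + 1
        self._counts[log_id] = count
        if count > self._period_peak[log_id]:
            self._period_peak[log_id] = count
        conforming = count <= self.threshold
        if not conforming:
            self._excess_seconds[log_id].add(second)
            if (log_id not in self.suppressed
                    and len(self._excess_seconds[log_id]) >= self.trigger_count):
                self.suppressed[log_id] = 0         # start suppressing this log ID
        if log_id in self.suppressed and not conforming:
            self.dropped[log_id] += 1               # non-conforming traffic is discarded
            return False
        self.processed[log_id] += 1
        return True

    def _advance_clock(self, second):
        if second != self._second:
            self._second = second
            self._counts = {}
        while self._period < second // self.monitor_period:
            self._end_period()
            self._period += 1

    def _end_period(self):
        """Close a monitoring period: count it as quiet for each suppressed ID whose
        traffic stayed below the threshold, and release after RELEASE_PERIODS."""
        for log_id in list(self.suppressed):
            if self._period_peak[log_id] < self.threshold:
                self.suppressed[log_id] += 1
                if self.suppressed[log_id] >= RELEASE_PERIODS:
                    del self.suppressed[log_id]
            else:
                self.suppressed[log_id] = 0
        self._period_peak.clear()
        self._excess_seconds.clear()


def constructed_burst():
    """Constructed traffic: log ID "A" sends 5 logs/s for two seconds, then 1 log/s
    until second 12; log ID "B" sends one log every four seconds."""
    events = [(sec, "A") for sec in range(2) for _ in range(5)]
    events += [(sec, "A") for sec in range(2, 13)]
    events += [(sec, "B") for sec in range(0, 13, 4)]
    return sorted(events, key=lambda e: e[0])


def simulate(events, threshold, monitor_period, trigger_count=2):
    """Run (second, log_id) events through the limiter and return per-ID
    processed/dropped counts plus the IDs still suppressed at the end, the
    information that display info-center rate-limit record reports."""
    limiter = LogRateLimiter(threshold, monitor_period, trigger_count)
    for second, log_id in events:
        limiter.offer(second, log_id)
    return {"processed": dict(limiter.processed),
            "dropped": dict(limiter.dropped),
            "suppressed": sorted(limiter.suppressed)}
```

With a threshold of 3 and a 2-second monitoring period, the burst above drops two of "A"'s logs, leaves "B" untouched, and releases "A" at second 12, five quiet periods after the burst ended; the same run with the guide's default of 50 per second drops nothing, which is the trade-off the NOTE above describes.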

Checking the Configuration


Run the following commands to check the previous configuration.
Action: Check the configuration of the channel.
Command: display channel [ channel-number | channel-name ]

Action: Check the information recorded by the information center.
Command: display info-center [ statistics ]

Action: Check the information in the log buffer of the memory.
Command: display logbuffer [ level severity | module module-name | size value | slot slot-id ]*

Action: Check the summary of the information in the log buffer.
Command: display logbuffer summary [ level severity | slot slot-id ]*

Action: Check the information in the trap buffer of the memory.
Command: display trapbuffer [ size value ]

Action: Check the threshold of the log processing rate.
Command: display info-center rate-limit threshold

Action: Check the suppression of the log processing rate in the information center.
Command: display info-center rate-limit record

2.3.3 Sending Information to the Information Center


This section describes how to send information to the specified direction.

Sending Information to the Console


Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
info-center console channel { channel-number | channel-name }

Information is sent to the console.


Step 3 Run:
quit

Return to the user view.


Step 4 Run:
terminal monitor

The terminal is enabled to display information.


By default, the terminal is enabled to display information.
Step 5 Run:
terminal debugging

or
terminal logging

or
terminal trapping

The terminal is enabled to display debugging information, logs, and traps.


NOTE

Step 4 and Step 5 can be performed in either order.

----End

Sending Information to the Telnet Terminal


Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
info-center monitor channel { channel-number | channel-name }

Information is sent to the Telnet terminal.


Step 3 Run:
quit

Return to the user view.


Step 4 Run:
terminal monitor


The terminal is enabled to display information.


Step 5 Run:
terminal debugging

or
terminal logging

or
terminal trapping

The terminal is enabled to display debugging information, logs, and traps.


NOTE

Step 4 and Step 5 can be performed in either order.

----End

Sending Information to the SNMP Agent


Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
info-center snmp channel { channel-number | channel-name }

Information is sent to the SNMP agent.


Step 3 Run:
snmp-agent

The SNMP agent is enabled.


For details on configuring the SNMP agent, refer to chapter "SNMP Configuration" in the
Configuration Guide - Network Management.
----End

Sending Information to the Log Buffer


Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
info-center logbuffer [ channel { channel-number | channel-name } | size
buffersize ] *

Information is sent to the log buffer.


----End

Sending Information to the Trap Buffer


Context
Do as follows on the AC6605.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
info-center trapbuffer [ channel { channel-number | channel-name } | size
buffersize ] *

Information is sent to the trap buffer.


----End

Sending Information to the Log Host


Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
info-center loghost ip-address [ channel { channel-number | channel-name } |
facility local-number | { language language-name | binary [ port ] } | { vpninstance vpn-instance-name | public-net } ] *

Information is sent to the IPv4 log host.


Step 3 Run:
info-center loghost source interface-type interface-number

The source interface for sending logs is specified.


----End

Checking the Configuration


Run the following commands to check the previous configuration.

Action: Check statistics in the information center.
Command: display info-center [ statistics ]

Run the preceding command. If the information center can send the statistics to the destination
terminal, it means that the configuration succeeds.

2.3.4 Maintaining the Information Center


This section describes how to clear the statistics.

CAUTION
Statistics cannot be restored after being cleared. So, confirm the action before you run the
command.
Action: Clear the statistics in the information center.
Command: reset info-center statistics

Action: Clear the information in the log buffer.
Command: reset logbuffer

Action: Clear the information in the trap buffer.
Command: reset trapbuffer

2.3.5 Configuration Examples


This section provides examples for configuring the information center.

Example for Configuring the Information Center


Networking Requirements
Figure 2-4 Networking of sending logs to the log host (figure: the Switch, with VLANIF10 at 2.0.0.1/8, reaches the Log Host at 1.0.0.1/8 across the network)

Configuration Roadmap
The configuration roadmap is as follows:
1. Enable the information center.
2. Configure the information channel to ensure that the AC6605 can correctly send logs to the log host. Disable the sending of the traps and debugging information to the log host.
3. Configure the log host.

Data Preparation
To complete the configuration, you need the following data:
l The IP address of the log host is specified as 1.0.0.1/8.

Configuration Procedure
NOTE

In the example, only the commands related to monitoring are listed. For details on configuring the log host,
see the help files on the log host.

1. Enable the information center.
# Enable the information center. By default, the information center on the AC6605 is enabled.
<Quidway> system-view
[Quidway] info-center enable
Info:Information center is enabled.

2. Configure the information channel.
# Send logs of severity levels 0 to 7 from all modules on the AC6605 through the channel to the log host. Disable the sending of the debugging information and traps through the channel to the log host.
[Quidway] info-center source default channel loghost log level debugging state on trap state off debug state off

# Verify the configuration.
[Quidway] display channel loghost
channel number:2, channel name:loghost
MODU_ID  NAME     ENABLE LOG_LEVEL  ENABLE TRAP_LEVEL  ENABLE DEBUG_LEVEL
ffff0000 default  Y      debugging  N      debugging   N      debugging

3. Configure the log host.


# Set the IP address of the log host to 1.0.0.1.
[Quidway] info-center loghost 1.0.0.1

# Set VLANIF 10 as the interface for sending information to the log host on the AC6605.
[Quidway] vlan 10
[Quidway-vlan10] quit
[Quidway] interface gigabitethernet0/0/1
[Quidway-GigabitEthernet0/0/1] port link-type hybrid
[Quidway-GigabitEthernet0/0/1] port hybrid untagged vlan 10
[Quidway-GigabitEthernet0/0/1] quit
[Quidway] interface vlanif 10
[Quidway-Vlanif10] ip address 2.0.0.1 255.0.0.0
[Quidway-Vlanif10] quit
[Quidway] info-center loghost source vlanif 10

# Verify the configuration.


[Quidway] display info-center
Information Center:enabled
Log host:
the interface name of the source address:Vlanif 10
1.0.0.1, channel number 2, channel name loghost,
language English , host facility local7
Console:
channel number : 0, channel name : console


Monitor:
channel number : 1, channel name : monitor
SNMP Agent:
channel number : 5, channel name : snmpagent
Log buffer:
enabled,max buffer size 1024, current buffer size 512,
current messages 440, channel number : 4, channel name : logbuffer
dropped messages 0, overwritten messages 0
Trap buffer:
enabled,max buffer size 1024, current buffer size 256,
current messages 1, channel number:3, channel name:trapbuffer
dropped messages 0, overwritten messages 0
Information timestamp setting:
log - date, trap - date, debug - boot
Sent messages = 499, Received messages = 499
IO Reg messages = 0 IO Sent messages = 0

4. Enable the terminal display of the console.
# Enable the terminal display of the console. Enable the corresponding terminal display to check the information type as required.
[Quidway] info-center console channel 0
[Quidway] quit
<Quidway> terminal monitor
Info:Current terminal monitor is on.
<Quidway> terminal logging
Info:Current terminal logging is on.

Configuration Files
#
info-center source default channel 2 log level debugging state on trap state off
debug state off
info-center loghost source vlanif 10
info-center loghost 1.0.0.1
#
#
vlan batch 10
#
interface vlanif10
ip address 2.0.0.1 255.0.0.0
#
interface GigabitEthernet0/0/1
port hybrid untagged vlan 10
#
return
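The log host side of this example, as added Python (not Huawei code): a receiver that parses the syslog PRI field and accepts only datagrams matching what the AC6605 above was configured to send, that is, source address 2.0.0.1 (VLANIF 10) and host facility local7. The log-host address 1.0.0.1 is from the example; UDP port 514 and the severity names are the standard syslog ones and are assumptions; the sample datagram bodies are constructed and are not a real Huawei log format.

```python
import re
import socket

FACILITIES = {16 + i: f"local{i}" for i in range(8)}   # local0..local7 = codes 16..23
SEVERITIES = ["emergencies", "alerts", "critical", "errors", "warnings",
              "notifications", "informational", "debugging"]  # levels 0..7

EXPECTED_SOURCE = "2.0.0.1"     # info-center loghost source vlanif 10 (2.0.0.1/8)
EXPECTED_FACILITY = "local7"    # "host facility local7" in display info-center

PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.S)


def parse_pri(datagram):
    """Split a syslog datagram into (facility name, severity name, body).

    Raises ValueError when the PRI field is missing or above 191 (23*8+7).
    """
    m = PRI_RE.match(datagram)
    if not m:
        raise ValueError("no PRI field")
    pri = int(m.group(1))
    if pri > 191:
        raise ValueError("PRI out of range")
    fac_code, sev_code = divmod(pri, 8)
    facility = FACILITIES.get(fac_code, f"facility{fac_code}")
    return facility, SEVERITIES[sev_code], m.group(2)


def check_datagram(src_ip, datagram):
    """Return (accepted, reason-or-severity) for one datagram received from src_ip."""
    if src_ip != EXPECTED_SOURCE:
        return False, f"unexpected source {src_ip}"
    try:
        facility, severity, _body = parse_pri(datagram)
    except ValueError as exc:
        return False, f"malformed: {exc}"
    if facility != EXPECTED_FACILITY:
        return False, f"unexpected facility {facility}"
    return True, severity


def serve(bind_ip="1.0.0.1", port=514):
    """Receive syslog over UDP on the log host and check every datagram."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind_ip, port))
    while True:
        data, (src_ip, _port) = sock.recvfrom(4096)
        ok, info = check_datagram(src_ip, data.decode("utf-8", "replace"))
        print("ACCEPT" if ok else "REJECT", src_ip, info)


# Constructed sample datagrams: (source address, payload).
SAMPLES = [
    ("2.0.0.1", "<190>Jun 15 2013 10:00:01 Quidway interface state change (constructed)"),
    ("2.0.0.1", "<191>Jun 15 2013 10:00:02 Quidway debugging-level log (constructed)"),
    ("10.9.8.7", "<190>message from an address the AC was not told to use (constructed)"),
    ("2.0.0.1", "<134>Jun 15 2013 10:00:03 facility local0 instead of local7 (constructed)"),
    ("2.0.0.1", "payload without a PRI field (constructed)"),
]

if __name__ == "__main__":
    for src, payload in SAMPLES:
        ok, info = check_datagram(src, payload)
        print("ACCEPT" if ok else "REJECT", src, info)
```

Run serve() on the host at 1.0.0.1 to apply the same checks to live traffic.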

2.4 Configuring a Monitoring Interface


This chapter describes how to configure a monitoring interface to monitor the device
environment.

2.4.1 Overview of a Monitoring Interface


The monitoring interface of the AC6605 connects four input lines. These four input lines monitor the cabinet door, device power supply, battery power, and power supply of the air conditioner. You can decide which devices are monitored. When the status of the four input lines changes, the AC6605 generates related traps and sends them to the network management system (NMS). In this case, it is not necessary to define output rules. The monitoring interface of the AC6605 also connects three output lines. These output lines can connect audible and visual trap devices. In this manner, device environment monitoring is implemented.

2.4.2 Configuring the Association Between a Monitoring Interface and the NMS
Establishing the Configuration Task
Applicable Environment
The monitoring interface of the AC6605 connects four input lines. These four input lines monitor
the cabinet door, device power supply, battery power, and power supply of the air conditioner.
Based on the status of the four input lines, the AC6605 generates related traps and sends them
to the NMS. In this case, it is not necessary to define output rules. Each input line corresponds
to two traps.
Line ID | Normal Status | Trap(Warning)       | Trap(Cancel)
1       | low-level     | InputLine1 abnormal | InputLine1 normal
2       | high-level    | InputLine2 abnormal | InputLine2 normal
3       | low-level     | InputLine3 abnormal | InputLine3 normal
4       | low-level     | InputLine4 abnormal | InputLine4 normal

Pre-configuration Tasks
Before configuring a monitoring interface, complete the following tasks:
l The device is normally started.
l The monitoring card runs normally.

Data Preparation
To configure a monitoring interface, you need the following data.
l Normal levels of input lines 1 to 4 connected to a monitoring interface
l Names of input lines

Configuring an Input Line Connected to a Monitoring Interface


Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
monitor input id-number enable

The monitoring function is enabled on an input line.


Step 3 Run:
monitor input id-number name line-name normal-state { low-level | high-level }

The name and the normal level of a monitored input line are set.
----End

Checking the Configuration


Prerequisites
All configurations of the input lines connected to a specified monitoring interface are complete.

Procedure
l Run the display monitor input { id-number | all } command to check the previous configuration.

----End

Example
Run the display monitor input all command. If you can view information about all input lines
connected to the monitoring interface, it means that the configuration succeeds. For example:
<Quidway> display monitor input all
---------------------------------------------------------------------------
LineID LineName   Enable NormalStatus CurrentStatus
---------------------------------------------------------------------------
1      Inputline1 enable low-level    abnormal
2      Inputline2 enable high-level   normal
3      Inputline3 enable high-level   normal
4      Inputline4 enable low-level    normal
---------------------------------------------------------------------------

Change the high or low levels of input lines 1 to 4. Traps indicating the status of the input lines are generated.
l When input lines 1 and 4 are of high level, traps indicating that the two input lines are abnormal are generated; when input lines 1 and 4 are of low level, traps indicating that the two input lines restore the normal status are generated.
l When input lines 2 and 3 are of low level, traps indicating that the two input lines are abnormal are generated; when input lines 2 and 3 are of high level, traps indicating that the two input lines restore the normal status are generated.

2.4.3 Configuring the Association Between a Monitoring Interface and Audible and Visual Trap Devices

Establishing the Configuration Task


Applicable Environment
The monitoring interface of the AC6605 connects four input lines. These four input lines monitor
the cabinet door, device power supply, battery power, and power supply of the air conditioner.
The monitoring interface also connects three output lines. These three output lines can connect
audible and visual trap devices. When an exception occurs, audible and visual trap devices
generate alarms. Based on the changes of the status of the four input lines, the AC6605 controls
the three output lines. The relationships between input lines and output lines can be configured
with related commands.

Pre-configuration Tasks
Before configuring a monitoring interface, complete the following tasks:
l The device is normally started.
l The monitoring card runs normally.

Data Preparation
To configure a monitoring interface, you need the following data.
l Normal levels of input lines 1 to 4 connected to a monitoring interface
l Names of input lines

Configuring an Input Line


Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
monitor input id-number enable

The monitoring function is enabled on an input line.


Step 3 Run:
monitor input id-number name line-name normal-state { low-level | high-level }

The name and the normal level of a monitored input line are configured.
----End

Configuring an Output Line



Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
monitor output id-number

An output control list is created for an output line and the output view is displayed.
Step 3 Run:
rule rule-id match-input line-mask key level-value

The input interface monitored by the output interface is configured and the logical relationship
between the two interfaces is set up.
----End

Checking the Configuration


Prerequisites
All configurations of the input lines and output lines connected to a specified monitoring
interface are complete.

Procedure
l Run the display monitor output id-number command to check the previous configuration.

----End

Example
Run the display monitor output 1 command. If you can view the matching rule of the output
line of a specified monitoring interface, it means that the configuration succeeds. For example:
<Quidway> display monitor output 1
------------------------------------------------------------------------------------------------
RuleID InputMask LevelValue
------------------------------------------------------------------------------------------------
1      1001      1000
2      1100      0100
------------------------------------------------------------------------------------------------

2.4.4 Configuration Examples


This section provides an example for configuring a monitoring interface.

Example for Configuring a Monitoring Interface


Networking Requirements
As shown in Figure 2-5, the monitoring interface of the AC6605 connects four input lines. These four input lines monitor the cabinet door, device power supply, battery power, and power supply of the air conditioner. The monitoring interface also connects three output lines. These three output lines can connect audible and visual trap devices. When an exception occurs, audible and visual trap devices generate alarms. Based on the changes of the status of the four input lines, the Switch controls the three output lines. The relationships between input lines and output lines can be configured with related commands.
Input lines 1 to 4 connect the cabinet door, device power supply, battery power, and power supply
of the air conditioner respectively. Assume that the four input lines are of high level in normal
cases. The four input lines are considered as abnormal when the input lines are of low level.
Assume that the monitored cabinet door and device power supply correspond to output lines 1
and 2 respectively. Output lines 1 and 2 connect two audible and visual trap devices separately.
When a line is abnormal, the corresponding indicator is on. The battery power and power supply
of the air conditioner correspond to output line 3. When either of the battery power and power
supply of the air conditioner is abnormal, the indicator to which output line 3 corresponds is on.
Figure 2-5 Networking diagram of monitoring interface configuration (figure: the Switch's input lines connect the cabinet door, device power supply, battery power supply, and power supply of the air conditioner; its output lines connect the audible and visual trap devices; traps travel through a Metro CX600 and the IP/MPLS core to the NMS)

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure input lines.
2. Configure output lines.
3. Configure the logical relationships between input lines and output lines.

Data Preparation
To complete the configuration, you need the following data:
l Names of input lines
l Normal levels of the input lines, that is, input lines 1 to 4 being of high level in the normal state


Procedure
Step 1 Configure input lines on the Switch.
# Enable the monitoring function on input lines 1 to 4.
<Quidway> system-view
[Quidway] monitor input 1 enable
[Quidway] monitor input 2 enable
[Quidway] monitor input 3 enable
[Quidway] monitor input 4 enable

# Set the names and normal levels of the input lines.
[Quidway] monitor input 1 name input1 normal-state high-level
[Quidway] monitor input 2 name input2 normal-state high-level
[Quidway] monitor input 3 name input3 normal-state high-level
[Quidway] monitor input 4 name input4 normal-state high-level

Step 2 Configure output lines on the Switch.


# Configure the association between output line 1 and input line 1 and set the lines in the normal
state to be of high level.
[Quidway] monitor output 1
[Quidway-monitor-output1] rule 1 match-input 1000 key 1000
[Quidway-monitor-output1] quit

# Configure the association between output line 2 and input line 2 and set the lines in the normal
state to be of high level.
[Quidway] monitor output 2
[Quidway-monitor-output2] rule 1 match-input 0100 key 0100
[Quidway-monitor-output2] quit

# Configure the association between output line 3 and input lines 3 and 4, and then set the lines
in the normal state to be of high level.
[Quidway] monitor output 3
[Quidway-monitor-output3] rule 1 match-input 0010 key 0010
[Quidway-monitor-output3] rule 2 match-input 0001 key 0001
[Quidway-monitor-output3] quit

Step 3 Verify the configuration.


# Verify that the configuration takes effect through audible and visual trap devices.
l When input line 1 changes from high level to low level, the trap indicating that input line 1
is abnormal is generated and the indicator of output line 1 is on.
l When input line 2 changes from high level to low level, the trap indicating that input line 2
is abnormal is generated and the indicator of output line 2 is on.
l When either of input lines 3 and 4 is of low level, the trap indicating that input line 3 is
abnormal is generated and the indicator of output line 3 is on.
----End
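An added Python evaluator (not Huawei code) for the output rules above. It assumes the semantics inferred from this example's verification step: in rule N match-input mask key value, the mask bits select input lines (leftmost bit is line 1), the key gives their normal levels (1 = high, 0 = low), and an output line's indicator is on when, under any of its rules, the masked current levels differ from the key. It also lists which input lines would raise an abnormal trap.

```python
def parse_bits(s):
    """Parse a 4-character string such as '1001' into an int; the leftmost bit is line 1."""
    if len(s) != 4 or set(s) - {"0", "1"}:
        raise ValueError(f"expected four 0/1 characters, got {s!r}")
    return int(s, 2)


def rule_fires(mask, key, levels):
    """True when any input line selected by mask is not at the level given in key."""
    m, k, cur = parse_bits(mask), parse_bits(key), parse_bits(levels)
    if k & ~m & 0xF:
        # A key bit for a line the mask does not select is a configuration mistake.
        raise ValueError("key sets a bit outside match-input")
    return (cur & m) != (k & m)


def outputs_on(rules_by_output, levels):
    """Output line IDs whose indicator is on for the given current levels.

    rules_by_output maps output ID -> list of (mask, key); rules are ORed,
    matching "either of input lines 3 and 4" driving output line 3 above.
    """
    return {out for out, rules in rules_by_output.items()
            if any(rule_fires(mask, key, levels) for mask, key in rules)}


def abnormal_lines(normal, current):
    """Input line IDs (1..4) whose current level differs from their normal level."""
    diff = parse_bits(normal) ^ parse_bits(current)
    return [line for line in range(1, 5) if diff & (1 << (4 - line))]


# Rules exactly as configured in this example: all four lines are high in the normal state.
EXAMPLE_RULES = {
    1: [("1000", "1000")],
    2: [("0100", "0100")],
    3: [("0010", "0010"), ("0001", "0001")],
}
NORMAL_LEVELS = "1111"

if __name__ == "__main__":
    for levels in ("1111", "0111", "1011", "1101", "1110", "1100"):
        print(levels, "abnormal:", abnormal_lines(NORMAL_LEVELS, levels),
              "outputs on:", sorted(outputs_on(EXAMPLE_RULES, levels)))
```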

Configuration Files
Configuration file of the Switch
#
sysname Quidway
#
monitor input 1 enable
monitor input 1 name input1 normal-state high-level
monitor input 2 enable
monitor input 2 name input2 normal-state high-level
monitor input 3 enable
monitor input 3 name input3 normal-state high-level
monitor input 4 enable
monitor input 4 name input4 normal-state high-level
#
monitor output 1
rule 1 match-input 1000 key 1000
monitor output 2
rule 1 match-input 0100 key 0100
monitor output 3
rule 1 match-input 0010 key 0010
rule 2 match-input 0001 key 0001
#
return

2.5 Mirroring
The mirroring function is used to monitor packets that meet certain requirements.

2.5.1 Introduction
This section describes the basics of mirroring.

Mirroring Functions
Mirroring is to copy packets to an observing port to monitor packets without affecting packet
forwarding. You can use the mirroring function for network check and troubleshooting.
Mirroring functions are classified into port mirroring, flow mirroring, VLAN mirroring, MAC address mirroring, and CPU mirroring.

Concepts
l Observing port
An observing port on the AC6605 is connected to a monitoring host. It is used to export the traffic copied from a mirrored port or a flow mirroring port.
l Mirrored port
A mirrored port is the interface to be observed. Incoming traffic or outgoing traffic passing through a mirrored port is copied to an observing port.
l Flow mirroring port
A flow mirroring port is a port to which traffic policies are applied. On such a port, the incoming traffic that matches the traffic classifier in the traffic policy is copied to an observing port.
l Mirrored flow
A mirrored flow is a packet flow that runs to a flow mirroring port and is observed. When a flow becomes a mirrored flow, it is copied to an observing port.
l Mirrored VLAN
A mirrored VLAN is a VLAN to be observed. Incoming traffic or outgoing traffic passing through a mirrored VLAN is copied to an observing port.
l Mirrored MAC address
A mirrored MAC address is the source or destination MAC address of the packets to be mirrored. The AC6605 copies the traffic matching this MAC address to an observing port.
l RSPAN VLAN
A Remote Switched Port Analyzer (RSPAN) VLAN is a VLAN used for remote mirroring. When the mirrored port and the observing port are located on different Switches, packets from the mirrored port must be broadcast to the observing port through the RSPAN VLAN.
l Local mirroring
The observing port and mirrored port are on the same switch.
l Remote mirroring
The observing port and mirrored port are on different switches.
NOTE

The AC6605 does not support the function of mirroring a flow to multiple observing ports.

Port Mirroring
In the process of port mirroring, the AC6605 copies the packets passing through a mirrored port
and then sends the copy to a specified observing port. Figure 2-6 shows the diagram of interface
mirroring.
Figure 2-6 Schematic diagram of port mirroring (figure: the data flow passes through the mirror port on the Switch; a copy of the data flow leaves the observe port towards the sniffer host)

Flow Mirroring
In the process of flow mirroring, the AC6605 copies the mirroring flow passing one or more
interfaces and sends the copy to an observing port. Figure 2-7 shows the diagram of flow
mirroring.


Figure 2-7 Schematic diagram of flow mirroring (figure: the part of the data flow on the mirror port that matches the traffic classification is copied to the observe port and on to the sniffer host)

Flow mirroring is a type of action in traffic behaviors. When a traffic policy configured with
flow mirroring is applied to an interface, the AC6605 copies the inbound data flow on this
interface that matches the traffic classifier and sends the copy to the observing port.

VLAN Mirroring
In the process of VLAN mirroring, the AC6605 mirrors the packets passing through all active
interfaces in a specified VLAN to a specified observing port. Compared with interface mirroring,
VLAN mirroring mirrors packets in a wider range. You can monitor packets in one or more
VLANs.

MAC Address Mirroring


MAC address mirroring allows you to monitor the packets received by or sent from a specified
device on a network. The AC6605 mirrors the packets matching a specified source or destination
MAC address in a VLAN to a specified observing port.

CPU Mirroring
CPU mirroring is used to mirror all the packets received by the CPU. CPU mirroring is
implemented as follows:
l If an ACL rule is specified, the packets that match the ACL rule are mirrored to a specified observing port.
l If no ACL rule is specified, all the packets received by the CPU are mirrored to a specified observing port.

CPU mirroring facilitates debugging and fault location.

RSPAN
A switch can copy incoming or outgoing packets on a mirrored port to an observing port. When
the observing port and the mirrored port are on different switches, packets can be copied to the
observing port through the RSPAN function, which is also called remote mirroring.

Figure 2-8 Networking diagram of RSPAN (figure: the data flow enters the mirror port on the source switch; its copy leaves the observe port of the source switch, crosses the intermediate switch, and arrives at the observe port on the destination switch, which connects the sniffer host)

In Figure 2-8:
l The source switch is the Switch where the mirrored port is located.
l The destination switch is the Switch where the observing port is located.
l The intermediate switch is a device between the source switch and destination switch.
NOTE

The source switch and destination switch can also be directly connected to implement the RSPAN
function.

The RSPAN function broadcasts mirrored packets from the source switch to the destination
switch in the RSPAN VLAN. Interfaces between the source switch, intermediate switch, and
destination switch must be added to the RSPAN VLAN.
Mirrored packets are forwarded to the intermediate switch through the observing port on the
source switch. Then the intermediate switch broadcasts mirrored packets to the observing port
on the destination switch in the RSPAN VLAN.
The observing port on the destination switch receives mirrored packets.
Through the RSPAN function, packets on a specified interface or VLAN, with a specified source
or destination MAC address, or matching a classifier can be copied to an observing port on a
remote device.

2.5.2 Configuring Local Port Mirroring


This section describes how to configure local port mirroring.

Establishing the Configuration Task


Applicable Environment
When all incoming or outgoing packets passing through a specified interface of the AC6605
need to be monitored, you can configure local port mirroring if the mirrored port is located on
the same AC6605 as the observing port.

Pre-configuration Tasks
None.

Data Preparation
To configure local port mirroring, you need the following data.
l Type and number of the observing port
l Type and number of the mirrored port

Configuring Local Port Mirroring


Context
A mirrored port can be a physical interface or an Eth-Trunk interface.
To configure an Eth-Trunk as a mirrored port, you must run the interface eth-trunk trunk-id
command to create the Eth-Trunk first.
l If an Eth-Trunk is configured as a mirrored port, its member interfaces cannot be configured as mirrored ports.
l If a member interface of an Eth-Trunk is configured as a mirrored port, the Eth-Trunk cannot be configured as a mirrored port.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
observe-port index interface interface-type interface-number

An observing port is configured.


Step 3 Run:
interface interface-type interface-number

The view of the mirrored port is displayed.


Step 4 Run:
port-mirroring to observe-port index { both | inbound | outbound }

Interface mirroring is configured on the mirrored port.


To monitor packets on multiple interfaces, repeat Step 3 and Step 4.
----End

Checking the Configuration


Run the following commands to check the previous configuration.
Action: Check information about port mirroring.
Command: display port-mirroring

Action: Check information about the observing port.
Command: display observe-port

If the following results are obtained, the configuration is successful:
l The observing port is configured properly.
l The mirrored port and the mirroring direction are configured properly.

2.5.3 Configuring Remote Port Mirroring


This section describes how to configure remote port mirroring.

Establishing the Configuration Task


Applicable Environment
When incoming or outgoing packets passing through one or more ports of the AC6605 need to
be monitored, you can configure remote port mirroring if the monitored ports are not located on
the same AC6605 as the observing port.

Pre-configuration Tasks
None.

Data Preparation
To configure remote port mirroring, you need the following data.
l Type and number of the observing port
l Number of the mirrored port
l ID of the RSPAN VLAN

Configuring Remote Port Mirroring


Context
A mirrored port can be a physical interface or an Eth-Trunk interface.

To configure an Eth-Trunk as a mirrored port, you must run the interface eth-trunk trunk-id
command to create the Eth-Trunk first.
l If an Eth-Trunk is configured as a mirrored port, its member interfaces cannot be configured as mirrored ports.
l If a member interface of an Eth-Trunk is configured as a mirrored port, the Eth-Trunk cannot be configured as a mirrored port.

Procedure
l Specify a mirrored port and an RSPAN VLAN on the source switch.
NOTE
The mirrored port cannot be added to the RSPAN VLAN.
1.

Run:
system-view

The system view is displayed.


2.

Run:
vlan vlan-id

An RSPAN VLAN is created and the RSPAN VLAN view is displayed.


3.

Run:
mac-address learning disable

The MAC address learning is disabled.


NOTE

If MAC address learning is disabled in the VLAN, other services cannot be configured in the VLAN.

4.

Run:
quit

Return to the system view.


5.

Run:
observe-port index interface interface-type interface-number [ vlan vlan-id ]

An observing port is configured, and the RSPAN VLAN is specified.


6.

Run:
interface interface-type interface-number

The view of the mirrored port is displayed.


7.

Run:
port-mirroring to observe-port index { both | inbound | outbound }

Remote port mirroring is configured.


To observe incoming and outgoing packets on multiple interfaces, repeat Step 6 and
Step 7.
- Configure the RSPAN VLAN and add the interfaces connected to the source switch and
  destination switch to the RSPAN VLAN.
NOTE
The mirrored port cannot be added to the RSPAN VLAN.

Do as follows on the intermediate switch. The configurations on the interfaces connected
to the source switch and destination switch are similar. If no intermediate switch exists,
skip this step.
1.

Run:
system-view

The system view is displayed.


2.

Run:
vlan vlan-id

The RSPAN VLAN is created and the RSPAN VLAN view is displayed.
3.

Run:
quit

Return to the system view.


4.

Run:
interface interface-type interface-number

The view of the interface connected to the source switch or destination switch is
displayed.
5.

Run:
port link-type trunk

The interface is configured as a trunk interface.


6.

Run:
port trunk allow-pass vlan vlan-id

The interface is added to the RSPAN VLAN.


7.

Run:
quit

Return to the system view.


- Configure the remote observing port on the destination switch.


1.

Run:
system-view

The system view is displayed.


2.

Run:
vlan vlan-id

The RSPAN VLAN is created and the RSPAN VLAN view is displayed.
3.

Run:
quit

Return to the system view.


4.

Run:
interface interface-type interface-number

The view of the interface connected to the intermediate switch is displayed.


NOTE

If no intermediate switch exists, you enter the view of the interface connected to the source
switch.

5.
Run:
port link-type trunk

The interface is configured as a trunk interface.


6.

Run:
port trunk allow-pass vlan vlan-id

The interface is added to the RSPAN VLAN.


7.

Run:
interface interface-type interface-number

The observing port view is displayed.


8.

Run:
port hybrid untagged vlan vlan-id

The observing port is configured as a hybrid interface and it allows packets of the
RSPAN VLAN to pass.
9.

Run:
quit

Return to the system view.


----End
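The three-role procedure above (source switch, intermediate switch, destination switch), as an added Python example that is not part of this guide or of Huawei's software: it emits the command sequence the steps describe for each role and refuses input the guide says is invalid, namely a mirrored port that is a member of the RSPAN VLAN, and an Eth-Trunk mirrored together with one of its member interfaces. The interface names, VLAN ID and observing-port index used in the usage block and test are assumptions chosen for illustration.

```python
"""RSPAN configuration builder for the remote port mirroring procedure.

Added example, not Huawei's code: emits the command sequence the steps describe for
the source, intermediate and destination switch, and rejects input the guide says the
AC6605 will not accept. Interface names and VLAN IDs below are assumptions.
"""
from dataclasses import dataclass, field
from typing import Dict, List

DIRECTIONS = ("both", "inbound", "outbound")


@dataclass
class SourceSwitch:
    rspan_vlan: int
    observe_index: int
    observe_port: str                 # interface toward the intermediate/destination switch
    mirrored: Dict[str, str]          # mirrored interface -> direction
    rspan_vlan_members: List[str] = field(default_factory=list)        # interfaces already in the RSPAN VLAN
    trunk_members: Dict[str, List[str]] = field(default_factory=dict)  # Eth-Trunk -> member interfaces


def validate_source(src: SourceSwitch) -> None:
    """Enforce the constraints stated in the Context and NOTE of the procedure."""
    for port, direction in src.mirrored.items():
        if direction not in DIRECTIONS:
            raise ValueError(f"{port}: direction must be one of {DIRECTIONS}")
        # NOTE in the procedure: the mirrored port cannot be added to the RSPAN VLAN
        if port in src.rspan_vlan_members:
            raise ValueError(f"{port} is a member of RSPAN VLAN {src.rspan_vlan}")
    # An Eth-Trunk and its member interfaces cannot both be mirrored ports
    for trunk, members in src.trunk_members.items():
        if trunk in src.mirrored and any(m in src.mirrored for m in members):
            raise ValueError(f"{trunk} and one of its members are both mirrored ports")


def source_commands(src: SourceSwitch) -> List[str]:
    """Steps 1-7 on the source switch; steps 6-7 are repeated per mirrored interface."""
    validate_source(src)
    cmds = [
        "system-view",
        f"vlan {src.rspan_vlan}",
        "mac-address learning disable",    # the RSPAN VLAN carries mirrored copies only
        "quit",
        f"observe-port {src.observe_index} interface {src.observe_port} vlan {src.rspan_vlan}",
    ]
    for port, direction in src.mirrored.items():
        cmds += [f"interface {port}",
                 f"port-mirroring to observe-port {src.observe_index} {direction}",
                 "quit"]
    return cmds


def intermediate_commands(rspan_vlan: int, uplinks: List[str]) -> List[str]:
    """Intermediate switch: create the RSPAN VLAN and trunk it on the links toward both ends."""
    cmds = ["system-view", f"vlan {rspan_vlan}", "quit"]
    for port in uplinks:
        cmds += [f"interface {port}", "port link-type trunk",
                 f"port trunk allow-pass vlan {rspan_vlan}", "quit"]
    return cmds


def destination_commands(rspan_vlan: int, uplink: str, observe_port: str) -> List[str]:
    """Destination switch: trunk toward the source side, hybrid untagged port to the analyzer."""
    return intermediate_commands(rspan_vlan, [uplink]) + [
        f"interface {observe_port}",
        f"port hybrid untagged vlan {rspan_vlan}",   # analyzer receives untagged copies
        "quit",
    ]


if __name__ == "__main__":
    # Assumed topology, for illustration only
    src = SourceSwitch(100, 1, "GigabitEthernet0/0/24", {"GigabitEthernet0/0/1": "inbound"})
    roles = (("source", source_commands(src)),
             ("intermediate", intermediate_commands(100, ["GigabitEthernet0/0/1", "GigabitEthernet0/0/2"])),
             ("destination", destination_commands(100, "GigabitEthernet0/0/1", "GigabitEthernet0/0/24")))
    for role, cmds in roles:
        print(f"# {role}")
        print("\n".join(cmds))
```

Because MAC address learning is disabled in the RSPAN VLAN, the mirrored frames are flooded to every interface that carries that VLAN. Allow it only on the trunk links toward the destination switch: any host on another interface that is permitted the RSPAN VLAN receives a copy of the monitored traffic.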

Checking the Configuration


Run the following commands to check the previous configuration.
Action                                          Command
Check information about the observing port.     display observe-port
Check information about port mirroring.         display port-mirroring

If the following results are obtained, the configuration is successful:
- The RSPAN VLAN is configured properly.
- The number of the observing port is configured properly.
- The type of the observing port is configured properly.
- The number of the mirrored port and the mirroring direction are configured properly.

2.5.4 Canceling Port Mirroring


This section describes how to cancel port mirroring.

Establishing the Configuration Task


Applicable Environment
When port mirroring is enabled on an interface of the AC6605, and the incoming or outgoing
packets passing through this interface do not need to be monitored, you can cancel port mirroring
on that interface. You must cancel port mirroring on the bound observing port before deleting
this observing port.

Pre-configuration Tasks
None.

Data Preparation
To cancel port mirroring, you need the following data.
- Type and number of an observing port
- Type and number of the mirrored port to be deleted

Canceling Port Mirroring


Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
interface interface-type interface-number

The view of the mirrored port is displayed.


Step 3 Run:
undo port-mirroring { both | inbound | outbound }

Interface mirroring is canceled.


----End

Checking the Configuration


Run the following commands to check the previous configuration.
Action                                          Command
Check information about the observing port.     display observe-port
Check information about port mirroring.         display port-mirroring

Run the display port-mirroring command. If port mirroring is cancelled properly, the
configuration is successful.
2.5.5 Configuring Local VLAN Mirroring


This section describes how to configure local VLAN mirroring.

Establishing the Configuration Task


Applicable Environment
When incoming packets passing through all active interfaces of the AC6605 in a specified VLAN
or some VLANs need to be monitored, you can configure local VLAN mirroring if all interfaces
receiving these monitored incoming packets are located on the same AC6605 as the observing
port.

Pre-configuration Tasks
Before configuring local VLAN mirroring, complete the following tasks:
- Creating a VLAN as the monitored VLAN
- Adding physical interfaces to the monitored VLAN

Data Preparation
To configure local VLAN mirroring, you need the following data.
- Type and number of an observing port
- ID of a mirrored VLAN

Configuring Local VLAN Mirroring


Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
observe-port index interface interface-type interface-number

An observing port is configured.


Step 3 Run:
vlan vlan-id

The view of the mirrored VLAN is displayed.


Step 4 Run:
mirroring to observe-port index inbound

VLAN mirroring is configured.


To observe incoming packets from multiple VLANs, repeat Step 3 and Step 4.
----End

Checking the Configuration


Run the following commands to check the previous configuration.
Action                                          Command
Check information about the observing port.     display observe-port
Check information about port mirroring.         display port-mirroring

If the following results are obtained, the configuration is successful:
- The type of the observing port is configured properly.
- The number of the observing port is configured properly.

2.5.6 Configuring Remote VLAN Mirroring


This section describes how to configure remote VLAN mirroring.

Establishing the Configuration Task


Applicable Environment
When incoming packets passing through any active interfaces of the AC6605 in a specified
VLAN or some VLANs need to be monitored, you can configure remote VLAN mirroring if
the interface added to the monitored VLAN is not located on the same AC6605 as the observing
port.

Pre-configuration Tasks
Before configuring remote VLAN mirroring, complete the following tasks:
- Creating a VLAN as the monitored VLAN
- Adding physical interfaces to the monitored VLAN

Data Preparation
To configure remote VLAN mirroring, you need the following data.

- Type and number of the observing port
- ID of the mirrored VLAN
- ID of the RSPAN VLAN

Configuring Remote VLAN Mirroring


Procedure
- Configure remote VLAN mirroring on the source switch.
NOTE
The mirrored port cannot be added to the RSPAN VLAN.

1.

Run:
system-view

The system view is displayed.


2.

Run:
vlan vlan-id

An RSPAN VLAN is created and the RSPAN VLAN view is displayed.


3.

Run:
mac-address learning disable

The MAC address learning is disabled.


NOTE

If MAC address learning is disabled in the VLAN, other services cannot be configured in the VLAN.

4.

Run:
quit

Return to the system view.


5.

Run:
observe-port index interface interface-type interface-number [ vlan vlan-id ]

An observing port is configured, and the RSPAN VLAN is specified.


6.

Run:
vlan vlan-id

The RSPAN VLAN view is displayed.


7.

Run:
mirroring to observe-port index inbound

Remote VLAN mirroring is configured.


To observe incoming packets of multiple VLANs, repeat Step 6 and Step 7.
- Configure the RSPAN VLAN on the intermediate switch and add interfaces to the RSPAN
  VLAN.
  The configuration is the same as that for remote port mirroring. For details, see Configuring
  Remote Port Mirroring.

- Configure the remote observing port on the destination switch.
  The configuration is the same as that for remote port mirroring. For details, see Configuring
  Remote Port Mirroring.

----End

Checking the Configuration


Run the following commands to check the previous configuration.
Action                                          Command
Check information about the observing port.     display observe-port
Check information about port mirroring.         display port-mirroring

If the following results are obtained, the configuration is successful:
- The type of the observing port is configured properly.
- The number of the observing port is configured properly.

2.5.7 Canceling VLAN Mirroring


This section describes how to cancel local VLAN mirroring and remote VLAN mirroring.

Establishing the Configuration Task


Applicable Environment
When VLAN mirroring is enabled in a specified VLAN and all incoming packets in this VLAN
do not need to be monitored on the AC6605, or before deleting or changing the bound observing
port, you need to cancel VLAN mirroring.

Pre-configuration Tasks
None.

Data Preparation
To cancel VLAN mirroring, you need the following data.
- ID of the mirrored VLAN to be deleted

Canceling VLAN Mirroring


Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
vlan vlan-id

The view of the monitored VLAN is displayed.


Step 3 Run:
undo mirroring inbound

VLAN mirroring is canceled.


----End

Checking the Configuration


Run the following commands to check the previous configuration.
Action                                          Command
Check information about the observing port.     display observe-port
Check information about port mirroring.         display port-mirroring

If VLAN mirroring is cancelled, the configuration is successful.

2.5.8 Configuring MAC Address-based Local Mirroring


This section describes how to configure local MAC address mirroring.

Establishing the Configuration Task


Applicable Environment
When incoming packets with the specified source or destination MAC address in a VLAN need
to be monitored on the AC6605, you can configure local MAC address mirroring if the
monitoring interface receiving these incoming packets is located on the same AC6605 as the
observing port.

Pre-configuration Tasks
None.

Data Preparation
To configure local MAC address mirroring, you need the following data.
- Type and number of the observing port
- MAC address of the packets to be mirrored
- ID of the VLAN that the observed MAC address belongs to

Configuring Local SPAN Based on MAC Addresses


Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
observe-port index interface interface-type interface-number

An observing port is configured.


Step 3 Run:
vlan vlan-id

The VLAN view is displayed.


Step 4 Run:
mac-mirroring mac-address to observe-port index inbound

Local SPAN based on MAC addresses is configured.


You can repeatedly perform Step 3 and Step 4 to monitor the incoming packets with multiple
MAC addresses in multiple VLANs.
----End

Checking the Configuration


Run the following commands to check the previous configuration.
Action                                          Command
Check information about the observing port.     display observe-port
Check information about port mirroring.         display port-mirroring

If the following results are obtained, the configuration is successful:
- The type of the observing port is configured properly.
- The number of the observing port is configured properly.

2.5.9 Configuring RSPAN Based on MAC Addresses


This section describes how to configure RSPAN based on MAC addresses.

Establishing the Configuration Task


Applicable Environment
When incoming packets with the specified source or destination MAC address in a VLAN need
to be monitored on the AC6605, you can configure RSPAN based on MAC addresses if the
monitoring interface receiving these incoming packets is not located on the same AC6605 as
the observing port.

Pre-configuration Tasks
None.

Data Preparation
To configure RSPAN based on MAC addresses, you need the following data.
- Type and number of an observing port
- MAC address of the packet to be mirrored
- ID of the VLAN that the packet with the MAC address to be mirrored belongs to
- ID of an RSPAN VLAN

Configuring Remote MAC Address Mirroring


This section describes how to configure remote MAC address mirroring.

Procedure
- Configure remote MAC address mirroring on the source switch.
NOTE
The mirrored port cannot be added to the RSPAN VLAN.

1.

Run:
system-view

The system view is displayed.


2.

Run:
vlan vlan-id

An RSPAN VLAN is created and the RSPAN VLAN view is displayed.


3.

Run:
mac-address learning disable

The MAC address learning is disabled.


NOTE

If MAC address learning is disabled in the VLAN, other services cannot be configured in the VLAN.

4.

Run:
quit

Return to the system view.


5.

Run:
observe-port index interface interface-type interface-number [ vlan vlan-id ]

An observing port is configured, and the RSPAN VLAN is specified.


6.

Run:
vlan vlan-id

The view of the VLAN that the observed MAC address belongs to is displayed.
7.

Run:
mac-mirroring mac-address to observe-port index inbound

Remote MAC address mirroring is configured and the RSPAN VLAN is specified.
To observe incoming packets from or destined for multiple MAC addresses, repeat
Step 6 and Step 7.
- Configure the RSPAN VLAN on the intermediate switch and add interfaces to the RSPAN
  VLAN.
  The configuration is the same as that for remote port mirroring. For details, see Configuring
  Remote Port Mirroring.
- Configure the remote observing port on the destination switch.
  The configuration is the same as that for remote port mirroring. For details, see Configuring
  Remote Port Mirroring.

----End

Checking the Configuration


Run the following commands to check the previous configuration.
Action                                          Command
Check information about the observing port.     display observe-port
Check information about MAC address mirroring.  display port-mirroring

If the following results are obtained, the configuration is successful:
- The type of the observing port is configured properly.
- The RSPAN VLAN is configured properly.
- The number of the observing port is configured properly.

2.5.10 Canceling Mirroring Based on MAC Addresses


This section describes how to cancel mirroring based on MAC addresses.

Establishing the Configuration Task


Applicable Environment
When mirroring based on MAC addresses is enabled and incoming packets with specified MAC
addresses in this VLAN do not need to be monitored on the AC6605, or before deleting or
changing the bound observing port, you need to cancel mirroring based on MAC addresses.

Pre-configuration Tasks
None.

Data Preparation
To cancel mirroring based on MAC addresses, you need the following data.
- MAC address of the mirrored packet to be deleted

Canceling Mirroring Based on MAC Addresses


Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
vlan vlan-id

The view of the VLAN that monitored MAC address belongs to is displayed.
Step 3 Run:
undo mac-mirroring mac-address inbound

Mirroring based on MAC addresses is canceled.


----End

Checking the Configuration


Run the following commands to check the previous configuration.
Action                                          Command
Check information about the observing port.     display observe-port
Check the configuration of the mirrored port.   display port-mirroring

If MAC address mirroring in the VLAN is cancelled, the configuration is successful.

2.5.11 Configuring Local Flow Mirroring


This section describes how to configure local flow mirroring.

Establishing the Configuration Task


Applicable Environment
When incoming flows passing through the AC6605 with the same attribute need to be monitored,
you can configure local flow mirroring if the monitored interface receiving these incoming flows
is located on the same AC6605 as the observing port.

Pre-configuration Tasks
None.

Data Preparation
To configure local flow mirroring, you need the following data.
- Type and number of the observing port
- Type and number of the flow mirroring interface
- Names of the traffic classifier, traffic behavior, and traffic policy

Configuring Traffic Classification Rules


NOTE

There is no specified order among the matching rules in a traffic classifier. You can combine these rules.

For details on configuring traffic classification rules, see Configuring Complex Traffic
Classification in the AC6605 Access Controller Configuration Guide - QoS.

Configuring Flow Mirroring


Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
observe-port index interface interface-type interface-number

An observing port is configured.


Step 3 Run:
traffic behavior behavior-name

A traffic behavior is created and the traffic behavior view is displayed.


Step 4 Run:
mirroring to observe-port index

Flow mirroring is configured.


----End

Follow-up Procedure
After configuring flow mirroring in a traffic behavior, you need to bind the behavior to a traffic
classifier in a traffic policy and then apply the policy to the interface. For detailed configuration
procedures, see Creating and Applying a Traffic Policy.

Creating and Applying a Traffic Policy


Context
Do as follows on the AC6605 that needs to be configured with flow mirroring.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
traffic policy policy-name

A traffic policy is created and the policy view is displayed.


Step 3 Run:
classifier classifier-name behavior behavior-name

A traffic behavior is configured for a specified class in the traffic policy.


classifier-name in this step must be the same as the name of the traffic classifier created in
Configuring Traffic Classification Rules.
behavior-name must be the same as that specified in Step 3 when you configured the traffic
behavior in Configuring Flow Mirroring.
Step 4 Run:
quit

Return to the system view.


Step 5 Run:
interface interface-type interface-number

The interface view is displayed.


Step 6 Run:
traffic-policy policy-name inbound

The traffic policy that contains flow mirroring is applied to the interface.
You can repeatedly perform Step 5 and Step 6 to monitor the incoming flows, with the same
attributes, passing through multiple interfaces.
----End

Checking the Configuration


Run the following commands to check the previous configuration.
Action                                          Command
Check information about the observing port.     display observe-port
Check information about port mirroring.         display port-mirroring
Check the flow mirroring configuration in the   display traffic policy interface [ interface-type
traffic policy on an interface.                 interface-number ] [ inbound ]

If the following results are obtained, the configuration is successful:
- The observing port is configured properly.
- A proper traffic policy is applied to the interface where incoming flows need to be
  monitored.
- The traffic policy contains a proper traffic classifier and a traffic behavior, and the traffic
  behavior contains a flow mirroring action.

2.5.12 Configuring Remote Flow Mirroring


This section describes how to configure remote flow mirroring.

Establishing the Configuration Task


Applicable Environment
When incoming flows passing through the AC6605 with the same attribute need to be monitored,
you can configure remote flow mirroring if the monitored interface receiving these incoming
flows is not located on the same AC6605 as the observing port.

Pre-configuration Tasks
None.

Data Preparation
To configure remote flow mirroring, you need the following data.
- Type and number of the observing port
- Type and number of the flow mirroring interface
- Names of the traffic classifier, traffic behavior, and traffic policy
- ID of the RSPAN VLAN

Setting Traffic Classification Rules


Context
For how to configure traffic classification rules, see Configuring Traffic Classification
Rules.

Configuring Remote Flow Mirroring


Procedure
- Configure remote flow mirroring on the source switch.
NOTE
The mirrored port cannot be added to the RSPAN VLAN.

1.

Run:
system-view

The system view is displayed.


2.

Run:
vlan vlan-id

An RSPAN VLAN is created and the RSPAN VLAN view is displayed.


3.

Run:
mac-address learning disable

The MAC address learning is disabled.


NOTE

If MAC address learning is disabled in the VLAN, other services cannot be configured in the VLAN.

4.

Run:
quit

Return to the system view.


5.

Run:
observe-port index interface interface-type interface-number [ vlan vlan-id ]

An observing port is configured, and the RSPAN VLAN is specified.


6.

Run:
traffic behavior behavior-name

A traffic behavior is created and the traffic behavior view is displayed.


7.

Run:
mirroring to observe-port index

Remote flow mirroring is configured.


After configuring flow mirroring in a traffic behavior, you need to bind the behavior
to a traffic classifier in a traffic policy and then apply the policy to the interface. For
details, see Creating and Applying a Traffic Policy.
- Configure the RSPAN VLAN on the intermediate switch and add interfaces to the RSPAN
  VLAN.
  The configuration is the same as that for remote port mirroring. For details, see Configuring
  Remote Port Mirroring.
- Configure the remote observing port on the destination switch.
  The configuration is the same as that for remote port mirroring. For details, see Configuring
  Remote Port Mirroring.

----End

Creating and Applying a Traffic Policy


Context
For how to create and apply a traffic policy on the source AC6605, see Creating and
Applying a Traffic Policy in Configuring Local Flow Mirroring.

Checking the Configuration


Run the following commands to check the previous configuration.

Action                                          Command
Check information about the observing port.     display observe-port
Check information about port mirroring.         display port-mirroring
Check the configuration of flow mirroring in    display traffic policy interface [ interface-type
the traffic policy on an interface.             interface-number ] [ inbound ]
If the following results are obtained, the configuration succeeds:


- The number of the observing port is configured properly.
- The type of the observing port is configured properly.
- The RSPAN VLAN is configured properly.
- A proper traffic policy is applied to the interface where incoming flows need to be
  monitored.
- The traffic policy contains a proper traffic classifier and a traffic behavior, and the traffic
  behavior contains the flow mirroring action.

2.5.13 Canceling Flow Mirroring


This section describes how to cancel flow mirroring.

Establishing the Configuration Task


Applicable Environment
When flow mirroring is enabled and the flow, with the same attributes, passing through the
AC6605 does not need to be monitored, you can cancel flow mirroring.

Pre-configuration Tasks
None.

Data Preparation
To cancel flow mirroring, you need the following data.
- Type and number of the interface where flow mirroring needs to be cancelled
- Name of the traffic policy

Canceling Flow Mirroring


Context
Do as follows on the AC6605 that is configured with flow mirroring.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
traffic behavior behavior-name

The traffic behavior view is displayed.


Step 3 Run:
undo mirroring

The flow mirroring action is cancelled.


Step 4 Run:
quit

Exit from the traffic behavior view.


Step 5 Run:
interface interface-type interface-number

The interface view is displayed.


Step 6 Run:
undo traffic-policy inbound

The traffic policy and flow mirroring action on the interface are canceled.
To cancel a traffic policy, you must cancel the traffic policy on all the interfaces where the traffic
policy is applied, and then run the undo traffic policy policy-name command to cancel the traffic
policy in the system view.
----End

Checking the Configuration


Run the following commands to check the previous configuration.
Action                                          Command
Check information about the observing port.     display observe-port
Check information about port mirroring.         display port-mirroring
Check the flow mirroring configuration in the   display traffic policy interface [ interface-type
traffic policy on an interface.                 interface-number ] [ inbound ]

If the following result is obtained, the configuration is successful:
- The traffic policy applied on an interface is cancelled.

2.5.14 Changing or Deleting an Observing Port


This section describes how to change or delete an observing port.

Establishing the Configuration Task


Applicable Environment
When you do not need to monitor the flow passing through the AC6605, you can delete the
current observing port; when you need to specify another interface on the AC6605 as an
observing port, you can change the current observing port.

Pre-configuration Tasks
Before changing or deleting an observing port, complete the following tasks:
- 2.5.4 Canceling Port Mirroring
- 2.5.7 Canceling VLAN Mirroring
- 2.5.10 Canceling Mirroring Based on MAC Addresses
- 2.5.13 Canceling Flow Mirroring

Data Preparation
To change or delete an observing port, you need the following data.
- Type and number of the new observing port

(Optional) Deleting an Observing Port


Prerequisites
Before deleting an observing port, make sure that the observing port is not used in any mirroring
configuration.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
interface interface-type interface-number

The view of the mirrored port is displayed.


Step 3 Run:
undo port-mirroring { both | inbound | outbound }

Interface mirroring is canceled.


Step 4 Run:
quit

Return to the system view.


Step 5 Run:
undo observe-port index

The observing port is deleted.


----End

(Optional) Changing an Observing Port


Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
observe-port index interface interface-type interface-number

Another interface is specified as an observing port.


----End

Checking the Configuration


Run the following commands to check the previous configuration.
Action                                          Command
Check information about the observing port.     display observe-port
Check information about port mirroring.         display port-mirroring

If the observing port is deleted or a new observing port is specified, the configuration is
successful.

2.5.15 Configuration Examples


This section provides several configuration examples for mirroring.

Example for Configuring Local Port Mirroring


Networking Requirements
As shown in Figure 2-9, the Switch is connected to an L2 switch, a PC, and a router. Packets
sent from the L2 switch to the Switch need to be monitored on the PC. You can configure local
port mirroring on the Switch to implement this function.
You need to configure GigabitEthernet 0/0/1 as a mirrored port and GigabitEthernet 0/0/24 as
an observing port.
Figure 2-9 Networking diagram of local port mirroring: the Switch connects to the L2 Switch
through GE 0/0/1, to the Router through GE 0/0/3, and to the mirroring host (PC) through
GE 0/0/24.

Configuration Roadmap
The configuration roadmap is as follows:
1.

Configure GigabitEthernet 0/0/24 as an observing port.

2.

Configure GigabitEthernet 0/0/1 as a mirrored port.

Data Preparation
To complete the configuration, you need the following data:
- IDs of the VLANs to which the interfaces need to be added

Configuration Procedure
1. Create a VLAN on the Switch and add interfaces to the VLAN in trunk mode.
# Add GigabitEthernet 0/0/1 and GigabitEthernet 0/0/3 to the same VLAN in trunk mode.
The following is the configuration of GigabitEthernet 0/0/1. The configuration of
GigabitEthernet 0/0/3 is the same and is not repeated here.
<Switch> system-view
[Switch] vlan 10
[Switch-vlan10] quit
[Switch] interface gigabitethernet 0/0/1
[Switch-GigabitEthernet0/0/1] port link-type trunk

[Switch-GigabitEthernet0/0/1] port trunk allow-pass vlan 10
[Switch-GigabitEthernet0/0/1] quit

2. Configure an observing port.
# Configure GigabitEthernet 0/0/24 as the observing port.
[Switch] observe-port 1 interface gigabitethernet 0/0/24

3. Configure a mirrored port.
# Configure GigabitEthernet 0/0/1 as a mirrored port.
[Switch] interface gigabitethernet 0/0/1
[Switch-GigabitEthernet0/0/1] port-mirroring to observe-port 1 inbound
[Switch-GigabitEthernet0/0/1] quit

4. Verify the configuration.
# Run the display port-mirroring command, and you can view the configurations on the
observing port and mirrored port.
[Switch] display port-mirroring
Port-mirror:
---------------------------------------------------------------------
Mirror-port                  Direction        Observe-port
---------------------------------------------------------------------
GigabitEthernet0/0/1         Inbound          GigabitEthernet0/0/24
----------------------------------------------------------------------

Configuration Files
Configuration file of the Switch
#
sysname Switch
#
observe-port 1 interface GigabitEthernet0/0/24
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 10
port-mirroring to observe-port 1 inbound
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk allow-pass vlan 10
#
return

Example for Configuring Local VLAN Mirroring


Networking Requirements
As shown in Figure 2-10, GigabitEthernet 0/0/1 is connected to PC1; GigabitEthernet 0/0/2 is
connected to PC2. PC1 and PC2 belong to VLAN 10. Now, incoming traffic of all active
interfaces in VLAN 10 needs to be monitored. In this case, you can configure local VLAN
mirroring.
GigabitEthernet 0/0/3 serves as an observing port.


Figure 2-10 Networking diagram of local VLAN mirroring
(Diagram not reproduced. Labels: Router, Switch, GE 0/0/1, GE 0/0/2, GE 0/0/3, PC1, PC2, PC3.)

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure GigabitEthernet 0/0/3 as an observing port.
2. Configure VLAN 10 as a mirrored VLAN.

Data Preparation
None.

Configuration Procedure
1. Configure an observing port.
# Set GigabitEthernet 0/0/3 as an observing port.
<Switch> system-view
[Switch] interface GigabitEthernet 0/0/3
[Switch-GigabitEthernet0/0/3] quit
[Switch] observe-port 1 interface gigabitethernet 0/0/3

2. Configure a mirrored VLAN.
# Configure VLAN 10 as a mirrored VLAN.
[Switch] vlan 10
[Switch-vlan10] mirroring to observe-port 1 inbound
[Switch-vlan10] quit

3. Verify the configuration.
# Run the display port-mirroring command. You can view the configuration of the
observing port.
[Switch] display port-mirroring
Vlan-mirror:
---------------------------------------------------------------------
Mirror-vlan        Direction        Observe-port
---------------------------------------------------------------------
10                 Inbound          GigabitEthernet0/0/3
----------------------------------------------------------------------


Configuration Files
Configuration file of the Switch
#
sysname Switch
#
vlan batch 1 10
#
observe-port 1 interface GigabitEthernet0/0/3
#
vlan 10
mirroring to observe-port 1 inbound
#
interface GigabitEthernet0/0/1
port link-type access
port default vlan 10
#
interface GigabitEthernet0/0/2
port link-type access
port default vlan 10
#
#
return

Example for Configuring MAC Address-based Local Mirroring


Networking Requirements
As shown in Figure 2-11, GigabitEthernet 0/0/1 is connected to PC1; GigabitEthernet 0/0/2 is
connected to PC2; GigabitEthernet 0/0/4 is connected to a router. GigabitEthernet 0/0/1,
GigabitEthernet 0/0/2, and GigabitEthernet 0/0/4 belong to VLAN 10. Now, incoming traffic
with the source or destination MAC as the MAC address of GigabitEthernet 1/0/1 on the router
in VLAN 10 needs to be monitored. In this case, you can configure local MAC address mirroring
on the Switch.
GigabitEthernet 0/0/3 serves as an observing port. The MAC address of GigabitEthernet 1/0/1
is 0001-0001-0001.
Figure 2-11 Networking diagram of local MAC address mirroring
(Diagram not reproduced. Labels: Router with GE 1/0/1; Switch with GE 0/0/4, GE 0/0/1, GE 0/0/2, GE 0/0/3; PC1, PC2, PC3.)

Configuration Roadmap
The configuration roadmap is as follows:
1. Set GigabitEthernet 0/0/3 as an observing port.
2. Configure local MAC address mirroring in the view of VLAN 10.

Data Preparation
None.

Configuration Procedure
1. Configure VLAN 10 and then add GigabitEthernet 0/0/1, GigabitEthernet 0/0/2, and
GigabitEthernet 0/0/4 to VLAN 10. The configuration procedure is not mentioned here.

2. Configure an observing port.
# Configure GigabitEthernet 0/0/3 as an observing port.
<Switch> system-view
[Switch] observe-port 1 interface gigabitethernet 0/0/3

3. Configure a mirroring MAC.
# Configure local MAC address mirroring in the view of VLAN 10.
[Switch] vlan 10
[Switch-vlan10] mac-mirroring 0001-0001-0001 to observe-port 1 inbound
[Switch-vlan10] quit

4. Verify the configuration.
# Run the display port-mirroring command to view the configuration of the observing
port.
[Switch] display port-mirroring
Mac-mirror:
---------------------------------------------------------------------
Mirror-mac          Vlan     Direction     Observe-port
---------------------------------------------------------------------
0001-0001-0001      10       Inbound       GigabitEthernet0/0/3
----------------------------------------------------------------------

Configuration Files
Configuration file of the Switch
#
sysname Switch
#
vlan batch 1 10
#
observe-port 1 interface GigabitEthernet0/0/3
#
vlan 10
mac-mirroring 0001-0001-0001 to observe-port 1 inbound
#
interface GigabitEthernet0/0/1
port link-type access
port default vlan 10
#
interface GigabitEthernet0/0/2
port link-type access
port default vlan 10
#
interface GigabitEthernet0/0/3
port link-type access
port default vlan 1

#
interface GigabitEthernet0/0/4
port link-type access
port default vlan 10
#
return

Example for Configuring Local Flow Mirroring


Networking Requirements
As shown in Figure 2-12, the Switch is connected to two L2 switches through
GigabitEthernet 0/0/1 and GigabitEthernet 0/0/5. Packets with the same attributes received by
GigabitEthernet 0/0/1 and GigabitEthernet 0/0/5 and transmitted from GigabitEthernet 0/0/3
need to be monitored. In this example, packets with the 802.1p priority as 6 need to be monitored.
GigabitEthernet 0/0/24 is configured as an observing port.
Figure 2-12 Networking diagram of local flow mirroring
(Diagram not reproduced. Labels: Router, Switch, GE 0/0/1, GE 0/0/3, GE 0/0/5, GE 0/0/24, two L2 Switches, Mirroring host.)

Configuration Roadmap
The configuration roadmap is as follows:
1. Set GigabitEthernet 0/0/24 as an observing port.
2. Create a traffic classifier and set the traffic classification rule that only the packets with
the 802.1p priority as 6 can be matched.
3. Create a traffic behavior and configure flow mirroring in the traffic behavior.
4. Create a traffic policy and bind the traffic classifier to the traffic behavior.
5. Apply the traffic policy to GigabitEthernet 0/0/1 and GigabitEthernet 0/0/5.
6. Create a VLAN on the Switch. Add GigabitEthernet 0/0/1, GigabitEthernet 0/0/3, and
GigabitEthernet 0/0/5 to the same VLAN in trunk mode.


Data Preparation
To complete the configuration, you need the following data:
- Name of the traffic classifier: c1
- Name of the traffic behavior: b1
- Name of the traffic policy: p1
- ID of the VLAN created on the Switch: 10

Configuration Procedure
1. Create a VLAN on the Switch and add interfaces to the VLAN in trunk mode.
# Add GigabitEthernet 0/0/1, GigabitEthernet 0/0/3, and GigabitEthernet 0/0/5 to the same
VLAN in trunk mode. The following takes the configuration of GigabitEthernet 0/0/1 as
an example. The configurations of GigabitEthernet 0/0/3 and GigabitEthernet 0/0/5 are the
same as the configuration of GigabitEthernet 0/0/1 and are not mentioned here.
<Switch> system-view
[Switch] vlan 10
[Switch-vlan10] quit
[Switch] interface gigabitethernet 0/0/1
[Switch-GigabitEthernet0/0/1] port link-type trunk
[Switch-GigabitEthernet0/0/1] port trunk allow-pass vlan 10
[Switch-GigabitEthernet0/0/1] quit

2. Configure an observing port.
# Set GigabitEthernet 0/0/24 as the observing port.
[Switch] observe-port 1 interface gigabitethernet 0/0/24

3. Create a traffic classifier.
# Create traffic classifier c1 and set the traffic classification rule that only the packets with
the 802.1p priority as 6 can be matched.
[Switch] traffic classifier c1
[Switch-classifier-c1] if-match 8021p 6
[Switch-classifier-c1] quit

4. Create a traffic behavior.
# Create traffic behavior b1 and configure flow mirroring in the traffic behavior.
[Switch] traffic behavior b1
[Switch-behavior-b1] mirroring to observe-port 1
[Switch-behavior-b1] quit

5. Create a traffic policy.
# Create a traffic policy and bind traffic classifier c1 to traffic behavior b1.
[Switch] traffic policy p1
[Switch-trafficpolicy-p1] classifier c1 behavior b1
[Switch-trafficpolicy-p1] quit

6. Apply the traffic policy and enable the interface to trust the 802.1p priority of packets.
# Apply traffic policy p1 to GigabitEthernet 0/0/1 and GigabitEthernet 0/0/5, and enable
GigabitEthernet 0/0/1 and GigabitEthernet 0/0/5 to trust the 802.1p priority of packets.
[Switch] interface gigabitethernet 0/0/1
[Switch-GigabitEthernet0/0/1] traffic-policy p1 inbound
[Switch-GigabitEthernet0/0/1] trust 8021p
[Switch-GigabitEthernet0/0/1] quit
[Switch] interface gigabitethernet 0/0/5
[Switch-GigabitEthernet0/0/5] traffic-policy p1 inbound
[Switch-GigabitEthernet0/0/5] trust 8021p
[Switch-GigabitEthernet0/0/5] quit

7. Verify the configuration.
# Run the display port-mirroring command. You can check the observing port.
[Switch] display port-mirroring
Stream-mirror:
---------------------------------------------------------------------
Behavior        Direction        Observe-port
---------------------------------------------------------------------
b1                               GigabitEthernet0/0/24
----------------------------------------------------------------------

# Run the display traffic policy interface command. You can check the traffic policy
applied to GigabitEthernet 0/0/1 and GigabitEthernet 0/0/5.
[Switch] display traffic policy interface
Interface: GigabitEthernet0/0/1
Direction: Inbound
Policy: p1
Classifier: c1
Operator: AND
Rule(s) :
if-match 8021p 6
Behavior: b1
Mirroring to observe-port 1
Interface: GigabitEthernet0/0/5
Direction: Inbound
Policy: p1
Classifier: c1
Operator: AND
Rule(s) :
if-match 8021p 6
Behavior: b1
Mirroring to observe-port 1

Configuration Files
Configuration file of the Switch
#
sysname Switch
#
vlan batch 10
#
observe-port 1 interface GigabitEthernet0/0/24
#
traffic classifier c1 operator and
if-match 8021p 6
#
traffic behavior b1
mirroring to observe-port 1
#
traffic policy p1
classifier c1 behavior b1
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 10
traffic-policy p1 inbound
trust 8021p
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk allow-pass vlan 10
#
interface GigabitEthernet0/0/5
port link-type trunk
port trunk allow-pass vlan 10
traffic-policy p1 inbound
trust 8021p

#
interface GigabitEthernet0/0/24
#
return

Example for Configuring Remote Port Mirroring


Networking Requirements
As shown in Figure 2-13, Switch A is connected to PC1; Switch C is connected to PC2. Now,
incoming traffic of GigabitEthernet 0/0/2 on Switch A needs to be monitored on PC2. In this
case, you can configure remote port mirroring on Switch A.
Figure 2-13 Networking diagram of remote port mirroring
(Diagram not reproduced. Labels: SwitchA with GE 0/0/1 and GE 0/0/2; SwitchB with GE 0/0/1 and GE 0/0/2; SwitchC with GE 0/0/1 and GE 0/0/2; PC1; PC2.)

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure GigabitEthernet 0/0/1 of Switch A as an observing port, and set the observing
port as an FR interface.
2. Configure GigabitEthernet 0/0/2 of Switch A as a mirrored port.
3. Configure GigabitEthernet 0/0/1 of Switch C as an observing port.

Data Preparation
To complete the configuration, you need the following data:
- Index number of the observing port on Switch A: 1
- ID of the RSPAN VLAN on Switch A, Switch B, and Switch C: 2
- Index number of the observing port on Switch C: 1

Configuration Procedure
1. Configure Switch A.
# Configure the RSPAN VLAN.
<SwitchA> system-view
[SwitchA] vlan 2
[SwitchA-vlan2] quit

# Configure GE 0/0/1 as an observing port and specify VLAN 2 as the RSPAN VLAN.
[SwitchA] observe-port 1 interface gigabitethernet 0/0/1 vlan 2

# Add GE 0/0/1 to the RSPAN VLAN as a trunk interface.


[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 2
[SwitchA-GigabitEthernet0/0/1] quit

# Configure remote port mirroring for incoming traffic on GE 0/0/2.


[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port-mirroring to observe-port 1 inbound
[SwitchA-GigabitEthernet0/0/2] quit

2. Configure Switch B.
# Create the RSPAN VLAN.
<SwitchB> system-view
[SwitchB] vlan 2
[SwitchB-vlan2] quit

# Add GE 0/0/1 and GE 0/0/2 to the RSPAN VLAN as trunk interfaces.
[SwitchB] interface GigabitEthernet 0/0/1
[SwitchB-GigabitEthernet0/0/1] port link-type trunk
[SwitchB-GigabitEthernet0/0/1] port trunk allow-pass vlan 2
[SwitchB-GigabitEthernet0/0/1] quit
[SwitchB] interface GigabitEthernet 0/0/2
[SwitchB-GigabitEthernet0/0/2] port link-type trunk
[SwitchB-GigabitEthernet0/0/2] port trunk allow-pass vlan 2
[SwitchB-GigabitEthernet0/0/2] quit

3. Configure Switch C.
# Create the RSPAN VLAN.
<SwitchC> system-view
[SwitchC] vlan 2
[SwitchC-vlan2] quit

# Add GE 0/0/2 to the RSPAN VLAN as a trunk interface.


[SwitchC] interface GigabitEthernet 0/0/2
[SwitchC-GigabitEthernet0/0/2] port link-type trunk
[SwitchC-GigabitEthernet0/0/2] port trunk allow-pass vlan 2
[SwitchC-GigabitEthernet0/0/2] quit

# Configure GE 0/0/1 as a hybrid interface and configure it to allow packets of the RSPAN
VLAN to pass.
[SwitchC] interface GigabitEthernet 0/0/1
[SwitchC-GigabitEthernet0/0/1] port hybrid untagged vlan 2
[SwitchC-GigabitEthernet0/0/1] quit

Configuration Files
Configuration file of Switch A
#
sysname SwitchA
#
vlan 2
#
observe-port 1 interface GigabitEthernet0/0/1 vlan 2
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 2
#
interface GigabitEthernet0/0/2
port-mirroring to observe-port 1 inbound
#

#
return

Configuration file of Switch B


#
sysname SwitchB
#
vlan 2
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 2
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 2
#
#
return

Configuration file of Switch C


#
sysname SwitchC
#
vlan 2
#
interface GigabitEthernet0/0/1
port hybrid untagged vlan 2
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 2
#
#
return

Example for Changing an Observing Port


Networking Requirements
As shown in Figure 2-14, GigabitEthernet 0/0/1 on the Switch is connected to an L2 switch;
GigabitEthernet 0/0/24 is connected to host 1; GigabitEthernet 0/0/5 is connected to host 2. To
monitor incoming traffic on GigabitEthernet 0/0/1, interface mirroring is configured on the
Switch. Configure GigabitEthernet 0/0/1 as a mirrored port, and GigabitEthernet 0/0/24
connected to host 1 as an observing port. Enable host 1 to receive incoming traffic from
GigabitEthernet 0/0/1.
At present, host 2 needs to receive incoming traffic from GigabitEthernet 0/0/1. Therefore, the
observing port needs to switch from GigabitEthernet 0/0/24 to GigabitEthernet 0/0/5.


Figure 2-14 Networking for changing the observing port
(Diagram not reproduced. Labels: Router, Switch, GE 0/0/1, GE 0/0/3, GE 0/0/5, GE 0/0/24, L2 Switch, Mirroring host1, Mirroring host2.)

Configuration Roadmap
The configuration roadmap is as follows:
1. Delete the mirrored port GigabitEthernet 0/0/1.
2. Set GigabitEthernet 0/0/5 instead of GigabitEthernet 0/0/24 as the observing port.
3. Reset GigabitEthernet 0/0/1 as a mirrored port.

Data Preparation
To complete the configuration, you need the following data:
- Type and number of the new observing port, that is, GigabitEthernet 0/0/5

Configuration Procedure
1. Check the configurations on the current observing port and mirrored port.
# Run the display port-mirroring command to check the configurations on the current
observing port and mirrored port.
<Switch> display port-mirroring
Port-mirror:
---------------------------------------------------------------------
Mirror-port                  Direction        Observe-port
---------------------------------------------------------------------
GigabitEthernet0/0/1         Inbound          GigabitEthernet0/0/24
----------------------------------------------------------------------

2. Delete the mirrored port.
# Delete the mirrored port GigabitEthernet 0/0/1.
<Switch> system-view
[Switch] interface gigabitethernet 0/0/1
[Switch-GigabitEthernet0/0/1] undo port-mirroring inbound
[Switch-GigabitEthernet0/0/1] quit

3. Change the observing port.
# Change the observing port to GigabitEthernet 0/0/5.
[Switch] observe-port 1 interface gigabitethernet 0/0/5

4. Configure a mirrored port.
# Configure GigabitEthernet 0/0/1 as the mirrored port again.
[Switch] interface gigabitethernet 0/0/1
[Switch-GigabitEthernet0/0/1] port-mirroring to observe-port 1 inbound
[Switch-GigabitEthernet0/0/1] quit

5. Verify the configuration.
# Run the display port-mirroring command. You can check the configurations on the
current observing port and mirrored port.
[Switch] display port-mirroring
Port-mirror:
---------------------------------------------------------------------
Mirror-port                  Direction        Observe-port
---------------------------------------------------------------------
GigabitEthernet0/0/1         Inbound          GigabitEthernet0/0/5
----------------------------------------------------------------------

Configuration Files
Configuration file of the Switch
#
sysname Switch
#
observe-port 1 interface GigabitEthernet0/0/5
#
interface GigabitEthernet0/0/1
port-mirroring to observe-port 1 inbound
#
return
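Every mirror session in the examples above copies live traffic to an observing port, so a configuration review should be able to account for each one. The following script is an added example, not Huawei tooling: it parses the "#"-delimited configuration files shown in this section (observe-port, port-mirroring, VLAN mirroring, mac-mirroring, flow mirroring in a traffic behavior, and RSPAN observing ports) and flags sessions whose observing port is not on an approved list or whose copy leaves the switch over an RSPAN VLAN. The sample configuration inside is constructed, and the patterns accept only the exact command forms shown on this page.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Command forms copied from the configuration files shown in this section.
OBSERVE_RE = re.compile(r"^observe-port (\d+) interface (\S+)(?: vlan (\d+))?$")
PORT_MIRROR_RE = re.compile(r"^port-mirroring to observe-port (\d+) (inbound|outbound|both)$")
VLAN_MIRROR_RE = re.compile(r"^mirroring to observe-port (\d+) (inbound|outbound|both)$")
MAC_MIRROR_RE = re.compile(r"^mac-mirroring (\S+) to observe-port (\d+) (inbound|outbound|both)$")
FLOW_MIRROR_RE = re.compile(r"^mirroring to observe-port (\d+)$")


@dataclass
class MirrorSession:
    kind: str                         # "port", "vlan", "mac" or "flow"
    source: str                       # mirrored port, VLAN, MAC or traffic behavior
    direction: str                    # inbound/outbound/both; "" for flow (the policy decides)
    observe_index: int
    observe_port: str = ""            # "" if the index has no observe-port definition
    rspan_vlan: Optional[int] = None  # set when the observing port carries an RSPAN VLAN


def split_sections(config: str) -> List[List[str]]:
    """Split the file into the blocks that '#' lines delimit, dropping blank lines."""
    sections: List[List[str]] = [[]]
    for line in (raw.strip() for raw in config.splitlines()):
        if line == "#":
            sections.append([])
        elif line:
            sections[-1].append(line)
    return [s for s in sections if s]


def audit_mirroring(config: str) -> List[MirrorSession]:
    """Return every mirror session in file order, resolved against the observe-port table."""
    sections = split_sections(config)
    observers: Dict[int, Tuple[str, Optional[int]]] = {}
    for m in (OBSERVE_RE.match(line) for s in sections for line in s):
        if m:
            observers[int(m.group(1))] = (m.group(2), int(m.group(3)) if m.group(3) else None)
    found: List[Tuple[str, str, str, int]] = []  # (kind, source, direction, observe index)
    for section in sections:
        head, body = section[0].split(), section[1:]
        for line in body:
            if head[0] == "interface" and (m := PORT_MIRROR_RE.match(line)):
                found.append(("port", head[1], m.group(2), int(m.group(1))))
            elif head[0] == "vlan" and head[1].isdigit() and (m := MAC_MIRROR_RE.match(line)):
                found.append(("mac", f"{m.group(1)} in VLAN {head[1]}", m.group(3), int(m.group(2))))
            elif head[0] == "vlan" and head[1].isdigit() and (m := VLAN_MIRROR_RE.match(line)):
                found.append(("vlan", f"VLAN {head[1]}", m.group(2), int(m.group(1))))
            elif head[:2] == ["traffic", "behavior"] and (m := FLOW_MIRROR_RE.match(line)):
                found.append(("flow", f"traffic behavior {head[2]}", "", int(m.group(1))))
    return [MirrorSession(k, s, d, i, *observers.get(i, ("", None))) for k, s, d, i in found]


def findings(sessions: List[MirrorSession], approved_observe_ports: Set[str]) -> List[str]:
    """Flag sessions whose traffic copy leaves through an unapproved or remote observing port."""
    out: List[str] = []
    for s in sessions:
        where = f"{s.kind} mirror of {s.source} -> observe-port {s.observe_index}"
        if not s.observe_port:
            out.append(f"{where}: index has no observe-port definition")
        elif s.observe_port not in approved_observe_ports:
            out.append(f"{where} ({s.observe_port}): observing port is not on the approved list")
        if s.rspan_vlan is not None:
            out.append(f"{where}: remote mirroring, the copy leaves the switch on RSPAN VLAN {s.rspan_vlan}")
    return out


# Constructed sample (not from the guide) combining the mirroring types shown above.
SAMPLE_CONFIG = """#
vlan batch 2 10 20
#
observe-port 1 interface GigabitEthernet0/0/24
#
observe-port 2 interface GigabitEthernet0/0/23 vlan 2
#
vlan 10
mac-mirroring 0001-0001-0001 to observe-port 1 inbound
#
vlan 20
mirroring to observe-port 1 inbound
#
traffic behavior b1
mirroring to observe-port 1
#
interface GigabitEthernet0/0/1
port-mirroring to observe-port 1 inbound
#
interface GigabitEthernet0/0/2
port-mirroring to observe-port 2 both
#
return
"""
```

Running `findings(audit_mirroring(SAMPLE_CONFIG), {"GigabitEthernet0/0/24"})` reports only the GigabitEthernet0/0/2 session, once for its unapproved observing port and once because it is carried off the switch on RSPAN VLAN 2.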

2.6 PoE Configuration


This chapter describes the basic concepts and configuration methods of PoE.

2.6.1 PoE Overview


This section describes the basic concepts of PoE.
Power over Ethernet (PoE) refers to power supply over a 10Base-T, 100Base-TX, or 1000Base-T
twisted pair cable. PoE can be used to effectively provide power for terminals such as IP
phones, Access Points (APs), chargers of portable devices, point-of-sale (POS) machines,
cameras, and data collection devices. Terminals are powered when they access the network, so
separate indoor power cabling does not need to be planned. Currently, PoE follows the unified
standards IEEE 802.3af and 802.3at, which enable devices from different vendors to be
compatible with each other.

2.6.2 PoE Features Supported by the AC6605


This section describes the PoE features supported by the AC6605.
The downstream electrical interfaces of the AC6605 support PoE. Each downstream interface
provides a maximum of 30 W power and a maximum power supply distance of 100 m. The
AC6605 can transmit current and data on the same pair of signal cables.
PoE power supplies are classified into the following types: 500 W constant current power supply
and 250 W constant current power supply. A 500 W power supply provides 369.6 W power for
the PoE function, and a 250 W power supply provides 123.2 W for the PoE function.
The following AC6605 models support PoE:
- AC6605
  Each switch has two power supply slots. Each slot supports a 500 W or 250 W power
  supply. When two PoE power supplies are used, determine their working mode according
  to the following table.

  Power Supply Combination                           Available PoE Power
  250 W constant current                             123.2 W
  500 W constant current                             369.6 W
  250 W constant current + 250 W constant current    246.4 W
  250 W constant current + 500 W constant current    492.8 W
  500 W constant current + 500 W constant current    739.2 W

2.6.3 Configuring PoE Functions


This section describes how to configure PoE functions.

Establishing the Configuration Task


Applicable Environment
The AC6605 can detect whether a device connected to it needs the remote power supply and
provide power for the device that requires the remote power supply.
According to the actual requirements on the network, you can:
- Set the maximum power and reserved power of the PoE power supply on the AC6605
  through commands.
- Control the remote power supply features of PoE interfaces separately, for example, enable
  or disable the remote power supply function, and set the maximum output power, the power
  supply mode, and the power supply priority through commands.

Pre-configuration Tasks
Before configuring the PoE functions, complete the following task:
Installing the PoE power supply on the AC6605.

Configuring the PoE Function Globally


Procedure
- (Optional) Setting the maximum output power of the device.
  1. Run:
     system-view
     The system view is displayed.
  2. Run:
     poe max-power maximum-power [ slot slot-id ]
     The maximum output power of a board is set.
     The value of maximum-power ranges from 15400 to 739200, in mW.
- (Optional) Configuring the PoE power supply management mode
  1. Run:
     system-view
     The system view is displayed.
  2. Run:
     poe power-management { auto | manual } [ slot slot-id ]
     The power supply management mode is configured.
- (Optional) Manually powering on or powering off the PD connected to an interface
  NOTE
  When the manual power management mode is adopted, you must manually power on or power off
  PDs on interfaces.
  1. Run:
     system-view
     The system view is displayed.
  2. Run:
     poe power-on interface interface-type interface-number or poe power-off
     interface interface-type interface-number
     The PD connected to an interface is powered on or powered off manually.
- (Optional) Configuring a board to allow high inrush current during power-on
  If a PD does not comply with IEEE 802.3at or 802.3af, high inrush current is generated
  when the PD is powered on. In this case, the PSE cuts off the power of the PD to protect
  itself. If the PSE is required to provide power for the PD, the PSE must allow high inrush
  current.
  1. Run:
     system-view
     The system view is displayed.
  2. Run:
     poe high-inrush enable
     A PoE board is configured to allow high inrush current during power-on.
     By default, a board does not allow high inrush current during power-on.
- (Optional) Setting the percentage of the reserved PoE power against the total PoE power
  The AC6605 can dynamically allocate power to each interface according to the power
  consumption of each interface. The power consumption of a PD keeps changing when the
  PD is running. The AC6605 periodically calculates the total power consumption of all the
  PDs connected to the device. If the total power consumption exceeds the upper threshold
  of the board, the AC6605 cuts off the power of the PDs on the interfaces of low priority to
  ensure that other PDs can run normally.
  Sometimes, the power consumption increases sharply and the available power of the device
  cannot support the burst increase of power. At this time, the software system has not found
  that the total power consumption exceeded the upper threshold; therefore, the AC6605 does
  not power off interfaces of low priority in time. As a result, the PoE power supply is shut
  down for overload protection, and hence all PDs are powered off.
  This problem can be solved by setting proper reserved power. When the power consumption
  increases sharply, the reserved power can support the system running. Then the system
  software has time to power off interfaces of low priority to ensure stable running of other
  PDs.
  1. Run:
     system-view
     The system view is displayed.
  2. Run:
     poe power-reserved reserved-power-percent [ slot slot-id ]
     The percentage of the reserved PoE power against the total PoE power is set.
     By default, 20% of the total PoE power is reserved.
- (Optional) Setting the alarm threshold of power consumption percentage
  1. Run:
     system-view
     The system view is displayed.
  2. Run:
     poe power-threshold thresholdvalue [ slot slot-id ]
     The alarm threshold of power consumption percentage is set.
     By default, the alarm threshold is 90%. That is, an alarm is generated when the
     consumed power accounts for 90% of the total power.
----End

Configuring the PoE Function on an Interface


In an interface view, you can enable the PoE function, set the maximum output power, set the
power supply priority, and specify the power-off time segment.

Procedure
Step 1 Enable the PoE function on an interface.
  1. Run:
     system-view
     The system view is displayed.
  2. Run:
     interface interface-type interface-number
     The interface view is displayed.


  3. Run:
     poe enable
     The PoE function is enabled.
     By default, the PoE function is enabled on all interfaces.
Step 2 Optional: Set the maximum output power of an interface.
  1. Run:
     system-view
     The system view is displayed.
  2. Run:
     interface interface-type interface-number
     The interface view is displayed.
  3. Run:
     poe power maximum-power
     The maximum output power of the interface is set.
     By default, the maximum output power of an interface is 30000 mW.
Step 3 Optional: Set the power supply priority of an interface.
  1. Run:
     system-view
     The system view is displayed.
  2. Run:
     interface interface-type interface-number
     The interface view is displayed.
  3. Run:
     poe priority { critical | high | low }
     The power supply priority of the interface is set.
     By default, the power supply priority of an interface is low.
     The priorities in descending order are critical, high, and low.
Step 4 Optional: Set the power-off time range of a PoE interface.
  1. Run:
     system-view
     The system view is displayed.
  2. Run:
     time-range time-name { start-time to end-time days | from time1 date1 [ to
     time2 date2 ] }
     The power-off time range of a PoE interface is set.
  3. Run:
     interface interface-type interface-number
     The interface view is displayed.
  4. Run:
     poe power-off time-range time-range-name
     The power-off time range takes effect on the interface.


Step 5 Optional: Enable an interface to check compatibility of PDs.
NOTE
Before enabling an interface to check compatibility of PDs, you must enable PoE on the PSE. After this
function is enabled, the interface can detect the PDs that do not comply with IEEE 802.3af.
  1. Run:
     system-view
     The system view is displayed.
  2. Run:
     interface interface-type interface-number
     The interface view is displayed.
  3. Run:
     poe legacy enable
     The interface is enabled to check compatibility of PDs.
     By default, an interface does not check compatibility of PDs.
Step 6 Optional: Power on an interface forcibly.
If the PSE cannot identify the PD connected to an interface, you can forcibly power on the
interface. Before powering on the interface, ensure that the system power is sufficient.
  1. Run:
     system-view
     The system view is displayed.
  2. Run:
     interface interface-type interface-number
     The interface view is displayed.
  3. Run:
     poe force-power
     The interface is forcibly powered on.
     By default, an interface cannot provide power for unidentified PDs.
----End
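To see how the power supply table, the reserved-power percentage, the alarm threshold and the interface priorities interact, here is an added example (not Huawei's firmware logic) that models the PoE budget with the figures this section states. It assumes PDs are admitted strictly in priority order (critical, high, low) with ties broken by configuration order, each PD budgeted at its configured poe power maximum, and the reserved share of the total never handed out; the device's real per-interface accounting may differ.

```python
from typing import List, Tuple

# Figures stated in this section, in mW. The per-supply PoE power comes from the power
# supply combination table; the defaults are those of the poe commands described above.
SUPPLY_POE_MW = {"250W": 123_200, "500W": 369_600}
INTERFACE_MAX_MW = 30_000                             # default poe power on an interface
DEFAULT_RESERVED_PERCENT = 20                         # default poe power-reserved
DEFAULT_ALARM_PERCENT = 90                            # default poe power-threshold
PRIORITY_RANK = {"critical": 0, "high": 1, "low": 2}  # poe priority, highest first

# One PD as configured on its interface: (interface name, poe power in mW, poe priority).
Interface = Tuple[str, int, str]


def available_poe_mw(supplies: List[str]) -> int:
    """Total PoE power for the installed supplies; 250W plus 500W gives 492.8 W as in the table."""
    if not 1 <= len(supplies) <= 2:
        raise ValueError("the AC6605 has two power supply slots")
    return sum(SUPPLY_POE_MW[s] for s in supplies)


def plan_power(supplies: List[str], interfaces: List[Interface],
               reserved_percent: int = DEFAULT_RESERVED_PERCENT,
               alarm_percent: int = DEFAULT_ALARM_PERCENT) -> Tuple[List[str], List[str], int, bool]:
    """Planning model (assumption, not the device algorithm): admit PDs in priority order,
    ties in configuration order, each at its configured maximum, never touching the reserve.
    Returns (powered interfaces, interfaces that would be powered off, budgeted mW, alarm)."""
    total = available_poe_mw(supplies)
    usable = total * (100 - reserved_percent) // 100
    for name, power, priority in interfaces:
        if power > INTERFACE_MAX_MW or priority not in PRIORITY_RANK:
            raise ValueError(f"{name}: invalid poe power or priority")
    ordered = sorted(enumerate(interfaces), key=lambda e: (PRIORITY_RANK[e[1][2]], e[0]))
    powered: List[str] = []
    shed: List[str] = []   # low-priority PDs are the first to lose power when the budget is short
    used = 0
    for _, (name, power, _priority) in ordered:
        if used + power <= usable:
            powered.append(name)
            used += power
        else:
            shed.append(name)
    alarm = used * 100 >= total * alarm_percent   # alarm when consumption reaches the threshold
    return powered, shed, used, alarm


# Constructed scenario: one 250 W supply and five PDs. GE 0/0/1 uses the 12000 mW critical
# setting from the configuration example in 2.6.4; the rest are made up for the demonstration.
DEMO_SUPPLIES = ["250W"]
DEMO_INTERFACES: List[Interface] = [
    ("GigabitEthernet0/0/3", 30_000, "low"),
    ("GigabitEthernet0/0/1", 12_000, "critical"),
    ("GigabitEthernet0/0/2", 20_000, "high"),
    ("GigabitEthernet0/0/4", 30_000, "low"),
    ("GigabitEthernet0/0/5", 30_000, "low"),
]
```

With the default 20% reserve, `plan_power(DEMO_SUPPLIES, DEMO_INTERFACES)` fits 92000 mW of PDs and leaves GigabitEthernet0/0/5 unpowered; with the reserve set to 0 every PD fits but consumption passes the 90% alarm threshold, which is exactly the surge situation the reserved-power text warns about.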

Checking the Configuration


Prerequisites
The PoE power supply and PoE board are installed, and the PoE function is configured.

Procedure
Step 1 Run the display poe-power command to view the status of the PoE power supply.
Step 2 Run the display poe device command to view information about the devices that support the
PoE function.
Step 3 Run the display poe information command to view the PoE information.
Step 4 Run the display poe power interface interface-type interface-number command to view the
output power of an interface.
Step 5 Run the display poe power-state interface interface-type interface-number command to view
the status of PoE power supply on an interface.
----End

2.6.4 Configuration Examples


This section provides an example for configuring PoE on the AC6605.

Example for Configuring PoE on the Switch


Networking Requirements
As shown in Figure 2-15, Switch supports PoE, and Switch A, Switch B, and the AP can be powered
through PoE.
NOTE
Switch A, Switch B, and the AP are devices of other vendors and need to be powered through PoE.
Switch provides power for Switch A, Switch B, and the AP in automatic mode, and is enabled
with compatibility detection for PDs.
Figure 2-15 Networking diagram of PoE configurations (Switch connects Switch A, Switch B, and
the AP through GE 0/0/1, GE 0/0/2, and GE 0/0/24)

Configuration Roadmap
The configuration roadmap is as follows:
1. Enable PoE on GE 0/0/1 of Switch, and configure the maximum power and the power
supply priority of GE 0/0/1.
2. Enable PoE on GE 0/0/2 of Switch, and set the maximum power consumption of GE 0/0/2.
3. Enable PoE on GE 0/0/3 of Switch, and set the maximum power consumption of GE 0/0/3.
4. Configure the maximum power consumption of the interface connecting the AP on Switch.
5. Configure the power supply management of Switch to be in automatic mode.

Data Preparation
To complete the configuration, you need the following data:
- Number of an interface on which PoE is to be enabled
- Maximum power consumption of an interface

Configuration Procedure
1. # Enable PoE on GE 0/0/1 of Switch, set the maximum power consumption of GE 0/0/1 to
12000 mW, and set the power supply priority of GE 0/0/1 to critical.
<Switch> system-view
[Switch] interface gigabitethernet 0/0/1
[Switch-GigabitEthernet0/0/1] poe enable
[Switch-GigabitEthernet0/0/1] poe power 12000
[Switch-GigabitEthernet0/0/1] poe priority critical
[Switch-GigabitEthernet0/0/1] quit

2. # Enable PoE on GE 0/0/2 of Switch, and set the maximum power consumption of GE 0/0/2
to 20000 mW.
[Switch] interface gigabitethernet 0/0/2
[Switch-GigabitEthernet0/0/2] poe enable
[Switch-GigabitEthernet0/0/2] poe power 20000
[Switch-GigabitEthernet0/0/2] quit

3. # Enable PoE on GE 0/0/3 of Switch, and set the maximum power consumption of GE 0/0/3
to 2500 mW.
[Switch] interface gigabitethernet 0/0/3
[Switch-GigabitEthernet0/0/3] poe enable
[Switch-GigabitEthernet0/0/3] poe power 2500
[Switch-GigabitEthernet0/0/3] quit

4. # Configure the power supply management of Switch to be in automatic mode.
[Switch] poe power-management auto

Configuration Files
Configuration file of Switch
#
sysname Switch
#
interface GigabitEthernet0/0/1
poe power 12000
poe priority critical
#
interface GigabitEthernet0/0/2
poe power 20000
#
interface GigabitEthernet0/0/3
poe power 2500
#
interface GigabitEthernet0/0/4
#
return
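The following script is an added example and is not part of the Huawei guide. It parses a configuration file in the format shown above (interface blocks separated by # lines), sums the configured maximum power of the PoE interfaces against a PSE budget, and flags the two optional settings described earlier in this chapter that bypass normal PD identification (poe legacy enable and poe force-power). The sample configuration, the extra GE 0/0/4 and GE 0/0/5 interfaces in it, the form in which those two commands appear in the file, and the 30000 mW budget are assumptions made for illustration; take the real budget from the display poe-power command.

```python
"""Audit PoE settings in a VRP-style configuration file.

Added example, not Huawei code. It parses the "interface ... / #" blocks of a
configuration file in the format shown above and reports, per interface, the
configured maximum power and priority, flags the two settings that bypass
normal PD identification (poe legacy enable and poe force-power), and compares
the sum of the configured maximum power with a PSE budget.
"""
import re

# Constructed sample: the configuration file of Switch from the example, with
# two extra interfaces (assumed, for illustration) that use the bypass options.
SAMPLE_CONFIG = """\
#
sysname Switch
#
interface GigabitEthernet0/0/1
 poe power 12000
 poe priority critical
#
interface GigabitEthernet0/0/2
 poe power 20000
#
interface GigabitEthernet0/0/3
 poe power 2500
#
interface GigabitEthernet0/0/4
 poe force-power
#
interface GigabitEthernet0/0/5
 poe legacy enable
 poe power 15400
#
return
"""

# Assumed PSE budget in milliwatts; use the value shown by display poe-power.
BUDGET_MW = 30000


def parse_interfaces(config_text):
    """Return {interface name: [command lines]} for every interface block."""
    blocks = {}
    current = None
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            blocks[current] = []
        elif line in ("#", "return"):
            current = None          # a block ends at the next '#' separator
        elif current is not None and line:
            blocks[current].append(line)
    return blocks


def poe_summary(config_text):
    """Per-interface PoE attributes for interfaces that carry any poe command."""
    summary = {}
    for name, cmds in parse_interfaces(config_text).items():
        entry = {"power_mw": None, "priority": None,
                 "force_power": False, "legacy": False}
        for cmd in cmds:
            m = re.fullmatch(r"poe power (\d+)", cmd)
            if m:
                entry["power_mw"] = int(m.group(1))
            m = re.fullmatch(r"poe priority (\S+)", cmd)
            if m:
                entry["priority"] = m.group(1)
            if cmd == "poe force-power":
                entry["force_power"] = True
            if cmd == "poe legacy enable":
                entry["legacy"] = True
        if (entry["power_mw"] is not None or entry["priority"]
                or entry["force_power"] or entry["legacy"]):
            summary[name] = entry
    return summary


def audit(config_text, budget_mw=BUDGET_MW):
    """Return (total configured maximum power in mW, list of findings)."""
    findings = []
    total = 0
    for name, e in poe_summary(config_text).items():
        if e["power_mw"] is not None:
            total += e["power_mw"]
        if e["force_power"]:
            findings.append(f"{name}: poe force-power supplies power without PD identification")
        if e["legacy"]:
            findings.append(f"{name}: poe legacy enable accepts PDs that do not comply with IEEE 802.3af")
    if total > budget_mw:
        findings.append(f"configured maximum power {total} mW exceeds the PSE budget of {budget_mw} mW")
    return total, findings


if __name__ == "__main__":
    total_mw, problems = audit(SAMPLE_CONFIG)
    print(f"total configured maximum power: {total_mw} mW")
    for problem in problems:
        print("finding:", problem)
```

The sum is of configured maximums, not of measured draw; in automatic power management mode the PSE decides which interfaces lose power when the budget is exceeded, so the audit is a check on what the configuration allows rather than on what is currently being drawn.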

2.7 ALS Configuration


This chapter describes the Automatic Laser Shutdown (ALS) configuration on the AC6605.

2.7.1 ALS Overview


The ALS mechanism controls the pulses of the laser of an optical module by detecting the Loss
of Signal (LOS) on an optical interface.
When ALS is disabled and the fiber link is faulty, the optical interface is not disabled and the laser
of the optical module stays on even though data communication is interrupted. A laser that keeps
sending pulses after data communication is interrupted wastes energy and may injure the eyes of
operators handling the fiber.
When ALS is enabled and the fiber link is faulty, the software detects the LOS on the optical
interface and automatically stops the laser of the optical module from sending pulses on that
interface. When the faulty fiber link is recovered, the software detects that the LOS on the
optical interface is cleared and enables the laser to send pulses again. The ALS mechanism
protects operators against laser injury and saves energy.

2.7.2 ALS Features Supported by the AC6605


This section describes the ALS features supported by the AC6605.

Applicable Environment of ALS
- The switches are connected through fibers.
When switches are connected through fibers, the ALS function can be enabled on interfaces
of switches to protect users against laser radiation to eyes, as shown in Figure 2-16.
Figure 2-16 Connecting switches through fibers (the TX of Switch A is connected to the RX of
Switch B, and the RX of Switch A to the TX of Switch B)
- The switch and the optical network terminal (ONT) are connected through fibers.
In the application of fiber to the home (FTTH), if ONT users perform improper operations
on the fiber because of lack of knowledge about radiation or children touch the fiber, the
radiation of the laser harms eyes. To solve this problem, you can enable the ALS function
on the switch to protect safety of users. Figure 2-17 shows the connection.

Figure 2-17 Connecting the switch and ONT through the fiber (the TX of Switch is connected to
the RX of the ONT, and the RX of Switch to the TX of the ONT)

Influence of the ALS Function on Link Data Communication Recovery
When ALS is disabled, the optical module laser of the switch is still working. After the fiber
link is recovered, the LOS is cleared and the interface becomes Up rapidly. When ALS is enabled,
the switch controls the laser by detecting the LOS on the interface. This delays the recovery of
data communication on the link.
- ALS is enabled on both ends of the fiber link.
As shown in Figure 2-16, two switches are connected through the fiber. The interfaces of
the two switches are enabled with ALS and work in automatic restart mode. After the fiber
link is recovered, the process for interfaces of Switch A and Switch B changing from Down
to Up is as follows:
1. Switch A sends pulses periodically.
2. Switch B receives a pulse from Switch A after the fiber link is recovered.
3. The LOS on the interface of Switch B is cleared, and the interface becomes Up and sends signals.
4. Switch A receives signals from Switch B.
5. The LOS on the interface of Switch A is cleared, the interface becomes Up, and data
communication is recovered.
- ALS is enabled on one end of the fiber link.
As shown in Figure 2-16, two switches are connected through the fiber. ALS is disabled
on the interface of Switch A and enabled on the interface of Switch B, and the interface of
Switch B works in automatic restart mode. After the fiber link is recovered, the process for
interfaces of Switch A and Switch B changing from Down to Up is as follows:
1. The optical module laser of Switch A is still working.
2. Switch B receives optical signals from Switch A immediately after the fiber link is recovered.
3. The LOS on the interface of Switch B is cleared, and the interface becomes Up and sends signals.
4. Switch A receives signals from Switch B.
5. The LOS on the interface of Switch A is cleared, the interface becomes Up, and data
communication is recovered.
When ALS is enabled on both ends, recovery cannot begin until the next periodic pulse from
Switch A arrives, so the ALS pulse interval bounds the extra delay. After ALS is enabled on an
interface, the communication recovery speed on the interface is therefore reduced, and any traffic
sent to the interface before it is Up again is discarded.

2.7.3 Configuring ALS


Configuring ALS for the laser of an optical module in the interface view protects operators from
laser radiation and saves energy.


Establishing the Configuration Task


Before configuring ALS, familiarize yourself with the applicable environment, complete the
pre-configuration tasks, and obtain the required data. This helps you complete the configuration
task quickly and accurately.

Applicable Environment
The AC6605 detects LOSs on optical interfaces to control the laser of optical modules, ensuring
safety and saving energy.
According to the actual networking requirements, after ALS is enabled, you can:
- Set the restart mode of the laser of an optical module through a command.
- Set the ALS pulse interval and width of the laser of an optical module through commands.
- View the ALS configuration on interfaces of different optical modules through commands.

Pre-configuration Tasks
Before configuring ALS, complete the following task:
Ensure that the AC6605 has an optical module.

Data Preparation
To configure ALS, you need the following data:
- ALS pulse interval of the laser
- ALS pulse width of the laser

Enabling ALS on an Interface


The ALS configuration takes effect only after ALS is enabled on an interface.

Context
The constraints on ALS are as follows:
- Only optical interfaces support ALS. Electrical interfaces do not support ALS.
- When optical interfaces transmit services unidirectionally, they do not support ALS.
- The hardware must provide support for the software to detect the LOS on an optical
interface and control the laser on an interface.
- The link aggregation group does not support ALS.

Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
interface interface-type interface-number
The interface view is displayed.
Step 3 Run:
als enable
ALS is enabled on the interface.
By default, ALS is disabled on an interface.
----End

(Optional) Setting the Restart Mode of the Laser


The laser can work in automatic restart mode or manual restart mode. By default, the laser works
in automatic restart mode.

Prerequisites
ALS is enabled on the interface.

Context
If the laser of an optical module works in automatic restart mode, the laser restarts automatically
at each ALS pulse interval and sends one pulse. If the laser works in manual restart mode, it stays
off after an LOS until you start it manually with the als restart command; it then sends one pulse.
Use manual restart mode when fiber link recovery can be detected promptly, for example by the
personnel repairing the fiber, so that the laser can be made to send a pulse immediately and data
communication is recovered without waiting for the next automatic pulse.
By default, the laser works in automatic restart mode after ALS is enabled on an interface.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
interface interface-type interface-number

The interface view is displayed.


Step 3 Run:
als restart mode manual

The restart mode of the laser is set to manual.


The ALS pulse width of the interface in manual restart mode is the same as that in automatic
restart mode.
----End

(Optional) Starting the Laser Manually


When the laser works in manual restart mode, you need to start the laser manually so that the
laser sends one pulse.

Prerequisites
The interface is enabled with ALS and works in manual restart mode.

Context
When an interface detects the LOS, the laser of the optical module stops sending pulses. If the
als restart command is not used, the laser will not be restarted. If the interface still detects the
LOS after the laser is started manually, the laser is stopped again. If the interface detects that
the LOS is cleared, the laser of an optical module sends pulses and data communication is
recovered.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
interface interface-type interface-number

The interface view is displayed.


Step 3 Run:
als restart

The laser of an optical module is started manually. Then the laser sends a pulse.
----End

(Optional) Setting the ALS Pulse Interval and Width of the Laser
You can set a proper laser pulse interval and width to balance energy conservation and emission
reduction against timely detection of fiber link recovery.

Prerequisites
The interface is enabled with ALS and works in automatic restart mode.

Context
The ALS pulse width refers to the duration in which a laser sends pulses; the ALS pulse interval
refers to the period between rising edges of pulses. A smaller pulse width and a greater pulse
interval save more energy but reduce the speed of fiber link recovery.

Procedure
Step 1 Run:
system-view


The system view is displayed.


Step 2 Run:
interface interface-type interface-number

The interface view is displayed.


Step 3 Run:
als restart pulse-interval pulse-interval

The ALS pulse interval of the laser on the interface is set.


By default, the ALS pulse interval is 100s.
Step 4 Run:
als restart pulse-width pulse-width

The ALS pulse width of the laser on the interface is set.


By default, the ALS pulse width is 2s.
----End

Checking the Configuration


After ALS is configured, you can check the ALS configuration on a specified interface or in a specified
slot, including the ALS status, laser status, ALS restart mode, and ALS pulse interval and width.

Prerequisites
The ALS configurations are complete on the AC6605.

Procedure
- Run the display als configuration slot slot-id command to view the ALS configurations
of the interfaces in the specified slot.
- Run the display als configuration interface interface-type interface-number command to
check the ALS configuration on the specified interface.
----End

2.7.4 Configuration Examples


This section provides a configuration example of ALS.

Example for Configuring ALS


Through the ALS function, a laser can automatically stop sending pulses when a link is faulty
and recover pulse transmission after the link is recovered.

Networking Requirements
As shown in Figure 2-18, the LPUs that support ALS are installed in slot 1 of Switch A and
Switch B, GE 0/0/1 of Switch A and Switch B are connected through a fiber.
When data transmission is interrupted by faults occurred on the fiber link, if the laser of the
optical module sends pulses continuously, the energy is wasted and potential risks are caused.
After ALS is enabled on both interfaces of the fiber link, the laser stops sending pulses if a fault
occurs on the fiber link. If the faulty link is recovered, the laser starts to send pulses.
Figure 2-18 ALS application (GE0/0/1 of Switch A is connected to GE0/0/1 of Switch B through
a fiber)

Configuration Roadmap
The configuration roadmap is as follows:
1. Enable ALS on GE 0/0/1 on Switch A and Switch B.
2. Configure the lasers of GE 0/0/1 on Switch A and Switch B to work in automatic restart mode.
3. Set the ALS pulse intervals and widths of the lasers of GE 0/0/1 on Switch A and Switch B.

Data Preparation
To complete the configuration, you need the following data:
- ALS pulse interval and width of the laser of the optical module on GE 0/0/1 of Switch A
- ALS pulse interval and width of the laser of the optical module on GE 0/0/1 of Switch B

Procedure
Step 1 Enable ALS on GE 0/0/1 of Switch A, configure the laser of the interface to work in automatic
restart mode, and set the ALS pulse interval and width to 200s and 3s.
# Enable ALS.
<SwitchA> system-view
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] als enable

# Configure the laser to work in automatic restart mode, and set the ALS pulse interval and width
of the laser.
[SwitchA-GigabitEthernet0/0/1] undo als restart mode manual
[SwitchA-GigabitEthernet0/0/1] als restart pulse-interval 200
[SwitchA-GigabitEthernet0/0/1] als restart pulse-width 3

Step 2 Enable ALS on GE 0/0/1 of Switch B, configure the laser of the interface to work in automatic
restart mode, and set the ALS pulse interval and width to 200s and 3s.
# Enable ALS.
<SwitchB> system-view
[SwitchB] interface gigabitethernet 0/0/1
[SwitchB-GigabitEthernet0/0/1] als enable

# Configure the laser to work in automatic restart mode, and set the ALS pulse interval and width
of the laser.
[SwitchB-GigabitEthernet0/0/1] undo als restart mode manual
[SwitchB-GigabitEthernet0/0/1] als restart pulse-interval 200
[SwitchB-GigabitEthernet0/0/1] als restart pulse-width 3

Step 3 Verify the configuration.
# Run the display als configuration interface interface-type interface-number command on
Switch A and Switch B to view the ALS configuration.
<SwitchA> display als configuration interface gigabitethernet0/0/1
-------------------------------------------------------------------------------
Interface             ALS      Laser    Restart   Interval(s)  Width(s)
                      Status   Status   Mode
-------------------------------------------------------------------------------
GigabitEthernet0/0/1  Enable   Off      Auto      200          3
-------------------------------------------------------------------------------
<SwitchB> display als configuration interface gigabitethernet0/0/1
-------------------------------------------------------------------------------
Interface             ALS      Laser    Restart   Interval(s)  Width(s)
                      Status   Status   Mode
-------------------------------------------------------------------------------
GigabitEthernet0/0/1  Enable   Off      Auto      200          3
-------------------------------------------------------------------------------

----End

Configuration Files
Configuration file of Switch A
#
sysname SwitchA
#
interface GigabitEthernet0/0/1
als enable
als restart pulse-interval 200
als restart pulse-width 3
#
return

Configuration file of Switch B


#
sysname SwitchB
#
interface GigabitEthernet0/0/1
als enable
als restart pulse-interval 200
als restart pulse-width 3
#
return
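The following script is an added example and is not part of the Huawei guide. It parses captured output of the display als configuration interface command in the table format shown in the example above, with the column headings split over two lines, and compares the ALS status, restart mode, pulse interval, and pulse width on the two ends of a fiber link, since the two ends are expected to be configured alike and a peer left in manual restart mode will not bring the link up until someone runs als restart. The captured outputs, including the mismatching one and the value "Manual" it shows in the Restart Mode column, are constructed for illustration.

```python
"""Check that both ends of a fiber link have matching ALS settings.

Added example, not Huawei code. It parses captured output of the
display als configuration interface command (the table format shown in
the example above, with the column headings split over two lines) and
compares the ALS status, restart mode, pulse interval and pulse width on
the two ends of a link. The captured outputs are constructed from the
example; the "Manual" restart-mode value in the mismatch sample is assumed.
"""

# Captured from Switch A in the example (constructed).
SWITCH_A_OUTPUT = """\
-------------------------------------------------------------------------------
Interface             ALS      Laser    Restart   Interval(s)  Width(s)
                      Status   Status   Mode
-------------------------------------------------------------------------------
GigabitEthernet0/0/1  Enable   Off      Auto      200          3
-------------------------------------------------------------------------------
"""

# Switch B configured identically, as in the example (constructed).
SWITCH_B_OUTPUT = SWITCH_A_OUTPUT

# Constructed mismatch: Switch B left in manual restart mode with the default
# 100 s pulse interval and 2 s pulse width.
SWITCH_B_MISMATCH = """\
-------------------------------------------------------------------------------
Interface             ALS      Laser    Restart   Interval(s)  Width(s)
                      Status   Status   Mode
-------------------------------------------------------------------------------
GigabitEthernet0/0/1  Enable   Off      Manual    100          2
-------------------------------------------------------------------------------
"""

FIELDS = ("interface", "als_status", "laser_status", "restart_mode",
          "interval_s", "width_s")
# Laser status is transient (Off while the link is down), so it is not compared.
COMPARED = ("als_status", "restart_mode", "interval_s", "width_s")


def parse_als(output):
    """Return {interface: {field: value}} from display als configuration output."""
    entries = {}
    for line in output.splitlines():
        parts = line.split()
        # Data rows have six columns, start with an interface name, and carry
        # numeric interval and width; heading and separator lines do not.
        if (len(parts) == 6 and "Ethernet" in parts[0]
                and parts[4].isdigit() and parts[5].isdigit()):
            entry = dict(zip(FIELDS, parts))
            entry["interval_s"] = int(entry["interval_s"])
            entry["width_s"] = int(entry["width_s"])
            entries[entry["interface"]] = entry
    return entries


def check_link(local_output, local_if, peer_output, peer_if):
    """List the ALS parameters on which the two ends of a link differ."""
    local = parse_als(local_output).get(local_if)
    peer = parse_als(peer_output).get(peer_if)
    if local is None or peer is None:
        return ["interface missing from the captured output"]
    return [f"{field}: local={local[field]} peer={peer[field]}"
            for field in COMPARED if local[field] != peer[field]]


if __name__ == "__main__":
    for label, peer in (("matching", SWITCH_B_OUTPUT),
                        ("mismatch", SWITCH_B_MISMATCH)):
        problems = check_link(SWITCH_A_OUTPUT, "GigabitEthernet0/0/1",
                              peer, "GigabitEthernet0/0/1")
        print(label, "->", problems or "ALS settings agree on both ends")
```

Feed the script the output captured from each switch over its management session; it deliberately ignores the Laser Status column, which reads Off on both ends while the link is down and so says nothing about whether the configuration is consistent.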

2.8 Restarting and Resetting


This chapter introduces the basics of the BootROM software and the Versatile Routing Platform
(VRP) system software, and describes how to restart the AC6605.

2.8.1 Introduction
This section introduces the required knowledge in restarting and resetting the AC6605.

Process of Starting the AC6605


The software of the AC6605 consists of the BootROM and the VRP. After the AC6605 is
powered on, the BootROM and the VRP start the system in turn as shown in Figure 2-19.
Figure 2-19 Process of starting the AC6605
Start -> BootROM starts -> Press Ctrl+B?
  Yes: enter the BootROM menu, upgrade the VRP, quit the BootROM menu, then the VRP starts.
  No: the VRP starts.
VRP starts -> enter the command line interface -> End
The advanced BootROM starts the VRP.

Process of Starting the BootROM


NOTE

To check the BootROM startup process, you need to connect the Console port of the switch to a terminal
by using a serial cable.

The BootROM compares the current configuration with the configuration file. If they are the
same, the BootROM asks you whether to reboot the system. The message is as follows:
Info: The system is now comparing the configuration, please wait.
System will reboot! Continue?[Y/N]:y
BIOS LOADING ...
Copyright (c) 2008-2010 HUAWEI TECH CO., LTD.
CX22EFFE (Ver124, Jun 9 2010, 17:41:46)
Press Ctrl+B to enter BOOTROM menu ... 0

Press Ctrl+B within 2 seconds. The system prompts you to enter the password of the advanced
BootROM menu as follows:
The default password is Admin@huawei.com.
NOTE
This password can be reset to Admin@huawei.com using the reset boot password command in the system
view. After resetting the password, restart the device. When the system displays the message "Press Enter
to get started:", wait for 3 seconds and then press Enter to make the reset password take effect.
Anyone who can connect a terminal to the Console port while the device boots and who knows this
password can use the menu below to load a different VRP, change the BootROM password (option 6), or
clear the console user password (option 7). Change the default BootROM password and restrict physical
access to the Console port.
password:
BOOTROM MENU
1. Boot with default mode
2. Enter serial submenu
3. Enter startup submenu
4. Enter ethernet submenu
5. Enter filesystem submenu
6. Modify BOOTROM password
7. Clear password for console user
8. Reboot
Enter your choice(1-8):

In the advanced BootROM menu, you can choose to upgrade the VRP or specify the VRP version
to be loaded when the AC6605 is started.
The BootROM initializes the serial interface and the console interface, decompresses the logical
files on the logical chip and the VRP, and then starts the VRP. The terminal displays information
as follows:
Decompressing Image file ... done
PPI DEV SysInit......OK
Hard system init.................OK
Begin to start the system, please waiting ......
VOS VFS init.....................OK
VOS monitor init.................OK
CFM init advance.................OK
PAT init ........................OK
VOS VFS init hind ...............OK
VRP_Root begin...
VRP_InitializeTask begin...
Init the Device Link.............OK
CFG_PlaneInit begin..............OK
CFM_Init begin...................OK
CLI_CmdInit begin................OK
VRP_RegestAllLINKCmd begin.......OK
create task begin................
task init begin...
Recover configuration...OK!done
Press ENTER to get started.

When the terminal displays the preceding information, the VRP has started. Press Enter to enter
the command line interface (CLI).

2.8.2 Restarting the AC6605 Immediately


This section describes how to restart the AC6605 immediately.

Restarting the AC6605 Immediately Through Command Lines


Context

CAUTION
The reboot [ fast ] command can paralyze the network for a while. Therefore, run the reboot
command with caution.
Before restarting the AC6605, check whether to save the configuration file and whether the file
contents are correct. For details on saving the configuration file, refer to the AC6605 Access
Controller Configuration Guide - Basic Configuration.

Procedure
Step 1 Run:
reboot

The AC6605 is restarted immediately.


----End

Restarting the AC6605 by Pressing the Power Button on the AC6605


Context

CAUTION
The action can paralyze the network for a while. Therefore, perform this action with caution.
Before restarting the AC6605, check whether to save the configuration file and whether the
startup file contents are correct. For details on saving the configuration file, see the AC6605
Access Controller Configuration Guide - Basic Configuration.

Procedure
Step 1 Press the power button on the AC6605 to power off the running AC6605.
Step 2 Press the power button on the AC6605 again to restart the AC6605.
----End

2.8.3 Restarting the AC6605 at a Fixed Time


This section describes how to restart the AC6605 at a fixed time.

Procedure
Step 1 Run:
schedule reboot { at time | delay interval [ force ] }

The function of restarting the AC6605 at a fixed time is enabled.



By default, no scheduled restart is configured on the AC6605.
----End

3 Configuration Guide - Ethernet

About This Chapter


This document describes the configuration of Ethernet services, including Ethernet interfaces,
link aggregation, VLANs, GVRP, MAC address table, STP/RSTP, MSTP.
The document provides the configuration procedures and configuration examples to illustrate
the service configuration methods and application scenario.
3.1 Ethernet Interface Configuration
This chapter describes the basic knowledge, methods, and examples for configuring the Ethernet
interface.
3.2 Link Aggregation Configuration
This chapter describes the concepts, configuration procedures, and configuration examples of
link aggregation.
3.3 VLAN Configuration
Virtual Local Area Networks (VLANs) have advantages of broadcast domain isolation, security
enhancement, flexible networking, and good extensibility.
3.4 GVRP Configuration
This chapter describes basic GVRP concepts, GVRP configuration procedures, and concludes
with a GVRP configuration example.
3.5 MAC Address Table Configuration
This chapter provides the basics for MAC address table configuration, configuration procedure,
and configuration examples.
3.6 STP/RSTP Configuration
The Spanning Tree Protocol (STP) trims a ring network into a loop-free tree network. It prevents
replication and circular propagation of packets, provides multiple redundant paths for virtual
LAN (VLAN) data traffic, and enables load balancing. The Rapid Spanning Tree Protocol
(RSTP) was developed based on STP to implement faster convergence. RSTP defines edge ports
and provides protection functions.
3.7 MSTP Configuration
The Multiple Spanning Tree Protocol (MSTP) trims a ring network into a loop-free tree network.
It prevents replication and circular propagation of packets, provides multiple redundant paths
for Virtual LAN (VLAN) data traffic, and enables load balancing.
3.8 VoIP Access Configuration

3.1 Ethernet Interface Configuration


This chapter describes the basic knowledge, methods, and examples for configuring the Ethernet
interface.

3.1.1 Introduction to Ethernet Interfaces


This section describes the types and attributes of Ethernet interfaces.
Ethernet is an important local area network (LAN) networking technology because it is flexible,
simple, and easy to implement.
Ethernet interfaces are classified into Ethernet electrical interfaces and optical interfaces.
Table 3-1 shows the attributes of Ethernet electrical interfaces and optical interfaces.
Table 3-1 Attributes of Ethernet interfaces
Interface Type                 Rate (Mbit/s)  Auto-negotiation            Non-negotiation
                                              Full Duplex   Half Duplex   Full Duplex   Half Duplex
Ethernet electrical interface  10             Yes           Yes           Yes           Yes
                               100            Yes           Yes           Yes           Yes
                               1000           Yes           No            Yes           No
Ethernet optical interface     100            No            No            Yes           No
                               1000           Yes           No            Yes           No

If the local interface works in auto-negotiation mode, the peer interface must also work in auto-negotiation mode; otherwise, packet loss occurs.

3.1.2 Ethernet Interface Features Supported by the AC6605


The AC6605 supports the following features that you can configure for Ethernet interfaces: port
grouping, auto-negotiation, and port isolation.

Port Group
A port group allows you to configure multiple interfaces at the same time. After you run a
command in the port group view, the configuration applies to all the interfaces in the group.

Auto-Negotiation
The auto-negotiation function allows interfaces on both ends of a link to select the same operating
parameters. Each interface sends its capability information to the remote end and checks the
capabilities of the remote end. After both interfaces receive capability information from each
other, they adopt the highest capability they both support to communicate with each other.
The interfaces negotiate the duplex mode, speed, and flow control parameters. After a successful
negotiation, the interfaces use the same duplex mode, speed, and flow control parameters.

Port Isolation
The port isolation function isolates Layer 2 and Layer 3 communication between ports in the
same VLAN. This function restricts packet transmission between ports flexibly, to provide a
secure and flexible network solution.

3.1.3 Configuring Basic Attributes of an Ethernet Interface


This section describes how to configure the description, cable type, duplex mode, rate, and auto-negotiation
for an Ethernet interface. The section also explains how to change the interface type
(optical or electrical) of combo interfaces.

Establishing the Configuration Task


Applicable Environment
The task to configure basic attributes includes setting the following parameters:
- Interface description. You can configure interface descriptions to facilitate interface
identification, maintenance, and configuration.
- Cable type. By default, a fast Ethernet (FE) electrical interface automatically identifies the
network cable type. If the interface cannot identify the cable type, set the cable type for the
interface.
- Duplex mode. By default, an FE electrical interface negotiates the duplex mode and rate
with the equipment that is directly connected to the interface. If the connected device does
not have auto-negotiation capability, set the duplex mode and rate for the FE interface so
that the interface can communicate with the connected device.

Pre-configuration Tasks
None.

Data Preparation
To configure the basic attributes of an Ethernet interface, you need the following data:
- Number of the Ethernet interface
- (Optional) Description of the interface
- (Optional) Cable type of the Ethernet electrical interface
- (Optional) Duplex mode of the Ethernet electrical interface
- (Optional) Rate of the Ethernet interface

(Optional) Configuring an Interface Description


Context
Perform the following steps on the Switch to configure the description of an interface.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
interface interface-type interface-number

The interface view is displayed.


Step 3 Run:
description description

A description is configured for the interface.


By default, an interface has no description.
----End

(Optional) Configuring the Cable Type on an Interface


Context
Perform the following steps on the Switch to configure the cable type on an interface.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
interface interface-type interface-number

The Ethernet electrical interface view is displayed.


Step 3 Run:
mdi { across | auto | normal }

The cable type is configured for the Ethernet electrical interface.


By default, an Ethernet electrical interface automatically identifies the cable type. Use this
command when the actual cable type does not match the cable type supported by the interface.
An electrical interface can use a crossover cable or a straight-through cable. If across is specified,
the interface can only use a crossover cable. If normal is specified, the interface can only use a
straight-through cable. If auto is specified, the interface can use either a straight-through cable
or a crossover cable.
----End

(Optional) Setting the Duplex Mode


Context
Perform the following steps on the Switch to set the duplex mode for an Ethernet interface.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
interface interface-type interface-number

The Ethernet electrical interface view is displayed.


Step 3 Run:
undo negotiation auto

Auto-negotiation is disabled on the Ethernet electrical interface.


Step 4 Run:
duplex { full | half }

The duplex mode is set for the Ethernet electrical interface.


By default, an Ethernet electrical interface works in full-duplex mode when auto-negotiation is
disabled on the interface.
----End

(Optional) Setting the Interface Rate


Context
Perform the following steps on the Switch to set the interface rate.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
interface interface-type interface-number

The interface view is displayed.


Step 3 Run:
undo negotiation auto

Auto-negotiation is disabled on the interface.


Step 4 Run:
speed { 10 | 100 | 1000 }

The interface rate is set.


By default, an Ethernet interface works at its maximum rate when auto-negotiation is disabled
on the interface.
----End

(Optional) Enabling Auto-Negotiation


Context
Perform the following steps on the Switch to enable auto-negotiation on an Ethernet interface.
The local interface and remote interface must work in the same mode, that is, both or neither
work in auto-negotiation mode.
NOTE

l 100M optical interfaces do not support auto-negotiation.
l 1000M optical interfaces do not support rate negotiation.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
interface interface-type interface-number

The interface view is displayed.


Step 3 Run:
negotiation auto

Auto-negotiation is enabled on the interface.


By default, an interface works in auto-negotiation mode.
----End

(Optional) Switching Between Optical and Electrical Interfaces


Context
Perform the following steps on the Switch to change the combo interface type.
Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
interface gigabitethernet interface-number

The GigabitEthernet interface view is displayed.


Step 3 Run:
combo-port { auto | copper | fiber }

The interface is changed to an optical interface or an electrical interface.


By default, a combo interface automatically selects the working mode according to the
transmission media.
----End

Checking the Configuration


Procedure
Step 1 Run the display interface [ interface-type [ interface-number ] ] command to check the
description, duplex mode, and rate of an Ethernet interface.
----End

3.1.4 Configuring Advanced Attributes of an Ethernet Interface


This section describes how to configure the advanced attributes of an Ethernet interface,
including the loopback function, port group, maximum frame size, flow control, flow control auto-negotiation, cable test, loopback test, and port isolation.

Establishing the Configuration Task


Applicable Environment
Advanced attributes of an Ethernet interface include:
l Port group. The AC6605 provides the interface group function, which enables you to
configure multiple interfaces at the same time.
l Flow control. If the rate of traffic received on an interface is likely to exceed the interface
processing capability, and the directly connected interface supports flow control, enable
flow control on the local interface. When the rate of received traffic reaches the threshold,
the interface sends a Pause frame (in full duplex mode) or a back pressure signal (in half
duplex mode) to notify the remote interface. If the remote interface supports flow control,
it sends traffic at a lower rate so that the local interface can process received traffic.
l Port isolation. The port isolation function prevents interfaces in the same VLAN from
communicating with each other. Interfaces with port isolation enabled cannot communicate

with each other. This function provides secure and flexible networking solutions for
customers.

Pre-configuration Tasks
None.

Data Preparation
To configure the advanced functions of an Ethernet interface, you need the following data.
No.  Data
1    Interface number
2    (Optional) Maximum frame length allowed on the interface

(Optional) Configuring the Loopback Function


Context
Perform the following steps on the Switch to configure the loopback function on an Ethernet
interface.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
interface interface-type interface-number

The interface view is displayed.


Step 3 Run:
loopback internal

The loopback function is configured on the Ethernet interface.


By default, the loopback function is disabled on an Ethernet interface.
----End

(Optional) Configuring a Port Group


Context
Perform the following steps on the Switch to configure a port group.
Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
port-group port-group-name

The port group view is displayed.


Step 3 Run:
group-member interface-type interface-number

An Ethernet interface is added to the port group.


----End

(Optional) Setting the Maximum Frame Length


Context
Perform the following steps on the Switch to set the maximum frame length on an Ethernet
interface.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
interface interface-type interface-number

The Ethernet interface view is displayed.


Step 3 Run:
jumboframe enable [ value ]

The maximum frame length is set on the Ethernet interface.


By default, the maximum frame length allowed by an interface of the AC6605 is 9216 bytes.
----End

(Optional) Enabling Flow Control


Context
To implement flow control, you must enable this function on both the local interface and peer
interface. Perform the following steps on the Switch to enable flow control.
NOTE

On a double-chip device, flow control cannot be performed between ports that use different chips.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
interface interface-type interface-number

The interface view is displayed.


Step 3 Run:
flow-control

Flow control is enabled on the interface.


By default, flow control is disabled on an Ethernet interface.
----End

(Optional) Enabling Auto-Negotiation of Flow Control


Context
Perform the following steps on the Switch to configure auto-negotiation of flow control.
GE interfaces support auto-negotiation of flow control, but FE interfaces do not.
NOTE

On a double-chip device, auto-negotiation of flow control cannot be performed between the ports using different
chips.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
interface gigabitethernet interface-number

The GE interface view is displayed.


Step 3 Run:
flow-control negotiation

Auto-negotiation of flow control is enabled on the GE interface.


By default, auto-negotiation of flow control is disabled on a GE interface.
You must also configure auto-negotiation of flow control on the peer interface.
----End

(Optional) Enabling Port Isolation


Context
Perform the following steps on the Switch to enable port isolation.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
port-isolate mode { l2 | all }

The port isolation mode is set.


By default, ports are isolated on Layer 2 but can communicate on Layer 3.
Step 3 Run:
interface interface-type interface-number

The Ethernet interface view is displayed.


Step 4 (Optional) Run:
am isolate interface-type interface-number [ to interface-number ]

The Ethernet interface is unidirectionally isolated from the specified interface.


NOTE

After interface A is unidirectionally isolated from interface B, packets sent by interface A cannot reach
interface B, whereas packets sent from interface B can reach interface A.

Step 5 Run:
port-isolate enable [ group group-id ]

Port isolation is enabled.


NOTE

Interfaces in a port isolation group are isolated from each other, and interfaces in different port isolation
groups can communicate with each other. If group-id is not specified, an interface is added to port isolation
group 1.

----End

(Optional) Performing a Cable Test


Context
A cable test detects faults on the cable connected to an interface. If the cable is working properly,
the test result displays the total length of the cable. If the cable cannot work properly, the test
result displays the distance between the interface and the failure point.

NOTE

l Before performing a cable test, shut down the remote interface or remove the network cable from the
remote interface. Otherwise, signals from the remote interface may make the test result inaccurate.
l Running the virtual-cable-test command affects services on the interface for a short period of time.
l Combo electrical interfaces support cable tests.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
interface interface-type interface-number

The interface view is displayed.


Step 3 Run:
virtual-cable-test

A cable test is performed on the interface.


NOTE

The test result is for reference only.

----End

(Optional) Configuring a Loopback Test on an Interface


Context
Perform the following steps on the AC6605 where a loopback test needs to be performed.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
interface interface-type interface-number

The interface view is displayed.


Step 3 Run:
loopbacktest internal

A loopback test is configured on the interface.


By default, no loopback test is configured on an interface.
----End
Checking the Configuration


Procedure
l Run the display port-group [ all | port-group-name ] command to check information about
a port group.
l Run the display interface [ interface-type [ interface-number ] ] command to check the
auto-negotiation capability on an Ethernet interface.
l Run the display virtual-cable-test interface-type interface-number command to check the
cable test result on an Ethernet interface.

----End

3.1.5 Maintaining Ethernet Interfaces


This section describes how to maintain Ethernet interfaces.

Debugging Ethernet Interfaces


Context

CAUTION
Debugging affects the performance of the system. Therefore, run the undo debugging all
command to disable debugging immediately after the debugging is complete.
When an Ethernet interface or Eth-Trunk fault occurs, run the following debugging command
in the user view to locate the fault.

Procedure
Step 1 Run the debugging l2if [ error | event | msg | updown ] command to enable the debugging of
link layer features.
----End

3.1.6 Configuration Examples


This section provides a configuration example of port isolation.

Example for Configuring Port Isolation


Networking Requirements
As shown in Figure 3-1, it is required that PC1 and PC2 cannot communicate with each other,
but they can communicate with PC3.
Figure 3-1 Networking diagram for port isolation configuration (the Switch connects PC1, PC2 and PC3, with addresses 10.10.10.1/24, 10.10.10.2/24 and 10.10.10.3/24, through GE 0/0/1, GE 0/0/2 and GE 0/0/3)

Configuration Roadmap
The configuration roadmap is as follows:
1. Enable port isolation on the ports connected to PC1 and PC2 respectively to prevent PC1
and PC2 from communicating with each other.

Data Preparation
To complete the configuration, you need the following data:
l Number of the port connected to PC1
l Number of the port connected to PC2
l Port isolation mode: Layer 2 isolation and Layer 3 communication (default configuration)
l ID of the VLAN to which the ports connected to PC1, PC2, and PC3 belong (VLAN 1 by
default)
l Port isolation group to which the ports connected to PC1 and PC2 belong (group 1 by
default)

Procedure
Step 1 Enable port isolation.
# Isolate ports on Layer 2 and allow them to communicate on Layer 3.
<Quidway> system-view
[Quidway] port-isolate mode l2

# Enable port isolation on GigabitEthernet 0/0/1.


<Quidway> system-view
[Quidway] interface gigabitethernet 0/0/1
[Quidway-GigabitEthernet0/0/1] port-isolate enable
[Quidway-GigabitEthernet0/0/1] quit

# Enable port isolation on GigabitEthernet 0/0/2.


<Quidway> system-view
[Quidway] interface gigabitethernet 0/0/2

[Quidway-GigabitEthernet0/0/2] port-isolate enable
[Quidway-GigabitEthernet0/0/2] quit

Step 2 Verify the configuration.


PC1 and PC2 cannot ping each other.
PC1 and PC3 can ping each other.
PC2 and PC3 can ping each other.
----End

Configuration Files
Configuration file of the Switch
#
sysname Quidway
#
interface GigabitEthernet0/0/1
port-isolate enable group 1
#
interface GigabitEthernet0/0/2
port-isolate enable group 1
#
interface GigabitEthernet0/0/3
#
return
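A small model of the isolation rules this example and the port isolation procedure above describe, added here as an example (it is not Huawei code): port-isolate mode l2 versus all, isolation groups with group 1 as the default, and unidirectional am isolate. The interface names and the PC-to-port mapping come from the example; the forwarding decision is my reading of the text, not the switch's implementation, and the VLAN check is an assumption about ordinary Layer 2 behaviour.

```python
from dataclasses import dataclass, field
from typing import Dict, Set, Tuple


@dataclass
class PortIsolation:
    """Forwarding decision model for the port isolation rules described above (assumed behaviour)."""
    mode: str = "l2"                                            # port-isolate mode { l2 | all }
    groups: Dict[str, int] = field(default_factory=dict)        # port -> isolation group
    one_way: Set[Tuple[str, str]] = field(default_factory=set)  # (src, dst): src cannot reach dst
    vlan: Dict[str, int] = field(default_factory=dict)          # port -> VLAN, VLAN 1 if absent

    def port_isolate_enable(self, port: str, group: int = 1) -> None:
        """port-isolate enable [ group group-id ]: the port joins group 1 if no group is given."""
        self.groups[port] = group

    def am_isolate(self, port: str, *targets: str) -> None:
        """am isolate: 'port' is unidirectionally isolated from each target interface."""
        for target in targets:
            self.one_way.add((port, target))

    def can_forward(self, src: str, dst: str, layer: int = 2) -> bool:
        """True if traffic entering 'src' may leave through 'dst' at the given layer (2 or 3)."""
        if src == dst:
            return False
        # Layer 2 forwarding never crosses VLANs; that is VLAN behaviour, not isolation (assumption).
        if layer == 2 and self.vlan.get(src, 1) != self.vlan.get(dst, 1):
            return False
        # Unidirectional isolation blocks only the configured direction (assumed layer-independent).
        if (src, dst) in self.one_way:
            return False
        same_group = src in self.groups and self.groups.get(src) == self.groups.get(dst)
        if same_group:
            # mode l2: isolated on Layer 2 only; mode all: isolated on Layer 2 and Layer 3
            return layer == 3 and self.mode == "l2"
        return True


def example_from_figure_3_1() -> PortIsolation:
    """Reproduce the example configuration: GE0/0/1 and GE0/0/2 isolated in group 1, GE0/0/3 not."""
    sw = PortIsolation(mode="l2")
    sw.port_isolate_enable("GigabitEthernet0/0/1")  # port connected to PC1
    sw.port_isolate_enable("GigabitEthernet0/0/2")  # port connected to PC2
    return sw


def reachability(sw: PortIsolation, ports, layer: int = 2) -> Dict[Tuple[str, str], bool]:
    """Which port pairs can exchange traffic in both directions at the given layer."""
    return {(a, b): sw.can_forward(a, b, layer) and sw.can_forward(b, a, layer)
            for a in ports for b in ports if a < b}


if __name__ == "__main__":
    switch = example_from_figure_3_1()
    ports = ["GigabitEthernet0/0/1", "GigabitEthernet0/0/2", "GigabitEthernet0/0/3"]
    for pair, ok in reachability(switch, ports).items():
        print(pair, "can communicate" if ok else "isolated")
```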

3.2 Link Aggregation Configuration


This chapter describes the concepts, configuration procedures, and configuration examples of
link aggregation.

3.2.1 Introduction to Link Aggregation


This section describes the definition and function of link aggregation.
Link aggregation is a method of bundling a group of physical interfaces into a logical interface
to increase link bandwidth. The bundle is also called a load sharing group or link aggregation group. For
details, refer to IEEE 802.3ad.
By setting up a link aggregation group between two devices, you can obtain higher bandwidth
and reliability. Link aggregation provides redundancy protection without the need for upgrading
the hardware.

3.2.2 Link Aggregation Supported by the AC6605


The AC6605 supports link aggregation in manual load balancing mode and static Link
Aggregation Control Protocol (LACP) mode.

Manual Load Balancing Mode


In load balancing mode, you can add member interfaces to the link aggregation group. All the
interfaces in the link aggregation group are in forwarding state. The AC6605 can perform load
balancing based on destination MAC addresses, source MAC addresses, source MAC address
Exclusive-Or destination MAC address, source IP addresses, destination IP addresses, and source
IP address Exclusive-Or destination IP address.
In manual load balancing mode, you must create an Eth-Trunk interface and add member
interfaces to the Eth-Trunk. The Link Aggregation Control Protocol (LACP) is not used in this
mode.
The manual load balancing mode is usually used when the peer device does not support LACP.

Static LACP Mode


In static LACP mode, two devices exchange LACP packets to negotiate aggregation parameters
and determine the active interfaces and inactive interfaces. In this mode, you must create an Eth-Trunk
interface and add member interfaces to the Eth-Trunk interface. The active interfaces and
inactive interfaces are determined by LACP negotiation.
The static LACP mode is also called the M:N mode, where links implement load balancing and
redundancy at the same time. In a link aggregation group, M links are active and load balance
data traffic. N links are inactive and function as backup links. When an active link fails, the
backup link with the highest priority replaces the failed link to forward data and its status changes
to active.
In static LACP mode, some links function as backup links. In manual load balancing mode, all
member interfaces work in forwarding state to share the traffic. This is the main difference
between the two modes.

Active Interface and Inactive Interface


Active interfaces are the interfaces that are responsible for forwarding data. The interfaces that
do not forward data are called inactive interfaces. Active and inactive interfaces are classified
according to the operation modes, as follows:
l Manual load balancing mode: All member interfaces are active interfaces unless a fault
occurs.
l Static LACP mode: The interfaces connected to M links are active interfaces responsible
for forwarding data. The interfaces connected to N links are inactive interfaces used for
redundancy backup.

Actor and Partner


In static LACP mode, the device in the link aggregation group with a higher LACP priority is
the Actor, and the device with a lower LACP priority is the Partner.
If the two devices have the same LACP priority, the Actor is selected based on the MAC
addresses of the devices. The device with a smaller MAC address becomes the Actor.
Differentiating the Actor and the Partner keeps the active interfaces at both ends consistent. If
each device selected active interfaces according to the priorities of its own interfaces, the two
ends might select different numbers of active interfaces, or different links, and the active links could not be set up.
Therefore, the Actor is determined first. The Partner selects active interfaces according to the
interface priorities on the Actor. Figure 3-2 shows the process to select active interfaces.

Figure 3-2 Determining active links in static LACP mode (SwitchA, the device with the higher priority, is the Actor and determines the active link; SwitchB, the device with the lower priority, follows the active interfaces selected by SwitchA rather than those it would select itself)
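The Actor and Partner rules above, worked through in Python as an added example (not Huawei code): SwitchA, SwitchB, their LACP priorities, MAC addresses and the interface priorities of the three links are constructed values, and I assume, as in IEEE 802.3ad, that a numerically smaller priority value is the higher priority. The last function shows the problem the text describes, namely the two ends disagreeing when each ranks links by its own interface priorities.

```python
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Device:
    name: str
    lacp_priority: int  # LACP system priority; assumption: a smaller value is a higher priority
    mac: str


@dataclass(frozen=True)
class Link:
    """One physical link; each end has its own interface priority (smaller = preferred, assumption)."""
    a_port: str
    a_prio: int
    b_port: str
    b_prio: int


def _mac_int(mac: str) -> int:
    return int(mac.replace("-", "").replace(":", ""), 16)


def choose_actor(a: Device, b: Device) -> Device:
    """The device with the higher LACP priority is the Actor; on a tie, the smaller MAC address wins."""
    if a.lacp_priority != b.lacp_priority:
        return a if a.lacp_priority < b.lacp_priority else b
    return a if _mac_int(a.mac) < _mac_int(b.mac) else b


def rank_links(links: List[Link], by_a_side: bool) -> List[Link]:
    """Order links by one side's interface priorities (port name breaks ties)."""
    key = (lambda l: (l.a_prio, l.a_port)) if by_a_side else (lambda l: (l.b_prio, l.b_port))
    return sorted(links, key=key)


def select_active(a: Device, b: Device, links: List[Link], m: int) -> Tuple[Device, List[Link], List[Link]]:
    """M:N selection: the Actor's interface priorities decide which M links are active;
    the Partner follows that choice. Returns (actor, active links, backup links)."""
    actor = choose_actor(a, b)
    ordered = rank_links(links, by_a_side=(actor is a))
    return actor, ordered[:m], ordered[m:]


def independent_selection_agrees(links: List[Link], m: int) -> bool:
    """Without an Actor, each end would rank by its own priorities; True only if both pick the same links."""
    picked_by_a = {l.a_port for l in rank_links(links, True)[:m]}
    picked_by_b = {l.a_port for l in rank_links(links, False)[:m]}
    return picked_by_a == picked_by_b


def on_link_failure(active: List[Link], backup: List[Link], failed: Link) -> Tuple[List[Link], List[Link]]:
    """When an active link fails, the highest-priority backup link (first in the ordered list) replaces it."""
    active = [l for l in active if l is not failed]
    if backup:
        active.append(backup[0])
        backup = backup[1:]
    return active, backup


# Constructed topology: SwitchA has the higher LACP priority, and the two ends rank the links differently.
SWITCH_A = Device("SwitchA", 100, "00-e0-fc-00-00-0a")
SWITCH_B = Device("SwitchB", 200, "00-e0-fc-00-00-0b")
LINKS = [
    Link("GigabitEthernet0/0/1", 100, "GigabitEthernet0/0/1", 300),
    Link("GigabitEthernet0/0/2", 200, "GigabitEthernet0/0/2", 200),
    Link("GigabitEthernet0/0/3", 300, "GigabitEthernet0/0/3", 100),
]

if __name__ == "__main__":
    actor, active, backup = select_active(SWITCH_A, SWITCH_B, LINKS, m=2)
    print("Actor:", actor.name)
    print("active:", [l.a_port for l in active], "backup:", [l.a_port for l in backup])
    print("ends would agree without an Actor:", independent_selection_agrees(LINKS, 2))
```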

3.2.3 Configuring Link Aggregation in Manual Load Balancing Mode

This section describes how to configure link aggregation in manual load balancing mode.

Establishing the Configuration Task


Applicable Environment
When you need to increase the bandwidth or reliability of two devices and one of the two devices
does not support LACP, create an Eth-Trunk interface in manual load balancing mode on the
two devices and add member interfaces to the Eth-Trunk interface.
As shown in Figure 3-3, an Eth-Trunk is established between SwitchA and SwitchB.
Figure 3-3 Link aggregation in load balancing mode (SwitchA and SwitchB are connected by an Eth-Trunk, Eth-Trunk 1 at each end)

Pre-configuration Tasks
Before configuring link aggregation in manual load balancing mode, complete the following
tasks:
l Powering on the Switch
l Creating an Eth-Trunk interface

Data Preparation
To configure link aggregation in manual load balancing mode, you need the following data.
No.  Data
1    Number of the Eth-Trunk interface in manual load balancing mode
2    Types and numbers of the member interfaces

Configuring an Eth-Trunk Interface to Work in Manual Load Balancing Mode


Context
NOTE

Before you configure the operation mode of an Eth-Trunk interface, check whether the Eth-Trunk interface
contains member interfaces. If the Eth-Trunk contains member interfaces, you cannot change the operation
mode of the Eth-Trunk interface. To delete member interfaces from the Eth-Trunk interface, run the undo
eth-trunk command in the member interface view or run the undo trunkport interface-type interface-number command in the Eth-Trunk interface view.

Perform the following steps on the Switch to configure an Eth-Trunk interface in manual load
balancing mode.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
interface eth-trunk trunk-id

The Eth-Trunk interface view is displayed.


Step 3 Run:
mode manual load-balance

The operation mode of the Eth-Trunk interface is set to load balancing.


By default, an Eth-Trunk interface works in manual load balancing mode.
If the local Eth-Trunk interface works in manual load balancing mode, the peer Eth-Trunk interface
must also work in manual load balancing mode.
----End

Adding Member Interfaces to an Eth-Trunk Interface


Context
Perform the following steps on the Switch to add member interfaces to an Eth-Trunk interface.
Procedure
l Configuration in the Eth-Trunk interface view
1. Run:
system-view

The system view is displayed.

2. Run:
interface eth-trunk trunk-id

The Eth-Trunk interface view is displayed.

3. Run:
trunkport interface-type { interface-number1 [ to interface-number2 ] } &<1-8>

Member interfaces are added to the Eth-Trunk.


NOTE

If one of the specified member interfaces cannot be added to the Eth-Trunk, interfaces following
this interface cannot be added to the Eth-Trunk.

l Configuration in the member interface view
1. Run:
system-view

The system view is displayed.

2. Run:
interface interface-type interface-number

The interface view is displayed.

3. Run:
eth-trunk trunk-id

The interface is added to the Eth-Trunk interface.


When adding an interface to an Eth-Trunk interface, pay attention to the following points:
An Eth-Trunk contains a maximum of eight member interfaces.
A member interface cannot be configured with any service or static MAC address.
When adding an interface to an Eth-Trunk interface, ensure that the interface is a hybrid
interface (default interface type).
An Eth-Trunk cannot be nested, that is, its member interfaces cannot be Eth-Trunk.
An Ethernet interface can be added to only one Eth-Trunk interface. To add the Ethernet
interface to another Eth-Trunk interface, delete it from the current Eth-Trunk first.
An Eth-Trunk interface contains member interfaces of the same type. For example, an
FE interface and a GE interface cannot be added to the same Eth-Trunk interface.
Ethernet interfaces on different LPUs can be added to the same Eth-Trunk interface.
The peer interfaces directly connected to the local Eth-Trunk member interfaces must
also be bundled into an Eth-Trunk interface; otherwise, the two ends cannot
communicate.
When the member interfaces work at different rates, the interfaces with a smaller rate
may be congested, and packets may be lost on these interfaces.
After interfaces are added to an Eth-Trunk interface, MAC addresses are learned on the
Eth-Trunk interface but not the member interfaces.
----End

(Optional) Configuring the Load Balancing Mode


Context
Perform the following steps on the Switch to configure an Eth-Trunk interface in load balancing
mode.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
interface eth-trunk trunk-id

The Eth-Trunk interface view is displayed.


Step 3 Run:
load-balance { dst-ip | dst-mac | src-ip | src-mac | src-dst-ip | src-dst-mac }

The load balancing mode is configured for the Eth-Trunk interface.


The default load balancing mode of the AC6605 is src-dst-ip.
The AC6605 supports the following load balancing modes:
l dst-ip: based on the destination IP address. In this mode, the system obtains the specified
three bits from each of the destination IP address and the TCP/UDP port number in outgoing
packets to perform the Exclusive-OR calculation, and then selects the outbound interface
from the Eth-Trunk table according to the calculation result.
l dst-mac: based on the destination MAC address. The system obtains the specified three bits
from each of the destination MAC address, VLAN ID, Ethernet type, and inbound interface
information to perform the Exclusive-OR calculation, and then selects the outbound interface
from the Eth-Trunk table according to the calculation result.
l src-ip: based on the source IP address. The system obtains the specified three bits from each
of the source IP address and the TCP or UDP port number in incoming packets to perform
the Exclusive-OR calculation, and then selects the outbound interface from the Eth-Trunk
table according to the calculation result.
l src-mac: based on the source MAC address. The system obtains the specified three bits from
each of the source MAC address, VLAN ID, Ethernet type, and inbound interface information
to perform the Exclusive-OR calculation, and then selects the outbound interface from the
Eth-Trunk table according to the calculation result.
l src-dst-ip: based on the Exclusive-OR result of the source IP address and destination IP
address. The system performs the Exclusive-OR calculation between the Exclusive-OR
results of the dip and dmac modes, and then selects the outbound interface from the Eth-Trunk table according to the calculation result.
l src-dst-mac: based on the Exclusive-OR result of the source MAC address and destination
MAC address. The system obtains three bits from each of the source MAC address,
destination MAC address, VLAN ID, Ethernet type, and inbound interface information to
perform the Exclusive-OR calculation, and then selects the outbound interface from the Eth-Trunk table according to the calculation result.
Member interfaces of an Eth-Trunk interface perform per-flow load balancing. The local end
and the remote end can use different load balancing modes. The load balancing mode on one
end does not affect load balancing on the other end.
----End
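The six load-balance modes above, modelled in Python as an added example (not Huawei code) so the per-flow behaviour can be observed on constructed traffic. Assumptions: "the specified three bits" are taken as the low three bits of each field, src-dst-ip is taken as the Exclusive-OR of the src-ip and dst-ip results, and the Eth-Trunk table lookup is the 3-bit result modulo the number of members; the real chip's bit positions and table layout are not documented on this page.

```python
import ipaddress
from typing import Dict, List, Sequence

MODES = ("dst-ip", "dst-mac", "src-ip", "src-mac", "src-dst-ip", "src-dst-mac")


def _bits3(value: int) -> int:
    """The 'specified three bits' of a field. Assumption: the low three bits."""
    return value & 0x7


def _mac(mac: str) -> int:
    return int(mac.replace(":", "").replace("-", ""), 16)


def _ip(ip: str) -> int:
    return int(ipaddress.ip_address(ip))


def trunk_hash(mode: str, pkt: Dict) -> int:
    """3-bit Exclusive-OR result from the fields each mode uses, as listed in the text."""
    if mode == "dst-ip":
        fields = [_ip(pkt["dst_ip"]), pkt["l4_port"]]
    elif mode == "src-ip":
        fields = [_ip(pkt["src_ip"]), pkt["l4_port"]]
    elif mode == "dst-mac":
        fields = [_mac(pkt["dst_mac"]), pkt["vlan"], pkt["ethertype"], pkt["in_port"]]
    elif mode == "src-mac":
        fields = [_mac(pkt["src_mac"]), pkt["vlan"], pkt["ethertype"], pkt["in_port"]]
    elif mode == "src-dst-ip":
        # Assumption: XOR of the src-ip and dst-ip results (the page's wording for this mode is unclear).
        return trunk_hash("src-ip", pkt) ^ trunk_hash("dst-ip", pkt)
    elif mode == "src-dst-mac":
        fields = [_mac(pkt["src_mac"]), _mac(pkt["dst_mac"]),
                  pkt["vlan"], pkt["ethertype"], pkt["in_port"]]
    else:
        raise ValueError(f"unknown load-balance mode {mode!r}")
    result = 0
    for f in fields:
        result ^= _bits3(f)
    return result


def select_member(mode: str, pkt: Dict, members: Sequence[str]) -> str:
    """Pick the outbound member interface from the Eth-Trunk table.
    Assumption: the 8-entry table cycles through the members, i.e. hash modulo member count."""
    if not 1 <= len(members) <= 8:
        raise ValueError("an Eth-Trunk has 1 to 8 member interfaces")
    return members[trunk_hash(mode, pkt) % len(members)]


def distribution(mode: str, packets: List[Dict], members: Sequence[str]) -> Dict[str, int]:
    """How many packets each member carries; per-flow, so identical headers always map to one member."""
    counts = {m: 0 for m in members}
    for pkt in packets:
        counts[select_member(mode, pkt, members)] += 1
    return counts


# Constructed sample traffic: 16 HTTPS flows from clients 10.1.1.1-16 to a single server.
SAMPLE = [
    {"src_ip": f"10.1.1.{i}", "dst_ip": "10.2.2.2", "l4_port": 443,
     "src_mac": f"00-e0-fc-00-00-{i:02x}", "dst_mac": "00-e0-fc-00-ff-01",
     "vlan": 10, "ethertype": 0x0800, "in_port": 1}
    for i in range(1, 17)
]
MEMBERS = ["GigabitEthernet0/0/1", "GigabitEthernet0/0/2",
           "GigabitEthernet0/0/3", "GigabitEthernet0/0/4"]

if __name__ == "__main__":
    for mode in MODES:
        print(f"{mode:12s} {distribution(mode, SAMPLE, MEMBERS)}")
```

Running it shows dst-ip placing every flow to the one server on a single member while src-ip and src-dst-ip spread them evenly, which is why the mode has to match the traffic pattern and why one large flow never gets more than a single member's bandwidth.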

(Optional) Limiting the Number of Active Interfaces


Context
Perform the following steps on the Switch to limit the number of active interfaces in an Eth-Trunk interface.

Procedure
l Setting the maximum number of interfaces that determine bandwidth of the Eth-Trunk
interface
1. Run:
system-view

The system view is displayed.

2. Run:
interface eth-trunk trunk-id

The Eth-Trunk interface view is displayed.

3. Run:
max bandwidth-affected-linknumber link-number

The maximum number of interfaces that determine bandwidth of the Eth-Trunk
interface is set.
By default, the maximum number of interfaces that determine bandwidth of an Eth-Trunk interface is 8.
NOTE

l The maximum number of interfaces that determine bandwidth of the Eth-Trunk interface on the
local Switch can be different from that on the remote Switch. If the two values are different, the
smaller one is used.

l Setting the minimum number of active interfaces
1. Run:
system-view

The system view is displayed.

2. Run:
interface eth-trunk trunk-id

The Eth-Trunk interface view is displayed.

3. Run:
least active-linknumber link-number

The minimum number of active interfaces is set.


By default, the minimum number of active interfaces is 1.
In manual load balancing mode, you can set the minimum number of active
interfaces in an Eth-Trunk interface. If the number of active interfaces is smaller than this
value, the status of the Eth-Trunk interface becomes Down.
NOTE

l The minimum number of active interfaces on the local Switch can be different from that on the
remote Switch. If the two values are different, the larger one is used.

----End

Checking the Configuration


Procedure
l Run the display trunkmembership eth-trunk trunk-id command to check the member
interfaces of the Eth-Trunk interface.
l Run the display eth-trunk trunk-id command to check the load balancing status of the
Eth-Trunk interface.

----End

3.2.4 Configuring Link Aggregation in Static LACP Mode


This section describes how to configure link aggregation in static LACP mode.

Establishing the Configuration Task


Applicable Environment
To increase the bandwidth and improve connection reliability, you can configure a link
aggregation group on two directly connected Switches. The requirements for the link aggregation
group are:
l The links between two devices implement redundancy backup. When a fault occurs on
some links, the backup links replace the faulty ones to maintain uninterrupted data
transmission.
l The active links have the load balancing capability.

To meet these requirements, configure link aggregation in static LACP mode.


Figure 3-4 Typical networking of link aggregation in static LACP mode (SwitchA and SwitchB are connected by an Eth-Trunk, Eth-Trunk 1 at each end, with active links and a standby link)

Pre-configuration Tasks
Before configuring link aggregation in static LACP mode, complete the following tasks:
l Powering on the AC6605
l Creating an Eth-Trunk interface

Data Preparation
To configure link aggregation in static LACP mode, you need the following data.
No.  Data
1    Number of the Eth-Trunk interface
2    Types and numbers of the member interfaces
3    Maximum number of active interfaces

Configuring an Eth-Trunk Interface to Work in Static LACP Mode


Context
NOTE

Before you configure the operation mode of an Eth-Trunk interface, check whether the Eth-Trunk interface
contains member interfaces. If the Eth-Trunk contains member interfaces, you cannot change the operation
mode of the Eth-Trunk interface. To delete member interfaces from the Eth-Trunk interface, run the undo
eth-trunk command in the member interface view or run the undo trunkport interface-type interface-number command in the Eth-Trunk interface view.

Perform the following steps on the Switch to configure an Eth-Trunk interface in static LACP
mode.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
interface eth-trunk trunk-id

The Eth-Trunk interface view is displayed.


Step 3 Run:
mode lacp-static

The Eth-Trunk interface is configured to work in static LACP mode.


By default, an Eth-Trunk interface works in manual load balancing mode.
If the Eth-Trunk interface works in static LACP mode, the remote Eth-Trunk interface must also
work in static LACP mode.
----End

Adding Member Interfaces to an Eth-Trunk Interface


Context
Perform the following steps on the Switch to add member interfaces to an Eth-Trunk interface.

Procedure
l Configuration in the Eth-Trunk interface view
1. Run:
system-view

The system view is displayed.

2. Run:
interface eth-trunk trunk-id

The Eth-Trunk interface view is displayed.

3. Run:
trunkport interface-type { interface-number1 [ to interface-number2 ] } &<1-8>

Member interfaces are added to the Eth-Trunk interface.


NOTE

If one of the specified member interfaces cannot be added to the Eth-Trunk, interfaces following
this interface cannot be added to the Eth-Trunk.

l Configuration in the member interface view
  1. Run:
     system-view
     The system view is displayed.
  2. Run:
     interface interface-type interface-number
     The interface view is displayed.
  3. Run:
     eth-trunk trunk-id
     The interface is added to the Eth-Trunk interface.

When adding an interface to an Eth-Trunk interface, pay attention to the following points:
l An Eth-Trunk contains a maximum of eight member interfaces.
l A member interface cannot be configured with any service or static MAC address.
l When adding an interface to an Eth-Trunk, ensure that the interface is a hybrid interface
(default interface type).
l An Eth-Trunk interface cannot have other Eth-Trunk interfaces as its member interfaces.
l An Ethernet interface can be added to only one Eth-Trunk interface. To add the Ethernet
interface to another Eth-Trunk interface, delete it from the current Eth-Trunk first.
l An Eth-Trunk interface contains member interfaces of the same type. For example, an
FE interface and a GE interface cannot be added to the same Eth-Trunk.
l Ethernet interfaces on different LPUs can be added to the same Eth-Trunk interface.
l The peer interfaces directly connected to the local Eth-Trunk member interfaces must
also be bundled into an Eth-Trunk interface; otherwise, the two ends cannot
communicate.
l When the member interfaces work at different rates, the interfaces with a smaller rate
may be congested, and packets may be lost on these interfaces.
l After interfaces are added to an Eth-Trunk interface, MAC addresses are learned on the
Eth-Trunk interface but not the member interfaces.
----End

(Optional) Configuring the Load Balancing Mode


Context
Perform the following steps on the AC6605 to configure the Eth-Trunk load balancing mode.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
interface eth-trunk trunk-id

The Eth-Trunk interface view is displayed.


Step 3 Run:
load-balance { dst-ip | dst-mac | src-ip | src-mac | src-dst-ip | src-dst-mac }

The load balancing mode is configured for the Eth-Trunk interface.


The default load balancing mode of the AC6605 is src-dst-ip.
The AC6605 supports the following load balancing modes:
l dst-ip: based on the destination IP address. In this mode, the system obtains the specified
three bits from each of the destination IP address and the TCP/UDP port number in outgoing
packets to perform the Exclusive-OR calculation, and then selects the outbound interface
from the Eth-Trunk table according to the calculation result.
l dst-mac: based on the destination MAC address. The system obtains the specified three bits
from each of the destination MAC address, VLAN ID, Ethernet type, and inbound interface
information to perform the Exclusive-OR calculation, and then selects the outbound interface
from the Eth-Trunk table according to the calculation result.
l src-ip: based on the source IP address. The system obtains the specified three bits from each
of the source IP address and the TCP or UDP port number in incoming packets to perform
the Exclusive-OR calculation, and then selects the outbound interface from the Eth-Trunk
table according to the calculation result.
l src-mac: based on the source MAC address. The system obtains the specified three bits from
each of the source MAC address, VLAN ID, Ethernet type, and inbound interface information
to perform the Exclusive-OR calculation, and then selects the outbound interface from the
Eth-Trunk table according to the calculation result.
l src-dst-ip: based on the Exclusive-OR result of the source IP address and destination IP
address. The system performs the Exclusive-OR calculation between the Exclusive-OR
results of the dip and dmac modes, and then selects the outbound interface from the
Eth-Trunk table according to the calculation result.
l src-dst-mac: based on the Exclusive-OR result of the source MAC address and destination
MAC address. The system obtains three bits from each of the source MAC address,
destination MAC address, VLAN ID, Ethernet type, and inbound interface information to
perform the Exclusive-OR calculation, and then selects the outbound interface from the
Eth-Trunk table according to the calculation result.
Member interfaces of an Eth-Trunk interface perform per-flow load balancing. The local end
and the remote end can use different load balancing modes. The load balancing mode on one
end does not affect load balancing on the other end.
----End
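The six load balancing modes above, as an added Python model that is not Huawei code (the AC6605 hardware hash is not published on this page). Assumptions: "the specified three bits" are the three low-order bits of each field, the Eth-Trunk table has eight entries filled round-robin with the Up member interfaces, and src-dst-ip is the Exclusive-OR of the src-ip and dst-ip results as the mode's definition sentence states. The distribution() helper makes the per-flow caveat visible: in src-dst-ip mode every flow between the same two hosts lands on the same member interface, whatever port it uses.

```python
"""Model of the AC6605 Eth-Trunk per-flow load-balancing hash (added example)."""
import ipaddress
from dataclasses import dataclass

MODES = ("dst-ip", "dst-mac", "src-ip", "src-mac", "src-dst-ip", "src-dst-mac")


@dataclass(frozen=True)
class Packet:
    """Header fields the six modes consume; values are constructed by the caller."""
    src_mac: str
    dst_mac: str
    src_ip: str
    dst_ip: str
    l4_port: int      # TCP/UDP port, used by the IP-based modes
    vlan_id: int
    ethertype: int
    in_port: int      # inbound interface index


def _low3(value: int) -> int:
    """The three low-order bits of a field (assumption about which bits are used)."""
    return value & 0x7


def _mac(mac: str) -> int:
    return int(mac.replace("-", "").replace(":", ""), 16)


def _ip(ip: str) -> int:
    return int(ipaddress.ip_address(ip))


def hash_value(mode: str, pkt: Packet) -> int:
    """XOR the 3-bit field samples exactly as each mode is described; result 0..7."""
    if mode == "dst-ip":
        return _low3(_ip(pkt.dst_ip)) ^ _low3(pkt.l4_port)
    if mode == "src-ip":
        return _low3(_ip(pkt.src_ip)) ^ _low3(pkt.l4_port)
    if mode == "dst-mac":
        return (_low3(_mac(pkt.dst_mac)) ^ _low3(pkt.vlan_id)
                ^ _low3(pkt.ethertype) ^ _low3(pkt.in_port))
    if mode == "src-mac":
        return (_low3(_mac(pkt.src_mac)) ^ _low3(pkt.vlan_id)
                ^ _low3(pkt.ethertype) ^ _low3(pkt.in_port))
    if mode == "src-dst-ip":
        # XOR of the src-ip and dst-ip results (assumption, from the mode's
        # definition). The port bits cancel, so the port no longer matters.
        return hash_value("src-ip", pkt) ^ hash_value("dst-ip", pkt)
    if mode == "src-dst-mac":
        return (_low3(_mac(pkt.src_mac)) ^ _low3(_mac(pkt.dst_mac))
                ^ _low3(pkt.vlan_id) ^ _low3(pkt.ethertype) ^ _low3(pkt.in_port))
    raise ValueError(f"unknown load-balance mode: {mode}")


def select_member(mode: str, pkt: Packet, up_members: list) -> str:
    """Look the hash up in an 8-entry Eth-Trunk table filled round-robin with
    the Up members (assumption about the table layout)."""
    if not up_members:
        raise ValueError("Eth-Trunk has no Up member interface")
    table = [up_members[i % len(up_members)] for i in range(8)]
    return table[hash_value(mode, pkt)]


def distribution(mode: str, packets: list, up_members: list) -> dict:
    """Count flows per member interface to see how evenly a traffic mix spreads."""
    counts = {m: 0 for m in up_members}
    for p in packets:
        counts[select_member(mode, p, up_members)] += 1
    return counts


if __name__ == "__main__":
    # Constructed sample traffic: one host pair, two TCP ports.
    members = ["GigabitEthernet0/0/3", "GigabitEthernet0/0/4"]
    flows = [Packet("00e0-fca8-0417", "00e0-fca6-7f85", "10.1.1.5", "10.1.1.10",
                    port, 100, 0x0800, 1) for port in (80, 443)]
    for mode in MODES:
        print(f"{mode:12s} {distribution(mode, flows, members)}")
```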

(Optional) Limiting the Number of Active Interfaces


Context
Perform the following steps on the Switch to limit the number of active interfaces.

Procedure
l Setting the maximum number of active interfaces
  1. Run:
     system-view
     The system view is displayed.
  2. Run:
     interface eth-trunk trunk-id
     The Eth-Trunk interface view is displayed.
  3. Run:
     max active-linknumber link-number
     The maximum number of active interfaces is set.
     By default, the maximum number of active interfaces is 8.
     You can set the maximum number (M) of active interfaces for an Eth-Trunk interface in
     static LACP mode. The other member interfaces function as backup.
     If you do not set the maximum number, a maximum of eight interfaces in the Eth-Trunk
     interface can be active.
     NOTE
     l The maximum number of active interfaces must be larger than or equal to the minimum number
       of active interfaces.
     l The maximum number of active interfaces on the local Switch can be different from that on the
       remote Switch. If the two values are different, the smaller one is used.
l Setting the minimum number of active interfaces
  1. Run:
     system-view
     The system view is displayed.
  2. Run:
     interface eth-trunk trunk-id
     The Eth-Trunk interface view is displayed.
  3. Run:
     least active-linknumber link-number
     The minimum number of active interfaces is set.
     By default, the minimum number of active interfaces is 1.
     You can set the minimum number of active interfaces for an Eth-Trunk interface in static
     LACP mode. If the number of active interfaces is smaller than the minimum number, the status
     of the Eth-Trunk interface becomes Down.
     NOTE
     l The minimum number of active interfaces must be smaller than or equal to the maximum number
       of active interfaces.
     l The minimum number of active interfaces on the local Switch can be different from that on the
       remote Switch. If the two values are different, the larger one is used.

----End

(Optional) Setting the System LACP Priority


Context
The system LACP priority determines which end of an Eth-Trunk link becomes the Actor.
Perform the following steps on the Switch to set the system LACP priority.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
lacp priority priority

The system LACP priority is set.


A smaller LACP priority value indicates a higher priority. By default, the system LACP priority
is 32768.

The end with a smaller priority value functions as the Actor. If the two ends have the same
priority, the end with a smaller MAC address functions as the Actor.
----End

(Optional) Setting the LACP Priority for an Interface


Context
In an Eth-Trunk interface, interfaces with higher LACP priorities are selected as active
interfaces. Perform the following steps on the Switch to set the LACP priority for an interface.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
interface interface-type interface-number

The interface view is displayed.


Step 3 Run:
lacp priority priority

The LACP priority is set for the interface.


By default, the interface LACP priority is 32768. A smaller priority value indicates a higher
LACP priority.
----End

(Optional) Enabling LACP Preemption and Setting the Preemption Delay


Context
The LACP preemption function ensures that the interface with the highest LACP priority always
functions as an active interface. For example, when the interface with the highest priority
becomes inactive due to a failure, the LACP preemption function enables the interface to become
active again after it recovers. If the LACP preemption function is disabled, the interface cannot
become an active interface again.
The LACP preemption delay is the period during which an inactive interface waits before it
becomes active.
Perform the following steps on the Switch to enable LACP preemption and set the preemption
delay.

Procedure
Step 1 Run:
system-view


The system view is displayed.


Step 2 Run:
interface eth-trunk trunk-id

The Eth-Trunk interface view is displayed.


Step 3 Run:
lacp preempt enable

The LACP preemption function is enabled on the Eth-Trunk interface.


By default, the LACP preemption function is disabled.
NOTE

To ensure normal running of an Eth-Trunk interface, enable or disable LACP preemption on both ends of
the Eth-Trunk interface.

Step 4 Run:
lacp preempt delay delay-time

The LACP preemption delay is set.


By default, the LACP preemption delay is 30 seconds.
----End

(Optional) Setting the Timeout Interval for Receiving LACP Packets


Context
Perform the following steps on the Switch to set the timeout interval for receiving LACP packets.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
interface eth-trunk trunk-id

The Eth-Trunk interface view is displayed.


Step 3 Run:
lacp timeout { fast | slow }

The timeout interval for receiving LACP protocol packets is set.


NOTE

l After you run the lacp timeout command, the local end informs the peer end of the timeout interval
through LACP packets. If the fast keyword is used, the interval for sending LACP packets is 1 second.
If the slow keyword is used, the interval for sending LACP packets is 30 seconds.
l The timeout interval for receiving LACP packets is three times the interval for sending LACP packets.
In other words, when the fast keyword is used, the timeout interval for receiving LACP packets is 3
seconds. When the slow keyword is used, the timeout interval for receiving LACP packets is 90 seconds.
l You can select different keywords on the two ends. However, it is recommended that you select the
same keyword on both ends to facilitate the maintenance.

----End

Checking the Configuration


Procedure
l Run the display trunkmembership eth-trunk trunk-id command to check the member
interfaces of an Eth-Trunk interface.
l Run the display eth-trunk [ trunk-id [ interface interface-type interface-number ] ]
command to check information about an Eth-Trunk interface and its member interfaces.

----End

3.2.5 Maintaining Link Aggregation


This section describes how to clear the statistics of received and sent LACP packets, debug the
link aggregation group, and monitor the running status of the link aggregation group.

Clearing LACP Packet Statistics


Context

CAUTION
The LACP packet statistics cannot be restored after you clear them.

Procedure
l Run the reset lacp statistics eth-trunk [ trunk-id ] command to clear statistics about LACP
packets received and sent.

----End

Debugging a Link Aggregation Group



Context

CAUTION
Debugging affects the performance of the system. Therefore, run the undo debugging all
command to disable debugging immediately after the debugging is complete.
When a running fault occurs in the link aggregation group, run the following debugging
commands in the user view to check the debugging information, and locate and analyze the fault.

Procedure
l Run the debugging trunk error command to enable the debugging of Eth-Trunk errors.
l Run the debugging trunk event command to enable the debugging of Eth-Trunk events.
l Run the debugging trunk lacp-pdu command to enable the debugging of LACP packets.
l Run the debugging trunk lagmsg command to enable the debugging of LACP protocol
messages.
l Run the debugging trunk msg command to enable the debugging of Eth-Trunk messages.
l Run the debugging trunk state-machine command to enable the debugging of the Eth-Trunk
state machine.
l Run the debugging trunk updown command to enable the debugging of Eth-Trunk Up
and Down messages.
l Run the debugging trunk command to enable the debugging of Eth-Trunk messages.

----End

Monitoring the Operating Status of a Link Aggregation Group


Context
During daily maintenance, run the following commands in any view to check the operating status
of link aggregation groups.

Procedure
l Run the display eth-trunk [ trunk-id [ interface interface-type interface-number ] ]
command to check the status of a link aggregation group.
l Run the display lacp statistics eth-trunk [ trunk-id [ interface interface-type interface-number ] ]
command to check the statistics about LACP packets sent and received.
l Run the display trunkmembership eth-trunk trunk-id command to check the member
interfaces of an Eth-Trunk interface.

----End

3.2.6 Configuration Examples


This section provides several configuration examples of link aggregation in manual load
balancing mode and static LACP mode.

Example for Configuring Link Aggregation in Manual Load Balancing Mode


Networking Requirements
As shown in Figure 3-5, the Switch is connected to the SwitchA through an Eth-Trunk link.
The link between the Switch and SwitchA must ensure high reliability.
Figure 3-5 Link aggregation in manual load balancing mode
(figure: interfaces GE0/0/3 and GE0/0/4 of the Switch form Eth-Trunk 1 to Eth-Trunk 1 of SwitchA; GE0/0/1 of the Switch connects a LAN switch carrying VLAN 100-150 and GE0/0/2 connects a LAN switch carrying VLAN 151-200)

Configuration Roadmap
The configuration roadmap is as follows:
1. Create an Eth-Trunk interface.
2. Add member interfaces to the Eth-Trunk interface.

Data Preparation
To complete the configuration, you need the following data:
l Number of the Eth-Trunk interface
l Types and numbers of the Eth-Trunk member interfaces


Procedure
Step 1 Create an Eth-Trunk interface.
# Create Eth-Trunk 1.
<Quidway> system-view
[Quidway] sysname Switch
[Switch] interface eth-trunk 1
[Switch-Eth-Trunk1] quit

Step 2 Add member interfaces to the Eth-Trunk interface.


# Add GE 0/0/3 to Eth-Trunk 1.
[Switch] interface gigabitethernet 0/0/3
[Switch-GigabitEthernet0/0/3] eth-trunk 1
[Switch-GigabitEthernet0/0/3] quit

# Add GE 0/0/4 to Eth-Trunk 1.


[Switch] interface gigabitethernet 0/0/4
[Switch-GigabitEthernet0/0/4] eth-trunk 1
[Switch-GigabitEthernet0/0/4] quit

Step 3 Configure Eth-Trunk 1.


# Configure Eth-Trunk 1 to allow packets of VLANs 100 to 200 to pass through.
[Switch] interface eth-trunk 1
[Switch-Eth-Trunk1] port link-type trunk
[Switch-Eth-Trunk1] port trunk allow-pass vlan 100 to 200
[Switch-Eth-Trunk1] quit

Step 4 Verify the configuration.


Run the display trunkmembership command in any view to check whether Eth-Trunk 1 is
created and whether member interfaces are added.
[Switch] display trunkmembership eth-trunk 1
Trunk ID: 1
used status: VALID
TYPE: ethernet
Working Mode : Normal
Number Of Ports in Trunk = 2
Number Of UP Ports in Trunk = 2
operate status: up
Interface GigabitEthernet0/0/3, valid, operate up, weight=1,
Interface GigabitEthernet0/0/4, valid, operate up, weight=1,

# Display the configuration of Eth-Trunk 1.


[Switch] display eth-trunk 1
Eth-Trunk1's state information is:
WorkingMode: NORMAL
Hash arithmetic: According to SA-XOR-DA
Least Active-linknumber: 1 Max Bandwidth-affected-linknumber: 8
Operate status: up
Number Of Up Port In Trunk: 2
--------------------------------------------------------------------------------
PortName              Status  Weight
GigabitEthernet0/0/3  Up      1
GigabitEthernet0/0/4  Up      1

The preceding information indicates that Eth-Trunk 1 consists of member interfaces GE 0/0/3
and GE 0/0/4. The member interfaces are both in Up state.
----End

Configuration Files
Configuration file of the Switch
#
sysname Switch
#
interface Eth-Trunk1
port link-type trunk
port trunk allow-pass vlan 100 to 200
#
interface GigabitEthernet0/0/3
eth-trunk 1
#
interface GigabitEthernet0/0/4
eth-trunk 1
#
return

Example for Configuring Link Aggregation in Static LACP Mode


Networking Requirements
To improve bandwidth and connection reliability, configure a link aggregation group on two
directly connected Switches, as shown in Figure 3-6. The requirements are as follows:
l M active links can implement load balancing.
l N links between two Switches can carry out redundancy backup. When a fault occurs on
an active link, the backup link replaces the faulty link to maintain reliable data transmission.

Figure 3-6 Link aggregation in static LACP mode
(figure: SwitchA and SwitchB are connected through Eth-Trunk 1, with member interfaces GE 0/0/1, GE 0/0/2 and GE 0/0/3 on each side; the legend distinguishes the active links from the backup link)

Configuration Roadmap
The configuration roadmap is as follows:
1. Create an Eth-Trunk interface on the Switch and configure the Eth-Trunk interface to work
in static LACP mode.
2. Add member interfaces to the Eth-Trunk interface.
3. Set the system priority and determine the Actor.
4. Set the upper threshold of the active interfaces.
5. Set the priority of the interface and determine the active link.

Data Preparation
To complete the configuration, you need the following data:
l Number of the link aggregation group on the Switches
l System priority of SwitchA
l Upper threshold of active interfaces
l LACP priority of the active interface

Procedure
Step 1 Create Eth-Trunk 1 and set the load balancing mode of the Eth-Trunk to static LACP mode.
# Configure SwitchA.
<Quidway> system-view
[Quidway] sysname SwitchA
[SwitchA] interface eth-trunk 1
[SwitchA-Eth-Trunk1] bpdu enable
[SwitchA-Eth-Trunk1] mode lacp-static
[SwitchA-Eth-Trunk1] quit

# Configure SwitchB.
<Quidway> system-view
[Quidway] sysname SwitchB
[SwitchB] interface eth-trunk 1
[SwitchB-Eth-Trunk1] bpdu enable
[SwitchB-Eth-Trunk1] mode lacp-static
[SwitchB-Eth-Trunk1] quit

Step 2 Add member interfaces to the Eth-Trunk.


# Configure SwitchA.
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] eth-trunk 1
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] eth-trunk 1
[SwitchA-GigabitEthernet0/0/2] quit
[SwitchA] interface gigabitethernet 0/0/3
[SwitchA-GigabitEthernet0/0/3] eth-trunk 1
[SwitchA-GigabitEthernet0/0/3] quit

# Configure SwitchB.
[SwitchB] interface gigabitethernet 0/0/1
[SwitchB-GigabitEthernet0/0/1] eth-trunk 1
[SwitchB-GigabitEthernet0/0/1] quit
[SwitchB] interface gigabitethernet 0/0/2
[SwitchB-GigabitEthernet0/0/2] eth-trunk 1
[SwitchB-GigabitEthernet0/0/2] quit
[SwitchB] interface gigabitethernet 0/0/3
[SwitchB-GigabitEthernet0/0/3] eth-trunk 1
[SwitchB-GigabitEthernet0/0/3] quit

Step 3 Set the system priority on SwitchA to 100 so that SwitchA becomes the Actor.
[SwitchA] lacp priority 100
Step 4 Set the upper threshold M of active interfaces on SwitchA to 2.
[SwitchA] interface eth-trunk 1
[SwitchA-Eth-Trunk1] max active-linknumber 2
[SwitchA-Eth-Trunk1] quit

Step 5 Set the priority of the interface and determine active links on SwitchA.
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] lacp priority 100


[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] lacp priority 100
[SwitchA-GigabitEthernet0/0/2] quit

Step 6 Verify the configuration.


# Check information about the Eth-Trunk of the Switches and check whether the negotiation is
successful on the link.
[SwitchA] display eth-trunk 1
Eth-Trunk1's state information is:
Local:
LAG ID: 1
WorkingMode: STATIC
Preempt Delay: Disabled
Hash arithmetic: According to SA-XOR-DA
System Priority: 100
System ID: 00e0-fca8-0417
Least Active-linknumber: 1 Max Active-linknumber: 2
Operate status: Up
Number Of Up Port In Trunk: 2
--------------------------------------------------------------------------------
ActorPortName         Status   PortType PortPri PortNo PortKey PortState Weight
GigabitEthernet0/0/1  Selected 100M     100     6145   2865    11111100  1
GigabitEthernet0/0/2  Selected 100M     100     6146   2865    11111100  1
GigabitEthernet0/0/3  Unselect 100M     32768   6147   2865    11100000  1
Partner:
--------------------------------------------------------------------------------
PartnerPortName       SysPri   SystemID       PortPri PortNo PortKey PortState
GigabitEthernet0/0/1  32768    00e0-fca6-7f85 32768   6145   2609    11111100
GigabitEthernet0/0/2  32768    00e0-fca6-7f85 32768   6146   2609    11111100
GigabitEthernet0/0/3  32768    00e0-fca6-7f85 32768   6147   2609    11110000

[SwitchB] display eth-trunk 1
Eth-Trunk1's state information is:
Local:
LAG ID: 1
WorkingMode: STATIC
Preempt Delay: Disabled
Hash arithmetic: According to SA-XOR-DA
System Priority: 32768
System ID: 00e0-fca6-7f85
Least Active-linknumber: 1
Max Active-linknumber: 8
Operate status: Up
Number Of Up Port In Trunk: 2
--------------------------------------------------------------------------------
ActorPortName         Status   PortType PortPri PortNo PortKey PortState Weight
GigabitEthernet0/0/1  Selected 100M     32768   6145   2609    11111100  1
GigabitEthernet0/0/2  Selected 100M     32768   6146   2609    11111100  1
GigabitEthernet0/0/3  Unselect 100M     32768   6147   2609    11100000  1
Partner:
--------------------------------------------------------------------------------
PartnerPortName       SysPri   SystemID       PortPri PortNo PortKey PortState
GigabitEthernet0/0/1  100      00e0-fca8-0417 100     6145   2865    11111100
GigabitEthernet0/0/2  100      00e0-fca8-0417 100     6146   2865    11111100
GigabitEthernet0/0/3  100      00e0-fca8-0417 32768   6147   2865    11110000

The preceding information shows that the system priority of SwitchA is 100, a smaller value and
therefore a higher priority than the 32768 of SwitchB, so SwitchA is the Actor. Member interfaces
GE0/0/1 and GE0/0/2 become the active interfaces and are in Selected state. Interface GE0/0/3 is
in Unselect state. M active links work in load balancing mode and N links are the backup links.
----End
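The Actor selection, active-link limits and preemption rules from the preceding subsections, replayed on this example's SwitchA/SwitchB configuration as an added Python model that is not Huawei code. Port numbers 6145 to 6147 are taken from the display eth-trunk output above; the lacp preempt delay timer is not modeled, and the no-preemption behaviour (a recovered member does not displace a currently Selected one) is implemented as plain ordering.

```python
"""Static-LACP Actor and active-link selection as this section describes it (added example)."""
from dataclasses import dataclass


@dataclass
class Port:
    name: str
    number: int
    lacp_priority: int = 32768    # default interface LACP priority
    up: bool = True


@dataclass
class End:
    name: str
    system_id: str                # MAC address, Huawei notation, e.g. 00e0-fca8-0417
    ports: list
    system_priority: int = 32768  # default system LACP priority
    max_active: int = 8           # max active-linknumber default
    least_active: int = 1         # least active-linknumber default


def _mac_int(mac: str) -> int:
    return int(mac.replace("-", "").replace(":", ""), 16)


def actor(a: End, b: End) -> End:
    """Smaller system priority value wins; a tie goes to the smaller MAC address."""
    return min((a, b), key=lambda e: (e.system_priority, _mac_int(e.system_id)))


def effective_limits(a: End, b: End):
    """Per the NOTEs: differing maxima -> the smaller is used; differing
    minima -> the larger is used."""
    return min(a.max_active, b.max_active), max(a.least_active, b.least_active)


def select_active(a: End, b: End, current=(), preempt=False):
    """Return (trunk_up, selected, backup) for the link aggregation group.

    `current` is the previously Selected set. With preemption disabled a
    member that comes back Up does not displace a currently Selected member
    even when its LACP priority is higher; with preemption enabled it does.
    """
    act = actor(a, b)
    max_active, least_active = effective_limits(a, b)
    # Rank the Actor's Up members: higher LACP priority (smaller value) first,
    # then lower port number.
    ranked = sorted((p for p in act.ports if p.up),
                    key=lambda p: (p.lacp_priority, p.number))
    if not preempt:
        # Currently Selected members keep their slots ahead of newcomers.
        ranked = ([p for p in ranked if p.name in current]
                  + [p for p in ranked if p.name not in current])
    selected = [p.name for p in ranked[:max_active]]
    backup = [p.name for p in ranked[max_active:]]
    # Fewer Selected members than the minimum -> the Eth-Trunk goes Down.
    trunk_up = len(selected) >= least_active
    return trunk_up, selected, backup


def example_switches():
    """The SwitchA/SwitchB configuration from this section's example."""
    switch_a = End("SwitchA", "00e0-fca8-0417", [
        Port("GigabitEthernet0/0/1", 6145, lacp_priority=100),
        Port("GigabitEthernet0/0/2", 6146, lacp_priority=100),
        Port("GigabitEthernet0/0/3", 6147),
    ], system_priority=100, max_active=2)
    switch_b = End("SwitchB", "00e0-fca6-7f85", [
        Port("GigabitEthernet0/0/1", 6145),
        Port("GigabitEthernet0/0/2", 6146),
        Port("GigabitEthernet0/0/3", 6147),
    ])
    return switch_a, switch_b


if __name__ == "__main__":
    a, b = example_switches()
    print("Actor:", actor(a, b).name)
    up, sel, bak = select_active(a, b)
    print("Selected:", sel, "Backup:", bak, "Trunk up:", up)
    a.ports[0].up = False                      # GE0/0/1 fails: GE0/0/3 takes over
    up, sel, bak = select_active(a, b, current=set(sel))
    print("After failure:", sel)
    a.ports[0].up = True                       # GE0/0/1 recovers
    print("Recovered, no preempt:", select_active(a, b, current=set(sel))[1])
    print("Recovered, preempt:   ", select_active(a, b, current=set(sel), preempt=True)[1])
```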

Configuration Files
l Configuration file of SwitchA

#
sysname SwitchA
#
lacp priority 100
#
interface Eth-Trunk1
mode lacp-static
max active-linknumber 2
#
interface GigabitEthernet0/0/1
eth-trunk 1
lacp priority 100
#
interface GigabitEthernet0/0/2
eth-trunk 1
lacp priority 100
#
interface GigabitEthernet0/0/3
eth-trunk 1
#
return

l Configuration file of SwitchB

#
sysname SwitchB
#
interface Eth-Trunk1
mode lacp-static
#
interface GigabitEthernet0/0/1
eth-trunk 1
#
interface GigabitEthernet0/0/2
eth-trunk 1
#
interface GigabitEthernet0/0/3
eth-trunk 1
#
return

3.3 VLAN Configuration


Virtual Local Area Networks (VLANs) have advantages of broadcast domain isolation, security
enhancement, flexible networking, and good extensibility.

3.3.1 Introduction
The VLAN technology is important for forwarding on Layer 2 networks. This section describes
the background, functions, and advantages of the VLAN technology.

Overview of VLAN
Ethernet is a shared-medium technology based on Carrier Sense Multiple Access/Collision
Detect (CSMA/CD). If there are a large number of PCs on an
Ethernet network, collision becomes a serious problem and can lead to broadcast storms. As a
result, network performance deteriorates. This can even cause the Ethernet network to become
unavailable. Switches can be used to interconnect local area networks (LANs). Switches forward
information received by inbound ports to specified outbound ports, thereby preventing access
collision in a shared medium. If no specified outbound port is found for information received
by an inbound port, the switch will forward the information from all ports except the inbound
port. This forms a broadcast domain.
To prevent broadcast domains from being too broad and causing problems, you can divide a
network into segments. In this manner, a large broadcast domain is divided into multiple small
broadcast domains to confine the possible scope of broadcast packets. Routers can be deployed
at the network layer to separate broadcast domains, but this method has disadvantages, which
include: complex network planning, inflexible networking, and high levels of expenditure. The
Virtual Local Area Network (VLAN) technology can divide a large Layer 2 network into
broadcast domains to prevent broadcast storms and protect network security.

Definition of VLAN
The VLAN technology is used to divide a physical LAN into multiple logical broadcast domains,
each of which is called a VLAN. Each VLAN contains a group of PCs that have the same
requirements. A VLAN has the same attributes as a LAN. PCs of a VLAN can be placed on
different LAN segments. If two PCs are located on one LAN segment but belong to different
VLANs, they do not broadcast packets to each other. With VLAN, the broadcast traffic volume
is reduced; fewer devices are required; network management is simplified; and network security
is improved.
Figure 3-7 shows a typical VLAN application. Three switches are placed in different locations,
for example, different stories of an office building. The VLAN technology allows enterprises to
share LAN facilities and ensures information security for each enterprise network.
Figure 3-7 Schematic diagram for a typical VLAN application
(figure: a Router connected to Switch1, Switch2 and Switch3, whose ports are divided into VLAN-A, VLAN-B and VLAN-C)

This application shows the following VLAN advantages:
l Broadcast domains are confined. A broadcast domain is confined to a VLAN. This saves
bandwidth and improves network processing capabilities.
l Network security is enhanced. Packets from different VLANs are separately transmitted.
PCs in one VLAN cannot directly communicate with PCs in another VLAN.
l Network robustness is improved. A fault in a VLAN does not affect PCs in other VLANs.
l Virtual groups are set up flexibly. With the VLAN technology, PCs in different
geographical areas can be grouped together. This facilitates network construction and
maintenance.

Basic VLAN Concepts and Principles


l 802.1Q and VLAN frame format
A conventional Ethernet frame is encapsulated with the Length/Type field for an upper-layer
protocol following the Destination address and Source address fields, as shown in
Figure 3-8.
Figure 3-8 Conventional Ethernet frame format

  6 bytes      6 bytes   2 bytes       46-1500 bytes  4 bytes
  Destination  Source    Length/Type   Data           FCS
  address      address

IEEE 802.1Q is an Ethernet networking standard for a specified Ethernet frame format. It
adds a 32-bit field between the Source address and the Length/Type fields of the original
frame, as shown in Figure 3-9.
Figure 3-9 802.1Q frame format

  6 bytes      6 bytes   4 bytes                                         2 bytes       42-1500 bytes  4 bytes
  Destination  Source    802.1Q Tag                                      Length/Type   Data           FCS
  address      address   TPID (2 bytes) | PRI (3 bits) | CFI (1 bit) | VID (12 bits)

Tag Protocol Identifier (TPID): a 16-bit field set to a value of 0x8100 in order to identify
the frame as an IEEE 802.1Q-tagged frame. If an 802.1Q-incapable device receives an
802.1Q frame, it will discard the frame.
Priority (PRI): a 3-bit field which indicates the frame priority. The value ranges from 0
to 7. The greater the value, the higher the priority. These values can be used to prioritize
different classes of traffic to ensure that frames with high priorities are transmitted first
when traffic is heavy.
Canonical Format Indicator (CFI): a 1-bit field. If the value of this field is 1, the MAC
address is in the non-canonical format. If the value is 0, the MAC address is in the
canonical format. CFI is used to ensure compatibility between Ethernet networks and
Token Ring networks. It is always set to zero for Ethernet switches.
VLAN Identifier (VID): a 12-bit field specifying the VLAN to which the frame belongs.
On the AC6605, VLAN IDs range from 0 to 4095. The values 0 and 4095 are reserved,
and therefore VLAN IDs range from 1 to 4094.
Each frame sent by an 802.1Q-capable switch carries a VLAN ID. On a VLAN, Ethernet
frames are classified into the following types:
Tagged frames: frames with 32-bit 802.1Q tags.
Untagged frames: frames without 32-bit 802.1Q tags.
l Type of VLAN links

Figure 3-10 Schematic diagram for VLAN links
(figure: PC1 and PC2 in VLAN2 and PC3 and PC4 in VLAN3 attach to switches CE1 and CE2 over access links; CE1 and CE2 connect to the PE over trunk links that carry VLAN2 and VLAN3)

As shown in Figure 3-10, there are the following types of VLAN links:
Access link: connects a PC to a switch. Generally, a PC does not know which VLAN
it belongs to, and PC hardware cannot distinguish frames with VLAN tags. Therefore,
PCs send and receive only untagged frames.
Trunk link: connects a switch to another switch or to a router. Data of different VLANs
are transmitted along a trunk link. The two ends of a trunk link must be able to distinguish
frames with VLAN tags. Therefore, only tagged frames are transmitted along trunk
links.
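An added Python example (not Huawei code) that builds and parses the 802.1Q tag described above and applies the access-port and trunk-port rules of Table 3-2 below to constructed frames, so the tagged/untagged behaviour of access and trunk links can be checked offline. One assumption: a trunk port asked to send a frame for a VLAN it denies drops it, since the table lists only the permitted cases.

```python
"""802.1Q tag handling and access/trunk port rules (added example)."""
import struct

TPID_8021Q = 0x8100
MIN_VID, MAX_VID = 1, 4094        # 0 and 4095 are reserved on the AC6605


def _mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace("-", "").replace(":", ""))


def build_frame(dst_mac, src_mac, ethertype, payload, vid=None, pri=0, cfi=0):
    """Build a raw Ethernet frame; when vid is given, a 4-byte 802.1Q tag
    (TPID 0x8100, then PRI/CFI/VID) is inserted after the source address."""
    header = _mac_bytes(dst_mac) + _mac_bytes(src_mac)
    tag = b""
    if vid is not None:
        if not MIN_VID <= vid <= MAX_VID:
            raise ValueError(f"VLAN ID {vid} is reserved or out of range")
        tci = (pri & 0x7) << 13 | (cfi & 0x1) << 12 | vid
        tag = struct.pack("!HH", TPID_8021Q, tci)
    return header + tag + struct.pack("!H", ethertype) + payload


def parse_frame(frame: bytes) -> dict:
    """Split off the header fields; 'vid' is None for an untagged frame."""
    fields = {"dst": frame[0:6].hex(), "src": frame[6:12].hex()}
    (tpid,) = struct.unpack("!H", frame[12:14])
    if tpid == TPID_8021Q:
        (tci,) = struct.unpack("!H", frame[14:16])
        fields.update(pri=tci >> 13, cfi=(tci >> 12) & 1, vid=tci & 0x0FFF)
        (fields["ethertype"],) = struct.unpack("!H", frame[16:18])
        fields["payload"] = frame[18:]
    else:
        fields.update(pri=None, cfi=None, vid=None, ethertype=tpid, payload=frame[14:])
    return fields


def add_tag(frame: bytes, vid: int) -> bytes:
    """Insert a tag carrying the given VID (PRI 0, CFI 0) into an untagged frame."""
    return frame[:12] + struct.pack("!HH", TPID_8021Q, vid) + frame[12:]


def strip_tag(frame: bytes) -> bytes:
    """Remove the 4-byte 802.1Q tag from a tagged frame."""
    return frame[:12] + frame[16:]


def access_receive(frame, default_vid):
    """Access port: tag an untagged frame with the default VLAN ID; accept a
    tagged frame only if its VID equals the default VLAN ID, otherwise discard."""
    vid = parse_frame(frame)["vid"]
    if vid is None:
        return add_tag(frame, default_vid)
    return frame if vid == default_vid else None


def access_send(frame):
    """Access port: the tag is removed before the frame is sent to the PC."""
    return strip_tag(frame)


def trunk_receive(frame, default_vid, permitted):
    """Trunk port: an untagged frame gets the default VLAN ID; a frame is
    accepted only if the port permits the resulting VID, otherwise discarded."""
    vid = parse_frame(frame)["vid"]
    if vid is None:
        return add_tag(frame, default_vid) if default_vid in permitted else None
    return frame if vid in permitted else None


def trunk_send(frame, default_vid, permitted):
    """Trunk port: a default-VLAN frame is sent untagged, another permitted
    VLAN's frame is sent as is; a denied VLAN is dropped (assumption)."""
    vid = parse_frame(frame)["vid"]
    if vid not in permitted:
        return None
    return strip_tag(frame) if vid == default_vid else frame


if __name__ == "__main__":
    # Constructed sample: a PC in VLAN 100 behind an access port, uplink trunk.
    payload = b"\x45\x00" + b"\x00" * 44
    from_pc = build_frame("00e0-fca8-0417", "00e0-fca6-7f85", 0x0800, payload)
    inside = access_receive(from_pc, default_vid=100)      # tagged with VID 100
    print(parse_frame(inside))
    print("trunk forwards:", trunk_send(inside, 1, set(range(100, 201)) | {1}) is inside)
```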
l

Port types
Table 3-2 lists VLAN port types.

Table 3-2 Port types

Access port
- Received untagged frames: Accepts the frame and adds a tag with the default VLAN ID (PVID) to it.
- Received tagged frames: Accepts the frame if the VLAN ID carried in the frame is the same as the PVID; discards the frame if the VLAN ID differs from the PVID.
- Sending frames: Removes the tag from the frame and sends the frame.
- Application: An access port connects a switch to a PC and can be added to only one VLAN.

Trunk port
- Received untagged frames: Adds a tag with the PVID to the frame, then accepts the frame if the port permits the PVID and discards it if the port denies the PVID.
- Received tagged frames: Accepts the frame if the port permits the VLAN ID carried in the frame; discards the frame if the port denies that VLAN ID.
- Sending frames: If the VLAN ID carried in the frame is the same as the PVID and is permitted by the port, removes the tag and sends the frame. If the VLAN ID differs from the PVID but is permitted by the port, sends the frame with its tag.
- Application: A trunk port can be added to multiple VLANs to send and receive frames for these VLANs. It connects a switch to another switch or to a router.

Hybrid port
- Received untagged frames: Adds a tag with the PVID to the frame, then accepts the frame if the port permits the PVID and discards it if the port denies the PVID.
- Received tagged frames: Accepts the frame if the port permits the VLAN ID carried in the frame; discards the frame if the port denies that VLAN ID.
- Sending frames: Sends the frame if the port permits the VLAN ID carried in the frame. Whether the port sends the frames of a given VLAN with or without tags is specified per VLAN by the port hybrid tagged vlan and port hybrid untagged vlan commands.
- Application: A hybrid port can be added to multiple VLANs to send and receive frames for these VLANs. It can connect a switch to a PC or a network device to another network device.

Each access, trunk, or hybrid port can be configured with a default VLAN, namely the port
default VLAN ID (PVID), which specifies the VLAN that untagged frames received on the port are assigned to.
The PVID of an access port is the VLAN to which the port belongs.
As a trunk or hybrid port can be added to multiple VLANs, it must be configured with a PVID
so that untagged frames can be classified.
By default, a port is added to VLAN 1.

Principle for data switching in a VLAN

Use the network shown in Figure 3-10 as an example. If PC 1 in VLAN 2 intends to send
data to PC 2, the data is forwarded as follows:
1. An access port on CE 1 receives an untagged frame from PC 1 and adds a tag with the PVID
(VLAN 2) to the frame. CE 1 searches the MAC address table for an outbound port and
transmits the frame from that port.
NOTE
If VLANs were configured based on MAC addresses instead, the access port on CE 1 would check
the VLAN mapping table for the VLAN ID corresponding to the source MAC address after receiving
the untagged frame from PC 1, and add a tag with that VLAN ID to the frame.
2. After the trunk port on PE receives the frame, the port checks whether the VLAN ID
carried in the frame is permitted on the port. If it is, the port transparently transmits
the frame to CE 2; otherwise, the port discards the frame.
3. After a trunk port on CE 2 receives the frame, the system searches the MAC address
table for the outbound port that connects CE 2 to PC 2.
4. When the frame reaches the access port connecting CE 2 to PC 2, the port checks that
the VLAN ID carried in the frame is the same as its PVID, removes the tag, and sends the
untagged frame to PC 2.
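The tag layout, the port rules in Table 3-2 and the four-step walk from PC 1 to PC 2 can be checked against a small model. The following Python is an added example written for this section, not AC6605 code or any Huawei program: it parses and inserts 802.1Q tags, applies the access, trunk and hybrid ingress and egress rules, learns MAC addresses per VLAN, and walks an untagged frame through the topology of Figure 3-10. The MAC addresses, port names and the 46-byte payload are constructed for the example. One consequence of the trunk rule is visible in the model: an untagged frame that arrives on a trunk is admitted into the trunk's PVID VLAN whenever that VLAN is permitted, so a trunk's default VLAN should not double as a user VLAN unless that is intended.

```python
import struct

TPID_8021Q = 0x8100        # Tag Protocol Identifier of a single 802.1Q tag
RESERVED_VIDS = {0, 4095}  # VID 0 (priority tag only) and 4095 are reserved


def parse_tag(frame):
    """Return (pcp, cfi, vid) from the 802.1Q tag after the MAC addresses,
    or None if the frame is untagged."""
    if len(frame) < 14:
        raise ValueError("frame is shorter than an Ethernet header")
    (tpid,) = struct.unpack("!H", frame[12:14])
    if tpid != TPID_8021Q:
        return None
    if len(frame) < 16:
        raise ValueError("tagged frame is truncated")
    (tci,) = struct.unpack("!H", frame[14:16])
    return tci >> 13, (tci >> 12) & 1, tci & 0x0FFF


def add_tag(frame, vid, pcp=0):
    """Insert a 32-bit tag after the source MAC; CFI is always 0 on Ethernet."""
    if vid in RESERVED_VIDS or not 0 <= vid <= 4095:
        raise ValueError("VLAN ID must be in 1..4094")
    return frame[:12] + struct.pack("!HH", TPID_8021Q, (pcp << 13) | vid) + frame[12:]


def strip_tag(frame):
    """Remove the tag from a frame known to carry one."""
    return frame[:12] + frame[16:]


class Port:
    """Ingress and egress rules of Table 3-2 for one Layer 2 port."""

    def __init__(self, link_type, pvid=1, permit=(), untagged=()):
        self.link_type, self.pvid = link_type, pvid
        if link_type == "access":        # member of exactly one VLAN, its PVID
            self.permit, self.untagged = {pvid}, {pvid}
        elif link_type == "trunk":       # PVID leaves untagged, other VLANs tagged
            self.permit, self.untagged = set(permit), {pvid}
        elif link_type == "hybrid":      # tagged or untagged chosen per VLAN
            self.untagged = set(untagged)
            self.permit = set(permit) | self.untagged
        else:
            raise ValueError("link type must be access, trunk or hybrid")

    def ingress(self, frame):
        """Classify a received frame: (vid, tagged_frame), or None if discarded."""
        tag = parse_tag(frame)
        if tag is None:                  # untagged frame: the PVID is assigned
            vid, frame = self.pvid, add_tag(frame, self.pvid)
        else:
            vid = tag[2]
        return (vid, frame) if vid in self.permit else None

    def egress(self, vid, frame):
        """Frame as it leaves the port, or None if the VLAN is not permitted."""
        if vid not in self.permit:
            return None
        return strip_tag(frame) if vid in self.untagged else frame


class Switch:
    """Per-VLAN MAC learning and forwarding across a dict of named Ports."""

    def __init__(self, ports):
        self.ports, self.mac_table = ports, {}   # (vid, mac) -> port name

    def receive(self, in_port, frame):
        """Forward one frame received on in_port; returns {out_port: frame}."""
        admitted = self.ports[in_port].ingress(frame)
        if admitted is None:
            return {}
        vid, tagged = admitted
        dst, src = tagged[0:6], tagged[6:12]
        self.mac_table[(vid, src)] = in_port               # learning is per VLAN
        known = self.mac_table.get((vid, dst))
        targets = [known] if known else list(self.ports)   # unknown: flood the VLAN
        out = {}
        for name in targets:
            if name != in_port:
                sent = self.ports[name].egress(vid, tagged)
                if sent is not None:                       # other VLANs stay silent
                    out[name] = sent
        return out


def pc1_to_pc2():
    """Walk an untagged frame from PC1 (VLAN 2) to PC2 over Figure 3-10:
    CE1 --trunk-- PE --trunk-- CE2, PCs on access ports."""
    trunk = dict(pvid=1, permit={1, 2, 3})
    ce1 = Switch({"pc1": Port("access", 2), "pc3": Port("access", 3), "up": Port("trunk", **trunk)})
    pe = Switch({"ce1": Port("trunk", **trunk), "ce2": Port("trunk", **trunk)})
    ce2 = Switch({"pc2": Port("access", 2), "pc4": Port("access", 3), "up": Port("trunk", **trunk)})
    pc1, pc2 = bytes.fromhex("0200000000a1"), bytes.fromhex("0200000000a2")  # constructed MACs
    frame = pc2 + pc1 + b"\x08\x00" + b"\x00" * 46          # constructed untagged IPv4 frame
    hops = []
    out = ce1.receive("pc1", frame)      # unknown destination: flooded within VLAN 2 only
    hops.append(sorted(out))
    out = pe.receive("ce1", out["up"])   # tagged VLAN 2 across the trunks
    hops.append(sorted(out))
    out = ce2.receive("up", out["ce2"])  # access port to PC2 strips the tag
    hops.append(sorted(out))
    return hops, out.get("pc2")
```

pc1_to_pc2() returns the ports the frame left at each hop and the untagged frame PC 2 receives; PC 3 and PC 4 never see it because their access ports belong to VLAN 3 and therefore do not permit VLAN 2.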

VLANIF interface
A VLANIF interface is a Layer 3 logical interface, which can be configured on either a
Layer 3 switch or a router.
Layer 3 switching combines routing and switching techniques to implement routing on a
switch, thus improving the overall network performance. After sending the first data flow,
a Layer 3 switch generates mappings between MAC addresses and IP addresses. To send
the same data flow, the switch directly sends the data flow at Layer 2 but not Layer 3 based
on this mapping table.
To ensure that new data flows are correctly forwarded based on the routing table, make sure
that the routing entries are correct. Therefore, VLANIF interfaces and routing protocols
must be configured on Layer 3 switches so that Layer 3 routes are reachable.

Issue 04 (2013-06-15)

Huawei Proprietary and Confidential


Copyright Huawei Technologies Co., Ltd.

365

AC6605 Access Controller


Configuration Guide

3 Configuration Guide - Ethernet

NOTE
Key points are summarized as follows:
- A PC does not need to know the VLAN to which it belongs. It sends only untagged frames.
- After receiving an untagged frame from a PC, a switching device determines the VLAN to which
the frame belongs based on the configured VLAN division method, such as port information, and
then processes the frame accordingly.
- If the frame needs to be forwarded to another switching device, it is transparently
transmitted along a trunk link. Frames on trunk links must carry VLAN tags so that other
switching devices can forward them based on the VLAN information.
- Before sending the frame to the destination PC, the switching device connected to that PC
removes the VLAN tag so that the PC receives an untagged frame.
- Generally, only tagged frames are transmitted on trunk links and only untagged frames on
access links. Switching devices on the network can then process VLAN information while PCs
are not concerned with it.

3.3.2 VLAN Features Supported by the AC6605


This section describes VLAN features that the AC6605 supports.
The VLAN technology helps separate broadcast domains and implement both intra-VLAN and
inter-VLAN communication.
- Intra-VLAN communication: users in a VLAN can communicate with each other.
- Inter-VLAN communication: users in different VLANs sometimes need to communicate with each other.

NOTE

Intra-VLAN communication and inter-VLAN communication are basic VLAN functions.

The AC6605 also supports the following extended VLAN functions:
- VLAN aggregation: prevents the waste of IP addresses and implements inter-VLAN
communication.
- MUX VLAN: provides a mechanism to isolate Layer 2 traffic between interfaces in a
VLAN.
- Voice VLAN: identifies voice data packets among other packets and raises their priority
to improve voice transmission quality.
- Management VLAN (mVLAN): helps implement integrated management from a remote device.
A user can log in to a switch by using Telnet to access the IP address of the VLANIF
interface that corresponds to the mVLAN.

Inter-VLAN Communication
Users in the same VLAN can communicate with each other, but users in different VLANs cannot
communicate with each other at Layer 2. To implement inter-VLAN communication, use the
methods listed in Table 3-3.

Issue 04 (2013-06-15)

Huawei Proprietary and Confidential


Copyright Huawei Technologies Co., Ltd.

366

AC6605 Access Controller


Configuration Guide

3 Configuration Guide - Ethernet

Table 3-3 Inter-VLAN communication methods

Method: VLANIF interface
- Advantage: Users in different VLANs and network segments can communicate with each other as
long as routes are reachable. Inter-VLAN communication can also be implemented by Layer 3
switches if routes are reachable, and this method offers low operating costs.
- Disadvantage: If multiple users on a network belong to different VLANs, each VLAN requires a
VLANIF interface, and each VLANIF interface needs an IP address. This increases the
configuration workload and uses a large number of IP addresses.
- Usage scenario: Small-scale networks on which users belong to different network segments
and user IP addresses are seldom changed. Also use VLANIF interfaces to implement inter-VLAN
communication when a large number of VLANs are configured and both Layer 2 and Layer 3
forwarding are required.

VLAN Aggregation
To implement inter-VLAN communication, each VLANIF interface needs an IP address. When
many VLANs are deployed, a large number of IP addresses are used. VLAN aggregation helps
conserve IP addresses.
In VLAN aggregation, multiple VLANs are aggregated into a super-VLAN. The VLANs that
form the super-VLAN are called sub-VLANs.
You can create a VLANIF interface for the super-VLAN and configure an IP address for this
interface. All sub-VLANs share the same IP network segment so that fewer IP addresses are
used.

MUX VLAN
MUX VLAN isolates Layer 2 traffic between interfaces in a VLAN. For example, user interfaces
on an enterprise network can communicate with a server interface, but the user interfaces cannot
communicate with each other. MUX VLAN can be configured on this enterprise network.
In MUX VLAN implementation, VLANs are classified into a principal VLAN and subordinate
VLANs. Subordinate VLANs are classified into group VLANs and separate VLANs.
The principal VLAN can communicate with the subordinate VLANs, but the subordinate
VLANs cannot communicate with each other. Interfaces in a subordinate group VLAN can
communicate with each other, but interfaces in a subordinate separate VLAN cannot.
Inter-device MUX VLAN is implemented by configuring the same MUX VLAN on multiple
devices and configuring interfaces between the devices to allow packets of the MUX VLAN.
Implementation of inter-device MUX VLAN is the same as MUX VLAN on a single device.
3.3.3 Dividing a LAN into VLANs


A LAN can be divided into several VLANs and users in each VLAN can communicate with
each other. Currently, the AC6605 supports several VLAN division modes. You can choose one
of them as required.

Establishing the Configuration Task


Before dividing a LAN into VLANs, familiarize yourself with the applicable environment,
complete the pre-configuration tasks, and obtain the data required for the configuration. This
will help you complete the configuration task quickly and accurately.

Applicable Environment
Currently, the AC6605 supports Port-based VLAN division.

Pre-configuration Tasks
Before dividing a LAN into VLANs, complete the following task:
- Connect the ports and configure their physical parameters, ensuring that the ports
are physically Up.

Data Preparation
To divide a LAN into VLANs, you need the following data.
1. VLAN ID, number of each Ethernet port to be added to the VLAN, and (optional)
attribute of the Ethernet ports
2. VLAN ID, MAC address mapped to the VLAN, and (optional) 802.1p priority
value related to the MAC address
3. VLAN ID, (optional) IP subnet index, IP address mapped to the VLAN, and
(optional) 802.1p priority value related to the IP address or network segment
4. VLAN ID, (optional) protocol template index, protocol type mapped to the
VLAN, and (optional) 802.1p priority value related to the protocol
5. VLAN ID, MAC address and IP address mapped to the VLAN, and (optional)
number of the Ethernet port added to the VLAN based on its MAC and IP addresses

Dividing a LAN into VLANs Based on Ports


Dividing a LAN into VLANs based on ports is the most simple and effective VLAN division
mode.

Context
After VLANs are configured based on ports, the VLANs can process tagged and untagged frames
in the following manners:
After receiving an untagged frame, a port adds a tag with its PVID to the frame, searches the
MAC address table for an outbound port, and sends the tagged frame from the outbound port.

After a port receives a tagged frame, it checks the VLAN ID carried in the frame:
If the port allows frames with the specified VLAN ID to pass through, it forwards the
frame.
If the port does not allow frames with the specified VLAN ID to pass through, it discards
the frame.

The configuration roadmap is as follows:
1. Create VLANs.
2. Configure the port type (access, trunk, or hybrid).
3. Add ports to VLANs.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
vlan vlan-id

A VLAN is created, and the VLAN view is displayed. If the specified VLAN has been created,
the VLAN view is directly displayed.
The VLAN ID ranges from 1 to 4094. If VLANs need to be created in batches, run the vlan
batch { vlan-id1 [ to vlan-id2 ] } &<1-10> command to create VLANs in batches, and then run
the vlan vlan-id command to enter the view of a specified VLAN.
Step 3 Run:
quit

The system view is displayed.


Step 4 Configure the port type and features.
1.

Run the interface interface-type interface-number command to enter the view of an


Ethernet port to be added to the VLAN.

2.

Run the port link-type { access | hybrid | trunk } command to configure the port type.
By default, the port type is hybrid.
- If a Layer 2 Ethernet port is directly connected to a terminal, set the port type to access
or hybrid.
- If a Layer 2 Ethernet port is connected to another switch, the port type can be set to
access, trunk, or hybrid.

Step 5 Add ports to the VLAN.


Run either of the following commands as needed:
- For access ports:
Run the port default vlan vlan-id command to add a port to a specified VLAN.
To add ports to a VLAN in batches, run the port interface-type { interface-number1 [ to
interface-number2 ] } &<1-10> command in the VLAN view.
- For trunk ports:
Run the port trunk allow-pass vlan { { vlan-id1 [ to vlan-id2 ] } &<1-10> | all } command
to add the port to the specified VLANs.
(Optional) Run the port trunk pvid vlan vlan-id command to specify the default VLAN
for a trunk interface.
- For hybrid ports:
Run either of the following commands to add a port to VLANs in untagged or tagged
mode:
Run the port hybrid untagged vlan { { vlan-id1 [ to vlan-id2 ] } &<1-10> | all }
command to add a port to VLANs in untagged mode. In untagged mode, the port removes
tags from frames before forwarding them. This applies to Layer 2 Ethernet ports
connected to terminals.
Run the port hybrid tagged vlan { { vlan-id1 [ to vlan-id2 ] } &<1-10> | all }
command to add a port to VLANs in tagged mode. In tagged mode, the port forwards frames
without removing their tags. This applies to Layer 2 Ethernet ports connected to switches.
(Optional) Run the port hybrid pvid vlan vlan-id command to specify the default VLAN
of a hybrid interface.
By default, all ports are added to VLAN 1.
----End

Checking the Configuration


After dividing a LAN into VLANs, you can view information about VLANs configured in
different modes.

Prerequisites
The configurations of VLAN division are complete.

Procedure
l

Run the display vlan [ vlan-id [ verbose ] ] command to check information about all
VLANs or a specified VLAN.

----End

3.3.4 Configuring a VLANIF Interface


VLANIF interfaces are Layer 3 logical interfaces. After creating VLANIF interfaces on Layer
2 devices, you can configure Layer 3 features on these interfaces.

Establishing the Configuration Task


Before creating a VLANIF interface, familiarize yourself with the applicable environment,
complete the pre-configuration tasks, and obtain the data required for the configuration. This
will help you complete the configuration task quickly and accurately.

Applicable Environment
Layer 3 switching combines routing and switching techniques to implement routing on a switch,
thus improving the overall network performance. After sending the first data flow, a Layer 3
switch generates mappings between MAC addresses and IP addresses. To send the same data
flow, the switch directly sends the data flow at Layer 2 but not Layer 3 based on this mapping
table.
To ensure that new data flows are correctly forwarded based on the routing table, make sure
that the routing entries are correct. Therefore, VLANIF interfaces and routing protocols
must be configured on Layer 3 switches so that Layer 3 routes are reachable.

Pre-configuration Tasks
Before creating a VLANIF interface, complete the following task:
- Create a VLAN.

Data Preparation
To create a VLANIF interface, you need the following data.
1. VLAN ID and VLAN name
2. IP address to be assigned to the VLANIF interface
3. (Optional) Delay after which the VLANIF interface goes Down
4. (Optional) MTU of the VLANIF interface

Creating a VLANIF Interface


Before configuring Layer 3 features on a Layer 2 device, you must create a VLANIF interface on
the device.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
interface vlanif vlan-id

A VLANIF interface is created and the VLANIF interface view is displayed.


The VLAN ID specified in this command must be the ID of an existing VLAN.


NOTE

A VLANIF interface is Up only when at least one physical port added to the corresponding VLAN is Up.

----End

Assigning an IP Address to a VLANIF Interface


As a VLANIF interface is a Layer 3 logical interface, it can communicate with other interfaces
at the network layer only after being assigned an IP address.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
interface vlanif vlan-id

The VLANIF interface view is displayed.


The VLAN ID specified in this command must be the ID of an existing VLAN.
Step 3 Run:
ip address ip-address { mask | mask-length } [ sub ]

An IP address is assigned to the VLANIF interface for communication at the network layer.
----End

(Optional) Setting a Delay After Which a VLANIF Interface Goes Down


Setting a delay after which a VLANIF interface goes Down prevents network flapping caused
by changes of VLANIF interface status. This function is also called VLAN damping.

Context
If a VLAN goes Down because all ports in the VLAN go Down, the system immediately reports
the VLAN Down event to the corresponding VLANIF interface, instructing the VLANIF
interface to go Down.
To prevent network flapping caused by changes of VLANIF interface status, enable VLAN
damping on the VLANIF interface. After the last Up port in a VLAN goes Down, the system
starts a delay timer and informs the corresponding VLANIF interface of the VLAN Down event
after the timer expires. If a port in the VLAN goes Up during the delay period, the VLANIF
interface remains Up.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
interface vlanif vlan-id

The VLANIF interface view is displayed.


The VLAN ID specified in this command must be the ID of an existing VLAN.
Step 3 Run:
damping time delay-time

The delay for VLAN damping is set.


The delay-time value ranges from 0 to 20, in seconds. By default, the value is 0 seconds,
indicating that VLAN damping is disabled.
----End
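The timer behaviour described in the context above, as an added example that is not from this guide or from Huawei: a Python model of one VLANIF interface whose Down event is delayed by the configured damping time and cancelled if any member port comes back Up first. Port names and the time values are constructed for the example; time is passed in explicitly so that a flap sequence can be replayed and compared with and without damping.

```python
class VlanifDamping:
    """One VLANIF interface under VLAN damping: after the last member port
    goes Down, the Down event is delayed by `delay` seconds and cancelled if
    any member port comes back Up first. delay 0 means damping is disabled."""

    def __init__(self, ports, delay=0):
        if not 0 <= delay <= 20:
            raise ValueError("damping time must be 0..20 seconds")
        self.ports = {p: False for p in ports}  # physical port -> is Up
        self.delay = delay
        self.up = False                         # VLANIF interface state
        self.down_at = None                     # when a pending Down fires
        self.log = []                           # (time, event) for the reader

    def port_event(self, port, is_up, now):
        """Record a physical port state change at time `now`; return VLANIF state."""
        self.ports[port] = is_up
        if any(self.ports.values()):
            self.down_at = None                 # some port is Up: cancel pending Down
            if not self.up:
                self.up = True
                self.log.append((now, "VLANIF Up"))
        elif self.up and self.down_at is None:  # the last Up port just went Down
            self.down_at = now + self.delay
        return self.tick(now)

    def tick(self, now):
        """Advance the clock to `now`, expiring the delay timer if it is due."""
        if self.down_at is not None and now >= self.down_at:
            self.up, self.down_at = False, None
            self.log.append((now, "VLANIF Down"))
        return self.up


def flap_scenario(delay):
    """Port names and times are constructed. GE0/0/1 drops at t=10 and
    GE0/0/2 comes up at t=13: with delay >= 3 the VLANIF never goes Down
    in between. Returns the VLANIF state after each step and the event log."""
    d = VlanifDamping(["GE0/0/1", "GE0/0/2"], delay)
    states = [
        d.port_event("GE0/0/1", True, 0),
        d.port_event("GE0/0/1", False, 10),  # last Up port goes Down
        d.tick(12),
        d.port_event("GE0/0/2", True, 13),   # another member port comes Up
        d.port_event("GE0/0/2", False, 20),  # last Up port goes Down again
        d.tick(40),                          # timer expired: Down for real
    ]
    return states, d.log
```

With delay 0 the VLANIF flaps twice in the scenario; with delay 5 it stays Up through the 3-second gap and goes Down only once the final timer expires.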

(Optional) Setting the MTU of a VLANIF Interface


Context
NOTE

l After changing the maximum transmission unit (MTU) by using the mtu command on a specified
interface, you need to restart the interface to make the new MTU take effect. To restart the interface,
run the shutdown command and then the undo shutdown command, or run the restart command in
the interface view.
l If you change the MTU of an interface, you need to change the MTU of the peer interface to the same
value by using the mtu command; otherwise, services may be interrupted.
l To ensure availability of Layer 3 functions, set the MTU value of the VLANIF interface to be smaller
than the maximum length of frames on the physical interface in the corresponding VLAN.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
interface vlanif vlan-id

The VLANIF interface view is displayed.


Step 3 Run:
mtu mtu

The MTU of the VLANIF interface is set.


The MTU of a VLANIF interface ranges from 128 to 9216, in bytes. The default value is 1500.
NOTE

If the MTU is too small whereas the packet size is large, the packet is probably split into many fragments.
Therefore, the packet may be discarded due to the insufficient QoS queue length. To avoid this situation,
lengthen the QoS queue accordingly.

----End
Checking the Configuration


After a VLANIF interface is configured for communication at the network layer, you can check
the IP address and status of a specified VLANIF interface.

Prerequisites
The configurations of a VLANIF interface are complete.

Procedure
l

Run the display interface vlanif [ vlan-id ] command to check the physical status, link
protocol status, description, and IP address of the VLANIF interface.

----End

3.3.5 Configuring Inter-VLAN Communication


Configuring inter-VLAN communication allows users in different VLANs to communicate with
each other. Currently, the AC6605 supports several inter-VLAN communication schemes.
Choose one of them as required.

Establishing the Configuration Task


Before configuring inter-VLAN communication, familiarize yourself with the applicable
environment, complete the pre-configuration tasks, and obtain the data required for the
configuration. This will help you complete the configuration task quickly and accurately.

Applicable Environment
Currently, schemes listed in Table 3-4 are provided for inter-VLAN communication. You can
choose one of them based on the real world situation.

Table 3-4 Inter-VLAN communication methods

Method: VLANIF interface
- Advantage: Users in different VLANs and network segments can communicate with each other as
long as routes are reachable. Inter-VLAN communication can also be implemented by Layer 3
switches if routes are reachable, and this method offers low operating costs.
- Disadvantage: If multiple users on a network belong to different VLANs, each VLAN requires a
VLANIF interface, and each VLANIF interface needs an IP address. This increases the
configuration workload and uses a large number of IP addresses.
- Usage scenario: Small-scale networks on which users belong to different network segments
and user IP addresses are seldom changed. Also use VLANIF interfaces to implement inter-VLAN
communication when a large number of VLANs are configured and both Layer 2 and Layer 3
forwarding are required.

Pre-configuration Tasks
Before configuring inter-VLAN communication, complete the following task:
- Create VLANs.

Data Preparation
To configure inter-VLAN communication, you need the following data.
1. VLAN ID, VLANIF interface number, and IP address and mask of the VLANIF
interface

Configuring VLANIF Interfaces for Inter-VLAN Communication


Configuring VLANIF interfaces for inter-VLAN communication saves expenditure and helps
implement fast forwarding.

Context
VLANIF interfaces are Layer 3 logical interfaces. After being assigned IP addresses, VLANIF
interfaces are able to communicate at the network layer.
By using VLANIF interfaces to implement inter-VLAN communication, you need to configure
a VLANIF interface for each VLAN and assign an IP address to each VLANIF interface.
Figure 3-11 Networking diagram for configuring VLANIF interfaces for inter-VLAN
communication (a Switch with VLANIF2 for VLAN 2 and VLANIF3 for VLAN 3)

NOTE

The default gateway address of each PC in a VLAN must be the IP address of the corresponding VLANIF
interface. Otherwise, inter-VLAN communication will fail.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
interface vlanif vlan-id

A VLANIF interface is created and the VLANIF interface view is displayed.


The VLAN ID specified in this command must be the ID of an existing VLAN.
NOTE

A VLANIF interface is Up only when at least one physical port added to the corresponding VLAN is Up.

Step 3 Run:
ip address ip-address { mask | mask-length } [ sub ]

An IP address is assigned to the VLANIF interface.


VLANIF interfaces must belong to different network segments.
----End
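The command sequence from Step 1 to Step 5 in 3.3.3 together with the VLANIF procedures in 3.3.4 and above, as an added example that is not from this guide or from Huawei: a small Python planner that collects VLANs, port memberships and VLANIF interfaces, enforces the constraints the procedures state (VLAN IDs 1 to 4094, a VLANIF interface only for an existing VLAN, VLANIF interfaces in different network segments, a damping time of 0 to 20 seconds, an MTU of 128 to 9216 bytes) and renders the commands in the order the procedures give them. The interface names, the GigabitEthernet naming and the IP addresses are assumptions made for the example. Making every port's membership explicit matters because, by default, the port type is hybrid and every port belongs to VLAN 1.

```python
import ipaddress


class VlanConfigError(ValueError):
    """A setting that the configuration procedures in this section reject."""


def check_vid(vid):
    """VLAN IDs 0 and 4095 are reserved; only 1 to 4094 may be configured."""
    if not isinstance(vid, int) or not 1 <= vid <= 4094:
        raise VlanConfigError(f"VLAN ID {vid!r} is not in 1..4094")
    return vid


def vlan_ranges(vids):
    """Render {2, 3, 4, 10} as '2 to 4 10', the { vlan-id1 [ to vlan-id2 ] } form."""
    vids, parts, start = sorted(vids), [], None
    for i, v in enumerate(vids):
        start = v if start is None else start
        if i + 1 == len(vids) or vids[i + 1] != v + 1:
            parts.append(str(start) if start == v else f"{start} to {v}")
            start = None
    return " ".join(parts)


class VlanPlan:
    """Collects VLANs, port memberships and VLANIF interfaces, validates them
    against the rules stated in the procedures, and renders the command sequence."""

    def __init__(self):
        self.vlans, self.ports, self.vlanifs = set(), [], {}

    def vlan(self, *vids):
        self.vlans.update(check_vid(v) for v in vids)
        return self

    def access(self, name, vid):                      # an access port joins one VLAN
        self.ports.append((name, "access", {"permit": {check_vid(vid)}}))
        return self

    def trunk(self, name, permit, pvid=None):
        permit = {check_vid(v) for v in permit}
        self.ports.append((name, "trunk", {"permit": permit, "pvid": pvid}))
        return self

    def hybrid(self, name, tagged=(), untagged=(), pvid=None):
        tagged, untagged = {check_vid(v) for v in tagged}, {check_vid(v) for v in untagged}
        self.ports.append((name, "hybrid", {"permit": tagged | untagged, "tagged": tagged,
                                            "untagged": untagged, "pvid": pvid}))
        return self

    def vlanif(self, vid, address, damping=0, mtu=None):
        if vid not in self.vlans:                     # interface vlanif needs an existing VLAN
            raise VlanConfigError(f"VLAN {vid} does not exist")
        iface = ipaddress.ip_interface(address)
        for other, (other_if, _, _) in self.vlanifs.items():
            if iface.network.overlaps(other_if.network):   # distinct network segments
                raise VlanConfigError(f"VLANIF {vid} overlaps VLANIF {other}")
        if not 0 <= damping <= 20:
            raise VlanConfigError("damping time must be 0..20 seconds")
        if mtu is not None and not 128 <= mtu <= 9216:
            raise VlanConfigError("VLANIF MTU must be 128..9216 bytes")
        self.vlanifs[vid] = (iface, damping, mtu)
        return self

    def render(self):
        lines = ["system-view", f"vlan batch {vlan_ranges(self.vlans)}"]
        for name, kind, s in self.ports:
            missing = s["permit"] - self.vlans
            if missing:
                raise VlanConfigError(f"{name} references undefined VLANs {sorted(missing)}")
            lines += [f"interface {name}", f"port link-type {kind}"]
            if kind == "access":
                lines.append(f"port default vlan {vlan_ranges(s['permit'])}")
            elif kind == "trunk":
                lines.append(f"port trunk allow-pass vlan {vlan_ranges(s['permit'])}")
            else:
                if s["tagged"]:
                    lines.append(f"port hybrid tagged vlan {vlan_ranges(s['tagged'])}")
                if s["untagged"]:
                    lines.append(f"port hybrid untagged vlan {vlan_ranges(s['untagged'])}")
            if s.get("pvid"):
                lines.append(f"port {kind} pvid vlan {check_vid(s['pvid'])}")
            lines.append("quit")
        for vid, (iface, damping, mtu) in sorted(self.vlanifs.items()):
            lines += [f"interface vlanif {vid}", f"ip address {iface.ip} {iface.network.prefixlen}"]
            if damping:
                lines.append(f"damping time {damping}")
            if mtu:
                lines += [f"mtu {mtu}", "restart"]    # a new MTU takes effect after a restart
            lines.append("quit")
        return lines


def figure_3_11_plan():
    """Two user VLANs routed by VLANIF 2 and VLANIF 3 as in Figure 3-11.
    Port names and addresses are assumptions made for this example."""
    return (VlanPlan().vlan(2, 3)
            .access("GigabitEthernet0/0/1", 2)
            .access("GigabitEthernet0/0/2", 3)
            .trunk("GigabitEthernet0/0/24", permit={2, 3})
            .vlanif(2, "10.1.2.1/24", damping=5)
            .vlanif(3, "10.1.3.1/24"))
```

figure_3_11_plan().render() yields the command lines for the two access ports, the trunk and both VLANIF interfaces; each PC must then use its VLANIF address as default gateway, as the note above requires.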
Checking the Configuration


After inter-VLAN communication is configured, you can check whether users in different
VLANs can communicate with each other and check information about VLANs to which users
belong.

Prerequisites
The configurations of inter-VLAN communication are complete.

Procedure
l

Run the ping [ ip ] [ -a source-ip-address | -c count | -d | -f | -h ttl-value | -i interface-type interface-number | -m time | -n | -p pattern | -q | -r | -s packetsize | -system-time | -t
timeout | -tos tos-value | -v | -vpn-instance vpn-instance-name ] * host command to check
whether users in different VLANs can communicate with each other.
If the ping fails, you can run the following commands to locate the fault:
Run the display vlan [ vlan-id [ verbose ] ] command to check information about all
VLANs or a specified VLAN.
Run the display interface vlanif [ vlan-id ] command to check information about
VLANIF interfaces.
Before running this command, ensure that VLANIF interfaces have been configured.

----End

3.3.6 Configuring VLAN Aggregation to Save IP Addresses


VLAN aggregation prevents the waste of IP addresses and implements inter-VLAN
communication.

Establishing the Configuration Task


Before configuring VLAN aggregation, familiarize yourself with the applicable environment,
complete the pre-configuration tasks, and obtain the data required for the configuration. This
will help you complete the configuration task quickly and accurately.

Applicable Environment
As networks expand, address resources become insufficient. VLAN aggregation is developed
to save IP addresses.
In VLAN aggregation, one super-VLAN is associated with multiple sub-VLANs. Physical ports
cannot join a super-VLAN, but a VLANIF interface can be created for the super-VLAN and an
IP address can be assigned to the VLANIF interface. Physical ports can join a sub-VLAN, but
no VLANIF interface can be created for the sub-VLAN. Hosts on the ports of every sub-VLAN
use the VLANIF interface of the super-VLAN as their gateway and share its network segment.
This saves the subnet IDs, default gateway addresses, and directed broadcast addresses that
each ordinary VLAN would otherwise consume. In addition, different broadcast domains can use
addresses in the same subnet segment, so subnet boundaries no longer constrain addressing and
fewer addresses sit idle. VLAN aggregation thus keeps each sub-VLAN a separate broadcast
domain while reducing the IP addresses that would be wasted on ordinary VLANs.
Figure 3-12 shows the typical VLAN aggregation networking.
Figure 3-12 Typical networking diagram for VLAN aggregation
(PE holds super-VLAN 4; sub-VLAN 2 is reached through CE1 and sub-VLAN 3 through CE2.)

Pre-configuration Tasks
Before configuring VLAN aggregation, complete the following task:
- Connect the ports and configure their physical parameters, ensuring that the ports
are physically Up.

Data Preparation
To configure VLAN aggregation, you need the following data.
1. ID of each sub-VLAN and number of each port belonging to the sub-VLAN
2. ID of a super-VLAN
3. IP address and mask of a VLANIF interface

Creating a Sub-VLAN
Each sub-VLAN functions as a broadcast domain.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
interface interface-type interface-number

The interface view is displayed.


Step 3 Run:
port link-type access

The link type of the interface is set to access.


Step 4 Run:
quit

Return to the system view.


Step 5 Run:
vlan vlan-id

A sub-VLAN is created and the sub-VLAN view is displayed.


Step 6 Run:
port interface-type { interface-number1 [ to interface-number2 ] } &<1-10>

A port is added to the sub-VLAN.


----End

Creating a Super-VLAN
A super-VLAN consists of several sub-VLANs. No physical port can be added to a super-VLAN,
but a VLANIF interface can be configured for the super-VLAN and an IP address can be assigned
to the VLANIF interface.

Context
NOTE

Before configuring a super-VLAN, ensure that sub-VLANs have been configured.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
vlan vlan-id

A VLAN is created, and the VLAN view is displayed.


The VLAN ID of a super-VLAN must be different from every sub-VLAN ID.
Step 3 Run:
aggregate-vlan

A super-VLAN is created.
A super-VLAN cannot contain any physical interfaces.
VLAN 1 cannot be configured as a super-VLAN.


Step 4 Run:
access-vlan { vlan-id1 [ to vlan-id2 ] } &<1-10>

A sub-VLAN is added to a super-VLAN.


Before adding sub-VLANs to a super-VLAN in batches, ensure that these sub-VLANs are not
configured with VLANIF interfaces.
----End

Assigning an IP Address to the VLANIF Interface of a Super-VLAN


The IP address of the VLANIF interface of a super-VLAN must contain the subnet segments
where users in sub-VLANs reside. All the sub-VLANs use the IP address of the VLANIF
interface of the super-VLAN, thus saving IP addresses.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
interface vlanif vlan-id

A VLANIF interface is created for a super-VLAN, and the view of the VLANIF interface is
displayed.
Step 3 Run:
ip address ip-address { mask | mask-length }

An IP address is assigned to the VLANIF interface.


----End

(Optional) Enabling Proxy ARP on the VLANIF Interface of a Super-VLAN


PCs in different sub-VLANs cannot directly communicate with each other on a Layer 2 network.
To allow these PCs to communicate with each other at Layer 3, enable proxy ARP on the
VLANIF interface of the super-VLAN.

Context
VLAN aggregation allows sub-VLANs to use the same subnet address, but prevents PCs in
different sub-VLANs from communicating with each other at the network layer.
PCs in ordinary VLANs can communicate with each other at the network layer by using different
gateway addresses. In VLAN aggregation, PCs in a super-VLAN use the same subnet address
and gateway address. As PCs in different sub-VLANs belong to one subnet, they communicate
with each other only at Layer 2, not Layer 3. These PCs are isolated from each other at Layer
2. Consequently, PCs in different sub-VLANs cannot communicate with each other.
Proxy ARP is required to enable PCs in a sub-VLAN to communicate with PCs in another
sub-VLAN or PCs on other networks. After a super-VLAN and its VLANIF interface are created,
proxy ARP must be enabled to allow the super-VLAN to forward or process ARP request and
reply packets. Proxy ARP helps PCs in sub-VLANs communicate with each other at the network
layer.
NOTE

An IP address must have been assigned to the VLANIF interface corresponding to the super-VLAN.
Otherwise, proxy ARP cannot take effect.

VLAN aggregation simplifies configurations for the network where many VLANs are
configured and PCs in different VLANs need to communicate with each other.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
interface vlanif vlan-id

The view of the VLANIF interface of the super-VLAN is displayed.


Step 3 Run:
arp-proxy inter-sub-vlan-proxy enable

Inter-sub-VLAN proxy ARP is enabled.


----End

Checking the Configuration


After VLAN aggregation is configured, you can view VLAN types and information about
VLANIF interfaces, such as the physical status, link protocol status, IP address, and mask.

Prerequisites
The VLAN aggregation configurations are complete.

Procedure
- Run the display vlan [ vlan-id [ verbose ] ] command to check VLAN information.
- Run the display interface vlanif [ vlan-id ] command to check information about a specific
  VLANIF interface.
- Run the display sub-vlan command to check mappings between sub-VLANs and super-VLANs.
- Run the display super-vlan command to check sub-VLANs contained in a super-VLAN.

----End

3.3.7 Configuring a MUX VLAN to Separate Layer 2 Traffic


Configuring a MUX VLAN allows users in different VLANs to communicate with each other,
and separates users in a certain VLAN.
Establishing the Configuration Task


Before configuring a MUX VLAN, familiarize yourself with the applicable environment,
complete the pre-configuration tasks, and obtain the data required for the configuration. This
will help you complete the configuration task quickly and accurately.

Applicable Environment
In an enterprise network, all employees of the enterprise can access the enterprise's server. It is
required that some employees be able to communicate with each other, whereas other employees
must not be able to communicate with each other.
Configuring a MUX VLAN on the switch connected to PCs helps to save VLAN ID resources,
reduce the configuration workload of the network administrator, and facilitate network
maintenance.
Figure 3-13 Networking diagram for a MUX VLAN (figure: a Switch whose principal port connects
to the enterprise server, whose group port connects to enterprise employee1, and whose separate
port connects to enterprise employee2)

In the MUX VLAN shown in Figure 3-13, the principal port connects the switch to the
enterprise's server; separate ports connect the switch to employees that do not communicate with
each other; group ports connect the switch to employees that need to communicate with each
other. A MUX VLAN consists of VLANs in different types listed in Table 3-5.
Table 3-5 Components of a MUX VLAN

MUX VLAN         | VLAN Type     | Port Type      | Communication Rights
-----------------|---------------|----------------|--------------------------------------------------
Principal VLAN   | -             | Principal port | A principal port can communicate with every port
                 |               |                | in the MUX VLAN.
Subordinate VLAN | Separate VLAN | Separate port  | A separate port can only communicate with
                 |               |                | principal ports. Each separate VLAN must be
                 |               |                | associated with a principal VLAN.
Subordinate VLAN | Group VLAN    | Group port     | A group port can communicate with both principal
                 |               |                | ports and other group ports in the same group
                 |               |                | VLAN but cannot communicate with group ports in
                 |               |                | other group VLANs or separate ports. Each group
                 |               |                | VLAN must be associated with a principal VLAN.
Pre-configuration Tasks
Before configuring a MUX VLAN, complete the following task:
- Creating VLANs

Data Preparation
To configure a MUX VLAN, you need the following data.

No. | Data
----|-----------------------------------------------------------------------------------
1   | ID of each principal VLAN and number of each port belonging to the principal VLAN
2   | ID of each group VLAN and number of each port belonging to the group VLAN
3   | ID of each separate VLAN and number of each port belonging to the separate VLAN
Configuring a Principal VLAN for a MUX VLAN


Ports added to a principal VLAN can communicate with every port in the MUX VLAN.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
vlan vlan-id

A VLAN is created, and the VLAN view is displayed. If the specified VLAN has been created,
the VLAN view is directly displayed.
The VLAN ID ranges from 1 to 4094. If VLANs need to be created in batches, run the vlan
batch { vlan-id1 [ to vlan-id2 ] } &<1-10> command to create VLANs in batches, and then run
the vlan vlan-id command to enter the view of a specified VLAN.
Step 3 Run:
mux-vlan

The VLAN is configured as a principal VLAN.


The VLAN ID assigned to a principal VLAN can no longer be used to configure any VLANIF
interface, super-VLAN, or sub-VLAN.
----End

Configuring a Group VLAN for a Subordinate VLAN


A VLAN associated with a group port is called a group VLAN. Group ports in a group VLAN
can communicate with each other.

Context
In a MUX VLAN, group VLANs cannot share the same VLAN ID with a separate VLAN.
Do as follows on a switching device that requires a group VLAN:

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
vlan vlan-id

The view of a created principal VLAN is displayed.


Step 3 Run:
subordinate group vlan-id1 [ to vlan-id2 ]

A group VLAN is configured for the subordinate VLAN.


In this command, vlan-id1 and vlan-id2 specify a range of VLAN IDs. The value is an integer
ranging from 1 to 4094. The value of vlan-id2 must be greater than the value of vlan-id1.
The VLAN ID assigned to a group VLAN can be assigned to no other VLANIF interface, super-VLAN, or sub-VLAN.
----End

Configuring a Separate VLAN for a Subordinate VLAN


A VLAN associated with separate ports is called a separate VLAN. Ports in a separate VLAN
cannot communicate with each other.

Context
Group VLANs and separate VLANs in one MUX VLAN cannot use the same VLAN ID.
Do as follows on a switching device that requires a separate VLAN:

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
vlan vlan-id

The view of a created principal VLAN is displayed.


Step 3 Run:
subordinate separate vlan-id

A separate VLAN is configured for a subordinate VLAN.


Group VLANs and separate VLANs in one MUX VLAN cannot use the same VLAN ID.
----End

Enabling the MUX VLAN Function on a Port


After the MUX VLAN function is enabled on a port, the principal VLAN and subordinate VLAN
can communicate with each other; ports in a group VLAN can communicate with each other;
ports in a separate VLAN cannot communicate with each other.

Context
Before the MUX VLAN function is enabled on a port, ensure that:
- The port has been added to only one ordinary VLAN. If the port has been added to multiple
  VLANs, the MUX VLAN function cannot be enabled on this port.
- The port has been added to a principal or subordinate VLAN.

Do as follows on the switching device on which a port needs to be enabled with the MUX VLAN
function:

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
interface interface-type interface-number

The view of an Ethernet port connecting users is displayed.


Step 3 Run:
port mux-vlan enable

The MUX VLAN function is enabled.


The interface has been added only to a principal VLAN or a subordinate VLAN.
After being enabled with the MUX VLAN function, the port can no longer be configured with
VLAN mapping or VLAN stacking.
NOTE

- Disabling MAC address learning or limiting the number of learned MAC addresses on an interface
  affects the MUX VLAN function on the interface.
- The MUX VLAN and port security functions cannot be enabled on the same interface.
- The MUX VLAN and MAC address authentication cannot be enabled on the same interface.
- The MUX VLAN and 802.1x authentication cannot be enabled on the same interface.

----End

Checking the Configuration


After a MUX VLAN is configured, you can check the principal VLAN ID, subordinate VLAN
ID, and VLAN type.

Prerequisites
The configurations of a MUX VLAN are complete.

Procedure
Step 1 Run the display mux-vlan command to check information about the MUX VLAN.
----End

3.3.8 Configuring a Voice VLAN to Transmit Voice Data


A voice VLAN is used to transmit voice data.

Establishing the Configuration Task


Before configuring a voice VLAN, familiarize yourself with the applicable environment,
complete the pre-configuration tasks, and obtain the data required for the configuration. This
will help you complete the configuration task quickly and accurately.

Applicable Environment
Voice and non-voice data are transmitted on networks. Voice data is configured with a higher
priority than non-voice data to reduce the probability of transmission delay and packet loss.
In most cases, an Access Control List (ACL) is configured to distinguish voice data from
non-voice data, and Quality of Service (QoS) is used to ensure the transmission quality of voice
data.
Voice over IP (VoIP) phones are commonly used. If an ACL is configured to distinguish voice
data from non-voice data, and QoS is used to ensure the transmission quality of voice data, each
terminal needs to be configured with an ACL rule. This increases the network administrator's
workload and burdens maintenance.
The voice VLAN technique is introduced to solve the preceding problem.
After being enabled with the voice VLAN function, a device determines voice data based on
source MAC addresses of received frames, adds ports that receive voice data to a voice VLAN,
and automatically applies priority rules to ensure high priorities and good qualities of voice data.
This simplifies user configuration and facilitates management on voice data.
On the network shown in Figure 3-14, a user's High Speed Internet (HSI), VoIP, and Internet
Protocol Television (IPTV) services are connected to a switch. A voice VLAN can be configured
on the switch to implement QoS for voice data, prioritize voice data, and ensure the
communication quality.
Figure 3-14 Networking diagram for configuring a voice VLAN (figure: Server and Network
above a Switch; the voice VLAN is VLAN 10; LAN Switch1 and LAN Switch2 each connect HSI,
VoIP, and IPTV terminals; the voice flow is marked)

Pre-configuration Tasks
Before configuring a voice VLAN, complete the following task:
- Creating VLANs

Data Preparation
To configure a voice VLAN, you need the following data.

No. | Data
----|-----------------------------------------------------------------------------------
1   | Type and number of the port enabled with the voice VLAN function, voice VLAN ID
2   | The Organizationally Unique Identifier (OUI) address and mask of the voice VLAN
3   | (Optional) Aging timer value of the voice VLAN
4   | (Optional) 802.1p priority and DSCP value for the voice VLAN
5   | (Optional) Mode in which the port is added to the voice VLAN
6   | (Optional) Security mode of the voice VLAN

Enabling the Voice VLAN Function


After being enabled with the voice VLAN function, a device is able to identify voice data based
on source MAC addresses of received frames.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
interface interface-type interface-number

The view of a port connecting the device to users' voice devices is displayed.
Step 3 Run:
voice-vlan vlan-id enable

A voice VLAN is configured and the voice VLAN function is enabled on the port.
By default, the voice VLAN function is disabled on ports.
NOTE

- VLAN 1 cannot be configured as a voice VLAN.
- The voice VLAN and default VLAN on a port must be assigned different VLAN IDs to ensure that
  every function works properly.
- Only one VLAN on a port can be configured as a voice VLAN at a time.
- If the voice VLAN configured on an interface works in automatic mode, you need to run the port
  link-type command to set the interface type to trunk or hybrid.
- Before deleting a voice VLAN, run the undo voice-vlan enable command to disable the voice VLAN
  function.
- The port enabled with the voice VLAN function cannot be configured with VLAN mapping, VLAN
  stacking, or traffic policies.

----End

Configuring an OUI for a Voice VLAN


A voice VLAN-enabled port checks source MAC addresses of received frames. If the source
MAC addresses match OUIs, the frames are considered voice data.

Context
An OUI is a globally-unique identifier assigned by the Institute of Electrical and Electronics
Engineers (IEEE) to a specific equipment vendor. An OUI represents the first 24 bits of a binary
MAC address.
An OUI represents a MAC address segment that is obtained by performing the AND operation
between a 48-bit MAC address and a mask. For example, the MAC address is 1-1-1 (each group
is a four-digit hexadecimal number, so this is 0001-0001-0001), and the mask is FFFF-FF00-0000.
The AND operation is performed between the MAC address and the mask to obtain the OUI
0001-0000-0000. If the first 24 bits of the MAC address of a device are the same as an OUI, a
voice VLAN-enabled port considers the device as a voice device and data from the device as
voice data.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
voice-vlan mac-address mac-address mask oui-mask [ description text ]

An OUI is configured.
- The mac-address value cannot be all 0s or a multicast or broadcast address.
- A device can be configured with a maximum of 16 OUIs. When the device is configured
  with 16 OUIs, subsequent configurations will not take effect.
- When using the undo voice-vlan mac-address command to delete an OUI, specify the
  mac-address value in this command as the result of the AND operation between the
  configured MAC address and mask.
NOTE

When the source MAC address of a packet matches the OUI, the AC6605 changes the priority of the
packet based on the configuration in (Optional) Configuring an 802.1p Priority and a DSCP Value
for the Voice VLAN to improve the transmission quality.

----End

(Optional) Setting an Aging Timer for a Voice VLAN


In automatic mode, a voice VLAN-enabled port learns source MAC addresses of frames from
voice devices, adds ports connecting the device to voice devices to a voice VLAN, and uses the
voice VLAN aging timer to control the number of ports in the voice VLAN.

Context
The aging timer of a voice VLAN is effective only when ports are automatically added to the
voice VLAN.
If a voice VLAN-enabled port does not receive voice data from a voice device before the aging
timer expires, the port will be automatically deleted from the voice VLAN. If the port receives
voice data from the voice device again, the port will be automatically added to the voice VLAN
and the aging timer will be reset.
Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
voice-vlan aging-time minutes

The aging timer is set for a voice VLAN.


The aging timer value ranges from 5 to 43200, in minutes. The default value is 1440 minutes.
----End

(Optional) Configuring an 802.1p Priority and a DSCP Value for the Voice VLAN
Different 802.1p priorities and DiffServ Code Point (DSCP) values can be configured for
different voice VLANs, which makes voice service deployment more flexible.

Context
By default, the 802.1p priority and DSCP value for each voice VLAN are 6 and 46 respectively.
Manual configuration of the 802.1p priority and DSCP value will allow you to plan priorities
for different voice services at will.
NOTE

- The 802.1p priority is indicated by the value in the 3-bit PRI field in each 802.1Q VLAN frame. This
  field determines the transmission priority for data packets when a switching device is congested.
- The DSCP value is indicated by the 6 bits in the Type of Service (ToS) field in the IPv4 packet header.
  DSCP, as the signaling for DiffServ, is used for QoS guarantee on IP networks. The traffic controller
  on the network gateway takes actions merely based on the information carried by the 6 bits.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
voice-vlan remark { 8021p 8021p-value | dscp dscp-value }

An 802.1p priority and a DSCP value are configured for a voice VLAN.
By default, the 802.1p priority and DSCP value for a voice VLAN are 6 and 46 respectively.
----End

(Optional) Configuring the Mode in Which Ports Are Added to a Voice VLAN
On a switching device, only one VLAN on a port can be configured as a voice VLAN. Ports can
be added to the voice VLAN in either automatic or manual mode.
Context
Ports can be added to a voice VLAN in either of the following modes:
- Automatic mode
  A voice VLAN-enabled port learns source MAC addresses of frames from voice devices,
  adds ports connecting the device to voice devices to a voice VLAN, and uses the voice
  VLAN aging timer to control the number of ports in the voice VLAN. If a voice
  VLAN-enabled port does not receive voice data from a voice device before the aging timer
  expires, the port will be automatically deleted from the voice VLAN. If the port receives
  voice data from the voice device again, the port will be automatically added to the voice
  VLAN.
- Manual mode
  After the voice VLAN function is enabled, ports connected to voice devices must be
  manually added to a voice VLAN. Otherwise, the voice VLAN function does not take
  effect.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
interface interface-type interface-number

The view of a port connecting the device to users' voice devices is displayed.
Step 3 Run:
voice-vlan mode { auto | manual }

The mode in which ports are added to a voice VLAN is configured.


By default, ports are automatically added to a voice VLAN.
- If the auto parameter is configured, ports will be automatically added to a voice VLAN.
- If the manual parameter is configured, ports will be manually added to a voice VLAN.
  If trunk ports are connected to voice devices, run the port trunk allow-pass vlan
  { { vlan-id1 [ to vlan-id2 ] } &<1-10> | all } command to manually add these ports to a
  voice VLAN.
  If hybrid ports are connected to voice devices, do as follows as required:
  - Run the port hybrid untagged vlan { { vlan-id1 [ to vlan-id2 ] } &<1-10> | all }
    command to manually add these ports to a voice VLAN in untagged mode.
  - Run the port hybrid tagged vlan { { vlan-id1 [ to vlan-id2 ] } &<1-10> | all }
    command to manually add these ports to a voice VLAN in tagged mode.
NOTE

Access ports cannot be automatically added to a voice VLAN. To add a port of the access type to the
voice VLAN, run the port link-type command to change the port type to trunk or hybrid.

----End

(Optional) Configuring the Working Mode for a Voice VLAN


A voice VLAN works in either security or ordinary mode to transmit merely voice data or both
voice and non-voice data.

Context
Based on the data filtering mechanism, a voice VLAN works in either security or ordinary mode:
- Security mode
  A voice VLAN-enabled inbound port transmits only frames whose source MAC addresses
  match OUIs configured on the device, discards voice data that does not belong to the
  current voice VLAN, and forwards other data normally.
  The security mode prevents a voice VLAN from being attacked by malicious data flows,
  but consumes system resources to check frames.
- Ordinary mode
  A voice VLAN-enabled inbound port transmits both voice and non-voice data. The port
  does not compare source MAC addresses in received frames with configured OUIs,
  exposing a voice VLAN to malicious attacks.
NOTE

Transmitting voice and service data at the same time in a voice VLAN is not recommended. If a voice
VLAN must transmit both voice and service data, ensure that the voice VLAN works in ordinary mode.

Table 3-6 shows how frames are processed in the different voice VLAN working modes.
Table 3-6 Frame processing in different voice VLAN working modes

Voice VLAN Working Mode | Frame Processing Mode
------------------------|--------------------------------------------------------------------
Security mode           | If the source MAC address of a frame and the OUI do not match, the
                        | priority of the frame is not changed and the frame is prohibited
                        | from forwarding in the voice VLAN.
Ordinary mode           | If the source MAC address of a frame and the OUI do not match, the
                        | priority of the frame is not changed and the frame is allowed to
                        | be forwarded in the voice VLAN.
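The OUI derivation from "Configuring an OUI for a Voice VLAN" (MAC AND mask) together with the per-mode handling of Table 3-6, as an added example that is not Huawei code; it lets you check offline which source MACs a given OUI list will treat as voice devices and what security mode does with the rest. MAC addresses, masks and VLAN IDs are constructed; the 802.1p/DSCP defaults 6 and 46 are the page's own defaults.

```python
"""Voice VLAN OUI matching and per-mode frame handling.

Added example, not Huawei code. It implements the OUI derivation from
"Configuring an OUI for a Voice VLAN" (48-bit MAC AND mask, compared with the
configured OUI) and the security/ordinary handling of Table 3-6. MAC addresses,
masks and VLAN IDs are constructed; the 802.1p/DSCP defaults 6 and 46 are the
page's own defaults.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


def mac_to_int(mac: str) -> int:
    """Parse H-H-H notation such as '0001-0000-0000' or the short form '1-1-1'.

    Each hexadecimal group is padded to four digits, so '1-1-1' is
    0001-0001-0001, matching the worked example in the Context section.
    """
    groups = mac.split("-")
    if len(groups) != 3 or not all(1 <= len(g) <= 4 for g in groups):
        raise ValueError(f"malformed MAC address: {mac!r}")
    return int("".join(g.zfill(4) for g in groups), 16)  # raises on non-hex


def int_to_mac(value: int) -> str:
    """Render a 48-bit integer back into H-H-H notation."""
    hexstr = f"{value & 0xFFFFFFFFFFFF:012x}"
    return f"{hexstr[0:4]}-{hexstr[4:8]}-{hexstr[8:12]}"


@dataclass(frozen=True)
class Oui:
    """One 'voice-vlan mac-address <mac> mask <oui-mask>' entry."""
    mac: str
    mask: str
    description: str = ""

    def prefix(self) -> str:
        """The stored OUI: configured MAC AND mask (1-1-1 with FFFF-FF00-0000
        gives 0001-0000-0000). This is also the value that
        'undo voice-vlan mac-address' expects."""
        return int_to_mac(mac_to_int(self.mac) & mac_to_int(self.mask))

    def matches(self, src_mac: str) -> bool:
        """A frame matches when its source MAC, under the same mask, equals the OUI."""
        masked = mac_to_int(src_mac) & mac_to_int(self.mask)
        return masked == mac_to_int(self.prefix())


class OuiTable:
    """Device-wide OUI list with the limits stated on the page."""
    MAX_ENTRIES = 16

    def __init__(self) -> None:
        self.entries: List[Oui] = []

    def add(self, oui: Oui) -> bool:
        """Add an OUI; returns False once 16 entries exist (later ones do not take effect)."""
        value = mac_to_int(oui.mac)
        # All-zeros is rejected, as is any multicast/broadcast address, i.e. one
        # whose I/G bit (least significant bit of the first octet, bit 40) is set.
        if value == 0 or value & (1 << 40):
            raise ValueError("mac-address cannot be all 0s or a multicast/broadcast address")
        if len(self.entries) >= self.MAX_ENTRIES:
            return False
        self.entries.append(oui)
        return True

    def is_voice_source(self, src_mac: str) -> bool:
        return any(oui.matches(src_mac) for oui in self.entries)


@dataclass
class VoiceVlanPort:
    """Voice VLAN settings on one port: security mode is the default."""
    voice_vlan: int
    security_mode: bool = True
    dot1p: int = 6
    dscp: int = 46


def process_frame(port: VoiceVlanPort, ouis: OuiTable, src_mac: str,
                  vlan_id: int) -> Tuple[bool, Optional[int], Optional[int]]:
    """Decide (forwarded, new 802.1p, new DSCP) for a frame arriving on the port.

    Frames outside the voice VLAN are forwarded unchanged. Inside the voice
    VLAN, an OUI match is remarked with the configured 802.1p/DSCP values; on
    a mismatch the priority is left alone and, per Table 3-6, security mode
    drops the frame while ordinary mode still forwards it.
    """
    if vlan_id != port.voice_vlan:
        return True, None, None
    if ouis.is_voice_source(src_mac):
        return True, port.dot1p, port.dscp
    return (not port.security_mode), None, None


if __name__ == "__main__":
    table = OuiTable()
    table.add(Oui("1-1-1", "ffff-ff00-0000", "constructed phone vendor"))
    print("stored OUI:", table.entries[0].prefix())  # 0001-0000-0000
    port = VoiceVlanPort(voice_vlan=10)
    for mac in ("0001-00ab-cdef", "00e0-1234-5678"):
        print(mac, process_frame(port, table, mac, 10))
```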

Procedure
- Security mode
  1. Run the system-view command to enter the system view.
  2. Run the interface interface-type interface-number command to enter the view of a
     port connecting the device to users' voice devices.
  3. Run the voice-vlan security enable command to configure the voice VLAN to work in
     security mode.
     By default, a voice VLAN works in security mode.
- Ordinary mode
  1. Run the system-view command to enter the system view.
  2. Run the interface interface-type interface-number command to enter the view of a
     port connecting the device to users' voice devices.
  3. Run the undo voice-vlan security enable command to configure the voice VLAN to
     work in ordinary mode.
     By default, a voice VLAN works in security mode.

----End

(Optional) Configuring a Port to Communicate with a Voice Device of Another Vendor

The voice VLAN legacy function can be configured to allow Huawei datacom devices to identify
packets of proprietary protocols of other vendors.

Context
After VoIP devices of some vendors are powered on, proprietary protocol packets but not DHCP
packets are sent to apply for IP addresses. To help Huawei datacom devices communicate with
voice devices of other vendors, you can enable the voice VLAN legacy function. This allows
Huawei devices to identify packets of proprietary protocols of other vendors.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
interface interface-type interface-number

The view of a port connecting the device to users' voice devices is displayed.
Step 3 Run:
voice-vlan legacy enable

The port is configured to communicate with a voice device of another vendor.


By default, ports on Huawei devices cannot communicate with voice devices of other vendors.
----End

Checking the Configuration


After a voice VLAN is configured, you can view information about the voice VLAN, including
the OUI, working mode, security mode or ordinary mode, aging timer value, the 802.1p priority
and DSCP value as well as the configuration of the port enabled with the voice VLAN function.

Prerequisites
The configurations of a voice VLAN are complete.

Procedure
- Run the display voice-vlan [ vlan-id ] status command to check information about the
  voice VLAN, including the working mode, security mode, aging timer value and the 802.1p
  priority and DSCP value as well as the configuration of the port enabled with the voice
  VLAN function.
- Run the display voice-vlan oui command to check information about the OUI of the voice
  VLAN, including the mask and description of the OUI.

----End

3.3.9 Configuring an mVLAN to Implement Integrated Management

Configuring an mVLAN allows users to use the IP address of the VLANIF interface
corresponding to the mVLAN to log in to a management switch to manage devices attached to
the switch.

Establishing the Configuration Task


Before configuring an mVLAN to implement integrated management, familiarize yourself with
the applicable environment, complete the pre-configuration tasks, and obtain the data required
for the configuration. This will help you complete the configuration task quickly and accurately.

Applicable Environment
An mVLAN can be configured to help a user use an NMS to manage indirectly-connected
devices.
After an mVLAN is configured, a user can use the IP address of the VLANIF interface
corresponding to the mVLAN to telnet to a management switch and manage devices attached
to the switch.

Pre-configuration Tasks
Before configuring an mVLAN, complete the following task:
- Creating a VLAN

Data Preparation
To configure an mVLAN, you need the following data.

No. | Data
----|---------
1   | VLAN ID

Configuring an mVLAN
An mVLAN allows a user to use the IP address of the VLANIF interface corresponding to the
mVLAN to telnet to a management switch to manage devices attached to the switch.
Do as follows on the device that requires an mVLAN:
Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
vlan vlan-id

The VLAN view is displayed.


Step 3 Run:
management-vlan

An mVLAN is configured.
Only a trunk or hybrid port can be added to an mVLAN.
After the undo management-vlan command is used for an mVLAN, the mVLAN becomes an
ordinary VLAN, to which access, trunk, or hybrid ports can be added.
----End

Configuring a VLANIF Interface for an mVLAN


You need to use the IP address of the VLANIF interface corresponding to an mVLAN to telnet
to a management switch to manage attached devices.
Do as follows on the device that requires an mVLAN:

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
interface vlanif vlan-id

A VLANIF interface is created and the VLANIF interface view is displayed.


The ID of the VLANIF interface must be the ID of a configured mVLAN.
Step 3 Run:
ip address ip-address { mask | mask-length } [ sub ]

After assigning an IP address to the VLANIF interface, you can run the telnet command to log
in to a management switch to manage attached devices.
----End

Checking the Configuration


After an mVLAN is configured, you can check information about the mVLAN.

Prerequisites
The configurations of an mVLAN are complete.
Procedure
- Run the display vlan command to check information about the mVLAN. The command
  output shows information about the mVLAN in the line starting with an asterisk (*).

----End

3.3.10 Maintaining VLAN


A command of clearing statistics helps to locate the faults in a VLAN.

Clearing the Statistics of VLAN Packets


Before collecting traffic statistics in a specified time period on an interface, you need to reset
the original statistics on the interface.

Context

CAUTION
Statistics about VLAN packets cannot be restored after they are cleared, so confirm the action
before you run the command.
To clear the statistics of VLAN packets, run the following reset command in the user view:

Procedure
- Run the reset vlan vlan-id statistics command to clear the packet statistics of a specified
  VLAN.

----End

3.3.11 Configuration Examples


This section provides VLAN configuration examples in various usage scenarios.

Example for Assigning VLANs Based on Ports


It is easy to divide a LAN into VLANs based on ports. After ports are added to different VLANs,
users in the same VLAN can directly communicate with each other, whereas users in different
VLANs cannot directly communicate with each other.

Networking Requirements
As shown in Figure 3-15, an enterprise has multiple departments. The enterprise allows
departments in charge of the same service to communicate with each other, and wants to isolate
the departments in charge of different services.
The requirements are as follows:
- Department 1 and Department 2 are isolated from Department 3 and Department 4.
- Department 1 and Department 2 can communicate with each other.
- Department 3 and Department 4 can communicate with each other.

Figure 3-15 Port-based VLAN assignment (figure: a Switch connected to the Network; GE 0/0/1
and GE 0/0/2 in VLAN 2 connect Department 1 and Department 2; GE 0/0/3 and GE 0/0/4 in
VLAN 3 connect Department 3 and Department 4)

Configuration Roadmap
The configuration roadmap is as follows:
1.

Create VLANs and determine mappings between employees and VLANs.

2.

Configure port types to determine the device connected to each port.

3.

Add the ports connected to department 1 and department 2 to VLAN 2 and the ports
connected to department 3 and department 4 to VLAN 3 to prevent employees in department
1 or department 2 from communicating with employees in department 3 or department 4.

Data Preparation
To complete the configuration, you need the following data:
l GE 0/0/1 and GE 0/0/2 belong to VLAN 2.
l GE 0/0/3 and GE 0/0/4 belong to VLAN 3.

Procedure
Step 1 Configure the Switch.
# Create VLAN 2.
<Quidway> system-view
[Quidway] vlan 2
[Quidway-vlan2] quit


# Set the link type of GE 0/0/1 to trunk and add GE 0/0/1 to VLAN 2.
[Quidway] interface gigabitethernet 0/0/1
[Quidway-GigabitEthernet0/0/1] port link-type trunk
[Quidway-GigabitEthernet0/0/1] port trunk allow-pass vlan 2
[Quidway-GigabitEthernet0/0/1] quit

# Set the link type of GE 0/0/2 to trunk and add GE 0/0/2 to VLAN 2.
[Quidway] interface gigabitethernet 0/0/2
[Quidway-GigabitEthernet0/0/2] port link-type trunk
[Quidway-GigabitEthernet0/0/2] port trunk allow-pass vlan 2
[Quidway-GigabitEthernet0/0/2] quit

# Create VLAN 3.
[Quidway] vlan 3
[Quidway-vlan3] quit

# Set the link type of GE 0/0/3 to trunk and add GE 0/0/3 to VLAN 3.
[Quidway] interface gigabitethernet 0/0/3
[Quidway-GigabitEthernet0/0/3] port link-type trunk
[Quidway-GigabitEthernet0/0/3] port trunk allow-pass vlan 3
[Quidway-GigabitEthernet0/0/3] quit

# Set the link type of GE 0/0/4 to trunk and add GE 0/0/4 to VLAN 3.
[Quidway] interface gigabitethernet 0/0/4
[Quidway-GigabitEthernet0/0/4] port link-type trunk
[Quidway-GigabitEthernet0/0/4] port trunk allow-pass vlan 3
[Quidway-GigabitEthernet0/0/4] quit

Step 2 Verify the configuration.


Ping any host in VLAN 3 from a host in VLAN 2. The ping operation fails. This indicates that
Department 1 and Department 2 are isolated from Department 3 and Department 4.
Ping any host in Department 2 from a host in Department 1. The ping operation is successful.
This indicates that Department 1 and Department 2 can communicate with each other.
Ping any host in Department 4 from a host in Department 3. The ping operation is successful.
This indicates that Department 3 and Department 4 can communicate with each other.
----End

Configuration Files
The following lists the configuration file of the Switch.
#
sysname Quidway
#
vlan batch 2 to 3
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 2
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 2
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk allow-pass vlan 3
#


interface GigabitEthernet0/0/4
port link-type trunk
port trunk allow-pass vlan 3
#
return

Example for Implementing Inter-VLAN Communication Using VLANIF Interfaces


A Layer 3 switch can replace a router to implement communication between VLANs using
VLANIF interfaces.

Networking Requirements
Departments of an enterprise are located on different network segments and use the same
services, such as Internet access and VoIP. The departments are in different VLANs, so inter-VLAN communication must be implemented.
As shown in Figure 3-16, Department 1 and Department 2 use the same service, but they belong
to different VLANs and network segments. Users in Department 1 and Department 2 need to
communicate with each other.
Figure 3-16 Communication between VLANs using VLANIF interfaces (figure: Switch GE 0/0/1 connected to SwitchA GE 0/0/1; SwitchA GE 0/0/2 to Department1 / PC1 10.10.10.2/24 in VLAN 10; SwitchA GE 0/0/3 to Department2 / PC2 20.20.20.2/24 in VLAN 20)

Configuration Roadmap
The configuration roadmap is as follows:
1. Create VLANs on the switches for different departments.
2. Add Layer 2 interfaces to the VLANs so that packets of the VLANs can pass through the Layer 2 interfaces.
3. On the Layer 3 switch (Switch), create VLANIF interfaces and configure IP addresses for the VLANIF interfaces to implement Layer 3 communication.


NOTE

To implement communication between VLANs, hosts in each VLAN must use the IP address of the
corresponding VLANIF interface as the gateway address.

Data Preparation
To complete the configuration, you need the following data:
l VLANs to which GE0/0/1 of the Switch belongs: VLAN 10 and VLAN 20
l IP address of VLANIF 10 on the Switch: 10.10.10.2/24
l IP address of VLANIF 20 on the Switch: 20.20.20.2/24
l VLANs to which GE0/0/1 of SwitchA belongs: VLAN 10 and VLAN 20
l VLAN to which GE0/0/2 of SwitchA belongs: VLAN 10
l VLAN to which GE0/0/3 of SwitchA belongs: VLAN 20

Procedure
Step 1 Configure the Switch.
# Create VLANs.
<Quidway> system-view
[Quidway] vlan batch 10 20

# Add GE0/0/1 to VLANs.


[Quidway] interface gigabitethernet 0/0/1
[Quidway-GigabitEthernet0/0/1] port link-type trunk
[Quidway-GigabitEthernet0/0/1] port trunk allow-pass vlan 10 20
[Quidway-GigabitEthernet0/0/1] quit

# Assign IP addresses to VLANIF interfaces.


[Quidway] interface vlanif 10
[Quidway-Vlanif10] ip address 10.10.10.2 24
[Quidway-Vlanif10] quit
[Quidway] interface vlanif 20
[Quidway-Vlanif20] ip address 20.20.20.2 24
[Quidway-Vlanif20] quit

Step 2 Configure SwitchA.


# Create VLANs.
<Quidway> system-view
[Quidway] vlan batch 10 20

# Add interfaces to VLANs.
[Quidway] interface gigabitethernet 0/0/1
[Quidway-GigabitEthernet0/0/1] port link-type trunk
[Quidway-GigabitEthernet0/0/1] port trunk allow-pass vlan 10 20
[Quidway-GigabitEthernet0/0/1] quit
[Quidway] interface gigabitethernet 0/0/2
[Quidway-GigabitEthernet0/0/2] port link-type access
[Quidway-GigabitEthernet0/0/2] port default vlan 10
[Quidway-GigabitEthernet0/0/2] quit
[Quidway] interface gigabitethernet 0/0/3
[Quidway-GigabitEthernet0/0/3] port link-type access
[Quidway-GigabitEthernet0/0/3] port default vlan 20
[Quidway-GigabitEthernet0/0/3] quit

Step 3 Verify the configuration.


Configure the IP address 10.10.10.3/24 on User 1's host, configure the VLANIF 10 interface IP
address 10.10.10.2/24 as the gateway address, and configure the route to the network segment
20.20.20.0/24.
Configure the IP address 20.20.20.3/24 on User 2's host, configure the VLANIF 20 interface IP
address 20.20.20.2/24 as the gateway address, and configure the route to the network segment
10.10.10.0/24.
After the preceding configurations are complete, User 1 in VLAN 10 and User 2 in VLAN 20
can communicate.
----End

Configuration Files
Configuration file of the Switch
#
sysname Quidway
#
vlan batch 10 20
#
interface Vlanif10
ip address 10.10.10.2 255.255.255.0
#
interface Vlanif20
ip address 20.20.20.2 255.255.255.0
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 10 20
#
return

Configuration file of SwitchA


#
sysname Quidway
#
vlan batch 10 20
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 10 20
#
interface GigabitEthernet0/0/2
port link-type access
port default vlan 10
#
interface GigabitEthernet0/0/3
port link-type access
port default vlan 20
#
return

Example for Configuring VLAN Aggregation


This example illustrates how to implement communication between VLANs with fewer IP
addresses.


Networking Requirements
An enterprise has multiple departments in the same network segment. To improve service
security, different departments are added to different VLANs. Employees in different
departments need to communicate with each other.
As shown in Figure 3-17, the R&D department and the test department are in the same network
segment but belong to different VLANs. Employees in different VLANs need to communicate with each other.
Figure 3-17 VLAN aggregation (figure: Switch with super-VLAN VLAN4 and VLANIF4 100.1.1.12/24; GE 0/0/1 and GE 0/0/2 in VLAN 2 to the Development Department; GE 0/0/3 and GE 0/0/4 in VLAN 3 to the Test Department)

Configuration Roadmap
The configuration roadmap is as follows:
1. Add the Switch interfaces to sub-VLANs.
2. Add the sub-VLANs to a super-VLAN.
3. Configure the IP address for the super-VLAN.
4. Configure proxy ARP for the super-VLAN.

Data Preparation
To complete the configuration, you need the following data:
l VLAN to which GE 0/0/1 and GE 0/0/2 belong: VLAN 2
l VLAN to which GE 0/0/3 and GE 0/0/4 belong: VLAN 3
l Super-VLAN: VLAN 4
l IP address of the super-VLAN: 100.1.1.12


Procedure
Step 1 Set the interface type.
# Configure GE 0/0/1 as an access interface.
<Quidway> system-view
[Quidway] interface gigabitethernet 0/0/1
[Quidway-GigabitEthernet0/0/1] port link-type access
[Quidway-GigabitEthernet0/0/1] quit

# Configure GE 0/0/2 as an access interface (the system view is still active after the previous quit).
[Quidway] interface gigabitethernet 0/0/2
[Quidway-GigabitEthernet0/0/2] port link-type access
[Quidway-GigabitEthernet0/0/2] quit

# Configure GE 0/0/3 as an access interface.
[Quidway] interface gigabitethernet 0/0/3
[Quidway-GigabitEthernet0/0/3] port link-type access
[Quidway-GigabitEthernet0/0/3] quit

# Configure GE 0/0/4 as an access interface.
[Quidway] interface gigabitethernet 0/0/4
[Quidway-GigabitEthernet0/0/4] port link-type access
[Quidway-GigabitEthernet0/0/4] quit

Step 2 Configure VLAN 2.


# Create VLAN 2.
[Quidway] vlan 2

# Add GE 0/0/1 and GE 0/0/2 to VLAN 2.


[Quidway-vlan2] port gigabitethernet 0/0/1 0/0/2
[Quidway-vlan2] quit

Step 3 Configure VLAN 3.


# Create VLAN 3.
[Quidway] vlan 3

# Add GE 0/0/3 and GE 0/0/4 to VLAN 3.


[Quidway-vlan3] port gigabitethernet 0/0/3 0/0/4
[Quidway-vlan3] quit

Step 4 Configure VLAN 4.
# Configure the super-VLAN.
[Quidway] vlan 4
[Quidway-vlan4] aggregate-vlan
[Quidway-vlan4] access-vlan 2 to 3
[Quidway-vlan4] quit

# Configure the VLANIF interface.
[Quidway] interface vlanif 4
[Quidway-Vlanif4] ip address 100.1.1.12 255.255.255.0
[Quidway-Vlanif4] quit


Step 5 Configure the PCs.


Configure an IP address for each PC. Ensure that the PC IP addresses are in the same network
segment as VLAN 4.
When the configuration is complete, the PCs and the Switch can ping each other, but the PCs in
VLAN 2 and the PCs in VLAN 3 cannot ping each other.
Step 6 Configure proxy ARP.
[Quidway] interface vlanif 4
[Quidway-Vlanif4] arp-proxy inter-sub-vlan-proxy enable

Step 7 Verify the configuration.


When the configuration is complete, the PCs in VLAN 2 and VLAN 3 can ping each other.
----End

Configuration Files
Configuration file of the Switch
#
sysname Quidway
#
vlan batch 2 to 4
#
vlan 4
aggregate-vlan
access-vlan 2 to 3
#
interface Vlanif4
ip address 100.1.1.12 255.255.255.0
arp-proxy inter-sub-vlan-proxy enable
#
interface GigabitEthernet0/0/1
port link-type access
port default vlan 2
#
interface GigabitEthernet0/0/2
port link-type access
port default vlan 2
#
interface GigabitEthernet0/0/3
port link-type access
port default vlan 3
#
interface GigabitEthernet0/0/4
port link-type access
port default vlan 3
#
return

Example for Configuring MUX VLAN


MUX VLAN isolates Layer 2 traffic of different interfaces in a VLAN. It allows some employees
of an enterprise to communicate with each other and isolates other employees from each other.

Networking Requirements
On an enterprise network shown in Figure 3-18, all employees can access the enterprise server.
Some employees need to communicate with each other, whereas other employees must be
isolated from each other.
To meet these requirements, the administrator can add employees that need to be isolated to
different VLANs, and configure inter-VLAN communication to allow employees to access the
enterprise server. However, if the enterprise has a large number of employees, this method wastes
VLAN IDs and imposes additional configuration workload on the network administrator.
MUX VLAN can be configured on the Switch to meet the enterprise's requirements using fewer
VLAN IDs. In addition, MUX VLAN reduces the configuration workload of the network
administrator, and facilitates network maintenance.
Figure 3-18 MUX VLAN configuration (figure: Switch; Eth0/0/1 to HostA in VLAN2; Eth0/0/2 and Eth0/0/3 to HostB and HostC in VLAN3; Eth0/0/4 and Eth0/0/5 to HostD and HostE in VLAN4)

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure the principal VLAN.
2. Configure the group VLAN.
3. Configure the separate VLAN.
4. Add interfaces to the VLANs and enable the MUX VLAN function.

Data Preparation
To complete the configuration, you need the following data:
l VLAN to which GE 0/0/1 belongs: VLAN 2
l VLAN to which GE 0/0/2 and GE 0/0/3 belong: VLAN 3
l VLAN to which GE 0/0/4 and GE 0/0/5 belong: VLAN 4

Procedure
Step 1 Configure the MUX VLAN.
# Create VLAN 2, VLAN 3, and VLAN 4.
<Quidway> system-view
[Quidway] vlan batch 2 3 4
[Quidway] quit


# Configure the principal VLAN, subordinate VLANs, and interfaces.


<Quidway> system-view
[Quidway] vlan 2
[Quidway-vlan2] mux-vlan
[Quidway-vlan2] subordinate group 3
[Quidway-vlan2] subordinate separate 4
[Quidway-vlan2] quit
[Quidway] interface gigabitethernet 0/0/1
[Quidway-GigabitEthernet0/0/1] port link-type access
[Quidway-GigabitEthernet0/0/1] port default vlan 2
[Quidway-GigabitEthernet0/0/1] port mux-vlan enable
[Quidway-GigabitEthernet0/0/1] quit
[Quidway] interface gigabitethernet 0/0/2
[Quidway-GigabitEthernet0/0/2] port link-type access
[Quidway-GigabitEthernet0/0/2] port default vlan 3
[Quidway-GigabitEthernet0/0/2] port mux-vlan enable
[Quidway-GigabitEthernet0/0/2] quit
[Quidway] interface gigabitethernet 0/0/3
[Quidway-GigabitEthernet0/0/3] port link-type access
[Quidway-GigabitEthernet0/0/3] port default vlan 3
[Quidway-GigabitEthernet0/0/3] port mux-vlan enable
[Quidway-GigabitEthernet0/0/3] quit
[Quidway] interface gigabitethernet 0/0/4
[Quidway-GigabitEthernet0/0/4] port link-type access
[Quidway-GigabitEthernet0/0/4] port default vlan 4
[Quidway-GigabitEthernet0/0/4] port mux-vlan enable
[Quidway-GigabitEthernet0/0/4] quit
[Quidway] interface gigabitethernet 0/0/5
[Quidway-GigabitEthernet0/0/5] port link-type access
[Quidway-GigabitEthernet0/0/5] port default vlan 4
[Quidway-GigabitEthernet0/0/5] port mux-vlan enable
[Quidway-GigabitEthernet0/0/5] quit

Step 2 Verify the configuration.


l Host A can ping Hosts B to E. Hosts B to E can also ping Host A.
l Host B and Host C can ping each other.
l Host D and Host E cannot ping each other.
l Host B and Host C cannot ping Host D or Host E. Host D and Host E cannot ping Host B or Host C.
----End

Configuration Files
Configuration file of the Switch
#
sysname Quidway
#
vlan batch 2 to 4
#
vlan 2
mux-vlan
subordinate group 3
subordinate separate 4
#
interface GigabitEthernet0/0/1
port link-type access
port default vlan 2
port mux-vlan enable
#
interface GigabitEthernet0/0/2
port link-type access
port default vlan 3
port mux-vlan enable
#
interface GigabitEthernet0/0/3
port link-type access
port default vlan 3
port mux-vlan enable
#
interface GigabitEthernet0/0/4
port link-type access
port default vlan 4
port mux-vlan enable
#
interface GigabitEthernet0/0/5
port link-type access
port default vlan 4
port mux-vlan enable
#
return
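A Layer 2 reachability model of this MUX VLAN example, added here as an illustration and not part of the Huawei guide. It encodes the forwarding rules the verification step relies on (principal VLAN members reach everyone, group VLAN members reach each other and the principal, separate VLAN members reach only the principal) and reproduces the ping results listed above; the host-to-interface mapping follows Figure 3-18 and the rule encoding is this example's own assumption.

```python
"""Reachability model for the MUX VLAN example (principal VLAN 2,
group VLAN 3, separate VLAN 4).  Added example, not Huawei code."""
from dataclasses import dataclass
from typing import Dict, Set, Tuple

PRINCIPAL, GROUP, SEPARATE = "principal", "group", "separate"


@dataclass(frozen=True)
class MuxPort:
    name: str   # access interface configured with "port mux-vlan enable"
    vlan: int   # its "port default vlan"
    role: str   # derived from the mux-vlan / subordinate configuration


def build_ports(principal: int, group_vlans: Set[int], separate_vlans: Set[int],
                port_vlans: Dict[str, int]) -> Dict[str, MuxPort]:
    """Map interface name -> MuxPort from the 'subordinate group/separate' settings."""
    ports = {}
    for name, vlan in port_vlans.items():
        if vlan == principal:
            role = PRINCIPAL
        elif vlan in group_vlans:
            role = GROUP
        elif vlan in separate_vlans:
            role = SEPARATE
        else:
            raise ValueError(f"{name}: VLAN {vlan} is not part of the MUX VLAN")
        ports[name] = MuxPort(name, vlan, role)
    return ports


def can_reach(a: MuxPort, b: MuxPort) -> bool:
    """True if Layer 2 traffic may flow between the two interfaces (assumed rules)."""
    if a.name == b.name:
        return True
    # Every subordinate interface may talk to the principal VLAN (the server side).
    if PRINCIPAL in (a.role, b.role):
        return True
    # Interfaces in the same group VLAN may talk to each other.
    if a.role == GROUP and b.role == GROUP and a.vlan == b.vlan:
        return True
    # Separate-VLAN interfaces are isolated from everything but the principal,
    # and different subordinate VLANs are isolated from each other.
    return False


# Topology of Figure 3-18 (host names from the figure, VLANs from Data Preparation).
HOST_PORT = {"HostA": "GE0/0/1", "HostB": "GE0/0/2", "HostC": "GE0/0/3",
             "HostD": "GE0/0/4", "HostE": "GE0/0/5"}
PORTS = build_ports(principal=2, group_vlans={3}, separate_vlans={4},
                    port_vlans={"GE0/0/1": 2, "GE0/0/2": 3, "GE0/0/3": 3,
                                "GE0/0/4": 4, "GE0/0/5": 4})


def ping(src_host: str, dst_host: str) -> bool:
    """Model a ping between two hosts of Figure 3-18."""
    return can_reach(PORTS[HOST_PORT[src_host]], PORTS[HOST_PORT[dst_host]])


def reachability_matrix() -> Dict[Tuple[str, str], bool]:
    """Every ordered host pair -> reachable, for comparison with Step 2 above."""
    hosts = sorted(HOST_PORT)
    return {(s, d): ping(s, d) for s in hosts for d in hosts if s != d}


if __name__ == "__main__":
    for (s, d), ok in sorted(reachability_matrix().items()):
        print(f"{s} -> {d}: {'reachable' if ok else 'isolated'}")
```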

Example for Configuring a Voice VLAN in Auto Mode


In this example, voice traffic is transmitted within a specific VLAN (voice VLAN). If a voice
device fails or exits from the network, the interface connected to the voice device will exit from
the voice VLAN after a specified period of time.

Networking Requirements
Data flows of the high speed Internet (HSI), VoIP, and IPTV services are transmitted on a
network. Users require high quality of VoIP services; therefore, voice data flows must be
transmitted with a high priority.
As shown in Figure 3-19, after a voice VLAN is configured on the Switch, the Switch checks
whether a data flow received by GigabitEthernet0/0/1 is a voice data flow based on the source
MAC address of the flow. If the data flow is a voice data flow, the Switch changes the priority
of the flow and transmits it in the voice VLAN. If not, the Switch transmits the flow in a common
VLAN without changing the priority of the flow. GigabitEthernet0/0/1 needs to be automatically
added to or deleted from the voice VLAN.


Figure 3-19 Configuring a voice VLAN in auto mode (figure: DHCP Server and Internet behind the Switch; Switch GE 0/0/1 connected to a LAN Switch that serves HSI, VoIP, and IPTV)

Configuration Roadmap
The configuration roadmap is as follows:
1. Create VLANs.
2. Configure the link type and default VLAN of the interface.
3. Enable the voice VLAN on the interface.
4. Set the voice VLAN mode to auto.
5. Set the OUI of the voice VLAN.
6. Set the aging time of the voice VLAN.
7. Set the security mode of the voice VLAN.

Data Preparation
To complete the configuration, you need the following data:
l Voice VLAN and VLAN through which the IP phone applies for an IP address: VLAN 2 and VLAN 6
l OUI and mask: 0011-2200-0000 and ffff-ff00-0000
l Aging time of the voice VLAN: 100 minutes
l The default VLAN of GigabitEthernet0/0/1: VLAN 6


Procedure
Step 1 Create VLANs and configure the interface on the Switch.
# Create VLAN 2 and VLAN 6.
<Quidway> system-view
[Quidway] vlan batch 2 6

# Configure the link type and default VLAN of the interface.


[Quidway] interface gigabitethernet 0/0/1
[Quidway-GigabitEthernet0/0/1] port hybrid pvid vlan 6
[Quidway-GigabitEthernet0/0/1] port hybrid untagged vlan 6
[Quidway-GigabitEthernet0/0/1] quit

Step 2 Configure the voice VLAN on the Switch.


# Configure the voice VLAN on the interface.
[Quidway] interface gigabitethernet 0/0/1
[Quidway-GigabitEthernet0/0/1] voice-vlan 2 enable

# Set the voice VLAN mode to auto so that the interface can be automatically added to or deleted
from the voice VLAN.
[Quidway-GigabitEthernet0/0/1] voice-vlan mode auto
[Quidway-GigabitEthernet0/0/1] quit

# Set the OUI of the voice VLAN.


[Quidway] voice-vlan mac-address 0011-2200-0000 mask ffff-ff00-0000

# Set the aging time of the voice VLAN.


[Quidway] voice-vlan aging-time 100

# Set the security mode of the voice VLAN (the command runs in the interface view).
[Quidway] interface gigabitethernet 0/0/1
[Quidway-GigabitEthernet0/0/1] voice-vlan security enable
[Quidway-GigabitEthernet0/0/1] quit

Step 3 Verify the configuration.


Run the display voice-vlan oui command to check the OUI of the voice VLAN.
<Quidway> display voice-vlan oui
--------------------------------------------------
OuiAddress          Mask                Description
--------------------------------------------------
0011-2200-0000      ffff-ff00-0000

Run the display voice-vlan 2 status command to check the voice VLAN mode, voice VLAN
security mode, and voice VLAN aging time.
<Quidway> display voice-vlan 2 status
Voice VLAN Configurations:
--------------------------------------------------
Voice VLAN ID           : 2
Voice VLAN status       : Enable
Voice VLAN aging time   : 100 (minutes)
Voice VLAN 8021p remark : 6
Voice VLAN dscp remark  : 46
----------------------------------------------------------
Port Information:
----------------------------------------------------------
Port                    Add-Mode    Security-Mode    Legacy
----------------------------------------------------------
GigabitEthernet0/0/1    Auto        Security         Disable

----End

Configuration Files
Configuration file of the Switch
#
sysname Quidway
#
vlan batch 2 6
#
voice-vlan aging-time 100
#
voice-vlan mac-address 0011-2200-0000 mask ffff-ff00-0000
#
interface GigabitEthernet0/0/1
port hybrid pvid vlan 6
port hybrid untagged vlan 6
voice-vlan 2 enable
#
return

Example for Configuring a Voice VLAN in Manual Mode


In manual voice VLAN mode, an interface with voice VLAN enabled can forward voice data
packets only after the interface is manually added to the voice VLAN.

Networking Requirements
Data flows of the high speed Internet (HSI), VoIP, and IPTV services are transmitted on a
network. Users require high quality of VoIP services; therefore, voice data flows must be
transmitted with a high priority.
As shown in Figure 3-20, after a voice VLAN is configured on the Switch, the Switch checks
whether a data flow received by GigabitEthernet0/0/1 is a voice data flow based on the source
MAC address of the data flow. If the data flow is a voice data flow, the Switch changes the
priority of the flow and transmits it in the voice VLAN. If not, the Switch transmits the flow in
a common VLAN without changing the priority of the flow. GigabitEthernet0/0/1 needs to be
manually added to or deleted from the voice VLAN.


Figure 3-20 Configuring a voice VLAN in manual mode (figure: DHCP Server and Internet behind the Switch; Switch GE 0/0/1 connected to a LAN Switch that serves HSI, VoIP, and IPTV)

Configuration Roadmap
The configuration roadmap is as follows:
1. Create VLANs.
2. Configure the link type and default VLAN of the interface.
3. Enable the voice VLAN on the interface.
4. Set the voice VLAN mode to manual.
5. Set the OUI of the voice VLAN.
6. Set the security mode of the voice VLAN.
7. Add the interface to the voice VLAN.

Data Preparation
To complete the configuration, you need the following data:
l Voice VLAN and VLAN through which the IP phone applies for an IP address: VLAN 2 and VLAN 6
l OUI and mask: 0011-2200-0000 and ffff-ff00-0000
l The default VLAN of GigabitEthernet0/0/1: VLAN 6

Procedure
Step 1 Create VLANs and configure the interface on the Switch.
# Create VLAN 2 and VLAN 6.
<Quidway> system-view
[Quidway] vlan batch 2 6

# Configure the link type and default VLAN of the interface.


[Quidway] interface gigabitethernet 0/0/1
[Quidway-GigabitEthernet0/0/1] port hybrid pvid vlan 6
[Quidway-GigabitEthernet0/0/1] port hybrid untagged vlan 6
[Quidway-GigabitEthernet0/0/1] quit

Step 2 Configure the voice VLAN on the Switch.


# Configure the voice VLAN on the interface.
[Quidway] interface gigabitethernet 0/0/1
[Quidway-GigabitEthernet0/0/1] voice-vlan 2 enable

# Set the voice VLAN mode to manual and add the interface to the voice VLAN.
[Quidway-GigabitEthernet0/0/1] voice-vlan mode manual
[Quidway-GigabitEthernet0/0/1] port hybrid tagged vlan 2
[Quidway-GigabitEthernet0/0/1] quit

# Set the OUI of the voice VLAN.


[Quidway] voice-vlan mac-address 0011-2200-0000 mask ffff-ff00-0000

# Set the security mode of the voice VLAN (the command runs in the interface view).
[Quidway] interface gigabitethernet 0/0/1
[Quidway-GigabitEthernet0/0/1] voice-vlan security enable
[Quidway-GigabitEthernet0/0/1] quit

Step 3 Verify the configuration.


Run the display voice-vlan oui command to check the OUI of the voice VLAN.
<Quidway> display voice-vlan oui
--------------------------------------------------
OuiAddress          Mask                Description
--------------------------------------------------
0011-2200-0000      ffff-ff00-0000

Run the display voice-vlan 2 status command to check voice VLAN mode, security mode, and
voice VLAN aging time.
<Quidway> display voice-vlan 2 status
Voice VLAN Configurations:
--------------------------------------------------
Voice VLAN ID           : 2
Voice VLAN status       : Enable
Voice VLAN aging time   : 1440(minutes)
Voice VLAN 8021p remark : 6
Voice VLAN dscp remark  : 46
----------------------------------------------------------
Port Information:
----------------------------------------------------------
Port                    Add-Mode    Security-Mode    Legacy
----------------------------------------------------------
GigabitEthernet0/0/1    Manual      Security         Disable

----End

Configuration Files
Configuration file of the Switch
#
sysname Quidway
#
vlan batch 2 6
#
voice-vlan mac-address 0011-2200-0000 mask ffff-ff00-0000
#
interface GigabitEthernet0/0/1
port hybrid pvid vlan 6
port hybrid tagged vlan 2
port hybrid untagged vlan 6
voice-vlan 2 enable
voice-vlan mode manual
#
return
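The source-MAC classification that both voice VLAN examples above depend on, as an added example (not Huawei code): it parses the guide's MAC notation, applies the OUI and mask from Data Preparation, and moves matching frames into voice VLAN 2 with the 802.1p 6 / DSCP 46 remark values shown by display voice-vlan 2 status, leaving everything else in the default VLAN 6 untouched. The Frame and VoiceVlanPolicy types and the sample MAC addresses are constructs of this example.

```python
"""Voice VLAN classification by source MAC OUI.  Added example, not Huawei
code; frame and policy types are this example's own constructs."""
import re
from dataclasses import dataclass, replace
from typing import Tuple

HUAWEI_MAC = re.compile(r"^[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}$")


def parse_mac(text: str) -> int:
    """Convert 'xxxx-xxxx-xxxx' (the guide's notation) to a 48-bit integer."""
    if not HUAWEI_MAC.match(text):
        raise ValueError(f"not a Huawei-format MAC address: {text!r}")
    return int(text.replace("-", ""), 16)


@dataclass(frozen=True)
class VoiceVlanPolicy:
    """Values from the example configuration and its display output."""
    voice_vlan: int = 2                    # voice-vlan 2 enable
    default_vlan: int = 6                  # port hybrid pvid vlan 6
    ouis: Tuple[Tuple[str, str], ...] = (  # voice-vlan mac-address ... mask ...
        ("0011-2200-0000", "ffff-ff00-0000"),)
    dot1p_remark: int = 6                  # Voice VLAN 8021p remark : 6
    dscp_remark: int = 46                  # Voice VLAN dscp remark  : 46

    def is_voice_source(self, src_mac: str) -> bool:
        """OUI match under the mask.  Note that the decision rests only on the
        source MAC field of the frame; it classifies, it does not authenticate."""
        mac = parse_mac(src_mac)
        for oui, mask in self.ouis:
            m = parse_mac(mask)
            if mac & m == parse_mac(oui) & m:
                return True
        return False


@dataclass(frozen=True)
class Frame:
    src_mac: str
    vlan: int            # VLAN the Switch forwards the frame in
    dot1p: int = 0
    dscp: int = 0


def classify(frame: Frame, policy: VoiceVlanPolicy) -> Frame:
    """Return the frame as GigabitEthernet0/0/1 would forward it."""
    if policy.is_voice_source(frame.src_mac):
        # Voice flow: moved into the voice VLAN with raised priority.
        return replace(frame, vlan=policy.voice_vlan,
                       dot1p=policy.dot1p_remark, dscp=policy.dscp_remark)
    # Any other flow: common (default) VLAN, priority unchanged.
    return replace(frame, vlan=policy.default_vlan)


if __name__ == "__main__":
    policy = VoiceVlanPolicy()
    # Constructed sample frames: an IP phone and a PC behind the LAN switch.
    for f in (Frame("0011-2233-4455", vlan=0), Frame("0011-2300-0001", vlan=0)):
        print(classify(f, policy))
```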

3.4 GVRP Configuration


This chapter describes basic GVRP concepts, GVRP configuration procedures, and concludes
with a GVRP configuration example.

3.4.1 GVRP Overview


This section explains the concepts of Generic Attribute Registration Protocol (GARP) and GARP
VLAN Registration Protocol (GVRP), and how they relate to each other.

GVRP
GVRP is an application of GARP that maintains and propagates VLAN registration information
to other devices.

GARP
GARP enables member switches on a LAN to distribute, transmit, and register information such
as VLAN information and multicast addresses with one another.
GARP is not an entity on a device. GARP-compliant entities are called GARP participants.
GVRP is a GARP application. When a GARP application runs on an interface, the interface is
considered a GARP participant.
l GARP messages
  GARP members transmit VLAN registration information by exchanging GARP messages. The three main GARP messages are Join, Leave, and LeaveAll.
  - Join messages: When a GARP participant expects other devices to register its attributes, it sends Join messages to other devices. When the GARP participant receives a Join message from another participant or is statically configured with attributes, it also sends Join messages to other devices for the devices to register the new attributes.
  - Leave messages: When a GARP participant expects other devices to deregister its attributes, it sends Leave messages to other devices. When the GARP participant receives a Leave message from another participant or some of its attributes are statically deregistered, it also sends Leave messages to other devices.
  - LeaveAll messages: When a GARP participant is enabled, the LeaveAll timer is started. When the LeaveAll timer expires, the GARP participant sends LeaveAll messages to request other GARP participants to deregister all the attributes of the sender. Then other participants can re-register the attributes.
  The Join, Leave, and LeaveAll messages are used to control registration and deregistration of attributes. Through GARP messages, all attributes that need to be registered are sent to all the GARP-enabled devices on the same LAN.
l GARP timers
  GARP timers control the intervals at which GARP messages are sent. GARP defines four timers to control the intervals for sending GARP messages.
  - Hold timer: When a GARP participant receives a registration message from another participant, it does not send the registration message in a Join message to other participants immediately. Instead, the participant starts the Hold timer. When the Hold timer expires, the participant packs all the registration messages received within this period in a Join message and sends the Join message to other participants. The Hold timer helps reduce bandwidth usage on the network.
  - Join timer: To ensure reliable transmission of Join messages, a participant can send each Join message twice. If the participant does not receive a response after sending the Join message the first time, it sends the Join message again. The Join timer specifies the interval between the two Join messages.
  - Leave timer: When a GARP participant expects other participants to deregister its attribute, it sends Leave messages to other participants. When another participant receives the Leave message, it starts the Leave timer. If the participant does not receive any Join message before the Leave timer expires, it deregisters the attributes of the Leave message sender.
  - LeaveAll timer: When a GARP participant is enabled, the LeaveAll timer is started. When the LeaveAll timer expires, the GARP participant sends LeaveAll messages to request other GARP participants to re-register all its attributes. Then the LeaveAll timer restarts.
  NOTE
  l The GARP timers apply to all GARP participants (such as GVRP) on the same LAN.
  l The Hold timer, Join timer, and Leave timer must be set individually on each interface, whereas the LeaveAll timer is set globally and takes effect on all interfaces of a device.
  l Devices on a network may have different settings for the LeaveAll timer. In this case, all the devices use the smallest LeaveAll timer value on the network. When the LeaveAll timer of a device expires, the device sends LeaveAll messages to other devices. After other devices receive the LeaveAll messages, they reset their LeaveAll timers. Therefore, only the LeaveAll timer with the smallest value takes effect even if devices have different settings for the LeaveAll timer.

l GARP operation process
  Through GARP, the configuration information of a GARP member can be propagated on the entire LAN. A GARP member may be a terminal workstation or a bridge. A GARP member sends an attribute declaration or an attribute reclaim declaration to request other GARP members to register or deregister its attributes. The GARP member can also register or deregister attributes of other members when receiving attribute declarations or attribute reclaim declarations from other members. When an interface receives an attribute declaration, it registers the attribute. When the interface receives an attribute reclaim declaration, the interface deregisters the attribute.
  PDUs sent from a GARP participant use a multicast MAC address as the destination MAC address. When a device receives a packet from a GARP participant, the device identifies the packet according to the destination MAC address of the packet and sends the packet to the corresponding GARP participant (such as GVRP).
l Format of a GARP packet
  Figure 3-21 shows the format of a GARP packet.


Figure 3-21 Format of a GARP packet (figure: Ethernet frame of DA, SA, length, DSAP, SSAP, Ctrl, and PDU; GARP PDU structure of Protocol ID, Message 1 to Message N, and End Mark; Message structure of Attribute Type and Attribute List; Attribute List structure of Attribute 1 to Attribute N and End Mark; Attribute structure of Attribute Length, Attribute Event, and Attribute Value)

The following table describes the fields in a GARP packet.

Field: Protocol ID
Description: Indicates the protocol ID.
Value: The value is 1.

Field: Message
Description: Indicates the messages in the packet. A message consists of the Attribute Type and Attribute List fields.

Field: Attribute Type
Description: Indicates the type of an attribute, which is defined by the GARP application.
Value: The value is 0x01 for GVRP, indicating that the attribute value is a VLAN ID.

Field: Attribute List
Description: Indicates the attribute list, which consists of multiple attributes.

Field: Attribute
Description: Indicates an attribute, which consists of the Attribute Length, Attribute Event, and Attribute Value fields.

Field: Attribute Length
Description: Indicates the length of an attribute.
Value: The value ranges from 2 to 255, in bytes.

Field: Attribute Event
Description: Indicates the event that an attribute describes.
Value: The value can be:
l 0: LeaveAll event
l 1: JoinEmpty event
l 2: JoinIn event
l 3: LeaveEmpty event
l 4: LeaveIn event
l 5: Empty event

Field: Attribute Value
Description: Indicates the value of an attribute.
Value: The value is a VLAN ID for GVRP. This field is invalid in a LeaveAll attribute.

Field: End Mark
Description: Indicates the end of a GARP PDU.
Value: The value is 0x00.
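The following added Python parser walks the GARP PDU layout of Figure 3-21 and the field table above (Protocol ID, messages of Attribute Type plus Attribute List, attributes of Length, Event and Value, End Marks), rejecting malformed lengths and events rather than decoding them partially. It is not Huawei code; the 2-byte Protocol ID width, the GVRP group MAC address and the LLC SAP 0x42 are taken from IEEE 802.1D/802.1Q rather than from this page, and the sample PDU and frame are constructed for the example.

```python
import struct
from dataclasses import dataclass, field
from typing import List, Optional

GARP_PROTOCOL_ID = 1           # Protocol ID field: "The value is 1"
END_MARK = 0x00                # closes an attribute list, and closes the PDU
GVRP_ATTRIBUTE_TYPE = 0x01     # attribute value is a VLAN ID
EVENT_NAMES = {0: "LeaveAll", 1: "JoinEmpty", 2: "JoinIn",
               3: "LeaveEmpty", 4: "LeaveIn", 5: "Empty"}
# From IEEE 802.1D/802.1Q, not from the page: GVRP group MAC and the LLC SAP used by GARP
GVRP_DEST_MAC = bytes.fromhex("0180c2000021")
GARP_LLC_SAP = 0x42

class GarpParseError(ValueError):
    """Malformed PDU: a receiver should drop the frame rather than act on a partial decode."""

@dataclass
class Attribute:
    event: int
    value: bytes
    vlan_id: Optional[int] = None   # decoded only for GVRP attributes that carry a value

@dataclass
class Message:
    attribute_type: int
    attributes: List[Attribute] = field(default_factory=list)

def parse_garp_pdu(pdu: bytes) -> List[Message]:
    """Parse Protocol ID, then Message 1..N (Attribute Type + Attribute List), up to the PDU End Mark."""
    if len(pdu) < 3:
        raise GarpParseError("PDU too short")
    (proto,) = struct.unpack_from("!H", pdu, 0)        # Protocol ID is 2 bytes (IEEE 802.1D)
    if proto != GARP_PROTOCOL_ID:
        raise GarpParseError(f"unexpected Protocol ID {proto}")
    pos, messages = 2, []
    while pos < len(pdu):
        attr_type = pdu[pos]
        pos += 1
        if attr_type == END_MARK:                       # End Mark where a type would be: PDU ends
            return messages
        msg = Message(attr_type)
        while pos < len(pdu):
            length = pdu[pos]
            if length == END_MARK:                      # End Mark closes this attribute list
                pos += 1
                break
            # Attribute Length counts the Length byte itself: 2..255, and 2 means Length + Event only
            if length < 2 or pos + length > len(pdu):
                raise GarpParseError(f"bad Attribute Length {length} at offset {pos}")
            event = pdu[pos + 1]
            if event not in EVENT_NAMES:
                raise GarpParseError(f"unknown Attribute Event {event}")
            attr = Attribute(event, bytes(pdu[pos + 2:pos + length]))
            # For GVRP the value is a VLAN ID; the field is invalid (ignored) in a LeaveAll attribute
            if attr_type == GVRP_ATTRIBUTE_TYPE and event != 0:
                if len(attr.value) != 2:
                    raise GarpParseError("GVRP Attribute Value must be a 2-byte VLAN ID")
                attr.vlan_id = struct.unpack("!H", attr.value)[0]
                if not 1 <= attr.vlan_id <= 4094:
                    raise GarpParseError(f"VLAN ID {attr.vlan_id} out of range")
            msg.attributes.append(attr)
            pos += length
        else:
            raise GarpParseError("Attribute List truncated before End Mark")
        messages.append(msg)
    raise GarpParseError("PDU truncated before End Mark")

def garp_pdu_from_frame(frame: bytes) -> bytes:
    """Strip the DA, SA, Length and DSAP/SSAP/Ctrl headers of Figure 3-21 and return the GARP PDU."""
    if len(frame) < 17:
        raise GarpParseError("frame too short")
    length = struct.unpack_from("!H", frame, 12)[0]    # IEEE 802.3 Length field
    if frame[0:6] != GVRP_DEST_MAC or frame[14] != GARP_LLC_SAP or frame[15] != GARP_LLC_SAP:
        raise GarpParseError("not a GVRP frame")        # the DA identifies the GARP application
    if length < 3 or 14 + length > len(frame):
        raise GarpParseError("bad 802.3 Length field")
    return frame[17:14 + length]                        # PDU follows the 3-byte LLC header

# Constructed sample: one GVRP message with JoinIn VLAN 100, LeaveAll, and LeaveEmpty VLAN 200
SAMPLE_GVRP_PDU = bytes([
    0x00, 0x01,              # Protocol ID = 1
    0x01,                    # Attribute Type = 0x01 (GVRP)
    0x04, 0x02, 0x00, 0x64,  # Attribute Length 4, Event 2 (JoinIn), Value = VLAN 100
    0x02, 0x00,              # Attribute Length 2, Event 0 (LeaveAll), no value
    0x04, 0x03, 0x00, 0xC8,  # Attribute Length 4, Event 3 (LeaveEmpty), Value = VLAN 200
    0x00,                    # End Mark of the Attribute List
    0x00,                    # End Mark of the PDU
])
# Constructed frame around it: GVRP group DA, a made-up SA, Length = LLC (3) + PDU, LLC 42 42 03
SAMPLE_FRAME = (GVRP_DEST_MAC + bytes.fromhex("001122334455")
                + struct.pack("!H", 3 + len(SAMPLE_GVRP_PDU))
                + bytes([GARP_LLC_SAP, GARP_LLC_SAP, 0x03]) + SAMPLE_GVRP_PDU)
```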

3.4.2 GVRP Features Supported by the AC6605


This section describes the GVRP features supported by the AC6605.
GVRP is an application of GARP. Based on the working mechanism of GARP, GVRP maintains
dynamic VLAN registration information in a device and propagates the registration information
to other devices.
After GVRP is enabled on the AC6605, the AC6605 can receive VLAN registration information
from other devices and dynamically update local VLAN registration information. VLAN
registration information includes which VLAN members are on the VLAN and through which
interfaces their packets can be sent to the AC6605. The AC6605 can also send the local VLAN
registration information to other devices. By exchanging VLAN registration information, all the
devices on the same LAN have the same VLAN information. The VLAN registration
information transmitted through GVRP contains both static local registration information that
is manually configured and the dynamic registration information from other devices.
A GVRP interface supports three registration modes:
l Normal: In this mode, the GVRP interface can dynamically register and deregister VLANs, and transmit dynamic VLAN registration information and static VLAN registration information.
l Fixed: In this mode, the GVRP interface is disabled from dynamically registering and deregistering VLANs and can transmit only the static registration information. If the registration mode of a trunk interface is set to fixed, the interface allows only the manually configured VLANs to pass even if it is configured to allow all the VLANs to pass.
l Forbidden: In this mode, the GVRP interface is disabled from dynamically registering and deregistering VLANs and can transmit only information about VLAN 1. If the registration mode of a trunk interface is set to forbidden, the interface allows only VLAN 1 to pass even if it is configured to allow all the VLANs to pass.
NOTE

The AC6605 supports a maximum of 4094 dynamic VLANs.


The GVRP protocol can run only in the Common and Internal Spanning Tree (CIST) instance. The interface
blocked by MSTP in the CIST instance cannot send or receive GVRP packets.


3.4.3 Configuring GVRP


This section describes how to configure the GVRP function.

Establishing the Configuration Task


Applicable Environment
On a complex Layer 2 network, GVRP enables interfaces to dynamically join or leave VLANs,
which reduces manual configuration workload.

Pre-configuration Tasks
Before configuring the GVRP function, complete the following tasks:
l Adding the GVRP interfaces to all VLANs
l Configuring the interface to send BPDUs to the CPU

Data Preparation
To configure the GVRP function, you need the following data.
l (Optional) Registration mode of GVRP interfaces
l (Optional) Values of the GARP timers

Enabling GVRP
Context
Perform the following steps on the AC6605 to enable GVRP.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
gvrp

GVRP is enabled globally.


Step 3 Run:
interface interface-type interface-number

The interface view is displayed.



Step 4 Run:
port link-type trunk

The link type of the interface is set to trunk.


Step 5 Run:
port trunk allow-pass vlan { { vlan-id1 [ to vlan-id2 ] }&<1-10> | all }

The interface is added to the specified VLANs.


Step 6 Run:
gvrp

GVRP is enabled on the interface.


By default, GVRP is disabled globally and on each interface.
NOTE

l Before enabling GVRP on an interface, you must enable GVRP globally.


l Before enabling GVRP on an interface, you must set the link type of the interface to trunk.

----End

(Optional) Setting the Registration Mode for a GVRP Interface


Context
A GVRP interface supports three registration modes:
l Normal: In this mode, the GVRP interface can dynamically register and deregister VLANs, and transmit dynamic VLAN registration information and static VLAN registration information.
l Fixed: In this mode, the GVRP interface is disabled from dynamically registering and deregistering VLANs and can transmit only the static registration information. If the registration mode of a trunk interface is set to fixed, the interface allows only the manually configured VLANs to pass even if it is configured to allow all the VLANs to pass.
l Forbidden: In this mode, the GVRP interface is disabled from dynamically registering and deregistering VLANs and can transmit only information about VLAN 1. If the registration mode of a trunk interface is set to forbidden, the interface allows only VLAN 1 even if it is configured to allow all the VLANs.
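The three registration modes, and what each lets a trunk register and pass, can be traced through in the following added Python model of the Figure 3-22 topology used by the configuration example in 3.4.5 (SwitchC GE0/0/1 fixed, every other interface normal). It is not AC6605 code: the branch VLANs 10 and 20 on SwitchA are a constructed assumption, and the model simplifies GVRP by treating a port's declaration as the switch's static VLANs plus the VLANs registered dynamically on its other ports.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

@dataclass
class Port:
    switch: str
    name: str
    mode: str                                        # "normal", "fixed" or "forbidden"
    dynamic: Set[int] = field(default_factory=set)   # VLANs registered dynamically through GVRP

def declared_vlans(static: Set[int], switch_ports: List[Port], out_port: Port) -> Set[int]:
    """VLANs a port declares to its neighbour. normal: static VLANs plus VLANs registered
    dynamically on the switch's other ports; fixed: static VLANs only; forbidden: VLAN 1 only."""
    if out_port.mode == "forbidden":
        return {1}
    vlans = set(static)
    if out_port.mode == "normal":
        for p in switch_ports:
            if p is not out_port:
                vlans |= p.dynamic
    return vlans

def register(port: Port, vlans: Set[int]) -> bool:
    """Only a normal-mode port registers VLANs dynamically; returns True if something new was learned."""
    if port.mode != "normal":
        return False                 # fixed and forbidden ignore the neighbour's declarations
    new = vlans - port.dynamic
    port.dynamic |= new
    return bool(new)

def allowed_vlans(port: Port, static: Set[int], configured: Set[int]) -> Set[int]:
    """VLANs the trunk actually passes, given the set configured with port trunk allow-pass vlan."""
    if port.mode == "forbidden":
        return {1}                   # only VLAN 1, even if allow-pass vlan all is configured
    if port.mode == "fixed":
        return set(static)           # only the manually configured VLANs
    return configured & (set(static) | port.dynamic)

def propagate(statics: Dict[str, Set[int]], ports: Dict[str, List[Port]],
              links: List[Tuple[Port, Port]], max_rounds: int = 16) -> int:
    """Exchange declarations over every link in both directions until no port learns anything new."""
    for rounds in range(1, max_rounds + 1):
        changed = False
        for a, b in links:
            for src, dst in ((a, b), (b, a)):
                changed |= register(dst, declared_vlans(statics[src.switch], ports[src.switch], src))
        if not changed:
            return rounds
    raise RuntimeError("GVRP model did not converge")

def build_figure_3_22() -> Tuple[Dict[str, Set[int]], Dict[str, List[Port]]]:
    """Figure 3-22: SwitchA GE0/0/1 -- GE0/0/1 SwitchB GE0/0/2 -- GE0/0/1 SwitchC (fixed).
    Constructed assumption: the Company A branch uses VLANs 10 and 20 on SwitchA."""
    a1, a2 = Port("SwitchA", "GE0/0/1", "normal"), Port("SwitchA", "GE0/0/2", "normal")
    b1, b2 = Port("SwitchB", "GE0/0/1", "normal"), Port("SwitchB", "GE0/0/2", "normal")
    c1, c2 = Port("SwitchC", "GE0/0/1", "fixed"), Port("SwitchC", "GE0/0/2", "normal")
    statics = {"SwitchA": {10, 20}, "SwitchB": set(), "SwitchC": set(range(101, 201))}
    ports = {"SwitchA": [a1, a2], "SwitchB": [b1, b2], "SwitchC": [c1, c2]}
    propagate(statics, ports, [(a1, b1), (b2, c1)])
    return statics, ports
```

SwitchC's fixed interface still advertises VLANs 101 to 200 into Company A, but never registers Company A's VLANs, so the registration mode decides which neighbour can extend which VLANs across the trunk.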

Perform the following steps on the AC6605 to set the registration mode for an interface.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
interface interface-type interface-number

The interface view is displayed.


Step 3 Run:
gvrp registration { fixed | forbidden | normal }

The registration mode is set for the interface.


By default, the registration type of a GVRP interface is normal.
NOTE

Before setting the registration mode for an interface, enable GVRP on the interface.

----End

(Optional) Setting the GARP Timers


Context
When a GARP participant is enabled, the LeaveAll timer is started. When the LeaveAll timer
expires, the GARP participant sends LeaveAll messages to request other GARP participants to
re-register all its attributes. Then the LeaveAll timer restarts.
Devices on a network may have different settings for the LeaveAll timer. In this case, all the
devices use the smallest LeaveAll timer value on the network. When the LeaveAll timer of a
device expires, the device sends LeaveAll messages to other devices. After other devices receive
the LeaveAll messages, they reset their LeaveAll timers. Therefore, only the LeaveAll timer
with the smallest value takes effect even if devices have different settings for the LeaveAll timer.
When using the garp timer command to set the GARP timers, pay attention to the following
points:
l The undo garp timer command restores the default values of the GARP timers. If the default value of a timer is out of the valid range, the undo garp timer command does not take effect.
l The value range of each timer changes with the values of the other timers. If a value set for a timer is not within the allowed range, change the value of the timer that determines the value range of this timer.
l To restore the default values of all the GARP timers, restore the Hold timer to the default value, and then sequentially restore the Join timer, Leave timer, and LeaveAll timer to the default values.
NOTE

It is recommended that you use the following values for the GVRP timers:
l GARP Hold timer: 100 centiseconds (1 second)
l GARP Join timer: 600 centiseconds (6 seconds)
l GARP Leave timer: 3000 centiseconds (30 seconds)
l GARP LeaveAll timer: 12000 centiseconds (2 minutes)

When the number of dynamic VLANs increases, the lengths of the GARP timers need to be increased.

Procedure
Step 1 Run:
system-view

The system view is displayed.



Step 2 Run:
garp timer leaveall timer-value

The LeaveAll timer is set.


The default value of the LeaveAll timer is 1000 centiseconds (10 seconds).
Step 3 Run:
interface interface-type interface-number

The interface view is displayed.


Step 4 Run:
garp timer { hold | join | leave } timer-value

The Hold timer, Join timer, or Leave timer is set.


By default, the value of the Hold timer is 10 centiseconds, the value of the Join timer is 20
centiseconds, and the value of the Leave timer is 60 centiseconds.
----End

Checking the Configuration


Procedure
l Run the display gvrp status command to check whether GVRP is enabled globally.
l Run the display gvrp statistics [ interface { interface-type interface-number [ to interface-type interface-number ] }&<1-10> ] command to view the GVRP statistics on an interface.
l Run the display garp timer [ interface { interface-type interface-number [ to interface-type interface-number ] }&<1-10> ] command to view the values of GARP timers.

----End

3.4.4 Maintaining GVRP


This section describes how to clear the GARP statistics.

Clearing GARP Statistics


Context

CAUTION
GARP statistics cannot be restored after being cleared.


Procedure
Step 1 Run the reset garp statistics [ interface { interface-type interface-number [ to interface-type
interface-number ] }&<1-10> ] command in the user view to clear GARP statistics on the
specified interfaces.
----End

3.4.5 Configuration Examples


This section provides a GVRP configuration example.

Example for Configuring GVRP


Networking Requirements
As shown in Figure 3-22, a branch of Company A communicates with the headquarters through
SwitchA and SwitchB. To simplify the configuration, you need to enable GVRP on all switches
of Company A and set the registration mode to normal on interfaces of these switches.
Company B communicates with Company A through SwitchB and SwitchC. To configure
switches of Company B to transmit packets of only VLANs of Company B, you need to enable
GVRP on all switches of Company B and set the registration mode to fixed on the interfaces
connected to switches of Company A.
Figure 3-22 Configuring GVRP

[Figure: SwitchA GE 0/0/1 connects to SwitchB GE 0/0/1, and SwitchB GE 0/0/2 connects to SwitchC GE 0/0/1. SwitchA GE 0/0/2 connects to the branch of Company A, and SwitchC GE 0/0/2 connects to Company B. SwitchA and SwitchB belong to Company A; SwitchC belongs to Company B.]

Configuration Roadmap
The configuration roadmap is as follows:
1. Enable GVRP globally.
2. Set the link type of the interfaces to trunk.
3. Enable GVRP on interfaces.
4. Set the registration mode of interfaces.


Data Preparation
To complete the configuration, you need the following data:
l VLANs allowed by interfaces of SwitchA, SwitchB, and SwitchC: all VLANs
l Registration mode for interfaces of SwitchA and SwitchB: normal
l Registration modes of GE 0/0/1 and GE 0/0/2 of SwitchC: fixed and normal respectively
l VLANs of Company B on SwitchC: VLAN 101 to VLAN 200

Procedure
Step 1 Configure SwitchA.
# Enable GVRP globally.
<Quidway> system-view
[Quidway] sysname SwitchA
[SwitchA] gvrp

# Set the link type of GE 0/0/1 and GE 0/0/2 to trunk and configure the interfaces to allow all
VLANs.
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan all
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan all
[SwitchA-GigabitEthernet0/0/2] quit

# Enable GVRP on the interfaces and set the registration modes of the interfaces.
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] gvrp
[SwitchA-GigabitEthernet0/0/1] gvrp registration normal
[SwitchA-GigabitEthernet0/0/1] bpdu enable
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] gvrp
[SwitchA-GigabitEthernet0/0/2] gvrp registration normal
[SwitchA-GigabitEthernet0/0/2] bpdu enable
[SwitchA-GigabitEthernet0/0/2] quit

The configuration of SwitchB is similar to the configuration of SwitchA.


Step 2 Configure SwitchC.
# Create VLAN 101 to VLAN 200.
<Quidway> system-view
[Quidway] sysname SwitchC
[SwitchC] vlan batch 101 to 200

# Enable GVRP globally.
[SwitchC] gvrp

# Set the link type of GE 0/0/1 and GE 0/0/2 to trunk and configure the interfaces to allow all
VLANs.
[SwitchC] interface gigabitethernet 0/0/1
[SwitchC-GigabitEthernet0/0/1] port link-type trunk
[SwitchC-GigabitEthernet0/0/1] port trunk allow-pass vlan all
[SwitchC-GigabitEthernet0/0/1] quit
[SwitchC] interface gigabitethernet 0/0/2
[SwitchC-GigabitEthernet0/0/2] port link-type trunk
[SwitchC-GigabitEthernet0/0/2] port trunk allow-pass vlan all
[SwitchC-GigabitEthernet0/0/2] quit

# Enable GVRP on the interfaces and set the registration modes of the interfaces.
[SwitchC] interface gigabitethernet 0/0/1
[SwitchC-GigabitEthernet0/0/1] gvrp
[SwitchC-GigabitEthernet0/0/1] gvrp registration fixed
[SwitchC-GigabitEthernet0/0/1] bpdu enable
[SwitchC-GigabitEthernet0/0/1] quit
[SwitchC] interface gigabitethernet 0/0/2
[SwitchC-GigabitEthernet0/0/2] gvrp
[SwitchC-GigabitEthernet0/0/2] gvrp registration normal
[SwitchC-GigabitEthernet0/0/2] bpdu enable
[SwitchC-GigabitEthernet0/0/2] quit

Step 3 Verify the configuration.


After the configuration is complete, the branch of Company A can communicate with the
headquarters, and users of Company A in VLAN 101 to VLAN 200 can communicate with users
in Company B.
Run the display gvrp status command on SwitchA to check whether GVRP is enabled globally.
The following information is displayed:
<SwitchA> display gvrp status
GVRP is enabled

Run the display gvrp statistics command on SwitchA to view GVRP statistics on GVRP
interfaces, including the GVRP state, number of GVRP registration failures, source MAC
address of the last GVRP PDU, and registration mode.
<SwitchA> display gvrp statistics
GVRP statistics on port GigabitEthernet0/0/1
GVRP status                  : Enabled
GVRP registrations failed    : 0
GVRP last PDU origin         : 0000-0000-0000
GVRP registration type       : Normal

Verify the configurations of SwitchB and SwitchC in the same way.


----End

Configuration Files
l Configuration file of SwitchA

#
sysname SwitchA
#
gvrp
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 2 to 4094
gvrp
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 2 to 4094
gvrp
#
return

l Configuration file of SwitchB
#
sysname SwitchB
#
gvrp
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 2 to 4094
gvrp
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 2 to 4094
gvrp
#
return

l Configuration file of SwitchC

#
sysname SwitchC
#
vlan batch 101 to 200
#
gvrp
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 2 to 4094
gvrp
gvrp registration fixed
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 2 to 4094
gvrp
#
return

3.5 MAC Address Table Configuration


This chapter provides the basics for MAC address table configuration, configuration procedure,
and configuration examples.

3.5.1 MAC Address Table Overview


This section describes the definition of the MAC address table, how MAC address entries are
generated, and how packets are forwarded based on the MAC address table.

Definition
A MAC address table is maintained on the AC6605. The MAC address table stores the MAC
addresses of other devices learned by the AC6605, the VLAN IDs, and the outbound interfaces
that are used to send data. Before forwarding a data packet, the AC6605 searches the MAC
address table based on the destination MAC address and the VLAN ID of the packet to find the
outbound interface quickly. This reduces the number of broadcast packets.

Creation of MAC Address Entries


MAC address entries can be created dynamically or manually.

l Automatic creation: MAC address entries are learned by the system automatically. The MAC address table needs to be updated constantly because the network topology always changes. The automatically created MAC address entries are not always valid and have an aging time. If an entry is not updated within the aging time, it is deleted. If the entry is updated before its aging time expires, the aging timer is reset.
l Manual creation: Automatically created MAC address entries cannot distinguish attack packets from packets of authorized users. If a hacker sets the source MAC address of attack packets to the MAC address of an authorized user and connects to another interface of the AC6605, the AC6605 learns an incorrect MAC address entry. The packets that should be forwarded to the authorized user are forwarded to the hacker. To improve interface security, you can manually create MAC address entries to bind MAC addresses of authorized users to specified interfaces. This prevents hackers from intercepting data of authorized users. Manually created MAC address entries take precedence over automatically created MAC address entries.

Classification of MAC Address Entries


MAC address entries are classified into the following types:
l Dynamic MAC address entries that are learned by an interface after MAC address learning is enabled.
l Static MAC address entries that are configured manually. Static MAC address entries take precedence over dynamic MAC address entries.
l Blackhole MAC address entries that are manually configured and used to discard data frames with the specified source or destination MAC addresses. Blackhole MAC address entries take precedence over dynamic MAC address entries.

Packet Forwarding Based on the MAC Address Table


The AC6605 forwards packets based on the MAC address table in either of the following modes:
l Unicast mode: If the destination MAC address of a packet can be found in the MAC address table, the AC6605 forwards the packet through the outbound interface specified in the matching entry.
l Broadcast mode: If a packet is a broadcast or multicast packet or its destination MAC address cannot be found in the MAC address table, the AC6605 broadcasts the packet to all the interfaces except the inbound interface of the packet.

3.5.2 MAC Address Features Supported by the AC6605


This section describes the MAC address features supported by the AC6605 and provides usage
scenarios of the features to help you complete configuration.
You can configure the following MAC address features to improve device security and control
the number of entries in the MAC address table:
l Create static MAC address entries for MAC addresses of fixed upstream devices or trusted user devices to improve communication security.
l Configure blackhole MAC address entries to protect the AC6605 from attacks.
l Set a proper aging time for dynamic MAC addresses to prevent sharp increase of dynamic MAC address entries.

You can use the following methods to improve security or meet special requirements:
l Disable MAC address learning. This method can be used on a network where the topology seldom changes or forwarding paths are specified in static MAC address entries. This method prevents users with unknown MAC addresses from accessing the network, protects the network from MAC address attacks, and improves network security.
l Limit the number of MAC addresses that can be learned. MAC address limiting protects the AC6605 from MAC address attacks on an insecure network.
l Enable port security. If a network requires high security, port security can be configured on the interfaces connected to trusted devices. The port security function prevents devices with untrusted MAC addresses from accessing these interfaces and improves device security.
l Configure MAC spoofing defense. This function ensures that a MAC address learned on an interface will not be learned on other interfaces, protecting the system against MAC spoofing attacks.
l Configure MAC address flapping detection. This function reduces the impact of loops on the AC6605.
l Discard packets with an all-zero MAC address. A faulty device may send packets with an all-zero source or destination MAC address to the AC6605. You can configure the AC6605 to discard such packets and send a trap to the network management system (NMS). You can locate the faulty device according to the trap message.
l Enable MAC address-triggered ARP entry update. This function enables the AC6605 to update the corresponding ARP entry when the outbound interface in a MAC address entry changes.

Disabling MAC Address Learning


When an AC6605 with MAC address learning enabled receives an Ethernet frame, it records
the source MAC address and inbound interface of the Ethernet frame in a MAC address entry.
When receiving other Ethernet frames destined for this MAC address, the AC6605 forwards the
frames through the outbound interface according to the MAC address entry. The MAC address
learning function reduces broadcast packets on a network.
After MAC address learning is disabled on an interface, the AC6605 does not learn source MAC
addresses of packets received by the interface.

Limiting the Number of Learned MAC Addresses


The AC6605 can limit the number of MAC addresses learned on an interface or a VLAN. When
the number of learned MAC address entries reaches the limit, the AC6605 stops learning MAC
addresses. When the AC6605 receives packets with unknown source MAC addresses, it
generates an alarm to alert you if it is configured to do so. This method protects user devices
and the network from MAC address attacks.

Port Security
The port security function changes MAC addresses learned by an interface to secure dynamic
MAC addresses or sticky MAC addresses. It prevents devices with untrusted MAC addresses
from accessing an interface and improves device security.
Differences between secure dynamic MAC addresses and sticky MAC addresses are:
l Secure dynamic MAC addresses are learned after port security is enabled and are not aged out by default. You can set the aging time for secure dynamic MAC addresses so that they can be aged out. Secure dynamic MAC addresses are lost after the device restarts, so the device needs to learn the MAC addresses again.
l Sticky MAC addresses are learned after the sticky MAC function is enabled. Sticky MAC addresses are not aged out and still exist after the AC6605 restarts.

MAC Address Flapping Detection


The AC6605 can detect MAC address flapping and perform a specified action, for example,
block the interface, to minimize the impact of MAC address flapping on the network. You can
also configure the AC6605 to only send trap messages to the network management system when
the AC6605 detects MAC address flapping.

3.5.3 Configuring a Static MAC Address Entry


A static MAC address entry specifies an outbound interface for packets destined for a specified
MAC address. Static MAC address entries protect the AC6605 from MAC address attacks.

Applicable Environment
You can configure a static MAC address entry if an interface is connected to an upstream device
or a server, as shown in Figure 3-23. Attackers may set the source MAC address of packets to
the server MAC address and send the packets to the Switch to intercept data of the server. To
protect the server and ensure communication between users and the server, you can configure a
static MAC address entry in which the destination MAC address is the server MAC address and
the outbound interface is the interface connected to the server.
Figure 3-23 Static MAC address entry configuration

[Figure: the Switch connects upstream to the Network and directly to the Server; an LSW below the Switch connects PC1 and PC2, which are in VLAN2 and VLAN4.]

Pre-configuration Tasks
None.
Data Preparation
To configure a static MAC address entry, you need the following data.
l Destination MAC address, destination outbound interface number, and ID of the VLAN to which the outbound interface belongs

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
mac-address static mac-address interface-type interface-number vlan vlan-id1

A static MAC address entry is configured.


NOTE

Static MAC address entries take precedence over dynamic MAC address entries.

----End

Checking the Configuration


Run the display mac-address static [ vlan vlan-id | interface-type interface-number ] *
[ verbose ] command to view static MAC address entries.

3.5.4 Configuring a Blackhole MAC Address Entry


You can configure a blackhole MAC address entry so that the AC6605 can discard packets with
the specified source or destination MAC address.

Applicable Environment
To protect user devices or network devices from MAC address attacks, you can configure
untrusted MAC addresses as blackhole MAC addresses. Packets with source or destination MAC
addresses matching the blackhole MAC address entries are discarded.

Pre-configuration Tasks
None.

Data Preparation
To configure a blackhole MAC address entry, you need the following data.
l Destination or source MAC address and ID of the VLAN to which the outbound interface belongs

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
mac-address blackhole mac-address [ vlan vlan-id ]

A blackhole MAC address entry is configured.


----End

Checking the Configuration


Run the display mac-address blackhole [ vlan vlan-id ] [ verbose ] command to view blackhole
MAC address entries.

3.5.5 Setting the Aging Time of Dynamic MAC Address Entries


Dynamic MAC address entries are created by the AC6605 and can be aged out. Setting an
appropriate aging time prevents sharp increase of MAC address entries.

Applicable Environment
Dynamic MAC address entries are learned by the AC6605 from source MAC addresses of
received packets. The system starts an aging timer for each dynamic MAC address entry. If a
dynamic MAC address entry is not updated within a certain period (twice the aging time), this
entry is deleted. If the entry is updated within this period, the aging timer of this entry is reset.
A shorter aging time enables the AC6605 to respond to network topology changes more quickly.
When the network topology changes frequently, the AC6605 learns many MAC addresses.
After an aging time is set for dynamic MAC address entries, the AC6605 can delete unneeded
MAC address entries.

Pre-configuration Tasks
None.

Data Preparation
To set the aging time of dynamic MAC address entries, you need the following data.
l Aging time
Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
mac-address aging-time aging-time

The aging time is set for dynamic MAC address entries.


By default, the aging time of dynamic MAC address entries is 300 seconds.
----End

Checking the Configuration


Run the display mac-address aging-time command to check the aging time of dynamic MAC
address entries.

3.5.6 Disabling MAC Address Learning


If a fixed device is connected to an interface, you can disable MAC address learning on the
interface. This prevents other devices from accessing the interface and improves device security.

Establishing the Configuration Task


Before disabling MAC address learning, familiarize yourself with the applicable environment,
complete the pre-configuration tasks, and obtain the data required for the configuration. This
will help you complete the configuration task quickly and accurately.

Applicable Environment
As shown in Figure 3-24, an interface of the Switch is connected to a server. To protect the
server, configure the server MAC address as a static MAC address, disable MAC address
learning on the interface, and configure the interface to discard the packets with unknown MAC
addresses. This configuration prevents other servers or terminals from accessing the interface
and improves network stability and security.
Figure 3-24 Disabling MAC address learning

[Figure: a Server is connected to an interface of the Switch on which mac-address learning disable is configured.]


Pre-configuration Tasks
None.

Data Preparation
To disable MAC address learning, you need the following data.
l Interface type and number
l VLAN ID

Disabling MAC Address Learning on an Interface


Disabling MAC address learning on an interface can improve security of the device connected
to the interface.

Context
When an AC6605 with MAC address learning enabled receives an Ethernet frame, it records
the source MAC address and inbound interface of the Ethernet frame in a MAC address entry.
When receiving other Ethernet frames destined for this MAC address, the AC6605 forwards the
frames through the outbound interface according to the MAC address entry. The MAC address
learning function reduces broadcast packets on a network. After MAC address learning is
disabled on an interface, the AC6605 does not learn source MAC addresses of packets received
by the interface.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
interface interface-type interface-number

The interface view is displayed.


Step 3 Run:
mac-address learning disable [ action { discard | forward } ]

MAC address learning is disabled on the interface.


By default, MAC address learning is enabled on an interface.
You can configure an action for the AC6605 to perform when a packet with an unknown MAC
address is received on the interface. By default, the AC6605 forwards such packets based on the
MAC address table. When the action is set to discard, the AC6605 searches for the source MAC
address of the packet in the MAC address table. If the source MAC address is found, the
AC6605 forwards the packet according to the MAC address entry. If the source MAC address
is not found, the AC6605 discards the packet.
NOTE

If you set the action to forward when disabling MAC address learning, untrusted terminals can still access
the network. This action only controls the number of learned MAC address entries.

----End

Disabling MAC Address Learning in a VLAN


Disabling MAC address learning in a VLAN can protect users in this VLAN from MAC address
attacks.

Context
After MAC address learning is disabled in a VLAN, the AC6605 checks source MAC addresses
of packets received by interfaces in the VLAN. If the source MAC address of a packet is in the
MAC address table, the AC6605 forwards the packet; otherwise, the AC6605 broadcasts the
packet.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
vlan vlan-id

The VLAN view is displayed.


Step 3 Run:
mac-address learning disable

MAC address learning is disabled in the VLAN.


By default, MAC address learning is enabled in a VLAN.
----End

Checking the Configuration


After disabling MAC address learning on an interface or in a VLAN, use the following
commands to verify the configuration.

Procedure
l Run the display current-configuration interface interface-type interface-number
command to view the current configuration of an interface.
l Run the display vlan command to check the VLAN configuration.

----End

3.5.7 Limiting the Number of Learned MAC Addresses


This section describes how to limit the number of MAC addresses learned on an interface or in
a VLAN.

Establishing the Configuration Task


Before limiting the number of learned MAC addresses, familiarize yourself with the applicable
environment, complete the pre-configuration tasks, and obtain the data required for the
configuration. This will help you complete the configuration task quickly and accurately.

Applicable Environment
As shown in Figure 3-25, an insecure residential network or enterprise often receives packets
with bogus MAC addresses. The capacity of a MAC address table is limited. If hackers forge a
large number of packets with different source MAC addresses and send the packets to the
Switch, the MAC address table of the Switch becomes full quickly. When the MAC address
table is full, the Switch cannot learn source MAC addresses of valid packets. A limit can be set
for the number of learned MAC addresses. When the number of learned MAC addresses reaches
the limit, the Switch stops learning MAC addresses. When the Switch receives packets with
unknown source MAC addresses, it can generate an alarm. This protects the network from MAC
address attacks.
Figure 3-25 Limiting the number of MAC addresses on an insecure network (figure not reproduced: the Switch connects to the Internet and, in VLAN 2, to LSW1 and LSW2, with MAC-Limit applied in VLAN 2)
Pre-configuration Tasks
Before limiting the number of learned MAC addresses, complete the following task:
l Deleting the existing MAC address entries from the interface or VLAN where you want to
limit the number of learned MAC addresses

Data Preparation
To limit the number of learned MAC addresses, you need the following data.
No.  Data
1    Maximum number of MAC addresses that can be learned on an interface or a VLAN

Limiting the Number of MAC Addresses Learned on an Interface


When MAC address limiting is configured on an interface and the number of learned MAC
addresses on the interface reaches the limit, the Switch stops learning MAC addresses on this
interface. When the interface receives packets with unknown source MAC addresses, the
Switch can generate an alarm. This protects the network from MAC address attacks.

Context
When the number of learned MAC addresses reaches the limit, the Switch forwards the packets
with new source MAC addresses but does not add the new MAC addresses to the MAC address
table.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
interface interface-type interface-number

The interface view is displayed.


Step 3 Run:
mac-limit maximum max-num

The maximum number of MAC addresses learned on the interface is set.


By default, the number of MAC addresses learned on an interface is not limited.
Step 4 Run:
mac-limit alarm { disable | enable }

The Switch is configured to (or not to) send a trap to the NMS when the number of learned MAC
addresses reaches the limit.
By default, the Switch sends a trap to the NMS when the number of learned MAC addresses
reaches the limit.
----End
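To make the two interface behaviours concrete, here is an added Python model (not Huawei code) of a MAC address table with per-interface mac-address learning disable { discard | forward } and mac-limit maximum with the alarm; it covers both the Disabling MAC Address Learning on an Interface procedure above and this one. Interface names, MAC addresses and frames are constructed sample values.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Interface:
    name: str
    learning: bool = True              # False after "mac-address learning disable"
    unknown_action: str = "forward"    # "action { discard | forward }" (default forward)
    mac_limit: Optional[int] = None    # "mac-limit maximum max-num"; None = unlimited
    mac_limit_alarm: bool = True       # "mac-limit alarm enable" is the default


@dataclass
class Switch:
    interfaces: Dict[str, Interface]
    # MAC address table: (vlan, mac) -> (outbound interface, entry type)
    mac_table: Dict[Tuple[int, str], Tuple[str, str]] = field(default_factory=dict)
    traps: List[str] = field(default_factory=list)

    def add_static(self, mac: str, vlan: int, ifname: str) -> None:
        self.mac_table[(vlan, mac)] = (ifname, "static")

    def dynamic_count(self, ifname: str) -> int:
        return sum(1 for out, kind in self.mac_table.values()
                   if out == ifname and kind == "dynamic")

    def receive(self, ifname: str, vlan: int, src: str, dst: str) -> str:
        """Process one frame; return 'discard', 'forward' or 'flood'."""
        port = self.interfaces[ifname]
        key = (vlan, src)
        if not port.learning:
            # Learning disabled: the source is only looked up, never learned.
            # With action discard an unknown source MAC means the frame is dropped;
            # with action forward it is still switched (untrusted hosts get through).
            if key not in self.mac_table and port.unknown_action == "discard":
                return "discard"
        elif key in self.mac_table:
            if self.mac_table[key][1] == "dynamic":
                self.mac_table[key] = (ifname, "dynamic")   # refresh / move
        elif port.mac_limit is not None and self.dynamic_count(ifname) >= port.mac_limit:
            # Limit reached: the frame is forwarded but the address is not added
            # to the table, and a trap is raised if the alarm is enabled.
            if port.mac_limit_alarm:
                self.traps.append(f"mac-limit reached on {ifname}, unknown source {src}")
        else:
            self.mac_table[key] = (ifname, "dynamic")
        # Destination lookup as usual: known -> unicast, unknown -> flood in the VLAN.
        return "forward" if (vlan, dst) in self.mac_table else "flood"


def demo() -> dict:
    """Constructed scenario: GE0/0/1 protects a server, GE0/0/2 is a user port."""
    sw = Switch({
        "GE0/0/1": Interface("GE0/0/1", learning=False, unknown_action="discard"),
        "GE0/0/2": Interface("GE0/0/2", mac_limit=2),
        "GE0/0/3": Interface("GE0/0/3", learning=False, unknown_action="forward"),
    })
    sw.add_static("0004-0004-0004", 2, "GE0/0/1")        # the protected server
    results = {}
    # Server frame: source is the static entry, broadcast destination is flooded.
    results["server"] = sw.receive("GE0/0/1", 2, "0004-0004-0004", "ffff-ffff-ffff")
    # Rogue host plugged into the server port: unknown source + discard -> dropped.
    results["rogue_discard"] = sw.receive("GE0/0/1", 2, "00aa-00aa-00aa", "0004-0004-0004")
    # Same rogue on a port whose action is forward: still switched (see the NOTE).
    results["rogue_forward"] = sw.receive("GE0/0/3", 2, "00aa-00aa-00aa", "0004-0004-0004")
    # User port with mac-limit 2: the third host is forwarded but not learned.
    for mac in ("0002-0002-0002", "0003-0003-0003", "0005-0005-0005"):
        results["third_host"] = sw.receive("GE0/0/2", 2, mac, "0004-0004-0004")
    results["learned_on_ge2"] = sw.dynamic_count("GE0/0/2")
    results["traps"] = len(sw.traps)
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```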

Limiting the Number of MAC Addresses Learned in a VLAN


When MAC address limiting is configured in a VLAN and the number of learned MAC addresses
in the VLAN reaches the limit, the AC6605 stops learning MAC addresses in this VLAN. When
an interface in the VLAN receives packets with unknown source MAC addresses, the Switch can
generate an alarm. This protects the network from MAC address attacks.

Context
When the number of learned MAC addresses reaches the limit, the Switch forwards the packets
with new source MAC addresses but does not add the new MAC addresses to the MAC address
table.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
vlan vlan-id

The VLAN view is displayed.


Step 3 Run:
mac-limit maximum max-num

The maximum number of MAC addresses learned in the VLAN is set.


By default, the number of MAC addresses learned in a VLAN is not limited.
Step 4 Run:
mac-limit alarm { disable | enable }

The Switch is configured to (or not to) send a trap to the NMS when the number of learned MAC
addresses reaches the limit.
By default, the Switch sends a trap to the NMS when the number of learned MAC addresses
reaches the limit.
----End

Checking the Configuration


After completing the configuration of MAC address limiting, use the following command to
verify the configuration.

Procedure
Step 1 Run the display mac-limit [ interface-type interface-number | vlan vlan-id ] command to view
the MAC address limiting rule.
----End

3.5.8 Configuring Port Security


The port security function prevents devices with untrusted MAC addresses from accessing an
interface. This function is applicable to the networks that require high access security.

Establishing the Configuration Task


The port security function changes MAC addresses learned by an interface to secure dynamic
MAC addresses or sticky MAC addresses. It prevents devices with untrusted MAC addresses
from accessing an interface and improves device security.

Applicable Environment
If a network requires high access security, you can configure port security on specified interfaces.
MAC addresses learned by these interfaces change to secure dynamic MAC addresses or sticky
MAC addresses. When the number of learned MAC addresses reaches the limit, the interface
does not learn new MAC addresses and allows only the devices with the learned MAC addresses
to communicate with the AC6605. This prevents devices with untrusted MAC addresses from
accessing these interfaces, improving security of the AC6605 and the network.

Pre-configuration Tasks
Before configuring port security on an interface, complete the following tasks:
l Disabling MAC address limiting on the interface
l Disabling MUX VLAN on the interface
l Disabling MAC address authentication on the interface
l Disabling 802.1x authentication on the interface
l Disabling MAC address security for DHCP snooping on the interface

Data Preparation
To configure port security on an interface, you need the following data.
No.  Data
1    Secure dynamic MAC: interface type and number, limit on the number of learned
     MAC addresses, action to perform when the limit is exceeded, and aging time of
     secure dynamic MAC addresses
2    Sticky MAC: interface type and number, limit on the number of learned MAC
     addresses, and action to perform when the limit is exceeded

Configuring the Secure Dynamic MAC Function on an Interface


After port security is enabled on an interface, MAC addresses learned by the interface change
to secure dynamic MAC addresses. When the number of secure dynamic MAC addresses reaches
the limit, the interface does not learn new MAC addresses and allows only the devices with the
learned MAC addresses to communicate with the AC6605. You can configure a protection action
for the AC6605 to perform when it receives a packet with a new source MAC address.

Context
By default, secure dynamic MAC addresses will not be aged out. You can set the aging time of
secure dynamic MAC addresses so that they can be aged out. Secure dynamic MAC addresses
are lost after the device restarts and the device needs to learn the MAC addresses again.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
interface interface-type interface-number

The interface view is displayed.


Step 3 Run:
port-security enable

Port security is enabled.


By default, port security is disabled on an interface.
NOTE

You can set the limit on the number of secure dynamic MAC addresses, aging time of secure dynamic
MAC addresses, and protection action only when port security is enabled.

Step 4 (Optional) Run:
port-security max-mac-num max-number

The limit on the number of secure dynamic MAC addresses is set.


By default, the limit on the number of secure dynamic MAC addresses is 1.
Step 5 (Optional) Run:
port-security protect-action { protect | restrict | shutdown }

The protection action is configured.


The default action is restrict.
l protect: discards packets with new source MAC addresses when the number of learned MAC
addresses reaches the limit.
l restrict: discards packets with new source MAC addresses and sends a trap message when
the number of learned MAC addresses exceeds the limit.
l shutdown: shuts down the interface when the number of learned MAC addresses exceeds
the limit.
Step 6 (Optional) Run:
port-security aging-time time [ type { absolute | inactivity } ]

The aging time of secure dynamic MAC addresses is set.


By default, secure dynamic MAC addresses will not be aged out.
----End

Configuring the Sticky MAC Function on an Interface


After the sticky MAC function is enabled on an interface, MAC addresses learned by the
interface change to sticky MAC addresses. When the number of sticky MAC addresses reaches
the limit, the interface does not learn new MAC addresses and allows only the devices with the
learned MAC addresses to communicate with the AC6605. You can configure a protection action
for the AC6605 to perform when it receives a packet with a new source MAC address.

Context
The sticky MAC function changes MAC addresses learned by an interface to sticky MAC
addresses. Sticky MAC addresses will not be aged out and will exist after the AC6605 restarts.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
interface interface-type interface-number

The interface view is displayed.


Step 3 Run:
port-security enable

Port security is enabled.


By default, port security is disabled on an interface.
Step 4 Run:
port-security mac-address sticky

The sticky MAC function is enabled on the interface.


By default, the sticky MAC function is disabled on an interface.
Step 5 (Optional) Run:
port-security max-mac-num max-number

The limit on the number of sticky MAC addresses is set.


By default, the limit on the number of sticky MAC addresses is 1.
Step 6 (Optional) Run:
port-security protect-action { protect | restrict | shutdown }

The protection action is configured.


The default action is restrict.
l protect: discards packets with new source MAC addresses when the number of learned MAC
addresses reaches the limit.
l restrict: discards packets with new source MAC addresses and sends a trap message when
the number of learned MAC addresses exceeds the limit.

l shutdown: shuts down the interface when the number of learned MAC addresses exceeds
the limit.
Step 7 (Optional) Run:
port-security mac-address sticky mac-address vlan vlan-id

A sticky MAC address entry is configured.


----End

Checking the Configuration


After completing the port security configuration, you can verify the configuration and view
secure dynamic MAC address entries or sticky MAC address entries.

Procedure
l Run the display current-configuration interface interface-type interface-number
command to view the current configuration of an interface.
l Run the display mac-address sticky [ vlan vlan-id | interface-type interface-number ] *
[ verbose ] command to view sticky MAC address entries.
l Run the display mac-address security [ vlan vlan-id | interface-type interface-number ]
[ verbose ] command to view secure dynamic MAC address entries.

----End
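As an added Python model (not Huawei code) of the port security behaviour in this section: secure dynamic versus sticky entries, port-security max-mac-num, the protect, restrict and shutdown actions, absolute and inactivity aging, and which entries survive a restart. Interface names, MAC addresses and timestamps are constructed sample values.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class SecureEntry:
    mac: str
    sticky: bool          # sticky entries are never aged and survive a restart
    learned_at: float
    last_seen: float


@dataclass
class SecurePort:
    name: str
    max_mac_num: int = 1                  # port-security max-mac-num (default 1)
    action: str = "restrict"              # port-security protect-action (default)
    sticky: bool = False                  # port-security mac-address sticky
    aging_time: Optional[float] = None    # port-security aging-time, seconds; None = never
    aging_type: str = "absolute"          # absolute | inactivity
    entries: Dict[str, SecureEntry] = field(default_factory=dict)
    shutdown: bool = False
    traps: List[str] = field(default_factory=list)

    def age(self, now: float) -> None:
        """Drop secure dynamic entries whose aging time has expired."""
        if self.aging_time is None:
            return
        for mac, e in list(self.entries.items()):
            if e.sticky:
                continue
            ref = e.learned_at if self.aging_type == "absolute" else e.last_seen
            if now - ref >= self.aging_time:
                del self.entries[mac]

    def receive(self, src: str, now: float) -> str:
        """A frame with source MAC src arrives at time now; 'forward' or 'discard'."""
        self.age(now)
        if self.shutdown:
            return "discard"
        if src in self.entries:
            self.entries[src].last_seen = now
            return "forward"
        if len(self.entries) < self.max_mac_num:
            self.entries[src] = SecureEntry(src, self.sticky, now, now)
            return "forward"
        # Limit reached and the source is new: apply the protection action.
        # protect: drop silently; restrict: drop and send a trap; shutdown: shut the port.
        if self.action == "restrict":
            self.traps.append(f"port-security violation on {self.name}: {src}")
        elif self.action == "shutdown":
            self.shutdown = True
        return "discard"

    def restart(self) -> None:
        """Device restart: sticky entries persist, secure dynamic ones are lost."""
        self.entries = {m: e for m, e in self.entries.items() if e.sticky}


def demo() -> dict:
    results = {}
    # Secure dynamic port: limit 2, inactivity aging 300 s, default action restrict.
    p = SecurePort("GE0/0/1", max_mac_num=2, aging_time=300, aging_type="inactivity")
    p.receive("0002-0002-0002", now=0)
    p.receive("0003-0003-0003", now=10)
    results["third_host"] = p.receive("0005-0005-0005", now=20)   # discard + trap
    results["traps"] = len(p.traps)
    p.receive("0003-0003-0003", now=100)          # keeps 0003 active
    # At t=350 the idle 0002 entry has aged out, so 0005 now fits within the limit.
    results["late_host"] = p.receive("0005-0005-0005", now=350)
    results["dynamic_entries"] = sorted(p.entries)
    # Sticky port: limit 1, action shutdown.
    s = SecurePort("GE0/0/2", max_mac_num=1, sticky=True, action="shutdown")
    s.receive("0004-0004-0004", now=0)
    results["sticky_violation"] = s.receive("00aa-00aa-00aa", now=1)
    results["port_shutdown"] = s.shutdown
    p.restart()
    s.restart()
    results["dynamic_after_restart"] = sorted(p.entries)
    results["sticky_after_restart"] = sorted(s.entries)
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```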

3.5.9 Configuring the Switch to Discard Packets with an All-Zero MAC Address


You can configure the Switch to discard packets with an all-zero source or destination MAC
address.

Applicable Environment
A faulty network device may send packets with an all-zero source or destination MAC address
to the Switch. Configure the Switch to discard such packets and send a trap to the NMS. Then
you can locate the faulty device according to the trap message.

Pre-configuration Tasks
l Powering on the Switch and ensuring that it functions properly

Data Preparation
None.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
drop illegal-mac enable

The Switch is configured to discard packets with an all-zero MAC address.


By default, the Switch does not discard packets with an all-zero MAC address.
Step 3 (Optional) Run:
drop illegal-mac alarm

The Switch is configured to send a trap to the NMS when receiving packets with an all-zero
MAC address.
By default, the Switch does not send a trap to the NMS when receiving packets with an all-zero
MAC address.
NOTE

The Switch sends only one trap after receiving packets with an all-zero MAC address. To enable the
Switch to send a trap again after receiving packets with an all-zero MAC address, run the drop illegal-mac alarm command again.

----End

Checking the Configuration


Run the display current-configuration command to check whether the Switch is configured
to discard the packets with an all-zero MAC address.

3.5.10 Enabling MAC Address-triggered ARP Entry Update


The MAC address-triggered ARP entry update enables the Switch to update the corresponding
ARP entry when the outbound interface in a MAC address entry changes.

Applicable Environment
Each network device uses an IP address to communicate with other devices. On an Ethernet
network, a device sends and receives Ethernet data frames based on MAC addresses. The ARP
protocol maps IP addresses to MAC addresses. When a device communicates with a device on
a different network segment, it finds the MAC address and outbound interface of a packet
according to the corresponding ARP entry.
If a user host moves from one interface to another, the host MAC address is learned by the new
interface, so the outbound interface mapping the MAC address changes. The corresponding ARP
entry, however, is not updated until the aging time expires. Before the ARP entry aging time
expires, the device sends data frames based on the original ARP entry. This causes data frame
loss. The AC6605 provides the MAC address-triggered ARP entry update function to solve this
problem.

Pre-configuration Tasks
None.

Data Preparation
None.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
mac-address update arp

MAC address-triggered ARP entry update is enabled.


By default, the Switch does not update the corresponding ARP entry when the outbound interface
in a MAC address entry changes.
NOTE

l This command takes effect only for dynamic ARP entries. Static ARP entries are not updated when
the corresponding MAC address entries change.
l The mac-address update arp command does not take effect after ARP anti-spoofing is enabled by
using the arp anti-attack entry-check enable command.
l After the mac-address update arp command is run, the Switch updates an ARP entry only if the
outbound interface in the corresponding MAC address entry changes.

----End

Checking the Configuration


Run the display current-configuration command to check whether the MAC address-triggered
ARP entry update function is enabled.

3.5.11 Configuration Examples


This section provides several examples of MAC address table configuration.

Example for Configuring the MAC Address Table


Networking Requirements
As shown in Figure 3-26, the MAC address of the user host PC1 is 0002-0002-0002 and the
MAC address of the user host PC2 is 0003-0003-0003. PC1 and PC2 are connected to the
Switch through the LSW. The LSW is connected to GE 0/0/1 of the Switch. Interface GE 0/0/1
belongs to VLAN 2. The MAC address of the server is 0004-0004-0004. The server is connected
to GE 0/0/2 of the Switch. Interface GE 0/0/2 belongs to VLAN 2.
l To prevent hackers from attacking the network with MAC addresses, add a static entry to
the MAC table of the Switch for each user host. When sending packets through GE 0/0/1,
the Switch changes the VLAN ID to VLAN 4 to which the LSW belongs. In addition, you
need to set the aging time of the dynamic entries in the MAC address table to 500 seconds.
l To prevent hackers from forging the MAC address of the server and stealing user
information, configure the packet forwarding based on static MAC address entries on the
Switch.



Figure 3-26 Networking diagram of MAC address table configurations (figure not reproduced: the server, MAC address 4-4-4, on GE 0/0/2 in VLAN 2; the LSW in VLAN 4 on GE 0/0/1, with PC1, MAC address 2-2-2, and PC2, MAC address 3-3-3, behind it; the Switch uplinks to the Network)

Configuration Roadmap
The configuration roadmap is as follows:
1. Create a VLAN and add interfaces to the VLAN.
2. Add static MAC address entries.
3. Set the aging time of dynamic MAC address entries.

Data Preparation
To complete the configuration, you need the following data:
l MAC address of PC1: 0002-0002-0002
l MAC address of PC2: 0003-0003-0003
l MAC address of the server: 0004-0004-0004
l VLAN to which the Switch belongs: VLAN 2
l Interface connecting the Switch to the LSW: GE 0/0/1
l Interface connecting the Switch to the server: GE 0/0/2
l VLAN ID that packets are changed to when the Switch sends them through the outbound
interface: VLAN 4
l Aging time of dynamic entries in the MAC address table of the Switch: 500 seconds

Procedure
Step 1 Add static MAC address entries.
# Create VLAN 2; add GE 0/0/1 and GE 0/0/2 to VLAN 2; configure VLAN mapping on GE 0/0/1.
<Quidway> system-view
[Quidway] vlan 2


[Quidway-vlan2] quit
[Quidway] interface gigabitethernet 0/0/1
[Quidway-GigabitEthernet0/0/1] port hybrid pvid vlan 2
[Quidway-GigabitEthernet0/0/1] port hybrid untagged vlan 2
[Quidway-GigabitEthernet0/0/1] port vlan-mapping vlan 4 map-vlan 2
[Quidway-GigabitEthernet0/0/1] quit
[Quidway] interface gigabitethernet 0/0/2
[Quidway-GigabitEthernet0/0/2] port hybrid pvid vlan 2
[Quidway-GigabitEthernet0/0/2] port hybrid untagged vlan 2
[Quidway-GigabitEthernet0/0/2] quit

# Configure static MAC address entries.


[Quidway] mac-address static 2-2-2 gigabitethernet 0/0/1 vlan 2
[Quidway] mac-address static 3-3-3 gigabitethernet 0/0/1 vlan 2
[Quidway] mac-address static 4-4-4 gigabitethernet 0/0/2 vlan 2

Step 2 Set the aging time of dynamic MAC address entries.


[Quidway] mac-address aging-time 500

Step 3 Verify the configuration.


# Run the display mac-address command in any view. You can check whether the static MAC
address entries are successfully added.
[Quidway] display mac-address static vlan 2
-------------------------------------------------------------------------------
MAC Address      VLAN/VSI   Learned-From   Type
-------------------------------------------------------------------------------
0002-0002-0002   2/GE0/0/1                 static
0003-0003-0003   2/GE0/0/1                 static
0004-0004-0004   2/GE0/0/2                 static
-------------------------------------------------------------------------------
Total items displayed = 3

# Run the display mac-address aging-time command in any view. You can check whether the
aging time of dynamic entries is set successfully.
[Quidway] display mac-address aging-time
Aging time: 500 seconds

----End

Configuration Files
The following lists the configuration file of the Switch.
#
sysname Quidway
#
vlan batch 2
#
mac-address aging-time 500
#
interface GigabitEthernet0/0/1
port hybrid pvid vlan 2
port hybrid untagged vlan 2
port vlan-mapping vlan 4 map-vlan 2
#
interface GigabitEthernet0/0/2
port hybrid pvid vlan 2
port hybrid untagged vlan 2
#
mac-address static 0002-0002-0002 GigabitEthernet0/0/1 vlan 2
mac-address static 0003-0003-0003 GigabitEthernet0/0/1 vlan 2
mac-address static 0004-0004-0004 GigabitEthernet0/0/2 vlan 2
#
return

Example for Configuring MAC Address Limiting in a VLAN


Networking Requirements
As shown in Figure 3-27, user network 1 is connected to GE 0/0/1 on the Switch through an
LSW. User network 2 is connected to GE 0/0/2 on the Switch through another LSW. GE 0/0/1
and GE 0/0/2 belong to VLAN 2. To prevent MAC address attacks and control the number of
access users, limit the MAC address learning in VLAN 2.
Figure 3-27 Configuring MAC address limiting in a VLAN (figure not reproduced: user network 1 and user network 2 each connect through an LSW to GE 0/0/1 and GE 0/0/2 of the Switch, both in VLAN 2; the Switch uplinks to the Network)

Configuration Roadmap
The configuration roadmap is as follows:
1. Create a VLAN and add interfaces to the VLAN.
2. Configure the limitation on MAC address learning based on VLANs.

Data Preparation
To complete the configuration, you need the following data:
l VLAN to which the interfaces belong: VLAN 2
l User interfaces: GE 0/0/1 and GE 0/0/2
l Maximum number of learned MAC addresses: 100


Procedure
Step 1 Configure the limitation on MAC address learning.
# Add GE 0/0/1 and GE 0/0/2 to VLAN 2.
<Quidway> system-view
[Quidway] vlan 2
[Quidway-vlan2] quit
[Quidway] interface gigabitethernet 0/0/1
[Quidway-GigabitEthernet0/0/1] port hybrid pvid vlan 2
[Quidway-GigabitEthernet0/0/1] port hybrid untagged vlan 2
[Quidway-GigabitEthernet0/0/1] quit
[Quidway] interface gigabitethernet 0/0/2
[Quidway-GigabitEthernet0/0/2] port hybrid pvid vlan 2
[Quidway-GigabitEthernet0/0/2] port hybrid untagged vlan 2
[Quidway-GigabitEthernet0/0/2] quit

# Configure the rule of limiting MAC address learning in VLAN 2: A maximum of 100 MAC
addresses can be learned; packets are still forwarded and an alarm is generated when the number
of learned MAC addresses reaches the limit, but new MAC addresses are not added to the MAC
address table.
[Quidway] vlan 2
[Quidway-vlan2] mac-limit maximum 100 alarm enable
[Quidway-vlan2] quit

Step 2 Verify the configuration.


# Run the display mac-limit command in any view. You can check whether the rule of limiting
MAC address learning is successfully configured.
<Quidway> display mac-limit
MAC Limit is enabled
Total MAC Limit rule count : 1
PORT      VLAN/VSI/SI   SLOT   Maximum   Rate(ms)   Action    Alarm
----------------------------------------------------------------------------
          2                    100                  forward   enable

----End

Configuration Files
The following lists the configuration file of the Switch.
#
sysname Quidway
#
vlan batch 2
#
vlan 2
mac-limit maximum 100
#
interface GigabitEthernet0/0/1
port hybrid pvid vlan 2
port hybrid untagged vlan 2
#
interface GigabitEthernet0/0/2
port hybrid pvid vlan 2
port hybrid untagged vlan 2
#
return

Example for Configuring Port Security



Networking Requirements
As shown in Figure 3-28, a company wants to prevent the computers of non-employees from
accessing the company intranet to protect information security. To achieve this goal, the
company needs to enable the sticky MAC function on the interface connected to computers of
employees, and set the maximum number of MAC addresses learned by the interface to be the
same as the number of trusted computers.
Figure 3-28 Networking diagram of port security configuration (figure not reproduced: PC1, PC2 and PC3 connect through SwitchA to GE 0/0/1 of the Switch in VLAN 10; the Switch uplinks to the Internet)

Configuration Roadmap
The configuration roadmap is as follows:
1. Create a VLAN and set the link type of the interface to trunk.
2. Enable the port security function.
3. Enable the sticky MAC function on the interface.
4. Configure the action to be taken when the number of learned MAC addresses exceeds the
limit.
5. Set the maximum number of MAC addresses that can be learned by the interface.

Data Preparation
To complete the configuration, you need the following data:
l VLAN allowed by the interface
l Type and number of the interface connected to computers of employees
l Action to be taken when the number of learned MAC addresses exceeds the limit
l Maximum number of MAC addresses learned by the interface


Procedure
Step 1 Create a VLAN and set the link type of the interface to trunk.
<Quidway> system-view
[Quidway] vlan 10
[Quidway-vlan10] quit
[Quidway] interface gigabitethernet 0/0/1
[Quidway-GigabitEthernet0/0/1] port link-type trunk
[Quidway-GigabitEthernet0/0/1] port trunk allow-pass vlan 10

Step 2 Configure the port security function.


# Enable the port security function.
[Quidway-GigabitEthernet0/0/1] port-security enable

# Enable the sticky MAC function.


[Quidway-GigabitEthernet0/0/1] port-security mac-address sticky

# Configure the action to be taken when the number of learned MAC addresses exceeds the limit.
[Quidway-GigabitEthernet0/0/1] port-security protect-action protect

# Set the maximum number of MAC addresses that can be learned by the interface.
[Quidway-GigabitEthernet0/0/1] port-security max-mac-num 4

To enable the port security function on other interfaces, repeat the preceding steps.
Step 3 Verify the configuration.
If an employee's PC is replaced by another PC, the new PC cannot access the company intranet.
----End

Configuration Files
Configuration file of the Switch
#
sysname Quidway
#
vlan batch 10
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 10
port-security enable
port-security protect-action protect
port-security mac-address sticky
port-security max-mac-num 4
#
return
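An added Python audit (not Huawei code) that parses a VRP-style configuration file like the ones listed in these examples and checks each interface stanza against the rules in this section, including the pre-configuration task that MAC address limiting must be disabled on an interface before port security is configured. The sample configuration is constructed from the examples above, with one interface deliberately misconfigured so the checks have something to report.

```python
from typing import Dict, List

# Constructed sample: adapted from the configuration files in this section.
# GigabitEthernet0/0/2 is deliberately misconfigured (mac-limit together with
# port security, default limit of 1, secure dynamic entries only).
SAMPLE_CONFIG = """\
#
sysname Quidway
#
vlan batch 2 10
#
vlan 2
 mac-limit maximum 100
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 10
 port-security enable
 port-security protect-action protect
 port-security mac-address sticky
 port-security max-mac-num 4
#
interface GigabitEthernet0/0/2
 port hybrid pvid vlan 2
 port hybrid untagged vlan 2
 mac-limit maximum 10
 port-security enable
#
interface GigabitEthernet0/0/3
 port-security enable
 port-security mac-address sticky
 port-security max-mac-num 1
 port-security protect-action restrict
#
return
"""


def parse_stanzas(text: str) -> Dict[str, List[str]]:
    """Split a '#'-separated configuration into {stanza header: [command lines]}."""
    stanzas: Dict[str, List[str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "#":
            current = None            # '#' closes the current stanza
        elif line in ("", "return"):
            continue
        elif current is None:
            current = line            # first line after '#' names the stanza
            stanzas[current] = []
        else:
            stanzas[current].append(line)
    return stanzas


def audit_interfaces(stanzas: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Return {interface name: [findings]} for interfaces with port security enabled."""
    findings: Dict[str, List[str]] = {}
    for header, lines in stanzas.items():
        if not header.startswith("interface "):
            continue
        ifname = header.split(None, 1)[1]
        issues: List[str] = []
        ps_enabled = "port-security enable" in lines
        has_mac_limit = any(ln.startswith("mac-limit ") for ln in lines)
        if ps_enabled and has_mac_limit:
            # Pre-configuration task: MAC address limiting must be disabled on the
            # interface before port security is configured.
            issues.append("port-security and mac-limit both configured")
        if ps_enabled:
            if not any(ln.startswith("port-security max-mac-num ") for ln in lines):
                issues.append("max-mac-num not set (default limit of 1 applies)")
            if "port-security protect-action protect" in lines:
                # protect drops silently; restrict also sends a trap to the NMS.
                issues.append("protect-action protect: violations raise no trap")
            if "port-security mac-address sticky" not in lines:
                issues.append("secure dynamic MACs only: entries lost on restart")
        if issues:
            findings[ifname] = issues
    return findings


if __name__ == "__main__":
    for iface, issues in audit_interfaces(parse_stanzas(SAMPLE_CONFIG)).items():
        for issue in issues:
            print(f"{iface}: {issue}")
```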

3.6 STP/RSTP Configuration


The Spanning Tree Protocol (STP) trims a ring network into a loop-free tree network. It prevents
replication and circular propagation of packets, provides multiple redundant paths for virtual
LAN (VLAN) data traffic, and enables load balancing. The Rapid Spanning Tree Protocol
(RSTP) was developed based on STP to implement faster convergence. RSTP defines edge ports
and provides protection functions.


3.6.1 STP/RSTP Overview


STP is a management protocol on the data link layer. It is used to block redundant links on Layer
2 networks and trim a network into a loop-free tree. RSTP is a supplement to STP and implements
rapid convergence.

Introduction to STP/RSTP
STP/RSTP is used to block redundant links on Layer 2 networks and trim a network into a loop-free tree topology.

Background
Network designers tend to deploy multiple physical links between two devices (one link is the
master and the others are backups) to fulfill network redundancy requirements. Loops are bound
to occur on such types of complex networks.
Loops will cause broadcast storms, thereby exhausting network resources and paralyzing the
network. Loops also cause MAC address flapping that damages MAC address entries.
Devices can run STP to discover loops on the network by exchanging information with each
other, and trim the ring topology into a loop-free tree topology by blocking an interface. These
capabilities help prevent replication and circular propagation of packets on the network which
in turn helps avoid degradation of switching device performance.
With all its merits, STP is not able to converge network topologies quickly. In 2001, the IEEE
published document 802.1w, which introduces an evolution in the Spanning Tree Protocol:
Rapid Spanning Tree Protocol (RSTP). Although based on the same principles, RSTP was
developed for rapid convergence and far outperforms STP.

Concepts
l Root bridge
A tree topology must have a root.
There is only one root bridge on the entire STP/RSTP-capable network. The root bridge is
the logical center but is not necessarily the physical center of the entire network. Another
switching device can serve as the root bridge following a change in the network topology.
l Bridge ID
As defined in IEEE 802.1D, a bridge ID (BID) is composed of a 2-byte bridge priority and
a 6-byte bridge MAC address.
On an STP-capable network, the device with the smallest BID is selected as the root bridge.
l Port ID
A 16-bit port ID (PID) is composed of a 4-bit port priority and a 12-bit port number.
PIDs are used to select a designated port. When the root path costs and the sender BIDs of
two ports are the same, the port with a smaller PID is selected as the designated port. As
shown in Figure 3-29, the root path costs and sender BIDs of port A and port B on S2 are
the same. Port A has a smaller PID, and is selected as the designated port.
l Path cost
A path cost is port-specific and is used by STP/RSTP to select a link. STP/RSTP calculates
the path cost to select robust links and blocks redundant links to trim the network into a
loop-free tree topology.


Issue 04 (2013-06-15)

Huawei Proprietary and Confidential


Copyright Huawei Technologies Co., Ltd.

448

AC6605 Access Controller


Configuration Guide

3 Configuration Guide - Ethernet

On an STP/RSTP-capable network, the accumulative cost of the path from a certain port
to the root bridge is the sum of the costs of the segment paths into which the path is separated
by the ports on the transit bridges.
l STP port roles
Root port
The root port is the port that is nearest to the root bridge. The root port is determined
based on the path cost. Among all the STP-capable ports on the network bridge, the port
with the lowest root path cost is the root port. There is only one root port on an STP-capable
device, but there is no root port on the root bridge.
Designated port
The designated port on a switching device forwards bridge protocol data units (BPDUs)
to the downstream switching device. All ports on the root bridge are designated ports.
A designated port is selected for each network segment. The device on which the
designated port resides is called the designated bridge.
l RSTP port roles
Compared with STP, RSTP has two additional types of ports, the alternate port and backup
port. More port roles are defined to simplify deployment of STP.
Figure 3-29 Diagram of port roles
[Figure: two panels, each showing S1 (Root bridge), S2, and S3; in the second panel S2 has
ports A and B. Legend: Root port, Designated port, Alternate port, Backup port]

As shown in Figure 3-29, RSTP defines four port roles: root port, designated port, alternate
port, and backup port.
The functions of the root port and designated port are the same as those defined in STP.
The functions of the alternate port and backup port are as follows:
From the perspective of configuration BPDU transmission:
The alternate port is blocked after learning the configuration BPDUs sent by other
bridges.
The backup port is blocked after learning the configuration BPDUs sent by itself.
From the perspective of user traffic:
The alternate port backs up the root port and provides an alternate path from the
designated bridge to the root bridge.
The backup port backs up the designated port and provides an alternate path from
the root node to the leaf node.
After all ports are assigned roles, topology convergence is completed.
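The election rules above (smallest BID wins the root bridge, lowest root path cost picks the root port, and the comparison of root path cost, sender BID and PID picks the designated port on each segment) are worked through in the following Python model. It is an added example, not code from the Huawei guide; the bridge names, MAC addresses, port IDs and link costs are constructed after Figure 3-29, and each link cost is assumed to be the same at both ends of the segment.

```python
"""Toy STP/RSTP role election: root bridge, root path cost, and port roles.

Added example, not Huawei code. Bridge names, MACs, port IDs and link
costs below are constructed; a link's cost is assumed symmetric (the same
cost at both ends of a segment), which real STP does not require.
"""
import heapq
from collections import defaultdict

# A BID orders as (priority, MAC) and a PID as (priority, number), so plain
# tuple comparison gives the IEEE 802.1D "smaller wins" ordering.


def root_path_costs(root, links):
    """Shortest-path (Dijkstra) cost from every bridge to the root bridge.

    With symmetric link costs this equals the STP root path cost: the sum of
    the segment costs along the best path to the root.
    """
    adj = defaultdict(list)
    for a, _, b, _, cost in links:
        adj[a].append((b, cost))
        adj[b].append((a, cost))
    rpc = {root: 0}
    heap = [(0, root)]
    while heap:
        d, u = heapq.heappop(heap)
        if d > rpc[u]:
            continue  # stale heap entry
        for v, cost in adj[u]:
            if d + cost < rpc.get(v, float("inf")):
                rpc[v] = d + cost
                heapq.heappush(heap, (d + cost, v))
    return rpc


def elect(bridges, links):
    """bridges: {name: (priority, mac)}; links: [(a, pid_a, b, pid_b, cost)].

    Returns (root bridge name, root path costs, {(bridge, pid): role}).
    """
    root = min(bridges, key=lambda name: bridges[name])  # smallest BID
    rpc = root_path_costs(root, links)
    roles = {}
    # Per bridge: the superior BPDUs it receives on ports that lost the
    # designated-port election, as (rpc via port, sender BID, sender PID, own PID).
    received = defaultdict(list)
    for a, pid_a, b, pid_b, cost in links:
        ends = sorted([(rpc[a], bridges[a], pid_a, a), (rpc[b], bridges[b], pid_b, b)])
        w_rpc, w_bid, w_pid, winner = ends[0]  # lowest (RPC, BID, PID) is designated
        _, _, l_pid, loser = ends[1]
        roles[(winner, w_pid)] = "designated"
        received[loser].append(((w_rpc + cost, w_bid, w_pid, l_pid), (loser, l_pid), winner))
    for name in bridges:
        cands = sorted(received[name], key=lambda c: c[0])
        if name != root and cands:
            roles[cands[0][1]] = "root"  # best path to the root bridge; none on the root
            cands = cands[1:]
        for _, port, sender in cands:
            # Blocked by a BPDU from another bridge: alternate (backs up the root port).
            # Blocked by a BPDU this bridge sent itself: backup (backs up a designated port).
            roles[port] = "backup" if sender == name else "alternate"
    return root, rpc, roles


# Constructed topology modelled on Figure 3-29: S1 is the root bridge and S2
# has ports A (128, 3) and B (128, 4) on one shared segment, so B becomes backup.
BRIDGES = {
    "S1": (0, "00e0-fc00-0001"),
    "S2": (32768, "00e0-fc00-0002"),
    "S3": (32768, "00e0-fc00-0003"),
}
LINKS = [
    ("S1", (128, 1), "S2", (128, 1), 20),
    ("S1", (128, 2), "S3", (128, 1), 20),
    ("S2", (128, 2), "S3", (128, 2), 20),
    ("S2", (128, 3), "S2", (128, 4), 20),  # ports A and B of S2 on the same segment
]

if __name__ == "__main__":
    root, rpc, roles = elect(BRIDGES, LINKS)
    print("root bridge:", root)
    for (bridge, pid), role in sorted(roles.items()):
        print(f"{bridge} port {pid}: root path cost {rpc[bridge]:>3}, role {role}")
```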
l STP port state
Table 3-7 shows the port status of an STP-capable port.
Table 3-7 STP port state

Forwarding
Purpose: A port in the Forwarding state forwards user traffic and BPDUs.
Description: Only the root port and designated port can enter the Forwarding state.

Learning
Purpose: When a port is in the Learning state, a device creates a MAC address table based on
the received user traffic but does not forward the traffic.
Description: This is a transition state, which is designed to prevent temporary loops.

Listening
Purpose: A port in the Listening state is participating in election of the root bridge, root port,
or designated port.
Description: This is a transition state.

Blocking
Purpose: A port in the Blocking state receives and forwards only BPDUs but does not forward
user traffic.
Description: This is the final state of a blocked port.

Disabled
Purpose: A port in the Disabled state forwards neither BPDUs nor user traffic.
Description: The port is Down.

l RSTP port state
Table 3-8 shows the port status of an RSTP-capable port.


Table 3-8 RSTP port state

Forwarding: A port in the Forwarding state can send and receive BPDUs as well as forward user
traffic.
Learning: This is a transition state. A port in the Learning state learns MAC addresses from user
traffic to construct a MAC address table. In the Learning state, the port can send and receive
BPDUs, but cannot forward user traffic.
Discarding: A port in the Discarding state can only receive BPDUs.

CAUTION
MSTP is the default mode for all Huawei datacom devices. After a device experiences the
transition from the MSTP mode to the STP mode, an STP-capable port supports the same
port states as those supported by an MSTP-capable port, including the Forwarding,
Learning, and Discarding states. For details, see Table 3-8.
l Three timers
Hello Timer
Sets the interval at which BPDUs are sent.
Forward Delay Timer
Sets the time spent in the Listening and Learning states.
Max Age
Sets the maximum lifetime of a BPDU on the network. When the Max Age time is
reached, the connection to the root bridge is considered broken.

Comparison between STP, RSTP, and MSTP


Table 3-9 compares STP, RSTP, and MSTP in terms of the characteristics of each protocol and
their applicable environments.
Table 3-9 Comparison between STP, RSTP, and MSTP

STP
Characteristics: Ensures a loop-free tree topology that helps prevent broadcast storms and
allows for redundant links between switches.
Applicable Environment: Irrespective of users or services, all VLANs share one spanning tree.
Precautions: If the current switching device supports STP and RSTP, RSTP is recommended.

RSTP
Characteristics:
l Ensures a loop-free tree topology that helps prevent broadcast storms and allows for
redundant links between switches.
l Provides a feedback mechanism to confirm topology convergence, implementing rapid
convergence.
Applicable Environment: Irrespective of users or services, all VLANs share one spanning tree.
Precautions: If the current switching device supports STP/RSTP and MSTP, MSTP is
recommended. See MSTP Configuration.

MSTP
Characteristics:
l Ensures a loop-free tree topology that helps prevent broadcast storms and allows for
redundant links between switches in an MSTP region.
l Provides a feedback mechanism to confirm topology convergence, implementing rapid
convergence.
l Implements load balancing among VLANs. Traffic in different VLANs is transmitted along
different paths.
Applicable Environment: User or service-specific load balancing is required. Traffic for
different VLANs is forwarded through different spanning trees, which are independent of each
other.
STP/RSTP Features Supported by the AC6605


Before configuring STP/RSTP, familiarize yourself with basic STP/RSTP functions, topology
convergence, STP/RSTP protection, and STP/RSTP interoperability between Huawei devices
and non-Huawei devices.
STP/RSTP is used to block redundant links on Layer 2 networks and trim a network into a loop-free tree topology.
STP/RSTP also supports the following features to meet the requirements of special applications
and extended functions:
l Provides a feedback mechanism to confirm topology convergence, implementing rapid
convergence.
l RSTP provides the protection functions listed in Table 3-10.
l Supports STP/RSTP interoperability between Huawei devices and non-Huawei devices.
Certain parameters must be set on Huawei devices to ensure uninterrupted communication.


Table 3-10 RSTP Protection Function

BPDU protection
Scenario: An edge port changes into a non-edge port after receiving a BPDU, which triggers
spanning tree recalculation. If an attacker keeps sending pseudo BPDUs to a switching device,
network flapping occurs.
Configuration Impact: After BPDU protection is enabled, the switching device shuts down the
edge port if the edge port receives an RST BPDU. Then the device notifies the NMS of the
shutdown event. The attributes of the edge port are not changed.

TC protection
Scenario: Generally, after receiving TC BPDUs (packets for advertising network topology
changes), a switching device needs to delete MAC entries and ARP entries. Frequent deletions
exhaust CPU resources.
Configuration Impact: TC protection is used to suppress TC BPDUs. You can configure the
number of times a switching device processes TC BPDUs within a given time period. If the
number of TC BPDUs that the switching device receives within a given time exceeds the
specified threshold, the switching device processes only the specified number of TC BPDUs.
After the specified time period expires, the device processes the excess TC BPDUs once. This
function prevents the switching device from frequently deleting MAC entries and ARP entries,
saving CPU resources.

Root protection
Scenario: Due to incorrect configurations or malicious attacks on the network, a root bridge may
receive BPDUs with a higher priority than its own priority. Consequently, the legitimate root
bridge is no longer able to serve as the root bridge and the network topology is changed,
triggering spanning tree recalculation. This may transfer traffic from high-speed links to
low-speed links, causing traffic congestion.
Configuration Impact: If a designated port is enabled with the root protection function, the role
of the port cannot be changed. Once a designated port that is enabled with root protection
receives RST BPDUs with a higher priority, the port enters the Discarding state and does not
forward packets. If the port does not receive any RST BPDUs with a higher priority before a
period (generally two Forward Delay periods) expires, the port automatically enters the
Forwarding state.

Loop protection
Scenario: A root port or an alternate port will age if link congestion or a one-way link failure
occurs. After the root port ages, a switching device may reselect a root port incorrectly. After
the alternate port ages, the port enters the Forwarding state. Loops may occur in such a
situation.
Configuration Impact: After loop protection is configured, if the root port or alternate port does
not receive RST BPDUs from the upstream switching device for a long time, the switching
device notifies the NMS that the port enters the Discarding state. The blocked port remains in
the Blocked state and no longer forwards packets. This function helps prevent loops on the
network. The root port transitions to the Forwarding state after receiving new BPDUs.
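To make the TC protection row of Table 3-10 concrete, the following Python model (an added example, not Huawei code) implements a threshold-per-period suppressor that processes at most the configured number of TC BPDUs in a period and performs one more flush for the excess when the period expires. The threshold, the period and the burst of arrival times are constructed values; the point is to count MAC/ARP flushes with and without suppression.

```python
"""Model of the TC protection behaviour described in Table 3-10.

Added example, not Huawei code. The threshold, period and the TC BPDU
arrival times below are constructed; the model counts how many MAC/ARP
flushes a device would perform with and without suppression.
"""


class TcProtection:
    """Process at most `threshold` TC BPDUs per `period` seconds; the excess
    triggers a single deferred flush when the period expires."""

    def __init__(self, threshold, period):
        self.threshold = threshold
        self.period = period
        self.window_start = None
        self.count = 0
        self.excess_pending = False
        self.flushes = []  # (time, reason) each time MAC/ARP entries are flushed

    def _expire(self, now):
        """Close the window if it has elapsed; flush once for any suppressed TCs."""
        if self.window_start is not None and now - self.window_start >= self.period:
            if self.excess_pending:
                self.flushes.append((self.window_start + self.period, "deferred"))
            self.window_start = None
            self.count = 0
            self.excess_pending = False

    def receive_tc(self, now):
        """Handle one TC BPDU arriving at time `now` (seconds)."""
        self._expire(now)
        if self.window_start is None:
            self.window_start = now  # first TC BPDU opens a new period
        self.count += 1
        if self.count <= self.threshold:
            self.flushes.append((now, "immediate"))
            return "processed"
        self.excess_pending = True  # over the threshold: remember, do not flush now
        return "suppressed"

    def tick(self, now):
        """Call when time passes without TC BPDUs so an expired window is flushed."""
        self._expire(now)
        return len(self.flushes)


def simulate(arrivals, threshold, period, end_time):
    """Return (flush count without protection, flush list with protection, decisions)."""
    tc = TcProtection(threshold, period)
    decisions = [(t, tc.receive_tc(t)) for t in arrivals]
    tc.tick(end_time)
    # Without TC protection every TC BPDU deletes MAC and ARP entries.
    return len(arrivals), tc.flushes, decisions


# Constructed burst: ten TC BPDUs within one second, then one more at t=3.0.
ARRIVALS = [round(0.1 * i, 1) for i in range(10)] + [3.0]

if __name__ == "__main__":
    unprotected, flushes, decisions = simulate(ARRIVALS, threshold=1, period=2.0, end_time=6.0)
    for t, decision in decisions:
        print(f"t={t:>4}: {decision}")
    print(f"flushes without protection: {unprotected}, with protection: {len(flushes)}")
```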

3.6.2 Configuring Basic STP/RSTP Functions


STP/RSTP is used to block redundant links on Layer 2 networks and trim a network into a loop-free tree topology.
STP/RSTP is commonly configured on switching devices to trim a ring network into a loop-free
network. Devices start spanning tree calculation after the STP/RSTP working mode is set and
STP/RSTP is enabled. Use any of the following methods if you need to intervene in the spanning
tree calculation:
l Set a priority for a switching device: The lower the numerical value, the higher the priority
of the switching device and the more likely the switching device becomes a root bridge;
the higher the numerical value, the lower the priority of the switching device and the less
likely that the switching device becomes a root bridge.
l Set a path cost for a port: With the same calculation method, the lower the numerical value,
the smaller the cost of the path from the port to the root bridge and the more likely the port
becomes a root port; the higher the numerical value, the larger the cost of the path from the
port to the root bridge and the less likely that the port becomes a root port.
l Set a priority for a port: The lower the numerical value, the more likely the port becomes
a designated port; the higher the numerical value, the less likely that the port becomes a
designated port.

Establishing the Configuration Task


Before configuring basic STP/RSTP functions, familiarize yourself with the applicable
environment, complete the pre-configuration tasks, and obtain the required data. This will help
you complete the configuration task quickly and accurately.

Applicable Environment
Network designers tend to deploy multiple physical links between two devices (one link is the
master and the others are backups) to fulfill network redundancy requirements. Loops are bound
to occur on such types of complex networks.
Loops will cause broadcast storms, thereby exhausting network resources and paralyzing the
network. Loops also cause MAC address flapping that damages MAC address entries.

STP/RSTP can be deployed on a network to eliminate loops. If a loop is detected, STP/RSTP
blocks one port to eliminate the loop.
As shown in Figure 3-30, Switch A, Switch B, Switch C, and Switch D form a ring network,
and STP/RSTP is enabled on the ring network to eliminate loops, enhancing reliability of the
network.
Figure 3-30 Diagram of a ring network
[Figure labels: Network; Root Bridge SwitchA; SwitchB; SwitchC; SwitchD; PC1; PC2;
Blocked port]

NOTE

If the current switching device supports STP and RSTP, RSTP is recommended.

Pre-configuration Tasks
Before configuring basic STP/RSTP functions, complete the following task:
l Connecting interfaces and setting physical parameters for the interfaces to ensure that the
interfaces are physically Up

Data Preparation
To configure basic STP/RSTP functions, you need the following data.

No. | Data
1   | (Optional) Priority of a switching device
2   | (Optional) Priority of a port
3   | (Optional) Path cost of a port

Configuring the STP/RSTP Mode


Before configuring basic STP/RSTP functions on a switching device, set the working mode to
STP or RSTP. RSTP is compatible with STP.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
stp mode { stp | rstp }

The working mode of the switching device is set to STP or RSTP.


By default, the working mode of the AC6605 is MSTP.
----End

(Optional) Configuring Switching Device Priorities


Select a switching device (functioning as a root bridge) from switching devices for each spanning
tree. You can configure the priorities of the switching devices to preferentially select a root
bridge. The lower the numerical value is, the higher priority a switching device has and the more
likely the switching device will be selected as a root bridge.

Context
On an STP/RSTP-capable network, there is only one root bridge, which is the logical center of
the entire spanning tree. During root bridge selection, a high-performance switching device at
a high network layer should be selected as the root bridge; however, the priority of such a device
may not be the highest on the network. It is therefore necessary to set a high priority for the
switching device to ensure that the device functions as a root bridge.
Low-performance devices at lower network layers are not fit to serve as a root bridge. Therefore,
set low priorities for these devices.

CAUTION
If an AC6605 switch is configured as the root switch or secondary root switch, the priority of
the AC6605 switch cannot be set. To set the priority for the AC6605 switch, disable the root
switch or secondary root switch.


Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
stp priority priority

The priority of a switching device is configured.


The default priority value of a switching device is 32768.
NOTE

l To configure a switching device as the primary root bridge, run the stp root primary command. The
priority value of this switching device is 0.
l To configure a switching device as a secondary root bridge, run the stp root secondary command. The
priority value of this switching device is 4096.
A switching device cannot act as a primary root bridge and as a secondary root bridge at the same time.

----End

(Optional) Configuring the Path Cost for a Port


The STP/RSTP path cost determines root port selection. The port with the lowest cost of the
path to the root bridge is selected as the root port.

Context
A path cost is port-specific and is used by STP/RSTP to select a link.
The path cost value range is determined by the calculation method. After the calculation method
is determined, it is recommended that you set a relatively small path cost value for the ports with
high link rates.
In the Huawei proprietary calculation method for example, the link rate determines the
recommended value for the path cost. Table 3-11 lists the recommended path costs for ports
with different link rates.
Table 3-11 Mappings between link rates and path cost values

Link Rate      | Recommended Path Cost | Recommended Path Cost Range | Path Cost Range
10 Mbit/s      | 2000                  | 200 to 20000                | 1 to 200000
100 Mbit/s     | 200                   | 20 to 2000                  | 1 to 200000
1 Gbit/s       | 20                    | 2 to 200                    | 1 to 200000
10 Gbit/s      |                       | 2 to 20                     | 1 to 200000
Over 10 Gbit/s |                       | 1 to 2                      | 1 to 200000


If a network has loops, it is recommended that you set a relatively large path cost for ports with
low link rates. STP/RSTP then blocks these ports.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
stp pathcost-standard { dot1d-1998 | dot1t | legacy }

A path cost calculation method is configured.


By default, the IEEE 802.1t standard (dot1t) is used to calculate the default path cost.
All switching devices on a network must use the same path cost calculation method.
Step 3 Run:
interface interface-type interface-number

The view of the Ethernet interface participating in STP calculation is displayed.


Step 4 Run:
stp cost cost

A path cost is set for the interface.


l When the Huawei proprietary calculation method is used, cost ranges from 1 to 200000.
l When the IEEE 802.1d standard method is used, cost ranges from 1 to 65535.
l When the IEEE 802.1t standard method is used, cost ranges from 1 to 200000000.
----End

(Optional) Configuring Port Priorities


In each spanning tree, a designated port is selected for each connection according to the bridge
ID, the path cost, and the port IDs. The lower the numerical value, the more likely the port on a
switching device becomes a designated port; the higher the numerical value, the more likely the
port is to be blocked.

Context
Whether a port will be selected as a designated port is determined by its priority. For details, see
Introduction to STP/RSTP.
To block a port to eliminate loops, set the port priority value to be larger than the default value
when the devices have the same bridge ID and path cost. This port will be blocked during
designated port selection.

Procedure
Step 1 Run:
system-view


The system view is displayed.


Step 2 Run:
interface interface-type interface-number

The Ethernet interface view is displayed.


Step 3 Run:
stp port priority priority

The port priority is configured.


The default priority value of a port on a switching device is 128.
----End

Enabling STP/RSTP
After STP/RSTP is enabled, spanning trees are calculated.

Context
After STP/RSTP is enabled on a ring network, STP/RSTP immediately calculates spanning trees
on the network. Configurations on the switching device, such as the switching device priority
and port priority, will affect spanning tree calculation. Any change to the configurations may
cause network flapping. Therefore, to ensure rapid and stable spanning tree calculation, perform
basic configurations on the switching device and its ports, and enable STP/RSTP.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
stp enable

STP/RSTP is enabled on the switching device.


By default, STP/RSTP is disabled on a Switch.
----End

Checking the Configuration


After basic STP/RSTP functions are configured, you can view the information such as the port
roles and port status to check the spanning tree calculation.

Prerequisites
All configurations for basic STP/RSTP functions are complete.


Procedure
l Run the display stp [ interface interface-type interface-number ] [ brief ] command to view
the spanning-tree status and statistics.

----End

3.6.3 Configuring STP/RSTP Parameters on an Interface


STP does not have a mechanism to confirm topology convergence, whereas RSTP provides a
feedback mechanism to implement rapid convergence.
STP does not implement rapid convergence; however, STP parameters such as the network
diameter, Hello timer, Max Age timer, and Forward Delay timer, may affect network
convergence. RSTP is a refinement of STP and implements rapid convergence. In addition to
the preceding parameters, the link type, rapid transition mechanism, and maximum number of
sent BPDUs also affect STP/RSTP topology convergence.
Table 3-12 shows the STP/RSTP parameters that affect STP/RSTP topology convergence.
Table 3-12 Parameters affecting the STP/RSTP topology convergence

System parameter
Description: Network diameter, timer values (Hello timer, Forward Delay timer, Max Age
timer), and timeout period to wait for BPDUs from the upstream device (3 x Hello timer value
x Time factor)
Commands:
l stp bridge-diameter diameter
l stp timer hello hello-time
l stp timer forward-delay forward-delay
l stp timer max-age max-age
l stp timer-factor factor
Remarks: It is recommended that you set the network diameter to determine the timer value.
The switching device automatically calculates the Forward Delay period, Hello time, and Max
Age time based on the network diameter. Then, you can run the stp timer-factor factor
command to set the timeout period for waiting for BPDUs from the upstream (3 x Hello timer
value x Time factor).

Port parameter
Description: Link type of a port
Commands:
l stp point-to-point { auto | force-false | force-true }
Remarks: A P2P link helps implement rapid convergence.
l If the port works in full-duplex mode, the link connecting to the port is a P2P link.
l If the port works in half-duplex mode, you can forcibly switch the link connecting to the port
to a P2P link.
l In other cases, you can enable the port to automatically determine whether to connect to a
P2P link.

Port parameter
Description: Port transition to the RSTP mode
Commands:
l stp mcheck
Remarks: On a switching device running RSTP, if an interface is connected to a device running
STP, the interface automatically transitions to the STP mode. Enable MCheck on an interface
if the interface fails to automatically transition to the RSTP mode.

Port parameter
Description: Maximum number of BPDUs sent by the interface per second
Commands:
l stp transmit-limit packet-number
Remarks: If the maximum number of BPDUs sent by the interface per second is set properly,
the rate at which BPDUs are sent can be restricted. This parameter prevents RSTP from
consuming too much bandwidth if network flapping occurs.

Port parameter
Description: Edge ports
Commands:
l stp edged-port enable
l error-down auto-recovery cause cause-item interval interval-value
Remarks: The ports connected to terminals do not participate in STP/RSTP calculation. If a
port is configured as an edge port, the port does not participate in STP/RSTP calculation.
After BPDU protection is configured on a switching device, an edge port is shut down when
receiving BPDUs. You can configure the port to go Up after a specified delay has elapsed.

Establishing the Configuration Task


Before configuring parameters affecting STP/RSTP rapid convergence, familiarize yourself
with the applicable environment, complete the pre-configuration tasks, and obtain the required
data. This will help you complete the configuration task quickly and accurately.

Applicable Environment
On some specific networks, proper RSTP parameter settings will help implement rapid network
convergence.
NOTE

The default configurations for the parameters described in this section help implement RSTP rapid
convergence. Therefore, the configuration process and all involved procedures described in this section
are optional.

Pre-configuration Tasks
Before configuring STP/RSTP parameters, complete the following task:
l

Configuring basic STP/RSTP functions

Data Preparation
To configure STP/RSTP parameters, you need the following data.

No. | Data
1   | Network diameter
2   | Hello timer, Forward Delay timer, Max Age timer, and timeout period for waiting for BPDUs from the upstream (3 x Hello timer value x Time factor)
3   | Link type of a port
4   | Whether a port is enabled with rapid transition mechanism
5   | Whether a port needs to transition to the RSTP mode
6   | Maximum number of sent BPDUs
7   | Whether a port needs to be configured as an edge port
8   | Whether auto recovery needs to be configured for an edge port being shut down
9   | Whether a port needs to clear statistics of the spanning tree
10  | Whether the edge port needs to be configured as a BPDU filter

Configuring System Parameters


STP/RSTP parameters that may affect network convergence include the network diameter, Hello
timer, and timeout period for waiting for BPDUs from the upstream device (3 x Hello timer
value x Time factor). Therefore, STP/RSTP parameters must be set properly to help implement
rapid network convergence.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
stp bridge-diameter diameter

The network diameter is configured.


By default, the network diameter is 7.
l RSTP uses a single spanning tree instance on the entire network. As a result, performance
deterioration cannot be prevented when the network scale grows. Therefore, the network
diameter cannot be larger than 7.
l It is recommended that you run the stp bridge-diameter diameter command to set the
network diameter. Then, the switching device calculates the optimal Forward Delay period,
Hello timer value, and Max Age timer value based on the set network diameter.
Step 3 Run:
stp timer-factor factor

The timeout period for waiting for BPDUs from the upstream device is set.
By default, the timeout period is 9 times the Hello timer value.
Step 4 (Optional) If the current device is at the edge of a network, run both or either of the following
commands as needed:
l To configure all ports on the devices as edge ports, run:
stp edged-port default


By default, a port is a non-edge port.


After ports on a network edge device are configured as edge ports, the ports no longer
participate in spanning tree calculation. This speeds up network topology convergence and
improves network stability.
l To configure all ports on the devices as BPDU filter ports, run:
stp bpdu-filter default

By default, a port is a non-BPDU filter port.


After ports on a network edge device are configured as BPDU filter ports, the ports no longer
process or send BPDUs.

WARNING
After the stp bpdu-filter default and stp edged-port default commands are run in the system
view, all ports on the device no longer actively send BPDUs or negotiate with directly-connected
ports; instead, all the ports are in the Forwarding state. This may lead to a loop on the network,
causing broadcast storms. Exercise caution when running these commands.
Step 5 (Optional) To set the Forward Delay period, Hello timer, and Max Age timer, perform the
following operations:
l Run the stp timer forward-delay forward-delay command to set the Forward Delay timer.
The default Forward Delay timer of a switching device is 1500 centiseconds.
l Run the stp timer hello hello-time command to set the Hello timer.
The default Hello timer of a switching device is 200 centiseconds.
l Run the stp timer max-age max-age command to set the Max Age timer.
The default Max Age timer of a switching device is 2000 centiseconds.
NOTE

The values of the Hello timer, Forward Delay timer, and Max Age timer must comply with the following
formulas; otherwise, network flapping occurs.
l 2 x (Forward Delay - 1.0 second) >= Max Age
l Max Age >= 2 x (Hello Time + 1.0 second)

----End
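The constraints this procedure states (the two timer formulas in the NOTE, the BPDU timeout of 3 x Hello timer x timer factor, the network diameter limit of 7, and the stp edged-port default plus stp bpdu-filter default combination in the WARNING) can be checked offline before a configuration is applied. The following Python audit is an added example, not Huawei code and not something that runs on the AC6605: it parses the system-view commands from this procedure out of a constructed configuration snippet and reports each rule that is violated.

```python
"""Offline audit of the STP/RSTP system parameters described in this section.

Added example, not Huawei code. It parses the stp commands shown in this
procedure from a constructed configuration snippet; timers are handled in
centiseconds, the unit the commands use.
"""

# Defaults stated in this section (timers in centiseconds, diameter in hops).
DEFAULTS = {
    "mode": "mstp",          # default working mode of the AC6605
    "bridge-diameter": 7,
    "hello": 200,
    "forward-delay": 1500,
    "max-age": 2000,
    "timer-factor": 3,       # default timeout is 9 x Hello = 3 x Hello x 3
    "edged-port-default": False,
    "bpdu-filter-default": False,
}


def parse_stp_config(text):
    """Return the effective settings after applying the stp commands in text."""
    settings = dict(DEFAULTS)
    for raw in text.splitlines():
        tokens = raw.strip().split()
        if len(tokens) < 2 or tokens[0] != "stp":
            continue  # not an stp command (e.g. system-view)
        if tokens[1] == "mode" and len(tokens) == 3:
            settings["mode"] = tokens[2]
        elif tokens[1] == "bridge-diameter" and len(tokens) == 3:
            settings["bridge-diameter"] = int(tokens[2])
        elif (tokens[1] == "timer" and len(tokens) == 4
              and tokens[2] in ("hello", "forward-delay", "max-age")):
            settings[tokens[2]] = int(tokens[3])
        elif tokens[1] == "timer-factor" and len(tokens) == 3:
            settings["timer-factor"] = int(tokens[2])
        elif tokens[1:] == ["edged-port", "default"]:
            settings["edged-port-default"] = True
        elif tokens[1:] == ["bpdu-filter", "default"]:
            settings["bpdu-filter-default"] = True
    return settings


def bpdu_timeout_cs(settings):
    """Timeout for BPDUs from the upstream device: 3 x Hello timer x timer factor."""
    return 3 * settings["hello"] * settings["timer-factor"]


def audit(settings):
    """Findings for settings that break the rules stated in this section."""
    findings = []
    hello, fd, max_age = (settings[k] / 100.0 for k in ("hello", "forward-delay", "max-age"))
    # NOTE: 2 x (Forward Delay - 1.0 second) >= Max Age
    if not 2 * (fd - 1.0) >= max_age:
        findings.append(f"timer: 2 x (Forward Delay {fd}s - 1s) < Max Age {max_age}s; "
                        "network flapping may occur")
    # NOTE: Max Age >= 2 x (Hello Time + 1.0 second)
    if not max_age >= 2 * (hello + 1.0):
        findings.append(f"timer: Max Age {max_age}s < 2 x (Hello {hello}s + 1s); "
                        "network flapping may occur")
    if settings["bridge-diameter"] > 7:
        findings.append(f"bridge-diameter {settings['bridge-diameter']} exceeds the maximum of 7")
    # WARNING: both commands together put every port in Forwarding without negotiation.
    if settings["edged-port-default"] and settings["bpdu-filter-default"]:
        findings.append("stp edged-port default together with stp bpdu-filter default: all ports "
                        "forward without negotiating BPDUs; loop and broadcast storm risk")
    if settings["mode"] == "stp":
        findings.append("stp mode stp: RSTP is recommended where the device supports it")
    return findings


# Constructed snippet: a Forward Delay that is too short for the Max Age, plus
# the edged-port/bpdu-filter combination the WARNING describes.
SAMPLE_CONFIG = """\
system-view
stp mode rstp
stp bridge-diameter 7
stp timer hello 200
stp timer forward-delay 400
stp timer max-age 2000
stp timer-factor 3
stp edged-port default
stp bpdu-filter default
"""

if __name__ == "__main__":
    cfg = parse_stp_config(SAMPLE_CONFIG)
    print(f"BPDU timeout: {bpdu_timeout_cs(cfg)} centiseconds")
    for finding in audit(cfg):
        print("finding:", finding)
```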

Configuring Port Parameters


Port parameters that may affect RSTP topology convergence include the link type and maximum
number of sent BPDUs. Proper port parameter settings help implement rapid topology
convergence.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
interface interface-type interface-number


The Ethernet interface view is displayed.


Step 3 (Optional) Run:
stp point-to-point { auto | force-false | force-true }

The link type is configured for the interface.


By default, an interface automatically determines whether to connect to a P2P link. The P2P link
supports rapid network convergence.
l If the Ethernet port works in full-duplex mode, the port is connected to a P2P link. In this
case, force-true can be configured to implement rapid network convergence.
l If the Ethernet port works in half-duplex mode, you can run stp point-to-point force-true
to forcibly set the link type to P2P.
Step 4 Run:
stp mcheck

MCheck is enabled.
If a port on a switching device running RSTP is connected to a device running STP, the port
automatically transitions to the STP interoperable mode.
Enabling MCheck on the port is required because the port may fail to automatically transition
to the RSTP mode in the following situations:
l The switching device running STP is shut down or moved.
l The switching device running STP transitions to the RSTP mode.
NOTE

If you run the stp mcheck command in the system view, the MCheck operation is performed on all the
interfaces.

Step 5 Run:
stp transmit-limit packet-number

The maximum number of BPDUs sent by a port per second is set.


By default, the maximum number of BPDUs that a port sends per second is 147.
Step 6 (Optional) Run:
stp edged-port enable

The port is configured as an edge port.


If a device port is connected to a terminal, you can run this command to configure the port as
an edge port.
By default, a port is a non-edge port.
If the current port has been configured as an edge port, the port can still send BPDUs. This may
cause BPDUs to be sent to other networks, leading to network flapping. To prevent this problem,
run the stp bpdu-filter enable command to configure the edge port as a BPDU filter port and
disable the port from processing or sending BPDUs.

WARNING
After the stp bpdu-filter enable command is run on a port, the port no longer processes or sends
BPDUs. The port will not negotiate with the directly-connected port to establish an STP
connection.
Step 7 Run:
quit

Return to the system view.


Step 8 (Optional) Run:
error-down auto-recovery cause cause-item interval interval-value

The auto recovery function on an edge port is configured. This function enables a port in the
error-down state to automatically go Up after the specified delay.
There is no default value for the recovery time. Therefore, you must specify a delay when using
this command.
----End

Follow-up Procedure
When the topology of a spanning tree changes, the forwarding paths to associated VLANs are
changed. The ARP entries corresponding to those VLANs on the switching device need to be
updated. STP/RSTP processes ARP entries in either fast or normal mode.
l In fast mode, ARP entries to be updated are directly deleted.
l In normal mode, ARP entries to be updated are rapidly aged. The remaining lifetime of ARP
entries to be updated is set to 0. The switching device rapidly processes these aged entries. If
the number of ARP aging probe attempts is not set to 0, ARP implements aging probe for these
ARP entries.
In either fast or normal mode, MAC entries are directly deleted.

You can run the stp converge { fast | normal } command in the system view to configure the
STP/RSTP convergence mode.
By default, the normal STP/RSTP convergence mode is used.
NOTE

The normal mode is recommended. If the fast mode is adopted, ARP entries will be frequently deleted,
causing the CPU usage on the MPU or LPU to reach 100%. As a result, network flapping will frequently
occur.

Checking the Configuration


After configuring STP/RSTP parameters that affect the topology convergence, you can verify
the configurations.

Prerequisites
The parameters that affect topology convergence have been configured.

Procedure
l Run the display stp [ interface interface-type interface-number ] [ brief ] command to view
spanning-tree status and statistics.

----End

3.6.4 Configuring RSTP Protection Functions


This section describes how to configure RSTP protection functions. You can configure one or
more functions.

Establishing the Configuration Task


Before configuring RSTP protection functions, familiarize yourself with the applicable
environment, complete the pre-configuration tasks, and obtain the required data. This will help
you complete the configuration task quickly and accurately.

Applicable Environment
RSTP provides the protection functions listed in Table 3-13.
Table 3-13 RSTP Protection Function

Protection Function: BPDU protection
Scenario: An edge port changes into a non-edge port after receiving a BPDU, which triggers
spanning tree recalculation. If an attacker keeps sending pseudo BPDUs to a switching device,
network flapping occurs.
Configuration Impact: After BPDU protection is enabled, the switching device shuts down the
edge port if the edge port receives an RST BPDU. Then the device notifies the NMS of the
shutdown event. The attributes of the edge port are not changed.

Protection Function: TC protection
Scenario: Generally, after receiving TC BPDUs (packets for advertising network topology
changes), a switching device needs to delete MAC entries and ARP entries. Frequent deletions
exhaust CPU resources.
Configuration Impact: TC protection is used to suppress TC BPDUs. You can configure the
number of times a switching device processes TC BPDUs within a given time period. If the
number of TC BPDUs that the switching device receives within a given time exceeds the
specified threshold, the switching device processes only the specified number of TC BPDUs.
After the specified time period expires, the device processes the excess TC BPDUs once. This
function prevents the switching device from frequently deleting MAC entries and ARP entries,
saving CPU resources.

Protection Function: Root protection
Scenario: Due to incorrect configurations or malicious attacks on the network, a root bridge
may receive BPDUs with a higher priority than its own priority. Consequently, the legitimate
root bridge is no longer able to serve as the root bridge and the network topology is changed,
triggering spanning tree recalculation. This may transfer traffic from high-speed links to
low-speed links, causing traffic congestion.
Configuration Impact: If a designated port is enabled with the root protection function, the
role of the port cannot be changed. Once a designated port that is enabled with root protection
receives RST BPDUs with a higher priority, the port enters the Discarding state and does not
forward packets. If the port does not receive any RST BPDUs with a higher priority before a
period (generally two Forward Delay periods) expires, the port automatically enters the
Forwarding state.

Protection Function: Loop protection
Scenario: A root port or an alternate port will age if link congestion or a one-way link failure
occurs. After the root port ages, a switching device may re-select a root port incorrectly. After
the alternate port ages, the port enters the Forwarding state. Loops may occur in such a
situation.
Configuration Impact: After loop protection is configured, if the root port or alternate port
does not receive RST BPDUs from the upstream switching device for a long time, the switching
device notifies the NMS that the port enters the Discarding state. The blocked port remains in
the Blocked state and no longer forwards packets. This function helps prevent loops on the
network. The root port transitions to the Forwarding state after receiving new BPDUs.

Pre-configuration Tasks
Before configuring RSTP protection functions, complete the following task:
l Configuring basic RSTP functions


NOTE

Configure an edge port on the switching device before configuring BPDU protection.

Data Preparation
To configure RSTP protection functions, you need the following data.
No.  Data
1    Number of the port on which root protection is to be enabled
2    Number of the port on which loop protection is to be enabled

Configuring BPDU Protection on a Switching Device


After BPDU protection is enabled, a switching device shuts down an edge port if the edge port
receives a BPDU, and notifies the NMS of the shutdown event.

Context
Edge ports are directly connected to user terminals and will not receive BPDUs. Attackers may
send pseudo BPDUs to attack the switching device. If the edge ports receive the BPDUs, the
switching device configures the edge ports as non-edge ports and triggers a new spanning tree
calculation. Network flapping then occurs. BPDU protection can be used to protect switching
devices against malicious attacks.
Perform the following steps on a switching device that has an edge port.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
stp bpdu-protection

BPDU protection is enabled on the switching device.


By default, BPDU protection is disabled on the switching device.
----End

Follow-up Procedure
To allow an edge port to automatically start after being shut down, you can run the error-down
auto-recovery cause cause-item interval interval-value command to configure the auto
recovery function and set the delay on the port. After the delay expires, the port automatically
goes Up. interval interval-value ranges from 30 to 86400, in seconds. Note the following when
setting this parameter:
l There is no default value for the recovery time. Therefore, you must specify a delay when
configuring this command.
l The smaller the interval-value is, the shorter it takes for the edge port to go Up, and the
more frequently the edge port alternates between Up and Down.
l The larger the interval-value is, the longer it takes for the edge port to go Up, and the longer
the service interruption lasts.
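The interaction between BPDU protection and the auto recovery delay can be traced in a small model. The following Python program is an added example written for this guide, not AC6605 software, and it does not reproduce the device's implementation: it models an edge port that is shut down when a BPDU arrives (with the NMS notification recorded) and that goes Up again after the configured interval-value, using the 30 to 86400 second range stated above. The port name and the BPDU arrival pattern are constructed for the example.

```python
"""State model of an edge port with BPDU protection and error-down auto recovery.

Added example illustrating the Follow-up Procedure above; it is not AC6605
software. A BPDU arriving on the edge port puts the port into error-down and
records an NMS notification; with a recovery interval configured the port goes
Up again after that many seconds. The 30..86400 range is the one the guide
gives for interval-value; the port name and BPDU arrival times are constructed."""

from dataclasses import dataclass, field
from typing import List, Optional, Tuple

MIN_INTERVAL, MAX_INTERVAL = 30, 86400   # seconds, range of interval-value per the guide


@dataclass
class EdgePort:
    name: str
    recovery_interval: Optional[int] = None   # None: auto recovery not configured
    state: str = "up"                          # "up" or "error-down"
    down_since: Optional[float] = None
    nms_events: List[Tuple[float, str]] = field(default_factory=list)

    def __post_init__(self) -> None:
        if self.recovery_interval is not None and not (
            MIN_INTERVAL <= self.recovery_interval <= MAX_INTERVAL
        ):
            raise ValueError("interval-value must be between 30 and 86400 seconds")

    def on_bpdu(self, now: float) -> None:
        """BPDU protection: a BPDU on an edge port shuts the port down and notifies the NMS."""
        if self.state == "up":
            self.state = "error-down"
            self.down_since = now
            self.nms_events.append((now, f"{self.name} error-down: BPDU received on edge port"))

    def tick(self, now: float) -> None:
        """Auto recovery: bring the port Up once the configured delay has elapsed."""
        if (
            self.state == "error-down"
            and self.recovery_interval is not None
            and now - self.down_since >= self.recovery_interval
        ):
            self.state = "up"
            self.down_since = None
            self.nms_events.append((now, f"{self.name} up: auto recovery after {self.recovery_interval}s"))


def count_flaps(bpdu_times: List[float], interval: Optional[int], horizon: float, step: float = 1.0) -> int:
    """Number of error-down events within `horizon` seconds for a constructed BPDU
    arrival pattern. A smaller interval brings the port Up sooner, so while BPDUs
    keep arriving it also goes Down more often; no interval leaves it Down."""
    port = EdgePort("GE0/0/2", recovery_interval=interval)
    pending = sorted(bpdu_times)
    t = 0.0
    while t <= horizon:
        port.tick(t)
        while pending and pending[0] <= t:
            port.on_bpdu(pending.pop(0))
        t += step
    return sum(1 for _, msg in port.nms_events if "error-down" in msg)


if __name__ == "__main__":
    # Constructed pattern: one BPDU per second for ten minutes on the edge port.
    bpdus = [float(s) for s in range(601)]
    for interval in (30, 300, None):
        print(f"interval {interval}: {count_flaps(list(bpdus), interval, 600)} error-down events")
```

Running count_flaps with the same BPDU pattern and intervals of 30 and 300 seconds shows the trade-off listed above: the shorter interval produces many more Up/Down transitions while BPDUs keep arriving, the longer one a longer service interruption, and without a configured interval the port stays in the error-down state.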

Configuring TC Protection on a Switching Device


After TC protection is enabled, you can set the number of times a switching device processes
TC BPDUs within a given time. TC protection avoids frequent deletion of MAC address entries
and ARP entries, thereby protecting switching devices.

Context
Attackers may send pseudo TC BPDUs to attack switching devices. Switching devices receive
a large number of TC BPDUs in a short time and delete entries frequently, which burdens system
processing and degrades network stability.
TC protection is used to suppress TC BPDUs. You can configure the number of times a switching
device processes TC BPDUs within a given time period. If the number of TC BPDUs that the
switching device receives within a given time exceeds the specified threshold, the switching
device processes only the specified number of TC BPDUs. After the specified time period
expires, the device processes the excess TC BPDUs once. This function prevents the
switching device from frequently deleting MAC entries and ARP entries, saving CPU resources.
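The suppression rule described in this Context can be worked through in a small model. The following Python program is an added example for this guide, not AC6605 software: it applies the rule as stated (at most the configured number of TC BPDUs are processed per period, and the excess is processed once when the period expires) to a constructed burst of TC BPDUs. The length of the period is not given in this guide, so PERIOD_SECONDS is an assumption, as are the arrival times.

```python
"""Model of TC BPDU suppression as configured with 'stp tc-protection threshold'.

Added example illustrating the Context above; it is not AC6605 software and
the device's actual implementation is not described in this guide. The model
follows the text: within one period at most `threshold` TC BPDUs are processed
(each processing flushes MAC and ARP entries), excess TC BPDUs are remembered
and processed once when the period expires. The period length (PERIOD_SECONDS)
and the TC BPDU arrival times are assumptions made for the example."""

from dataclasses import dataclass, field
from typing import List, Tuple

PERIOD_SECONDS = 2.0   # assumption: the guide does not state the period length


@dataclass
class TcProtection:
    threshold: int                     # TC BPDUs processed per period at most
    period: float = PERIOD_SECONDS
    period_start: float = 0.0
    processed_in_period: int = 0
    excess_pending: bool = False
    flush_log: List[Tuple[float, str]] = field(default_factory=list)

    def _flush(self, now: float, reason: str) -> None:
        """One flush = one deletion of MAC and ARP entries (the costly operation)."""
        self.flush_log.append((round(now, 3), reason))

    def _roll_period(self, now: float) -> None:
        """Close every period that has expired; a closed period with excess TC
        BPDUs is processed once, then the counters start over."""
        while now - self.period_start >= self.period:
            if self.excess_pending:
                self._flush(self.period_start + self.period, "deferred excess")
                self.excess_pending = False
            self.period_start += self.period
            self.processed_in_period = 0

    def receive_tc_bpdu(self, now: float) -> bool:
        """Return True if the TC BPDU is processed now, False if it is suppressed."""
        self._roll_period(now)
        if self.processed_in_period < self.threshold:
            self.processed_in_period += 1
            self._flush(now, "tc bpdu")
            return True
        self.excess_pending = True
        return False

    def tick(self, now: float) -> None:
        """Advance time without a BPDU so an expired period can release its excess."""
        self._roll_period(now)


def simulate(arrivals: List[float], threshold: int) -> Tuple[int, List[Tuple[float, str]]]:
    """Feed constructed TC BPDU arrival times through the model; return the number
    of entry flushes and the flush log. Without TC protection every arrival
    would be a flush, so len(arrivals) is the comparison value."""
    tc = TcProtection(threshold=threshold)
    for t in arrivals:
        tc.receive_tc_bpdu(t)
    tc.tick(arrivals[-1] + PERIOD_SECONDS)    # let the final period expire
    return len(tc.flush_log), tc.flush_log


if __name__ == "__main__":
    burst = [i * 0.02 for i in range(50)]     # constructed: 50 TC BPDUs within one second
    flushes, log = simulate(burst, threshold=1)
    print(f"without TC protection: {len(burst)} MAC/ARP flushes")
    print(f"with threshold 1:      {flushes} MAC/ARP flushes")
    for when, why in log:
        print(f"  t={when:>6}s  {why}")
```

With a burst of 50 TC BPDUs in one second and a threshold of 1, the model performs two MAC/ARP flushes (one immediate, one deferred for the excess) instead of 50, which is the CPU saving the text refers to; widely spaced TC BPDUs are still processed individually.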

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
stp tc-protection

TC protection is enabled for a switching device.


By default, TC protection is enabled on the switching device.
Step 3 Run:
stp tc-protection threshold threshold

The maximum number of times the switching device processes received TC BPDUs and updates
forwarding entries within a given time is set.
----End

Configuring Root Protection on a Port


The root protection function on a switching device protects a root bridge by preserving the role
of a designated port.

Context
Due to incorrect configurations or malicious attacks on the network, a root bridge may receive
BPDUs with a higher priority. Consequently, the legitimate root bridge is no longer able to serve
as the root bridge and the network topology is changed, triggering spanning tree recalculation.
This also may cause the traffic that should be transmitted over high-speed links to be transmitted
over low-speed links, leading to network congestion. The root protection function on a switching
device is used to protect the root bridge by preserving the role of the designated port.
NOTE

Root protection takes effect only on designated ports.

Perform the following steps on the root bridge.


Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
interface interface-type interface-number

The Ethernet interface view is displayed.


Step 3 Run:
stp root-protection

Root protection is enabled on the interface.


By default, root protection is disabled.
----End

Configuring Loop Protection on a Port


The loop protection function suppresses loops caused by link congestion.

Context
On a network running RSTP, a switching device maintains the root port status and status of
blocked ports by receiving BPDUs from an upstream switching device. If the switching device
cannot receive BPDUs from the upstream device because of link congestion or unidirectional
link failure, the switching device re-selects a root port. The original root port becomes a
designated port and the original blocked ports change to the Forwarding state. This switching
may cause network loops, which can be mitigated by configuring loop protection.
After loop protection is configured, if the root port or alternate port does not receive BPDUs
from the upstream switching device, the root port is blocked and the switching device notifies
the NMS that the port enters the Discarding state. The blocked port remains in the Blocked state
and no longer forwards packets. This function helps prevent loops on the network. The root port
transitions to the Forwarding state after receiving new BPDUs.
NOTE

An alternate port is a backup port for a root port. If a switching device has an alternate port, you need to
configure loop protection on both the root port and the alternate port.

Perform the following steps to configure loop protection on the root port and alternate port of a
switching device.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
interface interface-type interface-number

The Ethernet interface view is displayed.


Step 3 Run:
stp loop-protection

Loop protection for the root port or the alternate port is configured on the switching device.
By default, loop protection is disabled.
----End

Checking the Configuration


After RSTP protection functions are configured, you can verify that the configurations take
effect.

Prerequisites
All configurations for RSTP protection functions are complete.

Procedure
l Run the display stp [ interface interface-type interface-number ] [ brief ] command to view
the status of a spanning tree, including the status of protection functions on a switching
device.

----End

3.6.5 Configuring STP/RSTP Interoperability Between Huawei Devices and Non-Huawei Devices


To support STP/RSTP interoperability between Huawei devices and non-Huawei devices,
proper parameters are required on Huawei devices running STP/RSTP to ensure nonstop
communication.

Establishing the Configuration Task


Before configuring STP/RSTP interoperability between Huawei devices and non-Huawei
devices, familiarize yourself with the applicable environment, complete the pre-configuration
tasks, and obtain the required data. This will help you complete the configuration task quickly
and accurately.

Applicable Environment
On a network running STP/RSTP, inconsistent protocol packet formats and BPDU keys may
lead to a communication failure. Configuring proper STP/RSTP parameters on Huawei devices
ensures interoperability between Huawei devices and non-Huawei devices.

Pre-configuration Tasks
Before configuring STP/RSTP interoperability between Huawei devices and non-Huawei
devices, complete the following task:
l Configuring basic STP/RSTP functions

Data Preparation
To configure STP/RSTP interoperability between Huawei devices and non-Huawei devices, you
need the following data.
No.  Data
1    BPDU format

Configuring the Proposal/Agreement Mechanism


To enable Huawei Datacom devices to communicate with non-Huawei devices, a proper rapid
transition mechanism needs to be configured on Huawei devices based on the
Proposal/Agreement mechanism on non-Huawei devices.

Context
The rapid transition mechanism is also called the Proposal/Agreement mechanism. Switching
devices currently support the following modes:
l Enhanced mode: The current interface counts a root port when it counts the synchronization
flag bit.
An upstream device sends a Proposal message to a downstream device, requesting rapid
status transition. After receiving the message, the downstream device sets the port
connected to the upstream device to a root port and blocks all non-edge ports.
The upstream device then sends an Agreement message to the downstream device. After
the downstream device receives the message, the root port transitions to the Forwarding
state.
The downstream device responds to the Proposal message with an Agreement message.
After receiving the message, the upstream device sets the port connected to the
downstream device as a designated port. The designated port then transitions to the
Forwarding state.
l Common mode: The current interface ignores the root port when it counts the
synchronization flag bit.
An upstream device sends a Proposal message to a downstream device, requesting rapid
status transition. After receiving the message, the downstream device sets the port
connected to the upstream device to a root port and blocks all non-edge ports. The root
port then transitions to the Forwarding state.
The downstream device responds to the Proposal message with an Agreement message.
After receiving the message, the upstream device sets the port connected to the
downstream device as a designated port. The designated port then transitions to the
Forwarding state.

When Huawei datacom devices are interworking with non-Huawei devices, select either mode
depending on the Proposal/Agreement mechanisms on non-Huawei devices.
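The two modes can be traced as a message exchange over one link. The following Python program is an added example written for this guide, not AC6605 software: it models only the message order described above for the enhanced and common modes, with the peer device's behaviour (whether it sends an Agreement to the downstream device after its Proposal) as a parameter rather than a statement about any vendor. The port names are constructed.

```python
"""Model of the enhanced and common rapid transition (Proposal/Agreement) modes.

Added example for this guide's description; it is not AC6605 software. Only the
message order given in the text is modeled: in enhanced mode the downstream root
port enters Forwarding after an Agreement from the upstream device, in common
mode as soon as the Proposal has been answered. Whether the upstream device
sends that Agreement is a parameter of the model; port names are constructed."""

from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass
class Downstream:
    mode: str                                  # "enhanced" or "common"
    non_edge_ports: List[str]
    root_port: str = ""
    root_port_state: str = "DISCARDING"
    blocked: List[str] = field(default_factory=list)

    def on_proposal(self, port: str) -> str:
        """Set the receiving port as root port, block all other non-edge ports,
        and answer with an Agreement (both modes)."""
        self.root_port = port
        self.blocked = [p for p in self.non_edge_ports if p != port]
        if self.mode == "common":
            # Common mode: the root port forwards without waiting for the upstream Agreement.
            self.root_port_state = "FORWARDING"
        return "Agreement"

    def on_agreement(self) -> None:
        """Enhanced mode: the root port forwards only after the upstream Agreement."""
        if self.mode == "enhanced" and self.root_port:
            self.root_port_state = "FORWARDING"


@dataclass
class Upstream:
    sends_agreement: bool                      # assumption: peer behaviour is a parameter
    designated_state: str = "DISCARDING"

    def on_agreement(self) -> None:
        """The port towards the downstream device becomes a forwarding designated port."""
        self.designated_state = "FORWARDING"


def negotiate(downstream_mode: str, upstream_sends_agreement: bool
              ) -> Tuple[str, str, List[str], List[str]]:
    """Run one exchange over the link; returns the downstream root port state,
    the upstream designated port state, the blocked ports, and the transcript."""
    up = Upstream(upstream_sends_agreement)
    down = Downstream(downstream_mode, non_edge_ports=["GE0/0/1", "GE0/0/2", "GE0/0/3"])
    transcript = ["upstream -> downstream: Proposal"]
    reply = down.on_proposal("GE0/0/1")          # root port = the port facing upstream
    if up.sends_agreement:
        transcript.append("upstream -> downstream: Agreement")
        down.on_agreement()
    transcript.append(f"downstream -> upstream: {reply}")
    up.on_agreement()
    return down.root_port_state, up.designated_state, down.blocked, transcript


if __name__ == "__main__":
    for mode, peer_agrees in (("enhanced", True), ("enhanced", False), ("common", False)):
        root_state, desi_state, blocked, log = negotiate(mode, peer_agrees)
        print(f"{mode} mode, upstream sends Agreement={peer_agrees}: "
              f"root port {root_state}, designated port {desi_state}, blocked {blocked}")
        for line in log:
            print("   ", line)
```

The case to note is an enhanced-mode interface whose upstream peer never sends an Agreement: in the model its root port stays in the Discarding state, which is the situation the procedure below addresses by selecting the common mode with stp no-agreement-check.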

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
interface interface-type interface-number

The Ethernet interface view is displayed.


Step 3 Run:
stp no-agreement-check

The common rapid transition mechanism is configured.


By default, the interface uses the enhanced rapid transition mechanism.
----End

Checking the Configuration


After MSTP parameters are configured for the interoperability between Huawei devices and
non-Huawei devices, you can verify that the configurations take effect.

Prerequisites
Parameters have been configured to ensure MSTP interoperability between Huawei devices and
non-Huawei devices.

Procedure
l Run the display stp [ interface interface-type interface-number ] [ brief ] command to view
spanning-tree status.

----End

3.6.6 Maintaining STP/RSTP


STP/RSTP maintenance includes clearing STP/RSTP statistics.

Clearing STP/RSTP Statistics


You can run the reset commands to clear STP/RSTP statistics.

Context

CAUTION
STP/RSTP statistics cannot be restored after being cleared.

Procedure
Step 1 Run the reset stp [ interface interface-type interface-number ] statistics command to clear
spanning-tree statistics.
----End

3.6.7 Configuration Examples


This section describes the networking requirements, configuration roadmap, data preparation,
and procedures for some typical application scenarios for STP/RSTP. This section also provides
the related configuration files.

Example for Configuring Basic STP Functions


This example shows how to configure basic STP functions.

Networking Requirements
Network designers tend to deploy multiple physical links between two devices (one link is the
master and the others are backups) to fulfill network redundancy requirements. Loops are bound
to occur on such types of complex networks.
Loops will cause broadcast storms, which exhaust network resources and paralyze the network.
Loops also cause MAC address flapping that damages MAC address entries.
STP can be deployed on a network to eliminate loops by blocking some ports. On the network
shown in Figure 3-31, after SwitchA, SwitchB, SwitchC, and SwitchD running STP discover
loops by exchanging information, they trim the ring topology into a loop-free tree topology by
blocking a certain port. STP prevents replication and circular propagation of packets on the
network and releases the switching devices from processing duplicate packets, improving
their processing performance.
Figure 3-31 Configuring basic STP functions
[Figure not reproduced. Labels recovered from the figure: Network; SwitchA (Root Bridge);
SwitchB; SwitchC; SwitchD; interfaces GE 0/0/1, GE 0/0/2 and GE 0/0/3; PC1; PC2; STP;
Blocked port.]

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure basic STP functions, including:
   a. Configure the STP mode for the ring network.
   b. Configure primary and secondary root bridges.
   c. Set path costs for ports to block certain ports.
   d. Enable STP to eliminate loops.
   NOTE
   STP is not required on the interfaces connected to terminals because these interfaces do not
   need to participate in STP calculation.

Data Preparation
To complete the configuration, you need the following data:
l GE interface number, as shown in Figure 3-31
l Primary root bridge SwitchA and secondary root bridge SwitchD
l Path cost of a port to be blocked (20000 is used in this example)

Procedure
Step 1 Configure basic STP functions.
1. Configure the STP mode for the devices on the ring network.
# Configure the STP mode on SwitchA.
<Quidway> system-view
[Quidway] sysname SwitchA
[SwitchA] stp mode stp

# Configure the STP mode on SwitchB.


<Quidway> system-view
[Quidway] sysname SwitchB
[SwitchB] stp mode stp

# Configure the STP mode on SwitchC.


<Quidway> system-view
[Quidway] sysname SwitchC
[SwitchC] stp mode stp

# Configure the STP mode on SwitchD.


<Quidway> system-view
[Quidway] sysname SwitchD
[SwitchD] stp mode stp

2. Configure primary and secondary root bridges.


# Configure SwitchA as a primary root bridge.
[SwitchA] stp root primary

# Configure SwitchD as a secondary root bridge.


[SwitchD] stp root secondary

3. Set path costs for ports in each spanning tree to block certain ports.
NOTE
l The values of path costs depend on the path-cost calculation method. Huawei calculation method
is used in this example, and the path cost of the blocked port is set to 200000 (the highest value
in the range).
l All switching devices on a network must use the same path cost calculation method.

# Set the path cost of GE0/0/1 on SwitchC to 20000.


[SwitchC] interface gigabitethernet 0/0/1
[SwitchC-GigabitEthernet0/0/1] stp cost 20000
[SwitchC-GigabitEthernet0/0/1] quit

4. Enable STP to eliminate loops.


l Disable STP on interfaces connected to PCs.
# Disable STP on GE 0/0/2 on SwitchB.
[SwitchB] interface gigabitethernet 0/0/2
[SwitchB-GigabitEthernet0/0/2] stp disable
[SwitchB-GigabitEthernet0/0/2] quit

# Disable STP on GE 0/0/2 on SwitchC.


[SwitchC] interface gigabitethernet 0/0/2
[SwitchC-GigabitEthernet0/0/2] stp disable
[SwitchC-GigabitEthernet0/0/2] quit

l Enable STP globally.


# Enable STP globally on SwitchA.
[SwitchA] stp enable

# Enable STP globally on SwitchB.


[SwitchB] stp enable

# Enable STP globally on SwitchC.


[SwitchC] stp enable

# Enable STP globally on SwitchD.


[SwitchD] stp enable

l Enable BPDU on all the interfaces except the interfaces connected to terminals.
# Enable BPDU on GE 0/0/1 and GE 0/0/2 on SwitchA.
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] quit

# Enable BPDU on GE 0/0/1 and GE 0/0/3 on SwitchB.


[SwitchB] interface gigabitethernet 0/0/1
[SwitchB-GigabitEthernet0/0/1] quit
[SwitchB] interface gigabitethernet 0/0/3
[SwitchB-GigabitEthernet0/0/3] quit

# Enable BPDU on GE 0/0/1 and GE 0/0/3 on SwitchC.


[SwitchC] interface gigabitethernet 0/0/1
[SwitchC-GigabitEthernet0/0/1] quit
[SwitchC] interface gigabitethernet 0/0/3
[SwitchC-GigabitEthernet0/0/3] quit

# Enable BPDU on GE 0/0/1 and GE 0/0/2 on SwitchD.


[SwitchD] interface gigabitethernet 0/0/1
[SwitchD-GigabitEthernet0/0/1] quit
[SwitchD] interface gigabitethernet 0/0/2
[SwitchD-GigabitEthernet0/0/2] quit

Step 2 Verify the configuration.


After the previous configurations, run the following commands to verify the configuration when
the network is stable:
# Run the display stp brief command on SwitchA to view the interface status and protection
type. The displayed information is as follows:
[SwitchA] display stp brief
 MSTID  Port                        Role  STP State     Protection
   0    GigabitEthernet0/0/1        DESI  FORWARDING      NONE
   0    GigabitEthernet0/0/2        DESI  FORWARDING      NONE

After SwitchA is configured as a root bridge, GE 0/0/2 and GE 0/0/1 connected to SwitchB and
SwitchD respectively are elected as designated ports in spanning tree calculation.
# Run the display stp interface gigabitethernet 0/0/1 brief command on SwitchB to view status
of GE 0/0/1. The displayed information is as follows:
[SwitchB] display stp interface gigabitethernet 0/0/1 brief
 MSTID  Port                        Role  STP State     Protection
   0    GigabitEthernet0/0/1        DESI  FORWARDING      NONE

GE 0/0/1 is elected as a designated port in spanning tree calculation and is in the Forwarding
state.
# Run the display stp brief command on SwitchC to view the interface status and protection
type. The displayed information is as follows:
[SwitchC] display stp brief
 MSTID  Port                        Role  STP State     Protection
   0    GigabitEthernet0/0/1        ALTE  DISCARDING      NONE
   0    GigabitEthernet0/0/3        ROOT  FORWARDING      NONE

GE 0/0/1 is elected as an alternate port in spanning tree calculation and is in the Discarding state.
GE 0/0/3 is elected as a root port in spanning tree calculation and is in the Forwarding state.
----End
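The outputs in this verification step are the kind a monitoring job can parse after the network is stable. The following Python program is an added example written for this guide, not AC6605 software: it parses the display stp brief column layout shown above and applies two checks, that every port on the intended root bridge is a designated port, and that those designated ports show root protection in the Protection column (ROOT, as displayed in the RSTP example that follows once stp root-protection is configured). The two sample outputs are constructed to match the SwitchA and SwitchC output above.

```python
"""Parser and sanity checks for the output of 'display stp brief'.

Added example, not AC6605 software. It reads the columns shown in the
verification step above (MSTID, Port, Role, STP State, Protection) and applies
two checks a monitoring job can run after the network is stable: on the device
that is meant to be the root bridge every port should be a designated port,
and designated ports there should show root protection (the Protection column
reads ROOT once stp root-protection is configured). The two outputs below are
constructed from the example, in that layout."""

import re
from typing import Dict, List

# One port row: MSTID, port name, four-letter role, state word, protection word.
ROW_RE = re.compile(
    r"^\s*(?P<mstid>\d+)\s+(?P<port>\S+)\s+(?P<role>[A-Z]{4})\s+"
    r"(?P<state>[A-Z]+)\s+(?P<prot>\S+)\s*$"
)

SWITCHA_OUTPUT = """\
 MSTID  Port                        Role  STP State     Protection
   0    GigabitEthernet0/0/1        DESI  FORWARDING      NONE
   0    GigabitEthernet0/0/2        DESI  FORWARDING      NONE
"""

SWITCHC_OUTPUT = """\
 MSTID  Port                        Role  STP State     Protection
   0    GigabitEthernet0/0/1        ALTE  DISCARDING      NONE
   0    GigabitEthernet0/0/3        ROOT  FORWARDING      NONE
"""


def parse_stp_brief(text: str) -> List[Dict[str, str]]:
    """Return one dict per port row; the header and any other lines are skipped."""
    return [m.groupdict() for m in map(ROW_RE.match, text.splitlines()) if m]


def check_root_bridge(rows: List[Dict[str, str]], expect_root_bridge: bool) -> List[str]:
    """Findings for a device that should (or should not) be the root bridge."""
    findings = []
    if expect_root_bridge:
        for r in rows:
            if r["role"] != "DESI":
                findings.append(f"{r['port']}: role {r['role']} on the intended root bridge; "
                                "another bridge is advertising a better priority")
            elif r["prot"] != "ROOT":
                findings.append(f"{r['port']}: designated port without root protection")
    elif not any(r["role"] == "ROOT" for r in rows):
        findings.append("no root port: this device considers itself the root bridge")
    return findings


if __name__ == "__main__":
    for name, text, is_root in (("SwitchA", SWITCHA_OUTPUT, True), ("SwitchC", SWITCHC_OUTPUT, False)):
        rows = parse_stp_brief(text)
        print(name, [(r["port"], r["role"], r["state"], r["prot"]) for r in rows])
        for finding in check_root_bridge(rows, is_root):
            print("  finding:", finding)
```

On the SwitchA output above both ports are designated ports, so the only findings are that root protection is not yet configured on them; a ROOT role appearing on the intended root bridge is the condition root protection is meant to prevent.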

Configuration Files
l Configuration file of SwitchA
#
sysname SwitchA
#
stp mode stp
stp instance 0 root primary
stp enable
#
return
l Configuration file of SwitchB
#
sysname SwitchB
#
stp mode stp
stp enable
#
interface GigabitEthernet0/0/2
stp disable
#
return
l Configuration file of SwitchC
#
sysname SwitchC
#
stp mode stp
stp enable
#
interface GigabitEthernet0/0/1
stp instance 0 cost 20000
#
interface GigabitEthernet0/0/2
stp disable
#
return
l Configuration file of SwitchD
#
sysname SwitchD
#
stp mode stp
stp instance 0 root secondary
stp enable
#
return

Example for Configuring Basic RSTP Functions


This example describes how to configure basic RSTP functions.

Networking Requirements
Network designers tend to deploy multiple physical links between two devices (one link is the
master and the others are backups) to fulfill network redundancy requirements. Loops are bound
to occur on such types of complex networks.
Loops will cause broadcast storms, which exhaust network resources and paralyze the network.
Loops also cause MAC address flapping that damages MAC address entries.
RSTP can be deployed on a network to eliminate loops by blocking some ports. On the network
shown in Figure 3-32, after SwitchA, SwitchB, SwitchC, and SwitchD running RSTP detect
loops by exchanging information, they trim the ring topology into a loop-free tree topology by
blocking a certain port. RSTP prevents replication and circular propagation of packets on the
network and releases the switching devices from processing duplicate packets, improving
their processing performance.

Figure 3-32 Configuring basic RSTP functions
[Figure not reproduced. Labels recovered from the figure: Network; SwitchA (Root Bridge);
SwitchB; SwitchC; SwitchD; interfaces GE 0/0/1, GE 0/0/2 and GE 0/0/3; PC1; PC2; RSTP;
Blocked port.]

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure basic RSTP functions, including:
   a. Configure the RSTP mode for the ring network.
   b. Configure primary and secondary root bridges.
   c. Set path costs for the ports in each MSTI to determine the port to be blocked.
   d. Enable RSTP to eliminate loops.
   NOTE
   RSTP is not required on the interfaces connected to terminals because these interfaces do not
   need to participate in RSTP calculation.
2. Configure RSTP protection functions, for example, root protection on a designated port of
a root bridge in each MSTI.

Data Preparation
To complete the configuration, you need the following data:
l GE interface number, as shown in Figure 3-32
l Primary root bridge SwitchA and secondary root bridge SwitchD
l Path cost of the port to be blocked (20000 is used in this example)

Procedure
Step 1 Configure basic RSTP functions.
1. Configure the RSTP mode for the devices on the ring network.
# Configure the RSTP mode on SwitchA.
<Quidway> system-view
[Quidway] sysname SwitchA
[SwitchA] stp mode rstp

# Configure the RSTP mode on SwitchB.


<Quidway> system-view
[Quidway] sysname SwitchB
[SwitchB] stp mode rstp

# Configure the RSTP mode on SwitchC.


<Quidway> system-view
[Quidway] sysname SwitchC
[SwitchC] stp mode rstp

# Configure the RSTP mode on SwitchD.


<Quidway> system-view
[Quidway] sysname SwitchD
[SwitchD] stp mode rstp

2. Configure primary and secondary root bridges.


# Configure SwitchA as the primary root bridge.
[SwitchA] stp root primary

# Configure SwitchD as the secondary root bridge.


[SwitchD] stp root secondary

3. Set path costs for ports to block certain ports.


NOTE

l The values of path costs depend on the path-cost calculation method. Huawei calculation method
is used in this example, and the path cost of the blocked port is set to 200000 (the highest value
in the range).
l All switching devices on a network must use the same path cost calculation method.

# Set the path cost of GE0/0/1 on SwitchC to 20000.


[SwitchC] interface gigabitethernet 0/0/1
[SwitchC-GigabitEthernet0/0/1] stp cost 20000
[SwitchC-GigabitEthernet0/0/1] quit

4. Enable RSTP to eliminate loops.


l Disable RSTP on interfaces connected to PCs.
# Disable RSTP on GE 0/0/2 on SwitchB.
[SwitchB] interface gigabitethernet 0/0/2
[SwitchB-GigabitEthernet0/0/2] stp disable
[SwitchB-GigabitEthernet0/0/2] quit

# Disable RSTP on GE 0/0/2 on SwitchC.


[SwitchC] interface gigabitethernet 0/0/2
[SwitchC-GigabitEthernet0/0/2] stp disable
[SwitchC-GigabitEthernet0/0/2] quit

l Enable RSTP globally.


# Enable RSTP globally on SwitchA.
[SwitchA] stp enable

# Enable RSTP globally on SwitchB.


[SwitchB] stp enable

# Enable RSTP globally on SwitchC.


[SwitchC] stp enable

# Enable RSTP globally on SwitchD.


[SwitchD] stp enable

- Enable BPDU on all the interfaces except the interfaces connected to terminals.
# Enable BPDU on GE 0/0/1 and GE 0/0/2 on SwitchA.
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] quit

# Enable BPDU on GE 0/0/1 and GE 0/0/3 on SwitchB.


[SwitchB] interface gigabitethernet 0/0/1
[SwitchB-GigabitEthernet0/0/1] quit
[SwitchB] interface gigabitethernet 0/0/3
[SwitchB-GigabitEthernet0/0/3] quit

# Enable BPDU on GE 0/0/1 and GE 0/0/3 on SwitchC.


[SwitchC] interface gigabitethernet 0/0/1
[SwitchC-GigabitEthernet0/0/1] quit
[SwitchC] interface gigabitethernet 0/0/3
[SwitchC-GigabitEthernet0/0/3] quit

# Enable BPDU on GE 0/0/1 and GE 0/0/2 on SwitchD.


[SwitchD] interface gigabitethernet 0/0/1
[SwitchD-GigabitEthernet0/0/1] quit
[SwitchD] interface gigabitethernet 0/0/2
[SwitchD-GigabitEthernet0/0/2] quit

Step 2 Configure RSTP protection functions.


# Enable root protection on GE 0/0/1 on SwitchA.
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] stp root-protection
[SwitchA-GigabitEthernet0/0/1] quit

# Enable root protection on GE 0/0/2 on SwitchA.


[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] stp root-protection
[SwitchA-GigabitEthernet0/0/2] quit

Step 3 Verify the configuration.


After the previous configurations, run the following commands to verify the configuration when
the network is stable:
# Run the display stp brief command on SwitchA to view the interface status and protection
type. Information similar to the following will be displayed:
[SwitchA] display stp brief
 MSTID  Port                        Role  STP State    Protection
   0    GigabitEthernet0/0/1        DESI  FORWARDING   ROOT
   0    GigabitEthernet0/0/2        DESI  FORWARDING   ROOT

After SwitchA is configured as a root bridge, GE 0/0/2 and GE 0/0/1 connected to SwitchB and
SwitchD respectively are elected as designated ports in spanning tree calculation. The root
protection function is enabled on the designated ports.

# Run the display stp interface gigabitethernet 0/0/1 brief command on SwitchB to view status
of GE 0/0/1. Information similar to the following will be displayed:
[SwitchB] display stp interface gigabitethernet 0/0/1 brief
 MSTID  Port                        Role  STP State    Protection
   0    GigabitEthernet0/0/1        DESI  FORWARDING   NONE

GE 0/0/1 is elected as a designated port in spanning tree calculation and is in the Forwarding
state.
# Run the display stp brief command on SwitchC to view the interface status and protection
type. Information similar to the following will be displayed:
[SwitchC] display stp brief
 MSTID  Port                        Role  STP State    Protection
   0    GigabitEthernet0/0/1        ALTE  DISCARDING   NONE
   0    GigabitEthernet0/0/3        ROOT  FORWARDING   NONE

GE 0/0/1 is elected as an alternate port in spanning tree calculation and is in the Discarding state.
GE 0/0/3 is elected as a root port in spanning tree calculation and is in the Forwarding state.
----End
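The verification step above reads the display stp brief output by eye. As an added example (not part of this guide and not Huawei code), the following Python parses output in that column layout and applies the checks a reviewer of an RSTP deployment would make on it: on the device meant to be the root bridge, every port is a designated port and every designated port carries root protection (the protection configured in Step 2), and which ports RSTP has blocked. The three output samples are constructed to match the format shown above; SWITCHA_DRIFTED is a constructed case in which root protection was removed from one port.

```python
"""Parse `display stp brief` output and check the RSTP protection posture.

Added example, not Huawei code. The sample outputs are constructed to match
the column layout of the `display stp brief` output shown in the guide.
"""
import re
from dataclasses import dataclass
from typing import List

# Column layout: MSTID, Port, Role, STP State, Protection (5 tokens per data row).
ROW = re.compile(r"^\s*(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$")


@dataclass(frozen=True)
class StpPort:
    mstid: int
    port: str
    role: str        # DESI, ROOT, ALTE, BACK, MAST ...
    state: str       # FORWARDING, LEARNING, DISCARDING
    protection: str  # ROOT, NONE, ...


# Constructed sample: root bridge SwitchA after Step 2 (root protection on both ports).
SWITCHA_BRIEF = """\
 MSTID  Port                        Role  STP State    Protection
   0    GigabitEthernet0/0/1        DESI  FORWARDING   ROOT
   0    GigabitEthernet0/0/2        DESI  FORWARDING   ROOT
"""

# Constructed sample: same device, but root protection was removed from GE0/0/2.
SWITCHA_DRIFTED = """\
 MSTID  Port                        Role  STP State    Protection
   0    GigabitEthernet0/0/1        DESI  FORWARDING   ROOT
   0    GigabitEthernet0/0/2        DESI  FORWARDING   NONE
"""

# Constructed sample: SwitchC, where GE0/0/1 is the alternate (blocked) port.
SWITCHC_BRIEF = """\
 MSTID  Port                        Role  STP State    Protection
   0    GigabitEthernet0/0/1        ALTE  DISCARDING   NONE
   0    GigabitEthernet0/0/3        ROOT  FORWARDING   NONE
"""


def parse_stp_brief(text: str) -> List[StpPort]:
    """Return one StpPort per data row. The header row never matches ROW
    because its first token (MSTID) is not numeric."""
    ports = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            mstid, port, role, state, prot = m.groups()
            ports.append(StpPort(int(mstid), port, role, state, prot))
    return ports


def is_root_bridge(ports: List[StpPort]) -> bool:
    """A root bridge has no root port: every participating port is designated."""
    return bool(ports) and all(p.role == "DESI" for p in ports)


def designated_ports_without_root_protection(ports: List[StpPort]) -> List[str]:
    """Designated ports on the root bridge should carry root protection so that
    a superior BPDU (misconfiguration or a rogue bridge) cannot take over the root."""
    return [p.port for p in ports if p.role == "DESI" and p.protection != "ROOT"]


def blocked_ports(ports: List[StpPort]) -> List[str]:
    """Ports in the Discarding state, i.e. the links RSTP has pruned."""
    return [p.port for p in ports if p.state == "DISCARDING"]


if __name__ == "__main__":
    for name, text in (("SwitchA", SWITCHA_BRIEF), ("SwitchA (drifted)", SWITCHA_DRIFTED),
                       ("SwitchC", SWITCHC_BRIEF)):
        ports = parse_stp_brief(text)
        print(name, "root bridge:", is_root_bridge(ports),
              "unprotected DESI:", designated_ports_without_root_protection(ports),
              "blocked:", blocked_ports(ports))
```

Run against the drifted sample the check reports GigabitEthernet0/0/2, which is the condition the verification step is meant to catch: a designated port on the root bridge that would accept a superior BPDU and let the root move.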

Configuration Files
- Configuration file of SwitchA


#
sysname SwitchA
#
stp mode rstp
stp instance 0 root primary
stp enable
#
interface GigabitEthernet0/0/1
stp root-protection
#
interface GigabitEthernet0/0/2
stp root-protection
#
return

- Configuration file of SwitchB


#
sysname SwitchB
#
stp mode rstp
stp enable
#
interface GigabitEthernet0/0/2
stp disable
#
return

- Configuration file of SwitchC


#
sysname SwitchC
#
stp mode rstp
stp enable
#
interface GigabitEthernet0/0/1
stp instance 0 cost 20000
#
interface GigabitEthernet0/0/2
stp disable
#
return

- Configuration file of SwitchD


#
sysname SwitchD
#
stp mode rstp
stp instance 0 root secondary
stp enable
#
return

3.7 MSTP Configuration


The Multiple Spanning Tree Protocol (MSTP) trims a ring network into a loop-free tree network.
It prevents replication and circular propagation of packets, provides multiple redundant paths
for Virtual LAN (VLAN) data traffic, and enables load balancing.

3.7.1 MSTP Overview


MSTP enables multiple VLANs to be grouped into a spanning-tree instance, forming a VLAN
mapping table. Each instance has a spanning-tree topology independent of other spanning-tree
instances. This architecture provides multiple forwarding paths for data traffic and enables load
balancing.

MSTP Introduction
The Multiple Spanning Tree Protocol (MSTP) incorporates the functions of the Spanning Tree
Protocol (STP) and Rapid Spanning Tree Protocol (RSTP), and outperforms them. It enables
rapid convergence and provides load balancing across redundant paths.

Background
STP and RSTP are used in a LAN to prevent loops. Devices can run STP to discover loops on
the network by exchanging information with each other, and trim the ring topology into a loop-free tree topology by blocking an interface. These capabilities help prevent replication and
circular propagation of packets on the network, which in turn helps avoid degradation of
switching device performance.
STP and RSTP share a similar limitation: All VLANs on a LAN use one spanning tree, which
means that inter-VLAN load balancing cannot be performed. A link will no longer transmit
traffic once it is blocked, which wastes bandwidth and causes forwarding failures in some
VLANs.
To address the deficiencies in STP and RSTP, the IEEE released the 802.1s standard in 2002,
which defines MSTP. MSTP is compatible with STP and RSTP. It implements rapid
convergence and provides multiple paths to load balance VLAN traffic.

Table 3-14 compares STP, RSTP, and MSTP in terms of the characteristics of each protocol
and their applicable environments.

Table 3-14 Comparison between STP, RSTP, and MSTP

STP
  Characteristics: Ensures a loop-free tree topology that helps prevent broadcast storms and allows for redundant links between switches.
  Application scenarios: Irrespective of users or services, all VLANs share one spanning tree.

RSTP
  Characteristics:
  - Ensures a loop-free tree topology that helps prevent broadcast storms and allows for redundant links between switches.
  - Provides a feedback mechanism to confirm topology convergence, implementing rapid convergence.
  Application scenarios: Irrespective of users or services, all VLANs share one spanning tree.

MSTP
  Characteristics:
  - Ensures a loop-free tree topology that helps prevent broadcast storms and allows for redundant links between switches in an MSTP region.
  - Provides a feedback mechanism to confirm topology convergence, implementing rapid convergence.
  - Implements load balancing among VLANs. Traffic in different VLANs is transmitted along different paths.
  Application scenarios: User or service-specific load balancing is required. Traffic for different VLANs is forwarded through different spanning trees, which are independent of each other.

Precautions (all three protocols)
  - If the current switching device supports only STP, STP is recommended. For details, see STP/RSTP Configuration.
  - If the current switching device supports both STP and RSTP, RSTP is recommended. For details, see STP/RSTP Configuration.
  - If the current switching device supports STP or RSTP, and MSTP, MSTP is recommended.
Introduction
Network designers tend to deploy multiple physical links between two devices (one link is the
master and the others are backups) to fulfill network redundancy requirements. Loops are bound
to occur on such types of complex networks.
Loops will cause broadcast storms, thereby exhausting network resources and paralyzing the
network. Loops also cause MAC address flapping that damages MAC address entries.


MSTP, compatible with STP and RSTP, uses multiple instances to isolate service traffic and
provides multiple paths to load balance VLAN traffic.
If MSTP is deployed on a LAN, MSTIs are generated, as shown in Figure 3-33.
Figure 3-33 Multiple spanning trees in an MST region (diagram: SwitchA to SwitchF, with Host A and Host B in VLAN2 and Host C and Host D in VLAN3; MSTI1 has root switch SwitchD and MSTI2 has root switch SwitchF; VLAN2 --> MSTI1, VLAN3 --> MSTI2)

MSTI 1 uses SwitchD as the root switching device to forward packets of VLAN 2.

MSTI 2 uses SwitchF as the root switching device to forward packets of VLAN 3.

Devices within the same VLAN can communicate with each other and packets of different
VLANs are load-balanced along different paths.

Basic MSTP Concepts

- MST region
  An MST region contains multiple switching devices and network segments between them.
  The switching devices have the following characteristics:
  - MSTP-enabled
  - Same region name
  - Same VLAN-to-instance mapping
  - Same MSTP revision number
  A LAN can comprise several MST regions that are directly or indirectly connected. You
  can use MSTP configuration commands to group multiple switching devices into an MST
  region.
  As shown in Figure 3-34, the MST region D0 contains the switching devices S1, S2, S3,
  and S4. The region has three MSTIs.


Figure 3-34 MST region (diagram: region D0 containing switching devices S1, S2, S3, and S4, with port AP1 at the region edge and the master bridge marked; MSTI0 (IST) root switch S1, MSTI1 root switch S3, MSTI2 root switch S2; VLAN mapping table: VLAN1 -> MSTI1, VLAN2,VLAN3 -> MSTI2, other VLANs -> MSTI0)

- VLAN mapping table
  The VLAN mapping table is an attribute of the MST region. It describes mappings between
  VLANs and MSTIs.
  Figure 3-34 shows the VLAN mapping table of the MST region D0:
  - VLAN 1 is mapped to MSTI 1.
  - VLAN 2 and VLAN 3 are mapped to MSTI 2.
  - Other VLANs are mapped to MSTI 0.
- Regional root
  Regional roots are classified into Internal Spanning Tree (IST) and MSTI regional roots.
  In the regions B0, C0, and D0 on the network shown in Figure 3-36, the switching devices
  closest to the Common and Internal Spanning Tree (CIST) root are IST regional roots.
  An MST region can contain multiple spanning trees, each called an MSTI. An MSTI
  regional root is the root of the MSTI. On the network shown in Figure 3-35, each MSTI
  has its own regional root.


Figure 3-35 MSTI (diagram: one MST region whose links carry VLAN 10, VLAN 20, and VLAN 30 in various combinations; three MSTIs, corresponding to VLAN 10, VLAN 20, and VLAN 30 respectively, each with its own root; the legend distinguishes MSTI links from MSTI links blocked by the protocol)

  MSTIs are independent of each other. An MSTI can correspond to one or more VLANs,
  but a VLAN can be mapped to only one MSTI.
- CIST root
  On the network shown in Figure 3-36, the CIST root is the root bridge of a CIST. The
  CIST root is a device in A0.


Figure 3-36 MSTP network (diagram: region A0 contains the CIST root; regions B0, C0, and D0 each have a region root; ISTs run inside the regions and the CST connects the regions)

- CST
  A Common Spanning Tree (CST) connects all the MST regions on a switching network.
  Each MST region can be considered a node. A CST is calculated by using STP or RSTP
  based on all the nodes.
  As shown in Figure 3-36, the MST regions are connected to form a CST.
- IST
  An IST resides within an MST region.
  An IST is a special MSTI with an MSTI ID of 0, called MSTI 0.
  An IST is a segment of the CIST in an MST region.
  As shown in Figure 3-36, the switching devices in an MST region are connected to form
  an IST.
- CIST
  A CIST, calculated by using STP or RSTP, connects all the switching devices on a switching
  network.
  As shown in Figure 3-36, the ISTs and the CST form a complete spanning tree (CIST).
- SST
  A Single Spanning Tree (SST) is formed in either of the following situations:
  - A switching device running STP or RSTP belongs to only one spanning tree.
  - An MST region has only one switching device.
  As shown in Figure 3-36, the switching device in B0 is an SST.
- Port roles
  Compared with RSTP, which defines root ports, designated ports, alternate ports, backup
  ports, and edge ports, MSTP has two additional port types: master ports and regional edge
  ports.
  Table 3-15 lists all port roles in MSTP.
  NOTE
  - Except edge ports, all ports participate in MSTP calculation.
  - A port can play different roles in different MSTIs.

Table 3-15 Port roles

Root port
  A root port is the non-root bridge port closest to the root bridge. Root bridges do not have root ports.
  Root ports are responsible for sending data to root bridges.
  As shown in Figure 3-37, S1 is the root; CP1 is the root port on S3; BP1 is the root port on S2; DP1 is the root port on S4.

Designated port
  The designated port on a switching device forwards bridge protocol data units (BPDUs) to the downstream switching device.
  As shown in Figure 3-37, AP2 and AP3 are designated ports on S1; BP2 is a designated port on S2; CP2 is a designated port on S3.

Alternate port
  - An alternate port is blocked after it receives a BPDU sent by another switching device.
  - An alternate port provides an alternate path to the root bridge. This path is different from the path through the root port.
  As shown in Figure 3-37, BP2 and AP4 are alternate ports.

Backup port
  - A backup port is blocked after it receives a BPDU sent by itself.
  - A backup port provides a redundant path to a segment and is the backup for the root port.
  As shown in Figure 3-37, CP3 is a backup port.

Master port
  A master port is on the shortest path connecting MST regions to the CIST root.
  BPDUs of an MST region are sent to the CIST root through the master port.
  Master ports are special regional edge ports, functioning as root ports on ISTs or CISTs and master ports in instances.
  As shown in Figure 3-37, S1, S2, S3, and S4 form an MST region. AP1 on S1, being the nearest port in the region to the CIST root, is the master port.

Regional edge port
  A regional edge port is located at the edge of an MST region and connects to another MST region or an SST.
  During MSTP calculation, the roles of a regional edge port in the MSTI and the CIST instance are the same. If the regional edge port is the master port in the CIST instance, it is the master port in all the MSTIs in the region.
  As shown in Figure 3-37, AP1, DP2, and DP3 in an MST region are directly connected to other regions, and therefore they are all regional edge ports of the MST region.
  As shown in Figure 3-37, AP1 is a regional edge port and also a master port in the CIST. Therefore, AP1 is the master port in every MSTI in the MST region.

Edge port
  An edge port is located at the edge of an MST region and does not connect to any switching device.
  Generally, edge ports are directly connected to terminals.
  As shown in Figure 3-37, BP3 is an edge port.

Figure 3-37 Port roles (diagram: S1 is the root bridge with ports AP2 and AP3; S2 has ports BP1 and BP2; S3 has ports CP1, CP2, and CP3; the legend marks root ports, designated ports, alternate ports, and backup ports)

Port status
Table 3-16 lists the MSTP port status, which is the same as the RSTP port status.


Table 3-16 Port status

Port Status   Description
Forwarding    A port in the Forwarding state can send and receive BPDUs as well as forward user traffic.
Learning      This is a transition state. A port in the Learning state learns MAC addresses from user traffic to construct a MAC address table. In the Learning state, the port can send and receive BPDUs, but cannot forward user traffic.
Discarding    A port in the Discarding state can only receive BPDUs.

The port status is not determined by the port role. Table 3-17 lists the port status supported
by each port role.

Table 3-17 Status of port roles

Port Status   Root Port/Master Port   Designated Port   Regional Edge Port   Alternate Port   Backup Port
Forwarding    Yes                     Yes               Yes                  No               No
Learning      Yes                     Yes               Yes                  No               No
Discarding    Yes                     Yes               Yes                  Yes              Yes

Yes: The port supports this status.
No: The port does not support this status.

MSTP Features Supported by the AC6605


Before configuring MSTP, familiarize yourself with the concepts of basic MSTP functions,
topology convergence, MSTP protection, and MSTP interoperability between Huawei devices
and non-Huawei devices.
MSTP is used to block redundant links on the Layer 2 network and trim a network into a loop-free tree. In MSTP, multiple MSTIs can be created and VLANs are mapped into different
instances to load-balance VLAN traffic. The basic configuration roadmap for MSTP is as
follows:
1. In a ring network, divide regions and create different instances for regions.
2. Select a switching device to function as the root bridge for each instance.
3. In each instance, calculate the shortest paths from the other switching devices to the root
   bridge, and select a root port for each non-root switching device.
4. In each instance, select a designated port for each connection based on port IDs.

Some networks may have master ports and backup ports. For details about master ports and
backup ports, see MSTP Introduction.
MSTP also supports the following features to meet the requirements of special applications and
extended functions:
- Proposal/Agreement mechanism to implement rapid convergence.
- Protection functions listed in Table 3-18.
- MSTP interoperability between Huawei devices and non-Huawei devices. Certain
  parameters must be set on Huawei devices to ensure uninterrupted communication.

Table 3-18 MSTP protection

BPDU protection
  Scenario: An edge port changes into a non-edge port after receiving a BPDU, which triggers spanning tree recalculation. If an attacker keeps sending pseudo BPDUs to a switching device, network flapping occurs.
  Configuration impact: After BPDU protection is enabled, the switching device shuts down the edge port if the edge port receives an RST BPDU. Then the device notifies the NMS of the shutdown event. The attributes of the edge port are not changed.

TC protection
  Scenario: Generally, after receiving TC BPDUs (packets for advertising network topology changes), a switching device needs to delete MAC entries and ARP entries. Frequent deletions exhaust CPU resources.
  Configuration impact: TC protection is used to suppress TC BPDUs. You can configure the number of times a switching device processes TC BPDUs within a given time period. If the number of TC BPDUs that the switching device receives within a given time exceeds the specified threshold, the switching device processes only the specified number of TC BPDUs. After the specified time period expires, the device processes the excess TC BPDUs once. This function prevents the switching device from frequently deleting MAC entries and ARP entries, saving CPU resources.

Root protection
  Scenario: Due to incorrect configurations or malicious attacks on the network, a root bridge may receive BPDUs with a higher priority than its own priority. Consequently, the legitimate root bridge is no longer able to serve as the root bridge and the network topology is changed, triggering spanning tree recalculation. This may transfer traffic from high-speed links to low-speed links, causing traffic congestion.
  Configuration impact: To address this issue, the root protection function can be configured to protect the root bridge by preserving the role of the designated port. With this function, when the designated port receives RST BPDUs with a higher priority, the port enters the Discarding state and does not forward the BPDUs. If the port does not receive any RST BPDUs with a higher priority for a certain period (double the Forward Delay), the port transitions to the Forwarding state.

Loop protection
  Scenario: A root port or an alternate port will age if link congestion or a one-way link failure occurs. After the root port ages, a switching device may re-select a root port incorrectly, and after the alternate port ages, the port enters the Forwarding state. Loops may occur in such a situation.
  Configuration impact: The loop protection function can be used to prevent such network loops. If the root port or alternate port cannot receive RST BPDUs from the upstream switching device, the root port is blocked and the switching device notifies the NMS that the port enters the Discarding state. The blocked port remains in the Blocked state and no longer forwards packets. This function helps prevent loops on the network. The root port transitions to the Forwarding state after receiving new BPDUs.

Share-link protection
  Scenario: When a switching device is dual-homed to a network and the share link of multiple processes fails, loops may occur.
  Configuration impact: Share-link protection can address such a problem. This function forcibly changes the working mode of the local switching device to RSTP. Share-link protection needs to be used together with root protection to avoid network loops.
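Two rows of Table 3-18 describe timing rules precisely enough to model: root protection (a designated port that receives a superior RST BPDU enters Discarding without forwarding it, and returns to Forwarding only after double the Forward Delay passes with no further superior BPDU) and TC protection (at most a configured number of TC BPDUs processed per period, with the excess processed once when the period expires). The Python below is an added example, not Huawei's implementation: it models both rules as small state machines driven by a caller-supplied clock, compares bridge IDs as (priority, MAC) tuples in which lower wins, and uses constructed MAC addresses and timer values. The threshold and period names are this example's, not the names of the device commands.

```python
"""Models of two MSTP protection mechanisms described in Table 3-18.

Added example, not Huawei code. Time is a float in seconds supplied by the
caller; a bridge ID is a (priority, MAC) tuple and a lower tuple wins the root
election. MAC addresses in the tests are constructed values.
"""
from typing import Optional, Tuple

BridgeId = Tuple[int, str]  # (priority, "hhhh-hhhh-hhhh")


class RootProtectedPort:
    """Designated port with root protection.

    An RST BPDU advertising a better root than our own bridge ID is not
    forwarded; the port enters Discarding but keeps its designated role. It
    returns to Forwarding once 2 * Forward Delay pass without a superior BPDU.
    """

    def __init__(self, own_bridge_id: BridgeId, forward_delay: float = 15.0):
        self.own_bridge_id = own_bridge_id
        self.forward_delay = forward_delay
        self.state = "FORWARDING"
        self.last_superior_at: Optional[float] = None
        self.superior_bpdus_dropped = 0

    def receive_bpdu(self, now: float, advertised_root: BridgeId) -> str:
        """Process one RST BPDU; inferior BPDUs leave the port untouched."""
        if advertised_root < self.own_bridge_id:      # superior BPDU
            self.state = "DISCARDING"
            self.last_superior_at = now
            self.superior_bpdus_dropped += 1
        return self.state

    def tick(self, now: float) -> str:
        """Call as time passes; recovers the port after the quiet period."""
        if (self.state == "DISCARDING" and self.last_superior_at is not None
                and now - self.last_superior_at >= 2 * self.forward_delay):
            self.state = "FORWARDING"
            self.last_superior_at = None
        return self.state


class TcProtection:
    """TC BPDU suppression: process at most `threshold` TC BPDUs per `period`
    seconds; TC BPDUs beyond that are processed once when the period expires."""

    def __init__(self, threshold: int, period: float):
        if threshold < 1 or period <= 0:
            raise ValueError("threshold must be >= 1 and period > 0")
        self.threshold = threshold
        self.period = period
        self.window_start: Optional[float] = None
        self.processed_in_window = 0
        self.pending_excess = 0
        self.flush_count = 0   # MAC/ARP table flushes actually performed

    def _roll_window(self, now: float) -> None:
        if self.window_start is None:
            self.window_start = now
        elif now - self.window_start >= self.period:
            if self.pending_excess:
                self.flush_count += 1          # the excess is processed once
                self.pending_excess = 0
            self.window_start = now
            self.processed_in_window = 0

    def receive_tc(self, now: float) -> bool:
        """Return True if this TC BPDU is processed immediately (tables flushed)."""
        self._roll_window(now)
        if self.processed_in_window < self.threshold:
            self.processed_in_window += 1
            self.flush_count += 1
            return True
        self.pending_excess += 1
        return False

    def tick(self, now: float) -> int:
        """Advance the clock without a TC BPDU; returns total flushes so far."""
        self._roll_window(now)
        return self.flush_count


if __name__ == "__main__":
    # Constructed: ten TC BPDUs in one second against threshold 1 per 2 s.
    tc = TcProtection(threshold=1, period=2.0)
    for i in range(10):
        tc.receive_tc(0.1 * i)
    print("flushes after burst:", tc.flush_count, "after period:", tc.tick(2.5))
```

The contrast the model makes visible is the one the table describes: without suppression every TC BPDU in the burst would flush the MAC and ARP tables, whereas with it the burst costs one flush during the period and one more for the accumulated excess when the period expires, and a designated port under root protection never changes role while it waits out the superior BPDUs.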

3.7.2 Configuring Basic MSTP Functions


MSTP based on the basic STP/RSTP function divides a switching network into multiple regions,
each of which has multiple spanning trees that are independent of each other. MSTP isolates
user traffic and service traffic, and load-balances VLAN traffic.
MSTP is commonly configured on switching devices to trim a ring network to a loop-free
network. Devices start spanning tree calculation after the working mode is set and MSTP is
enabled. Use any of the following methods if you need to intervene in the spanning tree
calculation:
- Set a priority for a switching device in an MSTI: The lower the numerical value, the higher
  the priority of the switching device and the more likely the switching device becomes a
  root bridge; the higher the numerical value, the lower the priority of the switching device
  and the less likely that the switching device becomes a root bridge.
- Set a path cost for a port in an MSTI: With the same calculation method, the lower the
  numerical value, the smaller the cost of the path from the port to the root bridge and the
  more likely the port becomes a root port; the higher the numerical value, the larger the cost
  of the path from the port to the root bridge and the less likely that the port becomes a root
  port.
- Set a priority for a port in an MSTI: The lower the numerical value, the more likely the port
  becomes a designated port; the higher the numerical value, the less likely that the port
  becomes a designated port.

Establishing the Configuration Task


Before configuring basic MSTP functions, familiarize yourself with the applicable environment,
complete the pre-configuration tasks, and obtain the required data. This will help you complete
the configuration task quickly and accurately.

Applicable Environment
Network designers tend to deploy multiple physical links between two devices (one link is the
master and the others are backups) to fulfill network redundancy requirements. Loops are bound
to occur on such types of complex networks.
Loops will cause broadcast storms, thereby exhausting network resources and paralyzing the
network. Loops also cause MAC address flapping that damages MAC address entries.
MSTP can be deployed on a network to eliminate loops. If a loop is detected, MSTP blocks one
or more ports to eliminate the loop. In addition, MSTIs can be configured to load balance VLAN
traffic.
As shown in Figure 3-38, switches A, B, C, and D all support MSTP. In this scenario, you need
to create MSTI 1 and MSTI 2, configure a root bridge for each MSTI, and set the ports to be
blocked to load balance traffic of VLANs 1 to 10 and VLANs 11 to 20 among different paths.


Figure 3-38 Networking diagram of basic MSTP configurations (diagram: SwitchA, SwitchB, SwitchC, and SwitchD form an MST region connected to the network, with PC1 and PC2 attached; VLAN1~10 are carried by MSTI1 with root switch SwitchA, VLAN11~20 by MSTI2 with root switch SwitchB; each MSTI has one blocked port)

NOTE

If the current device supports MSTP, configuring MSTP is recommended.

Pre-configuration Tasks
Before configuring basic MSTP functions, complete the following tasks:
- Connecting interfaces and setting physical parameters for the interfaces to ensure that the
  interfaces are physically Up
- Configuring VLAN features of the ports

Data Preparation
To configure basic MSTP functions, you need the following data.

No.  Data
1    MSTP working mode
2    MST region name, VLAN-to-instance mapping, and MSTP revision number
3    (Optional) ID of an MSTI
4    (Optional) Priority of a switching device in an MSTI
5    (Optional) Priority of a port in an MSTI
6    (Optional) Path cost of a port in an MSTI

Configuring the MSTP Mode


Before configuring basic MSTP functions, set the working mode of a switching device to MSTP.
MSTP is compatible with STP and RSTP.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
stp mode mstp

The working mode of the switching device is set to MSTP. By default, the working mode is
MSTP.
STP and MSTP cannot recognize packets of each other, but MSTP and RSTP can. If an MSTP-enabled switching device is connected to switching devices running STP, interfaces of the
MSTP-enabled switching device connected to devices running STP automatically transition to
STP mode, and other interfaces still work in MSTP mode. This enables devices running different
spanning tree protocols to interwork with each other.
----End

Configuring and Activating an MST Region


MSTP divides a switching network into multiple MST regions. After an MST region name,
VLAN-to-instance mappings, and an MSTP revision number are configured, you must activate
the MST region to make the configurations effective.

Context
An MST region contains multiple switching devices and network segments. These switching
devices are directly connected and have the same region name, same VLAN-to-instance
mapping, and the same configuration revision number after MSTP is enabled. One switching
network can have multiple MST regions. You can use MSTP commands to group multiple
switching devices into one MST region.

CAUTION
Two switching devices belong to the same MST region when they have the same:
- Name of the MST region
- Mapping between VLANs and MSTIs
- Revision level of the MST region

Perform the following steps on a switching device that needs to join an MST region.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
stp region-configuration

The MST region view is displayed.


Step 3 Run:
region-name name

The name of an MST region is configured.


By default, the MST region name is the MAC address of the management network interface on
the MPU of the switching device.
Step 4 Perform either of the following steps to configure VLAN-to-instance mappings.
l Run the instance instance-id vlan { vlan-id1 [ to vlan-id2 ] }&<1-10> command to configure
VLAN-to-instance mappings.
l Run the vlan-mapping modulo modulo command to enable VLAN-to-instance mapping
assignment based on a default algorithm.
By default, all VLANs in an MST region are mapped to MSTI 0.


NOTE
- The VLAN-to-instance mappings generated using the vlan-mapping modulo modulo command
  cannot meet network requirements. It is recommended that you run the instance instance-id vlan
  { vlan-id1 [ to vlan-id2 ] }&<1-10> command to configure VLAN-to-instance mappings.
- The vlan-mapping modulo command specifies the formula (VLAN ID-1)%modulo+1. In the formula, (VLAN
  ID-1)%modulo means the remainder of (VLAN ID-1) divided by the value of modulo. This formula
  is used to map a VLAN to the corresponding MSTI. The calculation result of the formula is the ID of
  the mapping MSTI.

Step 5 (Optional) Run:
revision-level level

The MSTP revision number is set.


By default, the MSTP revision number is 0.
If the revision number of the MST region is not 0, this step is necessary.
NOTE

Changing MST region configurations (especially a change of the VLAN mapping table) triggers spanning
tree recalculation and causes route flapping. Therefore, after configuring an MST region name, VLAN-to-instance mappings, and an MSTP revision number, run the check region-configuration command in the
MST region view to verify the configuration. After confirming the region configurations, run the active
region-configuration command to activate MST region configurations.

Step 6 Run:
active region-configuration

MST region configurations are activated so that the configured region name, VLAN-to-instance
mappings, and revision number can take effect.
If this step is not done, the preceding configurations cannot take effect.
If you have changed MST region configurations on the switching device after MSTP starts, run
the active region-configuration command to activate the MST region so that the changed
configurations can take effect.
----End
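The CAUTION above lists the three attributes two switching devices must share to be in one MST region, and the NOTE on vlan-mapping modulo gives the formula (VLAN ID-1)%modulo+1. The Python below is an added example, not Huawei code: it builds a VLAN mapping table both ways the procedure describes (explicit instance ... vlan ranges, where a later mapping replaces an earlier one because a VLAN belongs to exactly one MSTI, and the modulo formula) and reports which of region name, revision level, and mapping table differ between two devices, which is what you confirm with check region-configuration on each device before running active region-configuration. The region name, revision values, and VLAN ranges used are constructed.

```python
"""VLAN-to-instance mapping and MST region membership.

Added example, not Huawei code. Region names, revisions and VLAN ranges
below are constructed.
"""
from typing import Dict, Iterable, List, Tuple

MAX_VLAN = 4094


def modulo_mapping(modulo: int, max_vlan: int = MAX_VLAN) -> Dict[int, int]:
    """vlan-mapping modulo: MSTI ID = (VLAN ID - 1) % modulo + 1 for every VLAN."""
    if modulo < 1:
        raise ValueError("modulo must be >= 1")
    return {vlan: (vlan - 1) % modulo + 1 for vlan in range(1, max_vlan + 1)}


class MstRegion:
    """Region configuration of one switching device (the stp region-configuration view)."""

    def __init__(self, name: str, revision: int = 0):
        self.name = name              # region-name
        self.revision = revision      # revision-level (default 0)
        # Default mapping: all VLANs in MSTI 0, the IST.
        self.vlan_to_msti: Dict[int, int] = {v: 0 for v in range(1, MAX_VLAN + 1)}

    def instance_vlan(self, msti: int, vlan_ranges: Iterable[Tuple[int, int]]) -> None:
        """instance <msti> vlan <v1> [to <v2>] ...: map VLAN ranges to one MSTI.
        A VLAN belongs to exactly one MSTI, so a later mapping replaces an earlier one."""
        for lo, hi in vlan_ranges:
            if not 1 <= lo <= hi <= MAX_VLAN:
                raise ValueError(f"invalid VLAN range {lo}-{hi}")
            for vlan in range(lo, hi + 1):
                self.vlan_to_msti[vlan] = msti

    def vlan_mapping_modulo(self, modulo: int) -> None:
        """vlan-mapping modulo <modulo>: replace the whole table with the formula result."""
        self.vlan_to_msti = modulo_mapping(modulo)

    def vlans_in(self, msti: int) -> List[int]:
        return sorted(v for v, m in self.vlan_to_msti.items() if m == msti)


def region_mismatch(a: MstRegion, b: MstRegion) -> List[str]:
    """Which of the three region attributes differ. An empty list means the two
    devices are in the same MST region. (802.1s BPDUs carry a digest of the
    mapping table rather than the table itself; comparing the table here is
    equivalent for configuration review.)"""
    reasons = []
    if a.name != b.name:
        reasons.append("region name")
    if a.revision != b.revision:
        reasons.append("revision level")
    if a.vlan_to_msti != b.vlan_to_msti:
        reasons.append("VLAN-to-instance mapping")
    return reasons


def same_region(a: MstRegion, b: MstRegion) -> bool:
    return not region_mismatch(a, b)


if __name__ == "__main__":
    # Constructed: the Figure 3-38 layout, VLANs 1-10 in MSTI 1 and 11-20 in MSTI 2.
    switch_a = MstRegion("RG1", revision=1)
    switch_a.instance_vlan(1, [(1, 10)])
    switch_a.instance_vlan(2, [(11, 20)])
    switch_b = MstRegion("RG1", revision=1)
    switch_b.instance_vlan(1, [(1, 10)])   # MSTI 2 was never configured on SwitchB
    print("mismatch:", region_mismatch(switch_a, switch_b))
    print("modulo 2 puts VLAN 3 in MSTI", modulo_mapping(2)[3])
```

A device whose table differs by a single VLAN ends up in a region of its own, so the comparison is deliberately exact rather than approximate; the modulo mapping illustrates why the NOTE prefers explicit instance mappings: with modulo 2 every odd VLAN lands in MSTI 1 and every even VLAN in MSTI 2, regardless of which VLANs actually carry traffic.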

(Optional) Configuring a Priority for a Switching Device in an MSTI


A switching device with a high priority is more likely to be selected as the root bridge in an
MSTI. A smaller priority value indicates a higher priority.

Context
In an MSTI, there is only one root bridge, which is the logic center of the MSTI. During root
bridge selection, a high-performance switching device at a high network layer should be selected
as the root bridge; however, the priority of such a device may not be the highest on the network.
It is therefore necessary to set a high priority for the switching device to ensure that the device
functions as a root bridge.
Low-performance devices at lower network layers are not fit to serve as a root bridge. Therefore,
set low priorities for these devices.
Issue 04 (2013-06-15)

Huawei Proprietary and Confidential


Copyright Huawei Technologies Co., Ltd.

499

AC6605 Access Controller


Configuration Guide

3 Configuration Guide - Ethernet

CAUTION
If an AC6605 switch is configured as the root switch or secondary root switch, the priority of
the AC6605 switch cannot be set. To set the priority for the AC6605 switch, disable the root
switch or secondary root switch.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
stp [ instance instance-id ] priority priority

A priority is set for the switching device in an MSTI.


The default priority value of the switching device is 32768.
If the instance is not designated, a priority is set for the switching device in MSTI0.
NOTE

l To configure a switching device as the primary root bridge, run the stp [ instance instance-id ] root
primary command directly. The priority value of this switching device is 0.
l To configure a switching device as the secondary root bridge, run the stp [ instance instance-id ] root
secondary command. The priority value of this switching device is 4096.
In an MSTI, a switching device cannot act as the primary root bridge and secondary root bridge at the
same time.

----End

(Optional) Configuring a Path Cost of a Port in an MSTI


The MSTP path cost determines root port selection in an MSTI. The port with the lowest path
cost to the root bridge is selected as the root port.

Context
A path cost is port-specific and is used by MSTP to select a link.
Path costs of ports are an important basis for calculating spanning trees. If you set different path
costs for a port in different MSTIs, VLAN traffic can be transmitted along different physical
links for load balancing.
If a network has loops, it is recommended that you set a relatively large path cost for ports with
low link rates. MSTP then blocks these ports.

Procedure
Step 1 Run:
system-view

The system view is displayed.



Step 2 Run:
stp pathcost-standard { dot1d-1998 | dot1t | legacy }

A path cost calculation method is configured.


By default, the IEEE 802.1t standard (dot1t) is used to calculate the default path cost.
All switching devices on a network must use the same path cost calculation method.
Step 3 Run:
interface interface-type interface-number

The Ethernet interface view is displayed.


Step 4 Run:
stp instance instance-id cost cost

A path cost is set for the port in the current MSTI.


l When the Huawei proprietary calculation method is used, cost ranges from 1 to 200000.
l When the IEEE 802.1d standard method is used, cost ranges from 1 to 65535.
l When the IEEE 802.1t standard method is used, cost ranges from 1 to 200000000.
----End

(Optional) Configuring a Port Priority in an MSTI


A port with a smaller priority value is more likely to be selected as a designated port, and a port
with a larger priority value is more likely to be blocked.

Context
During spanning tree calculation, port priorities in MSTIs determine which ports are selected as
designated ports.
To block a port in an MSTI to eliminate loops, set the port priority value to larger than the default
value. This port will be blocked during designated port selection.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
interface interface-type interface-number

The Ethernet interface view is displayed.


Step 3 Run:
stp instance instance-id port priority priority

A port priority is set in an MSTI.


By default, the port priority is 128.

The value range of the priority is from 0 to 240, in steps of 16.


----End

Enabling MSTP
After configuring basic MSTP functions on a switching device, enable the MSTP function.

Context
After MSTP is enabled on a ring network, it immediately calculates spanning trees on the
network. Configurations on the switching device, such as the switching device priority and port
priority, affect spanning tree calculation, and any change to these configurations may cause
network flapping. Therefore, to ensure rapid and stable spanning tree calculation, complete the basic
configurations on the switching device and its ports before enabling MSTP.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
stp enable

MSTP is enabled on the switching device.


By default, the MSTP function is disabled on the AC6605.
----End

Checking the Configuration


After configuring basic MSTP functions, you can verify the configurations.

Prerequisites
All configurations for basic MSTP functions are complete.

Procedure
l Run the display stp [ instance instance-id ] [ interface { interface-type interface-number } ] [ brief ] command to view spanning-tree status and statistics.
l Run the display stp region-configuration command to view configurations of activated
MST regions.
l Run the display stp region-configuration digest command to view the digest
configurations of activated MST regions.

----End

3.7.3 Configuring MSTP Parameters on an Interface


Proper MSTP parameter settings achieve rapid convergence.


Establishing the Configuration Task


Before configuring basic MSTP parameters, familiarize yourself with the applicable
environment, complete the pre-configuration tasks, and obtain the required data. This will help
you complete the configuration task quickly and accurately.

Applicable Environment
On some networks, MSTP parameters will affect the speed of network convergence. Proper
MSTP parameter settings help implement rapid network convergence.
NOTE

The default parameters can also be used to achieve MSTP rapid convergence. Therefore, the configuration
procedures and steps in this configuration task are all optional.

Pre-configuration Tasks
Before configuring MSTP parameters, complete the following task:
l Configuring basic MSTP functions

Data Preparation
To configure MSTP parameters, you need the following data.
No. Data
1 Network diameter
2 Hello time, forwarding delay time, maximum aging time, and timeout period for
waiting for BPDUs from the upstream (3 x hello time x time factor)
3 Maximum hop count in an MST region
4 Link type of a port
5 Whether the port uses the rapid state transition mechanism
6 Whether the port needs to transition to the RSTP mode
7 Maximum number of sent BPDUs
8 Whether the port needs to be configured as an edge port
9 Whether the edge port needs to be enabled to go Up automatically after being shut
down
10 Whether the port needs to clear the spanning tree statistics
11 Whether the edge port needs to be configured as a BPDU filter

Configuring System Parameters


MSTP parameters that may affect network convergence include the network diameter, Hello
timer, and timeout period for waiting for BPDUs from the upstream device (3 x Hello timer

value x Time factor). Proper MSTP parameter settings help implement rapid network
convergence.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
stp bridge-diameter diameter

The network diameter is configured.


By default, the network diameter is 7.
l RSTP uses a single spanning tree instance on the entire network. As a result, performance
deterioration cannot be prevented when the network scale grows. Therefore, the network
diameter cannot be larger than 7.
l It is recommended that you run the stp bridge-diameter diameter command to set the
network diameter. Then, the switching device calculates the optimal Forward Delay period,
Hello timer value, and Max Age timer value based on the set network diameter.
Step 3 Run:
stp timer-factor factor

The timeout period for waiting for BPDUs from the upstream device is set.
By default, the timeout period is 9 times the Hello timer value.
Step 4 (Optional) If the current device is at the edge of a network, run both or either of the following
commands as needed:
l To configure all ports on the device as edge ports, run:
stp edged-port default

By default, a port is a non-edge port.


After ports on a network edge device are configured as edge ports, the ports no longer
participate in spanning tree calculation. This speeds up network topology convergence and
improves network stability.
l To configure all ports on the device as BPDU filter ports, run:
stp bpdu-filter default

By default, a port is a non-BPDU filter port.


After ports on a network edge device are configured as BPDU filter ports, the ports no longer
process or send BPDUs.

WARNING
After the stp bpdu-filter default and stp edged-port default commands are run in the system
view, all ports on the device no longer actively send BPDUs or negotiate with directly-connected
ports; instead, all the ports are in the Forwarding state. This may lead to a loop on the network,
causing broadcast storms. Exercise caution when running these commands.


Step 5 (Optional) To set the Forward Delay period, Hello timer, and Max Age timer, perform the
following operations:
l Run the stp timer forward-delay forward-delay command to set the Forward Delay timer.
The default Forward Delay timer of a switching device is 1500 centiseconds.
l Run the stp timer hello hello-time command to set the Hello timer.
The default Hello timer of a switching device is 200 centiseconds.
l Run the stp timer max-age max-age command to set the Max Age timer.
The default Max Age timer of a switching device is 2000 centiseconds.
NOTE

The values of the Hello timer, Forward Delay timer, and Max Age timer must comply with the following
formulas; otherwise, network flapping occurs.
l 2 x (Forward Delay - 1.0 second) >= Max Age
l Max Age >= 2 x (Hello Time + 1.0 second)
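The two timer constraints in the NOTE, and the BPDU timeout from Step 3, checked in code. This is an added example, not part of the Huawei guide; the default timer factor of 3 is an assumption derived from the guide's statement that the default timeout is 9 times the Hello timer, and the values are in centiseconds, as the stp timer commands take them.

```python
"""Added example (not from the Huawei guide): validates Hello / Forward Delay /
Max Age settings against the constraints the guide states, and derives the
upstream-BPDU timeout from the Hello timer and the timer factor.
All values are in centiseconds, the unit used by the stp timer commands."""
from typing import List

ONE_SECOND = 100  # centiseconds

# Defaults quoted in the guide: Hello 200, Forward Delay 1500, Max Age 2000.
DEFAULT_HELLO = 200
DEFAULT_FORWARD_DELAY = 1500
DEFAULT_MAX_AGE = 2000


def check_mstp_timers(hello: int, forward_delay: int, max_age: int) -> List[str]:
    """Return the violated constraints; an empty list means the timers are
    consistent and will not cause the flapping the NOTE warns about.

    Constraints (in centiseconds):
      2 x (Forward Delay - 1.0 second) >= Max Age
      Max Age >= 2 x (Hello Time + 1.0 second)
    """
    violations = []
    fd_bound = 2 * (forward_delay - ONE_SECOND)
    if fd_bound < max_age:
        violations.append(
            f"2 x (Forward Delay {forward_delay} - 100) = {fd_bound} "
            f"is less than Max Age {max_age}")
    hello_bound = 2 * (hello + ONE_SECOND)
    if max_age < hello_bound:
        violations.append(
            f"Max Age {max_age} is less than "
            f"2 x (Hello {hello} + 100) = {hello_bound}")
    return violations


def bpdu_timeout(hello: int, timer_factor: int = 3) -> int:
    """Timeout for BPDUs from the upstream device: 3 x Hello x timer factor.
    The default factor of 3 is an assumption derived from the guide's
    statement that the default timeout is 9 times the Hello timer."""
    return 3 * hello * timer_factor


def valid_max_age_range(hello: int, forward_delay: int) -> range:
    """Max Age values (centiseconds) that satisfy both constraints for the
    given Hello and Forward Delay; empty when no value can satisfy them."""
    low = 2 * (hello + ONE_SECOND)
    high = 2 * (forward_delay - ONE_SECOND)
    return range(low, high + 1)


if __name__ == "__main__":
    # The guide's defaults satisfy both constraints.
    print(check_mstp_timers(DEFAULT_HELLO, DEFAULT_FORWARD_DELAY, DEFAULT_MAX_AGE))
    # Shrinking Forward Delay to 10 s violates the first constraint.
    print(check_mstp_timers(DEFAULT_HELLO, 1000, DEFAULT_MAX_AGE))
    print(bpdu_timeout(DEFAULT_HELLO))  # 1800, i.e. 9 x Hello
    print(valid_max_age_range(DEFAULT_HELLO, DEFAULT_FORWARD_DELAY))
```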

Step 6 Run:
stp max-hops hop

The maximum hop count is set for the MST region.


By default, the maximum hop count in an MST region is 20.
Step 7 Run:
stp mcheck

MCheck is enabled.
On a switching device running MSTP, if an interface is connected to a device running STP, the
interface automatically transitions to the STP mode.
Enabling MCheck on the interface is required because the interface may fail to automatically
transition to the MSTP mode in the following situations:
l The switching device running STP is shut down or moved.
l The switching device running STP transitions to the MSTP mode.
NOTE

If you run the stp mcheck command in the system view, the MCheck operation is performed on all the
interfaces.

----End

Configuring Port Parameters


Port parameters that may affect MSTP topology convergence include the link type and maximum
number of sent BPDUs. Proper port parameter settings help implement rapid topology
convergence.

Procedure
Step 1 Run:
system-view

The system view is displayed.



Step 2 Run:
interface interface-type interface-number

The Ethernet interface view is displayed.


Step 3 (Optional) Run:
stp point-to-point { auto | force-false | force-true }

The link type is configured for the interface.


By default, an interface automatically determines whether to connect to a P2P link. The P2P link
supports rapid network convergence.
l If the Ethernet port works in full-duplex mode, the port is connected to a P2P link. In this
case, force-true can be configured to implement rapid network convergence.
l If the Ethernet port works in half-duplex mode, you can run stp point-to-point force-true
to forcibly set the link type to P2P.
Step 4 Run:
stp mcheck

MCheck is enabled.
On a switching device running MSTP, if an interface is connected to a device running STP, the
interface automatically transitions to the STP mode.
You must enable MCheck on the interface because the interface may fail to automatically
transition to the MSTP mode in the following situations:
l The switching device running STP is shut down or moved.
l The switching device running STP transitions to the MSTP mode.
Step 5 Run:
stp transmit-limit packet-number

The maximum number of BPDUs sent by a port per second is set.


By default, the maximum number of BPDUs that a port sends per second is 147.
Step 6 (Optional) Run:
stp edged-port enable

The port is configured as an edge port.


If a device port is connected to a terminal, you can run this command to configure the port as
an edge port.
By default, a port is a non-edge port.
If the current port has been configured as an edge port, the port can still send BPDUs. This may
cause BPDUs to be sent to other networks, leading to network flapping. To prevent this problem,
run the stp bpdu-filter enable command to configure the edge port as a BPDU filter port and
disable the port from processing or sending BPDUs.


WARNING
After the stp bpdu-filter enable command is run on a port, the port no longer processes or sends
BPDUs. The port will not negotiate with the directly-connected port to establish an STP
connection.
Step 7 Run:
quit

Return to the system view.


Step 8 (Optional) Run:
error-down auto-recovery cause cause-item interval interval-value

The auto recovery function on an edge port is configured. This function enables a port in the
error-down state to automatically go Up after the specified delay.
There is no default value for the recovery time. Therefore, you must specify a delay when using
this command.
----End

Follow-up Procedure
When the topology of a spanning tree changes, the forwarding paths to associated VLANs are
changed. The ARP entries corresponding to those VLANs on the switching device need to be
updated. MSTP processes ARP entries in either fast or normal mode.
l In fast mode, ARP entries to be updated are directly deleted.
l In normal mode, ARP entries to be updated are rapidly aged. The remaining lifetime of ARP
entries to be updated is set to 0. The switching device rapidly processes these aged entries.
If the number of ARP aging probe attempts is not set to 0, ARP implements aging probe for
these ARP entries.
In either fast or normal mode, MAC entries are directly deleted.

You can run the stp converge { fast | normal } command in the system view to configure the
MSTP convergence mode.
By default, the MSTP convergence is configured as normal.
NOTE

The normal mode is recommended. If the fast mode is adopted, ARP entries will be frequently deleted,
causing the CPU usage on the MPU or LPU to reach 100%. As a result, network flapping will frequently
occur.

Checking the Configuration


After MSTP parameters are configured, you can verify the configurations.

Prerequisites
The configurations for MSTP parameters are complete.

Procedure
l Run the display stp [ instance instance-id ] [ interface { interface-type interface-number } ] [ brief ] command to view spanning-tree status and statistics.

----End

3.7.4 Configuring MSTP Protection Functions


This section describes how to configure MSTP protection functions. You can configure one or
more functions.

Establishing the Configuration Task


Before configuring MSTP protection functions, familiarize yourself with the applicable
environment, complete the pre-configuration tasks, and obtain the required data. This will help
you complete the configuration task quickly and accurately.

Applicable Environment
MSTP provides the protection functions listed in Table 3-19.
Table 3-19 MSTP protection

BPDU protection
Scenario: An edge port changes into a non-edge port after receiving a BPDU, which triggers
spanning tree recalculation. If an attacker keeps sending pseudo BPDUs to a switching device,
network flapping occurs.
Configuration Impact: After BPDU protection is enabled, the switching device shuts down the
edge port if the edge port receives an RST BPDU. Then the device notifies the NMS of the
shutdown event. The attributes of the edge port are not changed.

TC protection
Scenario: Generally, after receiving TC BPDUs (packets for advertising network topology
changes), a switching device needs to delete MAC entries and ARP entries. Frequent deletions
exhaust CPU resources.
Configuration Impact: TC protection is used to suppress TC BPDUs. You can configure the
number of times a switching device processes TC BPDUs within a given time period. If the
number of TC BPDUs that the switching device receives within a given time exceeds the
specified threshold, the switching device processes only the specified number of TC BPDUs.
After the specified time period expires, the device processes the excess TC BPDUs once. This
function prevents the switching device from frequently deleting MAC entries and ARP entries,
saving CPU resources.

Root protection
Scenario: Due to incorrect configurations or malicious attacks on the network, a root bridge
may receive BPDUs with a higher priority than its own priority. Consequently, the legitimate
root bridge is no longer able to serve as the root bridge and the network topology is changed,
triggering spanning tree recalculation. This may transfer traffic from high-speed links to
low-speed links, causing traffic congestion.
Configuration Impact: To address this issue, the root protection function can be configured to
protect the root bridge by preserving the role of the designated port. With this function, when
the designated port receives RST BPDUs with a higher priority, the port enters the Discarding
state and does not forward the BPDUs. If the port does not receive any RST BPDUs with a
higher priority for a certain period (double the Forward Delay), the port transitions to the
Forwarding state.

Loop protection
Scenario: A root port or an alternate port will age if link congestion or a one-way link failure
occurs. After the root port ages, a switching device may re-select a root port incorrectly, and
after the alternate port ages, the port enters the Forwarding state. Loops may occur in such a
situation.
Configuration Impact: The loop protection function can be used to prevent such network loops.
If the root port or alternate port cannot receive RST BPDUs from the upstream switching device,
the root port is blocked and the switching device notifies the NMS that the port enters the
Discarding state. The blocked port remains in the Blocked state and no longer forwards packets.
This function helps prevent loops on the network. The root port transitions to the Forwarding
state after receiving new BPDUs.

Share-link protection
Scenario: When a switching device is dual-homed to a network and the share link of multiple
processes fails, loops may occur.
Configuration Impact: Share-link protection can address such a problem. This function forcibly
changes the working mode of the local switching device to RSTP. Share-link protection needs to
be used together with root protection to avoid network loops.

NOTE

l Each device has a default MSTP process with the ID of 0. MSTP configurations in the system view
and interface view both belong to this process.

Pre-configuration Tasks
Before configuring MSTP protection functions on a switching device, complete the following
task:
l Configuring basic MSTP functions


NOTE

Configure an edge port on the switching device before configuring BPDU protection.


Data Preparation
To configure MSTP protection functions on a switching device, you need the following data.
No. Data
1 Number of the port on which root protection is to be enabled
2 Number of the port on which loop protection is to be enabled

Configuring BPDU Protection on a Switching Device


After BPDU protection is enabled on a switching device, the switching device shuts down an
edge port if the edge port receives a BPDU, and notifies the NMS of the shutdown event.

Context
Edge ports are directly connected to user terminals and do not normally receive BPDUs. Attackers may
send pseudo BPDUs to attack the switching device. If the edge ports receive these BPDUs, the
switching device reconfigures the edge ports as non-edge ports and triggers a new spanning tree
calculation, so network flapping occurs. BPDU protection can be used to protect switching
devices against such attacks.
Perform the following steps on a switching device that has an edge port.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
stp bpdu-protection

BPDU protection is enabled on the switching device.


By default, BPDU protection is not enabled on the switching device.
----End

Configuring TC Protection on a Switching Device


After TC protection is enabled, you can set the number of times an MSTP process processes TC
BPDUs within a given time. TC protection avoids frequent deletion of MAC address entries and
ARP entries, thereby protecting switching devices.

Context
Attackers may send pseudo TC BPDUs to attack switching devices. Switching devices receive
a large number of TC BPDUs in a short time and delete entries frequently, which burdens system
processing and degrades network stability.
TC protection is used to suppress TC BPDUs. You can configure the number of times a switching
device processes TC BPDUs within a given time period. If the number of TC BPDUs that the

switching device receives within a given time exceeds the specified threshold, the switching
device processes only the specified number of TC BPDUs. After the specified time period
expires, the device processes the excess TC BPDUs for once. This function prevents the
switching device from frequently deleting MAC entries and ARP entries, saving CPU resources.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 (Optional) Run:
Step 3 Run:
stp tc-protection

TC protection is enabled for the MSTP process.


By default, TC protection is enabled on the switching device.
Step 4 Run:
stp tc-protection threshold threshold

The number of times the MSTP process handles the received TC BPDUs and updates forwarding
entries within a given time is set.
----End
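A model of the TC protection behaviour described in the Context above, run over a constructed burst of TC BPDUs so the effect of the threshold can be seen. This is an added example, not part of the Huawei guide; the window length and the rule that a window starts at the first TC BPDU received are assumptions, since the guide gives neither.

```python
"""Added example (not from the Huawei guide): models TC protection, which
limits how many TC BPDUs cause MAC/ARP entry flushes within a period and
processes the excess once when the period expires."""
from typing import List, Optional, Tuple


class TcProtection:
    """Rate-limits forwarding-entry flushes triggered by received TC BPDUs."""

    def __init__(self, threshold: int, period: float) -> None:
        self.threshold = threshold      # TC BPDUs processed per period
        self.period = period            # window length in seconds (assumed)
        self.window_start: Optional[float] = None  # assumed: set by first TC BPDU
        self.processed = 0              # processed in the current window
        self.suppressed = 0             # deferred in the current window
        self.flushes: List[Tuple[float, str]] = []  # (time, reason)

    def advance(self, now: float) -> None:
        """Expire the window once its period has elapsed. Excess TC BPDUs
        received during the window are then processed once, as the guide says."""
        if self.window_start is None or now - self.window_start < self.period:
            return
        if self.suppressed:
            self.flushes.append((self.window_start + self.period, "deferred"))
        self.window_start = None
        self.processed = 0
        self.suppressed = 0

    def receive_tc_bpdu(self, now: float) -> bool:
        """Handle one TC BPDU. Returns True if MAC/ARP entries are flushed
        immediately, False if the BPDU is counted but deferred."""
        self.advance(now)
        if self.window_start is None:
            self.window_start = now
        if self.processed < self.threshold:
            self.processed += 1
            self.flushes.append((now, "tc-bpdu"))
            return True
        self.suppressed += 1
        return False


def simulate(arrivals: List[float], threshold: int, period: float,
             end_time: float) -> List[Tuple[float, str]]:
    """Feed TC BPDU arrival times through TcProtection and return the
    flush events that occur up to end_time."""
    tp = TcProtection(threshold, period)
    for t in sorted(arrivals):
        tp.receive_tc_bpdu(t)
    tp.advance(end_time)
    return tp.flushes


if __name__ == "__main__":
    # Constructed burst: 100 TC BPDUs within one second (e.g. pseudo TC BPDUs).
    burst = [i / 100 for i in range(100)]
    # A threshold above the burst size lets every BPDU flush the tables: 100 flushes.
    print(len(simulate(burst, threshold=1000, period=2.0, end_time=3.0)))
    # Threshold 1 per 2 s window: one immediate flush and one deferred flush.
    print(simulate(burst, threshold=1, period=2.0, end_time=3.0))
```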

Configuring Root Protection on an Interface


The root protection function on a switching device protects a root bridge by preserving the role
of a designated port.

Context
Due to incorrect configurations or malicious attacks on the network, a root bridge may receive
BPDUs with a higher priority. Consequently, the legitimate root bridge is no longer able to serve
as the root bridge and the network topology is changed, triggering spanning tree recalculation.
This also may cause the traffic that should be transmitted over high-speed links to be transmitted
over low-speed links, leading to network congestion. The root protection function on a switching
device is used to protect the root bridge by preserving the role of the designated port.
NOTE

Root protection takes effect only on designated ports.

Perform the following steps on the root bridge in an MST region.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
interface interface-type interface-number


The view of the Ethernet interface participating in STP calculation is displayed.


Step 3 Run:
stp root-protection

Root protection is configured on the switching device.


By default, root protection is disabled.
----End

Configuring Loop Protection on an Interface


The loop protection function suppresses loops caused by link congestion.

Context
On a network running MSTP, a switching device maintains the root port status and status of
blocked ports by receiving BPDUs from an upstream switching device. If the switching device
cannot receive BPDUs from the upstream device because of link congestion or a unidirectional-link
failure, the switching device re-selects a root port. The original root port becomes a
designated port and the original blocked ports change to the Forwarding state. This switching
may cause network loops, which can be mitigated by configuring loop protection.
After loop protection is configured, if the root port or alternate port does not receive BPDUs
from the upstream switching device, the root port is blocked and the switching device notifies
the NMS that the port enters the Discarding state. The blocked port remains in the Blocked state
and no longer forwards packets. This function helps prevent loops on the network. The root port
transitions to the Forwarding state after receiving new BPDUs.
NOTE

An alternate port is a backup port for a root port. If a switching device has an alternate port, you need to
configure loop protection on both the root port and the alternate port.

Perform the following steps on the root port and alternate port on a switching device in an MST
region.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
interface interface-type interface-number

The Ethernet interface view is displayed.


Step 3 Run:
stp loop-protection

Loop protection for the root port is configured on the switching device.
By default, loop protection is disabled.
----End

Checking the Configuration


After MSTP protection functions are configured, you can verify the configurations.

Prerequisites
All configurations for MSTP protection functions are complete.

Procedure
l Run the display stp [ instance instance-id ] [ interface { interface-type interface-number } ] [ brief ] command to view spanning-tree status and statistics.

----End

3.7.5 Configuring MSTP Interoperability Between Huawei Devices and Non-Huawei Devices

To enable Huawei devices to work with non-Huawei devices on an MSTP-capable network,
configure the BPDU format, MSTP protocol packet format, and digest snooping function on the
Huawei devices.

Establishing the Configuration Task


Before configuring MSTP interoperability between Huawei devices and non-Huawei devices,
familiarize yourself with the applicable environment, complete the pre-configuration tasks, and
obtain the data required for the configuration. This will help you complete the configuration task
quickly and accurately.

Applicable Environment
On an MSTP network, inconsistent protocol packet formats and BPDU keys may lead to a
communication failure. Setting MSTP parameters correctly on Huawei devices ensures
interoperability between Huawei devices and non-Huawei devices.

Pre-configuration Tasks
Before configuring MSTP interoperability between Huawei devices and non-Huawei devices,
complete the following task:
l Configuring basic MSTP functions

Data Preparation
To configure MSTP interoperability between Huawei devices and non-Huawei devices, you
need the following data.

No. Data
1 BPDU format
2 MSTP protocol packet format


Configuring a Proposal/Agreement Mechanism


To enable Huawei devices to communicate with non-Huawei devices, configure an appropriate
rapid transition mechanism on Huawei devices according to the Proposal/Agreement mechanism
on non-Huawei devices.

Context
The rapid transition mechanism is also called the Proposal/Agreement mechanism. All switching
devices support the following modes:
l Enhanced mode: The current interface counts the root port calculation when it computes
the synchronization flag bit.
An upstream device sends a Proposal message to a downstream device, requesting rapid
status transition. After receiving the message, the downstream device sets the port
connected to the upstream device as a root port and blocks all non-edge ports.
The upstream device then sends an Agreement message to the downstream device. After
the downstream device receives the message, the root port transitions to the Forwarding
state.
The downstream device responds to the Proposal message with an Agreement message.
After receiving the message, the upstream device sets the port connected to the
downstream device as a designated port, and the designated port transitions to the
Forwarding state.
l Common mode: The current interface ignores the root port when it computes the
synchronization flag bit.
An upstream device sends a Proposal message to a downstream device, requesting rapid
status transition. After receiving the message, the downstream device sets the port
connected to the upstream device as a root port and blocks all non-edge ports. The root
port then transitions to the Forwarding state.
The downstream device responds to the Proposal message with an Agreement message.
After receiving the message, the upstream device sets the port connected to the
downstream device as a designated port. The designated port then transitions to the
Forwarding state.

When Huawei devices are connected to non-Huawei devices, select the same mode as that used
on non-Huawei devices.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
interface interface-type interface-number

The Ethernet interface view is displayed.


Step 3 Run:
stp no-agreement-check

The common rapid transition mechanism is configured.



By default, the interface uses the enhanced rapid transition mechanism.


----End

Configuring the MSTP Protocol Packet Format on an Interface


MSTP protocol packets can be transmitted in auto, dot1s, or legacy mode. The default mode is
auto.

Context
MSTP protocol packets have two formats: dot1s (IEEE 802.1s standard packets) and legacy
(proprietary protocol packets). The auto mode was designed to allow an interface to
automatically use the format of MSTP protocol packets sent from the remote interface. In this
manner, the two interfaces use the same MSTP protocol packet format.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
interface interface-type interface-number

The Ethernet interface view is displayed.


Step 3 Run:
stp compliance { auto | dot1s | legacy }

The MSTP protocol packet format is configured on the interface.


The auto mode is used by default.
NOTE

The negotiation will fail if the format of MSTP packets is set to dot1s on one end and legacy on the other
end.

----End

Enabling the Digest Snooping Function


Interconnected Huawei and non-Huawei devices cannot join the same MST region, and therefore cannot interoperate as intended, if they have the same region name, revision number, and VLAN-to-instance mappings but compute different configuration digests because they use different BPDU keys (the key of the HMAC-MD5 that MSTP runs over the VLAN-to-instance mapping table). To address this problem, enable the digest snooping function on the Huawei device.
Digest snooping makes the Huawei device accept the digest carried in the peer's BPDUs instead of verifying it against its own mapping. Enable it only on the interfaces connected to that non-Huawei device, and only after confirming that both sides use identical VLAN-to-instance mappings; otherwise the two sides may block different ports for the same VLAN, leaving a loop or a black hole in that VLAN.

Context
Perform the following steps on a switching device in an MST region to enable the digest snooping
function.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
interface interface-type interface-number

The Ethernet interface view is displayed.


Step 3 Run:
stp config-digest-snoop

The digest snooping function is enabled.


----End

Checking the Configuration


After MSTP parameters are configured for the interoperability between Huawei devices and
non-Huawei devices, you can verify the configurations.

Prerequisites
All the configurations for the interoperability between Huawei devices and non-Huawei devices
are complete.

Procedure
- Run the display stp [ instance instance-id ] [ interface { interface-type interface-number } ] [ brief ] command to view spanning-tree status and statistics. On the interfaces facing the non-Huawei device, check that the port role and state are the expected ones; if a port that should be inside the region shows up as a master port (MAST) or as a region boundary, the region parameters or the MSTP packet format still differ between the two devices.

----End
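The digest that the "different BPDU keys" problem is about is the MST Configuration Digest: an HMAC-MD5, keyed with a constant fixed by IEEE 802.1s, over the 4096-entry VLAN-to-instance table. Two bridges are in the same region only when region name, revision and this digest all match, so a peer that signs the same table with a proprietary key lands in a different region even though its `display`-style configuration looks identical. The following Python, an added example and not code from this guide or from Huawei, computes the standard digest from a mapping, builds and parses the MST Configuration Identifier of an MST BPDU, and applies the region test that a standard bridge applies to a received BPDU. The field layout is that of IEEE 802.1Q-2005; `VENDOR_KEY`, the RG1 mapping taken from the configuration example, and the sample BPDUs are constructed here.

```python
"""MST Configuration Digest (IEEE 802.1s) and MST-region check on a received BPDU.

Added example; not code from the AC6605 guide or from Huawei. The HMAC-MD5
key and the BPDU layout are those of IEEE 802.1Q-2005 clauses 13 and 14.
VENDOR_KEY, the sample BPDUs and the RG1 mapping are constructed here.
"""
import hashlib
import hmac
import struct

# Key that IEEE 802.1s fixes for computing the MST Configuration Digest.
IEEE_MST_KEY = bytes.fromhex("13AC06A62E47FD51F95D2BA243CD0346")
# Hypothetical key standing in for a vendor whose bridges sign the same
# VLAN-to-instance table with a different "BPDU key" (constructed value).
VENDOR_KEY = bytes.fromhex("00112233445566778899AABBCCDDEEFF")

# MST BPDU without the LLC header: 36 bytes of RST BPDU fields, 2 bytes of
# Version 3 Length, then the 51-byte MST Configuration Identifier.
MSTCONF_OFFSET = 38
MSTCONF_FMT = "!B32sH16s"  # format selector, region name, revision, digest


def mst_config_digest(vlan_to_msti, key=IEEE_MST_KEY):
    """HMAC-MD5 over the 4096-element table of 2-byte MSTIDs indexed by VLAN ID.

    Unmapped VLANs (and elements 0 and 4095) stay in instance 0, the CIST."""
    table = bytearray(4096 * 2)
    for vid, msti in vlan_to_msti.items():
        if not 1 <= vid <= 4094:
            raise ValueError(f"VLAN ID out of range: {vid}")
        struct.pack_into("!H", table, vid * 2, msti)
    return hmac.new(key, bytes(table), hashlib.md5).digest()


def build_mst_bpdu(region_name, revision, digest):
    """Construct a minimal MST BPDU carrying the given configuration identifier.

    CIST root, path cost and port fields are zero placeholders; a real bridge
    fills them from its spanning-tree state. Timers are in 1/256 s units."""
    name = region_name.encode("ascii")
    if len(name) > 32:
        raise ValueError("region name longer than 32 bytes")
    rst = struct.pack("!HBBB8sI8sHHHHHB",
                      0, 3, 2, 0,                      # protocol id, version 3 (MSTP), RST type, flags
                      bytes(8), 0, bytes(8), 0,        # CIST root, ext. root path cost, regional root, port id
                      0, 20 * 256, 2 * 256, 15 * 256,  # message age, max age, hello, forward delay
                      0)                               # version 1 length
    mstconf = struct.pack(MSTCONF_FMT, 0, name.ljust(32, b"\0"), revision, digest)
    tail = struct.pack("!I8sB", 0, bytes(8), 20)       # int. root path cost, CIST bridge id, remaining hops
    version3 = mstconf + tail
    return rst + struct.pack("!H", len(version3)) + version3


def parse_mst_config_id(bpdu):
    """Return (region_name, revision, digest) from an MST BPDU, or None when the
    frame is an STP/RSTP BPDU, which carries no configuration identifier."""
    if len(bpdu) < 4 or bpdu[2] != 3 or bpdu[3] != 2:
        return None
    if len(bpdu) < MSTCONF_OFFSET:
        raise ValueError("truncated MST BPDU")
    version3_len = struct.unpack_from("!H", bpdu, 36)[0]
    if version3_len < 51 or len(bpdu) < MSTCONF_OFFSET + version3_len:
        raise ValueError("truncated MST BPDU")
    selector, name, revision, digest = struct.unpack_from(MSTCONF_FMT, bpdu, MSTCONF_OFFSET)
    if selector != 0:
        raise ValueError(f"unknown configuration format selector {selector}")
    return name.rstrip(b"\0").decode("ascii", "replace"), revision, digest


def same_region(local_name, local_revision, local_mapping, peer_bpdu):
    """The region test a standard MSTP bridge applies to a received BPDU.
    Returns (in_same_region, reason)."""
    parsed = parse_mst_config_id(peer_bpdu)
    if parsed is None:
        return False, "peer is not sending MST BPDUs"
    name, revision, digest = parsed
    if name != local_name:
        return False, f"region name differs: {name!r} != {local_name!r}"
    if revision != local_revision:
        return False, f"revision differs: {revision} != {local_revision}"
    if digest != mst_config_digest(local_mapping):
        return False, "name and revision match but the configuration digest differs"
    return True, "same MST region"


# Region RG1 from the configuration example: VLANs 1-10 in MSTI 1, the rest in the CIST.
RG1 = {vid: 1 for vid in range(1, 11)}

if __name__ == "__main__":
    print("digest with every VLAN in the CIST:", mst_config_digest({}).hex().upper())
    standard_peer = build_mst_bpdu("RG1", 0, mst_config_digest(RG1))
    vendor_peer = build_mst_bpdu("RG1", 0, mst_config_digest(RG1, key=VENDOR_KEY))
    print(same_region("RG1", 0, RG1, standard_peer))   # (True, 'same MST region')
    print(same_region("RG1", 0, RG1, vendor_peer))     # (False, '... digest differs')
```

Run against a BPDU captured on the inter-vendor link, `same_region` separates the three failure causes that `stp compliance`, the region configuration and `stp config-digest-snoop` each address: a non-MST BPDU means the packet format is wrong, a name or revision mismatch is a region-configuration error, and a digest mismatch with everything else equal is exactly the case in which digest snooping is the remedy. The `vendor_peer` case shows why the remedy is a trust decision: the Huawei side stops checking the digest, so it must be sure the peer's mapping really is the same.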

3.7.6 Maintaining MSTP


MSTP maintenance includes clearing MSTP statistics.

Clearing MSTP Statistics


You can run the reset command to clear MSTP statistics.

Context

CAUTION
MSTP statistics cannot be restored after being cleared.

Procedure
Step 1 Run the reset stp [ interface interface-type interface-number ] statistics command to clear
spanning-tree statistics.
----End

3.7.7 Configuration Examples


This section provides an MSTP configuration example.

Example for Configuring Basic MSTP Functions


Networking Requirements
SwitchA, SwitchB, SwitchC, and SwitchD run MSTP. In this example, MSTP runs on Layer 2
interfaces of the Switches.
Figure 3-39 Networking diagram of basic MSTP configurations
(Diagram not reproduced. The links, as labelled in the figure and used by the procedure and the verification output below, are: SwitchA Eth0/0/2 - SwitchB Eth0/0/2; SwitchA Eth0/0/1 - SwitchC Eth0/0/3; SwitchB Eth0/0/1 - SwitchD Eth0/0/3; SwitchC Eth0/0/2 - SwitchD Eth0/0/2; SwitchC Eth0/0/1 and SwitchD Eth0/0/1 each connect to a PC.)

Configuration Roadmap
The configuration roadmap is as follows:
1. Add SwitchA and SwitchC to MST region RG1, and create MSTI1.
2. Add SwitchB and SwitchD to MST region RG2, and create MSTI1.
3. Configure SwitchA as the CIST root.
4. In RG1, configure SwitchA as the CIST regional root and regional root of MSTI1. Configure the root protection function on GE 0/0/2 and GE 0/0/1 of SwitchA.
5. In RG2, configure SwitchB as the CIST regional root and SwitchD as the regional root of MSTI1.
6. On SwitchC and SwitchD, connect GE 0/0/1 to a PC and configure GE 0/0/1 as an edge port. Enable BPDU protection on SwitchC and SwitchD.
7. Configure the Switches to calculate the path cost by using the Huawei-proprietary algorithm.
Root protection keeps the designated ports of SwitchA from turning into root ports when a superior BPDU arrives, so a misconfigured or rogue bridge downstream cannot take over the root role. BPDU protection shuts down an edge port that receives a BPDU, so a device plugged into a user-facing port cannot join the spanning tree at all.

Data Preparation
To complete the configuration, you need the following data:

- Region that SwitchA and SwitchC belong to: RG1
- Region that SwitchB and SwitchD belong to: RG2
- Numbers of the interfaces, as shown in Figure 3-39 (configured as GigabitEthernet interfaces in the procedure)
- VLAN IDs: 1-20

Procedure
Step 1 Configure SwitchA.
# Configure the MST region on SwitchA.
<SwitchA> system-view
[SwitchA] stp region-configuration
[SwitchA-mst-region] region-name RG1
[SwitchA-mst-region] instance 1 vlan 1 to 10

# Activate the configuration of the MST region.


[SwitchA-mst-region] active region-configuration
[SwitchA-mst-region] quit

# Set the priority of SwitchA in MSTI0 to 0 to ensure that SwitchA functions as the CIST root.
[SwitchA] stp instance 0 priority 0

# Set the priority of SwitchA in MSTI1 to 0 to ensure that SwitchA functions as the regional root of MSTI1 in RG1.
[SwitchA] stp instance 1 priority 0

# Configure SwitchA to use the Huawei-proprietary algorithm to calculate the path cost.
[SwitchA] stp pathcost-standard legacy

# Create VLANs 2 to 20.


[SwitchA] vlan batch 2 to 20

# Add GE 0/0/2 to the VLANs.


[SwitchA] interface GigabitEthernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 1 to 20
[SwitchA-GigabitEthernet0/0/2] quit

# Add GE 0/0/1 to the VLANs.


[SwitchA] interface GigabitEthernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 1 to 20
[SwitchA-GigabitEthernet0/0/1] quit

# Enable root protection on the GE 0/0/1.


[SwitchA] interface GigabitEthernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] stp root-protection
[SwitchA-GigabitEthernet0/0/1] quit

# Enable root protection on the GE 0/0/2.


[SwitchA] interface GigabitEthernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] stp root-protection
[SwitchA-GigabitEthernet0/0/2] quit

# Enable MSTP.
[SwitchA] stp enable

Step 2 Configure SwitchB.


# Configure the MST region on SwitchB.
[SwitchB] stp region-configuration
[SwitchB-mst-region] region-name RG2
[SwitchB-mst-region] instance 1 vlan 1 to 10

# Activate the configuration of the MST region.


[SwitchB-mst-region] active region-configuration
[SwitchB-mst-region] quit

# Set the priority of SwitchB in MSTI0 to 4096. SwitchA (priority 0) remains the CIST root; SwitchB becomes the CIST regional root of RG2.
[SwitchB] stp instance 0 priority 4096

# Configure SwitchB to use the Huawei-proprietary algorithm to calculate the path cost.
[SwitchB] stp pathcost-standard legacy

# Create VLANs 2 to 20.


[SwitchB] vlan batch 2 to 20

# Add GE 0/0/1 to the VLANs.


[SwitchB] interface GigabitEthernet 0/0/1
[SwitchB-GigabitEthernet0/0/1] port link-type trunk
[SwitchB-GigabitEthernet0/0/1] port trunk allow-pass vlan 1 to 20
[SwitchB-GigabitEthernet0/0/1] quit

# Add GE 0/0/2 to the VLANs.


[SwitchB] interface GigabitEthernet 0/0/2
[SwitchB-GigabitEthernet0/0/2] port link-type trunk
[SwitchB-GigabitEthernet0/0/2] port trunk allow-pass vlan 1 to 20
[SwitchB-GigabitEthernet0/0/2] quit

# Enable MSTP.
[SwitchB] stp enable

Step 3 Configure SwitchC.


# Configure the MST region on SwitchC.
[SwitchC] stp region-configuration
[SwitchC-mst-region] region-name RG1
[SwitchC-mst-region] instance 1 vlan 1 to 10

# Activate the configuration of the MST region.


[SwitchC-mst-region] active region-configuration
[SwitchC-mst-region] quit

# Configure SwitchC to use the Huawei-proprietary algorithm to calculate the path cost.
[SwitchC] stp pathcost-standard legacy

# Enable BPDU protection.


[SwitchC] stp bpdu-protection

# Create VLANs 2 to 20.


[SwitchC] vlan batch 2 to 20

# Add GE 0/0/2 to the VLANs.


[SwitchC] interface GigabitEthernet 0/0/2
[SwitchC-GigabitEthernet0/0/2] port link-type trunk
[SwitchC-GigabitEthernet0/0/2] port trunk allow-pass vlan 1 to 20
[SwitchC-GigabitEthernet0/0/2] quit

# Add GE 0/0/3 to the VLANs.


[SwitchC] interface GigabitEthernet 0/0/3
[SwitchC-GigabitEthernet0/0/3] port link-type trunk
[SwitchC-GigabitEthernet0/0/3] port trunk allow-pass vlan 1 to 20
[SwitchC-GigabitEthernet0/0/3] quit

# Configure GE 0/0/1 as an edge port.


[SwitchC] interface GigabitEthernet 0/0/1
[SwitchC-GigabitEthernet0/0/1] stp edged-port enable
[SwitchC-GigabitEthernet0/0/1] port hybrid pvid vlan 20
[SwitchC-GigabitEthernet0/0/1] port hybrid untagged vlan 20
[SwitchC-GigabitEthernet0/0/1] quit

# Enable MSTP.
[SwitchC] stp enable

Step 4 Configure SwitchD.


# Configure the MST region on SwitchD.
[SwitchD] stp region-configuration
[SwitchD-mst-region] region-name RG2
[SwitchD-mst-region] instance 1 vlan 1 to 10

# Activate the configuration of the MST region.


[SwitchD-mst-region] active region-configuration
[SwitchD-mst-region] quit

# Set the priority of SwitchD in MSTI1 to 0 to ensure that SwitchD functions as the regional
root of MSTI1.
[SwitchD] stp instance 1 priority 0

# Configure SwitchD to use the Huawei-proprietary algorithm to calculate the path cost.
[SwitchD] stp pathcost-standard legacy

# Enable BPDU protection.


[SwitchD] stp bpdu-protection

# Create VLANs 2 to 20.


[SwitchD] vlan batch 2 to 20

# Add GE 0/0/2 to the VLANs.


[SwitchD] interface GigabitEthernet 0/0/2
[SwitchD-GigabitEthernet0/0/2] port link-type trunk
[SwitchD-GigabitEthernet0/0/2] port trunk allow-pass vlan 1 to 20
[SwitchD-GigabitEthernet0/0/2] quit

# Add GE 0/0/3 to the VLANs.


[SwitchD] interface GigabitEthernet 0/0/3
[SwitchD-GigabitEthernet0/0/3] port link-type trunk
[SwitchD-GigabitEthernet0/0/3] port trunk allow-pass vlan 1 to 20
[SwitchD-GigabitEthernet0/0/3] quit

# Configure GE 0/0/1 as an edge port.


[SwitchD] interface GigabitEthernet 0/0/1
[SwitchD-GigabitEthernet0/0/1] stp edged-port enable
[SwitchD-GigabitEthernet0/0/1] port hybrid pvid vlan 10
[SwitchD-GigabitEthernet0/0/1] port hybrid untagged vlan 10
[SwitchD-GigabitEthernet0/0/1] quit

# Enable MSTP.
[SwitchD] stp enable

Step 5 Verify the configuration.


After the preceding configurations are complete and the network topology becomes stable,
perform the following operations to verify the configuration.
# Run the display stp brief command on SwitchA to view the status and protection type on the
interfaces. The displayed information is as follows:
<SwitchA> display stp brief
 MSTID  Port                        Role  STP State     Protection
   0    GigabitEthernet0/0/1        DESI  FORWARDING    ROOT
   0    GigabitEthernet0/0/2        DESI  FORWARDING    ROOT
   1    GigabitEthernet0/0/1        DESI  FORWARDING    ROOT
   1    GigabitEthernet0/0/2        DESI  FORWARDING    ROOT

The priority of SwitchA is the highest in the CIST; therefore, SwitchA is elected as the CIST root and regional root of RG1. GE 0/0/2 and GE 0/0/1 of SwitchA are designated ports in the CIST.
The priority of SwitchA in MSTI1 is the highest in RG1; therefore, SwitchA is elected as the regional root of MSTI1 in RG1. GE 0/0/2 and GE 0/0/1 of SwitchA are designated ports in MSTI1. The Protection column shows ROOT on both ports, confirming that root protection is active.
# Run the display stp interface brief commands on SwitchC. The displayed information is as
follows:
<SwitchC> display stp interface GigabitEthernet 0/0/3 brief
 MSTID  Port                        Role  STP State     Protection
   0    GigabitEthernet0/0/3        ROOT  FORWARDING    NONE
   1    GigabitEthernet0/0/3        ROOT  FORWARDING    NONE
<SwitchC> display stp interface GigabitEthernet 0/0/2 brief
 MSTID  Port                        Role  STP State     Protection
   0    GigabitEthernet0/0/2        DESI  FORWARDING    NONE
   1    GigabitEthernet0/0/2        DESI  FORWARDING    NONE

GE 0/0/3 of SwitchC is the root port in the CIST and MSTI1. GE 0/0/2 of SwitchC is a designated
port in the CIST and MSTI1.
# Run the display stp brief command on SwitchB. The displayed information is as follows:
<SwitchB> display stp brief
 MSTID  Port                        Role  STP State     Protection
   0    GigabitEthernet0/0/1        DESI  FORWARDING    NONE
   0    GigabitEthernet0/0/2        ROOT  FORWARDING    NONE
   1    GigabitEthernet0/0/1        ROOT  FORWARDING    NONE
   1    GigabitEthernet0/0/2        MAST  FORWARDING    NONE

The priority of SwitchB in the CIST is lower than that of SwitchA; therefore, GE 0/0/2 of SwitchB functions as the root port in the CIST. SwitchA and SwitchB belong to different regions; therefore, GE 0/0/2 of SwitchB functions as the master port in MSTI1. In MSTI1, the priority of SwitchB is lower than that of SwitchD; therefore, GE 0/0/1 of SwitchB functions as the root port. The priority of SwitchB in the CIST is higher than that of SwitchD; therefore, GE 0/0/1 of SwitchB functions as the designated port in the CIST.
# Run the display stp interface brief commands on SwitchD. The displayed information is as
follows:
<SwitchD> display stp interface GigabitEthernet 0/0/3 brief
 MSTID  Port                        Role  STP State     Protection
   0    GigabitEthernet0/0/3        ROOT  FORWARDING    NONE
   1    GigabitEthernet0/0/3        DESI  FORWARDING    NONE
<SwitchD> display stp interface GigabitEthernet 0/0/2 brief
 MSTID  Port                        Role  STP State     Protection
   0    GigabitEthernet0/0/2        ALTE  DISCARDING    NONE
   1    GigabitEthernet0/0/2        ALTE  DISCARDING    NONE

On SwitchD, GE 0/0/2 functions as the alternate port in the CIST. SwitchD and SwitchC are in
different regions; therefore, GE 0/0/2 of SwitchD also functions as the alternate port in MSTI1.
GE 0/0/3 of SwitchD is the root port in the CIST. The priority of SwitchD is higher than that of
SwitchB in MSTI1; therefore, GE 0/0/3 also functions as the designated port in MSTI1.
----End

Configuration Files
Configuration file of SwitchA

#
sysname SwitchA
#
vlan batch 2 to 20
#
stp instance 0 priority 0
stp instance 1 priority 0
stp pathcost-standard legacy
stp enable
stp region-configuration
region-name RG1
instance 1 vlan 1 to 10
active region-configuration
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 1 to 20
stp root-protection
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 1 to 20
stp root-protection
#
return

Configuration file of SwitchB

#
sysname SwitchB
#
vlan batch 2 to 20
#
stp instance 0 priority 4096
stp pathcost-standard legacy
stp enable
stp region-configuration
region-name RG2
instance 1 vlan 1 to 10
active region-configuration
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 1 to 20
#

interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 1 to 20
#
return

Configuration file of SwitchC

#
sysname SwitchC
#
vlan batch 2 to 20
#
stp bpdu-protection
stp pathcost-standard legacy
stp enable
stp region-configuration
region-name RG1
instance 1 vlan 1 to 10
active region-configuration
#
interface GigabitEthernet0/0/1
port hybrid pvid vlan 20
port hybrid untagged vlan 20
stp edged-port enable
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 1 to 20
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk allow-pass vlan 1 to 20
#
return

Configuration file of SwitchD

#
sysname SwitchD
#
vlan batch 2 to 20
#
stp instance 1 priority 0
stp bpdu-protection
stp pathcost-standard legacy
stp enable
stp region-configuration
region-name RG2
instance 1 vlan 1 to 10
active region-configuration
#
interface GigabitEthernet0/0/1
port hybrid pvid vlan 10
port hybrid untagged vlan 10
stp edged-port enable
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 1 to 20
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk allow-pass vlan 1 to 20
#
return

3.8 VoIP Access Configuration


3.8.1 VoIP Access Overview


As the voice over IP (VoIP) service becomes more popular, voice data and non-voice data are
usually transmitted on the same network. Voice data must have a higher priority than other
service data to minimize the delay and jitter during transmission. A commonly used method to
ensure preferred transmission of voice data is to configure an access control list (ACL) to identify
voice data flow, and use quality of service (QoS) mechanisms to ensure high quality of voice
services.
The following methods can be used to implement VoIP access:
- Link Layer Discovery Protocol (LLDP): If a voice device supports LLDP and has a high 802.1p priority (for example, 5), you can configure LLDP and voice VLAN on the switch. The switch then uses LLDP to deliver the voice VLAN ID to the voice device and does not change the packet priority.
- Dynamic Host Configuration Protocol (DHCP): If a voice device supports DHCP and has a high 802.1p priority (for example, 5), you can configure a DHCP server with Option 184 on the switch. The switch then delivers the voice VLAN ID to the voice device through DHCP Option 184 and does not change the packet priority.
- MAC address-based VLAN assignment: If a voice device does not support LLDP or DHCP, you can configure MAC address-based VLAN assignment on the switch. The switch then assigns a VLAN to the voice device based on the MAC address (in practice, the OUI) of the voice device.
- ACL: If a voice device does not support LLDP or DHCP, you can configure an ACL on the switch so that the switch assigns the VLAN and priority for the VoIP service based on the source MAC address of the voice device.
The last two methods identify a voice device only by its source MAC address; they classify traffic but do not authenticate the device.

3.8.2 Configuration Examples


Example for Configuring LLDP on a Switch to Provide VoIP Access
Networking Requirements
Data flows of the HSI, VoIP, and IPTV services are transmitted on the network. Users require
high quality of the VoIP service. Therefore, voice data flows must be transmitted with a high
priority. If a voice device supports LLDP and has a high 802.1p priority (for example, 5), you
can configure LLDP and voice VLAN on the switch. Then the switch uses the LLDP protocol
to deliver the voice VLAN ID to the voice device and does not change the packet priority.
As shown in Figure 3-40, after a voice VLAN is configured on the Switch, the voice device
learns the voice VLAN ID using LLDP.

Figure 3-40 Configuring LLDP to provide VoIP access
(Diagram not reproduced: a DHCP Server and the Internet sit above the Switch; Switch GE0/0/1 connects to a LAN Switch serving HSI, VoIP, and IPTV terminals.)

Configuration Roadmap
The configuration roadmap is as follows:
1. Create VLANs.
2. Configure the link type and default VLAN of the interface connected to the IP phone.
3. Enable the voice VLAN function on the interface.
4. Configure the interface to join the voice VLAN in manual mode.
5. Set the working mode of the voice VLAN.
6. Configure the interface to trust the 802.1p priority of packets.
7. Enable LLDP globally and on the interface.

Data Preparation
To complete the configuration, you need the following data:
- Voice VLAN and VLAN through which the IP phone applies for an IP address: VLAN 2 and VLAN 6
- Default VLAN of GigabitEthernet0/0/1: VLAN 6

Procedure
Step 1 Configure VLANs and interface on the Switch.
# Create VLAN 2 and VLAN 6.
<Quidway> system-view
[Quidway] vlan batch 2 6

# Configure the link type and default VLAN of GigabitEthernet0/0/1.


[Quidway] interface gigabitethernet 0/0/1
[Quidway-GigabitEthernet0/0/1] port hybrid pvid vlan 6
[Quidway-GigabitEthernet0/0/1] port hybrid untagged vlan 6
[Quidway-GigabitEthernet0/0/1] quit

Step 2 Configure the voice VLAN on the Switch.


# Enable the voice VLAN on GigabitEthernet0/0/1.
[Quidway] interface gigabitethernet 0/0/1
[Quidway-GigabitEthernet0/0/1] voice-vlan 2 enable

# Configure the mode in which GigabitEthernet0/0/1 is added to the voice VLAN.


[Quidway-GigabitEthernet0/0/1] voice-vlan mode manual
[Quidway-GigabitEthernet0/0/1] port hybrid tagged vlan 2
[Quidway-GigabitEthernet0/0/1] quit

# Configure the working mode of the voice VLAN. This example uses normal mode (undo voice-vlan security enable), in which the interface forwards every packet in the voice VLAN. In security mode (voice-vlan security enable), the interface forwards only those voice VLAN packets whose source MAC address matches a configured voice OUI, which limits what a non-voice host that has learned the voice VLAN ID can inject into it.
[Quidway] interface gigabitethernet 0/0/1
[Quidway-GigabitEthernet0/0/1] undo voice-vlan security enable

Step 3 Configure the interface to trust the 802.1p priority of packets.


[Quidway] interface gigabitethernet 0/0/1
[Quidway-GigabitEthernet0/0/1] trust 8021p

Step 4 Enable LLDP.


[Quidway] lldp enable
[Quidway] interface gigabitethernet 0/0/1
[Quidway-GigabitEthernet0/0/1] lldp enable

Step 5 Verify the configuration.


Run the display voice-vlan 2 status command to check the voice VLAN configuration, including the mode in which the interface is added to the voice VLAN, the working mode, and the aging time of the voice VLAN.
<Quidway> display voice-vlan 2 status
Voice VLAN Configurations:
---------------------------------------------------
Voice VLAN ID           : 2
Voice VLAN status       : Enable
Voice VLAN aging time   : 1440(minutes)
Voice VLAN 8021p remark : 6
Voice VLAN dscp remark  : 46
-----------------------------------------------------------
Port Information:
-----------------------------------------------------------
Port                    Add-Mode   Security-Mode   Legacy
-----------------------------------------------------------
GigabitEthernet0/0/1    Manual     Normal          Disable

----End

Configuration Files
Configuration file of the Switch
#
sysname Quidway
#

vlan batch 2 6
#
lldp enable
#
interface GigabitEthernet0/0/1
voice-vlan 2 enable
voice-vlan mode manual
undo voice-vlan security enable
port hybrid pvid vlan 6
port hybrid tagged vlan 2
port hybrid untagged vlan 6
trust 8021p
#
return
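What "the switch uses LLDP to deliver the voice VLAN ID" means on the wire is an LLDP-MED Network Policy TLV (ANSI/TIA-1057): an organizationally specific TLV with OUI 00-12-BB and subtype 2 whose 24-bit field carries the VLAN ID, the 802.1p priority and the DSCP for application type 1, voice. The following Python, an added example and not code from this guide or from Huawei, encodes and decodes that TLV and walks a whole LLDPDU to find the voice policy, as a phone (or a tester checking what the port advertises) would. The VLAN 2 / priority 5 / DSCP 46 values, the chassis MAC and the entire SAMPLE_LLDPDU are constructed; the guide does not show the TLV GigabitEthernet0/0/1 actually sends.

```python
"""LLDP-MED Network Policy TLV: how a switch announces the voice VLAN to an IP phone.

Added example; not code from the AC6605 guide or from Huawei. The TLV layout
follows ANSI/TIA-1057 (LLDP-MED): organizationally specific TLV (type 127),
OUI 00-12-BB, subtype 2. The policy values, the chassis MAC and the whole
SAMPLE_LLDPDU are constructed here.
"""
import struct

TLV_END, TLV_CHASSIS_ID, TLV_PORT_ID, TLV_TTL, TLV_ORG_SPECIFIC = 0, 1, 2, 3, 127
LLDP_MED_OUI = bytes.fromhex("0012BB")
MED_SUBTYPE_NETWORK_POLICY = 2
APP_VOICE, APP_VOICE_SIGNALING = 1, 2


def tlv(tlv_type, value):
    """LLDP TLV header: 7-bit type, 9-bit length, followed by the value."""
    if len(value) > 0x1FF:
        raise ValueError("TLV value too long")
    return struct.pack("!H", (tlv_type << 9) | len(value)) + value


def encode_network_policy(app_type, vlan_id, l2_priority, dscp, tagged=True, unknown=False):
    """Build the 10-byte Network Policy TLV.

    After OUI, subtype and application type comes a 24-bit field laid out as
    U (policy unknown) | T (tagged) | X (reserved) | VLAN ID (12) | L2 priority (3) | DSCP (6)."""
    if not (0 <= vlan_id <= 4095 and 0 <= l2_priority <= 7 and 0 <= dscp <= 63):
        raise ValueError("field out of range")
    bits = (int(unknown) << 23) | (int(tagged) << 22) | (vlan_id << 9) | (l2_priority << 6) | dscp
    value = LLDP_MED_OUI + bytes([MED_SUBTYPE_NETWORK_POLICY, app_type]) + bits.to_bytes(3, "big")
    return tlv(TLV_ORG_SPECIFIC, value)


def decode_network_policy(one_tlv):
    """Inverse of encode_network_policy; raises on anything that is not such a TLV."""
    header = struct.unpack_from("!H", one_tlv, 0)[0]
    tlv_type, length = header >> 9, header & 0x1FF
    value = one_tlv[2:2 + length]
    if tlv_type != TLV_ORG_SPECIFIC or len(value) != length or length != 8:
        raise ValueError("not a complete LLDP-MED Network Policy TLV")
    if value[:3] != LLDP_MED_OUI or value[3] != MED_SUBTYPE_NETWORK_POLICY:
        raise ValueError("not an LLDP-MED Network Policy TLV")
    bits = int.from_bytes(value[5:8], "big")
    return {
        "app_type": value[4],
        "unknown_policy": bool((bits >> 23) & 1),
        "tagged": bool((bits >> 22) & 1),
        "vlan_id": (bits >> 9) & 0xFFF,
        "l2_priority": (bits >> 6) & 0x7,
        "dscp": bits & 0x3F,
    }


def iter_tlvs(lldpdu):
    """Yield (type, raw_tlv) for each TLV up to and including End of LLDPDU."""
    offset = 0
    while offset + 2 <= len(lldpdu):
        header = struct.unpack_from("!H", lldpdu, offset)[0]
        tlv_type, length = header >> 9, header & 0x1FF
        if offset + 2 + length > len(lldpdu):
            raise ValueError("truncated TLV")
        yield tlv_type, lldpdu[offset:offset + 2 + length]
        offset += 2 + length
        if tlv_type == TLV_END:
            return


def voice_policy(lldpdu):
    """Return the voice (application type 1) Network Policy in an LLDPDU, or None."""
    for tlv_type, raw in iter_tlvs(lldpdu):
        if (tlv_type != TLV_ORG_SPECIFIC or len(raw) < 6
                or raw[2:5] != LLDP_MED_OUI or raw[5] != MED_SUBTYPE_NETWORK_POLICY):
            continue
        policy = decode_network_policy(raw)
        if policy["app_type"] == APP_VOICE:
            return policy
    return None


# Constructed LLDPDU resembling what GigabitEthernet0/0/1 would send once
# voice-vlan 2 and lldp are enabled: chassis ID (MAC, subtype 4), port ID
# (interface name, subtype 5), TTL 120 s, voice policy, End of LLDPDU.
SAMPLE_LLDPDU = (
    tlv(TLV_CHASSIS_ID, b"\x04" + bytes.fromhex("00E0FC000001"))
    + tlv(TLV_PORT_ID, b"\x05" + b"GigabitEthernet0/0/1")
    + tlv(TLV_TTL, struct.pack("!H", 120))
    + encode_network_policy(APP_VOICE, vlan_id=2, l2_priority=5, dscp=46)
    + tlv(TLV_END, b"")
)

if __name__ == "__main__":
    print(SAMPLE_LLDPDU.hex())
    print(voice_policy(SAMPLE_LLDPDU))   # vlan_id 2, tagged True, l2_priority 5, dscp 46
```

The TLV goes out in clear to whatever is plugged into the port, so the voice VLAN ID is not a secret: any host that runs `voice_policy` over a captured LLDPDU learns which VLAN to tag. What keeps a non-phone out of VLAN 2 is therefore not LLDP but the voice VLAN's security mode (the OUI check) or port authentication; the example above deliberately chose normal mode, which applies no such check.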

Example for Configuring a DHCP Server on a Switch to Provide VoIP Access


Networking Requirements
Data flows of the HSI, VoIP, and IPTV services are transmitted on the network. Users require high quality of the VoIP service. Therefore, voice data flows must be transmitted with a high priority. If a voice device supports DHCP and has a high 802.1p priority (for example, 5), you can configure a DHCP server on the switch. The switch then uses DHCP to deliver the voice VLAN ID to the voice device and does not change the packet priority.
As shown in Figure 3-41, the voice device does not support VLAN configuration. In this case, the DHCP server on the switch delivers the voice VLAN ID to the voice device through Option 184.
Figure 3-41 Configuring a DHCP server to provide VoIP access
(Diagram not reproduced: the Internet sits above the Switch, which acts as the DHCP Server; Switch GE0/0/1 connects to a LAN Switch serving HSI, VoIP, and IPTV terminals.)

Configuration Roadmap
The configuration roadmap is as follows:
1. Create VLANs.
2. Configure the link type and default VLAN of the interface connected to the IP phone.
3. Configure the interface to trust the 802.1p priority of packets.
4. Configure an IP address pool.
5. Configure Option 184 in the address pool.
6. Enable DHCP globally and configure the DHCP server on the VLANIF interface to allocate IP addresses using the global IP address pool.

Data Preparation
To complete the configuration, you need the following data:
- VLAN through which the IP phone applies for an IP address (default VLAN of GigabitEthernet0/0/1): VLAN 2
- Voice VLAN delivered to the IP phone through Option 184: VLAN 6
- Network segment of the IP address pool: 192.168.10.0/24
- Content of Option 184: voice-vlan 6

Procedure
Step 1 Configure VLANs and interface on the Switch.
# Create VLAN 2 and VLAN 6.
<Quidway> system-view
[Quidway] vlan batch 2 6

# Configure the link type and default VLAN of GigabitEthernet0/0/1.
[Quidway] interface gigabitethernet 0/0/1
[Quidway-GigabitEthernet0/0/1] port hybrid pvid vlan 2
[Quidway-GigabitEthernet0/0/1] port hybrid tagged vlan 6
[Quidway-GigabitEthernet0/0/1] port hybrid untagged vlan 2
[Quidway-GigabitEthernet0/0/1] quit

Step 2 Configure an IP address pool on the Switch.


# Create an IP address pool.
[Quidway] ip pool ip_access

# Configure the address range, the gateway, and Option 184 in the IP address pool. The gateway-list address is what the IP phone is told to use as its default gateway, so it must be a router actually present in VLAN 2; it is distinct from the VLANIF 2 address (192.168.10.1) that the switch itself uses as the DHCP server in this example.
[Quidway-ip-pool-ip_access] network 192.168.10.0 mask 24
[Quidway-ip-pool-ip_access] gateway-list 192.168.10.254
[Quidway-ip-pool-ip_access] option184 voice-vlan 6
[Quidway-ip-pool-ip_access] quit

Step 3 Configure the interface to trust the 802.1p priority of packets.


[Quidway] interface gigabitethernet 0/0/1
[Quidway-GigabitEthernet0/0/1] trust 8021p

Step 4 Enable DHCP globally.


[Quidway] dhcp enable

Step 5 Create the VLANIF interface corresponding to the default VLAN of GigabitEthernet0/0/1.
Configure the DHCP server on the VLANIF interface to allocate IP addresses using the global
address pool.
[Quidway] interface Vlanif2


[Quidway-Vlanif2] ip address 192.168.10.1 255.255.255.0
[Quidway-Vlanif2] dhcp select global

----End

Configuration Files
Configuration file of the Switch
#
sysname Quidway
#
vlan batch 2 6
#
dhcp enable
#
ip pool ip_access
gateway-list 192.168.10.254
network 192.168.10.0 mask 255.255.255.0
option184 voice-vlan 6
#
interface Vlanif2
ip address 192.168.10.1 255.255.255.0
dhcp select global
#
interface GigabitEthernet0/0/1
port hybrid pvid vlan 2
port hybrid tagged vlan 6
port hybrid untagged vlan 2
trust 8021p
#
return

Example for Configuring MAC Address-based VLAN Assignment on a Switch to Provide VoIP Access

Networking Requirements
Data flows of the HSI, VoIP, and IPTV services are transmitted on the network. Users require high quality of the VoIP service. Therefore, voice data flows must be transmitted with a high priority. If a voice device does not support LLDP or DHCP, you can configure MAC address-based VLAN assignment on the switch. Then the switch can assign a VLAN to the voice device based on the MAC address of the voice device.
As shown in Figure 3-42, the IP phone sends untagged packets. To ensure high-quality VoIP service, the Switch associates the MAC address of the IP phone with VLAN 100, of which the priority is 7.

Figure 3-42 Configuring MAC address-based VLAN assignment to provide VoIP access
(Diagram not reproduced: a DHCP Server and the Internet sit above the Switch; Switch GE0/0/1 connects to a LAN Switch serving HSI, VoIP, and IPTV terminals.)

Configuration Roadmap
The configuration roadmap is as follows:
1. Create VLANs.
2. Configure the link type and default VLAN of the interface connected to the IP phone.
3. Enable MAC address-based VLAN assignment on the interface.
4. Associate the MAC address of the IP phone with a VLAN.

Data Preparation
To complete the configuration, you need the following data:
- VLAN associated with the MAC address of the IP phone: VLAN 100
- OUI address of the IP phone and priority of packets sent from the IP phone: 1234-1234-1234/ffff-ff00-0000, 7
- Default VLAN of GigabitEthernet0/0/1: VLAN 200

Procedure
Step 1 Configure VLANs and interface on the Switch.
# Create VLAN 100 and VLAN 200.
<Quidway> system-view
[Quidway] vlan batch 100 200

# Configure the link type and default VLAN of GigabitEthernet0/0/1.


[Quidway] interface gigabitethernet 0/0/1
[Quidway-GigabitEthernet0/0/1] port hybrid pvid vlan 200
[Quidway-GigabitEthernet0/0/1] port hybrid untagged vlan 100 200
[Quidway-GigabitEthernet0/0/1] quit

Step 2 Associate the MAC address of the IP phone with VLAN 100 and set the priority of VLAN 100 to 7.
[Quidway] vlan 100
[Quidway-vlan100] mac-vlan mac-address 1234-1234-1234 ffff-ff00-0000 priority 7
[Quidway-vlan100] quit

Step 3 Enable MAC address-based VLAN assignment.


[Quidway] interface gigabitethernet 0/0/1
[Quidway-GigabitEthernet0/0/1] mac-vlan enable
[Quidway-GigabitEthernet0/0/1] quit

Step 4 Verify the configuration.


Run the display mac-vlan mac-address all command to verify the configuration of MAC address-based VLAN assignment.
<Quidway> display mac-vlan mac-address all
---------------------------------------------------
MAC Address      MASK             VLAN   Priority
---------------------------------------------------
1234-1234-1234   ffff-ff00-0000   100    7
Total MAC VLAN address count: 1

----End

Configuration Files
Configuration file of the Switch
#
sysname Quidway
#
vlan batch 100 200
#
vlan 100
mac-vlan mac-address 1234-1234-1234 ffff-ff00-0000 priority 7
#
interface GigabitEthernet0/0/1
port hybrid pvid vlan 200
port hybrid untagged vlan 100 200
mac-vlan enable
#
return

Example for Configuring an ACL on a Switch to Provide VoIP Access (1)


Networking Requirements
Data flows of the HSI, VoIP, and IPTV services are transmitted on the network. Users require
high quality of the VoIP service. Therefore, voice data flows must be transmitted with a high
priority. If a voice device connected to a switch does not support LLDP or DHCP, you can
configure an ACL on the switch to implement VoIP access.
As shown in Figure 3-43, the voice device sends untagged packets. To ensure high-quality VoIP
service, the Switch identifies voice data packets based on the source MAC address, tags the
voice data packets with VLAN 200, and sets the priority of the voice data packets to 7.
Figure 3-43 Configuring an ACL to provide VoIP access
(Diagram not reproduced: a DHCP Server and the Internet sit above the Switch; Switch GE0/0/1 connects to a LAN Switch serving HSI, VoIP, and IPTV terminals.)

Configuration Roadmap
The configuration roadmap is as follows:
1. Create a VLAN.
2. Configure the link type and default VLAN of the interface connected to the voice device.
3. Configure an ACL rule to match the MAC address of the voice device.
4. Configure the Switch to add an outer VLAN tag to the packets matching the ACL rule and change the priority of these packets.

Data Preparation
To complete the configuration, you need the following data:
- VLAN to be assigned to the VoIP service: 200
- OUI address of the voice device: 1234-1234-1234/ffff-ffff-ff00
- Re-marked 802.1p priority: 7

Procedure
Step 1 Configure VLANs and the interface on the Switch.
# Create VLAN 100 and VLAN 200.
<Quidway> system-view
[Quidway] vlan batch 100 200

# Configure the link type and default VLAN of the interface connected to the voice device.
[Quidway] interface gigabitethernet 0/0/1
[Quidway-GigabitEthernet0/0/1] port hybrid pvid vlan 100
[Quidway-GigabitEthernet0/0/1] port hybrid untagged vlan 100 200
[Quidway-GigabitEthernet0/0/1] quit

Step 2 Configure an ACL.


[Quidway] acl 4000
[Quidway-acl-L2-4000] rule permit source-mac 1234-1234-1234 ffff-ffff-ff00
[Quidway-acl-L2-4000] quit

Step 3 Apply the ACL to GE0/0/1.


[Quidway] interface gigabitethernet 0/0/1
[Quidway-GigabitEthernet0/0/1] port add-tag acl 4000 vlan 200 remark-8021p 7
[Quidway-GigabitEthernet0/0/1] quit

Step 4 Verify the configuration.


Run the display acl 4000 command to check the ACL configuration. The rule is stored with the mask already applied, so the address is displayed as 1234-1234-1200 although it was entered as 1234-1234-1234; only the first five bytes take part in the match.
<Quidway> display acl 4000
L2 ACL 4000, 1 rule
Acl's step is 5
rule 5 permit source-mac 1234-1234-1200 ffff-ffff-ff00

----End

Configuration Files
Configuration file of the Switch
#
sysname Quidway
#
vlan batch 100 200
#
acl number 4000
rule 5 permit source-mac 1234-1234-1200 ffff-ffff-ff00
#
interface GigabitEthernet0/0/1
port hybrid pvid vlan 100
port hybrid untagged vlan 100 200
port add-tag acl 4000 vlan 200 remark-8021p 7
#
return
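The mac-vlan entry in the previous example and the source-mac rule in this one use the same matching model: a MAC address plus a mask in which set bits must match, with the rule address stored already masked (hence 1234-1234-1200 in the display acl output). The following Python, an added example and not code from this guide or from Huawei, implements that matcher and runs the two rule sets configured above against constructed source addresses, including one that merely copies the phone's OUI. The rule values come from the examples; the frames in FRAMES are made up.

```python
"""MAC address + mask matching as used by mac-vlan and Layer 2 ACL rules.

Added example; not code from the AC6605 guide or from Huawei. The two rule
sets reproduce the entries configured above (mac-vlan: 1234-1234-1234 with
mask ffff-ff00-0000 -> VLAN 100, priority 7; ACL 4000: 1234-1234-1234 with
mask ffff-ffff-ff00 -> VLAN 200, 802.1p 7). The frames in FRAMES are constructed.
"""


def parse_mac(text):
    """Accept Huawei xxxx-xxxx-xxxx or xx:xx:xx:xx:xx:xx notation; return a 48-bit int."""
    digits = text.replace("-", "").replace(":", "")
    if len(digits) != 12:
        raise ValueError(f"bad MAC address: {text!r}")
    return int(digits, 16)


def format_mac(value):
    """Render a 48-bit int in Huawei xxxx-xxxx-xxxx notation."""
    h = f"{value & 0xFFFFFFFFFFFF:012x}"
    return f"{h[0:4]}-{h[4:8]}-{h[8:12]}"


class MacRule:
    """One mac-vlan or ACL source-mac entry.

    A set bit in the mask means "this bit must match"; the rule address is
    stored with the mask already applied, which is why display acl 4000 shows
    1234-1234-1200 for a rule typed as 1234-1234-1234 ffff-ffff-ff00."""

    def __init__(self, mac, mask, vlan, priority):
        self.mask = parse_mac(mask)
        self.mac = parse_mac(mac) & self.mask
        self.vlan = vlan
        self.priority = priority

    def matches(self, src_mac):
        return parse_mac(src_mac) & self.mask == self.mac

    def stored_mac(self):
        return format_mac(self.mac)


def classify(rules, src_mac, default_vlan):
    """Return (vlan, priority) for a frame: the first matching rule wins; otherwise
    the interface's default VLAN (PVID) applies and the priority is left as is (None)."""
    for rule in rules:
        if rule.matches(src_mac):
            return rule.vlan, rule.priority
    return default_vlan, None


MAC_VLAN_RULES = [MacRule("1234-1234-1234", "ffff-ff00-0000", vlan=100, priority=7)]
ACL_4000_RULES = [MacRule("1234-1234-1234", "ffff-ffff-ff00", vlan=200, priority=7)]

# Constructed source addresses: a phone inside the 5-byte prefix, a phone with
# the same 3-byte OUI but a different 4th byte, a PC, and a host that has set
# its MAC to the phone prefix on purpose.
FRAMES = {
    "phone":       "1234-1234-1201",
    "phone-other": "1234-1234-1301",
    "pc":          "00e0-fc12-3456",
    "spoofed-oui": "1234-1234-12ff",
}

if __name__ == "__main__":
    print("ACL 4000 stored address:", ACL_4000_RULES[0].stored_mac())   # 1234-1234-1200
    for name, mac in FRAMES.items():
        print(f"{name:12} mac-vlan -> {classify(MAC_VLAN_RULES, mac, 200)}"
              f"  acl 4000 -> {classify(ACL_4000_RULES, mac, 100)}")
```

The "spoofed-oui" frame is classified exactly like the phone: both mechanisms trust whatever source address a host chooses, so they place traffic in the voice VLAN with priority 7 but do not authenticate the sender. Where that matters, pair them with port security, 802.1X, or the voice VLAN's security mode rather than relying on the OUI alone.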

Example for Configuring an ACL on a Switch to Provide VoIP Access (2)


Networking Requirements
Data flows of the HSI, VoIP, and IPTV services are transmitted on the network. Users require
high quality of the VoIP service. Therefore, voice data flows must be transmitted with a high
priority. If a voice device connected to a switch does not support LLDP or DHCP, you can
configure an ACL on the switch to implement VoIP access.
As shown in Figure 3-44, the voice device sends untagged packets. To ensure high-quality VoIP
service, the Switch identifies voice data packets based on the source MAC address, tags the
voice data packets with VLAN 200, and sets the priority of the voice data packets to 7.
Figure 3-44 Configuring an ACL to provide VoIP access
(Figure: the Switch connects upstream to a DHCP server and the Internet; its GE0/0/1 connects a
LAN switch that serves HSI, VoIP, and IPTV terminals.)

Configuration Roadmap
The configuration roadmap is as follows:
1. Create a VLAN.
2. Configure the link type and default VLAN of the interface connected to the voice device.
3. Configure an ACL rule to match the MAC address of the voice device.
4. Configure the Switch to change the priority of the packets matching the ACL rule.

Data Preparation
To complete the configuration, you need the following data:
- VLAN to be assigned to the VoIP service: 200
- OUI address of the voice device: 1234-1234-1234/ffff-ffff-ff00
- Re-marked 802.1p priority: 7

Procedure
Step 1 Configure VLAN and interface on the Switch.
# Create VLAN 200.
<Quidway> system-view
[Quidway] vlan 200

# Configure the link type and default VLAN of the interface connected to the voice device.
[Quidway] interface gigabitethernet 0/0/1


[Quidway-GigabitEthernet0/0/1] port link-type dot1q-tunnel
[Quidway-GigabitEthernet0/0/1] port default vlan 200
[Quidway-GigabitEthernet0/0/1] quit

Step 2 Configure an ACL.


[Quidway] acl 4000
[Quidway-acl-L2-4000] rule permit source-mac 1234-1234-1234 ffff-ffff-ff00
[Quidway-acl-L2-4000] quit

Step 3 Apply the ACL to GE0/0/1 and re-mark the priority of the packets matching the ACL.
[Quidway] interface gigabitethernet 0/0/1
[Quidway-GigabitEthernet0/0/1] traffic-remark inbound acl 4000 8021p 7
[Quidway-GigabitEthernet0/0/1] quit

Step 4 Verify the configuration.


Run the display acl 4000 command to check the ACL configuration.
<Quidway> display acl 4000
L2 ACL 4000, 1 rule
Acl's step is 5
rule 5 permit source-mac 1234-1234-1200 ffff-ffff-ff00

----End

Configuration Files
Configuration file of the Switch
#
sysname Quidway
#
vlan 200
#
acl number 4000
rule 5 permit source-mac 1234-1234-1200 ffff-ffff-ff00
#
interface GigabitEthernet0/0/1
port link-type dot1q-tunnel
port default vlan 200
traffic-remark inbound acl 4000 8021p 7
#
return
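The Layer 2 ACL shared by the two VoIP examples above (acl 4000 with rule permit source-mac 1234-1234-1234 ffff-ffff-ff00) is modelled here in Python as an added example that is not part of the Huawei guide: it shows why display acl 4000 prints the rule as 1234-1234-1200 (bits outside the mask are cleared when the rule is stored), how a frame's source MAC is tested against the OUI mask, and the VLAN 200 / 802.1p 7 marking that the first example applies to matching untagged frames. The frame MAC addresses and helper names are constructed.

```python
"""Model of the Layer 2 ACL used in the two VoIP examples (acl 4000).

Added example, not AC6605 code. Sample MAC addresses below are constructed.
"""
from dataclasses import dataclass
from typing import Tuple

HEX_DIGITS = set("0123456789abcdef")


def parse_mac(text: str) -> int:
    """Parse a Huawei-style 'hhhh-hhhh-hhhh' address (':' separators also accepted)."""
    digits = text.replace("-", "").replace(":", "").lower()
    if len(digits) != 12 or not set(digits) <= HEX_DIGITS:
        raise ValueError(f"bad MAC address: {text!r}")
    return int(digits, 16)


def format_mac(value: int) -> str:
    """Format a 48-bit integer as 'hhhh-hhhh-hhhh'."""
    h = f"{value & 0xFFFFFFFFFFFF:012x}"
    return f"{h[0:4]}-{h[4:8]}-{h[8:12]}"


@dataclass(frozen=True)
class SourceMacRule:
    """One 'rule permit source-mac <mac> <mask>' entry of an L2 ACL.

    A set bit in the mask means 'this bit must match'; ffff-ffff-ff00 therefore
    matches every address whose first five bytes equal those of the voice device.
    """
    mac: int
    mask: int

    @classmethod
    def parse(cls, mac: str, mask: str) -> "SourceMacRule":
        m, k = parse_mac(mac), parse_mac(mask)
        # Bits outside the mask are cleared when the rule is stored, which is why
        # 'display acl 4000' shows 1234-1234-1200 for a rule typed as 1234-1234-1234.
        return cls(m & k, k)

    def canonical(self) -> str:
        """The rule as the device displays it."""
        return f"rule permit source-mac {format_mac(self.mac)} {format_mac(self.mask)}"

    def matches(self, src_mac: str) -> bool:
        return (parse_mac(src_mac) & self.mask) == self.mac


VOIP_VLAN = 200   # VLAN assigned to the VoIP service
VOIP_PCP = 7      # re-marked 802.1p priority
PVID = 100        # default VLAN of GE0/0/1 in the first example


def classify_untagged_frame(rule: SourceMacRule, src_mac: str,
                            pvid: int = PVID) -> Tuple[int, int]:
    """Return the (VLAN, 802.1p) the Switch gives an untagged frame from src_mac.

    First example: 'port add-tag acl 4000 vlan 200 remark-8021p 7' tags matching
    frames with VLAN 200 and priority 7; other untagged frames get the port PVID
    and the default priority 0. The source MAC is a QoS classification key only,
    not an authentication of the voice device.
    """
    if rule.matches(src_mac):
        return (VOIP_VLAN, VOIP_PCP)
    return (pvid, 0)


if __name__ == "__main__":
    rule = SourceMacRule.parse("1234-1234-1234", "ffff-ffff-ff00")
    print(rule.canonical())
    for mac in ("1234-1234-12ab", "1234-1234-13ab"):
        print(mac, classify_untagged_frame(rule, mac))
```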

4 Configuration Guide - IP Service


About This Chapter


This chapter describes the configurations of the IP services of the AC6605, including the basic
knowledge and configurations of secondary IP addresses, DNS, ARP, DHCP, and IP performance.
By reading this chapter, you can learn the concepts and configuration procedures of IP
services.
4.1 IP Addresses Configuration
By assigning IP addresses to network devices, you can enable data communications between
the network devices.
4.2 ARP Configuration
ARP can map an IP address to a MAC address and implements transmission of Ethernet frames.
4.3 DHCP Configuration
Dynamic Host Configuration Protocol (DHCP) dynamically manages and configures clients in
a concentrated manner. It ensures proper IP address allocation and improves IP address use
efficiency.
4.4 IP Performance Configuration
This chapter describes the basic concepts of IP performance, and provides configuration
procedures and examples of IP performance.
4.5 DHCP Policy VLAN Configuration
This chapter describes the concept, operating mode, and configuration of Dynamic Host
Configuration Protocol (DHCP) policy Virtual Local Area Network (VLAN), and provides
configuration examples.
4.6 UDP Helper Configuration
This chapter describes the principle of UDP helper, and provides configuration procedures and
examples of UDP helper.
4.7 DNS Configuration
By configuring the Domain Name System (DNS), you can enable network devices to
communicate with each other through their domain names.

4.1 IP Addresses Configuration


By assigning IP addresses to network devices, you can enable data communications between
the network devices.

4.1.1 Introduction to IP Addresses


IP is the core of the TCP/IP protocol suite. The packets of the Transmission Control Protocol
(TCP), User Datagram Protocol (UDP), Internet Control Message Protocol (ICMP), and Internet
Group Membership Protocol (IGMP) are all transmitted in the format of IP datagrams. Devices
on different networks communicate with each other using their network layer addresses, namely
IP addresses.
To communicate with each other on Internet Protocol (IP) networks, each host must be assigned
an IP address.
An IP address is a 32-bit number that is composed of two parts, namely, the network ID and
host ID.
The network ID identifies a network and the host ID identifies a host on the network. If the
network IDs of hosts are the same, it indicates that the hosts are on the same network regardless
of their physical locations.

4.1.2 Features of IP Addresses Supported by the AC6605


IP addresses can be obtained through static manual configuration or DHCP.
The AC6605 supports IP address configuration through the following methods:
- Manually configuring an IP address for an interface
- Obtaining an IP address by DHCP

The AC6605 supports the space overlapping of network segment addresses to save the address
space.
- IP addresses that are in overlapping network segments but are not identical can be configured
on different interfaces of the same device. For example, after an interface on a device is
configured with the IP address 20.1.1.1/16, configuring another interface with the IP address
20.1.1.2/24 causes the system to display a prompt message, but the configuration still
succeeds; configuring another interface with the IP address 20.1.1.2/16 causes the system to
report an IP address conflict, and the configuration fails.
- A primary IP address and a secondary IP address that are in overlapping network segments
but are not identical can be configured on the same interface. For example, after the interface
is configured with the primary IP address 20.1.1.1/24, configuring the secondary IP address
20.1.1.2/16 sub causes the system to display a prompt message, but the configuration still
succeeds.
- A primary IP address and a secondary IP address that are in overlapping network segments
can be configured on different interfaces of the same device, but the primary IP address and
the secondary IP address cannot be identical. For example, after an interface on a device is
configured with the IP address 20.1.1.1/16, configuring another interface with the IP address
20.1.1.2/24 sub causes the system to display a prompt message, but the configuration still
succeeds.

The AC6605 supports 31-bit IP address masks. A /31 network segment contains only two IP
addresses, which would normally be the network address and the broadcast address, for example,
10.110.1.0/31 and 10.110.1.1/31. On the AC6605 both of these addresses can be used as host addresses.
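The address-overlap rules of 4.1.2 and the /31 rule above are easy to get wrong when reviewing a configuration, so the following Python, added here and not part of the Huawei guide, encodes them as a pre-flight check: given the addresses already on a device and a candidate address, it reports whether the device would configure it silently, configure it with a prompt message, or reject it as an IP address conflict, using the 20.1.1.x cases from the text. The text does not say how a secondary address in exactly the same segment as the primary address of the same interface is treated; the code assumes that case is a conflict.

```python
"""Checks that model the IP address rules in 4.1.2.

Added example, not AC6605 code. The overlap rules follow the three cases the text
gives (prompt message vs. IP address conflict) and the /31 rule. A secondary address
in exactly the same segment as the primary address of the same interface is not
covered by the text and is assumed here to be a conflict.
"""
import ipaddress
from enum import Enum
from typing import List


class Verdict(Enum):
    OK = "configured"
    WARN = "configured, system displays a prompt message (overlapping segments)"
    CONFLICT = "configuration fails: IP address conflict"


def check_new_address(existing: List[str], new: str) -> Verdict:
    """Decide how the device reacts to configuring `new` given `existing` addresses.

    Addresses are written as 'a.b.c.d/len'. Whether an address is primary or
    secondary ('sub') does not change the outcome in any case the text describes,
    so only the addresses themselves are compared.
    """
    n = ipaddress.ip_interface(new)
    worst = Verdict.OK
    for addr in existing:
        e = ipaddress.ip_interface(addr)
        if e.ip == n.ip:
            return Verdict.CONFLICT   # an identical address is never allowed
        if e.network == n.network:
            # Same segment with the same mask, e.g. 20.1.1.1/16 then 20.1.1.2/16 on
            # another interface: the text reports an IP address conflict.
            # (On the same interface this case is assumed, see module docstring.)
            return Verdict.CONFLICT
        if e.network.overlaps(n.network):
            # Overlapping but different segments (20.1.1.1/16 vs 20.1.1.2/24, with or
            # without 'sub', on the same or another interface): prompt, still configured.
            worst = Verdict.WARN
    return worst


def usable_host_addresses(segment: str) -> List[str]:
    """Host addresses the AC6605 can assign in a segment.

    A /31 has only the 'network' and 'broadcast' addresses and the AC6605 lets both
    be used as host addresses; longer masks exclude those two addresses as usual.
    """
    net = ipaddress.ip_network(segment, strict=False)
    if net.prefixlen == 31:
        return [str(a) for a in net]
    return [str(a) for a in net.hosts()]


if __name__ == "__main__":
    # The three cases from 4.1.2, then the /31 segment from the text.
    print(check_new_address(["20.1.1.1/16"], "20.1.1.2/24").value)
    print(check_new_address(["20.1.1.1/16"], "20.1.1.2/16").value)
    print(check_new_address(["20.1.1.1/24"], "20.1.1.2/16").value)   # 'sub' case
    print(usable_host_addresses("10.110.1.0/31"))
```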

4.1.3 Configuring IP Addresses for Interfaces


Assigning an IP address to a device on a network enables the device to communicate with the
other devices on the network.

Establishing the Configuration Task


This section describes the applicable environment, pre-configuration tasks, data preparation, and
configuration procedure for assigning an IP address to an interface.

Applicable Environment
To start IP services on an interface, configure the IP address for the interface. You can assign
several IP addresses to each interface. Among them, one is the primary IP address and the others
are secondary IP addresses.
Generally, you need to configure only a primary IP address for an interface. Secondary IP
addresses, however, are required in some cases. For instance, when a device connects to a
physical network through an interface, and computers on this network belong to two Class C
networks, you need to configure a primary IP address and a secondary IP address for this interface
to ensure that the device can communicate with all computers on this network.

Pre-configuration Tasks
Before configuring an IP address for an interface, complete the following tasks:
- Configuring the physical parameters for the interface and ensuring that the physical layer
status of the interface is Up
- Configuring the link layer parameters for the interface and ensuring that the status of the
link layer protocol on the interface is Up

Data Preparation
Before configuring IP addresses for an interface, you need the following data.
1. Interface number
2. Primary IP address and subnet mask of the interface
3. (Optional) Secondary IP address and subnet mask of the interface

Configuring a Primary IP Address for an Interface


An interface can have only one primary IP address.
Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
vlan vlan-id

A VLAN is created.


Step 3 Run:
quit

Step 4 Run:
interface vlanif vlan-id

The VLANIF interface view is displayed.


Step 5 Run:
ip address ip-address { mask | mask-length }

A primary IP address is configured.


An interface has only one primary IP address. If the interface already has a primary IP address,
the newly configured primary IP address replaces the original one.
----End

(Optional) Configuring a Secondary IP Address for an Interface


To enable an interface to communicate with several networks with different network IDs, you
need to assign a secondary IP address to this interface.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
interface vlanif vlan-id

The VLANIF interface view is displayed.


Step 3 Run:
ip address ip-address { mask | mask-length } sub

A secondary IP address is configured.


You can configure a maximum of 8 secondary IP addresses on an interface.
----End

Checking the Configuration


You can view the configuration of the IP address for an interface.
Prerequisites
The configurations of the IP addresses for the interface are complete.

Procedure
- Run the display ip interface [ brief ] [ interface-type [ interface-number ] ] command to
check the IP configuration on the interface.
- Run the display interface [ interface-type [ interface-number ] ] command to check
interface information.

----End

4.1.4 Configuration Examples


This section provides several examples of IP address configuration.

Example for Setting Primary and Secondary IP Addresses


This section provides a configuration example of setting primary and secondary IP addresses.

Networking Requirements
As shown in Figure 4-1, GigabitEthernet 0/0/1 of the Switch is connected to a LAN, in which
hosts belong to two different network segments, that is 172.16.1.0/24 and 172.16.2.0/24. It is
required that the Switch can access the two network segments but the host in 172.16.1.0/24
cannot interconnect with the host in 172.16.2.0/24.
Figure 4-1 Networking diagram for setting IP addresses
(Figure: Ethernet 0/0/1 of the Switch belongs to VLANIF 100, which has the addresses
172.16.1.1/24 and 172.16.2.1/24 sub and connects to the hosts on 172.16.1.0/24 and 172.16.2.0/24.)

Configuration Roadmap
The configuration roadmap is as follows:
1. Analyze the address of the network segment to which each interface is connected.
2. Set the secondary IP addresses for an interface.

Data Preparation
To complete the configuration, you need the following data.
- Primary IP address and subnet mask of the VLANIF interface
- Secondary IP address and subnet mask of the VLANIF interface

Procedure
Step 1 Set the IP address for VLANIF 100, to which GigabitEthernet 0/0/1 of the Switch belongs.
<Quidway> system-view
[Quidway] vlan 100
[Quidway-Vlan100] quit
[Quidway] interface gigabitethernet 0/0/1
[Quidway-GigabitEthernet0/0/1] port hybrid pvid vlan 100
[Quidway-GigabitEthernet0/0/1] port hybrid untagged vlan 100
[Quidway-GigabitEthernet0/0/1] quit
[Quidway] interface vlanif 100
[Quidway-Vlanif100] ip address 172.16.1.1 24
[Quidway-Vlanif100] ip address 172.16.2.1 24 sub

Step 2 Verify the configuration.


# Ping a host on network segment 172.16.1.0 from the Switch. The ping succeeds.
<Quidway> ping 172.16.1.2
PING 172.16.1.2: 56 data bytes, press CTRL_C to break
Reply from 172.16.1.2: bytes=56 Sequence=1 ttl=128 time=25 ms
Reply from 172.16.1.2: bytes=56 Sequence=2 ttl=128 time=27 ms
Reply from 172.16.1.2: bytes=56 Sequence=3 ttl=128 time=26 ms
Reply from 172.16.1.2: bytes=56 Sequence=4 ttl=128 time=26 ms
Reply from 172.16.1.2: bytes=56 Sequence=5 ttl=128 time=26 ms
--- 172.16.1.2 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 25/26/27 ms

# Ping a host on network segment 172.16.2.0 from the Switch. The ping succeeds.
<Quidway> ping 172.16.2.2
PING 172.16.2.2: 56 data bytes, press CTRL_C to break
Reply from 172.16.2.2: bytes=56 Sequence=1 ttl=128 time=25 ms
Reply from 172.16.2.2: bytes=56 Sequence=2 ttl=128 time=26 ms
Reply from 172.16.2.2: bytes=56 Sequence=3 ttl=128 time=26 ms
Reply from 172.16.2.2: bytes=56 Sequence=4 ttl=128 time=26 ms
Reply from 172.16.2.2: bytes=56 Sequence=5 ttl=128 time=26 ms
--- 172.16.2.2 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 25/25/26 ms

----End

Configuration Files
Configuration file of the Switch
#
sysname Quidway
#

vlan 100
#
interface Vlanif100
ip address 172.16.1.1 255.255.255.0
ip address 172.16.2.1 255.255.255.0 sub
#
interface GigabitEthernet0/0/1
port hybrid pvid vlan 100
port hybrid untagged vlan 100
#
return

4.2 ARP Configuration


ARP can map an IP address to a MAC address and implements transmission of Ethernet frames.

4.2.1 Overview of ARP


An Ethernet device must support ARP. ARP implements dynamic mapping between Layer 3 IP
addresses and Layer 2 MAC addresses.
Each host or device on the Local Area Network (LAN) can be configured with a 32-bit IP address
to communicate with others. The assigned IP address is independent of the hardware address.
On the Ethernet, a host or a device transmits and receives Ethernet frames according to a 48-bit
Medium Access Control (MAC) address. The MAC address is also called the physical address
or the hardware address, which is assigned to an Ethernet interface when equipment is produced.
Therefore, on an interconnected network, an address resolution mechanism is required to provide
the mapping between MAC addresses and IP addresses.
The Address Resolution Protocol (ARP) maps an IP address to the corresponding MAC address.

4.2.2 ARP Features Supported by the AC6605


This section describes the ARP features supported by the AC6605.
The AC6605 supports dynamic ARP, static ARP, proxy ARP, and Layer 2 topology detection.

ARP
ARP is classified into the following types: dynamic ARP and static ARP.
- Static ARP means the mapping between manually configured IP addresses and MAC
addresses.
- Dynamic ARP means that the ARP mapping table is dynamically maintained by the ARP
protocol.

Proxy ARP
The AC6605 supports the following types of proxy ARP:
- Routed proxy ARP
Proxy ARP lets PCs or switches that are on the same network segment but in different physical
networks communicate.
In actual applications, if a host connected to a switch is not configured with a
default gateway address (that is, the host does not know how to reach the intermediate
system of the network), the host cannot forward data packets.

Routed proxy ARP is introduced to solve this problem. The host sends an ARP Request
message, requesting the MAC address of the destination host. After receiving such a
request, the switch enabled with proxy ARP answers with its own MAC address. By
"faking" its identity, the switch accepts responsibility for routing messages to the "real"
destination.
The switch enabled with proxy ARP can also hide the details of the physical networks and
implement the communication between hosts that are in different physical networks but on
the same network segment.
- Intra-VLAN proxy ARP
In the scenario where two users belong to the same VLAN but user isolation is configured
in the VLAN, to implement communication between the two users, you need to enable
proxy ARP within the VLAN on the member interface of the VLAN.
The interface enabled with proxy ARP within a VLAN does not directly discard the ARP
Request messages that are not for itself. Instead, it searches the ARP mapping table
for the corresponding ARP entries. If the switch is qualified to serve as a proxy,
the interface sends the MAC address of the switch to the sender of the ARP Request
message.
Proxy ARP within a VLAN implements the interworking between isolated users in the
same VLAN.

- Inter-VLAN proxy ARP
In the scenario where two users belong to different VLANs, to implement communication
between the two users, you need to enable proxy ARP between VLANs on the member
interfaces of the VLANs.
The interfaces enabled with proxy ARP between VLANs do not directly discard the ARP
Request messages that are not for themselves. Instead, they search their own ARP mapping
tables for the corresponding ARP entries. If the conditions for being a proxy are
met, the interface sends the MAC address of the switch to the sender of the ARP Request
message.
Proxy ARP between VLANs is mainly applied to the following situations:
  - Implementing Layer 3 interworking between users in different VLANs
  - Implementing interworking between sub-VLANs by enabling proxy ARP between
VLANs on the VLANIF interface of the super VLAN
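The ARP Request handling described above for a proxy-enabled VLANIF interface is modelled in the following Python, an added example that is not AC6605 code. It covers the two proxy ARP types this chapter gives configuration procedures for (routed proxy ARP, enabled with arp-proxy enable in 4.2.5, and intra-VLAN proxy ARP, enabled with arp-proxy inner-sub-vlan-proxy enable in 4.2.6) and shows, for one constructed two-VLAN topology, when the switch answers with its own MAC address and when it stays silent. Reachability for routed proxy ARP is simplified to "the target lies in the segment of another VLANIF"; all addresses, MACs and VLAN IDs are constructed.

```python
"""Decision model for the proxy ARP behaviour described in 4.2.2.

Added example, not AC6605 code. Covers routed proxy ARP ('arp-proxy enable') and
intra-VLAN proxy ARP ('arp-proxy inner-sub-vlan-proxy enable'). Reachability for
routed proxy ARP is simplified to 'the target lies in another VLANIF's segment'.
All addresses, MACs and VLAN IDs are constructed.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

SWITCH_MAC = "00e0-fc00-0001"  # constructed MAC address of the switch


@dataclass
class Vlanif:
    vlan: int
    address: ipaddress.IPv4Interface      # ip address <ip> <mask>
    routed_proxy: bool = False            # arp-proxy enable
    intra_vlan_proxy: bool = False        # arp-proxy inner-sub-vlan-proxy enable


@dataclass
class ArpEntry:
    ip: ipaddress.IPv4Address
    mac: str
    vlan: int                             # VLAN in which the entry was learned


@dataclass
class Switch:
    interfaces: Dict[int, Vlanif] = field(default_factory=dict)
    arp_table: List[ArpEntry] = field(default_factory=list)

    def lookup(self, ip: ipaddress.IPv4Address) -> Optional[ArpEntry]:
        return next((e for e in self.arp_table if e.ip == ip), None)

    def answer_arp_request(self, in_vlan: int, target_ip: str) -> Tuple[Optional[str], str]:
        """Return (MAC placed in the ARP Reply, reason); MAC is None when the switch is silent."""
        target = ipaddress.IPv4Address(target_ip)
        vif = self.interfaces[in_vlan]
        if target == vif.address.ip:
            return SWITCH_MAC, "own address: ordinary ARP reply"
        if target in vif.address.network:
            # Target is on this interface's own segment. Normally the target host
            # answers itself; with user isolation in the VLAN the request never reaches
            # it, so intra-VLAN proxy ARP answers on its behalf if an ARP entry exists.
            entry = self.lookup(target)
            if vif.intra_vlan_proxy and entry is not None and entry.vlan == in_vlan:
                return SWITCH_MAC, "intra-VLAN proxy ARP"
            return None, "no proxy: the target host answers itself (if reachable)"
        # Target is outside this segment (the host has no default gateway and believes
        # the target is local). Only routed proxy ARP answers, and only if the switch
        # can reach the target through another VLANIF.
        if vif.routed_proxy and any(
            target in other.address.network
            for vlan, other in self.interfaces.items() if vlan != in_vlan
        ):
            return SWITCH_MAC, "routed proxy ARP"
        return None, "not proxied: request discarded"


def sample_switch() -> Switch:
    """Constructed topology: VLAN 100 has both proxy types enabled, VLAN 200 has none."""
    sw = Switch()
    sw.interfaces[100] = Vlanif(100, ipaddress.IPv4Interface("10.1.1.1/24"),
                                routed_proxy=True, intra_vlan_proxy=True)
    sw.interfaces[200] = Vlanif(200, ipaddress.IPv4Interface("10.1.2.1/24"))
    sw.arp_table.append(ArpEntry(ipaddress.IPv4Address("10.1.1.20"), "0011-2233-4401", 100))
    sw.arp_table.append(ArpEntry(ipaddress.IPv4Address("10.1.2.20"), "0011-2233-4402", 200))
    return sw


if __name__ == "__main__":
    sw = sample_switch()
    for vlan, target in ((100, "10.1.1.20"), (100, "10.1.2.20"),
                         (200, "10.1.2.20"), (200, "10.1.1.20")):
        print(f"VLAN {vlan} asks for {target}: {sw.answer_arp_request(vlan, target)}")
```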

4.2.3 Configuring Static ARP


Static ARP indicates that there is a fixed mapping between an IP address and a MAC address.
Static ARP needs to be configured by an administrator.

Establishing the Configuration Task


This section describes the applicable environment, pre-configuration tasks, data preparation, and
configuration procedure for configuring static ARP.

Applicable Environment
Static ARP is used in the following situations:


- For the packets whose destination IP address is on another network segment, static ARP
can help these packets traverse a gateway of the local network segment so that the gateway
can forward the packets to their destination.
- When you need to filter out some packets with illegitimate destination IP addresses, static
ARP can bind these illegitimate addresses to a nonexistent MAC address.

Pre-configuration Tasks
Before configuring ARP, complete the following tasks:
- Configuring link layer protocol parameters for the interface and ensuring that the status of
the link layer protocol on the interface is Up
- Configuring the network layer protocol for the interface

Data Preparation
To configure ARP, you need the following data.
1. IP address and MAC address of the static ARP entry
2. VPN instance name and VLAN ID to which the static ARP entry belongs

Configuring Common Static ARP Entries


Static ARP entries are required for the communication between common interfaces.

Context
If static ARP and the Virtual Router Redundancy Protocol (VRRP) are enabled on a device
simultaneously, the virtual IP address of the VRRP backup group configured on the VLANIF
interface cannot be the IP address contained in the static ARP entries; otherwise, incorrect host
routes are generated and thus packets cannot be normally forwarded.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
arp static ip-address mac-address

Configure common static ARP entries.


NOTE: Static ARP entries remain valid as long as the device works normally.

----End
Configuring Static ARP Entries in a VLAN


In the scenario where two users belong to the same VLAN but user isolation is configured in
the VLAN, to implement communications between the two users, you need to enable static ARP
within the VLAN on the interface of the VLAN.

Context
If static ARP and the Virtual Router Redundancy Protocol (VRRP) are enabled on a device
simultaneously, the virtual IP address of the VRRP backup group configured on the VLAN
interface cannot be the IP address contained in the static ARP entries; otherwise, incorrect host
routes are generated and thus packets cannot be normally forwarded.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Configure static ARP entries in a Virtual Local Area Network (VLAN).
To configure static ARP entries in a VLAN, do as follows:
- Run the arp static ip-address mac-address vid vlan-id interface interface-type interface-number command.
The parameters vid vlan-id and interface interface-type interface-number are mandatory when
you configure static ARP entries in the VLAN.
If the interface corresponding to the VLAN is bound to a Virtual Private Network (VPN),
the device can automatically associate the configured static ARP entry with the VPN. This
command is applicable to port-based VLANs.
NOTE: Static ARP entries remain valid as long as the device works normally.

----End

Checking the Configuration


You can view the configuration of static ARP.

Prerequisites
The configurations of the ARP function are complete.

Procedure
- Run the display arp statistics { all | interface interface-type interface-number } command
to check the statistics for ARP entries.

----End

4.2.4 Optimizing Dynamic ARP


If dynamic ARP is configured, the system automatically resolves an IP address into an Ethernet
MAC address.
Establishing the Configuration Task


This section describes the applicable environment, pre-configuration tasks, data preparation, and
configuration procedure for optimizing dynamic ARP.

Applicable Environment
Dynamic ARP is one of functions owned by a device or host. You do not need to run a command
to enable dynamic ARP but you can modify some parameters of dynamic ARP.

Pre-configuration Tasks
None

Data Preparation
To optimize dynamic ARP, you need the following data.
1. Aging detection times of the dynamic ARP entry
2. Aging time of the dynamic ARP entry

Modifying the Aging Parameters of Dynamic ARP


If the device needs to update ARP entries frequently, you can reduce the aging timeout period
of ARP entries, increase the number of aging detections for ARP entries, and reduce the aging
detection intervals of ARP entries.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
interface vlanif vlan-id

The VLANIF interface view is displayed.


Step 3 Run:
arp detect-times detect-times

The number of aging detection times of the dynamic ARP entries is configured.
Step 4 Run:
arp expire-time expire-times

The timeout period for aging dynamic ARP entries is configured.


By default, the aging detection times of the dynamic ARP entries is three, and the aging timeout
period is 1200 seconds.
Step 5 Run:
arp detect-mode unicast

The interface is configured to send ARP Aging Detection packets in unicast mode.
By default, an interface sends ARP Aging Detection packets in broadcast mode.
----End

Enabling ARP Suppression Function


If the system receives a great number of ARP packets from the same source at a time, the system
needs to update ARP entries repeatedly. To ensure the performance of the system, you can enable
ARP suppression. In this manner, the system only responds to the ARP packets but does not
update ARP entries.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
arp-suppress enable

ARP suppression is enabled on the current device.


----End

Enabling Layer 2 Topology Detection Function


After Layer 2 topology detection is enabled, the system updates all the ARP entries
corresponding to the VLANs to which a Layer 2 interface belongs, if this Layer 2 interface goes
Up.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
l2-topology detect enable

The Layer 2 topology detection function is enabled.


By default, this function is not enabled.
----End

Checking the Configuration


You can view the configuration of dynamic ARP.
Prerequisites
The configurations of the ARP function are complete.

Procedure
- Run the display arp interface interface-type interface-number command to check
information about ARP mapping tables based on interfaces.
- Run the display arp vpn-instance vpn-instance-name [ dynamic | static ] command to
check information about ARP mapping tables based on VPN instances.
- Run the display arp statistics { all | interface interface-type interface-number } command
to check the statistics for ARP entries.

----End

4.2.5 Configuring Routed Proxy ARP


Proxy ARP enables devices whose IP addresses belong to the same network segment but
different physical networks to communicate with each other.

Establishing the Configuration Task


This section describes the applicable environment, pre-configuration tasks, data preparation, and
configuration procedure for configuring routed proxy ARP.

Applicable Environment
The two physical networks of an enterprise are in different subnets of the same IP network, and
are separated by a device. You need to enable the proxy ARP on the device interface connected
to the physical networks. This enables communication between the two networks.
Network IDs of subnet hosts must be the same. You need not configure default gateways for
hosts.

Pre-configuration Tasks
Before configuring routed proxy ARP, complete the following tasks:
- Configuring the physical parameters for the interface and ensuring that the status of the
physical layer of the interface is Up
- Configuring the link layer parameters for the interface and ensuring that the status of the
link layer protocol on the interface is Up

Data Preparation
To configure routed proxy ARP, you need the following data.

1. Number of the interface to be enabled with routed proxy ARP
2. IP address of the interface to be enabled with routed proxy ARP

Configuring an IP Address for the Interface


The IP address assigned to a routed proxy ARP-enabled interface must be on the same network
segment with the IP address of the host on the LAN to which this interface connects.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
interface vlanif vlan-id

The VLANIF interface view is displayed.


Routed proxy ARP can be enabled only on the VLANIF interface of the AC6605.
Step 3 Run:
ip address ip-address { mask | mask-length }

The interface is configured with an IP address.


The IP address configured for the interface must be in the same network segment with that of
hosts in the LAN connected with this interface.
----End

Enabling the Routed Proxy ARP Function


To interconnect the subnets in the same IP network, you need to enable routed proxy ARP.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
interface vlanif vlan-id

The VLANIF interface view is displayed.


Step 3 Run:
arp-proxy enable

Routed proxy ARP is enabled on the interface.
By default, the routed proxy ARP function is disabled on the interface.


After routed proxy ARP is enabled, you must reduce the aging time of ARP entries on the device
so that fewer packets that the device cannot forward are received. To configure the aging time
of ARP entries, see the procedure for modifying the aging parameters of dynamic ARP in 4.2.4.
----End

Checking the Configuration


You can view the configuration of routed proxy ARP.
Prerequisites
The configurations of the routed proxy ARP function are complete.

Procedure
- Run the display arp interface interface-type interface-number command to check
information about ARP mapping tables based on interfaces.
- Run the display arp vpn-instance vpn-instance-name [ dynamic | static ] command to
check information about ARP mapping tables based on VPN instances.
- Run the display arp statistics command to check statistics about ARP entries.

----End

4.2.6 Configuring Proxy ARP Within a VLAN


By configuring proxy ARP on a VLAN, you can interconnect isolated hosts on a VLAN.

Establishing the Configuration Task


This section describes the applicable environment, pre-configuration tasks, data preparation, and
configuration procedure for configuring proxy ARP on a VLAN.

Applicable Environment
If two users are in the same VLAN but they are isolated from each other, to ensure the two users
can communicate, you need to enable proxy ARP within the VLAN on the interface associated
with the VLAN.

Pre-configuration Tasks
Before configuring proxy ARP within a VLAN, complete the following tasks:
- Configuring physical attributes for the interface and ensuring that the status of the physical
layer of the interface is Up
- Configuring the VLAN
- Configuring user isolation in the VLAN

Data Preparation
To configure proxy ARP within a VLAN, you need the following data.

Issue 04 (2013-06-15)

No.

Data

Number of the interface to be enabled with proxy ARP in a VLAN

IP address of the interface to be enabled with proxy ARP in a VLAN

VLAN ID associated with the interface to be enabled with proxy ARP in a VLAN


Configuring an IP Address for the Interface


The IP address assigned to the interface must be in the same network segment as the IP
addresses of the users in the VLANs associated with this interface.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
interface vlanif vlan-id

The VLANIF interface view is displayed.


Intra-VLAN proxy ARP can be enabled only on the VLANIF interface of the AC6605.
Step 3 Run:
ip address ip-address { mask | mask-length }

The interface is configured with an IP address.


The IP address configured for the interface must be in the same network segment as that of the
hosts in the VLAN associated with this interface.
----End

Enabling Proxy ARP Within a VLAN


To interconnect isolated users on a VLAN, you need to enable intra-VLAN proxy ARP on the
interface associated with the VLAN.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
interface vlanif vlan-id

The VLANIF interface view is displayed.


Step 3 Run:
arp-proxy inner-sub-vlan-proxy enable

Proxy ARP within a VLAN is enabled.


----End

Checking the Configuration


You can view the configuration of intra-VLAN proxy ARP.

Prerequisites
The configurations of the proxy ARP within a VLAN function are complete.

Procedure
- Run the display arp interface interface-type interface-number command to check
  information about ARP mapping tables based on interfaces.
- Run the display arp vpn-instance vpn-instance-name [ dynamic | static ] command to
  check information about ARP mapping tables based on VPN instances.
- Run the display arp statistics command to check statistics about ARP entries.

----End

4.2.7 Configuring Proxy ARP Between VLANs


By configuring inter-VLAN proxy ARP, you can interconnect hosts on different VLANs.

Establishing the Configuration Task


This section describes the applicable environment, pre-configuration tasks, data preparation, and
configuration procedure for configuring inter-VLAN proxy ARP.

Applicable Environment
If two users belong to different VLANs and they need to communicate, you need to enable proxy
ARP between VLANs on the sub-interface associated with the VLAN.
IP addresses of hosts in a VLAN must be in the same network segment.

Pre-configuration Tasks
Before configuring proxy ARP between VLANs, complete the following tasks:
- Configuring physical attributes for the interface and ensuring that the status of the physical
  layer of the interface is Up
- Configuring VLAN aggregation

Data Preparation
To configure proxy ARP between VLANs, you need the following data.
- Number of the interface to be enabled with proxy ARP between VLANs
- IP address of the interface to be enabled with proxy ARP between VLANs
- VLAN ID associated with the interface to be enabled with proxy ARP between VLANs


Configuring an IP Address for the Interface


The IP address assigned to the interface must be in the same network segment as the IP
addresses of the users in all the VLANs associated with this interface.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
interface vlanif vlan-id

The VLANIF interface view is displayed.


Inter-VLAN proxy ARP can be enabled only on the VLANIF interface of the AC6605.
Step 3 Run:
ip address ip-address { mask | mask-length }

The interface is configured with an IP address.


The IP address configured for the interface must be in the same network segment as that of the
hosts in the VLAN associated with this interface.
----End

Enabling Proxy ARP Between VLANs


To interconnect users on different VLANs, you need to enable inter-VLAN proxy ARP on the
VLANIF interfaces.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
interface vlanif vlan-id

The VLANIF interface view is displayed.


Step 3 Run:
arp-proxy inter-sub-vlan-proxy enable

Proxy ARP between VLANs is enabled.


----End

Checking the Configuration


You can view the configuration of inter-VLAN proxy ARP.

Prerequisites
The configurations of proxy ARP between VLANs are complete.

Procedure
- Run the display arp interface interface-type interface-number command to check
  information about ARP mapping tables based on interfaces.
- Run the display arp vpn-instance vpn-instance-name [ dynamic | static ] command to
  check information about ARP mapping tables based on VPN instances.
- Run the display arp statistics command to check statistics about ARP entries.

----End
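The three proxy ARP modes configured in sections 4.2.5 to 4.2.7 differ only in which targets the switch answers for, which is easiest to see as a decision function. The following Python model is an added example, not Huawei code: it decides whether the switch replies to an ARP request on a VLANIF interface under routed, intra-VLAN and inter-VLAN proxy ARP; the class and function names, the host-to-VLAN table and the MAC addresses 0018-2000-0001 and 0018-2000-0002 are invented, while the IP addressing follows Figures 4-3 to 4-5 in the configuration examples.

```python
"""Decision model for the three proxy ARP modes configured in this chapter.

Added example, not Huawei code: it models whether the switch answers an ARP
request on behalf of another host, following the behaviour described for
routed proxy ARP (arp-proxy enable), intra-VLAN proxy ARP
(arp-proxy inner-sub-vlan-proxy enable) and inter-VLAN proxy ARP
(arp-proxy inter-sub-vlan-proxy enable). Class, function and MAC values
other than 0018-2000-0083 are invented for the example.
"""
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Interface
from typing import Dict, Optional, Set


@dataclass
class Vlanif:
    vlan_id: int
    address: IPv4Interface                  # e.g. IPv4Interface("172.16.1.1/24")
    mac: str
    sub_vlans: Set[int] = field(default_factory=set)  # non-empty when this is a super-VLAN
    routed_proxy: bool = False              # arp-proxy enable
    inner_sub_vlan_proxy: bool = False      # arp-proxy inner-sub-vlan-proxy enable
    inter_sub_vlan_proxy: bool = False      # arp-proxy inter-sub-vlan-proxy enable


class ProxyArpSwitch:
    def __init__(self, vlanifs, host_vlans: Dict[IPv4Address, int]):
        self.vlanifs = {v.vlan_id: v for v in vlanifs}
        # The learned ARP table reduced to "which (sub-)VLAN is this host in".
        self.host_vlans = host_vlans

    def _vlanif_for(self, ingress_vlan: int) -> Optional[Vlanif]:
        """VLANIF of the ingress VLAN, or of the super-VLAN that aggregates it."""
        if ingress_vlan in self.vlanifs:
            return self.vlanifs[ingress_vlan]
        return next((v for v in self.vlanifs.values() if ingress_vlan in v.sub_vlans), None)

    def _has_route(self, ip: IPv4Address) -> bool:
        """Routed proxy ARP answers only for targets the switch can reach via an interface."""
        return any(ip in v.address.network for v in self.vlanifs.values())

    def answer(self, ingress_vlan: int, target_ip: str) -> Optional[str]:
        """Return the MAC the switch puts in its ARP reply, or None when it stays silent."""
        target = IPv4Address(target_ip)
        vif = self._vlanif_for(ingress_vlan)
        if vif is None:
            return None
        if target == vif.address.ip:
            return vif.mac                      # ordinary reply for the interface's own address
        if target in vif.address.network:
            if ingress_vlan == vif.vlan_id:
                return None                     # plain VLAN: hosts resolve each other directly
            target_vlan = self.host_vlans.get(target)
            if target_vlan == ingress_vlan:     # same sub-VLAN, hosts isolated at Layer 2
                return vif.mac if vif.inner_sub_vlan_proxy else None
            if target_vlan in vif.sub_vlans:    # another sub-VLAN of the same super-VLAN
                return vif.mac if vif.inter_sub_vlan_proxy else None
            return None                         # unknown host: nothing to proxy for
        if vif.routed_proxy and self._has_route(target):
            return vif.mac                      # routed proxy ARP: answer with own MAC, then route
        return None


def routed_proxy_scenario(enabled: bool = True) -> ProxyArpSwitch:
    """Figure 4-3: hosts use /16 masks, the switch interfaces use /24 masks."""
    return ProxyArpSwitch(
        [Vlanif(2, IPv4Interface("172.16.1.1/24"), "0018-2000-0001", routed_proxy=enabled),
         Vlanif(3, IPv4Interface("172.16.2.1/24"), "0018-2000-0002", routed_proxy=enabled)],
        {IPv4Address("172.16.1.2"): 2, IPv4Address("172.16.2.2"): 3})


def super_vlan_scenario(inner: bool = False, inter: bool = False) -> ProxyArpSwitch:
    """Figures 4-4 and 4-5: sub-VLANs 2 and 3 aggregated into super-VLAN 4 (10.10.10.1/24)."""
    return ProxyArpSwitch(
        [Vlanif(4, IPv4Interface("10.10.10.1/24"), "0018-2000-0083", sub_vlans={2, 3},
                inner_sub_vlan_proxy=inner, inter_sub_vlan_proxy=inter)],
        {IPv4Address("10.10.10.2"): 2, IPv4Address("10.10.10.3"): 2,
         IPv4Address("10.10.10.4"): 3})


if __name__ == "__main__":
    print(routed_proxy_scenario().answer(2, "172.16.2.2"))           # 0018-2000-0001
    print(super_vlan_scenario().answer(2, "10.10.10.3"))              # None
    print(super_vlan_scenario(inner=True).answer(2, "10.10.10.3"))    # 0018-2000-0083
    print(super_vlan_scenario(inter=True).answer(2, "10.10.10.4"))    # 0018-2000-0083
```

Only the switch's side of the decision is modelled; whether two hosts in the same sub-VLAN can also reach each other directly depends on port isolation, which the model does not track.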

4.2.8 Maintaining ARP


The operations of ARP maintenance include clearing ARP statistics and monitoring ARP
operating status.

Clearing ARP Entries


This section describes how to clear ARP entries using the reset command.

Context

CAUTION
- The mapping between the IP and MAC addresses is deleted after you clear ARP entries. So,
  confirm the action before you use the command.
- Static ARP entries cannot be restored after you clear them. So, confirm the action before you
  use the command.

Procedure
Step 1 Run the reset arp { all | dynamic ip ip-address [ vpn-instance vpn-instance-name ] |
interface interface-type interface-number [ ip ip-address ] | static } command in the user view
to clear the ARP entries in the ARP mapping table.
----End

Monitoring Network Operation Status of ARP


This section describes ARP operation monitoring through the display command.

Context
In routine maintenance, you can run the following command in any view to check the operation
of ARP.

Procedure
- Run the display arp interface interface-type interface-number command in any view to
  check the information about the ARP mapping table based on interfaces.
- Run the display arp vpn-instance vpn-instance-name [ dynamic | static ] command in
  any view to check the information about ARP mapping tables based on VPN instances.

----End

Debugging ARP
This section describes ARP debugging through the debugging command.

Context

CAUTION
Debugging affects the performance of the system. Thus, after debugging, run the undo
debugging all command to disable debugging immediately. When the CPU usage is close to
100%, debugging ARP may cause the board to reset. So, confirm the action before you use the
command.
When faults occur during ARP operation, run the following debugging command in the user
view to debug ARP and locate the fault.
For more information, see chapter "Information Center Configuration" in the AC6605 Access
Controller Configuration Guide-System Management.

Procedure
- Run the debugging arp packet [ interface interface-type interface-number ] command in
  the user view to debug ARP.
- Run the debugging arp-proxy [ inner-sub-vlan-proxy | inter-sub-vlan-proxy ]
  [ interface interface-type interface-number ] command in the user view to debug proxy
  ARP.
- Run the debugging arp process [ interface interface-type interface-number ] command
  in the user view to debug the processing of ARP packets.

----End

4.2.9 Configuration Examples


This section provides several configuration examples of ARP.

Example for Configuring ARP


Networking Requirements
As shown in Figure 4-2, GE 0/0/1 of the Switch is connected to the host through the LAN switch
(LSW); GE 0/0/2 is connected to the server through the router. It is required that:

- GE 0/0/1 should be added to VLAN 2, and GE 0/0/2 should be added to VLAN 3.
- To adapt to fast changes of the network and ensure correct forwarding of packets, dynamic
  ARP parameters should be set on VLANIF 2 of the Switch.
- To ensure the security of the server and prevent invalid ARP packets, a static ARP entry
  should be created on GE 0/0/2 of the Switch, with the IP address of the router being 10.2.2.3
  and the MAC address being 00e0-fc01-0000.

Figure 4-2 Networking diagram for configuring ARP
[Figure: the Server and the Internet sit behind the Router, which connects to GE0/0/2 of the
Switch; GE0/0/1 of the Switch connects through the LSW to PC1 and PC2]

Configuration Roadmap
The configuration roadmap is as follows:
1. Create a VLAN and add an interface to the VLAN.
2. Set dynamic ARP parameters on a VLANIF interface at the user side.
3. Create a static ARP entry.

Data Preparation
To complete the configuration, you need the following data:
- GE 0/0/1 added to VLAN 2 and GE 0/0/2 added to VLAN 3
- VLANIF 2 with the IP address being 2.2.2.2 and subnet mask being 255.255.255.0, aging
  time of ARP entries being 60s, and number of detection times being 2
- VLANIF 3 with the IP address being 10.2.2.2 and subnet mask being 255.255.255.0
- Interface connecting the router and the Switch, with the IP address being 10.2.2.3, subnet
  mask being 255.255.255.0, and MAC address being 00e0-fc01-0000

Procedure
Step 1 Create a VLAN and add an interface to the VLAN.
# Create VLAN 2 and VLAN 3.
<Quidway> system-view
[Quidway] vlan batch 2 3

# Add GE 0/0/1 to VLAN 2 and add GE 0/0/2 to VLAN 3.


[Quidway] interface gigabitethernet 0/0/1
[Quidway-GigabitEthernet0/0/1] port hybrid tagged vlan 2
[Quidway-GigabitEthernet0/0/1] quit
[Quidway] interface gigabitethernet 0/0/2
[Quidway-GigabitEthernet0/0/2] port hybrid tagged vlan 3
[Quidway-GigabitEthernet0/0/2] quit

Step 2 Set dynamic ARP parameters on a VLANIF interface.


# Create VLANIF2.
[Quidway] interface vlanif 2

# Assign an IP address to VLANIF 2.


[Quidway-Vlanif2] ip address 2.2.2.2 255.255.255.0

# Set the aging time of ARP entries to 60s.


[Quidway-Vlanif2] arp expire-time 60

# Set the number of detection times before deleting ARP entries to 2.


[Quidway-Vlanif2] arp detect-times 2
[Quidway-Vlanif2] quit

# Create VLANIF 3.
[Quidway] interface vlanif 3

# Assign an IP address to VLANIF 3.


[Quidway-Vlanif3] ip address 10.2.2.2 255.255.255.0
[Quidway-Vlanif3] quit

Step 3 Create a static ARP entry.


# Create a static ARP entry with IP address 10.2.2.3, MAC address 00e0-fc01-0000, VLAN ID
3, and outgoing interface GE 0/0/2.
[Quidway] arp static 10.2.2.3 00e0-fc01-0000 vid 3 interface gigabitethernet 0/0/2
[Quidway] quit

Step 4 Verify the configuration.


# Run the display current-configuration command. You can view the aging time of ARP
entries, the number of detection times before deleting ARP entries, and the ARP mapping table.
<Quidway> display current-configuration | include arp
arp expire-time 60
arp detect-times 2
arp static 10.2.2.3 00e0-fc01-0000 vid 3 interface GigabitEthernet0/0/2

----End

Configuration Files
The following is the configuration file of the Switch.
#
sysname Quidway
#
vlan batch 2 to 3
#
interface Vlanif2
ip address 2.2.2.2 255.255.255.0
arp expire-time 60
arp detect-times 2
#
interface Vlanif3
ip address 10.2.2.2 255.255.255.0
#
interface GigabitEthernet0/0/1
port hybrid tagged vlan 2
#
interface GigabitEthernet0/0/2
port hybrid tagged vlan 3
#
arp static 10.2.2.3 00e0-fc01-0000 vid 3 interface GigabitEthernet0/0/2
#
return

Example for Configuring Routed Proxy ARP


Networking Requirements
As shown in Figure 4-3, GE 0/0/1 and GE 0/0/2 of the Switch are connected to a LAN
respectively, and the network IDs of the two LANs are 172.16.0.0/16. Host A and Host B are
not configured with the default gateway. It is required that routed proxy ARP should be enabled
on the Switch so that hosts in the two LANs can communicate.
Figure 4-3 Networking diagram for configuring routed proxy ARP
[Figure: Host A (172.16.1.2/16, MAC 0000-5e33-ee20) on Ethernet A connects to GE0/0/1
(172.16.1.1/24, VLAN 2) of the Switch; Host B (172.16.2.2/16, MAC 0000-5e33-ee10) on
Ethernet B connects to GE0/0/2 (172.16.2.1/24, VLAN 3) of the Switch]

Configuration Roadmap
The configuration roadmap is as follows:
1. Assign an IP address to an interface.
2. Enable routed proxy ARP on the interface.

Data Preparation
To complete the configuration, you need the following data:
- IP addresses of the interfaces
- IP addresses of the hosts

Procedure
Step 1 Create VLAN 2 and add GE 0/0/1 to VLAN 2.
<Quidway> system-view
[Quidway] vlan 2
[Quidway-vlan2] quit
[Quidway] interface gigabitethernet 0/0/1
[Quidway-GigabitEthernet0/0/1] port link-type access
[Quidway-GigabitEthernet0/0/1] port default vlan 2
[Quidway-GigabitEthernet0/0/1] quit

Step 2 Create and configure VLANIF 2.


[Quidway] interface vlanif 2
[Quidway-Vlanif2] ip address 172.16.1.1 255.255.255.0

Step 3 Enable routed proxy ARP on VLANIF 2.


[Quidway-Vlanif2] arp-proxy enable
[Quidway-Vlanif2] quit

Step 4 Create VLAN 3 and add GE 0/0/2 to VLAN 3.


[Quidway] vlan 3
[Quidway-vlan3] quit
[Quidway] interface gigabitethernet 0/0/2
[Quidway-GigabitEthernet0/0/2] port link-type access
[Quidway-GigabitEthernet0/0/2] port default vlan 3
[Quidway-GigabitEthernet0/0/2] quit

Step 5 Create and configure VLANIF 3.


[Quidway] interface vlanif 3
[Quidway-Vlanif3] ip address 172.16.2.1 255.255.255.0

Step 6 Enable routed proxy ARP on VLANIF 3.


[Quidway-Vlanif3] arp-proxy enable
[Quidway-Vlanif3] quit

Step 7 Configure the hosts.


# Assign IP address 172.16.1.2/16 to Host A.
# Assign IP address 172.16.2.2/16 to Host B.
Step 8 Verify the configuration.
# Ping Host B from Host A. The ping operation is successful.
----End

Configuration Files
Configuration file of the Switch
#
sysname Quidway


#
vlan batch 2 to 3
#
interface Vlanif2
ip address 172.16.1.1 255.255.255.0
arp-proxy enable
#
interface Vlanif3
ip address 172.16.2.1 255.255.255.0
arp-proxy enable
#
interface GigabitEthernet0/0/1
port link-type access
port default vlan 2
#
interface GigabitEthernet0/0/2
port link-type access
port default vlan 3
#
return

Example for Configuring Intra-VLAN Proxy ARP


Networking Requirements
As shown in Figure 4-4, GE 0/0/2 and GE 0/0/1 of the Switch belong to Sub-VLAN 2. Sub-VLAN 2 belongs to Super-VLAN 3. It is required that:
- Host A and host B in VLAN 2 should be isolated at Layer 2.
- Host A should communicate with host B at Layer 3 through intra-VLAN proxy ARP.
The IP address and subnet mask of the VLANIF interface in Super-VLAN 3 should be 10.10.10.1
and 255.255.255.0.
Figure 4-4 Networking diagram for configuring intra-VLAN proxy ARP
[Figure: the Switch is uplinked to the Internet; GE0/0/2 connects host B (10.10.10.3/24,
MAC 00-e0-fc-00-00-03) and GE0/0/1 connects host A (10.10.10.2/24, MAC 00-e0-fc-00-00-02),
both in sub-VLAN 2]

Configuration Roadmap
The configuration roadmap is as follows:
1. Create and configure a Super-VLAN and a Sub-VLAN.
2. Add an interface to the Sub-VLAN.
3. Create a VLANIF interface of the Super-VLAN and assign an IP address to the VLANIF
   interface.
4. Enable intra-VLAN proxy ARP on the VLANIF interface of the Super-VLAN.

Data Preparation
To complete the configuration, you need the following data:
- VLAN IDs of the Super-VLAN and Sub-VLAN
- GE 0/0/2 and GE 0/0/1 belonging to Sub-VLAN 2
- IP address and subnet mask of VLANIF 3 of Super-VLAN 3 being 10.10.10.1 and
  255.255.255.0

Procedure
Step 1 Configure the Super-VLAN and Sub-VLAN.
# Configure Sub-VLAN 2.
<Quidway> system-view
[Quidway] vlan 2
[Quidway-vlan2] quit

# Enable port isolation on GE 0/0/1 and GE 0/0/2.


[Quidway] port-isolate mode l2
[Quidway] interface gigabitethernet 0/0/1
[Quidway-GigabitEthernet0/0/1] port-isolate enable
[Quidway-GigabitEthernet0/0/1] quit
[Quidway] interface gigabitethernet 0/0/2
[Quidway-GigabitEthernet0/0/2] port-isolate enable
[Quidway-GigabitEthernet0/0/2] quit

# Add GE 0/0/1 and GE 0/0/2 to Sub-VLAN 2.


[Quidway] interface gigabitethernet 0/0/1
[Quidway-GigabitEthernet0/0/1] port link-type access
[Quidway-GigabitEthernet0/0/1] port default vlan 2
[Quidway-GigabitEthernet0/0/1] quit
[Quidway] interface gigabitethernet 0/0/2
[Quidway-GigabitEthernet0/0/2] port link-type access
[Quidway-GigabitEthernet0/0/2] port default vlan 2
[Quidway-GigabitEthernet0/0/2] quit

# Configure Super-VLAN 3 and add Sub-VLAN 2 to Super-VLAN 3.


[Quidway] vlan 3
[Quidway-vlan3] aggregate-vlan
[Quidway-vlan3] access-vlan 2
[Quidway-vlan3] quit

Step 2 Create and configure VLANIF 3.


# Create VLANIF 3.
[Quidway] interface vlanif 3

# Assign an IP address to VLANIF 3.


[Quidway-Vlanif3] ip address 10.10.10.1 24

Step 3 Enable intra-VLAN proxy ARP on VLANIF 3.
[Quidway-Vlanif3] arp-proxy inner-sub-vlan-proxy enable
[Quidway-Vlanif3] quit

Step 4 Verify the configuration.


# Run the display current-configuration command. You can view the configurations of the
Super-VLAN, Sub-VLAN, and VLANIF interface. For query results, see the following
configuration file.
# Run the display arp command to view all the ARP entries.
<Quidway> display arp
IP ADDRESS      MAC ADDRESS     EXPIRE(M) TYPE        INTERFACE   VPN-INSTANCE    VLAN
------------------------------------------------------------------------------
10.10.10.1      0018-2000-0083            I           Vlanif3
10.10.10.2      00e0-fc00-0002  19        D-0         GE0/0/1                     2
10.10.10.3      00e0-fc00-0003  19        D-0         GE0/0/2                     2
------------------------------------------------------------------------------
Total:3         Dynamic:2       Static:0  Interface:1

----End

Configuration Files
The following lists the configuration file of the Switch.
#
sysname Quidway
#
vlan batch 2 to 3
#
vlan 3
aggregate-vlan
access-vlan 2
#
interface Vlanif3
ip address 10.10.10.1 255.255.255.0
arp-proxy inner-sub-vlan-proxy enable
#
interface GigabitEthernet0/0/1
port link-type access
port default vlan 2
port-isolate enable group 1
#
interface GigabitEthernet0/0/2
port link-type access
port default vlan 2
port-isolate enable group 1
#
return

Example for Configuring Inter-VLAN Proxy ARP


Networking Requirements
As shown in Figure 4-5, VLAN 2 and VLAN 3 constitute Super-VLAN 4. It is required that:
- Hosts in Sub-VLAN 2 and Sub-VLAN 3 cannot ping each other.
- Hosts in VLAN 2 and VLAN 3 can ping each other after inter-VLAN proxy ARP is enabled.


Figure 4-5 Networking diagram for configuring inter-VLAN proxy ARP
[Figure: the Switch aggregates VLAN2 and VLAN3 into VLAN4; hosts are attached in VLAN2 and
VLAN3]

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure a Super-VLAN and a Sub-VLAN.
2. Add an interface to the sub-VLAN.
3. Create a VLANIF interface of the Super-VLAN and assign an IP address to the VLANIF
   interface.
4. Enable inter-VLAN proxy ARP.

Data Preparation
To complete the configuration, you need the following data:
- VLAN IDs of the Super-VLAN and Sub-VLAN
- GE 0/0/2 and GE 0/0/1 belonging to Sub-VLAN 2
- GE 0/0/3 and GE 0/0/4 belonging to Sub-VLAN 3
- IP address and subnet mask of VLANIF 4 in Super-VLAN 4 being 10.10.10.1 and
  255.255.255.0

Procedure
Step 1 Configure the Super-VLAN and Sub-VLAN.
# Configure Sub-VLAN 2.
<Quidway> system-view
[Quidway] vlan 2
[Quidway-vlan2] quit

# Add GE 0/0/1 and GE 0/0/2 to Sub-VLAN 2.


[Quidway] interface gigabitethernet 0/0/1
[Quidway-GigabitEthernet0/0/1] port link-type access
[Quidway-GigabitEthernet0/0/1] port default vlan 2


[Quidway-GigabitEthernet0/0/1] quit
[Quidway] interface gigabitethernet 0/0/2
[Quidway-GigabitEthernet0/0/2] port link-type access
[Quidway-GigabitEthernet0/0/2] port default vlan 2
[Quidway-GigabitEthernet0/0/2] quit

# Configure Sub-VLAN 3 (the system view is already displayed).
[Quidway] vlan 3
[Quidway-vlan3] quit

# Add GE0/0/3 and GE0/0/4 to Sub-VLAN 3.


[Quidway] interface gigabitethernet 0/0/3
[Quidway-GigabitEthernet0/0/3] port link-type access
[Quidway-GigabitEthernet0/0/3] port default vlan 3
[Quidway-GigabitEthernet0/0/3] quit
[Quidway] interface gigabitethernet 0/0/4
[Quidway-GigabitEthernet0/0/4] port link-type access
[Quidway-GigabitEthernet0/0/4] port default vlan 3
[Quidway-GigabitEthernet0/0/4] quit

# Configure Super-VLAN 4 and add Sub-VLAN 2 and Sub-VLAN 3 to Super-VLAN 4.


[Quidway] vlan 4
[Quidway-vlan4] aggregate-vlan
[Quidway-vlan4] access-vlan 2
[Quidway-vlan4] access-vlan 3
[Quidway-vlan4] quit

Step 2 Create and configure VLANIF 4.


# Create VLANIF 4.
[Quidway] interface vlanif 4

# Assign an IP address to VLANIF 4.


[Quidway-Vlanif4] ip address 10.10.10.1 24

Step 3 Enable inter-VLAN proxy ARP on VLANIF 4.


[Quidway-Vlanif4] arp-proxy inter-sub-vlan-proxy enable
[Quidway-Vlanif4] quit

Step 4 Verify the configuration.


# Run the display current-configuration command. You can view the configurations of the
Super-VLAN, Sub-VLAN, and VLANIF interface. For query results, see the following
configuration file.
# Run the display arp command to view all the ARP entries.
<Quidway> display arp
IP ADDRESS      MAC ADDRESS     EXPIRE(M) TYPE        INTERFACE   VPN-INSTANCE    VLAN/CEVLAN
------------------------------------------------------------------------------
10.10.10.1      0018-2000-0083            I           Vlanif4
10.10.10.2      00e0-fc00-0002  19        D-0         GE0/0/1                     2/-
10.10.10.3      00e0-fc00-0003  19        D-0         GE0/0/2                     2/-
10.10.10.4      00e0-fc00-0004  19        D-0         GE0/0/3                     3/-
10.10.10.5      00e0-fc00-0005  19        D-0         GE0/0/4                     3/-
------------------------------------------------------------------------------
Total:5         Dynamic:4       Static:0  Interface:1

----End

Configuration Files
The following lists the configuration file of the Switch.
#
sysname Quidway
#
vlan batch 2 to 4
#
vlan 4
aggregate-vlan
access-vlan 2 to 3
#
interface Vlanif4
ip address 10.10.10.1 255.255.255.0
arp-proxy inter-sub-vlan-proxy enable
#
interface GigabitEthernet0/0/1
port link-type access
port default vlan 2
#
interface GigabitEthernet0/0/2
port link-type access
port default vlan 2
#
interface GigabitEthernet0/0/3
port link-type access
port default vlan 3
#
interface GigabitEthernet0/0/4
port link-type access
port default vlan 3
#
return

Example for Configuring Layer 2 Topology Detection


Networking Requirements
As shown in Figure 4-6, two GE interfaces are added to VLAN 100 in default mode and the IP
addresses of the two GE interfaces are shown in the figure.
Figure 4-6 Networking diagram for configuring Layer 2 topology detection
[Figure: the Switch has VLANIF100 with address 10.1.1.2/24; PC A (10.1.1.1/24) and PC B
(10.1.1.3/24) are attached in VLAN100]


Configuration Roadmap
The configuration roadmap is as follows:
1. Add two GE interfaces to VLAN 100 in default mode.
2. Enable Layer 2 topology detection and view changes of ARP entries.

Data Preparation
To complete the configuration, you need the following data:
- Types and numbers of the interfaces to be added to a VLAN
- IP addresses of the VLANIF interface and the PCs

Procedure
Step 1 Create VLAN 100 and add the two GE interfaces of the Switch to VLAN 100 in default mode.
# Create VLANIF 100 and assign an IP address to VLANIF 100.
<Quidway> system-view
[Quidway] vlan 100
[Quidway-vlan100] quit
[Quidway] interface vlanif 100
[Quidway-vlanif100] ip address 10.1.1.2 24
[Quidway-vlanif100] quit

# Add the two GE interfaces to VLAN 100 in default mode.


[Quidway] interface gigabitethernet 0/0/1
[Quidway-GigabitEthernet0/0/1] port link-type access
[Quidway-GigabitEthernet0/0/1] port default vlan 100
[Quidway-GigabitEthernet0/0/1] quit
[Quidway] interface gigabitethernet 0/0/2
[Quidway-GigabitEthernet0/0/2] port link-type access
[Quidway-GigabitEthernet0/0/2] port default vlan 100
[Quidway-GigabitEthernet0/0/2] quit

Step 2 Enable Layer 2 topology detection.


[Quidway] l2-topology detect enable

Step 3 Restart GE 0/0/1 and view changes of the ARP entries and aging time.
# View ARP entries on the Switch. You can find that the Switch has learnt the MAC address of
the PC.
[Quidway] display arp all
IP ADDRESS      MAC ADDRESS     EXPIRE(M) TYPE        INTERFACE   VPN-INSTANCE    VLAN
-----------------------------------------------------------------------------
10.1.1.2        00e0-c01a-4900            I           Vlanif100
10.1.1.1        00e0-c01a-4901  20        D-0         GE0/0/1
10.1.1.3        00e0-de24-bf04  20        D-0         GE0/0/2
-----------------------------------------------------------------------------
Total:3         Dynamic:2       Static:0  Interface:1

# Run the shutdown command and then the undo shutdown command on GE 0/0/1 to view the
aging time of ARP entries.
[Quidway] interface gigabitethernet 0/0/1
[Quidway-GigabitEthernet0/0/1] shutdown
[Quidway-GigabitEthernet0/0/1] undo shutdown
[Quidway-GigabitEthernet0/0/1] display arp all
IP ADDRESS      MAC ADDRESS     EXPIRE(M) TYPE        INTERFACE   VPN-INSTANCE    VLAN
-----------------------------------------------------------------------------
10.1.1.2        00e0-c01a-4900            I           Vlanif100
10.1.1.3        00e0-de24-bf04  0         D-0         GE0/0/2
-----------------------------------------------------------------------------
Total:2         Dynamic:1       Static:0  Interface:1
NOTE

According to the displayed information, the ARP entry learned from GE 0/0/1 is deleted after GE 0/0/1 is
shut down. The aging time of ARP entries learned from GE 0/0/2 becomes 0 after GE0/0/1 is restored and
becomes Up again. When the aging time is 0, the Switch sends an ARP probe packet for updating ARP
entries.
[Quidway-GigabitEthernet0/0/1] display arp all
IP ADDRESS      MAC ADDRESS     EXPIRE(M) TYPE        INTERFACE   VPN-INSTANCE    VLAN
-----------------------------------------------------------------------------
10.1.1.2        00e0-c01a-4900            I           Vlanif100
10.1.1.3        00e0-de24-bf04  20        D-0         GE0/0/2
-----------------------------------------------------------------------------
Total:2         Dynamic:1       Static:0  Interface:1
NOTE

After the ARP entry is updated, the aging time is restored to the default value, 20 minutes.

----End

Configuration Files
Configuration file of the Switch
#
sysname Quidway
#
l2-topology detect enable
#
vlan batch 100
#
interface Vlanif100
ip address 10.1.1.2 255.255.255.0
#
interface GigabitEthernet0/0/1
port link-type access
port default vlan 100
#
interface GigabitEthernet0/0/2
port link-type access
port default vlan 100
#
return
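The "Example for Configuring ARP" (arp expire-time, arp detect-times and a static entry protecting the router's mapping) and the "Example for Configuring Layer 2 Topology Detection" (entries of a flapped port deleted, the other entries re-probed with aging time 0) describe one entry lifecycle that is easier to follow in code. The following Python simulation is an added example, not Huawei code: ArpTable and its methods are invented, the PC address 2.2.2.10, the conflicting MAC 00e0-fc00-00ff and the 3-probe setting of the second scenario are constructed or assumed, and the remaining values come from the two examples.

```python
"""Simulation of the ARP entry lifecycle configured in this chapter.

Added example, not Huawei code: it models arp expire-time, arp detect-times,
static entries and Layer 2 topology detection as the examples above describe
them. Names are invented, time is simulated in seconds, and the probe
exchange is replaced by a set of hosts that answer probes.
"""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass
class ArpEntry:
    ip: str
    mac: str
    interface: str
    static: bool = False
    expire: int = 0           # remaining aging time; 0 means a probe is pending
    probes_left: int = 0      # probes still allowed before the entry is deleted


class ArpTable:
    def __init__(self, expire_time: int, detect_times: int, l2_topology_detect: bool = False):
        self.expire_time = expire_time                  # arp expire-time (seconds)
        self.detect_times = detect_times                # arp detect-times
        self.l2_topology_detect = l2_topology_detect    # l2-topology detect enable
        self.entries: Dict[str, ArpEntry] = {}
        self.alerts: List[str] = []                     # events worth logging on a defended network

    def add_static(self, ip: str, mac: str, interface: str) -> None:
        """arp static: a fixed mapping that neither ages nor is overwritten by received ARP."""
        self.entries[ip] = ArpEntry(ip, mac, interface, static=True)

    def learn(self, ip: str, mac: str, interface: str) -> bool:
        """Process a received ARP packet claiming ip -> mac; True if the table changed."""
        cur = self.entries.get(ip)
        if cur is not None and cur.static:
            if cur.mac != mac:
                self.alerts.append(f"static {ip}={cur.mac} kept; ignored {mac} on {interface}")
            return False
        if cur is not None and cur.mac != mac:
            self.alerts.append(f"dynamic {ip} changed {cur.mac} -> {mac} on {interface}")
        self.entries[ip] = ArpEntry(ip, mac, interface,
                                    expire=self.expire_time, probes_left=self.detect_times)
        return True

    def tick(self, seconds: int, responders: Set[str]) -> None:
        """Advance time; an entry whose aging time has reached 0 is probed once per tick."""
        for ip, e in list(self.entries.items()):
            if e.static:
                continue
            e.expire = max(0, e.expire - seconds)
            if e.expire > 0:
                continue
            if ip in responders:                        # probe answered: entry refreshed
                e.expire, e.probes_left = self.expire_time, self.detect_times
            else:
                e.probes_left -= 1
                if e.probes_left <= 0:                  # detect-times probes unanswered
                    del self.entries[ip]

    def port_down(self, interface: str) -> None:
        """Dynamic entries learned from a port that goes Down are deleted."""
        for ip, e in list(self.entries.items()):
            if not e.static and e.interface == interface:
                del self.entries[ip]

    def port_up(self, interface: str) -> None:
        """With Layer 2 topology detection, a port coming Up sets the aging time of the
        remaining dynamic entries to 0 so that each one is probed and refreshed at once."""
        if not self.l2_topology_detect:
            return
        for e in self.entries.values():
            if not e.static and e.interface != interface:
                e.expire = 0


def figure_4_2_scenario() -> Tuple[ArpTable, bool]:
    """Example for Configuring ARP: 60 s aging, 2 probes, static entry for the router."""
    t = ArpTable(expire_time=60, detect_times=2)
    t.add_static("10.2.2.3", "00e0-fc01-0000", "GE0/0/2")
    t.learn("2.2.2.10", "00e0-fc00-0010", "GE0/0/1")            # constructed PC on VLANIF 2
    changed = t.learn("10.2.2.3", "00e0-fc00-00ff", "GE0/0/2")  # constructed conflicting claim
    t.tick(60, responders=set())   # PC silent: aging time reaches 0, first probe unanswered
    t.tick(60, responders=set())   # second probe unanswered: entry deleted
    return t, changed


def figure_4_6_scenario() -> Tuple[ArpTable, int]:
    """Example for Configuring Layer 2 Topology Detection: GE 0/0/1 flaps."""
    t = ArpTable(expire_time=1200, detect_times=3, l2_topology_detect=True)  # 20 min; 3 probes assumed
    t.learn("10.1.1.1", "00e0-c01a-4901", "GE0/0/1")
    t.learn("10.1.1.3", "00e0-de24-bf04", "GE0/0/2")
    t.port_down("GE0/0/1")                      # entry learned from GE0/0/1 is deleted
    t.port_up("GE0/0/1")                        # entry learned from GE0/0/2 gets aging time 0
    expire_after_flap = t.entries["10.1.1.3"].expire
    t.tick(0, responders={"10.1.1.3"})          # probe answered, aging time restored to 20 minutes
    return t, expire_after_flap
```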

4.3 DHCP Configuration


Dynamic Host Configuration Protocol (DHCP) dynamically manages and configures clients in
a concentrated manner. It ensures proper IP address allocation and improves IP address use
efficiency.

4.3.1 DHCP Overview


Dynamic Host Configuration Protocol (DHCP) dynamically manages and configures clients in
a centralized manner. DHCP uses the client/server model. A client applies to the server for
configurations such as the IP address, subnet mask, and default gateway; the server replies with
requested configurations based on policies.
As the network expands and becomes complex, the number of hosts often exceeds the number
of available IP addresses. As portable computers and wireless networks are widely used, the
positions of computers often change, causing IP addresses of the computers to be changed
accordingly. As a result, network configurations become increasingly complex. To properly and
dynamically assign IP addresses to hosts, DHCP is used.
DHCP rapidly and dynamically allocates IP addresses, which improves IP address usage.

4.3.2 DHCP Features Supported by the Switch


The device can function as a DHCP server, a DHCP relay agent, or a DHCP/BOOTP client.

Using the Switch as a DHCP Server


Figure 4-7 Networking of the DHCP server
[Figure: the DHCP Server (the Switch) is connected to the DHCP Client]

The device can function as the DHCP server to assign IP addresses to clients. After a DHCP
client sends a message to the DHCP server to request configuration parameters, the DHCP server
responds with a message carrying the requested configurations based on a policy.
When the device functions as the DHCP server, create an address pool on the device to provide
IP addresses to DHCP clients. The address pool can be a global address pool or an interface
address pool. The device allocates IP addresses to clients by using the global address pool or an
interface address pool:
- If a DHCP server based on a global address pool is configured, all online users of the server
  can obtain IP addresses from this address pool. The global address pool is used when the
  DHCP server and client are located on different network segments.
- If a DHCP server based on an interface address pool is configured, only users that go online
  from this interface can obtain IP addresses from this address pool. The interface address
  pool is used when the DHCP server and client are located on the same network segment.


Using the Switch as a DHCP Relay Agent


Figure 4-8 Networking of the DHCP relay agent
[Figure: the DHCP Client is connected to the DHCP Relay (the Switch), which reaches the DHCP
Server across the Internet]

The Switch supports the DHCP relay function. When the device functions as a DHCP relay
agent, the client can communicate with a DHCP server on another network segment through the
device, and obtain an IP address and other configuration parameters from the global address
pool on the DHCP server. In this manner, DHCP clients on multiple network segments can share
one DHCP server. This reduces costs and facilitates centralized management.

Using the Switch as a DHCP/BOOTP Client


Figure 4-9 Networking of the DHCP/BOOTP client
[Figure: SwitchA (DHCP Client) and SwitchB (BOOTP Client) are connected to SwitchC (DHCP
Server)]

The device supports the DHCP/BOOTP client function. When the DHCP/BOOTP client
function is configured on a Layer 3 interface of the device, the device dynamically obtains an IP
address and other network configuration parameters from the DHCP server. This simplifies
configuration and management.
A DHCP server can serve BOOTP clients, so no separate BOOTP server needs to be configured:
the DHCP server allocates IP addresses to the BOOTP clients.
When the device functions as a DHCP client and has obtained an IP address, it can quickly detect
the status of its gateway. If the gateway address is incorrect or the gateway is faulty, the DHCP
client sends a DHCP Request message again.
NOTE

Only the wired side of the device supports the DHCP/BOOTP client function.


4.3.3 Default Configuration


This section provides default DHCP configurations.
Table 4-1 DHCP default configuration

Parameter                                                                 Default Value
------------------------------------------------------------------------  -------------
Time interval at which the DHCP server waits for the response to ping     500 ms
packets to avoid IP address conflicts
IP address lease                                                          1 day
Interval for saving DHCP data to the Flash card                           7200s
NetBIOS node type of the DHCP client                                      unspecified

4.3.4 Configuring a DHCP Server Based on the Global Address Pool


If a DHCP server based on a global address pool is configured, all online users of the server can
obtain IP addresses from this address pool.

Pre-configuration Tasks
Before configuring a DHCP server based on the global address pool, complete the following
tasks:
l Ensuring that the link between the DHCP client and the device works properly and the
DHCP client can communicate with the device
l (Optional) Configuring the DNS service for the DHCP client
l (Optional) Configuring the NetBIOS service for the DHCP client
l Configuring routes from the device to the DNS server and the NetBIOS server (The routes
are required only when the servers are configured.)
l (Optional) Configuring the customized DHCP option

Configuring the Global Address Pool


Context
The global address pool attributes include the IP address range, IP address lease, IP addresses
not to be automatically allocated, and IP addresses to be statically bound to MAC addresses. IP
addresses in the global address pool can be assigned dynamically or bound manually as required.
A maximum of 128 address pools, including global address pools and interface address pools,
can be created on the Switch.


Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
ip pool ip-pool-name

A global address pool is created and the global address pool view is displayed.
By default, no global address pool exists on the Switch.
Step 3 Run:
network ip-address [ mask { mask | mask-length } ]

The range of IP addresses that can be allocated dynamically in the global address pool is
specified.
By default, no network segment address for a global address pool is specified.
An address pool can contain only one address segment. The address range of the address pool
is set by the mask.
NOTE

When configuring the range of dynamically assignable IP addresses in the global address pool, ensure that the
range is the same as the network segment on which the DHCP server interface address or the DHCP relay agent
interface address resides. This avoids incorrect assignment of IP addresses.

Step 4 (Optional) Run:


lease { day day [ hour hour [ minute minute ] ] | unlimited }

The IP address lease is set.


By default, the IP address lease is one day.
Different address pools on a DHCP server can be set with different IP address leases, but the IP
addresses in one address pool must be configured with the same lease.
Step 5 (Optional) Run:
excluded-ip-address start-ip-address [ end-ip-address ]

The IP addresses that cannot be automatically allocated in the global address pool are configured.
By default, all IP addresses in the address pool can be automatically assigned to clients.
Some IP addresses in the global address pool are reserved for other services, for example, the
IP address of the DNS server cannot be allocated to clients. If you run this command multiple
times, you can set multiple IP address ranges that cannot be automatically allocated in the DHCP
address pool.
Step 6 Run:
gateway-list ip-address &<1-8>

The egress gateway address is configured for the DHCP clients.



NOTE

When a DHCP client communicates with the DHCP server or with a host outside its own network
segment, the data must be forwarded through the egress gateway.
To load balance traffic and improve network reliability, configure multiple gateways. An address pool can
be configured with a maximum of eight gateway addresses. Gateway addresses cannot be subnet broadcast
addresses.

Step 7 (Optional) Run:


static-bind ip-address ip-address mac-address mac-address

An IP address in the global address pool is statically bound to the MAC address of a DHCP
client.
By default, the IP address in a global address pool is not bound to any MAC address.
When a client requires a fixed IP address, bind an idle IP address in the address pool to the client
MAC address.
NOTE

When the IP address in the global address pool is statically bound to a MAC address, the IP address must be in
the range of IP addresses that can be allocated dynamically.

Step 8 (Optional) Run:


next-server ip-address

The IP address of the server that DHCP clients use after obtaining an address is configured. It is
carried in the siaddr field of the reply and typically points to a file server from which clients fetch
boot or configuration files.


By default, no server IP address is specified.
Step 9 (Optional) Run:
lock

The IP address pool is locked.


By default, the IP address pool is unlocked. Addresses in a locked pool are not allocated to clients;
lock a pool when you need to take it out of service without deleting its configuration.
----End

Configuring an Interface to Use the Global Address Pool


Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
dhcp enable

DHCP is enabled.
Step 3 Run:
interface interface-type interface-number

The interface view is displayed.



VLANIF interfaces on the Switch can be configured to select the global address pool for IP
address allocation.
Step 4 Run:
ip address ip-address { mask | mask-length }

An IP address is assigned to the interface.


When users connected to the interface that has an IP address configured request IP addresses:
l If the Switch used as the DHCP server is on the same network segment as DHCP clients, and
no relay agent is deployed between them, the Switch assigns IP addresses on the same
network segment as the interface to users who get online from the interface. If the interface
is not configured with an IP address or no address pool is on the same network segment as
the interface address, the clients cannot go online.
l If the Switch used as the DHCP server and DHCP clients are on different network segments,
and a DHCP relay agent is deployed between them, the Switch parses the giaddr field of a
DHCP Request message to obtain an IP address. If the IP address does not match the
corresponding address pool, the user cannot get online.
Step 5 Run:
dhcp select global

The interface is configured to use the global address pool.


After the configuration is complete, users who get online from this interface can obtain IP
addresses and other configuration parameters from the global address pool.
----End
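The rules above (one network segment per pool, addresses excluded or reserved for gateways and static bindings never handed out, a static binding required to fall inside the pool's range, and the pool chosen from the ingress interface address for a directly connected client or from giaddr for a relayed one) can be exercised as a stand-alone model. The Python below is an added example for this guide, not AC6605 code or Huawei's implementation; the pool names, subnets and MAC addresses in it are made up, and it ignores lease timers and DHCP message formats.

```python
"""Model of global-address-pool selection and allocation as described in the guide.
Added example, not AC6605 code. Pool names, subnets and MACs are illustrative."""
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network
from typing import Dict, List, Optional

ZERO = IPv4Address("0.0.0.0")


@dataclass
class GlobalPool:
    """One `ip pool` with the attributes the guide lists for a global address pool."""
    name: str
    network: IPv4Network                           # network ip-address mask ...
    gateways: List[IPv4Address]                    # gateway-list ... (1 to 8 addresses)
    lease_seconds: int = 86400                     # lease day 1 (the default)
    excluded: List[IPv4Address] = field(default_factory=list)
    static_binds: Dict[str, IPv4Address] = field(default_factory=dict)
    leased: Dict[str, IPv4Address] = field(default_factory=dict)

    def __post_init__(self) -> None:
        if not 1 <= len(self.gateways) <= 8:
            raise ValueError("gateway-list takes 1 to 8 addresses")
        if any(gw == self.network.broadcast_address for gw in self.gateways):
            raise ValueError("gateway addresses cannot be subnet broadcast addresses")

    def _is_host(self, addr: IPv4Address) -> bool:
        """Inside the pool's segment and neither the network nor the broadcast address."""
        return (addr in self.network and addr != self.network.network_address
                and addr != self.network.broadcast_address)

    def exclude(self, start: str, end: Optional[str] = None) -> None:
        """excluded-ip-address start [end]: a range that is never allocated automatically."""
        lo, hi = IPv4Address(start), IPv4Address(end or start)
        self.excluded.extend(IPv4Address(a) for a in range(int(lo), int(hi) + 1))

    def static_bind(self, ip: str, mac: str) -> None:
        """static-bind: the fixed address must lie in the dynamically allocatable range."""
        addr = IPv4Address(ip)
        if not self._is_host(addr):
            raise ValueError(f"{addr} is outside pool {self.name} ({self.network})")
        self.static_binds[mac.lower()] = addr

    def _allocatable(self, addr: IPv4Address) -> bool:
        return (addr not in self.excluded and addr not in self.gateways
                and addr not in self.static_binds.values()
                and addr not in self.leased.values())

    def allocate(self, mac: str) -> Optional[IPv4Address]:
        """Static binding first, then an existing lease, then the lowest free host address."""
        mac = mac.lower()
        if mac in self.static_binds:
            self.leased[mac] = self.static_binds[mac]
        elif mac not in self.leased:
            free = next((a for a in self.network.hosts() if self._allocatable(a)), None)
            if free is None:
                return None                        # pool exhausted
            self.leased[mac] = free
        return self.leased[mac]


class DhcpServer:
    """Holds the global pools and applies the pool-selection rule from the guide."""
    MAX_POOLS = 128                                # limit quoted above (global + interface pools)

    def __init__(self) -> None:
        self.pools: List[GlobalPool] = []

    def add_pool(self, pool: GlobalPool) -> None:
        if len(self.pools) >= self.MAX_POOLS:
            raise RuntimeError("at most 128 address pools can be created")
        self.pools.append(pool)

    def select_pool(self, interface_ip: Optional[str], giaddr: str) -> Optional[GlobalPool]:
        """Relayed request (giaddr != 0): the pool containing giaddr. Directly connected
        client: the pool containing the ingress interface address. No interface address
        or no matching pool: None, and the client cannot go online."""
        ref = IPv4Address(giaddr)
        if ref == ZERO:
            if interface_ip is None:
                return None
            ref = IPv4Address(interface_ip)
        return next((p for p in self.pools if ref in p.network), None)

    def handle_request(self, mac: str, interface_ip: Optional[str],
                       giaddr: str = "0.0.0.0") -> Optional[dict]:
        """Return the parameters the client would receive, or None if nothing is offered."""
        pool = self.select_pool(interface_ip, giaddr)
        addr = pool.allocate(mac) if pool else None
        if addr is None:
            return None
        return {"ip": str(addr), "mask": str(pool.network.netmask),
                "gateways": [str(g) for g in pool.gateways], "lease": pool.lease_seconds}


def build_demo_server() -> DhcpServer:
    """Two illustrative pools: 10.1.1.0/24 served directly, 10.1.2.0/24 behind a relay."""
    srv = DhcpServer()
    p1 = GlobalPool("pool1", IPv4Network("10.1.1.0/24"), [IPv4Address("10.1.1.1")])
    p1.exclude("10.1.1.2", "10.1.1.9")             # reserved for DNS and other servers
    p1.static_bind("10.1.1.100", "00-e0-fc-12-34-56")
    srv.add_pool(p1)
    srv.add_pool(GlobalPool("pool2", IPv4Network("10.1.2.0/24"), [IPv4Address("10.1.2.1")]))
    return srv


if __name__ == "__main__":
    s = build_demo_server()
    print(s.handle_request("00-e0-fc-00-00-01", interface_ip="10.1.1.1"))
    print(s.handle_request("00-e0-fc-00-00-02", interface_ip="10.1.1.1", giaddr="10.1.2.1"))
```

The relayed request is answered from pool2 because giaddr (10.1.2.1) falls in that segment, even though it arrived on an interface in 10.1.1.0/24; a giaddr that matches no pool yields nothing, which is the failure mode the note in Step 3 of Configuring the Global Address Pool warns about.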

(Optional) Configuring the Static DNS Service on a DHCP Client


Context
When a host connects to the Internet through the domain name, the domain name needs to be
resolved to the IP address. This is implemented by the DNS. To ensure that a DHCP client can
successfully connect to the Internet, the DHCP server needs to specify the DNS server address
when allocating the IP address to the client.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
ip pool ip-pool-name

The IP address pool view is displayed.


Step 3 Run:
domain-name domain-name

The domain name to be allocated to a DHCP client is configured.


On the DHCP server, you can specify a domain name for each address pool.

Step 4 Run:
dns-list ip-address &<1-8>

The IP address of the DNS server is configured for a DHCP client.


To load balance the traffic and improve network reliability, configure multiple DNS servers.
Each address pool can be configured with a maximum of eight DNS server IP addresses.
----End

(Optional) Configuring the Static NetBIOS Service on a DHCP Client


Context
When a DHCP client uses the Network Basic Input Output System (NetBIOS) protocol for
communication, host names must be mapped to IP addresses. Based on how they obtain these
mappings, NetBIOS nodes are classified into the following types:
l b-node: a node in broadcast mode. It resolves names by broadcasting on the local segment.
l p-node: a node in peer-to-peer mode. It resolves names by querying the NetBIOS name
server (the server configured with nbns-list) and never broadcasts.
l m-node: a node in mixed mode. It broadcasts first and queries the NetBIOS name server
only if the broadcast gets no answer.
l h-node: a node in hybrid mode. It queries the NetBIOS name server first and falls back to
broadcast only if the server does not resolve the name.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
ip pool ip-pool-name

The IP address pool view is displayed.


Step 3 Run:
nbns-list ip-address &<1-8>

The IP address of the NetBIOS server is configured for a DHCP client.


Each IP address pool can be configured with a maximum of eight NetBIOS server IP addresses.
Step 4 Run:
netbios-type { b-node | h-node | m-node | p-node }

The NetBIOS node type is configured for a DHCP client.


By default, no NetBIOS node type is specified for a DHCP client.
----End

(Optional) Configuring a Customized DHCP Option for the Global Address Pool

Context
DHCP provides various options. To use these options, add them to the attribute list of the DHCP
server manually. If the DHCP server is configured with the Options field, the DHCP client
obtains the configuration of the Options field from the DHCP packet replied by the DHCP server
when the client requests an IP address from the server.
NOTE

The option command configures basic functions, such as the DNS service, NetBIOS service, and IP address
lease. The system also provides commands to configure these functions separately. The commands used
to configure these functions separately take precedence over the option command.
The related commands are as follows:
l DNS service: domain-name and dns-list
l NetBIOS service: nbns-list and netbios-type
l Lease: lease

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
ip pool ip-pool-name

The IP address pool view is displayed.


Step 3 Run:
option code [ sub-option sub-code ] { ascii ascii-string | hex hex-string | ip-address ip-address &<1-8> }

The customized DHCP option is configured.


After the option command is used, the specified option is carried by the DHCP Reply message
returned by the DHCP server. Before using this command, ensure that you know the functions
of the option to be configured. For details on DHCP options, see RFC 2132.
----End

(Optional) Preventing Repeated IP Address Allocation


Context
Before assigning an address to a client, the Switch used as the DHCP server pings the IP
address to check that no host is already using it.
After the dhcp server ping command is executed, the DHCP server can prevent repeated IP
address allocation. The DHCP server pings an IP address to be allocated. If there is no response
to the ping packet within the configured period, the DHCP server sends another ping packet to
this IP address until the maximum number of ping packets has been sent. If there is still no
response, the IP address is considered not in use and the DHCP server allocates it to the client.
If a host does answer, the address is recorded as a conflict and is not allocated.
Duplicate address detection must not take too long, or the client gives up waiting and fails to
obtain an IP address. It is recommended that the total detection time (maximum number of ping
packets x maximum response time) be kept below 8s.
A host that does not answer ICMP Echo requests (for example, one behind a host firewall) is not
detected by this check, so the check does not replace planning the excluded address ranges.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
dhcp server ping packet number

The maximum number of ping packets to be sent by the Switch is set.


By default, the DHCP server sends 2 ping packets.
Step 3 Run:
dhcp server ping timeout milliseconds

The period in which the Switch waits for the response is set.
By default, the period in which the Switch waits for the response is 500 ms.
----End

(Optional) Configuring Automatic Saving of DHCP Data


Context
When the device functions as the DHCP server, you can enable automatic saving of DHCP data
so that IP address information is saved to the storage device periodically.
You can configure the device to save DHCP data to the storage device. When a fault occurs,
you can restore data from the storage device.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
dhcp server database enable

The function that saves DHCP data to the Flash memory is enabled.
By default, DHCP data is not saved to the Flash memory.
After this command is executed, the system generates the lease.txt and conflict.txt files in the
Flash memory. The two files save the address lease information and address conflict information.
Step 3 Run:
dhcp server database write-delay interval

The interval for saving DHCP data is set.


After the device is configured to automatically save DHCP data, the device saves data every
7200 seconds by default and the latest data overwrites the previous data.
Step 4 Run:
dhcp server database recover

The DHCP data in the storage device is restored.


After this command is executed, the device restores DHCP data from the Flash memory during
a restart.
----End

(Optional) Configuring the DHCP Server to trust Option 82


Procedure
Step 1 Run:
system-view

The system view is displayed.


----End

Checking the Configuration


Procedure
l Run the display ip pool [ name ip-pool-name [ start-ip-address [ end-ip-address ] | all |
conflict | expired | used ] ] command to check information about the specified global
address pool.
l Run the display dhcp server database command to check information about the DHCP
database.

----End

4.3.5 Configuring a DHCP Server Based on an Interface Address Pool

After a DHCP server based on an interface address pool is configured, only users that go online
from this interface can obtain IP addresses from this address pool.

Pre-configuration Tasks
Before configuring a DHCP server based on an interface address pool, complete the following
tasks:
l Ensuring that the link between the DHCP client and the device works properly and the
DHCP client can communicate with the device
l (Optional) Configuring the DNS server
l (Optional) Configuring the NetBIOS server
l Configuring routes from the device to the DNS server and the NetBIOS server (The routes
are required only when the servers are configured.)

Configuring an Interface Address Pool



Context
The interface address pool attributes include the IP address lease, IP addresses not to be
automatically allocated, and IP addresses to be statically bound to MAC addresses. IP addresses
in the interface address pool can be assigned dynamically or bound manually as required.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
dhcp enable

DHCP is enabled.
Step 3 Run:
interface interface-type interface-number

The interface view is displayed.


VLANIF interfaces can be configured to select interface address pools for IP address allocation.
Step 4 Run:
ip address ip-address { mask | mask-length }

An IP address is assigned to the interface.


Step 5 Run:
dhcp select interface

The interface is configured to use the interface address pool.


The interface address pool is actually the network segment to which the interface belongs, and
such an interface address pool only applies to this interface.
Step 6 (Optional) Run:
dhcp server lease { day day [ hour hour [ minute minute ] ] | unlimited }

The IP address lease is set.


By default, the IP address lease is 1 day.
Step 7 (Optional) Run:
dhcp server excluded-ip-address start-ip-address [ end-ip-address ]

The IP addresses that cannot be automatically allocated in the interface address pool are
configured.
Some IP addresses in the interface address pool are reserved for other services, for example, the
IP address of the DNS server cannot be allocated to clients. If you run this command multiple
times, you can set multiple IP address ranges that cannot be automatically allocated in the DHCP
address pool.
Step 8 (Optional) Run:
dhcp server static-bind ip-address ip-address mac-address mac-address

An IP address in the interface address pool is statically bound to the MAC address of a DHCP
client.

When a client requires a fixed IP address, bind an idle IP address in the address pool to the client
MAC address.
NOTE

When an IP address in the interface address pool is statically bound to a MAC address, the IP address must
be in the range of IP addresses that can be allocated dynamically.

Step 9 Run:
dhcp server next-server ip-address

The IP address of the server that DHCP clients use after obtaining an address is specified. It is
carried in the siaddr field of the reply and typically points to a file server from which clients fetch
boot or configuration files.


By default, no server IP address is specified.
----End

(Optional) Configuring the Static DNS Service on a DHCP Client


Context
When a host connects to the Internet through the domain name, the domain name needs to be
resolved to the IP address. This is implemented by the DNS. To ensure that a DHCP client can
successfully connect to the Internet, the DHCP server needs to specify the DNS server address
when allocating the IP address to the client.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
interface interface-type interface-number

The interface view is displayed.


VLANIF interfaces can be configured to select interface address pools for IP address allocation.
Step 3 Run:
dhcp server domain-name domain-name

The domain name to be allocated to a DHCP client is configured.


Step 4 Run:
dhcp server dns-list ip-address &<1-8>

The IP address of the DNS server is configured for a DHCP client.


To load balance the traffic and improve network reliability, configure multiple DNS servers.
Each address pool can be configured with a maximum of eight DNS server IP addresses.
----End


(Optional) Configuring the Static NetBIOS Service on a DHCP Client


Context
When a DHCP client uses the NetBIOS protocol for communication, host names must be
mapped to IP addresses. Based on how they obtain these mappings, NetBIOS nodes are classified
into the following types:
l b-node: a node in broadcast mode. It resolves names by broadcasting on the local segment.
l p-node: a node in peer-to-peer mode. It resolves names by querying the NetBIOS name
server (the server configured with dhcp server nbns-list) and never broadcasts.
l m-node: a node in mixed mode. It broadcasts first and queries the NetBIOS name server
only if the broadcast gets no answer.
l h-node: a node in hybrid mode. It queries the NetBIOS name server first and falls back to
broadcast only if the server does not resolve the name.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
interface interface-type interface-number

The interface view is displayed.


VLANIF interfaces can be configured to select interface address pools for IP address allocation.
Step 3 Run:
dhcp server nbns-list ip-address &<1-8>

The IP address of the NetBIOS server is configured for a DHCP client.


Each IP address pool can be configured with a maximum of eight NetBIOS server IP addresses.
Step 4 Run:
dhcp server netbios-type { b-node | h-node | m-node | p-node }

The NetBIOS node type is configured for a DHCP client.


By default, no NetBIOS node type is specified for a DHCP client.
----End

(Optional) Configuring a Customized DHCP Option for an Interface Address Pool


Context
DHCP provides various options. To use these options, add them to the attribute list of the DHCP
server manually.
When a DHCP client requests an IP address from the DHCP server configured with the Options
field, the server returns a DHCP Reply message containing the Options field.

NOTE

The dhcp server option command configures basic functions, such as the DNS service, NetBIOS service,
and IP address lease. The system also provides commands to configure these functions separately. The
commands used to configure these functions separately take precedence over the dhcp server option
command.
The related commands are as follows:
l DNS service: dhcp server domain-name and dhcp server dns-list
l NetBIOS service: dhcp server nbns-list and dhcp server netbios-type
l Lease: dhcp server lease

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
interface interface-type interface-number

The interface view is displayed.


VLANIF interfaces can be configured to select interface address pools for IP address allocation.
Step 3 Run:
dhcp server option code [ sub-option sub-code ] { ascii ascii-string | hex hex-string | ip-address ip-address &<1-8> }

The customized DHCP option is configured.


After the dhcp server option command is run, the specified option is carried by the DHCP
Reply message returned by the DHCP server. Before using this command, ensure that you know
the functions of the option to be configured. For details on DHCP options, see RFC 2132.
----End
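The three value forms of the dhcp server option command, and of the option command in the global address pool view described earlier, all end up as the same RFC 2132 type-length-value encoding on the wire. The Python below is an added example rather than AC6605 code; it shows that encoding and the limits on it (the guide's maximum of eight addresses, and RFC 2132's option codes 1 to 254 with at most 255 value octets). The option codes and values used are illustrative. It also shows that a hex value and an ip-address value with sub-option 1 can produce identical bytes, which is why you must know the option's layout before configuring it.

```python
"""Wire encoding for option / dhcp server option value forms (RFC 2132 TLVs).
Added example, not AC6605 code. Option codes and values are illustrative."""
from ipaddress import IPv4Address
from typing import Optional

MAGIC_COOKIE = b"\x63\x82\x53\x63"                  # RFC 2132 section 2
OPT_END = 255


def tlv(code: int, value: bytes) -> bytes:
    """One RFC 2132 option: code octet, length octet, value."""
    if not 1 <= code <= 254:                        # 0 is pad, 255 is end; neither has a length
        raise ValueError(f"option code {code} out of range 1..254")
    if len(value) > 255:
        raise ValueError(f"option {code}: value is {len(value)} octets, maximum is 255")
    return bytes([code, len(value)]) + value


def encode_value(kind: str, *values: str) -> bytes:
    """ascii: the string's bytes; hex: the hex digits; ip-address: 1 to 8 IPv4 addresses."""
    if kind == "ascii":
        return values[0].encode("ascii")
    if kind == "hex":
        digits = values[0].replace(" ", "").replace("-", "")
        if len(digits) % 2:
            raise ValueError("hex string needs an even number of digits")
        return bytes.fromhex(digits)
    if kind == "ip-address":
        if not 1 <= len(values) <= 8:               # the guide's &<1-8> limit
            raise ValueError("ip-address form takes 1 to 8 addresses")
        return b"".join(IPv4Address(v).packed for v in values)
    raise ValueError(f"unknown value form {kind!r}")


def encode_option(code: int, kind: str, *values: str,
                  sub_option: Optional[int] = None) -> bytes:
    """Encode one option. With sub_option, the value is first wrapped in a sub-code/length
    TLV and that TLV becomes the option's payload: the layout used inside option 43
    (vendor-specific information) and option 82 (relay agent information)."""
    payload = encode_value(kind, *values)
    if sub_option is not None:
        payload = tlv(sub_option, payload)
    return tlv(code, payload)


def try_encode_option(code: int, kind: str, *values: str,
                      sub_option: Optional[int] = None) -> Optional[bytes]:
    """Like encode_option, but returns None instead of raising on an invalid request."""
    try:
        return encode_option(code, kind, *values, sub_option=sub_option)
    except ValueError:
        return None


def options_field(*options: bytes) -> bytes:
    """The options field of a DHCP reply: magic cookie, the options, then END."""
    return MAGIC_COOKIE + b"".join(options) + bytes([OPT_END])


if __name__ == "__main__":
    dns = encode_option(6, "ip-address", "10.1.1.2", "10.1.1.3")   # what dns-list produces
    domain = encode_option(15, "ascii", "example.com")             # what domain-name produces
    vendor = encode_option(43, "ip-address", "10.1.1.100", sub_option=1)
    print(options_field(dns, domain, vendor).hex())
```

Options 6 and 15 are shown only to make the point of the NOTE above concrete: a dns-list or domain-name setting produces exactly these TLVs, and the separate commands win when both are configured.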

(Optional) Preventing Repeated IP Address Allocation


Context
Before assigning an address to a client, the Switch used as the DHCP server pings the IP
address to check that no host is already using it.
After the dhcp server ping command is executed, the DHCP server can prevent repeated IP
address allocation. The DHCP server pings an IP address to be allocated. If there is no response
to the ping packet within the configured period, the DHCP server sends another ping packet to
this IP address until the maximum number of ping packets has been sent. If there is still no
response, the IP address is considered not in use and the DHCP server allocates it to the client.
If a host does answer, the address is recorded as a conflict and is not allocated.
Duplicate address detection must not take too long, or the client gives up waiting and fails to
obtain an IP address. It is recommended that the total detection time (maximum number of ping
packets x maximum response time) be kept below 8s.
A host that does not answer ICMP Echo requests (for example, one behind a host firewall) is not
detected by this check, so the check does not replace planning the excluded address ranges.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
dhcp server ping packet number

The maximum number of ping packets to be sent by the Switch is set.


By default, the DHCP server sends 2 ping packets.
Step 3 Run:
dhcp server ping timeout milliseconds

The period in which the Switch waits for the response is set.
By default, the period in which the Switch waits for the response is 500 ms.
----End

(Optional) Configuring Automatic Saving of DHCP Data


Context
When the device functions as the DHCP server, you can enable automatic saving of DHCP data
so that IP address information is saved to the storage device periodically.
You can configure the device to save DHCP data to the storage device. When a fault occurs,
you can restore data from the storage device.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
dhcp server database enable

The function that saves DHCP data to the Flash memory is enabled.
By default, DHCP data is not saved to the Flash memory.
After this command is executed, the system generates the lease.txt and conflict.txt files in the
Flash memory. The two files save the address lease information and address conflict information.
Step 3 Run:
dhcp server database write-delay interval

The interval for saving DHCP data is set.


After the device is configured to automatically save DHCP data, the device saves data every
7200 seconds by default and the latest data overwrites the previous data.
Step 4 Run:
dhcp server database recover

The DHCP data in the storage device is restored.


After this command is executed, the device restores DHCP data from the Flash memory during
a restart.
----End

(Optional) Configuring the DHCP Server to trust Option 82


Procedure
Step 1 Run:
system-view

The system view is displayed.


----End

(Optional) Configuring the DHCP Server to Allocate IP Addresses to BOOTP Clients
Context
When the device functions as a DHCP server, the device can allocate IP addresses to BOOTP
clients if the BOOTP clients reside on the same network as the DHCP server.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
dhcp server bootp

The DHCP server is configured to respond to BOOTP requests.


By default, a DHCP server does not respond to BOOTP requests.
Step 3 Run:
dhcp server bootp automatic

The DHCP server is configured to allocate IP addresses to BOOTP clients.


By default, a DHCP server does not allocate IP addresses to BOOTP clients.
----End


Checking the Configuration


Procedure
l Run the display ip pool [ interface interface-pool-name [ start-ip-address [ end-ip-address ] |
all | conflict | expired | used ] ] command to view information about the IP address pool.

----End

4.3.6 Configuring a DHCP Relay Agent


By using a DHCP relay agent, a DHCP client can communicate with a DHCP server on another
network segment to obtain an IP address and other configuration information.

Pre-configuration Tasks
Before configuring a DHCP relay agent, complete the following tasks:
l Configuring a DHCP server
l Configuring a route from the device used as the DHCP relay agent to the DHCP server

Configuration Process
Figure 4-10 shows the configuration process.
Figure 4-10 DHCP relay agent configuration process
[Flowchart: Configuring DHCP Relay on an Interface, followed by either (a) Configuring a
Destination DHCP Server Group and then Binding an Interface to a DHCP Server Group, or (b)
configuring the destination DHCP server address directly on the interface.]

Configuring DHCP Relay on an Interface


Context
When the network where a DHCP client resides does not have a DHCP server, a DHCP relay
agent can be configured to forward DHCP messages of the client to a DHCP server.
NOTE

A DHCP message is forwarded between a DHCP client and a DHCP server at most 16 times, and then the
DHCP message is discarded.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
dhcp enable

DHCP is enabled.
Step 3 Run:
dhcp relay detect enable

User entry detection is enabled on a DHCP relay agent.


By default, user entry detection is disabled on a DHCP relay agent.
If multiple DHCP relay agents exist on the network, run the dhcp relay detect enable command
to enable user entry detection on the DHCP relay agent to prevent the IP addresses assigned to
clients from conflicting with those of other clients.
Step 4 (Optional) Run:
ip relay address cycle

The DHCP server polling function on a DHCP relay agent is enabled.


By default, the DHCP server polling function is disabled on the DHCP relay agent.
Step 5 Run:
interface interface-type interface-number

The interface view is displayed.


VLANIF interfaces on the device support the DHCP relay function.
Step 6 Run:
ip address ip-address { mask | mask-length }

An IP address is assigned to the interface.


NOTE

The interface IP address must be the same as the DHCP client's egress gateway address configured on the
DHCP server. If the device functions as the DHCP server, you can run the gateway-list (IP address pool
view) command to configure the DHCP client's egress gateway address.

Step 7 Run:
dhcp select relay

The DHCP relay function is enabled on the interface.



Step 8 Run:
quit

Return to the system view.


Step 9 (Optional) Run:
dhcp relay trust option82

The device is configured to trust Option 82.


By default, the device does not discard DHCP messages that carry Option 82 and whose giaddr
field is 0.
RFC 3046 (section 2.1.1) specifies that a relay agent should discard a client message that
already carries Option 82 while giaddr is 0, because the option was inserted by something other
than a trusted relay agent and the server would otherwise use attacker-chosen circuit or remote
IDs to select the address pool. Trust Option 82 only on interfaces that face devices you control,
such as access switches that insert Option 82 themselves.
----End
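The checks a relay agent applies before forwarding a client message, as an added stand-alone example that is not AC6605 code: the 16-forward limit from the note above, the giaddr handling from Step 6, and the RFC 3046 (section 2.1.1) rule behind Step 9, under which a message arriving with giaddr 0 but already carrying Option 82 is dropped unless the ingress interface is trusted. The message layout follows RFC 2131; the relay interface address, circuit-id and remote-id values are made up, and the DHCPDISCOVER used as input is constructed inside the block.

```python
"""Receive-path checks of a DHCP relay agent (hop limit, Option 82 trust, giaddr).
Added example, not AC6605 code. Addresses and Option 82 sub-option values are made up."""
import struct
from ipaddress import IPv4Address
from typing import Optional

MAX_HOPS = 16                                   # forwarded at most 16 times (guide's note)
COOKIE = b"\x63\x82\x53\x63"                    # RFC 2131 magic cookie after the 236-byte header
OPT_RELAY_AGENT = 82
OPT_END = 255
ZERO = IPv4Address("0.0.0.0")


def bootp_request(hops: int = 0, giaddr: str = "0.0.0.0", options: bytes = b"") -> bytes:
    """Constructed DHCPDISCOVER-style message: op, htype, hlen, hops, xid, secs, flags,
    ciaddr, yiaddr, siaddr, giaddr (offset 24), chaddr, sname, file, cookie, options, END."""
    hdr = struct.pack("!BBBBIHH4s4s4s4s16s64s128s",
                      1, 1, 6, hops, 0x3903F326, 0, 0x8000,
                      b"\0" * 4, b"\0" * 4, b"\0" * 4, IPv4Address(giaddr).packed,
                      bytes.fromhex("00e0fc123456") + b"\0" * 10, b"\0" * 64, b"\0" * 128)
    return hdr + COOKIE + options + bytes([OPT_END])


def _has_option(options: bytes, wanted: int) -> bool:
    """Walk the TLV options (after the cookie) looking for `wanted`; pads are skipped."""
    i = 0
    while i < len(options):
        code = options[i]
        if code == OPT_END:
            return False
        if code == 0:
            i += 1
            continue
        if i + 1 >= len(options):
            raise ValueError("truncated option header")
        if code == wanted:
            return True
        i += 2 + options[i + 1]
    return False


def _insert_option82(options: bytes, circuit_id: bytes, remote_id: bytes) -> bytes:
    """Append Option 82 with sub-option 1 (circuit-id) and 2 (remote-id) before END."""
    sub = bytes([1, len(circuit_id)]) + circuit_id + bytes([2, len(remote_id)]) + remote_id
    body = options[:-1] if options.endswith(bytes([OPT_END])) else options
    return body + bytes([OPT_RELAY_AGENT, len(sub)]) + sub + bytes([OPT_END])


def relay(msg: bytes, relay_if_ip: str, trust_option82: bool = False,
          circuit_id: Optional[bytes] = None, remote_id: Optional[bytes] = None) -> Optional[bytes]:
    """Return the message to forward to the server, or None if it must be dropped."""
    if len(msg) < 240 or msg[236:240] != COOKIE:
        return None                             # not a DHCP message
    hops = msg[3]
    giaddr = IPv4Address(msg[24:28])
    options = msg[240:]
    if hops >= MAX_HOPS:
        return None                             # already relayed the maximum number of times
    if giaddr == ZERO and _has_option(options, OPT_RELAY_AGENT) and not trust_option82:
        return None                             # RFC 3046 2.1.1: Option 82 from a non-relay source
    if circuit_id is not None and remote_id is not None and not _has_option(options, OPT_RELAY_AGENT):
        options = _insert_option82(options, circuit_id, remote_id)
    out = bytearray(msg[:240] + options)
    out[3] = hops + 1
    if giaddr == ZERO:                          # first relay sets giaddr; later relays keep it
        out[24:28] = IPv4Address(relay_if_ip).packed
    return bytes(out)


if __name__ == "__main__":
    discover = bootp_request()
    forwarded = relay(discover, "10.1.1.1", circuit_id=b"\x00\x0a", remote_id=b"\x00\xe0\xfc\x00\x00\x01")
    print(forwarded.hex() if forwarded else "dropped")
    spoofed = bootp_request(options=b"\x52\x04\x01\x02\xaa\xbb")   # client-inserted Option 82
    print("dropped" if relay(spoofed, "10.1.1.1") is None else "forwarded")
```

Because giaddr is only set when it is still 0, the server selects the pool from the first relay's interface address, which is why the NOTE in Step 6 requires that address to equal the gateway address configured in the pool.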

Follow-up Procedure
When the DHCP relay function is enabled on an interface, specify the DHCP server IP address
on the interface in either of the following ways:
l Configure a destination DHCP server group and bind the group to the interface. For details,
see Configuring a Destination DHCP Server Group and Binding an Interface to a
DHCP Server Group.
l Run the dhcp relay server-ip ip-address command in the interface view to configure the
destination DHCP server address.

Configuring a Destination DHCP Server Group


Context
After a DHCP server group is created and server IP addresses are added to the group, the
Switch used as the DHCP relay agent can forward messages to multiple servers.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
dhcp server group group-name

A DHCP server group is created and the DHCP server group view is displayed.
A maximum of 32 DHCP server groups can be configured globally.
Step 3 Run:
dhcp-server ip-address [ ip-address-index ]

A DHCP server is added to a DHCP server group.


A maximum of 20 DHCP servers can be added to a DHCP server group.
----End

Binding an Interface to a DHCP Server Group



Context
After the DHCP relay function is enabled on an interface, bind a DHCP server group to the
interface so that DHCP clients can access DHCP servers in the bound server group.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
interface interface-type interface-number

The interface view is displayed.


VLANIF interfaces on the device support the DHCP relay function.
Step 3 Run:
dhcp relay server-select group-name

A DHCP server group is bound to the interface.


----End

(Optional) Configuring the DHCP Relay Agent to Send DHCP Release Messages
Context
If a user is forcibly disconnected, you can manually release the IP address assigned to the user
on the DHCP server. You can configure the DHCP relay agent to actively send DHCP Release
messages to the DHCP server. The DHCP server then releases the specified IP addresses.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 (Optional) Run:
interface interface-type interface-number

The interface view is displayed.


VLANIF interfaces on the device support the DHCP relay function.
Step 3 Run:
dhcp relay release client-ip-address mac-address [ server-ip-address ]

The DHCP relay agent is configured to send DHCP Release messages to the DHCP server.
l When you use the dhcp relay release command in the system view:
  - If no DHCP server is specified, the DHCP relay agent sends DHCP Release messages to the
    servers in all DHCP server groups bound to DHCP relay interfaces.
  - If a DHCP server is specified, the DHCP relay agent sends DHCP Release messages only to
    the specified DHCP server.
l When you use the dhcp relay release command in the VLANIF interface view:
  - If no DHCP server is specified, the DHCP relay agent sends DHCP Release messages to all
    the servers in the DHCP server group bound to this VLANIF interface.
  - If a DHCP server is specified, the DHCP relay agent sends DHCP Release messages only to
    the specified DHCP server.
----End

(Optional) Configuring Strategies for Processing Option 82 Information on the
DHCP Relay Agent
Context
When DHCP Request messages carry Option 82 information, the DHCP server can locate user
positions accurately and assign IP addresses to users using different policies. You can configure
strategies that the DHCP relay agent uses to process Option 82 information.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
interface interface-type interface-number

The interface view is displayed.


The device supports VLANIF interfaces to work in DHCP relay mode.
Step 3 Run:
dhcp relay information enable

The Option 82 function is enabled on the DHCP relay agent.


By default, the Option 82 function is disabled for the DHCP relay agent.
Step 4 Run:
dhcp relay information strategy { drop | keep | replace }

Strategies used by the DHCP relay agent to process Option 82 information are configured.
By default, the strategy used by the DHCP relay agent to process Option 82 information is
replace.
----End
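The two relay-side operations described above, sending a DHCP Release on a client's behalf and applying the drop/keep/replace strategy to Option 82, shown as an added Python example that is not AC6605 code and is not taken from this guide. It builds raw RFC 2131 packets and the RFC 3046 relay agent information option. The strategy semantics (drop discards a packet that already carries Option 82, keep forwards it unchanged, replace overwrites it with the relay's own circuit-id and remote-id, and a packet that carries no Option 82 always gets the relay's own inserted), the giaddr and hops handling, the drop_giaddr0_with_82 switch, and the constructed MAC, circuit-id and remote-id values are all assumptions for illustration.

```python
"""DHCP relay agent behaviours from this section (added example, not AC6605 code):
building a DHCPRELEASE on a client's behalf, and applying the Option 82 strategy
(drop / keep / replace) to a client packet before forwarding it to the server.
Packet layout follows RFC 2131; the relay agent information option follows RFC 3046."""
import ipaddress

MAGIC = b"\x63\x82\x53\x63"                 # DHCP magic cookie after the 236-byte BOOTP header
OPT_PAD, OPT_MSG_TYPE, OPT_SERVER_ID, OPT_RELAY_AGENT, OPT_END = 0, 53, 54, 82, 255
DHCPDISCOVER, DHCPRELEASE = 1, 7
SUB_CIRCUIT_ID, SUB_REMOTE_ID = 1, 2        # RFC 3046 sub-options
HOPS, CIADDR, GIADDR, CHADDR = 3, slice(12, 16), slice(24, 28), slice(28, 34)
ZERO_IP = b"\0\0\0\0"


def parse_options(blob):
    """Decode a DHCP options field into a list of (code, value) pairs."""
    opts, i = [], 0
    while i < len(blob) and blob[i] != OPT_END:
        if blob[i] == OPT_PAD:
            i += 1
            continue
        code, length = blob[i], blob[i + 1]
        opts.append((code, bytes(blob[i + 2:i + 2 + length])))
        i += 2 + length
    return opts


def encode_options(opts):
    """Encode (code, value) pairs and terminate the field with the End option."""
    out = bytearray()
    for code, value in opts:
        out += bytes([code, len(value)]) + value
    return bytes(out) + bytes([OPT_END])


def get_option(opts, code):
    return next((v for c, v in opts if c == code), None)


def build_option82(circuit_id, remote_id):
    """Relay agent information: which circuit (circuit-id) on which relay (remote-id)."""
    return (bytes([SUB_CIRCUIT_ID, len(circuit_id)]) + circuit_id
            + bytes([SUB_REMOTE_ID, len(remote_id)]) + remote_id)


def build_packet(msg_type, mac, ciaddr="0.0.0.0", giaddr="0.0.0.0", extra_opts=()):
    """Assemble a BOOTREQUEST carrying the given DHCP message type (constructed data)."""
    hdr = bytearray(236)
    hdr[0:3] = b"\x01\x01\x06"              # op=BOOTREQUEST, htype=Ethernet, hlen=6
    hdr[4:8] = b"\x12\x34\x56\x78"          # xid, arbitrary for the example
    hdr[CIADDR] = ipaddress.IPv4Address(ciaddr).packed
    hdr[GIADDR] = ipaddress.IPv4Address(giaddr).packed
    hdr[CHADDR] = mac
    opts = [(OPT_MSG_TYPE, bytes([msg_type]))] + list(extra_opts)
    return bytes(hdr) + MAGIC + encode_options(opts)


def build_release(client_ip, client_mac, server_ip, relay_ip):
    """What 'dhcp relay release client-ip mac-address server-ip' must put on the wire:
    DHCPRELEASE with the client's ciaddr/chaddr, the target server in option 54 and
    the relay's own address in giaddr, so the server frees exactly that lease."""
    server_id = (OPT_SERVER_ID, ipaddress.IPv4Address(server_ip).packed)
    return build_packet(DHCPRELEASE, client_mac, ciaddr=client_ip, giaddr=relay_ip,
                        extra_opts=[server_id])


def relay_to_server(packet, strategy, relay_ip, circuit_id, remote_id,
                    drop_giaddr0_with_82=False):
    """Apply the Option 82 strategy to a client-to-server packet.

    Returns the packet to forward, or None when the relay drops it. Semantics are
    an assumption matching the command's usual meaning: 'drop' discards a packet
    that already carries Option 82, 'keep' forwards it untouched, 'replace'
    overwrites it with this relay's own Option 82; a packet without Option 82 always
    gets this relay's Option 82 inserted."""
    if strategy not in ("drop", "keep", "replace"):
        raise ValueError("strategy must be drop, keep or replace")
    if packet[236:240] != MAGIC:
        raise ValueError("not a DHCP packet")
    hdr, opts = bytearray(packet[:240]), parse_options(packet[240:])
    has82 = get_option(opts, OPT_RELAY_AGENT) is not None
    if has82 and hdr[GIADDR] == ZERO_IP and drop_giaddr0_with_82:
        return None         # RFC 3046 2.1.1: Option 82 from an untrusted, non-relayed client
    if has82 and strategy == "drop":
        return None
    if not has82 or strategy == "replace":
        ours = (OPT_RELAY_AGENT, build_option82(circuit_id, remote_id))
        opts = [(c, v) for c, v in opts if c != OPT_RELAY_AGENT] + [ours]
    if hdr[GIADDR] == ZERO_IP:
        hdr[GIADDR] = ipaddress.IPv4Address(relay_ip).packed   # first relay hop sets giaddr
    hdr[HOPS] += 1
    return bytes(hdr) + encode_options(opts)
```

With the default replace strategy a circuit-id forged by a client never reaches the server, which matters when the server (or a RADIUS back end behind it) uses Option 82 to place the user; keep is only safe behind another trusted relay. The page notes that by default the device forwards packets that carry Option 82 with giaddr 0; RFC 3046 section 2.1.1 says a relay receiving such a packet from an untrusted circuit shall discard it, which is what the optional switch in the example does.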

(Optional) Configuring User Entry Detection on a DHCP Relay Agent (for WLAN
Users)
Context
After user entry detection is enabled on a DHCP relay agent, the DHCP relay agent creates a
user entry after a user obtains an IP address through DHCP relay.
l When receiving a Release or Decline message from a DHCP client, the DHCP relay agent
  deletes the matching user entry.
l When receiving an ACK message from the DHCP server, the DHCP relay agent checks
  whether the IP address and MAC address of the DHCP client match the user entry.
  - If the IP address and MAC address are the same as those in the user entry, the DHCP
    relay agent continues to forward the ACK message.
  - If the IP address and MAC address are different from those in the user entry, the DHCP
    relay agent sends a Decline message to the DHCP server and sends a NAK message to
    the DHCP client to reject access of the client.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
dhcp relay detect enable

User entry detection is enabled on a DHCP relay agent.


By default, user entry detection is disabled on a DHCP relay agent.
----End
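The user entry detection logic described above, as an added Python example that is not AC6605 code. It models the relay's user table and the reactions the page lists: learn and forward a first ACK, forward an ACK that matches the entry, answer a conflicting ACK with a Decline to the server and a NAK to the client, and delete the entry on a client Release or Decline. Keying the table by client IP address, requiring the MAC to match before a Release removes an entry, the action names, and the constructed event sequence are this example's assumptions; the page applies the feature to WLAN users only.

```python
"""User entry detection on a DHCP relay agent (added example, not AC6605 code).
The relay learns IP/MAC bindings from server ACKs and refuses to forward an ACK
that would hand an IP it already tracks to a different MAC. Events are already
decoded DHCP messages (kind, client IP, client MAC); packet parsing is out of scope."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class RelayUserTable:
    """What 'display dhcp relay user-table' would show: client IP -> client MAC."""
    entries: Dict[str, str] = field(default_factory=dict)

    def on_server_ack(self, client_ip: str, client_mac: str) -> List[str]:
        """DHCPACK from the server: learn, forward, or reject a conflicting binding."""
        known = self.entries.get(client_ip)
        if known is None:
            self.entries[client_ip] = client_mac          # first lease: create the entry
            return ["forward_ack"]
        if known == client_mac:
            return ["forward_ack"]                        # renewal by the same host
        # The IP is already bound to another MAC: tell the server the address is
        # declined and tell the client it is rejected (the Decline + NAK on the page).
        return ["decline_to_server", "nak_to_client"]

    def on_client_release_or_decline(self, client_ip: str, client_mac: str) -> List[str]:
        """Release/Decline from a client: drop the matching entry, then forward.
        Assumption made here: both IP and MAC must match before the entry is
        removed, so a Release spoofed by another host cannot evict a binding."""
        if self.entries.get(client_ip) == client_mac:
            del self.entries[client_ip]
            return ["delete_entry", "forward"]
        return ["forward"]

    def lookup_ip(self, client_ip: str):
        """Mirror of 'display dhcp relay user-table ip-address'."""
        return self.entries.get(client_ip)

    def lookup_mac(self, client_mac: str) -> List[str]:
        """Mirror of 'display dhcp relay user-table mac-address'."""
        return sorted(ip for ip, mac in self.entries.items() if mac == client_mac)


def run(events: List[Tuple[str, str, str]], table: RelayUserTable = None) -> List[List[str]]:
    """Replay (kind, ip, mac) events through the table and return the relay's actions."""
    table = table if table is not None else RelayUserTable()
    handlers = {"ack": table.on_server_ack,
                "release": table.on_client_release_or_decline,
                "decline": table.on_client_release_or_decline}
    return [handlers[kind](ip, mac) for kind, ip, mac in events]


# Constructed sample: a legitimate client, its renewal, a second MAC trying to take
# over the same IP, a forged Release for that IP, and finally the real Release.
SAMPLE_EVENTS = [
    ("ack", "20.20.20.10", "0018-8201-0987"),
    ("ack", "20.20.20.10", "0018-8201-0987"),
    ("ack", "20.20.20.10", "0000-5e00-5301"),
    ("release", "20.20.20.10", "0000-5e00-5301"),
    ("release", "20.20.20.10", "0018-8201-0987"),
]

if __name__ == "__main__":
    for event, actions in zip(SAMPLE_EVENTS, run(SAMPLE_EVENTS)):
        print(event, "->", actions)
```

The third event is the case the feature exists for: the server has been talked into handing 20.20.20.10 to another MAC, and the relay refuses to complete that exchange rather than trusting the server unconditionally.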

Checking the Configuration


Procedure
l Run the display dhcp relay { all | interface interface-type interface-number } command
  to view the DHCP server group or the DHCP servers on the DHCP relay interface.
l Run the display dhcp relay statistics command to view packet statistics on the DHCP
  relay agent.
l Run the display dhcp server group [ group-name ] command to view the DHCP server
  group configuration.
l Run the display dhcp relay user-table { all | ip-address ip-address | mac-address
  mac-address } command to view user entries on a DHCP relay agent.
  NOTE
  You can perform this operation for WLAN users only.

----End

4.3.7 Configuring the DHCP/BOOTP Client Function


When the DHCP/BOOTP client function is configured on the Switch Layer 3 interface, the
Switch dynamically obtains IP addresses and other network configuration parameters from the
DHCP server.
Pre-configuration Tasks
Before configuring the DHCP/BOOTP client function, complete the following tasks:
l Configuring a DHCP server
l (Optional) Configuring a DHCP relay agent
l Configuring a route from the Switch to the DHCP relay agent or server

(Optional) Configuring the DHCP/BOOTP Client Attributes


Context
The DHCP/BOOTP client attributes facilitate communication between the DHCP/BOOTP client
and the DHCP server.

Procedure
l Configuring DHCP client attributes
  1. Run:
     system-view
     The system view is displayed.
  2. Run:
     dhcp enable
     DHCP is enabled.
  3. Run:
     dhcp client class-id class-id
     The Option 60 field in the DHCP request packet sent by the DHCP client is set.
     The default value of the Option 60 field depends on the device type.
  4. Run:
     interface interface-type interface-number
     The interface view is displayed.
     VLANIF interfaces support the DHCP client function.
  5. Run:
     dhcp client hostname hostname
     A host name for the DHCP client is configured.
  6. Run:
     dhcp client client-id client-id
     The identifier for the DHCP client is set.
  7. Run:
     dhcp client class-id class-id
     The Option 60 field in the DHCP request packet sent by the DHCP client is set (in the
     interface view).
l Configuring BOOTP client attributes
  1. Run:
     system-view
     The system view is displayed.
  2. Run:
     dhcp enable
     DHCP is enabled.
  3. Run:
     interface interface-type interface-number
     The interface view is displayed.
     VLANIF interfaces support the DHCP client function.
  4. Run:
     dhcp client hostname hostname
     A host name for the BOOTP client is configured.
----End

Enabling the DHCP/BOOTP Client Function


Context
The DHCP/BOOTP client function enables an interface to obtain an IP address and other
configurations from the DHCP server.

Procedure
l Enabling the DHCP client function
  1. Run:
     system-view
     The system view is displayed.
  2. Run:
     dhcp enable
     DHCP is enabled.
  3. Run:
     interface interface-type interface-number
     The interface view is displayed.
  4. Run:
     ip address dhcp-alloc
     The DHCP client function is enabled on the Switch.
l Enabling the BOOTP client function
  1. Run:
     system-view
     The system view is displayed.
  2. Run:
     dhcp enable
     DHCP is enabled.
  3. Run:
     interface interface-type interface-number
     The interface view is displayed.
  4. Run:
     ip address bootp-alloc
     The BOOTP client function is enabled on the Switch.
----End

Checking the Configuration


Procedure
l Run the display this command on the interface enabled with the DHCP client function to
  view configurations of DHCP/BOOTP clients.
l Run the display dhcp client command to view the DHCP/BOOTP client information.

----End

4.3.8 Maintaining DHCP


After DHCP configurations are complete, you can clear DHCP statistics and monitor DHCP
operation.

Clearing DHCP Statistics


Context
During routine maintenance, you can use the reset commands to clear DHCP statistics.

CAUTION
DHCP statistics cannot be restored after they are cleared. Exercise caution when running the
reset commands.

Procedure
l Run the reset dhcp server statistics command in the user view to clear DHCP server
  statistics.
l Run the reset dhcp statistics command in the user view to clear the DHCP message
  statistics.
l Run the reset dhcp relay statistics [ server-group group-name ] command in the user
  view to clear DHCP relay agent statistics.
l Run the reset dhcp client statistics [ interface interface-type interface-number ]
  command in the user view to clear DHCP client statistics.
l Run the reset dhcp relay user-table { all | ip-address ip-address | mac-address
  mac-address } command in the user view to clear user entries on a DHCP relay agent.
  NOTE
  You can perform this operation for WLAN users only.

----End

Monitoring DHCP Operation


Context
DHCP packet statistics contain only the number of packets received and sent by the DHCP
module.

Procedure
l Run the display dhcp statistics command to view DHCP message statistics.
l Run the display dhcp client statistics [ interface interface-type interface-number ]
  command to view statistics on the DHCP client.
l Run the display dhcp relay statistics [ server-group group-name ] command to view
  statistics on the DHCP relay agent.
l Run the display dhcp server statistics command to view statistics on the DHCP server.
l Run the display dhcp relay { all | interface interface-type interface-number } command
  to view the DHCP server group or the DHCP server on a VLANIF interface.

----End

4.3.9 Configuration Examples


This section provides DHCP configuration examples including networking requirements and
configuration roadmap.

Example for Configuring a DHCP Server Based on the Global Address Pool
Networking Requirements
As shown in Figure 4-11, an enterprise has two offices on the same network segment. To reduce
network construction cost, the enterprise uses one DHCP server to assign IP addresses for hosts
in the two offices.
All the hosts in Office1 are on the network segment 10.1.1.0/25 and added to VLAN 10. Hosts
in Office1 only use the DNS service with a lease of ten days. All the hosts in Office2 are on the
network segment 10.1.1.128/25 and added to VLAN 20. Hosts in Office2 use the DNS service
and NetBIOS service with a lease of two days.
You can configure a global address pool on SwitchA and enable the server to dynamically assign
IP addresses to hosts in the two offices.

Figure 4-11 Networking diagram for configuring a DHCP server based on the global address
pool
[Figure: SwitchA (DHCP server) connects through GE0/0/1 (VLANIF10, 10.1.1.1/25) to the
Office1 DHCP clients on network 10.1.1.0/25 and through GE0/0/2 (VLANIF20, 10.1.1.129/25)
to the Office2 DHCP clients on network 10.1.1.128/25, via the access switches SwitchB and
SwitchC. The DNS server (10.1.1.2/25) and the NetBIOS server (10.1.1.4/25) are on the
10.1.1.0/25 segment.]

Configuration Roadmap
The configuration roadmap is as follows:
1. Create two global address pools on SwitchA and set attributes of the pools, so that IP
   addresses are assigned to Office1 and Office2 as required.
2. Configure VLANIF interfaces to use the global address pools to assign IP addresses to
   clients.

Procedure
Step 1 Enable DHCP
<Quidway> system-view
[Quidway] sysname SwitchA
[SwitchA] dhcp enable

Step 2 Create address pools and set the attributes of the address pools
# Set the attributes of IP address pool 1, including the address pool range, DNS server address,
gateway address, and address lease.
[SwitchA] ip pool 1
[SwitchA-ip-pool-1] network 10.1.1.0 mask 255.255.255.128
[SwitchA-ip-pool-1] dns-list 10.1.1.2
[SwitchA-ip-pool-1] gateway-list 10.1.1.1
[SwitchA-ip-pool-1] excluded-ip-address 10.1.1.2
[SwitchA-ip-pool-1] excluded-ip-address 10.1.1.4
[SwitchA-ip-pool-1] lease day 10
[SwitchA-ip-pool-1] quit

# Set the attributes of IP address pool 2, including the address pool range, DNS server address,
egress gateway address, NetBIOS server address, and address lease
[SwitchA] ip pool 2
[SwitchA-ip-pool-2] network 10.1.1.128 mask 255.255.255.128
[SwitchA-ip-pool-2] dns-list 10.1.1.2
[SwitchA-ip-pool-2] nbns-list 10.1.1.4
[SwitchA-ip-pool-2] gateway-list 10.1.1.129
[SwitchA-ip-pool-2] lease day 2
[SwitchA-ip-pool-2] quit

Step 3 Set the address assignment mode on the VLANIF interfaces


# Add GigabitEthernet0/0/1 and GigabitEthernet0/0/2 to the corresponding VLANs.
[SwitchA] vlan batch 10 20
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port hybrid pvid vlan 10
[SwitchA-GigabitEthernet0/0/1] port hybrid untagged vlan 10
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port hybrid pvid vlan 20
[SwitchA-GigabitEthernet0/0/2] port hybrid untagged vlan 20
[SwitchA-GigabitEthernet0/0/2] quit

# Configure clients on VLANIF 10 to obtain IP addresses from the global address pool.
[SwitchA] interface vlanif 10
[SwitchA-Vlanif10] ip address 10.1.1.1 255.255.255.128
[SwitchA-Vlanif10] dhcp select global
[SwitchA-Vlanif10] quit

# Configure clients on VLANIF 20 to obtain IP addresses from the global address pool.
[SwitchA] interface vlanif 20
[SwitchA-Vlanif20] ip address 10.1.1.129 255.255.255.128
[SwitchA-Vlanif20] dhcp select global
[SwitchA-Vlanif20] quit

Step 4 Verify the configuration


Run the display ip pool command on the SwitchA to view the IP address pool configuration.
[SwitchA] display ip pool
  -----------------------------------------------------------------------
  Pool-name      : 1
  Pool-No        : 0
  Position       : Local
  Status         : Unlocked
  Gateway-0      : 10.1.1.1
  Mask           : 255.255.255.128
  VPN instance   : --
  -----------------------------------------------------------------------
  Pool-name      : 2
  Pool-No        : 1
  Position       : Local
  Status         : Unlocked
  Gateway-0      : 10.1.1.129
  Mask           : 255.255.255.128
  VPN instance   : --

  IP address Statistic
  Total     :250
  Used      :6       Idle     :242
  Expired   :0       Conflict :0       Disable :2

----End

Configuration Files
Configuration file of SwitchA
#
sysname SwitchA

#
vlan batch 10 20
#
dhcp enable
#
ip pool 1
gateway-list 10.1.1.1
network 10.1.1.0 mask 255.255.255.128
excluded-ip-address 10.1.1.2
excluded-ip-address 10.1.1.4
lease day 10 hour 0 minute 0
dns-list 10.1.1.2
#
ip pool 2
gateway-list 10.1.1.129
network 10.1.1.128 mask 255.255.255.128
lease day 2 hour 0 minute 0
dns-list 10.1.1.2
nbns-list 10.1.1.4
#
interface Vlanif10
ip address 10.1.1.1 255.255.255.128
dhcp select global
#
interface Vlanif20
ip address 10.1.1.129 255.255.255.128
dhcp select global
#
interface GigabitEthernet0/0/1
port hybrid pvid vlan 10
port hybrid untagged vlan 10
#
interface GigabitEthernet0/0/2
port hybrid pvid vlan 20
port hybrid untagged vlan 20
#
return

Example for Configuring a DHCP Server Based on the Interface Address Pool
Networking Requirements
As shown in Figure 4-12, an enterprise has two offices on the same network segment. To reduce
network construction cost, the enterprise uses one DHCP server to assign IP addresses for hosts
in the two offices.
All the hosts in Office1 are on the network segment 10.1.1.0/24 and added to VLAN 10. Hosts
in Office1 use the DNS service and NetBIOS service with a lease of thirty days. All the hosts
in Office2 are on the network segment 10.1.2.0/24 and added to VLAN 11. Hosts in Office2 do
not use the DNS service or NetBIOS service. The lease of their IP addresses is twenty days.

Figure 4-12 Networking diagram for configuring a DHCP server based on the VLANIF interface
address pool
[Figure: SwitchA (DHCP server) connects through GE0/0/1 (VLANIF10, 10.1.1.1/24) to SwitchB
and the Office1 DHCP clients, with the DNS server (10.1.1.2/24) and the NetBIOS server
(10.1.1.3/24) on that segment, and through GE0/0/2 (VLANIF11, 10.1.2.1/24) to SwitchC and
the Office2 DHCP clients.]

Configuration Roadmap
The configuration roadmap is as follows:
1. Create two interface address pools on SwitchA and set attributes of the address pools, so
   that the DHCP server assigns IP addresses and configuration parameters to hosts from
   different interface address pools.
2. Configure VLANIF interfaces to assign IP addresses to hosts from the interface address
   pool.

Procedure
Step 1 Enable DHCP
<Quidway> system-view
[Quidway] sysname SwitchA
[SwitchA] dhcp enable

Step 2 Add the interfaces to VLANs


# Add GE0/0/1 to VLAN 10.
[SwitchA] vlan batch 10 to 11
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port hybrid pvid vlan 10
[SwitchA-GigabitEthernet0/0/1] port hybrid untagged vlan 10
[SwitchA-GigabitEthernet0/0/1] quit

# Add GE0/0/2 to VLAN 11.


[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port hybrid pvid vlan 11

[SwitchA-GigabitEthernet0/0/2] port hybrid untagged vlan 11
[SwitchA-GigabitEthernet0/0/2] quit

Step 3 Assign IP addresses to VLANIF interfaces


# Assign an IP address to VLANIF 10.
[SwitchA] interface vlanif 10
[SwitchA-Vlanif10] ip address 10.1.1.1 24
[SwitchA-Vlanif10] quit

# Allocate an IP address to VLANIF 11.


[SwitchA] interface vlanif 11
[SwitchA-Vlanif11] ip address 10.1.2.1 24
[SwitchA-Vlanif11] quit

Step 4 Enable the VLANIF interface address pool


# Configure clients on VLANIF 10 to obtain IP addresses from the interface address pool.
[SwitchA] interface vlanif 10
[SwitchA-Vlanif10] dhcp select interface
[SwitchA-Vlanif10] quit

# Configure clients on VLANIF 11 to obtain IP addresses from the interface address pool.
[SwitchA] interface vlanif 11
[SwitchA-Vlanif11] dhcp select interface
[SwitchA-Vlanif11] quit

Step 5 Configure the DNS service and NetBIOS service for the interface address pool
# Configure the DNS service and NetBIOS service for the interface address pool on VLANIF
10.
[SwitchA] interface vlanif 10
[SwitchA-Vlanif10] dhcp server domain-name huawei.com
[SwitchA-Vlanif10] dhcp server dns-list 10.1.1.2
[SwitchA-Vlanif10] dhcp server nbns-list 10.1.1.3
[SwitchA-Vlanif10] dhcp server excluded-ip-address 10.1.1.2
[SwitchA-Vlanif10] dhcp server excluded-ip-address 10.1.1.3
[SwitchA-Vlanif10] dhcp server netbios-type b-node
[SwitchA-Vlanif10] quit

Step 6 Set IP address leases of IP address pools


# Set the IP address lease of VLANIF 10 address pool to 30 days.
[SwitchA] interface vlanif 10
[SwitchA-Vlanif10] dhcp server lease day 30
[SwitchA-Vlanif10] quit

# Set the IP address lease of VLANIF 11 address pool to 20 days.


[SwitchA] interface vlanif 11
[SwitchA-Vlanif11] dhcp server lease day 20
[SwitchA-Vlanif11] quit

Step 7 Verify the configuration


Run the display ip pool interface command on SwitchA to view interface address pool
configuration.
[SwitchA] display ip pool interface vlanif 10
  Pool-name      : Vlanif10
  Pool-No        : 0
  Lease          : 30 Days 0 Hours 0 Minutes
  Domain-name    : huawei.com
  DNS-server0    : 10.1.1.2
  NBNS-server0   : 10.1.1.3
  Netbios-type   : b-node
  Position       : Interface
  Status         : Unlocked
  Gateway-0      : 10.1.1.1
  Mask           : 255.255.255.0
  VPN instance   : --
  -----------------------------------------------------------------------------
  Start        End          Total  Used  Idle(Expired)  Conflict  Disable
  -----------------------------------------------------------------------------
  10.1.1.1     10.1.1.254   253    1     250(0)         0         2
  -----------------------------------------------------------------------------
[SwitchA] display ip pool interface vlanif 11
  Pool-name      : Vlanif11
  Pool-No        : 1
  Lease          : 20 Days 0 Hours 0 Minutes
  Domain-name    : -
  DNS-server0    : -
  NBNS-server0   : -
  Netbios-type   : -
  Position       : Interface
  Status         : Unlocked
  Gateway-0      : 10.1.2.1
  Mask           : 255.255.255.0
  VPN instance   : --
  -----------------------------------------------------------------------------
  Start        End          Total  Used  Idle(Expired)  Conflict  Disable
  -----------------------------------------------------------------------------
  10.1.2.1     10.1.2.254   253    3     250(0)         0         0
  -----------------------------------------------------------------------------

----End

Configuration Files
Configuration file of SwitchA
#
sysname SwitchA
#
vlan batch 10 to 11
#
dhcp enable
#
interface Vlanif10
ip address 10.1.1.1 255.255.255.0
dhcp select interface
dhcp server excluded-ip-address 10.1.1.2 10.1.1.3
dhcp server lease day 30 hour 0 minute 0
dhcp server dns-list 10.1.1.2
dhcp server netbios-type b-node
dhcp server nbns-list 10.1.1.3
dhcp server domain-name huawei.com
#
interface Vlanif11
ip address 10.1.2.1 255.255.255.0
dhcp select interface
dhcp server lease day 20 hour 0 minute 0
#
interface GigabitEthernet0/0/1
port hybrid pvid vlan 10
port hybrid untagged vlan 10
#
interface GigabitEthernet0/0/2
port hybrid pvid vlan 11
port hybrid untagged vlan 11
#
return

Example for Configuring a DHCP Server and a DHCP Relay Agent


Networking Requirements
When the DHCP server and clients are on different network segments, a DHCP relay agent is
required.
As shown in Figure 4-13, an enterprise has multiple offices, which are distributed in different
office buildings. The offices in different buildings belong to different VLANs. The enterprise
uses SwitchB, which functions as the DHCP server, to assign IP addresses to hosts in different
offices.
Hosts in OfficeA are on 20.20.20.0/24 and the DHCP server is on 100.10.10.0/24. SwitchA,
with DHCP relay enabled, lets the DHCP clients obtain IP addresses from the DHCP server.
On SwitchA, the public address of VLANIF200 is 100.10.20.1/24, and the carrier device
interface connected to SwitchA is 100.10.20.2/24.
On SwitchB, the public address of VLANIF300 is 100.10.10.1/24, and the carrier device
interface connected to SwitchB is 100.10.10.2/24.
Figure 4-13 DHCP relay agent
[Figure: DHCP clients in VLAN100 (OfficeA) connect through GE0/0/2 to SwitchA, the DHCP
relay (VLANIF100 20.20.20.1/24, VLANIF200 100.10.20.1/24); SwitchA reaches SwitchB, the
DHCP server (VLANIF300 100.10.10.1/24), across the Internet.]

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure DHCP relay on SwitchA so that SwitchA forwards DHCP messages between the
   client and server network segments.
2. Configure a global address pool for 20.20.20.0/24 on SwitchB so that the DHCP server can
   assign IP addresses to clients on a different network segment.

Procedure
Step 1 Configure DHCP relay on SwitchA.
1.

Create a DHCP server group and add DHCP servers to the group.
# Create a DHCP server group.
<Quidway> system-view
[Quidway] sysname SwitchA
[SwitchA] dhcp server group dhcpgroup1

# Add a DHCP server to the DHCP server group.


[SwitchA-dhcp-server-group-dhcpgroup1] dhcp-server 100.10.10.1
[SwitchA-dhcp-server-group-dhcpgroup1] quit

2.

Enable DHCP relay on the interface.


# Create a VLAN and add GE0/0/2 to the VLAN.
[SwitchA] vlan batch 100 200
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port hybrid pvid vlan 100
[SwitchA-GigabitEthernet0/0/2] port hybrid untagged vlan 100
[SwitchA-GigabitEthernet0/0/2] quit

# Enable DHCP globally and DHCP relay on the interface.


[SwitchA] dhcp enable
[SwitchA] interface vlanif 100
[SwitchA-Vlanif100] dhcp select relay
[SwitchA-Vlanif100] quit

3.

Bind an interface to a DHCP server group.


# Assign IP addresses to interfaces.
[SwitchA] interface vlanif 100
[SwitchA-Vlanif100] ip address 20.20.20.1 24

# Bind the interface to the DHCP server group.


[SwitchA-Vlanif100] dhcp relay server-select dhcpgroup1
[SwitchA-Vlanif100] quit

Step 2 Configure a default route on SwitchA.


[SwitchA] interface vlanif 200
[SwitchA-Vlanif200] ip address 100.10.20.1 24
[SwitchA-Vlanif200] quit
[SwitchA] ip route-static 0.0.0.0 0.0.0.0 100.10.20.2

Step 3 Configure the DHCP server based on the global address pool on SwitchB.
# Enable DHCP.
<Quidway> system-view
[Quidway] sysname SwitchB

[SwitchB] dhcp enable

# Configure VLANIF300 to use the global address pool.


[SwitchB] vlan 300
[SwitchB-vlan300] quit
[SwitchB] interface vlanif 300
[SwitchB-Vlanif300] ip address 100.10.10.1 24
[SwitchB-Vlanif300] dhcp select global
[SwitchB-Vlanif300] quit

# Create an address pool and set the attributes of the address pool.
[SwitchB] ip pool pool1
[SwitchB-ip-pool-pool1] network 20.20.20.0 mask 24
[SwitchB-ip-pool-pool1] gateway-list 20.20.20.1
[SwitchB-ip-pool-pool1] quit

Step 4 Configure a default route on SwitchB.


[SwitchB] ip route-static 0.0.0.0 0.0.0.0 100.10.10.2

Step 5 Verify the configuration.


# Run the display dhcp relay interface vlanif 100 command on SwitchA to view the DHCP
relay configuration on the interface.
[SwitchA] display dhcp relay interface vlanif 100
DHCP relay agent running information of interface Vlanif100 :
Server group name : dhcpgroup1
Gateway address in use : 20.20.20.1

# Run the display ip pool command on SwitchB to view the IP address pool configuration.
[SwitchB] display ip pool
  -----------------------------------------------------------------------
  Pool-name      : pool1
  Pool-No        : 0
  Position       : Local
  Status         : Unlocked
  Gateway-0      : 20.20.20.1
  Mask           : 255.255.255.0
  VPN instance   : --

  IP address Statistic
  Total     :253
  Used      :2       Idle     :251
  Expired   :0       Conflict :0       Disable :0

----End

Configuration Files
Configuration file of SwitchA
#
sysname SwitchA
#
vlan batch 100 200
#
dhcp enable
#
dhcp server group dhcpgroup1
dhcp-server 100.10.10.1 0
#
interface Vlanif100
ip address 20.20.20.1 255.255.255.0
dhcp select relay
dhcp relay server-select dhcpgroup1
#

interface Vlanif200
ip address 100.10.20.1 255.255.255.0
#
interface GigabitEthernet0/0/2
port hybrid pvid vlan 100
port hybrid untagged vlan 100
#
ip route-static 0.0.0.0 0.0.0.0 100.10.20.2
#
return

Configuration file of SwitchB


#
sysname SwitchB
#
vlan batch 300
#
dhcp enable
#
ip pool pool1
gateway-list 20.20.20.1
network 20.20.20.0 mask 255.255.255.0
#
interface Vlanif300
ip address 100.10.10.1 255.255.255.0
dhcp select global
#
ip route-static 0.0.0.0 0.0.0.0 100.10.10.2
#
return

Example for Configuring the DHCP and BOOTP Clients


Networking Requirements
As shown in Figure 4-14, SwitchA functions as a DHCP client, and SwitchB functions as a
DHCP server. SwitchA dynamically obtains an IP address, a DNS server address, and a gateway
address from SwitchB.
Figure 4-14 Networking diagram for configuring DHCP clients
[Figure: SwitchA (DHCP client, VLANIF10) connects through GigabitEthernet0/0/1 to SwitchB
(DHCP server, VLANIF10 192.168.1.1/24, GigabitEthernet0/0/1); the DNS server
(192.168.1.2/24) and the gateway (192.168.1.126/24) are on the same VLAN 10 segment.]

Configuration Roadmap
The configuration roadmap is as follows:
1. Enable the DHCP client function on SwitchA so that SwitchA can dynamically obtain an IP
   address from the DHCP server.
2. Create a global address pool on SwitchB and configure related attributes.

Configure the DHCP client function on SwitchA

Procedure
# Enable the DHCP service
<Quidway> system-view
[Quidway] sysname SwitchA
[SwitchA] dhcp enable

# Create VLAN 10 and add GigabitEthernet0/0/1 to VLAN 10


[SwitchA] vlan 10
[SwitchA-vlan10] quit
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 10
[SwitchA-GigabitEthernet0/0/1] quit

# Enable the DHCP client function on VLANIF 10


[SwitchA] interface vlanif 10
[SwitchA-Vlanif10] ip address dhcp-alloc

Create a global address pool on SwitchB and configure related attributes


1.

Enable the DHCP service


<Quidway> system-view
[Quidway] sysname SwitchB
[SwitchB] dhcp enable

2.

Create VLAN 10 and add GigabitEthernet0/0/1 to VLAN 10


[SwitchB] vlan 10
[SwitchB-vlan10] quit
[SwitchB] interface gigabitethernet 0/0/1
[SwitchB-GigabitEthernet0/0/1] port link-type trunk
[SwitchB-GigabitEthernet0/0/1] port trunk allow-pass vlan 10
[SwitchB-GigabitEthernet0/0/1] quit

3.

Configure Vlanif10 to select a global address pool for IP address allocation


[SwitchB] interface vlanif 10
[SwitchB-Vlanif10] ip address 192.168.1.1 24
[SwitchB-Vlanif10] dhcp select global
[SwitchB-Vlanif10] quit

4.

Create an address pool and configure related attributes


[SwitchB] ip pool pool1
[SwitchB-ip-pool-pool1] network 192.168.1.0 mask 24
[SwitchB-ip-pool-pool1] gateway-list 192.168.1.126
[SwitchB-ip-pool-pool1] dns-list 192.168.1.2
[SwitchB-ip-pool-pool1] quit

Verify the configuration


# Run the display current-configuration command on SwitchA to view the configuration
of the DHCP client function
[SwitchA] display current-configuration
...

#
interface Vlanif 10
ip address dhcp-alloc
#
...

# After VLANIF10 obtains an IP address, run the display dhcp client command on
SwitchA to check the status of the DHCP client on VLANIF10
[SwitchA] display dhcp client
DHCP client lease information on interface Vlanif10 :
  Current machine state         : Bound
  Internet address assigned via : DHCP
  Physical address              : 0018-8201-0987
  IP address                    : 192.168.1.254
  Subnet mask                   : 255.255.255.0
  Gateway ip address            : 192.168.1.126
  DHCP server                   : 192.168.1.1
  Lease obtained at             : 2008-11-06 02:48:09
  Lease expires at              : 2008-11-06 03:48:09
  Lease renews at               : 2008-11-06 03:18:09
  Lease rebinds at              : 2008-11-06 03:40:39
  DNS                           : 192.168.1.2

# Run the display ip pool command on SwitchB to view the IP address pool configuration
of SwitchB
[SwitchB] display ip pool
  -----------------------------------------------------------------------
  Pool-name      : pool1
  Pool-No        : 0
  Position       : Local
  Status         : Unlocked
  Gateway-0      : 192.168.1.126
  Mask           : 255.255.255.0
  VPN instance   : --

  IP address Statistic
  Total     :253
  Used      :1       Idle     :252
  Expired   :0       Conflict :0       Disable :0

----End

Configuration Files
Configuration file of SwitchA
#
sysname SwitchA
#
vlan batch 10
#
dhcp enable
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 10
#
interface Vlanif10
ip address dhcp-alloc
#
return

Configuration file of SwitchB

#
sysname SwitchB
#
vlan batch 10
#
dhcp enable
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 10
#
interface Vlanif10
ip address 192.168.1.1 24
dhcp select global
#
ip pool pool1
gateway-list 192.168.1.126
network 192.168.1.0 mask 24
dns-list 192.168.1.2
#
return

Example for Configuring the BOOTP Clients


Networking Requirements
As shown in Figure 4-15, SwitchA functions as a BOOTP client and SwitchB functions as a
DHCP server. SwitchA obtains an IP address, a DNS server address, and a gateway address
from SwitchB.

Figure 4-15 Networking diagram for configuring BOOTP clients
[Figure: SwitchA (BOOTP client, VLANIF10) connects through GigabitEthernet0/0/1 to
GigabitEthernet0/0/1 on SwitchB (DHCP server, VLANIF10 192.168.1.1/24). The gateway
(VLANIF10 192.168.1.126/24) and the DNS server (VLANIF10 192.168.1.2/24) are on the
same VLAN.]

Configuration Roadmap
The configuration roadmap is as follows:
1. Enable the BOOTP client function on SwitchA so that SwitchA can dynamically obtain an
IP address from the DHCP server.
2. Create a global address pool on SwitchB, enable the DHCP server to serve BOOTP
clients, and configure related attributes.

Configure the BOOTP client function on SwitchA

Procedure
# Enable the DHCP service.
<Quidway> system-view
[Quidway] sysname SwitchA
[SwitchA] dhcp enable

# Create VLAN 10 and add GigabitEthernet0/0/1 to VLAN 10


[SwitchA] vlan 10
[SwitchA-vlan10] quit
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 10
[SwitchA-GigabitEthernet0/0/1] quit

# Enable the BOOTP client function on the VLANIF interface.

[SwitchA] interface vlanif 10
[SwitchA-Vlanif10] ip address bootp-alloc
[SwitchA-Vlanif10] quit

Create a global address pool on SwitchB and configure related attributes

1. Enable the DHCP service and enable the DHCP server to allocate addresses to BOOTP
clients.

<Quidway> system-view
[Quidway] sysname SwitchB
[SwitchB] dhcp enable
[SwitchB] dhcp server bootp
[SwitchB] dhcp server bootp automatic

2. Create VLAN 10 and add GigabitEthernet0/0/1 to VLAN 10.

[SwitchB] vlan 10
[SwitchB-Vlan10] quit
[SwitchB] interface gigabitethernet 0/0/1
[SwitchB-GigabitEthernet0/0/1] port link-type trunk
[SwitchB-GigabitEthernet0/0/1] port trunk allow-pass vlan 10
[SwitchB-GigabitEthernet0/0/1] quit

3.

Configure VLANIF10 to select a global address pool for IP address allocation


[SwitchB] interface vlanif 10
[SwitchB-Vlanif10] ip address 192.168.1.1 24
[SwitchB-Vlanif10] dhcp select global
[SwitchB-Vlanif10] quit

4. Create an address pool and configure related attributes.

[SwitchB] ip pool pool1
[SwitchB-ip-pool-pool1] network 192.168.1.0 mask 24
[SwitchB-ip-pool-pool1] gateway-list 192.168.1.126
[SwitchB-ip-pool-pool1] dns-list 192.168.1.2
[SwitchB-ip-pool-pool1] quit

Verify the configuration.

# Run the display current-configuration command on SwitchA. You can view the
configuration of the BOOTP client function.
[SwitchA] display current-configuration
...
#
interface Vlanif10
ip address bootp-alloc
#
...

# After VLANIF10 obtains an IP address, run the display dhcp client command on
SwitchA to check the status of the BOOTP client on VLANIF10. No lease expiry, renewal,
or rebinding time is shown because BOOTP assigns the address without a lease.
[SwitchA] display dhcp client
BOOTP client lease information on interface Vlanif10 :
Current machine state          : Bound
Internet address assigned via  : BOOTP
Physical address               : 0018-8201-0987
IP address                     : 192.168.1.254
Subnet mask                    : 255.255.255.0
Gateway ip address             : 192.168.1.126
Lease obtained at              : 2008-11-06 23:04:47
DNS                            : 192.168.1.2

# Run the display ip pool command on SwitchB. You can view the configuration about
the IP address pool of SwitchB.
[SwitchB] display ip pool
----------------------------------------------------------------------
Pool-name      : pool1
Pool-No        : 0
Position       : Local
Status         : Unlocked
Gateway-0      : 192.168.1.126
Mask           : 255.255.255.0
VPN instance   : --
----------------------------------------------------------------------
IP address Statistic
Total          :253
Used           :1       Idle      :252
Expired        :0       Conflict  :0       Disable   :0

----End

Configuration Files
Configuration file of Switch A
#
sysname SwitchA
#
vlan batch 10
#
dhcp enable
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 10
#
interface Vlanif10
ip address bootp-alloc
#
return

Configuration file of Switch B

#
sysname SwitchB
#
vlan batch 10
#
dhcp enable
#
dhcp server bootp
dhcp server bootp automatic
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 10
#
interface Vlanif10
ip address 192.168.1.1 24
dhcp select global
#
ip pool pool1
gateway-list 192.168.1.126
network 192.168.1.0 mask 24
dns-list 192.168.1.2
#
return
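The two display dhcp client outputs above differ in one way: the DHCP client shows lease
expiry, renewal and rebinding times, the BOOTP client shows only the time the address was
obtained. The reason is on the wire: a DHCP server reply carries option 53 (message type) and
option 51 (lease time), a plain BOOTP reply carries neither. The following decoder, added here
as an example and not code from the Huawei guide, builds one reply of each kind (constructed
test data using the MAC address and addresses from the outputs above) and maps the fields back
onto what the switch prints. It uses only the Python standard library; the renew and rebind
values are the RFC 2131 defaults (one half and seven eighths of the lease), which is exactly
where the 03:18:09 and 03:40:39 times in the DHCP output come from.

```python
"""Decode a BOOTREPLY and tell a DHCP assignment from a plain BOOTP one.

Added example, not code from the Huawei guide; standard library only. Layout follows
RFC 951 (fixed BOOTP header) and RFC 2132 (options); the two replies at the bottom are
constructed test data modelled on the guide's 'display dhcp client' output."""
import ipaddress
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"   # start of the option area (RFC 1497)
OPT_PAD, OPT_SUBNET, OPT_ROUTER, OPT_DNS = 0, 1, 3, 6
OPT_LEASE, OPT_MSGTYPE, OPT_SERVER_ID, OPT_END = 51, 53, 54, 255
DHCP_MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK"}
FIXED_LEN = 236                       # op .. file; cookie and options follow


def ip4(text):
    return ipaddress.IPv4Address(text).packed


def build_reply(yiaddr, siaddr, chaddr, options):
    """Construct a BOOTREPLY (op=2, Ethernet hardware). options: list of (code, bytes)."""
    fixed = struct.pack("!BBBBIHH4s4s4s4s16s64s128s",
                        2, 1, 6, 0, 0x3903F326, 0, 0,
                        b"\0" * 4, ip4(yiaddr), ip4(siaddr), b"\0" * 4,
                        chaddr.ljust(16, b"\0"), b"", b"")
    body = b"".join(bytes([code, len(val)]) + val for code, val in options)
    return fixed + MAGIC_COOKIE + body + bytes([OPT_END])


def parse_options(raw):
    """Walk the TLV option area into {code: value}; PAD is skipped, END stops parsing.
    Length bytes are validated so a truncated packet raises instead of mis-slicing."""
    opts, i = {}, 0
    while i < len(raw):
        code = raw[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:
            i += 1
            continue
        if i + 1 >= len(raw):
            raise ValueError("option %d has no length byte" % code)
        length = raw[i + 1]
        val = raw[i + 2:i + 2 + length]
        if len(val) != length:
            raise ValueError("option %d truncated" % code)
        opts[code] = val
        i += 2 + length
    return opts


def decode_reply(pkt):
    """Map a reply onto the fields 'display dhcp client' prints."""
    if len(pkt) < FIXED_LEN:
        raise ValueError("shorter than the fixed BOOTP header")
    if pkt[0] != 2:
        raise ValueError("not a BOOTREPLY")
    hlen = pkt[2]
    info = {
        "ip": str(ipaddress.IPv4Address(pkt[16:20])),       # yiaddr
        "server": str(ipaddress.IPv4Address(pkt[20:24])),   # siaddr
        "mac": pkt[28:28 + hlen].hex(),                     # chaddr
    }
    has_cookie = pkt[FIXED_LEN:FIXED_LEN + 4] == MAGIC_COOKIE
    opts = parse_options(pkt[FIXED_LEN + 4:]) if has_cookie else {}
    if OPT_SUBNET in opts:
        info["mask"] = str(ipaddress.IPv4Address(opts[OPT_SUBNET]))
    if OPT_ROUTER in opts:
        info["gateway"] = str(ipaddress.IPv4Address(opts[OPT_ROUTER][:4]))
    if OPT_DNS in opts:
        dns = opts[OPT_DNS]
        info["dns"] = [str(ipaddress.IPv4Address(dns[k:k + 4])) for k in range(0, len(dns) - 3, 4)]
    if OPT_MSGTYPE in opts:                # option 53 exists only in DHCP
        info["via"] = "DHCP"
        info["msg_type"] = DHCP_MSG_TYPES.get(opts[OPT_MSGTYPE][0], "?")
        if OPT_LEASE in opts:
            lease = struct.unpack("!I", opts[OPT_LEASE])[0]
            info["lease_seconds"] = lease
            info["renew_seconds"] = lease // 2          # T1 default (RFC 2131 4.4.5)
            info["rebind_seconds"] = lease * 7 // 8     # T2 default
    else:
        info["via"] = "BOOTP"                # no lease: the address is held until released
    return info


# Constructed samples (not captured traffic); MAC and addresses come from the guide's output.
MAC = bytes.fromhex("001882010987")
COMMON = [(OPT_SUBNET, ip4("255.255.255.0")), (OPT_ROUTER, ip4("192.168.1.126")),
          (OPT_DNS, ip4("192.168.1.2"))]
DHCP_ACK = build_reply("192.168.1.254", "192.168.1.1", MAC,
                       [(OPT_MSGTYPE, b"\x05"), (OPT_SERVER_ID, ip4("192.168.1.1")),
                        (OPT_LEASE, struct.pack("!I", 3600))] + COMMON)
BOOTP_REPLY = build_reply("192.168.1.254", "192.168.1.1", MAC, COMMON)

if __name__ == "__main__":
    for name, pkt in (("DHCP ACK", DHCP_ACK), ("BOOTP reply", BOOTP_REPLY)):
        print(name, decode_reply(pkt))
```

The option walker checks every length byte before slicing; a reply that claims more option
bytes than it carries raises rather than silently producing a short value, which is the
behaviour you want from anything that parses packets off an access VLAN.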


4.3.10 Common Configuration Errors


This section provides DHCP troubleshooting procedures.

DHCP Client Cannot Obtain IP Addresses When Switch Functions as the DHCP
Server
Fault Description
When the Switch functions as the DHCP server, the DHCP client cannot obtain IP addresses.

Procedure
Step 1 Run the display current-configuration | include dhcp enable command to check whether
DHCP is enabled. By default, DHCP is disabled.
l If no DHCP information is displayed, DHCP is disabled. Run the dhcp enable command to
enable DHCP.
l If dhcp enable is displayed, DHCP is enabled. Go to step 2.
Step 2 In the VLANIF interface view, run the display this command to check whether the DHCP address
assignment mode is set.
l If dhcp select global is displayed, the DHCP server assigns IP addresses to clients from the
global address pool. Go to step 3.
l If dhcp select interface is displayed, the DHCP server assigns IP addresses to clients from
the interface address pool. Go to step 4.
l If neither command is displayed, the DHCP address assignment mode is not set on the VLANIF
interface. Run the dhcp select global or dhcp select interface command to set the DHCP
address assignment mode on the interface.

Step 3 Run the display ip pool command to check whether the global address pool has been created.
l If the global address pool has not been created, run the ip pool ip-pool-name and network
ip-address [ mask { mask | mask-length } ] commands to create a global address pool and
set the range of IP addresses that can be dynamically assigned.
l If the global address pool has been created, obtain the value of ip-pool-name. Then run the
display ip pool name ip-pool-name command to check whether the IP addresses in the global
address pool are on the same network segment as the IP address on the interface.
If the client and server are located on the same network segment and no relay agent is
deployed:
If IP addresses in the global address pool and the VLANIF interface IP address are
located on different network segments, run the ip address ip-address { mask | mask-length }
[ sub ] command to change the VLANIF interface IP address to be on the same network
segment as IP addresses in the global address pool.
If IP addresses in the global address pool and the VLANIF interface IP address are
located on the same network segment, go to step 4.
If the client and server are located on different network segments and a relay agent is
deployed:
If IP addresses in the global address pool and the relay agent interface IP address are
located on different network segments, run the ip address ip-address { mask | mask-length }
[ sub ] command on the relay agent to change the interface IP address to be on the same
network segment as IP addresses in the global address pool.
If IP addresses in the global address pool and the relay agent interface IP address are
located on the same network segment, go to step 4.
Step 4 Run the display ip pool [ { interface interface-pool-name | name ip-pool-name } [ start-ip-address
[ end-ip-address ] | all | conflict | expired | used ] ] command to check the usage of IP
addresses in the global or interface address pool. If the value of Idle (Expired) is 0, the IP
addresses in the address pool have been used up.
l If the server assigns IP addresses to clients from the global address pool on the interface,
create a new global address pool whose network segment is reachable from the previous
network segment but does not overlap with it.
l If the DHCP server allocates IP addresses to clients from the interface address pool, you can
reduce the mask length of the interface IP address so that more IP addresses can be allocated.
----End
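Steps 1 to 4 above are a mechanical walk over two command outputs, which makes them a
good candidate for a script run before anyone opens a ticket. The following audit is an
added example, not code from the Huawei guide: it parses the text of display
current-configuration (blocks separated by # lines, in the layout of the configuration
files earlier in this chapter) and the Idle counters from display ip pool, and reports the
same findings the procedure leads to. Both inputs are constructed samples; Vlanif10 and pool1
are the ones from the DHCP client example, Vlanif20 and Vlanif30 are made up to exercise the
failure branches. The "same network segment" test is the one the procedure states (pool
network equal to the interface network), so the relay case, where the pool has to match the
relay agent's interface rather than the server's, is out of scope here. An Idle count of 0 is
also what a burst of lease requests from one segment produces, so the check is worth
scheduling rather than running only when clients complain.

```python
"""Audit a DHCP server configuration the way the troubleshooting steps above do.

Added example, not part of the Huawei guide; standard library only. Inputs are the text
of 'display current-configuration' and, optionally, 'display ip pool'. Both samples below
are constructed: Vlanif10/pool1 follow the guide, Vlanif20 and Vlanif30 are invented
to show the failure cases."""
import ipaddress
import re

SAMPLE_CONFIG = """\
#
sysname SwitchB
#
dhcp enable
#
interface Vlanif10
 ip address 192.168.1.1 24
 dhcp select global
#
interface Vlanif20
 ip address 10.0.0.1 255.255.255.0
 dhcp select global
#
interface Vlanif30
 ip address 172.16.0.1 24
#
ip pool pool1
 gateway-list 192.168.1.126
 network 192.168.1.0 mask 24
 dns-list 192.168.1.2
#
return
"""

# Constructed 'display ip pool' extract for pool1, one field per line.
SAMPLE_POOL_OUTPUT = """\
Pool-name      : pool1
Gateway-0      : 192.168.1.126
Mask           : 255.255.255.0
Total          :253
Used           :252
Idle           :0
Expired        :1
"""


def split_blocks(config):
    """Split VRP configuration text at the '#' separator lines."""
    blocks, current = [], []
    for line in config.splitlines():
        if line.strip() == "#":
            if current:
                blocks.append(current)
            current = []
        elif line.strip():
            current.append(line.strip())
    if current:
        blocks.append(current)
    return blocks


def parse_pool_idle(output):
    """Return {pool_name: idle_count} from 'display ip pool' text."""
    stats, name = {}, None
    for line in output.splitlines():
        m = re.match(r"Pool-name\s*:\s*(\S+)", line)
        if m:
            name = m.group(1)
        m = re.match(r"Idle\s*:\s*(\d+)", line)
        if m and name:
            stats[name] = int(m.group(1))
    return stats


def audit_dhcp_server(config, pool_idle=None):
    """Return [(scope, finding)] following steps 1-4 of the procedure above.
    pool_idle: optional {pool_name: idle_count} from parse_pool_idle()."""
    blocks = split_blocks(config)
    findings = []
    if ["dhcp enable"] not in blocks:                               # step 1
        findings.append(("global", "DHCP is disabled; run 'dhcp enable'"))
    pools = {}                                                      # name -> network
    for b in blocks:
        if b[0].startswith("ip pool "):
            for line in b[1:]:
                m = re.match(r"network (\S+) mask (\S+)", line)
                if m:
                    pools[b[0].split()[2]] = ipaddress.ip_network(
                        f"{m.group(1)}/{m.group(2)}", strict=False)
    for b in blocks:
        if not b[0].startswith("interface Vlanif"):
            continue
        ifname, net, mode = b[0].split()[1], None, None
        for line in b[1:]:
            m = re.match(r"ip address (\d+\.\d+\.\d+\.\d+) (\S+)", line)
            if m:
                net = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}").network
            elif line.startswith("dhcp select "):
                mode = line.split()[2]
        if net is None:
            continue                        # no static IPv4 address: not a server interface
        if mode is None:                                            # step 2
            findings.append((ifname, "no 'dhcp select global|interface' on the interface"))
        elif mode == "global":                                      # step 3
            matching = [n for n, p in pools.items() if p == net]
            if not pools:
                findings.append((ifname, "no global pool exists; run 'ip pool' and 'network'"))
            elif not matching:
                findings.append((ifname, f"no global pool on {net}; pools are {sorted(pools)}"))
            for n in matching:                                      # step 4
                if pool_idle is not None and pool_idle.get(n) == 0:
                    findings.append((ifname, f"pool {n} is exhausted (Idle 0)"))
    return findings


if __name__ == "__main__":
    for scope, text in audit_dhcp_server(SAMPLE_CONFIG, parse_pool_idle(SAMPLE_POOL_OUTPUT)):
        print(f"{scope}: {text}")
```

Both mask forms that VRP prints (prefix length and dotted mask) are accepted, because
display current-configuration and the configuration files in this chapter use either.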

DHCP Client Cannot Obtain IP Addresses When Switch Functions as the DHCP
Relay Agent
Fault Description
When the Switch functions as the DHCP relay agent, the DHCP client cannot obtain IP addresses.

Procedure
Step 1 Run the display current-configuration | include dhcp enable command to check whether
DHCP is enabled. By default, DHCP is disabled.
l If no DHCP information is displayed, DHCP is disabled. Run the dhcp enable command to
enable DHCP.
l If dhcp enable is displayed, DHCP is enabled. Go to step 2.
Step 2 In the VLANIF interface view, run the display this command to check whether the DHCP relay
function is enabled.
l If dhcp select relay is displayed, the DHCP relay function is enabled. Go to step 3.
l If no information is displayed, the DHCP relay function is disabled. Run the dhcp select
relay command to enable the DHCP relay function.
Step 3 In the VLANIF interface view, run the display this command to check whether the DHCP server
is configured on the DHCP relay agent.
l If dhcp relay server-ip ip-address is displayed, the DHCP server IP address is configured
on the DHCP relay agent.
l If dhcp relay server-select group-name is displayed, the interface on the DHCP relay agent
is bound to a DHCP server group. Go to step 4.
l If no information is displayed, the DHCP server IP address is not configured on the DHCP
relay agent. Configure the DHCP server using either of the following methods:
Run the dhcp relay server-ip ip-address command to configure the DHCP server IP
address on the DHCP relay agent.
Run the dhcp-server command to add DHCP servers to the DHCP server group and run
the dhcp relay server-select group-name command to bind the VLANIF interface to a
DHCP server group.
Step 4 Run the display dhcp server group group-name command to check whether DHCP servers are
configured in the DHCP server group.
l If the Server-IP field is displayed, DHCP servers are configured in the DHCP server group.
l If the Server-IP field is not displayed, DHCP servers are not configured in the DHCP server
group. Run the dhcp-server command to add DHCP servers to the DHCP server group.
----End

4.4 IP Performance Configuration


This chapter describes the basic concepts of IP performance, and provides configuration
procedures and examples of IP performance.

4.4.1 Introduction to IP Performance


On certain networks, you need to change IP parameters to optimize the performance of networks.
Here, IP performance parameters supported by the AC6605 are described.

4.4.2 IP Performance Supported by the AC6605


ICMP
l ICMP Host Unreachable Messages

When forwarding packets, the device discards a packet and returns an ICMP host
unreachable message to the source, telling the source to stop sending packets to this
destination, in the following situations:
There is no route to the destination.
The packet is not destined for the device itself.

l ICMP Packet Sending Switches

In normal circumstances, ICMP host unreachable messages help keep packet transmission
normal. However, when devices encounter the preceding conditions frequently, they send a
large number of ICMP messages and network traffic becomes heavy. This increases the traffic
burden. In the case of malicious attacks, network congestion becomes worse.
To solve this problem, a control switch is added on the outgoing interface of ICMP
messages. This switch enables or disables the sending of ICMP host unreachable messages.
If the switch is disabled, the device does not send ICMP host unreachable packets. This
reduces the traffic burden and protects the network from malicious attacks.

4.4.3 Optimizing IP Performance


This section describes how to optimize IP performance of a certain network by setting IP
performance parameters.

Establishing the Configuration Task


Applicable Environment
On certain networks, you need to change IP performance parameters to optimize the
performance. To optimize the performance, you need to set parameters.

Pre-configuration Tasks
Before optimizing IP performance, complete the following tasks:
l Connecting interfaces and setting physical parameters of the interfaces to ensure that the
physical layer of the interfaces is in the Up state
l Setting parameters of the link layer protocol for the interfaces to ensure that the status of
the link layer protocol on the interfaces is Up
l Assigning IP addresses to interfaces
l Configuring access control lists (ACLs)

Data Preparation
To optimize IP performance, you need the following data.
No. Data
1 Number of the interface
2 Number of the interface which needs source address verification
3 Number of the interface which needs to forward broadcast packets and ACL number
which is used to specify the broadcast packets
4 Number of the interface which needs to configure ICMP host-unreachable
5 SYN-WAIT timer, FIN-WAIT timer, receiving and sending buffer size of the socket

Enabling an Interface to Check the Source IP Addresses of Packets


Context
Do as follows on the AC6605.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
vlan vlan-id

A VLAN is created.
Step 3 Run:
quit

The system view is displayed.


Step 4 Run:
interface vlanif vlan-id

The VLANIF interface view is displayed.


Step 5 Run:
ip verify source-address

The interface is enabled to check the source IP addresses.


By default, the function is disabled on all interfaces.
----End

Configuring ICMP Attributes


Context
By default, the AC6605 is enabled to send ICMP redirection packets and ICMP host unreachable
packets. The fast ICMP reply function is disabled on an AC6605.

CAUTION
l If the AC6605 is disabled from sending ICMP redirection packets, the AC6605 does not send
ICMP redirection packets in any case.
l If the AC6605 is disabled from sending ICMP host unreachable packets, the AC6605 does
not send ICMP host unreachable packets in any case.
Do as follows on the AC6605.

Procedure
Step 1 Run:
system-view

The system view is displayed.



Step 2 Run:
icmp-reply fast

The fast ICMP reply function is enabled.


NOTE

After the fast ICMP reply function is enabled on the AC6605, the AC6605 can respond to ICMP Echo
request packets quickly in the following situations:
l The AC6605 does not have the ARP entry of the device that initiates the ping. However, the
AC6605 cannot learn the ARP entry of this device in this case.
l The AC6605 does not have a route to the device that initiates the ping.
l The checksum of the received ICMP Echo request packet is incorrect.

Step 3 Run:
icmp ttl-exceeded drop { slot slot-id | all }

The LPU is configured to discard the ICMP packets whose TTL values are 1.
Step 4 Run:
icmp with-options drop { slot slot-id | all }

The LPU is configured to discard the ICMP packets that carry options.
Step 5 Run:
icmp unreachable drop

The AC6605 is configured to discard the ICMP Destination Unreachable packets.


Step 6 Run:
icmp port-unreachable send

The AC6605 is configured to send ICMP Port Unreachable packets.


Step 7 Run:
icmp host-unreachable send

The AC6605 is configured to send ICMP Host Unreachable packets.


NOTE

The relationship between the icmp host-unreachable send (system view) and the icmp host-unreachable
send (interface view) commands are as follows:
l When the AC6605 is disabled from sending ICMP Host Unreachable packets, all the interfaces of the
AC6605 do not send the ICMP Host Unreachable packets even if you run the undo icmp host-unreachable
send (interface view) command in the interface view.
l When the AC6605 is enabled to send ICMP Host Unreachable packets, all the interfaces of the AC6605 can
send ICMP Host Unreachable packets, which conforms to the default setting. In this case, you can run the
undo icmp host-unreachable send (interface view) command to disable a specified interface from sending
the ICMP Host Unreachable packets.
l The AC6605 does not support global ICMP packet suppression.

Step 8 Run:
interface vlanif vlan-id

The VLANIF interface view is displayed.


Step 9 Run:
icmp redirect send


The interface is enabled to send ICMP redirection packets.


Step 10 Run:
icmp host-unreachable send

The interface is enabled to send ICMP host unreachable packets.


----End
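The procedure above switches two message types on and off: the Echo Request that icmp-reply
fast answers (even, per the note, when its checksum is wrong) and the Destination Unreachable,
code 1 (host unreachable), that the device returns when it drops a packet it has no route for.
The following block, added here as an example and not code from the Huawei guide, builds both
messages from the RFC 792 layouts with an RFC 1071 checksum, shows that a host unreachable quotes
the dropped packet's IP header plus eight bytes of payload (which is how the sender maps the
error back to a flow), and classifies received messages only after verifying the checksum. The
IPv4 packet and addresses are constructed test data; standard library only.

```python
"""Construct and check ICMP Echo Request and Destination Unreachable (host unreachable).

Added example, not from the Huawei guide; standard library only. Formats follow RFC 792,
the checksum RFC 1071. The IPv4 packet built at the bottom is constructed test data."""
import ipaddress
import struct

ICMP_ECHO_REPLY, ICMP_DEST_UNREACH, ICMP_ECHO_REQUEST = 0, 3, 8
UNREACH_CODES = {0: "net-unreachable", 1: "host-unreachable", 3: "port-unreachable"}


def inet_checksum(data):
    """RFC 1071 ones'-complement sum over 16-bit words (odd length is zero-padded).
    Over a message whose checksum field is already filled in, the result is 0."""
    if len(data) % 2:
        data += b"\0"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src, dst, proto, payload_len, ttl=64):
    """Minimal 20-byte IPv4 header with a valid header checksum (no options)."""
    fields = [0x45, 0, 20 + payload_len, 0x1234, 0, ttl, proto, 0,
              ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed]
    raw = struct.pack("!BBHHHBBH4s4s", *fields)
    fields[7] = inet_checksum(raw)
    return struct.pack("!BBHHHBBH4s4s", *fields)


def icmp_echo_request(ident, seq, payload=b""):
    """Type 8 code 0: header, identifier, sequence number, then payload."""
    head = struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, 0, ident, seq)
    csum = inet_checksum(head + payload)
    return struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, csum, ident, seq) + payload


def icmp_host_unreachable(dropped_packet):
    """Type 3 code 1 quoting the dropped packet's IP header plus the first 8 bytes of
    its payload, which is what lets the sender match the error to a connection."""
    ihl = (dropped_packet[0] & 0x0F) * 4
    quoted = dropped_packet[:ihl + 8]
    head = struct.pack("!BBHI", ICMP_DEST_UNREACH, 1, 0, 0)   # 4 unused bytes after checksum
    csum = inet_checksum(head + quoted)
    return struct.pack("!BBHI", ICMP_DEST_UNREACH, 1, csum, 0) + quoted


def classify(msg):
    """Validate the checksum before trusting the type: a corrupted Echo Request is the
    case the fast-reply note says the device still answers, so a receiver should check."""
    if len(msg) < 8 or inet_checksum(msg) != 0:
        return "invalid"
    mtype, code = msg[0], msg[1]
    if mtype == ICMP_ECHO_REQUEST:
        return "echo-request"
    if mtype == ICMP_DEST_UNREACH:
        return UNREACH_CODES.get(code, "unreachable-code-%d" % code)
    return "other"


def quoted_flow(unreach_msg):
    """Recover (src, dst, protocol) of the packet an unreachable message quotes."""
    ip = unreach_msg[8:]
    return (str(ipaddress.IPv4Address(ip[12:16])),
            str(ipaddress.IPv4Address(ip[16:20])), ip[9])


# Constructed scenario: 1.1.1.1 pings 2.2.2.2; the device has no route and answers with
# a host unreachable that quotes the dropped packet.
ECHO = icmp_echo_request(0x1234, 1, b"abcdefgh")
DROPPED = ipv4_header("1.1.1.1", "2.2.2.2", 1, len(ECHO)) + ECHO
UNREACH = icmp_host_unreachable(DROPPED)

if __name__ == "__main__":
    print(classify(ECHO), classify(UNREACH), quoted_flow(UNREACH), len(UNREACH))
```

When the switch in the procedure is turned off, the sender of DROPPED never receives UNREACH
and has to rely on its own timeouts; that is the trade-off the section describes between
suppressing error traffic and letting sources learn quickly that a destination is gone.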

Setting TCP Parameters


Context
You can set the following TCP parameters:
l SYN-Wait timer: When sending packets with the SYN flag, TCP starts the SYN-Wait timer.
If no response is received before the SYN-Wait timer expires, the TCP connection ends.
The timeout interval of the TCP SYN-Wait timer is an integer that ranges from 2 to 600,
in seconds. By default, the value is 75s.
l FIN-Wait timer: When the TCP connection status changes from FIN_WAIT_1 to
FIN_WAIT_2, the FIN-Wait timer is started. If no packet with the FIN flag is received
before the FIN-Wait timer expires, the TCP connection ends. The timeout interval of the
TCP FIN-Wait timer is an integer that ranges from 76 to 3600, in seconds. By default, the
value is 675s.
l Size of the packet receive or transmit buffer: The value is an integer that ranges from 1 to
32, in Kbytes. By default, the value is 8 Kbytes.

If you run the tcp window command repeatedly in the same system view, the latest configuration
overrides the previous configuration.
Do as follows on the AC6605.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
tcp timer syn-timeout interval

The timeout interval of the TCP SYN-Wait timer is set.


Step 3 Run:
tcp timer fin-timeout interval

The timeout interval of the TCP FIN-Wait timer (FIN_WAIT_2) is set.


Step 4 Run:
tcp window window-size

The size of the packet receive or transmit buffer is set.


----End

Checking the Configuration


Prerequisites
The configurations of optimizing IP performance are complete.

Procedure
l Run the display tcp status [ [ task-id task-id ] [ socket-id socket-id ] | [ local-ip ip-address ]
[ local-port local-port-number ] [ remote-ip ip-address ] [ remote-port remote-port-number ] ]
command to check the TCP connection status.
l Run the display tcp statistics command to check the statistics on TCP traffic.
l Run the display udp statistics command to check the statistics on UDP traffic.
l Run the display ip statistics command to check the statistics on IP traffic.
l Run the display ip socket [ monitor ] [ task-id task-id socket-id socket-id | sock-type
socket-type ] command to check information about the created IPv4 socket.
l Run the display icmp statistics command to check the statistics on ICMP traffic.
l Run the display fib [ slot-id ] command to check the Forwarding Information Base (FIB)
table on the Line Processing Unit (LPU).
l Run the display fib [ slot-id ] [ vpn-instance vpn-instance-name ] [ verbose ] command
to check information about the FIB table.
l Run the display fib [ vpn-instance vpn-instance-name ] acl acl-number [ verbose ]
command to check information about the FIB entries that match ACL rules in a certain
format.
l Run the display fib [ vpn-instance vpn-instance-name ] interface interface-type
interface-number command to check information about the FIB entries with the outgoing
interface as a specified interface.
l Run the display fib [ vpn-instance vpn-instance-name ] ip-prefix prefix-name
[ verbose ] command to check information about the FIB entries that match a specified IP
prefix list.
l Run the display fib [ slot-id ] [ vpn-instance vpn-instance-name ] destination-address1
[ destination-mask1 ] [ longer ] [ verbose ] command to check information about the FIB
entries that match destination IP addresses in a specified range.
l Run the display fib [ vpn-instance vpn-instance-name ] next-hop ip-address command
to check information about the FIB entries that match the specified next hop address.
l Run the display fib [ slot-id ] [ vpn-instance vpn-instance-name ] statistics command to
check the total number of FIB entries.
----End

4.4.4 Maintaining IP Performance


This section describes how to maintain IP performance.


Clearing IP Performance Statistics


Context

CAUTION
The statistics on IP, TCP, or UDP traffic cannot be restored after you clear them. So, confirm
the action before you use the command.

Procedure
l Run the reset ip statistics [ interface interface-type interface-number ] command in the
user view to clear the statistics on IP traffic.
l Run the reset ip socket monitor [ task-id task-id socket-id socket-id ] command in the
user view to clear the information about the socket monitor.
l Run the reset tcp statistics command in the user view to clear the statistics on TCP traffic.
l Run the reset udp statistics command in the user view to clear the statistics on UDP traffic.
----End

Monitoring the Running Status of IP Performance


Context
In routine maintenance, you can run the following command in any view to view the running
status of IP performance.

Procedure
l Run the display tcp status [ [ task-id task-id ] [ socket-id socket-id ] | [ local-ip ip-address ]
[ local-port local-port-number ] [ remote-ip ip-address ] [ remote-port remote-port-number ] ]
command to check the TCP connection status.
l Run the display tcp statistics command to check the statistics on TCP traffic.
l Run the display udp statistics command to check the statistics on UDP traffic.
l Run the display ip statistics command to check the statistics on IP traffic.
l Run the display ip socket [ monitor ] [ task-id task-id socket-id socket-id | sock-type
socket-type ] command to check information about the created IPv4 socket.
l Run the display icmp statistics command to check the statistics on ICMP traffic.
l Run the display fib [ slot-id ] command to check the FIB table on the LPU.
l Run the display fib [ slot-id ] [ vpn-instance vpn-instance-name ] [ verbose ] command
to check information about the FIB table.
l Run the display fib [ vpn-instance vpn-instance-name ] acl acl-number [ verbose ]
command to check information about the FIB entries that match ACL rules in a certain
format.
l Run the display fib [ vpn-instance vpn-instance-name ] interface interface-type
interface-number command to check information about the FIB entries with the outgoing
interface as a specified interface.
l Run the display fib [ vpn-instance vpn-instance-name ] ip-prefix prefix-name
[ verbose ] command to check information about the FIB entries that match a specified IP
prefix list.
l Run the display fib [ slot-id ] [ vpn-instance vpn-instance-name ] destination-address1
[ destination-mask1 ] [ longer ] [ verbose ] command to check information about the FIB
entries that match destination IP addresses in a specified range.
l Run the display fib [ vpn-instance vpn-instance-name ] next-hop ip-address command
to check information about the FIB entries that match the specified next hop address.
l Run the display fib [ slot-id ] [ vpn-instance vpn-instance-name ] statistics command to
check the total number of FIB entries.
----End

Debugging IP Performance
Context

CAUTION
Debugging affects the performance of the system. So, after debugging, run the undo debugging
all command to disable it immediately.
When an IP, TCP, UDP, RAWIP, or RAWLINK fault occurs, run the following debugging
commands in the user view to locate the fault.

Procedure
l Run the debugging udp packet [ src-ip src-address ] [ src-port src-port ] [ dest-ip
dest-address ] [ dest-port dest-port ] or debugging udp packet [ task-id task-id ] [ socket-id
socket-id ] command in the user view to debug UDP packets.
l Run the debugging tcp packet [ src-ip src-address ] [ src-port src-port ] [ dest-ip
dest-address ] [ dest-port dest-port ] [ flag flag-number ] or debugging tcp packet [ task-id
task-id ] [ socket-id socket-id ] [ flag flag-number ] command in the user view to debug
TCP packets.
l Run the debugging tcp event [ local-ip local-address ] [ local-port local-port ] [ remote-ip
remote-address ] [ remote-port remote-port ] or debugging tcp event [ task-id task-id ]
[ socket-id socket-id ] command in the user view to debug TCP events.
l Run the debugging tcp md5 [ src-ip src-address ] [ src-port src-port ] [ dest-ip
dest-address ] [ dest-port dest-port ] or debugging tcp md5 [ task-id task-id ] [ socket-id
socket-id ] command in the user view to debug TCP Message Digest Algorithm 5 (MD5)
authentication.
l Run the debugging rawip packet [ src-ip src-address ] [ dest-ip dest-address ]
[ protocol protocol-number ] [ verbose verbose-number ] or debugging rawip packet
[ task-id task-id ] [ socket-id socket-id ] [ verbose verbose-number ] command in the user
view to debug RAWIP packets.
l Run the debugging rawlink packet [ src-mac src-mac ] [ dest-mac dest-mac ]
[ verbose verbose-number ] or debugging rawlink packet [ task-id task-id ] [ socket-id
socket-id ] [ verbose verbose-number ] command in the user view to debug RAWLINK
packets.
----End

4.4.5 Configuration Examples


This section provides several configuration examples of IP performance.

Example for Disabling the Sending of ICMP Host Unreachable Packets


This section provides a configuration example of disabling the sending of ICMP host
unreachable packets.

Networking Requirements
As shown in Figure 4-16, Switch A, Switch B, and Switch C are connected through their
GigabitEthernet interfaces, and the sending of ICMP host unreachable packets is to be
controlled on Switch B.
Figure 4-16 Networking diagram for disabling the sending of ICMP host unreachable packets
[Figure: SwitchA (GE0/0/1, VLANIF10 1.1.1.1/24) connects to GE0/0/1 on SwitchB
(VLANIF10 1.1.1.2/24); GE0/0/2 on SwitchB (VLANIF11 2.2.2.1/24) connects to GE0/0/2 on
SwitchC (VLANIF11 2.2.2.2/24).]

Configuration Roadmap
The configuration roadmap is as follows:
1. Assign IP addresses to interfaces on Switches.
2. Configure static routes to indirectly connected devices.
3. Enable the sending of ICMP host unreachable packets in the system view.
4. Enable the sending of ICMP host unreachable packets in the interface view.



NOTE

By default, the sending of ICMP host unreachable packets is enabled in the system view and in the
interface view. If the configuration has not been changed, you can skip this configuration.

Data Preparation
To complete the configuration, you need the following data:
l Static routes to indirectly connected devices
l IP address of the interface

Procedure
Step 1 Configure Switch A.
# Assign an IP address to VLANIF 10.
<Quidway> system-view
[Quidway] sysname SwitchA
[SwitchA] vlan 10
[SwitchA-vlan10] quit
[SwitchA] interface gigabitethernet0/0/1
[SwitchA-GigabitEthernet0/0/1] port hybrid tagged vlan 10
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface vlanif 10
[SwitchA-Vlanif10] ip address 1.1.1.1 24
[SwitchA-Vlanif10] quit

# Configure a static route on Switch A.


[SwitchA] ip route-static 2.2.2.0 24 1.1.1.2

Step 2 Configure Switch B.


# Assign IP addresses to VLANIF 10 and VLANIF 11 on Switch B and enable the sending of ICMP
host unreachable packets in the system view and on VLANIF 11.
<Quidway> system-view
[Quidway] sysname SwitchB
[SwitchB] icmp host-unreachable send
[SwitchB] vlan 10
[SwitchB-vlan10] quit
[SwitchB] interface gigabitethernet0/0/1
[SwitchB-GigabitEthernet0/0/1] port hybrid tagged vlan 10
[SwitchB-GigabitEthernet0/0/1] quit
[SwitchB] interface vlanif 10
[SwitchB-Vlanif10] ip address 1.1.1.2 24
[SwitchB-Vlanif10] quit
[SwitchB] vlan 11
[SwitchB-vlan11] quit
[SwitchB] interface gigabitethernet0/0/2
[SwitchB-GigabitEthernet0/0/2] port hybrid tagged vlan 11
[SwitchB-GigabitEthernet0/0/2] quit
[SwitchB] interface vlanif 11
[SwitchB-Vlanif11] ip address 2.2.2.1 24
[SwitchB-Vlanif11] icmp host-unreachable send
[SwitchB-Vlanif11] quit

Step 3 Configure Switch C.


# Assign an IP address to VLANIF 11 on Switch C.
<Quidway> system-view
[Quidway] sysname SwitchC
[SwitchC] vlan 11
[SwitchC-vlan11] quit
[SwitchC] interface gigabitethernet0/0/2
[SwitchC-GigabitEthernet0/0/2] port hybrid tagged vlan 11
[SwitchC-GigabitEthernet0/0/2] quit
[SwitchC] interface vlanif 11
[SwitchC-Vlanif11] ip address 2.2.2.2 24
[SwitchC-Vlanif11] quit

# Configure a static route on Switch C.

[SwitchC] ip route-static 1.1.1.0 24 2.2.2.1

Step 4 Verify the configuration.


# Debug ICMP packets on Switch A.
<SwitchA> debugging ip icmp multicast
<SwitchA> terminal monitor
<SwitchA> terminal debugging

# Run the ping 2.2.2.2 command on Switch A. According to the received packet captured by
the tester on Switch A, Switch B sends host unreachable packets.
[SwitchA] ping 2.2.2.2

----End

Configuration Files
l Configuration file of Switch A

#
sysname SwitchA
#
vlan batch 10
#
interface vlanif 10
ip address 1.1.1.1 255.255.255.0
#
interface GigabitEthernet0/0/1
port hybrid tagged vlan 10
#
ip route-static 2.2.2.0 255.255.255.0 1.1.1.2
#
return

Configuration file of Switch B


#
sysname SwitchB
#
vlan batch 10 to 11
#
interface vlanif 10
ip address 1.1.1.2 255.255.255.0
#
interface vlanif 11
ip address 2.2.2.1 255.255.255.0
#
interface GigabitEthernet0/0/1
port hybrid tagged vlan 10
#
interface GigabitEthernet0/0/2
port hybrid tagged vlan 11
#
return

Configuration file of Switch C


#
sysname SwitchC

#
vlan batch 11
#
interface vlanif 11
ip address 2.2.2.2 255.255.255.0
#
interface GigabitEthernet0/0/2
port hybrid tagged vlan 11
#
return

4.5 DHCP Policy VLAN Configuration


This chapter describes the concept, operating mode, and configuration of Dynamic Host
Configuration Protocol (DHCP) policy Virtual Local Area Network (VLAN), and provides
configuration examples.

4.5.1 Introduction
When policy VLAN is configured on the AC6605, the VLAN to which a host connected to an
interface of the AC6605 belongs is determined by the network segment of the host's IP address.
A host that accesses the network for the first time, however, has no valid IP address when it is
connected to the interface, so it cannot be added to the VLAN it is associated with.
DHCP policy VLAN is introduced to solve this problem. With DHCP policy VLAN, hosts that access
the network for the first time can obtain valid IP addresses from the DHCP server and are then
added to the VLANs whose network segments their IP addresses belong to.

4.5.2 DHCP Policy VLAN Supported by the AC6605


The AC6605 supports the following types of DHCP policy VLAN:
- DHCP policy VLAN based on MAC addresses
- DHCP policy VLAN based on interfaces
- Generic DHCP policy VLAN

4.5.3 Configuring DHCP Policy VLAN Based on MAC Addresses


This section describes how to configure DHCP Policy VLAN Based on MAC Addresses.

Establishing the Configuration Task


Applicable Environment
When multiple hosts access the network through an interface on the AC6605, you need to
configure DHCP policy VLAN based on MAC addresses so that the hosts can obtain IP addresses
from the DHCP server and be added to specific VLANs.

Pre-configuration Tasks
Before configuring DHCP policy VLAN based on MAC addresses, complete the following
task:
- Configuring the default VLAN for the interface on the AC6605 that connects to the newly
  added hosts

Data Preparation
To configure DHCP policy VLAN based on MAC addresses, you need the following data.
No.   Data
1     MAC addresses of the newly added hosts
2     ID of the VLAN to which the DHCP server belongs

Configuration Procedure
Context
Do as follows on the AC6605.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
interface interface-type interface-number

The view of the interface on the AC6605 that connects to multiple hosts is displayed.
Step 3 Run:
port hybrid untagged vlan { { vlan-id1 [ to vlan-id2 ] }&<1-10> | all }

The interface is added to the specified VLANs, ensuring that frames from the VLANs pass
through the interface in untagged mode.
Step 4 Run:
vlan vlan-id

The view of the VLAN to which the DHCP server belongs is displayed.
Step 5 Run:
dhcp policy-vlan mac-address mac-address1 [ to mac-address2 ] [ priority priority ]

The DHCP policy VLAN based on MAC addresses is configured.


----End
Checking the Configuration


Run the following command to check the previous configuration.
Action                                                    Command
Check the configuration of the AC6605 in the VLAN view.   display this

Run the display this command in the VLAN view of the AC6605 where DHCP policy VLAN
based on MAC addresses is configured. If the output lists the dhcp policy-vlan mac-address
entries you configured, the configuration is correct.
[Quidway-vlan2] display this
#
vlan 2
dhcp policy-vlan mac-address 0002-0002-0002 priority 2
#

4.5.4 Configuring the DHCP Policy VLAN Based on Interfaces


This section describes how to configure the DHCP policy VLAN based on interfaces.

Establishing the Configuration Task


Applicable Environment
When multiple hosts access the network through different interfaces on the AC6605, you need
to configure DHCP policy VLAN based on interfaces so that the hosts can obtain IP addresses
from the DHCP server.

Pre-configuration Tasks
Before configuring DHCP policy VLAN based on interfaces, complete the following tasks:
- Configuring the default VLAN for the interface that connects to the newly added host on
  the AC6605
- Configuring the interface that connects to the newly added host on the AC6605 as a hybrid
  interface
Data Preparation
To configure DHCP policy VLAN based on interfaces, you need the following data.
No.   Data
1     Number of the interface that connects to the newly added host on the AC6605
2     ID of the VLAN to which the DHCP server belongs

Configuration Procedure
Context
Do as follows on the AC6605.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
interface interface-type interface-number

The view of the interface that connects to the newly added host on the AC6605 is displayed.
Step 3 Run:
port hybrid untagged vlan { { vlan-id1 [ to vlan-id2 ] }&<1-10> | all }

The interface is added to the specified VLANs, ensuring that frames from the VLANs pass
through the interface in untagged mode.
Step 4 Run:
vlan vlan-id

The view of the VLAN to which the DHCP server belongs is displayed.
Step 5 Run:
dhcp policy-vlan port interface-type interface-number1 [ to interface-number2 ]
[ priority priority ]

The DHCP policy VLAN based on interfaces is configured.


----End

Checking the Configuration


Run the following command to check the previous configuration.
Action                                                    Command
Check the configuration of the AC6605 in the VLAN view.   display this

Run the display this command in the VLAN view of the AC6605 where DHCP policy VLAN
based on interfaces is configured. If the output lists the dhcp policy-vlan port entry you
configured, the configuration is correct.
[Quidway-vlan2] display this
#
vlan 2
dhcp policy-vlan port GigabitEthernet 0/0/2 priority 2
#

4.5.5 Configuring Generic DHCP Policy VLAN


This section describes how to configure Generic DHCP Policy VLAN.

Establishing the Configuration Task


Applicable Environment
When hosts that do not apply DHCP policy VLAN based on MAC addresses or DHCP policy
VLAN based on interfaces access the network for the first time, you need to configure generic
DHCP policy VLAN on the AC6605 so that the hosts can obtain valid IP addresses.

Pre-configuration Tasks
Before configuring generic DHCP policy VLAN, complete the following task:
- Configuring the default VLAN for the interface that connects to the newly added host on
  the AC6605

Data Preparation
To configure generic DHCP policy VLAN, you need the following data.
No.   Data
1     ID of the VLAN to which the DHCP server belongs

Configuration Procedure
Context
Do as follows on the AC6605.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
interface interface-type interface-number

The view of the interface that connects to the newly added host on the AC6605 is displayed.
Step 3 Run:
port hybrid untagged vlan { { vlan-id1 [ to vlan-id2 ] }&<1-10> | all }

The interface is added to the specified VLANs, ensuring that frames from the VLANs pass
through the interface in untagged mode.
Step 4 Run:
vlan vlan-id

The view of the VLAN to which the DHCP server belongs is displayed.
Step 5 Run:
dhcp policy-vlan generic [ priority priority ]

The generic DHCP policy VLAN is configured.


----End

Checking the Configuration


Run the following command to check the previous configuration.
Action                                                    Command
Check the configuration of the AC6605 in the VLAN view.   display this

Run the display this command in the VLAN view of the AC6605 where generic DHCP policy
VLAN is configured. If the output lists the dhcp policy-vlan generic entry you configured,
the configuration is correct.
[Quidway-vlan2] display this
#
vlan 2
dhcp policy-vlan generic priority 2
#
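The three rule types of 4.5.3 to 4.5.5 reduce to one lookup on the first DHCP message a host sends. The following Python is an added example, not Huawei code, that performs that lookup on a constructed DHCP client message: it pulls the client MAC out of the BOOTP chaddr field and the message type out of option 53, then tries the MAC rules, the interface rules and the generic rule in that order. The precedence between the three rule types and the reading of priority as the 802.1p value of the relayed frame are assumptions of this example; the interface names and MAC addresses are those of the configuration examples in 4.5.7.

```python
"""Classify a DHCP client message by the three AC6605 DHCP policy VLAN rule types.

Added example, not Huawei code.  Assumptions: the client MAC is the BOOTP
chaddr field; a MAC rule takes precedence over an interface rule, which takes
precedence over the generic rule; `priority` is the 802.1p value written into
the tag of the frame relayed into the policy VLAN.
"""
from __future__ import annotations

import struct
from dataclasses import dataclass, field
from typing import Optional

DHCP_MAGIC = b"\x63\x82\x53\x63"
OPT_MESSAGE_TYPE = 53
DHCPDISCOVER = 1


def parse_dhcp(payload: bytes) -> tuple[str, Optional[int]]:
    """Return (client MAC in Huawei xxxx-xxxx-xxxx form, DHCP message type)."""
    if len(payload) < 240 or payload[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP message")
    op, htype, hlen = struct.unpack_from("!BBB", payload, 0)
    if op != 1 or htype != 1 or hlen != 6:
        raise ValueError("not an Ethernet BOOTREQUEST")
    mac_hex = payload[28:28 + hlen].hex()
    mac = "-".join(mac_hex[i:i + 4] for i in (0, 4, 8))
    msg_type, i = None, 240
    while i < len(payload):          # options: code, length, value; 0 = pad, 255 = end
        code = payload[i]
        if code == 0:
            i += 1
            continue
        if code == 255:
            break
        length = payload[i + 1]
        if code == OPT_MESSAGE_TYPE and length == 1:
            msg_type = payload[i + 2]
        i += 2 + length
    return mac, msg_type


@dataclass
class PolicyVlan:
    """One `vlan <id>` view with its dhcp policy-vlan statements."""
    vlan_id: int
    mac_rules: dict[str, int] = field(default_factory=dict)   # mac -> priority
    port_rules: dict[str, int] = field(default_factory=dict)  # interface -> priority
    generic: Optional[int] = None                             # priority, if configured


def classify(policies: list[PolicyVlan], port: str, payload: bytes):
    """VLAN a DHCP client message received on `port` is relayed into.

    Returns (vlan_id, priority, matched_rule), or None when no rule applies and
    the frame stays in the interface's default VLAN.
    """
    mac, _msg_type = parse_dhcp(payload)
    for p in policies:                                # MAC rules first (assumption)
        if mac in p.mac_rules:
            return p.vlan_id, p.mac_rules[mac], f"mac-address {mac}"
    for p in policies:                                # then interface rules
        if port in p.port_rules:
            return p.vlan_id, p.port_rules[port], f"port {port}"
    for p in policies:                                # finally the generic rule
        if p.generic is not None:
            return p.vlan_id, p.generic, "generic"
    return None


def build_dhcp(mac: bytes, msg_type: int = DHCPDISCOVER) -> bytes:
    """Constructed sample client message; only the fields read above are meaningful."""
    header = struct.pack("!BBBBIHH4s4s4s4s", 1, 1, 6, 0, 0x3903F326, 0, 0x8000,
                         b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4)
    chaddr = mac + b"\0" * (16 - len(mac))
    sname_file = b"\0" * 192
    options = bytes([OPT_MESSAGE_TYPE, 1, msg_type, 255])
    return header + chaddr + sname_file + DHCP_MAGIC + options


if __name__ == "__main__":
    # VLAN 100 holds the DHCP server; the rules mirror the two configuration examples
    policies = [
        PolicyVlan(100, mac_rules={"001e-9089-c65a": 5, "00e0-4c84-0b44": 5},
                   port_rules={"GigabitEthernet0/0/2": 5}),
        PolicyVlan(2, generic=2),
    ]
    for port, mac in (("GigabitEthernet0/0/2", "001e9089c65a"),
                      ("GigabitEthernet0/0/3", "0200deadbeef")):
        print(port, mac, "->", classify(policies, port, build_dhcp(bytes.fromhex(mac))))
```

The MAC rule is matched on chaddr, a field the client fills in itself, so it is a convenience for placing known hosts, not an access control: any host that sends the right chaddr on that interface lands in the same VLAN. The interface rule is the stronger of the two because it depends on where the cable is plugged in, and in either case the DHCP server's VLAN should not be carried untagged on ports that face untrusted hosts.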

4.5.6 Maintaining DHCP Policy VLAN


This section describes how to maintain DHCP policy VLAN.

Monitoring the Running Status


To check the running status of DHCP policy VLAN, run the following display command in the
corresponding VLAN view.
Action                                            Command
Check the configuration of DHCP policy VLAN.      display this

4.5.7 Configuration Examples


This section provides several configuration examples of DHCP policy VLAN.

Example for Configuring DHCP Policy VLAN Based on MAC Addresses


Networking Requirements
As shown in Figure 4-17, on the AC6605, GE 0/0/2 connects to PC1 and PC2 that access the
network for the first time; GE 0/0/4 connects to the DHCP server that belongs to VLAN 100.
The MAC address of PC1 is 001E-9089-C65A; the MAC address of PC2 is 00E0-4C84-0B44.
Figure 4-17 Networking for configuring DHCP policy VLAN based on MAC addresses
[Figure: PC1 (001E-9089-C65A) and PC2 (00E0-4C84-0B44) connect to GE 0/0/2 of the Switch;
the DHCP server 192.168.31.251/16, in VLAN 100, connects to GE 0/0/4.]
Configuration Roadmap
The configuration roadmap is as follows:
1. Enable DHCP globally.
2. Determine to which VLAN the DHCP server belongs.
3. Configure DHCP policy VLAN based on MAC addresses.

Data Preparation
To complete the configuration, you need the following data:
- MAC address of the newly added host
- Default VLAN ID of the interfaces on the AC6605

Configuration Procedure
1. Configure the AC6605.


# Enable DHCP globally. Configure GE 0/0/2 and GE 0/0/4 on the AC6605 as hybrid
interfaces, and configure frames from VLAN 100 to pass through GE 0/0/2 in untagged
mode.
<Quidway> system-view
[Quidway] dhcp enable
[Quidway] interface gigabitethernet 0/0/2
[Quidway-GigabitEthernet0/0/2] port hybrid pvid vlan 2
[Quidway-GigabitEthernet0/0/2] port hybrid untagged vlan 2 to 100
[Quidway-GigabitEthernet0/0/2] quit
[Quidway] interface gigabitethernet 0/0/4
[Quidway-GigabitEthernet0/0/4] port hybrid pvid vlan 100
[Quidway-GigabitEthernet0/0/4] port hybrid untagged vlan 100
[Quidway-GigabitEthernet0/0/4] quit

# Configure DHCP policy VLAN based on MAC addresses.
[Quidway] vlan 100
[Quidway-vlan100] dhcp policy-vlan mac-address 001E-9089-C65A priority 5
[Quidway-vlan100] dhcp policy-vlan mac-address 00E0-4C84-0B44 priority 5
[Quidway-vlan100] quit

2. Verify the configuration.

# After PC1 and PC2 go online and obtain IP addresses, ping the DHCP server from PC1
and PC2. The ping operations are successful.
C:\>ping 192.168.31.251
Pinging 192.168.31.251 with 32 bytes of data:
Reply from 192.168.31.251: bytes=32 time=126ms TTL=255
Reply from 192.168.31.251: bytes=32 time=2ms TTL=255
Reply from 192.168.31.251: bytes=32 time=2ms TTL=255
Reply from 192.168.31.251: bytes=32 time=2ms TTL=255

Ping statistics for 192.168.31.251:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 2ms, Maximum = 126ms, Average = 33ms

Configuration Files
The following lists the configuration file of the AC6605.
#
dhcp enable
#
interface GigabitEthernet0/0/2
port hybrid pvid vlan 2
port hybrid untagged vlan 2 to 100
#
interface GigabitEthernet0/0/4
port hybrid pvid vlan 100
port hybrid untagged vlan 100
#
vlan 100
dhcp policy-vlan mac-address 001e-9089-c65a priority 5
dhcp policy-vlan mac-address 00e0-4c84-0b44 priority 5
#
return

Example for Configuring DHCP Policy VLAN Based on Interfaces


Networking Requirements
As shown in Figure 4-18, on the AC6605, GE 0/0/2 connects to an access switch; GE 0/0/1
connects to the DHCP server that belongs to VLAN 100; the access switch connects to 10 hosts.

Figure 4-18 Networking for configuring DHCP policy VLAN based on interfaces
[Figure: GE 0/0/2 of the Switch connects to the access switch serving PC1 to PC10; the DHCP
server 192.168.31.251/16, in VLAN 100, connects to GE 0/0/1.]

Configuration Roadmap
The configuration roadmap is as follows:
1. Enable DHCP globally.
2. Determine to which VLAN the DHCP server belongs.
3. Configure DHCP policy VLAN based on interfaces.

Data Preparation
To complete the configuration, you need the following data:
- Number of the AC6605 interface that connects to the downstream access switch
- Default VLAN ID of the interfaces on the AC6605

Configuration Procedure
1. Configure the AC6605.


# Enable DHCP globally. Configure GE 0/0/1 and GE 0/0/2 on the AC6605 as hybrid
interfaces, and configure frames from VLAN 100 to pass through GE 0/0/2 in untagged
mode.
<Quidway> system-view
[Quidway] dhcp enable
[Quidway] interface gigabitethernet 0/0/1
[Quidway-GigabitEthernet0/0/1] port hybrid pvid vlan 10
[Quidway-GigabitEthernet0/0/1] port hybrid untagged vlan 10 to 100
[Quidway-GigabitEthernet0/0/1] quit
[Quidway] interface gigabitethernet 0/0/2
[Quidway-GigabitEthernet0/0/2] port hybrid pvid vlan 20
[Quidway-GigabitEthernet0/0/2] port hybrid untagged vlan 20 to 100
[Quidway-GigabitEthernet0/0/2] quit

# Configure DHCP policy VLAN based on interfaces.
[Quidway] vlan 100
[Quidway-vlan100] dhcp policy-vlan port gigabitethernet 0/0/2 priority 5

Configuration Files
The following lists the configuration file of the AC6605.
#
dhcp enable
#
interface GigabitEthernet0/0/1
port hybrid pvid vlan 10
port hybrid untagged vlan 10 to 100
#
interface GigabitEthernet0/0/2
port hybrid pvid vlan 20
port hybrid untagged vlan 20 to 100
#
vlan 100
dhcp policy-vlan port GigabitEthernet 0/0/2 priority 5
#
return

4.6 UDP Helper Configuration


This chapter describes the principle of UDP helper, and provides configuration procedures and
examples of UDP helper.

4.6.1 Introduction to UDP Helper


This section describes the principle of UDP helper.
The AC6605 on a network needs to obtain network configurations or query the name of another
device by sending broadcast packets. The AC6605, however, cannot obtain the required
information if the AC6605 and the server or the device to be queried are in different broadcast
domains.
To address the preceding problem, the AC6605 provides the UDP helper function. Through the
UDP helper function, the AC6605 can convert broadcast packets on a specified User Datagram
Protocol (UDP) port into unicast packets to be sent to a specified destination server, or forward
broadcast packets on a subnet to another subnet.

4.6.2 UDP Helper Features Supported by the AC6605


This section describes the UDP Helper features supported by the AC6605.
After the UDP helper function is enabled on the AC6605, the AC6605 forwards broadcast
packets of six default UDP ports to corresponding destination servers in unicast mode. Other
UDP ports must be configured manually.
Table 4-2 lists the default ports.

Table 4-2 Default UDP ports on which packets are forwarded after the UDP helper function is
enabled
Protocol                                                    UDP Port Number
Trivial File Transfer Protocol (TFTP)                       69
Domain Name System (DNS)                                    53
Time Service                                                37
NetBIOS Name Service (NetBIOS-NS)                           137
NetBIOS Datagram Service (NetBIOS-DS)                       138
Terminal Access Controller Access Control System (TACACS)   49

The UDP helper function cannot be used to send DHCP messages, that is, the number of the
UDP port cannot be 67 or 68. To forward Dynamic Host Configuration Protocol (DHCP)
messages, you need to enable the DHCP relay function.

4.6.3 Configuring UDP Helper


This section describes how to configure UDP helper to forward IP broadcast packets of a
specified UDP port.

Establishing the Configuration Task


Applicable Environment
When an AC6605 on a network needs to obtain network configurations or query the name of
another device by sending broadcast packets, you can enable the UDP helper function if the
AC6605 and the device to be queried are in different broadcast domains.

Pre-configuration Tasks
Before configuring the UDP helper function, complete the following task:
- Configuring a reachable route between the AC6605 and the server

Data Preparation
To configure the UDP helper function, you need the following data.
No.   Data
1     UDP port on which packets are forwarded
2     VLANIF interface that receives the broadcast packets, and IP address of the destination
      server to which packets of the UDP port are forwarded

Enabling the UDP Helper Function


Context
After the UDP Helper function is enabled, the AC6605 checks the destination UDP port of the
received packet and determines whether to relay the packet. Then the AC6605 performs the
operations as follows:
- If the destination UDP port number of a packet matches a UDP port number on which
  packets need to be forwarded and the destination MAC address is the broadcast MAC
  address, the AC6605 changes the destination IP address in the IP packet header and sends
  the packet to the specified destination server.
- If the destination UDP port number of a packet does not match any UDP port number on
  which packets need to be forwarded, the AC6605 discards the packet.
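The two bullets above are the whole forwarding decision. The following Python is an added example, not Huawei code, that applies it to a constructed broadcast frame: it checks the destination MAC, the destination IP address and the destination UDP port, rewrites only the destination IP address to the configured server, and recomputes the IPv4 and UDP checksums. Treating both 255.255.255.255 and the directed broadcast of the receiving VLANIF as broadcast, and the checksum handling, are assumptions of the example; the ports are those of Table 4-2 and the addresses are those of the NetBIOS-NS example in 4.6.5.

```python
"""Forwarding decision of the UDP helper, applied to a constructed IPv4/UDP frame.

Added example, not Huawei code.  Assumptions: the helper inspects only the
destination MAC, the destination IP (255.255.255.255 or the directed broadcast
of the receiving VLANIF) and the destination UDP port; the relayed packet keeps
its source address and payload, the IPv4 and UDP checksums are recomputed, and
the next-hop MAC is left to normal forwarding.
"""
from __future__ import annotations

import ipaddress
import struct

DEFAULT_HELPER_PORTS = {69: "tftp", 53: "dns", 37: "time", 137: "netbios-ns",
                        138: "netbios-ds", 49: "tacacs"}       # Table 4-2
DHCP_PORTS = {67, 68}                                         # left to DHCP relay
BROADCAST_MAC = b"\xff" * 6
LIMITED_BROADCAST = ipaddress.IPv4Address("255.255.255.255")


def ones_complement_sum(data: bytes) -> int:
    """RFC 1071 checksum over `data` (zero-padded to an even length)."""
    if len(data) % 2:
        data += b"\0"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def udp_checksum(src: bytes, dst: bytes, udp: bytes) -> int:
    """UDP checksum over the IPv4 pseudo-header and the datagram (0 is sent as 0xFFFF)."""
    pseudo = src + dst + struct.pack("!BBH", 0, 17, len(udp))
    return ones_complement_sum(pseudo + udp[:6] + b"\0\0" + udp[8:]) or 0xFFFF


def udp_checksum_ok(ip: bytes) -> bool:
    """Verify the UDP checksum of an IPv4 packet (header + datagram)."""
    ihl = (ip[0] & 0x0F) * 4
    udp = ip[ihl:]
    pseudo = ip[12:16] + ip[16:20] + struct.pack("!BBH", 0, 17, len(udp))
    return ones_complement_sum(pseudo + udp) == 0


def udp_helper_port(ports: set[int], port: int) -> set[int]:
    """`udp-helper port <n>`: add a port; 67/68 are refused, as 4.6.2 states."""
    if port in DHCP_PORTS:
        raise ValueError("ports 67/68 are handled by DHCP relay, not UDP helper")
    return ports | {port}


def relay(frame: bytes, helper_ports: set[int], vlanif_net: ipaddress.IPv4Network,
          server_ip: str) -> bytes | None:
    """Return the frame rewritten towards `udp-helper server <server_ip>`, or None
    when the helper does not relay it."""
    if frame[:6] != BROADCAST_MAC or frame[12:14] != b"\x08\x00":
        return None
    total_len = struct.unpack("!H", frame[16:18])[0]
    ip = bytearray(frame[14:14 + total_len])
    ihl = (ip[0] & 0x0F) * 4
    if ip[9] != 17:                                   # not UDP
        return None
    dst_ip = ipaddress.IPv4Address(bytes(ip[16:20]))
    if dst_ip not in (LIMITED_BROADCAST, vlanif_net.broadcast_address):
        return None
    dst_port = struct.unpack("!H", ip[ihl + 2:ihl + 4])[0]
    if dst_port not in helper_ports:
        return None
    ip[16:20] = ipaddress.IPv4Address(server_ip).packed  # the one field the helper changes
    ip[10:12] = b"\0\0"
    ip[10:12] = struct.pack("!H", ones_complement_sum(bytes(ip[:ihl])))
    ip[ihl + 6:ihl + 8] = struct.pack(
        "!H", udp_checksum(bytes(ip[12:16]), bytes(ip[16:20]), bytes(ip[ihl:])))
    return frame[:14] + bytes(ip)


def build_broadcast_udp(src_ip: str, dst_ip: str, dst_port: int, payload: bytes) -> bytes:
    """Constructed sample frame: broadcast Ethernet + IPv4 + UDP with valid checksums."""
    src, dst = ipaddress.IPv4Address(src_ip).packed, ipaddress.IPv4Address(dst_ip).packed
    udp = struct.pack("!HHHH", 49152, dst_port, 8 + len(payload), 0) + payload
    udp = udp[:6] + struct.pack("!H", udp_checksum(src, dst, udp)) + udp[8:]
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0, src, dst)
    ip_hdr = ip_hdr[:10] + struct.pack("!H", ones_complement_sum(ip_hdr)) + ip_hdr[12:]
    return BROADCAST_MAC + b"\x00\x1e\x90\x89\xc6\x5a" + b"\x08\x00" + ip_hdr + udp
```

Because the helper forwards on port number alone, every port added with udp-helper port turns a local broadcast into unicast that crosses the VLAN boundary to the server; keep the list to the services the server actually runs, and watch packet-num in display udp-helper server for an unexpected volume.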

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
udp-helper enable

The UDP helper function is enabled.


----End

Configuring the UDP Port on Which Packets Are Forwarded


Prerequisites
The UDP helper function is enabled.

Context
After the UDP helper function is enabled, the AC6605 forwards broadcast packets of UDP ports
37 (Time), 49 (TACACS), 53 (DNS), 69 (TFTP), 137 (NetBIOS-NS), and 138 (NetBIOS-DS)
by default. If the port number that needs to be configured is in the range of default UDP port
numbers, you can skip this configuration procedure.
The AC6605 does not forward DHCP messages of UDP ports 67 and 68.
Do as follows on the AC6605.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
udp-helper port { port-number | dns | netbios-ds | netbios-ns | tacacs | tftp | time }

The UDP port on which packets need to be forwarded is configured.


----End

Configuring the Destination Server to Which Packets of the UDP Port Need to Be
Forwarded
Context
Do as follows on the AC6605.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
interface vlanif vlan-id

The VLANIF interface view is displayed.


Step 3 Run:
udp-helper server ip-address

The destination server to which UDP packets are forwarded is configured.


After the UDP Helper function is enabled, if the destination UDP port of the packet received by
the VLANIF interface is the same as the UDP port for packet relay, the packet is forwarded to
the destination server configured on the VLANIF interface.
----End

Checking the Configuration


Prerequisites
The configurations of the UDP helper function are complete.
Procedure
- Run the display udp-helper server [ interface vlanif vlan-id ] command to check
  information about UDP packets forwarded on the interface.

----End

Example
Run the display udp-helper server command to check the number of the VLANIF interface
that relays UDP packets, the IP address of the destination server, and the number of forwarded
UDP packets.
<Quidway> display udp-helper server interface Vlanif 100
vlan-interface     Server-Ip        packet-num
Vlanif100          10.10.10.10      20

4.6.4 Maintaining UDP Helper


This section describes how to maintain UDP helper.

Clearing UDP Helper Statistics


Context

CAUTION
The UDP helper statistics cannot be restored after you clear them. So, confirm the action before
you use the command.

Procedure
Step 1 Run the reset udp-helper packet command in the user view to clear the UDP helper statistics.
----End

Monitoring the Running Status of UDP Helper


Context
In routine maintenance, you can run the following command in any view to view the running
status of UDP helper.

Procedure
Step 1 Run the display udp-helper server [ interface vlanif vlan-id ] command to check the number
of the VLANIF interface that forwards UDP packets, the IP address of the destination server,
and the number of forwarded UDP packets.
----End
4.6.5 Configuration Examples


This section provides several configuration examples of UDP helper.

Example for Configuring UDP Helper


This section provides a configuration example of UDP helper.

Networking Requirements
As shown in Figure 4-19, the IP address of VLANIF 100 on the Switch is 10.110.1.1/16; the IP
address of the NetBIOS-NS name server is 10.2.1.1/16. The Switch and the NetBIOS-NS name
server are on different network segments, but the route between the Switch and the NetBIOS-NS
name server is reachable.
The Switch is configured to forward broadcast packets with destination UDP port number 137
and destination IP address 255.255.255.255, and broadcast packets with destination IP address
10.110.255.255, to the NetBIOS-NS name server.
When receiving NetBIOS-NS Register broadcast packets, the Switch rewrites their destination IP
address to the IP address of the NetBIOS-NS name server and then forwards the packets to the
specified NetBIOS-NS name server.
Figure 4-19 Networking diagram for configuring UDP helper
[Figure: PC1 and PC2 connect to the Switch, whose VLANIF 100 is 10.110.1.1/16; the Switch
reaches the NetBIOS-NS name server 10.2.1.1/16 through the Internet.]

Configuration Roadmap
The configuration roadmap is as follows:
1. Enable the UDP helper function on the Switch.
2. After the UDP helper function is enabled on the Switch, the Switch forwards broadcast
   packets with the destination UDP port as 137 by default. The UDP port number, therefore,
   does not need to be configured here.
3. Create a VLAN, assign the IP address, and configure the destination server to which packets
   of UDP ports are forwarded on the VLANIF interface.

Data Preparation
To complete the configuration, you need the following data:
- VLANIF interface on which the destination server for packets of UDP ports is configured
- IP address of the destination server

Procedure
Step 1 Enable the UDP helper function.
<Quidway> system-view
[Quidway] udp-helper enable

Step 2 Configure the destination server to which packets of UDP ports are forwarded.
[Quidway] vlan 100
[Quidway-Vlan100] quit
[Quidway] interface vlanif 100
[Quidway-Vlanif100] ip address 10.110.1.1 16
[Quidway-Vlanif100] udp-helper server 10.2.1.1
[Quidway-Vlanif100] quit
[Quidway] quit

Step 3 Verify the configuration.

The destination server to which packets of UDP ports are forwarded on VLANIF 100 is the
NetBIOS-NS name server.
<Quidway> display udp-helper server interface Vlanif 100
vlan-interface     Server-Ip        packet-num
Vlanif100          10.2.1.1         0

----End

Configuration Files
Configuration file of the Switch
#
sysname Quidway
#
vlan batch 100
#
udp-helper enable
#
interface Vlanif100
ip address 10.110.1.1 255.255.0.0
udp-helper server 10.2.1.1
#
return

4.7 DNS Configuration


By configuring the Domain Name System (DNS), you can enable network devices to
communicate with each other through their domain names.

4.7.1 Introduction to DNS


After each host on the Internet is assigned a domain name, a mapping between the domain
name and the IP address of the host can be set up through DNS. In this manner, you can use
domain names, which are easy to memorize and meaningful, instead of complicated IP addresses.
The Domain Name System (DNS) is a host naming mechanism provided by TCP/IP, with which
hosts can be named in the form of character strings. The system uses a hierarchical naming
structure: it designates a meaningful name for each device on the Internet and associates the
name with the IP address through a domain name resolution server.

4.7.2 DNS Supported by the AC6605


DNS has two resolution modes: static DNS resolution and dynamic DNS resolution. To resolve
a domain name, the system first uses static DNS resolution. If this fails, the system uses
dynamic DNS resolution. To improve resolution efficiency, you can put commonly used domain
names in the static domain name resolution table.
The AC6605 supports both static resolution and dynamic resolution.

4.7.3 Configuring DNS


By configuring the DNS, you can set up a mapping between a domain name and an IP address.
In this manner, you can enable the device to communicate with other devices.

Establishing the Configuration Task


This section describes the applicable environment, pre-configuration tasks, data preparation, and
configuration procedure for configuring the DNS.

Applicable Environment
If local users need to communicate with other devices by using domain names, you can
configure DNS on the device. A DNS entry is a mapping between a domain name and an IP
address.
If local users rarely communicate with other devices by domain name, or if no DNS server
is available, configure static DNS. Before configuring static DNS, you must know the mapping
between the domain name and the IP address, and when the mapping changes you must update
the DNS entry manually.
Configure dynamic DNS on the device if local users frequently use domain names to
communicate with other devices and a DNS server is available.

Pre-configuration Tasks
Before configuring DNS, complete the following tasks:
- Configuring physical attributes of the interface and ensuring that the physical layer status
  of the interface is Up
- Configuring parameters of the link layer protocol of the interface and ensuring that the link
  layer protocol status of the interface is Up
- Configuring routes between the local device and the DNS server
- Configuring the DNS server

Data Preparation
To configure DNS, you need the following data.
No.   Data
1     Domain name and the corresponding IP address in a static DNS entry
2     IP address of a DNS server
3     Domain name or the domain name list of a dynamic DNS entry

Configuring Static DNS Entries


You can create a table of mappings between domain names and IP addresses and add commonly
used domain names to this table. When a client needs the IP address corresponding to a
domain name, it can search the table for the required IP address, which improves the
efficiency of domain name resolution.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
ip host host-name ip-address

The IP address corresponding to the host name is configured.


A host name corresponds to only one IP address. When you configure an IP address for a host
for several times, only the IP address configured at the latest is valid. To resolve several host
names, repeat Step 2.
You can configure a maximum of 50 static DNS entries.
----End

Configuring Dynamic DNS


To perform dynamic domain name resolution, you need a special domain name resolution server,
which runs a server program. This server provides mappings between domain names and IP
addresses and receives resolution requests from the client.

Procedure
Step 1 Run:
system-view

The system view is displayed.



Step 2 Run:
dns resolve

Dynamic domain name resolution is enabled.


Step 3 Run:
dns server ip-address

A DNS server is specified.


Step 4 (Optional) Run:
dns server source-ip source-ip-address

The source IP address used for DNS queries is specified.


The local device sends all its queries to the DNS server from the specified address, so the
client address the server sees is stable and the server can restrict which client addresses
it answers.
Step 5 Run:
dns domain domain-name

The suffix of the domain name is added.


----End

Follow-up Procedure
The system supports the configuration of a maximum of 6 domain name servers, 1 source
address, and 10 domain name suffixes.
To configure more than one domain name server, repeat Step 3.
To configure more than one domain name suffix, repeat Step 5.
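The order in which the AC6605 resolves a name (static table first, then the configured servers with the domain suffix list) is easiest to see in code. The following Python is an added example, not Huawei code: a stand-in DNS client with the static table, server list, suffix list and dynamic cache of the procedures above, limits included. The name server is a constructed dict, and the cache expiry and the order in which suffixes are tried (bare name first, then each suffix in configuration order) are assumptions of the example.

```python
"""Resolution order of the AC6605 DNS client: static table first, then dynamic
lookup through the configured servers and domain suffixes.

Added example, not Huawei code.  The name server is a constructed dict; the
cache-TTL handling and the suffix order (bare name first, then each `dns domain`
suffix in configuration order) are assumptions made for the example.  The limits
(50 static entries, 6 servers, 10 suffixes, latest `ip host` wins) are the ones
the procedures quote.
"""
from __future__ import annotations

import time

MAX_STATIC, MAX_SERVERS, MAX_SUFFIXES = 50, 6, 10
Zone = dict  # server ip -> {fqdn: (ip, ttl_seconds)}, a stand-in for real servers


class DnsClient:
    def __init__(self, clock=time.monotonic):
        self.static: dict[str, str] = {}
        self.servers: list[str] = []
        self.suffixes: list[str] = []
        self.cache: dict[str, tuple[str, float]] = {}   # fqdn -> (ip, expires_at)
        self.resolve_enabled = False                     # `dns resolve`
        self.clock = clock

    def ip_host(self, name: str, ip: str) -> None:
        """`ip host host-name ip-address`: one address per name, latest wins."""
        name = name.lower()
        if name not in self.static and len(self.static) >= MAX_STATIC:
            raise ValueError("static DNS table full (50 entries)")
        self.static[name] = ip

    def dns_server(self, ip: str) -> None:
        """`dns server ip-address`, repeatable up to 6 times."""
        if ip in self.servers:
            return
        if len(self.servers) >= MAX_SERVERS:
            raise ValueError("at most 6 DNS servers")
        self.servers.append(ip)

    def dns_domain(self, suffix: str) -> None:
        """`dns domain domain-name`, repeatable up to 10 times."""
        suffix = suffix.lower().strip(".")
        if suffix in self.suffixes:
            return
        if len(self.suffixes) >= MAX_SUFFIXES:
            raise ValueError("at most 10 domain suffixes")
        self.suffixes.append(suffix)

    def reset_dynamic_host(self) -> None:
        """`reset dns dynamic-host`: drop the dynamic cache only."""
        self.cache.clear()

    def resolve(self, name: str, zone: Zone) -> tuple[str, str] | None:
        """Return (ip, source); source is 'static', 'cache' or 'server <ip>'."""
        name = name.lower().rstrip(".")
        if name in self.static:                       # static entries answer first
            return self.static[name], "static"
        if not self.resolve_enabled or not self.servers:
            return None
        now = self.clock()
        for fqdn in [name] + [f"{name}.{s}" for s in self.suffixes]:
            hit = self.cache.get(fqdn)
            if hit and hit[1] > now:                  # unexpired cache entry
                return hit[0], "cache"
            for server in self.servers:               # first server that answers wins
                answer = zone.get(server, {}).get(fqdn)
                if answer:
                    ip, ttl = answer
                    self.cache[fqdn] = (ip, now + ttl)
                    return ip, f"server {server}"
        return None
```

Because static entries are consulted first, an ip host line overrides whatever the servers say for that name; review display ip host when a name resolves unexpectedly. The suffix list behaves like a search list on a workstation: a short name is completed with whichever suffix produces an answer first, so keep it to domains you control.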

Checking the Configuration


You can view the configuration of the DNS.

Prerequisites
The configurations of the DNS function are complete.

Procedure
- Run the display ip host command to check the information about the static DNS entry
  table.
- Run the display dns server command to check the configurations about DNS servers.
- Run the display dns domain command to check the configurations about domain name
  suffixes.
- Run the display dns dynamic-host command to check the information about dynamic DNS
  entries in the domain name cache.

----End
Example
Run the display ip host command. If static DNS entries, including the mappings between host
names and IP addresses, are displayed, the configuration succeeds. For example:
<Quidway> display ip host
  Host        Age  Flags   Address
  hw          0    static  10.1.1.1
  gww         0    static  192.168.1.1

Run the display dns server command. If the IP addresses of all domain name servers are displayed,
the configuration succeeds. For example:
<Quidway> display dns server
  IPv4 Dns Servers :
    Domain-server  IpAddress
    1              172.16.1.1
    2              172.16.1.2
  IPv6 Dns Servers :
    No configured servers.

Run the display dns domain command. If the list of domain name suffixes is displayed, the
configuration succeeds. For example:
<Quidway> display dns domain
  No  Domain-name
  1   com
  2   net

Run the display dns dynamic-host command. If the contents of the dynamic domain name cache
are displayed, the configuration succeeds. For example:
<Quidway> display dns dynamic-host
  No  Domain-name         IpAddress   TTL    Alias
  1   www.huawei.com      91.1.1.1    3521
  2   www.huawei.com.cn   87.1.1.1    3000
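The following Python model is an added illustration of the lookup order that the configuration above produces on the DNS client; it is not Huawei code and does not run on the AC6605. The order it assumes is stated in the comments: static entries created with ip host are consulted first, a cached answer is reused until its TTL (in seconds, as in display dns dynamic-host) expires, and only then are the servers from dns server queried, trying the name as given and then with each dns domain suffix appended in configuration order. The zone data and the names CONSTRUCTED_ZONES, DnsClient and switch_a are constructed for this example.

```python
# Added example: model of the AC6605 DNS client lookup order configured in 4.7.3.
# Not Huawei's implementation. Assumptions: static entries (ip host) win over
# dynamic resolution; a cached answer is reused until its TTL expires; a name
# is tried as given and then with each `dns domain` suffix appended, in
# configuration order, against each `dns server` in configuration order.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed zone data standing in for the answers a real DNS server would
# return over UDP/53: server address -> {fqdn: (address, ttl_seconds)}.
CONSTRUCTED_ZONES: Dict[str, Dict[str, Tuple[str, int]]] = {
    "3.1.1.2": {"huawei.com": ("2.1.1.3", 3600)},
}


@dataclass
class DnsClient:
    static_hosts: Dict[str, str]            # ip host <name> <address>
    servers: List[str]                      # dns server <address>, in order
    suffixes: List[str]                     # dns domain <suffix>, in order
    resolve_enabled: bool = True            # dns resolve
    zones: Dict[str, Dict[str, Tuple[str, int]]] = field(
        default_factory=lambda: CONSTRUCTED_ZONES)
    # dynamic cache as shown by display dns dynamic-host: fqdn -> (addr, expiry)
    cache: Dict[str, Tuple[str, float]] = field(default_factory=dict)

    def _query(self, fqdn: str) -> Optional[Tuple[str, str, int]]:
        """Ask each configured server in turn; return (server, addr, ttl)."""
        for server in self.servers:
            answer = self.zones.get(server, {}).get(fqdn)
            if answer is not None:
                return server, answer[0], answer[1]
        return None

    def resolve(self, name: str, now: float = 0.0) -> Tuple[Optional[str], str]:
        """Return (address, how it was found). `now` is the clock in seconds."""
        if name in self.static_hosts:
            return self.static_hosts[name], "static"
        if not self.resolve_enabled:
            return None, "dynamic resolution disabled (run dns resolve)"
        candidates = [name] + [f"{name}.{suffix}" for suffix in self.suffixes]
        for fqdn in candidates:
            cached = self.cache.get(fqdn)
            if cached is not None and cached[1] > now:
                return cached[0], f"cache ({fqdn})"
            self.cache.pop(fqdn, None)          # expired entry is aged out
            found = self._query(fqdn)
            if found is not None:
                server, addr, ttl = found
                self.cache[fqdn] = (addr, now + ttl)
                return addr, f"server {server} ({fqdn})"
        return None, "unresolved"

    def dynamic_hosts(self, now: float = 0.0) -> Dict[str, Tuple[str, int]]:
        """Equivalent of display dns dynamic-host: address and remaining TTL."""
        return {fqdn: (addr, int(expiry - now))
                for fqdn, (addr, expiry) in self.cache.items() if expiry > now}

    def reset_dynamic_hosts(self) -> None:
        """Equivalent of reset dns dynamic-host in the user view."""
        self.cache.clear()


def switch_a() -> DnsClient:
    """Switch A from the example in 4.7.5, built from constructed data."""
    return DnsClient(static_hosts={"SwitchB": "4.1.1.1", "SwitchC": "4.1.1.2"},
                     servers=["3.1.1.2"], suffixes=["net", "com"])


if __name__ == "__main__":
    client = switch_a()
    print(client.resolve("SwitchB"))            # static entry, no query sent
    print(client.resolve("huawei"))             # huawei, huawei.net, then huawei.com
    print(client.dynamic_hosts(now=21))         # TTL counted down to 3579
    print(client.resolve("huawei", now=3700))   # TTL expired, queried again
```

Note that nothing in this path authenticates the answer: whatever the configured server (or anything able to spoof it on the route to 3.1.1.2) returns for huawei.com is cached and used for the full TTL, which is why the route to the DNS server and the server itself deserve the same protection as the services reached through the resolved names.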

4.7.4 Maintaining DNS


The operations of DNS maintenance include clearing DNS statistics and monitoring the DNS
operating status.

Clearing DNS Entries


This section describes DNS entry clearance through the reset command.

Context

CAUTION
DNS entries cannot be restored after being cleared. So, confirm the action before you use this
command.

Procedure
Step 1 Run the reset dns dynamic-host command in the user view to clear the dynamic DNS entries
in the domain name cache.
----End

Monitoring Network Operation Status of DNS


This section describes DNS operation monitoring through the display command.

Context
In routine maintenance, you can run the following command in any view to check the operation
of DNS.

Procedure
- Run the display ip host command to check the static DNS entry table.
- Run the display dns server command to check the DNS server configuration.
- Run the display dns domain command to check the configured domain name suffixes.
- Run the display dns dynamic-host command to check the dynamic DNS entries in the domain name cache.

----End

Debugging DNS
This section describes DNS debugging through the debugging command.

Context

CAUTION
Debugging affects the performance of the system. So after debugging, run the undo debugging
all command to disable it immediately.
Run the following debugging command in the user view to debug DNS and locate the fault.
For more information, refer to the chapter "Information Center Configuration" in the AC6605
Access Controller Configuration Guide - System Management.

Procedure
Step 1 Run the debugging dns command in the user view to debug dynamic DNS.
----End
4.7.5 Configuration Examples


This section provides a configuration example of DNS.

Example for Configuring DNS


This section provides a configuration example of DNS.

Networking Requirements
As shown in Figure 4-20, Switch A acts as a DNS client and needs to reach the host 2.1.1.3/16 by
using the domain name huawei.com. You need to configure the domain name suffixes "com" and
"net".
On Switch A, configure static DNS entries for Switch B and Switch C so that Switch A can
communicate with them by using their host names.
Figure 4-20 Networking diagram of DNS

  SwitchA (DNS client) -- SwitchB -- SwitchC -- DNS server (3.1.1.2/16)
  The host huawei.com (2.1.1.3/16) is on the 2.1.1.0/16 segment between SwitchB and SwitchC.

  Device       Interface   VLANIF / Loopback   IP address
  SwitchA      GE0/0/1     VLANIF 100          1.1.1.2/16
  SwitchB      GE0/0/2     VLANIF 101          1.1.1.1/16
  SwitchB      GE0/0/1     VLANIF 100          2.1.1.1/16
  SwitchB      Loopback0   -                   4.1.1.1/32
  SwitchC      GE0/0/1     VLANIF 100          2.1.1.2/16
  SwitchC      GE0/0/2     VLANIF 101          3.1.1.1/16
  SwitchC      Loopback0   -                   4.1.1.2/32
  DNS server   -           -                   3.1.1.2/16
  huawei.com   -           -                   2.1.1.3/16

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure static DNS entries.
2. Enable DNS resolution.
3. Configure an IP address for the DNS server.
4. Configure suffixes of domain names.

Data Preparation
To complete the configuration, you need the following data:
- Domain names of Switch B and Switch C
- IP address of the DNS server
- Suffixes of domain names

Procedure
Step 1 Configure Switch A.
# Configure static DNS entries.
<SwitchA> system-view
[SwitchA] ip host SwitchB 4.1.1.1
[SwitchA] ip host SwitchC 4.1.1.2

# Enable DNS resolution.


[SwitchA] dns resolve

# Configure an IP address for the DNS server.


[SwitchA] dns server 3.1.1.2

# Configure a domain name suffix "net".


[SwitchA] dns domain net

# Configure a domain name suffix "com".


[SwitchA] dns domain com
[SwitchA] quit
NOTE

To complete DNS resolution, configuring routes from Switch A to the DNS server is mandatory. For
procedures for configuring routes, refer to the AC6605 Access Controller Configuration Guide - IP
Routing.

Step 2 Verify the configuration.

# Run the ping huawei.com command on Switch A to ping the IP address 2.1.1.3. The ping
succeeds.
<SwitchA> ping huawei.com
  Trying DNS server (3.1.1.2)
  PING huawei.com (2.1.1.3): 56  data bytes, press CTRL_C to break
    Reply from 2.1.1.3: bytes=56 Sequence=1 ttl=126 time=6 ms
    Reply from 2.1.1.3: bytes=56 Sequence=2 ttl=126 time=4 ms
    Reply from 2.1.1.3: bytes=56 Sequence=3 ttl=126 time=4 ms
    Reply from 2.1.1.3: bytes=56 Sequence=4 ttl=126 time=4 ms
    Reply from 2.1.1.3: bytes=56 Sequence=5 ttl=126 time=4 ms

  --- huawei.com ping statistics ---
    5 packet(s) transmitted
    5 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 4/4/6 ms

# Run the display ip host command on Switch A to view static DNS entries, including mappings
between host names and IP addresses.
<SwitchA> display ip host
  Host      Age  Flags   Address
  SwitchB   0    static  4.1.1.1
  SwitchC   0    static  4.1.1.2

# Run the display dns dynamic-host command on Switch A to view dynamic DNS entries in
the domain name cache.
<SwitchA> display dns dynamic-host
  No  Domain-name   IpAddress   TTL    Alias
  1   huawei.com    2.1.1.3     3579

NOTE

The TTL value in the above display indicates the remaining lifetime of an entry, in seconds.

----End

Configuration Files
- Configuration file of Switch A

#
sysname SwitchA
#
vlan batch 100
#
ip host SwitchB 4.1.1.1
ip host SwitchC 4.1.1.2
#
dns resolve
dns server 3.1.1.2
dns domain net
dns domain com
#
interface GigabitEthernet0/0/1
port hybrid pvid vlan 100
port hybrid untagged vlan 100
#
interface vlanif100
ip address 1.1.1.2 255.255.0.0
#
rip 1
network 1.0.0.0
#
return

- Configuration file of Switch B

#
sysname SwitchB
#
vlan batch 100 to 101
#
interface GigabitEthernet0/0/1
port hybrid pvid vlan 100
port hybrid untagged vlan 100
#
interface GigabitEthernet0/0/2
port hybrid pvid vlan 101
port hybrid untagged vlan 101
#
interface LoopBack0
ip address 4.1.1.1 255.255.255.255
#
interface vlanif100
ip address 2.1.1.1 255.255.0.0
#
interface vlanif101
ip address 1.1.1.1 255.255.0.0
#
rip 1
network 2.0.0.0
network 1.0.0.0
network 4.0.0.0
#
return

- Configuration file of Switch C

#
sysname SwitchC
#
vlan batch 100 to 101
#
interface GigabitEthernet0/0/1
port hybrid pvid vlan 100
port hybrid untagged vlan 100
#
interface GigabitEthernet0/0/2
port hybrid pvid vlan 101
port hybrid untagged vlan 101
#
interface LoopBack0
ip address 4.1.1.2 255.255.255.255
#
interface vlanif100
ip address 2.1.1.2 255.255.0.0
#
interface vlanif101
ip address 3.1.1.1 255.255.0.0
#
rip 1
network 2.0.0.0
network 3.0.0.0
network 4.0.0.0
#
return

5 Configuration Guide - IP Routing

About This Chapter


This chapter describes the IP routing features of the AC6605, including static routes, routing
protocols (RIP, OSPF, IS-IS, and BGP), and routing policies. It provides the configuration
procedures and configuration examples of the IP routing features.
5.1 IP Static Route Configuration
Static routes are commonly used on simple networks. Properly configuring and using static
routes can improve network performance and help ensure enough bandwidth is available for
important services.
5.2 RIP Configuration
RIP can advertise and receive routes to affect the selection of data forwarding paths, and can
provide the network management function. RIP is commonly used on small-scale networks.
5.3 OSPF Configuration
OSPF, which is developed by the IETF, is a link-state IGP. OSPF is widely used in access
networks and MANs.
5.4 IS-IS Configuration
This chapter describes the basic principle of IS-IS and procedures for configuring IS-IS, and
provides configuration examples.
5.5 BGP Configuration
BGP is used between ASs to transmit routing information on large-scale and complex networks.
5.6 MBGP Configuration
MBGP is dedicated to transmitting multicast routing information across ASs.
5.7 Routing Policy Configuration
Routing policies are used to filter routes to change the path through which network traffic passes.

5.1 IP Static Route Configuration


Static routes are commonly used on simple networks. Properly configuring and using static
routes can improve network performance and help ensure enough bandwidth is available for
important services.

5.1.1 Static Route


Static routes are special routes that network administrators must manually configure.
On a simple network topology, you only need to configure static routes so that the network can
run properly. Properly using static routes improves the network performance and provides the
guaranteed bandwidth for important applications.
The disadvantage of static routes is that if a fault occurs on the network or the network topology
changes, static routes cannot automatically change and must be changed manually by the
administrator.

5.1.2 Static Routing Features Supported by the AC6605


The system supports several static route features: IPv4 static routes, default routes, and
BFD for IPv4 static routes.

IPv4 Static Route


IPv4 static routes need to be manually configured by the administrator. IPv4 static routes are
applicable to simple IPv4 networks.
An IPv4 static route is an IPv4 default route if its destination address is 0.0.0.0 and the mask
length is 0.
If the destination address of an IPv4 packet fails to match any entry in the routing table, the
Switch uses the IPv4 default route to forward the IPv4 packet.
The AC6605 supports ordinary static routes.

Default Route
Default routes are a special type of routes. Generally, administrators can manually configure
default routes. Default routes can also be generated by dynamic routing protocols such as Open
Shortest Path First (OSPF) or Intermediate System-to-Intermediate System (IS-IS).
Default routes are used only when packets to be forwarded fail to match any entry in the routing
table. You can run the display ip routing-table command to check whether the default route is
configured.
If the destination address of a packet does not match any entry in the routing table, the Switch
uses the default route to forward the packet. If no default route exists, the packet is discarded,
and an Internet Control Message Protocol (ICMP) packet is sent to inform the originating host
that the destination host or network is unreachable.

BFD for IPv4 Static Route


Unlike dynamic routing, static routing does not have a detection mechanism. If a fault occurs
on the network, administrator involvement is required. Bidirectional Forwarding Detection
(BFD) for IPv4 static route is used to bind BFD sessions to IPv4 static routes on the public
network. The BFD sessions are used to detect the link status of a static route. The system then
uses the detection results to determine whether to add static routes to its IP routing table.
After BFD for IPv4 static route is configured, each static route can be bound to a BFD session.
- When the BFD session on the link of a static route detects that the link changes from Up
  to Down, BFD reports the fault to the RM module, and the RM module sets the route to
  inactive. The route becomes unavailable and is deleted from the routing table.
- When a BFD session is established on the link of a static route (the link changes from Down
  to Up), BFD reports the success to the RM module, and the RM module sets the route to
  active. The route becomes available and is added to the IP routing table.

5.1.3 Configuring an IPv4 Static Route


On an IPv4 network, you can accurately control route selection by configuring IPv4 static routes.

Establishing the Configuration Task


Before configuring an IPv4 static route, familiarize yourself with the applicable environment,
complete the pre-configuration tasks, and obtain the data required for the configuration. This
will help you complete the configuration task quickly and accurately.

Applicable Environment
When configuring an IPv4 static route, note the following:
- Destination address and mask
  In the ip route-static command, the IPv4 destination address is in dotted decimal notation,
  and the mask can be either expressed in dotted decimal notation or replaced by the mask
  length (namely, the number of consecutive 1s in the mask).
- Outbound interface and next-hop address
  When configuring a static route, you can specify the outbound interface (interface-type
  interface-number), the next-hop address (nexthop-address), or both, depending on which
  is better suited to your situation.
  Every routing entry needs a next hop: when sending a packet, the Switch first searches the
  routing table for the route that matches the destination address, and then resolves the next
  hop of that route to the link-layer address of the neighbouring device. On a broadcast link
  such as a VLANIF interface, the next-hop address is therefore required.
  On a point-to-point link, for example one encapsulated with PPP, you can specify only the
  outbound interface even if the remote address is not known. The Switch configuration then
  does not need to be modified if the remote address changes.
- Other attributes
  Setting different preferences for static routes helps flexibly apply routing policies. For
  example, when configuring multiple routes to the same destination address, you can set the
  same preference for these routes to implement load balancing, or set different preferences
  to implement routing redundancy.
  When the ip route-static command is run to configure a static route, a default route is
  configured if the destination address and the mask are set to all 0s (0.0.0.0 0.0.0.0).

Pre-configuration Tasks
Before configuring an IPv4 static route, complete the following task:
- Configuring link layer protocol parameters and IP addresses for interfaces to ensure that
  the link layer protocol status of the interfaces is Up

Data Preparation
To configure an IPv4 static route, you need the following data.
  No.  Data
  1    Destination address and mask
  2    Outbound interface or next-hop IPv4 address
  3    Preference of the IPv4 static route

Configuring an IPv4 Static Route on the Public Network


When configuring an IPv4 static route, configure its destination address, outbound interface,
and next hop.

Context
Do as follows on the Switch to be configured with a static route:

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
ip route-static ip-address { mask | mask-length } { nexthop-address | interface-type interface-number [ nexthop-address ] | vpn-instance vpn-instance-name nexthop-address } [ preference preference | tag tag ] * [ description text ]

An IPv4 static route is configured.


By default, no IPv4 static route is configured.
NOTE

If the outbound interface you specify is a broadcast interface, such as a VLANIF interface, you must
also specify the next hop address.

----End

(Optional) Setting the Default Preference for IPv4 Static Routes


Setting the default preference for IPv4 static routes can affect route selection.
Context
Do as follows on the Switches that need to be configured with static routes and change the default
preference for static routes:

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
ip route-static default-preference preference

The default preference is set for static routes.


By default, the preference of static routes is 60.
When a static route is configured, the default preference is used if no preference is explicitly
specified for the static route. After a default preference is specified, the new default preference
is valid for subsequent rather than existing IPv4 static routes.
----End

Checking the Configuration


After an IPv4 static route is configured, you can check detailed information about the configured
IPv4 static route.

Prerequisites
The configurations for an IPv4 static route are complete.

Procedure
- Run the display ip routing-table command to check brief information about the IPv4
  routing table.
- Run the display ip routing-table verbose command to check detailed information about
  the IPv4 routing table.

----End
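The following Python model is an added illustration of how the routing table described in 5.1.2 and 5.1.3 selects a route; it is not Huawei code and does not reproduce the RM module. It models the rules stated above: longest prefix match first, then the lowest preference among routes to the same prefix (static routes default to 60, directly connected routes to 0), equal prefix and equal preference giving load balancing over all matching next hops, the 0.0.0.0/0 default route used only when nothing longer matches, and no match at all meaning the packet is dropped (returned here as an empty list). The names Route, RoutingTable, static_route, switch_a_table and redundancy_table, and the two-route table in redundancy_table, are constructed for this example.

```python
# Added example: how the IPv4 routing table chooses the route for a packet.
# Illustration code, not Huawei's RM module. Modelled rules: longest prefix
# match; then lowest preference; equal prefix + equal preference -> all kept
# (load balancing); 0.0.0.0/0 only when no longer prefix matches; no match
# -> packet dropped and ICMP unreachable sent, modelled as an empty result.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

STATIC_DEFAULT_PREFERENCE = 60   # default of ip route-static default-preference
DIRECT_PREFERENCE = 0            # directly connected networks


@dataclass(frozen=True)
class Route:
    prefix: str        # e.g. "1.1.1.0/24"; "0.0.0.0/0" is the default route
    proto: str         # "Static" or "Direct"
    preference: int
    nexthop: str
    interface: str


class RoutingTable:
    def __init__(self, routes: List[Route]):
        self.entries = [(ipaddress.ip_network(r.prefix), r) for r in routes]

    def lookup(self, destination: str) -> List[Route]:
        """Best route(s) for a destination; several entries mean load
        balancing, an empty list means the packet cannot be forwarded."""
        addr = ipaddress.ip_address(destination)
        matches = [(net, r) for net, r in self.entries if addr in net]
        if not matches:
            return []
        longest = max(net.prefixlen for net, _ in matches)
        candidates = [r for net, r in matches if net.prefixlen == longest]
        best = min(r.preference for r in candidates)
        return [r for r in candidates if r.preference == best]

    def next_hops(self, destination: str) -> List[str]:
        return sorted(r.nexthop for r in self.lookup(destination))


def static_route(prefix: str, nexthop: str, interface: str,
                 preference: Optional[int] = None) -> Route:
    """Equivalent of ip route-static <prefix> <nexthop> [ preference <n> ]."""
    pref = STATIC_DEFAULT_PREFERENCE if preference is None else preference
    return Route(prefix, "Static", pref, nexthop, interface)


def switch_a_table() -> RoutingTable:
    """Switch A from the example in 5.1.5, keeping only the routes a packet
    can be forwarded over (host and loopback entries omitted)."""
    return RoutingTable([
        static_route("0.0.0.0/0", "1.1.4.2", "Vlanif10"),
        Route("1.1.1.0/24", "Direct", DIRECT_PREFERENCE, "1.1.1.1", "Vlanif30"),
        Route("1.1.4.0/30", "Direct", DIRECT_PREFERENCE, "1.1.4.1", "Vlanif10"),
    ])


def redundancy_table(backup_preference: int) -> RoutingTable:
    """Constructed variant with two static routes to 1.1.3.0/24: an equal
    preference gives load balancing; a larger value on the second route
    makes it a backup that is chosen only when the first is absent."""
    return RoutingTable([
        static_route("1.1.3.0/24", "1.1.4.6", "Vlanif20"),
        static_route("1.1.3.0/24", "1.1.4.1", "Vlanif10",
                     preference=backup_preference),
    ])


if __name__ == "__main__":
    table = switch_a_table()
    print(table.next_hops("1.1.3.1"))                   # ['1.1.4.2'] via default route
    print(table.next_hops("1.1.1.2"))                   # ['1.1.1.1'] directly connected
    print(redundancy_table(60).next_hops("1.1.3.2"))    # both next hops
    print(redundancy_table(100).next_hops("1.1.3.2"))   # only 1.1.4.6
    print(redundancy_table(60).next_hops("9.9.9.9"))    # [] : no default route
```

The last call is the case the section warns about: with no default route and no matching prefix the packet is discarded, so a host behind such a table gets an ICMP unreachable rather than a silent black hole only if the device sends one.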

5.1.4 Configuring BFD for IPv4 Static Routes on the Public Network
On an IPv4 network, configuring BFD for IPv4 static routes on the public network can speed
up route convergence and improve network reliability.

Establishing the Configuration Task


Before configuring BFD for static routes, familiarize yourself with the applicable environment,
complete the pre-configuration tasks, and obtain the data required for the configuration. This
will help you complete the configuration task quickly and accurately.
Applicable Environment
BFD can quickly detect IPv4 forwarding failures, which helps ensure QoS for voice, video, and
video-on-demand (VoD) services on an IPv4 network. With BFD, service providers can offer voice
over IP (VoIP) and other real-time services with high availability and scalability.
By binding IPv4 static routes to BFD sessions, you can use BFD sessions to provide link
detection for IPv4 static routes on the public network. Each static route can be bound to one BFD
session.

Pre-configuration Tasks
Before configuring BFD for IPv4 static routes on the public network, complete the following
task:
- Configuring link layer protocol parameters and IP addresses for interfaces to ensure that
  the link layer protocol status of the interfaces is Up

Data Preparation
To configure BFD for IPv4 static routes on the public network, you need the following data.
  No.  Data
  1    Destination address and mask
  2    Outbound interface or next-hop IPv4 address
  3    IP address of the peer detected by BFD
  4    Local discriminator and remote discriminator of a BFD session

Configuring an IPv4 Static Route on the Public Network


When configuring an IPv4 static route, configure its destination address, outbound interface,
and next hop.

Context
Do as follows on the Switch to be configured with a static route:

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
ip route-static ip-address { mask | mask-length } { nexthop-address | interface-type interface-number [ nexthop-address ] | vpn-instance vpn-instance-name nexthop-address } [ preference preference | tag tag ] * [ description text ]

An IPv4 static route is configured.


By default, no IPv4 static route is configured.


NOTE

If the outbound interface you specify is a broadcast interface, such as a VLANIF interface, you must
also specify the next hop address.

----End

Configuring a BFD Session


BFD sessions are used to quickly detect and monitor the connectivity of links on a network.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
bfd

BFD is enabled globally and the BFD view is displayed.


Step 3 Run:
quit

Return to the system view.


Step 4 Run the bfd cfg-name bind peer-ip peer-ip [ vpn-instance vpn-instance-name ] [ interface
interface-type interface-number ] [ source-ip source-ip ] command to configure a BFD session.
- When a BFD session is created, you must bind the peer IP address to it. After the BFD session
  is set up, this binding cannot be modified.
- When the BFD configuration items are created, the system checks only the format of the IP
  addresses, not whether they are correct. The BFD session cannot be established if an incorrect
  peer IP address or source IP address is bound.
- When both the peer IP address and the local interface are specified, a single-hop link is
  monitored: BFD monitors the route that uses the specified outbound interface and peer-ip as
  the next-hop address. When only the peer IP address is specified, a multi-hop path is monitored.
- When BFD and URPF are used together, URPF checks the source IP address of received packets.
  Specify the source IP address of the BFD packets (source-ip) when creating the binding so that
  the URPF check on the peer does not discard them.
Step 5 Configure the discriminators.
l Run:
discriminator local discr-value

The local discriminator is configured.


l Run:
discriminator remote discr-value

The remote discriminator is configured.


NOTE

The local discriminator of the local device corresponds to the remote discriminator of the remote device,
and the remote discriminator of the local device corresponds to the local discriminator of the remote device.
The local discriminator of the local device must be the same as the remote discriminator of the remote
device. Otherwise, the session cannot be correctly set up. After the local and remote discriminators are
configured, they cannot be modified.

Step 6 Run:
commit

The configurations are committed.


NOTE

When setting up a BFD session, you must run the commit command after configuring necessary
parameters, such as local and remote discriminators; otherwise, the session cannot be set up.

----End

Binding a Static Route to a BFD Session


When binding a static route to a BFD session, ensure that the static route resides on the same
link as the BFD session.

Context
Do as follows on the Switch to bind a static route to a BFD session:

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
ip route-static ip-address { mask | mask-length } { nexthop-address | interface-type interface-number [ nexthop-address ] } [ preference preference | tag tag ] * track bfd-session cfg-name [ description text ]

A BFD session is bound to the IPv4 static route on the public network.
NOTE

When binding a static route to a BFD session, ensure that the static route resides on the same link as the
BFD session.

----End
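The following Python model is an added illustration, serving both the description of BFD for IPv4 static routes in 5.1.2 and the session and binding procedures in 5.1.4; it is not Huawei code. It models what those sections state: a session comes up only after both ends have run commit, their bound peer addresses point at each other, and the discriminators cross-match (the local discriminator on one end equals the remote discriminator on the other); a static route configured with track bfd-session is present in the routing table only while its session is Up, and the RM module removes it as soon as the session goes Down. The names BfdSession, negotiated_up, StaticRoute, RouteManager and build_switch_a are constructed for this example, as is the route 2.2.2.0/24 via 1.1.1.2, which is assumed from the addresses in Figure 5-2.

```python
# Added example: model of BFD for IPv4 static routes (5.1.2 and 5.1.4).
# Illustration code, not Huawei's implementation. Modelled behaviour: a
# session is Up only when both ends have committed, bind each other's
# address, the link is healthy, and discriminators cross-match; a route with
# `track bfd-session` is installed only while its session is Up.
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class BfdSession:
    name: str                           # cfg-name, e.g. "aa"
    local_ip: str
    peer_ip: str                        # bfd <name> bind peer-ip <peer_ip>
    local_discr: Optional[int] = None   # discriminator local
    remote_discr: Optional[int] = None  # discriminator remote
    committed: bool = False
    link_up: bool = True                # state of the monitored link

    def commit(self) -> None:
        """The commit step; refuses to commit an incomplete session."""
        if self.local_discr is None or self.remote_discr is None:
            raise ValueError(f"session {self.name}: set both discriminators before commit")
        self.committed = True


def negotiated_up(a: BfdSession, b: BfdSession) -> bool:
    """Session state after negotiation between the two ends."""
    return (a.committed and b.committed
            and a.link_up and b.link_up
            and a.peer_ip == b.local_ip and b.peer_ip == a.local_ip
            and a.local_discr == b.remote_discr
            and a.remote_discr == b.local_discr)


@dataclass(frozen=True)
class StaticRoute:
    prefix: str
    nexthop: str
    track: Optional[str] = None         # cfg-name given to `track bfd-session`


class RouteManager:
    """The RM module: keeps the routing table in step with BFD results."""

    def __init__(self, routes: List[StaticRoute],
                 sessions: Dict[str, Tuple[BfdSession, BfdSession]]):
        self.routes = routes
        self.sessions = sessions        # cfg-name -> (local end, remote end)
        self.active: Set[Tuple[str, str]] = set()
        self.refresh()

    def refresh(self) -> Set[Tuple[str, str]]:
        """Re-evaluate every route; return the (prefix, nexthop) pairs installed."""
        for r in self.routes:
            if r.track is None:
                up = True                                   # untracked: always active
            else:
                up = negotiated_up(*self.sessions[r.track])
            if up:
                self.active.add((r.prefix, r.nexthop))
            else:
                self.active.discard((r.prefix, r.nexthop))   # RM sets it inactive
        return set(self.active)


def build_switch_a(remote_discr_on_b: int = 10) -> Tuple[RouteManager, BfdSession, BfdSession]:
    """Switch A and Switch B from the example in 5.1.5; the route from Switch A
    to the NMS segment (2.2.2.0/24, assumed from Figure 5-2) tracks session aa."""
    aa = BfdSession("aa", local_ip="1.1.1.1", peer_ip="1.1.1.2",
                    local_discr=10, remote_discr=20)
    bb = BfdSession("bb", local_ip="1.1.1.2", peer_ip="1.1.1.1",
                    local_discr=20, remote_discr=remote_discr_on_b)
    aa.commit()
    bb.commit()
    rm = RouteManager([StaticRoute("2.2.2.0/24", "1.1.1.2", track="aa")],
                      {"aa": (aa, bb)})
    return rm, aa, bb


if __name__ == "__main__":
    rm, aa, bb = build_switch_a()
    print(rm.refresh())             # {('2.2.2.0/24', '1.1.1.2')}: session Up
    aa.link_up = False              # link fault detected by BFD
    print(rm.refresh())             # set(): RM module removed the route
    rm_bad, _, _ = build_switch_a(remote_discr_on_b=99)
    print(rm_bad.refresh())         # set(): discriminators do not cross-match
```

The mismatched-discriminator case is the one to watch for in practice: the session never reaches Up, so a tracked route is never installed, and the symptom is an absent route rather than an error at configuration time, which is why checking the session state and the routing table together is part of the verification below.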

Checking the Configuration


After BFD for static route is configured, you can check information about BFD sessions and
BFD for static route.

Prerequisites
BFD configurations for IPv4 static routes are complete.
Procedure
- Run the display current-configuration | include bfd command to check the configuration
  of BFD for static routes, including that the static route carries the track bfd-session
  binding.
- Run the display bfd session all command to check the status of the BFD session. Information
  about a BFD session is available only after the parameters for the session are set and the
  session is established. If BFD session negotiation succeeds, the status of the session is
  displayed as Up.
- Run the display ip routing-table command to check that the tracked static route is present
  in the routing table while the session is Up and absent after the session goes Down.

----End

5.1.5 Configuration Examples


This section provides configuration examples of static routes and BFD for static routes.

Example for Configuring IPv4 Static Routes


Networking Requirements
The PCs that belong to different network segments are connected through several Switches. IPv4
static routes should be used so that any two PCs in different network segments can communicate
with each other.
Figure 5-1 Networking diagram for configuring IPv4 static routes

  PC1 (1.1.1.2/24) -- GE0/0/2 Switch A GE0/0/1 -- GE0/0/1 Switch B GE0/0/2 -- GE0/0/1 Switch C GE0/0/2 -- PC3 (1.1.3.2/24)
                                                           GE0/0/3
                                                              |
                                                       PC2 (1.1.2.2/24)

  Switch    Interface   VLANIF Interface   IP Address
  SwitchA   GE 0/0/1    VLANIF 10          1.1.4.1/30
  SwitchA   GE 0/0/2    VLANIF 30          1.1.1.1/24
  SwitchB   GE 0/0/1    VLANIF 10          1.1.4.2/30
  SwitchB   GE 0/0/2    VLANIF 20          1.1.4.5/30
  SwitchB   GE 0/0/3    VLANIF 40          1.1.2.1/24
  SwitchC   GE 0/0/1    VLANIF 20          1.1.4.6/30
  SwitchC   GE 0/0/2    VLANIF 50          1.1.3.1/24

Configuration Roadmap
The configuration roadmap is as follows:
1. Create a VLAN to which each interface belongs.
2. Assign an IP address to each VLANIF interface.
3. Configure a default IP gateway on each host.
4. Configure static routes and default routes on each Switch.

Data Preparation
To complete the configuration, you need the following data:
- The IDs of the VLANs to which the interfaces belong are shown in Figure 5-1.
- The VLANIF interfaces and the IP addresses of the hosts are shown in Figure 5-1.
- The next hop address of the default route on Switch A is 1.1.4.2.
- On Switch B, the static route to 1.1.1.0/24 has the next hop 1.1.4.1.
- On Switch B, the static route to 1.1.3.0/24 has the next hop 1.1.4.6.
- The next hop address of the default route on Switch C is 1.1.4.5.

Configuration Procedure
1. Create a VLAN to which each interface belongs.
   The configuration details are not mentioned here.
2. Assign an IP address to each interface.
   The configuration details are not mentioned here.
3. Configure the hosts.
   Configure the default gateways of the hosts PC1, PC2, and PC3 as 1.1.1.1, 1.1.2.1, and 1.1.3.1
   respectively.
4. Configure static routes.
   # Configure a default route on Switch A.
   <SwitchA> system-view
   [SwitchA] ip route-static 0.0.0.0 0.0.0.0 1.1.4.2

   # Configure two static routes on Switch B.
   <SwitchB> system-view
   [SwitchB] ip route-static 1.1.1.0 255.255.255.0 1.1.4.1
   [SwitchB] ip route-static 1.1.3.0 255.255.255.0 1.1.4.6

   # Configure a default route on Switch C.
   <SwitchC> system-view
   [SwitchC] ip route-static 0.0.0.0 0.0.0.0 1.1.4.5

5. Verify the configuration.


# Check the routing table of Switch A.
[SwitchA] display ip routing-table
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
         Destinations : 8        Routes : 8

Destination/Mask    Proto   Pre  Cost  Flags  NextHop      Interface
       0.0.0.0/0    Static  60   0     RD     1.1.4.2      Vlanif10
      1.1.1.0/24    Direct  0    0     D      1.1.1.1      Vlanif30
      1.1.1.1/32    Direct  0    0     D      127.0.0.1    InLoopBack0
      1.1.4.0/30    Direct  0    0     D      1.1.4.1      Vlanif10
      1.1.4.1/32    Direct  0    0     D      127.0.0.1    InLoopBack0
     127.0.0.0/8    Direct  0    0     D      127.0.0.1    InLoopBack0
    127.0.0.1/32    Direct  0    0     D      127.0.0.1    InLoopBack0

# Run the ping command to verify the connectivity.
[SwitchA] ping 1.1.3.1
  PING 1.1.3.1: 56  data bytes, press CTRL_C to break
    Reply from 1.1.3.1: bytes=56 Sequence=1 ttl=254 time=62 ms
    Reply from 1.1.3.1: bytes=56 Sequence=2 ttl=254 time=63 ms
    Reply from 1.1.3.1: bytes=56 Sequence=3 ttl=254 time=63 ms
    Reply from 1.1.3.1: bytes=56 Sequence=4 ttl=254 time=62 ms
    Reply from 1.1.3.1: bytes=56 Sequence=5 ttl=254 time=62 ms

  --- 1.1.3.1 ping statistics ---
    5 packet(s) transmitted
    5 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 62/62/63 ms

# Run the tracert command to verify the connectivity.


[SwitchA] tracert 1.1.3.1
traceroute to 1.1.3.1(1.1.3.1), max hops: 30 ,packet length: 40 ,press CTRL_C
to break
1 1.1.4.2 31 ms 32 ms 31 ms
2 1.1.4.6 62 ms 63 ms 62 ms

Configuration Files
- Configuration file of Switch A


#
sysname SwitchA
#
vlan batch 10 30
#
interface Vlanif10
ip address 1.1.4.1 255.255.255.252
#
interface Vlanif30
ip address 1.1.1.1 255.255.255.0
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 10
#
interface GigabitEthernet0/0/2
port hybrid pvid vlan 30
port hybrid untagged vlan 30
#
ip route-static 0.0.0.0 0.0.0.0 1.1.4.2
#
return

- Configuration file of Switch B

#
sysname SwitchB
#
vlan batch 10 20 40
#
interface Vlanif10
ip address 1.1.4.2 255.255.255.252
#
interface Vlanif20
ip address 1.1.4.5 255.255.255.252
#
interface Vlanif40
ip address 1.1.2.1 255.255.255.0
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 10
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 20
#
interface GigabitEthernet0/0/3
port link-type access
port default vlan 40
#
ip route-static 1.1.1.0 255.255.255.0 1.1.4.1
ip route-static 1.1.3.0 255.255.255.0 1.1.4.6
#
return

- Configuration file of Switch C


#
sysname SwitchC
#
vlan batch 20 50
#
interface Vlanif20
ip address 1.1.4.6 255.255.255.252
#
interface Vlanif50
ip address 1.1.3.1 255.255.255.0
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 20
#
interface GigabitEthernet0/0/2
port hybrid pvid vlan 50
port hybrid untagged vlan 50
#
ip route-static 0.0.0.0 0.0.0.0 1.1.4.5
#
return

Example for Configuring BFD for IPv4 Static Routes


Networking Requirements
As shown in Figure 5-2, Switch A is connected to the network management system (NMS)
through Switch B. You need to configure static routes on Switch A so that Switch A can
communicate with the NMS. In addition, configure a BFD session between Switch A and Switch
B to detect link failure.

Figure 5-2 Networking diagram for configuring BFD for static routes

  Switch A GE 0/0/1 ---- GE 0/0/1 Switch B GE 0/0/2 ---- NMS (2.2.2.1/24)

  Switch     Interface             VLANIF interface   IP address
  Switch A   GigabitEthernet0/0/1  VLANIF 10          1.1.1.1/24
  Switch B   GigabitEthernet0/0/1  VLANIF 10          1.1.1.2/24
  Switch B   GigabitEthernet0/0/2  VLANIF 20          2.2.2.2/24

Configuration Roadmap
The configuration roadmap is as follows:
1. Create a BFD session on Switch A and Switch B to detect the link between Switch A and
   Switch B.
2. Configure a static route from Switch A to the NMS and bind the static route to the BFD
   session.

Data Preparation
To complete the configuration, you need the following data:
- IDs of the VLANs that the interfaces belong to, as shown in Figure 5-2
- VLANIF interfaces and the IP address of the NMS, as shown in Figure 5-2
- Peer IP address of the BFD session
- Local discriminator and remote discriminator of the BFD session
- Static route from Switch A to the NMS

Procedure
Step 1 Create VLANs and add corresponding interfaces to the VLANs.
<Quidway> system-view
[Quidway] sysname SwitchA
[SwitchA] vlan 10
[SwitchA-vlan10] quit
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port hybrid pvid vlan 10
[SwitchA-GigabitEthernet0/0/1] port hybrid untagged vlan 10
[SwitchA-GigabitEthernet0/0/1] quit

The configuration on Switch B is similar to the configuration of Switch A, and is not mentioned
here.
Step 2 Assign an IP address to each VLANIF interface.
[SwitchA] interface vlanif 10
[SwitchA-Vlanif10] ip address 1.1.1.1 24
[SwitchA-Vlanif10] quit


The configuration on Switch B is similar to the configuration on Switch A and is not mentioned
here.
Step 3 Create a BFD session between Switch A and Switch B.
# On Switch A, create a BFD session with Switch B.
<SwitchA> system-view
[SwitchA] bfd
[SwitchA-bfd] quit
[SwitchA] bfd aa bind peer-ip 1.1.1.2
[SwitchA-bfd-session-aa] discriminator local 10
[SwitchA-bfd-session-aa] discriminator remote 20
[SwitchA-bfd-session-aa] commit
[SwitchA-bfd-session-aa] quit

# On Switch B, create a BFD session with Switch A.
<SwitchB> system-view
[SwitchB] bfd
[SwitchB-bfd] quit
[SwitchB] bfd bb bind peer-ip 1.1.1.1
[SwitchB-bfd-session-bb] discriminator local 20
[SwitchB-bfd-session-bb] discriminator remote 10
[SwitchB-bfd-session-bb] commit
[SwitchB-bfd-session-bb] quit

Step 4 Configure a static route and bind the route to the BFD session.
# On Switch A, configure a static route to the external network and bind the static route
to the BFD session named aa.
[SwitchA] ip route-static 2.2.2.0 24 1.1.1.2 track bfd-session aa
[SwitchA] quit

Step 5 Verify the configuration.
# After the configuration is complete, run the display bfd session all command on Switch A
and Switch B, and you can find that the BFD session is set up and its status is Up.
Take Switch A for example. The display is as follows:
<SwitchA> display bfd session all
--------------------------------------------------------------------------------
Local  Remote  PeerIPAddress    Interface Name      State  Type
--------------------------------------------------------------------------------
10     20      1.1.1.2          --                  Up     S_IP
--------------------------------------------------------------------------------
     Total UP/DOWN Session Number : 1/0

# Check the IP routing table on Switch A, and you can find that the static route exists in the
routing table.
<SwitchA> display ip routing-table
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
         Destinations : 6        Routes : 6

Destination/Mask    Proto   Pre  Cost   Flags NextHop         Interface
1.1.1.0/24          Direct  0    0      D     1.1.1.1         Vlanif10
1.1.1.1/32          Direct  0    0      D     127.0.0.1       Vlanif10
1.1.1.255/32        Direct  0    0      D     1.1.1.2         Vlanif10
2.2.2.0/24          Static  60   0      RD    1.1.1.2         Vlanif10
127.0.0.0/8         Direct  0    0      D     127.0.0.1       InLoopBack0
127.0.0.1/32        Direct  0    0      D     127.0.0.1       InLoopBack0

# Run the shutdown command on VLANIF 10 of Switch B to simulate a link fault.


[SwitchB] interface vlanif 10
[SwitchB-Vlanif10] shutdown

# Check the routing table on Switch A, and you can find that the static route 2.2.2.0/24 no longer
exists. The reason is that the static route is bound to a BFD session, and BFD immediately
notifies that the bound static route is unavailable when a fault is detected.
<SwitchA> display ip routing-table
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
         Destinations : 5        Routes : 5

Destination/Mask    Proto   Pre  Cost   Flags NextHop         Interface
1.1.1.0/24          Direct  0    0      D     1.1.1.1         Vlanif10
1.1.1.1/32          Direct  0    0      D     127.0.0.1       Vlanif10
1.1.1.255/32        Direct  0    0      D     1.1.1.2         Vlanif10
127.0.0.0/8         Direct  0    0      D     127.0.0.1       InLoopBack0
127.0.0.1/32        Direct  0    0      D     127.0.0.1       InLoopBack0

# Run the undo shutdown command on VLANIF 10 of Switch B to simulate link recovery.
[SwitchB-Vlanif10] undo shutdown

# Check the routing table on Switch A, and you can find the static route 2.2.2.0/24 in the routing
table. After BFD detects link recovery, it immediately notifies that the bound static route is
reachable.
<SwitchA> display ip routing-table
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
         Destinations : 6        Routes : 6

Destination/Mask    Proto   Pre  Cost   Flags NextHop         Interface
1.1.1.0/24          Direct  0    0      D     1.1.1.1         Vlanif10
1.1.1.1/32          Direct  0    0      D     127.0.0.1       Vlanif10
1.1.1.255/32        Direct  0    0      D     1.1.1.2         Vlanif10
2.2.2.0/24          Static  60   0      RD    1.1.1.2         Vlanif10
127.0.0.0/8         Direct  0    0      D     127.0.0.1       InLoopBack0
127.0.0.1/32        Direct  0    0      D     127.0.0.1       InLoopBack0

----End
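The before/after check in Step 5 can be scripted. The following Python is an added example, not code from the guide or from Huawei: it parses the display ip routing-table layout shown above and reports whether the Static route bound to the BFD session is installed. The two sample tables are constructed to mirror the output before and after the simulated fault, and the helper names are this example's own.

```python
"""Check the BFD-tracked static route in 'display ip routing-table' output.

Added example, not Huawei AC6605 code: it parses the VRP routing-table layout
shown above and reports whether the Static route bound to the BFD session is
installed. The two tables below are constructed samples that mirror the output
before and after the simulated link fault; helper names are this example's own.
"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample: Switch A with the BFD session Up (route 2.2.2.0/24 present).
TABLE_LINK_UP = """\
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
         Destinations : 6        Routes : 6

Destination/Mask    Proto   Pre  Cost   Flags NextHop         Interface
1.1.1.0/24          Direct  0    0      D     1.1.1.1         Vlanif10
1.1.1.1/32          Direct  0    0      D     127.0.0.1       Vlanif10
1.1.1.255/32        Direct  0    0      D     1.1.1.2         Vlanif10
2.2.2.0/24          Static  60   0      RD    1.1.1.2         Vlanif10
127.0.0.0/8         Direct  0    0      D     127.0.0.1       InLoopBack0
127.0.0.1/32        Direct  0    0      D     127.0.0.1       InLoopBack0
"""

# Constructed sample: after BFD reported the fault, the tracked route is withdrawn.
TABLE_LINK_DOWN = """\
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
         Destinations : 5        Routes : 5

Destination/Mask    Proto   Pre  Cost   Flags NextHop         Interface
1.1.1.0/24          Direct  0    0      D     1.1.1.1         Vlanif10
1.1.1.1/32          Direct  0    0      D     127.0.0.1       Vlanif10
1.1.1.255/32        Direct  0    0      D     1.1.1.2         Vlanif10
127.0.0.0/8         Direct  0    0      D     127.0.0.1       InLoopBack0
127.0.0.1/32        Direct  0    0      D     127.0.0.1       InLoopBack0
"""

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
# One route line: Destination/Mask Proto Pre Cost Flags NextHop Interface.
# Flags may be empty on real output, so that group is [A-Z]* between \s+ runs.
ROUTE_RE = re.compile(
    rf"^(?P<dest>{IPV4}/\d{{1,2}})\s+(?P<proto>\S+)\s+(?P<pre>\d+)\s+(?P<cost>\d+)"
    rf"\s+(?P<flags>[A-Z]*)\s+(?P<nexthop>{IPV4})\s+(?P<iface>\S+)\s*$"
)
COUNT_RE = re.compile(r"Destinations\s*:\s*(\d+)\s+Routes\s*:\s*(\d+)")


def parse_routing_table(text: str) -> List[Dict[str, str]]:
    """Return one dict per route line; header and separator lines are skipped."""
    routes = []
    for line in text.splitlines():
        match = ROUTE_RE.match(line.strip())
        if match:
            routes.append(match.groupdict())
    return routes


def header_counts(text: str) -> Optional[Tuple[int, int]]:
    """(Destinations, Routes) from the table header, or None if absent."""
    match = COUNT_RE.search(text)
    return (int(match.group(1)), int(match.group(2))) if match else None


def tracked_static_present(text: str, dest: str, next_hop: str) -> bool:
    """True when a Static route to dest via next_hop is installed in the FIB.

    Flag D means the route was downloaded to the FIB; a route bound to a BFD
    session disappears from the table entirely once BFD reports the link down.
    """
    for route in parse_routing_table(text):
        if route["dest"] == dest and route["proto"] == "Static":
            return route["nexthop"] == next_hop and "D" in route["flags"]
    return False


def table_is_consistent(text: str) -> bool:
    """Cross-check the header's route count against the parsed route lines."""
    counts = header_counts(text)
    return counts is not None and counts[1] == len(parse_routing_table(text))


if __name__ == "__main__":
    for label, table in (("link up", TABLE_LINK_UP), ("link down", TABLE_LINK_DOWN)):
        print(label, "2.2.2.0/24 via 1.1.1.2 installed:",
              tracked_static_present(table, "2.2.2.0/24", "1.1.1.2"))
```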

Configuration Files
- Configuration file of Switch A


#
sysname SwitchA
#
vlan batch 10
#
bfd
#
interface Vlanif10
ip address 1.1.1.1 255.255.255.0
#
interface GigabitEthernet0/0/1
port hybrid pvid vlan 10
port hybrid untagged vlan 10
#
bfd aa bind peer-ip 1.1.1.2
discriminator local 10
discriminator remote 20
commit
#
ip route-static 2.2.2.0 255.255.255.0 1.1.1.2 track bfd-session aa
#
return

- Configuration file of Switch B
#
sysname SwitchB
#
vlan batch 10 20
#
bfd
#
interface Vlanif10
ip address 1.1.1.2 255.255.255.0
#
interface Vlanif20
ip address 2.2.2.2 255.255.255.0
#
interface GigabitEthernet0/0/1
port hybrid pvid vlan 10
port hybrid untagged vlan 10
#
interface GigabitEthernet0/0/2
port hybrid pvid vlan 20
port hybrid untagged vlan 20
#
bfd bb bind peer-ip 1.1.1.1
discriminator local 20
discriminator remote 10
commit
#
return

5.2 RIP Configuration


RIP can advertise and receive routes to affect the selection of data forwarding paths, and can
provide the network management function. RIP is commonly used on small-scale networks.

5.2.1 Overview of RIP


RIP is widely used on small-scale networks because it is simple to deploy and easier to configure
and maintain than OSPF and IS-IS.
The Routing Information Protocol (RIP) is a simple Interior Gateway Protocol (IGP). RIP is
mainly used on small-scale networks such as campus networks and simple regional networks.
RIP uses the distance-vector routing algorithm and exchanges routing information by using User
Datagram Protocol (UDP) packets through port 520.
RIP uses the hop count to measure the distance to the destination. The distance is called the
routing metric. In RIP, the hop count from a Switch to its directly connected network is 0, and
the hop count from a Switch to a network, which can be reached through another Switch, is 1.
To speed up route convergence, RIP defines the cost as an integer that ranges from 0 to 15. If
the hop count is equal to or exceeds 16, the destination network or host is unreachable because
the path is considered to have an infinite metric. It is this limitation to the hop count that makes
RIP inapplicable to large-scale networks.
To improve network performance and prevent routing loops, RIP supports both split horizon
and poison reverse.
Split horizon is a method of preventing routing loops in a network and reducing bandwidth
consumption. The basic principle is simple: routing information for a particular route is never
sent back out of the interface from which it was received.

With poison reverse, RIP sets the cost of a route learned from a neighbor's interface to 16
(marking the route as unreachable) and then sends the route back to that neighbor from the
same interface. In this way, RIP can delete useless routes from the routing table of the
neighbor.

RIP has two versions:
- RIPv1
- RIPv2

RIPv1 is a classful routing protocol, whereas RIPv2 is a classless routing protocol. In RIPv2,
address 224.0.0.9 is the multicast address of a RIP router.
Compared with RIPv1, RIPv2 has the following advantages:
- Supports route tags and can flexibly control routes on the basis of the tag in the routing
  policy.
- Provides packets that contain mask information and supports route aggregation and
  Classless Inter-domain Routing (CIDR).
- Supports the next hop address and can select the optimal next hop address in the broadcast
  network.
- Uses multicast to send update packets. Only RIPv2 routers can receive protocol
  packets. This reduces the resource consumption.
- Provides two authentication modes to enhance security: plain-text
  authentication and MD5 authentication.

5.2.2 RIP Features Supported by the AC6605


The RIP features supported by the AC6605 include RIPv1, RIPv2, split horizon, poison reverse,
and multi-instance.
The AC6605 supports the following RIP features:
- RIPv1 and RIPv2
- RIP multi-instance, which functions as an internal routing protocol for VPNs and runs
  between CEs and PEs in MPLS L3VPN networks

5.2.3 Configuring Basic RIP Functions


To implement RIP features, configure basic RIP functions including enabling RIP, specifying
the network segment in which RIP runs, and setting the RIP version.

Establishing the Configuration Task


Before configuring basic RIP functions, familiarize yourself with the applicable environment,
complete the pre-configuration tasks, and obtain the required data. This can help you complete
the configuration task quickly and accurately.

Applicable Environment
Configuring basic RIP functions allows you to enjoy certain RIP features.
Pre-configuration Tasks
Before configuring basic RIP functions, complete the following tasks:
- Configuring the link layer protocol
- Configuring IP addresses for interfaces to ensure that neighboring nodes are reachable at
  the network layer

Data Preparation
To configure basic RIP functions, you need the following data.
- RIP process ID
- Network segment in which the RIP interface resides
- RIP version number

Enabling RIP
Creating RIP processes is the prerequisite to performing RIP configurations.

Context
If you run RIP-related commands in the interface view before enabling RIP, the configurations
take effect only after RIP is enabled.
Do as follows on the Switch to be enabled with RIP:

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
rip [ process-id ]

The RIP is enabled and the RIP view is displayed.


RIP supports multi-instance. To associate RIP processes with VPN instances, you can run the
rip [ process-id ] vpn-instance vpn-instance-name command.

NOTE

For easy management and effective control, RIP supports multi-process and multi-instance. The multi-process
feature allows a set of interfaces to be associated with a specific RIP process, and an interface can
be associated with only one RIP process. This ensures that the specific RIP process performs all the protocol
operations only on this set of interfaces. Thus, multiple RIP processes can work on a single router and each
process is responsible for a unique set of interfaces. In addition, the routing data is independent between
RIP processes; however, routes can be imported between processes.
For the routers that support the VPN, each RIP process is associated with a specific VPN instance. In this
case, all the interfaces attached to the RIP process should be associated with the RIP-process-related VPN
instance.

Step 3 (Optional) Run:
description

Descriptions for RIP processes are configured.


----End

Enabling RIP on the Specified Network Segment


After enabling RIP, you need to specify the network segment in which RIP runs. RIP runs only
on the interfaces on the specified network segment. RIP does not receive, send, or forward routes
on the interfaces that do not reside on the specified network segment.

Context
By default, after RIP is enabled, it is disabled on all interfaces.
Do as follows on the Switch to be enabled with RIP.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
rip [ process-id ]

The RIP process is enabled and the RIP view is displayed.


Step 3 Run:
network network-address

RIP is enabled in the specified network segment.


network-address specifies the address of a natural network segment.
NOTE

An interface can be associated with only one RIP process.


If any network segment in which an interface configured with multiple sub-interface IP addresses resides
is associated with a RIP process, the interface cannot be associated with any other RIP processes.

----End
Configuring RIP Version Number


RIP versions include RIPv1 and RIPv2. The two versions have different functions.

Context
Do as follows on the RIP Switch.

Procedure
- Configuring the Global RIP Version Number
  1. Run:
     system-view

     The system view is displayed.
  2. Run:
     rip [ process-id ]

     The RIP process is enabled and the RIP view is displayed.
  3. Run:
     version { 1 | 2 }

     The global RIP version number is specified.
- Configuring the RIP Version Number for an Interface
  1. Run:
     system-view

     The system view is displayed.
  2. Run:
     interface vlanif interface-number

     The interface view is displayed.
  3. Run:
     rip version { 1 | 2 [ broadcast | multicast ] }

     The RIP version number of the packets received by the interface is specified.
     NOTE
     By default, an interface receives both RIPv1 and RIPv2 packets but sends only RIPv1 packets.
     When configuring RIPv2 on an interface, you can specify the mode in which the interface sends
     packets. If no RIP version number is configured in the interface view, the global RIP version
     is used. The RIP version set on an interface takes precedence over the global RIP version.

----End

Checking the Configuration


After basic RIP functions are successfully configured, you can view the current running status,
configuration, and routing information of RIP.

Prerequisites
The configurations of basic RIP functions are complete.
Procedure
- Run the display rip [ process-id | vpn-instance vpn-instance-name ] command to check the
  running status and configuration of RIP.
- Run the display rip process-id route command to check all the RIP routes that are learned
  from other Switches.
- Run the display default-parameter rip command to check the default RIP configuration.
- Run the display rip process-id statistics interface { all | interface-type interface-number
  [ verbose | neighbor neighbor-ip-address ] } command to check statistics about RIP interfaces.

----End

5.2.4 Configuring RIP Route Attributes


By setting RIP route attributes, you can change RIP routing policies to meet the requirements
of complex networks.

Establishing the Configuration Task


RIP route attributes include the RIP preference, additional metrics of an interface, and maximum
number of equal-cost routes.

Applicable Environment
For complex networks, you can set RIP route attributes to change RIP routing policies. After
performing the configuration procedures in this section, you can:
- Affect route selection by changing the additional metric of a RIP interface.
- Change the matching order by configuring the RIP preference when multiple routing
  protocols discover routes to the same destination.
- Implement load balancing among multiple equal-cost routes.

Pre-configuration Tasks
Before configuring RIP route attributes, complete the following tasks:
- Configuring IP addresses for interfaces to ensure that neighboring nodes are reachable at
  the network layer
- Configuring Basic RIP Functions

Data Preparation
To configure RIP route attributes, you need the following data.
- Additional metric of the interface
- RIP preference
- Maximum number of equal-cost routes

Configuring Additional Metrics of an Interface


The additional metric is the metric (hop count) to be added to the original metric of a RIP route.
You can specify commands to set additional metrics for incoming and outgoing RIP routes.

Context
The additional metric is added to the original metric of the RIP route.
- The rip metricin command adds an additional metric to an incoming route. After
  this route is added to the routing table, its metric in the routing table changes. Running this
  command therefore affects route selection on the local device and on other devices on the network.
- The rip metricout command adds an additional metric to an outgoing route. When
  this route is advertised, the additional metric is added to the advertised route, but the metric of the
  route in the routing table does not change. Running this command does not affect route
  selection on the local device or other devices on the network.

Do as follows on the RIP Switch:

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
interface interface-type interface-number

The interface view is displayed.


The interface must be a VLANIF interface.
Step 3 Run:
rip metricin value

The metric added to an incoming route is set.


Step 4 Run:
rip metricout { value | { acl-number | acl-name acl-name | ip-prefix ip-prefix-name } value1 }

The metric added to an outgoing route is set.


NOTE

You can specify the value of the metric to be added to the RIP route that passes the filtering policy by
specifying value1 through an ACL or an IP prefix list. If a RIP route does not pass the filtering, its metric
is increased by 1.

----End
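The following Python model is added here and is not part of the guide or of Huawei's software. It ties together the RIP behaviour described in 5.2.1 (hop-count metric, 16 as unreachable, split horizon, poison reverse) with the rip metricin and rip metricout semantics of this section, so the difference between "changes the table" and "changes only the advertisement" can be observed. Interface names, addresses and prefixes are constructed; the model's convention that the hop increment is applied on output (metricout defaults to 1, metricin to 0) is an assumption of the model, not a statement of AC6605 defaults.

```python
"""Toy model of RIP update handling (added example; not Huawei AC6605 code).

It models what the text describes: a hop-count metric with 16 meaning unreachable,
split horizon, poison reverse, and the rip metricin / rip metricout semantics
(metricin changes the metric stored in the routing table, metricout changes only
the advertised copy). Names, addresses and prefixes are constructed sample data.
Model convention, not a statement of device defaults: the per-hop increment is
applied on output, so metricout defaults to 1 and metricin to 0.
"""
from dataclasses import dataclass, field

INFINITY = 16  # a metric of 16 or more means "unreachable" in RIP


@dataclass
class RipRoute:
    metric: int
    next_hop: str
    interface: str  # interface the route was learned on; "" = directly connected


@dataclass
class RipInterface:
    name: str
    metricin: int = 0           # added to received routes before table insertion
    metricout: int = 1          # added to advertised routes only
    split_horizon: bool = True
    poison_reverse: bool = False


@dataclass
class RipRouter:
    interfaces: dict
    table: dict = field(default_factory=dict)

    def add_direct(self, prefix: str) -> None:
        """A directly connected network has hop count 0 and no learning interface."""
        self.table[prefix] = RipRoute(0, "0.0.0.0", "")

    def receive_update(self, iface: str, neighbor: str, entries: dict) -> None:
        """Process a RIP update received from neighbor on iface."""
        metricin = self.interfaces[iface].metricin
        for prefix, adv_metric in entries.items():
            # metricin is applied before the route enters the table, so it changes
            # the stored metric and therefore route selection on this router.
            metric = min(adv_metric + metricin, INFINITY)
            current = self.table.get(prefix)
            if current is None:
                if metric < INFINITY:       # never install an unreachable route
                    self.table[prefix] = RipRoute(metric, neighbor, iface)
            elif current.next_hop == neighbor and current.interface == iface:
                # Same source as the installed route: always take the new metric,
                # so a poisoned (16) route withdraws it.
                if metric >= INFINITY:
                    del self.table[prefix]
                else:
                    current.metric = metric
            elif metric < current.metric:   # better path through another neighbor
                self.table[prefix] = RipRoute(metric, neighbor, iface)

    def build_update(self, iface: str) -> dict:
        """Entries this router advertises out of iface."""
        intf = self.interfaces[iface]
        update = {}
        for prefix, route in self.table.items():
            learned_here = route.interface == iface
            if learned_here and intf.poison_reverse:
                update[prefix] = INFINITY   # poison reverse: send it back as unreachable
            elif learned_here and intf.split_horizon:
                continue                    # split horizon: do not send it back at all
            else:
                # metricout is added to the advertised copy only; the table is unchanged
                update[prefix] = min(route.metric + intf.metricout, INFINITY)
        return update


def demo() -> dict:
    """Router B between A (on vlanif10) and C (on vlanif20); constructed data."""
    b = RipRouter({
        "vlanif10": RipInterface("vlanif10", metricin=2),  # like 'rip metricin 2'
        "vlanif20": RipInterface("vlanif20", metricout=3, poison_reverse=True),
    })
    b.add_direct("10.0.1.0/24")
    # A advertises its LAN (1 hop away) and a network that is already 15 hops away.
    b.receive_update("vlanif10", "10.0.0.1", {"192.168.1.0/24": 1, "10.99.0.0/16": 15})
    b.receive_update("vlanif20", "10.0.2.2", {"172.16.0.0/16": 1})  # from C
    to_a = b.build_update("vlanif10")
    to_c = b.build_update("vlanif20")
    # C later withdraws its network by advertising it with metric 16.
    b.receive_update("vlanif20", "10.0.2.2", {"172.16.0.0/16": INFINITY})
    return {
        "table_metric_192": b.table["192.168.1.0/24"].metric,  # 1 + metricin 2 = 3
        "table_metric_direct": b.table["10.0.1.0/24"].metric,  # metricout leaves it 0
        "far_route_installed": "10.99.0.0/16" in b.table,      # 15 + 2 >= 16: False
        "to_a": to_a,
        "to_c": to_c,
        "withdrawn_route_present": "172.16.0.0/16" in b.table,  # False
    }
```

In the update sent back to A, 192.168.1.0/24 is suppressed by split horizon, while in the update sent to C the route learned from C appears with metric 16 (poison reverse) and the directly connected network carries metricout 3 although its table metric stays 0.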

Configuring RIP Preference


When there are routes discovered by multiple routing protocols on the same Switch, you can set
RIP preferences to instruct the Switch to prefer certain RIP routes over others.
Context
Do as follows on the RIP Switch:

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
rip [ process-id ]

The RIP process is enabled and the RIP view is displayed.


Step 3 Run:
preference { preference | route-policy route-policy-name } *

The RIP preference is set.


By default, the RIP preference is 100.
----End

Setting the Maximum Number of Equal-Cost Routes


By setting the maximum number of equal-cost RIP routes, you can change the number of routes
for load balancing.

Context
Do as follows on the RIP Switch:

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
rip [ process-id ]

The RIP process is enabled and the RIP view is displayed.


Step 3 Run:
maximum load-balancing number

The maximum number of equal-cost routes is set.


----End

Checking the Configuration


After RIP route attributes are successfully set, you can view the current running status,
configuration, and routing information about RIP.
Prerequisites
The configurations for RIP route attributes are complete.

Procedure
- Run the display rip [ process-id | vpn-instance vpn-instance-name ] command to check the
  running status and configuration of RIP.
- Run the display rip process-id database command to check all activated routes in the RIP
  database.
- Run the display rip process-id route command to check all the RIP routes that are learned
  from other Switches.

----End

5.2.5 Controlling the Advertising of RIP Routing Information


To meet the requirements of complex networks, accurately controlling the advertising of RIP
routing information is essential.

Establishing the Configuration Task


RIP routing information can be advertised through default routes, Update packets, and imported
external routes.

Applicable Environment
To meet the requirements of a network, you need to control the advertising of RIP routing
information accurately. After performing the configuration procedures in this section, you can:
- Advertise default routes to neighbors.
- Suppress interfaces from sending RIP Update packets.
- Import external routes from various routing protocols and filter the routes to be advertised.

Pre-configuration Tasks
Before configuring the Switch to control the advertising of RIP routing information, complete
the following tasks:
- Configuring IP addresses for interfaces to ensure that neighboring nodes are reachable at
  the network layer
- Configuring Basic RIP Functions

Data Preparation
To control the advertising of RIP routing information, you need the following data.
- Metric of the default route to be advertised
- Number of the interface that is suppressed from sending RIP Update packets
- Protocol name and process ID of the external route to be imported

Configuring RIP to Advertise Default Routes


A default route is a route destined for 0.0.0.0. By default, RIP does not advertise default routes
to its neighbors.

Context
Do as follows on the RIP Switch:

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
rip [ process-id ]

The RIP process is enabled and the RIP view is displayed.


Step 3 Run:
default-route originate [ cost cost | { { match default | route-policy route-policy-name } [ avoid-learning ] } ] *

RIP is configured to advertise a default route. When a route policy is specified, RIP generates the default
route only if a route permitted by the route policy is active in the routing table.
----End

Disabling an Interface from Sending Update Packets


Disabling interfaces from sending Update packets is a method of preventing routing loops and
can be implemented in two ways.

Context
Do as follows on the RIP Switch:

Procedure
- Configuration in a RIP Process (with a High Priority)
  1. Run:
     system-view

     The system view is displayed.
  2. Run:
     rip [ process-id ]

     The RIP process is enabled and the RIP view is displayed.
  3. Run one of the following commands depending on the site requirements.
     Run:
     silent-interface all

     All interfaces are disabled from sending Update packets.
     Run:
     silent-interface interface-type interface-number

     An interface is disabled from sending Update packets.

     You can set an interface to silent so that it only receives Update packets to update its
     routing table. The silent-interface command takes precedence over the rip output
     command in the interface view.
     By default, an interface can receive and send Update packets.
- Configuration in the Interface View (with a Low Priority)
  1. Run:
     system-view

     The system view is displayed.
  2. Run:
     interface interface-type interface-number

     The interface view is displayed.
     The interface must be a VLANIF interface.
  3. Run:
     undo rip output

     The interface is disabled from sending RIP Update packets.

     By running this command, you can specify whether to send RIP Update packets on
     an interface. The silent-interface command takes precedence over the undo rip
     output command. By default, an interface is allowed to send RIP Update packets.
----End

Configuring RIP to Import External Routes


To enrich its routing information, RIP can import the routes learned by other processes or other
routing protocols.

Context
Do as follows on the RIP Switch:

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
rip [ process-id ]

The RIP process is enabled and the RIP view is displayed.


Step 3 (Optional) Run:
default-cost cost

The default cost of imported routes is set.


If no cost is specified when external routes are imported, the default cost is used.
Step 4 Run:
import-route bgp [ permit-ibgp ] [ cost { cost | transparent } | route-policy route-policy-name ] *
or
import-route { { static | direct | unr } | { { rip | ospf | isis } [ process-id ] } } [ cost cost | route-policy route-policy-name ] *
NOTE

Importing IBGP routes into a RIP process can lead to routing loops. The administrator should guard
against routing loops before configuring permit-ibgp.

Step 5 (Optional) Run:
filter-policy { acl-number | acl-name acl-name | ip-prefix ip-prefix-name } export
[ protocol [ process-id ] | interface-type interface-number ]

The imported routes are filtered when being advertised.


If the routing information to be advertised by RIP contains the routes imported from other routing
protocols, you can specify protocol to filter the specified routes. If protocol is not specified, all
the routing information to be advertised will be filtered, including the imported routes and local
RIP routes (directly connected routes).
NOTE

The Tag field in RIP is 16 bits in length, whereas the Tag field in other routing protocols is 32 bits in length.
If the routes of other routing protocols are imported and the tag is used in the routing policy, ensure that
the tag value does not exceed 65535. Otherwise, the routing policy becomes invalid or the matching result
is incorrect.

----End

Checking the Configuration


After the function of controlling the advertising of RIP routing information is successfully
configured, you can view the current running status, configuration, and routing information
about RIP.

Prerequisites
The configurations for controlling the advertising of RIP routing information are complete.

Procedure
- Run the display rip [ process-id | vpn-instance vpn-instance-name ] command to check
  the running status and configuration of RIP.
- Run the display rip process-id database command to check all activated routes in the RIP
  database.
- Run the display rip process-id route command to check all the RIP routes that are learned
  from other Switches.

----End

5.2.6 Controlling the Receiving of RIP Routing Information


To meet the requirements of complex networks, accurately controlling the receiving of RIP
routing information is essential.

Establishing the Configuration Task


You can obtain RIP routing information by receiving Update packets and host routes.

Applicable Environment
In practice, to meet the requirements of a complex network, it is required to control the receiving
of RIP routing information accurately. After performing configuration procedures in this section,
you can:
- Disable an interface from receiving RIP Update packets.
- Filter the received routing information.
- Import external routes from various routing protocols and filter the imported routes.

Pre-configuration Tasks
Before configuring a Switch to control the receiving of RIP routing information, complete the
following tasks:
- Configuring IP addresses for interfaces to ensure that neighboring nodes are reachable at
  the network layer
- Configuring Basic RIP Functions

Data Preparation
To control the receiving of RIP routing information, you need the following data.
- ACL used to filter the routing information

Disabling an Interface from Receiving RIP Update Packets


Disabling interfaces from receiving Update packets is a method of preventing routing loops.

Context
By default, an interface is allowed to receive RIP Update packets.
Do as follows on the RIP Switch:
Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
interface interface-type interface-number

The interface view is displayed.


The interface must be a VLANIF interface.
Step 3 Run:
undo rip input

The interface is disabled from receiving RIP Update packets.


----End

Disabling RIP from Receiving Host Routes


When you disable RIP from receiving host routes on a router, the router refuses host routes.
This prevents the router from receiving a large number of unnecessary routes and wasting
network resources.

Context
In certain situations, a Switch may receive a large number of host routes from the same network
segment. These routes are not required in route addressing, but consume many network
resources. You can configure the Switch to refuse to accept host routes by disabling RIP from
accepting host routes.
By default, host routes are added to the routing table.
Do as follows on the RIP Switch:

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
rip [ process-id ]

The RIP process is enabled and the RIP view is displayed.


Step 3 Run:
undo host-route

RIP is disabled from adding host routes to the routing table.


NOTE

The undo host-route command does not take effect in RIP version 2. By default, RIP version 2 always
supports host routes.

----End

Configuring RIP to Filter the Received Routes


By specifying ACLs and IP prefix lists, you can configure the inbound policy to filter the routes
to be received. You can also configure a router to receive only RIP packets from a specified
neighbor.

Context
The Switch can filter routing information. To filter the imported and advertised routes, you can
configure inbound and outbound routing policies by specifying ACLs and IP prefix lists.
You can also configure the Switch to receive RIP packets only from a specified neighbor.
Do as follows on the RIP Switch:

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
rip [ process-id ]

The RIP process is enabled and the RIP view is displayed.


Step 3 Depending on the type of filtering required, run one of the following commands to configure
RIP to filter the received routes:
- Run:
  filter-policy { acl-number | acl-name acl-name } import

  The learned routing information is filtered based on an ACL.
- Run:
  filter-policy gateway ip-prefix-name import

  The routing information advertised by neighbors is filtered based on the IP prefix list.
- Run:
  filter-policy ip-prefix ip-prefix-name [ gateway ip-prefix-name ] import [ interface-type interface-number ]

  The routes learned by the specified interface are filtered based on the IP prefix list and
  neighbors.
NOTE

To filter routes to be advertised, run the filter-policy { acl-number | acl-name acl-name | ip-prefix ip-prefix-name } export [ protocol [ process-id ] | interface-type interface-number ] command.

----End
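The inbound filtering logic that these commands configure, as an added Python illustration (not AC6605 code, and not how the VRP software implements it): routes learned from a neighbor are checked first against a prefix rule list and then against a gateway rule list, rules are evaluated in order with first match winning, and an unmatched route is dropped. The rule format, the greater-equal/less-equal range semantics and the sample routes are assumptions made for the example.

```python
"""Simulate RIP inbound route filtering (filter-policy ... import).

Added example, not AC6605 or VRP code. Two filters from the section are
modelled: a prefix filter on the destination of each learned route and a
gateway filter on the advertising neighbor. Rules are checked in order,
first match wins, and an unmatched route is denied (the implicit deny of an
IP prefix list; the default for an ACL-based filter should be checked on the
platform in use).
"""
from dataclasses import dataclass
from ipaddress import IPv4Network
from typing import List, Optional, Tuple

# (action, prefix, greater-equal, less-equal). Assumed semantics for the
# example: without ge/le the prefix length must match exactly; with ge only,
# lengths ge..32 match; with le only, lengths prefixlen..le match.
Rule = Tuple[str, str, Optional[int], Optional[int]]


@dataclass
class RipRoute:
    dest: str      # destination network, e.g. "172.16.1.0/24"
    nexthop: str   # neighbor that advertised the route
    metric: int


def rule_matches(rule: Rule, net: IPv4Network) -> bool:
    """True if net falls inside the rule's prefix and length range."""
    _, prefix, ge, le = rule
    base = IPv4Network(prefix)
    low = ge if ge is not None else base.prefixlen
    high = le if le is not None else (32 if ge is not None else base.prefixlen)
    if not low <= net.prefixlen <= high:
        return False
    return net.subnet_of(base)


def permitted(rules: List[Rule], dest: str) -> bool:
    """First matching rule decides; no match means deny."""
    net = IPv4Network(dest)
    for rule in rules:
        if rule_matches(rule, net):
            return rule[0] == "permit"
    return False


def filter_import(routes, prefix_rules=None, gateway_rules=None):
    """Apply the prefix filter, then the gateway filter, to learned routes.

    Returns (accepted routes, [(rejected route, which filter dropped it)]).
    A filter that is None is not configured and lets everything through.
    """
    accepted, rejected = [], []
    for route in routes:
        if prefix_rules is not None and not permitted(prefix_rules, route.dest):
            rejected.append((route, "prefix"))
            continue
        if gateway_rules is not None and not permitted(gateway_rules, route.nexthop + "/32"):
            rejected.append((route, "gateway"))
            continue
        accepted.append(route)
    return accepted, rejected


def demo():
    # Constructed sample: four routes from the expected neighbor, one from a
    # host that is not a configured neighbor.
    learned = [
        RipRoute("172.16.1.0/24", "192.168.1.2", 1),
        RipRoute("10.1.1.0/24", "192.168.1.2", 1),
        RipRoute("10.1.1.1/32", "192.168.1.2", 1),     # host route
        RipRoute("172.16.0.0/16", "192.168.1.2", 2),
        RipRoute("172.16.2.0/24", "192.168.1.99", 1),  # unexpected gateway
    ]
    prefix_rules = [
        ("permit", "172.16.0.0/16", 16, 24),   # 172.16/16 and its /17-/24 subnets
        ("deny", "10.0.0.0/8", 32, 32),        # no host routes from 10/8
        ("permit", "10.0.0.0/8", 8, 24),
    ]
    gateway_rules = [("permit", "192.168.1.2/32", None, None)]
    return filter_import(learned, prefix_rules, gateway_rules)


if __name__ == "__main__":
    ok, dropped = demo()
    for r in ok:
        print("accept", r.dest, "via", r.nexthop)
    for r, why in dropped:
        print("drop  ", r.dest, "via", r.nexthop, "by", why, "filter")
```

The gateway filter is what keeps an unexpected host on the segment from injecting routes, and the host-route deny shows the same effect as the undo host-route command but scoped to one prefix range.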
Checking the Configuration


After the receiving of RIP routing information is successfully controlled, you can view the
current running status, configuration, and routing information about RIP.

Procedure
• Run the display rip [ process-id | vpn-instance vpn-instance-name ] command to check the running status and configuration of RIP.
• Run the display rip process-id database [ verbose ] command to check all activated RIP routes in the database.
• Run the display rip process-id interface [ interface-type interface-number ] [ verbose ] command to check information about the RIP interface.
• Run the display rip process-id neighbor [ verbose ] command to check information about RIP neighbors.
• Run the display rip process-id route command to check all the RIP routes that are learned from other Switches.

----End

5.2.7 Configuring RIP-2 Features


Different from RIP-1, RIP-2 supports VLSM, CIDR, and authentication to ensure higher
security.

Establishing the Configuration Task


Before configuring RIP-2 features, familiarize yourself with the applicable environment,
complete the pre-configuration tasks, and obtain the data required for the configuration. This
will help you complete the configuration task quickly and accurately.

Applicable Environment
RIP-2 is a classless routing protocol. A RIP-2 packet carries subnet mask information, so deploying a RIP-2 network saves IP addresses. On a network where the IP addresses of devices are not consecutive, only RIP-2 can be deployed; RIP-1 cannot.
RIP-2 features include:
• RIP-2 route summarization
• RIP-2 authentication mode

Pre-configuration Tasks
Before configuring RIP-2 features, complete the following tasks:
• Configuring the link layer protocol
• Configuring IP addresses for interfaces to ensure that neighboring nodes are reachable at the network layer

Data Preparation
To configure RIP-2 features, you need the following data.
No.  Data
1    RIP-2 process ID
2    Network segment where the RIP-2 interface resides

Configuring RIP-2 Route Summarization


Route summarization is enabled in RIP-1 by default and does not need to be configured. RIP-2 supports VLSM and CIDR. You can configure route summarization in RIP-2 to improve the flexibility of RIP-2. To broadcast all subnet routes, you can disable route summarization in RIP-2.

Context
Route summarization indicates that multiple subnet routes on the same natural network segment
are summarized into one route with the natural mask when being advertised to other network
segments. Therefore, route summarization reduces the network traffic and the size of the routing
table.
Route summarization does not take effect in RIP-1. RIP-2 supports Variable Length Subnet
Mask (VLSM) and Classless Interdomain Routing (CIDR). To broadcast all subnet routes, you
can disable automatic route summarization of RIP-2.
Do as follows on the RIP Switch:
NOTE

Route summarization is invalid when poison reverse is configured. When the summarized routes are sent
outside the natural network boundary, poison reverse in related views needs to be disabled.

Procedure
• Enabling RIP-2 Automatic Route Summarization
  1. Run:
     system-view

     The system view is displayed.
  2. Run:
     rip [ process-id ]

     The RIP process is enabled and the RIP view is displayed.
  3. Run:
     version 2

     RIP-2 is configured.
  4. Run:
     summary [ always ]

     To enable RIP-2 automatic route summarization only when split horizon is disabled, always does not need to be configured.
     To enable RIP-2 automatic route summarization regardless of the split horizon configuration, always must be configured.
NOTE

The summary command is used in the RIP view to enable classful network-based route
summarization.

• Configuring RIP-2 to Advertise the Summary Address
  1. Run:
     system-view

     The system view is displayed.
  2. Run:
     interface interface-type interface-number

     The interface view is displayed.
     The interface must be a VLANIF interface.
  3. Run:
     rip summary-address ip-address mask [ avoid-feedback ]

     The local summary address of RIP-2 is advertised.

     NOTE

     The rip summary-address ip-address mask [ avoid-feedback ] command is run in the interface view to enable classless network-based route summarization.

----End
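What classful (natural-mask) summarization and a configured summary address do to the routes a RIP speaker advertises, as an added Python model (not AC6605 or VRP code): routes in a different natural network from the outgoing interface collapse to the natural network, routes covered by a configured summary address are replaced by it, and routes inside the interface's own natural network are advertised unchanged. The sample routes and the advertised_routes helper are constructed for the example; the poison reverse interaction described in the NOTE above is not modelled.

```python
"""Model RIP-2 route summarization at advertisement time.

Added example, not AC6605 or VRP code. Shows (a) the classful summarization
the summary command enables, where subnet routes leaving their natural
network are advertised with the natural mask, and (b) the classless
summarization the rip summary-address command enables, where routes inside
a configured summary prefix are replaced by that prefix.
"""
from ipaddress import IPv4Network
from typing import Iterable, List


def natural_prefixlen(net: IPv4Network) -> int:
    """Classful (natural) mask length from the first octet."""
    first_octet = int(net.network_address) >> 24
    if first_octet < 128:
        return 8      # class A
    if first_octet < 192:
        return 16     # class B
    if first_octet < 224:
        return 24     # class C
    raise ValueError(f"{net} has no natural mask (class D/E)")


def classful_summary(net: IPv4Network) -> IPv4Network:
    """The natural network that contains net."""
    return IPv4Network((int(net.network_address), natural_prefixlen(net)), strict=False)


def advertised_routes(routes: Iterable[str], out_interface: str,
                      auto_summary: bool = True,
                      summary_addresses: Iterable[str] = ()) -> List[str]:
    """Routes as they would be sent out of out_interface (e.g. "192.168.1.1/24").

    summary_addresses models rip summary-address entries on that interface.
    """
    iface_net = IPv4Network(out_interface, strict=False)
    iface_classful = classful_summary(iface_net)
    summaries = [IPv4Network(s) for s in summary_addresses]
    sent = set()
    for dest in routes:
        net = IPv4Network(dest)
        covering = next((s for s in summaries if net.subnet_of(s)), None)
        if covering is not None:
            sent.add(covering)                     # classless summary wins
        elif auto_summary and not net.subnet_of(iface_classful):
            sent.add(classful_summary(net))        # crossing a natural boundary
        else:
            sent.add(net)                          # same natural network: unchanged
    return sorted(str(n) for n in sent)


# Constructed sample: routes in a RIP speaker's table, advertised out of a
# VLANIF interface addressed 192.168.1.1/24.
SAMPLE_ROUTES = ["172.16.1.0/24", "172.16.2.0/24", "10.1.1.0/24",
                 "10.1.2.0/25", "192.168.1.128/25"]


def demo_classful() -> List[str]:
    return advertised_routes(SAMPLE_ROUTES, "192.168.1.1/24", auto_summary=True)


def demo_summary_address() -> List[str]:
    return advertised_routes(SAMPLE_ROUTES, "192.168.1.1/24", auto_summary=False,
                             summary_addresses=["10.1.0.0/16"])


if __name__ == "__main__":
    print("summary enabled        :", demo_classful())
    print("summary-address 10.1/16:", demo_summary_address())
```

The first result is the same classful view that the RIPv1 routing table in the configuration example in 5.2.12 shows at Switch A (172.16.0.0/16 and 10.0.0.0/8 with natural masks); the second shows why a neighbor that needs the /24 subnets must receive an unsummarized RIP-2 advertisement or a summary address that fits.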

Configuring Packet Authentication of RIP-2


RIP-2 supports the ability to authenticate protocol packets and provides two authentication
modes, Simple authentication and Message Digest 5 (MD5) authentication, to enhance security.

Context
RIP-2 supports two authentication modes:
• Simple authentication
• MD5 authentication

In simple authentication mode, the unencrypted authentication key is sent in every RIP-2 packet. Therefore, simple authentication does not guarantee security and cannot meet the requirements for high security.
Do as follows on the RIP Switch:

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
interface interface-type interface-number

The interface view is displayed.


The interface must be a VLANIF interface.


Step 3 Run one of the following commands as required:
• Run:
rip authentication-mode simple { [ plain ] plain-text | cipher password-key }

Simple authentication is configured for RIP-2 packets.

• Run:
rip authentication-mode md5 usual { plain plain-text | [ cipher ] password-key }

MD5 usual authentication is configured for RIP-2 packets.

• Run:
rip authentication-mode md5 nonstandard { keychain keychain-name | { { plain plain-text | [ cipher ] password-key } key-id } }

MD5 nonstandard authentication is configured for RIP-2 packets.


NOTE

The MD5 type must be specified if MD5 authentication is configured. The usual type supports private
standard authentication packets, and the nonstandard type supports IETF standard authentication packets.
The MD5 authentication password that starts and ends with $@$@ is invalid, because $@$@ is used to
distinguish old and new passwords.

----End
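Why the section says simple authentication does not guarantee security, and what the MD5 mode changes, as an added Python illustration (not AC6605 or VRP code): it builds a RIP-2 Response carrying a simple-authentication entry, where the key bytes sit unencrypted in the packet, and a second packet protected by the keyed-MD5 scheme of RFC 2082, where only a digest is sent and the receiver recomputes it with its own copy of the key. The packet builders, the route and the key value are constructed for the example; the usual and nonstandard variants named above are not distinguished.

```python
"""RIP-2 authentication entries: simple (cleartext key) vs keyed MD5.

Added example, not AC6605 or VRP code. Packet layouts follow RFC 2453
(simple authentication entry) and RFC 2082 (keyed MD5 header entry plus
trailer); the vendor's usual/nonstandard distinction is not modelled.
"""
import hashlib
import hmac
import struct
from ipaddress import IPv4Address

RIP_RESPONSE = 2
RIP_VERSION_2 = 2
AFI_IPV4 = 2
AFI_AUTH = 0xFFFF
AUTH_SIMPLE = 2      # RFC 2453 simple password
AUTH_MD5 = 3         # RFC 2082 keyed MD5
AUTH_TRAILER = 1     # RFC 2082 trailer marker
MD5_LEN = 16


def route_entry(dest: str, mask: str, nexthop: str, metric: int) -> bytes:
    """One 20-byte RIP-2 route entry (RTE)."""
    return struct.pack("!HHIIII", AFI_IPV4, 0, int(IPv4Address(dest)),
                       int(IPv4Address(mask)), int(IPv4Address(nexthop)), metric)


def _header() -> bytes:
    return struct.pack("!BBH", RIP_RESPONSE, RIP_VERSION_2, 0)


def _pad_key(key: bytes) -> bytes:
    return key.ljust(MD5_LEN, b"\0")[:MD5_LEN]


def simple_auth_packet(password: bytes, rtes: list) -> bytes:
    """RIP-2 Response whose first entry carries the password in cleartext."""
    auth = struct.pack("!HH16s", AFI_AUTH, AUTH_SIMPLE, password[:16])
    return _header() + auth + b"".join(rtes)


def md5_auth_packet(key: bytes, key_id: int, seq: int, rtes: list) -> bytes:
    """RIP-2 Response protected with RFC 2082 keyed MD5.

    The header entry announces the scheme and the offset of the trailer; the
    trailer carries a digest computed over the packet with the key standing
    in the digest's place. The key itself never leaves the sender.
    """
    body_len = 4 + 20 + 20 * len(rtes)        # header + auth entry + RTEs
    auth_hdr = struct.pack("!HHHBBI8x", AFI_AUTH, AUTH_MD5, body_len, key_id, MD5_LEN, seq)
    body = _header() + auth_hdr + b"".join(rtes)
    trailer_hdr = struct.pack("!HH", AFI_AUTH, AUTH_TRAILER)
    digest = hashlib.md5(body + trailer_hdr + _pad_key(key)).digest()
    return body + trailer_hdr + digest


def verify_md5(packet: bytes, key: bytes) -> bool:
    """Receiver-side check: recompute the digest with the local key."""
    if len(packet) < 24:
        return False
    _, _, _, afi, atype, body_len, _, auth_len, _ = struct.unpack("!BBHHHHBBI", packet[:16])
    if afi != AFI_AUTH or atype != AUTH_MD5 or auth_len != MD5_LEN:
        return False
    body, trailer = packet[:body_len], packet[body_len:]
    if len(trailer) != 4 + MD5_LEN or trailer[:4] != struct.pack("!HH", AFI_AUTH, AUTH_TRAILER):
        return False
    expected = hashlib.md5(body + trailer[:4] + _pad_key(key)).digest()
    return hmac.compare_digest(expected, trailer[4:])


def key_visible(packet: bytes, key: bytes) -> bool:
    """Whether the configured key can be read straight out of the packet."""
    return key in packet


def demo() -> dict:
    # Constructed values: one route, one key; not real configuration data.
    rtes = [route_entry("172.16.1.0", "255.255.255.0", "0.0.0.0", 1)]
    key = b"s3cret-k3y"
    simple_pkt = simple_auth_packet(key, rtes)
    md5_pkt = md5_auth_packet(key, key_id=1, seq=42, rtes=rtes)
    tampered = bytearray(md5_pkt)
    tampered[43] ^= 0x0F                      # change the route's metric in flight
    return {
        "simple_key_visible": key_visible(simple_pkt, key),
        "md5_key_visible": key_visible(md5_pkt, key),
        "md5_verifies": verify_md5(md5_pkt, key),
        "wrong_key_verifies": verify_md5(md5_pkt, b"wrong-key"),
        "tampered_verifies": verify_md5(bytes(tampered), key),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:<20} {value}")
```

The keyed digest also covers the route entries, so the MD5 modes detect a modified metric as well as a missing key; the sequence number in the header entry is what the replay-protect function mentioned in 5.2.8 builds on.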

Checking the Configuration


After RIP-2 features are successfully configured, you can view the current running status,
configuration, and routing information of RIP.

Prerequisites
The configurations of RIP-2 features are complete.

Procedure
• Run the display rip [ process-id | vpn-instance vpn-instance-name ] command to check the running status and configuration of RIP.
• Run the display rip process-id database [ verbose ] command to check all activated RIP routes in the database.
• Run the display rip process-id route command to check all the RIP routes that are learned from other Switches.

----End

5.2.8 Optimizing a RIP Network


You can adjust and optimize the RIP network performance by configuring RIP functions in
special network environments, such as configuring RIP timers, setting the interval for sending
packets, and setting the maximum number of packets to be sent.

Establishing the Configuration Task


Before adjusting and optimizing the RIP network performance, familiarize yourself with the
applicable environment, complete the pre-configuration tasks, and obtain the data required for
the configuration. This will help you complete the configuration task quickly and accurately.
Applicable Environment
On certain networks, you need to configure RIP features and optimize the performance of a RIP network. After performing the configuration procedures in this section, you can:
• Change the convergence speed of the RIP network by adjusting the values of RIP timers.
• Reduce the consumption of device resources and network bandwidth by adjusting the number of packets to be sent by interfaces and the interval at which packets are sent.
• Configure split horizon or poison reverse to prevent routing loops.
• Enable the replay-protect function so that neighbors can communicate after a RIP process is restarted.
• Check the validity of packets and authenticate packets on a network demanding high security.
• Run RIP on a link that does not support broadcast or multicast packets.

Pre-configuration Tasks
Before optimizing a RIP network, complete the following tasks:
• Configuring IP addresses for interfaces to ensure that neighboring nodes are reachable at the network layer
• Configuring Basic RIP Functions

Data Preparation
To optimize a RIP network, you need the following data.
No.  Data
1    Values of timers
2    Number of Update packets that an interface sends each time and interval for sending an Update packet
3    Maximum number of equal-cost routes
4    Packet authentication mode and password
5    IP addresses of RIP neighbors

Configuring RIP Timers


RIP has three timers: Update timer, Age timer and Garbage-collect timer. Changing the values
of the three timers affects the RIP convergence speed.

Context
RIP has three timers: Update timer, Age timer and Garbage-collect timer. Changing the values
of the three timers affects the RIP convergence speed. For details on timers, see corresponding
description in the chapter "RIP" in the AC6605 Access Controller Feature Description - IP
Routing.
Do as follows on the RIP Switch:

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
rip [ process-id ]

The RIP process is enabled and the RIP view is displayed.


Step 3 Run:
timers rip update age garbage-collect

RIP timers are configured.


NOTE

• RIP timers take effect immediately after being changed.
• Route flapping occurs if the values of the timers are set improperly. The relationship between the values is as follows: update must be smaller than age, and update must be smaller than garbage-collect. For example, if the update time is longer than the aging time and a RIP route changes within the update time, the Switch cannot inform its neighbors of the change in time.
• You must configure RIP timers based on the network performance and uniformly on all the Switches running RIP. This avoids unnecessary network traffic or route flapping.

By default, the Update timer is 30s, the Age timer is 180s, and the Garbage-collect timer is four times the Update timer, namely, 120s.
In practice, the Garbage-collect timer is not fixed. If the Update timer is set to 30s, the Garbage-collect timer may range from 90s to 120s.
Before permanently deleting an unreachable route from the routing table, RIP advertises this route (with the metric set to 16) in four periodic Update packets, so that all neighbors learn that the route is unreachable. Because a route does not always become unreachable at the beginning of an Update period, the Garbage-collect timer is actually three to four times the Update timer.
----End

Setting the Interval for Sending Packets and the Maximum Number of the Sent
Packets
By setting the interval for sending RIP Update packets and the maximum number of Update
packets to be sent each time, you can effectively control the memory used by a Switch to process
RIP Update packets.

Context
Do as follows on the RIP Switch:

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
interface interface-type interface-number

The interface view is displayed.


The interface must be a VLANIF interface.
Step 3 Run:
rip pkt-transmit { interval interval | number pkt-count }

The interval for sending Update packets and the maximum number of packets sent each time
are set on the interface.
----End

Configuring Split Horizon and Poison Reverse


You can configure split horizon and poison reverse to prevent routing loops.

Context
If both split horizon and poison reverse are configured, only poison reverse takes effect.
Do as follows on the RIP Switch:

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
interface interface-type interface-number

The interface view is displayed.


The interface must be a VLANIF interface.
Step 3 Run one of the following commands as required:
• Run:
rip split-horizon

Split horizon is enabled.

• Run:
rip poison-reverse

Poison reverse is enabled.


----End
Configuring RIP to Check the Validity of Update Packets


The check on RIP Update packets includes the check on zero fields in RIPv1 packets and the
check on source addresses of RIP Update packets. The two types of check have different
functions and applications.

Context
Do as follows on the RIP Switch:

Procedure
• Configuring the Zero Field Check for RIPv1 Packets
  1. Run:
     system-view

     The system view is displayed.
  2. Run:
     rip [ process-id ]

     The RIP process is enabled and the RIP view is displayed.
  3. Run:
     checkzero

     The zero field check is configured for RIPv1 packets.
     Certain fields in a RIPv1 packet must be 0s, and these fields are called zero fields. RIPv1 checks the zero fields on receiving a packet. If the value of any zero field in a RIPv1 packet is not 0, this packet is not processed.
     As a RIPv2 packet does not contain any zero field, configuring the zero field check is invalid in RIPv2.
• Configuring the Source Address Check for RIP Update Packets
  1. Run:
     system-view

     The system view is displayed.
  2. Run:
     rip [ process-id ]

     The RIP process is enabled and the RIP view is displayed.
  3. Run:
     verify-source

     The source address check is configured for RIP Update packets.
     When receiving a packet, RIP checks the source address of the packet. If the packet fails the check, it is not processed.
     By default, the source address check is enabled.
----End
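The two checks this section configures, as an added Python illustration (not AC6605 or VRP code): a RIPv1 Response is parsed with its must-be-zero fields verified, as checkzero requires, and the packet's source address is checked against the receiving interface, as verify-source requires. The packet builder, the interface address and the sample packets are constructed for the example; the exact rule the AC6605 applies for the source check is not stated on the page, so the rule used here (source lies on the receiving interface's subnet and is not the interface's own address) is an assumption.

```python
"""RIPv1 zero-field check and Update source-address check.

Added example, not AC6605 or VRP code. parse_ripv1 rejects a packet when
any must-be-zero field is set (checkzero); source_ok rejects an Update whose
source is not a directly connected neighbor on the receiving interface
(verify-source). The source rule used here is an assumption for the example.
"""
import struct
from ipaddress import IPv4Address, IPv4Interface
from typing import List, Tuple

RIP_RESPONSE = 2
RIP_VERSION_1 = 1
AFI_IPV4 = 2
RTE_LEN = 20


def ripv1_entry(dest: str, metric: int, zero_fields=(0, 0, 0)) -> bytes:
    """One RIPv1 RTE; zero_fields lets a test set the must-be-zero words."""
    z1, z2, z3 = zero_fields
    return struct.pack("!HHIIII", AFI_IPV4, z1, int(IPv4Address(dest)), z2, z3, metric)


def ripv1_packet(entries: List[bytes], header_zero: int = 0) -> bytes:
    """RIPv1 Response: 4-byte header followed by 20-byte entries."""
    return struct.pack("!BBH", RIP_RESPONSE, RIP_VERSION_1, header_zero) + b"".join(entries)


def parse_ripv1(packet: bytes, checkzero: bool = True) -> List[Tuple[str, int]]:
    """Return [(destination, metric)]; raise ValueError if the packet is invalid."""
    if len(packet) < 4 or (len(packet) - 4) % RTE_LEN:
        raise ValueError("bad packet length")
    command, version, header_zero = struct.unpack("!BBH", packet[:4])
    if version != RIP_VERSION_1 or command != RIP_RESPONSE:
        raise ValueError("not a RIPv1 response")
    if checkzero and header_zero:
        raise ValueError("zero field check failed: header")
    routes = []
    for off in range(4, len(packet), RTE_LEN):
        afi, z1, addr, z2, z3, metric = struct.unpack("!HHIIII", packet[off:off + RTE_LEN])
        if checkzero and (z1 or z2 or z3):
            raise ValueError(f"zero field check failed: entry at offset {off}")
        if afi != AFI_IPV4 or not 1 <= metric <= 16:
            raise ValueError(f"bad entry at offset {off}")
        routes.append((str(IPv4Address(addr)), metric))
    return routes


def source_ok(src: str, interface: str) -> bool:
    """Assumed rule: the source is on the receiving interface's subnet and is
    not the interface's own address (a reflected packet)."""
    iface = IPv4Interface(interface)
    s = IPv4Address(src)
    return s in iface.network and s != iface.ip


def accept_update(packet: bytes, src: str, interface: str,
                  checkzero: bool = True, verify_source: bool = True):
    """Receiver decision: (accepted, reason, routes)."""
    if verify_source and not source_ok(src, interface):
        return False, f"source address {src} rejected on {interface}", []
    try:
        routes = parse_ripv1(packet, checkzero=checkzero)
    except ValueError as err:
        return False, str(err), []
    return True, "ok", routes


# Constructed sample packets and receiving interface.
INTERFACE = "192.168.1.1/24"
GOOD = ripv1_packet([ripv1_entry("10.0.0.0", 1), ripv1_entry("172.16.0.0", 2)])
BAD_ZERO = ripv1_packet([ripv1_entry("10.0.0.0", 1, zero_fields=(0, 0xDEAD, 0))])


if __name__ == "__main__":
    for label, pkt, src in [("good", GOOD, "192.168.1.2"),
                            ("nonzero field", BAD_ZERO, "192.168.1.2"),
                            ("off-subnet source", GOOD, "10.9.9.9")]:
        print(label, accept_update(pkt, src, INTERFACE))
```

With checkzero disabled the second packet is accepted, which is the behaviour the section describes for a RIPv1 peer that fills the reserved words; the source check is on by default and is what stops an Update from an address that is not a directly connected neighbor.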
Configuring RIP Neighbors


Generally, RIP sends packets by using broadcast or multicast addresses. To run RIP on the links
that do not support the forwarding of broadcast or multicast packets, you need to specify RIP
neighbors.

Context
Generally, RIP sends packets by using broadcast or multicast addresses. If RIP needs to run on
the links that do not support the forwarding of broadcast or multicast packets, you need to
configure the devices at both ends of the link as each other's neighbor.
Do as follows on the RIP Switch:

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
rip [ process-id ]

The RIP process is enabled and the RIP view is displayed.


Step 3 Run:
peer ip-address

The RIP neighbor is configured.


----End

Checking the Configuration


After the function of adjusting and optimizing the RIP network performance is successfully
configured, you can view the current running status, routing information, neighbor information,
and interface information of RIP.

Prerequisites
The configurations of optimizing a RIP network are complete.

Procedure
• Run the display rip [ process-id | vpn-instance vpn-instance-name ] command to check the running status and configuration of RIP.
• Run the display rip process-id database [ verbose ] command to check all activated RIP routes in the database.
• Run the display rip process-id interface [ interface-type interface-number ] [ verbose ] command to check information about the RIP interface.
• Run the display rip process-id neighbor [ verbose ] command to check information about RIP neighbors.

• Run the display rip process-id route command to check all the RIP routes that are learned from other Switches.

----End

5.2.9 Configuring BFD for RIP


On a network that runs high-rate data services, BFD for RIP can be configured to quickly detect
and respond to network faults.

Applicable Environment
Generally, RIP uses timers to receive and send Update messages to maintain neighbor
relationships. If a RIP device does not receive an Update message from a neighbor after the Age
timer expires, the RIP device will announce that this neighbor goes Down. The default value of
the Age timer is 180s. If a link fault occurs, RIP can detect this fault after 180s. If high-rate data
services are deployed on a network, a great deal of data will be lost during the aging time.
BFD provides millisecond-level fault detection. It can rapidly detect faults on protected links or nodes and report them to RIP. This speeds up the RIP process's response to network topology changes and achieves rapid RIP route convergence.
In BFD for RIP, BFD session establishment is triggered by RIP. When establishing a neighbor
relationship, RIP will send detection parameters of the neighbor to BFD. Then, a BFD session
will be established based on these detection parameters. If a link fault occurs, the local RIP
process will receive a neighbor unreachable message within seconds. Then, the local RIP device
will delete routing entries in which the neighbor relationship is Down and use the backup path
to transmit messages.
Either of the following methods can be used to configure BFD for RIP:
• Enable BFD in a RIP process: This method is recommended when BFD for RIP needs to be enabled on most RIP interfaces.
• Enable BFD on RIP interfaces: This method is recommended when BFD for RIP needs to be enabled on a small number of RIP interfaces.

Pre-configuration Tasks
Before configuring BFD for RIP, complete the following tasks:
• Assigning an IP address to each interface to ensure reachability between neighboring nodes at the network layer
• Configuring Basic RIP Functions

Data Preparation
To complete the configuration, you need the following data.


No.  Data
1    ID of a RIP process to be enabled with BFD
2    Type and number of an interface to be enabled with BFD



No.  Data
3    (Optional) BFD session parameter values
     NOTE
     Default BFD session parameter values are recommended.

Procedure
• Enable BFD in a RIP process.
  1. Run:
     system-view

     The system view is displayed.
  2. Run:
     bfd

     BFD is enabled globally.
  3. Run:
     quit

     Return to the system view.
  4. Run:
     rip process-id

     The RIP view is displayed.
  5. Run:
     bfd all-interfaces enable

     BFD is enabled in the RIP process to establish a BFD session.
     If BFD is enabled globally, RIP will use default BFD parameters to establish BFD sessions on all the interfaces where RIP neighbor relationships are in the Up state.
  6. (Optional) Run:
     bfd all-interfaces { min-rx-interval min-receive-value | min-tx-interval min-transmit-value | detect-multiplier detect-multiplier-value } *

     The values of BFD parameters used to establish the BFD session are set.
     BFD parameter values are determined by the actual network situation and network reliability requirement.
     If links have a high reliability requirement, reduce the interval at which BFD packets are sent.
     If links have a low reliability requirement, increase the interval at which BFD packets are sent.
     Running the bfd all-interfaces command changes BFD session parameters on all RIP interfaces. The default detection multiplier and interval at which BFD packets are sent are recommended.
  7. (Optional) Perform the following operations to prevent an interface in the RIP process from establishing a BFD session:
     Run the quit command to return to the system view.

     Run the interface interface-type interface-number command to enter the view of a specified interface.
     Run the rip bfd block command to prevent the interface from establishing a BFD session.
• Enable BFD on RIP interfaces.
  1. Run:
     system-view

     The system view is displayed.
  2. Run:
     bfd

     BFD is enabled globally.
  3. Run:
     quit

     Return to the system view.
  4. Run:
     interface interface-type interface-number

     The view of the specified interface is displayed.
  5. Run:
     rip bfd enable

     BFD is enabled on the interface to establish a BFD session.
  6. (Optional) Run:
     rip bfd { min-rx-interval min-receive-value | min-tx-interval min-transmit-value | detect-multiplier detect-multiplier-value } *

     The values of BFD parameters used to establish the BFD session are set.
----End

Checking the Configuration


After enabling BFD for RIP at both ends of a link, run the display rip bfd session { interface interface-type interface-number | neighbor-id | all } command. You can see that the BFDState field value on the local Switch is displayed as Up. For example:
<Quidway> display rip 1 bfd session all
  LocalIp  :10.1.0.1        RemoteIp :10.1.0.2        BFDState :Up
  TX       :1000            RX       :1000            Multiplier:3
  BFD Local Dis:8192        Interface :Vlanif10
  DiagnosticInfo: No diagnostic information
  LocalIp  :20.1.0.1        RemoteIp :20.1.0.2        BFDState :Up
  TX       :1000            RX       :1000            Multiplier:3
  BFD Local Dis:8193        Interface :Vlanif20
  DiagnosticInfo: No diagnostic information
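How to read the display rip bfd session output above in bulk, as an added Python helper (not AC6605 or VRP code): it parses the key:value pairs of each session into a record and derives the time after which the session declares the link down. The detection-time formula used (Multiplier multiplied by the larger of TX and RX) assumes both ends run the same interval settings, as the section recommends; the sample output is constructed after the layout above and adds a third, Down session with a constructed diagnostic string that the page does not show.

```python
"""Parse 'display rip <process-id> bfd session all' output into records.

Added example, not AC6605 or VRP code. The sample text is constructed after
the layout shown in the section, with an extra session that is not Up.
"""
import re
from typing import Dict, List

KEYS = ("LocalIp", "RemoteIp", "BFDState", "TX", "RX", "Multiplier",
        "BFD Local Dis", "Interface", "DiagnosticInfo")
_KEY_ALT = "|".join(re.escape(k) for k in KEYS)
# key, colon, lazy value up to the next key or the end of the line
_PAIR = re.compile(rf"({_KEY_ALT})\s*:\s*(.*?)(?=\s+(?:{_KEY_ALT})\s*:|\s*$)")

# Constructed sample modelled on the section's output; the third session is
# invented to show a failed link.
SAMPLE_OUTPUT = """\
<Quidway> display rip 1 bfd session all
  LocalIp  :10.1.0.1        RemoteIp :10.1.0.2        BFDState :Up
  TX       :1000            RX       :1000            Multiplier:3
  BFD Local Dis:8192        Interface :Vlanif10
  DiagnosticInfo: No diagnostic information
  LocalIp  :20.1.0.1        RemoteIp :20.1.0.2        BFDState :Up
  TX       :1000            RX       :1000            Multiplier:3
  BFD Local Dis:8193        Interface :Vlanif20
  DiagnosticInfo: No diagnostic information
  LocalIp  :30.1.0.1        RemoteIp :30.1.0.2        BFDState :Down
  TX       :500             RX       :500             Multiplier:5
  BFD Local Dis:8194        Interface :Vlanif30
  DiagnosticInfo: Control Detection Time Expired
"""


def parse_sessions(text: str) -> List[Dict[str, str]]:
    """Each block starting with LocalIp becomes one session dict."""
    sessions: List[Dict[str, str]] = []
    for line in text.splitlines():
        for key, value in _PAIR.findall(line.strip()):
            if key == "LocalIp":
                sessions.append({})
            if sessions:
                sessions[-1][key] = value.strip()
    return sessions


def detection_time_ms(session: Dict[str, str]) -> int:
    """Assumed symmetric parameters: multiplier x the slower of TX/RX (ms)."""
    return int(session["Multiplier"]) * max(int(session["TX"]), int(session["RX"]))


def summarize(text: str) -> List[Dict[str, object]]:
    """One row per session: interface, peer, state, detection time, healthy flag."""
    rows = []
    for s in parse_sessions(text):
        rows.append({
            "interface": s["Interface"],
            "peer": s["RemoteIp"],
            "state": s["BFDState"],
            "detect_ms": detection_time_ms(s),
            "healthy": s["BFDState"] == "Up",
        })
    return rows


if __name__ == "__main__":
    for row in summarize(SAMPLE_OUTPUT):
        flag = "" if row["healthy"] else "  <-- check link"
        print(f'{row["interface"]:<9} {row["peer"]:<10} {row["state"]:<5} {row["detect_ms"]} ms{flag}')
```

With the default 1000 ms intervals and a multiplier of 3, a session reports a failure about 3 s after the last control packet, against the 180 s Age timer the Applicable Environment paragraph describes.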

5.2.10 Configuring Static BFD for RIP


BFD provides link failure detection featuring light load and high speed. Static BFD for RIP is
a mode to implement the BFD function.
Context
Establishing BFD sessions between RIP neighbors can rapidly detect faults on links and speed up the response of RIP to network topology changes. Static BFD implements the following functions:
• One-arm BFD: If some devices on a network support BFD but some do not, configure one-arm BFD to implement fault detection.
• Two-arm BFD: If all the devices on a network support BFD, configure two-arm BFD to implement fault detection.

Static BFD must be enabled using a command, and session parameters are also set using commands.

Pre-configuration Tasks
Before configuring static BFD for RIP, complete the following tasks:
• Assigning an IP address to each interface to ensure IP connectivity
• Configuring basic RIP functions

Data Preparation
To complete the configuration, you need the following data:
No.  Data
1    ID of a RIP process
2    Type and number of the interface to be enabled with BFD

Procedure
Step 1 Enable BFD globally.
  1. Run:
     system-view

     The system view is displayed.
  2. Run:
     bfd

     BFD is enabled globally.
  3. Run:
     quit

     Return to the system view.

NOTE

To configure one-arm BFD, go to Step 2. To configure two-arm BFD, go to Step 3.

Step 2 Configure one-arm BFD.
  1. Run:
     bfd cfg-name bind peer-ip peer-ip interface interface-type interface-number [ source-ip source-ip ] one-arm-echo

BFD is enabled between the specified interface and peer router.


If a peer IP address and a local interface are specified, BFD detects only a single-hop link,
that is, a route with the interface specified in the bfd command as the outbound interface
and with the peer IP address specified in the peer-ip command as the next-hop address.
NOTE

When configuring the one-arm Echo function on the AC6605 switch, set the source-ip source-ip to
the IP address of an interface on the switch. Ensure that the peer device can ping this IP address.

  2. Run:
     discriminator local discr-value

     The local discriminator is set.
  3. (Optional) Run:
     min-echo-rx-interval interval

     The minimum interval at which BFD packets are received is configured.
  4. Run:
     commit

     The configuration is committed.
  5. Run:
     quit

     Return to the system view.

Step 3 Configure two-arm BFD.
  1. Run:
     bfd cfg-name bind peer-ip ip-address [ interface interface-type interface-number ]

     BFD binding is created.
     If a peer IP address and a local interface are specified, BFD detects only a single-hop link, that is, a route with the interface specified in the bfd command as the outbound interface and with the peer IP address specified in the peer-ip command as the next-hop address.
  2. Set discriminators.
     • Run:
       discriminator local discr-value

       The local discriminator is set.
     • Run:
       discriminator remote discr-value

       The remote discriminator is set.
     The local discriminator must be the remote discriminator of the device on the other end; otherwise, a BFD session cannot be established. The local and remote discriminators cannot be modified after being configured.

     NOTE

     The local discr-value set on the local device is the same as the remote discr-value set on the remote device. The remote discr-value set on the local device is the same as the local discr-value set on the remote device.
  3. Run:
     commit


     The configuration is committed.
  4. Run:
     quit

     Return to the system view.
Step 4 Enable static BFD on an interface.
  1. Run:
     interface interface-type interface-number

     The view of the specified interface is displayed.
  2. Run:
     rip bfd static

     Static BFD is enabled on the interface.
  3. Run:
     quit

     Return to the system view.
----End

Checking the Configuration


After configuring static BFD for RIP, run the display rip process-id interface [ interface-type interface-number ] verbose command to check the BFD for RIP configuration on the specified interface.
Run the display rip process-id interface interface-type interface-number verbose command. The command output shows that static BFD has been enabled on VLANIF 10. For example:
<Quidway> display rip 1 interface vlanif 10 verbose
 Vlanif10 (81.1.1.1)
  State     : UP          MTU       : 500
  Metricin  : 0           Metricout : 1
  Input     : Enabled     Output    : Enabled
  Protocol  : RIPv1 Compatible (Non-Standard)
  Send      : RIPv1 Packets
  Receive   : RIPv1 Packets, RIPv2 Multicast and Broadcast Packets
  Poison-reverse      : Disabled
  Split-Horizon       : Enabled
  Authentication type : None
  Replay Protection   : Disabled
  BFD                 : Enabled (Static)
  Summary Address(es):
    1.1.0.0/16

5.2.11 Configuring the Network Management Function in RIP


By binding RIP to MIBs, you can view and configure RIP through the NMS.

Establishing the Configuration Task


Before binding RIP to MIBs, familiarize yourself with the applicable environment, complete
the pre-configuration tasks, and obtain the data required for the configuration. This will help
you complete the configuration task quickly and accurately.
Applicable Environment
After performing configuration procedures in this section, you can bind RIP to a MIB.

Pre-configuration Tasks
Before configuring the network management function in RIP, complete the following tasks:
• Configuring IP addresses for interfaces to ensure that neighboring nodes are reachable at the network layer
• Configuring Basic RIP Functions

Data Preparation
None.

Binding RIP to MIBs


Before binding RIP to MIBs, you need to specify the RIP process ID.

Context
Do as follows on the RIP Switch:

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
rip mib-binding process-id

RIP is bound to MIBs.


This command is used to bind a RIP process ID to MIBs and specify the ID of the RIP process
that accepts Simple Network Management Protocol (SNMP) requests.
----End

Checking the Configuration


After RIP and MIBs are successfully bound, you can view binding information in the current
RIP configuration.

Prerequisites
The configurations of the network management function in RIP are complete.

Procedure
Step 1 Run the display current-configuration command to check the parameters that take effect on
the Switch.
----End

5.2.12 Configuration Examples


This section provides several configuration examples of RIP.

Example for Configuring the RIP Version


Networking Requirements
As shown in Figure 5-3, RIP needs to be enabled on all the interfaces of Switch A, Switch B,
Switch C, and Switch D. The Switches are interconnected through RIPv2.
Figure 5-3 Networking diagram for configuring the RIP version
[Figure: Switch A (GE0/0/1) connects to Switch B (GE0/0/1); Switch B (GE0/0/2) connects to Switch C (GE0/0/2); Switch B (GE0/0/3) connects to Switch D (GE0/0/3). Interface assignments are listed in the following table.]

Switch    Interface             VLANIF interface   IP address
Switch A  GigabitEthernet0/0/1  VLANIF 10          192.168.1.1/24
Switch B  GigabitEthernet0/0/1  VLANIF 10          192.168.1.2/24
Switch B  GigabitEthernet0/0/2  VLANIF 20          172.16.1.1/24
Switch B  GigabitEthernet0/0/3  VLANIF 30          10.1.1.1/24
Switch C  GigabitEthernet0/0/2  VLANIF 20          172.16.1.2/24
Switch D  GigabitEthernet0/0/3  VLANIF 30          10.1.1.2/24

Configuration Roadmap
The configuration roadmap is as follows:
1. Assign IP addresses to all the interfaces to ensure network reachability.
2. Enable RIP on each Switch and configure the basic RIP functions.
3. Configure RIPv2 on each Switch and check the accurate subnet masks.

Data Preparation
To complete the configuration, you need the following data:
• IDs of the VLANs that the interfaces belong to, as shown in Figure 5-3
• IP addresses of VLANIF interfaces, as shown in Figure 5-3
• RIP version on the Switches, namely, RIPv2

Procedure
Step 1 Configure VLANs that the related interfaces belong to.
<Quidway> system-view
[Quidway] sysname SwitchA
[SwitchA] vlan 10
[SwitchA-vlan10] quit
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port hybrid pvid vlan 10
[SwitchA-GigabitEthernet0/0/1] port hybrid untagged vlan 10
[SwitchA-GigabitEthernet0/0/1] quit

The configurations of Switch B, Switch C, and Switch D are similar to the configuration of
Switch A, and are not mentioned here.
Step 2 Assign an IP address to each VLANIF interface.
[SwitchA] interface vlanif 10
[SwitchA-Vlanif10] ip address 192.168.1.1 24
[SwitchA-Vlanif10] quit

The configurations of Switch B, Switch C, and Switch D are similar to the configuration of
Switch A, and are not mentioned here.
Step 3 Configure the basic RIP functions.
Configure Switch A.
[SwitchA] rip
[SwitchA-rip-1] network 192.168.1.0
[SwitchA-rip-1] quit

Configure Switch B.
[SwitchB] rip
[SwitchB-rip-1] network 192.168.1.0
[SwitchB-rip-1] network 172.16.0.0
[SwitchB-rip-1] network 10.0.0.0
[SwitchB-rip-1] quit

Configure Switch C.
[SwitchC] rip
[SwitchC-rip-1] network 172.16.0.0
[SwitchC-rip-1] quit

Configure Switch D.
[SwitchD] rip
[SwitchD-rip-1] network 10.0.0.0
[SwitchD-rip-1] quit

# Check the RIP routing table of Switch A.
[SwitchA] display rip 1 route
Route Flags: R - RIP
           A - Aging, G - Garbage-collect
------------------------------------------------------------------------
Peer 192.168.1.2 on Vlanif10
     Destination/Mask        Nexthop        Cost    Tag    Flags    Sec
        172.16.0.0/16    192.168.1.2           1      0     RA       14
          10.0.0.0/8     192.168.1.2           1      0     RA       14

From the routing table, you can find that the routes advertised by RIPv1 use natural masks.
Step 4 Configure the RIP version.
# Configure RIPv2 on Switch A.
[SwitchA] rip
[SwitchA-rip-1] version 2
[SwitchA-rip-1] quit

# Configure RIPv2 on Switch B.


[SwitchB] rip
[SwitchB-rip-1] version 2
[SwitchB-rip-1] quit

# Configure RIPv2 on Switch C.


[SwitchC] rip
[SwitchC-rip-1] version 2
[SwitchC-rip-1] quit

# Configure RIPv2 on Switch D.


[SwitchD] rip
[SwitchD-rip-1] version 2
[SwitchD-rip-1] quit

Step 5 Verify the configuration.


# Check the RIP routing table of Switch A.
[SwitchA] display rip 1 route
Route Flags: R - RIP
           A - Aging, G - Garbage-collect
------------------------------------------------------------------------
Peer 192.168.1.2 on Vlanif10
     Destination/Mask        Nexthop        Cost    Tag    Flags    Sec
        172.16.1.0/24    192.168.1.2           1      0     RA       32
          10.1.1.0/24    192.168.1.2           1      0     RA       32

From the routing table, you can find that the routes advertised by RIPv2 contain more accurate
subnet masks.
----End
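The two display rip 1 route outputs above differ because a RIPv1 update carries no subnet mask, so the receiver falls back to the classful (natural) mask, while RIPv2 carries the mask (and, unlike RIPv1, also supports update authentication). The following Python script is an added illustration and is not part of this guide or of the AC6605 software; its function names are my own and the subnets are those of Figure 5-3. It goes one step beyond the page by grouping the subnets that a RIPv1 receiver cannot tell apart, which is the practical reason for checking that every Switch runs version 2.

```python
import ipaddress


def natural_prefix_len(addr: str) -> int:
    """Classful (natural) prefix length of an IPv4 address.

    Class A (first octet 0-127) -> /8, class B (128-191) -> /16,
    class C (192-223) -> /24. Class D/E addresses have no natural mask
    and are rejected, since RIP never advertises them.
    """
    first_octet = int(ipaddress.IPv4Address(addr)) >> 24
    if first_octet < 128:
        return 8
    if first_octet < 192:
        return 16
    if first_octet < 224:
        return 24
    raise ValueError(f"{addr} is a class D/E address and has no natural mask")


def ripv1_advertised_route(prefix: str) -> str:
    """What a RIPv1 neighbour installs for `prefix`.

    The update carries no mask, so the receiver applies the natural mask:
    172.16.1.0/24 arrives as 172.16.0.0/16, 10.1.1.0/24 as 10.0.0.0/8.
    """
    net = ipaddress.ip_network(prefix, strict=False)
    plen = natural_prefix_len(str(net.network_address))
    return str(ipaddress.ip_network(f"{net.network_address}/{plen}", strict=False))


def ripv2_advertised_route(prefix: str) -> str:
    """RIPv2 carries the mask, so the prefix arrives unchanged."""
    return str(ipaddress.ip_network(prefix, strict=False))


def compare_versions(prefixes):
    """Return {prefix: (route seen by RIPv1, route seen by RIPv2)}."""
    return {p: (ripv1_advertised_route(p), ripv2_advertised_route(p)) for p in prefixes}


def ripv1_ambiguous_groups(prefixes):
    """Group subnets that collapse to the same natural route under RIPv1.

    A receiver sees one entry per group and cannot distinguish the members
    (the discontiguous-subnet problem that RIPv2's explicit mask removes).
    """
    groups = {}
    for p in prefixes:
        groups.setdefault(ripv1_advertised_route(p), []).append(p)
    return {k: v for k, v in groups.items() if len(v) > 1}


if __name__ == "__main__":
    # Constructed input: Switch B's two non-shared subnets from Figure 5-3.
    for prefix, (v1, v2) in compare_versions(["172.16.1.0/24", "10.1.1.0/24"]).items():
        print(f"{prefix:>15}  RIPv1 -> {v1:<15}  RIPv2 -> {v2}")
    # Constructed input: two /24s of the same class B network on different links.
    print(ripv1_ambiguous_groups(["172.16.1.0/24", "172.16.2.0/24", "10.1.1.0/24"]))
```

Run it with any list of prefixes; a non-empty result from ripv1_ambiguous_groups() means a RIPv1 receiver would install a single classful route for several distinct links, so the routing table can no longer be trusted to reflect the topology.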

Configuration Files
- Configuration file of Switch A


#
sysname SwitchA
#
vlan batch 10
#
interface Vlanif10
ip address 192.168.1.1 255.255.255.0
#
interface GigabitEthernet0/0/1
port hybrid pvid vlan 10
port hybrid untagged vlan 10
#
rip 1

version 2
network 192.168.1.0
#
return

- Configuration file of Switch B


#
sysname SwitchB
#
vlan batch 10 20 30
#
interface Vlanif10
ip address 192.168.1.2 255.255.255.0
#
interface Vlanif20
ip address 172.16.1.1 255.255.255.0
#
interface Vlanif30
ip address 10.1.1.1 255.255.255.0
#
interface GigabitEthernet0/0/1
port hybrid pvid vlan 10
port hybrid untagged vlan 10
#
interface GigabitEthernet0/0/2
port hybrid pvid vlan 20
port hybrid untagged vlan 20
#
interface GigabitEthernet0/0/3
port hybrid pvid vlan 30
port hybrid untagged vlan 30
#
rip 1
version 2
network 192.168.1.0
network 172.16.0.0
network 10.0.0.0
#
return

- Configuration file of Switch C


#
sysname SwitchC
#
vlan batch 20
#
interface Vlanif20
ip address 172.16.1.2 255.255.255.0
#
interface GigabitEthernet0/0/2
port hybrid pvid vlan 20
port hybrid untagged vlan 20
#
rip 1
version 2
network 172.16.0.0
#
return

- Configuration file of Switch D


#
sysname SwitchD
#
vlan batch 30
#
interface Vlanif30
ip address 10.1.1.2 255.255.255.0
#
interface GigabitEthernet0/0/3
port hybrid pvid vlan 30

port hybrid untagged vlan 30


#
rip 1
version 2
network 10.0.0.0
#
return

Example for Configuring RIP to Import Routes


Networking Requirements
As shown in Figure 5-4, two RIP processes, RIP100 and RIP200, run on Switch B. Switch B
exchanges routing information with Switch A through RIP100 and with Switch C through
RIP200.
You must configure route import on Switch B so that the two RIP processes import each
other's routes. The default metric of the routes imported from RIP200 is set to 3. In addition,
you must configure a filtering policy on Switch B so that Switch B filters out one route imported
from RIP200 (the route to 192.168.4.0/24) and does not advertise it to Switch A.
Figure 5-4 Networking diagram for configuring RIP to import external routes
[Figure: Switch A (GE0/0/1) connects to Switch B (GE0/0/1) in RIP 100; Switch B (GE0/0/2) connects to Switch C (GE0/0/2) in RIP 200; Switch A GE0/0/2 and Switch C GE0/0/1 and GE0/0/3 lead to further network segments.]

Switch      Interface               VLANIF interface    IP address
Switch A    GigabitEthernet0/0/1    VLANIF 10           192.168.1.1/24
Switch A    GigabitEthernet0/0/2    VLANIF 50           192.168.0.1/24
Switch B    GigabitEthernet0/0/1    VLANIF 10           192.168.1.2/24
Switch B    GigabitEthernet0/0/2    VLANIF 20           192.168.2.1/24
Switch C    GigabitEthernet0/0/2    VLANIF 20           192.168.2.2/24
Switch C    GigabitEthernet0/0/1    VLANIF 30           192.168.3.1/24
Switch C    GigabitEthernet0/0/3    VLANIF 40           192.168.4.1/24

Configuration Roadmap
The configuration roadmap is as follows:
1. Enable RIP100 and RIP200 on the Switches and specify the network segments.
2. Configure Switch B to import routes of a RIP process into the routing table of the other
   RIP process, and set the default metric of the routes imported from RIP200 to 3.
3. Configure an ACL on Switch B to filter the routes imported from RIP200.

Data Preparation
To complete the configuration, you need the following data:
- IDs of the VLANs that the interfaces belong to, as shown in Figure 5-4
- IP addresses of VLANIF interfaces, as shown in Figure 5-4
- Network segments with RIP100 enabled on Switch A: 192.168.0.0 and 192.168.1.0
- Network segments with RIP100 and RIP200 enabled on Switch B: 192.168.1.0 and
  192.168.2.0
- Network segments with RIP200 enabled on Switch C: 192.168.2.0, 192.168.3.0, and
  192.168.4.0
- Default metric of routes that are imported to RIP100 from RIP200: 3
- ACL 2000 for the routes that are imported to RIP100 from RIP200, which denies the routes
  of network segment 192.168.4.0

Procedure
Step 1 Configure VLANs that the related interfaces belong to.
<Quidway> system-view
[Quidway] sysname Switch A
[Switch A] vlan 10
[Switch A-Vlan10] quit
[Switch A] interface gigabitethernet 0/0/1
[Switch A-GigabitEthernet0/0/1] port hybrid pvid vlan 10
[Switch A-GigabitEthernet0/0/1] port hybrid untagged vlan 10
[Switch A-GigabitEthernet0/0/1] quit
[Switch A] vlan 50
[Switch A-Vlan50] quit
[Switch A] interface gigabitethernet 0/0/2
[Switch A-GigabitEthernet0/0/2] port hybrid pvid vlan 50
[Switch A-GigabitEthernet0/0/2] port hybrid untagged vlan 50
[Switch A-GigabitEthernet0/0/2] quit

The configurations of Switch B and Switch C are similar to the configuration of Switch A, and
are not mentioned here.
Step 2 Assign an IP address to each VLANIF interface.
[Switch A] interface vlanif 10
[Switch A-Vlanif10] ip address 192.168.1.1 24
[Switch A-Vlanif10] quit
[Switch A] interface vlanif 50
[Switch A-Vlanif50] ip address 192.168.0.1 24
[Switch A-Vlanif50] quit

The configurations of Switch B and Switch C are similar to the configuration of Switch A, and
are not mentioned here.
Step 3 Configure the basic RIP functions.
# Enable RIP process 100 on Switch A.
[Switch A] rip 100
[Switch A-rip-100] network 192.168.0.0
[Switch A-rip-100] network 192.168.1.0
[Switch A-rip-100] quit

# Enable RIP processes 100 and 200 on Switch B.


[Switch B] rip 100
[Switch B-rip-100] network 192.168.1.0
[Switch B-rip-100] quit
[Switch B] rip 200
[Switch B-rip-200] network 192.168.2.0
[Switch B-rip-200] quit

# Enable RIP process 200 on Switch C.


[Switch C] rip 200
[Switch C-rip-200] network 192.168.2.0
[Switch C-rip-200] network 192.168.3.0
[Switch C-rip-200] network 192.168.4.0
[Switch C-rip-200] quit

# Check the routing table of Switch A.


[Switch A] display ip routing-table
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
         Destinations : 7        Routes : 7

Destination/Mask      Proto   Pre  Cost      Flags NextHop         Interface

     192.168.0.0/24   Direct  0    0           D   192.168.0.1     Vlanif50
     192.168.0.1/32   Direct  0    0           D   127.0.0.1       Vlanif50
     192.168.1.0/24   Direct  0    0           D   192.168.1.1     Vlanif10
     192.168.1.1/32   Direct  0    0           D   127.0.0.1       Vlanif10
   192.168.1.255/32   Direct  0    0           D   192.168.1.2     Vlanif10
       127.0.0.0/8    Direct  0    0           D   127.0.0.1       InLoopBack0
       127.0.0.1/32   Direct  0    0           D   127.0.0.1       InLoopBack0
 127.255.255.255/32   Direct  0    0           D   127.0.0.1       InLoopBack0
 255.255.255.255/32   Direct  0    0           D   127.0.0.1       InLoopBack0

Step 4 Configure the RIP processes to import external routes.


# On Switch B, set the default metric of imported routes to 3 and configure the RIP processes
to import routes into each other's routing table.
[Switch B] rip 100
[Switch B-rip-100] default-cost 3
[Switch B-rip-100] import-route rip 200
[Switch B-rip-100] quit
[Switch B] rip 200
[Switch B-rip-200] import-route rip 100
[Switch B-rip-200] quit

# View the routing table of Switch A after the routes are imported.
[Switch A] display ip routing-table
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
         Destinations : 10       Routes : 10

Destination/Mask      Proto   Pre  Cost      Flags NextHop         Interface

     192.168.0.0/24   Direct  0    0           D   192.168.0.1     Vlanif50
     192.168.0.1/32   Direct  0    0           D   127.0.0.1       Vlanif50
     192.168.1.0/24   Direct  0    0           D   192.168.1.1     Vlanif10
     192.168.1.1/32   Direct  0    0           D   127.0.0.1       Vlanif10
   192.168.1.255/32   Direct  0    0           D   192.168.1.2     Vlanif10
     192.168.2.0/24   RIP     100  4           D   192.168.1.2     Vlanif10
     192.168.3.0/24   RIP     100  4           D   192.168.1.2     Vlanif10
     192.168.4.0/24   RIP     100  4           D   192.168.1.2     Vlanif10
       127.0.0.0/8    Direct  0    0           D   127.0.0.1       InLoopBack0
       127.0.0.1/32   Direct  0    0           D   127.0.0.1       InLoopBack0
 127.255.255.255/32   Direct  0    0           D   127.0.0.1       InLoopBack0
 255.255.255.255/32   Direct  0    0           D   127.0.0.1       InLoopBack0


Step 5 Configure Switch B to filter the imported routes.


# Configure an ACL on Switch B and add a rule to the ACL. The rule denies the network
segment 192.168.4.0/24; when the ACL is referenced by a filter-policy, the source address in
the rule is matched against the destination address of each route.
[Switch B] acl 2000
[Switch B-acl-basic-2000] rule deny source 192.168.4.0 0.0.0.255
[Switch B-acl-basic-2000] rule permit
[Switch B-acl-basic-2000] quit

# Configure Switch B to filter the route to 192.168.4.0/24 that is imported from RIP200 according
to the ACL rule.
[Switch B] rip 100
[Switch B-rip-100] filter-policy 2000 export
[Switch B-rip-100] quit
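The filter-policy above keeps the 192.168.4.0/24 route out of RIP100's updates because the wildcard mask in the ACL rule selects exactly that /24. The following Python script is an added example, not part of this guide or of the AC6605 software, that simulates the matching and the export: wildcard_match() implements wildcard semantics (a 1 bit means "ignore"), acl_decide() walks the rules in order, export_imported_routes() applies the ACL and the default-cost of 3 to the routes RIP100 imports from RIP200, and receive() adds the hop Switch A charges on its inbound interface, reproducing the cost of 4 shown in the Switch A routing table. The function names are my own, and two behaviours are assumptions labelled in the code: a route matching no rule is treated as denied (the reason the page's ACL ends with an explicit rule permit) and the cost added on receipt is 1. The script also shows a misconfiguration the page does not cover: typing the subnet mask 255.255.255.0 where the wildcard 0.0.0.255 belongs, which silently denies every /24 route.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class AclRule:
    """One basic-ACL rule: `rule deny|permit source <base> <wildcard>`.

    source=None models a bare `rule permit` / `rule deny` that matches anything.
    """
    action: str                     # "permit" or "deny"
    source: Optional[str] = None    # base address, None = any
    wildcard: str = "0.0.0.0"       # wildcard bits: 1 = ignore, 0 = must match


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Wildcard semantics: compare only the bits that are 0 in the wildcard."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)


def acl_decide(rules, addr: str) -> str:
    """First matching rule wins.

    Assumption (labelled): a route that matches no rule is denied, which is why
    ACL 2000 on the page ends with an explicit `rule permit`.
    """
    for rule in rules:
        if rule.source is None or wildcard_match(addr, rule.source, rule.wildcard):
            return rule.action
    return "deny"


def export_imported_routes(prefixes, rules, default_cost: int) -> dict:
    """Routes RIP100 on Switch B advertises after `import-route rip 200`,
    `default-cost <n>` and `filter-policy <acl> export`.

    For route filtering the ACL's source field is matched against the route's
    destination address. Returns {prefix: metric advertised}.
    """
    advertised = {}
    for prefix in prefixes:
        net = ipaddress.ip_network(prefix, strict=True)
        if acl_decide(rules, str(net.network_address)) == "permit":
            advertised[prefix] = default_cost
    return advertised


def receive(advertised: dict, inbound_cost: int = 1) -> dict:
    """What the neighbour (Switch A) installs.

    Assumption (labelled): the receiving interface adds a cost of 1, the RIP
    default, which turns the advertised metric 3 into the cost 4 seen on Switch A.
    """
    return {prefix: metric + inbound_cost for prefix, metric in advertised.items()}


# Constructed inputs mirroring the page: the three RIP200 routes Switch B imports.
IMPORTED_FROM_RIP200 = ["192.168.2.0/24", "192.168.3.0/24", "192.168.4.0/24"]
ACL_2000 = [AclRule("deny", "192.168.4.0", "0.0.0.255"), AclRule("permit")]
# Constructed misconfiguration (not on the page): a subnet mask typed where the wildcard belongs.
ACL_WRONG_MASK = [AclRule("deny", "192.168.4.0", "255.255.255.0"), AclRule("permit")]


def switch_a_view(rules=ACL_2000) -> dict:
    """End to end: filter on Switch B, then what Switch A learns."""
    return receive(export_imported_routes(IMPORTED_FROM_RIP200, rules, default_cost=3))


if __name__ == "__main__":
    print("ACL 2000      :", switch_a_view())                # 192.168.2.0/24 and 192.168.3.0/24 at cost 4
    print("wrong wildcard:", switch_a_view(ACL_WRONG_MASK))  # {}: every x.y.z.0 matches the deny rule
```

The wrong-wildcard case is worth checking after any filter-policy change: with 255.255.255.0 only the last octet is compared, so every network address ending in .0 hits the deny rule and Switch A learns nothing from RIP200.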

Step 6 Verify the configuration.


# View the RIP routing table of Switch A after the routes are filtered.
[Switch A] display ip routing-table
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
         Destinations : 9        Routes : 9

Destination/Mask      Proto   Pre  Cost      Flags NextHop         Interface

     192.168.0.0/24   Direct  0    0           D   192.168.0.1     Vlanif50
     192.168.0.1/32   Direct  0    0           D   127.0.0.1       Vlanif50
     192.168.1.0/24   Direct  0    0           D   192.168.1.1     Vlanif10
     192.168.1.1/32   Direct  0    0           D   127.0.0.1       Vlanif10
   192.168.1.255/32   Direct  0    0           D   192.168.1.2     Vlanif10
     192.168.2.0/24   RIP     100  4           D   192.168.1.2     Vlanif10
     192.168.3.0/24   RIP     100  4           D   192.168.1.2     Vlanif10
       127.0.0.0/8    Direct  0    0           D   127.0.0.1       InLoopBack0
       127.0.0.1/32   Direct  0    0           D   127.0.0.1       InLoopBack0
 127.255.255.255/32   Direct  0    0           D   127.0.0.1       InLoopBack0
 255.255.255.255/32   Direct  0    0           D   127.0.0.1       InLoopBack0

----End

Configuration Files
- Configuration file of Switch A


#
sysname Switch A
#
vlan batch 10 50
#
interface Vlanif10
ip address 192.168.1.1 255.255.255.0
#
interface Vlanif50
ip address 192.168.0.1 255.255.255.0
#
interface GigabitEthernet0/0/1
port hybrid pvid vlan 10
port hybrid untagged vlan 10
#
interface GigabitEthernet0/0/2
port hybrid pvid vlan 50
port hybrid untagged vlan 50
#
rip 100
network 192.168.0.0


network 192.168.1.0
#
return

- Configuration file of Switch B


#
sysname Switch B
#
vlan batch 10 20
#
acl number 2000
rule 5 deny source 192.168.4.0 0.0.0.255
rule 10 permit
#
interface Vlanif10
ip address 192.168.1.2 255.255.255.0
#
interface Vlanif20
ip address 192.168.2.1 255.255.255.0
#
interface GigabitEthernet0/0/1
port hybrid pvid vlan 10
port hybrid untagged vlan 10
#
interface GigabitEthernet0/0/2
port hybrid pvid vlan 20
port hybrid untagged vlan 20
#
rip 100
default-cost 3
network 192.168.1.0
filter-policy 2000 export
import-route rip 200
#
rip 200
network 192.168.2.0
import-route rip 100
#
return

- Configuration file of Switch C


#
sysname Switch C
#
vlan batch 20 30 40
#
interface Vlanif20
ip address 192.168.2.2 255.255.255.0
#
interface Vlanif30
ip address 192.168.3.1 255.255.255.0
#
interface Vlanif40
ip address 192.168.4.1 255.255.255.0
#
interface GigabitEthernet0/0/2
port hybrid pvid vlan 20
port hybrid untagged vlan 20
#
interface GigabitEthernet0/0/1
port hybrid pvid vlan 30
port hybrid untagged vlan 30
#
interface GigabitEthernet0/0/3
port hybrid pvid vlan 40
port hybrid untagged vlan 40
#
rip 200
network 192.168.2.0
network 192.168.3.0


network 192.168.4.0
#
return

Example for Configuring BFD for RIP


This section provides an example showing how to configure BFD on a RIP network to rapidly
detect and notify link faults.

Networking Requirements
A RIP device periodically sends Update packets to a neighbor to detect neighbor reachability.
By default, if a RIP device does not receive an Update packet from a neighbor within six Update
periods (180s), the RIP device will consider that the neighbor goes Down. This means that RIP
can detect a link fault only after 180s.
As technologies develop, voice, video, and other video on demand (VoD) services are widely
applied. These services are quite sensitive to the packet loss and delay. Long-time fault detection
will cause a large amount of data to be lost. As a result, the requirement of carrier-class networks
for high reliability cannot be met. BFD for RIP can be deployed to address this problem. After
BFD for RIP is configured, link fault detection can be completed in milliseconds. This speeds
up RIP convergence when link status changes.
On the network shown in Figure 5-5, active/standby links are deployed. Link Switch A->Switch
B functions as the active link and link Switch A->Switch C->Switch B functions as the
standby link. Normally, service traffic is transmitted along the active link. It is required that
faults in the active link be quickly detected and services be rapidly switched to the standby link.
BFD for RIP can be configured. BFD is used to detect the RIP neighbor relationship between
Switch A and Switch B. When the link between Switch A and Switch B fails, BFD can rapidly
detect the failure and report it to RIP. This allows service traffic to be quickly switched to the
standby link.
Figure 5-5 Networking diagram for configuring BFD for RIP
[Figure: Switch A GE0/0/1 (2.2.2.1/24) connects to Switch B GE0/0/1 (2.2.2.2/24), the active link; Switch A GE0/0/2 (3.3.3.1/24) connects to Switch C GE0/0/2 (3.3.3.2/24) and Switch C GE0/0/1 (4.4.4.2/24) connects to Switch B GE0/0/2 (4.4.4.1/24), the standby link; Switch B GE0/0/3 (172.16.1.1/24) connects to Switch D GE0/0/1 (172.16.1.2/24).]

Switch     Interface               VLANIF interface    IP address
SwitchA    GigabitEthernet0/0/1    VLANIF 10           2.2.2.1/24
SwitchA    GigabitEthernet0/0/2    VLANIF 20           3.3.3.1/24
SwitchB    GigabitEthernet0/0/1    VLANIF 10           2.2.2.2/24
SwitchB    GigabitEthernet0/0/2    VLANIF 30           4.4.4.1/24
SwitchB    GigabitEthernet0/0/3    VLANIF 40           172.16.1.1/24
SwitchC    GigabitEthernet0/0/2    VLANIF 20           3.3.3.2/24
SwitchC    GigabitEthernet0/0/1    VLANIF 30           4.4.4.2/24
SwitchD    GigabitEthernet0/0/1    VLANIF 40           172.16.1.2/24

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure basic RIP functions on each Switch to ensure that RIP neighbor relationships
   are properly established.
2. Enable BFD globally.
3. Configure BFD on interfaces at both ends of the link between Switches A and B.

Data Preparation
To complete the configuration, you need the following data:
- RIP process ID (1), RIP version (2)
- Switches A and B: minimum interval (100 ms) at which BFD packets are sent or received
  and local detection multiplier (10)
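To make the detection times concrete, the following Python script is an added example and is not part of this guide or of the AC6605 software. It computes the RIP neighbor timeout described under Networking Requirements (six Update periods of 30 s) and the BFD detection time that results from the 100 ms intervals and the multiplier of 10 listed above. The BFD formula is the RFC 5880 rule for asynchronous mode: the detection time at one end equals the peer's detect multiplier times the interval the peer actually transmits at, which is the larger of the peer's desired transmit interval and the local required receive interval. The function names are my own; the second call shows what happens when the two ends are configured asymmetrically, a case the page does not cover.

```python
RIP_UPDATE_INTERVAL_S = 30   # default RIP Update period
RIP_TIMEOUT_PERIODS = 6      # neighbor declared Down after six missed Updates


def rip_neighbor_timeout_ms(update_interval_s: int = RIP_UPDATE_INTERVAL_S,
                            periods: int = RIP_TIMEOUT_PERIODS) -> int:
    """Time RIP alone needs to declare a neighbor Down (180 000 ms by default)."""
    return update_interval_s * periods * 1000


def bfd_detection_time_ms(local_min_rx_ms: int, remote_min_tx_ms: int,
                          remote_multiplier: int) -> int:
    """Detection time at the local end of an asynchronous BFD session (RFC 5880 6.8.4).

    The peer transmits at max(its desired min-tx, our required min-rx); after
    remote_multiplier such intervals without a packet the session is declared Down.
    """
    if local_min_rx_ms <= 0 or remote_min_tx_ms <= 0 or remote_multiplier <= 0:
        raise ValueError("intervals and multiplier must be positive")
    negotiated_tx_ms = max(remote_min_tx_ms, local_min_rx_ms)
    return remote_multiplier * negotiated_tx_ms


def session_detection_times_ms(end_a: dict, end_b: dict) -> tuple:
    """Detection time seen by each end of one session.

    end_a / end_b carry the per-switch settings as {min_tx, min_rx, multiplier}
    (milliseconds, dimensionless). Returns (time at A, time at B).
    """
    at_a = bfd_detection_time_ms(end_a["min_rx"], end_b["min_tx"], end_b["multiplier"])
    at_b = bfd_detection_time_ms(end_b["min_rx"], end_a["min_tx"], end_a["multiplier"])
    return at_a, at_b


def speedup_over_rip(detection_ms: int) -> float:
    """How many times faster BFD reports the fault than the RIP timeout alone."""
    return rip_neighbor_timeout_ms() / detection_ms


if __name__ == "__main__":
    # Values from this example: 100 ms tx/rx and multiplier 10 on both Switch A and Switch B.
    page_settings = {"min_tx": 100, "min_rx": 100, "multiplier": 10}
    print(session_detection_times_ms(page_settings, page_settings))   # (1000, 1000)
    # Constructed asymmetric case: Switch B only accepts one packet per second,
    # so Switch A slows its transmissions and Switch B's detection stretches to 10 s.
    slow_receiver = {"min_tx": 100, "min_rx": 1000, "multiplier": 10}
    print(session_detection_times_ms(page_settings, slow_receiver))   # (1000, 10000)
    print(speedup_over_rip(1000))                                      # 180.0
```

The asymmetric case is the one to watch when the two ends are configured separately: the detection time at each end is governed by the peer's settings, so a conservative min-rx-interval on one Switch slows failover on that Switch even though its own multiplier and tx interval look aggressive.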

Procedure
Step 1 Configure an IP address for each interface.
As shown in Figure 5-5, configure an IP address for each interface based on Data
Preparation. For configuration details, see configuration files.
Step 2 Configure basic RIP functions.
# Configure Switch A.
<SwitchA> system-view
[SwitchA] rip 1
[SwitchA-rip-1] version 2
[SwitchA-rip-1] network 2.0.0.0
[SwitchA-rip-1] network 3.0.0.0
[SwitchA-rip-1] quit

# Configure Switch B.
<SwitchB> system-view
[SwitchB] rip 1
[SwitchB-rip-1] version 2
[SwitchB-rip-1] network 2.0.0.0
[SwitchB-rip-1] network 4.0.0.0
[SwitchB-rip-1] network 172.16.0.0
[SwitchB-rip-1] quit

# Configure Switch C.
<SwitchC> system-view
[SwitchC] rip 1
[SwitchC-rip-1] version 2
[SwitchC-rip-1] network 3.0.0.0
[SwitchC-rip-1] network 4.0.0.0
[SwitchC-rip-1] quit

# Configure Switch D.
<SwitchD> system-view
[SwitchD] rip 1
[SwitchD-rip-1] version 2
[SwitchD-rip-1] network 172.16.0.0
[SwitchD-rip-1] quit

# After completing the preceding operations, run the display rip neighbor command. The
command output shows that Switches A, B, and C have established neighbor relationships with
each other. In the following example, the display on Switch A is used.
[SwitchA] display rip 1 neighbor
--------------------------------------------------------------------
 IP Address      Interface       Type    Last-Heard-Time
--------------------------------------------------------------------
 2.2.2.2         Vlanif10        RIP     0:0:14
 Number of RIP routes : 2
 3.3.3.2         Vlanif20        RIP     0:0:19
 Number of RIP routes : 1

# Run the display ip routing-table command. The command output shows that the Switches
have learned routes from each other. In the following example, the display on Switch A is
used.
[SwitchA] display ip routing-table
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
         Destinations : 9        Routes : 10

Destination/Mask    Proto   Pre  Cost      Flags NextHop         Interface

        1.1.1.1/32  Direct  0    0           D   127.0.0.1       LoopBack0
        2.2.2.0/24  Direct  0    0           D   2.2.2.1         Vlanif10
        2.2.2.1/32  Direct  0    0           D   127.0.0.1       Vlanif10
        3.3.3.0/24  Direct  0    0           D   3.3.3.1         Vlanif20
        3.3.3.1/32  Direct  0    0           D   127.0.0.1       Vlanif20
        4.4.4.0/24  RIP     100  1           D   3.3.3.2         Vlanif20
                    RIP     100  1           D   2.2.2.2         Vlanif10
      127.0.0.0/8   Direct  0    0           D   127.0.0.1       InLoopBack0
      127.0.0.1/32  Direct  0    0           D   127.0.0.1       InLoopBack0
     172.16.1.0/24  RIP     100  1           D   2.2.2.2         Vlanif10

The preceding command output shows that the next-hop address and outbound interface of the
route to destination 172.16.1.0/24 are 2.2.2.2 and VLANIF10 respectively, and traffic is
transmitted over the active link Switch A->Switch B.
Step 3 Configure BFD in RIP processes.
# Configure BFD on all interfaces of Switch A.
[SwitchA] bfd
[SwitchA-bfd] quit
[SwitchA] rip 1
[SwitchA-rip-1] bfd all-interfaces enable
[SwitchA-rip-1] bfd all-interfaces min-rx-interval 100 min-tx-interval 100 detect-multiplier 10
[SwitchA-rip-1] quit

The configuration of Switch B is similar to that of Switch A, and is not provided here.
# After completing the preceding operations, run the display rip bfd session command on
Switch A. The command output shows that Switches A and B have established a BFD session
and the BFDState field value is displayed as Up. In the following example, the display on
Switch A is used.
[SwitchA] display rip 1 bfd session all
  LocalIp  :2.2.2.1        RemoteIp :2.2.2.2        BFDState :Up
  TX       :100            RX       :100            Multiplier:3
  BFD Local Dis :8194      Interface :Vlanif10
  Diagnostic Info:No diagnostic information

  LocalIp  :3.3.3.1        RemoteIp :3.3.3.2        BFDState :Down
  TX       :2800           RX       :2800           Multiplier:0
  BFD Local Dis :8192      Interface :Vlanif20
  Diagnostic Info:No diagnostic information

Step 4 Verify the configuration.


# Run the shutdown command on GE 0/0/1 of Switch B to simulate a fault in the active link.
NOTE

The link fault is simulated to verify the configuration. In actual situations, the operation is not required.
[SwitchB] interface gigabitethernet 0/0/1
[SwitchB-GigabitEthernet0/0/1] shutdown

# Check the routing table of Switch A.
[SwitchA] display ip routing-table
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
         Destinations : 9        Routes : 10

Destination/Mask    Proto   Pre  Cost      Flags NextHop         Interface

        1.1.1.1/32  Direct  0    0           D   127.0.0.1       LoopBack0
        2.2.2.0/24  Direct  0    0           D   2.2.2.1         Vlanif10
        2.2.2.1/32  Direct  0    0           D   127.0.0.1       Vlanif10
        3.3.3.0/24  Direct  0    0           D   3.3.3.1         Vlanif20
        3.3.3.1/32  Direct  0    0           D   127.0.0.1       Vlanif20
        4.4.4.0/24  RIP     100  1           D   3.3.3.2         Vlanif20
                    RIP     100  1           D   2.2.2.2         Vlanif10
      127.0.0.0/8   Direct  0    0           D   127.0.0.1       InLoopBack0
      127.0.0.1/32  Direct  0    0           D   127.0.0.1       InLoopBack0
     172.16.1.0/24  RIP     100  2           D   3.3.3.2         Vlanif20

The preceding command output shows that the standby link Switch A->Switch C->Switch B is
used after the active link fails, and the next-hop address and outbound interface of the route to
destination 172.16.1.0/24 are 3.3.3.2 and VLANIF20 respectively.
----End

Configuration Files
- Configuration file of Switch A


#
sysname SwitchA
#
bfd
#
interface Vlanif10
ip address 2.2.2.1 255.255.255.0
rip bfd static
#
interface Vlanif20
ip address 3.3.3.1 255.255.255.0
#
interface GigabitEthernet0/0/1
port hybrid pvid vlan 10
port hybrid untagged vlan 10
#
interface GigabitEthernet0/0/2
port hybrid pvid vlan 20
port hybrid untagged vlan 20
#


rip 1
version 2
network 2.0.0.0
network 3.0.0.0
bfd all-interfaces enable
bfd all-interfaces min-tx-interval 100 min-rx-interval 100 detect-multiplier 10
#
return

- Configuration file of Switch B


#
sysname SwitchB
#
bfd
#
interface Vlanif10
ip address 2.2.2.2 255.255.255.0
#
interface Vlanif30
ip address 4.4.4.1 255.255.255.0
#
interface Vlanif40
ip address 172.16.1.1 255.255.255.0
#
interface GigabitEthernet0/0/1
port hybrid pvid vlan 10
port hybrid untagged vlan 10
#
interface GigabitEthernet0/0/2
port hybrid pvid vlan 30
port hybrid untagged vlan 30
#
interface GigabitEthernet0/0/3
port hybrid pvid vlan 40
port hybrid untagged vlan 40
#
rip 1
version 2
network 2.0.0.0
network 4.0.0.0
network 172.16.0.0
bfd all-interfaces enable
bfd all-interfaces min-tx-interval 100 min-rx-interval 100 detect-multiplier 10
#
return

- Configuration file of Switch C


#
sysname SwitchC
#
interface Vlanif20
ip address 3.3.3.2 255.255.255.0
#
interface Vlanif30
ip address 4.4.4.2 255.255.255.0
#
interface GigabitEthernet0/0/2
port hybrid pvid vlan 20
port hybrid untagged vlan 20
#
interface GigabitEthernet0/0/1
port hybrid pvid vlan 30
port hybrid untagged vlan 30
#
rip 1
version 2
network 3.0.0.0
network 4.0.0.0
#


return

- Configuration file of Switch D


#
sysname SwitchD
#
interface Vlanif40
ip address 172.16.1.2 255.255.255.0
#
interface GigabitEthernet0/0/1
port hybrid pvid vlan 40
port hybrid untagged vlan 40
#
rip 1
version 2
network 172.16.0.0
#
return

Example for Configuring One-Arm Static BFD for RIP


Networking Requirements
RIP detects neighbor status by sending Update packets periodically. By default, if receiving no
Update packets from its neighbor within six update intervals (180s), RIP considers its neighbor
Down. That is, RIP needs to take 180s to detect a link fault.
With the development of technologies, voice, video, and other VOD services are widely used.
These services are quite sensitive to packet loss and delay. A long-time fault detection will cause
packet loss. This cannot meet high reliability requirements of the carrier-class network. BFD
for RIP is used to resolve the problem. After BFD for RIP is configured, the link status can be
rapidly detected and fault detection can be completed in milliseconds. This speeds up RIP
convergence when the link status changes.
Because some devices on the network do not support BFD, One-Arm static BFD becomes very
important. One-Arm static BFD enables a device supporting BFD to create a BFD session with
another device that does not support BFD. It detects link faults quickly and accelerates network
convergence.
Use Figure 5-6 as an example.
- RIP is running between Switch A, Switch B, Switch C, and Switch D.
- Service traffic travels through the primary link Switch A->Switch B->Switch D.
- One-Arm static BFD is enabled on the interface connecting Switch A and Switch B. When
  the primary link fails, BFD can detect the fault quickly and notify the RIP module of the
  fault. Service traffic is then switched to a secondary link.


Figure 5-6 Networking diagram for One-Arm static BFD for RIP
[Figure: Switch A GE0/0/1 (2.2.2.1/24) connects to Switch B GE0/0/1 (2.2.2.2/24), the primary link; Switch A GE0/0/2 (3.3.3.1/24) connects to Switch C GE0/0/2 (3.3.3.2/24) and Switch C GE0/0/1 (4.4.4.2/24) connects to Switch B GE0/0/2 (4.4.4.1/24), the secondary link; Switch B GE0/0/3 (172.16.1.1/24) connects to Switch D GE0/0/1 (172.16.1.2/24).]

Switch     Interface               VLANIF interface    IP address
SwitchA    GigabitEthernet0/0/1    VLANIF 10           2.2.2.1/24
SwitchA    GigabitEthernet0/0/2    VLANIF 20           3.3.3.1/24
SwitchB    GigabitEthernet0/0/1    VLANIF 10           2.2.2.2/24
SwitchB    GigabitEthernet0/0/2    VLANIF 30           4.4.4.1/24
SwitchB    GigabitEthernet0/0/3    VLANIF 40           172.16.1.1/24
SwitchC    GigabitEthernet0/0/2    VLANIF 20           3.3.3.2/24
SwitchC    GigabitEthernet0/0/1    VLANIF 30           4.4.4.2/24
SwitchD    GigabitEthernet0/0/1    VLANIF 40           172.16.1.2/24

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure basic RIP functions on each Switch to set up RIP neighbor relationships.
2. Enable global BFD on Switch A. Enable One-Arm static BFD on the interface connecting
   Switch A and Switch B.

Data Preparation
To complete the configuration, you need the following data:
- On each Switch: RIP process ID (1), RIP version number (2)
- Local BFD discriminator on Switch A (local 1)
- Minimum interval at which Switch A receives BFD control packets from Switch B

Procedure
Step 1 Configure an IP address for each interface.
Configure IP addresses according to Figure 5-6 and Data Preparation. For details about the
configuration, see the configuration file.
Step 2 Configure basic RIP functions.
# Configure Switch A.
<SwitchA> system-view
[SwitchA] rip 1
[SwitchA-rip-1] version 2
[SwitchA-rip-1] network 2.0.0.0
[SwitchA-rip-1] network 3.0.0.0
[SwitchA-rip-1] quit

# Configure Switch B.
<SwitchB> system-view
[SwitchB] rip 1
[SwitchB-rip-1] version 2
[SwitchB-rip-1] network 2.0.0.0
[SwitchB-rip-1] network 4.0.0.0
[SwitchB-rip-1] network 172.16.0.0
[SwitchB-rip-1] quit

# Configure Switch C.
<SwitchC> system-view
[SwitchC] rip 1
[SwitchC-rip-1] version 2
[SwitchC-rip-1] network 3.0.0.0
[SwitchC-rip-1] network 4.0.0.0
[SwitchC-rip-1] quit

# Configure Switch D.
<SwitchD> system-view
[SwitchD] rip 1
[SwitchD-rip-1] version 2
[SwitchD-rip-1] network 172.16.0.0
[SwitchD-rip-1] quit

# After the configurations are complete, run the display rip neighbor command, and you can
see that RIP neighbor relationships among Switch A, Switch B, and Switch C have been
established. Take the display on Switch A as an example.
[SwitchA] display rip 1 neighbor
--------------------------------------------------------------------
 IP Address      Interface       Type    Last-Heard-Time
--------------------------------------------------------------------
 2.2.2.2         Vlanif10        RIP     0:0:10
 Number of RIP routes : 2
 3.3.3.2         Vlanif20        RIP     0:0:8
 Number of RIP routes : 1

# Run the display ip routing-table command, and you can see that the Switches have learned
routes from each other. Take the display on Switch A as an example.
[SwitchA] display ip routing-table
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
         Destinations : 9        Routes : 10

Destination/Mask    Proto   Pre  Cost      Flags NextHop         Interface

        1.1.1.1/32  Direct  0    0           D   127.0.0.1       LoopBack0
        2.2.2.0/24  Direct  0    0           D   2.2.2.1         Vlanif10
        2.2.2.1/32  Direct  0    0           D   127.0.0.1       Vlanif10
        3.3.3.0/24  Direct  0    0           D   3.3.3.1         Vlanif20
        3.3.3.1/32  Direct  0    0           D   127.0.0.1       Vlanif20
        4.4.4.0/24  RIP     100  1           D   3.3.3.2         Vlanif20
                    RIP     100  1           D   2.2.2.2         Vlanif10
      127.0.0.0/8   Direct  0    0           D   127.0.0.1       InLoopBack0
      127.0.0.1/32  Direct  0    0           D   127.0.0.1       InLoopBack0
     172.16.1.0/24  RIP     100  1           D   2.2.2.2         Vlanif10


The routing table shows that the next-hop IP address of the route destined for 172.16.1.0/24 is
2.2.2.2, the outbound interface is VLANIF10, and traffic is transmitted along the primary link
Switch A->Switch B.
Step 3 Configure One-Arm static BFD on Switch A.
# Configure one-arm BFD on Switch A.
[SwitchA] bfd
[SwitchA-bfd] quit
[SwitchA] bfd 1 bind peer-ip 2.2.2.2 interface vlanif 10 source-ip 1.1.1.1 one-arm-echo
[SwitchA-session-1] discriminator local 1
[SwitchA-session-1] min-echo-rx-interval 200
[SwitchA-session-1] commit
[SwitchA-session-1] quit

# Enable static BFD on VLANIF10.


[SwitchA] interface vlanif 10
[SwitchA-Vlanif10] rip bfd static
[SwitchA-Vlanif10] quit

Step 4 Verify the configuration.


# Run the shutdown command on GE 0/0/1 on Switch B to simulate a fault on the primary link.
NOTE

Fault simulation is for configuration verification. In actual application, it is not required.


[SwitchB] interface gigabitEthernet 0/0/1
[SwitchB-GigabitEthernet0/0/1] shutdown

# Check the routing table of Switch A.


[SwitchA] display ip routing-table
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
         Destinations : 9        Routes : 10

Destination/Mask    Proto   Pre  Cost      Flags NextHop         Interface

       1.1.1.1/32   Direct  0    0           D   127.0.0.1       LoopBack0
       2.2.2.0/24   Direct  0    0           D   2.2.2.1         Vlanif10
       2.2.2.1/32   Direct  0    0           D   127.0.0.1       Vlanif10
       3.3.3.0/24   Direct  0    0           D   3.3.3.1         Vlanif20
       3.3.3.1/32   Direct  0    0           D   127.0.0.1       Vlanif20
       4.4.4.0/24   RIP     100  1           D   3.3.3.2         Vlanif20
                    RIP     100  1           D   2.2.2.2         Vlanif10
     127.0.0.0/8    Direct  0    0           D   127.0.0.1       InLoopBack0
     127.0.0.1/32   Direct  0    0           D   127.0.0.1       InLoopBack0
    172.16.1.0/24   RIP     100  2           D   3.3.3.2         Vlanif20

The routing table shows that the secondary link Switch A -> Switch C -> Switch B is used after
the primary link fails. The next-hop IP address of the route destined for 172.16.1.0/24 is 3.3.3.2
and the outbound interface is VLANIF20.
----End

Configuration files
- Configuration file of Switch A

#
sysname SwitchA
#
bfd
#
interface Vlanif10
ip address 2.2.2.1 255.255.255.0
rip bfd static
#
interface Vlanif20
ip address 3.3.3.1 255.255.255.0
#
interface GigabitEthernet0/0/1
port hybrid pvid vlan 10
port hybrid untagged vlan 10
#
interface GigabitEthernet0/0/2
port hybrid pvid vlan 20
port hybrid untagged vlan 20
#
bfd 1 bind peer-ip 2.2.2.2 interface Vlanif10 source-ip 1.1.1.1 one-arm-echo
discriminator local 1
min-echo-rx-interval 200
commit
#
rip 1
version 2
network 2.0.0.0
network 3.0.0.0
#
return

- Configuration file of Switch B


#
sysname SwitchB
#
bfd
#
interface Vlanif10
ip address 2.2.2.2 255.255.255.0
#
interface Vlanif30
ip address 4.4.4.1 255.255.255.0
#
interface Vlanif40
ip address 172.16.1.1 255.255.255.0
#
interface GigabitEthernet0/0/1
port hybrid pvid vlan 10
port hybrid untagged vlan 10
#
interface GigabitEthernet0/0/2
port hybrid pvid vlan 30
port hybrid untagged vlan 30
#
interface GigabitEthernet0/0/3
port hybrid pvid vlan 40
port hybrid untagged vlan 40
#
rip 1
version 2
network 2.0.0.0
network 4.0.0.0
network 172.16.0.0
#
return

- Configuration file of Switch C

#
sysname SwitchC
#
interface Vlanif20
ip address 3.3.3.2 255.255.255.0


#
interface Vlanif30
ip address 4.4.4.2 255.255.255.0
#
interface GigabitEthernet0/0/2
port hybrid pvid vlan 20
port hybrid untagged vlan 20
#
interface GigabitEthernet0/0/1
port hybrid pvid vlan 30
port hybrid untagged vlan 30
#
rip 1
version 2
network 3.0.0.0
network 4.0.0.0
#
return

- Configuration file of Switch D


#
sysname SwitchD
#
interface Vlanif40
ip address 172.16.1.2 255.255.255.0
#
interface GigabitEthernet0/0/1
port hybrid pvid vlan 40
port hybrid untagged vlan 40
#
rip 1
version 2
network 172.16.0.0
#
return

5.3 OSPF Configuration


OSPF, which is developed by the IETF, is a link-state IGP. OSPF is widely used in access
networks and MANs.

5.3.1 OSPF Overview


OSPF is a link-state IGP. At present, OSPFv2 is intended for IPv4.
Defined by the Internet Engineering Task Force (IETF), the Open Shortest Path First (OSPF)
protocol is an Interior Gateway Protocol (IGP) implemented on the basis of the link status.
NOTE

In this chapter, OSPF refers to OSPFv2, unless otherwise specified.

OSPF Features
OSPF has the following features:
- Wide applications
  OSPF is applicable to networks of various sizes, even to a network consisting of hundreds of routers.
- Fast convergence
  Once the network topology changes, Update packets are transmitted to synchronize the link state databases (LSDBs) of all the routers within the Autonomous System (AS).
- Loop-free
  Based on the collected link status, OSPF calculates routes with the shortest path tree algorithm. This algorithm ensures that the generated routes are loop-free.
- Area division
  An AS can be divided into different areas to facilitate AS management. After the area partition, an LSDB stores routing information only of the local area. The reduction in LSDB size dramatically reduces memory and CPU usage. In addition, less bandwidth is consumed because less routing information is transmitted within the AS.
- Equal-cost routes
  OSPF supports multiple equal-cost routes to the same destination.
- Routing hierarchy
  Four types of routes are available. In descending order of priority they are: intra-area routes, inter-area routes, Type 1 external routes, and Type 2 external routes.
- Authentication
  Area-based and interface-based packet authentication guarantees the security of packet interaction.
- Multicast
  Multicast packets are transmitted only on certain types of links to reduce the interference for other devices.

Process of OSPF Route Calculation

The process of calculating OSPF routes is as follows:
1. Based on the surrounding network topology, each OSPF device originates a Link State Advertisement (LSA). The Switch then transmits Update packets containing the LSAs to other OSPF devices.
2. Each OSPF device collects the LSAs from other devices, and all these LSAs compose the LSDB. An LSA describes the network topology around a Switch, whereas the LSDB describes the network topology of the whole AS.
3. OSPF devices transform the LSDB into a weighted directed map. The weighted directed map reflects the topology of the entire network. All Switches in the same area have the same map.
4. According to the directed map, each Switch uses the Shortest Path First (SPF) algorithm to calculate the shortest path tree, regarding itself as the root. The tree gives the routes to each node in the AS.
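The four steps above carried through in code, as an added example that is not code from the guide or from the AC6605: a constructed LSDB of router-LSAs is treated as a weighted directed graph, SPF is run with the calculating Switch as the root, and the next hop of every destination is read off the tree. The example also keeps every equal-cost predecessor, so the equal-cost routes listed under OSPF Features show up as several next hops for one destination.

```python
import heapq
from typing import Dict, List, Tuple

# Constructed sample LSDB for a single OSPF area (example data, not from the guide).
# Each entry is the router-LSA of one Switch: a list of (neighbor router ID, link cost).
# Link costs are per direction and at least 1, so the LSDB is a weighted directed graph.
LSDB: Dict[str, List[Tuple[str, int]]] = {
    "1.1.1.1": [("2.2.2.2", 1), ("3.3.3.3", 2)],
    "2.2.2.2": [("1.1.1.1", 1), ("3.3.3.3", 1), ("4.4.4.4", 10)],
    "3.3.3.3": [("1.1.1.1", 5), ("2.2.2.2", 1), ("4.4.4.4", 1)],
    "4.4.4.4": [("2.2.2.2", 10), ("3.3.3.3", 1)],
}


def spf(lsdb, root):
    """Shortest Path First (Dijkstra) with the calculating Switch as the tree root.

    Returns (cost, parents): cost[r] is the distance from the root to router r, and
    parents[r] lists every predecessor on an equal-cost shortest path, which is what
    OSPF needs in order to install equal-cost routes to the same destination.
    """
    cost = {root: 0}
    parents = {root: []}
    heap = [(0, root)]
    while heap:
        c, u = heapq.heappop(heap)
        if c > cost[u]:
            continue  # stale heap entry: a shorter path to u was already settled
        for v, w in lsdb.get(u, []):
            nc = c + w
            if nc < cost.get(v, float("inf")):
                cost[v] = nc
                parents[v] = [u]
                heapq.heappush(heap, (nc, v))
            elif nc == cost[v] and u not in parents[v]:
                parents[v].append(u)  # equal-cost path through another neighbor
    return cost, parents


def next_hops(parents, root, dst):
    """Walk every shortest path back towards the root; the root's direct children are the next hops."""
    hops = set()
    for p in parents[dst]:
        if p == root:
            hops.add(dst)
        else:
            hops |= next_hops(parents, root, p)
    return hops


def routing_table(lsdb, root):
    """Intra-area routing table of `root`: destination -> (cost, sorted next-hop router IDs)."""
    cost, parents = spf(lsdb, root)
    return {dst: (c, sorted(next_hops(parents, root, dst)))
            for dst, c in cost.items() if dst != root}


if __name__ == "__main__":
    for dst, (c, hops) in sorted(routing_table(LSDB, "1.1.1.1").items()):
        print(f"{dst:10s} cost={c} next-hop={','.join(hops)}")
```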

Area Division
The number of Switches increases as the network expands. This leads to a large LSDB on each
Switch, and as a result the load on each Switch is very heavy. OSPF solves this problem by
dividing an AS into different areas. An area is regarded as a logical device group, and each group
is identified by an area ID. The border of an area is a Switch rather than a link. A network
segment (or a link) belongs to only one area. That is, the area to which each OSPF interface
belongs must be specified, as shown in Figure 5-7.

Figure 5-7 OSPF area division (areas shown in the figure: Area0, Area1, Area2, Area3, Area4)

After area division, route aggregation can be performed on border routers to reduce the number
of LSAs advertised to other areas. Route aggregation also minimizes the influence caused by
changes in the topology.

Router Type
OSPF routers are classified into the following types according to their locations in the AS:
- Internal routers
  All interfaces of a Switch of this type belong to the same OSPF area.
- Area border routers (ABRs)
  A Switch of this type belongs to multiple areas, one of which must be the backbone area. An ABR connects the backbone area to the non-backbone areas, and can be physically or logically connected to the backbone area.
- Backbone routers
  At least one interface on a Switch of this type belongs to the backbone area. Therefore, all ABRs and the internal routers in Area 0 are backbone routers.
- AS boundary routers (ASBRs)
  A Switch that exchanges routing information with other ASs is called an ASBR. An ASBR is not necessarily located on the boundary of an AS; it can be an internal router or an ABR. When an OSPF device imports external routing information, it becomes an ASBR.


Figure 5-8 Types of OSPF routers (labels in the figure: Area0, Area1, Area2, Area3, Area4; Internal Router, ABR, Backbone Router, and an ASBR towards an IS-IS domain)

OSPF Network Types

OSPF classifies networks into four types according to the link layer protocol:
- Broadcast: If the link layer protocol is Ethernet or FDDI, OSPF defaults the network type to broadcast. In this type of network, the following applies:
  - Hello packets and packets from the Designated Router (DR) are sent in multicast mode (224.0.0.5 is the reserved IP multicast address for OSPF routers).
  - Link State Update (LSU) packets are sent to the DR in multicast mode (224.0.0.6 is the reserved IP multicast address for the OSPF DR), and the DR forwards the LSU packets to destination 224.0.0.5.
  - Database Description (DD) packets, Link State Request (LSR) packets, and all retransmitted packets are sent in unicast mode.
  - Link State Acknowledgement (LSAck) packets are usually sent in multicast mode (224.0.0.5). When a Switch receives repeated LSAs, or LSAs are deleted because their maximum lifetime has expired, LSAck packets are sent in unicast mode.
- Non-Broadcast Multi-Access (NBMA): If the link layer protocol is Frame Relay, ATM, or X.25, OSPF defaults the network type to NBMA. In this type of network, protocol packets such as Hello, DD, LSR, LSU, and LSAck packets are transmitted in unicast mode.
- Point-to-Multipoint (P2MP): A P2MP network must be forcibly changed from another network type. In this type of network, Hello packets are transmitted in multicast mode (224.0.0.5); DD, LSR, LSU, and LSAck packets are transmitted in unicast mode.
- Point-to-Point (P2P): If the link layer protocol is PPP, HDLC, or LAPB, OSPF defaults the network type to P2P. In this type of network, protocol packets such as Hello, DD, LSR, LSU, and LSAck packets are transmitted in multicast mode (224.0.0.5).


5.3.2 OSPF Features Supported by the AC6605


The AC6605 supports various OSPF features, including multi-process, authentication, hot
standby, Smart-discover, TE, VPN multi-instance, BFD, and GTSM.

Multi-process
OSPF supports multi-process. More than one OSPF process can run on the same Switch because
processes are mutually independent. Route interaction between different OSPF processes is
similar to the interaction between different routing protocols.
An interface of a Switch belongs to only one OSPF process.
A typical application of OSPF multi-process is to run OSPF between PEs and CEs in the VPN
where OSPF is also adopted in the backbone network. On the PEs, the two OSPF processes are
independent of each other.

Authentication
OSPF supports packet authentication. Only the OSPF packets that pass the authentication can
be received. If the packets fail to pass the authentication, the neighbor relationship cannot be
established.
The AC6605 supports two authentication modes:
- Area authentication mode
- Interface authentication mode

If both modes are configured, interface authentication takes precedence.

Hot Backup and GR


The Switch with a distributed structure supports OSPF hot standby (HSB). OSPF backs up
necessary information from the active main board (AMB) to the standby main board (SMB).
When the AMB fails, the SMB replaces it to ensure the normal operation of OSPF.
OSPF supports two types of HSB:
- Backing up all OSPF data: After the switchover between the AMB and the SMB, OSPF resumes normal operation immediately.
- Backing up only the OSPF configuration: After the switchover between the AMB and the SMB, OSPF performs graceful restart (GR), obtains the adjacency relationship from neighbors, and synchronizes the LSDBs.

Smart-discover
Generally, Switches periodically send Hello packets through interfaces that run OSPF,
Switches set up and maintain the neighbor relationship, and elect the DR and the Backup
Designated Router (BDR) on the multi-access network (broadcast or NBMA) by exchanging
Hello packets. When establishing the neighbor relationship or electing the DR and the BDR on
the multi-access network, interfaces can send Hello packets only when the Hello timer expires.
This affects the speed for establishing the neighbor relationship and electing the DR and the
BDR.

NOTE
- The interval at which Hello packets are sent on an interface depends on the Hello interval set on that interface.
- The default Hello interval varies with the network type.

The Smart-discover function solves the preceding problem.
- In broadcast and NBMA networks, the neighbor relationship can be established rapidly, and a DR and a BDR can be elected rapidly.
  When the neighbor status becomes 2-way for the first time, or it returns to Init from the 2-way or a higher state as shown in Figure 5-9, an interface enabled with the Smart-discover function sends Hello packets to the neighbor as soon as it detects the change in neighbor status, without waiting for the Hello timer to expire.
  When the interface status of the DR or the BDR in the multi-access network changes, an interface enabled with the Smart-discover function sends Hello packets to the network segment and takes part in the DR or BDR election.
  Figure 5-9 Changes of the neighbor state machine (states shown in the figure: Down, Attempt (NBMA), Init, 2-way, Exstart, Exchange, Loading, Full)
- On P2P and P2MP networks, the adjacency relationship can be established rapidly. The principle is the same as that in broadcast and NBMA networks.

OSPF GR
When a Switch restarts or performs an active/standby switchover, it directly ages all routing
entries in the Forwarding Information Base (FIB) table. This results in route interruption. In
addition, neighboring Switches remove this Switch from their neighbor lists and notify other
Switches, which triggers SPF recalculation. If this Switch recovers within a few seconds, the
neighbor relationship becomes unstable, which results in route flapping.
After OSPF Graceful Restart (GR) is enabled, a Switch can keep forwarding packets while it
restarts because of an exception. In this way, route flapping is avoided during the short restart
of the Switch.
NOTE

Unless otherwise specified, "protocol restart" in this document refers to restarting OSPF in GR mode.

When a Switch restarts OSPF, the GR Restarter does not age the forwarding information. At the
same time, the GR Helper keeps the topology information or routes obtained from the GR
Restarter for a period. This ensures that traffic forwarding is not interrupted when protocol restart
occurs.

OSPF VPN Multi-instance


OSPF supports multi-instance, which can run between PEs and CEs in VPN networks.

In BGP MPLS VPN, many sites of one VPN can use OSPF as the internal routing protocol. The
sites, however, are handled as if they were in different ASs. In this way, the OSPF routes learned
at one site are transmitted as external routes to another site. This causes heavy OSPF traffic
and some avoidable network management problems.
In the AC6605 implementation, you can configure domain IDs on a PE to differentiate the VPNs
where different sites reside. Different sites in one VPN consider each other as if they were
connected directly. Thus, PEs exchange OSPF routing information as if they were directly
connected through a leased line. This improves network management and enhances the validity
of the OSPF application.

BFD for OSPF


By default, in broadcast networks the interval for OSPF to send Hello packets is 10 seconds; in
NBMA networks the interval for sending Hello packets is 30 seconds, and the period after which
the neighbor is declared Down is four times the Hello interval. If the Switch does not receive a
Hello packet from the neighbor before that period expires, it deletes the neighbor. That is, the
Switch detects neighbor faults only after several seconds, which leads to the loss of a large
number of packets on a high-speed network.
To solve the preceding problem of the current detection mechanism, Bidirectional Forwarding
Detection (BFD) was developed. BFD can detect faults at the millisecond level. Instead of
replacing the Hello mechanism of OSPF, BFD works with OSPF to detect adjacency faults
quickly and notifies OSPF so that it recalculates routes. This correctly guides packet
forwarding.
The Routing Management (RM) module exchanges routing information with the BFD module.
Through RM, OSPF notifies BFD to dynamically set up or delete BFD sessions, and BFD Event
messages are delivered to OSPF through RM.
The process of establishing and deleting a BFD session is as follows:
- Establishing a BFD session: If the BFD feature is globally configured, BFD is enabled on an interface or a process, and the OSPF neighbor is in the Full state, OSPF uses RM to notify the BFD module to establish the BFD session and negotiate the BFD parameters.
- Deleting a BFD session: When BFD detects a link fault, it generates a Down event and notifies the upper-layer protocol of the fault through RM. OSPF then responds to the event and immediately deletes the adjacency on the link. At this time, the neighbor is no longer in the Full state, so the conditions for establishing a BFD session are not met, and OSPF uses RM to notify the BFD module to delete the BFD session.

OSPF supports dynamically establishing or deleting a BFD session on broadcast, P2P, P2MP,
and NBMA links.
Configure BFD according to the actual network environment. If the time parameters are set
incorrectly, network flapping occurs.

GTSM
The Generalized TTL Security Mechanism (GTSM) refers to the generic TTL security protection
mechanism. GTSM protects services of the upper layer over the IP layer by checking whether
the TTL value in the IP header is in a pre-defined range. In applications, GTSM is designed to
protect the TCP/IP-based control plane (like routing protocols) from CPU-utilization attacks,
such as CPU overload attacks.
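As an added example that is not Huawei code, covering both the Authentication section above and GTSM: the receive path below first checks the IP TTL range (GTSM), then the RFC 2328 MD5 authentication trailer, then the cryptographic sequence number against replay. The packet layout is the one defined in RFC 2328 appendix D; the key bytes, key ID, router IDs and hop limit are constructed for illustration.

```python
import hashlib
import hmac
import ipaddress
import struct

OSPF_VERSION = 2
OSPF_HELLO = 1
AUTYPE_CRYPTOGRAPHIC = 2
HEADER_FMT = "!BBH4s4sHHHBBI"  # version, type, length, router ID, area ID, checksum, AuType,
HEADER_LEN = 24                # then the 8-byte auth field: 0, key ID, auth data len, sequence
DIGEST_LEN = 16


def _padded_key(key: bytes) -> bytes:
    """RFC 2328 appendix D: the key is truncated or zero-padded to 16 bytes before hashing."""
    return key[:16].ljust(16, b"\x00")


def build_hello(router_id: str, area_id: str, key_id: int, seq: int, key: bytes,
                mask: str = "255.255.255.0", hello: int = 10, dead: int = 40) -> bytes:
    """Hello packet with an MD5 trailer (Options=E, priority 1, no DR/BDR, no neighbors listed)."""
    body = struct.pack("!4sHBBI4s4s", ipaddress.IPv4Address(mask).packed, hello, 0x02, 1, dead,
                       b"\x00" * 4, b"\x00" * 4)
    length = HEADER_LEN + len(body)  # the digest is NOT counted in the OSPF length field
    header = struct.pack(HEADER_FMT, OSPF_VERSION, OSPF_HELLO, length,
                         ipaddress.IPv4Address(router_id).packed,
                         ipaddress.IPv4Address(area_id).packed,
                         0, AUTYPE_CRYPTOGRAPHIC,  # checksum is zero when AuType is cryptographic
                         0, key_id, DIGEST_LEN, seq)
    packet = header + body
    digest = hashlib.md5(packet + _padded_key(key)).digest()
    return packet + digest


def receive_ospf(frame: bytes, keys: dict, last_seq: dict, ttl: int, max_hops: int = 0):
    """Receive-side checks in the order a defender wants them: GTSM, MD5 trailer, replay.

    `keys` maps key ID -> key bytes (constructed); `last_seq` maps router ID -> last accepted
    sequence number and is updated on success. Returns (accepted, reason).
    """
    # GTSM: a legitimate peer at most `max_hops` away sends with TTL 255, so a lower TTL is
    # dropped before any CPU is spent on the authentication check.
    if ttl < 255 - max_hops:
        return False, "gtsm-ttl"
    if len(frame) < HEADER_LEN:
        return False, "truncated"
    (ver, _ptype, length, rid, _aid, _csum, autype,
     _zero, key_id, auth_len, seq) = struct.unpack(HEADER_FMT, frame[:HEADER_LEN])
    if ver != OSPF_VERSION or autype != AUTYPE_CRYPTOGRAPHIC or auth_len != DIGEST_LEN:
        return False, "autype"
    if len(frame) != length + DIGEST_LEN:
        return False, "length"
    key = keys.get(key_id)
    if key is None:
        return False, "unknown-key-id"
    expected = hashlib.md5(frame[:length] + _padded_key(key)).digest()
    if not hmac.compare_digest(expected, frame[length:]):
        return False, "bad-digest"
    router = str(ipaddress.IPv4Address(rid))
    # Replay protection: the cryptographic sequence number must be non-decreasing per neighbor.
    if seq < last_seq.get(router, 0):
        return False, "replay"
    last_seq[router] = seq
    return True, "ok"


if __name__ == "__main__":
    keys = {1: b"constructed-demo-key"}
    frame = build_hello("1.1.1.1", "0.0.0.0", 1, 100, keys[1])
    print(receive_ospf(frame, keys, {}, ttl=255))    # (True, 'ok')
    print(receive_ospf(frame, keys, {}, ttl=200))    # (False, 'gtsm-ttl')
```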

OSPF CPCAR Precautions


When there are a large number of OSPF neighbors and LSAs, OSPF protocol packets are
transmitted at a rate higher than the default CIR rate. This may lead to many problems. For
example, Hello packets are discarded, it takes a long time to establish OSPF neighbor
relationships, or neighbor relationships cannot be established. To avoid the problems, set an
appropriate CIR value to prevent CPU overload. For details, see 8.7.2 Local Attack Defense
Features Supported by the AC6605 in Configuration Guide - Security.

5.3.3 Configuring Basic OSPF Functions


This section describes how to configure basic OSPF functions.

Establishing the Configuration Task


Before configuring basic OSPF functions, enable OSPF, specify the OSPF process and area, and
establish OSPF neighbor relationships.

Applicable Environment
When OSPF is configured on multiple Switches in the same area, most configuration data, such
as the timer, filter, and aggregation, must be planned uniformly in the area. Incorrect
configurations may cause neighboring Switches to fail to send messages to each other or even
causing routing information congestion and self-loops.
The OSPF-relevant commands that are configured in the interface view take effect regardless
of whether OSPF is enabled. After OSPF is disabled, the OSPF-relevant commands also exist
on interfaces.

Pre-configuration Tasks
Before configuring basic OSPF functions, complete the following tasks:
- Configuring a link layer protocol
- Configuring IP addresses for interfaces to ensure that neighboring Switches are reachable at the network layer

Data Preparation
To configure basic OSPF functions, you need the following data.

No.  Data
1    Router ID
2    OSPF process ID
3    VPN instance name (if OSPF multi-instance is configured)
4    ID of the area to which an interface belongs
5    IP address of the network segment where an interface resides

Enabling OSPF
Create an OSPF process and specify a router ID to enable OSPF. After enabling OSPF, specify
an interface on which the OSPF protocol is running and the area to which the interface belongs.
After that, routes can be discovered and calculated in the AS.

Context
Before running OSPF on the Switch, specify a router ID for the Switch. The router ID is a 32-bit
unsigned integer, which identifies the Switch in the AS. To ensure OSPF stability, manually
set the router ID of each Switch during network planning.
This causes the link state database (LSDB) to unexpectedly grow. OSPF resolves this problem
by partitioning an AS into different areas. The area is regarded as a logical group and each group
is identified by an area ID. At the border of an area resides the Switch instead of a link. A network
segment (or a link) belongs to only one area. The area to which each OSPF interface belongs
must be specified.
There are two methods for enabling OSPF: creating an OSPF process and enabling OSPF on an
interface.

Procedure
- Create an OSPF process.
  1. Run:
     system-view
     The system view is displayed.
  2. Run:
     ospf [ process-id | router-id router-id | vpn-instance vpn-instance-name ] *
     The OSPF process is started, and the OSPF view is displayed.
     process-id specifies the process ID; the default value is 1. The AC6605 supports OSPF multi-process, and processes can be classified by service type. AC6605s exchange packets regardless of process IDs, so packets can be exchanged between AC6605s with different process IDs.
     Each router ID in an OSPF process must be unique. Otherwise, the OSPF neighbor relationship cannot be established and the routing information is incorrect. By default, the system automatically selects the IP address of an interface as the router ID. When manually configuring router IDs, ensure that each router ID is unique in the AS. The IP address of an interface on the AC6605 is generally configured as the router ID of the AC6605.
     If a VPN instance is specified, the OSPF process belongs to the VPN instance; if no VPN instance is specified, the OSPF process belongs to the public network instance.
  3. Run:
     area area-id
     The OSPF area view is displayed.
     OSPF areas are classified into the backbone area, with area ID 0, and non-backbone areas. The backbone area is responsible for forwarding inter-area routing information. Routing information between non-backbone areas must be forwarded through the backbone area.
  4. Run:
     network ip-address wildcard-mask [ description text ]
     The network segments are configured to belong to the area. description configures a description for the specified OSPF network segment.
     OSPF can run on an interface properly only when the following conditions are met:
     - The mask length of the IP address of the interface is greater than or equal to that specified by the network command.
     - The primary IP address of the interface is on the network segment specified by the network command.
     By default, OSPF uses a 32-bit host route to advertise the IP address of a loopback interface. To advertise routes to the network segment of the loopback interface, configure the network type as NBMA or broadcast in the interface view. For details, see Configuring Network Types for OSPF Interfaces.
- Enable OSPF on an interface.
  1. Run:
     system-view
     The system view is displayed.
  2. Run:
     interface interface-type interface-number
     The interface view is displayed.
  3. Run:
     ospf enable [ process-id ] area area-id
     OSPF is enabled on the interface.
     An area ID can be entered as a decimal integer or an IPv4 address, but it is displayed as an IPv4 address.
----End
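The two conditions of the network command and the area ID display rule from the procedure above, checked in code. This is an added example rather than AC6605 code: the network statements, the interface addresses and the first-match area selection are constructed assumptions for illustration, and the wildcard mask is assumed to be contiguous.

```python
import ipaddress
from typing import List, Optional, Tuple


def wildcard_to_prefixlen(wildcard: str) -> int:
    """Turn the wildcard mask of the network command (0 bits must match) into a prefix length.

    Assumption of this example: only contiguous wildcards (zeros followed by ones), which is what
    "the mask length specified by the network command" refers to; anything else is rejected.
    """
    wild = int(ipaddress.IPv4Address(wildcard))
    mask = (~wild) & 0xFFFFFFFF
    prefixlen = bin(mask).count("1")
    if mask != (0xFFFFFFFF << (32 - prefixlen)) & 0xFFFFFFFF:
        raise ValueError(f"non-contiguous wildcard mask {wildcard}")
    return prefixlen


def ospf_network_covers(network_ip: str, wildcard: str, interface: str) -> bool:
    """Apply the two conditions of the network command to an interface such as '10.1.2.1/24'."""
    iface = ipaddress.ip_interface(interface)
    prefixlen = wildcard_to_prefixlen(wildcard)
    segment = ipaddress.ip_network(f"{network_ip}/{prefixlen}", strict=False)
    # Condition 1: the interface mask is at least as long as the mask of the network command.
    mask_ok = iface.network.prefixlen >= prefixlen
    # Condition 2: the primary IP address lies on the configured network segment.
    segment_ok = iface.ip in segment
    return mask_ok and segment_ok


def area_id_to_dotted(area_id: str) -> str:
    """An area ID may be entered as a decimal integer or in dotted form; it is displayed dotted."""
    value = int(area_id) if area_id.isdigit() else int(ipaddress.IPv4Address(area_id))
    return str(ipaddress.IPv4Address(value))


def select_area(interface: str, networks: List[Tuple[str, str, str]]) -> Optional[str]:
    """Dotted area of the first network statement that covers the interface, or None.

    `networks` holds (area-id, ip-address, wildcard-mask) triples in configuration order
    (constructed first-match rule for this example).
    """
    for area_id, net_ip, wildcard in networks:
        if ospf_network_covers(net_ip, wildcard, interface):
            return area_id_to_dotted(area_id)
    return None


# Constructed configuration (not from the guide): area 0 covers 10.1.0.0/16, area 1 covers 10.2.0.0/16.
NETWORKS = [("0", "10.1.0.0", "0.0.255.255"), ("1", "10.2.0.0", "0.0.255.255")]

if __name__ == "__main__":
    for itf in ("10.1.2.1/24", "10.1.2.1/8", "10.2.7.1/30", "192.168.0.1/24"):
        print(itf, "->", select_area(itf, NETWORKS))
```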

(Optional) Creating OSPF Virtual Links


This section describes how to create logical links between backbone areas to ensure the OSPF
network connectivity.

Context
After OSPF areas are defined, OSPF route updates between non-backbone areas are transmitted
through a backbone area. Therefore, OSPF requires that all non-backbone areas maintain the
connectivity with the backbone area and the backbone areas in different OSPF areas maintain
the connectivity with each other. In real world situations, this requirement may not be met
because of some restrictions. To resolve this problem, you can configure OSPF virtual links.
Perform the following steps on the Switch running OSPF.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
ospf [ process-id ]

The OSPF process view is displayed.


Step 3 Run:
area area-id

The OSPF area view is displayed.


Step 4 Run:
vlink-peer router-id [ smart-discover | hello hello-interval | retransmit
retransmit-interval | trans-delay trans-delay-interval | dead dead-interval |
[ simple [ plain plain-text | cipher cipher-text ] | { md5 | hmac-md5 } [ key-id
{ plain plain-text | cipher cipher-text } ] | authentication-null | keychain
keychain-name ] ] *

A virtual link is created.


This command must also be configured on the neighboring Switch.
----End

Follow-up Procedure
After virtual links are created, different default MTUs may be used on devices provided by
different vendors. To ensure consistency, the MTU is set to 0 by default when the interface sends
DD packets. For details, see Configuring an Interface to Fill in the DD Packet with the Actual
MTU.

(Optional) Configuring a Route Selection Rule on the Switch


You can configure the Switch to comply with the route selection rule defined in RFC 1583 or
RFC 2328.

Context
RFC 2328 and RFC 1583 define the route selection rule differently. After OSPF is enabled on
the Switch, specify a route selection rule based on the Switch configuration. The Switch complies
with the route selection rule defined in RFC 1583 by default. If the neighboring Switch complies
with the route selection rule defined in RFC 2328, configure the local Switch to comply with
that defined in RFC 2328. This allows all Switches in the OSPF area to comply with the same
route selection rule.
Perform the following steps on the Switch running OSPF.

Procedure
Step 1 Run:
system-view


The system view is displayed.


Step 2 Run:
ospf [ process-id ]

The OSPF process view is displayed.


Step 3 Run:
undo rfc1583 compatible

The Switch is configured to comply with the route selection rule defined in RFC 2328, not RFC
1583.
By default, the Switch complies with route selection rule defined in RFC 1583.
----End

(Optional) Setting the OSPF Priority


When multiple routing protocols are used to select routes, you can set the OSPF priority to
influence route selection.

Context
The routing protocols may share and select the routing information because the Switch may run
multiple dynamic routing protocols at the same time. The system sets a priority for each routing
protocol. When multiple routing protocols are used to select routes, the route selected by the
routing protocol with a higher priority takes effect.
Perform the following steps on the Switch running OSPF.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
ospf [ process-id ]

The OSPF process view is displayed.


Step 3 Run:
preference [ ase ] { preference | route-policy route-policy-name }

The OSPF priority is set.


- ase: sets the priority of AS-External routes.
- preference: sets the priority for OSPF. The smaller the value, the higher the priority.
- route-policy-name: sets the priority for the routes specified in the routing policy.
The default OSPF priority value is 10. When ase is specified, the default OSPF priority value is 150.
----End

(Optional) Restricting the Flooding of LSA Update Packets


When a large number of LSA update packets are flooded, the neighboring Switch may be busy
processing LSA update packets and has to discard the Hello packets that are used to maintain
neighbor relationships. This causes neighbor relationships to be interrupted. To resolve this
problem, you can restrict the flooding of LSA update packets to maintain neighbor relationships.

Context
When multiple neighboring Switches are configured or a large number of LSA update packets
are flooded, the neighboring Switch may receive a large number of LSA update packets in a
short period. This keeps the neighboring Switch busy processing a burst of LSA update packets
and causes the neighboring Switch to unexpectedly discard Hello packets that are used to
maintain the OSPF neighbor relationships. As a result, the neighbor relationships are interrupted.
After the neighbor relationships are reestablished, more packets are to be exchanged. This
intensifies neighbor relationship interruption. To resolve this problem, you can restrict the
flooding of LSA update packets to maintain neighbor relationships.
Perform the following steps on the Switch running OSPF.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
ospf [ process-id ]

The OSPF process view is displayed.


Step 3 Run:
flooding-control [ number transmit-number | timer-interval transmit-interval ]

The flooding of LSA update packets is restricted.


By default, the number of LSA update packets to be flooded each time is 50, and the interval at
which LSA update packets are flooded is 30s.
After the flooding-control command is run, the flooding of LSA update packets is immediately
restricted.
If the flooding-control command is not run, the function of restricting the flooding of LSA
update packets automatically takes effect when the number of neighboring Switches exceeds
256.
----End

(Optional) Configuring the Maximum Number of Packet Retransmission Attempts


When no response to DD packets, LSU packets, or LSR packets is received, the retransmission
mechanism is used and the maximum number of packet retransmission attempts is set.

Context
If no response is received when the maximum number of packet retransmission attempts is
reached, the neighbor relationship will be interrupted.
By default, the retransmission mechanism is disabled.
Perform the following steps on the Switch running OSPF.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
ospf [ process-id ]

The OSPF process view is displayed.


Step 3 Run:
retransmission-limit [ max-number ]

The maximum number of OSPF packet retransmission attempts is set.


max-number specifies the maximum number of packet retransmission attempts and is 30 by
default.
----End

(Optional) Setting an Interval at Which an LSA Packet Is Retransmitted to the Neighboring Switch

You can control packet retransmission and improve the convergence rate by setting an interval
at which an LSA packet is retransmitted to the neighboring Switch.

Context
After sending an LSA packet to the neighboring Switch, the Switch waits for a response. If no
response is received within the set interval, the Switch retransmits the LSA packet to the
neighboring Switch.
Perform the following steps on the Switch running OSPF.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
interface interface-type interface-number

The interface view is displayed.


Step 3 Run:
ospf timer retransmit interval

An interval at which an LSA packet is retransmitted to the neighboring Switch is set.


Setting the interval to a proper value is recommended. Too small an interval causes
unnecessary retransmission. The interval should be longer than the round-trip time of a packet
between the two Switches.
The default retransmission interval is 5s and is widely used.
----End

(Optional) Configuring an Interface to Fill in a DD Packet with the Interface MTU


You can configure an interface to fill in the Interface MTU field of a DD packet with the interface
MTU.

Context
The default MTU is 0.
After virtual links are created, different default MTUs may be used on devices provided by
different vendors. To ensure consistency, the MTU is set to 0 by default when the interface sends
DD packets.

CAUTION
Setting the MTU in a DD packet causes the neighbor relationship to be reestablished.
Perform the following steps on the Switch running OSPF.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
interface interface-type interface-number

The interface view is displayed.


Step 3 Run:
ospf mtu-enable

The interface is configured to fill in a DD packet with the interface MTU and check whether the
MTU in the DD packet from the neighboring Switch exceeds the MTU of the local Switch.
----End
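An added example, not from the Huawei guide, that models the receive-side check ospf mtu-enable turns on: it builds a DD packet with the RFC 2328 layout (24-byte OSPF header followed by Interface MTU, Options, flags and DD sequence number), reads the Interface MTU field back and compares it with the local interface MTU. The function names, the sample router and area IDs and the zeroed checksum are assumptions made for this illustration.

```python
import struct

# OSPFv2 header (RFC 2328 A.3.1): version, type, length, router ID, area ID,
# checksum, AuType, 8 bytes of authentication data = 24 bytes.
OSPF_HEADER = struct.Struct("!BBH4s4sHH8s")
# DD body (RFC 2328 A.3.3): Interface MTU, Options, I/M/MS flags, DD sequence number.
DD_FIELDS = struct.Struct("!HBBI")
OSPF_TYPE_DD = 2


def _ip_bytes(dotted):
    return bytes(int(octet) for octet in dotted.split("."))


def build_dd(router_id, area_id, interface_mtu, dd_seq, flags=0x07, options=0x02):
    """Build a constructed sample DD packet; checksum and authentication are left zero."""
    body = DD_FIELDS.pack(interface_mtu, options, flags, dd_seq)
    header = OSPF_HEADER.pack(2, OSPF_TYPE_DD, OSPF_HEADER.size + len(body),
                              _ip_bytes(router_id), _ip_bytes(area_id), 0, 0, b"\x00" * 8)
    return header + body


def parse_dd(packet):
    """Return the fields a receiver needs for the MTU check, or raise on a malformed packet."""
    if len(packet) < OSPF_HEADER.size + DD_FIELDS.size:
        raise ValueError("packet too short for an OSPF DD packet")
    version, ptype, length, rid, aid, _csum, _autype, _auth = OSPF_HEADER.unpack_from(packet, 0)
    if version != 2 or ptype != OSPF_TYPE_DD or length > len(packet):
        raise ValueError("not a well-formed OSPFv2 DD packet")
    mtu, options, flags, seq = DD_FIELDS.unpack_from(packet, OSPF_HEADER.size)
    return {"router_id": ".".join(str(b) for b in rid),
            "area_id": ".".join(str(b) for b in aid),
            "mtu": mtu, "options": options, "flags": flags, "seq": seq}


def accept_dd(packet, local_mtu, mtu_enable):
    """Model the receive side of ospf mtu-enable as the guide describes it.

    mtu_enable=False: the interface fills in MTU 0 and does not compare MTUs (the default).
    mtu_enable=True:  a DD whose Interface MTU exceeds the local interface MTU is rejected,
                      which is why enabling the check re-forms the neighbor relationship.
    Returns (accepted, reason).
    """
    dd = parse_dd(packet)
    if not mtu_enable:
        return True, "MTU check disabled; neighbor MTU ignored"
    if dd["mtu"] > local_mtu:
        return False, "neighbor MTU %d exceeds local MTU %d; DD discarded" % (dd["mtu"], local_mtu)
    return True, "neighbor MTU %d acceptable" % dd["mtu"]


if __name__ == "__main__":
    # Constructed sample: neighbor 10.0.0.2 in area 0.0.0.0 advertises a 9000-byte MTU
    # to a local interface whose MTU is 1500.
    jumbo = build_dd("10.0.0.2", "0.0.0.0", 9000, 0x1A2B3C4D)
    print(parse_dd(jumbo))
    print(accept_dd(jumbo, local_mtu=1500, mtu_enable=True))
    print(accept_dd(jumbo, local_mtu=1500, mtu_enable=False))
```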
Checking the Configuration


After basic OSPF functions are successfully configured, you can check information about the
LSDB, neighbors in each area, and routing table.

Prerequisites
All configurations of basic OSPF functions are complete.

Procedure
l Run the display ospf [ process-id ] peer command to check OSPF neighbor information.
l Run the display ospf [ process-id ] routing command to check OSPF routing table information.
l Run the display ospf [ process-id ] lsdb command to check OSPF LSDB information.

----End

5.3.4 Configuring OSPF on the NBMA or P2MP Network


This section describes how to configure OSPF and modify attributes on the NBMA or point-to-multipoint (P2MP) network to flexibly construct the OSPF network.

Establishing the Configuration Task


To implement OSPF functions, configure OSPF on the NBMA or P2MP network.

Applicable Environment
As shown in Table 5-1, OSPF classifies networks into four types based on the types of link layer
protocols.
NOTE

Differentiated OSPF configurations that are applicable to the NBMA network and P2MP network are
provided in this section. The OSPF configurations not provided here are applicable to all four types of
networks.

Table 5-1 Network types supported by OSPF

Network Type | Characteristic | Default Configuration
Broadcast | On the broadcast network, Hello packets, LSU packets, and LSAck packets are multicasted; DD packets and LSR packets are unicasted. | If the link layer protocol is Ethernet or Fiber Distributed Data Interface (FDDI), OSPF regards the network as a broadcast network by default.
Non-broadcast multiple access (NBMA) | On an NBMA network, Hello packets, DD packets, LSR packets, LSU packets, and LSAck packets are unicasted. The NBMA network must be fully meshed. Any two Switches on the NBMA network must be directly reachable. | If the link layer protocol is ATM, OSPF regards the network as an NBMA network by default.
Point-to-point (P2P) | On a P2P network, Hello packets, DD packets, LSR packets, LSU packets, and LSAck packets are multicasted. | If the link layer protocol is PPP, HDLC, or Link Access Procedure Balanced (LAPB), OSPF regards the network as a P2P network by default.
Point-to-multipoint (P2MP) | On a P2MP network, Hello packets are multicasted; DD packets, LSR packets, LSU packets, and LSAck packets are unicasted. The mask lengths of the Switches on the P2MP network must be the same. | OSPF does not regard a network as a P2MP network by default regardless of the link layer protocol. A P2MP network is forcibly changed from a network of another type.

As shown in Table 5-1, OSPF sends packets in different manners on networks of different types.
Therefore, the difference between OSPF configurations on the networks lies in the packet
sending configurations.

Pre-configuration Tasks
Before configuring OSPF on the NBMA or P2MP network, complete the following tasks:
l Configuring IP addresses for interfaces to ensure that neighboring Switches are reachable at the network layer
l Configuring Basic OSPF Functions

Data Preparation
To configure OSPF on the NBMA or P2MP network, you need the following data.
l Number of the interface running OSPF
l Network type
l DR priority of an interface
l IP address of a neighbor on an NBMA network
l Interval at which Hello packets are sent on an NBMA network

Configuring Network Types for OSPF Interfaces


OSPF classifies networks into four types based on the types of link layer protocols. You can
configure the network type for an OSPF interface to forcibly change its original network type.

Context
By default, the physical interface type determines the network type.
l The network type of an Ethernet interface is Broadcast.
l The network type of a serial interface or a POS interface running PPP or HDLC is P2P.
l The network type of an ATM interface or a Frame Relay (FR) interface is NBMA.
NOTE

A P2MP network is forcibly changed from another type of network.

The network types of the interfaces on both ends of a link must be the same; otherwise, the OSPF
neighbor relationship cannot be established.
Perform the following steps on the Switch running OSPF.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
interface interface-type interface-number

The interface view is displayed.


Step 3 Run:
ospf network-type { broadcast | nbma | p2mp | p2p }

The network type of the OSPF interface is configured.


When the network type is configured for an interface, the original network type of the interface
is replaced.
The network type can be configured based on real-world conditions.
l On an interface with the broadcast network type, if a router that does not support the multicast
address exists, change the network type of the interface to NBMA.
l On an interface with the NBMA network type, if the network is fully meshed or any two
routers are directly connected, change the network type of the interface to broadcast and do
not configure neighboring router information on the interface.
l On an interface with the NBMA network type, if the network is not fully meshed, change
the network type of the interface to P2MP. After that, two indirectly connected routers can
communicate through one router that can directly reach both routers. After the
network type of the interface is changed to P2MP, configuring neighboring router
information on the interface is unnecessary.
l If only two routers run OSPF on the same network segment, changing the network type of
the interface to P2P is recommended.
NOTE

OSPF cannot be configured on a null interface.

----End

Configuring NBMA Network Attributes


To implement OSPF functions, configure NBMA network attributes.

Procedure
Step 1 (Optional) Set the network type to NBMA.
The NBMA network must be fully meshed. Any two Switches on the NBMA network must be
directly reachable. In most cases, however, this requirement cannot be met. To resolve this
problem, run specific commands to forcibly change the network type to NBMA. For details, see
Configuring Network Types for OSPF Interfaces.
1.

Run:
system-view

The system view is displayed.


2.

Run:
interface interface-type interface-number

The interface view is displayed.


3.

Run:
ospf network-type nbma

The network type of the OSPF interface is set to NBMA.


Step 2 (Optional) Set the interval at which Hello packets for polling are sent on the NBMA network.
On the NBMA network, after the neighbor relationship becomes invalid, the Switch sends Hello
packets at an interval defined in the polling mechanism.
1.

Run:
ospf timer poll interval

The interval at which Hello packets for polling are sent by an NBMA interface is set.
The default value is 120, in seconds.
Step 3 Configure a neighboring Switch on the NBMA network.
The interface with the network type of NBMA cannot broadcast Hello packets to discover
neighboring Switches. Therefore, the IP address of a neighboring Switch must be configured on
the interface and whether the neighboring Switch can participate in DR election must be
determined on the interface.
1.

Run:
quit

Exit from the interface view.


2.

Run:
ospf [ process-id ]

The OSPF process view is displayed.


3.

Run:
peer ip-address [ dr-priority priority ]

A neighboring Switch is configured.


----End

Configuring P2MP Network Attributes


To implement OSPF functions, configure P2MP network attributes.

Context
Perform the following steps on the Switch running OSPF.

Procedure
Step 1 Disable OSPF from checking the network mask.
The OSPF neighbor relationship cannot be established between the Switches with different mask
lengths on the P2MP network. After OSPF is disabled from checking the network mask, the
OSPF neighbor relationship can be properly established.
1.

Run:
system-view

The system view is displayed.


2.

Run:
interface interface-type interface-number

The interface view is displayed.


3.

Run:
ospf network-type p2mp

The network type of the OSPF interface is configured.


A P2MP network is forcibly changed from another type of network. For details, see
Configuring Network Types for OSPF Interfaces.
4.

Run:
ospf p2mp-mask-ignore

OSPF is disabled from checking the network mask on the P2MP network.
Step 2 (Optional) Configure the Switch to filter the LSA packets to be sent.
When multiple links exist between two Switches, you can configure the local Switch to filter
the LSA packets to be sent. This can reduce unnecessary LSA retransmission attempts and save
bandwidth resources.
1.

Run:
quit

Exit from the interface view.


2.

Run:
ospf [ process-id ]

The OSPF process view is displayed.


3.

Run:
filter-lsa-out peer ip-address { all | { summary [ acl { acl-number | acl-name } ] | ase [ acl { acl-number | acl-name } ] | nssa [ acl { acl-number | acl-name } ] } * }

The local Switch is configured to filter the LSA packets to be sent on the P2MP network.
By default, the LSA packets to be sent are not filtered.
----End

Checking the Configuration


After OSPF attributes on the NBMA network and P2MP network are set, you can check OSPF
statistics, LSDB information, neighbor information, and interface information.

Prerequisites
The configurations for OSPF attributes on the NBMA network and P2MP network are complete.

Procedure
l Run either of the following commands to check LSDB information.
display ospf [ process-id ] lsdb [ brief ]
display ospf [ process-id ] lsdb [ router | network | summary | asbr | ase | nssa | opaque-link | opaque-area | opaque-as ] [ link-state-id ] [ originate-router [ advertising-router-id ] | self-originate ] [ age { min-value min-age-value | max-value max-age-value } * ]
l Run the display ospf [ process-id ] peer [ [ interface-type interface-number ] neighbor-id | brief | last-nbr-down ] command to view neighbor information.
l Run the display ospf [ process-id ] nexthop command to check next hop information.
l Run either of the following commands to check routing table information.
display ospf [ process-id ] routing [ ip-address [ mask | mask-length ] ] [ interface interface-type interface-number ] [ nexthop nexthop-address ]
display ospf [ process-id ] routing router-id [ router-id ]
l Run the display ospf [ process-id ] interface [ all | interface-type interface-number ] [ verbose ] command to check interface information.

----End

5.3.5 Configuring an OSPF Route Selection Rule


You can configure an OSPF route selection rule to meet requirements of complex networks.

Establishing the Configuration Task


Before configuring an OSPF route selection rule, familiarize yourself with the applicable
environment, complete the pre-configuration tasks, and obtain the data required for the
configuration. This will help you complete the configuration task quickly and efficiently.

Applicable Environment
In real world situations, you can configure an OSPF route selection rule by setting OSPF route
attributes to meet the requirements of complex networks.
l Set the cost of an interface. The link connected to the interface with a smaller cost value preferentially transmits routing information.
l Configure equal-cost routes to implement load balancing.
l Configure a stub router during maintenance operations such as an upgrade to ensure stable data transmission through key routes.
l Suppress interfaces from sending or receiving packets to help select the optimal route.

Pre-configuration Tasks
Before configuring an OSPF route selection rule, complete the following tasks:
l Configuring IP addresses for interfaces to ensure that neighboring Switches are reachable at the network layer
l Configuring Basic OSPF Functions

Data Preparation
To configure an OSPF route selection rule, you need the following data.
l Interface cost
l Maximum number of equal-cost routes
l Equal-cost route preference

Setting the Interface Cost


You can adjust and optimize route selection by setting the OSPF interface cost.

Context
After the OSPF interface costs are set, the interface with a smaller cost value preferentially
transmits routing information. This helps select the optimal route.
The OSPF interface cost can be set manually or calculated based on the interface bandwidth.
Perform the following steps on the Switch running OSPF.
Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
interface interface-type interface-number

The interface view is displayed.


Step 3 Run:
ospf cost cost

The OSPF interface cost is set.


The Switch generally transmits routing information using the link connected to the interface
with a smaller cost value.
If no interface cost is configured, the system automatically calculates the interface cost based
on the interface bandwidth. The calculation formula is as follows: Cost of the interface =
Bandwidth reference value/Interface bandwidth. The integer part of the calculated result is the cost
of the interface. If the calculated result is smaller than 1, the cost value is 1. By default, the
bandwidth reference value is 100, in Mbit/s. Changing the bandwidth reference value changes
the cost of an interface.
Perform the following steps to change the bandwidth reference value:
1.

Run:
system-view

The system view is displayed.


2.

Run:
ospf [ process-id ]

The OSPF process view is displayed.


3.

Run:
bandwidth-reference value

The bandwidth reference value is set.


Ensure that the bandwidth reference values of Switches in an OSPF process are the same.
----End

Configuring Equal-Cost Routes


You can set the number of OSPF equal-cost routes and route preference to implement load
balancing and adjust route selection.

Context
If the destinations and costs of the multiple routes discovered by one routing protocol are the
same, load balancing can be implemented among the routes.
As shown in Figure 5-10, three routes between Switch A and Switch B that run OSPF have the
same costs. The three routes are equal-cost routes for load balancing.

Figure 5-10 Networking diagram of equal-cost routes
[Figure: Switch A and Switch B are connected by three paths, each through an IP Network. The link cost labels in the figure are cost=5, cost=10, cost=10, cost=5, cost=8, and cost=7, so each of the three paths has a total cost of 15.]

Perform the following steps on the Switch running OSPF.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
ospf [ process-id ]

The OSPF process view is displayed.


Step 3 Run:
maximum load-balancing number

The maximum number of equal-cost routes is set.


NOTE

The maximum number of equal-cost routes is 32 by default. The value range and default value of
the maximum number of equal-cost routes may vary according to the product. You can change the
maximum number and default number by purchasing a license.

Step 4 (Optional) Run:


nexthop ip-address weight value

The route preferences are configured for load balancing.


When the number of equal-cost routes on the live network is greater than that specified in the
maximum load-balancing command, valid routes are randomly selected for load balancing. To
specify which routes are used for load balancing, run the nexthop command to set the route
preference, and ensure that the routes to be used have a high preference.
The smaller the weight value, the higher the preference of the route. The default weight value
is 255, which indicates that load balancing is implemented regardless of the route preferences.
----End
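An added example (not the guide's own code) that puts the interface cost formula from Setting the Interface Cost and the equal-cost selection rule above together: ospf_interface_cost applies Cost = Bandwidth reference value/Interface bandwidth with the minimum of 1, and select_load_balancing keeps up to maximum load-balancing paths, preferring smaller nexthop weights and choosing at random among paths left at the default weight 255. The Path class, the next-hop addresses and the fourth, costlier path are assumptions; the three 15-cost paths follow Figure 5-10.

```python
import random
from dataclasses import dataclass, field
from typing import Dict, List, Optional


def ospf_interface_cost(bandwidth_mbps: float, reference_mbps: int = 100) -> int:
    """Cost = bandwidth reference value / interface bandwidth, integer part, minimum 1.
    reference_mbps is the value set with bandwidth-reference (default 100 Mbit/s)."""
    return max(int(reference_mbps / bandwidth_mbps), 1)


@dataclass
class Path:
    next_hop: str                                   # constructed next-hop address
    link_costs: List[int] = field(default_factory=list)

    @property
    def cost(self) -> int:
        return sum(self.link_costs)


def equal_cost_paths(paths: List[Path]) -> List[Path]:
    """Paths sharing the lowest total cost to the destination."""
    best = min(p.cost for p in paths)
    return [p for p in paths if p.cost == best]


def select_load_balancing(paths: List[Path], max_load_balancing: int = 32,
                          weights: Optional[Dict[str, int]] = None,
                          rng: Optional[random.Random] = None) -> List[Path]:
    """Pick the equal-cost paths actually installed for load balancing.

    weights maps next-hop address -> weight from `nexthop ip-address weight value`;
    a missing entry is the default 255. Smaller weight = higher preference. When every
    candidate is at the default, the surplus is chosen at random, as the guide states.
    """
    weights = weights or {}
    rng = rng or random.Random()
    candidates = equal_cost_paths(paths)
    if len(candidates) <= max_load_balancing:
        return candidates

    def weight_of(p: Path) -> int:
        return weights.get(p.next_hop, 255)

    if all(weight_of(p) == 255 for p in candidates):
        return rng.sample(candidates, max_load_balancing)
    return sorted(candidates, key=weight_of)[:max_load_balancing]


if __name__ == "__main__":
    # With the default reference, FE, GE and 10GE all cost 1; a 10000 Mbit/s reference
    # (an example value, not a recommendation from the guide) restores the ordering.
    for bw in (10, 100, 1000, 10000):
        print(bw, "Mbit/s ->", ospf_interface_cost(bw), ospf_interface_cost(bw, 10000))
    # Figure 5-10 link costs with constructed next-hop addresses: three paths, each cost 15.
    figure = [Path("10.1.1.2", [5, 10]), Path("10.1.2.2", [10, 5]), Path("10.1.3.2", [8, 7]),
              Path("10.1.4.2", [10, 10])]   # a fourth, costlier path is never a candidate
    print([p.next_hop for p in select_load_balancing(figure)])
    print([p.next_hop for p in select_load_balancing(figure, 2, {"10.1.3.2": 1, "10.1.1.2": 2})])
```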
Configuring a Stub Router


To ensure that a route is not interrupted during flapping-triggering maintenance operations such
as upgrade, you can configure a Switch as a stub router to allow traffic to bypass the route on
the stub router.

Context
After a stub router is configured, the route on the stub router will not be preferentially selected.
After the route cost is set to the maximum value 65535, traffic generally bypasses the Switch.
This ensures an uninterrupted route on the Switch during maintenance operations such as
upgrade.
Perform the following steps on the Switch running OSPF.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
ospf [ process-id ]

The OSPF process view is displayed.


Step 3 Run:
stub-router [ on-startup [ interval ] ]

A stub router is configured.


By default, no Switch is configured as a stub router.
If a Switch is configured as a stub router, the Switch keeps functioning as a stub router for 500s.
NOTE

The stub router configured in this manner is irrelevant to the Switch in the stub area.

----End

Suppressing an Interface from Receiving and Sending OSPF Packets


After an interface is suppressed from receiving and sending OSPF packets, routing information
can bypass a specific Switch and the local Switch can reject routing information advertised by
another Switch.

Context
Suppressing an interface from receiving and sending OSPF packets helps routing information
to bypass a specific Switch and enables the local Switch to reject routing information advertised
by another Switch. This ensures that an optimal route is provided.
Perform the following steps on the Switch running OSPF.
Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
ospf [ process-id ]

The OSPF process view is displayed.


Step 3 Run:
silent-interface { all | interface-type interface-number }

An interface is suppressed from receiving and sending OSPF packets.


The same interface in different processes can be suppressed from sending and receiving OSPF
packets, but the silent-interface command is valid only for the OSPF interface in the local
process.
After an OSPF interface is configured to be in the silent state, the interface can still advertise its
direct routes. Hello packets, however, are not sent or received on the interface, so no
neighbor relationship can be established on it. This enhances the networking
adaptability of OSPF and reduces system resource consumption.
----End

Checking the Configuration


After an OSPF route selection rule is configured, you can check information about the OSPF
routing table, interface, and next hop.

Prerequisites
All OSPF route selection configurations are complete.

Procedure
l Run the display ospf [ process-id ] routing [ ip-address [ mask | mask-length ] ] [ interface interface-type interface-number ] [ nexthop nexthop-address ] command to check the OSPF routing table information.
l Run the display ospf [ process-id ] interface [ all | interface-type interface-number ] [ verbose ] command to check OSPF interface information.

----End

5.3.6 Controlling OSPF Routing Information


You can control the advertising and receiving of OSPF routing information and import routes
of other protocols.

Establishing the Configuration Task


Before controlling OSPF routing information, familiarize yourself with the applicable
environment, complete the pre-configuration tasks, and obtain the data required for the
configuration. This will help you complete the configuration task quickly and efficiently.
Applicable Environment
You can control the advertising and receiving of OSPF routing information and import routes
of other protocols.

Pre-configuration Tasks
Before controlling OSPF routing information, complete the following tasks:
l Configuring IP addresses for interfaces to ensure that neighboring Switches are reachable at the network layer
l Configuring Basic OSPF Functions

Data Preparation
To control OSPF routing information, you need the following data.
l Link cost
l ACL for route filtering
l Name of the imported routing protocol, OSPF process ID, and default parameters

Configuring OSPF to Import External Routes


Importing the routes discovered by other routing protocols can enrich OSPF routing information.

Context
To access a Switch running a non-OSPF protocol, an OSPF-capable Switch needs to import
routes of the non-OSPF protocol into the OSPF network.
OSPF provides loop-free intra-area routes and inter-area routes; however, OSPF cannot prevent
external routing loops. Therefore, exercise caution when configuring OSPF to import external
routes.
Perform the following steps on the ASBR running OSPF.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
ospf [ process-id ]

The OSPF process view is displayed.


Step 3 Run:
import-route { limit limit-number | { bgp [ permit-ibgp ] | direct | unr | rip [ process-id-rip ] | static | isis [ process-id-isis ] | ospf [ process-id-ospf ] } [ cost cost | type type | tag tag | route-policy route-policy-name ] * }

Routes are imported from another protocol.


Step 4 (Optional) Run:
default { cost { cost | inherit-metric } | limit limit | tag tag | type type }

The default values of parameters (the cost, number of routes, tag, and type) are set for imported
routes.
When OSPF imports external routes, you can set default values for some additional parameters,
such as the cost, number of routes to be imported, route tag, and route type. The route tag is used
to identify the protocol-related information. For example, it can be used to differentiate AS
numbers carried in BGP routes imported by OSPF.
By default, the cost of the external routes imported by OSPF is 1; a maximum of 2147483647
routes can be imported each time; the type of the imported external routes is Type 2; the default
tag value of the imported routes is 1.
NOTE

You can run one of the following commands to set the cost of the imported route. The following commands
are listed in descending order of priorities.
l Run the apply cost command to set the cost of a route.
l Run the import-route command to set the cost of the imported route.
l Run the default command to set the default cost of the imported route.

Step 5 (Optional) Run:
filter-policy { acl-number | acl-name acl-name | ip-prefix ip-prefix-name } export [ protocol [ process-id ] ]

Routes imported using Step 3 can be advertised only when meeting filtering conditions.
OSPF filters the imported routes. OSPF uses Type 5 LSAs to carry routes that meet the filtering
conditions and advertises these Type 5 LSAs.
You can specify the parameter protocol [ process-id ] to filter the routes of a certain routing
protocol or a certain OSPF process. If protocol [ process-id ] is not specified, OSPF filters all
imported routes.
The import-route command cannot be used to import the default route from another AS.
----End

Configuring OSPF to Import a Default Route


The default route is widely applied on the OSPF network to reduce routing entries in the routing
table and filter specific routing information.

Context
On the area border and AS border of an OSPF network generally reside multiple Switches for
next-hop backup or traffic load balancing. A default route can be configured to reduce routing
entries and improve resource usage on the OSPF network.
The default route is generally applied to the following scenarios:
1. An ABR in an area advertises Type 3 LSAs carrying the default route within the area.
Switches in the area use the received default route to forward inter-area packets.
2. An ASBR in an AS advertises Type 5 or Type 7 LSAs carrying the default route within the
AS. Switches in the AS use the received default route to forward AS external packets.

When no exactly matched route is discovered, the Switch can forward packets through the default
route.
The preference of the default route in Type 3 LSAs is higher than that of the route in Type 5 or
Type 7 LSAs.
The advertising mode of the default route is determined by the type of the area to which the
default route is imported, as shown in Table 5-2.
Table 5-2 Default route advertising mode

Area Type | Generated By | Advertised By | LSA Type | Flooding Area
Common area | The default-route-advertise command | ASBR | Type 5 LSA | Common area
Stub area | Automatically | ABR | Type 3 LSA | Stub area
NSSA | The nssa [ default-route-advertise ] command | ASBR | Type 7 LSA | NSSA
Totally NSSA | Automatically | ABR | Type 3 LSA | NSSA

Perform the following steps on the ASBR running OSPF.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
ospf [ process-id ]

The OSPF process view is displayed.


Step 3 Run:
default-route-advertise [ [ always | permit-calculate-other ] | cost cost | type
type | route-policy route-policy-name ] *

The default route is imported into the OSPF process.


To configure the parameter cost to specify the default cost of Type-3 summary LSAs, enable
VPN first.
Before advertising a default route, OSPF compares the preferences of default routes. Therefore,
if a static default route is configured on an OSPF device, to add the default route advertised by
OSPF to the current routing table, ensure that the preference of the configured static default route
is lower than that of the default route advertised by OSPF.
For details about how to configure the default route in the NSSA, see Configuring an NSSA.
----End

Configuring Route Summarization


When a large-scale OSPF network is deployed, you can configure route summarization to reduce
routing entries. Otherwise, a large number of routing entries are generated and consume system
resources unexpectedly.

Context
Route summarization on a large-scale OSPF network efficiently reduces routing entries. This
minimizes system resource consumption and maintains the system performance. In addition, if
a specific link frequently alternates between Up and Down, the links not involved in the route
summarization will not be affected. This prevents route flapping and improves the network
stability.
Perform the following steps on the Switch running OSPF.

Procedure
l Configure ABR route summarization.


1.

Run:
system-view

The system view is displayed.


2.

Run:
ospf [ process-id ]

The OSPF process view is displayed.


3.

Run:
area area-id

The OSPF area view is displayed.


4.

Run:
abr-summary ip-address mask [ [ advertise | not-advertise ] | cost cost ]
*

ABR route summarization is configured.


l Configure ASBR route summarization.


1.

Run:
system-view

The system view is displayed.


2.

Run:
ospf [ process-id ]

The OSPF process view is displayed.


3.

Run:
asbr-summary ip-address mask [ not-advertise | tag tag | cost cost |
distribute-delay interval ] *

ASBR route summarization is configured.


NOTE

After route summarization is configured, the routing table on the local OSPF Switch is unchanged.
The routing table on another OSPF Switch, however, contains only the summarized route and none of
the specific routes. The summarized route is withdrawn only after all of its specific routes are gone.

----End

Configuring OSPF to Filter Routes Received by OSPF


By configuring filtering conditions for the received routes, you can allow only the routes that
meet the filtering conditions to be added to the routing table.

Context
Perform the following steps on the Switch running OSPF.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
ospf [ process-id ]

The OSPF process view is displayed.


Step 3 Run:
filter-policy { acl-number | acl-name acl-name | ip-prefix ip-prefix-name } import

Routes received by OSPF are filtered.


OSPF is a dynamic routing protocol based on the link state, and routing information is carried
in LSAs. The filter-policy import command cannot be used to filter the advertised and received
LSAs. Actually, this command is used to filter the routes calculated by OSPF. Only the routes
that meet the filtering conditions are added to the routing table. Therefore, the LSDB is not
affected regardless of whether the received routes meet the filtering conditions.
----End
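The following Python model is added here as an example; it is not Huawei code and does not run on the Switch. It ties together the two controls described above: abr-summary from Configuring Route Summarization (the summary is advertised with the largest component cost unless cost is set, is withdrawn only when no specific route remains, and not-advertise hides the whole range) and filter-policy import from this section (it decides what enters the local routing table and leaves the LSDB alone, so it cannot stop a prefix from reaching neighbors). The ip-prefix semantics assumed here (prefix, mask length, greater-equal/less-equal bounds, first match wins, implicit deny), the SPF stand-in, and all prefixes and costs are constructed for illustration; the default summary cost rule follows RFC 2328 section 12.4.3.

```python
"""Model of what abr-summary and filter-policy import each change (added
example, not Huawei code). The LSDB is reduced to candidate routes; filter-policy
import decides which of them enter the local routing table and never touches the
LSDB; abr-summary decides what the ABR advertises into other areas. The ip-prefix
semantics (prefix, mask length, greater-equal / less-equal bounds, first match
wins, implicit deny) and all prefixes and costs are assumptions for illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

Net = ipaddress.IPv4Network


@dataclass(frozen=True)
class PrefixRule:
    """One ip-prefix entry: permit/deny prefix [greater-equal ge] [less-equal le]."""
    permit: bool
    prefix: str
    ge: Optional[int] = None
    le: Optional[int] = None

    def matches(self, route: Net) -> bool:
        base = Net(self.prefix)
        lo = self.ge if self.ge is not None else base.prefixlen
        hi = self.le if self.le is not None else lo
        return route.subnet_of(base) and lo <= route.prefixlen <= hi


def prefix_list_permits(rules: List[PrefixRule], route: Net) -> bool:
    for rule in rules:                      # first matching entry decides
        if rule.matches(route):
            return rule.permit
    return False                            # implicit deny


def compute_routes(lsdb: Dict[str, int]) -> Dict[Net, int]:
    """Stand-in for SPF: every prefix in the LSDB becomes a candidate route."""
    return {Net(prefix): cost for prefix, cost in lsdb.items()}


def filter_policy_import(routes: Dict[Net, int], rules: List[PrefixRule]) -> Dict[Net, int]:
    """filter-policy ... import: only permitted routes reach the routing table.
    The LSDB the routes came from is neither consulted nor modified here."""
    return {r: c for r, c in routes.items() if prefix_list_permits(rules, r)}


@dataclass(frozen=True)
class AbrSummary:
    """abr-summary ip-address mask [ advertise | not-advertise ] [ cost cost ]"""
    prefix: str
    advertise: bool = True
    cost: Optional[int] = None


def abr_advertise(area_routes: Dict[Net, int], summaries: List[AbrSummary]) -> Dict[Net, int]:
    """Routes the ABR originates as Type 3 LSAs into other areas from this area."""
    out: Dict[Net, int] = {}
    components: Dict[str, List[int]] = {}
    for route, cost in area_routes.items():
        owner = next((s for s in summaries if route.subnet_of(Net(s.prefix))), None)
        if owner is None:
            out[route] = cost                   # not covered by any summary: advertised as-is
        else:
            components.setdefault(owner.prefix, []).append(cost)
    for s in summaries:
        costs = components.get(s.prefix)
        if not costs or not s.advertise:        # withdrawn only when no component is left
            continue
        # default summary cost is the largest component cost (RFC 2328, 12.4.3)
        out[Net(s.prefix)] = s.cost if s.cost is not None else max(costs)
    return out


def _as_str(d: Dict[Net, int]) -> Dict[str, int]:
    return {str(k): v for k, v in d.items()}


def demo() -> dict:
    lsdb = {"10.1.0.0/24": 10, "10.1.1.0/24": 20, "10.2.0.0/24": 5, "192.168.9.0/24": 1}
    routes = compute_routes(lsdb)
    # local RIB: permit 10/8 subnets of length 16..24; everything else is denied
    rib = filter_policy_import(routes, [PrefixRule(True, "10.0.0.0/8", ge=16, le=24)])
    summary = [AbrSummary("10.1.0.0/16")]
    flapped = dict(routes)
    flapped.pop(Net("10.1.1.0/24"))              # one component link goes down
    return {
        "rib": _as_str(rib),
        "denied_still_in_lsdb": "192.168.9.0/24" in lsdb,   # import filter did not touch the LSDB
        "advertised": _as_str(abr_advertise(routes, summary)),
        "after_flap": _as_str(abr_advertise(flapped, summary)),
        "not_advertise": _as_str(abr_advertise(routes, [AbrSummary("10.1.0.0/16", advertise=False)])),
    }
```

Running demo() shows the asymmetry the NOTE above describes: the local routing table loses 192.168.9.0/24 while the LSDB still holds it, and the summary 10.1.0.0/16 stays advertised (its cost dropping from 20 to 10) when one of its component routes disappears, so the flap is invisible to other areas.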

Configuring the Switch to Filter LSAs to Be Sent


Filtering the LSAs to be sent on the local router can prevent unnecessary LSA transmission.
This reduces the size of the LSDB on the neighboring Switch and speeds up network
convergence.

Context
When multiple links exist between two Switches, you can configure the local Switch to filter
the LSAs to be sent. This prevents unnecessary LSA transmission and saves bandwidth
resources.
Perform the following steps on the Switch running OSPF.
Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
interface interface-type interface-number

The interface view is displayed.


Step 3 Run:
ospf filter-lsa-out { all | { summary [ acl { acl-number | acl-name } ] | ase
[ acl { acl-number | acl-name } ] | nssa [ acl { acl-number | acl-name } ] } * }

The LSAs to be sent are filtered.


By default, the LSAs to be sent are not filtered.
----End

(Optional) Configuring OSPF to Filter LSAs in an Area


Filtering LSAs in an area can prevent unnecessary LSA transmission. This reduces the size of
the LSDB on the neighboring Switch and speeds up network convergence.

Context
After filtering conditions are set for the incoming or outgoing Type 3 LSAs (Summary LSAs)
in an area, only the Type 3 LSAs that meet the filtering conditions can be received or advertised.
This function is applicable only to the ABR.
Perform the following steps on the Switch running OSPF.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
ospf [ process-id ]

The OSPF process view is displayed.


Step 3 Run:
area area-id

The OSPF area view is displayed.


Step 4 Filter incoming or outgoing Type 3 LSAs in the area.
l Filter outgoing Type 3 LSAs in the area.
Run the filter { acl-number | acl-name acl-name | ip-prefix ip-prefix-name | route-policy
route-policy-name } export command to filter the Type 3 LSAs that the ABR generates from the
routes of this area and advertises to other areas.
l Filter incoming Type 3 LSAs in the area.
Run the filter { acl-number | acl-name acl-name | ip-prefix ip-prefix-name | route-policy
route-policy-name } import command to filter the Type 3 LSAs that the ABR advertises into this area.
----End

(Optional) Enabling the Mesh-Group Function


The mesh-group function is used to prevent repeated flooding and save system resources.

Context
When concurrent links exist between two Switches, you can enable the mesh-group function to
reduce the load on the links.
The neighboring router ID identifies each mesh group. Several concurrent links are added to a
mesh group. Flooding is implemented once in the group. You can add interfaces that meet the
following conditions to the same mesh group.
l The interfaces belong to the same area and OSPF process.
l The interfaces begin to exchange DD packets.
l The interfaces are connected to the same neighboring Switch.

Perform the following steps on the Switch running OSPF.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
ospf [ process-id ]

The OSPF process view is displayed.


Step 3 Run:
mesh-group enable

The mesh-group function is enabled.


By default, the mesh-group function is disabled.
----End

Setting the Maximum Number of External LSAs in the LSDB


You can set the maximum number of external LSAs in the LSDB to keep the number of external
LSAs within a proper limit.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
ospf [ process-id ]

The OSPF process view is displayed.


Step 3 Run:
lsdb-overflow-limit number

The maximum number of external LSAs in the LSDB is set.


----End

Checking the Configuration


After controlling OSPF routing information, you can check information about the OSPF routing
table, interface, and ASBR summarization.

Prerequisites
The configurations of controlling OSPF routing information are complete.

Procedure
l Run either of the following commands to check routing table information.
  display ospf [ process-id ] routing [ ip-address [ mask | mask-length ] ] [ interface
  interface-type interface-number ] [ nexthop nexthop-address ]
  display ospf [ process-id ] routing router-id [ router-id ]
l Run the display ospf [ process-id ] interface [ all | interface-type interface-number ]
  [ verbose ] command to check OSPF interface information.
l Run the display ospf [ process-id ] asbr-summary [ ip-address mask ] command to check
  OSPF ASBR summarization information.

----End

5.3.7 Configuring an OSPF Stub Area


Configuring a non-backbone area as a stub area reduces the routing entries in the area: a stub
area does not carry AS external routes, and with no-summary it does not carry routes learned
from other areas in the AS either. This reduces bandwidth and storage resource consumption.

Applicable Environment
The number of LSAs can be reduced by partitioning an AS into different areas. To reduce the
number of entries in the routing table and the number of LSAs to be transmitted in a non-backbone
area, configure the non-backbone area on the border of the AS as a stub area.
Configuring a stub area is optional. A stub area generally resides on the border of an AS. For
example, a non-backbone area with only one ABR can be configured as a stub area. In a stub
area, the number of entries in the routing table and the amount of routing information to be
transmitted greatly decrease.
Note the following points when configuring a stub area:
l The backbone area (Area 0) cannot be configured as a stub area.
l If an area needs to be configured as a stub area, all the Switches in this area must be
  configured with stub attributes using the stub command.
l An ASBR cannot exist in a stub area. External routes are not transmitted in the stub area.
l Virtual links cannot exist in the stub area.

Pre-configuration Tasks
Before configuring a stub area, complete the following tasks:
l Configuring IP addresses for interfaces to ensure that neighboring Switches are reachable
  at the network layer
l Configuring Basic OSPF Functions

Data Preparation
To configure a stub area, you need the following data.
No.  Data
1    (Optional) Cost of the default route to the stub area
     NOTE
     By default, the cost of the default route to the stub area is 1.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
ospf [ process-id ]

The OSPF process view is displayed.


Step 3 Run:
area area-id

The OSPF area view is displayed.


Step 4 Run:
stub

The specified area is configured as a stub area.


NOTE

l All Switches in a stub area must be configured with stub attributes using the stub command.
l Configuring or deleting stub attributes will update routing information in the area. Stub attributes can
be deleted or configured again only after the routing update is complete.

Step 5 (Optional) Run:


stub [ no-summary ]

The ABR is prevented from sending Type 3 LSAs to the stub area.
Step 6 (Optional) Run:
default-cost cost

The cost of the default route to the stub area is set.


To ensure the reachability of AS external routes, the ABR in the stub area generates a default
route and advertises the route to the non-ABR Switches in the stub area.
By default, the cost of the default route to the stub area is 1.
----End

Checking the Configuration

l Run either of the following commands to check LSDB information.
  display ospf [ process-id ] lsdb [ brief ]
  display ospf [ process-id ] lsdb [ router | network | summary | asbr | ase | nssa | opaque-link | opaque-area | opaque-as ] [ link-state-id ] [ originate-router [ advertising-router-id ] | self-originate ] [ age { min-value min-age-value | max-value max-age-value } * ]
l Run either of the following commands to check routing table information.
  display ospf [ process-id ] routing [ ip-address [ mask | mask-length ] ] [ interface
  interface-type interface-number ] [ nexthop nexthop-address ]
  display ospf [ process-id ] routing router-id [ router-id ]
l Run the display ospf [ process-id ] abr-asbr [ router-id ] command to check ASBR and ABR
  information.

5.3.8 Configuring an NSSA


Configuring a non-backbone area on the border of an AS as an NSSA keeps AS external routes
learned in other areas out of the area while still allowing the area to import its own AS
external routes. This reduces bandwidth and storage resource consumption on the Switch.

Applicable Environment
An NSSA is configured in the scenario where AS external routes are to be imported into the area
but the external routes of the rest of the AS are not to be flooded into it, to save system resources.
The NSSA (RFC 3101) is another type of OSPF area. Neither an NSSA nor a stub area carries the
Type 5 LSAs originated in other areas of the AS. A stub area does not allow AS external routes
to be imported, whereas an NSSA allows AS external routes to be imported and forwarded to the
rest of the AS.
Type 7 LSAs are used to carry imported AS external routing information in the NSSA. Type 7
LSAs are generated by the ASBRs of NSSAs and flooded only in the NSSAs where ASBRs
reside. The ABR in an NSSA selects certain Type 7 LSAs from the received ones and translates
them into Type 5 LSAs to advertise AS external routing information to the other areas over the
OSPF network.
To configure an area as an NSSA, configure NSSA attributes on all the Switches in this area.
Pre-configuration Tasks
Before configuring an NSSA, complete the following tasks:
l Configuring IP addresses for interfaces to ensure that neighboring Switches are reachable
  at the network layer
l Configuring Basic OSPF Functions

Data Preparation
To configure an NSSA, you need the following data.
No.  Data
1    (Optional) Cost of the default route to the NSSA
     NOTE
     By default, the cost of the default route to the NSSA is 1.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
ospf [ process-id ]

The OSPF process view is displayed.


Step 3 Run:
area area-id

The OSPF area view is displayed.


Step 4 Run:
nssa [ default-route-advertise | flush-waiting-timer interval-value | no-import-route | no-summary | set-n-bit | suppress-forwarding-address | translator-always |
translator-interval interval-value | zero-address-forwarding ] *

The specified area is configured as an NSSA.


NOTE

l All Switches in the NSSA must be configured with NSSA attributes using the nssa command.
l Configuring or deleting NSSA attributes may trigger routing update in the area. A second configuration
of NSSA attributes can be implemented or canceled only after routing update is complete.

The nssa command is applicable to the following scenarios:


l The parameter default-route-advertise is used to advertise Type 7 LSAs carrying the default
route on the ABR or ASBR to the NSSA.
Type 7 LSAs carrying the default route will be generated regardless of whether the default
route 0.0.0.0 exists in the routing table on the ABR. On the ASBR, however, the default Type
7 LSA is generated only when the default route 0.0.0.0 exists in the routing table.
l When the area to which the ASBR belongs is configured as an NSSA, invalid Type 5 LSAs
  flooded by other Switches in the area are retained, and are deleted only when their aging
  time reaches 3600s. Holding a large number of such LSAs consumes memory and affects Switch
  performance. To resolve this, set the parameter flush-waiting-timer (its maximum value is
  3600s) so that the invalid Type 5 LSAs from other Switches are flushed in time.
NOTE

l When the LS age field value (aging time) in the header of an LSA reaches 3600s, the LSA is deleted.
l If an ASBR also functions as an ABR, flush-waiting-timer does not take effect. This prevents
Type 5 LSAs in the non-NSSAs from being deleted.

l If an ASBR also functions as an ABR, set the parameter no-import-route to prevent external
  routes imported using the import-route command from being advertised to the NSSA.
l To reduce the number of LSAs that are transmitted to the NSSA, set the parameter no-summary
  on an ABR. This prevents the ABR from transmitting Type 3 LSAs to the NSSA.
l After the parameter set-n-bit is configured, the Switch re-establishes neighbor relationships
with the neighboring Switches in the NSSA.
l If multiple ABRs are deployed in the NSSA, the system automatically selects an ABR
(generally the Switch with the largest router ID) as a translator to translate Type 7 LSAs into
Type 5 LSAs. You can also configure the parameter translator-always on an ABR to specify
the ABR as an all-the-time translator. To specify two ABRs for load balancing, configure
the parameter translator-always on two ABRs to specify the ABRs as all-the-time
translators. This prevents LSA flooding caused by translator role changes.
l The parameter translator-interval is used to ensure uninterrupted services when translator
roles change. The interval-value value must be greater than the flooding period.
Step 5 (Optional)Run:
default-cost cost

The cost of the default route to the NSSA is set.


To ensure the reachability of AS external routes, the ABR in the NSSA generates a default route
and advertises the route to the other Switches in the NSSA.
Type 7 LSAs can be used to carry default route information to guide traffic to other ASs.
Multiple ABRs may be deployed in an NSSA. To prevent routing loops, ABRs do not calculate
the default routes advertised by each other.
By default, the cost of the default route to the NSSA is 1.
----End

Checking the Configuration


l Run either of the following commands to check LSDB information.
  display ospf [ process-id ] lsdb [ brief ]
  display ospf [ process-id ] lsdb [ router | network | summary | asbr | ase | nssa | opaque-link | opaque-area | opaque-as ] [ link-state-id ] [ originate-router [ advertising-router-id ] | self-originate ]
l Run either of the following commands to check routing table information.
  display ospf [ process-id ] routing [ ip-address [ mask | mask-length ] ] [ interface
  interface-type interface-number ] [ nexthop nexthop-address ]
  display ospf [ process-id ] routing router-id [ router-id ]
l Run the display ospf [ process-id ] interface [ all | interface-type interface-number ]
  [ verbose ] command to check OSPF interface information.

5.3.9 Configuring BFD for OSPF


After BFD for OSPF is enabled, when a link fails, the Switch rapidly detects the failure, notifies
the OSPF process or interface of the fault, and instructs OSPF to recalculate routes. This speeds
up OSPF network convergence.

Establishing the Configuration Task


Before configuring BFD for OSPF, familiarize yourself with the applicable environment,
complete the pre-configuration tasks, and obtain the data required for the configuration. This
will help you complete the configuration task quickly and efficiently.

Applicable Environment
OSPF enables the Switch to periodically send Hello packets to a neighboring Switch for fault
detection. Detecting a fault takes more than 1s. As technologies develop, voice, video, and other
VOD services are widely used. These services are quite sensitive to packet loss and delays. When
traffic is transmitted at gigabit rates, long-time fault detection will cause packet loss. This cannot
meet high reliability requirements of the carrier-class network.
BFD for OSPF is introduced to resolve this problem. After BFD for OSPF is configured in a
specified process or on a specified interface, the link status can be rapidly detected and fault
detection can be completed in milliseconds. This speeds up OSPF convergence when the link
status changes.

Pre-configuration Tasks
Before configuring BFD for OSPF, complete the following tasks:
l Configuring IP addresses for interfaces to ensure that neighboring Switches are reachable
  at the network layer
l Configuring Basic OSPF Functions

Data Preparation
To configure BFD for OSPF, you need the following data.
No.  Data
1    Number of the OSPF process to be enabled with BFD for OSPF
2    Type and number of the interface to be enabled with BFD for OSPF
3    (Optional) Values of BFD session parameters
     NOTE
     The default parameter values are recommended.

Configuring BFD for OSPF in a Specified Process


Configuring BFD for OSPF in a specified process helps the system to rapidly detect the link
status and speeds up OSPF convergence in the case of a link failure.

Context
After BFD for OSPF is configured, when detecting a link fault, BFD rapidly notifies the
Switches on both ends of the link of the fault, triggering rapid OSPF convergence. When the
OSPF neighbor relationship goes Down, the BFD session will be dynamically deleted.
Before configuring BFD for OSPF, enable BFD globally.
Perform the following steps on the Switches between which a BFD session is to be created.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
bfd

BFD is globally configured.


Step 3 Run:
quit

Return to the system view.


Step 4 Run:
ospf [ process-id ]

The OSPF process view is displayed.


Step 5 Run:
bfd all-interfaces enable

BFD for OSPF is configured. The default parameter values are used to create a BFD session.
If all the interfaces in a certain process are configured with BFD and their neighbor relationships
are in the Full state, OSPF creates BFD sessions with default parameter values on all the
interfaces in the process.
Step 6 (Optional) Run:
bfd all-interfaces { min-rx-interval receive-interval | min-tx-interval transmit-interval | detect-multiplier multiplier-value | frr-binding } *

BFD session parameters are modified.


You can skip this step. The default interval at which BFD packets are transmitted and the default
detection multiplier are recommended.
The parameters are configured based on the network status and network reliability requirements.
A short interval at which BFD packets are transmitted can be configured for a link that has a
higher requirement for reliability. A long interval at which BFD packets are transmitted can be
configured for a link that has a lower requirement for reliability.
NOTE

l Actual interval at which BFD packets are transmitted on the local Switch = Max { configured interval
  transmit-interval at which BFD packets are transmitted on the local Switch, configured interval
  receive-interval at which BFD packets are received on the peer Switch }
l Actual interval at which BFD packets are received on the local Switch = Max { configured interval
  transmit-interval at which BFD packets are transmitted on the peer Switch, configured interval
  receive-interval at which BFD packets are received on the local Switch }
l Actual time for detecting BFD packets = Actual interval at which BFD packets are received on the local
  Switch x Configured detection multiplier multiplier-value on the peer Switch
For example:
l On the local Switch, the configured interval at which BFD packets are transmitted is 200 ms; the configured
  interval at which BFD packets are received is 300 ms; the detection multiplier is 4.
l On the peer Switch, the configured interval at which BFD packets are transmitted is 100 ms; the interval at
  which BFD packets are received is 600 ms; the detection multiplier is 5.
Then:
l On the local Switch, the actual interval at which BFD packets are transmitted is 600 ms (max {200 ms, 600 ms});
  the actual interval at which BFD packets are received is 300 ms (max {100 ms, 300 ms}); the detection
  period is 1500 ms (300 ms x 5).
l On the peer Switch, the actual interval at which BFD packets are transmitted is 300 ms (max {100 ms, 300 ms});
  the actual interval at which BFD packets are received is 600 ms (max {200 ms, 600 ms}); the detection
  period is 2400 ms (600 ms x 4).
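The three rules in the NOTE, applied to both ends of one session, as an added Python example (not Huawei code, and not tied to any Switch): each side's real transmit interval, real receive interval and detection time follow from its own min-tx-interval / min-rx-interval / detect-multiplier and the peer's. The values in demo() are the ones from the NOTE, in milliseconds; meets_budget() is an assumed helper added to show why tightening the timers on only one side does not shorten failure detection.

```python
"""BFD timer negotiation for BFD for OSPF (added example, not Huawei code).
Applies the three rules quoted in the NOTE above to both ends of a link, so the
real transmit interval, real receive interval and detection time of each Switch
follow from its own min-tx-interval / min-rx-interval / detect-multiplier and
the peer's. All values are in milliseconds; the sample values come from the NOTE.
"""
from dataclasses import dataclass
from typing import Dict


@dataclass(frozen=True)
class BfdConfig:
    """bfd all-interfaces / ospf bfd { min-tx-interval | min-rx-interval | detect-multiplier }"""
    min_tx: int        # transmit-interval
    min_rx: int        # receive-interval
    multiplier: int    # multiplier-value


@dataclass(frozen=True)
class BfdEffective:
    tx_interval: int
    rx_interval: int
    detection_time: int


def negotiate(local: BfdConfig, peer: BfdConfig) -> BfdEffective:
    """What `local` actually does once it has seen the peer's parameters."""
    tx = max(local.min_tx, peer.min_rx)   # never send faster than the peer agreed to receive
    rx = max(peer.min_tx, local.min_rx)   # never expect packets faster than the peer sends
    # detection time uses the PEER's multiplier (RFC 5880, section 6.8.4)
    return BfdEffective(tx, rx, rx * peer.multiplier)


def session(a: BfdConfig, b: BfdConfig) -> Dict[str, BfdEffective]:
    """Both ends of one session; the two detection times are generally different."""
    return {"local": negotiate(a, b), "peer": negotiate(b, a)}


def meets_budget(a: BfdConfig, b: BfdConfig, budget_ms: int) -> bool:
    """True when BOTH ends detect a failure within budget_ms (assumed helper).
    Tightening one side's timers alone does not help: the other side's larger
    receive interval is what its detection time is built from."""
    s = session(a, b)
    return max(s["local"].detection_time, s["peer"].detection_time) <= budget_ms


def demo() -> Dict[str, BfdEffective]:
    """Local 200/300/4 against peer 100/600/5, as in the NOTE."""
    return session(BfdConfig(200, 300, 4), BfdConfig(100, 600, 5))
```

demo() reproduces the NOTE (local: 600 ms, 300 ms, 1500 ms; peer: 300 ms, 600 ms, 2400 ms). With meets_budget() one can check a planned pair of configurations against a convergence target before touching the Switches; the peer with the 600 ms receive interval is what keeps the slower end at 2400 ms no matter how aggressive the other side's min-tx-interval is.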

Step 7 (Optional) Prevent an interface from dynamically creating a BFD session.


After BFD for OSPF is configured, all interfaces on which neighbor relationships are Full in the
OSPF process will create BFD sessions. To prevent specific interfaces from being enabled with
BFD, disable these interfaces from dynamically creating BFD sessions.
1. Run:
   quit

   Return to the system view.
2. Run:
   interface interface-type interface-number

   The interface view is displayed.
3. Run:
   ospf bfd block

   An interface is prevented from dynamically creating a BFD session.


----End

Configuring BFD for OSPF on a Specified Interface


Configuring BFD for OSPF on a specified interface helps speed up OSPF convergence in the
case of an interface failure.

Context
After BFD for OSPF is configured on a specified interface and the interface becomes faulty, the
Switch rapidly detects the fault and instructs OSPF to recalculate routes. This speeds up OSPF
convergence. When the OSPF neighbor relationship goes Down, the BFD session between OSPF
neighbors is dynamically deleted.
Before configuring BFD for OSPF, enable BFD globally.
Perform the following steps on the Switch:

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
bfd

BFD is globally configured.


Step 3 Run:
quit

Return to the system view.


Step 4 Run:
interface interface-type interface-number

The interface view is displayed.


Step 5 Run:
ospf bfd enable

BFD for OSPF is configured. The default parameter values are used to create a BFD session.
If the interface is enabled with BFD and the neighbor relationship on it is in the Full state,
OSPF creates a BFD session with the default parameter values on that interface.
NOTE

The priority of BFD for OSPF configured on an interface is higher than that of BFD for OSPF configured
for a process.

Step 6 (Optional) Run:


ospf bfd { min-rx-interval receive-interval | min-tx-interval transmit-interval |
detect-multiplier multiplier-value | frr-binding } *

BFD session parameters are modified.


You can skip this step. The default interval at which BFD packets are transmitted and the default
detection multiplier are recommended.
The parameters are configured based on the network status and network reliability requirements.
A short interval at which BFD packets are transmitted can be configured for a link that has a
higher requirement for reliability. A long interval at which BFD packets are transmitted can be
configured for a link that has a lower requirement for reliability.

NOTE

l Actual interval at which BFD packets are transmitted on the local Switch = Max { configured interval
  transmit-interval at which BFD packets are transmitted on the local Switch, configured interval
  receive-interval at which BFD packets are received on the peer Switch }
l Actual interval at which BFD packets are received on the local Switch = Max { configured interval
  transmit-interval at which BFD packets are transmitted on the peer Switch, configured interval
  receive-interval at which BFD packets are received on the local Switch }
l Actual time for detecting BFD packets = Actual interval at which BFD packets are received on the local
  Switch x Configured detection multiplier multiplier-value on the peer Switch
For example:
l On the local Switch, the configured interval at which BFD packets are transmitted is 200 ms; the interval at
  which BFD packets are received is set to 300 ms; the detection multiplier is 4.
l On the peer Switch, the configured interval at which BFD packets are transmitted is 100 ms; the interval at
  which BFD packets are received is 600 ms; the detection multiplier is 5.
Then:
l On the local Switch, the actual interval at which BFD packets are transmitted is 600 ms (max {200 ms, 600 ms});
  the actual interval at which BFD packets are received is 300 ms (max {100 ms, 300 ms}); the detection
  period is 1500 ms (300 ms x 5).
l On the peer Switch, the actual interval at which BFD packets are transmitted is 300 ms (max {100 ms, 300 ms});
  the actual interval at which BFD packets are received is 600 ms (max {200 ms, 600 ms}); the detection
  period is 2400 ms (600 ms x 4).

----End

Checking the Configuration


After configuring BFD for OSPF, you can view information about the BFD session between
two OSPF neighbors.

Prerequisites
All BFD for OSPF configurations are complete.

Procedure
l Run the display ospf [ process-id ] bfd session interface-type interface-number [ router-id ]
  or display ospf [ process-id ] bfd session { router-id | all } command to check
  information about the BFD session between two OSPF neighbors.

----End

5.3.10 Improving Security of an OSPF Network


On a network demanding high security, you can adopt the GTSM mechanism and configure
OSPF authentication to improve the security of the OSPF network.

Establishing the Configuration Task


Before improving the security of an OSPF network, familiarize yourself with the applicable
environment, complete pre-configuration tasks, and obtain the required data. This can help you
complete the configuration task quickly and accurately.
Applicable Environment
In a network demanding high security, you can configure OSPF authentication and adopt the
GTSM mechanism to improve the security of the OSPF network.

Pre-configuration Tasks
Before improving the security of an OSPF network, complete the following tasks:
l Configuring IP addresses for interfaces to make neighboring nodes reachable
l Configuring Basic OSPF Functions

Data Preparation
To improve the security of an OSPF network, you need the following data.

Configuring the OSPF GTSM Functions


GTSM defends against attacks by checking the TTL value of received OSPF packets: a packet that
has traveled more hops than the configured limit is dropped before it reaches the OSPF process.

Context
To apply GTSM, enable GTSM on both ends of the OSPF connection.
The valid TTL range of the checked packets is [255 - hops + 1, 255].
GTSM checks the TTL value only of packets that match a GTSM policy. For packets that do not
match any GTSM policy, you can set the default action to "pass" or "drop". If the default action
is "drop", you must configure GTSM for all the Switch connections: packets sent from a Switch
that match no GTSM policy are dropped, and the connection cannot be established. This is more
secure but less convenient.
You can enable the log function to record the packets that GTSM drops. This helps in fault location.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
ospf valid-ttl-hops hops [ vpn-instance vpn-instance-name ]

OSPF GTSM functions are configured.

NOTE

The ospf valid-ttl-hops command has two functions:


l Enabling OSPF GTSM
l Configuring the TTL value to be detected
The parameter vpn-instance is valid only for the latter function.
Thus, if the private network policy or the public network policy is configured only, it is recommended to
set the default action performed on the packets that do not match the GTSM policy as pass. This prevents
the OSPF packets of other processes from being discarded incorrectly.

Step 3 (Optional) Run:


gtsm default-action { drop | pass }

The default action performed on the packets that do not match the GTSM policy is set.
By default, the packets that do not match the GTSM policy can pass the filtering.
NOTE

If the default action is configured but the GTSM policy is not configured, GTSM does not take effect.

Step 4 (Optional) Run:


gtsm log drop-packet { slot-id | all }

The log function is enabled on the specified board in the system view. The information that
GTSM drops packets is recorded in the log.
----End
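The filtering rules of this procedure, as an added Python model (not Huawei code, and not tied to any Switch): a packet that matches a GTSM policy is accepted only if its TTL lies in [255 - hops + 1, 255]; a packet that matches no policy gets the default action (pass unless gtsm default-action drop was set); when no policy exists at all, GTSM does not take effect even if a default action is configured; dropped packets can be logged. The policies, source addresses, TTL values and the VPN instance name are constructed for illustration, and the model assumes a policy is selected by VPN instance alone.

```python
"""GTSM for OSPF, modelled after the behaviour described above (added example,
not Huawei code). A packet that matches a GTSM policy is accepted only if its
TTL lies in [255 - hops + 1, 255]; a packet that matches no policy gets the
default action (pass unless `gtsm default-action drop` was set); if no policy
exists at all, GTSM does not take effect; drops can be logged. Policies,
packets and the VPN instance name below are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import List, Optional

OSPF_PROTOCOL = 89


@dataclass(frozen=True)
class Packet:
    src: str
    ttl: int
    protocol: int = OSPF_PROTOCOL
    vpn_instance: Optional[str] = None   # None = public network


@dataclass(frozen=True)
class GtsmPolicy:
    """ospf valid-ttl-hops hops [ vpn-instance vpn-instance-name ]"""
    hops: int                            # farthest hop count a legitimate peer can be at
    vpn_instance: Optional[str] = None

    def ttl_range(self) -> range:
        return range(255 - self.hops + 1, 256)


@dataclass
class Gtsm:
    policies: List[GtsmPolicy] = field(default_factory=list)
    default_action: str = "pass"         # gtsm default-action { drop | pass }
    log_drops: bool = False              # gtsm log drop-packet
    log: List[str] = field(default_factory=list)

    def policy_for(self, pkt: Packet) -> Optional[GtsmPolicy]:
        return next((p for p in self.policies if p.vpn_instance == pkt.vpn_instance), None)

    def accept(self, pkt: Packet) -> bool:
        # non-OSPF traffic is out of scope; a default action alone does not enable GTSM
        if pkt.protocol != OSPF_PROTOCOL or not self.policies:
            return True
        policy = self.policy_for(pkt)
        if policy is None:
            ok = self.default_action == "pass"
        else:
            ok = pkt.ttl in policy.ttl_range()
        if not ok and self.log_drops:
            self.log.append(f"GTSM dropped OSPF packet src={pkt.src} ttl={pkt.ttl} "
                            f"vpn={pkt.vpn_instance or 'public'}")
        return ok


def demo() -> dict:
    """Directly connected neighbours (hops=1) on the public network; no policy for vpnA."""
    gtsm = Gtsm([GtsmPolicy(hops=1)], log_drops=True)
    results = {
        "neighbour_ttl_255": gtsm.accept(Packet("10.0.0.2", 255)),
        # a forged packet that crossed two routers arrives with TTL 253 and is dropped
        "spoofed_from_3_hops": gtsm.accept(Packet("10.0.0.2", 253)),
        "vpn_no_policy_passes": gtsm.accept(Packet("10.0.1.2", 200, vpn_instance="vpnA")),
    }
    gtsm.default_action = "drop"         # now the unmatched VPN packet is dropped as well
    results["vpn_no_policy_dropped"] = gtsm.accept(Packet("10.0.1.2", 255, vpn_instance="vpnA"))
    results["dropped_count"] = len(gtsm.log)
    return results
```

The last two results in demo() are the situation the NOTE on ospf valid-ttl-hops warns about: once a policy exists for one network only, every OSPF packet of the other network falls through to the default action, so switching it to drop silently breaks those adjacencies; the drop log is what shows it.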

Configuring the Authentication Mode


OSPF supports packet authentication. Only the packets that pass the authentication can be
received. If packets fail to pass the authentication, the neighbor relationship cannot be
established.

Context
In area authentication, all the Switches in an area must use the same area authentication mode
and password. For example, the authentication mode of all devices in Area 0 is simple
authentication and the password is abc.
Simple authentication carries the password in clear text in every OSPF packet, so anyone who
can capture traffic on the segment can read it; prefer md5, hmac-md5 or keychain authentication
wherever the neighbors support it.
The interface authentication mode sets the authentication mode and password between neighboring
routers. Its priority is higher than that of the area authentication mode.
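What the authentication modes configured below actually put on the wire, as an added Python example (not Huawei code): a minimal OSPFv2 packet builder and verifier. Simple authentication (AuType 1) copies the password into the 64-bit authentication field of every packet; cryptographic MD5 authentication (AuType 2, RFC 2328 Appendix D) carries a key ID, a cryptographic sequence number against replay, and a 16-byte MD5 digest of the packet followed by the shared key. The verifier's key table, indexed by key ID, plays the part of the keychain whose key-id and key-string must match on both sides. Router IDs, keys and the Hello body are constructed; hmac-md5 is not modelled.

```python
"""OSPFv2 packet authentication on the wire (added example, not Huawei code).
Builds the 24-byte OSPFv2 header of RFC 2328 and shows what the two modes carry:
simple authentication (AuType 1) copies the password into the packet; MD5
authentication (AuType 2, RFC 2328 Appendix D) carries key ID, sequence number
and a 16-byte MD5 digest of packet || key. Inputs are constructed.
"""
import hashlib
import hmac
import struct
from typing import Dict, Tuple

AU_NULL, AU_SIMPLE, AU_CRYPT = 0, 1, 2
HDR_LEN = 24
HELLO = 1


def _ip(dotted: str) -> bytes:
    return bytes(int(x) for x in dotted.split("."))


def _checksum(data: bytes) -> int:
    """Ones-complement IP checksum; OSPF uses it only when AuType is not 2."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_packet(router_id: str, area_id: str, body: bytes, au_type: int,
                 key: bytes = b"", key_id: int = 1, seq: int = 0) -> bytes:
    length = HDR_LEN + len(body)                      # the digest is NOT counted in Length
    if au_type == AU_SIMPLE:
        auth = key.ljust(8, b"\x00")[:8]              # password goes on the wire as-is
    elif au_type == AU_CRYPT:
        auth = struct.pack("!HBBI", 0, key_id, 16, seq)   # 0, Key ID, Auth Data Len, seq
    else:
        auth = bytes(8)
    hdr = struct.pack("!BBH4s4sHH", 2, HELLO, length, _ip(router_id), _ip(area_id), 0, au_type)
    pkt = hdr + auth + body
    if au_type == AU_CRYPT:
        # checksum stays 0; digest = MD5(packet || key padded/cut to 16 bytes), appended
        return pkt + hashlib.md5(pkt + key.ljust(16, b"\x00")[:16]).digest()
    csum = _checksum(pkt[:16] + pkt[HDR_LEN:])        # authentication field excluded
    return pkt[:12] + struct.pack("!H", csum) + pkt[14:]


def verify_packet(pkt: bytes, keys: Dict[int, bytes], last_seq: Dict[str, int],
                  password: bytes = b"") -> Tuple[bool, str]:
    """Receiver side. `keys` maps key ID -> key string (the keychain pairing);
    `last_seq` holds the highest sequence number seen per neighbour router ID."""
    version, _ptype, length, rid, _aid, csum, au_type = struct.unpack("!BBH4s4sHH", pkt[:16])
    neighbour = ".".join(str(b) for b in rid)
    if version != 2 or length > len(pkt):
        return False, "malformed header"
    if au_type == AU_SIMPLE:
        if pkt[16:HDR_LEN] != password.ljust(8, b"\x00")[:8]:
            return False, "bad password"
        if _checksum(pkt[:12] + b"\x00\x00" + pkt[14:16] + pkt[HDR_LEN:length]) != csum:
            return False, "bad checksum"
        return True, "simple auth ok"
    if au_type == AU_CRYPT:
        _zero, key_id, auth_len, seq = struct.unpack("!HBBI", pkt[16:HDR_LEN])
        if auth_len != 16 or key_id not in keys:
            return False, "unknown key id"
        expected = hashlib.md5(pkt[:length] + keys[key_id].ljust(16, b"\x00")[:16]).digest()
        if not hmac.compare_digest(expected, pkt[length:length + 16]):
            return False, "bad digest"
        if seq < last_seq.get(neighbour, 0):          # RFC 2328 accepts >=; use > to refuse exact replays
            return False, "replayed sequence number"
        last_seq[neighbour] = seq
        return True, "md5 auth ok"
    return au_type == AU_NULL, "null auth"


def demo() -> dict:
    # constructed Hello body: netmask, HelloInterval, Options, Rtr Pri, RouterDeadInterval, DR, BDR
    body = struct.pack("!4sHBBI4s4s", _ip("255.255.255.0"), 10, 2, 1, 40, _ip("0.0.0.0"), _ip("0.0.0.0"))
    keys = {1: b"s3cr3t-key-1"}                       # key-id 1 configured on both sides
    seen: Dict[str, int] = {}
    good = build_packet("10.0.0.1", "0.0.0.0", body, AU_CRYPT, keys[1], 1, 100)
    tampered = good[:HDR_LEN] + bytes(len(body)) + good[HDR_LEN + len(body):]
    wrong_key = build_packet("10.0.0.1", "0.0.0.0", body, AU_CRYPT, b"other-key", 1, 101)
    replay = build_packet("10.0.0.1", "0.0.0.0", body, AU_CRYPT, keys[1], 1, 99)
    simple = build_packet("10.0.0.1", "0.0.0.0", body, AU_SIMPLE, b"abc")
    return {
        "good": verify_packet(good, keys, seen),
        "tampered": verify_packet(tampered, keys, seen),
        "wrong_key": verify_packet(wrong_key, keys, seen),
        "replay": verify_packet(replay, keys, seen),
        "simple": verify_packet(simple, {}, {}, password=b"abc"),
        "simple_leaks_password": b"abc" in simple,
    }
```

demo() shows the properties that matter when choosing a mode: with MD5 a modified body, a mismatched key-string, or a re-sent older packet all fail verification, while with simple authentication the area password abc from the Context above is readable in the captured bytes. The sequence-number check is what the page's "neighbor relationship cannot be established" really rests on for replayed traffic; note that RFC 2328 tolerates an equal sequence number, so a strict implementation would require it to increase.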

Procedure
• Configuring the Area Authentication Mode
1. Run:
system-view

The system view is displayed.
2. Run:
ospf [ process-id ]

The OSPF process view is displayed.
3. Run:
area area-id

The OSPF area view is displayed.
4. Run one of the following commands to configure the authentication mode of the OSPF area as required:
Run:
authentication-mode simple [ [ plain ] plain-text | cipher cipher-text ]

Simple authentication is configured for the OSPF area.
Run:
authentication-mode { md5 | hmac-md5 } [ key-id { plain plain-text | [ cipher ] cipher-text } ]

MD5 or HMAC-MD5 authentication is configured for the OSPF area.
Run:
authentication-mode keychain keychain-name

Keychain authentication is configured for the OSPF area.

NOTE

Before using Keychain authentication, configure the Keychain information in the system view. To establish the OSPF neighbor relationship, ensure that the key-id, algorithm, and key-string of the local ActiveSendKey are the same as those of the remote ActiveRecvKey.
• Configuring the Interface Authentication Mode
1. Run:
system-view

The system view is displayed.
2. Run:
interface interface-type interface-number

The interface view is displayed.
3. Run one of the following commands to configure the interface authentication mode as required:
Run:
ospf authentication-mode simple [ [ plain ] plain-text | cipher cipher-text ]

Simple authentication is configured for the OSPF interface.
Run:
ospf authentication-mode { md5 | hmac-md5 } [ key-id { plain plain-text | [ cipher ] cipher-text } ]

MD5 or HMAC-MD5 authentication is configured for the OSPF interface.
Run:
ospf authentication-mode null

Authentication is disabled on the OSPF interface. Because the interface mode takes precedence over the area mode, null on an interface also switches off area authentication for the neighbors reached through that interface.
Run:
ospf authentication-mode keychain keychain-name

Keychain authentication is configured for the OSPF interface.

NOTE

Before using Keychain authentication, configure the Keychain information in the system view. To establish the OSPF neighbor relationship, ensure that the key-id, algorithm, and key-string of the local ActiveSendKey are the same as those of the remote ActiveRecvKey.

The authentication mode and password of interfaces on the same network segment must be consistent, except in Keychain authentication mode. Interfaces on different network segments can use different authentication modes and passwords.
----End
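The GTSM and authentication checks described above, as an added example in Python (not Huawei VRP code): it builds OSPF Hello packets with simple and md5 authentication following RFC 2328 Appendix D and then runs the receive-side checks a router applies in order: the TTL test that ospf valid-ttl-hops and gtsm default-action configure, the password comparison of simple mode, the MD5 digest check, and the cryptographic sequence number that rejects replayed packets. Router IDs, key strings and sequence numbers are constructed; the hmac-md5 and keychain modes are not modelled, and the OSPF checksum is left at zero.

```python
"""Receive-side checks an OSPFv2 router applies before accepting a packet:
GTSM (the TTL test behind `ospf valid-ttl-hops` and `gtsm default-action`),
authentication (simple vs. md5) and the cryptographic sequence number.
Added example, not Huawei VRP code.  Packet layout and the MD5 procedure
follow RFC 2328 Appendix D; the checksum is left at 0 (cryptographic mode
zeroes it anyway).  Router IDs, keys and sequence numbers are constructed."""
import hashlib
import hmac
import struct
from ipaddress import IPv4Address

OSPF_VERSION, OSPF_HELLO, HEADER_LEN = 2, 1, 24
AUTH_NULL, AUTH_SIMPLE, AUTH_CRYPTO = 0, 1, 2
EXPECTED_AUTYPE = {"null": AUTH_NULL, "simple": AUTH_SIMPLE, "md5": AUTH_CRYPTO}


def _ip(text):
    return IPv4Address(text).packed


def hello_body(mask="255.255.255.0", hello=10, dead=40, priority=1):
    # Hello with no neighbours: mask, HelloInterval, Options (E bit), priority, dead, DR, BDR
    return struct.pack("!4sHBBI4s4s", _ip(mask), hello, 0x02, priority, dead,
                       _ip("0.0.0.0"), _ip("0.0.0.0"))


def _header(router_id, area_id, autype, auth_field, body_len):
    # version, type, length, router ID, area ID, checksum, AuType, 8-byte authentication field
    return struct.pack("!BBH4s4sHH8s", OSPF_VERSION, OSPF_HELLO, HEADER_LEN + body_len,
                       _ip(router_id), _ip(area_id), 0, autype, auth_field)


def _simple_field(password):
    return password.encode().ljust(8, b"\0")[:8]


def _md5_digest(packet, key):
    # RFC 2328 D.4.3: MD5 over the packet followed by the key zero-padded to 16 bytes
    return hashlib.md5(packet + key.encode().ljust(16, b"\0")[:16]).digest()


def build_simple(router_id, area_id, password, body):
    """authentication-mode simple: the password itself is carried in the header."""
    return _header(router_id, area_id, AUTH_SIMPLE, _simple_field(password), len(body)) + body


def build_md5(router_id, area_id, key_id, key, seq, body):
    """authentication-mode md5: the header carries key-id, digest length and a sequence
    number; the 16-byte digest follows the packet and is not counted in its length."""
    auth = struct.pack("!HBBI", 0, key_id, 16, seq)
    packet = _header(router_id, area_id, AUTH_CRYPTO, auth, len(body)) + body
    return packet + _md5_digest(packet, key)


def password_on_wire(packet):
    """What a sniffer recovers from a simple-authentication packet: the password."""
    autype, auth = struct.unpack("!H8s", packet[14:24])
    return auth.rstrip(b"\0").decode() if autype == AUTH_SIMPLE else None


class OspfReceiver:
    def __init__(self, auth_mode="null", password=None, md5_keys=None,
                 valid_ttl_hops=None, gtsm_default_action="pass"):
        self.autype = EXPECTED_AUTYPE[auth_mode]
        self.password = password
        self.md5_keys = md5_keys or {}          # key-id -> key string
        self.valid_ttl_hops = valid_ttl_hops    # None: no GTSM policy for this process
        self.gtsm_default_action = gtsm_default_action
        self.last_seq = {}                      # (router ID, key-id) -> last accepted sequence

    def gtsm_ok(self, ttl):
        if self.valid_ttl_hops is None:         # no matching policy: default action decides
            return self.gtsm_default_action == "pass"
        return ttl >= 256 - self.valid_ttl_hops  # N hops away: TTL must still be >= 255-(N-1)

    def accept(self, packet, ttl):
        """Return (accepted, reason) for a packet that arrived with IP TTL `ttl`."""
        if not self.gtsm_ok(ttl):
            return False, "gtsm: dropped, ttl %d" % ttl
        ver, _, length, rid, _, _, autype, auth = struct.unpack("!BBH4s4sHH8s", packet[:HEADER_LEN])
        if ver != OSPF_VERSION or length > len(packet):
            return False, "malformed header"
        if autype != self.autype:
            return False, "auth type mismatch"
        if autype == AUTH_SIMPLE:
            if not hmac.compare_digest(auth, _simple_field(self.password)):
                return False, "simple: password mismatch"
            return True, "simple: accepted"
        if autype == AUTH_CRYPTO:
            _, key_id, auth_len, seq = struct.unpack("!HBBI", auth)
            key = self.md5_keys.get(key_id)
            if key is None or auth_len != 16 or len(packet) < length + 16:
                return False, "md5: unknown key-id or bad length"
            if not hmac.compare_digest(packet[length:length + 16], _md5_digest(packet[:length], key)):
                return False, "md5: digest mismatch"
            if seq < self.last_seq.get((rid, key_id), 0):   # older than the last accepted packet
                return False, "md5: replayed sequence %d" % seq
            self.last_seq[(rid, key_id)] = seq
            return True, "md5: accepted"
        return True, "null: accepted"


if __name__ == "__main__":
    body = hello_body()
    rx = OspfReceiver("md5", md5_keys={1: "k3y-for-area1"}, valid_ttl_hops=1)
    for seq in (10, 11, 10):                    # third packet is a replay of the first
        print(seq, rx.accept(build_md5("3.3.3.3", "0.0.0.1", 1, "k3y-for-area1", seq, body), 255))
```

Running it shows why the guide steers you to md5 or hmac-md5 rather than simple: password_on_wire recovers the simple-mode password straight from the header, whereas an md5 packet exposes only the key-id, the sequence number and the digest, and a replayed or altered md5 packet is dropped. It also shows the GTSM rule in numbers: with valid-ttl-hops 1 only packets that arrive with TTL 255, that is, from a directly connected neighbor, are accepted.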

Checking the Configuration

After OSPF features are configured to improve the security of an OSPF network, you can check the GTSM statistics and the OSPF queue and error statistics.

Prerequisites
The configurations for Improving Security of an OSPF Network are complete.

Procedure
• Run the display gtsm statistics all command to check the GTSM statistics.
• Run the display ospf [ process-id ] request-queue [ interface-type interface-number ] [ neighbor-id ] command to check the OSPF request queue.
• Run the display ospf [ process-id ] retrans-queue [ interface-type interface-number ] [ neighbor-id ] command to check the OSPF retransmission queue.
• Run the display ospf [ process-id ] error [ lsa ] command to check the OSPF error information.
----End

5.3.11 Configuring the Network Management Function of OSPF


OSPF supports the network management function. You can bind the OSPF MIB to a certain
OSPF process, and configure the trap function and log function.

Establishing the Configuration Task


Before configuring the network management function for OSPF, familiarize yourself with the
applicable environment, complete pre-configuration tasks, and obtain the required data. This
can help you complete the configuration task quickly and accurately.

Applicable Environment
OSPF supports the network management function. You can bind OSPF MIB and a certain OSPF
process. In addition, OSPF also supports the trap function and the log function.

Pre-configuration Tasks
Before configuring the network management function of OSPF, complete the following tasks:
• Configuring IP addresses for interfaces to make neighboring nodes reachable
• Configuring Basic OSPF Functions

Data Preparation
To configure the network management function of OSPF, you need the following data.
No.   Data
1     OSPF process ID

Configuring OSPF MIB Binding


The MIB is a virtual database of the device status maintained by the managed devices.

Context
When multiple OSPF processes are enabled, bind the OSPF MIB to the process that SNMP operations on the MIB should act on; that is, select the process to which the OSPF MIB is bound.
Do as follows on the OSPF router:

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
ospf mib-binding process-id

OSPF MIB binding is configured.


----End

Configuring OSPF Trap


Traps are the notifications sent from a router to inform the NMS of the fault detected by the
system.

Context
Do as follows on the OSPF router.

Procedure
Step 1 Run:
system-view


The system view is displayed.


Step 2 Run:
snmp-agent trap enable feature-name ospf { non-excessive all | trap-name
{ ospfifauthfailure | ospfifconfigerror | ospfifrxbadpacket | ospfifstatechange |
ospflsdbapproachingoverflow | ospflsdboverflow | ospfmaxagelsa |
ospfnbrrestarthelperstatuschange | ospfnbrstatechange |
ospfnssatranslatorstatuschange | ospforiginatelsa | ospfrestartstatuschange |
ospftxretransmit | ospfvirtifauthfailure | ospfvirtifconfigerror |
ospfvirtifrxbadpacket | ospfvirtifstatechange | ospfvirtiftxretransmit |
ospfvirtnbrrestarthelperstatuschange | ospfvirtnbrstatechange } }

The trap function for the OSPF module is enabled.


To enable all non-excessive traps of the OSPF module, specify non-excessive all; to enable the traps of one or more events, specify trap-name with the names of those events.
----End

Configuring OSPF Log


Logs record the operations (such as configuring commands) and specific events (such as the
network connection failure) on Switches.

Context
Do as follows on the OSPF Switch:

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
ospf [ process-id ]

The OSPF process view is displayed.


Step 3 Run:
enable log [ config | error | state | snmp-trap ]

The log function is enabled.


----End

Checking the Configuration


After the network management function is configured for OSPF, you can check the contents of
the information channel, information recorded in the information center, log buffer, and trap
buffer.

Prerequisites
The configurations for the network management function of OSPF are complete.

Procedure
• Run the display ospf [ process-id ] brief command to view information about the binding of OSPF MIBs and OSPF processes.
• Run the display snmp-agent trap feature-name ospf all command to view all trap messages of the OSPF module.
----End

5.3.12 Maintaining OSPF


Maintaining OSPF involves resetting OSPF and clearing OSPF statistics.

Resetting OSPF
Restarting OSPF can reset OSPF.

Context

CAUTION
The OSPF neighbor relationship is deleted after you reset OSPF connections with the reset
ospf command. Exercise caution when running this command.
To reset OSPF connections, run the following reset ospf commands in the user view.

Procedure
• Run the reset ospf [ process-id ] process [ flush-waiting-timer time ] command in the user view to restart the OSPF process.
----End

Clearing OSPF
This section describes how to clear OSPF statistics, including OSPF counters, imported
routes, and GTSM statistics on the board.

Context

CAUTION
OSPF information cannot be restored after being cleared. Exercise caution when running this
command.
To clear the OSPF information, run the following reset ospf commands in the user view.

Procedure
• Run the reset ospf [ process-id ] counters [ neighbor [ interface-type interface-number ] [ router-id ] ] command in the user view to clear OSPF counters.
• Run the reset ospf [ process-id ] redistribution command in the user view to clear the routes imported by OSPF.
• Run the reset gtsm statistics all command in the user view to clear the GTSM statistics on the board.
----End

5.3.13 Configuration Examples


This section provides several configuration examples of OSPF.

Example for Configuring Basic OSPF Functions


Networking Requirements
As shown in Figure 5-11, all Switches run OSPF, and the entire AS is partitioned into three
areas. Switch A and Switch B serve as ABRs to forward routes between areas.
After the configuration, each Switch should learn the routes to all network segments from the
AS.
Figure 5-11 Networking diagram of basic OSPF configurations (Switch A and Switch B in Area 0; Switch A, Switch C and Switch E in Area 1; Switch B, Switch D and Switch F in Area 2; interfaces and addresses as listed in the table below)

Switch     Interface   VLANIF Interface   IP Address
Switch A   GE 0/0/1    VLANIF 10          192.168.0.1/24
Switch A   GE 0/0/2    VLANIF 20          192.168.1.1/24
Switch B   GE 0/0/1    VLANIF 10          192.168.0.2/24
Switch B   GE 0/0/2    VLANIF 30          192.168.2.1/24
Switch C   GE 0/0/1    VLANIF 20          192.168.1.2/24
Switch C   GE 0/0/2    VLANIF 40          172.16.1.1/24
Switch D   GE 0/0/1    VLANIF 30          192.168.2.2/24
Switch D   GE 0/0/2    VLANIF 50          172.17.1.1/24
Switch E   GE 0/0/1    VLANIF 40          172.16.1.2/24
Switch F   GE 0/0/1    VLANIF 50          172.17.1.2/24

Configuration Roadmap
The configuration roadmap is as follows:
1. Create the ID of a VLAN to which each interface belongs.
2. Assign an IP address to each VLANIF interface.
3. Enable OSPF on each Switch and specify network segments in different areas.
4. Check the routing table and LSDB.

Data Preparation
To complete the configuration, you need the following data:
• The ID of the VLAN that each interface belongs to is shown in Figure 5-11.
• The IP address of each interface is shown in Figure 5-11.
• The router ID of each Switch, the OSPF process ID, and the area to which each interface belongs are as follows.
The router ID of Switch A is 1.1.1.1, the OSPF process ID is 1, the network segment of Area 0 is 192.168.0.0/24, and the network segment of Area 1 is 192.168.1.0/24.
The router ID of Switch B is 2.2.2.2, the OSPF process ID is 1, the network segment of Area 0 is 192.168.0.0/24, and the network segment of Area 2 is 192.168.2.0/24.
The router ID of Switch C is 3.3.3.3, the OSPF process ID is 1, and the network segments of Area 1 are 192.168.1.0/24 and 172.16.1.0/24.
The router ID of Switch D is 4.4.4.4, the OSPF process ID is 1, and the network segments of Area 2 are 192.168.2.0/24 and 172.17.1.0/24.
The router ID of Switch E is 5.5.5.5, the OSPF process ID is 1, and the network segment of Area 1 is 172.16.1.0/24.
The router ID of Switch F is 6.6.6.6, the OSPF process ID is 1, and the network segment of Area 2 is 172.17.1.0/24.

Configuration Procedure
1. Create a VLAN to which each interface belongs.
The configuration details are not mentioned here.
2. Assign an IP address to each interface.
The configuration details are not mentioned here.
3. Configure basic OSPF functions.
# Configure Switch A.
[SwitchA] router id 1.1.1.1
[SwitchA] ospf
[SwitchA-ospf-1] area 0
[SwitchA-ospf-1-area-0.0.0.0] network 192.168.0.0 0.0.0.255
[SwitchA-ospf-1-area-0.0.0.0] quit
[SwitchA-ospf-1] area 1
[SwitchA-ospf-1-area-0.0.0.1] network 192.168.1.0 0.0.0.255
[SwitchA-ospf-1-area-0.0.0.1] quit
[SwitchA-ospf-1] quit

# Configure Switch B.
[SwitchB] router id 2.2.2.2
[SwitchB] ospf
[SwitchB-ospf-1] area 0
[SwitchB-ospf-1-area-0.0.0.0] network 192.168.0.0 0.0.0.255
[SwitchB-ospf-1-area-0.0.0.0] quit
[SwitchB-ospf-1] area 2
[SwitchB-ospf-1-area-0.0.0.2] network 192.168.2.0 0.0.0.255
[SwitchB-ospf-1-area-0.0.0.2] quit
[SwitchB-ospf-1] quit

# Configure Switch C.
[SwitchC] router id 3.3.3.3
[SwitchC] ospf
[SwitchC-ospf-1] area 1
[SwitchC-ospf-1-area-0.0.0.1] network 192.168.1.0 0.0.0.255
[SwitchC-ospf-1-area-0.0.0.1] network 172.16.1.0 0.0.0.255
[SwitchC-ospf-1-area-0.0.0.1] quit
[SwitchC-ospf-1] quit

# Configure Switch D.
[SwitchD] router id 4.4.4.4
[SwitchD] ospf
[SwitchD-ospf-1] area 2
[SwitchD-ospf-1-area-0.0.0.2] network 192.168.2.0 0.0.0.255
[SwitchD-ospf-1-area-0.0.0.2] network 172.17.1.0 0.0.0.255
[SwitchD-ospf-1-area-0.0.0.2] quit
[SwitchD-ospf-1] quit

# Configure Switch E.
[SwitchE] router id 5.5.5.5
[SwitchE] ospf
[SwitchE-ospf-1] area 1
[SwitchE-ospf-1-area-0.0.0.1] network 172.16.1.0 0.0.0.255
[SwitchE-ospf-1-area-0.0.0.1] quit
[SwitchE-ospf-1] quit

# Configure Switch F.
[SwitchF] router id 6.6.6.6
[SwitchF] ospf
[SwitchF-ospf-1] area 2
[SwitchF-ospf-1-area-0.0.0.2] network 172.17.1.0 0.0.0.255
[SwitchF-ospf-1-area-0.0.0.2] quit
[SwitchF-ospf-1] quit

4. Verify the configuration.
# Check OSPF neighbors of Switch A.
[SwitchA] display ospf peer
OSPF Process 1 with Router ID 1.1.1.1
Neighbors
Area 0.0.0.0 interface 192.168.0.1(Vlanif10)'s neighbors
Router ID: 2.2.2.2
Address: 192.168.0.2
GR State: Normal
State: Full Mode:Nbr is Master Priority: 1
DR: 192.168.0.1 BDR: 192.168.0.2 MTU: 0
Dead timer due in 36 sec
Neighbor is up for 00:15:04
Authentication Sequence: [ 0 ]

Neighbors
Area 0.0.0.1 interface 192.168.1.1(Vlanif20)'s neighbors
Router ID: 3.3.3.3
Address: 192.168.1.2
GR State: Normal
State: Full Mode:Nbr is Master Priority: 1
DR: 192.168.1.1 BDR: 192.168.1.2 MTU: 0
Dead timer due in 39 sec
Neighbor is up for 00:07:32
Authentication Sequence: [ 0 ]

# Check OSPF routing information of Switch A.
[SwitchA] display ospf routing
OSPF Process 1 with Router ID 1.1.1.1
Routing Tables
Routing for Network
Destination        Cost  Type        NextHop        AdvRouter  Area
172.16.1.0/24      2     Transit     192.168.1.2    3.3.3.3    0.0.0.1
172.17.1.0/24      3     Inter-area  192.168.0.2    2.2.2.2    0.0.0.0
192.168.0.0/24     1     Transit     192.168.0.1    1.1.1.1    0.0.0.0
192.168.1.0/24     1     Transit     192.168.1.1    1.1.1.1    0.0.0.1
192.168.2.0/24     2     Inter-area  192.168.0.2    2.2.2.2    0.0.0.0
Total Nets: 5
Intra Area: 3  Inter Area: 2  ASE: 0  NSSA: 0

# View the LSDB of Switch A.
[SwitchA] display ospf lsdb
OSPF Process 1 with Router ID 1.1.1.1
Link State Database

Area: 0.0.0.0
Type      LinkState ID    AdvRouter    Age  Len  Sequence  Metric
Router    2.2.2.2         2.2.2.2      317  48   80000003  1
Router    1.1.1.1         1.1.1.1      316  48   80000002  1
Network   192.168.0.1     1.1.1.1      316  32   80000001  0
Sum-Net   172.16.1.0      1.1.1.1      250  28   80000001  2
Sum-Net   172.17.1.0      2.2.2.2      203  28   80000001  2
Sum-Net   192.168.2.0     2.2.2.2      237  28   80000002  1
Sum-Net   192.168.1.0     1.1.1.1      295  28   80000002  1

Area: 0.0.0.1
Type      LinkState ID    AdvRouter    Age  Len  Sequence  Metric
Router    192.168.1.2     192.168.1.2  188  48   80000002  1
Router    5.5.5.5         5.5.5.5      214  36   80000004  1
Router    3.3.3.3         3.3.3.3      217  60   80000008  1
Router    1.1.1.1         1.1.1.1      289  48   80000002  1
Sum-Net   172.17.1.0      1.1.1.1      202  28   80000002  3
Network   172.16.1.1      3.3.3.3      670  32   80000001  0
Sum-Net   172.17.1.0      1.1.1.1      202  28   80000001  3
Sum-Net   192.168.2.0     1.1.1.1      242  28   80000001  2
Sum-Net   192.168.0.0     1.1.1.1      300  28   80000001  1

# Check the routing table of Switch D and perform the ping operation to test the connectivity.
[SwitchD] display ospf routing
OSPF Process 1 with Router ID 4.4.4.4
Routing Tables
Routing for Network
Destination        Cost  Type        NextHop        AdvRouter  Area
172.16.1.0/24      4     Inter-area  192.168.2.1    2.2.2.2    0.0.0.2
172.17.1.0/24      1     Transit     172.17.1.1     4.4.4.4    0.0.0.2
192.168.0.0/24     2     Inter-area  192.168.2.1    2.2.2.2    0.0.0.2
192.168.1.0/24     3     Inter-area  192.168.2.1    2.2.2.2    0.0.0.2
192.168.2.0/24           Transit     192.168.2.2    4.4.4.4    0.0.0.2
Total Nets: 5
Intra Area: 2  Inter Area: 3  ASE: 0  NSSA: 0

[SwitchD] ping 172.16.1.1
PING 172.16.1.1: 56 data bytes, press CTRL_C to break
Reply from 172.16.1.1: bytes=56 Sequence=1 ttl=253 time=62 ms
Reply from 172.16.1.1: bytes=56 Sequence=2 ttl=253 time=16 ms
Reply from 172.16.1.1: bytes=56 Sequence=3 ttl=253 time=62 ms
Reply from 172.16.1.1: bytes=56 Sequence=4 ttl=253 time=94 ms
Reply from 172.16.1.1: bytes=56 Sequence=5 ttl=253 time=63 ms

--- 172.16.1.1 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 16/59/94 ms
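The adjacencies verified above come up with no authentication and no GTSM, which is the state the section Improving Security of an OSPF Network tells you to move away from. As an added example (not Huawei code), the following Python audits a VRP-style configuration file and display ospf peer output for exactly that: areas without authentication-mode, interfaces using simple or null authentication, the absence of ospf valid-ttl-hops, neighbors not in Full state, and neighbors whose Authentication Sequence is 0. The sample configuration is the SwitchA file from this example with one constructed ospf authentication-mode simple line added; the peer output is copied from the display ospf peer output above; the hardened variant and its cipher-text placeholder are constructed, and the reading of a zero authentication sequence as "no cryptographic authentication in use" is an assumption to confirm on your release.

```python
"""Audit a VRP-style configuration and `display ospf peer` output for the OSPF
hardening this guide describes: GTSM (`ospf valid-ttl-hops`), area or interface
authentication, and neighbors that are up without cryptographic authentication.
Added example, not Huawei code.  WEAK_CONFIG is the SwitchA file from the basic
example plus one constructed simple-auth line; HARDENED_CONFIG and its cipher
placeholder are constructed; PEER_OUTPUT is copied from the example output."""
import re

WEAK_CONFIG = """\
#
sysname SwitchA
#
router id 1.1.1.1
#
interface Vlanif10
 ip address 192.168.0.1 255.255.255.0
#
interface Vlanif20
 ip address 192.168.1.1 255.255.255.0
 ospf authentication-mode simple plain abc
#
ospf 1
 area 0.0.0.0
  network 192.168.0.0 0.0.0.255
 area 0.0.0.1
  network 192.168.1.0 0.0.0.255
#
return
"""

# Same device after applying the section "Improving Security of an OSPF Network"
# (constructed; the cipher text is a placeholder, not a real VRP cipher string).
HARDENED_CONFIG = """\
#
ospf valid-ttl-hops 1
#
gtsm default-action drop
#
interface Vlanif20
 ip address 192.168.1.1 255.255.255.0
#
ospf 1
 area 0.0.0.0
  authentication-mode md5 1 cipher %^%#placeholder%^%#
  network 192.168.0.0 0.0.0.255
 area 0.0.0.1
  authentication-mode hmac-md5 1 cipher %^%#placeholder%^%#
  network 192.168.1.0 0.0.0.255
#
return
"""

PEER_OUTPUT = """\
OSPF Process 1 with Router ID 1.1.1.1
Neighbors
Area 0.0.0.0 interface 192.168.0.1(Vlanif10)'s neighbors
Router ID: 2.2.2.2
Address: 192.168.0.2
GR State: Normal
State: Full Mode:Nbr is Master Priority: 1
DR: 192.168.0.1 BDR: 192.168.0.2 MTU: 0
Dead timer due in 36 sec
Neighbor is up for 00:15:04
Authentication Sequence: [ 0 ]
Neighbors
Area 0.0.0.1 interface 192.168.1.1(Vlanif20)'s neighbors
Router ID: 3.3.3.3
Address: 192.168.1.2
GR State: Normal
State: Full Mode:Nbr is Master Priority: 1
DR: 192.168.1.1 BDR: 192.168.1.2 MTU: 0
Dead timer due in 39 sec
Neighbor is up for 00:07:32
Authentication Sequence: [ 0 ]
"""


def blocks(config):
    """Top-level config blocks, split on the '#' separator lines VRP emits."""
    out, cur = [], []
    for line in config.splitlines():
        if line.strip() == "#":
            if cur:
                out.append(cur)
            cur = []
        elif line.strip() and line.strip() != "return":
            cur.append(line.strip())
    return out + ([cur] if cur else [])


def audit_config(config):
    findings, gtsm = [], False
    for block in blocks(config):
        head = block[0].split()
        if head[:2] == ["ospf", "valid-ttl-hops"]:       # system-view GTSM policy
            gtsm = True
        elif head[0] == "ospf":                            # an OSPF process
            proc, area, modes = head[1], None, {}
            for line in block[1:]:
                tok = line.split()
                if tok[0] == "area":
                    area = tok[1]
                    modes.setdefault(area, None)
                elif tok[0] == "authentication-mode" and area:
                    modes[area] = tok[1]
            for a, mode in modes.items():
                if mode is None:
                    findings.append(f"ospf {proc} area {a}: no area authentication-mode")
                elif mode == "simple":
                    findings.append(f"ospf {proc} area {a}: simple (cleartext) authentication")
        elif head[0] == "interface":
            for line in block[1:]:
                tok = line.split()
                if tok[:2] == ["ospf", "authentication-mode"] and tok[2] in ("simple", "null"):
                    findings.append(f"{head[1]}: ospf authentication-mode {tok[2]}")
    if not gtsm:
        findings.append("no 'ospf valid-ttl-hops' (GTSM) configured")
    return findings


# "GR State:" also ends in "State:", so the neighbour state is matched at line start only.
PEER_RE = re.compile(r"Router ID: (\S+).*?^\s*State: (\w+).*?Authentication Sequence: \[ (\d+) \]",
                     re.S | re.M)


def audit_peers(output):
    """Flag neighbors not in Full state, and neighbors whose cryptographic sequence is 0,
    which is what the counter shows when no md5/hmac-md5 authentication is in use
    (assumption about the display; confirm on your release)."""
    findings = []
    for rid, state, seq in PEER_RE.findall(output):
        if state != "Full":
            findings.append(f"neighbor {rid}: state {state}")
        if int(seq) == 0:
            findings.append(f"neighbor {rid}: authentication sequence 0, no cryptographic authentication")
    return findings


if __name__ == "__main__":
    for f in audit_config(WEAK_CONFIG) + audit_peers(PEER_OUTPUT):
        print("WEAK:", f)
    print("HARDENED:", audit_config(HARDENED_CONFIG) or "no findings")
```

The parser relies only on the layout VRP configuration files already have (blocks separated by lines containing a single #, one command per line), so it can be pointed at a saved configuration file or at the pasted output of display current-configuration without further preparation.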

Configuration Files
• Configuration file of Switch A


#
sysname SwitchA
#
router id 1.1.1.1
#
vlan batch 10 20
#
interface Vlanif10
ip address 192.168.0.1 255.255.255.0
#
interface Vlanif20
ip address 192.168.1.1 255.255.255.0
#
interface GigabitEthernet0/0/1
port trunk allow-pass vlan 10
#
interface GigabitEthernet0/0/2
port trunk allow-pass vlan 20
#
ospf 1
area 0.0.0.0
network 192.168.0.0 0.0.0.255
area 0.0.0.1
network 192.168.1.0 0.0.0.255
#
return

Configuration file of Switch B


#
sysname SwitchB
#
router id 2.2.2.2
#
vlan batch 10 30
#
interface Vlanif10
ip address 192.168.0.2 255.255.255.0
#
interface Vlanif30
ip address 192.168.2.1 255.255.255.0
#
interface GigabitEthernet0/0/1
port trunk allow-pass vlan 10
#
interface GigabitEthernet0/0/2
port trunk allow-pass vlan 30
#


ospf 1
area 0.0.0.0
network 192.168.0.0 0.0.0.255
area 0.0.0.2
network 192.168.2.0 0.0.0.255
#
return

Configuration file of Switch C


#
sysname SwitchC
#
router id 3.3.3.3
#
vlan batch 20 40
#
interface Vlanif20
ip address 192.168.1.2 255.255.255.0
#
interface Vlanif40
ip address 172.16.1.1 255.255.255.0
#
interface GigabitEthernet0/0/1
port trunk allow-pass vlan 20
#
interface GigabitEthernet0/0/2
port trunk allow-pass vlan 40
#
ospf 1
area 0.0.0.1
network 192.168.1.0 0.0.0.255
network 172.16.1.0 0.0.0.255
#
return

Configuration file of Switch D


#
sysname SwitchD
#
router id 4.4.4.4
#
vlan batch 30 50
#
interface Vlanif30
ip address 192.168.2.2 255.255.255.0
#
interface Vlanif50
ip address 172.17.1.1 255.255.255.0
#
interface GigabitEthernet0/0/1
port trunk allow-pass vlan 30
#
interface GigabitEthernet0/0/2
port trunk allow-pass vlan 50
#
ospf 1
area 0.0.0.2
network 192.168.2.0 0.0.0.255
network 172.17.1.0 0.0.0.255
#
return

Configuration file of Switch E


#
sysname SwitchE
#
router id 5.5.5.5
#
vlan batch 40
#
interface Vlanif40


ip address 172.16.1.2 255.255.255.0


#
interface GigabitEthernet0/0/1
port trunk allow-pass vlan 40
#
ospf 1
area 0.0.0.1
network 172.16.1.0 0.0.0.255
#
return

Configuration file of Switch F


#
sysname SwitchF
#
router id 6.6.6.6
#
vlan batch 50
#
interface Vlanif50
ip address 172.17.1.2 255.255.255.0
#
interface GigabitEthernet0/0/1
port trunk allow-pass vlan 50
#
ospf 1
area 0.0.0.2
network 172.17.1.0 0.0.0.255
#
return

Example for Configuring a Stub Area of OSPF


Networking Requirements
As shown in Figure 5-12, OSPF is enabled on all Switches and the entire AS is partitioned into
three areas. SwitchA and SwitchB function as ABRs to forward routes between areas. SwitchD
functions as the ASBR to import static routes.
The requirement is to configure Area 1 as the stub area, thus reducing the LSAs advertised to
this area without affecting the route reachability.


Figure 5-12 Configuring OSPF stub areas (same topology as Figure 5-11: SwitchA and SwitchB in Area 0; SwitchA, SwitchC and SwitchE in Area 1; SwitchB, SwitchD and SwitchF in Area 2; interfaces and addresses as listed in the table below)

Switch     Interface   VLANIF Interface   IP Address
SwitchA    GE 0/0/1    VLANIF 10          192.168.0.1/24
SwitchA    GE 0/0/2    VLANIF 20          192.168.1.1/24
SwitchB    GE 0/0/1    VLANIF 10          192.168.0.2/24
SwitchB    GE 0/0/2    VLANIF 30          192.168.2.1/24
SwitchC    GE 0/0/1    VLANIF 20          192.168.1.2/24
SwitchC    GE 0/0/2    VLANIF 40          172.16.1.1/24
SwitchD    GE 0/0/1    VLANIF 30          192.168.2.2/24
SwitchD    GE 0/0/2    VLANIF 50          172.17.1.1/24
SwitchE    GE 0/0/1    VLANIF 40          172.16.1.2/24
SwitchF    GE 0/0/1    VLANIF 50          172.17.1.2/24

Configuration Roadmap
The configuration roadmap is as follows:
1. Enable OSPF on each Switch and configure basic OSPF functions.
2. Configure static routes on SwitchD and import them.
3. Configure Area 1 as a stub area. You need to run the stub command on all Switches in Area 1.
4. Do not advertise Type3 LSAs to the stub area on SwitchA.

Data Preparation
To complete the configuration, you need the following data:
• The ID of the VLAN to which each interface belongs is shown in Figure 5-12.
• The IP address of each interface is shown in Figure 5-12.
• The router ID of each Switch, the OSPF process ID, and the area to which each interface belongs are as follows:
The router ID of SwitchA is 1.1.1.1, the OSPF process ID is 1, the network segment of Area 0 is 192.168.0.0/24, and the network segment of Area 1 is 192.168.1.0/24.
The router ID of SwitchB is 2.2.2.2, the OSPF process ID is 1, the network segment of Area 0 is 192.168.0.0/24, and the network segment of Area 2 is 192.168.2.0/24.
The router ID of SwitchC is 3.3.3.3, the OSPF process ID is 1, and the network segments of Area 1 are 192.168.1.0/24 and 172.16.1.0/24.
The router ID of SwitchD is 4.4.4.4, the OSPF process ID is 1, and the network segments of Area 2 are 192.168.2.0/24 and 172.17.1.0/24.
The router ID of SwitchE is 5.5.5.5, the OSPF process ID is 1, and the network segment of Area 1 is 172.16.1.0/24.
The router ID of SwitchF is 6.6.6.6, the OSPF process ID is 1, and the network segment of Area 2 is 172.17.1.0/24.

Configuration Procedure
1. Configure basic OSPF functions. See Example for Configuring Basic OSPF Functions.
2. Configure SwitchD to import static routes.
# Import static routes on SwitchD, as follows:
[SwitchD] ip route-static 200.0.0.0 8 null 0
[SwitchD] ospf
[SwitchD-ospf-1] import-route static type 1
[SwitchD-ospf-1] quit

# Display the ABR or ASBR of SwitchC.
[SwitchC] display ospf abr-asbr
OSPF Process 1 with Router ID 3.3.3.3
Routing Table to ABR and ASBR
Type         Destination   Area      Cost  Nexthop        RtType
Intra-area   1.1.1.1       0.0.0.1   1     192.168.1.1    ABR
Inter-area   4.4.4.4       0.0.0.1   3     192.168.1.1    ASBR

# Check the routing table of an OSPF process of SwitchC.
[SwitchC] display ospf routing
OSPF Process 1 with Router ID 3.3.3.3
Routing Tables
Routing for Network
Destination        Cost  Type        NextHop        AdvRouter  Area
172.16.1.0/24      1     Transit     172.16.1.1     3.3.3.3    0.0.0.1
172.17.1.0/24      4     Inter-area  192.168.1.1    1.1.1.1    0.0.0.1
192.168.0.0/24     2     Inter-area  192.168.1.1    1.1.1.1    0.0.0.1
192.168.1.0/24     1     Transit     192.168.1.2    3.3.3.3    0.0.0.1
192.168.2.0/24     3     Inter-area  192.168.1.1    1.1.1.1    0.0.0.1
Routing for ASEs
Destination        Cost  Type        Tag   NextHop        AdvRouter
200.0.0.0/8        4     Type1       1     192.168.1.1    4.4.4.4
Total Nets: 6
Intra Area: 2  Inter Area: 3  ASE: 1  NSSA: 0

While the area where SwitchC resides is still a common area, the AS external route is present in its routing table.
3. Configure Area 1 as a stub area.
# Configure SwitchA.
[SwitchA] ospf
[SwitchA-ospf-1] area 1
[SwitchA-ospf-1-area-0.0.0.1] stub
[SwitchA-ospf-1-area-0.0.0.1] quit
[SwitchA-ospf-1] quit

# Configure SwitchC.
[SwitchC] ospf
[SwitchC-ospf-1] area 1
[SwitchC-ospf-1-area-0.0.0.1] stub
[SwitchC-ospf-1-area-0.0.0.1] quit
[SwitchC-ospf-1] quit

# Configure SwitchE.
[SwitchE] ospf
[SwitchE-ospf-1] area 1
[SwitchE-ospf-1-area-0.0.0.1] stub
[SwitchE-ospf-1-area-0.0.0.1] quit
[SwitchE-ospf-1] quit

# Check the routing table of SwitchC.
[SwitchC] display ospf routing
OSPF Process 1 with Router ID 3.3.3.3
Routing Tables
Routing for Network
Destination        Cost  Type        NextHop        AdvRouter  Area
0.0.0.0/0          2     Inter-area  192.168.1.1    1.1.1.1    0.0.0.1
172.16.1.0/24      1     Transit     172.16.1.1     3.3.3.3    0.0.0.1
172.17.1.0/24      4     Inter-area  192.168.1.1    1.1.1.1    0.0.0.1
192.168.0.0/24     2     Inter-area  192.168.1.1    1.1.1.1    0.0.0.1
192.168.1.0/24     1     Transit     192.168.1.2    3.3.3.3    0.0.0.1
192.168.2.0/24     3     Inter-area  192.168.1.1    1.1.1.1    0.0.0.1
Total Nets: 6
Intra Area: 2  Inter Area: 4  ASE: 0  NSSA: 0

Once the area where SwitchC resides is configured as a stub area, the AS external route no longer appears; instead, a default route pointing out of the area is installed.
# Disable SwitchA from advertising Type3 LSAs to the stub area.
[SwitchA] ospf
[SwitchA-ospf-1] area 1
[SwitchA-ospf-1-area-0.0.0.1] stub no-summary
[SwitchA-ospf-1-area-0.0.0.1] quit
[SwitchA-ospf-1] quit

4. Verify the configuration.
# Check the OSPF routing table of SwitchC.
[SwitchC] display ospf routing
OSPF Process 1 with Router ID 3.3.3.3
Routing Tables
Routing for Network
Destination        Cost  Type        NextHop        AdvRouter  Area
0.0.0.0/0          2     Inter-area  192.168.1.1    1.1.1.1    0.0.0.1
172.16.1.0/24      1     Transit     172.16.1.1     3.3.3.3    0.0.0.1
192.168.1.0/24     1     Transit     192.168.1.2    3.3.3.3    0.0.0.1
Total Nets: 3
Intra Area: 2  Inter Area: 1  ASE: 0  NSSA: 0

After the advertisement of Summary-LSAs to the stub area is disabled, the route entries are reduced further. The AS external routes are invisible in the routing table; instead, there is a default route.

Configuration Files
• Configuration file of SwitchA


#
sysname SwitchA
#
router id 1.1.1.1
#
vlan batch 10 20
#
interface Vlanif10
ip address 192.168.0.1 255.255.255.0
#
interface Vlanif20
ip address 192.168.1.1 255.255.255.0
#
interface GigabitEthernet0/0/1
port trunk allow-pass vlan 10
#
interface GigabitEthernet0/0/2
port trunk allow-pass vlan 20
#
ospf 1
area 0.0.0.0
network 192.168.0.0 0.0.0.255
area 0.0.0.1
network 192.168.1.0 0.0.0.255
stub no-summary
#
return
NOTE

The configuration files of SwitchB and SwitchF are unchanged from the Example for Configuring Basic OSPF Functions and are not repeated here.

Configuration file of SwitchC


#
sysname SwitchC
#
router id 3.3.3.3
#
vlan batch 20 40
#
interface Vlanif20
ip address 192.168.1.2 255.255.255.0
#
interface Vlanif40
ip address 172.16.1.1 255.255.255.0
#
interface GigabitEthernet0/0/1
port trunk allow-pass vlan 20
#
interface GigabitEthernet0/0/2
port trunk allow-pass vlan 40
#
ospf 1
area 0.0.0.1
network 192.168.1.0 0.0.0.255
network 172.16.1.0 0.0.0.255
stub
#
return


Configuration file of SwitchD


#
sysname SwitchD
#
vlan batch 30 50
#
router id 4.4.4.4
#
interface Vlanif30
ip address 192.168.2.2 255.255.255.0
#
interface Vlanif50
ip address 172.17.1.1 255.255.255.0
#
interface GigabitEthernet0/0/1
port trunk allow-pass vlan 30
#
interface GigabitEthernet0/0/2
port trunk allow-pass vlan 50
#
ospf 1
import-route static type 1
area 0.0.0.2
network 192.168.2.0 0.0.0.255
network 172.17.1.0 0.0.0.255
#
ip route-static 200.0.0.0 255.0.0.0 NULL0
#
return

Configuration file of SwitchE


#
sysname SwitchE
#
router id 5.5.5.5
#
vlan batch 40
#
interface Vlanif40
ip address 172.16.1.2 255.255.255.0
#
interface GigabitEthernet0/0/1
port trunk allow-pass vlan 40
#
ospf 1
area 0.0.0.1
network 172.16.1.0 0.0.0.255
stub
#
return

Example for Configuring an OSPF NSSA Area


Networking Requirements
As shown in Figure 5-13, OSPF is enabled on all Switches and the entire AS is partitioned into
three areas. SwitchA and SwitchB function as ABRs to forward routes between areas. SwitchD
functions as the ASBR to import external routes (static routes).
The requirement is to configure Area 1 as an NSSA area and configure SwitchC as an ASBR to
import external routes (static routes). The routing information can be transmitted correctly in
the AS.


Figure 5-13 Configuring OSPF NSSA areas (same topology as Figure 5-11: SwitchA and SwitchB in Area 0; SwitchA, SwitchC and SwitchE in Area 1; SwitchB, SwitchD and SwitchF in Area 2; interfaces and addresses as listed in the table below)

Switch     Interface   VLANIF Interface   IP Address
SwitchA    GE 0/0/1    VLANIF 10          192.168.0.1/24
SwitchA    GE 0/0/2    VLANIF 20          192.168.1.1/24
SwitchB    GE 0/0/1    VLANIF 10          192.168.0.2/24
SwitchB    GE 0/0/2    VLANIF 30          192.168.2.1/24
SwitchC    GE 0/0/1    VLANIF 20          192.168.1.2/24
SwitchC    GE 0/0/2    VLANIF 40          172.16.1.1/24
SwitchD    GE 0/0/1    VLANIF 30          192.168.2.2/24
SwitchD    GE 0/0/2    VLANIF 50          172.17.1.1/24
SwitchE    GE 0/0/1    VLANIF 40          172.16.1.2/24
SwitchF    GE 0/0/1    VLANIF 50          172.17.1.2/24

Configuration Roadmap
The configuration roadmap is as follows:
1. Enable OSPF on each Switch and configure basic OSPF functions.
2. Configure static routes on SwitchD and import them into OSPF.
3. Configure Area 1 as an NSSA area (run the nssa command on all routers in Area 1) and check the OSPF routing information of SwitchC.
4. Configure static routes on SwitchC, import them into OSPF, and check the OSPF routing information of SwitchD.

Data Preparation
To complete the configuration, you need the following data:
• The ID of the VLAN to which each interface belongs is shown in Figure 5-13.
• The IP address of each interface is shown in Figure 5-13.
• The router ID of each Switch, the OSPF process ID, and the area to which each interface belongs are as follows:
The router ID of SwitchA is 1.1.1.1, the OSPF process ID is 1, the network segment of Area 0 is 192.168.0.0/24, and the network segment of Area 1 is 192.168.1.0/24.
The router ID of SwitchB is 2.2.2.2, the OSPF process ID is 1, the network segment of Area 0 is 192.168.0.0/24, and the network segment of Area 2 is 192.168.2.0/24.
The router ID of SwitchC is 3.3.3.3, the OSPF process ID is 1, and the network segments of Area 1 are 192.168.1.0/24 and 172.16.1.0/24.
The router ID of SwitchD is 4.4.4.4, the OSPF process ID is 1, and the network segments of Area 2 are 192.168.2.0/24 and 172.17.1.0/24.
The router ID of SwitchE is 5.5.5.5, the OSPF process ID is 1, and the network segment of Area 1 is 172.16.1.0/24.
The router ID of SwitchF is 6.6.6.6, the OSPF process ID is 1, and the network segment of Area 2 is 172.17.1.0/24.

Configuration Procedure
1. Configure basic OSPF functions. See Example for Configuring Basic OSPF Functions.
2. Configure SwitchD to import static routes. See Example for Configuring a Stub Area of OSPF.
3. Configure Area 1 as an NSSA area.

# Configure SwitchA.
[SwitchA] ospf
[SwitchA-ospf-1] area 1
[SwitchA-ospf-1-area-0.0.0.1] nssa default-route-advertise no-summary
[SwitchA-ospf-1-area-0.0.0.1] quit
[SwitchA-ospf-1] quit

# Configure SwitchC.
[SwitchC] ospf
[SwitchC-ospf-1] area 1
[SwitchC-ospf-1-area-0.0.0.1] nssa
[SwitchC-ospf-1-area-0.0.0.1] quit
[SwitchC-ospf-1] quit

# Configure SwitchE.
[SwitchE] ospf
[SwitchE-ospf-1] area 1
[SwitchE-ospf-1-area-0.0.0.1] nssa
[SwitchE-ospf-1-area-0.0.0.1] quit
[SwitchE-ospf-1] quit
NOTE
Run the nssa default-route-advertise no-summary command on SwitchA, the ABR of Area 1, so that the routing tables of the devices in the NSSA area stay small. On the other devices in the NSSA area, the nssa command alone is sufficient.

# Check the OSPF routing table of SwitchC.
[SwitchC] display ospf routing
OSPF Process 1 with Router ID 3.3.3.3
Routing Tables
Routing for Network
Destination        Cost  Type        NextHop        AdvRouter  Area
0.0.0.0/0          2     Inter-area  192.168.1.1    1.1.1.1    0.0.0.1
172.16.1.0/24      1     Transit     172.16.1.1     3.3.3.3    0.0.0.1
192.168.1.0/24     1     Transit     192.168.1.2    3.3.3.3    0.0.0.1
Total Nets: 3
Intra Area: 2  Inter Area: 1  ASE: 0  NSSA: 0

4. Configure SwitchC to import static routes.

# Import static routes on SwitchC, as follows:
[SwitchC] ip route-static 100.0.0.0 8 null 0
[SwitchC] ospf
[SwitchC-ospf-1] import-route static
[SwitchC-ospf-1] quit

5. Verify the configuration.

# Check the OSPF routing table of SwitchD.
[SwitchD] display ospf routing
OSPF Process 1 with Router ID 4.4.4.4
Routing Tables
Routing for Network
Destination        Cost  Type        NextHop        AdvRouter  Area
172.16.1.0/24      4     Inter-area  192.168.2.1    2.2.2.2    0.0.0.2
172.17.1.0/24      1     Transit     172.17.1.1     4.4.4.4    0.0.0.2
192.168.0.0/24     2     Inter-area  192.168.2.1    2.2.2.2    0.0.0.2
192.168.1.0/24     3     Inter-area  192.168.2.1    2.2.2.2    0.0.0.2
192.168.2.0/24     1     Transit     192.168.2.2    4.4.4.4    0.0.0.2
Routing for ASEs
Destination        Cost  Type   Tag   NextHop        AdvRouter
100.0.0.0/8        1     Type2  1     192.168.2.1    1.1.1.1
Total Nets: 6
Intra Area: 2  Inter Area: 3  ASE: 1  NSSA: 0

You can view one imported AS external route on SwitchD in the NSSA area.
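To check an NSSA deployment like this one from the CLI output rather than by eye, the following Python script (an added example, not part of the AC6605 guide) parses the display ospf routing output of SwitchC and SwitchD, embedded below as constructed strings copied from the two tables above, and answers the questions the verification steps ask: does the NSSA-internal router hold the default route and no ASE routes, and is the single AS-external route seen in Area 2 advertised by the expected NSSA ABR? The allowed-ABR set {1.1.1.1} is an assumption for this topology; any other AdvRouter on a route that should have been translated by SwitchA would point to a misconfiguration or an unexpected route source.

```python
"""Parse 'display ospf routing' output and check what an NSSA should (not) show.

Added example, not part of the AC6605 guide. The two sample outputs are the
SwitchC and SwitchD tables from this example, embedded as constructed strings
so the script runs offline. The allowed-translator set is an assumption for
this topology: only SwitchA (1.1.1.1), the ABR of Area 1, should appear as
AdvRouter of an external route that came out of the NSSA.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, List

SWITCHC_OUTPUT = """\
OSPF Process 1 with Router ID 3.3.3.3
Routing Tables
Routing for Network
Destination        Cost  Type        NextHop        AdvRouter  Area
0.0.0.0/0          2     Inter-area  192.168.1.1    1.1.1.1    0.0.0.1
172.16.1.0/24      1     Transit     172.16.1.1     3.3.3.3    0.0.0.1
192.168.1.0/24     1     Transit     192.168.1.2    3.3.3.3    0.0.0.1
Total Nets: 3
Intra Area: 2  Inter Area: 1  ASE: 0  NSSA: 0
"""

SWITCHD_OUTPUT = """\
OSPF Process 1 with Router ID 4.4.4.4
Routing Tables
Routing for Network
Destination        Cost  Type        NextHop        AdvRouter  Area
172.16.1.0/24      4     Inter-area  192.168.2.1    2.2.2.2    0.0.0.2
172.17.1.0/24      1     Transit     172.17.1.1     4.4.4.4    0.0.0.2
192.168.0.0/24     2     Inter-area  192.168.2.1    2.2.2.2    0.0.0.2
192.168.1.0/24     3     Inter-area  192.168.2.1    2.2.2.2    0.0.0.2
192.168.2.0/24     1     Transit     192.168.2.2    4.4.4.4    0.0.0.2
Routing for ASEs
Destination        Cost  Type   Tag   NextHop        AdvRouter
100.0.0.0/8        1     Type2  1     192.168.2.1    1.1.1.1
Total Nets: 6
Intra Area: 2  Inter Area: 3  ASE: 1  NSSA: 0
"""


@dataclass
class Route:
    destination: str
    cost: int
    rtype: str
    next_hop: str
    adv_router: str
    area: str = ""   # only network routes carry an area
    tag: int = 0     # only ASE routes carry a tag


def parse_ospf_routing(text: str) -> Dict[str, List[Route]]:
    """Split the output into its 'Network' and 'ASEs' sections and parse the rows."""
    routes: Dict[str, List[Route]] = {"network": [], "ase": []}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Routing for Network"):
            section = "network"
            continue
        if line.startswith("Routing for ASEs"):
            section = "ase"
            continue
        if line.startswith("Total Nets"):
            break                      # summary lines follow; nothing more to parse
        if section is None or not line or line.startswith("Destination"):
            continue                   # preamble, blank, or column header
        f = line.split()
        if section == "network":       # Destination Cost Type NextHop AdvRouter Area
            routes["network"].append(Route(f[0], int(f[1]), f[2], f[3], f[4], area=f[5]))
        else:                          # Destination Cost Type Tag NextHop AdvRouter
            routes["ase"].append(Route(f[0], int(f[1]), f[2], f[4], f[5], tag=int(f[3])))
    return routes


def type_counts(text: str) -> Counter:
    """How many routes of each type the device holds (ASE counted separately)."""
    parsed = parse_ospf_routing(text)
    counts = Counter(r.rtype for r in parsed["network"])
    counts["ASE"] = len(parsed["ase"])
    return counts


def has_default_route(text: str) -> bool:
    return any(r.destination == "0.0.0.0/0" for r in parse_ospf_routing(text)["network"])


def unexpected_translators(text: str, allowed_abrs: Iterable[str]) -> List[str]:
    """Prefixes whose AS-external route is advertised by a router outside the allowed set."""
    allowed = set(allowed_abrs)
    return [r.destination for r in parse_ospf_routing(text)["ase"] if r.adv_router not in allowed]


if __name__ == "__main__":
    print("SwitchC:", dict(type_counts(SWITCHC_OUTPUT)), "default route:", has_default_route(SWITCHC_OUTPUT))
    print("SwitchD:", dict(type_counts(SWITCHD_OUTPUT)),
          "unexpected translators:", unexpected_translators(SWITCHD_OUTPUT, {"1.1.1.1"}))
```

The parser splits rows on whitespace, so it does not depend on the column widths shown above; the allowed-ABR set passed to unexpected_translators is the one thing to adapt when the topology differs.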

Configuration Files
- Configuration file of SwitchA

#
sysname SwitchA
#
router id 1.1.1.1
#
vlan batch 10 20
#
interface Vlanif10
ip address 192.168.0.1 255.255.255.0
#
interface Vlanif20
ip address 192.168.1.1 255.255.255.0
#
interface GigabitEthernet0/0/1
port trunk allow-pass vlan 10
#
interface GigabitEthernet0/0/2
port trunk allow-pass vlan 20
#
ospf 1
area 0.0.0.0
network 192.168.0.0 0.0.0.255
area 0.0.0.1
network 192.168.1.0 0.0.0.255
nssa default-route-advertise no-summary
#
return

NOTE
Configuration files of SwitchB, SwitchD, and SwitchF are the same as the configuration file of SwitchA, and are not mentioned here.

- Configuration file of SwitchC

#
sysname SwitchC
#
router id 3.3.3.3
#
vlan batch 20 40
#
interface Vlanif20
ip address 192.168.1.2 255.255.255.0
#
interface Vlanif40
ip address 172.16.1.1 255.255.255.0
#
interface GigabitEthernet0/0/1
port trunk allow-pass vlan 20
#
interface GigabitEthernet0/0/2
port trunk allow-pass vlan 40
#
ospf 1
import-route static
area 0.0.0.1
network 192.168.1.0 0.0.0.255
network 172.16.1.0 0.0.0.255
nssa
#
ip route-static 100.0.0.0 255.0.0.0 NULL0
#
return

- Configuration file of SwitchE

#
sysname SwitchE
#
router id 5.5.5.5
#
vlan batch 40
#
interface Vlanif40
ip address 172.16.1.2 255.255.255.0
#
interface GigabitEthernet0/0/1
port trunk allow-pass vlan 40
#
ospf 1
area 0.0.0.1
network 172.16.1.0 0.0.0.255
nssa
#
return

Example for Configuring DR Election of an OSPF Process


Networking Requirements
As shown in Figure 5-14, Switch A has the highest priority of 100 in the network and is selected
as DR. Switch C has the second highest priority, and is selected as BDR. The priority of Switch
B is 0, so Switch B cannot be selected as DR. The priority of Switch D is not configured and its
default value is 1.

Figure 5-14 Networking diagram for configuring DR election of an OSPF process

[Figure: Switch A, Switch B, Switch C, and Switch D are attached to one broadcast network segment through GE 0/0/1, as listed in the table below.]

Switch    Interface   VLANIF      IP address
SwitchA   GE 0/0/1    VLANIF 10   192.168.1.1/24
SwitchB   GE 0/0/1    VLANIF 10   192.168.1.2/24
SwitchC   GE 0/0/1    VLANIF 10   192.168.1.3/24
SwitchD   GE 0/0/1    VLANIF 10   192.168.1.4/24

Configuration Roadmap
The configuration roadmap is as follows:
1. Create the VLAN to which each interface belongs.
2. Assign an IP address to each VLANIF interface.
3. Configure the router ID of each Switch, enable OSPF, and specify network segments.
4. Check the DR or BDR status of each Switch.
5. Set the DR priority of the interface and check the DR or BDR status.

Data Preparation
To complete the configuration, you need the following data:
- The ID of the VLAN to which each interface belongs is shown in Figure 5-14.
- The IP address of each interface is shown in Figure 5-14.
- The router ID of each Switch, the OSPF process ID, the area to which each interface belongs, and the DR priority are as follows:
  - The router ID of Switch A is 1.1.1.1, the OSPF process ID is 1, the network segment of Area 0 is 192.168.1.0/24, and the DR priority is 100.
  - The router ID of Switch B is 2.2.2.2, the OSPF process ID is 1, the network segment of Area 0 is 192.168.1.0/24, and the DR priority is 0.
  - The router ID of Switch C is 3.3.3.3, the OSPF process ID is 1, the network segment of Area 0 is 192.168.1.0/24, and the DR priority is 2.
  - The router ID of Switch D is 4.4.4.4, the OSPF process ID is 1, the network segment of Area 0 is 192.168.1.0/24, and the DR priority is 1.

Issue 04 (2013-06-15)

Huawei Proprietary and Confidential


Copyright Huawei Technologies Co., Ltd.

779

AC6605 Access Controller


Configuration Guide

5 Configuration Guide - IP Routing

Configuration Procedure
1.

Create a VLAN to which each interface belongs.


The configuration details are not mentioned here.

2.

Assign an IP address to each interface.


The configuration details are not mentioned here.

3.

Example for Configuring Basic OSPF Functions.


# Configure Switch A.
[SwitchA] router id 1.1.1.1
[SwitchA] ospf
[SwitchA-ospf-1] area 0
[SwitchA-ospf-1-area-0.0.0.0] network 192.168.1.0 0.0.0.255
[SwitchA-ospf-1-area-0.0.0.0] quit
[SwitchA-ospf-1] quit

# Configure Switch B.
[SwitchB] router id 2.2.2.2
[SwitchB] ospf
[SwitchB-ospf-1] area 0
[SwitchB-ospf-1-area-0.0.0.0] network 192.168.1.0 0.0.0.255
[SwitchB-ospf-1-area-0.0.0.0] quit
[SwitchB-ospf-1] quit

# Configure Switch C.
[SwitchC] router id 3.3.3.3
[SwitchC] ospf
[SwitchC-ospf-1] area 0
[SwitchC-ospf-1-area-0.0.0.0] network 192.168.1.0 0.0.0.255
[SwitchC-ospf-1-area-0.0.0.0] quit
[SwitchC-ospf-1] quit

# Configure Switch D.
[SwitchD] router id 4.4.4.4
[SwitchD] ospf
[SwitchD-ospf-1] area 0
[SwitchD-ospf-1-area-0.0.0.0] network 192.168.1.0 0.0.0.255
[SwitchD-ospf-1-area-0.0.0.0] quit
[SwitchD-ospf-1] quit

# Check the DR or BDR status.


[SwitchA] display ospf peer
OSPF Process 1 with Router ID 1.1.1.1
Neighbors
Area 0.0.0.0 interface 192.168.1.1(Vlanif10)'s neighbors
Router ID: 2.2.2.2
Address: 192.168.1.2
State: 2-Way Mode:Nbr is Master Priority: 1
DR: 192.168.1.4 BDR: 192.168.1.3 MTU: 0
Dead timer due in 32 sec
Retrans timer interval: 5
Neighbor is up for 00:00:00
Authentication Sequence: [ 0 ]
Router ID: 3.3.3.3
Address: 192.168.1.3
State: Full Mode:Nbr is Master Priority: 1
DR: 192.168.1.4 BDR: 192.168.1.3 MTU: 0
Dead timer due in 37 sec
Retrans timer interval: 5
Neighbor is up for 00:04:06
Authentication Sequence: [ 0 ]
Router ID: 4.4.4.4
Address: 192.168.1.4
State: Full Mode:Nbr is Master Priority: 1
DR: 192.168.1.4 BDR: 192.168.1.3 MTU: 0

Dead timer due in 37 sec
Retrans timer interval: 5
Neighbor is up for 00:03:53
Authentication Sequence: [ 0 ]

Check the neighbor information of Switch A. You can view the DR priority and the neighbor status. By default, the DR priority is 1. Switch D is now the DR and Switch C is the BDR.
NOTE
When the priorities are the same, the Switch with the higher router ID is elected as the DR. Once an Ethernet interface of a Switch has become the DR, that Switch is favored as the DR in later elections; that is, the existing DR remains the DR. The DR cannot be preempted.

4. Configure DR priorities on the interfaces.


# Configure Switch A.
[SwitchA] interface Vlanif 10
[SwitchA-Vlanif10] ospf dr-priority 100
[SwitchA-Vlanif10] quit

# Configure Switch B.
[SwitchB] interface Vlanif 10
[SwitchB-Vlanif10] ospf dr-priority 0
[SwitchB-Vlanif10] quit

# Configure Switch C.
[SwitchC] interface Vlanif 10
[SwitchC-Vlanif10] ospf dr-priority 2
[SwitchC-Vlanif10] quit

# View the DR or BDR status.


[SwitchD] display ospf peer
OSPF Process 1 with Router ID 4.4.4.4
Neighbors
Area 0.0.0.0 interface 192.168.1.4(Vlanif10)'s neighbors
Router ID: 1.1.1.1
Address: 192.168.1.1
State: Full Mode:Nbr is Slave Priority: 100
DR: 192.168.1.4 BDR: 192.168.1.3 MTU: 0
Dead timer due in 31 sec
Retrans timer interval: 5
Neighbor is up for 00:11:17
Authentication Sequence: [ 0 ]
Router ID: 2.2.2.2
Address: 192.168.1.2
State: Full Mode:Nbr is Slave Priority: 0
DR: 192.168.1.4 BDR: 192.168.1.3 MTU: 0
Dead timer due in 35 sec
Retrans timer interval: 5
Neighbor is up for 00:11:19
Authentication Sequence: [ 0 ]
Router ID: 3.3.3.3
Address: 192.168.1.3
State: Full Mode:Nbr is Slave Priority: 2
DR: 192.168.1.4 BDR: 192.168.1.3 MTU: 0
Dead timer due in 33 sec
Retrans timer interval: 5
Neighbor is up for 00:11:15
Authentication Sequence: [ 0 ]
NOTE
The DR priority configured on an interface does not take effect immediately, because the existing DR and BDR are not preempted. The new priorities are used only after the OSPF process is restarted.

5. Restart OSPF processes.
   On each Switch, run the reset ospf 1 process command in the user view to restart the OSPF process.
6. Verify the configuration.


# Check the status of OSPF neighbors.
[SwitchD] display ospf peer
OSPF Process 1 with Router ID 4.4.4.4
Neighbors
Area 0.0.0.0 interface 192.168.1.4(Vlanif10)'s neighbors
Router ID: 1.1.1.1
Address: 192.168.1.1
State: Full Mode:Nbr is Master Priority: 100
DR: 192.168.1.1 BDR: 192.168.1.3 MTU: 0
Dead timer due in 35 sec
Retrans timer interval: 5
Neighbor is up for 00:07:19
Authentication Sequence: [ 0 ]
Router ID: 2.2.2.2
Address: 192.168.1.2
State: 2-Way Mode:Nbr is Slave Priority: 0
DR: 192.168.1.1 BDR: 192.168.1.3 MTU: 0
Dead timer due in 35 sec
Retrans timer interval: 5
Neighbor is up for 00:00:00
Authentication Sequence: [ 0 ]
Router ID: 3.3.3.3
Address: 192.168.1.3
State: Full Mode:Nbr is Slave Priority: 2
DR: 192.168.1.1 BDR: 192.168.1.3 MTU: 0
Dead timer due in 37 sec
Retrans timer interval: 5
Neighbor is up for 00:07:17
Authentication Sequence: [ 0 ]

# Check the status of the interfaces enabled with OSPF.
[SwitchA] display ospf interface
OSPF Process 1 with Router ID 1.1.1.1
Interfaces
Area: 0.0.0.0
IP Address      Type       State    Cost  Pri  DR             BDR
192.168.1.1     Broadcast  DR       1     100  192.168.1.1    192.168.1.3

[SwitchB] display ospf interface
OSPF Process 1 with Router ID 2.2.2.2
Interfaces
Area: 0.0.0.0
IP Address      Type       State    Cost  Pri  DR             BDR
192.168.1.2     Broadcast  DROther  1     0    192.168.1.1    192.168.1.3

All neighbors of SwitchA are in the Full state, which indicates that SwitchA has set up adjacencies with all of them. If a neighbor stays in the 2-Way state, neither of the two Switches is the DR or the BDR, so they do not need to exchange LSAs with each other.
All other neighbors are DROthers, which indicates that they are neither DRs nor BDRs.
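The three DR/BDR outcomes shown in this example (default priorities, priorities changed while the old DR stays up, and after reset ospf 1 process) all follow from the election rules of RFC 2328 section 9.4. The Python model below is an added example, not code from the AC6605 guide; it takes the router IDs and DR priorities from the Data Preparation above and represents "what the routers on the segment currently declare" with the current_dr and current_bdr arguments, which is how the non-preemption described in the NOTE arises. The DR is identified by router ID here, whereas the display ospf peer output shows the DR's interface address.

```python
"""OSPF DR/BDR election on a broadcast segment (RFC 2328 section 9.4), worked on
the four Switches of this example. Added example; not code from the AC6605 guide.

Each router is (router_id, priority). 'current_dr' / 'current_bdr' model what the
routers on the segment currently declare: an established DR keeps its role until
the process restarts, which is the non-preemption the guide's NOTE describes.
"""
from typing import List, Optional, Tuple

Router = Tuple[str, int]   # (router ID in dotted form, interface DR priority)


def _ip_key(router_id: str) -> Tuple[int, ...]:
    """Numeric tuple so '10.0.0.1' sorts above '9.0.0.1' (string order would not)."""
    return tuple(int(octet) for octet in router_id.split("."))


def _best(cands: List[Router]) -> Optional[Router]:
    """Highest priority wins; ties are broken by the highest router ID."""
    return max(cands, key=lambda r: (r[1], _ip_key(r[0])), default=None)


def elect(routers: List[Router], current_dr: Optional[str] = None,
          current_bdr: Optional[str] = None) -> Tuple[Optional[str], Optional[str]]:
    """Return (dr_id, bdr_id). Priority-0 routers are ineligible (RFC 2328 9.4 step 1)."""
    eligible = [r for r in routers if r[1] > 0]
    eligible_ids = {r[0] for r in eligible}
    # Step 2, BDR: routers declaring themselves DR are excluded; routers declaring
    # themselves BDR are preferred; otherwise the best of the rest is taken.
    not_dr = [r for r in eligible if r[0] != current_dr]
    declaring_bdr = [r for r in not_dr if r[0] == current_bdr]
    bdr = _best(declaring_bdr) or _best(not_dr)
    # Step 3, DR: a router that already declares itself DR keeps the role (no
    # preemption). If nobody does, the freshly elected BDR is promoted and the
    # BDR election is re-run without it.
    if current_dr in eligible_ids:
        dr = next(r for r in eligible if r[0] == current_dr)
    else:
        dr = bdr
        bdr = _best([r for r in not_dr if r is not dr])
    return (dr[0] if dr else None, bdr[0] if bdr else None)


# Constructed from the guide's Data Preparation: A=1.1.1.1, B=2.2.2.2, C=3.3.3.3, D=4.4.4.4.
DEFAULT_PRIORITIES: List[Router] = [("1.1.1.1", 1), ("2.2.2.2", 1), ("3.3.3.3", 1), ("4.4.4.4", 1)]
CONFIGURED_PRIORITIES: List[Router] = [("1.1.1.1", 100), ("2.2.2.2", 0), ("3.3.3.3", 2), ("4.4.4.4", 1)]


def walk_through() -> List[Tuple[Optional[str], Optional[str]]]:
    """The three states seen in the guide: default priorities, priorities changed
    while the old DR/BDR are still declared, and after 'reset ospf 1 process'."""
    first = elect(DEFAULT_PRIORITIES)                 # all equal -> highest router ID wins
    unchanged = elect(CONFIGURED_PRIORITIES, *first)  # old DR/BDR still declared: no preemption
    after_reset = elect(CONFIGURED_PRIORITIES)        # fresh election with the new priorities
    return [first, unchanged, after_reset]


if __name__ == "__main__":
    for label, (dr, bdr) in zip(("default", "reconfigured", "after reset"), walk_through()):
        print(f"{label:>12}: DR={dr} BDR={bdr}")
```

The walk-through reproduces the guide's outputs: 4.4.4.4 (192.168.1.4) and 3.3.3.3 as DR and BDR at first, the same pair after the priorities are changed, and 1.1.1.1 and 3.3.3.3 after the restart, with 2.2.2.2 never eligible because its priority is 0.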

Configuration Files
- Configuration file of SwitchA

#
sysname SwitchA
#

router id 1.1.1.1
#
vlan batch 10
#
interface Vlanif10
ip address 192.168.1.1 255.255.255.0
ospf dr-priority 100
#
interface GigabitEthernet0/0/1
port trunk allow-pass vlan 10
#
ospf 1
area 0.0.0.0
network 192.168.1.0 0.0.0.255
#
return

- Configuration file of SwitchB

#
sysname SwitchB
#
router id 2.2.2.2
#
vlan batch 10
#
interface Vlanif10
ip address 192.168.1.2 255.255.255.0
ospf dr-priority 0
#
interface GigabitEthernet0/0/1
port trunk allow-pass vlan 10
#
ospf 1
area 0.0.0.0
network 192.168.1.0 0.0.0.255
#
return

- Configuration file of SwitchC

#
sysname SwitchC
#
router id 3.3.3.3
#
vlan batch 10
#
interface Vlanif10
ip address 192.168.1.3 255.255.255.0
ospf dr-priority 2
#
interface GigabitEthernet0/0/1
port trunk allow-pass vlan 10
#
ospf 1
area 0.0.0.0
network 192.168.1.0 0.0.0.255
#
return

- Configuration file of SwitchD

#
sysname SwitchD
#
router id 4.4.4.4
#
vlan batch 10
#
interface Vlanif10
ip address 192.168.1.4 255.255.255.0
#
interface GigabitEthernet0/0/1

port trunk allow-pass vlan 10
#
ospf 1
area 0.0.0.0
network 192.168.1.0 0.0.0.255
#
return

Example for Configuring OSPF Load Balancing

Networking Requirements
As shown in Figure 5-15:
- SwitchA, SwitchB, SwitchC, and SwitchD connect to each other through OSPF.
- SwitchA, SwitchB, SwitchC, and SwitchD belong to Area 0.
- Load balancing is performed between SwitchB and SwitchC. The traffic of SwitchA is sent to SwitchD by SwitchB and SwitchC.

Figure 5-15 Networking diagram for configuring OSPF load balancing

[Figure: Switch A connects to Switch B through GE 0/0/1 and to Switch C through GE 0/0/2; Switch B and Switch C each connect to Switch D; all four Switches are in Area 0. Interfaces and addresses are listed in the table below.]

Device    Interface   VLANIF Interface   IP Address
SwitchA   GE 0/0/1    VLANIF 10          10.1.1.1/24
SwitchA   GE 0/0/2    VLANIF 20          10.1.2.1/24
SwitchA   GE 0/0/3    VLANIF 50          172.16.1.1/24
SwitchB   GE 0/0/1    VLANIF 10          10.1.1.2/24
SwitchB   GE 0/0/2    VLANIF 30          192.168.0.1/24
SwitchC   GE 0/0/1    VLANIF 20          10.1.2.2/24
SwitchC   GE 0/0/2    VLANIF 40          192.168.1.1/24
SwitchD   GE 0/0/1    VLANIF 30          192.168.0.2/24
SwitchD   GE 0/0/2    VLANIF 40          192.168.1.2/24
SwitchD   GE 0/0/3    VLANIF 60          172.17.1.1/24

Configuration Roadmap
The configuration roadmap is as follows:
1. Enable OSPF on each Switch to implement interconnection.
2. Cancel load balancing and check the routing table.
3. (Optional) Set the preferences for equal-cost routes on SwitchA.

Data Preparation
To configure OSPF load balancing, you need the following data:
- The ID of the VLAN to which each interface belongs is shown in Figure 5-15.
- The IP address of each interface is shown in Figure 5-15.
- The router ID of each Switch, the OSPF process ID, and the area to which each interface belongs are as follows:
  - The router ID of SwitchA is 1.1.1.1, the OSPF process ID is 1, and the network segments of Area 0 are 10.1.1.0/24, 10.1.2.0/24, and 172.16.1.0/24.
  - The router ID of SwitchB is 2.2.2.2, the OSPF process ID is 1, and the network segments of Area 0 are 10.1.1.0/24 and 192.168.0.0/24.
  - The router ID of SwitchC is 3.3.3.3, the OSPF process ID is 1, and the network segments of Area 0 are 10.1.2.0/24 and 192.168.1.0/24.
  - The router ID of SwitchD is 4.4.4.4, the OSPF process ID is 1, and the network segments of Area 0 are 172.17.1.0/24, 192.168.0.0/24, and 192.168.1.0/24.
- The number of routes for load balancing on SwitchA is 1.
- The preference of the equal-cost route of SwitchC is 1.

Configuration Procedure
1. Create a VLAN to which each interface belongs.
   The configuration details are not mentioned here.
2. Assign an IP address to each interface.
   The configuration details are not mentioned here.
3. Configure basic OSPF functions. See Example for Configuring Basic OSPF Functions.
4. Cancel load balancing on SwitchA.

[SwitchA] ospf
[SwitchA-ospf-1] maximum load-balancing 1
[SwitchA-ospf-1] quit

# Check the routing table of SwitchA.


[SwitchA] display ip routing-table
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
         Destinations : 13       Routes : 13

Destination/Mask    Proto   Pre  Cost   Flags  NextHop         Interface
10.1.1.0/24         Direct  0    0      D      10.1.1.1        Vlanif10
10.1.1.1/32         Direct  0    0      D      127.0.0.1       InLoopBack0
10.1.1.2/32         Direct  0    0      D      10.1.1.2        Vlanif10
10.1.2.0/24         Direct  0    0      D      10.1.2.1        Vlanif20
10.1.2.1/32         Direct  0    0      D      127.0.0.1       InLoopBack0
10.1.2.2/32         Direct  0    0      D      10.1.2.2        Vlanif20
127.0.0.0/8         Direct  0    0      D      127.0.0.1       InLoopBack0
127.0.0.1/32        Direct  0    0      D      127.0.0.1       InLoopBack0
172.16.1.0/24       Direct  0    0      D      172.16.1.1      Vlanif50
172.16.1.1/32       Direct  0    0      D      127.0.0.1       InLoopBack0
172.17.1.0/24       OSPF    10   3      D      10.1.1.2        Vlanif10
192.168.0.0/24      OSPF    10   2      D      10.1.1.2        Vlanif10
192.168.1.0/24      OSPF    10   2      D      10.1.2.2        Vlanif20


As shown in the routing table, when the maximum number of the equal-cost routes is 1,
the next hop to the destination network segment 172.17.1.0 is 10.1.1.2.
NOTE
In the preceding example, 10.1.1.2 is selected as the optimal next hop. This is because OSPF selects one of the equal-cost next hops randomly.

5. Restore the default number of routes for load balancing on SwitchA.

[SwitchA] ospf
[SwitchA-ospf-1] undo maximum load-balancing
[SwitchA-ospf-1] quit

# Check the routing table of SwitchA.


[SwitchA] display ip routing-table
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
         Destinations : 11       Routes : 12

Destination/Mask    Proto   Pre  Cost   Flags  NextHop         Interface
10.1.1.0/24         Direct  0    0      D      10.1.1.1        Vlanif10
10.1.1.1/32         Direct  0    0      D      127.0.0.1       InLoopBack0
10.1.2.0/24         Direct  0    0      D      10.1.2.1        Vlanif20
10.1.2.1/32         Direct  0    0      D      127.0.0.1       InLoopBack0
127.0.0.0/8         Direct  0    0      D      127.0.0.1       InLoopBack0
127.0.0.1/32        Direct  0    0      D      127.0.0.1       InLoopBack0
172.16.1.0/24       Direct  0    0      D      172.16.1.1      Vlanif50
172.16.1.1/32       Direct  0    0      D      127.0.0.1       InLoopBack0
172.17.1.0/24       OSPF    10   3      D      10.1.1.2        Vlanif10
                    OSPF    10   3      D      10.1.2.2        Vlanif20
192.168.0.0/24      OSPF    10   2      D      10.1.1.2        Vlanif10
192.168.1.0/24      OSPF    10   2      D      10.1.2.2        Vlanif20


As shown in the routing table, when the default setting of load balancing is restored, both next hops of SwitchA, 10.1.1.2 (SwitchB) and 10.1.2.2 (SwitchC), become valid routes. This is because the default number of equal-cost routes is 4.
6. (Optional) Set the preferences for equal-cost routes on SwitchA.

If you need not perform load balancing between SwitchB and SwitchC, set the preferences for equal-cost routes and specify the next hop.
[SwitchA] ospf
[SwitchA-ospf-1] nexthop 10.1.2.2 weight 1
[SwitchA-ospf-1] quit

# Check the routing table of SwitchA.


[SwitchA] display ip routing-table
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
         Destinations : 11       Routes : 11

Destination/Mask    Proto   Pre  Cost   Flags  NextHop         Interface
10.1.1.0/24         Direct  0    0      D      10.1.1.1        Vlanif10
10.1.1.1/32         Direct  0    0      D      127.0.0.1       InLoopBack0
10.1.2.0/24         Direct  0    0      D      10.1.2.1        Vlanif20
10.1.2.1/32         Direct  0    0      D      127.0.0.1       InLoopBack0
127.0.0.0/8         Direct  0    0      D      127.0.0.1       InLoopBack0
127.0.0.1/32        Direct  0    0      D      127.0.0.1       InLoopBack0
172.16.1.0/24       Direct  0    0      D      172.16.1.1      Vlanif50
172.16.1.1/32       Direct  0    0      D      127.0.0.1       InLoopBack0
172.17.1.0/24       OSPF    10   3      D      10.1.2.2        Vlanif20
192.168.0.0/24      OSPF    10   2      D      10.1.1.2        Vlanif10
192.168.1.0/24      OSPF    10   2      D      10.1.2.2        Vlanif20


As shown in the routing table, OSPF selects the next hop 10.1.2.2 as the unique optimal
route. This is because the preference of the next hop 10.1.2.2 (SwitchC) is higher than that
of the next hop 10.1.1.2 (SwitchB) after the preferences of the equal-cost routes are set.
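The three routing tables above differ only in how SwitchA treats its two equal-cost paths to 172.17.1.0/24. The Python model below is an added example, not code from the AC6605 guide; it runs SPF over the Figure 5-15 topology with a cost of 1 per GE link (the cost the display ospf interface output in the DR example reports) to derive the equal-cost next-hop set, then applies the two controls the procedure uses: maximum load-balancing as a cap on installed next hops and nexthop weight as a preference where a lower weight wins. Two details are assumptions rather than guide statements and are marked as such in the code: next hops without a configured weight rank below any configured one, and when the cap cuts an equally preferred set the lowest address is kept (the guide says this choice is random). Comparing the installed set against the expected one is a useful sanity check after a change: a next hop that is not in the expected set points to a misconfiguration or an unexpected route source.

```python
"""Equal-cost path selection for the OSPF load-balancing example above.

Added example; not code from the AC6605 guide. Topology, link costs (1 per GE
link) and addresses are constructed from Figure 5-15. Selection rules follow
what the guide demonstrates: 'maximum load-balancing' caps the installed
next hops, 'nexthop <ip> weight <n>' prefers a next hop (lower weight wins).
Assumptions are marked in comments.
"""
import heapq
from typing import Dict, FrozenSet, Iterable, List, Optional, Set, Tuple

# Constructed from Figure 5-15: node -> {neighbour: (link cost, neighbour's address)}
TOPOLOGY: Dict[str, Dict[str, Tuple[int, str]]] = {
    "SwitchA": {"SwitchB": (1, "10.1.1.2"), "SwitchC": (1, "10.1.2.2")},
    "SwitchB": {"SwitchA": (1, "10.1.1.1"), "SwitchD": (1, "192.168.0.2")},
    "SwitchC": {"SwitchA": (1, "10.1.2.1"), "SwitchD": (1, "192.168.1.2")},
    "SwitchD": {"SwitchB": (1, "192.168.0.1"), "SwitchC": (1, "192.168.1.1")},
}
# Networks each switch has an interface on (Figure 5-15 table).
ATTACHED: Dict[str, List[str]] = {
    "SwitchA": ["10.1.1.0/24", "10.1.2.0/24", "172.16.1.0/24"],
    "SwitchB": ["10.1.1.0/24", "192.168.0.0/24"],
    "SwitchC": ["10.1.2.0/24", "192.168.1.0/24"],
    "SwitchD": ["192.168.0.0/24", "192.168.1.0/24", "172.17.1.0/24"],
}


def spf(source: str) -> Dict[str, Tuple[int, FrozenSet[str]]]:
    """Dijkstra from 'source': node -> (cost, first-hop addresses of all equal-cost paths)."""
    dist: Dict[str, int] = {source: 0}
    hops: Dict[str, Set[str]] = {source: set()}
    heap: List[Tuple[int, str]] = [(0, source)]
    while heap:
        d, u = heapq.heappop(heap)
        if d > dist[u]:
            continue                              # stale heap entry
        for v, (cost, nh_addr) in TOPOLOGY[u].items():
            nd = d + cost
            via = {nh_addr} if u == source else hops[u]
            if nd < dist.get(v, 1 << 30):
                dist[v], hops[v] = nd, set(via)
                heapq.heappush(heap, (nd, v))
            elif nd == dist[v]:
                hops[v] |= via                    # equal-cost path: keep both first hops
    return {n: (dist[n], frozenset(hops[n])) for n in dist}


def ospf_routes(source: str) -> Dict[str, Tuple[int, FrozenSet[str]]]:
    """Prefix -> (cost, equal-cost next hops) for networks not directly attached to 'source'."""
    tree = spf(source)
    routes: Dict[str, Tuple[int, Set[str]]] = {}
    for node, prefixes in ATTACHED.items():
        if node == source:
            continue
        d, via = tree[node]
        for p in prefixes:
            if p in ATTACHED[source]:
                continue                          # directly connected: a Direct route, not OSPF
            cost = d + 1                          # plus the attached network's own interface cost
            if p not in routes or cost < routes[p][0]:
                routes[p] = (cost, set(via))
            elif cost == routes[p][0]:
                routes[p][1].update(via)
    return {p: (c, frozenset(v)) for p, (c, v) in routes.items()}


def install(next_hops: Iterable[str], max_load_balancing: int = 4,
            weights: Optional[Dict[str, int]] = None) -> List[str]:
    """Apply 'maximum load-balancing' and 'nexthop ... weight' to an equal-cost set."""
    weights = weights or {}
    # Assumption: a next hop with no configured weight ranks below every configured one.
    default = max(weights.values(), default=0) + 1
    # Assumption: among equally preferred next hops the lowest address is kept
    # (the guide says the choice is random).
    ranked = sorted(next_hops, key=lambda ip: (weights.get(ip, default), tuple(map(int, ip.split(".")))))
    best = weights.get(ranked[0], default)
    preferred = [ip for ip in ranked if weights.get(ip, default) == best]
    return preferred[:max_load_balancing]


def walk_through() -> Dict[str, List[str]]:
    """Installed next hops of SwitchA for 172.17.1.0/24 in the guide's three steps."""
    _cost, nhs = ospf_routes("SwitchA")["172.17.1.0/24"]
    return {
        "maximum load-balancing 1": install(nhs, max_load_balancing=1),
        "default (4)": install(nhs),
        "nexthop 10.1.2.2 weight 1": install(nhs, weights={"10.1.2.2": 1}),
    }


if __name__ == "__main__":
    for prefix, (cost, nhs) in sorted(ospf_routes("SwitchA").items()):
        print(f"{prefix:<16} cost {cost}  next hops {sorted(nhs)}")
    for step, installed in walk_through().items():
        print(f"{step:<28} -> {installed}")
```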

Configuration Files
- Configuration file of SwitchA

#
sysname SwitchA
#
vlan batch 10 20 50
#
interface Vlanif10
ip address 10.1.1.1 255.255.255.0
#
interface Vlanif20
ip address 10.1.2.1 255.255.255.0
#
interface Vlanif50
ip address 172.16.1.1 255.255.255.0
#
interface GigabitEthernet0/0/1
port trunk allow-pass vlan 10
#
interface GigabitEthernet0/0/2
port trunk allow-pass vlan 20
#
interface GigabitEthernet0/0/3
port trunk allow-pass vlan 50
#
ospf 1 router-id 1.1.1.1
area 0.0.0.0
network 10.1.1.0 0.0.0.255
network 10.1.2.0 0.0.0.255
network 172.16.1.0 0.0.0.255
#
return

- Configuration file of SwitchB

#
sysname SwitchB
#
vlan batch 10 30
#
interface Vlanif10
ip address 10.1.1.2 255.255.255.0
#

interface Vlanif30
ip address 192.168.0.1 255.255.255.0
#
interface GigabitEthernet0/0/1
port trunk allow-pass vlan 10
#
interface GigabitEthernet0/0/2
port trunk allow-pass vlan 30
#
ospf 1 router-id 2.2.2.2
area 0.0.0.0
network 10.1.1.0 0.0.0.255
network 192.168.0.0 0.0.0.255
#
return

- Configuration file of SwitchC

#
sysname SwitchC
#
vlan batch 20 40
#
interface Vlanif20
ip address 10.1.2.2 255.255.255.0
#
interface Vlanif40
ip address 192.168.1.1 255.255.255.0
#
interface GigabitEthernet0/0/1
port trunk allow-pass vlan 20
#
interface GigabitEthernet0/0/2
port trunk allow-pass vlan 40
#
ospf 1 router-id 3.3.3.3
area 0.0.0.0
network 10.1.2.0 0.0.0.255
network 192.168.1.0 0.0.0.255
#
return

- Configuration file of SwitchD

#
sysname SwitchD
#
vlan batch 30 40 60
#
interface Vlanif30
ip address 192.168.0.2 255.255.255.0
#
interface Vlanif40
ip address 192.168.1.2 255.255.255.0
#
interface Vlanif60
ip address 172.17.1.1 255.255.255.0
#
interface GigabitEthernet0/0/1
port trunk allow-pass vlan 30
#
interface GigabitEthernet0/0/2
port trunk allow-pass vlan 40
#
interface GigabitEthernet0/0/3
port trunk allow-pass vlan 60
#
ospf 1 router-id 4.4.4.4
area 0.0.0.0
network 192.168.0.0 0.0.0.255
network 192.168.1.0 0.0.0.255
network 172.17.1.0 0.0.0.255

#
return

Example for Configuring OSPF GR

Networking Requirements
As shown in Figure 5-16, Switch A and Switch B have two main control boards, which work in active/standby mode. Switch A and Switch B belong to Area 0 and are connected through OSPF. They also provide the GR feature.

Figure 5-16 Networking diagram for configuring OSPF GR

[Figure: SwitchA GE0/0/1 connects to SwitchB GE0/0/1; both Switches are in Area 0.]

Switch     Interface              VLANIF interface   IP address
Switch A   GigabitEthernet0/0/1   VLANIF 10          1.1.1.1/24
Switch B   GigabitEthernet0/0/1   VLANIF 10          1.1.1.2/24

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure the basic OSPF functions on each Switch to implement interconnection.
2. Enable the Opaque LSA function.
3. Configure GR on each Switch.

Data Preparation
To complete the configuration, you need the following data:
- ID of the VLAN that each interface belongs to, as shown in Figure 5-16
- IP address of each VLANIF interface, as shown in Figure 5-16
- Router ID and OSPF process ID of each Switch and area that each interface belongs to:
  - On Switch A, the router ID is 1.1.1.1; the OSPF process ID is 1; the network segment of Area 0 is 1.1.1.0/24.
  - On Switch B, the router ID is 2.2.2.2; the OSPF process ID is 1; the network segment of Area 0 is 1.1.1.0/24.

Procedure
Step 1 Configure the basic OSPF functions. See Example for Configuring Basic OSPF Functions.
Step 2 Configure the Opaque LSA function.

# Configure SwitchA.
[SwitchA] ospf
[SwitchA-ospf-1] opaque-capability enable

# Configure SwitchB.
[SwitchB] ospf
[SwitchB-ospf-1] opaque-capability enable

Step 3 Configure the OSPF GR feature.


# Configure Switch A.
[SwitchA] ospf
[SwitchA-ospf-1] graceful-restart

# Configure SwitchB.
[SwitchB] ospf
[SwitchB-ospf-1] graceful-restart

Step 4 Verify the configuration.


# View the GR status of Switch A.
[SwitchA] display ospf graceful-restart
OSPF Process 1 with Router ID 1.1.1.1
Graceful-restart capability    : enabled
Graceful-restart support       : planned and un-planned, totally
Helper-policy support          : planned and un-planned, strict lsa check
Current GR state               : normal
Graceful-restart period        : 120 seconds
Number of neighbors under helper:
Normal neighbors               : 0
Virtual neighbors              : 0
Sham-link neighbors            : 0
Total neighbors                : 0
Number of restarting neighbors : 0
Last exit reason:
On graceful restart            : none
On Helper                      : none

# Verify the GR feature of Switch A.


[SwitchA] quit
<SwitchA> reset ospf process graceful-restart

# View the neighbor status on SwitchB.
[SwitchB] display ospf peer
OSPF Process 1 with Router ID 1.1.1.2
Neighbors
Area 0.0.0.0 interface 1.1.1.2(Vlanif10)'s neighbors
Router ID: 1.1.1.1  Address: 1.1.1.1  GR State: Doing GR
State: Full  Mode:Nbr is Slave  Priority: 1
DR: 1.1.1.2  BDR: 1.1.1.1  MTU: 0
Dead timer due in 29 sec
Neighbor is up for 00:01:01
Authentication Sequence: [ 0 ]

The status of the neighbor is Full.


----End

Configuration Files
- Configuration file of Switch A

#
sysname SwitchA
#
router id 1.1.1.1
#
vlan batch 10
#
interface Vlanif10
ip address 1.1.1.1 255.255.255.0
#
interface GigabitEthernet0/0/1
port hybrid pvid vlan 10
port hybrid untagged vlan 10
#
ospf 1
opaque-capability enable
graceful-restart
area 0.0.0.0
network 1.1.1.0 0.0.0.255
#
return

- Configuration file of Switch B

#
sysname SwitchB
#
router id 2.2.2.2
#
vlan batch 10
#
interface Vlanif10
ip address 1.1.1.2 255.255.255.0
#
interface GigabitEthernet0/0/1
port hybrid pvid vlan 10
port hybrid untagged vlan 10
#
ospf 1
opaque-capability enable
graceful-restart
area 0.0.0.0
network 1.1.1.0 0.0.0.255
#
return

Example for Configuring OSPF-BGP

Networking Requirements
As shown in Figure 5-17, all Switches run BGP. An EBGP connection is established between Switch D and Switch E. IBGP full connections are established between some of the Switches in AS 10, and OSPF is used as the IGP.
It is required to enable OSPF-BGP linkage on Switch B so that the traffic from Switch A to AS 20 is not interrupted after Switch B restarts.

Figure 5-17 Networking diagram for configuring OSPF-BGP linkage

[Figure: SwitchA, SwitchB, SwitchC, and SwitchD are in AS 10. SwitchA connects to SwitchB (10.1.1.0/30) and to SwitchC (10.1.2.0/30); SwitchB connects to SwitchD (10.1.3.0/30); SwitchC connects to SwitchD (10.1.4.0/30). SwitchD connects to SwitchE over EBGP (10.2.1.0/30), and SwitchE connects to SwitchF (10.3.1.0/30); SwitchE and SwitchF are in AS 20. Interfaces and addresses are listed in the table below.]

Switch    Interface               VLANIF interface   IP address
SwitchA   GigabitEthernet 0/0/1   VLANIF 10          10.1.1.1/30
SwitchA   GigabitEthernet 0/0/2   VLANIF 20          10.1.2.1/30
SwitchB   GigabitEthernet 0/0/1   VLANIF 10          10.1.1.2/30
SwitchB   GigabitEthernet 0/0/2   VLANIF 40          10.1.3.1/30
SwitchC   GigabitEthernet 0/0/2   VLANIF 20          10.1.2.2/30
SwitchC   GigabitEthernet 0/0/1   VLANIF 30          10.1.4.1/30
SwitchD   GigabitEthernet 0/0/1   VLANIF 30          10.1.4.2/30
SwitchD   GigabitEthernet 0/0/2   VLANIF 40          10.1.3.2/30
SwitchD   GigabitEthernet 0/0/3   VLANIF 50          10.2.1.1/30
SwitchE   GigabitEthernet 0/0/1   VLANIF 50          10.2.1.2/30
SwitchE   GigabitEthernet 0/0/2   VLANIF 60          10.3.1.1/30
SwitchF   GigabitEthernet 0/0/1   VLANIF 60          10.3.1.2/30

Configuration Roadmap
The configuration roadmap is as follows:
1. Enable OSPF on Switch A, Switch B, Switch C, and Switch D (except 10.2.1.1/30) and specify the same area for all OSPF interfaces.
2. Establish IBGP full connections between Switch A, Switch B, Switch C, and Switch D (except 10.2.1.1/30).
3. Set the OSPF cost on Switch C.
4. Establish the EBGP connection between Switch D and Switch E.
5. Configure the OSPF process and configure BGP to import directly connected routes on Switch D.
6. Configure BGP on Switch E.

Data Preparation
To complete the configuration, you need the following data:
- The router ID of Switch A is 1.1.1.1, the AS number is 10, the OSPF process number is 1, and the network segments in Area 0 are 10.1.1.0/30 and 10.1.2.0/30.
- The router ID of Switch B is 2.2.2.2, the AS number is 10, the OSPF process number is 1, and the network segments in Area 0 are 10.1.1.0/30 and 10.1.3.0/30.
- The router ID of Switch C is 3.3.3.3, the AS number is 10, the OSPF process number is 1, and the network segments in Area 0 are 10.1.2.0/30 and 10.1.4.0/30.
- The router ID of Switch D is 4.4.4.4, the AS number is 10, the OSPF process number is 1, and the network segments in Area 0 are 10.1.3.0/30 and 10.1.4.0/30.
- The router ID of Switch E is 5.5.5.5, and the AS number is 20.

Procedure
Step 1 Configure VLANs that interfaces belong to.
<Quidway> system-view
[Quidway] sysname SwitchA
[SwitchA] vlan batch 10 20
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port hybrid pvid vlan 10
[SwitchA-GigabitEthernet0/0/1] port hybrid untagged vlan 10
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port hybrid pvid vlan 20
[SwitchA-GigabitEthernet0/0/2] port hybrid untagged vlan 20
[SwitchA-GigabitEthernet0/0/2] quit

The configurations of SwitchB, SwitchC, SwitchD, SwitchE and SwitchF are similar to the configuration of SwitchA, and are not mentioned here.
Step 2 Assign an IP address to each VLANIF interface.
[SwitchA] interface vlanif 10
[SwitchA-Vlanif10] ip address 10.1.1.1 30
[SwitchA-Vlanif10] quit
[SwitchA] interface vlanif 20
[SwitchA-Vlanif20] ip address 10.1.2.1 30
[SwitchA-Vlanif20] quit

The configurations of SwitchB, SwitchC, SwitchD, SwitchE and SwitchF are similar to the configuration of SwitchA, and are not mentioned here.
Step 3 Configure basic OSPF functions.
The configuration details are not mentioned here.
Step 4 Configure an IBGP full connection.
# Configure Switch A.
<SwitchA> system-view
[SwitchA] interface LoopBack 0
[SwitchA-LoopBack0] ip address 1.1.1.1 32
[SwitchA-LoopBack0] quit

[SwitchA] bgp 10
[SwitchA-bgp] router-id 1.1.1.1
[SwitchA-bgp] peer 2.2.2.2 as-number 10
[SwitchA-bgp] peer 2.2.2.2 connect-interface LoopBack 0
[SwitchA-bgp] peer 3.3.3.3 as-number 10
[SwitchA-bgp] peer 3.3.3.3 connect-interface LoopBack 0
[SwitchA-bgp] peer 4.4.4.4 as-number 10
[SwitchA-bgp] peer 4.4.4.4 connect-interface LoopBack 0
[SwitchA-bgp] quit

# Configure Switch B.
<SwitchB> system-view
[SwitchB] interface LoopBack 0
[SwitchB-LoopBack0] ip address 2.2.2.2 32
[SwitchB-LoopBack0] quit
[SwitchB] bgp 10
[SwitchB-bgp] router-id 2.2.2.2
[SwitchB-bgp] peer 1.1.1.1 as-number 10
[SwitchB-bgp] peer 1.1.1.1 connect-interface LoopBack 0
[SwitchB-bgp] peer 3.3.3.3 as-number 10
[SwitchB-bgp] peer 3.3.3.3 connect-interface LoopBack 0
[SwitchB-bgp] peer 4.4.4.4 as-number 10
[SwitchB-bgp] peer 4.4.4.4 connect-interface LoopBack 0
[SwitchB-bgp] quit

# Configure Switch C.
<SwitchC> system-view
[SwitchC] interface LoopBack 0
[SwitchC-LoopBack0] ip address 3.3.3.3 32
[SwitchC-LoopBack0] quit
[SwitchC] bgp 10
[SwitchC-bgp] router-id 3.3.3.3
[SwitchC-bgp] peer 1.1.1.1 as-number 10
[SwitchC-bgp] peer 1.1.1.1 connect-interface LoopBack 0
[SwitchC-bgp] peer 2.2.2.2 as-number 10
[SwitchC-bgp] peer 2.2.2.2 connect-interface LoopBack 0
[SwitchC-bgp] peer 4.4.4.4 as-number 10
[SwitchC-bgp] peer 4.4.4.4 connect-interface LoopBack 0
[SwitchC-bgp] quit

# Configure Switch D.
<SwitchD> system-view
[SwitchD] interface LoopBack 0
[SwitchD-LoopBack0] ip address 4.4.4.4 32
[SwitchD-LoopBack0] quit
[SwitchD] bgp 10
[SwitchD-bgp] router-id 4.4.4.4
[SwitchD-bgp] peer 1.1.1.1 as-number 10
[SwitchD-bgp] peer 1.1.1.1 connect-interface LoopBack 0
[SwitchD-bgp] peer 2.2.2.2 as-number 10
[SwitchD-bgp] peer 2.2.2.2 connect-interface LoopBack 0
[SwitchD-bgp] peer 3.3.3.3 as-number 10
[SwitchD-bgp] peer 3.3.3.3 connect-interface LoopBack 0
[SwitchD-bgp] quit

Step 5 Configure an EBGP connection.


# Configure Switch D.
[SwitchD] bgp 10
[SwitchD-bgp] peer 10.2.1.2 as-number 20
[SwitchD-bgp] import-route direct
[SwitchD-bgp] import-route ospf 1
[SwitchD-bgp] quit

# Configure Switch E.
[SwitchE] bgp 20
[SwitchE-bgp] peer 10.2.1.1 as-number 10
[SwitchE-bgp] ipv4-family unicast
[SwitchE-bgp-af-ipv4] network 10.3.1.0 30
[SwitchE-bgp-af-ipv4] quit

Step 6 Set the cost of OSPF on Switch C.


[SwitchC] interface vlanif 30
[SwitchC-Vlanif30] ospf cost 2
[SwitchC-Vlanif30] quit
[SwitchC] interface vlanif 20
[SwitchC-Vlanif20] ospf cost 2
[SwitchC-Vlanif20] quit
NOTE

After the cost of OSPF on Switch C is set to 2, Switch A chooses only Switch B as the intermediate router
to the network segment 10.2.1.0. Switch C becomes the backup router of Switch B.

# View the routing table of Switch A. As shown in the routing table, the route to the network
segment 10.3.1.0 can be learned through BGP, and the outgoing interface is Vlanif10.
[SwitchA] display ip routing-table
Route Flags: R - relied, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
         Destinations : 16       Routes : 17

Destination/Mask    Proto   Pre  Cost      Flags NextHop         Interface

        1.1.1.1/32  Direct  0    0           D   127.0.0.1       InLoopBack0
        2.2.2.2/32  OSPF    10   3           D   10.1.1.2        Vlanif10
        4.4.4.0/24  BGP     255  0           RD  4.4.4.4         Vlanif10
        4.4.4.4/32  OSPF    10   3           D   10.1.1.2        Vlanif10
        5.5.5.0/24  BGP     255  0           RD  10.2.1.2        Vlanif10
       10.1.1.0/30  Direct  0    0           D   10.1.1.1        Vlanif10
       10.1.1.1/32  Direct  0    0           D   127.0.0.1       InLoopBack0
       10.1.1.2/32  Direct  0    0           D   10.1.1.2        Vlanif10
       10.1.2.0/30  Direct  0    0           D   10.1.2.1        Vlanif20
       10.1.2.1/32  Direct  0    0           D   127.0.0.1       InLoopBack0
       10.1.2.2/32  Direct  0    0           D   10.1.2.2        Vlanif20
       10.1.3.0/30  OSPF    10   2           D   10.1.1.2        Vlanif10
       10.1.3.1/32  BGP     255  0           RD  4.4.4.4         Vlanif10
       10.1.4.0/30  OSPF    10   3           D   10.1.1.2        Vlanif10
                    OSPF    10   3           D   10.1.2.2        Vlanif20
       10.1.4.1/32  BGP     255  0           RD  4.4.4.4         Vlanif10
       10.2.1.0/30  BGP     255  0           RD  4.4.4.4         Vlanif10
       10.2.1.2/32  BGP     255  0           RD  4.4.4.4         Vlanif10
       10.3.1.0/30  BGP     255  0           RD  4.4.4.4         Vlanif10

# View the routing table of Switch B.


[SwitchB] display ip routing-table
Route Flags: R - relied, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
         Destinations : 15       Routes : 15

Destination/Mask    Proto   Pre  Cost      Flags NextHop         Interface

        2.2.2.2/32  Direct  0    0           D   127.0.0.1       InLoopBack0
        1.1.1.1/32  OSPF    10   2           D   10.1.1.1        Vlanif10
        4.4.4.0/24  BGP     255  0           RD  10.1.3.2        Vlanif40
        4.4.4.4/32  OSPF    10   2           D   10.1.3.2        Vlanif40
        5.5.5.0/24  BGP     255  0           RD  10.2.1.2        Vlanif40
       10.1.1.0/30  Direct  0    0           D   10.1.1.2        Vlanif10
       10.1.1.1/32  Direct  0    0           D   10.1.1.1        Vlanif10
       10.1.1.2/32  Direct  0    0           D   127.0.0.1       InLoopBack0
       10.1.2.0/30  OSPF    10   2           D   10.1.1.1        Vlanif10
       10.1.3.0/30  Direct  0    0           D   10.1.3.1        Vlanif40
       10.1.3.1/32  Direct  0    0           D   127.0.0.1       InLoopBack0
       10.1.3.2/32  Direct  0    0           D   10.1.3.2        Vlanif40
       10.1.4.0/30  OSPF    10   2           D   10.1.3.2        Vlanif40
       10.1.4.1/32  BGP     255  0           RD  10.1.3.2        Vlanif40
       10.2.1.0/30  BGP     255  0           RD  10.1.3.2        Vlanif40
       10.2.1.2/32  BGP     255  0           RD  10.1.3.2        Vlanif40
       10.3.1.0/30  BGP     255  0           RD  10.1.3.2        Vlanif40

As shown in the routing table, Switch B learns the route to the network segment 10.3.1.0 through BGP, and the outgoing interface is Vlanif40. The routes to the network segments 10.1.2.0 and 10.1.4.0 are learned through OSPF, and the cost of each of the two routes is 2.
Step 7 Enable OSPF-BGP linkage on Switch B.
[SwitchB] ospf 1
[SwitchB-ospf-1] stub-router on-startup
[SwitchB-ospf-1] quit
[SwitchB] quit

Step 8 Verify the configuration.


# Restart Switch B.
NOTE
Confirm the action before you run the command, because the command interrupts the network for a short time. In addition, save the configuration file of the Switch before restarting it.
<SwitchB> reboot
System will reboot! Continue?[Y/N] y

# View the routing table of Switch A. As shown in the routing table, the route to the network
10.3.1.0 can be learned through BGP, and the outgoing interface is Vlanif40.
[SwitchA] display ip routing-table
Route Flags: R - relied, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
         Destinations : 17       Routes : 17

Destination/Mask    Proto   Pre  Cost      Flags NextHop         Interface

        1.1.1.1/32  Direct  0    0           D   127.0.0.1       InLoopBack0
        2.2.2.2/32  OSPF    10   4           D   10.1.2.2        Vlanif40
        4.4.4.0/24  BGP     255  0           RD  4.4.4.4         Vlanif40
        4.4.4.4/32  OSPF    10   4           D   10.1.2.2        Vlanif40
        5.5.5.0/24  BGP     255  0           RD  10.2.1.2        Vlanif40
       10.1.1.0/30  Direct  0    0           D   10.1.1.1        Vlanif10
       10.1.1.1/32  Direct  0    0           D   127.0.0.1       InLoopBack0
       10.1.1.2/32  Direct  0    0           D   10.1.1.2        Vlanif10
       10.1.2.0/30  Direct  0    0           D   10.1.2.1        Vlanif40
       10.1.2.1/32  Direct  0    0           D   127.0.0.1       InLoopBack0
       10.1.2.2/32  Direct  0    0           D   10.1.2.2        Vlanif40
       10.1.3.0/30  OSPF    10   2           D   10.1.1.2        Vlanif10
       10.1.3.1/32  BGP     255  0           RD  4.4.4.4         Vlanif40
       10.1.4.0/30  OSPF    10   3           D   10.1.2.2        Vlanif40
       10.1.4.1/32  BGP     255  0           RD  4.4.4.4         Vlanif40
       10.2.1.0/30  BGP     255  0           RD  4.4.4.4         Vlanif40
       10.2.1.2/32  BGP     255  0           RD  4.4.4.4         Vlanif40
       10.3.1.0/30  BGP     255  0           RD  4.4.4.4         Vlanif40

# View the routing table of Switch B. As shown in the routing table, for the time being only OSPF routes exist in the routing table and their costs are equal to or greater than 65535: because IGP route convergence is faster than BGP route convergence, Switch B acts as a stub router and advertises the maximum link cost until its BGP routes have converged, so the other Switches do not forward traffic through it in the meantime.
[SwitchB] display ip routing-table
Route Flags: R - relied, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
         Destinations : 13       Routes : 13

Destination/Mask    Proto   Pre  Cost      Flags NextHop         Interface

        1.1.1.1/32  OSPF    10   65536       D   10.1.1.1        Vlanif10
        2.2.2.2/32  Direct  0    0           D   127.0.0.1       InLoopBack0
        4.4.4.4/32  OSPF    10   65536       D   10.1.3.2        Vlanif40
       10.1.1.0/30  Direct  0    0           D   10.1.1.2        Vlanif10
       10.1.1.1/32  Direct  0    0           D   10.1.1.1        Vlanif10
       10.1.1.2/32  Direct  0    0           D   127.0.0.1       InLoopBack0
       10.1.2.0/30  OSPF    10   65536       D   10.1.1.1        Vlanif40
       10.1.3.0/30  Direct  0    0           D   10.1.3.1        Vlanif40
       10.1.3.1/32  Direct  0    0           D   127.0.0.1       InLoopBack0
       10.1.3.2/32  Direct  0    0           D   10.1.3.2        Vlanif40
       10.1.4.0/30  OSPF    10   65536       D   10.1.3.2        Vlanif40
        127.0.0.0/8 Direct  0    0           D   127.0.0.1       InLoopBack0
       127.0.0.1/32 Direct  0    0           D   127.0.0.1       InLoopBack0

# View the routing table of Switch B.


[SwitchB] display ip routing-table
Route Flags: R - relied, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
         Destinations : 15       Routes : 15

Destination/Mask    Proto   Pre  Cost      Flags NextHop         Interface

        2.2.2.2/32  Direct  0    0           D   127.0.0.1       InLoopBack0
        1.1.1.1/32  OSPF    10   2           D   10.1.1.1        Vlanif10
        4.4.4.0/24  BGP     255  0           RD  10.1.3.2        Vlanif40
        4.4.4.4/32  OSPF    10   2           D   10.1.3.2        Vlanif40
        5.5.5.0/24  BGP     255  0           RD  10.2.1.2        Vlanif40
       10.1.1.0/30  Direct  0    0           D   10.1.1.2        Vlanif10
       10.1.1.1/32  Direct  0    0           D   10.1.1.1        Vlanif10
       10.1.1.2/32  Direct  0    0           D   127.0.0.1       InLoopBack0
       10.1.2.0/30  OSPF    10   2           D   10.1.1.1        Vlanif10
       10.1.3.0/30  Direct  0    0           D   10.1.3.1        Vlanif40
       10.1.3.1/32  Direct  0    0           D   127.0.0.1       InLoopBack0
       10.1.3.2/32  Direct  0    0           D   10.1.3.2        Vlanif40
       10.1.4.0/30  OSPF    10   2           D   10.1.3.2        Vlanif40
       10.1.4.1/32  BGP     255  0           RD  10.1.3.2        Vlanif40
       10.2.1.0/30  BGP     255  0           RD  10.1.3.2        Vlanif40
       10.2.1.2/32  BGP     255  0           RD  10.1.3.2        Vlanif40
       10.3.1.0/30  BGP     255  0           RD  10.1.3.2        Vlanif40

As shown in the routing table, after BGP route convergence on Switch B is complete, the routing table is the same as it was before the Switch restarted.
----End
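The effect of stub-router on-startup, worked through as an added example that is not part of the Huawei guide: a small SPF run over the Switch A/B/C/D ring of this example. Link costs are assumptions (1 per interface, 2 on the two Switch C interfaces set in Step 6), and the stub-router state is modelled as the restarting Switch advertising the maximum link metric on its links.

```python
import heapq

MAX_LINK_METRIC = 65535  # metric an OSPF stub router advertises on its links

# Constructed link costs, keyed by (advertising router, neighbor). Every
# interface costs 1 except the two interfaces on Switch C, which Step 6 sets
# to 'ospf cost 2'. These are assumptions for the model, not values taken
# from the guide's routing tables.
LINKS = {
    ("A", "B"): 1, ("B", "A"): 1,   # 10.1.1.0/30
    ("A", "C"): 1, ("C", "A"): 2,   # 10.1.2.0/30
    ("B", "D"): 1, ("D", "B"): 1,   # 10.1.3.0/30
    ("C", "D"): 2, ("D", "C"): 1,   # 10.1.4.0/30
}


def spf(links, source, stub_routers=()):
    """Dijkstra over the router LSAs.

    A router listed in stub_routers behaves like 'stub-router on-startup':
    it advertises MAX_LINK_METRIC on every link it originates, so the other
    routers only transit it when no alternative path exists.
    """
    adj = {}
    for (u, v), cost in links.items():
        if u in stub_routers:
            cost = MAX_LINK_METRIC
        adj.setdefault(u, []).append((v, cost))
    dist = {source: 0}
    prev = {}
    heap = [(0, source)]
    while heap:
        d, u = heapq.heappop(heap)
        if d > dist[u]:
            continue  # stale heap entry
        for v, cost in adj.get(u, ()):
            nd = d + cost
            if nd < dist.get(v, float("inf")):
                dist[v] = nd
                prev[v] = u
                heapq.heappush(heap, (nd, v))
    return dist, prev


def transit_path(source, target, stub_routers=()):
    """Return (path, cost) from source to target under the given stub routers."""
    dist, prev = spf(LINKS, source, stub_routers)
    hops = [target]
    while hops[-1] != source:
        hops.append(prev[hops[-1]])
    return list(reversed(hops)), dist[target]


if __name__ == "__main__":
    # Steady state: Switch A reaches Switch D (and so 10.3.1.0/30) through B.
    print("steady state:      ", transit_path("A", "D"))
    # Switch B has just rebooted and its BGP sessions have not converged:
    # the stub-router metric moves A's traffic onto the Switch C path, so
    # nothing is black-holed at B while it still has no BGP routes.
    print("B restarting:      ", transit_path("A", "D", stub_routers={"B"}))
    # Switch B sees its own links at 65535, which is why the OSPF routes in
    # its own routing table carry costs above 65535 right after the restart.
    print("B's own view of A: ", transit_path("B", "A", stub_routers={"B"}))
```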

Configuration Files
- Configuration file of Switch A
#
sysname SwitchA
#
vlan batch 10 20
#
router id 1.1.1.1
#
interface Vlanif10
ip address 10.1.1.1 255.255.255.252
#
interface Vlanif20
ip address 10.1.2.1 255.255.255.252
#
interface LoopBack0
ip address 1.1.1.1 255.255.255.255
#
bgp 10
router-id 1.1.1.1
peer 2.2.2.2 as-number 10
peer 2.2.2.2 connect-interface LoopBack 0
peer 3.3.3.3 as-number 10
peer 3.3.3.3 connect-interface LoopBack 0
peer 4.4.4.4 as-number 10
peer 4.4.4.4 connect-interface LoopBack 0
#
ipv4-family unicast
undo synchronization
peer 4.4.4.4 enable
peer 10.1.1.2 enable
peer 10.1.2.2 enable
#
ospf 1
area 0.0.0.0
network 1.1.1.1 0.0.0.0
network 10.1.1.0 0.0.0.3
network 10.1.2.0 0.0.0.3
#
return

- Configuration file of Switch B
#
sysname SwitchB
#
vlan batch 10 40
#
router id 2.2.2.2
#
interface Vlanif10
ip address 10.1.1.2 255.255.255.252
#
interface Vlanif40
ip address 10.1.3.1 255.255.255.252
#
interface LoopBack0
ip address 2.2.2.2 255.255.255.255
#
bgp 10
router-id 2.2.2.2
peer 1.1.1.1 as-number 10
peer 1.1.1.1 connect-interface LoopBack 0
peer 3.3.3.3 as-number 10
peer 3.3.3.3 connect-interface LoopBack 0
peer 4.4.4.4 as-number 10
peer 4.4.4.4 connect-interface LoopBack 0
#
ipv4-family unicast
undo synchronization
peer 10.1.1.1 enable
peer 10.1.3.2 enable
#
ospf 1
area 0.0.0.0
network 10.1.1.0 0.0.0.3
network 10.1.3.0 0.0.0.3
network 2.2.2.2 0.0.0.0
#
return

- Configuration file of Switch C
#
sysname SwitchC
#
vlan batch 30 20
#
router id 3.3.3.3
interface Vlanif30
ip address 10.1.4.1 255.255.255.252
#
interface Vlanif20
ip address 10.1.2.2 255.255.255.252
#
interface LoopBack0
ip address 3.3.3.3 255.255.255.255
#
bgp 10
router-id 3.3.3.3
peer 1.1.1.1 as-number 10
peer 1.1.1.1 connect-interface LoopBack 0
peer 2.2.2.2 as-number 10
peer 2.2.2.2 connect-interface LoopBack 0
peer 4.4.4.4 as-number 10
peer 4.4.4.4 connect-interface LoopBack 0
#
ipv4-family unicast
undo synchronization
peer 10.1.4.2 enable
peer 10.1.2.1 enable
#
ospf 1
area 0.0.0.0
network 10.1.2.0 0.0.0.3
network 10.1.4.0 0.0.0.3
network 3.3.3.3 0.0.0.0
#
return

- Configuration file of Switch D
#
sysname SwitchD
#
vlan batch 30 40 50
#
router id 4.4.4.4
#
interface Vlanif30
ip address 10.1.4.2 255.255.255.252
#
interface Vlanif40
ip address 10.1.3.2 255.255.255.252
#
interface Vlanif50
ip address 10.2.1.1 255.255.255.252
#
interface LoopBack0
ip address 4.4.4.4 255.255.255.255
#
bgp 10
router-id 4.4.4.4
peer 10.2.1.2 as-number 20
peer 1.1.1.1 as-number 10
peer 1.1.1.1 connect-interface LoopBack 0
peer 2.2.2.2 as-number 10
peer 2.2.2.2 connect-interface LoopBack 0
peer 3.3.3.3 as-number 10
peer 3.3.3.3 connect-interface LoopBack 0
#
ipv4-family unicast
undo synchronization
import-route direct
import-route ospf 1
peer 2.2.2.2 enable
peer 1.1.1.1 enable
peer 5.5.5.5 enable
peer 3.3.3.3 enable
#
ospf 1
area 0.0.0.0
network 4.4.4.4 0.0.0.0
network 10.1.3.0 0.0.0.3
network 10.1.4.0 0.0.0.3
#
return

- Configuration file of Switch E
#
sysname SwitchE
#
vlan batch 50 60
#
router id 5.5.5.5
#
interface Vlanif50
ip address 10.2.1.2 255.255.255.252
#
interface Vlanif60
ip address 10.3.1.1 255.255.255.252
#
interface LoopBack0
ip address 5.5.5.5 255.255.255.255
#
bgp 20
router-id 5.5.5.5
peer 10.2.1.1 as-number 10
#
ipv4-family unicast
undo synchronization
network 10.3.1.0 255.255.255.252
peer 10.2.1.1 enable
#
return

Example for Configuring OSPF GTSM


Networking Requirements
As shown in Figure 5-18, OSPF is run between Switches, and GTSM is enabled on Switch C.
The following are the valid TTL ranges of the packets sent from each Switch to Switch C:
- Switch A and Switch E are the neighboring Switches of Switch C. The valid TTL range of packets is [255, 255].
- The valid TTL ranges of the packets sent from Switch B, Switch D, and Switch F to Switch C are [254, 255], [253, 255], and [252, 255] respectively.

Figure 5-18 Networking diagram for configuring OSPF GTSM
(Diagram: Switch A and Switch B are linked in Area0 over 192.168.0.0/24; Switch A connects to Switch C over 192.168.1.0/24 and Switch B connects to Switch D over 192.168.2.0/24; Switch E hangs off Switch C in Area1 over 172.16.1.0/24 and Switch F hangs off Switch D in Area2 over 172.17.1.0/24; a PC is also attached to the network. Interface addresses are listed below.)

Switch    Interface              VLANIF interface   IP address
SwitchA   GigabitEthernet0/0/1   VLANIF 10          192.168.0.1/24
SwitchA   GigabitEthernet0/0/2   VLANIF 20          192.168.1.1/24
SwitchB   GigabitEthernet0/0/1   VLANIF 10          192.168.0.2/24
SwitchB   GigabitEthernet0/0/2   VLANIF 30          192.168.2.1/24
SwitchC   GigabitEthernet0/0/1   VLANIF 20          192.168.1.2/24
SwitchC   GigabitEthernet0/0/2   VLANIF 40          172.16.1.1/24
SwitchD   GigabitEthernet0/0/1   VLANIF 30          192.168.2.2/24
SwitchD   GigabitEthernet0/0/2   VLANIF 50          172.17.1.1/24
SwitchE   GigabitEthernet0/0/2   VLANIF 40          172.16.1.2/24
SwitchF   GigabitEthernet0/0/2   VLANIF 50          172.17.1.2/24

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure basic OSPF functions.
2. Enable GTSM on each Switch and specify the valid TTL range of packets.
Data Preparation
To complete the configuration, you need the following data:
- OSPF process number of each Switch
- Valid TTL range of packets between Switches

Procedure
Step 1 Configure VLANs that interfaces belong to.
<Quidway> system-view
[Quidway] sysname SwitchA
[SwitchA] vlan batch 10 20
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port hybrid pvid vlan 10
[SwitchA-GigabitEthernet0/0/1] port hybrid untagged vlan 10
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port hybrid pvid vlan 20
[SwitchA-GigabitEthernet0/0/2] port hybrid untagged vlan 20
[SwitchA-GigabitEthernet0/0/2] quit

The configurations of SwitchB, SwitchC, SwitchD, SwitchE, and SwitchF are similar to the
configuration of SwitchA, and are not mentioned here.
Step 2 Assign an IP address to each VLANIF interface.
[SwitchA] interface vlanif 10
[SwitchA-Vlanif10] ip address 192.168.0.1 24
[SwitchA-Vlanif10] quit
[SwitchA] interface vlanif 20
[SwitchA-Vlanif20] ip address 192.168.1.1 24
[SwitchA-Vlanif20] quit

The configurations of SwitchB, SwitchC, SwitchD, SwitchE, and SwitchF are similar to the
configuration of SwitchA, and are not mentioned here.
Step 3 Configure basic OSPF functions. For the configuration details, see Example for Configuring Basic OSPF Functions.
Step 4 Configure OSPF GTSM.
# Configure the valid TTL range of packets from Switch C to other Switches as [252, 255].
[SwitchC] ospf valid-ttl-hops 4

# Configure the valid TTL range of packets from Switch A to Switch C as [255, 255].
[SwitchA] ospf valid-ttl-hops 1

# Configure the valid TTL range of packets from Switch B to Switch C as [254, 255].
[SwitchB] ospf valid-ttl-hops 2

# Configure the valid TTL range of packets from Switch D to Switch C as [253, 255].
[SwitchD] ospf valid-ttl-hops 3

# Configure the valid TTL range of packets from Switch E to Switch C as [255, 255].
[SwitchE] ospf valid-ttl-hops 1

# Configure the valid TTL range of packets from Switch F to Switch C as [252, 255].
[SwitchF] ospf valid-ttl-hops 4

Step 5 Verify the configuration.


# Check whether the OSPF neighbors between the Switches are established normally. Take Switch A as an example: the state of each neighbor relationship is Full, that is, the neighbors are established normally.
[SwitchA] display ospf peer


OSPF Process 1 with Router ID 1.1.1.1
Neighbors
Area 0.0.0.0 interface 192.168.0.1(Vlanif10)'s neighbors
Router ID: 2.2.2.2
Address: 192.168.0.2
State: Full Mode:Nbr is Master Priority: 1
DR: None
BDR: None
MTU: 0
Dead timer due in 36 sec
Neighbor is up for 00:15:04
Authentication Sequence: [ 0 ]
Neighbors
Area 0.0.0.1 interface 192.168.1.1(Vlanif20)'s neighbors
Router ID: 3.3.3.3
Address: 192.168.1.2
State: Full Mode:Nbr is Master Priority: 1
DR: None
BDR: None
MTU: 0
Dead timer due in 39 sec
Neighbor is up for 00:07:32
Authentication Sequence: [ 0 ]

# Run the display gtsm statistics all command on Switch C to view the GTSM statistics. If the default action performed on packets is "pass" and all the packets are valid, the number of dropped packets is 0.
<SwitchC> display gtsm statistics all
GTSM Statistics Table
----------------------------------------------------------------
SlotId  Protocol  Total Counters  Drop Counters  Pass Counters
----------------------------------------------------------------
1       BGP       0               0              0
1       BGPv6     0               0              0
1       OSPF      0               0              0
1       LDP       0               0              0
2       BGP       0               0              0
2       BGPv6     0               0              0
2       OSPF      0               0              0
2       LDP       0               0              0
3       BGP       0               0              0
3       BGPv6     0               0              0
3       OSPF      0               0              0
3       LDP       0               0              0
4       BGP       0               0              0
4       BGPv6     0               0              0
4       OSPF      0               0              0
4       LDP       0               0              0
5       BGP       0               0              0
5       BGPv6     0               0              0
5       OSPF      0               0              0
5       LDP       0               0              0
7       BGP       0               0              0
7       BGPv6     0               0              0
7       OSPF      0               0              0
7       LDP       0               0              0
----------------------------------------------------------------

If a host spoofs the OSPF packets of Switch A to attack Switch C, the packets are dropped because their TTL value is no longer 255 when they reach Switch C. The number of dropped packets in the GTSM statistics of Switch C increases accordingly.
----End
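The TTL check that ospf valid-ttl-hops applies on Switch C, as an added example that is not part of the Huawei guide: a Python model of the GTSM policy with the Pass/Drop counters of the display gtsm statistics table, run over constructed packets whose source addresses follow Figure 5-18. The arrival TTLs and the forged packet at the end are constructed samples, and the per-protocol policy dictionary is an assumption of the model.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str    # source IP address
    proto: str  # protocol the packet carries, e.g. "OSPF" or "BGP"
    ttl: int    # IP TTL seen when the packet reaches Switch C


def valid_ttl_range(valid_ttl_hops):
    """TTL range accepted by 'ospf valid-ttl-hops N': [256 - N, 255]."""
    if not 1 <= valid_ttl_hops <= 255:
        raise ValueError("valid-ttl-hops must be between 1 and 255")
    return 256 - valid_ttl_hops, 255


class GtsmFilter:
    """GTSM check with per-protocol Total/Drop/Pass counters, mirroring the
    'display gtsm statistics all' table. `policy` maps a protocol name to the
    configured valid-ttl-hops (model assumption); a protocol without a policy
    is handled by default_action ("pass" or "drop")."""

    def __init__(self, policy, default_action="pass"):
        self.ranges = {proto: valid_ttl_range(h) for proto, h in policy.items()}
        self.default_action = default_action
        self.stats = {}

    def check(self, pkt):
        """Return True if the packet passes; update the counters either way."""
        c = self.stats.setdefault(pkt.proto, {"Total": 0, "Drop": 0, "Pass": 0})
        c["Total"] += 1
        if pkt.proto in self.ranges:
            low, high = self.ranges[pkt.proto]
            passed = low <= pkt.ttl <= high
        else:
            passed = self.default_action == "pass"
        c["Pass" if passed else "Drop"] += 1
        return passed


# Constructed sample traffic arriving at Switch C (valid-ttl-hops 4, so the
# accepted OSPF range is [252, 255]). Each hop is assumed to decrement the TTL
# by one, with nothing rewriting it on the way.
SAMPLE_PACKETS = [
    Packet("192.168.1.1", "OSPF", 255),  # Switch A, directly connected
    Packet("172.16.1.2", "OSPF", 255),   # Switch E, directly connected
    Packet("192.168.0.2", "OSPF", 254),  # Switch B, two hops away
    Packet("172.17.1.2", "OSPF", 252),   # Switch F, four hops away
    Packet("192.168.1.1", "OSPF", 250),  # packet claiming to be Switch A but
                                          # originated too far away: dropped
    Packet("192.168.1.1", "BGP", 255),   # no BGP policy: default action applies
]


def run_samples(valid_ttl_hops=4, default_action="pass"):
    """Feed the samples through the filter; return (verdicts, statistics)."""
    gtsm = GtsmFilter({"OSPF": valid_ttl_hops}, default_action)
    verdicts = [gtsm.check(p) for p in SAMPLE_PACKETS]
    return verdicts, gtsm.stats


if __name__ == "__main__":
    verdicts, stats = run_samples()
    for pkt, ok in zip(SAMPLE_PACKETS, verdicts):
        print(f"{pkt.proto:5} from {pkt.src:12} ttl={pkt.ttl}  ->  "
              f"{'pass' if ok else 'drop'}")
    print(stats)
```

Running the same samples with valid-ttl-hops 1 (the value used on the directly connected Switch A and Switch E) passes only the two neighbors, which shows why the hop count should be no larger than the real distance to the farthest legitimate peer.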

Configuration Files
- Configuration file of Switch A
#
sysname SwitchA
#
vlan batch 10 20
#
interface Vlanif10
ip address 192.168.0.1 255.255.255.0
#
interface Vlanif20
ip address 192.168.1.1 255.255.255.0
#
interface GigabitEthernet 0/0/1
port hybrid pvid vlan 10
port hybrid untagged vlan 10
#
interface GigabitEthernet 0/0/2
port hybrid pvid vlan 20
port hybrid untagged vlan 20
#
ospf 1
area 0.0.0.0
network 192.168.0.0 0.0.0.255
area 0.0.0.1
network 192.168.1.0 0.0.0.255
#
ospf valid-ttl-hops 1
#
return

- Configuration file of Switch B
#
sysname SwitchB
#
vlan batch 10 30
#
router id 2.2.2.2
#
interface Vlanif10
ip address 192.168.0.2 255.255.255.0
#
interface Vlanif30
ip address 192.168.2.1 255.255.255.0
#
interface GigabitEthernet 0/0/1
port hybrid pvid vlan 10
port hybrid untagged vlan 10
#
interface GigabitEthernet 0/0/2
port hybrid pvid vlan 30
port hybrid untagged vlan 30
#
ospf 1
area 0.0.0.0
network 192.168.0.0 0.0.0.255
area 0.0.0.2
network 192.168.2.0 0.0.0.255
#
ospf valid-ttl-hops 2
#
return

- Configuration file of Switch C
#
sysname SwitchC
#
vlan batch 20 40
#
router id 3.3.3.3
#
interface Vlanif20
ip address 192.168.1.2 255.255.255.0
#
interface Vlanif40
ip address 172.16.1.1 255.255.255.0
#
interface GigabitEthernet 0/0/1
port hybrid pvid vlan 20
port hybrid untagged vlan 20
#
interface GigabitEthernet 0/0/2
port hybrid pvid vlan 40
port hybrid untagged vlan 40
#
ospf 1
area 0.0.0.1
network 192.168.1.0 0.0.0.255
network 172.16.1.0 0.0.0.255
#
ospf valid-ttl-hops 4
#
return

- Configuration file of Switch D
#
sysname SwitchD
#
vlan batch 30 50
#
router id 4.4.4.4
#
interface Vlanif30
ip address 192.168.2.2 255.255.255.0
#
interface Vlanif50
ip address 172.17.1.1 255.255.255.0
#
interface GigabitEthernet 0/0/1
port hybrid pvid vlan 30
port hybrid untagged vlan 30
#
interface GigabitEthernet 0/0/2
port hybrid pvid vlan 50
port hybrid untagged vlan 50
#
ospf 1
area 0.0.0.2
network 192.168.2.0 0.0.0.255
network 172.17.1.0 0.0.0.255
#
ospf valid-ttl-hops 3
#
return

- Configuration file of Switch E
#
sysname SwitchE
#
vlan batch 40
#
router id 5.5.5.5
#
interface Vlanif40
ip address 172.16.1.2 255.255.255.0
#
interface GigabitEthernet 0/0/2
port hybrid pvid vlan 40
port hybrid untagged vlan 40
#
ospf 1
area 0.0.0.1
network 172.16.1.0 0.0.0.255
#
ospf valid-ttl-hops 1
#
return

- Configuration file of Switch F
#
sysname SwitchF
#
vlan batch 50
#
router id 6.6.6.6
#
interface Vlanif50
ip address 172.17.1.2 255.255.255.0
#
interface GigabitEthernet 0/0/2
port hybrid pvid vlan 50
port hybrid untagged vlan 50
#
ospf 1
area 0.0.0.2
network 172.17.1.0 0.0.0.255
#
ospf valid-ttl-hops 4
#
return

Example for Configuring BFD for OSPF


Networking Requirements
As shown in Figure 5-19, the networking requirements are as follows:
- Switch A, Switch B, and Switch C run OSPF.
- BFD for OSPF is enabled on Switch A, Switch B, and Switch C.
- Service traffic is transmitted on the main link Switch A to Switch B. The link Switch A to Switch C to Switch B is a backup link.
- BFD is configured on the interfaces between Switch A and Switch B. When a fault occurs on the link between the Switches, BFD quickly detects the fault and notifies OSPF of it. The service flow is then transmitted on the backup link.

Figure 5-19 Networking diagram for configuring BFD for OSPF
(Diagram: Switch A GE0/0/2 connects to Switch B GE0/0/2 (main link); Switch A GE0/0/1 connects to Switch C GE0/0/1, and Switch C GE0/0/2 connects to Switch B GE0/0/1 (backup link); Switch B GE0/0/3 leads to 172.16.1.0/24. Interface addresses are listed below.)

Switch     Interface   VLANIF interface   IP address
Switch A   GE0/0/1     VLANIF 10          1.1.1.1/24
Switch A   GE0/0/2     VLANIF 20          3.3.3.1/24
Switch B   GE0/0/1     VLANIF 30          2.2.2.2/24
Switch B   GE0/0/2     VLANIF 20          3.3.3.2/24
Switch B   GE0/0/3     VLANIF 40          172.16.1.1/24
Switch C   GE0/0/1     VLANIF 10          1.1.1.2/24
Switch C   GE0/0/2     VLANIF 30          2.2.2.1/24

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure the basic OSPF functions on the Switches.
2. Enable the BFD feature globally.
3. Enable BFD for OSPF on Switch A and Switch B.

Data Preparation
To complete the configuration, you need the following data:
- ID of the VLAN that each interface belongs to, as shown in Figure 5-19
- IP address of each VLANIF interface, as shown in Figure 5-19
- Router ID and OSPF process ID of each Switch and the network segments that the OSPF interfaces belong to:
  On Switch A, the router ID is 1.1.1.1; the OSPF process ID is 1; the network segments of Area 0 are 3.1.1.0/24 and 1.1.1.0/24.
  On Switch B, the router ID is 2.2.2.2; the OSPF process ID is 1; the network segments of Area 0 are 3.1.1.0/24, 2.2.2.0/24, and 172.16.1.0/24.
  On Switch C, the router ID is 3.3.3.3; the OSPF process ID is 1; the network segments of Area 0 are 192.168.1.0/24 and 172.16.1.0/24.
- Minimum interval for sending BFD packets, minimum interval for receiving BFD packets, and local detection time multiplier on Switch A and Switch B
Procedure
Step 1 Create VLANs and add corresponding interfaces to the VLANs.
<Quidway> system-view
[Quidway] sysname SwitchA
[SwitchA] vlan 10
[SwitchA-vlan10] quit
[SwitchA] vlan 20
[SwitchA-vlan20] quit
[SwitchA] interface GigabitEthernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port hybrid pvid vlan 10
[SwitchA-GigabitEthernet0/0/1] port hybrid untagged vlan 10
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface GigabitEthernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port hybrid pvid vlan 20
[SwitchA-GigabitEthernet0/0/2] port hybrid untagged vlan 20
[SwitchA-GigabitEthernet0/0/2] quit

The configurations of Switch B and Switch C are similar to the configuration of Switch A, and
are not mentioned here.
Step 2 Assign an IP address to each VLANIF interface.
[SwitchA] interface vlanif 10
[SwitchA-Vlanif10] ip address 1.1.1.1 24
[SwitchA-Vlanif10] quit
[SwitchA] interface vlanif 20
[SwitchA-Vlanif20] ip address 3.3.3.1 24
[SwitchA-Vlanif20] quit

The configurations of Switch B and Switch C are similar to the configuration of Switch A, and
are not mentioned here.
Step 3 Configure the basic OSPF functions. See Example for Configuring Basic OSPF Functions.
Step 4 Configure BFD for OSPF.
# Enable BFD globally on Switch A.
[SwitchA] bfd
[SwitchA-bfd] quit
[SwitchA] ospf
[SwitchA-ospf-1] bfd all-interfaces enable
[SwitchA-ospf-1] quit

# Enable BFD globally on Switch B.


[SwitchB] bfd
[SwitchB-bfd] quit
[SwitchB] ospf
[SwitchB-ospf-1] bfd all-interfaces enable
[SwitchB-ospf-1] quit

# Run the display ospf bfd session all command on Switch A or Switch B. You can see that the
BFD state is Up.
Take Switch A for example. The display is as follows:
[SwitchA] display ospf bfd session all
  OSPF Process 1 with Router ID 1.1.1.1
  Area 0.0.0.0 interface 3.3.3.1(Vlanif20)'s BFD Sessions
 NeighborId:2.2.2.2        AreaId:0.0.0.0        Interface:Vlanif20
 BFDState:up               rx  :1000             tx  :1000
 Multiplier:3              BFD Local Dis:8195    LocalIpAdd:3.3.3.1
 RemoteIpAdd:3.3.3.2       Diagnostic Info:No diagnostic information

  Area 0.0.0.0 interface 1.1.1.1(Vlanif10)'s BFD Sessions
 NeighborId:3.3.3.3        AreaId:0.0.0.0        Interface:Vlanif10
 BFDState:up               rx  :1000             tx  :1000
 Multiplier:3              BFD Local Dis:8194    LocalIpAdd:1.1.1.1
 RemoteIpAdd:1.1.1.2       Diagnostic Info:No diagnostic information

Step 5 Configure the BFD feature of interfaces.


# Configure BFD on VLANIF 20 of Switch A, set the minimum interval for sending the packets
and the minimum interval for receiving the packets to 100 ms, and set the local detection time
multiplier to 4.
[SwitchA] interface vlanif 20
[SwitchA-Vlanif20] ospf bfd enable
[SwitchA-Vlanif20] ospf bfd min-tx-interval 100 min-rx-interval 100 detect-multiplier 4
[SwitchA-Vlanif20] quit

# Configure BFD on VLANIF20 of Switch B and set the minimum interval for sending the
packets and the minimum interval for receiving the packets to 100 ms and the local detection
time multiplier to 4.
[SwitchB] bfd
[SwitchB-bfd] quit
[SwitchB] interface vlanif 20
[SwitchB-Vlanif20] ospf bfd enable
[SwitchB-Vlanif20] ospf bfd min-tx-interval 100 min-rx-interval 100 detect-multiplier 4
[SwitchB-Vlanif20] quit

# Run the display ospf bfd session all command on Switch A or Switch B. You can see that the
BFD state is Up.
Take Switch B for example. The display is as follows:
[SwitchB] display ospf bfd session all
  OSPF Process 1 with Router ID 2.2.2.2
  Area 0.0.0.0 interface 3.3.3.2(Vlanif20)'s BFD Sessions
 NeighborId:1.1.1.1        AreaId:0.0.0.0        Interface:Vlanif20
 BFDState:up               rx  :100              tx  :100
 Multiplier:4              BFD Local Dis:8198    LocalIpAdd:3.3.3.2
 RemoteIpAdd:3.3.3.1       Diagnostic Info:No diagnostic information

  Area 0.0.0.0 interface 2.2.2.2(Vlanif30)'s BFD Sessions
 NeighborId:3.3.3.3        AreaId:0.0.0.0        Interface:Vlanif30
 BFDState:up               rx  :1000             tx  :1000
 Multiplier:3              BFD Local Dis:8199    LocalIpAdd:2.2.2.2
 RemoteIpAdd:2.2.2.1       Diagnostic Info:No diagnostic information

Step 6 Verify the configuration.


# Run the shutdown command on VLANIF 20 of Switch B to simulate a link fault.
[SwitchB] interface vlanif 20
[SwitchB-Vlanif20] shutdown

# View the routing table of Switch A.


<SwitchA> display ospf routing
          OSPF Process 1 with Router ID 1.1.1.1
                   Routing Tables

 Routing for Network
 Destination        Cost  Type       NextHop         AdvRouter       Area
 172.16.1.1/24      3     Stub       1.1.1.2         2.2.2.2         0.0.0.0
 3.3.3.0/24         1     Stub       3.3.3.1         1.1.1.1         0.0.0.0
 2.2.2.0/24         2     Transit    1.1.1.2         3.3.3.3         0.0.0.0
 1.1.1.0/24         1     Transit    1.1.1.1         1.1.1.1         0.0.0.0

 Total Nets: 4
 Intra Area: 4  Inter Area: 0  ASE: 0  NSSA: 0

As shown in the OSPF routing table, the backup link Switch A to Switch C to Switch B takes effect after the main link fails. The next hop address of the route to 172.16.1.0/24 becomes 1.1.1.2.
----End

Configuration Files
- Configuration file of Switch A
#
sysname SwitchA
#
router id 1.1.1.1
#
vlan batch 10 20
#
bfd
#
interface Vlanif10
ip address 1.1.1.1 255.255.255.0
#
interface Vlanif20
ip address 3.3.3.1 255.255.255.0
ospf bfd enable
ospf bfd min-tx-interval 100 min-rx-interval 100 detect-multiplier 4
#
interface GigabitEthernet0/0/1
port hybrid pvid vlan 10
port hybrid untagged vlan 10
#
interface GigabitEthernet0/0/2
port hybrid pvid vlan 20
port hybrid untagged vlan 20
#
ospf 1
bfd all-interface enable
area 0.0.0.0
network 3.3.3.0 0.0.0.255
network 1.1.1.0 0.0.0.255
#
return

- Configuration file of Switch B


#
sysname SwitchB
#
router id 2.2.2.2
#
vlan batch 20 30 40
#
bfd
#
interface Vlanif20
ip address 3.3.3.2 255.255.255.0
ospf bfd enable
ospf bfd min-tx-interval 100 min-rx-interval 100 detect-multiplier 4
#
interface Vlanif30
ip address 2.2.2.2 255.255.255.0
#
interface Vlanif40
ip address 172.16.1.1 255.255.255.0
#
interface GigabitEthernet0/0/1
port hybrid pvid vlan 30
port hybrid untagged vlan 30
#
interface GigabitEthernet0/0/2
port link-type access
port default vlan 20
#
interface GigabitEthernet0/0/3
port hybrid pvid vlan 40
port hybrid untagged vlan 40
#
ospf 1
bfd all-interface enable
area 0.0.0.0
network 3.3.3.0 0.0.0.255
network 2.2.2.0 0.0.0.255
network 172.16.1.0 0.0.0.255

#
return

- Configuration file of Switch C


#
sysname SwitchC
#
router id 3.3.3.3
#
vlan batch 10 30
#
bfd
#
interface Vlanif10
ip address 1.1.1.2 255.255.255.0
#
interface Vlanif30
ip address 2.2.2.1 255.255.255.0
ospf bfd enable
ospf bfd min-tx-interval 100 min-rx-interval 100 detect-multiplier 4
#
interface GigabitEthernet0/0/1
port hybrid pvid vlan 10
port hybrid untagged vlan 10
#
interface GigabitEthernet0/0/2
port hybrid pvid vlan 30
port hybrid untagged vlan 30
#
ospf 1
bfd all-interface enable
area 0.0.0.0
network 1.1.1.0 0.0.0.255
network 2.2.2.0 0.0.0.255
#
return

5.4 IS-IS Configuration


This chapter describes the basic principle of IS-IS and procedures for configuring IS-IS, and
provides configuration examples.

5.4.1 Basic Concepts of IS-IS


As an IGP, IS-IS is used inside an AS. IS-IS is a link-state protocol. It uses the SPF algorithm
to calculate routes.
The Intermediate System-to-Intermediate System (IS-IS) is a dynamic routing protocol that was
originally created by the International Organization for Standardization (ISO) for its
Connectionless Network Protocol (CLNP).
To support the IP routing, the Internet Engineering Task Force (IETF) extended and modified
IS-IS in RFC 1195. IS-IS can thus be applied to both TCP/IP and OSI environments. This type
of IS-IS is called the Integrated IS-IS or Dual IS-IS.
As an Interior Gateway Protocol (IGP), IS-IS is used in Autonomous Systems (ASs). IS-IS is a
link-state protocol. It uses the Shortest Path First (SPF) algorithm to calculate routes. It resembles
the Open Shortest Path First (OSPF) protocol.


IS-IS Areas
To support large-scale networks, IS-IS adopts a two-level structure in a Routing Domain
(RD). A large RD is divided into one or more areas. Intra-area routes are managed by
Level-1 routers, whereas inter-area routes are managed by Level-2 routers.
Figure 5-20 shows an IS-IS network. Its topology is similar to that of a multi-area OSPF network.
Area 1 is a backbone area. All routers in this area are Level-2 routers. The other four areas are
non-backbone areas. They are connected to Area 1 through Level-1-2 routers.
Figure 5-20 IS-IS topology (figure not reproduced: Area 1 is the backbone and contains only L2
routers; Areas 2, 3, 4 and 5 are non-backbone areas of L1 routers, each attached to Area 1
through L1/2 routers)

Figure 5-21 shows another type of IS-IS topology. The Level-1-2 routers are used to connect
the Level-1 and the Level-2 routers, and are used to establish the backbone network together
with the other Level-2 routers. In this topology, no area is specified as a backbone area. All the
Level-2 routers constitute an IS-IS backbone network. The devices may belong to different areas,
but the areas must be contiguous.
Figure 5-21 IS-IS topology II (figure not reproduced: L1, L1/L2 and L2 routers spread over
Areas 1 to 4; the L2 and L1/L2 routers of the different areas together form the backbone)

NOTE

The IS-IS backbone network does not refer to a specific area.

This type of networking shows differences between IS-IS and OSPF. For OSPF, the inter-area
routes are forwarded by the backbone area and the SPF algorithm is used in the same area. For
IS-IS, both Level-1 routers and Level-2 routers use the SPF algorithm to generate Shortest Path
Trees (SPTs).

Network Types
IS-IS supports only two network types, which are classified as follows according to the physical
link:
- Broadcast links such as Ethernet and Token Ring.
- Point-to-point links such as PPP and HDLC.


NOTE

For a Non-Broadcast Multi-Access (NBMA) network such as ATM, you need to configure sub-interfaces
for it. The type of subnets cannot be Point-to-Multipoint (P2MP). IS-IS cannot run on P2MP networks.

5.4.2 IS-IS Features Supported by the AC6605


The AC6605 supports various Intermediate System-to-Intermediate System (IS-IS) protocol
features, including multi-instance, multi-process, hot standby (HSB), multi-topology, local
multicast-topology (MT), traffic engineering (TE), DiffServ-aware traffic engineering (DS-TE),
administrative tags, Link State Protocol Data Unit (LSP) fragment extension, dynamic host name
exchange, fast convergence, Bidirectional Forwarding Detection (BFD), and three-way
handshake.

Multi-Instance and Multi-Process


IS-IS supports multi-process and multi-instance, facilitating management and improving control
efficiency of IS-IS.
- Multi-process
  Multi-process allows a group of interfaces to be associated with a specific IS-IS process.
  This ensures that the specific IS-IS process performs all the protocol-based operations only
  on the group of interfaces. Multiple IS-IS processes can run on a single Switch and each
  process is responsible for a unique group of interfaces.
- Multi-instance
  After the VPN feature is enabled, multi-instance allows an IS-IS process to be associated
  with a specific VPN instance so that all the interfaces of this IS-IS process will be associated
  with the VPN instance.

IS-IS HSB
The Switch of a distributed architecture supports IS-IS HSB. In the IS-IS HSB process, IS-IS
backs up data from the active main board (AMB) to the standby main board (SMB). Whenever
the AMB fails, the SMB becomes active. This ensures uninterrupted running of IS-IS.
In the IS-IS HSB process, IS-IS configurations on the AMB and the SMB are consistent. After
a master/slave AMB/SMB switchover, IS-IS on the current AMB performs GR, obtains
adjacencies from its neighbors, and synchronizes its link state database (LSDB) with the LSDB
on the SMB. This prevents service interruption.

Local MT
When multicast and Multi-Protocol Label Switching (MPLS) TE tunnels are deployed on a
network, multicast may be affected by TE tunnels, which causes multicast services to become
unavailable.
This is because the outbound interface of a route calculated by an Interior Gateway Protocol
(IGP) may not be the actual physical interface but a TE tunnel interface after the TE tunnel is
enabled with IGP Shortcut. Based on the unicast route to the multicast source address, a
Switch sends a Join message through a TE tunnel interface. In this situation, Switches spanned
by the TE tunnel cannot detect the Join message, so they do not create any multicast forwarding
entry. A TE tunnel is unidirectional, so multicast data packets sent by the multicast source are
sent to the Switches spanned by the tunnel through physical interfaces. These Switches discard the
multicast data packets, because they do not have any multicast forwarding entry. As a result,
services become unavailable.
To solve this problem, you can enable local MT to create a separate Multicast IGP (MIGP)
routing table for multicast packets.
NOTE

For details about local MT, see the "IS-IS" chapter in the AC6605 Access Controller Feature Description-IP Routing.

IS-IS MT
IS-IS MT, a set of independent IP topologies, is an optional mechanism within IS-IS that is used
today by many ISPs for IGP routing. This MT extension can be used for a variety of purposes, such
as an in-band management network "on top" of the original IGP topology, maintaining separate
IGP routing domains for isolated multicast, or forcing a subset of an address space to follow a
different topology. Complying with RFC 5120, IS-IS MT defines new type-length-values
(TLVs) in IS-IS packets to transmit multi-topology information. A physical network can be
divided into different logical topologies as needed. Each logical topology maintains its own
routing table and uses the Shortest Path First (SPF) algorithm to calculate routes. Traffic of
different services (including traffic of different IP topologies) can be forwarded along different
paths. With logical topologies, IS-IS MT can help customers better utilize network resources
and reduce network construction costs.
IS-IS MT has the following functions:
- Separation between unicast and multicast topologies


If an MPLS TE tunnel is deployed in a unicast topology, the outbound interface of the route
calculated by IS-IS may not be a physical interface but a TE tunnel interface. If a client
sends a Join packet with the specified outbound interface as a TE tunnel interface, a router
that the TE tunnel traverses does not parse the Join packet, but adds an MPLS label to the
packet before forwarding it. No multicast forwarding entry is created on the router. The
router will discard packets sent from a multicast source, causing multicast service
interruption.
With IS-IS MT, a separate multicast topology can be set up for multicast services, and the
multicast topology is separated from the unicast topology. TE tunnels are excluded from a
multicast topology, ensuring continuity of multicast services.


IS-IS TE
IS-IS TE supports MPLS to set up and maintain the label switched paths (LSPs).
When establishing constraint-based routed (CR) LSPs, MPLS needs to learn the traffic attributes
of all the links in the local area. CR-LSPs can acquire the TE information of the links using IS-IS.

Administrative Tag
The use of administrative tags simplifies management. Administrative tags can be advertised
with IP address prefixes in the IS-IS area to control routes. An administrative tag carries
administrative information about an IP address prefix. It is used to control routes of different
levels, routes imported from different areas, from various routing protocols, and from multiple
IS-IS instances running on a Switch, as well as the carrying of tags.
Each administrative tag is associated with certain attributes. If the prefix of the reachable IP
address to be advertised by IS-IS has this attribute, IS-IS adds the administrative tag to the
reachability TLV in the prefix. In this manner, the tag is advertised throughout the entire IS-IS
area.

LSP Fragment Extension


When more information is carried in an LSP to be advertised by IS-IS, IS-IS advertises multiple
LSP fragments. Each LSP fragment is identified by the LSP identifier field of an LSP. The LSP
identifier field is 1 byte long. Therefore, the maximum number of fragments that can be generated
by an IS-IS router is 256.
The IS-IS fragment extension feature allows an IS-IS router to generate more LSP fragments.
To implement this feature, you can use the network manager to configure additional system IDs
for the Switch. Each system ID represents a virtual system, which can generate 256 LSP
fragments. With more additional system IDs (up to 50 virtual systems), an IS-IS router can
generate a maximum of 13056 LSP fragments.
Related terms are as follows:
- Originating system
  In this document, the originating system is the Switch that actually runs the IS-IS
  protocol, and each IS-IS process is regarded as multiple virtual routers to generate LSP
  fragments.
- Normal system ID
  The system ID of the originating system.
- Additional system ID
  An additional system ID, assigned by the network administrator, represents a virtual
  system. Each virtual system is allowed to generate up to 256 extended LSP fragments.
  Like a normal system ID, an additional system ID must be unique in a routing domain.
- Virtual system
  A virtual system generates extended LSP fragments. Each virtual system has a
  unique additional system ID, and each extended LSP fragment carries an additional
  system ID.
- Operating mode
  An IS-IS router can run the LSP fragment extension feature in the following modes:


  - Mode 1: The originating system sends a link to each virtual system. Then each virtual
    system sends a link to the originating system. The virtual systems function as
    Switches that are connected to the originating system on the network. This mode is used
    when some routers on the network do not support the LSP fragment extension feature.
    In this mode, only routing information can be advertised in the LSPs of the virtual
    systems.
  - Mode 2: All the Switches on the network can learn that the LSPs generated by the virtual
    systems actually belong to the originating system. This mode is used when all the
    Switches on the network support the LSP fragment extension feature. In this mode, all
    link state information can be advertised in the LSPs of the virtual systems.

Dynamic Host Name Exchange Mechanism


The dynamic host name exchange mechanism is introduced to conveniently manage and
maintain IS-IS networks. The mechanism provides a service of mapping host names to system
IDs for the IS-IS routers. The dynamic host name information is advertised in the form of a
dynamic host name TLV in an LSP.
The dynamic host name exchange mechanism also provides a service to associate a host name
with the designated intermediate system (DIS) on a broadcast network. Then LSPs of pseudo
nodes advertise this association in the form of a dynamic host name TLV.
A host name is easier to identify and remember than a system ID. After this function is
configured, the host name is displayed when a display command is run.

IS-IS Route Summarization


Route summarization is a function that summarizes routes with the same IP prefix into one route.
On a large-scale IS-IS network, you can configure route summarization to reduce the number
of IS-IS routes in the routing table. This improves the usage of system resources and facilitates
route management.
After summarization, the summarized route is not affected when a link on one of the summarized
network segments frequently alternates between Up and Down. This prevents route flapping and
improves network stability.
The Switch supports classless network-based route summarization.

IS-IS Load Balancing


If there are redundant links on an IS-IS network, there may be multiple equal-cost routes.
Configuring IS-IS load balancing can evenly distribute traffic to each link. This increases the
bandwidth usage of each link and prevents network congestion caused by some overloaded links.
IS-IS load balancing, however, may affect traffic management because traffic will be randomly
forwarded in this mode.

IS-IS Preference
If there are redundant links on an IS-IS network, there may be multiple equal-cost routes.
The Switch allows you to configure preference values for equal-cost IS-IS routes so that only
the route with the highest preference will be used and the others will function as backups.
This facilitates traffic management, improves the network reliability, and avoids configuration
change.

IS-IS Fast Convergence


- Incremental SPF (I-SPF)
I-SPF calculates only the changed routes at a time, not all routes.
ISO-10589 defines Dijkstra as the algorithm to calculate routes. When a node is added to
or removed from a network topology, all routes of all nodes need to be calculated if the
Dijkstra algorithm is adopted. As a result, it takes a long time and occupies excessive
resources, reducing the route convergence speed of the entire network.
I-SPF improves this algorithm. Except for the first time, only changed nodes instead of all
nodes are involved in calculation. The SPT generated at last is the same as that generated
by the Dijkstra algorithm. This decreases the CPU usage and speeds up route convergence.

- Partial route calculation (PRC)
Similar to I-SPF, only changed nodes are involved in PRC. PRC, however, does not
calculate the shortest path but updates leaf routes based on the SPT calculated by I-SPF.
In route calculation, a leaf represents a route, and a node represents a Switch. If the SPT
calculated using I-SPF changes, PRC calculates all the leaves on only the changed node;
if the SPT calculated using I-SPF does not change, PRC calculates only the changed leaf.
For example, if an interface of a node is enabled with IS-IS, the SPT of the entire network
remains unchanged. In this case, PRC updates the routes on only the interface of this node,
reducing the CPU usage.
PRC working with I-SPF further improves the convergence performance of the network.
As improvements of the original SPF algorithm, PRC and I-SPF replace the original
algorithm.
NOTE

In real world applications of AC6605s, only I-SPF and PRC are used to calculate IS-IS routes.

- LSP fast flooding
Based on the RFC, when IS-IS receives LSPs from other routers that are newer than those in its
own LSDB, IS-IS uses a timer to flood the LSPs in the LSDB at specified intervals. Therefore,
LSDB synchronization is slow.
LSP fast flooding addresses this problem. When a Switch configured with this feature
receives one or more LSPs, it floods out up to the specified number of LSPs before
route calculation. This accelerates LSDB synchronization and speeds up network
convergence to a great extent.

- Intelligent timer
Although the route calculation algorithm is improved, the long interval for triggering route
calculation also affects the convergence speed. Using a millisecond timer can shorten the
interval; however, excessive CPU resources will be consumed if the network topology
changes frequently. An SPF intelligent timer can quickly respond to certain emergent events
and also prevent excessive CPU resource consumption.
An IS-IS network running normally is stable. The network seldom changes frequently, and
an IS-IS router does not calculate routes frequently. Therefore, you can set a short interval
(in milliseconds) for triggering the route calculation for the first time. If the network
topology changes frequently, the value of the intelligent timer increases with the calculation
times, and the interval for route calculation becomes longer. This prevents excessive CPU
resource consumption.
The LSP generation intelligent timer is similar to the SPF intelligent timer. In IS-IS, when
the LSP generation timer expires, the system regenerates its own LSP according to the
current topology. In the original implementation mechanism, a timer with a fixed value is
used, which, however, cannot meet the requirements on fast convergence and low CPU
usage. Therefore, the LSP generation timer is designed as an intelligent timer so that it can
respond quickly to some emergent events (such as interface alternation between Up and
Down) to speed up network convergence. In addition, when the network changes
frequently, the value of the intelligent timer becomes greater automatically to prevent
excessive CPU resource consumption.
NOTE

Determine whether to configure intelligent timers based on actual network situations and
specifications of deployed routers.

BFD for IS-IS


The AC6605 supports BFD for IS-IS to detect IS-IS neighbor relationships. BFD can quickly detect
faults on links between IS-IS neighbors and report them to IS-IS, so that IS-IS converges quickly.
NOTE

BFD detects only one-hop links between IS-IS neighbors. This is because IS-IS establishes only one-hop
neighbors.

- Static BFD
  To configure static BFD, use command lines to configure single-hop BFD parameters, such
  as local and remote discriminators. Then configure the device to send BFD session setup
  requests.
  A static BFD session can only be established and released manually. A configuration error
  will lead to a BFD failure. For example, if the configured local discriminator or remote
  discriminator is incorrect, a BFD session will not work properly.
  The AC6605 supports static IPv4 BFD for IS-IS.
- Dynamic BFD
  Dynamic BFD refers to the dynamic establishment of BFD sessions using routing protocols.
  When a new IS-IS neighbor relationship is set up, BFD is notified of the parameters of the
  neighbor and the detection parameters (including source and destination IP addresses).
  Then a BFD session will be established based on the received parameters of the neighbor.
  Dynamic BFD is more flexible than static BFD.
  The connection status between an IS-IS device and its neighbors can be monitored by
  exchanging Hello packets at intervals. The sending interval is usually set to 10s, and a
  neighbor is declared Down after at least three intervals during which no Hello packet is
  received from the neighbor. It takes IS-IS some seconds to sense a Down neighbor,
  resulting in the loss of a large amount of high-speed data.
  Dynamic BFD can provide link failure detection with light load and high speed (at the
  millisecond level). Dynamic BFD does not take the place of the Hello mechanism of IS-IS,
  but helps IS-IS detect faults on neighbors or links more quickly and instructs IS-IS to
  recalculate routes to correctly guide packet forwarding.
  The AC6605 supports dynamic IPv4 BFD for IS-IS.
NOTE

For details about IS-IS GR, see the "IS-IS" chapter in the AC6605 Access Controller Feature
Description-IP Routing.


IS-IS Three-Way Handshake


A reliable link layer protocol is required when IS-IS runs on a point-to-point (P2P) link. Based
on ISO 10589, the two-way handshake mechanism of IS-IS uses Hello packets to set up P2P
adjacencies between neighboring Switches. Once the Switch receives a Hello packet from its
peer, it regards the status of the peer as Up and sets up an adjacency with the peer.
This mechanism has obvious defects. For example, when an adjacency is set up, an unstable
link status causes the loss of Complete Sequence Number Packets (CSNPs). As a result, the
LSDB fails to be synchronized during the update period of an LSP. If two or more links exist
between two Switches, an adjacency can still be set up when one link is Down and the other is
Up in the same direction. The parameters of the other link, however, are also used in SPF
calculation. The Switch does not detect any fault of the link that is in the Down state and still
tries to forward packets over this link.
The three-way handshake mechanism addresses the problem on the unreliable P2P link. In
three-way handshake mode, the Switch regards the neighbor as Up only after confirming that the
neighbor has received the packet that it sent, and then sets up an adjacency with the neighbor. In
addition, a 32-bit circuit ID is used in the three-way handshake mechanism, which is an extension
of the local 8-bit circuit ID that defines 255 P2P links.

5.4.3 Configuring Basic IPv4 IS-IS Functions


This section describes the procedures for configuring basic IPv4 IS-IS functions, including the
procedures for configuring IS-IS processes and interfaces, to implement communication
between nodes on an IPv4 IS-IS network.

Establishing the Configuration Task


Before configuring basic IPv4 IS-IS functions, familiarize yourself with the applicable
environment, complete the pre-configuration tasks, and obtain the required data.

Applicable Environment
To deploy IS-IS on an IPv4 network, configure basic IS-IS functions to implement
communication between different nodes on the network.
Other IS-IS functions can be configured only after basic IS-IS functions are configured.
Configuring basic IPv4 IS-IS functions includes the following operations:
1. Create IPv4 IS-IS processes.
2. Configure IPv4 IS-IS interfaces.

Pre-configuration Tasks
Before configuring basic IPv4 IS-IS functions, complete the following tasks:
- Configure a link layer protocol.
- Assign an IP address to each interface to ensure IP connectivity.

Data Preparation
To configure basic IPv4 IS-IS functions, you need the following data.

No.  Data
1    IS-IS process ID
2    NET of an IS-IS process
3    Level of each device and level of each interface

Creating IPv4 IS-IS Processes


Before configuring basic IPv4 IS-IS functions, create IPv4 IS-IS processes and then enable IPv4
IS-IS interfaces.

Context
To create an IPv4 IS-IS process, perform the following operations:
- Create an IS-IS process and configure the NET of a device.
- (Optional) Configure the level of a device.
  The level of a device is level-1-2 by default.
  Configure the device level based on the network planning. If no device level is configured,
  IS-IS establishes separate neighbor relationships for Level-1 and Level-2 devices and
  maintains two identical LSDBs, consuming excessive system resources.
- (Optional) Configure IS-IS host name mapping.
  After IS-IS host name mapping is configured, display commands show the host name of a
  device instead of its system ID. This improves the maintainability of an IS-IS network.
- (Optional) Enable the output of the IS-IS adjacency status.
  If the local terminal monitor is enabled and the output of the IS-IS adjacency status is
  enabled, IS-IS adjacency changes will be output to the router until the output of the
  adjacency status is disabled.

Procedure
- Create an IS-IS process and configure the NET of a device.
  1. Run:
     system-view
     The system view is displayed.
  2. Run:
     isis [ process-id ]
     An IS-IS process is created, and the IS-IS process view is displayed.
     The process-id parameter specifies the ID of an IS-IS process. The default value of
     process-id is 1. To associate an IS-IS process with a VPN instance, run the isis
     [ process-id ] [ vpn-instance vpn-instance-name ] command.
  3. Run:
     network-entity net
     A NET is configured.

     A NET consists of three parts:
     - Part one is the area ID, which is variable in length (1 to 13 bytes); the area IDs of
       the devices in the same area are identical.
     - Part two is the system ID (6 bytes) of this device, which must be unique in the
       whole area and backbone area.
     - Part three is the last byte, "SEL", whose value must be "00".
     For example, the NET of an IS-IS router can be configured as 10.1234.6e9f.0001.00.

     CAUTION
     - An area ID uniquely identifies an area in the same IS-IS domain. All routers in the
       same Level-1 area must share the same area ID, while routers in the same Level-2
       area can have different area IDs.
     - The system ID must be unique in the whole area and backbone area.
     - A maximum of three area IDs can be configured for an IS-IS process. Therefore,
       a maximum of three NETs can be configured. When configuring multiple NETs,
       ensure that they share the same system ID.
     Configuring NETs based on loopback interface addresses is recommended to ensure
     that each NET is unique on the network. If NETs are not unique, route flapping will
     easily occur.
  4. (Optional) Run:
     description
     Descriptions for the IS-IS process are configured.


- (Optional) Configure the level of a device.
  1. Run:
     system-view
     The system view is displayed.
  2. Run:
     isis [ process-id ]
     An IS-IS process is created, and the IS-IS process view is displayed.
  3. Run:
     is-level { level-1 | level-1-2 | level-2 }
     The level of the Switch is configured.


- (Optional) Configure IS-IS host name mapping.
  1. Run:
     system-view
     The system view is displayed.
  2. Run:
     isis [ process-id ]
     An IS-IS process is created, and the IS-IS process view is displayed.
  3. Run:
     is-name symbolic-name


     IS-IS dynamic host name mapping is configured. The system ID of the local device
     is mapped to the specified host name.
     The value of symbolic-name is carried in LSP packets and advertised to other IS-IS devices.
     Other IS-IS devices then display the value of symbolic-name, instead of the system ID,
     of the local IS-IS device.
  4. Run:
     is-name map system-id symbolic-name
     IS-IS static host name mapping is configured. The system ID of a peer IS-IS device
     is mapped to the specified host name.
     This configuration takes effect only on the local IS-IS device. The value of
     symbolic-name will not be added to LSP packets.
     If dynamic host name mapping is configured on an IS-IS network, the mappings learned
     from the network overwrite the mappings configured on the local Switch.
- (Optional) Enable the output of the IS-IS adjacency status.
  1. Run:
     system-view
     The system view is displayed.
  2. Run:
     isis [ process-id ]
     An IS-IS process is created, and the IS-IS view is displayed.
  3. Run:
     log-peer-change
     The output of the adjacency status is enabled.


----End
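The NET structure described in step 3 above (area ID of 1 to 13 bytes, 6-byte system ID, SEL of 00) and the CAUTION rules for several NETs on one process, as an added Python example that is not part of the Huawei guide. The loopback-address-to-system-ID conversion it includes is a common operator convention rather than a rule stated here, and every NET other than 10.1234.6e9f.0001.00 is a constructed sample value.

```python
"""Parse and sanity-check IS-IS Network Entity Titles (NETs).

Added example, not code from the Huawei guide. It applies the rules stated
for the network-entity command: a NET is area ID (1 to 13 bytes) + system ID
(6 bytes) + SEL (1 byte, always 00); several NETs under one process must share
one system ID, and at most three area IDs (so three NETs) are allowed.
"""
import re
from dataclasses import dataclass
from typing import List

# Dotted hexadecimal as typed on the CLI, e.g. 10.1234.6e9f.0001.00.
# Group lengths are not enforced here; only the byte structure is checked.
_DOTTED_HEX = re.compile(r"^[0-9a-fA-F]+(\.[0-9a-fA-F]+)*$")

SYSTEM_ID_HEX = 12        # 6 bytes
SEL_HEX = 2               # 1 byte
MIN_AREA_HEX = 2          # 1 byte
MAX_AREA_HEX = 26         # 13 bytes
MAX_NETS_PER_PROCESS = 3  # three area IDs per IS-IS process


@dataclass(frozen=True)
class Net:
    area_id: str    # lowercase hex digits, 2 to 26 of them
    system_id: str  # lowercase hex digits, exactly 12
    sel: str        # "00"

    @property
    def area_len_bytes(self) -> int:
        return len(self.area_id) // 2


def parse_net(net: str) -> Net:
    """Split a dotted NET into area ID, system ID and SEL; raise ValueError
    when the string violates the structure described for network-entity."""
    if not _DOTTED_HEX.match(net):
        raise ValueError(f"{net!r}: NET must be dotted hexadecimal")
    digits = net.replace(".", "").lower()
    if len(digits) % 2:
        raise ValueError(f"{net!r}: NET must consist of whole bytes")
    if len(digits) < MIN_AREA_HEX + SYSTEM_ID_HEX + SEL_HEX:
        raise ValueError(f"{net!r}: area ID must be at least 1 byte")
    # Work from the right: SEL and system ID have fixed sizes, and whatever
    # remains on the left is the variable-length area ID.
    sel = digits[-SEL_HEX:]
    system_id = digits[-(SEL_HEX + SYSTEM_ID_HEX):-SEL_HEX]
    area_id = digits[:-(SEL_HEX + SYSTEM_ID_HEX)]
    if len(area_id) > MAX_AREA_HEX:
        raise ValueError(f"{net!r}: area ID is longer than 13 bytes")
    if sel != "00":
        raise ValueError(f"{net!r}: SEL must be 00, got {sel}")
    return Net(area_id, system_id, sel)


def system_id_from_ipv4(address: str) -> str:
    """Derive a dotted system ID from an IPv4 address (typically a loopback
    address) by zero-padding each octet to three digits, so 192.168.1.1
    becomes 1921.6800.1001. Common operator convention, assumed here, not a
    rule from the guide; it keeps system IDs unique when loopbacks are."""
    octets = address.split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        raise ValueError(f"{address!r} is not an IPv4 address")
    digits = "".join(f"{int(o):03d}" for o in octets)
    return ".".join(digits[i:i + 4] for i in range(0, 12, 4))


def check_process_nets(nets: List[str]) -> List[str]:
    """Return the problems with the set of NETs configured under one IS-IS
    process; an empty list means the set satisfies the CAUTION rules."""
    problems: List[str] = []
    parsed = [parse_net(n) for n in nets]
    if len(parsed) > MAX_NETS_PER_PROCESS:
        problems.append(f"{len(parsed)} NETs configured; at most 3 area IDs are allowed")
    if len({p.system_id for p in parsed}) > 1:
        problems.append("NETs on one process must share the same system ID")
    return problems


def same_level1_area(net_a: str, net_b: str) -> bool:
    """Two routers can be in the same Level-1 area only if their area IDs match."""
    return parse_net(net_a).area_id == parse_net(net_b).area_id


if __name__ == "__main__":
    example = parse_net("10.1234.6e9f.0001.00")  # the NET quoted in the guide
    print(example, "area bytes:", example.area_len_bytes)
    print(system_id_from_ipv4("192.168.1.1"))     # constructed sample address
    print(check_process_nets(["10.1234.6e9f.0001.00", "20.1234.6e9f.0002.00"]))
```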

Configuring IPv4 IS-IS Interfaces


To configure an interface on an IS-IS device to send Hello packets or flood LSPs, IS-IS must
be enabled on this interface.

Context
The level of an IS-IS device and level of an interface together determine the level of a neighbor
relationship. By default, Level-1 and Level-2 neighbor relationships will be established between
two Level-1-2 devices. If only one level of neighbor relationships is required, you can configure
the level of an interface to prevent the establishment of the other level of neighbor relationships.
After IS-IS is enabled on an interface, the interface will automatically send Hello packets,
attempting to establish neighbor relationships. If a peer device is not an IS-IS device or if an
interface is not expected to send Hello packets, suppress the interface. The interface then only
advertises routes of the network segment where it resides and does not send Hello
packets. This suppression improves the link bandwidth usage.

Procedure
- Configure an IS-IS interface.
  1. Run:
     system-view
     The system view is displayed.
  2. Run:
     interface interface-type interface-number
     The interface view is displayed.
  3. Run:
     isis enable [ process-id ]
     An IS-IS interface is configured.
     After this command is run, the IS-IS device uses the specified interface to send Hello
     packets and flood LSPs.
     NOTE
     No neighbor relationship needs to be established between loopback interfaces. Therefore, if
     this command is run on a loopback interface, the routes of the network segment where the
     loopback interface resides will be advertised through other IS-IS interfaces.

(Optional) Configure the level of an IS-IS interface.


1.

Run:
system-view

The system view is displayed.


2.

Run:
interface interface-type interface-number

The interface view is displayed.


3.

Run:
isis circuit-level [ level-1 | level-1-2 | level-2 ]

The level of the interface is configured.


By default, the level of an interface is level-1-2.
NOTE

Changing the level of an IS-IS interface is valid only when the level of the IS-IS device is
Level-1-2. If the level of the IS-IS device is not a Level-1-2, the level of the IS-IS device
determines the level of the adjacency to be established.

(Optional) Suppress an IS-IS interface.


1.

Run:
system-view

The system view is displayed.


2.

Run:
interface interface-type interface-number

The interface view is displayed.


3.

Run:
isis silent

Issue 04 (2013-06-15)

Huawei Proprietary and Confidential


Copyright Huawei Technologies Co., Ltd.

823

AC6605 Access Controller


Configuration Guide

5 Configuration Guide - IP Routing

The IS-IS interface is suppressed.


A suppressed IS-IS interface does not send or receive IS-IS packets. The routes of the
network segment where the interface resides, however, can still be advertised to other
routers within the area.
----End

(Optional) Configuring IPv4 IS-IS Interface Costs

Configuring IS-IS interface costs controls IS-IS route selection.

Context
The cost of an IS-IS interface can be determined in the following ways, listed in descending order of
priority:
- Interface cost: configured for a specified interface.
- Global cost: configured for all interfaces.
- Automatically calculated cost: calculated from the interface bandwidth.
If none of the preceding is configured, the default cost of an IS-IS interface is 10,
and the default cost style is narrow.
Procedure
- Configure the IS-IS cost type.
  1. Run:
     system-view
     The system view is displayed.
  2. Run:
     isis [ process-id ]
     The IS-IS view is displayed.
  3. Run:
     cost-style { narrow | wide | wide-compatible | { { narrow-compatible | compatible } [ relax-spf-limit ] } }
     The IS-IS cost type is configured.
     The cost range of an interface and the maximum cost of a route received on the interface
     depend on the cost type.
     - If the cost type is narrow, the cost of an interface ranges from 1 to 63. The maximum
       cost of a route received on the interface is 1023.
     - If the cost type is narrow-compatible or compatible, the cost of an interface ranges from
       1 to 63. The cost of a received route depends on whether relax-spf-limit is specified.
       If relax-spf-limit is not specified:
       - If the cost of a route is not greater than 1023 and the cost of every interface that the
         route passes through is 63 or less, the route is received with its actual cost.
       - If the cost of a route is not greater than 1023 but the cost of an interface that the
         route passes through is greater than 63, the IS-IS device learns only the route
         to the network segment where that interface resides and the routes imported by that
         interface, with their actual costs. Routes beyond that interface are discarded.
       - If the cost of a route is greater than 1023, the IS-IS device learns only as far as the
         first interface at which the route cost exceeds 1023, that is, the cost of each interface
         before it is 63 or less. The route of the network segment where that interface resides
         and the routes imported by that interface are learned with cost 1023. Routes beyond
         that interface are discarded.
       If relax-spf-limit is specified, there is no limit on interface costs or route costs, and a
       route is received with its actual cost.
     - If the cost type is wide-compatible or wide, the cost of an interface ranges from 1 to
       16777215. When the cost is 16777215, the neighbor TLV generated on the link is not
       used for route calculation but only for the transmission of TE information. The maximum
       cost of a received route is 0xFFFFFFFF.
- Configure the cost of an IS-IS interface.
  1. Run:
     system-view
     The system view is displayed.
  2. Run:
     interface interface-type interface-number
     The interface view is displayed.
  3. Run:
     isis cost cost [ level-1 | level-2 ]
     The cost of the IS-IS interface is configured.
     The isis cost command configures the cost of a single interface.
- Configure the global IS-IS cost.
  1. Run:
     system-view
     The system view is displayed.
  2. Run:
     isis [ process-id ]
     The IS-IS view is displayed.
  3. Run:
     circuit-cost cost [ level-1 | level-2 ]
     The global IS-IS cost is configured.
     The circuit-cost command configures the cost of all interfaces at a time.
- Enable IS-IS to automatically calculate interface costs.
  1. Run:
     system-view
     The system view is displayed.
  2. Run:
     isis [ process-id ]
     The IS-IS view is displayed.
  3. Run:
     bandwidth-reference value
     The bandwidth reference value is configured. By default, the bandwidth
     reference value is 100 Mbit/s.
  4. Run:
     auto-cost enable
     Interfaces are configured to calculate their costs automatically.
     The bandwidth reference value takes effect only when the cost type is
     wide or wide-compatible. In this case, cost of each interface = (bandwidth-reference / interface bandwidth) x 10.
     If the cost type is narrow, narrow-compatible, or compatible, the cost of each interface is
     taken from Table 5-3.
     Table 5-3 Mapping between IS-IS interface costs and interface bandwidth
     Cost   Bandwidth range
     60     Interface bandwidth ≤ 10 Mbit/s
     50     10 Mbit/s < interface bandwidth ≤ 100 Mbit/s
     40     100 Mbit/s < interface bandwidth ≤ 155 Mbit/s
     30     155 Mbit/s < interface bandwidth ≤ 622 Mbit/s
     20     622 Mbit/s < interface bandwidth ≤ 2.5 Gbit/s
     10     Interface bandwidth > 2.5 Gbit/s
     NOTE
     The cost of a loopback interface can be changed only by running the isis cost command in the
     loopback interface view.
----End
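The following is an added example and not Huawei code or part of the original page. It models, in Python, the cost rules documented in the two passages above (the per-cost-style interface and route cost limits, and the automatic cost calculation with `bandwidth-reference` and Table 5-3) so that the cost each interface will receive can be predicted offline before the IS-IS process on the device is changed. The function names, the interface names in the constructed sample, and the truncation and clamping of the wide-style result are this example's own assumptions; the document only gives the formula and the ranges.

```python
"""Model of the IS-IS interface-cost rules described in this section.

Added example, not Huawei code: it re-implements the documented per-cost-style
limits and the automatic cost calculation ('auto-cost enable' together with
'bandwidth-reference') so a planner can predict the cost every interface will
end up with before changing a live IS-IS process. Function names are the
example's own; truncating the wide-style result to an integer and clamping it
is an assumption, since the document only gives the formula.
"""

NARROW_STYLES = frozenset({"narrow", "narrow-compatible", "compatible"})
WIDE_STYLES = frozenset({"wide", "wide-compatible"})

MAX_NARROW_INTERFACE_COST = 63
MAX_WIDE_INTERFACE_COST = 16_777_215   # a link at this cost carries TE info only
MAX_NARROW_ROUTE_COST = 1023
MAX_WIDE_ROUTE_COST = 0xFFFFFFFF

# Table 5-3 as (upper bound in bit/s, cost): the first row whose bound the
# bandwidth does not exceed applies; anything faster than the last bound is 10.
NARROW_AUTO_COST_TABLE = (
    (10_000_000, 60),
    (100_000_000, 50),
    (155_000_000, 40),
    (622_000_000, 30),
    (2_500_000_000, 20),
)


def _style_family(cost_style):
    if cost_style in NARROW_STYLES:
        return "narrow"
    if cost_style in WIDE_STYLES:
        return "wide"
    raise ValueError(f"unknown cost-style: {cost_style!r}")


def check_interface_cost(cost_style, cost):
    """Validate an 'isis cost' or 'circuit-cost' value; returns (accepted, note)."""
    upper = (MAX_NARROW_INTERFACE_COST if _style_family(cost_style) == "narrow"
             else MAX_WIDE_INTERFACE_COST)
    if not 1 <= cost <= upper:
        return False, f"cost {cost} is outside 1..{upper} for cost-style {cost_style}"
    if cost == MAX_WIDE_INTERFACE_COST:
        return True, "link is excluded from route calculation and only carries TE information"
    return True, "ok"


def max_received_route_cost(cost_style, relax_spf_limit=False):
    """Largest route cost the process accepts; None means no limit."""
    if _style_family(cost_style) == "wide":
        return MAX_WIDE_ROUTE_COST
    if cost_style in ("narrow-compatible", "compatible") and relax_spf_limit:
        return None
    return MAX_NARROW_ROUTE_COST


def auto_cost(cost_style, bandwidth_bps, bandwidth_reference_mbps=100):
    """Cost that 'auto-cost enable' assigns to an interface of the given bandwidth.

    bandwidth_reference_mbps mirrors 'bandwidth-reference value' (default 100)
    and, as the text states, is consulted only for the wide cost styles.
    """
    if bandwidth_bps <= 0:
        raise ValueError("bandwidth must be positive")
    if _style_family(cost_style) == "wide":
        raw = bandwidth_reference_mbps * 1_000_000 / bandwidth_bps * 10
        # Assumption: truncate, and keep the result inside the usable range so a
        # link faster than the reference never gets 0 and never hits the TE-only value.
        return max(1, min(int(raw), MAX_WIDE_INTERFACE_COST - 1))
    for upper_bound_bps, cost in NARROW_AUTO_COST_TABLE:
        if bandwidth_bps <= upper_bound_bps:
            return cost
    return 10


def plan_costs(cost_style, interfaces, global_cost=None, bandwidth_reference_mbps=100):
    """Effective cost per interface, applying the documented priority:
    interface cost, then global cost, then automatic calculation.

    interfaces: iterable of (name, bandwidth_bps, interface_cost_or_None).
    """
    plan = {}
    for name, bandwidth_bps, interface_cost in interfaces:
        if interface_cost is not None:
            chosen = interface_cost
        elif global_cost is not None:
            chosen = global_cost
        else:
            chosen = auto_cost(cost_style, bandwidth_bps, bandwidth_reference_mbps)
        accepted, note = check_interface_cost(cost_style, chosen)
        if not accepted:
            raise ValueError(f"{name}: {note}")
        plan[name] = chosen
    return plan


if __name__ == "__main__":
    # Constructed sample: a 1 Gbit/s uplink left to auto-cost and a 10 Mbit/s
    # link pinned to cost 15 (interface names are hypothetical).
    sample = [("Vlanif10", 1_000_000_000, None), ("Vlanif20", 10_000_000, 15)]
    print(plan_costs("narrow", sample))        # {'Vlanif10': 20, 'Vlanif20': 15}
    print(plan_costs("wide", sample, bandwidth_reference_mbps=1000))
    # {'Vlanif10': 10, 'Vlanif20': 15}
```

Running `plan_costs` with the intended cost style before changing `cost-style` on the device shows where a narrow-style interface cost above 63 would be rejected, and how much a change of `bandwidth-reference` moves the automatically calculated costs of the faster links.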

(Optional) Configuring IPv4 IS-IS Attributes for Interfaces on Different Types of Networks

Different IS-IS attributes can be configured for interfaces on different types of networks.

Context
IS-IS neighbor relationships are established differently on a broadcast network
and on a P2P network, so different IS-IS attributes can be configured for interfaces on the two
types of networks.
IS-IS must elect a DIS on a broadcast network. Configure the DIS priorities of IS-IS
interfaces so that the interface with the highest priority is elected as the DIS.
The network types of the IS-IS interfaces on both ends of a link must be the same; otherwise,
no IS-IS neighbor relationship can be established between the two interfaces. For example,
if the interface on the peer device is of type P2P, configure the interface on the local device
as P2P so that an IS-IS neighbor relationship can be established between the two devices.
IS-IS does not elect a DIS on a P2P network, so no DIS priority needs to be configured there.
To ensure the reliability of P2P links, configure IS-IS to use the three-way
handshake for neighbor relationship establishment so that a fault on a unidirectional
link can be detected.

Procedure
- Configure the DIS priority of an IS-IS interface.
  1. Run:
     system-view
     The system view is displayed.
  2. Run:
     interface interface-type interface-number
     The interface view is displayed.
  3. Run:
     isis dis-priority priority [ level-1 | level-2 ]
     The DIS priority is configured on the interface. The greater the value, the higher the
     priority.
  4. (Optional) Run:
     isis dis-name symbolic-name
     A name is configured for the DIS for easier maintenance and management.
- Configure the network type of an IS-IS interface.
  1. Run:
     system-view
     The system view is displayed.
  2. Run:
     interface interface-type interface-number
     The interface view is displayed.
  3. Run:
     isis circuit-type p2p
     The network type of the interface is set to P2P.
     By default, the network type of an interface is determined by its physical type.
     When the network type of an IS-IS interface changes, the interface configuration changes
     accordingly:
     - After a broadcast interface is configured as a P2P interface using the isis circuit-type
       p2p command, the default settings are restored for the interval for sending
       Hello packets, the number of Hello packets that IS-IS fails to receive from a
       neighbor before the neighbor is declared Down, the interval for retransmitting LSPs
       on a P2P link, and the IS-IS authentication modes. Configurations that apply only to
       a broadcast network, such as the DIS priority, DIS name, and interval for sending CSNPs,
       become invalid.
     - After the undo isis circuit-type command is run to restore the network type, the
       default settings are restored for the interval for sending Hello packets, the number
       of Hello packets that IS-IS fails to receive from a neighbor before the neighbor is
       declared Down, the interval for retransmitting LSPs on a P2P link, the IS-IS
       authentication modes, the DIS priority, and the interval for sending CSNPs on a broadcast
       network.
- Set the negotiation mode in which P2P neighbor relationships are set up.
  1. Run:
     system-view
     The system view is displayed.
  2. Run:
     interface interface-type interface-number
     The interface view is displayed.
  3. Run:
     isis ppp-negotiation { 2-way | 3-way [ only ] }
     The negotiation mode is specified on the interface.
     By default, the 3-way handshake negotiation mode is used.
     The isis ppp-negotiation command applies only to the establishment of
     neighbor relationships on P2P links. On a broadcast link, first run the
     isis circuit-type p2p command to set the link type to P2P, and then run the isis ppp-negotiation
     command to set the negotiation mode for neighbor relationship establishment.
- Configure OSICP negotiation check on PPP interfaces.
  1. Run:
     system-view
     The system view is displayed.
  2. Run:
     interface interface-type interface-number
     The interface view is displayed.
  3. Run:
     isis ppp-osicp-check
     The OSICP negotiation status is checked on the PPP interface.
     By default, the OSICP negotiation status of a PPP interface does not affect the status
     of the IS-IS interface.
     The isis ppp-osicp-check command applies only to PPP interfaces. It is
     invalid on other P2P interfaces.
     After this command is run, the OSICP negotiation status of the PPP interface affects the
     status of the IS-IS interface: when PPP detects that the OSI network fails, the link
     status of the IS-IS interface goes Down and the route to the network segment where
     the interface resides is no longer advertised in LSPs.
- Configure the size of the Hello packets sent on the IS-IS interface.
  1. Run:
     system-view
     The system view is displayed.
  2. Run:
     interface interface-type interface-number
     The interface view is displayed.
     NOTE
     Step 3 and Step 4 are mutually exclusive. Run one of them as needed.
  3. Run:
     isis small-hello
     The interface is configured to send Hello packets without the padding field.
  4. Run:
     isis padding-hello
     The interface is configured to send standard Hello packets with the padding field.
- Configure IS-IS not to check whether the IP addresses of received Hello packets are on the
  same network segment.
  1. Run:
     system-view
     The system view is displayed.
  2. Run:
     interface interface-type interface-number
     The interface view is displayed.
  3. Run:
     isis peer-ip-ignore
     IS-IS is configured not to check whether the IP addresses of received Hello packets
     are on the same network segment.
     Use this command only where the two ends of a link genuinely use different network
     segments: it removes a check that otherwise rejects Hello packets sent from unexpected
     addresses.
----End

Checking the Configuration

After basic IPv4 IS-IS functions are configured, you can view information about IS-IS neighbors,
interfaces, and routes.

Prerequisites
The configuration of basic IPv4 IS-IS functions is complete.

Procedure
Step 1 Run the display isis name-table [ process-id | vpn-instance vpn-instance-name ] command to
check the mapping from the name of the local device to the system ID.
Step 2 Run the display isis peer [ verbose ] [ process-id | vpn-instance vpn-instance-name ] command
to check information about IS-IS neighbors.
Step 3 Run the display isis interface [ verbose ] [ process-id | vpn-instance vpn-instance-name ]
command to check information about IS-IS interfaces.
Step 4 Run the display isis route [ process-id | vpn-instance vpn-instance-name ] [ ipv4 ] [ verbose |
[ level-1 | level-2 ] | ip-address [ mask | mask-length ] ] * command to check information about
IS-IS routes.
----End

5.4.4 Establishing or Maintaining IS-IS Neighbor Relationships or Adjacencies

This section describes how to configure the parameters that affect IS-IS neighbor
relationships.

Establishing the Configuration Task

Before configuring the parameters that affect IS-IS neighbor relationships, familiarize
yourself with the applicable environment, complete the pre-configuration tasks, and obtain the
required data. This helps you complete the configuration task quickly and accurately.

Applicable Environment
This section describes how to establish or maintain IS-IS neighbor relationships, covering:
- Adjusting the timers of IS-IS packets, including Hello packets, CSNPs, and LSPs
- Adjusting LSP parameters

Pre-configuration Tasks
Before establishing or maintaining IS-IS neighbor relationships or adjacencies, complete the
following tasks:
- Configuring IP addresses for interfaces to make neighboring nodes reachable
- 5.4.3 Configuring Basic IPv4 IS-IS Functions

Data Preparation
To establish or maintain IS-IS neighbor relationships or adjacencies, you need the following
data.
No.   Data
1     Parameters of IS-IS timers
2     LSP parameters
Configuring IS-IS Timers for Packets

This part describes how to set the intervals for sending Hello packets, Complete Sequence
Number PDUs (CSNPs), and Link State PDUs (LSPs).

Context
Perform the following steps on the Switch that runs IS-IS.

Procedure
- Configure the interval for sending Hello packets.
  1. Run:
     system-view
     The system view is displayed.
  2. Run:
     interface vlanif vlan-id
     The VLANIF interface view is displayed.
  3. Run:
     isis timer hello hello-interval [ level-1 | level-2 ]
     The interval for sending Hello packets is set on the interface.
     On a broadcast link, there are Level-1 and Level-2 Hello packets, and a different interval
     can be set for each. If no level is specified, both the Level-1 timer and the Level-2 timer
     are configured. On a P2P link, there is only one type of Hello packet, so neither level-1
     nor level-2 is needed.
     NOTE
     The level-1 and level-2 parameters are available only on broadcast interfaces.
- Configure the number of Hello packets after which a neighbor is declared Down.
  1. Run:
     system-view
     The system view is displayed.
  2. Run:
     interface vlanif vlan-id
     The VLANIF interface view is displayed.
  3. Run:
     isis timer holding-multiplier number [ level-1 | level-2 ]
     The holding multiplier, that is, the number of consecutive Hello packets that may be missed
     before the neighbor is declared Down, is set.
     If no level is specified, both the Level-1 timer and the Level-2 timer are configured.
     NOTE
     The level-1 and level-2 parameters are available only on broadcast interfaces.
     IS-IS maintains neighbor relationships through Hello packets. If the local
     router does not receive any Hello packet from a neighbor within the holding time, the local
     router declares the neighbor invalid.
     The holding time, that is, the period for which the local router keeps the neighbor
     relationship without hearing from the neighbor, is the holding multiplier times the interval
     for sending Hello packets.
- Configure the interval for sending CSNPs.
  1. Run:
     system-view
     The system view is displayed.
  2. Run:
     interface vlanif vlan-id
     The VLANIF interface view is displayed.
  3. Run:
     isis timer csnp csnp-interval [ level-1 | level-2 ]
     The interval for sending CSNPs is set.
     CSNPs are sent by the Designated IS (DIS) to synchronize LSDBs on a broadcast
     network. If no level is specified, the timer of the current level is configured.
- Configure the interval for retransmitting LSPs.
  1. Run:
     system-view
     The system view is displayed.
  2. Run:
     interface vlanif vlan-id
     The VLANIF interface view is displayed.
  3. Run:
     isis enable
     IS-IS is enabled on the VLANIF interface.
  4. Run:
     isis circuit-type p2p
     The network type of the interface is set to P2P.
  5. Run:
     isis timer lsp-retransmit retransmit-interval
     The interval for retransmitting LSPs on a P2P link is set.
     On a P2P link, if the local router does not receive a response within a period of time after
     it sends an LSP, it considers the LSP lost or dropped. To ensure reliable
     transmission, the local router retransmits the LSP after retransmit-interval. By
     default, the interval for retransmitting LSPs on a P2P link is 5 seconds.
     LSPs sent on a broadcast link do not require a response.
- Configure the minimum interval for sending LSPs.
  1. Run:
     system-view
     The system view is displayed.
  2. Run:
     interface vlanif vlan-id
     The VLANIF interface view is displayed.
  3. Run:
     isis timer lsp-throttle throttle-interval [ count count ]
     The minimum interval for sending LSPs is set.
     count specifies the maximum number of LSPs that can be sent within the period
     specified by throttle-interval. The value ranges from 1 to 1000.
     The minimum interval for sending LSPs on an IS-IS interface is the delay
     between two consecutive LSPs. The same value is used as the interval for sending
     fragments of a CSNP.
----End

Configuring LSP Parameters

By configuring the LSP generation timer, you can adjust when an IS-IS device generates
LSPs. Setting the size of the LSPs that IS-IS generates or receives affects the transmission
of LSPs.

Context
Perform the following steps on the Switch that runs IS-IS.

Procedure
- Configure the interval for refreshing LSPs.
  1. Run:
     system-view
     The system view is displayed.
  2. Run:
     isis [ process-id ]
     The IS-IS view is displayed.
  3. Run:
     timer lsp-refresh refresh-time
     The LSP refresh interval is set.
     To keep the LSPs in an area synchronized, the Switches in the area periodically resend all
     their current LSPs.
     By default, the LSP refresh interval is 900 seconds and the maximum lifetime of an
     LSP is 1200 seconds. Ensure that the LSP refresh interval is at least 300 seconds
     shorter than the maximum LSP lifetime, so that new LSPs reach all Switches in the area
     before the existing LSPs expire.
     NOTE
     Adjust the difference between the LSP refresh interval and the maximum
     LSP lifetime according to the network scale.
- Configure the maximum lifetime of an LSP.
  1. Run:
     system-view
     The system view is displayed.
  2. Run:
     isis [ process-id ]
     The IS-IS view is displayed.
  3. Run:
     timer lsp-max-age age-time
     The maximum lifetime of an LSP is set.
     When a Switch generates an LSP, it sets the maximum lifetime for the LSP. After the LSP is
     received by other Switches, its remaining lifetime decreases as time passes. If a Switch
     receives no updated LSP and the lifetime of the LSP decreases to 0, the LSP is kept for
     another 60 seconds. If a new LSP is still not received, the LSP is deleted from the LSDB.
- Configure the intelligent timer used to generate LSPs.
  1. Run:
     system-view
     The system view is displayed.
  2. Run:
     isis [ process-id ]
     The IS-IS view is displayed.
  3. Run:
     timer lsp-generation max-interval [ init-interval [ incr-interval ] ] [ level-1 | level-2 ]
     The intelligent timer used to generate LSPs is set.
     If no level is specified, both Level-1 and Level-2 are configured.
     The initial delay for generating the same LSP (or LSP fragment) is init-interval. The delay
     for generating the same LSP (or LSP fragment) the second time is incr-interval. On each
     subsequent route change, the delay for generating the same LSP (or LSP fragment) doubles,
     until it reaches max-interval. After the delay has reached max-interval three times, or when
     the IS-IS process is reset, the delay drops back to init-interval.
     When incr-interval is not specified, init-interval is used as the initial delay the first time
     the same LSP (or LSP fragment) is generated, and max-interval is used for the delay
     thereafter. After the delay has reached max-interval three times, or when the IS-IS process
     is reset, the delay drops back to init-interval.
     When only max-interval is specified, the intelligent timer becomes an ordinary one-shot timer.
- Configure the size of an LSP.
  1. Run:
     system-view
     The system view is displayed.
  2. Run:
     isis [ process-id ]
     The IS-IS view is displayed.
  3. Run:
     lsp-length originate max-size
     The size of LSPs generated by the system is set.
  4. Run:
     lsp-length receive max-size
     The size of LSPs that can be received is set.
     NOTE
     The max-size of generated (or forwarded) LSPs must be smaller than or equal to the
     max-size of received LSPs.
     The value of max-size set by the lsp-length command must also meet the following
     conditions:
     - The MTU of an Ethernet interface must be greater than or equal to max-size plus 3.
     - The MTU of a P2P interface must be greater than or equal to max-size.
- Add an interface to a mesh group.
  1. Run:
     system-view
     The system view is displayed.
  2. Run:
     interface vlanif vlan-id
     The VLANIF interface view is displayed.
  3. Run:
     isis mesh-group { mesh-group-number | mesh-blocked }
     The interface is added to a mesh group.
     On a Non-Broadcast Multiple Access (NBMA) network, after an interface of a Switch receives
     an LSP, the Switch floods the LSP out of its other interfaces. In a highly connected network
     with multiple P2P links, this flooding causes the same LSP to be flooded repeatedly
     and wastes bandwidth.
     To avoid this problem, configure several interfaces to form a mesh group.
     The Switch does not flood an LSP received on one interface of a mesh group to the other
     interfaces of the same group; it floods the LSP only to interfaces of other groups and to
     interfaces that do not belong to any group.
     When mesh-blocked is configured on an interface, the interface is blocked and does not
     flood LSPs at all. All interfaces added to a mesh group still achieve global LSDB
     synchronization through the CSNP and PSNP mechanisms.
- Configure LSP fragment extension.
  1. Run:
     system-view
     The system view is displayed.
  2. Run:
     isis [ process-id ]
     The IS-IS view is displayed.
  3. Run:
     lsp-fragments-extend [ [ level-1 | level-2 | level-1-2 ] | [ mode-1 | mode-2 ] ] *
     LSP fragment extension is enabled in the IS-IS process.
  4. Run:
     virtual-system virtual-system-id
     A virtual system is configured.
     To configure a Switch to generate extended LSP fragments, you must configure at least
     one virtual system. The ID of the virtual system must be unique in the domain.
     An IS-IS process can be configured with up to 50 virtual system IDs.
     If neither the mode nor the level is specified when LSP fragment extension is configured,
     mode-1 and Level-1-2 are used by default.
----End
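The following is an added example and not Huawei code or part of the original page. It models, in Python, three of the rules stated in the LSP parameter steps above: the required margin between the LSP refresh interval and the maximum LSP lifetime, the relation between `lsp-length` and the interface MTU, and the delay sequence produced by the `timer lsp-generation` intelligent timer. The function names, the constructed two-interface sample, and the interface names are this example's own; the numeric defaults and rules come from the text.

```python
"""Checks for the LSP parameters described in this section.

Added example, not Huawei code. It models three of the documented rules so the
values can be sanity-checked before being typed into the IS-IS view:
  - 'timer lsp-refresh' must be at least 300 s shorter than 'timer lsp-max-age';
  - 'lsp-length originate' must not exceed 'lsp-length receive', and every
    interface MTU must be at least max-size + 3 (Ethernet) or max-size (P2P);
  - the 'timer lsp-generation' intelligent timer: init-interval first, then
    incr-interval, then doubling up to max-interval, and back to init-interval
    after max-interval has been reached three times.
Function names are the example's own; the defaults come from the text.
"""

DEFAULT_LSP_REFRESH = 900        # seconds
DEFAULT_LSP_MAX_AGE = 1200       # seconds
REQUIRED_REFRESH_MARGIN = 300    # seconds


def check_lsp_lifetimes(refresh=DEFAULT_LSP_REFRESH, max_age=DEFAULT_LSP_MAX_AGE):
    """Return a list of problems; an empty list means the two timers are consistent."""
    problems = []
    if refresh + REQUIRED_REFRESH_MARGIN > max_age:
        problems.append(
            f"lsp-refresh {refresh}s must be at least {REQUIRED_REFRESH_MARGIN}s "
            f"shorter than lsp-max-age {max_age}s, or new LSPs may not reach every "
            f"switch before the old ones expire")
    return problems


def check_lsp_length(originate, receive, interfaces):
    """Check 'lsp-length originate/receive' against the interface MTUs.

    interfaces: iterable of (name, kind, mtu) with kind 'ethernet' or 'p2p'.
    """
    problems = []
    if originate > receive:
        problems.append(f"lsp-length originate {originate} exceeds receive {receive}")
    for name, kind, mtu in interfaces:
        if kind not in ("ethernet", "p2p"):
            raise ValueError(f"{name}: unknown interface kind {kind!r}")
        overhead = 3 if kind == "ethernet" else 0
        for label, size in (("originate", originate), ("receive", receive)):
            if mtu < size + overhead:
                problems.append(
                    f"{name}: MTU {mtu} is below lsp-length {label} {size} + {overhead}")
    return problems


def lsp_generation_delays(max_interval, init_interval=None, incr_interval=None, changes=8):
    """Delay applied to each of `changes` consecutive route changes under
    'timer lsp-generation max-interval [ init-interval [ incr-interval ] ]'.

    Units are whatever the command uses; only the ratios matter here.
    """
    if init_interval is None:
        # Only max-interval given: an ordinary one-shot timer.
        return [max_interval] * changes
    delays = []
    delay, position, times_at_max = init_interval, 0, 0
    for _ in range(changes):
        delays.append(delay)
        if delay >= max_interval:
            times_at_max += 1
            if times_at_max == 3:
                # Reached max-interval three times: start the cycle over.
                delay, position, times_at_max = init_interval, 0, 0
            else:
                delay = max_interval
            continue
        position += 1
        if position == 1:
            # Second generation: incr-interval if given, otherwise jump to max-interval.
            delay = incr_interval if incr_interval is not None else max_interval
        else:
            delay = min(delay * 2, max_interval)
    return delays


if __name__ == "__main__":
    # Constructed sample configuration for a two-interface switch (hypothetical names).
    print(check_lsp_lifetimes(refresh=1000, max_age=1200))   # margin too small
    print(check_lsp_length(1497, 1497, [("Vlanif10", "ethernet", 1500),
                                        ("Vlanif20", "p2p", 1497)]))  # []
    print(lsp_generation_delays(8, 1, 2, changes=10))   # [1, 2, 4, 8, 8, 8, 1, 2, 4, 8]
    print(lsp_generation_delays(8, 1, changes=10))      # [1, 8, 8, 8, 1, 8, 8, 8, 1, 8]
```

The delay sequence is the useful part for capacity planning: it shows how quickly a flapping route stops triggering LSP regeneration (the delay climbs to max-interval and stays there), and how long after the last reset the process returns to init-interval, which bounds how fast an attacker or a faulty link can force repeated LSP floods.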

Checking the Configuration

After configuring the parameters that affect IS-IS neighbor relationships, you can check
information about IS-IS interfaces and statistics about the IS-IS process.

Prerequisites
The configurations of Establishing or Maintaining IS-IS Neighbor Relationships or Adjacencies
are complete.

Procedure
- Run the display isis interface [ verbose ] [ process-id | vpn-instance vpn-instance-name ]
  command to check information about the interfaces enabled with IS-IS.
- Check the statistics of the IS-IS process:
  display isis statistics [ level-1 | level-2 | level-1-2 ] [ process-id | vpn-instance vpn-instance-name ]
  display isis statistics packet [ interface interface-type interface-number ]
  display isis process-id statistics [ level-1 | level-2 | level-1-2 | packet ]
----End

5.4.5 Configuring IPv4 IS-IS Route Selection

Configuring IS-IS route selection achieves refined control over route selection.

Establishing the Configuration Task

Before configuring IPv4 IS-IS route selection, familiarize yourself with the applicable
environment, complete the pre-configuration tasks, and obtain the data required for the
configuration. This helps you complete the configuration task quickly and efficiently.

Applicable Environment
After basic IPv4 IS-IS functions are configured, IS-IS routes are generated, enabling
communication between different nodes on a network.
If multiple routes are available, the route selected by IS-IS may not be the optimal one. This
neither meets network planning requirements nor facilitates traffic management. Therefore,
configure IPv4 IS-IS route selection to implement refined control over route selection.
To implement refined control over IPv4 IS-IS route selection, perform the following operations:
- Configure IPv4 IS-IS interface costs.
  NOTE
  Changing the IS-IS cost of an interface controls route selection, but requires routes over
  the interface to be recalculated and reconverged whenever the network topology changes, which
  is costly on a large-scale network. In addition, the result may not meet your expectation.
  Therefore, IS-IS costs are best set when basic IS-IS functions are configured.
- Configure IPv4 IS-IS route leaking.
- Configure principles for selecting equal-cost IPv4 IS-IS routes.
- Filter IPv4 IS-IS routes.
- Configure an overload bit for an IPv4 IS-IS device.

Pre-configuration Tasks
Before configuring IPv4 IS-IS route selection, complete the following tasks:
- Configuring IP addresses for interfaces to ensure that neighboring nodes are reachable at
  the network layer
- Configuring Basic IPv4 IS-IS Functions

Data Preparation
To configure IPv4 IS-IS route selection, you need the following data.
No.   Data
1     ACL for filtering routes, IP prefix list, or routing policy
2     Maximum number of load-balancing equal-cost IS-IS routes
3     Preference of the next hop
4     Time when an IS-IS device enters the overload state
Configuring Principles for Using Equal-Cost IPv4 IS-IS Routes

If multiple equal-cost IS-IS routes are available on a network, configure the equal-cost IS-IS
routes to work in load-balancing mode to increase the bandwidth usage of each link, or configure
preference values for the equal-cost IS-IS routes to facilitate traffic management.

Context
If there are redundant IS-IS links, multiple routes may have equal costs. Choose either of the
following methods to use these equal-cost IS-IS routes:
- Configure load balancing for equal-cost IS-IS routes so that traffic is evenly balanced
  among these links.
  This mechanism increases link bandwidth usage and prevents network congestion
  caused by link overload. However, it may make traffic management more
  difficult because traffic is spread across the links rather than following one predictable path.
- Configure preference values for equal-cost IS-IS routes so that only the route with the
  highest preference is used and the others function as backups.
  This configuration facilitates traffic management and improves network reliability,
  without the need to change the original configuration.

Procedure
- Configure equal-cost IS-IS routes to work in load-balancing mode.
  1. Run:
     system-view
     The system view is displayed.
  2. Run:
     isis [ process-id ]
     The IS-IS view is displayed.
  3. Run:
     maximum load-balancing number
     The maximum number of load-balancing equal-cost IS-IS routes is set.
     NOTE
     If the number of IS-IS equal-cost routes is greater than number, only number of them
     work in load-balancing mode. If the number of IS-IS equal-cost routes is smaller than
     number, all of them work in load-balancing mode.
- Configure preference values for equal-cost IS-IS routes.
  1. Run:
     system-view
     The system view is displayed.
  2. Run:
     isis [ process-id ]
     The IS-IS view is displayed.
  3. Run:
     nexthop ip-address weight value
     A preference value is configured for an equal-cost IS-IS route.
     NOTE
     A larger value of value indicates a higher preference.
----End

Filtering IPv4 IS-IS Routes


If some IS-IS routes are not preferred, configure conditions to filter IS-IS routes. Only IS-IS
routes meeting the specified conditions can be added to an IP routing table.

Context
Only routes in an IP routing table can be used to forward IP packets. An IS-IS route can take
effect only after this IS-IS route has been successfully added to an IP routing table.
If an IS-IS route does not need to be added to a routing table, specify conditions, such as a basic
ACL, IP prefix list, or routing policy, to filter routes so that only IS-IS routes that meet the specified
conditions can be added to an IP routing table. IS-IS routes that do not meet the specified conditions
cannot be added to the IP routing table and cannot be selected to forward IP packets.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
isis [ process-id ]

The IS-IS view is displayed.


Step 3 Run:
filter-policy { acl-number | acl-name acl-name | ip-prefix ip-prefix-name | route-policy route-policy-name } import

Conditions for filtering IS-IS routes are configured.


----End
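The filtering step above is best understood by seeing which routes survive it. The following is an added example (not code from the Huawei guide) that models `filter-policy ... import` with an IP prefix list as the match condition. The prefix-list semantics it assumes are: entries are evaluated in order, an entry matches when the route lies inside the entry's prefix and its mask length falls in the greater-equal / less-equal range (exact length when neither is given; up to 32 when only greater-equal is given), and an implicit deny ends the list. The routes and entries are constructed sample data.

```python
"""Added example: simulate `filter-policy ... import` with an IP prefix list.

Only IS-IS routes the prefix list permits are installed in the IP routing
table; everything else is rejected and can never be used for forwarding.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class PrefixEntry:
    action: str                  # "permit" or "deny"
    prefix: IPv4Network          # e.g. 10.0.0.0/8
    ge: Optional[int] = None     # greater-equal mask length (assumed semantics)
    le: Optional[int] = None     # less-equal mask length (assumed semantics)

    def matches(self, route: IPv4Network) -> bool:
        # The route must lie inside the entry's prefix ...
        if not route.subnet_of(self.prefix):
            return False
        # ... and its mask length must lie in [lo, hi].
        lo = self.ge if self.ge is not None else self.prefix.prefixlen
        if self.le is not None:
            hi = self.le
        else:
            hi = 32 if self.ge is not None else self.prefix.prefixlen
        return lo <= route.prefixlen <= hi


def prefix_list_permits(entries: List[PrefixEntry], route: IPv4Network) -> bool:
    """First matching entry decides; no match means the implicit deny."""
    for entry in entries:
        if entry.matches(route):
            return entry.action == "permit"
    return False


def import_filter(isis_routes: List[str],
                  entries: List[PrefixEntry]) -> Tuple[List[str], List[str]]:
    """Split IS-IS routes into (installed, rejected), keeping input order."""
    installed, rejected = [], []
    for text in isis_routes:
        net = IPv4Network(text)
        (installed if prefix_list_permits(entries, net) else rejected).append(str(net))
    return installed, rejected


# Constructed sample data: routes learned by IS-IS and the prefix list
# referenced by `filter-policy ip-prefix ... import`.
ISIS_ROUTES = ["10.1.1.0/24", "10.1.2.0/24", "10.2.0.0/16", "192.168.1.0/24", "172.16.5.0/24"]
PREFIX_LIST = [
    PrefixEntry("deny", IPv4Network("10.1.2.0/24")),              # exact match only
    PrefixEntry("permit", IPv4Network("10.0.0.0/8"), ge=16, le=24),
    PrefixEntry("permit", IPv4Network("192.168.0.0/16"), le=24),
]

if __name__ == "__main__":
    ok, dropped = import_filter(ISIS_ROUTES, PREFIX_LIST)
    print("installed:", ok)
    print("rejected :", dropped)
```

Routes rejected here never reach the IP routing table, which is the point of the `import` direction: the LSDB is unchanged, only local route installation is filtered.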

Configuring an Overload Bit for an IPv4 IS-IS Device


If an IS-IS device needs to be temporarily isolated, configure the IS-IS device to enter the
overload state to prevent other devices from forwarding traffic to this IS-IS device and prevent
blackhole routes.

Context
If an IS (for example, an IS to be upgraded or maintained) needs to be temporarily isolated,
configure the IS to enter the overload state so that no device will forward traffic to this IS.
IS-IS routes converge more quickly than BGP routes. To prevent blackhole routes on a network
where both IS-IS and BGP are configured, set an overload bit to instruct an IS to enter the
overload state during its start or restart. After BGP convergence is complete, cancel the overload
bit.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
isis [ process-id ]

The IS-IS view is displayed.


Step 3 Run:
set-overload [ on-startup [ timeout1 | start-from-nbr system-id [ timeout1
[ timeout2 ] ] | wait-for-bgp [ timeout1 ] ] ] [ allow { interlevel | external }
* ]

The overload bit is configured.


----End

Checking the Configuration


After configuring IPv4 IS-IS route selection, run the following commands to verify that the
configurations are correct.

Procedure
- Run the display isis route [ process-id | vpn-instance vpn-instance-name ] [ ipv4 ] [ verbose | [ level-1 | level-2 ] | ip-address [ mask | mask-length ] ] * command to check IS-IS routing information.
- Run the display isis lsdb [ { level-1 | level-2 } | verbose | { local | lsp-id | is-name symbolic-name } ] * [ process-id | vpn-instance vpn-instance-name ] command to check information in the IS-IS LSDB.

----End

5.4.6 Configuring IPv4 IS-IS Route Summarization


To improve the route searching efficiency and simplify route management on a large-scale IS-IS network, configure IS-IS route summarization to reduce the number of IS-IS routes in a
routing table.

Context
Route summarization is used to summarize routes with the same IP prefix into one route.
On a large-scale IS-IS network, route summarization can be configured to reduce the number
of IS-IS routes in a routing table. This summarization improves the usage of system resources
and facilitates route management.
If a link on an IP network segment that is summarized frequently alternates between Up and
Down states, IP network segments that are not summarized will not be affected, preventing route
flapping and improving the network stability.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
isis [ process-id ]

The IS-IS view is displayed.


Step 3 Run:
summary ip-address mask [ avoid-feedback | generate_null0_route | tag tag |
[ level-1 | level-1-2 | level-2 ] ] *

The specified IS-IS routes are summarized into one IS-IS route.
NOTE

After route summarization is configured on an IS, the local routing table still contains all specific routes
before the summarization.
The routing tables on other ISs contain only the summary route, and the summary route is deleted only
after all its specific routes are deleted.

----End
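The note above describes three behaviours of `summary ip-address mask`: the summarizing IS keeps all specific routes locally, other ISs see only the summary, and the summary disappears only when the last covered route is gone. The following added example (not code from the Huawei guide) models exactly that with a toy IS object; the summary 10.1.0.0/16 and the specific routes are constructed sample data.

```python
"""Added example: what route summarization does to local and remote tables."""
from ipaddress import IPv4Network
from typing import List, Tuple


class SummarizingIS:
    """Toy model of an IS with `summary ip-address mask` configured."""

    def __init__(self, summary: str):
        self.summary = IPv4Network(summary)
        self.specifics = set()          # specific routes this IS knows

    def add(self, prefix: str) -> None:
        self.specifics.add(str(IPv4Network(prefix)))

    def withdraw(self, prefix: str) -> None:
        self.specifics.discard(str(IPv4Network(prefix)))

    def _covered(self, prefix: str) -> bool:
        return IPv4Network(prefix).subnet_of(self.summary)

    def local_table(self) -> List[str]:
        """The local routing table still contains every specific route."""
        return sorted(self.specifics, key=IPv4Network)

    def advertised(self) -> List[str]:
        """What other ISs receive: the summary (while any covered route
        exists) plus the routes the summary does not cover, unchanged."""
        out = [p for p in self.specifics if not self._covered(p)]
        if any(self._covered(p) for p in self.specifics):
            out.append(str(self.summary))
        return sorted(out, key=IPv4Network)


def flap_scenario() -> List[Tuple[str, List[str]]]:
    """A covered link flaps Down; other ISs see no change until all
    covered routes are gone (constructed scenario)."""
    isis = SummarizingIS("10.1.0.0/16")
    for p in ["10.1.1.0/24", "10.1.2.0/24", "10.1.3.0/24", "192.168.1.0/24"]:
        isis.add(p)
    steps = [("initial", isis.advertised())]
    isis.withdraw("10.1.1.0/24")
    steps.append(("after 10.1.1.0/24 down", isis.advertised()))
    isis.withdraw("10.1.2.0/24")
    isis.withdraw("10.1.3.0/24")
    steps.append(("after all covered routes down", isis.advertised()))
    return steps


if __name__ == "__main__":
    for label, routes in flap_scenario():
        print(f"{label:32} advertised: {routes}")
```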

Checking the Configuration


After the route summarization function is configured, perform the following steps to check
whether the route summarization function has taken effect.
- Run the display isis route command to check summary routes in the IS-IS routing table.
- Run the display ip routing-table [ verbose ] command to check summary routes in the IP routing table.

5.4.7 Configuring IPv4 IS-IS to Interact with Other Routing Protocols

If other routing protocols are configured on an IS-IS network, you need to configure IS-IS to
interact with these protocols to ensure successful communication between them.

Establishing the Configuration Task


Before configuring IPv4 IS-IS to interact with other routing protocols, familiarize yourself with
the applicable environment, complete the pre-configuration tasks, and obtain the data required
for the configuration. This will help you complete the configuration task quickly and efficiently.

Applicable Environment
If other routing protocols are configured on an IS-IS network, the following issues need to be
considered:
- Preference of IS-IS routes
  If multiple routes to the same destination are discovered by different routing protocols running on the same device, the route discovered by the protocol with the highest preference is selected. For example, if both OSPF and IS-IS are configured, the route discovered by OSPF is used because OSPF enjoys a higher preference than IS-IS by default. Therefore, if you want the route discovered by IS-IS to be used, configure IS-IS to have the highest preference.
- Communication between an IS-IS area and other areas
  If other routing protocols are configured on an IS-IS network, you need to configure IS-IS to interact with those routing protocols so that IS-IS areas can communicate with non-IS-IS areas.
  NOTE
  The LSDBs of different IS-IS processes on a device are independent of each other. Therefore, each IS-IS process on the device considers routes of the other IS-IS processes as external routes.
  To ensure successful traffic forwarding, configure IS-IS to interact with other routing protocols on a device where external routes are configured, for example, a Level-1-2 IS-IS router. Available methods are as follows:
  - Configure IS-IS to advertise a default route.
    This mode is easy to configure and does not require devices in IS-IS areas to learn external routes. After a default route is advertised, all traffic in an IS-IS area is forwarded through the default route.
  - Configure IS-IS to import external routes.
    This mode enables all devices in IS-IS areas to learn external routes, implementing refined control over traffic forwarding.
  To ensure successful forwarding of traffic destined for IS-IS areas, you must also enable the other routing protocols to interact with IS-IS.

Pre-configuration Tasks
Before configuring IPv4 IS-IS to interact with other routing protocols, complete the following
tasks:
- Configuring the link layer protocol on interfaces
- Configuring IP addresses for interfaces to ensure that neighboring nodes are reachable at the network layer
- Configuring Basic IPv4 IS-IS Functions
- Configuring basic functions of other routing protocols

Data Preparation
To configure IPv4 IS-IS to interact with other routing protocols, you need the following data.

No.  Data
1    ACL for filtering routes, IP prefix list, or routing policy
2    Preference value of IS-IS

Configuring a Preference Value for IPv4 IS-IS


If multiple routes to the same destination are discovered by different routing protocols,
configuring the highest preference value for IS-IS allows a route discovered by IS-IS to be
selected preferentially.

Context
If multiple routes to the same destination are discovered by different routing protocols running
on the same device, the route discovered by the protocol with the highest preference is selected.
For example, if both OSPF and IS-IS are configured on a network, the route discovered by OSPF
is used because OSPF has a higher preference than IS-IS by default.
To prefer a route discovered by IS-IS, configure a higher preference value for IS-IS. In addition,
a routing policy can be configured to increase the preferences of specified IS-IS routes, without
affecting route selection.

Procedure
- Configure the IS-IS preference value.
  1. Run:
     system-view
     The system view is displayed.
  2. Run:
     isis [ process-id ]
     The IS-IS view is displayed.
  3. Run:
     preference preference
     The IS-IS preference value is configured.
     NOTE
     A smaller preference value indicates a higher preference.
     The default IS-IS preference value is 15.
- Configure preference values for specified IS-IS routes.
  1. Run:
     system-view
     The system view is displayed.
  2. Run:
     isis [ process-id ]
     The IS-IS view is displayed.
  3. Run:
     preference preference route-policy route-policy-name
     The preference values are configured for the specified IS-IS routes.
     NOTE
     The preference value takes effect only for IS-IS routes that match the specified routing policy.

----End
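Two route-selection rules from this chapter interact in the routing table: the protocol preference set with `preference` (optionally only for routes matched by a routing policy, as in the procedure above), and, among equal-cost IS-IS routes, the `nexthop ... weight` and `maximum load-balancing` settings from the earlier section on equal-cost route selection. The following added example (not code from the Huawei guide) models both rules over a constructed candidate set; the OSPF default of 10 and IS-IS default of 15 are the values the guide describes, and the routing policy is modelled as a plain Python predicate.

```python
"""Added example: route selection by protocol preference and next-hop weight."""
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

# Default protocol preferences the guide mentions (smaller value = preferred).
DEFAULT_PREFERENCE = {"ospf": 10, "isis": 15}


@dataclass(frozen=True)
class Route:
    protocol: str
    nexthop: str
    cost: int
    weight: int = 0          # `nexthop ip-address weight value`; 0 = not configured


def effective_preference(r: Route, isis_preference: int = 15,
                         policy: Optional[Callable[[Route], bool]] = None,
                         policy_preference: Optional[int] = None) -> int:
    """Preference value the routing table uses for `r` (smaller wins)."""
    if r.protocol != "isis":
        return DEFAULT_PREFERENCE[r.protocol]
    if policy is not None and policy_preference is not None and policy(r):
        return policy_preference        # `preference pref route-policy name` matched
    return isis_preference              # `preference pref` (default 15)


def select(candidates: List[Route], max_load_balancing: int = 1,
           **pref_kwargs) -> Tuple[List[str], List[str]]:
    """Return (active next hops, standby next hops) for one destination."""
    prefs = {r: effective_preference(r, **pref_kwargs) for r in candidates}
    best = min(prefs.values())
    winners = [r for r in candidates if prefs[r] == best]
    # Only the lowest-cost routes of the winning protocol are equal-cost routes.
    min_cost = min(r.cost for r in winners)
    ecmp = [r for r in winners if r.cost == min_cost]
    # `nexthop ... weight`: the highest weight is the active path, the rest stand by.
    top = max(r.weight for r in ecmp)
    preferred = [r.nexthop for r in ecmp if r.weight == top]
    others = [r.nexthop for r in ecmp if r.weight != top]
    # Equal-weight routes load-balance, capped by `maximum load-balancing number`.
    active = preferred[:max_load_balancing]
    standby = preferred[max_load_balancing:] + others
    return active, standby


# Constructed candidates for one destination prefix.
CANDIDATES = [
    Route("ospf", "10.0.0.1", cost=20),
    Route("isis", "10.0.1.1", cost=10, weight=100),
    Route("isis", "10.0.1.2", cost=10, weight=50),
    Route("isis", "10.0.1.3", cost=10, weight=100),
    Route("isis", "10.0.1.4", cost=30),
]

if __name__ == "__main__":
    print("defaults            :", select(CANDIDATES))
    print("preference 5        :", select(CANDIDATES, isis_preference=5))
    print("pref 5, load-bal 4  :", select(CANDIDATES, max_load_balancing=4, isis_preference=5))
    print("policy on 10.0.1.4  :", select(CANDIDATES, policy=lambda r: r.nexthop == "10.0.1.4",
                                          policy_preference=5))
```

With defaults OSPF wins outright; lowering the IS-IS preference below 10 makes the three cost-10 IS-IS routes the candidates, the two weight-100 next hops are preferred, and `maximum load-balancing` decides how many of those carry traffic.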

Configuring IPv4 IS-IS to Advertise a Default Route


To forward all traffic in an IS-IS area through a default route, configure IS-IS on a Level-1-2
device to advertise the default route.

Context
Only the route 0.0.0.0/0 can be advertised as a default route on a Level-1-2 device. All traffic
destined for other areas is first forwarded to the Level-1-2 device.
To ensure successful traffic forwarding, external routes must be learned on the Level-1-2 device.
NOTE

Configuring static default routes can also achieve interaction between different routing
protocols, but this requires many configurations and is difficult to manage.
If multiple Level-1-2 devices are deployed, a routing policy can be configured to allow only the Level-1-2
device that meets the specified conditions to advertise a default route, preventing blackhole routes.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
isis [ process-id ]

The IS-IS view is displayed.


Step 3 Run:
default-route-advertise [ always | match default | route-policy route-policy-name ]
[ cost cost | tag tag | [ level-1 | level-1-2 | level-2 ] ] * [ avoid-learning ]

IS-IS is configured to advertise a default route.


----End

Checking the Configuration


After IS-IS is enabled to import routes from other protocols, run the following commands to
verify that the configurations are correct.

Procedure
- Run the display isis lsdb [ { level-1 | level-2 } | verbose | { local | lsp-id | is-name symbolic-name } ] * [ process-id | vpn-instance vpn-instance-name ] command to check IS-IS LSDB information.
- Run the display isis route [ process-id | vpn-instance vpn-instance-name ] [ ipv4 ] [ verbose | [ level-1 | level-2 ] | ip-address [ mask | mask-length ] ] * command to check IS-IS routing information.
- Run the display ip routing-table ip-prefix ip-prefix-name [ verbose ] command to check the IP routing table.

----End

5.4.8 Configuring the IPv4 IS-IS Route Convergence Speed


Accelerating IS-IS route convergence can improve the fault location efficiency and improve the
network reliability.

Establishing the Configuration Task


Before configuring the IPv4 IS-IS route convergence speed, familiarize yourself with the
applicable environment, complete the pre-configuration tasks, and obtain the data required for
the configuration. This will help you complete the configuration task quickly and efficiently.

Applicable Environment
The procedure for implementing IS-IS is as follows:
- Establishment of neighboring relationships: establishes neighboring relationships by exchanging Hello packets between two devices.
- LSP flooding: implements LSDB synchronization between devices in the same area.
- SPF calculation: uses the SPF algorithm to calculate IS-IS routes, and delivers the IS-IS routes to the routing table.
To accelerate the IS-IS route convergence speed, configure the following parameters:
- Interval for detecting IS-IS neighboring device failures
- Flooding parameters of CSNPs and LSPs
- Interval for SPF calculation
You can also configure convergence priorities for IPv4 IS-IS routes so that key routes can be
converged by preference when a network topology changes. This minimizes adverse impacts on
key services.

Pre-configuration Tasks
Before configuring the IPv4 IS-IS route convergence speed, complete the following tasks:
- Configuring the link layer protocol on interfaces
- Configuring IP addresses for interfaces to ensure that neighboring nodes are reachable at the network layer
- Configuring Basic IPv4 IS-IS Functions

Data Preparation
To configure the IPv4 IS-IS route convergence speed, you need the following data.

No.  Data
1    Interval at which Hello packets are sent and the holding time of neighboring devices
2    Flooding time of CSNPs and LSPs
3    Interval for SPF calculation
4    Route convergence priority

Configuring the Interval for Detecting IS-IS Neighboring Device Failures


To minimize the effects caused by neighboring device failures on an IS-IS network, accelerate
the speed of detecting IS-IS neighboring device failures.

Context
Connection status between an IS-IS device and its neighboring devices can be monitored by
exchanging Hello packets at intervals. An IS-IS neighboring device is considered Down if the
IS-IS device does not receive any Hello packets from the neighboring device within the specified
period (called the holding time). A failure in an IS-IS neighboring device will trigger LSP
flooding and SPF calculation, after which IS-IS routes are reconverged.
To speed up fault detection, use the following methods to accelerate the speed of detecting IS-IS neighboring device failures:
- Shorten the interval at which Hello packets are sent.
- Shorten the holding time of neighboring devices.
- Configure dynamic IPv4 BFD for IS-IS (see Configuring Dynamic IPv4 BFD for IS-IS).
NOTE
Configuring IPv4 BFD for IS-IS is recommended because this method provides a faster fault detection
speed than the other two methods.

Procedure
- Set an interval at which Hello packets are sent.
  1. Run:
     system-view
     The system view is displayed.
  2. Run:
     interface interface-type interface-number
     The interface view is displayed.
  3. Run:
     isis timer hello hello-interval [ level-1 | level-2 ]
     The interval at which Hello packets are sent is set.
     NOTE
     A broadcast link can transmit both Level-1 and Level-2 Hello packets. You can set different sending intervals for these two types of Hello packets. By default, both Level-1 and Level-2 Hello packets are sent.
     A P2P link can transmit only one type of Hello packets. Therefore, there is no need to specify the level-1 or level-2 parameter if a P2P link is used.
- Set the holding multiplier for neighboring devices.
  1. Run:
     system-view
     The system view is displayed.
  2. Run:
     interface interface-type interface-number
     The interface view is displayed.
  3. Run:
     isis timer holding-multiplier number [ level-1 | level-2 ]
     The holding multiplier of neighboring devices is set.
     NOTE
     A broadcast link can transmit both Level-1 and Level-2 Hello packets. You can set different holding multipliers for these two types of Hello packets. By default, both Level-1 and Level-2 Hello packets are sent.
     A P2P link can transmit only one type of Hello packets. Therefore, there is no need to specify the level-1 or level-2 parameter if a P2P link is used.

----End

Setting Flooding Parameters of SNPs and LSPs


To speed up LSDB synchronization between devices, set flooding parameters of SNPs and LSPs
to proper values.

Context
SNPs consist of CSNPs and PSNPs. CSNPs carry summaries of all LSPs in LSDBs, ensuring
LSDB synchronization between neighboring routers. SNPs are processed differently on
broadcast links and P2P links.
- On a broadcast link, CSNPs are periodically sent by a DIS device. If a router detects that its LSDB is not synchronized with that on its neighboring router, the router will send PSNPs to apply for missing LSPs.
- On a P2P link, CSNPs are sent only during initial establishment of neighboring relationships. If a request is acknowledged, a neighboring router will send a PSNP in response to a CSNP. If a router detects that its LSDB is not synchronized with that on its neighboring router, the router will also send PSNPs to apply for missing LSPs.
To speed up LSDB synchronization, modify the following parameters of SNPs and LSPs on the
AC6605:
- Interval at which CSNPs are sent
- Intelligent timer controlling LSP generation
- Maximum length of LSPs
- Refresh interval of LSPs
- Maximum lifetime of LSPs
- Minimum interval at which LSPs are sent
- LSP fast flooding
- Interval at which LSPs are retransmitted over a P2P link

Procedure
- Set an interval at which CSNPs are sent.
  1. Run:
     system-view
     The system view is displayed.
  2. Run:
     interface interface-type interface-number
     The interface view is displayed.
  3. Run:
     isis timer csnp csnp-interval [ level-1 | level-2 ]
     The interval at which CSNPs are sent is set on the specified interface.
     NOTE
     Specify level-1 or level-2 only when a broadcast interface is specified.

- Configure the intelligent timer controlling LSP generation.
  1. Run:
     system-view
     The system view is displayed.
  2. Run:
     isis [ process-id ]
     The IS-IS view is displayed.
  3. Run:
     timer lsp-generation max-interval [ init-interval [ incr-interval ] ] [ level-1 | level-2 ]
     The intelligent timer controlling LSP generation is configured.
     If a level is not specified, both level-1 and level-2 are used by default.
     The delay in generating an LSP or an LSP fragment for the first time is determined by init-interval; the delay in generating an LSP or an LSP fragment for the second time is determined by incr-interval. From the third time on, the delay in generating an LSP doubles every time until the delay reaches the value specified by max-interval. After the delay remains at the value specified by max-interval for three times or the IS-IS process is restarted, the delay decreases to the value specified by init-interval.
     If incr-interval is not specified, the delay in generating an LSP or LSP fragment for the first time is determined by init-interval. From the second time on, the delay in generating an LSP is determined by max-interval. After the delay remains at the value specified by max-interval for three times or the IS-IS process is restarted, the delay decreases to the value specified by init-interval.
     When only max-interval is specified, the intelligent timer functions as an ordinary one-time triggering timer.
- Set the maximum length for LSPs.
  1. Run:
     system-view
     The system view is displayed.
  2. Run:
     isis [ process-id ]
     The IS-IS view is displayed.
  3. Run:
     lsp-length originate max-size
     The maximum length is set for each LSP to be generated.
  4. Run:
     lsp-length receive max-size
     The maximum length is set for each LSP to be received.
     NOTE
     Ensure that the value of max-size for LSPs to be generated is smaller than or equal to the value of max-size for LSPs to be received.
     The value of max-size in the lsp-length command must meet the following conditions:
     - The MTU of an Ethernet interface must be greater than or equal to the sum of the value of max-size and 3.
     - The MTU of a P2P interface must be greater than or equal to the value of max-size.
- Set the refresh interval for LSPs.
  1. Run:
     system-view
     The system view is displayed.
  2. Run:
     isis [ process-id ]
     The IS-IS view is displayed.
  3. Run:
     timer lsp-refresh refresh-time
     A refresh interval is set for LSPs.
     To synchronize all LSPs in the areas, IS-IS regularly transmits all the current LSPs to neighbors.
     By default, the LSP refresh interval is 900s, and the maximum lifetime of an LSP is 1200s. Ensure that the LSP refresh interval is more than 300s shorter than the maximum LSP lifetime. This allows new LSPs to reach all routers in an area before existing LSPs expire.
     NOTE
     The larger a network, the greater the deviation between the LSP refresh interval and the maximum LSP lifetime.

- Set the maximum lifetime for LSPs.
  1. Run:
     system-view
     The system view is displayed.
  2. Run:
     isis [ process-id ]
     The IS-IS view is displayed.
  3. Run:
     timer lsp-max-age age-time
     The maximum lifetime is set for LSPs.
     When a router generates the system LSP, it fills in the maximum lifetime for this LSP. After the LSP is received by other routers, its remaining lifetime is reduced gradually. If no updated LSP is received and the remaining lifetime is reduced to 0, the LSP is deleted from the LSDB 60s later.
- Set the minimum interval at which LSPs are sent.
  1. Run:
     system-view
     The system view is displayed.
  2. Run:
     interface interface-type interface-number
     The interface view is displayed.
  3. Run:
     isis timer lsp-throttle throttle-interval [ count count ]
     The minimum interval at which LSPs are sent is set.
     The count parameter specifies the maximum number of LSPs that can be sent within the interval specified by throttle-interval. The value of count is an integer ranging from 1 to 1000.
- Enable LSP fast flooding.
  1. Run:
     system-view
     The system view is displayed.
  2. Run:
     isis [ process-id ]
     The IS-IS view is displayed.
  3. Run:
     flash-flood [ lsp-count | max-timer-interval interval | [ level-1 | level-2 ] ] *
     LSP fast flooding is enabled.
     Running the flash-flood command speeds up LSP flooding. The lsp-count parameter specifies the number of LSPs flooded each time, which is applicable to all interfaces. If the number of LSPs to be sent is greater than the value of lsp-count, lsp-count takes effect. If the number of LSPs to be sent is smaller than the value of lsp-count, LSPs of the actual number are sent. If a timer is configured and the configured timer does not expire before the route calculation, the LSPs are flooded immediately when being received; otherwise, the LSPs are sent when the timer expires.
     When LSP fast flooding is enabled, Level-1 LSPs and Level-2 LSPs are fast flooded by default if no level is specified.
- Set an interval at which LSPs are retransmitted over a P2P link.
  1. Run:
     system-view
     The system view is displayed.
  2. Run:
     interface interface-type interface-number
     The interface view is displayed.
  3. (Optional) Run:
     isis circuit-type p2p
     The broadcast interface is configured to emulate a P2P interface.
  4. Run:
     isis timer lsp-retransmit retransmit-interval
     The interval at which LSPs are retransmitted over a P2P link is set.

----End
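Several of the steps above impose relationships between values that are configured in different views, which is where misconfiguration creeps in: the `lsp-length originate` value must not exceed `lsp-length receive`, each interface MTU must accommodate the generated LSP size (plus 3 on Ethernet), and `timer lsp-refresh` must stay well below `timer lsp-max-age`. The following added example (not code from the Huawei guide) is an offline consistency checker for those rules. It assumes the 900s/1200s defaults the guide states, treats a 300s gap as the minimum acceptable (the defaults are exactly 300s apart), and uses constructed interface names and MTUs.

```python
"""Added example: consistency checks for IS-IS LSP length and lifetime settings."""
from dataclasses import dataclass
from typing import List


@dataclass
class Interface:
    name: str        # constructed sample name
    kind: str        # "ethernet" or "p2p"
    mtu: int


@dataclass
class IsisLspConfig:
    originate_max_size: int          # lsp-length originate max-size
    receive_max_size: int            # lsp-length receive max-size
    refresh_interval: int = 900      # timer lsp-refresh default (from the guide)
    max_age: int = 1200              # timer lsp-max-age default (from the guide)


def check_lsp_config(cfg: IsisLspConfig, interfaces: List[Interface]) -> List[str]:
    """Return the rules the configuration violates; empty list means consistent."""
    problems = []
    # Rule 1: generated LSPs must fit what the device accepts.
    if cfg.originate_max_size > cfg.receive_max_size:
        problems.append(f"originate max-size {cfg.originate_max_size} exceeds "
                        f"receive max-size {cfg.receive_max_size}")
    # Rule 2: interface MTU >= max-size (+3 on Ethernet, per the guide's note).
    for itf in interfaces:
        needed = cfg.originate_max_size + (3 if itf.kind == "ethernet" else 0)
        if itf.mtu < needed:
            problems.append(f"{itf.name}: MTU {itf.mtu} < {needed} required for {itf.kind}")
    # Rule 3: refresh must happen well before the LSP expires (300 s assumed minimum).
    gap = cfg.max_age - cfg.refresh_interval
    if gap < 300:
        problems.append(f"lsp-refresh {cfg.refresh_interval}s is only {gap}s below "
                        f"lsp-max-age {cfg.max_age}s (need at least 300s)")
    return problems


def purge_time_without_refresh(cfg: IsisLspConfig) -> int:
    """Seconds after origination until a never-refreshed LSP leaves the LSDB:
    the remaining lifetime counts down from max-age to 0, then the guide says
    the LSP is deleted 60 s later."""
    return cfg.max_age + 60


# Constructed sample topology and two candidate configurations.
INTERFACES = [Interface("GE0/0/1", "ethernet", 1500), Interface("Serial1/0/0", "p2p", 1500)]
GOOD = IsisLspConfig(originate_max_size=1497, receive_max_size=1497)
BAD = IsisLspConfig(originate_max_size=1498, receive_max_size=1497, refresh_interval=1000)

if __name__ == "__main__":
    for label, cfg in (("good", GOOD), ("bad", BAD)):
        print(label, check_lsp_config(cfg, INTERFACES) or "OK")
```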

Setting the SPF Calculation Interval


To improve the fault location efficiency on an IS-IS network and prevent SPF calculation from
consuming excessive system resources, set the SPF calculation interval to a proper value.

Context
A network change always triggers IS-IS to perform SPF calculation. Frequent SPF calculation
will consume excessive CPU resources, affecting services.
To solve this problem, configure an intelligent timer to control the interval for SPF calculation.
For example, to speed up IS-IS route convergence, set the interval for SPF calculation to a small
value, and set the interval to a large value after the IS-IS network becomes stable.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
isis [ process-id ]

The IS-IS view is displayed.

Step 3 Run:
timer spf max-interval [ init-interval [ incr-interval ] ]

The SPF intelligent timer is configured.
The intelligent timer changes as follows:
- The delay for the first SPF calculation is determined by init-interval; the delay for the second SPF calculation is determined by incr-interval. From the third time on, the delay in SPF calculation doubles every time until the delay reaches the value specified by max-interval. After the delay remains at the value specified by max-interval for three times or the IS-IS process is restarted, the delay decreases to the value specified by init-interval.
- If incr-interval is not specified, the delay in SPF calculation for the first time is determined by init-interval. From the second time on, the delay in SPF calculation is determined by max-interval. After the delay remains at the value specified by max-interval for three times or the IS-IS process is restarted, the delay decreases to the value specified by init-interval.
- When only max-interval is specified, the intelligent timer functions as an ordinary one-time triggering timer.
Step 4 (Optional) Run:
spf-slice-size duration-time

The maximum duration for SPF calculation is configured.

----End
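The intelligent timer behind `timer spf` (Step 3 above) and `timer lsp-generation` (the LSP flooding procedure earlier in this section) follows the same three-mode schedule, and it is easier to reason about as a sequence of delays than as prose. The following added example (not code from the Huawei guide) implements that schedule as a small state machine and prints the delay sequence for each of the three parameter combinations. The units are left abstract (all three parameters are assumed to be given in the same unit) and the numeric values are constructed.

```python
"""Added example: delay sequence produced by the IS-IS intelligent timer."""
from typing import List, Optional


class IntelligentTimer:
    """Models `timer spf|lsp-generation max-interval [init-interval [incr-interval]]`."""

    def __init__(self, max_interval: int, init_interval: Optional[int] = None,
                 incr_interval: Optional[int] = None):
        self.max = max_interval
        self.init = init_interval
        self.incr = incr_interval
        self.reset()

    def reset(self) -> None:
        """Process restart, or the delay has stayed at max-interval three times."""
        self.count = 0          # delays handed out since the last reset
        self.at_max = 0         # consecutive delays equal to max-interval
        self.last = 0

    def next_delay(self) -> int:
        """Delay before the next SPF calculation / LSP generation."""
        if self.init is None:                    # only max-interval: ordinary timer
            return self.max
        if self.count == 0:
            delay = self.init                    # first time: init-interval
        elif self.incr is None:
            delay = self.max                     # no incr-interval: max from the 2nd time
        elif self.count == 1:
            delay = min(self.incr, self.max)     # second time: incr-interval
        else:
            delay = min(self.last * 2, self.max) # then doubling, capped at max-interval
        self.count += 1
        self.last = delay
        if delay == self.max:
            self.at_max += 1
            if self.at_max == 3:                 # three times at max: back to init
                self.reset()
        else:
            self.at_max = 0
        return delay


def delays(timer: IntelligentTimer, n: int) -> List[int]:
    """The first n delays the timer would impose on consecutive triggers."""
    return [timer.next_delay() for _ in range(n)]


if __name__ == "__main__":
    # Constructed values: max 5000, init 50, incr 200 (same unit assumed).
    print("full form   :", delays(IntelligentTimer(5000, 50, 200), 10))
    print("no incr     :", delays(IntelligentTimer(5000, 50), 5))
    print("max only    :", delays(IntelligentTimer(5000), 3))
```

The first sequence shows the back-off the guide describes: a quick first reaction, then doubling until `max-interval` damps a flapping network, and a return to `init-interval` once the topology has been quiet for three periods.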

Checking the Configuration


After the parameters specifying the IPv4 IS-IS route convergence speed are set, run the following
commands to verify that the configurations are correct.

Procedure
- Run the display isis interface [ verbose ] [ process-id | vpn-instance vpn-instance-name ] command to check IS-IS packet information.
- Run the display isis route [ process-id | vpn-instance vpn-instance-name ] [ ipv4 ] [ verbose | [ level-1 | level-2 ] | ip-address [ mask | mask-length ] ] * command to check the preference of IS-IS routes.

----End

5.4.9 Configuring Static IPv4 BFD for IS-IS


BFD can provide link failure detection featuring light load and high speed (at the millisecond
level). Static IPv4 BFD can be configured to monitor IS-IS links.

Context
In a static BFD session scenario, you need to configure single-hop BFD parameters, such as
local and remote discriminators and then configure the device to send BFD session setup
requests.
A static BFD session can only be established and released manually. A configuration error will
lead to a BFD failure. For example, if a local or remote discriminator is incorrectly configured,
a BFD session will not work properly.

Pre-configuration Tasks
Before configuring static IPv4 BFD for IS-IS, complete the following tasks:
- Assign an IP address to each interface to ensure IP connectivity.
- Configuring Basic IPv4 IS-IS Functions.

Configuration Roadmap
The configuration roadmap is as follows:

No.  Data
1    Type and number of the interface to be enabled with BFD

Procedure
- Enable BFD globally.
  1. Run:
     system-view
     The system view is displayed.
  2. Run:
     bfd
     BFD is enabled globally.
  3. Run:
     quit
     The system view is displayed.
- Configure a single-hop BFD session.
  1. Run:
     bfd cfg-name bind peer-ip ip-address [ interface interface-type interface-number ]
     BFD is enabled between the specified interface and peer router.
     If a peer IP address and a local interface are specified in the bfd command, BFD monitors only a single-hop link with the interface specified in the bfd command as the outbound interface and with the peer IP address specified by peer-ip as the next-hop address.
  2. Set discriminators.
     Run:
     discriminator local discr-value
     A local discriminator is set.
     Run:
     discriminator remote discr-value
     A remote discriminator is set.
     The local discriminator of a device must be the remote discriminator of the device on the other end; otherwise, a BFD session cannot be established. In addition, the local and remote discriminators cannot be modified after being configured.
     NOTE
     The local discriminator set using the discriminator local discr-value command on a device must be the same as the remote discriminator set using the discriminator remote discr-value command on the device of the other end.
  3. Run:
     commit
     Configurations are committed.
  4. Run:
     quit
     The system view is displayed.
- Enable static IPv4 BFD on an interface.
  1. Run:
     interface interface-type interface-number
     The view of the specified interface is displayed.
  2. Run:
     isis bfd static
     Static IPv4 BFD is enabled on the specified interface.
     NOTE
     To enable static IPv4 BFD on an RPR interface, use the isis bfd static and isis fast-sense rpr commands or use only the isis fast-sense command.
     The isis fast-sense command integrates the functions of the isis bfd static and isis fast-sense rpr commands. Therefore, you can either configure the isis fast-sense command or configure both the isis bfd static and isis fast-sense rpr commands.

----End
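The discriminator step above is where static BFD configurations most often fail silently: the session simply never comes up, and because the discriminators cannot be changed afterwards the fix is a reconfiguration. The following added example (not code from the Huawei guide) pairs the two ends of an intended static session and reports mismatches before anything is committed; it also compares the Hello-based detection time (interval multiplied by holding multiplier, from the earlier section on detecting neighbour failures) with the BFD detection time. The BFD formula is the one from RFC 5880 section 6.8.4 (remote detect multiplier times the larger of local min-rx and remote min-tx), which the guide does not spell out; the device names, discriminators and timer values are constructed.

```python
"""Added example: validate static BFD discriminator pairing and compare
Hello-based and BFD-based neighbour failure detection times."""
from dataclasses import dataclass
from typing import List


@dataclass
class BfdEnd:
    device: str           # constructed sample name
    peer_ip: str
    local_discr: int      # discriminator local discr-value
    remote_discr: int     # discriminator remote discr-value
    min_tx_ms: int = 1000 # min-tx-interval (sample value)
    min_rx_ms: int = 1000 # min-rx-interval (sample value)
    detect_mult: int = 3  # detect-multiplier (sample value)


def check_pairing(a: BfdEnd, b: BfdEnd) -> List[str]:
    """Problems that stop the session between a and b from coming up (empty = OK)."""
    problems = []
    if a.local_discr != b.remote_discr:
        problems.append(f"{b.device}: remote discriminator {b.remote_discr} "
                        f"does not match {a.device} local {a.local_discr}")
    if b.local_discr != a.remote_discr:
        problems.append(f"{a.device}: remote discriminator {a.remote_discr} "
                        f"does not match {b.device} local {b.local_discr}")
    return problems


def bfd_detection_time_ms(local: BfdEnd, remote: BfdEnd) -> int:
    """Time for `local` to declare the session Down (RFC 5880 section 6.8.4)."""
    return remote.detect_mult * max(local.min_rx_ms, remote.min_tx_ms)


def hello_detection_time_s(hello_interval_s: int, holding_multiplier: int) -> int:
    """Holding time: the neighbour is Down when no Hello arrives within it."""
    return hello_interval_s * holding_multiplier


# Constructed ends of one single-hop session (values chosen for illustration).
END_A = BfdEnd("SwitchA", "10.1.1.2", local_discr=1, remote_discr=2,
               min_tx_ms=100, min_rx_ms=100, detect_mult=3)
END_B = BfdEnd("SwitchB", "10.1.1.1", local_discr=2, remote_discr=1,
               min_tx_ms=100, min_rx_ms=100, detect_mult=3)
END_B_BAD = BfdEnd("SwitchB", "10.1.1.1", local_discr=3, remote_discr=1)

if __name__ == "__main__":
    print("good pair:", check_pairing(END_A, END_B) or "OK")
    print("bad pair :", check_pairing(END_A, END_B_BAD))
    print("Hello detection (10s x 3):", hello_detection_time_s(10, 3), "s")
    print("BFD detection at A       :", bfd_detection_time_ms(END_A, END_B), "ms")
```

The order-of-magnitude gap between the two detection times is the reason the guide recommends BFD over shortening Hello timers.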

Checking the Configuration


Information about a BFD session can be viewed only after parameters of the BFD session are
set and the BFD session is established.
Run the display isis interface verbose command. The command output shows that the status
of static BFD for IS-IS process 1 is Yes.

5.4.10 Configuring Dynamic IPv4 BFD for IS-IS


Dynamic IPv4 BFD for IS-IS can accelerate IS-IS route convergence.

Context
Connection status between an IS-IS device and its neighbors can be monitored by exchanging
Hello packets at intervals. The minimum allowable sending interval is 3s, and a neighbor is
declared Down after at least three intervals during which no response Hello packet is received
from the neighbor. IS-IS takes more than one second to detect that a neighbor becomes Down,
resulting in loss of a large amount of high-speed data.
To solve this problem, BFD must be configured for IS-IS. IPv4 BFD provides millisecond-level
fault detection. After detecting a link or node failure, BFD will notify IS-IS of the failure,
accelerating the IS-IS route convergence speed.
Dynamic IPv4 BFD for IS-IS implements dynamic setup of BFD sessions. When a new IS-IS
neighbor relationship is set up, BFD is notified of the neighbor parameters and the detection
parameters (including source and destination IP addresses). Then a BFD session will be
established based on the received neighbor parameters. Dynamic BFD is more flexible than
static BFD.

Pre-configuration Tasks
Before configuring dynamic IPv4 BFD for IS-IS, complete the following tasks:
- Assign an IP address to each interface to ensure IP connectivity.
- Configuring Basic IS-IS Functions

Data Preparation
To configure dynamic IPv4 BFD for IS-IS, you need the following data:
- Number of the IS-IS process to be enabled with BFD
- Type and number of the interface to be enabled with BFD
- Parameter values of a BFD session

Configuration Roadmap
You can use either of the following methods to enable dynamic IPv4 BFD for IS-IS:
- Enable dynamic IPv4 BFD for specified IS-IS processes. This method is recommended
  if you need to enable dynamic IPv4 BFD for IS-IS on a large number of IS-IS interfaces.
- Enable dynamic IPv4 BFD for specified interfaces. This method is recommended if you
  need to enable dynamic IPv4 BFD for IS-IS on a small number of IS-IS interfaces.

Procedure
- Enable dynamic IPv4 BFD for an IS-IS process.
1.

Run:
system-view

The system view is displayed.


2.

Run:
bfd

BFD is enabled globally.


3.

Run:
quit

The system view is displayed.


4.

Run:
isis process-id

The IS-IS view is displayed.


5.

Run:
bfd all-interfaces enable

BFD for IS-IS is enabled.


After BFD is enabled globally and the neighbor status becomes Up, IS-IS adopts
default BFD parameters to establish BFD sessions on all interfaces.
6.

(Optional) Run:
bfd all-interfaces { min-rx-interval receive-interval | min-tx-interval transmit-interval | detect-multiplier multiplier-value } *

The BFD session parameters are set for all IS-IS interfaces of the process.
7.

Run:
quit

The system view is displayed.


To disable BFD on a particular interface, run the isis bfd block command in the interface
view so that the interface does not establish BFD sessions.
- Enable dynamic IPv4 BFD on an interface.


1.

Run:
system-view

The system view is displayed.


2.

Run:
bfd

BFD is enabled globally.


3.

Run:
quit

The system view is displayed.


4.

Run:
interface interface-type interface-number

The interface view is displayed.


5.

Run:
isis bfd enable

BFD is enabled on the interface.


After BFD is configured globally and the neighbor status is Up (on a broadcast
network, DIS is in the Up state), default BFD parameters will be used to establish
BFD sessions on the specified interface.
6.

(Optional) Run:
isis bfd { min-rx-interval receive-interval | min-tx-interval transmit-interval | detect-multiplier multiplier-value } *

Run this command when BFD session parameters need to be configured for a specified
interface.
NOTE

The priority of BFD configured on an interface is higher than that of BFD configured for a
process. If BFD session parameters are configured for both a process and an interface, the
parameters on the interface will be used to establish a dynamic BFD session.

----End

Checking the Configuration


After BFD is enabled on both ends of a link, run the display isis [ process-id | vpn-instance
vpn-instance-name ] bfd session { all | peer ip-address | interface interface-type interface-number }
command to check the status and parameters of the BFD sessions.
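The two procedures above leave two questions a practitioner wants answered before enabling BFD on a production link: which parameters actually apply to a given interface when both the process-level bfd all-interfaces block and an interface-level isis bfd block are configured, and how long each side will take to declare the peer down. The following Python is an added example written for this guide, not Huawei code. It applies the precedence stated in the NOTE above (an interface-level block, when present, replaces the process-level block; values not given in the winning block fall back to defaults) and computes the detection time as defined in RFC 5880 section 6.8.4. The defaults of 1000 ms, 1000 ms and a multiplier of 3, the IS-IS Hello defaults of 10 s and 3, and the sample values are assumptions for illustration; verify them on your release with the display command above.

```python
"""Effective BFD-for-IS-IS parameters and failure-detection time.

Added example (not Huawei code). Models the precedence described in the NOTE:
an interface-level `isis bfd ...` block, when present, is used instead of the
process-level `bfd all-interfaces ...` block; values not given in the winning
block fall back to the defaults. Defaults below are assumptions.
"""
from dataclasses import dataclass
from typing import Dict, Optional

# Assumed VRP defaults (constructed for this example; check the command reference).
DEFAULT_MIN_TX_MS = 1000
DEFAULT_MIN_RX_MS = 1000
DEFAULT_MULTIPLIER = 3


@dataclass(frozen=True)
class BfdParams:
    min_tx_ms: int
    min_rx_ms: int
    multiplier: int


def effective_params(process_params: Optional[Dict[str, int]],
                     interface_params: Optional[Dict[str, int]]) -> BfdParams:
    """Pick the interface block if any `isis bfd` parameter was configured,
    otherwise the `bfd all-interfaces` block; fill unset values with defaults."""
    chosen = interface_params if interface_params else (process_params or {})
    return BfdParams(
        min_tx_ms=chosen.get("min_tx", DEFAULT_MIN_TX_MS),
        min_rx_ms=chosen.get("min_rx", DEFAULT_MIN_RX_MS),
        multiplier=chosen.get("multiplier", DEFAULT_MULTIPLIER),
    )


def session_expected(process_all_interfaces: bool, interface_enabled: bool,
                     interface_blocked: bool) -> bool:
    """Whether IS-IS will ask BFD for a session on this interface:
    `isis bfd block` wins over both enabling commands."""
    if interface_blocked:
        return False
    return process_all_interfaces or interface_enabled


def detection_time_ms(local: BfdParams, remote: BfdParams) -> int:
    """Time for the local end to declare the peer down (RFC 5880 section 6.8.4):
    the remote's detect multiplier times the interval at which the remote
    actually transmits, i.e. max(remote min-tx, local min-rx)."""
    remote_tx_interval = max(remote.min_tx_ms, local.min_rx_ms)
    return remote.multiplier * remote_tx_interval


def isis_hello_detection_s(hello_interval_s: int = 10, holding_multiplier: int = 3) -> int:
    """Hello-based detection without BFD: holdtime = hello interval x holding
    multiplier (defaults of 10 s and 3 assumed)."""
    return hello_interval_s * holding_multiplier


def compare(local_proc, local_if, remote_proc, remote_if) -> Dict[str, int]:
    """Resolve both ends and report the detection time each side sees, in ms."""
    local = effective_params(local_proc, local_if)
    remote = effective_params(remote_proc, remote_if)
    return {
        "local_detects_in_ms": detection_time_ms(local, remote),
        "remote_detects_in_ms": detection_time_ms(remote, local),
    }


if __name__ == "__main__":
    # Constructed case: the local switch has process-level 100/100/3 and an
    # interface override of 50/50/4 on this link; the peer has 100/100/3 only.
    print(compare({"min_tx": 100, "min_rx": 100, "multiplier": 3},
                  {"min_tx": 50, "min_rx": 50, "multiplier": 4},
                  {"min_tx": 100, "min_rx": 100, "multiplier": 3}, None))
    print("hello-based detection:", isis_hello_detection_s(), "s")
```

The asymmetry in the sample is the point: tightening timers on one end only speeds up the peer's detection of the local failure, because the negotiated interval is bounded by the slower side's min-tx. Both ends must be tuned, and after `isis bfd block` no session is requested at all.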

5.4.11 Configuring IS-IS GR


By configuring IS-IS GR, you can enable the Switch to restart gracefully and avoid temporary
route black holes.

Establishing the Configuration Task


Before configuring IS-IS GR, familiarize yourself with the applicable environment, complete
the pre-configuration tasks, and obtain the required data. This can help you complete the
configuration task quickly and accurately.

Applicable Environment
When an IS-IS router restarts, the network is temporarily interrupted: the adjacencies between
the Switch and its neighbors are torn down, the LSPs of the Switch are deleted from the
neighbors' LSDBs, route calculation becomes inaccurate, and packets are lost.
You can configure IS-IS GR to solve this problem. After IS-IS GR is enabled, the Switch
notifies its neighbors of the restart status and re-establishes the adjacencies without
interrupting forwarding.
The advantages of IS-IS GR are as follows:
- When IS-IS restarts, the Switch can resend connection requests to its neighbors, and the
  adjacencies are not torn down.
- Before LSPs are generated, GR minimizes the disruption caused by waiting for database
  synchronization.
- If the Switch starts for the first time, it sets the overload bit in its LSPs until LSDB
  synchronization is complete. This avoids route black holes.

Pre-configuration Tasks
Before configuring IS-IS GR, complete the following tasks:
- Configuring IP addresses for interfaces to ensure network connectivity between
  neighboring nodes
- Configuring Basic IPv4 IS-IS Functions

Data Preparation
To configure IS-IS GR, you need the following data:
- ID of an IS-IS process
- Interval for reestablishing GR sessions
- Whether to suppress the advertisement of the adjacency when the GR restarter restarts

Enabling IS-IS GR
Before configuring IS-IS GR, you need to enable the GR capability for IS-IS.

Context
Do as follows on the Switch that runs IS-IS.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
isis [ process-id ]

The IS-IS view is displayed.


Step 3 Run:
graceful-restart

IS-IS GR is enabled.
By default, IS-IS GR is disabled.
----End

Configuring Parameters of an IS-IS GR Session


By setting IS-IS GR parameters, you can avoid temporary black holes on the network.

Context
The Switch that starts for the first time does not maintain the forwarding status. If the Switch
restarts, the LSPs generated when the Switch runs last time may exist in the LSDB of other
Switches in the network.
The sequence number of an LSP fragment is reinitialized when the Switch starts. Therefore, the
Switch considers that the previously advertised LSP stored on other Switches is newer than the
LSP generated locally after the Switch starts. This leads to the temporary black hole in the
network, which lasts until the normal LSDB update process finishes. The Switch then regenerates
its LSPs and advertises the LSPs with the highest sequence number.
When this Switch starts, if the neighbor of the Switch suppresses the advertisement of the
adjacency until this Switch advertises the updated LSPs, the preceding case can thus be avoided.

Do as follows on the Switch that runs IS-IS:

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
isis [ process-id ]

The IS-IS view is displayed.


Step 3 Run:
graceful-restart interval interval-value

The interval for reestablishing an IS-IS GR session is set.


The restart interval is advertised as the Holdtime in the IS-IS Hello PDUs, so that neighbors
do not tear down the adjacency while the Switch restarts. By default, the restart interval is
300 seconds.
Step 4 (Optional) Run:
graceful-restart suppress-sa

The GR restarter is configured to set the Suppress-Advertisement (SA) bit in the restart TLV
of its Hello PDUs, which asks neighbors not to advertise the adjacency until the restarter has
advertised its updated LSPs.
To prevent a Switch from setting the SA bit in Hello PDUs during an active/standby
switchover, run the undo graceful-restart suppress-sa command.
By default, the SA bit is not set.
----End

Checking the Configuration


After configuring IS-IS GR, you can check the IS-IS GR status and parameters.

Prerequisites
The configurations for IS-IS GR are complete.

Procedure
Step 1 Run the display isis graceful-restart status [ level-1 | level-2 ] [ process-id | vpn-instance vpn-instance-name ] command to check the status of IS-IS GR.
----End

5.4.12 Maintaining IS-IS


Maintaining IS-IS involves resetting IS-IS and clearing IS-IS statistics.

Resetting IS-IS Data Structure


By restarting IS-IS, you can reset IS-IS. You can also reset IS-IS in GR mode.

Context

CAUTION
The IS-IS data structure cannot be restored after you reset it. All the previous structure
information and the neighbor relationship are reset. Exercise caution when running this
command.
To clear the IS-IS data structure, run the following reset command in the user view.

Procedure
Step 1 Run reset isis all [ process-id | vpn-instance vpn-instance-name ] command to reset the IS-IS
data structure.
By default, the IS-IS data structure is not reset.
----End

Resetting a Specific IS-IS Neighbor


By restarting IS-IS neighbors, you can reset the IS-IS neighbor relationship, and thus make the
new configuration take effect.

Context

CAUTION
The specified IS-IS neighbor relationship is deleted after you reset a specified IS-IS neighbor
by using the reset isis peer command. Exercise caution when running this command.
After the IS-IS routing policy or the protocol changes, you can reset a specific IS-IS neighbor
to validate the new configuration.
To reset a specific IS-IS neighbor, run the following reset command in the user view.

Procedure
Step 1 Run reset isis peer system-id [ process-id | vpn-instance vpn-instance-name ] command to reset
a specific IS-IS neighbor.
----End

5.4.13 Configuration Examples


This section provides examples of IS-IS configuration.

Example for Configuring Basic IS-IS Functions



Networking Requirements
As shown in Figure 5-22:
- SwitchA, SwitchB, SwitchC, and SwitchD belong to the same domain. The IS-IS routing
  protocol runs on these four Switches to ensure connectivity on an IP network.
- The area IDs of SwitchA, SwitchB, and SwitchC are all 10, and the area ID of SwitchD
  is 20.
- SwitchA and SwitchB are Level-1 Switches. SwitchC is the Level-1-2 Switch. SwitchD is
  the Level-2 Switch.

Figure 5-22 Networking diagram for configuring basic IS-IS functions
(SwitchA (L1) and SwitchB (L1) connect to SwitchC (L1/2) in IS-IS Area 10; SwitchC GE 0/0/3
connects to SwitchD (L2) GE 0/0/1 in IS-IS Area 20.)

Switch     Interface    VLANIF Interface    IP Address
SwitchA    GE 0/0/1     VLANIF 10           10.1.1.2/24
SwitchB    GE 0/0/1     VLANIF 20           10.1.2.2/24
SwitchC    GE 0/0/1     VLANIF 10           10.1.1.1/24
SwitchC    GE 0/0/2     VLANIF 20           10.1.2.1/24
SwitchC    GE 0/0/3     VLANIF 30           192.168.0.1/24
SwitchD    GE 0/0/1     VLANIF 30           192.168.0.2/24
SwitchD    GE 0/0/2     VLANIF 40           172.16.1.1/16

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure the VLANs to which the physical interfaces belong.
2. Assign IP addresses to VLANIF interfaces.
3. Run the IS-IS process on each Switch, specify the network entity, and configure the level.
4. Check the IS-IS database and routing table of each Switch.

Data Preparation
To complete the configuration, you need the following data:
- VLAN ID of each interface, as shown in Figure 5-22
- IP address of each VLANIF interface, as shown in Figure 5-22
- System ID, level, and area ID of each Switch:
  SwitchA: The system ID is 0000.0000.0001; the area ID is 10; the level is Level-1.
  SwitchB: The system ID is 0000.0000.0002; the area ID is 10; the level is Level-1.
  SwitchC: The system ID is 0000.0000.0003; the area ID is 10; the level is Level-1-2.
  SwitchD: The system ID is 0000.0000.0004; the area ID is 20; the level is Level-2.
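Before typing the NETs and levels above into four switches, it is worth checking on paper which adjacencies the plan can actually produce and which Switch will end up advertising the attached (ATT) bit that gives the Level-1 Switches their default route. The following Python is an added example by the editor, not Huawei code: it parses a NET in the form used on this page (area, six-byte system ID written as three groups of four hex digits, NSEL 00), applies the IS-IS rules that a Level-1 adjacency needs the same area while a Level-2 adjacency does not, and flags duplicate system IDs. The router names, NETs, levels and links are taken from the example; the checking functions and their names are the editor's.

```python
"""NET parsing and IS-IS adjacency feasibility for the topology in Figure 5-22.

Added example (not Huawei code). Assumes the NET format used on the page:
<area>.<system-id>.<NSEL> with a 1-to-13-byte area, a 6-byte system ID written
as three 4-hex-digit groups, and NSEL 00. Router data comes from the example;
the checking logic is the editor's.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

NET_RE = re.compile(
    r"^(?P<area>[0-9a-fA-F]{2}(?:\.[0-9a-fA-F]{4})*)"
    r"\.(?P<sysid>[0-9a-fA-F]{4}\.[0-9a-fA-F]{4}\.[0-9a-fA-F]{4})"
    r"\.(?P<nsel>[0-9a-fA-F]{2})$"
)


def parse_net(net: str) -> Tuple[str, str]:
    """Return (area_id, system_id); reject malformed NETs and a non-zero NSEL."""
    m = NET_RE.match(net)
    if not m:
        raise ValueError(f"malformed NET: {net}")
    if m.group("nsel") != "00":
        raise ValueError(f"NSEL must be 00 for a router NET: {net}")
    return m.group("area").lower(), m.group("sysid").lower()


@dataclass(frozen=True)
class Router:
    name: str
    net: str
    level: str  # "level-1", "level-2" or "level-1-2" (the default when is-level is not set)

    @property
    def area(self) -> str:
        return parse_net(self.net)[0]

    def runs(self, level: str) -> bool:
        return self.level == "level-1-2" or self.level == level


def adjacency_levels(a: Router, b: Router) -> Set[str]:
    """Levels at which two directly connected routers can form an adjacency:
    Level-1 needs both to run Level-1 in the same area; Level-2 needs both to
    run Level-2 and ignores the area."""
    levels = set()
    if a.runs("level-1") and b.runs("level-1") and a.area == b.area:
        levels.add("level-1")
    if a.runs("level-2") and b.runs("level-2"):
        levels.add("level-2")
    return levels


def attached_routers(routers: Dict[str, Router], links: List[Tuple[str, str]]) -> Set[str]:
    """Level-1-2 routers that will set the ATT bit: they hold a Level-2 adjacency
    to a router in another area, so Level-1 routers in their own area install a
    default route towards them (the 0.0.0.0/0 entry seen on SwitchA later)."""
    attached = set()
    for x, y in links:
        rx, ry = routers[x], routers[y]
        if "level-2" in adjacency_levels(rx, ry) and rx.area != ry.area:
            for r in (rx, ry):
                if r.level == "level-1-2":
                    attached.add(r.name)
    return attached


def duplicate_system_ids(routers: Dict[str, Router]) -> Set[str]:
    """System IDs used by more than one router; duplicates corrupt the LSDB."""
    seen: Dict[str, int] = {}
    for r in routers.values():
        sysid = parse_net(r.net)[1]
        seen[sysid] = seen.get(sysid, 0) + 1
    return {s for s, n in seen.items() if n > 1}


# Routers and links as in Figure 5-22 (constructed from the page's data).
ROUTERS = {
    "SwitchA": Router("SwitchA", "10.0000.0000.0001.00", "level-1"),
    "SwitchB": Router("SwitchB", "10.0000.0000.0002.00", "level-1"),
    "SwitchC": Router("SwitchC", "10.0000.0000.0003.00", "level-1-2"),
    "SwitchD": Router("SwitchD", "20.0000.0000.0004.00", "level-2"),
}
LINKS = [("SwitchA", "SwitchC"), ("SwitchB", "SwitchC"), ("SwitchC", "SwitchD")]


def plan() -> Dict[Tuple[str, str], Set[str]]:
    """Expected adjacency level(s) on every link of the example topology."""
    return {link: adjacency_levels(ROUTERS[link[0]], ROUTERS[link[1]]) for link in LINKS}


if __name__ == "__main__":
    for link, levels in plan().items():
        print(link, sorted(levels) or "NO ADJACENCY")
    print("ATT bit set by:", attached_routers(ROUTERS, LINKS))
```

Run as written, the plan shows Level-1 adjacencies on SwitchA-SwitchC and SwitchB-SwitchC, a Level-2 adjacency on SwitchC-SwitchD, and SwitchC as the only attached router, which matches the ATT/P/OL column of 1/0/0 on the LSP 0000.0000.0003.00-00 in the verification step.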

Configuration Procedure
1. Configure the IDs of the VLANs to which the interfaces belong.
   The configuration details are not provided here.
2. Assign IP addresses to VLANIF interfaces.
   The configuration details are not provided here.
3. Run the IS-IS process on each Switch, specify the network entity, and configure the level.
# Configure SwitchA.
[SwitchA] isis 1
[SwitchA-isis-1] is-level level-1
[SwitchA-isis-1] network-entity 10.0000.0000.0001.00
[SwitchA-isis-1] quit

# Configure SwitchB.
[SwitchB] isis 1
[SwitchB-isis-1] is-level level-1
[SwitchB-isis-1] network-entity 10.0000.0000.0002.00
[SwitchB-isis-1] quit

# Configure SwitchC.
[SwitchC] isis 1
[SwitchC-isis-1] network-entity 10.0000.0000.0003.00
[SwitchC-isis-1] quit

# Configure SwitchD.
[SwitchD] isis 1
[SwitchD-isis-1] is-level level-2
[SwitchD-isis-1] network-entity 20.0000.0000.0004.00
[SwitchD-isis-1] quit

4. Enable the IS-IS process on each interface.
# Configure SwitchA.
[SwitchA] interface vlanif 10
[SwitchA-Vlanif10] isis enable 1
[SwitchA-Vlanif10] quit

# Configure SwitchB.
[SwitchB] interface vlanif 20
[SwitchB-Vlanif20] isis enable 1
[SwitchB-Vlanif20] quit

# Configure SwitchC.
[SwitchC] interface vlanif 10
[SwitchC-Vlanif10] isis enable 1
[SwitchC-Vlanif10] quit
[SwitchC] interface vlanif 20
[SwitchC-Vlanif20] isis enable 1
[SwitchC-Vlanif20] quit
[SwitchC] interface vlanif 30
[SwitchC-Vlanif30] isis enable 1
[SwitchC-Vlanif30] quit

# Configure SwitchD.
[SwitchD] interface vlanif 30
[SwitchD-Vlanif30] isis enable 1
[SwitchD-Vlanif30] quit
[SwitchD] interface vlanif 40
[SwitchD-Vlanif40] isis enable 1
[SwitchD-Vlanif40] quit

5.

Verify the configuration.


# Display the IS-IS LSDB of each Switch.
[SwitchA] display isis lsdb

                        Database information for ISIS(1)
                        --------------------------------

                         Level-1 Link State Database

LSPID                 Seq Num      Checksum   Holdtime   Length  ATT/P/OL
-------------------------------------------------------------------------
0000.0000.0001.00-00* 0x00000006   0xbf7d     649        68      0/0/0
0000.0000.0002.00-00  0x00000003   0xef4d     545        68      0/0/0
0000.0000.0003.00-00  0x00000008   0x3340     582        111     1/0/0
0000.0000.0003.01-00  0x00000004   0xa7dd     582        55      0/0/0
0000.0000.0002.01-00  0x00000002   0xc0c4     524        55      0/0/0
Total LSP(s): 5
    *(In TLV)-Leaking Route, *(By LSPID)-Self LSP, +-Self LSP(Extended),
            ATT-Attached, P-Partition, OL-Overload

[SwitchB] display isis lsdb

                        Database information for ISIS(1)
                        --------------------------------

                         Level-1 Link State Database

LSPID                 Seq Num      Checksum   Holdtime   Length  ATT/P/OL
-------------------------------------------------------------------------
0000.0000.0001.00-00  0x00000006   0xbf7d     642        68      0/0/0
0000.0000.0002.00-00* 0x00000003   0xef4d     538        68      0/0/0
0000.0000.0003.00-00  0x00000008   0x3340     574        111     1/0/0
0000.0000.0003.01-00  0x00000004   0xa7dd     582        55      0/0/0
0000.0000.0002.01-00* 0x00000002   0xc0c4     524        55      0/0/0
Total LSP(s): 5
    *(In TLV)-Leaking Route, *(By LSPID)-Self LSP, +-Self LSP(Extended),
            ATT-Attached, P-Partition, OL-Overload

[SwitchC] display isis lsdb

                        Database information for ISIS(1)
                        --------------------------------

                         Level-1 Link State Database

LSPID                 Seq Num      Checksum   Holdtime   Length  ATT/P/OL
-------------------------------------------------------------------------
0000.0000.0001.00-00  0x00000006   0xbf7d     638        68      0/0/0
0000.0000.0002.00-00  0x00000003   0xef4d     533        68      0/0/0
0000.0000.0003.00-00* 0x00000008   0x3340     569        111     1/0/0
0000.0000.0003.01-00* 0x00000005   0xa7dd     569        55      0/0/0
0000.0000.0002.01-00  0x00000003   0xc0c4     569        55      0/0/0
Total LSP(s): 5
    *(In TLV)-Leaking Route, *(By LSPID)-Self LSP, +-Self LSP(Extended),
            ATT-Attached, P-Partition, OL-Overload

                         Level-2 Link State Database

LSPID                 Seq Num      Checksum   Holdtime   Length  ATT/P/OL
-------------------------------------------------------------------------
0000.0000.0003.00-00* 0x00000008   0x55bb     650        100     0/0/0
0000.0000.0003.03-00* 0x00000003   0xef91     650        55      0/0/0
0000.0000.0004.00-00  0x00000005   0x651      629        84      0/0/0
Total LSP(s): 3
    *(In TLV)-Leaking Route, *(By LSPID)-Self LSP, +-Self LSP(Extended),
            ATT-Attached, P-Partition, OL-Overload

[SwitchD] display isis lsdb

                        Database information for ISIS(1)
                        --------------------------------

                         Level-2 Link State Database

LSPID                 Seq Num      Checksum   Holdtime   Length  ATT/P/OL
-------------------------------------------------------------------------
0000.0000.0003.00-00  0x00000008   0x55bb     644        100     0/0/0
0000.0000.0003.03-00  0x00000003   0xef91     644        55      0/0/0
0000.0000.0004.00-00* 0x00000005   0x651      624        84      0/0/0
Total LSP(s): 3
    *(In TLV)-Leaking Route, *(By LSPID)-Self LSP, +-Self LSP(Extended),
            ATT-Attached, P-Partition, OL-Overload

# Display the IS-IS routing information of each Switch. A default route must be present
in the routing table of each Level-1 Switch, with the Level-1-2 Switch as the next hop. The
routing table of the Level-2 Switch must contain all Level-1 and Level-2 routes.
[SwitchA] display isis route

                         Route information for ISIS(1)
                         -----------------------------

                        ISIS(1) Level-1 Forwarding Table
                        --------------------------------

IPV4 Destination     IntCost    ExtCost ExitInterface   NextHop         Flags
-------------------------------------------------------------------------------
0.0.0.0/0            10         NULL    Vlanif10        10.1.1.1        A/-/-/-
10.1.1.0/24          10         NULL    Vlanif10        Direct          D/-/L/-
10.1.2.0/24          20         NULL    Vlanif10        10.1.1.1        A/-/-/-
192.168.0.0/24       20         NULL    Vlanif10        10.1.1.1        A/-/-/-
     Flags: D-Direct, A-Added to URT, L-Advertised in LSPs, S-IGP Shortcut,
            U-Up/Down Bit Set

[SwitchC] display isis route

                         Route information for ISIS(1)
                         -----------------------------

                        ISIS(1) Level-1 Forwarding Table
                        --------------------------------

IPV4 Destination     IntCost    ExtCost ExitInterface   NextHop         Flags
-------------------------------------------------------------------------------
10.1.1.0/24          10         NULL    Vlanif10        Direct          D/-/L/-
10.1.2.0/24          10         NULL    Vlanif20        Direct          D/-/L/-
192.168.0.0/24       10         NULL    Vlanif30        Direct          D/-/L/-
172.16.0.0/16        20         NULL    Vlanif30        192.168.0.2     A/-/-/-
     Flags: D-Direct, A-Added to URT, L-Advertised in LSPs, S-IGP Shortcut,
            U-Up/Down Bit Set

                        ISIS(1) Level-2 Forwarding Table
                        --------------------------------

IPV4 Destination     IntCost    ExtCost ExitInterface   NextHop         Flags
-------------------------------------------------------------------------------
10.1.1.0/24          10         NULL    Vlanif10        Direct          D/-/L/-
10.1.2.0/24          10         NULL    Vlanif20        Direct          D/-/L/-
192.168.0.0/24       10         NULL    Vlanif30        Direct          D/-/L/-
     Flags: D-Direct, A-Added to URT, L-Advertised in LSPs, S-IGP Shortcut,
            U-Up/Down Bit Set

[SwitchD] display isis route

                         Route information for ISIS(1)
                         -----------------------------

                        ISIS(1) Level-2 Forwarding Table
                        --------------------------------

IPV4 Destination     IntCost    ExtCost ExitInterface   NextHop         Flags
-------------------------------------------------------------------------------
192.168.0.0/24       10         NULL    Vlanif30        Direct          D/-/L/-
10.1.1.0/24          20         NULL    Vlanif30        192.168.0.1     A/-/-/-
10.1.2.0/24          20         NULL    Vlanif30        192.168.0.1     A/-/-/-
172.16.0.0/16        10         NULL    Vlanif40        Direct          D/-/L/-
     Flags: D-Direct, A-Added to URT, L-Advertised in LSPs, S-IGP Shortcut,
            U-Up/Down Bit Set

Configuration Files
- Configuration file of SwitchA


#
sysname SwitchA
#
vlan batch 10
#
isis 1
is-level level-1
network-entity 10.0000.0000.0001.00
#
interface Vlanif10
ip address 10.1.1.2 255.255.255.0
isis enable 1
#


interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 10
#
return

- Configuration file of SwitchB


#
sysname SwitchB
#
vlan batch 20
#
isis 1
is-level level-1
network-entity 10.0000.0000.0002.00
#
interface Vlanif20
ip address 10.1.2.2 255.255.255.0
isis enable 1
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 20
#
return

- Configuration file of SwitchC


#
sysname SwitchC
#
vlan batch 10 20 30
#
isis 1
network-entity 10.0000.0000.0003.00
#
interface Vlanif10
ip address 10.1.1.1 255.255.255.0
isis enable 1
#
interface Vlanif20
ip address 10.1.2.1 255.255.255.0
isis enable 1
#
interface Vlanif30
ip address 192.168.0.1 255.255.255.0
isis enable 1
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 10
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 20
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk allow-pass vlan 30
#
return

- Configuration file of SwitchD


#
sysname SwitchD
#
vlan batch 30 40
#
isis 1
is-level level-2
network-entity 20.0000.0000.0004.00
#

Issue 04 (2013-06-15)

Huawei Proprietary and Confidential


Copyright Huawei Technologies Co., Ltd.

866

AC6605 Access Controller


Configuration Guide

5 Configuration Guide - IP Routing

interface Vlanif30
ip address 192.168.0.2 255.255.255.0
isis enable 1
#
interface Vlanif40
ip address 172.16.1.1 255.255.0.0
isis enable 1
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 30
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 40
#
return

Example for Configuring IS-IS Route Aggregation


Networking Requirements
As shown in Figure 5-23:
- SwitchA, SwitchB, and SwitchC are interconnected by running the IS-IS protocol.
- SwitchA belongs to Area 20. SwitchB and SwitchC belong to Area 10.
- SwitchA is a Level-2 Switch. SwitchB is a Level-1-2 Switch. SwitchC is a Level-1 Switch.
- The addresses in Area 10 can be aggregated as 172.1.0.0/16.

Figure 5-23 Networking diagram for configuring IS-IS route aggregation
(SwitchA (L2, Area 20) GE 0/0/1 connects to SwitchB (L1/L2, Area 10) GE 0/0/2; SwitchB GE 0/0/1
connects to SwitchC (L1, Area 10) GE 0/0/1; SwitchC GE 0/0/2, GE 0/0/3, and GE 0/0/4 attach
network 1 172.1.1.0/24, network 2 172.1.2.0/24, and network 3 172.1.3.0/24.)

Switch     Interface    VLANIF Interface    IP Address
SwitchA    GE 0/0/1     VLANIF 50           172.2.1.1/24
SwitchB    GE 0/0/1     VLANIF 10           172.1.4.2/24
SwitchB    GE 0/0/2     VLANIF 50           172.2.1.2/24
SwitchC    GE 0/0/1     VLANIF 10           172.1.4.1/24
SwitchC    GE 0/0/2     VLANIF 20           172.1.1.1/24
SwitchC    GE 0/0/3     VLANIF 30           172.1.2.1/24
SwitchC    GE 0/0/4     VLANIF 40           172.1.3.1/24

Configuration Roadmap
The configuration roadmap is as follows:
1. Enable basic IS-IS functions on each Switch so that the Switches can be interconnected.
2. Check the IS-IS routing table of SwitchA.
3. Configure route aggregation on SwitchB.

Data Preparation
To complete the configuration, you need the following data:
- VLAN ID of each interface, as shown in Figure 5-23
- IP address of each VLANIF interface, as shown in Figure 5-23
- System ID, level, and area ID of each Switch:
  SwitchA: The system ID is 0000.0000.0001; the area ID is 20; the level is Level-2.
  SwitchB: The system ID is 0000.0000.0002; the area ID is 10; the level is Level-1-2.
  SwitchC: The system ID is 0000.0000.0003; the area ID is 10; the level is Level-1.

Configuration Procedure
1. Configure the VLAN ID of each physical interface.
   The configuration details are not provided here.
2. Assign IP addresses to VLANIF interfaces.
   The configuration details are not provided here.
3. Configure basic IS-IS functions.


# Configure SwitchA.
[SwitchA] isis 1
[SwitchA-isis-1] is-level level-2
[SwitchA-isis-1] network-entity 20.0000.0000.0001.00
[SwitchA-isis-1] quit
[SwitchA] interface vlanif 50
[SwitchA-Vlanif50] isis enable 1
[SwitchA-Vlanif50] quit

# Configure SwitchB.
[SwitchB] isis 1
[SwitchB-isis-1] network-entity 10.0000.0000.0002.00
[SwitchB-isis-1] quit
[SwitchB] interface vlanif 10
[SwitchB-Vlanif10] isis enable 1
[SwitchB-Vlanif10] quit
[SwitchB] interface vlanif 50
[SwitchB-Vlanif50] isis enable 1
[SwitchB-Vlanif50] quit

# Configure SwitchC.
[SwitchC] isis 1
[SwitchC-isis-1] is-level level-1
[SwitchC-isis-1] network-entity 10.0000.0000.0003.00
[SwitchC-isis-1] quit
[SwitchC] interface vlanif 10
[SwitchC-Vlanif10] isis enable 1
[SwitchC-Vlanif10] quit

The configurations of the VLANIF 20, VLANIF30, and VLANIF 40 interfaces are the
same as the configuration of the VLANIF 10 interface.
4. Check the IS-IS routing table of SwitchA.
[SwitchA] display isis route

                         Route information for ISIS(1)
                         -----------------------------

                        ISIS(1) Level-2 Forwarding Table
                        --------------------------------

IPV4 Destination     IntCost    ExtCost ExitInterface   NextHop         Flags
-------------------------------------------------------------------------------
172.1.1.0/24         20         NULL    Vlanif50        172.2.1.2       A/-/-/-
172.1.2.0/24         20         NULL    Vlanif50        172.2.1.2       A/-/-/-
172.1.3.0/24         20         NULL    Vlanif50        172.2.1.2       A/-/-/-
172.1.4.0/24         20         NULL    Vlanif50        172.2.1.2       A/-/-/-
172.2.1.0/24         10         NULL    Vlanif50        Direct          D/-/L/-
     Flags: D-Direct, A-Added to URT, L-Advertised in LSPs, S-IGP Shortcut,
            U-Up/Down Bit Set

5. Configure route aggregation on SwitchB.
# Aggregate 172.1.1.0/24, 172.1.2.0/24, 172.1.3.0/24, and 172.1.4.0/24 as 172.1.0.0/16 on
SwitchB.
[SwitchB] isis 1
[SwitchB-isis-1] summary 172.1.0.0 255.255.0.0 level-1-2
[SwitchB-isis-1] quit

6. Verify the configuration.
# Display the routing table of SwitchA. The four specific routes 172.1.1.0/24, 172.1.2.0/24,
172.1.3.0/24, and 172.1.4.0/24 have been replaced by the aggregate 172.1.0.0/16.
[SwitchA] display isis route

                         Route information for ISIS(1)
                         -----------------------------

                        ISIS(1) Level-2 Forwarding Table
                        --------------------------------

IPV4 Destination     IntCost    ExtCost ExitInterface   NextHop         Flags
-------------------------------------------------------------------------------
172.1.0.0/16         20         NULL    Vlanif50        172.2.1.2       A/-/-/-
172.2.1.0/24         10         NULL    Vlanif50        Direct          D/-/L/-
     Flags: D-Direct, A-Added to URT, L-Advertised in LSPs, S-IGP Shortcut,
            U-Up/Down Bit Set
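A summary that is too narrow silently drops members (a /22 would leave 172.1.4.0/24 out), and one that is far wider than the members, like the /16 used here, advertises address space behind SwitchB that no network occupies, drawing traffic for those addresses towards the aggregating router. The following Python is an added example written for this guide, not Huawei code: it checks a candidate summary against the member prefixes, computes the tightest single prefix that still covers them all, measures how much empty space a summary advertises, and renders the VRP summary line in the dotted-mask form the page uses. The prefixes are the ones from Figure 5-23; the function names are the editor's, and the tool relies only on the Python standard library.

```python
"""Check an IS-IS summary route against its member prefixes.

Added example (not Huawei code). Uses only the Python standard library.
AREA10_PREFIXES are the networks from Figure 5-23.
"""
import ipaddress
from typing import Dict, Iterable

AREA10_PREFIXES = ["172.1.1.0/24", "172.1.2.0/24", "172.1.3.0/24", "172.1.4.0/24"]


def covers(summary: str, prefixes: Iterable[str]) -> Dict[str, bool]:
    """Map each member prefix to whether it lies inside `summary`.
    strict=True rejects a summary whose host bits are set (a typo such as
    172.1.1.0/16 would otherwise be silently accepted)."""
    s = ipaddress.ip_network(summary, strict=True)
    return {p: ipaddress.ip_network(p).subnet_of(s) for p in prefixes}


def minimal_summary(prefixes: Iterable[str]) -> str:
    """Tightest single supernet containing every prefix: start from the first
    member and widen the mask one bit at a time until all members fit."""
    nets = [ipaddress.ip_network(p) for p in prefixes]
    candidate = nets[0]
    while not all(n.subnet_of(candidate) for n in nets):
        candidate = candidate.supernet()
    return str(candidate)


def extra_address_space(summary: str, prefixes: Iterable[str]) -> int:
    """Number of addresses the summary advertises that belong to no member
    prefix. Traffic for them is drawn towards the aggregating router although
    no such network exists, so keep this as small as the address plan allows."""
    s = ipaddress.ip_network(summary)
    members = sum(ipaddress.ip_network(p).num_addresses for p in prefixes)
    return s.num_addresses - members


def summary_command(summary: str, level: str = "level-1-2") -> str:
    """Render the `summary <network> <mask> <level>` line in the form used on
    this page (dotted mask, not prefix length)."""
    s = ipaddress.ip_network(summary)
    return f"summary {s.network_address} {s.netmask} {level}"


if __name__ == "__main__":
    for candidate in ("172.1.0.0/22", "172.1.0.0/21", "172.1.0.0/16"):
        missing = [p for p, ok in covers(candidate, AREA10_PREFIXES).items() if not ok]
        print(candidate, "misses", missing or "nothing",
              "| empty addresses:", extra_address_space(candidate, AREA10_PREFIXES))
    print("tightest:", minimal_summary(AREA10_PREFIXES))
    print(summary_command("172.1.0.0/16"))
```

For the four /24s the tightest cover is 172.1.0.0/21, which advertises 1024 unused addresses, whereas 172.1.0.0/16 advertises 64512; the page's choice of /16 is fine for a lab but the check is worth running before summarizing a real area.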


Configuration Files
- Configuration file of SwitchA


#
sysname SwitchA
#
vlan batch 50
#
isis 1
is-level level-2
network-entity 20.0000.0000.0001.00
#
interface Vlanif50
ip address 172.2.1.1 255.255.255.0
isis enable 1
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 50
#
return

- Configuration file of SwitchB


#
sysname SwitchB
#
vlan batch 10 50
#
isis 1
network-entity 10.0000.0000.0002.00
summary 172.1.0.0 255.255.0.0 level-1-2
#
interface Vlanif10
ip address 172.1.4.2 255.255.255.0
isis enable 1
#
interface Vlanif50
ip address 172.2.1.2 255.255.255.0
isis enable 1
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 10
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 50
#
return

- Configuration file of SwitchC


#
sysname SwitchC
#
vlan batch 10 20 30 40
#
isis 1
is-level level-1
network-entity 10.0000.0000.0003.00
#
interface Vlanif10
ip address 172.1.4.1 255.255.255.0
isis enable 1
#
interface Vlanif20
ip address 172.1.1.1 255.255.255.0
isis enable 1
#
interface Vlanif30
ip address 172.1.2.1 255.255.255.0

Issue 04 (2013-06-15)

Huawei Proprietary and Confidential


Copyright Huawei Technologies Co., Ltd.

870

AC6605 Access Controller


Configuration Guide

5 Configuration Guide - IP Routing

isis enable 1
#
interface Vlanif40
ip address 172.1.3.1 255.255.255.0
isis enable 1
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 10
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 20
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk allow-pass vlan 30
#
interface GigabitEthernet0/0/4
port link-type trunk
port trunk allow-pass vlan 40
#
return

Example for Configuring the DIS Election of IS-IS


Networking Requirements
As shown in Figure 5-24:
- SwitchA, SwitchB, SwitchC, and SwitchD are interconnected by running the IS-IS
  protocol.
- SwitchA, SwitchB, SwitchC, and SwitchD belong to Area 10.
- SwitchA and SwitchB are Level-1-2 Switches. SwitchC is the Level-1 Switch. SwitchD is
  the Level-2 Switch.
- It is required to change the DIS priority of the interface to make SwitchA the Level-1-2
  DIS.

Figure 5-24 Networking diagram for configuring the DIS election of IS-IS
(SwitchA (L1/L2), SwitchB (L1/L2), SwitchC (L1), and SwitchD (L2) are all attached through
GE 0/0/1 to the same broadcast network, VLAN 10.)

Switch     Interface    VLANIF Interface    IP Address
SwitchA    GE 0/0/1     VLANIF 10           10.1.1.1/24
SwitchB    GE 0/0/1     VLANIF 10           10.1.1.2/24
SwitchC    GE 0/0/1     VLANIF 10           10.1.1.3/24
SwitchD    GE 0/0/1     VLANIF 10           10.1.1.4/24

Configuration Roadmap
The configuration roadmap is as follows:
1. Enable basic IS-IS functions on each Switch so that the Switches can be interconnected.
2. Check information about the IS-IS interface on each Switch with the default priority.
3. Configure the DIS priority on the Switch.

Data Preparation
To complete the configuration, you need the following data:
- VLAN ID of each interface, as shown in Figure 5-24
- IP address of each VLANIF interface, as shown in Figure 5-24
- System ID, level, and area ID of each Switch:
  SwitchA: The system ID is 0000.0000.0001; the area ID is 10; the DIS priority is 100;
  the level is Level-1-2.
  SwitchB: The system ID is 0000.0000.0002; the area ID is 10; the level is Level-1-2.
  SwitchC: The system ID is 0000.0000.0003; the area ID is 10; the level is Level-1.
  SwitchD: The system ID is 0000.0000.0004; the area ID is 10; the level is Level-2.

Configuration Procedure
1. Configure the IDs of the VLANs to which the interfaces belong.
   The configuration details are not provided here.
2. Assign IP addresses to VLANIF interfaces.
   The configuration details are not provided here.
3. Display the MAC address of the VLANIF 10 interface on each Switch. With equal DIS
   priorities, the interface with the highest MAC address becomes the DIS, so these
   addresses explain the election result seen later.


# Display the MAC address of the VLANIF 10 interface on SwitchA.
[SwitchA] display arp interface vlanif 10
IP ADDRESS
MAC ADDRESS
EXPIRE(M) TYPE
INTERFACE
VPN-INSTANCE
VLAN
-----------------------------------------------------------------------------10.1.1.1
0200-0000-dc00
I Vlanif10
-----------------------------------------------------------------------------Total:1
Dynamic:0
Static:0
Interface:1

# Display the MAC address of the VLANIF 10 interface on SwitchB.
[SwitchB] display arp interface vlanif 10
IP ADDRESS      MAC ADDRESS     EXPIRE(M) TYPE        INTERFACE   VPN-INSTANCE   VLAN
------------------------------------------------------------------------------
10.1.1.2        00e0-fccd-acdf            I           Vlanif10
------------------------------------------------------------------------------
Total:1         Dynamic:0       Static:0     Interface:1


# Display the MAC address of the VLANIF 10 interface on SwitchC.
[SwitchC] display arp interface vlanif 10
IP ADDRESS      MAC ADDRESS     EXPIRE(M) TYPE        INTERFACE   VPN-INSTANCE   VLAN
------------------------------------------------------------------------------
10.1.1.3        00e0-1396-1600            I           Vlanif10
------------------------------------------------------------------------------
Total:1         Dynamic:0       Static:0     Interface:1

# Display the MAC address of the VLANIF 10 interface on SwitchD.
[SwitchD] display arp interface vlanif 10
IP ADDRESS      MAC ADDRESS     EXPIRE(M) TYPE        INTERFACE   VPN-INSTANCE   VLAN
------------------------------------------------------------------------------
10.1.1.4        00e0-fcfd-305c            I           Vlanif10
------------------------------------------------------------------------------
Total:1         Dynamic:0       Static:0     Interface:1

4. Configure basic IS-IS functions.


# Configure SwitchA.
[SwitchA] isis 1
[SwitchA-isis-1] network-entity 10.0000.0000.0001.00
[SwitchA-isis-1] quit
[SwitchA] interface vlanif 10
[SwitchA-Vlanif10] isis enable 1
[SwitchA-Vlanif10] quit

# Configure SwitchB.
[SwitchB] isis 1
[SwitchB-isis-1] network-entity 10.0000.0000.0002.00
[SwitchB-isis-1] quit
[SwitchB] interface vlanif 10
[SwitchB-Vlanif10] isis enable 1
[SwitchB-Vlanif10] quit

# Configure SwitchC.
[SwitchC] isis 1
[SwitchC-isis-1] network-entity 10.0000.0000.0003.00
[SwitchC-isis-1] is-level level-1
[SwitchC-isis-1] quit
[SwitchC] interface vlanif 10
[SwitchC-Vlanif10] isis enable 1
[SwitchC-Vlanif10] quit

# Configure SwitchD.
[SwitchD] isis 1
[SwitchD-isis-1] network-entity 10.0000.0000.0004.00
[SwitchD-isis-1] is-level level-2
[SwitchD-isis-1] quit
[SwitchD] interface vlanif 10
[SwitchD-Vlanif10] isis enable 1
[SwitchD-Vlanif10] quit

# Display information about the IS-IS neighbors of SwitchA.
[SwitchA] display isis peer

                          Peer information for ISIS(1)

  System Id      Interface   Circuit Id         State HoldTime Type      PRI
  0000.0000.0002 Vlanif10    0000.0000.0002.01  Up    9s       L1(L1L2)  64
  0000.0000.0003 Vlanif10    0000.0000.0002.01  Up    27s      L1        64
  0000.0000.0002 Vlanif10    0000.0000.0004.01  Up    28s      L2(L1L2)  64
  0000.0000.0004 Vlanif10    0000.0000.0004.01  Up    8s       L2        64
Total Peer(s): 4

# Display information about the IS-IS interfaces on SwitchA.
[SwitchA] display isis interface

                  Interface information for ISIS(1)
                  --------------------------------
Interface   Id   IPV4.State   IPV6.State   MTU    Type   DR
Vlanif10    001  Up           Down         1497   L1/L2  No/No

# Display information about the IS-IS interfaces on SwitchB.
[SwitchB] display isis interface

                  Interface information for ISIS(1)
                  --------------------------------
Interface   Id   IPV4.State   IPV6.State   MTU    Type   DIS
Vlanif10    001  Up           Down         1497   L1/L2  Yes/No

# Display information about the IS-IS interfaces on SwitchD.
[SwitchD] display isis interface

                  Interface information for ISIS(1)
                  --------------------------------
Interface   Id   IPV4.State   IPV6.State   MTU    Type   DR
Vlanif10    001  Up           Down         1497   L1/L2  No/Yes

NOTE
When the default DIS priority is used:
l The MAC address of the interface on SwitchB is the largest among those of the interfaces on the Level-1 Switches. Thus, SwitchB is elected as the Level-1 DIS.
l The MAC address of the interface on SwitchD is the largest among those of the interfaces on the Level-2 Switches. Thus, SwitchD is elected as the Level-2 DIS.
The Level-1 pseudonode is 0000.0000.0002.01. The Level-2 pseudonode is 0000.0000.0004.01.

5. Configure the DIS priority of SwitchA.


[SwitchA] interface vlanif 10
[SwitchA-Vlanif10] isis dis-priority 100
[SwitchA-Vlanif10] quit

# Display information about the IS-IS neighbors of SwitchA.
[SwitchA] display isis peer

                          Peer information for ISIS(1)
                          ---------------------------
  System Id      Interface   Circuit Id         State HoldTime Type      PRI
  0000.0000.0002 Vlanif10    0000.0000.0001.01  Up    21s      L1(L1L2)  64
  0000.0000.0003 Vlanif10    0000.0000.0001.01  Up    27s      L1        64
  0000.0000.0002 Vlanif10    0000.0000.0001.01  Up    28s      L2(L1L2)  64
  0000.0000.0004 Vlanif10    0000.0000.0001.01  Up    30s      L2        64
Total Peer(s): 4

6. Verify the configuration.


# Display information about the IS-IS interfaces on SwitchA.
[SwitchA] display isis interface

                  Interface information for ISIS(1)
                  --------------------------------
Interface   Id   IPV4.State   IPV6.State   MTU    Type   DIS
Vlanif10    001  Up           Down         1497   L1/L2  Yes/Yes

As displayed above, after the DIS priority of the IS-IS interface is changed, SwitchA
immediately becomes a Level-1-2 DIS and its pseudonode is 0000.0000.0001.01.

# Display information about the IS-IS neighbors and IS-IS interfaces on SwitchB.
[SwitchB] display isis peer

                          Peer information for ISIS(1)
                          ---------------------------
  System Id      Interface   Circuit Id         State HoldTime Type      PRI
  0000.0000.0001 Vlanif10    0000.0000.0001.01  Up    7s       L1(L1L2)  100
  0000.0000.0003 Vlanif10    0000.0000.0001.01  Up    25s      L1        64
  0000.0000.0001 Vlanif10    0000.0000.0001.01  Up    7s       L2(L1L2)  100
  0000.0000.0004 Vlanif10    0000.0000.0001.01  Up    25s      L2        64
[SwitchB] display isis interface

                  Interface information for ISIS(1)
                  --------------------------------
Interface   Id   IPV4.State   IPV6.State   MTU    Type   DIS
Vlanif10    001  Up           Down         1497   L1/L2  No/No

# Display information about the IS-IS neighbors and IS-IS interfaces on SwitchD.
[SwitchD] display isis peer

                          Peer information for ISIS(1)
                          ---------------------------
  System Id      Interface   Circuit Id         State HoldTime Type  PRI
  0000.0000.0001 Vlanif10    0000.0000.0001.01  Up    9s       L2    100
  0000.0000.0002 Vlanif10    0000.0000.0001.01  Up    28s      L2    64
[SwitchD] display isis interface

                  Interface information for ISIS(1)
                  --------------------------------
Interface   Id   IPV4.State   IPV6.State   MTU    Type   DIS
Vlanif10    001  Up           Down         1497   L1/L2  No/No

Configuration Files
l Configuration file of SwitchA


#
sysname SwitchA
#
vlan batch 10
#
isis 1
network-entity 10.0000.0000.0001.00
#
interface Vlanif10
ip address 10.1.1.1 255.255.255.0
isis enable 1
isis dis-priority 100
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 10
#
return

l Configuration file of SwitchB


#
sysname SwitchB
#
vlan batch 10
#


isis 1
network-entity 10.0000.0000.0002.00
#
interface Vlanif10
ip address 10.1.1.2 255.255.255.0
isis enable 1
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 10
#
return

l Configuration file of SwitchC


#
sysname SwitchC
#
vlan batch 10
#
isis 1
is-level level-1
network-entity 10.0000.0000.0003.00
#
interface Vlanif10
ip address 10.1.1.3 255.255.255.0
isis enable 1
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 10
#
return

l Configuration file of SwitchD


#
sysname SwitchD
#
vlan batch 10
#
isis 1
is-level level-2
network-entity 10.0000.0000.0004.00
#
interface Vlanif10
ip address 10.1.1.4 255.255.255.0
isis enable 1
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 10
#
return

Example for Configuring IS-IS Load Balancing

Networking Requirements
As shown in Figure 5-25:
l SwitchA, SwitchB, SwitchC, and SwitchD are interconnected in an IP network by running the IS-IS protocol.
l SwitchA, SwitchB, SwitchC, and SwitchD are Level-2 Switches in Area 10.
l Load balancing is required for the transmission of the traffic from SwitchA to SwitchD through SwitchB and SwitchC respectively.


Figure 5-25 Networking diagram for configuring IS-IS load balancing
[Figure: SwitchA (L2) connects to SwitchB (L2) and SwitchC (L2), which both connect to SwitchD (L2); all four are in Area10. Interface assignments are listed in the table below.]

Switch    Interface   VLANIF Interface   IP Address
SwitchA   GE 0/0/1    VLANIF 10          10.1.1.1/24
SwitchA   GE 0/0/2    VLANIF 20          10.1.2.1/24
SwitchA   GE 0/0/3    VLANIF 50          172.16.1.1/24
SwitchB   GE 0/0/1    VLANIF 10          10.1.1.2/24
SwitchB   GE 0/0/2    VLANIF 30          192.168.0.1/24
SwitchC   GE 0/0/1    VLANIF 20          10.1.2.2/24
SwitchC   GE 0/0/2    VLANIF 40          192.168.1.1/24
SwitchD   GE 0/0/1    VLANIF 30          192.168.0.2/24
SwitchD   GE 0/0/2    VLANIF 40          192.168.1.2/24
SwitchD   GE 0/0/3    VLANIF 60          172.17.1.1/24

Configuration Roadmap
The configuration roadmap is as follows:
1. Enable basic IS-IS functions on each Switch so that the Switches can be interconnected.
2. Set the number of equal-cost routes to 1 to carry out load balancing, and check information about the routing table.
3. Configure load balancing on SwitchA and check information about the routing table.
4. (Optional) Configure the preference for equal-cost routes on SwitchA.

Data Preparation
To complete the configuration, you need the following data:
l VLAN ID of each interface, as shown in Figure 5-25
l IP address of each VLANIF interface, as shown in Figure 5-25
l System ID, level, and area ID of each Switch
Switch A: The system ID is 0000.0000.0001; the area ID is 10; the level is Level-2.
Switch B: The system ID is 0000.0000.0002; the area ID is 10; the level is Level-2.
Switch C: The system ID is 0000.0000.0003; the area ID is 10; the level is Level-2.
Switch D: The system ID is 0000.0000.0004; the area ID is 10; the level is Level-2.
l Number of equal-cost routes for load balancing on Switch A: 1
l Load balancing mode on Switch A
l Weight for the preference of the equal-cost routes on Switch C: 1

Configuration Procedure
1. Configure the IDs of the VLANs to which the interfaces belong.
The configuration details are not mentioned here.
2. Assign IP addresses to VLANIF interfaces.
The configuration details are not mentioned here.
3. Configure basic IS-IS functions.
The configuration details are not mentioned here.
4. Set the number of equal-cost routes for load balancing to 1 on Switch A.
[SwitchA] isis 1
[SwitchA-isis-1] maximum load-balancing 1
[SwitchA-isis-1] quit

# Display the routing table of SwitchA.
[SwitchA] display isis route

                         Route information for ISIS(1)
                         ----------------------------

                        ISIS(1) Level-2 Forwarding Table
                        -------------------------------

IPV4 Destination     IntCost    ExtCost    ExitInterface   NextHop         Flags
------------------------------------------------------------------------
192.168.1.0/24       20         NULL       Vlanif20        10.1.2.2        A/-/-/-
10.1.1.0/24          10         NULL       Vlanif10        Direct          D/-/L/-
172.16.1.0/24        10         NULL       Vlanif50        Direct          D/-/L/-
172.17.1.0/24        30         NULL       Vlanif10        10.1.1.2        A/-/-/-
10.1.2.0/24          10         NULL       Vlanif20        Direct          D/-/L/-
192.168.0.0/24       20         NULL       Vlanif10        10.1.1.2        A/-/-/-
     Flags: D-Direct, A-Added to URT, L-Advertised in LSPs, S-IGP Shortcut,
            U-Up/Down Bit Set

As shown in the routing table, when the maximum number of equal-cost routes for load
balancing is set to 1, IS-IS chooses the next hop 10.1.1.2 (Switch B) as the only best route
to the destination network 172.17.1.0. This is because Switch B has a smaller system ID.
5. Restore the default number of equal-cost routes for load balancing on Switch A.
[SwitchA] isis 1
[SwitchA-isis-1] undo maximum load-balancing
[SwitchA-isis-1] quit

# Display the routing table of SwitchA.
[SwitchA] display isis route

                         Route information for ISIS(1)
                         ----------------------------

                        ISIS(1) Level-2 Forwarding Table
                        -------------------------------

IPV4 Destination     IntCost    ExtCost    ExitInterface   NextHop         Flags
------------------------------------------------------------------------
192.168.1.0/24       20         NULL       Vlanif20        10.1.2.2        A/-/-/-
10.1.1.0/24          10         NULL       Vlanif10        Direct          D/-/L/-
172.16.1.0/24        10         NULL       Vlanif50        Direct          D/-/L/-
172.17.1.0/24        30         NULL       Vlanif10        10.1.1.2        A/-/-/-
                                           Vlanif20        10.1.2.2
10.1.2.0/24          10         NULL       Vlanif20        Direct          D/-/L/-
192.168.0.0/24       20         NULL       Vlanif10        10.1.1.2        A/-/-/-
     Flags: D-Direct, A-Added to URT, L-Advertised in LSPs, S-IGP Shortcut,
            U-Up/Down Bit Set

As shown in the routing table, the number of equal-cost routes for load balancing is restored
to the default value of 6. Both the next hops of Switch A, 10.1.1.2 (that is, SwitchB) and
10.1.2.2 (that is, SwitchC) now become valid.
6. (Optional) Configure the preference for equal-cost routes on Switch A.
If you do not want to load-balance traffic through Switch B and Switch C, configure the preference of the equal-cost routes and specify the next hop.
[SwitchA] isis
[SwitchA-isis-1] nexthop 10.1.2.2 weight 1
[SwitchA-isis-1] quit

7. Verify the configuration.


# Display the routing table of SwitchA.
[SwitchA] display isis route

                         Route information for ISIS(1)
                         ----------------------------

                        ISIS(1) Level-2 Forwarding Table
                        -------------------------------

IPV4 Destination     IntCost    ExtCost    ExitInterface   NextHop         Flags
------------------------------------------------------------------------------
192.168.1.0/24       20         NULL       Vlanif20        10.1.2.2        A/-/-/-
10.1.1.0/24          10         NULL       Vlanif10        Direct          D/-/L/-
172.16.1.0/24        10         NULL       Vlanif50        Direct          D/-/L/-
172.17.1.0/24        30         NULL       Vlanif20        10.1.2.2        A/-/-/-
10.1.2.0/24          10         NULL       Vlanif20        Direct          D/-/L/-
192.168.0.0/24       20         NULL       Vlanif10        10.1.1.2        A/-/-/-
     Flags: D-Direct, A-Added to URT, L-Advertised in LSPs, S-IGP Shortcut,
            U-Up/Down Bit Set

As shown in the routing table, after the preference is configured for the equal-cost routes, the next hop 10.1.2.2 (Switch C, with the weight of 1) has a higher preference than the next hop 10.1.1.2 (Switch B). Thus, IS-IS chooses the next hop 10.1.2.2 as the best route.
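The three routing-table states shown in steps 4 to 7 can be reproduced with the following model of the next-hop selection. It is an added example, not Huawei code: the tie-break on the smaller system ID is the page's own statement, while the rule that a smaller weight means a higher preference and that next hops without a weight rank last are assumptions.

```python
"""Model of IS-IS equal-cost next-hop selection, as used in steps 4 to 7.

Added example, not Huawei code. Assumptions:
- maximum load-balancing N installs at most N equal-cost next hops; when some
  must be dropped, the one learned from the neighbour with the smaller system
  ID is kept (the page states this for N = 1);
- nexthop <ip> weight W ranks a next hop, a smaller W meaning a higher
  preference; next hops with no weight are assumed to rank last (255).
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

DEFAULT_MAX_LOAD_BALANCING = 6   # default stated on the page
UNWEIGHTED = 255                 # assumed rank for next hops without a weight


@dataclass(frozen=True)
class Path:
    destination: str
    exit_interface: str
    next_hop: str
    cost: int
    via_system_id: str   # system ID of the neighbour this path was learned from


def select_next_hops(paths: List[Path],
                     max_load_balancing: int = DEFAULT_MAX_LOAD_BALANCING,
                     weights: Optional[Dict[str, int]] = None) -> List[str]:
    """Return the next hops installed for the destination covered by `paths`."""
    if not paths:
        return []
    weights = weights or {}
    best_cost = min(p.cost for p in paths)
    candidates = [p for p in paths if p.cost == best_cost]
    # Preference first: only the best-ranked weight class survives.
    best_rank = min(weights.get(p.next_hop, UNWEIGHTED) for p in candidates)
    candidates = [p for p in candidates
                  if weights.get(p.next_hop, UNWEIGHTED) == best_rank]
    # Then trim to max_load_balancing, keeping smaller system IDs first.
    candidates.sort(key=lambda p: p.via_system_id)
    return [p.next_hop for p in candidates[:max_load_balancing]]


def forwarding_table(paths: List[Path],
                     max_load_balancing: int = DEFAULT_MAX_LOAD_BALANCING,
                     weights: Optional[Dict[str, int]] = None) -> Dict[str, List[str]]:
    """Group paths by destination and select the next hops for each one."""
    by_dst: Dict[str, List[Path]] = {}
    for p in paths:
        by_dst.setdefault(p.destination, []).append(p)
    return {dst: select_next_hops(ps, max_load_balancing, weights)
            for dst, ps in sorted(by_dst.items())}


# Constructed from Figure 5-25: the two equal-cost paths from SwitchA to
# 172.17.1.0/24 (SwitchD), plus the networks behind SwitchB and SwitchC.
SWITCHA_PATHS = [
    Path("172.17.1.0/24", "Vlanif10", "10.1.1.2", 30, "0000.0000.0002"),
    Path("172.17.1.0/24", "Vlanif20", "10.1.2.2", 30, "0000.0000.0003"),
    Path("192.168.0.0/24", "Vlanif10", "10.1.1.2", 20, "0000.0000.0002"),
    Path("192.168.1.0/24", "Vlanif20", "10.1.2.2", 20, "0000.0000.0003"),
]


def step4_single_route() -> List[str]:
    """maximum load-balancing 1: only SwitchB (smaller system ID) is used."""
    return forwarding_table(SWITCHA_PATHS, max_load_balancing=1)["172.17.1.0/24"]


def step5_default() -> List[str]:
    """undo maximum load-balancing: both next hops become valid."""
    return forwarding_table(SWITCHA_PATHS)["172.17.1.0/24"]


def step6_weighted() -> List[str]:
    """nexthop 10.1.2.2 weight 1: SwitchC is preferred over SwitchB."""
    return forwarding_table(SWITCHA_PATHS, weights={"10.1.2.2": 1})["172.17.1.0/24"]


if __name__ == "__main__":
    print("step 4:", step4_single_route())   # ['10.1.1.2']
    print("step 5:", step5_default())        # ['10.1.1.2', '10.1.2.2']
    print("step 6:", step6_weighted())       # ['10.1.2.2']
```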

Configuration Files
l Configuration file of Switch A


#
sysname SwitchA
#
vlan batch 10 20 50
#
isis 1
is-level level-2
network-entity 10.0000.0000.0001.00
nexthop 10.1.2.2 weight 1
#
interface Vlanif10
ip address 10.1.1.1 255.255.255.0
isis enable 1
#
interface Vlanif20
ip address 10.1.2.1 255.255.255.0
isis enable 1
#
interface Vlanif50
ip address 172.16.1.1 255.255.255.0
isis enable 1
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 10
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 20
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk allow-pass vlan 50
#
return

l Configuration file of Switch B


#
sysname SwitchB
#
vlan batch 10 30
#
isis 1
is-level level-2
network-entity 10.0000.0000.0002.00
#
interface Vlanif10
ip address 10.1.1.2 255.255.255.0
isis enable 1
#
interface Vlanif30
ip address 192.168.0.1 255.255.255.0
isis enable 1
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 10
#


interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 30
#
return

l Configuration file of Switch C


#
sysname SwitchC
#
vlan batch 20 40
#
isis 1
is-level level-2
network-entity 10.0000.0000.0003.00
#
interface Vlanif20
ip address 10.1.2.2 255.255.255.0
isis enable 1
#
interface Vlanif40
ip address 192.168.1.1 255.255.255.0
isis enable 1
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 20
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 40
#
return

l Configuration file of SwitchD


#
sysname SwitchD
#
vlan batch 30 40 60
#
isis 1
is-level level-2
network-entity 10.0000.0000.0004.00
#
interface Vlanif30
ip address 192.168.0.2 255.255.255.0
isis enable 1
#
interface Vlanif40
ip address 192.168.1.2 255.255.255.0
isis enable 1
#
interface Vlanif60
ip address 172.17.1.1 255.255.255.0
isis enable 1
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 30
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 40
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk allow-pass vlan 60
#
return


Example for Configuring IS-IS GR

Networking Requirements
As shown in Figure 5-26, the networking requirements are as follows: Switch A, Switch B, and Switch C belong to the same autonomous system. They run the IS-IS protocol to implement interworking and provide the GR mechanism.
After Switch A, Switch B, and Switch C set up IS-IS adjacencies with each other, they start to exchange routing information. When IS-IS is restarted on Switch A, Switch A resends connection requests to neighbors to synchronize the LSDB.
Figure 5-26 Networking diagram of IS-IS GR configuration
[Figure: SwitchA (L1) GE0/0/1 connects to SwitchC (L1/L2) GE0/0/1; SwitchC GE0/0/2 connects to SwitchB (L2) GE0/0/1. Interface assignments are listed in the table below.]

Switch    Interface              VLANIF interface   IP address
SwitchA   GigabitEthernet0/0/1   VLANIF 10          100.1.1.1/24
SwitchB   GigabitEthernet0/0/1   VLANIF 20          100.2.1.2/24
SwitchC   GigabitEthernet0/0/1   VLANIF 10          100.1.1.2/24
SwitchC   GigabitEthernet0/0/2   VLANIF 20          100.2.1.1/24

Configuration Roadmap
The configuration roadmap is as follows:
1. Enable IS-IS on each Switch so that the Switches can be interconnected.
2. Configure GR in the IS-IS view on each Switch and configure the same interval for the restart.

Data Preparation
To complete the configuration, you need the following data:
l ID of the VLAN that each interface belongs to, as shown in Figure 5-26
l IP address of each VLANIF interface, as shown in Figure 5-26
l System ID, level, and area ID of each Switch:
Switch A: The system ID is 0000.0000.0001; the area ID is 10; the level is Level-1.
Switch B: The system ID is 0000.0000.0002; the area ID is 10; the level is Level-2.
Switch C: The system ID is 0000.0000.0003; the area ID is 10; the level is Level-1-2.
l Restart interval

Procedure
Step 1 Configure VLANs that the related interfaces belong to.
<Quidway> system-view
[Quidway] sysname SwitchA
[SwitchA] vlan 10
[SwitchA-Vlan10] quit
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port hybrid pvid vlan 10
[SwitchA-GigabitEthernet0/0/1] port hybrid untagged vlan 10
[SwitchA-GigabitEthernet0/0/1] quit

The configurations of Switch B and Switch C are similar to the configuration of Switch A, and are not mentioned here.
Step 2 Assign an IP address to each VLANIF interface.
[SwitchA] interface vlanif10
[SwitchA-Vlanif10] ip address 100.1.1.1 24
[SwitchA-Vlanif10] quit

The configurations of Switch B and Switch C are similar to the configuration of Switch A, and are not mentioned here.
Step 3 Configure the basic function of IS-IS. The configuration procedure is not mentioned here.
Step 4 Configure IS-IS GR.
# Enable IS-IS GR on Switch A and set the restart interval. The configurations on Switch B and
Switch C are the same as the configurations on Switch A. Switch A is taken as an example here.
[SwitchA] isis 1
[SwitchA-isis-1] graceful-restart
[SwitchA-isis-1] graceful-restart interval 150
[SwitchA-isis-1] quit

Step 5 Verify the configuration.


# Run the display fib command on Switch A to view the Forwarding Information Base (FIB) table.
<SwitchA> display fib
 Route Flags: G - Gateway Route, H - Host Route,    U - Up Route
              S - Static Route,  D - Dynamic Route, B - Black Hole Route
 FIB Table:
 Total number of Routes : 5
Destination/Mask   Nexthop         Flag  TimeStamp     Interface    TunnelID
127.0.0.1/32       127.0.0.1       HU    t[21]         InLoop0      0x0
127.0.0.0/8        127.0.0.1       U     t[21]         InLoop0      0x0
100.1.1.1/32       127.0.0.1       HU    t[20678]      InLoop0      0x0
100.1.1.0/24       100.1.1.1       U     t[20678]      Vlanif10     0x0
100.2.1.0/24       100.1.1.2       DGU   t[79388]      Vlanif10     0x0

# Reset the IS-IS process by using the GR method on Switch A.
<SwitchA> reset isis all graceful-restart
NOTE
The Switch restarts an IS-IS process in GR mode only when GR is enabled for the IS-IS process.

# Run the display fib command on Switch A and view the FIB table to check whether GR works normally. If GR works normally, the FIB table does not change and the forwarding service is not affected when Switch A restarts the IS-IS process in GR mode.
<SwitchA> display fib
 Route Flags: G - Gateway Route, H - Host Route,    U - Up Route
              S - Static Route,  D - Dynamic Route, B - Black Hole Route
 FIB Table:
 Total number of Routes : 5
Destination/Mask   Nexthop         Flag  TimeStamp     Interface    TunnelID
127.0.0.1/32       127.0.0.1       HU    t[21]         InLoop0      0x0
127.0.0.0/8        127.0.0.1       U     t[21]         InLoop0      0x0
100.1.1.1/32       127.0.0.1       HU    t[20678]      InLoop0      0x0
100.1.1.0/24       100.1.1.1       U     t[20678]      Vlanif10     0x0
100.2.1.0/24       100.1.1.2       DGU   t[79388]      Vlanif10     0x0

As shown in the display, the FIB table on Switch A does not change and the forwarding service
is not affected.
# Disable IS-IS GR on Switch A.
[SwitchA] isis 1
[SwitchA-isis-1] undo graceful-restart
[SwitchA-isis-1] quit

# Reset the IS-IS process on Switch A.
<SwitchA> reset isis all

# Run the display fib command on Switch A to view the FIB table.
<SwitchA> display fib
 Route Flags: G - Gateway Route, H - Host Route,    U - Up Route
              S - Static Route,  D - Dynamic Route, B - Black Hole Route
 FIB Table:
 Total number of Routes : 4
Destination/Mask   Nexthop         Flag  TimeStamp     Interface    TunnelID
127.0.0.1/32       127.0.0.1       HU    t[21]         InLoop0      0x0
127.0.0.0/8        127.0.0.1       U     t[21]         InLoop0      0x0
100.1.1.1/32       127.0.0.1       HU    t[20678]      InLoop0      0x0
100.1.1.0/24       100.1.1.1       U     t[20678]      Vlanif10     0x0

As shown in the display, the FIB table on Switch A changes and the forwarding service is
affected.
----End
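The GR check in Step 5 is a comparison of two FIB dumps, so it can be automated. The following script is an added example, not Huawei code; it parses the display fib table layout shown above and reports what changed, with the before/after samples reconstructed from the page's output.

```python
"""Check whether a GR restart preserved forwarding by diffing 'display fib'.

Added example, not Huawei code. It parses the FIB table format shown in
Step 5 and reports destinations that were removed, added or re-pointed.
"""
import re
from typing import Dict, List, NamedTuple, Tuple


class FibEntry(NamedTuple):
    next_hop: str
    flags: str
    interface: str


# One FIB row: destination/mask, next hop, flags, t[...] timestamp, interface,
# tunnel ID. The timestamp is matched but not kept: it changes on every refresh
# and says nothing about whether forwarding was preserved.
_ROW = re.compile(
    r"^\s*(?P<dst>\d+\.\d+\.\d+\.\d+/\d+)\s+(?P<nh>\d+\.\d+\.\d+\.\d+)\s+"
    r"(?P<flag>[A-Z]+)\s+t\[\d+\]\s+(?P<ifc>\S+)\s+0x[0-9a-fA-F]+\s*$"
)


def parse_fib(output: str) -> Dict[str, FibEntry]:
    """Map each destination/mask in 'display fib' output to its FibEntry."""
    table: Dict[str, FibEntry] = {}
    for line in output.splitlines():
        m = _ROW.match(line)
        if m:
            table[m["dst"]] = FibEntry(m["nh"], m["flag"], m["ifc"])
    return table


def fib_diff(before: str, after: str) -> Tuple[List[str], List[str], List[str]]:
    """Return (removed, added, changed) destinations between two FIB dumps."""
    old, new = parse_fib(before), parse_fib(after)
    removed = sorted(set(old) - set(new))
    added = sorted(set(new) - set(old))
    changed = sorted(d for d in set(old) & set(new) if old[d] != new[d])
    return removed, added, changed


def forwarding_preserved(before: str, after: str) -> bool:
    """True when the restart left every FIB entry in place and unchanged."""
    return fib_diff(before, after) == ([], [], [])


# Constructed samples laid out like the page's Switch A output (row content
# from Step 5; the before-restart and after-GR tables are identical).
FIB_BEFORE = """\
 Route Flags: G - Gateway Route, H - Host Route,    U - Up Route
              S - Static Route,  D - Dynamic Route, B - Black Hole Route
 FIB Table:
 Total number of Routes : 5
Destination/Mask   Nexthop         Flag  TimeStamp     Interface    TunnelID
127.0.0.1/32       127.0.0.1       HU    t[21]         InLoop0      0x0
127.0.0.0/8        127.0.0.1       U     t[21]         InLoop0      0x0
100.1.1.1/32       127.0.0.1       HU    t[20678]      InLoop0      0x0
100.1.1.0/24       100.1.1.1       U     t[20678]      Vlanif10     0x0
100.2.1.0/24       100.1.1.2       DGU   t[79388]      Vlanif10     0x0
"""
FIB_AFTER_GR = FIB_BEFORE
# After 'reset isis all' with GR disabled: the IS-IS learned route is gone.
FIB_AFTER_PLAIN_RESET = "\n".join(
    line for line in FIB_BEFORE.splitlines() if not line.startswith("100.2.1.0/24")
).replace("Total number of Routes : 5", "Total number of Routes : 4")


if __name__ == "__main__":
    print("GR reset preserved forwarding:",
          forwarding_preserved(FIB_BEFORE, FIB_AFTER_GR))          # True
    print("plain reset diff:", fib_diff(FIB_BEFORE, FIB_AFTER_PLAIN_RESET))
```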

Configuration Files
l Configuration file of Switch A


#
sysname SwitchA
#
vlan batch 10
#
isis 1
graceful-restart
graceful-restart interval 150
is-level level-1
network-entity 10.0000.0000.0001.00
#
interface Vlanif10
ip address 100.1.1.1 255.255.255.0
isis enable 1
#
interface GigabitEthernet0/0/1
port hybrid pvid vlan 10
port hybrid untagged vlan 10
#
return

l Configuration file of Switch B
#
sysname SwitchB
#
vlan batch 20
#
isis 1
graceful-restart
graceful-restart interval 150
is-level level-2
network-entity 10.0000.0000.0002.00
#
interface Vlanif20
ip address 100.2.1.2 255.255.255.0
isis enable 1
#
interface GigabitEthernet0/0/1
port hybrid pvid vlan 20
port hybrid untagged vlan 20
#
return

l Configuration file of Switch C


#
sysname SwitchC
#
vlan batch 10 20
#
isis 1
graceful-restart
graceful-restart interval 150
network-entity 10.0000.0000.0003.00
#
interface Vlanif10
ip address 100.1.1.2 255.255.255.0
isis enable 1
#
interface Vlanif20
ip address 100.2.1.1 255.255.255.0
isis enable 1
#
interface GigabitEthernet0/0/1
port hybrid pvid vlan 10
port hybrid untagged vlan 10
#
interface GigabitEthernet0/0/2
port hybrid pvid vlan 20
port hybrid untagged vlan 20
#
return

Example for Configuring Static BFD for IS-IS

Networking Requirements
As shown in Figure 5-27:
l A Layer 2 switch exists between Switch A and Switch B.
l Switch A, Switch B, and Switch C run IS-IS.
l BFD is configured to detect the IS-IS neighbor relationship between Switch A and Switch B. When the link between Switch A and Switch B is faulty, BFD can quickly detect the fault and report it to IS-IS.


Figure 5-27 Networking diagram for configuring static BFD for IS-IS
[Figure: SwitchA GE0/0/1 (100.1.1.1/24) connects through a Layer 2 switch to SwitchB GE0/0/1 (100.1.1.2/24); SwitchB GE0/0/2 (100.2.1.1/24) connects to SwitchC GE0/0/1 (100.2.1.2/24).]

Switch    Interface   VLANIF interface   IP address
SwitchA   GE0/0/1     VLANIF 10          100.1.1.1/24
SwitchB   GE0/0/1     VLANIF 10          100.1.1.2/24
SwitchB   GE0/0/2     VLANIF 30          100.2.1.1/24
SwitchC   GE0/0/1     VLANIF 30          100.2.1.2/24

NOTE
BFD for IS-IS cannot be used to detect the multi-hop link between Switch A and Switch C, because the IS-IS neighbor relationship cannot be established between Switch A and Switch C.

Configuration Roadmap
The configuration roadmap is as follows:
1. Enable basic IS-IS functions on each Switch.
2. Enable BFD on Switch A and Switch B.

Data Preparation
To complete the configuration, you need the following data:
l IS-IS process ID
l Area addresses of Switch A, Switch B, and Switch C
l Levels of Switch A, Switch B, and Switch C
l Name of the BFD session set up between Switch A and Switch B and the peer IP address to be detected
l Local and remote discriminators of the BFD session set up between Switch A and Switch B

Procedure
Step 1 Configure VLANs that interfaces belong to.
<Quidway> system-view
[Quidway] sysname SwitchA
[SwitchA] vlan batch 10
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port hybrid pvid vlan 10
[SwitchA-GigabitEthernet0/0/1] port hybrid untagged vlan 10
[SwitchA-GigabitEthernet0/0/1] quit

The configurations of Switch B and Switch C are similar to the configuration of Switch A, and
are not mentioned here.

Step 2 Configure an IP address for each VLANIF interface.
[SwitchA] interface vlanif 10
[SwitchA-Vlanif10] ip address 100.1.1.1 24
[SwitchA-Vlanif10] quit

The configurations of Switch B and Switch C are similar to the configuration of Switch A, and
are not mentioned here.
Step 3 Configure basic IS-IS functions.
# Configure Switch A.
[SwitchA] isis 1
[SwitchA-isis-1] is-level level-2
[SwitchA-isis-1] network-entity aa.1111.1111.1111.00
[SwitchA-isis-1] quit
[SwitchA] interface vlanif 10
[SwitchA-Vlanif10] isis enable 1
[SwitchA-Vlanif10] quit

# Configure Switch B.
[SwitchB] isis 1
[SwitchB-isis-1] is-level level-2
[SwitchB-isis-1] network-entity aa.2222.2222.2222.00
[SwitchB-isis-1] quit
[SwitchB] interface vlanif 10
[SwitchB-Vlanif10] isis enable 1
[SwitchB-Vlanif10] quit
[SwitchB] interface vlanif 30
[SwitchB-Vlanif30] isis enable 1
[SwitchB-Vlanif30] quit

# Configure Switch C.
[SwitchC] isis 1
[SwitchC-isis-1] is-level level-2
[SwitchC-isis-1] network-entity aa.3333.3333.3333.00
[SwitchC-isis-1] quit
[SwitchC] interface vlanif 30
[SwitchC-Vlanif30] isis enable 1
[SwitchC-Vlanif30] quit

After the preceding configurations, you can view that the neighbor relationship is established
between Switch A and Switch B.
[SwitchA] display isis peer

                          Peer information for ISIS(1)
                          ---------------------------
  System Id      Interface   Circuit Id   State HoldTime Type  PRI
  2222.2222.2222 Vlanif10    001          Up    23s      L2    64

The IS-IS routing table of Switch A has entries to Switch B and Switch C.
[SwitchA] display isis route

                         Route information for ISIS(1)
                         ----------------------------

                        ISIS(1) Level-2 Forwarding Table
                        -------------------------------

IPV4 Destination     IntCost    ExtCost ExitInterface   NextHop         Flags
------------------------------------------------------------------------
100.1.1.0/24         10         NULL    Vlanif10        Direct          D/-/L/-
100.2.1.0/24         20         NULL    Vlanif10        100.1.1.2       A/-/L/-
     Flags: D-Direct, A-Added to URT, L-Advertised in LSPs, S-IGP Shortcut,
            U-Up/Down Bit Set

Step 4 Configure BFD.
# Enable BFD on Switch A and configure a BFD session.
[SwitchA] bfd
[SwitchA-bfd] quit
[SwitchA] bfd atob bind peer-ip 100.1.1.2 interface vlanif 10
[SwitchA-bfd-session-atob] discriminator local 1
[SwitchA-bfd-session-atob] discriminator remote 2
[SwitchA-bfd-session-atob] commit
[SwitchA-bfd-session-atob] quit

# Enable BFD on Switch B and configure a BFD session.


[SwitchB] bfd
[SwitchB-bfd] quit
[SwitchB] bfd btoa bind peer-ip 100.1.1.1 interface vlanif 10
[SwitchB-bfd-session-btoa] discriminator local 2
[SwitchB-bfd-session-btoa] discriminator remote 1
[SwitchB-bfd-session-btoa] commit
[SwitchB-bfd-session-btoa] quit

After the preceding configurations, you can view that the status of the BFD session is Up when
the display bfd session command is used on Switch A or Switch B.
The display on Switch A is as follows:
[SwitchA] display bfd session all
--------------------------------------------------------------------------------
Local  Remote  PeerIpAddr      State  Type      InterfaceName
--------------------------------------------------------------------------------
1      2       100.1.1.2       Up     S_IP_IF   Vlanif10
--------------------------------------------------------------------------------
     Total UP/DOWN Session Number : 1/0

Step 5 Enable IS-IS fast sense.


# Configure Switch A.
[SwitchA] interface vlanif 10
[SwitchA-Vlanif10] isis bfd static
[SwitchA-Vlanif10] quit

# Configure Switch B.
[SwitchB] interface vlanif 10
[SwitchB-Vlanif10] isis bfd static
[SwitchB-Vlanif10] quit

Step 6 Verify the configuration.


# Enable debugging on Switch A and output the information to the VTY terminal.
[SwitchA] info-center source bfd channel 1 log level debugging state on
[SwitchA] quit
<SwitchA> debugging isis circuit-information
<SwitchA> terminal debugging
<SwitchA> terminal logging
<SwitchA> terminal monitor

# Run the shutdown command on Vlanif10 of Switch B to simulate a link fault.


[SwitchB-Vlanif10] shutdown

# On Switch A, the following log information and debugging information are displayed. They indicate that IS-IS deletes the neighbor relationship with Switch B according to the fault reported by BFD.
Sep 12 2007 11:32:18 RT2 %%01ISIS/4/PEER_DOWN_BFDDOWN(l): IS-IS process id 1 nei
ghbor 2222.2222.2222 is down on the interface GE1/0/0 because BFD node is Down.
The last Hello packet is received at 11:32:10. The maximum interval for sending
Hello packets is 9247. The local router sends 426 Hello packets and receives 61
Hello packets. The Hello packet type is Lan Level-2.
*0.481363988 RT2 ISIS/6/ISIS:
ISIS-1-FastSense: Deleting Neighbour by IP Address 100.1.1.2 On Vlanif10(IS01_1048)

When you run the display isis route command or the display isis peer command on Switch A, no information is displayed. This indicates that the IS-IS neighbor relationship between Switch A and Switch B is deleted.
----End
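The PEER_DOWN_BFDDOWN log shown in Step 6 is the event an operator would want to alert on, since a lost adjacency changes the forwarding path. The following parser is an added example, not Huawei code; the log layout is taken from the line on the page, and the expected-adjacency list and the second, unrelated log line are constructed inputs.

```python
"""Parse the IS-IS PEER_DOWN_BFDDOWN log shown in Step 6 and raise an alert.

Added example, not Huawei code. The log layout (timestamp, host,
%%<ver><module>/<severity>/<mnemonic>(<type>): body) is taken from the line
on the page; the expected-adjacency list is a constructed input.
"""
import re
from typing import Dict, List, Optional

# Constructed sample: the page's log line with the wrap inside "neighbor"
# removed, followed by a constructed unrelated line that must be ignored.
SAMPLE_LOGS = [
    "Sep 12 2007 11:32:18 RT2 %%01ISIS/4/PEER_DOWN_BFDDOWN(l): IS-IS process id 1 "
    "neighbor 2222.2222.2222 is down on the interface GE1/0/0 because BFD node is "
    "Down. The last Hello packet is received at 11:32:10. The maximum interval for "
    "sending Hello packets is 9247. The local router sends 426 Hello packets and "
    "receives 61 Hello packets. The Hello packet type is Lan Level-2.",
    "Sep 12 2007 11:32:19 RT2 %%01SHELL/5/CMD(l): constructed sample, not an IS-IS event",
]

_HEADER = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{4} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"%%\d{2}(?P<module>[A-Z]+)/(?P<severity>\d)/(?P<mnemonic>[A-Z0-9_]+)\((?P<kind>\w)\): "
    r"(?P<body>.*)$"
)
_PEER_DOWN = re.compile(
    r"IS-IS process id (?P<proc>\d+) neighbor (?P<neighbor>[0-9a-fA-F.]+) is down "
    r"on the interface (?P<ifc>\S+) because (?P<reason>.+?)\."
)
_LAST_HELLO = re.compile(r"The last Hello packet is received at (\d{2}:\d{2}:\d{2})")


def parse_log(line: str) -> Optional[Dict[str, str]]:
    """Split one info-center log line into its header fields and body."""
    m = _HEADER.match(line)
    return m.groupdict() if m else None


def parse_peer_down(line: str) -> Optional[Dict[str, str]]:
    """Return the fields of an IS-IS PEER_DOWN_* event, or None for anything else."""
    rec = parse_log(line)
    if not rec or rec["module"] != "ISIS" or not rec["mnemonic"].startswith("PEER_DOWN"):
        return None
    body = _PEER_DOWN.search(rec["body"])
    if not body:
        return None
    event = {k: rec[k] for k in ("ts", "host", "severity", "mnemonic")}
    event.update(body.groupdict())
    hello = _LAST_HELLO.search(rec["body"])
    event["last_hello"] = hello.group(1) if hello else ""
    return event


def adjacency_alerts(lines: List[str], expected: Dict[str, str]) -> List[Dict[str, str]]:
    """Alert on every lost adjacency and say whether it was a tracked neighbour.

    `expected` maps neighbour system ID -> the interface it should be seen on.
    A loss reported on another interface is flagged separately, because it
    means the live topology differs from what the operator documented.
    """
    alerts = []
    for line in lines:
        ev = parse_peer_down(line)
        if ev is None:
            continue
        tracked_ifc = expected.get(ev["neighbor"])
        if tracked_ifc is None:
            ev["assessment"] = "untracked neighbour"
        elif tracked_ifc != ev["ifc"]:
            ev["assessment"] = "tracked neighbour, unexpected interface"
        else:
            ev["assessment"] = "tracked adjacency lost"
        alerts.append(ev)
    return alerts


if __name__ == "__main__":
    for a in adjacency_alerts(SAMPLE_LOGS, {"2222.2222.2222": "GE1/0/0"}):
        print(a["ts"], a["host"], a["mnemonic"], a["neighbor"], a["ifc"],
              a["reason"], "-", a["assessment"])
```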

Configuration Files
l Configuration file of Switch A


#
sysname SwitchA
#
vlan batch 10
#
info-center source BFD channel 1 log level debugging
#
bfd
#
isis 1
is-level level-2
network-entity aa.1111.1111.1111.00
#
interface Vlanif10
ip address 100.1.1.1 255.255.255.0
isis enable 1
isis bfd static
#
bfd atob bind peer-ip 100.1.1.2 interface Vlanif10
discriminator local 1
discriminator remote 2
commit
#
interface GigabitEthernet0/0/1
port hybrid pvid vlan 10
port hybrid untagged vlan 10
#
return

l Configuration file of Switch B

#
sysname SwitchB
#
vlan batch 10 30
#
bfd
#
isis 1
is-level level-2
network-entity aa.2222.2222.2222.00
#
interface Vlanif10
ip address 100.1.1.2 255.255.255.0
isis enable 1
isis bfd static
shutdown
#
interface Vlanif30
ip address 100.2.1.1 255.255.255.0
isis enable 1
#
bfd btoa bind peer-ip 100.1.1.1 interface Vlanif10
discriminator local 2
discriminator remote 1
commit
#

interface GigabitEthernet0/0/1
port hybrid pvid vlan 10
port hybrid untagged vlan 10
#
interface GigabitEthernet0/0/2
port hybrid pvid vlan 30
port hybrid untagged vlan 30
#
return

l Configuration file of Switch C

#
sysname SwitchC
#
vlan batch 30
#
isis 1
is-level level-2
network-entity aa.3333.3333.3333.00
#
interface Vlanif30
ip address 100.2.1.2 255.255.255.0
isis enable 1
#
interface GigabitEthernet0/0/1
port hybrid pvid vlan 30
port hybrid untagged vlan 30
#
return

Example for Configuring Dynamic BFD for IS-IS


Networking Requirements
As shown in Figure 5-28, it is required as follows:
l Run IS-IS on Switch A, Switch B, and Switch C.
l Enable BFD of the IS-IS process on Switch A, Switch B, and Switch C.
l Traffic is transmitted on the active link Switch A -> Switch B. The link Switch A -> Switch B -> Switch C acts as the standby link.
l Enable BFD of the interfaces on the link between Switch A and Switch B. When the link between Switch A and Switch B fails, BFD quickly detects the fault and notifies IS-IS of it, so that traffic is switched to the standby link.

Figure 5-28 Networking diagram for configuring the dynamic BFD

[Figure: topology of Switch A, Switch B, and Switch C; the interfaces and IP addresses labelled in the diagram are listed in the following table.]

Switch     Interface   VLANIF interface   IP address
Switch A   GE0/0/1     VLANIF 10          1.1.1.1/24
Switch A   GE0/0/2     VLANIF 20          3.3.3.1/24
Switch B   GE0/0/1     VLANIF 50          2.2.2.2/24
Switch B   GE0/0/2     VLANIF 20          3.3.3.2/24
Switch B   GE0/0/3     VLANIF 40          172.16.1.1/24
Switch C   GE0/0/2     VLANIF 50          2.2.2.1/24
Switch C   GE0/0/1     VLANIF 10          1.1.1.2/24

Configuration Roadmap
The configuration roadmap is as follows:
1. Enable IS-IS on each Switch and ensure the connectivity of the Switches.
2. Set the interface cost of IS-IS to control the route selection of the Switches.
3. Enable global BFD.
4. Enable the BFD detection mechanism of the IS-IS process on Switch A, Switch B, and Switch C.
5. Enable the BFD detection mechanism of the interfaces on Switch A and Switch B.

Data Preparation
To complete the configuration, you need the following data:
l Process ID of IS-IS
l Area numbers of Switch A, Switch B, and Switch C
l Interface cost of Switch A, Switch B, and Switch C
l Interface number and type number of BFD enabled on Switch A and Switch B
l Minimum interval for sending the BFD packets, minimum interval for receiving the BFD packets, and local detection multiple on Switch A and Switch B

Procedure
Step 1 Configure VLANs that interfaces belong to.
<Quidway> system-view
[Quidway] sysname SwitchA
[SwitchA] vlan batch 10 20
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port hybrid pvid vlan 10
[SwitchA-GigabitEthernet0/0/1] port hybrid untagged vlan 10
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port hybrid pvid vlan 20
[SwitchA-GigabitEthernet0/0/2] port hybrid untagged vlan 20
[SwitchA-GigabitEthernet0/0/2] quit

The configurations of SwitchB and SwitchC are similar to the configuration of SwitchA, and
are not mentioned here.
Step 2 Assign an IP address to each VLANIF interface.
[SwitchA] interface vlanif 10
[SwitchA-Vlanif10] ip address 1.1.1.1 24
[SwitchA-Vlanif10] quit
[SwitchA] interface vlanif 20
[SwitchA-Vlanif20] ip address 3.3.3.1 24
[SwitchA-Vlanif20] quit

The configurations of SwitchB and SwitchC are similar to the configuration of SwitchA, and
are not mentioned here.
Step 3 Configure the basic IS-IS functions.
# Configure Switch A.
[SwitchA] isis
[SwitchA-isis-1] is-level level-2
[SwitchA-isis-1] network-entity 10.0000.0000.0001.00
[SwitchA-isis-1] quit
[SwitchA] interface vlanif 10
[SwitchA-Vlanif10] isis enable 1
[SwitchA-Vlanif10] quit
[SwitchA] interface vlanif 20
[SwitchA-Vlanif20] isis enable 1
[SwitchA-Vlanif20] quit

# Configure Switch B.
[SwitchB] isis
[SwitchB-isis-1] is-level level-2
[SwitchB-isis-1] network-entity 10.0000.0000.0002.00
[SwitchB-isis-1] quit
[SwitchB] interface vlanif 50
[SwitchB-Vlanif50] isis enable 1
[SwitchB-Vlanif50] quit
[SwitchB] interface vlanif 20
[SwitchB-Vlanif20] isis enable 1
[SwitchB-Vlanif20] quit
[SwitchB] interface vlanif 40
[SwitchB-Vlanif40] isis enable 1
[SwitchB-Vlanif40] quit

# Configure Switch C.
[SwitchC] isis

[SwitchC-isis-1] is-level level-2
[SwitchC-isis-1] network-entity 10.0000.0000.0003.00
[SwitchC-isis-1] quit
[SwitchC] interface vlanif 10
[SwitchC-Vlanif10] isis enable 1
[SwitchC-Vlanif10] quit
[SwitchC] interface vlanif 50
[SwitchC-Vlanif50] isis enable 1
[SwitchC-Vlanif50] quit

# After the preceding configurations are complete, use the display isis peer command. You can
view that the neighboring relationship is set up between Switch A and Switch B, and that between
Switch A and Switch C. Take the configuration on Switch A as an example:
[SwitchA] display isis peer

                          Peer information for ISIS(1)
                          ----------------------------
  System Id     Interface          Circuit Id        State HoldTime Type     PRI
0000.0000.0002  Vlanif20           0000.0000.0002.01 Up    9s       L2       64
0000.0000.0003  Vlanif10           0000.0000.0001.02 Up    21s      L2       64
Total Peer(s): 2

# The Switches have learned routes of each other. Take the routing table of Switch A as an
example:
[SwitchA] display ip routing-table
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
         Destinations : 8        Routes : 9

Destination/Mask    Proto   Pre  Cost      Flags NextHop         Interface

        1.1.1.0/24  Direct  0    0           D   1.1.1.1         Vlanif10
        1.1.1.1/32  Direct  0    0           D   127.0.0.1       InLoopBack0
        2.2.2.0/24  ISIS-L2 15   20          D   1.1.1.2         Vlanif10
        3.3.3.0/24  Direct  0    0           D   3.3.3.1         Vlanif20
        3.3.3.1/32  Direct  0    0           D   127.0.0.1       InLoopBack0
        127.0.0.0/8 Direct  0    0           D   127.0.0.1       InLoopBack0
      127.0.0.1/32  Direct  0    0           D   127.0.0.1       InLoopBack0
     172.16.1.0/24  ISIS-L2 15   20          D   3.3.3.2         Vlanif20

As shown in the routing table, the next hop address of the route to 172.16.1.0/24 is 3.3.3.2 and
traffic is transmitted on the active link from Switch A to Switch B.
Step 4 Set the interface cost.
# Configure Switch A.
[SwitchA] interface vlanif 20
[SwitchA-Vlanif20] isis cost 5
[SwitchA-Vlanif20] quit

# Configure Switch B.
[SwitchB] interface vlanif 20
[SwitchB-Vlanif20] isis cost 5
[SwitchB-Vlanif20] quit

Step 5 Configure BFD of the IS-IS process.


# Enable BFD of the IS-IS process on Switch A.
[SwitchA] bfd
[SwitchA-bfd] quit
[SwitchA] isis
[SwitchA-isis-1] bfd all-interfaces enable
[SwitchA-isis-1] quit

# Enable BFD of the IS-IS process on Switch B.


[SwitchB] bfd
[SwitchB-bfd] quit
[SwitchB] isis
[SwitchB-isis-1] bfd all-interfaces enable
[SwitchB-isis-1] quit

# Enable BFD of the IS-IS process on Switch C.


[SwitchC] bfd
[SwitchC-bfd] quit
[SwitchC] isis
[SwitchC-isis-1] bfd all-interfaces enable
[SwitchC-isis-1] quit

# After the preceding configurations are complete, run the display isis bfd session all command
on Switch A, Switch B, or Switch C. You can view that the status of BFD is Up.
Take the display of Switch A as an example:
[SwitchA] display isis bfd session all

                          BFD session information for ISIS(1)
                          ----------------------------------
Peer System ID : 0000.0000.0002      Interface : Vlanif20
TX : 10                              BFD State : up             Peer IP Address : 1.1.1.2
RX : 100                             LocDis : 8193              Local IP Address: 1.1.1.1
Multiplier : 3                       RemDis : 8192              Type : L2
Diag : No diagnostic information
Peer System ID : 0000.0000.0003      Interface : Vlanif10
                                     BFD State : up             Peer IP Address : 1.1.1.2
Multiplier : 3                       RemDis : 8192              Type : L2
Diag : No diagnostic information

From the preceding display, you can view that the status of the BFD session between Switch A
and Switch B and that between Switch A and Switch C are Up.
Step 6 Configure BFD of the interfaces.
# Configure BFD on Vlanif20 of Switch A, set the minimum interval for sending the packets
and the minimum interval for receiving the packets to 100 ms, and set the local detection time
multiple to 4.
[SwitchA] interface vlanif 20
[SwitchA-Vlanif20] isis bfd enable
[SwitchA-Vlanif20] isis bfd min-tx-interval 100 min-rx-interval 100 detect-multiplier 4
[SwitchA-Vlanif20] quit

# Configure BFD on Vlanif20 of Switch B, set the minimum interval for sending the packets
and the minimum interval for receiving the packets to 100 ms, and set the local detection time
multiple to 4.
[SwitchB] bfd
[SwitchB-bfd] quit
[SwitchB] interface vlanif 20
[SwitchB-Vlanif20] isis bfd enable
[SwitchB-Vlanif20] isis bfd min-tx-interval 100 min-rx-interval 100 detect-multiplier 4
[SwitchB-Vlanif20] quit

# After the preceding configurations are complete, run the display isis bfd session all command
on Switch A or Switch B. You can view that the parameters of the BFD have taken effect. Take
the display of Switch B as an example:
[SwitchB] display isis bfd session all

                          BFD session information for ISIS(1)
                          ----------------------------------
Peer System ID : 0000.0000.0001      Interface : Vlanif20
TX : 100                             BFD State : up             Peer IP Address : 3.3.3.1
RX : 100                             LocDis : 8192              Local IP Address: 3.3.3.2
Multiplier : 4                       RemDis : 8192              Type : L2
Diag : No diagnostic information
Peer System ID : 0000.0000.0003      Interface : Vlanif50
TX : 100                             BFD State : up             Peer IP Address : 2.2.2.1
RX : 100                             LocDis : 8192              Local IP Address: 2.2.2.2
Multiplier : 3                       RemDis : 8193              Type : L2
Diag : No diagnostic information
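A way to automate the check in this step, added here as an example that is not part of the guide: a Python script that parses the layout of the display isis bfd session all output shown above and reports any session that is not up or whose interval and multiplier differ from the values configured in Step 6. The sample output, the EXPECTED table and the deliberately failing Vlanif50 session are constructed for this example.

```python
import re

# Constructed sample in the layout of the "display isis bfd session all" output
# shown in the guide. Values are chosen for this example: the Vlanif50 session is
# deliberately down so that the check below has something to report.
SAMPLE_OUTPUT = """\
BFD session information for ISIS(1)
----------------------------------
Peer System ID : 0000.0000.0001      Interface : Vlanif20
TX : 100                             BFD State : up             Peer IP Address : 3.3.3.1
RX : 100                             LocDis : 8192              Local IP Address: 3.3.3.2
Multiplier : 4                       RemDis : 8192              Type : L2
Diag : No diagnostic information
Peer System ID : 0000.0000.0003      Interface : Vlanif50
TX : 1000                            BFD State : down           Peer IP Address : 2.2.2.1
RX : 1000                            LocDis : 8193              Local IP Address: 2.2.2.2
Multiplier : 3                       RemDis : 8192              Type : L2
Diag : Control Detection Time Expired
"""

# Intended per-interface parameters (constructed to match Step 6: 100 ms intervals
# and detection multiplier 4 on Vlanif20). Interfaces not listed are only checked
# for session state.
EXPECTED = {"Vlanif20": {"TX": "100", "RX": "100", "Multiplier": "4"}}


def parse_sessions(text):
    """Split the display output into one dict of field -> value per BFD session.

    Each line carries up to three 'Name : value' pairs separated by two or more
    spaces; a new session record starts at every 'Peer System ID' field."""
    sessions = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("BFD session") or line.startswith("---"):
            continue
        for chunk in re.split(r"\s{2,}", line):
            if ":" not in chunk:
                continue
            key, value = (part.strip() for part in chunk.split(":", 1))
            if key == "Peer System ID":
                sessions.append({})
            if not sessions:  # a field before any record header: ignore it
                continue
            sessions[-1][key] = value
    return sessions


def check_sessions(sessions, expected):
    """Return a list of problem strings; an empty list means every session is
    up and every listed interface carries the expected parameters."""
    problems = []
    for session in sessions:
        iface = session.get("Interface", "?")
        peer = session.get("Peer System ID", "?")
        if session.get("BFD State") != "up":
            problems.append(f"{iface}: session to {peer} is "
                            f"{session.get('BFD State')} ({session.get('Diag')})")
        for key, want in expected.get(iface, {}).items():
            if session.get(key) != want:
                problems.append(f"{iface}: {key} is {session.get(key)}, expected {want}")
    return problems


if __name__ == "__main__":
    for problem in check_sessions(parse_sessions(SAMPLE_OUTPUT), EXPECTED):
        print(problem)
```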

Step 7 Verify the configuration.


# Run the shutdown command on Vlanif20 of Switch B to simulate the active link failure.
[SwitchB] interface vlanif 20
[SwitchB-Vlanif20] shutdown

Step 8 Display the routing table on Switch A.


[SwitchA] display ip routing-table
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
         Destinations : 8        Routes : 8

Destination/Mask    Proto   Pre  Cost      Flags NextHop         Interface

        1.1.1.0/24  Direct  0    0           D   1.1.1.1         Vlanif10
        1.1.1.1/32  Direct  0    0           D   127.0.0.1       Vlanif10
        2.2.2.0/24  ISIS-L2 15   20          D   1.1.1.2         Vlanif10
        3.3.3.0/24  Direct  15   25          D   1.1.1.2         Vlanif10
        127.0.0.0/8 Direct  0    0           D   127.0.0.1       InLoopBack0
      127.0.0.1/32  Direct  0    0           D   127.0.0.1       InLoopBack0
     172.16.1.0/24  ISIS-L2 15   30          D   1.1.1.2         Vlanif10

As shown in the routing table, the standby link Switch A -> Switch C -> Switch B takes effect
after the active link fails. The next hop address of the route to 172.16.1.0/24 becomes 1.1.1.2.
# Run the display isis bfd session all command on Switch A. You can view the status of the
BFD session is Up between Switch A and Switch C.
[SwitchA] display isis bfd session all

                          BFD session information for ISIS(1)
                          ----------------------------------
Peer System ID : 0000.0000.0003      Interface : Vlanif10
TX : 100                             BFD State : up             Peer IP Address : 1.1.1.2
RX : 100                             LocDis : 8192              Local IP Address: 1.1.1.1
Multiplier : 3                       RemDis : 8192              Type : L2
Diag : No diagnostic information

----End

Configuration Files
l Configuration file of Switch A

#
sysname SwitchA
#
vlan batch 10 20
#
bfd
#
isis 1
is-level level-2
bfd all-interfaces enable
network-entity 10.0000.0000.0001.00
#
interface Vlanif10
ip address 1.1.1.1 255.255.255.0
isis enable 1

#
interface Vlanif20
ip address 3.3.3.1 255.255.255.0
isis enable 1
isis cost 5
isis bfd enable
isis bfd min-tx-interval 100 min-rx-interval 100 detect-multiplier 4
#
interface GigabitEthernet0/0/1
port hybrid pvid vlan 10
port hybrid untagged vlan 10
#
interface GigabitEthernet0/0/2
port hybrid pvid vlan 20
port hybrid untagged vlan 20
#
return

l Configuration file of Switch B

#
sysname SwitchB
#
vlan batch 20 40 50
#
bfd
#
isis 1
is-level level-2
bfd all-interfaces enable
network-entity 10.0000.0000.0002.00
#
interface Vlanif50
ip address 2.2.2.2 255.255.255.0
isis enable 1
#
interface Vlanif20
ip address 3.3.3.2 255.255.255.0
isis enable 1
isis cost 5
isis bfd enable
isis bfd min-tx-interval 100 min-rx-interval 100 detect-multiplier 4
#
interface Vlanif40
ip address 172.16.1.1 255.255.255.0
isis enable 1
#
interface GigabitEthernet0/0/1
port hybrid pvid vlan 50
port hybrid untagged vlan 50
#
interface GigabitEthernet0/0/2
port hybrid pvid vlan 20
port hybrid untagged vlan 20
shutdown
#
interface GigabitEthernet0/0/3
port hybrid pvid vlan 40
port hybrid untagged vlan 40
#
return

l Configuration file of Switch C

#
sysname SwitchC
#
vlan batch 10 50
#
bfd
#
isis 1

is-level level-2
bfd all-interfaces enable
network-entity 10.0000.0000.0003.00
#
interface Vlanif10
ip address 1.1.1.2 255.255.255.0
isis enable 1
#
interface Vlanif50
ip address 2.2.2.1 255.255.255.0
isis enable 1
#
interface GigabitEthernet0/0/1
port hybrid pvid vlan 10
port hybrid untagged vlan 10
#
interface GigabitEthernet0/0/2
port hybrid pvid vlan 50
port hybrid untagged vlan 50
#
return

5.5 BGP Configuration


BGP is used between ASs to transmit routing information on large-scale and complex networks.

5.5.1 BGP Overview


BGP is mainly used to control route transmission and select the optimal route.
The Border Gateway Protocol (BGP) is a dynamic routing protocol used between Autonomous
Systems (ASs). BGP-1 (defined in RFC 1105), BGP-2 (defined in RFC 1163), and BGP-3
(defined in RFC 1267) are three earlier-released versions of BGP. The current BGP version is
BGP-4 defined in RFC 4271.
As an exterior routing protocol on the Internet, BGP is widely used among Internet Service
Providers (ISPs).
NOTE

Unless otherwise stated, BGP stated in this document refers to BGP-4.

Characteristics of BGP are as follows:
l Different from the Internal Gateway Protocol (IGP) such as the Open Shortest Path First (OSPF) and Routing Information Protocol (RIP), BGP is an Exterior Gateway Protocol (EGP), which controls route advertisement and selects the optimal route between ASs rather than discovering or calculating routes.
l BGP uses the Transport Control Protocol (TCP) with the port number being 179 as the transport layer protocol. The reliability of BGP is thus enhanced.
l BGP supports Classless Inter-Domain Routing (CIDR).
l BGP transmits only the updated routes when routes are being updated. This reduces the bandwidth occupied by BGP for route distribution. Therefore, BGP is applicable to the Internet where a large number of routes are transmitted.
l BGP eliminates routing loops by adding AS path information to BGP routes.
l BGP provides rich routing policies to flexibly select and filter routes.
l BGP can be easily extended and adapt to the development of networks.

BGP runs on the Switch in either of the following modes:


l Internal BGP (IBGP)
l External BGP (EBGP)

When BGP runs within an AS, it is called IBGP. When BGP runs between ASs, it is called
EBGP.

5.5.2 BGP Features Supported by the AC6605


The system supports various BGP features, including route summarization, peer group, route
reflector, confederation, community, MP-BGP, BGP Tracking, route dampening, load
balancing, BGP next hop delayed response, BFD for BGP and BGP security.

Main Route Attributes
l Origin attribute
l AS_Path attribute
l Next_Hop attribute
l Multi-Exit-Discriminator (MED) attribute
l Local_Pref attribute
l Community attribute

Principles of Route Selection


On the AC6605, when there are multiple active routes to the same destination, BGP selects routes
according to the following principles:
1. Prefers the route with the highest PrefVal.
   PrefVal is a Huawei-specific parameter. It is valid only on the device where it is configured.
2. Prefers the route with the highest Local_Pref.
   A route without Local_Pref is considered to have had the value set by using the default local-preference command or to have a value of 100 by default.
3. Prefers a locally originated route. A locally originated route takes precedence over a route learned from a peer.
   Locally originated routes include routes imported by using the network command or the import-route command, manually aggregated routes, and automatically summarized routes.
   a. A summarized route is preferred. A summarized route takes precedence over a non-summarized route.
   b. A route obtained by using the aggregate command is preferred over a route obtained by using the summary automatic command.
   c. A route imported by using the network command is preferred over a route imported by using the import-route command.
4. Prefers the route with the shortest AS_Path.
   l The AS_CONFED_SEQUENCE and AS_CONFED_SET are not included in the AS_Path length.
   l An AS_SET counts as 1, no matter how many ASs are in the set.
   l After the bestroute as-path-ignore command is run, the AS_Path attributes of routes are not compared in the route selection process.

5. Prefers the route with the highest Origin type. IGP is higher than EGP, and EGP is higher than Incomplete.
6. Prefers the route with the lowest Multi Exit Discriminator (MED).
   l The MEDs of only routes from the same AS but not a confederation sub-AS are compared. MEDs of two routes are compared only when the first AS number in the AS_SEQUENCE (excluding AS_CONFED_SEQUENCE) is the same for the two routes.
   l A route without any MED is assigned a MED of 0, unless the bestroute med-none-as-maximum command is run. If the bestroute med-none-as-maximum command is run, the route is assigned the highest MED of 4294967295.
   l After the compare-different-as-med command is run, the MEDs in routes sent from peers in different ASs are compared. Do not use this command unless it is confirmed that different ASs use the same IGP and route selection mode. Otherwise, a loop may occur.
   l If the bestroute med-confederation command is run, MEDs are compared for routes that consist only of AS_CONFED_SEQUENCE. The first AS number in the AS_CONFED_SEQUENCE must be the same for the routes.
   l After the deterministic-med command is run, routes are not selected in the sequence in which routes are received.
7. Prefers EBGP routes over IBGP routes.
   EBGP is higher than IBGP, IBGP is higher than LocalCross, and LocalCross is higher than RemoteCross.
   If the ERT of a VPNv4 route in the routing table of a VPN instance on a PE matches the IRT of another VPN instance on the PE, the VPNv4 route will be added to the routing table of the second VPN instance. This is called LocalCross. If the ERT of a VPNv4 route from a remote PE is learned by the local PE and matches the IRT of a VPN instance on the local PE, the VPNv4 route will be added to the routing table of that VPN instance. This is called RemoteCross.
8. Prefers the route with the lowest IGP metric to the BGP next hop.
   NOTE
   Assume that load balancing is configured. If the preceding rules are the same and there are multiple external routes with the same AS_Path, load balancing will be performed based on the number of configured routes.
9. Prefers the route with the shortest Cluster_List.
10. Prefers the route advertised by the Switch with the smallest router ID.
   NOTE
   If routes carry the Originator_ID, the originator ID is substituted for the router ID during route selection. The route with the smallest Originator_ID is preferred.
11. Prefers the route learned from the peer with the smallest address if the IP addresses of peers are compared in the route selection process.
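The eleven rules above, as an added example that is not from the guide: a Python model of the comparison order, in which the bestroute as-path-ignore, bestroute med-none-as-maximum and compare-different-as-med commands appear as keyword flags. The deterministic-med and bestroute med-confederation behaviours are not modelled, the Route fields and rank tables are this example's own, and the candidate routes are constructed to show that rule 4 (AS_Path) and rule 5 (Origin) are decided before rule 7 (EBGP over IBGP).

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# Rank tables for rules 3, 5 and 7: a lower rank wins.
LOCAL_RANK = {"aggregate": 0, "summary": 1, "network": 2, "import": 3, "peer": 4}
ORIGIN_RANK = {"igp": 0, "egp": 1, "incomplete": 2}
SOURCE_RANK = {"ebgp": 0, "ibgp": 1, "localcross": 2, "remotecross": 3}
MED_MAX = 4294967295  # MED assigned to MED-less routes under med-none-as-maximum

# An AS_Path is a tuple of segments: (kind, ASNs) with kind in
# "seq", "set", "confed_seq", "confed_set".
AsPath = Tuple[Tuple[str, Tuple[int, ...]], ...]


@dataclass(frozen=True)
class Route:
    prefix: str
    peer_addr: str                    # address of the peer the route came from
    router_id: str                    # router ID of the advertising peer
    source: str = "ibgp"              # ebgp / ibgp / localcross / remotecross
    origin_kind: str = "peer"         # aggregate / summary / network / import / peer
    pref_val: int = 0
    local_pref: Optional[int] = None  # None: attribute absent, treated as 100
    as_path: AsPath = ()
    origin: str = "igp"
    med: Optional[int] = None         # None: attribute absent
    igp_metric: int = 0               # IGP metric to the BGP next hop
    cluster_list: Tuple[str, ...] = ()
    originator_id: Optional[str] = None


def as_path_length(path: AsPath) -> int:
    """Rule 4: each AS of a sequence counts 1, a whole AS_SET counts 1,
    confederation segments do not count."""
    return sum(len(ases) if kind == "seq" else 1
               for kind, ases in path if kind in ("seq", "set"))


def first_as(path: AsPath) -> Optional[int]:
    """First AS of the AS_SEQUENCE, ignoring confederation segments (rule 6)."""
    for kind, ases in path:
        if kind == "seq" and ases:
            return ases[0]
    return None


def ip_key(addr: str) -> Tuple[int, ...]:
    return tuple(int(octet) for octet in addr.split("."))


def best_route(candidates, as_path_ignore=False, med_none_as_maximum=False,
               compare_different_as_med=False) -> Route:
    """Fold the candidates with a pairwise comparison that applies the rules in
    order and stops at the first rule that separates the two routes."""

    def med(r: Route) -> int:
        if r.med is None:
            return MED_MAX if med_none_as_maximum else 0
        return r.med

    def a_beats_b(a: Route, b: Route) -> bool:
        if a.pref_val != b.pref_val:                                    # rule 1
            return a.pref_val > b.pref_val
        lp_a = 100 if a.local_pref is None else a.local_pref            # rule 2
        lp_b = 100 if b.local_pref is None else b.local_pref
        if lp_a != lp_b:
            return lp_a > lp_b
        if LOCAL_RANK[a.origin_kind] != LOCAL_RANK[b.origin_kind]:      # rule 3
            return LOCAL_RANK[a.origin_kind] < LOCAL_RANK[b.origin_kind]
        if not as_path_ignore:                                          # rule 4
            len_a, len_b = as_path_length(a.as_path), as_path_length(b.as_path)
            if len_a != len_b:
                return len_a < len_b
        if ORIGIN_RANK[a.origin] != ORIGIN_RANK[b.origin]:              # rule 5
            return ORIGIN_RANK[a.origin] < ORIGIN_RANK[b.origin]
        if compare_different_as_med or first_as(a.as_path) == first_as(b.as_path):
            if med(a) != med(b):                                        # rule 6
                return med(a) < med(b)
        if SOURCE_RANK[a.source] != SOURCE_RANK[b.source]:              # rule 7
            return SOURCE_RANK[a.source] < SOURCE_RANK[b.source]
        if a.igp_metric != b.igp_metric:                                # rule 8
            return a.igp_metric < b.igp_metric
        if len(a.cluster_list) != len(b.cluster_list):                  # rule 9
            return len(a.cluster_list) < len(b.cluster_list)
        id_a = ip_key(a.originator_id or a.router_id)                   # rule 10
        id_b = ip_key(b.originator_id or b.router_id)
        if id_a != id_b:
            return id_a < id_b
        return ip_key(a.peer_addr) < ip_key(b.peer_addr)                # rule 11

    best = candidates[0]
    for route in candidates[1:]:
        if a_beats_b(route, best):
            best = route
    return best


# Constructed candidates for one prefix: R1 from an EBGP peer with a two-AS path,
# R2 from an IBGP peer with a one-AS path, R3 from an EBGP peer with origin Incomplete.
R1 = Route("10.0.0.0/8", "192.0.2.1", "192.0.2.1", source="ebgp",
           as_path=(("seq", (65001, 65002)),))
R2 = Route("10.0.0.0/8", "10.0.0.2", "10.0.0.2", source="ibgp",
           as_path=(("seq", (65003,)),))
R3 = Route("10.0.0.0/8", "192.0.2.9", "192.0.2.9", source="ebgp",
           as_path=(("seq", (65003,)),), origin="incomplete")
CANDIDATES = (R1, R2, R3)

if __name__ == "__main__":
    print("default:", best_route(CANDIDATES).peer_addr)                        # 10.0.0.2
    print("as-path-ignore:", best_route(CANDIDATES, as_path_ignore=True).peer_addr)  # 192.0.2.1
```

With the default rules the IBGP route R2 wins: R1 loses on AS_Path length and R3 on Origin before the EBGP-over-IBGP rule is reached; with as-path-ignore set, R1 wins on rule 7.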

Policies for BGP Route Advertisement


On the AC6605, BGP advertises routes based on the following policies:
l When there are multiple active routes, the BGP speaker advertises only the optimal route to its peer.
l The BGP speaker advertises only the preferred routes to its peer.
l The BGP speaker advertises the routes learned from EBGP peers to all BGP peers (including EBGP peers and IBGP peers) except the peers that advertise these routes.
l The BGP speaker does not advertise the routes learned from IBGP peers to its IBGP peers.
l The BGP speaker advertises the routes learned from IBGP peers to its EBGP peers.
l The BGP speaker advertises all preferred BGP routes to the new peers when peer relationships are established.

Routing Selection Policies for Load Balancing


In BGP, the next-hop address of a generated route may not be the address of the peer that is
directly connected to the local Switch. One common scenario is that the next hop is not changed
when a route is advertised between IBGP peers. Therefore, before forwarding a packet, the
Switch must find a directly reachable address, through which the packet can reach the next hop
specified in the routing table. In this process, the route to the directly reachable address is called
a dependent route. BGP routes depend on these dependent routes for packet forwarding. The
process of finding a dependent route based on the next-hop address is called route iteration.
The AC6605 supports iteration-based BGP load balancing. If load balancing is configured for
a dependent route (assume that there are three next-hop addresses), BGP generates the same
number of next-hop addresses to forward packets. BGP load balancing based on iteration does
not need to be configured by using commands. This feature is always enabled on the AC6605.
BGP load balancing is different from IGP load balancing in the following implementation
methods:
l In IGPs, if there are different routes to the same destination address, an IGP calculates metrics of these routes based on its own routing algorithm and performs load balancing among the routes with the same metric.
l BGP does not have a routing algorithm. Therefore, BGP cannot determine whether to perform load balancing among routes based on explicit metrics. BGP, however, contains many route attributes, which have different priorities in route selection policies. Therefore, BGP performs load balancing according to route selection policies. That is, load balancing is performed according to the configured maximum number of equal-cost routes only when all the routes have the same high preference.
NOTE
l By default, BGP performs load balancing only among the routes with the same AS_Path attribute. You can use the bestroute as-path-ignore command to configure BGP not to compare the AS_Path attribute of routes when performing load balancing.
l BGP load balancing is also applicable between ASs in a confederation.

Route Summarization
On a large-scale network, the BGP routing table is large. You can configure route summarization
to reduce the size of the routing table.
Route summarization is the process of consolidating multiple routes into one single
advertisement. After route summarization is configured, BGP advertises only the summarized
route rather than all specific routes to its peers.
The AC6605 supports automatic summarization and manual summarization. Manual
summarization can be used to control attributes of the summarized route and determine whether
to advertise its specific routes.
Synchronization Between IBGP and IGP


Synchronization between IBGP and IGP is a method of preventing external routes from being
imported by error.
If the synchronization function is configured, the IGP routing table is examined before an IBGP
route is added to the routing table and advertised to EBGP peers. The IBGP route is added to
the routing table and advertised to EBGP peers only when the IGP knows this IBGP route.
The synchronization function can be disabled in the following situations:
l The local AS is not a transit AS.
l Full-mesh IBGP connections are established between all Switches in the local AS.
NOTE
In the AC6605, the synchronization function is disabled by default.

Peer Group
A peer group is a group of peers with the same policies. After a peer is added to a peer group,
it inherits the configurations of this peer group. When the configurations of the peer group are
changed, the configurations of peers in the peer group are changed accordingly.
On a large-scale BGP network, there are a large number of peers and most of them have the
same policies. To configure these peers, you have to repeatedly use some commands. In such a
case, you can simplify configurations by using the peer group.
Adding many peers to a peer group also speeds up route advertisement.

Route Reflector
To ensure the routing synchronization between IBGP peers, you need to establish full-mesh
connections between the IBGP peers. If there are n Switches in an AS, n (n-1)/2 IBGP connections
need to be established. When there are a large number of IBGP peers, network resources and
CPU resources are greatly consumed.
To solve this problem, route reflection is introduced. In an AS, one Switch functions as a route
reflector (RR) and other Switches serve as the clients of the RR. The clients establish IBGP
connections with the RR. The RR transmits or reflects routes among clients, and the clients do
not need to establish BGP connections with each other.
A BGP Switch that is neither an RR nor a client is a non-client. Full-mesh connections must be
established between non-clients and an RR, and between all non-clients.

Confederation
Confederation is another method of dealing with increasing IBGP connections in an AS. It
divides an AS into several sub-ASs. IBGP connections are established between IBGP peers
within each sub-AS, and EBGP connections are established between sub-ASs.
For BGP speakers outside a confederation, sub-ASs in the same confederation are invisible.
External devices do not need to know the topology of each sub-AS. The confederation ID is the
AS number that is used to identify the entire confederation.
The confederation has disadvantages. That is, if a Switch needs to be reconfigured in a
confederation, the logical topology changes accordingly.
On a large-scale BGP network, the RR and confederation can be used together.

Community
The community attribute is a route attribute. It is transmitted between BGP peers and is not
restricted by the AS. A peer group allows a group of peers to share the same policies, whereas
the community allows a group of BGP routers in multiple ASs to share the same policies.
Before a BGP Switch advertises the route with the community attribute to other peers, it can
change the community attribute of this route.
Besides well-known communities, you can use a community filter to filter self-defined extended
community attributes to control routing policies in a more flexible manner.

Introduction to MP-BGP
Traditional BGP-4 manages only IPv4 unicast routing information and has limitations in inter-AS routing when used in the applications of other network layer protocols.
To support multiple network layer protocols, the Internet Engineering Task Force (IETF) extends
BGP-4 to Multiprotocol Extensions for BGP-4 (MP-BGP). The current MP-BGP standard is
RFC 2858 (Multiprotocol Extensions for BGP-4).
MP-BGP is forward compatible. That is, the Switches that support MP-BGP can communicate
with the Switches that do not support MP-BGP.

Extended Attributes of MP-BGP


Among BGP-4 packets, an Update packet carries three IPv4-related attributes: Network Layer
Reachability Information (NLRI), Next_Hop, and Aggregator. The Aggregator attribute
contains the IP address of the BGP speaker that performs route summarization.
To support multiple types of network layer protocols, BGP-4 needs to carry network layer
protocol information in the NLRI attribute and Next_Hop attribute. MP-BGP introduces two
new route attributes:
l Multiprotocol Reachable NLRI (MP_REACH_NLRI): It is used to advertise reachable routes and next hops.
l Multiprotocol Unreachable NLRI (MP_UNREACH_NLRI): It is used to withdraw unreachable routes.

The two new attributes are optional non-transitive. Therefore, the BGP speakers that do not
support the multiprotocol capability ignore the two attributes and do not advertise the
information to peers.

Address Family
BGP uses address families to distinguish different network layer protocols. For the values of
address families, see RFC 1700 (Assigned Numbers). The AC6605 supports multiple MP-BGP
extensions, such as VPN extension, which are configured in their respective address family
views.

NOTE

This chapter does not describe the commands related to a specific application in the MP-BGP address
family view.
For the configuration in the BGP VPNv4 address family view, BGP VPN instance address family view,
and BGP L2VPN address family view, see the AC6605 Access Controller Configuration Guide - VPN.

BGP Tracking
BGP tracking speeds up network convergence by adjusting the interval between peer
unreachability discovery and connection interruption. It is easy to deploy and has good
extensibility.

Route Dampening
Route dampening is a method of suppressing route instability. Route instability shows up as route
flapping, that is, a route in the routing table disappears and reappears repeatedly. Each time a
route flaps, the routing protocol sends an Update message to its peers, and the peers recalculate
routes and modify their routing tables. Frequent route flapping consumes a lot of bandwidth and CPU
resources and can even disrupt the normal operation of the network.
BGP is usually deployed on complex networks where routes change frequently. To limit the impact of
frequent route flapping, BGP suppresses unstable routes by using route dampening.

BGP Next Hop Delayed Response


BGP next hop delayed response can be used to speed up BGP route convergence and minimize
traffic loss when the upstream path of a PE connected to an RR changes.

BFD for BGP


The AC6605 supports Bidirectional Forwarding Detection (BFD) in IPv4 to provide fast link
failure detection for BGP peer relationship.
BFD can rapidly detect faults on the links between BGP peers and report the faults to BGP, thus
implementing fast convergence of BGP routes.

BGP Security
- The AC6605 authenticates BGP peers by using MD5 and Key-Chain, preventing packet spoofing and
  unauthorized modification of BGP packets. The key must be configured identically on both peers;
  use a separate key per peer and rotate it with a key chain rather than sharing one static key.
- Generalized TTL Security Mechanism (GTSM) checks whether the TTL value in the IP header of a
  received BGP packet is within a specified range and discards packets outside that range, so that
  packets from distant, spoofed sources are dropped before they reach BGP.
- The number of routes received from a BGP peer is limited to prevent resource exhaustion. See
  Configuring to Control the Acceptance of BGP Routing Information.
- The lengths of AS paths are limited on the inbound and outbound interfaces, and routes whose
  AS_Path exceeds the limit are discarded. See Configuring AS_Path Attributes for Routes.

5.5.3 Configuring Basic BGP Functions


Configuring basic BGP functions is the prerequisite to building a BGP network.

Establishing the Configuration Task


Basic BGP functions must be configured first when you build up a BGP network.

Applicable Environment
BGP can be configured on a network to implement communication among ASs. This section
describes how to configure basic BGP functions.
Because BGP runs over TCP, you must specify the IP address of the peer when configuring BGP. A BGP
peer need not be a directly connected Switch; a BGP peer relationship can also be established over
a logical path that spans several hops. Loopback interface addresses are usually used to establish
BGP connections, because a loopback interface does not go down with a single physical link.
Configuring basic BGP functions includes the following steps:
- Start the BGP process. This step is a prerequisite for configuring basic BGP functions.
- Establish BGP peer relationships. Devices can exchange BGP routing information only after they
  are configured as peers and the peer relationship is established.
- Import routes. BGP itself cannot discover routes. Instead, it imports routes discovered by other
  protocols to implement communication between ASs.
NOTE

The commands in the BGP-IPv4 unicast address family view can be run in the BGP view. These commands
are described in the BGP-IPv4 unicast address family view in configuration files.

Pre-configuration Tasks
Before configuring basic BGP functions, complete the following task:
- Configuring link layer protocol parameters and IP addresses for interfaces to ensure that the
  link layer protocol on the interfaces is Up

Data Preparation
To configure basic BGP functions, you need the following data:
- Local AS number and router ID
- IPv4 address and AS number of each peer
- Interface from which Update messages are sent (the source interface of the TCP connection)

Starting a BGP Process


Starting a BGP process is a prerequisite for configuring basic BGP functions. When starting a
BGP process on a device, specify the number of the AS to which the device belongs.

Context
Do as follows on the Switch where a BGP connection needs to be established:

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
bgp as-number

BGP is enabled with the specified local AS number, and the BGP view is displayed.

Step 3 (Optional) Run:
router-id ipv4-address

A router ID is set.
Configuring or changing the BGP router ID resets the BGP peer relationships of the Switch.
NOTE
To enhance network reliability, configuring a loopback interface address as the router ID is
recommended.
If no router ID is set, BGP uses the router ID selected in the system view. For the rule for
selecting a router ID in the system view, see the router-id command.

----End

Configuring BGP Peers


Two devices can exchange BGP routing information only after they are configured as peers and
establish a peer relationship.

Context
Because BGP runs over TCP, you must specify the IP addresses of peers when configuring BGP. Two
BGP peers need not be directly connected; they can establish a peer relationship over a logical
path of several hops. Using loopback interface addresses to set up BGP peer relationships improves
the stability of BGP connections and is therefore recommended.
IBGP peer relationships are established between devices within an AS. EBGP peer relationships are
established between devices in different ASs.

Procedure
- Configure an IBGP peer.
  1. Run:
     system-view
     The system view is displayed.
  2. Run:
     bgp as-number
     The BGP view is displayed.
  3. Run:
     peer ipv4-address as-number as-number

     The IP address of a peer and the number of the AS where the peer resides are specified.
     For an IBGP peer, this AS number must be the same as the local AS number.
     The IP address of the specified peer can be one of the following:
     - IP address of an interface on a directly connected peer
     - IP address of a loopback interface on a reachable peer
     - IP address of a sub-interface on a directly connected peer
  4. Run:
     peer ipv4-address connect-interface interface-type interface-number [ ipv4-source-address ]
     The source interface and source address for the TCP connection are specified.
     By default, BGP uses the physical interface directly connected to the peer as the local
     interface of the TCP connection.
     NOTE
     When loopback interfaces are used to establish a BGP connection, run the peer
     connect-interface command at both ends of the connection. If the command is run on only one
     end, the source address of the TCP connection does not match the peer address configured on
     the other end, and the BGP connection may fail to be established.
  5. (Optional) Run:
     peer ipv4-address description description-text
     A description is configured for the peer, which simplifies network management.
- Configure an EBGP peer.
  1. Run:
     system-view
     The system view is displayed.
  2. Run:
     bgp as-number
     The BGP view is displayed.
  3. Run:
     peer ipv4-address as-number as-number
     The IP address of a peer and the number of the AS where the peer resides are specified.
     For an EBGP peer, this AS number must be different from the local AS number.
     The IP address of the specified peer can be one of the following:
     - IP address of an interface on a directly connected peer
     - IP address of a loopback interface on a reachable peer
     - IP address of a sub-interface on a directly connected peer
  4. (Optional) Run:
     peer ipv4-address connect-interface interface-type interface-number [ ipv4-source-address ]

     The source interface and source address for the TCP connection are specified.
     By default, BGP uses the physical interface directly connected to the peer as the local
     interface of the TCP connection.
     NOTE
     When loopback interfaces are used to establish a BGP connection, run the peer
     connect-interface command at both ends of the connection. If the command is run on only one
     end, the BGP connection may fail to be established.
  5. (Optional) Run:
     peer ipv4-address ebgp-max-hop [ hop-count ]
     The maximum number of hops for establishing an EBGP connection is configured. The default
     value of hop-count is 255.
     By default, EBGP peers must be directly connected. If no direct link exists, the peer
     ebgp-max-hop command must be used to allow the EBGP peers to establish a TCP connection over
     multiple hops. Set hop-count to the real length of the path rather than leaving the default
     of 255, so that a session cannot be set up from an unexpected location.
     NOTE
     If loopback interfaces are used to establish an EBGP peer relationship, the peer
     ebgp-max-hop command (hop-count 2) must be run. Otherwise, the peer relationship cannot be
     established.
  6. (Optional) Run:
     peer ipv4-address description description-text
     A description is configured for the peer, which simplifies network management.
----End

Configuring BGP to Import Routes


BGP can import routes from other protocols. When routes are imported from a dynamic routing
protocol, the process ID of that protocol must be specified.

Context
BGP itself cannot discover routes. Instead, it imports routes discovered by other protocols, such
as an IGP, or static routes, into the BGP routing table. These imported routes are then
transmitted within an AS or between ASs.
BGP can import routes in either Import or Network mode:
- In Import mode, BGP imports routes by routing protocol. RIP routes, OSPF routes, IS-IS routes,
  static routes, or direct routes can be imported into the BGP routing table.
- In Network mode, routes with the specified prefix and mask are imported into the BGP routing
  table. Compared with Import mode, Network mode is more precise because it selects individual
  routes rather than every route of a protocol.


Procedure
- Configure BGP to import routes in Import mode.
  1. Run:
     system-view
     The system view is displayed.
  2. Run:
     bgp as-number
     The BGP view is displayed.
  3. (Optional) Run:
     ipv4-family unicast
     The BGP-IPv4 unicast address family view is displayed. By default, the BGP-IPv4 unicast
     address family view is displayed.
  4. Run:
     import-route protocol [ process-id ] [ med med | route-policy route-policy-name ] *
     BGP is configured to import routes from other protocols.
     The med parameter sets the MED value of the imported routes; the EBGP peer selects the route
     with the smallest MED for traffic entering an AS. The route-policy route-policy-name
     parameter filters the routes imported from other protocols.
     NOTE
     The process ID of the routing protocol must be specified if IS-IS, OSPF, or RIP routes are
     to be imported.
  5. (Optional) Run:
     default-route imported
     BGP is configured to import default routes.
     To import default routes, run both the default-route imported command and the import-route
     command. If only the import-route command is used, no default route is imported. The
     default-route imported command imports only default routes that already exist in the local
     routing table.
- Configure BGP to import routes in Network mode.
  1. Run:
     system-view
     The system view is displayed.
  2. Run:
     bgp as-number
     The BGP view is displayed.
  3. (Optional) Run:
     ipv4-family unicast
     The BGP-IPv4 unicast address family view is displayed.

     By default, the BGP-IPv4 unicast address family view is displayed.
  4. Run:
     network ipv4-address [ mask | mask-length ] [ route-policy route-policy-name ]
     BGP is configured to advertise a local route.
     If no mask or mask length is specified, the IP address is processed as a classful address.
     The route to be advertised must exist in the local IP routing table. A route-policy can be
     used to control the advertised routes more flexibly.
     NOTE
     - The destination address and mask specified in the network command must match those of the
       corresponding entry in the local IP routing table. Otherwise, the route is not advertised.
     - When using the undo network command to clear an existing configuration, specify the same
       mask that was configured.
----End

Checking the Configuration


After basic BGP functions are configured, you can view information about BGP peers and BGP
routes.

Prerequisites
The configurations of basic BGP functions are complete.

Procedure
- Run the display bgp peer [ verbose ] command to check information about all BGP peers.
- Run the display bgp peer ipv4-address { log-info | verbose } command to check log information
  or detailed information about a specified BGP peer.
- Run the display bgp routing-table [ ipv4-address [ mask | mask-length ] ] command to check BGP
  routes.
----End
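The following configuration is added here as a worked example; it is not taken from the original guide. It strings the steps of this section together on one Switch and also applies the peer protections listed under BGP Security. SwitchA (AS 64496, a number from the documentation range reserved by RFC 5398), its IBGP peer SwitchB (2.2.2.2), its EBGP peer RouterC (3.3.3.3 in AS 100, two hops away), the prefix 10.1.0.0/16, OSPF process 1, and the keys are all assumptions. The peer password, peer valid-ttl-hops, and peer route-limit commands are not described in this section; they are taken from the VRP BGP command set (the route limit is covered in Configuring to Control the Acceptance of BGP Routing Information) and should be checked against the command reference of the release in use.

```vrp
# SwitchA: AS 64496, LoopBack0 = 1.1.1.1 (assumed). The loopbacks of SwitchB (2.2.2.2) and
# RouterC (3.3.3.3) must already be reachable through the IGP or static routes (not shown).
<SwitchA> system-view
[SwitchA] interface LoopBack 0
[SwitchA-LoopBack0] ip address 1.1.1.1 32
[SwitchA-LoopBack0] quit
# Start the BGP process; pin the router ID to the loopback so it does not change with link state
[SwitchA] bgp 64496
[SwitchA-bgp] router-id 1.1.1.1
# IBGP peer: same AS number; source the TCP session from LoopBack0 (required on both ends)
[SwitchA-bgp] peer 2.2.2.2 as-number 64496
[SwitchA-bgp] peer 2.2.2.2 connect-interface LoopBack0
[SwitchA-bgp] peer 2.2.2.2 description IBGP-SwitchB
# EBGP peer over loopbacks: different AS, connect-interface plus ebgp-max-hop 2
# (the real hop count, not the default of 255)
[SwitchA-bgp] peer 3.3.3.3 as-number 100
[SwitchA-bgp] peer 3.3.3.3 connect-interface LoopBack0
[SwitchA-bgp] peer 3.3.3.3 ebgp-max-hop 2
[SwitchA-bgp] peer 3.3.3.3 description EBGP-RouterC-AS100
# BGP Security: MD5 on both TCP sessions (a different key per peer; values assumed), and
# GTSM on the EBGP session so that only packets whose TTL is within 2 hops of 255 are accepted
[SwitchA-bgp] peer 2.2.2.2 password cipher Ibgp-Key-Assumed
[SwitchA-bgp] peer 3.3.3.3 password cipher Ebgp-Key-Assumed
[SwitchA-bgp] peer 3.3.3.3 valid-ttl-hops 2
[SwitchA-bgp] ipv4-family unicast
# Import mode: OSPF process 1 (the process ID is mandatory for OSPF, IS-IS and RIP)
[SwitchA-bgp-af-ipv4] import-route ospf 1
# Network mode: 10.1.0.0/16 must exist in the IP routing table with exactly this mask
[SwitchA-bgp-af-ipv4] network 10.1.0.0 16
# Cap the routes accepted from the EBGP peer (assumed command): raise an alarm, keep the session up
[SwitchA-bgp-af-ipv4] peer 3.3.3.3 route-limit 1000 alert-only
[SwitchA-bgp-af-ipv4] quit
[SwitchA-bgp] quit
# Check: both peers should reach the Established state, and 10.1.0.0/16 plus the OSPF routes
# should appear in the BGP routing table
[SwitchA] display bgp peer
[SwitchA] display bgp peer 3.3.3.3 verbose
[SwitchA] display bgp routing-table
```

RouterC needs the mirror image: peer 1.1.1.1 as-number 64496, connect-interface on its own loopback, ebgp-max-hop 2, the same MD5 key, and the same GTSM hop count; SwitchB needs the matching connect-interface and key. A key or hop-count mismatch leaves the session in the Idle or Active state in display bgp peer, which is the first thing to check when a peer does not come up.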

5.5.4 Configuring BGP Route Attributes


BGP has many route attributes. Configuring route attributes can change route selection results.

Establishing the Configuration Task


Before configuring BGP route attributes, familiarize yourself with the applicable environment,
complete the pre-configuration tasks, and obtain the data required for the configuration. This
will help you complete the configuration task quickly and accurately.

Applicable Environment
BGP has many route attributes. You can change route selection results by configuring attributes
for routes. Route attributes are listed as follows:

- BGP preference
  Setting the BGP preference affects route selection between BGP routes and the routes of other
  routing protocols.
- Preferred value
  After preferred values are set for BGP routes, the route with the greatest preferred value is
  preferred when multiple routes to the same destination exist in the BGP routing table.
- Local_Pref
  The Local_Pref attribute has the same function as the preferred value of a route. If both are
  configured for a BGP route, the preferred value takes precedence over the Local_Pref attribute.
- MED
  The MED attribute is used to determine the optimal route for traffic that enters an AS. The
  route with the smallest MED value is selected as the optimal route if the other attributes of
  the routes are the same.
- Next_Hop
  BGP route selection can be flexibly controlled by changing the Next_Hop attribute of routes.
- AS_Path
  The AS_Path attribute is used to prevent routing loops and control route selection.

Pre-configuration Tasks
Before configuring BGP route attributes, complete the following tasks:
- Configuring IP addresses for interfaces to ensure IP connectivity between neighboring nodes
- Configuring Basic BGP Functions

Data Preparation
To configure BGP route attributes, you need the following data:
- AS number
- BGP preference value
- Local_Pref value
- MED value

Configuring the BGP Preference


Setting the BGP preference can affect route selection between BGP routes and other routing
protocols' routes.

Context
Multiple dynamic routing protocols can be run on a device at the same time. In this case, there
is a problem of route sharing and selecting among routing protocols. To address this problem,

the system sets a default preference for each routing protocol. If different protocols have routes
to the same destination, the protocol with the highest preference is selected to forward IP packets.
Perform the following steps on a device running BGP.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
bgp as-number

The BGP view is displayed.

Step 3 Run:
ipv4-family unicast

The IPv4 unicast address family view is displayed.

Step 4 Run:
preference { external internal local | route-policy route-policy-name }

The BGP preference is set.
The smaller the preference value, the higher the preference.
BGP has the following types of routes:
- EBGP routes learned from peers in other ASs
- IBGP routes learned from peers in the same AS
- Locally originated routes (routes summarized by the summary automatic command or the aggregate
  command)
Different preference values can be set for these three types of routes.
A route-policy can also be used to set the preference of the routes that match the policy. Routes
that do not match the policy use the default preference.
NOTE
At present, the peer route-policy command cannot be used to set the BGP preference.

----End

Configuring Preferred Values for BGP Routes


After preferred values are set for BGP routes, the route with the greatest value is preferred when
multiple routes to the same destination exist in the BGP routing table.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
bgp as-number

The BGP view is displayed.

Step 3 Run:
peer { group-name | ipv4-address } preferred-value value

A preferred value is set for all routes learned from the specified peer or peer group.
The preferred value of a route learned from a peer defaults to 0.
If there are multiple routes to the same address prefix, the route with the highest preferred
value is preferred.
----End

Configuring a Default Local_Pref Attribute for a Device


The Local_Pref attribute is used to determine the optimal route for traffic that leaves an AS.

Context
The Local_Pref attribute is used to determine the optimal route for traffic that leaves an AS. If
a BGP device obtains multiple routes from different IBGP peers and these routes have different
next hops to the same destination, the BGP device will select the route with the greatest
Local_Pref value.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
bgp as-number

The BGP view is displayed.

Step 3 Run:
ipv4-family unicast

The IPv4 unicast address family view is displayed.

Step 4 Run:
default local-preference preference

A default Local_Pref attribute is set for the local device.

----End

Configuring MED Attributes for BGP Routes


The MED attribute equals a metric used in an IGP. The MED attribute is used to determine the
optimal route for traffic that enters an AS. The route with the smallest MED value is selected as
the optimal route if the other attributes of the routes are the same.

Context
The MED attribute equals a metric used in an IGP, and is used to determine the optimal route
for traffic that enters an AS. If a BGP device obtains multiple routes from different EBGP peers
and these routes have different next hops to the same destination, the BGP device will select the
route with the smallest MED value.

Procedure
- Set the default MED value on a device.
  Perform the following steps on a BGP device:
  1. Run:
     system-view
     The system view is displayed.
  2. Run:
     bgp as-number
     The BGP view is displayed.
  3. Run:
     ipv4-family unicast
     The IPv4 unicast address family view is displayed.
  4. Run:
     default med med
     The default MED value is set.
     NOTE
     The default med command is valid only for routes imported using the import-route command
     and for BGP summarized routes on the local device.
- Compare the MED values of routes from different ASs.
  Perform the following steps on a BGP device:
  1. Run:
     system-view
     The system view is displayed.
  2. Run:
     bgp as-number
     The BGP view is displayed.
  3. Run:
     ipv4-family unicast
     The IPv4 unicast address family view is displayed.
  4. Run:
     compare-different-as-med
     The MED values of routes from different ASs are compared.

     By default, the BGP device compares the MED values only of routes from different peers in
     the same AS. This command enables the BGP device to compare the MED values of routes from
     different ASs. Enable it only if every neighboring AS assigns MED on the same scale, because
     MED values set independently by different ASs are not comparable.
- Configure how BGP handles a route that has no MED attribute during route selection.
  Perform the following steps on a BGP device:
  1. Run:
     system-view
     The system view is displayed.
  2. Run:
     bgp as-number
     The BGP view is displayed.
  3. Run:
     ipv4-family unicast
     The IPv4 unicast address family view is displayed.
  4. Run:
     bestroute med-none-as-maximum
     BGP treats a route that has no MED attribute as one with the maximum MED value when
     selecting the optimal route. If this command is not run, BGP uses 0, the most preferred
     MED, for a route that has no MED attribute, so a route whose MED is missing would win the
     comparison.
----End

Configuring Next_Hop Attributes for Routes


Setting Next_Hop attributes for routes flexibly controls BGP route selection.

Procedure
- Configure a device to change the next-hop address of a route when the device advertises the
  route to an IBGP peer.
  By default, a device does not change the next-hop address of a route learned from an EBGP peer
  when forwarding the route to IBGP peers. The next-hop address of such a route is the address of
  the EBGP peer. After the route is forwarded to IBGP peers, it cannot become active on them if
  that next hop is unreachable inside the AS. The ASBR must therefore be configured to change the
  next-hop address of the route to its own IP address before advertising the route to an IBGP
  peer. The route becomes active on the IBGP peer when the next hop is reachable.
  1. Run:
     system-view
     The system view is displayed.
  2. Run:
     bgp as-number

     The BGP view is displayed.
  3. Run:
     ipv4-family unicast
     The IPv4 unicast address family view is displayed.
  4. Run:
     peer { ipv4-address | group-name } next-hop-local
     The device is configured to change the next-hop address of a route to its own IP address
     before advertising the route to an IBGP peer.
     By default, a device does not change the next-hop address of a route when advertising the
     route to an IBGP peer.
     NOTE
     If BGP load balancing is configured, the local Switch changes the next-hop address of a
     route to its own IP address when advertising the route to IBGP peers or peer groups,
     regardless of whether the peer next-hop-local command is used.
- Prevent a device from changing the next-hop address of a route imported from an IGP when the
  device advertises the route to an IBGP peer.
  Perform the following steps on a Switch that runs BGP and has imported IGP routes:
  1. Run:
     system-view
     The system view is displayed.
  2. Run:
     bgp as-number
     The BGP view is displayed.
  3. Run:
     ipv4-family unicast
     The IPv4 unicast address family view is displayed.
  4. Run:
     peer { ipv4-address | group-name } next-hop-invariable
     The device is prevented from changing the next-hop address of a route imported from an IGP
     before advertising the route to an IBGP peer.
     By default, a device changes the next-hop address of a route imported from an IGP to the
     address of the interface connecting the device to its peer when advertising the route to an
     IBGP peer.
----End

Configuring AS_Path Attributes for Routes


The AS_Path attribute is used to prevent routing loops and control route selection.

Procedure
- Allow repeated local AS numbers.
  BGP uses AS numbers to detect routing loops. In Hub and Spoke networking, if EBGP runs between
  a Hub-PE and a Hub-CE, the route sent from the Hub-PE to the Hub-CE carries the AS number of the
  Hub-PE. When the Hub-CE sends an Update message containing the AS number of the Hub-PE back to
  the Hub-PE, the Hub-PE denies it.
  To ensure proper route transmission in Hub and Spoke networking, configure all the BGP peers on
  the path along which the Hub-CE advertises private network routes to the Spoke-CE to accept
  routes in which the local AS number repeats once.
  1. Run:
     system-view
     The system view is displayed.
  2. Run:
     bgp as-number
     The BGP view is displayed.
  3. Run:
     ipv4-family unicast
     The IPv4 unicast address family view is displayed.
  4. Run:
     peer { ipv4-address | group-name } allow-as-loop [ number ]
     The local AS number is allowed to repeat in the AS_Path attribute.
     Generally, a BGP device checks the AS_Path attribute of a route received from a peer. If the
     local AS number already exists in the AS_Path attribute, BGP ignores the route to avoid a
     routing loop.
     In some special applications, you can use the peer allow-as-loop command to allow the
     AS_Path attributes of routes received from the peer to contain the local AS number. You can
     also set the number of times the local AS number may be repeated; keep this number as small
     as the topology requires, because each permitted repetition weakens loop detection.
- Configure BGP not to compare AS_Path attributes of routes during route selection.
  Perform the following steps on a BGP device:
  1. Run:
     system-view
     The system view is displayed.
  2. Run:
     bgp as-number
     The BGP view is displayed.
  3. Run:
     ipv4-family unicast
     The IPv4 unicast address family view is displayed.
  4. Run:
     bestroute as-path-ignore
     BGP is configured to ignore AS_Path attributes of routes during route selection.
- Configure a fake AS number.
  Generally, a device supports only one BGP process and therefore only one AS number. If AS
  numbers need to be replaced during network migration, you can run the peer fake-as command to
  set a fake AS number for a specified peer to ensure smooth network migration.
  1. Run:
     system-view
     The system view is displayed.
  2. Run:
     bgp as-number
     The BGP view is displayed.
  3. Run:
     peer { ipv4-address | group-name } fake-as fake-as-number
     A fake AS number is configured.
     The peer fake-as command hides the actual AS number of a BGP device. EBGP peers in other ASs
     use the fake AS number of this device to set up EBGP peer relationships with it.
     NOTE
     This command can be used only on EBGP peers.
- Enable AS number replacement.
  Before advertising a route to a specified CE, a PE enabled with AS number replacement replaces
  the AS number of the CE in the AS_Path attribute of the route with the local AS number.
  CAUTION
  Exercise caution when running the peer substitute-as command, because improper use of this
  command may cause routing loops.
  1. Run:
     system-view
     The system view is displayed.
  2. Run:
     bgp as-number
     The BGP view is displayed.
  3. Run:
     ipv4-family vpn-instance vpn-instance-name
     The BGP-VPN instance IPv4 address family view is displayed.
  4. Run:
     peer { ipv4-address | group-name } substitute-as
     AS number replacement is enabled.
- Configure the AS_Path attribute to carry only public AS numbers.
  A route advertised by a BGP device to its peer usually carries an AS number. The AS number may
  be public or private. Public AS numbers can be used on the Internet. They are assigned and
  managed by the Internet Assigned Numbers Authority (IANA). Private AS numbers cannot be
  advertised to the Internet, and they are used only within ASs. If private
  AS numbers are advertised to the Internet, a routing loop may occur. To address this problem,
  you can run the peer public-as-only command to allow the AS_Path attribute to carry only public
  AS numbers.
  1. Run:
     system-view
     The system view is displayed.
  2. Run:
     bgp as-number
     The BGP view is displayed.
  3. Run:
     ipv4-family unicast
     The IPv4 unicast address family view is displayed.
  4. Run:
     peer { ipv4-address | group-name } public-as-only
     The AS_Path attribute is configured to carry only public AS numbers.
     An AS number ranges from 1 to 4294967295. A public AS number ranges from 1 to 64511 and from
     65536 (1.0 in the x.y format) to 4294967295 (65535.65535 in the x.y format). A private AS
     number ranges from 64512 to 65534. The AS number 65535 is reserved for particular use.
     These are the ranges this guide documents; RFC 6996 later reserved 4200000000 to 4294967294
     as private 4-byte AS numbers, so check whether the software release in use strips that range
     before relying on this command for 4-byte private AS numbers.
     The peer public-as-only command can be used only on EBGP peers.
----End

Checking the Configuration


After BGP route attributes are configured, you can view information about these route attributes.

Prerequisites
The BGP route attribute configuration is complete.

Procedure
- Run the display bgp paths [ as-regular-expression ] command to check information about AS_Path
  attributes of routes.
- Run the display bgp routing-table different-origin-as command to check information about
  routes that have the same destination address but different source AS numbers.
- Run the display bgp routing-table regular-expression as-regular-expression command to check
  information about routes matching a specified regular expression.
- Run the display bgp routing-table [ network [ { mask | mask-length } [ longer-prefixes ] ] ]
  command to check routing information in the BGP routing table.

----End
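The following is an added example, not part of the original guide, that applies the attributes configured in this section to one realistic policy on the same assumed SwitchA (AS 64496). It assumes two EBGP transit peers on directly connected links, 172.16.1.2 in AS 100 and 172.16.2.2 in AS 200, a customer CE 172.16.3.2 in private AS 65010, the IBGP peer SwitchB at 2.2.2.2 reached over loopbacks, and the VRP default protocol preferences (OSPF 10, BGP 255); all numeric values are illustrative.

```vrp
<SwitchA> system-view
[SwitchA] bgp 64496
# Peers (basic functions as in the previous section; directly connected EBGP peers need no ebgp-max-hop)
[SwitchA-bgp] peer 172.16.1.2 as-number 100
[SwitchA-bgp] peer 172.16.2.2 as-number 200
[SwitchA-bgp] peer 172.16.3.2 as-number 65010
[SwitchA-bgp] peer 2.2.2.2 as-number 64496
[SwitchA-bgp] peer 2.2.2.2 connect-interface LoopBack0
# Preferred value: every prefix learned from AS 100 beats the same prefix from AS 200.
# Preferred value is compared before Local_Pref; routes from the other peers keep the default 0.
[SwitchA-bgp] peer 172.16.1.2 preferred-value 100
[SwitchA-bgp] ipv4-family unicast
# Protocol preference, lower wins: EBGP 20, IBGP 200, locally originated 200 (assumed values).
# An OSPF route (default 10) to the same prefix would still be preferred over the EBGP route.
[SwitchA-bgp-af-ipv4] preference 20 200 200
# Local_Pref 200 on routes SwitchA sends into AS 64496, so IBGP peers prefer this exit over
# another ASBR that keeps the default (higher Local_Pref wins for traffic leaving the AS)
[SwitchA-bgp-af-ipv4] default local-preference 200
# MED 50 on routes imported or summarized here (lower MED wins for traffic entering the AS)
[SwitchA-bgp-af-ipv4] default med 50
# Compare MED between AS 100 and AS 200 and rank a missing MED as worst instead of as 0.
# Only do this when both upstream ASs set MED on an agreed scale.
[SwitchA-bgp-af-ipv4] compare-different-as-med
[SwitchA-bgp-af-ipv4] bestroute med-none-as-maximum
# Next hop: rewrite to SwitchA's own address before advertising EBGP-learned routes to SwitchB;
# otherwise SwitchB sees the EBGP peer address as next hop and the route stays inactive there
[SwitchA-bgp-af-ipv4] peer 2.2.2.2 next-hop-local
# AS_Path: strip private AS 65010 from the customer's routes before they leave toward the transit ASs
[SwitchA-bgp-af-ipv4] peer 172.16.1.2 public-as-only
[SwitchA-bgp-af-ipv4] peer 172.16.2.2 public-as-only
[SwitchA-bgp-af-ipv4] quit
[SwitchA-bgp] quit
# Check: for prefixes seen from both transit peers the AS 100 path should be selected, and on the
# transit peers the customer prefixes should arrive with an AS_Path of just 64496
[SwitchA] display bgp routing-table
[SwitchA] display bgp routing-table different-origin-as
[SwitchA] display bgp paths
```

The preferred value, Local_Pref, and MED settings act at different points: the preferred value and protocol preference only change what SwitchA itself selects, Local_Pref is carried to the IBGP peers inside AS 64496, and MED is carried to the EBGP peers, so a change to default med is visible only after the transit ASs receive the updated routes.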

5.5.5 Configuring BGP to Advertise Routes


BGP is used to transmit routing information. BGP advertises only the wanted routes after filtering
routes to be advertised, and modifies route attributes to direct network traffic.

Establishing the Configuration Task


Before configuring BGP to advertise routes, familiarize yourself with the applicable
environment, complete the pre-configuration tasks, and obtain the data required for the
configuration. This will help you complete the configuration task quickly and efficiently.

Applicable Environment
BGP is used to transmit routing information between ASs. Route advertisement directly affects
traffic forwarding.
There are usually a large number of routes in a BGP routing table. Transmitting a great deal of
routing information brings a heavy load to devices. Routes to be advertised need to be controlled
to address this problem. You can configure devices to advertise only routes that these devices
want to advertise or routes that their peers require.
Multiple routes to the same destination may exist and traverse different ASs. Routes to be
advertised need to be filtered in order to direct routes to specific ASs.
Filters can be used to filter routes to be advertised by BGP. BGP can filter routes to be advertised
to a specific peer or peer group.

Pre-configuration Tasks
Before configuring BGP to advertise routes, complete the following task:
- Configuring Basic BGP Functions

Data Preparation
To configure BGP to advertise routes, you need the following data:
- Name or number of an ACL
- Name, number, and matching mode of an IP prefix list
- Number or name of an AS_Path filter
- Number or name and matching mode of a community filter
- Number or name and matching mode of an extcommunity filter
- Name and matching mode of a route-policy, and number of the route-policy's node

Configuring BGP Filters


BGP filters filter routes to be advertised.

Context
BGP uses the following types of filters to filter routes:

Access Control List (ACL)

IP-Prefix List

AS_Path filter

Community filter

Extcommunity filter

Route-Policy

Procedure
Configure an ACL.
An ACL is a series of sequential rules composed of permit and deny clauses. These rules
are described based on source addresses, destination addresses, and port numbers of
packets. ACL rules are used to classify packets. After ACL rules are applied to a device,
the device permits or denies packets based on the ACL rules.
For details on ACL configurations, see the AC6605 Access Controller Configuration Guide
- IP Services.
An ACL can be used as a matching condition of a route-policy or used in the filter-policy { acl-number | acl-name acl-name } export [ protocol [ process-id ] ] command or
the peer { group-name | ipv4-address } filter-policy { acl-number | acl-name acl-name }
export command.
Configure an IP prefix list.


An IP prefix list is a type of filter used to filter routes based on destination addresses. An
IP prefix list is identified by its name. An IP prefix list can be used flexibly to implement
accurate filtering. For example, it can be used to filter a route or routes to a network segment.
If a large number of routes that do not have the same prefix need to be filtered, configuring
an IP prefix list to filter the routes is very complex.
An IP prefix list can be used as a matching condition of a route-policy or used in the filter-policy ip-prefix ip-prefix-name export [ protocol [ process-id ] ] command or the peer
{ group-name | ipv4-address } ip-prefix ip-prefix-name export command.
Perform the following steps on a BGP Switch:
1.

Run:
system-view

The system view is displayed.


2.

Run:
ip ip-prefix ip-prefix-name [ index index-number ] { permit | deny } ip-address mask-length [ greater-equal greater-equal-value ] [ less-equal
less-equal-value ]

An IPv4 prefix list is configured.


The mask length range can be specified as mask-length <= greater-equal-value <=
less-equal-value <= 32. If only greater-equal is specified, the prefix range is [greater-equal-value, 32]. If only less-equal is specified, the prefix range is [mask-length, less-equal-value].
An IPv4 prefix list is identified by its name, and each IP prefix list can contain multiple
entries. Each entry is identified by an index number, and can specify a matching range
in the form of a network prefix uniquely. An IPv4 prefix list named abcd is used as
an example.
#
ip ip-prefix abcd index 10 permit 1.0.0.0 8
ip ip-prefix abcd index 20 permit 2.0.0.0 8

During route matching, the system checks the entries by index number in ascending
order. If a route matches an entry, the route will not be matched with the next entry.
The AC6605 denies all unmatched routes by default. If all entries in an IPv4 prefix
list are in deny mode, all routes will be denied by the IPv4 prefix list. In this case, you
must define an entry permit 0.0.0.0 0 less-equal 32 after the entries in deny mode to
allow all the other IPv4 routes to be permitted by the IPv4 prefix list.
NOTE

If more than one IP prefix entry is defined, at least one entry should be set in permit mode.

Configure an AS_Path filter.


An AS_Path filter is used to filter BGP routes based on the AS_Path attributes contained
in the BGP routes. If you do not want traffic to pass through an AS, configure an AS_Path
filter to filter out the routes whose AS_Path attribute carries the number of that AS. If the BGP routing table of each
device on a network is large, configuring an ACL or an IP prefix list to filter BGP routes
may be complicated and make it difficult to maintain new routes.
NOTE

If the AS_Path information of a summarized route is lost, the AS_Path filter cannot be used to filter
the summarized route, but can still be used to filter the specific routes from which the summarized
route is derived.

An AS_Path filter can be used as a matching condition of a route-policy or be used in the
peer as-path-filter command.
Perform the following steps on a BGP Switch:
1.

Run:
system-view

The system view is displayed.


2.

Run:
ip as-path-filter { as-path-filter-number | as-path-filter-name }
{ permit | deny } regular-expression

An AS_Path filter is configured.


An AS_Path filter uses a regular expression to define matching rules. A regular
expression consists of the following parts:
Metacharacter: defines matching rules.
General character: defines matching objects.
Table 5-4 Metacharacters

Metacharacter    Description
\                Escape character.
.                Matches any single character except "\n", including spaces.
*                An asterisk indicates that there are 0, 1, or any number of the previous expression.
+                A plus sign indicates that there is at least 1 of the previous expression.
|                Matches either expression it separates.
^                Specifies the beginning of a line.
$                Specifies the end of a line.
[xyz]            Matches any character in the brackets.
[^xyz]           Matches a single character that is not contained within the brackets.
[a-z]            Matches any character within the specified range.
[^a-z]           Matches any character out of the specified range.
{n}              Repeats "n" times. "n" is a non-negative integer.
{n,}             Repeats at least "n" times. "n" is a non-negative integer.
{n,m}            Repeats "n" to "m" times. "m" and "n" are both non-negative integers, and "n" is
                 equal to or smaller than "m". Note that there is no space between "n" and the
                 comma, or between the comma and "m".

For example, ^10 indicates that only the AS_Path attribute starting with 10 is matched.
A circumflex (^) indicates that the beginning of a character string is matched.
Multiple rules, permit or deny, can be specified in a filter. The relationship between
these rules is "OR". This means that if a route meets one of the matching rules, the
route matches the AS_Path filter.
NOTE

For details on a regular expression, see the AC6605 Access Controller Configuration Guide - Basic Configurations.

Configure a community filter.


A BGP community attribute is used to identify a group of routes with the same properties.
Routes can be classified by community attribute. This facilitates route management.
Some AS internal routes may not need to be advertised to any other AS, whereas AS external
routes need to be advertised to other ASs. These AS external routes have different prefixes
(as a result, an IP prefix list is inapplicable) and may come from different ASs (as a result,
an AS_Path filter is inapplicable). You can set a community attribute value for these AS
internal routes and another community attribute value for these AS external routes on an
ASBR to control and filter these routes.
Perform the following steps on a BGP Switch:
1.

Run:
system-view

The system view is displayed.


2.

Run:
ip community-filter

A community filter is configured.


To configure a standard community filter, run the ip community-filter { basic
comm-filter-name { permit | deny } [ community-number | aa:nn ] * &<1-9> |
basic-comm-filter-num { permit | deny } [ community-number | aa:nn ] *
&<1-16> } [ internet | no-export-subconfed | no-advertise | no-export ] *
command.
To configure an advanced community filter, run the ip community-filter
{ advanced comm-filter-name | adv-comm-filter-num } { permit | deny } regular-expression command.
Configure an extcommunity filter.


Similar to a BGP community filter, a BGP extcommunity filter is used to filter private
network routes.
Perform the following steps on a BGP Switch:
1.

Run:
system-view

The system view is displayed.


2.

Perform either of the following operations as required to configure an extcommunity
filter.
To configure a basic extcommunity filter, run the ip extcommunity-filter { basic-extcomm-filter-num | basic basic-extcomm-filter-name } { deny | permit } { rt
{ as-number:nn | ipv4-address:nn } } &<1-16> command.
To configure an advanced extcommunity filter, run the ip extcommunity-filter
{ adv-extcomm-filter-num | advanced adv-extcomm-filter-name } { deny |
permit } regular-expression command.
Multiple entries can be defined in an extcommunity filter. The relationship between
the entries is "OR". This means that if a route matches one of the rules, the route
matches the filter.

Configure a route-policy.
A route-policy is used to match routes or route attributes, and to change route attributes
when specific conditions are met. As the preceding filters can be used as matching
conditions of a route-policy, the route-policy is powerful in functions and can be used
flexibly.
Perform the following steps on a BGP Switch:
1.

Run:
system-view

The system view is displayed.


2.

Run:
route-policy route-policy-name { permit | deny } node node

A node is configured for a route-policy, and the view of the route-policy is displayed.
A route-policy consists of multiple nodes. For example, the route-policy route-policy-example permit node 10 command specifies node 10 and the route-policy
route-policy-example deny node 20 command specifies node 20. The two nodes
belong to the route-policy specified by route-policy-example. The relationship
between the nodes of a route-policy is "OR". The details are as follows:
If a route matches one node, the route matches the route-policy and will not be
matched with the next node. For example, there are two nodes defined using the
route-policy route-policy-example permit node 10 and route-policy route-policy-example deny node 20 commands. If a route matches the node defined
using the route-policy route-policy-example permit node 10 command, the route
will not be matched with the node defined using the route-policy route-policy-example deny node 20 command.
If a route does not match any node, the route fails to match the route-policy.
When a route-policy is used to filter a route, the route is first matched with the node
with the smallest node value. For example, if two nodes are configured using the
route-policy route-policy-example permit node 10 and route-policy route-policy-example deny node 20 commands, a route is first matched with the node configured
using the route-policy route-policy-example permit node 10 command.
NOTE

The AC6605 considers that each unmatched route fails to match the route-policy by default. If
more than one node is defined in a route-policy, at least one of them must be in permit mode.

3.

(Optional) Perform the following operations as needed to configure if-match clauses
for current nodes of the route-policy.
if-match clauses are used to filter routes. If no if-match clause is specified, all routes
will match the node in the route-policy.
To match an ACL, run the if-match acl { acl-number | acl-name } command.
To match an IP prefix list, run the if-match ip-prefix ip-prefix-name command.
NOTE

The if-match acl and if-match ip-prefix commands cannot be used together in the same
node of a route-policy, because the latest configuration will override the previous one.

To match the AS-Path attribute of BGP routes, run the if-match as-path-filter
{ as-path-filter-number | as-path-filter-name } &<1-16> command.
To match the community attribute of BGP routes, run either of the following
commands:
if-match community-filter { basic-comm-filter-num [ whole-match ] | adv-comm-filter-num }* &<1-16>
if-match community-filter comm-filter-name [ whole-match ]
To match the extended community attribute of BGP routes, run the if-match
extcommunity-filter { { basic-extcomm-filter-num | adv-extcomm-filter-num }
&<1-16> | basic-extcomm-filter-name | advanced-extcomm-filter-name }
command.
The operations in Step 3 can be performed in any order. A node may have multiple
if-match clauses or no if-match clause.
NOTE

The relationship between the if-match clauses in a node of a route-policy is "AND". A route
must match all the rules before the action defined by the apply clause is taken. For example,
if two if-match clauses (if-match acl 2003 and if-match as-path-filter 100) are defined in the
route-policy route-policy-example permit node 10 command, a route is considered to match
node 10 only when it matches the two if-match clauses.

4.

(Optional) Perform the following operations as needed to configure apply clauses for
current nodes of the route-policy:
apply clauses can be used to set attributes for routes matching if-match clauses. If
this step is not performed, the attributes of routes matching if-match clauses remain
unchanged.
To replace or add a specified AS number in the AS_Path attribute of a BGP route,
run the apply as-path as-number command.
To delete a specified BGP community attribute from a route, run the apply comm-filter comm-filter-number delete command.
TIP

The apply comm-filter delete command deletes a specified community attribute from a
route. An instance of the ip community-filter command can specify only one community
attribute each time. To delete more than one community attribute, run the ip community-filter command multiple times. If multiple community attributes are specified in one
community filter, none of them can be deleted. For more information, see the AC6605
Access Controller Command Reference.

To delete all community attributes from a BGP route, run the apply community
none command.
To set community attributes for a BGP route, run the apply community
{ { community-number | aa:nn } &<1-32> | internet | no-advertise | no-export |
no-export-subconfed }* [ additive ] command.
To set an extended community attribute (route-target) for a route, run the apply
extcommunity { rt { as-number:nn | 4as-number:nn | ipv4-address:nn } }
&<1-16> [ additive ] command.
To set the local preference for a BGP route, run the apply local-preference
preference command.
To set the Origin attribute for a BGP route, run the apply origin { igp | egp as-number | incomplete } command.
To set a preferred value for a BGP route, run the apply preferred-value preferred-value command.
To set dampening parameters for an EBGP route, run the apply dampening half-life-reach reuse suppress ceiling command.
The operations in Step 4 can be performed in any order. A node may have multiple
apply clauses or no apply clause.
----End
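The matching semantics described in this procedure for IP prefix lists (entries checked by ascending index, first match decides, unmatched routes denied, greater-equal and less-equal ranges), AS_Path filters (OR-ed regular-expression rules) and route-policy nodes (ascending node order, AND between if-match clauses, apply clauses on a permitted route) are modelled in the following added Python example, which is not Huawei code; the import direction in 5.5.6 uses the same filters. The filter contents, the route list and the route fields (prefix, as_path, local_preference) are constructed for the example.

```python
import ipaddress
import re

class IpPrefixList:
    """Model of 'ip ip-prefix <name> index <n> {permit|deny} <ip-address> <mask-length>
    [greater-equal ge] [less-equal le]': entries are checked in ascending index order, the
    first matching entry decides, and a route matching no entry is denied by default."""

    def __init__(self):
        self.entries = []  # (index, action, network, ge, le)

    def add(self, index, action, address, mask_length, greater_equal=None, less_equal=None):
        # Only greater-equal: [ge, 32]; only less-equal: [mask-length, le]; neither: exactly mask-length.
        ge = mask_length if greater_equal is None else greater_equal
        le = less_equal if less_equal is not None else (32 if greater_equal is not None else mask_length)
        if not (mask_length <= ge <= le <= 32):
            raise ValueError("mask-length <= greater-equal <= less-equal <= 32 is required")
        network = ipaddress.ip_network(f"{address}/{mask_length}", strict=False)
        self.entries.append((index, action, network, ge, le))
        self.entries.sort(key=lambda e: e[0])

    def matches(self, prefix):
        route = ipaddress.ip_network(prefix)
        for _, action, network, ge, le in self.entries:
            # The route must lie inside the entry's network and its length must fall within [ge, le].
            if route.subnet_of(network) and ge <= route.prefixlen <= le:
                return action == "permit"
        return False

class AsPathFilter:
    """Model of 'ip as-path-filter <id> {permit|deny} <regular-expression>': rules are OR-ed,
    the first rule whose regular expression matches the AS_Path decides, otherwise deny."""

    def __init__(self):
        self.rules = []

    def add(self, action, regex):
        self.rules.append((action, re.compile(regex)))

    def matches(self, as_path):
        text = " ".join(str(asn) for asn in as_path)  # AS_Path as the string the regex sees
        for action, pattern in self.rules:
            if pattern.search(text):
                return action == "permit"
        return False

class RoutePolicy:
    """Model of 'route-policy <name> {permit|deny} node <n>': nodes are tried in ascending
    node order (OR between nodes), all if-match clauses of a node must hold (AND), a node
    without if-match clauses matches every route, and a route matching no node is denied."""

    def __init__(self):
        self.nodes = []  # (node number, action, if-match callables, apply callables)

    def node(self, number, action, if_match=(), apply=()):
        self.nodes.append((number, action, list(if_match), list(apply)))
        self.nodes.sort(key=lambda n: n[0])
        return self

    def evaluate(self, route):
        """Return (permitted, route); apply clauses act on a copy of a permitted route."""
        for _, action, conditions, actions in self.nodes:
            if all(cond(route) for cond in conditions):
                if action != "permit":
                    return False, route
                changed = dict(route)
                for act in actions:
                    act(changed)
                return True, changed
        return False, route

def build_example_policy():
    """Constructed policy: node 10 permits routes inside 1.0.0.0/8 no longer than /24 whose
    AS_Path starts with AS 10 and raises their local preference; node 20 denies the rest."""
    prefix_list = IpPrefixList()
    prefix_list.add(10, "permit", "1.0.0.0", 8, less_equal=24)
    prefix_list.add(20, "permit", "2.0.0.0", 8)
    as_path_filter = AsPathFilter()
    as_path_filter.add("permit", r"^10")
    policy = RoutePolicy()
    policy.node(10, "permit",
                if_match=[lambda r: prefix_list.matches(r["prefix"]),
                          lambda r: as_path_filter.matches(r["as_path"])],
                apply=[lambda r: r.update(local_preference=200)])
    return policy.node(20, "deny")

# Constructed routes as a BGP speaker might hold them before export filtering.
SAMPLE_ROUTES = [
    {"prefix": "1.1.0.0/16", "as_path": [10, 30], "local_preference": 100},
    {"prefix": "1.1.1.0/26", "as_path": [10, 30], "local_preference": 100},  # longer than /24
    {"prefix": "2.0.0.0/8", "as_path": [20, 10], "local_preference": 100},   # AS_Path not starting with 10
    {"prefix": "3.0.0.0/8", "as_path": [10], "local_preference": 100},       # not in the prefix list
]

def filter_routes(policy, routes):
    """Return the routes the policy permits, with apply clauses already applied."""
    return [result for ok, result in map(policy.evaluate, routes) if ok]
```

Note that the rule ^10 also matches an AS_Path that begins with AS 100, so an expression meant for exactly AS 10 needs a tighter anchor (for example ^10$ for a single-AS path).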

Controlling the Advertisement of BGP Routing Information


After a route advertisement policy is configured on a device, the device advertises only routes
matching the policy to its peers.

Procedure
Configure a BGP device to advertise routes to all peers or peer groups.


You can configure a BGP device to filter routes to be advertised. Perform the following
steps on a BGP Switch:
1.

Run:
system-view

The system view is displayed.


2.

Run:
bgp as-number

The BGP view is displayed.


3.

Run:
ipv4-family unicast

The IPv4 unicast address family view is displayed.


4.

Perform either of the following operations to configure the BGP device to advertise
routes to all peers or peer groups:
To filter routes based on an ACL, run the filter-policy { acl-number | acl-name
acl-name } export [ protocol [ process-id ] ] command.
To filter routes based on an IP prefix list, run the filter-policy ip-prefix ip-prefix-name export [ protocol [ process-id ] ] command.
If protocol is specified, only routes discovered by a specific routing protocol are
filtered. If protocol is not specified, all the routes to be advertised are filtered, including
routes imported using the import-route (BGP) command and local routes advertised
using the network (BGP) command.
NOTE

If an ACL has been referenced in the filter-policy command but no VPN instance is specified
in the ACL rule, BGP will filter routes including public and private network routes in all address
families. If a VPN instance is specified in the ACL rule, only the data traffic from the VPN
instance will be filtered, and no route of this VPN instance will be filtered.

Configure a BGP device to advertise routes to a specific peer or peer group.


You can configure a BGP device to filter routes to be advertised. Perform the following
steps on a BGP Switch:
1.

Run:
system-view

The system view is displayed.


2.

Run:
bgp as-number

The BGP view is displayed.


3.

Run:
ipv4-family unicast

The IPv4 unicast address family view is displayed.


4.

Perform any of the following operations to configure the BGP device to advertise
routes to a specific peer or peer group:
To filter routes based on an ACL, run the peer { ipv4-address | group-name }
filter-policy { acl-number | acl-name acl-name } export command.
To filter routes based on an IP prefix list, run the peer { ipv4-address | group-name } ip-prefix ip-prefix-name export command.
To filter routes based on an AS_Path filter, run the peer { ipv4-address | group-name } as-path-filter { as-path-filter-number | as-path-filter-name } export
command.
To filter routes based on a route-policy, run the peer { ipv4-address | group-name } route-policy route-policy-name export command.
A peer group and its members can use different export policies to filter routes. Each
peer can select its policy when advertising routes.
----End

Configuring BGP Soft Reset


BGP soft reset allows the system to refresh a BGP routing table dynamically without tearing
down any BGP connection if routing policies are changed.

Context
After changing a BGP import policy, you must reset BGP connections for the new import policy
to take effect, interrupting these BGP connections temporarily. BGP route-refresh allows the
system to refresh a BGP routing table dynamically without tearing down any BGP connection
if routing policies are changed.
If a device's peer supports route-refresh, the refresh bgp command can be used on the
device to softly reset the BGP connection with the peer and update the BGP routing table.

If a device's peer does not support route-refresh, the peer keep-all-routes command can
be used on the device to retain all routing updates received from the peer so that the device
can refresh its routing table without closing the connection with the peer.

Perform the following steps on a BGP Switch:

Procedure
If the device's peers support route-refresh, perform the following operations:


1.

(Optional) Enable route-refresh.


a.

Run:
system-view

The system view is displayed.


b.

Run:
bgp as-number

The BGP view is displayed.


c.

Run:
peer { ipv4-address | group-name } capability-advertise route-refresh

Route-refresh is enabled.
By default, route-refresh is enabled.
If route-refresh is enabled on all BGP Switches and the import policy of the local
Switch is changed, the local Switch sends a route-refresh message to peers or peer
groups. After receiving the message, the peers or peer groups resend routing
information to the local BGP Switch. This enables the local Switch to dynamically
refresh its BGP routing table and apply the new routing policy without closing any
BGP connections.
2.

Configure BGP soft reset.


a.

Run the refresh bgp [ vpn-instance vpn-instance-name ipv4-family ] { all |
ipv4-address | group group-name | external | internal } { export | import }
command in the user view to softly reset the BGP connections between the
device and its peers or peer groups.

external softly resets an EBGP connection, and internal softly resets an IBGP
connection.
export triggers outbound BGP soft reset, and import triggers inbound BGP soft reset.
If the device's peers do not support route-refresh, perform the following operations:

Configure the device to store all the routing updates received from its peers or peer
groups.
1.

Run:
system-view

The system view is displayed.


2.

Run:
bgp as-number

The BGP view is displayed.


3.

Run:
ipv4-family unicast

The IPv4 unicast address family view is displayed.


4.

Run:
peer { ipv4-address | group-name } keep-all-routes

The device is configured to store all the routing updates received from its peers
or peer groups.
By default, the device stores only the routing updates that are received from peers or
peer groups and match a configured import policy.
After this command is used, all routing updates sent by a specified peer or peer group
are stored, regardless of whether an import policy is used. When the local routing
policy changes, the stored information is used to regenerate BGP routes.
NOTE

This command must be run on the local device and its peers. If the peer keep-all-routes
command is run on the device for the first time, the sessions between the device and its peers
are reestablished.
The peer keep-all-routes command does not need to be run on the Switch that supports route-refresh. If the peer keep-all-routes command is run on the Switch, the sessions between the
Switch and its peers will not be reestablished but the refresh bgp command does not take effect
on the Switch.

----End
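The difference between the two soft-reset options above, as an added Python model that is not AC6605 code: a session that stores all updates (peer keep-all-routes) regenerates its table after an import policy change by itself, a session whose peer supports route-refresh asks the peer to resend its routes, and a session with neither keeps only the routes the old policy had accepted. The prefix-based import policy, the return strings and the demo scenario are constructed for the example.

```python
def prefix_policy(permitted_prefixes):
    """Constructed import policy: accept a route only if its prefix is in the permitted set."""
    permitted = set(permitted_prefixes)
    return lambda route: route["prefix"] in permitted

class PeerSession:
    """Inbound side of one BGP session. With keep_all_routes=True (peer keep-all-routes)
    every update from the peer is stored whether or not the import policy accepts it;
    by default only updates that pass the import policy are stored."""

    def __init__(self, import_policy, keep_all_routes=False, peer_supports_route_refresh=True):
        self.import_policy = import_policy
        self.keep_all_routes = keep_all_routes
        self.peer_supports_route_refresh = peer_supports_route_refresh
        self.stored_updates = []   # what this device keeps from the peer
        self.accepted_routes = []  # routes that passed the import policy

    def receive_updates(self, updates):
        for route in updates:
            if self.keep_all_routes or self.import_policy(route):
                self.stored_updates.append(route)
        self._regenerate()

    def _regenerate(self):
        self.accepted_routes = [r for r in self.stored_updates if self.import_policy(r)]

    def change_import_policy(self, new_policy, peer_updates):
        """Install a new import policy and return how the routing table was brought up to date.
        peer_updates stands for what the peer would resend in response to a route-refresh."""
        self.import_policy = new_policy
        if self.keep_all_routes:
            self._regenerate()  # regenerate from the stored updates, no message to the peer
            return "regenerated-locally"
        if self.peer_supports_route_refresh:
            self.stored_updates = []  # refresh bgp ... import: the peer resends everything
            self.receive_updates(peer_updates)
            return "route-refresh"
        self._regenerate()  # updates the old policy dropped are gone until the session is reset
        return "stale-until-reset"

def demo(keep_all_routes, peer_supports_route_refresh):
    """Constructed scenario: the peer sends three prefixes, the old policy accepts one, the new
    policy accepts two. Returns (refresh method, accepted prefixes after the policy change)."""
    peer_updates = [{"prefix": p} for p in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
    session = PeerSession(prefix_policy(["10.0.0.0/8"]), keep_all_routes, peer_supports_route_refresh)
    session.receive_updates(peer_updates)
    how = session.change_import_policy(prefix_policy(["10.0.0.0/8", "172.16.0.0/12"]), peer_updates)
    return how, sorted(r["prefix"] for r in session.accepted_routes)
```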
Checking the Configuration


After the configurations of controlling BGP route advertisement are complete, you can view
filters, routes matching a specified filter, and routes advertised to BGP peers.

Prerequisites
The BGP route advertisement configurations are complete.

Procedure
Run the display ip as-path-filter [ as-path-filter-number | as-path-filter-name ] command
to check information about a configured AS_Path filter.
Run the display ip community-filter [ basic-comm-filter-num | adv-comm-filter-num |
comm-filter-name ] command to check information about a configured community filter.
Run the display ip extcommunity-filter [ extcomm-filter-number | extcomm-filter-name ]
command to check information about a configured extcommunity filter.
Run the display bgp routing-table as-path-filter { as-path-filter-number | as-path-filter-name } command to check information about routes matching a specified AS_Path filter.
Run the display bgp routing-table community-filter { { community-filter-name | basic-community-filter-number } [ whole-match ] | advanced-community-filter-number }
command to check information about routes matching a specified BGP community filter.
Run the display bgp routing-table peer ipv4-address advertised-routes [ statistics ]
command to check information about routes advertised by a BGP device to its peers.

----End

5.5.6 Configuring BGP to Receive Routes


BGP is used to transmit routing information. BGP can filter received routes to accept only the
expected routes, and can modify route attributes to direct network traffic.

Establishing the Configuration Task


Before configuring BGP to receive routes, familiarize yourself with the applicable environment,
complete the pre-configuration tasks, and obtain the data required for the configuration. This
will help you complete the configuration task quickly and efficiently.

Applicable Environment
BGP is used to transmit routing information between ASs. Route reception directly affects traffic
forwarding.
The BGP Switch may receive routes to the same destination from different BGP peers. To control
traffic forwarding paths, the Switch needs to filter the received BGP routes.
The Switch may be attacked and receive a large number of routes from its BGP peers, consuming
a large share of the Switch's resources. Therefore, the administrator must limit the resources that
can be consumed, based on network planning and Switch capacities, regardless of whether the
excessive BGP routes result from malicious attacks or from incorrect configurations.
Filters can be used to filter routes to be received by BGP. BGP can filter the routes received
from all peers or peer groups or only the routes received from a specific peer or peer group.

Pre-configuration Tasks
Before configuring BGP to receive routes, complete the following task:
Configuring Basic BGP Functions

Data Preparation
To configure BGP to receive routes, you need the following data.

No.    Data
1      Name or number of an ACL
2      Name, number, and matching mode of an IP prefix list
3      Number or name of an AS_Path filter
4      Number or name and matching mode of a community filter
5      Number or name and matching mode of an extended community filter
6      Name and matching mode of a route-policy, and number of the route-policy's node

Configuring BGP Filters


BGP filters can be used to filter routes to be received.

Context
Filters are needed to control which routes are received. Currently, six filters are available
for BGP:
Access Control List (ACL)

IP-Prefix List

AS_Path filter

Community filter

Extcommunity filter

Route-Policy

Procedure
Configure an ACL.
An ACL is a series of sequential rules composed of permit and deny clauses. These rules
are described based on source addresses, destination addresses, and port numbers of
packets. ACL rules are used to classify packets. After ACL rules are applied to a device,
the device permits or denies packets based on the ACL rules.
For details on ACL configurations, see the AC6605 Access Controller Configuration Guide
- IP Services.
An ACL can be used as a matching condition of a route-policy or used in the filter-policy { acl-number | acl-name acl-name } import command or the peer { group-name |
ipv4-address } filter-policy { acl-number | acl-name acl-name } import command.
Configure an IP prefix list.


An IP prefix list is a type of filter used to filter routes based on destination addresses. An
IP prefix list is identified by its name. An IP prefix list can be used flexibly to implement
accurate filtering. For example, it can be used to filter a route or routes to a network segment.
If a large number of routes that do not have the same prefix need to be filtered, configuring
an IP prefix list to filter the routes is very complex.
An IP prefix list can be used as a matching condition of a route-policy or used in the filter-policy ip-prefix ip-prefix-name import command or the peer { group-name | ipv4-address } ip-prefix ip-prefix-name import command.
Perform the following steps on a BGP Switch:
1.

Run:
system-view

The system view is displayed.


2.

Run:
ip ip-prefix ip-prefix-name [ index index-number ] { permit | deny } ip-address mask-length [ greater-equal greater-equal-value ] [ less-equal
less-equal-value ]

An IPv4 prefix list is configured.


The mask length range can be specified as mask-length <= greater-equal-value <=
less-equal-value <= 32. If only greater-equal is specified, the prefix range is [greater-equal-value, 32]. If only less-equal is specified, the prefix range is [mask-length, less-equal-value].
An IPv4 prefix list is identified by its name, and each IP prefix list can contain multiple
entries. Each entry is identified by an index number, and can specify a matching range
in the form of a network prefix uniquely. An IPv4 prefix list named abcd is used as
an example.
#
ip ip-prefix abcd index 10 permit 1.0.0.0 8
ip ip-prefix abcd index 20 permit 2.0.0.0 8

During route matching, the system checks the entries by index number in ascending
order. If a route matches an entry, the route will not be matched with the next entry.
The AC6605 denies all unmatched routes by default. If all entries in an IPv4 prefix
list are in deny mode, all routes will be denied by the IPv4 prefix list. In this case, you
must define an entry permit 0.0.0.0 0 less-equal 32 after the entries in deny mode to
allow all the other IPv4 routes to be permitted by the IPv4 prefix list.
NOTE

If more than one IP prefix entry is defined, at least one entry should be set in permit mode.

Configure an AS_Path filter.


An AS_Path filter is used to filter BGP routes based on the AS_Path attributes contained
in the BGP routes. If you do not want traffic to pass through an AS, configure an AS_Path
filter to filter out the routes whose AS_Path attribute carries the number of that AS. If the BGP routing table of each

device on a network is large, configuring an ACL or an IP prefix list to filter BGP routes
may be complicated and make it difficult to maintain new routes.
NOTE

If the AS_Path information of a summarized route is lost, the AS_Path filter cannot be used to filter
the summarized route, but can still be used to filter the specific routes from which the summarized
route is derived.

An AS_Path filter can be used as a matching condition of a route-policy or be used in the
peer as-path-filter command.
Perform the following steps on a BGP Switch:
1.

Run:
system-view

The system view is displayed.


2.

Run:
ip as-path-filter { as-path-filter-number | as-path-filter-name }
{ permit | deny } regular-expression

An AS_Path filter is configured.


An AS_Path filter uses a regular expression to define matching rules. A regular
expression consists of the following parts:
Metacharacter: defines matching rules.
General character: defines matching objects.
Table 5-5 Metacharacters

Metacharacter    Description
\                Escape character.
.                Matches any single character except "\n", including spaces.
*                An asterisk indicates that there are 0, 1, or any number of the previous expression.
+                A plus sign indicates that there is at least 1 of the previous expression.
|                Matches either expression it separates.
^                Specifies the beginning of a line.
$                Specifies the end of a line.
[xyz]            Matches any character in the brackets.
[^xyz]           Matches a single character that is not contained within the brackets.
[a-z]            Matches any character within the specified range.
[^a-z]           Matches any character out of the specified range.
{n}              Repeats "n" times. "n" is a non-negative integer.
{n,}             Repeats at least "n" times. "n" is a non-negative integer.
{n,m}            Repeats "n" to "m" times. "m" and "n" are both non-negative integers, and "n" is
                 equal to or smaller than "m". Note that there is no space between "n" and the
                 comma, or between the comma and "m".

For example, ^10 indicates that only the AS_Path attribute starting with 10 is matched.
A circumflex (^) indicates that the beginning of a character string is matched.
Multiple rules, permit or deny, can be specified in a filter. The relationship between
these rules is "OR". This means that if a route meets one of the matching rules, the
route matches the AS_Path filter.
NOTE
For details on regular expressions, see the AC6605 Access Controller Configuration Guide - Basic Configurations.

- Configure a community filter.
  A BGP community attribute is used to identify a group of routes with the same properties.
  Routes can be classified by community attribute. This facilitates route management.
  Some AS internal routes may not need to be advertised to any other AS, whereas AS external
  routes need to be advertised to other ASs. These AS external routes have different prefixes
  (as a result, an IP prefix list is inapplicable) and may come from different ASs (as a result,
  an AS_Path filter is inapplicable). You can set a community attribute value for these AS
  internal routes and another community attribute value for these AS external routes on an
  ASBR to control and filter these routes.
  Perform the following steps on a BGP Switch:
  1. Run:
     system-view
     The system view is displayed.
  2. Run:
     ip community-filter
     A community filter is configured.
     To configure a standard community filter, run the ip community-filter { basic
     comm-filter-name { permit | deny } [ community-number | aa:nn ] * &<1-9> |
     basic-comm-filter-num { permit | deny } [ community-number | aa:nn ] *
     &<1-16> } [ internet | no-export-subconfed | no-advertise | no-export ] *
     command.
     To configure an advanced community filter, run the ip community-filter
     { advanced comm-filter-name | adv-comm-filter-num } { permit | deny } regular-expression command.
- Configure an extcommunity filter.
  Similar to a BGP community filter, a BGP extcommunity filter is used to filter private
  network routes.
  Perform the following steps on a BGP Switch:
  1. Run:
     system-view
     The system view is displayed.
  2. Perform either of the following operations as required to configure an extcommunity
     filter.
     To configure a basic extcommunity filter, run the ip extcommunity-filter { basic-extcomm-filter-num | basic basic-extcomm-filter-name } { deny | permit } { rt
     { as-number:nn | ipv4-address:nn } } &<1-16> command.
     To configure an advanced extcommunity filter, run the ip extcommunity-filter
     { adv-extcomm-filter-num | advanced adv-extcomm-filter-name } { deny |
     permit } regular-expression command.
     Multiple entries can be defined in an extcommunity filter. The relationship between
     the entries is "OR". This means that if a route matches one of the rules, the route
     matches the filter.

- Configure a route-policy.
  A route-policy is used to match routes or route attributes, and to change route attributes
  when specific conditions are met. As the preceding filters can be used as matching
  conditions of a route-policy, the route-policy is powerful in functions and can be used
  flexibly.
  Perform the following steps on a BGP Switch:
  1. Run:
     system-view
     The system view is displayed.
  2. Run:
     route-policy route-policy-name { permit | deny } node node
     A node is configured for a route-policy, and the view of the route-policy is displayed.
     A route-policy consists of multiple nodes. For example, the route-policy
     route-policy-example permit node 10 command specifies node 10 and the route-policy
     route-policy-example deny node 20 command specifies node 20. The two nodes
     belong to the route-policy specified by route-policy-example. The relationship
     between the nodes of a route-policy is "OR". The details are as follows:
     - If a route matches one node, the route matches the route-policy and will not be
       matched with the next node. For example, there are two nodes defined using the
       route-policy route-policy-example permit node 10 and route-policy
       route-policy-example deny node 20 commands. If a route matches the node defined
       using the route-policy route-policy-example permit node 10 command, the route
       will not be matched with the node defined using the route-policy
       route-policy-example deny node 20 command.
     - If a route does not match any node, the route fails to match the route-policy.
     When a route-policy is used to filter a route, the route is first matched with the node
     with the smallest node value. For example, if two nodes are configured using the
     route-policy route-policy-example permit node 10 and route-policy
     route-policy-example deny node 20 commands, a route is first matched with the node
     configured using the route-policy route-policy-example permit node 10 command.

     NOTE
     The AC6605 considers that each unmatched route fails to match the route-policy by default. If
     more than one node is defined in a route-policy, at least one of them must be in permit mode.
  3. (Optional) Perform the following operations as needed to configure if-match clauses
     for current nodes of the route-policy.
     if-match clauses are used to filter routes. If no if-match clause is specified, all routes
     will match the node in the route-policy.
     - To match an ACL, run the if-match acl { acl-number | acl-name } command.
     - To match an IP prefix list, run the if-match ip-prefix ip-prefix-name command.
     NOTE
     The if-match acl and if-match ip-prefix commands cannot be used together in the same
     node of a route-policy, because the latest configuration will override the previous one.
     - To match the AS_Path attribute of BGP routes, run the if-match as-path-filter
       { as-path-filter-number | as-path-filter-name } &<1-16> command.
     - To match the community attribute of BGP routes, run either of the following
       commands:
       if-match community-filter { basic-comm-filter-num [ whole-match ] | adv-comm-filter-num }* &<1-16>
       if-match community-filter comm-filter-name [ whole-match ]
     - To match the extended community attribute of BGP routes, run the if-match
       extcommunity-filter { { basic-extcomm-filter-num | adv-extcomm-filter-num }
       &<1-16> | basic-extcomm-filter-name | advanced-extcomm-filter-name }
       command.
     The operations in Step 3 can be performed in any order. A node may have multiple
     if-match clauses or no if-match clause.
     NOTE
     The relationship between the if-match clauses in a node of a route-policy is "AND". A route
     must match all the rules before the action defined by the apply clause is taken. For example,
     if two if-match clauses (if-match acl 2003 and if-match as-path-filter 100) are defined in the
     route-policy route-policy-example permit node 10 command, a route is considered to match
     node 10 only when it matches the two if-match clauses.
  4. (Optional) Perform the following operations as needed to configure apply clauses for
     current nodes of the route-policy:
     apply clauses can be used to set attributes for routes matching if-match clauses. If
     this step is not performed, the attributes of routes matching if-match clauses keep
     unchanged.
     - To replace or add a specified AS number in the AS_Path attribute of a BGP route,
       run the apply as-path as-number command.
     - To delete a specified BGP community attribute from a route, run the apply comm-filter comm-filter-number delete command.


     TIP
     The apply comm-filter delete command deletes a specified community attribute from a
     route. An instance of the ip community-filter command can specify only one community
     attribute each time. To delete more than one community attribute, run the ip community-filter
     command multiple times. If multiple community attributes are specified in one
     community filter, none of them can be deleted. For more information, see the AC6605
     Access Controller Command Reference.
     - To delete all community attributes from a BGP route, run the apply community
       none command.
     - To set community attributes for a BGP route, run the apply community
       { { community-number | aa:nn } &<1-32> | internet | no-advertise | no-export |
       no-export-subconfed }* [ additive ] command.
     - To set an extended community attribute (route-target) for a route, run the apply
       extcommunity { rt { as-number:nn | 4as-number:nn | ipv4-address:nn } }
       &<1-16> [ additive ] command.
     - To set the local preference for a BGP route, run the apply local-preference
       preference command.
     - To set the Origin attribute for a BGP route, run the apply origin { igp | egp as-number | incomplete } command.
     - To set a preferred value for a BGP route, run the apply preferred-value preferred-value command.
     - To set dampening parameters for an EBGP route, run the apply dampening half-life-reach reuse suppress ceiling command.
     The operations in Step 4 can be performed in any order. A node may have multiple
     apply clauses or no apply clause.
----End
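The filter and node semantics described above (first matching rule decides in an AS_Path filter, "AND" between the if-match clauses of one node, "OR" between nodes tried from the smallest node number, and a default of "fails to match"), worked through in an added Python model that is not Huawei code; the regexes, community values and prefixes are constructed, and the exact-set reading of whole-match is this model's assumption.

```python
import re
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set, Tuple

# Constructed example (not Huawei code): a small evaluator for the AS_Path
# filter, community filter and route-policy semantics described in this section.


@dataclass
class Route:
    prefix: str
    as_path: List[int]                                   # leftmost AS is the most recent
    community: Set[str] = field(default_factory=set)     # e.g. {"100:1"}
    local_pref: int = 100


class AsPathFilter:
    """ip as-path-filter: (permit|deny, regex) rules; the first rule whose regex
    matches the AS_Path decides, and a route matching no rule does not match
    the filter. The AS_Path is matched as a space-separated string, so "^10"
    also matches an AS_Path starting with 100; "^10( |$)" pins AS 10 exactly."""

    def __init__(self, rules: List[Tuple[str, str]]):
        self.rules = rules

    def matches(self, route: Route) -> bool:
        text = " ".join(str(asn) for asn in route.as_path)
        for action, regex in self.rules:
            if re.search(regex, text):
                return action == "permit"
        return False


class CommunityFilter:
    """ip community-filter basic ... permit: the route must carry every listed
    community; with whole-match it must carry exactly these and nothing else
    (the exact-set reading of whole-match is an assumption of this model)."""

    def __init__(self, communities: Set[str], whole_match: bool = False):
        self.communities = set(communities)
        self.whole_match = whole_match

    def matches(self, route: Route) -> bool:
        if self.whole_match:
            return route.community == self.communities
        return self.communities <= route.community


@dataclass
class Node:
    number: int
    mode: str                                                          # "permit" or "deny"
    if_match: List[Callable[[Route], bool]] = field(default_factory=list)  # AND relationship
    apply: List[Callable[[Route], None]] = field(default_factory=list)


class RoutePolicy:
    """route-policy: nodes are tried in ascending number; the first node whose
    if-match clauses all hold decides (permit runs the apply clauses), and a
    route matching no node fails the policy."""

    def __init__(self, name: str):
        self.name = name
        self.nodes: Dict[int, Node] = {}

    def node(self, number: int, mode: str) -> Node:
        self.nodes[number] = Node(number, mode)
        return self.nodes[number]

    def evaluate(self, route: Route) -> Tuple[bool, Optional[int]]:
        for number in sorted(self.nodes):
            node = self.nodes[number]
            if all(clause(route) for clause in node.if_match):   # no clauses: matches all
                if node.mode == "permit":
                    for action in node.apply:
                        action(route)
                    return True, number
                return False, number
        return False, None


def build_policy() -> RoutePolicy:
    """route-policy route-policy-example: node 10 permits routes that start with
    AS 10 AND carry community 100:1 and raises their local preference; node 20
    (no if-match clause) denies everything that reaches it."""
    as_filter = AsPathFilter([("permit", r"^10( |$)")])
    comm_filter = CommunityFilter({"100:1"})
    policy = RoutePolicy("route-policy-example")
    node10 = policy.node(10, "permit")
    node10.if_match += [as_filter.matches, comm_filter.matches]
    node10.apply.append(lambda r: setattr(r, "local_pref", 200))
    policy.node(20, "deny")
    return policy


def evaluate_samples() -> Dict[str, Tuple[bool, Optional[int], int]]:
    """Run three constructed routes through the policy and return, per prefix,
    (matched, deciding node, resulting local preference)."""
    samples = [
        Route("192.0.2.0/24", [10, 30], {"100:1"}),      # both clauses hold at node 10
        Route("198.51.100.0/24", [10, 30]),             # community missing: AND fails, node 20 denies
        Route("203.0.113.0/24", [100, 20], {"100:1"}),  # AS 100 is not AS 10: node 20 denies
    ]
    policy = build_policy()
    results = {}
    for route in samples:
        matched, node = policy.evaluate(route)
        results[route.prefix] = (matched, node, route.local_pref)
    return results
```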

Configuring BGP to Control the Acceptance of Routing Information


After an import policy is configured, only the routes that match the import policy can be received.

Procedure
- Configure BGP to receive routes from all its peers or peer groups.
  You can configure a BGP device to filter received routes. Perform the following steps on
  a BGP Switch:
  1. Run:
     system-view
     The system view is displayed.
  2. Run:
     bgp as-number
     The BGP view is displayed.
  3. Run:
     ipv4-family unicast
     The IPv4 unicast address family view is displayed.
  4. Perform either of the following operations to configure the BGP device to filter the
     routes received from all its peers or peer groups:
     - To filter routes based on a specified ACL, run the filter-policy { acl-number | acl-name acl-name } import command.
     - To filter routes based on an IP prefix list, run the filter-policy ip-prefix ip-prefix-name import command.
     NOTE
     If an ACL has been referenced in the filter-policy command but no VPN instance is specified
     in any ACL rule, BGP will filter routes including public network routes and private network
     routes in all address families. If a VPN instance is specified in an ACL rule, only the data traffic
     from the VPN instance will be filtered, and no routes of this VPN instance will be filtered.

- Configure a BGP device to receive routes from a specific peer or peer group.
  You can configure a BGP device to filter received routes. Perform the following steps on
  a BGP Switch:
  1. Run:
     system-view
     The system view is displayed.
  2. Run:
     bgp as-number
     The BGP view is displayed.
  3. Run:
     ipv4-family unicast
     The IPv4 unicast address family view is displayed.
  4. Perform any of the following configurations to configure the BGP device to filter the
     routes received from a specific peer or peer group:
     - To filter routes based on an ACL, run the peer { ipv4-address | group-name }
       filter-policy { acl-number | acl-name acl-name } import command.
     - To filter routes based on an IP prefix list, run the peer { ipv4-address | group-name } ip-prefix ip-prefix-name import command.
     - To filter routes based on an AS_Path filter, run the peer { ipv4-address | group-name } as-path-filter { as-path-filter-number | as-path-filter-name } import
       command.
     - To filter routes based on a route-policy, run the peer { ipv4-address | group-name } route-policy route-policy-name import command.
     A peer group and its members can use different import policies when receiving routes.
     This means that each member in a peer group can select its own policy to filter received
     routes.
- Limit the number of routes received from a peer or peer group.
  If the Switch running BGP is attacked or a network configuration error occurs, the
  Switch may receive a large number of routes from a neighbor and consume a large amount
  of its own resources as a result. The administrator must therefore limit the resources
  used by the Switch based on network planning and the capacity of the Switch. BGP provides
  peer-based route control to limit the number of routes accepted from a neighbor, which
  addresses this problem.
  1. Run:
     system-view
     The system view is displayed.
  2. Run:
     bgp as-number
     The BGP view is displayed.
  3. Run:
     ipv4-family unicast
     The IPv4 unicast address family view is displayed.
  4. Run:
     peer { group-name | ipv4-address } route-limit limit [ percentage ] [ alert-only | idle-forever | idle-timeout times ]
     The number of routes that can be received from a peer or peer group is set.
     The command provides the limit on the number of received routes based on peers.
     You can configure specific parameters as required to control BGP after the number
     of the routes received from a peer exceeds the threshold.
     - alert-only: The peer relationship is kept. No route is received after the number of
       received routes exceeds the threshold, and an alarm is generated and recorded in
       the log.
     - idle-forever: The peer relationship is interrupted. The router does not retry setting
       up a connection. An alarm is generated and recorded in the log. In this case, run
       the display bgp peer [ verbose ] command, and you can find that the status of the
       peer is Idle. To restore the BGP connection, run the reset bgp command.
     - idle-timeout: The peer relationship is interrupted. The router retries setting up a
       connection after the timer expires. An alarm is generated and recorded in the log.
       In this case, run the display bgp peer [ verbose ] command, and you can find that
       the status of the peer is Idle. To restore the BGP connection before the timer
       expires, run the reset bgp command.
     - If none of the preceding parameters is set, the peer relationship is disconnected.
       The router retries setting up a connection after 30 seconds. An alarm is generated
       and recorded in the log.
     NOTE
     If the number of routes received by the local router exceeds the upper limit and the peer route-limit
     command is used for the first time, the local router and its peer reestablish the peer relationship,
     regardless of whether alert-only is set.

----End
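The four route-limit behaviours above, modelled in an added Python example that is not Huawei code: a constructed peer session is fed one route more than its limit, driven by an explicit clock so the retry timers can be checked. Treating the idle-timeout value as seconds is this model's assumption; the page does not give the unit.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed example (not Huawei code): a model of the peer route-limit
# actions. "now" is an explicit clock in seconds, and the idle-timeout value is
# taken in seconds here (assumption: the page does not state the unit).

DEFAULT_RETRY_SECONDS = 30          # retry interval when no action keyword is set


@dataclass
class PeerSession:
    limit: int                              # peer route-limit <limit>
    action: Optional[str] = None            # None, "alert-only", "idle-forever", "idle-timeout"
    idle_timeout: int = 0                   # timer used with idle-timeout
    state: str = "Established"
    accepted: List[str] = field(default_factory=list)
    alarms: List[str] = field(default_factory=list)
    retry_at: Optional[int] = None          # clock value at which the session is retried

    def receive(self, prefix: str, now: int) -> bool:
        """Process one route from the peer; returns True if it was accepted."""
        if self.state != "Established":
            return False                    # nothing is accepted from an Idle peer
        if len(self.accepted) < self.limit:
            self.accepted.append(prefix)
            return True
        # Threshold exceeded: one alarm is logged, then the action decides the session.
        if not self.alarms:
            self.alarms.append(f"route-limit {self.limit} exceeded, dropped {prefix}")
        if self.action == "alert-only":
            return False                    # session kept, excess routes dropped
        self.state = "Idle"                 # session torn down, learned routes withdrawn
        self.accepted.clear()
        if self.action == "idle-forever":
            self.retry_at = None            # never retried automatically; needs reset bgp
        elif self.action == "idle-timeout":
            self.retry_at = now + self.idle_timeout
        else:
            self.retry_at = now + DEFAULT_RETRY_SECONDS
        return False

    def tick(self, now: int) -> str:
        """Advance the clock: re-establish the session once its retry timer expired."""
        if self.state == "Idle" and self.retry_at is not None and now >= self.retry_at:
            self.state = "Established"
            self.retry_at = None
        return self.state

    def reset_bgp(self) -> str:
        """Operator runs reset bgp: the session is re-established immediately."""
        self.state = "Established"
        self.retry_at = None
        return self.state


def run_scenarios(limit: int = 3) -> Dict[str, Dict[str, object]]:
    """Feed limit+1 routes into one peer per action and report what happened."""
    results = {}
    for action in (None, "alert-only", "idle-forever", "idle-timeout"):
        peer = PeerSession(limit, action, idle_timeout=60)
        accepted = [peer.receive(f"10.0.{i}.0/24", now=0) for i in range(limit + 1)]
        results[action or "default"] = {
            "accepted": sum(accepted),
            "state_after": peer.state,
            "alarms": len(peer.alarms),
            "state_at_30s": peer.tick(30),
            "state_at_60s": peer.tick(60),
            "state_after_reset": peer.reset_bgp(),
        }
    return results
```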

Configuring BGP Soft Reset


BGP soft reset allows the system to refresh a BGP routing table dynamically without tearing
down any BGP connection if routing policies are changed.

Context
After changing a BGP import policy, you must reset BGP connections for the new import policy
to take effect, interrupting these BGP connections temporarily. BGP route-refresh allows the
system to refresh a BGP routing table dynamically without tearing down any BGP connection
if routing policies are changed.
- If a device's peer supports route-refresh, the refresh bgp command can be used on the
  device to softly reset the BGP connection with the peer and update the BGP routing table.
- If a device's peer does not support route-refresh, the peer keep-all-routes command can
  be used on the device to retain all routing updates received from the peer so that the device
  can refresh its routing table without closing the connection with the peer.
Perform the following steps on a BGP Switch:

Procedure
- If the device's peers support route-refresh, perform the following operations:
  1. (Optional) Enable route-refresh.
     a. Run:
        system-view
        The system view is displayed.
     b. Run:
        bgp as-number
        The BGP view is displayed.
     c. Run:
        peer { ipv4-address | group-name } capability-advertise route-refresh
        Route-refresh is enabled.
        By default, route-refresh is enabled.
        If route-refresh is enabled on all BGP Switches and the import policy of the local
        Switch is changed, the local Switch sends a route-refresh message to peers or peer
        groups. After receiving the message, the peers or peer groups resend routing
        information to the local BGP Switch. This enables the local Switch to dynamically
        refresh its BGP routing table and apply the new routing policy without closing any
        BGP connections.
  2. Configure BGP soft reset.
     a. Run the refresh bgp [ vpn-instance vpn-instance-name ipv4-family ] { all |
        ipv4-address | group group-name | external | internal } { export | import }
        command in the user view to softly reset the BGP connections between the
        device and its peers or peer groups.
        external softly resets an EBGP connection, and internal softly resets an IBGP
        connection.
        export triggers outbound BGP soft reset, and import triggers inbound BGP soft reset.
- If the device's peers do not support route-refresh, perform the following operations:
  Configure the device to store all the routing updates received from its peers or peer
  groups.
  1. Run:
     system-view
     The system view is displayed.
  2. Run:
     bgp as-number
     The BGP view is displayed.
  3. Run:
     ipv4-family unicast
     The IPv4 unicast address family view is displayed.
  4. Run:
     peer { ipv4-address | group-name } keep-all-routes
     The device is configured to store all the routing updates received from its peers
     or peer groups.
     By default, the device stores only the routing updates that are received from peers or
     peer groups and match a configured import policy.
     After this command is used, all routing updates sent by a specified peer or peer group
     are stored, regardless of whether an import policy is used. When the local routing
     policy changes, the information can be used to regenerate BGP routes again.
     NOTE
     This command must be run on the local device and its peers. If the peer keep-all-routes
     command is run on the device for the first time, the sessions between the device and its peers
     are reestablished.
     The peer keep-all-routes command does not need to be run on the Switch that supports
     route-refresh. If the peer keep-all-routes command is run on the Switch, the sessions between the
     Switch and its peers will not be reestablished but the refresh bgp command does not take effect
     on the Switch.

----End

Checking the Configuration


After configuring BGP route reception, you can view the imported routes matching a specified
filter.

Prerequisites
The BGP route reception configurations are complete.

Procedure
- Run the display ip as-path-filter [ as-path-filter-number | as-path-filter-name ] command
  to check a configured AS_Path filter.
- Run the display ip community-filter [ basic-comm-filter-num | adv-comm-filter-num |
  comm-filter-name ] command to check information about a configured community filter.
- Run the display ip extcommunity-filter [ extcomm-filter-number | extcomm-filter-name ]
  command to check information about a configured extended community filter.
- Run the display bgp routing-table as-path-filter { as-path-filter-number | as-path-filter-name }
  command to check information about routes matching a specified AS_Path filter.
- Run the display bgp routing-table community-filter { { community-filter-name | basic-community-filter-number } [ whole-match ] | advanced-community-filter-number }
  command to check information about routes matching a specified BGP community filter.
- Run the display bgp routing-table peer ipv4-address received-routes [ active ]
  [ statistics ] command to check information about routes received by a BGP device from
  its peers.
- Run the display bgp routing-table peer ipv4-address accepted-routes command to check
  information about the routes that are received by a BGP device from a specified peer and
  match the routing policy.

----End

5.5.7 Configuring BGP Route Aggregation


Configuring BGP Route Aggregation on a device can reduce the sizes of routing tables on the
peers of the device.

Applicable Environment
The BGP routing table of a device on a medium or large BGP network contains a large number
of routing entries. Storing the routing table consumes a large number of memory resources, and
transmitting and processing routing information consume lots of network resources. Configuring
route aggregation can reduce the size of a routing table, prevent specific routes from being
advertised, and minimize the impact of route flapping on network performance. BGP route
aggregation and routing policies enable BGP to effectively transmit and control routes.
BGP supports automatic and manual aggregation. Manual aggregation takes precedence over
automatic aggregation.

Pre-configuration Tasks
Before configuring BGP route aggregation, complete the following task:
- Configuring Basic BGP Functions

Procedure
- Configure automatic route aggregation.
  1. Run:
     system-view
     The system view is displayed.
  2. Run:
     bgp as-number
     The BGP view is displayed.
  3. Run:
     ipv4-family unicast
     The IPv4 unicast address family view is displayed.
  4. Run:
     summary automatic
     Automatic aggregation is configured for imported routes.
     The summary automatic command aggregates routes imported by BGP. The routes
     can be direct routes, static routes, RIP routes, OSPF routes, or IS-IS routes. After this
     command is run, BGP aggregates routes based on natural network segments. The
     command, however, cannot aggregate routes imported using the network command.
- Configure manual route aggregation.
  1. Run:
     system-view
     The system view is displayed.
  2. Run:
     bgp as-number
     The BGP view is displayed.
  3. Run:
     ipv4-family unicast
     The IPv4 unicast address family view is displayed.
  4. Run:
     aggregate ipv4-address { mask | mask-length } [ as-set | attribute-policy
     route-policy-name1 | detail-suppressed | origin-policy route-policy-name2
     | suppress-policy route-policy-name3 ] *
     Manual route aggregation is configured.
     as-set is used to generate an aggregated route in which the AS_Path attribute contains
     AS_Path information of specific routes. If many routes need to be aggregated, exercise
     caution when using this parameter. Frequent changes in specific routes cause flapping
     of the aggregated route.
     detail-suppressed is used to suppress the advertisement of specific routes. After
     detail-suppressed is set, only aggregated routes are advertised. Aggregated routes
     carry the atomic-aggregate attribute, not the community attributes of specific routes.
     suppress-policy is used to suppress the advertisement of specified routes. The if-match
     clause of route-policy can be used to filter routes to be suppressed. Only the
     routes matching the policy will be suppressed, and the other routes will still be
     advertised. The peer route-policy command can also be used to filter out the routes
     not to be advertised to peers.
     After origin-policy is used, only the routes matching route-policy are aggregated.
     attribute-policy is used to set attributes for an aggregated route. If the AS_Path
     attribute is set in the policy using the apply as-path command and as-set is set in the
     aggregate command, the AS_Path attribute in the policy does not take effect. The
     peer route-policy command can also be used to set attributes for an aggregated route.
     Only the routes that exist in the local BGP routing table can be manually aggregated.
     For example, if route 10.1.1.1/24 is not in the BGP routing table, BGP will not generate
     an aggregated route for it even if the aggregate 10.1.1.1 16 command is used.
     When using manual aggregation, you can apply various routing policies and set route
     attributes.
----End
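The aggregation rules above, checked on a constructed BGP table in an added Python model that is not Huawei code: a manual aggregate exists only while a covered specific route is in the local table, as-set makes the aggregate's AS_Path change whenever a specific route comes or goes, and detail-suppressed withholds the specifics. That summary automatic replaces imported specifics by their classful network, and that an aggregate without as-set carries atomic-aggregate, are this model's assumptions.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed example (not Huawei code): models the summary automatic and
# aggregate behaviour described in this section on a sample BGP table.

IPv4Net = ipaddress.IPv4Network


@dataclass
class BgpRoute:
    prefix: IPv4Net
    as_path: List[int] = field(default_factory=list)
    imported: bool = True            # True: import-route; False: network command
    atomic_aggregate: bool = False
    suppressed: bool = False


def classful_network(net: IPv4Net) -> IPv4Net:
    """Natural network segment of an address: /8, /16 or /24 by leading octet."""
    first_octet = int(net.network_address) >> 24
    prefix_len = 8 if first_octet < 128 else 16 if first_octet < 192 else 24
    return ipaddress.ip_network(f"{net.network_address}/{prefix_len}", strict=False)


def summary_automatic(table: List[BgpRoute]) -> List[IPv4Net]:
    """Prefixes advertised with summary automatic: imported routes are replaced
    by their classful aggregate (assumption: the model's reading of "based on
    natural network segments"); routes from the network command are untouched."""
    advertised: List[IPv4Net] = []
    for route in table:
        net = classful_network(route.prefix) if route.imported else route.prefix
        if net not in advertised:
            advertised.append(net)
    return advertised


def aggregate(table: List[BgpRoute], address: str, mask_length: int,
              as_set: bool = False, detail_suppressed: bool = False) -> Optional[BgpRoute]:
    """aggregate ipv4-address mask-length [ as-set ] [ detail-suppressed ]."""
    net = ipaddress.ip_network(f"{address}/{mask_length}", strict=False)  # 10.1.1.1/16 -> 10.1.0.0/16
    specifics = [r for r in table if r.prefix != net and r.prefix.subnet_of(net)]
    if not specifics:
        return None                  # nothing covered in the local BGP table: no aggregate
    # Without as-set the specifics' AS_Path information is dropped and the
    # aggregate is marked atomic-aggregate (assumption of this model).
    agg = BgpRoute(net, imported=False, atomic_aggregate=not as_set)
    if as_set:                       # union of the specifics' AS numbers, first-seen order
        for r in specifics:
            for asn in r.as_path:
                if asn not in agg.as_path:
                    agg.as_path.append(asn)
    if detail_suppressed:
        for r in specifics:
            r.suppressed = True
    return agg


def advertised_prefixes(table: List[BgpRoute], aggregates: List[BgpRoute]) -> List[str]:
    """What the peers see: unsuppressed table routes plus the aggregates."""
    routes = [r for r in table if not r.suppressed] + aggregates
    return sorted(str(r.prefix) for r in routes)


def sample_table() -> List[BgpRoute]:
    """Constructed local BGP table."""
    return [
        BgpRoute(IPv4Net("10.1.1.0/24"), [65001]),
        BgpRoute(IPv4Net("10.1.2.0/24"), [65002]),
        BgpRoute(IPv4Net("172.16.5.0/24"), [65003]),
        BgpRoute(IPv4Net("192.0.2.0/24"), [], imported=False),   # via network command
    ]


def as_set_flap_demo() -> Dict[str, List[int]]:
    """Why as-set needs care: withdrawing one specific changes the aggregate's AS_Path,
    so the aggregate itself is re-advertised (flaps)."""
    table = sample_table()
    before = aggregate(table, "10.1.1.1", 16, as_set=True).as_path
    table = [r for r in table if str(r.prefix) != "10.1.2.0/24"]   # specific withdrawn
    after = aggregate(table, "10.1.1.1", 16, as_set=True).as_path
    return {"before": before, "after": after}
```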

Checking the Configuration


After route aggregation is configured, you can check whether the configuration is correct.
- Run the display bgp routing-table [ network [ mask | mask-length ] ] command to check
  information about BGP aggregated routes.

5.5.8 Configuring BGP Peer Groups


Configuring BGP peer groups simplifies the BGP network configuration and improves the route
advertisement efficiency.

Establishing the Configuration Task


Before configuring BGP peer groups, familiarize yourself with the applicable environment,
complete the pre-configuration tasks, and obtain the data required for the configuration. This
will help you complete the configuration task quickly and efficiently.

Applicable Environment
A BGP peer group consists of BGP peers that have the same update policies and configurations.
A large-scale BGP network has a large number of peers. Configuring and maintaining these
peers is difficult. To address this problem, configure a BGP peer group for BGP peers with the
same configurations. Configuring BGP peer groups simplifies peer management and improves
the route advertisement efficiency.
Based on the ASs where peers reside, peer groups are classified as follows:
- IBGP peer group: The peers of an IBGP peer group are in the same AS.
- Pure EBGP peer group: The peers of a pure EBGP peer group are in the same external AS.
- Mixed EBGP peer group: The peers of a mixed EBGP peer group are in different external
  ASs.

If a function is configured on a peer and its peer group, the function configured on the peer takes
precedence over that configured on the peer group. After a peer group is created, peers can be
added to the peer group. If these peers are not configured separately, they will inherit the
configurations of the peer group. If a peer in a peer group has a specific configuration
requirement, the peer can be configured separately. The configuration of this peer will override
the configuration inherited by the peer from the peer group.

Pre-configuration Tasks
Before configuring BGP peer groups, complete the following task:
- Configuring Basic BGP Functions

Data Preparation
To configure BGP peer groups, you need the following data.

No.   Data
      Type and name of a peer group, and IP addresses of peer group members
Creating IBGP Peer Groups


If multiple IBGP peers exist, adding them to an IBGP peer group can simplify the BGP network
configuration and management. When creating an IBGP peer group, you do not need to specify
an AS number for the IBGP peer group.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
bgp as-number

The BGP view is displayed.


Step 3 Run:
group group-name internal

An IBGP peer group is created.


Step 4 Run:
peer ipv4-address group group-name

A peer is added to the peer group.


NOTE

You can repeat step 4 to add multiple peers to the peer group. If the local device has not established a peer
relationship with this peer, the device will attempt to establish a peer relationship with this peer, and set
the AS number of this peer to the AS number of the peer group.

When creating an IBGP peer group, you do not need to specify the AS number.
After configuring a peer group, you can configure BGP functions for the peer group. By default,
all peers in a peer group inherit the entire configuration of the peer group. The inherited
configuration can be overridden if you directly configure commands for the peer.
----End

Creating Pure EBGP Peer Groups


If multiple EBGP peers exist in an AS, adding them to an EBGP peer group can simplify the
BGP network configuration and management. All the peers in a pure EBGP peer group must
have the same AS number.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
bgp as-number

The BGP view is displayed.



Step 3 Run:
group group-name external

A pure EBGP peer group is created.


Step 4 Run:
peer group-name as-number as-number

An AS number is set for the EBGP peer group. If peers already exist in a peer group, you can
neither change the AS number of the peer group nor delete the AS number of the peer group by
using the undo peer as-number command.
Step 5 Run:
peer ipv4-address group group-name

A peer is added to the peer group.


NOTE

You can repeat step 5 to add multiple peers to the peer group. If the local device has not established a peer
relationship with this peer, the device will attempt to establish a peer relationship with this peer, and set
the AS number of this peer to the AS number of the peer group.

After configuring a peer group, you can configure BGP functions for the peer group. By default,
all peers in a peer group inherit the entire configuration of the peer group. The inherited
configuration can be overridden if you directly configure commands for the peer.
----End

Creating Mixed EBGP Peer Groups


If multiple EBGP peers exist in different ASs, adding them to a mixed EBGP peer group can
simplify the BGP network configuration and management. When creating a mixed EBGP peer
group, you need to specify an AS number for each peer.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
bgp as-number

The BGP view is displayed.


Step 3 Run:
group group-name external

A mixed EBGP peer group is created.


Step 4 Run:
peer ipv4-address as-number as-number

A peer is created and an AS number is set for this peer.


Step 5 Run:
peer ipv4-address group group-name


The peer is added to the peer group.


NOTE

You can repeat Steps 4 and 5 to add multiple peers to the peer group.

You need to specify an AS number for each peer in a mixed EBGP peer group.
After configuring a peer group, you can configure BGP functions for the peer group. By default,
all peers in a peer group inherit the entire configuration of the peer group. The inherited
configuration can be overridden if you directly configure commands for the peer.
----End

Checking the Configuration


After BGP peer groups are configured, you can view information about BGP peers and BGP
peer groups.

Prerequisites
The BGP peer group configurations are complete.

Procedure
- Run the display bgp peer [ ipv4-address ] verbose command to check detailed information
  about BGP peers.
- Run the display bgp group [ group-name ] command to check information about BGP
  peer groups.
  NOTE
  This command is applied only to devices on which BGP peer groups are created.
  If a peer group is specified in this command, detailed information about this peer group
  will be displayed. If no peer group is specified in this command, information about all BGP
  peer groups is displayed.
----End

5.5.9 Configuring BGP Route Reflectors


Deploying BGP RRs allows IBGP peers to communicate without establishing full-mesh
connections between them. Using BGP RRs simplifies network configurations and improves
route advertisement efficiency.

Establishing the Configuration Task


Before configuring BGP RRs, familiarize yourself with the applicable environment, complete
the pre-configuration tasks, and obtain the data required for the configuration. This will help
you complete the configuration task quickly and efficiently.

Applicable Environment
BGP uses the AS_Path attribute to prevent route loops, but it does not change the AS_Path
attribute of a route sent between IBGP peers within an AS. This may cause a route loop. To
prevent this problem, the BGP standard defines that a BGP device is prohibited from advertising
any route received from another IBGP peer. Full-mesh connections then must be created
between IBGP peers to ensure the connectivity between them. If many IBGP peers exist, the
overhead will be large and the configuration workload will be heavy for establishing full-mesh
logical connections between Switches. In addition, the network will be difficult to maintain.
Using BGP confederations or RRs can solve these problems. A BGP confederation consists of
several sub-ASs in an AS. Full-mesh logical connections need to be established and maintained
between IBGP peers in each sub-AS. To deploy RRs, you only need to configure the RR
functionality on Switches and do not need to change configurations on other devices. In this
regard, deploying RRs is easier and more flexible than deploying confederations.

Pre-configuration Tasks
Before configuring a BGP RR, complete the following task:
l Configuring Basic BGP Functions

Data Preparation
To configure a BGP RR, you need the following data.
No. Data
1 Role of each Switch (RR, client, or non-client)
2 (Optional) Cluster ID of the RR

Configuring a Route Reflector and Specifying Clients


Deploying an RR and clients in an address family allows IBGP peers to communicate without
having full-mesh logical connections established between them, reducing network configuration
and maintenance workload, and improving network performance.

Context
In an AS, one Switch serves as an RR, and the other Switches serve as clients. IBGP peer
relationships are set up between the RR and clients. The RR reflects routes between clients, and
BGP connections do not need to be established between the clients. A BGP device that is neither
an RR nor a client is called a non-client. Non-clients and the RR must establish full-mesh
connections with each other.
After receiving IBGP routes, the RR selects optimal routes based on BGP route selection policies
and advertises learned routes to its clients and non-clients following the rules described below:
l After learning routes from non-clients, the RR advertises the routes to all clients.
l After learning routes from clients, the RR advertises the routes to all non-clients and clients.
l In addition, the RR advertises learned EBGP routes to all non-clients and clients.
It is easy to configure an RR. The RR functionality only needs to be configured on one
Switch. Configurations on clients are not required.
Perform the following steps on the Switch that is running BGP and is to be specified as an RR:

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
bgp as-number

The BGP view is displayed.


Step 3 Run:
ipv4-family unicast

The IPv4 unicast address family view is displayed.


Step 4 Run:
peer { ipv4-address | group-name } reflect-client

The Switch is specified as an RR and its clients are configured.


To add more clients, repeat the step.
reflect-client configured in an address family is valid only in this address family and cannot be
inherited by other address families. Configuring reflect-client in a specified address family is
recommended.
----End

(Optional) Disabling Route Reflection Between Clients


If the clients of an RR are fully meshed, prohibiting route reflection among the clients can reduce
the link cost.

Context
The RR usually advertises the routes learned from clients to all non-clients and clients. If full-mesh
logical connections have been established between all the clients of the RR, the clients are
capable of sending routes to each other without the help of the RR. Route reflection can be
disabled between clients to reduce the stress on the RR.
Perform the following steps on the RR that is running BGP.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
bgp as-number

The BGP view is displayed.


Step 3 Run:
ipv4-family unicast


The IPv4 unicast address family view is displayed.


Step 4 Run:
undo reflect between-clients

Route reflection is disabled between clients.


If the clients of an RR have established full-mesh connections with each other, the undo reflect
between-clients command can be used to disable route reflection between clients in order to
reduce the link cost. By default, route reflection is enabled between the clients of an RR.
This command can only be configured on the RR.
----End

(Optional) Configuring the Cluster ID for a Route Reflector


If several RRs are deployed in a cluster, assigning the same cluster ID to them can prevent route
loops.

Context
A backup RR is usually deployed in an AS to prevent a fault on one RR from leaving the clients
and non-clients unable to receive routing information. This backup RR improves network
reliability.
As shown in Figure 5-29, RR1 and RR2 are configured as backups for each other in AS 65000.
Clients 1, 2, and 3 are their clients. An IBGP peer relationship is set up between RR1 and RR2
so that each RR is the other RR's non-client.
Figure 5-29 RR cluster (figure: in AS65000, RR1 and RR2 form one cluster and are IBGP peers of
each other; Client1, Client2, and Client3 each have IBGP connections to the RRs)

Route loops may easily occur in this network. For example, when Client1 receives an updated
route from an EBGP peer, it uses IBGP to advertise this route to RR1 and RR2. Then the
following happen at the same time:
l RR1 advertises it to its clients and non-client (RR2).
l RR2 advertises it to its clients and non-client (RR1).
As a result, a route loop occurs between RR1 and RR2.



To address this problem, configure all Switches on the network shown in Figure 5-29 into the
same cluster and assign them the same cluster ID. After the configuration is complete, if Client1
receives an updated route from an EBGP peer, it uses IBGP to advertise this route to RR1 and
RR2.
l After receiving this route, RR1 reflects it to its clients and RR2 and adds the local cluster
ID to the front of the cluster list.
l After receiving the route reflected from RR1, RR2 checks the cluster list. After finding that
the local cluster ID is already on the cluster list, RR2 discards the route.
NOTE

Using a cluster list prevents route loops between RRs within an AS.

Perform the following steps on each Switch that is running BGP:

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
bgp as-number

The BGP view is displayed.


Step 3 Run:
ipv4-family unicast

The IPv4 unicast address family view is displayed.


Step 4 Run:
reflector cluster-id cluster-id

A cluster ID is configured.
If a cluster has multiple RRs, use this command to set the same cluster-id for these RRs to prevent
route loops.
NOTE

To ensure that a client can learn the routes reflected by an RR, the Cluster ID configured on the RR must
be different from the Cluster ID of the client (By default, the client uses its Router ID as the cluster ID). If
the Cluster ID is the same as the Cluster ID of the client, the client discards received routes.

----End
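The following Python script is an added example; it is not part of this guide and not code from the AC6605 software. It simulates the topology of Figure 5-29 and the two rules stated above: an RR adds its cluster ID to the front of the cluster list when it reflects a route, and a speaker discards a route whose cluster list already contains its own cluster ID. Running it with distinct cluster IDs on RR1 and RR2, with the same cluster ID, and with a client whose cluster ID equals the RR's (the case in the NOTE) shows how many reflections and discards each setting produces. The names (Speaker, propagate, the prefix 192.0.2.0/24, the cluster IDs) are constructed, and the simplified reflection behaviour is an assumption of the model, not a description of the product.

```python
from collections import deque
from dataclasses import dataclass, field

PREFIX = "192.0.2.0/24"   # constructed: the route Client1 learned from an EBGP peer


@dataclass(frozen=True)
class Route:
    prefix: str
    cluster_list: tuple = ()   # leftmost entry is the cluster that reflected the route most recently


@dataclass
class Speaker:
    name: str
    cluster_id: str            # RR: value set with reflector cluster-id; client: its router ID by default
    is_rr: bool = False
    clients: frozenset = frozenset()
    non_clients: frozenset = frozenset()
    rib: dict = field(default_factory=dict)    # prefix -> first copy installed
    seen: set = field(default_factory=set)     # (prefix, cluster_list) copies already processed
    log: list = field(default_factory=list)


def build_network(rr1_id, rr2_id, client2_id="10.0.0.2"):
    """Topology of Figure 5-29: RR1 and RR2 are non-clients of each other and share three clients."""
    clients = frozenset({"Client1", "Client2", "Client3"})
    speakers = [
        Speaker("RR1", rr1_id, True, clients, frozenset({"RR2"})),
        Speaker("RR2", rr2_id, True, clients, frozenset({"RR1"})),
        Speaker("Client1", "10.0.0.1"),
        Speaker("Client2", client2_id),
        Speaker("Client3", "10.0.0.3"),
    ]
    return {s.name: s for s in speakers}


def propagate(net, origin, prefix):
    """Advertise prefix from origin to both RRs over IBGP and apply the RR rules from the guide."""
    net[origin].rib[prefix] = Route(prefix)
    queue = deque((rr, Route(prefix), origin) for rr in ("RR1", "RR2"))
    stats = {"reflections": 0, "discards": 0}
    while queue:
        to, route, sender = queue.popleft()
        me = net[to]
        # Loop check: a speaker whose cluster ID already appears in the cluster list drops the route.
        if me.cluster_id in route.cluster_list:
            stats["discards"] += 1
            me.log.append(f"discard {route.prefix} from {sender}: own cluster ID in {route.cluster_list}")
            continue
        if (route.prefix, route.cluster_list) in me.seen:
            continue                      # identical copy already handled
        me.seen.add((route.prefix, route.cluster_list))
        me.rib.setdefault(route.prefix, route)
        if not me.is_rr:
            continue                      # clients do not re-advertise IBGP-learned routes
        # Rules from the guide: routes from a client go to all clients and non-clients,
        # routes from a non-client go to all clients. The RR prepends its cluster ID.
        targets = (me.clients | me.non_clients) if sender in me.clients else me.clients
        reflected = Route(route.prefix, (me.cluster_id,) + route.cluster_list)
        for target in sorted(targets - {sender}):
            queue.append((target, reflected, me.name))
            stats["reflections"] += 1
    stats["installed"] = sorted(name for name, s in net.items() if prefix in s.rib)
    return stats


if __name__ == "__main__":
    for label, ids in (("distinct cluster IDs", ("1.1.1.1", "2.2.2.2")),
                       ("same cluster ID", ("1.1.1.1", "1.1.1.1"))):
        print(label, propagate(build_network(*ids), "Client1", PREFIX))
    # The NOTE case: a client whose cluster ID equals the RR's discards every reflected route.
    print("client shares RR cluster ID",
          propagate(build_network("1.1.1.1", "1.1.1.1", client2_id="1.1.1.1"), "Client1", PREFIX))
```

With distinct cluster IDs each RR reflects the copy it received from the other RR once more before the cluster list catches it (12 reflected messages); with the same cluster ID both RRs discard the reflected copy at the first hop (6 messages, 2 discards). When Client2 carries the RR's cluster ID it never installs the route, which is the condition the NOTE warns about.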

(Optional) Preventing BGP Routes from Being Added into the IP Routing Table
Disabling BGP route delivery to the IP routing table on an RR can prevent traffic from being
forwarded by the RR, improving route advertisement efficiency.

Context
Usually, BGP routes are delivered to the IP routing table on the Switch to guide traffic
forwarding. If the Switch does not need to forward traffic, disable BGP route delivery to the IP
routing table on the Switch.

BGP route delivery to the IP routing table is generally disabled on RRs. An RR transmits routes
and forwards traffic within an AS. If the RR is connected to many clients and non-clients, the
route transmission task will consume a lot of CPU resources of the RR and leave the RR unable
to forward traffic. To improve the efficiency of route transmission, disable BGP route delivery
to the IP routing table on the RR to make the RR dedicated to route transmission.
Perform the following steps on the Switch that is running BGP.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
bgp as-number

The BGP view is displayed.


Step 3 Run:
ipv4-family unicast

The IPv4 unicast address family view is displayed.


Step 4 Run:
bgp-rib-only [ route-policy route-policy-name ]

BGP route delivery to the IP routing table is disabled.


The routes preferred by BGP are delivered to the IP routing table by default.
If route-policy route-policy-name is configured in the bgp-rib-only command, routes matching
the policy are not delivered to the IP routing table, and routes not matching the policy are
delivered to the IP routing table, with the route attributes unchanged.
NOTE

The bgp-rib-only command and the active-route-advertise command are mutually exclusive.

----End

Checking the Configuration


After configuring BGP RRs, you can view BGP RR configurations and routing information
transmitted by BGP.

Prerequisites
All BGP RR configurations are complete.

Procedure
l Run the display bgp routing-table [ network [ { mask | mask-length } [ longer-prefixes ] ] ] command to check information in a BGP routing table.

----End

5.5.10 Configuring a BGP Confederation


BGP confederations can be configured on a large BGP network to reduce the number of IBGP
connections and simplify routing policy management, increasing route advertisement efficiency.

Applicable Environment
A confederation can be used to reduce the number of IBGP connections in an AS. It divides an
AS into several sub-ASs. Full-mesh IBGP connections are established between devices in each
sub-AS, and full-mesh EBGP connections are established between devices in different sub-ASs.
Compared with RRs, confederations facilitate IGP extensions.

Pre-configuration Tasks
Before configuring a BGP confederation, complete the following tasks:
l Configuring link layer protocol parameters for interfaces to ensure that the link layer
protocol on the interfaces is Up
l Configuring Basic BGP Functions

Procedure
l Configure a BGP confederation.
Perform the following steps on a BGP device:
1. Run:
system-view

The system view is displayed.

2. Run:
bgp as-number

The BGP view is displayed.

3. Run:
confederation id as-number

A confederation ID is set.

4. Run:
confederation peer-as as-number &<1-32>

The number of the sub-AS where other EBGP peers connected to the local AS reside
is set.
as-number is valid in the confederation only when the sub-ASs of the confederation
are configured.
The confederation id and confederation peer-as commands must be run on all the
EBGP peers in the same confederation, and the same confederation ID must be set for
these EBGP peers.


NOTE

An old speaker that has a 2-byte AS number cannot be in the same confederation with a new
speaker that has a 4-byte AS number. Otherwise, a routing loop may occur. This is because the
AS4_Path attribute does not support confederations.

l Configure confederation compatibility.
Other Switches may implement a confederation that does not comply with the RFC
standard. In such a situation, confederation compatibility must be configured. Perform the
following steps on a BGP device:
1. Run:
system-view

The system view is displayed.

2. Run:
bgp as-number

The BGP view is displayed.

3. Run:
confederation nonstandard

The Switches are configured to be compatible with the nonstandard AS confederation.

By default, the configured confederation accords with RFC 3065.
----End

Checking the Configuration


After a confederation is configured, you can check whether the configuration is correct.
l Run the display bgp peer [ ipv4-address ] verbose command to check detailed information
about BGP peers.
l Run the display bgp routing-table [ network [ { mask | mask-length } [ longer-prefixes ] ] ] command to check routing information in a BGP routing table.

5.5.11 Configuring BGP Community Attributes


Community attributes are used to simplify routing policy management.

Establishing the Configuration Task


Before configuring BGP community attributes, familiarize yourself with the applicable
environment, complete the pre-configuration tasks, and obtain the data required for the
configuration. This will help you complete the configuration task quickly and accurately.

Applicable Environment
Community attributes are used to simplify routing policy application and facilitate network
maintenance. They allow a group of BGP Switches in different ASs to share the same routing
policies. Before advertising a route with the community attribute to peers, a BGP Switch can
change the original community attribute of this route. Community attributes are route attributes,
which are transmitted between BGP peers, and the transmission is not restricted within an AS.

Pre-configuration Tasks
Before configuring BGP community attributes, complete the following task:
l Configuring Basic BGP Functions

Data Preparation
To configure BGP Community attributes, you need the following data.
No. Data
1 Community attribute value
2 Route-policy name, node sequence number, and matching condition
3 Names of inbound and outbound routing policies

Configuring Community Attribute-Related Routing Policies


A routing policy that references a community attribute needs to be configured before the
community attribute is advertised.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
route-policy route-policy-name { permit | deny } node node

A node is configured for a routing policy, and the view of the routing policy is displayed.
Step 3 (Optional) Configure filtering conditions (if-match clauses) for a routing policy. Community
attributes can be added only to the routes that pass the filtering, and the community attributes
of only the routes that pass the filtering can be modified.
For configuration details, see (Optional) Configuring if-match Clauses.
Step 4 Configure community or extended community attributes for BGP routes.
l Run:
apply community { { community-number | aa:nn } &<1-32> | internet | no-advertise | no-export | no-export-subconfed }* [ additive ]

Community attributes are configured for BGP routes.


NOTE

A maximum of 32 community attributes can be configured in the apply community command.

l Run:
apply extcommunity { rt { as-number:nn | ipv4-address:nn } } &<1-16>
[ additive ]

An extended community attribute (Route-Target) is configured for BGP routes.


----End

Configuring a BGP Device to Send Community Attributes to Its Peer


A community attribute takes effect only after the community attribute and the routing policy
referencing the community attribute are advertised.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
bgp as-number

The BGP view is displayed.


Step 3 Run:
ipv4-family unicast

The IPv4 unicast address family view is displayed.


Step 4 Run:
peer { ipv4-address | group-name } route-policy route-policy-name export

An export routing policy is configured.


NOTE

When configuring a BGP community, use a routing policy to define the community attribute, and apply
the routing policy to the routes to be advertised.
For details on routing policy configurations, see the chapter "Routing Policy Configuration."

Step 5 Run one of the following commands as needed to configure a BGP device to advertise
community attributes to its peer or peer group.
l To configure the BGP device to send a standard community attribute to its peer or peer group,
run:
peer { ipv4-address | group-name } advertise-community

By default, a device advertises no community attribute to its peer or peer group.


l To configure the BGP device to send an extended community attribute to its peer or peer
group, run:
peer { ipv4-address | group-name } advertise-ext-community

By default, a device advertises no extended community attribute to its peer or peer group.
----End

Checking the Configuration


After configuring BGP community attributes, you can view the configured BGP community
attributes.

Prerequisites
The BGP community attribute configurations are complete.

Procedure
l Run the display bgp routing-table network [ mask | mask-length ] command to check the
detailed information about BGP routes.
l Run the display bgp routing-table community [ community-number | aa:nn ] &<1-29>
[ internet | no-advertise | no-export | no-export-subconfed ] * [ whole-match ] command
to check information about the routes carrying specified BGP community attributes.

----End
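The following Python script is an added example; it is not part of this guide and not code from the AC6605 software. It models the operands accepted by the apply community command in "Configuring Community Attribute-Related Routing Policies" (aa:nn, a 32-bit community number, or one of the well-known names), the additive keyword, the 32-value limit from the NOTE, and the whole-match keyword of the display bgp routing-table community command in "Checking the Configuration". The numeric values of the well-known communities and the export semantics in export_allowed come from RFC 1997, not from this guide; the function names and the peer-kind labels are constructed for the example.

```python
# Well-known community values from RFC 1997; the names are the keywords used by the guide's
# apply community and display bgp routing-table community commands.
WELL_KNOWN = {
    "internet": 0x00000000,
    "no-export": 0xFFFFFF01,
    "no-advertise": 0xFFFFFF02,
    "no-export-subconfed": 0xFFFFFF03,
}
NAME_OF = {value: name for name, value in WELL_KNOWN.items()}
MAX_APPLY = 32      # the NOTE: at most 32 community attributes in one apply community command


def parse_community(token):
    """Turn one apply community operand (aa:nn, a 32-bit number, or a well-known name) into an int."""
    token = token.strip().lower()
    if token in WELL_KNOWN:
        return WELL_KNOWN[token]
    if ":" in token:
        aa, nn = (int(part) for part in token.split(":", 1))
        if not (0 <= aa <= 0xFFFF and 0 <= nn <= 0xFFFF):
            raise ValueError(f"aa and nn must each fit in 16 bits: {token}")
        return (aa << 16) | nn
    value = int(token)
    if not 0 <= value <= 0xFFFFFFFF:
        raise ValueError(f"community-number must be a 32-bit value: {token}")
    return value


def format_community(value):
    """Inverse of parse_community: the well-known name if there is one, else aa:nn."""
    return NAME_OF.get(value, f"{value >> 16}:{value & 0xFFFF}")


def apply_community(route_communities, operands, additive=False):
    """Model apply community ... [ additive ]: replace the communities a route carries, or, with
    additive, append the new values to the ones already present."""
    if len(operands) > MAX_APPLY:
        raise ValueError(f"apply community accepts at most {MAX_APPLY} values")
    new = [parse_community(token) for token in operands]
    if not additive:
        return new
    return list(route_communities) + [c for c in new if c not in route_communities]


def export_allowed(communities, peer_kind):
    """RFC 1997 meaning of the well-known communities for a peer of kind 'ibgp',
    'confed-ebgp' (a peer in another sub-AS of the same confederation) or 'ebgp'."""
    if peer_kind not in ("ibgp", "confed-ebgp", "ebgp"):
        raise ValueError(f"unknown peer kind {peer_kind}")
    if WELL_KNOWN["no-advertise"] in communities:
        return False                       # not advertised to any peer
    if WELL_KNOWN["no-export"] in communities and peer_kind == "ebgp":
        return False                       # stays inside the AS or confederation
    if WELL_KNOWN["no-export-subconfed"] in communities and peer_kind != "ibgp":
        return False                       # stays inside the local (sub-)AS
    return True


def matches_display_filter(route_communities, wanted, whole_match=False):
    """Model display bgp routing-table community ... [ whole-match ]: without whole-match a route
    qualifies if it carries every listed community; with whole-match the sets must be identical."""
    wanted_set = {parse_community(token) for token in wanted}
    have = set(route_communities)
    return have == wanted_set if whole_match else wanted_set <= have


if __name__ == "__main__":
    # Constructed route: it already carries 65000:100; the policy adds 65000:200 and no-export.
    route = [parse_community("65000:100")]
    merged = apply_community(route, ["65000:200", "no-export"], additive=True)
    print([format_community(c) for c in merged])
    for kind in ("ibgp", "confed-ebgp", "ebgp"):
        print(kind, "export allowed:", export_allowed(merged, kind))
```

Without additive the policy replaces whatever the route carried, so a route that arrived with 65000:100 leaves with only the values named in the command; with additive the original community survives. The no-export community added here stops the route at the AS (or confederation) boundary but still lets the IBGP peers and the other sub-ASs see it, which is the usual way to keep a customer prefix from leaking to transit peers.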

5.5.12 Configuring to Adjust the BGP Network Convergence Speed


You can adjust the BGP network convergence speed by adjusting BGP peer connection
parameters to adapt to changes on large-scale networks.

Establishing the Configuration Task


Before adjusting the BGP network convergence speed, familiarize yourself with the applicable
environment, complete the pre-configuration tasks, and obtain the data required for the
configuration. This will help you complete the configuration task quickly and efficiently.

Applicable Environment
BGP is used to transmit routing information on large-scale networks. Frequent network changes
affect the establishment and maintenance of BGP peer relationships, affecting the BGP network
convergence speed.
The route dampening and triggered update functions of BGP suppress frequent route changes
to a certain extent, but cannot minimize the impact of network flapping on BGP connections.
You can configure BGP timers, disable rapid EBGP connection reset, and enable BGP tracking
to suppress BGP network flapping and speed up BGP network convergence.
l ConnectRetry timer
A ConnectRetry timer is used to set an interval between BGP attempts to initiate TCP
connections. After BGP initiates a TCP connection, the ConnectRetry timer will be stopped
if the TCP connection is established successfully. If the first attempt to establish a TCP
connection fails, BGP tries again to establish the TCP connection after the ConnectRetry
timer expires.
You can accelerate or slow down the establishment of BGP peer relationships by changing
the BGP ConnectRetry interval. For example, if the ConnectRetry interval is reduced, BGP
will wait less time before retrying to establish a TCP connection when the previous attempt
fails. This speeds up TCP connection establishment. If a BGP peer flaps constantly, the
ConnectRetry interval can be increased to suppress route flapping caused by BGP peer
flapping. This speeds up route convergence.
l BGP Keepalive and hold timers
BGP uses Keepalive messages to maintain BGP peer relationships and monitor connection
status.
After establishing a BGP connection, two peers send Keepalive messages periodically to
each other to detect the BGP connection status. If the Switch does not receive any Keepalive
message or any other type of packet from the peer within the hold time, the Switch
considers the BGP connection interrupted and closes the BGP connection.
l BGP MinRouteAdvertisementIntervalTimer
BGP does not periodically update a routing table. When BGP routes change, BGP updates
the changed BGP routes in the BGP routing table by sending Update messages. If a route
changes frequently, to prevent the Switch from sending Update messages upon every
change, set the interval at which Update messages are sent.
l Rapid EBGP connection reset
Rapid EBGP connection reset is enabled by default so that EBGP can quickly detect the
status of interfaces used to establish EBGP connections. If the interface status changes
frequently, rapid EBGP connection reset can be disabled. As a result, direct EBGP sessions
will not be reestablished and deleted as the interface alternates between Up and Down. This
implements rapid network convergence.
l BGP tracking
BGP tracking can speed up network convergence by adjusting the interval between peer
unreachability discovery and connection interruption. BGP tracking is easy to deploy and
has good extensibility.

Pre-configuration Tasks
Before adjusting the BGP network convergence speed, complete the following tasks:
l Configuring Basic BGP Functions

Data Preparation
To adjust the BGP network convergence speed, you need the following data.
No. Data
1 Value of the ConnectRetry timer
2 Values of BGP Keepalive and hold timers
3 Value of the MinRouteAdvertisementIntervalTimer
4 Interval between peer unreachability discovery and connection interruption

Configuring a BGP ConnectRetry Timer


You can control the speed at which BGP peer relationships are established by changing the BGP
ConnectRetry timer value.

Context
After BGP initiates a TCP connection, the ConnectRetry timer will be stopped if the TCP
connection is established successfully. If the first attempt to establish a TCP connection fails,
BGP tries again to establish the TCP connection after the ConnectRetry timer expires.
l Setting a short ConnectRetry interval reduces the period BGP waits between attempts to
establish a TCP connection. This speeds up the establishment of the TCP connection.
l Setting a long ConnectRetry interval suppresses route flapping caused by peer relationship
flapping.


A ConnectRetry timer can be configured either for all peers or peer groups, or for a specific peer
or peer group. A ConnectRetry timer configured for a specific peer takes precedence over that
configured for the peer group of this peer. In addition, a ConnectRetry timer configured for a
specific peer or peer group takes precedence over that configured for all peers or peer groups.

Procedure
l Configure a BGP ConnectRetry timer for all peers or peer groups.
Perform the following steps on a BGP Switch:
1. Run:
system-view

The system view is displayed.

2. Run:
bgp as-number

The BGP view is displayed.

3. Run:
timer connect-retry connect-retry-time

A BGP ConnectRetry timer is configured for all peers or peer groups.
By default, the ConnectRetry timer value is 32s.
l Configure a ConnectRetry timer for a specific peer or peer group.
Perform the following steps on a BGP Switch:
1. Run:
system-view

The system view is displayed.

2. Run:
bgp as-number

The BGP view is displayed.

3. Run:
peer { group-name | ipv4-address } timer connect-retry connect-retry-time

A ConnectRetry timer is configured for a specific peer or peer group.
By default, the ConnectRetry timer value is 32s.
The ConnectRetry timer configured for a peer or peer group takes precedence over
that configured for all peers or peer groups.
----End

Configuring BGP Keepalive and Hold Timers


The values of BGP Keepalive and hold timers determine the speed at which BGP detects network
faults. You can adjust the values of these timers to improve network performance.

Context
Keepalive messages are used by BGP to maintain peer relationships. After establishing a BGP
connection, two peers periodically send Keepalive messages to each other to detect BGP peer
relationship status. If a device receives no Keepalive message from its peer after the hold timer
expires, the device considers the BGP connection to be closed.
l If short Keepalive time and holdtime are set, BGP can detect a link fault quickly. This
speeds up BGP network convergence, but increases the number of Keepalive messages on
the network and the load on Switches, and consumes more network bandwidth resources.
l If long Keepalive time and holdtime are set, the number of Keepalive messages on the
network is reduced. This reduces the load on Switches. If the Keepalive time is too long, BGP
is unable to detect link status changes in a timely manner. This is unhelpful for
implementing rapid BGP network convergence and may cause many packets to be lost.

CAUTION
Changing timer values using the timer command or the peer timer command interrupts BGP
peer relationships between Switches. Therefore, exercise caution before changing the value of
a timer.
Keepalive and hold timers can be configured either for all peers or peer groups, or for a specific
peer or peer group. Keepalive and hold timers configured for a specific peer take precedence
over those configured for the peer group of this peer. In addition, Keepalive and hold timers
configured for a specific peer or peer group take precedence over those configured for all peers
or peer groups.

Procedure
l Configure BGP timers for all peers or peer groups.
Perform the following steps on a BGP Switch:
1. Run:
system-view

The system view is displayed.

2. Run:
bgp as-number

The BGP view is displayed.

3. Run:
timer keepalive keepalive-time hold hold-time

BGP timers are configured.
The proper maximum interval at which Keepalive messages are sent is one third of the
holdtime and not less than one second. If the holdtime is not set to 0, it must be at least 3s.
By default, the keepalive-time value is 60s and the hold-time value is 180s.
NOTE

Setting the Keepalive time to 20s is recommended. If the Keepalive time is smaller than 20s,
sessions between peers may be closed.

When setting values of keepalive-time and hold-time, note the following points:
l The keepalive-time and hold-time values cannot be both set to 0. Otherwise, the
BGP timers become invalid, meaning that BGP will not send Keepalive messages
to detect connection status.
l The hold-time value cannot be much greater than the keepalive-time value. For
example, keepalive-time cannot be set to 1 while hold-time is set to 65535. If the
hold-time value is too large, BGP cannot detect connection status in time.
l After a connection is established between peers, the keepalive-time and hold-time
values are negotiated by the peers. The smaller one of the hold-time values carried by
Open messages of both peers is taken as the hold-time value. The smaller of one third
of the hold-time value and the locally configured keepalive-time value is taken as the
keepalive-time value.
l Configure timers for a specific peer or peer group.
Perform the following steps on a BGP Switch:
1. Run:
system-view

The system view is displayed.

2. Run:
bgp as-number

The BGP view is displayed.

3. Run:
peer { ipv4-address | group-name } timer keepalive keepalive-time hold
hold-time

The Keepalive and hold timer values are set for a specific peer or peer group.
For information about the relationship between the keepalive-time and hold-time
values, see Configure BGP timers for all peers or peer groups.
NOTE

Setting the Keepalive time to 20s is recommended. If the Keepalive time is smaller than 20s,
sessions between peers may be closed.

Timers set for a specific peer or peer group take precedence over timers set for all
peers or peer groups.
----End
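The following Python script is an added example; it is not part of this guide and not code from the AC6605 software. It models three statements made in this chapter: a peer inherits the configuration of its peer group unless a command is applied to the peer directly (from "Creating Mixed EBGP Peer Groups"), timers set for a peer take precedence over those set for its peer group, which take precedence over the timer command for all peers (the ConnectRetry and Keepalive/hold procedures above), and the Keepalive/hold negotiation and sanity rules listed under "Configuring BGP timers for all peers or peer groups". The default values (60s, 180s, 32s) and the 20s recommendation are the guide's; the class and function names, the sample addresses and the 3x threshold used for "much greater" are constructed for the example.

```python
from dataclasses import dataclass, field

# Defaults stated in the guide: keepalive 60s, hold 180s, ConnectRetry 32s.
DEFAULTS = {"keepalive": 60, "hold": 180, "connect_retry": 32}
RECOMMENDED_MIN_KEEPALIVE = 20   # the guide's NOTE: below 20s sessions may be closed


@dataclass
class BgpTimerConfig:
    """Timer settings at the three scopes the guide describes (all values in whole seconds)."""
    for_all: dict = field(default_factory=dict)     # timer keepalive ... hold ... / timer connect-retry ...
    per_group: dict = field(default_factory=dict)   # group-name -> settings from peer <group> timer ...
    per_peer: dict = field(default_factory=dict)    # ipv4-address -> settings from peer <ip> timer ...
    group_of: dict = field(default_factory=dict)    # ipv4-address -> group-name (peer <ip> group <group>)

    def effective(self, peer, name):
        """Peer-specific value, else the peer group's (inherited), else the all-peers value, else the default."""
        scopes = (
            self.per_peer.get(peer, {}),
            self.per_group.get(self.group_of.get(peer), {}),
            self.for_all,
        )
        for scope in scopes:
            if name in scope:
                return scope[name]
        return DEFAULTS[name]


def validate_timers(keepalive, hold):
    """Return the problems the guide warns about for a keepalive/hold pair (empty list = acceptable).
    Treating hold > 3 x keepalive as 'much greater' is an assumption chosen for this example."""
    problems = []
    if keepalive == 0 and hold == 0:
        problems.append("keepalive and hold are both 0: no Keepalive messages, connection loss goes undetected")
    if hold != 0 and hold < 3:
        problems.append("hold must be at least 3s when it is not 0")
    if keepalive > 0 and hold > 3 * keepalive:
        problems.append(f"hold {hold}s is much greater than keepalive {keepalive}s: connection loss is detected late")
    if 0 < keepalive < RECOMMENDED_MIN_KEEPALIVE:
        problems.append(f"keepalive {keepalive}s is below the recommended {RECOMMENDED_MIN_KEEPALIVE}s: sessions may be closed")
    return problems


def negotiate(local_keepalive, local_hold, peer_hold):
    """Negotiation rule from the guide: the smaller hold time carried in the two Open messages wins,
    and keepalive becomes the smaller of one third of that hold time and the local keepalive value."""
    hold = min(local_hold, peer_hold)
    keepalive = min(hold // 3, local_keepalive)
    return keepalive, hold


if __name__ == "__main__":
    # Constructed configuration: a global timer, a mixed EBGP peer group with its own
    # ConnectRetry timer, and one peer that overrides the group's inherited keepalive/hold.
    cfg = BgpTimerConfig(
        for_all={"keepalive": 30, "hold": 90},
        per_group={"ebgp-mixed": {"connect_retry": 10}},
        per_peer={"10.1.1.2": {"keepalive": 20, "hold": 60}},
        group_of={"10.1.1.2": "ebgp-mixed", "10.1.1.3": "ebgp-mixed"},
    )
    for peer in ("10.1.1.2", "10.1.1.3", "10.9.9.9"):
        print(peer, {n: cfg.effective(peer, n) for n in DEFAULTS})
    print(validate_timers(1, 65535))
    print("negotiated:", negotiate(cfg.effective("10.1.1.2", "keepalive"), cfg.effective("10.1.1.2", "hold"), 180))
```

Peer 10.1.1.2 ends up with keepalive 20s and hold 60s from its own settings but the 10s ConnectRetry timer inherited from its group; 10.1.1.3 inherits the group's ConnectRetry timer and the all-peers keepalive/hold; a peer in no group falls back to the defaults. The negotiation shows why both sides' values matter: a remote peer advertising a shorter hold time lowers the local keepalive interval as well.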

Configuring a MinRouteAdvertisementIntervalTimer
A proper MinRouteAdvertisementIntervalTimer can be configured to suppress frequent route
changes, improving BGP network stability.

Context
BGP peers use update messages to exchange routing information. Update messages can be used
to advertise multiple reachable routes with the same attributes or withdraw multiple unreachable
routes.
BGP does not periodically update a routing table. When BGP routes change, BGP updates the
changed BGP routes in the BGP routing table by sending Update messages. If a route changes
frequently, to prevent the Switch from sending Update messages upon every change, set the
interval at which Update messages are sent.

Perform the following steps on a BGP Switch:

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
bgp as-number

The BGP view is displayed.


Step 3 Run:
peer { ipv4-address | group-name } route-update-interval interval

A MinRouteAdvertisementIntervalTimer is configured.
By default, the interval at which Update messages are sent to IBGP peers is 15s, and the interval
at which Update messages are sent to EBGP peers is 30s.
ipv4-address specifies the address of a specific peer. group-name specifies the name of a peer
group. The MinRouteAdvertisementIntervalTimer configured for a peer takes precedence over
the MinRouteAdvertisementIntervalTimer configured for a peer group.
----End

Disabling Fast Reset of EBGP Connections


Disabling rapid EBGP connection reset can prevent repeated reestablishment and deletion of
EBGP sessions in the event of route flapping. This speeds up BGP network convergence.

Context
Rapid EBGP connection reset is enabled by default. This allows BGP to immediately respond
to a fault on an interface and delete the direct EBGP sessions on the interface without waiting
for the hold timer to expire and implements rapid BGP network convergence.
NOTE

Rapid EBGP connection reset enables BGP to quickly respond to interface faults but does not enable BGP
to quickly respond to interface recovery. After the interface recovers, BGP uses its state machine to restore
relevant sessions.

If the status of an interface used to establish an EBGP connection changes frequently, the EBGP
session will be deleted and reestablished repeatedly, causing network flapping. Rapid EBGP
connection reset can be disabled in such a situation. BGP will then not delete direct EBGP sessions
on the interface until the hold timer expires. This suppresses BGP network flapping, helps to
implement rapid BGP network convergence, and reduces network bandwidth consumption.
Perform the following steps on a BGP Switch.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
bgp as-number

The BGP view is displayed.


Step 3 Run:
undo ebgp-interface-sensitive

Rapid EBGP connection reset is disabled.


NOTE

Rapid EBGP connection reset is disabled in a situation where the status of an interface used to establish
an EBGP connection changes frequently. If the status of the interface becomes stable, run the
ebgp-interface-sensitive command to enable rapid EBGP connection reset again and implement rapid
BGP network convergence.

----End

Enabling BGP Peer Tracking


BGP peer tracking can be used to adjust the interval between peer unreachability discovery and
connection interruption. This suppresses BGP peer relationship flapping caused by route
flapping and improves BGP network stability.

Context
BFD for BGP can be configured to detect peer relationship status changes in order to implement rapid
BGP convergence. BFD, however, needs to be configured on the entire network, and has poor
extensibility. If BFD cannot be deployed on a device to detect BGP peer relationship status,
BGP peer tracking can be enabled on the device to quickly detect link or peer unreachability,
implementing rapid network convergence.
Perform the following steps on a BGP Switch.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
bgp as-number

The BGP view is displayed.


Step 3 Run:
peer { group-name | ipv4-address } tracking [ delay delay-time ]

BGP peer tracking is enabled on the device to detect the status of a specified peer.
By default, BGP peer tracking is disabled.
ipv4-address specifies the address of a peer. group-name specifies the name of a peer group.
BGP peer tracking configured on a peer takes precedence over BGP peer tracking configured
on the peer group of this peer.
If delay-time is not specified, the default delay (0 seconds) is used. This means that a BGP device
tears down the connection with a peer immediately after detecting that the peer is unreachable.
A proper delay-time value can ensure network stability.
- If an IBGP peer relationship is established based on an IGP route, the delay-time values set
on the BGP peers must be greater than the IGP route convergence time. Otherwise, if IGP route
flapping occurs, the BGP peer relationship will be interrupted before network convergence
is complete.
NOTE

If IGP GR is configured and a BGP peer relationship is established based on an IGP route, and a device
becomes faulty and performs an active/standby switchover, the IGP will not delete the routes received by
the device. As a result, the BGP peer relationship will not be interrupted, even though BGP peer
tracking does not take effect.

- If BGP peers have negotiated the GR capability and one of the peers performs an active/
standby switchover, the delay-time values on the BGP peers must be greater than the GR
time. Otherwise, the BGP peer relationship will be interrupted before the GR time expires.
As a result, GR becomes invalid.
----End
----End

Checking the Configuration


After the BGP network convergence speed is adjusted, you can view information about BGP
peers and peer groups.

Prerequisites
The configurations for adjusting the BGP network convergence speed are complete.

Procedure
- Run the display bgp peer [ verbose ] command to check information about BGP peers.

----End

5.5.13 Configuring BGP Route Dampening


BGP route dampening can be configured to suppress unstable routes.

Applicable Environment
The main cause of route instability is route flapping. A route is considered to be flapping when
it repeatedly appears and then disappears in the routing table. BGP is generally applied to
complex networks where routes change frequently. Frequent route flapping consumes lots of
bandwidth and CPU resources and even seriously affects network operations.
BGP route dampening prevents frequent route flapping by using a penalty value to measure route
stability. When a route flaps for the first time, a penalty value is assigned to the route. Later,
each time the route flaps, the penalty value of the route increases by a specific value. The greater
the penalty value, the less stable the route. If the penalty value of a route exceeds the pre-defined
threshold, the route will not be advertised until the penalty value of the route reduces to the reuse
threshold.
Route dampening applies only to EBGP routes; IBGP routes cannot be dampened.
Generally, IBGP routes include routes from the local AS, and the forwarding tables of the devices in
the AS are required to be the same. In addition, IGP fast convergence aims to achieve information
synchronization. If IBGP routes were dampened, dampening parameters would vary on different
devices, and the forwarding tables would become inconsistent.

Pre-configuration Tasks
Before configuring BGP route dampening, complete the following task:
- Configuring Basic BGP Functions

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
bgp as-number

The BGP view is displayed.


Step 3 Run:
ipv4-family unicast

The IPv4 unicast address family view is displayed.


Step 4 Run:
dampening [ half-life-reach reuse suppress ceiling | route-policy route-policy-name ] *

BGP route dampening parameters are set.


NOTE

The dampening command takes effect only for EBGP routes.

When you configure BGP route dampening, the values of reuse, suppress, and ceiling must
satisfy the relationship reuse < suppress < ceiling.
If routes are differentiated based on policies and the dampening command is run to reference
a route-policy, BGP can use different route dampening parameters to suppress different routes.
----End
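The penalty mechanism described under Applicable Environment and the reuse < suppress < ceiling rule from Step 4, worked through as an added example (Python written for this guide, not Huawei code). The page does not state the per-flap penalty increment, the decay law, or default parameter values; the 1000-per-flap increment, the exponential half-life decay (the RFC 2439 model) and the 15/750/2000/16000 defaults are assumptions.

```python
"""BGP route dampening simulated minute by minute (added example, not Huawei code).

Assumptions not stated on the page: each flap adds PENALTY_PER_FLAP to the
penalty, the penalty decays exponentially with the configured half-life, and
the default parameters are half-life 15 min, reuse 750, suppress 2000,
ceiling 16000."""
import math

PENALTY_PER_FLAP = 1000  # assumption (RFC 2439 convention), not from the page


def validate_dampening(half_life_min, reuse, suppress, ceiling):
    """Reject parameter sets that violate reuse < suppress < ceiling."""
    if half_life_min <= 0:
        raise ValueError("half-life must be positive")
    if not (reuse < suppress < ceiling):
        raise ValueError("dampening parameters must satisfy reuse < suppress < ceiling")
    return True


def decay(penalty, minutes, half_life_min):
    """Exponential decay: the penalty halves every half_life_min minutes."""
    return penalty * math.pow(0.5, minutes / half_life_min)


def max_suppress_minutes(half_life_min=15, reuse=750, ceiling=16000):
    """Longest time a route can stay suppressed: the time a penalty sitting at
    the ceiling needs to decay down to the reuse threshold."""
    return half_life_min * math.log2(ceiling / reuse)


def simulate(flap_minutes, half_life_min=15, reuse=750, suppress=2000,
             ceiling=16000, horizon_min=180):
    """Replay flap events (minutes after start) one minute at a time.

    Returns (samples, reusable_at): samples is a list of
    (minute, rounded penalty, suppressed); reusable_at is the minute at which
    a suppressed route is advertised again (None if it was never suppressed
    or is still suppressed at the horizon)."""
    validate_dampening(half_life_min, reuse, suppress, ceiling)
    flaps = set(flap_minutes)
    penalty = 0.0
    suppressed = False
    reusable_at = None
    samples = []
    for minute in range(horizon_min + 1):
        if minute > 0:
            penalty = decay(penalty, 1, half_life_min)
        if minute in flaps:
            # Each flap adds a fixed penalty; the total is capped at the ceiling.
            penalty = min(penalty + PENALTY_PER_FLAP, ceiling)
        if not suppressed and penalty > suppress:
            suppressed = True          # route withdrawn from advertisement
            reusable_at = None
        elif suppressed and penalty < reuse:
            suppressed = False         # route advertised again
            reusable_at = minute
        samples.append((minute, round(penalty), suppressed))
    return samples, reusable_at


if __name__ == "__main__":
    # Three flaps in three consecutive minutes push the penalty past suppress (2000).
    samples, released = simulate([0, 1, 2])
    for minute, pen, sup in samples[:4]:
        print(minute, pen, "suppressed" if sup else "advertised")
    print("released at minute", released)
    print("max suppress time (min): %.1f" % max_suppress_minutes())
```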

Checking the Configuration


After BGP route dampening is configured, you can check whether the configuration is correct.
- Run the display bgp routing-table flap-info [ regular-expression as-regular-expression | as-path-filter as-path-filter-number | network-address [ { mask | mask-length } [ longer-match ] ] ] command to check route flapping statistics.
- Run the display bgp routing-table dampened command to check dampened BGP routes.
- Run the display bgp routing-table dampening parameter command to check configured BGP route dampening parameters.

5.5.14 Configuring a BGP Device to Send a Default Route to Its Peer


After a BGP device is configured to send a default route to its peer, the BGP device sends a
default route with the local address as the next-hop address to a specified peer, regardless of
whether there are default routes in the local routing table. This greatly reduces the number of
routes on the network.

Applicable Environment
The BGP routing table of a device on a medium or large BGP network contains a large number
of routing entries. Storing the routing table consumes a large number of memory resources, and
transmitting and processing routing information consume lots of network resources. If a device
needs to send multiple routes to its peer, the device can be configured to send only a default
route with the local address as the next-hop address to its peer, regardless of whether there are
default routes in the local routing table. This greatly reduces the number of routes on the network
and the consumption of memory resources on the peer and network resources.
Figure 5-30 Networking diagram for configuring a BGP device to send a default route to its
peer
[Figure: Switch A and Switch B connected over the 192.168.2.0/24 link (192.168.2.2/24 and 192.168.2.1/24); Switch B is attached to network segments 20.1.1.0/24, 20.2.1.0/24, and 20.3.1.0/24]

On the network shown in Figure 5-30, Switch A and Switch B have established a BGP peer
relationship. Switch B has imported routes to network segments 20.1.1.0/24, 20.2.1.0/24, and
20.3.1.0/24 to its BGP routing table. Switch A needs to learn these routes from Switch B. To
reduce the consumption of memory resources of Switch A and bandwidth used by Switch B for
sending routing information to Switch A, configure Switch B to send a default route to its peer
(Switch A) and use a routing policy to prevent all the routes to network segments 20.1.1.0/24,
20.2.1.0/24, and 20.3.1.0/24 from being sent to Switch A. Then, Switch A stores only one default
route but can still send traffic to the three network segments.

Pre-configuration Tasks
Before configuring a BGP device to send a default route to its peer, complete the following task:
- Configuring Basic BGP Functions

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
bgp as-number

The BGP view is displayed.


Step 3 Run:
ipv4-family unicast

The IPv4 unicast address family view is displayed.


Step 4 Run:
peer { group-name | ipv4-address } default-route-advertise [ route-policy route-policy-name ] [ conditional-route-match-all { ipv4-address1 { mask1 | mask-length1 } } &<1-4> | conditional-route-match-any { ipv4-address2 { mask2 | mask-length2 } } &<1-4> ]

The device is configured to send a default route to a peer or a peer group.


If route-policy route-policy-name is set, the BGP device changes attributes of a default route
based on the specified route policy.
If conditional-route-match-all { ipv4-address1 { mask1 | mask-length1 } } &<1-4> is set, the
BGP device sends a default route to the peer only when all specified routes exist in the local
routing table.
If conditional-route-match-any { ipv4-address2 { mask2 | mask-length2 } } &<1-4> is set, the
local device sends a default route to the peer when one of the specified routes exists in the local
routing table.
NOTE

After the peer default-route-advertise command is used on a device, the device sends a default route with
the local address as the next-hop address to a specified peer, regardless of whether there is a default route
in the routing table.

----End

Checking the Configuration


After a BGP device is configured to send a default route to a peer, you can check whether the
configuration is correct.
- Run the display bgp routing-table [ ipv4-address [ mask | mask-length ] ] command on a
peer to check information about a received BGP default route.

5.5.15 Configuring BGP Load Balancing


Configuring BGP load balancing better utilizes network resources and reduces network
congestion.

Applicable Environment
On large networks, there may be multiple valid routes to the same destination. BGP, however,
advertises only the optimal route to its peers. This may result in unbalanced traffic on different
routes.
The following two methods can be used to address the problem of unbalanced traffic:
- Use BGP routing policies to allow traffic to be balanced. For example, use a routing policy
to modify the Local_Pref, AS_Path, Origin, and Multi Exit Discriminator (MED) attributes
of BGP routes to direct traffic to different forwarding paths for load balancing. For details
on how to modify attributes of BGP routes, see Configuring BGP Route Attributes.
- Use multiple paths for load balancing. In this method, multiple equal-cost routes need to
be configured for traffic load balancing.
NOTE

Equal-cost BGP routes can be generated for traffic load balancing only when the first 8 route attributes
described in "Route Selection Policies for Load Balancing" in BGP Features Supported by the
AC6605 are the same, and the AS-Path attributes are also the same.

Pre-configuration Tasks
Before configuring BGP load balancing, complete the following task:
- Configuring Basic BGP Functions

Data Preparation
To configure BGP load balancing, you need the following data.
No.  Data
1    Number of BGP routes to be used for load balancing
2    Number of EBGP and IBGP routes to be used for load balancing

Procedure
- Set the number of BGP routes to be used for load balancing.
Perform the following steps on a BGP Switch:
1. Run:
system-view

The system view is displayed.

2. Run:
bgp as-number

The BGP view is displayed.

3. Run:
ipv4-family unicast

The IPv4 unicast address family view is displayed.

4. Run:
maximum load-balancing [ ebgp | ibgp ] number

The number of BGP routes to be used for load balancing is set.
By default, the number of BGP routes to be used for load balancing is 1, meaning that
load balancing is not implemented.
ebgp indicates that load balancing is implemented only among EBGP routes.
ibgp indicates that load balancing is implemented only among IBGP routes.
If neither ebgp nor ibgp is specified, both EBGP and IBGP routes participate in
load balancing, and the number of EBGP routes to be used for load balancing is
the same as the number of IBGP routes to be used for load balancing.
NOTE

The maximum load-balancing number command cannot be configured together with the
maximum load-balancing ebgp number or maximum load-balancing ibgp number
command.
When routes with the same destination addresses carry out load balancing on the public
network, the system determines the type of optimal routes first. If the optimal routes are IBGP
routes, only IBGP routes carry out load balancing. If the optimal routes are EBGP routes, only
EBGP routes carry out load balancing. This means that load balancing cannot be implemented
among IBGP and EBGP routes with the same destination address.

5. (Optional) Run:
load-balancing as-path-ignore

The Switch is configured not to compare the AS-Path attributes of the routes to be
used for load balancing.
By default, the Switch compares the AS-Path attributes of the routes to be used for
load balancing.
NOTE

- If there are multiple routes to the same destination but these routes pass through different
ASs, load balancing cannot be implemented among these routes by default. To implement
load balancing among these routes, run the load-balancing as-path-ignore command.
After the load-balancing as-path-ignore command is run, the device no longer compares
the AS-Path attributes of the routes to be used for load balancing. Therefore, exercise
caution when using this command.
- The load-balancing as-path-ignore and bestroute as-path-ignore commands are
mutually exclusive.

----End

Checking the Configuration


After the BGP load balancing configurations are complete, you can run the following commands
to check the configurations.
- Run the display bgp routing-table [ network [ { mask | mask-length } [ longer-prefixes ] ] ] command to check routing information in a BGP routing table.

5.5.16 Configuring the BGP Next Hop Delayed Response


Configuring the BGP next hop delayed response can minimize traffic loss during route changes.

Context
Configuring the BGP next hop delayed response can speed up BGP route convergence and
minimize traffic loss.
As shown in Figure 5-31, PE1, PE2, and PE3 are the clients of the RR. CE2 is dual-homed to
PE1 and PE2. PE1 and PE2 advertise their routes to CE2 to the RR. The RR advertises the route
from PE1 to PE3. PE3 has a route to CE2 only and advertises this route to CE1. After the route
exchange, CE1 and CE2 can communicate. If PE1 fails, PE3 detects that the next hop is
unreachable and instructs CE1 to delete the route to CE2. Traffic is interrupted. After BGP route
convergence is complete, the RR selects the route advertised by PE2 and sends a route update
message to PE3. PE3 then advertises this route to CE1, and traffic forwarding is restored to the
normal state. A high volume of traffic will be lost during traffic interruption because BGP route
convergence is rather slow.
If the BGP next hop delayed response is enabled on PE3, PE3 does not reselect a route or instruct
CE1 to delete the route to CE2 immediately after detecting that the route to PE1 is unreachable.
After BGP convergence is complete, the RR selects the route advertised by PE2 and sends the
route to PE3. PE3 then reselects a route and sends a route update message to CE1. Traffic
forwarding is restored to the normal state. After the BGP next hop delayed response is enabled
on PE3, PE3 does not need to delete the route or instruct CE1 to delete the route. This delayed
response speeds up BGP route convergence and minimizes traffic loss.
Figure 5-31 Networking diagram for configuring the BGP next hop delayed response
[Figure: CE1 connects to PE3; PE1, PE2, and PE3 are clients of the RR; CE2 is dual-homed to PE1 and PE2]

The BGP next hop delayed response applies to a scenario where the next hop has multiple links
to reach the same destination. If there is only one link between the next hop and the destination,
configuring the BGP next hop delayed response may cause heavier traffic loss when the link
fails because link switching is impossible.

Pre-configuration Tasks
Before configuring the BGP next hop delayed response, complete the following task:
- Configuring Basic BGP Functions

Data Preparation
To configure the BGP next hop delayed response, you need the following data.
No.  Data
1    Delay in responding to changes of the next hop

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
bgp as-number

The BGP view is displayed.


Step 3 Run:
nexthop recursive-lookup delay [ delay-time ]

A delay in responding to a next hop change is set.


The default delay time is 5 seconds.
NOTE

BGP route convergence depends on IGP route convergence. If IGP route convergence is quick, the default
delay time does not need to be changed. If IGP route convergence is slow, setting a delay time longer than
IGP route convergence time is recommended.

----End

Checking the Configuration


After configuring the BGP next hop delayed response, you can run the following command to
check the previous configuration.
- Run the display current-configuration configuration bgp | include nexthop recursive-lookup delay command to view information about the delay in responding to a next hop
change.

5.5.17 Configuring BFD for BGP


BFD for BGP speeds up fault detection and therefore increases the route convergence speed.

Applicable Environment
As technologies develop, voice and video services are widely applied. These services are quite
sensitive to packet loss and delay. BGP periodically sends Keepalive packets to its peers to
detect the status of its peers. This detection mechanism, however, takes more than one second.
When the data transmission rate reaches the level of Gbit/s, such slow detection will cause a
large amount of data to be lost. As a result, the high reliability requirement of carrier-class
networks cannot be met.
BFD for BGP can be used to reduce packet loss and delay. BFD for BGP detects faults on links
between BGP peers within 50 milliseconds. The fast detection speed ensures fast BGP route
convergence and minimizes traffic loss.
NOTE

By default, a multi-hop BGP session is established between Huawei devices that set up an IBGP peer
relationship. By default, a BFD for IGP session and a BFD for IBGP session cannot both be set up between
a Huawei device and a non-Huawei device that sets up a single-hop BGP session with its peer. In such a
situation, setting up only a BFD for IGP session or a BFD for IBGP session between the Huawei and
non-Huawei devices is recommended.

Pre-configuration Tasks
Before configuring BFD for BGP, complete the following task:
- Configuring Basic BGP Functions

Data Preparation
To configure BFD for BGP, you need the following data.
No.  Data
1    IP address of the BGP peer or name of the peer group for which BFD needs to be configured
2    BFD parameters, including the minimum and maximum intervals for receiving BFD packets, Wait-to-Restore (WTR) time of a BFD session, and the detection multiplier
3    Name of the VPN instance for which BFD needs to be configured

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
bfd

BFD is enabled globally.


Step 3 Run:
quit

Return to the system view.


Step 4 Run:
bgp as-number

The BGP view is displayed.


Step 5 (Optional) Run:
ipv4-family vpn-instance vpn-instance-name

The BGP-VPN instance IPv4 address family view is displayed.


NOTE

BFD for BGP can be configured for the VPN in this view. To configure BFD for BGP for the public
network, skip this step.

Step 6 Run:
peer { group-name | ipv4-address } bfd enable

BFD is enabled for the peer or peer group and a BFD session is established using default
parameters.
After BFD is enabled for a peer group, BFD sessions will be created on the peers that belong to
this peer group and are not configured with the peer bfd block command.
Step 7 (Optional) Run:
peer { group-name | ipv4-address } bfd { min-tx-interval min-tx-interval | min-rx-interval min-rx-interval | detect-multiplier multiplier | wtr wtr-value } *

BFD session parameters are modified.


NOTE

The BFD parameters of peers take precedence over those of peer groups. If BFD parameters are configured
on peers, they will be used in BFD session establishment.

The default interval for transmitting BFD packets and the default detection multiplier are
recommended. When changing the default values, pay attention to the network status and the
network reliability requirement. A short interval for transmitting BFD packets can be configured
for a link that has a higher reliability requirement. A long interval for transmitting BFD packets
can be configured for a link that has a lower reliability requirement.
NOTE

There are three formulas:
- Actual interval for the local device to send BFD packets = max {Locally configured interval for
transmitting BFD packets, Remotely configured interval for receiving BFD packets}
- Actual interval for the local device to receive BFD packets = max {Remotely configured interval for
transmitting BFD packets, Locally configured interval for receiving BFD packets}
- Local detection period = Actual interval for receiving BFD packets x Remotely configured BFD
detection multiplier
For example:
- On the local device, the configured interval for transmitting BFD packets is 200 ms, the interval for
receiving BFD packets is 300 ms, and the detection multiplier is 4.
- On the peer device, the configured interval for transmitting BFD packets is 100 ms, the interval for
receiving BFD packets is 600 ms, and the detection multiplier is 5.
Then:
- On the local device, the actual interval for transmitting BFD packets is 600 ms, calculated by using the
formula max {200 ms, 600 ms}; the interval for receiving BFD packets is 300 ms, calculated by using
the formula max {100 ms, 300 ms}; the detection period is 1500 ms, calculated by multiplying 300 ms
by 5.
- On the peer device, the actual interval for transmitting BFD packets is 300 ms, calculated by using the
formula max {100 ms, 300 ms}; the interval for receiving BFD packets is 600 ms, calculated by using
the formula max {200 ms, 600 ms}; the detection period is 2400 ms, calculated by multiplying 600 ms
by 4.
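The three timer formulas above, applied to the NOTE's own 200/300/4 and 100/600/5 values, together with the WTR behaviour described for wtr-value, as an added Python example (written for this guide, not Huawei code). The event sequence at the bottom is constructed sample data; the state machine is a model of the described behaviour, not the device implementation.

```python
"""BFD for BGP: effective timer negotiation and the WTR hold-down (added example).

Timer values are in milliseconds. Each side is described by the tuple
(tx_interval, rx_interval, detect_multiplier) it has configured."""


def bfd_effective_timers(local, peer):
    """Return (actual_tx, actual_rx, detection_period) for the local device.

    actual_tx = max(local tx interval, remote rx interval)
    actual_rx = max(remote tx interval, local rx interval)
    detection  = actual_rx * remote detection multiplier"""
    local_tx, local_rx, _local_mult = local
    peer_tx, peer_rx, peer_mult = peer
    actual_tx = max(local_tx, peer_rx)
    actual_rx = max(peer_tx, local_rx)
    return actual_tx, actual_rx, actual_rx * peer_mult


def worst_case_detection(local, peer):
    """Time after which both ends have declared the session Down: the larger of
    the two detection periods (the peer's is obtained by swapping the roles)."""
    return max(bfd_effective_timers(local, peer)[2],
               bfd_effective_timers(peer, local)[2])


class BfdSessionWithWtr:
    """Model of the Up/Down reports a BFD session delivers to BGP when a WTR
    timer is configured. wtr_ms == 0 means no WTR timer (the default)."""

    def __init__(self, wtr_ms):
        self.wtr_ms = wtr_ms
        self.state = "Up"
        self.up_due_at = None      # time at which a pending Up transition fires
        self.reports = []          # (time_ms, state) notifications given to BGP

    def _report(self, t_ms, state):
        self.state = state
        self.reports.append((t_ms, state))

    def link_down(self, t_ms):
        self.up_due_at = None      # a new failure cancels any pending WTR
        if self.state == "Up":
            self._report(t_ms, "Down")
        # If the session is already Down (link failed again during WTR),
        # no further fault message is sent to BGP.

    def link_up(self, t_ms):
        if self.state == "Up":
            return
        if self.wtr_ms == 0:
            self._report(t_ms, "Up")            # no hold-down: Up immediately
        else:
            self.up_due_at = t_ms + self.wtr_ms  # wait for the WTR timer first

    def tick(self, t_ms):
        """Advance time; fire the pending Up once the WTR timer has expired."""
        if self.up_due_at is not None and t_ms >= self.up_due_at:
            self.up_due_at = None
            self._report(t_ms, "Up")


def replay(events, wtr_ms):
    """Feed (time_ms, 'down' | 'up' | 'tick') events to a session and return the
    list of state reports BGP would receive."""
    session = BfdSessionWithWtr(wtr_ms)
    for t_ms, kind in events:
        if kind == "down":
            session.link_down(t_ms)
        elif kind == "up":
            session.link_up(t_ms)
        session.tick(t_ms)
    return session.reports


# Constructed sample: a link that fails, recovers, fails again inside the WTR
# window, recovers, and then stays up.
SAMPLE_EVENTS = [(0, "down"), (1000, "up"), (3000, "down"),
                 (4000, "up"), (5000, "tick"), (9000, "tick")]

if __name__ == "__main__":
    local, peer = (200, 300, 4), (100, 600, 5)
    print("local tx/rx/detect:", bfd_effective_timers(local, peer))
    print("peer  tx/rx/detect:", bfd_effective_timers(peer, local))
    print("without WTR:", replay(SAMPLE_EVENTS, 0))
    print("with 5 s WTR:", replay(SAMPLE_EVENTS, 5000))
```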

wtr wtr-value can be specified in the command to suppress frequent BFD and BGP session
flapping caused by link flapping. If a BFD session over a link goes Down, it does not go Up
immediately after the link recovers. Instead, the BFD session waits for the WTR timer to expire
before going Up. If the link fails again before the WTR timer expires, BFD does not send a link
fault message to BGP, and the BGP session status is stabilized.
The default value of wtr-value is 0, which means that the WTR timer will not be started.
Step 8 (Optional) Run:
peer ipv4-address bfd block

A peer is prevented from inheriting the BFD function of the peer group to which it belongs.
If a peer joins a peer group enabled with BFD, the peer inherits the BFD configuration of the
group and creates a BFD session. To prevent the peer from inheriting the BFD function of the
peer group, perform this step.
NOTE

The peer bfd block command and the peer bfd enable command are mutually exclusive. After the peer
bfd block command is run, the BFD session is automatically deleted.

----End

Checking the Configuration


After configuring BFD for BGP, you can run the following command to check the
configurations.
- Run the display bgp bfd session { [ vpnv4 vpn-instance vpn-instance-name ] peer ipv4-address | all } command to check information about the BFD session between BGP peers.

5.5.18 Configuring BGP Security


Authentication can be implemented during the establishment of a TCP connection to enhance
BGP security.

Establishing the Configuration Task


Before configuring BGP security, familiarize yourself with the applicable environment,
complete the pre-configuration tasks, and obtain the data required for the configuration. This
will help you complete the configuration task quickly and efficiently.

Applicable Environment
MD5 authentication, keychain authentication, or GTSM can be configured on a BGP network
to enhance BGP security.
- MD5 authentication
BGP uses TCP as the transport protocol and considers a packet valid as long as the source
address, destination address, source port, destination port, and TCP sequence number of
the packet are correct. Most parameters in a packet can be easily obtained by attackers. To
protect BGP against attacks, MD5 authentication can be used during TCP connection
establishment between BGP peers to reduce the possibility of attacks.
To prevent the MD5 password set on a BGP peer from being decrypted, you need to update
the MD5 password periodically.
- Keychain authentication
A keychain consists of multiple authentication keys, each of which contains an ID and a
password. Each key has a lifecycle. Based on the life cycle of a key, you can dynamically
select different authentication keys from the keychain. After keychains with the same rules
are configured on the two ends of a BGP connection, the keychains can dynamically select
authentication keys to enhance BGP attack defense.
- GTSM
GTSM checks TTL values to defend against attacks. For example, an attacker forges BGP
packets and keeps sending them to one Switch. After receiving these packets, the Switch
identifies the destination of the packets. The forwarding plane of the Switch then directly
sends the packets to the control plane for processing without checking the validity of the
packets. As a result, the Switch is busy processing these "valid" packets, resulting in high
CPU usage.
GTSM checks whether the TTL value in the IP header is within a specified range,
protecting the Switch against attacks and improving system security.
NOTE

- The AC6605 supports GTSM.
- GTSM supports only unicast addresses; therefore, the GTSM function must be configured on all
the Switches configured with BGP.

Pre-configuration Tasks
Before configuring BGP security, complete the following task:
- Configuring Basic BGP Functions

Data Preparation
To configure BGP security, you need the following data.
No.  Data
1    Each Switch's peer address or peer group name
2    MD5 authentication password
3    Keychain authentication name

Configuring MD5 Authentication


In BGP, MD5 authentication sets an MD5 authentication password for a TCP connection, and
is performed by TCP. If authentication fails, no TCP connection will be established.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
bgp as-number

The BGP view is displayed.


Step 3 Run:
peer { ipv4-address | group-name } password { cipher cipher-password | simple simple-password }

An MD5 authentication password is set.


An MD5 authentication password can be set either in cipher or plain text.
- cipher cipher-password indicates that a password is recorded in cipher text. This means that
a password is encrypted using a special algorithm and then recorded in a configuration file.
- simple simple-password indicates that a password is recorded in plain text. This means that
a password is directly recorded in a configuration file.
NOTE

The peer password command run in the BGP view is also applicable to the BGP-VPNv4 address family
view, because both BGP and BGP-VPNv4 use the same TCP connection.

----End

Configuring BGP GTSM


The GTSM function protects devices by checking whether the TTL value in the IP header is
within a pre-defined range.

Procedure
- Adjust GTSM.
Perform the following steps on two devices that establish a BGP peer relationship:
1. Run:
system-view

The system view is displayed.

2. Run:
bgp as-number

The BGP view is displayed.

3. Run:
peer { group-name | ipv4-address } valid-ttl-hops [ hops ]

BGP GTSM is configured.

The valid TTL range of a checked packet is [255 - hops + 1, 255]. For example, the
hops value is 1 for an EBGP direct route. This means that the valid TTL of the EBGP
direct routes is 255. By default, the hops value is 255. This means that the valid TTL
range is [ 1, 255 ].
NOTE

- The peer valid-ttl-hops command run in the BGP view is also applicable to the BGP-VPNv4
address family view, because both BGP and BGP-VPNv4 use the same TCP connection.
- The configurations of GTSM and EBGP-MAX-HOP affect the TTL values of sent BGP
packets, and the configurations of the two functions are mutually exclusive.

An interface board of a BGP device enabled with GTSM checks the TTL values in all
received BGP packets. In actual networking, packets with TTL values outside the
specified range are either allowed to pass or discarded by GTSM. When the default
action of GTSM is drop, an appropriate TTL value range needs to be set based on the
network topology. Packets with TTL values outside the range will be discarded.
This prevents bogus BGP packets from consuming CPU resources.
• Set the GTSM default action.
Perform the following steps on a GTSM-enabled Switch:
1. Run:
system-view

The system view is displayed.

2. Run:
gtsm default-action { drop | pass }

The default action to be taken on packets that do not match a GTSM policy is set.
By default, the action taken on packets that do not match the GTSM policy is pass.

NOTE
If the default action is configured but no GTSM policy is configured, GTSM does not take effect.

• Configure the log function for dropped packets.
Perform the following steps on a GTSM-enabled Switch:
1. Run:
system-view

The system view is displayed.

2. Run:
gtsm log drop-packet all

The log function is enabled on a specified board.

The log records that GTSM has dropped packets, which helps locate faults.
----End
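The TTL check described in this section, as an added example that is not part of the guide and not Huawei code: it models a `peer X valid-ttl-hops hops` policy per peer, the `gtsm default-action { drop | pass }` setting, and the `gtsm log drop-packet` record, and runs them over constructed sample packets (peer addresses and TTLs are made up for the illustration).

```python
"""GTSM TTL-range check modelled on "Configuring BGP GTSM" (added example,
not Huawei code). Peer addresses and packet TTLs below are constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

MAX_TTL = 255


def valid_ttl_range(hops: int) -> Tuple[int, int]:
    """Inclusive TTL range [255 - hops + 1, 255] accepted for a peer configured
    with `valid-ttl-hops hops`: hops=1 (directly connected EBGP peer) gives
    [255, 255]; the default hops=255 gives [1, 255]."""
    if not 1 <= hops <= MAX_TTL:
        raise ValueError("hops must be between 1 and 255")
    return (MAX_TTL - hops + 1, MAX_TTL)


@dataclass
class GtsmPolicy:
    # peer address -> hops, one entry per `peer <addr> valid-ttl-hops <hops>`
    peers: Dict[str, int] = field(default_factory=dict)
    # `gtsm default-action`: applies to packets matching no policy; device default is pass
    default_action: str = "pass"
    # `gtsm log drop-packet all`
    log_drops: bool = False
    log: List[str] = field(default_factory=list)

    def check(self, src: str, ttl: int) -> str:
        """Return "pass" or "drop" for a BGP packet from src arriving with IP TTL ttl."""
        if not self.peers:
            # No GTSM policy configured: GTSM does not take effect at all,
            # whatever default-action says (see the NOTE above).
            return "pass"
        hops = self.peers.get(src)
        if hops is None:
            action = self.default_action
        else:
            low, high = valid_ttl_range(hops)
            action = "pass" if low <= ttl <= high else "drop"
        if action == "drop" and self.log_drops:
            self.log.append(f"GTSM: dropped BGP packet from {src}, ttl={ttl}")
        return action


# Constructed policy: a directly connected EBGP peer (hops=1) and a peer two
# hops away (hops=2), default action drop, drop logging enabled.
SAMPLE_POLICY = GtsmPolicy(
    peers={"200.1.1.2": 1, "9.1.3.2": 2}, default_action="drop", log_drops=True
)

# Constructed packets: (source, TTL on arrival). A TTL of 253 from the direct
# peer cannot have come from one hop away, which is the bogus-packet case the
# section describes; the last source has no policy, so the default action applies.
SAMPLE_PACKETS = [
    ("200.1.1.2", 255),
    ("200.1.1.2", 253),
    ("9.1.3.2", 254),
    ("9.1.3.2", 64),
    ("10.9.9.9", 255),
]


def run_samples(policy: GtsmPolicy = SAMPLE_POLICY) -> List[Tuple[str, int, str]]:
    """Evaluate every sample packet and return (src, ttl, decision) triples."""
    return [(src, ttl, policy.check(src, ttl)) for src, ttl in SAMPLE_PACKETS]


if __name__ == "__main__":
    for src, ttl, decision in run_samples():
        print(f"{src:<12} ttl={ttl:<3} -> {decision}")
    print("\n".join(SAMPLE_POLICY.log))
```

The range arithmetic is the point to check against the topology: with hops set to 1 a single extra router between the peers makes every legitimate packet fail the check, which is why the section says the range must be chosen from the network topology before switching the default action to drop.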

Checking the Configuration

After configuring BGP security, you can view authentication information about BGP peers.

Prerequisites
The BGP security configurations are complete.

Procedure
• Run the display bgp peer [ ipv4-address ] verbose command to check detailed information about MD5 and keychain authentication on BGP peers.
• Run the display bgp peer verbose command to check whether the GTSM function is enabled on BGP peers and check the configured maximum valid TTL value.
• Run the display gtsm statistics all command to check GTSM statistics on all boards, including the total number of packets, the number of passed packets, and the number of dropped packets.

----End

5.5.19 Maintaining BGP


Maintaining BGP involves resetting a BGP connection and clearing BGP statistics.

Resetting BGP Connections

You can also reset BGP in GR mode. Resetting a BGP connection will interrupt the peer relationship.

Context

CAUTION
The BGP peer relationship is interrupted after you reset BGP connections with the reset bgp command. Exercise caution when running this command.

When the BGP routing policy changes on a Switch that does not support Route-refresh, you need to reset BGP connections to validate the configuration. To reset BGP connections, run the following reset commands in the user view.

Procedure
• To validate the new configurations, run the reset bgp all command in the user view to reset all BGP connections.
• To validate the new configurations, run the reset bgp as-number command in the user view to reset the BGP connections with the specified AS.
• To validate the new configurations, run the reset bgp ipv4-address command in the user view to reset the BGP connection with the specified peer.
• To validate the new configurations, run the reset bgp external command in the user view to reset all EBGP connections.
• To validate the new configurations, run the reset bgp group group-name command in the user view to reset the BGP connections with the specified peer group.
• To validate the new configurations, run the reset bgp internal command in the user view to reset all IBGP connections.

----End

Clearing BGP Information

This section describes how to clear the statistics of BGP accounting, flapped routes, and suppressed routes.

Context

CAUTION
BGP statistics cannot be restored after being cleared. Exercise caution when running this command.

Procedure
• Run the reset bgp flap-info [ regexp as-path-regexp | as-path-filter | ipv4-address [ mask | mask-length ] ] command in the user view to clear the statistics of flapped routes.
• Run the reset bgp dampening [ ipv4-address [ mask | mask-length ] ] command in the user view to clear the dampened routes and advertise the suppressed routes.
• Run the reset bgp ipv4-address flap-info command in the user view to clear the statistics of route flapping.

----End

5.5.20 Configuration Examples


This section provides several configuration examples of BGP.

Example for Configuring Basic BGP Functions


Networking Requirements
As shown in Figure 5-32, all Switches run BGP. An EBGP peer relationship is set up between
SwitchA and SwitchB. IBGP peer relationships are set up between SwitchB, SwitchC, and
SwitchD.
Figure 5-32 Networking diagram for configuring basic BGP functions
[Figure: SwitchA in AS65008 connects to SwitchB in AS65009; SwitchB, SwitchC, and SwitchD in AS65009 are interconnected. Interfaces and addresses are listed in the table below.]

Switch    Interface   VLANIF Interface   IP Address
SwitchA   GE 0/0/1    VLANIF 10          200.1.1.2/24
SwitchA   GE 0/0/2    VLANIF 50          8.1.1.1/8
SwitchB   GE 0/0/1    VLANIF 10          200.1.1.1/24
SwitchB   GE 0/0/2    VLANIF 20          9.1.3.1/24
SwitchB   GE 0/0/3    VLANIF 30          9.1.1.1/24
SwitchC   GE 0/0/1    VLANIF 20          9.1.3.2/24
SwitchC   GE 0/0/2    VLANIF 40          9.1.2.1/24
SwitchD   GE 0/0/1    VLANIF 30          9.1.1.2/24
SwitchD   GE 0/0/2    VLANIF 40          9.1.2.2/24

Configuration Roadmap
The configuration roadmap is as follows:
1. Set up IBGP peer relationships between SwitchB, SwitchC, and SwitchD.
2. Create an EBGP peer relationship between SwitchA and SwitchB.
3. Advertise routes through the network command on SwitchA and check the routing tables of SwitchA, SwitchB, and SwitchC.
4. Configure BGP on SwitchB to import direct routes, and check the routing tables of SwitchA and SwitchC.

Data Preparation
To complete the configuration, you need the following data:
• The VLAN ID of each interface is shown in Figure 5-32.
• The IP address of each VLANIF interface is shown in Figure 5-32.
• The router ID of SwitchA is 1.1.1.1 and the number of the AS where it resides is 65008.
• The router IDs of SwitchB, SwitchC, and SwitchD are 2.2.2.2, 3.3.3.3, and 4.4.4.4, and the number of the AS where they reside is 65009.

Configuration Procedure
1. Create a VLAN to which each interface belongs.

The configuration details are not mentioned here.

2. Assign an IP address to each VLANIF interface.

The configuration details are not mentioned here.

3. Create IBGP peer relationships.

# Configure SwitchB.
[SwitchB] bgp 65009
[SwitchB-bgp] router-id 2.2.2.2
[SwitchB-bgp] peer 9.1.1.2 as-number 65009
[SwitchB-bgp] peer 9.1.3.2 as-number 65009

# Configure SwitchC.
[SwitchC] bgp 65009
[SwitchC-bgp] router-id 3.3.3.3
[SwitchC-bgp] peer 9.1.3.1 as-number 65009
[SwitchC-bgp] peer 9.1.2.2 as-number 65009
[SwitchC-bgp] quit

# Configure SwitchD.
[SwitchD] bgp 65009
[SwitchD-bgp] router-id 4.4.4.4
[SwitchD-bgp] peer 9.1.1.1 as-number 65009
[SwitchD-bgp] peer 9.1.2.1 as-number 65009
[SwitchD-bgp] quit

4. Create an EBGP peer relationship.

# Configure SwitchA.
[SwitchA] bgp 65008
[SwitchA-bgp] router-id 1.1.1.1
[SwitchA-bgp] peer 200.1.1.1 as-number 65009

# Configure SwitchB.
[SwitchB] bgp 65009
[SwitchB-bgp] peer 200.1.1.2 as-number 65008
[SwitchB-bgp] quit

# Check the status of BGP connections.
[SwitchB] display bgp peer
BGP local router ID : 2.2.2.2
Local AS number : 65009
Total number of peers : 3                 Peers in established state : 3

  Peer        V    AS  MsgRcvd  MsgSent  OutQ  Up/Down   State        PrefRcv
  9.1.1.2     4 65009       49       62     0  00:44:58  Established        0
  9.1.3.2     4 65009       56       56     0  00:40:54  Established        0
  200.1.1.2   4 65008       49       65     0  00:44:03  Established        1

You can view that the BGP connections between SwitchB and all the other switches are set up.
5. Configure SwitchA to advertise the route 8.0.0.0/8.

# Configure SwitchA to advertise routes.
[SwitchA] bgp 65008
[SwitchA-bgp] ipv4-family unicast
[SwitchA-bgp-af-ipv4] network 8.0.0.0 255.0.0.0
[SwitchA-bgp-af-ipv4] quit
[SwitchA-bgp] quit

# Check the routing table of SwitchA.
[SwitchA] display bgp routing-table
BGP Local router ID is 1.1.1.1
Status codes: * - valid, > - best, d - damped,
h - history, i - internal, s - suppressed, S - Stale
Origin : i - IGP, e - EGP, ? - incomplete
Total Number of Routes: 1
      Network         NextHop       MED    LocPrf    PrefVal Path/Ogn
 *>   8.0.0.0         0.0.0.0       0                0       i

# Check the routing table of SwitchB.
[SwitchB] display bgp routing-table
BGP Local router ID is 2.2.2.2
Status codes: * - valid, > - best, d - damped,
h - history, i - internal, s - suppressed, S - Stale
Origin : i - IGP, e - EGP, ? - incomplete
Total Number of Routes: 1
      Network         NextHop       MED    LocPrf    PrefVal Path/Ogn
 *>   8.0.0.0         200.1.1.2                              65008i

# Check the routing table of SwitchC.
[SwitchC] display bgp routing-table
BGP Local router ID is 3.3.3.3
Status codes: * - valid, > - best, d - damped,
h - history, i - internal, s - suppressed, S - Stale
Origin : i - IGP, e - EGP, ? - incomplete
Total Number of Routes: 1
      Network         NextHop       MED    LocPrf    PrefVal Path/Ogn
  i   8.0.0.0         200.1.1.2            100               65008i

From the routing table, you can view that SwitchC has learned the route to the destination 8.0.0.0 in AS 65008, but the next hop 200.1.1.2 is unreachable. Therefore, this route is invalid.
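Why the route is invalid on SwitchC, and why importing SwitchB's direct routes in the next step fixes it, as an added example that is not part of the guide: the next hop received over IBGP is the EBGP address 200.1.1.2, unchanged, and SwitchC must be able to resolve it through its own IP routing table. The routing tables below are constructed from the addresses in Figure 5-32; the recursive lookup follows a BGP route's own next hop until a Direct route is reached, which is how the route becomes valid after step 6.

```python
"""Next-hop reachability check for a received BGP route (added example, not
from the guide). Routing tables are constructed from Figure 5-32."""
import ipaddress
from typing import Dict, Optional, Tuple

# prefix -> (protocol, next hop); Direct routes need no further lookup
RouteTable = Dict[str, Tuple[str, Optional[str]]]


def longest_match(table: RouteTable, addr: str) -> Optional[Tuple[str, str, Optional[str]]]:
    """Longest-prefix lookup of addr; returns (prefix, proto, next_hop) or None."""
    ip = ipaddress.ip_address(addr)
    best = None
    for prefix, (proto, via) in table.items():
        net = ipaddress.ip_network(prefix, strict=False)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, proto, via)
    return None if best is None else (str(best[0]), best[1], best[2])


def next_hop_reachable(table: RouteTable, next_hop: str, max_depth: int = 8) -> bool:
    """Resolve next_hop recursively until the lookup lands on a Direct route.
    IBGP leaves the EBGP next hop unchanged, so the first match may itself be
    a BGP route whose next hop must be resolved in turn; max_depth guards
    against a resolution loop."""
    hop = next_hop
    for _ in range(max_depth):
        entry = longest_match(table, hop)
        if entry is None:
            return False
        _, proto, via = entry
        if proto == "Direct":
            return True
        if via is None:
            return False
        hop = via
    return False


# SwitchC before step 6: only its own connected networks (constructed).
SWITCHC_BEFORE: RouteTable = {
    "9.1.3.0/24": ("Direct", None),
    "9.1.2.0/24": ("Direct", None),
}

# SwitchC after SwitchB runs `import-route direct`: 200.1.1.0/24 and 9.1.1.0/24
# arrive over IBGP with next hop 9.1.3.1, SwitchB's address on the shared VLAN.
SWITCHC_AFTER: RouteTable = dict(SWITCHC_BEFORE)
SWITCHC_AFTER["200.1.1.0/24"] = ("BGP", "9.1.3.1")
SWITCHC_AFTER["9.1.1.0/24"] = ("BGP", "9.1.3.1")

EBGP_NEXT_HOP = "200.1.1.2"  # next hop of 8.0.0.0 as SwitchC receives it from SwitchB


def route_8_valid(table: RouteTable) -> bool:
    """Is the 8.0.0.0 route usable on a switch holding this IP routing table?"""
    return next_hop_reachable(table, EBGP_NEXT_HOP)


if __name__ == "__main__":
    print("before import-route direct:", route_8_valid(SWITCHC_BEFORE))
    print("after  import-route direct:", route_8_valid(SWITCHC_AFTER))
```

The same check explains the "i" without "*" in SwitchC's table: the route was received and kept, but it is not valid for forwarding until the next hop resolves, and a route that is never valid is never selected or re-advertised.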
6. Configure BGP to import direct routes.

# Configure SwitchB.
[SwitchB] bgp 65009
[SwitchB-bgp] ipv4-family unicast
[SwitchB-bgp-af-ipv4] import-route direct
[SwitchB-bgp-af-ipv4] quit
[SwitchB-bgp] quit

# Check the BGP routing table of SwitchA.
[SwitchA] display bgp routing-table
BGP Local router ID is 1.1.1.1
Status codes: * - valid, > - best, d - damped,
h - history, i - internal, s - suppressed, S - Stale
Origin : i - IGP, e - EGP, ? - incomplete
Total Number of Routes: 4
      Network         NextHop       MED    LocPrf    PrefVal Path/Ogn
 *>   8.0.0.0         0.0.0.0       0                        i
 *>   9.1.1.0/24      200.1.1.1     0                0       65009?
 *>   9.1.3.0/24      200.1.1.1     0                0       65009?
 *    200.1.1.0       200.1.1.1                              65009?

# Check the BGP routing table of SwitchC.
[SwitchC] display bgp routing-table
BGP Local router ID is 3.3.3.3
Status codes: * - valid, > - best, d - damped,
h - history, i - internal, s - suppressed, S - Stale
Origin : i - IGP, e - EGP, ? - incomplete
Total Number of Routes: 4
      Network         NextHop       MED    LocPrf    PrefVal Path/Ogn
 * i  8.0.0.0         200.1.1.2            100       0       65008i
 *>i  9.1.1.0/24      9.1.3.1       0      100       0       ?
   i  9.1.3.0/24      9.1.3.1       0      100       0       ?
 *>i  200.1.1.0       9.1.3.1       0      100               ?

You can view that the route to 8.0.0.0 becomes valid, and the next hop is the address of SwitchA.

# Perform the ping operation to verify the configuration.
[SwitchC] ping 8.1.1.1
PING 8.1.1.1: 56 data bytes, press CTRL_C to break
Reply from 8.1.1.1: bytes=56 Sequence=1 ttl=254 time=31 ms
Reply from 8.1.1.1: bytes=56 Sequence=2 ttl=254 time=47 ms
Reply from 8.1.1.1: bytes=56 Sequence=3 ttl=254 time=31 ms
Reply from 8.1.1.1: bytes=56 Sequence=4 ttl=254 time=16 ms
Reply from 8.1.1.1: bytes=56 Sequence=5 ttl=254 time=31 ms

--- 8.1.1.1 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 16/31/47 ms

Configuration Files
• Configuration file of SwitchA


#
sysname SwitchA
#
vlan batch 10 50
#
interface Vlanif10
ip address 200.1.1.2 255.255.255.0
#
interface Vlanif50
ip address 8.1.1.1 255.0.0.0
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 10
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 50
#
bgp 65008
router-id 1.1.1.1
peer 200.1.1.1 as-number 65009
#
ipv4-family unicast
undo synchronization
network 8.0.0.0
peer 200.1.1.1 enable
#
return

• Configuration file of SwitchB


#
sysname SwitchB
#
vlan batch 10 20 30
#
interface Vlanif10
ip address 200.1.1.1 255.255.255.0
#
interface Vlanif20
ip address 9.1.3.1 255.255.255.0
#
interface Vlanif30
ip address 9.1.1.1 255.255.255.0
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 10
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 20
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk allow-pass vlan 30
#
bgp 65009
router-id 2.2.2.2


peer 9.1.1.2 as-number 65009


peer 9.1.3.2 as-number 65009
peer 200.1.1.2 as-number 65008
#
ipv4-family unicast
undo synchronization
import-route direct
peer 9.1.1.2 enable
peer 9.1.3.2 enable
peer 200.1.1.2 enable
#
return

• Configuration file of SwitchC


#
sysname SwitchC
#
vlan batch 20 40
#
interface Vlanif20
ip address 9.1.3.2 255.255.255.0
#
interface Vlanif40
ip address 9.1.2.1 255.255.255.0
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 20
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 40
#
bgp 65009
router-id 3.3.3.3
peer 9.1.3.1 as-number 65009
peer 9.1.2.2 as-number 65009
#
ipv4-family unicast
undo synchronization
peer 9.1.3.1 enable
peer 9.1.2.2 enable
#
return

• Configuration file of SwitchD


#
sysname SwitchD
#
vlan batch 30 40
#
interface Vlanif30
ip address 9.1.1.2 255.255.255.0
#
interface Vlanif40
ip address 9.1.2.2 255.255.255.0
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 30
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 40
#
bgp 65009
router-id 4.4.4.4
peer 9.1.1.1 as-number 65009
peer 9.1.2.1 as-number 65009
#


ipv4-family unicast
undo synchronization
peer 9.1.1.1 enable
peer 9.1.2.1 enable
#
return

Example for Configuring AS-Path Filter


Networking Requirements
As shown in Figure 5-33, EBGP connections are set up between Switch A, Switch B, and Switch C. Configure the AS-Path filter on Switch B so that AS 20 neither advertises routes of AS 30 to AS 10 nor advertises routes of AS 10 to AS 30.
Figure 5-33 Networking diagram for configuring the AS-Path filter
[Figure: SwitchA (AS 10), SwitchB (AS 20), and SwitchC (AS 30) are connected in a triangle, with an EBGP session on each link. Interfaces and addresses are listed in the table below.]

Switch    Interface              VLANIF interface   IP address
SwitchA   GigabitEthernet0/0/1   VLANIF 10          200.1.4.1/24
SwitchA   GigabitEthernet0/0/2   VLANIF 20          200.1.2.1/24
SwitchB   GigabitEthernet0/0/1   VLANIF 30          200.1.3.1/24
SwitchB   GigabitEthernet0/0/2   VLANIF 20          200.1.2.2/24
SwitchC   GigabitEthernet0/0/2   VLANIF 30          200.1.3.2/24
SwitchC   GigabitEthernet0/0/1   VLANIF 10          200.1.4.2/24

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure EBGP connections between Switch A and Switch B, Switch B and Switch C, and Switch C and Switch A, and import direct routes.
2. Configure the AS-Path filter on Switch B, and apply the filtering rule.

Data Preparation
To complete the configuration, you need the following data:
• The router ID of Switch A is 1.1.1.1, and the number of its AS is 10.
• The router ID of Switch B is 2.2.2.2, and the number of its AS is 20.
• The router ID of Switch C is 3.3.3.3, and the number of its AS is 30.

Procedure
Step 1 Configure VLANs that interfaces belong to.
<Quidway> system-view
[Quidway] sysname SwitchA
[SwitchA] vlan batch 10 20
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port hybrid pvid vlan 10
[SwitchA-GigabitEthernet0/0/1] port hybrid untagged vlan 10
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port hybrid pvid vlan 20
[SwitchA-GigabitEthernet0/0/2] port hybrid untagged vlan 20
[SwitchA-GigabitEthernet0/0/2] quit

The configurations of SwitchB and SwitchC are similar to the configuration of SwitchA, and
are not mentioned here.
Step 2 Assign an IP address to each VLANIF interface.
[SwitchA] interface vlanif 10
[SwitchA-Vlanif10] ip address 200.1.4.1 24
[SwitchA-Vlanif10] quit
[SwitchA] interface vlanif 20
[SwitchA-Vlanif20] ip address 200.1.2.1 24
[SwitchA-Vlanif20] quit

The configurations of SwitchB and SwitchC are similar to the configuration of SwitchA, and
are not mentioned here.
Step 3 Configure EBGP connections.
# Configure Switch A.
[SwitchA] bgp 10
[SwitchA-bgp] router-id 1.1.1.1
[SwitchA-bgp] peer 200.1.4.2 as-number 30
[SwitchA-bgp] peer 200.1.2.2 as-number 20
[SwitchA-bgp] import-route direct

# Configure Switch B.
[SwitchB] bgp 20
[SwitchB-bgp] router-id 2.2.2.2
[SwitchB-bgp] peer 200.1.2.1 as-number 10
[SwitchB-bgp] peer 200.1.3.2 as-number 30
[SwitchB-bgp] import-route direct
[SwitchB-bgp] quit

# Configure Switch C.
[SwitchC] bgp 30
[SwitchC-bgp] router-id 3.3.3.3
[SwitchC-bgp] peer 200.1.3.1 as-number 20
[SwitchC-bgp] peer 200.1.4.1 as-number 10
[SwitchC-bgp] import-route direct
[SwitchC-bgp] quit

# Check the routing table advertised by Switch B to peer 200.1.3.2. Take the routing table advertised by Switch B to Switch C as an example. You can find that Switch B advertises the routes destined for the network segment between Switch A and Switch C.
<SwitchB> display bgp routing-table peer 200.1.3.2 advertised-routes
BGP Local router ID is 2.2.2.2
Status codes: * - valid, > - best, d - damped,
h - history, i - internal, s - suppressed, S - Stale
Origin : i - IGP, e - EGP, ? - incomplete
Total Number of Routes: 3
      Network         NextHop       MED    LocPrf    PrefVal Path/Ogn
 *>   200.1.2.0       200.1.3.1     0                0       20?
 *>   200.1.3.0       200.1.3.1     0                0       20?
 *>   200.1.4.0       200.1.3.1                      0       20 10?

# Check the routing table of Switch C. You can find that Switch C learns the routes advertised by Switch B.
<SwitchC> display bgp routing-table
BGP Local router ID is 3.3.3.3
Status codes: * - valid, > - best, d - damped,
h - history, i - internal, s - suppressed, S - Stale
Origin : i - IGP, e - EGP, ? - incomplete
Total Number of Routes: 8
      Network         NextHop       MED    LocPrf    PrefVal Path/Ogn
 *>   200.1.2.0       200.1.4.1     0                0       10?
 *                    200.1.3.1     0                0       20?
 *>   200.1.3.0       0.0.0.0       0                0       ?
 *                    200.1.4.1     0                0       10 20?
 *                    200.1.3.1     0                0       20?
 *>   200.1.3.2/32    0.0.0.0       0                0       ?
 *>   200.1.4.0       0.0.0.0       0                0       ?
 *                    200.1.3.1                      0       20 10?
 *                    200.1.4.1                      0       10?
 *>   200.1.4.2/32    0.0.0.0                        0       ?

Step 4 Configure the AS-Path filter on Switch B and apply the filter in the outbound direction of Switch B.
# Create AS-Path filter 1, denying the passing of routes carrying AS 30. The regular expression "_30_" matches any AS list that contains AS 30, and ".*" matches any character.
[SwitchB] ip as-path-filter 1 deny _30_
[SwitchB] ip as-path-filter 1 permit .*

# Create AS-Path filter 2, denying the passing of routes carrying AS 10.
[SwitchB] ip as-path-filter 2 deny _10_
[SwitchB] ip as-path-filter 2 permit .*

# Apply the AS-Path filters in the outbound direction toward the two peers of Switch B.
[SwitchB] bgp 20
[SwitchB-bgp] peer 200.1.2.1 as-path-filter 1 export
[SwitchB-bgp] peer 200.1.3.2 as-path-filter 2 export
[SwitchB-bgp] quit
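How the two filters decide what leaves Switch B, as an added example that is not part of the guide and not Huawei code: the `ip as-path-filter N { deny | permit } regexp` rules are evaluated in order, the first match decides, and a path that matches no rule is denied. The "_" anchor is translated into an ordinary regular expression so that "_30_" matches AS 30 but not AS 300 or AS 1030. The routes toward Switch C are taken from the advertised-routes display above; the routes toward Switch A are constructed for the illustration (the page does not show that table before filtering).

```python
"""AS_Path filter evaluation (added example, not Huawei code). Models
`ip as-path-filter` rules and the per-peer `as-path-filter N export` on
Switch B's routes from this example."""
import re
from typing import List, Tuple

Route = Tuple[str, List[int]]  # (prefix, AS_Path as advertised, local AS first)


def translate_as_regexp(pattern: str) -> "re.Pattern[str]":
    """Map the AS_Path regexp convention to Python: "_" stands for the start
    or end of the path or the blank between two AS numbers."""
    return re.compile(pattern.replace("_", r"(?:^|$|\s)"))


class AsPathFilter:
    """Ordered deny/permit rules; first matching rule decides, else deny."""

    def __init__(self, rules: List[Tuple[str, str]]):
        self.rules = [(action, translate_as_regexp(rx)) for action, rx in rules]

    def permits(self, as_path: List[int]) -> bool:
        text = " ".join(str(asn) for asn in as_path)
        for action, rx in self.rules:
            if rx.search(text):
                return action == "permit"
        return False


def export_routes(routes: List[Route], filt: AsPathFilter) -> List[str]:
    """Prefixes that survive the export filter toward one peer."""
    return [prefix for prefix, path in routes if filt.permits(path)]


# The two filters configured on Switch B in Step 4.
FILTER_1 = AsPathFilter([("deny", "_30_"), ("permit", ".*")])
FILTER_2 = AsPathFilter([("deny", "_10_"), ("permit", ".*")])

# Switch B's routes with the AS_Path they carry on export (AS 20 prepended).
# Toward C: the three routes shown in the advertised-routes display above;
# 200.1.4.0 is the A-C segment learned from A.
ROUTES_TO_C: List[Route] = [
    ("200.1.2.0", [20]),
    ("200.1.3.0", [20]),
    ("200.1.4.0", [20, 10]),
]
# Toward A (constructed): the A-C segment as it would look if learned from C.
ROUTES_TO_A: List[Route] = [
    ("200.1.2.0", [20]),
    ("200.1.3.0", [20]),
    ("200.1.4.0", [20, 30]),
]


if __name__ == "__main__":
    print("advertised to Switch C:", export_routes(ROUTES_TO_C, FILTER_2))
    print("advertised to Switch A:", export_routes(ROUTES_TO_A, FILTER_1))
```

The implicit deny at the end is the detail to remember when writing such filters: without the trailing `permit .*` every route, not only those through the unwanted AS, would be withheld from the peer.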


Step 5 Check the routing table advertised by Switch B, and you can find that the advertised routes to the network segment between Switch A and Switch C do not exist. Take the routes advertised by Switch B to Switch C as an example.
<SwitchB> display bgp routing-table peer 200.1.3.2 advertised-routes
BGP Local router ID is 2.2.2.2
Status codes: * - valid, > - best, d - damped,
h - history, i - internal, s - suppressed, S - Stale
Origin : i - IGP, e - EGP, ? - incomplete
Total Number of Routes: 3
      Network         NextHop       MED    LocPrf    PrefVal Path/Ogn
 *>   200.1.2.0       200.1.3.1     0                0       20?
 *>   200.1.3.0       200.1.3.1     0                0       20?
 *>   200.1.4.0       200.1.3.1                      0       20 10?

Similarly, the BGP routing table of Switch C does not have the two routes.
<SwitchC> display bgp routing-table
BGP Local router ID is 3.3.3.3
Status codes: * - valid, > - best, d - damped,
h - history, i - internal, s - suppressed, S - Stale
Origin : i - IGP, e - EGP, ? - incomplete
Total Number of Routes: 7
      Network         NextHop       MED    LocPrf    PrefVal Path/Ogn
 *>   200.1.2.0       200.1.4.1     0                0       10?
 *                    200.1.3.1     0                0       20?
 *>   200.1.3.0       0.0.0.0       0                0       ?
 *                    200.1.4.1     0                0       10 20?
 *                    200.1.3.1     0                0       20?
 *>   200.1.3.2/32    0.0.0.0       0                0       ?
 *>   200.1.4.0       0.0.0.0       0                0       ?
 *                    200.1.4.1                      0       10?
 *>   200.1.4.2/32    0.0.0.0                        0       ?

Check the routing table advertised by Switch B, and you can find that the routes to the network segment directly connecting Switch A and Switch C are no longer advertised. Take the routes advertised by Switch B to Switch A as an example.
<SwitchB> display bgp routing-table peer 200.1.2.1 advertised-routes
BGP Local router ID is 2.2.2.2
Status codes: * - valid, > - best, d - damped,
h - history, i - internal, s - suppressed, S - Stale
Origin : i - IGP, e - EGP, ? - incomplete
Total Number of Routes: 2
      Network         NextHop       MED    LocPrf    PrefVal Path/Ogn
 *>   200.1.2.0       200.1.2.2     0                0       20?
 *>   200.1.3.0       200.1.2.2     0                0       20?

Similarly, the BGP routing table of Switch A does not have the two routes.
<SwitchA> display bgp routing-table
BGP Local router ID is 1.1.1.1
Status codes: * - valid, > - best, d - damped,
h - history, i - internal, s - suppressed, S - Stale
Origin : i - IGP, e - EGP, ? - incomplete
Total Number of Routes: 6
      Network         NextHop       MED    LocPrf    PrefVal Path/Ogn
 *>   200.1.2.0       0.0.0.0       0                0       ?
 *                    200.1.2.2     0                0       20?
 *>   200.1.2.1/32    0.0.0.0       0                0       ?
 *>   200.1.3.0       200.1.2.2     0                0       20?
 *                    200.1.4.2     0                0       30?
 *>   200.1.4.0       0.0.0.0       0                0       ?
 *                    200.1.4.2     0                0       30?
 *>   200.1.4.1/32    0.0.0.0       0                0       ?

----End
----End

Configuration Files
• Configuration file of Switch A


#
sysname SwitchA
#
vlan batch 10 20
#
interface Vlanif10
ip address 200.1.4.1 255.255.255.0
#
interface Vlanif20
ip address 200.1.2.1 255.255.255.0
#
interface GigabitEthernet0/0/1
port hybrid pvid vlan 10
port hybrid untagged vlan 10
#
interface GigabitEthernet0/0/2
port hybrid pvid vlan 20
port hybrid untagged vlan 20
#
bgp 10
router-id 1.1.1.1
peer 200.1.4.2 as-number 30
peer 200.1.2.2 as-number 20
#
ipv4-family unicast
undo synchronization
import-route direct
peer 200.1.4.2 enable
peer 200.1.2.2 enable
#
return

• Configuration file of Switch B


#
sysname SwitchB
#
vlan batch 20 30
#
interface Vlanif30
ip address 200.1.3.1 255.255.255.0
#
interface Vlanif20
ip address 200.1.2.2 255.255.255.0
#
interface GigabitEthernet0/0/1
port hybrid pvid vlan 30
port hybrid untagged vlan 30
#
interface GigabitEthernet0/0/2
port hybrid pvid vlan 20
port hybrid untagged vlan 20


#
bgp 20
router-id 2.2.2.2
peer 200.1.2.1 as-number 10
peer 200.1.3.2 as-number 30
#
ipv4-family unicast
undo synchronization
import-route direct
peer 200.1.2.1 enable
peer 200.1.2.1 as-path-filter 1 export
peer 200.1.3.2 enable
peer 200.1.3.2 as-path-filter 2 export
#
ip as-path-filter 1 deny _30_
ip as-path-filter 1 permit .*
ip as-path-filter 2 deny _10_
ip as-path-filter 2 permit .*
#
return

• Configuration file of Switch C


#
sysname SwitchC
#
vlan batch 10 30
#
interface Vlanif10
ip address 200.1.4.2 255.255.255.0
#
interface Vlanif30
ip address 200.1.3.2 255.255.255.0
#
interface GigabitEthernet0/0/1
port hybrid pvid vlan 10
port hybrid untagged vlan 10
#
interface GigabitEthernet0/0/2
port hybrid pvid vlan 30
port hybrid untagged vlan 30
#
bgp 30
router-id 3.3.3.3
peer 200.1.4.1 as-number 10
peer 200.1.3.1 as-number 20
#
ipv4-family unicast
undo synchronization
import-route direct
peer 200.1.4.1 enable
peer 200.1.3.1 enable
#
return

Example for Configuring BGP to Interact with an IGP


Networking Requirements
As shown in Figure 5-34, OSPF is used inside AS 65009. An EBGP peer relationship is set up
between SwitchA and SwitchB. SwitchC runs OSPF instead of BGP.


Figure 5-34 Networking diagram for configuring BGP to interact with an IGP
[Figure: Switch A in AS65008 connects to Switch B in AS65009 over GE 0/0/1 on both sides; Switch B connects to Switch C in AS65009 over GE 0/0/2. Interfaces and addresses are listed in the table below.]

Switch    Interface   VLANIF Interface   IP Address
SwitchA   GE 0/0/1    VLANIF 10          3.1.1.2/24
SwitchA   GE 0/0/2    VLANIF 30          8.1.1.1/24
SwitchB   GE 0/0/1    VLANIF 10          3.1.1.1/24
SwitchB   GE 0/0/2    VLANIF 20          9.1.1.1/24
SwitchC   GE 0/0/1    VLANIF 20          9.1.1.2/24
SwitchC   GE 0/0/2    VLANIF 40          9.1.2.1/24

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure OSPF on SwitchB and SwitchC.
2. Create an EBGP peer relationship between SwitchA and SwitchB.
3. Configure BGP to interact with OSPF on SwitchB and check the routes.
4. Configure BGP route aggregation on SwitchB to simplify the BGP routing table.

Data Preparation
To complete the configuration, you need the following data:
• The VLAN ID of each interface is shown in Figure 5-34.
• The IP address of each VLANIF interface is shown in Figure 5-34.
• The router ID of SwitchA is 1.1.1.1 and the number of the AS where it resides is 65008.
• The router IDs of SwitchB and SwitchC are 2.2.2.2 and 3.3.3.3, and the number of the AS where they reside is 65009.

Configuration Procedure
1. Create a VLAN to which each interface belongs.

The configuration details are not mentioned here.

2. Assign an IP address to each VLANIF interface.

The configuration details are not mentioned here.

3. Configure OSPF.

# Configure SwitchB.
[SwitchB] ospf 1
[SwitchB-ospf-1] area 0
[SwitchB-ospf-1-area-0.0.0.0] network 9.1.1.0 0.0.0.255
[SwitchB-ospf-1-area-0.0.0.0] quit
[SwitchB-ospf-1] quit

# Configure SwitchC.
[SwitchC] ospf 1
[SwitchC-ospf-1] area 0
[SwitchC-ospf-1-area-0.0.0.0] network 9.1.1.0 0.0.0.255
[SwitchC-ospf-1-area-0.0.0.0] network 9.1.2.0 0.0.0.255
[SwitchC-ospf-1-area-0.0.0.0] quit
[SwitchC-ospf-1] quit

4. Create an EBGP peer relationship.

# Configure SwitchA.
[SwitchA] bgp 65008
[SwitchA-bgp] router-id 1.1.1.1
[SwitchA-bgp] peer 3.1.1.1 as-number 65009
[SwitchA-bgp] ipv4-family unicast
[SwitchA-bgp-af-ipv4] network 8.1.1.0 255.255.255.0
[SwitchA-bgp-af-ipv4] quit
[SwitchA-bgp] quit

# Configure SwitchB.
[SwitchB] bgp 65009
[SwitchB-bgp] router-id 2.2.2.2
[SwitchB-bgp] peer 3.1.1.2 as-number 65008

5. Configure BGP to interact with an IGP.

# On SwitchB, configure BGP to import OSPF routes.
[SwitchB-bgp] ipv4-family unicast
[SwitchB-bgp-af-ipv4] import-route ospf 1
[SwitchB-bgp-af-ipv4] quit
[SwitchB-bgp] quit

# Check the routing table of SwitchA.
[SwitchA] display bgp routing-table
BGP Local router ID is 1.1.1.1
Status codes: * - valid, > - best, d - damped,
h - history, i - internal, s - suppressed, S - Stale
Origin : i - IGP, e - EGP, ? - incomplete
Total Number of Routes: 3
      Network         NextHop       MED    LocPrf    PrefVal Path/Ogn
 *>   8.1.1.0/24      0.0.0.0       0                0       i
 *>   9.1.1.0/24      3.1.1.1       0                0       65009?
 *>   9.1.2.0/24      3.1.1.1       2                0       65009?

# On SwitchB, configure OSPF to import BGP routes.
[SwitchB] ospf
[SwitchB-ospf-1] import-route bgp
[SwitchB-ospf-1] quit
# Check the routing table of SwitchC.
[SwitchC] display ip routing-table
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
         Destinations : 7        Routes : 7

Destination/Mask    Proto   Pre  Cost   Flags  NextHop      Interface
8.1.1.0/24          O_ASE   150  1      D      9.1.1.1      Vlanif20
9.1.1.0/24          Direct  0    0      D      9.1.1.2      Vlanif20
9.1.1.2/32          Direct  0    0      D      127.0.0.1    InLoopBack0
9.1.2.0/24          Direct  0    0      D      9.1.2.1      Vlanif40
9.1.2.1/32          Direct  0    0      D      127.0.0.1    InLoopBack0
127.0.0.0/8         Direct  0    0      D      127.0.0.1    InLoopBack0
127.0.0.1/32        Direct  0    0      D      127.0.0.1    InLoopBack0

6. Configure automatic aggregation.


# Configure SwitchB.
[SwitchB] bgp 65009
[SwitchB-bgp] ipv4-family unicast
[SwitchB-bgp-af-ipv4] summary automatic
[SwitchB-bgp-af-ipv4] quit
[SwitchB-bgp] quit

# Check the BGP routing table of SwitchA.
[SwitchA] display bgp routing-table
BGP Local router ID is 1.1.1.1
Status codes: * - valid, > - best, d - damped,
h - history, i - internal, s - suppressed, S - Stale
Origin : i - IGP, e - EGP, ? - incomplete
Total Number of Routes: 2
      Network         NextHop       MED    LocPrf    PrefVal Path/Ogn
 *>   8.1.1.0/24      0.0.0.0       0                0       i
 *>   9.0.0.0         3.1.1.1                                65009?

# Perform the ping operation to verify the configuration.
[SwitchA] ping -a 8.1.1.1 9.1.2.1
PING 9.1.2.1: 56 data bytes, press CTRL_C to break
Reply from 9.1.2.1: bytes=56 Sequence=1 ttl=254 time=15 ms
Reply from 9.1.2.1: bytes=56 Sequence=2 ttl=254 time=31 ms
Reply from 9.1.2.1: bytes=56 Sequence=3 ttl=254 time=47 ms
Reply from 9.1.2.1: bytes=56 Sequence=4 ttl=254 time=46 ms
Reply from 9.1.2.1: bytes=56 Sequence=5 ttl=254 time=47 ms
--- 9.1.2.1 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 15/37/47 ms
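What `summary automatic` does to the table SwitchA receives, as an added example that is not part of the guide and not Huawei code: imported IGP prefixes are collapsed to their natural class A/B/C network, which is why 9.1.1.0/24 and 9.1.2.0/24 appear on SwitchA as the single route 9.0.0.0. The route advertised with the network command (8.1.1.0/24) is not summarized, matching the display above; that distinction is assumed from the output shown here and built into the function.

```python
"""Classful aggregation in the spirit of `summary automatic` (added example,
not Huawei code). Input prefixes are the ones SwitchB imports from OSPF."""
import ipaddress
from typing import Iterable, List


def classful_network(prefix: str) -> str:
    """Return the classful (A/B/C) network that contains prefix."""
    net = ipaddress.ip_network(prefix, strict=False)
    first_octet = int(net.network_address) >> 24
    if first_octet < 128:
        length = 8          # class A
    elif first_octet < 192:
        length = 16         # class B
    elif first_octet < 224:
        length = 24         # class C
    else:
        raise ValueError(f"{prefix} is not a class A/B/C address")
    return str(ipaddress.ip_network(f"{net.network_address}/{length}", strict=False))


def summary_automatic(imported: Iterable[str], network_cmd: Iterable[str] = ()) -> List[str]:
    """BGP table after `summary automatic`: imported routes collapse to their
    classful summaries; routes from the network command stay as configured."""
    summaries = {classful_network(p) for p in imported}
    return sorted(summaries | set(network_cmd), key=lambda p: ipaddress.ip_network(p))


# Routes SwitchB imports from OSPF in this example (from the display above).
IMPORTED_FROM_OSPF = ["9.1.1.0/24", "9.1.2.0/24"]


def switch_a_table() -> List[str]:
    """Prefixes SwitchA holds after aggregation: its own 8.1.1.0/24 plus the summary."""
    return summary_automatic(IMPORTED_FROM_OSPF, network_cmd=["8.1.1.0/24"])


if __name__ == "__main__":
    for prefix in switch_a_table():
        print(prefix)
```

Aggregation on classful boundaries is coarse: a /8 summary covers every address in 9.0.0.0/8, not only the two /24s that exist, so it is worth checking what else the summary would claim before enabling it.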

Configuration Files
• Configuration file of SwitchA


#
sysname SwitchA
#
vlan batch 10 30
#
interface Vlanif10
ip address 3.1.1.2 255.255.255.0
#
interface Vlanif30
ip address 8.1.1.1 255.255.255.0
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 10
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 30
#
bgp 65008
router-id 1.1.1.1
peer 3.1.1.1 as-number 65009
#
ipv4-family unicast


undo synchronization
network 8.1.1.0 255.255.255.0
peer 3.1.1.1 enable

#
return

• Configuration file of SwitchB


#
sysname SwitchB
#
vlan batch 10 20
#
interface Vlanif10
ip address 3.1.1.1 255.255.255.0
#
interface Vlanif20
ip address 9.1.1.1 255.255.255.0
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 10
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 20
#
bgp 65009
router-id 2.2.2.2
peer 3.1.1.2 as-number 65008
#
ipv4-family unicast
undo synchronization
summary automatic
import-route ospf 1
peer 3.1.1.2 enable
#
ospf 1
import-route bgp
area 0.0.0.0
network 9.1.1.0 0.0.0.255
return

Configuration file of SwitchC


#
sysname SwitchC
#
vlan batch 20 40
#
interface Vlanif20
ip address 9.1.1.2 255.255.255.0
#
interface Vlanif40
ip address 9.1.2.1 255.255.255.0
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 20
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 40
#
ospf 1
area 0.0.0.0
network 9.1.1.0 0.0.0.255
network 9.1.2.0 0.0.0.255
#
return


Example for Configuring BGP Load Balancing and the MED


Networking Requirements
As shown in Figure 5-35, all Switches run BGP. SwitchA resides in AS 65008. Both SwitchB
and SwitchC reside in AS 65009. EBGP runs between SwitchA and SwitchB and between SwitchA
and SwitchC; IBGP runs between SwitchB and SwitchC.
Figure 5-35 Networking diagram of BGP route selection (SwitchA in AS65008 connects over GE 0/0/1 to SwitchB GE 0/0/1 and over GE 0/0/2 to SwitchC GE 0/0/1; SwitchB and SwitchC in AS65009 are connected over their GE 0/0/2 interfaces)

Switch     Interface    VLANIF Interface    IP Address
SwitchA    GE 0/0/1     VLANIF 10           200.1.1.2/24
SwitchA    GE 0/0/2     VLANIF 20           200.1.2.2/24
SwitchB    GE 0/0/1     VLANIF 10           200.1.1.1/24
SwitchB    GE 0/0/2     VLANIF 30           9.1.1.1/24
SwitchC    GE 0/0/1     VLANIF 20           200.1.2.1/24
SwitchC    GE 0/0/2     VLANIF 30           9.1.1.2/24

Configuration Roadmap
The configuration roadmap is as follows:
1. Set up EBGP peer relationships between SwitchA and SwitchB, and between SwitchA and SwitchC. Create an IBGP peer relationship between SwitchB and SwitchC.
2. Configure load balancing and the MED on SwitchA and check the routing table.

Data Preparation
To complete the configuration, you need the following data:
- The VLAN ID of each interface is shown in Figure 5-35.
- The IP address of each VLANIF interface is shown in Figure 5-35.
- The router ID of SwitchA is 1.1.1.1, the number of the AS where it resides is 65008, and the number of routes for load balancing is 2.
- The router IDs of SwitchB and SwitchC are 2.2.2.2 and 3.3.3.3, the number of the AS where they reside is 65009, and the MED that SwitchB sets on routes advertised to SwitchA is 100.

Configuration Procedure
1. Create a VLAN to which each interface belongs.
The configuration details are not mentioned here.
2. Assign an IP address to each VLANIF interface.
The configuration details are not mentioned here.
3. Create the EBGP peer relationships (SwitchA to SwitchB and SwitchC) and the IBGP peer relationship (SwitchB to SwitchC).
# Configure SwitchA.
[SwitchA] bgp 65008
[SwitchA-bgp] router-id 1.1.1.1
[SwitchA-bgp] peer 200.1.1.1 as-number 65009
[SwitchA-bgp] peer 200.1.2.1 as-number 65009
[SwitchA-bgp] quit

# Configure SwitchB.
[SwitchB] bgp 65009
[SwitchB-bgp] router-id 2.2.2.2
[SwitchB-bgp] peer 200.1.1.2 as-number 65008
[SwitchB-bgp] peer 9.1.1.2 as-number 65009
[SwitchB-bgp] ipv4-family unicast
[SwitchB-bgp-af-ipv4] network 9.1.1.0 255.255.255.0
[SwitchB-bgp-af-ipv4] quit
[SwitchB-bgp] quit

# Configure SwitchC.
[SwitchC] bgp 65009
[SwitchC-bgp] router-id 3.3.3.3
[SwitchC-bgp] peer 200.1.2.2 as-number 65008
[SwitchC-bgp] peer 9.1.1.1 as-number 65009
[SwitchC-bgp] ipv4-family unicast
[SwitchC-bgp-af-ipv4] network 9.1.1.0 255.255.255.0
[SwitchC-bgp-af-ipv4] quit
[SwitchC-bgp] quit

# Check the routing table of SwitchA.
[SwitchA] display bgp routing-table
 BGP Local router ID is 1.1.1.1
 Status codes: * - valid, > - best, d - damped,
               h - history, i - internal, s - suppressed, S - Stale
 Origin : i - IGP, e - EGP, ? - incomplete
 Total Number of Routes: 2
      Network            NextHop         MED        LocPrf    PrefVal Path/Ogn
 *>   9.1.1.0/24         200.1.1.1       0                    0       65009i
 *                       200.1.2.1       0                    0       65009i

You can view that there are two valid routes to the destination 9.1.1.0/24. Their PrefVal, LocPrf, AS-path, origin, and MED are equal and both are EBGP routes, so the tie is broken by the router ID: the route whose next hop is 200.1.1.1 is the optimal route because the router ID of SwitchB (2.2.2.2) is smaller than that of SwitchC (3.3.3.3).
4. Configure load balancing.
# Configure SwitchA.
[SwitchA] bgp 65008
[SwitchA-bgp] ipv4-family unicast
[SwitchA-bgp-af-ipv4] maximum load-balancing 2
[SwitchA-bgp-af-ipv4] quit
[SwitchA-bgp] quit

# Check the routing table of SwitchA.
[SwitchA] display bgp routing-table
 BGP Local router ID is 1.1.1.1
 Status codes: * - valid, > - best, d - damped,
               h - history, i - internal, s - suppressed, S - Stale
 Origin : i - IGP, e - EGP, ? - incomplete
 Total Number of Routes: 2
      Network            NextHop         MED        LocPrf    PrefVal Path/Ogn
 *>   9.1.1.0/24         200.1.1.1       0                    0       65009i
 *>                      200.1.2.1       0                    0       65009i

You can view that the BGP route 9.1.1.0/24 now has two next hops, 200.1.1.1 and 200.1.2.1, and both are marked as optimal routes: traffic to 9.1.1.0/24 is shared between SwitchB and SwitchC.
5. Set the MED.
# Set the MED that SwitchB sends to SwitchA through a route-policy.
[SwitchB] route-policy 10 permit node 10
[SwitchB-route-policy] apply cost 100
[SwitchB-route-policy] quit
[SwitchB] bgp 65009
[SwitchB-bgp] peer 200.1.1.2 route-policy 10 export

# Check the routing table of SwitchA.
[SwitchA] display bgp routing-table
 BGP Local router ID is 1.1.1.1
 Status codes: * - valid, > - best, d - damped,
               h - history, i - internal, s - suppressed, S - Stale
 Origin : i - IGP, e - EGP, ? - incomplete
 Total Number of Routes: 2
      Network            NextHop         MED        LocPrf    PrefVal Path/Ogn
 *>   9.1.1.0/24         200.1.2.1       0                    0       65009i
 *                       200.1.1.1       100                  0       65009i

You can view that the MED of the route with the next hop 200.1.1.1 (SwitchB) is 100, and the MED of the route with the next hop 200.1.2.1 (SwitchC) is 0. The route with the smaller MED is selected, and because the MEDs now differ the two routes no longer qualify for load balancing even though maximum load-balancing 2 is still configured. Two points worth remembering: by default MED is compared only between routes received from the same neighboring AS (here AS 65009 for both), and the MED is a value chosen by the neighboring AS, so SwitchA accepts whatever SwitchB and SwitchC send unless an import route-policy on SwitchA overrides it.
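The three routing-table states seen in steps 3, 4 and 5 can be reproduced with a small model of the decision process. The following is an added example and is not code from the Huawei guide: the BgpRoute and select names, the attribute order (PrefVal, LocPrf, AS-path length, origin, MED, EBGP before IBGP, lowest router ID), the multipath rule that candidates must be equal through MED, and the rule that MED is compared only within one neighbouring AS unless compare_different_as_med is set are all assumptions of this example. The routes in page_scenario are constructed from the outputs above.

```python
from dataclasses import dataclass

ORIGIN_RANK = {"i": 0, "e": 1, "?": 2}   # IGP < EGP < incomplete


@dataclass(frozen=True)
class BgpRoute:
    """One row of 'display bgp routing-table', plus the attributes the
    decision process needs that the table does not print (assumed model)."""
    prefix: str
    next_hop: str
    as_path: tuple
    peer_router_id: str          # router ID of the advertising peer
    origin: str = "i"
    med: int = 0
    local_pref: int = 100
    pref_val: int = 0
    external: bool = True        # learned from an EBGP peer


def _rid(router_id):
    return tuple(int(octet) for octet in router_id.split("."))


def _rank(route, compare_med):
    # Tuples compare element by element; "higher is better" fields are negated
    # so that the smallest tuple is the preferred route.
    return (-route.pref_val,
            -route.local_pref,
            len(route.as_path),
            ORIGIN_RANK[route.origin],
            route.med if compare_med else 0,
            0 if route.external else 1,
            _rid(route.peer_router_id))


def select(routes, max_load_balancing=1, compare_different_as_med=False):
    """Return (best, active). `active` is what gets installed with load
    balancing: the best route plus any others equal on every attribute up to
    and including MED, capped at max_load_balancing (assumed rule)."""
    neighbouring_as = {r.as_path[0] for r in routes if r.as_path}
    compare_med = compare_different_as_med or len(neighbouring_as) <= 1
    ranked = sorted(routes, key=lambda r: _rank(r, compare_med))
    best = ranked[0]
    head = _rank(best, compare_med)[:5]
    equal = [r for r in ranked if _rank(r, compare_med)[:5] == head]
    return best, equal[:max_load_balancing]


def page_scenario():
    """Steps 3, 4 and 5 of the example above, as seen from SwitchA."""
    via_b = BgpRoute("9.1.1.0/24", "200.1.1.1", (65009,), peer_router_id="2.2.2.2")
    via_c = BgpRoute("9.1.1.0/24", "200.1.2.1", (65009,), peer_router_id="3.3.3.3")
    best3, active3 = select([via_b, via_c])                         # step 3
    best4, active4 = select([via_b, via_c], max_load_balancing=2)   # step 4
    via_b_med = BgpRoute("9.1.1.0/24", "200.1.1.1", (65009,),
                         peer_router_id="2.2.2.2", med=100)         # step 5
    best5, active5 = select([via_b_med, via_c], max_load_balancing=2)
    return {
        "step3": (best3.next_hop, [r.next_hop for r in active3]),
        "step4": (best4.next_hop, [r.next_hop for r in active4]),
        "step5": (best5.next_hop, [r.next_hop for r in active5]),
    }


if __name__ == "__main__":
    for step, (best, active) in page_scenario().items():
        print(f"{step}: best via {best}, load balancing over {active}")
```

Because MED is the last attribute before the EBGP/IBGP and router-ID tie-breakers, a neighbouring AS that can set MED can steer which of two equal-cost paths you use; an import route-policy that overwrites MED on SwitchA is the way to keep that decision local.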

Configuration Files

Configuration file of SwitchA

#
sysname SwitchA
#
vlan batch 10 20
#
interface Vlanif10
ip address 200.1.1.2 255.255.255.0
#
interface Vlanif20
ip address 200.1.2.2 255.255.255.0
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 10
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 20
#
bgp 65008

router-id 1.1.1.1
peer 200.1.1.1 as-number 65009
peer 200.1.2.1 as-number 65009
#
ipv4-family unicast
undo synchronization
maximum load-balancing 2
peer 200.1.1.1 enable
peer 200.1.2.1 enable
#
return

Configuration file of SwitchB


#
sysname SwitchB
#
vlan batch 10 30
#
interface Vlanif10
ip address 200.1.1.1 255.255.255.0
#
interface Vlanif30
ip address 9.1.1.1 255.255.255.0
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 10
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 30
#
bgp 65009
router-id 2.2.2.2
peer 200.1.1.2 as-number 65008
peer 9.1.1.2 as-number 65009
#
ipv4-family unicast
undo synchronization
network 9.1.1.0 255.255.255.0
peer 200.1.1.2 enable
peer 200.1.1.2 route-policy 10 export
peer 9.1.1.2 enable
#
route-policy 10 permit node 10
apply cost 100
#
return

Configuration file of SwitchC


#
sysname SwitchC
#
vlan batch 20 30
#
interface Vlanif20
ip address 200.1.2.1 255.255.255.0
#
interface Vlanif30
ip address 9.1.1.2 255.255.255.0
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 20
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 30
#
bgp 65009

router-id 3.3.3.3
peer 9.1.1.1 as-number 65009
peer 200.1.2.2 as-number 65008
#
ipv4-family unicast
undo synchronization
network 9.1.1.0 255.255.255.0
peer 9.1.1.1 enable
peer 200.1.2.2 enable
#
return

Example for Configuring the BGP Community Attribute


Networking Requirements
As shown in Figure 5-36, Switch B creates EBGP connections with Switch A and Switch C.
You can configure the No_Export community attribute on Switch A. Thus, the routes advertised
from AS 10 to AS 20 are not advertised to other ASs.
Figure 5-36 Networking diagram for configuring the BGP community (SwitchA in AS 10 and SwitchB in AS 20 are connected through their GE0/0/2 interfaces; SwitchB and SwitchC in AS 30 are connected through their GE0/0/3 interfaces; both links run EBGP)

Switch     Interface               VLANIF interface    IP address
SwitchA    GigabitEthernet0/0/1    VLANIF 10           9.1.1.1/24
SwitchA    GigabitEthernet0/0/2    VLANIF 20           200.1.2.1/24
SwitchB    GigabitEthernet0/0/2    VLANIF 20           200.1.2.2/24
SwitchB    GigabitEthernet0/0/3    VLANIF 30           200.1.3.1/24
SwitchC    GigabitEthernet0/0/3    VLANIF 30           200.1.3.2/24

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure the EBGP connections between Switch A and Switch B, and between Switch B and Switch C.
2. Configure the routing policy on Switch A, and advertise the No_Export community attribute.
Data Preparation
To complete the configuration, you need the following data:
- The router ID of Switch A is 1.1.1.1 and its AS number is 10.
- The router ID of Switch B is 2.2.2.2 and its AS number is 20.
- The router ID of Switch C is 3.3.3.3 and its AS number is 30.
Procedure
Step 1 Configure VLANs that interfaces belong to.
<Quidway> system-view
[Quidway] sysname SwitchA
[SwitchA] vlan batch 10 20
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port hybrid pvid vlan 10
[SwitchA-GigabitEthernet0/0/1] port hybrid untagged vlan 10
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port hybrid pvid vlan 20
[SwitchA-GigabitEthernet0/0/2] port hybrid untagged vlan 20
[SwitchA-GigabitEthernet0/0/2] quit

The configurations of SwitchB and SwitchC are similar to the configuration of SwitchA, and
are not mentioned here.
Step 2 Assign an IP address to each VLANIF interface.
[SwitchA] interface vlanif 10
[SwitchA-Vlanif10] ip address 9.1.1.1 24
[SwitchA-Vlanif10] quit
[SwitchA] interface vlanif 20
[SwitchA-Vlanif20] ip address 200.1.2.1 24
[SwitchA-Vlanif20] quit

The configurations of SwitchB and SwitchC are similar to the configuration of SwitchA, and
are not mentioned here.
Step 3 Configure EBGP.
# Configure Switch A.
[SwitchA] bgp 10
[SwitchA-bgp] router-id 1.1.1.1
[SwitchA-bgp] peer 200.1.2.2 as-number 20
[SwitchA-bgp] ipv4-family unicast
[SwitchA-bgp-af-ipv4] network 9.1.1.0 255.255.255.0
[SwitchA-bgp-af-ipv4] quit

# Configure Switch B.
[SwitchB] bgp 20
[SwitchB-bgp] router-id 2.2.2.2
[SwitchB-bgp] peer 200.1.2.1 as-number 10
[SwitchB-bgp] peer 200.1.3.2 as-number 30
[SwitchB-bgp] quit

# Configure Switch C.
[SwitchC] bgp 30
[SwitchC-bgp] router-id 3.3.3.3
[SwitchC-bgp] peer 200.1.3.1 as-number 20
[SwitchC-bgp] quit

# Check the routing table of Switch B.
[SwitchB] display bgp routing-table 9.1.1.0
 BGP local router ID : 2.2.2.2
 Local AS number : 20
 Paths:   1 available, 1 best, 1 select
 BGP routing table entry information of 9.1.1.0/24:
 From: 200.1.2.1 (1.1.1.1)
 Route Duration: 00h00m15s
 Direct Out-interface: Vlanif20
 Original nexthop: 200.1.2.1
 Qos information : 0x0
 AS-path 10, origin igp, MED 0, pref-val 0, valid, external, best, select, active, pre 255
 Advertised to such 2 peers:
    200.1.2.1
    200.1.3.2

You can view that Switch B advertises the received route to Switch C in AS 30.

# Check the routing table of Switch C.
[SwitchC] display bgp routing-table
 BGP Local router ID is 3.3.3.3
 Status codes: * - valid, > - best, d - damped,
               h - history, i - internal, s - suppressed, S - Stale
 Origin : i - IGP, e - EGP, ? - incomplete
 Total Number of Routes: 1
      Network            NextHop         MED        LocPrf    PrefVal Path/Ogn
 *>   9.1.1.0/24         200.1.3.1                            0       20 10i

You can find that Switch C has learned a route to the destination 9.1.1.0/24 from Switch B.
Step 4 Configure BGP community attributes.
# Configure the routing policy on Switch A to enable Switch B not to advertise the routes
advertised by Switch A to any other AS.
[SwitchA] route-policy comm_policy permit node 10
[SwitchA-route-policy] apply community no-export
[SwitchA-route-policy] quit

# Apply routing policies.


[SwitchA] bgp 10
[SwitchA-bgp] ipv4-family unicast
[SwitchA-bgp-af-ipv4] peer 200.1.2.2 route-policy comm_policy export
[SwitchA-bgp-af-ipv4] peer 200.1.2.2 advertise-community

# Check the routing table of Switch B.
[SwitchB] display bgp routing-table 9.1.1.0
 BGP local router ID : 2.2.2.2
 Local AS number : 20
 Paths:   1 available, 1 best, 1 select
 BGP routing table entry information of 9.1.1.0/24:
 From: 200.1.2.1 (1.1.1.1)
 Route Duration: 00h00m33s
 Direct Out-interface: Vlanif20
 Original nexthop: 200.1.2.1
 Qos information : 0x0
 Community:no-export
 AS-path 10, origin igp, MED 0, pref-val 0, valid, external, best, select, active, pre 255
 Not advertised to any peer yet

You can view the configured community attribute in the BGP routing table of Switch B. At this
time, there are no routes to the destination 9.1.1.0/24 in the BGP routing table of Switch C.
Note that peer 200.1.2.2 advertise-community on Switch A is required: a Switch does not send
the community attribute to a peer by default, so without it Switch B would receive the route
without any community and advertise it on to Switch C as before. NO_EXPORT is also only a
request to the receiving AS, not something Switch A can enforce: if Switch B strips the
community with an import route-policy of its own, the route is advertised to AS 30 again.
----End
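The propagation rule that Switch B applied above, and the two ways it fails to apply, can be modelled in a few lines. The following is an added example and not code from the Huawei guide: the Peer, Route and Speaker classes, the IBGP peer 10.0.0.2 inside AS 20, and the assumption that a speaker strips the community attribute on export unless advertise_community is set for that peer (mirroring peer advertise-community) are all assumptions of this example. NO_EXPORT and NO_ADVERTISE are the RFC 1997 well-known communities.

```python
from dataclasses import dataclass

NO_EXPORT = "no-export"          # RFC 1997 well-known community 0xFFFFFF01
NO_ADVERTISE = "no-advertise"    # RFC 1997 well-known community 0xFFFFFF02


@dataclass
class Peer:
    address: str
    remote_as: int
    advertise_community: bool = False   # 'peer <addr> advertise-community'
    export_policy: tuple = ()           # communities an export route-policy adds


@dataclass(frozen=True)
class Route:
    prefix: str
    as_path: tuple
    communities: frozenset = frozenset()


@dataclass
class Speaker:
    name: str
    local_as: int

    def export(self, route, peer):
        """Return the route as sent to `peer`, or None when a well-known
        community the route already carries forbids sending it there."""
        if NO_ADVERTISE in route.communities:
            return None
        if NO_EXPORT in route.communities and peer.remote_as != self.local_as:
            return None                 # must not leave the local AS
        communities = route.communities | frozenset(peer.export_policy)
        if not peer.advertise_community:
            communities = frozenset()   # attribute is not sent by default (assumed)
        as_path = route.as_path
        if peer.remote_as != self.local_as:
            as_path = (self.local_as,) + as_path
        return Route(route.prefix, as_path, communities)


def propagate(advertise_community):
    """Send 9.1.1.0/24 from Switch A to Switch B and let Switch B re-export it
    to Switch C (AS 30) and to a hypothetical IBGP peer inside AS 20."""
    switch_a = Speaker("SwitchA", 10)
    switch_b = Speaker("SwitchB", 20)
    a_to_b = Peer("200.1.2.2", 20, advertise_community, export_policy=(NO_EXPORT,))
    b_to_c = Peer("200.1.3.2", 30)
    b_to_ibgp = Peer("10.0.0.2", 20)          # hypothetical, not on the page
    local = Route("9.1.1.0/24", as_path=())
    at_b = switch_a.export(local, a_to_b)
    return {
        "communities_at_b": sorted(at_b.communities),
        "at_c": switch_b.export(at_b, b_to_c),
        "inside_as20": switch_b.export(at_b, b_to_ibgp),
    }


if __name__ == "__main__":
    for flag in (True, False):
        result = propagate(advertise_community=flag)
        print(f"advertise-community={flag}: Switch B sees {result['communities_at_b']}, "
              f"Switch C gets {result['at_c']}")
```

With advertise_community=True the route reaches the IBGP peer inside AS 20 but not AS 30; with it False the community never leaves Switch A and the route leaks to AS 30 with AS-path 20 10, exactly the pre-policy state shown in Step 3.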

Configuration Files

Configuration file of Switch A

#
sysname SwitchA
#
vlan batch 10 20
#
interface Vlanif10
ip address 9.1.1.1 255.255.255.0
#
interface Vlanif20
ip address 200.1.2.1 255.255.255.0
#
interface GigabitEthernet0/0/1
port hybrid pvid vlan 10
port hybrid untagged vlan 10
#
interface GigabitEthernet0/0/2
port hybrid pvid vlan 20
port hybrid untagged vlan 20
#
bgp 10
router-id 1.1.1.1
peer 200.1.2.2 as-number 20
#
ipv4-family unicast
undo synchronization
network 9.1.1.0 255.255.255.0
peer 200.1.2.2 enable
peer 200.1.2.2 route-policy comm_policy export
peer 200.1.2.2 advertise-community
#
route-policy comm_policy permit node 10
apply community no-export
#
return

Configuration file of Switch B


#
sysname SwitchB
#
vlan batch 20 30
#
interface Vlanif20
ip address 200.1.2.2 255.255.255.0
#
interface Vlanif30
ip address 200.1.3.1 255.255.255.0
#
interface GigabitEthernet0/0/2
port hybrid pvid vlan 20
port hybrid untagged vlan 20
#
interface GigabitEthernet0/0/3
port hybrid pvid vlan 30
port hybrid untagged vlan 30
#
bgp 20
router-id 2.2.2.2
peer 200.1.2.1 as-number 10
peer 200.1.3.2 as-number 30
#

ipv4-family unicast
undo synchronization
peer 200.1.2.1 enable
peer 200.1.3.2 enable
#
return

Configuration file of Switch C


#
sysname SwitchC
#
vlan batch 30
#
interface Vlanif30
ip address 200.1.3.2 255.255.255.0
#
interface GigabitEthernet0/0/3
port hybrid pvid vlan 30
port hybrid untagged vlan 30
#
bgp 30
router-id 3.3.3.3
peer 200.1.3.1 as-number 20
#
ipv4-family unicast
undo synchronization
peer 200.1.3.1 enable
#
return

Example for Configuring a BGP RR


Networking Requirements
As shown in Figure 5-37, Switch A is a non-client. Switch B is the RR of cluster 1, and Switch D
and Switch E are its two clients. Because an IBGP connection is created directly between Switch
D and Switch E, Switch B does not need to reflect routes between these two clients. Switch C is
the RR of cluster 2, and Switch F, Switch G, and Switch H are the clients of cluster 2.
It is required that peer groups be used to simplify configuration and management.

Figure 5-37 Networking diagram for configuring a BGP RR (all Switches are in AS 65010; Switch B with its clients Switch D and Switch E forms Cluster1, Switch C with its clients Switch F, Switch G, and Switch H forms Cluster2, Switch A is connected to both RRs, Switch B and Switch C are connected to each other, and Switch D and Switch E are directly connected)

Switch     Interface               VLANIF interface    IP address
SwitchA    GigabitEthernet0/0/1    VLANIF 10           10.1.1.2/24
SwitchA    GigabitEthernet0/0/2    VLANIF 30           10.1.3.2/24
SwitchA    GigabitEthernet0/0/3    VLANIF 100          9.1.1.1/24
SwitchB    GigabitEthernet0/0/1    VLANIF 10           10.1.1.1/24
SwitchB    GigabitEthernet0/0/2    VLANIF 20           10.1.2.1/24
SwitchB    GigabitEthernet0/0/3    VLANIF 40           10.1.4.1/24
SwitchB    GigabitEthernet0/0/4    VLANIF 50           10.1.5.1/24
SwitchC    GigabitEthernet0/0/1    VLANIF 30           10.1.3.1/24
SwitchC    GigabitEthernet0/0/2    VLANIF 20           10.1.2.2/24
SwitchC    GigabitEthernet0/0/3    VLANIF 70           10.1.7.1/24
SwitchC    GigabitEthernet0/0/4    VLANIF 80           10.1.8.1/24
SwitchC    GigabitEthernet0/0/5    VLANIF 90           10.1.9.1/24
SwitchD    GigabitEthernet0/0/1    VLANIF 40           10.1.4.2/24
SwitchD    GigabitEthernet0/0/2    VLANIF 60           10.1.6.1/24
SwitchE    GigabitEthernet0/0/1    VLANIF 50           10.1.5.2/24
SwitchE    GigabitEthernet0/0/2    VLANIF 60           10.1.6.2/24
SwitchF    GigabitEthernet0/0/1    VLANIF 70           10.1.7.2/24
SwitchG    GigabitEthernet0/0/1    VLANIF 80           10.1.8.2/24
SwitchH    GigabitEthernet0/0/1    VLANIF 90           10.1.9.2/24

Configuration Roadmap
The configuration roadmap is as follows:
1. Establish IBGP connections between the clients and the RRs, and between the non-client and the RRs.
2. Configure route reflection on Switch B and Switch C, specify the clients, and check the routes.

Data Preparation
To complete the configuration, you need the following data:
- ID of the VLAN that each interface belongs to, as shown in Figure 5-37
- IP address of each VLANIF interface, as shown in Figure 5-37
- Number of the AS where all Switches reside being 65010
- Router IDs of Switch A, Switch B, Switch C, Switch D, Switch E, Switch F, Switch G, and Switch H being 1.1.1.1, 2.2.2.2, 3.3.3.3, 4.4.4.4, 5.5.5.5, 6.6.6.6, 7.7.7.7, and 8.8.8.8
- ID of the cluster where Switch B resides being 1 and ID of the cluster where Switch C resides being 2
Procedure
Step 1 Create VLANs and add interfaces to the corresponding VLANs.
<Quidway> system-view
[Quidway] sysname SwitchA
[SwitchA] vlan batch 10 30 100
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port hybrid pvid vlan 10
[SwitchA-GigabitEthernet0/0/1] port hybrid untagged vlan 10
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port hybrid pvid vlan 30
[SwitchA-GigabitEthernet0/0/2] port hybrid untagged vlan 30
[SwitchA-GigabitEthernet0/0/2] quit
[SwitchA] interface gigabitethernet 0/0/3
[SwitchA-GigabitEthernet0/0/3] port hybrid pvid vlan 100
[SwitchA-GigabitEthernet0/0/3] port hybrid untagged vlan 100
[SwitchA-GigabitEthernet0/0/3] quit

The configurations of Switch B, Switch C, Switch D, Switch E, Switch F, Switch G, and Switch
H are similar to the configuration of Switch A, and are not mentioned here.
Step 2 Assign an IP address to each VLANIF interface.
[SwitchA] interface vlanif 10
[SwitchA-Vlanif10] ip address 10.1.1.2 24
[SwitchA-Vlanif10] quit
[SwitchA] interface vlanif 30
[SwitchA-Vlanif30] ip address 10.1.3.2 24
[SwitchA-Vlanif30] quit
[SwitchA] interface vlanif 100
[SwitchA-Vlanif100] ip address 9.1.1.1 24
[SwitchA-Vlanif100] quit

Step 3 Establish IBGP connections between the clients and the RR, and between the non-clients and
the RR. The configuration details are not mentioned here.
Step 4 Configure Switch A to advertise the local network route 9.1.1.0/24. The configuration details
are not mentioned here.
Step 5 Configure the RR.


# Configure Switch B.
[SwitchB] bgp 65010
[SwitchB-bgp] router-id 2.2.2.2
[SwitchB-bgp] group in_rr internal
[SwitchB-bgp] peer 10.1.4.2 group in_rr
[SwitchB-bgp] peer 10.1.5.2 group in_rr
[SwitchB-bgp] ipv4-family unicast
[SwitchB-bgp-af-ipv4] peer in_rr reflect-client
[SwitchB-bgp-af-ipv4] undo reflect between-clients
[SwitchB-bgp-af-ipv4] reflector cluster-id 1
[SwitchB-bgp-af-ipv4] quit
[SwitchB-bgp] quit

# Configure Switch C.
[SwitchC] bgp 65010
[SwitchC-bgp] router-id 3.3.3.3
[SwitchC-bgp] group in_rr internal
[SwitchC-bgp] peer 10.1.7.2 group in_rr
[SwitchC-bgp] peer 10.1.8.2 group in_rr
[SwitchC-bgp] peer 10.1.9.2 group in_rr
[SwitchC-bgp] ipv4-family unicast
[SwitchC-bgp-af-ipv4] peer in_rr reflect-client
[SwitchC-bgp-af-ipv4] reflector cluster-id 2
[SwitchC-bgp-af-ipv4] quit
[SwitchC-bgp] quit

# Check the routing table of Switch D.


[SwitchD] display bgp routing-table 9.1.1.0
BGP local router ID : 4.4.4.4
Local AS number : 65010
Paths:
1 available, 0 best
BGP routing table entry information of 9.1.1.0/24:
From: 10.1.4.1 (2.2.2.2)
Original nexthop: 10.1.1.2
Convergence Priority:
AS-path Nil, origin igp, MED 0, localpref 100, pref-val 0, internal, pre 255
Originator: 1.1.1.1
Cluster list: 0.0.0.1
Not advertised to any peers yet

According to the routing table, you can view that Switch D has learned the route advertised by
Switch A from Switch B. The Originator field carries the router ID of Switch A (1.1.1.1), the
device that originated the route into the AS, and the Cluster list carries the cluster ID of
Switch B in dotted form (reflector cluster-id 1 is displayed as 0.0.0.1); an RR uses these two
attributes to discard a route that is reflected back to it. Note that the output reports
1 available, 0 best: reflection leaves the original next hop 10.1.1.2 unchanged, and in this
example Switch D has no route to that address, so the reflected route cannot become active
until the next hop is reachable, for example through an IGP.
----End
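The reflection rules that produced the Originator and Cluster list values above, and the loop check that depends on them, can be modelled directly. The following is an added example and not code from the Huawei guide: the RouteReflector and IbgpRoute classes, the use of peer addresses as identifiers, the route 10.1.6.0/24 originated by Switch D, and the assumption that an RR drops a received route whose CLUSTER_LIST contains its own cluster ID or whose ORIGINATOR_ID equals its own router ID (RFC 4456 behaviour) are assumptions of this example; the Switch B topology values are taken from the example above.

```python
from dataclasses import dataclass, replace
from typing import Optional
import ipaddress


def cluster_id_str(cluster_id: int) -> str:
    """'reflector cluster-id 1' is a 32-bit value; the output prints it dotted."""
    return str(ipaddress.IPv4Address(cluster_id))


@dataclass(frozen=True)
class IbgpRoute:
    prefix: str
    next_hop: str                          # left unchanged by reflection
    originator_id: Optional[str] = None    # ORIGINATOR_ID attribute
    cluster_list: tuple = ()               # CLUSTER_LIST, newest cluster first


@dataclass
class RouteReflector:
    router_id: str
    cluster_id: str                        # dotted form, see cluster_id_str
    clients: frozenset
    non_clients: frozenset
    reflect_between_clients: bool = True   # 'undo reflect between-clients' -> False

    def accept(self, route: IbgpRoute) -> bool:
        """Loop check on receipt: a route that already carries our router ID as
        originator, or our cluster ID in CLUSTER_LIST, has been through us before."""
        if route.originator_id == self.router_id:
            return False
        return self.cluster_id not in route.cluster_list

    def reflect(self, route, from_peer, sender_router_id):
        """Return {peer address: route as reflected} for an UPDATE received
        from from_peer, applying the client/non-client rules."""
        if not self.accept(route):
            return {}
        if from_peer in self.clients:
            targets = set(self.non_clients)
            if self.reflect_between_clients:
                targets |= self.clients - {from_peer}
        elif from_peer in self.non_clients:
            targets = set(self.clients)     # non-client routes go to clients only
        else:
            raise ValueError(f"{from_peer} is not a configured IBGP peer")
        reflected = replace(route,
                            originator_id=route.originator_id or sender_router_id,
                            cluster_list=(self.cluster_id,) + route.cluster_list)
        return {peer: reflected for peer in sorted(targets)}


def page_scenario():
    """Switch B from the example: cluster 1, clients D and E, non-clients A and C."""
    switch_b = RouteReflector(router_id="2.2.2.2", cluster_id=cluster_id_str(1),
                              clients=frozenset({"10.1.4.2", "10.1.5.2"}),
                              non_clients=frozenset({"10.1.1.2", "10.1.2.2"}),
                              reflect_between_clients=False)
    from_a = IbgpRoute("9.1.1.0/24", next_hop="10.1.1.2")
    to_clients = switch_b.reflect(from_a, from_peer="10.1.1.2", sender_router_id="1.1.1.1")
    at_d = to_clients["10.1.4.2"]
    # Switch D sending the reflected route back to Switch B: dropped by the loop check.
    looped = switch_b.reflect(at_d, from_peer="10.1.4.2", sender_router_id="4.4.4.4")
    # A route originated by client D (constructed): with 'undo reflect between-clients'
    # it goes to the non-clients only, because D and E are directly peered.
    from_d = IbgpRoute("10.1.6.0/24", next_hop="10.1.4.2")
    from_client = switch_b.reflect(from_d, from_peer="10.1.4.2", sender_router_id="4.4.4.4")
    return {
        "reflected_to": sorted(to_clients),
        "originator_at_d": at_d.originator_id,
        "cluster_list_at_d": at_d.cluster_list,
        "looped": looped,
        "client_route_to": sorted(from_client),
    }


if __name__ == "__main__":
    for key, value in page_scenario().items():
        print(f"{key}: {value}")
```

The loop check is what makes the cluster ID a security-relevant setting: two RRs that are accidentally given the same reflector cluster-id will discard each other's reflected routes, while a wrongly unique cluster ID on a redundant pair removes that protection and lets a route circulate.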

Configuration Files

Configuration file of Switch A

#
sysname SwitchA
#
vlan batch 10 30 100
#
interface Vlanif10
ip address 10.1.1.2 255.255.255.0
#
interface Vlanif30
ip address 10.1.3.2 255.255.255.0
#
interface Vlanif100

ip address 9.1.1.1 255.255.255.0


#
interface GigabitEthernet0/0/1
port hybrid pvid vlan 10
port hybrid untagged vlan 10
#
interface GigabitEthernet0/0/2
port hybrid pvid vlan 30
port hybrid untagged vlan 30
#
interface GigabitEthernet0/0/3
port hybrid pvid vlan 100
port hybrid untagged vlan 100
#
bgp 65010
router-id 1.1.1.1
peer 10.1.1.1 as-number 65010
peer 10.1.3.1 as-number 65010
#
ipv4-family unicast
undo synchronization
network 9.1.1.0 255.255.255.0
peer 10.1.1.1 enable
peer 10.1.3.1 enable
#
return

Configuration file of Switch B


#
sysname SwitchB
#
vlan batch 10 20 40 50
#
interface Vlanif10
ip address 10.1.1.1 255.255.255.0
#
interface Vlanif20
ip address 10.1.2.1 255.255.255.0
#
interface Vlanif40
ip address 10.1.4.1 255.255.255.0
#
interface Vlanif50
ip address 10.1.5.1 255.255.255.0
#
interface GigabitEthernet0/0/1
port hybrid pvid vlan 10
port hybrid untagged vlan 10
#
interface GigabitEthernet0/0/2
port hybrid pvid vlan 20
port hybrid untagged vlan 20
#
interface GigabitEthernet0/0/3
port hybrid pvid vlan 40
port hybrid untagged vlan 40
#
interface GigabitEthernet0/0/4
port hybrid pvid vlan 50
port hybrid untagged vlan 50
#
bgp 65010
router-id 2.2.2.2
peer 10.1.1.2 as-number 65010
peer 10.1.2.2 as-number 65010
group in_rr internal
peer 10.1.4.2 as-number 65010
peer 10.1.4.2 group in_rr
peer 10.1.5.2 as-number 65010
peer 10.1.5.2 group in_rr

#
ipv4-family unicast
undo synchronization
undo reflect between-clients
reflector cluster-id 1
peer 10.1.1.2 enable
peer 10.1.2.2 enable
peer in_rr enable
peer in_rr reflect-client
peer 10.1.4.2 enable
peer 10.1.4.2 group in_rr
peer 10.1.5.2 enable
peer 10.1.5.2 group in_rr
#
return

Configuration file of Switch C


#
sysname SwitchC
#
vlan batch 20 30 70 80 90
#
interface Vlanif20
ip address 10.1.2.2 255.255.255.0
#
interface Vlanif30
ip address 10.1.3.1 255.255.255.0
#
interface Vlanif70
ip address 10.1.7.1 255.255.255.0
#
interface Vlanif80
ip address 10.1.8.1 255.255.255.0
#
interface Vlanif90
ip address 10.1.9.1 255.255.255.0
#
interface GigabitEthernet0/0/1
port hybrid pvid vlan 30
port hybrid untagged vlan 30
#
interface GigabitEthernet0/0/2
port hybrid pvid vlan 20
port hybrid untagged vlan 20
#
interface GigabitEthernet0/0/3
port hybrid pvid vlan 70
port hybrid untagged vlan 70
#
interface GigabitEthernet0/0/4
port hybrid pvid vlan 80
port hybrid untagged vlan 80
#
interface GigabitEthernet0/0/5
port hybrid pvid vlan 90
port hybrid untagged vlan 90
#
bgp 65010
router-id 3.3.3.3
peer 10.1.2.1 as-number 65010
peer 10.1.3.2 as-number 65010
group in_rr internal
peer 10.1.7.2 as-number 65010
peer 10.1.7.2 group in_rr
peer 10.1.8.2 as-number 65010
peer 10.1.8.2 group in_rr
peer 10.1.9.2 as-number 65010
peer 10.1.9.2 group in_rr
#
ipv4-family unicast

undo synchronization
reflector cluster-id 2
peer 10.1.2.1 enable
peer 10.1.3.2 enable
peer in_rr enable
peer in_rr reflect-client
peer 10.1.7.2 enable
peer 10.1.7.2 group in_rr
peer 10.1.8.2 enable
peer 10.1.8.2 group in_rr
peer 10.1.9.2 enable
peer 10.1.9.2 group in_rr

#
return

Configuration file of Switch D


#
sysname SwitchD
#
vlan batch 40 60
#
interface Vlanif40
ip address 10.1.4.2 255.255.255.0
#
interface Vlanif60
ip address 10.1.6.1 255.255.255.0
#
interface GigabitEthernet0/0/1
port hybrid pvid vlan 40
port hybrid untagged vlan 40
#
interface GigabitEthernet0/0/2
port hybrid pvid vlan 60
port hybrid untagged vlan 60
#
bgp 65010
router-id 4.4.4.4
peer 10.1.4.1 as-number 65010
peer 10.1.6.2 as-number 65010
#
ipv4-family unicast
undo synchronization
peer 10.1.4.1 enable
peer 10.1.6.2 enable
#
return
NOTE
The configuration files of the other Switches are similar to the configuration file of Switch D, and are not
mentioned here.

Example for Configuring a BGP Confederation


Networking Requirements
As shown in Figure 5-38, several Switches run BGP in AS 200. To reduce the number of IBGP
connections, divide AS 200 into three sub-ASs, namely AS 65001, AS 65002, and AS 65003.
In addition, IBGP connections are set up between the three Switches in AS 65001.

Figure 5-38 Networking diagram for configuring a BGP confederation (AS 200 is divided into sub-AS 65001 with Switch A, Switch D, and Switch E, sub-AS 65002 with Switch B, and sub-AS 65003 with Switch C; Switch A connects to Switch B, Switch C, Switch D, and Switch E, and over GE0/0/5 to Switch F in AS 100; Switch D and Switch E are directly connected)

Switch     Interface               VLANIF interface    IP address
SwitchA    GigabitEthernet0/0/1    VLANIF 10           10.1.1.1/24
SwitchA    GigabitEthernet0/0/2    VLANIF 20           10.1.2.1/24
SwitchA    GigabitEthernet0/0/3    VLANIF 30           10.1.3.1/24
SwitchA    GigabitEthernet0/0/4    VLANIF 40           10.1.4.1/24
SwitchA    GigabitEthernet0/0/5    VLANIF 60           200.1.1.1/24
SwitchB    GigabitEthernet0/0/1    VLANIF 10           10.1.1.2/24
SwitchC    GigabitEthernet0/0/1    VLANIF 20           10.1.2.2/24
SwitchD    GigabitEthernet0/0/1    VLANIF 30           10.1.3.2/24
SwitchD    GigabitEthernet0/0/2    VLANIF 50           10.1.5.1/24
SwitchE    GigabitEthernet0/0/1    VLANIF 40           10.1.4.2/24
SwitchE    GigabitEthernet0/0/2    VLANIF 50           10.1.5.2/24
SwitchF    GigabitEthernet0/0/1    VLANIF 60           200.1.1.2/24
SwitchF    GigabitEthernet0/0/2    VLANIF 70           9.1.1.1/24

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure the BGP confederation on each Switch in AS 200.
2. Establish IBGP connections in AS 65001.
3. Establish EBGP connections between AS 100 and AS 200, and check the routes.

Data Preparation
To complete the configuration, you need the following data:
- ID of the VLAN that each interface belongs to, as shown in Figure 5-38
- IP address of each VLANIF interface, as shown in Figure 5-38
- Router IDs of Switch A, Switch B, Switch C, Switch D, Switch E, and Switch F being 1.1.1.1, 2.2.2.2, 3.3.3.3, 4.4.4.4, 5.5.5.5, and 6.6.6.6
- AS 100, AS 200, and the three sub-AS numbers of AS 200 being 65001, 65002, and 65003
Procedure
Step 1 Create VLANs and add interfaces to the corresponding VLANs.
<Quidway> system-view
[Quidway] sysname SwitchA
[SwitchA] vlan batch 10 20 30 40 60
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port hybrid pvid vlan 10
[SwitchA-GigabitEthernet0/0/1] port hybrid untagged vlan 10
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port hybrid pvid vlan 20
[SwitchA-GigabitEthernet0/0/2] port hybrid untagged vlan 20
[SwitchA-GigabitEthernet0/0/2] quit
[SwitchA] interface gigabitethernet 0/0/3
[SwitchA-GigabitEthernet0/0/3] port hybrid pvid vlan 30
[SwitchA-GigabitEthernet0/0/3] port hybrid untagged vlan 30
[SwitchA-GigabitEthernet0/0/3] quit
[SwitchA] interface gigabitethernet 0/0/4
[SwitchA-GigabitEthernet0/0/4] port hybrid pvid vlan 40
[SwitchA-GigabitEthernet0/0/4] port hybrid untagged vlan 40
[SwitchA-GigabitEthernet0/0/4] quit
[SwitchA] interface gigabitethernet 0/0/5
[SwitchA-GigabitEthernet0/0/5] port hybrid pvid vlan 60
[SwitchA-GigabitEthernet0/0/5] port hybrid untagged vlan 60
[SwitchA-GigabitEthernet0/0/5] quit

The configurations of Switch B, Switch C, Switch D, Switch E, and Switch F are similar to
the configuration of Switch A, and are not mentioned here.
Step 2 Assign an IP address to each VLANIF interface.
[SwitchA] interface vlanif 10
[SwitchA-Vlanif10] ip address 10.1.1.1 24
[SwitchA-Vlanif10] quit
[SwitchA] interface vlanif 20
[SwitchA-Vlanif20] ip address 10.1.2.1 24
[SwitchA-Vlanif20] quit
[SwitchA] interface vlanif 30
[SwitchA-Vlanif30] ip address 10.1.3.1 24
[SwitchA-Vlanif30] quit
[SwitchA] interface vlanif 40
[SwitchA-Vlanif40] ip address 10.1.4.1 24
[SwitchA-Vlanif40] quit
[SwitchA] interface vlanif 60
[SwitchA-Vlanif60] ip address 200.1.1.1 24
[SwitchA-Vlanif60] quit

The configurations of Switch B, Switch C, Switch D, Switch E, and Switch F are similar to
the configuration of Switch A, and are not mentioned here.
Step 3 Configure the BGP confederation.
# Configure Switch A.
[SwitchA] bgp 65001
[SwitchA-bgp] router-id 1.1.1.1
[SwitchA-bgp] confederation id 200
[SwitchA-bgp] confederation peer-as 65002 65003
[SwitchA-bgp] peer 10.1.1.2 as-number 65002
[SwitchA-bgp] peer 10.1.2.2 as-number 65003
[SwitchA-bgp] ipv4-family unicast
[SwitchA-bgp-af-ipv4] peer 10.1.1.2 next-hop-local
[SwitchA-bgp-af-ipv4] peer 10.1.2.2 next-hop-local
[SwitchA-bgp-af-ipv4] quit
[SwitchA-bgp] quit

# Configure Switch B.
[SwitchB] bgp 65002
[SwitchB-bgp] router-id 2.2.2.2
[SwitchB-bgp] confederation id 200
[SwitchB-bgp] confederation peer-as 65001 65003
[SwitchB-bgp] peer 10.1.1.1 as-number 65001
[SwitchB-bgp] quit

# Configure Switch C.
[SwitchC] bgp 65003
[SwitchC-bgp] router-id 3.3.3.3
[SwitchC-bgp] confederation id 200
[SwitchC-bgp] confederation peer-as 65001 65002
[SwitchC-bgp] peer 10.1.2.1 as-number 65001
[SwitchC-bgp] quit

Step 4 Establish IBGP connection in AS 65001.


# Configure Switch A.
[SwitchA] bgp 65001
[SwitchA-bgp] peer 10.1.3.2 as-number 65001
[SwitchA-bgp] peer 10.1.4.2 as-number 65001
[SwitchA-bgp] ipv4-family unicast
[SwitchA-bgp-af-ipv4] peer 10.1.3.2 next-hop-local
[SwitchA-bgp-af-ipv4] peer 10.1.4.2 next-hop-local
[SwitchA-bgp-af-ipv4] quit

# Configure Switch D.
[SwitchD] bgp 65001
[SwitchD-bgp] router-id 4.4.4.4
[SwitchD-bgp] peer 10.1.3.1 as-number 65001
[SwitchD-bgp] peer 10.1.5.2 as-number 65001
[SwitchD-bgp] quit

# Configure Switch E.
[SwitchE] bgp 65001
[SwitchE-bgp] router-id 5.5.5.5
[SwitchE-bgp] peer 10.1.4.1 as-number 65001
[SwitchE-bgp] peer 10.1.5.1 as-number 65001
[SwitchE-bgp] quit

Step 5 Establish an EBGP connection between AS 100 and AS 200.


# Configure Switch A.
[SwitchA] bgp 65001
[SwitchA-bgp] peer 200.1.1.2 as-number 100
[SwitchA-bgp] quit

# Configure Switch F.
[SwitchF] bgp 100
[SwitchF-bgp] router-id 6.6.6.6

[SwitchF-bgp] peer 200.1.1.1 as-number 200


[SwitchF-bgp] ipv4-family unicast
[SwitchF-bgp-af-ipv4] network 9.1.1.0 255.255.255.0
[SwitchF-bgp-af-ipv4] quit
[SwitchF-bgp] quit

Step 6 Verify the configuration.


# Check the BGP routing table of Switch B.
[SwitchB] display bgp routing-table
BGP Local router ID is 2.2.2.2
Status codes: * - valid, > - best, d - damped,
h - history, i - internal, s - suppressed, S - Stale
Origin : i - IGP, e - EGP, ? - incomplete
Total Number of Routes: 1
Network            NextHop         MED        LocPrf    PrefVal Path/Ogn
*>i 9.1.1.0/24     10.1.1.1        0          100       0       (65001) 100i
[SwitchB] display bgp routing-table 9.1.1.0
BGP local router ID : 2.2.2.2
Local AS number : 65002
Paths:   1 available, 1 best, 1 select
BGP routing table entry information of 9.1.1.0/24:
From: 10.1.1.1 (1.1.1.1)
Route Duration: 00h01m22s
Relay IP Nexthop: 0.0.0.0
Relay IP Out-Interface: Vlanif10
Original nexthop: 10.1.1.1
Qos information : 0x0
AS-path (65001) 100, origin igp, MED 0, localpref 100, pref-val 0, valid, external-confed, best, select, active, pre 255
Not advertised to any peers yet

# Check the BGP routing table of Switch D.


[SwitchD] display bgp routing-table
BGP Local router ID is 4.4.4.4
Status codes: * - valid, > - best, d - damped,
h - history, i - internal, s - suppressed, S - Stale
Origin : i - IGP, e - EGP, ? - incomplete
Total Number of Routes: 1
Network            NextHop         MED        LocPrf    PrefVal Path/Ogn
*>i 9.1.1.0/24     10.1.3.1        0          100       0       100i
[SwitchD] display bgp routing-table 9.1.1.0
BGP local router ID : 4.4.4.4
Local AS number : 65001
Paths:   1 available, 1 best, 1 select
BGP routing table entry information of 9.1.1.0/24:
From: 10.1.3.1 (1.1.1.1)
Route Duration: 00h18m34s
Relay IP Nexthop: 0.0.0.0
Relay IP Out-Interface: Vlanif30
Original nexthop: 10.1.3.1
Qos information : 0x0
AS-path 100, origin igp, MED 0, localpref 100, pref-val 0, valid, internal, best, select, active, pre 255
Not advertised to any peers yet

----End
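The AS-path values in the two routing tables above ("(65001) 100i" on Switch B, "100i" on Switch D) follow from the confederation rules of RFC 5065. The Python model below is an added example, not code from the Huawei guide: it walks 9.1.1.0/24 from Switch F through confederation 200 and also shows what a peer outside the confederation would receive; the external peer in AS 300 is a hypothetical addition, not part of the example network.

```python
# Added example (not Huawei's code): AS_PATH evolution for 9.1.1.0/24 in the
# confederation above (confederation ID 200, member ASs 65001-65003, origin
# AS 100), following RFC 5065. AS 300 is a hypothetical external peer of
# Switch B that is not in the original example.
from dataclasses import dataclass
from typing import List, Tuple

CONFED_ID = 200
MEMBER_ASES = {65001, 65002, 65003}

AS_SEQUENCE = "AS_SEQUENCE"
AS_CONFED_SEQUENCE = "AS_CONFED_SEQUENCE"
Segment = Tuple[str, List[int]]  # (segment type, AS numbers, leftmost first)


@dataclass
class Speaker:
    name: str
    asn: int            # member AS inside the confederation, or a plain AS
    confed_id: int = 0  # 0 = not part of a confederation

    def advertise(self, as_path: List[Segment], peer_as: int) -> List[Segment]:
        """Return the AS_PATH a peer in peer_as receives from this speaker."""
        path = [(kind, list(ases)) for kind, ases in as_path]
        if peer_as == self.asn:
            # IBGP inside one member AS (Switch A -> Switch D): unchanged.
            return path
        if self.confed_id and peer_as in MEMBER_ASES:
            # Confederation-external peer (Switch A -> Switch B): prepend the
            # member AS as an AS_CONFED_SEQUENCE, shown in parentheses.
            if path and path[0][0] == AS_CONFED_SEQUENCE:
                path[0][1].insert(0, self.asn)
            else:
                path.insert(0, (AS_CONFED_SEQUENCE, [self.asn]))
            return path
        # Real EBGP leaving the confederation: confederation segments are
        # stripped and the confederation ID (or plain AS) is prepended, so the
        # member AS numbers never leak outside.
        path = [(kind, ases) for kind, ases in path if kind != AS_CONFED_SEQUENCE]
        local_as = self.confed_id or self.asn
        if path and path[0][0] == AS_SEQUENCE:
            path[0][1].insert(0, local_as)
        else:
            path.insert(0, (AS_SEQUENCE, [local_as]))
        return path


def format_path(path: List[Segment]) -> str:
    """Render the path the way 'display bgp routing-table' does."""
    parts = []
    for kind, ases in path:
        text = " ".join(str(a) for a in ases)
        parts.append(f"({text})" if kind == AS_CONFED_SEQUENCE else text)
    return " ".join(parts)


def has_confed_loop(path: List[Segment], member_as: int) -> bool:
    """Loop check a member AS applies on receipt: its own number inside an
    AS_CONFED_SEQUENCE means the update already passed through it."""
    return any(kind == AS_CONFED_SEQUENCE and member_as in ases
               for kind, ases in path)


def propagate_example() -> dict:
    """Follow 9.1.1.0/24 from Switch F through the confederation."""
    switch_f = Speaker("SwitchF", 100)
    switch_a = Speaker("SwitchA", 65001, CONFED_ID)
    switch_b = Speaker("SwitchB", 65002, CONFED_ID)
    origin: List[Segment] = []                    # locally originated in AS 100
    at_a = switch_f.advertise(origin, CONFED_ID)  # Switch F peers with "AS 200"
    at_b = switch_a.advertise(at_a, 65002)        # confed-external to Switch B
    at_d = switch_a.advertise(at_a, 65001)        # IBGP to Switch D
    outside = switch_b.advertise(at_b, 300)       # hypothetical peer in AS 300
    return {
        "SwitchA": format_path(at_a),
        "SwitchB": format_path(at_b),
        "SwitchD": format_path(at_d),
        "AS300": format_path(outside),
        "loop_back_to_65001": has_confed_loop(at_b, 65001),
    }


if __name__ == "__main__":
    for where, path in propagate_example().items():
        print(f"{where:>20}: {path}")
```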
Configuration Files

Configuration file of Switch A

#
sysname SwitchA
#
vlan batch 10 20 30 40 60
#
interface Vlanif10
ip address 10.1.1.1 255.255.255.0
#
interface Vlanif20
ip address 10.1.2.1 255.255.255.0
#
interface Vlanif30
ip address 10.1.3.1 255.255.255.0
#
interface Vlanif40
ip address 10.1.4.1 255.255.255.0
#
interface Vlanif60
ip address 200.1.1.1 255.255.255.0
#
interface GigabitEthernet0/0/1
port hybrid pvid vlan 10
port hybrid untagged vlan 10
#
interface GigabitEthernet0/0/2
port hybrid pvid vlan 20
port hybrid untagged vlan 20
#
interface GigabitEthernet0/0/3
port hybrid pvid vlan 30
port hybrid untagged vlan 30
#
interface GigabitEthernet0/0/4
port hybrid pvid vlan 40
port hybrid untagged vlan 40
#
interface GigabitEthernet0/0/5
port hybrid pvid vlan 60
port hybrid untagged vlan 60
#
bgp 65001
router-id 1.1.1.1
confederation id 200
confederation peer-as 65002 65003
peer 10.1.1.2 as-number 65002
peer 10.1.2.2 as-number 65003
peer 10.1.3.2 as-number 65001
peer 10.1.4.2 as-number 65001
peer 200.1.1.2 as-number 100
#
ipv4-family unicast
undo synchronization
peer 10.1.1.2 enable
peer 10.1.1.2 next-hop-local
peer 10.1.2.2 enable
peer 10.1.2.2 next-hop-local
peer 10.1.3.2 enable
peer 10.1.3.2 next-hop-local
peer 10.1.4.2 enable
peer 10.1.4.2 next-hop-local
peer 200.1.1.2 enable
#
return

Configuration file of Switch B

#
sysname SwitchB
#
vlan batch 10
#
interface Vlanif10
ip address 10.1.1.2 255.255.255.0
#
interface GigabitEthernet0/0/1
port hybrid pvid vlan 10
port hybrid untagged vlan 10
#
bgp 65002
router-id 2.2.2.2
confederation id 200
confederation peer-as 65001 65003
peer 10.1.1.1 as-number 65001
#
ipv4-family unicast
undo synchronization
peer 10.1.1.1 enable
#
return

Configuration file of Switch C


#
sysname SwitchC
#
vlan batch 20
#
interface Vlanif20
ip address 10.1.2.2 255.255.255.0
#
interface GigabitEthernet0/0/1
port hybrid pvid vlan 20
port hybrid untagged vlan 20
#
bgp 65003
router-id 3.3.3.3
confederation id 200
confederation peer-as 65001 65002
peer 10.1.2.1 as-number 65001
#
ipv4-family unicast
undo synchronization
peer 10.1.2.1 enable
#
return

Configuration file of Switch D


#
sysname SwitchD
#
vlan batch 30 50
#
interface Vlanif30
ip address 10.1.3.2 255.255.255.0
#
interface Vlanif50
ip address 10.1.5.1 255.255.255.0
#
interface GigabitEthernet0/0/1
port hybrid pvid vlan 30
port hybrid untagged vlan 30
#
interface GigabitEthernet0/0/2
port hybrid pvid vlan 50
port hybrid untagged vlan 50
#
bgp 65001
router-id 4.4.4.4
peer 10.1.3.1 as-number 65001
peer 10.1.5.2 as-number 65001
#
ipv4-family unicast
undo synchronization
peer 10.1.3.1 enable
peer 10.1.5.2 enable
#
return

Configuration file of Switch E


#
sysname SwitchE
#
vlan batch 40 50
#
interface Vlanif40
ip address 10.1.4.2 255.255.255.0
#
interface Vlanif50
ip address 10.1.5.2 255.255.255.0
#
interface GigabitEthernet0/0/1
port hybrid pvid vlan 40
port hybrid untagged vlan 40
#
interface GigabitEthernet0/0/2
port hybrid pvid vlan 50
port hybrid untagged vlan 50
#
bgp 65001
router-id 5.5.5.5
peer 10.1.4.1 as-number 65001
peer 10.1.5.1 as-number 65001
#
ipv4-family unicast
undo synchronization
peer 10.1.4.1 enable
peer 10.1.5.1 enable
#
return

Configuration file of Switch F


#
sysname SwitchF
#
vlan batch 60 70
#
interface Vlanif60
ip address 200.1.1.2 255.255.255.0
#
interface Vlanif70
ip address 9.1.1.1 255.255.255.0
#
interface GigabitEthernet0/0/1
port hybrid pvid vlan 60
port hybrid untagged vlan 60
#
interface GigabitEthernet0/0/2
port hybrid pvid vlan 70
port hybrid untagged vlan 70
#
bgp 100
router-id 6.6.6.6
peer 200.1.1.1 as-number 200
#
ipv4-family unicast
undo synchronization
network 9.1.1.0 255.255.255.0
peer 200.1.1.1 enable
#
return

Example for Configuring BFD for BGP


Networking Requirements
As shown in Figure 5-39, Switch A belongs to AS 100, and Switch B and Switch C belong to
AS 200. EBGP connections are established between Switch A and Switch B and between Switch
A and Switch C.
Service flow is transmitted on the active link Switch A -> Switch B. The link Switch A -> Switch
C -> Switch B acts as the standby link.
Use BFD to detect the BGP peer relationship between Switch A and Switch B. When the link
between Switch A and Switch B fails, BFD can rapidly detect the fault and notify BGP. Service
flows are then transmitted on the standby link.
Figure 5-39 Networking diagram for configuring BFD for BGP
[Figure: Switch A (AS 100) connects to Switch B and Switch C (AS 200) over EBGP; Switch B and Switch C are connected over IBGP. Interfaces and addresses are listed in the table below.]

Switch    Interface              VLANIF interface    IP address
SwitchA   GigabitEthernet0/0/1   VLANIF 10           200.1.2.1/24
SwitchA   GigabitEthernet0/0/2   VLANIF 20           200.1.1.1/24
SwitchB   GigabitEthernet0/0/1   VLANIF 30           9.1.1.1/24
SwitchB   GigabitEthernet0/0/2   VLANIF 20           200.1.1.2/24
SwitchB   GigabitEthernet0/0/3   VLANIF 40           172.16.1.1/24
SwitchC   GigabitEthernet0/0/1   VLANIF 10           200.1.2.2/24
SwitchC   GigabitEthernet0/0/2   VLANIF 30           9.1.1.2/24

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure basic BGP functions on each Switch.
2. Configure MED attributes to control the route selection.
3. Enable BFD on Switch A and Switch B.

Data Preparation
To complete the configuration, you need the following data:
- Router IDs and AS numbers of Switch A, Switch B, and Switch C
- Peer IP address detected by BFD
- Minimum interval for sending BFD control packets, minimum interval for receiving BFD control packets, and local detection multiplier

Procedure
Step 1 Assign IP addresses to the interfaces of Switches. The configuration details are not mentioned
here.
Step 2 Configure basic BGP functions. Establish EBGP peer relationships between Switch A and
Switch B, and between Switch A and Switch C and an IBGP peer relationship between
Switch B and Switch C.
# Configure Switch A.
[SwitchA] bgp 100
[SwitchA-bgp] router-id 1.1.1.1
[SwitchA-bgp] peer 200.1.1.2 as-number 200
[SwitchA-bgp] peer 200.1.1.2 ebgp-max-hop
[SwitchA-bgp] peer 200.1.2.2 as-number 200
[SwitchA-bgp] peer 200.1.2.2 ebgp-max-hop
[SwitchA-bgp] quit

# Configure Switch B.
[SwitchB] bgp 200
[SwitchB-bgp] router-id 2.2.2.2
[SwitchB-bgp] peer 200.1.1.1 as-number 100
[SwitchB-bgp] peer 200.1.1.1 ebgp-max-hop
[SwitchB-bgp] peer 9.1.1.2 as-number 200
[SwitchB-bgp] network 172.16.1.0 255.255.255.0
[SwitchB-bgp] quit

# Configure Switch C.
[SwitchC] bgp 200
[SwitchC-bgp] router-id 3.3.3.3
[SwitchC-bgp] peer 200.1.2.1 as-number 100
[SwitchC-bgp] peer 200.1.2.1 ebgp-max-hop
[SwitchC-bgp] peer 9.1.1.1 as-number 200
[SwitchC-bgp] network 9.1.1.0 255.255.255.0
[SwitchC-bgp] quit

# Check the status of BGP peer relationships on Switch A. The command output shows that the
BGP peer relationships are in the Established state.
<SwitchA> display bgp peer
BGP local router ID : 1.1.1.1
Local AS number : 100
Total number of peers : 2                 Peers in established state : 2
Peer         V    AS  MsgRcvd  MsgSent  OutQ  Up/Down    State        PrefRcv
200.1.1.2    4   200        2        5     0  00:01:25   Established        0
200.1.2.2    4   200        2        4     0  00:00:55   Established        0

Step 3 Set the MED.


Set the MED sent from Switch B to Switch C through the policy.
# Configure Switch B.
[SwitchB] route-policy 10 permit node 10
[SwitchB-route-policy] apply cost 100
[SwitchB-route-policy] quit
[SwitchB] bgp 200
[SwitchB-bgp] peer 200.1.1.1 route-policy 10 export

# Configure Switch C.
[SwitchC] route-policy 10 permit node 10
[SwitchC-route-policy] apply cost 150
[SwitchC-route-policy] quit
[SwitchC] bgp 200
[SwitchC-bgp] peer 200.1.2.1 route-policy 10 export

# View all BGP routing information on Switch A.


<SwitchA> display bgp routing-table
BGP Local router ID is 1.1.1.1
Status codes: * - valid, > - best, d - damped,
h - history, i - internal, s - suppressed, S - Stale
Origin : i - IGP, e - EGP, ? - incomplete
Total Number of Routes: 2
Network            NextHop         MED        LocPrf    PrefVal Path/Ogn
*>  172.16.1.0/24  200.1.1.2       100                  0       200i
*                  200.1.2.2       150                  0       200i

According to the BGP routing table, the next hop address of the route destined for 172.16.1.0/24
is 200.1.1.2 and service flow is transmitted on the active link Switch A -> Switch B.
Step 4 Configure BFD, and set the interval for transmitting BFD packets, the interval for receiving BFD
packets, and the local detection multiplier.
# Enable BFD on Switch A. Set the minimum intervals for transmitting and receiving BFD
packets to 100 ms and the local detection multiplier to 4.
[SwitchA] bfd
[SwitchA-bfd] quit
[SwitchA] bgp 100
[SwitchA-bgp] peer 200.1.1.2 bfd enable
[SwitchA-bgp] peer 200.1.1.2 bfd min-tx-interval 100 min-rx-interval 100 detect-multiplier 4

# Enable BFD on Switch B. Set the minimum intervals for transmitting and receiving BFD
packets to 100 ms and the local detection multiplier to 4.
[SwitchB] bfd
[SwitchB-bfd] quit
[SwitchB] bgp 200
[SwitchB-bgp] peer 200.1.1.1 bfd enable
[SwitchB-bgp] peer 200.1.1.1 bfd min-tx-interval 100 min-rx-interval 100 detect-multiplier 4

# Display all BFD sessions on Switch A.


<SwitchA> display bgp bfd session all
Local_Address      Peer_Address       LD/RD        Interface             Session-State
200.1.1.1          200.1.1.2          8201/8201    GigibitEthernet2/0/0  Up
Tx-interval(ms)    Rx-interval(ms)    Multiplier   Wtr-interval(m)
100                100                4            0

Step 5 Verify the configuration.


# Run the shutdown command on VLANIF20 of Switch B to simulate faults on the active link.
[SwitchB] interface vlanif 20
[SwitchB-Vlanif20] shutdown

# Check the BGP routing table on Switch A.


<SwitchA> display bgp routing-table
BGP Local router ID is 1.1.1.1
Status codes: * - valid, > - best, d - damped,
h - history, i - internal, s - suppressed, S - Stale
Origin : i - IGP, e - EGP, ? - incomplete
Total Number of Routes: 1
Network            NextHop         MED        LocPrf    PrefVal Path/Ogn
*>  172.16.1.0/24  200.1.2.2       150                  0       200i

According to the BGP routing table, the standby link Switch A -> Switch C -> Switch B takes
effect after the active link fails. The next hop address of the route destined for 172.16.1.0/24
becomes 200.1.2.2.
----End
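To make the failover above explicit, the following Python model (an added example, not code from the Huawei guide) derives the BFD detection time from the configured intervals and multiplier, lets the session expire on a constructed timeline, and re-runs the MED-based selection so the next hop moves from 200.1.1.2 to 200.1.2.2 as in the routing tables above. The timeline values are constructed; the detection-time rule is the standard BFD one.

```python
# Added example (not Huawei's code): a model of the BFD-for-BGP failover in
# the example above. Switch A holds two paths to 172.16.1.0/24 from AS 200 and
# prefers the lower MED (100 via 200.1.1.2). A BFD session with min-tx/min-rx
# 100 ms and detect multiplier 4 declares the peer down after 400 ms without
# packets, and BGP then withdraws that peer's paths.
from dataclasses import dataclass
from typing import List, Optional


class BfdSession:
    """Local view of an asynchronous-mode BFD session with one peer."""

    def __init__(self, peer: str, local_min_rx_ms: int, remote_min_tx_ms: int,
                 remote_multiplier: int) -> None:
        self.peer = peer
        # The peer cannot send faster than we agreed to receive, so the
        # effective interval is the larger of the two; the peer's multiplier
        # says how many intervals may pass without a packet.
        self.detect_time_ms = max(local_min_rx_ms, remote_min_tx_ms) * remote_multiplier
        self.last_rx_ms: Optional[int] = None
        self.state = "Down"

    def receive(self, now_ms: int) -> None:
        """A BFD control packet from the peer arrived."""
        self.last_rx_ms = now_ms
        self.state = "Up"

    def check(self, now_ms: int) -> str:
        """Expire the session if the detection time has elapsed."""
        if self.state == "Up" and now_ms - self.last_rx_ms > self.detect_time_ms:
            self.state = "Down"
        return self.state


@dataclass
class BgpPath:
    prefix: str
    next_hop: str
    med: int
    as_path: str
    valid: bool = True


def select_best(paths: List[BgpPath]) -> Optional[BgpPath]:
    """Simplified selection: both paths come from the same neighbouring AS
    with equal PrefVal and LocPrf, so the lowest MED wins."""
    valid = [p for p in paths if p.valid]
    return min(valid, key=lambda p: p.med) if valid else None


def withdraw_peer(paths: List[BgpPath], peer: str) -> None:
    """BGP's reaction to a BFD down notification: drop that peer's paths
    immediately instead of waiting for the BGP hold timer."""
    for p in paths:
        if p.next_hop == peer:
            p.valid = False


def failover_example() -> dict:
    paths = [
        BgpPath("172.16.1.0/24", "200.1.1.2", med=100, as_path="200"),  # via Switch B
        BgpPath("172.16.1.0/24", "200.1.2.2", med=150, as_path="200"),  # via Switch C
    ]
    session = BfdSession("200.1.1.2", local_min_rx_ms=100, remote_min_tx_ms=100,
                         remote_multiplier=4)
    before = select_best(paths).next_hop

    # Constructed timeline: control packets arrive every 100 ms, then the
    # link Switch A -> Switch B goes down after t = 200 ms.
    for t in (0, 100, 200):
        session.receive(t)
    state_at_500 = session.check(500)   # 300 ms silent: still Up
    state_at_700 = session.check(700)   # 500 ms silent, beyond 400 ms: Down
    if state_at_700 == "Down":
        withdraw_peer(paths, session.peer)
    after = select_best(paths).next_hop
    return {
        "detect_time_ms": session.detect_time_ms,
        "state_at_500": state_at_500,
        "state_at_700": state_at_700,
        "next_hop_before": before,
        "next_hop_after": after,
    }


if __name__ == "__main__":
    print(failover_example())
```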

Configuration Files

Configuration file of Switch A

#
sysname SwitchA
#
router id 1.1.1.1
#
vlan batch 10 20
#
bfd
#
interface Vlanif10
ip address 200.1.2.1 255.255.255.0
#
interface Vlanif20
ip address 200.1.1.1 255.255.255.0
#
interface GigabitEthernet0/0/1
port hybrid pvid vlan 10
port hybrid untagged vlan 10
#
interface GigabitEthernet0/0/2
port hybrid pvid vlan 20
port hybrid untagged vlan 20
#
bgp 100
router-id 1.1.1.1
peer 200.1.1.2 as-number 200
peer 200.1.1.2 bfd min-tx-interval 100 min-rx-interval 100 detect-multiplier
4
peer 200.1.1.2 bfd enable
peer 200.1.2.2 as-number 200

#
ipv4-family unicast
undo synchronization
peer 200.1.1.2 enable
peer 200.1.2.2 enable
#
return

Configuration file of Switch B


#
sysname SwitchB
#
router id 2.2.2.2
#
vlan batch 20 30 40
#
bfd
#
interface Vlanif30
ip address 9.1.1.1 255.255.255.0
#
interface Vlanif20
ip address 200.1.1.2 255.255.255.0
#
interface Vlanif40
ip address 172.16.1.1 255.255.255.0
#
interface GigabitEthernet0/0/1
port hybrid pvid vlan 30
port hybrid untagged vlan 30
#
interface GigabitEthernet0/0/2
port hybrid pvid vlan 20
port hybrid untagged vlan 20
#
interface GigabitEthernet0/0/3
port hybrid pvid vlan 40
port hybrid untagged vlan 40
#
bgp 200
router-id 2.2.2.2
peer 9.1.1.2 as-number 200
peer 200.1.1.1 as-number 100
peer 200.1.1.1 bfd min-tx-interval 100 min-rx-interval 100 detect-multiplier
4
peer 200.1.1.1 bfd enable
#
ipv4-family unicast
undo synchronization
network 172.16.1.0 255.255.255.0
peer 9.1.1.2 enable
peer 200.1.1.1 enable
peer 200.1.1.1 route-policy 10 export
#
route-policy 10 permit node 10
apply cost 100
#
return

Configuration file of Switch C


#
sysname SwitchC
#
router id 3.3.3.3
#
vlan batch 10 30
#
bfd
#
interface Vlanif10
ip address 200.1.2.2 255.255.255.0
#
interface Vlanif30
ip address 9.1.1.2 255.255.255.0
#
interface GigabitEthernet0/0/1
port hybrid pvid vlan 10
port hybrid untagged vlan 10
#
interface GigabitEthernet0/0/2
port hybrid pvid vlan 30
port hybrid untagged vlan 30
#
bgp 200
router-id 3.3.3.3
peer 9.1.1.1 as-number 200
peer 200.1.2.1 as-number 100
#
ipv4-family unicast
undo synchronization
network 9.1.1.0 255.255.255.0
peer 9.1.1.1 enable
peer 200.1.2.1 enable
peer 200.1.2.1 route-policy 10 export
#
route-policy 10 permit node 10
apply cost 150
#
return

Example for Configuring BGP GTSM


Networking Requirements
As shown in Figure 5-40, Switch A belongs to AS 10, and Switch B, Switch C, and Switch D
belong to AS 20. BGP is run in the network and BGP GTSM is configured to protect Switch B
against CPU-utilization attacks.
Figure 5-40 Networking diagram for configuring BGP GTSM
[Figure: Switch A (AS 10) connects to Switch B over EBGP; Switch B (Loopback0 2.2.2.9/32), Switch C (Loopback0 3.3.3.9/32), and Switch D (Loopback0 4.4.4.9/32) belong to AS 20 and are connected over IBGP; a PC is also shown. Interfaces and addresses are listed in the table below.]

Switch    Interface              VLANIF interface    IP address
SwitchA   GigabitEthernet0/0/1   VLANIF 10           10.1.1.1/24
SwitchB   GigabitEthernet0/0/1   VLANIF 10           10.1.1.2/24
SwitchB   GigabitEthernet0/0/2   VLANIF 20           20.1.1.1/24
SwitchC   GigabitEthernet0/0/1   VLANIF 20           20.1.1.2/24
SwitchC   GigabitEthernet0/0/2   VLANIF 30           20.1.2.1/24
SwitchD   GigabitEthernet0/0/1   VLANIF 30           20.1.2.2/24

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure OSPF on Switch B, Switch C, and Switch D to implement interworking in AS 20.
2. Set up an EBGP connection between Switch A and Switch B, and set up IBGP connections between Switch B, Switch C, and Switch D through loopback interfaces.
3. Configure GTSM on Switch A, Switch B, Switch C, and Switch D.

Data Preparation
To complete the configuration, you need the following data:
- Router IDs of Switch A, Switch B, Switch C, and Switch D, and the number of the AS where each resides
- TTL values between Switch A and Switch B, between Switch B and Switch C, between Switch C and Switch D, and between Switch B and Switch D

Procedure
Step 1 Configure VLANs that interfaces belong to.
<Quidway> system-view
[Quidway] sysname SwitchA
[SwitchA] vlan batch 10
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port hybrid pvid vlan 10
[SwitchA-GigabitEthernet0/0/1] port hybrid untagged vlan 10
[SwitchA-GigabitEthernet0/0/1] quit

The configurations of Switch B, Switch C, and Switch D are similar to the configuration of
SwitchA, and are not mentioned here.
Step 2 Assign an IP address to each VLANIF interface.
[SwitchA] interface vlanif 10
[SwitchA-Vlanif10] ip address 10.1.1.1 24
[SwitchA-Vlanif10] quit

The configurations of Switch B, Switch C, and Switch D are similar to the configuration of
SwitchA, and are not mentioned here.
Step 3 Configure OSPF.
The configuration details are not mentioned here.
Step 4 Configure an IBGP connection.
# Configure Switch B.
[SwitchB] bgp 20
[SwitchB-bgp] router-id 2.2.2.9
[SwitchB-bgp] peer 3.3.3.9 as-number 20
[SwitchB-bgp] peer 3.3.3.9 connect-interface LoopBack0
[SwitchB-bgp] peer 3.3.3.9 next-hop-local
[SwitchB-bgp] peer 4.4.4.9 as-number 20
[SwitchB-bgp] peer 4.4.4.9 connect-interface LoopBack0
[SwitchB-bgp] peer 4.4.4.9 next-hop-local

# Configure Switch C.
[SwitchC] bgp 20
[SwitchC-bgp] router-id 3.3.3.9
[SwitchC-bgp] peer 2.2.2.9 as-number 20
[SwitchC-bgp] peer 2.2.2.9 connect-interface LoopBack0
[SwitchC-bgp] peer 4.4.4.9 as-number 20
[SwitchC-bgp] peer 4.4.4.9 connect-interface LoopBack0

# Configure Switch D.
[SwitchD] bgp 20
[SwitchD-bgp] router-id 4.4.4.9
[SwitchD-bgp] peer 2.2.2.9 as-number 20
[SwitchD-bgp] peer 2.2.2.9 connect-interface LoopBack0
[SwitchD-bgp] peer 3.3.3.9 as-number 20
[SwitchD-bgp] peer 3.3.3.9 connect-interface LoopBack0

Step 5 Configure an EBGP connection.


# Configure Switch A.
[SwitchA] bgp 10
[SwitchA-bgp] router-id 1.1.1.9
[SwitchA-bgp] peer 10.1.1.2 as-number 20

# Configure Switch B.
[SwitchB-bgp] peer 10.1.1.1 as-number 10

# Display the connection status of the BGP peers.


<SwitchB> display bgp peer
BGP local router ID : 2.2.2.9
Local AS number : 20
Total number of peers : 3                 Peers in established state : 3
Peer         V    AS  MsgRcvd  MsgSent  OutQ  Up/Down    State        PrefRcv
3.3.3.9      4    20        8        7     0  00:05:06   Established        0
4.4.4.9      4    20        8       10     0  00:05:33   Established        0
10.1.1.1     4    10        7        7     0  00:04:09   Established        0

You can view that Switch B has set up BGP connections with other routers.
Step 6 Configure GTSM on Switch A and Switch B. Switch A and Switch B are directly connected, so
the range of the TTL value between the two Switches is [255, 255]. The value of valid-ttl-hops is 1.
# Configure GTSM on Switch A.
[SwitchA-bgp] peer 10.1.1.2 valid-ttl-hops 1

# Configure GTSM of the EBGP connection on Switch B.


[SwitchB-bgp] peer 10.1.1.1 valid-ttl-hops 1

# Check the GTSM configuration.


<SwitchB> display bgp peer 10.1.1.1 verbose
BGP Peer is 10.1.1.1, remote AS 10
Type: EBGP link
BGP version 4, Remote router ID 1.1.1.9

Update-group ID : 2
BGP current state: Established, Up for 00h49m35s
BGP current event: RecvKeepalive
BGP last state: OpenConfirm
BGP Peer Up count: 1
Received total routes: 0
Received active routes total: 0
Advertised total routes: 0
Port: Local - 179
Remote - 52876
Configured: connect-retry Time: 32 sec
Configured: Active Hold Time: 180 sec
Keepalive Time:60 sec
Received : Active Hold Time: 180 sec
Negotiated: Active Hold Time: 180 sec
Keepalive Time:60 sec
Peer optional capabilities:
Peer supports bgp multi-protocol extension
Peer supports bgp route refresh capability
Peer supports bgp 4-byte-as capability
Address family IPv4 Unicast: advertised and received
Received: Total 59 messages
                 Update messages                0
                 Open messages                  2
                 KeepAlive messages             57
                 Notification messages          0
                 Refresh messages               0
Sent: Total 79 messages
                 Update messages                5
                 Open messages                  2
                 KeepAlive messages             71
                 Notification messages          1
                 Refresh messages               0
Authentication type configured: None
Last keepalive received: 2009-02-20 13:54:58+00:00
Minimum route advertisement interval is 30 seconds
Optional capabilities:
Route refresh capability has been enabled
4-byte-as capability has been enabled
GTSM has been enabled, valid-ttl-hops: 1
Peer Preferred Value: 0
Routing policy configured:
No routing policy is configured

You can view that GTSM is enabled, the valid hop count is 1, and the BGP connection is in the
Established state.
Step 7 Configure GTSM on Switch B and Switch C. Switch B and Switch C are directly connected, so
the range of the TTL value between the two Switches is [255, 255]. The value of valid-ttl-hops is 1.
# Configure GTSM on Switch B.
[SwitchB-bgp] peer 3.3.3.9 valid-ttl-hops 1

# Configure GTSM of the IBGP connection on Switch C.


[SwitchC-bgp] peer 2.2.2.9 valid-ttl-hops 1

# View the GTSM configuration.


<SwitchB> display bgp peer 3.3.3.9 verbose
BGP Peer is 3.3.3.9, remote AS 20
Type: IBGP link
BGP version 4, Remote router ID 3.3.3.9
Update-group ID : 1
BGP current state: Established, Up for 00h54m36s
BGP current event: KATimerExpired
BGP last state: OpenConfirm
BGP Peer Up count: 1
Received total routes: 0
Received active routes total: 0
Advertised total routes: 0
Port: Local - 54998
Remote - 179
Configured: connect-retry Time: 32 sec
Configured: Active Hold Time: 180 sec
Keepalive Time:60 sec
Received : Active Hold Time: 180 sec
Negotiated: Active Hold Time: 180 sec
Keepalive Time:60 sec
Peer optional capabilities:
Peer supports bgp multi-protocol extension
Peer supports bgp route refresh capability
Peer supports bgp 4-byte-as capability
Address family IPv4 Unicast: advertised and received
Received: Total 63 messages
                 Update messages                0
                 Open messages                  1
                 KeepAlive messages             62
                 Notification messages          0
                 Refresh messages               0
Sent: Total 69 messages
                 Update messages                10
                 Open messages                  1
                 KeepAlive messages             58
                 Notification messages          0
                 Refresh messages               0
Authentication type configured: None
Last keepalive received: 2009-02-20 13:57:43+00:00
Minimum route advertisement interval is 15 seconds
Optional capabilities:
Route refresh capability has been enabled
4-byte-as capability has been enabled
Nexthop self has been configured
Connect-interface has been configured
GTSM has been enabled, valid-ttl-hops: 1
Peer Preferred Value: 0
Routing policy configured:
No routing policy is configured

You can view that GTSM is enabled, the valid hop count is 1, and the BGP connection is in the
Established state.
Step 8 Configure GTSM on Switch C and Switch D. Switch C and Switch D are directly connected, so
the range of the TTL value between the two Switches is [255, 255]. The value of valid-ttl-hops is 1.
# Configure GTSM of the IBGP connection on Switch C.
[SwitchC-bgp] peer 4.4.4.9 valid-ttl-hops 1

# Configure GTSM of the IBGP connection on Switch D.


[SwitchD-bgp] peer 3.3.3.9 valid-ttl-hops 1

# Check the GTSM configuration.


<SwitchC> display bgp peer 4.4.4.9 verbose
BGP Peer is 4.4.4.9, remote AS 20
Type: IBGP link
BGP version 4, Remote router ID 4.4.4.9
Update-group ID : 1
BGP current state: Established, Up for 00h56m06s
BGP current event: KATimerExpired
BGP last state: OpenConfirm
BGP Peer Up count: 1
Received total routes: 0
Received active routes total: 0
Advertised total routes: 0
Port: Local - 179
Remote - 53758
Configured: connect-retry Time: 32 sec
Configured: Active Hold Time: 180 sec
Keepalive Time:60 sec
Received : Active Hold Time: 180 sec
Negotiated: Active Hold Time: 180 sec
Keepalive Time:60 sec
Peer optional capabilities:
Peer supports bgp multi-protocol extension
Peer supports bgp route refresh capability
Peer supports bgp 4-byte-as capability
Address family IPv4 Unicast: advertised and received
Received: Total 63 messages
                 Update messages                0
                 Open messages                  1
                 KeepAlive messages             62
                 Notification messages          0
                 Refresh messages               0
Sent: Total 63 messages
                 Update messages                0
                 Open messages                  2
                 KeepAlive messages             61
                 Notification messages          0
                 Refresh messages               0
Authentication type configured: None
Last keepalive received: 2009-02-20 14:00:06+00:00
Minimum route advertisement interval is 15 seconds
Optional capabilities:
Route refresh capability has been enabled
4-byte-as capability has been enabled
Connect-interface has been configured
GTSM has been enabled, valid-ttl-hops: 1
Peer Preferred Value: 0
Routing policy configured:
No routing policy is configured

You can view that GTSM is enabled, the valid hop count is 1, and the BGP connection is in the
Established state.
Step 9 Configure GTSM on Switch B and Switch D. Switch B and Switch D are connected through Switch
C, so the range of the TTL value between the two Switches is [254, 255]. The value of valid-ttl-hops is 2.
# Configure GTSM of the IBGP connection on Switch B.
[SwitchB-bgp] peer 4.4.4.9 valid-ttl-hops 2

# Configure GTSM on Switch D.


[SwitchD-bgp] peer 2.2.2.9 valid-ttl-hops 2

# Check the GTSM configuration.


<SwitchB> display bgp peer 4.4.4.9 verbose
BGP Peer is 4.4.4.9, remote AS 20
Type: IBGP link
BGP version 4, Remote router ID 4.4.4.9
Update-group ID : 0
BGP current state: Established, Up for 00h57m48s
BGP current event: RecvKeepalive
BGP last state: OpenConfirm
BGP Peer Up count: 1
Received total routes: 0
Received active routes total: 0
Advertised total routes: 0
Port: Local - 53714
Remote - 179
Configured: connect-retry Time: 32 sec
Configured: Active Hold Time: 180 sec
Keepalive Time:60 sec
Received : Active Hold Time: 180 sec
Negotiated: Active Hold Time: 180 sec
Keepalive Time:60 sec
Peer optional capabilities:
Peer supports bgp multi-protocol extension
Peer supports bgp route refresh capability
Peer supports bgp 4-byte-as capability
Address family IPv4 Unicast: advertised and received
Received: Total 72 messages
                 Update messages                0
                 Open messages                  1
                 KeepAlive messages             71
                 Notification messages          0
                 Refresh messages               0
Sent: Total 82 messages
                 Update messages                10
                 Open messages                  1
                 KeepAlive messages             71
                 Notification messages          0
                 Refresh messages               0
Authentication type configured: None
Last keepalive received: 2009-02-20 14:01:27+00:00
Minimum route advertisement interval is 15 seconds
Optional capabilities:
Route refresh capability has been enabled
4-byte-as capability has been enabled
Nexthop self has been configured
Connect-interface has been configured
GTSM has been enabled, valid-ttl-hops: 2
Peer Preferred Value: 0
Routing policy configured:
No routing policy is configured

You can view that GTSM is configured, the valid hop count is 2, and the BGP connection is in
the Established state.
NOTE
- In this example, if the value of valid-ttl-hops of either Switch B or Switch D is smaller than 2, the IBGP connection cannot be set up.
- GTSM must be configured on the two ends of the BGP connection.

Step 10 Verify the configuration.


# Run the display gtsm statistics all command on Switch B to check the GTSM statistics of
Switch B. By default, Switch B does not discard any packet when all packets match the GTSM
policy.
<SwitchB> display gtsm statistics all
GTSM Statistics Table
----------------------------------------------------------------
SlotId  Protocol  Total Counters  Drop Counters  Pass Counters
----------------------------------------------------------------
0       BGP       17              0              17
0       BGPv6     0               0              0
0       OSPF      0               0              0
0       LDP       0               0              0
----------------------------------------------------------------

If the host simulates the BGP packets of Switch A to attack Switch B, the packets are discarded
because their TTL value is not 255 when reaching Switch B. In the GTSM statistics of Switch
B, the number of dropped packets increases accordingly.
----End
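The TTL ranges in Steps 6 to 9 reduce to one rule: a packet from a GTSM peer is delivered only if its TTL lies in [255 - valid-ttl-hops + 1, 255]. The following Python filter (an added example, not Huawei code) applies Switch B's three policies from the configuration file below to a constructed set of packets and keeps Total/Drop/Pass counters like display gtsm statistics all; every packet and TTL in it is constructed.

```python
# Added example (not Huawei's code): the GTSM check (RFC 5082) that the
# valid-ttl-hops settings above configure on Switch B, run over constructed
# packets and summarised like 'display gtsm statistics all'. Packets from a
# source with no GTSM policy take the default action (pass), matching
# "By default, Switch B does not discard any packet" above.
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple

MAX_TTL = 255


@dataclass(frozen=True)
class GtsmPolicy:
    peer: str
    valid_ttl_hops: int

    def ttl_range(self) -> Tuple[int, int]:
        """valid-ttl-hops 1 -> [255, 255]; valid-ttl-hops 2 -> [254, 255]."""
        return MAX_TTL - self.valid_ttl_hops + 1, MAX_TTL

    def accepts(self, ttl: int) -> bool:
        low, high = self.ttl_range()
        return low <= ttl <= high


@dataclass(frozen=True)
class Packet:
    src: str
    ttl: int
    protocol: str = "BGP"


class GtsmFilter:
    """Per-protocol Total/Drop/Pass counters, as in the statistics table."""

    def __init__(self, policies: List[GtsmPolicy], default_pass: bool = True) -> None:
        self.policies = {p.peer: p for p in policies}
        self.default_pass = default_pass
        self.stats: Dict[str, Dict[str, int]] = defaultdict(
            lambda: {"total": 0, "drop": 0, "pass": 0})

    def process(self, pkt: Packet) -> bool:
        """Return True if the packet is handed to the protocol, False if dropped."""
        counters = self.stats[pkt.protocol]
        counters["total"] += 1
        policy = self.policies.get(pkt.src)
        accepted = self.default_pass if policy is None else policy.accepts(pkt.ttl)
        counters["pass" if accepted else "drop"] += 1
        return accepted

    def statistics_table(self) -> str:
        header = f"{'Protocol':<9}{'Total':>7}{'Drop':>7}{'Pass':>7}"
        rows = [f"{proto:<9}{c['total']:>7}{c['drop']:>7}{c['pass']:>7}"
                for proto, c in sorted(self.stats.items())]
        return "\n".join([header, *rows])


def switch_b_example() -> GtsmFilter:
    """Switch B's three GTSM peers from the configuration file below."""
    gtsm = GtsmFilter([
        GtsmPolicy("10.1.1.1", 1),  # Switch A, directly connected (EBGP)
        GtsmPolicy("3.3.3.9", 1),   # Switch C, directly connected (IBGP)
        GtsmPolicy("4.4.4.9", 2),   # Switch D, one switch (C) in between
    ])
    # Constructed traffic. Genuine peers send with TTL 255 and lose one per
    # hop; the fourth and fifth packets carry a peer's address but arrived
    # with a TTL that a sender at the expected distance cannot produce.
    packets = [
        Packet("10.1.1.1", 255),
        Packet("3.3.3.9", 255),
        Packet("4.4.4.9", 254),
        Packet("10.1.1.1", 250),
        Packet("4.4.4.9", 253),
        Packet("20.1.1.2", 1, "OSPF"),  # no GTSM policy for this source: default pass
    ]
    for pkt in packets:
        gtsm.process(pkt)
    return gtsm


if __name__ == "__main__":
    print(switch_b_example().statistics_table())
```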

Configuration Files

Configuration file of Switch A

#
sysname SwitchA
#
vlan batch 10
#
interface Vlanif10
ip address 10.1.1.1 255.255.255.0
#
interface GigabitEthernet0/0/1
port hybrid pvid vlan 10
port hybrid untagged vlan 10
#
bgp 10
router-id 1.1.1.9
peer 10.1.1.2 as-number 20
peer 10.1.1.2 valid-ttl-hops 1
#
ipv4-family unicast
undo synchronization
peer 10.1.1.2 enable
#
return

Configuration file of Switch B


#
sysname SwitchB
#
vlan batch 10 20
#
interface Vlanif10
ip address 10.1.1.2 255.255.255.0
#
interface Vlanif20
ip address 20.1.1.1 255.255.255.0
#
interface GigabitEthernet0/0/1
port hybrid pvid vlan 10
port hybrid untagged vlan 10
#
interface GigabitEthernet0/0/2
port hybrid pvid vlan 20
port hybrid untagged vlan 20
#
interface LoopBack0
ip address 2.2.2.9 255.255.255.255
#
bgp 20
router-id 2.2.2.9
peer 3.3.3.9 as-number 20
peer 3.3.3.9 valid-ttl-hops 1
peer 3.3.3.9 connect-interface LoopBack0
peer 4.4.4.9 as-number 20
peer 4.4.4.9 valid-ttl-hops 2
peer 4.4.4.9 connect-interface LoopBack0
peer 10.1.1.1 as-number 10
peer 10.1.1.1 valid-ttl-hops 1
#
ipv4-family unicast
undo synchronization
import-route ospf 1
peer 3.3.3.9 enable
peer 3.3.3.9 next-hop-local
peer 4.4.4.9 enable
peer 4.4.4.9 next-hop-local
peer 10.1.1.1 enable
#
ospf 1
area 0.0.0.0
network 20.1.1.0 0.0.0.255
network 2.2.2.9 0.0.0.0
#
return

l Configuration file of Switch C


#
sysname SwitchC
#
vlan batch 20 30
#
interface Vlanif20
ip address 20.1.1.2 255.255.255.0
#
interface Vlanif30
ip address 20.1.2.1 255.255.255.0
#
interface GigabitEthernet0/0/1
port hybrid pvid vlan 20
port hybrid untagged vlan 20
#
interface GigabitEthernet0/0/2
port hybrid pvid vlan 30
port hybrid untagged vlan 30
#
interface LoopBack0
ip address 3.3.3.9 255.255.255.255
#
bgp 20
router-id 3.3.3.9
peer 2.2.2.9 as-number 20
peer 2.2.2.9 valid-ttl-hops 1
peer 2.2.2.9 connect-interface LoopBack0
peer 4.4.4.9 as-number 20
peer 4.4.4.9 valid-ttl-hops 1
peer 4.4.4.9 connect-interface LoopBack0
#
ipv4-family unicast
undo synchronization
peer 2.2.2.9 enable
peer 4.4.4.9 enable
#
ospf 1
area 0.0.0.0
network 20.1.2.0 0.0.0.255
network 20.1.1.0 0.0.0.255
network 3.3.3.9 0.0.0.0
#
return

l Configuration file of Switch D


#
sysname SwitchD
#
vlan batch 30
#
interface Vlanif30
ip address 20.1.2.2 255.255.255.0
#
interface GigabitEthernet0/0/1
port hybrid pvid vlan 30
port hybrid untagged vlan 30
#
interface LoopBack0
ip address 4.4.4.9 255.255.255.255
#
bgp 20
router-id 4.4.4.9
peer 2.2.2.9 as-number 20
peer 2.2.2.9 valid-ttl-hops 2
peer 2.2.2.9 connect-interface LoopBack0
peer 3.3.3.9 as-number 20
peer 3.3.3.9 valid-ttl-hops 1
peer 3.3.3.9 connect-interface LoopBack0
#
ipv4-family unicast
undo synchronization
peer 2.2.2.9 enable
peer 3.3.3.9 enable
#
ospf 1
area 0.0.0.0
network 20.1.2.0 0.0.0.255
network 4.4.4.9 0.0.0.0
#
return

5.6 MBGP Configuration


MBGP is dedicated to transmitting multicast routing information across ASs.

5.6.1 MBGP Overview


MBGP is the multiprotocol extension of BGP.
When a multicast source and its receivers are distributed in different Autonomous Systems
(ASs), a forwarding tree needs to be set up across ASs. The Multiprotocol Border Gateway
Protocol (MP-BGP) specially transfers routes between ASs for multicast.
MP-BGP is the multiprotocol extension of the Border Gateway Protocol (BGP). At present,
BGP4 is applied only to unicast. MP-BGP, based on BGP4, supports multiple routing protocols,
including multicast.
l MP-BGP maintains routes for unicast and multicast at the same time, stores them in
different routing tables, and keeps the routing information of unicast and multicast separate
from each other.
l MP-BGP builds different network topologies for unicast and multicast at the same time.
l Most unicast routing policies and configuration methods supported by BGP4 can be
applied to multicast. MP-BGP maintains different routes for unicast and multicast
according to routing policies.

When MP-BGP is applied to multicast, it is called Multicast BGP (MBGP).


NOTE

This chapter describes the configuration of MP-BGP applied to multicast, that is, MBGP configuration.
For the details of MP-BGP, refer to the chapter "BGP Configuration" in the AC6605 Access Controller
Configuration Guide - IP Routing.

5.6.2 MBGP Features Supported by the AC6605


You can configure such features as load splitting, route aggregation, route dampening,
community attributes, and route reflectors when configuring MBGP.
For details, refer to the chapter "BGP Configuration" in the AC6605 Access Controller
Configuration Guide - IP Routing.

5.6.3 Configuring Basic MBGP Functions


Before constructing an MBGP network, you need to configure basic MBGP functions.
Establishing the Configuration Task


Before configuring basic MBGP functions, familiarize yourself with the applicable environment,
pre-configuration tasks, and required data. This can help you complete the configuration task
quickly and accurately.

Applicable Environment
Perform the Reverse Path Forwarding (RPF) check on multicast packets according to the
following factors:
l Static multicast route
l Unicast route
l MBGP route

Setting up MBGP connections in the multicast address family view can provide routing
information for RPF check.

Pre-configuration Tasks
Before configuring basic MBGP functions, you need to configure basic multicast functions.

Data Preparation
To configure basic MBGP functions, you need the following data.
No. Data
1   Local AS number and router ID
2   IPv4 addresses and AS numbers of peers
3   Interface originating the Update message
4   Cluster ID of the route reflector

Configuring a BGP Peer


Devices can exchange routing information only after they have successfully set up a BGP peer
relationship.

Context
NOTE

If the two Switches that plan to set up the MBGP peer relationship have already set up a BGP connection, skip
this section.

Do as follows on the two Switches between which the MBGP peer relationship needs to be set
up.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
bgp as-number

BGP is enabled, the local AS number is set, and the BGP view is displayed.
Step 3 (Optional) Run:
router-id ipv4-address

The ID of a BGP Switch is set.


Step 4 Run:
peer ip-address as-number as-number

The IP address and AS number of a remote peer are specified.


Step 5 (Optional) Run:
peer { ipv4-address | group-name } connect-interface interface-type interface-number [ ipv4-source-address ]

The local interface and the source address used to set up the BGP connection are specified.
If the BGP connection is set up through a loopback interface, this command is required.
----End

Configuring an MBGP Peer


Setting up MBGP connections in the multicast address family view can provide routing
information for RPF check.

Context
Do as follows on the Switch configured with a BGP peer:

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
bgp as-number

The BGP view is displayed.


Step 3 Run:
ipv4-family multicast

The BGP-IPv4 multicast address family view is displayed.


Step 4 Run:
peer { ipv4-address | group-name } enable

MBGP is enabled on the original BGP peer or peer group. The original BGP peer becomes an
MBGP peer.
The parameters of the command are explained as follows:
l group-name: specifies the original BGP peer group.
l ipv4-address: specifies the IP address of the original remote BGP peer.
----End

Configuring an MBGP Route Reflector


By configuring MBGP route reflectors, you avoid the need for full-mesh connections
among IBGP peers.

Context

CAUTION
A route reflector is valid only for IBGP peers. Before performing the configuration, you must
establish IBGP peer relationships between the MBGP route reflector and its clients.
The configuration is optional. By default, the route reflector is not configured.
Do as follows on the Switch that is to become an MBGP route reflector:

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
bgp as-number

The BGP view is displayed.


Step 3 Run:
ipv4-family multicast

The BGP-IPv4 multicast address family view is displayed.


Step 4 Run:
peer { group-name | ipv4-address } reflect-client

The local host is configured as a route reflector, and the peer (group) is specified as a client of
the route reflector.
The parameters of the command are explained as follows:
l group-name: specifies the name of an MBGP peer group.
l ipv4-address: specifies the IP address of a remote MBGP peer.
Step 5 (Optional) Run:
reflector cluster-id cluster-id

The cluster ID of the route reflector is configured.
By default, the route reflector uses its router ID (set with the router-id command) as the cluster ID.
cluster-id: specifies the cluster ID of the route reflector. The value can be an integer ranging
from 1 to 4294967295. It can also be specified in the IPv4 address format.
----End

Configuring MBGP to Import Local Routes


MBGP can import routes from other protocols. When routes are imported from a dynamic routing
protocol, the process ID needs to be specified.

Context
NOTE

MBGP routes are originated from the following:


l Routes statically imported by using the network command.
l Routes imported by using the import-route command.
Users can import at least one type of local routes as required.

Do as follows on the Switch configured with an MBGP peer:

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
bgp as-number

The BGP view is displayed.


Step 3 Run:
ipv4-family multicast

The BGP-IPv4 multicast address family view is displayed.


Step 4 Run:
network ipv4-address [ mask | mask-length ] [ route-policy route-policy-name ]

The routes of the local network segment are advertised.


The parameters of the command are explained as follows:
l ipv4-address [ mask-length | mask ]: specifies the routes to be advertised. If the network mask
is not specified, routes will be exactly matched against the natural network mask.
l route-policy route-policy-name: specifies the name of the routing policy that controls the
routes to be advertised.
The network command advertises exactly matched routes only, that is, routes whose address prefix and
mask both match the specified values. If the mask is not specified, the routes are matched exactly against
the natural network mask.
Step 5 Run:
import-route protocol [ process-id ] [ med med | route-policy route-policy-name ]

The routes of other protocols are imported to MBGP.


The parameters of the command are explained as follows:
l protocol [ process-id ]: specifies the routing protocol and the process ID of the routing
protocol from which routes are imported. The routing protocol can be direct, unr, rip,
isis, or ospf. When the routing protocol is isis, ospf, or rip, the process ID must be specified.
l med med: specifies the MED value assigned to an imported route.
l route-policy route-policy-name: specifies the route filtering policy. Only the route that
passes the filtering of the policy is imported.
Step 6 (Optional) Run:
default-route imported

Default routes are imported to the MBGP routing table.


By default, no default route is imported to the MBGP routing table.
The default-route imported command needs to work with the import-route command to
import default routes. The default routes cannot be imported by using only the import-route
command. The default-route imported command is used to import the default routes that exist
in the local routing table.
----End

Checking the Configuration


After basic functions of MBGP are configured, you can check information about MBGP peers.

Prerequisites
The configurations of basic MBGP functions are complete.

Procedure
l Run the display bgp multicast peer [ [ ipv4-address ] verbose ] command to check
information about an MBGP peer. If ipv4-address is not specified, information about
all MBGP peers is displayed.
l Run the display bgp multicast group [ group-name ] command to check information about
an MBGP peer group.
l Run the display bgp multicast network command to check the routing information to be
advertised by MBGP through the network command.
l Run the display bgp multicast routing-table [ network [ { mask | mask-length } [ longer-prefixes ] ] ] command to check the MBGP routing table.

----End
5.6.4 Configuring the Policy for Advertising MBGP Routes


You can configure a route advertisement policy to determine which routing information needs
to be advertised to peers.

Establishing the Configuration Task


Before configuring a policy for advertising MBGP routes, familiarize yourself with the
applicable environment, pre-configuration tasks, and required data. This can help you complete
the configuration task quickly and accurately.

Applicable Environment
A Switch configured with the MBGP peer advertises the local routing information to a remote
peer. Based on the actual networking, users can adopt the following policies as required:
l Whether MBGP changes the next hop when advertising a route to IBGP peers
l Whether MBGP advertises all local routes or only the locally aggregated routes
l Whether MBGP advertises default routes
l Whether MBGP advertises community attributes or extended community attributes
l Whether a BGP Update message sent by an MBGP peer carries the private AS number

Pre-configuration Tasks
Before configuring the policy for advertising MBGP routes, complete the task of Configuring
Basic MBGP Functions.

Data Preparation
To configure the policy for advertising MBGP routes, you need the following data.
No. Data
1   AS number
2   Address of a remote peer or the name of a peer group
3   Name of the routing policy
4   Addresses and masks of the local routes that need to be aggregated

(Optional) Configuring the Next Hop of a Route as the Local Address


Configuring the next-hop of a route as the local address is applicable to IBGP peers.

Context
Do as follows on the Switch configured with an MBGP peer.
NOTE

The configuration is optional, and is valid only for an IBGP peer or peer group.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
bgp as-number

The BGP view is displayed.


Step 3 Run:
ipv4-family multicast

The BGP-IPv4 multicast address family view is displayed.


Step 4 Run:
peer { group-name | ipv4-address } next-hop-local

The local address is configured as the next hop of routes, when MBGP advertises routes to an
MBGP peer or peer group.
The parameters of the command are explained as follows:
l group-name: specifies an MBGP peer group.
l ipv4-address: specifies the IP address of a remote MBGP peer.
----End

(Optional) Configuring the Aggregation of Local MBGP Routes


Route aggregation reduces the number of routes in the routing table on the MBGP peer.

Context
Do as follows on the Switch configured with an MBGP peer:
NOTE

The configuration is optional. By default, MBGP does not aggregate local routes.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
bgp as-number

The BGP view is displayed.


Step 3 Run:
ipv4-family multicast

The BGP-IPv4 multicast address family view is displayed.


Step 4 MBGP supports the following two ways of local route aggregation:
l Automatic aggregation: aggregates the routes imported by MBGP locally.
Run:
summary automatic

The automatic aggregation of the subnet routes is configured.


l Manual aggregation: aggregates routes in the local MBGP routing table. Manual aggregation
takes precedence over automatic aggregation.
Run:
aggregate ipv4-address { mask | mask-length } [ as-set | attribute-policy route-policy-name1 | detail-suppressed | origin-policy route-policy-name2 | suppress-policy route-policy-name3 ] *

The local route aggregation is configured.


MBGP advertises the aggregated route.
----End

(Optional) Configuring the Local Peer to Advertise Default Routes


MBGP sends a default route with the next hop address being the local address to the specified
peer regardless of whether there is a default route in the local routing table.

Context
Do as follows on the Switch configured with an MBGP peer:
NOTE

The configuration is optional. By default, no default route is advertised.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
bgp as-number

The BGP view is displayed.


Step 3 Run:
ipv4-family multicast

The BGP-IPv4 multicast address family view is displayed.


Step 4 Run:
peer { group-name | ipv4-address } default-route-advertise [ route-policy route-policy-name ]

A default route is advertised to a remote MBGP peer or peer group.


The parameters of the command are explained as follows:
l group-name: specifies an MBGP peer group.
l ipv4-address: specifies the IP address of a remote MBGP peer.
l route-policy route-policy-name: specifies the routing policy that controls all advertised
routes.
----End

Configuring the Local Peer to Advertise Community Attribute and Extended Community Attribute

Community attributes and extended community attributes can simplify the management of
routing policies.

Context
Do as follows on the Switch configured with an MBGP peer:

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
bgp as-number

The BGP view is displayed.


Step 3 Run:
ipv4-family multicast

The BGP-IPv4 multicast address family view is displayed.


Step 4 (Optional) Run:
peer { ipv4-address | group-name } advertise-community

The local peer is configured to advertise the community attribute to an MBGP peer group or a
remote MBGP peer.
By default, the local peer does not advertise the community attribute.
The parameters of this command are explained as follows:
l group-name: specifies the name of an MBGP peer group.
l ipv4-address: specifies the IP address for a remote MBGP peer.
l advertise-community: advertises the community attribute.
Step 5 (Optional) Run:
peer { ipv4-address | group-name } advertise-ext-community

The local peer is configured to advertise the extended community attribute to an MBGP peer
group or a remote MBGP peer.
By default, the local peer does not advertise the extended community attribute.
The parameters of this command are explained as follows:
l group-name: specifies the name of an MBGP peer group.
l ipv4-address: specifies the IP address for a remote MBGP peer.
l advertise-ext-community: advertises the extended community attribute.
----End

Configuring Update Packets not to Carry Private AS Number


You can configure an MBGP peer to send an Update message without private AS number when
advertising routing information.

Context
Do as follows on the Switch configured with an MBGP peer:
NOTE

The configuration is applicable only to an EBGP peer. By default, an Update message can carry a private
AS number.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
bgp as-number

The BGP view is displayed.


Step 3 Run:
ipv4-family multicast

The BGP-IPv4 multicast address family view is displayed.


Step 4 Run:
peer { ipv4-address | group-name } public-as-only

An MBGP Update message sent to an MBGP peer group or a remote MBGP peer is configured
not to carry private AS numbers. Public AS numbers can be used directly on the Internet. Private
AS numbers cannot be advertised to the Internet and are used only within an administrative domain.
The parameters of the command are explained as follows:
l group-name: specifies an MBGP peer group.
l ipv4-address: specifies the IP address of a remote MBGP peer.
----End

Checking the Configuration


After the policy for advertising MBGP routes is configured, you can check MBGP routing
information.

Prerequisites
The configurations of the policy for advertising MBGP routes are complete.

Procedure
l Run the display bgp multicast routing-table community [ aa:nn | community-number ] & <1-29> [ internet | no-advertise | no-export | no-export-subconfed ] * [ whole-match ] command to check the routing information of a specified MBGP community.
l Run the display bgp multicast routing-table community-filter { { community-filter-name | basic-community-filter-number } [ whole-match ] | advanced-community-filter-number } command to check the routes that match a specified MBGP community attribute
filter.
l Run the display bgp multicast network command to check the routing information to be
advertised by MBGP through the network command.
l Run the display bgp multicast routing-table [ network [ { mask | mask-length } [ longer-prefixes ] ] ] command to check the MBGP routing table.
l Run the display bgp multicast routing-table cidr command to check CIDR routes.
l Run the display bgp multicast routing-table statistics command to check the statistics
of the MBGP routing table.

----End

5.6.5 Configuring the Policy for Exchanging Routes Between MBGP Peers

By configuring a proper route exchange policy, you can control the routing information
exchanged between MBGP peers.

Establishing the Configuration Task


Before configuring a policy for exchanging routes between MBGP peers, familiarize yourself
with the applicable environment, pre-configuration tasks, and required data. This can help you
complete the configuration task quickly and accurately.

Applicable Environment
Based on the actual network, users can configure the related route exchange policies to control
the routing information transmitted between MBGP peers.
For a Switch configured with MBGP, the routes exchanged between peers are classified into the
following types:
l import: filters the routes sent by a specified peer. Only the routes that pass the filtering are
received.
l export: filters the routes sent to a specified peer or peer group. Only the routes that pass
the filtering are sent.

Pre-configuration Task
Before configuring the route filtering policy between MBGP peers, complete the following task:
Configuring Basic MBGP Functions

Data Preparation
To configure the route filtering policy between MBGP peers, you need the following data.
No. Data
1   Number of the AS where the peer resides
2   Address of a peer or name of a peer group
3   Name of the routing policy, sequence number of the node, and matching rule
4   ID of the ACL
5   AS-Path filter
6   IP-Prefix
7   The threshold of the route-limit

Configuring the Route Filtering Policy Globally


By configuring an MBGP routing policy, you can control route exchange with any remote MBGP
peer.

Context
Do as follows on the Switch configured with an MBGP peer:
NOTE

The configuration is optional and is applicable to the route exchange with any peer.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
bgp as-number

The BGP view is displayed.


Step 3 Run:
ipv4-family multicast

The BGP-IPv4 multicast address family view is displayed.


Step 4 Run:
filter-policy { acl-number | acl-name acl-name | ip-prefix ip-prefix-name } import

MBGP routing policy is configured to filter the received routes.


The parameters of the command are explained as follows:
l acl-number and acl-name acl-name: specifies the address filtering table.
l ip-prefix-name: specifies the address prefix list.
l import: filters the routes sent by any MBGP peer. Only the routes that pass the filtering are
received.
Step 5 Run:
filter-policy { acl-number | acl-name acl-name | ip-prefix ip-prefix-name } export
[ protocol [ process-id ] ]

MBGP routing policy is configured to filter advertised routes.


The parameters of the command are explained as follows:
l acl-number and acl-name acl-name: specifies the address filtering table.
l ip-prefix-name: specifies the address prefix list.
l export [ protocol [ process-id ] ]: filters the routes sent to any MBGP peer. In fact, the filtering
is performed when the local routes are imported to the MBGP routing table. This command
is used to import the local routes that pass the filtering to the MBGP routing table, and then
advertise the routing information in the MBGP routing table.
NOTE

process-id specifies the process ID of the unicast routing protocol. When the unicast routing protocol is IS-IS, OSPF, or RIP, you need to set process-id.

----End

Configuring the Route Filtering Policy Based on Route-policy


By configuring an MBGP route-policy, you can flexibly filter routes.

Context
Do as follows on the Switch configured with an MBGP peer:
NOTE

The configuration is optional. By default, the route filtering policy based on route-policy is not configured.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
bgp as-number

The BGP view is displayed.


Step 3 Run:
ipv4-family multicast

The BGP-IPv4 multicast address family view is displayed.


Step 4 Run:
peer { ipv4-address | group-name } route-policy route-policy-name { import | export }

The MBGP routing policy based on route-policy is configured to control the route exchange
with a specified remote MBGP peer.
The parameters of the command are explained as follows:
l group-name: specifies an MBGP peer group.
l ipv4-address: specifies the IP address of the remote MBGP peer.
l route-policy-name: specifies the routing policy.
l import: filters the routes sent by a specified remote MBGP peer or peer group. Only the
routes that pass the filtering are received.
l export: filters the routes sent to a specified remote MBGP peer or peer group. Only the routes
that pass the filtering are sent.
----End

Configuring the Route Filtering Policy Based on ACL


By defining an ACL, you can specify the IP address and subnet range to match the destination
network segment address or the next hop address of a route.

Context
Do as follows on the Switch configured with an MBGP peer:
NOTE

The configuration is optional. By default, the route filtering policy based on the ACL is not configured.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
bgp as-number

The BGP view is displayed.


Step 3 Run:
ipv4-family multicast

The BGP-IPv4 multicast address family view is displayed.


Step 4 Run:
peer { ipv4-address | group-name } filter-policy { acl-number | acl-name acl-name }
{ import | export }

The MBGP routing policy based on the ACL is configured to control the route exchange with
a specified remote MBGP peer.
The parameters of the command are explained as follows:
l group-name: specifies an MBGP peer group.
l ipv4-address: specifies the IP address of a remote MBGP peer.
l acl-number and acl-name acl-name: specifies the ACL.
l import: filters the routes sent by a specified remote MBGP peer or peer group. Only the
routes that pass the filtering are received.
l export: filters the routes sent to a specified remote MBGP peer or peer group. Only the routes
that pass the filtering are sent.
----End

Configuring the Route Filtering Policy Based on AS-Path List


An AS_Path filter specifies rules for filtering routes regarding AS_Path attributes.

Context
Do as follows on the Switch configured with an MBGP peer:
NOTE

The configuration is optional. By default, the route filtering policy based on the AS-Path list is not
configured.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
bgp as-number

The BGP view is displayed.


Step 3 Run:
ipv4-family multicast

The BGP-IPv4 multicast address family view is displayed.


Step 4 Run:
peer { ipv4-address | group-name } as-path-filter { as-path-filter-number | as-path-filter-name } { import | export }

The MBGP routing policy based on the AS-Path list is configured to control the route exchange
with a specified remote MBGP peer.
The parameters of the command are explained as follows:
l group-name: specifies an MBGP peer group.
l ipv4-address: specifies the IP address of a remote MBGP peer.
l as-path-filter-number and as-path-filter-name: specifies the AS-Path list.
l import: filters the routes sent by a specified remote MBGP peer or peer group. Only the
routes that pass the filtering are received.
l export: filters the routes sent to a specified remote MBGP peer or peer group. Only the routes
that pass the filtering are sent.
----End
Configuring the Route Filtering Policy Based on IP Prefix


By configuring an IP prefix list, you can filter MBGP routes based on route prefixes.

Context
Do as follows on the Switch configured with an MBGP peer:
NOTE

The configuration is optional. By default, the route filtering policy based on the IP prefix list is not
configured.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
bgp as-number

The BGP view is displayed.


Step 3 Run:
ipv4-family multicast

The BGP-IPv4 multicast address family view is displayed.


Step 4 Run:
peer { ipv4-address | group-name } ip-prefix ip-prefix-name { import | export }

The MBGP routing policy based on the IP prefix list is configured to control the route exchange
with a specified remote MBGP peer.
The parameters of the command are explained as follows:
l group-name: specifies an MBGP peer group.
l ipv4-address: specifies the IP address of a remote MBGP peer.
l ip-prefix-name: specifies the IP prefix list.
l import: filters the routes sent by a specified remote MBGP peer or peer group. Only the
routes that pass the filtering are received.
l export: filters the routes sent to a specified remote MBGP peer or peer group. Only the routes
that pass the filtering are sent.
----End

Configuring the Maximum Number of Routes Received from Peers


You can set the maximum number of routes that can be received from the peer as required and
specify the action of the peer when the number of routes exceeds the threshold.

Context
Do as follows on the Switch configured with an MBGP peer:

NOTE

The configuration is optional. By default, the maximum number of routes received from peers is not
configured.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
bgp as-number

The BGP view is displayed.


Step 3 Run:
ipv4-family multicast

The BGP-IPv4 multicast address family view is displayed.


Step 4 Run:
peer { group-name | ipv4-address } route-limit limit [ percentage ] [ alert-only |
idle-forever | idle-timeout times ]

The maximum number of routes that can be received from an MBGP peer or peer group is set. This
protects the routing table and memory of the Switch against a peer, misconfigured or malicious,
that advertises far more prefixes than expected. The optional parameters determine what happens
after the number of routes received from the peer exceeds the threshold:
l percentage: specifies the percentage of limit at which an alarm is generated before the
limit itself is reached.
l alert-only: only an alarm is generated when the number of routes exceeds the limit; the
connection stays up and routes continue to be received.
l idle-forever: when the number of routes exceeds the limit, the connection is torn down and is
not set up again until the reset bgp command is run.
l idle-timeout times: when the number of routes exceeds the limit, the connection is torn down
and is set up again automatically after the timer specified by times expires.
l If none of the three parameters is set, the peer relationship is torn down, the Switch retries
setting up the connection after 30 seconds, and an alarm is generated and recorded in the log.
----End
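Whether the limit is doing its job shows up in the PrefRcv column of display bgp multicast peer. The script below is an added example and not part of the Huawei guide: it parses output in the format this guide shows (the sample here is constructed to mirror it) and classifies each peer against the route-limit values assumed for it, flagging peers that are not Established, peers at or above the alarm percentage, peers over the limit, and, the finding that matters most in practice, peers that have no route-limit configured at all. The 75 percent alarm threshold is an assumed value; substitute the percentage you configured.

```python
"""Check PrefRcv in 'display bgp multicast peer' output against route-limit.

Added example, not from the Huawei guide: the output below is constructed
to mirror the format shown in this guide, and the limits are assumed per
peer. A practitioner can paste real output in place of SAMPLE_OUTPUT; the
check flags peers that are not Established, peers approaching the limit
(at or above the alarm percentage, 75 percent here, an assumed value),
peers that have already exceeded it, and peers with no limit at all.
"""
import re
from typing import Dict, Tuple

# One row of the peer table: address, version, AS, MsgRcvd, MsgSent, OutQ,
# Up/Down, State, PrefRcv.
PEER_LINE = re.compile(
    r"^\s*(?P<peer>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<version>\d+)\s+(?P<asn>\d+)\s+"
    r"(?P<rcvd>\d+)\s+(?P<sent>\d+)\s+(?P<outq>\d+)\s+(?P<updown>\S+)\s+"
    r"(?P<state>\S+)\s+(?P<prefrcv>\d+)\s*$"
)

# Constructed to mirror the 'display bgp multicast peer' format in this guide.
SAMPLE_OUTPUT = """\
 BGP local router ID : 2.2.2.2
 Local AS number : 200
 Total number of peers : 3                 Peers in established state : 2

  Peer            V    AS  MsgRcvd  MsgSent  OutQ  Up/Down       State        PrefRcv
  192.1.1.1       4   100       82       75     0  00:30:29   Established       17
  193.1.1.1       4   200       40       41     0  00:29:10   Established        9
  194.1.1.1       4   200       12       11     0  00:02:03        Active        0
"""

# Assumed per-peer configuration: (limit, alarm percentage) as given to
# 'peer X route-limit limit [ percentage ]'. 194.1.1.1 deliberately has none.
ROUTE_LIMITS: Dict[str, Tuple[int, int]] = {
    "192.1.1.1": (100, 75),
    "193.1.1.1": (10, 75),
}


def parse_peers(output: str) -> Dict[str, dict]:
    """Map peer address -> parsed columns of the peer table."""
    peers = {}
    for line in output.splitlines():
        m = PEER_LINE.match(line)
        if m:
            d = m.groupdict()
            peers[d["peer"]] = {
                "as": int(d["asn"]), "state": d["state"],
                "prefrcv": int(d["prefrcv"]), "updown": d["updown"],
            }
    return peers


def check_route_limits(output: str,
                       limits: Dict[str, Tuple[int, int]]) -> Dict[str, str]:
    """Classify each peer: 'down', 'no-limit', 'exceeded', 'warning' or 'ok'."""
    result = {}
    for peer, info in parse_peers(output).items():
        if info["state"] != "Established":
            result[peer] = "down"
        elif peer not in limits:
            result[peer] = "no-limit"   # unbounded peer: fix the config, not the output
        else:
            limit, pct = limits[peer]
            if info["prefrcv"] > limit:
                result[peer] = "exceeded"
            elif info["prefrcv"] * 100 >= limit * pct:
                result[peer] = "warning"
            else:
                result[peer] = "ok"
    return result


if __name__ == "__main__":
    for peer, status in sorted(check_route_limits(SAMPLE_OUTPUT, ROUTE_LIMITS).items()):
        print(f"{peer:16} {status}")
```

A peer reported as "exceeded" while still Established means the limit was configured with alert-only; with the default action or idle-forever the session would have been torn down and the peer would show up as "down" instead.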

Checking the Configuration


After the policy for exchanging routes between MBGP peers is configured, you can check the
MBGP routing information that results from it.

Prerequisites
The configurations of the policy for exchanging routes between MBGP peers are complete.


Procedure
l Run the display bgp multicast routing-table different-origin-as command to check the
routes to the same destination that are learned from different origin ASs.
l Run the display bgp multicast routing-table regular-expression as-regular-expression
command to check the routing information that matches the AS regular expression.
l Run the display bgp multicast paths [ as-regular-expression ] command to check the
information about the AS paths.
l Run the display bgp multicast routing-table as-path-filter { as-path-filter-number |
as-path-filter-name } command to check the routing information that matches the AS-Path
filtering list.
l Run the display bgp multicast routing-table community-filter { { community-filter-name |
basic-community-filter-number } [ whole-match ] | advanced-community-filter-number }
command to check the routes that match the MBGP community list.
l Run the display bgp multicast routing-table peer ipv4-address { advertised-routes |
received-routes [ active ] } command to check the routing information received from or
sent to a specified MBGP peer.
l Run the display bgp multicast network command to check the routing information
advertised by MBGP.
----End

5.6.6 Configuring MBGP Route Attributes


MBGP has many route attributes. You can change MBGP route selection by setting these
attributes.

Establishing the Configuration Task


Before configuring MBGP Route Attributes, familiarize yourself with the applicable
environment, pre-configuration tasks, and required data. This can help you complete the
configuration task quickly and accurately.

Applicable Environment
MBGP has many route attributes. You can change the optimal route selection by using the
following attributes.
l Preferred values of MBGP routes
l Preferences of MBGP routes
l Local_Pref
l MED of MBGP routes

Pre-configuration Tasks
Before configuring the policy for MBGP route selection, complete the task of Configuring Basic
MBGP Functions.

Data Preparation
To configure the policy for MBGP route selection, you need the following data.

l AS number
l Protocol preference of MBGP
l Preferred value
l Local_Pref
l MED of MBGP routes

Setting Preferred Values of Routes Learned from Peers


You can set a preferred value for the routes learned from a peer. When the MBGP routing table
contains multiple routes to the same destination, the route with the greatest preferred value is
selected.

Context
Do as follows on the Switch configured with an MBGP peer:
NOTE

The configuration is optional. By default, the preferred value is 0.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
bgp as-number

The BGP view is displayed.


Step 3 Run:
ipv4-family multicast

The BGP-IPv4 multicast address family view is displayed.


Step 4 Run:
peer { group-name | ipv4-address } preferred-value value

The preferred value is set for the routes learned from an MBGP peer group or a remote MBGP
peer. The route with the greatest preferred value is selected as the route to a specified network.
The parameters of the command are explained as follows:
l group-name: specifies the name of an MBGP peer group.
l ipv4-address: specifies the IP address of a remote MBGP peer.
----End

Configuring the Preference of an MBGP Route


By configuring the preference of the MBGP protocol, you can control route selection between
MBGP routes and the routes of other routing protocols to the same destination.

Context
Do as follows on the Switch configured with an MBGP peer:
NOTE

The configuration is optional. By default, the preferences of EBGP routes, IBGP routes, and local
routes are all 255.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
bgp as-number

The BGP view is displayed.


Step 3 Run:
ipv4-family multicast

The BGP-IPv4 multicast address family view is displayed.


Step 4 Run:
preference { external internal local | route-policy route-policy-name }

The preferences of internal, external and local routes are set. The smaller the preference value,
the higher the preference.
The parameters of the command are explained as follows:
l external: specifies the preference of the route learned from an EBGP peer.
l internal: specifies the preference of the route learned from an IBGP peer.
l local: specifies the preference of the local originated route.
l route-policy route-policy-name: specifies the routing policy. The configuration is applicable
to the specific routes that meet certain matching conditions.
----End

Configuring the Local-Pref of an MBGP Route


The Local_Pref attribute is used to determine the optimal route to the destination when the packet
leaves the current AS. When an MBGP device obtains multiple routes to the same destination
address but with different next hops through IBGP peers, it selects the route with the largest
Local_Pref value.

Context
Do as follows on the Switch configured with an MBGP peer:

NOTE

The configuration is optional. By default, the Local_Pref value of the MBGP route is 100.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
bgp as-number

The BGP view is displayed.


Step 3 Run:
ipv4-family multicast

The BGP-IPv4 multicast address family view is displayed.


Step 4 Run:
default local-preference preference

The default Local_Pref value of the local Switch is configured.


When an MBGP Switch obtains multiple routes with the same destination but different next
hops from different IBGP peers, the route with the greatest Local_Pref value is preferred.
----End

Configuring the MED Attribute of an MBGP Route


The MED attribute is similar to the IGP metric. It is used by the EBGP peer to determine the
route for the traffic entering the AS. The route with the smallest MED value is selected.

Context
Do as follows on the Switch configured with an MBGP peer:
NOTE

The configuration is optional. When an MBGP Switch obtains multiple routes with the same destination
but different next hops from different EBGP peers, the route with the smallest MED value is preferred if
other conditions of these routes are the same.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
bgp as-number

The BGP view is displayed.


Step 3 Run:

ipv4-family multicast

The BGP-IPv4 multicast address family view is displayed.


Step 4 Run the following command as required:
l Run:
default med med

The default MED value of the local host is configured.


l Run:
compare-different-as-med

MED values of routes from different ASs are compared.


By default, the MBGP Switch compares only the MED values of the routes from the same
AS.
l Run:
deterministic-med

Deterministic-MED is enabled.
If this command is not configured, when the optimal route is selected from routes that carry
the same prefix but are received from different ASs, the result depends on the order in which
the routes were received, because the MED is compared only between routes from the same AS
and each newly received route is compared only with the current optimal route. After the
command is configured, the routes are first grouped by the leftmost AS in the AS_Path, an
optimal route is selected within each group (where the MED is always compared), and the
optimal routes of the groups are then compared with each other to determine the final optimal
route. The order in which the routes were received no longer affects the result.
l Run:
bestroute med-none-as-maximum

A route that carries no MED is treated as having the maximum MED value, that is, it is the least
preferred route when MED values are compared.
By default, a route that carries no MED is treated as having the MED value 0.
l Run:
bestroute med-confederation

MED values of routes in the same confederation are compared.


By default, the MBGP Switch compares the MED values of routes in the same AS.
----End
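The order dependence that deterministic-med removes is easier to see in code than in prose. The following Python model is an added example, not part of the Huawei guide: it implements a simplified best-route selection using only the attributes this and the preceding sections discuss (preferred value, Local_Pref, AS_Path length, MED compared only between routes with the same leftmost AS unless compare-different-as-med is on, missing MED treated as 0 or as the maximum per bestroute med-none-as-maximum) plus the lower router ID of the advertising peer as the final tie-breaker. The real selection process has more steps; only these are modelled. The three routes, their attributes and router IDs are constructed so that the default sequential comparison gives a different answer depending on arrival order while the grouped comparison does not.

```python
"""Order dependence of MED comparison and what deterministic-med fixes.

Added example, not from the Huawei guide. It models a simplified MBGP
best-route selection in Python: preferred value, Local_Pref, AS_Path
length, MED (compared only between routes whose leftmost AS is the same
unless compare-different-as-med is on) and, as the final tie-breaker,
the lower router ID of the advertising peer. Only the steps this guide
discusses plus the router-ID tie-breaker are modelled; the real selection
process has more steps. The routes are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

MED_MAX = 2**32 - 1


@dataclass
class Route:
    name: str
    as_path: List[int]          # leftmost AS first
    router_id: str              # router ID of the peer that advertised it
    med: Optional[int] = None   # None means the route carries no MED
    preferred_value: int = 0    # 'peer X preferred-value', default 0
    local_pref: int = 100       # 'default local-preference', default 100

    def leftmost_as(self) -> Optional[int]:
        return self.as_path[0] if self.as_path else None


def _rid(rid: str):
    return tuple(int(x) for x in rid.split("."))


def _med(r: Route, med_none_as_maximum: bool) -> int:
    # 'bestroute med-none-as-maximum' makes a missing MED the worst value;
    # the default treats it as 0, i.e. the best.
    if r.med is not None:
        return r.med
    return MED_MAX if med_none_as_maximum else 0


def better(a: Route, b: Route, compare_different_as_med: bool = False,
           med_none_as_maximum: bool = False) -> Route:
    """Return the preferred one of two routes to the same destination."""
    if a.preferred_value != b.preferred_value:
        return a if a.preferred_value > b.preferred_value else b
    if a.local_pref != b.local_pref:
        return a if a.local_pref > b.local_pref else b
    if len(a.as_path) != len(b.as_path):
        return a if len(a.as_path) < len(b.as_path) else b
    if compare_different_as_med or a.leftmost_as() == b.leftmost_as():
        ma, mb = _med(a, med_none_as_maximum), _med(b, med_none_as_maximum)
        if ma != mb:
            return a if ma < mb else b
    return a if _rid(a.router_id) <= _rid(b.router_id) else b


def select_sequential(routes: List[Route], **opts) -> Route:
    """Default behaviour: each route is compared only with the current best,
    in the order in which the routes were received."""
    best = routes[0]
    for r in routes[1:]:
        best = better(best, r, **opts)
    return best


def select_deterministic_med(routes: List[Route], **opts) -> Route:
    """'deterministic-med': group by leftmost AS, pick the best of each group
    (MED is always compared inside a group), then compare the group winners."""
    groups: Dict[Optional[int], List[Route]] = {}
    for r in routes:
        groups.setdefault(r.leftmost_as(), []).append(r)
    winners = [select_sequential(g, **opts) for g in groups.values()]
    return select_sequential(winners, **opts)


# Constructed routes to one prefix, received by a Switch in AS 200 from two
# EBGP peers in AS 100 and one in AS 300.
R1 = Route("r1", [100], "1.1.1.1", med=100)
R2 = Route("r2", [300], "2.2.2.2", med=50)
R3 = Route("r3", [100], "3.3.3.3", med=20)

if __name__ == "__main__":
    for order in ([R1, R2, R3], [R3, R2, R1]):
        print([r.name for r in order],
              "sequential:", select_sequential(order).name,
              "deterministic-med:", select_deterministic_med(order).name)
```

With the constructed routes, receiving r1, r2, r3 in that order selects r3, while receiving them as r3, r2, r1 selects r1: r1 loses to r3 on MED only when the two are ever compared directly, and in the second order r2 has already displaced r3 on router ID before r1 arrives. Grouping by leftmost AS compares r1 and r3 on MED first in every case, so the result (r2, on router ID against the AS 100 winner) does not move when a session flaps and the routes are re-learned in another order.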

Configuring Next_Hop
The next-hop attribute is used to flexibly control MBGP route selection.

Context
Do as follows on the Switch configured with the MBGP peer:

Procedure
Step 1 Run:

system-view

The system view is displayed.


Step 2 Run:
bgp as-number

The BGP view is displayed.


Step 3 Run:
ipv4-family multicast

The BGP-IPv4 multicast address family view is displayed.


Step 4 Run:
nexthop recursive-lookup route-policy route-policy-name

The next-hop iteration based on the specified routing policy is enabled.


By default, the next-hop iteration based on the specified routing policy is disabled.
The next-hop iteration based on the specified routing policy can control the iterated route
according to certain conditions. The route that fails to pass the policy is ignored.
----End

Checking the Configuration


After MBGP route attributes are configured, you can check information about each attribute of
the route.

Prerequisites
The configurations of the policy for MBGP route selection are complete.

Procedure
l Run the display bgp multicast routing-table command to check the routes in the MBGP
routing table.
l Run the display bgp multicast routing-table statistics command to check the statistics
of the MBGP routing table.
----End

5.6.7 Configuring MBGP Route Dampening


Configuring MBGP dampening can suppress the unstable MBGP routing information.

Establishing the Configuration Task


Before configuring MBGP route dampening, familiarize yourself with the applicable
environment, pre-configuration tasks, and required data. This can help you complete the
configuration task quickly and accurately.

Applicable Environment
Configuring MBGP dampening can suppress the unstable routing information. After MBGP
dampening is configured, the unstable routing information is not added to the MBGP routing
table, or advertised to other MBGP peers.

Pre-configuration Tasks
Before configuring MBGP route dampening, complete the following task:
l Configuring Basic MBGP Functions

Data Preparation
To configure MBGP route dampening, you need the following data.
l Dampening parameters, including the half-life and the reuse, suppress, and ceiling thresholds

Enabling Dampening Parameters of an MBGP Route


MBGP route dampening increases network stability. You can flexibly configure routing policies
for route dampening.

Context
Do as follows on the Switch configured with an MBGP peer:
NOTE

The configuration is valid only for EBGP routes. If the command is run without parameters, the
default values of the dampening parameters are used.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
bgp as-number

The BGP view is displayed.


Step 3 Run:
ipv4-family multicast

The BGP-IPv4 multicast address family view is displayed.


Step 4 Run:
dampening [ half-life-reach reuse suppress ceiling | route-policy route-policy-name ] *

The dampening parameters of an MBGP route are configured.



The parameters of the command are explained as follows:


l half-life-reach: specifies the half-life of a reachable route, that is, the time after which
the penalty of the route halves.
l reuse: specifies the threshold for releasing routes from suppression. When the penalty falls
below this threshold, a suppressed route is reused.
l suppress: specifies the threshold for suppressing routes. The value must be greater than the
value of reuse. When the penalty exceeds this threshold, the route is suppressed.
l ceiling: specifies the upper limit of the penalty. The penalty never grows beyond this value,
which bounds how long a route can stay suppressed. The value must be greater than the value
of suppress.
l route-policy route-policy-name: specifies the routing policy. The configuration is applicable
only to the routes that meet the matching conditions of the policy.
----End
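The four parameters interact through one piece of arithmetic: each flap adds a fixed penalty, the penalty decays exponentially with the configured half-life, and the suppress, reuse and ceiling thresholds are compared against that decaying value. The Python model below is an added example, not code from the Huawei guide, that lets you try parameter values before changing them on a Switch. The 1000-per-flap increment and the parameter values used (15-minute half-life, reuse 750, suppress 2000, ceiling 16000) are the conventional route-flap-damping numbers and are assumed here; read the values actually in effect with display bgp multicast routing-table dampening parameter. Times are in minutes and the flap timeline is constructed.

```python
"""Penalty arithmetic behind 'dampening half-life-reach reuse suppress ceiling'.

Added example, not from the Huawei guide. It models the exponential decay
of a route's flap penalty and the suppress/reuse thresholds so that the
effect of the four parameters can be explored before changing them on a
Switch. The per-flap increment of 1000 and the parameter values are the
conventional route-flap-damping numbers (assumed here); the values in
effect on a Switch should be read from 'display bgp multicast
routing-table dampening parameter'. Times are in minutes; the flap
timeline is constructed.
"""
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class DampeningParams:
    half_life: float = 15.0   # minutes for the penalty to halve (reachable route)
    reuse: int = 750          # penalty below which a suppressed route is reused
    suppress: int = 2000      # penalty above which a route is suppressed
    ceiling: int = 16000      # the penalty never grows beyond this value
    flap_penalty: int = 1000  # penalty added per flap (assumed)

    def __post_init__(self):
        # The same ordering the command requires: reuse < suppress < ceiling.
        if not (0 < self.reuse < self.suppress < self.ceiling):
            raise ValueError("require 0 < reuse < suppress < ceiling")


class RouteDampingState:
    """Penalty and suppression state of one route, tracked over time."""

    def __init__(self, params: DampeningParams):
        self.p = params
        self.penalty = 0.0
        self.suppressed = False
        self.last_update = 0.0

    def decay_to(self, now: float) -> float:
        """Apply the half-life decay up to time 'now' and release the route
        if its penalty has fallen below the reuse threshold."""
        elapsed = now - self.last_update
        self.penalty *= 2.0 ** (-elapsed / self.p.half_life)
        self.last_update = now
        if self.suppressed and self.penalty < self.p.reuse:
            self.suppressed = False
        return self.penalty

    def flap(self, now: float) -> float:
        """Record one flap (withdraw followed by re-announce) at time 'now'."""
        self.decay_to(now)
        self.penalty = min(self.penalty + self.p.flap_penalty, self.p.ceiling)
        if self.penalty > self.p.suppress:
            self.suppressed = True
        return self.penalty

    def minutes_until_reuse(self, now: float) -> float:
        """How long a suppressed route stays hidden if it stops flapping now."""
        self.decay_to(now)
        if not self.suppressed:
            return 0.0
        return self.p.half_life * math.log2(self.penalty / self.p.reuse)


def simulate(flap_times, params=DampeningParams()):
    """Run a constructed flap timeline; return the final state and the
    (rounded penalty, suppressed) pair recorded after each flap."""
    state = RouteDampingState(params)
    timeline = [(round(state.flap(t)), state.suppressed) for t in flap_times]
    return state, timeline


if __name__ == "__main__":
    flaps = [0.0, 1.0, 2.0]
    state, timeline = simulate(flaps)
    for t, (pen, sup) in zip(flaps, timeline):
        print(f"t={t:4.1f} min  penalty={pen:5d}  suppressed={sup}")
    print(f"reuse in about {state.minutes_until_reuse(2.0):.1f} minutes")
```

Three flaps one minute apart push the penalty to about 2867, above the suppress threshold, and with a 15-minute half-life the route then stays out of the routing table for roughly 29 minutes even if it never flaps again. The ceiling is what bounds that time: with the values above a route hammered continuously cannot accumulate more than 16000, so the longest possible suppression is 15 * log2(16000 / 750), about 66 minutes.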

Checking the Configuration


After MBGP route dampening is configured, you can check information about MBGP dampened
routes, configuration parameters, and statistics of MBGP route flapping.

Prerequisites
The configurations of MBGP route dampening are complete.

Procedure
l Run the display bgp multicast routing-table dampened command to check MBGP
dampened routes.
l Run the display bgp multicast routing-table dampening parameter command to check
MBGP route dampening parameters.
l Run the display bgp multicast routing-table flap-info [ network-address [ mask
[ longer-match ] | mask-length [ longer-match ] ] | as-path-filter { as-path-filter-number |
as-path-filter-name } | regular-expression as-regular-expression ] command to check the
statistics of MBGP route flapping.
----End

5.6.8 Maintaining MBGP


Maintaining MBGP involves resetting MBGP connections and clearing MBGP statistics.

Resetting MBGP Connection


You can choose to reset MBGP in GR mode. Resetting an MBGP connection will interrupt the
MBGP peer relationship.

Context

CAUTION
The MBGP peer relationship is deleted after you reset MBGP connections with the reset bgp
multicast command. So, confirm the action before you use the command.


Procedure
l

Run the reset bgp multicast ipv4-address command in the user view to reset the MBGP
connection between specified peers.

Run the reset bgp multicast all command in the user view to reset all MBGP connections.

Run the reset bgp multicast group group-name command in the user view to reset the
MBGP connections between all peers in the peer group.

Run the reset bgp multicast external command in the user view to reset external
connections.

Run the reset bgp multicast internal command in the user view to reset internal
connections.

----End

Clearing MBGP Statistics


You can clear statistics of either MBGP route flapping or MBGP route dampening.

Context

CAUTION
The MBGP statistics cannot be restored after you clear them. So, confirm the action before you
use the command.

Procedure
l

Run the reset bgp multicast dampening [ ipv4-address [ mask | mask-length ] ] command
in the user view to clear the MBGP routing information.

Run the reset bgp multicast flap-info [ ipv4-address [ mask-length | mask ] | as-pathfilter { as-path-filter-number | as-path-filter-name } | regrexp regrexp ] command in the
user view to clear the information about the MBGP route flapping.

----End

Debugging MBGP
The Switch generates debugging information after you enable the debugging of modules in the
user view. Debugging information shows the contents of packets sent or received by the debugged
module.

Context

CAUTION
Debugging affects the performance of the system. So, after debugging, run the undo debugging
all command to disable it immediately.


When an MBGP fault occurs, run the following debugging commands in the user view to debug
MBGP and locate the fault.
For more information about debugging commands, refer to the AC6605 Access Controller
Debugging Reference.

Procedure
l

Run the debugging bgp all command in the user view to enable all the debugging of MBGP.

Run the debugging bgp event command in the user view to enable the debugging of MBGP
event.

Run the debugging bgp { keepalive | open | packet | route-refresh } [ receive | send ]
[ verbose ] command in the user view to enable the debugging of MBGP packets.

Run the debugging bgp update multicast [ acl acl-number | ip-prefix ip-prefix-name |
peer peer-address ] [ receive | send ] [ verbose ] command in the user view to enable the
debugging of MBGP update packets.

----End

5.6.9 Configuration Examples


MBGP configuration examples are provided, including networking requirements and diagram,
configuration roadmap, and configuration notes.

Example for Configuring Basic MBGP Functions


Networking Requirements
As shown in Figure 5-41, the receiver receives VOD information in multicast mode. The
receiver and the source reside in different ASs. The MBGP peer relationship is established
between ASs to transmit multicast routing information.


Figure 5-41 Networking diagram of MBGP configuration
[Figure: AS100 contains SwitchA (Loopback0, GE0/0/1, GE0/0/2) and the multicast Source;
AS200 contains SwitchB (Loopback0, GE0/0/1 to GE0/0/3), SwitchC (Loopback0, GE0/0/1 to
GE0/0/3), SwitchD (Loopback0, GE0/0/1, GE0/0/2) and the Receiver. SwitchA and SwitchB
are connected across the AS boundary as MBGP peers. Interface addresses are listed in the
table below.]
Switch    Interface    Vlanif interface    IP address
SwitchA   GE 0/0/1     Vlanif100           192.1.1.1/24
SwitchA   GE 0/0/2     Vlanif101           10.10.10.1/24
SwitchA   LoopBack0    -                   1.1.1.1/32
SwitchB   GE 0/0/1     Vlanif100           192.1.1.2/24
SwitchB   GE 0/0/2     Vlanif200           194.1.1.2/24
SwitchB   GE 0/0/3     Vlanif300           193.1.1.2/24
SwitchB   LoopBack0    -                   2.2.2.2/32
SwitchC   GE 0/0/1     Vlanif400           195.1.1.1/24
SwitchC   GE 0/0/2     Vlanif102           22.22.22.1/24
SwitchC   GE 0/0/3     Vlanif300           193.1.1.1/24
SwitchC   LoopBack0    -                   3.3.3.3/32
SwitchD   GE 0/0/1     Vlanif400           195.1.1.2/24
SwitchD   GE 0/0/2     Vlanif200           194.1.1.1/24
SwitchD   LoopBack0    -                   4.4.4.4/32

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure the IP addresses for the interfaces on each Switch to ensure internetworking
within the AS in unicast mode.
2. Configure the MBGP peers and set up inter-AS multicast routes.
3. Configure the MBGP routes to be advertised.
4. Enable multicast on each Switch.
5. Configure basic PIM-SM functions in each AS and enable the IGMP function on the
interfaces at the host side.
6. Configure the BSR boundary on the interfaces connecting the two ASs.
7. Configure the MSDP peers to transfer inter-AS multicast information.

Data Preparation
To complete the configuration, you need the following data:
l AS number of Switch A: 100
l AS number of Switch B, Switch C, and Switch D: 200
l Address of the multicast group (225.1.1.1) and address of the multicast source
(10.10.10.10/24)
NOTE

This configuration example describes only the commands used to configure MBGP.

Procedure
Step 1 Configure the IP addresses for the interfaces on each Switch and the OSPF protocol in the ASs.
# Configure the IP addresses and masks of the interfaces on each Switch according to Figure
5-41. Connect the Switches through OSPF and ensure that Switch B, Switch C, and Switch D
can communicate with each other through the network layer and can learn the routes on the
LoopBack interfaces of each other. Configure the Switches to dynamically update routes through
a unicast routing protocol. OSPF process 1 is adopted in the configuration and the procedure is
not mentioned here.
Step 2 Configure BGP, enable the MBGP protocol, and configure the MBGP peers.
# Configure BGP and the MBGP peer on Switch A.
[SwitchA] bgp 100
[SwitchA-bgp] peer 192.1.1.2 as-number 200
[SwitchA-bgp] ipv4-family multicast
[SwitchA-bgp-af-multicast] peer 192.1.1.2 enable
[SwitchA-bgp-af-multicast] quit
[SwitchA-bgp] quit

# Configure BGP and the MBGP peer on Switch B.


[SwitchB] bgp 200
[SwitchB-bgp] peer 192.1.1.1 as-number 100
[SwitchB-bgp] peer 193.1.1.1 as-number 200
[SwitchB-bgp] peer 194.1.1.1 as-number 200
[SwitchB-bgp] ipv4-family multicast
[SwitchB-bgp-af-multicast] peer 192.1.1.1 enable
[SwitchB-bgp-af-multicast] peer 193.1.1.1 enable
[SwitchB-bgp-af-multicast] peer 194.1.1.1 enable
[SwitchB-bgp-af-multicast] quit
[SwitchB-bgp] quit

# Configure BGP and the MBGP peer on Switch C.


[SwitchC] bgp 200
[SwitchC-bgp] peer 193.1.1.2 as-number 200
[SwitchC-bgp] peer 195.1.1.2 as-number 200


[SwitchC-bgp] ipv4-family multicast


[SwitchC-bgp-af-multicast] peer 193.1.1.2 enable
[SwitchC-bgp-af-multicast] peer 195.1.1.2 enable
[SwitchC-bgp-af-multicast] quit
[SwitchC-bgp] quit

# Configure BGP and the MBGP peer on Switch D.


[SwitchD] bgp 200
[SwitchD-bgp] peer 194.1.1.2 as-number 200
[SwitchD-bgp] peer 195.1.1.1 as-number 200
[SwitchD-bgp] ipv4-family multicast
[SwitchD-bgp-af-multicast] peer 194.1.1.2 enable
[SwitchD-bgp-af-multicast] peer 195.1.1.1 enable
[SwitchD-bgp-af-multicast] quit
[SwitchD-bgp] quit

Step 3 Configure the routes to be advertised.


# Configure the routes to be advertised on Switch A.
[SwitchA] bgp 100
[SwitchA-bgp] ipv4-family multicast
[SwitchA-bgp-af-multicast] import-route direct
[SwitchA-bgp-af-multicast] quit
[SwitchA-bgp] quit

# Configure the routes to be advertised on Switch B.


[SwitchB] bgp 200
[SwitchB-bgp] import-route ospf 1
[SwitchB-bgp] ipv4-family multicast
[SwitchB-bgp-af-multicast] import-route direct
[SwitchB-bgp-af-multicast] import-route ospf 1
[SwitchB-bgp-af-multicast] quit
[SwitchB-bgp] quit

# Configure the routes to be advertised on Switch C. The configuration of Switch D is similar
to the configuration of Switch C, and is not mentioned here.
[SwitchC] bgp 200
[SwitchC-bgp] ipv4-family multicast
[SwitchC-bgp-af-multicast] import-route direct
[SwitchC-bgp-af-multicast] import-route ospf 1
[SwitchC-bgp-af-multicast] quit
[SwitchC-bgp] quit

Step 4 Enable multicast routing on each Switch and PIM-SM on the connected interfaces.
# Configure Switch A.
[SwitchA] multicast routing-enable
[SwitchA] interface Vlanif 100
[SwitchA-Vlanif100] pim sm
[SwitchA-Vlanif100] quit
[SwitchA] interface Vlanif 101
[SwitchA-Vlanif101] pim sm
[SwitchA-Vlanif101] quit

# Configure Switch B.
[SwitchB] multicast routing-enable
[SwitchB] interface Vlanif 100
[SwitchB-Vlanif100] pim sm
[SwitchB-Vlanif100] quit
[SwitchB] interface Vlanif 200
[SwitchB-Vlanif200] pim sm
[SwitchB-Vlanif200] quit
[SwitchB] interface Vlanif 300
[SwitchB-Vlanif300] pim sm
[SwitchB-Vlanif300] quit

# Configure Switch C.
[SwitchC] multicast routing-enable
[SwitchC] interface Vlanif 400
[SwitchC-Vlanif400] pim sm
[SwitchC-Vlanif400] quit
[SwitchC] interface Vlanif 102
[SwitchC-Vlanif102] pim sm
[SwitchC-Vlanif102] igmp enable
[SwitchC-Vlanif102] quit
[SwitchC] interface Vlanif 300
[SwitchC-Vlanif300] pim sm
[SwitchC-Vlanif300] quit

# Configure Switch D.
[SwitchD] multicast routing-enable
[SwitchD] interface Vlanif 400
[SwitchD-Vlanif400] pim sm
[SwitchD-Vlanif400] quit
[SwitchD] interface Vlanif 200
[SwitchD-Vlanif200] pim sm
[SwitchD-Vlanif200] quit

Step 5 Configure BSR and RP within each AS.


# Configure Switch A.
[SwitchA] interface LoopBack 0
[SwitchA-LoopBack0] ip address 1.1.1.1 255.255.255.255
[SwitchA-LoopBack0] pim sm
[SwitchA-LoopBack0] quit
[SwitchA] pim
[SwitchA-pim] c-bsr LoopBack 0
[SwitchA-pim] c-rp LoopBack 0
[SwitchA-pim] quit

# Configure Switch B.
[SwitchB] interface LoopBack 0
[SwitchB-LoopBack0] ip address 2.2.2.2 255.255.255.255
[SwitchB-LoopBack0] pim sm
[SwitchB-LoopBack0] quit
[SwitchB] pim
[SwitchB-pim] c-bsr LoopBack 0
[SwitchB-pim] c-rp LoopBack 0
[SwitchB-pim] quit

Step 6 Configure the BSR boundary on the interfaces connecting two ASs.
# Configure Switch A.
[SwitchA] interface Vlanif 100
[SwitchA-Vlanif100] pim bsr-boundary
[SwitchA-Vlanif100] quit

# Configure Switch B.
[SwitchB] interface Vlanif 100
[SwitchB-Vlanif100] pim bsr-boundary
[SwitchB-Vlanif100] quit

Step 7 Configure MSDP peers.


# Configure Switch A.

[SwitchA] msdp
[SwitchA-msdp] peer 192.1.1.2 connect-interface Vlanif100
[SwitchA-msdp] quit

# Configure Switch B.
[SwitchB] msdp
[SwitchB-msdp] peer 192.1.1.1 connect-interface Vlanif100
[SwitchB-msdp] quit

Step 8 Verify the configuration.


# Run the display bgp multicast peer command to view the MBGP peer relationship between
Switches. For example, the following information shows the MBGP peer relationship on Switch
A:
[SwitchA] display bgp multicast peer
 BGP local router ID : 1.1.1.1
 Local AS number : 100
 Total number of peers : 1                 Peers in established state : 1

  Peer            V    AS  MsgRcvd  MsgSent  OutQ  Up/Down       State        PrefRcv
  192.1.1.2       4   200       82       75     0  00:30:29   Established       17

# Run the display msdp brief command to view information about the MSDP peer relationship
between Switches. For example, the following information shows the MSDP peer relationship
on Switch B:
[SwitchB] display msdp brief
MSDP Peer Brief Information
  Configured   Up           Listen       Connect      Shutdown     Down
  1            1            0            0            0            0

  Peer's Address    State     Up/Down time    AS     SA Count   Reset Count
  192.1.1.1         Up        00:07:17        100    1          0

----End

Configuration Files
l Configuration file of Switch A

#
sysname SwitchA
#
vlan batch 100 to 101
#
multicast routing-enable
#
interface Vlanif100
ip address 192.1.1.1 255.255.255.0
pim bsr-boundary
pim sm
#
interface Vlanif101
ip address 10.10.10.1 255.255.255.0
pim sm
#
interface GigabitEthernet0/0/1
port hybrid tagged vlan 100
#
interface GigabitEthernet0/0/2
port hybrid tagged vlan 101
#
interface LoopBack0
ip address 1.1.1.1 255.255.255.255
pim sm
#
pim


c-bsr LoopBack 0
c-rp LoopBack 0
#
bgp 100
peer 192.1.1.2 as-number 200
#
ipv4-family unicast
undo synchronization
peer 192.1.1.2 enable
#
ipv4-family multicast
undo synchronization
import-route direct
peer 192.1.1.2 enable
#
msdp
peer 192.1.1.2 connect-interface Vlanif100
#
return

Configuration file of Switch B


#
sysname SwitchB
#
vlan batch 100 200 300
#
multicast routing-enable
#
interface Vlanif100
ip address 192.1.1.2 255.255.255.0
pim bsr-boundary
pim sm
#
interface Vlanif200
ip address 194.1.1.2 255.255.255.0
pim sm
#
interface Vlanif300
ip address 193.1.1.2 255.255.255.0
pim sm
#
interface GigabitEthernet0/0/1
port hybrid tagged vlan 100
#
interface GigabitEthernet0/0/2
port hybrid tagged vlan 200
#
interface GigabitEthernet0/0/3
port hybrid tagged vlan 300
#
interface LoopBack0
ip address 2.2.2.2 255.255.255.255
pim sm
#
pim
c-bsr LoopBack 0
c-rp LoopBack 0
#
ospf 1
area 0.0.0.0
network 193.1.1.0 0.0.0.255
network 194.1.1.0 0.0.0.255
network 2.2.2.2 0.0.0.0
#
bgp 200
peer 192.1.1.1 as-number 100
peer 193.1.1.1 as-number 200
peer 194.1.1.1 as-number 200
#
ipv4-family unicast

undo synchronization
peer 192.1.1.1 enable
peer 193.1.1.1 enable
peer 194.1.1.1 enable
#
ipv4-family multicast
undo synchronization
import-route direct
import-route ospf 1
peer 192.1.1.1 enable
peer 193.1.1.1 enable
peer 194.1.1.1 enable
#
msdp
peer 192.1.1.1 connect-interface Vlanif100
#
return

Configuration file of Switch C


#
sysname SwitchC
#
vlan batch 102 300 400
#
multicast routing-enable
#
interface Vlanif102
ip address 22.22.22.1 255.255.255.0
pim sm
igmp enable
#
interface Vlanif300
ip address 193.1.1.1 255.255.255.0
pim sm
#
interface Vlanif400
ip address 195.1.1.1 255.255.255.0
pim sm
#
interface GigabitEthernet0/0/1
port hybrid tagged vlan 400
#
interface GigabitEthernet0/0/2
port hybrid tagged vlan 102
#
interface GigabitEthernet0/0/3
port hybrid tagged vlan 300
#
interface LoopBack0
ip address 3.3.3.3 255.255.255.255
pim sm
#
ospf 1
area 0.0.0.0
network 193.1.1.0 0.0.0.255
network 195.1.1.0 0.0.0.255
network 3.3.3.3 0.0.0.0
#
bgp 200
peer 193.1.1.2 as-number 200
peer 195.1.1.2 as-number 200
#
ipv4-family unicast
undo synchronization
peer 193.1.1.2 enable
peer 195.1.1.2 enable
#
ipv4-family multicast
undo synchronization
import-route direct



import-route ospf 1
peer 193.1.1.2 enable
peer 195.1.1.2 enable

#
return

Configuration file of Switch D


#
sysname SwitchD
#
vlan batch 200 400
#
multicast routing-enable
#
interface Vlanif200
ip address 194.1.1.1 255.255.255.0
pim sm
#
interface Vlanif400
ip address 195.1.1.2 255.255.255.0
pim sm
#
interface GigabitEthernet0/0/1
port hybrid tagged vlan 400
#
interface GigabitEthernet0/0/2
port hybrid tagged vlan 200
#
interface LoopBack0
ip address 4.4.4.4 255.255.255.255
pim sm
#
ospf 1
area 0.0.0.0
network 194.1.1.0 0.0.0.255
network 195.1.1.0 0.0.0.255
network 4.4.4.4 0.0.0.0
#
bgp 200
peer 194.1.1.2 as-number 200
peer 195.1.1.1 as-number 200
#
ipv4-family unicast
undo synchronization
peer 194.1.1.2 enable
peer 195.1.1.1 enable
#
ipv4-family multicast
undo synchronization
import-route direct
import-route ospf 1
peer 194.1.1.2 enable
peer 195.1.1.1 enable
#
return

5.7 Routing Policy Configuration


Routing policies are used to filter routes to change the path through which network traffic passes.

5.7.1 Overview of the Routing Policy


By using routing policies, you can flexibly control the routes to be sent or received.

Routing Policy
Routing policies are used to filter routes and control the receiving and advertising of routes. By
changing the route attributes such as reachability, you can change the path that the traffic passes
through.
When a Switch sends or receives routes, it may use certain policies to filter routes. The policies
are used in the following situations:
l Send or receive routes that meet the matching rules.
l A routing protocol such as the Routing Information Protocol (RIP) needs to import the
routes discovered by other routing protocols to enrich its routing information. When
importing routes from other routing protocols, the Switch may import certain routes that
meet the matching rules, and set attributes of the routes imported to meet the requirement.

To implement a routing policy, you must:
l Define a set of matching rules and setting rules. The policy is applied to the routing
information to meet the requirements of the matching rules.
l Apply the matching rules to the routing policies for route advertisement, reception, and
import.

Differences Between Routing Policy and PBR


Unlike ordinary forwarding, which searches the Forwarding Information Base (FIB) according
to the destination address of a packet, Policy-based routing (PBR) is a route selection mechanism
based on policies set by users. PBR can select routes based on information such as the source address
and the length of a packet, according to the configured policy. PBR is applicable to
security and load balancing.
Routing policies and PBR are different concepts. Table 5-6 shows the differences between the
two concepts.
Table 5-6 Differences between routing policy and PBR

Routing policy                                   Policy-based routing
Forwards packets based on the destination        Forwards packets based on the policy. If packets
address in the routing table.                    fail to be forwarded, the device forwards packets
                                                 by searching the routing table.
Based on the control plane and serves the        Based on the forwarding plane and serves the
routing protocol and routing table.              forwarding policy.
Combines with the routing protocol.              Needs to be manually configured hop by hop to
                                                 ensure that the packet is forwarded through the
                                                 policy.

5.7.2 Routing Policy Features Supported by the AC6605


When configuring routing policies, you can use these filters: ACL, IP prefix list, AS-Path filter,
community filter, extended community filter, RD filter, and Route-Policy.

Filters
The AC6605 provides several types of filters for routing protocols, such as Access Control Lists
(ACLs), IP prefix lists, AS-Path filters, community filters, extended community filters
(Extcommunity-filters), and Route-Policies.
l ACL
The ACL consists of the ACL for IPv4 packets. According to the usage, ACLs are classified
into three types, that is, Layer 2 ACLs, basic ACLs, and advanced ACLs. When defining
an ACL, you can specify the IP address and subnet range to match the destination network
segment address or the next hop address of a route.
For details of the ACL configuration, refer to the AC6605 Access Controller Configuration
Guide - IP Services.
l IP-Prefix List
The IP-prefix list consists of the IPv4 prefix list. The implementation of the IP-prefix list is flexible.
An IP-prefix list is identified by its list name. Each prefix list includes multiple entries.
Each entry can independently specify the matching range in the form of the network prefix.
The matching range is identified by an index number that designates the sequence of the
matching check.
During the matching, the Switch checks entries identified by index numbers in an ascending
order. When a route matches an entry, the system does not search the next entry matching
the route. For the detailed configuration, refer to Configuring the IP-Prefix List.
l AS-Path Filter
A Border Gateway Protocol (BGP) routing information packet includes an autonomous
system (AS) path domain. The AS-Path filter specifies the matching condition for the AS
path domain.
For the configuration of the AS-Path filter, refer to BGP Configuration.
l Community Filter
The community filter is used only in BGP. The BGP routing information includes a
community attribute domain. It is used to identify a community. The community filter
specifies the matching condition for the community attribute domain.
For the configuration of the community filter, refer to BGP Configuration.
l Extcommunity-Filter
The Extcommunity-filter is used only in BGP. The extended community of BGP supports
only the Route-Target (RT) extended community of Virtual Private Network (VPN). The
Extcommunity-filter specifies matching rules for the extended community attribute.
For the configuration of the Extcommunity-filter, refer to BGP Configuration.
l RD Filter
Through the Route Distinguisher (RD), the VPN instance implements the independence of
address space and identifies the IPv4 and IPv6 prefixes of the same address space. The RD
attribute filter specifies matching conditions for different RDs.
For the configuration of the RD attribute filter, refer to the AC6605 Access Controller
Configuration Guide - VPN.
l Route-Policy
The Route-Policy is a complex filter. A Route-Policy is used to match certain route
attributes, and to change the route attributes when certain matching rules are met. The
Route-Policy uses the preceding filters to define its filtering rules.
A Route-Policy consists of multiple nodes. The relationship between the nodes is "OR".
The system checks the nodes in the routing policy; the node with the smaller node value
is checked first. When the route matches a node in the routing policy, it passes the Route-Policy
and the system does not search the next matching node.
Each node comprises a set of if-match and apply clauses. The if-match clauses define the
matching rules. The matching objects are certain route attributes. The relationship between
if-match clauses in a node is "AND". A match succeeds only when all the matching
rules specified by the if-match clauses in the same node are met.
The apply clauses specify actions. When a route matches a rule, the apply clause sets
certain attributes for the route. For the detailed configuration, refer to Configuring the
Route-Policy.

Application of the Routing Policy


The routing policy is used in the following situations:
l Import routes that meet the matching rules through filters when a routing protocol imports
routes discovered by other protocols.
l Filter routes that a routing protocol advertises or receives. Only the routes that meet the
matching rules are received or advertised.

For the configuration of routing policy applications, refer to the related routing protocol
configurations.
NOTE

After the routing policy changes, Routing Management Module (RM) immediately notifies various
protocols for processing by default.

5.7.3 Configuring the IP-Prefix List


An IP prefix list filters routes according to the destination addresses of the routes.

Establishing the Configuration Task


Before configuring the IP prefix list, familiarize yourself with the applicable environment,
complete the pre-configuration tasks, and obtain the required data. This can help you complete
the configuration task quickly and accurately.

Applicable Environment
Before applying a routing policy, you should set the matching rules, that is, filters. Compared
with an ACL, an IP prefix list is more flexible. When the IP prefix list is used to filter routes, it
matches the destination address of a route.

Pre-configuration Tasks
None.

Data Preparation
To configure an IP prefix list, you need the following data.
No.   Data
1     Name of IP prefix list
2     Matched address range

Configuring an IPv4 Prefix List


An IP prefix list filters routes according to IP address prefixes. An IP address prefix is defined
by the IP address and mask length.

Context
Do as follows on the Switch to which the IP prefix list is applied:

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
ip ip-prefix ip-prefix-name [ index index-number ] { permit | deny } ip-address
mask-length [ greater-equal greater-equal-value ] [ less-equal less-equal-value ]

An IPv4 prefix list is configured.


The range of the mask length can be specified as mask-length <= greater-equal-value <= less-equal-value <= 32. If only greater-equal is specified, the range of the prefix is [greater-equal-value, 32]; if only less-equal is specified, the range of the prefix is [mask-length, less-equal-value].
An IPv4 prefix list is identified by its list name. Each prefix list contains multiple entries. Each
entry can independently specify the matching range in the form of the network prefix and identify
it with an index number. For example, the following shows an IPv4 prefix list named abcd:
#
ip ip-prefix abcd index 10 permit 1.0.0.0 8
ip ip-prefix abcd index 20 permit 2.0.0.0 8

During the matching, the system checks the entries identified by the index numbers in an
ascending order. When a route matches an entry, it does not match other entries.
In the AC6605, routes that match no entry cannot pass the IP prefix list. If all entries are in deny mode,
all routes are filtered out. It is recommended that you define a permit 0.0.0.0 0 less-equal 32 entry
after multiple entries in deny mode, thus allowing all the other IPv4 routes to pass the IP prefix
list.

NOTE

If more than one IP-prefix entry is defined, at least one entry should be in the permit mode.
If the IP prefix list is used in OSPF to allow the packets from a specified network segment, run the display
ospf lsdb ase ip-address command to check whether the forwarding address is 0.0.0.0. If not, permit this
forwarding address when configuring the IP prefix list. If the forwarding address is not permitted, you
cannot display the routing table of the allowed network segment.

----End
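The matching rules described in this procedure (entries checked in ascending index order, first match wins, the greater-equal/less-equal mask-length range, and the implicit deny that makes a trailing permit 0.0.0.0 0 less-equal 32 entry necessary) are modelled in the following Python example. It is added here for illustration and is not AC6605 code or output; the PrefixEntry and PrefixList names and the sample lists "blocked" and "deny-only" are constructed. It generalizes the two-entry abcd list shown above to entries that carry greater-equal and less-equal values.

```python
"""IPv4 prefix-list matching modelled on the ip ip-prefix semantics described above.

Added example for this section; it is not AC6605 code and does not emulate the
device. The class and function names and the sample entries are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class PrefixEntry:
    """One 'ip ip-prefix <name> index <n> {permit|deny} <addr> <len> [ge] [le]' entry."""
    index: int
    action: str                 # "permit" or "deny"
    network: str                # e.g. "10.0.0.0"
    mask_length: int
    greater_equal: Optional[int] = None
    less_equal: Optional[int] = None

    def __post_init__(self) -> None:
        if self.action not in ("permit", "deny"):
            raise ValueError("action must be permit or deny")
        lo, hi = self.length_range()
        # The guide's constraint: mask-length <= greater-equal <= less-equal <= 32
        if not 0 <= self.mask_length <= lo <= hi <= 32:
            raise ValueError(f"invalid length range for index {self.index}: {lo}-{hi}")

    def length_range(self) -> Tuple[int, int]:
        """Mask-length range a route must fall in to match this entry."""
        if self.greater_equal is None and self.less_equal is None:
            return self.mask_length, self.mask_length          # exact length only
        lo = self.mask_length if self.greater_equal is None else self.greater_equal
        hi = 32 if self.less_equal is None else self.less_equal  # ge only -> [ge, 32]
        return lo, hi

    def matches(self, route: ipaddress.IPv4Network) -> bool:
        lo, hi = self.length_range()
        if not lo <= route.prefixlen <= hi:
            return False
        covering = ipaddress.ip_network(f"{self.network}/{self.mask_length}", strict=False)
        return route.network_address in covering


class PrefixList:
    """Entries are evaluated in ascending index order; the first match decides."""

    def __init__(self, name: str, entries: List[PrefixEntry]) -> None:
        self.name = name
        self.entries = sorted(entries, key=lambda e: e.index)

    def evaluate(self, route: str) -> Tuple[str, Optional[int]]:
        """Return (action, matching index). A route matching no entry is denied."""
        net = ipaddress.ip_network(route, strict=False)
        for entry in self.entries:
            if entry.matches(net):
                return entry.action, entry.index
        return "deny", None      # implicit deny at the end of every prefix list

    def permitted(self, routes: List[str]) -> List[str]:
        return [r for r in routes if self.evaluate(r)[0] == "permit"]


# The list "abcd" from the text: no ge/le, so each entry matches only its exact /8.
ABCD = PrefixList("abcd", [
    PrefixEntry(10, "permit", "1.0.0.0", 8),
    PrefixEntry(20, "permit", "2.0.0.0", 8),
])

# Constructed list: deny entries followed by the recommended catch-all permit.
BLOCKED = PrefixList("blocked", [
    PrefixEntry(10, "deny", "10.0.0.0", 8, less_equal=32),         # any prefix inside 10/8
    PrefixEntry(20, "deny", "192.168.0.0", 16, greater_equal=24),  # /24../32 inside 192.168/16
    PrefixEntry(30, "permit", "0.0.0.0", 0, less_equal=32),        # permit everything else
])

# Constructed list with deny entries only: every route is filtered out.
DENY_ONLY = PrefixList("deny-only", [PrefixEntry(10, "deny", "10.0.0.0", 8, less_equal=32)])


if __name__ == "__main__":
    for plist, route in [(ABCD, "1.0.0.0/8"), (ABCD, "1.2.3.0/24"),
                         (BLOCKED, "10.1.0.0/16"), (BLOCKED, "192.168.0.0/16"),
                         (BLOCKED, "192.168.1.0/24"), (DENY_ONLY, "8.8.8.0/24")]:
        print(plist.name, route, plist.evaluate(route))
```

Note that the abcd entries from the text carry no greater-equal or less-equal value, so the model denies 1.2.3.0/24 even though it lies inside 1.0.0.0/8: an entry without a length range matches only prefixes of exactly mask-length bits, which is the usual reason a prefix list appears to "miss" more specific routes.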

Checking the Configuration


After an IP prefix list is configured, you can check information about the IP prefix list.

Prerequisites
The configurations for the IP-Prefix list are complete.

Procedure
l Run the display ip ip-prefix [ ip-prefix-name ] command to check information about the
IPv4 prefix list.

----End

Example
Run the display ip ip-prefix p1 command. You can view information about the prefix list named
p1.
<Quidway> display ip ip-prefix p1
Prefix-list p1
Permitted 5
Denied 2
        index: 10    permit  192.168.0.0/16  ge 17  le 18

5.7.4 Configuring the Route-Policy


Each node of a Route-Policy consists of a set of if-match and apply clauses.

Establishing the Configuration Task


Before configuring the Route-Policy, familiarize yourself with the applicable environment,
complete the pre-configuration tasks, and obtain the required data. This can help you complete
the configuration task quickly and accurately.

Applicable Environment
A Route-Policy is used to match routes or certain route attributes, and to change these attributes
when the matching rules are met.
A Route-Policy consists of multiple nodes. Each node is classified into the following clauses:
l if-match clauses: define the matching rules. The matching rules are used by the routes that
match the Route-Policy. The matching objects refer to some attributes of the route.
l apply clauses: specify actions, that is, configuration commands used to modify certain
attributes.

For more information about Route-Policy, refer to the AC6605 Access Controller Feature
Description - IP Routing.

Pre-configuration Tasks
To configure a Route-Policy, complete the following tasks:
l 5.7.3 Configuring the IP-Prefix List
l Configuring routing protocols

Data Preparation
To configure a Route-Policy, you need the following data.
No.   Data
1     Name and node number of the Route-Policy
2     Matching rule
3     Route attributes to be modified

Creating a Route-Policy
By applying a Route-Policy, you can set attributes for the imported routes according to
networking requirements.

Context
Do as follows on the Switch to which the Route-Policy is applied:

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
route-policy route-policy-name { permit | deny } node node

A node of the Route-Policy is created and the Route-Policy view is displayed.


l The parameter permit specifies a node in a Route-Policy in permit mode. If a route matches
the node, the Switch performs actions defined by the apply clauses and the matching is
complete. Otherwise, the route continues to match the next node.
l The parameter deny specifies a node in a Route-Policy in deny mode. In deny mode, the
apply clauses are not used. If a route entry matches all the if-match clauses of the node, the
route is denied by the node and the next node is not matched. If the entry does not match all
the clauses, the next node is matched.
NOTE

In the AC6605, by default, the unmatched routes are denied. If multiple nodes are defined in a Route-Policy, at least one of them should be in permit mode.

When a Route-Policy is used to filter routes, note the following:
l If a route does not match any node, it is denied by the Route-Policy.
l If all the nodes in the routing policy are in deny mode, all the routes are denied by the Route-Policy.
When a Route-Policy is used to filter the routing information, the node with the smaller node value
is tested first.
Step 3 (Optional) Run:
description text

The description of the routing policy is configured.


----End

(Optional) Configuring the If-Match Clause


The if-match clauses define the rules for matching certain route attributes.

Context
Do as follows on the Switch to which the Route-Policy is applied:

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
route-policy route-policy-name { permit | deny } node node

The Route-Policy view is displayed.


Step 3 Run the following command as required:
l Run:
if-match acl { acl-number | acl-name }

The ACL is configured to match the routes.


l Run:
if-match cost cost

The cost is set to match the routes.


l Run:
if-match interface interface-type interface-number

The outbound interface is configured to match the routes.


l Run:
if-match ip { next-hop | route-source | group-address } { acl { acl-number | acl-name } | ip-prefix ip-prefix-name }

The next hop, the source address or the multicast group address is configured to match the
routes.
l Run:
if-match ip-prefix ip-prefix-name

The IP prefix list is configured to match the routes.


NOTE

For the same Route-Policy node, you cannot run the if-match acl command and the if-match ip-prefix command at the same time. This is because the latest configuration overrides the previous
configuration.

l Perform as follows to match the type of the route:
Run:
if-match route-type { external-type1 | external-type1or2 | external-type2 |
internal | nssa-external-type1 | nssa-external-type1or2 | nssa-external-type2 }

The route type, OSPF in this case, is set to match the routes.
Run:
if-match route-type { is-is-level-1 | is-is-level-2 }

The route type, IS-IS in this case, is set to match the routes.
l Run:
if-match tag tag

The tag is set to match the routes.


The commands in Step 3 can be used regardless of the order. A node can have multiple or no
if-match clauses.
NOTE

l For the same node in a route-policy, the relationship between if-match clauses is "AND". The route
must meet all the matching rules before the actions defined by the apply clauses are performed. The
exception is the if-match route-type and if-match interface commands: the multiple route types or
interfaces specified by these clauses are alternatives, so the relationship between them is "OR". In
other commands, the relationship between if-match clauses is "AND".
l If no if-match clause is specified, all the routes meet the matching rules.

----End

(Optional) Configuring the Apply Clause


The apply clauses specify actions to set certain route attributes.

Context
Do as follows on the Switch to which the Route-Policy is applied:

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
route-policy route-policy-name { permit | deny } node node

The Route-Policy view is displayed.


Step 3 Run the following command as required:
l Run:
apply cost [ + | - ] cost

The cost of the route is set.


l Set the cost type of the route.
Run the apply cost-type { external | internal } command to set the cost type of an IS-IS route.
Run the apply cost-type { type-1 | type-2 } command to set the cost type of an OSPF
route.
The apply cost-type { external | internal } command and the apply cost-type { type-1 |
type-2 } command are mutually exclusive and cannot be configured at the same time.
l Run:
apply ip-address next-hop { peer-address | ipv4-address }

The next hop address of the IPv4 route is set.


l Run:
apply isis { level-1 | level-1-2 | level-2 }

The route level of IS-IS is set.


l Run:
apply ospf { backbone | stub-area }

The area of the OSPF that routes are imported into is set.
l Run:
apply preference preference

The preference of the routing protocol is set.


The smaller the preference value, the higher the preference.
l Run:
apply tag tag

The tag of the route is set.


The commands in Step 3 can be used regardless of the order.
----End
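The node evaluation rules spread over "Creating a Route-Policy", the if-match NOTE and the apply clause procedure above (nodes tested in ascending node number with an "OR" relationship, "AND" between the if-match clauses of one node with the values of if-match route-type and if-match interface being alternatives, a node without if-match clauses matching everything, apply clauses running only on a matched permit node, and the implicit deny for routes that match no node) are modelled in the following Python example. It is added here for illustration and is not AC6605 code; the Node and RoutePolicy classes, the attribute names, the policies "rp-import" and "rp-deny", and the sample routes are all constructed.

```python
"""Route-Policy node evaluation modelled on the semantics described in 5.7.4.

Added example for this section; it is not AC6605 code. The attribute names, the
Node/RoutePolicy classes and the sample routes are constructed for illustration.
Rules taken from the text: nodes are tested in ascending node number (OR between
nodes); all if-match clauses in a node must match (AND), except that the several
values given to if-match route-type / if-match interface are alternatives (OR);
a node with no if-match clause matches every route; a matching permit node runs
its apply clauses and ends evaluation; a matching deny node rejects the route and
ends evaluation; a route matching no node is denied.
"""
from dataclasses import dataclass, field
from typing import Any, Dict, List, Optional, Set, Tuple

Route = Dict[str, Any]                      # e.g. {"prefix": ..., "cost": 10, "tag": 0, ...}
ApplyClause = Tuple[str, str, Any]          # (attribute, "=" | "+" | "-", value)


@dataclass
class Node:
    number: int
    mode: str                                                     # "permit" or "deny"
    if_match: Dict[str, Set[Any]] = field(default_factory=dict)   # attribute -> accepted values
    apply: List[ApplyClause] = field(default_factory=list)

    def __post_init__(self) -> None:
        if self.mode not in ("permit", "deny"):
            raise ValueError("node mode must be permit or deny")

    def matches(self, route: Route) -> bool:
        # AND across clauses; the value set of one clause is an OR (route-type, interface).
        # An empty if_match dict means "match every route".
        return all(route.get(attr) in accepted for attr, accepted in self.if_match.items())

    def apply_to(self, route: Route) -> Route:
        """Return a modified copy; models apply cost [+|-], apply tag, apply preference."""
        changed = dict(route)
        for attr, op, value in self.apply:
            if op == "=":
                changed[attr] = value
            elif op == "+":
                changed[attr] = changed.get(attr, 0) + value
            elif op == "-":
                changed[attr] = max(0, changed.get(attr, 0) - value)
            else:
                raise ValueError(f"unknown apply operator {op!r}")
        return changed


class RoutePolicy:
    def __init__(self, name: str, nodes: List[Node]) -> None:
        self.name = name
        self.nodes = sorted(nodes, key=lambda n: n.number)       # smaller node number first

    def evaluate(self, route: Route) -> Tuple[str, Optional[int], Route]:
        """Return (verdict, matching node number or None, resulting route attributes)."""
        for node in self.nodes:
            if not node.matches(route):
                continue                                          # try the next node (OR)
            if node.mode == "permit":
                return "permit", node.number, node.apply_to(route)
            return "deny", node.number, dict(route)               # deny node: apply clauses unused
        return "deny", None, dict(route)                          # no node matched: implicit deny

    def permitted(self, routes: List[Route]) -> List[Route]:
        results = [self.evaluate(r) for r in routes]
        return [res for verdict, _, res in results if verdict == "permit"]


# Constructed policy: drop routes tagged 999, raise the cost of OSPF external routes,
# prefer routes learned on two specific interfaces with cost 10, and permit the rest.
POLICY = RoutePolicy("rp-import", [
    Node(10, "deny", if_match={"tag": {999}}),
    Node(20, "permit", if_match={"route_type": {"external-type1", "external-type2"}},
         apply=[("cost", "+", 100), ("tag", "=", 20)]),
    Node(30, "permit", if_match={"interface": {"Vlanif100", "Vlanif200"}, "cost": {10}},
         apply=[("preference", "=", 20)]),
    Node(40, "permit"),                                           # catch-all, no if-match clause
])

# Constructed policy with deny nodes only: nothing can pass it.
DENY_ONLY = RoutePolicy("rp-deny", [Node(10, "deny", if_match={"tag": {1}})])

# Constructed sample routes.
ROUTES: List[Route] = [
    {"prefix": "10.1.0.0/16", "cost": 10, "tag": 999, "route_type": "internal", "interface": "Vlanif100"},
    {"prefix": "172.16.0.0/12", "cost": 50, "tag": 0, "route_type": "external-type2", "interface": "Vlanif300"},
    {"prefix": "192.168.1.0/24", "cost": 10, "tag": 0, "route_type": "internal", "interface": "Vlanif200"},
    {"prefix": "192.168.2.0/24", "cost": 20, "tag": 0, "route_type": "internal", "interface": "Vlanif200"},
]

if __name__ == "__main__":
    for r in ROUTES:
        verdict, node, result = POLICY.evaluate(r)
        print(r["prefix"], verdict, node, result)
```

Node 30 shows the two relationships side by side: the route must satisfy both the interface clause and the cost clause (AND), while either of the two interfaces listed in the interface clause is enough (OR). Removing node 40 from the constructed policy turns every route that matches none of nodes 10 to 30 into an implicitly denied route, which is the behaviour the NOTE above warns about.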

Checking the Configuration


After the Route-Policy is configured, you can check information about the Route-Policy.

Prerequisites
The configurations for the Route-Policy are complete.

Procedure
l Run the display route-policy [ route-policy-name ] command to check the Route-Policy.

----End

5.7.5 Applying Filters to Received Routes


By applying the related filters of routing policies to routing protocols, you can filter the received
routes.

Establishing the Configuration Task


Before applying filters to the received routes, familiarize yourself with the applicable
environment, complete the pre-configuration tasks, and obtain the required data. This can help
you complete the configuration task quickly and accurately.

Applicable Environment
After defining the filters including the IP prefix list, ACL, and Route-Policy related to the routing
policy, you need to import the filters to the protocols. The routing filters are used in the following
situations:
l Filtering the received routes
Use the filter-policy command in the protocol view and apply an ACL or an IP prefix list
to filter the received routes. Only the routes that meet the matching rules are received.
The filter-policy import command is used to filter the received routes.
For the distance vector (DV) protocol and the link state protocol, the procedures are
different after the filter-policy command is run.
DV protocol
A DV protocol generates routes based on the routing table. The filters affect the routes
received from the neighbor and the routes to be sent to the neighbor.
Link state protocol
A link state protocol generates routes based on the Link State Database (LSDB). The filter-policy
command does not affect the Link State Advertisements (LSAs) or the integrity
of the LSDB. Therefore, the effects of the filter-policy import and filter-policy export commands are different.
The filter-policy import command only determines which routes from the protocol routing
table are added to the local routing table. That is, this command affects the local routing
table only, but does not affect the protocol routing table.
NOTE

l BGP has powerful filtering functions. For details of BGP configuration, refer to BGP
Configuration.
l You can run the filter-policy command and the import-route command with different parameters for
RIP, OSPF, IS-IS, and BGP. For details, refer to related configurations.

Pre-configuration Tasks
Before applying filters to received routes, complete the following tasks:
l Configuring the IP-Prefix List
l Configuring an ACL
l Configuring the Route-Policy

Data Preparation
To apply filters to received routes, you need the following data.

No.   Data
1     Name of the IP prefix list
2     Name of the ACL
3     Name of the Route-Policy and node number

Filtering Routes Received by RIP


By applying filters, you can control the receiving of RIP routes.

Context
Do as follows on the Switch that runs RIP:

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
rip [ process-id ] [ vpn-instance vpn-instance-name ]

A RIP process is enabled and the RIP view is displayed.

Step 3 Run either of the following commands as required:
l filter-policy { acl-number | acl-name acl-name } import [ interface-type interface-number ]
l filter-policy gateway ip-prefix-name import
l filter-policy ip-prefix ip-prefix-name [ gateway ip-prefix-name ] import [ interface-type
interface-number ]
The filtering policy is configured for routes received by RIP.
The filter-policy is configured in the RIP process. If routes are filtered based on an interface,
you can configure only one route-policy based on the interface at a time. If no interface is
specified, the system considers the configured route-policy as the global route-policy, and you
can configure only one route-policy at a time. If the route-policy is configured repeatedly, the
new route-policy will replace the old route-policy.
----End

Filtering Routes Received by OSPF


By applying filters, you can control the receiving of OSPF routes.

Context
Do as follows on the Switch that runs OSPF:

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
ospf [ process-id ]

An OSPF process is enabled and the OSPF view is displayed.


Step 3 Run:
filter-policy { acl-number | acl-name acl-name | ip-prefix ip-prefix-name } import

The filtering policy is configured for routes received by OSPF.


----End

Filtering Routes Received by IS-IS


By applying filters, you can control the receiving of IS-IS routes.

Context
Do as follows on the Switch that runs IS-IS:

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
isis [ process-id ] [ vpn-instance vpn-instance-name ]

An IS-IS process is enabled and the IS-IS view is displayed.


Step 3 Run:
filter-policy { acl-number | acl-name acl-name | ip-prefix ip-prefix-name | route-policy route-policy-name } import

You can configure IS-IS to filter the received routes to be added to the IP routing table.
----End

Filtering Routes Received by BGP


By applying filters, you can control the receiving of BGP routes.

Procedure
l Filtering the Received Routes
Do as follows on the Switch that runs BGP:
1.

Run:
system-view

The system view is displayed.


2.

Run:
bgp as-number

The BGP view is displayed.


3.

Run:
filter-policy { acl-number | acl-name acl-name | ip-prefix ip-prefix-name } import

The filtering policy is configured for routes received by BGP.


l Filtering Routes Received from the Peers or Peer Groups
Do as follows on the Switch that runs BGP:
1.

Run:
system-view

The system view is displayed.


2.

Run:
bgp as-number

The BGP view is displayed.


3.

Run:
ipv4-family unicast

The IPv4 unicast address family view is displayed.


4.

Run:
peer { group-name | ipv4-address } filter-policy { acl-number | acl-name
acl-name } import

The filtering policy is configured for routes received from peers or peer groups.
----End

Checking the Configuration


After filters are applied to the received routes, you can check information about the routing table
of each protocol.

Prerequisites
The configurations for applying filters to received routes are complete.

Procedure
l Run the display rip process-id route command to check information about the RIP routing
table.
l Run the display ospf [ process-id ] routing command to check information about the OSPF
routing table.
l Run the display isis [ process-id ] route command to check information about the IS-IS
routing table.
l Run the display bgp routing-table command to check information about the BGP routing
table.
l Run the display ip routing-table command to check information about the public IPv4
routing table.
l Run the display ip routing-table command on the neighboring Switch. You can find that
the routes that meet the matching rules set on the neighboring Switch are filtered or the
actions defined by the apply clauses are performed.

----End

5.7.6 Applying Filters to Advertised Routes


By applying the related filters of routing policies to routing protocols, you can filter advertised
routes.

Establishing the Configuration Task


Before applying filters to advertised routes, familiarize yourself with the applicable
environment, complete the pre-configuration tasks, and obtain the required data. This can help
you complete the configuration task quickly and accurately.

Applicable Environment
After defining the filters including the IP prefix list, ACL, and Route-Policy related to the routing
policy, you need to import the filters to the protocols.
l Filtering the advertised routes
Use the filter-policy command in the protocol view and import an ACL or an IP prefix list
to filter the advertised routes. Only the routes that meet the matching rules are advertised.
The filter-policy export command is used to filter the advertised routes.
For the DV protocol and the link state protocol, the procedures are different after the filter-policy command is run.
DV protocol
A DV protocol generates routes based on the routing table. The filters affect the route
received from the neighbor and the route to be sent to the neighbor.
Link state protocol
A link state protocol generates routes based on LSDBs. The filter-policy command does not affect
LSAs or the integrity of LSDBs. The effects of the filter-policy import and filter-policy export
commands are therefore different.
To advertise routes, you can run the filter-policy export command on a device to control
whether the device advertises the routes imported by a specific routing protocol (such
as RIP) from other routing protocols. If the device has not imported any route in
Import mode, it will not add LSAs or LSPs corresponding to the imported routes to its
LSDB. The device, however, can advertise LSAs that carry the routing information
discovered by the specific routing protocol itself to other Switches.
NOTE

l BGP has powerful filtering function. For details of BGP configuration, refer to BGP Configuration.
l You can run the filter-policy command and the import-route command with different parameters for
RIP, OSPF, IS-IS, and BGP. For details, refer to related configurations.

Pre-configuration Tasks
Before applying filters to advertised routes, complete the following tasks:
l 5.7.3 Configuring the IP-Prefix List
l Configuring an ACL
l 5.7.4 Configuring the Route-Policy

Data Preparation
To apply filters to advertised routes, you need the following data.
No.   Data
1     Name of the IP prefix list
2     Name of the ACL
3     Name of the Route-Policy and node number

Filtering Routes Advertised by RIP


By applying filters, you can control the advertisement of RIP routes.

Context
Do as follows on the Switch that runs RIP:

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
rip [ process-id ]

A RIP process is enabled and the RIP view is displayed.


Step 3 Run:
filter-policy { acl-number | acl-name acl-name | ip-prefix ip-prefix-name } export
[ protocol [ process-id ] | interface-type interface-number ]

The filtering policy is configured for routes advertised by RIP.


The filter-policy is configured in the RIP process. If routes are filtered based on an interface,
you can configure only one route-policy based on the interface at a time. If no interface is
specified, the system considers the configured route-policy as the global route-policy, and you
can configure only one route-policy at a time. If the route-policy is configured repeatedly, the
new route-policy will replace the old route-policy.
----End

Filtering Routes Advertised by OSPF


By applying filters, you can control the advertisement of OSPF routes.

Context
Do as follows on the Switch that runs OSPF:

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
ospf [ process-id ]

An OSPF process is enabled and the OSPF view is displayed.


Step 3 Run:
filter-policy { acl-number | acl-name acl-name | ip-prefix ip-prefix-name } export
[ protocol [ process-id ] ]

The filtering policy is configured to filter the imported routes when these routes are advertised
by OSPF.
----End

Filtering Routes Advertised by IS-IS


By applying filters, you can control the advertisement of IS-IS routes.

Context
Do as follows on the Switch that runs IS-IS:

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
isis [ process-id ]

An IS-IS process is enabled and the IS-IS view is displayed.


Step 3 Run:
filter-policy { ip-prefix ip-prefix-name | route-policy route-policy-name } export
[ protocol [ process-id ] ]

The filtering policy is configured for routes advertised by IS-IS.


----End

Filtering Routes Advertised by BGP


By applying filters, you can control the advertisement of BGP routes.

Procedure
l Filtering the Advertised Routes
  Do as follows on the Switch that runs BGP:
  1. Run:
     system-view

     The system view is displayed.
  2. Run:
     bgp as-number

     The BGP view is displayed.
  3. Run:
     ipv4-family unicast

     The IPv4 unicast address family view is displayed.
  4. Run:
     filter-policy { acl-number | acl-name acl-name | ip-prefix ip-prefix-name } export [ protocol [ process-id ] ]

     The filtering policy is configured for routes advertised by BGP.
  For the routes imported by BGP, only the routes that meet the matching rules can be added
  to the BGP local routing table and advertised to the BGP peers.
  If protocol is specified, only the routes of the specified protocol are filtered.
  If the parameter is not specified, all the routes advertised by BGP are filtered,
  including the imported routes and the local routes advertised through the
  network command.
  NOTE
  The range of routes affected by the filter-policy export command depends on the protocol:
  l For a link-state protocol, only the imported routes are filtered.
  l For a distance-vector (DV) protocol, both the imported routes and the routes discovered by
    the protocol itself are filtered.

l Filtering Routes Advertised to the Peers
  Do as follows on the Switch that runs BGP:
  1. Run:
     system-view

     The system view is displayed.
  2. Run:
     bgp as-number

     The BGP view is displayed.
  3. Run:
     ipv4-family unicast

     The IPv4 unicast address family view is displayed.
  4. Run:
     peer { group-name | ipv4-address } filter-policy { acl-number | acl-name acl-name } export

     The filtering policy is configured for routes advertised to the peers or peer groups.
----End

Checking the Configuration


After filters are applied to advertised routes, you can check information about the routing table
of each protocol.

Prerequisites
The configurations for applying filters to advertised routes are complete.

Procedure
l Run the display rip process-id route command to check information about the RIP routing
  table.
l Run the display ospf [ process-id ] routing command to check information about the OSPF
  routing table.
l Run the display isis [ process-id ] route command to check information about the IS-IS
  routing table.
l Run the display bgp routing-table command to check information about the BGP routing
  table.
l Run the display ip routing-table command to check information about the public IPv4
  routing table.
  Run the display ip routing-table command on the neighboring Switch. You can find that
  the routes that meet the matching rules set on the neighboring Switch are filtered or that the
  actions defined by the apply clauses are performed.

----End

5.7.7 Applying Filters to Imported Routes


By applying the related filters of routing policies to routing protocols, you can filter imported
routes.

Establishing the Configuration Task


Before applying filters to imported routes, familiarize yourself with the applicable environment,
complete the pre-configuration tasks, and obtain the required data. This can help you complete
the configuration task quickly and accurately.

Applicable Environment
After defining the filters including the IP prefix list, ACL, and Route-Policy related to the routing
policy, you need to import the filters to the protocols.
l Applying the policy to import external routes
  Use the import-route command in the protocol view. Import the required external
  routes to the protocols and apply a Route-Policy to the imported routes.
  After the external routes are imported, run the filter-policy export command to filter the routes.
  Only the routes that meet the matching rules are advertised.
NOTE

l BGP has powerful filtering functions. For details of BGP configuration, refer to BGP
Configuration.
l You can run the filter-policy command and the import-route command with different parameters for
RIP, OSPF, IS-IS, and BGP. For details, refer to related configurations.

Pre-configuration Tasks
Before applying filters to imported routes, complete the following tasks:
l Configuring the IP-Prefix List
l Configuring an ACL
l Configuring the Route-Policy

Data Preparation
To apply filters to imported routes, you need the following data.
No.  Data
1    Name of the IP prefix list
2    Name of the ACL
3    Name of the Route-Policy and node number

Applying Route-Policy to Routes Imported by RIP


By applying filters, you can control the import of RIP routes.

Context
Do as follows on the Switch that runs RIP:

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
rip [ process-id ]

A RIP routing process is enabled and the RIP view is displayed.


Step 3 Run:
import-route bgp [ cost { cost | transparent } | route-policy route-policy-name ]

or import-route { { static | direct } | { { rip | ospf | isis } [ process-id ] } } [ cost cost | route-policy route-policy-name ] *

The external routes are imported.

----End

Applying Route-Policy to Routes Imported by OSPF


By applying filters, you can control the import of OSPF routes.

Context
Do as follows on the Switch that runs OSPF:

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
ospf [ process-id ]

An OSPF process is enabled and the OSPF view is displayed.


Step 3 Run:
import-route { limit limit-number | { bgp [ permit-ibgp ] | direct | unr | rip
[ process-id-rip ] | static | isis [ process-id-isis ] | ospf [ process-id-ospf ] }
[ cost cost | type type | tag tag | route-policy route-policy-name ] * }

The external routes are imported.


----End

Applying Route-Policy to Routes Imported by BGP


By applying filters, you can control the import of BGP routes.

Context
Do as follows on the Switch that runs BGP:

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
bgp as-number

The BGP view is displayed.



Step 3 Run:
ipv4-family unicast

The IPv4 unicast address family view is displayed.


Step 4 Run:
import-route protocol [ process-id ] [ med med | route-policy route-policy-name ]

The external routes are imported.


----End

Checking the Configuration


After filters are applied to imported routes, you can check information about the routing table
of each protocol.

Prerequisites
The configurations for applying filters to imported routes are complete.

Procedure
l Run the display rip process-id route command to check information about the RIP routing
  table.
l Run the display ospf [ process-id ] routing command to check information about the OSPF
  routing table.
l Run the display isis [ process-id ] route command to check information about the IS-IS
  routing table.
l Run the display bgp routing-table command to check information about the BGP routing
  table.
l Run the display ip routing-table command to check information about the public IPv4
  routing table.
  Run the display ip routing-table command on the neighboring Switch. You can find that
  the routes that meet the matching rules on the neighboring Switch are filtered or that the
  actions defined by the apply clauses are performed.

----End

5.7.8 Controlling the Valid Time of the Routing policy


To ensure network stability, you need to configure the delay for applying a routing policy when
modifying the routing policy.

Establishing the Configuration Task


Before configuring the delay for applying a routing policy, familiarize yourself with the
applicable environment, complete the pre-configuration tasks, and obtain the required data. This
can help you complete the configuration task quickly and accurately.

Applicable Environment
In actual applications, when the configurations of multiple cooperative routing policies change,
the Routing Management Module (RM) immediately notifies the related protocols to apply the new
routing policy as soon as each configuration command takes effect, before the whole routing
policy is complete. Applying an incomplete routing policy causes route flapping, network
instability, and wasted time during packet processing.
The AC6605 provides the following rules for processing changes of a routing policy:
l By default, the RM immediately notifies the protocol to apply the new policy when the
  routing policy changes.
l If the valid time of the routing policy is configured, when the commands used to configure
  the routing policy change, the RM does not notify the protocols to process the changes
  immediately. Instead, the RM waits for a certain period and then notifies the protocols to
  apply the changed routing policy.
l If the routing policy changes again during the waiting time, the RM resets the timer.
You can run related commands to set the waiting time as required.

Pre-configuration Tasks
None.

Data Preparation
To configure the valid time of the routing policy, you need the following data.
No.  Data
1    Delay for applying the routing policy

Configuring the Delay for Applying the Routing Policy


When modifying multiple cooperative routing policies, you need to configure the delay for
applying a routing policy.

Context
Do as follows on the Switch on which the delay for applying routing policy needs to be changed:

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
route-policy-change notify-delay delay-time

The delay for applying the routing policy is set.


The delay ranges from 1 to 180, in seconds.
By default, the RM immediately notifies the protocol of applying the new policy when the routing
policy changes.

Step 3 Run:
quit

Return to the user view.

Step 4 (Optional) Run:
refresh bgp all { export | import }

BGP is configured to apply the new routing policy.

After this command is run, the new policy takes effect immediately; you can use it to make BGP
apply new policies without waiting for the configured delay.
The policies affected by the timer are ACLs, IP prefix lists, AS-Path filters, community filters,
extended community filters, RD filters, and Route-Policies.
----End
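The three rules listed under Applicable Environment (notify on every change by default, wait delay-time seconds when a delay is configured, restart the wait when another change arrives) can be replayed in a short model. The following Python is an added example, not code from the Huawei guide; the function names and the change timestamps are constructed for illustration, and the 1 to 180 second range is the one stated in Step 2.

```python
"""Model of the route-policy-change notify-delay timer.

Added example, not code from the Huawei guide. It reproduces the three rules
stated under "Applicable Environment": without a configured delay the RM
notifies the protocols on every change; with a delay it waits delay-time
seconds before notifying; a further change during the wait resets the timer.
The change timestamps used below are constructed.
"""
from typing import List, Optional


def notification_times(change_times: List[float], delay: Optional[int]) -> List[float]:
    """Return the instants at which the RM notifies the protocols.

    change_times: seconds at which a routing-policy command was entered.
    delay: the route-policy-change notify-delay value (1 to 180 seconds),
           or None for the default behaviour (no delay configured).
    """
    if delay is None:
        return sorted(change_times)            # default: notify on every change

    if not 1 <= delay <= 180:                  # range given in Step 2 above
        raise ValueError("notify-delay must be between 1 and 180 seconds")

    notifications: List[float] = []
    deadline: Optional[float] = None           # when the running timer would fire
    for t in sorted(change_times):
        if deadline is not None and t < deadline:
            deadline = t + delay               # change during the wait: timer is reset
            continue
        if deadline is not None:
            notifications.append(deadline)     # previous timer fired before this change
        deadline = t + delay                   # start a new timer for this change
    if deadline is not None:
        notifications.append(deadline)         # last timer fires after the final change
    return notifications


def compare_policy_edit(change_times: List[float], delay: int) -> dict:
    """Summarise one editing session with and without the delay configured."""
    return {
        "immediate": notification_times(change_times, None),
        "delayed": notification_times(change_times, delay),
    }


if __name__ == "__main__":
    # Constructed session: four related route-policy commands entered at 0, 2 and 5 s,
    # then a correction a minute later.
    print(compare_policy_edit([0, 2, 5, 60], delay=10))
```

With the constructed session the default behaviour notifies the protocols four times, once per command, while a 10 second delay collapses the first three edits into one notification at 15 s and the later correction into another at 70 s, which is the flap reduction the section is after.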

Checking the Configuration


After the delay for applying a routing policy is configured, you can check the configuration.

Prerequisites
The configurations for controlling the valid time of the routing policy are complete.

Procedure
l Run the display current-configuration | include notify-delay command to check the
  delay for applying the routing policy.

----End

5.7.9 Maintaining the Routing Policy


Maintaining routing policies involves clearing the statistics of the IP prefix list and debugging
routing policies.

Context
By default, the statistics of IP prefix lists are not cleared.

Procedure
l Run the reset ip ip-prefix [ ip-prefix-name ] command in the user view to clear the IPv4 prefix
  list statistics.

----End

5.7.10 Configuration Examples


This section provides several configuration examples of the routing policy.

Example for Filtering Received and Advertised Routes



Networking Requirements
As shown in Figure 5-42, in a network that runs OSPF, Switch-A receives routes from the
Internet and provides some of these routes for Switch-B. Switch-A is required to provide
172.1.17.0/24, 172.1.18.0/24, and 172.1.19.0/24 to Switch-B. Switch-C receives only
172.1.18.0/24 and Switch-D receives all routes provided by Switch-B.
Figure 5-42 Networking diagram for filtering received and advertised routes
[Figure: Switch A receives 172.1.16.0/24, 172.1.17.0/24, 172.1.18.0/24, 172.1.19.0/24, and
172.1.20.0/24 and connects through GE 0/0/1 to Switch B; Switch B connects through GE 0/0/2 to
Switch C and through GE 0/0/3 to Switch D; all four switches run OSPF.]

Switch    Interface   VLANIF Interface   IP Address
SwitchA   GE 0/0/1    VLANIF 10          192.168.1.1/24
SwitchB   GE 0/0/1    VLANIF 10          192.168.1.2/24
SwitchB   GE 0/0/2    VLANIF 20          192.168.2.1/24
SwitchB   GE 0/0/3    VLANIF 30          192.168.3.1/24
SwitchC   GE 0/0/1    VLANIF 20          192.168.2.2/24
SwitchD   GE 0/0/1    VLANIF 30          192.168.3.2/24

Configuration Roadmap
The configuration roadmap is as follows:
1. Create the ID of the VLAN to which each interface belongs.
2. Assign an IP address to each VLANIF interface.
3. Configure basic OSPF functions on Switch-A, Switch-B, Switch-C, and Switch-D.
4. Configure static routes on Switch-A and import these routes into OSPF.
5. Configure the policy for advertising routes on Switch-A and check the filtering result on
   Switch-B.
6. Configure the policy for receiving routes on Switch-C and check the filtering result on
   Switch-C.

Data Preparation
To complete the configuration, you need the following data:
l Five static routes imported by Switch-A
l Switch-A, Switch-B, Switch-C, and Switch-D located in Area 0, that is, the backbone area
l Names of the IP prefix list and route to be filtered

Configuration Procedure
1. Create a VLAN to which each interface belongs.
   The configuration details are not mentioned here.

2. Assign an IP address to each VLANIF interface.
   The configuration details are not mentioned here.

3. Configure basic OSPF functions.
# Configure Switch-A.
[SwitchA] ospf
[SwitchA-ospf-1] area 0
[SwitchA-ospf-1-area-0.0.0.0] network 192.168.1.0 0.0.0.255
[SwitchA-ospf-1-area-0.0.0.0] quit
[SwitchA-ospf-1] quit

# Configure Switch-B.
[SwitchB] ospf
[SwitchB-ospf-1] area 0
[SwitchB-ospf-1-area-0.0.0.0] network 192.168.1.0 0.0.0.255
[SwitchB-ospf-1-area-0.0.0.0] network 192.168.2.0 0.0.0.255
[SwitchB-ospf-1-area-0.0.0.0] network 192.168.3.0 0.0.0.255
[SwitchB-ospf-1-area-0.0.0.0] quit
[SwitchB-ospf-1] quit

# Configure Switch-C.
[SwitchC] ospf
[SwitchC-ospf-1] area 0
[SwitchC-ospf-1-area-0.0.0.0] network 192.168.2.0 0.0.0.255
[SwitchC-ospf-1-area-0.0.0.0] quit
[SwitchC-ospf-1] quit

# Configure Switch-D.
[SwitchD] ospf
[SwitchD-ospf-1] area 0
[SwitchD-ospf-1-area-0.0.0.0] network 192.168.3.0 0.0.0.255
[SwitchD-ospf-1-area-0.0.0.0] quit
[SwitchD-ospf-1] quit

4. Configure five static routes on Switch-A and import these routes to OSPF.
[SwitchA] ip route-static 172.1.16.0 24 NULL 0
[SwitchA] ip route-static 172.1.17.0 24 NULL 0
[SwitchA] ip route-static 172.1.18.0 24 NULL 0
[SwitchA] ip route-static 172.1.19.0 24 NULL 0
[SwitchA] ip route-static 172.1.20.0 24 NULL 0
[SwitchA] ospf
[SwitchA-ospf-1] import-route static
[SwitchA-ospf-1] quit

# Check the IP routing table on Switch-B. You can see that the five static routes are imported
to OSPF.
[SwitchB] display ip routing-table
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
         Destinations : 13       Routes : 13

Destination/Mask    Proto   Pre  Cost    Flags NextHop         Interface
      127.0.0.0/8   Direct  0    0       D     127.0.0.1       InLoopBack0
      127.0.0.1/32  Direct  0    0       D     127.0.0.1       InLoopBack0
    192.168.1.0/24  Direct  0    0       D     192.168.1.2     Vlanif10
    192.168.1.2/32  Direct  0    0       D     127.0.0.1       Vlanif10
    192.168.2.0/24  Direct  0    0       D     192.168.2.1     Vlanif20
    192.168.2.1/32  Direct  0    0       D     127.0.0.1       Vlanif20
    192.168.3.0/24  Direct  0    0       D     192.168.3.1     Vlanif30
    192.168.3.1/32  Direct  0    0       D     127.0.0.1       Vlanif30
     172.1.16.0/24  O_ASE   150  1       D     192.168.1.1     Vlanif10
     172.1.17.0/24  O_ASE   150  1       D     192.168.1.1     Vlanif10
     172.1.18.0/24  O_ASE   150  1       D     192.168.1.1     Vlanif10
     172.1.19.0/24  O_ASE   150  1       D     192.168.1.1     Vlanif10
     172.1.20.0/24  O_ASE   150  1       D     192.168.1.1     Vlanif10

5. Configure the policy for advertising routes.
# Set an IP prefix list named a2b on Switch-A.
[SwitchA] ip ip-prefix a2b index 10 permit 172.1.17.0 24
[SwitchA] ip ip-prefix a2b index 20 permit 172.1.18.0 24
[SwitchA] ip ip-prefix a2b index 30 permit 172.1.19.0 24

# Set a policy for advertising routes on Switch-A and use a2b to filter routes.
[SwitchA] ospf
[SwitchA-ospf-1] filter-policy ip-prefix a2b export static

# Check the routing table on Switch-B. You can see that Switch-B receives only the three
routes defined in a2b.
[SwitchB] display ip routing-table
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
         Destinations : 11       Routes : 11

Destination/Mask    Proto   Pre  Cost    Flags NextHop         Interface
      127.0.0.0/8   Direct  0    0       D     127.0.0.1       InLoopBack0
      127.0.0.1/32  Direct  0    0       D     127.0.0.1       InLoopBack0
    192.168.1.0/24  Direct  0    0       D     192.168.1.2     Vlanif10
    192.168.1.2/32  Direct  0    0       D     127.0.0.1       Vlanif10
    192.168.2.0/24  Direct  0    0       D     192.168.2.1     Vlanif20
    192.168.2.1/32  Direct  0    0       D     127.0.0.1       Vlanif20
    192.168.3.0/24  Direct  0    0       D     192.168.3.1     Vlanif30
    192.168.3.1/32  Direct  0    0       D     127.0.0.1       Vlanif30
     172.1.17.0/24  O_ASE   150  1       D     192.168.1.1     Vlanif10
     172.1.18.0/24  O_ASE   150  1       D     192.168.1.1     Vlanif10
     172.1.19.0/24  O_ASE   150  1       D     192.168.1.1     Vlanif10

6. Configure the policy for receiving routes.
# Set an IP prefix list named in on Switch-C.
[SwitchC] ip ip-prefix in index 10 permit 172.1.18.0 24

# Set a policy for receiving routes on Switch-C and use in to filter routes.
[SwitchC] ospf
[SwitchC-ospf-1] filter-policy ip-prefix in import

# Check the routing table on Switch-C. You can find that Switch-C receives only the one route
defined in in into its local core routing table.
[SwitchC] display ip routing-table
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
         Destinations : 5        Routes : 5

Destination/Mask    Proto   Pre  Cost    Flags NextHop         Interface
      127.0.0.0/8   Direct  0    0       D     127.0.0.1       InLoopBack0
      127.0.0.1/32  Direct  0    0       D     127.0.0.1       InLoopBack0
    192.168.2.0/24  Direct  0    0       D     192.168.2.1     Vlanif20
    192.168.2.2/32  Direct  0    0       D     127.0.0.1       Vlanif20
     172.1.18.0/24  O_ASE   150                192.168.1.1     Vlanif10
Configuration Files
l Configuration file of Switch-A

#
sysname SwitchA
#
vlan batch 10
#
interface Vlanif10
ip address 192.168.1.1 255.255.255.0
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 10
#
ospf 1
filter-policy ip-prefix a2b export static
import-route static
area 0.0.0.0
network 192.168.1.0 0.0.0.255
#
ip ip-prefix a2b index 10 permit 172.1.17.0 24
ip ip-prefix a2b index 20 permit 172.1.18.0 24
ip ip-prefix a2b index 30 permit 172.1.19.0 24
#
ip route-static 172.1.16.0 255.255.255.0 NULL0
ip route-static 172.1.17.0 255.255.255.0 NULL0
ip route-static 172.1.18.0 255.255.255.0 NULL0
ip route-static 172.1.19.0 255.255.255.0 NULL0
ip route-static 172.1.20.0 255.255.255.0 NULL0
#
return

l Configuration file of Switch-B
#
sysname SwitchB
#
vlan batch 10 20 30
#
interface Vlanif10
ip address 192.168.1.2 255.255.255.0
#
interface Vlanif20
ip address 192.168.2.1 255.255.255.0
#
interface Vlanif30
ip address 192.168.3.1 255.255.255.0
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 10
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 20
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk allow-pass vlan 30
#
ospf 1
area 0.0.0.0
network 192.168.1.0 0.0.0.255
network 192.168.2.0 0.0.0.255
network 192.168.3.0 0.0.0.255
#
return

l Configuration file of Switch-C
#
sysname SwitchC
#
vlan batch 20
#
interface Vlanif20
ip address 192.168.2.2 255.255.255.0
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 20
#
ospf 1
filter-policy ip-prefix in import
area 0.0.0.0
network 192.168.2.0 0.0.0.255
#
ip ip-prefix in index 10 permit 172.1.18.0 24
#
return

l Configuration file of Switch-D
#
sysname SwitchD
#
vlan batch 30
#
interface Vlanif30
ip address 192.168.3.2 255.255.255.0
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 30
#
ospf 1
area 0.0.0.0
network 192.168.3.0 0.0.0.255
#
return
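The example above can be replayed offline to see exactly which prefixes an IP prefix list lets through on export (Switch-A, filter-policy ip-prefix a2b export static) and on import (Switch-C, filter-policy ip-prefix in import). The following Python is an added example, not code from the Huawei guide; the function and class names are my own, the route records and prefix-list lines are constructed from the CLI shown in the example, and the model also covers deny entries and the implicit deny for a prefix that matches no entry, which the example's permit-only lists do not exercise.

```python
"""Model of filter-policy with an IP prefix list, on export and on import.

Added example, not code from the Huawei guide. It replays the routing-policy
example above: Switch-A imports five static routes into OSPF and advertises
only those that prefix list a2b permits; Switch-C installs only the prefix that
prefix list "in" permits. Route records and prefix-list lines are constructed
here from the CLI shown on the page.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network
from typing import Dict, Iterable, List, Optional


@dataclass(frozen=True)
class PrefixEntry:
    """One 'ip ip-prefix NAME index N permit|deny ADDRESS LENGTH' line."""
    index: int
    permit: bool
    network: IPv4Network


@dataclass(frozen=True)
class Route:
    prefix: IPv4Network
    proto: str        # Static, Direct, O_ASE, ... as shown by display ip routing-table
    cost: int = 0


def parse_ip_prefix(lines: Iterable[str]) -> Dict[str, List[PrefixEntry]]:
    """Collect prefix-list lines by list name, ordered by index (the evaluation order)."""
    lists: Dict[str, List[PrefixEntry]] = {}
    for line in lines:
        parts = line.split()
        if parts[:2] != ["ip", "ip-prefix"]:
            continue
        name, index, action = parts[2], int(parts[4]), parts[5]
        network = IPv4Network(f"{parts[6]}/{parts[7]}")
        lists.setdefault(name, []).append(PrefixEntry(index, action == "permit", network))
    for entries in lists.values():
        entries.sort(key=lambda e: e.index)
    return lists


def prefix_list_permits(entries: List[PrefixEntry], prefix: IPv4Network) -> bool:
    """The first entry that matches decides; a prefix matching no entry is denied."""
    for entry in entries:
        if entry.network == prefix:   # exact prefix and length, the only form used on the page
            return entry.permit
    return False


def filter_policy(routes: Iterable[Route], entries: List[PrefixEntry],
                  proto: Optional[str] = None) -> List[Route]:
    """filter-policy ip-prefix NAME export|import [proto].

    With proto given (filter-policy ... export static) only routes of that
    protocol are subject to the list; all other routes pass untouched.
    """
    return [r for r in routes
            if (proto is not None and r.proto != proto) or prefix_list_permits(entries, r.prefix)]


# Constructed from the page: five static routes on Switch-A, its a2b list, Switch-C's "in" list.
SWITCH_A_STATIC = [Route(IPv4Network(f"172.1.{n}.0/24"), "Static") for n in range(16, 21)]
SWITCH_A_CONFIG = [
    "ip ip-prefix a2b index 10 permit 172.1.17.0 24",
    "ip ip-prefix a2b index 20 permit 172.1.18.0 24",
    "ip ip-prefix a2b index 30 permit 172.1.19.0 24",
]
SWITCH_C_CONFIG = ["ip ip-prefix in index 10 permit 172.1.18.0 24"]


def advertised_by_switch_a() -> List[str]:
    """Prefixes Switch-A advertises after 'filter-policy ip-prefix a2b export static'."""
    a2b = parse_ip_prefix(SWITCH_A_CONFIG)["a2b"]
    return [str(r.prefix) for r in filter_policy(SWITCH_A_STATIC, a2b, proto="Static")]


def installed_by_switch_c() -> List[str]:
    """Prefixes Switch-C installs after 'filter-policy ip-prefix in import'.

    The OSPF import filter only governs what enters the local routing table;
    the LSAs are still flooded, which is why Switch-D on the page sees all
    three routes that Switch-B forwards.
    """
    learned = [Route(IPv4Network(p), "O_ASE", cost=1) for p in advertised_by_switch_a()]
    in_list = parse_ip_prefix(SWITCH_C_CONFIG)["in"]
    return [str(r.prefix) for r in filter_policy(learned, in_list)]


if __name__ == "__main__":
    print("Switch-B learns:", advertised_by_switch_a())
    print("Switch-C installs:", installed_by_switch_c())
```

The two results match the display ip routing-table output in steps 5 and 6: three O_ASE routes on Switch-B and a single one on Switch-C. The point worth keeping in mind from the model is the implicit deny: a prefix that matches no entry of the list is dropped, so a list that only names what to permit silently blocks everything else of the filtered protocol.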

Example for Applying a Routing Policy to Imported Routes


Networking Requirements
As shown in Figure 5-43, Switch-B exchanges routing information with Switch-A through
OSPF and with Switch-C through IS-IS.
Switch-B is required to import IS-IS routes into OSPF and to use the routing policy to set the
route attributes. The cost value of the route 172.17.1.0/24 is set to 100, and the tag of the route
172.17.2.0/24 is set to 20.

Figure 5-43 Networking diagram of applying a routing policy for imported routes
[Figure: Switch A (GE 0/0/1) connects to Switch B (GE 0/0/1) over OSPF; Switch B (GE 0/0/2)
connects to Switch C (GE 0/0/1) over IS-IS; Switch C also has GE 0/0/2, GE 0/0/3, and GE 0/0/4.]

Switch    Interface   VLANIF Interface   IP Address
SwitchA   GE 0/0/1    VLANIF 10          192.168.1.1/24
SwitchB   GE 0/0/1    VLANIF 10          192.168.1.2/24
SwitchB   GE 0/0/2    VLANIF 20          192.168.2.2/24
SwitchC   GE 0/0/1    VLANIF 20          192.168.2.1/24
SwitchC   GE 0/0/2    VLANIF 30          172.17.1.1/24
SwitchC   GE 0/0/3    VLANIF 40          172.17.2.1/24
SwitchC   GE 0/0/4    VLANIF 50          172.17.3.1/24

Configuration Roadmap
The configuration roadmap is as follows:
1. Create the ID of the VLAN to which each interface belongs.
2. Assign an IP address to each VLANIF interface.
3. Configure basic IS-IS functions on Switch-B and Switch-C.
4. Configure OSPF on Switch-A and Switch-B and import IS-IS routes.
5. Configure a routing policy on Switch-B, apply the routing policy when OSPF imports
   IS-IS routes, and verify the routes.

Data Preparation
To complete the configuration, you need the following data:
l The IS-IS level of Switch-C is Level-2 and its system ID is 0000.0000.0001. The IS-IS
  level of Switch-B is Level-2 and its system ID is 0000.0000.0002. The area number of
  Switch-B and Switch-C is 10.
l Switch-A and Switch-B are located in Area 0, that is, the backbone area.
l Names of the filtering list and IP prefix list. The cost of the route 172.17.1.0/24
  is 100 and the tag of the route 172.17.2.0/24 is 20.

Configuration Procedure
1.

Create a VLAN to which each interface belongs.


The configuration details are not mentioned here.

Issue 04 (2013-06-15)

Huawei Proprietary and Confidential


Copyright Huawei Technologies Co., Ltd.

1094

AC6605 Access Controller


Configuration Guide

2.

5 Configuration Guide - IP Routing

Assign an IP address to each VLANIF interface.


The configuration details are not mentioned here.

3.

Configure IS-IS.
# Configure Switch-C.
[SwitchC] isis
[SwitchC-isis-1] is-level level-2
[SwitchC-isis-1] network-entity 10.0000.0000.0001.00
[SwitchC-isis-1] quit
[SwitchC] interface vlanif 20
[SwitchC-Vlanif20] isis enable
[SwitchC-Vlanif20] quit
[SwitchC] interface vlanif 30
[SwitchC-Vlanif30] isis enable
[SwitchC-Vlanif30] quit
[SwitchC] interface vlanif 40
[SwitchC-Vlanif40] isis enable
[SwitchC-Vlanif40] quit
[SwitchC] interface vlanif 50
[SwitchC-Vlanif50] isis enable
[SwitchC-Vlanif50] quit

# Configure Switch-B.
[SwitchB] isis
[SwitchB-isis-1] is-level level-2
[SwitchB-isis-1] network-entity 10.0000.0000.0002.00
[SwitchB-isis-1] quit
[SwitchB] interface vlanif 20
[SwitchB-Vlanif20] isis enable
[SwitchB-Vlanif20] quit

4.

Configure OSPF and import routes.


# Configure Switch-A and enable OSPF.
[SwitchA] ospf
[SwitchA-ospf-1] area 0
[SwitchA-ospf-1-area-0.0.0.0] network 192.168.1.0 0.0.0.255
[SwitchA-ospf-1-area-0.0.0.0] quit
[SwitchA-ospf-1] quit

# Configure Switch-B, enable OSPF, and import IS-IS routes.


[SwitchB] ospf
[SwitchB-ospf-1] area 0
[SwitchB-ospf-1-area-0.0.0.0] network 192.168.1.0 0.0.0.255
[SwitchB-ospf-1-area-0.0.0.0] quit
[SwitchB-ospf-1] import-route isis 1
[SwitchB-ospf-1] quit

# Check the OSPF routing table of Switch-A. You can view the imported routes.
[SwitchA] display ospf routing
          OSPF Process 1 with Router ID 192.168.1.1
                   Routing Tables

 Routing for Network
 Destination        Cost  Type       NextHop         AdvRouter       Area
 192.168.1.0/24     1     Stub       192.168.1.1     192.168.1.1     0.0.0.0

 Routing for ASEs
 Destination        Cost      Type       Tag         NextHop         AdvRouter
 192.168.2.0/24     1         Type2      1           192.168.1.2     192.168.1.2
 172.17.1.0/24      1         Type2      1           192.168.1.2     192.168.1.2
 172.17.2.0/24      1         Type2      1           192.168.1.2     192.168.1.2
 172.17.3.0/24      1         Type2      1           192.168.1.2     192.168.1.2

 Total Nets: 5
 Intra Area: 1  Inter Area: 0  ASE: 4  NSSA: 0

5. Set the filtering list.


# Set ACL 2002 to match 172.17.2.0/24.
[SwitchB] acl number 2002
[SwitchB-acl-basic-2002] rule permit source 172.17.2.0 0.0.0.255
[SwitchB-acl-basic-2002] quit

# Set an IP prefix list named prefix-a to match 172.17.1.0/24.
[SwitchB] ip ip-prefix prefix-a index 10 permit 172.17.1.0 24

6. Set a Route-Policy.
[SwitchB] route-policy isis2ospf permit node 10
[SwitchB-route-policy] if-match ip-prefix prefix-a
[SwitchB-route-policy] apply cost 100
[SwitchB-route-policy] quit
[SwitchB] route-policy isis2ospf permit node 20
[SwitchB-route-policy] if-match acl 2002
[SwitchB-route-policy] apply tag 20
[SwitchB-route-policy] quit

7. Apply the Route-Policy when routes are imported.


# Configure Switch-B and apply the Route-Policy when routes are imported.
[SwitchB] ospf
[SwitchB-ospf-1] import-route isis 1 route-policy isis2ospf
[SwitchB-ospf-1] quit

# Check the OSPF routing table of Switch-A. You can see that the cost of the route to
172.17.1.0/24 is 100 and the tag of the route to 172.17.2.0/24 is 20. Other routing
attributes do not change.
[SwitchA] display ospf routing
          OSPF Process 1 with Router ID 192.168.1.1
                   Routing Tables

 Routing for Network
 Destination        Cost  Type       NextHop         AdvRouter       Area
 192.168.1.0/24     1     Stub       192.168.1.1     192.168.1.1     0.0.0.0

 Routing for ASEs
 Destination        Cost      Type       Tag         NextHop         AdvRouter
 192.168.2.0/24     1         Type2      1           192.168.1.2     192.168.1.2
 172.17.1.0/24      100       Type2      1           192.168.1.2     192.168.1.2
 172.17.2.0/24      1         Type2      20          192.168.1.2     192.168.1.2
 172.17.3.0/24      1         Type2      1           192.168.1.2     192.168.1.2

 Total Nets: 5
 Intra Area: 1  Inter Area: 0  ASE: 4  NSSA: 0

Configuration Files
l Configuration file of Switch-A

#
sysname SwitchA
#
vlan batch 10
#
interface Vlanif10
ip address 192.168.1.1 255.255.255.0
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 10
#
ospf 1
area 0.0.0.0
network 192.168.1.0 0.0.0.255
#

return

l Configuration file of Switch-B
#
sysname SwitchB
#
vlan batch 10 20
#
acl number 2002
rule 5 permit source 172.17.2.0 0.0.0.255
#
isis 1
is-level level-2
network-entity 10.0000.0000.0002.00
#
interface Vlanif10
ip address 192.168.1.2 255.255.255.0
#
interface Vlanif20
ip address 192.168.2.2 255.255.255.0
isis enable 1
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 10
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 20
#
ospf 1
import-route isis 1 route-policy isis2ospf
area 0.0.0.0
network 192.168.1.0 0.0.0.255
#
route-policy isis2ospf permit node 10
if-match ip-prefix prefix-a
apply cost 100
#
route-policy isis2ospf permit node 20
if-match acl 2002
apply tag 20
#
ip ip-prefix prefix-a index 10 permit 172.17.1.0 24
#
return

l Configuration file of Switch-C
#
sysname SwitchC
#
vlan batch 20 30 40 50
#
isis 1
is-level level-2
network-entity 10.0000.0000.0001.00
#
interface Vlanif20
ip address 192.168.2.1 255.255.255.0
isis enable 1
#
interface Vlanif30
ip address 172.17.1.1 255.255.255.0
isis enable 1
#
interface Vlanif40
ip address 172.17.2.1 255.255.255.0
isis enable 1
#
interface Vlanif50

ip address 172.17.3.1 255.255.255.0
isis enable 1
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 20
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 30
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk allow-pass vlan 40
#
interface GigabitEthernet0/0/4
port link-type trunk
port trunk allow-pass vlan 50
#
return
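The route-policy isis2ospf from this example, and the import-route ... route-policy procedures in 5.7.7 above, can be replayed offline to see how node order, if-match clauses and apply clauses change what OSPF imports. The following Python is an added example, not code from the Huawei guide; the class and function names are my own and the IS-IS routes are constructed from the display ospf routing output in step 4. One modelling choice is an assumption: a route that matches no node is kept with its attributes unchanged, because that is what the step 7 output on the page shows for 192.168.2.0/24 and 172.17.3.0/24; the keep_unmatched flag lets you model a platform that denies such routes instead, so check the documented behaviour of the device you are configuring.

```python
"""Model of route-policy evaluation when routes are imported.

Added example, not code from the Huawei guide. It replays route-policy
isis2ospf from the example above: node 10 matches prefix list prefix-a and
applies cost 100; node 20 matches ACL 2002 and applies tag 20. Nodes are tried
in ascending order and the first node whose if-match clauses all match decides
the route. Routes matching no node are kept unchanged by default (assumption
taken from the page's output); keep_unmatched=False models an implicit deny.
"""
from dataclasses import dataclass, field, replace
from ipaddress import IPv4Address, IPv4Network
from typing import Callable, Dict, List, Optional

Matcher = Callable[["Route"], bool]


@dataclass(frozen=True)
class Route:
    prefix: IPv4Network
    cost: int = 1
    tag: int = 1


@dataclass
class Node:
    """One 'route-policy NAME permit|deny node N' block with its clauses."""
    number: int
    permit: bool
    if_match: List[Matcher] = field(default_factory=list)
    apply: Dict[str, int] = field(default_factory=dict)   # attribute -> new value


def match_ip_prefix(network: IPv4Network) -> Matcher:
    """if-match ip-prefix: exact prefix and length (the only form used on the page)."""
    return lambda r: r.prefix == network


def match_basic_acl(source: IPv4Address, wildcard: IPv4Address) -> Matcher:
    """if-match acl with a basic ACL 'rule permit source A W'.

    Bits set in the wildcard are ignored, so 172.17.2.0 0.0.0.255 matches
    any route whose network address lies in 172.17.2.0/24.
    """
    mask = ~int(wildcard) & 0xFFFFFFFF
    return lambda r: (int(r.prefix.network_address) & mask) == (int(source) & mask)


def run_route_policy(nodes: List[Node], route: Route,
                     keep_unmatched: bool = True) -> Optional[Route]:
    """Return the route with the apply clauses of the first matching node, or None if denied."""
    for node in sorted(nodes, key=lambda n: n.number):
        if all(clause(route) for clause in node.if_match):
            return replace(route, **node.apply) if node.permit else None
    return route if keep_unmatched else None   # no node matched (see module docstring)


# route-policy isis2ospf as configured on Switch-B in step 6.
ISIS2OSPF = [
    Node(10, True, [match_ip_prefix(IPv4Network("172.17.1.0/24"))], {"cost": 100}),
    Node(20, True, [match_basic_acl(IPv4Address("172.17.2.0"), IPv4Address("0.0.0.255"))],
         {"tag": 20}),
]

# Constructed: the four IS-IS routes Switch-B imports, as listed on the page (cost 1, tag 1).
ISIS_ROUTES = [Route(IPv4Network(p)) for p in
               ("192.168.2.0/24", "172.17.1.0/24", "172.17.2.0/24", "172.17.3.0/24")]


def imported_into_ospf(keep_unmatched: bool = True) -> Dict[str, Dict[str, int]]:
    """Attributes of each route after 'import-route isis 1 route-policy isis2ospf'."""
    result: Dict[str, Dict[str, int]] = {}
    for route in ISIS_ROUTES:
        out = run_route_policy(ISIS2OSPF, route, keep_unmatched)
        if out is not None:
            result[str(out.prefix)] = {"cost": out.cost, "tag": out.tag}
    return result


if __name__ == "__main__":
    for prefix, attrs in imported_into_ospf().items():
        print(prefix, attrs)
```

The default run reproduces the step 7 table: cost 100 on 172.17.1.0/24, tag 20 on 172.17.2.0/24, everything else untouched. Running imported_into_ospf(keep_unmatched=False) drops 192.168.2.0/24 and 172.17.3.0/24, which is the difference a missing catch-all permit node makes on a platform with an implicit deny.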

6 Configuration Guide - Multicast

Configuration Guide - Multicast

About This Chapter


This document describes the multicast service supported by the AC6605, including basic
knowledge, protocol implementation, configuration procedures, and configuration examples.
This document guides you through the configuration of the multicast service of the AC6605.
6.1 IP Multicast Configuration Guide
The system supports the construction of multicast services through multicast protocols in IPv4
networks. In addition, the typical configuration solutions of multicast networks are provided.
6.2 IGMP Snooping Configuration
This chapter describes the procedure for configuring IGMP snooping and maintenance
commands, and provides configuration examples.
6.3 Multicast VLAN Replication Configuration
This chapter describes the procedure for configuring multicast VLAN replication and
maintenance commands, and provides configuration examples.
6.4 IGMP Configuration
This chapter describes the procedure for configuring IGMP and commands for maintaining
IGMP, and provides configuration examples.
6.5 PIM-DM (IPv4) Configuration
The PIM protocol is used to implement multicast routing and data forwarding inside an AS. The
PIM-DM protocol is a dense-mode multicast routing protocol. It is applicable to a small-scale
network with densely-distributed members.
6.6 PIM-SM (IPv4) Configuration
The PIM protocol is used to implement multicast routing and data forwarding inside an AS. The
PIM-SM protocol is a sparse-mode multicast routing protocol. It is applicable to a large-scale
network with sparsely-distributed members.
6.7 MSDP Configuration
The MSDP protocol is used to implement multicast routing and data forwarding between PIM-SM domains and anycast RP in a PIM-SM domain.
6.8 IPv4 Multicast Routing Management
The system synchronously maintains multiple multicast routing protocols, and controls multicast
routing and forwarding through the information exchanged between the control plane and the
forwarding plane.

6.1 IP Multicast Configuration Guide


The system supports the construction of multicast services through multicast protocols in IPv4
networks. In addition, the typical configuration solutions of multicast networks are provided.

6.1.1 IP Multicast Overview


Multicast is a Point to Multi-Point (P2MP) data transmission mode: one copy of a stream is
delivered to every receiver that has joined the group, so multicast consumes far less bandwidth
than a separate unicast flow per receiver. Multicast itself provides no confidentiality: any host
that joins a group receives its traffic, so controlling which groups a user may join (see the
Layer 2 multicast policies later in this chapter) is what limits who receives the data.
The multicast technology applied to IPv4 is called IP multicast.
The Internet services implemented through IP multicast include IPTV, Video and Audio
Conferences, e-learning, and remote medicine.

6.1.2 IP Multicast Features Supported by the AC6605


The AC6605 supports multicast services in IPv4 networks. All of the multicast features described
in this chapter are IPv4 features.

6.1.3 IPv4 Multicast Configuration Guide


This section describes multicast addresses, protocols, and typical configuration solutions in IPv4
networks.

IPv4 Multicast Addresses


The IPv4 multicast addresses range from 224.0.0.0 to 239.255.255.255. Table 6-1 shows the
ranges of various IPv4 multicast addresses.
The multicast group address available for multicast data services ranges from 224.0.1.0 to
239.255.255.255. Any host (or other receiving device) that joins a multicast group within this
range becomes a member of the group, and can identify and receive IP packets with the IP
multicast address as the destination address. The members of a group can be distributed at any
position in the network. The hosts can join or leave a multicast group at any time.
Table 6-1 Class D addresses

Class D Address Range: Description

224.0.0.0 to 224.0.0.255
    Reserved group addresses for the local link. These addresses are reserved by the
    Internet Assigned Numbers Authority (IANA) for routing protocols and are called
    permanent multicast group addresses. They identify a group of specific network
    devices and are not used for multicast forwarding.

224.0.1.0 to 231.255.255.255 and 233.0.0.0 to 238.255.255.255
    Any-Source Multicast (ASM) addresses. These addresses are valid in the entire
    network.

232.0.0.0 to 232.255.255.255
    Source-Specific Multicast (SSM) addresses. This is the default SSM group address
    scope, and it is valid in the entire network.

239.0.0.0 to 239.255.255.255
    Administratively scoped multicast addresses. This is the default range of BSR
    administrative domain group addresses and is valid only in the local BSR
    administrative domain. These addresses are private: the same address can be
    configured in different BSR administrative domains.

IPv4 Multicast Protocols


To implement a complete set of IPv4 multicast services, various multicast protocols deployed
in the network need to cooperate with each other, as shown in Figure 6-1.
Figure 6-1 Location of each IPv4 multicast protocol

(Figure: two IPv4 networks, AS1 and AS2, and a multicast source. PIM runs between the
multicast switches inside each AS, MSDP runs between AS1 and AS2, and IGMP runs between the
last-hop switches and the users in each AS.)

Table 6-2 Multicast protocols

Applied Location: Between hosts and multicast switches
Objectives: Connecting hosts to a multicast network:
l Ensure that members can dynamically join and leave a group at the host side.
l Manage and maintain membership at the switch side and exchange information with the
  upper-layer multicast routing protocols.
Multicast Protocol: Internet Group Management Protocol (IGMP)

Applied Location: Between intra-domain multicast switches
Objectives: Multicast routing and forwarding:
l Create multicast routes on demand.
l Respond to changes in the network topology and maintain the multicast routing table.
l Forward packets according to the routing table.
Multicast Protocol: Protocol Independent Multicast (PIM), including Protocol Independent
Multicast-Dense Mode (PIM-DM) and Protocol Independent Multicast-Sparse Mode (PIM-SM)

Applied Location: Between inter-domain multicast switches
Objectives: Sharing information about inter-domain multicast sources:
l Switches in the domain where the source resides transmit the local source information
  to switches in other domains.
l Switches in different domains transmit the source information.
Multicast Protocol: Multicast Source Discovery Protocol (MSDP)

Typical Configuration Solution

CAUTION
Customize configuration solutions according to the actual network conditions and service
requirements. The configuration solution in this section functions only as a reference.
The network environments are classified into two types, which need different configuration
solutions. For details, refer to the AC6605 Access Controller Configuration Guide Multicast.
NOTE

Ensure that unicast routes work normally in the network before configuring IP multicast.

Small-Scale Network
A small-scale network, such as a test network, implements multicast data transmission within a
Local Area Network (LAN) and does not interconnect with the Internet.
Perform the following configurations:
1. Enable multicast on all AC6605s in the network.
2. Enable PIM-DM on all interfaces of the AC6605s.
3. Enable IGMP on the AC6605 interfaces connected to hosts.
4. If multicast needs to be deployed in a VPN, perform the preceding configurations in the
   private network and public network respectively, and configure the Multicast Domain (MD)
   on PEs.

Large-Scale Network
A large-scale network transmits multicast services on an ISP network and interconnects with
the Internet.
Perform the following configurations:
1. Enable multicast on all AC6605s in the network.
2. Enable PIM-SM on all interfaces of the AC6605s.
3. Enable IGMP on the AC6605 interfaces connected to hosts.
4. Configure an RP: specify a static RP, or elect an RP from C-RPs.
5. Divide the network into PIM-SM domains.
6. Configure MSDP in each PIM-SM domain to implement anycast RP.
7. Configure MSDP between PIM-SM domains. Generally, MSDP cooperates with MBGP.

Controlling Multicast Forwarding


IP multicast guides the forwarding of multicast packets by using the multicast routing table and
forwarding table. You can adjust the transmission path of multicast data by configuring the
Reverse Path Forwarding (RPF) routing policy, and limit multicast forwarding by configuring
the forwarding policy and the capacity of the forwarding table.

6.2 IGMP Snooping Configuration


This chapter describes the procedure for configuring IGMP snooping and maintenance
commands, and provides configuration examples.

6.2.1 IGMP Snooping Overview


This section describes the functions and advantages of the IGMP snooping protocol.

IGMP Snooping Function


Internet Group Management Protocol Snooping (IGMP snooping) is a Layer 2 multicast
protocol. The IGMP snooping protocol maintains information about the outgoing interfaces of
multicast packets by listening to multicast protocol packets exchanged between the router and
hosts. Thus the IGMP snooping protocol manages and controls the forwarding of multicast
packets.
After receiving multicast packets from an upstream device, an Ethernet device at the edge of the
access network forwards the multicast packets to multicast receivers. As shown in Figure 6-2,
multicast data is broadcast at the data link layer by default, which wastes network bandwidth
and causes multicast data to be sent to unpaid subscribers.
If IGMP snooping is configured on the Layer 2 device, multicast data of a known group is
forwarded to specified receivers (paid subscribers) but not broadcast at the data link layer.
Figure 6-2 Comparison before and after IGMP snooping is configured on a Layer 2 device

(Figure: two panels, "Multicast packet transmission without IGMP Snooping" and "Multicast
packet transmission when IGMP Snooping runs". In each panel a Source sends to a Router running
PIM, which forwards to a Switch connected to Receiver A and Receiver B. Without IGMP snooping
the switch floods the multicast packets to both receivers; with IGMP snooping it forwards them
only to the receiver that joined the group.)

IGMP Snooping Advantages


The IGMP snooping protocol forwards multicast information only to the specified receivers
through Layer 2 multicast. It has the following advantages:
l Reducing broadcast packets on Layer 2 networks, and thus saving network bandwidth
l Enhancing the security of multicast information, because data of a known group is
  delivered only to the interfaces that have joined that group
l Performing accounting for each host independently

6.2.2 IGMP Snooping Supported by the AC6605


This section describes IGMP snooping features supported by the AC6605.
Basic Features of IGMP Snooping


The AC6605 supports VLAN-based IGMP snooping.
IGMP snooping implements Layer 2 multicast and controls multicast data forwarding by
listening to multicast protocol packets sent between an upstream router and a downstream host
and maintaining downstream interface information.
The AC6605 supports the following IGMP snooping functions:
l Configures a router interface as a static router interface.
l Adds interfaces to a multicast group statically.
l Supports the IGMP snooping querier function.
l Suppresses IGMP snooping messages.
l Disables the AC6605 from forwarding the Report and Leave messages received in a VLAN
  to the upstream router with static groups configured.
l Adjusts IGMP snooping parameters to optimize the Layer 2 multicast network.

Static Multicast MAC Address


In Layer 2 multicast, you can dynamically create multicast MAC address entries using Layer 2
multicast protocols such as IGMP snooping or manually configure multicast MAC address
entries. After a multicast MAC address is configured on an interface, the MAC address is bound
to the interface and multicast packets destined for this MAC address are forwarded only by this
interface.

IGMP Snooping Proxy


Configuring IGMP snooping proxy on an edge device can reduce the number of IGMP Report
and Leave messages received by an upstream Layer 3 device and improve performance of the
upstream Layer 3 device. The device configured with IGMP snooping proxy functions as a host
for its upstream device and a querier for its downstream host.

Layer 2 Multicast Policy


The AC6605 uses Layer 2 multicast policies according to networking requirements:
l Configures a multicast group policy to control the multicast groups that users can join.
l Enables interfaces to quickly leave multicast groups.
l Sets the maximum number of multicast groups that an interface can dynamically join,
  limiting the multicast forwarding entries dynamically learned on the interface.
l Configures multicast entry overwriting.
l Filters Layer 2 multicast data on an interface.
l Discards unknown multicast data packets, preventing them from being broadcast in
  VLANs.

IGMP Snooping SSM Mapping


In the SSM model, if IGMPv3 is run on a receiver host, you can specify the multicast source for
IGMPv3 multicast data packets; if only IGMPv1 or IGMPv2 can be run on the receiver host,
you cannot specify the multicast source for IGMPv1 or IGMPv2 multicast data packets. IGMP
snooping SSM mapping is a solution. It generates a mapping between a multicast group and a
multicast source. (*, G) information in IGMPv1 or IGMPv2 multicast data packets is then
mapped to (S, G) information, providing SSM services for the hosts running IGMPv1 or
IGMPv2.

IGMP Snooping CPCAR Precautions


When there are a large number of multicast groups, IGMP packets are transmitted at a rate higher
than the default CIR rate. This may result in the loss of IGMP protocol packets and failure to
receive multicast programs. To avoid the problems, set an appropriate CIR value to prevent CPU
overload. For details, see 8.7.2 Local Attack Defense Features Supported by the AC6605 in
Configuration Guide - Security.

6.2.3 Configuring IGMP Snooping


This section describes how to configure IGMP snooping.

Establishing the Configuration Task


Applicable Environment
Internet Group Management Protocol Snooping (IGMP snooping) is a Layer 2 multicast
protocol. The IGMP snooping protocol maintains information about the outgoing interfaces of
multicast packets by listening to multicast protocol packets exchanged between the router and
hosts. Thus the IGMP snooping protocol manages and controls the forwarding of multicast
packets.
If IGMP snooping is configured on the Layer 2 device, multicast data of a known group is
forwarded to specified receivers (paid subscribers) but not broadcast at the data link layer.

Pre-configuration Tasks
Before configuring IGMP snooping in a VLAN, complete the following tasks:
l Connecting interfaces and configuring the physical parameters of each interface so that
  the physical layer is in the Up state
l Creating a VLAN
l Adding interfaces to the VLAN

Data Preparation
To configure IGMP snooping in a VLAN, you need the following data.

No.  Data
1    ID of the VLAN
2    (Optional) Version of IGMP messages
3    (Optional) Types and numbers of interfaces
4    (Optional) Parameters of a querier: interval for sending IGMP General Query messages,
     robustness variable, maximum response time, and interval for sending Last Member
     Query messages
5    (Optional) Suppression duration of IGMP messages
6    (Optional) Aging time of the router interface
7    (Optional) Source IP address of IGMP Query messages

Enabling IGMP Snooping


Context
By default, IGMP snooping is disabled on the AC6605. You need to enable IGMP snooping on
the AC6605.
You can set the forwarding mode of multicast data so that multicast flows are forwarded based
on IP addresses or MAC addresses. When a multicast IP address is mapped to a MAC address, only
the low-order 23 bits of the group address are carried in the MAC address, so up to 32
different group addresses map to the same MAC address. It is therefore recommended that
multicast data be forwarded based on IP addresses; with MAC-based forwarding, users who have
not joined a group may receive its data because the group they did join shares a MAC address
with it.
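As an added example (not code from the AC6605 guide or from the device), the following Python
computes the IP-to-MAC mapping described above and enumerates the 32 group addresses that share
one MAC address. It also shows the leak the caveat warns about: under MAC-based forwarding, an
interface that joined one group receives any other group whose low 23 bits are the same. The
group addresses used are arbitrary sample values.

```python
"""IPv4 multicast group address to Ethernet MAC mapping and its collisions.

Added example; not part of the AC6605 guide.  Sample group addresses are
arbitrary.
"""
import ipaddress

MAC_PREFIX = 0x01005E  # IANA OUI 01-00-5E used for IPv4 multicast (RFC 1112)


def group_to_mac(group: str) -> str:
    """Return the multicast MAC address for an IPv4 group address.

    Only the low-order 23 bits of the group address are copied into the MAC
    address; the 5 bits that follow the fixed 1110 prefix are dropped.
    """
    addr = ipaddress.IPv4Address(group)
    if not addr.is_multicast:
        raise ValueError(f"{group} is not a multicast address")
    low23 = int(addr) & 0x7FFFFF
    mac = (MAC_PREFIX << 24) | low23
    return ":".join(f"{(mac >> shift) & 0xFF:02x}" for shift in range(40, -1, -8))


def groups_sharing_mac(group: str) -> list:
    """Return all 32 IPv4 group addresses that map to the same MAC as `group`."""
    low23 = int(ipaddress.IPv4Address(group)) & 0x7FFFFF
    result = []
    for dropped_bits in range(32):  # the 5 bits (27..23) that the MAC does not encode
        value = 0xE0000000 | (dropped_bits << 23) | low23
        result.append(str(ipaddress.IPv4Address(value)))
    return result


def delivered_under_mac_forwarding(joined_group: str, traffic_group: str) -> bool:
    """True if an interface that joined `joined_group` also receives `traffic_group`
    when the VLAN forwards on MAC addresses (l2-multicast forwarding-mode mac)."""
    return group_to_mac(joined_group) == group_to_mac(traffic_group)


if __name__ == "__main__":
    print(group_to_mac("224.1.1.1"), group_to_mac("225.1.1.1"))
    print(groups_sharing_mac("224.1.1.1"))
```

Under IP-based forwarding (the default, `l2-multicast forwarding-mode ip`) the switch keys its
entries on the full group address, so `delivered_under_mac_forwarding` describes only the MAC
mode.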

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
igmp-snooping enable

IGMP snooping is enabled globally.


Step 3 Run:
vlan vlan-id

The VLAN view is displayed.


Step 4 (Optional) Run:
l2-multicast forwarding-mode { ip | mac }

The multicast flows in the VLAN are forwarded based on IP addresses or MAC addresses.
By default, multicast flows are forwarded based on IP addresses.
CAUTION
Before setting the forwarding mode of multicast data in a VLAN, disable IGMP snooping in the
VLAN. After setting the forwarding mode, enable IGMP snooping in the VLAN for the
configuration to take effect.
Step 5 Run:
igmp-snooping enable

IGMP snooping is enabled in the VLAN.


NOTE

To enable IGMP snooping in multiple VLANs at once, run the igmp-snooping enable [ vlan { vlan-id1 [ to vlan-id2 ] } &<1-10> ] command in the system view.
If IGMP snooping is enabled in a VLAN, N:1 VLAN mapping or VLAN stacking cannot be configured.

Step 6 (Optional) Run:


igmp-snooping version { 1 | 2 | 3 }

The version of IGMP messages that the AC6605 can process is set.
By default, the AC6605 can process messages of IGMPv1 and IGMPv2 but cannot process
messages of IGMPv3.
NOTE

When the forwarding in a VLAN is based on the MAC address, the IGMP message version cannot be set
to IGMPv3.

----End

(Optional) Configuring a Static Router Interface


Context
By default, dynamic interface learning is enabled in a VLAN. A switch decides whether to add
dynamic router interfaces by monitoring IGMP Query or PIM Hello messages. When a dynamic
router interface does not receive an IGMP Query or a PIM Hello message before it times out,
the switch deletes the interface from the router interface list.
If a switch needs to forward multicast data from an interface for a long period of time, configure
this interface as a static router interface.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
vlan vlan-id

The VLAN view is displayed.


Step 3 (Optional) Run:
undo igmp-snooping router-learning

Dynamic learning of router interfaces is disabled in the VLAN.


Step 4 Run:
quit

The system view is displayed.


Step 5 Run:
interface interface-type interface-number

The interface view is displayed.


The interface can be a GE interface, or an Eth-Trunk interface. It is the interface that connects
the AC6605 to the upstream router.
Step 6 Run:
igmp-snooping static-router-port vlan { { vlan-id [ to vlan-id ] } &<1-10> }

The interface is configured as a static router interface.


----End

(Optional) Configuring Multicast Group Member Interfaces


Context
By default, an interface dynamically learns forwarding entries. A switch decides whether to add
dynamic member interfaces by monitoring IGMP Membership Report messages. If a dynamic
member interface does not receive an IGMP Membership Report message from a multicast group
before the interface times out, the switch deletes the interface from the outbound interface list.
If the hosts connected to an interface need to receive the multicast data of a specific multicast
group or multicast source group, add the interface statically to the multicast group or multicast
source group. The interface is called a static member interface.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
interface interface-type interface-number

The interface view is displayed.


The interface can be a GE interface, or an Eth-Trunk interface.
Step 3 (Optional) Run:
undo igmp-snooping learning vlan { { vlan-id [ to vlan-id ] } &<1-10> | all }

The interface is disabled from learning forwarding entries.


Step 4 Run:
l2-multicast static-group { [ source-address source-ip-address ] group-address group-ip-address } vlan { { vlan-id1 [ to vlan-id2 ] } &<1-10> }

The interface is added to a multicast group statically. It is then a static member interface. You
can also run the l2-multicast static-group [ source-address source-ip-address ] group-address
group-ip-address1 to group-ip-address2 vlan vlan-id command to add the interface to multiple
multicast groups.
NOTE

After an interface is added to a multicast group statically, existing entries cannot be replaced.

----End

(Optional) Configuring IGMP Snooping Querier


Context
If IGMP messages sent from the upstream router cannot reach the AC6605 for certain reasons,
for example, IGMP is not enabled or if the multicast forwarding entries on the upstream router
are statically configured and do not need to be dynamically learned, you can configure the IGMP
snooping querier on the AC6605. The IGMP snooping querier then sends IGMP Query
messages. You can adjust parameters of the IGMP snooping querier as required.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
vlan vlan-id

The VLAN view is displayed.


Step 3 Run:
igmp-snooping querier enable

The IGMP snooping querier is enabled for the VLAN.


By default, an IGMP snooping querier is disabled.
NOTE

After IGMP snooping querier is enabled in a VLAN, the switch periodically broadcasts IGMP Query
messages to all the interfaces in the VLAN, including router interfaces. This may result in IGMP snooping
querier reelection. If an IGMP snooping querier already exists on a multicast network, configuring IGMP
snooping querier is not recommended.
IGMP snooping querier cannot be enabled in a VLAN if the corresponding VLANIF interface has IGMP
enabled.
IGMP snooping querier and IGMP snooping proxy cannot be enabled in the same VLAN.

Step 4 (Optional) Run:


igmp-snooping query-interval query-interval

The interval at which the querier sends IGMP General Query messages is set.
By default, the interval for sending IGMP General Query messages is 60 seconds.
Step 5 (Optional) Run:
igmp-snooping robust-count robust-count

The robustness variable of the querier is set.


By default, the IGMP robustness variable is 2.
Step 6 (Optional) Run:
igmp-snooping max-response-time max-response-time

The maximum response time of IGMP Query messages is set.


By default, the maximum response time of IGMP Query messages is 10 seconds.
NOTE

The maximum response time must be shorter than the interval at which General Query messages are sent.
When receiving IGMP Report messages from hosts, the AC6605 sets the aging time of member interfaces
using the following formula: Aging time = IGMP robustness variable x Interval at which IGMP General
Query messages are sent + Maximum response time.

Step 7 (Optional) Run:


igmp-snooping lastmember-queryinterval lastmember-queryinterval

The interval at which the querier sends Last Member Query (IGMP Group-Specific Query)
messages is set.
By default, the interval at which IGMP Group-Specific Query messages are sent is 1 second.
NOTE

After receiving IGMP Leave messages from hosts, the AC6605 sets the aging time of member interfaces
by using the following formula: Interval at which IGMP Group-Specific Query messages are sent x IGMP
robustness variable.
IGMPv1 hosts do not send Leave messages when leaving multicast groups. Therefore, the igmp-snooping
lastmember-queryinterval command is valid only when the IGMP snooping version is set to 2 in the
VLAN.

Step 8 (Optional) Run:


quit

Return to the system view.


Step 9 (Optional) Run:
igmp-snooping send-query source-address ip-address

The source IP address of an IGMP General Query message is set.


By default, the source address of an IGMP General Query message is 192.168.0.1. When
192.168.0.1 has been used by other devices on the network, run this command to change the
source IP address of an IGMP General Query message.
----End
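The two aging formulas given in the notes above (Report: robustness variable x General Query
interval + maximum response time; Leave: Group-Specific Query interval x robustness variable)
decide how long a member interface keeps receiving a group after the host stops answering. The
following Python is an added example, not code from the AC6605 guide or the device: it models
one VLAN's dynamic member-interface table with the default timer values stated in this
procedure and walks through a constructed timeline (port names and times are arbitrary).

```python
"""Simulate how IGMP snooping ages dynamic member interfaces.

Added example, not part of the AC6605 guide.  It applies the two aging
formulas stated in this section:
  after a Report:  aging = robustness variable x General Query interval + max response time
  after a Leave:   aging = Group-Specific Query interval x robustness variable
Port names and the event timeline are constructed for illustration.
"""
from dataclasses import dataclass, field


@dataclass
class SnoopingTimers:
    query_interval: int = 60             # igmp-snooping query-interval (default in this guide)
    robust_count: int = 2                # igmp-snooping robust-count
    max_response_time: int = 10          # igmp-snooping max-response-time
    last_member_query_interval: int = 1  # igmp-snooping lastmember-queryinterval

    def __post_init__(self) -> None:
        # The guide requires max-response-time to be shorter than query-interval.
        if self.max_response_time >= self.query_interval:
            raise ValueError("max-response-time must be shorter than query-interval")

    def report_aging(self) -> int:
        return self.robust_count * self.query_interval + self.max_response_time

    def leave_aging(self) -> int:
        return self.last_member_query_interval * self.robust_count


@dataclass
class SnoopingVlan:
    """Dynamic member-interface table of one VLAN, keyed by (group, port)."""
    timers: SnoopingTimers
    now: int = 0
    expiry: dict = field(default_factory=dict)

    def report(self, group: str, port: str) -> None:
        # A Report (re)arms the member interface with the long aging time.
        self.expiry[(group, port)] = self.now + self.timers.report_aging()

    def leave(self, group: str, port: str) -> None:
        # A Leave shortens the remaining aging time; a Report received within
        # this window (a reply to the Group-Specific Query) re-arms it again.
        key = (group, port)
        if key in self.expiry:
            self.expiry[key] = min(self.expiry[key], self.now + self.timers.leave_aging())

    def advance(self, seconds: int) -> list:
        """Move the clock forward, drop timed-out entries, and return what expired."""
        self.now += seconds
        expired = sorted(k for k, t in self.expiry.items() if t <= self.now)
        for key in expired:
            del self.expiry[key]
        return expired

    def ports_for(self, group: str) -> list:
        return sorted(p for (g, p) in self.expiry if g == group)


def run_scenario() -> list:
    """Two hosts join 225.0.0.1, one leaves, and nobody answers the next General Query."""
    vlan = SnoopingVlan(SnoopingTimers())
    timeline = []
    vlan.report("225.0.0.1", "GE0/0/1")            # t=0:  expires at 0 + 2*60 + 10 = 130
    vlan.advance(5)
    vlan.report("225.0.0.1", "GE0/0/2")            # t=5:  expires at 135
    timeline.append((vlan.now, vlan.ports_for("225.0.0.1")))
    vlan.advance(15)
    vlan.leave("225.0.0.1", "GE0/0/2")             # t=20: expiry cut to 20 + 1*2 = 22
    vlan.advance(2)                                # t=22: GE0/0/2 removed
    timeline.append((vlan.now, vlan.ports_for("225.0.0.1")))
    vlan.advance(108)                              # t=130: GE0/0/1 times out too
    timeline.append((vlan.now, vlan.ports_for("225.0.0.1")))
    return timeline


if __name__ == "__main__":
    for when, ports in run_scenario():
        print(f"t={when:>3}s  225.0.0.1 -> {ports}")
```

The scenario shows why the guide says the maximum response time must be shorter than the query
interval and why a Leave is honoured only as a shortened timer rather than an immediate removal:
another host behind the same interface can still answer the Group-Specific Query and keep the
entry alive.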

(Optional) Configuring IGMP Message Suppression


Context
Hosts running IGMPv1 or IGMPv2 in a VLAN use a report suppression mechanism: a host that hears
another member's Report for the same multicast group cancels its own Report. However, many
duplicate Report messages may still be sent when the suppression time expires. In addition, hosts
running IGMPv2 and IGMPv3 send duplicate Leave messages when they leave a multicast group.
After IGMP message suppression is enabled on a Layer 2 device, the device sends a Membership
Report or Leave message upstream only in the following conditions:
l A multicast group receives a Query message from the upstream querier.
l The first member joins a multicast group.
l The last member of a multicast group leaves the multicast group.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
vlan vlan-id

The VLAN view is displayed.


Step 3 Run:
igmp-snooping report-suppress

IGMP message suppression is enabled.


NOTE

When configuring IGMP message suppression, pay attention to the following points:
l When IGMP message suppression is configured in a VLAN, IGMP cannot be enabled on the
corresponding VLANIF interface.
l The functions of IGMP snooping proxy and IGMP message suppression cannot be configured in the
same VLAN.
l The switch can suppress duplicate Membership Report messages even when IGMP message
suppression is disabled. The default message suppression time is 10 seconds. To change the suppression
time, run the igmp-snooping suppress-time suppress-time command. To disable IGMP message
suppression, set the suppression time to 0.

----End

(Optional) Adjusting IGMP Snooping Parameters


Context
You can adjust the following IGMP snooping parameters to optimize the AC6605 multicast
performance according to the actual network situation.
l Aging time of a router interface
  When short-term congestion occurs on the network, it takes longer to transmit Query
  messages from the IGMP querier to the AC6605. If a router interface on the AC6605 ages
  within this period, the AC6605 does not send Report or Leave messages to the router
  interface. As a result, multicast data forwarding may be interrupted. To solve this
  problem, set a longer aging time for the router interface on an unstable network.
l Router-Alert option
  By default, the AC6605 does not check whether IGMP messages contain the Router-Alert
  option and sends all IGMP messages to the upper-layer routing protocol. Discarding IGMP
  messages without the Router-Alert option improves device performance, reduces cost,
  and enhances the security of the upper-layer routing protocol.
l Response to Layer 2 topology change events
  This function enables the AC6605 to detect Layer 2 topology changes and correctly
  forward multicast data according to the new topology.
l Source IP address of IGMP Query messages sent by the AC6605

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
vlan vlan-id

The VLAN view is displayed.


Step 3 Run:
igmp-snooping router-aging-time router-aging-time

The aging time is set for router interfaces.


By default:
l If a router interface receives an IGMP Query message, the AC6605 sets the remaining aging
time of the interface to 180 seconds.
l If the router interface receives a PIM Hello packet and the Holdtime value of the Hello packet
is larger than the remaining aging time of the interface, the AC6605 sets the aging time of
the interface to the Holdtime value contained in the PIM Hello packet. If the Holdtime value
of the Hello packet is smaller than the remaining aging time of the interface, the AC6605
does not reset the aging time of the interface.
Step 4 Run:
igmp-snooping require-router-alert

The AC6605 is configured to process only the IGMP messages with the Router-Alert option in
the IP header.
By default, the AC6605 can process the IGMP messages without the Router-Alert option in the
IP header received from a VLAN.
Step 5 Run:
igmp-snooping send-router-alert

The AC6605 is configured to send the IGMP messages with the Router-Alert option in the IP
header.
By default, the AC6605 sends the IGMP messages with the Router-Alert option in the IP header.
Step 6 Run:
quit

Exit the VLAN view.


Step 7 Run:
igmp-snooping send-query enable

The AC6605 is configured to send IGMP General Query messages when receiving topology
change events.
----End
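What igmp-snooping require-router-alert actually changes is easiest to see on the wire. The
following Python is an added example, not code from the AC6605 guide or the device: it builds
IGMPv2 messages inside IPv4 packets (constructed here, not captured), validates the IP header
and IGMP checksums, walks the IP options looking for the Router-Alert option (RFC 2113, type
148), and then applies the accept/drop decision with and without the option being required. The
host address and groups are arbitrary sample values.

```python
"""Parse an IGMP message carried in IPv4 and apply the Router-Alert check.

Added example, not part of the AC6605 guide and not the device's own code.
With igmp-snooping require-router-alert, an otherwise valid IGMP message that
lacks the Router-Alert IP option is dropped instead of being handed to the
snooping logic.  The packets are constructed here, not captured.
"""
import ipaddress
import struct

ROUTER_ALERT_OPTION = b"\x94\x04\x00\x00"  # RFC 2113: type 148, length 4, value 0
IGMP_TYPES = {
    0x11: "Membership Query",
    0x12: "IGMPv1 Membership Report",
    0x16: "IGMPv2 Membership Report",
    0x17: "Leave Group",
    0x22: "IGMPv3 Membership Report",
}


def internet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum; returns 0 for data that already carries a valid checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_igmpv2(msg_type: int, group: str, src: str = "10.0.0.5", router_alert: bool = True) -> bytes:
    """Construct an IPv4 packet carrying one IGMPv2 message (TTL 1, as a host sends it)."""
    options = ROUTER_ALERT_OPTION if router_alert else b""
    ihl = 5 + len(options) // 4
    igmp = struct.pack("!BBH4s", msg_type, 0, 0, ipaddress.IPv4Address(group).packed)
    igmp = igmp[:2] + struct.pack("!H", internet_checksum(igmp)) + igmp[4:]
    dst = "224.0.0.2" if msg_type == 0x17 else group  # Leave goes to all-routers
    header = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0xC0, ihl * 4 + len(igmp), 0, 0x4000,
                         1, 2, 0, ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    header += options
    header = header[:10] + struct.pack("!H", internet_checksum(header)) + header[12:]
    return header + igmp


def parse_igmp(packet: bytes) -> dict:
    """Validate the IPv4 header and IGMP checksum; report whether Router-Alert was present."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or len(packet) < ihl:
        raise ValueError("bad header length")
    if internet_checksum(packet[:ihl]) != 0:
        raise ValueError("bad IP checksum")
    if packet[9] != 2:
        raise ValueError("IP protocol is not IGMP")
    # Walk the IP options (type[, length, data]); only Router-Alert (148) matters here.
    options, i, router_alert = packet[20:ihl], 0, False
    while i < len(options):
        opt_type = options[i]
        if opt_type == 0:        # End of Option List
            break
        if opt_type == 1:        # No Operation
            i += 1
            continue
        if i + 1 >= len(options) or options[i + 1] < 2 or i + options[i + 1] > len(options):
            raise ValueError("malformed IP option")
        length = options[i + 1]
        if opt_type == 148 and length == 4 and options[i + 2:i + 4] == b"\x00\x00":
            router_alert = True
        i += length
    igmp = packet[ihl:]
    if len(igmp) < 8:
        raise ValueError("truncated IGMP message")
    if internet_checksum(igmp) != 0:
        raise ValueError("bad IGMP checksum")
    msg_type, max_resp, _, group = struct.unpack("!BBH4s", igmp[:8])
    return {
        "type": IGMP_TYPES.get(msg_type, f"unknown 0x{msg_type:02x}"),
        "group": str(ipaddress.IPv4Address(group)),
        "max_response": max_resp,
        "router_alert": router_alert,
        "ttl": packet[8],
    }


def snooping_accepts(packet: bytes, require_router_alert: bool) -> bool:
    """Mirror the require-router-alert decision; malformed packets are always dropped."""
    try:
        info = parse_igmp(packet)
    except ValueError:
        return False
    return info["router_alert"] or not require_router_alert


if __name__ == "__main__":
    for ra in (True, False):
        pkt = build_igmpv2(0x16, "225.0.0.1", router_alert=ra)
        print(parse_igmp(pkt), "accepted when required:", snooping_accepts(pkt, True))
```

The checksum and option-length checks come first on purpose: a device that requires the
Router-Alert option still has to parse the options field safely, and a message with a bad
checksum should never reach the membership logic whichever setting is in force.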

Checking the Configuration


Prerequisites
The configuration of IGMP snooping in a VLAN is complete.

Procedure
l Run the display igmp-snooping configuration command to check the non-default
  configurations of IGMP snooping.
l Run the display igmp-snooping [ vlan vlan-id ] command to check the configuration of
  IGMP snooping in a VLAN.
l Run the display igmp-snooping statistics vlan [ vlan-id ] command to check the statistics
  of IGMP snooping in a VLAN.
l Run the display igmp-snooping port-info [ vlan vlan-id [ group-address group-address ] ]
  [ verbose ] command to check the information about member interfaces of a multicast group.
l Run the display igmp-snooping router-port vlan vlan-id command to check the information
  about router interfaces.
l Run the display l2-multicast forwarding-table vlan [ [ source-address source-address ]
  group-address { group-address | router-group } ] command to check the multicast
  forwarding table of a VLAN.
l Run the display igmp-snooping querier vlan [ vlan-id ] command to check the enabling
  information about the IGMP snooping querier.

----End

Example
Run the display igmp-snooping configuration command, and you can view the information
about the non-default IGMP snooping configurations of all VLANs.
<Quidway> display igmp-snooping configuration
IGMP Snooping Configuration for VLAN 7
igmp-snooping enable
igmp-snooping version 3
igmp-snooping querier enable

If the configurations succeed, you can obtain the following information after running the display
igmp-snooping [ vlan vlan-id ] command:
l IGMP snooping is enabled in the VLAN.
l The IGMP version is set correctly.
l Aging time of the router interface, interval for sending Last Member Query messages,
  interval for sending IGMP General Query messages, maximum response time, suppression
  duration of IGMP messages, and IGMP robustness variable are correctly set.
l The Router-Alert option is set correctly.
l The function that sends IGMP Query messages to member interfaces in a VLAN and the
  packet suppression function are configured correctly.
l Router interface learning is configured correctly.

The following is an example. Note that the query interval shown in this sample output (125
seconds) differs from the 60-second default stated in the querier procedure earlier in this
section; check the effective value on your own device with this command before computing
member interface aging times.


<Quidway> display igmp-snooping vlan 3
IGMP Snooping Information for VLAN 3
IGMP Snooping is Enabled
IGMP Version is Set to default 2
IGMP Query Interval is Set to default 125
IGMP Max Response Interval is Set to default 10
IGMP Robustness is Set to default 2
IGMP Last Member Query Interval is Set to default 1
IGMP Router Port Aging Interval is Set to 180s or holdtime in hello
IGMP Filter Group-Policy is Set to default : Permit All
IGMP Prompt Leave Disable
IGMP Router Alert is Not Required
IGMP Send Router Alert Enable
IGMP Proxy Disable
IGMP Report Suppress Disable
IGMP Suppress Time is set to default 10 seconds
IGMP Querier Disable
IGMP Router Port Learning Enable
IGMP Limit Action Disable
IGMP SSM-Mapping Disable
IGMP Suppress-dynamic-join Disable

Run the display igmp-snooping router-port vlan vlan-id command, and you can view the
information about router interfaces.
<Quidway> display igmp-snooping router-port vlan 3
Port Name                UpTime       Expires      Flags
--------------------------------------------------------------
VLAN 3, 2 router-port(s)
GE0/0/1                  1d:22h       00:01:20     DYNAMIC
GE0/0/2                  2d:10h       --           STATIC

Run the display igmp-snooping port-info [ vlan vlan-id ] [ group-address group-address ]
[ verbose ] command, and you can view the information about member interfaces.
<Quidway> display igmp-snooping port-info
-----------------------------------------------------------------------
(Source, Group)        Port                                     Flag
Flag: S:Static         D:Dynamic        M: Ssm-mapping
-----------------------------------------------------------------------
VLAN 101, 1 Entry(s)
  (*, 225.0.0.1)       GE0/0/1                                  -D-
                       1 port(s)
VLAN 102, 1 Entry(s)
  (*, 225.0.0.1)       GE0/0/24                                 -D-
                       1 port(s)
-----------------------------------------------------------------------

Run the display l2-multicast forwarding-table vlan 7 command, and you can view the
multicast forwarding table of VLAN 7.
<Quidway> display l2-multicast forwarding-table vlan 7
VLAN ID : 7, Forwarding Mode : IP
-----------------------------------------------------------------------
(Source, Group)          Interface                     Out-Vlan
-----------------------------------------------------------------------
Router-port              GigabitEthernet0/0/1          7
(1.1.1.1, 232.1.1.1)     GigabitEthernet0/0/1          7
                         GigabitEthernet0/0/1
-----------------------------------------------------------------------
Total Group(s) : 1

Run the display igmp-snooping querier vlan [ vlan-id ] command. If the querier is displayed
as Enabled, it indicates that the querier is successfully enabled.
<Quidway> display igmp-snooping querier vlan
VLAN         Querier-state
-----------------------------------------------
3            Enable
total entry 1
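A DYNAMIC router port in the router-port table above was learned from received query messages rather than configured, so an unplanned one is worth checking. The following added Python example (not Huawei code; the sample output, its column widths and the allow-list are constructed) parses the display igmp-snooping router-port output and reports router ports that are not in an expected inventory.

```python
"""Audit 'display igmp-snooping router-port' output against an expected
router-port inventory.  Added example, not Huawei code: the parser and the
sample output below are constructed from the format shown in the guide."""
import re
from dataclasses import dataclass

# Constructed sample in the layout of the 'display igmp-snooping router-port'
# output shown above (column widths are assumed).
SAMPLE_ROUTER_PORTS = """\
Port Name                UpTime       Expires      Flags
--------------------------------------------------------------
VLAN 3, 2 router-port(s)
GE0/0/1                  1d:22h       00:01:20     DYNAMIC
GE0/0/2                  2d:10h       --           STATIC
"""


@dataclass(frozen=True)
class RouterPort:
    vlan: int
    port: str
    uptime: str
    expires: str
    flag: str  # "STATIC" or "DYNAMIC"


VLAN_RE = re.compile(r"^VLAN (\d+), (\d+) router-port\(s\)")
ROW_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(STATIC|DYNAMIC)\s*$")


def parse_router_ports(text):
    """Return RouterPort records.  A 'VLAN n, m router-port(s)' line sets the
    VLAN that applies to the rows following it."""
    vlan, ports = None, []
    for line in text.splitlines():
        m = VLAN_RE.match(line)
        if m:
            vlan = int(m.group(1))
            continue
        m = ROW_RE.match(line)
        if m and vlan is not None:
            ports.append(RouterPort(vlan, *m.groups()))
    return ports


def unexpected_router_ports(ports, expected):
    """expected maps a VLAN ID to the set of port names allowed to act as
    router ports there.  Every group's traffic in the VLAN is forwarded to
    each router port, so any port outside the allow-list is reported."""
    return [p for p in ports if p.port not in expected.get(p.vlan, set())]


def dynamic_router_ports(ports):
    """Router ports that were learned, not configured with
    igmp-snooping static-router-port."""
    return [p for p in ports if p.flag == "DYNAMIC"]


if __name__ == "__main__":
    parsed = parse_router_ports(SAMPLE_ROUTER_PORTS)
    for p in unexpected_router_ports(parsed, {3: {"GE0/0/2"}}):
        print(f"VLAN {p.vlan}: unexpected {p.flag} router port {p.port}")
```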

6.2.4 Configuring a Layer 2 Multicast Policy


This section describes how to configure a Layer 2 multicast policy.

Establishing the Configuration Task


Applicable Environment
A Layer 2 multicast policy controls the multicast programs that users can order on a switch with
IGMP snooping enabled. This policy improves multicast network controllability and security.
The AC6605 supports the following Layer 2 multicast policies:
l Configures a multicast group policy, prohibiting multicast member interfaces from joining
the specified multicast group.
l Enables interfaces to quickly leave multicast groups.
l Sets the maximum number of multicast groups that an interface can dynamically join.
l Configures multicast entry overwriting.
l Filters out multicast data packets sent from specified VLANs on an interface.
l Discards unknown multicast data packets, preventing them from being broadcast in
VLANs.

You can use Layer 2 multicast policies according to network requirements.

Pre-configuration Tasks
Before configuring a Layer 2 multicast policy, complete the following tasks:
l Enabling IGMP snooping globally and in a VLAN
l Creating VLANs and adding interfaces to these VLANs

Data Preparation
To configure a Layer 2 multicast policy, you need the following data.
No.   Data
1     Types and numbers of interfaces
2     ACL rules applied to a multicast group policy
3     ACL rules applied to prompt leave of multicast member interfaces

Configuring a Multicast Group Policy


Context
A multicast group policy determines which multicast groups the hosts in a VLAN can join.
NOTE

When creating an ACL in a multicast group policy for a VLAN, specify the deny parameter in the rule
command to prohibit the hosts in the VLAN from joining all or specified multicast groups.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Use either of the following methods to configure a multicast group policy.
l Configure a multicast group policy in a VLAN.
1. Run:
vlan vlan-id

The VLAN view is displayed.

2. Run:
igmp-snooping group-policy acl-number [ version number ]

A multicast group policy is configured to prohibit the hosts in the specified VLANs
from joining the specified multicast group.
l Configure a multicast group policy on an interface.
1. Run:
interface interface-type interface-number

The interface view is displayed.
The interface can be an Ethernet, GE, or Eth-Trunk interface.
2. Run:
igmp-snooping group-policy acl-number [ version number ] vlan vlan-id1 [ to vlan-id2 ]

A multicast group policy is configured to prohibit the hosts in the specified VLANs
from joining the specified multicast group.
By default, the hosts in a VLAN can join any multicast group. If the IGMP version is not specified
for a multicast group policy, the AC6605 applies the policy to all the received IGMP messages
regardless of their versions.
If you configure multicast group policies for the same VLAN in the interface view and VLAN
view, only the policy configured in the interface view takes effect.
NOTE

A multicast group policy does not apply to static multicast entries.

----End

Configuring Prompt Leave for Interfaces


Prerequisites
A basic ACL is configured to specify the IP multicast groups that hosts can leave.
For the configuration of the ACL, see 8.9 ACL Configuration in the AC6605 Access Controller
Configuration Guide - Security.

Context
When an interface on the AC6605 receives an IGMP Leave message from a host, the AC6605
deletes the forwarding entry that corresponds to the interface from the multicast forwarding table
immediately without waiting for the aging of the forwarding entry. This is called prompt leave.
When each interface in a VLAN is connected to only one host, you can enable prompt leave for
interfaces in the VLAN.
NOTE

Prompt leave takes effect for interfaces in a VLAN only when the AC6605 can process IGMPv2 or IGMPv3
messages.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
vlan vlan-id

The VLAN view is displayed.


Step 3 Run:
igmp-snooping prompt-leave [ group-policy acl-number ]

Prompt leave is enabled for interfaces in the VLAN.


If group-policy acl-number is not specified, the AC6605 immediately deletes the forwarding
entry corresponding to a member interface after receiving the Leave message from the interface.
By default, prompt leave is disabled for interfaces.
NOTE

On the AC6605, the permit rule is applicable to all multicast groups by default. To configure prompt leave
for a specified multicast group, you need to use the rule deny source any command.

----End

Setting the Maximum Number of Multicast Groups that Hosts Attached to an Interface Can Join

Context
To limit the number of multicast programs available to users and multicast data traffic on an
interface, set the maximum number of multicast groups that users can join.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
interface interface-type interface-number

The interface view is displayed.


The interface can be a GE interface, or an Eth-Trunk interface.
Step 3 Run:
igmp-snooping group-limit group-limit vlan {vlan-id [ to vlan-id ] } &<1-10>

The maximum number of multicast groups that hosts attached to the interface can join is set.
If the number of multicast groups that an interface has already joined is greater than the value
of group-limit configured on the interface, the current number of multicast groups on the
interface does not change, but the interface cannot join new multicast groups.
----End

Configuring Layer 2 Multicast Entry Overwriting


Context
If the number of multicast groups on an interface or the Switch reaches the limit, users connected
to the interface or Switch cannot join new multicast groups. After Layer 2 multicast entry
overwriting is configured, the Switch records information about multicast users. When a user
requests to join a new multicast group but the number of multicast groups on the interface or
Switch has reached the limit, the Switch checks all the programs that the user has ordered. If a
program is watched only by this user, the Switch replaces the entry of this program with the
entry of the new program.
Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
vlan vlan-id

The VLAN view is displayed.


Step 3 Run:
igmp-snooping limit-action

Layer 2 multicast entry overwriting is configured in the VLAN.


NOTE

l When an interface is statically bound to a multicast group, the Layer 2 multicast entry overwriting
function becomes invalid on the interface.
l The new multicast entry cannot replace the old one when the old multicast group has multiple multicast
users or is a static multicast group.
l A new (S, G) entry can replace only an old (S, G), and a new (*, G) entry can replace only an old (*,
G) entry.

----End
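The group-limit and entry-overwriting rules of the two procedures above, as an added Python model (not Huawei code): the interface table, host names and group addresses are constructed, and treating a static entry as exempt from the group limit is an assumption of the model.

```python
"""Model of igmp-snooping group-limit plus igmp-snooping limit-action on one
interface, following the rules stated in the guide.  Added example, not
Huawei code; hosts and group addresses below are constructed."""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class GroupEntry:
    source: Optional[str]          # None for a (*, G) entry
    group: str
    static: bool = False
    users: set = field(default_factory=set)   # hosts that ordered this program

    @property
    def kind(self):
        return "(S, G)" if self.source else "(*, G)"


class InterfaceTable:
    def __init__(self, group_limit, limit_action=False):
        self.group_limit = group_limit      # igmp-snooping group-limit value
        self.limit_action = limit_action    # igmp-snooping limit-action configured
        self.entries = []

    def _find(self, source, group):
        for e in self.entries:
            if e.source == source and e.group == group:
                return e
        return None

    def add_static(self, group, source=None):
        """l2-multicast static-group: assumed not to count against the limit."""
        self.entries.append(GroupEntry(source, group, static=True))

    def join(self, user, group, source=None):
        """Process a join request from user.  Returns 'joined',
        'replaced:<old group>' or 'rejected'."""
        existing = self._find(source, group)
        if existing:
            existing.users.add(user)        # program already forwarded here
            return "joined"
        if len(self.entries) < self.group_limit:
            self.entries.append(GroupEntry(source, group, users={user}))
            return "joined"
        # Limit reached: without limit-action the join is simply refused.
        if not self.limit_action:
            return "rejected"
        # A static binding on the interface disables overwriting entirely.
        if any(e.static for e in self.entries):
            return "rejected"
        new_kind = "(S, G)" if source else "(*, G)"
        for old in self.entries:
            # Only a program watched by this user alone, and of the same
            # entry kind, can be replaced by the new program.
            if old.users == {user} and old.kind == new_kind:
                self.entries.remove(old)
                self.entries.append(GroupEntry(source, group, users={user}))
                return f"replaced:{old.group}"
        return "rejected"


if __name__ == "__main__":
    t = InterfaceTable(group_limit=2, limit_action=True)
    for host, grp in [("h1", "225.1.1.1"), ("h1", "225.1.1.2"),
                      ("h2", "225.1.1.2"), ("h1", "225.1.1.3")]:
        print(host, grp, t.join(host, grp))
```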

Enabling the Discarding of Unknown Multicast Data Packets in a VLAN


Context
Unknown multicast data packets are broadcast in a VLAN by default. If multicast services are
stable, for example, the static Layer 2 multicast service, unknown multicast data packets do not
need to be processed. You can enable the discarding of multicast data packets in such a case. If
multicast services are unstable, for example, users frequently join or leave multicast groups,
unknown multicast data packets need to be processed; otherwise some users cannot receive
multicast data.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
vlan vlan-id

The VLAN view is displayed.


Step 3 Run:
multicast drop-unknown

Discarding unknown multicast data packets is enabled.


----End
Checking the Configuration


Prerequisites
All the configurations of the Layer 2 multicast policy are complete.

Procedure
l Run the display igmp-snooping configuration command to check the non-default IGMP
snooping configuration.
You can view the configuration of a Layer 2 multicast policy in a VLAN by viewing the
non-default IGMP snooping configuration in the VLAN.
l Run the display l2-multicast forwarding-table vlan vlan-id [ [ source-address source-address ] group-address { group-address | router-group } ] command to view the Layer
2 multicast forwarding table in a specified VLAN.
You can check whether a Layer 2 multicast policy is applied correctly by viewing the Layer 2
multicast forwarding entries.

----End

Example
# View the non-default IGMP snooping configuration in VLAN 10.
<Quidway> display igmp-snooping vlan 10 configuration
IGMP Snooping Configuration for VLAN 10
igmp-snooping enable
igmp-snooping group-policy 2002
igmp-snooping limit-action

6.2.5 Configuring Layer 2 Multicast SSM Mapping


This section describes how to configure the Layer 2 multicast SSM mapping function.

Establishing the Configuration Task


Applicable Environment
If the Switch connected to user hosts is configured with IGMPv3, SSM mapping needs to be
configured on the Switch to map the multicast group addresses not in the SSM group to the
specified source addresses.
When the Switch running IGMPv3 receives an IGMPv2 packet whose address is in the SSM
group, the SSM mapping function can automatically map the address of the packet to the
specified source.

Pre-configuration Tasks
Before configuring SSM mapping, complete the following task:
l Enabling global IGMP snooping

Data Preparation
To configure SSM mapping, you need the following data.
No.   Data
1     (Optional) ACL rule
2     (Optional) SSM policy
3     Source addresses mapped to the multicast group addresses

(Optional) Configuring an SSM Group Policy


Context
If a user joins an ASM multicast group, you need to configure an SSM group policy in the VLAN
to add the multicast group address to the range of SSM group addresses.
NOTE

When you create an ACL for an SSM policy, the configuration takes effect only if you select permit and
specify a multicast address in the rule command. The configuration does not take effect if deny is selected
or if the specified address is not a multicast address.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
vlan vlan-id

The VLAN view is displayed.


Step 3 Run:
igmp-snooping ssm-policy basic-acl-number

An SSM group policy is configured.


By default, the address of an SSM group ranges from 232.0.0.0 to 232.255.255.255. After you
configure an SSM policy, the multicast groups specified in the SSM policy are considered as
SSM groups.
----End

Configuring Layer 2 Multicast SSM Mapping


Context
By configuring SSM mapping, you can set up one-to-one mappings between multicast groups
and multicast sources.
SSM mapping can be configured only when IGMP snooping is enabled globally and in the
corresponding VLAN and when the IGMP messages version is set to IGMPv3 in the VLAN.
If the multicast replication function is configured, you only need to configure SSM mapping in
the multicast VLAN.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
vlan vlan-id

The VLAN view is displayed.


Step 3 Run:
igmp-snooping version 3

The version number of IGMP is set to 3.


The default IGMP snooping version is 2, but IGMPv2 does not support SSM mapping.
Step 4 Run:
igmp-snooping ssm-mapping enable

SSM mapping is enabled in the VLAN.


By default, SSM mapping is disabled.
Step 5 Run:
igmp-snooping ssm-mapping ip-group-address { ip-group-mask | mask-length } ip-source-address

The mapping between a multicast group address and a multicast source is configured.
The specified multicast group address must be in the range of multicast group addresses specified
by the SSM policy. For the configuration of the SSM policy, see (Optional) Configuring an
SSM Group Policy.
----End

Checking the Configuration


Prerequisites
The configurations of SSM mapping are complete.

Procedure
l Run the display igmp-snooping port-info command to view the IGMP snooping entries
on an interface.

----End
Example
Run the display igmp-snooping port-info command, and you can view the IGMP snooping
entries on the interface. For example:
<Quidway> display igmp-snooping port-info vlan 10
-----------------------------------------------------------------------
(Source, Group)        Port                                     Flag
Flag: S:Static         D:Dynamic        M: Ssm-mapping
-----------------------------------------------------------------------
VLAN 10, 3 Entry(s)
  (*, 225.1.1.1)       GE0/0/2                                  --M
                       1 port(s)
  (*, 225.1.1.2)       GE0/0/2                                  --M
                       1 port(s)
  (*, 225.1.1.3)       GE0/0/2                                  --M
                       1 port(s)
-----------------------------------------------------------------------

6.2.6 Maintaining Layer 2 Multicast


Maintaining Layer 2 multicast involves clearing static and dynamic multicast forwarding
entries, resetting IGMP snooping statistics, and debugging IGMP snooping.

Clearing Static Entries in a Multicast Forwarding Table


Context

CAUTION
Static entries in a forwarding table cannot be restored after you clear them and you have to
configure them again. Confirm the operation before you run the following command.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
interface interface-type interface-number

The interface view is displayed.


The interface can be a GE interface, or an Eth-Trunk interface.
Step 3 Run:
undo l2-multicast static-group [ source-address source-ip-address ] group-address
group-ip-address vlan { all | { vlan-id1 [ to vlan-id2 ] } & <1-10> }

The interface is removed from a multicast group.


Or run:
undo l2-multicast static-group [ source-address source-ip-address ] group-address
group-ip-address1 to group-ip-address2 vlan vlan-id

The interface is removed from multiple multicast groups in a batch.


----End

Clearing Multicast Forwarding Entries


Context

CAUTION
Running this command disables hosts in a VLAN from receiving certain multicast flows. The
hosts in the VLAN receive the multicast flows again only after the AC6605 receives IGMP
Report messages from the hosts again and the forwarding entries are regenerated on the
AC6605.

Procedure
l Run the reset igmp-snooping group { all | vlan { vlan-id | all } } command in the user
view to clear the dynamic forwarding entries in the multicast forwarding table.
NOTE

This command cannot clear static forwarding entries and dynamic router port entries.

----End

Clearing the Statistics on IGMP Snooping


Context

CAUTION
The statistics on IGMP snooping cannot be restored after you clear them. So, confirm the action
before you use the command.

Procedure
l Run the reset igmp-snooping statistics { all | vlan { vlan-id | all } } command in the user
view to clear the statistics on IGMP snooping.

----End

Debugging IGMP Snooping


Context

CAUTION
Debugging affects the performance of the system. So, after debugging, run the undo debugging
igmp-snooping all command to disable it immediately.

Procedure
l Run the debugging igmp-snooping { all | aps | event | fwd | general | leave [ basic-acl-number ] | mvlan | packet [ advance-acl-number ] | query [ advance-acl-number ] |
report [ advance-acl-number ] | syn | timer } command in the user view to enable
debugging of IGMP snooping.

----End

6.2.7 Configuration Examples


This section provides several configuration examples of IGMP snooping in a VLAN.

Example for Configuring IGMP Snooping


Networking Requirements
As shown in Figure 6-3, GE 0/0/1 of the AC6605 is connected to a router on the multicast source
side, and GE 0/0/2 is connected to hosts. You are required to configure IGMP snooping to ensure
that three hosts in VLAN 3 can receive multicast data from multicast groups in the range of
225.1.1.1 to 225.1.1.3 permanently.
Figure 6-3 Networking diagram for configuring VLAN-based IGMP snooping

[Figure: the multicast source and a DHCP server sit behind the IP/MPLS core; GE0/0/1 of the
Switch faces the core side, and GE0/0/2 connects Host3, Host4, and Host5 in VLAN3]

Configuration Roadmap
The configuration roadmap is as follows:
1. Create a VLAN and add interfaces to the VLAN.
2. Enable IGMP snooping globally and in the VLAN.
3. Configure a static router interface.
4. Configure static multicast groups 225.1.1.1, 225.1.1.2, and 225.1.1.3.

Data Preparation
To complete the configuration, you need the following data:
l ID of the VLAN that GE 0/0/2 and GE 0/0/1 belong to: VLAN 3
l Static router interface: GE0/0/1
l Addresses of static multicast groups: 225.1.1.1, 225.1.1.2, 225.1.1.3

Procedure
Step 1 Create a VLAN and add interfaces to the VLAN.
<Switch> system-view
[Switch] vlan 3
[Switch-vlan3] quit
[Switch] interface gigabitethernet 0/0/1
[Switch-GigabitEthernet0/0/1] port hybrid tagged vlan 3
[Switch-GigabitEthernet0/0/1] quit
[Switch] interface gigabitethernet 0/0/2
[Switch-GigabitEthernet0/0/2] port hybrid tagged vlan 3
[Switch-GigabitEthernet0/0/2] quit

Step 2 Enable IGMP snooping.


# Enable IGMP snooping globally.
[Switch] igmp-snooping enable

# Enable IGMP snooping in VLAN 3.


[Switch] vlan 3
[Switch-vlan3] igmp-snooping enable
[Switch-vlan3] quit

Step 3 Configure GE 0/0/1 as the static router interface of VLAN 3.


[Switch] interface gigabitethernet 0/0/1
[Switch-GigabitEthernet0/0/1] igmp-snooping static-router-port vlan 3
[Switch-GigabitEthernet0/0/1] quit

Step 4 Configure static multicast groups.


[Switch] interface gigabitethernet 0/0/2
[Switch-GigabitEthernet0/0/2] l2-multicast static-group group-address 225.1.1.1
vlan 3
[Switch-GigabitEthernet0/0/2] l2-multicast static-group group-address 225.1.1.2
vlan 3
[Switch-GigabitEthernet0/0/2] l2-multicast static-group group-address 225.1.1.3
vlan 3
[Switch-GigabitEthernet0/0/2] quit

Step 5 Verify the configuration.


# Check all configurations of IGMP snooping.


[Switch] display igmp-snooping vlan configuration
IGMP Snooping Configuration for VLAN 3
igmp-snooping enable

According to the preceding information, the IGMP snooping of the VLAN is enabled.
# Check the configuration of the static router interface.
Run the display igmp-snooping router-port vlan 3 command on the AC6605.
[Switch] display igmp-snooping router-port vlan 3
Port Name                UpTime       Expires      Flags
--------------------------------------------------------------------
VLAN 3, 1 router-port(s)
GE0/0/1                  2d:10h       --           STATIC

According to the preceding information, GE 0/0/1 is configured as a static router interface.


# Verify the information about member interfaces of a static multicast group.
[Switch] display igmp-snooping port-info
-----------------------------------------------------------------------
(Source, Group)        Port                                     Flag
Flag: S:Static         D:Dynamic        M: Ssm-mapping
-----------------------------------------------------------------------
VLAN 3, 3 Entry(s)
  (*, 225.1.1.1)       GE0/0/2                                  S--
                       1 port(s)
  (*, 225.1.1.2)       GE0/0/2                                  S--
                       1 port(s)
  (*, 225.1.1.3)       GE0/0/2                                  S--
                       1 port(s)
-----------------------------------------------------------------------

According to the preceding information, multicast groups 225.1.1.1 to 225.1.1.3 are configured
with static forwarding entries.
# View the multicast forwarding table.
[Switch] display l2-multicast forwarding-table vlan 3
VLAN ID : 3, Forwarding Mode : IP
--------------------------------------------------------------------
(Source, Group)          Interface                     Out-Vlan
--------------------------------------------------------------------
Router-port              GigabitEthernet0/0/1          3
(*, 225.1.1.1)           GigabitEthernet0/0/1          3
                         GigabitEthernet0/0/2          3
(*, 225.1.1.2)           GigabitEthernet0/0/1          3
                         GigabitEthernet0/0/2          3
(*, 225.1.1.3)           GigabitEthernet0/0/1          3
                         GigabitEthernet0/0/2          3
--------------------------------------------------------------------
Total Group(s) : 3

The preceding information shows the VLAN ID and outgoing interface mapping the data from
multicast groups 225.1.1.1 to 225.1.1.3.
----End
Configuration Files
l Configuration file of the AC6605

#
sysname Switch
#
vlan batch 3
#
igmp-snooping enable
#
vlan 3
igmp-snooping enable
#
interface GigabitEthernet0/0/1
port hybrid tagged vlan 3
igmp-snooping static-router-port vlan 3
#
interface GigabitEthernet0/0/2
port hybrid tagged vlan 3
l2-multicast static-group group-address 225.1.1.1 to 225.1.1.3 vlan 3
#
return

Example for Configuring IGMP Snooping SSM Mapping


Networking Requirements
On the network shown in Figure 6-4, IGMPv2 is run on Switch and Host 1 and Host 2, and
IGMPv3 is run on the last-hop router Router A on the multicast source side. Switch A is the
AC6605 device. GE 0/0/1 on Switch A is connected to Router A and GE 0/0/2 on Switch A is
connected to a switch directly connected with users. GE 0/0/1 on Switch A is a static router
interface and GE 0/0/2 is statically added to multicast group 224.1.1.1. GE 0/0/1 and GE 0/0/2
both join VLAN 10 and IGMP SSM mapping is deployed on Router A.
It is required that IGMP snooping SSM mapping be configured on Switch A in the VLAN to
work jointly with IGMP SSM mapping. IGMP snooping SSM mapping also generates a mapping
between a multicast group and a multicast source. (*, G) information in IGMPv1 or IGMPv2
multicast data packets is then mapped to (S, G) information, providing SSM services for the
hosts running IGMPv1 or IGMPv2.

Figure 6-4 Networking diagram for configuring IGMP snooping SSM mapping

[Figure: Source 1 (10.1.1.1) and Source 2 (10.1.1.2) reach RouterA across the Internet/Intranet;
RouterA connects to GE0/0/1 of SwitchA (SSM Mapping), and GE0/0/2 of SwitchA connects to a
Switch serving Host1 and Host2 in VLAN10]

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure basic IGMP snooping functions so that users can receive multicast data from
multicast sources.
2. Configure an SSM group policy for IGMP snooping to add the ASM group addresses of
users to the SSM group address range.
3. Configure IGMP snooping SSM mapping so that users can receive multicast data from a
specified multicast source.

Data Preparation
To complete the configuration, you need the following data:
l VLAN 10 to which GE 0/0/1 and GE 0/0/2 on Switch A are added
l IGMPv3 run on Switch A and IGMPv2 run on Switch, Host 1, and Host 2
l Multicast source address 10.1.1.2

Procedure
Step 1 Configure a VLAN.
# Configure Switch A.
<Quidway> system-view
[Quidway] sysname SwitchA
[SwitchA] vlan 10
[SwitchA-vlan10] quit
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port hybrid pvid vlan 10
[SwitchA-GigabitEthernet0/0/1] port hybrid untagged vlan 10
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port hybrid pvid vlan 10
[SwitchA-GigabitEthernet0/0/2] port hybrid untagged vlan 10
[SwitchA-GigabitEthernet0/0/2] quit

Step 2 Enable global IGMP snooping and IGMP snooping in the VLAN.
# Configure Switch A.
[SwitchA] igmp-snooping enable
[SwitchA] vlan 10
[SwitchA-vlan10] igmp-snooping enable

Step 3 Configure IGMPv3 on Switch A and configure IGMPv2 on hosts. The hosts are not allowed to
upgrade the IGMP version to 3.
# Configure SwitchA.
[SwitchA-vlan10] igmp-snooping version 3
[SwitchA-vlan10] quit

Step 4 Configure GE 0/0/1 as a static router interface in VLAN 10.


[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] igmp-snooping static-router-port vlan 10
[SwitchA-GigabitEthernet0/0/1] quit

Step 5 Configure an SSM group policy for IGMP snooping and enable IGMP snooping SSM mapping.
[SwitchA] acl number 2008
[SwitchA-acl-basic-2008] rule 5 permit source 224.1.1.1 0
[SwitchA-acl-basic-2008] quit
[SwitchA] vlan 10
[SwitchA-vlan10] igmp-snooping ssm-policy 2008
[SwitchA-vlan10] igmp-snooping ssm-mapping enable
[SwitchA-vlan10] igmp-snooping ssm-mapping 224.1.1.1 24 10.1.1.2
[SwitchA-vlan10] quit

Step 6 Verify the configuration.


# Run the display igmp-snooping vlan configuration command on Switch A. You can view
IGMP snooping configurations in the VLAN.
[SwitchA] display igmp-snooping vlan configuration
IGMP Snooping Configuration for VLAN 10
igmp-snooping enable
igmp-snooping version 3
igmp-snooping ssm-mapping enable
igmp-snooping ssm-policy 2008
igmp-snooping ssm-mapping 224.1.1.0 255.255.255.0 10.1.1.2

# After SwitchA receives a Report message, run the display igmp-snooping port-info command
to view the configurations on the interface.
[SwitchA] display igmp-snooping port-info
-----------------------------------------------------------------------
(Source, Group)        Port                                     Flag
Flag: S:Static         D:Dynamic        M: Ssm-mapping
-----------------------------------------------------------------------
VLAN 10, 1 Entry(s)
  (10.1.1.2, 224.1.1.1) GE0/0/2                                 --M
                       1 port(s)
-----------------------------------------------------------------------

----End
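How the SSM mapping step in 6.2.5 and the example above turn an IGMPv2 (*, G) report into an (S, G) entry, as an added Python model (not Huawei code): it uses the guide's default SSM range 232.0.0.0/8, the ACL-permitted group 224.1.1.1 and the mapping 224.1.1.1 24 10.1.1.2, and shows why the configuration file stores that mapping as 224.1.1.0 255.255.255.0; the prefix-based storage and longest-match lookup are assumptions of the model.

```python
"""Model of IGMP snooping SSM mapping: SSM policy check plus prefix-based
group-to-source mapping.  Added example, not Huawei code; the values are
taken from the SSM mapping configuration example in this guide."""
import ipaddress

# Default SSM group range stated in the guide: 232.0.0.0 to 232.255.255.255.
DEFAULT_SSM_RANGE = ipaddress.ip_network("232.0.0.0/8")


class SsmMapper:
    def __init__(self, policy_groups=()):
        # Groups permitted by the SSM policy ACL (igmp-snooping ssm-policy);
        # they are treated as SSM groups in addition to the default range.
        self.policy = {ipaddress.ip_address(g) for g in policy_groups}
        self.mappings = []   # (network, source), longest prefix first

    def add_mapping(self, group, mask_or_len, source):
        """igmp-snooping ssm-mapping 224.1.1.1 24 10.1.1.2 is kept as the
        prefix 224.1.1.0/24 -> 10.1.1.2 (assumed), which matches the
        224.1.1.0 255.255.255.0 10.1.1.2 line in the configuration file.
        Returns the (network address, netmask) as the device displays them."""
        net = ipaddress.ip_network(f"{group}/{mask_or_len}", strict=False)
        self.mappings.append((net, ipaddress.ip_address(source)))
        self.mappings.sort(key=lambda m: m[0].prefixlen, reverse=True)
        return str(net.network_address), str(net.netmask)

    def is_ssm_group(self, group):
        g = ipaddress.ip_address(group)
        return g in DEFAULT_SSM_RANGE or g in self.policy

    def resolve(self, group, igmp_version=2):
        """Return the (S, G) pair for a (*, G) report, or None when the entry
        stays (*, G): IGMPv3 reports already carry a source, a group outside
        the SSM policy range is not mapped, and a group with no covering
        mapping is left unchanged."""
        if igmp_version == 3:
            return None
        g = ipaddress.ip_address(group)
        if not self.is_ssm_group(g):
            return None
        for net, src in self.mappings:
            if g in net:
                return (str(src), str(g))
        return None


if __name__ == "__main__":
    m = SsmMapper(policy_groups=["224.1.1.1"])      # acl 2008: permit 224.1.1.1
    print(m.add_mapping("224.1.1.1", 24, "10.1.1.2"))
    print(m.resolve("224.1.1.1"))                    # (10.1.1.2, 224.1.1.1)
```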
Configuration Files
l Configuration file of Switch A

#
sysname SwitchA
#
vlan batch 10
#
igmp-snooping enable
#
acl number 2008
rule 5 permit source 224.1.1.1 0
#
vlan 10
igmp-snooping enable
igmp-snooping ssm-mapping enable
igmp-snooping version 3
igmp-snooping ssm-policy 2008
igmp-snooping ssm-mapping 224.1.1.0 255.255.255.0 10.1.1.2
#
interface GigabitEthernet0/0/1
port hybrid pvid vlan 10
port hybrid untagged vlan 10
igmp-snooping static-router-port vlan 10
#
interface GigabitEthernet0/0/2
port hybrid pvid vlan 10
port hybrid untagged vlan 10
#
return

6.3 Multicast VLAN Replication Configuration


This chapter describes the procedure for configuring multicast VLAN replication and
maintenance commands, and provides configuration examples.

6.3.1 Multicast VLAN Replication Overview


After multicast VLAN replication is configured on a Switch, the upstream router only needs to
transmit multicast data to a multicast VLAN. This function saves bandwidth because the
upstream router does not need to send a copy of multicast data to each user VLAN.
In traditional multicast transmission mode, the upstream router must copy multicast data for
each user VLAN and send all copies to the Switch when users in different VLANs request the
program provided by the same multicast source. This mode wastes network bandwidth and adds
workload on the router.
When users in multiple VLANs require the program of the same multicast source, you can
configure the VLANs as the user VLANs of a multicast VLAN on the Switch. The upstream
router only needs to send multicast data to the multicast VLAN and does not need to send a copy
to each user VLAN. When the Switch receives multicast data packets from the upstream router,
it distributes multicast data packets to the user VLANs that have multicast receivers.

6.3.2 Multicast VLAN Replication Supported by the AC6605


This section describes the multicast VLAN replication features supported by the AC6605.

Multicast VLAN Replication Based on User VLANs


Figure 6-5 shows the traditional multicast data transmission mode. When HostA, HostB, and
HostC in different VLANs join the same multicast group, the Layer 3 device (router) must copy
multicast data for each VLAN and send all copies to the Layer 2 device (switch). This wastes
bandwidth and burdens the router.
Figure 6-5 Traditional multicast data transmission (figure: the Source sends to the Router, which forwards one copy of the multicast packet per VLAN 2, VLAN 3 and VLAN 4 to the Switch; receivers HostA, HostB and HostC sit in those VLANs)

Figure 6-6 shows multicast data transmission after multicast VLAN replication is configured.
The router only needs to copy multicast data for the multicast VLAN and sends the data to the
switch. This saves network bandwidth and reduces workload of the router.
Figure 6-6 Multicast VLAN replication (figure: the Router forwards a single copy of the multicast packet in the multicast VLAN to the Switch, which distributes it to receivers HostA, HostB and HostC in VLAN 2, VLAN 3 and VLAN 4)

The AC6605 supports the following mapping modes between multicast VLANs and user
VLANs:
l One-to-many mapping between a multicast VLAN and user VLANs
l Many-to-many mapping between multicast VLANs and user VLANs

Multicast VLAN Replication Based on Interfaces


A carrier provides the multicast service for multiple Internet service providers (ISPs) and assigns
a multicast VLAN to each ISP to isolate multicast data and routes. The ISPs provide multicast
services for users on different interfaces. The interfaces may be added to the same user VLAN,
so multicast packets of an ISP may be sent to users that do not subscribe to services of this ISP.
To protect interests of ISPs, the carrier can bind user VLANs to multicast VLANs on the user-side interfaces. As shown in Figure 6-7, after multicast VLANs are bound to user VLANs on
user-side interfaces, multicast data packets are only sent to user VLANs on the specified
interfaces.
Figure 6-7 Multicast data transmission before and after multicast VLAN replication is configured on interfaces (figure: Source, Router and Switch; ISP1 and ISP2 deliver Multicast VLAN 2 and Multicast VLAN 3 to HostA receivers on user-side interfaces that share VLAN4; before the binding both interfaces receive both streams, after it each interface receives only its own ISP's stream)
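The isolation difference between the two binding modes, as an added example that is not Huawei code: it models which user-side ports get a copy of a multicast VLAN's stream, with port names and VLAN numbers constructed after Figure 6-7 (two ISPs whose user-side ports share user VLAN 10).

```python
"""Which user-side ports receive a multicast VLAN's stream under the two binding
modes of this section.  Added example, not Huawei code: the topology below is
constructed after Figure 6-7 (two ISPs whose user-side ports share user VLAN 10)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Port:
    name: str
    user_vlans: frozenset          # user VLANs this port carries
    binds: tuple = ()              # (user_vlan, mvlan) pairs from l2-multicast-bind


def receivers_by_user_vlan(mvlan, mapping, ports, joined):
    """User-VLAN-based replication ('multicast-vlan user-vlan' in the multicast
    VLAN view): every port carrying a bound user VLAN on which a receiver joined
    gets a copy, whichever ISP that port is connected to."""
    return {(p.name, u) for u in mapping.get(mvlan, ()) for p in ports
            if u in p.user_vlans and (p.name, u) in joined}


def receivers_by_interface(mvlan, ports, joined):
    """Interface-based replication ('l2-multicast-bind' on the user-side port):
    a copy goes only where that port binds the user VLAN to this multicast VLAN."""
    return {(p.name, u) for p in ports for u, m in p.binds
            if m == mvlan and (p.name, u) in joined}


def cross_isp_delivery(mvlan, mapping, ports, joined):
    """Ports that VLAN-based replication would serve although no interface binding
    ties them to this multicast VLAN: the non-subscriber delivery the text warns of."""
    return (receivers_by_user_vlan(mvlan, mapping, ports, joined)
            - receivers_by_interface(mvlan, ports, joined))


# Constructed topology: ISP1 feeds multicast VLAN 2 to GigabitEthernet0/0/2 and
# ISP2 feeds multicast VLAN 3 to GigabitEthernet0/0/3; both ports sit in user VLAN 10.
PORTS = (
    Port("GigabitEthernet0/0/2", frozenset({10}), ((10, 2),)),
    Port("GigabitEthernet0/0/3", frozenset({10}), ((10, 3),)),
)
# Receivers that sent IGMP reports, as (port, user VLAN); a port with no joined
# receiver gets no copy in either mode.
JOINED = {("GigabitEthernet0/0/2", 10), ("GigabitEthernet0/0/3", 10)}

if __name__ == "__main__":
    # Binding user VLAN 10 to ISP1's multicast VLAN 2 in VLAN mode reaches ISP2's port too.
    print("VLAN mode :", sorted(receivers_by_user_vlan(2, {2: [10]}, PORTS, JOINED)))
    print("port mode :", sorted(receivers_by_interface(2, PORTS, JOINED)))
    print("leaks to  :", sorted(cross_isp_delivery(2, {2: [10]}, PORTS, JOINED)))
```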

6.3.3 Configuring Multicast VLAN Replication Based on User VLANs


This section describes how to implement multicast VLAN replication based on user VLANs.

Establishing the Configuration Task


Applicable Environment
In traditional multicast transmission mode, a router must copy multicast data for each user VLAN
and send all copies to the downstream device when users in different VLANs request the program
provided by the same multicast source. This mode wastes network bandwidth and adds workload
on the router.
Multicast VLAN replication helps to manage and control the multicast source and the multicast
group members. This function enables users in different VLANs to receive the same multicast
flow and saves bandwidth.
In multicast VLAN replication implementation, VLANs are classified into multicast VLANs
and multiple user VLANs. The AC6605 interface connected to a multicast source belongs to a
multicast VLAN, and interfaces connected to members of a multicast group belong to user
VLANs. The multicast VLAN aggregates multicast flows, and user VLANs receive data from
the multicast VLAN.

Pre-configuration Tasks
Before configuring multicast VLAN replication based on user VLANs, complete the following
tasks:
l Connecting interfaces and setting physical parameters for the interfaces to ensure that the
physical status of the interfaces is Up
l Enabling IGMP snooping globally

Data Preparation
To configure multicast VLAN replication based on user VLANs, you need the following data.
l Multicast VLAN ID
l User VLAN IDs
l Types and numbers of interfaces

Configuring Multicast VLAN Replication Based on User VLANs


Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
vlan vlan-id

A VLAN is created and the VLAN view is displayed.


Step 3 Run:
igmp-snooping enable

IGMP snooping is enabled in the VLAN.



Step 4 Run:
multicast-vlan enable

Multicast VLAN replication is enabled, and the VLAN is configured as a multicast VLAN.
By default, multicast VLAN replication is disabled.
After IP multicast is configured on the AC6605, no multicast VLAN can be configured.
Step 5 Run:
multicast-vlan user-vlan { { vlan-id1 [ to vlan-id2 ] } & <1-10> }

User VLANs are bound to the multicast VLAN.


The vlan-id1 and vlan-id2 parameters specify user VLAN IDs. The value of vlan-id2 must be
greater than the value of vlan-id1.
NOTE

The user VLANs specified in the command must be existing VLANs enabled with IGMP snooping and
cannot be multicast VLANs or user VLANs of another multicast VLAN.

----End

Adding Interfaces to VLANs


Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Add a network-side interface to a multicast VLAN.
1. Run the interface interface-type interface-number command to enter the network-side
interface view.
2. Configure the network-side interface as a trunk or hybrid interface and add the interface to
the multicast VLAN. For the configuration procedure, see Dividing a LAN into VLANs
Based on Ports.
3. Run the quit command to return to the system view.

Step 3 Add a user-side interface to a user VLAN.
1. Run the interface interface-type interface-number command to enter the user-side interface
view.
2. Configure the user-side interface as a trunk or hybrid interface and add the interface to the
user VLAN. For the configuration procedure, see Dividing a LAN into VLANs Based on
Ports.

----End

Checking the Configuration


Prerequisites
The configuration of multicast VLAN replication is complete.

Procedure
l Run the display multicast-vlan vlan [ vlan-id ] command to view information about a
multicast VLAN.

----End

Example
Run the display multicast-vlan vlan [ vlan-id ] command to view information about a multicast
VLAN.
<Quidway> display multicast-vlan vlan 3
Multicast-vlan            : 3
User-vlan Number          : 2
IGMP snooping state       : Enable
MLD snooping state        : Disable
User-vlan    Snooping-state
----------------------------------------------
100          IGMP Enable /MLD Disable
200          IGMP Enable /MLD Disable

Run the display user-vlan vlan [ vlan-id ] command to view information about user VLANs.
<Quidway> display user-vlan vlan
Total user vlan 2
user-vlan    snooping-state              multicast-vlan    snooping-state
-----------------------------------------------------------------------------
100          IGMP Enable /MLD Disable    3                 IGMP Enable /MLD Disable
200          IGMP Enable /MLD Disable    3                 IGMP Enable /MLD Disable

6.3.4 Configuring Multicast VLAN Replication Based on Interfaces


This section describes how to configure multicast VLAN replication based on interfaces.

Establishing the Configuration Task


Applicable Environment
A carrier provides the multicast service for multiple Internet service providers (ISPs) and assigns
a multicast VLAN to each ISP to isolate multicast data and routes. The ISPs provide multicast
services for users on different interfaces. The interfaces may be added to the same user VLAN,
so multicast packets of an ISP may be sent to users that do not subscribe to services of this ISP.
To protect interests of ISPs, the carrier can bind user VLANs to multicast VLANs on the user-side interfaces. Multicast data packets of a user VLAN are then sent to the specified interface.

Pre-configuration Tasks
Before configuring multicast VLAN replication based on interfaces, complete the following
tasks:
l Connecting interfaces and setting physical parameters for the interfaces to ensure that the
physical status of the interfaces is Up
l Enabling IGMP snooping globally


Data Preparation
To configure multicast VLAN replication based on interfaces, you need the following data.
l Multicast VLAN ID
l User VLAN IDs
l Types and numbers of interfaces

Creating a Multicast VLAN


Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
vlan vlan-id

A VLAN is created and the VLAN view is displayed.


Step 3 Run:
igmp-snooping enable

IGMP snooping is enabled in the VLAN.


----End

Binding User VLANs to a Multicast VLAN on an Interface


Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
interface interface-type interface-number

The interface view is displayed.


Step 3 Run:
l2-multicast-bind vlan vlanid1 [ to vlanid2 ] mvlan mvlanid

User VLANs are bound to a multicast VLAN on the interface.


This command is used on user-side interfaces.

The user VLANs must exist, and cannot be multicast VLANs or user VLANs of another multicast
VLAN.
----End

Adding Interfaces to VLANs


Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Add a network-side interface to a multicast VLAN.
1. Run the interface interface-type interface-number command to enter the network-side
interface view.
2. Configure the network-side interface as a trunk or hybrid interface and add the interface to
the multicast VLAN. For the configuration procedure, see Dividing a LAN into VLANs
Based on Ports.
3. Run the quit command to return to the system view.

Step 3 Add a user-side interface to a user VLAN.
1. Run the interface interface-type interface-number command to enter the user-side interface
view.
2. Configure the user-side interface as a trunk or hybrid interface and add the interface to the
user VLAN. For the configuration procedure, see Dividing a LAN into VLANs Based on
Ports.

----End

Checking the Configuration


Procedure
l Run the display l2-multicast-bind [ mvlan vlan-id ] command to view information about
a multicast VLAN and user VLANs bound to the multicast VLAN on an interface.

----End

Example
Run the display l2-multicast-bind [ mvlan vlan-id ] command to view information about a
multicast VLAN and its user VLANs.
<Quidway> display l2-multicast-bind mvlan 90
------------------------------------------------------------------
Port                      Startvlan    Endvlan    Mvlan
------------------------------------------------------------------
GigabitEthernet0/0/1      901          -          90
------------------------------------------------------------------
Total Table(s) : 1


6.3.5 Configuring Many-to-Many Multicast VLAN Replication


This section describes how to bind multiple user VLANs to multiple multicast VLANs.

Establishing the Configuration Task


Applicable Environment
In many-to-one mode, a user VLAN can be added to only one multicast VLAN, and users in the
user VLAN can receive programs of only one multicast group. Many-to-many multicast VLAN
replication allows you to add a user VLAN to multiple multicast VLANs and specify multiple
multicast groups for users in the user VLAN.
When a user VLAN needs to be mapped to multiple multicast VLANs, enable the user VLAN
to be added to multiple multicast VLANs, and configure multicast flows.

Pre-configuration Tasks
Before configuring the many-to-many multicast VLANs, complete the following tasks:
l Connecting interfaces of the Switch and setting physical parameters for the interfaces to ensure
that the physical status of the interfaces is Up.
l Adding interfaces to the multicast VLAN and user VLAN.

Data Preparation
To configure many-to-many multicast VLANs, you need the following data.
l Multicast VLAN IDs
l User VLAN ID
l Type and number of an interface
l Multicast group address of the static flow in multicast VLANs

Enabling a User VLAN to Be Added to Multiple Multicast VLANs


Prerequisites
Before adding a user VLAN to multiple multicast VLANs, run the multicast flow-trigger
enable command.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
igmp-snooping enable

IGMP snooping is enabled globally.


Step 3 Run:
vlan vlan-id

A user VLAN is created and its view is displayed.


Step 4 Run:
igmp-snooping enable

IGMP snooping is enabled in the user VLAN.


Step 5 Run:
multicast flow-trigger enable

The user VLAN is enabled to be added to multiple multicast VLANs.


The multicast flow-trigger enable command can only be used in user VLANs.
----End

Adding a User VLAN to Multiple Multicast VLANs


Prerequisites
If a user in a user VLAN wants to receive multicast data in multiple multicast VLANs, repeat
the following steps to add the user VLAN to multiple multicast VLANs.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
vlan vlan-id

A VLAN is created and its view is displayed.


Step 3 Run:
igmp-snooping enable

IGMP snooping is enabled in the VLAN.


Step 4 Run:
multicast-vlan enable

Multicast VLAN replication is enabled and the current VLAN is configured as a multicast
VLAN.
After IP multicast is configured on the AC6605, no multicast VLAN can be configured.

Step 5 Run:
multicast-vlan user-vlan { { vlan-id1 [ to vlan-id2 ] } & <1-10> }

User VLANs are added to the multicast VLAN.


Before adding the user VLAN to multiple multicast VLANs, run the multicast flow-trigger
enable command in the user VLAN view to enable it to be added to multiple multicast VLANs.
----End

(Optional) Configuring a Static Flow in a Multicast VLAN


Context
When user VLANs need to join multiple multicast VLANs, you need to run the multicast flow-trigger enable command in the view of each user VLAN to enable the triggering of multicast
flows, and then configure static flows in each multicast VLAN. In this manner, the many-to-many mapping based on {UVLAN, Source, Group} is set up between user VLANs and multicast
VLANs.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
vlan vlan-id

The VLAN view is displayed.


Step 3 Run:
igmp-snooping enable

The IGMP snooping is enabled.


Step 4 Run:
multicast-vlan enable

The multicast VLAN is enabled.


Step 5 Run:
multicast static-flow { ipv4-group-address [ source ipv4-source-address ]}

A static flow is configured in a multicast VLAN.


By default, no static flow is configured in a multicast VLAN.
NOTE

Any two static flows in a multicast VLAN cannot be the same. Note that flows of the same multicast group
with different source IP addresses are considered as different flows.

----End

Adding Interfaces to VLANs



Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Add a network-side interface to a multicast VLAN.
1. Run the interface interface-type interface-number command to enter the network-side
interface view.
2. Configure the network-side interface as a trunk or hybrid interface and add the interface to
the multicast VLAN. For the configuration procedure, see Dividing a LAN into VLANs
Based on Ports.
3. Run the quit command to return to the system view.

Step 3 Add a user-side interface to a user VLAN.
1. Run the interface interface-type interface-number command to enter the user-side interface
view.
2. Configure the user-side interface as a trunk or hybrid interface and add the interface to the
user VLAN. For the configuration procedure, see Dividing a LAN into VLANs Based on
Ports.

----End

Checking the Configuration


Procedure
l Run the display multicast static-flow [ vlan vlan-id ] command to view the static flow in
a multicast VLAN.

----End

Example
# Run the display multicast static-flow [ vlan vlan-id ] command to view the static flow in
multicast VLAN 10.
<Quidway> display multicast static-flow
------------------------------------------------------------------
Vlan        (Source, Group)
------------------------------------------------------------------
10          (*, 225.1.1.1)
------------------------------------------------------------------
Total Table(s) : 1

6.3.6 Configuration Examples


This section provides configuration examples of multicast VLAN replication.

Example for Configuring Multicast VLAN Replication Based on User VLANs



Networking Requirements
As shown in Figure 6-8, RouterA is connected to the multicast source. GE 1/0/0 of RouterA is
connected to GE0/0/1 of SwitchA. GE0/0/1 of SwitchA belongs to VLAN 10. HostA, HostB,
and HostC are connected to GE0/0/2, GE0/0/3, and GE0/0/4 of SwitchA and belong to VLAN
100, VLAN 200, and VLAN 300 respectively.
To save network bandwidth, you can configure multicast VLAN replication based on user
VLANs on SwitchA. RouterA then only needs to send one copy of multicast data to the multicast
VLAN, and SwitchA distributes multicast data to user VLANs.
Figure 6-8 Networking diagram for configuring multicast VLAN replication based on user VLANs (figure: the Source connects to RouterA; GE1/0/0 of RouterA connects to GE0/0/1 of SwitchA in VLAN10; GE0/0/2, GE0/0/3 and GE0/0/4 of SwitchA connect to receivers HostA, HostB and HostC in VLAN100, VLAN200 and VLAN300)

Configuration Roadmap
The configuration roadmap is as follows:
1. Enable IGMP snooping globally.
2. Create a multicast VLAN and enable IGMP snooping in the multicast VLAN.
3. Create user VLANs and enable IGMP snooping in the user VLANs.
4. Bind the user VLANs to the multicast VLAN.
5. Add the network-side interface and user-side interfaces to VLANs as hybrid interfaces.

Data Preparation
To complete the configuration, you need the following data:
l Interface connected to RouterA and the VLAN that the interface belongs to
l User-side interfaces and the VLANs that the interfaces belong to


Procedure
Step 1 Enable IGMP snooping globally.
<SwitchA> system-view
[SwitchA] igmp-snooping enable

Step 2 Create a multicast VLAN and enable IGMP snooping in the multicast VLAN.
[SwitchA] vlan 10
[SwitchA-vlan10] igmp-snooping enable
[SwitchA-vlan10] multicast-vlan enable
[SwitchA-vlan10] quit

Step 3 Create user VLANs and enable IGMP snooping in the user VLANs.
[SwitchA] vlan 100
[SwitchA-vlan100] igmp-snooping enable
[SwitchA-vlan100] quit
[SwitchA] vlan 200
[SwitchA-vlan200] igmp-snooping enable
[SwitchA-vlan200] quit
[SwitchA] vlan 300
[SwitchA-vlan300] igmp-snooping enable
[SwitchA-vlan300] quit

Step 4 Bind user VLANs 100, 200, and 300 to multicast VLAN 10.
[SwitchA] vlan 10
[SwitchA-vlan10] multicast-vlan user-vlan 100 200 300
[SwitchA-vlan10] quit

Step 5 Add interfaces to VLANs as hybrid interfaces.


# Add GE0/0/1 to multicast VLAN 10.
[SwitchA] interface gigabitethernet0/0/1
[SwitchA-GigabitEthernet0/0/1] port hybrid pvid vlan 10
[SwitchA-GigabitEthernet0/0/1] port hybrid untagged vlan 10
[SwitchA-GigabitEthernet0/0/1] quit

# Add GE0/0/2, GE0/0/3, and GE0/0/4 to user VLANs 100, 200, and 300 respectively.
[SwitchA] interface gigabitethernet0/0/2
[SwitchA-GigabitEthernet0/0/2] port hybrid pvid vlan 100
[SwitchA-GigabitEthernet0/0/2] port hybrid untagged vlan 100
[SwitchA-GigabitEthernet0/0/2] quit
[SwitchA] interface gigabitethernet0/0/3
[SwitchA-GigabitEthernet0/0/3] port hybrid pvid vlan 200
[SwitchA-GigabitEthernet0/0/3] port hybrid untagged vlan 200
[SwitchA-GigabitEthernet0/0/3] quit
[SwitchA] interface gigabitethernet0/0/4
[SwitchA-GigabitEthernet0/0/4] port hybrid pvid vlan 300
[SwitchA-GigabitEthernet0/0/4] port hybrid untagged vlan 300
[SwitchA-GigabitEthernet0/0/4] quit

Step 6 Verify the configuration.


View information about the multicast VLAN and user VLANs on SwitchA.
[SwitchA] display multicast-vlan vlan
Total multicast vlan 1
multicast-vlan    user-vlan number    snooping-state
----------------------------------------------------------------
10                3                   IGMP Enable /MLD Disable
[SwitchA] display user-vlan vlan
Total user vlan 3
user-vlan    snooping-state              multicast-vlan    snooping-state
-----------------------------------------------------------------------------
100          IGMP Enable /MLD Disable    10                IGMP Enable /MLD Disable
200          IGMP Enable /MLD Disable    10                IGMP Enable /MLD Disable
300          IGMP Enable /MLD Disable    10                IGMP Enable /MLD Disable

----End

Configuration Files
l Configuration file of SwitchA


#
sysname SwitchA
#
vlan batch 10 100 200 300
#
igmp-snooping enable
#
vlan 10
igmp-snooping enable
multicast-vlan enable
multicast-vlan user-vlan 100 200 300
#
vlan 100
igmp-snooping enable
#
vlan 200
igmp-snooping enable
#
vlan 300
igmp-snooping enable
#
interface GigabitEthernet0/0/1
port hybrid pvid vlan 10
port hybrid untagged vlan 10
#
interface GigabitEthernet0/0/2
port hybrid pvid vlan 100
port hybrid untagged vlan 100
#
interface GigabitEthernet0/0/3
port hybrid pvid vlan 200
port hybrid untagged vlan 200
#
interface GigabitEthernet0/0/4
port hybrid pvid vlan 300
port hybrid untagged vlan 300
#
return

Example for Configuring Multicast VLAN Replication Based on Interfaces


Networking Requirements
As shown in Figure 6-9, the Router is connected to the multicast source. GE0/0/1 of SwitchA
is connected to the Router. GE0/0/2 provides services for ISP1, and GE0/0/3 provides services
for ISP2. ISP1 and ISP2 use multicast VLAN 2 and VLAN 3 respectively to provide multicast
services for users. GE0/0/2 and GE0/0/3 belong to user VLAN 10.
To protect interests of the ISPs and ensure that multicast packets of each ISP are only sent to
users of the ISP, multicast VLANs and user VLANs can be bound on the user-side interfaces.
After the configuration is complete, multicast data of an ISP will be sent only to the interface
connected to the ISP.

Figure 6-9 Networking diagram for configuring multicast VLAN replication based on interfaces (figure: the Source connects to the Router, whose GE1/0/0 connects to GE0/0/1 of SwitchA; GE0/0/2 serves ISP1 and GE0/0/3 serves ISP2, both in VLAN10, with receivers HostA and HostB; multicast packets arrive in Multicast VLAN 2 and Multicast VLAN 3)

Configuration Roadmap
The configuration roadmap is as follows:
1. Enable IGMP snooping globally.
2. Create multicast VLANs 2 and 3 and enable IGMP snooping in the multicast VLANs.
3. Create user VLAN 10.
4. Bind the user VLAN to multicast VLANs on GE 0/0/2 and GE 0/0/3.
5. Add the network-side interface and user-side interfaces to VLANs as hybrid interfaces.

Data Preparation
To complete the configuration, you need the following data:
l Interface connected to the Router and the VLAN that the interface belongs to
l User-side interfaces and the VLANs that the interfaces belong to

Procedure
Step 1 Create multicast VLANs 2 and 3 and enable IGMP snooping in the multicast VLANs.
<SwitchA> system-view
[SwitchA] igmp-snooping enable
[SwitchA] vlan 2
[SwitchA-vlan2] igmp-snooping enable
[SwitchA-vlan2] quit
[SwitchA] vlan 3
[SwitchA-vlan3] igmp-snooping enable
[SwitchA-vlan3] quit

Step 2 Create user VLAN 10.
[SwitchA] vlan batch 10

Step 3 Bind the user VLAN to multicast VLANs on GE 0/0/2 and GE 0/0/3.
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] l2-multicast-bind vlan 10 mvlan 2
[SwitchA-GigabitEthernet0/0/2] quit
[SwitchA] interface gigabitethernet 0/0/3
[SwitchA-GigabitEthernet0/0/3] l2-multicast-bind vlan 10 mvlan 3
[SwitchA-GigabitEthernet0/0/3] quit

Step 4 Add GE0/0/1 to the multicast VLANs, and add GE 0/0/2 and GE 0/0/3 to the user VLAN.
# Add GE0/0/1 to multicast VLANs 2 and 3 as a trunk interface.
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 2 3
[SwitchA-GigabitEthernet0/0/1] quit

# Add GE0/0/2 and GE0/0/3 to VLAN 10 as hybrid interfaces.


[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port hybrid pvid vlan 10
[SwitchA-GigabitEthernet0/0/2] port hybrid untagged vlan 10
[SwitchA-GigabitEthernet0/0/2] quit
[SwitchA] interface gigabitethernet 0/0/3
[SwitchA-GigabitEthernet0/0/3] port hybrid pvid vlan 10
[SwitchA-GigabitEthernet0/0/3] port hybrid untagged vlan 10
[SwitchA-GigabitEthernet0/0/3] quit

Step 5 Verify the configuration.


Run the display l2-multicast-bind [ mvlan vlan-id ] command on SwitchA to view the bindings
between user VLANs and multicast VLANs.
[SwitchA] display l2-multicast-bind
------------------------------------------------------------------
Port                      Startvlan    Endvlan    Mvlan
------------------------------------------------------------------
GigabitEthernet0/0/2      10           -          2
GigabitEthernet0/0/3      10           -          3
------------------------------------------------------------------
Total Table(s) : 2

----End

Configuration Files
l Configuration file of SwitchA


#
sysname SwitchA
#
vlan batch 2 to 3 10
#
igmp-snooping enable
#
vlan 2
igmp-snooping enable
#
vlan 3
igmp-snooping enable
#
interface GigabitEthernet0/0/2
port hybrid pvid vlan 10
port hybrid untagged vlan 10
l2-multicast-bind vlan 10 mvlan 2
#
interface GigabitEthernet0/0/3
port hybrid pvid vlan 10
port hybrid untagged vlan 10
l2-multicast-bind vlan 10 mvlan 3
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 2 to 3
#
return

Example for Configuring Many-to-Many Multicast VLANs


Networking Requirements
As shown in Figure 6-10, GE 0/0/1 of Switch is connected to Router A and receives multicast
data from Router A through multicast VLAN 10. GE 0/0/2 of Switch is connected to Router B
and receives multicast data from Router B through multicast VLAN 20. GE 0/0/3 of Switch is
connected to the user VLAN.
The user needs to receive data of multicast group 225.1.1.1 from Router A and receive data of
multicast group 225.1.2.1 from Router B.
Figure 6-10 Networking diagram of many-to-many multicast VLAN replication based on user VLANs (figure: RouterA with source S1 reaches GE0/0/1 of the Switch through MVLAN10, RouterB with source S2 reaches GE0/0/2 through MVLAN20, and the Receiver hangs off GE0/0/3 in UVLAN100)

Configuration Roadmap
The configuration roadmap is as follows:
1. Enable IGMP snooping in the system view.
2. Create multicast VLANs and enable IGMP snooping in the multicast VLAN.
3. Create a user VLAN and enable IGMP snooping in the user VLAN. Enable the triggering
of the multicast flow in the user VLAN.
4. Add the user VLAN to multiple multicast VLANs and configure the static multicast flow
in the multicast VLANs.
5. Add the network-side interfaces and user-side interface to VLANs as hybrid interfaces.

Data Preparation
To complete the configuration, you need the following data:
l Interfaces connected to the routers and the multicast VLANs that the interfaces belong to
l Interfaces connected to the user and the multicast VLANs that the interfaces belong to

Procedure
Step 1 Enable IGMP snooping in the system view.
<Switch> system-view
[Switch] igmp-snooping enable

Step 2 Create multicast VLANs 10 and 20 and enable IGMP snooping in the multicast VLANs.
[Switch] vlan 10
[Switch-vlan10] igmp-snooping enable
[Switch-vlan10] multicast-vlan enable
[Switch-vlan10] quit
[Switch] vlan 20
[Switch-vlan20] igmp-snooping enable
[Switch-vlan20] multicast-vlan enable
[Switch-vlan20] quit

Step 3 Create user VLAN 100 and enable IGMP snooping in the user VLAN. Enable the triggering of
the multicast flow in the user VLAN.
[Switch] vlan 100
[Switch-vlan100] igmp-snooping enable
[Switch-vlan100] multicast flow-trigger enable
[Switch-vlan100] quit

Step 4 Add user VLAN 100 to multicast VLANs 10 and 20 and configure the static multicast flow in
the multicast VLANs.
[Switch] vlan 10
[Switch-vlan10] multicast-vlan user-vlan 100
[Switch-vlan10] multicast static-flow 225.1.1.1
[Switch-vlan10] quit
[Switch] vlan 20
[Switch-vlan20] multicast-vlan user-vlan 100
[Switch-vlan20] multicast static-flow 225.1.2.1
[Switch-vlan20] quit

Step 5 Add interfaces to VLANs as hybrid interfaces.


# Add GE 0/0/1 to multicast VLAN 10. Add GE 0/0/2 to multicast VLAN 20.
[Switch] interface gigabitethernet 0/0/1
[Switch-GigabitEthernet0/0/1] port hybrid pvid vlan 10
[Switch-GigabitEthernet0/0/1] port hybrid untagged vlan 10
[Switch-GigabitEthernet0/0/1] quit
[Switch] interface gigabitethernet 0/0/2
[Switch-GigabitEthernet0/0/2] port hybrid pvid vlan 20
[Switch-GigabitEthernet0/0/2] port hybrid untagged vlan 20
[Switch-GigabitEthernet0/0/2] quit

# Add GE 0/0/3 to user VLAN 100.


[Switch] interface gigabitethernet 0/0/3
[Switch-GigabitEthernet0/0/3] port hybrid pvid vlan 100
[Switch-GigabitEthernet0/0/3] port hybrid untagged vlan 100
[Switch-GigabitEthernet0/0/3] quit

Step 6 Verify the configuration.


# Run the display user-vlan vlan command. You can see that the user VLAN has been added
to multicast VLANs 10 and 20.
[Quidway] display user-vlan vlan
Total user vlan 2
user-vlan    snooping-state              multicast-vlan    snooping-state
-----------------------------------------------------------------------------
100          IGMP Enable /MLD Disable    10                IGMP Enable /MLD Disable
100          IGMP Enable /MLD Disable    20                IGMP Enable /MLD Disable

# Run the display multicast static-flow command to view the static multicast flow in the
multicast VLANs. Users in the user VLAN can be added to the multicast group.
[Quidway] display multicast static-flow
------------------------------------------------------------------
Vlan        (Source, Group)
------------------------------------------------------------------
10          (*, 225.1.1.1)
20          (*, 225.1.2.1)
------------------------------------------------------------------
Total Table(s) : 2

----End

Configuration File
l Configuration file of the Switch


#
sysname Switch
#
vlan batch 10 20 100
#
igmp-snooping enable
#
vlan 10
igmp-snooping enable
multicast-vlan enable
multicast static-flow 225.1.1.1
multicast-vlan user-vlan 100
#
vlan 20
igmp-snooping
enable
multicast-vlan
enable
multicast static-flow 225.1.2.1
multicast-vlan user-vlan 100
#
vlan 100
multicast flow-trigger enable
igmp-snooping enable
#
interface GigabitEthernet0/0/3
port hybrid pvid vlan 100
port hybrid untagged vlan 100
#
interface GigabitEthernet0/0/1

Issue 04 (2013-06-15)

Huawei Proprietary and Confidential


Copyright Huawei Technologies Co., Ltd.

1152

AC6605 Access Controller


Configuration Guide

6 Configuration Guide - Multicast

port hybrid pvid vlan 10


port hybrid untagged vlan 10
#
interface GigabitEthernet0/0/2
port hybrid pvid vlan 20
port hybrid untagged vlan 20
#
return

6.4 IGMP Configuration


This chapter describes the procedure for configuring IGMP and commands for maintaining
IGMP, and provides configuration examples.

6.4.1 Introduction to IGMP


This section describes the principle of IGMP.
In the TCP/IP protocol suite, the Internet Group Management Protocol (IGMP) manages IPv4
multicast members. It sets up and maintains the multicast membership between IP hosts and
adjacent multicast routers.
As a routing switch, the AC6605 supports IP multicast. When IGMP is configured, the
AC6605 can be used as a multicast switch. IGMP is the signaling mechanism of the host towards
the AC6605, which is used by IP multicast in an end user network. IGMP needs to be enabled
on hosts and on AC6605s.
NOTE

l Whether the host supports IGMP depends on the used operating system.
l The switch mentioned in the following contents is an AC6605 supporting the Layer 3 multicast protocol
and multicast router function.

All receiver hosts that participate in multicast transmission must be enabled with IGMP.
A host can join or leave a multicast group at any time and from any position. The number
of members of a multicast group is not limited.

Through IGMP, a multicast L3 device can know whether there is a multicast group receiver,
namely, a group member, on the network segment to which an interface of the router is
connected. Each host needs to save only the information about the groups that the host itself
joins.

At present, IGMP has three versions: IGMPv1 (defined by RFC 1112), IGMPv2 (defined by
RFC 2236), and IGMPv3 (defined by RFC 3376). All IGMP versions support the Any-Source
Multicast (ASM) model. IGMPv3 can be directly applied to the Source-Specific Multicast
(SSM) model, while IGMPv1 and IGMPv2 require the support of SSM mapping.

6.4.2 IGMP Features Supported by the AC6605


This section describes IGMP features supported by the AC6605.

Basic IGMP Functions


The basic IGMP features that the AC6605 supports are as follows:
l Supporting IGMPv1, IGMPv2, and IGMPv3, with a configurable version.
l Supporting static IGMP.
l Configuring the range of multicast groups that an interface can join.

Router-Alert Option
IGMPv2 and IGMPv3 have the Group-Specific and Source/Group-Specific Query messages.
The groups are varied and an AC6605 cannot join all groups. Therefore, the IGMP needs to use
the Router-Alert option. Then the IGMP can send messages for the groups that the local
AC6605 does not join to the upper-level protocol for processing.
You can determine whether to set the Router-Alert option in the IGMP messages to be sent and
whether the received IGMP messages must contain the Router-Alert option.

IGMP Query Controller


For IGMPv1, you can set the interval for sending General Query messages and robustness
variable.
NOTE

IGMPv1 does not support querier election. Therefore, you need to enable PIM for querier election.

For IGMPv2, you can set the interval for sending General Query messages, robustness variable,
maximum response duration of IGMP Query messages, and IGMP prompt leave.
For IGMPv3, you can set the interval for sending General Query messages, robustness variable,
and maximum response time of IGMP Query messages.

SSM-Mapping
An AC6605 can serve hosts of IGMPv1 and IGMPv2 after you configure SSM-Mapping on the
AC6605.

IGMP Limit
The IGMP limit function is applicable to IPv4 PIM-SM and IPv4 PIM-DM networks.
To limit the number of users accessing IP core networks, you can configure the IGMP limit
function:
l Configure the maximum number of global IGMP group memberships on an AC6605.
l Configure the maximum number of IGMP group memberships on an interface.
NOTE

If the IGMP limit function needs to be configured both globally and on an interface of the same
AC6605, it is recommended that the limits be set in descending order: the global limit on the
number of IGMP group memberships larger than the limit on the interface.

IGMP CPCAR Precautions


When there are a large number of multicast groups, IGMP packets are transmitted at a rate higher
than the default CIR rate. This may result in the loss of IGMP protocol packets and failure to
receive multicast programs. To avoid the problems, set an appropriate CIR value to prevent CPU
overload. For details, see 8.7.2 Local Attack Defense Features Supported by the AC6605 in
Configuration Guide - Security.

6.4.3 Configuring Basic IGMP Functions


This section describes how to configure and apply IGMP.

Establishing the Configuration Task


Applicable Environment
IGMP is applied to the network segment in which a host is connected to an AC6605. IGMP
needs to run on both the AC6605 and the host. The following contents describe how to configure
IGMP on an AC6605.
You must enable IP multicast routing before configuring IGMP. IP multicast routing is the
prerequisite of configuring all multicast functions. If IP multicast routing is disabled, the
multicast-related configurations cannot take effect.
IGMP needs to be enabled on the VLANIF interface that is connected to the host. The matching
IGMP version needs to be configured on the AC6605 and host because the IGMP messages vary
according to version. The later version on the AC6605 side is compatible with the earlier version
on the host side. Other configurations can be performed only after IGMP is enabled.
The host where the IGMP is run responds to the IGMP Query message of the AC6605. If the
host gives no response and the operation times out, the AC6605 considers that the multicast
group does not contain any member on the network segment and cancels data forwarding.
To enable hosts on the network segment of the interface to join the specified groups and receive
packets from the groups, you can set an ACL on the related interface to limit the range of groups
that the interface serves.

Pre-configuration Tasks
Before configuring basic IGMP functions, complete the following tasks:
l Configuring the parameters of the link layer protocol and the IP address of the interface to
enable the link-layer protocol
l Configuring the unicast routing protocol to ensure that IP routes between nodes are
reachable

Data Preparation
To configure basic IGMP functions, you need the following data.
No.   Data
1     ID of the VLAN to which the interface communicating with the host belongs
2     IGMP version
3     IP addresses of the multicast group and multicast source
4     ACL rule for filtering multicast groups

Enabling IP Multicast
Context
The IP multicast function is the prerequisite of configuring other multicast protocols. Do as
follows on the AC6605 connected to a host.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
multicast routing-enable

IP multicast routing is enabled.


By default, the IP multicast routing function is disabled on an AC6605.
----End

Enabling the IGMP Function


Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
interface interface-type interface-number

The interface view is displayed.


The interface can be a VLANIF interface or a loopback interface.
Step 3 Run:
igmp enable

The IGMP function is enabled.


By default, the IGMP function is disabled on an interface.
NOTE

If PIM-SM or PIM-DM is also required on this interface, PIM-SM or PIM-DM must be enabled before
IGMP is enabled.

----End

(Optional) Specifying the IGMP Version



Context

CAUTION
Make sure that all the interfaces on AC6605s are configured with IGMP of the same version on
one network segment. By default, IGMPv2 is adopted.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
interface interface-type interface-number

The interface view is displayed.


The interface can be a VLANIF interface or a loopback interface.
Step 3 Run:
igmp version { 1 | 2 | 3 }

The IGMP version is specified on the interface.


----End

(Optional) Configuring a Static IGMP Group


Context
After an interface is added to a multicast group statically, the AC6605 considers that multicast
group members exist on the network segment that the interface belongs to. Therefore,
AC6605 receives the multicast data sent to the multicast group.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
interface interface-type interface-number

The interface view is displayed.


The interface can be a VLANIF interface or a loopback interface.
Step 3 Run:
igmp static-group group-address [ inc-step-mask { group-mask | group-mask-length }
number group-number ] [ source source-address ]


The interface is added to the multicast group or multicast source group statically.
If a loopback interface is used, the AC6605 forwards the received data only when a user requests
the data, which reduces bandwidth and CPU usage. If a VLANIF interface is used, the AC6605
forwards the received data immediately.
By default, an interface is not statically added to any multicast group.
----End

(Optional) Configuring an IGMP Multicast Group Policy


Context
To enable hosts on the network to which the interface is connected to join the specified multicast
groups and to receive messages from the groups, you need to set an ACL rule on the related
interface to filter the received messages. In this case, the range of groups that the interface serves
can be limited.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
interface interface-type interface-number

The interface view is displayed.


The interface can be a VLANIF interface or a loopback interface.
Step 3 Run:
igmp group-policy acl-number [ 1 | 2 | 3 ]

The range of multicast groups that the interface can join is configured.
By default, an interface can join any multicast group.
----End
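The group policy above decides which groups an interface may serve; the IGMP limit feature introduced in 6.4.2 then caps how many memberships the AC6605 accepts globally and per interface. The following added example (not code from the AC6605 or from Huawei) models the admission decision a querier makes for each Report: it assumes a basic ACL is an ordered list of permit/deny prefixes, first match wins, a group no rule matches is denied, and reads the "descending order" recommendation as global limit greater than or equal to each interface limit.

```python
"""Join admission: igmp group-policy plus global and per-interface IGMP limits.
Added example, not AC6605 code. Assumptions: ordered permit/deny ACL rules,
first match wins, unmatched groups denied; the limit ordering check treats
'descending' as global >= interface."""
from ipaddress import IPv4Address, IPv4Network
from typing import Dict, List, Optional, Set, Tuple


class GroupPolicy:
    """Basic ACL applied with igmp group-policy (assumed semantics, see above)."""

    def __init__(self, rules: List[Tuple[str, str]]) -> None:
        self.rules = [(action, IPv4Network(prefix)) for action, prefix in rules]

    def permits(self, group: str) -> bool:
        g = IPv4Address(group)
        for action, network in self.rules:
            if g in network:
                return action == "permit"
        return False          # no matching rule: the group is not served


class IgmpJoinAdmission:
    def __init__(self, global_limit: Optional[int] = None,
                 interface_limits: Optional[Dict[str, int]] = None,
                 policies: Optional[Dict[str, GroupPolicy]] = None) -> None:
        self.global_limit = global_limit                 # igmp global limit
        self.interface_limits = interface_limits or {}   # per-interface igmp limit
        self.policies = policies or {}                   # per-interface igmp group-policy
        self.memberships: Set[Tuple[str, str]] = set()   # (interface, group) entries

    def interface_count(self, interface: str) -> int:
        return sum(1 for ifname, _ in self.memberships if ifname == interface)

    def join(self, interface: str, group: str) -> Tuple[bool, str]:
        """Admit a Report for group on interface, or say why it is refused."""
        if (interface, group) in self.memberships:
            return True, "already a member"
        policy = self.policies.get(interface)
        if policy is not None and not policy.permits(group):
            return False, "denied by igmp group-policy"
        limit = self.interface_limits.get(interface)
        if limit is not None and self.interface_count(interface) >= limit:
            return False, f"interface limit {limit} reached"
        if self.global_limit is not None and len(self.memberships) >= self.global_limit:
            return False, f"global limit {self.global_limit} reached"
        self.memberships.add((interface, group))
        return True, "joined"

    def leave(self, interface: str, group: str) -> None:
        """A Leave (or membership timeout) frees the entry for the next Report."""
        self.memberships.discard((interface, group))

    def limits_in_descending_order(self) -> bool:
        """Recommendation from 6.4.2: the global limit should not be below any interface limit."""
        if self.global_limit is None:
            return True
        return all(self.global_limit >= v for v in self.interface_limits.values())


if __name__ == "__main__":
    # Constructed sample: VLANIF 3 may only serve 225.0.0.0/8, two members per interface, three overall.
    policy = GroupPolicy([("permit", "225.0.0.0/8"), ("deny", "0.0.0.0/0")])
    querier = IgmpJoinAdmission(global_limit=3, interface_limits={"Vlanif3": 2, "Vlanif4": 2},
                                policies={"Vlanif3": policy})
    for ifname, group in [("Vlanif3", "225.0.0.10"), ("Vlanif3", "232.1.1.1"),
                          ("Vlanif3", "225.0.0.11"), ("Vlanif3", "225.0.0.12"),
                          ("Vlanif4", "225.0.0.10"), ("Vlanif4", "225.0.0.11")]:
        print(ifname, group, querier.join(ifname, group))
```

The order of the checks matters operationally: a group the policy denies never consumes a limit slot, so a flood of Reports for unserved groups cannot exhaust the interface or global limit for legitimate receivers.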

Checking the Configuration


Prerequisites
The configuration of basic IGMP functions is complete.

Procedure
l Run the display igmp interface [ interface-type interface-number ] [ verbose ] command
to check the configuration and running status of IGMP on an interface.
l Run the display igmp group [ group-address | interface interface-type interface-number ] * static command to check the information about the members of the static IGMP
multicast group.
l Run the display igmp group [ group-address | interface interface-type interface-number ] * [ verbose ] command to check the information about the members that
dynamically join the IGMP multicast group.

----End

Example
Run the display igmp interface vlanif 3 command to check the configuration of IGMP on
VLANIF 3.
<Quidway> display igmp interface vlanif 3
Interface information
 Vlanif10 (100.0.0.3):
   IGMP is enabled
   Current IGMP version is 2
   IGMP state: up
   IGMP group policy: none
   IGMP limit:
   Value of query interval for IGMP (negotiated):
   Value of query interval for IGMP (configured): 60 s
   Value of other querier timeout for IGMP:
   Value of maximum query response time for IGMP: 10 s
   Querier for IGMP: 100.0.0.3 (this router)

Run the display igmp group static command to check the information about the static IGMP
multicast group.
<Quidway> display igmp group static
Static join group information
 Total 2 entries, Total 2 active entries
 Group Address    Source Address   Interface   State   Expires
 225.0.0.10       0.0.0.0          Loop1       UP      never
 232.1.1.20       10.0.0.1         Vlanif3     UP      never

6.4.4 Setting the Parameters of IGMP Features


This section describes how to set the parameters of IGMP features.

Context
By default, IGMP can work normally. In the AC6605, you can change the values of related
parameters according to the specific network environment. You can perform the following
configurations as required.
NOTE

l The configuration in the IGMP view is valid globally. The configuration in the interface view is valid
only for the specific interface.
l If a parameter is configured in both the interface view and the IGMP view, the value set in the
interface view takes effect. If the parameter is not configured in the interface view, the value
configured in the IGMP view takes effect.

Establishing the Configuration Task



Applicable Environment
IGMPv2 and IGMPv3 have the Group-Specific and Source/Group-Specific Query messages.
The groups are varied and an AC6605 cannot join all groups. Therefore, the IGMP needs to use
the Router-Alert option. Then the IGMP can send messages for the groups that the local device
does not join to the upper protocol for processing.
The IGMP querier periodically sends IGMP Query messages on the shared network connected
to receivers. When receiving a Report message from a member, the querier updates information
about the membership. If non-queriers do not receive any General Query message within the
Keepalive period of the IGMP querier, the querier is considered faulty, and a new round of the
querier election is triggered automatically.
In some cases, each port connects to exactly one host, so the querier serves only one receiver
host on that port. When such a receiver host switches between multiple groups frequently, you
can enable the prompt leave mechanism on the querier.

Pre-configuration Tasks
Before configuring IGMP message options and timers, complete the following tasks:
l Configuring the unicast routing protocol to ensure that IP routes between nodes are reachable
l 6.4.3 Configuring Basic IGMP Functions

Data Preparation
To configure IGMP message options and related timers, you need the following data.
No.   Data
1     Whether the Router-Alert option is contained in the packet
2     Interval for sending IGMP General Query messages
3     IGMP robustness variable
4     Maximum response duration of the IGMP Query messages
5     Keepalive period of the other IGMP queriers
6     Interval for sending IGMP Group-Specific Query messages
7     ACL that limits the application range of prompt leave

Configuring IGMP Message Options


Context
The Router-Alert option requires the AC6605 to send the received IGMP messages that have
not been added to IGMP groups to the upper layer protocol. By default, the AC6605 sends IGMP
messages containing the Router-Alert option, but does not check the Router-Alert option in the
received messages. That is, the AC6605 processes all the received IGMP messages, regardless
of whether the messages contain the Router-Alert option. If require-router-alert is configured,
the AC6605 checks this option.
The Router-Alert option can be configured globally or on an interface.
l The global configuration is valid on each interface.
l The configuration on an interface is valid only for the specific interface. The configuration
on an interface takes precedence over the global configuration. If the Router-Alert option
is not configured on the interface, the global configuration is used.

Configuring IGMP message options globally

Procedure
1. Run:
system-view

The system view is displayed.

2. Run:
igmp

The IGMP view is displayed.

3. Run:
require-router-alert

The AC6605 is configured to ignore the IGMP messages that do not contain the
Router-Alert option.
4. Run:
send-router-alert

The AC6605 is configured to add the Router-Alert option to the IGMP message
header.
NOTE

After you run the send-router-alert command, information about the Router-Alert option will
not be displayed when you view the current configuration. To view information about the
Router-Alert option, run the undo send-router-alert command first.

Configuring IGMP message options for the interface

1. Run:
system-view

The system view is displayed.

2. Run:
interface interface-type interface-number

The interface view is displayed.

The interface can be a VLANIF interface or a loopback interface.
3. Run:
igmp require-router-alert

The AC6605 is configured to ignore the IGMP messages that do not contain the
Router-Alert option.
4. Run:
igmp send-router-alert

The AC6605 is configured to add the Router-Alert option to the IGMP message
header.
NOTE

After you run the igmp send-router-alert command, information about the Router-Alert
option will not be displayed when you view the current configuration. To view information
about the Router-Alert option, run the undo igmp send-router-alert command first.

----End

Configuring the IGMPv1 Querier


Context
The IGMP querier can be configured globally or on an interface.
l The global configuration is valid on each interface.
l The configuration on an interface is valid only for the specific interface. The configuration
on an interface takes precedence over the global configuration. If the IGMP querier is not
configured on the interface, the global configuration is used.

When the IGMP version is IGMPv1, the configurable parameters of the IGMP querier include
the interval for sending IGMP General Query messages and IGMP robustness variable.

Procedure
l Configuring the global IGMP querier
1. Run:
system-view

The system view is displayed.

2. Run:
igmp

The IGMP view is displayed.

3. Run:
timer query interval

The interval for sending IGMP General Query messages is set.

By default, the interval for sending IGMP General Query messages is 60 seconds.
4. Run:
robust-count robust-value

The IGMP robustness variable is set.

When the AC6605 starts, the AC6605 sends General Query messages robust-value
times. The interval between the messages is 1/4 of the interval for sending IGMP
General Query messages. By default, the robustness variable is 2.
l Configuring the IGMP querier on an interface
1. Run:
system-view

The system view is displayed.

2. Run:
interface interface-type interface-number

The interface view is displayed.

The interface can be a VLANIF interface or a loopback interface.
3. Run:
igmp timer query interval

The interval for sending IGMP General Query messages is set.

By default, the interval for sending IGMP General Query messages is 60 seconds.
4. Run:
igmp robust-count robust-value

The IGMP robustness variable is set.

When the AC6605 starts, the AC6605 sends General Query messages robust-value
times. The interval between the messages is 1/4 of the interval for sending IGMP
General Query messages. By default, the robustness variable is 2.
----End

Configuring the IGMPv2 or IGMPv3 Querier


Context
The IGMP querier can be configured globally or on an interface.
l The global configuration is valid on each interface.
l The configuration on an interface is valid only for the specified interface. The configuration
on an interface takes precedence over the global configuration. If the IGMP querier is not
configured on the interface, the global configuration is used.

When the version of IGMP is IGMPv2 or IGMPv3, the configurable parameters of the IGMP
querier include the interval for sending IGMP General Query messages, interval for sending
IGMP Group-Specific Query messages, maximum response time for IGMP Query messages,
Keepalive period of other IGMP queriers, and IGMP robustness variable.
NOTE

In actual configuration, ensure that the interval for sending IGMP General Query messages is greater than
the maximum response time for IGMP Query messages and is smaller than the Keepalive period of other
IGMP queriers.

Procedure
l Configuring the IGMP querier globally
1. Run:
system-view

The system view is displayed.

2. Run:
igmp

The IGMP view is displayed.

3. Run:
timer query interval

The interval for sending IGMP General Query messages is set.

By default, the interval for sending IGMP General Query messages is 60 seconds.
4. Run:
robust-count robust-value

The IGMP robustness variable is set.

When the system starts, the system sends General Query messages the number of
times specified by the value of the robustness variable. The interval for sending these
General Query messages is 1/4 of the interval for sending IGMP General Query
messages.
When receiving a Leave message, the AC6605 sends IGMP Group-Specific Query
messages the number of times specified by the value of the robustness variable, at
the interval that you set.
By default, the robustness variable is 2.
5. Run:
max-response-time interval

The maximum response time for an IGMP Query message is set.

By default, the maximum response time for an IGMP Query message is 10 seconds.
6. Run:
timer other-querier-present interval

The Keepalive period of other IGMP queriers is set.

By default, the Keepalive period of other IGMP queriers = Robustness variable x
Interval for sending General Query messages + Maximum response time x 1/2. When
the values of the parameters in the formula are the default values, the Keepalive period
of other IGMP queriers is 125 seconds.
7. Run:
lastmember-queryinterval interval

The interval at which the AC6605 sends IGMP Group-Specific Query messages is set.
By default, the interval for sending IGMP Group-Specific Query messages is 1 second.
l Configuring the IGMP querier on an interface
1. Run:
system-view

The system view is displayed.

2. Run:
interface interface-type interface-number

The interface view is displayed.

The interface can be a VLANIF interface or a loopback interface.
3. Run:
igmp timer query interval

The interval for sending IGMP General Query messages is set.

By default, the interval for sending IGMP General Query messages is 60 seconds.
4. Run:
igmp robust-count robust-value

The IGMP robustness variable is set.

When the system starts, the system sends General Query messages the number of
times specified by the value of the robustness variable. The interval for sending these
messages is 1/4 of the interval for sending IGMP General Query messages.
When receiving a Leave message, the AC6605 sends IGMP Group-Specific Query
messages the number of times specified by the value of the robustness variable, at the
interval that you set.
By default, the robustness variable is 2.
5. Run:
igmp max-response-time interval

The maximum response time for IGMP Query messages is set.

By default, the maximum response time for an IGMP Query message is 10 seconds.
6. Run:
igmp timer other-querier-present interval

The Keepalive period of other IGMP queriers is set.

By default, Keepalive period of other IGMP queriers = Robustness variable x Interval
for sending General Query messages + Maximum response time x 1/2. When the
values of the parameters to the right of the equal sign are the default values, the
Keepalive period of other IGMP queriers is 125 seconds.
7. Run:
igmp lastmember-queryinterval interval

The interval at which the AC6605 sends IGMP Group-Specific Query messages is
set.
By default, the interval for sending IGMP Group-Specific Query messages is 1 second.
8. Run:
igmp on-demand

The (S, G) entry never times out. The interface does not send IGMP Query messages.
By default, the interface sends Query messages and participates in querier election.
NOTE

Both IGMPv2 and IGMPv3 support the igmp on-demand command.

----End
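The querier parameters above are coupled: the other-querier-present keepalive is derived from the robustness variable, the query interval and the maximum response time unless set explicitly, and the NOTE requires max response time < query interval < keepalive. The following added example (not AC6605 code) encodes those relationships with the defaults the text gives (60 s, 2, 10 s, 1 s), derives the startup and post-Leave query schedules, validates a candidate configuration against the NOTE, and merges interface-view values over IGMP-view values according to the precedence rule in this section.

```python
"""IGMPv2/v3 querier timer relationships as described in this section.
Added example, not AC6605 code; defaults are the ones stated in the text and
the global/interface merge follows the precedence rule given there."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class QuerierTimers:
    query_interval: float = 60.0                    # timer query (seconds)
    robust_count: int = 2                           # robust-count
    max_response_time: float = 10.0                 # max-response-time (seconds)
    other_querier_present: Optional[float] = None   # timer other-querier-present; None = derived
    lastmember_query_interval: float = 1.0          # lastmember-queryinterval (seconds)

    def effective_other_querier_present(self) -> float:
        """Keepalive of other queriers: the configured value, otherwise
        robustness x query interval + max response time / 2 (125 s with defaults)."""
        if self.other_querier_present is not None:
            return self.other_querier_present
        return self.robust_count * self.query_interval + self.max_response_time / 2

    def startup_query_times(self) -> List[float]:
        """Send offsets of the General Queries sent at startup:
        robust_count queries spaced at 1/4 of the query interval."""
        step = self.query_interval / 4
        return [round(i * step, 3) for i in range(self.robust_count)]

    def leave_query_times(self) -> List[float]:
        """Send offsets of the Group-Specific Queries sent after a Leave:
        robust_count queries spaced at the last-member query interval."""
        return [round(i * self.lastmember_query_interval, 3) for i in range(self.robust_count)]

    def validate(self) -> List[str]:
        """Check the ordering the NOTE requires:
        max response time < query interval < other-querier-present keepalive."""
        problems = []
        if self.query_interval <= self.max_response_time:
            problems.append("query interval must exceed the maximum response time")
        if self.query_interval >= self.effective_other_querier_present():
            problems.append("query interval must be smaller than the other-querier-present keepalive")
        return problems


def resolve_interface_timers(global_cfg: dict, interface_cfg: dict) -> QuerierTimers:
    """Interface-view values take precedence; unset interface values fall back to
    the IGMP view, and unset IGMP-view values to the defaults."""
    merged = {**{k: v for k, v in global_cfg.items() if v is not None},
              **{k: v for k, v in interface_cfg.items() if v is not None}}
    return QuerierTimers(**merged)


if __name__ == "__main__":
    defaults = QuerierTimers()
    print("keepalive with defaults:", defaults.effective_other_querier_present())
    print("startup General Queries at:", defaults.startup_query_times())
    print("problems with query interval 5 s:", QuerierTimers(query_interval=5).validate())
```

A query interval that violates the ordering is not a cosmetic error: if it exceeds the keepalive, non-queriers declare the querier dead before its next General Query arrives and trigger needless querier elections; if it is below the maximum response time, the next query is sent while hosts may still be answering the previous one.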

Configuring IGMP Prompt Leave



Context
After receiving a Leave message from a host, the querier reports the message to the upstream
router instead of sending a Last Member Query message. This process is called IGMP prompt
leave. In this manner, the delay in response is reduced and the bandwidth occupied by various
messages is saved.
NOTE

IGMP prompt leave is applicable to IGMPv2 and IGMPv3.

When the IGMP version is IGMPv1, the IGMP prompt leave does not take effect even if there is
information about this function in current configuration.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
interface interface-type interface-number

The interface view is displayed.


The interface can be a VLANIF interface or a loopback interface.
Step 3 Run:
igmp prompt-leave [ group-policy basic-acl-number ]

The AC6605 leaves the group immediately without sending the Last Member Query message.
By default, the AC6605 sends the Last Member Query message after receiving a Leave message
from a host.
----End

Checking the Configuration


Prerequisites
The configuration of basic IGMP functions and parameters is complete.

Procedure
l Run the display igmp group [ group-address | interface interface-type interface-number ] * [ static | verbose ] command to check the information about members of an
IGMP multicast group.
l Run the display igmp interface [ interface-type interface-number ] [ verbose ] command
to check the configuration and running status of IGMP on the interface.
l Run the display igmp routing-table [ group-address [ mask { group-mask | group-mask-length } ] | source-address [ mask { source-mask | source-mask-length } ] ]* [ static ]
command to check the information about the IGMP routing table.
Run the preceding commands, and you can obtain the following results:
l The membership information of the IGMP multicast group is correct.
l The configuration and running status of IGMP on an AC6605 interface are correct.
l A matched multicast forwarding interface exists in the downstream list of the (*, G) or
(S, G) entry.
----End

Example
Run the display igmp group interface vlanif 3 static command, and you can view the IGMP
configuration on VLANIF 3.
<Quidway> display igmp group interface vlanif 3 static
Static join group information
 Total 2 entries
 Specified interface state:UP
 Total 2 entries matched
 Group Address    Source Address   Expires
 232.1.1.1        10.0.0.1         never
 225.0.0.10       0.0.0.0          never

Run the display igmp routing-table command, and you can view the IGMP routing table.
NOTE

The IGMP routing table is generated only after PIM is enabled.


<Quidway> display igmp routing-table
Total 1 entry
00001. (*, 225.0.0.10)
List of 1 downstream interface
Vlanif3 (100.0.0.3),
Protocol: STATIC

6.4.5 Configuring SSM Mapping


This section describes the applications of SSM mapping and the method of configuring SSM
mapping.

Establishing the Configuration Task


Applicable Environment
In the network segment where the SSM model is used to provide multicast services, some hosts
must run IGMPv1 or IGMPv2 because of some limitations. To provide services for these hosts,
you need to configure the SSM static mapping on AC6605s.

Pre-configuration Tasks
Before configuring SSM mapping, complete the following tasks:
l Configuring the unicast routing protocol to ensure that the IP routes between nodes are
reachable
l Enabling the IGMP Function


Data Preparation
To configure SSM mapping, you need the following data.
No.   Data
1     Interface that needs to be enabled with SSM mapping
2     Addresses and masks of the multicast group and multicast source

Enabling SSM Mapping


Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
interface interface-type interface-number

The interface view is displayed.


The interface can be a VLANIF interface or a loopback interface.
Step 3 Run:
igmp enable

The IGMP function is enabled.


Step 4 Run:
igmp version 3

The version number of IGMP is set to 3.


To ensure that hosts running any IGMP version on the network segment can obtain SSM services,
it is recommended to run IGMPv3 on the AC6605 interface.
Step 5 Run:
igmp ssm-mapping enable

SSM mapping is enabled.


----End

Configuring the SSM Mapping Policy


Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
igmp

The IGMP view is displayed.


Step 3 Run:
ssm-mapping group-address { mask | mask-length } source-address

An SSM group is mapped to a source.


The IP addresses of SSM groups range from 232.0.0.0 to 232.255.255.255. You can run the
command repeatedly to map an SSM group to multiple sources.
l group-address { mask | mask-length }: specifies the group address and mask.
l source-address: specifies the address of the source mapping the SSM group.
----End

Checking the Configuration


Prerequisites
The configuration of SSM mapping is complete.

Procedure
l Run the display igmp group [ group-address | interface interface-type interface-number ]* ssm-mapping [ verbose ] command to check the address of a specific source or
group.
l Run the display igmp ssm-mapping { group [ group-address ] | interface [ interface-type interface-number ] } command to check the information about SSM mapping of a
specific source or group.

----End

Example
Run the display igmp ssm-mapping group [ group-address ] command, and you can view the
information about SSM mapping of a specified group address.
<Quidway> display igmp ssm-mapping group 232.0.0.1
IGMP SSM-Mapping conversion table
Total 2 entries
2 entries matched
00001. (10.0.0.1, 232.0.0.1)
00002. (10.0.0.2, 232.0.0.1)
Total 2 entries matched

Run the display igmp ssm-mapping interface interface-type interface-number command, and
you can view information about SSM mapping on a specified interface.
<Quidway> display igmp ssm-mapping interface vlanif 3
Info: IGMP SSM-Mapping is enabled


6.4.6 Configuring the IGMP Limit Function


This section describes how to configure the IGMP limit function.

Establishing the Configuration Task


Applicable Environment
To limit IPTV ICPs and the number of users accessing IP core networks, you can configure the
IGMP limit function.
The IGMP limit function is configured on the last-hop AC6605 connected to users. You can
perform the following configurations as required:
l Configure the maximum number of global IGMP group memberships on an AC6605.
l Configure the maximum number of IGMP group memberships on an interface.

Pre-configuration Tasks
Before configuring the IGMP limit function, complete the following task:
l Configuring a unicast routing protocol
l 6.4.3 Configuring Basic IGMP Functions

Data Preparation
To configure the IGMP limit function, you need the following data.
No.   Data
1     Maximum number of global IGMP group memberships
2     Maximum number of IGMP group memberships on an interface

Configuring the Maximum Number of Global IGMP Group Memberships


Context
Do as follows on the AC6605 connected to hosts.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
igmp global limit number

The maximum number of global IGMP entries is set.



NOTE

You can also configure the maximum number of global IGMP group memberships by running the limit number
command in the IGMP view.

----End

Configuring the Maximum Number of IGMP Group Memberships on an Interface


Context
Do as follows on the AC6605 connected to hosts.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
interface interface-type interface-number

The interface view is displayed.


The interface can be a VLANIF interface or a Loopback interface.
Step 3 Run:
igmp limit number

The maximum number of IGMP group memberships is set on the interface.


----End

Checking the Configuration


Procedure
l Run the display igmp interface [ interface-type interface-number ] [ verbose ] command to check the configuration and running of IGMP on an interface.

----End
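The following Python model is an added example, not AC6605 code, showing how the global limit and the per-interface limit interact. It assumes the interface names Vlanif10 and Vlanif20 and constructs a flood of membership reports on one interface to show that only the per-interface limit keeps such a flood from using up the global limit and starving the other interface.

```python
from collections import defaultdict
from typing import Dict, Optional, Set, Tuple


class IgmpMembershipTable:
    """Models the two IGMP limits described above (added example, not AC6605 code).

    'igmp global limit' caps the total number of (interface, group) memberships
    on the device; 'igmp limit' caps a single interface. A Report that would
    exceed either limit is refused, and a Report for a group the interface
    already holds only refreshes it, so a membership never counts twice.
    """

    def __init__(self, global_limit: Optional[int] = None) -> None:
        self.global_limit = global_limit
        self.iface_limit: Dict[str, int] = {}
        self.members: Dict[str, Set[str]] = defaultdict(set)
        # Worth exporting to monitoring: a rising count indicates a join flood.
        self.refused = 0

    def set_interface_limit(self, iface: str, limit: int) -> None:
        self.iface_limit[iface] = limit

    def total(self) -> int:
        return sum(len(groups) for groups in self.members.values())

    def join(self, iface: str, group: str) -> bool:
        """Return True if the membership is accepted (new or refreshed)."""
        held = self.members[iface]
        if group in held:
            return True  # periodic Report for a known group: refresh only
        if iface in self.iface_limit and len(held) >= self.iface_limit[iface]:
            self.refused += 1
            return False
        if self.global_limit is not None and self.total() >= self.global_limit:
            self.refused += 1
            return False
        held.add(group)
        return True

    def leave(self, iface: str, group: str) -> None:
        self.members[iface].discard(group)


def join_flood(iface_limit: Optional[int], global_limit: int, n_groups: int) -> Tuple[int, bool, int]:
    """Constructed scenario: a host on Vlanif10 reports n_groups distinct groups,
    then a legitimate host on Vlanif20 reports 225.1.1.1.

    Returns (memberships accepted on Vlanif10, whether the Vlanif20 join
    succeeded, number of refused Reports).
    """
    table = IgmpMembershipTable(global_limit)
    if iface_limit is not None:
        table.set_interface_limit("Vlanif10", iface_limit)
    accepted = sum(table.join("Vlanif10", f"225.1.{i // 256}.{i % 256}") for i in range(n_groups))
    other_ok = table.join("Vlanif20", "225.1.1.1")
    return accepted, other_ok, table.refused


if __name__ == "__main__":
    # With a per-interface limit the flood is contained and Vlanif20 still joins;
    # with only the global limit the flood fills the device and Vlanif20 is refused.
    print(join_flood(8, 10, 100))
    print(join_flood(None, 10, 100))
```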

6.4.7 Maintaining IGMP


This section describes how to maintain IGMP.

Clearing the Information About an IGMP Group


Context

CAUTION
The IGMP groups that an interface dynamically joined are deleted after you run the reset igmp
group command, and receivers may then stop receiving multicast data. Therefore, confirm
the action before running the command.
You can run the following commands to clear the information about an IGMP group in the user
view.

Procedure
l Run the reset igmp group { all | interface interface-type interface-number { all | group-address [ mask { group-mask | group-mask-length } ] [ source-address [ mask { source-mask | source-mask-length } ] ] } } command to clear the IGMP groups that the interface already dynamically joined.

----End

Monitoring the Running Status of IGMP


Context
To check the running status of IGMP during routine maintenance, run the following display
commands in any view.

Procedure
l Run the display igmp group [ group-address | interface interface-type interface-number ] [ static ] [ verbose ] command to check the information about the IGMP multicast group.
l Run the display igmp group ssm-mapping [ verbose ] command to check the information about the multicast group that is already configured with SSM mapping.
l Run the display igmp interface [ interface-type interface-number ] [ verbose ] command to check the configuration and running status of IGMP on the interface.
l Run the display igmp routing-table [ group-address [ mask { group-mask | group-mask-length } ] | source-address [ mask { source-mask | source-mask-length } ] ]* [ static ] [ outgoing-interface-number [ number ] ] command to check the information about the IGMP routing table.
l Run the display igmp ssm-mapping { group [ group-address ] | interface [ interface-type interface-number ] } command to check the information about SSM mapping of a specific source or group.

----End

Debugging IGMP

Context

CAUTION
Debugging affects the performance of the system. So, after debugging, run the undo debugging
all command to disable it immediately.

Procedure
l Run the debugging igmp { all | event | leave | report | query | timer } command to enable the debugging of IGMP.
l Run the debugging igmp ssm-mapping [ advanced-acl-number ] command to enable the debugging of SSM mapping.

----End

6.4.8 Configuration Examples


This section provides several configuration examples of IGMP.

Example for Configuring Basic IGMP Functions


Networking Requirements
On the network as shown in Figure 6-11, the unicast routing function is normal. You are required
to implement multicast on the network to enable hosts to receive the Video On Demand (VOD)
information.
When the hosts connected to a certain interface need to receive a popular program for a long
time, you can add the interface to a multicast group statically. As shown in the following figure,
if HostA needs to receive the multicast data from the multicast group 225.1.1.1 for a long time,
you need to add GE 0/0/1 on Switch A to the multicast group 225.1.1.1 statically.


Figure 6-11 Networking diagram for configuring basic IGMP functions

[Figure: receivers HostA and HostB on leaf network N1 and receivers HostC and HostD on leaf network N2 attach over Ethernet to SwitchA, SwitchB, and SwitchC, which interconnect through a PIM network. Interface assignments are listed below.]

Switch    Physical interface    VLANIF interface    IP address
SwitchA   GE 0/0/1              VLANIF 10           10.110.1.1/24
SwitchA   GE 0/0/2              VLANIF 11           192.168.1.1/24
SwitchB   GE 0/0/1              VLANIF 20           10.110.2.1/24
SwitchB   GE 0/0/2              VLANIF 21           192.168.2.1/24
SwitchC   GE 0/0/1              VLANIF 30           10.110.3.1/24
SwitchC   GE 0/0/2              VLANIF 31           192.168.3.1/24

Configuration Roadmap
The configuration roadmap is as follows:
1. Enable multicast on all switches providing multicast services.
2. Enable PIM-SM on all the interfaces on the switches.
3. Enable IGMP on the interfaces on the host side.
4. Add VLANIF 10 on Switch A to the multicast group 225.1.1.1 statically.

Data Preparation
To complete the configuration, you need the following data:
l Version of IGMP running between switches and hosts
l Static multicast group address: 225.1.1.1


NOTE

This configuration example describes only the commands used to configure IGMP.

Procedure
Step 1 Configure the IP addresses of interfaces and the unicast routing protocol on each switch.

Configure the IP address and mask of each interface according to Figure 6-11. Configure OSPF
to ensure the communication between Switch A, Switch B, and Switch C on the network layer,
and to ensure the dynamic update through the unicast routing protocol.
For details on how to configure IP addresses of interfaces, see 4.1.3 Configuring IP Addresses
for Interfaces in the AC6605 Access Controller Configuration Guide - Basic Configurations.
For details on how to configure OSPF, see OSPF Configuration in the AC6605 Access
Controller Configuration Guide - IP Routing.
Step 2 Enable multicast on all switches and PIM-SM on all interfaces.
# Enable multicast on Switch A and enable PIM-SM on all interfaces. The configurations of
Switch B and Switch C are similar to the configuration of Switch A and are not provided here.
[SwitchA] multicast routing-enable
[SwitchA] interface vlanif 10
[SwitchA-Vlanif10] pim sm
[SwitchA-Vlanif10] quit
[SwitchA] interface vlanif 11
[SwitchA-Vlanif11] pim sm
[SwitchA-Vlanif11] quit

Step 3 Enable IGMP on the interfaces connected to hosts.


# Enable IGMP on VLANIF 10 on Switch A and configure the IGMP version as IGMPv2. The
configurations of Switch B and Switch C are similar to the configuration of Switch A, and are
not provided here.
NOTE

By default, IGMPv2 is used and you do not need to set the IGMP version here. To use other IGMP versions,
run the igmp version command to set the version.
[SwitchA] interface vlanif 10
[SwitchA-Vlanif10] igmp enable
[SwitchA-Vlanif10] igmp version 2
[SwitchA-Vlanif10] quit

Step 4 Add VLANIF 10 on Switch A to the multicast group 225.1.1.1 statically. In this manner, the
hosts connected to VLANIF 10 can steadily receive the multicast data sent to the multicast group
225.1.1.1.
[SwitchA] interface vlanif 10
[SwitchA-Vlanif10] igmp static-group 225.1.1.1

Step 5 Verify the configuration.


# Run the display igmp interface command. You can check the configuration and running status
of IGMP on each interface. For example, the information about IGMP on VLANIF 10 of Switch
A is as follows:
[SwitchA] display igmp interface vlanif 10
Interface information
Vlanif 10(10.110.1.1):
IGMP is enabled
Current IGMP version is 2
IGMP state: up
IGMP group policy: none
IGMP limit: -
Value of query interval for IGMP (negotiated): -
Value of query interval for IGMP (configured): 60 s
Value of other querier timeout for IGMP: 0 s
Value of maximum query response time for IGMP: 10 s
Querier for IGMP: 10.110.1.1 (this router)

# Run the display igmp routing-table command on Switch A. You can check whether VLANIF
10 is added to the multicast group 225.1.1.1 statically. If the (*, 225.1.1.1) entry exists on Switch
A, the downstream interface is VLANIF 10, and the protocol type is STATIC, you can infer
that VLANIF 10 is added to the multicast group 225.1.1.1 statically.
[SwitchA] display igmp routing-table
Routing table of VPN-Instance: public net
Total 1 entry
00001. (*, 225.1.1.1)
List of 1 downstream interface
Vlanif10 (10.110.1.1),
Protocol: STATIC

----End

Configuration Files
l Configuration file of Switch A


#
sysname SwitchA
#
vlan batch 10 to 11
#
multicast routing-enable
#
interface Vlanif10
ip address 10.110.1.1 255.255.255.0
pim sm
igmp enable
igmp static-group 225.1.1.1
#
interface Vlanif11
ip address 192.168.1.1 255.255.255.0
pim sm
#
interface GigabitEthernet0/0/1
port hybrid tagged vlan 10
#
interface GigabitEthernet0/0/2
port hybrid tagged vlan 11
#
ospf 1
area 0.0.0.0
network 10.110.1.0 0.0.0.255
network 192.168.1.0 0.0.0.255
#
return

l Configuration file of Switch B


#
sysname SwitchB
#
vlan batch 20 to 21
#
multicast routing-enable
#
interface Vlanif20
ip address 10.110.2.1 255.255.255.0
pim sm
igmp enable
#
interface Vlanif21
ip address 192.168.2.1 255.255.255.0
pim sm
#
interface GigabitEthernet0/0/1
port hybrid tagged vlan 20
#
interface GigabitEthernet0/0/2
port hybrid tagged vlan 21


#
ospf 1
area 0.0.0.0
network 10.110.2.0 0.0.0.255
network 192.168.2.0 0.0.0.255
#
return

l Configuration file of Switch C


#
sysname SwitchC
#
vlan batch 30 to 31
#
multicast routing-enable
#
interface Vlanif30
ip address 10.110.3.2 255.255.255.0
pim sm
igmp enable
#
interface Vlanif31
ip address 192.168.3.1 255.255.255.0
pim sm
#
interface GigabitEthernet0/0/1
port hybrid tagged vlan 30
#
interface GigabitEthernet0/0/2
port hybrid tagged vlan 31
#
ospf 1
area 0.0.0.0
network 10.110.3.0 0.0.0.255
network 192.168.3.0 0.0.0.255
#
return

Example for Configuring SSM Mapping


Networking Requirements
On the multicast network as shown in Figure 6-12, PIM-SM is run and ASM and SSM models
are used to provide multicast services. IGMPv3 is run on the interface on the Switch connected
to the Receiver. The IGMP version on the Receiver is IGMPv2 and cannot be upgraded to
IGMPv3.
The range of SSM group addresses on the current network is 232.1.1.0/24. S1, S2, and S3 send
multicast data to the multicast group whose IP address is in this range. The Receiver receives
the multicast data only from S1 and S3.
Solution: Configure SSM mapping on SwitchD.


Figure 6-12 Networking of the SSM mapping configuration

[Figure: sources S1 (133.133.1.1/24), S2 (133.133.2.1/24), and S3 (133.133.3.1/24) attach to the GE 0/0/1 interfaces of Switch A, Switch B, and Switch C respectively; the Receiver (133.133.4.1/24) attaches to GE 0/0/1 of Switch D. The four switches form a PIM-SM domain interconnected through their GE 0/0/2 and GE 0/0/3 interfaces. Interface assignments are listed below.]

Switch    Physical interface    VLANIF interface    IP address
SwitchA   GE0/0/1               VLANIF 10           133.133.1.2/24
SwitchA   GE0/0/2               VLANIF 20           192.168.1.1/24
SwitchA   GE0/0/3               VLANIF 30           192.168.4.2/24
SwitchB   GE0/0/1               VLANIF 11           133.133.2.2/24
SwitchB   GE0/0/2               VLANIF 20           192.168.1.2/24
SwitchB   GE0/0/3               VLANIF 31           192.168.2.1/24
SwitchC   GE0/0/1               VLANIF 12           133.133.3.2/24
SwitchC   GE0/0/2               VLANIF 21           192.168.3.1/24
SwitchC   GE0/0/3               VLANIF 31           192.168.2.2/24
SwitchD   GE0/0/1               VLANIF 13           133.133.4.2/24
SwitchD   GE0/0/2               VLANIF 21           192.168.3.2/24
SwitchD   GE0/0/3               VLANIF 30           192.168.4.1/24

Configuration Roadmap
The configuration roadmap is as follows:
1. Enable SSM mapping on the interfaces of the switches connected to hosts.
2. Set the range of SSM group addresses on all the switches in the PIM-SM domain.
3. Configure the static SSM mapping rules on the switches where SSM mapping is enabled.

Data Preparation
To complete the configuration, you need the following data:
l Range of SSM multicast groups
l IP addresses of Source 1 and Source 3


NOTE

This configuration example describes only the commands used to configure SSM mapping.


Procedure
Step 1 Create VLANs and add interfaces to the VLANs.
Step 2 Configure the IP address of each VLANIF and the unicast routing protocol according to Figure
6-12.
Step 3 Enable IGMP and SSM mapping on the interfaces connected to hosts.
[SwitchD] multicast routing-enable
[SwitchD] interface vlanif 13
[SwitchD-Vlanif13] igmp enable
[SwitchD-Vlanif13] igmp version 3
[SwitchD-Vlanif13] igmp ssm-mapping enable
[SwitchD-Vlanif13] quit

Step 4 Configure the range of SSM group addresses.


# Set the range of SSM group addresses to 232.1.1.0/24 on all switches. The configurations of
Switch B, Switch C, and Switch D are similar to the configuration of Switch A and are not provided
here.
[SwitchA] acl number 2000
[SwitchA-Acl-Basic-2000] rule permit source 232.1.1.0 0.0.0.255
[SwitchA-Acl-Basic-2000] quit
[SwitchA] pim
[SwitchA-pim] ssm-policy 2000

Step 5 Configure static SSM mapping rules on the switches connected to hosts.
# Map the multicast group in the range of 232.1.1.0/24 to Source 1 and Source 3.
[SwitchD] igmp
[SwitchD-igmp] ssm-mapping 232.1.1.0 24 133.133.1.1
[SwitchD-igmp] ssm-mapping 232.1.1.0 24 133.133.3.1

# Check the information about SSM mapping of specific sources and group addresses on
switches.
[SwitchD] display igmp ssm-mapping group
IGMP SSM-Mapping conversion table
Total 2 entries
2 entries matched
00001. (133.133.1.1, 232.1.1.0/24)
00002. (133.133.3.1, 232.1.1.0/24)
Total 2 entries matched

Step 6 Verify the configuration.


# The Receiver joins the group 232.1.1.1.
# Run the display igmp group ssm-mapping command to view the information about the
specific sources or group addresses on the switches. Take the information about the specific
source or group address on Switch D for example:
[SwitchD] display igmp group ssm-mapping
IGMP SSM mapping interface group report information of VPN-Instance: public net
Vlanif10 (133.133.4.2):
Total 1 IGMP SSM-Mapping Group reported
Group Address    Last Reporter    Uptime      Expires
232.1.1.1        133.133.4.1      00:01:44    00:00:26
[SwitchD] display igmp group ssm-mapping verbose
Interface group report information of VPN-Instance: public net
Vlanif10 (133.133.4.2):
Total entry on this interface: 1
Total 1 IGMP SSM-Mapping Group reported
Group: 232.1.1.1

Uptime: 00:01:52
Expires: 00:00:18
Last reporter: 133.133.4.1
Last-member-queryCounter: 0
Last-member-query-timer-expiry: off
Group mode: exclude
Version1-host-present-timer-expiry: off
Version2-host-present-timer-expiry: 00:00:17

# Run the display pim routing-table command to view the PIM-SM multicast routing table on
a switch. Take the information displayed on Switch D for example:
[SwitchD] display pim routing-table
VPN-Instance: public net
Total 2 (S, G) entries
(133.133.1.1, 232.1.1.1)
RP: 192.168.3.2
Protocol: pim-ssm, Flag:EXT NIIF
UpTime: 00:11:25
Upstream interface: Vlanif30
Upstream neighbor: 192.168.4.2
RPF prime neighbor: 192.168.4.2
Downstream interface(s) information :
Total number of downstreams: 1
1: Vlanif13
Protocol: igmp, UpTime: 00:11:25, Expires:-
(133.133.3.1, 232.1.1.1)
RP: 192.168.3.2
Protocol: pim-ssm, Flag:EXT NIIF
UpTime: 00:11:25
Upstream interface: Vlanif21
Upstream neighbor: 192.168.3.1
RPF prime neighbor: 192.168.3.1
Downstream interface(s) information:
Total number of downstreams: 1
1: Vlanif13
Protocol: igmp, UpTime: 00:11:25, Expires:-

----End
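The conversion this example relies on, as an added Python model that is not part of the guide: the static rules configured on Switch D are parsed in both the mask and the mask-length form of the ssm-mapping command, and an IGMPv2 (*, G) report from the Receiver is translated into the (S, G) joins that appear in the PIM routing table above. The rule strings and report addresses are constructed from this example's values; only sources named in a rule are ever joined, which is why the Receiver gets traffic from S1 and S3 but never from S2.

```python
import ipaddress
from typing import List, Tuple

# IGMP SSM mapping only applies to groups in the SSM range 232.0.0.0/8.
SSM_RANGE = ipaddress.ip_network("232.0.0.0/8")

Rule = Tuple[ipaddress.IPv4Network, ipaddress.IPv4Address]


def parse_ssm_mapping(line: str) -> Rule:
    """Parse 'ssm-mapping group-address { mask | mask-length } source-address'.

    Constructed parser (not the VRP CLI): it accepts both the '24' and the
    '255.255.255.0' spelling of the mask and rejects groups outside 232.0.0.0/8.
    """
    parts = line.split()
    if parts and parts[0] == "ssm-mapping":
        parts = parts[1:]
    if len(parts) != 3:
        raise ValueError(f"malformed rule: {line!r}")
    group, mask, source = parts
    # ip_network accepts both a prefix length and a dotted netmask after '/'.
    prefix = ipaddress.ip_network(f"{group}/{mask}", strict=False)
    if not prefix.subnet_of(SSM_RANGE):
        raise ValueError(f"{prefix} is outside the SSM range {SSM_RANGE}")
    return prefix, ipaddress.ip_address(source)


def rule_accepted(line: str) -> bool:
    """True if the rule parses and lies inside the SSM range."""
    try:
        parse_ssm_mapping(line)
        return True
    except ValueError:
        return False


class SsmMapper:
    """Models the SSM-mapping conversion table of the last-hop device."""

    def __init__(self, rules: List[str]) -> None:
        # A group prefix may be mapped to several sources by repeating the command.
        self.table: List[Rule] = [parse_ssm_mapping(r) for r in rules]

    def conversion_table(self) -> List[str]:
        """Entries in the '(source, group/prefix)' form the display command lists."""
        return [f"({src}, {prefix})" for prefix, src in self.table]

    def map_report(self, group: str) -> List[Tuple[str, str]]:
        """Translate an IGMPv2 (*, G) membership report into (S, G) joins.

        An IGMPv2 host cannot name sources, so the device supplies them from
        the mapping table. Every rule whose prefix contains G contributes one
        (S, G) entry; an SSM group with no rule yields nothing, so traffic from
        an unlisted source (S2 in the example) is never pulled.
        """
        g = ipaddress.ip_address(group)
        return [(str(src), group) for prefix, src in self.table if g in prefix]


# Constructed from the Switch D configuration in the example above.
CONSTRUCTED_RULES = [
    "ssm-mapping 232.1.1.0 24 133.133.1.1",
    "ssm-mapping 232.1.1.0 255.255.255.0 133.133.3.1",
]

if __name__ == "__main__":
    mapper = SsmMapper(CONSTRUCTED_RULES)
    for entry in mapper.conversion_table():
        print(entry)
    # The Receiver joins 232.1.1.1 with IGMPv2: two (S, G) joins result.
    print(mapper.map_report("232.1.1.1"))
```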

Configuration Files
l Configuration file of Switch A


#
sysname SwitchA
#
vlan batch 10 20 30
#
multicast routing-enable
#
acl number 2000
rule 5 permit source 232.1.1.0 0.0.0.255
#
interface Vlanif10
ip address 133.133.1.2 255.255.255.0
pim sm
#
interface Vlanif20
ip address 192.168.1.1 255.255.255.0
pim sm
#
interface Vlanif30
ip address 192.168.4.2 255.255.255.0
pim sm
#
interface GigabitEthernet0/0/1
port hybrid untagged vlan 10


#
interface GigabitEthernet0/0/2
port hybrid tagged vlan 20
#
interface GigabitEthernet0/0/3
port hybrid tagged vlan 30
#
ospf 1
area 0.0.0.0
network 133.133.1.0 0.0.0.255
network 192.168.1.0 0.0.0.255
network 192.168.4.0 0.0.0.255
#
pim
ssm-policy 2000
#
return

l Configuration file of Switch B


#
sysname SwitchB
#
vlan batch 11 20 31
#
multicast routing-enable
#
acl number 2000
rule 5 permit source 232.1.1.0 0.0.0.255
#
interface Vlanif11
ip address 133.133.2.2 255.255.255.0
pim sm
#
interface Vlanif20
ip address 192.168.1.2 255.255.255.0
pim sm
#
interface Vlanif31
ip address 192.168.2.1 255.255.255.0
pim sm
#
interface GigabitEthernet0/0/1
port hybrid untagged vlan 11
#
interface GigabitEthernet0/0/2
port hybrid tagged vlan 20
#
interface GigabitEthernet0/0/3
port hybrid tagged vlan 31
#
ospf 1
area 0.0.0.0
network 133.133.2.0 0.0.0.255
network 192.168.1.0 0.0.0.255
network 192.168.2.0 0.0.0.255
#
pim
ssm-policy 2000
#
return

l Configuration file of Switch C


#
sysname SwitchC
#
vlan batch 12 21 31
#
multicast routing-enable
#
acl number 2000

rule 5 permit source 232.1.1.0 0.0.0.255
#
interface Vlanif12
ip address 133.133.3.2 255.255.255.0
pim sm
#
interface Vlanif21
ip address 192.168.3.1 255.255.255.0
pim sm
#
interface Vlanif31
ip address 192.168.2.2 255.255.255.0
pim sm
#
interface GigabitEthernet0/0/1
port hybrid untagged vlan 12
#
interface GigabitEthernet0/0/2
port hybrid tagged vlan 21
#
interface GigabitEthernet0/0/3
port hybrid tagged vlan 31
#
ospf 1
area 0.0.0.0
network 133.133.3.0 0.0.0.255
network 192.168.3.0 0.0.0.255
network 192.168.2.0 0.0.0.255
#
pim
ssm-policy 2000
#
return

l Configuration file of Switch D


#
sysname SwitchD
#
vlan batch 13 21 30
#
multicast routing-enable
#
interface Vlanif13
ip address 133.133.4.2 255.255.255.0
pim sm
igmp enable
igmp version 3
igmp ssm-mapping enable
#
interface Vlanif21
ip address 192.168.3.2 255.255.255.0
pim sm
#
interface Vlanif30
ip address 192.168.4.1 255.255.255.0
pim sm
#
interface GigabitEthernet0/0/1
port hybrid untagged vlan 13
#
interface GigabitEthernet0/0/2
port hybrid tagged vlan 21
#
interface GigabitEthernet0/0/3
port hybrid tagged vlan 30
#
ospf 1
area 0.0.0.0
network 133.133.4.0 0.0.0.255
network 192.168.3.0 0.0.0.255

network 192.168.4.0 0.0.0.255
#
pim
c-bsr vlanif30
c-rp vlanif30
ssm-policy 2000
#
acl number 2000
rule 5 permit source 232.1.1.0 0.0.0.255
#
igmp
ssm-mapping 232.1.1.0 255.255.255.0 133.133.1.1
ssm-mapping 232.1.1.0 255.255.255.0 133.133.3.1
#
return

6.5 PIM-DM (IPv4) Configuration


The PIM protocol is used to implement multicast routing and data forwarding inside an AS.
PIM-DM is the dense-mode variant of PIM. It is applicable to a small-scale
network with densely distributed members.

6.5.1 PIM-DM Overview


In the network where multicast group members are densely distributed and each network
segment may have multicast group members, PIM-DM builds a unidirectional and loop-free
SPT from the multicast source to the group member through periodical flooding and pruning.

CAUTION
This chapter covers only the PIM-DM configuration in an IPv4 network.
Protocol Independent Multicast (PIM) is a multicast protocol that is independent of the unicast
routing protocol in use, such as static routes, RIP, OSPF, IS-IS, or BGP. Multicast routing does
not depend on any particular unicast routing protocol; unicast routing information is only used to
generate the related multicast routing entries.
Based on the Reverse Path Forwarding (RPF), PIM transmits multicast data across a network.
RPF constructs a multicast forwarding tree by using the existing unicast routing information.
When a multicast packet reaches a Switch, the Switch performs the RPF check first. If the packet
does not pass the RPF check, the Switch directly discards the packet.
NOTE

For details about RPF, see IPv4 Multicast Routing Management.
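An added Python model of the RPF check (not AC6605 code), using the topology of the SSM mapping example in 6.4.8 above from Switch D's point of view: a constructed unicast table with routes for S1, S3, and the Receiver segment determines the interface a packet from each source is expected to arrive on, and packets arriving on any other interface (a looped copy, or a source address claimed on the wrong segment) are dropped. Treating an unroutable source as an RPF failure is an assumption of this model.

```python
import ipaddress
from typing import List, Optional, Tuple

# Constructed unicast routing table as seen from Switch D in the SSM mapping
# example: (prefix, outgoing interface). S1 is reached through Vlanif30,
# S3 through Vlanif21, and the Receiver segment is directly connected on Vlanif13.
UNICAST_TABLE: List[Tuple[str, str]] = [
    ("133.133.1.0/24", "Vlanif30"),
    ("133.133.3.0/24", "Vlanif21"),
    ("133.133.4.0/24", "Vlanif13"),
]


def rpf_interface(source: str, table: List[Tuple[str, str]] = UNICAST_TABLE) -> Optional[str]:
    """Longest-prefix lookup of the source address in the unicast table.

    The interface the best route points to is the RPF interface. None means
    the source is unroutable; this model treats that as an RPF failure.
    """
    src = ipaddress.ip_address(source)
    best_net, best_iface = None, None
    for prefix, iface in table:
        net = ipaddress.ip_network(prefix)
        if src in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_iface = net, iface
    return best_iface


def rpf_check(source: str, incoming_iface: str, table: List[Tuple[str, str]] = UNICAST_TABLE) -> bool:
    """A multicast packet passes only if it arrived on its RPF interface."""
    return rpf_interface(source, table) == incoming_iface


Packet = Tuple[str, str, str]  # (source, group, incoming interface)


def filter_packets(packets: List[Packet], table: List[Tuple[str, str]] = UNICAST_TABLE) -> Tuple[List[Packet], List[Packet]]:
    """Run the RPF check over packets and split them into forwarded and dropped."""
    forwarded: List[Packet] = []
    dropped: List[Packet] = []
    for source, group, iface in packets:
        target = forwarded if rpf_check(source, iface, table) else dropped
        target.append((source, group, iface))
    return forwarded, dropped


# Constructed packets: the two legitimate flows, a copy of S1's flow arriving
# on the interface that leads to S3, and a packet carrying S1's address that
# entered on the receiver segment.
CONSTRUCTED_PACKETS: List[Packet] = [
    ("133.133.1.1", "232.1.1.1", "Vlanif30"),
    ("133.133.3.1", "232.1.1.1", "Vlanif21"),
    ("133.133.1.1", "232.1.1.1", "Vlanif21"),
    ("133.133.1.1", "232.1.1.1", "Vlanif13"),
]

if __name__ == "__main__":
    forwarded, dropped = filter_packets(CONSTRUCTED_PACKETS)
    print("forwarded:", forwarded)
    print("dropped:", dropped)
```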

The Protocol Independent Multicast-Dense Mode (PIM-DM) is applicable to a small-scale
network with densely-distributed members.
The functions and location of PIM-DM in a multicast network are shown in Figure 6-13.


Figure 6-13 Location of PIM-DM on the multicast network

[Figure: a multicast server (Source) sends into a PIM-DM network; receivers UserA, UserB, UserC, and UserD attach to the edge switches, with IGMP running between the switches and the receivers and PIM-DM between the switches.]

The Protocol Independent Multicast-Sparse Mode (PIM-SM) is applicable to a large-scale
network with sparsely-distributed members. For details about PIM-SM, see PIM-SM (IPv4)
Configuration.

6.5.2 PIM-DM Features Supported by the AC6605


The system can work normally with default PIM-DM parameters. You are also allowed to adjust
parameters related to neighbor discovery, prune, state refresh, graft, and assert according to
specific scenarios. In addition, you can configure various filtering policies and the PIM silent
function to enhance the PIM-DM security.

Controlling the Forwarding of a Multicast Source


You can configure the Keepalive period of a multicast source and the filtering rules based on
multicast sources.

Adjusting Control Parameters for Setting Up Neighbor Relationship


You can set the following control parameters:
l The interval for sending Hello messages
l The period for keeping neighbors reachable
l Whether the Hello messages without the Generation ID option are received
l The maximum delay for triggering Hello messages
l Neighbor filtering function: An interface sets up neighbor relationships with only the addresses matching the filtering rules and deletes the neighbors that do not match the filtering rules


Adjusting Control Parameters for Pruning


You can adjust the following control parameters for pruning:
l The interval for keeping the Prune state of the downstream interface
l The delay from the time when the current Switch receives a Prune message from a downstream Switch to the time when the current Switch performs the prune action in the LAN
l The period for overriding the prune action

Adjusting Control Parameters for State-Refresh


You can enable or disable State-Refresh, set the interval for sending PIM State-Refresh
messages, set the minimum interval for receiving the next State-Refresh message, and set the
TTL value for forwarding State-Refresh messages on the Switch directly connected to the source.

Adjusting Control Parameters for Graft


You can set the interval for retransmitting Graft messages.

Adjusting Control Parameters for Assert


You can set the period for a Switch to retain the Assert state. The Switch that fails in the election
prevents the downstream interface from forwarding multicast data during this period. After the
period expires, the downstream interface continues to forward multicast data.

Attack Defense Using PIM Silent


Some hosts may send a large number of malicious PIM Hello messages, which can overload the
Switch and cause it to stop responding. The PIM Silent function can be configured on the interfaces
connected to hosts to protect the Switch.

PIM-DM (IPv4) CPCAR Precautions


When there are a large number of multicast groups, PIM (IPv4) packets are transmitted at a rate
higher than the default CIR rate. This may result in the loss of PIM (IPv4) protocol packets and
failure to receive multicast programs. To avoid the problems, set an appropriate CIR value to
prevent CPU overload. For details, see 8.7.2 Local Attack Defense Features Supported by
the AC6605 in Configuration Guide - Security.

6.5.3 Configuring Basic PIM-DM Functions


Ensure that unicast routes are reachable before enabling IPv4 multicast routing, and enable PIM-DM
on each interface of the multicast device. The PIM-DM network can then work normally.

Establishing the Configuration Task


Before configuring basic PIM-DM functions, configure a unicast IPv4 routing protocol.


Applicable Environment
PIM-DM is applicable to a small-scale network, and most network segments of the network have
receivers.

Pre-configuration Tasks
Before configuring basic PIM-DM functions, complete the following configuration tasks:
l Configuring an IPv4 unicast routing protocol

Data Preparation
To configure basic PIM-DM functions, you need the following data.
No.   Data
1     Type and number of an interface

Enabling IPv4 Multicast Routing


Prior to configuring all IPv4 multicast features, enable IPv4 multicast routing.

Context
Do as follows on the Switch:

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
multicast routing-enable

IPv4 multicast routing is enabled in the public network instance.


----End

Enabling PIM-DM
An interface can set up a PIM neighbor relationship with other devices after PIM-DM is enabled
on it.

Context
NOTE

When Switches are distributed in PIM-DM domains, enable PIM-SM on all non-boundary interfaces.

Do as follows on the Switch:



Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
interface interface-type interface-number

The interface view is displayed.


The interface can be a VLANIF interface or a Loopback interface.
Step 3 Run:
pim dm

PIM-DM is enabled.
After PIM-DM is enabled on the interface and the PIM neighbor relationship is set up between
Switches, the protocol packets sent by the PIM neighbors can be processed. You can run the
undo pim dm command to disable PIM-DM on the interface.
----End

Checking the Configuration


After PIM-DM is configured successfully, you can check information about the PIM interface,
PIM neighbor, and PIM routing table using the following commands.

Procedure
l Run the display pim interface [ interface-type interface-number | up | down ] [ verbose ] command to check PIM on interfaces of the public network.
l Run the display pim neighbor [ neighbor-address | interface interface-type interface-number | verbose ] * command to check PIM neighbors of the public network.
l Run the display pim routing-table [ group-address [ mask { group-mask-length | group-mask } ] | source-address [ mask { source-mask-length | source-mask } ] | incoming-interface { interface-type interface-number | register } | outgoing-interface { include | exclude | match } { interface-type interface-number | register | none } | mode { dm | sm | ssm } | flags flag-value | fsm ] * [ outgoing-interface-number [ number ] ] command to check the PIM routing table of the public network instance.

----End

Example
Run the display pim interface verbose command, and you can view the detailed information
about PIM on the interface in the public network instance.
<Quidway> display pim interface verbose
VPN-Instance: public net
Interface: Vlanif117, PIM version: 2
PIM mode: Dense
PIM state: down
PIM DR: -

PIM DR Priority (configured): 1
PIM neighbor count: -
PIM hello interval: 30 s
PIM LAN delay (negotiated): -
PIM LAN delay (configured): 500 ms
PIM hello override interval (negotiated): -
PIM hello override interval (configured): 2500 ms
PIM Silent: disabled
PIM neighbor tracking (negotiated): -
PIM neighbor tracking (configured): disabled
PIM generation ID: -
PIM require-GenID: disabled
PIM hello hold interval: 105 s
PIM assert hold interval: 180 s
PIM triggered hello delay: 5 s
PIM J/P interval: 60 s
PIM J/P hold interval: 210 s
PIM state-refresh processing: enabled
PIM state-refresh interval: 60 s
PIM graft retry interval: 3 s
PIM state-refresh capability on link: capable
PIM BFD: disabled
PIM dr-switch-delay timer : not configured
Number of routers on link not using DR priority: -
Number of routers on link not using LAN delay: -
Number of routers on link not using neighbor tracking: -
ACL of PIM neighbor policy: -
ACL of PIM ASM join policy: -
ACL of PIM SSM join policy: -
ACL of PIM join policy: -

6.5.4 Adjusting Control Parameters of a Multicast Source


A multicast device can control the forwarding of multicast data based on multicast sources. This
helps to control multicast data flows and limit information that can be obtained by downstream
receivers to enhance security.

Establishing the Configuration Task


After basic functions of PIM-DM are configured, you can configure the lifetime of a multicast
source and source address-based filtering rules as required.

Applicable Environment
This configuration is applicable to all PIM-DM networks.
A PIM Switch checks the multicast data passing through it against the filtering rule and forwards only the data that matches. The Switch therefore acts as a filter for multicast data: it controls the data flow and limits the information that downstream receivers can obtain, which reduces the exposure of receivers to unauthorized or unexpected sources.

Pre-configuration Tasks
Before configuring control parameters of a multicast source, complete the following tasks:
l Configuring a unicast routing protocol
l Configuring Basic PIM-DM Functions

Data Preparation
To configure control parameters of a multicast source, you need the following data.
No.    Data
1      Keepalive period (lifetime) of a multicast source
2      Filtering rules of multicast source addresses

Configuring the Lifetime of a Source


A multicast device starts a timer for each (S, G) entry. If the multicast device does not receive
any multicast packets from a multicast source within the set lifetime of the multicast source, it
considers that the (S, G) entry becomes invalid and the multicast source stops sending multicast
data to the multicast group.

Context
Do as follows on the PIM Switch:
NOTE

If there is no special requirement, default values are recommended.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
pim

The PIM view is displayed.


Step 3 Run:
source-lifetime interval

The lifetime of a source is set.


If a Switch does not receive any (S, G) packet in the lifetime of the source, the Switch considers
that the source stops sending multicast data to G and the (S, G) entry becomes invalid.
When State-Refresh is enabled, the lifetime of the multicast source is prolonged to about the
value of interval.
----End

Configuring Filtering Rules Based on Source Addresses


After ACL rules are configured, a multicast device can filter the received multicast packets based
on source addresses or source/group addresses.

Context
Do as follows on the PIM Switch:
Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
pim

The PIM view is displayed.


Step 3 Run:
source-policy acl-number

The filter is configured.


Filtering is most effective when applied on the Switch closest to the source, because unwanted traffic is then dropped before it is flooded further into the network.
If a basic ACL is specified, only packets whose source addresses pass the filter are forwarded.
If an advanced ACL is specified, only packets whose source addresses and group addresses pass the filter are forwarded.
----End
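The following configuration fragment is an added example and is not taken from the original guide. It shows the two filter forms described in the procedure above on a PIM-DM Switch: a basic ACL that admits sources from one subnet, and an advanced ACL that admits a single source for one group range. The ACL numbers (2000 and 3000), the source subnet 10.1.1.0/24, the source 10.1.1.1 and the group range 225.1.1.0/24 are assumed values chosen for illustration; the two variants are alternatives and are not meant to be applied together.

```text
# Variant A: basic ACL, filtering on source address only.
# Addresses are constructed for this example. The final deny makes the
# default-drop behaviour explicit so that an unmatched source is never
# forwarded by accident.
acl number 2000
 rule 5 permit source 10.1.1.0 0.0.0.255
 rule 10 deny
#
pim
 source-policy 2000
#
# Variant B: advanced ACL, filtering on source and group address.
# Only source 10.1.1.1 may send to groups 225.1.1.0/24.
acl number 3000
 rule 5 permit ip source 10.1.1.1 0 destination 225.1.1.0 0.0.0.255
 rule 10 deny ip
#
pim
 source-policy 3000
#
# Verification: after the filter is applied, only (S, G) entries whose
# source (and, for variant B, group) passed the ACL should remain.
display pim routing-table mode dm
```

Apply the filter on the first-hop Switch nearest the source, as the procedure advises, so that filtered traffic is never flooded into the rest of the PIM-DM domain. VRP treats lines beginning with # as configuration separators, so the block can be pasted as shown. Note that source-policy matches IP header fields only and does not authenticate the sender: a host on the source segment that spoofs a permitted source address is not stopped by this control.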

Checking the Configuration


After the control parameters of a multicast source are adjusted, you can run commands to check
entries in the PIM routing table.

Procedure
l

Run the following commands to check the PIM routing table.


display pim routing-table [ group-address [ mask { group-mask-length | group-mask } ] | source-address [ mask { source-mask-length | source-mask } ] | incoming-interface { interface-type interface-number | register } | outgoing-interface { include | exclude | match } { interface-type interface-number | register | none } | mode { dm | sm | ssm } | flags flag-value | fsm ] * [ outgoing-interface-number [ number ] ]
display pim routing-table brief [ group-address [ mask { group-mask-length | group-mask } ] | source-address [ mask { source-mask-length | source-mask } ] | incoming-interface { interface-type interface-number | register } ] *

----End

6.5.5 Adjusting Control Parameters for Maintaining Neighbor Relationships

PIM devices exchange Hello messages to set up neighbor relationships and negotiate various
control parameters for controlling the neighbor relationships.

Establishing the Configuration Task


After basic functions of PIM-DM are configured, you can adjust related parameters of Hello
messages for controlling the neighbor relationships, and configure the neighbor filtering function
to enhance security as required.

Applicable Environment
PIM Switches exchange Hello messages to set up neighbor relationships and negotiate various control parameters.
Switches work normally with the default values. On the AC6605, users can adjust the related parameters according to the specific network environment.
NOTE

If there is no special requirement, default values are recommended.

Pre-configuration Tasks
Before adjusting control parameters for maintaining neighbor relationships, complete the
following tasks:
l Configuring a unicast routing protocol
l Configuring Basic PIM-DM Functions

Data Preparation
To adjust control parameters for maintaining neighbor relationships, you need the following
data.
No.    Data
1      Timeout period of the neighbor
2      Interval for sending Hello messages
3      Maximum delay for triggering Hello messages
4      Number or name of the ACL used to filter PIM neighbors

Configuring the Interval for Sending Hello Messages


The interval for sending Hello messages can be set either globally or on an interface. The configuration in the interface view takes precedence over the configuration in the PIM view. When the interval is not configured in the interface view, the configuration in the PIM view takes effect.

Context
Do as follows on the PIM-DM Switch:


NOTE

The configuration involves the following cases:


l Global configuration: It is valid on each interface.
l Configuration on an interface: The configuration on an interface takes precedence over the global
configuration. If the configuration on an interface is not done, the global configuration is used.

Procedure
l Global Configuration
1. Run:
system-view

The system view is displayed.
2. Run:
pim

The PIM view is displayed.
3. Run:
timer hello interval

The interval for sending Hello messages is set.
l Configuration on an Interface
1. Run:
system-view

The system view is displayed.
2. Run:
interface interface-type interface-number

The interface view is displayed.
The interface can be a VLANIF interface or a Loopback interface.
3. Run:
pim timer hello interval

The interval for sending Hello messages is set.
4. Run:
pim triggered-hello-delay interval

The maximum delay for triggering Hello messages is set.
Setting the maximum delay prevents multiple PIM Switches from sending Hello messages at the same moment and colliding.
----End

Configuring the Timeout Period of a Neighbor


The timeout period of a neighbor can be set either globally or on an interface. If the multicast
device does not receive any Hello message from a neighbor when the timeout period is expired,
the device considers that the neighbor is unreachable. The timeout period of the neighbor must
be longer than the interval for sending Hello messages.

Context
Do as follows on the PIM-DM Switch:
NOTE

The configuration involves the following two cases:


l Global configuration: It is valid on each interface.
l Configuration on an interface: The configuration on an interface takes precedence over the global
configuration. If the configuration on an interface is not done, the global configuration is used.

Procedure
l Global Configuration
1. Run:
system-view

The system view is displayed.
2. Run:
pim

The PIM view is displayed.
3. Run:
hello-option holdtime interval

The timeout period during which the neighbor is considered reachable is set.
If no Hello message is received from a neighbor within the timeout period, the neighbor is considered unreachable.
l Configuration on an Interface
1. Run:
system-view

The system view is displayed.
2. Run:
interface interface-type interface-number

The interface view is displayed.
The interface can be a VLANIF interface or a Loopback interface.
3. Run:
pim hello-option holdtime interval

The timeout period during which the neighbor is considered reachable is set.
If no Hello message is received from a neighbor within the timeout period, the neighbor is considered unreachable.
----End

Refusing to Receive the Hello Message Without the Generation ID Option


When the Generation ID option in the Hello message received from an upstream neighbor
changes, it indicates that the status of the upstream neighbor changes. Therefore, you can
configure a PIM interface to deny the Hello messages without Generation ID options to obtain
the upstream neighbor status in real time.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
interface interface-type interface-number

The interface view is displayed.


The interface can be a VLANIF interface or a Loopback interface.
Step 3 Run:
pim require-genid

The interface is configured to require the Generation ID option in received Hello messages.

Hello messages that do not carry the Generation ID option are rejected.
When the Generation ID option in the Hello message received from an upstream neighbor changes, the PIM state of the upstream neighbor has changed, for example because it restarted. If the Switch does not want to receive data from that upstream neighbor, it sends a Prune message after receiving a data packet from the upstream neighbor.
----End

Configuring PIM Neighbor Filtering


To prevent some unknown devices from being involved in PIM, filtering PIM neighbors is
required. An interface sets up neighbor relationships with only the addresses matching the
filtering rules and deletes the neighbors unmatched with the filtering rules.

Context
To prevent unknown or unauthorized Switches from taking part in PIM, filter PIM neighbors.
Do as follows on the Switch running PIM-DM:

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
interface interface-type interface-number

The interface view is displayed.


The interface can be a VLANIF interface or a Loopback interface.
Step 3 Run:
pim neighbor-policy basic-acl-number

PIM neighbor filtering is configured.


----End
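The following fragment is an added example, not taken from the original guide. It combines the neighbor filter from this procedure with the require-genid setting from the preceding procedure on one interface. Vlanif117 is the interface that appears in the display pim interface verbose output earlier in this section; the ACL number 2001 and the permitted neighbor addresses 10.1.17.2 and 10.1.17.3 are assumed values constructed for the example.

```text
# Basic ACL listing the only devices allowed to become PIM neighbors
# on Vlanif117. Addresses are constructed for this example; the final
# deny makes the drop of any other Hello sender explicit.
acl number 2001
 rule 5 permit source 10.1.17.2 0
 rule 10 permit source 10.1.17.3 0
 rule 15 deny
#
interface vlanif 117
 pim neighbor-policy 2001
 pim require-genid
#
# Verification: the interface view must show 2001 under
# "ACL of PIM neighbor policy" and "PIM require-GenID: enabled";
# the neighbor table must list only the two permitted addresses.
display pim interface vlanif 117 verbose
display pim neighbor interface vlanif 117
```

When the policy is applied, existing neighbors whose addresses do not match the ACL are deleted, so compare the ACL with the current output of display pim neighbor before applying it on a production link. The filter matches only the source IP address of Hello messages, which PIM does not authenticate: it keeps unknown or misconfigured devices out of the PIM topology but does not stop a host on the same segment from spoofing a permitted address.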

Checking the Configuration


After the neighbor control parameters are adjusted, you can run commands to check information
about the PIM interface and the PIM neighbor.

Procedure
l

l Run the display pim interface [ interface-type interface-number | up | down ] [ verbose ] command to check PIM on an interface.
l Run the display pim neighbor [ neighbor-address | interface interface-type interface-number | verbose ] * command to check information about a PIM neighbor.

----End

6.5.6 Adjusting Control Parameters for Prune


When the last member leaves a group, the multicast device sends a Prune message upstream,
requesting the upstream device to execute the prune action. If other downstream devices on the
same network segment need the multicast data for this group, they need to send Join messages
to override the prune action.

Establishing the Configuration Task


After basic PIM-DM functions are configured, you can set the period for an interface to keep
the prune state, delay for transmitting Prune messages in a LAN, and interval for overriding the
prune action as required.

Applicable Environment
When the last member leaves its group, the Switch sends a Prune message through an upstream interface. After receiving the Prune message, the upstream Switch performs the prune action and stops sending multicast packets to this network segment. If other downstream Switches on the segment still need the data, they must send a Join message to override the prune action.
Switches work normally with the default parameter values. Users can adjust the related parameters according to the specific network environment.
NOTE

The configuration involves the following two cases:


l Global configuration: It is valid on each interface.
l Configuration on an interface: The configuration on an interface takes precedence over the global
configuration. If the configuration on an interface is not done, the global configuration is used.

Pre-configuration Tasks
Before adjusting control parameters for prune, complete the following tasks:
l Configuring a unicast routing protocol
l Configuring Basic PIM-DM Functions

Data Preparation
To adjust control parameters for prune, you need the following data.
No.    Data
1      Timeout period of the Prune state
2      Delay for transmitting Prune messages
3      Interval for overriding the prune action

Configuring the Period for an Interface to Keep the Prune State


The period for an interface to keep the prune state can be set either globally or on an interface.
After the period expires, the pruned interface starts to forward messages again. If the multicast
device receives a State-Refresh message before the period expires, it resets the timer, that is, it
refreshes the prune state.

Context
Do as follows on the PIM-DM Switch:

Procedure
l Global Configuration
1. Run:
system-view

The system view is displayed.
2. Run:
pim

The PIM view is displayed.
3. Run:
holdtime join-prune interval

The period during which the downstream interface stays in the Prune state is set.
After the period expires, the pruned interface starts to forward packets again. If the Switch receives a State-Refresh message before the period expires, it refreshes the Prune state.
l Configuration on an Interface
1. Run:
system-view

The system view is displayed.
2. Run:
interface interface-type interface-number

The interface view is displayed.
The interface can be a VLANIF interface or a Loopback interface.
3. Run:
pim holdtime join-prune interval

The period during which the downstream interface stays in the Prune state is set.
After the period expires, the pruned interface starts to forward packets again. If the Switch receives a State-Refresh message before the period expires, it refreshes the Prune state.
----End

Configuring the Delay for Transmitting Prune Messages in a LAN


The delay for transmitting Prune messages in a LAN can be set either globally or on an interface. If devices on the same link are configured with different lan-delay values, the largest of these values is used.

Context
Do as follows on the PIM-DM Switch:

Procedure
l Global Configuration
1. Run:
system-view

The system view is displayed.
2. Run:
pim

The PIM view is displayed.
3. Run:
hello-option lan-delay interval

The delay for transmitting Prune messages in a LAN is set.
l Configuration on an Interface
1. Run:
system-view

The system view is displayed.
2. Run:
interface interface-type interface-number

The interface view is displayed.
The interface can be a VLANIF interface or a Loopback interface.
3. Run:
pim hello-option lan-delay interval

The delay for transmitting Prune messages in a LAN is set.
----End

Configuring the Interval for Overriding the Prune Action


When a device on a network segment sends a Prune message upstream, any other device on the same segment that still needs the multicast data must send a Join message upstream within the override-interval.

Context
Do as follows on the PIM-DM Switch:

Procedure
l Global Configuration
1. Run:
system-view

The system view is displayed.
2. Run:
pim

The PIM view is displayed.
3. Run:
hello-option override-interval interval

The interval for overriding the prune action is set.
When a Switch sends a Prune message to the upstream Switch on the same network segment, any other Switch that still requests the multicast data must send a Join message to the upstream Switch within the override-interval.
l Configuration on an Interface
1. Run:
system-view

The system view is displayed.
2. Run:
interface interface-type interface-number

The interface view is displayed.
The interface can be a VLANIF interface or a Loopback interface.
3. Run:
pim hello-option override-interval interval

The interval for overriding the prune action is set.
----End

Checking the Configuration


After the control parameters for prune are adjusted, you can check information about the PIM
interface and the PIM routing table and statistics about PIM control messages through
commands.

Procedure
l

l Run the display pim interface [ interface-type interface-number | up | down ] [ verbose ] command to check information about PIM on an interface.
l Run the display pim control-message counters [ message-type { assert | graft | graft-ack | hello | join-prune | state-refresh | bsr } | interface interface-type interface-number ] * command to check the number of sent or received PIM control packets.
l Run the following commands to check the PIM routing table.
display pim routing-table [ group-address [ mask { group-mask-length | group-mask } ] | source-address [ mask { source-mask-length | source-mask } ] | incoming-interface { interface-type interface-number | register } | outgoing-interface { include | exclude | match } { interface-type interface-number | register | none } | mode { dm | sm | ssm } | flags flag-value | fsm ] * [ outgoing-interface-number [ number ] ]
display pim routing-table brief [ group-address [ mask { group-mask-length | group-mask } ] | source-address [ mask { source-mask-length | source-mask } ] | incoming-interface { interface-type interface-number | register } ] *

----End

6.5.7 Adjusting Control Parameters for State-Refresh


In a PIM-DM network, the periodic flooding-pruning wastes lots of network resources. To
prevent the pruned interface from forwarding messages because the prune timer times out, you
can enable the State-Refresh function. The multicast device then sends State-Refresh messages
periodically to refresh the prune state of the interface and maintain the SPT.

Establishing the Configuration Task


After basic functions of PIM-DM are configured, you can set the interval for sending State-Refresh messages, the period for waiting to receive the next State-Refresh message, and the TTL value carried in the State-Refresh message as required.

Applicable Environment
In a PIM-DM network, periodic flooding and pruning wastes a lot of network resources. To prevent a pruned interface from forwarding packets again when its prune timer expires, you can enable the State-Refresh function. Switches then periodically send State-Refresh messages to refresh the prune state of interfaces and maintain the SPT.
Switches work normally with the default parameter values. Users can adjust the related parameters according to the specific network environment.
NOTE

If there is no specific requirement, default values are recommended.

Pre-configuration Tasks
Before adjusting control parameters for State-Refresh, complete the following tasks:
l Configuring a unicast routing protocol
l Configuring Basic PIM-DM Functions

Data Preparation
To adjust control parameters for State-Refresh, you need the following data.
No.    Data
1      Interval for sending PIM State-Refresh messages
2      Period for waiting to receive the next State-Refresh message
3      TTL value for forwarding State-Refresh messages

Disabling State-Refresh
After this function is disabled on the interface, the interface cannot forward any State-Refresh
messages.

Context
Do as follows on all the Switches in the PIM-DM domain.
NOTE

By default, PIM-DM State-Refresh is enabled on the interface.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
interface interface-type interface-number

The interface view is displayed.


The interface can be a VLANIF interface or a Loopback interface.
Step 3 Run:
undo pim state-refresh-capable

PIM-DM State-Refresh is disabled.


The interface on which PIM-DM State-Refresh is disabled cannot forward any State-Refresh
message.
NOTE

You can run the pim state-refresh-capable command to re-enable PIM-DM State-Refresh on the interface.

----End


Configuring the Interval for Sending State-Refresh Messages


To prevent pruned interfaces from forwarding messages after the prune state timer times out,
you need to set the interval for sending State-Refresh messages to be shorter than the period for
keeping the Prune state.

Context
Do as follows on all the Switches in the PIM-DM domain:

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
pim

The PIM view is displayed.


Step 3 Run:
state-refresh-interval interval

The interval for sending PIM State-Refresh messages is set.


NOTE

l This command is applicable to the first-hop Switch connecting with the multicast source.
l The interval for sending PIM State-Refresh messages should be shorter than the timeout period for
keeping the Prune state.
l You can run the holdtime join-prune command to set the timeout period for keeping the Prune state.

----End

Configuring the Period for Receiving the Next State-Refresh Message


A multicast device may receive PIM State-Refresh messages from multiple routers in a short
period and some PIM State-Refresh messages are repeated. Before the state-refresh timer times
out, the device discards the received repeated State-Refresh messages. The device is allowed to
receive the next State-Refresh message only after the timer times out.

Context
Do as follows on all the PIM-DM Switches in the PIM-DM domain:

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
pim

The PIM view is displayed.


Step 3 Run:
state-refresh-rate-limit interval

The period for waiting to receive the next State-Refresh message is set.
----End

Configuring the TTL Value Carried in a State-Refresh Message


After receiving a PIM State-Refresh message, a multicast device decrements the TTL value by 1 and forwards the message downstream; forwarding stops once the TTL value reaches 0. In a small network, a State-Refresh message carrying a large TTL would otherwise keep being forwarded around the network. Adjust the TTL value according to the network scale.

Context
Do as follows on the PIM-DM Switches directly connected to the source in the PIM-DM domain:

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
pim

The PIM view is displayed.


Step 3 Run:
state-refresh-ttl ttl-value

The TTL value carried in the State-Refresh message is set.


NOTE

This command is valid only on the Switch directly connected to the source.

----End

Checking the Configuration


After the control parameters for state-refresh are adjusted, you can check information about the
PIM interface and the PIM routing table and statistics about PIM control messages through
commands.

Procedure
l

l Run the display pim interface [ interface-type interface-number | up | down ] [ verbose ] command to check PIM on an interface.
l Run the display pim control-message counters [ message-type { assert | graft | graft-ack | hello | join-prune | state-refresh | bsr } | interface interface-type interface-number ] * command to check the number of sent or received PIM control messages.


Run the following commands to check the PIM routing table.


display pim routing-table [ group-address [ mask { group-mask-length | group-mask } ] | source-address [ mask { source-mask-length | source-mask } ] | incoming-interface { interface-type interface-number | register } | outgoing-interface { include | exclude | match } { interface-type interface-number | register | none } | mode { dm | sm | ssm } | flags flag-value | fsm ] * [ outgoing-interface-number [ number ] ]
display pim routing-table brief [ group-address [ mask { group-mask-length | group-mask } ] | source-address [ mask { source-mask-length | source-mask } ] | incoming-interface { interface-type interface-number | register } ] *

----End

6.5.8 Adjusting Control Parameters for Graft


To let new members in a network receive multicast data quickly, a multicast device actively sends a Graft message through an upstream interface, requesting the upstream device to forward multicast data to this network segment.

Establishing the Configuration Task


After basic functions of PIM-DM are configured, you can set the interval for retransmitting Graft
messages as required.

Applicable Environment
In a PIM-DM network, if State-Refresh is not enabled, a pruned interface resumes forwarding packets after the Prune state times out. If State-Refresh is enabled, the pruned interface may never forward packets again on its own.
To enable new members in the network to receive multicast data quickly, a PIM-DM Switch sends a Graft message through an upstream interface. After receiving the Graft message, the upstream Switch immediately responds with a Graft-Ack message and enables the interface that received the Graft message to forward packets.
Switches work normally with the default parameter values. Users can adjust the related parameters according to the specific network environment.
NOTE

If there is no specific requirement, default values are recommended.

Pre-configuration Task
Before configuring control parameters for graft, complete the following tasks:
l Configuring a unicast routing protocol
l Configuring Basic PIM-DM Functions

Data Preparation
To configure control parameters for graft, you need the following data.
No.    Data
1      Interval for retransmitting Graft messages

Configuring the Interval for Retransmitting Graft Messages


In PIM-DM mode, when a member joins a pruned group, the multicast device sends a Graft
message and waits for an ACK message from the upstream device. If the downstream device
does not receive any ACK message within a certain period, the device resends the Graft message
until it receives an ACK message from the upstream device.

Context
Do as follows on the PIM-DM Switch:

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
interface interface-type interface-number

The interface view is displayed.


The interface can be a VLANIF interface or a Loopback interface.
Step 3 Run:
pim timer graft-retry interval

The interval for retransmitting Graft messages is set.


If the local Switch does not receive any Graft-Ack message from the upstream Switch in a
specified period, it resends a Graft message.
----End

Checking the Configuration


After the control parameters for graft are adjusted, you can check information about the
unacknowledged PIM-DM graft, PIM interface, and PIM routing table and statistics about PIM
control messages through commands.

Procedure
l

l Run the display pim interface [ interface-type interface-number | up | down ] [ verbose ] command to check PIM on an interface.
l Run the display pim control-message counters [ message-type { assert | graft | graft-ack | hello | join-prune | state-refresh | bsr } | interface interface-type interface-number ] * command to check the number of sent or received PIM control messages.

Run the following commands to check the PIM routing table.

display pim routing-table [ group-address [ mask { group-mask-length | group-mask } ] | source-address [ mask { source-mask-length | source-mask } ] | incoming-interface { interface-type interface-number | register } | outgoing-interface { include | exclude | match } { interface-type interface-number | register | none } | mode { dm | sm | ssm } | flags flag-value | fsm ] * [ outgoing-interface-number [ number ] ]
display pim routing-table brief [ group-address [ mask { group-mask-length | group-mask } ] | source-address [ mask { source-mask-length | source-mask } ] | incoming-interface { interface-type interface-number | register } ] *
----End

6.5.9 Adjusting Control Parameters for Assert


If a multicast device receives multicast data through a downstream interface, other upstream devices exist on that network segment. The device then sends an Assert message through the downstream interface to take part in the election of the single upstream device for the segment.

Establishing the Configuration Task


After basic functions of PIM-DM are configured, you can set the holdtime of the Assert state as
required.

Applicable Environment
When a PIM-DM Switch receives multicast data through a downstream interface, other upstream Switches exist on the network segment. The Switch sends Assert messages through that interface to elect the single upstream Switch.
Switches work normally with the default parameter values. Users can adjust the related parameters according to the specific network environment.
NOTE

If there is no specific requirement, default values are recommended.

Pre-configuration Tasks
Before adjusting control parameters for Assert, complete the following tasks:
l Configuring a unicast routing protocol
l Configuring Basic PIM-DM Functions

Data Preparation
To adjust control parameters for Assert, you need the following data.

No.    Data
1      Period for keeping the Assert state
Configuring the Period for Keeping the Assert State


The device that fails in the election prevents its downstream interface from forwarding multicast
data. After the holdtime of the Assert state expires, the downstream interface can forward
multicast data.

Context
Do as follows on the PIM-DM Switch:
NOTE

The configuration involves the following two cases:
- Global configuration: It is valid on each interface.
- Configuration on an interface: The configuration on an interface takes precedence over the global
  configuration. If no configuration is done on an interface, the global configuration is used.

Procedure
- Global Configuration
  1. Run:
     system-view

     The system view is displayed.
  2. Run:
     pim

     The PIM view is displayed.
  3. Run:
     holdtime assert interval

     The period for holding the Assert state is set.
     The Switch that fails in the election prevents its downstream interface from forwarding
     multicast data. After the Holdtime of the Assert state expires, the downstream interface
     can forward packets.
- Configuration on an Interface
  1. Run:
     system-view

     The system view is displayed.
  2. Run:
     interface interface-type interface-number

     The interface view is displayed.
     The interface can be a VLANIF interface or a Loopback interface.
  3. Run:
     pim holdtime assert interval

     The period for holding the Assert state is set.
     The Switch that fails in the election prevents its downstream interface from forwarding
     multicast data. After the Holdtime period of the Assert state expires, the downstream
     interface can forward packets.
----End

Checking the Configuration


After the control parameters for Assert are adjusted, you can check information about the PIM
interface, the PIM routing table, and statistics about PIM control messages through
commands.

Procedure
- Run the display pim interface [ interface-type interface-number | up | down ] [ verbose ] command to check PIM on an interface.
- Run the display pim control-message counters [ message-type { assert | graft | graft-ack | hello | join-prune | state-refresh | bsr } | interface interface-type interface-number ] * command to check the number of sent or received PIM control messages.
- Run the following commands to check the PIM routing table.
  display pim routing-table [ group-address [ mask { group-mask-length | group-mask } ] | source-address [ mask { source-mask-length | source-mask } ] | incoming-interface { interface-type interface-number | register } | outgoing-interface { include | exclude | match } { interface-type interface-number | register | none } | mode { dm | sm | ssm } | flags flag-value | fsm ] * [ outgoing-interface-number [ number ] ]
  display pim routing-table brief [ group-address [ mask { group-mask-length | group-mask } ] | source-address [ mask { source-mask-length | source-mask } ] | incoming-interface { interface-type interface-number | register } ] *

----End

6.5.10 Configuring PIM Silent Function


The interface that directly connects a multicast device to a user host needs to be enabled with PIM.
In this case, a malicious host may forge a large number of PIM Hello messages and send
them to the interface for processing. As a result, the multicast device may hang. To
avoid this, you can set the interface to the PIM Silent state.

Establishing the Configuration Task


After basic functions of PIM-DM and IGMP are configured, you can configure the PIM silent
function on the interface connected with the user host. This interface should be enabled with
PIM-DM and IGMP first.

Applicable Environment
On the access layer, the interface directly connected to hosts needs to be enabled with PIM. You
can set up the PIM neighbor relationship on the interface to process various PIM packets. This
configuration, however, has a security weakness: when a host maliciously generates PIM
Hello messages and sends many of them to a Switch, the Switch may fail.
To prevent this, you can set the status of the interface to PIM silent. When the
interface is in the PIM silent state, the interface is prevented from receiving and forwarding any
PIM packet. All PIM neighbor relationships and PIM state machines on the interface are deleted.
IGMP on the interface is not affected.
To enable PIM silent, the network environment must meet the following condition:
- PIM silent is applicable only to an interface directly connected to a host network segment
  that is connected only to this Switch.

CAUTION
If PIM silent is enabled on an interface connected to a Switch, the PIM neighbor relationship
cannot be established and a multicast fault may occur.
If the host network segment is connected to multiple Switches and PIM silent is enabled on
multiple interfaces of these Switches, these interfaces do not send Assert messages. Therefore,
multiple interfaces that forward multicast data exist on the user network segment, and a multicast
fault occurs.

Pre-configuration Tasks
Before configuring PIM silent, complete the following tasks:
- Configuring a unicast routing protocol to make the network reachable
- Configuring PIM-DM
- Configuring IGMP

Data Preparation
To configure PIM silent, you need the following data.

No.    Data
       Type and number of the interface connected to hosts

Configuring PIM Silent


After the interface is configured with PIM silent, it is forbidden to receive or forward any PIM
protocol packet. All PIM neighbors and PIM state machines on this interface are deleted. Then,
this interface automatically becomes the DR. IGMP on the interface is not affected.

Context
Do as follows on the interface connected to the host network segment:

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
interface interface-type interface-number

The interface view is displayed.
The interface can be a VLANIF interface or a Loopback interface.

Step 3 Run:
pim silent

PIM silent is enabled.
After PIM silent is enabled, Hello message attacks from malicious hosts are effectively prevented,
and the Switch is protected.
----End

Checking the Configuration


After PIM silent is configured, you can run the command to check information about the PIM
interface.

Prerequisites
All the configurations of PIM silent are complete.

Procedure
- Run the display pim interface [ interface-type interface-number | up | down ] [ verbose ] command to check PIM on an interface.

----End

Example
Run the display pim interface verbose command, and you can find that the configuration is
complete.
<Quidway> display pim interface Vlanif 10 verbose
VPN-Instance: public net
 Interface: Vlanif10,
     PIM version: 2
     PIM mode: Dense
     PIM state: down
     PIM DR: -
     PIM DR Priority (configured): 1
     PIM neighbor count: -
     PIM hello interval: 30 s
     PIM LAN delay (negotiated): -
     PIM LAN delay (configured): 500 ms
     PIM hello override interval (negotiated): -
     PIM hello override interval (configured): 2500 ms
     PIM Silent: enabled
     PIM neighbor tracking (negotiated): -
     PIM neighbor tracking (configured): disabled
     PIM generation ID: -
     PIM require-GenID: disabled
     PIM hello hold interval: 105 s
     PIM assert hold interval: 180 s
     PIM triggered hello delay: 5 s
     PIM J/P interval: 60 s
     PIM J/P hold interval: 210 s
     PIM state-refresh processing: enabled
     PIM state-refresh interval: 60 s
     PIM graft retry interval: 3 s
     PIM state-refresh capability on link: capable
     PIM BFD: disabled
     PIM dr-switch-delay timer : not configured
     Number of routers on link not using DR priority: -
     Number of routers on link not using LAN delay: -
     Number of routers on link not using neighbor tracking: -
     ACL of PIM neighbor policy: -
     ACL of PIM ASM join policy: -
     ACL of PIM SSM join policy: -
     ACL of PIM join policy: -
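The verbose output above is what an operator reads to confirm both the Assert holdtime (6.5.9) and the PIM silent state (6.5.10). As an added example, not part of the guide or of Huawei's software, the following Python parses that output layout, reads the hold timers in seconds, and flags a host-facing interface whose displayed state does not match what the guide says a silent interface looks like (no PIM neighbor, PIM state down). The sample text is constructed in the guide's field layout; the interface name and address are made up.

```python
import re

# Constructed sample in the layout of 'display pim interface ... verbose' for a
# host-facing interface on which 'pim silent' has been run (values made up).
SAMPLE_VERBOSE = """\
VPN-Instance: public net
 Interface: Vlanif10, 10.110.1.1
     PIM version: 2
     PIM mode: Dense
     PIM state: down
     PIM DR: -
     PIM DR Priority (configured): 1
     PIM neighbor count: -
     PIM hello interval: 30 s
     PIM LAN delay (configured): 500 ms
     PIM Silent: enabled
     PIM hello hold interval: 105 s
     PIM assert hold interval: 180 s
     PIM J/P hold interval: 210 s
     PIM dr-switch-delay timer : not configured
"""

# One 'key: value' field per line; the key may carry a space before the colon.
FIELD_RE = re.compile(r"^\s*(?P<key>[^:]+?)\s*:\s*(?P<val>.*?)\s*$")

HOLD_FIELDS = {
    "hello": "PIM hello hold interval",
    "assert": "PIM assert hold interval",
    "join-prune": "PIM J/P hold interval",
}


def parse_pim_interface_verbose(text):
    """Return {interface_name: {field: value}} for every interface block."""
    blocks, current = {}, None
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if not m:
            continue
        key, val = m.group("key"), m.group("val")
        if key == "Interface":
            # 'Interface: Vlanif10, 10.110.1.1' -> the name before the comma
            current = blocks.setdefault(val.split(",")[0].strip(), {})
        elif current is not None:       # skip header lines such as VPN-Instance
            current[key] = val
    return blocks


def seconds(value):
    """Convert a timer field such as '180 s' or '500 ms' to seconds (float)."""
    m = re.match(r"^(\d+(?:\.\d+)?)\s*(ms|s)$", value.strip())
    if not m:
        raise ValueError("not a timer value: %r" % value)
    number, unit = float(m.group(1)), m.group(2)
    return number / 1000.0 if unit == "ms" else number


def holdtimes(fields):
    """Hold timers of one interface in seconds, e.g. {'assert': 180.0, ...}."""
    return {k: seconds(fields[v]) for k, v in HOLD_FIELDS.items() if v in fields}


def check_silent_interface(fields):
    """Findings for one host-facing interface. Per the guide, a PIM silent
    interface neither receives nor sends PIM packets, so it has no PIM
    neighbor and its PIM state is down."""
    findings = []
    if fields.get("PIM Silent") != "enabled":
        findings.append("PIM silent is not enabled on this host-facing interface")
        return findings
    if fields.get("PIM state") != "down":
        findings.append("silent interface reports PIM state %s" % fields.get("PIM state"))
    if fields.get("PIM neighbor count", "-") not in ("-", "0"):
        findings.append("silent interface still lists PIM neighbors: %s"
                        % fields["PIM neighbor count"])
    return findings


def audit_verbose_output(text):
    """Map each interface found in the output to its list of findings."""
    return {name: check_silent_interface(fields)
            for name, fields in parse_pim_interface_verbose(text).items()}
```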

6.5.11 Maintaining PIM-DM (IPv4)


Maintaining PIM-DM involves resetting PIM statistics, monitoring PIM running status and
debugging PIM.

Clearing Statistics of PIM Control Messages


If you need to re-collect the statistics about PIM control messages, you can reset the existent
statistics. Note that the statistics cannot be restored after you reset them. This operation does not
affect normal running of PIM.

Context

CAUTION
The statistics of the PIM control messages on the interface cannot be restored after you reset
them. Confirm the action before you run the command.

Procedure
- Run the reset pim control-message counters [ interface interface-type interface-number ] command in the user view to clear the statistics of the PIM control messages on an interface.

----End

Monitoring the Running Status of PIM


During routine maintenance, you can run the display commands in any view to check the
running status of PIM.

Context
In routine maintenance, you can run the following commands in any view to check the running
status of PIM.

Procedure
- Run the display pim claimed-route [ source-address ] command in any view to check the unicast routes used by PIM.
- Run the display pim control-message counters [ message-type { assert | graft | graft-ack | hello | join-prune | state-refresh | bsr } | interface interface-type interface-number ] * command in any view to check the number of sent or received PIM control messages.
- Run the display pim interface [ interface-type interface-number | up | down ] [ verbose ] command to check information about PIM on an interface.
- Run the display pim neighbor [ neighbor-address | interface interface-type interface-number | verbose ] * command to check information about a PIM neighbor.
- Run the following commands to check the PIM routing table.
  display pim routing-table [ group-address [ mask { group-mask-length | group-mask } ] | source-address [ mask { source-mask-length | source-mask } ] | incoming-interface { interface-type interface-number | register } | outgoing-interface { include | exclude | match } { interface-type interface-number | register | none } | mode { dm | sm | ssm } | flags flag-value | fsm ] * [ outgoing-interface-number [ number ] ]
  display pim routing-table brief [ group-address [ mask { group-mask-length | group-mask } ] | source-address [ mask { source-mask-length | source-mask } ] | incoming-interface { interface-type interface-number | register } ] *

----End

Debugging PIM
When a fault occurs during the running of PIM, run the debugging commands in the user view
and check the contents of sent and received packets for fault location.

Context

CAUTION
Debugging affects system performance. After debugging, run the undo debugging
all command to disable it immediately.
When a PIM fault occurs, run the following debugging commands in the user view to debug PIM
and locate the fault.

Procedure
- Run the debugging pim all command in the user view to enable all the debugging of PIM.
- Run the debugging pim event [ advanced-acl-number ] command in the user view to enable the debugging of PIM events.
- Run the debugging pim routing-table [ advanced-acl-number ] command in the user view to enable the debugging of PIM routes.
- Run the debugging pim assert [ advanced-acl-number | [ receive | send ] ] * command in the user view to enable the debugging of PIM Assert.
- Run the debugging pim state-refresh [ advanced-acl-number | [ receive | send ] ] * command in the user view to enable the debugging of PIM State-Refresh.

----End

6.5.12 Configuration Example


Configuration examples are provided to show how to construct a basic PIM-DM network.

Example for Configuring the PIM-DM Network


Networking Requirements
On the experiment network shown in Figure 6-14, multicast is deployed. The unicast routes
work normally. The AC6605s on the network need to be configured properly so that hosts can
receive the VOD information in multicast mode.
Figure 6-14 Networking diagram for configuring basic PIM-DM functions
[Figure: the Source is attached to SwitchD (GE 0/0/4); SwitchD connects to SwitchA (GE 0/0/3), SwitchB (GE 0/0/1) and SwitchC (GE 0/0/2), with PIM-DM running between the switches; Receiver HostA is on leaf network N1 behind SwitchA, and Receiver HostB is on leaf network N2 behind SwitchB and SwitchC.]

Switch     Physical interface   VLANIF interface   IP address
Switch A   GE0/0/1              VLANIF100          192.168.1.1/24
Switch A   GE0/0/2              VLANIF101          10.110.1.1/24
SwitchB    GE0/0/1              VLANIF200          192.168.2.1/24
SwitchB    GE0/0/2              VLANIF102          10.110.2.1/24
SwitchC    GE0/0/1              VLANIF300          192.168.3.1/24
SwitchC    GE0/0/2              VLANIF102          10.110.2.2/24
SwitchD    GE0/0/1              VLANIF200          192.168.2.2/24
SwitchD    GE0/0/2              VLANIF300          192.168.3.2/24
SwitchD    GE0/0/3              VLANIF100          192.168.1.2/24
SwitchD    GE0/0/4              VLANIF103          10.110.5.1/24
Configuration Roadmap
In a small-scale experiment network, PIM-DM is adopted to configure multicast. Enable PIM
silent on the VLANIF interfaces of Switch A to protect Switch A from Hello message attacks.
The configuration roadmap is as follows:
1. Configure the IP addresses of interfaces and the unicast routing protocol. PIM is an intra-domain
   multicast routing protocol that depends on a unicast routing protocol. The multicast
   routing protocol can work normally after the unicast routing protocol works normally.
2. Enable multicast on the switch.
3. Enable PIM-DM on each interface.

Data Preparation
To complete the configuration, you need the following data:
- Address of multicast group G: 225.1.1.1/24
- Address of multicast source S: 10.110.5.100/24
- Version of the IGMP protocol running between routers and hosts: IGMPv2
NOTE

This configuration example describes only the commands used to configure PIM-DM.

Procedure
Step 1 Configure the IP address of each interface and the unicast routing protocol.
# Configure IP addresses and masks of interfaces on the switches according to Figure 6-14.
Configure OSPF between switches to ensure that the switches can communicate at the network
layer and update routes through the unicast routing protocol.
For details on how to configure IP addresses of interfaces, see 4.1.3 Configuring IP Addresses
for Interfaces in the AC6605 Access Controller Configuration Guide - Basic Configuration.
For details on how to configure OSPF, see 5.3 OSPF Configuration in the AC6605 Access
Controller Configuration Guide - IP Routing.
Step 2 Enable multicast on all switches and enable PIM-DM on all interfaces.
# Enable multicast on Switch A and enable PIM-DM on each interface. The configurations of
Switch B, Switch C, and Switch D are similar to the configuration of Switch A, and are not
provided here.
[SwitchA] multicast routing-enable
[SwitchA] interface vlanif 100
[SwitchA-Vlanif100] pim dm
[SwitchA-Vlanif100] quit
[SwitchA] interface vlanif 101
[SwitchA-Vlanif101] pim dm
[SwitchA-Vlanif101] quit

Step 3 Configure the interfaces connected to hosts to be PIM silent and configure IGMP on the interfaces.
# On Switch A, configure the VLANIF interface connected to hosts to be PIM silent, and configure
IGMP on the interface. The configurations of Switch B, Switch C, and Switch D are similar to
the configuration of Switch A, and are not provided here.
[SwitchA] interface vlanif 101
[SwitchA-Vlanif101] pim silent
[SwitchA-Vlanif101] igmp enable
[SwitchA-Vlanif101] quit

Step 4 Verify the configuration.

# Run the display pim interface command to view the configuration and running status of PIM on
the switch interfaces. The PIM configuration displayed on Switch D is as follows:
[SwitchD] display pim interface
VPN-Instance: public net
 Interface     State   NbrCnt   HelloInt   DR-Pri   DR-Address
 Vlanif103     up      0        30         1        10.110.5.1(local)
 Vlanif100     up      0        30         1        192.168.1.2(local)
 Vlanif200     up      1        30         1        192.168.2.2(local)
 Vlanif300     up      1        30         1        192.168.3.2(local)

# Run the display pim neighbor command to check the PIM neighbor relationship between the
switches. The display of the PIM neighbor relationship on Switch D is as follows:
[SwitchD] display pim neighbor
VPN-Instance: public net
Total Number of Neighbors = 3
 Neighbor       Interface    Uptime     Expires    Dr-Priority   BFD-Session
 192.168.1.1    Vlanif100    00:02:22   00:01:27                 N
 192.168.2.1    Vlanif200    00:00:22   00:01:29                 N
 192.168.3.1    Vlanif300    00:00:23   00:01:31

# Run the display pim routing-table command to view the PIM multicast routing table on the
switch. Assume that HostA needs to receive the information about multicast group G
225.1.1.1/24. When sending multicast packets to multicast group G, multicast source S
10.110.5.100/24 generates an SPT through flooding and the (S, G) entries exist on Switch A and
Switch D that are in the SPT. When HostA joins multicast group G, an (*, G) entry is generated
on Switch A. The information displayed on Switch B and Switch C is similar to the information
displayed on Switch A. The displayed information is as follows:
[SwitchA] display pim routing-table
VPN-Instance: public net
Total 1 (*, G) entry; 1 (S, G) entry
(*, 225.1.1.1)
Protocol: pim-dm, Flag: WC
UpTime: 03:54:19
Upstream interface: NULL
Upstream neighbor: NULL
RPF prime neighbor: NULL
Downstream interface(s) information:
Total number of downstreams: 1
1: Vlanif101
Protocol: igmp, UpTime: 01:38:19, Expires: never
(10.110.5.100, 225.1.1.1)
Protocol: pim-dm, Flag: ACT
UpTime: 00:00:44
Upstream interface: Vlanif100
Upstream neighbor: 192.168.1.2
RPF prime neighbor: 192.168.1.2
Downstream interface(s) information:
Total number of downstreams: 1
1: Vlanif101
Protocol: pim-dm, UpTime: 00:00:44, Expires: never
[SwitchD] display pim routing-table
VPN-Instance: public net
Total 0 (*, G) entry; 1 (S, G) entry
(10.110.5.100, 225.1.1.1)
Protocol: pim-dm, Flag: LOC ACT
UpTime: 01:35:25
Upstream interface: Vlanif103
Upstream neighbor: NULL
RPF prime neighbor: NULL
Downstream interface(s) information:

Total number of downstreams: 2
1: Vlanif100
Protocol: pim-dm, UpTime: 00:03:27, Expires: never
2: Vlanif200
Protocol: pim-dm, UpTime: 00:03:27, Expires: never

----End

Configuration Files
- Configuration file of Switch A


#
sysname SwitchA
#
multicast routing-enable
#
vlan batch 100 101
#
interface Vlanif100
ip address 192.168.1.1 255.255.255.0
pim dm
#
interface Vlanif101
ip address 10.110.1.1 255.255.255.0
pim dm
pim silent
igmp enable
#
interface GigabitEthernet0/0/1
port hybrid pvid vlan 100
port hybrid untagged vlan 100
#
interface GigabitEthernet0/0/2
port hybrid pvid vlan 101
port hybrid untagged vlan 101
#
ospf 1
area 0.0.0.0
network 192.168.1.0 0.0.0.255
network 10.110.1.0 0.0.0.255
#
return

- Configuration file of SwitchB


#
sysname SwitchB
#
multicast routing-enable
#
vlan batch 200 102
#
interface Vlanif102
ip address 10.110.2.1 255.255.255.0
pim dm
igmp enable
#
interface Vlanif200
ip address 192.168.2.1 255.255.255.0
pim dm
#
interface GigabitEthernet0/0/1
port hybrid pvid vlan 200
port hybrid untagged vlan 200
#
interface GigabitEthernet0/0/2
port hybrid pvid vlan 102
port hybrid untagged vlan 102

#
ospf 1
area 0.0.0.0
network 192.168.2.0 0.0.0.255
network 10.110.2.0 0.0.0.255
#
return

- Configuration file of SwitchC


#
sysname SwitchC
#
multicast routing-enable
#
vlan batch 102 300
#
interface Vlanif102
ip address 10.110.2.2 255.255.255.0
pim dm
igmp enable
#
interface Vlanif300
ip address 192.168.3.1 255.255.255.0
pim dm
#
interface GigabitEthernet0/0/1
port hybrid pvid vlan 300
port hybrid untagged vlan 300
#
interface GigabitEthernet0/0/2
port hybrid pvid vlan 102
port hybrid untagged vlan 102
#
ospf 1
area 0.0.0.0
network 192.168.3.0 0.0.0.255
network 10.110.2.0 0.0.0.255
#
return

- Configuration file of SwitchD


#
sysname SwitchD
#
multicast routing-enable
#
vlan batch 100 103 200 300
#
interface Vlanif 100
ip address 192.168.1.2 255.255.255.0
pim dm
#
interface Vlanif 103
ip address 10.110.5.1 255.255.255.0
pim dm
#
interface Vlanif 200
ip address 192.168.2.2 255.255.255.0
pim dm
#
interface Vlanif 300
ip address 192.168.3.2 255.255.255.0
pim dm
#
interface GigabitEthernet0/0/1
port hybrid pvid vlan 200
port hybrid untagged vlan 200
#
interface GigabitEthernet0/0/2
port hybrid pvid vlan 300

port hybrid untagged vlan 300


#
interface GigabitEthernet0/0/3
port hybrid pvid vlan 100
port hybrid tagged vlan 100
#
interface GigabitEthernet0/0/4
port hybrid pvid vlan 103
port hybrid untagged vlan 103
#
ospf 1
area 0.0.0.0
network 192.168.2.0 0.0.0.255
network 192.168.3.0 0.0.0.255
network 192.168.1.0 0.0.0.255
network 10.110.5.0 0.0.0.255
#
return
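The configuration files above are what an operator would audit to confirm that PIM silent sits only where the guide allows it: on PIM-enabled interfaces facing hosts (those carrying igmp enable), never on a link to another Switch, where the CAUTION in 6.5.10 says neighbor relationships would fail. As an added example, not from the guide or from Huawei, the following Python parses configuration files in the layout shown above and reports interfaces that break those rules; it assumes that an interface without igmp enable is a transit link, and the SwitchX fragment is constructed.

```python
# Constructed configuration fragments in the layout of the guide's files.
# Switch A follows the guide: the host-facing Vlanif101 is PIM silent.
SWITCH_A_CONFIG = """\
#
 sysname SwitchA
#
 multicast routing-enable
#
interface Vlanif100
 ip address 192.168.1.1 255.255.255.0
 pim dm
#
interface Vlanif101
 ip address 10.110.1.1 255.255.255.0
 pim dm
 pim silent
 igmp enable
#
return
"""

# Constructed counter-example (hypothetical SwitchX): 'pim silent' on a transit
# link, a host-facing interface without it, and 'pim silent' without PIM.
BAD_CONFIG = """\
#
 sysname SwitchX
#
interface Vlanif 100
 ip address 192.168.1.2 255.255.255.0
 pim dm
 pim silent
#
interface Vlanif 102
 ip address 10.110.2.1 255.255.255.0
 pim dm
 igmp enable
#
interface Vlanif 103
 ip address 10.110.5.1 255.255.255.0
 pim silent
#
return
"""


def parse_interfaces(config_text):
    """Return {interface_name: set(commands)} from a VRP-style configuration.
    Blocks are delimited by '#' lines; 'Vlanif 100' is normalised to 'Vlanif100'."""
    ifaces, current = {}, None
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line == "#":
            current = None          # end of the current block
            continue
        if line.startswith("interface "):
            current = line.split(None, 1)[1].replace(" ", "")
            ifaces[current] = set()
        elif current is not None:
            ifaces[current].add(line)
    return ifaces


def audit_pim_silent(config_text):
    """Return [(interface, finding)] for interfaces that break the guide's
    placement rules for PIM silent. Assumption: 'igmp enable' marks a
    host-facing interface; anything else with PIM is treated as a transit link."""
    findings = []
    for name, cmds in sorted(parse_interfaces(config_text).items()):
        pim_on = "pim dm" in cmds or "pim sm" in cmds
        silent = "pim silent" in cmds
        host_facing = "igmp enable" in cmds
        if silent and not pim_on:
            findings.append((name, "pim silent without PIM-DM or PIM-SM enabled on the interface"))
        if not pim_on:
            continue                # no PIM here, nothing more to check
        if host_facing and not silent:
            findings.append((name, "host-facing interface (igmp enable) is not PIM silent"))
        if silent and not host_facing:
            findings.append((name, "PIM silent on a transit interface: no PIM neighbor can form"))
    return findings


if __name__ == "__main__":
    for label, cfg in (("SwitchA", SWITCH_A_CONFIG), ("SwitchX", BAD_CONFIG)):
        for iface, msg in audit_pim_silent(cfg) or [("-", "no findings")]:
            print("%s %s: %s" % (label, iface, msg))
```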

6.6 PIM-SM (IPv4) Configuration


The PIM protocol is used to implement multicast routing and data forwarding inside an AS.
PIM-SM is a sparse-mode multicast routing protocol. It is applicable to a large-scale
network with sparsely distributed members.

6.6.1 PIM-SM Overview


In a PIM-SM network, group members are sparsely distributed and most network
segments have no group members. Therefore, an RP is the forwarding core of the PIM-SM
network. All PIM devices in the PIM-SM network must know the location of the RP, and
the RP collects information about both group members and multicast sources.
Protocol Independent Multicast (PIM) means that any unicast routing protocol, such as
static routes, RIP, OSPF, IS-IS, or BGP, can provide the routing information for IP multicast.
Multicast routing is independent of unicast routing protocols, except that the unicast routing table
is used to generate multicast routing entries.
PIM forwards multicast packets by using the Reverse Path Forwarding (RPF) mechanism. The
RPF mechanism is used to create the multicast forwarding tree from the existing unicast
routing information. When a multicast packet arrives at a Switch, the Switch performs the RPF
check on the packet. If the RPF check succeeds, a multicast routing entry is created for
forwarding the multicast packet. If the RPF check fails, the packet is discarded.
NOTE

For details of RPF, refer to the chapter IPv4 Multicast Routing Management.

The working process of the Protocol Independent Multicast-Sparse Mode (PIM-SM) consists
of neighbor discovery, assert, DR election, RP discovery, join, prune, register, and SPT
switchover.
As shown in Figure 6-15, PIM-SM is used in a large-scale network with sparsely distributed
group members.

Figure 6-15 Application of PIM-SM in the multicast network
[Figure: a Multicast Server (Source) attached to a network of PIM-SM devices; Receivers UserA, UserB, and UserC attach to the edge PIM-SM devices through IGMP.]

NOTE

- The Protocol Independent Multicast Dense Mode (PIM-DM) is applicable to a small-scale network
  with densely distributed members.
- PIM-SM can be used to construct the Any-Source Multicast (ASM) and Source-Specific Multicast
  (SSM) models.

6.6.2 PIM-SM Features Supported by the AC6605


The system can work normally with default PIM-SM parameters. You are also allowed to adjust
parameters related to neighbor discovery, forwarding, DR, RP, join, register, and assert. In
addition, you can configure various filtering policies and the PIM silent function to enhance the
PIM-SM security. PIM-SM supports SSM, PIM BFD, PIM GR, and SPT switchover.

Basic PIM-SM Functions


PIM-SM supports the ASM and SSM models. You can set the range of ASM group addresses
or the range of SSM group addresses.

Static RP
You can specify a static RP on all the Switches in a PIM-SM domain. When a dynamic RP exists
in the domain, the dynamic RP is preferred by default, but you can configure the static RP to be
preferred.

Dynamic RP
You can configure C-RPs and C-BSRs in a PIM-SM domain and set the unified rules used to
dynamically generate the BSR and the RP. You can adjust the priority for C-RP election, adjust
the lifetime of the advertisement message that the BSR receives from the C-RP, adjust the interval
for the C-RP to send advertisement messages, and specify an Access Control List (ACL) to limit
the range of the multicast groups served by the C-RP.

BSR
You can specify the C-BSR in the BSR domain, adjust the hash length used by the RP for C-RP
election, adjust the priority used for BSR election, and adjust the legal BSR address range. To
limit the transmission of BSR messages, you can configure the BSR service boundary on an
interface of the Switch on the boundary of the BSR domain.

Filtering Policy Based on Source Addresses


You can configure filtering rules of the multicast source address to control multicast sources.
You can configure the policy to filter Register messages, and suppress PIM-SM Register
messages.

BSR Administrative Domain


You can configure the service boundary of the BSR administrative domain and the boundary of
the administrative domain by using the related commands.

Adjusting Parameters for Maintaining PIM-SM Neighbors


You can adjust the following parameters about PIM-SM neighbors:
- Interval for sending Hello messages
- Time period for the neighbor to hold the reachable state
- Whether to receive the Hello messages with Generation IDs
- Maximum delay in triggering the Hello messages
- Priority for DR election
- DR switching delay
- Neighbor filtering function: An interface sets up neighbor relationships with only the
  addresses matching the filtering rules.

Configuring Control Parameters for Multicast Forwarding


You can adjust control parameters for multicast forwarding, including:
- Interval for sending Join messages
- Time period for the downstream interface to keep the forwarding state
- Time for overriding the prune action
- Filtering Join information in the Join/Prune messages
- Neighbor check function: checks whether the Join/Prune and Assert messages are sent to
  or received from a PIM neighbor. If not, these messages are not processed.

Configuring Control Parameters for Assert


You can configure the period for retaining the Assert state of the Switch interface.
Adjusting Control Parameters for SPT Switchover


You can adjust conditions of the SPT switchover and the interval for checking the forwarding
rate of multicast data.

PIM BFD
In the AC6605, you can dynamically set up the BFD session to detect the status of the link
between PIM neighbors. Once a fault occurs on the link, BFD reports the fault to PIM.

PIM GR
The AC6605 supports the PIM GR function on the Switch with double MPUs. PIM GR ensures
normal multicast data forwarding during master-slave switchover of the Switch.

Configuring PIM Silent


On the access layer, the Switch interface directly connected to hosts needs to be enabled with
PIM. You can establish a PIM neighbor on the Switch interface to process various PIM packets.
The configuration, however, has the security vulnerability. When a host maliciously generates
PIM Hello packets and sends the packets in large quantity, the Switch may break down.
To prevent the preceding case, you can set the status of the Switch interface to PIM silent. When
the interface is in the PIM silent state, the interface is prohibited from receiving and forwarding
any PIM packet. Then all PIM neighbors and PIM state machines on the interface are deleted.
The interface acts as the static DR and immediately takes effect. At the same time, IGMP on the
interface are not affected.

PIM-SM (IPv4) CPCAR Precautions


When there are a large number of multicast groups, PIM (IPv4) packets are transmitted at a rate
higher than the default CIR rate. This may result in the loss of PIM (IPv4) protocol packets and
failure to receive multicast programs. To avoid the problems, set an appropriate CIR value to
prevent CPU overload. For details, see 8.7.2 Local Attack Defense Features Supported by
the AC6605 in Configuration Guide - Security.

6.6.3 Configuring Basic PIM-SM Functions


Ensure that unicast routes are reachable before configuring IPv4 multicast routing and enable
PIM-SM on each interface of the multicast device. Configure static or dynamic RP so that the
PIM-SM network can work normally.

Establishing the Configuration Task


Before configuring basic PIM-SM functions, configure an IPv4 unicast routing protocol.

Applicable Environment
A PIM-SM network can adopt the ASM and SSM models to provide multicast services for user
hosts. The integrated components (including the RP) of the ASM model must be configured in
the network first. The SSM group address range is then adjusted as required.
NOTE

The SSM model is only supported in IGMPv3. If user hosts must run IGMPv1 or IGMPv2, configure IGMP
SSM mapping on Switch interfaces.

Through IGMP, a Switch learns the multicast group G that a user wants to join.
- If G is in the SSM group address range and the source S is specified when the user joins G
  through IGMPv3, the SSM model is used to provide multicast services.
- If G is in the SSM group address range and the Switch is configured with (S, G) SSM
  mapping rules, the SSM model is used to provide multicast services.
- If G is not in the SSM group address range, the ASM model is used to provide multicast
  services.

In the PIM-SM network, the ASM model supports the following methods to obtain an RP. You
can select the method as required.
- Dynamic RP: To obtain the dynamic RP, select several Switches in the PIM-SM domain and
  configure them as C-RPs and C-BSRs, and then configure the BSR boundary on the
  interface on the boundary of the domain. Each Switch in the PIM-SM domain can then
  automatically obtain the RP.
- Static RP: To obtain a static RP, manually configure the RP on each Switch in the PIM-SM
  domain. For a large-scale PIM network, configuring the static RP is complicated. To
  enhance the robustness and the operation and management of the multicast network, the static
  RP is usually used as the backup of the BSR-RP.

A multicast group may be in the service range of the dynamic RP and the static RP
simultaneously. By default, the Switch prefers the dynamic RP. If static RP precedence is
configured, the static RP is preferred.
Different multicast groups can correspond to different RPs. Compared with all groups corresponding
to one RP, this reduces the burden on an RP and enhances the robustness of the network.

Pre-configuration Tasks
Before configuring basic PIM-SM functions, complete the following tasks:
- Configuring a unicast routing protocol

Data Preparation
To configure basic PIM-SM functions, you need the following data.

No.  Data
1    Static RP address
2    ACL rule indicating the service scope of the static RP
3    C-RP priority
4    ACL rule indicating the service scope of the C-RP
5    Interval at which the C-RP sends Advertisement messages
6    Timeout period during which the BSR waits to receive Advertisement messages from the C-RP
7    C-BSR hash mask length
8    C-BSR priority
9    SSM group address range

Enabling IP Multicast Routing


Before configuring any IPv4 multicast feature, enable IPv4 multicast routing.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
multicast routing-enable

IP multicast routing is enabled in the public network instance.


----End

Enabling Basic PIM-SM Functions


An interface can set up PIM neighbor relationship with other devices after PIM-SM is enabled
on it.

Context
NOTE

When the Switch is deployed in a PIM-SM domain, enable PIM-SM on all non-boundary interfaces.

Do as follows on the Switch:

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
interface interface-type interface-number

The interface view is displayed.


The interface can be a VLANIF interface or a Loopback interface.
Step 3 Run:
pim sm

PIM-SM is enabled.

After PIM-SM is enabled on the interface and PIM neighbor relationships are set up between
Switches, the protocol packets from the PIM neighbors can be processed.
----End

(Optional) Configuring a Static RP


When only one RP exists in the network, you can manually configure a static RP rather than a
dynamic RP. This can save the bandwidth occupied by message exchange between the C-RP
and the BSR. The configurations about the static RP should be the same on all the devices in a
PIM-SM domain.

Context

CAUTION
When a static RP and a dynamic RP are configured in the PIM-SM domain at the same time, faults
may occur in the network. Confirm the action before you run the command. If you want to
use only the dynamic RP in the PIM-SM network, skip this configuration.
Do as follows on all Switches in a PIM-SM domain. Switches on which the static RP is not configured
cannot participate in multicast forwarding in this PIM-SM domain.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
pim

The PIM view is displayed.


Step 3 Run:
static-rp rp-address [ basic-acl-number ] [ preferred ]

The static RP is configured.
----End

(Optional) Configuring a Dynamic RP


In a PIM-SM domain, you can select several PIM devices and configure C-RPs on the devices.
Then, an RP is elected from these C-RPs. The C-BSRs should also be configured and a BSR is
elected from these C-BSRs. The BSR is responsible for collecting and advertising the C-RP
information on the network. The system supports the auto-RP listening function.

Context

CAUTION
The configuration is applicable only to the dynamic RP. If you want to use the static RP in the
network, skip this configuration.
Do as follows on the Switch that may become the RP in the PIM-SM domain:

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
pim

The PIM view is displayed.


Step 3 Run:
c-rp interface-type interface-number [ group-policy basic-acl-number | priority
priority | holdtime hold-interval | advertisement-interval adv-interval ] *

The C-RP is configured.


- interface-type interface-number: specifies the interface where the C-RP resides. The
  interface must be configured with PIM-SM.
- priority priority: specifies the priority for electing the C-RP. The greater the value, the lower
  the priority. By default, it is 0.
  In the RP election, the C-RP with the highest priority wins. In case of the same priority, the
  hash function is used and the C-RP with the greatest hash value wins. In case of the same
  priority and the same hash value, the C-RP with the highest IP address wins.
  NOTE

  It is recommended to configure loopback interfaces as RPs.

  If address borrowing is configured, it is not recommended to configure C-RPs on interfaces that
  have the same address. If the priorities of those interfaces differ, the BSR considers that the C-RP
  configuration is being modified repeatedly.

- holdtime hold-interval: specifies the interval during which the BSR waits for the
  Advertisement message from the C-RP. By default, the interval is 150 seconds.
- advertisement-interval adv-interval: specifies the interval at which the C-RP sends
  Advertisement messages. By default, the interval is 60 seconds.
Step 4 Run:
c-bsr interface-type interface-number [ hash-length [ priority ] ]

The C-BSR is configured.


- interface-type interface-number: specifies the interface where the C-BSR resides. The
  interface must be configured with PIM-SM.
- hash-length: specifies the hash mask length. Using G, the C-RP address, and the value of
  hash-length, Switches run the hash function over the C-RPs that have the same priority and
  are eligible to serve G, and compare the results. The C-RP with the greatest calculated value
  functions as the RP that serves G.
- priority: specifies the priority used by Switches in the BSR election. The greater the
  value, the higher the priority. By default, it is 0.
  In the BSR election, the C-BSR with the highest priority wins. In the case of the same priority,
  the C-BSR with the largest IP address wins.
Step 5 (Optional) Run:
bsm semantic fragmentation

The BSR message fragmentation is enabled.


It is recommended to enable BSR message fragmentation on all devices on the network, because
it avoids the problem of IP fragmentation, where all fragments become unusable when fragment
information is lost.
Step 6 (Optional) Run:
auto-rp listening enable

The Auto-RP listening is enabled.


When the Switch interworks with devices that support Auto-RP, this command must be
configured on the Switch.
----End
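The RP election described in this task (priority, then hash value, then highest C-RP address) and the static/dynamic RP preference rule from the section introduction, worked through in Python as an added example that is not Huawei code. The hash is the RFC 4601 RP hash that the C-BSR hash-length parameterizes, the longest-prefix step also comes from RFC 4601 rather than from this page, and the RP-Set entries, static RP and addresses are constructed.

```python
"""PIM-SM RP selection modelled in Python (added example, not Huawei code)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

HASH_MULT = 1103515245   # constants of the RFC 4601 RP hash
HASH_ADD = 12345


@dataclass(frozen=True)
class CandidateRP:
    """One C-RP as learned from the BSR's RP-Set (constructed model)."""
    address: str                       # C-RP address, normally a loopback interface address
    priority: int = 0                  # c-rp priority: the greater the value, the lower the priority
    group_range: str = "224.0.0.0/4"   # groups served, i.e. the c-rp group-policy ACL scope


@dataclass(frozen=True)
class StaticRP:
    """A static-rp entry (constructed model)."""
    address: str
    group_range: str = "224.0.0.0/4"   # service scope given by the static-rp basic ACL
    preferred: bool = False            # the static-rp 'preferred' keyword


def rp_hash(group: str, crp_address: str, hash_length: int) -> int:
    """RFC 4601 hash: (a * ((a * (G & M) + b) XOR C) + b) mod 2^31, where M is a mask of
    hash_length leading one bits, so all groups that share G & M hash to the same value."""
    if not 0 <= hash_length <= 32:
        raise ValueError("hash-length must be in 0..32")
    g = int(ipaddress.IPv4Address(group))
    c = int(ipaddress.IPv4Address(crp_address))
    mask = (0xFFFFFFFF << (32 - hash_length)) & 0xFFFFFFFF
    inner = (HASH_MULT * (g & mask) + HASH_ADD) ^ c
    return (HASH_MULT * inner + HASH_ADD) % (1 << 31)


def elect_dynamic_rp(group: str, rp_set: List[CandidateRP],
                     hash_length: int) -> Optional[CandidateRP]:
    """Choose the RP for `group` from the RP-Set: longest matching group prefix (RFC 4601),
    then highest priority (lowest value), then greatest hash value, then highest C-RP address."""
    g = ipaddress.IPv4Address(group)
    matching = [c for c in rp_set if g in ipaddress.IPv4Network(c.group_range)]
    if not matching:
        return None
    longest = max(ipaddress.IPv4Network(c.group_range).prefixlen for c in matching)
    matching = [c for c in matching
                if ipaddress.IPv4Network(c.group_range).prefixlen == longest]
    return max(matching, key=lambda c: (-c.priority,
                                        rp_hash(group, c.address, hash_length),
                                        int(ipaddress.IPv4Address(c.address))))


def choose_rp(group: str, rp_set: List[CandidateRP], hash_length: int = 30,
              static_rp: Optional[StaticRP] = None) -> Optional[str]:
    """Combine dynamic and static RP as the guide states: the dynamic RP is preferred by
    default, the static RP wins when 'preferred' is configured, and the static RP is also
    used when no C-RP in the RP-Set serves the group."""
    static_serves = static_rp is not None and \
        ipaddress.IPv4Address(group) in ipaddress.IPv4Network(static_rp.group_range)
    if static_serves and static_rp.preferred:
        return static_rp.address
    winner = elect_dynamic_rp(group, rp_set, hash_length)
    if winner is not None:
        return winner.address
    return static_rp.address if static_serves else None


if __name__ == "__main__":
    # Constructed RP-Set: two C-RPs at default priority and one with a lower priority (10).
    rp_set = [CandidateRP("10.1.1.1"), CandidateRP("10.1.1.2"), CandidateRP("10.1.1.3", priority=10)]
    for grp in ("239.1.1.1", "239.1.1.2", "239.1.1.5"):
        # With hash-length 30 (the RFC 4601 default) 239.1.1.1 and 239.1.1.2 share one RP.
        print(grp, "->", choose_rp(grp, rp_set, hash_length=30))
    print("static preferred ->",
          choose_rp("239.1.1.1", rp_set, 30, StaticRP("10.9.9.9", preferred=True)))
```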

(Optional) Configuring the SSM Group Address Range


The default SSM group address range is 232.0.0.0/8. You can manually configure the SSM group
address range. Ensure that the SSM group address ranges configured on all devices in the network
are identical.

Context
This configuration is optional. By default, the SSM group address range is 232.0.0.0/8.
Do as follows on all Switches in the PIM-SM domain:

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
pim

The PIM view is displayed.


Step 3 Run:
ssm-policy basic-acl-number

The SSM group address range is configured.


NOTE

Ensure that the SSM group address range is consistent on all Switches in the network.

----End

Checking the Configuration


After basic functions of PIM-SM are configured, you can check information about the BSR, RP,
PIM interface, PIM neighbor, and PIM routing table through commands.

Procedure
- Run the display pim interface [ interface-type interface-number | up | down ]
  [ verbose ] command to check PIM on an interface.
- Run the display pim neighbor [ neighbor-address | interface interface-type interface-number |
  verbose ] * command to check a PIM neighbor.
- Run the following commands to check the PIM routing table.
  display pim routing-table [ group-address [ mask { group-mask-length | group-mask } ] |
  source-address [ mask { source-mask-length | source-mask } ] | incoming-interface
  { interface-type interface-number | register } | outgoing-interface { include | exclude |
  match } { interface-type interface-number | register | none } | mode { dm | sm | ssm } |
  flags flag-value | fsm ] * [ outgoing-interface-number [ number ] ]
  display pim routing-table brief [ group-address [ mask { group-mask-length | group-mask } ] |
  source-address [ mask { source-mask-length | source-mask } ] | incoming-interface
  { interface-type interface-number | register } ] *
- Run the display pim rp-info [ group-address ] command to check the RP in a PIM-SM
  domain.

----End

6.6.4 Adjusting Control Parameters for a Multicast Source


A multicast device can control the forwarding of multicast data based on multicast sources. This
helps to control multicast data flows and limit information that can be obtained by downstream
receivers to enhance security.

Establishing the Configuration Task


After basic functions of PIM-SM are configured, you can configure the lifetime of a multicast
source and source address-based filtering rules as required.

Applicable Environment
All the configurations in this section are applicable to the ASM and SSM models.
PIM Switches check the multicast data that passes through them. By checking whether the data
matches the filtering rule, the Switches determine whether to forward the data. That is, the
Switches in the PIM domain function as filters. The filters help to control the data flow and to
limit the information that downstream receivers can obtain.
Switches can work normally with the default values. The AC6605 allows users to adjust the
parameters as required.
NOTE

If there is no special requirement, default values are recommended.

Pre-configuration Tasks
Before adjusting control parameters for a multicast source, complete the following tasks:
- Configuring a unicast routing protocol
- Configuring Basic PIM-SM Functions

Data Preparation
To adjust control parameters for a multicast source, you need the following data.

No.  Data
1    Lifetime of a multicast source
2    Filtering rules based on multicast source addresses

Configuring the Lifetime of a Source


A multicast device starts a timer for each (S, G) entry. If the multicast device does not receive
any multicast packets from a multicast source within the set lifetime of the multicast source, it
considers that the (S, G) entry becomes invalid and the multicast source stops sending multicast
data to the multicast group.

Context
Do as follows on the Switch:

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
pim

The PIM view is displayed.


Step 3 Run:
source-lifetime interval

The lifetime of a source is configured.


If the lifetime of the source expires, the (S, G) entry becomes invalid.
----End
Configuring Filtering Rules Based on Source Addresses


After ACL rules are configured, a multicast device can filter the received multicast packets based
on source addresses or source/group addresses.

Context
Do as follows on the Switch:

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
pim

The PIM view is displayed.


Step 3 Run:
source-policy acl-number

A filter is configured.
If the basic ACL is configured, only the packets with the source addresses that pass the filtering
are forwarded.
If the advanced ACL is configured, only the packets with the source addresses and group
addresses that pass the filtering are forwarded.
----End

Checking the Configuration


After the control parameters of a multicast source are adjusted, you can run commands to check
entries in the PIM routing table.

Procedure
- Run the following commands to check the PIM routing table.
  display pim routing-table [ group-address [ mask { group-mask-length | group-mask } ] |
  source-address [ mask { source-mask-length | source-mask } ] | incoming-interface
  { interface-type interface-number | register } | outgoing-interface { include | exclude |
  match } { interface-type interface-number | register | none } | mode { dm | sm | ssm } |
  flags flag-value | fsm ] * [ outgoing-interface-number [ number ] ]
  display pim routing-table brief [ group-address [ mask { group-mask-length | group-mask } ] |
  source-address [ mask { source-mask-length | source-mask } ] | incoming-interface
  { interface-type interface-number | register } ] *

----End
6.6.5 Adjusting Control Parameters of the C-RP and C-BSR


If a dynamic RP is used, you can adjust parameters of C-RPs and C-BSR as required. If there is
no special requirement, default values are recommended.

Establishing the Configuration Task


If dynamic RP is used, after basic functions of PIM-SM are configured, you can adjust parameters
of the C-RP and C-BSR, configure a BSR boundary, and set valid address ranges for BSRs and
C-RPs.

Applicable Environment
This section describes how to adjust control parameters of the C-RP and the C-BSR by using
commands in the ASM model.
NOTE

The configuration is applicable only to a BSR-RP. If you want to use only a static RP in the network, skip
the configuration.

The Switch can work properly by using default values of control parameters. The AC6605 allows
users to adjust parameters.
NOTE

Default values are recommended.

Pre-configuration Tasks
Before adjusting control parameters of the C-RP and C-BSR, complete the following tasks:
- Configuring a unicast routing protocol
- Configuring Basic PIM-SM Functions

Data Preparation
To adjust various control parameters of the C-RP and C-BSR, you need the following data.

No.  Data
1    C-RP priority
2    Interval for a C-RP to send Advertisement messages
3    Timeout of the period during which a BSR waits to receive Advertisement messages from a C-RP
4    Hash mask length of a C-BSR
5    Priority of a C-BSR
6    Interval for a C-BSR to send Bootstrap messages
7    Time of holding the Bootstrap message received from a BSR
8    ACL defining the valid BSR address scope

Adjusting C-RP Parameters


C-RPs periodically send Advertisement messages to a BSR. The Advertisement messages carry
C-RP priorities. You can adjust the C-RP priority, the interval for sending Advertisement
messages, and the holdtime of Advertisement messages on a device configured with the C-RP.

Context
Do as follows on the Switch configured with the C-RP:
NOTE

You can reset various parameters of a C-RP. This configuration is optional. If there is no specific
requirement, default values of the parameters are recommended.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
pim

The PIM view is displayed.


Step 3 Run:
c-rp priority priority

The C-RP priority is set.


Step 4 Run:
c-rp advertisement-interval interval

The interval at which the C-RP sends Advertisement messages is set.
Step 5 Run:
c-rp holdtime interval

The time for holding the Advertisement message from a C-RP is set. The value must be greater
than the interval for a C-RP to send advertisement messages.
The C-RP periodically sends advertisement messages to the BSR. After receiving the
advertisement messages, the BSR obtains the Holdtime of the C-RP from the message. During
the Holdtime, the C-RP is valid. When the Holdtime expires, the C-RP ages out.
----End

Adjusting C-BSR Parameters


At first, each C-BSR considers itself as a BSR and sends Bootstrap messages to all devices in
the network. You can adjust the hash mask length of the C-BSR carried in a Bootstrap message,
the C-BSR priority, the interval for sending Bootstrap messages, and the holdtime of Bootstrap
messages on a device configured with the C-BSR.
Context
Do as follows on the Switch configured with the C-BSR:
NOTE

You can reset various parameters of a C-BSR. This configuration is optional. If there is no specific
requirement, the default values of the parameters are recommended.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
pim

The PIM view is displayed.


Step 3 Run:
c-bsr hash-length hash-length

The hash mask length of a C-BSR is set.


Step 4 Run:
c-bsr priority priority

The priority of the C-BSR is set.


Step 5 Run:
c-bsr interval interval

The interval for the BSR to send Bootstrap messages is set.


Step 6 Run:
c-bsr holdtime interval

The time of holding the Bootstrap message received from a BSR is set.
The BSR periodically sends a Bootstrap message to the network. After receiving the Bootstrap
message, the Switches keep the message for a certain time. During this period, the BSR election
stops temporarily. If the Holdtime timer expires, a new round of BSR election is triggered
among the C-BSRs.
NOTE

Ensure that the value of c-bsr holdtime is greater than the value of c-bsr interval. Otherwise, the winner
of BSR election cannot be fixed.

----End

Configuring the BSR Boundary


A BSR boundary can be configured on an interface. Bootstrap messages cannot pass the BSR
boundary. Multiple BSR boundary interfaces divide the network into different PIM-SM
domains.
Context
Do as follows on the Switch that may become the BSR boundary:

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
interface interface-type interface-number

The interface view is displayed.


The interface can be a VLANIF interface or a Loopback interface.
Step 3 Run:
pim bsr-boundary

The BSR boundary is configured. Bootstrap messages cannot pass the BSR boundary.
By default, all the PIM-SM Switches on the network can receive Bootstrap messages.
----End

(Optional) Configuring the BSR Address Range


ACL-based policies can be set on all devices to filter C-BSR addresses. The devices then receive
only the Bootstrap messages with the source addresses being in the valid C-BSR address range.
Thus, BSR spoofing is avoided.

Context
Do as follows on all Switches in the PIM-SM domain:
NOTE

By default, all BSR packets are received without the BSR source address check.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
pim

The PIM view is displayed.


Step 3 Run:
bsr-policy basic-acl-number

The legal range of BSR addresses is set.


After receiving a BSR message, the Switch checks the source address of the message. If the
source address is not within the range of legal addresses, the message is discarded. BSR spoofing
is thus prevented.
----End

(Optional) Configuring the Range of Valid C-RP Addresses


ACL-based policies can be set on all C-BSRs to filter C-RP addresses and addresses of the groups
that the C-RPs serve. The BSR adds C-RP information to the RP-set only when the addresses
are in the set legal address range. Thus, C-RP spoofing is avoided.

Context
Do as follows on all the C-BSRs in the PIM-SM domain:
NOTE

This configuration is optional. By default, a Switch does not check the C-RP address and the group address
contained in a received Advertisement message and adds them to the RP-set.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
pim

The PIM view is displayed.


Step 3 Run:
crp-policy advanced-acl-number

The range of the valid C-RP addresses and the range of the multicast group addresses that a
Switch serves are specified. When receiving an Advertisement message, the Switch checks the
C-RP address and the addresses of the groups that the C-RP serves in the message. The C-RP
address and the addresses of the groups that the C-RP serves are added to the RP-Set only when
they are in the valid address range. The C-RP spoofing can thus be prevented.
----End
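The crp-policy check in this task and the bsr-policy check in the preceding one, modelled in Python as an added example that is not Huawei code: a constructed first-match ACL matcher applies a basic ACL to the source address of Bootstrap messages and an advanced ACL to the C-RP address and group range carried in Advertisement messages, and logs what a device would discard. The message fields, rule syntax and sample addresses are constructed for the example.

```python
"""bsr-policy / crp-policy address checks modelled in Python (added example, not Huawei code)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    """One ACL rule (constructed model of the device's ACL). A basic ACL rule matches only the
    source address; an advanced ACL rule also matches a destination, used here for the group
    range a C-RP serves. Rules are tried in order, the first match decides, no match = not permitted."""
    action: str                      # "permit" or "deny"
    source: str = "0.0.0.0/0"
    destination: str = "0.0.0.0/0"


def acl_permits(rules: List[Rule], source: str, group_range: str = "0.0.0.0/0") -> bool:
    src = ipaddress.IPv4Address(source)
    grp = ipaddress.IPv4Network(group_range)
    for r in rules:
        if src in ipaddress.IPv4Network(r.source) and grp.subnet_of(ipaddress.IPv4Network(r.destination)):
            return r.action == "permit"
    return False


@dataclass(frozen=True)
class BootstrapMessage:
    source: str                      # IP source address, i.e. the device claiming to be the BSR
    bsr_priority: int


@dataclass(frozen=True)
class Advertisement:
    crp_address: str                 # C-RP address carried in the Advertisement message
    groups: Tuple[str, ...]          # group ranges the C-RP claims to serve


def filter_bootstrap(msgs, bsr_policy: Optional[List[Rule]]):
    """bsr-policy: with no policy every Bootstrap message is accepted (the default behaviour);
    with a policy, a message whose source the basic ACL does not permit is discarded.
    Returns (accepted messages, log lines for discarded messages)."""
    accepted, log = [], []
    for m in msgs:
        if bsr_policy is None or acl_permits(bsr_policy, m.source):
            accepted.append(m)
        else:
            log.append(f"drop Bootstrap from {m.source}: source not in the valid BSR address range")
    return accepted, log


def build_rp_set(advs, crp_policy: Optional[List[Rule]]):
    """crp-policy on a C-BSR: a (C-RP address, group range) pair enters the RP-Set only when the
    advanced ACL permits both; by default everything is added. Returns (rp_set pairs, log lines)."""
    rp_set, log = [], []
    for a in advs:
        for g in a.groups:
            if crp_policy is None or acl_permits(crp_policy, a.crp_address, g):
                rp_set.append((a.crp_address, g))
            else:
                log.append(f"drop Advertisement from {a.crp_address} for {g}: outside the valid C-RP range")
    return rp_set, log


# Constructed policies and sample messages: only 10.0.0.0/24 may act as BSR, and only C-RPs in
# 10.0.1.0/24 may serve groups inside 239.0.0.0/8.
BSR_POLICY = [Rule("permit", "10.0.0.0/24")]
CRP_POLICY = [Rule("permit", "10.0.1.0/24", "239.0.0.0/8")]
SAMPLE_BOOTSTRAP = [BootstrapMessage("10.0.0.1", 0), BootstrapMessage("192.0.2.77", 255)]
SAMPLE_ADVS = [Advertisement("10.0.1.1", ("239.1.0.0/16", "224.0.0.0/4")),
               Advertisement("192.0.2.9", ("239.0.0.0/8",))]

if __name__ == "__main__":
    kept, dropped = filter_bootstrap(SAMPLE_BOOTSTRAP, BSR_POLICY)
    print("Bootstrap messages kept:", [m.source for m in kept])
    rp_set, dropped_advs = build_rp_set(SAMPLE_ADVS, CRP_POLICY)
    print("RP-Set:", rp_set)
    for line in dropped + dropped_advs:
        print(line)
```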

Checking the Configuration


After the control parameters of C-RPs and C-BSRs are adjusted, you can check information
about the BSR and RP and check whether a BSR boundary is configured on the interface through
commands.

Procedure
- Run the display pim bsr-info command to check the BSR in a PIM-SM domain.
- Run the display pim rp-info [ group-address ] command to check the RP in a PIM-SM
  domain.

----End
6.6.6 Configuring a BSR Administrative Domain


A PIM-SM network can be divided into multiple BSR administrative domains and a global
domain. This effectively reduces the load of a single BSR, and provides a special service for
specific multicast groups.

Establishing the Configuration Task


After dynamic RP and basic PIM-SM functions are configured, you can configure BSR
administrative domains as required. Each BSR administrative domain maintains a BSR and
provides services for the multicast groups within a specific address range. Multicast groups that
do not belong to any BSR administrative domain are served by the global domain.

Applicable Environment
This section describes how to configure a BSR administrative domain in the ASM model through
commands.
In the traditional mode, a PIM-SM network maintains only one BSR and all multicast groups in
the network are in the administrative range of that BSR. To better manage the domains, the PIM-SM
network is divided into multiple BSR administrative domains. Each BSR administrative
domain maintains only one BSR that serves specified multicast groups. BSR administrative
domains are geographically isolated. Multicast packets of a BSR administrative domain cannot
pass the border of the domain.
The address of a multicast group served by a BSR administrative domain is valid only in the
BSR administrative domain. The addresses of multicast groups served by different BSR
administrative domains can be identical and these addresses are equal to private multicast group
addresses.
Multicast groups that do not belong to any BSR administrative domain are served by the global
domain. Global domain maintains only one BSR that serves the remaining multicast groups.
Dividing a PIM-SM network into multiple BSR administrative domains and a global domain
effectively reduces the load of a single BSR, and provides a special service for specific multicast
groups.
The Switch can work normally under the control of default values. The AC6605 allows users to
adjust the parameters.
NOTE

Default values are recommended.

Pre-configuration Tasks
Before configuring a BSR administrative domain, complete the following tasks:
- Configuring a unicast routing protocol
- Configuring Basic PIM-SM Functions

Data Preparation
To configure a BSR administrative domain, you need the following data.

No.  Data
1    Priority and hash mask length for electing a BSR in a BSR administrative domain
2    Priority and hash mask length for electing the global domain BSR

Enabling a BSR Administrative Domain


Enable BSR administrative domains on all devices in a PIM-SM network.

Context
Do as follows on all Switches in the PIM-SM network:

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
pim

The PIM view is displayed.


Step 3 Run:
c-bsr admin-scope

The division of BSR administrative domains is enabled in a PIM-SM network.


----End

Configuring the Boundary of a BSR Administrative Domain


After an interface is configured as a BSR administrative domain boundary, all the multicast
packets for the groups in this BSR administrative domain cannot pass this interface.

Context
Do as follows on all Switches at the boundary of a BSR administrative domain:
NOTE

Switches outside the BSR administrative domain cannot forward the multicast packets of the BSR
administrative domain.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
interface interface-type interface-number

The interface view is displayed.


The interface can be a VLANIF interface or a Loopback interface.
Step 3 Run:
multicast boundary group-address { mask | mask-length }

The BSR administrative domain boundary is configured. Multicast packets that belong to the
BSR administrative domain cannot traverse the boundary.
----End

Adjusting C-BSR Parameters


You can adjust the C-BSR parameters of the BSR administrative domain and the global domain
as required.

Context
Do as follows on all C-BSRs:
NOTE

The C-BSR configuration involves three cases:
- Global configuration: For global configuration, see Adjusting Control Parameters of the C-RP and
  C-BSR. It is valid in the global domain and each BSR administrative domain.
- Configuration in a BSR administrative domain: Because the configuration in a BSR administrative
  domain takes precedence over the global configuration, the global configuration is used when the
  configuration in a BSR administrative domain is not done.
- Configuration in the global domain: Because the configuration in the global domain takes precedence
  over the global configuration, the global configuration is used when the configuration in the global
  domain is not done.

Procedure
- Configuration in a BSR Administrative Domain
  1. Run:
     system-view

     The system view is displayed.
  2. Run:
     pim

     The PIM view is displayed.
  3. Run:
     c-bsr group group-address { mask | mask-length } [ hash-length hash-length | priority priority ] *

     The C-BSR parameters are configured.
     group-address { mask | mask-length }: specifies the range of the multicast groups
     served by a C-BSR. Group addresses in 239.0.0.0/8 are valid group addresses.
     hash-length hash-length: specifies the hash mask length of a C-BSR.
     priority priority: specifies the priority of a C-BSR.
- Configuration in the Global Domain
  1. Run:
     system-view

     The system view is displayed.
  2. Run:
     pim

     The PIM view is displayed.
  3. Run:
     c-bsr global [ hash-length hash-length | priority priority ] *

     The C-BSR parameters are configured.
     hash-length hash-length: specifies the hash mask length of a C-BSR.
     priority priority: specifies the priority of a C-BSR.
----End

Checking the Configuration


After a BSR administrative domain is configured, you can run commands to view configurations
about the BSR and RP.

Procedure
- Run the display pim bsr-info command to check the BSR in a PIM-SM domain.
- Run the display pim rp-info [ group-address ] command to check the RP in a PIM-SM
  domain.

----End

6.6.7 Adjusting Control Parameters for Establishing the Neighbor Relationship

Multicast devices establish PIM neighbor relationships and negotiate various control parameters
by exchanging Hello messages. You can adjust the parameters carried in Hello messages as
required. If there is no special requirement, adopt default values.

Establishing the Configuration Task


After basic functions of PIM-SM are configured, you can adjust related parameters of Hello
messages for controlling neighbor relationships, and configure the downstream neighbor
tracking function and the neighbor filtering function.

Applicable Environment
The configuration in this section is applicable to both the ASM model and the SSM model.
PIM Switches send Hello messages to each other to establish the neighbor relationship,
negotiate the control parameters, and elect a DR.
The Switch can work normally by default. The AC6605 allows the users to adjust the parameters
as required.
NOTE

It is recommended to adopt the default value if there is no special requirement.

Pre-configuration Tasks
Before configuring control parameters for establishing the neighbor relationship, complete the
following tasks:
- Configuring a unicast routing protocol
- Configuring Basic PIM-SM Functions

Data Preparation
To adjust the control parameters for establishing the neighbor relationship, you need the
following data.

No.  Data
1    Priority of the DR that is elected
2    Timeout period for waiting for Hello messages from a neighbor
3    Interval for sending Hello messages
4    Maximum delay for triggering Hello messages
5    DR switchover delay, that is, the period during which the original entries are still
     valid when the interface changes from a DR to a non-DR
6    Number or name of the ACL used to filter PIM neighbors

Configuring Control Parameters for Establishing the Neighbor Relationship


Control parameters for establishing the neighbor relationship can be configured either globally
or on an interface. The configuration in the interface view takes precedence over the configuration
in the PIM view. When the interval is not configured in the interface view, the configuration in
the PIM view takes effect.

Context
Do as follows on the PIM-SM Switch.
NOTE

The configuration involves the following cases:
- Global configuration: It is valid on all the interfaces.
- Configuration on an interface: The configuration on an interface takes precedence over the global
  configuration. If the configuration on an interface is not done, the global configuration is used.

Procedure
l Global Configuration
  1. Run: system-view
     The system view is displayed.
  2. Run: pim
     The PIM view is displayed.
  3. Run: timer hello interval
     The interval for sending Hello messages is set.
  4. Run: hello-option holdtime interval
     The timeout period for holding the reachable state of a neighbor is set. If no Hello message is received from the neighbor before this period expires, the neighbor is considered unreachable.
l Configuration on an Interface
  1. Run: system-view
     The system view is displayed.
  2. Run: interface interface-type interface-number
     The interface view is displayed. The interface can be a VLANIF interface or a loopback interface.
  3. Run: pim timer hello interval
     The interval for sending Hello messages is set.
  4. Run: pim triggered-hello-delay interval
     The maximum delay for triggering Hello messages is set. The interface waits a random time, up to this delay, before sending a triggered Hello message, which prevents multiple PIM Switches on the same segment from sending Hello messages at the same time.
  5. Run: pim hello-option holdtime interval
     The timeout period for holding the reachable state of a neighbor is set. If no Hello message is received from the neighbor before this period expires, the neighbor is considered unreachable.
  6. Run: pim require-genid
     The interface is configured to require the Generation ID option in received Hello messages. A Hello message without the Generation ID option is rejected.

     By default, the Switch accepts Hello messages that do not carry the Generation ID option.
----End

Configuring Control Parameters for Electing a DR


The control parameters for electing a DR can be set either globally or on an interface.

Context
Do as follows on the PIM-SM Switch:
NOTE
The configuration involves the following cases:
l Global configuration: It is valid on all the interfaces.
l Configuration on an interface: The configuration on an interface takes precedence over the global configuration. If the configuration on an interface is not done, the global configuration is used.

Procedure
l Global Configuration
  1. Run: system-view
     The system view is displayed.
  2. Run: pim
     The PIM view is displayed.
  3. Run: hello-option dr-priority priority
     The DR priority is set.
     On a shared network segment where all PIM Switches support the DR priority, the interface with the highest priority acts as the DR; if the priorities are equal, the interface with the largest IP address acts as the DR. If at least one PIM Switch on the segment does not support the DR priority, the priority is ignored and the interface with the largest IP address acts as the DR.
l Configuration on an Interface
  1. Run: system-view
     The system view is displayed.
  2. Run: interface interface-type interface-number
     The interface view is displayed. The interface can be a VLANIF interface or a loopback interface.
  3. Run: pim hello-option dr-priority priority
     The DR priority is set.

     On a shared network segment where all PIM Switches support the DR priority, the interface with the highest priority acts as the DR; if the priorities are equal, the interface with the largest IP address acts as the DR. If at least one PIM Switch on the segment does not support the DR priority, the priority is ignored and the interface with the largest IP address acts as the DR.
  4. Run: pim timer dr-switch-delay interval
     The DR switchover delay is configured. When an interface changes from a DR to a non-DR, the original entries remain valid until the delay expires.
     By default, once an interface changes from a DR to a non-DR, the original entries are deleted immediately.
----End
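The election rule stated in step 3 decides which router on a shared segment registers sources and sends Joins on behalf of receivers, so it is worth seeing what a single non-conforming neighbor does to it. The following Python is an added illustration written for this edit, not Huawei code or device output: it applies the rule exactly as the guide states it (priority first, highest IP address as the tie-breaker, and highest IP address alone as soon as one Hello lacks the DR Priority option). The addresses, the configured priority 200 and the default priority 1 are assumed values.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Dict, List, Optional


@dataclass(frozen=True)
class SegmentRouter:
    """What a PIM router learns about a peer on the shared segment from its
    Hello messages. dr_priority is None when the peer's Hello carries no
    DR Priority option, i.e. the peer does not support DR priority."""
    address: IPv4Address
    dr_priority: Optional[int]


def elect_dr(routers: List[SegmentRouter]) -> SegmentRouter:
    """Elect the DR for one segment using the rule stated in this guide.

    If every router advertises a DR priority, the highest priority wins and a
    tie is broken by the highest IP address. If at least one router does not
    advertise a priority, priority is ignored and the highest IP address wins.
    """
    if not routers:
        raise ValueError("no PIM routers on the segment")
    if all(r.dr_priority is not None for r in routers):
        return max(routers, key=lambda r: (r.dr_priority, int(r.address)))
    return max(routers, key=lambda r: int(r.address))


def demo() -> Dict[str, str]:
    """Constructed segment. The operator ran `pim hello-option dr-priority 200`
    on the interface of 10.1.1.1; 10.1.1.2 keeps the default priority 1
    (assumed default); 10.1.1.254 is a box whose Hello carries no priority."""
    intended = SegmentRouter(IPv4Address("10.1.1.1"), 200)
    peer = SegmentRouter(IPv4Address("10.1.1.2"), 1)
    no_option = SegmentRouter(IPv4Address("10.1.1.254"), None)
    return {
        # Everyone supports the option: the configured priority decides.
        "all_support_priority": str(elect_dr([intended, peer]).address),
        # One Hello without the option is enough to fall back to highest IP,
        # so the box at .254 becomes DR despite the priority-200 setting.
        "one_without_option": str(elect_dr([intended, peer, no_option]).address),
        # Equal priorities: the higher IP address wins.
        "priority_tie": str(elect_dr([SegmentRouter(IPv4Address("10.1.1.7"), 1), peer]).address),
    }


if __name__ == "__main__":
    for case, dr in demo().items():
        print(f"{case}: DR = {dr}")
```

The second case is the one to remember when PIM is enabled on a segment that untrusted hosts can reach: a device that sends Hello messages with a high address and no DR Priority option takes the DR role away from the router the operator configured for it. The configured priority is only honoured among routers that all advertise it, so the neighbor filtering described later in this section is the control that keeps such a device out of the election.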

Enabling the Function of Tracking a Downstream Neighbor

When the function of tracking a downstream neighbor is enabled, an upstream Switch records every downstream neighbor that has sent a Join message and whose Join state has not timed out. The upstream Switch then knows exactly which neighbors on the shared network segment still require the multicast data, instead of relying on Join suppression.

Context
Do as follows on the PIM-SM Switch:
NOTE
The configuration involves the following cases:
l Global configuration: It is valid on all the interfaces.
l Configuration on an interface: The configuration on an interface takes precedence over the global configuration. If the configuration on an interface is not done, the global configuration is used.

Procedure
l Global configuration
  1. Run: system-view
     The system view is displayed.
  2. Run: pim
     The PIM view is displayed.
  3. Run: hello-option neighbor-tracking
     The function of tracking a downstream neighbor is enabled.
     After this function is enabled, information about each downstream neighbor that has sent a Join message and whose Join state has not timed out is recorded.


     NOTE
     The function of tracking downstream neighbors takes effect only if all the PIM Switches on the shared network segment are enabled with this function.
l Configuration on an interface
  1. Run: system-view
     The system view is displayed.
  2. Run: interface interface-type interface-number
     The interface view is displayed. The interface can be a VLANIF interface or a loopback interface.
  3. Run: pim hello-option neighbor-tracking
     The function of tracking a downstream neighbor is enabled.
     After this function is enabled, information about each downstream neighbor that has sent a Join message and whose Join state has not timed out is recorded.
     NOTE
     The function of tracking downstream neighbors takes effect only if all the PIM Switches on the shared network segment are enabled with this function.
----End

Configuring PIM Neighbor Filtering

To prevent unknown devices from taking part in PIM, configure PIM neighbor filtering. An interface then sets up neighbor relationships only with addresses that match the filtering rule and deletes existing neighbors that do not match it.

Context
To prevent Switches from establishing unauthorized neighbor relationships through PIM, configure the local device to filter PIM neighbors.
Do as follows on the Switch enabled with PIM-SM:

Procedure
Step 1 Run: system-view
       The system view is displayed.
Step 2 Run: interface interface-type interface-number
       The interface view is displayed. The interface can be a VLANIF interface or a loopback interface.
Step 3 Run:

       pim neighbor-policy basic-acl-number
       PIM neighbor filtering is configured.
----End
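The three neighbor controls in this section (hello-option holdtime, require-genid and neighbor-policy) all act on the same Hello-processing path of an interface. The following Python shows how they interact, as an added illustration written for this edit rather than Huawei code: the Hello records, ACL 2001 and every address are constructed, and the rule that a Hello matching no rule of a referenced ACL is dropped is an assumption of the example.

```python
from dataclasses import dataclass, field
from ipaddress import IPv4Address
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Hello:
    src: IPv4Address
    holdtime: int                        # seconds, from the sender's hello-option holdtime
    generation_id: Optional[int] = None  # None: the Generation ID option is absent


@dataclass(frozen=True)
class BasicAclRule:
    """One rule of a basic ACL: permit/deny a source given as address plus
    VRP-style wildcard mask (a 0 bit in the wildcard must match)."""
    permit: bool
    address: IPv4Address
    wildcard: IPv4Address

    def matches(self, src: IPv4Address) -> bool:
        care = 0xFFFFFFFF ^ int(self.wildcard)
        return int(src) & care == int(self.address) & care


@dataclass
class PimInterface:
    require_genid: bool = False                            # pim require-genid
    neighbor_policy: Optional[List[BasicAclRule]] = None   # pim neighbor-policy <acl>
    # neighbor address -> (expiry time, last Generation ID seen)
    neighbors: Dict[IPv4Address, Tuple[int, Optional[int]]] = field(default_factory=dict)

    def permitted(self, src: IPv4Address) -> bool:
        if self.neighbor_policy is None:
            return True
        for rule in self.neighbor_policy:
            if rule.matches(src):
                return rule.permit
        return False  # no rule matched: treated as deny (assumption)

    def apply_neighbor_policy(self, rules: List[BasicAclRule]) -> List[IPv4Address]:
        """Install the filter and, as the guide states, delete neighbors that
        no longer match it. Returns the deleted neighbors."""
        self.neighbor_policy = rules
        removed = [a for a in self.neighbors if not self.permitted(a)]
        for a in removed:
            del self.neighbors[a]
        return removed

    def receive_hello(self, hello: Hello, now: int) -> str:
        if not self.permitted(hello.src):
            return "dropped: neighbor-policy"
        if self.require_genid and hello.generation_id is None:
            return "dropped: no Generation ID option"
        previous = self.neighbors.get(hello.src)
        self.neighbors[hello.src] = (now + hello.holdtime, hello.generation_id)
        if previous is None:
            return "new neighbor"
        if previous[1] is not None and hello.generation_id != previous[1]:
            return "neighbor restarted: Generation ID changed"
        return "refreshed"

    def expire(self, now: int) -> List[IPv4Address]:
        """Drop neighbors whose holdtime ran out without a fresh Hello."""
        gone = [a for a, (expiry, _) in self.neighbors.items() if expiry <= now]
        for a in gone:
            del self.neighbors[a]
        return gone


def demo() -> Dict[str, object]:
    """Constructed timeline on an interface with `pim require-genid`; the
    operator later applies `pim neighbor-policy 2001`, where ACL 2001 is
    `rule 5 permit source 10.1.1.0 0.0.0.255` (assumed configuration)."""
    ifc = PimInterface(require_genid=True)
    results: Dict[str, object] = {}
    # Before any filter, a stranger that sends a Generation ID becomes a neighbor.
    results["stranger_before_policy"] = ifc.receive_hello(Hello(IPv4Address("192.0.2.9"), 105, 0x3C4D), now=0)
    # Applying the policy deletes existing neighbors that do not match it.
    rules = [BasicAclRule(True, IPv4Address("10.1.1.0"), IPv4Address("0.0.0.255"))]
    results["removed_by_policy"] = [str(a) for a in ifc.apply_neighbor_policy(rules)]
    results["valid_peer"] = ifc.receive_hello(Hello(IPv4Address("10.1.1.2"), 105, 0x1A2B), now=0)
    results["stranger_after_policy"] = ifc.receive_hello(Hello(IPv4Address("192.0.2.9"), 105, 0x3C4D), now=5)
    results["no_genid"] = ifc.receive_hello(Hello(IPv4Address("10.1.1.3"), 105, None), now=5)
    results["restarted_peer"] = ifc.receive_hello(Hello(IPv4Address("10.1.1.2"), 105, 0x5E6F), now=30)
    results["expired_at_200"] = [str(a) for a in ifc.expire(now=200)]  # 30 + 105 = 135 < 200
    results["neighbors_left"] = len(ifc.neighbors)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Note the ordering: the neighbor policy is checked before anything else, so a filtered address never refreshes or creates state, and a neighbor that was accepted before the policy existed is removed when the policy is applied. The holdtime of 105 s used above is 3.5 times a 30 s Hello interval, the usual ratio; check `display pim interface verbose` for the values actually in effect on the device.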

Checking the Configuration

After the neighbor control parameters are adjusted, you can run the following commands to check information about the PIM interface and the PIM neighbor.

Procedure
l Run the display pim interface [ interface-type interface-number | up | down ] [ verbose ] command to check PIM on an interface.
l Run the display pim neighbor [ neighbor-address | interface interface-type interface-number | verbose ] * command to check a PIM neighbor.
----End

6.6.8 Adjusting Control Parameters for Source Registering


In a PIM-SM network, the DR directly connected to the multicast source encapsulates multicast
data in a Register message and sends it to the RP in unicast mode. The RP then decapsulates the
message, and forwards the multicast data to receivers along the RPT. The system supports the
Register message filtering and suppression functions.

Establishing the Configuration Task


After basic functions of PIM-SM are configured, you can configure filtering policies and the
checksum method for Register messages and configure PIM-SM Register suppression as
required.

Applicable Environment
This section describes how to configure the control parameters of source registering through commands.
In a PIM-SM network, the DR directly connected to the source S encapsulates multicast data in a Register message and sends it to the RP in unicast mode. The RP then decapsulates the message and forwards the multicast data along the RPT.
After the SPT switchover on the RP is complete, the multicast data reaches the RP along the SPT in multicast mode. The RP sends a Register-Stop message to the DR at the source side. The DR stops sending Register messages and enters the suppressed state. During register suppression, the DR periodically sends null Register messages to inform the RP that the source is still active. After the register suppression times out, the DR starts to send Register messages again.
The Switch works normally with the default values. The AC6605 allows users to adjust the parameters as required.
NOTE
It is recommended to adopt the default values if there is no special requirement.


Pre-configuration Tasks
Before adjusting control parameters for source registering, complete the following tasks:
l Configuring a unicast routing protocol
l Configuring Basic PIM-SM Functions

Data Preparation
To adjust control parameters for source registering, you need the following data:
1. ACL rules used by the RP to filter Register messages
2. Whether the checksum is calculated only according to the header of a Register message
3. Timeout for keeping the suppressed state of registering
4. Interval for sending null Register messages to the RP

Configuring PIM-SM Register Messages


You can configure filtering policies for Register messages on all the devices that may become
RPs. By default, the checksum is calculated based on the entire Register message. You can
configure the device to calculate the checksum based on only the header of a Register message.

Context
Do as follows on all Switches that may become an RP:

Procedure
Step 1 Run: system-view
       The system view is displayed.
Step 2 Run: pim
       The PIM view is displayed.
Step 3 Run: register-policy advanced-acl-number
       The policy for filtering Register messages is set. The RP applies the policy to filter received Register messages.
Step 4 Run: register-header-checksum
       The checksum is calculated only according to the header of a Register message.



       By default, the checksum is calculated according to the entire message.
----End

Configuring PIM-SM Register Suppression

You can set the timeout period for keeping the register suppression state and the interval for sending null Register messages on all the devices that may become DRs at the multicast source side.

Context
Do as follows on all the Switches that may become the DR at the multicast source side:

Procedure
Step 1 Run: system-view
       The system view is displayed.
Step 2 Run: pim
       The PIM view is displayed.
Step 3 Run: register-suppression-timeout interval
       The timeout for keeping the suppressed state of registering is set.
Step 4 Run: probe-interval interval
       The interval for sending null Register messages is set.
       NOTE
       The probe-interval value must be smaller than half of the register-suppression-timeout value.
----End
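The register-suppression cycle described in the Applicable Environment above and the probe-interval constraint in the NOTE are easiest to see on a timeline. The following Python is an added illustration written for this edit, not Huawei code: the 60 s suppression timeout and 5 s probe interval are the RFC 4601 default values and are assumed here, and the sequence of data packets and the Register-Stop is constructed.

```python
from dataclasses import dataclass
from typing import List, Tuple


def validate_register_timers(suppression_timeout: int, probe_interval: int) -> None:
    """Enforce the NOTE in this section: probe-interval must be smaller than
    half of register-suppression-timeout. Otherwise the null Register that
    tells the RP the source is still active can arrive after the RP has
    already aged out its register state."""
    if suppression_timeout <= 0 or probe_interval <= 0:
        raise ValueError("timer values must be positive seconds")
    if probe_interval * 2 >= suppression_timeout:
        raise ValueError(
            f"probe-interval {probe_interval}s must be smaller than half of "
            f"register-suppression-timeout {suppression_timeout}s")


def timers_are_valid(suppression_timeout: int, probe_interval: int) -> bool:
    """Boolean form of the check, for callers that only need a yes/no."""
    try:
        validate_register_timers(suppression_timeout, probe_interval)
        return True
    except ValueError:
        return False


@dataclass
class SourceSideDr:
    """Register state of the DR next to the source. Defaults are the RFC 4601
    figures (60 s suppression, 5 s probe), assumed here; on the device they
    map to register-suppression-timeout and probe-interval in the PIM view."""
    suppression_timeout: int = 60
    probe_interval: int = 5
    suppressed_until: int = -1   # time at which register suppression ends
    next_probe: int = -1         # time of the next null Register while suppressed

    def __post_init__(self) -> None:
        validate_register_timers(self.suppression_timeout, self.probe_interval)

    def on_register_stop(self, now: int) -> None:
        """Register-Stop from the RP: stop encapsulating, enter suppression."""
        self.suppressed_until = now + self.suppression_timeout
        self.next_probe = now + self.probe_interval

    def on_source_data(self, now: int) -> str:
        """Decide what the DR sends to the RP for a packet from the source."""
        if now >= self.suppressed_until:
            return "register"        # not suppressed: encapsulate and unicast to the RP
        if now >= self.next_probe:
            self.next_probe = now + self.probe_interval
            return "null-register"   # tell the RP the source is still active
        return "suppressed"          # data follows the SPT; nothing goes to the RP


def simulate(dr: SourceSideDr, events: List[Tuple[int, str]]) -> List[Tuple[int, str]]:
    """events: time-ordered (time, 'data' | 'register-stop'). Returns the DR's
    action for every data event. Constructed timeline, not device output."""
    actions: List[Tuple[int, str]] = []
    for t, kind in events:
        if kind == "register-stop":
            dr.on_register_stop(t)
        else:
            actions.append((t, dr.on_source_data(t)))
    return actions


def demo() -> List[Tuple[int, str]]:
    """Source traffic every 2 s; the RP answers the first Register at t=1."""
    events = [(0, "data"), (1, "register-stop")] + [(t, "data") for t in range(2, 66, 2)]
    return simulate(SourceSideDr(), events)


if __name__ == "__main__":
    for t, action in demo():
        print(f"t={t:3d}s  {action}")
```

With the assumed defaults the DR sends one Register at t=0, a null Register every 5 s from t=6 to t=60 while suppressed, and resumes full Register messages at t=62 once the 60 s suppression started at t=1 has expired. Raising probe-interval to 30 s with the same 60 s timeout is rejected by the check, which is the configuration the NOTE forbids.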

(Optional) Specifying the Source Address for Sending Register Messages

Specify the source address for sending Register messages on all devices that may become the source's DR. This prevents registration failures caused by duplicate IP addresses on the network or by source addresses that the RP filters out.

Context
By default, the source address of Register messages is the IP address of the interface that connects the source's DR to the multicast source. Registration fails if that address is not unique on the network or has been filtered out at the RP. To solve the problem, specify a suitable interface IP address as the source address for sending Register messages.

Procedure
Step 1 Run: system-view
       The system view is displayed.
Step 2 Run: pim
       The PIM view is displayed.
Step 3 Run: register-source interface-type interface-number
       The source address for sending Register messages from the source's DR is specified. You are advised to specify the IP address of a loopback interface as the source address.
----End

Checking the Configuration

After control parameters for source registering are adjusted, you can run the following command to check information about the PIM interface.

Procedure
l Run the display pim interface [ interface-type interface-number | up | down ] [ verbose ] command to check PIM on an interface.
----End

6.6.9 Adjusting Control Parameters for Forwarding

A multicast device sends Join messages upstream to request that multicast data be forwarded to it, and Prune messages upstream to request that forwarding stop. You can adjust the control parameters for multicast data forwarding as required. If there is no special requirement, adopt the default values.

Establishing the Configuration Task


After basic functions of PIM-SM are configured, you can adjust related control parameters of
forwarding relationship maintenance, and configure the Join information filtering and neighbor
checking functions to enhance security as required.

Applicable Environment
The configurations in this section are applicable to both the ASM model and the SSM model.
When the first member of a group appears on a network segment, the Switch sends a Join message through its upstream interface, requesting the upstream Switch to forward packets to the network segment.
When the last member of the group leaves, the Switch sends a Prune message through its upstream interface, requesting the upstream Switch to perform the prune action and to stop

forwarding packets to this network segment. If other downstream Switches on this network segment still want to receive data of this group, they must send a Join message to override the prune action.
In the ASM model, a Switch periodically sends Join messages towards the RP to prevent RPT branches from being deleted when their state times out.
The Switch works normally with the default values. The AC6605 allows users to adjust the parameters as required.
NOTE
It is recommended to adopt the default values if there is no special requirement.

Pre-configuration Tasks
Before adjusting control parameters for forwarding, complete the following tasks:
l Configuring a unicast routing protocol
l Configuring Basic PIM-SM Functions

Data Preparation
To adjust control parameters for forwarding, you need the following data:
1. Interval for sending Join/Prune messages
2. Interval for holding the Join/Prune state
3. Delay for transmitting Prune messages
4. Period for overriding the Prune action
5. Number or name of the ACL used to filter join information in Join/Prune messages
6. Whether neighbor check needs to be performed when Join/Prune and Assert messages are sent or received

Configuring Control Parameters for Keeping the Forwarding State


The control parameters of multicast data forwarding can be set either globally or on an interface.
The parameters specify the interval for sending Join/Prune messages and the period for a
downstream interface to keep the Join/Prune state.

Context
Do as follows on the PIM-SM Switch:


NOTE
The configuration involves the following cases:
l Global configuration: It is valid on all the interfaces.
l Configuration on an interface: The configuration on an interface takes precedence over the global configuration. If the configuration on an interface is not done, the global configuration is used.

Procedure
l Global Configuration
  1. Run: system-view
     The system view is displayed.
  2. Run: pim
     The PIM view is displayed.
  3. Run: timer join-prune interval
     The interval for sending Join/Prune messages is set.
  4. Run: holdtime join-prune interval
     The period for holding the Join/Prune state of a downstream interface is set.
l Configuration on an Interface
  1. Run: system-view
     The system view is displayed.
  2. Run: interface interface-type interface-number
     The interface view is displayed. The interface can be a VLANIF interface or a loopback interface.
  3. Run: pim timer join-prune interval
     The interval for sending Join/Prune messages is set.
  4. Run: pim holdtime join-prune interval
     The period for holding the Join/Prune state of a downstream interface is set.
  5. Run: pim require-genid
     The interface is configured to require the Generation ID option in received Hello messages. A Hello message without the Generation ID option is rejected. By default, the Switch accepts Hello messages without the Generation ID option.
     A change of the Generation ID in the Hello messages received from an upstream neighbor indicates that the upstream neighbor was lost or the status of the upstream

     neighbor has changed. The Switch then immediately sends a Join/Prune message to the upstream Switch to refresh the forwarding state.
----End

Configuring Control Parameters for Prune

The control parameters for prune can be set either globally or on an interface. The parameters specify the delay for transmitting messages on a LAN and the interval for overriding the prune action.

Context
Do as follows on the PIM-SM Switch:
NOTE
The configuration involves the following cases:
l Global configuration: It is valid on all the interfaces.
l Configuration on an interface: The configuration on an interface takes precedence over the global configuration. If the configuration on an interface is not done, the global configuration is used.

Procedure
l Global Configuration
  1. Run: system-view
     The system view is displayed.
  2. Run: pim
     The PIM view is displayed.
  3. Run: hello-option lan-delay interval
     The delay for transmitting messages on a LAN is set.
     A Hello message carries the lan-delay and override-interval values. The prune-pending time (PPT) is the delay from the time a Switch receives a Prune message on a downstream interface to the time it performs the prune action and stops forwarding on that interface. PPT equals lan-delay plus override-interval. If the Switch receives a Join message from a downstream Switch within the PPT, it does not perform the prune action.
  4. Run: hello-option override-interval interval
     The interval for overriding the prune action is set.
     When a Switch sends a Prune message to the upstream Switch on the same network segment, any other Switch on the segment that still requires the multicast data must send a Join message to the upstream Switch within the override-interval.
l Configuration on an Interface
  1. Run: system-view

     The system view is displayed.
  2. Run: interface interface-type interface-number
     The interface view is displayed. The interface can be a VLANIF interface or a loopback interface.
  3. Run: pim hello-option lan-delay interval
     The delay for transmitting messages on a LAN is set.
  4. Run: pim hello-option override-interval interval
     The interval for overriding the prune action is set.
----End
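The PPT = lan-delay + override-interval behaviour explained in step 3 of the global configuration is shown below on a timeline, as an added Python illustration written for this edit (not Huawei code). The 500 ms lan-delay and 2500 ms override-interval are the RFC 4601 default values and are assumed; the (S, G) pairs and the two timelines are constructed. Both outcomes are shown: a Join inside the window that overrides the Prune, and a Prune that nobody overrides.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

SG = Tuple[str, str]  # (source, group) as dotted strings, constructed


@dataclass
class LanDownstreamInterface:
    """An upstream Switch's LAN-facing downstream interface, holding the two
    values this section configures. Defaults are the RFC 4601 figures
    (lan-delay 500 ms, override-interval 2500 ms), assumed here."""
    lan_delay_ms: int = 500
    override_interval_ms: int = 2500
    prune_pending: Dict[SG, int] = field(default_factory=dict)  # (S,G) -> time PPT fires
    pruned: Set[SG] = field(default_factory=set)

    def ppt_ms(self) -> int:
        """Prune-pending time: lan-delay + override-interval, as the guide states."""
        return self.lan_delay_ms + self.override_interval_ms

    def on_prune(self, sg: SG, now_ms: int) -> int:
        """A downstream Switch pruned (S,G): keep forwarding, start the PPT.
        Returns the time at which the prune takes effect unless overridden."""
        if sg in self.pruned:
            return now_ms
        fire_at = now_ms + self.ppt_ms()
        self.prune_pending[sg] = fire_at
        return fire_at

    def on_join(self, sg: SG, now_ms: int) -> str:
        """A Join from any Switch on the segment cancels a pending prune
        (override) or re-adds an already pruned (S,G)."""
        if sg in self.prune_pending:
            del self.prune_pending[sg]
            return "prune overridden"
        if sg in self.pruned:
            self.pruned.discard(sg)
            return "re-joined"
        return "already forwarding"

    def tick(self, now_ms: int) -> List[SG]:
        """Expire the PPTs that have reached their time and actually prune."""
        fired = sorted(sg for sg, t in self.prune_pending.items() if t <= now_ms)
        for sg in fired:
            del self.prune_pending[sg]
            self.pruned.add(sg)
        return fired

    def forwards(self, sg: SG) -> bool:
        return sg not in self.pruned


def demo() -> Dict[str, object]:
    """Two constructed timelines on one LAN interface with PPT = 3000 ms."""
    ifc = LanDownstreamInterface()
    sg_a, sg_b = ("10.0.0.10", "239.1.1.1"), ("10.0.0.10", "239.1.1.2")
    out: Dict[str, object] = {"ppt_ms": ifc.ppt_ms()}
    # Case 1: Switch R2 prunes (S,G)a at t=0; Switch R3 still has receivers and
    # sends a Join at t=1000 ms, inside the window, so forwarding never stops.
    ifc.on_prune(sg_a, 0)
    out["join_inside_window"] = ifc.on_join(sg_a, 1000)
    ifc.tick(3000)
    out["a_forwarding_after_ppt"] = ifc.forwards(sg_a)
    # Case 2: (S,G)b is pruned at t=0 and nobody overrides. Forwarding stops
    # only when the PPT expires, not at the moment the Prune arrived.
    ifc.on_prune(sg_b, 0)
    out["b_forwarding_at_2999"] = ifc.forwards(sg_b) and not ifc.tick(2999)
    out["b_pruned_at_3000"] = ifc.tick(3000) == [sg_b]
    out["b_forwarding_after"] = ifc.forwards(sg_b)
    # A later Join restores forwarding for the pruned entry.
    out["late_join"] = ifc.on_join(sg_b, 5000)
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The practical consequence of the override mechanism is that the lan-delay must cover the propagation time on the segment and the override-interval must cover the time a downstream Switch needs to notice the Prune and answer with a Join; values that are too small cause brief traffic loss for remaining receivers, values that are too large keep traffic flowing to a segment that no longer wants it for up to PPT after the last Prune.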

(Optional) Configuring Parameters for Join/Prune Messages

You can configure the maximum size of a PIM Join/Prune message, the maximum number of (S, G) entries it carries, and whether triggered Join/Prune messages are packed before they are sent.

Context
Perform the following steps on the PIM-SM-enabled Switch:

Procedure
Step 1 Run: system-view
       The system view is displayed.
Step 2 Run: pim [ vpn-instance vpn-instance-name ]
       The PIM view is displayed.
Step 3 Run: join-prune max-packet-length packet-length
       The maximum size of each PIM-SM Join/Prune message to be sent is configured. The default size is 8100 bytes.
Step 4 Run: join-prune periodic-messages queue-size queue-size
       The maximum number of entries carried in the PIM-SM Join/Prune messages sent every second is configured. The default value is 1020.
Step 5 Run: join-prune triggered-message-cache disable


       The function of packing triggered Join/Prune messages is disabled. This function is enabled by default.
----End

Configuring Join Information Filtering

A Join/Prune message received by an interface may contain both join information and prune information. You can configure the interface to filter the join information based on ACL rules so that the Switch creates PIM entries only for join information that matches the rules.

Context
Filtering join information prevents unauthorized receivers from pulling multicast traffic through this Switch: join entries that do not match the ACL create no PIM state.
Do as follows on the Switch enabled with PIM-SM:

Procedure
Step 1 Run: system-view
       The system view is displayed.
Step 2 Run: interface interface-type interface-number
       The interface view is displayed. The interface can be a VLANIF interface or a loopback interface.
Step 3 Run: pim join-policy { advanced-acl-number | asm basic-acl-number | ssm advanced-acl-number }
       Join information filtering is configured.
----End

Configuring Neighbor Check

If PIM neighbor check is enabled, the device checks whether Join/Prune and Assert messages are sent to or received from PIM neighbors. Messages that fail the check are dropped.

Context
By default, the Switch does not check whether Join/Prune and Assert messages are sent to or received from a PIM neighbor.
If PIM neighbor check is required, configure it on the devices that connect to user devices rather than on devices inside the network. The Switch then checks whether Join/Prune and Assert messages are sent to or received from a PIM neighbor and drops those that are not.

Do as follows on the Switch enabled with PIM-SM:

Procedure
Step 1 Run: system-view
       The system view is displayed.
Step 2 Run: pim
       The PIM view is displayed.
Step 3 Run: neighbor-check { receive | send }
       The neighbor check function is configured. You can specify both receive and send to enable the PIM neighbor check function for both received and sent Join/Prune and Assert messages.
----End
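Join information filtering and neighbor check (this section) and the RP-side register-policy from 6.6.8 all come down to the same operation: match the addresses in a PIM message against an ACL, or the sender against the neighbor table, and create no state for what fails. The following Python is an added illustration of that admission path written for this edit, not Huawei code: the ACL model, the 232.0.0.0/8 SSM range, the ACL numbers 2001, 3001 and 3002 and every address are assumed or constructed, and so is the rule that a join entry matching no rule of a referenced ACL is denied.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import Dict, List, Optional, Set

SSM_RANGE = IPv4Network("232.0.0.0/8")  # default SSM group range (assumed)


@dataclass(frozen=True)
class AclRule:
    """One rule of a VRP-style ACL. A basic ACL carries only `source`; an
    advanced ACL also carries `destination`. None means 'any'."""
    permit: bool
    source: Optional[IPv4Network] = None
    destination: Optional[IPv4Network] = None

    def matches(self, src: IPv4Address, dst: IPv4Address) -> bool:
        return ((self.source is None or src in self.source)
                and (self.destination is None or dst in self.destination))


def acl_permits(rules: List[AclRule], src: IPv4Address, dst: IPv4Address) -> bool:
    """First matching rule decides; no match is treated as deny (assumption)."""
    for rule in rules:
        if rule.matches(src, dst):
            return rule.permit
    return False


@dataclass(frozen=True)
class JoinEntry:
    source: Optional[IPv4Address]  # None for a (*, G) join
    group: IPv4Address


@dataclass
class PimInterface:
    neighbors: Set[IPv4Address]
    neighbor_check_receive: bool = False             # neighbor-check receive (PIM view)
    asm_join_policy: Optional[List[AclRule]] = None  # pim join-policy asm <basic-acl>
    ssm_join_policy: Optional[List[AclRule]] = None  # pim join-policy ssm <advanced-acl>

    def admit_join_entries(self, sender: IPv4Address, entries: List[JoinEntry]) -> List[JoinEntry]:
        """Return the join entries for which this interface creates PIM state."""
        if self.neighbor_check_receive and sender not in self.neighbors:
            return []  # sender is not a PIM neighbor: the whole message is dropped
        kept: List[JoinEntry] = []
        for e in entries:
            if e.group in SSM_RANGE:
                if e.source is None:
                    continue  # a (*, G) join in the SSM range creates no state
                if self.ssm_join_policy is not None and not acl_permits(self.ssm_join_policy, e.source, e.group):
                    continue
            elif self.asm_join_policy is not None and not acl_permits(self.asm_join_policy, e.group, e.group):
                continue  # the basic ACL's source field is matched against the group address
            kept.append(e)
        return kept


def rp_accepts_register(register_policy: List[AclRule], source: IPv4Address, group: IPv4Address) -> bool:
    """RP side (section 6.6.8): register-policy advanced-acl-number applied to
    the (S, G) carried in a received Register message."""
    return acl_permits(register_policy, source, group)


def demo() -> Dict[str, object]:
    """Constructed policy: ACL 2001 permits ASM groups 239.1.0.0/16; ACL 3001
    permits SSM joins from sources in 10.0.0.0/8 to groups in 232.1.1.0/24;
    the RP's ACL 3002 permits Register messages for sources in 10.0.0.0/8."""
    ifc = PimInterface(
        neighbors={IPv4Address("10.1.1.2")},
        neighbor_check_receive=True,
        asm_join_policy=[AclRule(True, source=IPv4Network("239.1.0.0/16"))],
        ssm_join_policy=[AclRule(True, source=IPv4Network("10.0.0.0/8"),
                                 destination=IPv4Network("232.1.1.0/24"))],
    )
    entries = [
        JoinEntry(None, IPv4Address("239.1.2.3")),                       # ASM, permitted
        JoinEntry(None, IPv4Address("239.9.9.9")),                       # ASM, outside ACL 2001
        JoinEntry(IPv4Address("10.2.3.4"), IPv4Address("232.1.1.5")),    # SSM, permitted
        JoinEntry(IPv4Address("172.16.0.4"), IPv4Address("232.1.1.5")),  # SSM, source denied
        JoinEntry(None, IPv4Address("232.1.1.5")),                       # (*, G) in SSM range
    ]
    register_policy = [AclRule(True, source=IPv4Network("10.0.0.0/8"))]
    return {
        "kept_from_neighbor": [(str(e.source), str(e.group)) for e in
                               ifc.admit_join_entries(IPv4Address("10.1.1.2"), entries)],
        "kept_from_stranger": len(ifc.admit_join_entries(IPv4Address("10.1.1.99"), entries)),
        "register_from_10_net": rp_accepts_register(register_policy, IPv4Address("10.5.5.5"), IPv4Address("239.1.2.3")),
        "register_from_other": rp_accepts_register(register_policy, IPv4Address("198.51.100.7"), IPv4Address("239.1.2.3")),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The neighbor check runs before any per-entry policy, so a Join/Prune from an address that never became a neighbor (for example one kept out by pim neighbor-policy) is discarded whole, which is why the guide recommends it on the devices facing user segments. The join policy then decides entry by entry, so a single message can have some of its joins accepted and others silently ignored; display pim routing-table is the place to confirm which entries were actually created.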

Checking the Configuration

After control parameters for multicast data forwarding are adjusted, you can run the following commands to check information about the PIM interface, the PIM routing table, and statistics about PIM control messages.

Procedure
l Run the display pim interface [ interface-type interface-number | up | down ] [ verbose ] command to check PIM on an interface.
l Run the display pim control-message counters [ message-type { assert | graft | graft-ack | hello | join-prune | state-refresh | bsr } | interface interface-type interface-number ] * command to check the number of sent or received PIM control messages.
l Run the following commands to check the PIM routing table:
  display pim routing-table [ group-address [ mask { group-mask-length | group-mask } ] | source-address [ mask { source-mask-length | source-mask } ] | incoming-interface { interface-type interface-number | register } | outgoing-interface { include | exclude | match } { interface-type interface-number | register | none } | mode { dm | sm | ssm } | flags flag-value | fsm ] * [ outgoing-interface-number [ number ] ]
  display pim routing-table brief [ group-address [ mask { group-mask-length | group-mask } ] | source-address [ mask { source-mask-length | source-mask } ] | incoming-interface { interface-type interface-number | register } ] *
----End

6.6.10 Adjusting Control Parameters for Assert


If a multicast device can receive multicast data through the downstream interface, this indicates
that other upstream devices exist in this network segment. The device then sends an Assert

message through the downstream interface to take part in the election of the unique upstream
device.

Establishing the Configuration Task

After basic functions of PIM-SM are configured, you can set the period for holding the Assert state as required.

Applicable Environment
The configurations in this section are applicable to both the ASM model and the SSM model.
If a PIM-SM Switch receives multicast data through a downstream interface, other upstream Switches exist on this network segment. The Switches send Assert messages to elect the unique upstream Switch.
The Switch works normally with the default values. The AC6605 allows users to adjust the parameters as required.
NOTE
It is recommended to adopt the default values if there is no special requirement.

Pre-configuration Tasks
Before adjusting control parameters for assert, complete the following tasks:
l Configuring a unicast routing protocol
l Configuring Basic PIM-SM Functions

Data Preparation
To adjust control parameters for assert, you need the following data:
1. Period for holding the Assert state

Configuring the Period for Keeping the Assert State

The Switch that loses the election stops its downstream interface from forwarding multicast data while the Assert state is held. After the holdtime of the Assert state expires, the downstream interface can forward multicast data again.

Context
Do as follows on all the Switches in the PIM-SM domain:


NOTE
The configuration involves the following cases:
l Global configuration: It is valid on all the interfaces.
l Configuration on an interface: The configuration on an interface takes precedence over the global configuration. If the configuration on an interface is not done, the global configuration is used.

Procedure
l Global Configuration
  1. Run: system-view
     The system view is displayed.
  2. Run: pim
     The PIM view is displayed.
  3. Run: holdtime assert interval
     The period for holding the Assert state is set.
     The Switch that loses the election stops its downstream interface from forwarding multicast packets within this interval. After the interval expires, the downstream interface starts to forward multicast packets again.
l Configuration on an Interface
  1. Run: system-view
     The system view is displayed.
  2. Run: interface interface-type interface-number
     The interface view is displayed. The interface can be a VLANIF interface or a loopback interface.
  3. Run: pim holdtime assert interval
     The period for holding the Assert state is set.
     The Switch that loses the election stops its downstream interface from forwarding multicast packets within this interval. After the interval expires, the downstream interface starts to forward multicast packets again.
----End

Checking the Configuration


After the control parameters for assert are adjusted, you can check information about the PIM
interface and the PIM routing table and statistics about PIM control messages through
commands.

Procedure
l Run the display pim interface [ interface-type interface-number | up | down ] [ verbose ] command to check PIM on an interface.
l Run the display pim control-message counters [ message-type { assert | graft | graft-ack | hello | join-prune | state-refresh } | interface interface-type interface-number ] * command to check the number of sent or received PIM control messages.
l Run the following commands to check the PIM routing table:
  display pim routing-table [ group-address [ mask { group-mask-length | group-mask } ] | source-address [ mask { source-mask-length | source-mask } ] | incoming-interface { interface-type interface-number | register } | outgoing-interface { include | exclude | match } { interface-type interface-number | register | none } | mode { dm | sm | ssm } | flags flag-value | fsm ] * [ outgoing-interface-number [ number ] ]
  display pim routing-table brief [ group-address [ mask { group-mask-length | group-mask } ] | source-address [ mask { source-mask-length | source-mask } ] | incoming-interface { interface-type interface-number | register } ] *
----End

6.6.11 Configuring the SPT Switchover


A high volume of multicast data traffic increases the load of an RP, and may result in a fault.
To solve this problem, PIM-SM allows the RP or the DR at the group member side to trigger
the SPT switchover when the rate of multicast packets is high.

Establishing the Configuration Task


After basic functions of PIM-SM are configured, you can adjust control parameters for SPT
switchover as required.

Applicable Environment
This section describes how to configure the control parameters of the SPT switchover through commands.
In a PIM-SM network, each multicast group corresponds to an RPT. At first, all multicast sources encapsulate data in Register messages and send them to the RP in unicast mode. The RP decapsulates the messages and forwards the data along the RPT.
Forwarding multicast data by using the RPT has the following defects:
l The DR at the source side and the RP need to encapsulate and decapsulate packets.
l The forwarding path may not be the shortest path from the source to the receivers.
l A large data flow increases the load of the RP and may cause a fault.
The solution to the preceding defects is the SPT switchover:
l SPT switchover triggered by the RP: The RP sends a Join message towards the source and establishes a multicast route along the shortest path from the source to the RP. Subsequent packets are forwarded along this path.
l SPT switchover triggered by the DR at the member side: The DR at the member side checks the forwarding rate of multicast data. If the DR finds that the rate exceeds the threshold,


  the DR triggers the SPT switchover immediately. The DR sends a Join message towards the source and establishes a multicast route along the shortest path from the source to the DR. Subsequent packets are forwarded along this path.
The Switches work normally with the default values. The AC6605 allows users to adjust the parameters as required.
NOTE
It is recommended to adopt the default values if there is no special requirement.

Pre-configuration Tasks
Before configuring the SPT switchover, complete the following tasks:
- Configuring a unicast routing protocol
- Configuring Basic PIM-SM Functions

Data Preparation
To configure the SPT switchover, you need the following data.
No.  Data
1    Rate threshold at which the DR at the member side switches packets from the RPT to the SPT
2    Group filtering policy and order policy for the switchover from the RPT to the SPT
3    Interval for checking the rate threshold of multicast data before the RPT-to-SPT switchover

(Optional) Disabling a Member-side DR from Initiating SPT Switchover


This section describes how to disable a member-side DR from initiating the SPT switchover.

Context
Do as follows on all the Switches that may become a DR at the member side:

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
pim

The PIM view is displayed.


Step 3 Run:
spt-switch-threshold infinity [ group-policy basic-acl-number [ order order-value ] ]

The SPT switchover condition is set. With infinity, the member-side DR never switches from the
RPT to the SPT for the groups matched by the policy.


----End

Checking the Configuration


After the control parameters for SPT switchover are adjusted, you can run commands to check
entries in the PIM routing table.

Procedure
- Run the following commands to check the PIM routing table.
display pim routing-table [ group-address [ mask { group-mask-length | group-mask } ] | source-address [ mask { source-mask-length | source-mask } ] | incoming-interface { interface-type interface-number | register } | outgoing-interface { include | exclude | match } { interface-type interface-number | register | none } | mode { dm | sm | ssm } | flags flag-value | fsm ] * [ outgoing-interface-number [ number ] ]
display pim routing-table brief [ group-address [ mask { group-mask-length | group-mask } ] | source-address [ mask { source-mask-length | source-mask } ] | incoming-interface { interface-type interface-number | register } ] *

----End

6.6.12 Configuring PIM BFD


After detecting a fault on the peer, BFD immediately notifies the PIM module to trigger a new
DR election rather than waiting until the neighbor relationship times out. This shortens the
period during which multicast data transmission is interrupted and thus improves the
reliability of multicast data transmission.

Establishing the Configuration Task


After basic functions of PIM-SM are configured, you can configure PIM BFD to improve PIM
network reliability, and adjust BFD parameters as required.

Networking Requirements
Generally, if the current DR in a shared network segment is faulty, the other PIM neighbors trigger
a new round of DR election only after the neighbor relationship times out. Data transmission is
therefore interrupted for at least the neighbor timeout period, which is on the order of seconds.
BFD detects faults at the millisecond level. BFD can monitor the status of PIM neighbors in the
shared network segment. When BFD detects that a peer is faulty, it immediately reports this to
PIM. PIM then triggers a new round of DR election without waiting for the neighbor relationship
to time out. This shortens the interruption of data transmission and enhances the reliability of
the network.
PIM BFD also applies to the assert election in a shared network segment: it can respond quickly
to a fault on the interface that won the assert election.
Pre-configuration Tasks
Before configuring PIM BFD, complete the following tasks:
- Configuring a unicast routing protocol
- Configuring Basic PIM-SM Functions
- Enabling BFD in the system view

Data Preparation
To configure PIM BFD, you need the following data.
No.  Data
1    Minimum intervals for sending and receiving BFD detection messages, and the local
     detection multiplier

Enabling PIM BFD


Enable PIM BFD on the devices that set up a PIM neighbor relationship.

Context
Do as follows on the PIM Switches that set up the neighbor relationship:

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
interface interface-type interface-number

The interface view is displayed.


The interface must be a VLANIF interface.
Step 3 Run:
pim bfd enable

PIM BFD is enabled.


By default, PIM BFD is disabled.
----End

(Optional) Adjusting BFD Parameters


You can adjust PIM BFD parameters as required. PIM BFD parameters include the minimum
interval for sending and receiving PIM BFD packets and the local detection multiplier.
Context
Do as follows on the two PIM Switches that set up the neighbor relationship:

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
interface interface-type interface-number

The interface view is displayed.


The interface must be a VLANIF interface.
Step 3 Run:
pim bfd { min-tx-interval tx-value | min-rx-interval rx-value | detect-multiplier
multiplier-value }*

PIM BFD parameters are adjusted.


PIM BFD parameters include the minimum interval for sending PIM BFD messages, the
minimum interval for receiving PIM BFD messages, and the local detection multiplier.
If this command is not used, the default values of these parameters apply. If the BFD
parameters configured for other protocols are the same as those configured for PIM, the PIM
BFD parameter configuration is affected.
----End
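The three parameters above are negotiated with the peer, so the value you configure locally does not by itself decide how fast a dead neighbor is noticed. The following Python snippet is an added example, not code from the Huawei guide: it applies the RFC 5880 asynchronous-mode rule (detection time = remote detect-multiplier x max(local min-rx, remote min-tx)), which the AC6605 is assumed to follow, to both directions of one PIM BFD session and compares the result with the 105 s PIM hello hold interval shown in the `display pim interface verbose` output later in this chapter. The parameter values are assumptions chosen to show the asymmetry; the AC6605 defaults are not stated on this page.

```python
from dataclasses import dataclass

# Hold time shown by "display pim interface verbose" later in this chapter
# (PIM hello hold interval: 105 s); without BFD a dead DR is noticed only after it.
PIM_HELLO_HOLD_MS = 105_000


@dataclass(frozen=True)
class PimBfdParams:
    """The three values set by 'pim bfd min-tx-interval | min-rx-interval |
    detect-multiplier' on one interface (milliseconds / count)."""
    min_tx_ms: int
    min_rx_ms: int
    detect_multiplier: int


def detection_time_ms(local: PimBfdParams, remote: PimBfdParams) -> int:
    """Time after which `local` declares `remote` down.

    RFC 5880 asynchronous mode (assumed to apply here): the remote side sends
    no faster than max(local min-rx, remote min-tx), and the local side waits
    for the remote's detect-multiplier consecutive missed packets."""
    remote_tx_ms = max(local.min_rx_ms, remote.min_tx_ms)
    return remote.detect_multiplier * remote_tx_ms


def failover_summary(a: PimBfdParams, b: PimBfdParams) -> dict:
    """Detection time in both directions and the gain over PIM's own hello hold."""
    a_sees_b = detection_time_ms(a, b)
    b_sees_a = detection_time_ms(b, a)
    worst = max(a_sees_b, b_sees_a)
    return {
        "a_detects_b_ms": a_sees_b,
        "b_detects_a_ms": b_sees_a,
        "worst_case_ms": worst,
        "speedup_vs_hello_hold": PIM_HELLO_HOLD_MS / worst,
    }


if __name__ == "__main__":
    # Assumed values (the AC6605 defaults are not stated on this page).
    fast = PimBfdParams(min_tx_ms=100, min_rx_ms=100, detect_multiplier=3)
    slow = PimBfdParams(min_tx_ms=1000, min_rx_ms=1000, detect_multiplier=3)
    print("both tuned:   ", failover_summary(fast, fast))   # 300 ms each way
    print("one side slow:", failover_summary(fast, slow))   # 3000 ms each way
```

The second case is the one to remember when only one switch of a neighbor pair is tuned: the fast side cannot detect the slow side faster than the slow side is willing to transmit, so the session is only as fast as its slowest member.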

Checking the Configuration


After PIM BFD is configured, you can run the command to check information about PIM BFD
sessions.

Procedure
- Run the following commands to check information about a PIM BFD session.
display pim bfd session statistics
display pim bfd session [ interface interface-type interface-number | neighbor neighbor-address ] *

----End

6.6.13 Configuring PIM Silent


The interface that directly connects a multicast device to user hosts needs to be enabled with PIM.
A malicious host can then forge a large number of PIM Hello messages and send them to the
interface for processing, which can bring down the multicast device. To avoid this, you can set
the interface to the PIM Silent state.
Establishing the Configuration Task


After basic functions of PIM-SM and IGMP are configured, you can configure the PIM silent
function on the interface connected with the user host. This interface should be enabled with
PIM-SM and IGMP first.

Applicable Environment
On the access layer, the interface directly connected to hosts needs to be enabled with PIM, so
that the interface can set up PIM neighbor relationships and process PIM packets. This
configuration, however, poses a security risk: a host that forges PIM Hello packets and sends
them in large quantity can cause the Switch to fail.
To solve the problem, set the status of the interface to PIM silent. When the interface is in the
PIM silent state, it neither receives nor forwards any PIM packet. All PIM neighbors and PIM
state machines on the interface are deleted, and the interface immediately becomes the static
DR. IGMP on the interface is not affected.
PIM silent is applicable only to an interface directly connected to a host network segment that
is connected only to this Switch.

CAUTION
If PIM silent is enabled on an interface connected to another Switch, the PIM neighbor
relationship cannot be set up and a multicast fault may occur.
If the host network segment is connected to multiple Switches and PIM silent is enabled on
multiple interfaces, each of those interfaces becomes a static DR. Multiple DRs then exist in the
network segment, and a fault occurs.

Pre-configuration Tasks
Before configuring PIM silent, complete the following tasks:
- Configuring a unicast routing protocol to make the network layer reachable
- Configuring PIM-SM
- Configuring IGMP

Data Preparation
To configure PIM silent, you need the following data.
No.  Data
1    The type and number of the interface connected to hosts

Configuring PIM Silent


After the interface is configured with PIM silent, it is forbidden to receive or forward any PIM
protocol packet. All PIM neighbors and PIM state machines on this interface are deleted. Then,
this interface automatically becomes the DR. IGMP on the interface is not affected.

Context
Do as follows on the interface connected to the host network segment:

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
interface interface-type interface-number

The interface view is displayed.


The interface can be a VLANIF interface or a Loopback interface.
Step 3 Run:
pim silent

PIM silent is enabled.


After PIM silent is enabled, Hello packet floods from malicious hosts are blocked and the Switch
is protected.
----End

Checking the Configuration


After PIM silent is configured, you can run the command to check information about the PIM
interface.

Prerequisites
All the configurations of PIM silent are complete.

Procedure
- Run the display pim interface [ interface-type interface-number | up | down ] [ verbose ]
  command to check PIM on an interface.

----End

Example
Run the display pim interface verbose command, and you can find that the configuration is
complete.
<SwitchA> display pim interface verbose
VPN-Instance: public net
Interface: Vlanif10, 2.2.2.2
PIM version: 2

PIM mode: Sparse
PIM state: up
PIM DR: 2.2.2.2 (local)
PIM DR Priority (configured): 1
PIM neighbor count: 0
PIM hello interval: 30 s
PIM LAN delay (negotiated): 500 ms
PIM LAN delay (configured): 500 ms
PIM hello override interval (negotiated): 2500 ms
PIM hello override interval (configured): 2500 ms
PIM Silent: enabled
PIM neighbor tracking (negotiated): disabled
PIM neighbor tracking (configured): disabled
PIM generation ID: 0X2649E5DA
PIM require-genid: disabled
PIM hello hold interval: 105 s
PIM assert hold interval: 180 s
PIM triggered hello delay: 5 s
PIM J/P interval: 60 s
PIM J/P hold interval: 210 s
PIM BSR domain border: disabled
PIM BFD: disabled
PIM dr-switch-delay timer : not configured
Number of routers on link not using DR priority: 0
Number of routers on link not using LAN delay: 0
Number of routers on link not using neighbor tracking: 1
ACL of PIM neighbor policy: -
ACL of PIM ASM join policy: -
ACL of PIM SSM join policy: -
ACL of PIM join policy: -
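Reading `display pim interface verbose` by hand on every access switch does not scale, and the two failure modes described in this section (a host-facing interface left without PIM silent, and PIM silent mistakenly enabled on a switch-facing interface, see the CAUTION above) are easy to check mechanically. The following Python audit is an added example, not part of the Huawei guide: it parses output in the format shown above and applies both rules. The sample output, the interface names and the list of which interfaces face hosts are constructed assumptions; on a real network you would feed it the captured command output and your own interface inventory.

```python
import re
from typing import Dict, List

# Constructed sample of "display pim interface verbose" output, modelled on the
# format shown above; it is not a capture from a real AC6605, and only the
# fields the audit reads are kept. Vlanif10 and Vlanif20 are assumed to face
# user hosts; Vlanif100 is assumed to face another switch.
SAMPLE_OUTPUT = """\
VPN-Instance: public net
Interface: Vlanif10, 2.2.2.2
PIM version: 2
PIM mode: Sparse
PIM state: up
PIM DR: 2.2.2.2 (local)
PIM neighbor count: 0
PIM Silent: enabled
PIM BFD: disabled

Interface: Vlanif20, 10.110.1.1
PIM version: 2
PIM mode: Sparse
PIM state: up
PIM DR: 10.110.1.77
PIM neighbor count: 1
PIM Silent: disabled
PIM BFD: disabled

Interface: Vlanif100, 192.168.9.1
PIM version: 2
PIM mode: Sparse
PIM state: up
PIM DR: 192.168.9.1 (local)
PIM neighbor count: 0
PIM Silent: enabled
PIM BFD: disabled
"""


def parse_pim_interfaces(text: str) -> Dict[str, Dict[str, str]]:
    """Split verbose output into {interface: {field: value}}.

    A block starts at an "Interface: <name>, <address>" line; every following
    "Field: value" line belongs to that interface until the next block."""
    interfaces: Dict[str, Dict[str, str]] = {}
    current: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"Interface:\s*(\S+),\s*(\S+)", line)
        if m:
            current = {"address": m.group(2)}
            interfaces[m.group(1)] = current
        elif current and ":" in line:
            key, _, value = line.partition(":")
            current[key.strip()] = value.strip()
    return interfaces


def audit_pim_silent(text: str, host_facing: List[str]) -> List[str]:
    """Apply the two rules of this section and return findings (empty = OK).

    Rule 1: a host-facing interface must have PIM Silent enabled and must not
            have any PIM neighbor (a neighbor there is a foreign PIM speaker
            on a user segment, which is exactly what silent prevents).
    Rule 2: a switch-facing interface must NOT have PIM Silent enabled, since
            the CAUTION above says the neighbor relationship cannot form."""
    findings: List[str] = []
    ifaces = parse_pim_interfaces(text)
    for name in host_facing:
        info = ifaces.get(name)
        if info is None:
            findings.append(f"{name}: host-facing interface has no PIM state; is PIM-SM enabled on it?")
            continue
        if info.get("PIM Silent") != "enabled":
            findings.append(f"{name}: host-facing but PIM Silent is disabled; exposed to Hello floods")
        neighbors = int(info.get("PIM neighbor count", "0"))
        if neighbors:
            findings.append(f"{name}: {neighbors} PIM neighbor(s) on a host segment, DR is {info.get('PIM DR')}")
    for name, info in ifaces.items():
        if name not in host_facing and info.get("PIM Silent") == "enabled":
            findings.append(f"{name}: PIM Silent enabled on a switch-facing interface; PIM neighbors cannot form")
    return findings


if __name__ == "__main__":
    for finding in audit_pim_silent(SAMPLE_OUTPUT, ["Vlanif10", "Vlanif20"]):
        print(finding)
```

On the constructed sample the audit reports Vlanif20 twice (silent disabled, and a foreign PIM neighbor that has even won the DR election on the host segment) and Vlanif100 once (silent on an uplink, so its neighbor count is 0 for the wrong reason). The second finding is the one an attacker would cause: a host that speaks PIM Hello with a high DR priority becomes DR for the segment and can then inject Join/Prune state.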

6.6.14 Maintaining PIM-SM (IPv4)


Maintaining PIM-SM involves resetting PIM statistics, and monitoring PIM running status.

Clearing Statistics of PIM Control Messages


If you need to re-collect the statistics about PIM control messages, you can reset the existent
statistics. Note that the statistics cannot be restored after you reset them. This operation does not
affect normal running of PIM.

Context

CAUTION
The statistics of PIM control messages on an interface cannot be restored after you clear them.
Confirm the action before you use the command.

Procedure
- Run the reset pim control-message counters [ interface interface-type interface-number ]
  command in the user view to clear the statistics of PIM control messages on an interface.

----End

Monitoring the Running Status of PIM-SM


During routine maintenance, you can run the display commands in any view to check the running
status of PIM.

Context
In routine maintenance, you can run the following commands in any view to check the running
status of PIM-SM.

Procedure
- Run the display pim claimed-route [ source-address ] command in any view to check the
  unicast routes used by PIM.
- Run the display pim bfd session [ interface interface-type interface-number | neighbor
  neighbor-address ] * command in any view to check information about a PIM BFD session.
- Run the display pim control-message counters [ message-type { assert | graft | graft-ack |
  hello | join-prune | state-refresh | bsr } | interface interface-type interface-number ] *
  command in any view to check the number of sent or received PIM control messages.
- Run the display pim interface [ interface-type interface-number | up | down ] [ verbose ]
  command in any view to check PIM on an interface.
- Run the display pim neighbor [ neighbor-address | interface interface-type
  interface-number | verbose ] * command in any view to check PIM neighbors.
- Run the following commands in any view to check the PIM routing table.
  display pim routing-table [ group-address [ mask { group-mask-length | group-mask } ] | source-address [ mask { source-mask-length | source-mask } ] | incoming-interface { interface-type interface-number | register } | outgoing-interface { include | exclude | match } { interface-type interface-number | register | none } | mode { dm | sm | ssm } | flags flag-value | fsm ] * [ outgoing-interface-number [ number ] ]
  display pim routing-table brief [ group-address [ mask { group-mask-length | group-mask } ] | source-address [ mask { source-mask-length | source-mask } ] | incoming-interface { interface-type interface-number | register } ] *
- Run the display pim rp-info [ group-address ] command in any view to check information
  about the RP to which a multicast group corresponds.
- Run the display pim invalid-packet [ interface interface-type interface-number |
  message-type { assert | graft | graft-ack | state-refresh | bsr | hello | join-prune } ] *
  command in any view to check the statistics about invalid PIM messages received by the
  device.

----End

Debugging PIM
When a fault occurs during the running of PIM, run the debugging commands in the user view
and check the contents of sent and received packets for fault location.

Context

CAUTION
Debugging affects the performance of the system. So, after debugging, execute the undo
debugging all command to disable it immediately.
When a PIM fault occurs, run the following debugging command in the user view to debug PIM
and locate the fault.

Procedure
- Run the debugging pim all command in the user view to enable all PIM debugging.
- Run the debugging pim event [ advanced-acl-number ] command in the user view to enable
  the debugging of PIM events.
- Run the debugging pim routing-table [ advanced-acl-number ] command in the user view
  to enable the debugging of PIM routes.
- Run the debugging pim assert [ advanced-acl-number | [ receive | send ] ] * command in
  the user view to enable the debugging of PIM Assert.
- Run the debugging pim rp [ receive | send ] command in the user view to enable the
  debugging of PIM RP.
- Run the debugging pim register [ advanced-acl-number ] command in the user view to
  enable the debugging of PIM Register.
- Run the debugging pim msdp [ advanced-acl-number ] command in the user view to
  enable the debugging of the information exchanged between PIM and MSDP.
- Run the debugging pim bfd { all | create | delete | event } command in the user view to
  enable the debugging of PIM BFD.
----End

6.6.15 Configuration Examples


Configuration examples are provided to show how to construct a basic PIM-SM network and
configure basic functions of PIM-SM.

Example for Configuring the PIM-SM Network


Networking Requirements
As shown in Figure 6-16, multicast is deployed on the network of an Internet Service Provider
(ISP). An Interior Gateway Protocol (IGP) runs on the network, unicast routing works normally,
and the network is connected to the Internet. The switches on the network need to be configured
so that hosts can receive video on demand (VOD) in multicast mode.

Figure 6-16 Networking diagram for configuring PIM-SM multicast network
[Diagram not reproduced. Switch A, Switch B, Switch C, Switch D and Switch E form the PIM-SM
domain. The Source is attached to Switch D, which also connects to the Internet. Receiver Host A
is on leaf network N1 behind Switch A; receiver Host B is on leaf network N2, which is attached to
both Switch B and Switch C. The interface assignments are listed below.]

Switch    Physical interface  VLANIF interface  IP address
SwitchA   GE 0/0/1            VLANIF 100        192.168.9.1/24
SwitchA   GE 0/0/2            VLANIF 101        10.110.1.1/24
SwitchA   GE 0/0/3            VLANIF 200        192.168.1.1/24
SwitchB   GE 0/0/1            VLANIF 300        192.168.2.1/24
SwitchB   GE 0/0/2            VLANIF 102        10.110.2.1/24
SwitchC   GE 0/0/1            VLANIF 102        10.110.2.2/24
SwitchC   GE 0/0/2            VLANIF 400        192.168.3.1/24
SwitchD   GE 0/0/1            VLANIF 500        192.168.4.2/24
SwitchD   GE 0/0/2            VLANIF 200        192.168.1.2/24
SwitchD   GE 0/0/3            VLANIF 103        10.110.5.1/24
SwitchD   GE 0/0/4            VLANIF 104        10.110.4.1/24
SwitchE   GE 0/0/1            VLANIF 400        192.168.3.2/24
SwitchE   GE 0/0/2            VLANIF 300        192.168.2.2/24
SwitchE   GE 0/0/3            VLANIF 100        192.168.9.2/24
SwitchE   GE 0/0/4            VLANIF 500        192.168.4.1/24

Configuration Roadmap
The ISP network connects to the Internet. PIM-SM is used to provide the multicast function,
which facilitates service expansion. The ASM and SSM models provide multicast services. The
configuration roadmap is as follows:
1. Configure the IP addresses of interfaces and the unicast routing protocol. PIM is an
   intra-domain multicast routing protocol that depends on a unicast routing protocol; the
   multicast routing protocol can work only after the unicast routing protocol works normally.
2. Enable multicast on all switches providing multicast services. Before configuring other
   PIM-SM functions, you must enable the multicast function.
3. Enable PIM-SM on all the interfaces of the switches. After PIM-SM is enabled, you can
   configure other PIM-SM functions.
NOTE
If IGMP is also required on an interface, PIM-SM must be enabled before IGMP is enabled. The
configuration order cannot be reversed; otherwise, the PIM configuration fails.

4. Enable IGMP on the interfaces of the switches connected to hosts. A receiver joins and
   leaves a multicast group by sending IGMP messages. The leaf switches maintain the
   multicast membership through IGMP.
5. Enable the PIM silent function on the interfaces that are directly connected to hosts. This
   prevents malicious hosts from forging PIM Hello messages and protects the multicast
   switches.
   NOTE
   PIM silent is applicable only to the interfaces of a switch directly connected to a host network
   segment that is connected only to this switch.
6. Configure the RP. The RP is the root node of an RPT on the PIM-SM network. It is
   recommended that you configure the RP on a device that carries more multicast flows, for
   example, Switch E in Figure 6-16.
   NOTE
   - After creating an (*, G) entry according to the new multicast membership, the DR on the user
     side sends Join/Prune messages towards the RP and updates the shared tree along the path.
   - When a multicast source starts to send data to a group, the source-side DR unicasts Register
     messages to the RP. The RP decapsulates them and forwards the data to the other multicast
     members along the shared tree. At the same time, the RP sends a Register-Stop message to the
     DR on the multicast source side. After that, the RPT can be switched to the SPT.
NOTE
This configuration example describes only the commands used to configure PIM-SM.
Data Preparation
To complete the configuration, you need the following data:
- Address of multicast group G: 225.1.1.1/24
- Address of multicast source S: 10.110.5.100/24
- Version of IGMP running between the switches and hosts: IGMPv3
- Range of SSM group addresses: 232.1.1.0/24

Procedure
Step 1 Configure the IP address of each interface and the unicast routing protocol.
# Configure IP addresses and masks of interfaces on the switches according to Figure 6-16.
Configure OSPF between switches to ensure that the switches can communicate at the network
layer and update routes through the unicast routing protocol.
For details on how to configure IP addresses of interfaces, see 4.1 IP Addresses
Configuration in the AC6605 Access Controller Configuration Guide - IP Service. For details
on how to configure OSPF, see 5.3 OSPF Configuration in the AC6605 Access Controller
Configuration Guide - IP Routing.
Step 2 Enable multicast on all switches and PIM-SM on all interfaces.
# Enable multicast on all the switches and enable PIM-SM on all interfaces. The configurations
of Switch B, Switch C, and Switch D are similar to the configuration of Switch A, and are not
provided here.
[SwitchA] multicast routing-enable
[SwitchA] interface vlanif 101
[SwitchA-Vlanif101] pim sm
[SwitchA-Vlanif101] quit
[SwitchA] interface vlanif 100
[SwitchA-Vlanif100] pim sm
[SwitchA-Vlanif100] quit
[SwitchA] interface vlanif 200
[SwitchA-Vlanif200] pim sm
[SwitchA-Vlanif200] quit
Step 3 Enable IGMP on the interfaces connected to hosts.


# Enable IGMP on the interface connecting Switch A to hosts. The configurations of Switch B,
Switch C, and Switch D are similar to configuration of Switch A, and are not provided here.
[SwitchA] interface vlanif 101
[SwitchA-Vlanif101] igmp enable
[SwitchA-Vlanif101] igmp version 3

Step 4 Enable PIM silent on Switch A.


[SwitchA] interface vlanif 101
[SwitchA-Vlanif101] pim silent

Step 5 Configure the RP.


NOTE

The RP can be configured in two modes: the static RP and the dynamic RP. The static RP can be configured
together with the dynamic RP. You can also configure only the static RP or the dynamic RP. When the
static RP and the dynamic RP are configured simultaneously, you can change the parameter values to
specify which RP is preferred.

This example shows how to configure the static RP and the dynamic RP and to specify the
dynamic RP as the preferred RP and the static RP as the standby RP.
# Configure the dynamic RP on one or more switches in the PIM-SM domain. In this example,
set the service range of the RP and specify the locations of the C-BSR and the C-RP on Switch
E.
[SwitchE] acl number 2008
[SwitchE-acl-basic-2008] rule permit source 225.1.1.0 0.0.0.255
[SwitchE-acl-basic-2008] quit
[SwitchE] pim
[SwitchE-pim] c-bsr vlanif 100
[SwitchE-pim] c-rp vlanif 100 group-policy 2008 priority 10

# Configure static RPs on all switches. The configurations of Switch B, Switch C, Switch D,
and Switch E are similar to the configuration on Switch A, and are not provided here.
NOTE

If you add the preferred keyword after static-rp rp-address, the static RP is selected as the RP in
the PIM-SM domain.
[SwitchA] pim
[SwitchA-pim] static-rp 192.168.2.2

Step 6 Configure the BSR boundary on the interface connecting Switch D to the Internet.
[SwitchD] interface vlanif 104
[SwitchD-Vlanif104] pim bsr-boundary
[SwitchD-Vlanif104] quit

Step 7 Configure the range of SSM group addresses.


# Set the range of SSM group addresses to 232.1.1.0/24 on all switches. The configurations of
Switch B, Switch C, Switch D, and Switch E are the same as the configuration of Switch A, and
are not provided here.
[SwitchA] acl number 2000
[SwitchA-acl-basic-2000] rule permit source 232.1.1.0 0.0.0.255
[SwitchA-acl-basic-2000] quit
[SwitchA] pim
[SwitchA-pim] ssm-policy 2000

Step 8 Verify the configuration.


# Run the display pim interface command. You can view the configuration and running status
of PIM on the interface. For example, the PIM information displayed on Switch C is as follows:
[SwitchC] display pim interface
VPN-Instance: public net
Interface    State  NbrCnt  HelloInt  DR-Pri  DR-Address
Vlanif102    up     0       30        1       10.110.2.2 (local)
Vlanif400    up     1       30        1       192.168.3.1 (local)

# Run the display pim bsr-info command to view information about BSR election on the
switches. For example, the BSR information on Switch A and Switch E (including the C-BSR
information on Switch E) is as follows:
[SwitchA] display pim bsr-info
VPN-Instance: public net
Elected AdminScoped BSR Count: 0
Elected BSR Address: 192.168.9.2
Priority: 0
Hash mask length: 30
State: Accept Preferred
Scope: Not scoped
Uptime: 01:40:40
Expires: 00:01:42
C-RP Count: 1
[SwitchE] display pim bsr-info
VPN-Instance: public net
Elected AdminScoped BSR Count: 0
Elected BSR Address: 192.168.9.2
Priority: 0
Mask length: 30
State: Elected
Scope: Not scoped
Uptime: 00:00:18
Next BSR message scheduled at :00:01:42
C-RP Count: 1
Candidate AdminScoped BSR Count: 0
Candidate BSR Address is: 192.168.9.2
Priority: 0
Hash mask length: 30
State:Elected
Scope: Not scoped
Wait to be BSR: 0

# Run the display pim rp-info command to view the RP information on the switches. For
example, the RP information displayed on Switch A is as follows:
[SwitchA] display pim rp-info
VPN-Instance: public net
PIM-SM BSR RP Number:1
Group/MaskLen: 225.1.1.0/24
RP: 192.168.9.2
Priority: 0
Uptime: 00:45:13

Expires: 00:02:17
PIM SM static RP Number:1
Static RP: 192.168.2.2

# Run the display pim routing-table command to view the PIM multicast routing table. Host A
needs to receive the data sent to group 225.1.1.1, and Host B needs to receive the data sent by
the source 10.110.5.100 to the group 232.1.1.1. The displayed information is as follows:
[SwitchA] display pim routing-table
VPN-Instance: public net
Total 1 (*, G) entry; 1 (S, G) entry
(*, 225.1.1.1)
RP: 192.168.9.2
Protocol: pim-sm, Flag: WC
UpTime: 00:13:46
Upstream interface: Vlanif 100,
Upstream neighbor: 192.168.9.2
RPF prime neighbor: 192.168.9.2
Downstream interface(s) information:
Total number of downstreams: 1
1: Vlanif 101
Protocol: igmp, UpTime: 00:13:46, Expires: -

(10.110.5.100, 225.1.1.1)
RP: 192.168.9.2
Protocol: pim-sm, Flag: SPT ACT
UpTime: 00:00:42
Upstream interface: Vlanif 200
Upstream neighbor: 192.168.1.2
RPF prime neighbor: 192.168.1.2
Downstream interface(s) information:
Total number of downstreams: 1
1: vlanif101
Protocol: pim-sm, UpTime: 00:00:42, Expires: -

[SwitchD] display pim routing-table
VPN-Instance: public net
Total 0 (*, G) entry; 2 (S, G) entry
(10.110.5.100, 225.1.1.1)
RP: 192.168.9.2
Protocol: pim-sm, Flag: SPT ACT
UpTime: 00:00:42
Upstream interface: vlanif103
Upstream neighbor: 10.110.5.100
RPF prime neighbor: 10.110.5.100
Downstream interface(s) information:
Total number of downstreams: 1
1: vlanif200
Protocol: pim-sm, UpTime: 00:00:42, Expires: -

(10.110.5.100, 232.1.1.1)
Protocol: pim-ssm, Flag:
UpTime: 00:01:20
Upstream interface: vlanif103
Upstream neighbor: 10.110.5.100
RPF prime neighbor: 10.110.5.100
Downstream interface(s) information:
Total number of downstreams: 1
1: vlanif500
Protocol: pim-ssm, UpTime: 00:01:20, Expires: -

[SwitchE] display pim routing-table
VPN-Instance: public net
Total 1 (*, G) entry; 1 (S, G) entry
(*, 225.1.1.1)

RP: 192.168.9.2 (local)
Protocol: pim-sm, Flag: WC
UpTime: 00:13:16
Upstream interface: Register
Upstream neighbor: 192.168.4.2
RPF prime neighbor: 192.168.4.2
Downstream interface(s) information:
Total number of downstreams: 1
1: vlanif100
Protocol: pim-sm, UpTime: 00:13:16, Expires: 00:03:22

(10.110.5.100, 232.1.1.1)
Protocol: pim-ssm, Flag:
UpTime: 00:01:22
Upstream interface: vlanif500
Upstream neighbor: 192.168.4.2
RPF prime neighbor: 192.168.4.2
Downstream interface(s) information:
Total number of downstreams: 1
1: vlanif400
Protocol: pim-ssm, UpTime: 00:01:22, Expires: -

[SwitchC] display pim routing-table
VPN-Instance: public net
Total 1 (S, G) entry
(10.110.5.100, 232.1.1.1)
Protocol: pim-ssm, Flag:
UpTime: 00:01:25
Upstream interface: vlanif400
Upstream neighbor: 192.168.3.2
RPF prime neighbor: 192.168.3.2
Downstream interface(s) information:
Total number of downstreams: 1
1: vlanif102
Protocol: igmp, UpTime: 00:01:25, Expires:-

----End
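The roadmap above fixes several invariants that the resulting configuration files must satisfy: multicast routing-enable present, pim sm configured before igmp enable on host-facing interfaces, pim silent on host-facing interfaces whose segment belongs to a single switch, and an ssm-policy that references an ACL that actually exists. The following Python audit is an added example, not code from the Huawei guide: it parses a VRP-style configuration file into views and checks those invariants. The embedded configuration is a constructed copy of the Switch A file in this example (OSPF omitted), the drifted variant is invented to exercise the checks, and the rule set is this author's reading of the roadmap rather than anything the AC6605 enforces.

```python
import re
from typing import Dict, List

# Constructed configuration file modelled on the Switch A file in this example
# (OSPF omitted for brevity). It is not a capture from a device, and the audit
# rules below are this author's reading of the roadmap, not Huawei's.
SWITCH_A_CONFIG = """\
#
sysname SwitchA
#
vlan batch 100 101 200
#
multicast routing-enable
#
acl number 2000
 rule 5 permit source 232.1.1.0 0.0.0.255
#
interface Vlanif100
 ip address 192.168.9.1 255.255.255.0
 pim sm
#
interface Vlanif101
 ip address 10.110.1.1 255.255.255.0
 pim sm
 igmp enable
 igmp version 3
 pim silent
#
interface Vlanif200
 ip address 192.168.1.1 255.255.255.0
 pim sm
#
pim
 static-rp 192.168.2.2
 ssm-policy 2000
#
return
"""

# The same file after a plausible (constructed) drift: IGMP configured before
# PIM-SM, PIM silent removed, and the SSM policy pointing at an undefined ACL.
DRIFTED_CONFIG = SWITCH_A_CONFIG.replace(
    " pim sm\n igmp enable\n igmp version 3\n pim silent\n",
    " igmp enable\n igmp version 3\n pim sm\n",
).replace("ssm-policy 2000", "ssm-policy 2001")

VIEW_KEYWORDS = ("interface", "acl", "pim", "ospf")


def parse_views(config: str) -> Dict[str, List[str]]:
    """Group a VRP-style file into {view header: [its indented lines]}.
    One-line system-view commands (sysname, multicast routing-enable, ...)
    are collected under the key "system"."""
    views: Dict[str, List[str]] = {"system": []}
    current = "system"
    for raw in config.splitlines():
        stripped = raw.strip()
        if stripped in ("", "#", "return"):
            current = "system"
        elif raw.startswith(" "):
            views.setdefault(current, []).append(stripped)
        elif stripped.split()[0] in VIEW_KEYWORDS:
            current = stripped
            views.setdefault(current, [])
        else:
            views["system"].append(stripped)
    return views


def audit_config(config: str) -> List[str]:
    """Check the invariants the configuration roadmap relies on."""
    findings: List[str] = []
    views = parse_views(config)
    if "multicast routing-enable" not in views["system"]:
        findings.append("system: multicast routing-enable missing; pim sm / igmp on interfaces are ineffective")
    acls = {header.split()[-1] for header in views if header.startswith("acl number ")}
    for header, lines in views.items():
        if not header.startswith("interface "):
            continue
        has_pim, has_igmp = "pim sm" in lines, "igmp enable" in lines
        if has_igmp and not has_pim:
            findings.append(f"{header}: igmp enable without pim sm")
        elif has_igmp and lines.index("igmp enable") < lines.index("pim sm"):
            findings.append(f"{header}: igmp enable precedes pim sm; the roadmap requires PIM-SM first")
        if has_igmp and "pim silent" not in lines:
            findings.append(f"{header}: host-facing (IGMP) interface without pim silent; review unless the segment is shared with another switch")
        if "pim silent" in lines and not has_igmp:
            findings.append(f"{header}: pim silent on an interface without IGMP; confirm it faces hosts only")
    for line in views.get("pim", []):
        m = re.match(r"ssm-policy\s+(\d+)", line)
        if m and m.group(1) not in acls:
            findings.append(f"pim: ssm-policy references ACL {m.group(1)}, which is not defined")
    return findings


if __name__ == "__main__":
    print("baseline:", audit_config(SWITCH_A_CONFIG) or "no findings")
    for finding in audit_config(DRIFTED_CONFIG):
        print("drifted:", finding)
```

The pim silent rule is deliberately reported as "review" rather than as an error: Switch B and Switch C in this example share the 10.110.2.0/24 host segment on Vlanif102, and the roadmap says PIM silent must not be enabled there, so a missing pim silent on an IGMP interface is a question for the operator, not automatically a defect.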

Configuration Files
- Configuration file of Switch A


#
sysname SwitchA
#
vlan batch 100 101 200
#
multicast routing-enable
#
acl number 2000
rule 5 permit source 232.1.1.0 0.0.0.255
#
interface Vlanif100
ip address 192.168.9.1 255.255.255.0
pim sm
#
interface Vlanif101
ip address 10.110.1.1 255.255.255.0
pim sm
igmp enable
igmp version 3
pim silent
#
interface Vlanif200
ip address 192.168.1.1 255.255.255.0
pim sm
#
interface GigabitEthernet0/0/1

port hybrid pvid vlan 100
port hybrid untagged vlan 100
#
interface GigabitEthernet0/0/2
port hybrid pvid vlan 101
port hybrid untagged vlan 101
#
interface GigabitEthernet0/0/3
port hybrid pvid vlan 200
port hybrid untagged vlan 200
#
ospf 1
area 0.0.0.0
network 10.110.1.0 0.0.0.255
network 192.168.1.0 0.0.0.255
network 192.168.9.0 0.0.0.255
#
pim
static-rp 192.168.2.2
ssm-policy 2000
#
return

- Configuration file of Switch B


#
sysname SwitchB
#
multicast routing-enable
#
vlan batch 102 300
#
acl number 2000
rule 5 permit source 232.1.1.0 0.0.0.255
#
interface Vlanif 102
ip address 10.110.2.1 255.255.255.0
pim sm
igmp enable
igmp version 3
#
interface Vlanif300
ip address 192.168.2.1 255.255.255.0
pim sm
#
interface GigabitEthernet0/0/1
port hybrid pvid vlan 300
port hybrid untagged vlan 300
#
interface GigabitEthernet0/0/2
port hybrid pvid vlan 102
port hybrid untagged vlan 102
#
ospf 1
area 0.0.0.0
network 10.110.2.0 0.0.0.255
network 192.168.2.0 0.0.0.255
#
pim
static-rp 192.168.2.2
ssm-policy 2000
#
return

- Configuration file of Switch C


#
sysname SwitchC
#
vlan batch 102 400
#
multicast routing-enable

#
acl number 2000
rule 5 permit source 232.1.1.0 0.0.0.255
#
interface Vlanif102
ip address 10.110.2.2 255.255.255.0
pim sm
igmp enable
igmp version 3
#
interface Vlanif400
ip address 192.168.3.1 255.255.255.0
pim sm
#
interface GigabitEthernet0/0/1
port hybrid pvid vlan 102
port hybrid untagged vlan 102
#
interface GigabitEthernet0/0/2
port hybrid pvid vlan 400
port hybrid untagged vlan 400
#
ospf 1
area 0.0.0.0
network 10.110.2.0 0.0.0.255
network 192.168.3.0 0.0.0.255
#
pim
static-rp 192.168.2.2
ssm-policy 2000
#
return

Configuration file of Switch D


#
sysname SwitchD
#
vlan batch 103 104 200 500
#
multicast routing-enable
#
acl number 2000
rule 5 permit source 232.1.1.0 0.0.0.255
#
interface Vlanif103
ip address 10.110.5.1 255.255.255.0
pim sm
#
interface Vlanif104
ip address 10.110.4.1 255.255.255.0
pim sm
pim bsr-boundary
#
interface Vlanif200
ip address 192.168.1.2 255.255.255.0
pim sm
#
interface Vlanif500
ip address 192.168.4.2 255.255.255.0
pim sm
#
interface GigabitEthernet0/0/1
port hybrid pvid vlan 500
port hybrid untagged vlan 500
#
interface GigabitEthernet0/0/2
port hybrid pvid vlan 200
port hybrid untagged vlan 200
#
interface GigabitEthernet0/0/3


port hybrid pvid vlan 103
port hybrid untagged vlan 103
#
interface GigabitEthernet0/0/4
port hybrid pvid vlan 104
port hybrid untagged vlan 104
#
ospf 1
area 0.0.0.0
network 10.110.4.0 0.0.0.255
network 10.110.5.0 0.0.0.255
network 192.168.1.0 0.0.0.255
network 192.168.4.0 0.0.0.255
#
pim
static-rp 192.168.2.2
ssm-policy 2000
#
return

Configuration file of Switch E


#
sysname SwitchE
#
vlan batch 100 300 400 500
#
multicast routing-enable
#
acl number 2000
rule 5 permit source 232.1.1.0 0.0.0.255
#
acl number 2008
rule 5 permit source 225.1.1.0 0.0.0.255
#
interface Vlanif100
ip address 192.168.9.2 255.255.255.0
pim sm
#
interface Vlanif300
ip address 192.168.2.2 255.255.255.0
pim sm
#
interface Vlanif400
ip address 192.168.3.2 255.255.255.0
pim sm
#
interface Vlanif500
ip address 192.168.4.1 255.255.255.0
pim sm
#
interface GigabitEthernet0/0/1
port hybrid pvid vlan 400
port hybrid untagged vlan 400
#
interface GigabitEthernet0/0/2
port hybrid pvid vlan 300
port hybrid untagged vlan 300
#
interface GigabitEthernet0/0/3
port hybrid pvid vlan 100
port hybrid untagged vlan 100
#
interface GigabitEthernet0/0/4
port hybrid pvid vlan 500
port hybrid untagged vlan 500
#
ospf 1
area 0.0.0.0
network 192.168.3.0 0.0.0.255
network 192.168.2.0 0.0.0.255

network 192.168.9.0 0.0.0.255
network 192.168.4.0 0.0.0.255

#
pim
c-bsr vlanif 100
c-rp vlanif 100 group-policy 2008 priority 10
static-rp 192.168.2.2
ssm-policy 2000
#
return

Example for Configuring PIM BFD


Networking Requirements
On the multicast network shown in Figure 6-17, PIM-SM is run between switches. Hosts receive
the VOD information from the multicast source. Switch A is the DR on the source side. Switch
B and Switch C are connected to the segment where hosts reside. When the DR changes, other
switches on the network segment can detect the change of the DR quickly.
Figure 6-17 Configuring the PIM BFD networking in the shared network segment (figure not reproduced; labels: SwitchA, Source 10.1.7.1/24, PIM-SM, SwitchB, SwitchC, GE 0/0/1, GE 0/0/2, VLAN100, User1, User2)

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure PIM BFD on the interfaces that connect switches to the network segment where
the host is located.

Data Preparation
To complete the configuration, you need the following data:
l Parameters of PIM BFD sessions

NOTE

This configuration example describes only the commands used to configure PIM-SM BFD.

Procedure
Step 1 Configure the IP address of each interface and the unicast routing protocol.
# Configure IP addresses and masks of interfaces on the switches according to Figure 6-17.
Configure OSPF between switches to ensure that the switches can communicate at the network
layer and update routes through the unicast routing protocol.
For details on how to configure IP addresses of interfaces, see 4.1 IP Addresses
Configuration in the AC6605 Access Controller Configuration Guide - IP Service. For details
on how to configure OSPF, see 5.3 OSPF Configuration in the AC6605 Access Controller
Configuration Guide - IP Routing.
Step 2 Enable BFD globally and configure PIM BFD in the interface view.
# Enable BFD globally on Switch B and Switch C, enable PIM BFD on the interfaces that are
connected to the network segment where the host resides, and set PIM BFD parameters. The
configuration on Switch C is similar to the configuration on Switch B and is not provided here.
[SwitchB] bfd
[SwitchB-bfd] quit
[SwitchB] interface vlanif 100
[SwitchB-Vlanif100] pim bfd enable
[SwitchB-Vlanif100] pim bfd min-tx-interval 200 min-rx-interval 200 detect-multiplier 5

Step 3 Verify the configuration.


# Run the display pim interface verbose command to view detailed information about the
interface that runs PIM. The output on Switch B indicates that the DR on the network segment
where the host is located is Switch C and that PIM BFD is enabled on the interface.
[SwitchB] display pim interface vlanif100 verbose
VPN-Instance: public net
Interface: Vlanif100, 10.1.1.1
PIM version: 2
PIM mode: Sparse
PIM state: up
PIM DR: 10.1.1.2
PIM DR Priority (configured): 1
PIM neighbor count: 1
PIM Hello interval: 30 s
PIM LAN delay (negotiated): 500 ms
PIM LAN delay (configured): 500 ms
PIM Hello override interval (negotiated): 2500 ms
PIM Hello override interval (configured): 2500 ms
PIM Silent: disabled
PIM neighbor tracking (negotiated): disabled
PIM neighbor tracking (configured): disabled
PIM generation ID: 0XF5712241
PIM require-GenID: disabled
PIM hello hold interval: 105 s
PIM hello assert interval: 180 s
PIM triggered Hello delay: 5 s
PIM J/P interval: 60 s
PIM J/P hold interval: 210 s
PIM BSR domain border: disabled
PIM BFD: enable
PIM BFD min-tx-interval: 200 ms
PIM BFD min-rx-interval: 200 ms


PIM BFD detect-multiplier: 3
PIM dr-switch-delay timer : 20 s
Number of routers on link not using DR priority: 0
Number of routers on link not using LAN delay: 0
Number of routers on link not using neighbor tracking: 2
ACL of PIM neighbor policy: -
ACL of PIM ASM join policy: -
ACL of PIM SSM join policy: -
ACL of PIM join policy: -

# Run the display pim bfd session command to display information about the BFD session on
each switch. You can check whether the BFD session is set up on each switch.
[SwitchB] display pim bfd session
VPN-Instance: public net
Total 1 BFD session Created
Vlanif100 (10.1.1.1): Total 1 BFD session Created
Neighbor     ActTx(ms)  ActRx(ms)  ActMulti  Local/Remote  State
10.1.1.2     200        200        3         8192/8192     Up

# Run the display pim routing-table command to view the PIM routing table. SwitchC
functions as the DR. The (S, G) and (*, G) entries exist. The displayed information is as follows:
[SwitchC] display pim routing-table
VPN-Instance: public net
Total 1 (*, G) entry; 1 (S, G) entry
(*, 225.1.1.1)
RP: 10.1.5.2
Protocol: pim-sm, Flag: WC
UpTime: 00:13:46
Upstream interface: vlanif200
Upstream neighbor: 10.1.2.2
RPF prime neighbor: 10.1.2.2
Downstream interface(s) information:
Total number of downstreams: 1
1: Vlanif100,
Protocol: igmp, UpTime: 00:13:46, Expires:-

(10.1.7.1, 225.1.1.1)
RP: 10.1.5.2
Protocol: pim-sm, Flag: SPT ACT
UpTime: 00:00:42
Upstream interface: vlanif200
Upstream neighbor: 10.1.2.2
RPF prime neighbor: 10.1.2.2
Downstream interface(s) information:
Total number of downstreams: 1
1: Vlanif100
Protocol: pim-sm, UpTime: 00:00:42, Expires:-

----End

Configuration Files
l SwitchA needs to be configured with only basic PIM-SM functions. The configuration file
is not provided here.
l The following is the configuration file of Switch B. The configuration file of Switch C is
similar to the configuration file of Switch B, and is not provided here.

#
sysname SwitchB
#
vlan batch 100 200
#
multicast routing-enable


#
bfd
#
interface Vlanif100
ip address 10.1.1.1 255.255.255.0
pim sm
igmp enable
pim bfd enable
pim bfd min-tx-interval 200 min-rx-interval 200 detect-multiplier 5
#
interface Vlanif200
ip address 10.1.2.1 255.255.255.0
pim sm
#
interface GigabitEthernet0/0/1
port hybrid tagged vlan 200
#
interface GigabitEthernet0/0/2
port hybrid tagged vlan 100
#
ospf 1
area 0.0.0.0
network 10.1.1.0 0.0.0.255
network 10.1.2.0 0.0.0.255
#
return

6.7 MSDP Configuration


MSDP is used to implement multicast routing and data forwarding between PIM-SM domains and anycast RP in a PIM-SM domain.

6.7.1 MSDP Overview


MSDP functions to set up an MSDP peer relationship between RPs in different PIM-SM
domains. MSDP peers exchange (S, G) information by sending SA messages. In this manner,
MSDP peers share multicast source information and hosts can receive multicast data from the
multicast sources in another PIM-SM domain.
In the general PIM-SM mode, a multicast source registers only with the local rendezvous point
(RP). The information on the inter-domain multicast sources is isolated. The RP knows only the
source in its domain, establishes a multicast distribution tree (MDT) in its domain, and distributes
the data sent by the source to the local users.
A mechanism is required to enable the local RP to share the information on the multicast sources
of other domains. With the mechanism, the local RP can send Join messages to the multicast
sources of other domains and establish MDTs. Therefore, multicast packets can be transmitted
across domains, and hosts in the local domain can receive data sent by multicast sources in other
domains.
The Multicast Source Discovery Protocol (MSDP) is an inter-area multicast solution based on
multiple interconnected PIM-SM domains, and can solve the preceding problem.
MSDP achieves this objective by setting up the MSDP peer relationship between RPs of different
domains. MSDP peers share the information on multicast sources by sending Source Active
(SA) messages. They transmit the (S, G) information from the RP that the source S registers
with to other RPs connected to members of G.
MSDP peers are connected through a TCP connection. MSDP peers perform the RPF check
on received SA messages.

NOTE

MSDP is applicable only to PIM-SM domains, and useful only for the Any-Source Multicast (ASM) mode.

6.7.2 MSDP Features Supported by the AC6605


MSDP is used to implement PIM-SM inter-domain multicast and anycast RP in a PIM-SM
domain. You can control connections between MSDP peers, adjust SA message parameters, and
configure authentication for MSDP peers and filtering policies for SA messages to enhance
MSDP security. The system supports multi-instance MSDP.

PIM-SM Inter-Domain Multicast


When a multicast network is divided into multiple PIM-SM domains, MSDP is used to connect
RPs in each domain to share the multicast source information. In this manner, hosts in a domain
can receive multicast data sent by multicast sources in other domains.
You can configure a loopback interface as a C-RP or a static RP or specify the address of a
loopback interface as a logical RP address for SA messages.

PIM-SM Intra-Domain Anycast RP


After anycast RP is applied to a PIM-SM domain, the multicast source registers with the nearest
RP and receivers send Join messages to the nearest RP. This reduces the burden of a single RP,
implements RP backup, and optimizes the forwarding path.
You can use a loopback interface as the interface of a C-RP or static RP and specify the logical
RP address for an SA message.

Configuring Control Parameters for Maintaining MSDP Peer Connections


In the AC6605, you can set up and tear down an MSDP session, and configure the period for
retrying to send TCP connection requests to the remote MSDP peers.

Configuring SA Cache
By default, SA-Cache is enabled on Switches. Therefore, Switches can locally store the (S, G)
information carried in SA messages. When required to receive the multicast data, the Switches
can obtain the (S, G) information from the SA-Cache.
You can set the maximum number of cached (S, G) entries, which can effectively prevent
Denial of Service (DoS) attacks.
You can disable SA-Cache on a Switch. After the SA-Cache on a Switch is disabled, the
Switch does not locally store the (S, G) information carried in SA messages. When the Switch
needs to receive multicast data, it needs to wait for the SA message to be sent by its MSDP peer
in the next period. This causes a delay for receivers to obtain multicast source information.

Controlling SA Requests
Certain Switches cannot be enabled with SA Cache, or the capacity of SA Cache on these
Switches is too small. When these Switches need to receive multicast data, they cannot immediately
obtain the valid (S, G) information but need to wait for the SA message to be sent by their MSDP
peers in the next period.

If SA Cache is enabled on the remote MSDP peer and the capacity of the SA Cache is large, you
can configure "sending SA request messages" on the local Switch to reduce the period during
which receivers obtain multicast source information.
At the same time, you can also configure the filtering rules for receiving SA request messages
on the remote MSDP peers.

Transmitting Burst Multicast Data


When the interval for a certain multicast source to send multicast data is longer than the timeout
period of an (S, G) entry, the source DR can only encapsulate burst multicast data in Register
messages and send them to the source RP. The source RP uses SA messages to transmit (S, G)
information to the remote RP. The remote RP then sends an (S, G) Join message towards the
multicast source to create an SPT. Because of the timeout of the (S, G) entry, the remote user
cannot receive the multicast data sent by S.
The AC6605 supports the transmission of burst multicast data. You can enable the function of
encapsulating a multicast data packet in an SA message on the source RP. The source RP can
then encapsulate multicast data in an SA message and send the message out. After receiving the
SA message, the remote RP decapsulates the message, and then forwards multicast data to hosts
in the domain along the RPT.
Setting the TTL threshold can limit the transmission scope of a multicast data packet contained
in an SA message. After receiving an SA message containing a multicast data packet, an MSDP
peer checks the TTL value in the IP header of the multicast packet. If the TTL value is equal to
or smaller than the threshold, the MSDP peer does not forward the SA message to the specific
remote peers. If the TTL value is greater than the threshold, the MSDP peer reduces the TTL
value in the IP header of the multicast packet by 1, and then encapsulates the multicast packet
in an SA message and sends the message out.

Rules for Creating, Receiving, and Forwarding SA Messages


By default, MSDP Switches receive all SA messages that pass the RPF check and forward them
to all MSDP peers.
To control the transmission of SA messages between MSDP peers, you can configure filtering
rules by using the following methods:
l Setting rules for filtering SA messages based on multicast sources on the source RP
The source RP filters active multicast sources that register with the local Switch, and then
determines whether to send (S, G) entries based on the rules.
l Setting rules for filtering SA messages received from remote MSDP peers
When an SA message sent by a remote MSDP peer reaches the local Switch, the Switch
determines whether to receive the message based on the rules.
l Setting rules for filtering SA messages forwarded to remote MSDP peers
Before forwarding an SA message to a remote MSDP peer, the local Switch determines
whether to forward it based on the rules.
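The controls described in Configuring SA Cache, Transmitting Burst Multicast Data (the TTL threshold) and the three filtering rules above, combined in one simplified Python model; this is an added illustration, not the AC6605's implementation. Assumptions: the RPF check has already passed, a full cache neither stores nor forwards a new entry, an SA message is not echoed to the peer it came from, and the filtering rules are ACL-style predicates; the peer, source and group addresses are the page's example values.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Callable, Dict, List, Optional, Tuple


@dataclass(frozen=True)
class SAMessage:
    source: str                      # multicast source S
    group: str                       # multicast group G
    rp: str                          # RP that originated the SA message
    data_ttl: Optional[int] = None   # TTL of an encapsulated multicast data packet, if any


# A filtering rule is a predicate over (S, G). It is modelled here on a basic ACL that
# permits one address range, like "acl number 2000 / rule 5 permit source ..." above.
Rule = Callable[[str, str], bool]


def permit_source(prefix: str) -> Rule:
    net = ip_network(prefix)
    return lambda s, g: ip_address(s) in net


def permit_group(prefix: str) -> Rule:
    net = ip_network(prefix)
    return lambda s, g: ip_address(g) in net


@dataclass
class MSDPSwitchModel:
    peers: List[str]                        # addresses of the remote MSDP peers
    cache_limit: int                        # maximum number of cached (S, G) entries
    ttl_threshold: int = 0                  # TTL threshold for SA messages carrying data
    import_rules: Dict[str, Rule] = field(default_factory=dict)  # keyed by sending peer
    export_rules: Dict[str, Rule] = field(default_factory=dict)  # keyed by receiving peer
    sa_cache: Dict[Tuple[str, str], str] = field(default_factory=dict)  # (S, G) -> RP

    def receive(self, from_peer: str, msg: SAMessage) -> List[Tuple[str, SAMessage]]:
        """Process one SA message that has already passed the RPF check and return
        the (peer, message) pairs that would be forwarded."""
        rule = self.import_rules.get(from_peer)
        if rule is not None and not rule(msg.source, msg.group):
            return []                       # rejected by the rule for received SA messages
        key = (msg.source, msg.group)
        if key not in self.sa_cache:
            if len(self.sa_cache) >= self.cache_limit:
                # Cache full: the cap bounds what a flood of distinct (S, G) pairs can
                # consume. Assumption: the entry is neither stored nor forwarded.
                return []
            self.sa_cache[key] = msg.rp
        forwarded: List[Tuple[str, SAMessage]] = []
        for peer in self.peers:
            if peer == from_peer:
                continue                    # assumption: an SA is not echoed to its sender
            rule = self.export_rules.get(peer)
            if rule is not None and not rule(msg.source, msg.group):
                continue                    # rejected by the rule for forwarded SA messages
            out = self._apply_ttl_threshold(msg)
            if out is not None:
                forwarded.append((peer, out))
        return forwarded

    def _apply_ttl_threshold(self, msg: SAMessage) -> Optional[SAMessage]:
        """TTL check from "Transmitting Burst Multicast Data": an SA message without
        data passes; one with data is dropped at or below the threshold and otherwise
        forwarded with the data packet's TTL decremented by 1."""
        if msg.data_ttl is None:
            return msg
        if msg.data_ttl <= self.ttl_threshold:
            return None
        return SAMessage(msg.source, msg.group, msg.rp, msg.data_ttl - 1)


def flood_demo(limit: int = 3, bogus: int = 50) -> int:
    """Constructed flood of distinct bogus (S, G) pairs; returns the resulting cache size,
    which the cap holds at `limit` however many SA messages arrive."""
    m = MSDPSwitchModel(peers=["192.168.2.1"], cache_limit=limit)
    for i in range(bogus):
        m.receive("192.168.2.1", SAMessage(f"10.200.{i // 256}.{i % 256}", "225.1.1.1", "10.1.5.2"))
    return len(m.sa_cache)


if __name__ == "__main__":
    print("cached (S, G) entries after flood:", flood_demo())
```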

MSDP Authentication
Configuring MSDP MD5 authentication can improve the security of TCP connections set up
between MSDP peers. Note that the MSDP peers must be configured with the same
authentication password; otherwise, the TCP connection cannot be set up between MSDP peers
and MSDP messages cannot be transmitted.

6.7.3 Configuring PIM-SM Inter-domain Multicast


This section describes how to set up an MSDP peer relationship between PIM-SM domains in
an AS and how to configure MSDP peers to implement PIM-SM inter-domain multicast.

Establishing the Configuration Task


Before configuring PIM-SM inter-domain multicast, you need to configure intra-domain
multicast.

Applicable Environment
When a large multicast network is divided into multiple PIM-SM domains, MSDP is used to
connect RPs of various domains to share the source information. In this manner, hosts in a domain
can receive multicast data sent by multicast sources in other domains.
To ensure that all RPs in the network can share the source information while keeping the MSDP
connected graph small, it is recommended to configure MSDP peer relationships between all
RPs, including static RPs and C-RPs, in the network.
To ensure that SA messages transmitted between MSDP peers are not interrupted by RPF rules
and to reduce redundant traffic, the following solutions are recommended:
l Add MSDP peers in the same AS to one Mesh Group.
l If MSDP peers are in different ASs, select either of the following solutions:
  – Establish an MBGP peer relationship and use the same interface address.
  – Configure each other as a static RPF peer.
NOTE

Both BGP and MBGP can be used to set up inter-AS EBGP peer relationships. MBGP is recommended
because MBGP does not affect the unicast topology of a network.

Pre-configuration Tasks
Before configuring PIM-SM inter-domain multicast, complete the following tasks:
l Configuring a unicast routing protocol to enable interworking at the network layer
l Enabling IP multicast
l Configuring a PIM-SM domain to implement intra-domain multicast

Data Preparation
To configure PIM-SM inter-domain multicast, you need the following data.
No.  Data
1    Address of a remote MSDP peer
2    Type and number of the local interface connected to MSDP peers
3    Description of an MSDP peer
4    Name of a mesh group

Configuring Intra-AS MSDP Peers


When multiple PIM-SM domains exist in an AS or multiple RPs serving different multicast
groups exist in a PIM-SM domain, you are recommended to configure MSDP peer relationships
between all RPs (including static RPs and C-RPs) and add all MSDP peers to a mesh group.

Context
Do as follows on the RPs of all PIM-SM domains that belong to the same AS:

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
msdp

MSDP is enabled in the public network instance and the MSDP view is displayed.
Step 3 Run:
peer peer-address connect-interface interface-type interface-number

An MSDP peer connection is configured.


The parameters of the command are explained as follows:
l peer-address: specifies the address of a remote MSDP peer.
l interface-type interface-number: specifies the local interface connected to the remote MSDP
peer.
Step 4 (Optional) Run:
peer peer-address description text

The description of a remote MSDP peer is added.


This configuration helps to differentiate remote MSDP peers and manage the connections with
the remote MSDP peers.
The parameters of the command are explained as follows:
l peer-address: specifies the address of a remote MSDP peer.
l text: specifies the description text. The text is a string of up to 80 characters.
Step 5 Run:
peer peer-address mesh-group name

A remote MSDP peer is configured to join a mesh group.


That is, the remote MSDP peer is acknowledged as a member of the mesh group.
The parameters of this command are explained as follows:
l peer-address: specifies the address of a remote MSDP peer.
l name: specifies the name of a mesh group. The members of the same mesh group use the
same mesh group name.

Note the following:


l MSDP peer connections must be set up between all members of the same mesh group.
l All members of the mesh group must acknowledge each other as a member of the group.
l An MSDP peer can belong to only one mesh group. If an MSDP peer is configured to join
different mesh groups for multiple times, only the latest configuration is valid.
----End

Configuring Inter-AS MSDP Peers on MBGP Peers


You can configure an MSDP peer relationship between RPs in different ASs that have set up an
MBGP peer relationship. In this manner, PIM-SM domains in different ASs can share multicast
source information.

Context
Establish the MBGP peer relationship between two RPs of different ASs and do as follows on
the MBGP peers:
NOTE

If the two RPs set up the BGP peer relationship, it is not necessary to set up the MBGP peer relationship
between them.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
msdp

MSDP is enabled in the public network instance, and the MSDP view is displayed.
Step 3 Run:
peer peer-address connect-interface interface-type interface-number

An MSDP peer connection is configured.


The parameters of the command are explained as follows:
l peer-address: specifies the address of a remote MSDP peer. The address is the same as that
of the remote BGP or MBGP peer.
l interface-type interface-number: specifies the local interface connected to the remote MSDP
peer. The interface is the same as the local BGP or MBGP interface.
Step 4 (Optional) Run:
peer peer-address description text

The description of the MSDP peer is added.


The configuration helps to distinguish the remote MSDP peers and manage the connections with
the remote MSDP peers.
The parameters of the command are explained as follows:

l peer-address: specifies the address of a remote MSDP peer.


l text: specifies the description text. The text is a string of up to 80 characters.
----End

Configuring Static RPF Peers


You can configure a static RPF peer relationship between RPs in different ASs so that SA
messages sent by the static RPF peer do not need to pass the RPF check.

Context
NOTE

If Configuring Inter-AS MSDP Peers on MBGP Peers has been completed, skip this configuration.

Do as follows on two RPs of different ASs:

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
msdp

MSDP is enabled in the public network instance, and the MSDP view is displayed.
Step 3 Run:
peer peer-address connect-interface interface-type interface-number

An MSDP peer connection is configured.


The parameters of the command are explained as follows:
l peer-address: specifies the address of a remote MSDP peer.
l interface-type interface-number: specifies the local interface connected to the remote MSDP
peer.
Step 4 (Optional) Run:
peer peer-address description text

The description of a remote MSDP peer is added.


The configuration helps to distinguish remote MSDP peers and manage the connections with
the remote MSDP peers.
The parameters of the command are explained as follows:
l peer-address: specifies the address of a remote MSDP peer.
l text: specifies the description text. The text is a string of up to 80 characters.
Step 5 Run:
static-rpf-peer peer-address [ rp-policy ip-prefix-name ]

A remote MSDP peer is statically specified as an RPF peer.



l peer-address: specifies the address of a remote MSDP peer.


----End

Checking the Configuration


After PIM-SM inter-domain multicast is configured, you can run related commands to check
brief and detailed information about MSDP peers.

Procedure
l Run the display msdp brief command to check the brief information about the statuses of
all remote peers that establish MSDP peer relationships with the local host.
l Run the display msdp peer-status [ peer-address ] command to check the detailed information
about the statuses of the specified remote peers that establish MSDP peer relationships with
the local host.

----End

Example
Run the display msdp brief command. If the brief information about the remote MSDP peer
status is displayed, it means that the configuration succeeds. For example:
<Quidway> display msdp brief
MSDP Peer Brief Information
  Configured   Up   Listen   Connect   Shutdown   Down
  2            2    0        0         0          0
  Peer's Address   State   Up/Down time   AS    SA Count   Reset Count
  192.168.2.1      UP      01:07:08       200   8          0
  192.168.4.2      UP      00:06:39       100   13         0
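The verification step above can be automated: the following added Python script (not part of the guide) parses display msdp brief output into peer records and reports peers that are not UP, have been reset, or are missing from or extra to an approved peer set. SAMPLE_OK is the output shown above with its column layout restored; SAMPLE_BAD, the "DOWN" state name and the finding codes are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# The output shown above, re-typed as a constructed string with its column layout restored.
SAMPLE_OK = """\
<Quidway> display msdp brief
MSDP Peer Brief Information
  Configured   Up   Listen   Connect   Shutdown   Down
  2            2    0        0         0          0
  Peer's Address   State   Up/Down time   AS    SA Count   Reset Count
  192.168.2.1      UP      01:07:08       200   8          0
  192.168.4.2      UP      00:06:39       100   13         0
"""

# Constructed variant: one approved peer is down and resetting, and a third peer that
# was never approved has appeared. The state name "DOWN" is assumed for the example.
SAMPLE_BAD = """\
<Quidway> display msdp brief
MSDP Peer Brief Information
  Configured   Up   Listen   Connect   Shutdown   Down
  3            2    0        0         0          1
  Peer's Address   State   Up/Down time   AS    SA Count   Reset Count
  192.168.2.1      UP      01:07:08       200   8          0
  192.168.4.2      DOWN    00:00:12       100   0          4
  192.168.7.7      UP      00:03:01       300   2          0
"""


@dataclass(frozen=True)
class MsdpPeer:
    address: str
    state: str
    up_down_time: str
    asn: int
    sa_count: int
    reset_count: int


SUMMARY_HEADER = ("Configured", "Up", "Listen", "Connect", "Shutdown", "Down")
PEER_LINE = re.compile(
    r"^\s*(\d+\.\d+\.\d+\.\d+)\s+(\S+)\s+(\d\d:\d\d:\d\d)\s+(\d+)\s+(\d+)\s+(\d+)\s*$")


def parse_msdp_brief(text: str) -> Tuple[Dict[str, int], List[MsdpPeer]]:
    """Return the summary counters and one MsdpPeer per peer row."""
    summary: Dict[str, int] = {}
    peers: List[MsdpPeer] = []
    lines = [ln for ln in text.splitlines() if ln.strip()]
    for i, line in enumerate(lines):
        if tuple(line.split()) == SUMMARY_HEADER and i + 1 < len(lines):
            # The counters sit on the line after the summary header.
            summary = dict(zip(SUMMARY_HEADER, map(int, lines[i + 1].split())))
            continue
        m = PEER_LINE.match(line)
        if m:
            addr, state, when, asn, sa, resets = m.groups()
            peers.append(MsdpPeer(addr, state, when, int(asn), int(sa), int(resets)))
    return summary, peers


def check_msdp_peers(text: str, approved: Set[str]) -> List[str]:
    """Compare the output against the approved peer set and return findings as
    'CODE address' strings (constructed codes); an empty list means healthy."""
    summary, peers = parse_msdp_brief(text)
    seen = {p.address for p in peers}
    findings = [f"MISSING_PEER {a}" for a in sorted(approved - seen)]
    for p in peers:
        if p.address not in approved:
            findings.append(f"UNEXPECTED_PEER {p.address}")  # peer not in the approved set
        if p.state != "UP":
            findings.append(f"PEER_NOT_UP {p.address}")
        if p.reset_count > 0:
            findings.append(f"SESSION_RESETS {p.address}")   # TCP session was torn down and rebuilt
    if summary and summary["Up"] != summary["Configured"]:
        findings.append("SUMMARY_PEERS_DOWN")
    return findings


if __name__ == "__main__":
    for name, text in (("ok", SAMPLE_OK), ("bad", SAMPLE_BAD)):
        print(name, check_msdp_peers(text, {"192.168.2.1", "192.168.4.2"}) or "healthy")
```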

6.7.4 Configuring an Anycast RP in a PIM-SM Domain


Anycast RP indicates that when multiple RPs with the same address reside in the same PIM-SM
domain and MSDP peer relationships are set up between these RPs, IP routing automatically
selects the topologically closest RP for each source and receiver. In this manner, burdens on a
single RP are released, RP backup is implemented, and the forwarding path is optimized.

Establishing the Configuration Task


You can configure anycast RP in the scenario where devices in a PIM-SM domain are reachable,
PIM-SM is enabled on the interfaces configured with multicast routing, and no RP is configured
in the network.

Applicable Environment
In a traditional PIM-SM domain, each multicast group can be mapped to only one RP. When
the network is overloaded or the traffic is too concentrated, many network problems are caused.
For example, the pressure on the RP is too heavy, Switches converge slowly after the RP fails,
and the multicast forwarding path is not optimal.
After anycast RPs are applied in a PIM-SM domain, the source registers with the nearest RP and
hosts send Join messages to the nearest RP. That is, the load on a single RP is reduced, RP
backup is implemented, and the forwarding path is optimized.
The recommended configuration solutions are as follows:

l Configure loopback interfaces on multiple Switches in the PIM-SM domain respectively,
assign the same IP address to the loopback interfaces, and advertise the IP address by using
unicast routes.
l Configure the loopback interfaces on the Switches as C-RPs or configure the address of the
loopback interface as a static RP on all Switches in the PIM-SM domain.
l Set up the MSDP peer relationship between the Switches. If the number of Switches is greater
than three, it is recommended to set up the MSDP peer relationship between the Switches
and configure them to join the same mesh group.
l Specify the logical RP address to transmit SA messages between the MSDP peers.

Pre-configuration Tasks
Before configuring an anycast RP in a PIM-SM domain, complete the following tasks:
l Configuring a unicast routing protocol to implement interconnection at the network layer
l Enabling IP multicast
l Configuring a PIM-SM domain without any RP

Data Preparation
To configure an anycast RP in a PIM-SM domain, you need the following data.
No.  Data
1    RP address
2    Interface and address of the local MSDP peer
3    Interface and address of the remote MSDP peer
4    Description of an MSDP peer

Configuring the Interface Address of an RP


Before configuring anycast RP on the devices in a PIM-SM domain, configure a loopback
interface on each device and assign the same IP address to the loopback interfaces. In addition,
advertise the IP address of the RP through unicast routes to ensure that each device has a
reachable route to the RP interface.

Context
Use a unicast routing protocol in the current network to advertise the address of the newly
configured RP interface. Ensure that all Switches in the network have a route to the RP.
In the PIM-SM domain, do as follows on the multiple Switches on which the anycast RP is to be
configured:

Procedure
Step 1 Run:
system-view


The system view is displayed.


Step 2 Run:
interface loopback interface-number

The loopback interface view is displayed.


Multiple RPs can use the same IP address in a network. The RPs, therefore, are configured on
the loopback interface.
Step 3 Run:
ip address ip-address { mask | mask-length }

The address of the loopback interface is configured.


The parameters of the command are explained as follows:
l ip-address: specifies the address of an RP. The RPs configured on multiple devices use the
same IP address.
l mask | mask-length: specifies the address mask of the loopback interface.
Step 4 Run:
pim sm

PIM-SM is enabled for the RP interface.


NOTE

Before configuring a dynamic RP, you need to run this command. This command is not required when you
configure a static RP.

----End

Configuring a C-RP
A loopback interface is generally configured as a C-RP on the device to be configured with
anycast RP.

Context
NOTE

l If the PIM-SM network uses a static RP, the configuration is not necessary.
l If the PIM-SM network uses a BSR-RP, the configuration is mandatory. Before configuring a C-RP,
configure a BSR and a BSR boundary. The BSR address cannot be the same as the C-RP address.

Do as follows on the multiple Switches where anycast RP is to be configured in the PIM-SM domain:

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
pim

The PIM view is displayed.



Step 3 Run:
c-rp loopback interface-number

An interface is configured as a C-RP.


----End

Statically Configuring an RP
To configure a static RP, you need to configure the addresses of the loopback interfaces as the
RP addresses on all the devices in a PIM-SM domain.

Context
NOTE

l When the PIM-SM network uses a BSR-RP, the configuration is not necessary.
l When the PIM-SM network uses a static RP, the configuration is mandatory.

Do as follows on all Switches in the PIM-SM domain:

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
pim

The PIM view is displayed.


Step 3 Run:
static-rp rp-address

The loopback interface address is configured as a static RP address.


----End

Configuring an MSDP Peer


MSDP peer relationships need to be set up between RPs. If there are more than three devices,
MSDP peer relationships should be set up between any two devices and all MSDP peers should
be added to one mesh group.

Context
Do as follows on multiple Switches on which an anycast RP is to be created:
NOTE

If more than two Switches are configured with RPs that have the same IP address, ensure that the
Switches that set up MSDP peer relationships are interconnected.


Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
msdp

MSDP is enabled in the public network instance, and the MSDP view is displayed.
Step 3 Run:
peer peer-address connect-interface interface-type interface-number

An MSDP peer connection is created.


The parameters of the command are explained as follows:
l peer-address: specifies the address of a remote MSDP peer.
l interface-type interface-number: specifies the local interface.
Step 4 (Optional) Run:
peer peer-address description text

The description of the MSDP peer is added.


This configuration helps to differentiate remote MSDP peers and manage the connection with
the remote MSDP peers.
The parameters of the command are explained as follows:
l peer-address: specifies the address of a remote MSDP peer.
l text: specifies the description text. The text is a string of 80 characters.
Step 5 (Optional) Run:
peer peer-address mesh-group name

A remote MSDP peer is configured to join a mesh group.


That is, the remote MSDP peer is acknowledged as a member of the mesh group.
If only two Switches are configured with the anycast RP, this configuration is not necessary.
The parameters of the command are explained as follows:
l peer-address: specifies the address of a remote MSDP peer.
l name: specifies the name of a mesh group. The members of the same mesh group use the
same mesh group name.
Note the following:
l MSDP peer connections must be set up between all members of the mesh group.
l All members of the mesh group must acknowledge each other as members of the mesh group.
l An MSDP peer belongs to only one mesh group. If an MSDP peer is configured to join
different mesh groups multiple times, only the last configuration takes effect.
----End

Specifying the Logical RP Address for an SA Message


After receiving an SA message, an MSDP peer performs the RPF check on the message. If the
remote RP address carried in the SA message is the same as the local RP address, the MSDP
peer discards the SA message. Therefore, you need to specify a logical RP address for SA
messages on the device on which anycast RP is to be configured.

Context
After receiving an SA message, an MSDP peer performs the RPF check on the message. If the
remote RP address carried in the SA message is the same as the local RP address, the SA message
is discarded.
Do as follows on the Switches on which the anycast RP is to be configured:

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
msdp

The MSDP view is displayed.


Step 3 Run:
originating-rp interface-type interface-number

The logical RP interface is configured. The logical RP interface cannot be the same as the actual
RP interface. It is recommended to configure the MSDP peer interface as the logical RP interface.
After the originating-rp command is used, the logical RP address replaces the RP address carried
in the SA messages sent by the Switch, so the SA messages can pass the RPF check after reaching
the remote Switch.
NOTE

The system does not advertise routes on the MTIs to VPNs; therefore, the MTIs cannot be used as logical
RPs.

----End
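The RPF rule described above, modelled in Python as an added example (not Huawei code): two switches share the anycast RP address 7.7.7.7 from the page's example output and peer over MSDP; the switch names, the peer interface addresses 10.1.1.1 and 10.1.1.2, and the origin_rp field name are constructed.

```python
"""Model of the MSDP RPF rule that motivates the originating-rp command.

Added example, not Huawei code. Two anycast RPs share the RP address
7.7.7.7 (from the page's example output) and peer over MSDP; the switch
names and interface addresses below are constructed.
"""
from dataclasses import dataclass
from typing import Optional, Set, Tuple

ANYCAST_RP = "7.7.7.7"


@dataclass(frozen=True)
class SAMessage:
    """(S, G) announcement; origin_rp is the RP address field of the SA."""
    origin_rp: str
    source: str
    group: str


class MsdpSwitch:
    def __init__(self, name: str, local_rp: str, peer_if_addr: str,
                 originating_rp: Optional[str] = None) -> None:
        # The page: the logical RP interface cannot be the actual RP interface.
        if originating_rp is not None and originating_rp == local_rp:
            raise ValueError("logical RP must differ from the actual RP address")
        self.name = name
        self.local_rp = local_rp          # address on the RP loopback
        self.peer_if_addr = peer_if_addr  # MSDP peer (connect) interface
        self.originating_rp = originating_rp
        self.sa_cache: Set[Tuple[str, str]] = set()

    def build_sa(self, source: str, group: str) -> SAMessage:
        # Without originating-rp the SA carries the (shared) RP address;
        # with it, the logical RP address replaces that address.
        rp = self.originating_rp if self.originating_rp else self.local_rp
        return SAMessage(rp, source, group)

    def rpf_check(self, sa: SAMessage) -> bool:
        # The rule the page states: an SA whose RP address equals the
        # local RP address is discarded.
        return sa.origin_rp != self.local_rp

    def receive(self, sa: SAMessage) -> bool:
        """Return True if the SA passed the RPF check and was cached."""
        if not self.rpf_check(sa):
            return False
        self.sa_cache.add((sa.source, sa.group))
        return True


def anycast_exchange(use_originating_rp: bool) -> Tuple[bool, str]:
    """SwitchA announces an (S, G) to SwitchB; both are anycast RPs.

    Returns (accepted_by_B, rp_address_carried_in_the_SA).
    """
    a_if, b_if = "10.1.1.1", "10.1.1.2"   # constructed peer interface addresses
    a = MsdpSwitch("SwitchA", ANYCAST_RP, a_if, a_if if use_originating_rp else None)
    b = MsdpSwitch("SwitchB", ANYCAST_RP, b_if, b_if if use_originating_rp else None)
    sa = a.build_sa("10.11.1.2", "225.1.1.1")  # (S, G) from the page's routing table
    return b.receive(sa), sa.origin_rp


if __name__ == "__main__":
    for flag in (False, True):
        ok, rp = anycast_exchange(flag)
        print(f"originating-rp {'on ' if flag else 'off'}: SA carries RP {rp}, "
              f"{'accepted' if ok else 'discarded'} by SwitchB")
```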

Checking the Configuration


After anycast RP in a PIM-SM domain is configured, you can run related commands to check
brief information about MSDP peers and RP information of PIM routing entries.

Procedure
l Run the display msdp brief command to check the brief information about the MSDP peer
status.
l Run the display pim routing-table command to check the information about the RP
corresponding to the PIM routing table.
----End

Example
Run the display msdp [ vpn-instance vpn-instance-name | all-instance ] brief command. If the
brief information about the remote MSDP peer status is displayed, it means that the configuration
succeeds. For example:
<Quidway> display msdp brief
MSDP Peer Brief Information
  Configured   Up   Listen   Connect   Shutdown   Down
  1            1    0        0         0          0
  Peer's Address   State   Up/Down time   AS   SA Count   Reset Count
  2.2.2.2          UP      00:10:17       ?    0          0

Run the display pim routing-table command. If the RP information corresponding to the
routing table is displayed, it means that the configuration succeeds. For example:
<Quidway> display pim routing-table
VPN-Instance: public net
Total 0 (*, G) entry; 1 (S, G) entry
(10.11.1.2, 225.1.1.1)
RP: 7.7.7.7 (local)
Protocol: pim-sm, Flag: SPT ACT
UpTime: 00:01:57
Upstream interface: Vlanif10
Upstream neighbor: 10.3.1.2
RPF prime neighbor: 10.3.1.2
Downstream interface(s) information:
Total number of downstreams: 1
1: Vlanif20
Protocol: pim-sm, UpTime: - , Expires:

6.7.5 Managing MSDP Peer Connections


MSDP peers should set up TCP connections. You can then flexibly control the sessions set up
between MSDP peers by closing or re-establishing TCP connections. You can also adjust the
interval for retrying to set up a TCP connection between MSDP peers.

Establishing the Configuration Task


After PIM-SM inter-domain multicast or anycast RP in a PIM-SM domain is configured, you
can manage the connection between MSDP peers as required.

Applicable Environment
MSDP peers are connected by the TCP connection (the port number is 639). Users can close or
reestablish a TCP connection, and flexibly control the sessions set up between MSDP peers.
When a new MSDP peer is created, or when a closed MSDP peer connection is restarted, or
when a faulty MSDP peer tries recovering, the TCP connection needs to be immediately set up
between MSDP peers. Users can flexibly adjust the interval for retrying setting up an MSDP
peer connection.

Pre-configuration Tasks
Before managing MSDP peer connections, complete the following tasks:
l Configuring a unicast routing protocol to implement interconnection at the network layer
l Enabling IP multicast
l Configuring a PIM-SM domain to implement intra-domain multicast
l Configuring PIM-SM Inter-domain Multicast or Configuring an Anycast RP in a PIM-SM Domain

Data Preparation
To manage MSDP peer connections, you need the following data.
No.   Data
1     Address of a remote MSDP peer
2     The period for retrying sending the TCP connection request to the remote MSDP peer of the local Switch

Controlling the Sessions Between MSDP Peers


After the connection between MSDP peers is closed, the MSDP peers no longer exchange SA
messages and do not retry to set up a new connection. You can restart the connection between
the MSDP peers as required.

Context
Do as follows on the Switch on which the MSDP peer is created:

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
msdp

The MSDP view is displayed.


Step 3 Run:
shutdown peer-address

A session with the remote MSDP peer is closed.


The parameters of the command are explained as follows:
l peer-address: specifies the address of a remote MSDP peer.
Note the following:
l After the session with the remote MSDP peer is closed, the TCP connection is closed, the
peers no longer transmit SA messages, and the peers do not retry setting up the connection.
The configuration, however, is saved.
l You can run the undo shutdown peer-address command to reopen the session with the remote
MSDP peer and reestablish the TCP connection.
----End

Adjusting the Interval for Retrying Setting up an MSDP Peer Connection


When a new MSDP peer relationship is created, when a closed MSDP peer connection is
restarted, or when a faulty MSDP peer tries recovering, a TCP connection needs to be
immediately set up between the MSDP peers. You can flexibly adjust the interval for retrying
to set up a TCP connection between MSDP peers.

Context
Do as follows on the Switch on which the MSDP peer is created:

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
msdp

The MSDP view is displayed.


Step 3 Run:
timer retry interval

The period for retrying sending the TCP connection request to the remote MSDP peer is set.
----End

Checking the Configuration


After a TCP connection is set up between MSDP peers, you can run related commands to check
brief and detailed information about MSDP peers.

Procedure
l Run the display msdp brief command to check the brief information about the statuses of
all remote peers that establish MSDP peer relationships with the local host.
l Run the display msdp peer-status [ peer-address ] command to check the detailed information
about the statuses of the specified remote peers that establish MSDP peer relationships with
the local host.

----End

Example
<Quidway> display msdp brief
MSDP Peer Brief Information
  Configured   Up   Listen   Connect   Shutdown   Down
  2            2    0        0         0          0
  Peer's Address   State   Up/Down time   AS    SA Count   Reset Count
  192.168.2.1      UP      01:07:08       200   8          0
  192.168.4.2      UP      00:06:39       100   13         0

6.7.6 Configuring SA Cache


An SA cache is used to save the (S, G) information carried in SA messages locally. When a
device needs to receive multicast data, it directly obtains available (S, G) information from the
SA cache.

Establishing the Configuration Task


After PIM-SM inter-domain multicast or anycast RP in a PIM-SM domain is configured, you
can configure an SA cache as required.

Applicable Environment
By default, SA Cache is enabled on Switches on which MSDP peers are configured. The
Switches can locally store the (S, G) information carried in SA messages. When the Switches need
to receive (S, G) information, they can obtain it from the SA Cache.
Setting the maximum number of (S, G) entries can prevent Denial of Service (DoS) attacks.
Users can disable the SA Cache of a Switch. After the SA Cache of a Switch is disabled, the
Switch does not locally store the (S, G) information carried in SA messages. When a Switch
wants to receive (S, G) data, it needs to wait for the SA message to be sent by its MSDP peer
in the next period. This delays receivers from obtaining multicast data.

Pre-configuration Tasks
Before configuring SA Cache, complete the following tasks:
l Configuring a unicast routing protocol to implement interconnection at the network layer
l Enabling IP multicast
l Configuring a PIM-SM domain to implement intra-domain multicast
l Configuring PIM-SM Inter-domain Multicast or Configuring an Anycast RP in a PIM-SM Domain

Data Preparation
To configure SA Cache, you need the following data.
No.   Data
1     Maximum number of (S, G) entries in the SA Cache

Configuring the Maximum Number of (S, G) Entries in the Cache


Setting the maximum number of (S, G) entries in an SA cache can prevent DoS attacks.

Context
Do as follows on the Switch on which the MSDP peer is configured:
NOTE

If the configuration is not done, default values are used.


Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
msdp

The MSDP view is displayed.


Step 3 Run:
peer peer-address sa-cache-maximum sa-limit

The maximum number of (S, G) entries is set.


The parameters of the command are explained as follows:
l peer-address: specifies the address of a remote MSDP peer.
l sa-limit: specifies the maximum number of cached (S, G) entries. The configured value takes
effect only when it is smaller than the cache capacity supported by the device; otherwise, the
device capacity applies.
----End
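The per-peer limit set by peer peer-address sa-cache-maximum sa-limit, modelled in Python as an added example (not Huawei code) so the bound it places on cache growth under an SA flood is visible: the device capacity of 8192, the 360-second hold time, the peer addresses and the (S, G) values are constructed.

```python
"""Model of an MSDP SA cache with a per-peer (S, G) entry limit.

Added example, not Huawei code. It mimics the effect of
`peer peer-address sa-cache-maximum sa-limit`. The device capacity, hold
time, peer addresses and (S, G) values are constructed.
"""
from collections import OrderedDict
from typing import Dict, Tuple

DEVICE_SA_CAPACITY = 8192   # constructed stand-in for the device's cache specification
SA_HOLD_SECONDS = 360       # assumed lifetime of a cached entry before it expires


class SaCache:
    def __init__(self, device_capacity: int = DEVICE_SA_CAPACITY) -> None:
        self.device_capacity = device_capacity
        self.peer_limit: Dict[str, int] = {}
        # peer address -> {(S, G): expiry timestamp}
        self.entries: Dict[str, OrderedDict] = {}
        self.refused: Dict[str, int] = {}

    def set_peer_limit(self, peer: str, sa_limit: int) -> int:
        # Page rule: a configured value smaller than the device specification
        # applies; otherwise the specification applies.
        self.peer_limit[peer] = min(sa_limit, self.device_capacity)
        return self.peer_limit[peer]

    def effective_limit(self, peer: str) -> int:
        return self.peer_limit.get(peer, self.device_capacity)

    def learn(self, peer: str, source: str, group: str, now: int) -> bool:
        """Cache an (S, G) learned from peer; False if the peer's limit refuses it."""
        cache = self.entries.setdefault(peer, OrderedDict())
        key = (source, group)
        if key in cache:                      # refresh an existing entry
            cache[key] = now + SA_HOLD_SECONDS
            return True
        if len(cache) >= self.effective_limit(peer):
            self.refused[peer] = self.refused.get(peer, 0) + 1
            return False
        cache[key] = now + SA_HOLD_SECONDS
        return True

    def expire(self, now: int) -> int:
        """Drop entries whose hold time has elapsed; return how many were dropped."""
        removed = 0
        for cache in self.entries.values():
            for key in [k for k, exp in cache.items() if exp <= now]:
                del cache[key]
                removed += 1
        return removed

    def count(self, peer: str) -> int:
        return len(self.entries.get(peer, ()))


def flood_demo() -> Dict[str, int]:
    """A peer limited to 5 entries sends 20 distinct (S, G); a second peer sends 3."""
    cache = SaCache()
    flooder, quiet = "10.10.10.10", "192.168.2.1"   # constructed peer addresses
    cache.set_peer_limit(flooder, 5)
    cache.set_peer_limit(quiet, 100000)   # above capacity -> clamped to 8192
    for i in range(20):
        cache.learn(flooder, f"8.8.8.{i + 1}", f"225.0.0.{200 + i}", now=0)
    for i in range(3):
        cache.learn(quiet, "10.11.1.2", f"225.1.1.{i + 1}", now=0)
    result = {
        "flooder_cached": cache.count(flooder),
        "flooder_refused": cache.refused.get(flooder, 0),
        "quiet_cached": cache.count(quiet),
        "quiet_limit": cache.effective_limit(quiet),
    }
    # Every entry was learned at t=0, so all of them expire once the hold time passes.
    result["expired_after_hold"] = cache.expire(now=SA_HOLD_SECONDS)
    return result


if __name__ == "__main__":
    for k, v in flood_demo().items():
        print(f"{k}: {v}")
```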

Disabling the SA Cache Function


You are allowed to disable the SA cache function. Then, when a device wants to receive multicast
data, it needs to wait for the SA message to be sent by its MSDP peer in the next period. This
results in a delay in obtaining multicast data.

Context
Do as follows on the Switch on which the MSDP peer is configured:

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
msdp

The MSDP view is displayed.


Step 3 Run:
undo cache-sa-enable

The SA Cache function is disabled.


NOTE

To reenable SA Cache, run the cache-sa-enable command in the MSDP view.

----End

Checking the Configuration


After the SA cache function is configured, you can run related commands to check the
information about entries in the SA cache.

Procedure
l Run the display msdp sa-cache [ group-address | source-address | { 2-byte-as-number |
4-byte-as-number } ] * command to check (S, G) entries in the SA Cache of the public
network instance.
l Run the display msdp sa-count [ 2-byte-as-number | 4-byte-as-number ] command to
check the number of (S, G) entries in the SA Cache of the public network instance.

----End

Example
Run the display msdp sa-cache command to check (S, G) entries in SA Cache.
<Quidway> display msdp sa-cache
MSDP Source-Active Cache Information: public net
MSDP Total Source-Active Cache - 3 entries
MSDP matched 3 entries
(8.8.8.8, 225.0.0.200)
Origin RP: 4.4.4.4
Pro: BGP, AS: 10
Uptime: 00:00:33, Expires: 00:05:27
(8.8.8.8, 225.0.0.201)
Origin RP: 4.4.4.4
Pro: BGP, AS: 1.0
Uptime: 00:00:33, Expires: 00:05:27
(8.8.8.8, 225.0.0.202)
Origin RP: 4.4.4.4
Pro: BGP, AS: 65535.65535
Uptime: 00:00:33, Expires: 00:05:27

Run the display msdp sa-count command to check the number of (S, G) entries in SA Cache.
<Quidway> display msdp sa-count
MSDP Source-Active Count Information: public net
Number of cached Source-Active entries, counted by Peer
  Peer's Address   Number of SA
  10.10.10.10      5
Number of source and group, counted by AS
  AS   Number of source   Number of group
  ?    3                  3
Total 5 Source-Active entries matched

6.7.7 Configuring the SA Request


If the SA cache is enabled on the remote MSDP peer and its capacity is large, configuring
"sending SA Request message" on the local device can shorten the time taken by a receiver to
obtain multicast source information. You can configure filtering rules for receiving SA Request
messages on a specified remote MSDP peer.

Establishing the Configuration Task


After PIM-SM inter-domain multicast or anycast RP in a PIM-SM domain is configured, you
can configure "SA Request message sending" as required.

Applicable Environment
The capacity of the SA Cache on certain Switches is small. When these Switches need to receive
multicast data, they cannot immediately obtain the valid (S, G) information and need to wait for
the SA message sent by their MSDP peers in the next period.
If SA Cache is enabled on the remote MSDP peer and the capacity of the SA Cache is large,
configuring "sending SA Request message" on the local Switch can shorten the period during
which receivers obtain multicast source information.
l When the local Switch wants to receive (S, G) information, it sends an SA Request message
to a specified remote MSDP peer.
l Once receiving the SA Request message, the MSDP peer responds to the SA Request
message with the required (S, G) information. If the "filtering rule of SA Request message"
is configured on the remote MSDP peer, it checks the SA Request messages received from
a specified peer and determines whether to respond according to the checking results.

Pre-configuration Tasks
Before configuring an SA request, complete the following tasks:
l Configuring a unicast routing protocol to implement interconnection at the network layer
l Enabling IP multicast
l Configuring a PIM-SM domain to implement intra-domain multicast
l Configuring PIM-SM Inter-domain Multicast or Configuring an Anycast RP in a PIM-SM Domain

Data Preparation
To configure an SA request, you need the following data.
No.   Data
1     Address of a remote MSDP peer
2     Filtering list for receiving SA request messages

Configuring "Sending SA Request Messages" on the Local Switch


When a device receives a new Join message and no corresponding (S, G) entry exists locally or
in the SA cache, the device immediately sends an SA Request message to the specified MSDP
peer rather than waits for the SA message in the next period.

Context
Do as follows on the local Switch:

Procedure
Step 1 Run:
system-view


The system view is displayed.


Step 2 Run:
msdp

The MSDP view is displayed.


Step 3 Run:
peer peer-address request-sa-enable

Sending SA Request message is configured.


peer-address specifies the address of a remote MSDP peer. When the local Switch receives a
new Join message from a group, it sends an SA Request message only to peer-address.
----End

(Optional) Configuring the Filtering Rules for Receiving SA Request Messages


You can configure rules for filtering the SA Request messages received from the local device
on a specified remote MSDP peer. If the SA Request message passes the filtering, the peer
immediately responds.

Context
Do as follows on the remote MSDP peer specified by using the peer peer-address request-sa-enable
command. If the configuration is not done, once an SA Request message arrives, the Switch
immediately responds to it with an SA message containing the required (S, G) information.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
msdp

The MSDP view is displayed.


Step 3 Run:
peer peer-address sa-request-policy [ acl basic-acl-number ]

The filtering rules for receiving SA Request messages are set.


l peer-address: specifies the address of an MSDP peer that sends the SA Request message.
l acl: specifies the filtering policy. If the ACL is not specified, all SA Request messages sent by
the peer are ignored. If the ACL is specified, only the SA Request messages that match the ACL
are accepted and the other SA Request messages are discarded.
----End

Check the Configuration


After "SA Request message sending" is configured, you can run related commands to check
detailed information about MSDP peers and SA cache information.

Procedure
l Run the display msdp peer-status [ peer-address ] command to check detailed information
about the MSDP peer status.
l Run the display msdp sa-cache [ group-address | source-address | { 2-byte-as-number |
4-byte-as-number } ] * command to check the SA Cache of the public network.

----End

Example
Run the display msdp peer-status [ peer-address ] command, and you can view the SA-Requests field and check whether the configuration is valid. For example:
<Quidway> display msdp peer-status
MSDP Peer 172.40.41.1, AS ?
Description:
Information about connection status:
State: Up
Up/down time: 00:26:41
Resets: 0
Connection interface: Vlanif10 (172.40.41.2)
Number of sent/received messages: 27/28
Number of discarded output messages: 0
Elapsed time since last connection or counters clear: 00:26:56
Information about (Source, Group)-based SA filtering policy:
Import policy: none
Export policy: none
Information about SA-Requests:
Policy to accept SA-Request messages: 2000
Sending SA-Requests status: enable
Minimum TTL to forward SA with encapsulated data: 0
SAs learned from this peer: 0, SA Cache maximum for the peer: none
Input queue size: 0, Output queue size: 0
Counters for MSDP message:
Count of RPF check failure: 0
Incoming/outgoing SA messages: 16/0
Incoming/outgoing SA requests: 0/0
Incoming/outgoing SA responses: 0/0
Incoming/outgoing data packets: 0/0
Peer authentication: configured
Peer authentication type: Key-Chain

6.7.8 Configuring the Filtering Rules for SA Messages


By default, a device receives all SA messages that pass the RPF check, and forwards the SA
messages to all MSDP peers. To control the transmission of SA messages among MSDP peers,
you can configure rules to filter the SA messages that are created, received, and forwarded.

Establishing the Configuration Task


After PIM-SM inter-domain multicast or anycast RP in a PIM-SM domain is configured, you
can configure filtering rules for SA messages.

Applicable Environment
By default, MSDP Switches receive all SA messages that pass the RPF check and forward them
to all MSDP peers. To control the transmission of SA messages among MSDP peers, users
can configure various filtering rules by using the following methods:
l Setting the rules for filtering the multicast source of an SA message on the source RP. The
source RP filters active multicast sources that register with the local Switch, and determines
the (S, G) entries to be sent according to the rules.
l Setting the rules for filtering an SA message received from a remote MSDP peer. When an
SA message sent by a remote MSDP peer reaches a Switch, the Switch determines whether
to receive the message based on the rules.
l Setting the rules for filtering an SA message forwarded to a remote MSDP peer. Before
forwarding the SA message to the remote MSDP peer, the Switch determines whether to
forward it based on the rules.

Pre-configuration Tasks
Before configuring the filtering rules for SA messages, complete the following tasks:
l Configuring a unicast routing protocol to implement interconnection at the network layer
l Enabling IP multicast
l Configuring a PIM-SM domain to implement intra-domain multicast
l Configuring PIM-SM Inter-domain Multicast or Configuring an Anycast RP in a PIM-SM Domain

Data Preparation
To configure the filtering rules for SA messages, you need the following data.
No.   Data
1     Filtering list for creating SA messages
2     Filtering list for receiving SA messages
3     Filtering list for forwarding SA messages
4     Address of a remote MSDP peer

Setting Rules for Creating an SA Message


You can set rules for filtering the multicast source of an SA message on the source RP. The
source RP then filters locally registered and active multicast sources, and determines which (S,
G) information needs to be advertised based on the set rules.

Context
Do as follows on the source RP configured with an MSDP peer:
NOTE

If the configuration is not done, an SA message created by the source RP contains the information of all
local active sources.


Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
msdp

The MSDP view is displayed.


Step 3 Run:
import-source [ acl acl-number ]

The rules for filtering the multicast source of an SA message are set.
The parameters of the command are explained as follows:
l acl: specifies the filtering list based on multicast sources. The SA message created by an
MSDP peer contains only the local source information that matches the filtering rules. The MSDP
peer can thus control which local (S, G) information is advertised.
l If the import-source command is used without acl, the SA message does not advertise any
information about the local active sources.
----End

Setting Rules for Receiving an SA Message


You can set the rules for filtering the received SA messages on a specified remote MSDP peer.
When SA messages sent by a remote MSDP peer reach the local device, the local device
determines whether to accept the messages based on the set rules.

Context
Do as follows on the Switch configured with MSDP:
NOTE

If the configuration is not done, the Switch receives all SA messages that pass the RPF check.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
msdp

The MSDP view is displayed.


Step 3 Run:
peer peer-address sa-policy import [ acl advanced-acl-number ]

The rules for filtering an SA message received from a remote MSDP peer are set.
The parameters of the command are explained as follows:

l peer-address: specifies the address of a remote MSDP peer.
l acl: specifies the advanced filtering list. Only the (S, G) information that passes the filtering
of the ACL is received. The (S, G) information is contained in an SA message sent by the
peer specified by peer-address.
l If the peer peer-address sa-policy import command is used without acl, the Switch does
not receive any (S, G) information from the peer specified by peer-address.
----End

Setting Rules for Forwarding an SA Message


You can set the rules for filtering the SA messages to be forwarded to a remote MSDP peer on
a local device. The local device then determines whether to forward the received SA messages
based on the set rules.

Context
Do as follows on the Switch enabled with MSDP:
NOTE

If the configuration is not done, the Switch forwards all SA messages that pass the RPF check.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
msdp

The MSDP view is displayed.


Step 3 Run:
peer peer-address sa-policy export [ acl advanced-acl-number ]

The rules for filtering an SA message forwarded to a remote MSDP peer are set.
The parameters of the command are explained as follows:
l peer-address: specifies the address of a remote MSDP peer.
l acl: specifies the advanced filtering list. Only the (S, G) information that matches the ACL
rule is forwarded to the peer specified by peer-address.
l If the peer peer-address sa-policy export command without acl is used, the Switch does not
forward any (S, G) information to the peer specified by peer-address.
----End
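The three filtering points of this section (import-source on the source RP, peer sa-policy import, peer sa-policy export), modelled in Python as one added example (not Huawei code) with the semantics the page states: unconfigured passes everything, configured without an ACL passes nothing, configured with an ACL passes only matching (S, G). The ACL numbers 2000/3000/3002, their rules, the peer names and addresses are constructed, and an ACL with no matching rule is treated as deny (an assumption).

```python
"""Model of the three MSDP SA filtering points described on this page.

Added example, not Huawei code. ACL numbers, rules, peer names and
addresses are constructed; an ACL whose rules do not match is assumed to
deny.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple, Union

ANY = "0.0.0.0/0"


@dataclass(frozen=True)
class AclRule:
    action: str                # "permit" or "deny"
    source: str = ANY          # basic ACLs match the source only
    group: str = ANY           # advanced ACLs also match the group

    def matches(self, source: str, group: str) -> bool:
        return (ipaddress.ip_address(source) in ipaddress.ip_network(self.source)
                and ipaddress.ip_address(group) in ipaddress.ip_network(self.group))


@dataclass
class Acl:
    number: int
    rules: List[AclRule]

    def permits(self, source: str, group: str) -> bool:
        for rule in self.rules:            # first matching rule decides
            if rule.matches(source, group):
                return rule.action == "permit"
        return False                       # assumed: no matching rule -> deny


class DenyAll:
    """Marker for a policy configured without an ACL (page: nothing passes)."""


Policy = Optional[Union[Acl, DenyAll]]   # None = policy not configured


def policy_allows(policy: Policy, source: str, group: str) -> bool:
    if policy is None:
        return True
    if isinstance(policy, DenyAll):
        return False
    return policy.permits(source, group)


class MsdpSwitch:
    def __init__(self) -> None:
        self.import_source: Policy = None             # import-source [ acl ... ]
        self.import_policy: Dict[str, Policy] = {}    # peer ... sa-policy import
        self.export_policy: Dict[str, Policy] = {}    # peer ... sa-policy export
        self.sa_cache: set = set()

    def originate_sa(self, local_active: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
        """On the source RP: which locally registered (S, G) go into the SA message."""
        return [sg for sg in local_active if policy_allows(self.import_source, *sg)]

    def receive_sa(self, peer: str, source: str, group: str) -> bool:
        """Accept an (S, G) from peer only if the import policy for that peer allows it."""
        if not policy_allows(self.import_policy.get(peer), source, group):
            return False
        self.sa_cache.add((source, group))
        return True

    def forward_targets(self, peers: List[str], source: str, group: str) -> List[str]:
        """Candidate peers to which an accepted (S, G) is forwarded under export policies."""
        return [p for p in peers if policy_allows(self.export_policy.get(p), source, group)]


def filtering_demo() -> Dict[str, object]:
    # Source RP: advertise only sources in 8.8.8.0/24 (basic ACL, constructed number 2000).
    rp = MsdpSwitch()
    rp.import_source = Acl(2000, [AclRule("permit", source="8.8.8.0/24")])
    advertised = rp.originate_sa([("8.8.8.8", "225.0.0.200"),
                                  ("10.11.1.2", "225.1.1.1")])

    # Transit switch: peerA is filtered by advanced ACL 3000, peerB has
    # sa-policy import configured without an ACL, peerC has no import policy.
    sw = MsdpSwitch()
    sw.import_policy["peerA"] = Acl(3000, [AclRule("deny", group="239.0.0.0/8"),
                                           AclRule("permit")])
    sw.import_policy["peerB"] = DenyAll()
    sw.export_policy["peerC"] = Acl(3002, [AclRule("permit", group="225.0.0.0/8")])
    accepted = {
        "A_225": sw.receive_sa("peerA", "8.8.8.8", "225.0.0.200"),
        "A_239": sw.receive_sa("peerA", "8.8.8.8", "239.1.1.1"),   # denied by rule
        "B_any": sw.receive_sa("peerB", "8.8.8.8", "225.0.0.200"),  # no ACL -> deny all
        "C_any": sw.receive_sa("peerC", "10.11.1.2", "225.1.1.1"),  # unconfigured -> accept
    }
    # 232.1.1.1 is outside peerC's export ACL, so peerC is not a forwarding target.
    forwarded = sw.forward_targets(["peerA", "peerB", "peerC"], "8.8.8.8", "232.1.1.1")
    return {"advertised": advertised, "accepted": accepted, "forwarded": forwarded}


if __name__ == "__main__":
    for k, v in filtering_demo().items():
        print(f"{k}: {v}")
```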

Checking the Configuration


After filtering rules for SA messages are configured, you can run related commands to check
detailed information about MSDP peers and SA cache information.

Procedure
l Run the display msdp sa-cache [ group-address | source-address | { 2-byte-as-number |
4-byte-as-number } ] * command to check the SA Cache of the public network instance.
l Run the display msdp peer-status [ peer-address ] command to check detailed information
about the MSDP peer status.

----End

Example
Run the display msdp [ vpn-instance vpn-instance-name | all-instance ] peer-status [ peer-address ] command, and you can view the Information about (Source, Group)-based SA filtering
policy field and check whether the configuration is valid. For example:
<Quidway> display msdp peer-status
MSDP Peer 172.40.41.1, AS ?
Description:
Information about connection status:
State: Up
Up/down time: 00:26:41
Resets: 0
Connection interface: Vlanif10 (172.40.41.2)
Number of sent/received messages: 27/28
Number of discarded output messages: 0
Elapsed time since last connection or counters clear: 00:26:56
Information about (Source, Group)-based SA filtering policy:
Import policy: 3000
Export policy: 3002
Information about SA-Requests:
Policy to accept SA-Request messages: 2000
Sending SA-Requests status: enable
Minimum TTL to forward SA with encapsulated data: 10
SAs learned from this peer: 0, SA Cache maximum for the peer: none
Input queue size: 0, Output queue size: 0
Counters for MSDP message:
Count of RPF check failure: 0
Incoming/outgoing SA messages: 16/0
Incoming/outgoing SA requests: 0/0
Incoming/outgoing SA responses: 0/0
Incoming/outgoing data packets: 0/0
Peer authentication: unconfigured
Peer authentication type: none

Run the display msdp sa-cache command to check the information about (S, G) entries in SA
Cache.
l If group-address is specified, the (S, G) entry to which a specified group corresponds is
displayed.
l If source-address is specified, the (S, G) entry to which a specified source corresponds is
displayed.
l If 2-byte-as-number or 4-byte-as-number is specified, the (S, G) entry whose Origin RP
attribute belongs to a specified AS is displayed.
<Quidway> display msdp sa-cache
MSDP Source-Active Cache Information of VPN-Instance: public net
MSDP Total Source-Active Cache - 3 entries
MSDP matched 3 entries
(8.8.8.8, 225.0.0.200)
Origin RP: 4.4.4.4
Pro: BGP, AS: 10
Uptime: 00:00:33, Expires: 00:05:27
(8.8.8.8, 225.0.0.201)
Origin RP: 4.4.4.4
Pro: BGP, AS: 1.0
Uptime: 00:00:33, Expires: 00:05:27
(8.8.8.8, 225.0.0.202)
Origin RP: 4.4.4.4
Pro: BGP, AS: 65535.65535
Uptime: 00:00:33, Expires: 00:05:27

6.7.9 Configuring MSDP Authentication


MSDP peer authentication uses the MD5 authentication algorithm.

Establishing the Configuration Task


After PIM-SM inter-domain multicast or anycast RP in a PIM-SM domain is configured, you can
configure MSDP authentication as required to ensure the security of the TCP connection between
MSDP peers.

Applicable Environment
Configuring MSDP authentication can enhance the security of the TCP connections between
MSDP peers.

Pre-configuration Tasks
Before configuring MSDP authentication, complete the following tasks:
l Configuring a unicast routing protocol to implement intra-domain IP interworking
l Enabling IP multicast
l Configuring PIM-SM domains to implement intra-domain multicast
l Configuring PIM-SM Inter-domain Multicast or Configuring an Anycast RP in a PIM-SM Domain

Data Preparation
Before configuring MSDP authentication, prepare the following data:
No.   Data
1     IP address of the peer to be configured with MSDP authentication
2     Password for MSDP MD5 authentication

Configuring MSDP MD5 Authentication


The MSDP peers must be configured with the same authentication password; otherwise, the TCP
connection cannot be set up between MSDP peers and MSDP messages cannot be transmitted.
The authentication password on peers can be in different forms, that is, the password on one end
can be in the cipher text while the password on the peer can be in the plain text.
Context
By default, MSDP MD5 authentication is not configured.
Do as follows on the Switch configured with MSDP peers:

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
msdp

The MSDP view is displayed.

Step 3 Run:
peer peer-address password { cipher cipher-password | simple simple-password }

MSDP MD5 authentication is configured for the peer peer-address.

The MSDP MD5 authentication password is case sensitive and cannot contain spaces. The MSDP peers must be configured with the same authentication password; otherwise, the TCP connection cannot be set up between the MSDP peers and MSDP messages cannot be transmitted. The password may be entered as cipher text on one end and as plain text on the other; this changes only how it is stored in each configuration file. A password entered with the simple keyword is kept in plain text in the configuration file, so use cipher wherever the configuration file may be displayed, backed up, or read by others. Repeat this step on the remote peer with the same password.
NOTE
Characters ^#^# and $@$@ are used to identify passwords with variable lengths. Characters ^#^# are the prefix and suffix of a new password, and characters $@$@ are the prefix and suffix of an old password. Neither of them can be configured at both the beginning and the end of a plain text password.

----End

Checking the Configuration

After MSDP authentication is configured, you can run the related commands to check brief and detailed information about MSDP peers.

Procedure
- Run the display msdp brief command to check brief information about MSDP peers.
- Run the display msdp peer-status [ peer-address ] command to check detailed information about MSDP peers.

----End

Example
Run the display msdp peer-status [ peer-address ] command and check the Peer authentication and Peer authentication type fields in the command output. Authentication is in effect only when the fields show configured and MD5; run the same check on the remote peer as well, because the password must be configured on both ends before the TCP connection can be set up. For example:
<Quidway> display msdp peer-status
MSDP Peer 172.40.41.1, AS ?
Description:
Information about connection status:
State: Up
Up/down time: 00:26:41
Resets: 0
Connection interface: Vlanif10 (172.40.41.2)
Number of sent/received messages: 27/28
Number of discarded output messages: 0
Elapsed time since last connection or counters clear: 00:26:56
Information about (Source, Group)-based SA filtering policy:
Import policy: 3000
Export policy: 3002
Information about SA-Requests:
Policy to accept SA-Request messages: 2000
Sending SA-Requests status: enable
Minimum TTL to forward SA with encapsulated data: 10
SAs learned from this peer: 0, SA-cache maximum for the peer: none
Input queue size: 0, Output queue size: 0
Counters for MSDP message:
Count of RPF check failure: 0
Incoming/outgoing SA messages: 16/0
Incoming/outgoing SA requests: 0/0
Incoming/outgoing SA responses: 0/0
Incoming/outgoing data packets: 0/0
Peer authentication: configured
Peer authentication type: MD5
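The check a practitioner would script from this output, added here as an example that is not part of the AC6605 documentation: a Python parser for the display msdp peer-status text shown above that lists every peer whose TCP session is not MD5-authenticated. The sample output is constructed from the two peer-status listings in this chapter; the parser assumes each peer block starts with an "MSDP Peer <address>, AS <number>" line followed by "Field: value" lines, as in those listings.

```python
"""Check 'display msdp peer-status' output for peers without MD5 authentication.

Added example; not part of the AC6605 documentation. It parses the text
format shown in this section (an 'MSDP Peer <address>, AS <number>' header
followed by 'Field: value' lines) and lists every peer whose
'Peer authentication' is not 'configured' or whose
'Peer authentication type' is not 'MD5'.
"""
import re

# Constructed sample built from the two outputs shown in this chapter: the
# first peer has MSDP MD5 authentication configured, the second does not.
SAMPLE_OUTPUT = """\
<Quidway> display msdp peer-status
MSDP Peer 172.40.41.1, AS ?
  Description:
  Information about connection status:
    State: Up
    Up/down time: 00:26:41
    Resets: 0
    Connection interface: Vlanif10 (172.40.41.2)
    Peer authentication: configured
    Peer authentication type: MD5
MSDP Peer 192.168.2.2, AS 200
  Description:
  Information about connection status:
    State: Up
    Up/down time: 00:15:47
    Resets: 0
    Connection interface: vlanif200 (192.168.2.1)
    Peer authentication: unconfigured
    Peer authentication type: none
"""

PEER_HEADER = re.compile(r"^MSDP Peer (\d+\.\d+\.\d+\.\d+), AS (\S+)")
FIELD = re.compile(r"^\s*([^:]+?):\s*(.*)$")


def parse_peer_status(text):
    """Return one dict per 'MSDP Peer' block; keys are lower-cased field names."""
    peers = []
    current = None
    for line in text.splitlines():
        header = PEER_HEADER.match(line)
        if header:
            current = {"peer": header.group(1), "as": header.group(2)}
            peers.append(current)
            continue
        if current is None:
            continue  # prompt or command echo before the first peer block
        field = FIELD.match(line)
        if field and field.group(2):  # skip section labels such as 'Description:'
            current[field.group(1).strip().lower()] = field.group(2).strip()
    return peers


def unauthenticated_peers(text):
    """Addresses of peers whose TCP session is not protected by MD5."""
    findings = []
    for peer in parse_peer_status(text):
        auth = peer.get("peer authentication", "unconfigured")
        kind = peer.get("peer authentication type", "none")
        if auth != "configured" or kind.upper() != "MD5":
            findings.append(peer["peer"])
    return findings


if __name__ == "__main__":
    for address in unauthenticated_peers(SAMPLE_OUTPUT):
        print(f"MSDP peer {address}: TCP session is not MD5-authenticated")
```

Paste the output of display msdp peer-status (without a peer-address, so that every peer is listed) into SAMPLE_OUTPUT or feed it on standard input; the same parser can be run against each peer in turn to confirm that both ends report configured/MD5.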

6.7.10 Maintaining MSDP

Maintaining MSDP involves clearing MSDP peer statistics and (S, G) information in the SA cache, and monitoring the MSDP running status.

Clearing Statistics of MSDP Peers

When clearing MSDP peer statistics, you can choose whether to reset the TCP connection between MSDP peers. MSDP peer statistics cannot be restored after you clear them, and resetting the TCP connection interrupts the exchange of SA messages with that peer until the connection is re-established.

Context

CAUTION
The statistics of MSDP peers cannot be restored after you clear them. Confirm the action before you run the command.

Procedure
- Run the reset msdp peer [ peer-address ] command in the user view to reset the TCP connection with a specified MSDP peer and clear all statistics of that peer.
- Run the reset msdp statistics [ peer-address ] command in the user view to clear the statistics of one or all MSDP peers of the public network instance without resetting the peers.
- Run the reset msdp control-message counters [ peer peer-address ] command in the user view to clear the statistics about received, sent, and discarded MSDP messages.

----End
Clearing (S, G) Information in SA Cache

When you want to reset the contents of the SA cache, you can clear all (S, G) information from it. The (S, G) information cannot be restored after you clear it.

Context

CAUTION
The (S, G) information in the SA cache cannot be restored after you clear it. Confirm the action before you run the command.

Procedure
- Run the reset msdp sa-cache [ group-address ] command in the user view to clear the entries in the MSDP SA cache.

----End

Monitoring the Running Status of MSDP

During routine maintenance, you can run display commands in any view to check the running of MSDP.

Context
In routine maintenance, you can run the following commands in any view to check the running status of MSDP.

Procedure
- Run the display msdp brief [ state { connect | down | listen | shutdown | up } ] command in any view to check brief information about the MSDP peer status.
- Run the display msdp peer-status [ peer-address ] command in any view to check detailed information about the status of an MSDP peer of the public network instance.
- Run the display msdp sa-cache [ group-address | source-address | { 2-byte-as-number | 4-byte-as-number } ] * command in any view to check the (S, G) information in the SA cache.
- Run the display msdp sa-count [ 2-byte-as-number | 4-byte-as-number ] command in any view to check the number of (S, G) entries in the MSDP SA cache.
- Run the display msdp control-message counters [ peer peer-address | message-type { source-active | sa-request | sa-response | keepalive | notification | traceroute-request | traceroute-reply | data-packets | unknown-type } ] * command in any view to check statistics about the received, sent, and discarded MSDP messages.
- Run the display msdp invalid-packet [ peer peer-address | message-type { keepalive | notification | sa-request | sa-response | source-active } ] * command in any view to check statistics about invalid MSDP messages received by the device. A rising count of invalid messages from a peer is worth investigating, because it indicates malformed or unexpected traffic on the peering session.
- Run the display msdp rpf-peer original-rp original-rp-address command in any view to check information about all the RPF peers of a specific source RP address, including the RPF peer selection rules and RPF route types.

----End

Debugging MSDP
When a fault occurs during the running of MSDP, run the debugging commands in the user view and check the contents of sent and received packets to locate the fault.

Context

CAUTION
Debugging affects system performance. After fault location is complete, run the undo debugging all command to disable debugging immediately.
When an MSDP fault occurs, run the following debugging commands in the user view to debug MSDP and locate the fault.

Procedure
- Run the debugging msdp all command in the user view to enable all MSDP debugging.
- Run the debugging msdp connect command in the user view to enable debugging of the resetting of the MSDP peer connection.
- Run the debugging msdp event command in the user view to enable debugging of MSDP events.
- Run the debugging msdp packet command in the user view to enable debugging of MSDP packets.
- Run the debugging msdp source-active command in the user view to enable debugging of MSDP active sources.

----End

6.7.11 Configuration Examples


Configuration examples are provided to show how to implement PIM-SM inter-domain
multicast through MBGP, how to implement inter-AS multicast through static RPF peers, and
how to configure anycast RP in a PIM-SM domain.

Example for Configuring Basic MSDP Functions


Networking Requirements
As shown in Figure 6-18, two ASs exist on the network. Each AS contains one or more PIM-SM domains, and each PIM-SM domain has zero or one multicast source and receiver. The receivers in PIM-SM2 need to receive the multicast data sent by S3 in the PIM-SM3 domain and the multicast data sent by S1 in the PIM-SM1 domain.
Figure 6-18 Networking diagram for configuring basic MSDP functions
(Figure: AS100 holds domain PIM-SM1 with Switch A, Switch B and source S1. AS200 holds domain PIM-SM2 with Switch C, Switch D and the Receiver, and domain PIM-SM3 with Switch E, Switch F and source S3. Loopback0 addresses: Switch B 1.1.1.1/32, Switch C 2.2.2.2/32, Switch E 3.3.3.3/32. MSDP peer relationships: Switch B - Switch C and Switch C - Switch E.)

Switch    Physical interface   VLANIF interface   IP address
SwitchA   GE 0/0/1             VLANIF 101         10.110.1.1/24
SwitchA   GE 0/0/2             VLANIF 100         192.168.1.1/24
SwitchB   GE 0/0/1             VLANIF 200         192.168.2.1/24
SwitchB   GE 0/0/2             VLANIF 100         192.168.1.2/24
SwitchC   GE 0/0/1             VLANIF 200         192.168.2.2/24
SwitchC   GE 0/0/2             VLANIF 300         192.168.3.1/24
SwitchC   GE 0/0/3             VLANIF 400         192.168.4.1/24
SwitchD   GE 0/0/1             VLANIF 102         10.110.2.1/24
SwitchD   GE 0/0/2             VLANIF 300         192.168.3.2/24
SwitchE   GE 0/0/2             VLANIF 500         192.168.5.1/24
SwitchE   GE 0/0/3             VLANIF 400         192.168.4.2/24
SwitchF   GE 0/0/1             VLANIF 103         10.110.3.1/24
SwitchF   GE 0/0/2             VLANIF 500         192.168.5.2/24

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure the IP addresses of the interfaces on each switch and configure OSPF in each AS to ensure that the unicast routes within the AS are reachable.
2. Configure EBGP peers and import BGP and OSPF routes into each other's routing table to ensure that the unicast routes between ASs are reachable.
3. Enable multicast and PIM-SM on each interface, configure the domain boundary, and enable IGMP on the interfaces connected to hosts.
4. Configure the C-BSR and C-RP. Configure the RPs of PIM-SM1 and PIM-SM2 on the ASBRs.
5. Establish MSDP peer relationships between the RPs of the domains. The MSDP peers and the EBGP peers between ASs use the same interface addresses, so according to the RPF rule the switches accept SA messages from the next hop toward the source RP.

Data Preparation
To complete the configuration, you need the following data:
- Address of multicast group G: 225.1.1.1
- Number of the AS that Switch A and Switch B belong to, namely 100, and router ID of Switch B, namely 1.1.1.1
- Number of the AS that Switch C and Switch D belong to, namely 200, and router ID of Switch C, namely 2.2.2.2
- Number of the AS that Switch E and Switch F belong to, namely 200
NOTE
This configuration example describes only the commands related to MSDP configuration.

Procedure
Step 1 Configure the IP addresses of interfaces and the unicast routing protocol.
# According to Figure 6-18, configure IP addresses and masks for the interfaces on each switch. Configure OSPF between the switches in each AS so that they can communicate at the network layer and update routes dynamically through the unicast routing protocol. The configuration procedure is not provided here.
Step 2 Configure EBGP peer relationships between ASs and import routes of BGP and OSPF into each other's routing table.
# Configure EBGP on Switch B and import OSPF routes.
[SwitchB] bgp 100
[SwitchB-bgp] router-id 1.1.1.1
[SwitchB-bgp] peer 192.168.2.2 as-number 200
[SwitchB-bgp] import-route ospf 1
[SwitchB-bgp] quit

# Configure EBGP on Switch C and import OSPF routes.
[SwitchC] bgp 200
[SwitchC-bgp] router-id 2.2.2.2
[SwitchC-bgp] peer 192.168.2.1 as-number 100
[SwitchC-bgp] import-route ospf 1
[SwitchC-bgp] quit

# Import BGP routes into OSPF on Switch B. The configuration on Switch C is similar and is not provided here.
[SwitchB] ospf 1
[SwitchB-ospf-1] import-route bgp
[SwitchB-ospf-1] quit

Step 3 Enable multicast, enable PIM-SM on all interfaces, configure the domain boundary, and enable IGMP on the interface connecting to the host.
# Enable multicast on Switch B and enable PIM-SM on each interface. The configurations of the other switches are similar and are not provided here.
[SwitchB] multicast routing-enable
[SwitchB] interface vlanif 100
[SwitchB-Vlanif100] pim sm
[SwitchB-Vlanif100] quit
[SwitchB] interface vlanif 200
[SwitchB-Vlanif200] pim sm

# Configure the domain boundary on VLANIF 200 of Switch B.
[SwitchB-Vlanif200] pim bsr-boundary
[SwitchB-Vlanif200] quit

# Configure the domain boundary on VLANIF 200 and VLANIF 400 of Switch C, and the BSR service boundary on VLANIF 400 of Switch E. The configuration is similar to that on Switch B and is not provided here. The boundary stops bootstrap messages at the edge of each PIM-SM domain, so that one domain does not learn RP information from the neighboring domain.
# Enable IGMP on the interface connecting Switch D to the leaf network.
[SwitchD] interface vlanif 102
[SwitchD-Vlanif102] igmp enable

Step 4 Configure the C-BSR and C-RP.
# Create Loopback0 on Switch B, and configure a C-BSR and a C-RP on it. The configurations of Switch C and Switch E are similar and are not provided here.
[SwitchB] interface loopback 0
[SwitchB-LoopBack0] ip address 1.1.1.1 255.255.255.255
[SwitchB-LoopBack0] pim sm
[SwitchB-LoopBack0] quit
[SwitchB] pim
[SwitchB-pim] c-bsr loopback 0
[SwitchB-pim] c-rp loopback 0
[SwitchB-pim] quit

Step 5 Configure MSDP peer relationships.
# Configure the MSDP peer relationship on Switch B.
[SwitchB] msdp
[SwitchB-msdp] peer 192.168.2.2 connect-interface vlanif200
[SwitchB-msdp] quit

# Configure the MSDP peer relationships on Switch C.
[SwitchC] msdp
[SwitchC-msdp] peer 192.168.2.1 connect-interface vlanif200
[SwitchC-msdp] peer 192.168.4.2 connect-interface vlanif400
[SwitchC-msdp] quit

# Configure the MSDP peer relationship on Switch E.
[SwitchE] msdp
[SwitchE-msdp] peer 192.168.4.1 connect-interface vlanif400
[SwitchE-msdp] quit


Step 6 Verify the configuration.

# Run the display bgp peer command to view the BGP peer relationship between switches. For example, the following information shows the BGP peer relationship on Switch B and Switch C:
[SwitchB] display bgp peer
BGP local router ID : 1.1.1.1
Local AS number : 100
Total number of peers : 1                 Peers in established state : 1
  Peer            AS  MsgRcvd  MsgSent  OutQ  Up/Down       State   PrefRcv
  192.168.2.2    200       24       21        00:13:09  Established

[SwitchC] display bgp peer
BGP local router ID : 2.2.2.2
Local AS number : 200
Total number of peers : 1                 Peers in established state : 1
  Peer            AS  MsgRcvd  MsgSent  OutQ  Up/Down       State   PrefRcv
  192.168.2.1    100       18       16        00:12:04  Established

# Run the display bgp routing-table command to view the BGP routing table on a switch. For example, the BGP routing table displayed on Switch C is as follows:
[SwitchC] display bgp routing-table
BGP Local router ID is 2.2.2.2
Status codes: * - valid, > - best, d - damped,
              h - history, i - internal, s - suppressed, S - Stale
Origin : i - IGP, e - EGP, ? - incomplete
Total Number of Routes: 5
     Network            NextHop        MED        LocPrf    PrefVal Path/Ogn
*>   1.1.1.1/32         192.168.2.1    0                    0       100?
*>i  2.2.2.2/32         0.0.0.0        0                    0       ?
*>   192.168.2.0        0.0.0.0        0                    0       ?
*>   192.168.2.1/32     0.0.0.0        0                    0       ?
*>   192.168.2.2/32     0.0.0.0        0                    0       ?

# Run the display msdp brief command to view the status of the MSDP peer relationships between switches. The MSDP peer relationships among Switch B, Switch C and Switch E are as follows:
[SwitchB] display msdp brief
MSDP Peer Brief Information
  Configured   Up   Listen   Connect   Shutdown   Down
  1            1    0        0         0          0
  Peer's Address    State   Up/Down time   AS    SA Count   Reset Count
  192.168.2.2       UP      00:12:27       200   13         0

[SwitchC] display msdp brief
MSDP Peer Brief Information
  Configured   Up   Listen   Connect   Shutdown   Down
  2            2    0        0         0          0
  Peer's Address    State   Up/Down time   AS    SA Count   Reset Count
  192.168.2.1       UP      01:07:08       100   8          0
  192.168.4.2       UP      00:06:39       200   13         0

[SwitchE] display msdp brief
MSDP Peer Brief Information
  Configured   Up   Listen   Connect
  1            1    0        0
  Peer's Address    State   Up/Down time   AS
  192.168.4.1       UP      00:15:32       200

# Run the display msdp peer-status command to view the details about MSDP peer relations
between switches. The details displayed on Switch B are as follows:
[SwitchB] display msdp peer-status
MSDP Peer 192.168.2.2, AS 200
Description:
Information about connection status:
State: Up
Up/down time: 00:15:47
Resets: 0
Connection interface: vlanif200 (192.168.2.1)
Number of sent/received messages: 16/16
Number of discarded output messages: 0
Elapsed time since last connection or counters clear: 00:17:51
Information about (Source, Group)Based SA filtering policy:
Import policy: none
Export policy: none
Information about SA-Requests:
Policy to accept SA-Request messages: none
Sending SA-Requests status: disable
Minimum TTL to forward SA with encapsulated data: 0
SAs learned from this peer: 0, SA-Cache maximum for the peer: none
Input queue size: 0, Output queue size: 0
Counters for MSDP message:
Count of RPF check failure: 0
Incoming/outgoing SA messages: 0/0
Incoming/outgoing SA requests: 0/0
Incoming/outgoing SA responses: 0/0
Incoming/outgoing data packets: 0/0
Peer authentication: unconfigured
Peer authentication type: none

# Run the display pim routing-table command to view the PIM routing table on a switch. When multicast sources S1 (10.110.1.2/24) in PIM-SM1 and S3 (10.110.3.2/24) in PIM-SM3 send multicast data to multicast group G (225.1.1.1), Receiver (10.110.2.2/24) in PIM-SM2 can receive the multicast data. On Switch C, both (S, G) entries carry the MSDP flag, which shows that the sources were learned through SA messages from the MSDP peers rather than through PIM Register messages. The PIM routing tables displayed on Switch B and Switch C are as follows:
[SwitchB] display pim routing-table
VPN-Instance: public net
Total 0 (*, G) entry; 1 (S, G) entry
(10.110.1.2, 225.1.1.1)
RP: 1.1.1.1(local)
Protocol: pim-sm, Flag: SPT EXT ACT
UpTime: 00:00:42
Upstream interface: vlanif100
Upstream neighbor: 192.168.1.1
RPF prime neighbor: 192.168.1.1
Downstream interface(s) information:
Total number of downstreams: 1
1: vlanif200
Protocol: pim-sm, UpTime: 00:00:42, Expires: -
[SwitchC] display pim routing-table
VPN-Instance: public net
Total 1 (*, G) entry; 2 (S, G) entries
(*, 225.1.1.1)
RP: 2.2.2.2(local)
Protocol: pim-sm, Flag: WC RPT
UpTime: 00:13:46
Upstream interface: NULL
Upstream neighbor: NULL
RPF prime neighbor: NULL
Downstream interface(s) information:
Total number of downstreams: 1
1: vlanif300
Protocol: pim-sm, UpTime: 00:13:46, Expires: -
(10.110.1.2, 225.1.1.1)
RP: 2.2.2.2
Protocol: pim-sm, Flag: SPT MSDP ACT
UpTime: 00:00:42
Upstream interface: vlanif200
Upstream neighbor: 192.168.2.1
RPF prime neighbor: 192.168.2.1
Downstream interface(s) information:
Total number of downstreams: 1
1: vlanif300
Protocol: pim-sm, UpTime: 00:00:42, Expires: -
(10.110.3.2, 225.1.1.1)
RP: 2.2.2.2
Protocol: pim-sm, Flag: SPT MSDP ACT
UpTime: 00:00:42
Upstream interface: vlanif400
Upstream neighbor: 192.168.4.2
RPF prime neighbor: 192.168.4.2
Downstream interface(s) information:
Total number of downstreams: 1
1: vlanif300
Protocol: pim-sm, UpTime: 00:00:42, Expires: -

----End

Configuration Files

Configuration file of Switch A

#
sysname SwitchA
#
vlan batch 100 101
#
multicast routing-enable
#
interface Vlanif100
ip address 192.168.1.1 255.255.255.0
pim sm
#
interface Vlanif101
ip address 10.110.1.1 255.255.255.0
pim sm
#
interface GigabitEthernet0/0/1
port hybrid pvid vlan 101
port hybrid untagged vlan 101
#
interface GigabitEthernet0/0/2
port hybrid pvid vlan 100
port hybrid untagged vlan 100
#
ospf 1
area 0.0.0.0
network 192.168.1.0 0.0.0.255
network 10.110.1.0 0.0.0.255

#
return

Configuration file of Switch B


#
sysname SwitchB
#
vlan batch 100 200
#
multicast routing-enable
#
interface Vlanif100
ip address 192.168.1.2 255.255.255.0
pim sm
#
interface Vlanif200
ip address 192.168.2.1 255.255.255.0
pim sm
pim bsr-boundary
#
interface LoopBack0
ip address 1.1.1.1 255.255.255.255
pim sm
#
interface GigabitEthernet0/0/1
port hybrid pvid vlan 200
port hybrid untagged vlan 200
#
interface GigabitEthernet0/0/2
port hybrid pvid vlan 100
port hybrid untagged vlan 100
#
bgp 100
router-id 1.1.1.1
peer 192.168.2.2 as-number 200
import-route ospf 1
#
ospf 1
import-route bgp
area 0.0.0.0
network 192.168.1.0 0.0.0.255
network 1.1.1.1 0.0.0.0
#
pim
c-bsr LoopBack0
c-rp LoopBack0
#
msdp
peer 192.168.2.2 connect-interface vlanif200
#
return

Configuration file of Switch C


#
sysname SwitchC
#
vlan batch 200 300 400
#
multicast routing-enable
#
interface Vlanif200
ip address 192.168.2.2 255.255.255.0
pim sm
pim bsr-boundary
#
interface Vlanif300
ip address 192.168.3.1 255.255.255.0
pim sm
#
interface Vlanif400
ip address 192.168.4.1 255.255.255.0
pim sm
pim bsr-boundary
#
interface GigabitEthernet0/0/1
port hybrid pvid vlan 200
port hybrid untagged vlan 200
#
interface GigabitEthernet0/0/2
port hybrid pvid vlan 300
port hybrid untagged vlan 300
#
interface GigabitEthernet0/0/3
port hybrid pvid vlan 400
port hybrid untagged vlan 400
#
interface LoopBack0
ip address 2.2.2.2 255.255.255.255
pim sm
#
bgp 200
router-id 2.2.2.2
peer 192.168.2.1 as-number 100
import-route ospf 1
#
ospf 1
import-route bgp
area 0.0.0.0
network 192.168.3.0 0.0.0.255
network 192.168.4.0 0.0.0.255
network 2.2.2.2 0.0.0.0
#
pim
c-bsr LoopBack0
c-rp LoopBack0
#
msdp
peer 192.168.2.1 connect-interface vlanif200
peer 192.168.4.2 connect-interface vlanif400
#
return

Configuration file of Switch D


#
sysname SwitchD
#
vlan batch 102 300
#
multicast routing-enable
#
interface Vlanif102
ip address 10.110.2.1 255.255.255.0
pim sm
igmp enable
#
interface Vlanif300
ip address 192.168.3.2 255.255.255.0
pim sm
#
interface GigabitEthernet0/0/1
port hybrid pvid vlan 102
port hybrid untagged vlan 102
#
interface GigabitEthernet0/0/2
port hybrid pvid vlan 300
port hybrid untagged vlan 300
#
ospf 1
area 0.0.0.0
network 192.168.3.0 0.0.0.255
network 10.110.2.0 0.0.0.255
#
return

Configuration file of Switch E


#
sysname SwitchE
#
vlan batch 400 500
#
multicast routing-enable
#
interface Vlanif400
ip address 192.168.4.2 255.255.255.0
pim sm
pim bsr-boundary
#
interface Vlanif500
ip address 192.168.5.1 255.255.255.0
pim sm
#
interface GigabitEthernet0/0/2
port hybrid pvid vlan 500
port hybrid untagged vlan 500
#
interface GigabitEthernet0/0/3
port hybrid pvid vlan 400
port hybrid untagged vlan 400
#
interface LoopBack0
ip address 3.3.3.3 255.255.255.255
pim sm
#
ospf 1
area 0.0.0.0
network 192.168.4.0 0.0.0.255
network 192.168.5.0 0.0.0.255
network 3.3.3.3 0.0.0.0
#
pim
c-bsr LoopBack0
c-rp LoopBack0
#
msdp
peer 192.168.4.1 connect-interface vlanif400
#
return

Configuration file of Switch F


#
sysname SwitchF
#
vlan batch 103 500
#
multicast routing-enable
#
interface Vlanif103
ip address 10.110.3.1 255.255.255.0
pim sm
#
interface Vlanif500
ip address 192.168.5.2 255.255.255.0
pim sm
#
interface GigabitEthernet0/0/1
port hybrid pvid vlan 103
port hybrid untagged vlan 103
#
interface GigabitEthernet0/0/2
port hybrid pvid vlan 500
port hybrid untagged vlan 500
#
ospf 1
area 0.0.0.0
network 192.168.5.0 0.0.0.255
network 10.110.3.0 0.0.0.255
#
return
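An offline audit of configuration files in the format shown above, added here as an example that is not part of the AC6605 documentation or software. It parses the interface addresses and the msdp view of several switch configurations and reports peers with no MD5 password, passwords stored with the simple keyword, and peers whose remote end does not peer back or authenticates on one side only, the case that section 6.7.9 says leaves the TCP connection unable to come up. The three configurations are constructed from the Switch B, Switch C and Switch E files above with password lines added; the cipher text strings and the simple password are placeholders, not real values.

```python
"""Audit VRP-style configuration files for MSDP peering problems.

Added example, not part of the AC6605 documentation. It reads the plain-text
configuration files of several switches (the format shown under
'Configuration Files'), extracts interface addresses and the peers in the
msdp view, and reports:
  - peers with no 'password' (unauthenticated TCP session),
  - passwords entered with 'simple' (stored in plain text in the file),
  - peers whose remote end does not peer back, or authenticates on one side
    only, so the MSDP session would never be established.
"""
import re

IP_RE = re.compile(r"^ip address (\S+) \S+")
PEER_RE = re.compile(r"^peer (\S+) (connect-interface|password) (\S+)")

# Constructed configurations derived from the Switch B, C and E files above.
# 'CIPHERTEXT-*' and 'Msdp-Key1' are placeholders, not real password values.
SWITCH_B = """\
#
 sysname SwitchB
#
interface Vlanif100
 ip address 192.168.1.2 255.255.255.0
 pim sm
#
interface Vlanif200
 ip address 192.168.2.1 255.255.255.0
 pim sm
 pim bsr-boundary
#
bgp 100
 router-id 1.1.1.1
 peer 192.168.2.2 as-number 200
#
msdp
 peer 192.168.2.2 connect-interface vlanif200
 peer 192.168.2.2 password cipher CIPHERTEXT-B
#
return
"""
SWITCH_C = """\
#
 sysname SwitchC
#
interface Vlanif200
 ip address 192.168.2.2 255.255.255.0
 pim sm
 pim bsr-boundary
#
interface Vlanif400
 ip address 192.168.4.1 255.255.255.0
 pim sm
 pim bsr-boundary
#
msdp
 peer 192.168.2.1 connect-interface vlanif200
 peer 192.168.2.1 password cipher CIPHERTEXT-C
 peer 192.168.4.2 connect-interface vlanif400
#
return
"""
SWITCH_E = """\
#
 sysname SwitchE
#
interface Vlanif 400
 ip address 192.168.4.2 255.255.255.0
 pim sm
 pim bsr-boundary
#
msdp
 peer 192.168.4.1 connect-interface vlanif400
 peer 192.168.4.1 password simple Msdp-Key1
#
return
"""


def parse_config(text):
    """Return {'sysname', 'interfaces': {name: ip}, 'peers': {addr: {...}}}."""
    dev = {"sysname": None, "interfaces": {}, "peers": {}}
    view, ifname = None, None  # '#' lines end the current view
    for raw in text.splitlines():
        s = raw.strip()
        if s == "#":
            view = None
        elif s.startswith("sysname "):
            dev["sysname"] = s.split(None, 1)[1]
        elif s.startswith("interface "):
            view = "interface"
            ifname = s.split(None, 1)[1].replace(" ", "").lower()
        elif s == "msdp":
            view = "msdp"
        elif view == "interface":
            m = IP_RE.match(s)
            if m:
                dev["interfaces"][ifname] = m.group(1)
        elif view == "msdp":
            m = PEER_RE.match(s)  # 'peer ... as-number' in the bgp view is ignored
            if m:
                entry = dev["peers"].setdefault(
                    m.group(1), {"connect_interface": None, "password": None})
                if m.group(2) == "connect-interface":
                    entry["connect_interface"] = m.group(3).lower()
                else:
                    entry["password"] = m.group(3)  # 'cipher' or 'simple'
    return dev


def audit(config_texts):
    """Return human-readable findings for a set of configuration files."""
    devices = [parse_config(t) for t in config_texts]
    owner = {ip: dev for dev in devices for ip in dev["interfaces"].values()}
    findings = []
    for dev in devices:
        me = dev["sysname"]
        for addr, peer in sorted(dev["peers"].items()):
            if peer["password"] is None:
                findings.append(f"{me}: peer {addr} has no MD5 password")
            elif peer["password"] == "simple":
                findings.append(f"{me}: peer {addr} password is stored in plain text (simple)")
            local_ip = dev["interfaces"].get(peer["connect_interface"])
            remote = owner.get(addr)
            if remote is None:
                findings.append(f"{me}: peer {addr} is not an address of any supplied configuration")
                continue
            back = remote["peers"].get(local_ip)
            if back is None:
                findings.append(f"{me}: {remote['sysname']} does not peer back to {local_ip}")
            elif (back["password"] is None) != (peer["password"] is None):
                a, b = sorted([me, remote["sysname"]])
                msg = f"{a} <-> {b}: MD5 authentication is configured on one side only"
                if msg not in findings:
                    findings.append(msg)
    return findings


if __name__ == "__main__":
    for line in audit([SWITCH_B, SWITCH_C, SWITCH_E]):
        print(line)
```

The password values themselves are not compared, because the cipher text in a configuration file cannot be decoded offline; the audit only confirms that both ends have a password configured, and the live check is still display msdp brief showing the peer in the UP state after the change.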

6.8 IPv4 Multicast Routing Management

The system maintains multiple multicast routing protocols at the same time and controls multicast routing and forwarding through the information exchanged between the control plane and the forwarding plane.

6.8.1 Overview of IPv4 Multicast Routing Management

Multicast routing and forwarding maintains a protocol routing table, a multicast routing table, and a multicast forwarding table. A multicast routing protocol creates multicast routing entries through RPF.
In the AC6605, multicast routing and forwarding consist of the following three aspects:
- Each multicast routing protocol has its own routing table, such as the PIM routing table.
- The multicast routing information of each multicast routing protocol forms a general multicast routing table.
  The multicast routing table resides in the multicast route management module and is composed of (S, G) entries, where (S, G) indicates that source S sends multicast data to group G. If the multicast route management module supports multiple multicast protocols, the routing table contains the multicast routes generated by all of them. The routing entries are copied to the forwarding table.
- The multicast forwarding table controls the forwarding of multicast data packets.
  The multicast forwarding table guides the forwarding of multicast data packets and remains consistent with the multicast routing table.

To ensure that multicast data is transmitted along the correct path, multicast routing protocols use Reverse Path Forwarding (RPF) to create multicast routing entries: a multicast packet is accepted only if it arrives on the interface that the RPF route toward its source points to, and packets arriving on any other interface are discarded.
The system performs the RPF check based on the following types of routes:
- Unicast routes
  The unicast routing table collects the shortest paths to each destination.
- MBGP routes
  The MBGP routing table provides multicast routing information.
- MIGP routes
  The MIGP routing table provides routing information calculated based on the physical interfaces of the TE tunnel to guide the forwarding of multicast packets.
- Static multicast routes
  The static multicast routing table provides RPF routing information that is specified through static configuration.

6.8.2 IPv4 Multicast Routing Management Features Supported by the AC6605
The IPv4 multicast routing management features supported by the system are: static multicast routes, GRE tunnels, multicast routing policy, controlling the multicast forwarding range, controlling the capacity of the multicast forwarding table, testing multicast routes, and multicast load splitting.

Static Multicast Route

The static multicast route is an important factor in the RPF check. By configuring a static multicast route, users can specify the RPF interface and RPF neighbor for a specific source of packets on the current Switch.
The static multicast route cannot be used to forward data. It only affects the RPF check, and is therefore also called a static RPF route.
The static multicast route is valid only on the Switch on which it is configured, and cannot be advertised or imported to other Switches.

Multicast Routing Policy

If multiple unicast routes with the same cost exist when a multicast Switch selects an upstream interface, users can use one of the following methods to configure the Switch to select the RPF route:
- By default, the Switch chooses the route with the largest next-hop address.
- According to the longest match rule, the Switch selects the route whose prefix matches the source address of the packet longest.
- Load splitting is configured among equal-cost routes. Splitting multicast traffic across them according to different policies can optimize traffic transmission in a scenario where multiple multicast data flows exist.
  There are five multicast load splitting policies: stable-preferred, balance-preferred, source address-based, group address-based, and source and group address-based. The five load splitting policies are mutually exclusive. In stable-preferred and balance-preferred mode, you can configure load splitting weights on the interfaces to achieve unbalanced multicast load splitting.
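A small model of the upstream-selection rules just listed, added as an example; it is not AC6605 code and does not reproduce the device's own implementation. Given the routes that cover a source, it applies the default largest-next-hop rule, the longest-match rule, and source-, group- or source-and-group-based load splitting among equal-cost routes, so that the upstream interface and RPF neighbor shown in display pim routing-table can be predicted from the routing table. The routing table, the Route fields and the SHA-256-based hash used for splitting are assumptions for illustration; stable-preferred and balance-preferred splitting are not modelled.

```python
"""Model of the RPF upstream selection rules described in this section.

Added example, not part of the AC6605 documentation or software. Given the
routes that cover a multicast source, it applies the rules the text lists for
choosing the RPF route when several equal-cost routes exist:
  - default: the equal-cost route with the largest next-hop address,
  - longest-match: prefer the route whose prefix matches the source longest,
  - source / group / source-group load splitting: pick one equal-cost route by
    hashing the named addresses (the hash is an assumption of this example;
    the device's own hash is not documented on this page).
Stable-preferred and balance-preferred splitting are not modelled.
"""
import hashlib
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: str      # destination prefix, e.g. "10.110.0.0/16"
    cost: int        # route cost; only equal-cost routes are tie-broken
    next_hop: str    # becomes the RPF neighbor if this route wins
    interface: str   # becomes the upstream (RPF) interface if this route wins


# Constructed routing table: two equal-cost /16 routes, a more specific /24
# with the same cost, and a /24 with a worse cost.
ROUTES = [
    Route("10.110.0.0/16", 10, "192.168.9.1", "Vlanif900"),
    Route("10.110.0.0/16", 10, "192.168.1.1", "Vlanif100"),
    Route("10.110.1.0/24", 10, "192.168.3.1", "Vlanif300"),
    Route("10.110.1.0/24", 20, "192.168.5.1", "Vlanif500"),
]

SPLIT_POLICIES = ("source", "group", "source-group")


def _next_hop_value(route):
    return int(ipaddress.ip_address(route.next_hop))


def rpf_route(source, routes, policy="default", group=None):
    """Return the Route used for the RPF check of packets from `source`."""
    src = ipaddress.ip_address(source)
    cands = [r for r in routes if src in ipaddress.ip_network(r.prefix)]
    if not cands:
        return None  # no RPF route: packets from this source fail the check
    if policy == "longest-match":
        longest = max(ipaddress.ip_network(r.prefix).prefixlen for r in cands)
        cands = [r for r in cands
                 if ipaddress.ip_network(r.prefix).prefixlen == longest]
    best = min(r.cost for r in cands)
    cands = sorted((r for r in cands if r.cost == best), key=_next_hop_value)
    if policy in SPLIT_POLICIES:
        if policy != "source" and group is None:
            raise ValueError("group address required for this policy")
        key = {"source": source, "group": group,
               "source-group": f"{source},{group}"}[policy]
        digest = hashlib.sha256(key.encode()).digest()
        return cands[int.from_bytes(digest[:4], "big") % len(cands)]
    return cands[-1]  # default rule: the largest next-hop address wins


if __name__ == "__main__":
    for pol in ("default", "longest-match", "source-group"):
        r = rpf_route("10.110.1.2", ROUTES, policy=pol, group="225.1.1.1")
        print(f"{pol:14s} upstream {r.interface} via {r.next_hop}")
```

With the sample table, the default rule sends (10.110.1.2, G) up Vlanif900 because 192.168.9.1 is the largest next hop among the three cost-10 routes, while longest-match narrows the candidates to the /24 first and selects Vlanif300; the hash-based policies always pick from the same equal-cost set, so a flow never lands on the cost-20 route.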

Controlling the Multicast Forwarding Range

In a network, the multicast information corresponding to each multicast group is transmitted within a certain range. Users can define the multicast forwarding range by using the following method:
- Configuring a multicast forwarding boundary on an interface to form a closed multicast forwarding area. Multicast packets for the groups within the boundary are neither forwarded out of nor accepted through that interface.
Controlling the Capacity of a Multicast Forwarding Table

When planning a network according to the network services, the Internet Service Provider (ISP) can perform the following configurations:
- Limiting the number of entries in the multicast forwarding table
  Each Switch maintains a forwarding entry for each received multicast flow. Too many multicast forwarding entries, however, use up the memory of the Switch, and an unexpected burst of new sources or groups can create such entries without any operator action. Users can define the maximum number of entries in the multicast forwarding table of a Switch. Limiting the number of entries according to the actual networking and service performance avoids Switch faults caused by excessive entries.
- Limiting the number of downstream nodes of each forwarding entry
  A Switch replicates a multicast packet for each downstream node and then sends the copies out. Each downstream node forms a branch of the multicast distribution tree (MDT). The number of downstream nodes determines the maximum scale of the MDT and the multicast service range. Users can define the number of downstream nodes of a single forwarding entry. Limiting the number of downstream nodes according to the actual networking and service performance reduces the processing load of the Switch and controls the multicast service range.
Testing Multicast Routing

When a fault occurs on a multicast network, you can run the ping multicast and mtrace commands to test the connectivity of the network.
The ping multicast command is used to check whether a group is reachable and implements the following functions:
- Pinging a reserved group address
  This checks whether a member of the group exists in the directly connected network segment, and is not specific to multicast networks: you can ping any devices that listen on the reserved multicast address.
- Pinging a common group address
  This function is applied as follows:
  - To generate multicast traffic and trigger the creation of multicast routing entries: based on the resulting multicast routing information, you can check whether a protocol runs normally, determine whether the network can carry multicast services, or test the forwarding performance.
  - To check the members of the group in the network: based on the ICMP Echo Reply messages received from the destination hosts, the Switch on which the command is run identifies the members of the group, and calculates the response time and the TTL from the Switch to each member. You can run the command repeatedly at a certain interval to measure network delay and detect route flapping.

The mtrace command can be used to trace the following paths and output the per-hop information:
- RPF path from a source to a querier
- Multicast path from a source to a querier
- RPF path from a source to a destination host
- Multicast path from a source to a destination host

NOTE
You can ping multicast addresses by using Network Quality Analysis (NQA) test instances or the related commands. For detailed configuration of NQA test instances, refer to the chapter "NQA Configuration" in the AC6605 Access Controller Configuration Guide - Network Management.

6.8.3 Configuring a Static Multicast Route

Static multicast routes can change RPF routes and connect RPF routes.

Establishing the Configuration Task


Before configuring static multicast routes, familiarize yourself with the applicable environment,
pre-configuration tasks, and required data. This can help you complete the configuration task
quickly and accurately.

Applicable Environment
Static multicast routes have the following functions:

- Changing the RPF route

  If the multicast topology is the same as the unicast topology, the transmission path of multicast data is the same as that of unicast data. Users can change the RPF route by configuring a static multicast route, so that a transmission path for multicast data that differs from the unicast transmission path is established.

- Connecting RPF routes

  In a network segment where unicast routes are blocked, packets cannot be forwarded when no multicast static route is configured, because there is no RPF route. By configuring multicast static routes, the system can generate RPF routes, complete the RPF check, create routing entries, and guide the forwarding of packets.

Pre-configuration Tasks
Before configuring a static multicast route, complete the following tasks:

- Configuring a unicast routing protocol
- Configuring basic multicast functions

Data Preparation
To configure a static multicast route, you need the following data.

No.  Data
1    Multicast source address, mask or mask length
2    Unicast routing protocol
3    Filtering policy and its preference
4    The IP address of the RPF neighbor, the type and the number of the outgoing interface

Configuring a Static Multicast Route Function


When configuring a static multicast route, you can specify an RPF interface and an RPF neighbor
on the current multicast device.


Context

CAUTION
When configuring a static multicast route, specify the outgoing interface in the command if the next hop is reached over a point-to-point link. If the next hop is not reached over a point-to-point link, you must specify the next-hop address instead.
Do as follows on the multicast Switch:

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
ip rpf-route-static source-address { mask | mask-length } [ isis process-id | ospf
process-id | rip process-id | bgp | static ] [ route-policy route-policy-name ]
{ gateway-address | interface-type interface-number } [ preference preference ]
[ order order-number ]

A static multicast route is configured.


The parameters of the command are explained as follows:

- source-address { mask | mask-length }: specifies a source address and mask.
- isis process-id, ospf process-id, rip process-id, bgp, static: specifies that the matching route must be present in the specified unicast routing protocol; process-id specifies the ID of a process.
- route-policy route-policy-name: specifies the matching rule of the static multicast route.
- interface-type interface-number: specifies the type and the number of the outgoing interface. The outgoing interface acts as the RPF interface.
- preference preference: specifies the preference of the route. The greater the preference value is, the lower the preference is.
- order order-number: specifies the configuration order of routes on the same network segment.
----End

Checking the Configuration


After static multicast routes are configured, you can check the static multicast routing table and
RPF routing information to ensure the normal running of the multicast network.

Procedure
- Run the display multicast routing-table static [ config ] [ source-address { mask | mask-length } ] command to check the static multicast routing table.
- Run the display multicast rpf-info source-address [ group-address ] [ rpt | spt ] command to check RPF routing information of a specified multicast source.

----End

6.8.4 Configuring the Multicast Routing Policy


Configuring a multicast routing policy involves configuring the multicast Hash algorithm, configuring the longest match of the multicast route, configuring multicast load splitting, and setting a multicast load splitting weight.

Establishing the Configuration Task


Before configuring multicast routing policies, familiarize yourself with the applicable
environment, pre-configuration tasks, and required data. This can help you complete the
configuration task quickly and accurately.

Applicable Environment
If multiple equal-cost unicast routes exist when a multicast Switch selects an upstream interface, you can configure the Switch to choose the RPF route by using one of the following methods:

- By default, the Switch chooses the route with the largest next-hop address.
- According to the longest match rule, you can configure the Switch to select the route whose destination address has the longest match with the source address of the packet.
- You can configure load splitting among these routes. Performing load splitting of multicast traffic according to different policies can optimize network traffic when multiple multicast data flows exist.

When many multicast hash collisions occur, the Switch may fail to learn some multicast addresses. When this situation occurs, you can change the multicast hash algorithm to reduce hash collisions.

Pre-configuration Tasks
Before configuring the multicast routing policy, complete the following tasks:

- Configuring a unicast routing protocol
- Configuring basic multicast functions

Data Preparation
To configure the multicast routing policy, you need the following data.

No.  Data
1    The VPN instance name
2    Multicast load splitting policy
3    (Optional) Multicast load balancing timer
4    Multicast load splitting weight on the interface

Configuring Longest Match of Multicast Route


If the longest match principle is configured for route selection, a multicast device prefers the
route with the longest matched mask. If the mask lengths of multiple routes are the same, the
device selects a route as the multicast data forwarding path in the order of the static multicast
route, inter-domain unicast route, and intra-domain unicast route.

Context
By default, routes are selected in the order of routing entries.
Do as follows on the multicast Switch:

Procedure

- Public network instance

  1. Run:
     system-view

     The system view is displayed.

  2. Run:
     multicast longest-match

     Routes are selected according to the longest match.

----End
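The selection rules in 6.8.3 (a static multicast route changes the RPF route) and in this section (longest mask first, then static multicast, inter-domain unicast, intra-domain unicast order) can be made concrete with the following added Python model; it is an illustration written for this guide, not AC6605 code. The Route class, the route kinds, the select_rpf_route function and the constructed routes based on Figure 6-19 are the example's own, and the rule that a static multicast route overrides a unicast route in default mode is an assumption drawn from 6.8.3.

```python
"""Added example: model of RPF route selection for a multicast source.
Illustration written for this guide, not AC6605 code.

Rules modelled:
  * default mode: a matching static multicast route replaces the unicast
    RPF route (assumption drawn from "changing RPF route" in 6.8.3); among
    equal-cost unicast routes the largest next-hop address wins (6.8.4);
  * multicast longest-match: the route with the longest matching mask wins;
    on equal mask length the order is static multicast route, inter-domain
    unicast route, intra-domain unicast route (6.8.4).
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Preference order applied only when mask lengths are equal (longest-match mode).
KIND_RANK = {"static-multicast": 0, "unicast-inter": 1, "unicast-intra": 2}


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network     # source range covered by the route
    next_hop: ipaddress.IPv4Address   # RPF neighbor (gateway-address)
    interface: str                    # RPF interface, e.g. "vlanif40"
    kind: str                         # key of KIND_RANK
    order: int = 0                    # configuration order (order-number)


def route(prefix: str, next_hop: str, interface: str, kind: str, order: int = 0) -> Route:
    """Build a Route from strings; strict=False tolerates host bits in the prefix."""
    return Route(ipaddress.ip_network(prefix, strict=False),
                 ipaddress.ip_address(next_hop), interface, kind, order)


def candidate_routes(routes: List[Route], source: str) -> List[Route]:
    """All routes whose prefix covers the multicast source address."""
    src = ipaddress.ip_address(source)
    return [r for r in routes if src in r.prefix]


def select_rpf_route(routes: List[Route], source: str,
                     longest_match: bool = False) -> Optional[Route]:
    """Return the route used for the RPF check of `source`, or None."""
    cands = candidate_routes(routes, source)
    if not cands:
        return None
    if longest_match:
        # "multicast longest-match": longest mask, then kind, then configuration
        # order, then the largest next-hop address as a final tie-breaker.
        best_len = max(r.prefix.prefixlen for r in cands)
        cands = [r for r in cands if r.prefix.prefixlen == best_len]
        cands.sort(key=lambda r: (KIND_RANK[r.kind], r.order, -int(r.next_hop)))
        return cands[0]
    # Default mode (assumption): a static multicast route, in configuration
    # order, changes the RPF route; otherwise equal-cost unicast routes are
    # tie-broken by the largest next-hop address.
    statics = sorted((r for r in cands if r.kind == "static-multicast"),
                     key=lambda r: r.order)
    if statics:
        return statics[0]
    return max(cands, key=lambda r: int(r.next_hop))


# Constructed routes modelled on Figure 6-19: Switch B learns 8.1.1.0/24 from
# Switch A (9.1.1.1 via VLANIF 10) and has a static multicast route pointing
# to Switch C (13.1.1.2 via VLANIF 40). The /25 route is added only to show
# the effect of longest-match and is not part of the guide's example.
SWITCH_B_ROUTES = [
    route("8.1.1.0/24", "9.1.1.1", "vlanif10", "unicast-intra"),
    route("8.1.1.0/24", "13.1.1.2", "vlanif40", "static-multicast", order=1),
    route("8.1.1.0/25", "9.1.1.1", "vlanif10", "unicast-intra"),
]

if __name__ == "__main__":
    for mode in (False, True):
        r = select_rpf_route(SWITCH_B_ROUTES, "8.1.1.2", longest_match=mode)
        print(f"longest-match={mode}: RPF interface {r.interface}, neighbor {r.next_hop}")
```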

Configuring Multicast Load Splitting


Performing load splitting of multicast traffic according to different policies can optimize network
traffic transmission in the scenario where multiple multicast data flows exist. You can choose
to configure a balance-preferred or stable-preferred load splitting policy.

Context
The multicast load splitting function extends the multicast route selection rules so that they no longer depend solely on the RPF check. If multiple equal-cost optimal routes exist over the network, all of them can be used for multicast data forwarding, and multicast traffic is load split among these equal-cost routes.
By default, load splitting is not performed.
Do as follows on the multicast Switch:

Procedure

- Public network instance

  1. Run:
     system-view

     The system view is displayed.

  2. Run:
     multicast load-splitting { source | group | source-group | stable-preferred }

     Multicast load balancing is configured.

  3. (Optional) Run:
     multicast load-splitting-timer interval

     A load balancing timer is set.

----End

Configuring a Multicast Load Splitting Weight


When a load splitting policy is configured, because the forwarding capabilities of equal-cost
routes are different from the actual load bearing situation on the equal-cost routes, balanced load
splitting cannot meet network requirements in some scenarios. In such a case, you can configure
a load splitting weight on an interface to achieve unbalanced multicast load splitting.

Context
When stable-preferred or balance-preferred load splitting is configured, because the forwarding capabilities of equal-cost routes are different from the actual load bearing situation on the equal-cost routes, balanced load splitting cannot meet network requirements in some scenarios. In such a case, you can configure a load splitting weight on an interface to achieve unbalanced multicast load splitting.
Do as follows on the Switch enabled with multicast:

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
interface interface-type interface-number

The interface view is displayed.


The interface can be a VLANIF interface or a Loopback interface.
By default, the multicast load splitting weight of an interface is 1.
The greater the multicast load splitting weight of an interface, the more multicast routing entries
with this interface being the upstream interface. When the multicast load splitting weight on an
interface is 0, it indicates that the routes with this interface being the upstream interface do not
take part in load splitting.
Step 3 Run:
multicast load-splitting weight weight-value

The multicast load splitting weight is set on the interface.


----End
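As an added illustration of the load-splitting policies and the per-interface weight described in this section (written for this guide, not AC6605 code), the following Python model assigns (S, G) entries to equal-cost upstream interfaces. The hash mapping used for the source, group and source-group policies, the least-loaded rule used for stable-preferred, and the LoadSplitter class are assumptions made here; the guide states only the command syntax, the default weight of 1 and that weight 0 excludes an interface.

```python
"""Added example: model of multicast load splitting among equal-cost routes
with per-interface weights. Illustration written for this guide, not AC6605 code.

Assumptions (the guide gives only the command syntax):
  * source / group / source-group: the entry is hashed on that key and the
    hash is mapped onto a weighted slot list of eligible upstream interfaces;
  * stable-preferred: a new entry goes to the interface with the lowest
    entries-per-weight ratio, and existing entries are never moved;
  * weight 0 removes an interface from load splitting; the default weight is 1.
"""
import hashlib
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

Entry = Tuple[str, str]  # (source address, group address)


@dataclass
class UpstreamRoute:
    interface: str
    next_hop: str
    weight: int = 1                               # multicast load-splitting weight
    entries: List[Entry] = field(default_factory=list)

    def load(self) -> float:
        """Entries carried per unit of weight (only meaningful for weight > 0)."""
        return len(self.entries) / self.weight


class LoadSplitter:
    POLICIES = ("source", "group", "source-group", "stable-preferred")

    def __init__(self, routes: List[UpstreamRoute], policy: str):
        if policy not in self.POLICIES:
            raise ValueError(f"unknown load-splitting policy {policy!r}")
        self.policy = policy
        self.routes = routes
        self.assigned: Dict[Entry, str] = {}

    def eligible(self) -> List[UpstreamRoute]:
        """Weight 0 means the interface does not take part in load splitting."""
        return [r for r in self.routes if r.weight > 0]

    def _hash_pick(self, source: str, group: str, routes: List[UpstreamRoute]) -> UpstreamRoute:
        key = {"source": source, "group": group,
               "source-group": f"{source},{group}"}[self.policy]
        # Weighted slots: an interface with weight w owns w consecutive slots,
        # so it receives about w times the entries of a weight-1 interface.
        slots = [r for r in routes for _ in range(r.weight)]
        digest = hashlib.sha256(key.encode()).digest()
        return slots[int.from_bytes(digest[:4], "big") % len(slots)]

    def assign(self, source: str, group: str) -> Optional[str]:
        """Choose the upstream interface for an (S, G) entry; None if no route is eligible."""
        entry = (source, group)
        if entry in self.assigned:               # an existing entry keeps its interface
            return self.assigned[entry]
        routes = self.eligible()
        if not routes:
            return None
        if self.policy == "stable-preferred":
            chosen = min(routes, key=lambda r: (r.load(), r.interface))
        else:
            chosen = self._hash_pick(source, group, routes)
        chosen.entries.append(entry)
        self.assigned[entry] = chosen.interface
        return chosen.interface

    def distribution(self) -> Dict[str, int]:
        return {r.interface: len(r.entries) for r in self.routes}


def make_routes() -> List[UpstreamRoute]:
    """Constructed equal-cost upstream routes with unequal weights."""
    return [UpstreamRoute("vlanif10", "9.1.1.1", weight=2),
            UpstreamRoute("vlanif40", "13.1.1.2", weight=1),
            UpstreamRoute("vlanif30", "12.1.1.2", weight=0)]


def demo(policy: str, n: int = 300) -> Dict[str, int]:
    """Assign n constructed (S, G) entries and return the entries per interface."""
    splitter = LoadSplitter(make_routes(), policy)
    for i in range(n):
        splitter.assign(f"10.0.{i // 256}.{i % 256}", f"225.0.0.{1 + i % 200}")
    return splitter.distribution()


if __name__ == "__main__":
    for policy in LoadSplitter.POLICIES:
        print(policy, demo(policy))
```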

Checking the Configuration


After multicast routing policies are configured, you can check the multicast routing table and
RPF routing information to ensure normal running of the multicast network.

Procedure

- Run the following command to check the multicast routing table.

  display multicast routing-table [ group-address [ mask { group-mask | group-mask-length } ] | source-address [ mask { source-mask | source-mask-length } ] | incoming-interface { interface-type interface-number | register } | outgoing-interface { include | exclude | match } { interface-type interface-number | register | none } ] * [ outgoing-interface-number [ number ] ]

- Run the following command to check the source-specific RPF route.

  display multicast rpf-info source-address [ group-address ]

----End

6.8.5 Configuring the Multicast Forwarding Scope


Multicast information of each multicast group in a network should be transmitted within a certain range. Therefore, configuring a multicast forwarding boundary is necessary for restricting the multicast data forwarding scope.

Establishing the Configuration Task

Before configuring the multicast data forwarding scope, familiarize yourself with the applicable environment, pre-configuration tasks, and required data. This can help you complete the configuration task quickly and accurately.

Applicable Environment
Multicast information to which each multicast group corresponds is forwarded within a certain scope in the network. Users can define the multicast forwarding scope by using the following method:

- Configuring the multicast forwarding boundary to form a closed multicast forwarding area. The interface configured with a forwarding boundary of a multicast group cannot send or receive packets of the multicast group.

Pre-configuration Tasks
Before configuring the multicast forwarding scope, complete the following tasks:

- Configuring a unicast routing protocol
- Configuring basic multicast functions

Data Preparation
To configure the multicast forwarding scope, you need the following data.

No.  Data
1    Group address, mask, and mask length of the multicast forwarding boundary

Configuring the Multicast Forwarding Boundary


When an interface of a multicast device is configured with a forwarding boundary for a specified
group, the forwarding scope of multicast packets is restricted.

Context
By default, no multicast forwarding boundary is configured on the interface.
Do as follows on the multicast Switch:

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
interface interface-type interface-number

The interface view is displayed.


The interface can be a VLANIF interface or a Loopback interface.
Step 3 Run:
multicast boundary group-address { mask | mask-length }

The multicast forwarding boundary is configured.


----End

Checking the Configuration


After the multicast forwarding scope is configured, you can check information about the multicast routing table and the multicast boundary of an interface to ensure normal running of the multicast network.

Procedure

- Run the following command to check the multicast routing table.

  display multicast routing-table [ group-address [ mask { group-mask | group-mask-length } ] | source-address [ mask { source-mask | source-mask-length } ] | incoming-interface { interface-type interface-number | register } | outgoing-interface { include | exclude | match } { interface-type interface-number | register | none } ] * [ outgoing-interface-number [ number ] ]

- Run the display multicast boundary [ group-address [ mask | mask-length ] ] [ interface interface-type interface-number ] command to check information about the multicast boundary of an interface.

----End

6.8.6 Configuring Control Parameters of the Multicast Forwarding Table

During network planning, you can restrict the capacity of the forwarding table on a multicast device, such as the maximum number of entries in the multicast forwarding table and the maximum number of downstream interfaces of multicast forwarding entries. In this manner, the traffic load on the multicast device is relieved and the fault risk resulting from excessive entries can be avoided.

Establishing the Configuration Task


Before configuring control parameters for the multicast forwarding table, familiarize yourself
with the applicable environment, pre-configuration tasks, and required data. This can help you
complete the configuration task quickly and accurately.

Applicable Environment
To plan a network according to the services, the ISP needs to apply the following configuration policies:

- Limiting the number of entries in the multicast forwarding table

  Each Switch maintains a routing entry for each received multicast packet. Too many entries, however, may exhaust the memory of the Switch. In this case, you can define the maximum number of multicast routing entries. Limiting the number of entries can avoid faults in the Switch.

- Limiting the number of downstream nodes of a single entry

  Switches copy a multicast packet for each downstream node, and the downstream node sends the copy out. Each downstream node forms a branch of the multicast distribution tree. The number of downstream nodes determines the maximum scale of the multicast distribution tree and the multicast service scope. Users can define the number of downstream nodes of a single forwarding entry. Limiting the number of downstream nodes according to the actual networking and the services can reduce the load on Switches and control the multicast service scope.

Pre-configuration Tasks
Before configuring control parameters of the multicast forwarding table, complete the following tasks:

- Configuring a unicast routing protocol
- Configuring basic multicast functions

Data Preparation
To configure control parameters of the multicast forwarding table, you need the following data.

No.  Data
1    Maximum number of entries in the multicast forwarding table
2    The VPN instance name
3    Maximum number of downstream nodes of each entry in the multicast forwarding table
6 Configuration Guide - Multicast

Setting the Maximum Number of Entries in Multicast Forwarding Table


You can adjust the number of entries according to the actual networking and service performance to avoid the fault risk resulting from excessive entries.

Context
Too many multicast forwarding entries may use up the memory of a multicast device. You can
set the maximum number of entries in a multicast forwarding table of a multicast device. By
default, the maximum number supported by the system is used.
Do as follows on the multicast Switch:

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
multicast forwarding-table route-limit limit

The maximum number of entries in the multicast forwarding table is configured.

----End

Setting the Maximum Number of Downstream Nodes of Multicast Forwarding Entry

A multicast device replicates a copy of multicast packets for each downstream interface. You can set the number of downstream interfaces of a single forwarding entry and adjust it according to the actual networking and service performance to relieve the burden on the multicast device.

Context

CAUTION
This configuration becomes valid only after the reset multicast forwarding-table command is
used. Multicast services are interrupted after you run the reset multicast forwarding-table
command. So, confirm the action before you use the command.
Do as follows on the multicast Switch:

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
multicast forwarding-table downstream-limit limit

The maximum number of downstream nodes of a forwarding entry in the multicast forwarding table is configured.
The maximum number is valid only when it is smaller than the default value.
----End
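To show how route-limit and downstream-limit (this section) and the multicast forwarding boundary (6.8.5) interact, here is an added Python model of a multicast forwarding table; it is written for this guide and is not AC6605 code. The class, its method names, and the rule that an interface inside a group's boundary is rejected both as incoming and as downstream interface are the example's own assumptions; the pending-limit handling models the CAUTION above that a new downstream limit takes effect only after reset multicast forwarding-table.

```python
"""Added example: model of a multicast forwarding table with the control
parameters route-limit and downstream-limit (6.8.6) and the forwarding
boundary (6.8.5). Illustration written for this guide, not AC6605 code.

Assumptions: an interface inside a group's boundary is neither accepted as
the incoming interface nor added as a downstream interface for that group;
a new downstream-limit is stored but only applied by reset_forwarding_table(),
as the CAUTION in 6.8.6 describes.
"""
import ipaddress
from typing import Dict, List, Optional, Set, Tuple

Entry = Tuple[str, str]   # (source address, group address)


class MulticastForwardingTable:
    def __init__(self, route_limit: int, downstream_limit: int):
        self.route_limit = route_limit              # multicast forwarding-table route-limit
        self.downstream_limit = downstream_limit    # downstream-limit currently in effect
        self.pending_downstream_limit: Optional[int] = None
        self.entries: Dict[Entry, Dict] = {}        # (S, G) -> {"iif": str, "oifs": set}
        self.boundaries: Dict[str, List[ipaddress.IPv4Network]] = {}

    # --- 6.8.5: multicast boundary group-address { mask | mask-length } ---
    def set_boundary(self, interface: str, group_prefix: str) -> None:
        net = ipaddress.ip_network(group_prefix, strict=False)
        if not net.is_multicast:
            raise ValueError(f"{group_prefix} is not a multicast range")
        self.boundaries.setdefault(interface, []).append(net)

    def is_bounded(self, interface: str, group: str) -> bool:
        """True if the interface has a boundary covering this group."""
        g = ipaddress.ip_address(group)
        return any(g in net for net in self.boundaries.get(interface, []))

    # --- 6.8.6: entry limit and downstream-node limit ---
    def add_entry(self, source: str, group: str, incoming: str) -> bool:
        """Create an (S, G) entry; False if the boundary or route-limit rejects it."""
        if (source, group) in self.entries:
            return True
        if self.is_bounded(incoming, group):        # boundary blocks receiving
            return False
        if len(self.entries) >= self.route_limit:   # table is full
            return False
        self.entries[(source, group)] = {"iif": incoming, "oifs": set()}
        return True

    def add_downstream(self, source: str, group: str, interface: str) -> bool:
        """Add a downstream interface; False if rejected by boundary or downstream-limit."""
        entry = self.entries.get((source, group))
        if entry is None or interface == entry["iif"]:   # no entry, or it is the incoming interface
            return False
        if self.is_bounded(interface, group):            # boundary blocks sending
            return False
        if len(entry["oifs"]) >= self.downstream_limit:  # per-entry limit reached
            return False
        entry["oifs"].add(interface)
        return True

    def set_downstream_limit(self, limit: int) -> None:
        """Store the new limit; it takes effect only after reset_forwarding_table()."""
        self.pending_downstream_limit = limit

    def reset_forwarding_table(self) -> None:
        """Models 'reset multicast forwarding-table all': entries are dropped and
        multicast traffic is interrupted until they are recreated."""
        if self.pending_downstream_limit is not None:
            self.downstream_limit = self.pending_downstream_limit
            self.pending_downstream_limit = None
        self.entries.clear()

    def outgoing_interfaces(self, source: str, group: str) -> Set[str]:
        return set(self.entries.get((source, group), {}).get("oifs", set()))


if __name__ == "__main__":
    # Constructed scenario: small limits so that each rejection is visible.
    table = MulticastForwardingTable(route_limit=2, downstream_limit=2)
    table.set_boundary("vlanif50", "239.0.0.0/8")
    print(table.add_entry("8.1.1.2", "225.0.0.1", "vlanif10"))
    print(table.add_downstream("8.1.1.2", "225.0.0.1", "vlanif40"))
    print(table.add_downstream("8.1.1.2", "225.0.0.1", "vlanif30"))
    print(table.add_downstream("8.1.1.2", "225.0.0.1", "vlanif20"))   # over downstream-limit
    print(table.add_entry("8.1.1.2", "239.1.1.1", "vlanif50"))          # inside boundary
```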

Checking the Configuration


After control parameters for the multicast forwarding table are configured, you can check
information about the multicast routing table to ensure normal running of the multicast network.

Procedure

- Run the display multicast forwarding-table [ group-address [ mask { group-mask | group-mask-length } ] | source-address [ mask { source-mask | source-mask-length } ] | incoming-interface { interface-type interface-number | register } | outgoing-interface { include | exclude | match } { interface-type interface-number | register | none } | statistics ] * command to check the multicast forwarding table.

----End

6.8.7 Maintaining the Multicast Policy


Maintaining IPv4 multicast routing management involves testing multicast routing, checking
the RPF path and multicast path, clearing multicast forwarding and routing entries, and
monitoring multicast routing and forwarding.

Testing Multicast Routing


This section describes how to use the ping multicast command to detect whether a network can carry multicast services.

Context
When a link fault occurs in multicast data transmission, run the following commands to check
the members of a reserved multicast group on the network segment, or generate the common
group traffic and trigger the setup of the distribution tree.

Procedure
Step 1 Run the ping multicast [ -i interface-type interface-number | -c count | -h ttl-value | -m time | -p pattern | -q | -s packetsize | -t timeout | -tos tos-value | -v ] * host command to ping a reserved group address.
The preceding ping multicast command contains only a part of the parameters. For descriptions of the parameters of this command, refer to the AC6605 Access Controller - Command Reference.
<Quidway> ping multicast -i vlanif 10 224.0.0.5
MULTICAST PING 224.0.0.5 : 56 data bytes, press Ctrl+C to break
Reply from 110.1.1.5 : bytes=56 Sequence=1 TTL=255 time = 30ms
Reply from 110.1.1.5 : bytes=56 Sequence=1 TTL =255 time = 10ms
Request time out
Reply from 110.1.1.5 : bytes=56 Sequence=1 TTL =255 time = 20ms
Reply from 110.1.1.5 : bytes=56 Sequence=1 TTL =255 time = 10ms
Destination multicast address 224.0.0.5
--- Multicast ping statistics ---
5 Request packet(s) transmitted
4 Reply packet(s) received
20.00% packet loss
Round-trip min/avg/max = 10/14/30 ms

Step 2 Run the ping multicast [ -c count | -h ttl-value | -m time | -p pattern | -q | -s packetsize | -t timeout | -tos tos-value | -v ] * host command to ping a common group address.
The preceding ping multicast command contains only a part of the parameters. For descriptions of the parameters of this command, refer to the AC6605 Access Controller - Command Reference.
The ping multicast command output includes the following information:

- Response to each ping multicast message: If an echo reply message is not received before the corresponding timer expires, the message "Request time out" is displayed; if an echo reply message is received, the data bytes, message sequence number, time to live (TTL), and response time are displayed.
- Final statistics: include the number of packets sent and response packets received, the percentage of failed responses, and the minimum, maximum and average response time.

<Quidway> ping multicast 225.0.0.1
MULTICAST PING 225.0.0.1 : 56 data bytes, press Ctrl+C to break
Reply from 110.1.1.2 : bytes=56 Sequence=1 TTL =252 time = 10ms
Reply from 120.1.1.2 : bytes=56 Sequence=1 TTL =250 time = 30ms
Reply from 110.1.1.2 : bytes=56 Sequence=1 TTL =252 time = 10ms
Reply from 120.1.1.2 : bytes=56 Sequence=1 TTL =250 time = 30ms
Reply from 110.1.1.2 : bytes=56 Sequence=1 TTL =252 time = 20ms
Reply from 120.1.1.2 : bytes=56 Sequence=1 TTL =250 time = 30ms
Reply from 110.1.1.2 : bytes=56 Sequence=1 TTL =252 time = 10ms
Reply from 120.1.1.2 : bytes=56 Sequence=1 TTL =250 time = 40ms
Reply from 110.1.1.2 : bytes=56 Sequence=1 TTL =252 time = 10ms
Reply from 120.1.1.2 : bytes=56 Sequence=1 TTL =250 time = 30ms
Destination multicast address 225.0.0.1
--- Multicast ping statistics ---
5 Request packet(s) transmitted
10 Reply packet(s) received
0% packet loss
Round-trip min/avg/max = 10/22/40 ms

----End

Check RPF Paths and Multicast Paths


This section describes how to monitor a multicast path or reverse path forwarding (RPF) path
from the multicast source to the querier or destination host on a specified multicast network, and
display hop-by-hop information.

Context
If a fault occurs in multicast data transmission, run the following commands to trace traffic paths,
collect traffic data, and locate faulty nodes. The following commands can trace four types of
traffic paths: the RPF path from the multicast source to the current router, the multicast path
from the multicast source to the current router, the RPF path from the multicast source to the
destination host, and the multicast path from the multicast source to the destination host.


Procedure
Step 1 Run the mtrace [ -l [ stat-times ] [ -st stat-int ] | -m max-ttl | -mr | -q nqueries | -tr ttl | -ts ttl | -ur resp-dest | -v | -w timeout ] * source source-address command to monitor the RPF path from the multicast source to the querier.
Step 2 Run the mtrace -g group [ -l [ stat-times ] [ -st stat-int ] | -m max-ttl | -mr | -q nqueries | -tr ttl | -ts ttl | -ur resp-dest | -v | -w timeout ] * source source-address command to monitor the multicast path from the multicast source to the querier.
Step 3 Run the mtrace { -gw last-hop-router | -d } -r receiver [ -a source-ip-address | -l [ stat-times ] [ -st stat-int ] | -m max-ttl | -mr | -q nqueries | -tr ttl | -ts ttl | -ur resp-dest | -v | -w timeout ] * source source-address command to monitor the RPF path from the multicast source to the destination host.
Step 4 Run the mtrace { -gw last-hop-router | -b | -d } -r receiver -g group [ -a source-ip-address | -l [ stat-times ] [ -st stat-int ] | -m max-ttl | -mr | -q nqueries | -tr ttl | -ts ttl | -ur resp-dest | -v | -w timeout ] * source source-address command to monitor the multicast path from the multicast source to the destination host.
The preceding mtrace command contains only a part of the parameters. For descriptions of the parameters of this command, refer to the AC6605 Access Controller - Command Reference.
----End
----End

Clearing Multicast Routing and Forwarding Entries


After you confirm to clear multicast forwarding and routing entries, use the reset command in
the user view.

Procedure

- Run the following commands to clear the forwarding entries in the multicast forwarding table.
  reset multicast forwarding-table all
  reset multicast forwarding-table { group-address [ mask { group-mask | group-mask-length } ] | source-address [ mask { source-mask | source-mask-length } ] | incoming-interface { interface-type interface-number | register } } *

- Run the following commands to clear the routing entries in the multicast routing table.
  reset multicast routing-table all
  reset multicast routing-table { group-address [ mask { group-mask | group-mask-length } ] | source-address [ mask { source-mask | source-mask-length } ] | incoming-interface { interface-type interface-number | register } } *

----End

Monitoring the Status of Multicast Routing and Forwarding


During the routine maintenance of IPv4 multicast routing management, you can run the display
commands in any view to know the running of the multicast forwarding table and routing table.


Context
In routine maintenance, you can run the following commands in any view to check the status of
multicast routing and forwarding.

Procedure

- Run the display multicast boundary [ group-address [ mask | mask-length ] ] [ interface interface-type interface-number ] command in any view to check the multicast boundary configured on an interface.

- Run the display multicast forwarding-table [ group-address [ mask { group-mask | group-mask-length } ] | source-address [ mask { source-mask | source-mask-length } ] | incoming-interface { interface-type interface-number | register } | outgoing-interface { include | exclude | match } { interface-type interface-number | register | none } | statistics ] * command in any view to check the multicast forwarding table.

- Run the following command in any view to check the multicast routing table.
  display multicast routing-table [ group-address [ mask { group-mask | group-mask-length } ] | source-address [ mask { source-mask | source-mask-length } ] | incoming-interface { interface-type interface-number | register } | outgoing-interface { include | exclude | match } { interface-type interface-number | register | none } ] * [ outgoing-interface-number [ number ] ]

- Run the display multicast routing-table static [ config ] [ source-address { mask-length | mask } ] command in any view to check the static multicast routing table.

- Run the display multicast rpf-info source-address [ group-address ] [ rpt | spt ] command in any view to check the RPF routing information.

----End

Debugging Multicast Routing and Forwarding


When a fault occurs during IPv4 multicast routing management, run the debugging commands
in the user view and locate the fault based on the debugging information. Debugging affects the
performance of the system. So, after debugging, disable it immediately.

Context

CAUTION
Debugging affects the performance of the system. After debugging, run the undo debugging
all command to disable it immediately.
When a fault occurs when multicast is enabled, run the following debugging commands in the
user view to debug multicast routes and to locate the fault.

Procedure

- Run the following commands in the user view to enable the debugging of multicast forwarding.
  debugging mfib all
  debugging mfib { no-cache | module | packet | register | route | sync | upcall | wrong-iif } [ advanced-acl-number ]

- Run the debugging mrm { all | event | packet [ advanced-acl-number ] | route [ advanced-acl-number ] } command in the user view to enable the debugging of multicast routing management.

----End

6.8.8 Configuration Examples


Examples for configuring static multicast routes and multicast load splitting are provided.

Example for Changing Static Multicast Routes to RPF Routes


Networking Requirements
As shown in Figure 6-19, PIM-DM runs on the network and all the switches support multicast.
The receiver can receive information from the multicast source. Switch A, Switch B, and Switch
C run OSPF. You need to configure a static multicast route to make the multicast path from the
source to the receiver different from the unicast path from the source to the receiver.
Figure 6-19 Networking diagram for changing static multicast routes to RPF routes

[Figure 6-19, not reproduced: Switch A, Switch B and Switch C run PIM-DM; the Source (8.1.1.2/24) is attached to Switch A and the Receiver (7.1.1.2/24) to Switch B; the multicast static route on Switch B points to Switch C. Interface assignments are listed in the following table.]

Switch    Physical interface  VLANIF interface  IP address
Switch A  GE 0/0/1            VLANIF 10         9.1.1.1/24
Switch A  GE 0/0/2            VLANIF 20         8.1.1.1/24
Switch A  GE 0/0/3            VLANIF 30         12.1.1.1/24
Switch B  GE 0/0/1            VLANIF 10         9.1.1.2/24
Switch B  GE 0/0/2            VLANIF 40         13.1.1.1/24
Switch B  GE 0/0/3            VLANIF 50         7.1.1.1/24
Switch C  GE 0/0/2            VLANIF 40         13.1.1.2/24
Switch C  GE 0/0/3            VLANIF 30         12.1.1.2/24

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure the IP addresses of interfaces and the unicast routing protocol on each switch.
2. Enable the multicast function on all switches, PIM-DM on all interfaces, and IGMP on the interfaces at the host side.
3. Configure static multicast RPF routes on Switch B, and configure Switch C as the RPF neighbor.
Data Preparation
To complete the configuration, you need the following data:
l IP address of the source
l Outgoing interface of the route from Switch B to Switch C: VLANIF 40

NOTE
This configuration example describes only the commands used to configure static multicast routes.

Procedure
Step 1 Configure the IP addresses of interfaces and the unicast routing protocol on each switch.
# Configure the IP addresses and masks on the interfaces on each switch according to Figure
6-19. IP addresses must be configured on the VLANIF interfaces. OSPF runs between Switch
A, Switch B and Switch C, and the switches can update routes among them through the unicast
routing protocol. The configuration procedure is not provided here.
Step 2 Enable multicast on all switches and PIM-DM on all interfaces.
# Enable multicast on all switches, and PIM-DM on all interfaces. Enable the IGMP function on
the interfaces at the host side. The configurations of the other switches are similar to the configuration
of Switch B, and are not provided here.
[SwitchB] multicast routing-enable
[SwitchB] interface vlanif 10
[SwitchB-Vlanif10] pim dm
[SwitchB-Vlanif10] quit
[SwitchB] interface vlanif 40
[SwitchB-Vlanif40] pim dm
[SwitchB-Vlanif40] quit
[SwitchB] interface vlanif 50
[SwitchB-Vlanif50] pim dm
[SwitchB-Vlanif50] igmp enable
[SwitchB-Vlanif50] quit

# Run the display multicast rpf-info command on Switch B to view the RPF information of
the source. The RPF routes are unicast routes, and the RPF neighbor is Switch A. The following
information is displayed:

[SwitchB] display multicast rpf-info 8.1.1.2


VPN-Instance: public net
RPF information about source 8.1.1.2:
RPF interface: vlanif10, RPF neighbor: 9.1.1.1
Referenced route/mask: 8.1.1.0/24
Referenced route type: unicast
Route selection rule: preference-preferred
Load splitting rule: disable

Step 3 Configure the static multicast route.


# Configure a static multicast RPF route on Switch B, and configure Switch C as the RPF
neighbor.
[SwitchB] ip rpf-route-static 8.1.1.0 255.255.255.0 13.1.1.2

Step 4 Verify the configuration.


# Run the display multicast rpf-info command on Switch B to view the RPF information of
the source. The RPF information is as follows. The RPF routes and the RPF neighbor are updated
according to the static multicast route.
[SwitchB] display multicast rpf-info 8.1.1.2
VPN-Instance: public net
RPF information about source 8.1.1.2:
RPF interface: vlanif40, RPF neighbor: 13.1.1.2
Referenced route/mask: 8.1.1.0/24
Referenced route type: mstatic
Route selection rule: preference-preferred
Load splitting rule: disable

----End
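The RPF selection shown in Steps 2 to 4 can be modelled in a few lines. The following Python is an added illustration, not Huawei code or device output: it holds Switch B's connected subnets and unicast routes from the example above, resolves the RPF interface and neighbor for source 8.1.1.2 before and after ip rpf-route-static 8.1.1.0 255.255.255.0 13.1.1.2, and applies the RPF check that makes a switch drop multicast packets arriving on any interface other than the RPF interface. It assumes that a matching static multicast route is preferred over the unicast route (which is what the display output shows) and that the 12.1.1.0/24 entry is an OSPF-learned route; both are assumptions of the model.

```python
"""Model of the RPF selection shown in Steps 2 to 4 above (added example)."""
import ipaddress

# Switch B's directly connected subnets, taken from the interface table above.
CONNECTED = {
    "vlanif10": ipaddress.ip_network("9.1.1.0/24"),
    "vlanif40": ipaddress.ip_network("13.1.1.0/24"),
    "vlanif50": ipaddress.ip_network("7.1.1.0/24"),
}

# Unicast routes Switch B learns through OSPF: prefix -> next hop. The
# 8.1.1.0/24 entry matches the Step 2 display output; 12.1.1.0/24 is assumed.
UNICAST = {
    ipaddress.ip_network("8.1.1.0/24"): "9.1.1.1",
    ipaddress.ip_network("12.1.1.0/24"): "9.1.1.1",
}


def outgoing_interface(next_hop):
    """Resolve a next-hop address to the connected VLANIF that reaches it."""
    nh = ipaddress.ip_address(next_hop)
    for ifname, subnet in CONNECTED.items():
        if nh in subnet:
            return ifname
    raise ValueError(f"next hop {next_hop} is not on a connected subnet")


def add_static_rpf_route(mstatic, prefix, mask, next_hop):
    """Equivalent of: ip rpf-route-static <prefix> <mask> <next-hop>."""
    mstatic[ipaddress.ip_network(f"{prefix}/{mask}")] = next_hop


def rpf_lookup(source, mstatic):
    """Return (rpf_interface, rpf_neighbor, route_type) for a source address.

    Modelling assumption (matches the display output above): a matching
    static multicast route is preferred over the unicast route; within a
    table the longest prefix wins.
    """
    src = ipaddress.ip_address(source)
    for route_type, table in (("mstatic", mstatic), ("unicast", UNICAST)):
        hits = [(net, nh) for net, nh in table.items() if src in net]
        if hits:
            net, nh = max(hits, key=lambda hit: hit[0].prefixlen)
            return outgoing_interface(nh), nh, route_type
    return None


def rpf_check(source, in_interface, mstatic):
    """RPF check: a multicast packet from `source` is accepted only when it
    arrives on the RPF interface. Packets on any other interface are dropped,
    which is what keeps looped or injected copies from being forwarded."""
    result = rpf_lookup(source, mstatic)
    return result is not None and result[0] == in_interface


if __name__ == "__main__":
    routes = {}
    print("Step 2:", rpf_lookup("8.1.1.2", routes))      # unicast via Switch A
    add_static_rpf_route(routes, "8.1.1.0", "255.255.255.0", "13.1.1.2")
    print("Step 4:", rpf_lookup("8.1.1.2", routes))      # mstatic via Switch C
    print("from vlanif10 accepted:", rpf_check("8.1.1.2", "vlanif10", routes))
```

Run the file to print the two lookups. The point of rpf_check is the defensive one: once the static route points at Switch C, a copy of the same stream arriving from Switch A on VLANIF 10 fails the check and is not forwarded, so changing the RPF route also changes which upstream neighbour the switch trusts for that source.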

Configuration Files
l Configuration file of Switch A


#
sysname SwitchA
#
vlan batch 10 20 30
#
multicast routing-enable
#
interface Vlanif10
ip address 9.1.1.1 255.255.255.0
pim dm
#
interface Vlanif20
ip address 8.1.1.1 255.255.255.0
pim dm
#
interface Vlanif30
ip address 12.1.1.1 255.255.255.0
pim dm
#
interface GigabitEthernet0/0/1
port hybrid pvid vlan 10
port hybrid untagged vlan 10
#
interface GigabitEthernet0/0/2
port hybrid pvid vlan 20
port hybrid untagged vlan 20
#
interface GigabitEthernet0/0/3
port hybrid pvid vlan 30
port hybrid untagged vlan 30
#


ospf 1
area 0.0.0.0
network 8.1.1.0 0.0.0.255
network 9.1.1.0 0.0.0.255
network 12.1.1.0 0.0.0.255
#
return

l Configuration file of Switch B


#
sysname SwitchB
#
vlan batch 10 40 50
#
multicast routing-enable
#
interface Vlanif10
ip address 9.1.1.2 255.255.255.0
pim dm
#
interface Vlanif40
ip address 13.1.1.1 255.255.255.0
pim dm
#
interface Vlanif50
ip address 7.1.1.1 255.255.255.0
pim dm
igmp enable
#
interface GigabitEthernet0/0/1
port hybrid pvid vlan 10
port hybrid untagged vlan 10
#
interface GigabitEthernet0/0/2
port hybrid pvid vlan 40
port hybrid untagged vlan 40
#
interface GigabitEthernet0/0/3
port hybrid pvid vlan 50
port hybrid untagged vlan 50
#
ospf 1
area 0.0.0.0
network 7.1.1.0 0.0.0.255
network 9.1.1.0 0.0.0.255
network 13.1.1.0 0.0.0.255
#
ip rpf-route-static 8.1.1.0 255.255.255.0 13.1.1.2
#
return

l Configuration file of Switch C


#
sysname SwitchC
#
vlan batch 30 40
#
multicast routing-enable
#
interface Vlanif30
ip address 12.1.1.2 255.255.255.0
pim dm
#
interface Vlanif40
ip address 13.1.1.2 255.255.255.0
pim dm
#
interface GigabitEthernet0/0/2
port hybrid pvid vlan 40
port hybrid untagged vlan 40


#
interface GigabitEthernet0/0/3
port hybrid pvid vlan 30
port hybrid untagged vlan 30
#
ospf 1
area 0.0.0.0
network 12.1.1.0 0.0.0.255
network 13.1.1.0 0.0.0.255
#
return


7 Configuration Guide - QoS

About This Chapter

This chapter describes the QoS features of the AC6605, including class-based QoS, traffic
policing, traffic shaping, congestion avoidance, and congestion management. For each feature it
gives a function introduction, configuration methods, maintenance procedures, and configuration
examples, and explains the environments in which the feature applies.
7.1 Class-based QoS Configuration
This chapter describes the basic concepts of class-based quality of service (QoS), including the
traffic classifier, traffic behavior, traffic policy, and priority mapping. It also describes
configuration methods and provides configuration examples of the traffic policy based on
complex traffic classification.
7.2 Traffic Policing and Traffic Shaping Configuration
This chapter describes the basic concepts of traffic policing and traffic shaping. It also describes
how to configure traffic policing based on a traffic classifier and how to configure traffic
shaping, and provides configuration examples.
7.3 Congestion Avoidance and Congestion Management Configuration
This chapter describes the basic concepts of congestion avoidance and congestion management.
It also describes configuration methods and provides configuration examples of congestion
avoidance and congestion management.


7.1 Class-based QoS Configuration


This chapter describes the basic concepts of class-based quality of service (QoS), including the
traffic classifier, traffic behavior, traffic policy, and priority mapping. It also describes
configuration methods and provides configuration examples of the traffic policy based on
complex traffic classification.

7.1.1 Introduction to Class-based QoS


Class-based QoS is used to classify packets sharing common features into one class and provide
the same QoS service for traffic of the same type by matching packets with certain rules. In this
manner, differentiated services are provided.

7.1.2 Class-based QoS Features Supported by the AC6605


The AC6605 supports complex traffic classification, and priority mapping.

Complex Traffic Classification


Complex traffic classification is performed based on Layer 2 or Layer 3 information in packets
or by using access control lists (ACLs). You can bind a traffic classifier to a traffic behavior to
process packets matching the traffic classifier.
A traffic behavior is related to the current phase of packets and the current network load. For
example, when packets enter a node, the AC6605 performs traffic policing and access control
based on the committed information rate (CIR). When packets leave a node, the AC6605 shapes
the traffic and re-marks the priorities.
Complex traffic classification is based on the following:
l 802.1p priority in VLAN packets
l VLAN ID in packets
l Inbound or outbound interface
l IP precedence in IP packets
l DSCP priority in IP packets
l SYN Flag field in Transmission Control Protocol (TCP) packets
l Source MAC address
l Destination MAC address
l Protocol type field encapsulated in Layer 2 packets
l Layer 3 protocol type
l ACL

Priority Mapping
Different packets carry different precedence fields. For example, VLAN packets carry the 802.1p
field, and IP packets carry the DSCP field or IP precedence. The mappings between priority
fields must be configured on gateways to retain priorities of packets when the packets traverse
different networks.

To ensure QoS for different packets, the AC6605 maps packet priorities or the default 802.1p
priority of an interface to local priorities. The AC6605 then determines the queues that packets
enter based on the mappings between internal priorities and queues. It then performs traffic
shaping, congestion avoidance, and queue scheduling. In addition, the AC6605 can re-mark
priorities of outgoing packets so that the downstream device can provide differentiated QoS
based on packet priorities.
Table 7-1 shows the mappings between internal priorities and queues.
Table 7-1 Mappings between internal priorities and queues
Internal Priority | Queue Index
BE                |
AF1               |
AF2               |
AF3               |
AF4               |
EF                |
CS6               |
CS7               |

NOTE
A color is used to determine whether the packets are discarded, and is independent of the mappings between
internal priorities and queues.

Traffic Behavior
Complex traffic classification is required to provide differentiated services. Complex traffic
classification takes effect only when it is associated with a traffic control action or a resource
allocation action.
The AC6605 provides the following traffic behaviors based on complex traffic classification:
l Deny/Permit
The permit/deny action is the simplest traffic control action. The AC6605 controls network
traffic by forwarding or discarding packets.
l Re-marking
Re-marking refers to the action taken to set the precedence field in a packet. Packets carry
different precedence fields on various networks. For example, packets carry the 802.1p
field in a VLAN and the DSCP field on an IP network. Therefore, the AC6605 is required
to mark precedence fields of packets based on the network type.
Generally, a device at the border of a network needs to re-mark the precedence fields of
incoming packets. The device at the core of a network provides corresponding QoS services
based on precedence fields marked by the border device, or it re-marks the precedence
fields based on its configuration rule.


l Redirection
This traffic control action redirects packets to the CPU, the specified interface, or the
specified next hop address. The AC6605 does not forward packets based on the destination
IP address. The AC6605 can specify a maximum of four next hops.
By using redirection, you can implement policy-based routing (PBR). The policy-based
route is a static route. When the next hop is unavailable, the AC6605 forwards packets
based on the original forwarding path.
The AC6605 can redirect only incoming packets.
l Traffic policing
This traffic control action limits the volume of traffic and the resources it consumes by
monitoring the traffic rate. By using traffic policing, the AC6605 can discard packets whose
rate exceeds the rate limit, or re-mark their colors and CoS.
Here, traffic policing based on traffic classification is implemented. For details about traffic
policing, see 7.2 Traffic Policing and Traffic Shaping Configuration.
l Flow mirroring
This traffic control action copies the specified data packets to a specified destination to
detect and troubleshoot faults on a network.
For details about flow mirroring, see Mirroring in the AC6605 Access Controller
Configuration Guide - Device Management.
l Traffic statistics
This traffic control action counts the data packets matching defined complex traffic
classification rules on the AC6605.

Traffic Policy
A traffic policy is a QoS policy configured by binding traffic classifiers to traffic behaviors. You
can associate a traffic classifier with a traffic behavior in a traffic policy.

7.1.3 Creating a Traffic Policy Based on Complex Traffic Classification
After the traffic policy based on complex traffic classification is configured, the AC6605
classifies packets according to the priority of packets and quintuple information. Then the
AC6605 takes different traffic actions for packets matching classification conditions, such as
permit/deny, re-marking, and redirection.

Establishing the Configuration Task


Before configuring the traffic policy based on complex traffic classification, familiarize yourself
with the applicable environment, complete the pre-configuration tasks, and obtain the required
data. This helps you complete the configuration task quickly and accurately.

Applicable Environment
At the ingress of a network, the AC6605 functions as a border node. To limit the incoming traffic
on a network, the AC6605 can provide differentiated services for various services according to
the DSCP field, protocol type, IP address, port number, fragmentation type, and time range of
packets. In this case, you need to create a traffic policy based on complex traffic classification.

Generally, complex traffic classification is configured on a border node.

Pre-configuration Tasks
Before creating a traffic policy based on complex traffic classification, complete the following
tasks:
l Configuring the physical parameters of interfaces
l Setting link layer attributes of interfaces
l Configuring routing protocols to ensure the connectivity of the network
l Configuring ACLs if ACLs are used as matching rules for traffic classification

Data Preparation
To create a traffic policy based on complex traffic classification, you need the following data.
No. | Data
1   | Name of the traffic classifier and matching rules of the traffic classifier
2   | Name of the traffic behavior and related parameters
3   | Name of the traffic policy
4   | Interface that the traffic policy is applied to

Configuring Complex Traffic Classification


The AC6605 can classify traffic according to the ACL, and the Layer 2 information and Layer
3 information in packets.

Creating a Traffic Classifier Based on Layer 2 Information


After traffic classification based on Layer 2 information is configured, the AC6605 classifies
packets based on the Layer 2 information including the 802.1p priority, VLAN ID, source/
destination MAC address, incoming/outgoing interface, and Layer 2 protocol type.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
traffic classifier classifier-name [ operator { and | or } ]

A traffic classifier based on Layer 2 information is created and the traffic classifier view is
displayed.
The and parameter indicates that the relationship between rules in a traffic classifier is "AND".
That is, the packets match a traffic classifier only when the packets match all non-ACL rules
and an ACL rule in the traffic classifier. The or parameter indicates that the relationship between
rules in a traffic classifier is "OR". That is, the packets match a traffic classifier when the packets
match a rule in the traffic classifier.
By default, the relationship between rules in a traffic classifier is AND.
Step 3 Run the following commands as required.
l To define matching rules based on the 802.1p priority of packets in a VLAN, run:
if-match 8021p { 8021p-value } &<1-8>
l To define matching rules based on the destination MAC address, run:
if-match destination-mac mac-address [ mac-address-mask ]
l To define matching rules based on the source MAC address, run:
if-match source-mac mac-address [ mac-address-mask ]
l To define matching rules based on the incoming interface, run:
if-match inbound-interface interface-type interface-number
l To define matching rules based on the protocol field in the Ethernet frame header, run:
if-match l2-protocol { arp | ip | mpls | rarp | protocol-value }
l To define matching rules based on all the packets, run:
if-match any

----End

Creating a Traffic Classifier Based on Layer 3 Information


After traffic classification based on Layer 3 information is configured, the AC6605 classifies
packets according to Layer 3 information in packets.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
traffic classifier classifier-name [ operator { and | or } ]

A traffic classifier based on Layer 3 information is created and the traffic classifier view is
displayed.
The and parameter indicates that the relationship between rules in a traffic classifier is AND.
That is, the packets match a traffic classifier only when the packets match all non-ACL rules
and an ACL rule in the traffic classifier. The or parameter indicates that the relationship between
rules in a traffic classifier is OR. That is, the packets match a traffic classifier when the packets
match a rule in the traffic classifier.
By default, the relationship between rules in a traffic classifier is AND.
Step 3 Run the following commands as required.
l To define matching rules based on the DSCP priority of IP packets, run:
if-match dscp dscp-value &<1-8>
l To define matching rules based on the IP precedence of IP packets, run:
if-match ip-precedence ip-precedence-value &<1-8>

NOTE
In a traffic classifier where the relationship between rules is AND, the if-match dscp and if-match ip-precedence commands cannot be used simultaneously.

l To define matching rules based on the Layer 3 protocol type, run:
if-match protocol ip
l To define matching rules based on the SYN Flag field of TCP packets, run:
if-match tcp syn-flag { ack | fin | psh | rst | syn | urg }

----End

Creating a Traffic Classifier Based on an ACL


After traffic classification based on an ACL is configured, the AC6605 classifies packets based
on the ACL.

Context
The AC6605 can use an ACL to classify packets based on the IP quintuple.
The AC6605 supports basic ACLs, Layer 2 ACLs, and advanced ACLs:
l Basic ACLs are used to classify data packets based on the source IP address, fragmentation
flag, and time segment of packets.
l Advanced ACLs are used to classify and define data packets based on the source IP address,
destination IP address, source port number, destination port number, fragmentation flag,
time segment, and protocol type of packets.
l Layer 2 ACLs are used to classify data packets based on the source MAC address and
destination MAC address of packets.

Procedure
l Creating a traffic classifier based on a basic ACL
1. Run:
system-view

The system view is displayed.
2. Run:
acl [ number ] basic-acl-number

A basic ACL is created and the ACL view is displayed.
3. (Optional) Run:
step step-value

The step value between ACL rule IDs is set.
4. Run:
rule [ rule-id ] { deny | permit } [ fragment | logging | source { source-address source-wildcard | any } | time-range time-name ]*

A basic ACL4 rule is created.
5. Run:
quit

Return to the system view.
6. Run:
traffic classifier classifier-name [ operator { and | or } ]

A traffic classifier is created and the traffic classifier view is displayed.
The and parameter indicates that the relationship between rules in a traffic classifier
is AND. That is, packets match a traffic classifier only when the packets match all
non-ACL rules and an ACL rule in the traffic classifier. The or parameter indicates
that the relationship between rules in a traffic classifier is OR. That is, packets match
a traffic classifier when the packets match a rule in the traffic classifier.
By default, the relationship between rules in a traffic classifier is AND.
7. Run:
if-match acl basic-acl-number

A traffic classifier based on a basic ACL is created.


l Creating a traffic classifier based on an advanced ACL
1. Run:
system-view

The system view is displayed.
2. Run:
acl [ number ] advanced-acl-number

An advanced ACL is created and the ACL view is displayed.

NOTE
advanced-acl-number specifies the number of an advanced ACL. The value is an integer that
ranges from 3000 to 3999.

3. Run the following commands as required.
To define an advanced ACL for Generic Routing Encapsulation (GRE), Internet
Group Management Protocol (IGMP), IP, IPinIP, or Open Shortest Path First
(OSPF) packets, run:
rule [ rule-id ] { deny | permit } { protocol-number | gre | igmp | ip | ipinip | ospf } [ tos tos ] [ destination { destination-address destination-wildcard | any } | dscp dscp | fragment | logging | precedence precedence | source { source-address source-wildcard | any } | time-range time-name ]*
To define an advanced ACL for Transmission Control Protocol (TCP) packets, run:
rule [ rule-id ] { deny | permit } { protocol-number | tcp } [ tos tos ] [ destination { destination-address destination-wildcard | any } | destination-port { eq | gt | lt | range } port | dscp dscp | fragment | precedence precedence | source { source-address source-wildcard | any } | source-port { eq | gt | lt | range } port | tcp-flag { tcp-value | ack | fin | psh | rst | syn | urg } * | time-range time-name ]*
To define an advanced ACL for User Datagram Protocol (UDP) packets, run:
rule [ rule-id ] { deny | permit } { protocol-number | udp } [ tos tos ] [ destination { destination-address destination-wildcard | any } | destination-port { eq | gt | lt | range } port | dscp dscp | fragment | logging | precedence precedence | source { source-address source-wildcard | any } | source-port { eq | gt | lt | range } port | time-range time-name ]*
To define an advanced ACL for Internet Control Message Protocol (ICMP) packets, run:
rule [ rule-id ] { deny | permit } { protocol-number | icmp } [ tos tos ] [ destination { destination-address destination-wildcard | any } | dscp dscp | fragment | logging | icmp-type { icmp-name | icmp-type icmp-code } | precedence precedence | source { source-address source-wildcard | any } | time-range time-name ]*
4. Run:
quit

Return to the system view.
5. Run:
traffic classifier classifier-name [ operator { and | or } ]

A traffic classifier is created and the traffic classifier view is displayed.
The and parameter indicates that the relationship between rules in a traffic classifier
is AND. That is, packets match a traffic classifier only when the packets match all
non-ACL rules and an ACL rule in the traffic classifier. The or parameter indicates
that the relationship between rules in a traffic classifier is OR. That is, packets match
a traffic classifier when the packets match a rule in the traffic classifier.
By default, the relationship between rules in a traffic classifier is AND.
6. Run:
if-match acl advanced-acl-number

A traffic classifier based on an advanced ACL is created.


l Creating a traffic classifier based on a Layer 2 ACL
1. Run:
system-view

The system view is displayed.
2. Run:
acl [ number ] mac-acl-number

A Layer 2 ACL is created and the ACL view is displayed.

NOTE
mac-acl-number specifies the number of a Layer 2 ACL. The value is an integer that ranges
from 4000 to 4999.

3. (Optional) Run:
step step-value

The step value between ACL rule IDs is set.
4. Run:
rule [ rule-id ] { permit | deny } [ { ether-ii | 802.3 | snap } | l2-protocol type-value [ type-mask ] | destination-mac dest-mac-address [ dest-mac-mask ] | source-mac source-mac-address [ source-mac-mask ] | vlan-id vlan-id [ vlan-id-mask ] | 8021p 802.1p-value ] * [ time-range time-range-name ]

A Layer 2 ACL rule is created.
5. Run:
quit

Return to the system view.
6. Run:
traffic classifier classifier-name [ operator { and | or } ]

A traffic classifier is created and the traffic classifier view is displayed.
The and parameter indicates that the relationship between rules in a traffic classifier
is AND. That is, packets match a traffic classifier only when the packets match all
non-ACL rules and an ACL rule in the traffic classifier. The or parameter indicates
that the relationship between rules in a traffic classifier is OR. That is, packets match
a traffic classifier when the packets match a rule in the traffic classifier.
By default, the relationship between rules in a traffic classifier is AND.
7. Run:
if-match acl l2-acl-number

A traffic classifier based on a Layer 2 ACL is created.

----End
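What the and/or operator and an ACL wildcard actually do is easiest to see by running them. The Python below is an added example, not code from the AC6605: it models a basic ACL, an advanced ACL with a wildcard source and a destination port, and three classifiers, and shows that with operator and a packet must satisfy every non-ACL if-match rule and at least one if-match acl rule, whereas with operator or any single rule suffices. The ACL numbers, addresses and packets are constructed; treating an if-match acl condition as satisfied when the first ACL rule that hits the packet is a permit rule is a modelling assumption, not a statement about the device.

```python
"""Model of ACL wildcard matching and the classifier and/or operator (added example)."""
import ipaddress


def wildcard_match(address, rule_address, wildcard):
    """ACL wildcard comparison: a 0 bit in the wildcard must match, a 1 bit is
    ignored, so 'source 10.1.0.0 0.0.255.255' matches any 10.1.x.x address."""
    care = 0xFFFFFFFF ^ int(ipaddress.ip_address(wildcard))
    return (int(ipaddress.ip_address(address)) & care) == (
        int(ipaddress.ip_address(rule_address)) & care)


class AclRule:
    """One 'rule { deny | permit } ...' line; None means the field is not checked."""

    def __init__(self, action, protocol=None, source=None, destination=None,
                 dst_port=None):
        self.action = action              # "permit" or "deny"
        self.protocol = protocol          # e.g. "tcp"; None for a basic ACL
        self.source = source              # (address, wildcard) or None
        self.destination = destination    # (address, wildcard) or None
        self.dst_port = dst_port          # destination-port eq <port>

    def hits(self, pkt):
        if self.protocol and pkt.get("protocol") != self.protocol:
            return False
        if self.source and not wildcard_match(pkt["src_ip"], *self.source):
            return False
        if self.destination and not wildcard_match(pkt["dst_ip"], *self.destination):
            return False
        if self.dst_port is not None and pkt.get("dst_port") != self.dst_port:
            return False
        return True


def acl_matches(acl, pkt):
    """Modelling assumption: an 'if-match acl' condition holds when the first
    rule that hits the packet is a permit rule; no hit means no match."""
    for rule in acl:
        if rule.hits(pkt):
            return rule.action == "permit"
    return False


class Classifier:
    """'traffic classifier <name> operator { and | or }' plus its if-match rules."""

    def __init__(self, name, operator="and"):
        self.name, self.operator = name, operator
        self.field_rules = {}   # e.g. 'if-match dscp 0 46' -> {"dscp": {0, 46}}
        self.acls = []          # one entry per 'if-match acl <number>'

    def if_match(self, field, *values):
        self.field_rules.setdefault(field, set()).update(values)
        return self

    def if_match_acl(self, acl):
        self.acls.append(acl)
        return self

    def matches(self, pkt):
        field_hits = [pkt.get(f) in vals for f, vals in self.field_rules.items()]
        acl_hits = [acl_matches(acl, pkt) for acl in self.acls]
        if self.operator == "and":
            # every non-ACL rule must hold, plus at least one ACL rule if any exist
            return all(field_hits) and (not self.acls or any(acl_hits))
        return any(field_hits) or any(acl_hits)


# Constructed sample configuration (not taken from the guide).
ACL_2001 = [AclRule("permit", source=("10.1.0.0", "0.0.255.255"))]   # basic ACL
ACL_3001 = [AclRule("permit", protocol="tcp",                          # advanced ACL
                    source=("10.1.0.0", "0.0.255.255"), dst_port=80)]

C_AND = Classifier("web_internal", "and").if_match("dscp", 0).if_match_acl(ACL_3001)
C_OR = Classifier("voice_or_web", "or").if_match("dscp", 46).if_match_acl(ACL_3001)
C_TWO_ACLS = Classifier("either_acl", "and").if_match_acl(ACL_2001).if_match_acl(ACL_3001)

# Constructed sample packets.
PKT_HTTP = {"src_ip": "10.1.2.3", "dst_ip": "192.0.2.10", "protocol": "tcp", "dst_port": 80, "dscp": 0}
PKT_SSH = {"src_ip": "10.1.5.5", "dst_ip": "192.0.2.10", "protocol": "tcp", "dst_port": 22, "dscp": 46}
PKT_EXT = {"src_ip": "172.16.0.9", "dst_ip": "192.0.2.10", "protocol": "tcp", "dst_port": 80, "dscp": 0}

if __name__ == "__main__":
    for clf in (C_AND, C_OR, C_TWO_ACLS):
        print(clf.name, [clf.matches(p) for p in (PKT_HTTP, PKT_SSH, PKT_EXT)])
```

C_TWO_ACLS is the case the text's wording hides: with operator and and no non-ACL rules, a packet matching either of the two ACLs is classified, because the AND relationship requires "an ACL rule", not all of them.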

Configuring a Traffic Behavior


The AC6605 supports the actions of permit/deny, re-marking, redirection, traffic policing, flow
mirroring, and traffic statistics, which can be configured as required.

Configuring the Deny or Permit Action


By configuring the deny or permit action, the AC6605 rejects or permits packets matching traffic
classification rules to control the network traffic.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
traffic behavior behavior-name

A traffic behavior is created and the traffic behavior view is displayed.


Step 3 Run the following commands as required.
l Run:
permit

The permit action is configured.


l Run:
deny

The deny action is configured.


NOTE

l If the deny action is configured, the packets matching a traffic classifier are discarded. The packets are
still discarded even if other actions except for the traffic statistics action are configured.
l If the permit action is configured, the packets matching a traffic classifier are processed in order.

----End

Configuring the Re-marking Action


The re-marking action re-marks priorities of packets matching traffic classification rules, such
as the 802.1p priority in VLAN packets, and the DSCP priority in IP packets.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
traffic behavior behavior-name

A traffic behavior is created and the traffic behavior view is displayed.


Step 3 Run the following commands as required.
l Run:
remark 8021p [ 8021p-value | inner-8021p ]

The 802.1p priority of the packets matching the traffic classification is re-marked.
NOTE

If inner-8021p is specified, the 802.1p priority in the inner tag of packets is re-marked to the outer tag.

l Run:
remark dscp { dscp-name | dscp-value }

The DSCP priority of the packets matching the traffic classification is re-marked.
l Run:
remark local-precedence { local-precedence-name | local-precedence-value }
[ color ]

The local priority of the packets matching the traffic classification is re-marked.
In a traffic behavior, the remark 8021p command and the remark local-precedence
command cannot be used together.
----End

Configuring the Redirection Action


The redirection action redirects packets matching the traffic classification rule to the specified
next hop address.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
traffic behavior behavior-name

A traffic behavior is created and the traffic behavior view is displayed.


Step 3 Run the following commands as required.

l Run:
redirect ip-nexthop ip-address &<1-4>

The packets matching the traffic classification are redirected to the next hop.
If multiple next hop IP addresses are configured, the AC6605 redirects packets in active/
standby mode. A maximum of four next hop IP addresses can be configured in a traffic
behavior. The AC6605 determines the primary path and backup paths according to the
sequence in which next hop IP addresses were configured. The next hop IP address that was
configured first has the highest priority and this next hop is used as the primary path. Other
next hops are used as backup paths. When the primary path is Down, the backup path with
the highest priority is used as the primary path.
NOTE

The policy-based routing function can be implemented by configuring redirection.

----End

Configuring Traffic Policing


Traffic policing discards the packets that exceed the rate limit or re-marks colors or CoS of these
packets.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
traffic behavior behavior-name

A traffic behavior is created and the traffic behavior view is displayed.


Step 3 Run:
car cir cir-value [ pir pir-value ] [ cbs cbs-value pbs pbs-value ] [ green { discard | pass [ remark-dscp dscp-value | remark-8021p 8021p-precedence ] } ] [ yellow { discard | pass [ remark-dscp dscp-value | remark-8021p 8021p-precedence ] } ] [ red { discard | pass [ remark-dscp dscp-value | remark-8021p 8021p-precedence ] } ]

The CAR action is configured.


----End
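The green, yellow and red colors that the car command acts on come from two token buckets. The Python below is an added example, not Huawei's implementation: it models a two-rate three-color marker in the style of RFC 2698 (an assumption about how the AC6605 colors packets) and then applies the per-color actions in the way the command syntax allows. The values correspond to car cir 64 pir 128 cbs 1000 pbs 2000 green pass yellow pass remark-dscp 10 red discard, with cir/pir taken as kbit/s and cbs/pbs as bytes (assumed units); the packet burst is constructed.

```python
"""Model of the car action: two-rate three-color marking plus per-color actions (added example)."""


class TwoRateThreeColorMarker:
    """Two token buckets filled at CIR and PIR (RFC 2698 style; modelling assumption).

    cir/pir are interpreted as kbit/s and cbs/pbs as bytes (assumed units)."""

    def __init__(self, cir_kbps, pir_kbps, cbs_bytes, pbs_bytes):
        self.cir = cir_kbps * 1000 / 8            # committed rate in bytes/second
        self.pir = pir_kbps * 1000 / 8            # peak rate in bytes/second
        self.cbs, self.pbs = cbs_bytes, pbs_bytes
        self.tc, self.tp = cbs_bytes, pbs_bytes   # both buckets start full
        self.last = 0.0

    def color(self, size, now):
        """Color one packet of `size` bytes arriving at time `now` (seconds)."""
        elapsed = max(0.0, now - self.last)
        self.last = now
        self.tc = min(self.cbs, self.tc + elapsed * self.cir)
        self.tp = min(self.pbs, self.tp + elapsed * self.pir)
        if size > self.tp:        # not even the peak bucket can cover it
            return "red"
        self.tp -= size
        if size > self.tc:        # within PIR but above CIR
            return "yellow"
        self.tc -= size
        return "green"


def police(marker, packets, actions):
    """Apply per-color actions to a sequence of (time, size, dscp) packets.

    `actions` maps a color to ("discard", None) or ("pass", remark_dscp_or_None),
    mirroring the green / yellow / red clauses of the car command."""
    results = []
    for when, size, dscp in packets:
        color = marker.color(size, when)
        verdict, remark = actions[color]
        new_dscp = remark if (verdict == "pass" and remark is not None) else dscp
        results.append({"color": color, "action": verdict, "dscp": new_dscp})
    return results


# Constructed example, equivalent to:
#   car cir 64 pir 128 cbs 1000 pbs 2000 green pass yellow pass remark-dscp 10 red discard
ACTIONS = {"green": ("pass", None), "yellow": ("pass", 10), "red": ("discard", None)}

# Constructed burst: five 500-byte packets at t=0, then one packet a second later.
SAMPLE_PACKETS = [(0.0, 500, 46)] * 5 + [(1.0, 500, 46)]


def demo():
    """Run the sample burst through the policer and return the per-packet results."""
    return police(TwoRateThreeColorMarker(64, 128, 1000, 2000), SAMPLE_PACKETS, ACTIONS)


if __name__ == "__main__":
    for i, r in enumerate(demo(), 1):
        print(f"packet {i}: {r['color']:6} {r['action']:7} dscp={r['dscp']}")
```

With cbs 1000 and pbs 2000 the first two 500-byte packets drain the committed bucket and are green, the next two fit only the peak bucket and are yellow (re-marked to DSCP 10), the fifth exceeds both and is discarded, and after one second of refill the sixth is green again. Changing cbs or pbs, not only cir, is what decides how large a burst is tolerated before the red action applies.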

Configuring Flow Mirroring


The flow mirroring action mirrors all the packets matching traffic classification rules to the
observing interface.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:

traffic behavior behavior-name

A traffic behavior is created and the traffic behavior view is displayed.


Step 3 Run:
mirroring to observe-port index

All the flows that match a traffic classifier are mirrored to an observing interface.
NOTE

For details about flow mirroring, see Configuring Local Flow Mirroring in the AC6605 Access Controller
Configuration Guide - Device Management.

----End

Configuring Traffic Statistics


The traffic statistics action collects traffic statistics on packets matching traffic classification
rules.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
traffic behavior behavior-name

A traffic behavior is created and the traffic behavior view is displayed.


Step 3 Run:
statistic enable

The traffic statistics function is enabled.


NOTE

To collect statistics about packets matching a classifier, enable the traffic statistics function in the bound
traffic behavior view.

----End

Configuring a Traffic Policy


You can associate a traffic classifier with a traffic behavior in a traffic policy.

Context
When creating a traffic policy on the AC6605, specify the matching order of traffic classifiers
in the traffic policy. The matching order includes the automatic order and configuration order:
l If the automatic order is used, traffic classifiers are matched based on their priorities. The
priority order is: Layer 2 and Layer 3 information > Layer 3 information > Layer 2
information. The traffic classifier with the highest priority is matched first.
l If the configuration order is used, traffic classifiers are matched in the sequence in which
they were bound to the traffic policy. The traffic classifier that was bound to the traffic
policy first is matched first.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
traffic policy policy-name [ match-order { auto | config } ]

A traffic policy is created and the traffic policy view is displayed.


Step 3 Run:
classifier classifier-name behavior behavior-name

A traffic classifier is bound to a traffic behavior in the traffic policy.


----End

Applying the Traffic Policy


The configured traffic policy takes effect only after being applied to an interface.

Procedure
l

Applying a traffic policy to an interface


1.

Run:
system-view

The system view is displayed.


2.

Run:
interface interface-type interface-number

The interface view is displayed.


3.

Run the following commands as required.


On the AC6605, run:
traffic-policy policy-name { inbound | outbound }

A traffic policy is applied to the interface in the inbound or outbound direction.


Only one traffic policy can be applied to an interface in each direction.
After a traffic policy is applied, the system matches the packets passing through this interface
in that direction against the traffic classification rules and performs the bound traffic
behaviors on the matching packets.
----End
Checking the Configuration


After a traffic policy based on complex traffic classification is configured, you can view the
configuration of the traffic classifier, traffic behavior, and traffic policy.

Prerequisites
The configurations of the traffic policy based on complex traffic classification are complete.

Procedure
l Run the display acl { acl-number | all } command to check the ACL rules.
l Run the display traffic-applied [ interface [ interface-type interface-number ] | vlan
[ vlan-id ] ] { inbound | outbound } [ verbose ] command to check information about
traffic actions and ACL rules associated with a device, a VLAN, or an interface.
l Run the display traffic classifier user-defined [ classifier-name ] command to check the
traffic classifier on the AC6605.
l Run the display traffic behavior user-defined [ behavior-name ] command to check the
traffic behavior configuration.
l Run the display traffic policy user-defined [ policy-name [ classifier classifier-name ] ]
command to check the traffic policy information.
l Run the display traffic policy { interface [ interface-type interface-number ] | vlan
[ vlan-id ] | global } [ inbound | outbound ] command to check the traffic policy information
and flow-based traffic statistics.
l Run the display traffic-policy applied-record [ policy-name ] command to check the
applied traffic policy.

----End

7.1.4 Maintaining Class-based QoS


If the traffic statistics function is enabled, you can view and clear the flow-based traffic statistics.

Displaying the Flow-based Traffic Statistics


You can use the display traffic policy statistics command to view the traffic statistics matching
the specified traffic classification rule.

Context
To view the flow-based traffic statistics, a traffic policy must exist and contain the traffic
statistics action.

Procedure
l

Run the display traffic policy statistics { global [ slot slot-id ] | interface interface-type
interface-number | vlan vlan-id } { inbound | outbound } [ verbose { classifier-base |
rule-base } [ class classifier-name ] ] command to check the flow-based traffic statistics.

----End
Clearing the Flow-based Traffic Statistics


You can use the reset command to clear the flow-based traffic statistics.

Context

CAUTION
The flow-based traffic statistics cannot be restored after being cleared. Exercise caution when
you run the command.

Procedure
l

Run the reset traffic policy statistics { global [ slot slot-id ] | interface interface-type
interface-number | vlan vlan-id } { inbound | outbound } command in the user view to
clear the flow-based traffic statistics.

----End

7.1.5 Configuration Examples


This section provides several configuration examples of class-based QoS.

Example for Configuring Policy-based Routing


After packet redirection based on complex traffic classification is configured, the AC6605
redirects packets with different IP priorities to different interfaces so that the AC6605 provides
different bandwidth services.

Networking Requirements
The Layer 2 switch of a company is connected to the ISP device through the Switch over two
links: a 1 Gbit/s link with gateway 20.20.20.1/24 and a 10 Gbit/s link with gateway
20.20.30.1/24. The company requires that only packets with IP precedence 4, 5, 6, and 7 be
sent to the ISP over the 10 Gbit/s link, and that packets with lower precedence be sent over the
1 Gbit/s link. See Figure 7-1.
Figure 7-1 Policy-based routing networking
[Figure: the L2 Switch connects to GE0/0/1 of the Switch. The Switch reaches the Router over
GE0/0/2 (20.20.20.2/24, gateway 20.20.20.1/24, the 1 Gbit/s link) and over GE0/0/3
(20.20.30.2/24, gateway 20.20.30.1/24, the 10 Gbit/s link); the Router connects to the core
network.]

Configuration Roadmap
The configuration roadmap is as follows:
1. Create VLANs and configure interfaces so that the Switch can ping the ISP device.
2. Create ACL rules to match the packets with priorities as 4, 5, 6, and 7 and priorities as 0,
1, 2, and 3.
3. Create traffic classifiers to match the preceding ACL rules.
4. Create traffic behaviors to redirect matching packets to next hops 20.20.20.1 and 20.20.30.1.
5. Create a traffic policy, bind traffic classifiers to traffic behaviors in the traffic policy, and
apply the traffic policy to an interface.

Data Preparation
To complete the configuration, you need the following data:
l VLAN 20 and VLAN 30, to which GE0/0/1, GE0/0/2 and GE0/0/3 are all added
l ACL rules 3001 and 3002
l Traffic classifiers c1 and c2
l Traffic behaviors b1 and b2
l Traffic policy p1

Procedure
Step 1 Create VLANs and configure interfaces.
# Create VLANs 20 and 30.
<Quidway> system-view
[Quidway] sysname Switch
[Switch] vlan batch 20 30

# Configure the type of GE 0/0/1, GE 0/0/2 and GE 0/0/3 to trunk, and add all of GE 0/0/1,
GE 0/0/2 and GE 0/0/3 to VLAN 20 and VLAN 30.
[Switch] interface gigabitethernet0/0/1
[Switch-GigabitEthernet0/0/1] port link-type trunk
[Switch-GigabitEthernet0/0/1] port trunk allow-pass vlan 20 30
[Switch-GigabitEthernet0/0/1] quit
[Switch] interface gigabitethernet0/0/2
[Switch-GigabitEthernet0/0/2] port link-type trunk
[Switch-GigabitEthernet0/0/2] port trunk allow-pass vlan 20 30
[Switch-GigabitEthernet0/0/2] quit
[Switch] interface gigabitethernet0/0/3
[Switch-GigabitEthernet0/0/3] port link-type trunk
[Switch-GigabitEthernet0/0/3] port trunk allow-pass vlan 20 30
[Switch-GigabitEthernet0/0/3] quit

# Create VLANIF 20 and VLANIF 30 and assign IP addresses to them.


[Switch] interface vlanif 20
[Switch-Vlanif20] ip address 20.20.20.2 24
[Switch-Vlanif20] quit
[Switch] interface vlanif 30
[Switch-Vlanif30] ip address 20.20.30.2 24
[Switch-Vlanif30] quit

NOTE

Assign network segment addresses 20.20.20.1/24 and 20.20.30.1/24 to the interfaces connecting the router
and Switch. The details are not mentioned here.

Step 2 Create ACL rules.


# Create advanced ACL rules 3001 and 3002 on the Switch to permit the packets with priorities
as 4, 5, 6, and 7 and priorities as 0, 1, 2, and 3 to pass through.
[Switch] acl 3001
[Switch-acl-adv-3001] rule permit ip precedence 0
[Switch-acl-adv-3001] rule permit ip precedence 1
[Switch-acl-adv-3001] rule permit ip precedence 2
[Switch-acl-adv-3001] rule permit ip precedence 3
[Switch-acl-adv-3001] quit
[Switch] acl 3002
[Switch-acl-adv-3002] rule permit ip precedence 4
[Switch-acl-adv-3002] rule permit ip precedence 5
[Switch-acl-adv-3002] rule permit ip precedence 6
[Switch-acl-adv-3002] rule permit ip precedence 7
[Switch-acl-adv-3002] quit


Step 3 Create traffic classifiers.


Create traffic classifiers c1 and c2 on the Switch with matching rules as ACL 3001 and ACL
3002.
[Switch] traffic classifier c1
[Switch-classifier-c1] if-match acl 3001
[Switch-classifier-c1] quit
[Switch] traffic classifier c2
[Switch-classifier-c2] if-match acl 3002
[Switch-classifier-c2] quit

Step 4 Create traffic behaviors.


# Create traffic behaviors b1 and b2 on the Switch to redirect packets to next hops 20.20.20.1
and 20.20.30.1.
[Switch] traffic behavior b1
[Switch-behavior-b1] redirect ip-nexthop 20.20.20.1
[Switch-behavior-b1] quit
[Switch] traffic behavior b2
[Switch-behavior-b2] redirect ip-nexthop 20.20.30.1
[Switch-behavior-b2] quit

Step 5 Create a traffic policy and apply it to an interface.


# Create traffic policy p1 on the Switch and bind traffic classifiers to traffic behaviors in the
traffic policy.
[Switch] traffic policy p1
[Switch-trafficpolicy-p1] classifier c1 behavior b1
[Switch-trafficpolicy-p1] classifier c2 behavior b2
[Switch-trafficpolicy-p1] quit

# Apply traffic policy p1 to GE 0/0/1.


[Switch] interface gigabitethernet0/0/1
[Switch-GigabitEthernet0/0/1] traffic-policy p1 inbound
[Switch-GigabitEthernet0/0/1] quit

Step 6 Verify the configuration.


# Check the configuration of ACL rules.
[Switch] display acl 3001


Advanced ACL 3001, 4 rules
Acl's step is 5
rule 5 permit ip precedence routine
rule 10 permit ip precedence priority
rule 15 permit ip precedence immediate
rule 20 permit ip precedence flash
[Switch] display acl 3002
Advanced ACL 3002, 4 rules
Acl's step is 5
rule 5 permit ip precedence flash-override
rule 10 permit ip precedence critical
rule 15 permit ip precedence internet
rule 20 permit ip precedence network

# Check the configuration of traffic classifiers.


[Switch] display traffic classifier user-defined
User Defined Classifier Information:
Classifier: c2
Operator: AND
Rule(s) : if-match acl 3002
Classifier: c1
Operator: AND
Rule(s) : if-match acl 3001
Total classifier number is 2

# View the configuration of the traffic policy.


[Switch] display traffic policy user-defined p1
User Defined Traffic Policy Information:
Policy: p1
Classifier: c1
Operator: AND
Behavior: b1
Redirect: no forced
Redirect ip-nexthop 20.20.20.1
Classifier: c2
Operator: AND
Behavior: b2
Redirect: no forced
Redirect ip-nexthop 20.20.30.1

----End

Configuration Files
l

Configuration file of the Switch


#
sysname Switch
#
vlan batch 20 30
#
acl number 3001
rule 5 permit ip precedence routine
rule 10 permit ip precedence priority
rule 15 permit ip precedence immediate
rule 20 permit ip precedence flash
#
acl number 3002
rule 5 permit ip precedence flash-override
rule 10 permit ip precedence critical
rule 15 permit ip precedence internet
rule 20 permit ip precedence network

#
traffic classifier c1 operator and
if-match acl 3001
traffic classifier c2 operator and
if-match acl 3002
#
traffic behavior b1
redirect ip-nexthop 20.20.20.1
traffic behavior b2
redirect ip-nexthop 20.20.30.1
#
traffic policy p1
classifier c1 behavior b1
classifier c2 behavior b2
#
interface Vlanif20
ip address 20.20.20.2 255.255.255.0
#
interface Vlanif30
ip address 20.20.30.2 255.255.255.0
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 20 30
traffic-policy p1 inbound
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 20 30
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk allow-pass vlan 20 30
#
return

Example for Configuring Traffic Statistics Based on Complex Traffic Classification


After traffic statistics based on complex traffic classification is configured, the AC6605 collects
traffic statistics on packets with the specified source MAC address.

Networking Requirements
As shown in Figure 7-2, PC1 with the MAC address of 0000-0000-0003 is connected to other
devices through GE0/0/1 on the Switch. The Switch is required to collect the statistics on the
packets with the source MAC address of 0000-0000-0003.
Figure 7-2 Networking diagram for configuring traffic statistics based on complex traffic
classification
[Figure: PC1 (MAC 0000-0000-0003) connects to GE0/0/1 of the Switch; the Switch (VLANIF 20,
20.20.20.1/24) connects through GE0/0/2 to the Router (20.20.20.2/24), which connects to the
core network.]

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure interfaces so that the Switch is connected to PC1 and the router.
2. Create an ACL to match the packets with the source MAC address as 0000-0000-0003.
3. Create a traffic classifier to match the ACL.
4. Create a traffic behavior to collect statistics on the matching packets.
5. Create a traffic policy, bind the traffic classifier to the traffic behavior in the traffic policy,
and apply the traffic policy to GE0/0/1 in the inbound direction.

Data Preparation
To complete the configuration, you need the following data:
l VLAN 20
l ACL 4000
l Traffic classifier c1
l Traffic behavior b1
l Traffic policy p1

Procedure
Step 1 Create a VLAN and configure interfaces.
# Create VLAN 20.
<Quidway> system-view
[Quidway] sysname Switch
[Switch] vlan 20
[Switch-vlan20] quit

# Configure the type of GE0/0/1 as access and GE0/0/2 as trunk, and add GE0/0/1 and
GE0/0/2 to VLAN 20.
[Switch] interface gigabitethernet0/0/1
[Switch-GigabitEthernet0/0/1] port link-type access
[Switch-GigabitEthernet0/0/1] port default vlan 20
[Switch-GigabitEthernet0/0/1] quit
[Switch] interface gigabitethernet0/0/2
[Switch-GigabitEthernet0/0/2] port link-type trunk
[Switch-GigabitEthernet0/0/2] port trunk allow-pass vlan 20
[Switch-GigabitEthernet0/0/2] quit

# Create VLANIF 20 and assign IP address 20.20.20.1/24 to it.


[Switch] interface vlanif 20
[Switch-Vlanif20] ip address 20.20.20.1 24
[Switch-Vlanif20] quit
NOTE

Assign network segment address 20.20.20.2/24 to the interface connecting the router and Switch. The
details are not mentioned here.

Step 2 Create an ACL.


# Create Layer 2 ACL 4000 on the Switch to match the packets with the source MAC address
as 0000-0000-0003.
[Switch] acl 4000


[Switch-acl-L2-4000] rule permit source-mac 0000-0000-0003 ffff-ffff-ffff
[Switch-acl-L2-4000] quit

Step 3 Create a traffic classifier.


Create traffic classifier c1 on the Switch with ACL 4000 as the matching rule.
[Switch] traffic classifier c1
[Switch-classifier-c1] if-match acl 4000
[Switch-classifier-c1] quit

Step 4 Create a traffic behavior.


# Create traffic behavior b1 on the Switch and configure the traffic statistics action.
[Switch] traffic behavior b1
[Switch-behavior-b1] statistic enable
[Switch-behavior-b1] quit

Step 5 Create a traffic policy and apply it to an interface.


# Create traffic policy p1 on the Switch and bind the traffic classifier to the traffic behavior in
the traffic policy.
[Switch] traffic policy p1
[Switch-trafficpolicy-p1] classifier c1 behavior b1
[Switch-trafficpolicy-p1] quit

Apply traffic policy p1 to GE0/0/1.


[Switch] interface gigabitethernet0/0/1
[Switch-GigabitEthernet0/0/1] traffic-policy p1 inbound
[Switch-GigabitEthernet0/0/1] quit
[Switch] quit

Step 6 Verify the configuration.


# Check the configuration of the ACL.
<Switch> display acl 4000
L2 ACL 4000, 1 rule
Acl's step is 5
rule 5 permit source-mac 0000-0000-0003

# Check the configuration of the traffic classifier.


<Switch> display traffic classifier user-defined
User Defined Classifier Information:
Classifier: c1
Operator: AND
Rule(s) : if-match acl 4000
Total classifier number is 1

# View the configuration of the traffic policy.


<Switch> display traffic policy user-defined p1
User Defined Traffic Policy Information:
Policy: p1
Classifier: c1
Operator: AND
Behavior: b1
Statistic: enable

----End
Configuration Files
l

Configuration file of the Switch


#
sysname Switch
#
vlan batch 20
#
acl number 4000
rule 5 permit source-mac 0000-0000-0003
#
traffic classifier c1 operator and
if-match acl 4000
#
traffic behavior b1
statistic enable
#
traffic policy p1
classifier c1 behavior b1
#
interface Vlanif20
ip address 20.20.20.1 255.255.255.0
#
interface GigabitEthernet0/0/1
port link-type access
port default vlan 20
traffic-policy p1 inbound
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 20
#
return
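The two examples above (policy-based routing and traffic statistics), together with the classifier matching order described under Configuring a Traffic Policy, can be checked end to end in software before the CLI is touched. The following Python block is an added example and is not Huawei code or AC6605 output. It models only what the examples use: advanced ACL rules on IP precedence, a Layer 2 ACL rule on source MAC with a mask, the classifier-to-behavior bindings of a policy with match-order config, and the redirect ip-nexthop and statistic enable actions. The frames it parses are constructed inline, and the names Rule, Behavior, TrafficPolicy, build_frame, pbr_policy, stats_policy and demo are the example's own.

```python
"""Traffic-policy simulation for the two configuration examples above.

Added example, not Huawei code. Models advanced ACL rules on IP precedence,
a Layer 2 source-MAC rule with a mask, classifier/behavior bindings with
match-order config, and the redirect and statistic actions. Frames are constructed.
"""
import struct
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


def mac_bytes(huawei_mac: str) -> bytes:
    """Huawei 'xxxx-xxxx-xxxx' notation to six raw bytes."""
    return bytes.fromhex(huawei_mac.replace("-", ""))


def parse_frame(raw: bytes) -> Tuple[bytes, Optional[int]]:
    """Return (source MAC, IP precedence); precedence is None for non-IPv4 frames.
    Precedence is the top three bits of the IPv4 TOS byte, at offset 15 after Ethernet II."""
    _dst, src, ethertype = struct.unpack("!6s6sH", raw[:14])
    if ethertype == 0x0800 and len(raw) >= 34:
        return src, raw[15] >> 5
    return src, None


@dataclass
class Rule:
    """A permit rule; fields left as None are wildcards."""
    precedence: Optional[int] = None
    source_mac: Optional[bytes] = None
    source_mac_mask: bytes = b"\xff" * 6  # ffff-ffff-ffff: compare all 48 bits

    def matches(self, src_mac: bytes, precedence: Optional[int]) -> bool:
        if self.precedence is not None and precedence != self.precedence:
            return False
        if self.source_mac is not None:
            m = self.source_mac_mask
            if bytes(a & b for a, b in zip(src_mac, m)) != \
                    bytes(a & b for a, b in zip(self.source_mac, m)):
                return False
        return True


@dataclass
class Behavior:
    redirect_nexthop: Optional[str] = None
    statistic: bool = False


@dataclass
class TrafficPolicy:
    bindings: List[Tuple[str, str]]     # (classifier, behavior) in configuration order
    classifiers: Dict[str, List[Rule]]  # classifier name -> rules of its if-match acl
    behaviors: Dict[str, Behavior]
    stats: Dict[str, int] = field(default_factory=dict)

    def apply(self, raw: bytes) -> Optional[str]:
        """Return the redirect next hop, or None for normal forwarding.
        match-order config: the classifier bound first wins, later ones are skipped."""
        src_mac, prec = parse_frame(raw)
        for cname, bname in self.bindings:
            if any(r.matches(src_mac, prec) for r in self.classifiers[cname]):
                b = self.behaviors[bname]
                if b.statistic:
                    self.stats[cname] = self.stats.get(cname, 0) + 1
                return b.redirect_nexthop
        return None


def build_frame(src_mac: str, tos: int = 0, ipv4: bool = True) -> bytes:
    """Constructed sample frame: Ethernet II plus a minimal IPv4 header, or an
    ARP ethertype with zero padding when ipv4 is False."""
    eth = mac_bytes("0000-0000-0001") + mac_bytes(src_mac)
    if not ipv4:
        return eth + struct.pack("!H", 0x0806) + b"\x00" * 28
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, tos, 20, 0, 0, 64, 6, 0,
                         bytes([20, 20, 20, 100]), bytes([20, 20, 30, 1]))
    return eth + struct.pack("!H", 0x0800) + ip_hdr


def pbr_policy() -> TrafficPolicy:
    """Policy p1 of the policy-based routing example (ACL 3001/3002, b1/b2)."""
    return TrafficPolicy(
        bindings=[("c1", "b1"), ("c2", "b2")],
        classifiers={"c1": [Rule(precedence=p) for p in (0, 1, 2, 3)],
                     "c2": [Rule(precedence=p) for p in (4, 5, 6, 7)]},
        behaviors={"b1": Behavior(redirect_nexthop="20.20.20.1"),
                   "b2": Behavior(redirect_nexthop="20.20.30.1")})


def stats_policy() -> TrafficPolicy:
    """Policy p1 of the traffic statistics example (ACL 4000, statistic enable)."""
    return TrafficPolicy(
        bindings=[("c1", "b1")],
        classifiers={"c1": [Rule(source_mac=mac_bytes("0000-0000-0003"))]},
        behaviors={"b1": Behavior(statistic=True)})


def demo() -> Tuple[Optional[str], Optional[str], Dict[str, int]]:
    """Steer an EF-marked packet (TOS 0xB8, precedence 5) and a precedence-1 packet,
    then count three frames from two MACs, one of them ARP, with the statistics policy."""
    p, s = pbr_policy(), stats_policy()
    high = p.apply(build_frame("0000-0000-0003", tos=0xB8))
    low = p.apply(build_frame("0000-0000-0003", tos=0x20))
    for fr in (build_frame("0000-0000-0003"), build_frame("0000-0000-0004"),
               build_frame("0000-0000-0003", ipv4=False)):
        s.apply(fr)
    return high, low, s.stats   # ('20.20.30.1', '20.20.20.1', {'c1': 2})
```

Two things the CLI transcripts do not make visible. First, the precedence that selects the 10 Gbit/s link is read from the TOS byte exactly as the host sent it, so any host behind the L2 Switch can mark its own packets 4 to 7 and be steered onto the faster link; if that matters, remark precedence at the ingress port or classify on fields the host does not control. Second, a Layer 2 rule matches non-IP frames as well, which is why the ARP frame in demo() is counted together with the IP packets from the same MAC.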

7.2 Traffic Policing and Traffic Shaping Configuration


This section describes the basic concepts of traffic policing and traffic shaping, the
configuration of interface-based traffic policing, traffic policing based on a traffic classifier,
and traffic shaping, and provides configuration examples.

7.2.1 Traffic Policing and Traffic Shaping Overview


This section describes the basic concepts of traffic policing and traffic shaping and the
differences between traffic policing and traffic shaping.

Traffic Policing
To make full use of limited network resources, traffic policing is applied to specific service
flows so that they stay within the network resources allocated to them.
Traffic policing monitors the traffic rate against a configured limit and discards the excess
traffic, keeping traffic within a proper range and protecting network resources.

Token Bucket and Traffic Measurement


When the traffic exceeds the rate limit, the AC6605 applies traffic control policies. Generally, the
AC6605 uses a token bucket to measure the volume of traffic.
A token bucket is a container that holds a certain number of tokens. The AC6605 puts tokens into
the bucket at the configured rate (one token permits one bit of data to be forwarded). When the
token bucket is full, the excess tokens overflow and the number of tokens no longer increases.
When measuring the traffic in a token bucket, the AC6605 forwards packets based on the number
of tokens in the token bucket. If there are sufficient tokens in the token bucket to forward packets,
the traffic rate is within the rate limit. Otherwise, the traffic rate exceeds the rate limit.
Figure 7-3 Using a token bucket to measure the traffic
[Figure: packets to be sent from the interface are classified and checked against a token bucket
that is filled with tokens at the set rate; packets for which enough tokens are available continue
to be sent, the rest are dropped.]
The AC6605 supports the single token bucket and dual token buckets.
l Single token bucket
The single token bucket technology uses the following parameters:
Committed burst size (CBS): indicates the maximum volume of traffic that bursts in
bucket C, in bytes.
Committed information rate (CIR): indicates the rate of tokens that are put into bucket
C, that is, the average traffic rate allowed by bucket C, in kbit/s.
If there are sufficient tokens in the bucket, packets are forwarded. At the same time, the
number of tokens in the bucket decreases based on the length of the packets. If there are
not enough tokens in the bucket, packets are discarded.
l Dual token buckets
The dual token bucket technology uses the following parameters in addition to the CIR and
CBS:
Peak burst size (PBS): indicates the maximum volume of traffic that bursts and exceeds
the CBS in bucket P, in bytes.
Peak information rate (PIR): indicates the rate of tokens that are put into bucket P, that
is, the average traffic rate allowed by bucket P, in kbit/s.
For the dual token buckets:
l The service traffic at or below the CIR value is colored green and is allowed to pass
through.
l The service traffic that exceeds the PIR value is colored red and is discarded.
l The service traffic between the CIR value and the PIR value is colored yellow
and is discarded when congestion occurs.

Traffic Policing Features Supported by the AC6605


The AC6605 supports the following traffic policing features:
l Interface-based traffic policing
Interface-based traffic policing controls all incoming traffic on an interface regardless of
packet types. It discards the excess traffic, limits traffic within a proper range, and protects
network resources and carriers' interests.
l Traffic policing based on a traffic classifier
Traffic policing based on a traffic classifier limits the rate of the traffic matching a traffic
classifier. The AC6605 limits the rate of incoming traffic. It discards the traffic that exceeds
the rate limit, limits traffic within an appropriate range, and protects network resources and
carriers' interests. Traffic policing based on a traffic classifier uses dual token buckets.
After traffic policing based on a traffic classifier is configured on an AC6605, CAR can be
performed twice for upstream flows. The AC6605 first applies CAR to the upstream flows
that match a traffic classifier, and then it aggregates all the upstream flows and applies CAR
to limit the aggregated flows. The upstream flows refer to the incoming service flows
matching a traffic classifier that is bound to a traffic behavior containing aggregate CAR.
NOTE
l Aggregate CAR supports only the single token bucket.
l Traffic policing based on a traffic classifier on the AC6605 implements both interface-based and
flow-based rate limiting in both directions. For interface-based rate limiting, the matching rule of
the traffic classifier is set to if-match any.

Traffic Shaping
Traffic shaping controls the rate of packets so that packets are sent at an even rate. It adapts the
transmission rate of packets to the downstream devices to prevent unnecessary packet loss and
congestion.
Traffic shaping also limits traffic and resources by monitoring the traffic rate. In traffic shaping,
the AC6605 also uses token buckets to measure the traffic.

Difference Between Traffic Shaping and Traffic Policing


The main difference between traffic shaping and traffic policing is that, in traffic shaping, the
AC6605 caches the packets that traffic policing would discard. These packets are stored in a
buffer or a queue, as shown in Figure 7-4. When there are sufficient tokens in the token bucket,
the cached packets are sent out at an even rate.

Figure 7-4 Networking diagram of traffic shaping
[Figure: packets to be sent from the interface are classified and checked against a token bucket
that is filled with tokens at the set rate; packets for which enough tokens are available continue
to be sent, the rest are placed in a queue and sent later, or dropped when the queue is full.]

Traffic shaping adds delay because it holds packets in a buffer or a queue. Traffic policing does
not add delay.

Traffic Shaping Features Supported by the AC6605


The AC6605 supports the following traffic shaping features:
l

Traffic shaping on an interface


The AC6605 performs traffic shaping for all the packets that pass through an interface.

Traffic shaping in an interface queue


The AC6605 performs traffic shaping for the packets of a certain type that pass through an
interface. In this manner, traffic shaping based on voice, data, and video services is
implemented.

7.2.2 Configuring Traffic Policing Based on an Interface


After traffic policing based on an interface is configured, the AC6605 polices all traffic on the
interface.

Establishing the Configuration Task


Before configuring traffic policing based on an interface, familiarize yourself with the applicable
environment, complete the pre-configuration tasks, and obtain the required data. This helps you
complete the configuration task quickly and accurately.

Applicable Environment
If the service traffic sent by users is not limited, a large amount of increasing burst service data
makes a network more congested. To make full use of network resources and provide better
services for more users, you must limit user service traffic. After interface-based traffic policing
is applied to the interface, the rate of all the user service traffic entering the interface is limited.
Pre-configuration Tasks
Before configuring a rate limit on the interface, complete the following tasks:
l Setting physical parameters of interfaces
l Setting link layer attributes of interfaces to ensure normal operation of these interfaces
l Assigning IP addresses to the interfaces and configuring routing protocols to ensure that
routes are reachable

Data Preparation
To configure interface-based traffic policing, you need the following data:
l CIR and CBS
l Interface where traffic policing is configured

Limiting the Rate of Traffic on the Interface


To limit the rate of traffic entering the AC6605, configure traffic policing on the inbound
interface.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
interface interface-type interface-number

The interface view is displayed.


Or, run:
port-group port-group-name

The port group view is displayed.


NOTE
l You can configure interface-based traffic policing on GE interfaces.
l To set the same QoS CAR parameters on multiple interfaces, perform the configuration on the port group
to reduce the workload. Create a port group before performing this task. For details on how to create a
port group, see (Optional) Configuring a Port Group in the AC6605 Access Controller Configuration
Guide - Ethernet.

Step 3 Run:
qos lr { inbound | outbound } cir cir-value [ cbs cbs-value ]

Traffic policing is configured on the interface.


----End
Configuring the Rate Limit on the Management Interface


Traffic policing on the management interface limits the traffic received from the management
interface to improve system performance.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
interface meth 0/0/1

The MEth interface view is displayed.


Step 3 Run:
qos lr pps packets

The rate limit is set.


NOTE

The rate limit on the management interface cannot be lower than 100 pps; otherwise, FTP and
Telnet may fail to work.

----End

Checking the Configuration


After interface-based rate limit is configured, you can view rate limit information on the
interface.

Prerequisites
The configurations of interface-based rate limit are complete.

Procedure
l Run the display qos lr { inbound | outbound } interface interface-type interface-number
command to view rate limit information on the interface.
l Run the display qos configuration interface [ interface-type interface-number ] command
to check all the QoS configuration on the interface.

----End

7.2.3 Configuring Traffic Policing Based on a Traffic Classifier


After traffic policing based on a traffic classifier is configured, the AC6605 polices the traffic
matching traffic classification rules.

Establishing the Configuration Task


Before configuring traffic policing based on a traffic classifier, familiarize yourself with the
applicable environment, complete the pre-configuration tasks, and obtain the data required for
the configuration. This will help you complete the configuration task quickly and accurately.

Applicable Environment
If the service traffic sent by users is not limited, a network is congested because a large number
of users send bursts of data in the same period. To make full use of limited network resources
and provide better services for more users, limit user service traffic.
Traffic policing based on a traffic classifier can be used to control the service traffic of a certain
type.

Pre-configuration Tasks
Before configuring traffic policing based on a traffic classifier, complete the following tasks:
l Setting physical parameters of interfaces
l Setting link layer attributes of interfaces to ensure that these interfaces work properly
l Assigning IP addresses to the interfaces and configuring routing protocols to ensure that
routes are reachable

Data Preparation
To configure traffic policing based on a traffic classifier, you need the following data:
l Name of the traffic classifier and related parameters
l Name of the traffic behavior and CAR parameters: CIR, (optional) CBS, (optional) PIR,
(optional) PBS, (optional) color
l Name of the traffic policy, and the object and inbound or outbound direction to which
traffic policing based on a traffic classifier is applied

Configuring Complex Traffic Classification


The AC6605 can classify traffic according to the ACL, Layer 2 information in packets, and
Layer 3 information in packets.
Select proper traffic classification rules and configure complex traffic classification as required.
For details, see Configuring Complex Traffic Classification.

Configuring a Traffic Policing Action on the


You can configure traffic policing actions, set the CIR, PIR, CBS, and PBS values, and configure
actions for packets with different PHBs and colors.
Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
traffic behavior behavior-name

A traffic behavior is created and the traffic behavior view is displayed.


Step 3 Run:
car cir cir-value [ pir pir-value ] [ cbs cbs-value pbs pbs-value ] [ green
{ discard | pass [ remark-dscp dscp-value | remark-8021p 8021p-precedence ] } ]
[ yellow { discard | pass [ remark-dscp dscp-value | remark-8021p 8021p-precedence ] } ]
[ red { discard | pass [ remark-dscp dscp-value | remark-8021p 8021p-precedence ] } ]

A CAR action is configured.


You can define the color of packets in the CAR action:
- When the burst size of a packet is smaller than the CBS value, the packet is colored green.
- When the burst size of a packet is equal to or larger than the CBS value but smaller than the PBS value, the packet is colored yellow.
- When the burst size of a packet is equal to or larger than the PBS value, the packet is colored red.
Step 4 Run:
quit

Exit from the traffic behavior view.


----End
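The coloring rule above is a two-rate, three-color token-bucket model: a C bucket of depth CBS refilled at CIR and a P bucket of depth PBS refilled at PIR. The following Python model is an added example, not code from this guide or from the AC6605 software. It replays the guide's b1 behavior (car cir 2000 pir 10000 green pass, with the yellow pass / red discard defaults) against a constructed burst of 100 KB packets. The default burst sizes (CBS = 125 x CIR bytes, PBS = 125 x PIR bytes) are inferred from the display output later in this section (CBS 250000 for CIR 2000, PBS 1250000 for PIR 10000), not from a specification; packet sizes and timing are constructed.

```python
"""Two-rate three-color CAR marker (added illustration, not AC6605 code)."""

BYTES_PER_KBIT = 125  # 1 kbit/s sustained for one second = 125 bytes


class Car:
    """One CAR action in the units the `car` command uses: kbit/s and bytes."""

    def __init__(self, cir, pir=None, cbs=None, pbs=None,
                 green="pass", yellow="pass", red="discard"):
        self.cir = cir
        self.pir = pir if pir is not None else cir
        # Assumed defaults, taken from the display output in this section.
        self.cbs = cbs if cbs is not None else cir * BYTES_PER_KBIT
        self.pbs = pbs if pbs is not None else self.pir * BYTES_PER_KBIT
        self.actions = {"green": green, "yellow": yellow, "red": red}
        self.tokens_c = float(self.cbs)  # both buckets start full
        self.tokens_p = float(self.pbs)
        self.last = 0.0                  # time of the last refill, seconds

    def _refill(self, now):
        elapsed = max(0.0, now - self.last)
        self.tokens_c = min(self.cbs, self.tokens_c + elapsed * self.cir * BYTES_PER_KBIT)
        self.tokens_p = min(self.pbs, self.tokens_p + elapsed * self.pir * BYTES_PER_KBIT)
        self.last = now

    def color(self, size, now):
        """Color one packet of `size` bytes arriving at time `now` (seconds)."""
        self._refill(now)
        if self.tokens_p < size:
            return "red"             # exceeds PBS: no tokens are consumed
        if self.tokens_c < size:
            self.tokens_p -= size    # between CBS and PBS
            return "yellow"
        self.tokens_c -= size        # within CBS
        self.tokens_p -= size
        return "green"

    def police(self, size, now):
        """Return (color, action) as the green/yellow/red clauses would."""
        c = self.color(size, now)
        return c, self.actions[c]


def run_page_example():
    """Constructed scenario: thirteen 100 KB packets arrive at t = 0 (a 1.3 MB
    burst), then one more packet after one second of silence."""
    car = Car(cir=2000, pir=10000)  # CBS 250000 bytes, PBS 1250000 bytes
    burst = [car.police(100_000, now=0.0) for _ in range(13)]
    colors = [c for c, _ in burst]
    passed = sum(1 for _, action in burst if action == "pass")
    after_idle, _ = car.police(100_000, now=1.0)
    return {
        "green": colors.count("green"),     # first 250 KB fit the C bucket
        "yellow": colors.count("yellow"),   # next 1 MB still fits the P bucket
        "red": colors.count("red"),         # the rest exceeds PBS
        "passed": passed,
        "dropped": len(burst) - passed,
        "after_idle": after_idle,           # C bucket has refilled: green again
    }


if __name__ == "__main__":
    print(run_page_example())
```

Yellow packets pass here only because the behavior does not say otherwise; on a user-facing interface where the point of CAR is to bound what a misbehaving host can inject, set an explicit yellow action so the policy does not depend on the default.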

Creating a Traffic Policy


You can associate a traffic classifier with a traffic behavior in a traffic policy.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
traffic policy policy-name [ match-order { auto | config } ]

A traffic policy is created and the traffic policy view is displayed.


After a traffic policy is applied, you cannot use the traffic policy command to modify the
matching order of traffic classifiers in the traffic policy. To modify the matching order, unbind
the traffic policy from the system, an interface, or a VLAN where it is applied, and re-create a
traffic policy and specify the matching order.
Step 3 Run:
classifier classifier-name behavior behavior-name

A traffic classifier is bound to a traffic behavior in the traffic policy.


----End

Applying the Traffic Policy


The configured traffic policy takes effect only after being applied to an interface.

Procedure
Applying a traffic policy to an interface:
1. Run:
system-view

The system view is displayed.

2. Run:
interface interface-type interface-number

The interface view is displayed.

3. Run:
traffic-policy policy-name { inbound | outbound }

A traffic policy is applied to the interface in the inbound or outbound direction.

Only one traffic policy can be applied to an interface in each direction.
After a traffic policy is applied, the system performs traffic policing for the packets that pass
through this interface in that direction and match a traffic classifier.
----End

Checking the Configuration


After traffic policing based on a traffic classifier is configured, you can view the traffic statistics
or CAR statistics.

Context
The configurations of traffic policing based on a traffic classifier are complete.

Procedure
- Run the display traffic behavior user-defined [ behavior-name ] command to check the traffic behavior configuration.
- Run the display traffic classifier user-defined [ classifier-name ] command to check the traffic classifier configuration.
- Run the display traffic policy user-defined [ policy-name [ classifier classifier-name ] ] command to check the traffic policy configuration.
- Run the display traffic policy { interface [ interface-type interface-number ] | vlan [ vlan-id ] | global } [ inbound | outbound ] command on the AC6605 to check the traffic policy information and flow-based traffic statistics.
- Run the display qos configuration interface [ interface-type interface-number ] command to check all the QoS configurations on the interface.

----End

7.2.4 Configuring Traffic Shaping


After traffic shaping is configured, the AC6605 shapes packets matching traffic classification
rules so that packets are sent out at an even rate.

Establishing the Configuration Task


Before configuring traffic shaping, familiarize yourself with the applicable environment,
complete the pre-configuration tasks, and obtain the required data. This helps you complete the
configuration task quickly and accurately.

Applicable Environment
If the bandwidth of upstream and downstream networks is different, you can configure traffic
shaping on the outgoing interface connecting the upstream network and downstream network.
In this manner, the rate of packets sent to the downstream network meets the requirements of
the bandwidth of the downstream network. This can prevent congestion and packet loss on the
network to a certain degree.
The AC6605 supports traffic shaping on an interface and in an interface queue. You can
configure either or both as required. If both are configured on the same interface, ensure that
the CIR for traffic shaping on the interface is greater than or equal to the sum of the CIRs for
traffic shaping in its interface queues. Otherwise, traffic shaping does not work as intended: for
example, traffic of lower priorities preempts the bandwidth of traffic of higher priorities.

Pre-configuration Tasks
Before configuring traffic shaping, complete the following tasks:
- Setting physical parameters of interfaces
- Setting link layer attributes of interfaces to ensure normal operation of the interfaces
- Assigning IP addresses to the interfaces and configuring routing protocols to ensure that routes are reachable

Data Preparation
To configure traffic shaping, you need the following data:
- Rate for traffic shaping on an interface
- (Optional) Rate for traffic shaping in an interface queue, including the CIR and PIR
- Interface on which traffic shaping is applied, or index of the queue


Configuring Traffic Shaping on an Interface


You can configure traffic shaping on an interface to limit the rate of data sent by the interface.

Context
Use this procedure to perform traffic shaping for all the downstream packets on an interface.
If you need to set the same traffic shaping rate on multiple interfaces, you can perform the
configuration on the port group to reduce the workload.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
interface interface-type interface-number

The interface view is displayed.


Or run the port-group port-group-name command to display the port group view.
NOTE

Create a port group before performing this task. For details on how to create a port group, see Configuring
the Interface Group in the AC6605 Access Controller Configuration Guide - Ethernet.

Step 3 Run:
qos lr { inbound | outbound } cir cir-value [ cbs cbs-value ]

The rate for traffic shaping on an interface is set.


By default, the CIR for traffic shaping on an interface is the maximum bandwidth of the interface.
For example, the CIR for traffic shaping on a GE interface is 1000000 kbit/s.
NOTE

- If this command is run repeatedly on the same interface, the latest configuration overrides the previous configuration.
- If traffic shaping in an interface queue is configured on the same interface, the CIR for traffic shaping on the interface must be greater than or equal to the sum of the CIRs for traffic shaping in the interface queues. Otherwise, traffic shaping does not work as intended: for example, traffic of lower priorities preempts the bandwidth of traffic of higher priorities.

----End
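The rule in the note above (interface CIR >= sum of queue CIRs) is easy to break when queues are added over time, and the device does not refuse the configuration. The following Python audit is an added example, not part of this guide or the AC6605 software: it parses a configuration file in the layout the "Configuration Files" sections of this guide use and reports every interface whose qos lr outbound cir is smaller than the sum of its qos queue shaping cir values. The configuration text is constructed; GigabitEthernet0/0/3 is invented to show a violation, and an interface without qos lr is skipped because its CIR is then the default (the full interface bandwidth).

```python
"""Audit interface shaping against queue shaping (added example, not AC6605 code)."""
import re

# Constructed configuration: GE0/0/1 mirrors the traffic shaping example of this
# section; GE0/0/3 is invented and violates the rule (10000 < 6000 + 5000).
SAMPLE_CONFIG = """\
#
sysname Switch
#
interface Vlanif10
 ip address 10.10.10.1 255.255.255.0
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 10
 qos lr outbound cir 20000 cbs 2500000
 qos queue 2 shaping cir 2000 pir 3000
 qos queue 5 shaping cir 5000 pir 8000
 qos queue 6 shaping cir 3000 pir 5000
#
interface GigabitEthernet0/0/3
 qos lr outbound cir 10000
 qos queue 2 shaping cir 6000 pir 8000
 qos queue 5 shaping cir 5000 pir 6000
#
return
"""

INTERFACE_RE = re.compile(r"^interface\s+(\S+)$")
LR_RE = re.compile(r"^qos lr outbound cir (\d+)")
QUEUE_RE = re.compile(r"^qos queue (\d+) shaping cir (\d+) pir (\d+)")


def parse_interfaces(config_text):
    """Map interface name -> {"lr_cir": int or None, "queues": {index: (cir, pir)}}.
    A line consisting of '#' ends the current block, as in the guide's config files."""
    interfaces = {}
    current = None
    for raw in config_text.splitlines():
        line = raw.strip()
        if line == "#":
            current = None
            continue
        m = INTERFACE_RE.match(line)
        if m:
            current = m.group(1)
            interfaces[current] = {"lr_cir": None, "queues": {}}
            continue
        if current is None:
            continue
        m = LR_RE.match(line)
        if m:
            interfaces[current]["lr_cir"] = int(m.group(1))
            continue
        m = QUEUE_RE.match(line)
        if m:
            interfaces[current]["queues"][int(m.group(1))] = (int(m.group(2)), int(m.group(3)))
    return interfaces


def audit_shaping(config_text):
    """Return (interface, interface_cir, sum_of_queue_cirs) for each violation.
    Only interfaces that carry both kinds of shaping are checked."""
    findings = []
    for name, data in parse_interfaces(config_text).items():
        if data["lr_cir"] is None or not data["queues"]:
            continue
        queue_sum = sum(cir for cir, _ in data["queues"].values())
        if data["lr_cir"] < queue_sum:
            findings.append((name, data["lr_cir"], queue_sum))
    return findings


if __name__ == "__main__":
    for name, lr, total in audit_shaping(SAMPLE_CONFIG):
        print(f"{name}: interface CIR {lr} kbit/s < sum of queue CIRs {total} kbit/s")
```

Run it against the output of display current-configuration saved to a file; the units are kbit/s on both sides, so no conversion is needed.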

(Optional) Setting the Length of the Interface Queue


You can set the maximum number of packets that can be buffered in the specified interface queue
by setting the length of the interface queue.

Context
Shut down the interface (run the shutdown command in the interface view) before running the
qos queue queue-index length length-value command. Otherwise, traffic is interrupted and an
alarm is generated.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
interface interface-type interface-number

The interface view is displayed.

Step 3 Run:
qos queue queue-index length length-value

The length of the interface priority queue is set.

----End

Configuring Traffic Shaping in an Interface Queue


This section describes how to configure traffic shaping, enable traffic shaping in an interface
queue, and set traffic shaping parameters.

Context
Use this procedure to perform traffic shaping for packets of a certain type of services on an
interface.
Before configuring traffic shaping in an interface queue, re-mark the internal priorities based on
complex traffic classification so that the different services enter different interface queues.
To set the same queue shaping rate on multiple interfaces, perform the configuration on the port
group to reduce the workload.
NOTE

For details about internal priority re-marking based on complex traffic classification, see Creating a
Traffic Policy Based on Complex Traffic Classification.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
interface interface-type interface-number

The interface view is displayed.


Or, run:
port-group port-group-name

The port group view is displayed.


NOTE

Create a port group before performing this task. For details on how to create a port group, see Configuring
the Interface Group in the AC6605 Access Controller Configuration Guide - Ethernet.


Step 3 Run:
qos queue queue-index shaping cir cir-value pir pir-value [ cbs cbs-value pbs pbs-value ]

The rate for traffic shaping in an interface queue is set.


By default, the rate for traffic shaping in an interface queue is the maximum bandwidth of the
interface.
----End

Checking the Configuration


After traffic shaping is configured, you can view the rate limit on an interface or in an interface
queue.

Procedure
- Run the display qos lr { inbound | outbound } interface interface-type interface-number command to check the rate limit on the specified interface.
- Run the display qos queue statistics interface interface-type interface-number command to check the rate limit of the interface queue.
- Run the display qos configuration interface [ interface-type interface-number ] command to check all the QoS configurations on the interface.

----End

7.2.5 Maintaining Traffic Policing and Traffic Shaping


This section describes how to maintain traffic policing and traffic shaping.

Displaying the Traffic Statistics


If the traffic statistics action is configured, you can run display commands to view the traffic
statistics.

Context
To view the flow-based traffic statistics, a traffic policy must exist and contain the traffic
statistics action.

Procedure
- Run the display traffic policy statistics { global [ slot slot-id ] | interface interface-type interface-number | vlan vlan-id } { inbound | outbound } [ verbose { classifier-base | rule-base } [ class classifier-name ] ] command to check the flow-based traffic statistics.

----End

Checking the Usage of the Queue


You can use display commands to view the usage of queues.

Context
To obtain the usage of queues, you can run the following command in any view.

Procedure
- Run the display qos queue length interface interface-type interface-number command to view the usage of priority queues on the interface.

----End

Clearing the Traffic Statistics


You can use the reset commands to clear the traffic statistics.

Context

CAUTION
The traffic statistics cannot be restored after being cleared. Exercise caution when you run the
command.

Procedure
- Run the reset traffic policy statistics { global [ slot slot-id ] | interface interface-type interface-number | vlan vlan-id } { inbound | outbound } command to clear the flow-based traffic statistics.
- Run the reset qos queue statistics interface interface-type interface-number command on the AC6605 to clear the queue-based traffic statistics on the interface.

----End

7.2.6 Configuration Examples


This section provides several configuration examples of traffic policing and traffic shaping.

Example for Configuring Traffic Policing Based on an Interface


You can configure interface-based traffic policing so that the Switch can provide different
bandwidth services for users.

Networking Requirements
As shown in Figure 7-5, the Switch is connected to the router through GE 0/0/3; branch 1 and
branch 2 of the enterprise are connected to the Switch through GE 0/0/1 and GE 0/0/2 and access
the network through the Switch and the router. Branch 1 and branch 2 of the enterprise require
8 Mbit/s and 5 Mbit/s of bandwidth respectively.

Figure 7-5 Networking diagram of traffic policing
[Figure: the Switch connects to the router and the core network through GE0/0/3; LSW1 (branch 1 of the enterprise) connects to GE 0/0/1 and LSW2 (branch 2 of the enterprise) connects to GE 0/0/2 of the Switch.]

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure interfaces of the Switch so that users can access the network.
2. Configure traffic policing on GE 0/0/1 and GE 0/0/2 of the Switch in the inbound direction.

Data Preparation
To complete the configuration, you need the following data:
- Uplink interface address of the Switch: 192.168.1.1/24
- VLAN IDs of branch 1 and branch 2 of the enterprise: VLAN 100 and VLAN 200
- CIR of branch 1: 8192 kbit/s; CIR of branch 2: 5120 kbit/s

Procedure
Step 1 Create VLANs and configure interfaces of the Switch.
# Create VLANs 100, 200, and 300, and then add GE 0/0/1, GE 0/0/2, and GE 0/0/3 to VLANs
100, 200, and 300 respectively.
<Quidway> system-view
[Quidway] sysname Switch
[Switch] vlan batch 100 200 300

# Set the link type of GE 0/0/1, GE 0/0/2, and GE 0/0/3 to trunk. Allow packets from VLAN 100
on GE 0/0/1, from VLAN 200 on GE 0/0/2, and from VLANs 100, 200, and 300 on the uplink
interface GE 0/0/3.
[Switch] interface gigabitethernet0/0/1
[Switch-GigabitEthernet0/0/1] port link-type trunk
[Switch-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[Switch-GigabitEthernet0/0/1] quit
[Switch] interface gigabitethernet0/0/2
[Switch-GigabitEthernet0/0/2] port link-type trunk
[Switch-GigabitEthernet0/0/2] port trunk allow-pass vlan 200
[Switch-GigabitEthernet0/0/2] quit
[Switch] interface gigabitethernet0/0/3
[Switch-GigabitEthernet0/0/3] port link-type trunk
[Switch-GigabitEthernet0/0/3] port trunk allow-pass vlan 100 200 300
[Switch-GigabitEthernet0/0/3] quit

# Create VLANIF 300 and set its network segment address to 192.168.1.1/24.
[Switch] interface vlanif 300
[Switch-Vlanif300] ip address 192.168.1.1 24
[Switch-Vlanif300] quit
NOTE

# On the router, set the IP address of the interface connecting the router and Switch to 192.168.1.2/24.

Step 2 Configure interface-based traffic policing.


# Configure traffic policing on GE 0/0/1 and GE 0/0/2 of the Switch.
[Switch] interface gigabitethernet0/0/1
[Switch-GigabitEthernet0/0/1] qos lr inbound cir 8192
[Switch-GigabitEthernet0/0/1] quit
[Switch] interface gigabitethernet0/0/2
[Switch-GigabitEthernet0/0/2] qos lr inbound cir 5120
[Switch-GigabitEthernet0/0/2] quit

Step 3 Verify the configuration.


# View the traffic policing configuration.
[Switch] display qos lr inbound interface gigabitethernet0/0/1
GigabitEthernet0/0/1 lr inbound:
cir: 8192 Kbps, cbs: 1024000 Byte
[Switch] display qos lr inbound interface gigabitethernet0/0/2
GigabitEthernet0/0/2 lr inbound:
cir: 5120 Kbps, cbs: 640000 Byte

----End

Configuration Files
- Configuration file of the Switch


#
sysname Switch
#
vlan batch 100 200 300
#
interface Vlanif300
ip address 192.168.1.1 255.255.255.0
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100
qos lr inbound cir 8192 cbs 1024000
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 200
qos lr inbound cir 5120 cbs 640000

#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk allow-pass vlan 100 200 300
#
return

Example for Configuring Traffic Policing Based on a Traffic Classifier


The Switch provides different bandwidth by configuring traffic policing based on a traffic
classifier and setting different CAR parameters.

Networking Requirements
The Switch is connected to the router through GE 0/0/2, and enterprise users access the network
through the Switch and the router. As shown in Figure 7-6:
- Voice services belong to VLAN 120.
- Video services belong to VLAN 110.
- Data services belong to VLAN 100.
On the Switch, traffic policing needs to be performed on the packets of the different services to
keep each service within a proper traffic range and to ensure the bandwidth of each service.
The DSCP priorities carried in service packets sent from the user side cannot be trusted, because
a user host can set any DSCP value it likes, and the services require different QoS in practice.
Therefore, the Switch must re-mark the DSCP priorities of the different service packets so that
the downstream router processes packets according to priorities set by the Switch rather than
priorities chosen by the user.
The requirements are listed in Table 7-2.
Table 7-2 QoS provided by the Switch for upstream traffic
Traffic Type    CIR (Mbit/s)    PIR (Mbit/s)    DSCP Priority
Voice           2               10              46
Video           4               10              30
Data            4               10              14

Figure 7-6 Network diagram for configuring traffic policing based on a traffic classifier
[Figure: the enterprise phone (VLAN 120), PC (VLAN 100), and TV (VLAN 110) connect to the enterprise LSW; the LSW connects to GE0/0/1 of the Switch, and GE0/0/2 of the Switch connects to the router and the core network.]

Configuration Roadmap
The configuration roadmap is as follows:
1. Create VLANs and configure interfaces so that the enterprise can access the network through the Switch.
2. Create traffic classifiers based on the VLAN ID on the Switch.
3. Create traffic behaviors on the Switch to limit the traffic received from the enterprise and re-mark the DSCP priorities of packets.
4. Create a traffic policy on the Switch, bind the traffic behaviors to the traffic classifiers in the traffic policy, and apply the traffic policy to the interface between the enterprise and the Switch.

Data Preparation
To complete the configuration, you need the following data:
- Names of the traffic classifiers matching the service flows
- Re-marked priorities of packets with different VLAN IDs
- CAR parameters for packets with different VLAN IDs: CIR and PIR values
- Type and number of the interface to which the traffic policy needs to be applied

Procedure
Step 1 Create VLANs and configure interfaces.
# Create VLAN 100, VLAN 110, and VLAN 120 on the Switch.
<Quidway> system-view
[Quidway] sysname Switch
[Switch] vlan batch 100 110 120

# Set the link type of GE 0/0/1 and GE 0/0/2 to trunk, and add GE 0/0/1 and GE 0/0/2 to
VLAN 100, VLAN 110, and VLAN 120.
[Switch] interface gigabitethernet 0/0/1
[Switch-GigabitEthernet0/0/1] port link-type trunk
[Switch-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 110 120
[Switch-GigabitEthernet0/0/1] quit
[Switch] interface gigabitethernet 0/0/2
[Switch-GigabitEthernet0/0/2] port link-type trunk
[Switch-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 110 120
[Switch-GigabitEthernet0/0/2] quit

Step 2 Create traffic classifiers.

# Create traffic classifiers c1 to c3 on the Switch to match the different service flows from the
enterprise based on VLAN IDs.
[Switch] traffic classifier c1 operator and
[Switch-classifier-c1] if-match vlan-id 120
[Switch-classifier-c1] quit
[Switch] traffic classifier c2 operator and
[Switch-classifier-c2] if-match vlan-id 110
[Switch-classifier-c2] quit
[Switch] traffic classifier c3 operator and
[Switch-classifier-c3] if-match vlan-id 100
[Switch-classifier-c3] quit


Step 3 Create traffic behaviors.


# Create traffic behaviors b1 to b3 on the Switch to limit different service flows and re-mark
priorities.
[Switch] traffic behavior b1
[Switch-behavior-b1] car cir 2000 pir 10000 green pass
[Switch-behavior-b1] remark dscp 46
[Switch-behavior-b1] statistic enable
[Switch-behavior-b1] quit
[Switch] traffic behavior b2
[Switch-behavior-b2] car cir 4000 pir 10000 green pass
[Switch-behavior-b2] remark dscp 30
[Switch-behavior-b2] statistic enable
[Switch-behavior-b2] quit
[Switch] traffic behavior b3
[Switch-behavior-b3] car cir 4000 pir 10000 green pass
[Switch-behavior-b3] remark dscp 14
[Switch-behavior-b3] statistic enable
[Switch-behavior-b3] quit

Step 4 Create a traffic policy and apply it on the interface.


# Create traffic policy p1 on the Switch, bind traffic classifiers to traffic behaviors in the traffic
policy, and apply the traffic policy to GE0/0/1 in the inbound direction to limit the packets
received from the user side and re-mark priorities of these packets.
[Switch] traffic policy p1
[Switch-trafficpolicy-p1] classifier c1 behavior b1
[Switch-trafficpolicy-p1] classifier c2 behavior b2
[Switch-trafficpolicy-p1] classifier c3 behavior b3
[Switch-trafficpolicy-p1] quit
[Switch] interface gigabitethernet 0/0/1
[Switch-GigabitEthernet0/0/1] traffic-policy p1 inbound
[Switch-GigabitEthernet0/0/1] quit

Step 5 Verify the configuration.


# Check the configuration of the traffic classifier.
[Switch] display traffic classifier user-defined
User Defined Classifier Information:
Classifier: c2
Precedence: 10
Operator: AND
Rule(s) : if-match vlan-id 110
Classifier: c3
Precedence: 15
Operator: AND
Rule(s) : if-match vlan-id 100
Classifier: c1
Precedence: 5
Operator: AND
Rule(s) : if-match vlan-id 120
Total classifier number is 3

# Check the configuration of the traffic policy. Here, the configuration of the traffic policy p1
is displayed.
[Switch] display traffic policy user-defined p1
User Defined Traffic Policy Information:
Policy: p1
Classifier: c1
Operator: AND
Behavior: b1


Committed Access Rate:
CIR 2000 (Kbps), CBS 250000 (Byte)
PIR 10000 (Kbps), PBS 1250000 (Byte)
Green Action  : pass
Yellow Action : pass
Red Action    : discard
Marking:
Remark DSCP ef
Statistic: enable
Classifier: c2
Operator: AND
Behavior: b2
Committed Access Rate:
CIR 4000 (Kbps), CBS 500000 (Byte)
PIR 10000 (Kbps), PBS 1250000 (Byte)
Green Action  : pass
Yellow Action : pass
Red Action    : discard
Marking:
Remark DSCP af33
Statistic: enable
Classifier: c3
Operator: AND
Behavior: b3
Committed Access Rate:
CIR 4000 (Kbps), CBS 500000 (Byte)
PIR 10000 (Kbps), PBS 1250000 (Byte)
Green Action  : pass
Yellow Action : pass
Red Action    : discard
Marking:
Remark DSCP af13
Statistic: enable

# Check the traffic statistics of the traffic policy applied to an interface. Here, the statistics of
the traffic policy applied to GE0/0/1 in the inbound direction are displayed.
[Switch] display traffic policy statistics interface gigabitethernet 0/0/1 inbound
Interface: GigabitEthernet0/0/1
Traffic policy inbound: p1
Rule number: 3
Current status: OK!
---------------------------------------------------------------------
Board : 1
Item                    Packets                 Bytes
---------------------------------------------------------------------
Matched                 10                      10000
 +--Passed              8                       8000
 +--Dropped             2                       2000
   +--Filter            2                       2000
   +--URPF
   +--CAR               2                       2000

----End

Configuration Files
- Configuration file of the Switch


#
sysname Switch
#
vlan batch 100 110 120
#
traffic classifier c1 operator and
if-match vlan-id 120
traffic classifier c2 operator and
if-match vlan-id 110
traffic classifier c3 operator and

if-match vlan-id 100


#
traffic behavior b1
car cir 2000 pir 10000 cbs 250000 pbs 1250000 green pass yellow pass red discard
remark dscp ef
statistic enable
traffic behavior b2
car cir 4000 pir 10000 cbs 500000 pbs 1250000 green pass yellow pass red discard
remark dscp af33
statistic enable
traffic behavior b3
car cir 4000 pir 10000 cbs 500000 pbs 1250000 green pass yellow pass red discard
remark dscp af13
statistic enable
#
traffic policy p1
classifier c1 behavior b1
classifier c2 behavior b2
classifier c3 behavior b3
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100 110 120
traffic-policy p1 inbound
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100 110 120
#
return

Example for Configuring Traffic Shaping


You can configure traffic shaping and set different traffic shaping rates for different types of
packets to reduce the jitter and ensure bandwidth of various services.

Networking Requirements
As shown in Figure 7-7, the Switch is connected to the router through GE 0/0/2. The 802.1p
priorities of the voice, video, and data services from the Internet are 6, 5, and 2 respectively,
and these services reach users through the router and the Switch. The rate of the traffic from the
network side is greater than the rate of the LSW interface, so jitter may occur in the outbound
direction of GE 0/0/1. To reduce the jitter and ensure the bandwidth of the various services, the
requirements are as follows:
- The CIR on the interface is 20000 kbit/s.
- The CIR and PIR for the voice service are 3000 kbit/s and 5000 kbit/s respectively.
- The CIR and PIR for the video service are 5000 kbit/s and 8000 kbit/s respectively.
- The CIR and PIR for the data service are 2000 kbit/s and 3000 kbit/s respectively.


Figure 7-7 Networking diagram for configuring traffic shaping
[Figure: the residence's phone (802.1p=6), PC (802.1p=2), and TV (802.1p=5) connect to the LSW; the LSW connects to GE0/0/1 of the Switch, and GE0/0/2 of the Switch connects to the router and the core network.]

Configuration Roadmap
The configuration roadmap is as follows:
1. Create VLANs and configure each interface so that the residential user can access the network through the Switch.
2. Configure the network-side interface to trust the 802.1p priorities of packets.
3. Configure traffic shaping on the user-side interface to limit the bandwidth of the interface.
4. Configure traffic shaping in the interface queues to limit the CIRs and PIRs of the voice, video, and data services.

Data Preparation
To complete the configuration, you need the following data:
- 802.1p priorities of the services
- Rate for traffic shaping on the interface
- Rate for traffic shaping in each interface queue

Procedure
Step 1 Create VLANs and configure interfaces.
# Create VLAN 10.
<Quidway> system-view
[Quidway] sysname Switch
[Switch] vlan batch 10

# Set the type of GE 0/0/1 and GE 0/0/2 to trunk, and then add GE 0/0/1 and GE 0/0/2 to VLAN
10.
[Switch] interface gigabitethernet0/0/1
[Switch-GigabitEthernet0/0/1] port link-type trunk
[Switch-GigabitEthernet0/0/1] port trunk allow-pass vlan 10
[Switch-GigabitEthernet0/0/1] quit
[Switch] interface gigabitethernet0/0/2


[Switch-GigabitEthernet0/0/2] port link-type trunk


[Switch-GigabitEthernet0/0/2] port trunk allow-pass vlan 10
[Switch-GigabitEthernet0/0/2] quit

# Create VLANIF 10 and assign network segment address 10.10.10.1/24 to VLANIF 10.
[Switch] interface vlanif 10
[Switch-Vlanif10] ip address 10.10.10.1 255.255.255.0
[Switch-Vlanif10] quit
NOTE

Assign IP address 10.10.10.2/24 to the interface connecting the router and Switch.

Step 2 Configure the interface to trust the 802.1p priorities of packets.

# Configure GE 0/0/2, the network-side interface, to trust the 802.1p priorities of incoming packets.
[Switch] interface gigabitethernet 0/0/2
[Switch-GigabitEthernet0/0/2] trust 8021p
[Switch-GigabitEthernet0/0/2] quit

Step 3 Configure traffic shaping on an interface.


# Configure traffic shaping on an interface of the Switch and set the CIR to 20000 kbit/s.
[Switch] interface gigabitethernet 0/0/1
[Switch-GigabitEthernet0/0/1] qos lr outbound cir 20000

Step 4 Configure traffic shaping in an interface queue.

# Configure traffic shaping in the interface queues on the Switch, and then set the CIR and PIR
of the voice service to 3000 kbit/s and 5000 kbit/s, the CIR and PIR of the video service to 5000
kbit/s and 8000 kbit/s, and the CIR and PIR of the data service to 2000 kbit/s and 3000 kbit/s.
[Switch-GigabitEthernet0/0/1] qos queue 6 shaping cir 3000 pir 5000
[Switch-GigabitEthernet0/0/1] qos queue 5 shaping cir 5000 pir 8000
[Switch-GigabitEthernet0/0/1] qos queue 2 shaping cir 2000 pir 3000
[Switch-GigabitEthernet0/0/1] quit
[Switch] quit

Step 5 Verify the configuration.


# If the configuration succeeds, the committed bandwidth for the packets transmitted by GE0/0/1
is 20000 kbit/s; the transmission rate of the voice service ranges from 3000 kbit/s to 5000 kbit/
s; the transmission rate of the video service ranges from 5000 kbit/s to 8000 kbit/s; the
transmission rate of the data service ranges from 2000 kbit/s to 3000 kbit/s.
----End

Configuration Files
- Configuration file of the Switch


#
sysname Switch
#
vlan batch 10
#
interface Vlanif10
ip address 10.10.10.1 255.255.255.0
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 10
qos lr outbound cir 20000 cbs 2500000
qos queue 2 shaping cir 2000 pir 3000
qos queue 5 shaping cir 5000 pir 8000


qos queue 6 shaping cir 3000 pir 5000


#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 10
trust 8021p
#
return

7.3 Congestion Avoidance and Congestion Management Configuration
This chapter describes the basic concepts of congestion avoidance and congestion management.
It also describes configuration methods and provides configuration examples of congestion
avoidance and congestion management.

7.3.1 Overview of Congestion Avoidance and Congestion Management
This section describes the basic concepts of congestion avoidance and congestion management.

Congestion Avoidance
Congestion avoidance is a flow control mechanism. A system configured with congestion
avoidance monitors network resource usage such as queues and memory buffers. When
congestion occurs or aggravates, the system discards packets.
Congestion avoidance mechanisms include tail drop, Random Early Detection (RED), and
Weighted Random Early Detection (WRED). The AC6605 performs congestion avoidance based
on WRED.

Tail Drop
The traditional packet drop policy uses tail drop. The tail drop policy processes all the packets
uniformly, regardless of their class of service (CoS). When congestion occurs, packets at the
end of a queue are discarded until the congestion problem is solved.
The tail drop policy causes global TCP synchronization. When packets from multiple TCP
connections are discarded in a queue, these TCP connections enter the congestion avoidance
and slow start state simultaneously, which is called global TCP synchronization. Traffic drops
sharply and then surges again as the connections ramp up together. As this process repeats, the
volume of network traffic oscillates between heavy and light, which lowers link usage.

RED
The RED mechanism randomly discards packets so that the AC6605 reduces the transmission
speeds of multiple TCP connections at different periods of time. This prevents global TCP
synchronization.
RED sets the upper threshold and lower threshold for the length of each queue and processes
packets as follows:
l When the queue length is shorter than the lower threshold, no packet is discarded.
l When the queue length exceeds the upper threshold, all the received packets are discarded.
l When the queue length ranges from the lower threshold to the upper threshold, incoming
packets are dropped randomly. The system sets a random number for each incoming packet,
and compares it with the packet drop probability of the current queue. If the random number
is larger than the drop probability, the packet is dropped. The longer the queue, the higher
the drop probability.

WRED
The WRED mechanism also prevents global TCP synchronization by randomly discarding
packets. The random number generated by WRED is based on the priority. WRED distinguishes
the drop policy based on colors of packets, so the drop probability of packets with higher
priorities is low.

SRED
The AC6605 implements the Simple Random Early Detection (SRED) technology based on the
RED technology. In a queue on an outbound interface, the AC6605 colors the packets red or
yellow according to the priorities of packets; the AC6605 sets a threshold for discarding red
packets, a threshold for discarding yellow packets, and the drop probability.
Based on SRED, the AC6605 actively discards packets in the queue based on the drop probability
to adjust the rate of outgoing traffic at the interface.

Congestion Management
When intermittent congestion occurs on the network, delay-sensitive services require higher
QoS than others. In this case, congestion management is required. The bandwidth needs to be
increased if a network is always congested.
Congestion management uses the queue scheduling technologies. Currently, the AC6605 adopts
the following queue scheduling modes:
l PQ Scheduling
l WRR Scheduling
l DRR Scheduling
l PQ+WRR/PQ+DRR Scheduling

PQ Scheduling
Priority Queuing (PQ) scheduling is a queuing technology by which packets are scheduled based
on the priorities of queues in a strict manner. The packets of lower priorities can be scheduled
only after packets of higher priorities are scheduled.
In PQ scheduling mode, packets of delay-sensitive core services are put into a high priority queue
and packets of other non-core services are put into a low priority queue. This ensures that core
services are sent first.
The disadvantage of PQ scheduling is that the packets of lower priorities are not processed if
there are a large number of packets of higher priorities, when congestion occurs.


WRR Scheduling
WRR refers to Weighted Round Robin. WRR schedules packets of queues in a polling manner,
ensuring that packets in each queue are sent at a certain time.
Assume that there are eight output queues on an interface. WRR sets weights for the eight queues,
that is, w7, w6, w5, w4, w3, w2, w1, and w0. The weight indicates a percentage of obtaining
resources. For example, the weights of queues on a 100-Mbit/s interface are set to 50, 50, 30,
30, 10, 10, 10, and 10, corresponding to w7, w6, w5, w4, w3, w2, w1, and w0. In this case, the
lowest priority queue can obtain bandwidth of at least 5 Mbit/s. This avoids the disadvantage of
PQ scheduling.
The advantage of WRR is as follows: Although packets in multiple queues are processed in a
polling manner, the time allocated to each queue is not fixed. If a queue is null, packets of the
next queue are scheduled. This ensures better usage of bandwidth.
The disadvantages of WRR are as follows:
l WRR allocates bandwidth according to the number of packets. When the average length
of packets in each queue is the same or known, you can obtain the required bandwidth by
setting the weight of WRR. However, you cannot obtain the required bandwidth by setting
the weight of WRR when the average length of packets in each queue changes.
l The packets of short-delay services such as voice services cannot be scheduled in time.

DRR Scheduling
The principle of Deficit Round Robin (DRR) is similar to the principle of WRR.
The difference is that WRR schedules packets according to the number of packets, but DRR
schedules packets according to the length of packets. If the packet length exceeds the scheduling
capability of a queue, DRR allows the deficit weight to ensure that packets of a long length are
scheduled. When packets are scheduled in a polling manner again, this queue is not scheduled
until the weight becomes positive. Then, this queue participates in DRR scheduling.
DRR scheduling offsets the disadvantage of PQ scheduling and one disadvantage of WRR
scheduling, that is, bandwidth cannot be obtained according to the proportion.
The packets of short-delay services such as voice services cannot be scheduled in time in DRR
mode.

PQ+WRR/PQ+DRR Scheduling
PQ scheduling, WRR scheduling, and DRR scheduling have the following advantages and
disadvantages:
l If only PQ scheduling is used, packets of lower priorities cannot obtain the bandwidth for
a long time.
l If only WRR or DRR scheduling is used, delay-sensitive services such as voice service
cannot be scheduled first.
l PQ+WRR or PQ+DRR scheduling can use the advantages of both PQ and WRR or DRR
scheduling and offset their disadvantages.
Through PQ+WRR or PQ+DRR scheduling, important protocol packets and delay-sensitive
service packets are put in a PQ queue and specified bandwidth is allocated to this queue. Other
packets are put into a WRR or DRR queue according to their priorities and scheduled in a polling
manner according to the weight of the queue.

7.3.2 Configuring Congestion Avoidance on the AC6605


After congestion avoidance is configured, the AC6605 processes packets of different colors
based on the WRED configuration.

Establishing the Configuration Task


Before configuring congestion avoidance, familiarize yourself with the applicable environment,
complete the pre-configuration tasks, and obtain the required data. This will help you complete
the configuration task quickly and accurately.

Applicable Environment
To prevent congestion and solve the problem of global TCP synchronization, you can configure
WRED to adjust the traffic on a network and remove the overload of the traffic on a network.

Pre-configuration Tasks
Before configuring congestion avoidance, complete the following tasks on the incoming
interface: Configuring traffic policing based on complex traffic classification and the remarking
action.
NOTE

Before configuring congestion avoidance, you need to perform either of the preceding tasks to color packets
as the basis of congestion avoidance.

Data Preparation
To configure congestion avoidance, you need the following data.
No.  Data
1    Upper threshold, lower threshold, and maximum drop percent of WRED

(Optional) Setting the Length of the Interface Queue


You can set the maximum number of packets that can be buffered in the specified interface queue
by setting the length of the interface queue.

Context
You must run the shutdown (interface view) command to shut down the interface before running
the qos queue max-length command. Otherwise, traffic is interrupted and an alarm is generated.

Procedure
Step 1 Run:
system-view

The system view is displayed.



Step 2 Run:
interface interface-type interface-number

The interface view is displayed.


Step 3 Run:
qos queue queue-index length length-value

The length of the interface priority queue is set.


----End

Creating a WRED Drop Profile


This section describes how to create a WRED drop profile, and set the upper threshold, lower
threshold, and maximum drop percent of the WRED drop profile for packets of different colors.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
drop-profile drop-profile-name

A drop profile is created and the drop profile view is displayed.


There is a default WRED drop profile. You cannot delete the default WRED drop profile, but
can modify the values of the parameters.
Step 3 Run:
color { green | non-tcp | red | yellow } low-limit low-limit-percentage high-limit
high-limit-percentage discard-percentage discard-percentage

WRED parameters are set.


By default, the upper threshold, lower threshold, and maximum drop percent of a WRED drop
profile are 100.
----End

Applying the WRED Drop Profile


The configured WRED drop profile takes effect only after being applied. You can apply the
WRED drop profile to the system, an interface or a queue.

Context
You can apply a WRED drop profile to an interface or in an interface queue or to the system,
an interface, and an interface queue on the AC6605 as required. The following takes place when
the WRED drop profiles are applied:
l If a WRED drop profile is applied to the system and an interface simultaneously, the WRED
drop profile applied to the interface takes effect. After a WRED drop profile is applied to
the system, it takes effect on all the interfaces.
l If WRED drop profiles are applied to an interface and an interface queue on the AC6605,
the AC6605 matches packets with WRED drop profiles in the interface queue and the
interface in sequence. Then the AC6605 performs congestion avoidance for the matched
packets.

To set the same WRED drop profile on multiple interfaces, perform the configuration on the
port group to reduce the workload.
Before applying a WRED drop profile, run the drop-profile command to create a WRED drop
profile.

Procedure
l Applying a WRED drop profile to the system

1.

Run:
system-view

The system view is displayed.


2.

Run:
qos queue queue-index wred drop-profile-name

A WRED drop profile is applied to the system.


l Applying a WRED drop profile to an interface


1.

Run:
system-view

The system view is displayed.


2.

Run:
interface interface-type interface-number

The interface view is displayed.


3.

Run:
qos wred drop-profile-name

A WRED drop profile is applied to the interface.


l Applying a WRED drop profile to a port group


1.

Run:
system-view

The system view is displayed.


2.

Run:
port-group port-group-name

The port group view is displayed.


NOTE

Create a port group before performing this task. For details on how to create a port group, see
(Optional) Configuring a Port Group in the AC6605 Access Controller Configuration Guide
- Ethernet.

3.

Run:
qos wred drop-profile-name

The WRED drop profile is applied to a port group.


l Applying a WRED drop profile to an interface queue


1.

Run:
system-view

The system view is displayed.


2.

Run:
interface interface-type interface-number

The interface view is displayed.


3.

Run:
qos queue queue-index wred drop-profile-name

The WRED drop profile is applied to an interface queue.


drop-profile-name specifies the name of a WRED drop profile and must be the same as the
name of a WRED drop profile in Creating a WRED Drop Profile.
----End

Checking the Configuration


After congestion avoidance is configured, you can view the name, index, and parameters of the
WRED drop profile.

Prerequisites
The configurations of the WRED drop profile are complete.

Procedure
l Run the display drop-profile [ all | name drop-profile-name ] command to check the
configuration of the WRED drop profile.
l Run the display qos configuration interface interface-type interface-number command
to check all the QoS configurations on the interface.

----End
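As an added example that is not part of the original guide, the following command sequence creates a WRED drop profile in which red packets are dropped earlier and more aggressively than yellow and green ones, applies it to queue 3 of one interface, and then displays the result. The interface GigabitEthernet0/0/3, the profile name wred-data, and the threshold values are assumptions; packet coloring by traffic policing on the inbound interface is assumed to be configured already.

```text
system-view
drop-profile wred-data
color green low-limit 80 high-limit 100 discard-percentage 10
color yellow low-limit 60 high-limit 90 discard-percentage 30
color red low-limit 40 high-limit 80 discard-percentage 60
quit
interface GigabitEthernet0/0/3
qos queue 3 wred wred-data
return
display drop-profile name wred-data
display qos configuration interface GigabitEthernet0/0/3
```

A user-defined profile is needed here because the default profile leaves the upper threshold, lower threshold, and maximum drop percent at 100, which only drops packets once the queue is full.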

7.3.3 Configuring Congestion Management


After congestion management is configured, if congestion occurs on a network, the AC6605
determines the sequence of forwarding packets according to the defined scheduling policy.

Establishing the Configuration Task


Before configuring congestion management, familiarize yourself with the applicable
environment, complete the pre-configuration tasks, and obtain the required data. This will help
you complete the configuration task quickly and accurately.

Applicable Environment
When congestion occurs, you can configure congestion management in the following situations:
l The same delay and jitter are set for various types of packets, and packets of core services
such as video and voice services need to be processed first.
l Packets of non-core services of the same priority, such as email, are processed in a fair
manner, and services of different priorities are processed according to the weights.

Pre-configuration Tasks
Before configuring congestion management, complete the following tasks: Configuring the
remarking action of inner priorities based on complex traffic classification.
NOTE

Before configuring congestion management, you need to perform either of the preceding tasks to map
packets to different queues for scheduling.

Data Preparation
To configure congestion management, you need the following data.
No.  Data
1    Mapping between the local precedence and queues.
2    Mode of queue scheduling.
3    Weight of queues in deficit round robin (DRR) scheduling mode.
4    Weight of queues in weighted round robin (WRR) scheduling mode.
5    (Optional) Minimum size of the static buffer for a queue.
6    (Optional) Maximum number of packets for a queue.

Setting the Scheduling Mode for an Interface Queue


The AC6605 supports the following scheduling modes: PQ, DRR, WRR, PQ+DRR, and PQ
+WRR.

Context
The AC6605 supports eight interface queues that can use different scheduling algorithms. During
queue scheduling, packets in a PQ queue are first scheduled. If there are multiple PQ queues,
the packets are scheduled in descending order of priorities of these PQ queues. After packets in
PQ queues are scheduled, packets in WRR or DRR queues are scheduled in a polling manner.
If you need to set the same scheduling parameters on multiple interfaces, you can perform the
configuration on the port group to reduce the workload.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
interface interface-type interface-number

The interface view is displayed.


Or run the port-group port-group-name command to enter the port group view.
NOTE

Create a port group before performing this task. For details about creating a port group, see (Optional)
Configuring a Port Group in the AC6605 Access Controller Configuration Guide - Ethernet.

Step 3 Run:
qos { pq | wrr | drr }

The scheduling mode of an interface queue is set to PQ, WRR, or DRR.


By default, WRR scheduling is used.
Step 4 (Optional) Run:
qos queue queue-index wrr weight weight

The weight of an interface queue in WRR mode is set.


By default, the weight in WRR mode is 1.
You need to perform this step only when the scheduling mode of an interface queue is set to
WRR or PQ+WRR.
NOTE

When WRR scheduling is applied and the weight of a queue is set to 0, the queue applies PQ scheduling
and other queues apply WRR scheduling. That is, the overall scheduling mode is PQ+WRR.

Step 5 (Optional) Run:
qos queue queue-index drr weight weight

The weight of an interface queue in DRR mode is set.


By default, the weight in DRR mode is 1.
You need to perform this step only when the scheduling mode of an interface queue is set to
DRR or PQ+DRR.
NOTE

When DRR scheduling is applied and the weight of a queue is set to 0, the queue applies PQ scheduling
and other queues apply DRR scheduling. That is, the overall scheduling mode is PQ+DRR.

----End

Checking the Configuration


After congestion management is configured, you can view the queue-based traffic statistics and
the scheduling parameters of the queues on a specified interface.

Prerequisites
The congestion management configurations are complete.

Procedure
l Run the display qos local-precedence-queue-map command to check the mappings
between local precedences and queues.
l Run the display qos configuration interface interface-type interface-number command
to check all the QoS configurations on the interface.

----End
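As an added example that is not part of the original guide, the following sequence configures PQ+WRR scheduling on one interface: queue 7 is given weight 0 and is therefore served as a PQ queue for delay-sensitive traffic, while queues 6 to 0 share the remaining bandwidth in a polling manner according to their weights. The interface name and the weight values are assumptions, and the mapping of local precedence to queues is assumed to be in place.

```text
system-view
interface GigabitEthernet0/0/3
qos wrr
qos queue 7 wrr weight 0
qos queue 6 wrr weight 50
qos queue 5 wrr weight 50
qos queue 4 wrr weight 30
qos queue 3 wrr weight 30
qos queue 2 wrr weight 10
qos queue 1 wrr weight 10
qos queue 0 wrr weight 10
return
display qos configuration interface GigabitEthernet0/0/3
display qos queue statistics interface GigabitEthernet0/0/3
```

Watch the discarded-packet counters in the queue statistics: steadily growing drops in queues 0 to 6 while queue 7 keeps forwarding means the PQ queue is starving the WRR queues, which is the PQ disadvantage described above.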

7.3.4 Maintaining Congestion Avoidance and Congestion Management
This section describes how to maintain congestion avoidance and congestion management.

Displaying the Queue-based Statistics


You can use display commands to view the queue-based traffic statistics such as the number of
forwarded and discarded packets.

Context
To view the queue-based traffic statistics, run the following command in any view.

Procedure
l Run the following commands to view the queue-based traffic statistics based on device
model.
Run the display qos queue statistics interface interface-type interface-number
command on the device to view the queue-based traffic statistics.

----End

Clearing the Queue-based Statistics


You can use the reset command to clear the queue-based traffic statistics.

Context
To re-collect the queue-based statistics on an interface, you can use the following command in
the user view to clear the previous statistics.

CAUTION
The queue-based statistics cannot be restored after you clear them. So, confirm the action before
you use the command.

Procedure
l Run the reset qos queue statistics interface interface-type interface-number command to
clear the queue-based traffic statistics on the interface.

----End
8 Configuration Guide - Security

About This Chapter


This document describes security features of the AC6605 including AAA and user management,
Network Access Control (NAC), DHCP snooping, ARP security, IP source guard, IP source
trail, local attack defense, traffic suppression, and ACL from aspects of function introduction,
configuration methods, maintenance, and configuration examples.
This document guides you through the principle and configuration of security features.
8.1 AAA Configuration
The AAA-capable device checks validity of users and assigns rights to authorized users to ensure
network security.
8.2 NAC Configuration(for wired users)
This chapter describes NAC principles for wired users and configuration methods and provides
configuration examples.
8.3 NAC Configuration(for wireless users)
This chapter describes NAC principles for wireless users and configuration methods and
provides configuration examples.
8.4 DHCP Snooping Configuration
This chapter describes how to configure Dynamic Host Configuration Protocol (DHCP)
snooping on the AC6605 to defend against DHCP attacks.
8.5 ARP Security Configuration
The ARP security technology ensures security and robustness of network devices by filtering
out untrusted ARP packets and perform timestamp suppression for some ARP packets.
8.6 Source IP Attack Defense Configuration
This chapter describes the source IP attack defense configuration.
8.7 Local Attack Defense Configuration
This chapter describes the principle and configuration of local attack defense.
8.8 Traffic Suppression Configuration
This chapter describes configuration procedures for traffic suppression and provides
configuration examples.
8.9 ACL Configuration
The ACL classifies packets according to the rules. After these rules are applied to the interfaces
on the AC6605, the AC6605 can determine packets that are received and rejected.

8.1 AAA Configuration


The AAA-capable device checks validity of users and assigns rights to authorized users to ensure
network security.

8.1.1 AAA Overview


Authentication, Authorization, and Accounting (AAA) is a security technology.

Security Functions Provided by AAA


l Authentication: verifies whether users are authorized for network access.
l Authorization: authorizes users to use particular services.
l Accounting: records the network resources used by users.

Users can only use one or two security services provided by AAA. For example, if a company
wants to authenticate employees that access certain network resources, the network administrator
only needs to configure an authentication server. If the company also wants to record operations
performed by employees on the network, an accounting server is needed.

AAA Architecture
AAA uses the client/server model, as shown in Figure 8-1. AAA architecture features good
scalability and facilitates centralized user information management.
Figure 8-1 AAA architecture

Access user

AAA client

AAA server

The AAA client authenticates a user who wants to access the network through the AAA client.
The AAA client then sends the user's authentication, authorization, and accounting information
to the AAA server.

Domain-based User Management


The device uses domains to manage users. You can apply the authentication, authorization, and
accounting schemes to a domain so that the device can authenticate, authorize, or charge users
in the domain using the schemes.
Each user of the device belongs to a domain. The domain to which a user belongs is determined
by the character string suffixed to the domain name delimiter that can be @, |, or %. For example,
if the user name is user@huawei, the user belongs to the huawei domain. If the user name does
not contain @, the user belongs to the default domain named default in the system.
The device has two default domains: default (global default domain for common access users)
and default_admin (global default domain for administrators). The two domains can be
modified but cannot be deleted. If the domain of an access user cannot be obtained, the default
domain is used.
l The default domain is used for access users such as NAC access users. By default, local
authentication is performed for users in this domain.
l The default_admin domain is used for administrators such as the administrators who log
in using HTTP, SSH, Telnet, FTP, and terminals. By default, local authentication is
performed for users in this domain.

The device supports a maximum of 32 domains, including the two default domains.
NOTE

A user-defined domain can be configured as a global default domain for common access users and administrators.

Authorization information configured in a domain has a lower priority than authorization
information delivered by an AAA server. That is, the authorization information delivered by an
AAA server is used preferentially. When the AAA server does not have or does not support
authorization, the authorization attributes configured in a domain take effect. In this manner,
you can increase services flexibly by means of domain management, regardless of the
authorization attributes provided by the AAA server.

8.1.2 AAA Features Supported by the Device


The device supports RADIUS or HWTACACS authentication, authorization, and accounting,
and local authentication and authorization.
The device supports the combination of local, RADIUS, and HWTACACS authentication,
authorization, and accounting. For example, the device provides local authentication, local
authorization, and RADIUS accounting. In practice, the following schemes are used separately:
l Local authentication and authorization
If users need to be authenticated or authorized but no RADIUS server or HWTACACS
server is deployed on the network, use local authentication and authorization. Local
authentication and authorization feature fast processing and low operation cost, whereas
the amount of information that can be stored is limited by the device hardware capacity.
Local authentication and authorization are often used for administrators.
l RADIUS authentication and accounting
RADIUS protects a network from unauthorized access, which is often used on the networks
demanding high security and remote user access control.
l HWTACACS authentication, authorization, and accounting
HWTACACS protects a network from unauthorized access and supports command-line
authorization. Compared with RADIUS, HWTACACS is more reliable in transmission and
encryption, and is more suitable for security control.

Multiple authentication or authorization modes can be used in a scheme. For example, local
authentication is used as a backup of RADIUS authentication and HWTACACS authentication,
and local authorization is used as a backup of HWTACACS authorization.

Configuration Process
Figure 8-2 shows the three AAA configuration processes.

Figure 8-2 AAA configuration process
The figure is a flowchart with one column per process; mandatory and optional steps are distinguished in the figure:
l Configuring local authentication and authorization: Configure AAA schemes, Configure a local user, Configure a service scheme, Apply AAA schemes for a domain
l Configuring RADIUS authentication and accounting: Configure AAA schemes, Configure the RADIUS server template, Configure a service scheme, Apply AAA schemes for a domain
l Configuring HWTACACS authentication, authorization, and accounting: Configure AAA schemes, Configure the HWTACACS server template, Configure a service scheme, Apply AAA schemes for a domain

8.1.3 Configuring Local Authentication and Authorization


After local authentication and authorization are configured, the device authenticates and
authorizes access users based on the local user information.

Local Authentication and Authorization


In local authentication and authorization, user information including the local user name,
password, and attributes is configured on the device. Local authentication and authorization
feature fast processing and low operation cost, whereas the amount of information that can be
stored is limited by the device hardware capacity.

Pre-configuration Tasks
Before configuring local authentication and authorization, complete the following task:
l Configuring physical attributes for interfaces to ensure that the physical layer status of the
interfaces is Up

Configuring AAA Schemes


Context
To use local authentication and authorization, set the authentication mode in an authentication
scheme to local authentication and the authorization mode in an authorization scheme to local
authorization.
By default, the device performs local authentication and authorization for access users.
Procedure
l Configuring an authentication scheme


1.

Run:
system-view

The system view is displayed.


2.

Run:
aaa

The AAA view is displayed.


3.

Run:
authentication-scheme authentication-scheme-name

An authentication scheme is created, and the corresponding authentication scheme
view or an existing authentication scheme view is displayed.
By default, there is an authentication scheme named default on the device. This default
scheme can be modified but cannot be deleted.
4.

Run:
authentication-mode local

The authentication mode is set to local authentication.


5.

(Optional) Run:
authentication-super { hwtacacs | radius | super } [ none ]

The authentication mode used to upgrade user levels is configured.


6.

Run:
quit

The AAA view is displayed.


7.

(Optional) Run:
domainname-parse-direction { left-to-right | right-to-left }

The direction in which the user name and domain name are parsed is configured.
l Configuring an authorization scheme


1.

Run:
system-view

The system view is displayed.


2.

Run:
aaa

The AAA view is displayed.


3.

Run:
authorization-scheme authorization-scheme-name

An authorization scheme is created, and the corresponding authorization scheme view
or an existing authorization scheme view is displayed.
By default, there is a default authorization scheme named default on the device. This
default authorization scheme can be modified but cannot be deleted.
4.

Run:
authorization-mode local [ none ]

The authorization mode is configured.


5.

Run:
quit

The AAA view is displayed.


6.

(Optional) Run:
authorization-modify mode { modify | overlay }

The update mode of user authorization information delivered by the authorization
server is configured.
By default, the update mode of user authorization information delivered by the
authorization server is overlay.
NOTE

This step is applicable to only wireless users.

----End

Configuring a Local User


Context
When local authentication and authorization are configured, configure authentication and
authorization information on the device, including the user name, password, and user level.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
aaa

The AAA view is displayed.


Step 3 Run:
local-user user-name password cipher password

A local user is created and the user password is configured.


NOTE

If the user name contains a domain name delimiter such as @, |, and %, the character string before the
delimiter is the user name and the character string behind the delimiter is the domain name. If the user
name does not contain a domain name delimiter, the entire character string is the user name and the domain
name is default.

Step 4 (Optional) Run:
local-user user-name service-type { 8021x | bind | ftp | http | ppp | ssh | telnet
| terminal | web | x25-pad } *

The access type is configured for the local user.


By default, a local user can use any access type.
Step 5 (Optional) Run:
local-user user-name idle-timeout minutes [ seconds ]

The idle timeout interval is configured for the local user.


Step 6 (Optional) Run:
local-user user-name ftp-directory directory

The FTP directory is configured for the local user.


By default, the FTP directory of a local user is empty.
When the device functions as an FTP server, you must configure the FTP directory that FTP
users can access. Otherwise, FTP users cannot access the device.
Step 7 (Optional) Configure the level of the local user or the group to which the local user belongs.
l Run the local-user user-name privilege level level command to configure the level of the
local user.
l Run the local-user user-name user-group group-name command to add the local user to the
specified user group.
NOTE

This step is applicable to only wireless users.

Step 8 Run:
local-user user-name expire-date expire-date

The expiry date of the local account is specified.


By default, a local account is permanently valid.
Step 9 (Optional) Run:
local-user user-name state { active | block }

The state of the local user is configured.


By default, a local user is in active state.
The device processes requests from users in different states as follows:
l If a local user is in active state, the device accepts and processes the authentication request
from the user.
l If a local user is in blocking state, the device rejects the authentication request from the user.
Step 10 (Optional) Run:
local-user user-name access-limit max-number

The maximum number of connections that can be established by the local user is configured.
By default, the number of connections established by a user is not limited.
Step 11 Run:
return

The user view is displayed.


Step 12 (Optional) Run:
local-user change-password


The password of the local user is changed.


----End

(Optional) Configuring a Service Scheme


Context
Access users must obtain authorization information before going online. Authorization
information about users can be managed by configuring a service scheme.
NOTE

In the service scheme, you only need to run the admin-user privilege level command to configure AAA.
Other commands need to be configured only when they are referenced by other features such as IPsec in
the service scheme.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
aaa

The AAA view is displayed.


Step 3 Run:
service-scheme service-scheme-name

A service scheme is created and the service scheme view is displayed.


By default, no service scheme is configured on the device.
Step 4 Run:
admin-user privilege level level

The user is configured to log in to the device as the administrator and the administrator level for
login is specified.
level ranges from 0 to 15. If this command is not run, this parameter value is 16, indicating that
the parameter is invalid.
Step 5 (Optional) Run:
dns ip-address

The IP address of the primary DNS server is configured.


By default, no primary DNS server address is configured in a service scheme.
Step 6 (Optional) Run:
dns ip-address secondary

The IP address of the secondary DNS server is configured.


By default, no secondary DNS server address is configured in a service scheme.

Step 7 (Optional) Run:
auto-update url url-string version version-number

The URL and version number of the service scheme are configured.
By default, the URL and version number of a service scheme are not configured.
NOTE

This step is applicable to only wireless users.

----End

Configuring a Domain
Context
The created authentication and authorization schemes take effect only after being applied to a
domain. When local authentication and authorization are used, non-accounting is used by
default.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
aaa

The AAA view is displayed.


Step 3 Run:
domain domain-name

A domain is created, and the corresponding domain view or an existing domain view is displayed.
The device has two default domains: default and default_admin. The default domain is used
by common access users and the default_admin domain is used by administrators.
Step 4 Run:
authentication-scheme authentication-scheme-name

An authentication scheme is applied to the domain.


By default, the authentication scheme named default is applied to a domain.
Step 5 Run:
authorization-scheme authorization-scheme-name

An authorization scheme is applied to the domain.


By default, no authorization scheme is applied to a domain.
Step 6 (Optional) Run:
user-group group-name

A user group is applied to the domain.



By default, no user group is applied to a domain.


NOTE

This step is applicable to only wireless users.

Step 7 (Optional) Run:
service-scheme service-scheme-name

A service scheme is applied to the domain.


By default, no service scheme is applied to a domain.
Step 8 (Optional) Run:
state { active | block }

The domain state is configured.


When a domain is in blocking state, users in this domain cannot log in. By default, a domain is
in active state after being created.
Step 9 Run:
quit

Exit from the domain view.


Step 10 (Optional) Run:
domain-name-delimiter delimiter

A domain name delimiter is configured.


A domain name delimiter can be any of the following: \ / : < > | @ ' %.
The default domain name delimiter is @.
Step 11 Run:
quit

Return to the system view.


Step 12 (Optional) Run:
interface wlan-ess wlan-ess-number

A WLAN-ESS interface is created and its view is displayed.


Step 13 (Optional) Run:
force-domain domain-name

The forcible authentication domain is configured on an interface.


By default, no forcible authentication domain is configured on an interface.
NOTE

This step is applicable to only wireless users.

Step 14 (Optional) Run:
permit-domain domain-name &<1-4>

The permitted domain is configured for wireless users.


By default, no permitted domain is specified for WLAN users.

NOTE

This step is applicable to only wireless users.

----End

Checking the Configuration


Procedure
l Run the display aaa configuration command to check the AAA summary.
l Run the display authentication-scheme [ authentication-scheme-name ] command to
check the authentication scheme configuration.
l Run the display authorization-scheme [ authorization-scheme-name ] command to check
the authorization scheme configuration.
l Run the display access-user [ domain domain-name | interface interface-type interface-number [ vlan vlan-id [ qinq qinq-vlan-id ] ] | ip-address ip-address | mac-address mac-address | slot slot-id | ssid ssid-name | statistics | user-group user-group-name | user-id
user-number ] [ detail ] command to check the summary of all online wireless users.
l Run the display domain [ name domain-name ] command to check the domain
configuration.
l Run the display local-user command to check the brief information about local users.

----End
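The local-user, service-scheme and domain procedures above, assembled into one worked configuration for a device administrator. This is an added example, not configuration from the Huawei guide; the prompts, the user names, the scheme names local_auth and local_authz (assumed to have been created with authentication-mode local and authorization-mode local in the preceding scheme procedures), the service scheme name admin_svc, and every <...> value are constructed placeholders.

```text
# Added example (not from the Huawei guide): local AAA for an administrator account.
# Prompts, names and <...> values are constructed placeholders; local_auth and
# local_authz are assumed to exist from the preceding scheme procedures.
<AC6605> system-view
[AC6605] aaa

# 1. Local account. Because @ is the default delimiter, "netops@default_admin" is
#    split into user "netops" and domain "default_admin" (Step 3 NOTE).
[AC6605-aaa] local-user netops@default_admin password cipher <ADMIN-PASSWORD>

# 2. Tighten the permissive defaults: any access type, unlimited connections,
#    permanent validity. Allow only SSH and console, cap sessions, set an expiry.
[AC6605-aaa] local-user netops@default_admin service-type ssh terminal
[AC6605-aaa] local-user netops@default_admin idle-timeout 10
[AC6605-aaa] local-user netops@default_admin access-limit 2
[AC6605-aaa] local-user netops@default_admin expire-date <EXPIRE-DATE>

# 3. An account that is no longer needed is blocked, not left active:
#    the device rejects authentication requests from a blocked user.
[AC6605-aaa] local-user oldops@default_admin state block

# 4. Administrator level is granted through a service scheme (the guide's
#    admin-user privilege level command), not left to defaults.
[AC6605-aaa] service-scheme admin_svc
[AC6605-aaa-service-admin_svc] admin-user privilege level 15
[AC6605-aaa-service-admin_svc] quit

# 5. Apply the local schemes and the service scheme to the administrator domain.
[AC6605-aaa] domain default_admin
[AC6605-aaa-domain-default_admin] authentication-scheme local_auth
[AC6605-aaa-domain-default_admin] authorization-scheme local_authz
[AC6605-aaa-domain-default_admin] service-scheme admin_svc
[AC6605-aaa-domain-default_admin] state active
[AC6605-aaa-domain-default_admin] quit
[AC6605-aaa] domain-name-delimiter @
[AC6605-aaa] quit
[AC6605] return

# 6. Verify the result with the display commands from the checking procedure.
<AC6605> display local-user
<AC6605> display domain name default_admin
<AC6605> display service-scheme name admin_svc
<AC6605> display aaa configuration
```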

8.1.4 Configuring RADIUS AAA


RADIUS is often used to implement authentication, authorization, and accounting (AAA).

RADIUS Authentication, Authorization, and Accounting


RADIUS uses the client/server model and protects a network from unauthorized access. It is
often used in network environments that require high security and control remote user access.

Pre-configuration Tasks
Before configuring RADIUS AAA, complete the following task:
l Configuring physical attributes for interfaces to ensure that the physical layer status of the
interfaces is Up

Configuring AAA Schemes


Context
To use RADIUS AAA, set the authentication mode in an authentication scheme to RADIUS and
the accounting mode in an accounting scheme to RADIUS.
If RADIUS authentication is configured, you can also configure local authentication or
non-authentication as the backup. This allows local authentication or non-authentication to be
implemented if RADIUS authentication fails. Similarly, if RADIUS accounting is configured,
you can also configure non-accounting as the backup.

Procedure
l Configuring an authentication scheme


1.

Run:
system-view

The system view is displayed.


2.

Run:
aaa

The AAA view is displayed.


3.

Run:
authentication-scheme authentication-scheme-name

Create an authentication scheme and enter its view, or directly enter the view of an
existing authentication scheme.
By default, there is an authentication scheme named default on the device. The default
authentication scheme can only be modified, but cannot be deleted.
4.

Run:
authentication-mode radius

RADIUS authentication is configured.


By default, local authentication is used.
To use local authentication as the backup authentication mode, run the
authentication-mode radius local command to configure local authentication.
NOTE

If multiple authentication modes are configured in an authentication scheme, these
authentication modes are used according to the sequence in which they were configured. The
device uses the authentication mode that was configured later only when it does not receive
any response in the current authentication. The device stops the authentication if the current
authentication fails.

5.

(Optional) Run:
authentication-super { hwtacacs | radius | super } [ none ]

The authentication mode used to upgrade user levels is configured.


6.

Run:
quit

Return to the AAA view.


7.

(Optional) Run:
domainname-parse-direction { left-to-right | right-to-left }

The direction in which the user name and domain name are parsed is configured.
l Configuring an accounting scheme


1.

Run:
system-view

The system view is displayed.


2.

Run:
aaa


The AAA view is displayed.


3.

Run:
accounting-scheme accounting-scheme-name

An accounting scheme is created and the accounting scheme view is displayed.


There is a default accounting scheme named default on the device. The default
accounting scheme can only be modified, but cannot be deleted.
4.

Run:
accounting-mode radius

The accounting mode is configured.


By default, non-accounting is used.
5.

(Optional) Run:
accounting start-fail { online | offline }

A policy for accounting-start failures is configured.


By default, users cannot go online if accounting-start fails.
6.

(Optional) Run:
accounting realtime interval

Real-time accounting is enabled and the interval for real-time accounting is set.
By default, real-time accounting is disabled.
7.

(Optional) Run:
accounting interim-fail [ max-times times ] { online | offline }

The maximum number of real-time accounting requests is set and a policy used after
a real-time accounting failure is configured.
After real-time accounting is enabled, the maximum number of real-time accounting
requests is 3 and the device keeps paid users online after a real-time accounting failure
by default.
----End

Configuring a RADIUS Server Template


Context
In a RADIUS server template, you must specify the IP address, port number, and shared key of
a specified RADIUS server. Other settings such as the RADIUS user name format, traffic unit,
and number of times RADIUS request packets are retransmitted have default values and can be
changed based on network requirements.
The RADIUS server template settings such as the RADIUS user name format and shared key
must be the same as those on the RADIUS server.

Procedure
Step 1 Run:
system-view


The system view is displayed.


Step 2 (Optional) Run:
radius-server authorization ip-address [ vpn-instance vpn-instance-name ] { server-group group-name | shared-key { cipher | simple } key-string } * [ ack-reserved-interval interval ]

A RADIUS authorization server is configured.


By default, no RADIUS authorization server is configured.
Step 3 Run:
radius-server template template-name

The RADIUS server template view is displayed.


Step 4 (Optional) Run:
radius-server algorithm { loading-share | master-backup }

The algorithm for selecting RADIUS server is configured.


By default, the algorithm for selecting RADIUS servers is master/backup.
NOTE

This step is applicable to only wireless users.

Step 5 Configure the primary RADIUS authentication server.


l Run:
radius-server authentication ip-address port [ vpn-instance vpn-instance-name |
source { loopback interface-number | ip-address ip-address } ] *

The primary RADIUS authentication server for wired users is configured.


l Run:
radius-server authentication ip-address port [ source { loopback interface-number | ip-address ip-address } | weight weight-value ] *

The primary RADIUS authentication server for wireless users is configured.


By default, the IP address of the primary RADIUS authentication server is 0.0.0.0 and the port
number is 0.
Step 6 (Optional) Run:
radius-server authentication ip-address port [ vpn-instance vpn-instance-name |
source { loopback interface-number | ip-address ip-address } ] * secondary

The secondary RADIUS authentication server is configured.


By default, the IP address of the secondary RADIUS authentication server is 0.0.0.0 and the port
number is 0.
NOTE

This step is applicable to only wired users.

Step 7 Configure the primary RADIUS accounting server.


l For wired users, run the radius-server accounting ip-address port [ vpn-instance vpn-instance-name | source { loopback interface-number | ip-address ip-address } ] * command.
l For wireless users, run the radius-server accounting ip-address port [ source { loopback
interface-number | ip-address ip-address } | weight weight-value ] * command.

By default, the IP address of the primary RADIUS accounting server is 0.0.0.0 and the port
number is 0.
Step 8 (Optional) Run:
radius-server accounting ip-address port [ vpn-instance vpn-instance-name | source
{ loopback interface-number | ip-address ip-address } ] * secondary

The secondary RADIUS accounting server is configured.


By default, the IP address of the secondary RADIUS accounting server is 0.0.0.0 and the port
number is 0.
NOTE

This step is applicable to only wired users.

Step 9 Run:
radius-server shared-key [ cipher | simple ] key-string

The RADIUS shared key is set.


By default, the RADIUS shared key is huawei and the password is in plain text.
Step 10 (Optional) Run:
radius-server user-name domain-included

The RADIUS user name format is set.


By default, the device sends the user name containing the domain name and delimiter to a
RADIUS server for authentication.
If the RADIUS server does not accept the user name with the domain name, run the undo radius-server user-name domain-included command to delete the domain name from the user name.
Step 11 (Optional) Run:
radius-server traffic-unit { byte | kbyte | mbyte | gbyte }

The RADIUS traffic unit is set.


The default RADIUS traffic unit is byte on the device.
Step 12 (Optional) Run:
radius-server { retransmit retry-times | timeout time-value }

The number of times that RADIUS request packets are retransmitted and timeout interval are
set.
By default, the number of retransmission times is 3 and the timeout interval is 5 seconds.
Step 13 (Optional) Run:
radius-server nas-port-format { new | old }

The NAS port format of the RADIUS server is configured.


By default, the new NAS port format is used.
Step 14 (Optional) Run:
radius-server nas-port-id-format { new | old }

The ID format of the NAS port on the RADIUS server is set.


By default, the new format of the NAS port ID attribute is used.

Step 15 (Optional) Run:
radius-attribute nas-ip ip-address

The RADIUS NAS-IP-Address attribute is set.

Step 16 (Optional) Run:
radius-server accounting-stop-packet resend [ resend-times ]

Retransmission of accounting-stop packets is enabled and the number of accounting-stop packets
that can be retransmitted each time is set.
By default, the number of retransmissions is 0. That is, accounting-stop packets are not retransmitted.
NOTE

This step is applicable to only wireless users.

Step 17 Run:
radius-server dead-time dead-time

The time for the primary RADIUS server to return to the active state is set.
By default, the time for the primary RADIUS server to return to the active state is 5 minutes.
NOTE

This step is applicable to only wireless users.

Step 18 Run:
return

The user view is displayed.


Step 19 (Optional) Run:
test-aaa user-name user-password radius-template template-name [ chap | pap ]

The device is configured to test whether a user can be authenticated using RADIUS
authentication.
----End

(Optional) Configuring a Service Scheme


Context
Access users must obtain authorization information before going online. Authorization
information about users can be managed by configuring a service scheme.
NOTE

In the service scheme, you only need to run the admin-user privilege level command to configure AAA.
Other commands need to be configured only when they are referenced by other features such as IPsec in
the service scheme.

Procedure
Step 1 Run:
system-view


The system view is displayed.


Step 2 Run:
aaa

The AAA view is displayed.


Step 3 Run:
service-scheme service-scheme-name

A service scheme is created and the service scheme view is displayed.


By default, no service scheme is configured on the device.
Step 4 Run:
admin-user privilege level level

The user is configured to log in to the device as the administrator and the administrator level for
login is specified.
level ranges from 0 to 15. If this command is not run, this parameter value is 16, indicating that
the parameter is invalid.
Step 5 (Optional) Run:
dns ip-address

The IP address of the primary DNS server is configured.


By default, no primary DNS server address is configured in a service scheme.
Step 6 (Optional) Run:
dns ip-address secondary

The IP address of the secondary DNS server is configured.


By default, no secondary DNS server address is configured in a service scheme.
Step 7 (Optional) Run:
auto-update url url-string version version-number

The URL and version number of the service scheme are configured.
By default, the URL and version number of a service scheme are not configured.
NOTE

This step is applicable to only wireless users.

----End

Configuring a Domain
Context
The created authentication scheme, accounting scheme, and RADIUS server template take effect
only after being applied to a domain.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
aaa

The AAA view is displayed.


Step 3 Run:
domain domain-name

A domain is created and the domain view is displayed.


The device has two default domains: default and default_admin. The default domain is used
by common access users and the default_admin domain is used by administrators.
Step 4 Run:
authentication-scheme authentication-scheme-name

An authentication scheme is applied to the domain.


By default, the authentication scheme named default is applied to a domain.
Step 5 (Optional) Run:
accounting-scheme accounting-scheme-name

An accounting scheme is applied to the domain.


By default, the accounting scheme named default is applied to a domain. In this default
accounting scheme, non-accounting is used and the real-time accounting function is disabled.
Step 6 (Optional) Run:
user-group group-name

A user group is applied to the domain.


By default, no user group is applied to a domain.
NOTE

This step is applicable to only wireless users.

Step 7 (Optional) Run:
service-scheme service-scheme-name

A service scheme is applied to the domain.


By default, no service scheme is applied to a domain.
Step 8 Run:
radius-server template-name

A RADIUS server template is configured for the domain.


By default, no RADIUS server template is applied to a domain.
Step 9 (Optional) Run:
state { active | block }


The domain state is configured.


When a domain is in blocking state, users in this domain cannot log in. By default, a domain is
in active state after being created.
Step 10 Run:
quit

Exit from the domain view.


Step 11 (Optional) Run:
domain-name-delimiter delimiter

A domain name delimiter is configured.


A domain name delimiter can be any of the following: \ / : < > | @ ' %.
The default domain name delimiter is @.
Step 12 Run:
quit

Return to the system view.


Step 13 (Optional) Run:
interface wlan-ess wlan-ess-number

A WLAN-ESS interface is created and its view is displayed.


Step 14 (Optional) Run:
force-domain domain-name

The forcible authentication domain is configured on an interface.


By default, no forcible authentication domain is configured on an interface.
NOTE

This step is applicable to only wireless users.

Step 15 (Optional) Run:
permit-domain domain-name &<1-4>

The permitted domain is configured for wireless users.


By default, no permitted domain is specified for WLAN users.
NOTE

This step is applicable to only wireless users.

----End

Checking the Configuration


Procedure
l Run the display aaa configuration command to check the AAA summary.
l Run the display authentication-scheme [ authentication-scheme-name ] command to
check the authentication scheme configuration.

l Run the display accounting-scheme [ accounting-scheme-name ] command to check the
accounting scheme configuration.
l Run the display service-scheme [ name name ] command to check the configuration about
the service scheme.
l Run the display radius-server configuration [ template template-name ] command to
check the RADIUS server template configuration.
l Run the display radius-attribute [ template template-name ] disable command to check
the disabled RADIUS attributes.
l Run the display radius-attribute [ template template-name ] translate command to check
the RADIUS attribute translation configuration.
l Run the display domain [ name domain-name ] command to check the domain
configuration.
l Run the display radius-server accounting-stop-packet { all | ip ip-address } command
to check the accounting-stop packets of the RADIUS server.
NOTE

This step is applicable to only wireless users.

----End
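The RADIUS scheme, server template and domain procedures above, assembled into one worked configuration for wireless users with local authentication as the backup. This is an added example, not configuration from the Huawei guide; the prompts, the scheme, template and domain names, the addresses 192.0.2.10 and 192.0.2.11, the standard RADIUS ports 1812 and 1813, the WLAN-ESS number and every <...> value are constructed placeholders, and reading weight as the share of requests each server receives under loading-share is an assumption.

```text
# Added example (not from the Huawei guide): RADIUS AAA for wireless users.
# Prompts, names, addresses, ports and <...> values are constructed placeholders.
<AC6605> system-view
[AC6605] aaa

# Authentication: RADIUS first; local is consulted only when no RADIUS server
# answers. A reject from RADIUS ends the attempt, it does not fall through.
[AC6605-aaa] authentication-scheme wlan_auth
[AC6605-aaa-authen-wlan_auth] authentication-mode radius local
[AC6605-aaa-authen-wlan_auth] quit

# Accounting: RADIUS, keep users offline if accounting-start fails (the
# default, stated explicitly), interim updates every 15 minutes.
[AC6605-aaa] accounting-scheme wlan_acct
[AC6605-aaa-accounting-wlan_acct] accounting-mode radius
[AC6605-aaa-accounting-wlan_acct] accounting start-fail offline
[AC6605-aaa-accounting-wlan_acct] accounting realtime 15
[AC6605-aaa-accounting-wlan_acct] quit
[AC6605-aaa] quit

# Server template, wireless form of the server commands (weight, no "secondary").
# Two servers under loading-share; weight assumed to set each server's share.
[AC6605] radius-server template wlan_radius
[AC6605-radius-wlan_radius] radius-server algorithm loading-share
[AC6605-radius-wlan_radius] radius-server authentication 192.0.2.10 1812 weight 80
[AC6605-radius-wlan_radius] radius-server authentication 192.0.2.11 1812 weight 20
[AC6605-radius-wlan_radius] radius-server accounting 192.0.2.10 1813 weight 80
[AC6605-radius-wlan_radius] radius-server accounting 192.0.2.11 1813 weight 20
# Replace the default key "huawei" (plain text) with a cipher-stored key; it
# must match the key configured on the RADIUS server.
[AC6605-radius-wlan_radius] radius-server shared-key cipher <RADIUS-SHARED-KEY>
# Retransmit/timeout (defaults 3 and 5 s) bound how long a dead server is retried;
# dead-time (default 5 min) governs when the primary is tried again.
[AC6605-radius-wlan_radius] radius-server retransmit 3
[AC6605-radius-wlan_radius] radius-server timeout 5
[AC6605-radius-wlan_radius] radius-server dead-time 5
# Accounting-stop packets are not retransmitted by default; allow 3 resends so
# session-end records survive a brief server outage.
[AC6605-radius-wlan_radius] radius-server accounting-stop-packet resend 3
[AC6605-radius-wlan_radius] quit

# Domain for wireless users, bound to the schemes and the template.
[AC6605] aaa
[AC6605-aaa] domain wlan_users
[AC6605-aaa-domain-wlan_users] authentication-scheme wlan_auth
[AC6605-aaa-domain-wlan_users] accounting-scheme wlan_acct
[AC6605-aaa-domain-wlan_users] radius-server wlan_radius
[AC6605-aaa-domain-wlan_users] quit
[AC6605-aaa] quit

# Force clients on this WLAN-ESS interface into that domain, whatever domain
# suffix they type, so they cannot pick a domain with weaker schemes.
[AC6605] interface wlan-ess 1
[AC6605-Wlan-Ess1] force-domain wlan_users
[AC6605-Wlan-Ess1] quit
[AC6605] return

# Check server reachability and the shared key before users depend on it.
<AC6605> test-aaa testuser <TEST-PASSWORD> radius-template wlan_radius pap
<AC6605> display radius-server configuration template wlan_radius
<AC6605> display domain name wlan_users
```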

8.1.5 Configuring HWTACACS AAA


Compared with RADIUS, HWTACACS is more reliable in transmission and encryption, and is
more suitable for security control.

HWTACACS Authentication, Authorization, and Accounting


Similar to RADIUS, HWTACACS uses the client/server model to implement AAA for access
users by communicating with the HWTACACS server.
HWTACACS protects a network from unauthorized access and supports command-line
authorization. Compared with RADIUS, HWTACACS is more suitable for security control.

Pre-configuration Tasks
Before configuring HWTACACS AAA, complete the following task:
l Configuring physical attributes for interfaces to ensure that the physical layer status of the
interfaces is Up

Configuring AAA Schemes


Context
To use HWTACACS authentication, authorization, and accounting, set the authentication mode
in an authentication scheme to HWTACACS, the authorization mode in an authorization scheme
to HWTACACS, and the accounting mode in an accounting scheme to HWTACACS.
When HWTACACS authentication is used, you can configure local authentication or
non-authentication as a backup. This allows local authentication or non-authentication to be
implemented if HWTACACS authentication fails. When HWTACACS authorization is used,
you can configure local authorization or non-authorization as a backup.

Procedure
l Configuring an authentication scheme


1.

Run:
system-view

The system view is displayed.


2.

Run:
aaa

The AAA view is displayed.


3.

Run:
authentication-scheme authentication-scheme-name

An authentication scheme is created, and the corresponding authentication scheme
view or an existing authentication scheme view is displayed.
By default, there is an authentication scheme named default on the device. This default
scheme can be modified but cannot be deleted.
4.

Run:
authentication-mode hwtacacs

HWTACACS authentication is configured.


By default, local authentication is used.
To use local authentication as the backup authentication mode, run the
authentication-mode hwtacacs local command to configure local authentication.
NOTE

If multiple authentication modes are configured in an authentication scheme, these
authentication modes are used according to the sequence in which they were configured. The
device uses the authentication mode that was configured later only when it does not receive
any response in the current authentication. The device stops the authentication if the current
authentication fails.

5.

(Optional) Run:
authentication-super { hwtacacs | radius | super } [ none ]

The authentication mode used to upgrade user levels is configured.


6.

Run:
quit

Return to the AAA view.


7.

(Optional) Run:
domainname-parse-direction { left-to-right | right-to-left }

The direction in which the user name and domain name are parsed is configured.
l Configuring an authorization scheme


1.

Run:
system-view

The system view is displayed.


2.

Run:
aaa


The AAA view is displayed.


3.

Run:
authorization-scheme authorization-scheme-name

An authorization scheme is created, and the corresponding authorization scheme view
or an existing authorization scheme view is displayed.
By default, there is a default authorization scheme named default on the device. This
default authorization scheme can be modified but cannot be deleted.
4.

Run:
authorization-mode { hwtacacs | local }* [ none ]

The authorization mode is configured.


By default, local authorization is used.
If HWTACACS authorization is configured, you must configure an HWTACACS
server template and apply the template to the corresponding user domain.
NOTE

If multiple authorization modes are configured in an authorization scheme, authorization modes
are used in the sequence in which they were configured. The device uses the authorization
mode that was configured later only after the current authorization fails.

5.

(Optional) Run:
authorization-cmd privilege-level hwtacacs [ local ] [ none ]

Command-line authorization is enabled for users at a certain level.


By default, command-line authorization is disabled for users of levels 0 to 15.
If command line authorization is enabled, you must configure an HWTACACS server
template and apply the template to the corresponding user domain.
l Configuring an accounting scheme


1.

Run:
system-view

The system view is displayed.


2.

Run:
aaa

The AAA view is displayed.


3.

Run:
accounting-scheme accounting-scheme-name

An accounting scheme is created, and the corresponding accounting scheme view or
an existing accounting scheme view is displayed.
There is a default accounting scheme named default on the device. This default
accounting scheme can be modified but cannot be deleted.
4.

Run:
accounting-mode hwtacacs

The accounting mode is configured.


By default, non-accounting is used.
5.

(Optional) Run:
accounting start-fail { online | offline }

A policy for accounting-start failures is configured.


By default, users cannot go online if accounting-start fails.
6.

(Optional) Run:
accounting realtime interval

Real-time accounting is enabled and the interval for real-time accounting is set.
By default, real-time accounting is disabled.
7.

(Optional) Run:
accounting interim-fail [ max-times times ] { online | offline }

The maximum number of real-time accounting requests is set and a policy used after
a real-time accounting failure is configured.
After real-time accounting is enabled, the maximum number of real-time accounting
requests is 3 and the device keeps paid users online after a real-time accounting failure
by default.
----End
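The three HWTACACS scheme procedures above, as one worked configuration for device administrators with per-command authorization. This is an added example, not configuration from the Huawei guide; the prompts and scheme names are constructed placeholders, and the HWTACACS server template and the domain that these schemes must be bound to are configured in the tasks that follow.

```text
# Added example (not from the Huawei guide): HWTACACS schemes for administrators.
# Prompts and scheme names are constructed placeholders.
<AC6605> system-view
[AC6605] aaa

# Authentication: HWTACACS; local is used only if no HWTACACS server answers,
# so a lost server does not lock out operators, while a reject stays a reject.
# Level upgrades (super) are also authenticated by the HWTACACS server.
[AC6605-aaa] authentication-scheme admin_auth
[AC6605-aaa-authen-admin_auth] authentication-mode hwtacacs local
[AC6605-aaa-authen-admin_auth] authentication-super hwtacacs
[AC6605-aaa-authen-admin_auth] quit

# Authorization: HWTACACS with local fallback, plus command-line authorization
# for level-15 users so every privileged command is checked by the server
# (disabled by default for levels 0 to 15). "none" is deliberately not
# appended, so there is no fall-through to non-authorization.
[AC6605-aaa] authorization-scheme admin_authz
[AC6605-aaa-author-admin_authz] authorization-mode hwtacacs local
[AC6605-aaa-author-admin_authz] authorization-cmd 15 hwtacacs local
[AC6605-aaa-author-admin_authz] quit

# Accounting: HWTACACS. Keeping users offline when accounting-start fails
# (the default) means no administrative session runs without an audit record.
[AC6605-aaa] accounting-scheme admin_acct
[AC6605-aaa-accounting-admin_acct] accounting-mode hwtacacs
[AC6605-aaa-accounting-admin_acct] accounting start-fail offline
[AC6605-aaa-accounting-admin_acct] quit
[AC6605-aaa] quit

# Both the authorization scheme and command-line authorization require an
# HWTACACS server template applied to the administrator domain (next task).
<AC6605> display authentication-scheme admin_auth
<AC6605> display authorization-scheme admin_authz
<AC6605> display accounting-scheme admin_acct
```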

Configuring an HWTACACS Server Template


Context
In an HWTACACS server template, you must specify the IP address, port number, and shared
key of a specified HWTACACS server. Other settings such as the HWTACACS user name
format and traffic unit have default values and can be changed based on network requirements.
The HWTACACS server template settings such as the HWTACACS user name format and
shared key must be the same as those on the HWTACACS server.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
hwtacacs enable

HWTACACS is enabled.
Step 3 Run:
hwtacacs-server template template-name

An HWTACACS server template is created and the HWTACACS server template view is
displayed.
Step 4 Run:
hwtacacs-server authentication ip-address [ port ] [ public-net | vpn-instance vpn-instance-name ]


The IP address of the primary HWTACACS authentication server is set.


By default, the IP address of the primary HWTACACS authentication server is 0.0.0.0 and its
port number is 0, and the server is not bound to any VPN instance.
Step 5 (Optional) Run:
hwtacacs-server authentication ip-address [ port ] [ public-net | vpn-instance vpn-instance-name ] secondary

The IP address of the secondary HWTACACS authentication server is set.


By default, the IP address of the secondary HWTACACS authentication server is 0.0.0.0 and
its port number is 0, and the server is not bound to any VPN instance.
Step 6 Run:
hwtacacs-server authorization ip-address [ port ] [ public-net | vpn-instance vpn-instance-name ]

The IP address of the primary HWTACACS authorization server is set.


By default, the IP address of the primary HWTACACS authorization server is 0.0.0.0 and its
port number is 0, and the server is not bound to any VPN instance.
Step 7 (Optional) Run:
hwtacacs-server authorization ip-address [ port ] [ public-net | vpn-instance vpninstance-name ] secondary

The IP address of the secondary HWTACACS authorization server is set.


By default, the IP address of the secondary HWTACACS authorization server is 0.0.0.0 and its
port number is 0, and the server is not bound to any VPN instance.
Step 8 Run:
hwtacacs-server accounting ip-address [ port ] [ public-net | vpn-instance vpninstance-name ]

The primary HWTACACS accounting server is configured.


By default, the IP address of the primary HWTACACS accounting server is 0.0.0.0 and its port
number is 0, and the server is not bound to any VPN instance.
Step 9 (Optional) Run:
hwtacacs-server accounting ip-address [ port ] [ public-net | vpn-instance vpninstance-name ] secondary

The secondary HWTACACS accounting server is configured.


By default, the IP address of the secondary HWTACACS accounting server is 0.0.0.0 and its
port number is 0, and the server is not bound to any VPN instance.
Step 10 (Optional) Run:
hwtacacs-server source-ip ip-address

The HWTACACS source IP address is set.


By default, the HWTACACS source IP address is 0.0.0.0, and the device uses the IP address of
the actual outbound interface as the source IP address in HWTACACS packets.
After you set the source IP address, the device uses it in all HWTACACS packets sent to the
server, and the HWTACACS server must identify the device by this address. Using the address
of a loopback interface keeps the source address stable when the route to the server changes.
Step 11 (Optional) Run:
hwtacacs-server shared-key [ cipher | simple ] key-string

The HWTACACS shared key is configured.

By default, no HWTACACS shared key is configured. Although this step is marked optional,
configure a key that matches the one on the HWTACACS server in every deployment: the shared
key is what protects the body of the HWTACACS packets exchanged with the server. Use the
cipher keyword so that the key is stored in encrypted form in the configuration file; simple
stores it in plain text.
Step 12 (Optional) Run:
hwtacacs-server user-name domain-included

The HWTACACS user name format is configured.


By default, the device sends the user name containing the domain name and delimiter to an
HWTACACS server for authentication.
Step 13 (Optional) Run:
hwtacacs-server traffic-unit { byte | kbyte | mbyte | gbyte }

The HWTACACS traffic unit is set.


The default HWTACACS traffic unit is byte on the device.
Step 14 (Optional) Run:
hwtacacs-server timer response-timeout interval

The response timeout interval for the HWTACACS server is set.


By default, the response timeout interval for an HWTACACS server is 5 seconds.
If the device does not receive a response from the HWTACACS server within the timeout
interval, it considers the server faulty and switches to the next authentication and
authorization method configured in the scheme, for example, local authentication in a scheme
configured with hwtacacs local.
Step 15 (Optional) Run:
hwtacacs-server timer quiet interval

The interval after which a primary HWTACACS server that has been marked faulty returns to the
active state is set. During this quiet interval, the device does not send requests to the
primary server.
By default, the interval for the primary HWTACACS server to return to the active state is 5
minutes.
Step 16 Run:
quit

The system view is displayed.


Step 17 (Optional) Run:
hwtacacs-server accounting-stop-packet resend { disable | enable number }

Retransmission of accounting-stop packets is enabled.


You can enable retransmission of accounting-stop packets and set the number of times that
packets are retransmitted. By default, the retransmission function is enabled and the number of
retransmission times is 100.
Step 18 Run:
return

The user view is displayed.


Step 19 (Optional) Run:
hwtacacs-user change-password hwtacacs-server template-name

The password saved on the HWTACACS server is changed.


----End
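The timers in Step 14 and Step 15 determine how the device fails over between the servers in a template. The following Python model, added here as a worked example and not part of the AC6605 documentation or its software, shows the resulting behaviour: a server that does not answer within the response timeout is marked faulty and skipped for the quiet interval, the secondary server is tried next, and when no server in the template answers, the request is handed to the next method in the authentication scheme (local in a scheme configured with hwtacacs local). The failover order primary, then secondary, then next method, and applying the quiet interval to the secondary server as well, are assumptions of this example; the guide states the quiet interval only for the primary server. The server addresses are taken from the configuration example later in this section, and the send callback is constructed for illustration.

```python
"""Failover between the servers of an HWTACACS server template (added example, not Huawei code)."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

# send(server, timeout) delivers one request and returns the server's verdict
# (True = accept, False = reject) or None when no reply arrives in time.
SendFn = Callable[[str, int], Optional[bool]]


@dataclass
class HwtacacsTemplate:
    primary: str
    secondary: Optional[str] = None
    response_timeout: int = 5   # hwtacacs-server timer response-timeout, default 5 s
    quiet_interval: int = 5     # hwtacacs-server timer quiet, default 5 min
    faulty_since: Dict[str, float] = field(default_factory=dict)  # server -> time marked faulty

    def servers(self) -> List[str]:
        """Servers in the order the device tries them (assumed: primary, then secondary)."""
        return [s for s in (self.primary, self.secondary) if s]

    def is_active(self, server: str, now: float) -> bool:
        """A faulty server is skipped until the quiet interval has elapsed."""
        since = self.faulty_since.get(server)
        if since is None:
            return True
        if now - since >= self.quiet_interval * 60:
            del self.faulty_since[server]     # quiet timer expired: active again
            return True
        return False

    def current_server(self, now: float) -> Optional[str]:
        """Server the next request goes to ('Current-authentication-server' in
        display hwtacacs-server template), or None if every server is quiet."""
        return next((s for s in self.servers() if self.is_active(s, now)), None)

    def authenticate(self, now: float, send: SendFn) -> Tuple[str, Optional[bool]]:
        """Send one request. Returns (server that answered, verdict), or
        ("local", None) when no server answered and the next method of the
        authentication scheme (local in "hwtacacs local") must take over."""
        for server in self.servers():
            if not self.is_active(server, now):
                continue
            verdict = send(server, self.response_timeout)
            if verdict is None:                   # response timeout expired
                self.faulty_since[server] = now   # server marked faulty, quiet timer starts
                continue
            return server, verdict
        return "local", None


def simulate(outcomes: Dict[str, Optional[bool]], times: List[float]) -> List[str]:
    """One request per timestamp against fixed server behaviour; the server
    addresses are the ones used in this section's configuration example."""
    tpl = HwtacacsTemplate(primary="129.7.66.66", secondary="129.7.66.67")
    return [tpl.authenticate(t, lambda s, _timeout: outcomes[s])[0] for t in times]


if __name__ == "__main__":
    # Primary silent, secondary answering: the secondary serves every request and
    # the primary is retried only once the 5-minute quiet interval has passed.
    print(simulate({"129.7.66.66": None, "129.7.66.67": True}, [0, 10, 400]))
```

The practical consequence shown by the model: with a silent primary, every login during the quiet interval costs one response timeout only the first time; afterwards requests go straight to the secondary. With both servers silent, each login waits two response timeouts before local authentication is tried, which is why the response-timeout and quiet-interval values should be tuned together.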

(Optional) Configuring a Service Scheme


Context
Access users must obtain authorization information before going online. Authorization
information about users can be managed by configuring a service scheme.
NOTE

In the service scheme, you only need to run the admin-user privilege level command to configure AAA.
Other commands need to be configured only when they are referenced by other features such as IPsec in
the service scheme.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
aaa

The AAA view is displayed.


Step 3 Run:
service-scheme service-scheme-name

A service scheme is created and the service scheme view is displayed.


By default, no service scheme is configured on the device.
Step 4 Run:
admin-user privilege level level

The user is configured to log in to the device as the administrator and the administrator level for
login is specified.
The value of level ranges from 0 to 15. If this command is not run, the level is recorded as
16, which indicates that no valid administrator level has been set.
Step 5 (Optional) Run:
dns ip-address

The IP address of the primary DNS server is configured.


By default, no primary DNS server address is configured in a service scheme.
Step 6 (Optional) Run:
dns ip-address secondary

The IP address of the secondary DNS server is configured.


By default, no secondary DNS server address is configured in a service scheme.
Step 7 (Optional) Run:
auto-update url url-string version version-number

The URL and version number of the service scheme are configured.
By default, the URL and version number of a service scheme are not configured.
NOTE

This step is applicable to only wireless users.

----End

Configuring a Domain
Context
The created authentication scheme, authorization scheme, accounting scheme, and
HWTACACS server template take effect only after being applied to a domain.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
aaa

The AAA view is displayed.


Step 3 Run:
domain domain-name

A domain is created, and the corresponding domain view or an existing domain view is displayed.
The device has two default domains: default and default_admin. The default domain is used
by common access users and the default_admin domain is used by administrators.
Step 4 Run:
authentication-scheme authentication-scheme-name

An authentication scheme is applied to the domain.


By default, the authentication scheme named default is applied to a domain.
Step 5 (Optional) Run:
authorization-scheme authorization-scheme-name

An authorization scheme is applied to the domain.


By default, no authorization scheme is applied to a domain.
Step 6 (Optional) Run:
accounting-scheme accounting-scheme-name

An accounting scheme is applied to the domain.


By default, the accounting scheme named default is applied to a domain. In this default
accounting scheme, non-accounting is used and the real-time accounting function is disabled.
Step 7 (Optional) Run:
user-group group-name

A user group is applied to the domain.


By default, no user group is applied to a domain.
NOTE

This step is applicable to only wireless users.

Step 8 (Optional) Run:
service-scheme service-scheme-name

A service scheme is applied to the domain.


By default, no service scheme is applied to a domain.
Step 9 Run:
hwtacacs-server template-name

An HWTACACS server template is applied to the domain.


By default, no HWTACACS server template is applied to a domain.
Step 10 (Optional) Run:
state { active | block }

The domain state is configured.


When a domain is in blocking state, users in this domain cannot log in. By default, a domain is
in active state after being created.
Step 11 Run:
quit

Exit from the domain view.


Step 12 (Optional) Run:
domain-name-delimiter delimiter

A domain name delimiter is configured.


A domain name delimiter can be any of the following: \ / : < > | @ ' %.
The default domain name delimiter is @.
Step 13 Run:
quit

Return to the system view.


Step 14 (Optional) Run:
interface wlan-ess wlan-ess-number

A WLAN-ESS interface is created and its view is displayed.


Step 15 (Optional) Run:
force-domain domain-name

The forcible authentication domain is configured on an interface.


By default, no forcible authentication domain is configured on an interface.
NOTE

This step is applicable to only wireless users.

Step 16 (Optional) Run:
permit-domain domain-name &<1-4>

The permitted domain is configured for wireless users.


By default, no permitted domain is specified for WLAN users.
NOTE

This step is applicable to only wireless users.

----End
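The procedures for the HWTACACS server template and for the domain above reference schemes and templates by name, and the device does not stop you from applying a name that was never defined, from leaving a template without a shared key, or from configuring only a primary server. The following Python script, added here as a worked example and not part of the AC6605 documentation or its software, parses a configuration file in the format of the Configuration Files sections of this chapter and reports such problems. It assumes the file keeps the one-space-per-level indentation that the device writes (the listings in this guide have lost it). The two configuration fragments in the script are constructed for illustration: the first is an abridged copy of this chapter's HWTACACS example, the second a deliberately weak variant. The script also checks radius-server templates in the same way, since the same reference rules apply to them.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

SCHEME_KINDS = ("authentication-scheme", "authorization-scheme", "accounting-scheme", "service-scheme")
# Server roles that a template of each protocol defines
ROLES = {"hwtacacs-server": ("authentication", "authorization", "accounting"),
         "radius-server": ("authentication", "accounting")}


@dataclass
class Node:
    line: str
    children: List["Node"] = field(default_factory=list)


def parse_vrp(text: str) -> List[Node]:
    """Tree from indentation (one space per level, as the device writes it); '#', 'return' and blank lines are skipped."""
    roots: List[Node] = []
    stack: List[Tuple[int, Node]] = []
    for raw in text.splitlines():
        if not raw.strip() or raw.strip() in ("#", "return"):
            continue
        depth, node = len(raw) - len(raw.lstrip(" ")), Node(raw.strip())
        while stack and stack[-1][0] >= depth:
            stack.pop()
        (stack[-1][1].children if stack else roots).append(node)
        stack.append((depth, node))
    return roots


def audit_aaa(text: str) -> List[str]:
    """Findings about server templates and domain references; an empty list means nothing found."""
    findings: List[str] = []
    templates: Dict[Tuple[str, str], List[str]] = {}        # (protocol, name) -> template lines
    schemes = {kind: {"default"} for kind in SCHEME_KINDS}  # the default schemes are built in
    domains: List[Node] = []
    for node in parse_vrp(text):
        w = node.line.split()
        if w[0] in ROLES and w[1:2] == ["template"]:
            templates[(w[0], w[2])] = [c.line for c in node.children]
        elif node.line == "aaa":
            for child in node.children:
                cw = child.line.split()
                if cw[0] in SCHEME_KINDS:
                    schemes[cw[0]].add(cw[1])
                elif cw[0] == "domain":
                    domains.append(child)
    for (proto, name), lines in templates.items():
        keys = [l.split() for l in lines if l.startswith(f"{proto} shared-key")]
        if not keys:
            findings.append(f"template {name}: no shared key configured")
        elif any(k[2] == "simple" for k in keys):
            findings.append(f"template {name}: shared key stored in plain text (simple); use cipher")
        for role in ROLES[proto]:
            servers = [l for l in lines if l.startswith(f"{proto} {role} ")]
            if not any(not l.endswith(" secondary") for l in servers):
                findings.append(f"template {name}: no primary {role} server")
            elif not any(l.endswith(" secondary") for l in servers):
                findings.append(f"template {name}: no secondary {role} server, so no failover")
    for dom in domains:
        dname = dom.line.split()[1]
        for child in dom.children:
            cw = child.line.split()
            if cw[0] in SCHEME_KINDS and cw[1] not in schemes[cw[0]]:
                findings.append(f"domain {dname}: {cw[0]} {cw[1]} is not defined")
            elif cw[0] in ROLES and (cw[0], cw[1]) not in templates:
                findings.append(f"domain {dname}: {cw[0]} template {cw[1]} is not defined")
    return findings


# Constructed sample: this chapter's HWTACACS example, abridged, with the
# device's indentation restored (the listing in the guide is flattened).
GUIDE_CONFIG = """\
hwtacacs-server template ht
 hwtacacs-server authentication 129.7.66.66
 hwtacacs-server authentication 129.7.66.67 secondary
 hwtacacs-server authorization 129.7.66.66
 hwtacacs-server authorization 129.7.66.67 secondary
 hwtacacs-server accounting 129.7.66.66
 hwtacacs-server accounting 129.7.66.67 secondary
 hwtacacs-server shared-key cipher %$%$|)&LT+J>dN>=IqD<gO/Fj$xo%$%$
#
aaa
 authentication-scheme l-h
  authentication-mode hwtacacs local
 authorization-scheme hwtacacs
 accounting-scheme hwtacacs
 domain huawei
  authentication-scheme l-h
  authorization-scheme hwtacacs
  accounting-scheme hwtacacs
  hwtacacs-server ht
"""
# Constructed weak variant: plain-text key, no failover, undefined references.
WEAK_CONFIG = """\
hwtacacs-server template weak
 hwtacacs-server authentication 192.0.2.10
 hwtacacs-server shared-key simple hello
#
aaa
 authentication-scheme l-h
 domain branch
  authentication-scheme l-h
  accounting-scheme hwtacacs
  hwtacacs-server missing
"""
```

Running audit_aaa(WEAK_CONFIG) reports the plain-text key, the missing secondary authentication server, the absent authorization and accounting servers, and the two dangling references in domain branch; audit_aaa(GUIDE_CONFIG) returns no findings. The same checks can be run against the output of display current-configuration after the procedures in this section have been completed.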

Checking the Configuration


Procedure
- Run the display aaa configuration command to check the AAA summary.
- Run the display authentication-scheme [ authentication-scheme-name ] command to check the
  authentication scheme configuration.
- Run the display authorization-scheme [ authorization-scheme-name ] command to check the
  authorization scheme configuration.
- Run the display accounting-scheme [ accounting-scheme-name ] command to check the
  accounting scheme configuration.
- Run the display service-scheme [ name name ] command to check the service scheme
  configuration.
- Run the display hwtacacs-server template [ template-name [ verbose ] ] command to check the
  HWTACACS server template configuration.
- Run the display hwtacacs-server accounting-stop-packet { all | number | ip ip-address }
  command to check the accounting-stop packets of the HWTACACS server.
- Run the display domain [ name domain-name ] command to check the domain configuration.

----End

8.1.6 Maintaining AAA


AAA maintenance includes clearing AAA statistics.

Clearing AAA Statistics

Context

CAUTION
The AAA statistics cannot be restored after being cleared. Confirm your operation before
clearing the AAA statistics.
Run the following commands to clear the statistics.

Procedure
- Run the reset aaa { offline-record | abnormal-offline-record | online-fail-record } command
  to clear the offline records, the abnormal offline records, and the login failure statistics.
- Run the reset hwtacacs-server statistics { accounting | all | authentication |
  authorization } command to clear the HWTACACS statistics.
- Run the reset hwtacacs-server accounting-stop-packet { all | ip ip-address } command to
  clear the statistics on HWTACACS accounting-stop packets.
- Run the reset radius-server accounting-stop-packet { all | ip ip-address } command to clear
  the statistics on RADIUS accounting-stop packets.
  NOTE
  This step is applicable to only wireless users.

----End

8.1.7 Configuration Examples


This section provides several AAA configuration examples, including networking requirements,
configuration notes, and configuration roadmap.

Example for Configuring RADIUS Authentication and Accounting


Networking Requirements
As shown in Figure 8-3, users access the network through Switch A and belong to the domain
huawei. Switch B functions as the network access server of the destination network. Request
packets from users need to traverse the network where Switch A and Switch B are located to
reach the authentication server. Users can access the destination network through Switch B only
after being authenticated. The remote authentication on Switch B is described as follows:
- The RADIUS server authenticates access users for Switch B. If RADIUS authentication fails,
  local authentication is used.
- The RADIUS server at 129.7.66.66/24 functions as the primary authentication and accounting
  server. The RADIUS server at 129.7.66.67/24 functions as the secondary authentication and
  accounting server. The default authentication port and accounting port are 1812 and 1813.

Figure 8-3 Networking diagram of RADIUS authentication and accounting (figure not reproduced:
users in domain huawei reach the network through Switch A; Switch B is the network access
server in front of the destination network; the RADIUS servers are 129.7.66.66/24 and
129.7.66.67/24)

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure a RADIUS server template.
2. Configure an authentication scheme and an accounting scheme.
3. Apply the RADIUS server template, authentication scheme, and accounting scheme to the
   domain.
NOTE

Perform the following configurations only on Switch B.

Procedure
Step 1 Configure a RADIUS server template.
# Configure a RADIUS template shiva.
<Quidway> system-view
[Quidway] radius-server template shiva

# Configure the IP address and port numbers of the primary RADIUS authentication and
accounting server.
[Quidway-radius-shiva] radius-server authentication 129.7.66.66 1812
[Quidway-radius-shiva] radius-server accounting 129.7.66.66 1813

# Configure the IP address and port numbers of the secondary RADIUS authentication and
accounting server.
[Quidway-radius-shiva] radius-server authentication 129.7.66.67 1812 secondary
[Quidway-radius-shiva] radius-server accounting 129.7.66.67 1813 secondary

# Set the key and retransmission count for the RADIUS server, and configure the device not to
encapsulate the domain name in the user name when sending RADIUS packets to a RADIUS
server.
[Quidway-radius-shiva] radius-server shared-key cipher hello
[Quidway-radius-shiva] radius-server retransmit 2
[Quidway-radius-shiva] undo radius-server user-name domain-included
[Quidway-radius-shiva] quit

Step 2 Configure authentication and accounting schemes.


# Create an authentication scheme auth. In the authentication scheme, the system performs
RADIUS authentication first, and performs local authentication if RADIUS authentication fails.
[Quidway] aaa
[Quidway-aaa] authentication-scheme auth
[Quidway-aaa-authen-auth] authentication-mode radius local
[Quidway-aaa-authen-auth] quit

# Configure the accounting scheme abc, which uses RADIUS accounting and keeps users online
when start-accounting fails.
[Quidway-aaa] accounting-scheme abc
[Quidway-aaa-accounting-abc] accounting-mode radius
[Quidway-aaa-accounting-abc] accounting start-fail online
[Quidway-aaa-accounting-abc] quit

Step 3 Configure a domain huawei and apply authentication scheme auth, accounting scheme abc,
and RADIUS server template shiva to the domain.
[Quidway-aaa] domain huawei
[Quidway-aaa-domain-huawei] authentication-scheme auth
[Quidway-aaa-domain-huawei] accounting-scheme abc
[Quidway-aaa-domain-huawei] radius-server shiva
[Quidway-aaa-domain-huawei] quit

NOTE

After the domain huawei is configured, if a user enters the user name in the format of user@huawei, the device
authenticates the user in the domain huawei. If the user name does not contain the domain name or the domain
name in the user name does not exist, the device authenticates the user in the default domain.
The domain that a user belongs to depends on the RADIUS client but not the RADIUS server. After the undo
radius-server user-name domain-included command is executed on SwitchB, SwitchB sends the user name
without the domain name to the RADIUS server when receiving the user name in the format of user@huawei.
However, SwitchB places the user in the domain huawei for authentication.

Step 4 Verify the configuration.


Run the display radius-server configuration template command on Switch B, and you can
see that the configuration of the RADIUS server template meets the requirements.
<Quidway> display radius-server configuration template shiva
------------------------------------------------------------------------------
Server-template-name            : shiva
Protocol-version                : standard
Traffic-unit                    : B
Shared-secret-key               : ****************
Timeout-interval(in second)     : 5
Primary-authentication-server   : 129.7.66.66 :1812 :LoopBack:NULL Source-IP:0.0.0.0
Primary-accounting-server       : 129.7.66.66 :1813 :LoopBack:NULL Source-IP:0.0.0.0
Secondary-authentication-server : 129.7.66.67 :1812 :LoopBack:NULL Source-IP:0.0.0.0
Secondary-accounting-server     : 129.7.66.67 :1813 :LoopBack:NULL Source-IP:0.0.0.0
Retransmission                  : 2
Domain-included                 : NO
NAS-IP-Address                  : 0.0.0.0
Calling-station-id MAC-format   : xxxx-xxxx-xxxx
------------------------------------------------------------------------------

----End

Configuration Files
Configuration files on Switch B
#
radius-server template shiva
radius-server shared-key cipher %$%$1"y;E[c;<.(_RS/w*!`IOxof%$%$
radius-server authentication 129.7.66.66 1812
radius-server authentication 129.7.66.67 1812 secondary
radius-server accounting 129.7.66.66 1813
radius-server accounting 129.7.66.67 1813 secondary
radius-server retransmit 2
undo radius-server user-name domain-included
#
aaa
authentication-scheme auth
authentication-mode radius local
accounting-scheme abc
accounting-mode radius
accounting start-fail online
domain huawei
authentication-scheme auth
accounting-scheme abc
radius-server shiva
#
return
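The NOTE in Step 3 above describes how the device chooses a user's authentication domain from the user name and, separately, which user name it sends to the server; Step 12 of "Configuring a Domain" lists the delimiters that domain-name-delimiter accepts. The following Python function, added here as a worked example and not part of the AC6605 documentation or its software, implements those rules: the text after the delimiter selects the domain if such a domain exists, otherwise the default domain is used, and the user name sent to the server keeps or drops the domain part according to the user-name domain-included setting of the template applied to that domain. Two points are assumptions of this example rather than statements of the guide: a name containing several delimiters is split at the last one, and a force-domain configured on the interface overrides the domain carried in the user name. The domain and template names are taken from the example above; the configuration object is constructed for illustration.

```python
"""Domain selection and user-name forwarding for AAA logins (added example, not Huawei code)."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

# Delimiters accepted by domain-name-delimiter (Step 12 of "Configuring a Domain")
ALLOWED_DELIMITERS = set("\\/:<>|@'%")


@dataclass
class AaaConfig:
    domains: Set[str]                                  # domains created in the aaa view
    delimiter: str = "@"                               # domain-name-delimiter, default @
    default_domain: str = "default"                    # used when no domain matches
    # domain -> server template applied to it (radius-server / hwtacacs-server)
    domain_template: Dict[str, str] = field(default_factory=dict)
    # template -> value of "user-name domain-included" (True unless undone)
    domain_included: Dict[str, bool] = field(default_factory=dict)

    def __post_init__(self) -> None:
        if self.delimiter not in ALLOWED_DELIMITERS:
            raise ValueError(f"{self.delimiter!r} is not a valid domain name delimiter")
        self.domains = set(self.domains) | {self.default_domain}  # default always exists


def resolve_login(cfg: AaaConfig, login_name: str,
                  force_domain: Optional[str] = None) -> Tuple[str, str]:
    """Return (authentication domain, user name sent to the AAA server).

    Assumptions of this example: a name with several delimiters is split at the
    last one, and a force-domain on the interface overrides the name's domain.
    """
    bare, sep, named_domain = login_name.rpartition(cfg.delimiter)
    if force_domain is not None:
        domain = force_domain
    elif sep and named_domain in cfg.domains:
        domain = named_domain
    else:
        domain = cfg.default_domain       # no delimiter, or unknown domain name

    template = cfg.domain_template.get(domain)
    include_domain = cfg.domain_included.get(template, True) if template else True
    if include_domain or not sep:
        return domain, login_name         # forwarded exactly as typed
    return domain, bare                   # domain part stripped before forwarding


if __name__ == "__main__":
    # Constructed from the example above: template shiva with
    # "undo radius-server user-name domain-included", applied to domain huawei.
    cfg = AaaConfig(domains={"huawei"}, domain_template={"huawei": "shiva"},
                    domain_included={"shiva": False})
    for name in ("alice@huawei", "alice@nowhere", "bob"):
        print(name, "->", resolve_login(cfg, name))
```

With this configuration, alice@huawei is authenticated in domain huawei and the server receives alice, while alice@nowhere and bob both fall into the default domain, whose schemes and template then decide how they are handled. That is the reason to keep the default domain tightly configured, or blocked with state block, on a device where every legitimate user belongs to a named domain.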

Example for Configuring HWTACACS Authentication, Accounting, and Authorization
Networking Requirements
As shown in Figure 8-4, the customer requirements are as follows:
- The HWTACACS server authenticates access users for SwitchB. If HWTACACS authentication
  fails, local authentication is used.
- HWTACACS authentication is required before the level of access users is upgraded. If
  HWTACACS authentication fails, local authentication is used.
- The HWTACACS server authorizes access users for SwitchB. If HWTACACS authorization fails,
  local authorization is used.
- HWTACACS accounting is used by SwitchB for access users.
- Real-time accounting is performed every 3 minutes.
- The IP addresses of the primary and secondary HWTACACS servers are 129.7.66.66/24 and
  129.7.66.67/24. The port number for authentication, accounting, and authorization is 49.

Figure 8-4 Networking diagram of HWTACACS authentication, accounting, and authorization
(figure not reproduced: users in domain huawei reach the network through Switch A; Switch B is
the network access server in front of the destination network; the HWTACACS servers are
129.7.66.66/24 and 129.7.66.67/24)

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure an HWTACACS server template.
2. Configure authentication, authorization, and accounting schemes.
3. Apply the HWTACACS server template, authentication scheme, authorization scheme, and
   accounting scheme to the domain.
NOTE

Perform the following configurations only on SwitchB.

Procedure
Step 1 Enable HWTACACS.
<Quidway> system-view
[Quidway] hwtacacs enable
NOTE

The HWTACACS function is enabled by default. If the HWTACACS configuration has not been modified,
you do not need to run this command.

Step 2 Configure an HWTACACS server template.


# Configure the HWTACACS server template ht.
[Quidway] hwtacacs-server template ht

# Configure the IP addresses and port numbers of the primary HWTACACS authentication,
authorization, and accounting servers.
[Quidway-hwtacacs-ht] hwtacacs-server authentication 129.7.66.66 49
[Quidway-hwtacacs-ht] hwtacacs-server authorization 129.7.66.66 49
[Quidway-hwtacacs-ht] hwtacacs-server accounting 129.7.66.66 49

# Configure the IP addresses and port numbers of the secondary HWTACACS authentication,
authorization, and accounting servers.
[Quidway-hwtacacs-ht] hwtacacs-server authentication 129.7.66.67 49 secondary
[Quidway-hwtacacs-ht] hwtacacs-server authorization 129.7.66.67 49 secondary
[Quidway-hwtacacs-ht] hwtacacs-server accounting 129.7.66.67 49 secondary

# Configure the shared key of the HWTACACS server.


[Quidway-hwtacacs-ht] hwtacacs-server shared-key cipher hello
[Quidway-hwtacacs-ht] quit

Step 3 Configure the authentication scheme, authorization scheme, and accounting scheme.
# Create an authentication scheme l-h. In the authentication scheme, the system performs
HWTACACS authentication first, and performs local authentication if HWTACACS
authentication fails. HWTACACS authentication is used if the level of users is upgraded.
[Quidway] aaa
[Quidway-aaa] authentication-scheme l-h
[Quidway-aaa-authen-l-h] authentication-mode hwtacacs local
[Quidway-aaa-authen-l-h] authentication-super hwtacacs
[Quidway-aaa-authen-l-h] quit

# Create an authorization scheme hwtacacs. In the authorization scheme, the system performs
HWTACACS authorization first, and performs local authorization if HWTACACS
authorization fails.
[Quidway-aaa] authorization-scheme hwtacacs
[Quidway-aaa-author-hwtacacs] authorization-mode hwtacacs local
[Quidway-aaa-author-hwtacacs] quit

# Create an accounting scheme hwtacacs and set HWTACACS accounting.


[Quidway-aaa] accounting-scheme hwtacacs
[Quidway-aaa-accounting-hwtacacs] accounting-mode hwtacacs
[Quidway-aaa-accounting-hwtacacs] accounting start-fail online

# Set the interval of real-time accounting to 3 minutes.


[Quidway-aaa-accounting-hwtacacs] accounting realtime 3
[Quidway-aaa-accounting-hwtacacs] quit

Step 4 Configure a domain huawei, and apply the authentication scheme l-h, authorization scheme
hwtacacs, accounting scheme hwtacacs, and the HWTACACS server template ht to the domain.
[Quidway-aaa] domain huawei
[Quidway-aaa-domain-huawei] authentication-scheme l-h
[Quidway-aaa-domain-huawei] authorization-scheme hwtacacs
[Quidway-aaa-domain-huawei] accounting-scheme hwtacacs
[Quidway-aaa-domain-huawei] hwtacacs-server ht
[Quidway-aaa-domain-huawei] quit
[Quidway-aaa] quit
[Quidway] quit

Step 5 Verify the configuration.


Run the display hwtacacs-server template command on SwitchB, and you can see that the
configuration of the HWTACACS server template meets the requirements.
<Quidway> display hwtacacs-server template ht
---------------------------------------------------------------------------
HWTACACS-server template name   : ht
Primary-authentication-server   : 129.7.66.66:49:-
Primary-authorization-server    : 129.7.66.66:49:-
Primary-accounting-server       : 129.7.66.66:49:-
Secondary-authentication-server : 129.7.66.67:49:-
Secondary-authorization-server  : 129.7.66.67:49:-
Secondary-accounting-server     : 129.7.66.67:49:-
Current-authentication-server   : 129.7.66.66:49:-
Current-authorization-server    : 129.7.66.66:49:-
Current-accounting-server       : 129.7.66.66:49:-
Source-IP-address               : 0.0.0.0
Shared-key                      : ****************
Quiet-interval(min)             : 5
Response-timeout-Interval(sec)  : 5
Domain-included                 : Yes
Traffic-unit                    : B
---------------------------------------------------------------------------

Run the display domain command on SwitchB, and you can see that the configuration of the
domain meets the requirements.
<Quidway> display domain name huawei
Domain-name                     : huawei
Domain-state                    : Active
Authentication-scheme-name      : l-h
Accounting-scheme-name          : hwtacacs
Authorization-scheme-name       : hwtacacs
Service-scheme-name             :
RADIUS-server-template          :
HWTACACS-server-template        : ht
User-group                      : -

----End

Configuration Files
Configuration files on Switch B
#
hwtacacs-server template ht
hwtacacs-server authentication 129.7.66.66
hwtacacs-server authentication 129.7.66.67 secondary
hwtacacs-server authorization 129.7.66.66
hwtacacs-server authorization 129.7.66.67 secondary
hwtacacs-server accounting 129.7.66.66
hwtacacs-server accounting 129.7.66.67 secondary
hwtacacs-server shared-key cipher %$%$|)&LT+J>dN>=IqD<gO/Fj$xo%$%$
#
aaa
authentication-scheme default
authentication-scheme l-h
authentication-mode hwtacacs local
authentication-super hwtacacs
authorization-scheme default
authorization-scheme hwtacacs
authorization-mode hwtacacs local
accounting-scheme default
accounting-scheme hwtacacs
accounting-mode hwtacacs
accounting realtime 3
accounting start-fail online
domain default
domain default_admin
domain huawei
authentication-scheme l-h
accounting-scheme hwtacacs
authorization-scheme hwtacacs

hwtacacs-server ht
#
return

8.2 NAC Configuration (for wired users)


This chapter describes NAC principles for wired users and configuration methods and provides
configuration examples.

8.2.1 NAC Overview


Network Admission Control (NAC) is an end-to-end access security framework and includes
802.1x authentication, MAC address authentication, and Portal authentication.
As enterprise networks grow, threats such as viruses, Trojan horses, spyware, and malicious
network attacks bring increasing risk. On a traditional enterprise network, the intranet is
considered secure and threats are expected from the extranet. In practice, however, about 80%
of security threats originate inside the intranet, and such threats cause serious, widespread
damage, in the worst case bringing down systems and the network. In addition, when internal
users browse websites on the external network, spyware and Trojan horses may be installed on
their computers without the users noticing, and the malware may then spread across the
internal network.
Traditional perimeter defenses cannot keep up with these security challenges. The security
model must become proactive and address problems at their root, the terminals, to raise the
information security level of the entire enterprise.
The NAC solution combines terminal security with access control. It checks, audits, secures,
and isolates terminals to improve their proactive protection capability, ensuring the security
of each terminal and of the entire enterprise network.
NAC includes three components: NAC terminal, network access device, and access server.
- NAC terminal: functions as the NAC client and interacts with network access devices to
  authenticate access users. If 802.1x authentication is used, users must install client
  software.
- Network access device: functions as the network access control point that enforces
  enterprise security policies. It allows, rejects, isolates, or restricts users based on the
  security policies customized for the enterprise network.
- Access server: includes the access control server, management server, antivirus server, and
  patch server. It authenticates users, checks terminal security, repairs and upgrades the
  system, and monitors and audits user actions.

8.2.2 NAC Features Supported by the Device


The device functions as a network access device (NAD) in the NAC solution and supports 802.1x
authentication (also called dot1x authentication), MAC address authentication, and Portal
authentication.

802.1x Authentication
The IEEE 802.1x standard (802.1x) is an interface-based network access control protocol. It
authenticates and controls access devices connected to an access control device interface on a
LAN. User devices connected to the interface can access resources on the LAN after being
authenticated.
MAC Address Authentication


MAC address authentication controls a user's network access permission based on the user's
interface and MAC address. The user does not need to install any client software. The user's
MAC address serves as the user name and password. After detecting the MAC address of a user
for the first time at an interface where the MAC address authentication is enabled, the device
starts authenticating the user.
NOTE

802.1x authentication and MAC address authentication cannot be enabled on the same interface.

Portal Authentication
Portal authentication is also referred to as Web authentication. When a user opens a browser for
the first time and enters any website address, the user is forcibly redirected to an authentication
page of a Portal server and can access network resources only after being authenticated.
The Portal protocol is based on a client/server structure and uses the User Datagram Protocol
(UDP) as the transmission protocol. The Portal protocol is mainly used in information exchange
between the Portal server and other devices. In Portal authentication, the Portal protocol is used
in communication between the Portal server and a device that is used as a client.
NOTE

If 802.1x authentication, MAC address authentication, or MAC address bypass authentication is enabled
on a Layer 2 interface, portal authentication cannot be configured on the VLANIF interface of a VLAN to
which the Layer 2 interface is added.

Comparison of Three Authentication Modes


Table 8-1 provides the comparison among 802.1x authentication, MAC address authentication,
and Portal authentication.
Table 8-1 Comparison of authentication modes

| Item | 802.1x Authentication | Portal Authentication | MAC Address Authentication |
|---|---|---|---|
| Client requirement | Required | Required in Portal authentication, not required in forcible web authentication | Not required |
| Advantage | Direct control over connection/disconnection of the network access information interface, and high security when 802.1x authentication is deployed in the access layer | Flexible deployment | No client required |
| Disadvantage | Inflexible deployment | Low security | Complex management requiring MAC address registration |
| Application scenario | New network with concentrated users and high information security requirements | Scattered users | Dumb terminals (printers and fax machines) that require access authentication |

8.2.3 Default Configuration


This section provides the default NAC configuration. You can change the configuration as
needed.
Table 8-2 describes the default configuration of 802.1x authentication.
Table 8-2 Default configuration of 802.1x authentication

| Parameter | Default setting |
|---|---|
| 802.1x authentication | Disabled |
| User authentication mode | CHAP authentication |
| Handshake timer (handshake-period) | 15 seconds |
| Quiet timer (quiet-period) | 60 seconds |
| Periodic re-authentication timer (reauthenticate-period) | 3600 seconds |
| Server timeout timer (server-timeout) | 30 seconds |
| Client timeout timer (client-timeout) | 30 seconds |
| User name request timeout timer (tx-period) | 30 seconds |
| Maximum number of times that an authentication request packet is sent | |

Table 8-3 describes the default configuration of MAC address authentication.
Table 8-3 Default configuration of MAC address authentication

| Parameter | Default setting |
|---|---|
| MAC address authentication | Disabled |
| User name format | User names and passwords in MAC address authentication are MAC addresses without hyphens. |
| User authentication domain | Default |
| Quiet timer (quiet-period) | 60 seconds |
| Periodic re-authentication timer (reauthenticate-period) | 1800 seconds |
| Server timeout timer (server-timeout) | 30 seconds |

Table 8-4 describes the default configuration of Portal authentication.

Table 8-4 Default configuration of Portal authentication

Parameter | Default setting
Portal authentication | Disabled
Portal protocol versions supported by the device | v2, v1
Destination port to which the device sends packets to the Portal server | 50100
Port on which the device listens for Portal protocol packets | 2000
Offline detection period | 300 seconds

8.2.4 Configuring 802.1x Authentication


You can configure 802.1x authentication to implement interface-based network access control:
access users connected to an interface of the access control device are authenticated, and
their access is controlled, on that interface.

Prerequisites
802.1x only provides a user authentication solution. To implement this solution, the AAA
function must also be configured. Therefore, complete the following tasks before you
configure 802.1x authentication:
- Configure the authentication domain and AAA scheme on the AAA client.
- Configure the user name and password on the RADIUS or HWTACACS server if RADIUS or
  HWTACACS authentication is used.
- Configure the user name and password manually on the network access device if local
  authentication is used.

For the configuration of the AAA client, see 8.1 AAA Configuration in the AC6605 Access
Controller Configuration Guide - Security.

Enabling 802.1x Authentication


Context
The 802.1x configuration takes effect on an interface only after 802.1x authentication is enabled
both globally and on the interface.
If users are online through 802.1x authentication on an interface, 802.1x authentication cannot be
disabled on that interface.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
dot1x enable

Global 802.1x authentication is enabled.


By default, global 802.1x authentication is disabled.
Step 3 Enable 802.1x authentication on the interface, in either the system view or the interface view.
- In the system view, run:
  dot1x enable interface { interface-type interface-number1 [ to interface-number2 ] } &<1-10>
  802.1x authentication is enabled on the specified interfaces.
- In the interface view, run:
  interface interface-type interface-number
  The interface view is displayed. Then run:
  dot1x enable
  802.1x authentication is enabled on the interface.
By default, 802.1x authentication is disabled on an interface.
----End

(Optional) Configuring the Authorization State of an Interface


Context
You can configure the authorization state of an interface to control whether an access user must
be authenticated before accessing network resources. The interface supports the following
authorization states:
- Auto mode: The interface is initially in the Unauthorized state and sends and receives EAPOL
  packets only; users cannot access network resources. After a user passes authentication, the
  interface changes to the Authorized state and users are allowed to access network resources.
- Authorized-force mode: The interface is always in the Authorized state and allows users to
  access network resources without authentication.
- Unauthorized-force mode: The interface is always in the Unauthorized state and never allows
  users to access network resources.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Configure the authorization state of the interface, in either the system view or the interface view.
- In the system view, run:
  dot1x port-control { auto | authorized-force | unauthorized-force } interface { interface-type interface-number1 [ to interface-number2 ] } &<1-10>
  The authorization state of the specified interfaces is configured.
- In the interface view, run:
  interface interface-type interface-number
  The interface view is displayed. Then run:
  dot1x port-control { auto | authorized-force | unauthorized-force }
  The authorization state of the interface is configured.
By default, the authorization state of an interface is auto.
----End

(Optional) Configuring the Access Control Mode of an Interface


Context
After 802.1x authentication is enabled, the device supports two access control modes on an
interface:
- Interface-based mode: After the first user on the interface passes authentication, other
  users on the interface can access the network without being authenticated. When the
  authenticated user goes offline, the other users lose network access as well. This mode is
  applicable to group users.
- MAC address-based mode: Every user on the interface must be authenticated. When one user
  goes offline, the other authenticated users keep their network access. This mode is
  applicable to individual users.
NOTE
While 802.1x users are online on an interface, you cannot change the access control mode of that interface.
Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Configure the access control mode of the interface, in either the system view or the interface view.
- In the system view, run:
  dot1x port-method { mac | port } interface { interface-type interface-number1 [ to interface-number2 ] } &<1-10>
  The access control mode of the specified interfaces is configured.
- In the interface view, run:
  interface interface-type interface-number
  The interface view is displayed. Then run:
  dot1x port-method { mac | port }
  The access control mode of the interface is configured.
By default, an interface uses the MAC address-based mode.
----End

(Optional) Setting the User Authentication Mode


Context
During 802.1x authentication, users exchange authentication information with the device using
EAP packets. The device can exchange that information with the RADIUS server in two ways.
- EAP termination: The device parses the EAP packets itself, encapsulates the user
  authentication information into a RADIUS packet, and sends it to the RADIUS server for
  authentication. EAP termination uses either PAP or CHAP towards the server:
  - PAP is a two-way handshake authentication protocol. The password itself is carried in the
    RADIUS packet, protected only by the RADIUS shared secret, so anyone who obtains the
    shared secret can recover it.
  - CHAP is a three-way handshake authentication protocol. Only the user name and a challenge
    response are carried in the RADIUS packet, never the password. CHAP is more secure and
    reliable than PAP; if high security is required, CHAP is recommended.
  After the device has parsed the EAP packets, the user information can be authenticated by the
  local AAA module or sent to a RADIUS or HWTACACS server.
- EAP relay (specified by eap): The device does not parse the received EAP packets; it
  encapsulates them unchanged into RADIUS packets and sends them to the RADIUS server. This
  mechanism is called EAP over RADIUS (EAPoR).

The EAP relay mechanism requires that the RADIUS server be able to parse the EAP packets and
perform the authentication itself. Use EAP relay if the RADIUS server has sufficient processing
capability. If the RADIUS server has limited processing capability, EAP termination is
recommended, because the device then parses the EAP packets on the server's behalf.
NOTE
EAP relay can be configured for 802.1x users only when RADIUS authentication is used.

Procedure
Step 1 Run:
system-view

The system view is displayed.


----End
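To make the difference between the two modes concrete, the following Python sketch builds the RADIUS attributes the device would send in each case. It is an added illustration, not code from this guide or from Huawei: PAP termination needs the password in User-Password (hidden only by the shared secret, RFC 2865 section 5.2), CHAP termination carries a CHAP-Password response plus the challenge (section 5.3), and EAP relay wraps the unparsed EAP packet in EAP-Message attributes (RFC 3579). The shared secret, credentials, Request Authenticator and challenge are constructed sample values, and the RADIUS packet header and Message-Authenticator are omitted.

```python
import hashlib
import struct

# Constructed sample values for this example (not from the guide or any deployment).
SHARED_SECRET = b"radius-shared-secret"
USERNAME = b"alice"
PASSWORD = b"correct horse battery"
REQUEST_AUTHENTICATOR = bytes(range(16))   # normally 16 random bytes per Access-Request
CHAP_CHALLENGE = bytes.fromhex("00112233445566778899aabbccddeeff")

# RADIUS attribute type codes (RFC 2865 and, for EAP-Message, RFC 3579)
USER_NAME, USER_PASSWORD, CHAP_PASSWORD, CHAP_CHALLENGE_ATTR, EAP_MESSAGE = 1, 2, 3, 60, 79


def avp(type_code: int, value: bytes) -> bytes:
    """Encode one RADIUS attribute as Type, Length, Value (value at most 253 bytes)."""
    if len(value) > 253:
        raise ValueError("attribute value too long; split it first")
    return struct.pack("!BB", type_code, len(value) + 2) + value


def parse_avps(data: bytes) -> dict:
    """Decode a run of attributes into {type: [value, ...]}, as the RADIUS server does."""
    attrs, pos = {}, 0
    while pos < len(data):
        type_code, length = struct.unpack("!BB", data[pos:pos + 2])
        attrs.setdefault(type_code, []).append(data[pos + 2:pos + length])
        pos += length
    return attrs


def hide_user_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2 User-Password hiding, used for PAP termination.

    The password is NUL-padded to a multiple of 16 bytes and XORed with an MD5 keystream
    derived from the shared secret and the Request Authenticator. Anyone holding the shared
    secret reverses it, so the password is protected by that secret alone.
    """
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = bytearray(), authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += block
        prev = block
    return bytes(out)


def reveal_user_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_user_password: how the RADIUS server recovers the PAP password."""
    out, prev = bytearray(), authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out += bytes(c ^ k for c, k in zip(block, key))
        prev = block
    return bytes(out).rstrip(b"\x00")


def chap_response(ident: int, password: bytes, challenge: bytes) -> bytes:
    """CHAP-Password value (RFC 2865 section 5.3): Ident byte + MD5(Ident + password + challenge).

    An EAP-MD5 client computes exactly this, which is why CHAP termination lets the device
    forward the client's response to the server without ever seeing the password.
    """
    ident_byte = bytes([ident])
    return ident_byte + hashlib.md5(ident_byte + password + challenge).digest()


def chap_verify(chap_pw: bytes, stored_password: bytes, challenge: bytes) -> bool:
    """Server side: recompute the response from the stored password and compare."""
    return len(chap_pw) == 17 and chap_pw == chap_response(chap_pw[0], stored_password, challenge)


def termination_pap(username: bytes, password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """EAP termination with PAP: the device must hold the plain-text password to build this."""
    return avp(USER_NAME, username) + avp(USER_PASSWORD, hide_user_password(password, secret, authenticator))


def termination_chap(username: bytes, password: bytes, challenge: bytes, ident: int = 1) -> bytes:
    """EAP termination with CHAP: only the challenge and the hashed response travel to the server."""
    return (avp(USER_NAME, username)
            + avp(CHAP_PASSWORD, chap_response(ident, password, challenge))
            + avp(CHAP_CHALLENGE_ATTR, challenge))


def eap_response_identity(identifier: int, identity: bytes) -> bytes:
    """An EAP-Response/Identity packet (Code 2, Type 1) as a client sends it."""
    return struct.pack("!BBHB", 2, identifier, 5 + len(identity), 1) + identity


def relay_eapor(username: bytes, eap_packet: bytes) -> bytes:
    """EAP relay (EAPoR): the device forwards the EAP packet unparsed in EAP-Message
    attributes of at most 253 bytes each; the RADIUS server does all EAP processing."""
    chunks = [eap_packet[i:i + 253] for i in range(0, len(eap_packet), 253)]
    return avp(USER_NAME, username) + b"".join(avp(EAP_MESSAGE, c) for c in chunks)


def reassemble_eap(attrs: dict) -> bytes:
    """Server side: join the EAP-Message attributes back into the original EAP packet."""
    return b"".join(attrs.get(EAP_MESSAGE, []))


if __name__ == "__main__":
    print("PAP  :", parse_avps(termination_pap(USERNAME, PASSWORD, SHARED_SECRET, REQUEST_AUTHENTICATOR)))
    print("CHAP :", parse_avps(termination_chap(USERNAME, PASSWORD, CHAP_CHALLENGE)))
    print("Relay:", parse_avps(relay_eapor(USERNAME, eap_response_identity(1, USERNAME))))
```

The server-side helpers show where the password is handled in each mode: with PAP the server (and the device) handle the password itself, with CHAP the server only recomputes a hash, and with relay the server must parse EAP itself, which is the processing load the text refers to.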

(Optional) Enabling MAC Address Bypass Authentication


Context
MAC address bypass authentication is intended for terminals on which 802.1x client software
cannot be installed or used. On an interface where it is enabled, the device first attempts
802.1x authentication; if the terminal has not completed 802.1x authentication when the
bypass delay timer expires, the device uses the terminal's MAC address to authenticate it
instead. If MAC address authentication is configured to be performed first (mac-auth-first),
the order is reversed: the interface authenticates the terminal by its MAC address first and
triggers 802.1x authentication only after MAC address authentication fails, which gives such
terminals faster access.
NOTE
If MAC address bypass authentication is configured on an interface where 802.1x authentication is
not enabled, 802.1x authentication is enabled on the interface automatically.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Enable MAC address bypass authentication on the interface, in either the system view or the interface view.
- In the system view:
  1. Run:
     dot1x mac-bypass interface { interface-type interface-number1 [ to interface-number2 ] } &<1-10>
     MAC address bypass authentication is enabled on the specified interfaces.
     By default, MAC address bypass authentication is disabled on an interface.
  2. (Optional) Run:
     dot1x mac-bypass mac-auth-first interface { interface-type interface-number1 [ to interface-number2 ] } &<1-10>
     MAC address authentication is performed first during MAC address bypass authentication.
     By default, MAC address authentication is not performed first during MAC address bypass authentication.
- In the interface view:
  1. Run:
     interface interface-type interface-number
     The interface view is displayed.
  2. Run:
     dot1x mac-bypass
     MAC address bypass authentication is enabled on the interface.
     By default, MAC address bypass authentication is disabled on an interface.
  3. (Optional) Run:
     dot1x mac-bypass mac-auth-first
     MAC address authentication is performed first during MAC address bypass authentication.
     By default, MAC address authentication is not performed first during MAC address bypass authentication.
  4. Run:
     quit
     The system view is displayed.
NOTE
Disabling MAC address bypass authentication on an interface with the undo dot1x mac-bypass command
also disables 802.1x authentication on that interface.

Step 3 (Optional) Run:
dot1x timer mac-bypass-delay delay-time-value

The delay timer for MAC address bypass authentication is set.
By default, the delay timer for MAC address bypass authentication is 30 seconds.
NOTE
If MAC address authentication is performed first during MAC address bypass authentication, the delay
timer does not take effect.

----End
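The following Python model, added here as an illustration and not code from this guide or from Huawei, walks a few constructed terminals through a mac-bypass port in both orders, so the effect of mac-auth-first and of the delay timer on time-to-access is visible. The terminal attributes and MAC addresses are constructed; the exact condition under which the default order falls back to MAC address authentication is a modelling assumption stated in the docstring.

```python
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class Terminal:
    """A station connected to the port. Constructed sample attributes, not device data."""
    name: str
    mac: str
    has_dot1x_client: bool           # can it answer EAP-Request/Identity at all?
    dot1x_credentials_ok: bool = False
    mac_registered: bool = False     # is its MAC address known to the AAA server?


@dataclass
class BypassPort:
    """The two knobs from the guide: dot1x mac-bypass mac-auth-first and dot1x timer mac-bypass-delay."""
    mac_auth_first: bool = False
    mac_bypass_delay: float = 30.0   # seconds; the guide's default


def run_mac_bypass(port: BypassPort, term: Terminal) -> Tuple[str, List[str], float]:
    """Decide how a terminal is admitted on a mac-bypass port.

    Returns (outcome, methods tried in order, seconds until the decision), where outcome is
    "802.1x" or "mac-authen" (the method that admitted the user) or "denied".
    Modelling assumption: in the default order, any 802.1x outcome other than success
    (no client, or rejected credentials) leads to MAC address authentication once the
    bypass delay timer expires.
    """
    tried: List[str] = []

    def dot1x_ok() -> bool:
        tried.append("802.1x")
        return term.has_dot1x_client and term.dot1x_credentials_ok

    def mac_ok() -> bool:
        tried.append("mac-authen")
        return term.mac_registered

    if port.mac_auth_first:
        # MAC address authentication first; the delay timer does not apply.
        if mac_ok():
            return "mac-authen", tried, 0.0
        if dot1x_ok():
            return "802.1x", tried, 0.0
        return "denied", tried, 0.0

    # Default order: 802.1x first, MAC address authentication after the bypass delay.
    if dot1x_ok():
        return "802.1x", tried, 0.0
    if mac_ok():
        return "mac-authen", tried, port.mac_bypass_delay
    return "denied", tried, port.mac_bypass_delay


# Constructed sample terminals.
PRINTER = Terminal("printer", "00e0-fc12-3456", has_dot1x_client=False, mac_registered=True)
LAPTOP = Terminal("laptop", "00e0-fc65-4321", has_dot1x_client=True, dot1x_credentials_ok=True)
STRANGER = Terminal("unknown", "00e0-fcaa-bbcc", has_dot1x_client=False)


def summary(port: BypassPort) -> dict:
    """Outcome per sample terminal for one port configuration."""
    return {t.name: run_mac_bypass(port, t) for t in (PRINTER, LAPTOP, STRANGER)}


if __name__ == "__main__":
    for cfg in (BypassPort(), BypassPort(mac_auth_first=True)):
        print(cfg)
        for name, (outcome, tried, secs) in summary(cfg).items():
            print(f"  {name:8s} -> {outcome:10s} via {tried} after {secs:.0f}s")
```

Running it shows the trade-off: with the default order the printer waits out the 30-second delay before its MAC is checked, while with mac-auth-first it is admitted immediately, but then any station presenting a registered MAC address is admitted before an 802.1x exchange takes place, and MAC addresses are trivially spoofed, so mac-auth-first is best confined to interfaces that really serve dumb terminals.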

(Optional) Setting the Maximum Number of Concurrent Access Users for 802.1x
Authentication on an Interface
Context
The administrator can set the maximum number of concurrent access users for 802.1x
authentication on an interface. When the number of access users reaches the maximum,
new 802.1x users cannot access the network through the interface.
NOTE
- If the number of online users on an interface already exceeds the configured maximum, the
  online users are not affected; only new access users are limited.
- This function takes effect only when the MAC address-based access control mode is
  configured on the interface. When the interface-based access control mode is configured, the
  maximum number of concurrent access users on the interface is automatically set to 1; after
  one user is authenticated, other users can go online through the interface without being
  authenticated.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Set the maximum number of concurrent access users on the interface, in either the system view or the interface view.
- In the system view, run:
  dot1x max-user user-number interface { interface-type interface-number1 [ to interface-number2 ] } &<1-10>
  The maximum number of concurrent 802.1x access users is set on the specified interfaces.
- In the interface view, run:
  interface interface-type interface-number
  The interface view is displayed. Then run:
  dot1x max-user user-number
  The maximum number of concurrent 802.1x access users is set on the interface.
By default, a maximum of 256 users can access through an interface.
NOTE
The maximum number of access users on the device is 256.
----End
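The three optional interface settings described above (dot1x port-control, dot1x port-method and dot1x max-user) interact. The following Python model, an added example and not device code from this guide or from Huawei, puts them in one object so the piggybacking behaviour of the interface-based mode and the effect of max-user can be checked. The MAC addresses are constructed sample values.

```python
from typing import Dict, Set

PORT_CONTROL_MODES = ("auto", "authorized-force", "unauthorized-force")
PORT_METHODS = ("mac", "port")


class Dot1xPort:
    """Model of one 802.1x interface combining port-control, port-method and max-user."""

    def __init__(self, port_control: str = "auto", port_method: str = "mac", max_user: int = 256):
        if port_control not in PORT_CONTROL_MODES:
            raise ValueError(f"unknown port-control {port_control!r}")
        if port_method not in PORT_METHODS:
            raise ValueError(f"unknown port-method {port_method!r}")
        self.port_control = port_control
        self.port_method = port_method
        # Interface-based mode authenticates exactly one user: the guide says max-user becomes 1.
        self.max_user = 1 if port_method == "port" else max_user
        self.authorized: Set[str] = set()          # MAC addresses that passed authentication

    def authenticate(self, mac: str, credentials_ok: bool) -> bool:
        """Handle an 802.1x attempt from `mac`; return whether the station may now access the network."""
        if self.port_control == "authorized-force":
            return True                            # no authentication is performed at all
        if self.port_control == "unauthorized-force":
            return False                           # the interface never authorizes anyone
        if mac in self.authorized:
            return True
        if len(self.authorized) >= self.max_user:
            return False                           # new users are rejected; online users are unaffected
        if credentials_ok:
            self.authorized.add(mac)
        return self.can_access(mac)

    def logoff(self, mac: str) -> None:
        """The station goes offline (EAPOL-Logoff, link down, handshake failure, ...)."""
        self.authorized.discard(mac)

    def can_access(self, mac: str) -> bool:
        """Is traffic from `mac` forwarded beyond the interface?"""
        if self.port_control == "authorized-force":
            return True
        if self.port_control == "unauthorized-force":
            return False
        if self.port_method == "port":
            return bool(self.authorized)           # open for every station while one user is online
        return mac in self.authorized

    def online_count(self) -> int:
        return len(self.authorized)


def piggyback_demo() -> Dict[str, bool]:
    """Contrast the two access control modes when a second, unauthenticated station shares
    the interface (for example behind a hub or an unmanaged switch)."""
    results = {}
    for method in PORT_METHODS:
        port = Dot1xPort(port_method=method)
        port.authenticate("00e0-fc00-0001", credentials_ok=True)      # legitimate user
        results[f"{method}: second station passes without auth"] = port.can_access("00e0-fc00-0002")
        port.logoff("00e0-fc00-0001")
        results[f"{method}: second station passes after logoff"] = port.can_access("00e0-fc00-0002")
    return results


if __name__ == "__main__":
    for setting, allowed in piggyback_demo().items():
        print(f"{setting}: {allowed}")
```

The demo makes the security point of the mode choice explicit: in interface-based mode one authenticated user opens the interface for any station behind it, which is acceptable for a group of trusted users on one port but not for a shared office jack, where the default MAC address-based mode with a sensible max-user value is the safer choice.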

(Optional) Configuring Timers for 802.1x Authentication


Context
During 802.1x authentication, several timers coordinate the interaction between access users,
the access device, and the authentication server. You can change the timer values with the
dot1x timer command to adjust the interaction process. This is needed only in special network
environments; it is recommended that you retain the default settings. The following 802.1x
timers can be configured:
- Server timeout timer (server-timeout): The device starts this timer after sending a RADIUS
  Access-Request packet to the authentication server. If the server does not respond within
  the timer period, the device retransmits the authentication request packet to the server.
- Client timeout timer (client-timeout): The device starts this timer after sending an
  EAP-Request/MD5-Challenge packet to the client. If the client does not respond within the
  timer period, the device retransmits the packet.
- User name request timeout timer (tx-period): This timer defines two intervals. After sending
  an EAP-Request/Identity packet to the client, the device starts the timer; if the client does
  not respond within the first interval, the device retransmits the request. The device also
  multicasts EAP-Request/Identity packets at the second interval to detect clients that do not
  actively send an EAPOL-Start packet, for compatibility with such clients; the timer defines
  the interval between these multicast packets.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
dot1x timer { client-timeout client-timeout-value | server-timeout server-timeout-value | tx-period tx-period-value }

The 802.1x timers are configured.

By default, client-timeout is 30 seconds, server-timeout is 30 seconds, and tx-period is 30 seconds.
NOTE
The client timeout timer, the server timeout timer, and the user name request timeout timer are enabled by
default.

----End

(Optional) Configuring the Quiet Function in 802.1x Authentication


Context
After the quiet function is enabled, a user who fails 802.1x authentication the maximum number
of times allowed is put into the quiet state, and during the quiet period the device discards
802.1x authentication requests from that user. This limits the load that repeated failed
attempts (from a misconfigured client or from password guessing) place on the system.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
dot1x quiet-period

The quiet function is enabled.


By default, the quiet function is disabled.
Step 3 (Optional) Run:
dot1x quiet-times fail-times

The maximum number of authentication failures within 60 seconds before the device quiets an
802.1x user is configured.

By default, an 802.1x user enters the quiet state after three authentication failures within 60
seconds.
Step 4 (Optional) Run:
dot1x timer quiet-period quiet-period-value

The quiet timer is set.


By default, the quiet timer is 60 seconds.
----End
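The following Python model, an added example and not code from this guide or from Huawei, implements the quiet function as described above: failures per user are counted within a fixed 60-second window, reaching the quiet-times threshold puts the user into the quiet state for quiet-period seconds, and requests arriving while the user is quiet are discarded. The event timestamps and MAC addresses are constructed sample data.

```python
from collections import defaultdict, deque
from typing import Deque, Dict, List, Tuple


class Dot1xQuiet:
    """Model of the 802.1x quiet function.

    enabled      - dot1x quiet-period (the function is disabled by default)
    quiet_times  - dot1x quiet-times: failures within the 60 s window before quieting (default 3)
    quiet_period - dot1x timer quiet-period: how long requests are discarded (default 60 s)
    """
    WINDOW = 60.0   # the fixed counting window named in the guide, in seconds

    def __init__(self, enabled: bool = False, quiet_times: int = 3, quiet_period: float = 60.0):
        self.enabled = enabled
        self.quiet_times = quiet_times
        self.quiet_period = quiet_period
        self._failures: Dict[str, Deque[float]] = defaultdict(deque)  # mac -> failure timestamps
        self._quiet_until: Dict[str, float] = {}                       # mac -> end of quiet state

    def is_quiet(self, mac: str, now: float) -> bool:
        until = self._quiet_until.get(mac)
        if until is None:
            return False
        if now >= until:                  # quiet timer expired: the user may try again
            del self._quiet_until[mac]
            return False
        return True

    def accept_request(self, mac: str, now: float) -> bool:
        """Should the device process an authentication request from `mac` at time `now`?"""
        return not (self.enabled and self.is_quiet(mac, now))

    def record_failure(self, mac: str, now: float) -> bool:
        """Record a failed authentication; return True if the user has just been quieted."""
        if not self.enabled:
            return False
        failures = self._failures[mac]
        failures.append(now)
        while failures and now - failures[0] >= self.WINDOW:   # forget failures outside the window
            failures.popleft()
        if len(failures) >= self.quiet_times:
            self._quiet_until[mac] = now + self.quiet_period
            failures.clear()
            return True
        return False


def replay(quiet: Dot1xQuiet, events: List[Tuple[float, str, bool]]) -> List[str]:
    """Feed (time, mac, credentials_ok) events through the model and report each decision."""
    log = []
    for now, mac, ok in events:
        if not quiet.accept_request(mac, now):
            log.append(f"{now:5.0f}s {mac}: request discarded (quiet)")
            continue
        if ok:
            log.append(f"{now:5.0f}s {mac}: authenticated")
        elif quiet.record_failure(mac, now):
            log.append(f"{now:5.0f}s {mac}: failed, user quieted for {quiet.quiet_period:.0f}s")
        else:
            log.append(f"{now:5.0f}s {mac}: failed")
    return log


# Constructed sample event stream: a guessing client and one legitimate user on the same interface.
SAMPLE_EVENTS = [
    (0, "00e0-fc00-0001", False), (10, "00e0-fc00-0001", False), (20, "00e0-fc00-0001", False),
    (25, "00e0-fc00-0001", True),    # correct password, but it arrives during the quiet period
    (30, "00e0-fc00-0002", True),    # a different user is not affected
    (85, "00e0-fc00-0001", True),    # quiet timer (60 s from t=20) has expired
]

if __name__ == "__main__":
    print("\n".join(replay(Dot1xQuiet(enabled=True), SAMPLE_EVENTS)))
```

Note the edge cases the replay exercises: a correct password sent during the quiet period is still discarded (the user must wait out quiet-period), other users on the interface are unaffected because the state is kept per MAC address, and failures spread more than 60 seconds apart never trigger the quiet state.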

(Optional) Configuring Re-authentication for 802.1x Authentication Users


Context
If the administrator modifies user information on the authentication server, parameters such
as the user's access permissions and authorization attributes change. Users who have already
passed 802.1x authentication must then be re-authenticated to ensure that they are still
valid.
After a user goes online, the device saves the user's authentication information. When
re-authentication is enabled for 802.1x users, the device sends the saved authentication
information of the online user to the authentication server. If the information has not
changed on the server, the user stays online. If it has changed, the user is forced offline
and then re-authenticated according to the changed information.
You can configure re-authentication for 802.1x users using either of the following methods:
- Re-authenticate all online 802.1x users on a specified interface periodically.
- Re-authenticate one online 802.1x user with a specified MAC address once.

Procedure
- Configure periodic re-authentication for all online 802.1x users on a specified interface.
  1. Run:
     system-view
     The system view is displayed.
  2. Enable periodic re-authentication on the interface, in either the system view or the interface view.
     In the system view, run:
     dot1x reauthenticate interface { interface-type interface-number1 [ to interface-number2 ] } &<1-10>
     Periodic 802.1x re-authentication is enabled on the specified interfaces.
     In the interface view, run:
     interface interface-type interface-number
     The interface view is displayed. Then run:
     dot1x reauthenticate
     Periodic 802.1x re-authentication is enabled on the interface. Run quit to return to the system view.
     By default, periodic 802.1x re-authentication is disabled on an interface.
  3. (Optional) Run:
     dot1x timer reauthenticate-period reauthenticate-period
     The re-authentication interval for online 802.1x users is set.
     By default, the device re-authenticates online 802.1x users every 3600 seconds.
- Configure re-authentication for an online 802.1x user with a specified MAC address.
  1. Run:
     system-view
     The system view is displayed.
  2. Run:
     dot1x reauthenticate mac-address mac-address
     The online 802.1x user with the specified MAC address is re-authenticated.
     By default, re-authentication of an online 802.1x user by MAC address is disabled.
----End

(Optional) Configuring the Handshake Function for 802.1x Online Users


Context
You can configure the handshake function to check in real time that authenticated users are
still online. The device sends a handshake request packet to online users at intervals. If a
user does not respond after the maximum number of retransmissions, the device disconnects the
user.
If an 802.1x client cannot exchange handshake packets with the device, the device receives no
handshake response within the handshake period and would disconnect the user by mistake. For
such clients, disable the handshake function.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
dot1x handshake

The handshake function is enabled for 802.1x online users.

By default, the handshake function is disabled for 802.1x online users.
Step 3 (Optional) Run:
dot1x handshake packet-type { request-identity | srp-sha1-part2 }

The type of 802.1x handshake packet is set.

By default, the handshake packet type is request-identity.
Step 4 (Optional) Run:
dot1x timer handshake-period handshake-period-value

The interval at which the device handshakes with 802.1x online users is set.
By default, handshake packets are sent every 15 seconds.
Step 5 (Optional) Run:
dot1x retry max-retry-value

The maximum number of times the device retransmits an authentication request (including handshake
requests) is set.

By default, a request is sent at most twice.
----End

(Optional) Configuring the Guest VLAN Function


Context
After the guest VLAN function is enabled, users who have not yet passed 802.1x
authentication can access the resources in the guest VLAN. For example, they can download
the 802.1x client software, upgrade the client, or run other upgrade programs.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Configure the guest VLAN, in either the system view or the interface view.
- In the system view, run:
  authentication guest-vlan vlan-id interface { interface-type interface-number1 [ to interface-number2 ] } &<1-10>
  The guest VLAN to which the specified interfaces are added is configured.
- In the interface view, run:
  interface interface-type interface-number
  The interface view is displayed. Then run:
  authentication guest-vlan vlan-id
  The guest VLAN to which the interface is added is configured.
By default, an interface is not added to any guest VLAN.
----End

(Optional) Configuring the Restrict VLAN Function


Context
You can configure the restrict VLAN function on an interface so that users who fail
authentication can still reach some network resources (for example, to update the virus
library). Such users are added to the restrict VLAN and can access the resources in it. This
applies only when the authentication server rejects the user (for example, because the user
entered an incorrect password), not when authentication times out or the network is
disconnected.
Like the guest VLAN, the restrict VLAN gives users access to limited network resources before
they pass 802.1x authentication. Generally, fewer resources are deployed in the restrict VLAN
than in the guest VLAN, so the restrict VLAN limits unauthenticated users more strictly.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Configure the restrict VLAN, in either the system view or the interface view.
- In the system view, run:
  authentication restrict-vlan vlan-id interface { interface-type interface-number1 [ to interface-number2 ] } &<1-10>
  The restrict VLAN to which the specified interfaces are added is configured.
- In the interface view, run:
  interface interface-type interface-number
  The interface view is displayed. Then run:
  authentication restrict-vlan vlan-id
  The restrict VLAN to which the interface is added is configured.
By default, an interface is not added to any restrict VLAN.
----End

(Optional) Configuring 802.1x Authentication Triggered by a DHCP Packet


Context
In an 802.1x network, a user who relies on the 802.1x client built into the PC operating
system (such as Windows XP) cannot enter a user name and password proactively to trigger
authentication.
For such users, the administrator configures 802.1x authentication triggered by a DHCP
packet. Once enabled, the device triggers 802.1x authentication for a user as soon as it
receives a DHCP packet from that user; the operating system's built-in 802.1x authentication
dialog is then displayed on the terminal and the user enters the user name and password.
This also allows a user to be authenticated with the built-in client first and, once online,
to reach the 802.1x client download page, install the full client software, and so speed up
network deployment.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
dot1x dhcp-trigger

802.1x authentication triggered by a DHCP packet is enabled.

By default, 802.1x authentication triggered by a DHCP packet is disabled.
----End

Checking the Configuration


Context
You can run the following commands to check the configuration after completing the 802.1x
authentication configuration.

Procedure
- Run the display dot1x [ statistics ] [ interface { interface-type interface-number1 [ to
  interface-number2 ] } &<1-10> ] command to check the 802.1x authentication configuration
  and statistics.
- Run the display mac-address { authen | guest } [ interface-type interface-number | vlan
  vlan-id ] * [ verbose ] command to check the current authen or guest MAC address entries in
  the system.
----End

8.2.5 Configuring MAC Address Authentication


MAC address authentication controls a user's network access rights based on the user's access
interface and MAC address. The user does not need to install any client software: the MAC
address of the user's device is used as both the user name and the password. When the network
access device detects the user's MAC address for the first time, it starts authenticating the
user.

Prerequisites
MAC address authentication only provides a user authentication solution. To implement this
solution, the AAA function must also be configured. Therefore, complete the following tasks
before you configure MAC address authentication:
- Configure the authentication domain and AAA scheme on the AAA client.
- Configure the user name and password on the RADIUS or HWTACACS server if RADIUS or
  HWTACACS authentication is used.
- Configure the user name and password manually on the network access device if local
  authentication is used.

For the configuration of the AAA client, see 8.1 AAA Configuration in the AC6605 Access
Controller Configuration Guide - Security.

Enabling MAC Address Authentication


Context
The MAC address authentication configuration takes effect on an interface only after MAC
address authentication is enabled both globally and on the interface.
If users are online through MAC address authentication on an interface, MAC address
authentication cannot be disabled on that interface.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
mac-authen

Global MAC address authentication is enabled.


By default, global MAC address authentication is disabled.
Step 3 Enable MAC address authentication on the interface, in either the system view or the interface view.
- In the system view, run:
  mac-authen interface { interface-type interface-number1 [ to interface-number2 ] } &<1-10>
  MAC address authentication is enabled on the specified interfaces.
- In the interface view, run:
  interface interface-type interface-number
  The interface view is displayed. Then run:
  mac-authen
  MAC address authentication is enabled on the interface.
By default, MAC address authentication is disabled on an interface.
----End

(Optional) Configuring the User Authentication Domain


Context
When a MAC address or a fixed user name without a domain name is used as the user name in
MAC address authentication, and the administrator has not configured an authentication
domain, the user is authenticated in the default domain. All such users then share the
default domain, which makes the authentication scheme inflexible; configuring a dedicated
domain avoids this.
NOTE
- When a fixed user name is used for MAC address authentication and the authentication domain
  is specified in the user name, the user is authenticated in that domain.
- Before configuring an authentication domain for MAC address authentication users, ensure
  that the domain has been created.

Procedure
Step 1 Run:
system-view

The system view is displayed.
Step 2 Run:
mac-authen domain isp-name [ mac-address mac-address mask mask ]

The authentication domain is configured for MAC address authentication users. If mac-address
and mask are specified, the domain applies to the users whose MAC addresses match the
specified range.
By default, MAC address authentication uses the default domain.
----End

(Optional) Setting the Maximum Number of Access Users for MAC Address
Authentication on an Interface
Context
To limit the number of access users for MAC address authentication on an interface, the
administrator can set the maximum number of access users. When the number of access users
reaches the limit, new users cannot access the network through the interface.

Procedure
Step 1 Run:
system-view

The system view is displayed.
Step 2 Set the maximum number of access users on the interface, in either the system view or the interface view.
- In the system view, run:
  mac-authen max-user user-number interface { interface-type interface-number1 [ to interface-number2 ] } &<1-10>
  The maximum number of MAC address authentication users is set on the specified interfaces.
- In the interface view, run:
  interface interface-type interface-number
  The interface view is displayed. Then run:
  mac-authen max-user user-number
  The maximum number of MAC address authentication users is set on the interface.
By default, a maximum of 256 MAC address authentication users can access through an interface.
----End

(Optional) Configuring Timers of MAC Address Authentication


Context
During MAC address authentication, several timers coordinate the interaction between access
users or devices and the authentication server. The following timers can be configured for
MAC address authentication:
- Quiet timer (quiet-period): After a user fails authentication, the device enters a quiet
  period for that user. During the quiet period, the device does not process authentication
  requests from the user.
- Server timeout timer (server-timeout): The device starts this timer after sending a RADIUS
  Access-Request packet to the authentication server. If the server does not respond within
  the timer period, the device retransmits the authentication request packet to the server.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
mac-authen timer { quiet-period quiet-value | server-timeout server-timeout-value }

The timer parameters are set for MAC address authentication.

By default, quiet-period is set to 60 seconds, and server-timeout is set to 30 seconds.

NOTE

The quiet-period and server-timeout timers are enabled by default.

----End
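The quiet-period and server-timeout behaviour described above, as an added worked example in Python. This is not code from this guide or from the AC6605 software; it models only the access device's side of the exchange, with the RADIUS server represented by explicit calls, and all times are plain seconds supplied by the caller so that it runs offline. The defaults of 60 s and 30 s are the guide's; the retransmission budget (max_retransmits) and the decision to put a MAC into the quiet period once that budget is spent are assumptions of the model, not behaviour the guide states.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed model of the two MAC address authentication timers: the quiet
# timer (quiet-period) and the server timeout timer (server-timeout).


@dataclass
class MacState:
    quiet_until: float = 0.0                 # frames from this MAC are ignored until this time
    request_sent_at: Optional[float] = None  # time the pending Access-Request was sent
    retransmits: int = 0                     # retransmissions of the pending request
    online: bool = False


class MacAuthenticator:
    def __init__(self, quiet_period: float = 60, server_timeout: float = 30,
                 max_retransmits: int = 2):
        self.quiet_period = quiet_period      # guide default: 60 s
        self.server_timeout = server_timeout  # guide default: 30 s
        # Assumption of this model: after this many retransmissions the device
        # gives up and treats the MAC like a failed authentication.
        self.max_retransmits = max_retransmits
        self.users: Dict[str, MacState] = {}
        self.radius_requests: List[Tuple[float, str]] = []  # (time, mac) sent to the server

    def frame_received(self, mac: str, now: float) -> str:
        """A frame from an unauthenticated MAC triggers authentication unless
        the quiet timer for that MAC is still running."""
        st = self.users.setdefault(mac, MacState())
        if st.online:
            return "online"
        if now < st.quiet_until:
            return "quiet"          # quiet period: the request is not processed
        if st.request_sent_at is not None:
            return "pending"        # already waiting for the server
        self._send_request(mac, st, now)
        return "request-sent"

    def _send_request(self, mac: str, st: MacState, now: float) -> None:
        st.request_sent_at = now    # (re)start the server timeout timer
        self.radius_requests.append((now, mac))

    def server_replied(self, mac: str, now: float, accepted: bool) -> str:
        """Access-Accept brings the user online; Access-Reject starts the quiet timer."""
        st = self.users[mac]
        st.request_sent_at = None
        st.retransmits = 0
        if accepted:
            st.online = True
            return "accept"
        st.quiet_until = now + self.quiet_period
        return "reject-quiet"

    def tick(self, now: float) -> List[Tuple[str, str]]:
        """Expire server timeout timers: retransmit the request or, once the
        assumed retransmission budget is spent, put the MAC into the quiet period."""
        events = []
        for mac, st in self.users.items():
            if st.request_sent_at is None or now - st.request_sent_at < self.server_timeout:
                continue
            if st.retransmits < self.max_retransmits:
                st.retransmits += 1
                self._send_request(mac, st, now)
                events.append((mac, "retransmit"))
            else:
                st.request_sent_at = None
                st.retransmits = 0
                st.quiet_until = now + self.quiet_period
                events.append((mac, "server-unreachable-quiet"))
        return events
```

The model makes the operational value of the quiet timer visible: a device that keeps sending frames after a rejection causes at most one Access-Request per quiet period per MAC rather than one per frame, which bounds the load an unknown or misbehaving terminal can put on the RADIUS server.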

(Optional) Configuring Re-authentication for MAC Address Authentication Users


Context
If the administrator modifies user information on the authentication server, parameters such as
the user access permission and authorization attribute are changed. If a user has passed MAC
address authentication, you must re-authenticate the user to ensure user validity.
After the user goes online, the device saves user authentication information. After
re-authentication is enabled for MAC address authentication users, the device sends the saved
authentication information of the online user to the authentication server for re-authentication.
If the user's authentication information does not change on the authentication server, the user is
kept online. If the authentication information has been changed, the user is forced to go offline,
and then re-authenticated according to the changed authentication information.
You can configure re-authentication for MAC address authentication users using either of the
following methods:
• Re-authenticate all online MAC address authentication users on a specified interface at an
interval.
• Re-authenticate the online user once with a specified MAC address.

Procedure
• Re-authenticate all online MAC address authentication users on a specified interface at an
interval.
1. Run:
system-view

The system view is displayed.
2. Enable periodic re-authentication for all online MAC address authentication users on
the specified interface in the system or interface view.
In the system view:
a. Run:
mac-authen reauthenticate interface { interface-type interface-number1 [ to interface-number2 ] } &<1-10>

Periodic re-authentication is enabled for all online MAC address authentication
users on the specified interface.
In the interface view:
a. Run:
interface interface-type interface-number

The interface view is displayed.
b. Run:
mac-authen reauthenticate

Periodic re-authentication is enabled for all online MAC address authentication
users on the specified interface.

c. Run:
quit

Return to the system view.
By default, periodic re-authentication is disabled for all online MAC address
authentication users on the specified interface.
3. (Optional) Run:
mac-authen timer reauthenticate-period reauthenticate-period-value

The re-authentication interval for online MAC address authentication users is set.
By default, the device re-authenticates online MAC address authentication users at
the interval of 1800 seconds.
• Configure re-authentication for an online MAC address authentication user with a specified
MAC address.
1. Run:
system-view

The system view is displayed.
2. Run:
mac-authen reauthenticate mac-address mac-address

Re-authentication is enabled for the online MAC address authentication user with the
specified MAC address.
By default, re-authentication for an online MAC address authentication user with a
specified MAC address is disabled.
----End

Checking the Configuration


Context
You can run the commands to check the configured parameters after completing the MAC
address authentication configuration.

Procedure
• Run the display mac-authen [ interface { interface-type interface-number1 [ to
interface-number2 ] } &<1-10> ] command to check the configuration of MAC address
authentication.
• Run the display mac-address { authen | guest } [ interface-type interface-number |
vlan vlan-id ] * [ verbose ] command to check the current authen or guest MAC address
entries in the system.

----End

8.2.6 Configuring Portal Authentication


In Portal authentication, users do not need a specific client. The Portal server provides users with
free portal services and a Portal authentication page.

Prerequisites
Portal authentication only provides a user authentication solution. To implement this solution,
the AAA function must also be configured. Therefore, the following tasks must be complete
before you configure Portal authentication:
• Configuring the authentication domain and AAA scheme on the AAA client.
• Configuring the user name and password on the RADIUS or HWTACACS server if
RADIUS or HWTACACS authentication is used.
• Configuring the user name and password manually on the network access device if local
authentication is used.

For the configuration of the AAA client, see 8.1 AAA Configuration in the AC6605 Access
Controller Configuration Guide-Security.

Configuring Portal Server Parameters


Context
During Portal authentication, you must configure parameters for the Portal server (for example,
the IP address for the Portal server) to ensure smooth communication between the device and
the Portal server.

Procedure
• Configuring parameters for the external Portal server (binding URL)
1. Run:
system-view

The system view is displayed.
2. Run:
web-auth-server server-name

A Portal server template is created and the Portal server template view is displayed.
By default, no Portal server template is created.
3. Run:
server-ip server-ip-address &<1-10>

An IP address is configured for the Portal server.
By default, no IP address is configured for the Portal server.
NOTE

The IP address for the Portal server is the IP address for the external Portal server.

4. Run:
url url-string

A URL is configured for the Portal server.
By default, a Portal server does not have a URL.
----End

Enabling Portal Authentication


Context
The device can communicate with the Portal server after the parameters of the Portal server are
configured. To enable Portal authentication for access users, you must enable Portal
authentication of the device.
To enable Portal authentication on an external Portal server, you must only bind the configured
Portal server template to a VLANIF interface.

Procedure
• Enable Portal authentication on the device if the authentication server is an external Portal
server.
1. Run:
system-view

The system view is displayed.
2. Run:
interface vlanif vlan-id

The VLANIF interface view is displayed.
3. Run:
web-auth-server server-name

The Portal server template is bound to the VLANIF interface.
By default, no Portal server template is bound to a VLANIF interface.
----End

(Optional) Configuring Parameters for Information Exchange with the Portal Server


Context
In Portal authentication network deployment, you can configure parameters for information
exchange between the device and the Portal server to improve communication security.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
web-auth-server version v2 [ v1 ]

Portal protocol versions supported by the device are configured.


By default, the device uses Portal protocol versions v1 and v2.

NOTE

To ensure smooth communication, use the default setting so that the device uses both versions.

Step 3 Run:
web-auth-server listening-port port-number

The port number through which the device listens to Portal protocol packets is set.
By default, the device listens to the Portal protocol packets through port 2000.
Step 4 Run:
web-auth-server reply-message

The device is enabled to transparently transmit the authentication responses sent by the
authentication server to the Portal server.
By default, the device transparently transmits the authentication responses sent by the
authentication server to the Portal server.
Step 5 Run:
web-auth-server server-name

The Portal server template view is displayed.


Step 6 Run:
source-ip ip-address

The source IP address for communication with a Portal server is configured.


By default, no source IP address is configured on the device.
Step 7 Run:
port port-number [ all ]

The destination port number through which the device sends packets to the Portal server is set.
By default, port 50100 is used as the destination port when the device sends packets to the Portal
server.
Step 8 Run:
shared-key { cipher | simple } key-string

The shared key that the device uses to exchange information with the Portal server is configured.
By default, no shared key is configured.
----End

(Optional) Setting Access Control Parameters for Portal Authentication Users


Context
During deployment of the Portal authentication network, you can set access control parameters
for Portal authentication users to flexibly control the user access. For example, you can set
authentication free rules for Portal authentication users so that the users can access specified
network resources without being authenticated or when the users fail authentication. You can
configure the source authentication subnet to allow the device to authenticate only users in the
source authentication subnet, while users in other subnets cannot pass Portal authentication.

Procedure
• Set access control parameters for Portal authentication users when an external Portal server
is used.
1. Run:
system-view

The system view is displayed.
2. Run:
portal free-rule rule-id { destination { any | ip { ip-address mask { mask-length | ip-mask } [ tcp destination-port port | udp destination-port port ] | any } } | source { any | { interface interface-type interface-number | ip { ip-address mask { mask-length | ip-mask } | any } | vlan vlan-id } } } *

The Portal authentication free rule is set.
By default, no Portal authentication free rule is set.
3. Run:
portal max-user user-number

The maximum number of concurrent Portal users is set.
By default, the number of Portal authentication users is the maximum number of Portal
authentication users supported by the device.
----End
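How a portal free-rule decides whether a packet from a not-yet-authenticated user may pass, as an added worked example in Python. It is not code from this guide or from the AC6605; it implements the rule syntax shown above (destination any or ip/mask with an optional tcp/udp destination port; source any, interface, ip/mask or vlan) as a matcher over a constructed packet record. The guide does not say in which order several free rules are evaluated, so first match in rule-id order is an assumption of this example, as are the sample addresses in the DNS rule; the Portal server address and port 8080 come from this guide's configuration example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    """Constructed view of a packet from a user who has not passed Portal authentication."""
    src_ip: str
    dst_ip: str
    proto: str            # "tcp" or "udp"
    dst_port: int
    in_interface: str     # e.g. "GigabitEthernet0/0/1"
    vlan: int


@dataclass(frozen=True)
class FreeRule:
    """One portal free-rule. A None field corresponds to the keyword 'any' (or an
    omitted option) and therefore does not constrain the packet."""
    rule_id: int
    dst_net: Optional[str] = None        # "ip-address/mask-length" or "ip-address/ip-mask"
    dst_proto: Optional[str] = None      # "tcp" or "udp", used together with dst_port
    dst_port: Optional[int] = None
    src_net: Optional[str] = None
    src_interface: Optional[str] = None
    src_vlan: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        if self.dst_net is not None and not _in_net(pkt.dst_ip, self.dst_net):
            return False
        if self.dst_proto is not None and (pkt.proto != self.dst_proto
                                           or pkt.dst_port != self.dst_port):
            return False
        if self.src_net is not None and not _in_net(pkt.src_ip, self.src_net):
            return False
        if self.src_interface is not None and pkt.in_interface != self.src_interface:
            return False
        if self.src_vlan is not None and pkt.vlan != self.src_vlan:
            return False
        return True


def _in_net(ip: str, net: str) -> bool:
    # ipaddress accepts both "10.10.0.0/16" (mask-length) and "10.10.0.0/255.255.0.0" (ip-mask)
    return ipaddress.ip_address(ip) in ipaddress.ip_network(net, strict=False)


def free_rule_hit(pkt: Packet, rules: List[FreeRule]) -> Optional[int]:
    """Return the id of the first free rule the packet satisfies, or None when the
    packet must wait for Portal authentication. Rule-id order is an assumption."""
    for rule in sorted(rules, key=lambda r: r.rule_id):
        if rule.matches(pkt):
            return rule.rule_id
    return None


# Constructed rule set: unauthenticated users in VLAN 10 may reach the Portal
# server's web page (192.168.2.30 port 8080, from this guide's example) and a DNS
# resolver in an assumed 10.10.0.0/16 block; everything else waits for authentication.
EXAMPLE_RULES = [
    FreeRule(1, dst_net="192.168.2.30/32", dst_proto="tcp", dst_port=8080),
    FreeRule(2, dst_net="10.10.0.0/255.255.0.0", dst_proto="udp", dst_port=53, src_vlan=10),
]
```

Keeping free rules this narrow (one host and one port for the Portal page, one block for DNS) is the point: every destination reachable without authentication is reachable by any device that plugs into the access VLAN, so a rule with destination any effectively disables Portal authentication for that traffic.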

(Optional) Setting the Offline Detection Interval for Portal Authentication Users
Context
If a Portal authentication user goes offline due to power failure or network interruption, the
device and Portal server may still store user information, which leads to incorrect accounting.
In addition, only a limited number of users can access the device. If a user goes offline improperly but
the device still stores user information, other users cannot access the network.
After the offline detection interval is set for Portal authentication users, if a user does not respond
within the interval, the device considers the user offline. The device and Portal server then delete
the user information and release the occupied resources to ensure efficient resource use.
NOTE

This function applies only to Layer 2 Portal authentication.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
portal timer offline-detect time-length

The period for detecting Portal authentication user logout is set.



By default, the interval for detecting Portal authentication user logout is 300s.
----End

Checking the Configuration


Context
You can run the commands to check the configured parameters after completing the Portal
authentication configuration.

Procedure
• When an external Portal server is used, run the following commands to check the
configuration.
Run the display web-auth-server configuration command to check the configuration
of the Portal authentication server.

----End

8.2.7 Maintaining NAC


This section describes how to clear statistics for 802.1x authentication and MAC address
authentication.

Clearing 802.1x Authentication Statistics


Context

CAUTION
Statistics cannot be restored after being cleared. Exercise caution when you run the following
command.

Procedure
• Run the reset dot1x statistics [ interface { interface-type interface-number1 [ to
interface-number2 ] } &<1-10> ] command in the user view to clear the statistics for 802.1x
authentication.

----End

Clearing MAC Address Authentication Statistics


Context

CAUTION
Statistics cannot be restored after being cleared. Exercise caution when you run the following
command.

Procedure
• Run the reset mac-authen statistics [ interface { interface-type interface-number1 [ to
interface-number2 ] } &<1-10> ] command in the user view to clear the statistics for MAC
address authentication.

----End

8.2.8 Configuration Examples


This section provides several NAC configuration examples, including network requirements,
configuration roadmap, and configuration procedure.

Example for Configuring 802.1x Authentication


Networking Requirements
As shown in Figure 8-5, many users on a company access network through GE0/0/1 of the
Switch (used as an access device). After the network operates for a period of time, attacks are
detected. The administrator must control network access rights of user terminals to ensure
network security. The Switch allows user terminals to access Internet resources only after they
are authenticated.
Figure 8-5 Networking diagram for configuring 802.1x authentication (diagram not reproduced;
its labels are: User, Printer, LAN Switch, GE0/0/1 VLAN 10, Switch, GE0/0/2 VLAN 20, RADIUS
Server 192.168.2.30, Update Server VLAN100, Intranet)


Configuration Roadmap
To control the network access permission of users, the administrator can configure 802.1x
authentication on the Switch after the server with the IP address 192.168.2.30 is used as the
RADIUS server.
The configuration roadmap is as follows:
1. Create and configure a RADIUS server template, an AAA scheme, and an ISP domain.
Bind the RADIUS server template and the AAA scheme to the ISP domain. The Switch
can then exchange information with the RADIUS server.
2. Configure 802.1x authentication.
a. Enable 802.1x authentication globally and on the interface.
b. Enable MAC address bypass authentication to authenticate terminals (such as printers)
that cannot install 802.1x authentication client software.
c. A maximum of 200 802.1x authentication users are allowed to access an interface,
preventing excessive concurrent access users.
d. Set the maximum number of times that an authentication request packet is sent to a
user to 3 to avoid repeated authentication.
e. Configure VLAN100 as the guest VLAN so that users can access resources in the
guest VLAN without authentication.

Procedure
Step 1 Create VLANs and configure the VLAN allowed by the interface to ensure network
communication.
# Create VLAN 10 and VLAN 20.
<Quidway> system-view
[Quidway] vlan batch 10 20

# On the Switch, set GE0/0/1 connecting to users as a trunk interface, and add GE0/0/1 to VLAN
10.
[Quidway] interface gigabitethernet 0/0/1
[Quidway-GigabitEthernet0/0/1] port link-type trunk
[Quidway-GigabitEthernet0/0/1] port trunk allow-pass vlan 10
[Quidway-GigabitEthernet0/0/1] quit
NOTE

Configure the interface type and VLANs according to the actual situation. In this example, users are added
to VLAN 10.

# On the Switch, set GE0/0/2 connecting to the RADIUS server as an access interface, and add
GE0/0/2 to VLAN 20.
[Quidway] interface gigabitethernet 0/0/2
[Quidway-GigabitEthernet0/0/2] port link-type access
[Quidway-GigabitEthernet0/0/2] port default vlan 20
[Quidway-GigabitEthernet0/0/2] quit

# Create VLANIF10 and VLANIF20 and assign IP addresses to the VLANIF interfaces so that
user terminals, Switch, and internal devices on the enterprise network can set up routes. In this
example, the IP address of VLANIF10 is 192.168.1.20/24 and the IP address of VLANIF20 is
192.168.2.29/24.
[Quidway] interface vlanif 10
[Quidway-Vlanif10] ip address 192.168.1.20 24

[Quidway-Vlanif10] quit
[Quidway] interface vlanif 20
[Quidway-Vlanif20] ip address 192.168.2.29 24
[Quidway-Vlanif20] quit

Step 2 Create and configure a RADIUS server template, an AAA scheme, and an authentication
domain.
# Create and configure RADIUS server template rd1.
[Quidway] radius-server template rd1
[Quidway-radius-rd1] radius-server authentication 192.168.2.30 1812
[Quidway-radius-rd1] radius-server shared-key cipher hello
[Quidway-radius-rd1] radius-server retransmit 2
[Quidway-radius-rd1] quit

# Create AAA scheme abc and set the authentication mode to RADIUS.
[Quidway] aaa
[Quidway-aaa] authentication-scheme abc
[Quidway-aaa-authen-abc] authentication-mode radius
[Quidway-aaa-authen-abc] quit

# Create authentication domain isp1, and bind AAA scheme abc and RADIUS server template
rd1 to authentication domain isp1.
[Quidway-aaa] domain isp1
[Quidway-aaa-domain-isp1] authentication-scheme abc
[Quidway-aaa-domain-isp1] radius-server rd1
[Quidway-aaa-domain-isp1] quit
[Quidway-aaa] quit

# Configure the default domain isp1 in the system view. When a user enters the user name in the
format of user@isp1, the user is authenticated in the authentication domain isp1. If the user name
does not carry the domain name or carries a nonexistent domain name, the user is authenticated
in the default domain.
[Quidway] domain isp1

Step 3 Configure 802.1x authentication.


# Enable 802.1x authentication globally and on an interface.
[Quidway] dot1x enable
[Quidway] interface gigabitethernet 0/0/1
[Quidway-GigabitEthernet0/0/1] dot1x enable

# Configure MAC address bypass authentication.


[Quidway-GigabitEthernet0/0/1] dot1x mac-bypass

# Set the maximum number of concurrent access users for 802.1x authentication on an interface
to 200.
[Quidway-GigabitEthernet0/0/1] dot1x max-user 200
[Quidway-GigabitEthernet0/0/1] quit

# Set the maximum number of times that an authentication request packet is sent to the user to
3.
[Quidway] dot1x retry 3

# Configure VLAN100 as the guest VLAN in 802.1x authentication.


[Quidway] vlan batch 100
[Quidway] authentication guest-vlan 100 interface gigabitethernet 0/0/1


Step 4 View the 802.1x configuration.


[Quidway] display dot1x interface gigabitethernet 0/0/1
GigabitEthernet0/0/1 status: UP 802.1x protocol is Enabled[mac-bypass]
Port control type is Auto
Authentication method is MAC-based
Reauthentication is disabled
Maximum users: 200
Current users: 1
Guest VLAN 100 is not effective
Critical VLAN is disabled
Restrict VLAN is disabled
Authentication Success: 4 Failure: 0
EAPOL Packets: TX : 8 RX : 16
Sent EAPOL Request/Identity Packets : 4
EAPOL Request/Challenge Packets : 4
Multicast Trigger Packets : 0
EAPOL Success Packets : 4
EAPOL Failure Packets : 0
Received EAPOL Start Packets : 4
EAPOL LogOff Packets : 3
EAPOL Response/Identity Packets : 4
EAPOL Response/Challenge Packets: 4

----End

Configuration Files
# Configuration file of the Switch
#
vlan batch 10 20 100
#
domain isp1
#
dot1x enable
dot1x retry 3
#
radius-server template rd1
radius-server shared-key cipher %$%$lrWRXXUmJ/5W\uBqID/6EULC%$%$
radius-server authentication 192.168.2.30 1812 weight 80
radius-server retransmit 2
#
aaa
authentication-scheme abc
authentication-mode radius
domain isp1
authentication-scheme abc
radius-server rd1
#
interface Vlanif10
ip address 192.168.1.20 255.255.255.0
#
interface Vlanif20
ip address 192.168.2.29 255.255.255.0
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 10
dot1x mac-bypass
dot1x max-user 200
#
interface GigabitEthernet0/0/2
port link-type access
port default vlan 20
#
return
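A small audit of a configuration file in the layout shown above, as an added worked example in Python; it is not code from this guide or from the AC6605. It splits the file on the "#" separator lines and checks three things the 802.1x procedure depends on: that an interface carrying dot1x settings is backed by a global dot1x enable, that every RADIUS server template has a shared key, and that no interface block is defined twice. The sample configuration is constructed for the example (the cipher-text key is a placeholder), and the checks are this example's own, not a list from the guide.

```python
from typing import Dict, List

# Constructed sample in the layout of this guide's "Configuration Files"
# sections: blocks separated by lines containing only "#". The shared-key
# cipher text is a placeholder, not a real stored key.
SAMPLE_CONFIG = """\
#
vlan batch 10 20 100
#
domain isp1
#
dot1x enable
dot1x retry 3
#
radius-server template rd1
 radius-server shared-key cipher %$%$PLACEHOLDER%$%$
 radius-server authentication 192.168.2.30 1812 weight 80
 radius-server retransmit 2
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 10
 dot1x mac-bypass
 dot1x max-user 200
#
interface GigabitEthernet0/0/2
 port link-type access
 port default vlan 20
#
return
"""


def parse_vrp_config(text: str) -> List[List[str]]:
    """Split a VRP-style configuration file into blocks of stripped lines."""
    blocks: List[List[str]] = []
    current: List[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        if line == "#":
            if current:
                blocks.append(current)
            current = []
        elif line and line != "return":
            current.append(line)
    if current:
        blocks.append(current)
    return blocks


def audit_dot1x_config(text: str) -> List[str]:
    """Return human-readable findings; an empty list means all checks passed."""
    blocks = parse_vrp_config(text)
    findings: List[str] = []
    # Lines of blocks that are neither interface nor RADIUS template blocks
    # count as global configuration.
    global_lines = {line for block in blocks for line in block
                    if not block[0].startswith(("interface ", "radius-server template"))}
    seen_interfaces: Dict[str, int] = {}
    for block in blocks:
        head = block[0]
        if head.startswith("interface "):
            # 1. A duplicated interface block usually means a copy/paste slip.
            seen_interfaces[head] = seen_interfaces.get(head, 0) + 1
            # 2. Per-interface dot1x settings need 802.1x enabled globally as well.
            if any(l.startswith("dot1x ") for l in block[1:]) and "dot1x enable" not in global_lines:
                findings.append(f"{head}: dot1x settings present but 'dot1x enable' "
                                "is not configured globally")
        elif head.startswith("radius-server template"):
            # 3. The RADIUS exchange is authenticated only by the shared key.
            if not any(l.startswith("radius-server shared-key") for l in block[1:]):
                findings.append(f"{head}: no radius-server shared-key configured")
    for head, count in seen_interfaces.items():
        if count > 1:
            findings.append(f"{head}: defined {count} times")
    return findings
```

Run audit_dot1x_config over the text of a saved configuration (for example the output of a display command captured by a backup job); findings are meant for a change-review pipeline rather than for the device itself.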

Example for Configuring MAC Address Authentication


Networking Requirements
As shown in Figure 8-6, many printers on a company access network through GE0/0/1 of the
Switch (used as an access device). After the network operates for a period of time, the
administrator controls the network access rights of the printers to improve network security. The
Switch allows a printer to access Internet resources only after the printer is authenticated.
Figure 8-6 Networking diagram for configuring MAC address authentication (diagram not
reproduced; its labels are: Printer, Printer, LAN Switch, GE0/0/1 VLAN 10, Switch, GE0/0/2 VLAN 20,
RADIUS Server 192.168.2.30, Update Server VLAN100, Intranet)

Configuration Roadmap
Printers cannot install and use the 802.1x client. The administrator can configure MAC address
authentication on the Switch to control the network access rights of the printers.
The configuration roadmap is as follows (configured on the Switch):
1. Create and configure a RADIUS server template, an AAA scheme, and an ISP domain;
bind the RADIUS server template and the AAA scheme to the ISP domain. The Switch
can then exchange information with the RADIUS server.
2. Configure MAC address authentication.
a. Enable MAC address authentication globally and on the interface.
b. A maximum of 100 MAC address authentication users are allowed to access an
interface, preventing excessive concurrent access users.
c. Configure VLAN100 as the guest VLAN, so that users can access resources in the
guest VLAN without authentication.

Procedure
Step 1 Create VLANs and configure the VLAN allowed by the interface to ensure network
communication.
# Create VLAN 10 and VLAN 20.
<Quidway> system-view
[Quidway] vlan batch 10 20


# On the Switch, set GE0/0/1 connecting to users as a trunk interface, and add GE0/0/1 to VLAN
10.
[Quidway] interface gigabitethernet 0/0/1
[Quidway-GigabitEthernet0/0/1] port link-type trunk
[Quidway-GigabitEthernet0/0/1] port trunk allow-pass vlan 10
[Quidway-GigabitEthernet0/0/1] quit
NOTE

Configure the interface type and VLANs according to the actual situation. In this example, users are added
to VLAN 10.

# On the Switch, set GE0/0/2 connecting to the RADIUS server as an access interface, and add
GE0/0/2 to VLAN 20.
[Quidway] interface gigabitethernet 0/0/2
[Quidway-GigabitEthernet0/0/2] port link-type access
[Quidway-GigabitEthernet0/0/2] port default vlan 20
[Quidway-GigabitEthernet0/0/2] quit

# Create VLANIF10 and VLANIF20 and assign IP addresses to the VLANIF interfaces so that
user terminals, Switch, and internal devices on the enterprise network can set up routes. In this
example, the IP address of VLANIF10 is 192.168.1.20/24 and the IP address of VLANIF20 is
192.168.2.29/24.
[Quidway] interface vlanif 10
[Quidway-Vlanif10] ip address 192.168.1.20 24
[Quidway-Vlanif10] quit
[Quidway] interface vlanif 20
[Quidway-Vlanif20] ip address 192.168.2.29 24
[Quidway-Vlanif20] quit

Step 2 Create and configure a RADIUS server template, an AAA scheme, and an authentication
domain.
# Create and configure RADIUS server template rd1.
[Quidway] radius-server template rd1
[Quidway-radius-rd1] radius-server authentication 192.168.2.30 1812
[Quidway-radius-rd1] radius-server shared-key cipher hello
[Quidway-radius-rd1] radius-server retransmit 2
[Quidway-radius-rd1] quit

# Create AAA scheme abc and set the authentication mode to RADIUS.
[Quidway] aaa
[Quidway-aaa] authentication-scheme abc
[Quidway-aaa-authen-abc] authentication-mode radius
[Quidway-aaa-authen-abc] quit

# Create authentication domain isp1, and bind AAA scheme abc and RADIUS server template
rd1 to authentication domain isp1.
[Quidway-aaa] domain isp1
[Quidway-aaa-domain-isp1] authentication-scheme abc
[Quidway-aaa-domain-isp1] radius-server rd1
[Quidway-aaa-domain-isp1] quit
[Quidway-aaa] quit

# Configure the default domain isp1 in the system view. When a user enters the user name in the
format of user@isp1, the user is authenticated in the authentication domain isp1. If the user name
does not carry the domain name or carries a nonexistent domain name, the user is authenticated
in the default domain.
[Quidway] domain isp1


Step 3 Configure MAC address authentication.


# Enable MAC address authentication globally and on the interface.
[Quidway] mac-authen
[Quidway] interface gigabitethernet 0/0/1
[Quidway-GigabitEthernet0/0/1] mac-authen

# Set the maximum number of concurrent MAC authentication access users on the interface to
100.
[Quidway-GigabitEthernet0/0/1] mac-authen max-user 100
[Quidway-GigabitEthernet0/0/1] quit

Step 4 Run the display mac-authen interface command to view the configuration of MAC address
authentication.
[Quidway] display mac-authen interface gigabitethernet 0/0/1
GigabitEthernet0/0/1 state: UP. MAC address authentication is enabled
Maximum users: 100
Current users: 2
Authentication Success: 0, Failure: 0
Guest VLAN is disabled

----End
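A parser for the user and authentication counters in the display dot1x interface and display mac-authen interface outputs shown in the two examples above, as an added example in Python; it is not code from this guide or from the AC6605. It reads the Maximum users, Current users and Authentication Success/Failure fields from either output and raises an alert when an interface is close to its max-user limit (new users would be refused) or when failures dominate the authentication attempts. The two sample outputs are constructed in the layout of this guide's examples with invented counters, and the alert thresholds are this example's own defaults.

```python
import re
from typing import List

# Constructed samples in the layout of the guide's display outputs; the
# counter values are invented for this example.
DOT1X_SAMPLE = """\
GigabitEthernet0/0/1 status: UP 802.1x protocol is Enabled[mac-bypass]
Port control type is Auto
Authentication method is MAC-based
Reauthentication is disabled
Maximum users: 200
Current users: 190
Guest VLAN 100 is not effective
Authentication Success: 4 Failure: 37
EAPOL Packets: TX : 8 RX : 16
"""

MAC_AUTHEN_SAMPLE = """\
GigabitEthernet0/0/1 state: UP. MAC address authentication is enabled
Maximum users: 100
Current users: 2
Authentication Success: 0, Failure: 0
Guest VLAN is disabled
"""

# The dot1x output separates the two counters with a space, the mac-authen
# output with a comma; the Failure pattern tolerates both and is anchored to
# "Authentication Success" so it never picks up "EAPOL Failure Packets".
_PATTERNS = {
    "interface": re.compile(r"^(\S+)\s+(?:status|state):", re.M),
    "max_users": re.compile(r"Maximum users:\s*(\d+)"),
    "current_users": re.compile(r"Current users:\s*(\d+)"),
    "success": re.compile(r"Authentication Success:\s*(\d+)"),
    "failure": re.compile(r"Authentication Success:\s*\d+[,\s]+Failure:\s*(\d+)"),
}


def parse_auth_status(text: str) -> dict:
    """Extract the interface name and counters from either display output."""
    result = {}
    for key, pat in _PATTERNS.items():
        m = pat.search(text)
        if m is None:
            raise ValueError(f"field {key} not found in display output")
        result[key] = m.group(1) if key == "interface" else int(m.group(1))
    return result


def auth_alerts(status: dict, capacity_threshold: float = 0.8,
                failure_threshold: float = 0.5) -> List[str]:
    """Flag interfaces near their max-user limit and interfaces whose failed
    authentications dominate (unexpected devices or a RADIUS misconfiguration).
    The thresholds are constructed defaults, not values from the guide."""
    alerts: List[str] = []
    maxu, cur = status["max_users"], status["current_users"]
    if maxu and cur / maxu >= capacity_threshold:
        alerts.append(f"{status['interface']}: {cur}/{maxu} users "
                      f"({cur / maxu:.0%} of max-user)")
    attempts = status["success"] + status["failure"]
    if attempts and status["failure"] / attempts >= failure_threshold:
        alerts.append(f"{status['interface']}: {status['failure']} of {attempts} "
                      "authentications failed")
    return alerts
```

Polling these two outputs and feeding them through auth_alerts gives early warning of the two conditions the procedures above describe only as defaults: the max-user limit quietly locking out new terminals, and a rising failure count on an interface where MAC address or 802.1x authentication was expected to succeed.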

Configuration Files
#
vlan batch 10 20 30 100
#
domain isp1
#
mac-authen
#
radius-server template rd1
radius-server shared-key cipher %$%$lrWRXXUmJ/5W\uBqID/6EULC%$%$
radius-server authentication 192.168.2.30 1812 weight 80
radius-server retransmit 2
#
aaa
authentication-scheme abc
authentication-mode radius
domain isp1
authentication-scheme abc
radius-server rd1
#
interface Vlanif10
ip address 192.168.1.20 255.255.255.0
#
interface Vlanif20
ip address 192.168.2.29 255.255.255.0
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 10
mac-authen
mac-authen max-user 100
#
interface GigabitEthernet0/0/2
port link-type access
port default vlan 20
#
return


Example for Configuring Portal Authentication


Networking Requirements
As shown in Figure 8-7, many users on a company access network through GE0/0/1 of the
Switch (used as an access device). After the network operates for a period of time, attacks are
detected. The administrator must control network access rights of user terminals to ensure
network security. The Switch allows user terminals to access Internet resources only after they
are authenticated.
Figure 8-7 Networking diagram for configuring Portal authentication (diagram not reproduced;
its labels are: User, User, LAN Switch, GE0/0/1 VLAN 10, Switch, GE0/0/2 VLAN 20, RADIUS
Server 192.168.2.30, Portal Server 192.168.2.20, Intranet)

Configuration Roadmap
To control the network access permission of users, the administrator can configure Portal
authentication on the Switch after the server with the IP address 192.168.2.30 is used as the
RADIUS server, and configure the IP address 192.168.3.20 as the IP address for the Portal server.
The configuration roadmap is as follows (configured on the Switch):
1. Create and configure a RADIUS server template, an AAA scheme, and an ISP domain.
Bind the RADIUS server template and the AAA scheme to the ISP domain. The Switch
can then exchange information with the RADIUS server.
2. Configure Portal authentication.
a. Create and configure a Portal server template to ensure normal information exchange
between the device and the Portal server.
b. Enable Portal authentication to authenticate access users.
c. Configure a shared key that the device uses to exchange information with the Portal
server to improve communication security.
d. Configure the maximum number of concurrent Portal authentication users to prevent
excessive concurrent users.
e. Configure the offline detection period for Portal authentication users to ensure that
the device deletes the information of offline users.

Procedure
Step 1 Create VLANs and configure the VLAN allowed by the interface to ensure network
communication.

# Create VLAN 10 and VLAN 20.


<Quidway> system-view
[Quidway] vlan batch 10 20

# On the Switch, set GE0/0/1 connecting to users as a trunk interface, and add GE0/0/1 to VLAN
10.
[Quidway] interface gigabitethernet 0/0/1
[Quidway-GigabitEthernet0/0/1] port link-type trunk
[Quidway-GigabitEthernet0/0/1] port trunk allow-pass vlan 10
[Quidway-GigabitEthernet0/0/1] quit
NOTE

Configure the interface type and VLANs according to the actual situation. In this example, users are added
to VLAN 10.

# On the Switch, set GE0/0/2 connecting to the RADIUS server as an access interface, and add
GE0/0/2 to VLAN 20.
[Quidway] interface gigabitethernet 0/0/2
[Quidway-GigabitEthernet0/0/2] port link-type access
[Quidway-GigabitEthernet0/0/2] port default vlan 20
[Quidway-GigabitEthernet0/0/2] quit

# Create VLANIF10 and VLANIF20 and assign IP addresses to the VLANIF interfaces so that
user terminals, Switch, and internal devices on the enterprise network can set up routes. In this
example, the IP address of VLANIF10 is 192.168.1.20/24 and the IP address of VLANIF20 is
192.168.2.29/24.
[Quidway] interface vlanif 10
[Quidway-Vlanif10] ip address 192.168.1.20 24
[Quidway-Vlanif10] quit
[Quidway] interface vlanif 20
[Quidway-Vlanif20] ip address 192.168.2.29 24
[Quidway-Vlanif20] quit

Step 2 Create and configure a RADIUS server template, an AAA scheme, and an authentication
domain.
# Create and configure RADIUS server template rd1.
[Quidway] radius-server template rd1
[Quidway-radius-rd1] radius-server authentication 192.168.2.30 1812
[Quidway-radius-rd1] radius-server shared-key cipher hello
[Quidway-radius-rd1] radius-server retransmit 2
[Quidway-radius-rd1] quit

# Create AAA scheme abc and set the authentication mode to RADIUS.
[Quidway] aaa
[Quidway-aaa] authentication-scheme abc
[Quidway-aaa-authen-abc] authentication-mode radius
[Quidway-aaa-authen-abc] quit

# Create authentication domain isp1, and bind AAA scheme abc and RADIUS server template
rd1 to authentication domain isp1.
[Quidway-aaa] domain isp1
[Quidway-aaa-domain-isp1] authentication-scheme abc
[Quidway-aaa-domain-isp1] radius-server rd1
[Quidway-aaa-domain-isp1] quit
[Quidway-aaa] quit

# Configure the default domain isp1 in the system view. When a user enters the user name in the
format of user@isp1, the user is authenticated in the authentication domain isp1. If the user name
does not carry the domain name or carries a nonexistent domain name, the user is authenticated
in the default domain.
[Quidway] domain isp1

Step 3 Configure Portal authentication.


# Create and configure Portal server template abc.
[Quidway] web-auth-server abc
[Quidway-web-auth-server-abc] server-ip 192.168.2.20
[Quidway-web-auth-server-abc] url http://192.168.2.30:8080/webagent
[Quidway-web-auth-server-abc] quit

# Enable Portal authentication.


[Quidway] interface vlanif 10
[Quidway-Vlanif10] web-auth-server abc
[Quidway-Vlanif10] quit

# Set the shared key in cipher text to 12345.


[Quidway] web-auth-server abc
[Quidway-web-auth-server-abc] shared-key cipher 12345
[Quidway-web-auth-server-abc] quit

# Set the maximum number of concurrent Portal users to 100.


[Quidway] portal max-user 100

# Set the user offline detection period to 500s.


[Quidway] portal timer offline-detect 500

Step 4 Verify the configuration.


# Run the display web-auth-server configuration command to check the configuration of the
Portal authentication server.
[Quidway] display web-auth-server configuration
Listening port        : 2000
Portal                : version 1, version 2
Include reply message : enabled
-----------------------------------------------------------------------
Web-auth-server Name  : abc
IP-address            : 192.168.3.20
Shared-key            : %$%$C[>q!et)j7"I{`7hK)`7T*!u%$%$
Port / PortFlag       : 50100 / NO
URL                   :
Bounded Vlanif        : 10
-----------------------------------------------------------------------
1 Web authentication server(s) in total

----End

Configuration Files
#
vlan batch 10 20
#
domain isp1
#
web-auth-server abc
server-ip 192.168.2.20
port 50100
shared-key cipher %$%$9|vQ3(`Js#[:m\+~xK:W7cZQ%$%$
url http://192.168.2.30:8080/webagent
server-detect interval 60 max-times 3 critical-num 0 action log
user-sync
#
radius-server template rd1
radius-server shared-key cipher %$%$lrWRXXUmJ/5W\uBqID/6EULC%$%$
radius-server authentication 192.168.2.30 1812 weight 80
radius-server retransmit 2
#
aaa
authentication-scheme abc
authentication-mode radius
domain isp1
authentication-scheme abc
radius-server rd1
#
interface Vlanif10
ip address 192.168.1.20 255.255.255.0
web-auth-server abc
#
interface Vlanif20
ip address 192.168.2.29 255.255.255.0
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 10
#
interface GigabitEthernet0/0/2
port link-type access
port default vlan 20
#
return

8.3 NAC Configuration (for wireless users)


This chapter describes NAC principles for wireless users and configuration methods and
provides configuration examples.

8.3.1 NAC Overview


Network Admission Control (NAC) is an end-to-end access security framework and includes
802.1x authentication, MAC address authentication, and Portal authentication.
Traditional network security technologies focus on threats brought by external computers but
not threats brought by internal computers. Moreover, current network devices cannot prevent
attacks initiated by devices on internal networks. NAC security architecture considers internal
network security from the perspective of user terminals and provides end-to-end security.


Figure 8-8 Diagram of typical NAC networking (figure not reproduced; it shows the NAC terminal,
the network access device, the access server, and the intranet)

As shown in Figure 8-8, the NAC mainly includes:


• User: Access users must be authenticated. If 802.1x authentication is used, users must
  install client software.
• Network access device (NAD): It authenticates and authorizes access users. The NAD
  usually must work with an AAA server to prevent access from unauthorized terminals,
  minimize threats from unsecured terminals, and prevent unauthorized access from
  authorized terminals to protect core resources.
• Access control server (ACS): It checks terminal health and manages terminals based on
  specific policies. It manages user behavior and checks for rule violations to prevent
  malicious attacks from terminals.

8.3.2 NAC Features Supported by the Device


The device functions as an NAD in the NAC scheme and supports 802.1x authentication, MAC
address authentication, and Portal authentication.

802.1x Authentication
The IEEE 802.1x standard (802.1x) is an interface-based network access control protocol. It
authenticates and controls access devices connected to an access control device interface on a
LAN. User devices connected to the interface can access resources on the LAN after being
authenticated.
The device implements 802.1x authentication on access users after 802.1x authentication is
enabled.

MAC Address Authentication


MAC address authentication controls a user's network access permission based on the user's
interface and MAC address. The user does not need to install any client software. The user's
MAC address serves as the user name and password. After detecting the MAC address of a user
for the first time at an interface where the MAC address authentication is enabled, the device
starts authenticating the user.
The device implements MAC address authentication on access users after MAC address
authentication is enabled.
Portal Authentication
Portal authentication is also referred to as Web authentication. When a user opens a browser for
the first time and enters any website address, the user is forcibly redirected to an authentication
page of a Portal server and can access network resources only after being authenticated.
The Portal protocol is based on a client/server structure and uses the User Datagram Protocol
(UDP) as the transmission protocol. The Portal protocol is mainly used in information exchange
between the Portal server and other devices. In Portal authentication, the Portal protocol is used
in communication between the Portal server and a device that is used as a client.
After the Portal server is designated and Portal authentication is enabled, the device implements
Portal authentication on access users.
NOTE

If a user uses an iPad or iPhone with iOS 6 or a later version to access the network, the iPad or iPhone can
open a web authentication page only when it has a DNS address configured or has automatically obtained
a DNS address.

Comparison of Three Authentication Modes


Table 8-5 provides the comparison among 802.1x authentication, MAC address authentication,
and Portal authentication.
Table 8-5 Comparison of authentication modes

Item                 | 802.1x Authentication | Portal Authentication | MAC Address Authentication
Client requirement   | Required | Required in Portal authentication, not required in forcible web authentication | Not required
Advantage            | Direct control over connection/disconnection of the network access information interface and high security when 802.1x authentication is deployed in the access layer | Flexible deployment | No client required
Disadvantage         | Inflexible deployment | Low security | Complex management requiring MAC address registration
Application scenario | New network with concentrated users and high information security requirements | Scattered users | Dumb terminals (printers and fax machines) that require access authentication

8.3.3 Default Configuration


This section provides the default NAC configuration. You can change the configuration as
needed.
Table 8-6 describes the default configuration of 802.1x authentication.
Table 8-6 Default configuration of 802.1x authentication

Parameter                                                | Default setting
802.1x authentication                                    | Disabled
User authentication mode                                 | CHAP authentication
Periodic re-authentication timer (reauthenticate-period) | 3600 seconds

Table 8-7 describes the default configuration of MAC address authentication.
Table 8-7 Default configuration of MAC address authentication

Parameter                  | Default setting
MAC address authentication | Disabled

Table 8-8 describes the default configuration of Portal authentication.
Table 8-8 Default configuration of Portal authentication

Parameter                                                                                | Default setting
Portal authentication                                                                    | Disabled
Portal protocol versions supported by the device                                         | v2, v1
Number of the destination port that the device uses to send packets to the Portal server | 50100
Number of the port on which the device listens to Portal protocol packets                | 2000
Offline detection period                                                                 | 300 seconds

8.3.4 Configuring 802.1x Authentication


You can configure 802.1x authentication to implement interface-based network access control.
This means you can authenticate and control access users connected to an access control device
interface.

Prerequisites
802.1x authentication is only an implementation scheme to authenticate the user identity. To
complete the user identity authentication, you must select the RADIUS or local authentication
method and complete the following configuration tasks:
• Configure an Internet Service Provider (ISP) authentication domain to which the users
  belong, and a local authentication scheme or a RADIUS authentication scheme.
• Configure the corresponding user name and password on the RADIUS server if RADIUS
  authentication is used.
• Add the user name and password manually on the network access device if local
  authentication is used.

Enabling 802.1x Authentication


Context
The 802.1x configuration takes effect on an interface only after 802.1x authentication is enabled
on the interface.
If there are online users who log in through 802.1x authentication on the interface, disabling the
802.1x authentication is prohibited.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
interface wlan-ess wlan-ess-number

A WLAN-ESS interface is created, and the WLAN-ESS interface view is displayed.


Step 3 Run:
dot1x-authentication enable

802.1X authentication is configured on the interface.


----End

(Optional) Setting the User Authentication Mode


Context
During 802.1x authentication, users exchange authentication information with the device using
EAP packets. The device uses two modes to exchange authentication information with the
RADIUS server.
• EAP termination: The device directly parses EAP packets, encapsulates user authentication
  information into a RADIUS packet, and sends the packet to the RADIUS server for
  authentication. EAP termination is classified into PAP or CHAP authentication.
  – PAP is a two-way handshake authentication protocol. It transmits passwords in plain
    text format in RADIUS packets.
  – CHAP is a three-way handshake authentication protocol. It transmits only the user
    names (not passwords) in RADIUS packets. CHAP is more secure and reliable than
    PAP. If high security is required, CHAP is recommended.
  After the device directly parses EAP packets, user information in the EAP packets is
  authenticated by a local AAA module, or sent to a RADIUS or HWTACACS server.
• EAP relay (specified by eap): The device encapsulates EAP packets into RADIUS packets
  and sends the RADIUS packets to the RADIUS server. The device does not parse the
  received EAP packets but encapsulates them into RADIUS packets. This mechanism is
  called EAP over RADIUS (EAPoR).

The EAP relay mechanism requires that the RADIUS server be capable of parsing many EAP
packets and carrying out authentication. Therefore, if the RADIUS server has high processing
capabilities, the EAP relay is used. If the RADIUS server has low processing capabilities, EAP
termination is recommended, and the device helps the RADIUS server to parse EAP packets.
NOTE

The EAP relay can be configured for 802.1x users only when RADIUS authentication is used.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
interface wlan-ess wlan-ess-number

A WLAN-ESS interface is created, and the WLAN-ESS interface view is displayed.


Step 3 Run:
dot1x authentication-method { chap | eap | pap }

The authentication mode is set for 802.1x users.


By default, the CHAP authentication mode is used for 802.1x users.
----End

(Optional) Configuring Re-authentication for 802.1x Authentication Users


Context
If the administrator modifies user information on the authentication server, parameters such as
the user access permission and authorization attribute are changed. If a user has passed 802.1x
authentication, you must re-authenticate the user to ensure user validity.
After the user goes online, the device saves user authentication information. After
re-authentication is enabled for 802.1x authentication users, the device sends the saved
authentication information of the online user to the authentication server for re-authentication.
If the user's authentication information does not change on the authentication server, the user is
online normally. If the authentication information has been changed, the user is forced to go
offline. The user then must be re-authenticated according to the changed authentication
information.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
interface wlan-ess wlan-ess-number

A WLAN-ESS interface is created, and the WLAN-ESS interface view is displayed.


Step 3 Run:
dot1x timer reauthenticate-period reauthenticate-period-value

802.1x re-authentication is enabled and the re-authentication interval is set on an interface.


By default, 802.1x re-authentication is disabled and the re-authentication interval is 3600
seconds.
NOTE

In local forwarding mode, if 802.1x re-authentication is enabled, the PVID on the WLAN-ESS bound to
the VAP must be the same as the VLAN ID in the EAP packets sent from users to the device. Otherwise,
users will fail in re-authentication and be forced offline.

----End

(Optional) Configuring the Guest VLAN Function


Context
After the guest VLAN function is enabled, the device allows users to access resources in the
Guest VLAN without 802.1x authentication. For example, the users can obtain the client
software, upgrade the client, or run other upgrade programs.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
interface wlan-ess wlan-ess-number

A WLAN-ESS interface is created, and the WLAN-ESS interface view is displayed.


Step 3 Run:
dot1x guest-vlan vlan-id

A guest VLAN is configured on the WLAN-ESS interface.


By default, no guest VLAN is configured on a WLAN-ESS interface.


----End

(Optional) Configuring the Restrict VLAN Function


Context
You can configure the restrict VLAN function on the device interface to enable users who fail
authentication to access some network resources (for example, to update the virus library). The
users are added to the restrict VLAN when failing authentication and can access resources in
the restrict VLAN. The user fails authentication in this instance because the authentication server
rejects the user for some reasons (for example, the user enters an incorrect password) not because
the authentication times out or the network is disconnected.
Similar to the guest VLAN, the restrict VLAN allows users to access limited network resources
before passing 802.1x authentication. Generally, fewer network resources are deployed in the
restrict VLAN than in the guest VLAN; therefore, the restrict VLAN limits access to network
resources from unauthenticated users more strictly.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
interface wlan-ess wlan-ess-number

A WLAN-ESS interface is created, and the WLAN-ESS interface view is displayed.


Step 3 Run:
dot1x restrict-vlan vlan-id

A restrict VLAN is configured on a WLAN-ESS interface.


By default, no restrict VLAN is configured on the WLAN-ESS interface.
----End

(Optional) Configuring the User Group Function


Context
In NAC applications, there are many access users, but user types are limited. You can create
user groups on the device and associate each user group to an ACL. In this way, users in the
same group share rules in the ACL.
After creating user groups, you can set VLANs for the user groups, so that users in different user
groups have different network access rights. The administrator can then flexibly manage users.
Isolation flags can be set in user groups to isolate users in the same group or in different groups.
The inter-group isolation flag isolates users in a group from users in other groups, and the
intra-group isolation flag isolates users within the same group.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
user-group group-name

A user group is created and the user group view is displayed.


Step 3 Run:
acl-id acl-number

An ACL is bound to the user group.


By default, no ACL is bound to a user group.
NOTE

Before running this command, ensure that an ACL has been created using the acl command and ACL rules
are configured using the rule command.

Step 4 Run:
user-vlan vlan-id

The user group VLAN is configured.


By default, no user group VLAN is configured.
Step 5 Run:
user-isolated { inter-group | inner-group }*

Inter-group and intra-group user isolation are configured.


By default, inter-group or intra-group isolation is not configured in a user group.
----End

Checking the Configuration


Context
You can run the commands to check the configured parameters after completing the 802.1x
authentication configuration.

Procedure
Step 1 Run the display dot1x [ statistics ] [ interface { interface-type interface-number1 [ to interface-number2 ] } &<1-10> ] command to check the 802.1x authentication configuration.
Step 2 Run the display user-group [ group-name ] command to check the user group configuration.
Step 3 Run the display access-user user-group group-name command to check brief information
about all users bound to the user group.
----End
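The following puts the procedures of this section together for one WLAN-ESS interface. It is an added example, not a configuration from the guide: the VLANs, ACL 3001, the RADIUS server address and shared key, and the user group name are constructed, and the prompts of the ACL, user-group and WLAN-ESS views are assumed because the guide does not show them.

```text
# Constructed example: 802.1x for wireless users on WLAN-ESS 1 with RADIUS authentication,
# EAP relay, hourly re-authentication, a guest VLAN and an ACL-restricted user group.
[Quidway] vlan batch 10 20 30

# RADIUS server template, AAA scheme and default domain (same pattern as the wired example above)
[Quidway] radius-server template rd1
[Quidway-radius-rd1] radius-server authentication 192.168.2.30 1812
[Quidway-radius-rd1] radius-server shared-key cipher Huawei@123
[Quidway-radius-rd1] radius-server retransmit 2
[Quidway-radius-rd1] quit
[Quidway] aaa
[Quidway-aaa] authentication-scheme abc
[Quidway-aaa-authen-abc] authentication-mode radius
[Quidway-aaa-authen-abc] quit
[Quidway-aaa] domain isp1
[Quidway-aaa-domain-isp1] authentication-scheme abc
[Quidway-aaa-domain-isp1] radius-server rd1
[Quidway-aaa-domain-isp1] quit
[Quidway-aaa] quit
[Quidway] domain isp1

# Create the ACL before binding it (the NOTE in the user group procedure requires this). Users of
# group staff are placed in VLAN 20, the ACL permits the 192.168.2.0/24 server subnet, and
# inner-group isolation keeps staff clients from talking to each other.
[Quidway] acl 3001
[Quidway-acl-adv-3001] rule 5 permit ip destination 192.168.2.0 0.0.0.255
[Quidway-acl-adv-3001] quit
[Quidway] user-group staff
[Quidway-user-group-staff] acl-id 3001
[Quidway-user-group-staff] user-vlan 20
[Quidway-user-group-staff] user-isolated inner-group
[Quidway-user-group-staff] quit

# 802.1x on the WLAN-ESS interface: EAP relay (the RADIUS server parses EAP itself),
# re-authentication every 3600 s so that accounts changed on the server are forced offline,
# guest VLAN 30 for clients that have not yet authenticated (client download, upgrades).
[Quidway] interface wlan-ess 1
[Quidway-Wlan-Ess1] dot1x-authentication enable
[Quidway-Wlan-Ess1] dot1x authentication-method eap
[Quidway-Wlan-Ess1] dot1x timer reauthenticate-period 3600
[Quidway-Wlan-Ess1] dot1x guest-vlan 30
[Quidway-Wlan-Ess1] quit

# Check the result
[Quidway] display dot1x interface wlan-ess 1
[Quidway] display user-group staff
[Quidway] display access-user user-group staff
```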

8.3.5 Configuring MAC Address Authentication


MAC address authentication controls a user's network access right based on the user's access
interface and MAC address. The user does not need to install any client software. The user device
MAC address is used as the user name and password. When detecting the user's MAC address
the first time, the network access device starts authenticating the user.

Prerequisite
MAC address authentication is only an implementation scheme to authenticate the user identity.
To complete the user identity authentication, you must select the RADIUS or local authentication
method and complete the following configuration tasks:
• Configure an ISP authentication domain to which users belong, and a local authentication
  scheme or a RADIUS authentication scheme.
• Configure the corresponding user name and password on the RADIUS server if RADIUS
  authentication is used.
• Add the user name and password manually on the network access device if local
  authentication is used.

Enabling MAC Address Authentication


Context
The MAC address authentication configuration takes effect on an interface only after MAC
address authentication is enabled on the interface.
After MAC address authentication is enabled, if there are online users who log in through MAC
address authentication on the interface, disabling MAC address authentication is prohibited.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
interface wlan-ess wlan-ess-number

A WLAN-ESS interface is created, and the WLAN-ESS interface view is displayed.


Step 3 Run:
mac-authentication enable

MAC address authentication is configured on the interface.


----End

(Optional) Configuring the User Group Function


Context
In NAC applications, there are many access users, but user types are limited. You can create
user groups on the device and associate each user group to an ACL. In this way, users in the
same group share rules in the ACL.
After creating user groups, you can set VLANs for the user groups, so that users in different user
groups have different network access rights. The administrator can then flexibly manage users.
Isolation flags can be set in user groups to isolate users in the same group or in different groups.
The inter-group isolation flag isolates users in a group from users in other groups, and the
intra-group isolation flag isolates users within the same group.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
user-group group-name

A user group is created and the user group view is displayed.


Step 3 Run:
acl-id acl-number

An ACL is bound to the user group.


By default, no ACL is bound to a user group.
NOTE

Before running this command, ensure that an ACL has been created using the acl command and ACL rules
are configured using the rule command.

Step 4 Run:
user-vlan vlan-id

The user group VLAN is configured.


By default, no user group VLAN is configured.
Step 5 Run:
user-isolated { inter-group | inner-group }*

Inter-group and intra-group user isolation are configured.


By default, inter-group or intra-group isolation is not configured in a user group.
----End

Checking the Configuration


Context
You can run the commands to check the configured parameters after completing the MAC
authentication configuration.

Procedure
Step 1 Run the display user-group [ group-name ] command to check the user group configuration.
----End

8.3.6 Configuring Portal Authentication


In Portal authentication, users do not need a specific client. The Portal server provides users with
free portal services and a Portal authentication page.

Prerequisites
Portal authentication is only an implementation scheme to authenticate user identities. To
complete user identity authentication, select either RADIUS authentication or local
authentication and complete the following configuration tasks:
• Configure an ISP authentication domain to which users belong, and a local authentication
  scheme or a RADIUS authentication scheme.
• Configure the corresponding user name and password on the RADIUS server if RADIUS
  authentication is used.
• Add the user name and password manually on the network access device if local
  authentication is used.

Configuring Portal Server Parameters


Context
During Portal authentication, you must configure parameters for the Portal server (for example,
the IP address for the Portal server) to ensure smooth communication between the device and
the Portal server.

Procedure
• Configuring parameters for the external Portal server (binding URL)
  1. Run:
     system-view
     The system view is displayed.
  2. Run:
     web-auth-server server-name
     A Portal server template is created and the Portal server template view is displayed.
     By default, no Portal server template is created.
  3. Run:
     server-ip server-ip-address &<1-10>
     An IP address is configured for the Portal server.
     By default, no IP address is configured for the Portal server.
     NOTE
     The IP address for the Portal server is the IP address for the external Portal server.
  4. Run:
     url url-string
     A URL is configured for the Portal server.
     By default, a Portal server does not have a URL.
• Setting parameters of the URL corresponding to an external Portal server (binding URL
  template)
  1. Configure the URL template.
     a. Run the system-view command to enter the system view.
     b. Run the url-template name template-name command to create a URL template
        and enter the URL template view.
        By default, no URL template exists on the device.
     c. Run the url [ ssid ssid ] [ redirect-only ] url-string command to configure the
        redirection URL corresponding to the Portal server.
        By default, no redirection URL is configured for a Portal server.
     d. Run the url-parameter { ac-ip ac-ip-value | ac-mac ac-mac-value | ap-ip ap-ip-value |
        ap-mac ap-mac-value | redirect-url redirect-url-value | ssid ssid-value |
        sysname sysname-value | user-ipaddress user-ipaddress-value |
        user-mac user-mac-value } * command to set the parameters carried in the URL.
        By default, a URL does not carry parameters.
     e. Run the url-parameter mac-address format delimiter delimiter { normal |
        compact } command to set the MAC address format in the URL.
        By default, the MAC address format in the URL is XXXXXXXXXXXX.
     f. Run the parameter { start-mark parameter-value | assignment-mark
        parameter-value | isolate-mark parameter-value } * command to set the
        characters in the URL.
        By default, the start character is ?, the assignment character is =, and the delimiter is &.
     g. Run the quit command to return to the system view.
  2. Set parameters for the external Portal server.
     a. Run the web-auth-server server-name command to create a Portal server
        template and enter the Portal server template view.
        By default, no Portal server template is created.
     b. Run the server-ip server-ip-address &<1-10> command to set the IP address
        corresponding to the Portal server.
        By default, no IP address is configured for the Portal server.
     c. Run the url-template url-template command to bind a URL template to the
        Portal server template.
        By default, no URL template is bound to a Portal server template.

----End
Enabling Portal Authentication


Context
The device can communicate with the Portal server after the parameters of the Portal server are
configured. To enable Portal authentication for access users, you must enable Portal
authentication of the device.
To enable Portal authentication with a Portal server, you only need to bind the configured Portal
server template to a VLANIF interface.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
interface wlan-ess wlan-ess-number

A WLAN-ESS interface is created, and the WLAN-ESS interface view is displayed.


Step 3 Run:
web-authentication enable

Portal authentication is enabled on the interface.


By default, Portal authentication is disabled on an interface.
Step 4 (Optional) Run:
web-authentication first-mac

The function that prefers MAC addresses as accounts for Portal authentication is enabled.
By default, MAC addresses are not preferred as accounts for Portal authentication.
NOTE

When Portal authentication with the MAC address as the account is used, ensure that the MAC address without
hyphen (-) is added on the RADIUS server. For example, you can use the MAC address 286ED488B74F but
not 286E-D488-B74F.

----End

(Optional) Configuring Parameters for Information Exchange with the Portal Server

Context
In Portal authentication network deployment, you can configure parameters for information
exchange between the device and the Portal server to improve communication security.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
web-auth-server version v2 [ v1 ]

Portal protocol versions supported by the device are configured.


By default, the device uses Portal of v1 and v2.
NOTE

To ensure smooth communication, use the default setting so that the device uses both versions.

Step 3 Run:
web-auth-server listening-port port-number

The port number through which the device listens to Portal protocol packets is set.
By default, the device listens to the Portal protocol packets through port 2000.
Step 4 Run:
web-auth-server reply-message

The device is enabled to transparently transmit the authentication responses sent by the
authentication server to the Portal server.
By default, the device transparently transmits the authentication responses sent by the
authentication server to the Portal server.
Step 5 Run:
web-auth-server server-name

The Portal server template view is displayed.


Step 6 Run:
source-ip ip-address

The source IP address for communication with a Portal server is configured.


By default, no source IP address is configured on the device.
Step 7 Run:
port port-number [ all ]

The destination port number through which the device sends packets to the Portal server is set.
By default, port 50100 is used as the destination port when the device sends packets to the Portal
server.
Step 8 Run:
shared-key { cipher | simple } key-string

The shared key that the device uses to exchange information with the Portal server is configured.
By default, no shared key is configured.
----End

(Optional) Setting Access Control Parameters for Portal Authentication Users


Context
During deployment of the Portal authentication network, you can set access control parameters
for Portal authentication users to flexibly control the user access. For example, you can set
authentication free rules for Portal authentication users so that the users can access specified
network resources without being authenticated or when the users fail authentication. You can
configure the source authentication subnet to allow the device to authenticate only users in the
source authentication subnet, while users in other subnets cannot pass Portal authentication.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
portal free-rule rule-id { destination { any | ip { ip-address mask { mask-length | ip-mask } | any } } | source { any | ip { ip-address mask { mask-length | ip-mask } | any } } } *

The Portal authentication free rule is set.


By default, no Portal authentication free rule is set.
Step 3 Run:
portal max-user user-number

The maximum number of concurrent Portal users is set.


----End

(Optional) Setting the Offline Detection Interval for Portal Authentication Users
Context
If a Portal authentication user goes offline abnormally, for example because of a power failure or a network interruption, the device and the Portal server may keep the user's entry, which leads to incorrect accounting. In addition, only a limited number of users can access the device; if stale entries of users who went offline improperly are kept, other users cannot access the network.
After the offline detection interval is set for Portal authentication users, a user who does not respond within the interval is considered offline. The device and the Portal server then delete the user information and release the occupied resources.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
portal timer offline-detect time-length

The offline detection interval is set for Portal authentication users.


By default, the offline detection interval is 300 seconds.
----End

(Optional) Configuring the User Group Function


Context
In NAC applications there are many access users but only a few user types. You can create user groups on the device and bind each user group to an ACL so that all users in a group share the rules in that ACL.
Isolation flags can be set in a user group to isolate users in the same group or in different groups. The intra-group (inner-group) isolation flag isolates users within the same group from each other, and the inter-group isolation flag isolates users in the group from users in other groups.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
user-group group-name

A user group is created and the user group view is displayed.


Step 3 Run:
acl-id acl-number

An ACL is bound to the user group.


By default, no ACL is bound to a user group.
NOTE

Before running this command, ensure that an ACL has been created using the acl command and ACL rules
are configured using the rule command.

Step 4 Run:
user-isolated { inter-group | inner-group }*

Inter-group and intra-group user isolation are configured.


By default, inter-group or intra-group isolation is not configured in a user group.
----End

Checking the Configuration


Context
You can run the commands to check the configured parameters after completing the Portal
authentication configuration.
Procedure
When an external Portal server is used, run the following commands to check the configuration:
- Run the display portal [ interface vlanif interface-number ] command to check the Portal authentication configuration.
- Run the display portal free-rule [ rule-id ] command to check the configuration of authentication-free rules.
- Run the display web-auth-server configuration command to check the configuration of the Portal authentication server.
- Run the display user-group [ group-name ] command to check the user group configuration.
- Run the display access-user user-group group-name command to check summary information about all users in the user group.

----End

8.3.7 Configuration Examples


This section provides several NAC configuration examples, including network requirements,
configuration roadmap, and configuration procedure.

Example for Configuring 802.1x Authentication


Networking Requirements
As shown in Figure 8-9, a large number of user terminals in a company connect to the Internet
through a wireless medium. The administrator needs to control network access rights of user
terminals to ensure network security. The AC allows user terminals to access Internet resources
only after they are authenticated.
Figure 8-9 Networking diagram for configuring 802.1x authentication

[Figure 8-9 shows the following elements: Update Server, RADIUS Server (192.168.2.30), VLAN 10, Internet, AP, LAN Switch, AC]

Configuration Roadmap
To control network access rights of user terminals to the Internet, the administrator can configure
802.1x authentication on the AC after the server with the IP address 192.168.2.30 is used as the
RADIUS server.
The configuration roadmap is as follows (configured on the AC):
1. Create and configure a RADIUS server template, an AAA scheme, and an ISP domain. Bind the RADIUS server template and the AAA scheme to the ISP domain. The AC can then exchange information with the RADIUS server.
2. Configure 802.1x authentication.
   a. Create a WLAN-ESS interface and enable 802.1x authentication on the interface.
   b. Set the authentication mode to EAP.
   c. Configure VLAN 10 as the guest VLAN so that users can access resources in the guest VLAN without authentication.
   d. Configure re-authentication for 802.1x users.

Procedure
Step 1 Create and configure a RADIUS server template, an AAA scheme, and an ISP domain.
# Create and configure RADIUS server template rd1.
[Quidway] radius-server template rd1
[Quidway-radius-rd1] radius-server authentication 192.168.2.30 1812
[Quidway-radius-rd1] radius-server shared-key cipher hello
[Quidway-radius-rd1] radius-server retransmit 2
[Quidway-radius-rd1] quit

# Create AAA scheme abc and set the authentication mode to RADIUS.
[Quidway] aaa
[Quidway-aaa] authentication-scheme abc
[Quidway-aaa-authen-abc] authentication-mode radius
[Quidway-aaa-authen-abc] quit

# Create ISP domain isp1, and bind AAA scheme abc and RADIUS server template rd1 to ISP
domain isp1.
[Quidway-aaa] domain isp1
[Quidway-aaa-domain-isp1] authentication-scheme abc
[Quidway-aaa-domain-isp1] radius-server rd1
[Quidway-aaa-domain-isp1] quit
[Quidway-aaa] quit

Step 2 Configure 802.1x authentication.


# Create WLAN-ESS interface 0 and enable 802.1x authentication on the interface.
[Quidway] interface wlan-ess 0
[Quidway-Wlan-Ess0] dot1x-authentication enable

# Set the authentication mode for 802.1x users to EAP.
[Quidway-Wlan-Ess0] dot1x authentication-method eap

# Configure VLAN 10 as the guest VLAN in 802.1x authentication.
[Quidway-Wlan-Ess0] dot1x guest-vlan 10
[Quidway-Wlan-Ess0] quit

# Set the re-authentication interval for 802.1x users to 1000 seconds.
[Quidway] dot1x timer reauthenticate-period 1000

Step 3 View the 802.1x configuration.
[Quidway] display dot1x
Global 802.1x is Enabled
Authentication method is CHAP
Max users: 256
Current users: 0
DHCP-trigger is Disabled
Handshake is Disabled
Quiet function is Disabled
Parameter set:Handshake Period   15s     Reauthen Period   1000s
              Client Timeout     30s     Server Timeout    120s
              Quiet Period       120s    Quiet-times       3

Wlan-Ess0 status: DOWN 802.1x protocol is Enabled
Port control type is Auto
Authentication method is MAC-based
Reauthentication is disabled
Maximum users: 256
Guest VLAN 10 is not effective
Restrict VLAN is disabled

----End

Configuration Files
# Configuration file of the AC
#
vlan batch 10
#
radius-server template rd1
radius-server shared-key cipher %$%$lrWRXXUmJ/5W\uBqID/6EULC%$%$
radius-server authentication 192.168.2.30 1812
radius-server retransmit 2
#
aaa
authentication-scheme abc
authentication-mode radius
domain isp1
authentication-scheme abc
radius-server rd1
#
interface Wlan-Ess0
dot1x-authentication enable
dot1x authentication-method eap
dot1x guest-vlan 10
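The three examples in this section use the RADIUS shared key hello and, later, the Portal shared key 12345. Both are placeholders, not values to deploy. The Python script below is an added illustration written for this page, not Huawei code, of why the RADIUS key must be long and random: RFC 2865 authenticates every Access-Accept and Access-Reject with MD5 over the packet header, the Request Authenticator, the attributes and the shared secret, so anyone who captures one request/response pair on the AC-to-RADIUS path can test candidate secrets offline. The Request Authenticator, the Reply-Message attribute and the wordlist are constructed for the demonstration and do not come from the AC6605.

```python
"""RADIUS Response Authenticator (RFC 2865 section 3) and an offline dictionary
attack on a weak shared secret.

Added example for this page, not Huawei code. All packet contents below are
constructed: the Request Authenticator, the Reply-Message attribute and the
wordlist are made up for the demonstration.
"""
import hashlib
import hmac
import struct
from typing import Iterable, Optional

ACCESS_ACCEPT = 2
REPLY_MESSAGE = 18          # attribute type
HEADER_LEN = 20             # Code(1) + Identifier(1) + Length(2) + Authenticator(16)


def encode_attr(attr_type: int, value: bytes) -> bytes:
    """Encode one attribute as Type, Length, Value (RFC 2865 section 5)."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def response_authenticator(code: int, ident: int, request_auth: bytes,
                           attrs: bytes, secret: bytes) -> bytes:
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, HEADER_LEN + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def build_response(code: int, ident: int, request_auth: bytes,
                   attrs: bytes, secret: bytes) -> bytes:
    """Build the reply exactly as the RADIUS server puts it on the wire."""
    auth = response_authenticator(code, ident, request_auth, attrs, secret)
    return struct.pack("!BBH", code, ident, HEADER_LEN + len(attrs)) + auth + attrs


def verify_response(packet: bytes, request_auth: bytes, secret: bytes) -> bool:
    """What the NAS (here the AC) does on receipt: recompute and compare."""
    if len(packet) < HEADER_LEN:
        return False
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        return False
    expected = response_authenticator(code, ident, request_auth,
                                      packet[HEADER_LEN:], secret)
    return hmac.compare_digest(packet[4:HEADER_LEN], expected)


def crack_secret(packet: bytes, request_auth: bytes,
                 wordlist: Iterable[str]) -> Optional[str]:
    """Offline dictionary attack: one captured request/response pair is enough."""
    for candidate in wordlist:
        if verify_response(packet, request_auth, candidate.encode()):
            return candidate
    return None


# Constructed sample data for the demonstration.
REQUEST_AUTH = bytes.fromhex("00112233445566778899aabbccddeeff")
ATTRS = encode_attr(REPLY_MESSAGE, b"Welcome")
WEAK_SECRET = b"hello"                 # the key used in the configuration examples
WORDLIST = ["password", "radius", "huawei", "hello", "admin123"]


def demo() -> Optional[str]:
    """Capture one Access-Accept sent with the weak key and recover the key."""
    captured = build_response(ACCESS_ACCEPT, 7, REQUEST_AUTH, ATTRS, WEAK_SECRET)
    return crack_secret(captured, REQUEST_AUTH, WORDLIST)


if __name__ == "__main__":
    print("recovered shared key:", demo())
```

A key taken from a wordlist falls on the first captured exchange; a long random key makes the search infeasible. The cipher form shown in the configuration file protects the key only as stored on the AC and changes nothing about what is hashed on the wire. The Portal server shared key deserves the same care.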

Example for Configuring MAC Address Authentication


Networking Requirements
As shown in Figure 8-10, a large number of user terminals in a company connect to the Internet
through a wireless medium. The administrator needs to control network access rights of user
terminals to ensure network security. The AC allows user terminals to access Internet resources
only after they are authenticated. The company requires that user terminals be authenticated
without installing any dial-in client software.

Figure 8-10 Networking diagram for configuring MAC address authentication

[Figure 8-10 shows the following elements: Update Server, RADIUS Server (192.168.2.30), VLAN 10, Internet, AP, LAN Switch, AC]

Configuration Roadmap
To control network access rights of user terminals to the Internet and authenticate them without
installing dial-in client software, the administrator can configure MAC address authentication on
the AC, using the server with the IP address 192.168.2.30 as the RADIUS server.
The configuration roadmap is as follows (configured on the AC):
1. Create and configure a RADIUS server template, an AAA scheme, and an ISP domain; bind the RADIUS server template and the AAA scheme to the ISP domain. The AC can then exchange information with the RADIUS server.
2. Configure MAC address authentication.

Procedure
Step 1 Create and configure a RADIUS server template, an AAA scheme, and an ISP domain.
# Create and configure RADIUS server template rd1.
[Quidway] radius-server template rd1
[Quidway-radius-rd1] radius-server authentication 192.168.2.30 1812
[Quidway-radius-rd1] radius-server shared-key cipher hello
[Quidway-radius-rd1] radius-server retransmit 2
[Quidway-radius-rd1] quit

# Create AAA scheme abc and set the authentication mode to RADIUS.
[Quidway] aaa
[Quidway-aaa] authentication-scheme abc
[Quidway-aaa-authen-abc] authentication-mode radius
[Quidway-aaa-authen-abc] quit

# Create ISP domain isp1, and bind AAA scheme abc and RADIUS server template rd1 to ISP
domain isp1.
[Quidway-aaa] domain isp1
[Quidway-aaa-domain-isp1] authentication-scheme abc
[Quidway-aaa-domain-isp1] radius-server rd1
[Quidway-aaa-domain-isp1] quit
[Quidway-aaa] quit

Step 2 Configure MAC address authentication.


# Create WLAN-ESS interface 0 and enable MAC address authentication on the interface.
[Quidway] interface wlan-ess 0
[Quidway-Wlan-Ess0] mac-authentication enable

Step 3 View the MAC address authentication configuration.
[Quidway] display mac-authen
MAC address authentication is Enabled.
Username format: use MAC address without-hyphen as username
Quiet period is 60s
Offline detect period is 300s
Server response timeout value is 30s
Reauthenticate period is 60s
Guest user reauthenticate period is 180s
Maximum users: 256
Current users: 0
Global domain is not configured
Wlan-Ess0 state: UP.
Maximum users: 256
MAC address authentication is enabled

----End

Configuration Files
# Configuration file of the AC
#
radius-server template rd1
radius-server shared-key cipher %$%$lrWRXXUmJ/5W\uBqID/6EULC%$%$
radius-server authentication 192.168.2.30 1812
radius-server retransmit 2
#
aaa
authentication-scheme abc
authentication-mode radius
domain isp1
authentication-scheme abc
radius-server rd1
#
interface Wlan-Ess0
mac-authentication enable

Example for Configuring Portal Authentication


Networking Requirements
As shown in Figure 8-11, a large number of user terminals in a company connect to the Internet
through a wireless medium. The administrator needs to control network access rights of user
terminals to ensure network security. The AC allows user terminals to access Internet resources
only after they are authenticated.
Figure 8-11 Networking diagram for configuring Portal authentication

[Figure 8-11 shows the following elements: Portal Server (192.168.3.20), RADIUS Server (192.168.2.30), Internet, AP, LAN Switch, AC]

Configuration Roadmap
To control network access rights of user terminals to the Internet, the administrator can configure
Portal authentication on the AC after the server with the IP address 192.168.2.30 is used as the
RADIUS server, and configure the IP address 192.168.3.20 as the IP address for the Portal server.
The configuration roadmap is as follows (configured on the AC):
1. Create and configure a RADIUS server template, an AAA scheme, and an ISP domain. Bind the RADIUS server template and the AAA scheme to the ISP domain. The AC can then exchange information with the RADIUS server.
2. Configure Portal authentication.
   a. Create and configure a Portal server template to ensure normal information exchange between the device and the Portal server.
   b. Enable Portal authentication to authenticate access users.
   c. Configure a shared key that the device uses to exchange information with the Portal server to improve communication security.
   d. Configure the maximum number of concurrent Portal authentication users to prevent excessive concurrent users.
   e. Configure the offline detection period for Portal authentication users to ensure that the device deletes the information of offline users.

Procedure
Step 1 Create and configure a RADIUS server template, an AAA scheme, and an ISP domain.
# Create and configure RADIUS server template rd1.
[Quidway] radius-server template rd1
[Quidway-radius-rd1] radius-server authentication 192.168.2.30 1812
[Quidway-radius-rd1] radius-server shared-key cipher hello
[Quidway-radius-rd1] radius-server retransmit 2
[Quidway-radius-rd1] quit

# Create AAA scheme abc and set the authentication mode to RADIUS.
[Quidway] aaa
[Quidway-aaa] authentication-scheme abc
[Quidway-aaa-authen-abc] authentication-mode radius
[Quidway-aaa-authen-abc] quit

# Create ISP domain isp1, and bind AAA scheme abc and RADIUS server template rd1 to ISP
domain isp1.
[Quidway-aaa] domain isp1
[Quidway-aaa-domain-isp1] authentication-scheme abc
[Quidway-aaa-domain-isp1] radius-server rd1
[Quidway-aaa-domain-isp1] quit
[Quidway-aaa] quit

Step 2 Configure Portal authentication.


# Create and configure Portal server template abc.
[Quidway] web-auth-server abc
[Quidway-web-auth-server-abc] server-ip 192.168.3.20
[Quidway-web-auth-server-abc] quit

# Enable Portal authentication on WLAN-ESS interface 0.
[Quidway] interface wlan-ess 0
[Quidway-Wlan-Ess0] web-authentication enable
[Quidway-Wlan-Ess0] quit

# Set the shared key, stored in cipher text, to 12345.
[Quidway] web-auth-server abc
[Quidway-web-auth-server-abc] shared-key cipher 12345
[Quidway-web-auth-server-abc] quit

# Set the maximum number of concurrent Portal users to 100.
[Quidway] portal max-user 100

# Set the user offline detection period to 500s.
[Quidway] portal timer offline-detect 500

Step 3 Verify the configuration.
# Run the display web-auth-server configuration command to check the configuration of the
Portal authentication server.
<Quidway> display web-auth-server configuration
Listening port        : 2000
Portal                : version 1, version 2
Include reply message : enabled
-----------------------------------------------------------------------
Web-auth-server Name  : abc
IP-address            : 192.168.3.20
Shared-key            : %$%$qqZ$ZM:$i&]T9sF7KE~Xi%yp%$%$
Source-IP             :
Port / PortFlag       : 50100 / NO
URL                   :
Redirection           : Enable
Sync                  : Disable
Sync Seconds          : 300
Sync Max-times        : 3
Detect                : Disable
Detect Seconds        : 60
Detect Max-times      : 3
Detect Critical-num   : 0
Detect Action         :
Bound Vlanif          :
VPN Instance          :
Bound WAN Interface   :
-----------------------------------------------------------------------
1 Web authentication server(s) in total

----End

Configuration Files
# Configuration file of the AC
#
portal max-user 100
portal timer offline-detect 500
#
web-auth-server abc
server-ip 192.168.3.20
port 50100
shared-key cipher %$%$9|vQ3(`Js#[:m\+~xK:W7cZQ%$%$
#
radius-server template rd1
radius-server shared-key cipher %$%$lrWRXXUmJ/5W\uBqID/6EULC%$%$
radius-server authentication 192.168.2.30 1812
radius-server retransmit 2
#

aaa
authentication-scheme abc
authentication-mode radius
domain isp1
authentication-scheme abc
radius-server rd1
#
interface Wlan-Ess0
web-authentication enable
#
return

8.4 DHCP Snooping Configuration


This chapter describes how to configure Dynamic Host Configuration Protocol (DHCP)
snooping on the AC6605 to defend against DHCP attacks.

8.4.1 Introduction to DHCP Snooping


This section describes the DHCP snooping function.
DHCP snooping intercepts and analyzes DHCP messages transmitted between DHCP clients
and a DHCP server. DHCP snooping creates and maintains a DHCP snooping binding table,
and filters untrusted DHCP messages according to the table. The binding table contains the MAC
address, IP address, lease, binding type, VLAN ID, and interface number.
DHCP snooping ensures that authorized users can access the network by recording the mapping
between IP addresses and MAC addresses of clients. In this manner, DHCP snooping acts as a
firewall between DHCP clients and a DHCP server.
DHCP snooping prevents attacks including DHCP Denial of Service (DoS) attacks, bogus DHCP
server attacks, and bogus DHCP messages for extending IP address leases.
NOTE

In this manual, DHCP snooping includes DHCPv4 snooping and DHCPv6 snooping.

8.4.2 DHCP Snooping Features Supported by the AC6605


This section describes the DHCP snooping features supported by the AC6605.
The AC6605 supports security features such as the trusted interface, DHCP snooping binding
table, binding of the IP address, MAC address, interface number, VLAN ID, and Option 82. In
this manner, security of the device enabled with DHCP is ensured.

Applying DHCP Snooping on the AC6605 on a Layer 2 Network


When deployed on a Layer 2 network, the AC6605 sits between the DHCP relay and the Layer 2
user network. Figure 8-12 shows the DHCP snooping application on an AC6605 where DHCP
snooping is enabled.

Figure 8-12 Networking diagram for applying DHCP snooping on the AC6605 on a Layer 2
network

[Figure 8-12 shows the following elements: L3 network with the DHCP server and the DHCP relay, the switch (AC6605), and the L2 user network; the network-side interface is marked Trusted and the user-side interface Untrusted]

Applying DHCP Snooping on the AC6605 That Functions as the DHCP Relay
Agent
The AC6605 provides Layer 3 routing functions and can function as the DHCP relay agent on
a network. As shown in Figure 8-13, an AC6605 enabled with DHCP snooping functions as
the DHCP relay agent.

Figure 8-13 Networking diagram for applying DHCP snooping on the AC6605 that functions
as the DHCP relay agent

[Figure 8-13 shows the following elements: L3 network with the DHCP server, the switch (AC6605) acting as DHCP relay, and the L2 user network; the network-side interface is marked Trusted and the user-side interface Untrusted]

NOTE

When the AC6605 is deployed on a Layer 2 network or functions as the DHCP relay agent, DHCP snooping
is enabled. The AC6605 can defend against attacks shown in Table 8-9.
When the AC6605 functions as the DHCP relay agent, it supports association between ARP and DHCP
snooping. The AC6605, however, does not support association between ARP and DHCP snooping when
it is deployed on a Layer 2 network.

Type of Attacks Defended Against by DHCP Snooping


DHCP snooping provides different operation modes according to the type of attacks, as shown
in Table 8-9.
Table 8-9 Matching table between type of attacks and DHCP snooping operation modes

Type of Attacks                                              | DHCP Snooping Operation Mode
Bogus DHCP server attack                                     | Setting an interface to trusted or untrusted
DoS attack by changing the value of the CHADDR field         | Checking the CHADDR field in DHCP messages
Attack by sending bogus messages to extend IP address leases | Checking whether DHCP Request messages match entries in the DHCP snooping binding table
DHCP flooding attack                                         | Limiting the rate of sending DHCP messages


8.4.3 Preventing Bogus DHCP Server Attacks


To prevent bogus DHCP server attacks, configure trusted and untrusted interfaces.

Establishing the Configuration Task


Before configuring defense against bogus DHCP server attacks, familiarize yourself with the
applicable environment, complete the pre-configuration tasks, and obtain the data required for
the configuration. This will help you complete the configuration task quickly and accurately.

Applicable Environment
A bogus DHCP server on the network may send a DHCP Offer message to the DHCP client.
The DHCP Offer message contains incorrect information such as the incorrect gateway address,
incorrect DNS server, and incorrect IP address. As a result, the DHCP client cannot connect to
the network or may connect to an incorrect network.
To prevent a bogus DHCP server attack, configure DHCP snooping on the AC6605, configure
the network-side interface to be trusted and the user-side interface to be untrusted, and configure
the AC6605 to discard DHCP Reply messages received from untrusted interfaces.
To locate the bogus DHCP server, enable bogus DHCP server detection on the AC6605. The
AC6605 obtains relevant information about the DHCP server and logs the information, which
helps you maintain the network.

Pre-configuration Tasks
Before configuring defense against bogus DHCP server attacks, complete the following task:
- Configuring the DHCP server

Data Preparation
To configure defense against bogus DHCP server attacks, you need the following data.
No. | Data
1   | Type and number of the interface that will be configured as the trusted interface

Enabling DHCP Snooping


After DHCP snooping is enabled globally, it must be enabled on an interface or in a VLAN.
Otherwise, DHCP snooping does not take effect.

Context
Enable DHCP snooping in the following sequence:
1. Enable DHCP globally.
2. Enable DHCP snooping globally.
3. Enable DHCP snooping on an interface or in a VLAN.

Procedure
- Enabling DHCP snooping in the VLAN view
  1. Run:
     system-view
     The system view is displayed.
  2. Run:
     dhcp enable
     DHCP is enabled globally.
  3. Run:
     dhcp snooping enable [ ipv4 ]
     DHCP snooping is enabled globally.
  4. Run:
     vlan vlan-id
     The VLAN view is displayed.
  5. Run:
     dhcp snooping enable
     DHCP snooping is enabled in the VLAN.
  6. Run:
     quit
     Return to the system view.
  7. (Optional) Run:
     interface interface-type interface-number
     The interface view is displayed.
  8. (Optional) Run:
     dhcp snooping disable
     DHCP snooping is disabled on the specified interface in the VLAN.
  To disable DHCP snooping on a specified interface in a VLAN, perform steps 7 and 8.
- Enabling DHCP snooping in the interface view
  1. Run:
     system-view
     The system view is displayed.
  2. Run:
     dhcp enable
     DHCP is enabled globally.
  3. Run:
     dhcp snooping enable [ ipv4 ]
     DHCP snooping is enabled globally.
  4. Run:
     interface interface-type interface-number
     The interface view is displayed.
  5. Run:
     dhcp snooping enable
     DHCP snooping is enabled on the interface.
----End

Configuring an Interface as a Trusted Interface


Generally, the interface connected to the DHCP server is configured as trusted and other
interfaces are configured as untrusted.

Context
After DHCP snooping is enabled on an interface, the interface is an untrusted interface by default.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
interface interface-type interface-number
The interface view is displayed. This is the network-side interface connected to the DHCP server.
Or, run:
vlan vlan-id
The VLAN view is displayed.
Step 3 In the interface view, run:
dhcp snooping trusted
Or, in the VLAN view, run:
dhcp snooping trusted interface interface-type interface-number
The interface is configured as a trusted interface.
DHCP Reply messages received on an untrusted interface are discarded. Make only the interface toward the DHCP server or relay trusted; every user-side interface must remain untrusted, otherwise a rogue server behind it is accepted.
The interface must be added to the VLAN so that the dhcp snooping trusted interface command takes effect.
----End

(Optional) Enabling Detection of Bogus DHCP Servers


Before enabling detection of bogus DHCP servers, ensure that DHCP snooping is enabled
globally and on the interface. Otherwise, the detection function does not take effect.
Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
dhcp server detect

Detection of bogus DHCP servers is enabled.


By default, detection of bogus DHCP servers is disabled on the AC6605.
----End

Checking the Configuration


Checking the Configuration of Preventing Bogus DHCP Server Attacks.

Prerequisites
The configurations of preventing bogus DHCP server attacks are complete.

Procedure
- Run the display dhcp snooping configuration command to check information about global DHCP snooping.
- Run the display dhcp snooping interface interface-type interface-number command to check information about DHCP snooping on the interface.
- Run the display dhcp { snooping | static } user-bind { interface interface-type interface-number | ip-address ip-address | mac-address mac-address | vlan vlan-id [ interface interface-type interface-number ] | all [ verbose ] } command to check the DHCP snooping binding table.

----End

8.4.4 Preventing DoS Attacks by Changing the CHADDR Field


This section describes how to prevent attackers from attacking the DHCP server by modifying
the CHADDR field.

Establishing the Configuration Task


Before configuring defense against DoS attacks by changing the CHADDR field, familiarize
yourself with the applicable environment, complete the pre-configuration tasks, and obtain the
data required for the configuration. This will help you complete the configuration task quickly
and accurately.

Applicable Environment
An attacker may keep changing the client hardware address (CHADDR) carried in DHCP messages
to apply for IP addresses continuously. Without the CHADDR check, the AC6605 validates packets
only by the source MAC address in the frame header; because that address stays constant while
CHADDR varies, the attack packets are forwarded and the MAC address limit never takes effect.
To prevent the attacker from changing the CHADDR field, configure DHCP snooping on the
AC6605 to check the CHADDR field carried in DHCP Request messages. If the CHADDR field
matches the source MAC address in the frame header, the message is forwarded. Otherwise, the
message is discarded.

Pre-configuration Tasks
Before configuring defense against DoS attacks by changing the CHADDR field, complete the following task:
- Configuring the DHCP server

Data Preparation
To configure defense against DoS attacks by changing the CHADDR field, you need the following data.
No. | Data
1   | Type and number of the interface enabled with the check function

Enabling DHCP Snooping


After DHCP snooping is enabled globally, it must be enabled on an interface or in a VLAN.
Otherwise, DHCP snooping does not take effect.

Context
Enable DHCP snooping in the following sequence:
1. Enable DHCP globally.
2. Enable DHCP snooping globally.
3. Enable DHCP snooping on an interface or in a VLAN.

Procedure
- Enabling DHCP snooping in the VLAN view
  1. Run:
     system-view
     The system view is displayed.
  2. Run:
     dhcp enable
     DHCP is enabled globally.
  3. Run:
     dhcp snooping enable [ ipv4 ]
     DHCP snooping is enabled globally.
  4. Run:
     vlan vlan-id
     The VLAN view is displayed.
  5. Run:
     dhcp snooping enable
     DHCP snooping is enabled in the VLAN.
  6. Run:
     quit
     Return to the system view.
  7. (Optional) Run:
     interface interface-type interface-number
     The interface view is displayed.
  8. (Optional) Run:
     dhcp snooping disable
     DHCP snooping is disabled on the specified interface in the VLAN.
  To disable DHCP snooping on a specified interface in a VLAN, perform steps 7 and 8.
- Enabling DHCP snooping in the interface view
  1. Run:
     system-view
     The system view is displayed.
  2. Run:
     dhcp enable
     DHCP is enabled globally.
  3. Run:
     dhcp snooping enable [ ipv4 ]
     DHCP snooping is enabled globally.
  4. Run:
     interface interface-type interface-number
     The interface view is displayed.
  5. Run:
     dhcp snooping enable
     DHCP snooping is enabled on the interface.
----End

Checking the CHADDR Field in DHCP Request Messages


If the CHADDR field in DHCP Request messages matches the source MAC address in the
Ethernet frame header, the messages are forwarded. Otherwise, the messages are discarded.

Procedure
Step 1 Run:
system-view


The system view is displayed.


Step 2 Run:
interface interface-type interface-number

The interface view is displayed.


The interface is the user-side interface.
Step 3 Run:
dhcp snooping check dhcp-chaddr enable

The interface or the interface in a VLAN is configured to check if the CHADDR field in DHCP
Request messages matches the source MAC address in the Ethernet frame header.
By default, an interface or the interface in a VLAN does not check the CHADDR field in DHCP
Request messages on the AC6605.
----End

Checking the Configuration


Checking the Configuration of Preventing the DoS Attack by Changing the CHADDR Field.

Prerequisites
The configurations of preventing DoS attacks by changing the CHADDR field are complete.

Procedure
- Run the display dhcp snooping configuration command to check information about global DHCP snooping.
- Run the display dhcp snooping interface interface-type interface-number command to check information about DHCP snooping on the interface.

----End

8.4.5 Preventing the Attacker from Sending Bogus DHCP Messages for Extending IP Address Leases

This section describes how to prevent attackers from attacking the DHCP server by forging
DHCP messages that extend IP address leases.

Establishing the Configuration Task


Before configuring defense against attacks by sending bogus DHCP messages to extend IP
address leases, familiarize yourself with the applicable environment, complete the pre-configuration
tasks, and obtain the data required for the configuration. This will help you complete the
configuration task quickly and accurately.

Applicable Environment
If an attacker continuously sends bogus DHCP Request messages to extend IP address leases,
some expired IP addresses cannot be reclaimed and some DHCP users may fail to apply for IP
addresses.
To prevent the attacker from sending bogus DHCP messages to extend IP address leases, create
a DHCP snooping binding table on the AC6605 to check DHCP Request messages. If the source
IP address, source MAC address, VLAN, and interface of the DHCP Request messages match
entries in the binding table, the DHCP Request messages are then forwarded. Otherwise, the
DHCP Request messages are discarded.
The AC6605 checks DHCP Request messages as follows:
1.

Checks whether the destination MAC address is all-f. If the destination MAC address is
all-f, the AC6605 considers that the DHCP Request message is a broadcast message that a
user sends to goes online for the first time and does not check the DHCP Request message
against the binding table. Otherwise, the AC6605 considers that the user sends the DHCP
Request message is renew lease of the IP address and checks the DHCP Request message
against the binding table.

2.

Checks whether the CHADDR field in the DHCP Request message matches an entry in the
binding table. If not, a user goes online for the first time and the AC6605 forwards the
message directly. If yes, the AC6605 checks whether the VLAN ID, IP address, and
interface information of the message match the binding table. If all these fields match the
binding table, the AC6605 forwards the message; otherwise, the AC6605 discards the
message.
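The two checks described above, as an added worked example in Python (not Huawei code and not part of this guide): it models a binding table keyed by MAC address, applies the CHADDR check from 8.4.4 and the two-step DHCP Request check from this section, and returns whether a message is forwarded and why. The interface names, MAC addresses and IP addresses are constructed sample values; the dataclass layout is an assumption made for the example.

```python
# Added example, not Huawei code: models the two DHCP Request checks that DHCP
# snooping on the AC6605 applies (CHADDR vs. frame source MAC, and the
# binding-table check for lease renewals). All names and addresses are constructed.
from dataclasses import dataclass
from typing import Dict, List, Tuple

BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"


@dataclass(frozen=True)
class Binding:
    """One DHCP snooping binding entry: MAC, IP, VLAN and ingress interface."""
    mac: str
    ip: str
    vlan: int
    interface: str


@dataclass(frozen=True)
class DhcpRequest:
    """The fields of a received DHCP Request that the checks look at."""
    src_mac: str    # source MAC in the Ethernet frame header
    dst_mac: str    # destination MAC in the Ethernet frame header
    chaddr: str     # CHADDR field inside the DHCP message
    ciaddr: str     # client IP address carried in the message (set on renewal)
    vlan: int       # VLAN the frame arrived in
    interface: str  # user-side interface the frame arrived on


def build_table(bindings: List[Binding]) -> Dict[str, Binding]:
    """Index binding entries by MAC, the key the CHADDR lookup uses (assumption)."""
    return {b.mac.lower(): b for b in bindings}


def check_chaddr(req: DhcpRequest) -> bool:
    """dhcp snooping check dhcp-chaddr enable: CHADDR must equal the frame source MAC."""
    return req.chaddr.lower() == req.src_mac.lower()


def check_request_binding(req: DhcpRequest, table: Dict[str, Binding]) -> Tuple[bool, str]:
    """dhcp snooping check dhcp-request enable, following the two steps in 8.4.5.

    Returns (forward, reason).
    """
    # Step 1: an all-f destination MAC is a broadcast from a user going online for
    # the first time; it is forwarded without consulting the binding table.
    if req.dst_mac.lower() == BROADCAST_MAC:
        return True, "broadcast-first-request"
    # Step 2: a unicast Request is a lease renewal. An unknown CHADDR is treated as a
    # first-time user and forwarded; a known CHADDR must match VLAN, IP and interface.
    entry = table.get(req.chaddr.lower())
    if entry is None:
        return True, "chaddr-not-bound"
    if (entry.vlan, entry.ip, entry.interface) == (req.vlan, req.ciaddr, req.interface):
        return True, "binding-match"
    return False, "binding-mismatch"


def snoop_request(req: DhcpRequest, table: Dict[str, Binding],
                  chaddr_check: bool = True, request_check: bool = True) -> Tuple[bool, str]:
    """Apply the enabled checks in order and return (forward, reason)."""
    if chaddr_check and not check_chaddr(req):
        return False, "chaddr-mismatch"
    if request_check:
        return check_request_binding(req, table)
    return True, "not-checked"


if __name__ == "__main__":
    # Constructed sample data: one bound user, one genuine renewal, one forged renewal.
    table = build_table([Binding("00:11:22:33:44:55", "192.0.2.10", 10, "GigabitEthernet0/0/1")])
    renew = DhcpRequest("00:11:22:33:44:55", "00:aa:bb:cc:dd:ee", "00:11:22:33:44:55",
                        "192.0.2.10", 10, "GigabitEthernet0/0/1")
    forged = DhcpRequest("66:66:66:66:66:66", "00:aa:bb:cc:dd:ee", "00:11:22:33:44:55",
                         "192.0.2.10", 10, "GigabitEthernet0/0/2")
    print(snoop_request(renew, table))   # (True, 'binding-match')
    print(snoop_request(forged, table))  # (False, 'chaddr-mismatch')
```

The forged renewal is stopped by the CHADDR check first; if only the Request check were enabled it would still be discarded, because the CHADDR is bound to a different interface.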

Pre-configuration Tasks
Before configuring defense against attacks by sending bogus DHCP messages to extend IP address leases, complete the following tasks:
- Configuring the DHCP server
- Configuring the DHCP relay agent

Data Preparation
To configure defense against attacks by sending bogus DHCP messages to extend IP address leases, you need the following data.

No. | Data
1 | Type and number of the interface enabled with detection of bogus DHCP servers

Enabling DHCP Snooping

After DHCP snooping is enabled globally, it must be enabled on an interface or in a VLAN. Otherwise, DHCP snooping does not take effect.

Context
Enable DHCP snooping in the following sequence:
- Enable DHCP globally.
- Enable DHCP snooping globally.
- Enable DHCP snooping on an interface or in a VLAN.

Procedure
- Enabling DHCP snooping in the VLAN view
  1. Run:
  system-view
  The system view is displayed.

  2. Run:
  dhcp enable
  DHCP is enabled globally.

  3. Run:
  dhcp snooping enable [ ipv4 ]
  DHCP snooping is enabled globally.

  4. Run:
  vlan vlan-id
  The VLAN view is displayed.

  5. Run:
  dhcp snooping enable
  DHCP snooping is enabled in the VLAN.

  6. Run:
  quit
  Return to the system view.

  7. (Optional) Run:
  interface interface-type interface-number
  The interface view is displayed.

  8. (Optional) Run:
  dhcp snooping disable
  DHCP snooping is disabled on the specified interface in the VLAN.

  To disable DHCP snooping on a specified interface in a VLAN, perform steps 7 and 8.

- Enabling DHCP snooping in the interface view
  1. Run:
  system-view
  The system view is displayed.

  2. Run:
  dhcp enable
  DHCP is enabled globally.

  3. Run:
  dhcp snooping enable [ ipv4 ]
  DHCP snooping is enabled globally.

  4. Run:
  interface interface-type interface-number
  The interface view is displayed.

  5. Run:
  dhcp snooping enable
  DHCP snooping is enabled on the interface.

----End

Enabling Checking of DHCP Request Messages

To prevent unauthorized users from sending DHCP Request messages to request IP address renewal, the AC6605 matches received DHCP Request messages against the binding table to determine whether to forward them.

Context
Binding entries of DHCP users are created automatically after DHCP snooping is enabled. If a user uses a static IP address, manually configure a binding entry for the user.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
interface interface-type interface-number

The interface view is displayed.
The interface is a user-side interface.

Or, run:
vlan vlan-id

The VLAN view is displayed.

Step 3 Run:
dhcp snooping check dhcp-request enable (interface view)

The interface is enabled to check DHCP Request messages.
By default, an interface does not check DHCP Request messages.

NOTE
The dhcp snooping check dhcp-request enable command (interface view) also checks whether DHCP Release messages match the binding table, preventing unauthorized users from releasing the IP addresses of authorized users.

----End

(Optional) Configuring the Option 82 Function

After the Option 82 function is enabled, the AC6605 can generate binding entries for users on different interfaces according to the Option 82 field in DHCP messages, which prevents a bogus DHCP server from replying with incorrect messages.

Procedure
- In the interface view:
  1. Run:
  system-view
  The system view is displayed.

  2. Run:
  interface interface-type interface-number
  The interface view is displayed.
  The interface is the user-side interface.

  3. Run:
  dhcp option82 insert enable
  The Option 82 field is appended to DHCP messages.

  Or, run:
  dhcp option82 rebuild enable
  The Option 82 field is forcibly appended to DHCP messages.

  After the dhcp option82 insert enable command is used, the Option 82 field is appended to DHCP messages if the original DHCP messages do not carry the Option 82 field. If a DHCP message already contains an Option 82 field, the AC6605 checks whether the Option 82 field contains the Remote-id. If the Option 82 field contains the Remote-id, the AC6605 retains the original Option 82 field. If not, the AC6605 inserts the Remote-id into the Option 82 field. By default, the Remote-id is the MAC address of the AC6605.
  After the dhcp option82 rebuild enable command is used, the Option 82 field is appended to DHCP messages if the original DHCP messages do not carry the Option 82 field; if the original DHCP messages carry the Option 82 field, the original Option 82 field is removed and a new one is appended.

- In the VLAN view:
  1. Run:
  system-view
  The system view is displayed.

  2. Run:
  vlan vlan-id
  The VLAN view is displayed.

  3. Run:
  dhcp option82 insert enable interface { interface-name | interface-type interface-number } [ to interface-number ]
  The Option 82 field is appended to DHCP messages.

  Or, run:
  dhcp option82 rebuild enable interface { interface-name | interface-type interface-number } [ to interface-number ]
  The Option 82 field is forcibly appended to DHCP messages.

  The preceding commands take effect only if the specified interfaces have been added to the VLAN entered in step 2.
  After the dhcp option82 insert enable interface { interface-name | interface-type interface-number } [ to interface-number ] command is used, the Option 82 field is appended to DHCP messages if the original DHCP messages do not carry the Option 82 field. If a DHCP message already contains an Option 82 field, the AC6605 checks whether the Option 82 field contains the Remote-id. If the Option 82 field contains the Remote-id, the AC6605 retains the original Option 82 field. If not, the AC6605 inserts the Remote-id into the Option 82 field. By default, the Remote-id is the MAC address of the AC6605.
  After the dhcp option82 rebuild enable interface { interface-name | interface-type interface-number } [ to interface-number ] command is used, the Option 82 field is appended to DHCP messages if the original DHCP messages do not carry the Option 82 field; if the original DHCP messages carry the Option 82 field, the original Option 82 field is removed and a new one is appended.
----End
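The insert and rebuild behaviour described above, as an added worked example in Python (not Huawei code and not part of this guide). DHCP options are TLV-encoded (code, length, value) and Option 82 carries sub-options, of which 1 is Circuit-id and 2 is Remote-id. The example parses an options field, applies either mode, and shows the three cases the text distinguishes: no Option 82 present, Option 82 present without a Remote-id, and Option 82 present with a Remote-id. The Circuit-id and Remote-id contents are constructed placeholders; the guide does not specify the default Option 82 format, so what goes into a freshly built Option 82 here is an assumption.

```python
# Added example, not Huawei code: models how 'dhcp option82 insert enable' and
# 'dhcp option82 rebuild enable' treat the Option 82 field of a DHCP message.
# Option contents below are constructed placeholders.
from typing import List, Tuple

OPT_MESSAGE_TYPE = 53
OPT_RELAY_AGENT = 82
OPT_END = 255
OPT_PAD = 0
SUB_CIRCUIT_ID = 1
SUB_REMOTE_ID = 2

TLV = List[Tuple[int, bytes]]


def parse_tlv(data: bytes, stop_at_end: bool) -> TLV:
    """Decode (code, length, value) triples; a top-level options field ends at code 255."""
    out: TLV = []
    i = 0
    while i < len(data):
        code = data[i]
        if stop_at_end and code == OPT_END:
            break
        if stop_at_end and code == OPT_PAD:
            i += 1
            continue
        if i + 1 >= len(data):
            raise ValueError("truncated TLV header")
        length = data[i + 1]
        value = data[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated TLV value")
        out.append((code, value))
        i += 2 + length
    return out


def encode_tlv(items: TLV, with_end: bool) -> bytes:
    buf = bytearray()
    for code, value in items:
        if len(value) > 255:
            raise ValueError("option value too long")
        buf += bytes([code, len(value)]) + value
    if with_end:
        buf.append(OPT_END)
    return bytes(buf)


def option82_suboptions(options: bytes) -> TLV:
    """Return the sub-options of Option 82, or [] if the message carries none."""
    for code, value in parse_tlv(options, stop_at_end=True):
        if code == OPT_RELAY_AGENT:
            return parse_tlv(value, stop_at_end=False)
    return []


def apply_option82(options: bytes, mode: str, circuit_id: bytes, remote_id: bytes) -> bytes:
    """Apply 'insert' (dhcp option82 insert enable) or 'rebuild' (dhcp option82 rebuild enable)."""
    if mode not in ("insert", "rebuild"):
        raise ValueError("mode must be 'insert' or 'rebuild'")
    opts = parse_tlv(options, stop_at_end=True)
    existing = [v for c, v in opts if c == OPT_RELAY_AGENT]
    # Content of a newly built Option 82 is an assumption (Circuit-id + Remote-id).
    fresh = encode_tlv([(SUB_CIRCUIT_ID, circuit_id), (SUB_REMOTE_ID, remote_id)], with_end=False)
    if not existing or mode == "rebuild":
        # Both modes append Option 82 when the message has none; rebuild also
        # replaces an existing one with a new field.
        new82 = fresh
    else:
        # insert: keep the original if it already has a Remote-id, else add the Remote-id.
        subs = parse_tlv(existing[0], stop_at_end=False)
        if any(c == SUB_REMOTE_ID for c, _ in subs):
            return options
        new82 = encode_tlv(subs + [(SUB_REMOTE_ID, remote_id)], with_end=False)
    rest = [(c, v) for c, v in opts if c != OPT_RELAY_AGENT]
    return encode_tlv(rest + [(OPT_RELAY_AGENT, new82)], with_end=True)


# Constructed sample messages: a DHCP Request options field without Option 82,
# and one already carrying an Option 82 that has only a Circuit-id.
CIRCUIT_ID = b"GE0/0/1:10"                  # constructed circuit-id text
REMOTE_ID = bytes.fromhex("00e0fc123456")   # constructed AC MAC address
NO_OPT82 = encode_tlv([(OPT_MESSAGE_TYPE, b"\x03")], with_end=True)
WITH_CIRCUIT_ONLY = encode_tlv(
    [(OPT_MESSAGE_TYPE, b"\x03"),
     (OPT_RELAY_AGENT, encode_tlv([(SUB_CIRCUIT_ID, b"upstream")], with_end=False))],
    with_end=True)
```

With insert mode an upstream Option 82 that already names a Remote-id is passed through untouched, which is why rebuild mode is the safer choice when the user side of the AC6605 must never be able to supply its own relay-agent information.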

(Optional) Setting the Format of the Option 82 Field

You can set the format of the Option 82 field globally or on an interface. If the format of the Option 82 field is set on an interface, the format set on the interface takes effect. If the format of the Option 82 field is not set on an interface, the globally configured format takes effect.

Procedure
- Setting the format of the Option 82 field in the system view
  1. Run:
  system-view
  The system view is displayed.

  2. Run:
  dhcp option82 [ circuit-id | remote-id ] format { default | common | extend | user-defined text }
  The format of the Option 82 field is set.

  NOTE
  If the customized format of the Option 82 field is used (that is, user-defined is specified), it is recommended that you specify the interface type, slot ID, and interface number in text.

- Setting the format of the Option 82 field in the interface view
  1. Run:
  system-view
  The system view is displayed.

  2. Run:
  interface interface-type interface-number
  The interface view is displayed.

  3. Run:
  dhcp option82 [ vlan vlan-id ] [ circuit-id | remote-id ] format { default | common | extend | user-defined text }
  The format of the Option 82 field is set.

  NOTE
  If the customized format of the Option 82 field is used (that is, user-defined is specified), it is recommended that you specify the interface type, slot ID, and interface number in text.

----End

Checking the Configuration

Checking the Configuration of Preventing the Attacker from Sending Bogus DHCP Messages for Extending IP Address Leases.

Prerequisites
The configurations of preventing the attacker from sending bogus DHCP messages for extending IP address leases are complete.

Procedure
- Run the display dhcp snooping configuration command to check information about global DHCP snooping.
- Run the display dhcp snooping interface interface-type interface-number command to check information about DHCP snooping on the interface.
- Run the display dhcp { snooping | static } user-bind { dai-status | interface interface-type interface-number | ip-address ip-address | ipsg-status | mac-address mac-address | vlan vlan-id [ interface interface-type interface-number ] | all [ verbose ] } command to check information about the DHCP binding table.
- Run the display dhcp option82 configuration { interface interface-type interface-number | vlan vlan-id } command to check the status of the Option 82 field.

----End

8.4.6 Setting the Maximum Number of DHCP Snooping Users

This section describes how to set the maximum number of DHCP snooping users. This is necessary because authorized users cannot access the network when an attacker applies for IP addresses continuously.

Establishing the Configuration Task

Before configuring the maximum number of DHCP snooping users, familiarize yourself with the applicable environment, complete the pre-configuration tasks, and obtain the data required for the configuration. This will help you complete the configuration task quickly and accurately.

Applicable Environment
To prevent malicious users from applying for IP addresses, you can set the maximum number of DHCP snooping users.
When the number of DHCP snooping users reaches the maximum value, users cannot successfully apply for IP addresses.

Pre-configuration Tasks
Before setting the maximum number of DHCP snooping users, complete the following tasks:
- Enabling DHCP snooping globally
- Enabling check of the DHCP snooping binding table

Data Preparation
To set the maximum number of DHCP snooping users, you need the following data.

No. | Data
1 | Type and number of the interface, VLAN ID, and maximum number of DHCP snooping users

Enabling DHCP Snooping

After DHCP snooping is enabled globally, it must be enabled on an interface or in a VLAN. Otherwise, DHCP snooping does not take effect.

Context
Enable DHCP snooping in the following sequence:
- Enable DHCP globally.
- Enable DHCP snooping globally.
- Enable DHCP snooping on an interface or in a VLAN.
Procedure
- Enabling DHCP snooping in the VLAN view
  1. Run:
  system-view
  The system view is displayed.

  2. Run:
  dhcp enable
  DHCP is enabled globally.

  3. Run:
  dhcp snooping enable [ ipv4 ]
  DHCP snooping is enabled globally.

  4. Run:
  vlan vlan-id
  The VLAN view is displayed.

  5. Run:
  dhcp snooping enable
  DHCP snooping is enabled in the VLAN.

  6. Run:
  quit
  Return to the system view.

  7. (Optional) Run:
  interface interface-type interface-number
  The interface view is displayed.

  8. (Optional) Run:
  dhcp snooping disable
  DHCP snooping is disabled on the specified interface in the VLAN.

  To disable DHCP snooping on a specified interface in a VLAN, perform steps 7 and 8.

- Enabling DHCP snooping in the interface view
  1. Run:
  system-view
  The system view is displayed.

  2. Run:
  dhcp enable
  DHCP is enabled globally.

  3. Run:
  dhcp snooping enable [ ipv4 ]
  DHCP snooping is enabled globally.

  4. Run:
  interface interface-type interface-number
  The interface view is displayed.

  5. Run:
  dhcp snooping enable
  DHCP snooping is enabled on the interface.

----End

Setting the Maximum Number of DHCP Snooping Users

If an unauthorized user applies for IP addresses maliciously, authorized users cannot access the network. To address this problem, you can set the maximum number of access users.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
dhcp snooping max-user-number max-user-number

The maximum number of access users allowed in the system view is set.
By default, the maximum number of access users allowed by all the interfaces of the AC6605 is 1024.

Step 3 Run:
interface interface-type interface-number

The interface view is displayed.

Or, run:
vlan vlan-id

The VLAN view is displayed.

Step 4 Run:
dhcp snooping max-user-number max-user-number

The maximum number of DHCP snooping users allowed on an interface or in a VLAN is set.
By default, a maximum of 1024 users can access an interface of the AC6605 or a VLAN.
If the maximum number of access users is set on an interface, in a VLAN, or in the system view, all the configurations take effect.
----End
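How the three limits interact, as an added worked example in Python (not Huawei code and not part of this guide): a small binding-table model enforces the system-view, VLAN and interface values of dhcp snooping max-user-number at the same time, so a new user is refused as soon as any one of the applicable limits is reached, and a constructed flood of distinct MAC addresses on one interface shows which limit stops it. The default of 1024 at every level is taken from the page; the order in which the limits are checked and the "existing user does not consume a slot" rule are assumptions made for the example.

```python
# Added example, not Huawei code: enforces dhcp snooping max-user-number at all
# three levels (system view, VLAN, interface) when a new DHCP user binding is
# created. Check order and the renewal rule are assumptions; names are constructed.
from typing import Dict, Tuple

DEFAULT_MAX_USERS = 1024  # default at every level according to the page


class SnoopingUserLimits:
    def __init__(self, system_max: int = DEFAULT_MAX_USERS):
        self.system_max = system_max
        self.vlan_max: Dict[int, int] = {}
        self.interface_max: Dict[str, int] = {}
        # mac -> (vlan, interface): one binding entry per DHCP user
        self.users: Dict[str, Tuple[int, str]] = {}

    def set_vlan_max(self, vlan: int, n: int) -> None:
        self.vlan_max[vlan] = n

    def set_interface_max(self, interface: str, n: int) -> None:
        self.interface_max[interface] = n

    def count_vlan(self, vlan: int) -> int:
        return sum(1 for v, _ in self.users.values() if v == vlan)

    def count_interface(self, interface: str) -> int:
        return sum(1 for _, i in self.users.values() if i == interface)

    def admit(self, mac: str, vlan: int, interface: str) -> Tuple[bool, str]:
        """Try to add a DHCP user; returns (admitted, reason)."""
        mac = mac.lower()
        if mac in self.users:
            return True, "existing-user"   # a renewal does not consume a new slot (assumption)
        if len(self.users) >= self.system_max:
            return False, "system-limit"
        if self.count_vlan(vlan) >= self.vlan_max.get(vlan, DEFAULT_MAX_USERS):
            return False, "vlan-limit"
        if self.count_interface(interface) >= self.interface_max.get(interface, DEFAULT_MAX_USERS):
            return False, "interface-limit"
        self.users[mac] = (vlan, interface)
        return True, "admitted"

    def release(self, mac: str) -> bool:
        """Remove a user when its lease is released or expires."""
        return self.users.pop(mac.lower(), None) is not None


def simulate_flood(limits: SnoopingUserLimits, vlan: int, interface: str, n: int) -> Dict[str, int]:
    """Constructed scenario: n distinct MACs request addresses on one interface.

    Returns a tally of outcomes, e.g. how many requests each limit refused.
    """
    outcomes: Dict[str, int] = {}
    for k in range(n):
        mac = "02:00:00:00:%02x:%02x" % (k >> 8, k & 0xff)
        _, reason = limits.admit(mac, vlan, interface)
        outcomes[reason] = outcomes.get(reason, 0) + 1
    return outcomes


if __name__ == "__main__":
    limits = SnoopingUserLimits(system_max=5)
    limits.set_interface_max("GigabitEthernet0/0/1", 2)
    limits.set_vlan_max(10, 3)
    print(simulate_flood(limits, 10, "GigabitEthernet0/0/1", 4))  # {'admitted': 2, 'interface-limit': 2}
```

A tight per-interface value on user-facing access ports limits how far one port's flood can eat into the VLAN and system budgets that the other ports share.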

(Optional) Configuring MAC Address Security on an Interface

MAC addresses of DHCP users in the dynamic binding table can be converted to static MAC addresses, and packets of these users can be forwarded. MAC addresses of static users in the static binding table cannot be converted to static MAC addresses. Therefore, you need to configure static MAC addresses for the static users so that their packets are forwarded normally.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
interface interface-type interface-number

The interface view is displayed.
The interface is a user-side interface.

Step 3 Run:
dhcp snooping sticky-mac

MAC address security of DHCP snooping is enabled on the interface.
By default, MAC address security of DHCP snooping is disabled on the AC6605.
The dhcp snooping sticky-mac command takes effect only after DHCP snooping is enabled globally.
If the dhcp snooping sticky-mac command is run, the interface neither learns the MAC address of a received IP packet nor forwards or sends the received IP packet. The DHCP messages received by the interface are sent to the CPU of the main control board, and then a dynamic binding table is generated. After the dynamic binding table is generated, static MAC addresses are delivered to the corresponding interface. That is, dynamic MAC addresses are converted to static MAC addresses. The static MAC address entry includes the MAC address and VLAN ID of the user. Subsequently, only packets whose source MAC address matches a static MAC address can pass through the interface; other packets are discarded.
MAC addresses of static users in the static binding table cannot be converted to static MAC addresses. You need to configure static MAC addresses for the static users so that their packets are forwarded normally.
----End

Checking the Configuration

Checking the Configuration of the Maximum Number of DHCP Snooping Users.

Prerequisites
The configurations of setting the maximum number of users are complete.

Procedure
- Run the display dhcp snooping configuration command to check information about global DHCP snooping.
- Run the display dhcp snooping interface interface-type interface-number command to check information about DHCP snooping on an interface.
- Run the display mac-address snooping [ interface-type interface-number [ vlan vlan-id ] | vlan vlan-id [ interface-type interface-number ] ] [ verbose ] command to view static MAC address entries converted from dynamic MAC address entries by the dhcp snooping sticky-mac command.

----End

8.4.7 Limiting the Rate of Sending DHCP Messages

This section describes how to prevent attackers from sending a large number of DHCP Request messages to attack the AC6605.

Establishing the Configuration Task

Before configuring the limit on the rate of sending DHCP messages, familiarize yourself with the applicable environment, complete the pre-configuration tasks, and obtain the data required for the configuration. This will help you complete the configuration task quickly and accurately.

Applicable Environment
If an attacker sends DHCP messages continuously on a network, the DHCP protocol stack of the AC6605 is affected.
To prevent an attacker from sending a large number of DHCP messages, you can configure DHCP snooping on the AC6605 to check DHCP messages and limit the rate of sending DHCP messages. Only a certain number of DHCP messages can be sent to the protocol stack during a certain period. Excess DHCP messages are discarded.

Pre-configuration Tasks
Before limiting the rate of sending DHCP messages, complete the following tasks:
- Configuring the DHCP server
- Configuring the DHCP relay agent

Data Preparation
To limit the rate of sending DHCP messages, you need the following data.

No. | Data
1 | Rate at which DHCP messages are sent to the protocol stack

Enabling DHCP Snooping

After DHCP snooping is enabled globally, it must be enabled on an interface or in a VLAN. Otherwise, DHCP snooping does not take effect.

Context
Enable DHCP snooping in the following sequence:
- Enable DHCP globally.
- Enable DHCP snooping globally.
- Enable DHCP snooping on an interface or in a VLAN.
Procedure
- Enabling DHCP snooping in the VLAN view
  1. Run:
  system-view
  The system view is displayed.

  2. Run:
  dhcp enable
  DHCP is enabled globally.

  3. Run:
  dhcp snooping enable [ ipv4 ]
  DHCP snooping is enabled globally.

  4. Run:
  vlan vlan-id
  The VLAN view is displayed.

  5. Run:
  dhcp snooping enable
  DHCP snooping is enabled in the VLAN.

  6. Run:
  quit
  Return to the system view.

  7. (Optional) Run:
  interface interface-type interface-number
  The interface view is displayed.

  8. (Optional) Run:
  dhcp snooping disable
  DHCP snooping is disabled on the specified interface in the VLAN.

  To disable DHCP snooping on a specified interface in a VLAN, perform steps 7 and 8.

- Enabling DHCP snooping in the interface view
  1. Run:
  system-view
  The system view is displayed.

  2. Run:
  dhcp enable
  DHCP is enabled globally.

  3. Run:
  dhcp snooping enable [ ipv4 ]
  DHCP snooping is enabled globally.

  4. Run:
  interface interface-type interface-number
  The interface view is displayed.

  5. Run:
  dhcp snooping enable
  DHCP snooping is enabled on the interface.

----End

Setting the Maximum Rate of Sending DHCP Messages

You can set the maximum rate of sending DHCP messages globally, in a VLAN, or on an interface. If the maximum rate of sending DHCP messages is set globally, in a VLAN, and on an interface simultaneously, the settings take effect in descending order of priority: on the interface, in the VLAN, and then globally.

Procedure
- Setting the maximum rate of sending DHCP messages in the system view
  1. Run:
  system-view
  The system view is displayed.

  2. Run:
  dhcp snooping check dhcp-rate enable
  The function of checking the rate of sending DHCP messages is enabled.
  By default, the function of checking the rate of sending DHCP messages is disabled globally.

  3. Run:
  dhcp snooping check dhcp-rate rate
  The rate of sending DHCP messages is set.
  By default, the maximum rate of sending DHCP messages is 100 pps. DHCP messages exceeding the rate are discarded.

- Setting the maximum rate of sending DHCP messages in the VLAN view
  1. Run:
  system-view
  The system view is displayed.

  2. Run:
  vlan vlan-id
  The VLAN view is displayed.

  3. Run:
  dhcp snooping check dhcp-rate enable
  The function of checking the rate of sending DHCP messages is enabled in the VLAN view.
  By default, the function of checking the rate of sending DHCP messages is disabled in the VLAN view.

  4. Run:
  dhcp snooping check dhcp-rate rate
  The rate of sending DHCP messages is set.
  By default, the maximum rate of sending DHCP messages is 100 pps. DHCP messages exceeding the rate are discarded.

- Setting the maximum rate of sending DHCP messages in the interface view
  1. Run:
  system-view
  The system view is displayed.

  2. Run:
  interface interface-type interface-number
  The interface view is displayed.

  3. Run:
  dhcp snooping check dhcp-rate { enable | enable rate | rate } [ alarm dhcp-rate [ enable ] [ threshold threshold-value ] ]
  The following functions are configured on the interface:
  - The function of checking the rate of sending DHCP messages to the DHCP stack is enabled.
  - The rate limit of sending DHCP messages to the DHCP stack is set.
  - The DHCP message discard alarm is enabled.
  - The alarm threshold for discarded DHCP messages is set.
  By default, the function of checking the rate of sending DHCP messages to the DHCP stack is disabled on an interface; the rate limit of sending DHCP messages to the DHCP stack is 100 pps; the DHCP message discard alarm is disabled; and the alarm threshold for discarded DHCP messages is 100.
----End
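The precedence rule stated at the start of this task (interface, then VLAN, then global) and the effect of the rate value, as an added worked example in Python (not Huawei code and not part of this guide). The model picks the governing dhcp snooping check dhcp-rate setting for each incoming DHCP message, counts messages sent to the protocol stack under that setting, and discards the excess. The page gives the 100 pps default and the precedence but not the counting algorithm, so the fixed one-second window, the rule that a setting only governs when its check is enabled, and the rule that each message is counted under exactly one scope are assumptions; interface names are constructed.

```python
# Added example, not Huawei code: models the precedence of the
# 'dhcp snooping check dhcp-rate' settings (interface > VLAN > global) and counts
# DHCP messages sent to the protocol stack in fixed one-second windows.
# The window model and single-scope counting are assumptions; names are constructed.
from typing import Dict, Iterable, Optional, Tuple

DEFAULT_RATE_PPS = 100  # default rate per the page


class DhcpRateLimiter:
    def __init__(self):
        self.global_enabled = False
        self.global_rate = DEFAULT_RATE_PPS
        self.vlan_cfg: Dict[int, Tuple[bool, int]] = {}       # vlan -> (enabled, rate)
        self.interface_cfg: Dict[str, Tuple[bool, int]] = {}  # interface -> (enabled, rate)
        self.windows: Dict[Tuple[str, str], Tuple[int, int]] = {}  # (scope, key) -> (second, count)
        self.dropped: Dict[Tuple[str, str], int] = {}

    def configure_global(self, enable: bool, rate: int = DEFAULT_RATE_PPS) -> None:
        self.global_enabled, self.global_rate = enable, rate

    def configure_vlan(self, vlan: int, enable: bool, rate: int = DEFAULT_RATE_PPS) -> None:
        self.vlan_cfg[vlan] = (enable, rate)

    def configure_interface(self, interface: str, enable: bool, rate: int = DEFAULT_RATE_PPS) -> None:
        self.interface_cfg[interface] = (enable, rate)

    def effective_limit(self, interface: str, vlan: int) -> Optional[Tuple[str, str, int]]:
        """Pick the governing setting: interface > VLAN > global. None means no check."""
        if interface in self.interface_cfg and self.interface_cfg[interface][0]:
            return "interface", interface, self.interface_cfg[interface][1]
        if vlan in self.vlan_cfg and self.vlan_cfg[vlan][0]:
            return "vlan", str(vlan), self.vlan_cfg[vlan][1]
        if self.global_enabled:
            return "global", "*", self.global_rate
        return None

    def admit(self, interface: str, vlan: int, t: float) -> bool:
        """Return True if a DHCP message arriving at time t may go to the protocol stack."""
        limit = self.effective_limit(interface, vlan)
        if limit is None:
            return True
        scope, key, rate = limit
        second = int(t)
        last_second, count = self.windows.get((scope, key), (second, 0))
        if last_second != second:
            count = 0  # new one-second window
        if count >= rate:
            self.dropped[(scope, key)] = self.dropped.get((scope, key), 0) + 1
            self.windows[(scope, key)] = (second, count)
            return False
        self.windows[(scope, key)] = (second, count + 1)
        return True


def replay(limiter: DhcpRateLimiter, packets: Iterable[Tuple[str, int, float]]) -> Tuple[int, int]:
    """Feed (interface, vlan, time) tuples; return (admitted, dropped)."""
    packets = list(packets)
    admitted = sum(1 for interface, vlan, t in packets if limiter.admit(interface, vlan, t))
    return admitted, len(packets) - admitted


if __name__ == "__main__":
    lim = DhcpRateLimiter()
    lim.configure_global(True, 2)
    lim.configure_interface("GigabitEthernet0/0/1", True, 3)
    # Constructed burst: five DHCP messages within one second on the rate-limited port.
    print(replay(lim, [("GigabitEthernet0/0/1", 10, 0.1)] * 5))  # (3, 2)
```

Because the interface setting wins, a port-level limit can be lower than the global one on user-facing ports without lowering the budget shared by every other port.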

Checking the Configuration

Checking the Configuration of Limiting the Rate of Sending DHCP Messages.

Prerequisites
The configurations of limiting the rate of sending DHCP messages are complete.

Procedure
- Run the display dhcp snooping configuration command to check information about global DHCP snooping.

----End

8.4.8 Configuring the Packet Discarding Alarm Function

An alarm is generated when the number of discarded packets exceeds the threshold.

Establishing the Configuration Task

Before configuring the packet discarding alarm function, familiarize yourself with the applicable environment, complete the pre-configuration tasks, and obtain the data required for the configuration. This will help you complete the configuration task quickly and accurately.

Applicable Environment
With DHCP snooping configured, the AC6605 discards packets sent from an attacker. Table 8-10 shows the relationship between the type of attack and the type of discarded packets.

Table 8-10 Relationship between the type of attacks and the type of discarded packets

Type of Attacks | Type of Discarded Packets
Bogus attack | DHCP Reply messages received from untrusted interfaces
DoS attack by changing the CHADDR field | DHCP Request messages whose CHADDR field does not match the source MAC address in the frame header
Attack by sending bogus messages to extend IP address leases | DHCP Request messages that do not match entries in the binding table
Attack by sending a large number of DHCP Request messages and ARP packets | Messages exceeding the rate limit

After the packet discarding alarm function is enabled, an alarm is generated when the number of discarded packets on the AC6605 reaches the alarm threshold.

Pre-configuration Tasks
Before configuring the packet discarding alarm function, complete the following tasks:
- Configuring the DHCP server
- Configuring the DHCP relay agent
- Configuring the AC6605 to discard DHCP Reply messages on the untrusted interface at the user side
- Configuring the checking of DHCP messages
- Configuring the checking of the CHADDR field in DHCP Request messages
- Configuring the checking of the rate of sending DHCP messages

Data Preparation
To configure the packet discarding alarm function, you need the following data.

No. | Data
1 | Alarm threshold for the number of discarded packets

Enabling DHCP Snooping

After DHCP snooping is enabled globally, it must be enabled on an interface or in a VLAN. Otherwise, DHCP snooping does not take effect.

Context
Enable DHCP snooping in the following sequence:
- Enable DHCP globally.
- Enable DHCP snooping globally.
- Enable DHCP snooping on an interface or in a VLAN.

Procedure
- Enabling DHCP snooping in the VLAN view
  1. Run:
  system-view
  The system view is displayed.

  2. Run:
  dhcp enable
  DHCP is enabled globally.

  3. Run:
  dhcp snooping enable [ ipv4 ]
  DHCP snooping is enabled globally.

  4. Run:
  vlan vlan-id
  The VLAN view is displayed.

  5. Run:
  dhcp snooping enable
  DHCP snooping is enabled in the VLAN.

  6. Run:
  quit
  Return to the system view.

  7. (Optional) Run:
  interface interface-type interface-number
  The interface view is displayed.

  8. (Optional) Run:
  dhcp snooping disable
  DHCP snooping is disabled on the specified interface in the VLAN.

  To disable DHCP snooping on a specified interface in a VLAN, perform steps 7 and 8.

- Enabling DHCP snooping in the interface view
  1. Run:
  system-view
  The system view is displayed.

  2. Run:
  dhcp enable
  DHCP is enabled globally.

  3. Run:
  dhcp snooping enable [ ipv4 ]
  DHCP snooping is enabled globally.

  4. Run:
  interface interface-type interface-number
  The interface view is displayed.

  5. Run:
  dhcp snooping enable
  DHCP snooping is enabled on the interface.

----End
Configuring the Packet Discarding Alarm Function

After the alarm function is enabled, alarm messages are displayed if DHCP attacks occur.

Context
The packet discarding alarm function can be configured globally and on an interface.
- The packet discarding alarm function configured globally takes effect for all interfaces.
- The packet discarding alarm function configured on an interface takes effect for that interface only. If the packet discarding alarm function is not configured on an interface, the global configuration is used.

Procedure
- Configuring the packet discarding alarm function globally
  1. Run:
  system-view
  The system view is displayed.

  2. Run:
  dhcp snooping alarm threshold threshold
  The alarm threshold for the number of globally discarded packets is set.
  By default, the global alarm threshold for the number of discarded DHCP messages is 100 pps.

- Configuring the packet discarding alarm function on an interface
  1. Run:
  system-view
  The system view is displayed.

  2. Run:
  interface interface-type interface-number
  The interface view is displayed.

  3. Run:
  dhcp snooping check dhcp-chaddr enable
  The functions of checking the CHADDR field of DHCP Request messages and of generating an alarm for discarded DHCP Request messages are enabled on the interface, and the threshold that triggers the alarm is set.
  By default, the AC6605 does not check the CHADDR field of DHCP Request messages or generate alarms for discarded packets. The alarm threshold for the rate of discarded DHCP Request messages is 100 pps.

  4. Run:
  dhcp snooping check dhcp-request enable
  The functions of checking DHCP Request messages and of generating an alarm for discarded DHCP Request messages are enabled on the interface, and the threshold that triggers the alarm is set.
  By default, the AC6605 does not check DHCP Request messages or generate alarms for discarded packets. The alarm threshold for the rate of discarded DHCP Request messages is 100 pps.

  5. (Optional) Run:
  dhcp snooping alarm { dhcp-chaddr | dhcp-reply | dhcp-request } { enable [ check { dhcp-giaddr | dhcp-chaddr | dhcp-request } enable | threshold threshold ] }
  The alarm function is enabled for the discarding of DHCP messages received from untrusted interfaces, and the alarm threshold is set.
  By default, the packet discarding alarm is disabled, and the threshold that triggers the alarm on discarded packets is 100.
  After the dhcp snooping alarm command is configured, the AC6605 discards the following types of packets:
  - DHCP Request messages that do not match entries in the DHCP snooping binding table
  - DHCP Reply messages received by untrusted interfaces
  - DHCP Request messages whose source MAC address does not match the CHADDR field
----End
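The threshold logic of this task, together with the interface-level alarm threshold from the rate-limit task in 8.4.7, as an added worked example in Python (not Huawei code and not part of this guide): discards are counted per interface and per attack type from Table 8-10, an interface-level threshold overrides the global dhcp snooping alarm threshold, and an alarm is raised when a counter reaches the applicable threshold. A constructed discard log drives it. The page does not say whether the counter restarts after an alarm fires; this model restarts it, and the log-line format and interface names are constructed.

```python
# Added example, not Huawei code: models the packet discarding alarm with a global
# threshold that an interface-level threshold overrides, counting discards per
# interface and per attack type (Table 8-10). Counter restart after an alarm is an
# assumption; the log format and interface names are constructed.
from typing import Dict, List, Optional, Tuple

DEFAULT_ALARM_THRESHOLD = 100  # default threshold per the page

# Discard reasons, one per row of Table 8-10.
REASONS = ("dhcp-reply-untrusted", "dhcp-chaddr", "dhcp-request", "dhcp-rate")


class DiscardAlarm:
    def __init__(self, global_threshold: int = DEFAULT_ALARM_THRESHOLD):
        self.global_threshold = global_threshold
        self.interface_threshold: Dict[str, int] = {}
        self.counts: Dict[Tuple[str, str], int] = {}
        self.alarms: List[Tuple[str, str, int]] = []  # (interface, reason, threshold)

    def set_interface_threshold(self, interface: str, threshold: int) -> None:
        self.interface_threshold[interface] = threshold

    def threshold_for(self, interface: str) -> int:
        # The interface configuration takes precedence; otherwise the global value applies.
        return self.interface_threshold.get(interface, self.global_threshold)

    def record_discard(self, interface: str, reason: str) -> bool:
        """Count one discarded packet; return True if this discard raised an alarm."""
        if reason not in REASONS:
            raise ValueError("unknown discard reason: %s" % reason)
        key = (interface, reason)
        n = self.counts.get(key, 0) + 1
        threshold = self.threshold_for(interface)
        if n >= threshold:
            self.alarms.append((interface, reason, threshold))
            self.counts[key] = 0  # assumption: restart counting after an alarm
            return True
        self.counts[key] = n
        return False

    def reset_statistics(self, interface: Optional[str] = None) -> None:
        """Mirror 'reset dhcp snooping statistics global | interface': clear discard counters."""
        if interface is None:
            self.counts.clear()
        else:
            for key in [k for k in self.counts if k[0] == interface]:
                del self.counts[key]


def feed_discard_log(alarm: DiscardAlarm, lines: List[str]) -> int:
    """Parse constructed log lines of the form '<interface> <reason>'; return alarms raised."""
    raised = 0
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        interface, reason = line.split()
        if alarm.record_discard(interface, reason):
            raised += 1
    return raised


# Constructed sample: 3 bogus replies on GE0/0/1, 2 CHADDR mismatches on GE0/0/2.
SAMPLE_LOG = [
    "# interface reason",
    "GigabitEthernet0/0/1 dhcp-reply-untrusted",
    "GigabitEthernet0/0/1 dhcp-reply-untrusted",
    "GigabitEthernet0/0/2 dhcp-chaddr",
    "GigabitEthernet0/0/1 dhcp-reply-untrusted",
    "GigabitEthernet0/0/2 dhcp-chaddr",
]

if __name__ == "__main__":
    alarm = DiscardAlarm(global_threshold=3)
    alarm.set_interface_threshold("GigabitEthernet0/0/2", 2)
    print(feed_discard_log(alarm, SAMPLE_LOG))  # 2
    print(alarm.alarms)
```

Keeping the counters separate per reason matters for triage: a burst of replies on an untrusted port points at a rogue server, while CHADDR mismatches point at a host spoofing client identity.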

Checking the Configuration

Checking the Configuration of the Packet Discarding Alarm Function.

Prerequisites
The configurations of the packet discarding alarm function are complete.

Procedure
- Run the display dhcp snooping configuration command to check information about global DHCP snooping.
- Run the display dhcp snooping interface interface-type interface-number command to check information about DHCP snooping on the interface.

----End

8.4.9 Maintaining DHCP Snooping


This section describes how to maintain DHCP snooping.

Clearing DHCP Snooping Statistics


The statistics on globally discarded packets and the statistics on discarded packets on the
interface are cleared.

Context
The statistics cannot be restored after being cleared.

To clear the statistics on DHCP snooping discarded packets, run the following commands in the
user view.

Procedure
l Run the reset dhcp snooping statistics global command to clear the statistics on globally
discarded packets.
l Run the reset dhcp snooping statistics interface interface-type interface-number
command to clear the statistics on discarded packets on the interface.
l Run the reset dhcp snooping statistics vlan vlan-id command to clear the statistics on
discarded packets on the VLAN.

----End

Resetting the DHCP Snooping Binding Table


After DHCP snooping is enabled, multiple binding entries are generated when DHCP users go
online. Dynamic binding entries can be deleted in batches according to the VLAN ID, the
interface, or the IP address of the VPLS.

Context
NOTE
After the networking environment changes, DHCP snooping binding entries do not age immediately.
However, the following information in DHCP snooping binding entries may change, causing packet
forwarding failure:
l VLAN ID in packets
l Interface number
Before changing the networking environment, clear all DHCP snooping binding entries manually so that
a device generates a new DHCP snooping binding table according to the new networking environment.

To clear entries in the DHCP snooping binding table, run the following command in the user
view or system view.

Procedure
l Run the reset dhcp snooping user-bind [ [ vlan vlan-id | interface interface-type interface-number ]* | ip-address ip-address ] command to reset the DHCP snooping binding table.

----End

8.4.10 Configuration Examples


This section provides several configuration examples of DHCP snooping.

Example for Preventing Bogus DHCP Server Attacks


This section describes the configuration of preventing bogus DHCP server attacks, including
the configuration of the trusted interface and the alarm function for discarded DHCP Reply
packets.

Networking Requirements
As shown in Figure 8-14, the Switch is deployed between the user network and the Layer 2
network of the ISP. To prevent bogus DHCP server attacks, it is required that DHCP snooping

be configured on the Switch, the user-side interface be configured as an untrusted interface, the
network-side interface be configured as the trusted interface, and the alarm function for discarded
DHCP Reply packets be configured.
Figure 8-14 Networking diagram for preventing bogus DHCP server attacks (diagram not reproduced: the Switch connects through GE0/0/1 to the ISP network, which consists of the L2 network, the DHCP relay, the L3 network and the DHCP server, and through GE0/0/2 to the user network)

Configuration Roadmap
The configuration roadmap is as follows: (Assume that the DHCP server has been configured.)
1. Enable DHCP snooping globally and on the interface.
2. Enable bogus DHCP server detection.
3. Configure the interface connected to the DHCP server as the trusted interface.
4. Configure the alarm function for discarded DHCP Reply packets.

Data Preparation
To complete the configuration, you need the following data:
l GE 0/0/1 being the trusted interface and GE 0/0/2 being the untrusted interface
l Alarm threshold being 120

NOTE
This configuration example provides only the commands related to the DHCP snooping configuration.

Procedure
Step 1 Enable DHCP snooping.
# Enable DHCP snooping globally.

<Quidway> system-view
[Quidway] dhcp enable
[Quidway] dhcp snooping enable

# Enable bogus DHCP server detection.


[Quidway] dhcp server detect

# Enable DHCP snooping on the user-side interface.


[Quidway] interface gigabitethernet 0/0/2
[Quidway-GigabitEthernet0/0/2] dhcp snooping enable
[Quidway-GigabitEthernet0/0/2] quit

Step 2 Configure the interface as the trusted interface or an untrusted interface.


# Configure the interface on the DHCP server side as the trusted interface.
[Quidway] interface gigabitethernet 0/0/1
[Quidway-GigabitEthernet0/0/1] dhcp snooping enable
[Quidway-GigabitEthernet0/0/1] dhcp snooping trusted
[Quidway-GigabitEthernet0/0/1] quit

# Configure the user-side interface as an untrusted interface.


After DHCP snooping is enabled on GE 0/0/2, GE 0/0/2 is an untrusted interface by default.
Step 3 Configure the alarm function for discarded DHCP Reply packets.
# Configure the Switch to discard the Reply messages received by untrusted interfaces, and set
the alarm threshold.
[Quidway] interface gigabitethernet 0/0/2
[Quidway-GigabitEthernet0/0/2] dhcp snooping alarm dhcp-reply enable
[Quidway-GigabitEthernet0/0/2] dhcp snooping alarm dhcp-reply threshold 120
[Quidway-GigabitEthernet0/0/2] quit

Step 4 Verify the configuration.


Run the display dhcp snooping configuration command on the Switch, and you can view that
DHCP snooping is enabled globally and in the interface view.
<Quidway> display dhcp snooping configuration
dhcp snooping enable
dhcp server detect
#
interface GigabitEthernet0/0/1
dhcp snooping enable
dhcp snooping trusted
#
interface GigabitEthernet0/0/2
dhcp snooping enable
dhcp snooping alarm dhcp-reply enable
#

----End

Configuration Files
#
dhcp enable
dhcp snooping enable
dhcp server detect
#
interface GigabitEthernet0/0/1
dhcp snooping enable
dhcp snooping trusted


#
interface GigabitEthernet0/0/2
dhcp snooping enable
dhcp snooping alarm dhcp-reply enable
dhcp snooping alarm dhcp-reply threshold 120
#
return

Example for Preventing DoS Attacks by Changing the CHADDR Field


This section describes the configuration of preventing DoS attacks by changing the CHADDR
field, including the configuration of the function of checking the CHADDR field of DHCP
Request messages on the user-side interface and the alarm function for discarded packets.

Networking Requirements
As shown in Figure 8-15, the Switch is deployed between the user network and the ISP Layer
2 network. To prevent DoS attacks by changing the CHADDR field, it is required that DHCP
snooping be configured on the Switch. The CHADDR field of DHCP Request messages is
checked. If the CHADDR field of DHCP Request messages matches the source MAC address
in the frame header, the messages are forwarded. Otherwise, the messages are discarded. The
alarm function for discarded packets is configured.
Figure 8-15 Networking diagram for preventing DoS attacks by changing the CHADDR field (diagram not reproduced: the Switch connects through GE0/0/1 to the ISP network, which consists of the L2 network, the DHCP relay, the L3 network and the DHCP server, and through GE0/0/2 to the user network)

Configuration Roadmap
The configuration roadmap is as follows:
1. Enable DHCP snooping globally and on the interface.
2. Configure the interface connected to the DHCP server as the trusted interface.
3. Enable the function of checking the CHADDR field of DHCP Request messages on the
user-side interface.
4. Configure the alarm function for discarded packets.

Data Preparation
To complete the configuration, you need the following data:
l Alarm threshold

NOTE
This configuration example provides only the commands related to the DHCP snooping configuration.

Procedure
Step 1 Enable DHCP snooping.
# Enable DHCP snooping globally.
<Quidway> system-view
[Quidway] dhcp enable
[Quidway] dhcp snooping enable

# Enable DHCP snooping on the user-side interface.


[Quidway] interface gigabitethernet 0/0/2
[Quidway-GigabitEthernet0/0/2] dhcp snooping enable
[Quidway-GigabitEthernet0/0/2] quit

Step 2 Configure the interface as the trusted interface or an untrusted interface.


# Configure the interface on the DHCP server side as the trusted interface.
[Quidway] interface gigabitethernet 0/0/1
[Quidway-GigabitEthernet0/0/1] dhcp snooping enable
[Quidway-GigabitEthernet0/0/1] dhcp snooping trusted
[Quidway-GigabitEthernet0/0/1] quit

# Configure the user-side interface as an untrusted interface.


After DHCP snooping is enabled on GE 0/0/2, GE 0/0/2 is an untrusted interface by default.
Step 3 Enable the function of checking the CHADDR field of DHCP Request messages on the user-side interface.
[Quidway] interface gigabitethernet 0/0/2
[Quidway-GigabitEthernet0/0/2] dhcp snooping check dhcp-chaddr enable

Step 4 Verify the configuration.


Run the display dhcp snooping configuration command on the Switch, and you can view that
DHCP snooping is enabled globally and in the interface view.
<Quidway> display dhcp snooping configuration
dhcp snooping enable
#
interface GigabitEthernet0/0/1
dhcp enable
dhcp snooping trusted
#
interface GigabitEthernet0/0/2
dhcp snooping enable
dhcp snooping check dhcp-chaddr enable
#

----End

Configuration Files
#
dhcp enable
dhcp snooping enable
#
interface GigabitEthernet0/0/1
dhcp snooping enable
dhcp snooping trusted
#
interface GigabitEthernet0/0/2
dhcp snooping enable
dhcp snooping check dhcp-chaddr enable
#
return

Example for Preventing Attackers from Sending Bogus DHCP Messages for
Extending IP Address Leases
This section describes the configuration of preventing attackers from sending bogus DHCP
messages for extending IP address leases, including the configuration of the function of checking
the DHCP Request messages on the user-side interface and the alarm function for discarded
packets.

Networking Requirements
As shown in Figure 8-16, the Switch is deployed between the user network and the ISP Layer
2 network. To prevent attackers from sending bogus DHCP messages for extending IP address
leases, it is required that DHCP snooping be configured on the Switch and the DHCP snooping
binding table be created. If the received DHCP Request messages match entries in the binding
table, they are forwarded; otherwise, they are discarded. The alarm function for discarded packets
is configured.


Figure 8-16 Networking diagram for preventing attackers from sending bogus DHCP messages for extending IP address leases (diagram not reproduced: the Switch connects through GE0/0/1 to the ISP network, which consists of the L2 network, the DHCP relay, the L3 network and the DHCP server, and through GE0/0/2 to the user network)

Configuration Roadmap
The configuration roadmap is as follows:
1. Enable DHCP snooping globally and on the interface.
2. Configure the interface connected to the DHCP server as the trusted interface.
3. Use the operation mode of the DHCP snooping binding table to check DHCP Request
messages.
4. Configure the alarm function for discarded packets.

Data Preparation
To complete the configuration, you need the following data:
l ID of the VLAN that each interface belongs to
l Static IP addresses from which packets are forwarded
l Alarm threshold

NOTE
This configuration example provides only the commands related to the DHCP snooping configuration.

Procedure
Step 1 Enable DHCP snooping.
# Enable DHCP snooping globally.

<Quidway> system-view
[Quidway] dhcp enable
[Quidway] dhcp snooping enable

# Enable DHCP snooping on the user-side interface.


[Quidway] interface gigabitethernet 0/0/2
[Quidway-GigabitEthernet0/0/2] dhcp snooping enable
[Quidway-GigabitEthernet0/0/2] quit

Step 2 Configure the interface as the trusted interface or an untrusted interface.


# Configure the interface on the DHCP server side as the trusted interface.
[Quidway] interface gigabitethernet 0/0/1
[Quidway-GigabitEthernet0/0/1] dhcp snooping enable
[Quidway-GigabitEthernet0/0/1] dhcp snooping trusted
[Quidway-GigabitEthernet0/0/1] quit

# Configure the user-side interface as an untrusted interface.


After DHCP snooping is enabled on GE 0/0/2, GE 0/0/2 is an untrusted interface by default.
Step 3 Configure the function of checking DHCP Request messages and the alarm function for
discarded packets.
[Quidway] interface gigabitethernet 0/0/2
[Quidway-GigabitEthernet0/0/2] dhcp snooping alarm dhcp-request enable
[Quidway-GigabitEthernet0/0/2] quit

Step 4 Check the DHCP snooping binding entries.


Run the display dhcp snooping user-bind all command. You can view all the DHCP snooping
binding entries of users.
<Quidway> display dhcp snooping user-bind all
DHCP Dynamic Bind-table:
Flags:O - outer vlan ,I - inner vlan ,P - map vlan
IP Address       MAC Address     VSI/VLAN(O/I/P)  Interface             Lease
--------------------------------------------------------------------------------
10.1.1.3         0000-005e-008a  3   /--  /--     GigabitEthernet0/0/2  2010.08.14-12:58
--------------------------------------------------------------------------------
print count:           1          total count:           1

Step 5 Verify the configuration.


Run the display dhcp snooping configuration command on the Switch, and you can view that
DHCP snooping is enabled globally and on the interface.
<Quidway> display dhcp snooping configuration
dhcp snooping enable
#
interface GigabitEthernet0/0/1
dhcp snooping enable
dhcp snooping trusted
#
interface GigabitEthernet0/0/2
dhcp snooping enable
dhcp snooping alarm dhcp-request enable
#

----End

Configuration Files
#
dhcp enable
dhcp snooping enable
#
interface GigabitEthernet0/0/1
dhcp snooping trusted
#
interface GigabitEthernet 0/0/2
dhcp snooping enable
dhcp snooping alarm dhcp-request enable
#
return

Example for Limiting the Rate of Sending DHCP Messages


This section describes the configuration of limiting the rate of sending DHCP messages,
including the configuration of the rate of sending DHCP messages to the protocol stack and the
alarm function for discarded packets.

Networking Requirements
As shown in Figure 8-17, to prevent the attacker from sending a large number of DHCP Request
messages, it is required that DHCP snooping be enabled on the Switch to control the rate of
sending DHCP Request messages to the protocol stack. At the same time, the alarm function for
discarded packets needs to be enabled.
Figure 8-17 Networking diagram for limiting the rate of sending DHCP messages (diagram not reproduced: the Attacker reaches the Switch through an L2 network on GE0/0/1, the DHCP client through an L2 network on GE0/0/2, and GE0/0/3 connects through the DHCP relay and the L3 network to the DHCP server)

Configuration Roadmap
The configuration roadmap is as follows:
1. Enable DHCP snooping globally and in the interface view.
2. Configure the interface connected to the DHCP server as the trusted interface.
3. Set the rate of sending DHCP Request messages to the protocol stack on interfaces.
4. Configure the alarm function for discarded packets on interfaces.


Data Preparation
To complete the configuration, you need the following data:
l Rate of sending DHCP Request messages
l Alarm threshold

NOTE
This configuration example provides only the commands related to the DHCP snooping configuration.

Procedure
Step 1 Enable DHCP snooping.
# Enable DHCP snooping globally.
<Quidway> system-view
[Quidway] dhcp enable
[Quidway] dhcp snooping enable

# Enable DHCP snooping on the user-side interface. The configuration procedures of
GigabitEthernet 0/0/2 and GE0/0/3 are similar to the configuration procedure of
GigabitEthernet 0/0/1, and are not shown here.
[Quidway] interface gigabitethernet 0/0/1
[Quidway-GigabitEthernet0/0/1] dhcp snooping enable
[Quidway-GigabitEthernet0/0/1] quit

Step 2 Configure the interface as the trusted interface or an untrusted interface.


# Configure the interface on the DHCP server side as the trusted interface.
[Quidway] interface gigabitethernet 0/0/3
[Quidway-GigabitEthernet0/0/3] dhcp snooping enable
[Quidway-GigabitEthernet0/0/3] dhcp snooping trusted
[Quidway-GigabitEthernet0/0/3] quit

# Configure the user-side interface as an untrusted interface.


After DHCP snooping is enabled on GigabitEthernet 0/0/1 and GigabitEthernet 0/0/2,
GigabitEthernet 0/0/1 and GigabitEthernet 0/0/2 are untrusted interfaces by default.
Step 3 Configure the rate of sending DHCP messages to the DHCP protocol stack and the alarm function
for discarded packets.
# Configure the rate of sending DHCP messages to the DHCP protocol stack and the alarm
function for discarded packets on interfaces. The configuration procedures of GigabitEthernet
0/0/2 and GE0/0/3 are similar to the configuration procedure of GigabitEthernet 0/0/1, and are not
shown here.
[Quidway] interface gigabitethernet 0/0/1
[Quidway-GigabitEthernet0/0/1] dhcp snooping check dhcp-rate enable 50 alarm dhcp-rate enable threshold 50
[Quidway-GigabitEthernet0/0/1] quit

Step 4 Verify the configuration.


Run the display dhcp snooping configuration command on the Switch, and you can view that
DHCP snooping is enabled globally and in the interface view.
[Quidway] display dhcp snooping configuration
#
dhcp snooping enable
#
interface GigabitEthernet0/0/1
dhcp snooping enable
dhcp snooping check dhcp-rate enable
dhcp snooping check dhcp-rate 50
dhcp snooping alarm dhcp-rate enable
dhcp snooping alarm dhcp-rate threshold 50
#
interface GigabitEthernet0/0/2
dhcp snooping enable
dhcp snooping check dhcp-rate enable
dhcp snooping check dhcp-rate 50
dhcp snooping alarm dhcp-rate enable
dhcp snooping alarm dhcp-rate threshold 50
#
interface GigabitEthernet0/0/3
dhcp snooping enable
dhcp snooping trusted
dhcp snooping check dhcp-rate enable
dhcp snooping check dhcp-rate 50
dhcp snooping alarm dhcp-rate enable
dhcp snooping alarm dhcp-rate threshold 50
#

Run the display dhcp snooping interface command on the Switch, and you can view the
configuration of DHCP snooping in interface view.
[Quidway] display dhcp snooping interface gigabitethernet0/0/3
DHCP snooping running information for interface GigabitEthernet0/0/3 :
DHCP snooping                          : Enable
Trusted interface                      : Yes
Dhcp user max number                   : 1024   (default)
Current dhcp user number               : 0
Check dhcp-giaddr                      : Disable (default)
Check dhcp-chaddr                      : Disable (default)
Alarm dhcp-chaddr                      : Disable (default)
Check dhcp-request                     : Disable (default)
Alarm dhcp-request                     : Disable (default)
Check dhcp-rate                        : Enable
Dhcp-rate limit(pps)                   : 50
Alarm dhcp-rate                        : Enable
Alarm dhcp-rate threshold              : 50
Discarded dhcp packets for rate limit  : 0
Alarm dhcp-reply                       : Disable (default)
[Quidway] display dhcp snooping interface gigabitethernet 0/0/1
DHCP snooping running information for interface GigabitEthernet0/0/1 :
DHCP snooping                          : Enable
Trusted interface                      : No
Dhcp user max number                   : 1024   (default)
Current dhcp user number               : 0
Check dhcp-giaddr                      : Disable (default)
Check dhcp-chaddr                      : Disable (default)
Alarm dhcp-chaddr                      : Disable (default)
Check dhcp-request                     : Disable (default)
Alarm dhcp-request                     : Disable (default)
Check dhcp-rate                        : Enable
Dhcp-rate limit(pps)                   : 50
Alarm dhcp-rate                        : Enable
Alarm dhcp-rate threshold              : 50
Discarded dhcp packets for rate limit  : 0
Alarm dhcp-reply                       : Disable (default)
[Quidway] display dhcp snooping interface GigabitEthernet 0/0/2
DHCP snooping running information for interface GigabitEthernet0/0/2 :
DHCP snooping                          : Enable
Trusted interface                      : No
Dhcp user max number                   : 1024   (default)
Current dhcp user number               : 0
Check dhcp-giaddr                      : Disable (default)
Check dhcp-chaddr                      : Disable (default)
Alarm dhcp-chaddr                      : Disable (default)
Check dhcp-request                     : Disable (default)
Alarm dhcp-request                     : Disable (default)
Check dhcp-rate                        : Enable
Dhcp-rate limit(pps)                   : 50
Alarm dhcp-rate                        : Enable
Alarm dhcp-rate threshold              : 50
Discarded dhcp packets for rate limit  : 0
Alarm dhcp-reply                       : Disable (default)

----End
----End

Configuration Files
#
dhcp enable
dhcp snooping enable
#
interface gigabitethernet0/0/1
dhcp snooping enable
dhcp snooping check dhcp-rate enable
dhcp snooping check dhcp-rate 50
dhcp snooping alarm dhcp-rate enable
dhcp snooping alarm dhcp-rate threshold 50
#
interface gigabitethernet0/0/2
dhcp snooping enable
dhcp snooping check dhcp-rate enable
dhcp snooping check dhcp-rate 50
dhcp snooping alarm dhcp-rate enable
dhcp snooping alarm dhcp-rate threshold 50
#
interface GigabitEthernet0/0/3
dhcp snooping enable
dhcp snooping trusted
dhcp snooping check dhcp-rate enable
dhcp snooping check dhcp-rate 50
dhcp snooping alarm dhcp-rate enable
dhcp snooping alarm dhcp-rate threshold 50
#
return
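The rate limit and alarm configured in this example (50 pps to the protocol stack, alarm when 50 packets have been discarded) can be modelled to see how the two numbers interact. The following Python is an added illustration, not AC6605 code or Huawei's implementation: it keeps a sliding one-second window per interface, discards everything above the limit, and raises the alarm once, when the discard counter reaches the threshold, which is how the "Discarded dhcp packets for rate limit" counter and "Alarm dhcp-rate threshold" lines in the display output above relate. The interface names, the 120-packet flood trace and the timings are constructed for the run.

```python
from collections import deque


class DhcpRateLimiter:
    """Per-interface DHCP rate limit with a discard alarm (constructed model, not AC6605 code).

    At most `limit_pps` DHCP packets per sliding one-second window are passed to the
    protocol stack on each interface; the rest are discarded and counted, and an alarm is
    raised once the discard count on an interface reaches `alarm_threshold`.
    """

    def __init__(self, limit_pps=50, alarm_threshold=50):
        self.limit = limit_pps
        self.threshold = alarm_threshold
        self.window = {}     # iface -> deque of arrival times (seconds) within the last second
        self.discarded = {}  # iface -> "Discarded dhcp packets for rate limit"
        self.alarms = []     # (iface, time) at which the discard count hit the threshold

    def offer(self, iface, now):
        """Return True if the packet arriving on iface at time `now` is passed to the stack."""
        q = self.window.setdefault(iface, deque())
        while q and now - q[0] >= 1.0:        # forget arrivals older than one second
            q.popleft()
        if len(q) < self.limit:
            q.append(now)
            return True
        count = self.discarded[iface] = self.discarded.get(iface, 0) + 1
        if count == self.threshold:           # the alarm fires once, when the threshold is reached
            self.alarms.append((iface, now))
        return False


def replay(limiter, arrivals):
    """Feed (iface, time) arrivals in time order; return forwarded packets per interface."""
    forwarded = {}
    for iface, t in sorted(arrivals, key=lambda a: a[1]):
        if limiter.offer(iface, t):
            forwarded[iface] = forwarded.get(iface, 0) + 1
    return forwarded


def demo():
    """Constructed trace: 120 Requests in under 0.5 s on GE0/0/1 beside a normal client on GE0/0/2."""
    limiter = DhcpRateLimiter(limit_pps=50, alarm_threshold=50)
    flood = [("GE0/0/1", i * 0.004) for i in range(120)]
    normal = [("GE0/0/2", t) for t in (0.1, 1.2, 1.9)]
    forwarded = replay(limiter, flood + normal)
    return forwarded, dict(limiter.discarded), limiter.alarms
```

Running demo() forwards 50 packets from GE0/0/1 and all 3 from GE0/0/2, records 70 discards on GE0/0/1, and raises the alarm at the 50th discard (the 100th flood packet). The point a practitioner should take from the model is that the alarm threshold counts discarded packets, not offered packets, so with equal limit and threshold the alarm fires only after twice the permitted rate has been seen within the window.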

Example for Applying DHCP Snooping on a Layer 2 Network


This section describes the configuration of DHCP snooping on a Layer 2 network, including the
configuration of the trusted interface, the function of checking DHCP messages, the function of
limiting the rate of sending DHCP messages, and the Option 82 function.

Networking Requirements
As shown in Figure 8-18, DHCP clients are connected to the Switch through VLAN 10. DHCP
client1 uses the dynamically allocated IP address and DHCP client2 uses the statically configured
IP address. It is required that DHCP snooping be configured on user-side interfaces
GigabitEthernet 0/0/1 and GigabitEthernet 0/0/2 of the Switch to prevent the following type of
attacks:
l Bogus DHCP server attacks
l DoS attacks by changing the value of the CHADDR field
l Attacks by sending bogus messages to extend IP address leases
l Attacks by sending a large number of DHCP Request messages


Figure 8-18 Networking diagram for configuring DHCP snooping (diagram not reproduced: the DHCP server is reached through the DHCP relay on GE0/0/3 of the Switch; DHCP client1 is on GE0/0/1 and DHCP client2, with IP:10.1.1.1/24 and MAC:0001-0002-0003, is on GE0/0/2)

Configuration Roadmap
The configuration roadmap is as follows:
1. Enable DHCP snooping globally and in the interface view.
2. Configure interfaces to be trusted or untrusted to prevent bogus DHCP server attacks.
3. Configure the DHCP snooping binding table and check DHCP Request messages by
matching them with entries in the binding table to prevent attackers from sending bogus
DHCP messages for extending IP address leases.
4. Configure the function of checking the CHADDR field in DHCP Request messages to
prevent attackers from changing the CHADDR field in DHCP Request messages.
5. Set the rate of sending DHCP Request messages to the protocol stack to prevent attackers
from sending a large number of DHCP Request messages.
6. Configure the Option 82 function.
7. Configure the alarm function for discarded packets.

Data Preparation
To complete the configuration, you need the following data:
l VLAN that the interface belongs to being 10
l GigabitEthernet 0/0/2 being an untrusted interface and GigabitEthernet 0/0/3 being the trusted
interface
l Static IP address from which packets are forwarded being 10.1.1.1/24 and corresponding
MAC address being 0001-0002-0003
l Rate of sending DHCP messages to the protocol stack being 90
l Mode of the Option 82 function being insert
l Alarm threshold of the number of discarded packets being 120

NOTE
This configuration example provides only the commands related to the DHCP snooping configuration.

Procedure
Step 1 Enable DHCP snooping.
# Enable DHCP snooping globally.
<Quidway> system-view
[Quidway] dhcp enable
[Quidway] dhcp snooping enable

# Enable DHCP snooping on the interface at the user side. The configuration procedure of
GigabitEthernet 0/0/2 is the same as the configuration procedure of GigabitEthernet 0/0/1, and
is not mentioned here.
[Quidway] interface gigabitethernet 0/0/1
[Quidway-GigabitEthernet0/0/1] dhcp snooping enable
[Quidway-GigabitEthernet0/0/1] quit

Step 2 Configure the interface as trusted.


# Configure the interface connecting to the DHCP server as the trusted interface and enable
DHCP snooping on all the interfaces connecting to the DHCP client. If the interface on the client
side is not configured as trusted, the default mode of the interface is untrusted after DHCP
snooping is enabled on the interface. This prevents bogus DHCP server attacks.
[Quidway] interface gigabitethernet 0/0/3
[Quidway-GigabitEthernet0/0/3] dhcp snooping enable
[Quidway-GigabitEthernet0/0/3] dhcp snooping trusted
[Quidway-GigabitEthernet0/0/3] quit

Step 3 Configure the checking for certain types of packets and alarm function.
# Enable the checking of DHCP Request messages and alarm function on the interfaces on the
DHCP client side to prevent attackers from sending bogus DHCP messages for extending IP
address leases. The configuration of GigabitEthernet 0/0/2 is the same as the configuration of
GigabitEthernet 0/0/1, and is not mentioned here.
[Quidway] interface gigabitethernet 0/0/1
[Quidway-GigabitEthernet0/0/1] dhcp snooping check dhcp-request enable

# Enable the checking of the CHADDR field and alarm function on the interfaces on the DHCP
client side to prevent attackers from changing the CHADDR field in DHCP Request messages.
The configuration of GigabitEthernet 0/0/2 is the same as the configuration of
GigabitEthernet 0/0/1, and is not mentioned here.
[Quidway-GigabitEthernet0/0/1] dhcp snooping check dhcp-chaddr enable
[Quidway-GigabitEthernet0/0/1] quit

Step 4 Check the DHCP snooping binding entries.


Run the display dhcp snooping user-bind all command. You can see the DHCP snooping
binding entries of users.
<Quidway> display dhcp snooping user-bind all
DHCP Dynamic Bind-table:
Flags:O - outer vlan ,I - inner vlan ,P - map vlan
IP Address       MAC Address     VSI/VLAN(O/I/P)  Interface             Lease
--------------------------------------------------------------------------------
10.1.1.1         0001-0002-0003  10  /--  /--     GigabitEthernet0/0/2  2010.08.14-12:58
--------------------------------------------------------------------------------
print count:           1          total count:           1

Step 5 Limit the rate of sending DHCP messages.


# Check the rate of sending DHCP messages to prevent attackers from sending DHCP Request
messages.
[Quidway] dhcp snooping check dhcp-rate enable
[Quidway] dhcp snooping check dhcp-rate 90

Step 6 Configure the Option 82 function.


# Configure the user-side interface to append the Option 82 field to DHCP messages. The
configuration of GigabitEthernet 0/0/2 is the same as the configuration of GigabitEthernet 0/0/1,
and is not mentioned here.
[Quidway] interface gigabitethernet 0/0/1
[Quidway-GigabitEthernet0/0/1] dhcp option82 insert enable
[Quidway-GigabitEthernet0/0/1] quit

Step 7 Configure the alarm function for discarded packets.


# Enable the alarm function for discarded DHCP Reply packets, and set the alarm threshold of
the number of discarded packets. The configuration of GigabitEthernet 0/0/2 is similar to the
configuration of GigabitEthernet 0/0/1, and is not mentioned here.
[Quidway] interface gigabitethernet 0/0/1
[Quidway-GigabitEthernet0/0/1] dhcp snooping alarm dhcp-reply enable
[Quidway-GigabitEthernet0/0/1] quit

Step 8 Verify the configuration.


Run the display dhcp snooping configuration command on the Switch. You can see that DHCP
snooping is enabled globally. You can also view the statistics on alarms.
[Quidway] display dhcp snooping configuration
#
dhcp enable
dhcp snooping enable
dhcp snooping check dhcp-rate enable
dhcp snooping check dhcp-rate 90
#
user-bind static ip-address 10.1.1.1 mac-address 0001-0002-0003 interface
GigabitEthernet 0/0/2 vlan 10
#
interface GigabitEthernet0/0/1
dhcp snooping enable
dhcp snooping alarm dhcp-reply enable threshold 120
dhcp snooping check dhcp-chaddr enable
dhcp snooping check dhcp-request enable
#
interface GigabitEthernet0/0/2
dhcp snooping enable
dhcp snooping alarm dhcp-reply enable threshold 120
dhcp snooping check dhcp-chaddr enable
dhcp snooping check dhcp-request enable
#
interface GigabitEthernet0/0/3
dhcp snooping enable
dhcp snooping trusted
#

Run the display dhcp snooping interface command. You can see information about DHCP
snooping on the interface.

[Quidway] display dhcp snooping interface gigabitethernet 0/0/1
DHCP snooping                          : Enable
Trusted interface                      : No
Dhcp user max number                   : 1024   (default)
Current dhcp user number               : 0
Check dhcp-giaddr                      : Disable (default)
Check dhcp-chaddr                      : Enable
Alarm dhcp-chaddr                      : Disable (default)
Check dhcp-request                     : Enable
Alarm dhcp-request                     : Disable (default)
Check dhcp-rate                        : Enable
Dhcp-rate limit(pps)                   : 50
Alarm dhcp-rate                        : Enable
Alarm dhcp-rate threshold              : 50
Discarded dhcp packets for rate limit  : 0
Alarm dhcp-reply                       : Enable
Alarm dhcp-reply threshold             : 120
Discarded dhcp packets for check reply : 0
[Quidway] display dhcp snooping interface gigabitethernet 0/0/3
DHCP snooping                          : Enable
Trusted interface                      : Yes
Dhcp user max number                   : 1024   (default)
Current dhcp user number               : 0
Check dhcp-giaddr                      : Disable (default)
Check dhcp-chaddr                      : Disable (default)
Alarm dhcp-chaddr                      : Disable (default)
Check dhcp-request                     : Disable (default)
Alarm dhcp-request                     : Disable (default)
Check dhcp-rate                        : Disable (default)
Alarm dhcp-rate                        : Disable (default)
Alarm dhcp-rate threshold              : 50
Discarded dhcp packets for rate limit  : 0
Alarm dhcp-reply                       : Disable (default)

Run the display dhcp option82 configuration interface command. You can see the
configuration of Option 82 on the interface.
[Quidway] display dhcp option82 configuration interface GigabitEthernet 0/0/1
#
interface GigabitEthernet0/0/1
dhcp option82 insert enable
#

----End

Configuration Files
#
dhcp enable
dhcp snooping enable
dhcp snooping check dhcp-rate enable
dhcp snooping check dhcp-rate 90
#
user-bind static ip-address 10.1.1.1 mac-address 0001-0002-0003 interface
GigabitEthernet 0/0/2 vlan 10
#
interface GigabitEthernet0/0/1
dhcp snooping enable
dhcp snooping alarm dhcp-reply enable threshold 120
dhcp snooping check dhcp-chaddr enable
dhcp snooping check dhcp-request enable
dhcp option82 insert enable
#
interface GigabitEthernet0/0/2
dhcp snooping enable
dhcp snooping alarm dhcp-reply enable threshold 120
dhcp snooping check dhcp-chaddr enable
dhcp snooping check dhcp-request enable
dhcp option82 insert enable
#


interface GigabitEthernet0/0/3
dhcp snooping enable
dhcp snooping trusted
#
return
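The four configuration examples of this section (bogus DHCP server, CHADDR forgery, bogus lease extension, and the combined Layer 2 example above) each exercise one decision the snooping switch makes per packet on an untrusted interface. The following Python is an added model of those decisions, written for this page; it is not Huawei code and does not describe how the AC6605 is implemented. It builds minimal DHCP frames inline (constructed lab input, no checksums), parses the fields the checks need, and applies three rules: discard a Reply on an untrusted interface, discard a Request whose CHADDR differs from the frame's source MAC, and discard a Request that claims a lease not present in the binding table for that interface. Two points are assumptions of the model rather than facts from the page: that only Requests carrying a ciaddr (renew/release) are matched against the binding table, since an initial Discover has no lease to match, and that dynamic entries are learned from a Reply on the trusted interface for a client whose Request was seen earlier. The interface names, MAC and IP addresses in the demo are constructed.

```python
import struct
from collections import namedtuple

BOOTREQUEST, BOOTREPLY = 1, 2
ZERO_IP = "0.0.0.0"
# Fields the snooping checks look at (constructed model, not the AC6605 data structures)
Dhcp = namedtuple("Dhcp", "src_mac op chaddr ciaddr yiaddr")


def build_frame(src_mac, op, chaddr, ciaddr=ZERO_IP, yiaddr=ZERO_IP):
    """Constructed Ethernet/IPv4/UDP/BOOTP frame (no checksums): lab input only."""
    ip4 = lambda a: bytes(int(x) for x in a.split("."))
    eth = b"\xff" * 6 + src_mac + b"\x08\x00"
    bootp = struct.pack("!BBBB", op, 1, 6, 0) + b"\x00" * 8    # op htype hlen hops, xid secs flags
    bootp += ip4(ciaddr) + ip4(yiaddr) + b"\x00" * 8          # ciaddr yiaddr siaddr giaddr
    bootp += chaddr.ljust(16, b"\x00") + b"\x00" * 192 + b"\x63\x82\x53\x63"  # chaddr sname file magic
    sport, dport = (68, 67) if op == BOOTREQUEST else (67, 68)
    udp = struct.pack("!HHHH", sport, dport, 8 + len(bootp), 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28 + len(bootp), 0, 0, 64, 17, 0, b"\x00" * 4, b"\xff" * 4)
    return eth + ip + udp + bootp


def parse(frame):
    """Pull out the fields the checks use; the frame is untrusted input, so lengths are checked."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        raise ValueError("not an IPv4 frame")
    b = 14 + (frame[14] & 0x0F) * 4 + 8      # BOOTP header starts after the IPv4 and UDP headers
    if len(frame) < b + 240:
        raise ValueError("truncated BOOTP header")
    dotted = lambda o: ".".join(str(x) for x in frame[o:o + 4])
    hlen = min(frame[b + 2], 16)
    return Dhcp(frame[6:12], frame[b], frame[b + 28:b + 28 + hlen], dotted(b + 12), dotted(b + 16))


class DhcpSnooping:
    """Model of the per-interface checks: dhcp-reply on untrusted ports, dhcp-chaddr, dhcp-request."""

    def __init__(self, trusted, check_chaddr=(), check_request=(), alarm_threshold=100):
        self.trusted, self.check_chaddr, self.check_request = set(trusted), set(check_chaddr), set(check_request)
        self.threshold = alarm_threshold   # page default: 100
        self.bindings = {}                 # (chaddr, iface) -> ip: static entries plus learned leases
        self.pending = {}                  # chaddr -> iface of the client's outstanding request
        self.discards = {}                 # iface -> discarded packet count
        self.alarms = []                   # interfaces whose discard count reached the threshold

    def add_static_binding(self, ip, mac, iface):
        """Counterpart of 'user-bind static ip-address ... mac-address ... interface ...'."""
        self.bindings[(mac, iface)] = ip

    def _discard(self, iface, reason):
        self.discards[iface] = self.discards.get(iface, 0) + 1
        if self.discards[iface] == self.threshold:
            self.alarms.append(iface)
        return False, reason

    def accept(self, iface, frame):
        """Decide (forward?, reason) for a frame that arrived on iface."""
        try:
            pkt = parse(frame)
        except ValueError as err:
            return self._discard(iface, str(err))
        if pkt.op == BOOTREPLY:
            if iface not in self.trusted:
                return self._discard(iface, "dhcp-reply on untrusted interface")
            client_port = self.pending.pop(pkt.chaddr, None)
            if client_port is not None and pkt.yiaddr != ZERO_IP:
                self.bindings[(pkt.chaddr, client_port)] = pkt.yiaddr   # learn a dynamic entry
            return True, "reply from trusted interface"
        if iface in self.check_chaddr and pkt.chaddr != pkt.src_mac:
            return self._discard(iface, "dhcp-chaddr does not match source MAC")
        # Assumption of the model: only a Request that claims a lease (ciaddr set) is matched
        # against the binding table; an initial Discover has nothing to match yet.
        if iface in self.check_request and pkt.ciaddr != ZERO_IP \
                and self.bindings.get((pkt.chaddr, iface)) != pkt.ciaddr:
            return self._discard(iface, "dhcp-request not in binding table")
        self.pending[pkt.chaddr] = iface
        return True, "request forwarded"


def demo():
    """Replay the attack cases of the examples; returns (decisions, discards, alarms)."""
    sw = DhcpSnooping(trusted=["GE0/0/3"], check_chaddr=["GE0/0/1", "GE0/0/2"],
                      check_request=["GE0/0/1", "GE0/0/2"], alarm_threshold=2)
    dyn, static, server, rogue = (bytes.fromhex(h) for h in
                                  ("000100020004", "000100020003", "00005e000101", "0000005e008a"))
    sw.add_static_binding("10.1.1.1", static, "GE0/0/2")      # client2 of Figure 8-18
    cases = [
        ("GE0/0/1", build_frame(dyn, BOOTREQUEST, dyn)),                          # Discover
        ("GE0/0/3", build_frame(server, BOOTREPLY, dyn, yiaddr="10.1.1.5")),      # real server Ack
        ("GE0/0/1", build_frame(dyn, BOOTREQUEST, dyn, ciaddr="10.1.1.5")),       # renewal matches lease
        ("GE0/0/2", build_frame(static, BOOTREQUEST, static, ciaddr="10.1.1.1")), # matches static entry
        ("GE0/0/2", build_frame(rogue, BOOTREPLY, dyn, yiaddr="10.1.1.9")),       # bogus server reply
        ("GE0/0/1", build_frame(dyn, BOOTREQUEST, rogue)),                        # forged CHADDR
        ("GE0/0/2", build_frame(static, BOOTREQUEST, static, ciaddr="10.1.1.5")), # claims another lease
    ]
    decisions = [sw.accept(iface, frame)[0] for iface, frame in cases]
    return decisions, dict(sw.discards), list(sw.alarms)
```

In demo() the first four frames are forwarded and the last three are discarded, GE0/0/2 reaches the (deliberately low) alarm threshold of 2, and GE0/0/1 has one discard. Note which check catches each case: the bogus reply is stopped by the trusted/untrusted split alone, the forged CHADDR by the dhcp-chaddr check, and the lease claimed from the wrong port or for the wrong address by the binding-table check, which is why the combined example enables all three on the client-facing interfaces.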

8.5 ARP Security Configuration


ARP security protects the security and robustness of network devices by filtering out untrusted ARP packets and by suppressing some ARP packets based on timestamps.

8.5.1 ARP Security Overview


ARP attacks are common and have great impact on networks. The AC6605 defends against ARP
attacks on the interface that is nearest to the attack source.
Ethernet is commonly used for access to networks. ARP, running as an open protocol on the
Ethernet, offers chances for hackers to attack networks because of its simplicity, openness, and
lack of security measures.

ARP Attack Type


There are many types of ARP attack:
- ARP attacks may target user hosts or the AC6605.
- Attacks can be launched by viruses or by unauthorized software.
- Depending on their impact, ARP attacks are classified into address spoofing attacks and Denial of Service (DoS) attacks.
  Address spoofing attack
  - The attacker sends incorrect MAC addresses to the gateway. The gateway updates its ARP entries, and user hosts can no longer go online.
  - The attacker sends an incorrect ARP reply to a user host. Having learned a wrong gateway address, the user host cannot go online.
  DoS attack
  - The attacker sends a large number of bogus ARP request and reply packets to the device. The ARP table of the device overflows and the device cannot cache valid ARP entries, so it cannot forward valid packets.
  - The attacker sends a large number of bogus ARP request and reply packets to the device, or triggers ARP Miss packets on the device. The device is kept busy processing these ARP packets and cannot process valid service packets.
    A typical scenario that triggers ARP Miss packets is as follows: an attacker uses tools to scan the devices on the local network segment or on other network segments. Before responding, the AC6605 searches for the corresponding ARP entries. The MAC addresses for the destination IP addresses of the packets do not exist, so the ARP module of the AC6605 sends ARP Miss packets to the upper-layer software, asking it to send ARP request packets to obtain the destination MAC addresses. If the attacker sends a large number of scanning packets, a large number of ARP Miss packets are generated.

ARP anti-spoofing can keep unauthorized users out; ARP DoS attacks, however, have a greater impact on networks.

ARP Attack Impact


If a user host is attacked, the gateway information on the host is modified or stolen, and the user cannot go online.
If an access switch is attacked, many users in the LAN cannot go online.
If a router is attacked, even more users cannot go online, because multiple switches are connected to the router.

ARP Attack Defense Policy


An attack defense policy should be deployed on the node nearest to the attack source, to minimize the impact of an attack and improve defense efficiency.
- Attacks aimed at user hosts have the least impact. User hosts can run antivirus software; when the software detects a fake gateway address, it clears the local ARP cache and sends ARP request packets again.
- To protect routers, techniques such as bidirectional binding and active defense can be used on the routers. A router is the egress of the entire LAN, so an ARP attack on the router is in effect an attack on the entire LAN: when the router is attacked, the whole LAN is affected. Deploying ARP attack defense policies only on the router therefore cannot completely prevent attacks.
- All ARP packets are forwarded by switches; if a switch does not accept ARP attack packets, the network behind it is not attacked.

ARP attack defense techniques such as bidirectional binding prevent unauthorized users from going online. These are preventive measures, taken before an attack is launched. If an attacker steals the data of an authorized user, many authorized users are logged out, and such an attack can be detected only after they have been logged out. On most networks the ARP packet rate is limited, or CAR is configured, to prevent such attacks. If an attack still occurs, measures such as isolation and object-specific rate limiting can be used.
The AC6605 can prevent ARP attacks.

Positioning of ARP Attack Defense on the AC6605


Hierarchical network security includes service-level security, network-level security, and
device-level security. Service-level security depends on the service security mechanisms and
non-blocking network construction. Network-level security depends on network traffic
classification and separation, association with clients and security control servers, and refined
control. Device-level security depends on the reliability design of the device. ARP attack defense
on the AC6605 is a device-level security measure.

8.5.2 ARP Security Supported by the AC6605


The ARP security features supported by the AC6605 include ARP entry limiting, ARP anti-spoofing, defense against ARP gateway attacks, source address-based ARP packet suppression, source address-based ARP Miss packet suppression, defense against ARP man-in-the-middle attacks, and limiting of the transmission rate of ARP packets.
ARP Entry Limiting


You can configure strict ARP entry learning so that the AC6605 can learn only the response
messages of the ARP requests sent locally.
You can set the maximum number of ARP entries that can be dynamically learned by an
interface. This prevents malicious use of ARP entries and ensures that the AC6605 can learn the
ARP entries of authorized users.

ARP Anti-Spoofing
ARP spoofing means that attackers use ARP packets sent by authorized users to construct bogus ARP packets and modify ARP entries on the gateway. As a result, the authorized users are disconnected from the network.
The AC6605 can prevent ARP spoofing by using the following methods:
- Fixed MAC address: after learning an ARP entry, the AC6605 does not allow the MAC address in the entry to change until the entry ages out. This prevents ARP entries of authorized users from being modified without permission.
  The fixed MAC address method has two modes, fixed-mac and fixed-all. In fixed-mac mode the MAC address cannot be modified, but the VLAN ID and interface number can be. In fixed-all mode the MAC address, VLAN ID, and interface number cannot be modified.
- Send-ack: when the AC6605 receives an ARP packet whose MAC address differs from the one in the corresponding ARP entry, it does not change the entry immediately. Instead, it sends a unicast ARP Request packet to the original MAC address mapped to the source IP address of the packet, and decides whether to change the MAC address, VLAN ID, or interface number in the entry depending on whether that host responds.

Defense Against ARP Gateway Attacks


An ARP gateway attack means that an attacker sends gratuitous ARP packets on a local area network (LAN) with the gateway address as the source IP address. After receiving these packets, a host replaces the gateway MAC address in its ARP cache with the address of the attacker. As a result, none of the hosts on the LAN can access the network.
When the AC6605 receives ARP packets with a bogus gateway address, either of the following situations can occur:
- The source IP address in the ARP packets is the same as the IP address of the interface that receives the packets.
- The source IP address in the ARP packets is the virtual IP address of the incoming interface, but the source MAC address is not the virtual MAC address of the Virtual Router Redundancy Protocol (VRRP) group, when the VRRP group is in virtual MAC address mode.
In either situation, the AC6605 generates ARP anti-attack entries and discards the packets for a period (3 minutes by default). This prevents ARP packets with a bogus gateway address from being broadcast in a VLAN.
To ensure that packets sent by hosts on the internal network are forwarded to the gateway or to
prevent malicious users from intercepting these packets, the AC6605 sends gratuitous ARP
packets at a specified interval to update the gateway address in ARP entries of the hosts.
Source Address-based ARP Packet Suppression


When a large number of ARP packets are sent from a source IP address or MAC address, the
CPU resources of the AC6605 and the bandwidth reserved for ARP packets are occupied.
The AC6605 can suppress the transmission rate of the ARP packets with a specified source IP
address or MAC address. If the number of ARP packets with a specified source IP address or
MAC address received by the AC6605 within a specified period exceeds the set threshold, the
AC6605 does not process the excess ARP request packets.

Source Address-based ARP Miss Packet Suppression


When a host sends a large number of IP packets with unreachable destination IP addresses to
attack the device, the AC6605 suppresses the ARP Miss packets with the specified source IP
address.
If a large number of IP packets whose destination IP address cannot be resolved are sent to the
AC6605 from a source IP address, the ARP Miss packets are triggered. The AC6605 collects
statistics on the ARP Miss packets. If a source IP address triggers the ARP Miss packets
continuously in a period and the triggering rate exceeds the threshold, the AC6605 considers
that an attack occurs. The AC6605 delivers ACL rules for the first 16 source addresses and
discards IP packets from these source addresses within a certain period of time (50s by default).
For IP packets from other source addresses, the AC6605 controls the packet rate according to
the rate limit.

Defense Against ARP Man-in-the-Middle Attacks


A man-in-the-middle on the network may send a packet carrying its own MAC address and the
IP address of the server to the client. The client learns the MAC address and IP address contained
in the packet and considers the man-in-the-middle as the server. Then, the man-in-the-middle
sends a packet carrying its own MAC address and the IP address of the client to the server. The
server can learn the IP address and MAC address of the man-in-the-middle and consider the
man-in-the-middle as the client. In this way, the man-in-the-middle obtains the data exchanged
between the server and the client.
To prevent man-in-the-middle attacks, configure the AC6605 to check ARP packets. If the
packets received on the interface or the interface in a VLAN match the binding table, the packets
are forwarded; otherwise, the packets are discarded.

Rate Limit on ARP Packets and ARP Miss Packets


The AC6605 limits the rate of sending ARP packets or ARP Miss packets globally, based on
the interface, or based on the VLAN ID. This prevents a large number of ARP packets or ARP
Miss packets from being sent to the security module. The performance of the system is not
degraded.

8.5.3 Checking Source MAC Addresses of ARP Packets


If the source MAC address in the ARP packet header is inconsistent with the source MAC address
in the Ethernet frame header, the ARP packet is considered as an attack packet. Such attack
packets can be prevented by checking the source MAC addresses of the packets.

Applicable Environment
After receiving an ARP packet, the AC6605 checks the validity of the packet, including:
- Packet length
- Source MAC address in the Ethernet frame header
- ARP request type and ARP reply type
- Hardware address length
- Protocol address length
- Whether the ARP packet is an Ethernet frame

The AC6605 discards invalid packets. A packet whose source MAC address in the ARP packet header differs from the source MAC address in the Ethernet frame header is allowed by the ARP protocol, but it is possibly an attack packet. The AC6605 therefore provides a source MAC address check: after the arp anti-attack packet-check sender-mac command is run, the AC6605 compares the source MAC addresses in the ARP packet header and the Ethernet frame header, and discards packets in which they are inconsistent.

Pre-configuration Tasks
Before configuring source MAC address check, complete the following task:
- Setting link layer protocol parameters and the IP addresses for interfaces so that the link layer protocol is Up

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
arp anti-attack packet-check sender-mac

The AC6605 checks the consistency between the source MAC addresses in the ARP packet
header and Ethernet frame header and discards the packet whose source MAC addresses are
inconsistent.
----End
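The following Python block is an added example, not AC6605 code: it applies the validity checks listed under Applicable Environment (packet length, Ethernet source MAC, operation type, hardware and protocol address lengths, Ethernet hardware type) to a raw ARP-over-Ethernet frame, and then the optional sender-MAC consistency check that arp anti-attack packet-check sender-mac enables. The frames, MAC addresses, and IP addresses in it are constructed for the example.

```python
"""Validity checks on a raw ARP-over-Ethernet frame, modelled on the checks
listed above. Added example; not AC6605 code."""
import socket
import struct

ETH_HDR_LEN = 14
ARP_BODY_LEN = 28                  # hlen 6 / plen 4 fixed-size ARP body
ETHERTYPE_ARP = 0x0806
HTYPE_ETHERNET = 1
OP_REQUEST, OP_REPLY = 1, 2
BROADCAST = b"\xff" * 6


def mac(text: str) -> bytes:
    """'0001-0002-0003' (Huawei notation) or 'aa:bb:cc:dd:ee:ff' -> 6 bytes."""
    return bytes.fromhex(text.replace("-", "").replace(":", ""))


def build_arp_frame(eth_src, sender_mac, sender_ip, target_ip, op=OP_REQUEST,
                    eth_dst=BROADCAST, htype=HTYPE_ETHERNET, hlen=6, plen=4):
    """Construct a test frame (constructed data); sender_mac may deliberately
    differ from eth_src to model a spoofed sender hardware address."""
    eth = eth_dst + eth_src + struct.pack("!H", ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH", htype, 0x0800, hlen, plen, op)
    arp += sender_mac + socket.inet_aton(sender_ip)
    arp += b"\x00" * 6 + socket.inet_aton(target_ip)    # target MAC unknown
    return eth + arp


def validate_arp_frame(frame: bytes, check_sender_mac: bool = False) -> str:
    """Return "ok", or the reason the frame would be discarded.

    check_sender_mac=True corresponds to 'arp anti-attack packet-check
    sender-mac': the sender hardware address in the ARP header must equal
    the Ethernet source MAC (RFC 826 itself does not require this)."""
    if len(frame) < ETH_HDR_LEN + ARP_BODY_LEN:
        return "drop: packet too short"
    eth_src = frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != ETHERTYPE_ARP:
        return "drop: not an ARP frame"
    if eth_src[0] & 1:                       # group bit set: multicast/broadcast source
        return "drop: invalid Ethernet source MAC"
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if htype != HTYPE_ETHERNET or ptype != 0x0800:
        return "drop: not ARP for IPv4 over Ethernet"
    if hlen != 6 or plen != 4:
        return "drop: bad hardware/protocol address length"
    if op not in (OP_REQUEST, OP_REPLY):
        return "drop: unknown ARP operation"
    sender_mac = frame[22:28]
    if check_sender_mac and sender_mac != eth_src:
        return "drop: sender MAC differs from Ethernet source MAC"
    return "ok"


if __name__ == "__main__":
    host = mac("0001-0002-0003")
    spoof = build_arp_frame(host, mac("00aa-00bb-00cc"), "10.1.1.1", "10.1.1.254")
    print(validate_arp_frame(spoof), "/", validate_arp_frame(spoof, check_sender_mac=True))
```

Without the sender-MAC check the spoofed frame passes every protocol-level test, which is exactly why the command exists: the Ethernet source MAC is what the switch learned the port from, while the ARP sender address is what the victim will put in its cache.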

8.5.4 Configuring Defense Against ARP DoS Attacks


If the AC6605 receives a large number of ARP attack packets, its ARP table overflows or its CPU usage becomes high. The AC6605 prevents ARP DoS attacks by discarding attack packets and limiting their rate.

Establishing the Configuration Task


Before configuring defense against ARP DoS attacks, familiarize yourself with the applicable
environment, complete the pre-configuration tasks, and obtain the data required for the
configuration. This will help you complete the configuration task quickly and accurately.
Applicable Environment
The ARP DoS attack packets can be ARP request packets, ARP Miss packets, and gratuitous ARP packets. Table 8-11 lists the attack scenarios and the measures the AC6605 takes against them.
Table 8-11 ARP DoS attack defense scenarios and methods

Packet type: ARP request packet
Scenario: An attacker sends a large number of ARP request packets to the AC6605. As a result, the CPU usage of the AC6605 is high and the ARP entry table overflows.
Measures taken by the AC6605: The general idea is to suppress the ARP packets:
- Limit the ARP packet rate based on source MAC addresses and source IP addresses.
- Limit the rate of ARP packets in the system, in a VLAN, or on an interface.
- Limit the number of dynamic ARP entries learned by an interface, and limit the number of ARP request and reply packets received by the attacked interface.

Packet type: ARP Miss packet
Scenario: An attacker sends the AC6605 a large number of IP sweeping packets whose destination IP addresses cannot be resolved. As a result, the AC6605 generates a large number of ARP Miss packets and temporary ARP entries.
Measures taken by the AC6605:
- Limit the ARP Miss packet rate based on source MAC addresses and source IP addresses.
- Limit the rate of ARP Miss packets in the system, in a VLAN, or on an interface.

Packet type: Gratuitous ARP packet
Scenario: If an attacker sends a large number of fake gratuitous ARP packets, the CPU of the AC6605 is overloaded.
Measures taken by the AC6605: The AC6605 prevents such attacks as follows:
- The AC6605 functions as the gateway and sends gratuitous ARP packets to the hosts in a VLAN, requesting the hosts to update the gateway MAC address. This prevents malicious modification of the gateway MAC address.
- After identifying an attack, the AC6605 discards gratuitous ARP packets.
Pre-configuration Tasks
Before configuring ARP DoS attack defense, complete the following task:
- Setting link layer protocol parameters and IP addresses for interfaces so that the link layer protocol is Up

Data Preparation
To configure ARP DoS attack defense, you need the following data.
1. Source address and rate limit for ARP packet suppression
2. (Optional) Alarm threshold of ARP packets discarded when the rate of ARP packets exceeds the limit
3. Source address and rate limit for ARP Miss packet suppression
4. (Optional) Alarm threshold of ARP Miss packets discarded when the rate of ARP Miss packets exceeds the limit

Configuring Source MAC Address-based ARP Packet Suppression


Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
arp speed-limit source-mac maximum maximum

The rate limit of ARP packets is set.


Step 3 Run:
arp speed-limit source-mac [ mac_addr ] maximum maximum

The rate limit of ARP packets with the specified MAC address is set.
If the MAC address is specified, the rate limit of ARP packets is specified by maximum in step
3. If no MAC address is specified, the rate limit of ARP packets is specified by maximum in step
2.
By default, the rate limit of ARP packets is 0 pps, indicating that the rate of ARP packets is not
limited.
----End

Configuring Source Address-based ARP Suppression


Context
This section describes how to configure source IP address-based ARP packet suppression.
Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
arp speed-limit source-ip maximum maximum

The rate limit of ARP packets is set.


Step 3 Run:
arp speed-limit source-ip ip-address maximum maximum

The rate limit of ARP packets with a specified source IP address is set.
After the preceding configurations are complete, the rate limit of ARP packets with a specified
source IP address is limited to the value specified by maximum in step 3, and the rate limit of
ARP packets with other source IP addresses is limited to the value specified by maximum in step
2.
If the rate limit of ARP packets is set to 0, ARP packets are not suppressed.
By default, the rate limit for ARP packets with the same source IP address is 0. That is, the
AC6605 does not limit the rate of ARP packets with the same source IP address.
----End

Setting the Aging Time of Fake ARP Entries


By setting the aging time of fake ARP entries, you control how often ARP Miss packets for the same address are sent to the upper-layer software, which reduces the system's exposure to ARP Miss attacks.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
interface vlanif vlan-id

The VLANIF interface view is displayed.


Step 3 Run:
arp-fake expire-time expire-time

The aging time of fake ARP entries is set.


By default, the aging time of fake ARP entries is 1s.
----End

Follow-up Procedure
After the aging time of fake ARP entries is set, the same ARP Miss packet is sent once in the
aging time. After the aging time of fake ARP entries is reached, fake ARP entries are deleted.
If no ARP entry matches the packets forwarded by the device, ARP Miss packets are generated and reported again, and the device generates fake ARP entries again. This cycle repeats until the device learns correct ARP entries.

Configuring Rate Limiting of ARP Packets


Procedure
- Configuring rate limiting of ARP packets in the system view
  1. Run:
     system-view
     The system view is displayed.
  2. Run:
     arp anti-attack rate-limit enable
     Rate limiting of ARP packets is enabled.
     By default, rate limiting of ARP packets is disabled globally.
  3. Run:
     arp anti-attack rate-limit packet-number [ interval-value ]
     The rate limit and the rate limit duration of ARP packets are set. ARP packets that exceed the rate limit within the rate limit duration are discarded. By default, the rate limit is 100 packets and the rate limit duration is 1s.
  4. (Optional) Run:
     arp anti-attack rate-limit alarm enable
     The alarm function for ARP packets discarded because the rate limit is exceeded is enabled.
     By default, this alarm function is disabled.
  5. (Optional) Run:
     arp anti-attack rate-limit alarm threshold threshold
     The alarm threshold for the number of ARP packets discarded because the rate limit is exceeded is set.
     By default, the alarm threshold is 100.
- Configuring rate limiting of ARP packets in the interface view
  1. Run:
     system-view
     The system view is displayed.
  2. Run:
     interface interface-type interface-number
     The interface view is displayed.
  3. Run:
     arp anti-attack rate-limit enable
     Rate limiting of ARP packets is enabled on the interface.
     By default, rate limiting of ARP packets is disabled.
  4. Run:
     arp anti-attack rate-limit packet-number [ interval-value ] [ block timer timer ]
     The rate limit duration and rate limit value are configured for ARP packets, and the device is configured to discard all ARP packets on the interface when the rate limit is exceeded.
     By default, the rate limit duration of ARP packets on an interface is 1s and a maximum of 100 ARP packets are allowed to pass in 1s. The function of discarding all ARP packets when the rate exceeds the threshold is disabled by default.
     NOTE
     This command only limits the rate of ARP packets sent to the CPU. ARP packets forwarded by the chip are not affected.
  5. (Optional) Run:
     arp anti-attack rate-limit alarm enable
     The alarm function for ARP packets discarded because the rate limit is exceeded is enabled.
     By default, this alarm function is disabled.
  6. (Optional) Run:
     arp anti-attack rate-limit alarm threshold threshold
     The alarm threshold for the number of ARP packets discarded because the rate limit is exceeded is set.
     By default, the alarm threshold is 100.
----End
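The following Python block is an added example, not AC6605 code, covering both the source address-based suppression procedures (arp speed-limit source-mac / source-ip maximum) and the rate limiting procedure above (arp anti-attack rate-limit packet-number interval-value with its discard alarm threshold). It models the two stages in software: per-source counters are checked first, then the shared packet-number budget for the interval, and the alarm fires when the discards in a closed interval exceed the threshold. Assumptions: the per-source limits are counted over the same window as the global limit, and the MAC and IP addresses in the usage are constructed.

```python
"""Fixed-window ARP rate limiter modelling per-source suppression
(arp speed-limit source-mac / source-ip) and the global rate limit with
its discard alarm (arp anti-attack rate-limit ...). Added example; not
AC6605 code. Assumption: per-source limits use the same window as the
global limit."""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class ArpRateLimiter:
    packet_number: int = 100        # arp anti-attack rate-limit packet-number
    interval: float = 1.0           # interval-value, in seconds
    alarm_threshold: int = 100      # arp anti-attack rate-limit alarm threshold
    source_mac_default: int = 0     # arp speed-limit source-mac maximum (0 = no limit)
    source_ip_default: int = 0      # arp speed-limit source-ip maximum (0 = no limit)
    source_mac_limits: dict = field(default_factory=dict)   # per-MAC overrides
    source_ip_limits: dict = field(default_factory=dict)    # per-IP overrides
    discarded: int = 0              # total discards
    alarms: int = 0                 # alarms raised so far
    _window_start: float = 0.0
    _window_total: int = 0
    _window_discarded: int = 0
    _per_mac: dict = field(default_factory=lambda: defaultdict(int))
    _per_ip: dict = field(default_factory=lambda: defaultdict(int))

    def _roll_window(self, now: float) -> None:
        """Close the window once interval has elapsed; raise the alarm if the
        discards in that window exceeded the threshold; reset counters."""
        if now - self._window_start < self.interval:
            return
        if self._window_discarded > self.alarm_threshold:
            self.alarms += 1
        self._window_start = now
        self._window_total = self._window_discarded = 0
        self._per_mac.clear()
        self._per_ip.clear()

    def _drop(self) -> bool:
        self.discarded += 1
        self._window_discarded += 1
        return False

    def accept(self, now: float, src_mac: str, src_ip: str) -> bool:
        """True if the ARP packet is passed to the CPU, False if suppressed."""
        self._roll_window(now)
        self._per_mac[src_mac] += 1
        self._per_ip[src_ip] += 1
        mac_limit = self.source_mac_limits.get(src_mac, self.source_mac_default)
        ip_limit = self.source_ip_limits.get(src_ip, self.source_ip_default)
        if mac_limit and self._per_mac[src_mac] > mac_limit:
            return self._drop()           # source-MAC suppression
        if ip_limit and self._per_ip[src_ip] > ip_limit:
            return self._drop()           # source-IP suppression
        self._window_total += 1
        if self._window_total > self.packet_number:
            return self._drop()           # global rate limit for this window
        return True


def replay(limiter: ArpRateLimiter, events) -> int:
    """Feed (time, src_mac, src_ip) tuples; return how many were accepted."""
    return sum(limiter.accept(t, m, i) for t, m, i in events)


if __name__ == "__main__":
    # Constructed traffic: one chatty MAC capped at 3 pps, global budget 5 per second.
    lim = ArpRateLimiter(packet_number=5, alarm_threshold=3,
                         source_mac_limits={"00aa-0000-0001": 3})
    print(replay(lim, [(0.0, "00aa-0000-0001", "10.1.1.1")] * 4),
          replay(lim, [(0.2, "00aa-0000-0002", "10.1.1.2")] * 6), lim.discarded)
```

Note the ordering: a per-source limit protects the shared budget, so a single flooding host is cut off before it can starve well-behaved hosts of the packet-number allowance, which is the point of combining arp speed-limit with arp anti-attack rate-limit.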

Configuring the AC6605 to Send Gratuitous ARP Packets


By configuring the AC6605 to send gratuitous ARP packets, you ensure that user packets are sent to the correct gateway and prevent attackers from intercepting them.

Context
The AC6605 periodically sends gratuitous ARP packets (ARP request packets whose sender and target IP addresses are both the gateway address) to refresh the gateway MAC address in the ARP entries of users on the network. This ensures that user packets are forwarded to the gateway and prevents attackers from intercepting them.
When the AC6605 functions as the gateway, you can enable the sending of gratuitous ARP packets globally or on a VLANIF interface. If the function is enabled both globally and on a VLANIF interface, the configuration on the VLANIF interface takes effect.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 (Optional) Run:
interface vlanif vlan-id

The VLANIF interface view is displayed.


Step 3 Run:
arp gratuitous-arp send enable

The function of sending gratuitous ARP packets is enabled.


By default, the function of sending gratuitous ARP packets is disabled.
Step 4 (Optional) Run:
arp gratuitous-arp send interval interval-time

The interval for sending gratuitous ARP packets is set.


By default, the interval for sending gratuitous ARP packets is 60 seconds.
----End

Checking the Configuration


Prerequisites
The configurations of ARP anti-attack are complete.

Procedure
- Run the display arp anti-attack configuration { arp-rate-limit | arpmiss-rate-limit | arp-speed-limit | arpmiss-speed-limit | entry-check | gateway-duplicate | log-trap-timer | packet-check | all } and display arp anti-attack configuration check user-bind interface interface-type interface-number commands to view the ARP anti-attack configuration.

----End

8.5.5 Configuring ARP Anti-Spoofing


ARP spoofing attacks include ARP entry attack, gateway attack, and man-in-the-middle attack.
The AC6605 provides measures to defend against these attacks.

Establishing the Configuration Task


Before configuring ARP anti-spoofing, familiarize yourself with the applicable environment,
complete the pre-configuration tasks, and obtain the data required for the configuration. This
will help you complete the configuration task quickly and accurately.
Applicable Environment
As shown in Table 8-12, the AC6605 provides various methods to prevent ARP spoofing attacks.
Table 8-12 ARP anti-spoofing scenarios and methods

Scenario: Self-protection
Description: An ARP spoofing attack is launched by modifying ARP entries.
Measures taken by the AC6605: The AC6605 enhances its ARP self-protection capability, including:
- Strict ARP entry learning: the AC6605 learns only the reply packets to the ARP request packets it sent itself.
- Defense against address spoofing: the AC6605 maintains fixed ARP entries and checks packets against the fixed MAC addresses, interfaces, and VLAN IDs. In addition, the AC6605 can prevent address spoofing attacks by using the acknowledgment mechanism.
- ARP learning triggered by DHCP: when the DHCP server assigns an IP address to a user, the AC6605 sends a DHCP ACK packet to the user. In addition, the AC6605 obtains the MAC address of the user and generates the ARP entry for the IP address. The AC6605 does not need to learn ARP entries from ARP packets, so the attacker cannot launch ARP attacks against them.

Scenario: ARP gateway anti-collision
Description: The attacker sends the host an ARP packet in which the source IP address in the ARP packet header is the gateway address. The host changes the gateway MAC address to the MAC address of the attacker and then sends its packets to the attacker.
Measures taken by the AC6605: The AC6605 functions as the gateway and discards ARP packets in which the source IP address is its own IP address. This method applies only when the ARP packets of all hosts are forwarded by the gateway.

Scenario: Man-in-the-middle attack
Description: The attacker modifies information on both the host and the gateway:
- Modify gateway information on the host: the attacker sends an ARP packet in which the source IP address is the gateway address. The host changes the gateway MAC address to the MAC address of the attacker.
- Modify host information on the gateway: the attacker sends an ARP packet in which the source IP address is the host address. The gateway changes the host MAC address to the MAC address of the attacker.
Measures taken by the AC6605: The AC6605 generates a binding table, checks ARP packets against the binding entries, and discards unmatched packets. The AC6605 supports only the DHCP snooping binding table. This method applies only when the ARP packets of all hosts are forwarded by the gateway.
Pre-configuration Tasks
Before configuring ARP anti-spoofing, complete the following task:
- Setting the parameters of the link layer protocol and the IP addresses for interfaces so that the link layer protocol is Up

Data Preparation
To configure ARP anti-spoofing, you need the following data.
1. Mode of defense against ARP address spoofing
2. DHCP snooping binding table check items for man-in-the-middle attacks
3. (Optional) Alarm threshold for the ARP packets discarded because they do not match the binding table

Enabling Strict ARP Entry Learning


Context
Strict ARP entry learning means that the AC6605 learns only the ARP Reply packets
corresponding to the ARP Request packets that it sends.
Procedure
- Configuring strict ARP entry learning globally
  1. Run:
     system-view
     The system view is displayed.
  2. Run:
     arp learning strict
     Strict ARP learning is enabled.
     By default, strict ARP learning is disabled.
- Configuring strict ARP entry learning on a VLANIF interface
  1. Run:
     system-view
     The system view is displayed.
  2. Run:
     interface vlanif interface-number
     The VLANIF interface view is displayed.
  3. Run:
     arp learning strict { force-enable | force-disable | trust }
     Strict ARP entry learning is configured on the VLANIF interface.
     force-enable: enables strict ARP entry learning on the VLANIF interface.
     force-disable: disables strict ARP entry learning on the VLANIF interface.
     trust: the VLANIF interface follows the global strict ARP entry learning configuration.
     By default, the configuration of strict ARP entry learning on a VLANIF interface is the same as the global configuration.
----End

Configuring Interface-based ARP Entry Limiting


Context
If attackers occupy a large number of ARP entries, the AC6605 cannot learn ARP entries of
authorized users. To prevent such attacks, set the maximum number of ARP entries that can be
dynamically learned by an interface.

Procedure
- Configuring interface-based ARP entry limiting on the interface
  1. Run:
     system-view
     The system view is displayed.
  2. Run:
     interface interface-type interface-number
     The interface view is displayed.
  3. On a non-VLANIF interface, run:
     arp-limit vlan vlan-id1 [ to vlan-id2 ] maximum maximum
     On a VLANIF interface, run:
     arp-limit maximum maximum
     Interface-based ARP entry limiting is configured on the interface. On a non-VLANIF interface, vlan vlan-id1 must be specified.
----End

Configuring ARP Anti-spoofing


Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
arp anti-attack entry-check { fixed-mac | fixed-all | send-ack } enable

ARP anti-spoofing is enabled.


You can use only one ARP anti-spoofing mode at a time. If you run the arp anti-attack entry-check command multiple times, only the latest configuration takes effect.
By default, ARP anti-spoofing is disabled on the AC6605.
----End
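The following Python block is an added example, not AC6605 code. It models the ARP entry update policy that the three preceding tasks configure: strict learning (arp learning strict, only replies to the device's own requests are accepted), the per-interface dynamic entry limit (arp-limit maximum), and the three entry-check modes (arp anti-attack entry-check fixed-mac | fixed-all | send-ack). Assumptions: the send-ack unicast probe is represented by a callback that reports whether the host at the original MAC address still answers, and the interface names, MAC and IP addresses are constructed.

```python
"""ARP entry update policy modelling strict learning (arp learning strict),
the per-interface dynamic entry limit (arp-limit) and the three entry-check
modes (arp anti-attack entry-check fixed-mac | fixed-all | send-ack).
Added example; not AC6605 code. Assumption: the send-ack probe is a
callback (ip, old_mac) -> bool saying whether the original host answered."""
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Set


@dataclass
class ArpEntry:
    mac: str
    vlan: int
    interface: str


class ArpTable:
    def __init__(self, mode: Optional[str] = None, strict: bool = False,
                 interface_limits: Optional[Dict[str, int]] = None,
                 probe: Optional[Callable[[str, str], bool]] = None):
        assert mode in (None, "fixed-mac", "fixed-all", "send-ack")
        self.mode = mode                       # entry-check mode; None = disabled
        self.strict = strict                   # learn only replies to our own requests
        self.limits = interface_limits or {}   # interface -> arp-limit maximum
        self.probe = probe                     # (ip, old_mac) -> original host answers?
        self.entries: Dict[str, ArpEntry] = {}
        self.pending: Set[str] = set()         # IPs the device itself has requested

    def send_request(self, ip: str) -> None:
        """The device resolves ip itself; remember it for strict learning."""
        self.pending.add(ip)

    def _count(self, interface: str) -> int:
        return sum(1 for e in self.entries.values() if e.interface == interface)

    def learn(self, ip: str, mac: str, vlan: int, interface: str,
              is_reply: bool = True) -> str:
        """Offer an ARP packet's sender information; return what happened."""
        if self.strict and not (is_reply and ip in self.pending):
            return "ignored: strict learning"
        self.pending.discard(ip)
        old = self.entries.get(ip)
        if old is None:
            limit = self.limits.get(interface)
            if limit is not None and self._count(interface) >= limit:
                return "ignored: interface ARP entry limit"
            self.entries[ip] = ArpEntry(mac, vlan, interface)
            return "learned"
        if (mac, vlan, interface) == (old.mac, old.vlan, old.interface):
            return "refreshed"
        if self.mode == "fixed-all":
            return "ignored: fixed-all"          # nothing may change until the entry ages
        if self.mode == "fixed-mac":
            if mac != old.mac:
                return "ignored: fixed-mac"      # MAC is frozen; VLAN/interface are not
            self.entries[ip] = ArpEntry(old.mac, vlan, interface)
            return "updated vlan/interface"
        if self.mode == "send-ack" and self.probe is not None and self.probe(ip, old.mac):
            return "ignored: original host acknowledged"   # unicast probe was answered
        self.entries[ip] = ArpEntry(mac, vlan, interface)
        return "updated"


if __name__ == "__main__":
    # Constructed scenario: a spoofer on the same port claims 10.1.1.2 with a new MAC.
    t = ArpTable(mode="send-ack", probe=lambda ip, old_mac: old_mac == "0001-0002-0003")
    t.learn("10.1.1.2", "0001-0002-0003", 10, "GE0/0/1")
    print(t.learn("10.1.1.2", "00aa-00bb-00cc", 10, "GE0/0/1"))
```

The difference between the modes is what an attacker who can already inject a spoofed reply gets: under fixed-all nothing moves, under fixed-mac only a port or VLAN move is accepted, and under send-ack the change is accepted only when the legitimate host has gone silent, so a live victim keeps its entry.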

Configuring ARP Gateway Anti-collision


Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
arp anti-attack gateway-duplicate enable

ARP gateway anti-collision is enabled.


After ARP gateway anti-collision is enabled, the AC6605 generates ARP anti-collision entries and, for a period of time, discards packets whose source MAC address in the Ethernet header matches such an entry. This prevents ARP packets with a bogus gateway address from being broadcast in a VLAN.
----End

Preventing Man-in-the-Middle Attacks


Context
To prevent man-in-the-middle attacks, configure the AC6605 to check ARP packets. If the
packets received on the interface or the interface in a VLAN match the binding table, the packets
are forwarded; otherwise, the packets are discarded.
In addition, you can configure the alarm function. When the number of discarded packets exceeds
the threshold, an alarm is generated.
NOTE

This function applies only to DHCP users. Binding entries of DHCP users are created automatically after
DHCP snooping is enabled.
For details about the DHCP snooping configuration, see Enabling DHCP Snooping.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
interface interface-type interface-number

The interface view is displayed.


Or, run:
vlan vlan-id

The VLAN view is displayed.


Step 3 Run:
arp anti-attack check user-bind enable

The ARP packet checking function is enabled on the interface.


By default, the ARP packet checking function is not enabled on interfaces or on interfaces in a
VLAN.
Step 4 In the interface view, run:
arp anti-attack check user-bind check-item { ip-address | mac-address | vlan }*

Or in the VLAN view, run:
arp anti-attack check user-bind check-item { ip-address | mac-address | interface } *

The check items of ARP packets are configured.


By default, the check items consist of IP address, MAC address, VLAN, and interface. The
packets that do not match the binding table are discarded.
NOTE

If a device is configured with a static binding table, ARP packet checking does not take effect. The device
still checks packets based on the static binding table.

Step 5 (Optional) In the interface view, run:


arp anti-attack check user-bind alarm enable

The alarm function for the discarded ARP packets is enabled.


By default, the alarm function is disabled.

CAUTION
The ARP packet check function cannot be enabled on both the VLAN and the interface with the
arp anti-attack check user-bind enable command; otherwise, the ARP packet check alarm does
not take effect.
Step 6 (Optional) In the interface view, run:
arp anti-attack check user-bind alarm threshold threshold

The alarm threshold of the number of ARP packets discarded because they do not match the
binding table is set.
By default, the alarm threshold of the number of ARP packets discarded because they do not
match the binding table is 100.
----End

Configuring DHCP to Trigger ARP Learning


Context
This task is performed to enable DHCP-triggered ARP learning. When the DHCP server assigns
an IP address to the user, the AC6605 obtains the MAC address of the user and generates the
ARP entry corresponding to the IP address after responding to DHCP ACK messages. In this
manner, the AC6605 does not need to learn ARP entries of the user hosts.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
interface vlanif interface-number

The VLANIF interface view is displayed.


Step 3 Run:
arp learning dhcp-trigger

The AC6605 is configured to learn ARP entries according to the DHCP ACK message received
on the VLANIF interface.
By default, the AC6605 does not learn ARP entries when receiving DHCP ACK messages; ARP
learning is triggered only when traffic passes.
NOTE

l The arp learning dhcp-trigger command can be used on a VLANIF interface only when DHCP
snooping is enabled.
l When both VRRP and DHCP relay are configured on the network, neither the DHCP snooping function
nor the arp learning dhcp-trigger command can be configured on the VRRP master and backup
devices.

----End

Checking the Configuration


Prerequisites
The ARP anti-attack configurations are complete.

Procedure
l Run the display arp anti-attack configuration { arp-rate-limit | arpmiss-rate-limit |
arp-speed-limit | arpmiss-speed-limit | entry-check | gateway-duplicate | log-trap-timer |
packet-check | all } and display arp anti-attack configuration check user-bind
interface interface-type interface-number commands to check the configuration of ARP
anti-attack.
l Run the display arp anti-attack gateway-duplicate item command to check information
about bogus gateway address attacks on the network.

----End

8.5.6 Maintaining ARP Security


This section describes how to maintain ARP security.

Displaying the Statistics About ARP Packets


You can use the display command to view the statistics on ARP packets.

Procedure
l Run the display arp packet statistics command to view the statistics on ARP packets.

----End

Example
Run the display arp packet statistics command to view the statistics on ARP packets.
<Quidway> display arp packet statistics
ARP Pkt Received:                             sum 199992
ARP-Miss Msg Received:                        sum 0
ARP Learnt Count:                             sum 4
ARP Pkt Discard For Limit:                    sum 0
ARP Pkt Discard For SpeedLimit:               sum 0
ARP Pkt Discard For Proxy Suppress:           sum 0
ARP Pkt Discard For Other:                    sum 18220
ARP-Miss Msg Discard For SpeedLimit:          sum
ARP-Miss Msg Discard For Other:               sum 0

Clearing the Statistics on ARP Packets


You can use the reset command to clear the statistics on ARP packets.

Context

CAUTION
Statistics cannot be restored after being cleared. Exercise caution when you run this command.
Run the following command in the user view to clear the statistics.

Procedure
l Run the reset arp packet statistics command to clear the statistics on ARP packets.

----End

Clearing the Statistics on Discarded ARP Packets


Context

CAUTION
Statistics cannot be restored after being cleared. Exercise caution when you run this command.
To clear the statistics on discarded ARP packets, run the following commands in the user view.

Procedure
l Run the reset arp anti-attack statistics check user-bind interface interface-type
interface-number command to clear the statistics on the packets discarded because they do
not match the binding table.
l Run the reset arp anti-attack statistics rate-limit command to clear the statistics on the
ARP packets discarded because the transmission rate exceeds the limit.

----End

Debugging ARP Packets


Context

CAUTION
Debugging affects the performance of the system. So, after debugging, run the undo debugging
all command to disable it immediately.
If a running fault occurs, run the following debugging commands in the user view to locate the
fault.

Procedure
l Run the debugging arp packet [ slot slot-id | interface interface-type interface-number ]
command to debug ARP packets.
l Run the debugging arp process [ slot slot-id | interface interface-type interface-number ]
command to debug the processing of ARP packets.

----End

Enabling Log and Alarm Functions for Potential Attacks


Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
arp anti-attack log-trap-timer time

The interval for sending an ARP alarm and writing an ARP log for potential attacks is set.
The log and alarm functions for potential attacks take effect for all ARP packets.
time specifies the interval for writing an ARP log and sending an alarm. By default, the value is
0, indicating that the log and alarm functions are disabled.
----End

8.5.7 Configuration Examples


This section provides several configuration examples of ARP security.

Example for Configuring ARP Security Functions


Networking Requirements
As shown in Figure 8-19, the Switch is connected to a server through GigabitEthernet 0/0/3 and
is connected to four users in VLAN 10 and VLAN 20 through GigabitEthernet 0/0/1 and
GigabitEthernet 0/0/2. The following ARP attacks exist on the network:
l The server may send many packets with an unreachable destination IP address, more than
common users send.
l After User 1 is infected by a virus, it sends a large number of ARP packets. Among these
packets, the source IP address of some ARP packets changes within the local network segment,
and the source IP address of other ARP packets is the same as the IP address of the gateway.
l User 3 constructs a large number of ARP packets with a fixed IP address to attack the
network.
l User 4 constructs a large number of ARP packets with an unreachable destination IP address
to attack the network.
It is required that ARP security functions be configured on the Switch to prevent the preceding
attacks. The suppression rate of ARP Miss packets set for the server should be greater than the
suppression rate for other users.
Figure 8-19 Networking diagram for configuring ARP security functions
[Figure: Switch with GE 0/0/1, GE 0/0/2 and GE 0/0/3; Server; VLAN10 and VLAN20; User1, User2, User3, User4]

Configuration Roadmap
The configuration roadmap is as follows:
1. Enable strict ARP learning.
2. Enable interface-based ARP entry restriction.
3. Enable the ARP anti-spoofing function.
4. Enable the ARP anti-attack function for preventing ARP packets with the bogus gateway
address.
5. Configure the rate suppression function for ARP packets.
6. Configure the rate suppression function for ARP Miss packets.
7. Enable log and alarm functions for potential attacks.


Data Preparation
To complete the configuration, you need the following data:
l Number of limited ARP entries on the interface being 20
l Anti-spoofing mode used to prevent attacks initiated by User 1 being fixed-mac
l IP address of the server being 2.2.2.2/24
l IP address of User 4 that sends a large number of ARP packets being 2.2.4.2/24
l Maximum suppression rate for ARP packets of User 4 being 10 pps and maximum
suppression rate for ARP packets of other users being 15 pps
l Maximum suppression rate for ARP Miss packets of common users being 20 pps and
maximum suppression rate for ARP Miss packets on the server being 50 pps
l Interval for writing an ARP log and sending an alarm being 300 seconds

Procedure
Step 1 Enable strict ARP learning.
<Quidway> system-view
[Quidway] arp learning strict

Step 2 Configure interface-based ARP entry restriction.


# The number of limited ARP entries on each interface is 20. The following lists the configuration
of GigabitEthernet 0/0/1, and the configurations of other interfaces are the same as the
configuration of GigabitEthernet 0/0/1.
[Quidway] interface gigabitethernet 0/0/1
[Quidway-GigabitEthernet0/0/1] arp-limit vlan 10 maximum 20
[Quidway-GigabitEthernet0/0/1] quit

Step 3 Enable the ARP anti-spoofing function.


# Set the ARP anti-spoofing mode to fixed-mac to prevent ARP spoofing attacks initiated by
User 1.
[Quidway] arp anti-attack entry-check fixed-mac enable

Step 4 Enable the ARP anti-attack function for preventing ARP packets with the bogus gateway
address.
# Enable the ARP anti-attack function for preventing ARP packets with the bogus gateway
address to prevent User 1 from sending ARP packets with the bogus gateway address.
[Quidway] arp anti-attack gateway-duplicate enable

Step 5 Configure the rate suppression function for ARP packets.


# Set the suppression rate for ARP packets sent by User 4 to 10 pps. To prevent any user from
sending an abnormally large number of ARP packets, set the system-wide suppression rate for
ARP packets to 15 pps.
[Quidway] arp speed-limit source-ip maximum 15
[Quidway] arp speed-limit source-ip 2.2.4.2 maximum 10

Step 6 Configure the rate suppression function for ARP Miss packets.
# Set the suppression rate for ARP Miss packets of the system to 20 pps to prevent users from
sending a large number of IP packets with an unreachable destination IP address.
[Quidway] arp-miss speed-limit source-ip maximum 20


# Set the suppression rate for ARP Miss packets on the server to 50 pps. This prevents the server
from sending a large number of IP packets with an unreachable destination IP address, while
ensuring that network communication is not affected when the server sends such packets at a
rate higher than common users do.
[Quidway] arp-miss speed-limit source-ip 2.2.2.2 maximum 50

Step 7 Enable log and alarm functions for potential attacks.


[Quidway] arp anti-attack log-trap-timer 300

Step 8 Verify the configuration.


After the configuration, run the display arp learning strict command. You can see information
about strict ARP learning.
<Quidway> display arp learning strict
The global configuration:arp learning strict
Interface                         LearningStrictState
-----------------------------------------------------------
Total:0
Force-enable:0
Force-disable:0

You can use the display arp-limit command to check the maximum number of ARP entries
learned by the interface.
<Quidway> display arp-limit interface gigabitethernet 0/0/1
Interface                LimitNum    VlanID    LearnedNum(Mainboard)
---------------------------------------------------------------------------
GigabitEthernet0/0/1     20          10        0
---------------------------------------------------------------------------
Total:1

You can use the display arp anti-attack configuration all command to check the configuration
of ARP anti-attack.
<Quidway> display arp anti-attack configuration all
ARP anti-attack packet-check function: disable
ARP gateway-duplicate anti-attack function: disabled
ARP anti-attack log-trap-timer: 300 second(s)
(The log and trap timer of speed-limit, default is 0 and means disabled.)
ARP anti-attack entry-check mode:
Vlanif        Mode
-------------------------------------------------------------------------------
All           fixed-mac
-------------------------------------------------------------------------------
ARP rate-limit configuration:
-------------------------------------------------------------------------------
Global configuration:
Interface configuration:
Vlan configuration:
-------------------------------------------------------------------------------
ARP miss rate-limit configuration:
-------------------------------------------------------------------------------
Global configuration:
Interface configuration:
Vlan configuration:
-------------------------------------------------------------------------------
ARP speed-limit for source-MAC configuration:
MAC-address          suppress-rate(pps)(rate=0 means function disabled)
-------------------------------------------------------------------------------
All                  0
-------------------------------------------------------------------------------
The number of configured specified MAC address(es) is 0, spec is 512.
ARP speed-limit for source-IP configuration:
IP-address           suppress-rate(pps)(rate=0 means function disabled)
-------------------------------------------------------------------------------
2.2.4.2              10
Others               15
-------------------------------------------------------------------------------
The number of configured specified IP address(es) is 1, spec is 512.
ARP miss speed-limit for source-IP configuration:
IP-address           suppress-rate(pps)(rate=0 means function disabled)
-------------------------------------------------------------------------------
2.2.2.2/32           50
Others               20
-------------------------------------------------------------------------------
The number of configured specified IP address(es) is 1, spec is 512.

You can use the display arp packet statistics command to view the number of discarded ARP
packets and the number of learned ARP entries.
<Quidway> display arp packet statistics
ARP Pkt Received:                             sum 154333
ARP-Miss Msg Received:                        sum 0
ARP Learnt Count:                             sum 8
ARP Pkt Discard For Limit:                    sum 5
ARP Pkt Discard For SpeedLimit:               sum 0
ARP Pkt Discard For Proxy Suppress:           sum 0
ARP Pkt Discard For IP Pool Check:            sum 0
ARP Pkt Discard For Other:                    sum 151597
ARP-Miss Msg Discard For SpeedLimit:          sum 0
ARP-Miss Msg Discard For Other:               sum 3
ARP Pkt Discard For Gratuitous ARP:           sum 0
ARP Pkt Discard For Destination MAC check:    sum
----End

Configuration Files
#
sysname Quidway
#
vlan batch 10 20 30
#
arp speed-limit source-ip maximum 15
arp-miss speed-limit source-ip maximum 20
arp learning strict
arp anti-attack log-trap-timer 300
#
arp anti-attack entry-check fixed-mac enable
arp anti-attack gateway-duplicate enable
arp-miss speed-limit source-ip 2.2.2.2 maximum 50
arp speed-limit source-ip 2.2.4.2 maximum 10
#
interface GigabitEthernet0/0/1
port hybrid pvid vlan 10
port hybrid tagged vlan 10
arp-limit vlan 10 maximum 20
#
interface GigabitEthernet0/0/2
port hybrid pvid vlan 20
port hybrid tagged vlan 20
arp-limit vlan 20 maximum 20
#
interface GigabitEthernet0/0/3
port hybrid pvid vlan 30
port hybrid untagged vlan 30
arp-limit vlan 30 maximum 20
#
return
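To see how the suppression rates configured in Steps 5 and 6 act on traffic, the following Python model is added here; it is not Huawei code and does not reproduce the AC6605's internal algorithm. It assumes fixed one-second counting windows, and the common-user address 2.2.3.2 used in the sample bursts is constructed.

```python
"""Model of 'arp speed-limit source-ip' / 'arp-miss speed-limit source-ip'.

Added example, not part of the AC6605 software. It keys suppression on the
source IP address, applies a per-IP rate where one is configured and the
default rate to 'Others', and treats rate 0 as 'function disabled', which is
what the display output of the configuration example states.
"""
from typing import Dict, Optional


class SourceIpSpeedLimit:
    """Per-source-IP suppression in packets per second (pps).

    Counting in fixed one-second windows is a modelling assumption.
    """

    def __init__(self, default_pps: int, per_ip: Optional[Dict[str, int]] = None):
        self.default_pps = default_pps          # rate for 'Others'
        self.per_ip = dict(per_ip or {})        # explicitly configured sources
        self._window: Dict[str, int] = {}       # src_ip -> current window index
        self._count: Dict[str, int] = {}        # src_ip -> packets accepted in it
        self.discarded = 0                      # 'Discard For SpeedLimit' counter

    def rate_for(self, src_ip: str) -> int:
        """Rate that applies to src_ip: its own entry, else the default."""
        return self.per_ip.get(src_ip, self.default_pps)

    def accept(self, src_ip: str, t: float) -> bool:
        """True if a packet from src_ip at time t (seconds) is within its rate."""
        rate = self.rate_for(src_ip)
        if rate == 0:                           # rate=0 means function disabled
            return True
        win = int(t)
        if self._window.get(src_ip) != win:     # new second: reset the counter
            self._window[src_ip] = win
            self._count[src_ip] = 0
        if self._count[src_ip] < rate:
            self._count[src_ip] += 1
            return True
        self.discarded += 1
        return False


def burst(limiter: SourceIpSpeedLimit, src_ip: str, n: int, start: float) -> int:
    """Send n packets from src_ip evenly spaced inside the second beginning at
    start; return how many the limiter accepted."""
    return sum(limiter.accept(src_ip, start + i / n) for i in range(n))


def arp_scenario() -> Dict[str, int]:
    """Replay the example's data: User 4 (2.2.4.2) limited to 10 pps, others to
    15 pps; ARP Miss from the server (2.2.2.2) limited to 50 pps, others to 20."""
    arp = SourceIpSpeedLimit(default_pps=15, per_ip={"2.2.4.2": 10})
    arp_miss = SourceIpSpeedLimit(default_pps=20, per_ip={"2.2.2.2": 50})
    # Constructed bursts; 2.2.3.2 is an assumed address for a common user.
    return {
        "user4_arp": burst(arp, "2.2.4.2", 25, 0.0),          # 10 pass, 15 dropped
        "user3_arp": burst(arp, "2.2.3.2", 25, 0.0),          # 15 pass, 10 dropped
        "server_miss": burst(arp_miss, "2.2.2.2", 60, 0.0),   # 50 pass, 10 dropped
        "user3_miss": burst(arp_miss, "2.2.3.2", 30, 0.0),    # 20 pass, 10 dropped
        "user3_miss_next_second": burst(arp_miss, "2.2.3.2", 5, 1.0),  # counter reset
        "arp_discarded": arp.discarded,
        "miss_discarded": arp_miss.discarded,
    }


def disabled_scenario():
    """Rate 0 disables suppression: every packet is accepted."""
    lim = SourceIpSpeedLimit(default_pps=0)
    return burst(lim, "2.2.3.2", 100, 0.0), lim.discarded


if __name__ == "__main__":
    for name, value in arp_scenario().items():
        print(f"{name:24s} {value}")
    print("rate 0 (disabled):", disabled_scenario())
```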

Example for Configuring ARP Anti-Attack to Prevent Man-in-the-Middle Attacks


Networking Requirements
As shown in Figure 8-20, two users are connected to the Switch through GigabitEthernet 0/0/1
and GigabitEthernet 0/0/2 respectively. Assume that the user connected to GigabitEthernet 0/0/2
is an attacker. To prevent the man-in-the-middle attacks, you can configure the IP source guard
function. After the IP source guard function is configured on the Switch, the Switch checks the
IP packets according to the binding table. Only the IP packets that match the content of the
binding table can be forwarded; the other IP packets are discarded. In addition, you can enable
the alarm function for discarded packets.
Figure 8-20 Networking diagram for preventing man-in-the-middle attacks
[Figure: Switch; GE 0/0/1 to Client (IP:10.0.0.1/24, MAC:1-1-1, VLAN ID:10); GE 0/0/2 to Attacker; Server]

Configuration Roadmap
The configuration roadmap is as follows:
1. Enable the IP source guard function.
2. Configure the check items for ARP packets.
3. Configure a static binding table.
4. Enable the alarm function for discarded packets.

Data Preparation
To complete the configuration, you need the following data:
l Interfaces enabled with IP source guard: GigabitEthernet 0/0/1 and GigabitEthernet 0/0/2
l Check items: IP address + MAC address + VLAN
l Alarm threshold of the number of discarded ARP packets: 80
l IP address of the client configured in the static binding table: 10.0.0.1/24; MAC address:
1-1-1; VLAN ID: 10

Procedure
Step 1 Configure the IP source guard function.
# Enable the IP source guard function on GigabitEthernet 0/0/1 connected to the client.
[Quidway] interface gigabitethernet 0/0/1
[Quidway-GigabitEthernet0/0/1] arp anti-attack check user-bind enable
[Quidway-GigabitEthernet0/0/1] arp anti-attack check user-bind check-item ip-address mac-address vlan
[Quidway-GigabitEthernet0/0/1] quit

# Enable the IP source guard function on GigabitEthernet 0/0/2 connected to the attacker.
[Quidway] interface gigabitethernet 0/0/2
[Quidway-GigabitEthernet0/0/2] arp anti-attack check user-bind enable
[Quidway-GigabitEthernet0/0/2] arp anti-attack check user-bind check-item ip-address mac-address vlan
[Quidway-GigabitEthernet0/0/2] quit

Step 2 Configure the alarm function for discarded packets.
# Set the alarm threshold of the ARP packets discarded because they do not match the binding
table on GigabitEthernet 0/0/1 connected to the client.
[Quidway] interface gigabitethernet 0/0/1
[Quidway-GigabitEthernet0/0/1] arp anti-attack check user-bind alarm enable
[Quidway-GigabitEthernet0/0/1] arp anti-attack check user-bind alarm threshold 80
[Quidway-GigabitEthernet0/0/1] quit

# Set the alarm threshold of the ARP packets discarded because they do not match the binding
table on GigabitEthernet 0/0/2 connected to the attacker.
[Quidway] interface gigabitethernet 0/0/2
[Quidway-GigabitEthernet0/0/2] arp anti-attack check user-bind alarm enable
[Quidway-GigabitEthernet0/0/2] arp anti-attack check user-bind alarm threshold 80
[Quidway-GigabitEthernet0/0/2] quit

Step 3 Configure the check items of the static binding table.


# Configure Client in the static binding table.
[Quidway] user-bind static ip-address 10.0.0.1 mac-address 0001-0001-0001
interface gigabitethernet 0/0/1 vlan 10

Step 4 Verify the configuration.


Run the display arp anti-attack configuration check user-bind interface command. You can
view the configuration of the IP source guard function on the interface.
<Quidway> display arp anti-attack configuration check user-bind interface
gigabitethernet 0/0/1
arp anti-attack check user-bind enable
arp anti-attack check user-bind alarm enable
arp anti-attack check user-bind alarm threshold 80
<Quidway> display arp anti-attack configuration check user-bind interface
gigabitethernet 0/0/2
arp anti-attack check user-bind enable
arp anti-attack check user-bind alarm enable
arp anti-attack check user-bind alarm threshold 80

The preceding information indicates that GigabitEthernet 0/0/1 does not discard ARP packets,
whereas GigabitEthernet 0/0/2 has discarded ARP packets. The anti-attack function takes effect.
----End

Configuration Files
#
vlan batch 10
#
user-bind static ip-address 10.0.0.1 mac-address 0001-0001-0001 interface
gigabitethernet 0/0/1 vlan 10
#
interface gigabitethernet0/0/1
arp anti-attack check user-bind enable
arp anti-attack check user-bind alarm enable
arp anti-attack check user-bind alarm threshold 80
#
interface gigabitethernet0/0/2
arp anti-attack check user-bind enable
arp anti-attack check user-bind alarm enable
arp anti-attack check user-bind alarm threshold 80
#
return

8.6 Source IP Attack Defense Configuration


This chapter describes the source IP attack defense configuration.

8.6.1 Overview of IP Source Guard


This section describes the IP source guard function.
Source IP address spoofing is a common network attack: for example, an attacker impersonates
an authorized user and sends IP packets to the server, or forges the source IP address of users
for communication. As a result, authorized users cannot obtain network services. To solve
the problem, the AC6605 provides IP source guard.

IP Source Guard
IP source guard filters IP packets on interfaces so that invalid packets cannot pass through the
interfaces and security of the interfaces is improved.
The attacker sends a packet carrying the IP address and MAC address of an authorized user to
the server. The server considers the attacker as an authorized user and learns the IP address and
MAC address. The actual user, however, cannot obtain service from the server. Figure 8-21
shows the diagram of IP/MAC spoofing attack.

Figure 8-21 IP/MAC spoofing attack
[Figure: DHCP server (IP:1.1.1.1/24, MAC:1-1-1); Switch; DHCP client (IP:1.1.1.3/24, MAC:3-3-3); Attacker (IP:1.1.1.2/24, MAC:2-2-2) sending packets with IP:1.1.1.3/24, MAC:3-3-3]

To prevent IP/MAC spoofing attacks, configure the IP source guard function on the AC6605.
Then the AC6605 matches the IP packets reaching an interface with the entries in the binding
table. If the packets match entries in the binding table, the packets can pass through the interface;
otherwise, the packets are discarded.

8.6.2 IP Source Guard Features Supported by the AC6605


This section describes the IP source guard features supported by the AC6605.

IP Source Guard
IP source guard checks IP packets against the binding table, including source IP addresses, source
MAC addresses, interface numbers, and VLAN IDs. In the interface view, you can configure
the IP packet check based on the following items:
l IP+MAC
l IP+VLAN
l IP+MAC+VLAN
l ...
In the VLAN view, you can configure IP packet checking based on the following items:
l IP+MAC
l IP+Interface
l IP+MAC+Interface
l ...
The AC6605 provides two binding mechanisms:
l After the DHCP snooping function is enabled for DHCP users, the binding table is
dynamically generated for the DHCP users.
l When users use static IP addresses, you need to configure the binding table by running
commands.
NOTE

For details about the DHCP snooping configuration, see 8.4 DHCP Snooping Configuration.

URPF
URPF functions only at the inbound interface of the AC6605. If URPF is enabled on an interface,
the URPF check is performed on packets received by the interface.
The AC6605 supports two URPF check modes: strict check and loose check.
l Strict check: The source addresses of packets must exist in the routing table or ARP table
of the AC6605. Packets can be forwarded only when the outbound interface is the same as
the inbound interface of the packets. Otherwise, packets are dropped.
l Loose check: Regardless of whether the source addresses of packets exist in the routing table
or ARP table of the AC6605, or whether the corresponding outbound interfaces match the
inbound interfaces of the packets, packets are forwarded.
NOTE

The AC6605 supports the checking of the source IPv4 addresses of the packets passing the inbound
interface.

CAUTION
It is recommended that URPF be enabled before services are configured. If URPF is needed after
service deployment, configure URPF when service traffic volume on the LPU is low. Ensure
that FIB entries are sufficient for current services after the maximum number of FIB entries
supported by the LPU reduces to half.

8.6.3 Configuring IP Source Guard


This section describes how to configure IP source guard.

Establishing the Configuration Task


Before configuring IP source guard, familiarize yourself with the applicable environment,
complete the pre-configuration tasks, and obtain the data required for the configuration. This
will help you complete the configuration task quickly and accurately.

Applicable Environment
After the IP source guard function is configured on the AC6605, the AC6605 checks the IP
packets according to the binding table. Only the IP packets that match binding entries can be
forwarded; the other IP packets are discarded.

Pre-configuration Tasks
Before configuring IP source guard, complete the following task:
l Enabling DHCP Snooping if there are DHCP users

Data Preparation
To configure IP source guard, you need the following data.
No.  Data
1    (Optional) User information in a static binding entry, including the IPv4 address,
     MAC address, VLAN ID, and interface number of the user
2    Type and number of the interface enabled with the IP source guard function
3    Alarm threshold for checking the received IP packets

(Optional) Configuring a Static User Binding Entry


Context
For users who are assigned static IP addresses, the AC6605 cannot automatically learn their
MAC addresses or generate binding entries for them before forwarding their data. You need to
create the binding entries manually.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
user-bind static { { ip-address ip-address &<1-10> } | mac-address mac-address }
[ interface interface-type interface-number ] [ vlan vlan-id [ ce-vlan ce-vlan-id ] ]

A static user binding entry is configured.


----End

Enabling IP Source Guard


Procedure
Step 1 Run:
system-view

The system view is displayed.



Step 2 Run:
interface interface-type interface-number

The interface view is displayed.


This is a user-side interface.
Or, run:
vlan vlan-id

The VLAN view is displayed.


Step 3 Run:
ip source check user-bind enable

The IP source guard function is enabled on the interface.


By default, the IP source guard function is not enabled on the AC6605.
----End

Configuring the Check Items of IP Packets


Context
After the function of checking IP packets is enabled, the AC6605 checks the received IP packets
against the binding table. The check items include the source IPv4 address, source MAC address,
VLAN ID, and interface number.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
interface interface-type interface-number

The interface view is displayed.


This is a user-side interface.
Or, run:
vlan vlan-id

The VLAN view is displayed.


Step 3 In the interface view, run:
ip source check user-bind check-item { ip-address | mac-address | vlan }*

Or in the VLAN view, run:


ip source check user-bind check-item { ip-address | mac-address | interface }*

The check items of IP packets are configured.


When receiving an IP packet, the interface checks the IP packet according to the check items,
including the source IPv4 address, source MAC address, VLAN, or the combination of these
three items. If the IP packet matches the binding table according to the check items, the packet
is forwarded; otherwise, the packet is discarded.
By default, the check items consist of the IPv4 address, MAC address, VLAN ID, and interface
number.
NOTE

This command is valid only for dynamic binding entries.

----End
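The following Python model, added here and not part of the AC6605 software, applies the binding-table check that both arp anti-attack check user-bind check-item (Preventing Man-in-the-Middle Attacks) and ip source check user-bind check-item (this task) describe to constructed sample packets from the Figure 8-20 scenario. It checks exactly the configured items and nothing else, and raises the alarm once when the discard count first exceeds the threshold; both are modelling assumptions.

```python
"""Binding-table check with configurable check items and a discard alarm.

Added example, not the AC6605's own code. Check items are those the guide
names: ip-address, mac-address, vlan (interface view) and interface (VLAN
view); by default all four are checked and the alarm threshold is 100.
"""
from dataclasses import dataclass
from typing import FrozenSet, Iterable, List, Tuple

ALL_ITEMS: FrozenSet[str] = frozenset({"ip-address", "mac-address", "vlan", "interface"})


@dataclass(frozen=True)
class Binding:
    """One entry of the binding table (static user-bind or DHCP snooping)."""
    ip: str
    mac: str
    vlan: int
    interface: str


@dataclass(frozen=True)
class Packet:
    """The fields of a received ARP or IP packet that the check looks at."""
    src_ip: str
    src_mac: str
    vlan: int
    interface: str


class UserBindCheck:
    """Forwards a packet only if some binding entry matches on every configured item."""

    def __init__(self, bindings: Iterable[Binding], check_items: Iterable[str] = ALL_ITEMS,
                 alarm_enabled: bool = False, alarm_threshold: int = 100):
        unknown = set(check_items) - ALL_ITEMS
        if unknown:
            raise ValueError(f"unknown check item(s): {sorted(unknown)}")
        self.bindings = list(bindings)
        self.check_items = frozenset(check_items)
        self.alarm_enabled = alarm_enabled
        self.alarm_threshold = alarm_threshold
        self.discarded = 0      # packets discarded for not matching the table
        self.alarms = 0         # alarms generated

    def _matches(self, pkt: Packet, b: Binding) -> bool:
        fields = {
            "ip-address": pkt.src_ip == b.ip,
            "mac-address": pkt.src_mac.lower() == b.mac.lower(),
            "vlan": pkt.vlan == b.vlan,
            "interface": pkt.interface == b.interface,
        }
        # Only the configured items are compared; everything else is ignored.
        return all(fields[item] for item in self.check_items)

    def forward(self, pkt: Packet) -> bool:
        """Return True to forward, False to discard (and count the discard)."""
        if any(self._matches(pkt, b) for b in self.bindings):
            return True
        self.discarded += 1
        # Modelling assumption: one alarm when the count first exceeds the threshold.
        if self.alarm_enabled and self.discarded == self.alarm_threshold + 1:
            self.alarms += 1
        return False


def run_scenario(check_items: Iterable[str] = ALL_ITEMS, alarm_enabled: bool = False,
                 alarm_threshold: int = 100) -> Tuple[List[bool], int, int]:
    """Replay Figure 8-20: client on GE0/0/1, attacker on GE0/0/2.

    Returns (forwarding decisions, discarded count, alarms). Traffic is constructed.
    """
    bindings = [Binding("10.0.0.1", "0001-0001-0001", 10, "GigabitEthernet0/0/1")]
    chk = UserBindCheck(bindings, check_items, alarm_enabled, alarm_threshold)
    client = Packet("10.0.0.1", "0001-0001-0001", 10, "GigabitEthernet0/0/1")
    # Attacker (constructed MAC 0002-0002-0002) claims the client's IP: classic poisoning.
    spoof = Packet("10.0.0.1", "0002-0002-0002", 10, "GigabitEthernet0/0/2")
    # Attacker copies the client's IP, MAC and VLAN exactly; only the port differs.
    clone = Packet("10.0.0.1", "0001-0001-0001", 10, "GigabitEthernet0/0/2")
    decisions = [chk.forward(p) for p in (client, spoof, spoof, clone)]
    return decisions, chk.discarded, chk.alarms


if __name__ == "__main__":
    print("default items (ip+mac+vlan+interface):", run_scenario())
    print("interface view, ip+mac+vlan only:     ",
          run_scenario({"ip-address", "mac-address", "vlan"}))
    print("alarm enabled, threshold 2:           ",
          run_scenario(alarm_enabled=True, alarm_threshold=2))
```

With only ip-address, mac-address and vlan checked, a packet that copies all three of the client's values is forwarded even from the attacker's port, which is why the default item set also includes the interface.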

Checking the Configuration


Prerequisites
The configurations of IP source guard are complete.

Procedure
Step 1 Run the display dhcp static user-bind { interface interface-type interface-number | ip-address ip-address | mac-address mac-address | vlan vlan-id } * [ verbose ] command to view information
about the specified static binding entries.
Step 2 Run the display dhcp static user-bind all [ verbose ] command to view information about all static
binding entries.
Step 3 Run the display ip source check user-bind interface interface-type interface-number
command to view the configuration of the IP source guard function on the interface.
----End

8.6.4 Configuring URPF


This section describes how to configure URPF.

Establishing the Configuration Task


Before configuring URPF, complete the pre-configuration tasks, and obtain the data required
for the configuration. This will help you complete the configuration task quickly and accurately.

Applicable Environment
To prevent source address spoofing attacks on a network, configure URPF to check whether the
source IP address of a packet matches the inbound interface. If the source IP address matches
the inbound interface, the source IP address is considered as valid and the packets are allowed
to pass; otherwise, the source IP address is considered as pseudo and the packets are discarded.

Pre-configuration Tasks
Before configuring URPF, complete the following task:
- Setting parameters of the link layer protocol to ensure that the link layer protocol is in Up
state on the interfaces

Data Preparation
To configure URPF, you need the following data.

Setting the URPF Check Mode on an Interface


Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
interface interface-type interface-number

The interface view is displayed.


NOTE

URPF must be configured on the physical interface.

Step 3 Run:
urpf { loose | strict } [ allow-default-route ]

The URPF check mode is configured on the interface.


The allow-default-route parameter determines how URPF processes a default route.
- When allow-default-route is specified and the source address of packets does not exist in the
routing table or ARP table, the packets are discarded in URPF strict or loose check mode even
if a corresponding default route is found. If the source address of packets exists in the routing
table or ARP table:
  - In URPF strict check mode, packets pass the URPF check and are forwarded if the outgoing
interface of the default route is the same as the incoming interface of the packets; packets
are discarded if the outgoing interface of the default route is different from the incoming
interface of the packets.
  - In URPF loose check mode, packets pass the URPF check and are forwarded regardless of
whether the outgoing interface of the default route is the same as the incoming interface of
the packets.
- When allow-default-route is not specified, the AC6605 does not process the default route.
NOTE

URPF does not check the packets matching the redirection action in the traffic policy.

----End
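The strict and loose checks and the allow-default-route handling above, as an added Python model (not Huawei code). It assumes a constructed routing table in which ARP-learned hosts appear as /32 routes, treats the default route 0.0.0.0/0 as a candidate match only when allow-default-route is configured, and uses constructed interface names and addresses.

```python
"""Model of the URPF check set with 'urpf { loose | strict } [ allow-default-route ]'
(added example, not Huawei code).

Assumptions: the routing table is a list of (prefix, outgoing interface); hosts
known from the ARP table are represented as /32 routes; the default route is a
candidate match only when allow-default-route is configured.
"""
import ipaddress
from typing import List, Optional, Tuple

Route = Tuple[ipaddress.IPv4Network, str]

# Constructed routing table of the AC6605 in this example.
ROUTES: List[Route] = [
    (ipaddress.ip_network("10.0.0.0/24"), "GE0/0/1"),
    (ipaddress.ip_network("10.0.1.0/24"), "GE0/0/2"),
    (ipaddress.ip_network("10.0.1.77/32"), "GE0/0/2"),   # host learnt via ARP
    (ipaddress.ip_network("0.0.0.0/0"), "GE0/0/3"),      # default route to the uplink
]


def reverse_lookup(src_ip: str, routes: List[Route],
                   allow_default_route: bool) -> Optional[Route]:
    """Longest-prefix match of the *source* address, optionally via the default route."""
    addr = ipaddress.ip_address(src_ip)
    best: Optional[Route] = None
    for net, out_iface in routes:
        if net.prefixlen == 0 and not allow_default_route:
            continue                      # default route is not processed
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, out_iface)
    return best


def urpf_check(src_ip: str, in_iface: str, mode: str,
               allow_default_route: bool = False,
               routes: List[Route] = ROUTES) -> bool:
    """Return True if the packet passes URPF (forward) or False (discard)."""
    if mode not in ("strict", "loose"):
        raise ValueError("mode must be 'strict' or 'loose'")
    match = reverse_lookup(src_ip, routes, allow_default_route)
    if match is None:
        return False                      # source unreachable: spoofed in both modes
    if mode == "loose":
        return True                       # any route back to the source is enough
    return match[1] == in_iface           # strict: reverse path must use this interface


if __name__ == "__main__":
    cases = [
        ("10.0.0.5", "GE0/0/1", "strict", False),       # legitimate source
        ("10.0.0.5", "GE0/0/2", "strict", False),       # spoofed from another subnet
        ("10.0.0.5", "GE0/0/2", "loose", False),        # loose mode tolerates asymmetry
        ("198.51.100.9", "GE0/0/3", "strict", False),   # only the default route matches
        ("198.51.100.9", "GE0/0/3", "strict", True),
    ]
    for src, iface, mode, allow in cases:
        verdict = "forward" if urpf_check(src, iface, mode, allow) else "discard"
        print(src, iface, mode, "allow-default-route" if allow else "", verdict)
```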

Checking the Configuration


Prerequisites
The URPF configurations are complete.

Procedure
- Run the display this command in the interface view to check whether URPF is enabled on
the interface.

----End

8.6.5 Configuration Examples


This section provides a configuration example of IP source guard.

Example for Configuring IP Source Guard


Networking Requirements
As shown in Figure 8-22, Host A is connected to the Switch through GigabitEthernet 0/0/1 and
Host B is connected to the Switch through GigabitEthernet 0/0/2. You need to configure the IP
source guard function on the Switch so that Host B cannot forge the IP address and MAC address
on Host A and the IP packets from Host A can be sent to the server.
Figure 8-22 Networking diagram for configuring IP source guard (the Switch uplinks to the Server; GE 0/0/1 connects Host A, IP 10.0.0.1/24, MAC 1-1-1; GE 0/0/2 connects Host B (attacker), IP 10.0.0.2/24, MAC 2-2-2, which sends packets with SIP 10.0.0.1/24 and SMAC 1-1-1)

Configuration Roadmap
Assume that the user obtains an IP address through DHCP. The configuration roadmap is as
follows:
1. Enable the IP source guard function on the interfaces connected to Host A and Host B.
2. Configure the check items of IP packets.
3. Configure a static binding table.


Data Preparation
To complete the configuration, you need the following data:
- Interface connected to Host A: GigabitEthernet 0/0/1; interface connected to Host B:
GigabitEthernet 0/0/2
- IP address of Host A: 10.0.0.1/24; MAC address of Host A: 1-1-1
- VLAN where Host A resides: VLAN 10


NOTE

This configuration example provides only the commands related to the IP Source Guard configuration.

Procedure
Step 1 Enable the IP source guard function.
# Enable the IP source guard function on GigabitEthernet 0/0/1 connected to Host A.
[Quidway] interface gigabitethernet 0/0/1
[Quidway-GigabitEthernet0/0/1] ip source check user-bind enable

# Enable the alarm function for checking the received IP packets on GigabitEthernet 0/0/1
connected to Host A.
[Quidway-GigabitEthernet0/0/1] ip source check user-bind alarm enable
[Quidway-GigabitEthernet0/0/1] ip source check user-bind alarm threshold 200
[Quidway-GigabitEthernet0/0/1] quit

# Enable the IP source guard function on GigabitEthernet 0/0/2 connected to Host B.


[Quidway] interface gigabitethernet 0/0/2
[Quidway-GigabitEthernet0/0/2] ip source check user-bind enable

# Enable the alarm function for checking the received IP packets on GigabitEthernet 0/0/2
connected to Host B.
[Quidway-GigabitEthernet0/0/2] ip source check user-bind alarm enable
[Quidway-GigabitEthernet0/0/2] ip source check user-bind alarm threshold 200
[Quidway-GigabitEthernet0/0/2] quit

Step 2 Configure the check items of the static binding table.


# Configure Host A in the static binding table.
[Quidway] user-bind static ip-address 10.0.0.1 mac-address 0001-0001-0001 interface gigabitethernet 0/0/1 vlan 10

Step 3 Verify the configuration.


Run the display dhcp snooping user-bind all command on the Switch to view information
about the binding table.
<Quidway> display dhcp snooping user-bind all
DHCP static Bind-table:
Flags:O - outer vlan ,I - inner vlan ,P - map vlan
IP Address       MAC Address     VSI/VLAN(O/I/P)  Interface
--------------------------------------------------------------------------------
10.0.0.1         0001-0001-0001  10 /-- /--       GE0/0/1
--------------------------------------------------------------------------------
print count:           1          total count:           1

The preceding information indicates that Host A exists in the static binding table, whereas Host
B does not exist.
----End

Configuration Files
#
user-bind static ip-address 10.0.0.1 mac-address 0001-0001-0001 interface GigabitEthernet 0/0/1 vlan 10
#
interface GigabitEthernet 0/0/1
ip source check user-bind enable
ip source check user-bind alarm enable
ip source check user-bind alarm threshold 200
#
interface GigabitEthernet 0/0/2
ip source check user-bind enable
ip source check user-bind alarm enable
ip source check user-bind alarm threshold 200
#
return
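The check-item logic of 8.6.3 and the Host A/Host B scenario of this example, as an added Python model (not Huawei code). It assumes the four default check items can be narrowed to any subset, which is broader than the per-view syntax shown above, and its alarm counter is a simplified stand-in for the alarm threshold command; the addresses and the static binding are the ones from the example.

```python
"""Model of IP source guard on a user-side interface (added example, not Huawei
code). An inbound IP packet is forwarded only if some binding-table entry
matches it on every configured check item; otherwise it is discarded and counted
towards the interface alarm threshold (assumed here to count discards)."""
from dataclasses import dataclass, field
from typing import FrozenSet, List, Tuple


@dataclass(frozen=True)
class Binding:
    """One binding-table entry ('user-bind static' or learnt by DHCP snooping)."""
    ip: str
    mac: str
    vlan: int
    interface: str


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_mac: str
    vlan: int
    in_interface: str


# Default check items: all four are checked unless 'check-item' narrows them.
DEFAULT_ITEMS: FrozenSet[str] = frozenset(
    {"ip-address", "mac-address", "vlan", "interface"})


def entry_matches(pkt: Packet, entry: Binding, items: FrozenSet[str]) -> bool:
    """True if the packet agrees with the entry on every configured check item."""
    checks = {
        "ip-address": pkt.src_ip == entry.ip,
        "mac-address": pkt.src_mac.lower() == entry.mac.lower(),
        "vlan": pkt.vlan == entry.vlan,
        "interface": pkt.in_interface == entry.interface,
    }
    return all(checks[item] for item in items)


@dataclass
class GuardedInterface:
    """State of one interface with 'ip source check user-bind enable'."""
    name: str
    table: List[Binding]
    check_items: FrozenSet[str] = DEFAULT_ITEMS
    alarm_threshold: int = 200          # 'ip source check user-bind alarm threshold 200'
    discarded: int = 0
    alarms: List[str] = field(default_factory=list)

    def forward(self, pkt: Packet) -> bool:
        """Apply the binding-table check; count discards and raise the alarm once."""
        if any(entry_matches(pkt, e, self.check_items) for e in self.table):
            return True
        self.discarded += 1
        if self.discarded == self.alarm_threshold:
            self.alarms.append(
                f"{self.name}: {self.discarded} packets failed the user-bind check")
        return False


# Constructed from the example: only Host A has a static binding.
BINDING_TABLE = [Binding("10.0.0.1", "0001-0001-0001", 10, "GE0/0/1")]
HOST_A_PACKET = Packet("10.0.0.1", "0001-0001-0001", 10, "GE0/0/1")
# Host B forges Host A's IP and MAC but can only send through its own port.
SPOOFED_PACKET = Packet("10.0.0.1", "0001-0001-0001", 10, "GE0/0/2")


def decisions(items: FrozenSet[str] = DEFAULT_ITEMS) -> Tuple[bool, bool]:
    """(Host A packet forwarded?, Host B's forged packet forwarded?) for 'items'."""
    ge1 = GuardedInterface("GE0/0/1", BINDING_TABLE, items)
    ge2 = GuardedInterface("GE0/0/2", BINDING_TABLE, items)
    return ge1.forward(HOST_A_PACKET), ge2.forward(SPOOFED_PACKET)


def alarms_after_burst(count: int) -> int:
    """Alarms raised on GE0/0/2 after 'count' forged packets with default items."""
    ge2 = GuardedInterface("GE0/0/2", BINDING_TABLE)
    for _ in range(count):
        ge2.forward(SPOOFED_PACKET)
    return len(ge2.alarms)


if __name__ == "__main__":
    print("default check items (ip, mac, vlan, interface):", decisions())
    # Narrowing the check items to ip-address + mac-address lets the forgery through.
    print("ip-address + mac-address only:",
          decisions(frozenset({"ip-address", "mac-address"})))
    print("alarms after 200 forged packets:", alarms_after_burst(200))
```

The second call shows why the interface (or VLAN plus interface) must stay among the check items: with only the IP address and MAC address checked, Host B's forged packet is indistinguishable from Host A's.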

8.7 Local Attack Defense Configuration


This chapter describes the principle and configuration of local attack defense.

8.7.1 Local Attack Defense Overview


This section describes the background and functions of local attack defense.
On a network, a large number of packets including valid packets and malicious attack packets
need to be delivered to the CPU. The malicious attack packets will affect other services or even
interrupt the system. When the AC6605 processes excess valid packets, the CPU usage becomes
high. As a result, the CPU performance deteriorates and services are interrupted.
To protect the CPU and ensure that it can process services, the packets to be sent to the CPU
need to be limited. For example, filtering and classifying packets to be sent to the CPU, limiting
the number of such packets and their rate, and setting the priority of such packets. Packets that
do not conform to certain rules are directly discarded to ensure that the CPU can process normal
services.
The local attack defense feature of the AC6605 applies to packets directing at the CPU. This
feature protects the AC6605 against attacks and ensures that the existing services run properly
upon attacks.

8.7.2 Local Attack Defense Features Supported by the AC6605


The AC6605 implements the local attack defense feature through the blacklist and CPCAR.

Blacklist
A blacklist refers to a group of unauthorized users. You can define the blacklist through ACL
rules. To defend against malicious attacks, the AC6605 adds users with a specific characteristic
into a blacklist by using ACL rules and discards the packets sent from the users in the blacklist.

CPCAR (Control Plane Committed Access Rate)


Switches provide the CPCAR function. With this function, switches limit the rate of protocol
packets sent to the control plane and schedule these packets in queues to ensure security of the
control plane. Switches identify protocol packets based on ACLs and apply the default CIR value
to protocol packets so that a limited number of protocol packets are sent to the control plane.
Security of the control plane is ensured. CPCAR is used to set the rate of sending the classified
packets to the CPU. You can set the committed information rate (CIR) and the committed burst
size (CBS). By setting different CAR rules for different packets, you can reduce the number of
different packets sent to the CPU to prevent CPU overload. CPCAR can also be used to set the
total rate of packets sent to the CPU. When the total rate exceeds the upper limit, the system
discards the packets, preventing CPU overload.

CPCAR Precautions
Switches have a default CIR value for each type of protocol packet. You can adjust CIR values
for certain types of protocol packets based on services and network environment.
NOTE

The CIR values listed in the following tables are for reference only. Adjust CIR values based on services and
network environment to prevent high CPU usage.

- OSPF

When there are a large number of OSPF neighbors and LSAs, OSPF protocol packets are
transmitted at a rate higher than the default CIR rate. This may lead to many problems. For
example, Hello packets are discarded, it takes a long time to establish OSPF neighbor
relationships, or neighbor relationships cannot be established. To avoid the problems, set
an appropriate CIR value to prevent CPU overload. For details, see Table 8-13.

Table 8-13 Recommended CIR values for OSPF packets

| Neighbor Count | LSA Count in Each Area | Number of External Routes | CIR Value (kbit/s) | Average CPU Usage (%) | Memory Usage (%) | OSPF Process Recovery Time (s) |
|---|---|---|---|---|---|---|
| 10 | 1000 | 500 | 544 | 17 | 34 | 15 |
| 10 | 1500 | 500 | 576 | 18 | 34 | 20 |
| 10 | 2000 | 500 | 640 | 20 | 34 | 25 |
| 10 | 2500 | 500 | 672 | 21 | 35 | 40 |
| 20 | 1000 | 500 | 640 | 23 | 34 | 50 |
| 20 | 1500 | 500 | 768 | 24 | 34 | 60 |
| 20 | 2000 | 500 | 960 | 30 | 35 | 90 |
| 30 | 1000 | 500 | 1024 | 21 | 34 | 50 |
| 30 | 1500 | 500 | 1152 | 35 | 35 | 90 |
| 30 | 2000 | 500 | 1216 | 35 | 35 | 60 |
| 40 | 1000 | 500 | 1152 | 24 | 34 | 60 |
| 40 | 1500 | 500 | 1216 | 39 | 35 | 60 |
| 40 | 2000 | 500 | 1344 | 47 | 35 | 90 |
| 50 | 1000 | 500 | 1536 | 39 | 35 | 60 |
| 50 | 1500 | 500 | 1600 | 59 | 35 | 90 |
| 50 | 2000 | 500 | 1664 | 56 | 35 | 90 |

If the OSPF neighbor count and LSA count are not listed in the table, refer to the values
higher than the OSPF neighbor count and LSA count. For example, the number of OSPF
neighbors is 20, and the estimated LSAs in each area is 1800. A CIR value of 960 kbit/s is
recommended (neighbor count: 20, LSA count in each area: 2000).
- ARP Request and ARP Reply

When switches need to learn a lot of ARP entries, the default CIR value for ARP packets
cannot meet requirements for sending ARP packets, causing ARP entries to be learned
slowly. When a large number of ARP entries exist and these entries are aged out
simultaneously, the default CIR value for ARP Reply packets cannot meet requirements
for sending ARP Reply packets. This may lead to the loss of ARP Reply packets and
deletion of some ARP entries because their aging time cannot be updated. To avoid the
problems, run the display arp statistics all command to check statistics on ARP entries
and adjust CIR values for ARP Request and ARP Reply packets based on the ARP entry
quantity. For details, see Table 8-14.

Table 8-14 Recommended CIR values for ARP Request and ARP Reply packets

| Number of ARP Entries | Recommended CIR (kbit/s) |
|---|---|
| <1k | 128 |
| 1k to 3k | 256 |
| 3k to 4k | 512 |
| 4k to 5k | 768 |

- IGMP and PIM (IPv4)

Multicast protocol packets include IGMP packets and PIM (IPv4) packets. When switches
have a large number of multicast groups, the default CIR value cannot meet requirements
for protocol packet exchange. This may result in the loss of multicast protocol packets and
failure to receive multicast programs. To prevent multicast packets from being discarded,
adjust the CIR value for multicast packets. Set an appropriate CIR value to prevent CPU
overload. For details, see Table 8-15 and Table 8-16.

Table 8-15 Recommended CIR values for Layer 2 multicast protocol packets

| Packet Type | Number of Multicast Groups | Recommended CIR (kbit/s) |
|---|---|---|
| IGMP | 250 | 128 |
| IGMP | 500 | 256 |
| IGMP | >1000 | 512 |

Table 8-16 Recommended CIR values for Layer 3 multicast protocol packets

| Packet Type | Number of Multicast Groups | Recommended CIR (kbit/s) |
|---|---|---|
| IGMP | 250 | 128 |
| IGMP | 500 | 256 |
| IGMP | >1000 | 512 |
| PIM (IPv4) | 500 | 128 |
| PIM (IPv4) | 1000 | 256 |
| PIM (IPv4) | 2000 | 512 |
| PIM (IPv4) | >3000 | 768 |

8.7.3 Configuring an Attack Defense Policy


This section describes how to configure an attack defense policy.

Establishing the Configuration Task


Before configuring an attack defense policy, familiarize yourself with the applicable
environment, complete the pre-configuration tasks, and obtain the data required for the
configuration. This will help you complete the configuration task quickly and accurately.

Applicable Environment
When a large number of users access the AC6605, the CPU of the AC6605 may be attacked by
the packets sent by attackers or the CPU needs to process a large number of packets.

Pre-configuration Tasks
Before configuring an attack defense policy, complete the following tasks.
- Connecting interfaces and setting the physical parameters of each interface to ensure that
the physical layer is in Up state

Data Preparation
To configure an attack defense policy, you need the following data.
| No. | Data |
|-----|------|
| 1 | Name and description of the attack defense policy |
| 2 | Number and rules of the ACL for blacklist users |
| 3 | CIR and CBS of the packets sent to the CPU |

Creating an Attack Defense Policy


You can create an attack defense policy by name.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
cpu-defend policy policy-name

An attack defense policy is created and the attack defense policy view is displayed.
The AC6605 supports up to 13 attack defense policies. Attack defense policy default is
automatically generated in the system by default and is applied to all devices. Attack defense
policy default cannot be deleted and its parameters cannot be modified. The other 12 policies
can be created and deleted.
Step 3 (Optional) Run:
description text

The description of the attack defense policy is set.


----End

Configuring the Blacklist


A blacklist is a set of unauthorized users. The packets that match ACL rules bound to the blacklist
are discarded.

Context
You can create a blacklist and add users matching bound ACL rules to the blacklist. The packets
sent from the users in the blacklist are discarded by default. The AC6605 supports flexible setting
of the blacklist through ACLs.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
cpu-defend policy policy-name

The attack defense policy view is displayed.


Step 3 Run:
blacklist blacklist-id acl acl-number

A customized blacklist is created.


A maximum of 8 blacklists can be configured on the AC6605.
The ACL used by the blacklist can be a basic ACL, an advanced ACL, or a layer 2 ACL. For
details about the configuration procedure, see 8.9.3 Configuring an ACL.
By default, no blacklist is configured on the AC6605.
----End

(Optional) Configuring the Rule for Sending Packets to the CPU


The rule for sending packets to the CPU can be car or deny. The linkup-car rule can be
configured only for packets of BGP, FTP, and OSPF connections sent to the CPU.

Context
NOTE

The rule applied to the same packet sent to the CPU can be car or deny. If both car and deny are set, the
rule that was configured later takes effect.
After FTP, BGP and OSPF connections are set up, if the CIR and CBS of linkup-car are not set, the default
CIR and CBS are used for sending packets of FTP, BGP and OSPF connections.
You are advised to use the default CAR value on the AC6605.
The priorities of application layer association, rate limit for protocol packets (limit for the number of packets
sent to the CPU and limit for the number of bytes sent to the CPU), rate limit for all the packets on an
interface, and rate limit for packets in queues are as follows:
- The rate limit defined by application layer association has the highest priority.
- The rate limit for protocol packets has the second highest priority. If the rate limit for the number
of packets sent to the CPU and the rate limit for the number of bytes sent to the CPU are set, the smaller
value takes effect.
- The rate limit for packets in queues has the second lowest priority.
- The rate limit for all the packets on an interface has the lowest priority.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 (Optional) Run:
cpu-defend application-apperceive [ bgp | ftp | tftp | ospf ] enable

The application-layer protocol apperception is enabled.


Step 3 Run:
cpu-defend policy policy-name

The attack defense policy view is displayed.


Step 4 Run:
linkup-car packet-type { bgp | ftp | ospf } cir cir-value [ cbs cbs-value ]

The rate limit for BGP, FTP, or OSPF packets is set.
Step 5 Run:
car packet-type packet-type cir cir-value [ cbs cbs-value ]

The rate limit for packets sent to the CPU is set.


Step 6 Run:
deny packet-type packet-type

The action taken for the packets sent to the CPU is set to deny.
By default, the AC6605 limits the rate of packets sent to the CPU. On the AC6605, you can use
the display cpu-defend configuration command to view the rate limit configuration for packets
sent to the CPU. If no attack defense policy is applied to the AC6605, the display cpu-defend
configuration command displays the default rate limit.
Step 7 Run:
quit

Return to the system view.


----End

Applying the Attack Defense Policy


After an attack defense policy is created, you must apply the attack defense policy in the system
view. Otherwise, the attack defense policy does not take effect.

Context
When the AC6605 is stacked, the attack defense policy is applied to all switches in a stack.

Procedure
- Applying the attack defense policy in the system view
  1. Run:
     system-view

     The system view is displayed.
  2. Run:
     cpu-defend-policy policy-name global

     An attack defense policy is applied.


----End

Checking the Configuration


This section describes how to check the configuration of the attack defense policy.

Procedure
- Run the display cpu-defend policy [ policy-name ] command to display information about
the attack defense policy.
- Run the display cpu-defend statistics [ packet-type packet-type ] [ all | slot slot-id ]
command to display statistics on packets sent to the CPU.
- Run the display cpu-defend configuration [ packet-type packet-type ] [ all | slot slot-id ]
command to display the CAR configurations of packets sent to the CPU.

----End

8.7.4 Configuring Attack Source Tracing


The attack source tracing technology analyzes the influence of packets on the CPU and notifies
users through logs or alarms for possible attack packets.

Establishing the Configuration Task


Before configuring attack source tracing, familiarize yourself with the applicable environment,
complete the pre-configuration tasks, and obtain the data required for the configuration. This
will help you complete the configuration task quickly and accurately.

Applicable Environment
A large number of attack packets may attack the CPUs of devices on the network. The attack
source tracing technology analyzes the influence of packets on the CPU and notifies users
through logs or alarms for possible attack packets.

Pre-configuration Tasks
Before configuring attack source tracing, complete the following task.
- Connecting interfaces and setting the physical parameters of each interface to ensure that
the physical layer is in Up state

Data Preparation
To configure attack source tracing, you need the following data.

| No. | Data |
|-----|------|
| 1 | Name and description of the attack defense policy |
| 2 | Rate for checking the received IP packets |
| 3 | Alarm threshold of attack source tracing |

Creating an Attack Defense Policy


You can create an attack defense policy by name.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
cpu-defend policy policy-name

An attack defense policy is created and the attack defense policy view is displayed.
The AC6605 supports up to 13 attack defense policies. Attack defense policy default is
automatically generated in the system by default and is applied to all devices. Attack defense
policy default cannot be deleted and its parameters cannot be modified. The other 12 policies
can be created and deleted.
Step 3 (Optional) Run:
description text

The description of the attack defense policy is set.


----End

Configuring Attack Source Tracing


Configuring attack source tracing involves the configuration of automatic attack source tracing
and the alarm function of attack source tracing.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
cpu-defend policy policy-name

The attack defense policy view is displayed.


Step 3 Run:
auto-defend enable

Automatic attack source tracing is enabled.


By default, automatic attack source tracing is disabled.
Step 4 Run:
auto-defend threshold threshold

The threshold of attack source tracing is set.


By default, the threshold of attack source tracing is 128 pps.

Step 5 (Optional) Run:
auto-defend alarm enable

The alarm function of attack source tracing is enabled.


By default, the alarm function of attack source tracing is disabled.
Step 6 Run:
auto-defend alarm threshold threshold

The alarm threshold for attack source tracing is set.


By default, the alarm threshold for attack source tracing is 128 pps.
----End

(Optional) Setting the Attack Source Tracing Mode


The AC6605 provides multiple attack source tracing modes. You can specify the mode by using
commands.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
cpu-defend policy policy-name
The attack defense policy view is displayed.

Step 3 Run:
auto-defend enable

Automatic attack source tracing is enabled.


By default, automatic attack source tracing is disabled.
Step 4 (Optional) Run:
auto-defend trace-type { source-mac | source-ip | source-portvlan } *

The attack source tracing type is configured.


By default, the AC6605 traces attack sources based on source MAC addresses, source IP
addresses, and source ports+VLANs.
----End

(Optional) Specifying Protocol Types Supporting Source Tracing


You can enable source tracing for the packets of certain protocols.

Procedure
Step 1 Run:
system-view


The system view is displayed.


Step 2 Run:
cpu-defend policy policy-name

The attack defense policy view is displayed.


Step 3 Run:
auto-defend enable

Automatic attack source tracing is enabled.


By default, automatic attack source tracing is disabled.
Step 4 (Optional) Run:
auto-defend protocol { { arp | icmp | dhcp | igmp | ttl-expired | tcp | telnet } *
| all }

The protocol types supporting source tracing are specified.


By default, the AC6605 traces the sources of ARP, ICMP, DHCP, IGMP, TCP, and Telnet
packets and the packets with TTL 1.
----End

(Optional) Configuring the Auto-Defend Function for Source Tracing


After finding the attack source, the AC6605 takes measures to defend against the attack. These
measures can be configured by commands.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
cpu-defend policy policy-name
The attack defense policy view is displayed.

Step 3 Run:
auto-defend enable

Automatic attack source tracing is enabled.


By default, automatic attack source tracing is disabled. The timer is 300s.
Step 4 (Optional) Run:
auto-defend action [ deny timer second | error-down ]

The AC6605 discards packets sent from an attack source or shuts down the interface that receives
attack packets.
By default, the auto-defend function is disabled.
----End
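The attack source tracing procedures of 8.7.4, as an added Python model (not Huawei code): packets of the traced protocols are counted per trace type within a one-second window, a source above the threshold (default 128 pps) is recorded as an attack source, an alarm is raised above the alarm threshold, and the deny timer or error-down action is applied. The fixed window, the key used for each trace type, and the sample packets are constructed assumptions.

```python
"""Model of attack source tracing ('auto-defend') as described above (added
example, not Huawei code). Packets of the traced protocols that reach the CPU
are counted per second for each trace type; a source whose rate exceeds the
threshold is an attack source, an alarm is raised above the alarm threshold,
and the optional action denies the source for 'timer' seconds or error-downs
its interface. Window length, keys and sample packets are assumptions."""
from collections import Counter, defaultdict
from dataclasses import dataclass, field
from typing import Any, Dict, List, Optional, Set, Tuple

DEFAULT_PROTOCOLS = frozenset(
    {"arp", "icmp", "dhcp", "igmp", "ttl-expired", "tcp", "telnet"})
DEFAULT_TRACE_TYPES = ("source-mac", "source-ip", "source-portvlan")


@dataclass(frozen=True)
class CpuPacket:
    protocol: str
    src_mac: str
    src_ip: str
    interface: str
    vlan: int


@dataclass
class AutoDefend:
    threshold: int = 128                     # auto-defend threshold (pps)
    alarm_enable: bool = False               # auto-defend alarm enable
    alarm_threshold: int = 128               # auto-defend alarm threshold (pps)
    trace_types: Tuple[str, ...] = DEFAULT_TRACE_TYPES
    protocols: frozenset = DEFAULT_PROTOCOLS
    action: Optional[str] = None             # None, "deny" or "error-down"
    deny_timer: float = 300.0                # "deny timer" in seconds
    counts: Dict[str, Counter] = field(default_factory=lambda: defaultdict(Counter))
    iface_of: Dict[Tuple[str, Any], str] = field(default_factory=dict)
    denied_until: Dict[Tuple[str, Any], float] = field(default_factory=dict)
    downed: Set[str] = field(default_factory=set)
    attack_sources: List[Tuple[str, Any]] = field(default_factory=list)
    alarms: List[str] = field(default_factory=list)

    @staticmethod
    def _key(trace_type: str, pkt: CpuPacket) -> Any:
        if trace_type == "source-mac":
            return pkt.src_mac
        if trace_type == "source-ip":
            return pkt.src_ip
        return (pkt.interface, pkt.vlan)    # source-portvlan

    def observe(self, pkt: CpuPacket, now: float) -> bool:
        """Return True if the packet is handed to the CPU, False if it is dropped."""
        if pkt.interface in self.downed:
            return False
        for t in self.trace_types:
            until = self.denied_until.get((t, self._key(t, pkt)))
            if until is not None and now < until:
                return False
        if pkt.protocol in self.protocols:   # only traced protocols are counted
            for t in self.trace_types:
                key = self._key(t, pkt)
                self.counts[t][key] += 1
                self.iface_of[(t, key)] = pkt.interface
        return True

    def end_of_second(self, now: float) -> List[Tuple[str, Any]]:
        """Close the one-second window: record attack sources, alarm, apply action."""
        found: List[Tuple[str, Any]] = []
        for t, counter in self.counts.items():
            for key, pps in counter.items():
                if pps <= self.threshold:
                    continue
                found.append((t, key))
                if self.alarm_enable and pps > self.alarm_threshold:
                    self.alarms.append(f"{t} {key}: {pps} pps")
                if self.action == "deny":
                    self.denied_until[(t, key)] = now + self.deny_timer
                elif self.action == "error-down":
                    self.downed.add(self.iface_of[(t, key)])
        self.attack_sources.extend(found)
        self.counts.clear()
        return found


# Constructed traffic: one host floods ARP at 200 pps, one is a normal 50 pps client.
ATTACKER = CpuPacket("arp", "0002-0002-0002", "10.0.0.2", "GE0/0/2", 10)
NORMAL = CpuPacket("arp", "0001-0001-0001", "10.0.0.1", "GE0/0/1", 10)
UNTRACED = CpuPacket("ospf", "0003-0003-0003", "10.0.0.3", "GE0/0/3", 10)


def simulate(action: Optional[str]) -> AutoDefend:
    """Run one second of the constructed traffic through a policy with 'action'."""
    ad = AutoDefend(alarm_enable=True, action=action)
    for _ in range(200):
        ad.observe(ATTACKER, 0.5)
    for _ in range(50):
        ad.observe(NORMAL, 0.5)
    for _ in range(500):
        ad.observe(UNTRACED, 0.5)          # OSPF is not in the default protocol list
    ad.end_of_second(1.0)
    return ad
```

After simulate("deny"), observe(ATTACKER, 1.5) returns False and observe(ATTACKER, 301.5) returns True again, which is the deny timer of 300 s expiring.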

Applying the Attack Defense Policy


After an attack defense policy is created, you must apply the attack defense policy in the system
view. Otherwise, the attack defense policy does not take effect.

Context
When the AC6605 is stacked, the attack defense policy is applied to all switches in a stack.

Procedure
- Applying the attack defense policy in the system view
  1. Run:
     system-view

     The system view is displayed.
  2. Run:
     cpu-defend-policy policy-name global

     An attack defense policy is applied.


----End

Checking the Configuration


Procedure
- Run the display cpu-defend policy policy-name command to view the attack defense
policy.
- Run the display auto-defend attack-source [ detail ] command to view the list of attack
sources configured globally.

----End

8.7.5 Maintaining the Attack Defense Policy


This section describes how to clear statistics about the attack sources and the packets sent to the
CPU.

Clearing Statistics About Packets Destined for the CPU


Statistics about ARP packets cannot be restored after being cleared.

Procedure
Step 1 Run the reset cpu-defend statistics [ packet-type packet-type ] { all | slot slot-id } command
to clear statistics about packets directing at the CPU.
----End

Clearing Statistics About Attack Sources


Statistics about ARP packets cannot be restored after being cleared.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
reset auto-defend attack-source

The statistics about the attack source are cleared.


Step 3 Run:
reset auto-defend attack-source trace-type { source-mac [ mac-address ] | source-ip [ ip-address ] | source-portvlan [ interface interface-type interface-num vlan-id vlan-id [ cvlan-id vlan-id ] ] }

The statistics about the attack source are cleared based on source MAC addresses, source IP
addresses, and source ports+VLAN IDs.
----End

8.7.6 Configuration Examples


This section provides several configuration examples of the attack defense policy.

Example for Configuring an Attack Defense Policy


This section provides an example of configuring an attack defense policy, including the
configuration of ACL, attack defense policy, the rule for sending packets to the CPU and
application of the attack defense policy.

Networking Requirements
As shown in Figure 8-23, three local user networks net1, net2 and net3 access the Internet
through the Switch. The Switch is connected to a large number of users, and receives many
packets to be sent to the CPU. In this case, the CPU of the Switch may be attacked by packets
directing at the CPU. To protect the CPU and enable the Switch to process services normally,
you need to configure local attack defense.
You need to configure the following attack defense features on the Switch:
- Users on net1 often attack the network and are added to the blacklist. In this manner, they
cannot access the network.
- Set the CAR for sending ARP Request packets to the CPU to prevent attacks of ARP
Request packets.
- Set the CIR for sending FTP packets to the CPU when FTP connections are set up.

Figure 8-23 Networking diagram for configuring the attack defense policy (the Switch has GE 0/0/1 and GE0/0/2, with GE0/0/2 towards the Internet; user networks Net1 1.1.1.0/24, Net2 2.2.2.0/24 and Net3 3.3.3.0/24 access the Internet through the Switch)

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure the ACL and define rules for filtering the packets to be sent to the CPU.
2. Create an attack defense policy and configure the whitelist, blacklist, and user-defined flow.
3. Configure the rule for sending packets to the CPU.
4. Apply the attack defense policy.

Data Preparation
To complete the configuration, you need the following data:
- Name of the attack defense policy
- IDs of the blacklist
- ACL rule and number
- Rate of sending ARP Request packets to the CPU
- Rate limit of sending FTP packets to the CPU when an FTP connection is set up

Procedure
Step 1 Configure the rule for filtering packets to be sent to the CPU.
# Define ACL rules.
<Quidway> system-view
[Quidway] acl number 2001
[Quidway-acl-basic-2001] rule permit source 1.1.1.0 0.0.0.255
[Quidway-acl-basic-2001] quit

Step 2 Create an attack defense policy.


# Create an attack defense policy and configure the blacklist.
[Quidway] cpu-defend policy test1
[Quidway-cpu-defend-policy-test1] blacklist 1 acl 2001


Step 3 Configure the rule for sending packets to the CPU.


# Set the CIR for ARP Request packets.
[Quidway-cpu-defend-policy-test1] car packet-type arp-request cir 128

# Set the CIR for sending FTP packets to the CPU when FTP connections are set up.
[Quidway-cpu-defend-policy-test1] link-car packet-type ftp cir 128
[Quidway-cpu-defend-policy-test1] quit

Step 4 Apply the attack defense policy.


[Quidway] cpu-defend-policy test1 global

Step 5 Verify the configuration.


# View information about the configured attack defense policy.
<Quidway> display cpu-defend policy test1
Related slot : <0>
Configuration :
Blacklist 1 ACL number : 2001
Car packet-type arp-request : CIR(128) CBS(24064)
linkup-car packet-type ftp : CIR(128) CBS(24064)
Car all-packets pps : 500 (default)

# View information about CAR.
<Quidway> display cpu-defend configuration packet-type arp-request
Car Configurations On Slot 0.
----------------------------------------------------------------------
Packet Name      Status     Cir(Kbps)   Cbs(Byte)   Queue   Port-Type
----------------------------------------------------------------------
arp-request      Enabled    128         24064       3       UNI
----------------------------------------------------------------------

----End

Configuration Files
#
acl number 2001
rule 5 permit source 1.1.1.0 0.0.0.255
#
cpu-defend policy test1
blacklist 1 acl 2001
car packet-type arp-request cir 128 cbs 24064
linkup-car packet-type ftp cir 128 cbs 24064
#
cpu-defend-policy test1 global
#
return
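To see what the CIR and CBS values in the display output above mean for the CPU, here is a token-bucket model of that CAR. It is an added example, not Huawei code, and it assumes 1 kbit = 1000 bit, a single bucket of CBS bytes that starts full, and 60-byte ARP requests (a constructed packet size); the 500 pps all-packets limit is not modelled.

```python
"""Token-bucket model of the cpu-defend CAR values in the example above.

Added illustration, not Huawei code.  Assumptions (labelled as such):
  * CIR is in kbit/s with 1 kbit = 1000 bit, so a CIR of N kbit/s refills
    exactly N bits per millisecond (the guide does not state the unit base).
  * CBS is the bucket depth in bytes and the bucket starts full.
  * Single-rate, single-bucket policing: a packet is sent to the CPU only
    if the bucket holds at least its size in tokens; otherwise it is dropped.
Times are integer milliseconds and tokens are integer bits, so the
arithmetic is exact.
"""
from typing import Iterable, List, Tuple

ARP_REQUEST_BYTES = 60  # constructed: a minimum-size Ethernet ARP request


class Car:
    """Committed access rate policer for one packet type."""

    def __init__(self, cir_kbps: int, cbs_bytes: int) -> None:
        self.cir_kbps = cir_kbps
        self.depth_bits = cbs_bytes * 8
        self.tokens_bits = self.depth_bits
        self.last_ms = 0

    def _refill(self, now_ms: int) -> None:
        elapsed = now_ms - self.last_ms
        if elapsed > 0:
            self.tokens_bits = min(self.depth_bits,
                                   self.tokens_bits + elapsed * self.cir_kbps)
            self.last_ms = now_ms

    def offer(self, now_ms: int, size_bytes: int) -> bool:
        """Return True if the packet passes (and consume its tokens)."""
        self._refill(now_ms)
        cost = size_bytes * 8
        if cost <= self.tokens_bits:
            self.tokens_bits -= cost
            return True
        return False


def police(car: Car, arrivals: Iterable[Tuple[int, int]]) -> Tuple[int, int]:
    """Run (time_ms, size_bytes) arrivals through the policer; return (passed, dropped)."""
    passed = dropped = 0
    for t_ms, size in sorted(arrivals):
        if car.offer(t_ms, size):
            passed += 1
        else:
            dropped += 1
    return passed, dropped


def burst(count: int, at_ms: int = 0, size: int = ARP_REQUEST_BYTES) -> List[Tuple[int, int]]:
    """Constructed traffic: `count` packets arriving in the same millisecond."""
    return [(at_ms, size)] * count


def flood(pps: int, seconds: int, size: int = ARP_REQUEST_BYTES) -> List[Tuple[int, int]]:
    """Constructed traffic: a steady stream of `pps` packets per second."""
    return [(i * 1000 // pps, size) for i in range(pps * seconds)]


def sustainable_pps(cir_kbps: int, size: int = ARP_REQUEST_BYTES) -> float:
    """Long-run packet rate the CIR lets through once the burst credit is spent."""
    return cir_kbps * 1000 / 8 / size


if __name__ == "__main__":
    # The policy above: car packet-type arp-request cir 128, CBS 24064 per the display output.
    print("sustainable ARP-request rate: %.1f pps" % sustainable_pps(128))
    print("1000-packet burst:", police(Car(128, 24064), burst(1000)))
    print("1000 pps for 2 s:  ", police(Car(128, 24064), flood(1000, 2)))
```

With these values a 1000-packet burst gets 401 packets through on the CBS credit alone, and a sustained 1000 pps flood settles to roughly 267 pps, so the CPU never sees more than the CIR allows.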

8.8 Traffic Suppression Configuration


This chapter describes configuration procedures for traffic suppression and provides
configuration examples.

8.8.1 Introduction to Traffic Suppression


This section describes the traffic suppression function.
Broadcast packets, multicast packets, and unknown unicast packets entering the AC6605 are
forwarded on all interfaces in a VLAN. These three types of packets consume a great deal of
bandwidth, reduce the bandwidth available to the system, and degrade its forwarding and processing
capabilities.
The traffic suppression function limits the traffic entering the interface, and protects the
AC6605 against the three types of traffic. It also guarantees available bandwidth and processing
capabilities of the AC6605 when the traffic is heavy.

8.8.2 Traffic Suppression Features Supported by the AC6605


This section describes the traffic suppression features supported by the AC6605.
The traffic suppression function can be configured on VLAN and Ethernet interfaces of the
AC6605.
The AC6605 can suppress the broadcast, multicast, and unicast traffic, and restrict broadcast
storms.

8.8.3 Configuring Traffic Suppression


This section describes how to configure traffic suppression on a specified interface.

Establishing the Configuration Task


Before configuring traffic suppression, complete the pre-configuration tasks, and obtain the data
required for the configuration. This will help you complete the configuration task quickly and
accurately.

Applicable Environment
To limit the rate of incoming broadcast, multicast, and unknown unicast packets on an interface
and protect the device against traffic attacks, you can configure traffic suppression on the
interface.

Pre-configuration Tasks
None

Data Preparation
To configure traffic suppression, you need the following data.

No.  Data
1    Type and number of the interface where traffic suppression needs to be configured
2    Type of traffic (broadcast, multicast, or unknown unicast traffic) that needs to be suppressed
3    Mode in which traffic is suppressed (packet rate, or rate percentage on a physical interface)
4    Limited rate, including the packet rate or bandwidth percentage

Configuring Traffic Suppression on an Interface


Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
interface interface-type interface-number

The interface view is displayed.


Step 3 Run:
{ broadcast-suppression | multicast-suppression | unicast-suppression } { percent-value | packets packets-per-second }

Traffic suppression is configured.


Traffic suppression for three types of traffic can be configured on an interface of the AC6605.
Select one of the following traffic suppression modes for the traffic on an interface:
l To configure traffic suppression based on the packet rate, you must select the packets
parameter.
l To configure traffic suppression based on the bandwidth percentage, set the percent-value
parameter.
NOTE

l If traffic suppression has been configured for a type of traffic on an interface and is configured
again for the same type of traffic at a different rate, the latest configuration overrides the previous
one.

----End

(Optional) Enabling the Function of Defense Against Attacks of ICMP Packets on an Interface
You can set the threshold of ICMP packets to defend against attacks of ICMP packets on an
interface.

Context
On a network, ICMP packets are often used to attack devices. If a large number of ICMP request
packets are broadcast on the user side, they are all sent to the CPU for processing, CPU usage
becomes very high, and other services can no longer be processed normally.
The function of defense against attacks of ICMP packets on an interface is added on the S-switch.
To make suppression of ICMP packets take effect, disable the fast ICMP reply function.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
icmp rate-limit enable

Rate limit on ICMP packets is enabled on an interface.


By default, rate limit on ICMP packets is enabled on an interface.
Step 3 Run:
icmp rate-limit { total | interface interface-type interface-number [ to interface-number ] } threshold threshold-value

The rate threshold of ICMP packets is set on an interface.


By default, the rate threshold of ICMP packets is 100 pps on an interface or globally.
----End

Checking the Configuration


Prerequisites
The traffic suppression configurations are complete.

Procedure
l Run the display flow-suppression interface interface-type interface-number command to
check the traffic suppression configuration.

----End

Example
Run the display flow-suppression interface interface-type interface-number command to view
the traffic suppression configuration on a specified interface.
<Quidway> display flow-suppression interface gigabitethernet 0/0/1
storm type        rate mode     set rate value
-------------------------------------------------------------------------------
unknown-unicast   percent       percent: 80%
multicast         percent       percent: 80%
broadcast         percent       percent: 80%
-------------------------------------------------------------------------------

8.8.4 Configuration Examples


This section provides several configuration examples of traffic suppression.

Example for Configuring Traffic Suppression



Networking Requirements
As shown in Figure 8-24, the Switch is connected to the Layer 2 network and Layer 3 router.
To limit the number of broadcast, multicast, or unknown unicast packets forwarded on the Layer
2 network, you can configure traffic suppression on GE 0/0/1.
Figure 8-24 Networking diagram for configuring traffic suppression
[Figure: Switch; GE0/0/1 toward the L2 network, GE0/0/2 toward the L3 network]

Configuration Roadmap
Configure traffic suppression in the interface view of GE 0/0/1.

Data Preparation
To complete the configuration, you need the following data:
l GE 0/0/1 where traffic suppression is configured
l Traffic suppression for broadcast, unknown unicast and multicast packets based on the rate
percentage
l Maximum rate of broadcast, unknown unicast and multicast packets being 80 percent of
the interface rate after traffic suppression is configured

Procedure
Step 1 Enter the interface view.
<Quidway> system-view
[Quidway] interface gigabitethernet 0/0/1

Step 2 Configure traffic suppression for broadcast packets.


[Quidway-GigabitEthernet0/0/1] broadcast-suppression 80

Step 3 Configure traffic suppression for multicast packets.


[Quidway-GigabitEthernet0/0/1] multicast-suppression 80

Step 4 Configure traffic suppression for unknown unicast packets.


[Quidway-GigabitEthernet0/0/1] unicast-suppression 80

Step 5 Verify the configuration.


Run the display flow-suppression interface command. You can see the configuration of traffic
suppression on GE 0/0/1.
<Quidway> display flow-suppression interface gigabitethernet 0/0/1
storm type        rate mode     set rate value
-------------------------------------------------------------------------------
unknown-unicast   percent       percent: 80%
multicast         percent       percent: 80%
broadcast         percent       percent: 80%
-------------------------------------------------------------------------------

----End

Configuration Files
#
sysname Quidway
#
interface gigabitethernet0/0/1
unicast-suppression 80
multicast-suppression 80
broadcast-suppression 80
#
return

8.9 ACL Configuration


The ACL classifies packets according to its rules. After these rules are applied to the interfaces
on the AC6605, the AC6605 can determine which packets to accept and which to reject.

8.9.1 ACL Overview


This section describes the basic concept of ACLs.
An ACL is composed of a list of rules. Each rule contains a permit or deny clause. These rules
use information in packets to classify the packets. After these rules are applied to the AC6605,
the AC6605 determines which packets to accept and which to reject.

8.9.2 ACL Features Supported by the AC6605


This section describes the ACL features supported by the AC6605.

ACL Classification
The AC6605 supports basic ACLs, Layer 2 ACLs and advanced ACLs for IPv4 packets.
l Basic ACL: matches packets based on information such as source IP addresses, fragment
flags, and time ranges.
l Advanced ACL: matches packets based on information such as source and destination IP
addresses, source and destination port numbers, packet priorities, and time ranges.
l Layer 2 ACL: matches packets based on Layer 2 information in packets, such as source
and destination MAC addresses, and Layer 2 protocol types.

Application of ACLs
ACLs defined on the AC6605 can be applied in the following scenarios:
l Hardware-based application: The ACL is sent to the hardware. For example, when QoS is
configured, the ACL is imported to classify packets. Note that when the ACL is imported
by QoS, the packets matching the ACL rule in deny mode are discarded. If the action in
the ACL is set to be in permit mode, the packets matching the ACL are processed by the
AC6605 according to the action defined by the traffic behavior in QoS. For details on the
traffic behavior, see the AC6605 Access Controller Configuration Guide - QoS.
l Software-based application: When the ACL is imported by the upper-layer software, for
example, when login user control is configured, you can use the ACL to control FTP, Telnet
and SSH users. When the AC6605 functions as a TFTP client, you can configure an ACL to
specify the TFTP servers that the AC6605 can access through TFTP.
When the ACL is imported by the upper-layer software, the packets matching the ACL are
processed by the AC6605 according to the deny or permit action defined in the ACL. For
details on login user control, see the AC6605 Access Controller Configuration Guide - Basic Configurations.
NOTE

l When the ACL is sent to the hardware and is imported by QoS to classify packets, the AC6605 does
not process packets not matching the ACL rule according to the action defined in the traffic behavior.
l When the ACL is imported by the upper-layer software and is used to control FTP, Telnet, or SSH
login users, the AC6605 discards the packets that do not match the ACL rule.

8.9.3 Configuring an ACL


This section describes how to create an ACL, set the time range, configure the description of an
ACL, and set the step of an ACL.

Establishing the Configuration Task


Before configuring an ACL, familiarize yourself with the applicable environment, complete the
pre-configuration tasks, and obtain the data required for the configuration. This will help you
complete the configuration task quickly and accurately.

Applicable Environment
ACLs can be used in multiple services, such as routing policies and packet filtering, to distinguish
the types of packets and process them accordingly.

Pre-configuration Tasks
None.

Data Preparation
To configure an ACL, you need the following data.

No.  Data
1    Number or name of the ACL
2    Name of the time range when the ACL takes effect, start time, and end time
3    Description of the ACL
4    Number of the ACL rule and the rule that identifies the type of packets, including
     protocol, source address, source port, destination address, destination port, the type
     and code of Internet Control Message Protocol (ICMP), IP precedence, and Type of
     Service (ToS) value
5    Step of the ACL

Creating an ACL
You can create an ACL based on the number or name.

Context
An ACL is composed of multiple lists of rules containing permit or deny clauses. Before
creating an ACL rule, you need to create an ACL.
To create an ACL, you need to specify the following parameters:
l When creating an ACL based on the number, you need to specify the ACL number. The
ACL number specifies the type of an ACL. For example, an ACL with a number from 2000
to 2999 is a basic ACL, and an ACL with a number from 3000 to 3999 is an advanced ACL.
l When creating an ACL based on the name, you need to specify the ACL name. You can
also specify the number or type of a named ACL. If the number of a named ACL is not specified,
the system automatically allocates a number to the named ACL.

Procedure
l Creating an ACL based on the number
  1. Run:
     system-view

     The system view is displayed.
  2. Run:
     acl [ number ] acl-number

     An ACL with the specified number is created.

     The value of a basic ACL ranges from 2000 to 2999.
     The value of an advanced ACL ranges from 3000 to 3999.
     The value of a Layer 2 ACL ranges from 4000 to 4999.
l Creating an ACL based on the name
  1. Run:
     system-view

     The system view is displayed.
  2. Run:
     acl name acl-name [ advance | basic | link | user | acl-number ]

     An ACL with the specified name is created.

     If the number of a named ACL is not specified, the AC6605 automatically allocates
     a number to the named ACL. The following situations are involved:
     - If the type of a named ACL is specified, the number allocated by the AC6605 is the
       maximum value of the number range for that ACL type.
     - If neither the number nor the type of a named ACL is specified, the AC6605 treats
       the named ACL as an advanced ACL and allocates 3999 to it.
     The AC6605 never allocates the same number to a named ACL twice.
----End

(Optional) Setting the Time Range


When a time range is specified for an ACL, the ACL takes effect only in this time range. If no
time range is specified for the ACL, the ACL remains effective until it is deleted or the rules of
the ACL are deleted.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
time-range time-range-name { starting-time to ending-time days | from time1 date1
[ to time2 date2 ] }

A time range is set.


You can set the same name for multiple time ranges to describe a special period. For example,
three time ranges are set with the same name test:
l Time range 1: 2009-01-01 00:00 to 2009-12-31 23:59, a definite time range
l Time range 2: 8:00-18:00 on Monday to Friday, a periodic time range
l Time range 3: 14:00-18:00 on Saturday and Sunday, a periodic time range
The time range test includes 8:00-18:00 on Monday to Friday and 14:00-18:00 on Saturday and
Sunday in the year 2009.
----End

(Optional) Configuring the Description of an ACL


You can configure the description of an ACL to describe the function of an ACL.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
acl acl-number

Or, run:
acl name acl-name

The ACL view is displayed.


Step 3 Run:
description description

The description of the ACL is configured.


The description of an ACL is a string of up to 127 characters, describing the usage of the ACL.
By default, no description is configured for an ACL.
----End

Configuring a Basic ACL


Basic ACLs can classify data packets based on the source IP address.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
acl [ number ] acl-number

A basic ACL is created based on the number.


Or, run:
acl name acl-name [ basic | acl-number ]

A basic ACL is created based on the name.


The value of a basic ACL ranges from 2000 to 2999.
Step 3 Run:
rule [ rule-id ] { deny | permit } [ fragment | logging | source { source-address
source-wildcard | any } | time-range time-name ]*

An ACL rule is created.


----End

Configuring an Advanced ACL


Advanced ACLs can classify data packets based on the source IP address, destination IP address,
source port number, destination port number, and protocol type.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
acl [ number ] acl-number

An advanced ACL is created based on the number.


Or, run:
acl name acl-name [ advance | acl-number ]

An advanced ACL is created based on the name.


The value of an advanced ACL ranges from 3000 to 3999.
Step 3 Run the following command as required:
l When protocol is specified as the Transmission Control Protocol (TCP), run:
rule [ rule-id ] { deny | permit } { protocol-number | tcp } [ destination
{ destination-address destination-wildcard | any } | destination-port { eq | gt
| lt | range port-start } port | dscp dscp | fragment | logging | precedence
precedence | source { source-address source-wildcard | any } | source-port { eq
| gt | lt | range port-start } port | tcp-flag { ack | fin | psh | rst | syn |
urg }* | time-range time-name | tos tos | ttl-expired ]*

An ACL rule is created.


l When protocol is specified as the User Datagram Protocol (UDP), run:
rule [ rule-id ] { deny | permit } { protocol-number | udp } [ destination
{ destination-address destination-wildcard | any } | destination-port { eq | gt
| lt | range port-start } port | dscp dscp | fragment | logging | precedence
precedence | source { source-address source-wildcard | any } | source-port { eq
| gt | lt | range port-start } port | time-range time-name | tos tos | ttl-expired ]*

An ACL rule is created.


l When protocol is specified as ICMP, run:
rule [ rule-id ] { deny | permit } { protocol-number | icmp } [ destination
{ destination-address destination-wildcard | any } | dscp dscp | fragment |
logging | icmp-type { icmp-name | icmp-type icmp-code } | precedence precedence
| source { source-address source-wildcard | any } | time-range time-name | tos
tos | ttl-expired ]*

An ACL rule is created.


l When protocol is specified as another protocol rather than TCP, UDP, or ICMP, run:
rule [ rule-id ] { deny | permit } { protocol-number | gre | igmp | ip | ipinip
| ospf } [ destination { destination-address destination-wildcard | any } |
dscp dscp | fragment | logging | precedence precedence | source { source-address
source-wildcard | any } | time-range time-name | tos tos | ttl-expired ]*

An ACL rule is created.


You can configure different advanced ACLs on the AC6605 according to the protocol carried
by IP. Different parameter combinations are available for different protocol types.
NOTE

l dscp dscp and precedence precedence cannot be specified simultaneously.
l dscp dscp and tos tos cannot be specified simultaneously.

----End

Configuring a Layer 2 ACL


Layer 2 ACLs can classify data packets based on the link layer information including the source
MAC address, source VLAN ID, Layer 2 protocol type, and destination MAC address.
Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
acl [ number ] acl-number

A Layer 2 ACL is created based on the number.


Or, run:
acl name acl-name [ link | acl-number ]

A Layer 2 ACL is created based on the name.


The value of a Layer 2 ACL ranges from 4000 to 4999.
Step 3 Run:
rule [ rule-id ] { permit | deny } [ { ether-ii | 802.3 | snap } | l2-protocol type-value [ type-mask ] | destination-mac dest-mac-address [ dest-mac-mask ] | source-mac source-mac-address [ source-mac-mask ] | vlan-id vlan-id [ vlan-id-mask ] |
8021p 802.1p-value ] * [ time-range time-range-name ]

An ACL rule is created.


----End

(Optional) Setting the Step Between ACL Rules


The AC6605 can automatically allocate numbers to ACL rules according to the step between ACL
rules.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
acl acl-number

Or, run:
acl name acl-name

The ACL view is displayed.


Step 3 Run:
step step-value

The step between ACL rules is set.


When changing ACL configurations, pay attention to the following points:
l The undo step command restores the default step of an ACL and re-arranges the numbers of
ACL rules.
l By default, the value of step-value is 5.


----End

Checking the Configuration


Prerequisites
The ACL configurations are complete.

Procedure
l Run the display acl { acl-number | all } command to check the ACL rule based on the
number.
l Run the display acl name acl-name command to check the ACL rule based on the name.
l Run the display time-range { all | time-name } command to check the time range.
l Run the display acl resource [ slot slot-id ] command to check information about ACL
resources.

----End

8.9.4 Maintaining an ACL


This section describes how to maintain an ACL.

Clearing Statistics About an ACL


You can clear the ACL statistics according to the ACL number or ACL name.

Context

CAUTION
Statistics cannot be restored after being cleared. Exercise caution when you run the command.

Procedure
l Run the reset acl counter { acl-number | all } command in the user view to clear counters
of ACL rules.

----End

8.9.5 Configuration Examples


This section provides configuration examples of ACLs.

Example for Configuring a Basic ACL



Networking Requirements
As shown in Figure 8-25, GE 0/0/1 of the Switch is connected to the user, and GE 0/0/2 is
connected to the upstream router. It is required that the Switch does not trust the packets from
user A whose IP address is 10.0.0.2/24.
Figure 8-25 Networking diagram for configuring a basic ACL
[Figure: PC A (IP: 10.0.0.2/24) and PC B connect to GE0/0/1 of the Switch; GE0/0/2 connects to the upstream router]

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure the ACL.
2. Configure the traffic classifier.
3. Configure the traffic behavior.
4. Configure the traffic policy.
5. Apply the traffic policy to an interface.

Data Preparation
To complete the configuration, you need the following data:
l ACL number
l IP address of user A
l Names of the traffic classifier, traffic behavior, and traffic policy
l Interface where the traffic policy is applied

Procedure
Step 1 Configure the traffic classifier that is based on the ACL rules.
# Define the ACL rules.
<Quidway> system-view
[Quidway] acl 2000
[Quidway-acl-basic-2000] rule permit source 10.0.0.2 0.0.0.255
[Quidway-acl-basic-2000] quit

# Configure the traffic classifier and define the ACL rules.


[Quidway] traffic classifier tc1
[Quidway-classifier-tc1] if-match acl 2000
[Quidway-classifier-tc1] quit

Step 2 Configure the traffic behavior.


[Quidway] traffic behavior tb1
[Quidway-behavior-tb1] deny
[Quidway-behavior-tb1] quit

Step 3 Configure the traffic policy.


# Define the traffic policy and associate the traffic classifier and traffic behavior with the traffic
policy.
[Quidway] traffic policy tp1
[Quidway-trafficpolicy-tp1] classifier tc1 behavior tb1
[Quidway-trafficpolicy-tp1] quit

# Apply the traffic policy to GE 0/0/1.


[Quidway] interface gigabitethernet 0/0/1
[Quidway-GigabitEthernet0/0/1] traffic-policy tp1 inbound
[Quidway-GigabitEthernet0/0/1] quit

Step 4 Verify the configuration.


# Check the configuration of the ACL rules.
<Quidway> display acl 2000
Basic ACL 2000, 1 rule
Acl's step is 5
rule 5 permit source 10.0.0.0 0.0.0.255

# Check the configuration of the traffic classifier.


<Quidway> display traffic classifier user-defined
User Defined Classifier Information:
Classifier: tc1
Operator: AND
Rule(s) : if-match acl 2000

# Check the configuration of the traffic policy.


<Quidway> display traffic policy user-defined tp1
User Defined Traffic Policy Information:
Policy: tp1
Classifier: tc1
Operator: AND
Behavior: tb1
Deny

----End

Configuration Files
#
acl number 2000
rule 5 permit source 10.0.0.2 0.0.0.255
#
traffic classifier tc1 operator and
if-match acl 2000
#
traffic behavior tb1
deny
#
traffic policy tp1
classifier tc1 behavior tb1
#
interface GigabitEthernet0/0/1
traffic-policy tp1 inbound
#
return
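The example above, the basic and advanced ACL procedures and the time-range section of 8.9.3 describe how a rule is matched; the following added evaluator (not AC6605 code) models that behaviour so the effect of a wildcard such as 10.0.0.2 0.0.0.255 or of a working-day time range can be checked offline. It assumes first-match-wins in ascending rule-id order, reports "no-match" for packets no rule covers (the guide says that case is decided by the service that imports the ACL), models only the periodic time-range form, and uses the satime range and addresses of the advanced ACL example that follows.

```python
"""Evaluator for the basic and advanced ACL rule semantics described in 8.9.3.

Added illustration, not AC6605 code.  Assumptions (labelled as such):
  * rules are checked in ascending rule-id order and the first match decides;
  * a packet that matches no rule returns "no-match"; what happens to it is
    decided by the service that imports the ACL (see the NOTE in 8.9.2);
  * only the periodic time-range form "HH:MM to HH:MM working-day|daily" is
    modelled, and rule-id auto-numbering follows the documented step (5).
"""
from dataclasses import dataclass, field
from datetime import datetime, time
from ipaddress import IPv4Address
from typing import Dict, List, Optional, Tuple

ANY = ("0.0.0.0", "255.255.255.255")  # wildcard form of the keyword `any`


def acl_type(number: int) -> str:
    """ACL type implied by the number, per section 8.9.3."""
    if 2000 <= number <= 2999:
        return "basic"
    if 3000 <= number <= 3999:
        return "advanced"
    if 4000 <= number <= 4999:
        return "link"
    raise ValueError("ACL number out of range: %d" % number)


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Wildcard mask semantics: a 1 bit in the wildcard means 'do not care'."""
    a, b, w = (int(IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)


@dataclass
class TimeRange:
    """Periodic time range, e.g. `time-range satime 8:00 to 17:30 working-day`."""
    name: str
    start: time
    end: time
    days: str = "daily"  # assumption: only 'daily' and 'working-day' are modelled

    def active(self, at: datetime) -> bool:
        if self.days == "working-day" and at.weekday() > 4:  # Sat=5, Sun=6
            return False
        return self.start <= at.time() <= self.end


@dataclass
class Rule:
    rule_id: int
    action: str                        # "permit" or "deny"
    protocol: Optional[str] = None     # None for a basic ACL; "ip" matches all
    source: Tuple[str, str] = ANY      # (address, wildcard)
    destination: Tuple[str, str] = ANY
    time_range: Optional[str] = None


@dataclass
class Acl:
    number: int
    step: int = 5
    rules: List[Rule] = field(default_factory=list)

    def rule(self, action: str, rule_id: Optional[int] = None, **match) -> Rule:
        """Add a rule; without an explicit id the next multiple of `step` is used."""
        if rule_id is None:
            highest = max((r.rule_id for r in self.rules), default=0)
            rule_id = (highest // self.step + 1) * self.step
        if acl_type(self.number) == "basic" and ("protocol" in match or "destination" in match):
            raise ValueError("a basic ACL matches on the source address only")
        new = Rule(rule_id, action, **match)
        self.rules.append(new)
        return new

    def evaluate(self, src: str, dst: str, proto: str,
                 ranges: Dict[str, TimeRange], at: datetime) -> str:
        """Return the action of the first active matching rule, or 'no-match'."""
        for r in sorted(self.rules, key=lambda r: r.rule_id):
            if r.time_range and not ranges[r.time_range].active(at):
                continue  # the rule is inactive outside its time range
            if r.protocol not in (None, "ip") and r.protocol != proto:
                continue
            if not (wildcard_match(src, *r.source) and wildcard_match(dst, *r.destination)):
                continue
            return r.action
        return "no-match"


def example_acls() -> Tuple[Dict[str, TimeRange], Acl, Acl]:
    """ACL 2000 from the example above and ACL 3002 from the advanced example."""
    ranges = {"satime": TimeRange("satime", time(8, 0), time(17, 30), "working-day")}
    acl2000 = Acl(2000)
    acl2000.rule("permit", source=("10.0.0.2", "0.0.0.255"))
    acl3002 = Acl(3002)
    acl3002.rule("deny", protocol="ip", source=("10.164.2.0", "0.0.0.255"),
                 destination=("10.164.9.9", "0.0.0.0"), time_range="satime")
    return ranges, acl2000, acl3002


if __name__ == "__main__":
    ranges, acl2000, acl3002 = example_acls()
    monday = datetime(2013, 6, 10, 9, 0)  # constructed timestamps
    print("user A:", acl2000.evaluate("10.0.0.2", "1.2.3.4", "ip", ranges, monday))
    print("other host in 10.0.0.0/24:", acl2000.evaluate("10.0.0.77", "1.2.3.4", "ip", ranges, monday))
    print("marketing, Monday 09:00:", acl3002.evaluate("10.164.2.15", "10.164.9.9", "tcp", ranges, monday))
```

Note that the wildcard 0.0.0.255 makes rule 5 of ACL 2000 match every host in 10.0.0.0/24, not only user A, which is also what the `display acl 2000` output above shows.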

Example for Configuring an Advanced ACL


Networking Requirements
As shown in Figure 8-26, the departments of the company are connected through the Switch.
It is required that the IPv4 ACL be configured correctly. The personnel of the R&D department
and marketing department cannot access the salary query server at 10.164.9.9 from 8:00 to 17:30,
whereas the personnel of the president's office can access the server at any time.
Figure 8-26 Networking diagram for configuring IPv4 ACLs
[Figure: Switch; GE0/0/1 to the president's office 10.164.1.0/24, GE0/0/2 to the marketing department 10.164.2.0/24, GE0/0/3 to the R&D department 10.164.3.0/24, GE0/0/4 to the salary query server 10.164.9.9]

Configuration Roadmap
The configuration roadmap is as follows:
1. Assign IP addresses to interfaces.
2. Configure the time range.
3. Configure the ACL.
4. Configure the traffic classifier.
5. Configure the traffic behavior.
6. Configure the traffic policy.
7. Apply the traffic policy to an interface.


Data Preparation
To complete the configuration, you need the following data:
l VLAN that the interface belongs to
l Name of the time range
l ACL ID and rules
l Name of the traffic classifier and classification rules
l Name of the traffic behavior and actions
l Name of the traffic policy, and traffic classifier and traffic behavior associated with the
traffic policy
l Interface that a traffic policy is applied to

Procedure
Step 1 Assign IP addresses to interfaces.
# Add interfaces to the VLAN and assign IP addresses to the VLANIF interfaces.
Add GigabitEthernet 0/0/1, GigabitEthernet 0/0/2, and GigabitEthernet 0/0/3 to VLAN 10,
VLAN 20, and VLAN 30 respectively, and add GigabitEthernet 0/0/4 to VLAN 100. The first
IP address of the network segment is taken as the address of the VLANIF interface. Take
GigabitEthernet 0/0/1 as an example. The configurations of other interfaces are similar to the
configuration of GigabitEthernet 0/0/1, and are not mentioned here.
<Quidway> system-view
[Quidway] vlan batch 10 20 30 100
[Quidway] interface gigabitethernet 0/0/1
[Quidway-GigabitEthernet0/0/1] port link-type access
[Quidway-GigabitEthernet0/0/1] port default vlan 10
[Quidway-GigabitEthernet0/0/1] quit
[Quidway] interface vlanif 10
[Quidway-Vlanif10] ip address 10.164.1.1 255.255.255.0
[Quidway-Vlanif10] quit

Step 2 Configure the time range.


# Configure the time range from 8:00 to 17:30.
<Quidway> system-view
[Quidway] time-range satime 8:00 to 17:30 working-day

Step 3 Configure ACLs.


# Configure the ACL for the personnel of the marketing department to access the salary query
server.
[Quidway] acl 3002
[Quidway-acl-adv-3002] rule deny ip source 10.164.2.0 0.0.0.255 destination
10.164.9.9 0.0.0.0 time-range satime
[Quidway-acl-adv-3002] quit

# Configure the ACL for the personnel of the R&D department to access the salary query server.
[Quidway] acl 3003
[Quidway-acl-adv-3003] rule deny ip source 10.164.3.0 0.0.0.255 destination
10.164.9.9 0.0.0.0 time-range satime
[Quidway-acl-adv-3003] quit

Step 4 Configure ACL-based traffic classifiers.



# Configure the traffic classifier c_market to classify the packets that match ACL 3002.
[Quidway] traffic classifier c_market
[Quidway-classifier-c_market] if-match acl 3002
[Quidway-classifier-c_market] quit

# Configure the traffic classifier c_rd to classify the packets that match ACL 3003.
[Quidway] traffic classifier c_rd
[Quidway-classifier-c_rd] if-match acl 3003
[Quidway-classifier-c_rd] quit

Step 5 Configure traffic behaviors.


# Configure the traffic behavior b_market to reject packets.
[Quidway] traffic behavior b_market
[Quidway-behavior-b_market] deny
[Quidway-behavior-b_market] quit

# Configure the traffic behavior b_rd to reject packets.


[Quidway] traffic behavior b_rd
[Quidway-behavior-b_rd] deny
[Quidway-behavior-b_rd] quit

Step 6 Configure traffic policies.


# Configure the traffic policy p_market and associate the traffic classifier c_market and the
traffic behavior b_market with the traffic policy.
[Quidway] traffic policy p_market
[Quidway-trafficpolicy-p_market] classifier c_market behavior b_market
[Quidway-trafficpolicy-p_market] quit

# Configure the traffic policy p_rd and associate the traffic classifier c_rd and the traffic
behavior b_rd with the traffic policy.
[Quidway] traffic policy p_rd
[Quidway-trafficpolicy-p_rd] classifier c_rd behavior b_rd
[Quidway-trafficpolicy-p_rd] quit

Step 7 Apply the traffic policy.


# Apply the traffic policy p_market to GigabitEthernet 0/0/2.
[Quidway] interface gigabitethernet 0/0/2
[Quidway-GigabitEthernet0/0/2] traffic-policy p_market inbound
[Quidway-GigabitEthernet0/0/2] quit

# Apply the traffic policy p_rd to GigabitEthernet 0/0/3.


[Quidway] interface gigabitethernet 0/0/3
[Quidway-GigabitEthernet0/0/3] traffic-policy p_rd inbound
[Quidway-GigabitEthernet0/0/3] quit

Step 8 Verify the configuration.


# Check the configuration of ACL rules.
<Quidway> display acl all
Total nonempty ACL number is 2
Advanced ACL 3002, 1 rule
Acl's step is 5
rule 5 deny ip source 10.164.2.0 0.0.0.255 destination 10.164.9.9 0 time-range
satime (Inactive)
Advanced ACL 3003, 1 rule


Acl's step is 5
rule 5 deny ip source 10.164.3.0 0.0.0.255 destination 10.164.9.9 0 time-range
satime (Inactive)

# Check the configuration of the traffic classifier.


<Quidway> display traffic classifier user-defined
User Defined Classifier Information:
Classifier: c_market
Operator: AND
Rule(s) : if-match acl 3002
Classifier: c_rd
Operator: AND
Rule(s) : if-match acl 3003

# Check the configuration of the traffic policy.


<Quidway> display traffic policy user-defined
User Defined Traffic Policy Information:
Policy: p_market
Classifier: c_market
Operator: AND
Behavior: b_market
Deny
Policy: p_rd
Classifier: c_rd
Operator: AND
Behavior: b_rd
Deny

----End

Configuration Files
#
sysname Quidway
#
vlan batch 10 20 30 40 100
#
time-range satime 08:00 to 17:30 working-day
#
acl number 3002
rule 5 deny ip source 10.164.2.0 0.0.0.255 destination 10.164.9.9 0 time-range
satime
#
acl number 3003
rule 5 deny ip source 10.164.3.0 0.0.0.255 destination 10.164.9.9 0 time-range
satime
#
traffic classifier c_market operator and
if-match acl 3002
traffic classifier c_rd operator and
if-match acl 3003
#
traffic behavior b_market
deny
traffic behavior b_rd
deny
#
traffic policy p_market
classifier c_market behavior b_market
traffic policy p_rd
classifier c_rd behavior b_rd
#
interface Vlanif10
ip address 10.164.1.1 255.255.255.0


#
interface Vlanif20
ip address 10.164.2.1 255.255.255.0
#
interface Vlanif30
ip address 10.164.3.1 255.255.255.0
#
interface Vlanif100
ip address 10.164.9.1 255.255.255.0
#
interface GigabitEthernet0/0/1
port link-type access
port default vlan 10
#
interface GigabitEthernet0/0/2
port link-type access
port default vlan 20
traffic-policy p_market inbound
#
interface GigabitEthernet0/0/3
port link-type access
port default vlan 30
traffic-policy p_rd inbound
#
interface GigabitEthernet0/0/4
port link-type access
port default vlan 100
#
return

Example for Configuring a Layer 2 ACL


Networking Requirements
As shown in Figure 8-27, the Switch that functions as the gateway is connected to the PC. An ACL is required to prevent packets with the source MAC address 00e0-f201-0101 and the destination MAC address 0260-e207-0002 from passing through.
Figure 8-27 Networking diagram for configuring layer 2 ACLs: Switch (GE0/0/1, GE0/0/2), host 00e0-f201-0101, IP network

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure the ACL.
2. Configure the traffic classifier.
3. Configure the traffic behavior.
4. Configure the traffic policy.
5. Apply the traffic policy to an interface.

Data Preparation
To complete the configuration, you need the following data:
l ACL ID and rules
l Name of the traffic classifier and classification rules
l Name of the traffic behavior and actions
l Name of the traffic policy, and traffic classifier and traffic behavior associated with the traffic policy
l Interface that a traffic policy is applied to

Procedure
Step 1 Configure an ACL.
# Configure the required layer 2 ACL.
[Quidway] acl 4000
[Quidway-acl-L2-4000] rule deny source-mac 00e0-f201-0101 ffff-ffff-ffff
destination-mac 0260-e207-0002 ffff-ffff-ffff
[Quidway-acl-L2-4000] quit

Step 2 Configure the traffic classifier that is based on the ACL.


# Configure the traffic classifier tc1 to classify packets that match ACL 4000.
[Quidway] traffic classifier tc1
[Quidway-classifier-tc1] if-match acl 4000
[Quidway-classifier-tc1] quit

Step 3 Configure the traffic behavior.


# Configure the traffic behavior tb1 to reject packets.
[Quidway] traffic behavior tb1
[Quidway-behavior-tb1] deny
[Quidway-behavior-tb1] quit

Step 4 Configure the traffic policy.


# Configure the traffic policy tp1 and associate tc1 and tb1 with the traffic policy.
[Quidway] traffic policy tp1
[Quidway-trafficpolicy-tp1] classifier tc1 behavior tb1
[Quidway-trafficpolicy-tp1] quit

Step 5 Apply the traffic policy.


# Apply the traffic policy tp1 to GE 0/0/1.
[Quidway] interface gigabitethernet 0/0/1
[Quidway-GigabitEthernet0/0/1] traffic-policy tp1 inbound
[Quidway-GigabitEthernet0/0/1] quit

Step 6 Verify the configuration.


# Check the configuration of ACL rules.

<Quidway> display acl 4000
L2 ACL 4000, 1 rule
Acl's step is 5
rule 5 deny destination-mac 0260-e207-0002 source-mac 00e0-f201-0101

# Check the configuration of the traffic classifier.


<Quidway> display traffic classifier user-defined
User Defined Classifier Information:
Classifier: tc1
Operator: AND
Rule(s) : if-match acl 4000

# Check the configuration of the traffic policy.


<Quidway> display traffic policy user-defined tp1
User Defined Traffic Policy Information:
Policy: tp1
Classifier: tc1
Operator: AND
Behavior: tb1
Deny

----End

Configuration Files
#
sysname Quidway
#
acl number 4000
rule 5 deny destination-mac 0260-e207-0002 source-mac 00e0-f201-0101
#
traffic classifier tc1 operator and
if-match acl 4000
#
traffic behavior tb1
deny
#
traffic policy tp1
classifier tc1 behavior tb1
#
interface GigabitEthernet0/0/1
traffic-policy tp1 inbound
#
return
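Both examples above come down to the same two questions per packet: does the packet match the rule, and is the rule active right now? The Python model below, added here as an illustration (it is not code from the AC6605 or from Huawei), evaluates the page's rules 3002 and 3003 (advanced ACLs with wildcard masks and the satime time range) and rule 4000 (Layer 2 ACL with MAC masks) against constructed packets, and shows why display acl reports a time-range rule as Inactive outside its window. Two assumptions are made and marked in the code: working-day means Monday to Friday, and a packet that no active rule classifies is forwarded normally by the traffic policy.

```python
"""Model of Huawei-style ACL matching for the examples above (added illustration, not AC6605 code)."""
import ipaddress
from datetime import datetime


def parse_when(text: str) -> datetime:
    """Helper for readable timestamps, e.g. '2013-06-12 10:00'."""
    return datetime.strptime(text, "%Y-%m-%d %H:%M")


def ip_wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Wildcard semantics: a 1 bit in the wildcard means 'do not care'.
    0.0.0.255 therefore matches a /24, and 0.0.0.0 is an exact host match."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)


def mac_mask_match(mac: str, base: str, mask: str) -> bool:
    """Layer 2 ACL semantics: a 1 bit in the mask must match; ffff-ffff-ffff is exact."""
    def to_int(m: str) -> int:
        return int(m.replace("-", ""), 16)
    return (to_int(mac) & to_int(mask)) == (to_int(base) & to_int(mask))


def satime_active(when: datetime) -> bool:
    """time-range satime 08:00 to 17:30 working-day.
    Assumption: working-day means Monday to Friday (weekday() 0..4)."""
    if when.weekday() > 4:
        return False
    return "08:00" <= when.strftime("%H:%M") <= "17:30"


# Constructed rule tables mirroring the page's configuration files.
# Advanced ACL: (source, source wildcard, destination, destination wildcard, time-range)
ADVANCED_RULES = {
    3002: ("10.164.2.0", "0.0.0.255", "10.164.9.9", "0.0.0.0", "satime"),  # marketing
    3003: ("10.164.3.0", "0.0.0.255", "10.164.9.9", "0.0.0.0", "satime"),  # R&D
}
# Layer 2 ACL: (source MAC, source mask, destination MAC, destination mask)
L2_RULES = {
    4000: ("00e0-f201-0101", "ffff-ffff-ffff", "0260-e207-0002", "ffff-ffff-ffff"),
}
TIME_RANGES = {"satime": satime_active}


def rule_state(acl_id: int, when: datetime) -> str:
    """What display acl shows beside a time-range rule: Active or Inactive."""
    time_range = ADVANCED_RULES[acl_id][4]
    return "Active" if TIME_RANGES[time_range](when) else "Inactive"


def advanced_acl_action(acl_id: int, src: str, dst: str, when: datetime) -> str:
    """'deny' when the rule matches and its time range is active, otherwise 'permit'.
    Assumption: traffic the policy does not classify is forwarded normally."""
    s_base, s_wc, d_base, d_wc, time_range = ADVANCED_RULES[acl_id]
    if not TIME_RANGES[time_range](when):
        return "permit"  # rule is Inactive outside satime, so nothing is classified
    if ip_wildcard_match(src, s_base, s_wc) and ip_wildcard_match(dst, d_base, d_wc):
        return "deny"
    return "permit"


def l2_acl_action(acl_id: int, src_mac: str, dst_mac: str) -> str:
    """Same evaluation for the Layer 2 rule; no time range applies to ACL 4000."""
    s_base, s_mask, d_base, d_mask = L2_RULES[acl_id]
    if mac_mask_match(src_mac, s_base, s_mask) and mac_mask_match(dst_mac, d_base, d_mask):
        return "deny"
    return "permit"


if __name__ == "__main__":
    office_hours = parse_when("2013-06-12 10:00")  # constructed: a Wednesday morning
    print(advanced_acl_action(3002, "10.164.2.57", "10.164.9.9", office_hours))
    print(rule_state(3002, parse_when("2013-06-15 10:00")))  # Saturday
    print(l2_acl_action(4000, "00e0-f201-0101", "0260-e207-0002"))
```

The point worth taking from the model is the failure mode the verification output hints at: while satime is inactive the rule is not merely dormant, it classifies nothing, so the salary server is reachable from both departments outside working hours unless a second, unconditional rule is added.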

9 Configuration Guide - Reliability

About This Chapter


This chapter describes the configuration of BFD, VRRP, and Ethernet OAM to ensure the reliability of Ethernet services on the AC6605.
It provides the configuration procedures and configuration examples that illustrate the service configuration methods and application scenarios.
9.1 Ethernet OAM Configuration
This chapter describes Ethernet OAM and its configurations, and how to implement link-level
Ethernet OAM detection and network-level Ethernet OAM detection to improve network
reliability.
9.2 BFD Configuration
A BFD session rapidly detects a link fault on a network.
9.3 VRRP Configuration
A VRRP backup group allows a backup to take over network traffic from a master if the master
fails.

9.1 Ethernet OAM Configuration


This chapter describes Ethernet OAM and its configurations, and how to implement link-level
Ethernet OAM detection and network-level Ethernet OAM detection to improve network
reliability.

9.1.1 Introduction to Ethernet OAM


Ethernet OAM can effectively improve management and maintenance capabilities on Ethernet
networks, which ensures the stable network operation. Ethernet OAM is applicable mainly to
Ethernet networks.

Background
The Ethernet has developed as the major Local Area Network (LAN) technology because it
features easy implementation and low cost. Recently, along with the applications of Gigabit
Ethernet and the later 10-Gigabit Ethernet, Ethernet has been extended to the Metropolitan Area
Network (MAN) and Wide Area Network (WAN).
Compared with MANs and WANs, LANs have lower requirements for reliability and stability. Therefore, Ethernet has traditionally lacked a mechanism for network Operations, Administration and Maintenance (OAM). The lack of an OAM mechanism prevents Ethernet from functioning effectively as an Internet Service Provider (ISP) network, so Ethernet OAM is becoming a trend.

Functions
Ethernet OAM has the following functions:
l Fault management
Ethernet OAM can detect network connectivity by sending detection messages regularly or through manual triggering.
Ethernet OAM can locate faults on the Ethernet by using means similar to the Packet Internet Groper (ping) and traceroute tools on IP networks.
Ethernet OAM can work with Automatic Protection Switching (APS) to trigger protection switching when it detects connectivity faults. This keeps service interruption to no more than 50 ms to achieve carrier-class reliability.
l Performance management
Performance management is used to measure the packet loss ratio, delay, and jitter during the transmission of packets. It also collects statistics on various kinds of traffic.
Performance management is implemented at the access point of users. By using the performance management tools, the ISP can monitor the network status and locate faults through the Network Management System (NMS). The ISP checks whether the forwarding capacity of the network complies with the Service Level Agreement (SLA) signed with users.

Ethernet OAM improves network management and maintenance capabilities on the Ethernet
and guarantees a steady network.
9.1.2 Ethernet OAM Supported by the AC6605


This section describes the Ethernet OAM features supported by the AC6605.

EFM OAM
802.3ah, also referred to as Ethernet in the First Mile (EFM), defines the specifications of the
Ethernet physical layer and OAM used for user access. EFM OAM detects the link in the last
mile. EFM OAM is a link-level OAM mechanism. The AC6605 provides the following EFM
OAM functions:
l Peer discovery
When the EFM OAM function is enabled on an interface of the AC6605 and on the peer interface, the two interfaces match their EFM OAM configurations by sending and responding to OAM Protocol Data Units (OAMPDUs). If the EFM OAM configurations on both interfaces match, the two interfaces start the EFM OAM handshake. During the handshake, the two interfaces send OAMPDUs periodically to maintain the neighbor relationship.
l Link monitoring
When an interface detects an errored frame event, an errored code event, or an errored frame seconds event, the interface sends an OAMPDU to notify the peer device of the event.
- An errored frame event occurs when the number of errored frames detected on an interface reaches or exceeds the specified threshold within a certain period.
- An errored code event occurs when the number of errored codes reaches or exceeds the specified threshold within a certain period.
- An errored frame seconds event occurs when the number of errored frame seconds detected on an interface reaches or exceeds the specified threshold within a certain period. The detection duration is measured in seconds. If at least one errored frame is detected within a second, this second is called an errored frame second.
l Fault notification
When an errored frame event or a severe fault event occurs on the local device, the local node sends fault notification messages to notify the peer device. At the same time, the local device records the fault event in the log and reports the fault to the NMS. Fault events include the following:
- The device is restarted using the reboot command.
- A physical link fails.
- OAMPDUs time out.
- The OAM module reports errors.
- The AC or DC power supply of the device is powered off.
When receiving the notification message, the peer records the event contained in the message in its log and reports it to the NMS.

Each interface enabled with EFM OAM works in a certain mode. EFM OAM has two operation
modes: active mode and passive mode. OAM discovery and remote loopback are initiated only
by the interface in active mode.

Fault Association
You can configure the following types of association between an EFM OAM module and an interface:
l After EFM OAM detects a fault, the OAM management module blocks the interface intermittently. That is, the module shuts down the interface for seven seconds and then unblocks the interface.
l When EFM OAM detects a fault, the interface bound to the EFM OAM module is shut down or a Port-Down event is sent. When the interface is Down, a fault notification message is sent to the EFM OAM module of the peer device through association.

Association between an EFM OAM module and an interface
After association between an EFM OAM module and an interface is configured, when the EFM OAM module detects a link fault, no packets except OAMPDUs can be forwarded through the bound interface, and Layer 2 and Layer 3 services are blocked. Therefore, this association may greatly affect services. When the interface detects link fault recovery through EFM OAM, all packets can be forwarded on the interface again and Layer 2 and Layer 3 services are unblocked.
In addition, you can configure the association between EFM OAM and an interface only after EFM OAM at both ends is in the Detect state.

Association between EFM OAM modules
After a fault is detected, the OAM management module transmits a fault notification message through association:
- An EFM OAM module on an interface transmits a fault message to the EFM OAM module on the other interface.
- The EFM OAM modules on the two interfaces report faults to each other.

9.1.3 Configuring Basic EFM OAM


By configuring basic EFM OAM functions, you can detect connectivity of the direct link between
devices.

Establishing the Configuration Task


Before configuring basic EFM OAM functions, familiarize yourself with the applicable
environment, complete the pre-configuration tasks, and obtain the required data. This can help
you complete the configuration task quickly and accurately.

Applicable Environment
As shown in Figure 9-1, you can perform the configuration task to detect the connectivity
between two directly connected devices.
Figure 9-1 Diagram of configuring EFM OAM: interface 1 (active mode) and interface 2 (passive mode) connected by the EFM OAM link
Pre-configuration Tasks
None.

Data Preparation
To configure EFM OAM, you need the following data.
No.  Data
1    (Optional) Maximum size of an EFM OAMPDU

Enabling EFM OAM Globally


You must enable EFM OAM globally before configuring EFM OAM functions.

Context
Do as follows on the devices at both ends of the link:

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
efm enable

EFM OAM is enabled globally.


By default, EFM OAM is disabled globally.
----End

Configuring the Working Mode of EFM OAM on an Interface


EFM OAM working mode is an attribute of an EFM OAM-enabled interface, and consists of
the active mode and the passive mode.

Context
NOTE

The working mode of EFM OAM on the interface can be configured only after EFM OAM is enabled
globally and before EFM OAM is enabled on the interface. The working mode of EFM OAM on the
interface cannot be modified after EFM OAM is configured on the interface.

Do as follows on the devices at both ends of the link:


Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
interface interface-type interface-number

The interface view of an interface at one end of the link is displayed.


Step 3 Run:
efm mode { active | passive }

The working mode of EFM OAM on the interface is configured.


By default, EFM OAM on an interface works in active mode.
At least one of the two interfaces at the ends of the link must work in active mode. An interface in active mode initiates OAM discovery after EFM OAM is enabled on it. An interface in passive mode does not initiate OAM discovery; it waits for an OAMPDU sent from the interface in active mode. If both interfaces work in active mode, link detection still works. If both interfaces work in passive mode, OAM discovery fails.
----End

(Optional) Setting the Maximum Size of an EFM OAMPDU


You can configure the maximum size of EFM OAMPDUs. On the current interface, EFM OAMPDUs whose size exceeds the configured value are regarded as invalid and discarded.

Context
Do as follows on the devices at both ends of the link:

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
interface interface-type interface-number

The interface view of an interface at one end of the link is displayed.


Step 3 Run:
efm packet max-size size

The maximum size of an EFM OAMPDU is set.


By default, the maximum size of an EFM OAMPDU on an interface is 128 bytes.
EFM OAMPDUs longer than 128 bytes are discarded as invalid packets.
If the maximum size of an EFM OAMPDU is configured differently on the two interfaces of the link, the two interfaces negotiate the value during the OAM discovery process: the smaller of the maximum sizes set on the local interface and on the peer is selected.
----End

Enabling EFM OAM on an Interface


You can perform point-to-point EFM link detection only after enabling EFM OAM on interfaces
on both ends of a link.

Context
Do as follows on the devices at both ends of the link:

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
interface interface-type interface-number

The interface view of an interface at one end of the link is displayed.


Step 3 Run:
efm enable

EFM OAM is enabled on the interface.


By default, EFM OAM on an interface is disabled.
----End

Checking the Configuration


By viewing EFM OAM configurations, you can check whether the configurations are successful.

Prerequisites
The configurations of the EFM OAM function are complete.

Procedure
l Run the display efm { all | interface interface-type interface-number } command to check information about EFM OAM on an interface.
l Run the display efm session { all | interface interface-type interface-number } command to check the status of the EFM OAM protocol on an interface.

----End

Example
Run the display efm command. You can view all the EFM OAM configurations on the local
interface and part of the EFM OAM configurations on the remote interface. For example:
<Quidway> display efm interface gigabitethernet 0/0/1
Item                            Value
----------------------------------------------------
Interface:                      GigabitEthernet0/0/1
EFM Enable Flag:                enable
Mode:                           active
Loopback IgnoreRequest:         no
OAMPDU MaxSize:                 128
OAMPDU Timeout:                 3000
ErrCodeNotification:            disable
ErrCodePeriod:                  1
ErrCodeThreshold:               1
ErrFrameNotification:           disable
ErrFramePeriod:                 1
ErrFrameThreshold:              1
ErrFrameSecondNotification:     disable
ErrFrameSecondPeriod:           60
ErrFrameSecondThreshold:        1
Hold Up Time:                   0
ThresholdEvtTriggerErrDown:     disable
TriggerIfDown:                  disable
TriggerMacRenew:                disable
Remote MAC:                     00e0-fc7f-724f
Remote EFM Enable Flag:         enable
Remote Mode:                    passive
Remote MaxSize:                 128
Remote Loopback IgnoreRequest:  no
Remote State:                   --

Run the display efm session command. If the EFM OAM protocol on the interface is in the Detect state, the configuration succeeds: the two interfaces have completed negotiation and entered the Detect state.
<Quidway> display efm session interface gigabitethernet 0/0/1
Interface                 EFM State    Loopback Timeout
--------------------------------------------------------------------
GigabitEthernet0/0/1      detect       --

9.1.4 Configuring EFM OAM Link Monitoring


By configuring EFM OAM detection for errored codes, errored frames, and errored frame
seconds, you can more effectively detect link layer faults.

Establishing the Configuration Task


Before configuring the EFM OAM link monitoring function, familiarize yourself with the
applicable environment, complete the pre-configuration tasks, and obtain the required data. This
can help you complete the configuration task quickly and accurately.

Applicable Environment
Link monitoring can be used to detect and locate faults at the link layer in different scenarios. It uses the event notification OAMPDU: when the local OAM entity detects a link fault through these events, it notifies the remote OAM entity of the fault.

Pre-configuration Tasks
Before configuring EFM OAM link monitoring, complete the following tasks:
l Configuring EFM OAM
Data Preparation
To configure EFM OAM link monitoring, you need the following data.
No.  Data
1    (Optional) Period and threshold for detecting errored frames of EFM OAM
2    (Optional) Period and threshold for detecting errored codes of EFM OAM
3    (Optional) Period and threshold for detecting errored frame seconds of EFM OAM

(Optional) Detecting Errored Frames of EFM OAM


When an interface is enabled to detect errored frames, the AC6605 generates an errored frame
event and notifies the peer, if the number of errored frames reaches or exceeds the threshold
within a set period.

Context
Do as follows on the devices at one end or both ends of the link:

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
interface interface-type interface-number

The interface view of an interface at one end of the link is displayed.


Step 3 Run:
efm error-frame period period

The period for detecting errored frames on the interface is set.


By default, the period for detecting errored frames on an interface is 1 second.
Step 4 Run:
efm error-frame threshold threshold

The threshold for detecting errored frames on the interface is set.


By default, the threshold for detecting errored frames on an interface is 1.
Step 5 Run:
efm error-frame notification enable

The interface is enabled to detect errored frames.


By default, an interface cannot detect errored frames.
----End
(Optional) Detecting Errored Codes of EFM OAM


When an interface is enabled to detect errored codes, the AC6605 generates an errored code
event and notifies the peer, if the number of errored codes reaches or exceeds the threshold within
a set period.

Context
Do as follows on the devices at one end or both ends of the link:

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
interface interface-type interface-number

The interface view of an interface at one end of the link is displayed.


Step 3 Run:
efm error-code period period

The period for detecting errored codes on the interface is set.


By default, the period for detecting errored codes on an interface is 1 second.
Step 4 Run:
efm error-code threshold threshold

The threshold for detecting errored codes on the interface is set.


By default, the threshold for detecting errored codes on an interface is 1.
Step 5 Run:
efm error-code notification enable

The interface is enabled to detect errored codes.


By default, an interface cannot detect errored codes.
----End

(Optional) Detecting Errored Frame Seconds of EFM OAM


When an interface is enabled to detect errored frame seconds, the AC6605 generates an errored
frame seconds summary event and notifies the peer, if the number of errored frame seconds
reaches or exceeds the threshold within a set period.

Context
An errored frame second is a one-second interval during which at least one errored frame is detected. It identifies the seconds in which errored frames are detected.
Do as follows on the devices at one end or both ends of the link:
Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
interface interface-type interface-number

The interface view of an interface at one end of the link is displayed.


Step 3 Run:
efm error-frame-second period period

The period for detecting errored frame seconds on the interface is set.
By default, the period for detecting errored frame seconds on an interface is 60 seconds.
Step 4 Run:
efm error-frame-second threshold threshold

The threshold for detecting errored frame seconds on the interface is set.
By default, the threshold for detecting errored frame seconds on an interface is 1.
Step 5 Run:
efm error-frame-second notification enable

The interface is enabled to detect errored frame seconds.


By default, an interface cannot detect errored frame seconds.
----End

(Optional) Associating a Threshold Crossing Event with an Interface


After a threshold crossing event is associated with an interface, the system sets the administrative
state of the interface to Down. In this manner, all services on the interface are interrupted.

Context
When an interface on a link is enabled to detect errored frames, errored codes, or errored frame
seconds, the link is considered unavailable, if the number of errored frames, errored codes, or
errored frame seconds detected by the interface reaches or exceeds the threshold within a set
period. The errored frame event, errored code event, and errored frame seconds summary event
are called threshold crossing events. In this case, you can associate a threshold crossing event
with the interface so that the system sets the administrative state of the interface to Down. As a
result, the link actually goes Down and all services on the interface are interrupted.
Do as follows on the device at one end or devices at both ends of a link:

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
interface interface-type interface-number

The view of an interface at one end of the link is displayed.


Step 3 Run:
efm threshold-event trigger error-down

A threshold crossing event is associated with the interface.


By default, no threshold crossing event is associated with interfaces.
----End

Follow-up Procedure
After a threshold crossing event is associated with an interface, you can configure the interface to go administratively Up by using either of the following methods:
l Run the efm holdup-timer command in the interface view to configure the interface to go administratively Up after the auto-recovery delay.
l Run the shutdown command and then the undo shutdown command in the interface view to restore the administrative state of the interface to Up.
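To see how the periods and thresholds from the three detection procedures above combine with the threshold crossing association and the holdup timer, here is a Python replay model. It is an added illustration, not AC6605 code: it feeds a constructed sequence of per-second errored-frame counts through the errored frame and errored frame seconds thresholds (using the page's defaults), raises the events the page describes, and, when trigger error-down is configured, sets the interface administratively Down and brings it back up after a holdup delay or only on a manual shutdown / undo shutdown. Consecutive non-overlapping detection windows, and a holdup timer counted from the moment the interface went Down, are assumptions; the page states only the periods, thresholds and defaults.

```python
"""Replay model of EFM OAM link monitoring (added illustration, not AC6605 code)."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class LinkMonitorConfig:
    # Defaults taken from the page: errored frames period 1 s / threshold 1,
    # errored frame seconds period 60 s / threshold 1, no error-down association.
    error_frame_period: int = 1
    error_frame_threshold: int = 1
    error_frame_second_period: int = 60
    error_frame_second_threshold: int = 1
    trigger_error_down: bool = False          # efm threshold-event trigger error-down
    holdup_timer: Optional[int] = None        # seconds; None = recover only by shutdown / undo shutdown


@dataclass
class InterfaceState:
    admin_up: bool = True
    down_since: Optional[int] = None
    events: List[Tuple[int, str]] = field(default_factory=list)  # (second, event name)


def run_link_monitor(errored_frames: List[int], cfg: LinkMonitorConfig) -> InterfaceState:
    """errored_frames[i] is the number of errored frames seen during second i+1.
    Detection windows are modelled as consecutive, non-overlapping periods (assumption)."""
    itf = InterfaceState()
    frame_count = 0   # errored frames in the current errored-frame window
    efs_count = 0     # errored frame seconds in the current errored-frame-second window
    for t, n in enumerate(errored_frames, start=1):
        # Auto-recovery after the holdup delay (efm holdup-timer), assumed to count
        # from the second the interface was brought Down.
        if (not itf.admin_up and cfg.holdup_timer is not None
                and t - itf.down_since >= cfg.holdup_timer):
            itf.admin_up, itf.down_since = True, None
        frame_count += n
        if n >= 1:
            efs_count += 1  # a second with at least one errored frame is an errored frame second
        fired = []
        if t % cfg.error_frame_period == 0:
            if frame_count >= cfg.error_frame_threshold:
                fired.append("errored frame event")
            frame_count = 0
        if t % cfg.error_frame_second_period == 0:
            if efs_count >= cfg.error_frame_second_threshold:
                fired.append("errored frame seconds summary event")
            efs_count = 0
        for name in fired:
            itf.events.append((t, name))  # the peer is notified of this in an OAMPDU
            if cfg.trigger_error_down and itf.admin_up:
                itf.admin_up, itf.down_since = False, t  # administrative state set to Down
    return itf


def manual_recover(itf: InterfaceState) -> InterfaceState:
    """shutdown followed by undo shutdown restores the administrative state to Up."""
    itf.admin_up, itf.down_since = True, None
    return itf


# Constructed sample: 60 seconds, a burst of 3 errored frames in second 6, clean otherwise.
SAMPLE = [0] * 5 + [3] + [0] * 54


if __name__ == "__main__":
    print(run_link_monitor(SAMPLE, LinkMonitorConfig()).events)
    print(run_link_monitor(SAMPLE, LinkMonitorConfig(trigger_error_down=True)).admin_up)
```

With the page's defaults a single errored frame is enough to raise an errored frame event, and one errored second in a minute raises the summary event; replaying the same sample with error-frame period 10 and threshold 5 suppresses the first without touching the second, which is the trade-off to weigh before associating these events with error-down on a production link.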

Checking the Configuration


By viewing EFM OAM configurations, you can check whether the configurations are successful.

Prerequisites
The configurations of the EFM OAM link monitoring function are complete.

Procedure
l Run the display efm { all | interface interface-type interface-number } command to check information about EFM OAM on an interface.
l Run the display efm session { all | interface interface-type interface-number } command to check the status of the EFM OAM protocol on an interface.

----End

Example
Run the display efm command. You can view information about link monitoring on the
interface. For example:
<Quidway> display efm interface gigabitethernet 0/0/1
Item                            Value
----------------------------------------------------------
Interface:                      GigabitEthernet0/0/1
EFM Enable Flag:                enable
Mode:                           active
Loopback IgnoreRequest:         no
OAMPDU MaxSize:                 128
OAMPDU Timeout:                 3000
ErrCodeNotification:            enable
ErrCodePeriod:                  1
ErrCodeThreshold:               1
ErrFrameNotification:           enable
ErrFramePeriod:                 1
ErrFrameThreshold:              1
ErrFrameSecondNotification:     enable
ErrFrameSecondPeriod:           60
ErrFrameSecondThreshold:        1
Hold Up Time:                   0
ThresholdEvtTriggerErrDown:     enable
TriggerIfDown:                  disable
TriggerMacRenew:                disable
Remote MAC:                     00e0-fc7f-7258
Remote EFM Enable Flag:         enable
Remote Mode:                    passive
Remote MaxSize:                 128
Remote Loopback IgnoreRequest:  no
Remote State:                   --

9.1.5 Testing the Packet Loss Ratio on the Physical Link


By testing the packet loss ratio on a physical link, you can take effective measures to ensure
better performance of the link.

Establishing the Configuration Task


Before testing the packet loss ratio on a physical link, familiarize yourself with the applicable
environment, complete the pre-configuration tasks, and obtain the data required for the
configuration. This will help you complete the configuration task quickly and accurately.

Applicable Environment

CAUTION
Forwarding of service data is affected after EFM OAM remote loopback is enabled. Enable EFM OAM remote loopback only on a link that does not need to forward service data.
You can perform the configuration task to detect the packet loss ratio on a link.
As shown in Figure 9-2, enable EFM OAM on SwitchA and SwitchB and enable remote loopback on GE0/0/1 on SwitchA. Send test packets from SwitchA to SwitchB. You can obtain the packet loss ratio on the link by observing the test packets received back on SwitchA.
Figure 9-2 Diagram of testing the packet loss ratio on the link: SwitchA GE0/0/1 (active mode) and SwitchB GE0/0/1 (passive mode) connected by the EFM OAM link; test packets flow between SwitchA and SwitchB
Pre-configuration Tasks
Before testing the packet loss ratio on the link, complete the following tasks:
l Configuring EFM OAM

Data Preparation
To test the packet loss ratio on the link, you need the following data.
No.  Data
1    Timeout period for remote loopback
2    Destination MAC address, VLAN ID, outbound interface, size, number, and sending rate of test packets

Enabling EFM OAM Remote Loopback


You can configure the EFM OAM remote loopback function to locate faults on the remote end
and assess the link quality.

Context
EFM OAM remote loopback is a method of monitoring link performance. Its working process
is as follows:
1. An OAM entity working in active mode initiates a remote loopback request to the remote
OAM entity.
2. The remote OAM entity ignores or accepts the request.
3. The remote loopback function is disabled manually or automatically.

Procedure
Step 1 Enable remote loopback on the device that initiates the request.
1. Run:
system-view

The system view is displayed.

2. Run:
interface interface-type interface-number

The interface view is displayed.

3. Run:
efm loopback start [ timeout timeout ]

The remote EFM OAM loopback function is enabled on the interface.


CAUTION
Remote loopback may cause an exception in forwarding of data packets and protocol
packets; therefore, you are not advised to configure other services on the loopback interface.
By default, the timeout period for remote loopback is 20 minutes. After the timeout period,
remote loopback is automatically disabled. You can set the timeout period to 0 for a link
to remain in the remote loopback state.
The following requirements must be met to implement remote loopback:
- The EFM OAM protocols on the local interface and the peer are in the Detect state.
- EFM OAM on the local interface works in active mode.
Before changing the value of timeout timeout, run the efm loopback stop command to
disable remote loopback on the interface.
You can use the display efm session command to check whether the EFM OAM protocols
running on the local interface and the peer are in the Detect state.
Step 2 (Optional) Configure a receiving device to ignore the remote loopback request.
1. Run:
system-view

The system view is displayed.

2. Run:
interface interface-type interface-number

The interface view is displayed.

3. Run:
efm loopback ignore-request

The interface is configured to ignore the remote loopback request.

By default, the interface accepts and processes the remote loopback request.
----End

Sending Test Packets


Test packets are Ethernet packets constructed specifically for measuring the packet loss ratio on
a link. This function is used together with the EFM OAM remote loopback function: the test
packets sent from the active end are looped back by the peer, and the packet loss ratio on the link
is derived from how many of them return.

Context
Do as follows on the device with an active interface on the link:

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
test-packet start interface interface-type interface-number [ -c count | -p speed | -s size ] *

Test packets are sent.

By default, the size of a test packet is 64 bytes; the number of test packets sent is 5.
The outbound interface for the test packets is the interface that connects the link to be tested.
----End

Follow-up Procedure
The parameters of this command cannot be modified while test packets are being sent.
Press Ctrl+C to stop sending test packets.

Checking the Statistics on Returned Test Packets


By viewing statistics of returned test packets, you can calculate the packet loss ratio.

Context
Do as follows on the device with an active interface on the link:

Procedure
Step 1 Run:
display test-packet result

Statistics of the returned test packets are displayed.


The displayed information includes:
- Number of sent test packets
- Number of received test packets
- Number of discarded test packets
- Total number of bytes of sent test packets
- Total number of bytes of received test packets
- Total number of bytes of discarded test packets
- Time at which the sending of test packets started
- Time at which the sending of test packets ended
You can calculate the packet loss ratio on the link from the preceding data.
----End

(Optional) Manually Disabling EFM OAM Remote Loopback


The EFM OAM remote loopback function can automatically time out or be disabled manually.

Context
Do as follows on the device with an active interface on the link:
Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
interface interface-type interface-number

The interface view is displayed.


Step 3 Run:
efm loopback stop

Remote loopback is disabled on the interface.


If EFM OAM remote loopback is left enabled, the link fails to forward service data for a long
time. To prevent this, EFM OAM remote loopback on the AC6605 can be automatically disabled
after a timeout period. By default, the timeout period for remote loopback is 20 minutes. After
20 minutes, remote loopback stops. If you need to disable remote loopback manually, perform
the preceding operation procedures.
----End

Checking the Configuration


Procedure
Step 1 Run the display efm session { all | interface interface-type interface-number } command to
check the status of the EFM OAM session on an interface.
----End

Example
Run the display efm session command on the device with an active interface on the link. If the
EFM OAM protocol on the active interface is in the Loopback(control) state, which indicates
that the active interface initiates remote loopback, the configuration is successful.
<SwitchA> display efm session interface gigabitethernet 0/0/1
Interface                 EFM State                Loopback Timeout
---------------------------------------------------------------------
GigabitEthernet0/0/1      Loopback(control)        20

Run the display efm session command on the device with a passive interface on the link. If the
EFM OAM protocol on the passive interface is in the Loopback(be controlled) state, which
indicates that the passive interface responds to remote loopback, the configuration is successful.
<SwitchB> display efm session interface gigabitethernet 0/0/1
Interface                 EFM State                Loopback Timeout
---------------------------------------------------------------------
GigabitEthernet0/0/1      Loopback(be controlled)  --

Run the display efm session command on either of the devices on the link. If the EFM OAM
protocol on the interface is in the Detect or Discovery state, the configuration is successful.
<SwitchA> display efm session interface gigabitethernet 0/0/1
Interface                 EFM State                Loopback Timeout
---------------------------------------------------------------------
GigabitEthernet0/0/1      detect                   --
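The checks above are easy to script when many links are tested. The following is an added example and not part of this guide or of the AC6605 software: it parses the three-column table that display efm session prints (Interface, EFM State, Loopback Timeout) and verifies the states the text says to expect on the active and passive ends, and it flags a session started with timeout 0, which the guide notes keeps the link in loopback until it is stopped by hand. The sample outputs are constructed to mirror the layout shown above; the function and variable names are the example's own.

```python
"""Check EFM OAM remote-loopback state from 'display efm session' output.

Added example (not from the AC6605 guide). Parses the table printed by
'display efm session interface ...' and verifies the expected states.
Sample outputs below are constructed to mirror the guide's layout.
"""
import re
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed sample outputs (same layout as the guide's examples).
ACTIVE_OUTPUT = """\
<SwitchA> display efm session interface gigabitethernet 0/0/1
Interface                 EFM State                Loopback Timeout
---------------------------------------------------------------------
GigabitEthernet0/0/1      Loopback(control)        20
"""

PASSIVE_OUTPUT = """\
<SwitchB> display efm session interface gigabitethernet 0/0/1
Interface                 EFM State                Loopback Timeout
---------------------------------------------------------------------
GigabitEthernet0/0/1      Loopback(be controlled)  --
"""

DETECT_OUTPUT = """\
<SwitchA> display efm session interface gigabitethernet 0/0/1
Interface                 EFM State                Loopback Timeout
---------------------------------------------------------------------
GigabitEthernet0/0/1      detect                   --
"""

# Constructed: loopback started with 'timeout 0', which the guide says keeps
# the link in loopback until 'efm loopback stop' is run.
PERMANENT_OUTPUT = """\
<SwitchA> display efm session interface gigabitethernet 0/0/1
Interface                 EFM State                Loopback Timeout
---------------------------------------------------------------------
GigabitEthernet0/0/1      Loopback(control)        0
"""


@dataclass
class EfmSession:
    interface: str
    state: str
    loopback_timeout: Optional[int]  # None when the column shows "--"


# Interface name, state (one optional inner space, e.g. "Loopback(be controlled)"),
# then the timeout column, which is either "--" or a number of minutes.
_ROW = re.compile(r"^(?P<iface>\S+)\s+(?P<state>\S+(?: \S+)?)\s+(?P<timeout>--|\d+)\s*$")


def parse_efm_sessions(output: str) -> Dict[str, EfmSession]:
    """Return sessions keyed by interface, skipping prompt, header and rule lines."""
    sessions: Dict[str, EfmSession] = {}
    for raw in output.splitlines():
        line = raw.strip()
        if not line or line[0] in "<[-" or line.startswith("Interface"):
            continue
        m = _ROW.match(line)
        if not m:
            continue  # unrecognised line: ignore rather than guess
        timeout = None if m["timeout"] == "--" else int(m["timeout"])
        sessions[m["iface"]] = EfmSession(m["iface"], m["state"], timeout)
    return sessions


def loopback_established(active_out: str, passive_out: str, iface: str) -> bool:
    """True when the active end shows Loopback(control) and the passive end
    shows Loopback(be controlled), i.e. the loopback request was accepted."""
    a = parse_efm_sessions(active_out).get(iface)
    p = parse_efm_sessions(passive_out).get(iface)
    return (a is not None and p is not None
            and a.state == "Loopback(control)"
            and p.state == "Loopback(be controlled)")


def loopback_cleared(output: str, iface: str) -> bool:
    """True when the session is back in the Detect or Discovery state."""
    s = parse_efm_sessions(output).get(iface)
    return s is not None and s.state.lower() in ("detect", "discovery")


def permanent_loopback(output: str, iface: str) -> bool:
    """True when loopback is active with timeout 0: the link will not forward
    service data until 'efm loopback stop' is run, so flag it for follow-up."""
    s = parse_efm_sessions(output).get(iface)
    return s is not None and s.state.startswith("Loopback") and s.loopback_timeout == 0
```

Run loopback_established against the two captures taken right after efm loopback start, and loopback_cleared against the capture taken after efm loopback stop (or after the timeout has elapsed); permanent_loopback is the check to run before leaving a link unattended.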

9.1.6 Configuring the Association Between EFM OAM and an Interface


After EFM OAM is associated with an interface, services may be greatly affected. For example,
all the Layer 2 and Layer 3 services may be blocked.

Establishing the Configuration Task


Before configuring the association between EFM OAM and an interface, familiarize yourself
with the applicable environment, complete the pre-configuration tasks, and obtain the required
data. This can help you complete the configuration task quickly and accurately.

Applicable Environment
As shown in Figure 9-3, EFM OAM is enabled on Switch A and Switch B. EFM OAM is
associated with GE 0/0/1 on Switch A. When the EFM OAM module on Switch A detects a
connectivity fault between Switch A and Switch B, no other packets except EFM protocol
packets can be forwarded on the interface GE 0/0/1 and Layer 2 and Layer 3 services are blocked.
Therefore, the association of EFM OAM and the current interface may greatly affect services.
When the current interface detects the link fault recovery through EFM OAM, all packets can
be forwarded on the interface and Layer 2 and Layer 3 services are unblocked.
Figure 9-3 Diagram of associating EFM OAM with an interface
[Figure: SwitchA GE0/0/1 connected to SwitchB GE0/0/1 over an EFM OAM link; GE0/0/1 on SwitchA is the interface associated with EFM OAM.]

Pre-configuration Tasks
Before associating EFM OAM with an interface, complete the following tasks:
- Configuring EFM OAM

Data Preparation
To associate EFM OAM with an interface, you need the following data.
No. | Data
1 | Type and number of an interface
2 | (Optional) Faulty-state hold timer
Associating EFM OAM with an Interface


By associating EFM OAM with a physical interface, you can use the OAM management module
to notify the bound interface management module of fault information after EFM OAM detects
a fault.

Context
After EFM OAM is enabled on an interface, the status of this interface changes when the interface
receives an OAM PDU control request packet with the Link Fault Status flag.
There are two ways to associate EFM OAM with an interface:
- Associating an error event with an interface and setting the interface to the blocking state
when the error event occurs.
- Associating an error event with an interface and setting the interface to the disabled state
when the error event occurs.
- Associating a threshold crossing event with an interface.

Do as follows on the devices at one end or both ends of the link:

Procedure
- Associate an error event with an interface and set the interface to the blocking state when
the error event occurs.
Setting the interface to the blocking state is applicable to a scenario where traffic can be
switched back automatically after the faulty link recovers. After the associated interface is
blocked, all traffic is interrupted except EFM protocol packets.
1. Run:
system-view

The system view is displayed.

2. Run:
interface interface-type interface-number

The view of an interface at one end of the link is displayed.

3. Run:
efm trigger if-down

EFM OAM is associated with the interface.

By default, EFM OAM is not associated with an interface.
The efm trigger if-down command is valid in the interface view only after EFM OAM
is enabled on the interface with the efm enable command.
When EFM OAM is associated with the current interface and detects a link fault on
the current interface, no packets other than EFM protocol packets can be forwarded
on the interface and Layer 2 and Layer 3 services are blocked. Therefore, the
association between EFM OAM and an interface may greatly affect services. When
EFM OAM on an interface detects link fault recovery, all packets can be forwarded
on the interface and Layer 2 and Layer 3 services are unblocked.
Before configuring the association between EFM OAM and an interface, ensure that
the EFM OAM protocol on both ends of the link is in the Detect state.
If Layer 2 and Layer 3 services are blocked due to a misoperation, you can run the
undo efm trigger if-down command in the interface view to restore services.
- Associate an error event with an interface and set the interface to the disabled state when
the error event occurs.
1. Run:
system-view

The system view is displayed.

2. Run:
interface interface-type interface-number

The view of an interface at one end of the link is displayed.

3. Run:
efm { critical-event | dying-gasp | link-fault | timeout } trigger error-down

An error event is associated with the interface.

By default, an error event is not associated with an interface.
After the efm trigger error-down command is used to associate an error event with
an interface, the protocol status of the interface goes Down and all services on the interface
are interrupted when EFM OAM detects the fault specified by critical-event, dying-gasp,
link-fault, or timeout. Even if EFM OAM on the interface later detects link fault
recovery, the protocol status of the interface does not change. Traffic can be switched back
only after you have manually checked the link quality.
----End

(Optional) Setting the Faulty-State Hold Timer


By setting the EFM OAM faulty-state hold timer on physical interfaces, you can prevent
interfaces from alternating between the Up and Down states frequently when links are unstable.

Context
Do as follows on the device at one end or devices at both ends of a link:

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
interface interface-type interface-number

The view of an interface at one end of the link is displayed.


Step 3 Run:
efm holdup-timer time

The faulty-state hold timer is set.


By default, the timeout period of the faulty-state hold timer is 0s.
After the efm trigger if-down command is used to associate EFM OAM with an interface, when
EFM OAM detects a connectivity fault, the faulty state displayed on the interface remains
unchanged within the set timeout period of the faulty-state hold timer, even though the fault is
rectified. EFM OAM does not detect whether the connectivity fault is cleared until the timeout
period of the faulty-state hold timer expires.
----End
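The effect of the hold timer is easiest to see on a flapping link. The following is an added example, not code from this guide or from the AC6605: a small event-driven model of the behaviour described above, comparing the default hold time of 0 with a 10 s hold time. The timer semantics it uses are simplifying assumptions, not a statement of how the device implements them: the hold starts when the interface enters the faulty state, recovery is ignored until the hold expires, and a repeated fault while already faulty does not restart it. The event list and all names are constructed for the example.

```python
"""Simulate the EFM OAM faulty-state hold timer (efm holdup-timer).

Added example (not from the AC6605 guide). Timer semantics are assumptions:
the hold starts on entering the faulty state, recovery is ignored until it
expires, and a repeated fault while faulty does not restart it.
"""
from dataclasses import dataclass
from typing import List, Tuple

Event = Tuple[float, str]        # (time in seconds, "fault" | "recover" | "tick")
Transition = Tuple[float, str]   # (time in seconds, "down" | "up")


@dataclass
class HeldInterface:
    hold_time: float             # efm holdup-timer value; 0 is the guide's default
    faulty: bool = False         # faulty state shown on the interface
    link_ok: bool = True         # what EFM OAM currently sees on the link
    hold_until: float = 0.0      # simulated time at which the hold expires

    def on_fault(self, now: float) -> None:
        self.link_ok = False
        if not self.faulty:      # entering the faulty state starts the hold
            self.faulty = True
            self.hold_until = now + self.hold_time

    def on_recover(self, now: float) -> None:
        self.link_ok = True
        self.evaluate(now)

    def evaluate(self, now: float) -> None:
        # Recovery is only honoured once the hold timer has expired.
        if self.faulty and self.link_ok and now >= self.hold_until:
            self.faulty = False


def run_scenario(events: List[Event], hold_time: float) -> List[Transition]:
    """Replay the events and return every change of the interface's faulty state."""
    iface = HeldInterface(hold_time)
    transitions: List[Transition] = []
    for now, kind in sorted(events):
        before = iface.faulty
        if kind == "fault":
            iface.on_fault(now)
        elif kind == "recover":
            iface.on_recover(now)
        else:
            iface.evaluate(now)  # periodic re-evaluation, e.g. once per second
        if iface.faulty != before:
            transitions.append((now, "down" if iface.faulty else "up"))
    return transitions


# Constructed scenario: the link flaps three times in six seconds, then stays up.
FLAPPING_LINK: List[Event] = (
    [(0, "fault"), (1, "recover"), (2, "fault"), (3, "recover"), (4, "fault"), (5, "recover")]
    + [(t, "tick") for t in range(6, 16)]
)

if __name__ == "__main__":
    print("hold 0 s :", run_scenario(FLAPPING_LINK, 0))   # flaps with the link
    print("hold 10 s:", run_scenario(FLAPPING_LINK, 10))  # down at 0, up at 10
```

With hold_time 0 the interface follows every flap (six transitions); with 10 s it goes down once and comes back only at t=10, which is the dampening the guide describes. The trade-off is the same one the text implies: a longer hold also delays a genuine recovery by up to the hold time.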

Checking the Configuration


By viewing the TriggerIfDown field, you can check whether the configuration is successful.

Prerequisites
The configuration of associating EFM OAM with an interface is complete.

Procedure
Step 1 Run the display efm { all | interface interface-type interface-number } command to check the
EFM OAM configuration information on an interface.
----End

Example
Run the display efm command. If the item "TriggerIfDown" is displayed as "enable", it means
that the configuration succeeds.
<Quidway> display efm interface gigabitethernet 0/0/1
Item                            Value
----------------------------------------------------
Interface:                      GigabitEthernet0/0/1
EFM Enable Flag:                enable
Mode:                           active
Loopback IgnoreRequest:         no
OAMPDU MaxSize:                 128
OAMPDU Timeout:                 3000
ErrCodeNotification:            disable
ErrCodePeriod:                  1
ErrCodeThreshold:               1
ErrFrameNotification:           disable
ErrFramePeriod:                 1
ErrFrameThreshold:              1
ErrFrameSecondNotification:     disable
ErrFrameSecondPeriod:           60
ErrFrameSecondThreshold:        1
Hold Up Time:                   0
ThresholdEvtTriggerErrDown:     enable
TriggerIfDown:                  enable
TriggerMacRenew:                disable
Remote MAC:                     0018-8200-0001
Remote EFM Enable Flag:         enable
Remote Mode:                    passive
Remote MaxSize:                 128
Remote Loopback IgnoreRequest:  no
Remote State:                   --

9.1.7 Maintaining Ethernet OAM


This section describes how to maintain Ethernet OAM, including deleting CCM statistics and
monitoring Ethernet OAM.
Debugging EFM OAM


After debugging, you need to disable the debugging function in time.

Context

CAUTION
Debugging affects system performance. After debugging, run the undo debugging all command
to disable it immediately.
When an EFM OAM fault occurs, run the following debugging command in the user view to
view the debugging information and locate and analyze the fault.

Procedure
Step 1 Run the debugging efm interface interface-type interface-number { all | error | event |
message | packet { all | receive | send } | process } command in the user view to enable the
debugging of the EFM OAM module on the specified interface.
----End

9.1.8 Configuration Examples


This section provides several configuration examples of Ethernet OAM.

Example for Configuring EFM OAM


Networking Requirements
As shown in Figure 9-4, a user network is connected to an ISP network through Switch A and
Switch B. Switch A functions as the CE device, and Switch B functions as the underlayer PE
(UPE) device. The networking requirements are as follows:
- Automatic connectivity detection can be performed between Switch A and Switch B. After
detecting connectivity faults, Switch A and Switch B generate alarms.
- Switch B monitors the errored frames, errored codes, and errored frame seconds on GE
0/0/1. When the number of errored frames, errored codes, or errored frame seconds exceeds
the threshold, Switch B generates an alarm.

Figure 9-4 Networking diagram for configuring EFM OAM
[Figure: the user network connects to Switch A; Switch A GE 0/0/1 connects to Switch B GE 0/0/1; Switch B connects to the Internet.]

Configuration Roadmap
The configuration roadmap is as follows:
1. Enable EFM OAM globally on Switch A and Switch B.
2. Configure EFM OAM on GE 0/0/1 of Switch A to work in passive mode.
3. Enable EFM OAM on GE 0/0/1 on Switch B. Enable EFM OAM on GE 0/0/1 on Switch A.
4. Configure GE 0/0/1 of Switch B to detect the errored frames, errored codes, and errored
frame seconds.

Data Preparation
To complete the configuration, you need the following data:
- Period for detecting errored frames on GE 0/0/1 of Switch B (5 seconds) and threshold of
number of errored frames (5)
- Period for detecting errored codes on GE 0/0/1 of Switch B (5 seconds) and threshold of
number of errored codes (5)
- Period for detecting errored frame seconds on GE 0/0/1 of Switch B (120 seconds) and
threshold of number of errored frame seconds (5)

Procedure
Step 1 Enable EFM OAM globally.
# Enable EFM OAM globally on Switch A.
<Quidway> system-view
[Quidway] sysname SwitchA
[SwitchA] efm enable

# Enable EFM OAM globally on Switch B.
<Quidway> system-view
[Quidway] sysname SwitchB
[SwitchB] efm enable

Step 2 Configure EFM OAM on GE 0/0/1 of Switch A to work in passive mode.
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] efm mode passive

Step 3 Enable EFM OAM on GE 0/0/1 of Switch B and GE 0/0/1 of Switch A.
# Enable EFM OAM on GE 0/0/1 of Switch A.
[SwitchA-GigabitEthernet0/0/1] efm enable
[SwitchA-GigabitEthernet0/0/1] quit

# Enable EFM OAM on GE 0/0/1 of Switch B.
[SwitchB] interface gigabitethernet 0/0/1
[SwitchB-GigabitEthernet0/0/1] efm enable

Step 4 Configure GE 0/0/1 of Switch B to detect the errored frames, errored codes, and errored frame
seconds.
# Configure GE 0/0/1 of Switch B to detect the errored frames.
[SwitchB-GigabitEthernet0/0/1] efm error-frame period 5
[SwitchB-GigabitEthernet0/0/1] efm error-frame threshold 5
[SwitchB-GigabitEthernet0/0/1] efm error-frame notification enable

# Configure GE 0/0/1 of Switch B to detect the errored codes.
[SwitchB-GigabitEthernet0/0/1] efm error-code period 5
[SwitchB-GigabitEthernet0/0/1] efm error-code threshold 5
[SwitchB-GigabitEthernet0/0/1] efm error-code notification enable

# Configure GE 0/0/1 of Switch B to detect the errored frame seconds.
[SwitchB-GigabitEthernet0/0/1] efm error-frame-second period 120
[SwitchB-GigabitEthernet0/0/1] efm error-frame-second threshold 5
[SwitchB-GigabitEthernet0/0/1] efm error-frame-second notification enable
[SwitchB-GigabitEthernet0/0/1] quit

Step 5 Verify the configuration.
# If EFM OAM is configured correctly on Switch A and Switch B, GE 0/0/1 of Switch A and GE 0/0/1
of Switch B start the handshake after negotiation. Run the display efm session command on Switch A
or Switch B, and you can find that the EFM OAM protocol is in detect state.
[SwitchB] display efm session interface gigabitethernet 0/0/1
Interface                 EFM State                Loopback Timeout
-------------------------------------------------------------------
GigabitEthernet0/0/1      detect                   --

# Run the display efm command on Switch B. If the function of detecting errored frames, errored
codes, and errored frame seconds on GE 0/0/1 is configured correctly, the following information
is displayed:
[SwitchB] display efm interface gigabitethernet 0/0/1
Item                            Value
------------------------------------
Interface:                      GigabitEthernet0/0/1
EFM Enable Flag:                enable
Mode:                           active
Loopback IgnoreRequest:         no
OAMPDU MaxSize:                 128
OAMPDU Timeout:                 5000
ErrCodeNotification:            enable
ErrCodePeriod:                  5
ErrCodeThreshold:               5
ErrFrameNotification:           enable
ErrFramePeriod:                 5
ErrFrameThreshold:              5
ErrFrameSecondNotification:     enable
ErrFrameSecondPeriod:           120
ErrFrameSecondThreshold:        5
Hold Up Time:                   10
ThresholdEvtTriggerErrDown:     enable
TriggerIfDown:                  disable
TriggerMacRenew:                disable
Remote MAC:                     0010-0010-0010
Remote EFM Enable Flag:         enable
Remote Mode:                    passive
Remote MaxSize:                 128
Remote State:                   --

----End

Configuration Files
- Configuration file of Switch A
#
sysname SwitchA
#
efm enable
#
interface GigabitEthernet0/0/1
 efm mode passive
 efm enable
#
return

- Configuration file of Switch B
#
sysname SwitchB
#
efm enable
#
interface GigabitEthernet0/0/1
 efm enable
 efm error-frame period 5
 efm error-frame threshold 5
 efm error-frame notification enable
 efm error-frame-second period 120
 efm error-frame-second threshold 5
 efm error-frame-second notification enable
 efm error-code period 5
 efm error-code threshold 5
 efm error-code notification enable
#
return

Example for Testing the Packet Loss Ratio on a Link


Networking Requirements
As shown in Figure 9-5, a user network is connected to an ISP network through Switch A and
Switch B. Switch A functions as the CE device, and Switch B functions as the UPE device. The
link between Switch A and Switch B is newly established. The ISP needs to test the packet loss
ratio on the link on Switch B before using the link.
Figure 9-5 Networking diagram for testing the packet loss ratio on the link
[Figure: the user network connects to SwitchA; SwitchA GE 0/0/1 connects to SwitchB GE 0/0/1; SwitchB connects to the Internet.]

Configuration Roadmap
The configuration roadmap is as follows:
1. Enable EFM OAM on Switch A and Switch B. Configure EFM OAM on GE 0/0/1 of Switch
A to work in passive mode.
2. Enable EFM OAM remote loopback on Switch B.
3. Send test packets from Switch B to Switch A.
4. Check the returned test packets on Switch B.

Data Preparation
To complete the configuration, you need the following data:
- Timeout interval for EFM OAM remote loopback
- Size, number, and sending rate of test packets

Procedure
Step 1 Configure basic functions of EFM OAM.
# Enable EFM OAM globally on Switch B.
<Quidway> system-view
[Quidway] sysname SwitchB
[SwitchB] efm enable

# Enable EFM OAM globally on Switch A.
<Quidway> system-view
[Quidway] sysname SwitchA
[SwitchA] efm enable

# Configure EFM OAM on GE 0/0/1 of Switch A to work in passive mode.
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] bpdu enable
[SwitchA-GigabitEthernet0/0/1] efm mode passive

# Enable EFM OAM on GigabitEthernet 0/0/1 of Switch A.
[SwitchA-GigabitEthernet0/0/1] efm enable
[SwitchA-GigabitEthernet0/0/1] quit

# Enable EFM OAM on GE 0/0/1 of Switch B.
[SwitchB] interface gigabitethernet 0/0/1
[SwitchB-GigabitEthernet0/0/1] bpdu enable
[SwitchB-GigabitEthernet0/0/1] efm enable
[SwitchB-GigabitEthernet0/0/1] quit

# Verify the configuration.
# If EFM OAM is configured correctly on Switch A and Switch B, GE 0/0/1 of Switch A and GE 0/0/1
of Switch B start the handshake after negotiation. Run the display efm session command on Switch A
or Switch B, and you can find that the EFM OAM protocol is in detect state.
[SwitchB] display efm session interface gigabitethernet 0/0/1
Interface                 EFM State                Loopback Timeout
-------------------------------------------------------------------
GigabitEthernet0/0/1      detect                   --

Step 2 Enable EFM OAM remote loopback.
# Enable EFM OAM remote loopback on Switch B.
[SwitchB] interface gigabitethernet 0/0/1
[SwitchB-GigabitEthernet0/0/1] efm loopback start
[SwitchB-GigabitEthernet0/0/1] quit

# Verify the configuration.
Run the display efm session command on Switch B. If the EFM OAM protocol on GE 0/0/1 is
in Loopback(control) state, that is, GE 0/0/1 initiates remote loopback, the configuration is
successful. The displayed information is as follows:
[SwitchB] display efm session interface gigabitethernet 0/0/1
Interface                 EFM State                Loopback Timeout
---------------------------------------------------------------------
GigabitEthernet0/0/1      Loopback(control)        20

Run the display efm session command on Switch A. If the EFM OAM protocol on GE 0/0/1 is
in Loopback(be controlled) state, that is, GE 0/0/1 responds to remote loopback, the
configuration is successful. The displayed information is as follows:
[SwitchA] display efm session interface gigabitethernet 0/0/1
Interface                 EFM State                Loopback Timeout
---------------------------------------------------------------------
GigabitEthernet0/0/1      Loopback(be controlled)  --

Step 3 Send test packets from Switch B to Switch A.
[SwitchB] test-packet start interface gigabitethernet 0/0/1
Please wait..............
Info: The test is completed.

Step 4 Check the returned test packets on Switch B.
[SwitchB] display test-packet result
Test Result                               Value
------------------------------------------
PacketsSend :                             5
PacketsReceive :                          5
PacketsLost :                             Lost = 0 (0% loss)
BytesSend :                               128
BytesReceive :                            128
BytesLost :                               0
StartTime :                               2009-02-21 18:07:01
EndTime :                                 2009-02-21 18:07:02

You can obtain the packet loss ratio on the link based on the preceding data.
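Deriving the ratio from this table, and from the equivalent output described in 9.1.5 "Checking the Statistics on Returned Test Packets", is a small parsing job that is worth scripting when a link has to be accepted against a loss threshold. The following is an added example, not code from this guide or from the AC6605: it parses the "Test Result / Value" rows, computes the loss ratio, cross-checks the packet and byte counters against each other so that an inconsistent capture is not trusted, and applies an acceptance threshold. The first sample copies the values shown above; the second is a constructed lossy result, and all function names are the example's own.

```python
"""Compute the packet loss ratio from 'display test-packet result' output.

Added example (not from the AC6605 guide). Parses the "Test Result / Value"
table, derives the loss ratio, cross-checks the counters and applies an
acceptance threshold. Sample outputs are constructed.
"""
import re
from datetime import datetime
from typing import Dict, List, Optional

# Constructed sample 1: the lossless result shown in the guide's example.
RESULT_CLEAN = """\
[SwitchB] display test-packet result
Test Result                               Value
------------------------------------------
PacketsSend :                             5
PacketsReceive :                          5
PacketsLost :                             Lost = 0 (0% loss)
BytesSend :                               128
BytesReceive :                            128
BytesLost :                               0
StartTime :                               2009-02-21 18:07:01
EndTime :                                 2009-02-21 18:07:02
"""

# Constructed sample 2: two of five 64-byte test packets did not come back.
RESULT_LOSSY = """\
[SwitchB] display test-packet result
Test Result                               Value
------------------------------------------
PacketsSend :                             5
PacketsReceive :                          3
PacketsLost :                             Lost = 2 (40% loss)
BytesSend :                               320
BytesReceive :                            192
BytesLost :                               128
StartTime :                               2009-02-21 18:09:00
EndTime :                                 2009-02-21 18:09:03
"""

_KV = re.compile(r"^(?P<key>[A-Za-z]+)\s*:\s*(?P<value>.*?)\s*$")
_LOST = re.compile(r"Lost\s*=\s*(\d+)")
_TIME_FMT = "%Y-%m-%d %H:%M:%S"


def parse_test_packet_result(output: str) -> Dict[str, str]:
    """Map each 'Key : value' row to its raw value string."""
    fields: Dict[str, str] = {}
    for raw in output.splitlines():
        line = raw.strip()
        if not line or line[0] in "[<-" or line.startswith("Test Result"):
            continue  # prompt, rule and header lines carry no data
        m = _KV.match(line)
        if m:
            fields[m["key"]] = m["value"]
    return fields


def packet_loss_ratio(output: str) -> Optional[float]:
    """Loss ratio in [0, 1]. Returns None when no packets were sent, because
    a ratio over zero packets says nothing about the link."""
    f = parse_test_packet_result(output)
    sent = int(f["PacketsSend"])
    if sent == 0:
        return None
    m = _LOST.search(f.get("PacketsLost", ""))
    lost = int(m.group(1)) if m else sent - int(f["PacketsReceive"])
    return lost / sent


def consistency_issues(output: str) -> List[str]:
    """Flag counters that disagree with each other; an inconsistent result
    should be re-run rather than used for link acceptance."""
    f = parse_test_packet_result(output)
    issues: List[str] = []
    sent, recv = int(f["PacketsSend"]), int(f["PacketsReceive"])
    m = _LOST.search(f["PacketsLost"])
    if m and int(m.group(1)) != sent - recv:
        issues.append("PacketsLost does not equal PacketsSend - PacketsReceive")
    if int(f["BytesSend"]) - int(f["BytesReceive"]) != int(f["BytesLost"]):
        issues.append("BytesLost does not equal BytesSend - BytesReceive")
    if datetime.strptime(f["EndTime"], _TIME_FMT) < datetime.strptime(f["StartTime"], _TIME_FMT):
        issues.append("EndTime is earlier than StartTime")
    return issues


def link_acceptable(output: str, max_loss: float = 0.01) -> bool:
    """Acceptance check: consistent counters and loss at or below max_loss."""
    ratio = packet_loss_ratio(output)
    return ratio is not None and not consistency_issues(output) and ratio <= max_loss
```

The 1% default in link_acceptable is a placeholder; use the threshold your own acceptance criteria call for. Because the default test sends only 5 packets, a single lost packet already shows as 20% loss, so for a meaningful ratio run test-packet start with a larger -c count.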
Step 5 Disable EFM OAM remote loopback.
[SwitchB] interface gigabitethernet 0/0/1
[SwitchB-GigabitEthernet0/0/1] efm loopback stop
[SwitchB-GigabitEthernet0/0/1] quit
NOTE
By default, the timeout interval for remote loopback is 20 minutes. After 20 minutes, remote loopback
stops. To disable remote loopback manually, perform the preceding step.

Step 6 Verify the configuration.
Run the display efm session command on Switch A or Switch B. If the EFM OAM protocol on
the interfaces is in Detect or Discovery state, the configuration is successful. The displayed
information on Switch B is as follows:
[SwitchB] display efm session interface gigabitethernet 0/0/1
Interface                 EFM State                Loopback Timeout
---------------------------------------------------------------------
GigabitEthernet0/0/1      detect                   --

----End

Configuration Files
- Configuration file of Switch A
#
sysname SwitchA
#
efm enable
#
interface GigabitEthernet0/0/1
 efm mode passive
 efm enable
#
return

- Configuration file of Switch B
#
sysname SwitchB
#
efm enable
#
interface GigabitEthernet0/0/1
 efm enable
#
return

9.2 BFD Configuration


A BFD session rapidly detects a link fault on a network.

9.2.1 BFD Overview


BFD is a uniform detection mechanism for an entire network. It detects faults quickly and
monitors the forwarding and connectivity of links or IP routes of the network.
On a network, a link fault is detected in either of the following methods:
- Hardware detection signals, such as those provided by the Synchronous Digital Hierarchy
(SDH) alarm function, are used to detect a link fault rapidly.
- If the hardware detection method is unavailable, the Hello mechanism of a routing protocol
is used to detect faults.

The preceding methods have the following problems:
- Only some media provide hardware-based fault detection.
- The routing protocol-specific Hello mechanism takes more than 1 second to detect a fault.
If data is forwarded at gigabit rates, a large amount of data is dropped.
- On a small-scale Layer 3 network, if no routing protocol is deployed, the routing
protocol-specific Hello mechanism cannot detect faults. This means that a fault between
interconnected systems is difficult to locate.

BFD is developed to resolve these problems.

BFD provides the following functions:
- Detects faults rapidly along paths between neighboring forwarding engines, with light loads
and high speeds.
- Uses a single mechanism to monitor any kind of medium and protocol layer in real time.
Detection time and costs vary.


9.2.2 BFD Features Supported by the AC6605


This section describes the BFD features supported by the AC6605.
The AC6605s send BFD control packets based on the negotiated period. If an AC6605 does not
receive the packet of the peer within the detection time, the AC6605 sets the BFD session in
Down state. The upper-layer application can take actions according to the status of the BFD
session.

BFD Session Establishment Supported by the AC6605


BFD uses the local discriminator and remote discriminator to differentiate multiple BFD sessions
between the same pair of systems. According to the difference in the modes of creating the local
discriminator and the remote discriminator, the AC6605 supports the following BFD session
types:
- Static BFD sessions with manually specified discriminators
- Static BFD sessions with automatically negotiated discriminators
- Dynamic BFD sessions triggered by a protocol

A dynamic BFD session triggered by a protocol is implemented as follows:
- The local discriminator is allocated automatically.
- The remote discriminator is learned by the local end.

When the two ends of a BFD session create discriminators in different modes:
- If the discriminators on the local end are specified manually, the discriminators on the
remote end must also be specified manually.
- If you configure a static BFD session with automatically negotiated discriminators on the
local end, you can configure a static BFD session with automatically negotiated
discriminators or configure a dynamic BFD session on the peer end.
- If a static BFD session with automatically negotiated discriminators and a dynamic BFD
session are configured at the local end, the following principles are applicable:
If the dynamic BFD session and static BFD session with automatically negotiated
discriminators share the same configurations (the source address, destination address,
outbound interface, and VPN index), the two BFD sessions coexist.
If the dynamic BFD session named DYN_local discriminator is configured earlier than
the static BFD session with automatically negotiated discriminators, the name of the
dynamic BFD session is changed to the name of the static BFD session.
The two BFD sessions use the smaller values of BFD parameters.

Single-Hop BFD
Single-hop BFD detects connectivity of the forwarding link between two directly connected
devices.
Between the two systems detected by the single-hop BFD session, only one BFD session can be
set up on a specified interface enabled with a specified data protocol. Therefore, each BFD
session is bound to an interface. On the AC6605, BFD sessions are bound to Layer 2 interfaces.


Multi-Hop BFD
Multi-hop BFD detects IP connectivity of paths between two non-directly-connected devices.
These paths may span multiple hops or overlap. Multi-hop BFD is often used to detect reachable
routes between two devices.
The AC6605 provides multi-hop BFD for static routes. Generally, static routes do not have a
detection mechanism, so when a network fails the administrator has to check the static routes
manually. You can use multi-hop BFD to check the status of static routes. The RM module
determines whether a static route is available according to the status of the BFD session.

BFD for Static Routes


Static routes do not have a detection mechanism. When the network fails, the administrator needs
to check the static routes manually.
Through BFD for static routes, the BFD session can be used to detect the status of IPv4 static
routes on a public network. The RM module determines whether the static route is available
according to the BFD session status.
NOTE

For details on how to configure BFD for static routes, see Configuring BFD for IPv4 Static Routes on a
Public Network in the AC6605 Access Controller Configuration Guide - IP Routing.

BFD for Routing Protocols


BFD uses the local discriminator and remote discriminator to differentiate multiple BFD sessions
between the same pair of systems. OSPF supports dynamic setup of BFD sessions.
A BFD session dynamically triggered by a routing protocol is implemented as follows:
l The local discriminator is allocated automatically.
l The remote discriminator is learned by the local end.

When the neighbor relationship of a routing protocol is set up successfully, the routing protocol
requests BFD to establish a BFD session through the RM module. Faults in the neighbor
relationship can then be detected rapidly. The detection parameters of the BFD session are
negotiated by both ends through the routing protocol.
When a BFD session detects a fault, the BFD session becomes Down. BFD triggers route
convergence through the RM module.
When the neighbor is unreachable, the routing protocol requests BFD to delete the session
through the RM module.

Dynamically Changing Values of BFD Parameters


After a BFD session is set up, you can change the values of related parameters, such as the
expected interval for sending BFD packets, the minimum interval for receiving BFD packets,
and local detection multiplier, without affecting the status of the session.
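The following Python script is an added example, not AC6605 or VRP code, that makes the discriminator and timer rules above concrete. It encodes and decodes the mandatory section of a BFD control packet (RFC 5880), applies the receive-side checks that discard a packet whose Your Discriminator does not match the local discriminator (the rule that the local discriminator at one end must equal the remote discriminator at the other), enforces the TTL 255 rule for single-hop sessions (RFC 5881), and derives the actual transmit interval and detection time that the two ends negotiate from their minimum intervals and detection multipliers. The session values (discriminators 22/11, 1000 ms intervals, multiplier 3, port 3784, TTL 255) are taken from the display output in this chapter; the Session class and its field names are assumptions for the example, and how the AC6605 implements these checks internally is not described in this guide.

```python
import random
import struct
from dataclasses import dataclass

# Constants from RFC 5880/5881. The port and the single-hop TTL also appear
# in the AC6605 display output ("Destination Port : 3784", "TTL : 255").
BFD_CTRL_PORT = 3784
BFD_VERSION = 1
STATE_ADMIN_DOWN, STATE_DOWN, STATE_INIT, STATE_UP = 0, 1, 2, 3
FLAG_AUTH = 0x04  # A bit in the second header byte


@dataclass
class BfdControl:
    """Mandatory 24-byte section of a BFD control packet (RFC 5880, 4.1)."""
    state: int
    detect_mult: int
    my_discr: int
    your_discr: int
    min_tx_us: int  # Desired Min TX Interval, microseconds
    min_rx_us: int  # Required Min RX Interval, microseconds
    diag: int = 0
    min_echo_rx_us: int = 0

    def encode(self) -> bytes:
        b0 = (BFD_VERSION << 5) | (self.diag & 0x1F)
        b1 = (self.state & 0x3) << 6  # P/F/C/A/D/M flags all clear
        return struct.pack("!BBBBIIIII", b0, b1, self.detect_mult, 24,
                           self.my_discr, self.your_discr,
                           self.min_tx_us, self.min_rx_us, self.min_echo_rx_us)

    @classmethod
    def decode(cls, raw: bytes) -> "BfdControl":
        if len(raw) < 24:
            raise ValueError("packet shorter than the mandatory section")
        (b0, b1, mult, length, my_d, your_d,
         tx, rx, echo) = struct.unpack("!BBBBIIIII", raw[:24])
        if b0 >> 5 != BFD_VERSION or length < 24 or length > len(raw):
            raise ValueError("bad version or length field")
        if b1 & FLAG_AUTH and length < 26:
            raise ValueError("A bit set but no authentication section")
        return cls(state=(b1 >> 6) & 0x3, detect_mult=mult, my_discr=my_d,
                   your_discr=your_d, min_tx_us=tx, min_rx_us=rx,
                   diag=b0 & 0x1F, min_echo_rx_us=echo)


@dataclass
class Session:
    """Local view of one statically configured session (assumed layout)."""
    local_discr: int   # value given with 'discriminator local'
    remote_discr: int  # value given with 'discriminator remote'
    min_tx_us: int
    min_rx_us: int
    detect_mult: int
    single_hop: bool


def validate_rx(sess: Session, pkt: BfdControl, ip_ttl: int) -> str:
    """Return 'ok', or the reason the received packet must be discarded.

    Order follows RFC 5880 6.8.6 plus the RFC 5881 TTL rule: a sender that
    is not on the link cannot deliver a packet whose TTL is still 255, so
    spoofed single-hop packets are dropped before discriminators are read.
    """
    if sess.single_hop and ip_ttl != 255:
        return "ttl-not-255"
    if pkt.detect_mult == 0 or pkt.my_discr == 0:
        return "zero-mult-or-my-discr"
    if pkt.your_discr == 0 and pkt.state not in (STATE_DOWN, STATE_ADMIN_DOWN):
        return "your-discr-zero-while-not-down"
    if pkt.your_discr not in (0, sess.local_discr):
        return "your-discr-mismatch"  # peer's remote discr != our local discr
    if pkt.my_discr != sess.remote_discr:
        return "my-discr-mismatch"    # peer's local discr != our remote discr
    return "ok"


def negotiate(sess: Session, pkt: BfdControl) -> tuple:
    """Actual transmit interval and detection time in ms (RFC 5880 6.8.2/6.8.4).

    Each side sends no faster than the peer can receive, and declares Down
    after the peer's multiplier times the slower interval of the pair, so
    3 x 1000 ms gives the 'Detect Interval (ms) : 3000' in the display output.
    """
    tx_ms = max(sess.min_tx_us, pkt.min_rx_us) // 1000
    detect_ms = pkt.detect_mult * max(sess.min_rx_us, pkt.min_tx_us) // 1000
    return tx_ms, detect_ms


def down_interval_ms(rng=random) -> int:
    """Interval used while the session is Down: a random 1000-3000 ms, as this
    guide describes, so an unreachable peer is not polled at the fast rate."""
    return rng.randint(1000, 3000)


if __name__ == "__main__":
    # Constructed values mirroring session bfd1 in the display output above.
    local = Session(22, 11, 1_000_000, 1_000_000, 3, single_hop=True)
    from_peer = BfdControl(STATE_UP, 3, my_discr=11, your_discr=22,
                           min_tx_us=1_000_000, min_rx_us=1_000_000)
    wire = from_peer.encode()
    print(validate_rx(local, BfdControl.decode(wire), ip_ttl=255),
          negotiate(local, from_peer))  # ok (1000, 3000)
```

The same validate_rx applies to a multi-hop session with single_hop=False, where the TTL check is skipped (the multi-hop display output in this chapter shows TTL 253), which is why the peer and source addresses must be bound correctly for those sessions: the discriminator match is then the only check that ties a packet to its session.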

9.2.3 Configuring Single-hop BFD


A single-hop BFD session rapidly detects faults on direct links over a network.


Establishing the Configuration Task


Before configuring a single-hop BFD session, familiarize yourself with the applicable
environment, complete the pre-configuration tasks, and obtain the required data.

Applicable Environment
To fast check directly connected links, configure single-hop BFD.

Pre-configuration Tasks
Before configuring single-hop BFD, complete the following tasks:
l Connecting each interface correctly
l Configuring IP addresses for Layer 3 interfaces

Data Preparation
To configure single-hop BFD, you need the following data.
No.  Data
1    BFD configuration name
2    Peer IP address, local interface type and number for the directly-connected link
     detected by BFD, and default multicast address used by BFD if it checks the physical
     layer status of the link
3    BFD session parameters: local and remote discriminators

Enabling BFD Globally


Context
Do as follows on AC6605s at both ends of the link to be detected.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
bfd

BFD is enabled globally and the BFD view is displayed.


By default, BFD is disabled globally. Before configuring the BFD functions, you must enable
BFD globally; otherwise, the configuration fails.
----End

(Optional) Setting the Multicast IP Address of BFD


Context
Do as follows on AC6605s at both ends of the link to be detected.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
bfd

The BFD view is displayed.


Step 3 Run:
default-ip-address ip-address

The multicast IP address of BFD is set.


To implement single-hop BFD on a Layer 2 forwarding link, BFD needs to use a multicast IP
address. By default, BFD uses the multicast IP address 224.0.0.184.
NOTE

l If this multicast IP address is used by other protocols on the network, you must change the multicast
IP address. The AC6605s at both ends of the BFD session must use the same multicast IP address.
l If multiple BFD sessions exist on a path, for example, Layer 3 interfaces are connected through Layer
2 switching devices that support BFD, you must configure different default multicast IP addresses for
the devices where different BFD sessions are established. In this manner, BFD packets can be correctly
forwarded.

----End

Creating a BFD Session


Context
Do as follows on AC6605s at both ends of the link to be detected.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run the following command as required.
l If the VLANIF interface has an IP address, run:
bfd cfg-name bind peer-ip peer-ip [ vpn-instance vpn-instance-name ] [ interface interface-type interface-number ] [ source-ip source-ip ]

When creating a single-hop BFD session for the first time, you must bind the single-hop
BFD session to the peer IP address and the local address. In addition, the configuration
of the single-hop BFD session cannot be changed after being created.
When BFD configuration items are created, the system checks only the format of the IP
address rather than the correctness. A BFD session cannot be established if an incorrect
peer IP address or source IP address is bound.
When BFD and URPF are used together, URPF checks the source IP address of the
received BFD packets. In this case, you need to specify the correct source IP address of
BFD packets by setting the source-ip parameter when binding a BFD session to prevent
BFD packets from being discarded incorrectly.
l For a Layer 2 interface, run:
bfd cfg-name bind peer-ip default-ip interface interface-type interface-number [ source-ip source-ip ]
Step 3 Set the discriminators.
l Run:
discriminator local discr-value

The local discriminator is set.


l Run:
discriminator remote discr-value

The remote discriminator is set.


When you set the discriminators, ensure that the local discriminator at the local end is the same
as the remote discriminator at the peer end; otherwise, the BFD session fails to be set up. After
local and remote discriminators are set successfully, they cannot be modified.
NOTE

For the BFD sessions that use the default multicast IP address, the local and remote discriminators must
be different.

Step 4 Run:
commit

The configuration is committed.


----End

Checking the Configuration


Procedure
l Run the display bfd interface [ interface-type interface-number ] command to check
information about the interface where BFD is enabled.

----End

Example
Run the display bfd interface command, and you can view information about the BFD session
on a specified interface.
<Quidway> display bfd interface GigabitEthernet0/0/1
--------------------------------------------------------------------------------
Interface Name                   MIndex     Sess-Count     BFD-State
--------------------------------------------------------------------------------
GigabitEthernet0/0/1             1025       1              up

9.2.4 Configuring the Multi-Hop BFD


By configuring a multi-hop BFD session, you can fast detect and monitor multi-hop links on a
network.

Establishing the Configuration Task


Before configuring a multi-hop BFD session, familiarize yourself with the applicable
environment and data preparation.

Applicable Environment
To rapidly detect faults that occur in IP forwarding over a multi-hop path, configure multi-hop BFD.

Pre-configuration Tasks
Before configuring multi-hop BFD, complete the following tasks:
l Correctly connecting each interface and configuring IP addresses for them
l Configuring a routing protocol to ensure that the network layer is reachable

Data Preparation
To configure multi-hop BFD, you need the following data.
No.  Data
1    Remote IP address
2    BFD configuration name
3    BFD session parameters: local discriminator and remote discriminator

Enabling BFD Globally


You can perform related BFD configurations only after enabling BFD globally.

Context
Perform the following procedure on the Switch:

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
bfd

BFD is enabled globally and the BFD view is displayed.


----End

Creating a BFD Session


Context
If Unicast Reverse Path Forwarding (URPF) is enabled on a device on the transmission path of
BFD packets, this device checks the source IP address of the BFD packets. In this case, you can
specify the correct source IP address of BFD packets by setting the source-ip parameter when
creating a BFD session to prevent BFD packets from being discarded.
Do as follows on AC6605s at both ends of the link to be detected.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
bfd cfg-name bind peer-ip peer-ip [ vpn-instance vpn-instance-name ] [ source-ip
source-ip ]

A BFD session is created.


l When creating a BFD session for the first time, you must bind the BFD session to the peer
IP address. In addition, the configuration of the BFD session cannot be changed after being
created.
l When the BFD configuration items are created, the system checks only the format of the IP
address rather than the correctness. A BFD session cannot be established if an incorrect peer
IP address or source IP address is bound.
l When BFD and URPF are used together, URPF checks the source IP address of the received
BFD packets. In this case, you need to specify the correct source IP address of BFD packets
by setting the source-ip parameter when creating a BFD session to prevent BFD packets
from being discarded incorrectly.
Step 3 Set the discriminators.
l Run:
discriminator local discr-value

The local discriminator is set.


l Run:
discriminator remote discr-value

The remote discriminator is set.


NOTE

When you set the discriminators, ensure that the local discriminator at the local end is the same as the
remote discriminator at the peer end; otherwise, the BFD session fails to be set up.

Step 4 Run:
commit

The configuration is committed.


----End

Checking the Configuration


Procedure
l Run the display bfd configuration { all | static [ for-ip | name cfg-name ] |
discriminator local-discr-value | dynamic | peer-ip peer-ip [ vpn-instance vpn-name ] |
static-auto } [ verbose ] command to check the configuration of BFD.
l Run the display bfd session { { all | static } [ for-ip ] | discriminator discr-value |
dynamic | peer-ip peer-ip [ vpn-instance vpn-name ] | static-auto } [ verbose ] command
to check information about a BFD session.
l Run the display bfd statistics session { { all | static } [ for-ip ] | discriminator
discr-value | dynamic | peer-ip peer-ip [ vpn-instance vpn-name ] | static-auto } command to
check the statistics on a BFD session.

----End

Example
Run the display bfd configuration command, and you can view the configuration of a BFD
session.
<Quidway> display bfd configuration static name bfd1 verbose
--------------------------------------------------------------------------------
BFD Session Configuration Name : bfd1
--------------------------------------------------------------------------------
Local Discriminator    : 20
Remote Discriminator   : 10
BFD Bind Type          : Interface(Vlanif110)
Bind Session Type      : Static
Bind Peer IP Address   : 11.1.1.1
Bind Interface         : Vlanif110
TOS-EXP                : 7
Local Detect Multi     : 3
Min Tx Interval (ms)   : 1000
Min Rx Interval (ms)   : 1000
Proc Interface Status  : Disable
WTR Interval (ms)      : -
Bind Application       : No Application Bind
Session Description    : -
--------------------------------------------------------------------------------

Run the display bfd session command, and you can view information about a BFD session.
<Quidway> display bfd session discriminator 22 verbose
--------------------------------------------------------------------------------
Session MIndex : 4096             (One Hop) State : Up         Name : bfd1
--------------------------------------------------------------------------------
Local Discriminator    : 22
Remote Discriminator   : 11
Session Detect Mode    : Asynchronous Mode Without Echo Function
BFD Bind Type          : Interface(GigabitEthernet0/0/1)
Bind Session Type      : Static
Bind Peer IP Address   : 224.0.0.184
NextHop Ip Address     : 224.0.0.184
Bind Interface         : GigabitEthernet0/0/1
FSM Board Id           : 0
TOS-EXP                : 7
Min Tx Interval (ms)   : 1000
Min Rx Interval (ms)   : 1000
Actual Tx Interval (ms): 1000
Actual Rx Interval (ms): 1000
Local Detect Multi     : 3
Detect Interval (ms)   : 3000
Echo Passive           : Disable
Acl Number             : -
Destination Port       : 3784
TTL                    : 255
Proc Interface Status  : Disable
Process PST            : Disable
WTR Interval (ms)      : -
Local Demand Mode      : Disable
Active Multi           : 3
Last Local Diagnostic  : No Diagnostic
Bind Application       : No Application Bind
Session TX TmrID       : 16394
Session Detect TmrID   : 16395
Session Init TmrID     : -
Session WTR TmrID      : -
Session Echo Tx TmrID  : -
PDT Index              : FSM-0 | RCV-0 | IF-0 | TOKEN-0
Session Description    : -
--------------------------------------------------------------------------------

Run the display bfd statistics session command, and you can view statistics about a BFD session.
<Quidway> display bfd statistics session all
--------------------------------------------------------------------------------
Session MIndex : 4096             (One Hop) State : Up         Name : bfd1
--------------------------------------------------------------------------------
Session Type                 : Static
Bind Type                    : IP
Local/Remote Discriminator   : 22/11
Received Packets             : 178
Send Packets                 : 177
Received Bad Packets         : 0
Send Bad Packets             : 0
Down Count                   : 0
ShortBreak Count             : 0
Send Lsp Ping Count          : 0
Dynamic Session Delete Count : 0
Create Time                  : 2007/10/14 22:26:53
Last Down Time               : 0000/00/00 00:00:00
Total Time From Last DOWN    : ---D:--H:--M:--S
Total Time From Create       : 000D:00H:03M:03S
--------------------------------------------------------------------------------
Total Session Number : 1

9.2.5 Configuring a BFD Session with Automatically Negotiated Discriminators

A static BFD session with automatically negotiated discriminators is configured to check the
interworking between a device and another device on which a BFD session has been dynamically
established. The static BFD session with automatically negotiated discriminators is applicable
to static routes.

Establishing the Configuration Task


Before configuring a static BFD session with automatically negotiated discriminators,
familiarize yourself with the applicable environment, complete the pre-configuration tasks, and
obtain data required for the configuration.

Applicable Environment
If the remote device uses a dynamic BFD session, create a static BFD session with automatically
negotiated discriminators on the local device so that it can interwork with the remote device and
a static route can track the BFD session.

Pre-configuration Tasks
Before configuring a BFD session with automatically negotiated discriminators, complete the
following tasks:
l Correctly connecting interfaces
l Correctly configuring an IP address for a Layer 3 interface

Data Preparation
To complete the configuration, you need the following data.
No.  Data
1    Name of a BFD session
2    IP addresses of the local and remote ends of the link checked by BFD, and name and
     number of the local interface

Enabling BFD Globally


You can perform related BFD configurations only after enabling BFD globally.

Context
Perform the following procedure on the Switch that uses a static BFD session with automatically
negotiated discriminators to detect link faults:

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
bfd

BFD is enabled globally and the BFD view is displayed.


----End

Configuring a Static BFD Session with Automatically Negotiated Discriminators


Context
Do as follows on the Switch where the static BFD session with automatically negotiated
discriminators is used to detect the link.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
bfd cfg-name bind peer-ip ip-address [ vpn-instance vpn-name ] [ interface interface-type interface-number ] source-ip ip-address auto

A BFD session is created; its parameters differ according to the type of the detected link.
When creating the BFD session, note the following:
l When creating a single-hop BFD session for the first time, you must bind the single-hop BFD
session to the peer IP address and the local address. In addition, the configuration of the
single-hop BFD session cannot be changed after being created.
l The source IP address must be specified.
l The peer IP address must be specified; the multicast IP address cannot be used.
----End
----End

Checking the Configuration


Context
The configurations of creating a static BFD session with automatically negotiated discriminators
are complete.

Procedure
Step 1 Run the display bfd session { all | static | dynamic | discriminator discr-value | peer-ip
peer-ip [ vpn-instance vpn-name ] } [ verbose ] command to check information about a BFD session.
----End

Example
# Display detailed information about all the BFD sessions.
<Quidway> display bfd session all verbose
--------------------------------------------------------------------------------
Session MIndex : 258              (Multi Hop) State : Up       Name : bfd1
--------------------------------------------------------------------------------
Local Discriminator    : 8192
Remote Discriminator   : 8192
Session Detect Mode    : Asynchronous Mode Without Echo Function
BFD Bind Type          : Peer IP Address
Bind Session Type      : Static_Auto
Bind Peer IP Address   : 11.1.1.1
Bind Interface         : -
Bind Source IP Address : 11.1.1.2
FSM Board Id           : 0
TOS-EXP                : 7
Min Tx Interval (ms)   : 1000
Min Rx Interval (ms)   : 1000
Actual Tx Interval (ms): 1000
Actual Rx Interval (ms): 1000
Local Detect Multi     : 3
Detect Interval (ms)   : 3000
Echo Passive           : Disable
Acl Number             : -
Destination Port       : 3784
TTL                    : 253
Proc Interface Status  : Disable
WTR Interval (ms)      : -
Active Multi           : 3
Last Local Diagnostic  : No Diagnostic
Bind Application       : AUTO
Session TX TmrID       : -
Session Detect TmrID   : -
Session Init TmrID     : -
Session WTR TmrID      : -
Session Echo Tx TmrID  : -
PDT Index              : FSM-0 | RCV-0 | IF-0 | TOKEN-0
Session Description    : -
--------------------------------------------------------------------------------
Total UP/DOWN Session Number : 1/0

You can view that a BFD session with the type as Static_Auto is established. The local
discriminator and the remote discriminator of this BFD session are 8192 and 8192 respectively,
which are obtained through automatic negotiation.

9.2.6 Adjusting BFD Parameters


Adjusting BFD parameters allows a BFD session to check network links effectively and quickly.

Establishing the Configuration Task


Before adjusting BFD parameters, familiarize yourself with the applicable environment and
complete pre-configuration task for a BFD session, and obtain data required for configuring the
BFD session.

Applicable Environment
After a BFD session is set up, the sending interval, receiving interval, and local detection
multiplier are adjusted on the basis of network status and performance requirements.
The Wait to Recovery (WTR) time for a BFD session is set to prevent frequent master/slave
switchovers caused by BFD session flapping.
The description of a BFD session is added to describe a link monitored by a BFD session.
If none of the preceding parameters is set, the default configurations are used.

Pre-configuration Tasks
Before adjusting BFD parameters, you need to set up a BFD session.

Data Preparation
To adjust BFD parameters, you need the following data.
No.  Data
1    BFD configuration name
2    Local intervals at which BFD packets are sent and received
3    Local BFD detection multiplier
4    Priority of BFD packets

Adjusting the BFD Detection Time


Context
To reduce the usage of system resources, when the BFD session becomes Down, the system sets
the intervals for sending and receiving BFD packets at the local end to a random value between
1000 and 3000 milliseconds. When the BFD session recovers, the intervals set by the user are
used again.
Do as follows on the AC6605.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
bfd configuration-name

The BFD session view is displayed.


Step 3 Run:
min-tx-interval interval

The expected interval for sending BFD packets is set.


By default, the interval for sending BFD control packets is 1000 ms.
Step 4 Run:
detect-multiplier multiplier

The local detection time multiplier is set.


By default, the local detection multiplier is 3.
Step 5 Run:
commit

The configuration takes effect.


----End

Adding the Description of a BFD Session


Descriptions of BFD sessions help you distinguish between different BFD sessions.

Context
NOTE

The description command takes effect only on statically configured BFD sessions, not on BFD
sessions that are created dynamically or BFD sessions that use automatically negotiated
discriminators.

Perform the following procedure on the Switch:

Procedure
Step 1 Run:
system-view

The system view is displayed.



Step 2 Run:
bfd cfg-name

The BFD session view is displayed.


Step 3 Run:
description description

The description of a BFD session is added.


description is a string of 1 to 51 characters.
The default description of a BFD session is Null.
You can run the undo description command to delete the description of a BFD session.
----End

Configuring the BFD WTR


The Wait to Recovery (WTR) time for a BFD session is used to prevent frequent master/slave
switchovers triggered by BFD session flapping.

Context
The WTR time for a BFD session is used to prevent frequent master/slave switchovers caused
by BFD session flapping. If a BFD session changes from Down to Up, BFD reports the change
to an upper-layer application after the WTR time expires.
Do as follows on the Switch:

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
bfd cfg-name

The BFD session view is displayed.


Step 3 Run:
wtr wtr-value

The WTR is configured.


By default, the WTR is 0.
Step 4 Run:
commit

The configuration takes effect.


----End

Setting the Priority of BFD Packets


Context
You can change the priority of BFD packets to:
l Check whether packets of different priorities on the same link can be forwarded.
l Ensure that BFD packets with a higher priority are forwarded first.

Do as follows on the AC6605.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
bfd configuration-name

The BFD session view is displayed.


Step 3 Run:
tos-exp tos

The priority of BFD packets is set.


By default, the priority of BFD packets is 7, which is the highest priority. The value 0 is the
lowest priority.
Step 4 Run:
commit

The configuration takes effect.


----End

Checking the Configuration


Procedure
Step 1 Run the display bfd configuration { all | static [ for-ip | name cfg-name ] | discriminator
local-discr-value | dynamic | peer-ip peer-ip [ vpn-instance vpn-name ] | static-auto }
[ verbose ] commands to check the configuration of BFD.
Step 2 Run the display bfd session { { all | static } [ for-ip ] | discriminator discr-value | dynamic |
peer-ip peer-ip [ vpn-instance vpn-name ] | static-auto } [ verbose ] command to check
information about a BFD session.
----End

Example
# Run the display bfd configuration command, and you can view the configuration of BFD.
<Quidway> display bfd configuration static for-ip verbose
--------------------------------------------------------------------------------
BFD Session Configuration Name : bfd2
--------------------------------------------------------------------------------
Local Discriminator    : 20
Remote Discriminator   : 10
BFD Bind Type          : Interface(Vlanif110)
Bind Session Type      : Static
Bind Peer IP Address   : 11.1.1.1
Bind Interface         : Vlanif110
TOS-EXP                : 7
Local Detect Multi     : 3
Min Tx Interval (ms)   : 1000
Min Rx Interval (ms)   : 1000
Proc Interface Status  : Disable
WTR Interval (ms)      : -
Bind Application       : No Application Bind
Session Description    : -
--------------------------------------------------------------------------------
Total Commit/Uncommit CFG Number : 1/0

Run the display bfd session command, and you can view information about a BFD session.
<Quidway> display bfd session all for-ip verbose
--------------------------------------------------------------------------------
Session MIndex : 258              (One Hop) State : Up         Name : bfd2
--------------------------------------------------------------------------------
Local Discriminator    : 20
Remote Discriminator   : 10
Session Detect Mode    : Asynchronous Mode Without Echo Function
BFD Bind Type          : Interface(Vlanif110)
Bind Session Type      : Static
Bind Peer IP Address   : 11.1.1.1
NextHop Ip Address     : 11.1.1.1
Bind Interface         : Vlanif110
FSM Board Id           : 0
TOS-EXP                : 7
Min Tx Interval (ms)   : 1000
Min Rx Interval (ms)   : 1000
Actual Tx Interval (ms): 1000
Actual Rx Interval (ms): 1000
Local Detect Multi     : 3
Detect Interval (ms)   : 3000
Echo Passive           : Disable
Acl Number             : -
Destination Port       : 3784
TTL                    : 255
Proc Interface Status  : Disable
WTR Interval (ms)      : -
Active Multi           : 3
Last Local Diagnostic  : No Diagnostic
Bind Application       : No Application Bind
Session TX TmrID       : 4491
Session Detect TmrID   : 4492
Session Init TmrID     : -
Session WTR TmrID      : -
Session Echo Tx TmrID  : -
PDT Index              : FSM-0 | RCV-0 | IF-0 | TOKEN-0
Session Description    : -
--------------------------------------------------------------------------------
Total UP/DOWN Session Number : 1/0

9.2.7 Configuring the Interval at Which Trap Messages Are Sent


The interval at which trap messages are sent is set, helping a device to suppress BFD trap
messages.

Establishing the Configuration Task


Before configuring the interval at which trap messages are sent, familiarize yourself with the
applicable environment, complete the pre-configuration tasks, and obtain the data required for
the configuration. This will help you complete the configuration task quickly and accurately.

Applicable Environment
If BFD is enabled with the SNMP trap function, the NMS receives messages indicating that the
BFD session is Up or Down. If the BFD session flaps, the NMS receives a large number of trap
messages. In this case, BFD trap messages need to be suppressed. Setting the interval at which
trap messages are sent prevents a flood of trap messages.

Pre-configuration Tasks
Before configuring the interval at which trap messages are sent, enable BFD globally.

Data Preparation
To configure the interval at which trap messages are sent, you need the following data.
No.  Data
1    Interval at which trap messages are sent

Configuring the Interval at Which Trap Messages Are Sent


When BFD sessions flap, the NMS receives a great number of trap messages. The interval at
which trap messages are sent is set, helping a device suppress trap messages.

Context
Do as follows on the Switch that needs to be configured with the interval at which trap messages
are sent:

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
bfd

BFD is enabled globally, and the global BFD view is displayed.


Step 3 Run:
snmp-agent bfd trap-interval interval

The interval at which trap messages are sent is set.


By default, the interval at which trap messages are sent is 120 seconds.
----End

Checking the Configuration


By viewing the interval at which trap messages are sent, you can check whether the
configurations are successful.

Prerequisites
The configurations of the interval at which trap messages are sent are complete.

Procedure
l Run the display current-configuration configuration bfd command to view the
configuration of the BFD trap function.

----End

Example
Run the display current-configuration configuration bfd command, and you can view that
the interval at which trap messages are sent is 300 seconds.
<Quidway> display current-configuration configuration bfd
#
bfd
snmp-agent bfd trap-interval 300
#
return
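The following Python simulation is an added example, not AC6605 or VRP code, that shows what the three knobs described in 9.2.6 and 9.2.7 do to one flapping link: the detection multiplier decides how long a loss burst may last before the session goes Down, the WTR decides which Up transitions the upper-layer application ever sees, and the trap interval limits what reaches the NMS. The packet arrival times are constructed, and the trap suppression is modelled as a minimum spacing between traps for one session, which is an assumption: the guide only states that the interval prevents a flood of traps.

```python
# Constructed control-packet arrival times (ms) at the local end: one packet
# every 1000 ms with two loss bursts, one of 5 s and one of 6 s.
ARRIVALS_MS = [0, 1000, 2000, 7000, 8000, 9000] + list(range(15000, 28000, 1000))
END_MS = 30000


def session_states(arrivals_ms, interval_ms, detect_mult, end_ms):
    """Derive the BFD session's Up/Down transitions from packet arrivals.

    Detection time = detect_mult x interval, so the defaults (3 x 1000 ms)
    give the 'Detect Interval (ms) : 3000' shown in the display output. The
    session is taken as Up on the first packet; the handshake is not modelled.
    """
    detect_ms = detect_mult * interval_ms
    events, state, last = [], "Down", None
    for t in arrivals_ms:
        if state == "Up" and t - last > detect_ms:
            events.append((last + detect_ms, "Down"))  # detection timer expired
            state = "Down"
        if state == "Down":
            events.append((t, "Up"))
            state = "Up"
        last = t
    if state == "Up" and end_ms - last > detect_ms:
        events.append((last + detect_ms, "Down"))
    return events


def apply_wtr(events, wtr_ms, end_ms):
    """Transitions that reach the upper-layer application after the WTR.

    Down is reported at once. Up is reported only once the session has stayed
    Up for wtr_ms, so a link that flaps faster than the WTR never triggers a
    switchover; with wtr_ms = 0 (the default) every transition passes through.
    """
    reported, pending_up, app_state = [], None, "Down"
    for t, state in events:
        if pending_up is not None and pending_up <= t:
            reported.append((pending_up, "Up"))
            app_state, pending_up = "Up", None
        if state == "Up":
            pending_up = t + wtr_ms
        else:
            pending_up = None  # went Down inside the WTR: Up is never reported
            if app_state == "Up":
                reported.append((t, "Down"))
                app_state = "Down"
    if pending_up is not None and pending_up <= end_ms:
        reported.append((pending_up, "Up"))
    return reported


def suppress_traps(events, trap_interval_ms):
    """Model of snmp-agent bfd trap-interval as a minimum spacing between the
    traps of one session (an assumption; the guide gives no exact algorithm)."""
    sent, last = [], None
    for t, state in events:
        if last is None or t - last >= trap_interval_ms:
            sent.append((t, state))
            last = t
    return sent


def compare(detect_mult, wtr_ms, trap_interval_ms):
    """What the session, the application and the NMS each see for one setting."""
    session = session_states(ARRIVALS_MS, 1000, detect_mult, END_MS)
    return {
        "session": session,
        "application": apply_wtr(session, wtr_ms, END_MS),
        "traps": suppress_traps(session, trap_interval_ms),
    }


if __name__ == "__main__":
    for args in ((3, 0, 0), (3, 10000, 10000), (5, 0, 0)):
        print(args, compare(*args))
```

With the defaults (multiplier 3, WTR 0, no trap suppression) the two loss bursts produce two Down/Up cycles that reach both the application and the NMS; a WTR of 10 s hides both cycles from the application, and a multiplier of 5 absorbs the 5 s burst entirely at the cost of detecting the 6 s one 2 s later.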

9.2.8 Maintaining BFD


This section describes how to maintain BFD by deleting BFD statistics, and monitoring BFD
operations.

Clearing BFD Statistics


Deleting previous BFD statistics before collecting BFD statistics within a specified period of
time is recommended.

Context

CAUTION
BFD statistics cannot be restored after being deleted. Exercise caution when using the command.

Procedure
l Run the reset bfd statistics { all | discriminator discr-value } command in the user view
to delete BFD statistics.

----End

Debugging BFD
Debugging is used to troubleshoot BFD performance problems.


Context

CAUTION
Debugging affects system performance. After debugging is complete, run the undo debugging
all command to disable debugging immediately.
If a BFD fault occurs, run the following debugging command in the user view to locate the fault.

Procedure
Step 1 Run the debugging bfd { all | defect-detect | error | event | fsm | ha | packet | process | productinterface | session-management | timer } command in the user view to enable the debugging
of the BFD module.
----End

9.2.9 Configuration Examples


This section provides several configuration examples of BFD.

Example for Configuring Single-Hop BFD on a Layer 2 Interface


Networking Requirements
Interfaces of the AC6605 are Layer 2 interfaces. If you need to detect the connectivity of the
Layer 2 forwarding link between two directly connected AC6605s, configure single-hop BFD,
and bind the BFD session to a multicast IP address and local interface.
As shown in Figure 9-6, a BFD session is created to detect the connectivity of the Layer 2 link
between Switch A and Switch B.
Figure 9-6 Networking diagram of single-hop BFD (for Layer 2 forwarding link): SwitchA GE 0/0/1 <---> GE 0/0/1 SwitchB

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure a BFD session on Switch A to detect the direct link from Switch A to Switch B.
2. Configure a BFD session on Switch B to detect the direct link from Switch B to Switch A.

Data Preparation
To complete the configuration, you need the following data:
l Type and number of the interface bound to the BFD session
l Local and remote identifiers of the BFD session
l Use the default values of the minimum sending interval, the minimum receiving interval, and
the local detection multiplier of BFD control packets.

Procedure
Step 1 Configure single-hop BFD on Switch A.
# Enable BFD on Switch A.
<Quidway> system-view
[Quidway] sysname SwitchA
[SwitchA] bfd
[SwitchA-bfd] quit

# Create a BFD session on Switch A.


[SwitchA] bfd atob bind peer-ip default-ip interface gigabitethernet 0/0/1
[SwitchA-bfd-session-atob] discriminator local 1
[SwitchA-bfd-session-atob] discriminator remote 2
[SwitchA-bfd-session-atob] commit
[SwitchA-bfd-session-atob] quit

Step 2 Configure single-hop BFD on Switch B.


# Enable BFD on Switch B.
<Quidway> system-view
[Quidway] sysname SwitchB
[SwitchB] bfd
[SwitchB-bfd] quit

# Create a BFD session on Switch B.


[SwitchB] bfd btoa bind peer-ip default-ip interface gigabitethernet 0/0/1
[SwitchB-bfd-session-btoa] discriminator local 2
[SwitchB-bfd-session-btoa] discriminator remote 1
[SwitchB-bfd-session-btoa] commit
[SwitchB-bfd-session-btoa] quit

Step 3 Verify the configuration.


After the configuration, run the display bfd session command on Switch A and Switch B, and
you can find that a single-hop BFD session is set up and is in Up state.
Take Switch A for example. The display is as follows:
<SwitchA> display bfd session all verbose
--------------------------------------------------------------------------------
Session MIndex : 4097        (One Hop) State : Up        Name : atob
--------------------------------------------------------------------------------
Local Discriminator    : 1
Remote Discriminator   : 2
Session Detect Mode    : Asynchronous Mode Without Echo Function
BFD Bind Type          : Interface(GigabitEthernet0/0/1)
Bind Session Type      : Static
Bind Peer IP Address   : 224.0.0.184
NextHop Ip Address     : 224.0.0.184
Bind Interface         : GigabitEthernet0/0/1
FSM Board Id           : 0
TOS-EXP                : 7
Min Tx Interval (ms)   : 1000
Min Rx Interval (ms)   : 1000
Actual Tx Interval (ms): 1000
Actual Rx Interval (ms): 1000
Local Detect Multi     : 3
Detect Interval (ms)   : 3000
Echo Passive           : Disable
Acl Number             :
Destination Port       : 3784
TTL                    : 255
Proc Interface Status  : Disable
WTR Interval (ms)      :
Active Multi           : 3
Last Local Diagnostic  : No Diagnostic
Bind Application       : No Application Bind
Session TX TmrID       :
Session Detect TmrID   :
Session Init TmrID     :
Session WTR TmrID      :
Session Echo Tx TmrID  :
PDT Index              : FSM-0 | RCV-0 | IF-0 | TOKEN-0
Session Description    :
--------------------------------------------------------------------------------
Total UP/DOWN Session Number : 1/0

----End

Configuration Files
l Configuration file of Switch A


#
sysname SwitchA
#
bfd
#
bfd atob bind peer-ip default-ip interface GigabitEthernet0/0/1
discriminator local 1
discriminator remote 2
commit
#
return

l Configuration file of Switch B


#
sysname SwitchB
#
bfd
#
bfd btoa bind peer-ip default-ip interface GigabitEthernet0/0/1
discriminator local 2
discriminator remote 1
commit
#
return

Example for Configuring Single-Hop BFD on a VLANIF Interface


Networking Requirements
The AC6605s are connected through the VLANIF interface at Layer 3. To detect the connectivity
of the link between two directly connected AC6605s, you can configure single-hop BFD to bind
the BFD session to the VLANIF interface and its IP address.
As shown in Figure 9-7, a BFD session is created to detect the connectivity of the link between
Switch A and Switch B.
Figure 9-7 Networking diagram for configuring single-hop BFD on a VLANIF interface: SwitchA (VLANIF 13, 10.1.1.5/24) GE 0/0/1 <---> GE 0/0/1 SwitchB (VLANIF 13, 10.1.1.6/24)

Configuration Roadmap
The configuration roadmap is as follows:
1. Create VLAN 13 on Switch A and Switch B.
2. Configure GE 0/0/1 interfaces on Switch A and Switch B as hybrid interfaces.
3. Create VLANIF 13 on Switch A and Switch B and set their IP addresses.
4. Create a BFD session on Switch A to detect the link between Switch A and Switch B.
5. Create a BFD session on Switch B to detect the link between Switch B and Switch A.

Data Preparation
To complete the configuration, you need the following data:
l Numbers of VLANIF interfaces bound to BFD sessions
l IP addresses of VLANIF interfaces
l Local and remote discriminators of BFD sessions
l Default values of minimum intervals for sending BFD control packets, minimum intervals for
receiving BFD control packets, and local detection multipliers

Procedure
Step 1 On Switch A and Switch B, create VLAN 13, configure GE 0/0/1 interfaces as hybrid interfaces,
and add GE 0/0/1 interfaces to VLAN 13.
# Configure Switch A.
<Quidway> system-view
[Quidway] sysname SwitchA
[SwitchA] vlan 13
[SwitchA-vlan13] quit
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port hybrid pvid vlan 13
[SwitchA-GigabitEthernet0/0/1] port hybrid untagged vlan 13
[SwitchA-GigabitEthernet0/0/1] quit

# Configure SwitchB.
<Quidway> system-view
[Quidway] sysname SwitchB
[SwitchB] vlan 13
[SwitchB-vlan13] quit
[SwitchB] interface gigabitethernet 0/0/1
[SwitchB-GigabitEthernet0/0/1] port hybrid pvid vlan 13
[SwitchB-GigabitEthernet0/0/1] port hybrid untagged vlan 13
[SwitchB-GigabitEthernet0/0/1] quit

Step 2 Set IP addresses of VLANIF 13 interfaces so that Switch A can communicate with Switch B at
Layer 3.
# Configure Switch A.
[SwitchA] interface vlanif13
[SwitchA-Vlanif13] ip address 10.1.1.5 24
[SwitchA-Vlanif13] quit

# Configure Switch B.
[SwitchB] interface vlanif13
[SwitchB-Vlanif13] ip address 10.1.1.6 24
[SwitchB-Vlanif13] quit

After the configuration, run the display interface vlanif command on Switch A or Switch B.
You can view that the status of VLANIF 13 is Up.
[SwitchA] display interface vlanif 13
Vlanif13 current state : UP
Line protocol current state : UP
Last line protocol up time : 2012-02-17 02:35:56
Description:HUAWEI, Quidway Series, Vlanif13 Interface
Route Port,The Maximum Transmit Unit is 1500
Internet protocol processing : disabled
IP Sending Frames' Format is PKTFMT_ETHNT_2, Hardware address is 0018-827d-75f5
Current system time: 2012-02-20 11:23:28
Last 300 seconds input rate 0 bits/sec, 0 packets/sec
Last 300 seconds output rate 0 bits/sec, 0 packets/sec
Input: 0 packets, 0 bytes
Output: 0 packets, 0 bytes
Input bandwidth utilization : --
Output bandwidth utilization : --

Step 3 Configure single-hop BFD on Switch A.


# Enable BFD on Switch A.
[SwitchA] bfd
[SwitchA-bfd] quit

# Create a BFD session on SwitchA.


[SwitchA] bfd atob bind peer-ip 10.1.1.6 interface vlanif 13
[SwitchA-bfd-session-atob] discriminator local 1
[SwitchA-bfd-session-atob] discriminator remote 2
[SwitchA-bfd-session-atob] commit
[SwitchA-bfd-session-atob] quit

Step 4 Configure single-hop BFD on Switch B.


# Enable BFD on Switch B.
<Quidway> system-view
[Quidway] sysname SwitchB
[SwitchB] bfd
[SwitchB-bfd] quit

# Create a BFD session on Switch B.


[SwitchB] bfd btoa bind peer-ip 10.1.1.5 interface vlanif 13
[SwitchB-bfd-session-btoa] discriminator local 2
[SwitchB-bfd-session-btoa] discriminator remote 1
[SwitchB-bfd-session-btoa] commit
[SwitchB-bfd-session-btoa] quit

Step 5 Verify the configuration.


After the configuration, run the display bfd session command on Switch A and Switch B. You
can view that the single-hop BFD session is set up and the status is Up.
Take the display on Switch A as an example.
<SwitchA> display bfd session all verbose
--------------------------------------------------------------------------------
Session MIndex : 4097        (One Hop) State : Up        Name : atob
--------------------------------------------------------------------------------
Local Discriminator    : 1
Remote Discriminator   : 2
Session Detect Mode    : Asynchronous Mode Without Echo Function
BFD Bind Type          : Interface(Vlanif13)
Bind Session Type      : Static
Bind Peer IP Address   : 10.1.1.6
Bind Interface         : Vlanif13
FSM Board Id           : 0
TOS-EXP                : 7
Min Tx Interval (ms)   : 1000
Min Rx Interval (ms)   : 1000
Actual Tx Interval (ms): 1000
Actual Rx Interval (ms): 1000
Local Detect Multi     : 3
Detect Interval (ms)   :
Echo Passive           : Disable
Acl Number             :
Destination Port       : 3784
TTL                    : 255
Proc Interface Status  : Disable
WTR Interval (ms)      :
Active Multi           :
Last Local Diagnostic  : No Diagnostic
Bind Application       : No Application Bind
Session TX TmrID       : 16392
Session Detect TmrID   :
Session Init TmrID     :
Session WTR TmrID      :
Session Echo Tx TmrID  :
PDT Index              : FSM-0 | RCV-0 | IF-0 | TOKEN-0
Session Description    :
--------------------------------------------------------------------------------
Total UP/DOWN Session Number : 0/1

----End

Configuration Files
l Configuration file of Switch A


#
sysname SwitchA
#
vlan batch 13
#
bfd
#
interface Vlanif13
ip address 10.1.1.5 255.255.255.0
#
interface GigabitEthernet0/0/1
port hybrid pvid vlan 13
port hybrid untagged vlan 13
#
bfd atob bind peer-ip 10.1.1.6 interface Vlanif13
discriminator local 1
discriminator remote 2
commit
#
return

l Configuration file of Switch B


#
sysname SwitchB
#
vlan batch 13
#
bfd
#
interface Vlanif13
ip address 10.1.1.6 255.255.255.0
#
interface GigabitEthernet0/0/1
port hybrid pvid vlan 13
port hybrid untagged vlan 13
#
bfd btoa bind peer-ip 10.1.1.5 interface Vlanif13

discriminator local 2
discriminator remote 1
commit
#
return

Example for Configuring Multi-Hop BFD


Networking Requirements
As shown in Figure 9-8, a BFD session is used to test the multi-hop path between Switch A and
Switch C.
Interfaces of the AC6605 are Layer 2 interfaces. To configure multi-hop BFD, you need to add
an interface to a VLAN, create a VLANIF interface, and assign an IP address to the VLANIF
interface.
Figure 9-8 Networking diagram of multi-hop BFD: SwitchA GE 0/0/1 (VLAN 10) <---> GE 0/0/1 SwitchB GE 0/0/2 (VLAN 20) <---> GE 0/0/1 SwitchC

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure a BFD session on Switch A to detect the multi-hop path from Switch A to Switch
C.
2. Configure a BFD session on Switch C to detect the multi-hop path from Switch C to Switch
A.

Data Preparation
To complete the configuration, you need the following data:
l Peer IP address bound to the BFD session
l Local and remote identifiers of the BFD session
l IP address of VLANIF 10 on Switch A: 10.1.1.1/16
l IP address of VLANIF 10 on Switch B: 10.1.1.2/16
l IP address of VLANIF 20 on Switch B: 10.2.1.1/16
l IP address of VLANIF 20 on Switch C: 10.2.1.2/16
l Use the default values of the minimum sending interval, the minimum receiving interval, and
the local detection multiplier of a BFD control packet.
Procedure
Step 1 Add interfaces to VLANs, create VLANIF interfaces, and assign an IP address to each VLANIF
interface.
# Create a VLAN on Switch A and add the interface to the VLAN.
<Quidway> system-view
[Quidway] sysname SwitchA
[SwitchA] vlan batch 10
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port hybrid pvid vlan 10
[SwitchA-GigabitEthernet0/0/1] port hybrid untagged vlan 10
[SwitchA-GigabitEthernet0/0/1] quit

# Create a VLANIF interface and assign an IP address to the VLANIF interface.


[SwitchA] interface vlanif 10
[SwitchA-Vlanif10] ip address 10.1.1.1 16
[SwitchA-Vlanif10] quit

The configurations of Switch B and Switch C are the same as the configuration of Switch A,
and are not mentioned here.
Step 2 Configure a reachable static route between Switch A and Switch C.
[SwitchA] ip route-static 10.2.0.0 16 10.1.1.2

The configuration of Switch C is the same as the configuration of Switch A, and is not mentioned
here.
Step 3 Configure multi-hop BFD on Switch A and Switch C.
# Create a BFD session with Switch C on Switch A.
[SwitchA] bfd
[SwitchA-bfd] quit
[SwitchA] bfd atoc bind peer-ip 10.2.1.2
[SwitchA-bfd-session-atoc] discriminator local 10
[SwitchA-bfd-session-atoc] discriminator remote 20
[SwitchA-bfd-session-atoc] commit
[SwitchA-bfd-session-atoc] quit

# Create a BFD session with Switch A on Switch C.


<Quidway> system-view
[Quidway] sysname SwitchC
[SwitchC] bfd
[SwitchC-bfd] quit
[SwitchC] bfd ctoa bind peer-ip 10.1.1.1
[SwitchC-bfd-session-ctoa] discriminator local 20
[SwitchC-bfd-session-ctoa] discriminator remote 10
[SwitchC-bfd-session-ctoa] commit
[SwitchC-bfd-session-ctoa] quit

Step 4 Verify the configuration.


After the configuration is complete, run the display bfd session command on Switch A and
Switch C, and you can find that a BFD session is set up and is in Up state.
Take Switch A for example. The display is as follows:
<SwitchA> display bfd session all verbose
--------------------------------------------------------------------------------
Session MIndex : 4096        (Multi Hop) State : Up        Name : atoc
--------------------------------------------------------------------------------
Local Discriminator    : 10
Remote Discriminator   : 20
Session Detect Mode    : Asynchronous Mode Without Echo Function
BFD Bind Type          : Peer IP Address
Bind Session Type      : Static
Bind Peer IP Address   : 10.2.1.2
Bind Interface         :
FSM Board Id           : 0
TOS-EXP                : 7
Min Tx Interval (ms)   : 1000
Min Rx Interval (ms)   : 1000
Actual Tx Interval (ms): 1000
Actual Rx Interval (ms): 1000
Local Detect Multi     : 3
Detect Interval (ms)   : 3000
Echo Passive           : Disable
Acl Number             :
Destination Port       : 3784
TTL                    : 255
Proc Interface Status  : Disable
WTR Interval (ms)      :
Active Multi           : 3
Last Local Diagnostic  : Control Detection Time Expired
Bind Application       : No Application Bind
Session TX TmrID       : 16445
Session Detect TmrID   :
Session Init TmrID     : 16447
Session WTR TmrID      :
Session Echo Tx TmrID  :
PDT Index              : FSM-0 | RCV-0 | IF-0 | TOKEN-0
Session Description    :
--------------------------------------------------------------------------------
Total UP/DOWN Session Number : 0/1

----End

Configuration Files
l Configuration file of Switch A


#
sysname SwitchA
#
vlan batch 10
#
bfd
#
interface Vlanif10
ip address 10.1.1.1 255.255.0.0
#
interface GigabitEthernet0/0/1
port hybrid pvid vlan 10
port hybrid untagged vlan 10
#
bfd atoc bind peer-ip 10.2.1.2
discriminator local 10
discriminator remote 20
commit
#
ip route-static 10.2.0.0 255.255.0.0 10.1.1.2
#
return

l Configuration file of Switch B


#
sysname SwitchB
#
vlan batch 10 20
#
interface Vlanif10
ip address 10.1.1.2 255.255.0.0
#
interface Vlanif20
ip address 10.2.1.1 255.255.0.0
#
interface GigabitEthernet0/0/1
port hybrid pvid vlan 10
port hybrid untagged vlan 10
#

interface GigabitEthernet0/0/2
port hybrid pvid vlan 20
port hybrid untagged vlan 20
#
return

l Configuration file of Switch C


#
sysname SwitchC
#
bfd
#
vlan batch 20
#
interface Vlanif20
ip address 10.2.1.2 255.255.0.0
#
interface GigabitEthernet0/0/1
port hybrid pvid vlan 20
port hybrid untagged vlan 20
#
bfd ctoa bind peer-ip 10.1.1.1
discriminator local 20
discriminator remote 10
commit
#
ip route-static 10.1.0.0 255.255.0.0 10.2.1.1
#
return
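
The three BFD examples above all end with the same verification step: reading the display bfd session all verbose output by eye. The following Python script is an added example, not code from the AC6605 guide. It parses that output and applies the checks a practitioner makes after commit on both ends: the session is Up, the local and remote discriminators of the two switches mirror each other, a single-hop session carries TTL 255 (RFC 5881), and the displayed detection interval equals the peer's detection multiplier times the agreed packet interval as defined in RFC 5880 (3 × 1000 ms = 3000 ms in the examples). SWITCHA_VERBOSE is the guide's SwitchA display trimmed to the fields checked; SWITCHB_VERBOSE is a constructed mirror display for SwitchB that the guide does not show.

```python
"""Check a BFD session pair from 'display bfd session all verbose' output.

Added example, not code from the AC6605 guide. SWITCHA_VERBOSE is the guide's
SwitchA display trimmed to the fields checked here; SWITCHB_VERBOSE is a
constructed mirror display for SwitchB that the guide does not show.
"""
import re

SWITCHA_VERBOSE = """\
<SwitchA> display bfd session all verbose
--------------------------------------------------------------------------------
Session MIndex : 4097        (One Hop) State : Up        Name : atob
--------------------------------------------------------------------------------
Local Discriminator    : 1
Remote Discriminator   : 2
BFD Bind Type          : Interface(GigabitEthernet0/0/1)
Min Tx Interval (ms)   : 1000
Min Rx Interval (ms)   : 1000
Local Detect Multi     : 3
Detect Interval (ms)   : 3000
TTL                    : 255
"""

SWITCHB_VERBOSE = """\
<SwitchB> display bfd session all verbose
--------------------------------------------------------------------------------
Session MIndex : 4097        (One Hop) State : Up        Name : btoa
--------------------------------------------------------------------------------
Local Discriminator    : 2
Remote Discriminator   : 1
BFD Bind Type          : Interface(GigabitEthernet0/0/1)
Min Tx Interval (ms)   : 1000
Min Rx Interval (ms)   : 1000
Local Detect Multi     : 3
Detect Interval (ms)   : 3000
TTL                    : 255
"""

# Session header line: "Session MIndex : 4097  (One Hop) State : Up  Name : atob"
HEADER_RE = re.compile(r"\((?P<hops>One|Multi) Hop\)\s*State\s*:\s*(?P<state>\w+)"
                       r"\s*Name\s*:\s*(?P<name>\S+)")
# Any other "Label : value" line; the value may be empty.
FIELD_RE = re.compile(r"^(?P<key>[^:]+?)\s*:\s*(?P<val>.*)$")


def parse_bfd_verbose(text):
    """Return one {field: value} dict per session found in the display output."""
    sessions, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("<") or set(line) == {"-"}:
            continue  # blank line, CLI prompt line, or separator rule
        header = HEADER_RE.search(line)
        if header:
            current = {"Hops": header["hops"], "State": header["state"],
                       "Name": header["name"]}
            sessions.append(current)
            continue
        field = FIELD_RE.match(line)
        if field and current is not None:
            current[field["key"]] = field["val"].strip()
    return sessions


def detection_time_ms(local, peer):
    """Time without control packets after which `local` declares the session
    Down (RFC 5880): the peer's detection multiplier times the larger of the
    local minimum receive interval and the peer's minimum transmit interval."""
    agreed = max(int(local["Min Rx Interval (ms)"]),
                 int(peer["Min Tx Interval (ms)"]))
    return int(peer["Local Detect Multi"]) * agreed


def check_session_pair(a, b):
    """Consistency checks for the two ends of one BFD session; [] means OK."""
    problems = []
    for s in (a, b):
        if s["State"] != "Up":
            problems.append(f"{s['Name']}: state is {s['State']}, not Up")
        if s["Hops"] == "One" and s.get("TTL") != "255":
            problems.append(f"{s['Name']}: single-hop BFD requires TTL 255 (RFC 5881)")
    if (a["Local Discriminator"] != b["Remote Discriminator"]
            or b["Local Discriminator"] != a["Remote Discriminator"]):
        problems.append("discriminators are not mirrored between the two ends")
    for local, peer in ((a, b), (b, a)):
        expected = detection_time_ms(local, peer)
        shown = int(local["Detect Interval (ms)"])
        if shown != expected:
            problems.append(f"{local['Name']}: detect interval {shown} ms, "
                            f"expected {expected} ms")
    return problems


if __name__ == "__main__":
    side_a = parse_bfd_verbose(SWITCHA_VERBOSE)[0]
    side_b = parse_bfd_verbose(SWITCHB_VERBOSE)[0]
    print(check_session_pair(side_a, side_b) or "BFD session pair is consistent")
```

The parser accepts the full verbose output as printed by the switch, including the empty-valued fields and the Total UP/DOWN summary line, so it can be pointed at captured terminal sessions from both ends after each commit.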

9.3 VRRP Configuration


A VRRP backup group allows a backup to take over network traffic from a master if the master
fails.

9.3.1 VRRP Overview


The Virtual Router Redundancy Protocol (VRRP) groups multiple routers into one virtual router,
and sets the default gateway address as the IP address of the virtual router.
All hosts on a network are configured with the same default route to an egress gateway. These
hosts send all packets whose destination addresses are not on the local network segment to the
default egress gateway, such as Switch A in Figure 9-9. The default egress gateway allows the
hosts and external networks to communicate. If the egress gateway is Down, all hosts using this
gateway fail to communicate with external networks.

Figure 9-9 LAN default gateway: SwitchA (10.0.0.1/24) connects the Ethernet LAN to the Network; the hosts with IP addresses 10.0.0.2/24, 10.0.0.3/24 and 10.0.0.4/24 all use Gateway 10.0.0.1

A common method to improve the system reliability is to deploy multiple egress gateways. In
addition, a mechanism for selecting one of routes to these gateways is required.
VRRP is a fault-tolerant protocol defined in RFC 3768. VRRP allows the hosts to select one of
routes to multiple egress gateways by separating logical devices from physical devices.
On a LAN (for example, an Ethernet) with multicast and broadcast capabilities, VRRP uses
logical gateways to provide high availability for transmission links, preventing a gateway failure
from interrupting services, without changing the configuration of routing protocols.

9.3.2 VRRP Features Supported by the AC6605


VRRP features include the VRRP backup group in master/backup mode, VRRP backup group
in load balancing mode, tracking of the interface status, fast VRRP switchover, ping of the virtual
IP address, VRRP security authentication, smooth VRRP switching, and Management Virtual
Router Redundancy Protocol (mVRRP).

Master/Backup Mode
This is the basic VRRP mode for backing up IP addresses. In master/backup mode, a VRRP
backup group consists of a master Switch and multiple backup Switches. The Switches have
different priorities in the backup group, and the Switch with the highest priority serves as the
master Switch.
l The master Switch undertakes all the services in normal conditions.
l The backup Switches undertake the services only when the master Switch fails.

Load Balancing Mode


In the load balancing mode, two or more backup groups are created. Multiple backup groups
undertake services at the same time.
In the load balancing mode, the VRRP backup groups have the following features:
l In the AC6605, a Switch can join several VRRP backup groups and has different priorities
in different backup groups. Multiple virtual Switches carry out load balancing.
l Each backup group consists of a master Switch and several backup Switches.
l The master Switch of each backup group can be different.

Tracking the Interface Status


In the AC6605, the interfaces can be tracked. When the interface status changes, the priority of
the Switch is automatically adjusted. The priorities of Switches in the backup group change and
a new master Switch is elected.

VRRP Fast Switchover


The AC6605 supports bidirectional forwarding detection (BFD), which detects connectivity of
links and routes on the network. VRRP monitors the status of BFD sessions to perform fast
switchover between the master and backup switches. You can configure up to eight BFD
sessions. The switchover can be complete within 1 second. Working with the BFD sessions,
VRRP shortens the duration of the switchover.

Enable/Disable the Ping Function to the Virtual IP Address


Allowing the virtual IP addresses used in a VRRP backup group to be pinged lets you monitor
the operating status of the virtual Switches, but it also exposes the VRRP backup group to ICMP
attacks. On the AC6605, you can run a command to enable the function to ping the virtual IP
address.

VRRP Security Functions


For different security levels of networks, you can set different authentication modes and
authentication keys in the header of VRRP packets.
In a secure network, you can adopt the default configuration. That is, the Switch does not
authenticate the VRRP packets to be sent and received. The Switch considers all the received
packets as real and valid VRRP packets. In this case, no authentication key is required.
VRRP provides simple text authentication and MD5 authentication for networks that are
vulnerable to attacks. In simple text authentication mode, a string of 1 to 8 characters can be
configured as the authentication key. In MD5 authentication mode, a string of 1 to 8 characters
in plain text or a string of 24 characters in encrypted text can be configured as the authentication
key.

9.3.3 Configuring the VRRP Backup Group


By configuring the VRRP backup group in master/backup mode or load balancing mode, you
can implement the communication between hosts inside a LAN and external networks.

Establishing the Configuration Task


Before configuring a VRRP backup group, familiarize yourself with the applicable environment,
complete the pre-configuration tasks, and obtain the required data. This can help you complete
the configuration task quickly and accurately.

Applicable Environment
The VRRP backup group works in master/backup mode or load balancing mode.
l The master/backup switchover is a basic function provided by VRRP. The master/backup
mode is as follows:
  - Only one backup group exists.
  - The Switch with the highest priority in the backup group serves as the master Switch
  and undertakes the services.
  - Except for the master Switch, the other Switches in the backup group serve as backup
  Switches and work in the Backup state.
  - If the master Switch fails, the backup Switches select a new master Switch based on their
  priorities to provide the routing service.
l In the load balancing mode, multiple backup groups are created to share the traffic of a
network. One Switch can join different backup groups. The load balancing mode is as
follows:
  - Switch A serves as the master device in backup group 1 and the backup device in backup
  group 2.
  - Switch B serves as the master device in backup group 2 and the backup device in backup
  group 1.
  - Some hosts on the network use backup group 1 as their gateway and others use backup
  group 2 as their gateway.
  In this case, the two Switches back up each other and share the traffic.
NOTE

VLANIF interfaces support VRRP.

Pre-configuration Tasks
Before configuring the VRRP backup group, complete the following tasks:
l Configuring network layer attributes for the interface to connect the network

Data Preparation
To configure the VRRP backup group, you need the following data:
l Backup group ID
l Virtual IP address of the backup group
l Priorities of Switches in the VRRP backup group

Creating a Backup Group and Configuring a Virtual IP Address


By creating a VRRP backup group, you can use the default gateway address on a LAN to be the
IP address of the VRRP backup group.

Context
Do as follows on each Switch of a backup group:
Procedure
l Run:
system-view

The system view is displayed.

l Run:
interface interface-type interface-number

The interface view is displayed.

l Run:
vrrp vrid virtual-router-id virtual-ip virtual-address

A backup group is created and its virtual IP address is specified.

NOTE

l On the AC6605, VRRP functions can be configured only on VLANIF interfaces.


l The virtual IP address must be in the same network segment as the IP address of the VLANIF
interface.
l Virtual IP addresses of backup groups must be different.
l Both ends of the same backup group must be configured with the same virtual router IDs.
l Virtual router IDs on different interfaces can be the same.

When you assign the first virtual IP address to a VRRP backup group, the system creates
this backup group. Then, when you assign another virtual IP address to the backup group,
the system adds this address into the virtual IP address list of this backup group.
For users who require equivalent VRRP reliability, a backup group can be configured with
multiple virtual IP addresses. Different addresses serve different user groups. This is easy
to manage and can prevent users' default gateway addresses from varying with the VRRP
configuration. A maximum number of 16 virtual IP addresses can be configured for a
backup group.
For a VRRP backup group working in load balancing mode, you need to repeat the procedure to
configure multiple backup groups on an interface. At least two backup groups are required
on an interface. Backup groups are identified by VRIDs, and their virtual IP addresses cannot
be identical.
NOTE

You can configure up to VRRP groups on each interface of the AC6605. To configure 24 VRRP
groups on an interface, you need to set the CPCAR of VRRP packets to 256 kbps.

CAUTION
l When configuring VRRP and static ARP simultaneously on the AC6605, do not use
the IP addresses in the static ARP entries as the virtual IP addresses of VRRP groups.
Otherwise, incorrect host routes are generated, which affects forwarding between
devices.
l The virtual MAC address of a VRRP backup group cannot be configured as a static
MAC address or blackhole MAC address.
l Do not create VRRP groups on the VLANIF interfaces corresponding to super VLANs
because the configuration degrades the system performance.
----End

Configuring Priorities for Interfaces Where a Backup Group Is Created


Configuring priorities for interfaces on which a VRRP backup group is created allows the VRRP
status on an interface to become Master. The master device forwards network traffic.

Context
In master/backup mode, only one backup group is created. Switches have different priorities in
this backup group. The Switch with the highest priority serves as the master and the other Switches
are backups.
In load balancing mode, two or more backup groups are created. Each Switch has different
priorities in different backup groups and plays a role in each backup group according to its
priority there. Setting different priorities on each Switch distributes the masters of the VRRP
backup groups across different Switches.
Do as follows on the interface of each Switch in each backup group:

Procedure
l Run:
system-view

The system view is displayed.

l Run:
interface interface-type interface-number

The VLANIF interface view is displayed.

l Run:
vrrp vrid virtual-router-id priority priority-value

The priority of the Switch in a VRRP backup group is configured.

By default, the priority is 100. Priority 0 is reserved for special purposes. Priority 255 is
reserved for the IP address owner and this priority cannot be configured. A priority ranges
from 1 to 254.
----End
(Optional) Configuring the Mode of Sending VRRP Packets in Super-VLAN


You can configure the mode for sending VRRP advertisement packets for a super VLAN on
VLANIF interfaces as required.

Context
Perform the following steps on a VRRP Switch that is configured with a super-VLAN:

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
interface vlanif vlan-id

The VLAN interface view is displayed.


Step 3 Run:
vrrp advertise send-mode { sub-vlan-id | all }

The mode for sending VRRP advertising messages is configured.


By default, a super VLAN sends VRRP Advertisement packets only to the sub-VLAN with the
smallest VLAN ID among all the sub-VLANs in Up state.
----End

Checking the Configuration


By viewing the status of a VRRP backup group, you can check whether the configurations are
successful.

Prerequisites
The configurations of the VRRP backup group function are complete.

Procedure
l Run the display vrrp [ interface interface-type interface-number [ virtual-router-id ] ]
[ brief ] command to check the status of the VRRP backup group.

----End

Example
In the master/backup mode, after the configuration, you can run the display vrrp command to
view the status of a VRRP backup group.
<Quidway> display vrrp
  Vlanif100 | Virtual Router 1
    State              : Master
    Virtual IP         : 10.1.1.111
    PriorityRun        : 120
    PriorityConfig     : 120
    MasterPriority     : 120
    Preempt            : YES      Delay Time : 20s
    TimerRun           : 1s
    TimerConfig        : 1s
    Auth Type          : NONE
    Virtual Mac        : 0000-5e00-0101
    Check TTL          : YES
    Config type        : normal-vrrp
    Config track link-bfd down-number : 0

In the load balancing mode, after the configuration, you can run the display vrrp command to
view the status of a Switch in different backup groups.
<Quidway> display vrrp
  Vlanif10 | Virtual Router 1
    State              : Master
    Virtual IP         : 10.1.1.111
    PriorityRun        : 120
    PriorityConfig     : 120
    MasterPriority     : 120
    Preempt            : YES      Delay Time : 0s
    TimerRun           : 1s
    TimerConfig        : 1s
    Auth Type          : NONE
    Virtual Mac        : 0000-5e00-0101
    Check TTL          : YES
    Config type        : normal-vrrp
    Config track link-bfd down-number : 0

  Vlanif100 | Virtual Router 2
    State              : Backup
    Virtual IP         : 10.1.1.112
    PriorityRun        : 100
    PriorityConfig     : 100
    MasterPriority     : 120
    Preempt            : YES      Delay Time : 0s
    TimerRun           : 1s
    TimerConfig        : 1s
    Auth Type          : NONE
    Virtual Mac        : 0000-5e00-0102
    Check TTL          : YES
    Config type        : normal-vrrp
    Config track link-bfd down-number : 0


9.3.4 Configuring VRRP to Track the Status of an Interface


By configuring a VRRP backup group to track the interface status, you can implement the backup
function when the interface fails.

Establishing the Configuration Task


Before configuring a VRRP backup group to track interface status, familiarize yourself with the
applicable environment and complete the pre-configuration task of configuring a VRRP backup
group.

Applicable Environment
VRRP tracking interface status provides the backup function when the interface where the VRRP
backup group resides is faulty or when another interface on the Switch is faulty.
Interface status tracking works as follows:
1. When a tracked interface goes Down, the priority of the Switch that houses the interface is
automatically reduced by a specific amount so that it is lower than the priorities of other
Switches in the group.
2. A master/backup switchover within the VRRP backup group is completed. The Switch with
the highest priority becomes the master Switch.

Pre-configuration Tasks
Before configuring VRRP to track the status of an interface, complete the following tasks:
l Configuring network layer attributes for interfaces to connect the network
l Configuring a VRRP backup group

Data Preparation
To configure VRRP to track the status of an interface, you need the following data.
No. | Data
1 | Backup group ID
2 | Interfaces to be tracked and the values by which the priority increases or decreases

Configuring VRRP to Track the Status of an Interface


By configuring a VRRP backup group to track interface status, you can implement the fast VRRP
master/backup switchover.

Context
The backup is performed when other interfaces on a Switch are unavailable. This feature is
required in NAT applications.
Do as follows on the Switch that has an interface to be tracked:

Procedure
l Run:
system-view

The system view is displayed.

l Run:
interface interface-type interface-number

The interface view is displayed.

l Run:
vrrp vrid virtual-router-id track interface interface-type interface-number
[ increased value-increased | reduced value-reduced ]

An interface to be tracked is specified.


By default, when a tracked interface goes Down, the priorities of Switches in the
tracking backup group decrease by 10.
increased value-increased: specifies the value by which a priority increases when the
tracked interface goes Down. The value ranges from 1 to 255. The maximum value of
the priority is 254 because 255 is reserved for only the IP address owner.
reduced value-reduced: specifies the value by which the priority decreases when a
tracked interface goes Down. The value ranges from 1 to 255. The lowest priority that
can be assigned is 1. When the priority is decreased to 1, a VRRP Advertisement packet
with priority 0 is sent. The priority 0 is reserved for system use. When a backup device
receives a VRRP Advertisement packet with the priority 0, it immediately switches to
be the master device.
When a VRRP backup group tracks BFD sessions and interfaces concurrently, the
maximum number of tracked BFD sessions and interfaces is eight.
When a BFD session or an interface tracked by the VRRP backup group goes Down,
the priority of the VRRP backup group may increase or decrease. If it is configured
that the priority always increases every time a BFD session or interface goes Down,
the priority of the VRRP backup group in the Backup state can exceed that in the
Master state when all the tracked BFD sessions or interfaces go Down.
If it is configured that the priority does not always increase every time a BFD session
or interface goes Down, the priority of the VRRP backup group in the Backup state can
exceed that in the Master state as soon as one or some BFD sessions or interfaces go
Down, thus triggering a VRRP fast switchover. The increase of the priority caused by
other BFD sessions or interfaces going Down then has no impact on the VRRP fast
switchover.
NOTE

You can configure up to eight tracked interfaces on a VRRP group. If an AC6605 is the IP address
owner, interfaces of the AC6605 cannot be tracked.

----End
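The priority arithmetic described above (the default reduction of 10, the ceiling of 254, the floor of 1 with the priority-0 Advertisement) and the election that follows from it can be modelled in a few lines. The following Python is an added example written for this section, not code from the AC6605 or from Huawei; the router names and addresses are constructed, the advertise_priority_zero flag is an assumption about how the priority-0 behaviour is surfaced, and the tie-break on the higher primary IP address comes from RFC 3768 rather than from this guide.

```python
"""Model of VRRP priority tracking and master election (added example, not the guide's code)."""
from dataclasses import dataclass, field
from ipaddress import IPv4Address
from typing import List, Tuple

OWNER_PRIORITY = 255     # reserved for the IP address owner
MAX_PRIORITY = 254       # highest priority a non-owner may reach
MIN_PRIORITY = 1         # lowest priority that can be assigned
DEFAULT_REDUCED = 10     # default reduction when a tracked interface goes Down


@dataclass
class TrackedInterface:
    name: str
    up: bool
    mode: str = "reduced"          # "reduced" (default) or "increased", as in the track command
    value: int = DEFAULT_REDUCED   # 1..255

    def __post_init__(self) -> None:
        if self.mode not in ("reduced", "increased") or not 1 <= self.value <= 255:
            raise ValueError("mode must be reduced/increased with a value of 1..255")


@dataclass
class VrrpRouter:
    name: str
    primary_ip: str                # dotted-decimal, used only for the RFC 3768 tie-break
    config_priority: int           # PriorityConfig
    is_ip_owner: bool = False
    tracks: List[TrackedInterface] = field(default_factory=list)


def running_priority(router: VrrpRouter) -> Tuple[int, bool]:
    """Return (PriorityRun, advertise_priority_zero).

    Every tracked interface that is Down adds or subtracts its value; the result is
    clamped to 1..254.  The IP address owner always runs at 255 and its interfaces are
    not tracked.  When a reduction drives the priority down to 1 the guide says an
    Advertisement with priority 0 is sent so a backup takes over at once; ASSUMPTION:
    modelled here as a flag returned to the caller.
    """
    if router.is_ip_owner:
        return OWNER_PRIORITY, False
    prio = router.config_priority
    for t in router.tracks:
        if not t.up:
            prio += t.value if t.mode == "increased" else -t.value
    return max(MIN_PRIORITY, min(MAX_PRIORITY, prio)), prio <= MIN_PRIORITY


def elect_master(routers: List[VrrpRouter]) -> str:
    """Highest running priority wins; a tie goes to the higher primary IP address (RFC 3768)."""
    return max(routers, key=lambda r: (running_priority(r)[0], int(IPv4Address(r.primary_ip)))).name


if __name__ == "__main__":
    # Constructed scenario: SwitchA (120) tracks GE0/0/2, SwitchB (100) tracks nothing.
    a = VrrpRouter("SwitchA", "10.1.1.1", 120,
                   tracks=[TrackedInterface("GigabitEthernet0/0/2", up=False)])
    b = VrrpRouter("SwitchB", "10.1.1.2", 100)
    print(running_priority(a), elect_master([a, b]))
```

The constructed scenario makes the sizing point of this section visible: with the default reduction of 10, SwitchA drops from 120 to 110, which is still above SwitchB's 100, so the interface failure causes no switchover; the reduced value must exceed the priority gap between the two Switches for tracking to have any effect.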

Checking the Configuration


By viewing the status of an interface tracked by a VRRP backup group, you can check whether
the configurations are successful.

Prerequisites
The configurations of enabling VRRP to track the status of an interface are complete.

Procedure
l Run the display vrrp [ interface interface-type interface-number [ virtual-router-id ] ] [ brief ] command to check the VRRP status.

----End

Example
Run the display vrrp command to view the Track IF field and the IF State field.
The Track IF field indicates the type and number of the tracked interface, and the IF State field
indicates the interface status, which is either Up or Down.
<Quidway> display vrrp
  Vlanif100 | Virtual Router 1
    State            : Master
    Virtual IP       : 10.1.1.111
    PriorityRun      : 130
    PriorityConfig   : 130
    MasterPriority   : 130
    Preempt          : YES
    Delay Time       : 0s
    TimerRun         : 1s
    TimerConfig      : 1s
    Auth Type        : NONE
    Virtual Mac      : 0000-5e00-0101
    Check TTL        : YES
    Config type      : normal-vrrp
    Config track link-bfd down-number : 0
    Track IF         : GigabitEthernet0/0/2   priority reduced : 10
    IF State         : UP

9.3.5 Configuring VRRP Security


On a network at security risks, you can protect devices against attacks by configuring an
authentication mode for VRRP packets.

Establishing the Configuration Task


Before configuring VRRP security authentication, familiarize yourself with the applicable
environment and complete pre-configuration task of configuring a VRRP backup group.

Applicable Environment
A Switch on a secure network considers all received and sent VRRP packets real and valid by
default. The router does not authenticate packets, and there is no need to configure an
authentication key.
VRRP provides simple text authentication and MD5 authentication for routers on networks that
are vulnerable to attacks. In simple text authentication mode, a string of 1 to 8 characters can be
configured as an authentication key. In MD5 authentication mode, a string of 1 to 8 characters
in plain text or a string of 24 characters in encrypted text can be configured as the authentication
key.
The process of simple text authentication is as follows:
l The device that sends packets adds the authentication key to the VRRP packets.
l The device that receives packets compares the received authentication key with the local
authentication key. If they are the same, the VRRP packets are valid. Otherwise, the Switch
discards the received VRRP packets and sends a Trap packet to the Network Management
System (NMS).
The process of MD5 authentication is as follows:
l The Switch adds the authentication key to the VRRP packet.
l The receiver generates a summary based on the locally configured authentication key and
compares the summary of the received VRRP packet with the locally generated summary.
If they are the same, the receiver considers the received VRRP packet valid. If they are
different, the receiver considers the received VRRP packet illegal and discards it, and then
reports a trap message to the network management system.
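The two receiver-side checks just described (key comparison for simple text, digest comparison for MD5), together with the hop-count check covered later in this chapter, can be exercised offline against constructed VRRPv2 Advertisement packets. The following Python is an added example, not code from the AC6605 or from Huawei: the packet layout and checksum follow RFC 3768, the simple-text key is carried in the 8-byte authentication field, and the MD5 scheme (a digest of the packet plus the key, appended after the packet, under an authentication type code of 254) is an assumption made for this example, because the guide does not describe Huawei's wire format.

```python
"""Build and verify VRRPv2 Advertisement packets (added example, not the guide's code)."""
import hashlib
import hmac
import struct
from ipaddress import IPv4Address
from typing import Dict, List, Tuple, Union

VRRP_VERSION = 2
TYPE_ADVERTISEMENT = 1
AUTH_NONE = 0          # RFC 3768: no authentication
AUTH_SIMPLE = 1        # simple text, 1..8 characters carried in the 8-byte auth field
AUTH_MD5 = 254         # ASSUMPTION: constructed code for this example, not Huawei's value


def inet_checksum(data: bytes) -> int:
    """16-bit one's complement of the one's complement sum (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(int.from_bytes(data[i:i + 2], "big") for i in range(0, len(data), 2))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def md5_digest(body: bytes, key: bytes) -> bytes:
    """ASSUMPTION: digest = MD5(packet || key), appended after the packet.  This stands
    in for the vendor scheme the guide describes but does not detail."""
    return hashlib.md5(body + key).digest()


def build_advertisement(vrid: int, priority: int, vips: List[str],
                        auth_type: int = AUTH_NONE, key: bytes = b"",
                        adver_int: int = 1) -> bytes:
    """Sender side: header, virtual IP list, 8-byte auth field, checksum, optional digest."""
    if not 0 <= priority <= 255:
        raise ValueError("priority must be 0..255")
    if auth_type == AUTH_SIMPLE and not 1 <= len(key) <= 8:
        raise ValueError("simple text key must be 1..8 characters")
    header = struct.pack("!BBBBBBH", (VRRP_VERSION << 4) | TYPE_ADVERTISEMENT,
                         vrid, priority, len(vips), auth_type, adver_int, 0)
    addresses = b"".join(IPv4Address(v).packed for v in vips)
    auth_data = key.ljust(8, b"\x00") if auth_type == AUTH_SIMPLE else b"\x00" * 8
    body = header + addresses + auth_data
    body = body[:6] + struct.pack("!H", inet_checksum(body)) + body[8:]
    if auth_type == AUTH_MD5:
        body += md5_digest(body, key)
    return body


def verify_advertisement(packet: bytes, ttl: int, local_auth_type: int = AUTH_NONE,
                         local_key: bytes = b"", check_ttl: bool = True
                         ) -> Tuple[bool, Union[str, Dict]]:
    """Receiver side: apply the checks the guide describes; return (accepted, reason_or_fields)."""
    # Hop-count check (RFC 3768): a packet that crossed a router cannot arrive with TTL 255.
    if check_ttl and ttl != 255:
        return False, "ttl is not 255"
    if local_auth_type == AUTH_MD5:
        body, digest = packet[:-16], packet[-16:]
    else:
        body, digest = packet, b""
    # A correctly checksummed message sums to zero when the checksum field is included.
    if len(body) < 16 or inet_checksum(body) != 0:
        return False, "bad checksum"
    vt, vrid, priority, count, auth_type, adver_int, _ = struct.unpack("!BBBBBBH", body[:8])
    if vt != (VRRP_VERSION << 4) | TYPE_ADVERTISEMENT:
        return False, "not a VRRPv2 advertisement"
    if len(body) != 8 + 4 * count + 8:
        return False, "length mismatch"
    # All members must use the same mode, as the guide requires; anything else is discarded.
    if auth_type != local_auth_type:
        return False, "auth type mismatch"
    # Constant-time comparisons so a wrong key is not distinguishable by timing.
    if auth_type == AUTH_SIMPLE and not hmac.compare_digest(body[-8:], local_key.ljust(8, b"\x00")):
        return False, "auth key mismatch"
    if auth_type == AUTH_MD5 and not hmac.compare_digest(digest, md5_digest(body, local_key)):
        return False, "auth digest mismatch"
    vips = [str(IPv4Address(body[8 + 4 * i:12 + 4 * i])) for i in range(count)]
    return True, {"vrid": vrid, "priority": priority, "vips": vips, "adver_int": adver_int}
```

A rejected packet is the point at which a real Switch sends the trap described above; the reason string returned here is the information that trap would carry. Note that the simple text mode, as the guide says, only compares the key bytes carried in the packet, so it protects against misconfiguration rather than against an on-link observer.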

Pre-configuration Tasks
Before configuring the VRRP security function, complete the following tasks:
l Configuring network layer attributes for interfaces to connect the network
l Configuring the VRRP backup group

Data Preparation
To configure the VRRP security function, you need the following data.
No. | Data
1 | Backup group ID
2 | Virtual IP address of the backup group
3 | Authentication key of the VRRP packet

Configuring the Authentication Mode of VRRP Packets


VRRP packets can be authenticated in simple text mode or MD5 mode.

Context
Perform the following steps on the Switch that needs to be configured with an authentication
mode for VRRP packets:

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
interface interface-type interface-number

The interface view is displayed.


Step 3 Run:
vrrp vrid virtual-router-id virtual-ip virtual-address

A backup group is created and its virtual IP address is specified.


Step 4 (optional) Run:
vrrp vrid virtual-router-id priority priority-value

The priority of the Switch in the backup group is configured.


Step 5 Run:
vrrp vrid virtual-router-id authentication-mode { simple key | md5 md5-key }

The authentication mode for VRRP packets is configured.


The authentication key on the master device must be the same as the authentication key on a
backup device.
All devices in a VRRP backup group must be configured with the same authentication mode;
otherwise, the negotiation between the master and backup routers cannot succeed.
----End

Checking the Configuration


By viewing the authentication mode and authentication key for VRRP packets, you can check
whether the configurations are successful.

Prerequisites
The configurations of the VRRP security function are complete.

Procedure
Step 1 Run the display vrrp [ interface interface-type interface-number [ virtual-router-id ] ]
command to check the status of VRRP.
----End

Example
After the configuration is complete, run the display vrrp command to view the packet
authentication mode.
<Quidway> display vrrp
  Vlanif100 | Virtual Router 1
    State            : Master
    Virtual IP       : 10.1.1.111
    PriorityRun      : 120
    PriorityConfig   : 120
    MasterPriority   : 120
    Preempt          : YES
    Delay Time       : 20s
    TimerRun         : 1s
    TimerConfig      : 1s
    Auth Type        : MD5
    Auth key         : >6M*PO438G/Q=^Q`MAF4<1!!
    Virtual Mac      : 0000-5e00-0101
    Check TTL        : YES
    Config type      : normal-vrrp
    Config track link-bfd down-number : 0

In the above command output, the Auth Type field displays MD5, and the Auth key field
displays >6M*PO438G/Q=^Q`MAF4<1!!. That is, VRRP backup group 1 is using MD5
authentication, and the authentication key is >6M*PO438G/Q=^Q`MAF4<1!!.

9.3.6 Adjusting and Optimizing VRRP


By adjusting parameters of a VRRP backup group, you can optimize the functions of a VRRP
backup group.

Establishing the Configuration Task


Before optimizing VRRP functions, familiarize yourself with the applicable environment and
complete pre-configuration tasks for configuring a VRRP backup group.
Applicable Environment
You can configure parameters for VRRP packets to optimize the backup group functions.
l By increasing the interval at which the VRRP backup group sends VRRP advertisement
packets, you can reduce the network load caused by negotiation packets.
Configurations of intervals for sending VRRP packets affect the master router election
differently in VRRP for IPv4 and VRRP6 as follows:
In VRRP for IPv4, the members in a VRRP backup group are configured with the same
interval for sending VRRP packets, which prevents multiple backup routers from being
switched to master routers simultaneously in one VRRP backup group.
l By configuring the preemption mode and preemption delay time of the Switch in the backup
group, you can increase or reduce the speed of the master/backup switchover.
l By enabling the test on the reachability of the virtual IP address, you can ping the virtual
IP address to check the network connectivity.
l By prohibiting the system from checking number of hops in VRRP packets, you can
improve the compatibility of Huawei routers with different vendors' routers.

Pre-configuration Tasks
Before adjusting and optimizing VRRP, complete the following tasks:
l Configuring network layer attributes for interfaces to connect to the network
l Configuring the VRRP backup group

Data Preparation
To adjust and optimize VRRP, you need the following data.
No. | Data
1 | Interval for sending VRRP advertisement packets
2 | Preemption delay of the Switches in the backup group
3 | Timeout period for the master to send gratuitous ARP packets

Configuring the Interval for Sending VRRP Advertising Messages


By increasing the interval for sending VRRP advertisement packets on a virtual Switch, you can
reduce network load.

Context
The master Switch sends VRRP advertisement packets to the backup Switches at preset
intervals. If the backup Switches do not receive VRRP advertisement packets before a timer expires,
the backup Switch with the highest priority automatically becomes the master Switch.
Perform the following steps on the Switch to adjust the interval for sending VRRP advertisement
packets:
Perform the following step as required to configure VRRP for IPv4 or VRRP for IPv6.
Procedure
l Run:
system-view

The system view is displayed.

l Run:
interface interface-type interface-number

The interface view is displayed.

l Run:
vrrp vrid virtual-router-id timer advertise advertise-interval

The interval for sending VRRP advertisement packets is configured.


The default interval for sending VRRP advertisement packets is 1 second. If multiple
backup groups exist, sending VRRP advertisement packets at very short intervals may lead
to frequent VRRP switchover. If this is the case, you can increase the interval.
NOTE

l If the advertise-interval parameters set for two VRRP devices are the same, the two devices can
work in master and slave mode.
l If the advertise-interval parameters set for two VRRP devices are different, both devices
are in the master state.

----End

Configuring the Preemption Delay Time of Backup Group Switches


By setting a preemption delay time for Switches in a VRRP backup group, you can speed up or
slow down a master/backup switchover.

Context
Perform the following steps on the VRRP backup Switch of which the latency of preemption
needs to be adjusted:

Procedure
l Run:
system-view

The system view is displayed.

l Run:
interface interface-type interface-number

The interface view is displayed.

l Run:
vrrp vrid virtual-router-id preempt-mode timer delay delay-value

The preemption delay of Switches in the backup group is configured.

The preemption mode is enabled by default and the delay period is 0. This means that
preemption is immediate. If the priority of a backup Switch becomes higher than that of
the current master Switch, the backup immediately becomes the new master Switch. The
original master Switch becomes a backup Switch. After a preemption delay time is set, the
backup Switch waits for the delay to expire before preempting the master role.
Run the vrrp vrid virtual-router-id preempt-mode disable command to configure
Switches in the backup group with the non-preemption mode. In the non-preemption mode,
if a Switch in the backup group becomes the master Switch and works normally, other
Switches do not become the master Switch even if they are configured with higher priorities
later.
If the IP address owner recovers from a fault, it switches to be the master Switch
immediately regardless of any preemption delay that may have been set. The preemption delay
refers to a delay period for the backup Switch to be switched to be the master Switch. The
preemption delay is unavailable for the IP address owner. If a VRRP backup group needs
to be configured with a preemption delay, the master virtual Switch cannot be configured
as the IP address owner.
Run the undo vrrp vrid virtual-router-id preempt-mode command to restore the default
preemption mode.
NOTE

On each Switch to be configured with a delay mode in a VRRP backup group, it is recommended to
configure backup Switches with the immediate preemption mode (whose delay time is 0 seconds) and
configure the master Switch with the preemption mode (whose delay time is specified). Configuring
the delay time for the master Switch ensures that the original primary link has enough time to
recover and work stably before traffic switches back, while the backup link carries traffic in the
meantime. Switching the data back to the original primary link then does not affect the application.

----End
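The preemption rules in this section (preemption on by default with a 0 second delay, preempt-mode disable, and the IP address owner ignoring any delay) and the advertisement timer from the previous section can be modelled together. The following Python is an added example, not code from the AC6605 or from Huawei; the Master_Down_Interval formula is taken from RFC 3768 rather than from this guide, and the preempt_at decision is a simplification that assumes the current master keeps advertising.

```python
"""Preemption and master-down timing for a VRRP backup (added example, not the guide's code)."""
from dataclasses import dataclass
from typing import Iterable, Optional

OWNER_PRIORITY = 255


@dataclass
class BackupSwitch:
    priority: int                 # running priority of this backup
    preempt_enabled: bool = True  # default: preemption on
    delay_seconds: int = 0        # default: 0, immediate preemption
    is_ip_owner: bool = False     # the owner runs at 255 and ignores any delay


def preempt_at(backup: BackupSwitch, master_priority: int, now: float) -> Optional[float]:
    """Time at which this backup takes over from a master that is still advertising, or
    None if it never preempts.  ASSUMPTION: the master keeps sending Advertisements;
    master failure is handled by master_down_interval() instead."""
    if backup.is_ip_owner:
        return now                        # immediate, regardless of any configured delay
    if not backup.preempt_enabled:
        return None                       # preempt-mode disable: a working master stays
    if backup.priority <= master_priority:
        return None                       # only a strictly higher priority preempts
    return now + backup.delay_seconds     # preempt-mode timer delay delay-value


def master_down_interval(adver_int: float, priority: int) -> float:
    """RFC 3768 Master_Down_Interval = 3 * Advertisement_Interval + Skew_Time, where
    Skew_Time = (256 - Priority) / 256.  A longer advertise-interval (for example the
    20 s in this chapter's example) therefore lengthens the failover time threefold."""
    return 3 * adver_int + (256 - priority) / 256.0


def first_to_take_over(adver_int: float, backup_priorities: Iterable[int]) -> int:
    """Among backups that stop hearing the master, return the priority of the one whose
    timer expires first: the highest priority has the smallest skew, as the guide states."""
    return min(backup_priorities, key=lambda p: master_down_interval(adver_int, p))


if __name__ == "__main__":
    # Constructed: SwitchA (130) comes back while SwitchB (120) is master, 20 s delay.
    print(preempt_at(BackupSwitch(130, delay_seconds=20), 120, now=0.0))
    print(master_down_interval(1, 100), master_down_interval(20, 100))
```

The two functions separate the two ways a backup becomes master that the guide describes: taking over a failed master is governed by the advertisement timer and cannot be disabled, whereas taking over a working master is governed by the preemption mode and delay.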

Enabling the Reachability Test of the Virtual IP Address


By enabling the reachability test for a virtual IP address, you can use the ping function to detect
network reachability.

Context
On the AC6605, you can ping the virtual IP address to check the following items:
l Availability of the master Switch in a backup group
l Accessibility of external networks through the virtual IP address that serves as the default
gateway

Do as follows on the Switch that needs to be enabled with a reachable virtual IP address:

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
vrrp virtual-ip ping enable

Testing reachability of a virtual address is enabled.


By default, the ping function is enabled. The master Switch responds to ping packets to the
virtual IP address of this backup group.
Responding to pings to a virtual address may expose the device to ICMP attacks. Run the undo vrrp virtual-ip ping
enable command to disable the function of testing reachability of a virtual IP address.
----End

Disabling a Switch from Checking Number of Hops in VRRP Packets


By prohibiting the check of TTLs in VRRP packets, you can improve compatibility between
devices from different vendors.

Context
The system detects number of hops in received VRRP packets, as defined in RFC 3768. The
packets with the number of hops not being 255 are discarded.
In certain networking environments where Huawei devices and non-Huawei devices work
together, checking the number of hops in VRRP packets may result in VRRP packets being
discarded mistakenly. To prevent this, you can disable the system from checking the number of
hops in VRRP packets.
Do as follows on the Switch that is prohibited from checking the number of hops of VRRP
packets:

Procedure
l Run:
system-view

The system view is displayed.

l Run:
interface interface-type interface-number

The interface view is displayed.

l Run:
vrrp un-check ttl

Checking TTLs in VRRP packets is disabled.


By default, TTLs in VRRP packets are detected. You can run the undo vrrp un-check
ttl command to enable the router to check TTLs in VRRP packets.
----End

Configuring the Timeout Time of Sending Gratuitous ARP Packets by the Master Router
By adjusting the interval for sending gratuitous ARP packets on the master device, you can
reduce the number of VRRP packets on the network.

Context
Perform the following procedure on the Switch to send gratuitous ARP packets:
Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
vrrp gratuitous-arp timeout time

A timeout period is configured for the master Switch to send gratuitous ARP packets.
The master Switch sends ARP packets with the virtual MAC address. By default, the master
router sends a gratuitous ARP packet every 120 seconds.
Run the undo vrrp gratuitous-arp timeout command in the system view to restore the default
timeout period for sending gratuitous ARP packets.
Run the vrrp gratuitous-arp timeout disable command in the system view to disable the master
Switch from sending gratuitous ARP packets.
----End

Checking the Configuration


By viewing adjustments made to VRRP backup group parameters, you can check whether the
configurations are correct.

Prerequisites
The configurations for adjusting and optimizing VRRP functions are complete.

Procedure
l Run the display vrrp [ interface interface-type interface-number [ virtual-router-id ] ] [ brief ] command to check the status of VRRP.

----End

Example
Run the display vrrp command to view modified VRRP parameters. In this example, the
TimerRun field and the TimerConfig field display 20. The default interval of 1 second for
sending VRRP advertisement packets is modified to 20 seconds.
<Quidway> display vrrp
  Vlanif100 | Virtual Router 1
    State            : Master
    Virtual IP       : 100.1.1.111
    PriorityRun      : 120
    PriorityConfig   : 120
    MasterPriority   : 120
    Preempt          : YES
    Delay Time       : 0s
    TimerRun         : 20s
    TimerConfig      : 20s
    Auth Type        : NONE
    Virtual Mac      : 0000-5e00-0101
    Check TTL        : YES
    Config type      : normal-vrrp
    Config track link-bfd down-number : 0
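The display vrrp output checked in 9.3.5 and here can be screened automatically for the weak settings this chapter discusses: Auth Type NONE, a disabled TTL check, and a master that preempts with no delay. The following Python is an added example, not a Huawei tool; the output it parses is constructed in the field/value format shown above, and it assumes the field names appear exactly as in this guide's examples and that a disabled check is shown as "Check TTL : NO".

```python
"""Screen 'display vrrp' output for weak settings (added example, not from the guide)."""
import re
from typing import Dict, List

# Constructed sample in the format of this guide's examples: two groups on one device.
SAMPLE_OUTPUT = """\
<Quidway> display vrrp
  Vlanif100 | Virtual Router 1
    State            : Master
    Virtual IP       : 10.1.1.111
    PriorityRun      : 120
    PriorityConfig   : 120
    MasterPriority   : 120
    Preempt          : YES
    Delay Time       : 0s
    TimerRun         : 1s
    TimerConfig      : 1s
    Auth Type        : NONE
    Virtual Mac      : 0000-5e00-0101
    Check TTL        : NO
    Config type      : normal-vrrp
    Config track link-bfd down-number : 0
  Vlanif200 | Virtual Router 2
    State            : Backup
    Virtual IP       : 10.1.2.111
    PriorityRun      : 100
    PriorityConfig   : 100
    MasterPriority   : 120
    Preempt          : YES
    Delay Time       : 0s
    TimerRun         : 1s
    TimerConfig      : 1s
    Auth Type        : MD5
    Auth key         : >6M*PO438G/Q=^Q`MAF4<1!!
    Virtual Mac      : 0000-5e00-0102
    Check TTL        : YES
    Config type      : normal-vrrp
    Config track link-bfd down-number : 0
"""

GROUP_RE = re.compile(r"^\s*(\S+) \| Virtual Router (\d+)\s*$")
FIELD_RE = re.compile(r"^\s*([A-Za-z][A-Za-z -]*?)\s*:\s*(.*?)\s*$")


def parse_display_vrrp(text: str) -> List[Dict[str, str]]:
    """Return one dict per backup group, keyed by the field names in the output."""
    groups: List[Dict[str, str]] = []
    for line in text.splitlines():
        m = GROUP_RE.match(line)
        if m:
            groups.append({"interface": m.group(1), "vrid": m.group(2)})
            continue
        m = FIELD_RE.match(line)
        if m and groups:
            groups[-1][m.group(1)] = m.group(2)
    return groups


def audit_vrrp(groups: List[Dict[str, str]]) -> List[str]:
    """Flag settings this chapter treats as risky or as deviations from its recommendations."""
    findings: List[str] = []
    for g in groups:
        tag = f"{g['interface']} VRID {g['vrid']}"
        if g.get("Auth Type", "NONE").upper() == "NONE":
            findings.append(f"{tag}: no VRRP authentication (Auth Type NONE); configure md5 on segments at risk")
        if g.get("Check TTL", "YES").upper() != "YES":
            findings.append(f"{tag}: TTL check disabled (Check TTL NO); VRRP packets that crossed a router are accepted")
        if g.get("State") == "Master" and g.get("Preempt") == "YES" and g.get("Delay Time", "0s") == "0s":
            findings.append(f"{tag}: master preempts with a 0s delay; the guide recommends a delay on the master")
        if g.get("PriorityRun") != g.get("PriorityConfig"):
            findings.append(f"{tag}: PriorityRun differs from PriorityConfig (a tracked interface or BFD session is Down)")
    return findings


if __name__ == "__main__":
    for finding in audit_vrrp(parse_display_vrrp(SAMPLE_OUTPUT)):
        print(finding)
```

Run against output collected from several Switches, the same parser lets you confirm that every member of a backup group reports the same Auth Type and TimerConfig, which this chapter requires for the master/backup negotiation to succeed.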

9.3.7 Configuring mVRRP Backup Groups


An mVRRP backup group can be bound to other member backup groups and determine the
status of member backup groups according to the bindings. This is applicable to the scenario
where a device is dual-homed to master and slave devices on a MAN.

Establishing the Configuration Task


Before configuring an mVRRP backup group, familiarize yourself with the applicable
environment, complete the pre-configuration tasks, and obtain the required data. This can help
you complete the configuration task quickly and accurately.

Application Environment
Figure 9-10 mVRRP determines the dual-homing of the master and slave Switches
(Figure: a UPE dual-homed to NPE1 and NPE2, with mVRRP running between the two NPEs.)

As shown in Figure 9-10, dual NPEs are deployed at the convergence layer of the Metro Ethernet
(ME) for high reliability. The master and standby Switches are determined by mVRRP
between the NPEs.
The mVRRP backup group is actually the ordinary VRRP backup group. The difference is that
the mVRRP backup group can be bound to other backup groups of different services. The status
of the backup group of related services depends on the binding relationship.
The mVRRP backup group can be bound to several backup group members. The mVRRP backup
group cannot be bound to other management backup groups.
According to different applications, the binding relationship of the mVRRP backup group is as
follows:
l The VRRP backup group is bound to the mVRRP backup group: UPEs are dual-homed to
NPEs. VRRP is run between NPEs. The master NPE and backup NPE are determined by
the configured priority of VRRP. Multiple VRRP backup groups run between NPEs with
different services.
If each VRRP backup group needs to maintain its own state machine, a huge number of
VRRP packets exist among NPEs. To simplify the process and decrease occupancy of
bandwidth, you can set one VRRP backup group as the mVRRP backup group. Other
backup group members are bound to the mVRRP backup group. The master and slave
Switches are determined directly by the binding relationship.
l The service interfaces are bound to the mVRRP backup group: if the UPEs are dual-homed
to NPEs through two physical links, you can bind the member interfaces to the mVRRP
backup group to determine the master member interfaces and the slave interfaces.

Pre-configuration Tasks
Before configuring mVRRP, complete the following tasks:
l Configuring attributes of network layer of interfaces for connectivity

Data Preparation
To configure mVRRP, you need the following data.
No. | Data
1 | ID of the mVRRP and IDs of VRRP backup group members
2 | Virtual IP address of the mVRRP and virtual IP addresses of VRRP backup group members
3 | Priority of the mVRRP
4 | Number of the member interface
5 | PW peer IP address

Configuring mVRRP Backup Group


Each VRRP backup group needs to maintain its own state machine by sending VRRP packets.
Configuring an mVRRP backup group can reduce bandwidth consumption of VRRP packets.

Context
Do as follows on each Switch of an mVRRP backup group:

Procedure
l For VRRP for IPv4:
1. Run:
system-view

The system view is displayed.

2. Run:
interface interface-type interface-number

The interface view is displayed.

3. Run:
vrrp vrid virtual-router-id virtual-ip virtual-address

A backup group is created and a virtual IP address is assigned to the backup group.

4. Run:
vrrp vrid virtual-router-id priority priority-value

The priority of the VRRP backup group is configured.

5. Run:
admin-vrrp vrid virtual-router-id

This VRRP backup group is configured as an mVRRP backup group.


----End

(Optional) Configuring Member VRRP Backup Groups and Binding them to the
mVRRP Backup Group
Through the bindings between member VRRP backup groups and the mVRRP backup group,
the state machines of member VRRP backup groups can be consistent with the state machine of
the mVRRP backup group.

Context
Do as follows on each Switch on which the member VRRP backup groups need to be bound to
an mVRRP backup group.

Procedure
l For VRRP for IPv4:
1. Run:
system-view

The system view is displayed.

2. Run:
interface interface-type interface-number

The interface view of a VRRP member is displayed.

3. Run:
vrrp vrid virtual-router-id virtual-ip virtual-address

A backup group is created with a virtual IP address.

The status of the member VRRP backup group is determined by the mVRRP backup
group. Therefore, the member VRRP backup group does not need a priority.

4. Run:
vrrp vrid virtual-router-id1 track admin-vrrp interface interface-type
interface-number [ .subinterface-number ] vrid virtual-router-id2

The member VRRP backup group is bound to the mVRRP backup group.
After the member VRRP backup group is bound to the mVRRP backup group, the
state machine of the member VRRP backup group becomes dependent. That is, the
member VRRP backup group deletes the protocol timer, no longer sends or
receives packets, and implements its state machine by directly copying the status of
the mVRRP backup group. A backup member can be bound to only one mVRRP backup group.
NOTE

Only a single member VRRP backup group can be configured on a single interface.

----End

Checking the Configuration


By viewing all bindings in an mVRRP backup group, you can check whether the configurations
are successful.

Prerequisites
The configurations of the mVRRP backup groups function are complete.

Procedure
l Run the display vrrp binding admin-vrrp [ interface interface-type1 interface-number1 ] [ vrid virtual-router-id ] member-vrrp [ interface interface-type2 interface-number2 ] [ vrid virtual-router-id ] command to check the binding between the mVRRP
backup group and the member VRRP backup groups.
l Run the display vrrp binding admin-vrrp [ interface interface-type1 interface-number1 ] [ vrid virtual-router-id ] member-interface [ interface interface-type2
interface-number2 ] command to check the binding between the mVRRP backup group
and member interfaces.
l Run the display vrrp admin-vrrp command to check the status of all mVRRP backup
groups in the current configuration.

----End

Example
After the configuration, you can run the display vrrp binding admin-vrrp command to view
all binding information about the member VRRP backup group, interface member, and PW
member.
<Quidway> display vrrp binding admin-vrrp
Interface: Vlanif 100, admin-vrrp vrid: 6, state: Master
Member-vrrp number: 1
Interface: Vlanif 200, vrid: 8, state: Master
Member-interface number: 1
Interface: Vlanif 300, state: Up

9.3.8 Configuring VRRP Version Upgrade


After being upgraded from version 2 to version 3, VRRP can support IPv4 networks.

Establishing the Configuration Task


Before configuring VRRP version upgrade, familiarize yourself with the applicable
environment, complete the pre-configuration tasks, and obtain the required data. This can help
you complete the configuration task quickly and accurately.
Applicable Environment
Currently, VRRPv2 is adopted. VRRP for IPv4 supports both VRRPv2 packets and VRRPv3
packets, whereas VRRP for IPv6 supports only VRRPv3 packets. You can undertake this
configuration task to upgrade the VRRP version as required.

Pre-configuration Tasks
Before configuring VRRP version upgrade, complete the following tasks:
l Installing the device and powering it on properly
l Ensuring that VRRPv2 is running on the device

Data Preparation
To configure VRRP version upgrade, you need the following data.
No. | Data
1 | VRRP version number

Configuring VRRPv3
After VRRPv3 is configured, VRRP backup groups can receive both VRRPv2 and VRRPv3
Advertisement packets.

Context
Do as follows on each Switch in a VRRP backup group.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
vrrp version v3

The VRRP version of the current device is set to VRRPv3.


Step 3 (Optional) Run:
vrrp version-3 send-packet-mode { v2-only | v3-only | v2v3-both }

The mode for sending Advertisement packets in VRRPv3 is set.


The default VRRP version is v2. If the VRRP version is switched to v3, the default mode for
sending advertisement packets is v3-only.
----End
Checking the Configuration


You can view VRRP version information to check whether the configuration is successful.

Prerequisites
The configurations of VRRP version upgrade are complete.

Procedure
l Run the display vrrp protocol-information command to view VRRP version information.

----End

Example
After the configuration, run the display vrrp protocol-information command, and you can
view that the VRRP protocol version is v3 and the mode for sending Advertisement packets is
send v3 only.
<Quidway> display vrrp protocol-information
VRRP protocol information is shown as below:
VRRP protocol version : v3
Send advertisement packet mode : send v3 only

9.3.9 Maintaining VRRP


This section describes how to maintain VRRP. Detailed operations include deleting VRRP
statistics, and monitoring VRRP operating status.

Debugging VRRP
After debugging, you need to disable the debugging function in time.

Context

CAUTION
Debugging affects the performance of the system. After debugging, run the undo debugging
all command to disable it immediately.
When a VRRP fault occurs, run the following debugging commands in the user view to debug
VRRP and locate the fault.

Procedure
- Run the debugging vrrp packet command in the user view to enable the debugging of VRRP packets.
- Run the debugging vrrp state command in the user view to enable the debugging of VRRP status.
- Run the debugging vrrp timer command in the user view to enable the debugging of the VRRP timer.

----End

9.3.10 Configuration Examples


This section provides several configuration examples of VRRP.

Example for Configuring VRRP in Master/Backup Mode


Networking Requirements
As shown in Figure 9-11, Host A communicates with Host B through the default gateway.
The requirements are as follows:
- The VRRP group that consists of SwitchA and SwitchB functions as the default gateway of Host A.
- SwitchA functions as the gateway. When SwitchA fails, SwitchB becomes the gateway.
- After SwitchA recovers, it preempts to be the master router within 20 seconds.

Figure 9-11 Networking of a VRRP group in master/backup mode
Figure (not reproduced): backup group 1 with virtual IP address 10.1.1.111; SwitchA (Master) and SwitchB (Backup) connect to HostA (10.1.1.100/24) on GE 0/0/1 and to SwitchC on GE 0/0/2; SwitchC connects to HostB (20.1.1.100/24). Interfaces and addresses are listed in the table below.
Device     Interface   VLANIF interface   IP address
SwitchA    GE 0/0/1    VLANIF100          10.1.1.1/24
SwitchA    GE 0/0/2    VLANIF200          192.168.1.1/24
SwitchB    GE 0/0/1    VLANIF100          10.1.1.2/24
SwitchB    GE 0/0/2    VLANIF400          192.168.2.1/24
SwitchC    GE 0/0/1    VLANIF300          20.1.1.1/24
SwitchC    GE 0/0/2    VLANIF200          192.168.1.2/24
SwitchC    GE 0/0/3    VLANIF400          192.168.2.2/24

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure VLANIF interfaces and assign IP addresses to the VLANIF interfaces.
2. Configure the OSPF protocol between Switch A, Switch B, and Switch C to implement interworking between them.
3. Create VRRP group 1 on VLANIF 100 of Switch A. Set the highest priority for Switch A in the VRRP group to ensure that Switch A functions as the master. Configure the preemption mode on Switch A.
4. Create VRRP group 1 on VLANIF 100 of Switch B and use the default priority.

Data Preparation
To complete the configuration, you need the following data:
- ID and virtual IP address of the VRRP group
- Priorities of Switch A and Switch B in the VRRP group
- Preemption mode

Procedure
Step 1 Configure VLANIF interfaces and assign IP addresses to the VLANIF interfaces.
# Create VLANs and add physical interfaces to VLANs.
<Quidway> system-view
[Quidway] sysname SwitchA
[SwitchA] vlan batch 100 200
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port hybrid pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port hybrid untagged vlan 100
[SwitchA-GigabitEthernet0/0/1] quit

The configurations of Switch B and Switch C are similar to the configuration of Switch A and are not described here.
# Configure an IP address for the VLANIF interface on SwitchA.
[SwitchA] interface vlanif 100
[SwitchA-Vlanif100] ip address 10.1.1.1 24
[SwitchA-Vlanif100] quit
[SwitchA] interface vlanif 200
[SwitchA-Vlanif200] ip address 192.168.1.1 24
[SwitchA-Vlanif200] quit

# Configure an IP address for the VLANIF interface on Switch B.


Issue 04 (2013-06-15)

Huawei Proprietary and Confidential


Copyright Huawei Technologies Co., Ltd.

1685

AC6605 Access Controller


Configuration Guide

9 Configuration Guide - Reliability

<Quidway> system-view
[Quidway] sysname SwitchB
[SwitchB] interface vlanif 100
[SwitchB-Vlanif100] ip address 10.1.1.2 24
[SwitchB-Vlanif100] quit
[SwitchB] interface vlanif 400
[SwitchB-Vlanif400] ip address 192.168.2.1 24
[SwitchB-Vlanif400] quit

# Configure an IP address for the VLANIF interface on Switch C.


<Quidway> system-view
[Quidway] sysname SwitchC
[SwitchC] interface vlanif 200
[SwitchC-Vlanif200] ip address 192.168.1.2 24
[SwitchC-Vlanif200] quit
[SwitchC] interface vlanif 300
[SwitchC-Vlanif300] ip address 20.1.1.1 24
[SwitchC-Vlanif300] quit
[SwitchC] interface vlanif 400
[SwitchC-Vlanif400] ip address 192.168.2.2 24
[SwitchC-Vlanif400] quit

Step 2 Configure the OSPF protocol between Switch A, Switch B, and Switch C.
# Configure Switch A.
[SwitchA] ospf 1
[SwitchA-ospf-1] area 0
[SwitchA-ospf-1-area-0.0.0.0] network 10.1.1.0 0.0.0.255
[SwitchA-ospf-1-area-0.0.0.0] network 192.168.1.0 0.0.0.255
[SwitchA-ospf-1-area-0.0.0.0] quit
[SwitchA-ospf-1] quit

# Configure Switch B.
[SwitchB] ospf 1
[SwitchB-ospf-1] area 0
[SwitchB-ospf-1-area-0.0.0.0] network 10.1.1.0 0.0.0.255
[SwitchB-ospf-1-area-0.0.0.0] network 192.168.2.0 0.0.0.255
[SwitchB-ospf-1-area-0.0.0.0] quit
[SwitchB-ospf-1] quit

# Configure Switch C.
[SwitchC] ospf 1
[SwitchC-ospf-1] area 0
[SwitchC-ospf-1-area-0.0.0.0] network 192.168.1.0 0.0.0.255
[SwitchC-ospf-1-area-0.0.0.0] network 192.168.2.0 0.0.0.255
[SwitchC-ospf-1-area-0.0.0.0] network 20.1.1.0 0.0.0.255
[SwitchC-ospf-1-area-0.0.0.0] quit
[SwitchC-ospf-1] quit

# Configure the default gateway address of Host A to 10.1.1.111 and the default gateway address
of Host B to 20.1.1.1.
Step 3 Configure a VRRP group.
# On Switch A, enter VLANIF 100, whose IP address was assigned in Step 1. Create VRRP group 1, set the priority of Switch A in the VRRP group to 120 so that Switch A functions as the master, and set a preemption delay of 20 seconds.
[SwitchA] interface vlanif 100
[SwitchA-Vlanif100] vrrp vrid 1 virtual-ip 10.1.1.111
[SwitchA-Vlanif100] vrrp vrid 1 priority 120
[SwitchA-Vlanif100] vrrp vrid 1 preempt-mode timer delay 20
[SwitchA-Vlanif100] quit

# On Switch B, enter VLANIF 100, whose IP address was assigned in Step 1. Create VRRP group 1 and retain the default priority of Switch B in the VRRP group so that Switch B functions as the backup.
[SwitchB] interface vlanif 100
[SwitchB-Vlanif100] vrrp vrid 1 virtual-ip 10.1.1.111
[SwitchB-Vlanif100] quit

Step 4 Verify the configuration.
- The VRRP group can function as the gateway.
After the preceding configuration, Host A can ping Host B. Run the display vrrp command on Switch A, and you can find that Switch A is the master switch. Run the display vrrp command on Switch B, and you can find that Switch B is the backup switch.
[SwitchA] display vrrp
Vlanif100 | Virtual Router 1
state : Master
Virtual IP : 10.1.1.111
Master IP : 10.1.1.1
PriorityRun : 120
PriorityConfig : 120
MasterPriority : 120
Preempt : YES
Delay Time : 20s
TimerRun : 1s
TimerConfig : 1s
Auth Type : NONE
Virtual Mac : 0000-5e00-0101
Check TTL : YES
Config type : normal-vrrp
Config track link-bfd down-number : 0
[SwitchB] display vrrp
Vlanif100 | Virtual Router 1
state : Backup
Virtual IP : 10.1.1.111
Master IP : 10.1.1.1
PriorityRun : 100
PriorityConfig : 100
MasterPriority : 120
Preempt : YES
Delay Time : 0s
TimerRun : 1s
TimerConfig : 1s
Auth Type : NONE
Virtual Mac : 0000-5e00-0101
Check TTL : YES
Config type : normal-vrrp
Config track link-bfd down-number : 0

Run the display ip routing-table command on Switch A and Switch B. You can find a direct
route to the virtual IP address in the routing table of Switch A. In the routing table of Switch B,
this direct route is an OSPF route. The displayed information on Switch A and Switch B is as
follows:
[SwitchA] display ip routing-table
Route Flags: R - relied, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
         Destinations : 9        Routes : 10
Destination/Mask    Proto   Pre  Cost   Flags NextHop         Interface
10.1.1.0/24         Direct  0    0      D     10.1.1.1        Vlanif100
10.1.1.1/32         Direct  0    0      D     127.0.0.1       InLoopBack0
20.1.1.0/24         OSPF    10   2      D     192.168.1.2     Vlanif200
127.0.0.0/8         Direct  0    0      D     127.0.0.1       InLoopBack0
127.0.0.1/32        Direct  0    0      D     127.0.0.1       InLoopBack0
192.168.1.0/24      Direct  0    0      D     192.168.1.1     Vlanif200
192.168.1.1/32      Direct  0    0      D     127.0.0.1       InLoopBack0
192.168.1.2/32      Direct  0    0      D     192.168.1.2     Vlanif200
192.168.2.0/24      OSPF    10   2      D     10.1.1.2        Vlanif100
[SwitchB] display ip routing-table
Route Flags: R - relied, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
         Destinations : 9        Routes : 10
Destination/Mask    Proto   Pre  Cost   Flags NextHop         Interface
10.1.1.0/24         Direct  0    0      D     10.1.1.2        Vlanif100
10.1.1.2/32         Direct  0    0      D     127.0.0.1       InLoopBack0
20.1.1.0/24         OSPF    10   2      D     192.168.2.2     Vlanif200
127.0.0.0/8         Direct  0    0      D     127.0.0.1       InLoopBack0
127.0.0.1/32        Direct  0    0      D     127.0.0.1       InLoopBack0
192.168.1.0/24      OSPF    10   2      D     10.1.1.1        Vlanif100
192.168.2.0/24      Direct  0    0      D     192.168.2.1     Vlanif200
192.168.2.1/32      Direct  0    0      D     127.0.0.1       InLoopBack0
192.168.2.2/32      Direct  0    0      D     192.168.2.2     Vlanif200

- When Switch A fails, Switch B becomes the master switch.
Run the shutdown command on VLANIF 100 of Switch A to simulate a link fault. Run the display vrrp command on Switch B to view information about the VRRP status. You can find that Switch B is the master switch.
[SwitchB] display vrrp
Vlanif100 | Virtual Router 1
state : Master
Virtual IP : 10.1.1.111
Master IP : 10.1.1.2
PriorityRun : 100
PriorityConfig : 100
MasterPriority : 100
Preempt : YES
Delay Time : 0s
TimerRun : 1s
TimerConfig : 1s
Auth Type : NONE
Virtual Mac : 0000-5e00-0101
Check TTL : YES
Config type : normal-vrrp
Config track link-bfd down-number : 0

- When Switch A recovers, it preempts to be the master.
Run the undo shutdown command on VLANIF 100 of Switch A. Wait for 20 seconds after VLANIF 100 recovers to the Up state, and then run the display vrrp command on Switch A to view the VRRP status. You can find that Switch A is the master switch.
----End

Configuration Files
- Configuration file of Switch A
#
sysname SwitchA
#
vlan batch 100 200
#
interface Vlanif100
ip address 10.1.1.1 255.255.255.0
vrrp vrid 1 virtual-ip 10.1.1.111
vrrp vrid 1 priority 120
vrrp vrid 1 preempt-mode timer delay 20
#
interface Vlanif200
ip address 192.168.1.1 255.255.255.0
#
interface GigabitEthernet0/0/1
port hybrid pvid vlan 100
port hybrid untagged vlan 100
#
interface GigabitEthernet0/0/2
port hybrid pvid vlan 200
port hybrid untagged vlan 200

#
ospf 1
area 0.0.0.0
network 192.168.1.0 0.0.0.255
network 10.1.1.0 0.0.0.255
#
return

- Configuration file of Switch B
#
sysname SwitchB
#
vlan batch 100 400
#
interface Vlanif100
ip address 10.1.1.2 255.255.255.0
vrrp vrid 1 virtual-ip 10.1.1.111
#
interface Vlanif400
ip address 192.168.2.1 255.255.255.0
#
interface GigabitEthernet0/0/1
port hybrid pvid vlan 100
port hybrid untagged vlan 100
#
interface GigabitEthernet0/0/2
port hybrid pvid vlan 400
port hybrid untagged vlan 400
#
ospf 1
area 0.0.0.0
network 192.168.2.0 0.0.0.255
network 10.1.1.0 0.0.0.255
#
return

- Configuration file of Switch C
#
sysname SwitchC
#
vlan batch 200 300 400
#
interface Vlanif200
ip address 192.168.1.2 255.255.255.0
#
interface Vlanif300
ip address 20.1.1.1 255.255.255.0
#
interface Vlanif400
ip address 192.168.2.2 255.255.255.0
#
interface GigabitEthernet0/0/1
port hybrid pvid vlan 300
port hybrid untagged vlan 300
#
interface GigabitEthernet0/0/2
port hybrid pvid vlan 200
port hybrid untagged vlan 200
#
interface GigabitEthernet0/0/3
port hybrid pvid vlan 400
port hybrid untagged vlan 400
#
ospf 1
area 0.0.0.0
network 192.168.1.0 0.0.0.255
network 192.168.2.0 0.0.0.255
network 20.1.1.0 0.0.0.255

#
return

Example for Configuring VRRP in Load Balancing Mode


Networking Requirements
As shown in Figure 9-12:
- Switch A is the master device in VRRP group 1 and the backup device in VRRP group 2.
- Switch B is the master device in VRRP group 2 and the backup device in VRRP group 1.
- Host A on the internal network uses VRRP group 1 as the gateway, and Host C uses VRRP group 2 as the gateway. The VRRP groups share data flows and back up each other.

Figure 9-12 Networking of VRRP in load balancing mode
Figure (not reproduced): SwitchA (group 1: Master, group 2: Backup) and SwitchB (group 2: Master, group 1: Backup) serve HostA (10.1.1.100/24) and HostC (10.1.1.101/24) on GE 0/0/1; backup group 1 uses virtual IP address 10.1.1.111 and backup group 2 uses virtual IP address 10.1.1.112. Both switches reach HostB (20.1.1.100/24) through SwitchC. Interfaces and addresses are listed in the table below.
Device     Interface   VLANIF interface   IP address
SwitchA    GE 0/0/1    VLANIF100          10.1.1.1/24
SwitchA    GE 0/0/2    VLANIF200          192.168.1.1/24
SwitchB    GE 0/0/1    VLANIF100          10.1.1.2/24
SwitchB    GE 0/0/2    VLANIF400          192.168.2.1/24
SwitchC    GE 0/0/1    VLANIF300          20.1.1.1/24
SwitchC    GE 0/0/2    VLANIF200          192.168.1.2/24
SwitchC    GE 0/0/3    VLANIF400          192.168.2.2/24
Configuration Roadmap
The configuration roadmap is as follows:
1. Implement networking between Switch A, Switch B, and Switch C.
2. Create two VRRP groups on VLANIF 100 of Switch A. Configure Switch A as the master device in VRRP group 1 and the backup device in VRRP group 2.
3. Create two VRRP groups on VLANIF 100 of Switch B. Configure Switch B as the master device in VRRP group 2 and the backup device in VRRP group 1.

Data Preparation
To complete the configuration, you need the following data:
- IDs and virtual IP addresses of the VRRP groups
- Priorities of Switch A and Switch B in the VRRP groups

Procedure
Step 1 Configure interworking between devices on the network.
# Configure the default gateway of Host A to the virtual IP address 10.1.1.111 of VRRP group
1, the default gateway of Host B to 20.1.1.1, and the default gateway of Host C to the virtual IP
address 10.1.1.112 of VRRP group 2.
# Configure OSPF between Switch A, Switch B, and Switch C.
Step 2 Configure VRRP groups.
# On Switch A, assign an IP address to VLANIF 100. Create VRRP group 1 and set the priority
of Switch A in VRRP group 1 to 120 so that Switch A functions as the master. Create VRRP
group 2 and retain the default priority (100) of Switch A in VRRP group 2 so that Switch A
functions as the backup device in VRRP group 2.
<Quidway> system-view
[Quidway] sysname SwitchA
[SwitchA] interface vlanif 100
[SwitchA-Vlanif100] ip address 10.1.1.1 24
[SwitchA-Vlanif100] vrrp vrid 1 virtual-ip 10.1.1.111
[SwitchA-Vlanif100] vrrp vrid 1 priority 120
[SwitchA-Vlanif100] vrrp vrid 2 virtual-ip 10.1.1.112
[SwitchA-Vlanif100] quit

# On Switch B, assign an IP address to VLANIF 100. Create VRRP group 1 and retain the default priority (100) of Switch B in VRRP group 1 so that Switch B functions as the backup.
# Create VRRP group 2 on Switch B and set the priority of Switch B in VRRP group 2 to 120 so that Switch B functions as the master in VRRP group 2.
<Quidway> system-view
[Quidway] sysname SwitchB
[SwitchB] interface vlanif 100
[SwitchB-Vlanif100] ip address 10.1.1.2 24
[SwitchB-Vlanif100] vrrp vrid 1 virtual-ip 10.1.1.111
[SwitchB-Vlanif100] vrrp vrid 2 virtual-ip 10.1.1.112
[SwitchB-Vlanif100] vrrp vrid 2 priority 120
[SwitchB-Vlanif100] quit

Step 3 Verify the configuration.
After the preceding configuration, Host A and Host C can ping Host B successfully. Run tracert to Host B from Host A and from Host C. Packets from Host A to Host B pass through Switch A and Switch C. Packets from Host C to Host B pass through Switch B and Switch C. That is, load balancing is implemented between Switch A and Switch B.
<HostA> tracert 20.1.1.100
traceroute to 20.1.1.100(20.1.1.100), max hops: 30 ,packet length: 40,press
CTRL_C to break
1 10.1.1.1 120 ms 50 ms 60 ms
2 192.168.1.2 100 ms 60 ms 60 ms
3 20.1.1.100 130 ms 90 ms 90 ms
<HostC> tracert 20.1.1.100
traceroute to 20.1.1.100(20.1.1.100), max hops: 30 ,packet length: 40,press
CTRL_C to break
1 10.1.1.2 30 ms 60 ms 40 ms
2 192.168.2.2 90 ms 60 ms 60 ms
3 20.1.1.100 70 ms 60 ms 90 ms

Run the display vrrp command on Switch A, and you can find that Switch A is the master in VRRP group 1 and the backup in VRRP group 2.
[SwitchA] display vrrp
Vlanif100 | Virtual Router 1
state : Master
Virtual IP : 10.1.1.111
Master IP : 10.1.1.1
PriorityRun : 120
PriorityConfig : 120
MasterPriority : 120
Preempt : YES
Delay Time : 0s
TimerRun : 1s
TimerConfig : 1s
Auth Type : NONE
Virtual Mac : 0000-5e00-0101
Check TTL : YES
Config type : normal-vrrp
Config track link-bfd down-number : 0
Vlanif100 | Virtual Router 2
state : Backup
Virtual IP : 10.1.1.112
Master IP : 10.1.1.2
PriorityRun : 100
PriorityConfig : 100
MasterPriority : 120
Preempt : YES
Delay Time : 0s
TimerRun : 1s
TimerConfig : 1s
Auth Type : NONE
Virtual Mac : 0000-5e00-0102
Check TTL : YES
Config type : normal-vrrp
Config track link-bfd down-number : 0

----End

Configuration Files
- Configuration file of Switch A
#
sysname SwitchA
#
vlan batch 100 200
#
interface Vlanif100

ip address 10.1.1.1 255.255.255.0


vrrp vrid 1 virtual-ip 10.1.1.111
vrrp vrid 1 priority 120
vrrp vrid 2 virtual-ip 10.1.1.112
#
interface Vlanif200
ip address 192.168.1.1 255.255.255.0
#
interface GigabitEthernet0/0/1
port hybrid pvid vlan 100
port hybrid untagged vlan 100
#
interface GigabitEthernet0/0/2
port hybrid pvid vlan 200
port hybrid untagged vlan 200
#
ospf 1
area 0.0.0.0
network 192.168.1.0 0.0.0.255
network 10.1.1.0 0.0.0.255
#
return

- Configuration file of Switch B
#
sysname SwitchB
#
vlan batch 100 400
#
interface Vlanif100
ip address 10.1.1.2 255.255.255.0
vrrp vrid 1 virtual-ip 10.1.1.111
vrrp vrid 2 virtual-ip 10.1.1.112
vrrp vrid 2 priority 120
#
interface Vlanif200
ip address 192.168.2.1 255.255.255.0
#
interface GigabitEthernet0/0/1
port hybrid pvid vlan 100
port hybrid untagged vlan 100
#
interface GigabitEthernet0/0/2
port hybrid pvid vlan 400
port hybrid untagged vlan 400
#
ospf 1
area 0.0.0.0
network 192.168.2.0 0.0.0.255
network 10.1.1.0 0.0.0.255
#
return

- Configuration file of Switch C
#
sysname SwitchC
#
vlan batch 200 300 400
#
interface Vlanif200
ip address 192.168.1.2 255.255.255.0
#
interface Vlanif300
ip address 20.1.1.1 255.255.255.0
#
interface Vlanif400
ip address 192.168.2.2 255.255.255.0
#
interface GigabitEthernet0/0/1
port hybrid pvid vlan 300

port hybrid untagged vlan 300


#
interface GigabitEthernet0/0/2
port hybrid pvid vlan 200
port hybrid untagged vlan 200
#
interface GigabitEthernet0/0/3
port hybrid pvid vlan 400
port hybrid untagged vlan 400
#
ospf 1
area 0.0.0.0
network 192.168.1.0 0.0.0.255
network 192.168.2.0 0.0.0.255
network 20.1.1.0 0.0.0.255
#
return

Example for Configuring VRRP Fast Switchover


Networking Requirements
As shown in Figure 9-13, Switch A, Switch B, Switch C, Switch D and the Universal Medium Gateway (UMG) form a simple next generation network (NGN).
The networking is as follows:
- The UMG connects to Switch A and Switch B through Switch C and Switch D.
- Switch A and Switch B run VRRP. Switch A functions as the master, and Switch B functions as the backup.
When Switch A fails, or when the link between Switch A and Switch B fails, the active/standby switchover should be completed within 1 second. That is, fast switchover is required on the bearer network.
Figure 9-13 Networking of VRRP fast switchover
Figure (not reproduced): SwitchA and SwitchB connect to the backbone network and, through SwitchC and SwitchD, to the UMG; backup group 10 uses virtual IP address 10.1.1.3/24. Interfaces and addresses are listed in the table below.
Device     Interface   VLANIF interface   IP address
SwitchA    GE 0/0/1    VLANIF100          10.1.1.1/24
SwitchA    GE 0/0/2    VLANIF200          192.168.0.1/24
SwitchB    GE 0/0/1    VLANIF100          10.1.1.2/24
SwitchB    GE 0/0/2    VLANIF200          192.168.0.2/24

Configuration Roadmap
The configuration roadmap is as follows:
1. Implement networking between the Switches.
2. Configure a BFD session on Switch A and Switch B to monitor Switch A and its downlink Switch A - Switch C - Switch D - Switch B.
3. Enable VRRP to track the BFD session on Switch B. When the BFD session becomes Down, the priority of Switch B increases by 40 and then the switchover is triggered.
NOTE
This example describes only the configurations on Switch A and Switch B.

Data Preparation
To complete the configuration, you need the following data:
- Local and remote discriminators of the BFD session
- ID and virtual IP address of the VRRP group
- Priorities of the AC6605s in the VRRP group

Procedure
Step 1 Configure interworking between the Switches.
# Assign IP addresses to all interfaces.
# Configure OSPF between Switch A, Switch B, and Switch C.
Step 2 Create a BFD session.
# Create a BFD session on Switch A.
<Quidway> system-view
[Quidway] sysname SwitchA
[SwitchA] bfd
[SwitchA-bfd] quit
[SwitchA] bfd atob bind peer-ip 10.1.1.2 interface vlanif 200
[SwitchA-bfd-session-atob] discriminator local 1
[SwitchA-bfd-session-atob] discriminator remote 2
[SwitchA-bfd-session-atob] commit
[SwitchA-bfd-session-atob] quit

# Create a BFD session on Switch B.


<Quidway> system-view
[Quidway] sysname SwitchB
[SwitchB] bfd
[SwitchB-bfd] quit
[SwitchB] bfd btoa bind peer-ip 10.1.1.1 interface vlanif 200
[SwitchB-bfd-session-btoa] discriminator local 2
[SwitchB-bfd-session-btoa] discriminator remote 1
[SwitchB-bfd-session-btoa] commit
[SwitchB-bfd-session-btoa] quit

Run the display bfd session command on Switch A and Switch B, and you can see that the BFD
session is Up. Take Switch A for example. The display is as follows:
[SwitchA] display bfd session all
--------------------------------------------------------------------------------
Local  Remote  PeerIpAddr      State  Type    InterfaceName
--------------------------------------------------------------------------------
1      2       10.1.1.2        Up     Static  Vlanif200
--------------------------------------------------------------------------------
Total UP/DOWN Session Number : 1/0

Step 3 Configure VRRP fast switchover.


# Create VRRP group 10 on Switch A and set the priority of Switch A in VRRP group 10 to 160 so that Switch A functions as the master in VRRP group 10.
[SwitchA] interface vlanif 100
[SwitchA-Vlanif100] vrrp vrid 10 virtual-ip 10.1.1.3
[SwitchA-Vlanif100] vrrp vrid 10 priority 160
[SwitchA-Vlanif100] quit

# Create VRRP group 10 on Switch B and set the priority of Switch B in VRRP group 10 to 140
so that Switch B functions as the backup in VRRP group 10.
[SwitchB] interface vlanif 100
[SwitchB-Vlanif100] vrrp vrid 10 virtual-ip 10.1.1.3
[SwitchB-Vlanif100] vrrp vrid 10 priority 140

# Configure VRRP to track the status of the BFD session on the backup device. If the BFD
session becomes Down, the priority of Switch B increases by 40.
[SwitchB-Vlanif100] vrrp vrid 10 track bfd-session 2 increased 40
[SwitchB-Vlanif100] quit

Run the display vrrp command on Switch A or Switch B, and you can see that Switch A is the
master and Switch B is the backup. You can also view the tracked BFD session and its status on
Switch B.
[SwitchA] display vrrp
Vlanif100 | Virtual Router 10
state : Master
Virtual IP : 10.1.1.3
Master IP : 10.1.1.1
PriorityRun : 160
PriorityConfig : 160
MasterPriority : 160
Preempt : YES
Delay Time : 0s
TimerRun : 1s
TimerConfig : 1s
Auth Type : NONE
Virtual Mac : 0000-5e00-0110
Check TTL : YES
Config type : normal-vrrp
Config track link-bfd down-number : 0
[SwitchB] display vrrp
Vlanif100 | Virtual Router 10
state : Backup
Virtual IP : 10.1.1.3

Master IP : 10.1.1.1
PriorityRun : 140
PriorityConfig : 140
MasterPriority : 160
Preempt : YES
Delay Time : 0s
TimerRun : 1s
TimerConfig : 1s
Auth Type : NONE
Virtual Mac : 0000-5e00-0110
Check TTL : YES
Config type : normal-vrrp
Track BFD : 2 Priority increased : 40
BFD-Session State : UP
Config track link-bfd down-number : 0

Step 4 Verify the configuration.


# Run the shutdown command on VLANIF 200 of Switch A to simulate a link fault.
[SwitchA] interface vlanif 200
[SwitchA-Vlanif200] shutdown
[SwitchA-Vlanif200] quit

On Switch B, VRRP fast switchover is performed after BFD fails.


%May 10 15:48:30 2008 SwitchB BFD/5/BFD:Slot=1;IO(1) BFD Session(Discr:2) FSM
Change To Down(Detect)
%May 10 15:48:30 2008 SwitchB VRRP/5/BfdWarning:
Virtual Router 10 | BFD-SESSION 2 : BFD_STATE_UP --> BFD_STATE_DOWN
%May 10 15:48:30 2008 SwitchB VRRP/5/StateWarning:
Vlanif100 | Virtual Router 10 : BACKUP --> MASTER
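The three messages above are the signal a defender should be collecting from a VRRP gateway pair: a BACKUP --> MASTER transition on a group is either the failover this example intends or a device that should not be master asserting itself. The following Python parser is an added example and not part of the Huawei guide. It turns VRRP StateWarning and BfdWarning messages into events, pairs each takeover with the tracked-BFD transition that preceded it on the same switch and VRID, and flags takeovers by a host that is not the intended master. The sample log is constructed in the format of the messages above (each message joined onto one line; the final Switch A line is invented for illustration), and the expected-master map is an assumption maintained by the operator.

```python
import re
from typing import Dict, List, Optional

# Constructed sample in the format of the messages shown in Step 4. Each message
# is on one line (the guide wraps them); the last line, for SwitchA, is invented.
SAMPLE_LOG = """\
%May 10 15:48:30 2008 SwitchB BFD/5/BFD:Slot=1;IO(1) BFD Session(Discr:2) FSM Change To Down(Detect)
%May 10 15:48:30 2008 SwitchB VRRP/5/BfdWarning: Virtual Router 10 | BFD-SESSION 2 : BFD_STATE_UP --> BFD_STATE_DOWN
%May 10 15:48:30 2008 SwitchB VRRP/5/StateWarning: Vlanif100 | Virtual Router 10 : BACKUP --> MASTER
%May 10 15:48:31 2008 SwitchA VRRP/5/StateWarning: Vlanif100 | Virtual Router 10 : MASTER --> INITIALIZE
"""

_TS = r"(?P<ts>[A-Z][a-z]{2} \d{1,2} \d{2}:\d{2}:\d{2} \d{4})"
# "%<timestamp> <host> VRRP/<sev>/StateWarning: <iface> | Virtual Router <vrid> : OLD --> NEW"
STATE_RE = re.compile(
    rf"^%{_TS} (?P<host>\S+) VRRP/(?P<sev>\d)/StateWarning: ?"
    r"(?P<iface>\S+) \| Virtual Router (?P<vrid>\d+) : (?P<old>[A-Z]+) --> (?P<new>[A-Z]+)$"
)
# "%<timestamp> <host> VRRP/<sev>/BfdWarning: Virtual Router <vrid> | BFD-SESSION <n> : OLD --> NEW"
BFD_RE = re.compile(
    rf"^%{_TS} (?P<host>\S+) VRRP/(?P<sev>\d)/BfdWarning: ?"
    r"Virtual Router (?P<vrid>\d+) \| BFD-SESSION (?P<sess>\d+) : (?P<old>\w+) --> (?P<new>\w+)$"
)


def parse_events(text: str) -> List[Dict[str, str]]:
    """Turn VRRP StateWarning/BfdWarning lines into dicts; other lines are skipped."""
    events: List[Dict[str, str]] = []
    for raw in text.splitlines():
        line = raw.strip()
        m = STATE_RE.match(line)
        if m:
            events.append({"kind": "vrrp_state", **m.groupdict()})
            continue
        m = BFD_RE.match(line)
        if m:
            events.append({"kind": "bfd_track", **m.groupdict()})
    return events


def master_takeovers(events: List[Dict[str, str]]) -> List[Dict[str, Optional[str]]]:
    """Every transition into MASTER, paired with the last tracked-BFD change seen
    for the same host and VRID (the likely trigger), if there was one."""
    takeovers: List[Dict[str, Optional[str]]] = []
    last_bfd: Dict[tuple, Dict[str, str]] = {}
    for ev in events:
        key = (ev["host"], ev["vrid"])
        if ev["kind"] == "bfd_track":
            last_bfd[key] = ev
        elif ev["new"] == "MASTER":
            trigger = last_bfd.get(key)
            takeovers.append({
                "ts": ev["ts"], "host": ev["host"], "iface": ev["iface"], "vrid": ev["vrid"],
                "bfd_session": trigger["sess"] if trigger else None,
                "bfd_state": trigger["new"] if trigger else None,
            })
    return takeovers


def unexpected_masters(events: List[Dict[str, str]], expected: Dict[str, str]) -> List[str]:
    """Alert lines for hosts that became MASTER of a VRID whose intended master is
    another host. `expected` maps VRID -> hostname (assumed operator-maintained)."""
    return [
        f'{t["host"]} became master of VRID {t["vrid"]} on {t["iface"]} at {t["ts"]}'
        f' (expected {expected[t["vrid"]]}; BFD session {t["bfd_session"]} {t["bfd_state"]})'
        for t in master_takeovers(events)
        if expected.get(t["vrid"]) not in (None, t["host"])
    ]


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for alert in unexpected_masters(evs, {"10": "SwitchA"}):
        print(alert)
```

With the intended master map {"10": "SwitchA"} the run reports SwitchB's takeover together with BFD session 2 going BFD_STATE_DOWN, which is the planned fast switchover; a takeover with no BFD trigger and no matching MASTER --> INITIALIZE on the old master is the case to investigate.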

Run the display vrrp command on Switch A, and you can see that the status of Switch A changes
to Initialize.
[SwitchA] display vrrp
Vlanif100 | Virtual Router 10
state : Initialize
Virtual IP : 10.1.1.3
Master IP : 10.1.1.1
PriorityRun : 160
PriorityConfig : 160
MasterPriority : 0
Preempt : YES
Delay Time : 0s
TimerRun : 1s
TimerConfig : 1s
Auth Type : NONE
Virtual Mac : 0000-5e00-0110
Check TTL : YES
Config type : normal-vrrp
Config track link-bfd down-number : 0

Run the display vrrp command on Switch B, and you can see that Switch B becomes the master,
and the status of the BFD session changes to Down.
[SwitchB] display vrrp
Vlanif100 | Virtual Router 10
state : Master
Virtual IP : 10.1.1.3
Master IP : 10.1.1.2
PriorityRun : 180
PriorityConfig : 140
MasterPriority : 180
Preempt : YES
Delay Time : 0s
TimerRun : 1s
TimerConfig : 1s
Auth Type : NONE
Virtual Mac : 0000-5e00-0110
Check TTL : YES
Config type : normal-vrrp
Track BFD : 2 Priority increased : 40
BFD-Session State : DOWN
Config track link-bfd down-number : 0

----End
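The three examples in this section rest on one election rule: the router with the highest running priority is master, a tie goes to the higher primary IP address, a configured preempt delay holds a recovered router back for that many seconds, and a tracked BFD session that goes Down adds the configured increase to the backup's running priority (the PriorityRun 180 against PriorityConfig 140 shown above). The following Python model is an added example, not Huawei code; the Router class, the scenario names and the clamp at priority 254 are assumptions of the example. It replays the master/backup, load balancing and fast switchover examples and returns the states that display vrrp reports for each.

```python
from dataclasses import dataclass, field
from ipaddress import IPv4Address
from typing import Dict, List, Optional, Tuple

PRIORITY_DEFAULT = 100   # shown above as "PriorityRun : 100" on a switch with no priority set
PRIORITY_MAX = 254       # 255 is reserved for the owner of the virtual address (assumed clamp)


@dataclass
class Router:
    """One switch's VRRP configuration on a VLANIF (assumed model, not a Huawei API)."""
    name: str
    ip: str                                   # primary IP address on the VLANIF
    vrids: Dict[int, int]                     # VRID -> configured priority
    preempt_delay: int = 0                    # "vrrp vrid N preempt-mode timer delay <s>"
    up: bool = True                           # False once the VLANIF is shut down
    # VRID -> (BFD session discriminator, increase), i.e.
    # "vrrp vrid N track bfd-session <discr> increased <n>"
    track_bfd: Dict[int, Tuple[int, int]] = field(default_factory=dict)

    def running_priority(self, vrid: int, bfd_down: frozenset = frozenset()) -> int:
        """PriorityRun: the configured priority plus any BFD-tracking increase."""
        prio = self.vrids[vrid]
        tracked = self.track_bfd.get(vrid)
        if tracked is not None and tracked[0] in bfd_down:
            prio = min(PRIORITY_MAX, prio + tracked[1])
        return prio


def elect_master(vrid: int, routers: List[Router], bfd_down: frozenset = frozenset()) -> Optional[str]:
    """Name of the master for `vrid`: highest running priority, ties broken by higher primary IP."""
    live = [r for r in routers if r.up and vrid in r.vrids]
    if not live:
        return None
    best = max(live, key=lambda r: (r.running_priority(vrid, bfd_down), IPv4Address(r.ip)))
    return best.name


def vrrp_states(vrid: int, routers: List[Router], bfd_down: frozenset = frozenset()) -> Dict[str, str]:
    """Per-router state as 'display vrrp' reports it: Master, Backup or Initialize."""
    master = elect_master(vrid, routers, bfd_down)
    states = {}
    for r in routers:
        if vrid not in r.vrids:
            continue
        states[r.name] = "Initialize" if not r.up else ("Master" if r.name == master else "Backup")
    return states


def master_after_recovery(vrid: int, routers: List[Router], current_master: str, elapsed: int) -> str:
    """Who is master `elapsed` seconds after the best router came back up: a router
    with a preempt delay does not take over until that delay has passed."""
    best = elect_master(vrid, routers)
    best_router = next(r for r in routers if r.name == best)
    if best == current_master or elapsed >= best_router.preempt_delay:
        return best
    return current_master


def scenarios() -> Dict[str, object]:
    """The three examples of this section replayed through the model."""
    out: Dict[str, object] = {}
    # Master/backup: Switch A priority 120 with a 20 s preempt delay, Switch B default 100.
    a = Router("SwitchA", "10.1.1.1", {1: 120}, preempt_delay=20)
    b = Router("SwitchB", "10.1.1.2", {1: 100})
    out["mb_normal"] = vrrp_states(1, [a, b])
    a.up = False                                   # shutdown on VLANIF 100 of Switch A
    out["mb_a_down"] = vrrp_states(1, [a, b])
    a.up = True                                    # undo shutdown
    out["mb_after_5s"] = master_after_recovery(1, [a, b], "SwitchB", 5)
    out["mb_after_20s"] = master_after_recovery(1, [a, b], "SwitchB", 20)
    # Load balancing: each switch is master of one VRID and backup of the other.
    a = Router("SwitchA", "10.1.1.1", {1: 120, 2: 100})
    b = Router("SwitchB", "10.1.1.2", {1: 100, 2: 120})
    out["lb"] = (elect_master(1, [a, b]), elect_master(2, [a, b]))
    # Fast switchover: Switch B tracks BFD session 2; Down adds 40, and 180 beats Switch A's 160.
    a = Router("SwitchA", "10.1.1.1", {10: 160})
    b = Router("SwitchB", "10.1.1.2", {10: 140}, track_bfd={10: (2, 40)})
    out["fs_bfd_up"] = (elect_master(10, [a, b]), b.running_priority(10))
    down = frozenset({2})
    out["fs_bfd_down"] = (elect_master(10, [a, b], down), b.running_priority(10, down))
    return out


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name}: {result}")
```

The model takes every priority at face value, which is also what the groups above do: their output shows Auth Type : NONE, so an advertisement carrying a higher priority is accepted from any sender on VLAN 100. Keeping VLAN 100 limited to the two gateways and forwarding the VRRP StateWarning messages from the fast switchover example to a log collector are the compensating controls this configuration relies on.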

Configuration Files
- Configuration file of Switch A
#
sysname SwitchA
#
vlan batch 100 200
#
bfd
#
#
interface Vlanif100
ip address 10.1.1.1 255.255.255.0
vrrp vrid 10 virtual-ip 10.1.1.3
vrrp vrid 10 priority 160
#
interface Vlanif200
ip address 192.168.0.1 255.255.255.0
#
interface GigabitEthernet0/0/1
port hybrid pvid vlan 100
port hybrid untagged vlan 100
#
interface GigabitEthernet0/0/2
port hybrid pvid vlan 200
port hybrid untagged vlan 200
#
bfd atob bind peer-ip 10.1.1.2 interface Vlanif 200
discriminator local 1
discriminator remote 2
commit
#
ospf 1
area 0.0.0.0
network 10.1.1.0 0.0.0.255
network 192.168.0.0 0.0.0.255
#
return

- Configuration file of Switch B
#
sysname SwitchB
#
vlan batch 100 200
#
bfd
#
interface Vlanif100
ip address 10.1.1.2 255.255.255.0
vrrp vrid 10 virtual-ip 10.1.1.3
vrrp vrid 10 priority 140
vrrp vrid 10 track bfd-session 2 increased 40
#
interface Vlanif200
ip address 192.168.0.2 255.255.255.0
#
interface GigabitEthernet0/0/1
port hybrid pvid vlan 100
port hybrid untagged vlan 100
#
interface GigabitEthernet0/0/2

port hybrid pvid vlan 200
port hybrid untagged vlan 200
#
bfd btoa bind peer-ip 10.1.1.1 interface Vlanif 200
discriminator local 2
discriminator remote 1
commit
#
ospf 1
area 0.0.0.0
network 10.1.1.0 0.0.0.255
network 192.168.0.0 0.0.0.255
#
return

10 Configuration Guide - Network Management

About This Chapter
This chapter describes the configuration procedures and configuration examples of the SNMP, RMON, NTP, LLDP, NQA, and Ping and Tracert features on the AC6605. It provides guides to configuring the network management functions of the AC6605.
10.1 SNMP Configuration
The Simple Network Management Protocol (SNMP) is a standard network management protocol
widely used on TCP/IP networks. It uses a central computer (a network management station)
that runs network management software to manage network elements. There are three SNMP
versions, SNMPv1, SNMPv2c, and SNMPv3. You can configure one or more versions, if
needed.
10.2 LLDP Configuration
This chapter describes the LLDP concept, configuration procedures, and configuration
examples.
10.3 NTP Configuration
This chapter describes how to configure the Network Time Protocol (NTP) to synchronize the clocks of the devices on the network.
10.4 Ping and Tracert
This chapter describes basic concepts and applications of the ping and tracert commands.
10.5 NQA Configuration
This chapter describes how to configure the Network Quality Analysis (NQA) to monitor the
network operating status and collect network operation indexes in real time.
10.6 RMON Configuration
This chapter describes how to monitor the Ethernet interface through Remote Network
Monitoring (RMON).
10.7 Packet Capture Configuration
This section describes the concept and configuration of the packet capture function and provides
a configuration example.

10.1 SNMP Configuration


The Simple Network Management Protocol (SNMP) is a standard network management protocol
widely used on TCP/IP networks. It uses a central computer (a network management station)
that runs network management software to manage network elements. There are three SNMP
versions, SNMPv1, SNMPv2c, and SNMPv3. You can configure one or more versions, if
needed.

10.1.1 Introduction to SNMP


SNMP provides a set of standard protocols for the communication between the network
management station (NM station) and devices, allowing the NM station to normally manage
devices and receive alarms reported by the devices.

SNMP Overview
An NM station manages device objects by performing Get and Set operations on a managed device that runs the SNMP agent. These objects are uniquely identified in the Management Information Base (MIB).
As network services develop, more devices are deployed on existing networks. The devices are
not close to the central equipment room where a network administrator works. When faults occur
on the remote devices, the network administrator cannot detect, locate or rectify faults
immediately because the devices do not report the faults. This affects maintenance efficiency
and greatly increases maintenance workload.
To solve this problem, equipment vendors have provided network management functions in
some products. These functions allow the NM station to query the status of remote devices, and
devices can send alarms to the NM station in the case of particular events.
SNMP operates at the application layer of the IP suite and defines how to transmit management
information between the NM station and devices. SNMP defines several device management
operations that the NM station can perform and allows devices to send alarms to notify the NM
station of device faults.
An SNMP-managed network consists of three components: NM station, agent, and managed
device. The NM station uses the MIB to identify and manage device objects. The operations
used for device management include GetRequest, GetNextRequest, GetResponse, GetBulk,
SetRequest, and notification from the agent to the NM station. The following sections give details
on the components, MIB, and operations.

SNMP Components
SNMP device management uses the following three components:
- NM station: sends various query packets to query managed devices and receives alarms from these devices.
- Agent: is a network-management process on a managed device. An agent has the following functions:
  - Receives and parses query packets sent from the NM station.


  - Reads or writes management variables based on the query type, and generates and sends response packets to the NM station.
  - Sends an alarm to the NM station when the triggering conditions defined in the protocol module corresponding to the alarm are met, for example, when the system view is entered or exited, or when the device restarts.
- Managed device: is managed by an NM station and generates and reports alarms to the NM station.

Figure 10-1 shows the relationship between the NM station and agent.
Figure 10-1 SNMP structure (figure not reproduced: the NM station sends requests to the agent on UDP port 161 and receives responses; the agent sends traps to the NM station on UDP port 162)

MIB
SNMP uses a hierarchical naming convention to identify managed objects and to distinguish
between them. This hierarchical structure is similar to a tree whose nodes represent managed
objects. Figure 10-2 shows that a managed object can be identified by the path from the root
to the node representing it.
Figure 10-2 Structure of a MIB tree (figure not reproduced: a tree of numbered nodes containing objects A and B; object B sits at the path 1.2.1.1 from the root)

As shown in Figure 10-2, object B is uniquely identified by a string of numbers, {1.2.1.1}. Such
a number string is called an Object Identifier (OID). A MIB tree is used to describe the hierarchy
of data in a MIB that collects the definitions of variables on the managed devices.

A user can use a standard MIB or define a MIB based on certain standards. Using a standard
MIB can reduce the costs on proxy deployment and therefore reduce the costs on the entire
network management system.

SNMP Operations
SNMP uses Get and Set operations to replace a complex command set. The operations described
in Figure 10-3 can implement all functions.
Figure 10-3 Schematic diagram of SNMP operations (figure not reproduced: the NM station sends get-request, get-next-request, and set-request messages to the agent on UDP port 161 and receives a get-response for each; the agent sends trap messages to the NM station on UDP port 162)

Table 10-1 gives details on the SNMP operations.

Table 10-1 SNMP operations

Operation | Function
GetRequest | Retrieves the value of a variable. The NM station sends the request to a managed device to obtain the value of an object on the device.
GetNextRequest | Retrieves the value of the next variable. The NM station sends the request to a managed device to obtain the status of the next object on the device.
GetResponse | Responds to GetRequest, GetNextRequest, and SetRequest operations. It is sent from the managed device to the NM station.
GetBulk | Request from the NM station to the agent, equivalent to a series of consecutive GetNextRequest operations.
SetRequest | Sets the value of a variable. The NM station sends the request to a managed device to adjust the status of an object on the device.
Trap | Reports an event to the NM station.


SNMP Features Supported by the AC6605


This section compares SNMP versions in terms of their support for features and usage scenarios.
Use it as a reference when you select the SNMP version during network deployment.
The AC6605 supports SNMPv1, SNMPv2c, and SNMPv3. Table 10-2 lists the features
supported by SNMP, and Table 10-3 shows the support of different SNMP versions for the
features. Table 10-4 describes the usage scenarios of SNMP versions, which will help you
choose a proper version for the communication between an NM station and managed devices
based on the network operation conditions.
NOTE

When multiple NM stations using different SNMP versions manage the same device in a network,
SNMPv1, SNMPv2c, and SNMPv3 can all be configured on the device for its communication with all the
NM stations.

Table 10-2 Description of features supported by SNMP

Feature | Description
Access control | Restricts a user's device administration rights. It gives specific users the rights to manage specified objects on devices and therefore provides fine management.
Authentication and encryption | Authenticates and encrypts the packets transmitted between the NM station and managed devices. This prevents data packets from being intercepted or modified, improving data sending security.
Error code | Identifies particular faults. An administrator uses error codes to quickly locate and rectify faults. The more error codes received, the more they help an administrator in device management.
Trap | Sent from managed devices to the NM station. These traps allow an administrator to discover device faults immediately. After sending traps, the managed devices do not require the acknowledgement from the NM station.
Inform | Sent from managed devices to the NM station. The managed devices require the acknowledgement from the NM station after sending informs. If a managed device does not receive an acknowledgement after sending an inform, it will resend the inform to the NM station and generate alarm logs. Even if the NM station restarts, it can still synchronize the informs sent during the restart process. If the managed device does not receive an acknowledgement from the NM station after sending an inform, it will store the inform in its memory. In this regard, using informs may consume lots of system resources.
GetBulk | Allows an administrator to perform GetNext operations in batches. In a large-scale network, GetBulk reduces the administrator's workload and improves management efficiency.

Table 10-3 Different SNMP versions' support for the features

Feature | SNMPv1 | SNMPv2c | SNMPv3
Access control | Community-name-based access control supported | Community-name-based access control supported | User- or user-group-based access control supported
Authentication and encryption | Not supported | Not supported | Supported. Authentication modes: MD5, SHA. Encryption mode: DES56
Error code | 6 error codes supported | 16 error codes supported | 16 error codes supported
Trap | Supported | Supported | Supported
Inform | Not supported | Supported | Not supported
GetBulk | Not supported | Supported | Supported

Table 10-4 Usage scenarios of different SNMP versions

Version | Usage Scenario
SNMPv1 | Applies to small-scale networks whose networking is simple and security requirements are low, or whose security and stability are good, such as campus networks and small enterprise networks.
SNMPv2c | Applies to medium and large-scale networks whose security requirements are not strict or whose security is good (for example, VPNs) but whose services are so busy that traffic congestion may occur. Using informs can ensure that the messages sent from managed devices are received by the NM station.
SNMPv3 | Applies to networks of various scales, especially networks that have strict security requirements and can be managed only by authorized administrators, such as the scenario where data between the NM station and managed devices needs to be transmitted over a public network.

If you plan to build a new network, choose an SNMP version based on your usage scenario. If
you plan to expand or upgrade an existing network, choose an SNMP version to match the SNMP
version running on the NM station to ensure the normal communication between managed
devices and the NM station.
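As an added illustration of why Table 10-3 matters (example code written for this guide's readers, not Huawei's), the following Python decodes the outer BER layers of an SNMP message to show that SNMPv1 and SNMPv2c carry the community name in clear text; a defender can run it over captured UDP port 161 traffic to find NM stations that still use v1/v2c or a well-known community name. The sample packet is constructed; the version and PDU names are those defined by the SNMP standard.

```python
"""Classify an SNMP message by version and community (added example, not from the guide).

SNMPv1/v2c carry the community name in clear text in every packet (no authentication
or encryption, see Table 10-3), so an audit of captured UDP/161 traffic can show which
NM stations still rely on them. Only the outer BER layers are decoded:
  Message ::= SEQUENCE { version INTEGER, community OCTET STRING, data PDU }
"""

PDU_NAMES = {0xA0: "GetRequest", 0xA1: "GetNextRequest", 0xA2: "GetResponse",
             0xA3: "SetRequest", 0xA4: "Trap", 0xA5: "GetBulk", 0xA6: "Inform",
             0xA7: "SNMPv2-Trap"}
VERSION_NAMES = {0: "SNMPv1", 1: "SNMPv2c", 3: "SNMPv3"}


def read_tlv(buf, pos):
    """Decode one BER tag-length-value at pos; return (tag, value_bytes, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated BER header")
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                   # long form: low 7 bits = number of length octets
        n = length & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("bad long-form length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("value runs past end of packet")
    return tag, buf[pos:pos + length], pos + length


def parse_snmp_header(packet):
    """Return a dict with version, community (None for SNMPv3) and PDU type."""
    tag, body, _ = read_tlv(packet, 0)
    if tag != 0x30:
        raise ValueError("SNMP message must be a SEQUENCE")
    tag, ver, pos = read_tlv(body, 0)
    if tag != 0x02:
        raise ValueError("version must be an INTEGER")
    version = int.from_bytes(ver, "big")
    if version == 3:
        # SNMPv3 carries msgGlobalData and security parameters instead of a community.
        return {"version": "SNMPv3", "community": None, "pdu": None}
    tag, community, pos = read_tlv(body, pos)
    if tag != 0x04:
        raise ValueError("community must be an OCTET STRING")
    pdu_tag, _, _ = read_tlv(body, pos)
    return {"version": VERSION_NAMES.get(version, f"unknown({version})"),
            "community": community.decode("ascii", "replace"),
            "pdu": PDU_NAMES.get(pdu_tag, f"0x{pdu_tag:02x}")}


def audit(packet, weak_communities=("public", "private")):
    """Flag what a defender wants to know: legacy version or a well-known community."""
    hdr = parse_snmp_header(packet)
    findings = []
    if hdr["version"] in ("SNMPv1", "SNMPv2c"):
        findings.append("clear-text community: no authentication or encryption")
    if hdr["community"] in weak_communities:
        findings.append(f"well-known community name '{hdr['community']}'")
    return hdr, findings


# Constructed sample: SNMPv2c GetRequest for sysDescr.0 (1.3.6.1.2.1.1.1.0),
# community "public", request-id 1.
SAMPLE_V2C_GET = bytes.fromhex(
    "3026" "020101" "0406" "7075626c6963"
    "a019" "020101" "020100" "020100"
    "300e" "300c" "0608" "2b06010201010100" "0500")

if __name__ == "__main__":
    header, issues = audit(SAMPLE_V2C_GET)
    print(header)
    for issue in issues:
        print(" -", issue)
```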

10.1.2 Configuring a Device to Communicate with an NM Station by Running SNMPv1

After SNMPv1 is configured, a managed device and an NM station can run SNMPv1 to
communicate with each other. To ensure normal communication, you need to configure both
sides. This section describes only the configurations on a managed device (the agent side). For
details about configurations on an NM station, see the pertaining NM station operation guide.
The NM station manages a device in the following manners:


- Sends requests to the managed device to perform the GetRequest, GetNextRequest, GetResponse, GetBulk, or SetRequest operation, obtaining data and setting values.
- Receives alarms from the managed device and locates and rectifies device faults based on the alarm information.

In the following configuration, after basic SNMP functions are configured, the NM station can
manage the device in these manners. For details on how to configure finer management such as
accurate access control or alarm module specification, see the following configuration
procedures.

Establishing the Configuration Task


Before configuring a device to communicate with an NM station by running SNMPv1,
familiarize yourself with the applicable environment, complete the pre-configuration tasks, and
obtain the data required for the configuration. This will help you complete the configuration task
quickly and accurately.

Applicable Environment
SNMP needs to be deployed in a network to allow the NM station to manage network devices.
If the network has a few devices and its security is good, such as a campus network or a small
enterprise network, SNMPv1 can be deployed to ensure the normal communication between the
NM station and managed devices.

Pre-configuration Tasks
Before configuring a device to communicate with an NM station by running SNMPv1, complete
the following task:
- Configuring a routing protocol to ensure that the Switch and NM station are routable

Data Preparation
Before configuring a device to communicate with an NM station by running SNMPv1, you need
the following data.

No. | Data
1 | SNMP version, SNMP community name, destination address of alarm messages, administrator's contact information and location, and the maximum SNMP packet size
2 | (Optional) ACL number, IP address of the NM station, and MIB object
3 | (Optional) Name of the alarm-sending module, source address of trap messages, queue length for trap messages, and lifetime of trap messages

Configuring Basic SNMPv1 Functions


After basic SNMP functions are configured, an NM station can perform basic operations such
as Get and Set operations on a managed device, and the managed device can send alarms to the
NM station.

Context
Step 3, Step 4, and Step 5 are mandatory for the configuration of basic SNMP functions.
After the configurations are complete, basic SNMP communication can be conducted between
the NM station and managed device.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 (Optional) Run:
snmp-agent

The SNMP agent function is enabled.


By default, the SNMP agent function is disabled. Running any snmp-agent command also enables
the SNMP agent function, so this step is optional.
Step 3 Run:
snmp-agent sys-info version v1

The SNMP version is set.


By default, SNMPv3 is enabled.
After SNMPv1 is enabled on the managed device, the device supports both SNMPv1 and
SNMPv3. This means that the device can be monitored and managed by NM stations running
SNMPv1 or SNMPv3.
Step 4 Run:
snmp-agent community { read | write } [ cipher ] community-name [ acl acl-number |
mib-view view-name ] *

The community name is set.


The community name will be saved in encrypted format in the configuration file.
After the community name is set, if no MIB view is configured, the NM station that uses the
community name has rights to access objects in the Viewdefault view.
Step 5 Choose either of the following commands as needed to configure a destination IP address for
the alarms and error codes sent from the device.
- To configure a destination IPv4 address for the alarms and error codes sent from the device, run:
snmp-agent target-host trap address udp-domain ip-address [ udp-port port-number | source interface-type interface-number | { public-net | vpn-instance vpn-instance-name } ] * params securityname security-string [ v1 | v2c | v3 [ authentication | privacy ] ] [ private-netmanager ] [ notify-filter-profile profile-name | ext-vb ] *

The descriptions of the command parameters are as follows:


- The default destination UDP port number is 162. In some special cases (for example, port mirroring is configured to prevent a well-known port from being attacked), the parameter udp-port can be used to specify a non-well-known UDP port number. This ensures normal communication between the NM station and managed device.

- The parameter securityname identifies the alarm sender, which will help you learn the alarm source.
- If the NM station and managed device are both Huawei products, the parameter private-netmanager can be configured to add more information to alarms, such as the alarm type, alarm sequence number, and alarm sending time. The information will help you locate and rectify faults more quickly.
Step 6 (Optional) Run:
snmp-agent sys-info { contact contact | location location }

The equipment administrator's contact information or location is configured.


This step is required when the NM station administrator must know equipment administrators'
contact information and locations when the NM station manages many devices. This allows the
NM station administrator to contact the equipment administrators quickly for fault location and
rectification.
To configure both the equipment administrator's contact information and location, you must run
the command twice to configure them separately.
Step 7 (Optional) Run:
snmp-agent packet max-size byte-count

The maximum size of an SNMP packet that the device can receive or send is set.
By default, the maximum size of an SNMP packet that the device can receive or send is 12000
bytes.
After the maximum size is set, the device will discard any SNMP packet that is larger than the
set size. The maximum SNMP packet size set on the device must match the packet size that the
NM station can process; otherwise, the NM station cannot process the SNMP packets sent from
the device.
----End

Follow-up Procedure
After the configurations are complete, basic communication can be conducted between the NM
station and managed device.
- Access control allows any NM station that uses the community name to monitor and manage all the objects on the managed device.
- The managed device sends alarms generated by the modules that are enabled by default to the NM station.

If finer device management is required, follow directions below to configure a managed device:
- To allow a specified NM station that uses the community name to manage specified objects on the device, follow the procedure described in Controlling the NM Station's Access to the Device.
- To allow a specified module on the managed device to report alarms to the NM station, follow the procedure described in Configuring the Trap Function.
- If the NM station and managed device are both Huawei products, follow the procedure described in Enabling the SNMP Extended Error Code Function to allow the device to send more types of error codes. This allows more specific error identification and facilitates your fault location and rectification.


(Optional) Controlling the NM Station's Access to the Device

This section describes how to specify an NM station and manageable MIB objects for SNMP-based
communication between the NM station and managed device to improve communication security.

Context
If a device is managed by multiple NM stations that use the same community name, note the
following points:
- If all the NM stations that use the community name need to have rights to access the objects in the Viewdefault view (1.3.6.1), skip the following steps.
- If some of the NM stations that use the community name need to have rights to access the objects in the Viewdefault view (1.3.6.1), skip Step 5.
- If all the NM stations need to manage specified objects on the device, skip Step 2, Step 3, and Step 4.
- If some of the NM stations that use the community name need to manage specified objects on the device, perform all the following steps.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
acl acl-number

A basic ACL is created to filter the NM station users that can manage the device.
Step 3 Run:
rule [ rule-id ] { deny | permit } source { source-ip-address source-wildcard |
any }

A rule is added to the ACL.


Step 4 Run:
quit

Return to the system view.


Step 5 Run:
snmp-agent mib-view { excluded | included } view-name oid-tree

A MIB view is created, and manageable MIB objects are specified.


By default, an NM station has rights to access the objects in the Viewdefault view (1.3.6.1).
- If a few MIB objects on a device or some objects in the current MIB view do not or no longer need to be managed by the NM station, excluded needs to be specified in the command to exclude these MIB objects.
- If a few MIB objects on the device or some objects in the current MIB view need to be managed by the NM station, included needs to be specified in the command to include these MIB objects.

Step 6 Run:
snmp-agent community { read | write } { community-name | cipher community-name } [
mib-view view-name | acl acl-number ]*

The NM station's access rights are specified.


- read needs to be configured in the command if the NM station administrator needs only the read permission in the specified view, for example, when a low-level administrator needs to read certain data. write needs to be configured in the command if the NM station administrator needs the read and write permissions in the specified view, for example, when a high-level administrator needs to read and write certain data.
- cipher is used to display the community name in cipher text. It can be configured in the command to improve security. If the parameter is configured, the administrator needs to remember the community name. If the community name is forgotten, it cannot be obtained by querying the device.
- If some of the NM stations that use the community name need to have rights to access the objects in the Viewdefault view (1.3.6.1), mib-view view-name does not need to be configured in the command.
- If all the NM stations that use the community name need to manage specified objects on the device, acl acl-number does not need to be configured in the command.
- If some of the NM stations that use the community name need to manage specified objects on the device, both mib-view and acl need to be configured in the command.
----End
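To make the access decision built in Steps 2 to 6 concrete, here is an added Python model (example code, not Huawei's implementation) of how a basic ACL, a MIB view with included and excluded subtrees, and a community's read or write right combine to accept or reject one request. The fixture (the community names, the 10.1.1.0/24 NM station range, the excluded ifTable subtree) is constructed, and the result when no ACL rule matches is an assumption of the model, marked in the code.

```python
"""Model of the SNMPv1/v2c access decision configured in this section (added example,
not Huawei code). Its inputs mirror the commands used above:
  acl <acl-number> / rule <rule-id> { permit | deny } source <ip> <wildcard>
  snmp-agent mib-view { included | excluded } <view-name> <oid-tree>
  snmp-agent community { read | write } <name> [ acl <acl-number> ] [ mib-view <view-name> ]
The fixture at the bottom is constructed; assumptions are marked in comments.
"""
from dataclasses import dataclass, field
from ipaddress import IPv4Address
from typing import List, Optional, Tuple

OID = Tuple[int, ...]
VIEWDEFAULT: OID = (1, 3, 6, 1)   # the Viewdefault view (1.3.6.1) a community gets by default


def parse_oid(text: str) -> OID:
    return tuple(int(part) for part in text.strip(".").split("."))


@dataclass
class AclRule:
    action: str                 # "permit" or "deny"
    source: str                 # dotted IPv4 address, or "any"
    wildcard: str = "0.0.0.0"   # wildcard mask: 1 bits are "don't care" bits

    def matches(self, ip: str) -> bool:
        if self.source == "any":
            return True
        care = ~int(IPv4Address(self.wildcard)) & 0xFFFFFFFF
        return (int(IPv4Address(ip)) ^ int(IPv4Address(self.source))) & care == 0


def acl_permits(rules: List[AclRule], ip: str, no_match: str = "deny") -> bool:
    """First matching rule wins. The result when nothing matches is an assumption of
    this model (kept conservative); confirm the device's documented default."""
    for rule in rules:
        if rule.matches(ip):
            return rule.action == "permit"
    return no_match == "permit"


@dataclass
class MibView:
    # (subtree, included) entries. The longest matching subtree decides whether an OID
    # is visible, which is how VACM views (RFC 3415) resolve overlapping entries.
    entries: List[Tuple[OID, bool]] = field(default_factory=list)

    def contains(self, oid: OID) -> bool:
        best: Optional[Tuple[OID, bool]] = None
        for subtree, included in self.entries:
            if oid[:len(subtree)] == subtree and (best is None or len(subtree) > len(best[0])):
                best = (subtree, included)
        return best is not None and best[1]


@dataclass
class Community:
    name: str
    right: str                              # "read" or "write"
    acl: Optional[List[AclRule]] = None     # None: no 'acl' parameter, any station may use it
    view: MibView = field(default_factory=lambda: MibView([(VIEWDEFAULT, True)]))


def decide(communities: List[Community], community_name: str, src_ip: str,
           op: str, oid_text: str) -> Tuple[bool, str]:
    """Return (allowed, reason) for a Get/GetNext (op="get") or Set (op="set") request."""
    comm = next((c for c in communities if c.name == community_name), None)
    if comm is None:
        return False, "unknown community"
    if comm.acl is not None and not acl_permits(comm.acl, src_ip):
        return False, "source address rejected by ACL"
    if op == "set" and comm.right != "write":
        return False, "community is read-only"
    if not comm.view.contains(parse_oid(oid_text)):
        return False, "object outside the community's MIB view"
    return True, "permitted"


# Constructed fixture: stations in 10.1.1.0/24 may read everything under 1.3.6.1 except
# the ifTable subtree (1.3.6.1.2.1.2.2); a write community is limited to host 10.1.1.5.
ACL_2000 = [AclRule("permit", "10.1.1.0", "0.0.0.255"), AclRule("deny", "any")]
VIEW_NO_IFTABLE = MibView([(VIEWDEFAULT, True), (parse_oid("1.3.6.1.2.1.2.2"), False)])
COMMUNITIES = [
    Community("monitor-ro", "read", acl=ACL_2000, view=VIEW_NO_IFTABLE),
    Community("ops-rw", "write", acl=[AclRule("permit", "10.1.1.5", "0.0.0.0")]),
]

if __name__ == "__main__":
    for args in [("monitor-ro", "10.1.1.20", "get", "1.3.6.1.2.1.1.1.0"),
                 ("monitor-ro", "10.1.1.20", "get", "1.3.6.1.2.1.2.2.1.2.1"),
                 ("monitor-ro", "10.1.2.20", "get", "1.3.6.1.2.1.1.1.0"),
                 ("ops-rw", "10.1.1.6", "set", "1.3.6.1.2.1.1.4.0")]:
        print(args, "->", decide(COMMUNITIES, *args))
```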

Follow-up Procedure
After the access rights are configured, especially after the IP address of the NM station is
specified, if the IP address changes (for example, the NM station changes its location, or IP
addresses are reallocated due to network adjustment), you need to change the IP address of the
NM station in the ACL. Otherwise, the NM station cannot access the device.

(Optional) Enabling the SNMP Extended Error Code Function


This section describes how to enable the extended SNMP error code function when both the NM
station and managed device are Huawei products. After this function is enabled, more types of
error codes are provided to help you locate and rectify faults more quickly and accurately.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
snmp-agent extend error-code enable

The SNMP extended error code function is enabled.


By default, SNMP standard error codes are used. After the extended error code function is
enabled, extended error codes can be sent to the NM station.
----End

(Optional) Configuring the Trap Function


This section describes how to specify the alarms to be sent to the NM station, which will help
you to locate important problems. After relevant parameters are set, the security of alarm sending
can be improved.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
snmp-agent trap enable

Alarm sending is enabled.


NOTE

If the snmp-agent trap enable command is run to enable the trap functions of all modules, note the
following points:
- To disable the trap functions of all modules, you need to run the snmp-agent trap disable command.
- To restore the trap functions of all modules to the default status, you need to run the undo snmp-agent trap enable or undo snmp-agent trap disable command.
- To disable one trap function of a module, you need to run the undo snmp-agent trap enable feature-name command.

Step 3 Run:
snmp-agent trap enable feature-name feature-name trap-name trap-name

A trap function of a feature module is enabled. This means that an alarm of a specified feature
can be sent to the NM station.
The undo snmp-agent trap enable feature-name command can be used to disable a trap
function of a module.
Step 4 Run:
snmp-agent trap source interface-type interface-number

The source interface for trap messages is specified.


After the source interface is specified, its IP address becomes the source IP address of trap
messages. Configuring the IP address of the local loopback interface as the source interface is
recommended, which can ensure device security.
The source interface specified on the Switch for trap messages must be consistent with that
specified on the NM station; otherwise, the NM station will not accept the trap messages sent
from the Switch.
Step 5 Run:
snmp-agent trap queue-size size

The length of the queue storing trap messages to be sent to the destination host is set.
The queue length depends on the number of generated trap messages. If the Switch frequently
generates trap messages, a longer queue length can be set to prevent trap messages from being
lost.

Step 6 Run:
snmp-agent trap life seconds

The lifetime of every trap message is set.


The lifetime of every trap message depends on the number of generated trap messages. If the
Switch frequently generates trap messages, a longer lifetime can be set for every trap message
to prevent trap messages from being lost.
----End
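The interplay between the queue length of Step 5 and the lifetime of Step 6 is easier to see with an added simulation (example code, not the device's implementation). It assumes that a newly generated trap is discarded when the queue is already full and that a queued trap is discarded once it reaches the head of the queue older than its lifetime; the trap burst and the sender rate are constructed values.

```python
"""Simulation of the outbound trap queue sized by 'snmp-agent trap queue-size' and aged by
'snmp-agent trap life' (added example, not the device's implementation). Model assumptions:
a newly generated trap is discarded when the queue is full, and a queued trap is discarded
when it reaches the head of the queue older than its lifetime. Times are in seconds."""
from collections import deque
from math import inf


def simulate_trap_queue(arrival_times, send_interval, queue_size, life):
    """Return (sent, dropped_queue_full, dropped_expired).

    arrival_times: times at which the device generates traps (any order).
    send_interval: seconds the transmitter needs per trap (constructed sender rate).
    queue_size:    the 'snmp-agent trap queue-size' value.
    life:          the 'snmp-agent trap life' value.
    """
    arrivals = sorted(arrival_times)
    queue = deque()                  # generation time of each trap waiting to be sent
    sent = dropped_full = dropped_expired = 0
    now = 0.0
    free_at = 0.0                    # earliest time the transmitter can send the next trap
    i = 0
    while i < len(arrivals) or queue:
        next_arrival = arrivals[i] if i < len(arrivals) else inf
        next_send = max(free_at, now) if queue else inf
        if next_arrival <= next_send:
            # A trap is generated: queue it, or drop it when the queue is already full.
            now = next_arrival
            i += 1
            if len(queue) >= queue_size:
                dropped_full += 1
            else:
                queue.append(now)
        else:
            # The transmitter is free: take the oldest trap, discarding it if it outlived 'life'.
            now = next_send
            generated = queue.popleft()
            if now - generated > life:
                dropped_expired += 1         # no transmit slot is consumed
            else:
                sent += 1
                free_at = now + send_interval
    return sent, dropped_full, dropped_expired


# Constructed burst: one trap per second for 20 s, towards an NM station the device can
# only reach at one trap every 4 s (for example, across a congested link).
BURST = list(range(20))

if __name__ == "__main__":
    print("queue_size life  sent full-drops expired")
    for queue_size, life in [(5, 12), (10, 12), (10, 40)]:
        sent, full, expired = simulate_trap_queue(BURST, 4, queue_size, life)
        print(f"{queue_size:10} {life:4} {sent:5} {full:10} {expired:7}")
```

Doubling the queue alone only converts queue-full drops into expiry drops; the burst is delivered only when the lifetime is raised as well.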

Checking the Configuration


After SNMPv1 functions are configured, you can view the SNMPv1 configurations.

Prerequisites
The configurations of basic SNMPv1 functions are complete.

Procedure
- Run the display snmp-agent community command to check the configured community name.
- Run the display snmp-agent sys-info version command to check the enabled SNMP version.
- Run the display acl acl-number command to check the rules in the specified ACL.
- Run the display snmp-agent mib-view command to check the MIB view.
- Run the display snmp-agent sys-info contact command to check the equipment administrator's contact information.
- Run the display snmp-agent sys-info location command to check the location of the device.
- Run the display snmp-agent target-host command to view information about all destination hosts, such as their IP addresses.
- Run the display snmp-agent trap command to view whether the device is enabled to send alarms to the NM station.
- Run the display snmp-agent statistics command to view the statistics of SNMP packets.
- Run the display snmp-agent extend error-code status command to check whether the SNMP extended error code feature is enabled.
----End

10.1.3 Configuring a Device to Communicate with an NM Station by Running SNMPv2c

After SNMPv2c is configured, a managed device and an NM station can run SNMPv2c to
communicate with each other. To ensure normal communication, you need to configure both
sides. This section describes only the configurations on a managed device (the agent side). For
details about configurations on an NM station, see the pertaining NM station operation guide.
The NM station manages a device in the following manners:

- Sends requests to the managed device to perform the GetRequest, GetNextRequest, GetResponse, GetBulk, or SetRequest operation, obtaining data and setting values.
- Receives alarms from the managed device and locates and rectifies device faults based on the alarm information.

In the following configuration, after basic SNMP functions are configured, the NM station can
manage the device in these manners. For details on how to configure finer management such as
accurate access control or alarm module specification, see the following configuration
procedures.

Establishing the Configuration Task


Before configuring a device to communicate with an NM station by running SNMPv2c,
familiarize yourself with the applicable environment, complete the pre-configuration tasks, and
obtain the data required for the configuration. This will help you complete the configuration task
quickly and accurately.

Applicable Environment
SNMP needs to be deployed in a network to allow the NM station to manage network devices.
If your network is large, with many devices, and its security requirements are not strict or
its security is good (for example, a VPN network) but services on the network are so busy that
traffic congestion may occur, SNMPv2c can be deployed to ensure communication between the
NM station and managed devices.

Pre-configuration Tasks
Before configuring a device to communicate with an NM station by running SNMPv2c, complete
the following task:
- Configuring a routing protocol to ensure that the Switch and NM station are routable

Data Preparation
Before configuring a device to communicate with an NM station by running SNMPv2c, you
need the following data.

No. | Data
1 | SNMP version, SNMP community name, address of the alarm destination host, administrator's contact information and location, and the maximum SNMP packet size
2 | (Optional) ACL number, IP address of the NM station, MIB object
3 | (Optional) Name of the alarm-sending module, source address of trap messages, queue length for trap messages, lifetime of trap messages, expiry time of informs, allowable number of inform retransmissions, allowable maximum number of informs to be acknowledged, aging time of log messages, and allowable maximum number of log messages about the trap and inform events in the log buffer


Configuring Basic SNMPv2c Functions


After basic SNMP functions are configured, an NM station can perform basic operations such
as Get and Set operations on a managed device, and the managed device can send alarms to the
NM station.

Context
Step 3, Step 4, and Step 5 are mandatory for the configuration of basic SNMP functions.
After the configurations, basic SNMP communication can be conducted between the NM station
and managed device.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 (Optional) Run:
snmp-agent

The SNMP agent function is enabled.


By default, the SNMP agent function is disabled. Running any command with the parameter
snmp-agent can enable the SNMP agent function, so this step is optional.
Step 3 Run:
snmp-agent sys-info version v2c

The SNMP version is set.


By default, SNMPv3 is enabled.
After SNMPv2c is enabled on the managed device, the device supports both SNMPv2c and
SNMPv3. This means that the device can be monitored and managed by NM stations running
SNMPv2c and SNMPv3.
Step 4 Run:
snmp-agent community { read | write } [ cipher ] community-name [ acl acl-number |
mib-view view-name ] *

The community name is set.


The community name will be saved in encrypted format in the configuration file.
After the community name is set, if no MIB view is configured, the NM station that uses the
community name has rights to access objects in the Viewdefault view.
Step 5 Choose one of the following commands as needed to configure the destination IP address for
the alarms and error codes sent from the device.
- If the network is an IPv4 network, configure the device to send either traps or informs to the NM station.



NOTE

The differences between traps and informs are as follows:
- The traps sent by the managed device do not need to be acknowledged by the NM station.
- The informs sent by the managed device need to be acknowledged by the NM station. If no acknowledgement message from the NM station is received within a specified time period, the managed device will resend the inform until the number of retransmissions reaches the maximum. When the managed device sends an inform, it records the inform in the log. If the NM station and the link between the NM station and managed device recover from a fault, the NM station can still learn the informs sent during fault occurrence and rectification.
In this regard, informs are more reliable than traps, but the device may need to buffer a lot of informs because of the inform retransmission mechanism, and this may consume many memory resources.
If the network is stable, using traps is recommended. If the network is unstable and the device's memory capacity is sufficient, using informs is recommended.

To configure a destination IP address for the traps and error codes sent from the device,
run:
snmp-agent target-host trap address udp-domain ip-address [ udp-port port-number |
source interface-type interface-number | { public-net | vpn-instance
vpn-instance-name } ] * params securityname security-string [ v1 | v2c | v3
[ authentication | privacy ] ] [ private-netmanager ] [ notify-filter-profile
profile-name | ext-vb ] *

To configure a destination IP address for the informs and error codes sent from the device,
run:
snmp-agent target-host inform ip-address [ udp-port port-number | source
interface-type interface-number | public-net ] * params securityname
security-string v2c [ notify-filter-profile profile-name | ext-vb ] *

The descriptions of the command parameters are as follows:


l The default destination UDP port number is 162. In some special cases (for example, port
mirroring is configured to prevent a well-known port from being attacked), the parameter
udp-port can be used to specify a non-well-known UDP port number. This ensures normal
communication between the NM station and managed device.
l The parameter securityname identifies the alarm sender, which will help you learn the alarm
source.
l If the NM station and managed device are both Huawei products, the parameter
private-netmanager can be configured to add more information to alarms, such as the alarm type,
alarm sequence number, and alarm sending time. The information will help you locate and
rectify faults more quickly.
NOTE

An IPv6 network supports only traps, not informs.

Step 6 (Optional) Run:
snmp-agent sys-info { contact contact | location location }

The equipment administrator's contact information or location is configured.


This step is required when the NM station administrator must know equipment administrators'
contact information and locations when the NM station manages many devices. This allows the
NM station administrator to contact the equipment administrators quickly for fault location and
rectification.
To configure both the equipment administrator's contact information and location, you must run
the command twice to configure them separately.
Step 7 (Optional) Run:
snmp-agent packet max-size byte-count

The maximum size of an SNMP packet that the device can receive or send is set.
By default, the maximum size of an SNMP packet that the device can receive or send is 12000
bytes.
After the maximum size is set, the device will discard any SNMP packet that is larger than the
set size. The allowable maximum size of an SNMP packet for a device depends on the size of a
packet that the NM station can process; otherwise, the NM station cannot process the SNMP
packets sent from the device.
----End

Follow-up Procedure
After the configurations are complete, basic communication can be conducted between the NM
station and managed device.
l Access control allows any NM station that uses the community name to monitor and manage
all the objects on the managed device.
l The managed device sends alarms generated by the modules that are open by default to the
NM station.

If finer device management is required, follow directions below to configure the managed
device:
l To allow a specified NM station that uses the community name to manage specified objects
of the device, follow the procedure described in Controlling the NM Station's Access to
the Device.
l To allow a specified module on the managed device to report alarms to the NM station,
follow the procedure described in Configuring the Trap Function.
l If the NM station and managed device are both Huawei products, follow the procedure
described in Enabling the SNMP Extended Error Code Function to allow the device to
send more types of error codes. This allows more specific error identification and facilitates
your fault location and rectification.

(Optional) Controlling the NM Station's Access to the Device


This section describes how to specify an NM station and manageable MIB objects for SNMP-based
communication between the NM station and managed device to improve communication
security.

Context
If a device is managed by multiple NM stations that use the same community name, note the
following points:
l If all the NM stations that use the community name need to have rights to access the objects
in the Viewdefault view (1.3.6.1), skip the following steps.
l If some of the NM stations that use the community name need to have rights to access the
objects in the Viewdefault view (1.3.6.1), skip Step 5.
l If all the NM stations need to manage specified objects on the device, skip Step 2, Step 3,
and Step 4.

l If some of the NM stations that use the community name need to manage specified objects
on the device, perform all the following steps.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
acl acl-number

A basic ACL is created to filter the NM station users that can manage the device.
Step 3 Run:
rule [ rule-id ] { deny | permit } source { source-ip-address source-wildcard |
any }

A rule is added to the ACL.


Step 4 Run:
quit

Return to the system view.


Step 5 Run:
snmp-agent mib-view { excluded | included } view-name oid-tree

A MIB view is created, and manageable MIB objects are specified.


By default, an NM station has rights to access the objects in the Viewdefault view (1.3.6.1).
l If a few MIB objects on a device or some objects in the current MIB view do not or no longer
need to be managed by the NM station, excluded needs to be specified in the related command
to exclude these MIB objects.
l If a few MIB objects on the device or some objects in the current MIB view need to be
managed by the NM station, included needs to be specified in the related command to include
these MIB objects.
Step 6 Run:
snmp-agent community { read | write } { community-name | cipher community-name } [
mib-view view-name | acl acl-number ]*

The NM station's access rights are specified.


l read needs to be configured in the command if the NM station administrator needs the read
permission in the specified view in some cases. For example, a low-level administrator needs
to read certain data. write needs to be configured in the command if the NM station
administrator needs the read and write permissions in the specified view in some cases. For
example, a high-level administrator needs to read and write certain data.
l cipher is used to display the community name in cipher text. It can be configured in the
command to improve security. If the parameter is configured, the administrator needs to
remember the community name. If the community name is forgotten, it cannot be obtained
by querying the device.
l If some of the NM stations that use the community name need to have rights to access the
objects in the Viewdefault view (1.3.6.1), mib-view view-name does not need to be
configured in the command.
l If all the NM stations that use the community name need to manage specified objects on the
device, acl acl-number does not need to be configured in the command.
l If some of the NM stations that use the community name need to manage specified objects
on the device, both mib-view and acl need to be configured in the command.
----End

Follow-up Procedure
After the access rights are configured, especially after the IP address of the NM station is
specified, if the IP address changes (for example, the NM station changes its location, or IP
addresses are reallocated due to network adjustment), you need to change the IP address of the
NM station in the ACL. Otherwise, the NM station cannot access the device.

(Optional) Enabling the SNMP Extended Error Code Function


This section describes how to enable the extended SNMP error code function when both the NM
station and managed device are Huawei products. After this function is enabled, more types of
error codes are provided to help you locate and rectify faults more quickly and accurately.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
snmp-agent extend error-code enable

The SNMP extended error code function is enabled.


By default, SNMP standard error codes are used. After the extended error code function is
enabled, extended error codes can be sent to the NM station.
----End

(Optional) Configuring the Trap Function


This section describes how to specify the alarms to be sent to the NM station, which will help
you to locate important problems. After relevant parameters are set, the security of alarm sending
can be improved.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
snmp-agent trap enable

Alarm sending is enabled.


NOTE

If the snmp-agent trap enable command is run to enable the trap functions of all modules, note the
following points:
l To disable the trap functions of all modules, you need to run the snmp-agent trap disable command.
l To restore the trap functions of all modules to the default status, you need to run the undo snmp-agent
trap enable or undo snmp-agent trap disable command.
l To disable one trap function of a module, you need to run the undo snmp-agent trap enable feature-name command.

Step 3 Run:
snmp-agent trap enable feature-name feature-name trap-name trap-name

A trap function of a feature module is enabled. This means that an alarm of a specified feature
can be sent to the NM station.
The undo snmp-agent trap enable feature-name feature-name trap-name trap-name
command can be used to disable a trap function of a module.
Step 4 Configure trap function parameters based on the trap usage or inform usage selected during the
configuration of basic SNMPv2c functions.
If traps are used, follow the procedure described in Configuring trap parameters; if informs
are used, follow the procedure described in Configuring inform parameters.
Configuring trap parameters:
1. Run:
snmp-agent trap source interface-type interface-number

The source interface for trap messages is specified.


After the source interface is specified, its IP address becomes the source IP address of trap
messages. Configuring the IP address of the local loopback interface as the source interface
is recommended, which can ensure device security.
The source interface specified on the Switch for trap messages must be consistent with that
specified on the NM station; otherwise, the NM station will not accept the trap messages
sent from the Switch.
2. Run:
snmp-agent trap queue-size size

The length of the queue storing trap messages to be sent to the destination host is set.
The queue length depends on the number of generated trap messages. If the Switch
frequently generates trap messages, a longer queue length can be set to prevent trap
messages from being lost.
3. Run:
snmp-agent trap life seconds

The lifetime of every trap message is set.


The lifetime of every trap message depends on the number of generated trap messages. If
the Switch frequently generates trap messages, a longer lifetime can be set for every trap
message to prevent trap messages from being lost.
Configuring inform parameters:
1. Run:
snmp-agent inform { timeout seconds | resend-times times | pending number }*

The timeout period for waiting for Inform ACK messages, number of inform
retransmissions, and allowable maximum number of informs to be acknowledged are set.
If the network is unstable, you need to specify the number of inform retransmissions and
allowable maximum number of informs to be acknowledged when you set a timeout period
for waiting for Inform ACK messages. By default, the timeout period for waiting for Inform
ACK messages is 15 seconds; the number of inform retransmissions is 3; the allowable
maximum number of informs waiting to be acknowledged is 39.
Setting the number of inform retransmissions to a value smaller than or equal to 10 is
recommended. Otherwise, device performance will be affected.
2. Run:
snmp-agent inform { timeout seconds | resend-times times } * address udp-domain
ip-address [ vpn-instance vpn-instance-name ] params securityname
security-string

The timeout period for waiting for Inform ACK messages from a specified NM station and
the number of inform retransmissions are set.
If the network is unstable, you need to specify the number of inform retransmissions and
allowable maximum number of informs to be acknowledged when you set a timeout period
for waiting for Inform ACK messages. By default, the timeout period for waiting for Inform
ACK messages is 15 seconds, and the number of inform retransmissions is 3.
Setting the number of inform retransmissions to a value smaller than or equal to 10 is
recommended. Otherwise, device performance will be affected.
3. Run:
snmp-agent notification-log enable

The alarm logging function is enabled.


If the link between the managed device and the NM station fails, the managed device will
stop sending informs to the NM station because the NM station is unroutable but the
managed device will continue logging informs. If the link recovers, the NM station will
learn the informs logged by the managed device during the link failure.
After the alarm logging function is enabled, the system logs only informs, not traps.
By default, the alarm logging function is disabled.
4. Run:
snmp-agent notification-log { global-ageout ageout | global-limit limit }*

The aging time of alarm logs and maximum number of alarm logs allowed to be stored in
the log buffer are set.
By default, the aging time of alarm logs is 24 hours. If the aging time expires, alarms logs
will be automatically deleted.
By default, the log buffer can store a maximum of 500 alarm logs. If the number of alarm
logs in the log buffer exceeds 500, the device will delete the alarm logs from the earliest
one.
----End
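The inform retransmission, pending-limit and alarm-logging behaviour described in the inform parameters above, as an added Python model written for this guide's reader (it is not the AC6605's own implementation). It uses the guide's default values (15-second timeout, 3 retransmissions, 39 pending informs, 500 log entries, 24-hour aging) and a simulated clock; the alarm names and the small limits in the second scenario are constructed. A NM station that was unreachable while the inform was pending can still recover it from the device's notification log, which is the point the NOTE on traps versus informs makes.

```python
from collections import deque


class NotificationLog:
    """Models 'snmp-agent notification-log { global-ageout | global-limit }':
    a bounded buffer that deletes the earliest entry when full and ages entries out."""

    def __init__(self, ageout_hours=24, limit=500):
        self.ageout_seconds = ageout_hours * 3600
        self.limit = limit
        self.entries = deque()  # (time_logged, sequence, name), earliest first

    def record(self, now, seq, name):
        self.entries.append((now, seq, name))
        while len(self.entries) > self.limit:  # buffer full: delete from the earliest one
            self.entries.popleft()

    def age_out(self, now):
        """Delete entries whose aging time has expired; returns the remaining count."""
        while self.entries and now - self.entries[0][0] >= self.ageout_seconds:
            self.entries.popleft()
        return len(self.entries)


class InformSender:
    """Models 'snmp-agent inform { timeout | resend-times | pending }' on the device."""

    def __init__(self, timeout=15, resend_times=3, pending=39, log=None):
        self.timeout = timeout
        self.resend_times = resend_times
        self.pending_max = pending
        self.log = log
        self.pending = {}        # seq -> [name, last_sent_at, retransmissions so far]
        self.next_seq = 1
        self.retransmissions = 0
        self.failed = []         # seqs that were never acknowledged
        self.rejected = []       # names refused because the pending table was full

    def send(self, now, name):
        """Send an inform; it stays pending until an Inform ACK arrives."""
        if len(self.pending) >= self.pending_max:
            self.rejected.append(name)
            return None
        seq, self.next_seq = self.next_seq, self.next_seq + 1
        self.pending[seq] = [name, now, 0]
        if self.log is not None:  # the device logs informs (not traps) when it sends them
            self.log.record(now, seq, name)
        return seq

    def ack(self, seq):
        """Inform ACK from the NM station: the inform is no longer pending."""
        self.pending.pop(seq, None)

    def tick(self, now):
        """Retransmit informs whose timeout expired; give up after resend_times retries."""
        for seq, state in list(self.pending.items()):
            name, last_sent, retries = state
            if now - last_sent < self.timeout:
                continue
            if retries >= self.resend_times:
                self.failed.append(seq)
                del self.pending[seq]
            else:
                state[1], state[2] = now, retries + 1
                self.retransmissions += 1


def simulate_link_failure():
    """NM station unreachable while the inform is pending; it later reads the device log."""
    log = NotificationLog(ageout_hours=24, limit=500)
    device = InformSender(timeout=15, resend_times=3, pending=39, log=log)
    seq = device.send(0, "linkDown")          # constructed alarm name
    for now in (15, 30, 45, 60):              # four timeout periods pass without an ACK
        device.tick(now)
    recovered = [name for (_, s, name) in log.entries if s == seq]
    return {"retransmissions": device.retransmissions, "failed": device.failed,
            "still_pending": len(device.pending), "recovered": recovered}


def simulate_limits():
    """Pending-table and log-buffer limits, with small values so the effect is visible."""
    log = NotificationLog(ageout_hours=1, limit=2)
    device = InformSender(timeout=15, resend_times=3, pending=2, log=log)
    device.send(0, "a")
    device.send(1, "b")
    device.send(2, "c")                       # third inform exceeds pending=2
    device.ack(1)                             # ACK for "a" frees a slot
    device.send(3, "d")
    logged = [name for (_, _, name) in log.entries]   # limit=2 keeps the two latest
    remaining = log.age_out(3601)             # only "d" is younger than one hour
    return {"rejected": device.rejected, "logged": logged,
            "remaining_after_ageout": remaining}


if __name__ == "__main__":
    print(simulate_link_failure())
    print(simulate_limits())
```

The first scenario shows why the guide recommends keeping resend-times at 10 or below: every unacknowledged inform costs one retransmission per timeout period and occupies a pending slot until it is given up, and once the pending table is full new informs are refused, as the second scenario shows.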
Checking the Configuration


After SNMPv2c functions are configured, you can view the SNMPv2c configurations.

Prerequisites
The configurations of basic SNMPv2c functions are complete.

Procedure
l Run the display snmp-agent community command to check the configured community
name.
l Run the display snmp-agent sys-info version command to check the enabled SNMP
version.
l Run the display acl acl-number command to check the rules in the specified ACL.
l Run the display snmp-agent mib-view command to check the MIB view.
l Run the display snmp-agent sys-info contact command to check the equipment
administrator's contact information.
l Run the display snmp-agent sys-info location command to check the location of the
device.
l Run the display snmp-agent trap command to view whether the router is enabled to send
alarms to the NM station.
l Run the display snmp-agent statistics command to view the statistics of SNMP packets.
l Run the display snmp-agent target-host command to check information about the target
host.
l Run the display snmp-agent inform [ address udp-domain ip-address [ vpn-instance
vpn-instance-name ] params securityname security-string ] command to check inform
parameters and device statistics with the NM station being specified or not.
l Run the display snmp-agent notification-log info command to check alarm logs stored
in the log buffer.
l Run the display snmp-agent extend error-code status command to check whether the
SNMP extended error code feature is enabled.

----End

10.1.4 Configuring a Device to Communicate with an NM Station by Running SNMPv3
After SNMPv3 is configured, a managed device and an NM station can run SNMPv3 to
communicate with each other. To ensure normal communication, you need to configure both
sides. This section describes only the configurations on a managed device (the agent side). For
details about configurations on an NM station, see the pertaining NM station operation guide.
The NM station manages a device in the following manners:
l Sends requests to the managed device to perform the GetRequest, GetNextRequest,
GetResponse, GetBulk, or SetRequest operation, obtaining data and setting values.
l Receives alarms from the managed device and locates and rectifies device faults based on
the alarm information.

In the following configuration, after basic SNMP functions are configured, the NM station can
manage the device in these manners. For details on how to configure finer management such as
accurate access control or alarm module specification, see the following configuration
procedures.

Establishing the Configuration Task


Before configuring a device to communicate with an NM station by running SNMPv3,
familiarize yourself with the applicable environment, complete the pre-configuration tasks, and
obtain the data required for the configuration. This will help you complete the configuration task
quickly and accurately.

Applicable Environment
SNMP needs to be deployed in a network to allow the NM station to manage network devices.
Assume your network has a strict requirement on security, only authorized administrators can
manage network devices, and the security and accuracy of transmitted network data need to be
ensured. For example, the data between the NM station and managed devices is transmitted over
a public network. In this case, SNMPv3 can be deployed. The authentication and encryption
functions provided by SNMPv3 ensure the security of data sending and normal communication
between the NM station and managed devices.

Pre-configuration Tasks
Before configuring a device to communicate with an NM station by running SNMPv3, complete
the following task:
l Configuring a routing protocol to ensure that the Switch and NM station are routable

Data Preparation
Before configuring a device to communicate with an NM station by running SNMPv3, you need
the following data.
No.   Data
1     SNMP version, user name and user group name, address of the alarm destination host,
      administrator's contact information and location, and maximum SNMP packet size
2     (Optional) ACL number, IP address of the NM station, and MIB object
3     (Optional) Name of the alarm-sending module, source address of trap messages,
      queue length for trap messages, and lifetime of trap messages

Configuring Basic SNMPv3 Functions


After basic SNMP functions are configured, an NM station can perform basic operations such
as Get and Set operations on a managed device, and the managed device can send alarms to the
NM station.

Context
Steps 5, 6, and 7 are mandatory for the configuration of basic SNMP functions. After the
configurations, basic SNMP communication can be conducted between the NM station and
managed device.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 (Optional) Run:
snmp-agent

The SNMP agent function is enabled.


By default, the SNMP agent function is disabled. Running any command with the parameter
snmp-agent can enable the SNMP agent function, so this step is optional.
Step 3 (Optional) Run:
snmp-agent sys-info version v3

The SNMP version is set.


By default, SNMPv3 is enabled. So, this step is optional.
Step 4 Run:
snmp-agent group v3 group-name [ authentication | privacy ]

An SNMPv3 user group is configured.


If the network or network devices are in an environment lacking security (for example, the
network is vulnerable to attacks), authentication or privacy can be configured in the command
to enable data authentication or encryption.
The available authentication and encryption modes are as follows:
l No authentication and no encryption: authentication and privacy are not configured in the
command. This mode is applicable to secure networks managed by a specified administrator.
l Authentication without encryption: Only authentication is configured in the command. This
mode is applicable to secure networks managed by many administrators who may frequently
perform operations on the same device. In this mode, only the authenticated administrators
can access the managed device.
l Authentication and encryption: privacy is configured in the command. This mode is
applicable to insecure networks managed by many administrators who may frequently
perform operations on the same device. In this mode, only the authenticated administrators
can access the managed device, and transmitted data is encrypted to guard against
interception and data leaking.
Step 5 Run:
snmp-agent usm-user v3 user-name group-name [ authentication-password { md5 | sha }
[ password ] | privacy-password des56 [ password ] | acl acl-number ]

A user is added to the SNMPv3 user group.
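What the device derives from the authentication-password { md5 | sha } and privacy-password des56 parameters of the usm-user command, as an added Python example (written for this guide's reader, not the AC6605's own code). It implements the RFC 3414 USM password-to-key and key-localization steps; the guide's sha keyword is taken to be SHA-1 as in RFC 3414, and the password "maplesyrup" and engine ID 0x000000000000000000000002 are the RFC's published test values, used here as sample input. The three security levels of Step 4 map onto the keys the device has to store: none for no authentication, the localized authentication key for authentication, and additionally the DES key for privacy.

```python
import hashlib

# CLI keyword -> hashlib algorithm (the guide's 'sha' is assumed to be SHA-1, as in RFC 3414)
AUTH_ALGORITHMS = {"md5": "md5", "sha": "sha1"}


def password_to_key(password, auth):
    """RFC 3414 A.2: repeat the password to 1 MiB and hash it, giving the user key Ku.
    Ku is the same for every device the user is configured on."""
    repeats = 1048576 // len(password) + 1
    stretched = (password * repeats)[:1048576]
    return hashlib.new(AUTH_ALGORITHMS[auth], stretched).digest()


def localize_key(ku, engine_id, auth):
    """RFC 3414 2.6: Kul = H(Ku || snmpEngineID || Ku). The key stored on a managed
    device is bound to that device's engine ID, so a Kul read off one device does not
    authenticate the user to another device."""
    return hashlib.new(AUTH_ALGORITHMS[auth], ku + engine_id + ku).digest()


def des56_privacy_key(localized_priv_key):
    """RFC 3414 8.1.1.1: for CBC-DES the first 8 octets of the localized privacy key are
    the DES key and the next 8 octets are the pre-IV."""
    return localized_priv_key[:8], localized_priv_key[8:16]


def usm_user_keys(engine_id, auth=None, auth_password=None, priv_password=None):
    """Keys a device holds for one 'snmp-agent usm-user v3' entry, by security level:
    no authentication -> noAuthNoPriv, authentication-password -> authNoPriv,
    authentication-password plus privacy-password des56 -> authPriv."""
    if auth is None or auth_password is None:
        return {"level": "noAuthNoPriv"}
    keys = {"level": "authNoPriv",
            "auth_key": localize_key(password_to_key(auth_password, auth), engine_id, auth)}
    if priv_password is not None:
        # The privacy key is derived with the authentication hash, then split for DES.
        priv_kul = localize_key(password_to_key(priv_password, auth), engine_id, auth)
        keys["level"] = "authPriv"
        keys["des_key"], keys["des_pre_iv"] = des56_privacy_key(priv_kul)
    return keys


if __name__ == "__main__":
    # RFC 3414 A.3 sample values: engine ID 0x000000000000000000000002, password "maplesyrup"
    engine = bytes.fromhex("000000000000000000000002")
    for auth in ("md5", "sha"):
        ku = password_to_key(b"maplesyrup", auth)
        print(auth, "Ku =", ku.hex(), "Kul =", localize_key(ku, engine, auth).hex())
    print(usm_user_keys(engine, "sha", b"maplesyrup", b"maplesyrup")["level"])
```

Running the block reproduces the Ku and Kul values printed in RFC 3414 Appendix A.3, which is a quick way to confirm that a management tool and the device agree on the key derivation when authentication fails unexpectedly.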


Step 6 Choose one of the following commands as needed to configure the destination IP address for
the alarms and error codes sent from the device.
l To configure a destination IPv4 address for the alarms and error codes sent from the device,
run:
snmp-agent target-host trap address udp-domain ip-address [ udp-port port-number |
source interface-type interface-number | { public-net | vpn-instance
vpn-instance-name } ] * params securityname security-string [ v1 | v2c | v3
[ authentication | privacy ] ] [ private-netmanager ] [ notify-filter-profile
profile-name | ext-vb ] *

The descriptions of the command parameters are as follows:


l The default destination UDP port number is 162. In some special cases (for example, port
mirroring is configured to prevent a well-known port from being attacked), the parameter
udp-port can be used to specify a non-well-known UDP port number. This ensures normal
communication between the NM station and managed device.
l The parameter securityname identifies the alarm sender, which will help you learn the alarm
source.
NOTE

To enable SNMPv3 to send trap messages, set securityname to an existing user name and ensure that
the user has the right to send trap messages.

l If the NM station and managed device are both Huawei products, the parameter
private-netmanager can be configured to add more information to alarms, such as the alarm type,
alarm sequence number, and alarm sending time. The information will help you locate and
rectify faults more quickly.
Step 7 (Optional) Run:
snmp-agent sys-info { contact contact | location location }

The equipment administrator's contact information or location is configured.


This step is required when the NM station administrator must know equipment administrators'
contact information and locations when the NM station manages many devices. This allows the
NM station administrator to contact the equipment administrators quickly for fault location and
rectification.
To configure both the equipment administrator's contact information and location, you must run
the command twice to configure them separately.
Step 8 (Optional) Run:
snmp-agent packet max-size byte-count

The maximum size of an SNMP packet that the device can receive or send is set.
By default, the maximum size of an SNMP packet that the device can receive or send is 12000
bytes.
After the maximum size is set, the device will discard any SNMP packet that is larger than the
set size. The allowable maximum size of an SNMP packet for a device depends on the size of a
packet that the NM station can process; otherwise, the NM station cannot process the SNMP
packets sent from the device.
----End

Follow-up Procedure
After the configurations are complete, basic communication can be conducted between the NM
station and managed device.
l Access control allows any NM station in the configured SNMPv3 user group to monitor
and manage all the objects on the managed device.
l The managed device sends alarms generated by the modules that are open by default to the
NM station.

If finer device management is required, follow directions below to configure the managed
device:
l To allow a specified NM station in an SNMPv3 user group (such as the NM station with a
specified IP address) to manage specified objects of the device, follow the procedure
described in Controlling the NM Station's Access to the Device.
l To allow a specified module on the managed device to report alarms to the NM station,
follow the procedure described in Configuring the Trap Function.
l If the NM station and managed device are both Huawei products, follow the procedure
described in Enabling the SNMP Extended Error Code Function to allow the device to
send more types of error codes. This allows more specific error identification and facilitates
your fault location and rectification.

(Optional) Controlling the NM Station's Access to the Device


This section describes how to specify an NM station and manageable MIB objects for SNMPv3-based
communication between the NM station and managed device to improve communication
security.

Context
If a device is managed by multiple NM stations that are in the same SNMPv3 user group, note
the following points:
l If all the NM stations need to have rights to access the objects in the Viewdefault view
(1.3.6.1), skip the following steps.
l If some of the NM stations need to have rights to access the objects in the Viewdefault view
(1.3.6.1), skip Step 5.
l If all the NM stations need to manage specified objects on the device, skip Step 2, Step 3,
and Step 4.
l If some of the NM stations need to manage specified objects on the device, perform all the
following steps.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
acl acl-number

A basic ACL is created to filter the NM station users that can manage the device.
Step 3 Run:
rule [ rule-id ] { deny | permit } source { source-ip-address source-wildcard |
any }

A rule is added to the ACL.


Step 4 Run:
quit

Return to the system view.


Step 5 Run:
snmp-agent mib-view { excluded | included } view-name oid-tree

A MIB view is created, and manageable MIB objects are specified.


By default, an NM station has rights to access the objects in the Viewdefault view (1.3.6.1).
l If a few MIB objects on the device or some objects in the current MIB view do not or no
longer need to be managed by the NM station, excluded needs to be specified in the command
to exclude these MIB objects.
l If a few MIB objects on the device or some objects in the current MIB view need to be
managed by the NM station, included needs to be specified in the command to include these
MIB objects.
Step 6 Run:
snmp-agent group v3 group-name [ authentication | privacy ] [ read-view read-view
| write-view write-view | notify-view notify-view ]* [ acl acl-number ]

The read and write permissions are configured for the user group.
l read-view needs to be configured in the command if the NM station administrator needs the
read permission in the specified view in some cases. For example, a low-level administrator
needs to read certain data. write-view needs to be configured in the command if the NM
station administrator needs the read and write permissions in the specified view in some
cases. For example, a high-level administrator needs to read and write certain data.
l notify-view needs to be configured in the command if you want to filter out irrelevant alarms
and configure the managed device to send only the alarms of specified MIB objects to the
NM station. If the parameter is configured, only the alarms of the MIB objects specified by
notify-view will be sent to the NM station.
l authentication or privacy can be configured in the command to improve security. If
authentication is configured, only authentication is performed. If privacy is configured,
both authentication and encryption are performed. For details, see the authentication and
encryption selection guide.
l If some NM stations that are in the same SNMPv3 user group need to have rights to access
the objects in the Viewdefault view (1.3.6.1), [ read-view read-view | write-view write-view | notify-view notify-view ] does not need to be configured in the command.
l If all the NM stations that are in the same SNMPv3 user group need to manage specified
objects on the device, acl acl-number does not need to be configured in the command.
l If some of the NM stations that are in the same SNMPv3 user group need to manage specified
objects on the device, both the MIB view and ACL need to be configured in the command.
----End
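The access decision that the ACL and MIB view steps above produce, as an added Python model for both the SNMPv2c procedure (snmp-agent community ... acl ... mib-view) and this SNMPv3 one (snmp-agent group v3 ... read-view / write-view / notify-view ... acl). It is example code written for this guide's reader, not the AC6605's own implementation, and it makes two labelled assumptions: overlapping included/excluded subtrees are resolved by the longest matching subtree, as in the RFC 3415 VACM model, and a source address that matches no ACL rule is denied. The ACL number, view name and NM station addresses are constructed; sysDescr.0, ipForwarding.0 and the linkDown notification are standard MIB-II/SNMPv2-MIB object identifiers used as sample input.

```python
import ipaddress

# ---- Basic ACL: rule [ rule-id ] { deny | permit } source { ip wildcard | any } ----

def acl_permits(rules, source_ip):
    """First matching rule decides. A source wildcard marks the 'don't care' bits
    (0.0.0.255 = any host in the /24). No matching rule -> deny (assumption: confirm the
    device's own ACL default before relying on it)."""
    addr = int(ipaddress.IPv4Address(source_ip))
    for action, source, wildcard in rules:
        if source == "any":
            return action == "permit"
        care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
        if (addr & care) == (int(ipaddress.IPv4Address(source)) & care):
            return action == "permit"
    return False


# ---- MIB view: snmp-agent mib-view { excluded | included } view-name oid-tree ----

def parse_oid(oid):
    return tuple(int(part) for part in oid.strip(".").split("."))


class MibView:
    """Subtrees are included or excluded; the longest matching subtree wins, as in
    RFC 3415 VACM (assumed to be the device's behaviour as well)."""

    def __init__(self, name):
        self.name = name
        self.subtrees = []  # (oid_tuple, included)

    def add(self, kind, oid_tree):
        self.subtrees.append((parse_oid(oid_tree), kind == "included"))
        return self

    def contains(self, oid):
        best = None
        for subtree, included in self.subtrees:
            if oid[:len(subtree)] == subtree and (best is None or len(subtree) > len(best[0])):
                best = (subtree, included)
        return best is not None and best[1]


VIEWDEFAULT = MibView("ViewDefault").add("included", "1.3.6.1")   # the default view


# ---- Principals: a v2c community or a v3 group, each with an optional ACL and views ----

def community(kind, acl=None, mib_view=None):
    """snmp-agent community { read | write } ... [ acl ] [ mib-view ]: a read community
    gets the read operation only, a write community gets read and write, in one view."""
    view = mib_view or VIEWDEFAULT
    ops = ("read",) if kind == "read" else ("read", "write")
    return {"acl": acl, "views": {op: view for op in ops}}


def v3_group(read_view=None, write_view=None, notify_view=None, acl=None):
    """snmp-agent group v3 ... [ read-view | write-view | notify-view ]* [ acl ]: each
    operation is checked against its own view; an operation with no view is refused."""
    views = {"read": read_view, "write": write_view, "notify": notify_view}
    return {"acl": acl, "views": {op: v for op, v in views.items() if v is not None}}


def check_access(principal, source_ip, operation, oid):
    """The decision the agent makes for one request: ACL first, then the view that
    applies to the operation (read, write, or notify)."""
    if principal["acl"] is not None and not acl_permits(principal["acl"], source_ip):
        return False
    view = principal["views"].get(operation)
    return view is not None and view.contains(parse_oid(oid))


def demo():
    """Constructed scenario: NM stations in 10.1.1.0/24 only, and the ip group
    (1.3.6.1.2.1.4) carved out of mib-2 (1.3.6.1.2.1)."""
    acl_2000 = [("permit", "10.1.1.0", "0.0.0.255"), ("deny", "any", None)]
    mgmt = MibView("mgmt").add("included", "1.3.6.1.2.1").add("excluded", "1.3.6.1.2.1.4")
    ro = community("read", acl=acl_2000, mib_view=mgmt)
    grp = v3_group(read_view=mgmt, notify_view=VIEWDEFAULT, acl=acl_2000)
    sys_descr, ip_forwarding = "1.3.6.1.2.1.1.1.0", "1.3.6.1.2.1.4.1.0"
    link_down = "1.3.6.1.6.3.1.1.5.3"
    return {
        "v2c_read_sysdescr": check_access(ro, "10.1.1.5", "read", sys_descr),
        "v2c_write_sysdescr": check_access(ro, "10.1.1.5", "write", sys_descr),
        "v2c_read_excluded": check_access(ro, "10.1.1.5", "read", ip_forwarding),
        "v2c_from_outside_acl": check_access(ro, "192.0.2.9", "read", sys_descr),
        "v3_write_without_view": check_access(grp, "10.1.1.5", "write", sys_descr),
        "v3_notify_linkdown": check_access(grp, "10.1.1.5", "notify", link_down),
    }


if __name__ == "__main__":
    for case, allowed in demo().items():
        print(case, "->", "permit" if allowed else "deny")
```

The ordering matters for the follow-up procedure above: the ACL is evaluated before any view, so an NM station whose address changed is refused outright, whatever view rights its community or group still carries.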

Follow-up Procedure
After the access rights are configured, especially after the IP address of the NM station is
specified, if the IP address changes (for example, the NM station changes its location, or IP
addresses are reallocated due to network adjustment), you need to change the IP address of the
NM station in the ACL. Otherwise, the NM station cannot access the device.
(Optional) Enabling the SNMP Extended Error Code Function


This section describes how to enable the extended SNMP error code function when both the NM
station and managed device are Huawei products. After this function is enabled, more types of
error codes are provided to help you locate and rectify faults more quickly and accurately.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
snmp-agent extend error-code enable

The SNMP extended error code function is enabled.


By default, SNMP standard error codes are used. After the extended error code function is
enabled, extended error codes can be sent to the NM station.
----End

(Optional) Configuring the Trap Function


This section describes how to specify which alarms are sent to the NM station, so that important problems can be located without being buried in unwanted alarms. Specifying a fixed source interface for traps also lets the NM station check that traps come from a known address.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
snmp-agent trap enable

Alarm sending is enabled.


NOTE

If the snmp-agent trap enable command is run to enable the trap functions of all modules, note the following points:
l To disable the trap functions of all modules, run the snmp-agent trap disable command.
l To restore the trap functions of all modules to the default status, run the undo snmp-agent trap enable or undo snmp-agent trap disable command.
l To disable one trap function of a module, run the undo snmp-agent trap enable feature-name command.

Step 3 Run:
snmp-agent trap enable feature-name feature-name trap-name trap-name

A trap function of a feature module is enabled. This means that an alarm of a specified feature
can be sent to the NM station.
The undo snmp-agent trap enable feature-name command can be used to disable a trap
function of a module.
Step 4 Run:
snmp-agent trap source interface-type interface-number

The source interface for trap messages is specified.


After the source interface is specified, its IP address is used as the source IP address of trap messages. Using the local loopback interface as the source interface is recommended: its address does not change when a physical interface goes down, so the NM station sees the device under one stable address and can restrict the source addresses from which it accepts traps.
The source address configured on the Switch must be the one the NM station expects; otherwise, the NM station discards the trap messages sent from the Switch.
Step 5 Run:
snmp-agent trap queue-size size

The length of the queue storing trap messages to be sent to the destination host is set.
The queue length depends on the number of generated trap messages. If the Switch frequently
generates trap messages, a longer queue length can be set to prevent trap messages from being
lost.
Step 6 Run:
snmp-agent trap life seconds

The lifetime of every trap message is set.


The lifetime of every trap message depends on the number of generated trap messages. If the
Switch frequently generates trap messages, a longer lifetime can be set for every trap message
to prevent trap messages from being lost.
----End

Checking the Configuration


After SNMPv3 functions are configured, you can view the SNMPv3 configurations.

Prerequisites
The configurations of basic SNMPv3 functions are complete.

Procedure
l Run the display snmp-agent usm-user [ engineid engineid | group group-name | username user-name ]* command to check user information.
l Run the display snmp-agent sys-info version command to check the enabled SNMP version.
l Run the display acl acl-number command to check the rules in the specified ACL.
l Run the display snmp-agent mib-view command to check the MIB view.
l Run the display snmp-agent sys-info contact command to check the equipment administrator's contact information.
l Run the display snmp-agent sys-info location command to check the location of the device.
l Run the display snmp-agent target-host command to view information about all destination hosts, such as the IP addresses.
l Run the display snmp-agent trap command to view whether the Switch is enabled to send alarms to the NM station.
l Run the display snmp-agent statistics command to view the statistics of SNMP packets.
l Run the display snmp-agent extend error-code status command to check whether the SNMP extended error code feature is enabled.

----End

10.1.5 SNMP Configuration Examples


This section provides several configuration examples of SNMP. The configuration roadmap in
the examples will help you understand the configuration procedures. Each configuration
example provides information about the networking requirements, configuration notes, and
configuration roadmap.

Example for Configuring a Device to Communicate with an NM Station by Using SNMPv1
This section provides an example to describe how to configure a device to communicate with
an NM station by using SNMPv1 and how to specify the MIB objects that can be managed by
the NM station.

Networking Requirements
As shown in Figure 10-4, two NM stations (NMS1 and NMS2) and the Switch are connected across a public network. According to the network planning, NMS2 can manage every MIB object except HGMP on the Switch, and NMS1 does not manage the Switch.
On the Switch, only the modules that are enabled by default are allowed to send alarms to NMS2. This prevents an excess of unwanted alarms from being sent to NMS2; excessive alarms make fault location difficult.
Equipment administrator's contact information needs to be configured on the Switch. This allows the NMS administrator to contact the equipment administrator quickly if a fault occurs.
Figure 10-4 Networking diagram for configuring a device to communicate with an NM station by using SNMPv1 (image not reproduced): NMS1 (1.1.1.1/24) and NMS2 (1.1.1.2/24) reach the Switch across an IP network; the Switch connects through GE0/0/1 (VLANIF100, 1.1.2.1/24).
Configuration Roadmap
The configuration roadmap is as follows:
1. Enable the SNMP agent.
2. Configure the Switch to run SNMPv1.
3. Configure an ACL and a MIB view so that NMS2 can manage every MIB object except HGMP on the Switch and NMS1 is denied.
4. Configure the trap function to allow the Switch to send alarms to NMS2.
5. Configure the equipment administrator's contact information on the Switch.
6. Configure NMS2.

Data Preparation
To complete the configuration, you need the following data:
l SNMP version
l Community name
l ACL number
l IP address of the NM station
l Length of the trap packet queue
l Lifetime of trap packets
l Equipment administrator's contact information

Procedure
Step 1 Configure available routes between the Switch and the NM stations. Details for the configuration
procedure are not provided here.
Step 2 Enable the SNMP agent.
<Quidway> system-view
[Quidway] snmp-agent

Step 3 Configure the Switch to run SNMPv1.


[Quidway] snmp-agent sys-info version v1

# Check the configured SNMP version.
[Quidway] display snmp-agent sys-info version
SNMP version running in the system:
SNMPv1 SNMPv3
SNMPv3 remains enabled alongside SNMPv1, as the sys-info version v1 v3 line in the configuration file at the end of this example also shows.

Step 4 Configure the NM stations' access rights.


# Configure an ACL to allow NMS2 to manage and disallow NMS1 from managing the
Switch.
[Quidway] acl 2001
[Quidway-acl-basic-2001] rule 5 permit source 1.1.1.2 0.0.0.0
[Quidway-acl-basic-2001] rule 6 deny source 1.1.1.1 0.0.0.0
[Quidway-acl-basic-2001] quit

# Configure a MIB view and allow NMS2 to manage every MIB object except HGMP on the
Switch.
[Quidway] snmp-agent mib-view included allexthgmp iso
[Quidway] snmp-agent mib-view excluded allexthgmp 1.3.6.1.4.1.2011.6.7

# Configure a community name to allow NMS2 to manage the objects in the MIB view.
[Quidway] snmp-agent community write adminnms2 mib-view allexthgmp acl 2001

Step 5 Configure the trap function.
[Quidway] snmp-agent trap enable
[Quidway] snmp-agent target-host trap address udp-domain 1.1.1.2 params securityname 1.1.3.1
[Quidway] snmp-agent trap source Loopback0
[Quidway] snmp-agent trap queue-size 200
[Quidway] snmp-agent trap life 60
For SNMPv1 traps, the securityname is carried as the community name in the trap, so NMS2 must be configured to accept it.

Step 6 Configure the equipment administrator's contact information.


[Quidway] snmp-agent sys-info contact call Operator at 010-12345678

Step 7 Configure NMS2.


For details on how to configure NMS2, see the relevant NMS configuration guide.
Step 8 Verify the configuration.
After the configurations are complete, run the following commands to verify that the
configurations have taken effect.
# Check information about the SNMP community name.
<Quidway> display snmp-agent community
Community name:adminnms2
Group name:adminnms2
Acl:2001
Storage-type: nonVolatile

# Check the configured ACL.


<Quidway> display acl 2001
Basic ACL 2001, 2 rules
Acl's step is 5
rule 5 permit source 1.1.1.2 0
rule 6 deny source 1.1.1.1 0

# Check the MIB view.


<Quidway> display snmp-agent mib-view viewname allexthgmp
View name:allexthgmp
MIB Subtree:hwCluster
Subtree mask:FF80(Hex)
Storage-type: nonVolatile
View Type:excluded
View status:active

# Check the target host.
<Quidway> display snmp-agent target-host
Target-host NO. 1
-----------------------------------------------------------
IP-address       : 1.1.1.2
Source interface :
VPN instance     :
Security name    : 1.1.3.1
Port             : 162
Type             : trap
Version          : v1
Level            : No authentication and privacy
NMS type         : NMS
With ext-vb      : No
-----------------------------------------------------------

# When an alarm is generated, run the display trapbuffer command to view the details.
<Quidway> display trapbuffer
Trapping buffer configuration and contents : enabled
Allowed max buffer size : 1024
Actual buffer size : 256
Channel number : 3 , Channel name : trapbuffer
Dropped messages : 0
Overwritten messages : 0
Current messages : 98
#Oct 11 2010 18:57:59 RouterA DS/4/DATASYNC_CFGCHANGE:OID 1.3.6.1.4.1.2011
.5.25.191.3.1 configurations have been changed. The current change number is 95,
the change loop count is 0, and the maximum number of records is 4095.

# Check the equipment administrator's contact information.


<Quidway> display snmp-agent sys-info contact
The contact person for this managed node:
call Operator at 010-12345678

----End

Configuration Files
Configuration file of the Switch
#
vlan batch 100
#
acl number 2001
rule 5 permit source 1.1.1.2 0
rule 6 deny source 1.1.1.1 0
#
interface Vlanif100
ip address 1.1.2.1 255.255.255.0
#
interface GigabitEthernet0/0/1
port hybrid pvid vlan 100
port hybrid untagged vlan 100
#
interface LoopBack0
ip address 1.1.3.1 255.255.255.255
#
ospf 1
area 0.0.0.0
network 1.1.2.0 0.0.0.255
network 1.1.3.1 0.0.0.0
#
snmp-agent
snmp-agent local-engineid 000007DB7FFFFFFF00001AA7
snmp-agent community write adminnms2 mib-view allexthgmp acl 2001
snmp-agent sys-info contact call Operator at 010-12345678
snmp-agent sys-info version v1 v3
snmp-agent target-host trap address udp-domain 1.1.1.2 params securityname 1.1.3.1
snmp-agent mib-view included allexthgmp iso
snmp-agent mib-view excluded allexthgmp hwCluster
snmp-agent trap source LoopBack0
snmp-agent trap queue-size 200
snmp-agent trap life 60
snmp-agent trap enable
#
return
Example for Configuring a Device to Communicate with an NM Station by Using SNMPv2c
This section provides an example to describe how to configure a device to communicate with
an NM station by using SNMPv2c and how to specify the MIB objects that can be managed by
the NM station.

Networking Requirements
As shown in Figure 10-5, two NM stations (NMS1 and NMS2) and the Switch are connected across a public network. According to the network planning, NMS2 can manage every MIB object except HGMP on the Switch, and NMS1 does not manage the Switch.
On the Switch, only the modules that are enabled by default are allowed to send alarms to NMS2. This prevents an excess of unwanted alarms from being sent to NMS2; excessive alarms make fault location difficult. Because alarms sent by the Switch have to travel across the public network to reach NMS2, informs are used instead of traps: an inform is acknowledged by the NM station and retransmitted by the Switch if no acknowledgement arrives, so alarm delivery is reliable.
Equipment administrator's contact information needs to be configured on the Switch. This allows the NMS administrator to contact the equipment administrator quickly if a fault occurs.
Figure 10-5 Networking diagram for configuring a device to communicate with an NM station by using SNMPv2c (image not reproduced): NMS1 (1.1.1.1/24) and NMS2 (1.1.1.2/24) reach the Switch across an IP network; the Switch connects through GE0/0/1 (VLANIF100, 1.1.2.1/24).

Configuration Roadmap
The configuration roadmap is as follows:
1. Enable the SNMP agent.
2. Configure the Switch to run SNMPv2c.
3. Configure an ACL and a MIB view so that NMS2 can manage every MIB object except HGMP on the Switch and NMS1 is denied.
4. Configure the Switch to send informs to NMS2 to ensure alarm sending reliability.
5. Configure the equipment administrator's contact information on the Switch.
6. Configure NMS2.

Data Preparation
To complete the configuration, you need the following data:
l SNMP version
l Community name
l ACL number
l IP address of the NM station
l Inform alarm timeout interval
l Number of retransmission attempts for an inform alarm
l Maximum number of pending inform alarms
l Aging time of trap logs
l Equipment administrator's contact information

Procedure
Step 1 Configure available routes between the Switch and the NM stations. Details for the configuration
procedure are not provided here.
Step 2 Enable the SNMP agent.
<Quidway> system-view
[Quidway] snmp-agent

Step 3 Configure the Switch to run SNMPv2c.


[Quidway] snmp-agent sys-info version v2c

# Check the configured SNMP version.
[Quidway] display snmp-agent sys-info version
SNMP version running in the system:
SNMPv2c SNMPv3
SNMPv3 remains enabled alongside SNMPv2c, as the sys-info version v2c v3 line in the configuration file at the end of this example also shows.

Step 4 Configure the NM stations' access rights.


# Configure an ACL to allow NMS2 to manage and disallow NMS1 from managing the
Switch.
[Quidway] acl 2001
[Quidway-acl-basic-2001] rule 5 permit source 1.1.1.2 0.0.0.0
[Quidway-acl-basic-2001] rule 6 deny source 1.1.1.1 0.0.0.0
[Quidway-acl-basic-2001] quit

# Configure a MIB view.


[Quidway] snmp-agent mib-view included allexthgmp iso
[Quidway] snmp-agent mib-view excluded allexthgmp 1.3.6.1.4.1.2011.6.7

# Configure a community name to allow NMS2 to manage the objects in the MIB view.
[Quidway] snmp-agent community write adminnms2 mib-view allexthgmp acl 2001

Step 5 Configure the Switch to send informs.
[Quidway] snmp-agent trap enable
[Quidway] snmp-agent target-host inform address udp-domain 1.1.1.2 params securityname 1.1.2.1 v2c
[Quidway] snmp-agent inform timeout 15 resend-times 3 pending 39
[Quidway] snmp-agent notification-log enable
[Quidway] snmp-agent notification-log global-ageout 12
Step 6 Configure the equipment administrator's contact information.


[Quidway] snmp-agent sys-info contact call Operator at 010-12345678

Step 7 Configure NMS2.


For details on how to configure NMS2, see the relevant NMS configuration guide.
Step 8 Verify the configuration.
After the configurations are complete, run the following commands to verify that the
configurations have taken effect.
# Check information about the SNMP community name.
<Quidway> display snmp-agent community
Community name:adminnms2
Group name:adminnms2
Acl:2001
Storage-type: nonVolatile

# Check the configured ACL.


<Quidway> display acl 2001
Basic ACL 2001, 2 rules
Acl's step is 5
rule 5 permit source 1.1.1.2 0
rule 6 deny source 1.1.1.1 0

# Check the MIB view.


<Quidway> display snmp-agent mib-view viewname allexthgmp
View name:allexthgmp
MIB Subtree:hwCluster
Subtree mask:FF80(Hex)
Storage-type: nonVolatile
View Type:excluded
View status:active

# Check the target host.
<Quidway> display snmp-agent target-host
Target-host NO. 1
-----------------------------------------------------------
IP-address       : 1.1.1.2
Source interface :
VPN instance     :
Security name    : 1.1.2.1
Port             : 162
Type             : inform
Version          : v2c
Level            : No authentication and privacy
NMS type         : NMS
With ext-vb      : No
-----------------------------------------------------------

# When an alarm is generated, run the display trapbuffer command to view the details.
<Quidway> display trapbuffer
Trapping buffer configuration and contents : enabled
Allowed max buffer size : 1024
Actual buffer size : 256
Channel number : 3 , Channel name : trapbuffer
Dropped messages : 0
Overwritten messages : 0
Current messages : 98
#Oct 11 2010 18:57:59 RouterA DS/4/DATASYNC_CFGCHANGE:OID 1.3.6.1.4.1.2011
.5.25.191.3.1 configurations have been changed. The current change number is 95,
the change loop count is 0, and the maximum number of records is 4095.

# Check the equipment administrator's contact information.


<Quidway> display snmp-agent sys-info contact
The contact person for this managed node:
call Operator at 010-12345678

----End

Configuration Files
Configuration file of the Switch
#
vlan batch 100
#
acl number 2001
rule 5 permit source 1.1.1.2 0
rule 6 deny source 1.1.1.1 0
#
interface Vlanif100
ip address 1.1.2.1 255.255.255.0
#
interface GigabitEthernet0/0/1
port hybrid pvid vlan 100
port hybrid untagged vlan 100
#
ospf 1
area 0.0.0.0
network 1.1.2.0 0.0.0.255
#
snmp-agent
snmp-agent local-engineid 000007DB7FFFFFFF00001AA7
snmp-agent community write adminnms2 mib-view allexthgmp acl 2001
snmp-agent sys-info contact call Operator at 010-12345678
snmp-agent sys-info version v2c v3
snmp-agent target-host inform address udp-domain 1.1.1.2 params securityname
1.1.2.1 v2c
snmp-agent mib-view included allexthgmp iso
snmp-agent mib-view excluded allexthgmp hwCluster
snmp-agent notification-log enable
snmp-agent notification-log global-ageout 12
snmp-agent trap enable
#
return

Example for Configuring a Device to Communicate with an NM Station by Using SNMPv3
This section provides an example to describe how to configure a device to communicate with
an NM station by using SNMPv3 and how to specify the MIB objects that can be managed by
the NM station.

Networking Requirements
As shown in Figure 10-6, two NM stations (NMS1 and NMS2) and the Switch are connected across a public network. According to the network planning, NMS2 can manage every MIB object except HGMP on the Switch, and NMS1 does not manage the Switch.
On the Switch, only the modules that are enabled by default are allowed to send alarms to NMS2. This prevents an excess of unwanted alarms from being sent to NMS2; excessive alarms make fault location difficult.
The data transmitted between NMS2 and the Switch needs to be encrypted and the NMS
administrator needs to be authenticated because the data has to travel across the public network.
Equipment administrator's contact information needs to be configured on the Switch. This allows
the NMS administrator to contact the equipment administrator quickly if a fault occurs.
Figure 10-6 Networking diagram for configuring a device to communicate with an NM station by using SNMPv3 (image not reproduced): NMS1 (1.1.1.1/24) and NMS2 (1.1.1.2/24) reach the Switch across an IP network; the Switch connects through GE0/0/1 (VLANIF100, 1.1.2.1/24).

Configuration Roadmap
The configuration roadmap is as follows:
1. Enable the SNMP agent.
2. Configure the Switch to run SNMPv3.
3. Configure an ACL and a MIB view so that NMS2 can manage every MIB object except HGMP on the Switch, and configure authentication and encryption for the SNMPv3 user.
4. Configure the trap function to allow the Switch to send alarms to NMS2.
5. Configure the equipment administrator's contact information on the Switch.
6. Configure NMS2.

Data Preparation
To complete the configuration, you need the following data:
l SNMP version
l User group name
l User name and password
l Authentication and encryption algorithms
l ACL number
l IP address of the NM station
l Equipment administrator's contact information

Procedure
Step 1 Configure available routes between the Switch and the NM stations. Details for the configuration
procedure are not provided here.
Step 2 Enable the SNMP agent.
<Quidway> system-view
[Quidway] snmp-agent

Step 3 Configure the Switch to run SNMPv3.


[Quidway] snmp-agent sys-info version v3

# Check the configured SNMP version.


[Quidway] display snmp-agent sys-info version
SNMP version running in the system:
SNMPv3

Step 4 Configure the NM stations' access rights.


# Configure an ACL to allow NMS2 to manage and disallow NMS1 from managing the
Switch.
[Quidway] acl 2001
[Quidway-acl-basic-2001] rule 5 permit source 1.1.1.2 0.0.0.0
[Quidway-acl-basic-2001] rule 6 deny source 1.1.1.1 0.0.0.0
[Quidway-acl-basic-2001] quit

# Configure a MIB view.


[Quidway] snmp-agent mib-view included testview iso
[Quidway] snmp-agent mib-view excluded testview 1.3.6.1.4.1.2011.6.7

# Configure an SNMPv3 user group and add a user to the group, and configure authentication
for the NMS administrator and encryption for the data transmitted between the Switch and
NMS2.
[Quidway] snmp-agent group v3 testgroup privacy write-view testview notify-view
testview acl 2001
[Quidway] snmp-agent usm-user v3 testuser testgroup authentication-password md5
87654321 privacy-password des56 87654321

Step 5 Configure the trap function.


[Quidway] snmp-agent trap enable
[Quidway] snmp-agent target-host trap address udp-domain 1.1.1.2 params
securityname testuser v3
[Quidway] snmp-agent trap source LOOPBACK 0
[Quidway] snmp-agent trap queue-size 200
[Quidway] snmp-agent trap life 60

Step 6 Configure the equipment administrator's contact information.


[Quidway] snmp-agent sys-info contact call Operator at 010-12345678

Step 7 Configure NMS2.


For details on how to configure NMS2, see the relevant NMS configuration guide.
Step 8 Verify the configuration.
After the configurations are complete, run the following commands to verify that the
configurations have taken effect.
# Check information about the user group.
<Quidway> display snmp-agent group testgroup
Group name: testgroup
Security model: v3 AuthPriv
Readview: ViewDefault
Writeview: testview
Notifyview: testview
Storage-type: nonVolatile
Acl:2001
Readview is ViewDefault because no read-view was specified in Step 4. ViewDefault covers 1.3.6.1, which contains hwCluster, so testuser can still read the HGMP objects; only writes and notifications are limited to testview. Specify read-view testview in the snmp-agent group command if reads must be limited as well.

# Check information about the user.


<Quidway> display snmp-agent usm-user
User name: testuser
Engine ID: 000007DB7F00000100004C3F active

# Check the configured ACL.


<Quidway> display acl 2001
Basic ACL 2001, 2 rules
Acl's step is 5
rule 5 permit source 1.1.1.2 0
rule 6 deny source 1.1.1.1 0

# Check the MIB view.


<Quidway> display snmp-agent mib-view viewname testview
View name:testview
MIB Subtree:iso
Subtree mask:80(Hex)
Storage-type: nonVolatile
View Type:included
View status:active
View name:testview
MIB Subtree:hwCluster
Subtree mask:FF80(Hex)
Storage-type: nonVolatile
View Type:excluded
View status:active

# Check the target host.
<Quidway> display snmp-agent target-host
Target-host NO. 1
-----------------------------------------------------------
IP-address       : 1.1.1.2
Source interface :
VPN instance     :
Security name    : testuser
Port             : 162
Type             : trap
Version          : v3
Level            : No authentication and privacy
NMS type         : NMS
With ext-vb      : No
-----------------------------------------------------------
Level is "No authentication and privacy" because the snmp-agent target-host command in Step 5 did not specify a security level: traps to NMS2 are sent without authentication or encryption even though testuser is an authPriv user. Requests from NMS2 are still protected, because the group requires privacy. If the traps themselves must be protected, configure the authentication or privacy level in the snmp-agent target-host command; see the command reference.

# When an alarm is generated, run the display trapbuffer command to view the details.
<Quidway> display trapbuffer
Trapping buffer configuration and contents : enabled
Allowed max buffer size : 1024
Actual buffer size : 256
Channel number : 3 , Channel name : trapbuffer
Dropped messages : 0
Overwritten messages : 0
Current messages : 98

#Oct 11 2010 18:57:59 RouterA DS/4/DATASYNC_CFGCHANGE:OID 1.3.6.1.4.1.2011
.5.25.191.3.1 configurations have been changed. The current change number is 95,
the change loop count is 0, and the maximum number of records is 4095.

# Check the equipment administrator's contact information.


<Quidway> display snmp-agent sys-info contact
The contact person for this managed node:
call Operator at 010-12345678

----End

Configuration Files
Configuration file of the Switch
#
vlan batch 100
#
acl number 2001
rule 5 permit source 1.1.1.2 0
rule 6 deny source 1.1.1.1 0
#
interface Vlanif100
ip address 1.1.2.1 255.255.255.0
#
interface GigabitEthernet0/0/1
port hybrid pvid vlan 100
port hybrid untagged vlan 100
#
interface LoopBack0
ip address 1.1.3.1 255.255.255.255
#
ospf 1
area 0.0.0.0
network 1.1.2.0 0.0.0.255
network 1.1.3.1 0.0.0.0
#
snmp-agent
snmp-agent local-engineid 000007DB7FFFFFFF000004A7
snmp-agent sys-info contact call Operator at 010-12345678
snmp-agent sys-info version v3
snmp-agent group v3 testgroup privacy write-view testview notify-view testview
acl 2001
snmp-agent target-host trap address udp-domain 1.1.1.2 params securityname
testuser v3
snmp-agent mib-view included testview iso
snmp-agent mib-view excluded testview hwCluster
snmp-agent usm-user v3 testuser testgroup authentication-password md5 N'!2Z[^HZ0T&P'@XIM=F#Q!! privacy-password des56 N'!2Z[^HZ0T&P'@XIM=F#Q!!
snmp-agent trap source LoopBack0
snmp-agent trap queue-size 200
snmp-agent trap life 60
snmp-agent trap enable
#
return
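The configuration file stores testuser's passwords in an encoded form, and the agent identifies itself by the local engine ID shown above. What the agent uses on the wire is neither: it is a key derived from the password and then bound to the engine ID. The following Python script is an added example (not Huawei code) that performs that derivation as specified in RFC 3414 (appendix A.2 for password-to-key, section 2.6 for localization), using the RFC's own test vector so the result can be checked. The engine IDs 000007DB7FFFFFFF000004A7 and 000007DB7FFFFFFF00001AA7 and the password 87654321 from the examples on this page are passed through only to show that the same password yields a different localized key on each device. MD5 and DES, the md5 and des56 keywords used above, are the weakest algorithms the USM defines; prefer SHA-based authentication and AES privacy where the software supports them.

```python
"""Added example: how an SNMPv3 USM password becomes the key the agent uses.

Not Huawei code. Follows RFC 3414: Ku = H(password repeated to 1 MiB),
Kul = H(Ku || snmpEngineID || Ku). Kul, not the password, authenticates
and encrypts packets, and it differs per engine ID.
"""
import hashlib

ONE_MIB = 1048576


def password_to_key(password: bytes, algorithm: str = "md5") -> bytes:
    """Ku (RFC 3414 A.2): digest of the password repeated cyclically to 1 MiB."""
    if not password:
        raise ValueError("empty password")
    stream = (password * (ONE_MIB // len(password) + 1))[:ONE_MIB]
    return hashlib.new(algorithm, stream).digest()


def localize_key(ku: bytes, engine_id: bytes, algorithm: str = "md5") -> bytes:
    """Kul (RFC 3414 2.6): bind the user key to one agent's snmpEngineID."""
    return hashlib.new(algorithm, ku + engine_id + ku).digest()


def usm_keys(password: str, engine_id_hex: str, algorithm: str = "md5") -> dict:
    """Return Ku and Kul as hex, plus the DES key and pre-IV cut from Kul.

    RFC 3414 section 8.1.1.1: the first 8 octets of the 16-octet privacy key
    are the DES key, the last 8 octets the pre-IV used for CBC mode.
    """
    ku = password_to_key(password.encode(), algorithm)
    kul = localize_key(ku, bytes.fromhex(engine_id_hex), algorithm)
    return {
        "ku": ku.hex(),
        "kul": kul.hex(),
        "des_key": kul[:8].hex(),
        "des_pre_iv": kul[8:16].hex(),
    }


if __name__ == "__main__":
    # RFC 3414 A.3.1 test vector: password "maplesyrup", engine ID 00..02.
    print(usm_keys("maplesyrup", "000000000000000000000002"))
    # The password from the page, localized to the two engine IDs the page shows.
    for engine_id in ("000007DB7FFFFFFF000004A7", "000007DB7FFFFFFF00001AA7"):
        print(engine_id, usm_keys("87654321", engine_id)["kul"])
```

Two consequences follow for operations: an NM station must learn each agent's engine ID (it does so in the discovery exchange) before it can authenticate to it, and a localized key captured from one device does not work against another device that shares the password, although the password itself does.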

10.2 LLDP Configuration


This chapter describes the LLDP concept, configuration procedures, and configuration
examples.

10.2.1 Introduction to LLDP


The Link Layer Discovery Protocol (LLDP) is a Layer 2 discovery protocol defined in the IEEE
802.1AB standard.

Background
Currently, the Ethernet technology is widely used in the network. Compared with small-scale
networks, large-scale networks require that the network management system (NMS) have more
functions and higher processing capability. For example, the NMS needs to obtain the topology
of connected devices and configuration conflicts between devices.
Currently, many NMSs use the automated discovery function to trace the topology changes.
However, most of them at best analyze the Layer 3 network topology and group devices into
different IP subnets. These NMSs provide only the data concerning the basic events such as
adding or deleting of devices, but do not determine the connected interfaces between devices or
obtain information about configuration conflicts.
The Layer 2 discovery protocol precisely discovers the interfaces on each device and obtains
connection information between devices. In addition, it displays the paths between clients,
switches, routers, application servers, and network servers. The Layer 2 information helps you
quickly know the device topology, detect configuration conflicts between devices, and locate
network faults.
LLDP is the Layer 2 discovery protocol defined in the IEEE 802.1AB standard.

LLDP working mechanism

Figure 10-7 LLDP diagram (image not reproduced): the LLDP agent exchanges LLDP frames with neighbors through LLDP/LSAP; it fills the LLDP local system MIB with local device information drawn from the PTOPO MIB, Entity MIB, Interface MIB and other MIBs (all optional), and stores remote device information in the LLDP remote system MIB. Organizationally defined local and remote device LLDP MIB extensions are optional.
LLDP is implemented through these MIBs:
l The LLDP module updates the LLDP local system MIB and its own extended MIB (Organizationally defined local device LLDP MIB extension in the figure) by interacting with the PTOPO MIB, Entity MIB, Interface MIB, and other MIBs.
l The LLDP module sends LLDP packets carrying its own information to the peer device through the interface connected to the peer device.
l The LLDP module receives LLDP packets from the peer device and updates the LLDP remote system MIB stored on the local device.
By querying these MIBs, the device obtains neighbor information, including the remote interface connected to the local device and the bridge MAC address of the peer device.

MIB
Management information bases (MIBs) are classified into the LLDP local system MIB and the LLDP remote system MIB.
l LLDP local system MIB: stores information about the local device, including the device ID, port ID, system name, system description, port description, system capabilities, and management address.
l LLDP remote system MIB: stores information about neighbor devices, including the device ID, port ID, system name, system description, port description, system capabilities, and management address.

LLDP Agent
An LLDP agent manages LLDP operations for an interface. It performs the following operations:
l Maintains information in the LLDP local system MIB.
l Sends LLDP local system MIB information to neighbor devices when the status of the local device changes, and at regular intervals while the status is unchanged.
l Identifies and processes received LLDP packets.
l Maintains information in the LLDP remote system MIB.
l Sends LLDP traps to the NMS when information in the LLDP local system MIB or the LLDP remote system MIB changes.

LLDP Management Address


The LLDP management address (short for management address) is used by the NMS to identify
the AC6605 and implement network management. A management address identifies a device.
It makes the network topology clear and facilitates network management. The management
address is carried in the Management Address Type-Length-Value (TLV) field of an LLDP
packet to be transmitted to neighbor devices.

LLDP Trap
When information in the LLDP local system MIB or the LLDP remote system MIB changes, the device sends traps to the NMS, requesting the NMS to update the topology. The information changes include:
l Change of global LLDP status
l Change of local management address
l Change of neighbor information, excluding a change of the neighbor management address
The LLDP trap function applies to all interfaces.

LLDP Packet
Figure 10-8 shows the LLDP packet format.
Figure 10-8 LLDP packet format (image not reproduced): DA | SA | LLDP Ethertype | LLDPDU | FCS
l DA: destination address of the LLDP packet. It is the multicast address 01-80-C2-00-00-0E.
l SA: bridge MAC address of the sending device, that is, of the neighbor from the receiver's point of view.
l LLDP Ethertype: identifies the frame as an LLDP packet to be handed to the LLDP module. The value of this field is 0x88CC.
l LLDPDU: LLDP data unit, the main content of an LLDP packet.
l FCS: Frame Check Sequence.
The LLDPDU carries the Layer 2 information discovered by the device, so it is the most important part of the LLDP packet.
Figure 10-9 shows the LLDPDU structure.
Figure 10-9 LLDPDU structure

The basic unit in the LLDPDU is the TLV:
l T: information type
l L: information length
l V: content value

The LLDPDU carries different types of TLVs to meet the LLDP interaction requirements. The
device sends or receives the local and remote information by using these TLVs.
The LLDPDU starts with Chassis ID TLV, Port ID TLV, and Time to Live TLV, and ends with
End of LLDPDU TLV; therefore, these four TLVs are mandatory for an LLDPDU. The other
TLVs are optional. The device can add and remove the optional TLVs.
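The frame layout and mandatory-TLV ordering described above, as an added example that is not part of the original guide or of Huawei's code: a small Python encoder and decoder for an LLDPDU. It builds the frame the way a switch would (DA 01-80-C2-00-00-0E, Ethertype 0x88CC, then Chassis ID, Port ID, Time to Live, System Name and Management Address TLVs, closed by End of LLDPDU) and parses it back, rejecting a TLV whose length field runs past the end of the frame or an LLDPDU that does not start with the three mandatory TLVs. The TLV type numbers and subtypes come from IEEE 802.1AB; the MAC address, interface name, system name and 10.10.10.1 are sample values chosen for this example.

```python
"""LLDP frame encoder/decoder following the layout in the section above.
Added example, not Huawei code; TLV numbering is from IEEE 802.1AB."""
import struct

LLDP_MULTICAST_DA = bytes.fromhex("0180c200000e")  # 01-80-C2-00-00-0E
LLDP_ETHERTYPE = 0x88CC

# Basic management TLV types (IEEE 802.1AB)
TLV_END, TLV_CHASSIS_ID, TLV_PORT_ID, TLV_TTL = 0, 1, 2, 3
TLV_SYSTEM_NAME, TLV_MGMT_ADDR = 5, 8


def _mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", "").replace("-", ""))


def _mac_text(raw):
    """Format six raw bytes in the xxxx-xxxx-xxxx style of VRP displays."""
    h = raw.hex()
    return f"{h[:4]}-{h[4:8]}-{h[8:12]}"


def tlv(tlv_type, value):
    """One TLV: 7-bit type and 9-bit length in a 16-bit header, then the value."""
    if not 0 <= tlv_type < 128 or len(value) > 511:
        raise ValueError("TLV type or length out of range")
    return struct.pack("!H", (tlv_type << 9) | len(value)) + value


def build_frame(src_mac, port_name, ttl_seconds, sys_name, mgmt_ip):
    """Ethernet frame without FCS: DA, SA, Ethertype, then the LLDPDU."""
    lldpdu = (
        tlv(TLV_CHASSIS_ID, b"\x04" + _mac_bytes(src_mac))      # subtype 4: MAC address
        + tlv(TLV_PORT_ID, b"\x05" + port_name.encode())       # subtype 5: interface name
        + tlv(TLV_TTL, struct.pack("!H", ttl_seconds))
        + tlv(TLV_SYSTEM_NAME, sys_name.encode())
        # Management Address TLV: address length (1 subtype byte + 4), subtype 1 = IPv4,
        # the address, interface numbering subtype 1 (unknown), ifIndex 0, OID length 0
        + tlv(TLV_MGMT_ADDR, b"\x05\x01" + bytes(int(o) for o in mgmt_ip.split("."))
              + b"\x01" + struct.pack("!I", 0) + b"\x00")
        + tlv(TLV_END, b"")
    )
    return LLDP_MULTICAST_DA + _mac_bytes(src_mac) + struct.pack("!H", LLDP_ETHERTYPE) + lldpdu


def parse_frame(frame):
    """Decode a frame into a dict; raise ValueError if the LLDPDU is malformed."""
    if len(frame) < 14:
        raise ValueError("frame too short")
    if frame[:6] != LLDP_MULTICAST_DA or struct.unpack("!H", frame[12:14])[0] != LLDP_ETHERTYPE:
        raise ValueError("not an LLDP frame")
    tlvs, pos = [], 14
    while True:
        if pos + 2 > len(frame):
            raise ValueError("truncated TLV header or missing End of LLDPDU TLV")
        header = struct.unpack("!H", frame[pos:pos + 2])[0]
        t, length = header >> 9, header & 0x1FF
        value = frame[pos + 2:pos + 2 + length]
        if len(value) != length:           # length field points past the end of the frame
            raise ValueError("TLV length exceeds frame")
        tlvs.append((t, value))
        pos += 2 + length
        if t == TLV_END:
            if length != 0:
                raise ValueError("End of LLDPDU TLV must be empty")
            break
    if [t for t, _ in tlvs[:3]] != [TLV_CHASSIS_ID, TLV_PORT_ID, TLV_TTL]:
        raise ValueError("mandatory TLVs missing or out of order")
    result = {"sa": _mac_text(frame[6:12]), "tlv_types": [t for t, _ in tlvs]}
    for t, v in tlvs:
        if t == TLV_CHASSIS_ID and v[:1] == b"\x04" and len(v) == 7:
            result["chassis_id"] = _mac_text(v[1:])
        elif t == TLV_PORT_ID and v[:1] == b"\x05":
            result["port_id"] = v[1:].decode(errors="replace")
        elif t == TLV_TTL:
            if len(v) != 2:
                raise ValueError("bad Time to Live TLV")
            result["ttl"] = struct.unpack("!H", v)[0]
        elif t == TLV_SYSTEM_NAME:
            result["system_name"] = v.decode(errors="replace")
        elif t == TLV_MGMT_ADDR and v[:2] == b"\x05\x01" and len(v) >= 6:
            result["mgmt_addr"] = ".".join(str(b) for b in v[2:6])
    return result


def is_well_formed(frame):
    try:
        parse_frame(frame)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Sample values chosen for this example (SwitchA from the configuration example)
    f = build_frame("00e0-fc33-0011", "GigabitEthernet0/0/1", 120, "SwitchA", "10.10.10.1")
    print(parse_frame(f))
```

The parser stops at the End of LLDPDU TLV and refuses a length that exceeds the remaining bytes, which is the check a receiver needs because LLDP carries no authentication: on an interface facing untrusted equipment, every decoded field (chassis ID, management address, system name) is whatever the peer chose to send, so the per-interface undo lldp enable described later in this section is the control to use on such ports.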

10.2.2 LLDP Feature Supported by the AC6605


This section describes the usage scenarios of the LLDP feature and TLV types supported by the
AC6605.

Usage Scenario
The LLDP feature of the AC6605 is applicable to three types of networks.
The network where an interface has only one neighbor
The interfaces between two Switches or the interfaces between a Switch and a media endpoint
(ME) are directly connected, so each interface has only one neighbor. As shown in Figure
10-10, SwitchA is directly connected to SwitchB and ME. Each interface on SwitchA and
SwitchB has only one neighbor.
Figure 10-10 Each interface has only one neighbor
(Figure: the NMS reaches SwitchA over the Internet; SwitchA is directly connected to SwitchB
and to the ME.)

The network where an interface has multiple neighbors


The interfaces between two Switches are connected through an unknown network, so each
interface has multiple neighbors. As shown in Figure 10-11, SwitchA, SwitchB, and SwitchC
are connected through an unknown network. The devices on the unknown network may not have
the LLDP function or not be managed by the network management system (NMS); however,
they must have the ability to transparently transmit LLDP packets. On this network, each
interface of SwitchA, SwitchB, and SwitchC has multiple neighbors.

Figure 10-11 Each interface has multiple neighbors
(Figure: SwitchA (10.10.10.1), SwitchB (10.10.10.2), and SwitchC (10.10.10.3) exchange LLDPDUs
through an unknown network made up of SwitchD, SwitchE, and SwitchF; the NMS collects
information from the LLDP interfaces over SNMP.)

The network where link aggregation is configured


As shown in Figure 10-12, a link aggregation group is configured between the Switches. Each
interface in the link aggregation group has only one neighbor.
Figure 10-12 Link aggregation is configured on the network
(Figure: SwitchA and SwitchB are connected by an Eth-Trunk; the NMS is on the network side and
enterprise users attach to the switches.)
TLV Types Supported by the AC6605

Besides the mandatory TLVs (Chassis ID TLV, Port ID TLV, Time to Live TLV, and End of
LLDPDU TLV), the AC6605 supports the following optional TLVs.

l Basic TLVs

  Type                       Description
  Management Address TLV     Management IP address
  Port Description TLV       Interface description
  System Capabilities TLV    Capabilities of the local device, including:
                             l other: other capability
                             l repeater
                             l bridge
                             l wlanAccessPoint: wireless access point
                             l router
                             l telephone
                             l docsisCableDevice: DOCSIS cable device
                             l stationOnly: station only
  System Description TLV     Device description
  System Name TLV            Device name

l Organizationally Specific TLVs defined in IEEE 802.1

  Type                       Description
  Port VLAN TLV              VLAN ID of an interface
  Port Protocol VLAN TLV     Protocol VLAN ID of an interface
  VLAN Name TLV              VLAN name
  Protocol Identity TLV      Protocol types supported by an interface

l Organizationally Specific TLVs defined in IEEE 802.3

  Type                               Description
  EEE TLV                            Whether a port supports Energy-Efficient Ethernet (EEE)
  Link Aggregation TLV               Whether a port supports link aggregation and whether
                                     link aggregation is enabled on it
  MAC/PHY Configuration/Status TLV   Rate and duplex status of a port, whether
                                     auto-negotiation is supported, and whether
                                     auto-negotiation is enabled
  Maximum Frame Size TLV             Maximum frame length supported by a port, namely, the
                                     maximum transmission unit (MTU)
  Power Via MDI TLV                  Power capability of a port, for example, whether the
                                     port supports PoE and whether the port is a powering
                                     device or a powered device

l LLDP-MED TLVs

  Type                           Description
  LLDP-MED Capabilities TLV      MED type of a device and the types of LLDP-MED TLVs that
                                 can be encapsulated in an LLDPDU
  Inventory TLV                  Manufacturer of the device
  Location Identification TLV    Location identification, which identifies the location of
                                 the local device
  Network Policy TLV             VLAN ID, Layer 2 priority, and DSCP of a voice VLAN
  Extended Power-via-MDI TLV     Power capability of the device

By default, LLDP advertises all types of TLVs except the Location Identification TLV.

10.2.3 Configuring LLDP


This section describes how to configure LLDP.

Establishing the Configuration Task


Applicable Environment
The LLDP function on network devices allows the NMS to obtain device capabilities, device
topology, management addresses, device identifications, and interface identifications.

Pre-configuration Tasks
Before configuring LLDP, complete the following tasks:
l Configuring a reachable route between the Switch and the NMS and setting the SNMP
  parameters
l Configuring an LLDP management address

NOTE

The LLDP management address contained in an LLDP packet is used to identify a device. Therefore, the
management address of a device must be unique and easy to manage, for example, the IP address of the
management port. The IP address to be set as the management address must already exist on the device.
That is, this IP address must be configured before (Optional) Configuring an LLDP Management
Address.

Data Preparation
To configure LLDP, you need the following data.

No.  Data
1    IP address to be set as the LLDP management address
2    (Optional) Interval for sending LLDP packets
3    (Optional) Delay to send LLDP packets
4    (Optional) Hold time multiplier of device information stored on neighbors
5    (Optional) Delay to re-enable the LLDP function on an interface
6    (Optional) Delay to send neighbor change traps to the NMS

Enabling Global LLDP


After LLDP is enabled on the Switch and its neighbors, the Switch and its neighbors obtain
status information of each other by exchanging LLDP packets. The NMS obtains Layer 2
connection status from the Switch for network topology analysis.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
lldp enable

LLDP is enabled globally.


Step 3 Run:
interface interface-type interface-number

The interface view is displayed.


----End

(Optional) Disabling LLDP on an Interface


After global LLDP is enabled, all the interfaces on the device are enabled with LLDP. To disable
LLDP on some interfaces, run the undo lldp enable command on these interfaces.
Prerequisites
LLDP has been enabled globally.

Context
LLDP can be enabled in the system view and the interface view:
l After LLDP is enabled in the system view, all interfaces are enabled with LLDP.
l After LLDP is disabled in the system view, all LLDP settings are restored to the default
  settings except the LLDP trap setting. Therefore, LLDP is also disabled on all interfaces.
l An interface can send and receive LLDP packets only after LLDP is enabled in both the
  system view and the interface view.
l After LLDP is disabled globally, the commands for enabling and disabling LLDP on an
  interface do not take effect.
l If LLDP needs to be disabled on some interfaces, enable LLDP globally first, and then run
  the undo lldp enable command on these interfaces. To re-enable LLDP on these interfaces,
  run the lldp enable command in the views of these interfaces.
NOTE

l On an Eth-Trunk, LLDP can be enabled only on member interfaces. Member interfaces with
  LLDP enabled and member interfaces with LLDP disabled can coexist in the same Eth-Trunk.
l LLDP can be enabled and disabled only on physical interfaces such as Ethernet, GE, and XGE
  interfaces. Before enabling or disabling LLDP on an interface, ensure that LLDP has been
  enabled globally.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
interface interface-type interface-number

The interface view is displayed.


Step 3 Run:
undo lldp enable

LLDP is disabled on the interface.


----End

(Optional) Configuring an LLDP Management Address


The LLDP management address uniquely identifies a device on the NMS.

Prerequisites
LLDP has been enabled globally.
Context
If the configured management address is invalid or no management address is configured, the
system sets an IP address in the address list as the management address. The system selects the
IP address in the following priority order: loopback interface address, console port address, and
then VLANIF interface address. Among the IP addresses of the same type, the system selects
the smallest one. If the system does not find a management address, the bridge MAC address is
used as the management address.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
lldp management-address ip-address

The LLDP management address is configured.


The value of ip-address must be a valid unicast IP address existing on the device. Using the IP
address of the console port as the LLDP management address is recommended.
----End

(Optional) Configuring the TLV in the LLDPDU


The LLDPDUs contain different types of TLVs. The devices send and receive device
information by using these TLVs. The TLVs that can be encapsulated in an LLDP packet include
basic TLVs, organizationally specific TLVs, and TLVs related to media endpoint discovery
(MED).

Prerequisites
l LLDP has been enabled globally.
l LLDP has been enabled on the interfaces.

Context
To enable an interface to send the 802.3 Power via MDI TLV, run the lldp tlv-enable dot3-tlv
power command. The 802.3 Power via MDI TLV has the following formats:
l 802.1ab format: [TLV type | TLV information string length | 802.3 OUI | MDI power
  support | PSE power pair | power class]
l 802.3at format: [TLV type | TLV information string length | 802.3 OUI | MDI power support
  | PSE power pair | power class | type/source/priority | PD requested power value | PSE
  allocated power value]

Compared with the 802.1ab format, the 802.3at format adds three fields: type/source/priority,
PD requested power value, and PSE allocated power value.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
interface interface-type interface-number

The interface view is displayed.


Step 3 Run:
lldp tlv-enable { basic-tlv { all | management-address | port-description |
system-capability | system-description | system-name } | dot1-tlv { all | port-vlan-id |
protocol-vlan-id [ vlan-id ] | vlan-name [ vlan-id ] | protocol-identity } | dot3-tlv { all |
eee | link-aggregation | mac-physic | max-frame-size | power } | med-tlv { all | capability |
inventory | location-id { civic-address device-type country-code { ca-type ca-value }&<1-10>
| elin-address Tel-Number } | network-policy | power-over-ethernet } }

The TLVs supported by the interface are specified.


By default, LLDP advertises all types of TLVs except the Location Identification TLV.
NOTE

l When the TLVs supported by the device are basic TLVs, TLVs in the IEEE 802.1 format, and
  TLVs in the IEEE 802.3 format, the lldp tlv-enable command with the all parameter advertises
  all TLVs. When the supported TLVs are LLDP-MED TLVs, the lldp tlv-enable command with the
  all parameter advertises all TLVs except the Location Identification TLV.
l If the all parameter is not specified, only one type of TLV can be specified in each command.
  To send multiple types of TLVs, run the command multiple times.
l You can specify the other types of LLDP-MED TLVs only after specifying the LLDP-MED
  Capabilities TLV.
l To disable the LLDP-MED Capabilities TLV, you must disable the other types of LLDP-MED
  TLVs first.
l To disable the MAC/PHY Configuration/Status TLV, you must disable the LLDP-MED Capabilities
  TLV first.
l The 802.3 MAC/PHY Configuration/Status TLV is advertised automatically after the LLDP-MED
  Capabilities TLV is advertised.
l If you disable the LLDP-MED TLVs using the all keyword, the MAC/PHY Configuration/Status
  TLV is not disabled automatically.

Step 4 Run:
lldp dot3-tlv power { 802.1ab | 802.3at }

The standard with which the 802.3 Power via MDI TLV sent by the interface complies is set.
By default, the 802.3 Power via MDI TLV conforms to 802.1ab.
NOTE

Before selecting a format of the 802.3 Power via MDI TLV, you must know the TLV format supported by
the peer device. The TLV format on the local device must be also supported by the peer device.

----End

(Optional) Configuring LLDP Timers


The LLDP timers include interval for sending LLDP packets, delay to send LLDP packets, hold
time multiplier of device information stored on neighbors, delay to re-enable LLDP on an
interface, and delay to send neighbor change traps to the NMS.
Prerequisites
LLDP has been enabled globally.

Context
Interval for sending LLDP packets and delay to send LLDP packets
When the LLDP status of the device remains unchanged and the device does not discover new
neighbors, the interface module sends LLDP packets to the neighbors at a fixed interval. After
the LLDP transmission interval is set on the device, the LLDP-enabled interfaces send LLDP
packets to neighbors at this interval. The interfaces may send LLDP packets at different time
points. Set the LLDP transmission interval properly and adjust it according to the network
load.
l A long interval reduces the LLDP packet exchange frequency and thus saves system
  resources. However, if the interval is too long, the device cannot notify neighbors of its
  status in time, and the NMS cannot discover network topology changes in real time.
l A short interval increases the LLDP packet transmission frequency and enables the NMS
  to discover network topology changes in real time. However, if the interval is too short,
  LLDP packets are exchanged too frequently, which increases the system load and wastes
  resources.

When the device status changes frequently, there is a delay before the interface module sends
an LLDP packet to the neighbor. After the LLDP transmission delay is set on the device, the
LLDP-enabled interfaces send LLDP packets to neighbors after a delay that is equal to or
longer than the delay you specified. The interfaces may send LLDP packets at different time
points. If the device status changes frequently, extend the delay to prevent the device from
sending traps to the NMS too frequently. The delay suppresses network topology flapping. Set
the LLDP transmission delay properly and adjust it according to the network load.
l A long delay reduces the LLDP packet exchange frequency and thus saves system
  resources. However, if the delay is too long, the device cannot notify neighbors of its
  status in time, and the NMS cannot discover network topology changes in real time.
l A short delay increases the LLDP packet transmission frequency and enables the NMS to
  discover network topology changes in real time. However, if the delay is too short,
  LLDP packets are exchanged too frequently, which increases the system load and wastes
  resources.

Consider the value of delay when adjusting the value of interval, because interval is
restricted by delay.
l The value of interval ranges from 5 to 32768.
l The value of interval must be equal to or greater than four times the value of delay.
  Therefore, if you want to set interval to a value smaller than four times the current
  delay, first reduce the delay to a value equal to or smaller than a quarter of the new
  interval, and then reduce the interval.
NOTE

If the interval value is smaller than four times the delay value, the system displays an error
message when you run the undo lldp message-transmission delay command. To run the undo lldp
message-transmission delay command in this case, first increase the interval value to at least
four times the delay value.

Hold time multiplier of device information on neighbors


The hold time multiplier determines the Time to Live (TTL) carried in the packets sent by the
local device, that is, how long neighbors store the device information. After receiving the
LLDP packets, the neighbors update the aging time of the device information from the sender
according to the TTL.
The storage time is calculated as follows: TTL = Min (65535, (interval x hold)).
l TTL is the device information storage time. It is the smaller value between 65535 and
  (interval x hold).
l interval is the interval at which the device sends LLDP packets to neighbors. This parameter
  is set by lldp message-transmission interval.
l hold is the hold time multiplier of device information on neighbors.

After the LLDP function is disabled on the device, its neighbors wait until the TTL of the device
information expires, and then delete the device information. This prevents network topology
flapping. Set the hold time multiplier of device information on neighbors to a proper value.
l A large value of the hold time multiplier prevents network topology flapping. However, if
  the value is too large, the device cannot notify neighbors of its status in time, and the NMS
  cannot discover network topology changes in real time.
l A small value of the hold time multiplier enables the NMS to discover topology changes in
  time. However, if the value is too small, the neighbors update device information too
  frequently. This increases the load on the system and wastes resources.

The default value is recommended.

Delay to re-enable LLDP on an interface

There is a delay before LLDP is re-enabled on an interface. The delay suppresses the topology
flapping on neighbors caused by frequent LLDP status changes. Set the delay to re-enable the
LLDP function on an interface to a proper value.
l A large value of the delay prevents network topology flapping. However, if the value is too
  large, the device cannot notify neighbors of its status in time, and the NMS cannot discover
  network topology changes in real time.
l A small value of the delay enables the NMS to discover topology changes in time. However,
  if the value is too small, the neighbors update device information too frequently. This
  increases the load on the system and wastes resources.

The default value is recommended.

Delay to send neighbor change traps to the NMS

There is a delay before the device sends LLDP traps to the NMS. When the neighbor information
changes frequently, extend the delay to prevent the device from sending traps to the NMS too
frequently. The delay suppresses topology flapping. After the delay is set on the device, the
LLDP-enabled interfaces send LLDP traps to the NMS after a delay that is equal to or longer
than the delay you specified. The interfaces may send traps at different time points.
The delay applies only to the following traps: traps for adding neighbors, traps for deleting
neighbors, neighbor aging traps, and traps for discarding neighbor packets
(LLDP_1.0.8802.1.1.2.0.0.1 lldpRemTablesChange).

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
lldp message-transmission interval interval

The interval for sending LLDP packets is set.


By default, the interval for sending LLDP packets is 30 seconds.
Step 3 Run:
lldp message-transmission delay delay

The delay to send LLDP packets is set.


By default, the delay to send LLDP packets is 2 seconds.
Step 4 Run:
lldp message-transmission hold-multiplier hold

The hold time multiplier of device information stored on neighbors is set.


The default value is 4.
NOTE

l You can extend the storage time of device information on the neighbors by increasing the value of
hold.
l The value of hold ranges from 2 to 10; however, when the value of (hold x interval) is greater than
65535, the hold value is invalid.

Step 5 Run:
lldp restart-delay delay

The delay to re-enable LLDP on an interface is set.


The default value is 2, in seconds.
If LLDP is disabled on an interface, the system re-enables LLDP for the interface after a delay.
Step 6 Run:
lldp trap-interval interval

The delay to send neighbor change traps to the NMS is set.


The default value is 5, in seconds.
----End
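The timer rules stated in this section (interval from 5 to 32768 and at least four times the delay; hold from 2 to 10 with hold x interval no greater than 65535; TTL = Min (65535, interval x hold)), as an added example that is not part of the original guide or of Huawei's code: a Python helper that validates a target combination, computes the TTL neighbors will keep the entry for, and orders the lldp message-transmission commands so that no intermediate state breaks the four-times rule (the case where the delay has to be lowered before the interval can be). The command keywords are the ones in the procedure above; the lower bound of 1 on delay is an assumption, since the page states no range for it.

```python
"""Validate LLDP timer settings and order the commands that change them.
Added example, not Huawei code. Constraints are the ones stated in this
section; the lower bound of 1 for delay is an assumption."""

INTERVAL_MIN, INTERVAL_MAX = 5, 32768
HOLD_MIN, HOLD_MAX = 2, 10
TTL_MAX = 65535


def advertised_ttl(interval, hold):
    """TTL neighbors keep the local entry for: Min(65535, interval x hold)."""
    return min(TTL_MAX, interval * hold)


def validate(interval, delay, hold):
    """Return the list of rule violations; an empty list means the values are accepted."""
    problems = []
    if not INTERVAL_MIN <= interval <= INTERVAL_MAX:
        problems.append(f"interval {interval} is outside {INTERVAL_MIN}..{INTERVAL_MAX}")
    if delay < 1:  # assumed lower bound; the guide gives no range for delay
        problems.append(f"delay {delay} must be at least 1")
    if interval < 4 * delay:
        problems.append(f"interval {interval} is smaller than 4 x delay ({4 * delay})")
    if not HOLD_MIN <= hold <= HOLD_MAX:
        problems.append(f"hold {hold} is outside {HOLD_MIN}..{HOLD_MAX}")
    if hold * interval > TTL_MAX:
        problems.append(f"hold x interval = {hold * interval} exceeds {TTL_MAX}; hold is invalid")
    return problems


def plan_commands(current, target):
    """Return the VRP commands that move the timers from current to target so that
    every intermediate state still satisfies interval >= 4 x delay."""
    problems = validate(**target)
    if problems:
        raise ValueError("; ".join(problems))
    cmds = ["system-view"]
    changes = {k: target[k] for k in ("interval", "delay", "hold") if target[k] != current[k]}

    def emit(keyword, value):
        cmds.append(f"lldp message-transmission {keyword} {value}")

    # Lowering hold can never trip the 65535 rule, so it is safe to do first;
    # raising hold waits until the interval has its final value.
    if "hold" in changes and target["hold"] < current["hold"]:
        emit("hold-multiplier", changes.pop("hold"))
    # A smaller interval may need the delay reduced first (the case described above);
    # a larger delay needs the interval raised first.
    if target["interval"] < 4 * current["delay"]:
        order = ("delay", "interval")
    else:
        order = ("interval", "delay")
    for key in order:
        if key in changes:
            emit(key, changes[key])
    if "hold" in changes:
        emit("hold-multiplier", changes["hold"])
    return cmds


if __name__ == "__main__":
    defaults = {"interval": 30, "delay": 2, "hold": 4}   # defaults from the procedure above
    print("TTL with defaults:", advertised_ttl(defaults["interval"], defaults["hold"]))
    print("\n".join(plan_commands(defaults, {"interval": 5, "delay": 1, "hold": 4})))
```

With the defaults the advertised TTL is 120 seconds, which is why the neighbor entry in the configuration example later in this section shows an expired time just under 120 s; going from the defaults to the minimum interval of 5 requires the delay to be set to 1 before the interval command will be accepted, and the helper emits the commands in that order.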

(Optional) Enabling the LLDP Trap Function


To send traps to the NMS when the neighbor information changes, you need to enable the LLDP
trap function on the Switch.
Context
After the LLDP trap function is enabled, the Switch sends traps to the NMS in any of the
following cases:
l The LLDP function is enabled or disabled globally. The traps are
  LLDP_1.3.6.1.4.1.2011.5.25.134.2.1 hwLldpEnabled and
  LLDP_1.3.6.1.4.1.2011.5.25.134.2.2 hwLldpDisabled.
l The local management address changes. The trap is LLDP_1.3.6.1.4.1.2011.5.25.134.2.5
  hwLldpLocManIPAddrChange.
l Neighbor information changes. The trap is LLDP_1.0.8802.1.1.2.0.0.1
  lldpRemTablesChange. A trap is not generated if the management address of a neighbor
  changes.

The LLDP trap function applies to all interfaces. The LLDP trap function takes effect regardless
of whether the LLDP function is enabled globally. If the network topology is unstable, disable
the LLDP trap function to prevent frequent trap sending.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
snmp-agent trap enable feature-name lldptrap

The LLDP trap function is enabled.


By default, the LLDP trap function is enabled on the AC6605.
----End

Checking the Configuration


Prerequisites
All configurations are complete.

Procedure
l Run the display lldp local [ interface interface-type interface-number ] command to view
  local LLDP status.
l Run the display lldp neighbor [ interface interface-type interface-number ] command to
  view neighbor information of an interface.
l Run the display lldp neighbor brief command to view brief information about neighbors.
l Run the display lldp tlv-config command to view the TLV types supported by the interface.
l Run the display lldp statistics [ interface interface-type interface-number ] command to
  view statistics about LLDP packets sent and received by an interface.

----End
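One way to turn the display lldp neighbor output into a check, added here as an example that is not part of the original guide or of Huawei's code: a Python script that parses the key:value lines the command prints, grouped per interface, and compares each neighbor's Chassis ID and management address against an expected baseline, reporting a neighbor that is not in the baseline, an expected neighbor that has disappeared, or a management address that has changed. The sample output and the baseline are constructed for this example in the format shown later in this section; the second interface, its rogue-host neighbor and the chassis ID 00e0-fc33-0022 assumed for the ME do not come from the page.

```python
"""Compare 'display lldp neighbor' output against an expected neighbor baseline.
Added example, not Huawei code; the sample output is constructed to match the
format shown in this section."""
import re

# Constructed sample in the display format, not captured from a device.
SAMPLE_OUTPUT = """\
GigabitEthernet0/0/1 has 1 neighbors:
Neighbor index : 1
Chassis type        :macAddress
Chassis ID          :00e0-fc33-0011
Port ID type        :interfaceName
Port ID             :GigabitEthernet0/0/1
System name         :SwitchB
Management address type :ipV4
Management address  : 10.10.10.2
Expired time        :118s
GigabitEthernet0/0/2 has 1 neighbors:
Neighbor index : 1
Chassis type        :macAddress
Chassis ID          :0011-2233-4455
Port ID type        :interfaceName
Port ID             :eth0
System name         :rogue-host
Management address type :ipV4
Management address  : 192.168.1.50
Expired time        :110s
"""

# Expected neighbor per local interface (assumed values for this example).
BASELINE = {
    "GigabitEthernet0/0/1": {"chassis_id": "00e0-fc33-0011", "mgmt_addr": "10.10.10.2"},
    "GigabitEthernet0/0/2": {"chassis_id": "00e0-fc33-0022", "mgmt_addr": None},  # the ME
}

_IFACE_RE = re.compile(r"^(\S+) has (\d+) neighbors?:")
_KV_RE = re.compile(r"^([A-Za-z][^:]*?)\s*:\s*(.*)$")


def parse_neighbors(text):
    """Return {interface: [neighbor dict, ...]} with lower-cased field names."""
    result, iface, current = {}, None, None
    for line in text.splitlines():
        m = _IFACE_RE.match(line)
        if m:
            iface = m.group(1)
            result.setdefault(iface, [])
            current = None
            continue
        m = _KV_RE.match(line)
        if not m or iface is None:
            continue
        key, value = m.group(1).strip().lower(), m.group(2).strip()
        if key == "neighbor index":          # starts a new neighbor entry
            current = {}
            result[iface].append(current)
        elif current is not None:
            current[key] = value
    return result


def check_neighbors(parsed, baseline):
    """Return a list of finding strings; an empty list means the topology matches."""
    findings = []
    for iface, expected in baseline.items():
        seen = parsed.get(iface, [])
        if not seen:
            findings.append(f"{iface}: expected neighbor {expected['chassis_id']} is missing")
            continue
        for n in seen:
            cid = n.get("chassis id")
            if cid != expected["chassis_id"]:
                findings.append(f"{iface}: unexpected neighbor chassis {cid} ({n.get('system name')})")
            elif expected["mgmt_addr"] and n.get("management address") != expected["mgmt_addr"]:
                findings.append(f"{iface}: management address changed to {n.get('management address')}")
    for iface, seen in parsed.items():
        if iface not in baseline and seen:
            findings.append(f"{iface}: neighbors present on an interface not in the baseline")
    return findings


if __name__ == "__main__":
    for finding in check_neighbors(parse_neighbors(SAMPLE_OUTPUT), BASELINE):
        print(finding)
```

The comparison is on the fields an operator would notice first (chassis ID and management address); because a peer can advertise any values it likes, a match only says the neighbor looks like the expected one, while a mismatch on a port that should face a known switch is worth a look.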
10.2.4 Maintaining LLDP


This section describes how to clear LLDP statistics and monitor LLDP status.

Clearing LLDP Statistics


To clear LLDP statistics, run the following reset command in the user view.

Procedure
l Run the reset lldp statistics [ interface interface-type interface-number ] command to
  clear LLDP statistics.

----End

10.2.5 Configuration Examples


This section provides LLDP configuration examples.

Example for Configuring LLDP on the Device That Has a Single Neighbor
After LLDP is configured on the network devices, the NMS can obtain the network topology.
The following example describes how to configure LLDP on the devices that have a single
neighbor.

Networking Requirements
As shown in Figure 10-13, SwitchA is directly connected to SwitchB and media endpoint (ME).
The NMS needs to obtain Layer 2 information about SwitchA, SwitchB, and ME. By using the
Layer 2 information, a network administrator can know the detailed network topology
information and configuration conflicts. These requirements can be met by configuring LLDP
on SwitchA and SwitchB.
In addition, the administrator requires that SwitchA and SwitchB send LLDP traps to the NMS
when the LLDP management address changes, global LLDP is enabled or disabled, or the
neighbor information changes. This ensures that the administrator detects topology changes in
time.
The ME supports the LLDP function. Reachable routes exist between the NMS and Switches.
The SNMP parameters are set on all devices.

Figure 10-13 Configuring LLDP on the device that has a single neighbor
(Figure: the NMS reaches SwitchA over the Internet. SwitchA (management address 10.10.10.1)
connects through GE0/0/1 to GE0/0/1 of SwitchB (management address 10.10.10.2), and through
GE0/0/2 to the ME.)

Configuration Roadmap
The configuration roadmap is as follows:
1. Enable global LLDP on SwitchA and SwitchB.
2. Enable SwitchA and SwitchB to process LLDP BPDUs.
3. Configure management addresses for SwitchA and SwitchB.
4. Enable the LLDP trap function on SwitchA and SwitchB.

Data Preparation
To complete the configuration, you need the following data:
l Management address 10.10.10.1 for SwitchA and management address 10.10.10.2 for
  SwitchB

Procedure
Step 1 Enable global LLDP on SwitchA and SwitchB.
# Configure SwitchA.
<Quidway> system-view
[Quidway] sysname SwitchA
[SwitchA] lldp enable

# Configure SwitchB.
<Quidway> system-view
[Quidway] sysname SwitchB
[SwitchB] lldp enable

Step 2 Enable SwitchA and SwitchB to process LLDP BPDUs.


# Configure SwitchA.
[SwitchA] interface gigabitethernet 0/0/1

# Configure SwitchB.
[SwitchB] interface gigabitethernet 0/0/1

Step 3 Configure management addresses for SwitchA and SwitchB.


# Configure SwitchA.
[SwitchA] lldp management-address 10.10.10.1

# Configure SwitchB.
[SwitchB] lldp management-address 10.10.10.2

Step 4 Enable the LLDP trap function on SwitchA and SwitchB.


# Configure SwitchA.
[SwitchA] snmp-agent trap enable feature-name lldptrap

# Configure SwitchB.
[SwitchB] snmp-agent trap enable feature-name lldptrap

Step 5 Verify the configuration.


# Check whether the LLDP function is enabled, management addresses are configured, and the
LLDP trap function is enabled.
l View the configurations on SwitchA.
[SwitchA] display lldp local
System information
--------------------------------------------------------------------------
Chassis type        :macAddress
Chassis ID          :00e0-fc33-0011
System name         :SwitchA
System description  :Quidway
                     Huawei Versatile Routing Platform Software
                     VRP (R) Software, Version 5.110 (AC6605 V200R002C00)
                     Copyright (c) 2000-2011 Huawei Technologies Co., Ltd
System capabilities supported :bridge
System capabilities enabled   :bridge
LLDP Up time        :2011/2/13 18:31:37

MED system information
--------------------------------------------------------------------------
Device class        :Network Connectivity
(MED inventory information of master board)
HardwareRev         :VER A
FirmwareRev         :NA
SoftwareRev         :Version 5.110 V200R002C00
SerialNum           :NA
Manufacturer name   :NA
Model name          :NA
Asset tracking identifier :NA

System configuration
--------------------------------------------------------------------------
LLDP Status                     :enabled            (default is disabled)
LLDP Message Tx Interval        :30                 (default is 30s)
LLDP Message Tx Hold Multiplier :4                  (default is 4)
LLDP Refresh Delay              :2                  (default is 2s)
LLDP Tx Delay                   :2                  (default is 2s)
LLDP Notification Interval      :5                  (default is 5s)
LLDP Notification Enable        :enabled            (default is disabled)
Management Address              :IP: 10.10.10.1

Remote Table Statistics:
--------------------------------------------------------------------------
Remote Table Last Change Time :0 days, 0 hours, 0 minutes, 0 seconds
Remote Neighbors Added        :0
Remote Neighbors Deleted      :0
Remote Neighbors Dropped      :0
Remote Neighbors Aged         :0
Total Neighbors               :1

Port information:
--------------------------------------------------------------------------
Interface GigabitEthernet0/0/1:
LLDP Enable Status  :enabled            (default is disabled)
Total Neighbors     :1
Port ID subtype     :interfaceName
Port ID             :GigabitEthernet0/0/1
Port description    :HUAWEI, Quidway Series, GigabitEthernet0/0/1 Interface

Port And Protocol vlan ID(PPVID) don't supported

Port VLAN ID(PVID)  :1
VLAN name of VLAN 1: VLAN1
Protocol identity   :STP RSTP/MSTP LACP EthOAM CFM
Auto-negotiation supported :Yes
Auto-negotiation enabled   :Yes
OperMau             :speed(100)/duplex(Full)
Power port class    :PD
PSE power supported :No
PSE power enabled   :No
PSE pairs control ability:No
Power pairs         :Unknown
Port power classification:Unknown
Link aggregation supported:Yes
Link aggregation enabled :No
Aggregation port ID :0
Maximum frame Size  :1600
EEE support         :Yes
Transmit Tw         :36
Receive Tw          :36
Fallback Receive Tw :36
Echo Transmit Tw    :36
Echo Receive Tw     :36

MED port information
Media policy type   :Unknown
Unknown Policy      :Yes
VLAN tagged         :No
Media policy VlanID :0
Media policy L2 priority :0
Media policy Dscp   :0
Power Type          :Unknown
PoE PSE power source:Unknown
Port PSE Priority   :Unknown
Port Available power value:0.2(w)
# View the neighbor information of SwitchA.
<SwitchA> display lldp neighbor interface gigabitethernet 0/0/1
GigabitEthernet0/0/1 has 1 neighbors:
Neighbor index : 1
Chassis type        :macAddress
Chassis ID          :00e0-fc33-0011
Port ID type        :interfaceName
Port ID             :GigabitEthernet0/0/1
Port description    :HUAWEI, Quidway Series, GigabitEthernet0/0/1 Interface
System name         :SwitchB
System description  :Quidway
                     Huawei Versatile Routing Platform Software
                     VRP (R) Software, Version 5.110 (AC6605 V200R002C00)
                     Copyright (c) 2000-2011 Huawei Technologies Co., Ltd
System capabilities supported :bridge
System capabilities enabled   :bridge
Management address type :ipV4
Management address  : 10.10.10.2
Expired time        :118s
Port VLAN ID(PVID)  :1
VLAN name of VLAN 1: VLAN1
Protocol identity   :STP RSTP/MSTP LACP EthOAM CFM
Auto-negotiation supported :Yes
Auto-negotiation enabled   :Yes
OperMau             :speed(100)/duplex(Full)
Power port class    :PD
PSE power supported :No
PSE power enabled   :No
PSE pairs control ability:No
Power pairs         :Unknown
Port power classification:Unknown
Link aggregation supported:Yes
Link aggregation enabled :No
Aggregation port ID :0
Maximum frame Size  :1600
EEE support         :Yes
Transmit Tw         :36
Receive Tw          :36
Fallback Receive Tw :36
Echo Transmit Tw    :36
Echo Receive Tw     :36

MED Device information
Device class        :Network Connectivity
HardwareRev         :LE01MCUA VER.A
FirmwareRev         :NC
SoftwareRev         :Version 5.110 V200R002C00
SerialNum           :NA
Manufacturer name   :HUAWEI TECH CO., LTD
Model name          :NA
Asset tracking identifier :NA
Media policy type   :Unknown
Unknown Policy      :Yes
VLAN tagged         :No
Media policy VlanID :0
Media policy L2 priority :0
Media policy Dscp   :0
Power Type          :Unknown
PoE PSE power source:Unknown
Port PSE Priority   :Unknown
Port Available power value:0.2(w)

- View the configurations on SwitchB.
  Similar to the information about SwitchA.
----End

Configuration Files
- Configuration file of SwitchA


#
sysname SwitchA
#
lldp enable
#
interface GigabitEthernet0/0/1
undo port hybrid vlan 1
#
lldp management-address 10.10.10.1
#
return

- Configuration file of SwitchB


#
sysname SwitchB
#
lldp enable
#
interface GigabitEthernet0/0/1
undo port hybrid vlan 1
#
lldp management-address 10.10.10.2
#
return

Example for Configuring LLDP on the Device That Has Multiple Neighbors
After LLDP is configured on the network devices, the NMS can obtain the network topology.
The following example describes how to configure LLDP on the devices that have multiple
neighbors.

Networking Requirements
As shown in Figure 10-14, SwitchA, SwitchB, and SwitchC are connected through an unknown
network. The unknown network is not managed by the NMS, but can transparently transmit
LLDP packets. The NMS needs to obtain Layer 2 information about SwitchA, SwitchB, and
SwitchC. By using the Layer 2 information, a network administrator can know the detailed
network topology information and configuration conflicts. These requirements can be met by
configuring LLDP on SwitchA, SwitchB, and SwitchC.
The NMS has reachable routes to SwitchA, SwitchB, and SwitchC and SNMP parameters are
set on all devices.


Figure 10-14 Configuring LLDP on the device that has multiple neighbors
(Figure: the NMS reaches SwitchA (10.10.10.1), SwitchB (10.10.10.2), and SwitchC (10.10.10.3) with SNMP packets; LLDPDUs between the three switches pass through SwitchD, SwitchE, and SwitchF in the unknown network. Legend: LLDP interface, SNMP packet, LLDPDU packet. NMS: Network Management System.)

Configuration Roadmap
The configuration roadmap is as follows:
1. Enable global LLDP on SwitchA, SwitchB, and SwitchC.
2. Enable SwitchA, SwitchB, and SwitchC to process LLDP BPDUs.
3. Configure management addresses for SwitchA, SwitchB, and SwitchC.

Data Preparation
To complete the configuration, you need the following data:
- Management addresses for SwitchA, SwitchB, and SwitchC

Procedure
Step 1 Enable global LLDP on SwitchA, SwitchB, and SwitchC.
# Configure SwitchA.
<Quidway> system-view
[Quidway] sysname SwitchA
[SwitchA] lldp enable

# Configure SwitchB.

Same as the configurations on SwitchA.


# Configure SwitchC.
Same as the configurations on SwitchA.
Step 2 Enable SwitchA, SwitchB, and SwitchC to process LLDP BPDUs.
# Configure SwitchA.
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-interface GigabitEthernet0/0/1] bpdu enable

# Configure SwitchB.
Same as the configurations on SwitchA.
# Configure SwitchC.
Same as the configurations on SwitchA.
Step 3 Configure management addresses for SwitchA, SwitchB, and SwitchC.
# Configure SwitchA.
[SwitchA] lldp management-address 10.10.10.1

# Configure SwitchB.
[SwitchB] lldp management-address 10.10.10.2

# Configure SwitchC.
[SwitchC] lldp management-address 10.10.10.3

Step 4 Verify the configuration.
# Check whether the LLDP function is enabled and management addresses are configured.
- View the configurations on SwitchA.
[SwitchA] display lldp local
System information
-------------------------------------------------------------------------
Chassis type                    :macAddress
Chassis ID                      :00e0fc33-0011
System name                     :SwitchA
System description              :Quidway
                                 Huawei Versatile Routing Platform Software
                                 VRP (R) Software, Version 5.110 (AC6605 V200R002C00)
                                 Copyright (c) 2000-2011 Huawei Technologies Co., Ltd
System capabilities supported   :bridge
System capabilities enabled     :bridge
LLDP Up time                    :2011/2/13 18:31:37
MED system information
-------------------------------------------------------------------------
Device class                    :Network Connectivity
(MED inventory information of master board)
HardwareRev                     :VER A
FirmwareRev                     :NA
SoftwareRev                     :Version 5.110 V200R002C00
SerialNum                       :NA
Manufacturer name               :NA
Model name                      :NA
Asset tracking identifier       :NA
System configuration
-------------------------------------------------------------------------
LLDP Status                     :enabled                 (default is disabled)
LLDP Message Tx Interval        :30                      (default is 30s)
LLDP Message Tx Hold Multiplier :4                       (default is 4)
LLDP Refresh Delay              :2                       (default is 2s)
LLDP Tx Delay                   :2                       (default is 2s)
LLDP Notification Interval      :5                       (default is 5s)
LLDP Notification Enable        :enabled                 (default is disabled)
Management Address              :IP: 10.10.10.1
Remote Table Statistics:
-------------------------------------------------------------------------
Remote Table Last Change Time   :0 days, 0 hours, 0 minutes, 0 seconds
Remote Neighbors Added          :0
Remote Neighbors Deleted        :0
Remote Neighbors Dropped        :0
Remote Neighbors Aged           :0
Total Neighbors                 :2
Port information:
-------------------------------------------------------------------------
Interface GigabitEthernet0/0/1:
LLDP Enable Status              :enabled                 (default is disabled)
Total Neighbors                 :2
Port ID subtype                 :interfaceName
Port ID                         :GigabitEthernet0/0/1
Port description                :HUAWEI, Quidway Series, GigabitEthernet0/0/1 Interface
Port And Protocol vlan ID(PPVID) don't supported
Port VLAN ID(PVID)              :1
VLAN name of VLAN 1: VLAN1
Protocol identity               :STP RSTP/MSTP LACP EthOAM CFM
Auto-negotiation supported      :Yes
Auto-negotiation enabled        :Yes
OperMau                         :speed(100)/duplex(Full)
Power port class                :PD
PSE power supported             :No
PSE power enabled               :No
PSE pairs control ability       :No
Power pairs                     :Unknown
Port power classification       :Unknown
Link aggregation supported      :Yes
Link aggregation enabled        :No
Aggregation port ID             :0
Maximum frame Size              :1600
EEE support                     :Yes
Transmit Tw                     :36
Receive Tw                      :36
Fallback Receive Tw             :36
Echo Transmit Tw                :36
Echo Receive Tw                 :36
MED port information
Media policy type               :Unknown
Unknown Policy                  :Yes
VLAN tagged                     :No
Media policy VlanID             :0
Media policy L2 priority        :0
Media policy Dscp               :0
Power Type                      :Unknown
PoE PSE power source            :Unknown
Port PSE Priority               :Unknown
Port Available power value      :0.2(w)
---- More ----

# View the neighbor information of SwitchA.


<SwitchA> display lldp neighbor interface gigabitethernet 0/0/1
GigabitEthernet0/0/1 has 2 neighbors:
Neighbor index : 1
Chassis type                    :macAddress
Chassis ID                      :00e0-fc33-0012
Port ID type                    :interfaceName
Port ID                         :GigabitEthernet0/0/1
Port description                :HUAWEI, Quidway Series, GigabitEthernet0/0/1 Interface
System name                     :SwitchB
System description              :Quidway
                                 Huawei Versatile Routing Platform Software
                                 VRP (R) Software, Version 5.110 (AC6605 V200R002C00)
                                 Copyright (c) 2000-2011 Huawei Technologies Co., Ltd
System capabilities supported   :bridge
System capabilities enabled     :bridge
Management address type         :ipV4
Management address              :10.10.10.2
Expired time                    :118s
Port VLAN ID(PVID)              :1
VLAN name of VLAN 1: VLAN1
Protocol identity               :STP RSTP/MSTP LACP EthOAM CFM
Auto-negotiation supported      :Yes
Auto-negotiation enabled        :Yes
OperMau                         :speed(100)/duplex(Full)
Power port class                :PD
PSE power supported             :No
PSE power enabled               :No
PSE pairs control ability       :No
Power pairs                     :Unknown
Port power classification       :Unknown
Link aggregation supported      :Yes
Link aggregation enabled        :No
Aggregation port ID             :0
Maximum frame Size              :1600
EEE support                     :Yes
Transmit Tw                     :36
Receive Tw                      :36
Fallback Receive Tw             :36
Echo Transmit Tw                :36
Echo Receive Tw                 :36
MED Device information
Device class                    :Network Connectivity
HardwareRev                     :VER A
FirmwareRev                     :NC
SoftwareRev                     :Version 5.110 V200R002C00
SerialNum                       :NA
Manufacturer name               :HUAWEI TECH CO., LTD
Model name                      :NA
Asset tracking identifier       :NA
Media policy type               :Unknown
Unknown Policy                  :Undefined
VLAN tagged                     :No
Media policy VlanID             :0
Media policy L2 priority        :0
Media policy Dscp               :0
Power Type                      :Unknown
PoE PSE power source            :Unknown
Port PSE Priority               :Unknown
Port Available power value      :0.2(w)
Neighbor index : 2
Chassis type                    :macAddress
Chassis ID                      :00e0-fc33-0013
Port ID type                    :interfaceName
Port ID                         :GigabitEthernet0/0/1
Port description                :HUAWEI, Quidway Series, GigabitEthernet0/0/1 Interface
System name                     :SwitchC
System description              :Quidway
                                 Huawei Versatile Routing Platform Software
                                 VRP (R) Software, Version 5.110 (AC6605 V200R002C00)
                                 Copyright (c) 2000-2011 Huawei Technologies Co., Ltd
System capabilities supported   :bridge
System capabilities enabled     :bridge
Management address type         :ipV4
Management address              :10.10.10.3
Expired time                    :118s
Port VLAN ID(PVID)              :1
VLAN name of VLAN 1: VLAN1
Protocol identity               :STP RSTP/MSTP LACP EthOAM CFM
Auto-negotiation supported      :Yes
Auto-negotiation enabled        :Yes
OperMau                         :speed(100)/duplex(Full)
Power port class                :PD
PSE power supported             :No
PSE power enabled               :No
PSE pairs control ability       :No
Power pairs                     :Unknown
Port power classification       :Unknown
Link aggregation supported      :Yes
Link aggregation enabled        :No
Aggregation port ID             :0
Maximum frame Size              :1600
EEE support                     :Yes
Transmit Tw                     :36
Receive Tw                      :36
Fallback Receive Tw             :36
Echo Transmit Tw                :36
Echo Receive Tw                 :36
MED Device information
Device class                    :Network Connectivity
HardwareRev                     :VER A
FirmwareRev                     :NC
SoftwareRev                     :Version 5.110 V200R002C00
SerialNum                       :NA
Manufacturer name               :HUAWEI TECH CO., LTD
Model name                      :NA
Asset tracking identifier       :NA
Media policy type               :Unknown
Unknown Policy                  :Undefined
VLAN tagged                     :No
Media policy VlanID             :0
Media policy L2 priority        :0
Media policy Dscp               :0
Power Type                      :Unknown
PoE PSE power source            :Unknown
Port PSE Priority               :Unknown
Port Available power value      :0.2(w)

- View the configurations on SwitchB.
  Same as the information about SwitchA.
- View the configurations on SwitchC.
  Same as the information about SwitchA.
----End

Configuration Files
- Configuration file of SwitchA


#
sysname SwitchA
#
#
lldp enable
#
lldp management-address 10.10.10.1
#
interface GigabitEthernet0/0/1
undo port hybrid vlan 1
bpdu enable
#
return

- Configuration file of SwitchB


#
sysname SwitchB
#
#
lldp enable
#
lldp management-address 10.10.10.2
#
interface GigabitEthernet0/0/1
undo port hybrid vlan 1
bpdu enable
#
return

- Configuration file of SwitchC


#
sysname SwitchC
#
#
lldp enable
#
lldp management-address 10.10.10.3


#
interface GigabitEthernet0/0/1
undo port hybrid vlan 1
bpdu enable
#
return

Example for Configuring LLDP on the Network Where Link Aggregation Is Configured
After LLDP is configured on the interfaces of network devices, the NMS can obtain the network
topology. The following example describes how to configure LLDP on the network where link
aggregation is configured.

Networking Requirements
As shown in Figure 10-15, SwitchA and SwitchB need to be connected by an Eth-Trunk. The
NMS needs to obtain the Layer 2 information between the Switches. By using the Layer 2
information, a network administrator can know the detailed topology information and
configuration errors on the devices outside the unknown network. These requirements can be
met by configuring LLDP on SwitchA and SwitchB.
The NMS has reachable routes to SwitchA and SwitchB and SNMP parameters are set on all
devices.
Figure 10-15 Configuring LLDP on the network where link aggregation is configured
(Figure: SwitchA (10.10.10.1) and SwitchB (10.10.10.2) are connected by Eth-Trunk1; the member links are GE1/0/1-GE2/0/1, GE1/0/2-GE2/0/2, and GE1/0/3-GE2/0/3.)

Configuration Roadmap
The configuration roadmap is as follows:
1. Add the physical interfaces of SwitchA and SwitchB to the Eth-Trunk.
2. Enable global LLDP on SwitchA and SwitchB.
3. Enable SwitchA and SwitchB to process LLDP BPDUs.
4. Configure management addresses for SwitchA and SwitchB.

Data Preparation
To complete the configuration, you need the following data:
- Management address 10.10.10.1 for SwitchA and management address 10.10.10.2 for
  SwitchB
- Number of the Eth-Trunk between SwitchA and SwitchB, and numbers of the interfaces
  added to the Eth-Trunk


Procedure
Step 1 Configure the Eth-Trunk between SwitchA and SwitchB.
# Configure SwitchA.
<Quidway> system-view
[Quidway] sysname SwitchA
[SwitchA] vlan batch 100
[SwitchA] interface eth-trunk 1
[SwitchA-Eth-Trunk1] trunkport gigabitethernet 0/0/1
[SwitchA-Eth-Trunk1] trunkport gigabitethernet 0/0/2
[SwitchA-Eth-Trunk1] trunkport gigabitethernet 0/0/3
[SwitchA-Eth-Trunk1] port link-type trunk
[SwitchA-Eth-Trunk1] port trunk allow-pass vlan 100
[SwitchA-Eth-Trunk1] quit

# Configure SwitchB.
Same as the configurations on SwitchA.
Step 2 Enable global LLDP on SwitchA and SwitchB.
# Configure SwitchA.
[SwitchA] lldp enable

# Configure SwitchB.
Same as the configurations on SwitchA.
Step 3 Enable SwitchA and SwitchB to process LLDP BPDUs.
# Configure SwitchA.
[SwitchA] interface eth-trunk 1
[SwitchA-Eth-Trunk1] bpdu enable
[SwitchA-Eth-Trunk1] quit

# Configure SwitchB.
Same as the configurations on SwitchA.
Step 4 Configure management addresses for SwitchA and SwitchB.
# Configure SwitchA.
[SwitchA] lldp management-address 10.10.10.1

# Configure SwitchB.
[SwitchB] lldp management-address 10.10.10.2

Step 5 Verify the configuration.
- View the configurations on SwitchA.
# Check whether the physical interfaces are added to Eth-Trunk1.
[SwitchA] display eth-trunk 1
Eth-Trunk1's state information is:
WorkingMode: NORMAL
Hash arithmetic: According to SIP-XORDIP
Least Active-linknumber: 1  Max Bandwidth-affected-linknumber: 8
Operate status: up          Number Of Up Port In Trunk: 3
-------------------------------------------------------------------------------
PortName                  Status    Weight
GigabitEthernet0/0/1      Up        1
GigabitEthernet0/0/2      Up        1
GigabitEthernet0/0/3      Up        1

# View the LLDP configurations.


[SwitchA] display lldp local
System information
-------------------------------------------------------------------------
Chassis type                    :macAddress
Chassis ID                      :00e0fc33-0011
System name                     :SwitchA
System description              :Quidway
                                 Huawei Versatile Routing Platform Software
                                 VRP (R) Software, Version 5.110 (AC6605 V200R002C00)
                                 Copyright (c) 2000-2011 Huawei Technologies Co., Ltd
System capabilities supported   :bridge
System capabilities enabled     :bridge
LLDP Up time                    :2011/4/13 18:35:45
MED system information
-------------------------------------------------------------------------
Device class                    :Network Connectivity
(MED inventory information of master board)
HardwareRev                     :VER A
FirmwareRev                     :NA
SoftwareRev                     :Version 5.110 V200R002C00
SerialNum                       :NA
Manufacturer name               :HUAWEI TECH CO.,LTD
Model name                      :NA
Asset tracking identifier       :NA
System configuration
-------------------------------------------------------------------------
LLDP Status                     :enabled                 (default is disabled)
LLDP Message Tx Interval        :30                      (default is 30s)
LLDP Message Tx Hold Multiplier :4                       (default is 4)
LLDP Refresh Delay              :2                       (default is 2s)
LLDP Tx Delay                   :2                       (default is 2s)
LLDP Notification Interval      :5                       (default is 5s)
LLDP Notification Enable        :enabled                 (default is disabled)
Management Address              :IP: 10.10.10.1
Remote Table Statistics:
-------------------------------------------------------------------------
Remote Table Last Change Time   :0 days, 15 hours, 1 minutes, 21 seconds
Remote Neighbors Added          :1
Remote Neighbors Deleted        :0
Remote Neighbors Dropped        :0
Remote Neighbors Aged           :0
Total Neighbors                 :3
Port information:
-------------------------------------------------------------------------
Interface GigabitEthernet0/0/1:
LLDP Enable Status              :enabled                 (default is disabled)
Total Neighbors                 :1
Port ID subtype                 :interfaceName
Port ID                         :GigabitEthernet0/0/1
Port description                :HUAWEI, Quidway Series, GigabitEthernet0/0/1 Interface
Port And Protocol vlan ID(PPVID) don't supported
Port VLAN ID(PVID)              :1
VLAN Name of VLAN 1: VLAN1
Protocol identity               :STP RSTP/MSTP LACP EthOAM CFM
Auto-negotiation supported      :Yes
Auto-negotiation enabled        :Yes
OperMau                         :speed(100)/duplex(Full)
Power port class                :PD
PSE power supported             :No
PSE power enabled               :No
PSE pairs control ability       :No
Power pairs                     :Unknown
Port power classification       :Unknown
Link aggregation supported      :Yes
Link aggregation enabled        :No
Aggregation port ID             :1
Maximum frame Size              :1600
EEE support                     :Yes
Transmit Tw                     :36
Receive Tw                      :36
Fallback Receive Tw             :36
Echo Transmit Tw                :36
Echo Receive Tw                 :36
MED port information
Media policy type               :Unknown
Unknown Policy                  :Yes
VLAN tagged                     :No
Media policy VlanID             :0
Media policy L2 priority        :0
Media policy Dscp               :0
Power Type                      :Unknown
PoE PSE power source            :Unknown
Port PSE Priority               :Unknown
Port Available power value      :0.2(w)
Interface GigabitEthernet0/0/2:
LLDP Enable Status              :enabled                 (default is disabled)
Total Neighbors                 :1
Port ID subtype                 :interfaceName
Port ID                         :GigabitEthernet0/0/2
Port description                :HUAWEI, Quidway Series, GigabitEthernet0/0/2 Interface
Port And Protocol vlan ID(PPVID) don't supported
Port VLAN ID(PVID)              :1
VLAN Name of VLAN 1: VLAN1
Protocol identity               :STP RSTP/MSTP LACP EthOAM CFM
Auto-negotiation supported      :Yes
Auto-negotiation enabled        :Yes
OperMau                         :speed(100)/duplex(Full)
Power port class                :PD
PSE power supported             :No
PSE power enabled               :No
PSE pairs control ability       :No
Power pairs                     :Unknown
Port power classification       :Unknown
Link aggregation supported      :Yes
Link aggregation enabled        :Yes
Aggregation port ID             :1
Maximum frame Size              :1600
EEE support                     :Yes
Transmit Tw                     :36
Receive Tw                      :36
Fallback Receive Tw             :36
Echo Transmit Tw                :36
Echo Receive Tw                 :36
MED port information
Media policy type               :Unknown
Unknown Policy                  :Yes
VLAN tagged                     :No
Media policy VlanID             :0
Media policy L2 priority        :0
Media policy Dscp               :0
Power Type                      :Unknown
PoE PSE power source            :Unknown
Port PSE Priority               :Unknown
Port Available power value      :0.2(w)
Interface GigabitEthernet0/0/3:
LLDP Enable Status              :enabled                 (default is disabled)
Total Neighbors                 :1
Port ID subtype                 :interfaceName
Port ID                         :GigabitEthernet0/0/3
Port description                :HUAWEI, Quidway Series, GigabitEthernet0/0/3 Interface
Port And Protocol vlan ID(PPVID) don't supported
Port VLAN ID(PVID)              :1
VLAN Name of VLAN 1: VLAN1
Protocol identity               :STP RSTP/MSTP LACP EthOAM CFM
Auto-negotiation supported      :Yes
Auto-negotiation enabled        :Yes
OperMau                         :speed(100)/duplex(Full)
Power port class                :PD
PSE power supported             :No
PSE power enabled               :No
PSE pairs control ability       :No
Power pairs                     :Unknown
Port power classification       :Unknown
Link aggregation supported      :Yes
Link aggregation enabled        :Yes
Aggregation port ID             :1
Maximum frame Size              :1600
EEE support                     :Yes
Transmit Tw                     :36
Receive Tw                      :36
Fallback Receive Tw             :36
Echo Transmit Tw                :36
Echo Receive Tw                 :36
MED port information
Media policy type               :Unknown
Unknown Policy                  :Yes
VLAN tagged                     :No
Media policy VlanID             :0
Media policy L2 priority        :0
Media policy Dscp               :0
Power Type                      :Unknown
PoE PSE power source            :Unknown
Port PSE Priority               :Unknown
Port Available power value      :0.2(w)

# View the neighbor information of SwitchA.
[SwitchA] display lldp neighbor brief
Local Intf    Neighbor Dev    Neighbor Intf    Exptime
GE0/0/1       SwitchB         GE0/0/1          115
GE0/0/2       SwitchB         GE0/0/2          115
GE0/0/3       SwitchB         GE0/0/3          115

- View the configurations on SwitchB.
  Same as the information about SwitchA.
----End

Configuration Files
- Configuration file of SwitchA


#
sysname SwitchA
#
vlan batch 100
#
interface Vlanif1
ip address 10.10.10.1 255.255.255.0
#
lldp enable
#
interface Eth-Trunk1
port link-type trunk
port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/1
eth-trunk 1
#
interface GigabitEthernet0/0/2
eth-trunk 1
#
interface GigabitEthernet0/0/3
eth-trunk 1
#
lldp management-address 10.10.10.1
#
return

- Configuration file of SwitchB


#
sysname SwitchB
#
interface Vlanif1
ip address 10.10.10.2 255.255.255.0
#
vlan batch 100
#
lldp enable
#
interface Eth-Trunk1
port link-type trunk
port trunk allow-pass vlan 100
#


interface GigabitEthernet0/0/1
eth-trunk 1
#
interface GigabitEthernet0/0/2
eth-trunk 1
#
interface GigabitEthernet0/0/3
eth-trunk 1
#
lldp management-address 10.10.10.2
#
return
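
As an added example (not code from the Huawei guide), the following Python parses the display lldp neighbor brief output shown for SwitchA and applies the two checks an NMS-side script would make for the examples above: every member of an Eth-Trunk must see the same neighbor device, and a port that learns several neighbors (as GigabitEthernet0/0/1 does in the multiple-neighbor example) is reached through a device the NMS does not manage. The sample output, including the fourth port GE0/0/4, is constructed.

```python
"""Check 'display lldp neighbor brief' output against the intended topology.

Added example, not code from the Huawei guide. The sample output is
constructed to match the column layout shown on this page: three Eth-Trunk1
members toward SwitchB (the link-aggregation example) plus a constructed
fourth port that, like GigabitEthernet0/0/1 in the multiple-neighbor example,
learns two neighbors through an unmanaged network in between.
"""
from collections import defaultdict

SAMPLE_BRIEF = """\
Local Intf    Neighbor Dev    Neighbor Intf    Exptime
GE0/0/1       SwitchB         GE0/0/1          115
GE0/0/2       SwitchB         GE0/0/2          115
GE0/0/3       SwitchB         GE0/0/3          115
GE0/0/4       SwitchB         GE0/0/4          118
GE0/0/4       SwitchC         GE0/0/1          118
"""


def parse_lldp_brief(text):
    """Return [(local_intf, neighbor_dev, neighbor_intf, exptime_seconds)]."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[0] == "Local":
            continue  # header line or blank line
        local, dev, intf, exptime = parts
        rows.append((local, dev, intf, int(exptime)))
    return rows


def multi_neighbor_ports(rows):
    """Ports that learned more than one neighbor.

    A point-to-point link yields exactly one neighbor; two or more means
    LLDPDUs are being forwarded by a device the NMS does not manage, so the
    topology the NMS draws from this port is incomplete.
    """
    seen = defaultdict(set)
    for local, dev, intf, _ in rows:
        seen[local].add((dev, intf))
    return {port: sorted(n) for port, n in seen.items() if len(n) > 1}


def check_trunk_members(rows, members, expected_dev):
    """Every member of an Eth-Trunk must see the same remote device.

    Returns {port: [devices seen]} for members whose neighbor set is not
    exactly {expected_dev}; an empty list means no neighbor was learned
    (LLDP or BPDU processing is off on the far side, or the link is down).
    """
    seen = defaultdict(set)
    for local, dev, _, _ in rows:
        seen[local].add(dev)
    return {port: sorted(seen[port]) for port in members
            if seen[port] != {expected_dev}}


if __name__ == "__main__":
    rows = parse_lldp_brief(SAMPLE_BRIEF)
    print("ports with several neighbors:", multi_neighbor_ports(rows))
    print("Eth-Trunk1 members:", check_trunk_members(
        rows, ["GE0/0/1", "GE0/0/2", "GE0/0/3"], "SwitchB"))
```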

10.3 NTP Configuration


This chapter describes how to configure Network Time Protocol (NTP) to make clocks of the
devices on the network identical.

10.3.1 Introduction to NTP


This part describes the application and working principles of NTP.
Network Time Protocol (NTP) synchronizes clocks of all devices in a network. It keeps all the
clocks of these devices consistent, and enables devices to implement various applications based
on the uniform time.
Any local system that runs NTP can be time synchronized by other clock sources, and also
functions as a clock source to synchronize other clocks. In addition, mutual synchronization can
be performed by exchanging NTP packets.
NTP packets are encapsulated in UDP packets for transmission and the port used by the NTP
protocol is 123.

NTP Application
NTP is applied to the following situations where all the clocks of hosts or Switches in a network
need to be consistent:
- Network management: Analysis of logs or debugging information collected from different
  Switches should be performed based on time.
- Charging system: requires the clocks of all devices to be consistent.
- Completing certain functions: For example, restarting all the Switches in a network requires
  the clocks of all the Switches to be consistent.
- Several systems working together on the same complicated event: Systems have to take the
  same clock for reference to ensure a proper sequence of implementation.
- Incremental backup between the backup server and clients: Clocks on the backup server
  and clients should be synchronized.
- User login time: Some applications need to know the time when a user logs in to the system
  and the file revision time.

When all the devices on a network need to be synchronized, it is almost impossible for an
administrator to manually change the system clock by executing command lines, because
the workload is heavy and clock accuracy cannot be ensured. NTP can quickly synchronize the
clocks of network devices and ensure their precision.
NTP has the following advantages:

- Defines clock accuracy by means of stratum to synchronize the time of network devices in
  a short time
- Supports access control and MD5 authentication
- Transmits packets in unicast, manycast, or broadcast mode

Principles of NTP
Figure 10-16 shows the principles of NTP. Switch A and Switch B are connected through a
WAN. They both have their own system clocks. NTP implements automatic synchronization of
their clocks.
Suppose:
- Before the system clocks of Switch A and Switch B are synchronized, the clock of Switch
  A is set to 10:00:00 am and the clock of Switch B is set to 11:00:00 am.
- Switch B functions as an NTP time server. That is, Switch A synchronizes its clock with
  that of Switch B.
- One-way transmission of data packets between Switch A and Switch B takes one second.
- Processing of data packets on Switch A or Switch B takes one second.


Figure 10-16 NTP basic principle diagram
(Figure: Step 1, SwitchA sends an NTP packet stamped 10:00:00am across the network to SwitchB. Step 2, SwitchB receives it and stamps 11:00:01am. Step 3, SwitchB returns the packet carrying 10:00:00am, 11:00:01am, and 11:00:02am. Step 4, SwitchA receives the NTP packet at 10:00:03.)

The process of synchronizing system clocks is as follows:
1. Switch A sends an NTP packet to Switch B. The packet carries the originating timestamp
   when it leaves Switch A, which is 10:00:00 am (T1).
2. When the NTP packet reaches Switch B, Switch B adds its receiving timestamp to the NTP
   packet, which is 11:00:01 am (T2).
3. When the NTP packet leaves Switch B, Switch B adds its transmitting timestamp to the
   NTP packet, which is 11:00:02 am (T3).
4. When Switch A receives the response packet, it adds a new receiving timestamp to it, which
   is 10:00:03 am (T4).
   Switch A uses the received information to calculate the following two important values:
   - Delay for the NTP message cycle: Delay = (T4 - T1) - (T3 - T2).
   - Offset of Switch A relative to Switch B: Offset = ((T2 - T1) + (T3 - T4))/2.
   According to the delay and the offset, Switch A sets its own clock again to synchronize
   with the clock of Switch B.


The preceding example is only a simple description of the NTP operating principle. As
described in RFC 1305, NTP uses a complex algorithm to ensure the precision of clock
synchronization.
The server and client are two relative concepts. The device that provides standard time is
referred to as a time server, and the device that enjoys the time service is referred to as a
client.

10.3.2 NTP Supported by the AC6605


This part describes NTP operating modes supported by the AC6605.
The Switch supports the following NTP working modes:
- Unicast Client/Server Mode
- Peer Mode
- Broadcast Mode
- Multicast Mode
- Manycast Mode

Unicast Client/Server Mode
In this mode, you need to configure only the client. The server needs to be configured with only
one NTP primary clock.
Note that the client can be synchronized to the server but the server cannot be synchronized to
the client.
After the configuration, the following actions occur:
1. The client sends a synchronization request packet to the server, with the mode field being
   set to 3. The value 3 indicates the client mode.
2. Upon receiving the request packet, the server automatically works in the server mode and
   sends a response packet with the mode field being set to 4. The value 4 indicates the server
   mode.
3. After receiving the response packet, the client performs clock filtering and selection, and
   finally, is synchronized with the optimal server.

Peer Mode
In this mode, you need to configure NTP only on the symmetric active end. The symmetric active
end and symmetric passive end can be synchronized with each other.
Note that the clock with a lower stratum is synchronized to the one with a higher stratum.
After the configurations, the following actions occur:
- The symmetric active end sends a synchronization request packet to the symmetric passive
  end with the mode field being set to 1. The value 1 indicates the symmetric active mode.
- Upon receiving the request packet, the symmetric passive end automatically works in
  symmetric passive mode and sends a response packet with the mode field being set to 2.
  The value 2 indicates the symmetric passive mode.


Broadcast Mode
In this mode, you need to configure both the server and the client.
After the configurations, the following actions occur:
- The server periodically sends clock synchronization packets to the broadcast address
  255.255.255.255.
- The client listens for broadcast packets from the server.
- After receiving the first broadcast packet, the client temporarily enters Client/Server
  mode and exchanges messages with the remote server to estimate the network delay.
- The client then works in broadcast client mode and continues to listen for incoming
  broadcast packets to synchronize the local clock.

Multicast Mode
In this mode, you need to configure both the server and the client.
After the configurations, the following actions occur:
- The server periodically sends clock synchronization packets to the configured multicast
  address. By default, the multicast address is 224.0.1.1.
- The client listens for multicast packets from the server.
- After receiving the first multicast packet, the client temporarily enters Client/Server
  mode and exchanges messages with the remote server to estimate the network delay.
- The client then works in multicast client mode and continues to listen for incoming
  multicast packets to synchronize the local clock.

Manycast Mode
In this mode, you need to configure both the server and the client.
After the configurations, the following actions occur:
- The manycast client periodically sends clock synchronization packets to the manycast
  server at the specified multicast address. By default, the multicast address is 224.0.1.1.
- The manycast server listens for manycast packets from the client and responds to the
  client with a unicast packet.
- After receiving the first unicast reply, the manycast client creates an ephemeral
  association with the server and exchanges unicast packets with it to estimate the
  network delay.
- The server works in manycast server mode and continues to listen for incoming manycast
  packets.
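The following Python script is an added example (not Huawei code and not part of this guide's procedures) that shows the wire-level side of the exchanges described above: it packs and unpacks the 48-byte NTPv4 header, sets the mode field to the values the text quotes (1 symmetric active, 2 symmetric passive; the client/server pair is 3 and 4 and broadcast is 5, per RFC 5905), answers a request the way the passive or server side does, and computes the clock offset and round-trip delay from the four timestamps, which is the calculation a broadcast or multicast client performs during its temporary Client/Server exchange. The timestamps used in the main block are constructed values.

```python
"""Minimal NTPv4 header encoder/decoder (added example, not Huawei code)."""
import struct

# Mode values from RFC 5905, Figure 10.
MODE_SYMMETRIC_ACTIVE = 1
MODE_SYMMETRIC_PASSIVE = 2
MODE_CLIENT = 3
MODE_SERVER = 4
MODE_BROADCAST = 5

# Seconds between the NTP epoch (1900-01-01) and the Unix epoch (1970-01-01).
NTP_EPOCH_OFFSET = 2208988800
# 48-byte header: LI/VN/Mode, stratum, poll, precision, root delay,
# root dispersion, reference ID, then four 64-bit timestamps.
HEADER = struct.Struct("!BBbbII4sQQQQ")


def to_ntp_time(unix_seconds):
    """Unix time (float) -> 64-bit NTP timestamp (32.32 fixed point)."""
    whole = int(unix_seconds)
    frac = int((unix_seconds - whole) * (1 << 32))
    return ((whole + NTP_EPOCH_OFFSET) << 32) | frac


def from_ntp_time(ntp_ts):
    """64-bit NTP timestamp -> Unix time (float)."""
    return (ntp_ts >> 32) - NTP_EPOCH_OFFSET + (ntp_ts & 0xFFFFFFFF) / (1 << 32)


def build_packet(mode, stratum=0, version=4, poll=6, precision=-20,
                 refid=b"\x00\x00\x00\x00", origin=0, receive=0, transmit=0,
                 leap=0):
    """Serialise one NTP header. Timestamps are 64-bit NTP values."""
    first = ((leap & 0x3) << 6) | ((version & 0x7) << 3) | (mode & 0x7)
    return HEADER.pack(first, stratum, poll, precision, 0, 0, refid,
                       0, origin, receive, transmit)


def parse_packet(data):
    """Decode the fixed 48-byte header; trailing bytes (e.g. a MAC) are ignored."""
    if len(data) < HEADER.size:
        raise ValueError("short NTP packet")
    (first, stratum, poll, precision, root_delay, root_disp, refid,
     ref_ts, origin, receive, transmit) = HEADER.unpack(data[:HEADER.size])
    return {
        "leap": first >> 6, "version": (first >> 3) & 0x7, "mode": first & 0x7,
        "stratum": stratum, "poll": poll, "precision": precision,
        "refid": refid, "reference": ref_ts, "origin": origin,
        "receive": receive, "transmit": transmit,
    }


def respond(request, local_stratum, now_unix):
    """Answer a request the way the passive/server side does: mode 1 (symmetric
    active) is answered with mode 2, mode 3 (client) with mode 4. The request's
    transmit timestamp is echoed as the origin timestamp so the requester can
    match the reply to what it sent."""
    req = parse_packet(request)
    reply_mode = {MODE_SYMMETRIC_ACTIVE: MODE_SYMMETRIC_PASSIVE,
                  MODE_CLIENT: MODE_SERVER}.get(req["mode"])
    if reply_mode is None:
        raise ValueError("mode %d is not a request mode" % req["mode"])
    t = to_ntp_time(now_unix)
    return build_packet(reply_mode, stratum=local_stratum,
                        origin=req["transmit"], receive=t, transmit=t)


def offset_and_delay(t1, t2, t3, t4):
    """RFC 5905 clock offset and round-trip delay from the four timestamps (Unix
    floats): t1 request sent, t2 received by peer, t3 reply sent, t4 reply received."""
    offset = ((t2 - t1) + (t3 - t4)) / 2.0
    delay = (t4 - t1) - (t3 - t2)
    return offset, delay


if __name__ == "__main__":
    # Constructed exchange: the symmetric active end sends mode 1 and the
    # passive end answers with mode 2, exactly as the text describes.
    t1 = 1700000000.0  # constructed "now" on the active end
    request = build_packet(MODE_SYMMETRIC_ACTIVE, transmit=to_ntp_time(t1))
    reply = respond(request, local_stratum=2, now_unix=t1 + 0.010)
    parsed = parse_packet(reply)
    print("request mode", parse_packet(request)["mode"], "-> reply mode", parsed["mode"])
    print("offset/delay:", offset_and_delay(t1, from_ntp_time(parsed["receive"]),
                                            from_ntp_time(parsed["transmit"]), t1 + 0.020))
```

The origin-timestamp echo in respond is what lets a requester reject replies it never asked for; a reply whose origin field does not equal the transmit timestamp of an outstanding request is discarded by a conforming client.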

10.3.3 Configuring Basic NTP Functions


This section describes how to configure basic NTP functions, including the NTP operating
modes.


Establishing the Configuration Task

Before configuring basic NTP functions, familiarize yourself with the applicable environment,
complete the pre-configuration tasks, and obtain the required data. This can help you complete
the configuration task quickly and accurately.

Applicable Environment
NTP has the following operation modes:
- Client/Server mode
- Peer mode
- Broadcast mode
- Multicast mode

In actual applications, select the operation mode according to the network topology to meet
the clock synchronization requirements.
In the unicast Client/Server mode and the peer mode, all NTP packets sent by the local device
can use the IP address of one specified interface as their source IP address.

Pre-configuration Tasks
Before configuring basic functions of NTP, complete the following tasks:
- Configuring the link layer protocol for the interface
- Configuring an IP address and a routing protocol for the interface to ensure that NTP packets
  can reach their destinations

Data Preparation
To configure basic functions of NTP, you need the following data.
1. Primary NTP clock and its stratum
2. Interfaces to send and receive NTP packets
3. NTP version
4. Data required by the operation mode:
   - Client/Server mode: IP address of the server and the VPN instance that the server
     belongs to
   - Peer mode: IP address of the symmetric passive end and the VPN instance that it
     belongs to
   - Broadcast mode: interfaces to send and receive broadcast NTP packets and the
     maximum number of sessions set up dynamically on the client
   - Multicast mode: IP address of the multicast group, the TTL value of the multicast
     packets, the interfaces to send and receive the multicast packets, and the maximum
     number of sessions set up dynamically on the client
5. Interface disabled from receiving NTP packets

Configuring the NTP Primary Clock

The stratum configured for the master clock on the server must be lower (that is, a smaller
stratum number) than the stratum of the clock on the client. Otherwise, the clock on the client
cannot synchronize with the master clock on the server.

Context
To configure a Switch to provide a primary NTP clock, do as follows on the Switch
functioning as the NTP server.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
ntp-service refclock-master [ ip-address ] [ stratum ]

The local clock is configured as the primary NTP clock.

ip-address is the IP address of the local reference clock. Its value is 127.127.t.u. Here, "t" ranges
from 0 to 37. Currently, "t" can be only 1, indicating the local reference clock. "u" indicates the
NTP process number, ranging from 0 to 3.
When no IP address is specified, the local clock whose IP address is 127.127.1.0 functions as
the primary NTP clock by default, with the stratum being 8.
Any NTP client that can reach this device and has a higher stratum number will accept it as a
time source, so configure the primary clock only on the device intended to serve time and
protect it with the access authority and authentication mechanisms described in 10.3.4.
----End

Configuring the Time Interval to Update Client Clock

When the server clock changes, the client clock is synchronized to the server clock
within the configured time interval.

Context
To configure the time interval for updating the client clock, do as follows on the
Switch functioning as a client:

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
ntp-service sync-interval interval

The time interval for updating the client clock is configured.

interval is the time interval for updating the client clock. Its value ranges from 180 to 600 seconds.
----End

Configuring the Unicast Client/Server Mode

In Client/Server mode, the clock on the client synchronizes with the master clock on the server.

Context
Commonly, specify the IP address of the NTP server on the client. The client and server can
then exchange NTP packets using this IP address.
If a source interface for sending NTP packets is specified on the server, the server IP address
configured on the client must be the IP address of that interface; otherwise, the client cannot
process the NTP packets sent from the server and clock synchronization fails.

Procedure
- Configuring the NTP Client

  Do as follows on the Switch functioning as a client:
  1. Run:
     system-view

     The system view is displayed.

  2. (Optional) Run:
     ntp-service source-interface interface-type interface-number [ vpn-instance vpn-instance-name ]

     The local source interface that sends NTP packets is specified.

  3. Run:
     ntp-service unicast-server ip-address [ version number | authentication-keyid key-id | source-interface interface-type interface-number | preference | vpn-instance vpn-instance-name | maxpoll max-number | minpoll min-number | preempt ] *

     The NTP server with the specified IPv4 address is configured.

  Step 2 is optional. If source-interface is specified in both Step 2 and Step 3, the interface
  specified in Step 3 takes precedence.
  ip-address is the address of the NTP server. It can be the IPv4 address of a host, but not a
  broadcast address, a multicast address, or the IP address of the reference clock.
  NOTE
  When the unicast NTP server is specified, the local Switch automatically functions as the client.
  The server needs to be configured with only a primary clock.

- (Optional) Configuring the NTP Server

  Do as follows on the Switch functioning as a server:
  1. Run:
     system-view

     The system view is displayed.

  2. Run:
     ntp-service source-interface interface-type interface-number [ vpn-instance vpn-instance-name ]

     The local source interface that sends NTP packets is specified.

----End

Configuring the Peer Mode

This part describes how to configure the NTP peer mode. In this mode, the clocks on the two peers
synchronize with each other based on their strata. Each side can send a clock synchronization
request to the peer and reply to a clock synchronization request from the peer.

Procedure
- Configuring the NTP Symmetric Active End

  1. Run:
     system-view

     The system view is displayed.

  2. (Optional) Run:
     ntp-service source-interface interface-type interface-number [ vpn-instance vpn-instance-name ]

     The local source interface that sends NTP packets is specified.

  3. Run:
     ntp-service unicast-peer ip-address [ version number | authentication-keyid key-id | source-interface interface-type interface-number | preference | vpn-instance vpn-instance-name | maxpoll max-number | minpoll min-number | preempt ] *

     The NTP peer with the specified IPv4 address is configured.

  Step 2 is optional. If source-interface is specified in both Step 2 and Step 3, the
  source interface specified in Step 3 takes precedence.
  ip-address is the address of the NTP peer. It can be the IPv4 address of a host, but not a
  broadcast address, a multicast address, or the IP address of the reference clock.
  NOTE
  After the NTP peer is specified, the local Switch runs in symmetric active mode. The symmetric
  passive end need not be configured.

- (Optional) Configuring the Source Interface of the NTP Symmetric Passive End
  1. Run:
     system-view

     The system view is displayed.

  2. Run:
     ntp-service source-interface interface-type interface-number [ vpn-instance vpn-instance-name ]

     The local source interface that sends NTP packets is specified.

  If a source interface for sending NTP packets is specified on the symmetric passive end,
  the peer IP address configured on the symmetric active end must be the IP address of that
  interface; otherwise, the active end cannot process the NTP packets sent from the passive
  end and clock synchronization fails.
----End

Configuring the Broadcast Mode

This part describes how to configure the NTP broadcast mode to synchronize clocks
on a LAN.

Procedure
- Configuring an NTP Broadcast Server

  Do as follows on the Switch functioning as an NTP broadcast server:
  1. Run:
     system-view

     The system view is displayed.

  2. Run:
     vlan vlan-id

     A VLAN is created and the VLAN view is displayed.

  3. Run:
     interface vlanif vlan-id

     The interface that sends NTP broadcast packets is specified.

  4. Run:
     ntp-service broadcast-server [ version number | authentication-keyid key-id ]*

     The local Switch is set as an NTP broadcast server.

  After the configurations, the local Switch periodically sends clock synchronization
  packets to the broadcast address 255.255.255.255.
  NOTE
  Broadcast mode can be used only within the same LAN.

- Configuring an NTP Broadcast Client

  Do as follows on the Switch functioning as an NTP broadcast client:
  1. Run:
     system-view

     The system view is displayed.

  2. (Optional) Run:
     ntp-service max-dynamic-sessions number

     The number of local sessions allowed to be set up dynamically is set.

  3. Run:
     vlan vlan-id

     A VLAN is created and the VLAN view is displayed.

  4. Run:
     interface vlanif vlan-id

     The interface that receives NTP broadcast packets is specified.

  5. Run:
     ntp-service broadcast-client

     The local Switch is configured as an NTP broadcast client.

  Step 2 is optional. By default, a maximum of 100 NTP sessions can be set up
  dynamically.
  After the configurations, the local Switch listens for the broadcast NTP packets sent from
  the server and synchronizes the local clock.
  Running the ntp-service max-dynamic-sessions command does not affect existing NTP
  sessions. When the number of sessions reaches or exceeds the maximum, no new session
  can be set up.
  Without authentication, a broadcast client accepts time from any host on the LAN that sends
  NTP broadcast packets. On a LAN that is not fully trusted, use the authentication-keyid
  option on the server and enable NTP authentication on the client (see 10.3.4).
----End

Configuring the Multicast Mode

This part describes how to configure the NTP multicast mode to synchronize clocks in a multicast
domain.

Procedure
- Configuring an NTP Multicast Server

  Do as follows on the Switch functioning as an NTP multicast server:
  1. Run:
     system-view

     The system view is displayed.

  2. Run:
     vlan vlan-id

     A VLAN is created and the VLAN view is displayed.

  3. Run:
     quit

     The system view is displayed.

  4. Run:
     interface vlanif vlan-id

     The interface that sends NTP multicast packets is specified.

  5. Run:
     ntp-service multicast-server [ ip-address ] [ authentication-keyid key-id | ttl ttl-number | version number ] *

     The local Switch is set to be an NTP multicast server.

  After the configurations, the local Switch periodically sends clock synchronization
  packets to the configured multicast address (224.0.1.1 by default).
  The ttl option limits how far the multicast packets are forwarded; keep it as small as the
  topology allows so that the time source is not advertised beyond the intended multicast
  domain.

- Configuring an NTP Multicast Client

  Do as follows on the Switch functioning as an NTP multicast client:
  1. Run:
     system-view

     The system view is displayed.

  2. (Optional) Run:
     ntp-service max-dynamic-sessions number

     The number of local sessions allowed to be set up dynamically is set.

  3. Run:
     vlan vlan-id

     A VLAN is created and the VLAN view is displayed.

  4. Run:
     quit

     The system view is displayed.

  5. Run:
     interface vlanif vlan-id

     The interface that receives NTP multicast packets is specified.

  6. Run:
     ntp-service multicast-client [ ip-address ]

     The local Switch is set to be an NTP multicast client.

  Step 2 is optional. By default, up to 100 NTP sessions can be set up dynamically.
  After the configurations, the local Switch listens for the multicast NTP packets sent from
  the server and synchronizes the local clock.
  Running the ntp-service max-dynamic-sessions command does not affect existing NTP
  sessions. When the number of sessions reaches or exceeds the maximum, no new session
  can be set up.
  As with broadcast mode, use authentication where the multicast domain is not fully trusted
  (see 10.3.4).
----End

(Optional) Disabling the Interface from Receiving NTP Packets

To prevent a host on the LAN from synchronizing its clock with a specified server, you can
disable the specified interface on the host from receiving NTP packets. Because the interface
then ignores all incoming NTP packets, this command can also be used to stop the Switch from
serving NTP requests that arrive on interfaces facing untrusted networks.

Context
Do as follows on the Switch that needs to be disabled from receiving NTP packets.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
vlan vlan-id

A VLAN is created and the VLAN view is displayed.

Step 3 Run:
quit

The system view is displayed.

Step 4 Run:
interface vlanif vlan-id

The interface that receives NTP packets is specified.

Step 5 Run:
ntp-service in-interface disable

The interface on the Switch is disabled from receiving NTP packets.

----End

(Optional) Setting the Maximum Number of Dynamic NTP Sessions


Context
Do as follows on the AC6605 that functions as a client.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
ntp-service max-dynamic-sessions number

The maximum number of dynamic NTP sessions is set.


----End

Disabling NTP Service

If you do not want to use NTP IPv4 services, run the ntp-service disable command. This
disables all NTP IPv4 services.

Context
To prevent a device from synchronizing its clock with IPv4 external servers or peers, you can
disable the NTP IPv4 service on the device. Also, if the device is not required to provide a
reference clock source for IPv4 external clients, you can disable the NTP IPv4 service.
Do as follows on the Switch on which NTP services need to be disabled.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
ntp-service disable

NTP service is disabled on the Switch.

By default, NTP service is enabled. A device that does not need NTP at all should have the
service disabled so that it does not respond to NTP packets from the network.
----End

Checking the Configuration

After basic NTP functions are configured, you can view the configuration.

Prerequisites
The configurations of the Basic NTP Functions are complete.

Procedure
- Run the display ntp-service status command to view the status of the NTP service.
- Run the display ntp-service sessions [ verbose ] command to view the status of NTP
  sessions.
- Run the display ntp-service trace command to view the summary information on each
  NTP server passed when tracing from the local device to the reference clock source.
----End

Example
Run the display ntp-service status command to view the status of the NTP service.
<Quidway> display ntp-service status
clock status: synchronized
clock stratum: 2
reference clock ID: LOCAL(0)
nominal frequency: 60.0002 Hz
actual frequency: 60.0002 Hz
clock precision: 2^18
clock offset: 0.0000 ms
root delay: 0.00 ms
root dispersion: 0.00 ms
peer dispersion: 10.00 ms
reference time: 15:51:36.259 UTC Apr 25 2010(C6179088.426490A3)

Run the display ntp-service sessions [ verbose ] command to view the status of NTP sessions.
<Quidway> display ntp-service sessions
     source          reference    stra reach poll now offset delay disper
********************************************************************************
[12345]127.127.1.0   LOCAL(0)        7     1   64   2    0.0        15.6
note: 1 source(master),2 source(peer),3 selected,4 candidate,5 configured,
6 vpn-instance

Run the display ntp-service trace command to view the summary information on each NTP
server passed when tracing from the local device to the reference clock source.
<Quidway> display ntp-service trace
server 127.0.0.1,stratum 5, offset 0.024099, synch distance 0.06337
server 171.1.1.2,stratum 4, offset 0.028786, synch distance 0.04575
server 201.1.1.2,stratum 3, offset 0.035199, synch distance 0.03075
server 200.1.7.1,stratum 2, offset 0.039855, synch distance 0.01096
refid 127.127.1.0

10.3.4 Configuring NTP Security Mechanisms

This section describes how to configure NTP security mechanisms to guarantee reliable clock
synchronization on networks demanding high security.

Establishing the Configuration Task

Before configuring NTP security mechanisms, familiarize yourself with the applicable
environment, complete the pre-configuration tasks, and obtain the required data. This can help
you complete the configuration task quickly and accurately.

Applicable Environment
NTP supports two security mechanisms: access authority and NTP authentication.
- Access authority
  Access authority is a simple security method provided by the AC6605 to protect
  local NTP services.
  The AC6605 provides four access authority levels. When an NTP access request packet
  reaches the local end, it is matched against the levels in order from the least
  restrictive to the most restrictive. The first matched level takes effect. The matching
  order is as follows:
  - peer: the least restrictive level. The remote end can send time requests and
    control queries to the local end, and the local clock can also be synchronized with
    that of the remote end.
  - server: the remote end can send time requests and control queries to the local end,
    but the local clock cannot be synchronized with that of the remote end.
  - synchronization: the remote end can send only time requests to the local end.
  - query: the most restrictive level. The remote end can send only control queries to
    the local end.
  Access authority is enforced by source IP address through ACLs, so it limits which
  addresses the device serves but does not verify who actually sent a packet; combine it
  with NTP authentication where the network is not trusted.
- NTP authentication
  NTP authentication is required on networks with high security demands.
  The configuration of NTP authentication involves configuring NTP authentication on both
  the client and the server.
  During the configuration of NTP authentication, pay attention to the following rules:
  - Configure NTP authentication on both the client and the server; otherwise, the
    authentication does not take effect.
  - If NTP authentication is enabled, a reliable key needs to be configured at the same time.
    The authentication key configured on the server and that on the client must be
    the same.
  - In NTP peer mode, the symmetric active end corresponds to the client, and the symmetric
    passive end corresponds to the server.

Pre-configuration Tasks
Before configuring NTP security mechanisms, complete the following tasks:
- Configuring the link layer protocol on the interface
- Configuring the network layer address and routing protocol to make the server and client
  reachable
- Configuring ACL rules if the access authority is to be configured

Data Preparation
To configure NTP security mechanisms, you need the following data.
1. ACL rules
2. Shared key and its ID that are used in NTP authentication
3. NTP primary clock and its stratum
4. Interfaces that send and receive NTP packets
5. NTP version
6. Data required by the NTP operation mode:
   - Client/Server mode: IP address of the server and the VPN instance the server
     belongs to
   - Peer mode: IP address of the symmetric passive end and the VPN instance it
     belongs to
   - Broadcast mode: interfaces to send and receive broadcast NTP packets and the
     maximum number of sessions set up dynamically on the client
   - Multicast mode: IP address of the multicast group and the TTL value of the
     multicast packets

Setting NTP Access Authorities

When receiving an access request packet, the NTP server matches the request packet against the
access authority levels in order from peer, server, synchronization to query. The first
matched level takes effect.

Context
Do as follows on the Switch.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
ntp-service access { peer | query | server | synchronization } acl-number

Access authority for the NTP service on the local Switch is configured.
You can configure the ntp-service access command depending on the actual situation.
Table 10-5 shows the NTP access authorities in detail.
Table 10-5 Description of the NTP access authorities
| NTP Operation Mode             | Limited NTP Query                                 | Supported Devices     |
|--------------------------------|---------------------------------------------------|-----------------------|
| Unicast NTP Client/Server mode | Synchronizing the client with the server          | Client                |
| Unicast NTP Client/Server mode | Clock synchronization request from the client     | Server                |
| NTP peer mode                  | Clock synchronization with each other             | Symmetric active end  |
| NTP peer mode                  | Clock synchronization request from the active end | Symmetric passive end |
| NTP multicast mode             | Synchronizing the client with the server          | NTP multicast client  |
| NTP broadcast mode             | Synchronizing the client with the server          | NTP broadcast client  |
----End
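The following Python model is an added example (not Huawei code) of the first-match rule just described: each configured level carries an ordered list of ACL-style permit/deny rules, levels are tried from peer to query, and the first level whose ACL permits the source address decides the rights. Two behaviours are assumptions of this model rather than statements from this guide: a source that matches no rule in an ACL is treated as not permitted by that ACL, and with no ntp-service access configured at all every source receives peer rights. The policy and addresses in the main block are constructed. Control queries are the NTP packets historically abused for information leakage and traffic amplification, so on interfaces facing untrusted networks the query level is the one to restrict most tightly.

```python
"""First-match evaluation of NTP access authority levels (added example)."""
import ipaddress

# Levels in the order the device checks them: least restrictive first.
LEVELS = ("peer", "server", "synchronization", "query")

# Rights granted by each level, as described in the text.
RIGHTS = {
    "peer":            {"time_request": True,  "control_query": True,  "sync_to_remote": True},
    "server":          {"time_request": True,  "control_query": True,  "sync_to_remote": False},
    "synchronization": {"time_request": True,  "control_query": False, "sync_to_remote": False},
    "query":           {"time_request": False, "control_query": True,  "sync_to_remote": False},
}
NO_ACCESS = {"time_request": False, "control_query": False, "sync_to_remote": False}


def build_acl(*rules):
    """Turn ("permit", "10.0.0.5/32"), ("deny", "10.0.0.0/24") into an ordered ACL."""
    return [(action, ipaddress.ip_network(net)) for action, net in rules]


def acl_permits(acl, addr):
    """The first rule whose network contains addr decides. An address matching no
    rule is treated as not permitted (assumption of this model)."""
    for action, network in acl:
        if addr in network:
            return action == "permit"
    return False


def evaluate(source_ip, access):
    """Return (level, rights) for a packet from source_ip.

    access maps a level name to its ACL; only configured levels are present.
    Assumptions of this model: with no level configured at all every source
    gets peer rights; a source permitted by no configured level gets nothing."""
    addr = ipaddress.ip_address(source_ip)
    if not access:
        return "peer", RIGHTS["peer"]
    for level in LEVELS:  # first match wins, least restrictive level first
        acl = access.get(level)
        if acl is not None and acl_permits(acl, addr):
            return level, RIGHTS[level]
    return None, NO_ACCESS


if __name__ == "__main__":
    # Constructed policy: one management host is served time and may query;
    # the rest of 10.0.0.0/24 may only send control queries; nobody else is served.
    access = {
        "server": build_acl(("permit", "10.0.0.5/32")),
        "query":  build_acl(("permit", "10.0.0.0/24")),
    }
    for ip in ("10.0.0.5", "10.0.0.9", "192.0.2.1"):
        print(ip, evaluate(ip, access))
```

Note that 10.0.0.5 is also inside the query ACL, but because the server level is evaluated first it keeps the broader server rights; widening a later ACL never narrows what an earlier level already granted.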

Enabling NTP Authentication

This part describes how to enable NTP authentication on the device. The procedure below
configures MD5 symmetric-key authentication.

Context
An NTP client synchronizes only with authenticated NTP servers to ensure that the time service
is reliable across the network. Authentication allows the receiver to detect NTP messages
that were forged or modified in transit by an attacker on the network.

Procedure
- Configuring NTP MD5 authentication

  NOTE
  - Configure the same authentication key on the server and client and declare the key
    reliable on both; otherwise, NTP authentication fails.
  - Enable NTP authentication before performing actual authentication.

  1. Run:
     system-view

     The system view is displayed.

  2. Run:
     ntp-service authentication enable

     NTP authentication is enabled.

  3. Run:
     ntp-service authentication-keyid key-id authentication-mode md5 { plain plain-text | [ cipher ] password-key }

     The NTP authentication key is configured.

  4. Run:
     ntp-service reliable authentication-keyid key-id

     The authentication key is declared to be reliable.

----End
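The following Python script is an added example (not Huawei code) of what the MD5 authentication configured above does to each packet: the sender appends a MAC consisting of the 32-bit key ID and the 16-byte MD5 digest of the shared key concatenated with the NTP header (the MAC layout of RFC 5905 section 7.3, computed as the reference ntpd does), and the receiver looks the key ID up among its reliable keys and recomputes the digest. The script assumes no NTPv4 extension fields, so the MAC starts immediately after the 48-byte header. The sample header and the keys are constructed; key ID 42 and the key Hello are taken from the configuration example later in this chapter. A key that short is only for illustration; use a long random key in a real deployment. The scheme is a keyed digest, not HMAC, and it authenticates but does not encrypt the packet.

```python
"""NTP symmetric-key (MD5) MAC: append and verify (added example, not Huawei code)."""
import hashlib
import hmac
import struct

HEADER_LEN = 48            # fixed NTP header
DIGEST_LEN = 16            # MD5
MAC_LEN = 4 + DIGEST_LEN   # 32-bit key ID followed by the digest


def ntp_md5_digest(key, header):
    """MD5 over key || message, as the reference ntpd computes the MD5 MAC.
    This is a keyed digest, not HMAC: the key is simply prepended."""
    return hashlib.md5(key + header).digest()


def sign(header, key_id, key):
    """Append the MAC (key ID + digest) to a 48-byte NTP header."""
    if len(header) != HEADER_LEN:
        raise ValueError("expected a %d-byte NTP header" % HEADER_LEN)
    return header + struct.pack("!I", key_id) + ntp_md5_digest(key, header)


def verify(packet, trusted_keys):
    """Check the MAC of packet against trusted_keys ({key_id: key}), which plays
    the role of the keys declared with 'ntp-service reliable authentication-keyid'.
    Returns (accepted, reason). Assumes no NTPv4 extension fields, so the MAC
    starts right after the fixed header."""
    if len(packet) != HEADER_LEN + MAC_LEN:
        return False, "no MAC present or unexpected length"
    header, mac = packet[:HEADER_LEN], packet[HEADER_LEN:]
    key_id = struct.unpack("!I", mac[:4])[0]
    key = trusted_keys.get(key_id)
    if key is None:
        return False, "key id %d is not a reliable key" % key_id
    expected = ntp_md5_digest(key, header)
    # Constant-time comparison so the check itself leaks nothing about the digest.
    if not hmac.compare_digest(expected, mac[4:]):
        return False, "digest mismatch (wrong key or packet modified)"
    return True, "ok"


# Constructed 48-byte client request: LI=0, VN=4, mode=3, everything else zero.
SAMPLE_HEADER = bytes([0x23]) + bytes(47)

if __name__ == "__main__":
    keys = {42: b"Hello"}            # key ID 42 as in the configuration example
    packet = sign(SAMPLE_HEADER, 42, keys[42])
    print("valid packet:", verify(packet, keys))
    # Flip the stratum byte to simulate modification in transit.
    tampered = packet[:1] + bytes([packet[1] ^ 0x01]) + packet[2:]
    print("tampered packet:", verify(tampered, keys))
    print("wrong key:", verify(packet, {42: b"Goodbye"}))
    print("unknown key id:", verify(sign(SAMPLE_HEADER, 7, b"Hello"), keys))
    print("no MAC:", verify(SAMPLE_HEADER, keys))
```

The last two cases are why both sides must declare the same key ID reliable: a packet signed under a key ID the receiver has not declared reliable is rejected even if the key material happens to match, and an unauthenticated packet is rejected outright once authentication is enabled on the receiver.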

Configuring NTP Authentication in Unicast Client/Server Mode

By configuring, on the NTP client, the ID of the authentication key used to synchronize with
the specified NTP server, you can apply NTP authentication in Client/Server mode.

Context
Do as follows on the Switch that functions as an NTP unicast client.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
ntp-service unicast-server ip-address [ authentication-keyid key-id | version number | source-interface interface-type interface-number | vpn-instance vpn-instance-name | preference ]*

The ID of the authentication key used for synchronizing the server and client clocks is
configured.
----End

Configuring NTP Authentication in Peer Mode

By configuring, on the local end, the ID of the authentication key used to synchronize with
the peer, you can apply NTP authentication in peer mode.

Context
Do as follows on the Switch that functions as the symmetric active end.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
ntp-service unicast-peer ip-address [ version number | authentication-keyid key-id | source-interface interface-type interface-number | vpn-instance vpn-instance-name | preference ] *

The ID of the authentication key used for synchronizing the clocks with the NTP peer is
configured.
----End

Configuring NTP Authentication in Broadcast Mode

By configuring, on the local Switch, the ID of the authentication key used by the NTP broadcast
server, you can apply NTP authentication in broadcast mode.

Context
Do as follows on the Switch that functions as an NTP broadcast server.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
vlan vlan-id

A VLAN is created and the VLAN view is displayed.

Step 3 Run:
quit

The system view is displayed.

Step 4 Run:
interface vlanif vlan-id

The interface that sends NTP broadcast packets is specified.

Step 5 Run:
ntp-service broadcast-server [ authentication-keyid key-id | version number ]*

The ID of the authentication key used by the NTP broadcast server is configured.
For configuring the broadcast client, see "Configuring the Broadcast Mode". The client must
also have NTP authentication enabled and the same key declared reliable (see "Enabling NTP
Authentication").
----End

Configuring NTP Authentication in Multicast Mode

By configuring, on the local Switch, the ID of the authentication key used by the NTP multicast
server, you can apply NTP authentication in multicast mode.

Context
Do as follows on the Switch that functions as an NTP multicast server.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
vlan vlan-id

A VLAN is created and the VLAN view is displayed.

Step 3 Run:
quit

The system view is displayed.

Step 4 Run:
interface vlanif vlan-id

The interface that sends multicast NTP packets is specified.

Step 5 Run:
ntp-service multicast-server [ authentication-keyid key-id | version number ]*

The ID of the authentication key used by the NTP multicast server is configured.
For configuring the multicast client, see "Configuring the Multicast Mode". The client must
also have NTP authentication enabled and the same key declared reliable (see "Enabling NTP
Authentication").
----End

Checking the Configuration

After NTP security mechanisms are configured, you can view the configuration.

Prerequisites
The configurations of the NTP Security Mechanisms are complete.

Procedure
- Run the display ntp-service status command to view the status of the NTP service.
- Run the display ntp-service sessions [ verbose ] command to view the status of NTP
  sessions.
----End

Example
Run the display ntp-service status command to view the status of the NTP service.
<Quidway> display ntp-service status
clock status: synchronized
clock stratum: 2
reference clock ID: LOCAL(0)
nominal frequency: 60.0002 Hz
actual frequency: 60.0002 Hz
clock precision: 2^18
clock offset: 0.0000 ms
root delay: 0.00 ms
root dispersion: 0.00 ms
peer dispersion: 10.00 ms
reference time: 15:51:36.259 UTC Apr 25 2010(C6179088.426490A3)

Run the display ntp-service sessions [ verbose ] command to view the status of NTP sessions.
<Quidway> display ntp-service sessions verbose
clock source: 127.127.1.0
clock stratum: 7
clock status: configured, master, sane, valid
reference clock ID: LOCAL(0)
reach: 17
current poll: 64
now: 43
offset: 0.0000 ms
delay: 0.00 ms
disper: 0.84 ms

10.3.5 Maintaining NTP

This section describes how to reset NTP packet statistics with the reset command in case of an
NTP operation fault.

Context

CAUTION
The reset ntp-service statistics packet command resets the statistics of all NTP packets.
Once reset, the statistics cannot be restored. Therefore, use caution when resetting the statistics.

To reset the statistics of global IPv4 NTP packets, run the following reset ntp-service statistics
packet command in the user view.

Procedure
- Run the reset ntp-service statistics packet [ peer [ ip-address [ vpn-instance vpn-instance-name ] ] ] command to reset the statistics of NTP packets.
----End

10.3.6 Configuration Examples

This section provides several configuration examples of NTP.

Example for Configuring NTP Authentication in Unicast Client/Server Mode

Networking Requirements
Figure 10-17 shows the NTP networking.
- Switch A functions as a unicast NTP server. The clock of Switch A is the master clock with
  the stratum being 2.
- Switch B functions as a unicast NTP client. Its clock needs to be synchronized with the
  clock of Switch A.
- Switch C and Switch D function as NTP clients of Switch B.
- NTP authentication needs to be enabled.

Figure 10-17 Networking diagram for configuring the unicast client/server mode
(Diagram not reproduced. Addresses shown: Switch A, VLANIF100 2.2.2.2/24, connected across an
IP network to Switch B; Switch B, VLANIF110 1.0.1.11/24 and VLANIF111 10.0.0.1/24; Switch C and
Switch D, VLANIF111 10.0.0.2/24 and 10.0.0.3/24, on the same segment as VLANIF111 of Switch B.)

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure Switch A as an NTP server and configure the master clock on Switch A.
2. Configure Switch B as an NTP client. Switch B synchronizes its clock with the clock of
   Switch A.
3. Configure Switch C and Switch D to synchronize their clocks with the clock of Switch B.
4. Configure NTP authentication on Switch A, Switch B, Switch C, and Switch D.

NOTE
When configuring NTP authentication in unicast client/server mode, pay attention to the following
points:
- You must enable NTP authentication on the client before specifying the IP address of the NTP
  server and the authentication key to be used with the server; otherwise, NTP authentication is
  not performed before clock synchronization.
- To implement authentication successfully, configure both the server and the client.

Data Preparation
To complete the configuration, you need the following data:
- IP address of the reference clock
- Stratum of the NTP master clock
- Key ID
- Password
Procedure
Step 1 Configure the IP addresses of the Switches and ensure that the routes between them are reachable.
Configure the IP addresses according to Figure 10-17 so that Switch A, Switch B, Switch C and
Switch D are routable.
The configuration procedure is not mentioned.
Step 2 Configure a master NTP clock on Switch A and enable NTP authentication.
# On Switch A, set the clock as a master NTP clock with stratum being 2.
<SwitchA> system-view
[SwitchA] ntp-service refclock-master 2

# Enable NTP authentication on Switch A, configure the authentication key, and declare the key
to be reliable.
[SwitchA] ntp-service authentication enable
[SwitchA] ntp-service authentication-keyid 42 authentication-mode md5 Hello
[SwitchA] ntp-service reliable authentication-keyid 42

The authentication key configured on the server and the client must be identical.
Step 3 Configure Switch B as an NTP client of Switch A and enable NTP authentication.
# Enable NTP authentication on Switch B, configure the authentication key, and declare the key
to be reliable.
<SwitchB> system-view
[SwitchB] ntp-service authentication enable
[SwitchB] ntp-service authentication-keyid 42 authentication-mode md5 Hello
[SwitchB] ntp-service reliable authentication-keyid 42

# Configure Switch A as the NTP server of Switch B and use the authentication key.
[SwitchB] ntp-service unicast-server 2.2.2.2 authentication-keyid 42

Switch B needs no separate server-side command to serve Switch C and Switch D: once its own
clock is synchronized, it answers their requests, which are authenticated with the same key ID 42.

Step 4 Specify the NTP server for Switch C.
# Configure Switch B as the NTP server of Switch C.
<SwitchC> system-view
[SwitchC] ntp-service authentication enable
[SwitchC] ntp-service authentication-keyid 42 authentication-mode md5 Hello
[SwitchC] ntp-service reliable authentication-keyid 42
[SwitchC] ntp-service unicast-server 10.0.0.1 authentication-keyid 42

Step 5 Specify the NTP server for Switch D.
# Configure Switch B as the NTP server of Switch D.
<SwitchD> system-view
[SwitchD] ntp-service authentication enable
[SwitchD] ntp-service authentication-keyid 42 authentication-mode md5 Hello
[SwitchD] ntp-service reliable authentication-keyid 42
[SwitchD] ntp-service unicast-server 10.0.0.1 authentication-keyid 42

Step 6 Verify the configuration.


After the configurations, Switch B synchronizes its clock with the clock of Switch A.
Check the NTP status of Switch B. The clock status is synchronized, so synchronization is complete.
The clock stratum of Switch B is 3, one level below the stratum-2 clock of Switch A.
[SwitchB] display ntp-service status
clock status: synchronized
clock stratum: 3
reference clock ID: 2.2.2.2
nominal frequency: 60.0002 Hz
actual frequency: 60.0002 Hz
clock precision: 2^18
clock offset: 3.8128 ms
root delay: 31.26 ms
root dispersion: 74.20 ms
peer dispersion: 34.30 ms
reference time: 11:55:56.833 UTC Mar 2 2006(C7B15BCC.D5604189)

After the configurations, Switch C synchronizes its clock with the clock of Switch B.
Check the NTP status of Switch C. The clock status is synchronized, so synchronization is complete.
The clock stratum of Switch C is 4, one level below the stratum-3 clock of Switch B.
[SwitchC] display ntp-service status
clock status: synchronized
clock stratum: 4
reference clock ID: 10.0.0.1
nominal frequency: 60.0002 Hz
actual frequency: 60.0002 Hz
clock precision: 2^18
clock offset: 3.8128 ms
root delay: 31.26 ms
root dispersion: 74.20 ms
peer dispersion: 34.30 ms
reference time: 11:55:56.833 UTC Mar 2 2006(C7B15BCC.D5604189)

Check the NTP status of Switch D. The clock status is synchronized, so synchronization is complete.
The clock stratum of Switch D is 4, one level below the stratum-3 clock of Switch B.
[SwitchD] display ntp-service status
clock status: synchronized
clock stratum: 4
reference clock ID: 10.0.0.1
nominal frequency: 60.0002 Hz
actual frequency: 60.0002 Hz
clock precision: 2^18
clock offset: 3.8128 ms

root delay: 31.26 ms
root dispersion: 74.20 ms
peer dispersion: 34.30 ms
reference time: 11:55:56.833 UTC Mar 2 2006(C7B15BCC.D5604189)

Check the NTP status of Switch A. Its reference clock ID is LOCAL(0): Switch A is synchronized to
its own local clock, which it advertises as a stratum-2 master.
[SwitchA] display ntp-service status
clock status: synchronized
clock stratum: 2
reference clock ID: LOCAL(0)
nominal frequency: 60.0002 Hz
actual frequency: 60.0002 Hz
clock precision: 2^18
clock offset: 0.0000 ms
root delay: 0.00 ms
root dispersion: 26.50 ms
peer dispersion: 10.00 ms
reference time: 12:01:48.377 UTC Mar 2 2006(C7B15D2C.60A15981)

----End

Configuration Files

Configuration file of Switch A


#
sysname SwitchA
#
vlan batch 100
#
interface Vlanif100
ip address 2.2.2.2 255.255.255.0
#
interface GigabitEthernet0/0/1
port hybrid pvid vlan 100
port hybrid untagged vlan 100
#
ospf 1
area 0.0.0.0
network 2.2.2.0 0.0.0.255
#
ntp-service authentication enable
ntp-service authentication-keyid 42 authentication-mode md5 %@ENC;8HX\#Q=^Q`MAF4<1!!
ntp-service reliable authentication-keyid 42
ntp-service refclock-master 2
#
return

Configuration file of Switch B


#
sysname SwitchB
#
vlan batch 110 111
#
interface Vlanif110
ip address 1.0.1.11 255.255.255.0
#
interface Vlanif111
ip address 10.0.0.1 255.255.255.0
#
interface GigabitEthernet0/0/1
port hybrid pvid vlan 111
port hybrid untagged vlan 111
#
interface GigabitEthernet0/0/2
port hybrid pvid vlan 110
port hybrid untagged vlan 110
#
ospf 1
area 0.0.0.0
network 1.0.1.0 0.0.0.255
network 10.0.0.0 0.0.0.255
#
ntp-service authentication enable
ntp-service authentication-keyid 42 authentication-mode md5 %@ENC;8HX\#Q=^Q`MAF4<1!!
ntp-service reliable authentication-keyid 42
ntp-service unicast-server 2.2.2.2 authentication-keyid 42
#
return

Configuration file of Switch C


#
sysname SwitchC
#
vlan batch 111
#
interface Vlanif111
ip address 10.0.0.2 255.255.255.0
#
interface GigabitEthernet0/0/1
port hybrid pvid vlan 111
port hybrid untagged vlan 111
#
ntp-service authentication enable
ntp-service authentication-keyid 42 authentication-mode md5 %@ENC;8HX\#Q=^Q`MAF4<1!!
ntp-service reliable authentication-keyid 42
ntp-service unicast-server 10.0.0.1 authentication-keyid 42
#
return

Configuration file of Switch D


#
sysname SwitchD
#
vlan batch 111
#
interface Vlanif111
ip address 10.0.0.3 255.255.255.0
#
interface GigabitEthernet0/0/1
port hybrid pvid vlan 111
port hybrid untagged vlan 111
#
ntp-service authentication enable
ntp-service authentication-keyid 42 authentication-mode md5 %@ENC;8HX\#Q=^Q`MAF4<1!!
ntp-service reliable authentication-keyid 42
ntp-service unicast-server 10.0.0.1 authentication-keyid 42
#
return

Example for Configuring the Common NTP Peer Mode


Networking Requirements
As shown in Figure 10-18, three Switches reside on the LAN.
- The clock of Switch C is the master clock and the clock stratum is 2.
- Switch C is the NTP server of Switch D. That is, Switch D is the client.
- Switch D is the passive peer of Switch E. That is, Switch E is the active end.

Issue 04 (2013-06-15)

Huawei Proprietary and Confidential


Copyright Huawei Technologies Co., Ltd.

1800

AC6605 Access Controller


Configuration Guide

10 Configuration Guide - Network Management

Figure 10-18 Networking diagram for configuring the NTP peer mode (Switch C: GE 0/0/1 3.0.1.31/24; Switch D: GE 0/0/1 3.0.1.32/24; Switch E: GE 0/0/1 3.0.1.33/24; all three on the same LAN)

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure the clock on Switch C as the master clock. The clock on Switch D is synchronized to the clock on Switch C.
2. Configure Switch E and Switch D as NTP peers so that Switch E sends clock synchronization requests to Switch D.
3. Verify that the clocks on Switch C, Switch D and Switch E are synchronized.

Data Preparation
To complete the configuration, you need the following data:
- IP address of Switch C
- IP address of Switch D
- Stratum count of the NTP master clock

Procedure
Step 1 Configure IP addresses for Switch C, Switch D, and Switch E.
Configure an IP address for each interface according to Figure 10-18. After the configuration, the
three Switches can ping each other.
The detailed procedure is omitted here.
Step 2 Configure the unicast NTP client/server mode.
# On Switch C, set the clock as a master NTP clock with stratum being 2.
<SwitchC> system-view
[SwitchC] ntp-service refclock-master 2

# Configure Switch C as the NTP server of Switch D.


<SwitchD> system-view
[SwitchD] ntp-service unicast-server 3.0.1.31

After the configurations, the clock of Switch D is synchronized with the clock of Switch C.
Check the NTP status of Switch D. The clock status is synchronized, so synchronization is complete.
The clock stratum of Switch D is 3, one level below the stratum-2 clock of Switch C.
[SwitchD] display ntp-service status
clock status: synchronized
clock stratum: 3
reference clock ID: 3.0.1.31
nominal frequency: 64.0029 Hz
actual frequency: 64.0029 Hz
clock precision: 2^7
clock offset: 0.0000 ms
root delay: 62.50 ms
root dispersion: 0.20 ms
peer dispersion: 7.81 ms
reference time: 06:52:33.465 UTC Mar 7 2006(C7B7AC31.773E89A8)

Step 3 Configure the unicast NTP peer mode.
# Configure Switch D as the passive peer of Switch E.
<SwitchE> system-view
[SwitchE] ntp-service unicast-peer 3.0.1.32

No master clock is configured on Switch E, so the clock on Switch E is synchronized to the clock
on Switch D. Unlike the preceding example, no NTP authentication is configured here, so Switch D
and Switch E do not verify the origin of the NTP packets they accept from each other.
Step 4 Verify the configuration.
Check the NTP status of Switch E after clock synchronization. The clock status is synchronized, so
synchronization is complete. The clock stratum of Switch E is 4, one level below the stratum-3
clock of Switch D.
[SwitchE] display ntp-service status
clock status: synchronized
clock stratum: 4
reference clock ID: 3.0.1.32
nominal frequency: 64.0029 Hz
actual frequency: 64.0029 Hz
clock precision: 2^7
clock offset: 0.0000 ms
root delay: 124.98 ms
root dispersion: 0.15 ms
peer dispersion: 10.96 ms
reference time: 06:55:50.784 UTC Mar 7 2006(C7B7ACF6.C8D002E2)

----End

Configuration Files

Configuration file of Switch C


#
sysname SwitchC
#
vlan batch 100
#
interface Vlanif100
ip address 3.0.1.31 255.255.255.0
#
interface GigabitEthernet0/0/1
port hybrid pvid vlan 100
port hybrid untagged vlan 100
#

ntp-service refclock-master 2
#
return

Configuration file of Switch D


#
sysname SwitchD
#
vlan batch 100
#
interface Vlanif100
ip address 3.0.1.32 255.255.255.0
#
interface GigabitEthernet0/0/1
port hybrid pvid vlan 100
port hybrid untagged vlan 100
#
ntp-service unicast-server 3.0.1.31
#
return

Configuration file of Switch E


#
sysname SwitchE
#
vlan batch 100
#
interface Vlanif100
ip address 3.0.1.33 255.255.255.0
#
interface GigabitEthernet0/0/1
port hybrid pvid vlan 100
port hybrid untagged vlan 100
#
ntp-service unicast-peer 3.0.1.32
#
return

Example for Configuring NTP Authentication in Broadcast Mode


Networking Requirements
As shown in Figure 10-19:
- Switch C and Switch D are on the same network segment; Switch A is on another network
segment; Switch F connects the two network segments.
- As the NTP broadcast server, Switch C uses the local clock as the NTP master clock, which
is a stratum-3 clock. Switch C sends broadcast packets through VLANIF10, namely,
GigabitEthernet0/0/1.
- Switch D uses VLANIF10, namely, GigabitEthernet0/0/1, to listen to the broadcast packets.
- Switch A uses VLANIF20, namely, GigabitEthernet0/0/1, to listen to the broadcast packets.
- NTP authentication needs to be enabled.

Figure 10-19 Networking diagram for configuring the NTP broadcast mode (Switch C: GE 0/0/1, VLANIF10 3.0.1.31/24; Switch D: GE 0/0/1, VLANIF10 3.0.1.32/24; Switch F: GE 0/0/2, VLANIF10 3.0.1.2/24 towards Switch C and Switch D, and GE 0/0/1, VLANIF20 1.0.1.2/24 towards Switch A; Switch A: GE 0/0/1, VLANIF20 1.0.1.11/24)

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure Switch C as the NTP broadcast server.
2. Configure Switch A and Switch D as the NTP broadcast clients.
3. Configure NTP authentication on Switch A, Switch C, and Switch D.

Data Preparation
To complete the configuration, you need the following data:
- IP address of each interface
- IDs of VLANs to which the interfaces belong
- Stratum count of the NTP master clock
- Authentication key and key ID

Procedure
Step 1 Configure the IP addresses of the Switches.
Configure the IP address of each interface according to Figure 10-19.
# Configure the IP address of the VLANIF interface on Switch C.
<SwitchC> system-view
[SwitchC] vlan 10
[SwitchC-Vlan10] quit
[SwitchC] interface gigabitethernet 0/0/1
[SwitchC-GigabitEthernet0/0/1] port hybrid pvid vlan 10
[SwitchC-GigabitEthernet0/0/1] port hybrid untagged vlan 10
[SwitchC-GigabitEthernet0/0/1] quit
[SwitchC] interface vlanif 10
[SwitchC-Vlanif10] ip address 3.0.1.31 24
[SwitchC-Vlanif10] quit

# Configure the IP address of the VLANIF interface on Switch D.


<SwitchD> system-view
[SwitchD] vlan 10
[SwitchD-Vlan10] quit
[SwitchD] interface gigabitethernet 0/0/1
[SwitchD-GigabitEthernet0/0/1] port hybrid pvid vlan 10
[SwitchD-GigabitEthernet0/0/1] port hybrid untagged vlan 10
[SwitchD-GigabitEthernet0/0/1] quit
[SwitchD] interface vlanif 10
[SwitchD-Vlanif10] ip address 3.0.1.32 24
[SwitchD-Vlanif10] quit

# Configure the IP address of the VLANIF interface on Switch F.
<SwitchF> system-view
[SwitchF] vlan 10
[SwitchF-Vlan10] quit
[SwitchF] interface gigabitethernet 0/0/2
[SwitchF-GigabitEthernet0/0/2] port hybrid pvid vlan 10
[SwitchF-GigabitEthernet0/0/2] port hybrid untagged vlan 10
[SwitchF-GigabitEthernet0/0/2] quit
[SwitchF] interface vlanif 10
[SwitchF-Vlanif10] ip address 3.0.1.2 24
[SwitchF-Vlanif10] quit
[SwitchF] vlan 20
[SwitchF-Vlan20] quit
[SwitchF] interface gigabitethernet 0/0/1
[SwitchF-GigabitEthernet0/0/1] port hybrid pvid vlan 20
[SwitchF-GigabitEthernet0/0/1] port hybrid untagged vlan 20
[SwitchF-GigabitEthernet0/0/1] quit
[SwitchF] interface vlanif 20
[SwitchF-vlanif20] ip address 1.0.1.2 24
[SwitchF-vlanif20] quit

# Configure the IP address of the VLANIF interface on Switch A.


<SwitchA> system-view
[SwitchA] vlan 20
[SwitchA-Vlan20] quit
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port hybrid pvid vlan 20
[SwitchA-GigabitEthernet0/0/1] port hybrid untagged vlan 20
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface vlanif 20
[SwitchA-vlanif20] ip address 1.0.1.11 24
[SwitchA-vlanif20] quit

Step 2 Configure routes so that the Switches can reach each other (the configuration files at the end of this example use OSPF on Switch A and Switch F). The detailed procedure is omitted here.
Step 3 Configure the NTP broadcast server and enable NTP authentication.
# Configure the clock of Switch C as the NTP master clock with the stratum being 3.
<SwitchC> system-view
[SwitchC] ntp-service refclock-master 3

# Enable NTP authentication.


[SwitchC] ntp-service authentication enable
[SwitchC] ntp-service authentication-keyid 16 authentication-mode md5 Hello
[SwitchC] ntp-service reliable authentication-keyid 16

# Configure Switch C as an NTP broadcast server. Broadcast packets sent through VLANIF10 are
authenticated with key ID 16: a keyed MD5 digest is appended to each packet, so a client can
verify its origin and integrity; the packets themselves are not encrypted.
[SwitchC] interface vlanif 10
[SwitchC-vlanif10] ntp-service broadcast-server authentication-keyid 16
[SwitchC-vlanif10] quit

Step 4 Configure Switch D, which resides on the same network segment as the server.
# Enable NTP authentication.
<SwitchD> system-view
[SwitchD] ntp-service authentication enable
[SwitchD] ntp-service authentication-keyid 16 authentication-mode md5 Hello
[SwitchD] ntp-service reliable authentication-keyid 16

# Configure Switch D as the NTP broadcast client and configure Switch D to listen to NTP
broadcast packets through VLANIF10.
[SwitchD] interface vlanif 10
[SwitchD-vlanif10] ntp-service broadcast-client
[SwitchD-vlanif10] quit

After the configurations, the clock of Switch D is synchronized with the clock of Switch C.
Step 5 Configure Switch A, which resides on a different network segment from the server.
# Enable NTP authentication.
[SwitchA] ntp-service authentication enable
[SwitchA] ntp-service authentication-keyid 16 authentication-mode md5 Hello
[SwitchA] ntp-service reliable authentication-keyid 16

# Configure Switch A as the NTP broadcast client and configure Switch A to listen to NTP
broadcast packets through VLANIF20.
[SwitchA] interface vlanif 20
[SwitchA-vlanif20] ntp-service broadcast-client
[SwitchA-vlanif20] quit

Step 6 Verify the configuration.
After the configurations, the clock on Switch D is synchronized to the clock on Switch C, but the
clock on Switch A is not: Switch A and Switch C are on different network segments, and Switch F
does not forward the broadcast packets from Switch C into the 1.0.1.0/24 segment, so Switch A
never receives them.
Check the NTP status of Switch D. The clock status is synchronized, so synchronization is complete.
The clock stratum of Switch D is 4, one level below the stratum-3 clock of Switch C.
[SwitchD] display ntp-service status
clock status: synchronized
clock stratum: 4
reference clock ID: 3.0.1.31
nominal frequency: 60.0002 Hz
actual frequency: 60.0002 Hz
clock precision: 2^18
clock offset: 0.0000 ms
root delay: 0.00 ms
root dispersion: 0.42 ms
peer dispersion: 0.00 ms
reference time: 12:17:21.773 UTC Mar 7 2006(C7B7F851.C5EAF25B)

----End

Configuration Files

Configuration file of Switch A


#
sysname SwitchA
#
vlan batch 20
#

interface Vlanif20
ip address 1.0.1.11 255.255.255.0
ntp-service broadcast-client
#
interface GigabitEthernet0/0/1
port hybrid pvid vlan 20
port hybrid untagged vlan 20
#
ospf 1
area 0.0.0.0
network 1.0.1.0 0.0.0.255
#
ntp-service authentication enable
ntp-service authentication-keyid 16 authentication-mode md5 %@ENC;8HX\#Q=^Q`MAF4<1!!
ntp-service reliable authentication-keyid 16
#
return

Configuration file of Switch C


#
sysname SwitchC
#
vlan batch 10
#
interface Vlanif10
ip address 3.0.1.31 255.255.255.0
ntp-service broadcast-server authentication-keyid 16
#
interface GigabitEthernet0/0/1
port hybrid pvid vlan 10
port hybrid untagged vlan 10
#
ntp-service authentication enable
ntp-service authentication-keyid 16 authentication-mode md5 %@ENC;8HX\#Q=^Q`MAF4<1!!
ntp-service reliable authentication-keyid 16
ntp-service refclock-master 3
#
return

Configuration file of Switch D


#
sysname SwitchD
#
vlan batch 10
#
interface Vlanif10
ip address 3.0.1.32 255.255.255.0
ntp-service broadcast-client
#
interface GigabitEthernet0/0/1
port hybrid pvid vlan 10
port hybrid untagged vlan 10
#
ntp-service authentication enable
ntp-service authentication-keyid 16 authentication-mode md5 %@ENC;8HX\#Q=^Q`MAF4<1!!
ntp-service reliable authentication-keyid 16
#
return

Configuration file of Switch F


#
sysname SwitchF
#
vlan batch 10 20
#
interface Vlanif10
ip address 3.0.1.2 255.255.255.0

#
interface Vlanif20
ip address 1.0.1.2 255.255.255.0
#
interface GigabitEthernet0/0/1
port hybrid pvid vlan 20
port hybrid untagged vlan 20
#
interface GigabitEthernet0/0/2
port hybrid pvid vlan 10
port hybrid untagged vlan 10
#
ospf 1
area 0.0.0.0
network 1.0.1.0 0.0.0.255
network 3.0.1.0 0.0.0.255
#
return
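The authentication used in the unicast client/server example (key ID 42) and in the broadcast example above (key ID 16) rests on the same mechanism: each NTP packet carries a message authentication code made of the key ID and an MD5 digest of the shared key concatenated with the NTP header, and the receiver accepts the packet only when the key ID is configured, declared reliable, and the digest matches. The following Python script is an added example, not Huawei or AC6605 code. It models that check for both a client request (NTP mode 3, as sent by `ntp-service unicast-server ... authentication-keyid`) and a broadcast packet (mode 5, as sent by `ntp-service broadcast-server authentication-keyid`); the key table, the key strings and the function names are constructed here for illustration.

```python
"""NTP MD5 authentication on the wire.

Added example, not AC6605/Huawei code. It models what the commands
`ntp-service authentication-keyid <id> authentication-mode md5 <key>` and
`ntp-service reliable authentication-keyid <id>` amount to: an RFC 1305 /
RFC 5905 MAC (4-byte key ID + 16-byte MD5 over key || 48-byte NTP header)
appended to each NTP packet, and a receiver that only accepts packets whose
key ID is configured AND declared reliable and whose digest matches.
"""
import hashlib
import hmac
import struct

NTP_HEADER_LEN = 48
MAC_LEN = 4 + 16          # key ID + MD5 digest
MODE_CLIENT = 3           # unicast client request (ntp-service unicast-server)
MODE_BROADCAST = 5        # broadcast server packet (ntp-service broadcast-server)

# Constructed key table: key ID 42 from the unicast example, key ID 16 from the
# broadcast example. Both examples use the placeholder key "Hello"; a production
# key must be long, random and unique per group of peers.
KEY_TABLE = {42: b"Hello", 16: b"Hello"}


def ntp_header(mode, stratum=0, version=3):
    """Minimal 48-byte NTP header: LI=0, version, mode, stratum, poll=4,
    precision=-18, all timestamps zero. Real packets carry timestamps; the MAC
    covers them as well, which is what stops an on-path attacker editing them."""
    li_vn_mode = (0 << 6) | (version << 3) | mode
    return struct.pack("!BBbb", li_vn_mode, stratum, 4, -18) + b"\x00" * 44


def ntp_mac(header, key_id, key):
    """Keyed-MD5 MAC: key ID in clear, then MD5(key || header). The key never
    goes on the wire; the digest proves knowledge of it. Nothing is encrypted."""
    return struct.pack("!I", key_id) + hashlib.md5(key + header).digest()


def build_authenticated(mode, key_id, key, stratum=0):
    """Packet as sent by a device that attached `authentication-keyid key_id`
    to its unicast-server or broadcast-server command."""
    header = ntp_header(mode, stratum)
    return header + ntp_mac(header, key_id, key)


def packet_mode(packet):
    """Mode field: the low 3 bits of the first byte."""
    return packet[0] & 0x07


def verify(packet, trusted_key_ids, key_table):
    """Receiver-side check with `ntp-service authentication enable` in effect.

    Returns (accepted, reason). The rejections mirror the three ways a Switch
    in this chapter refuses a peer: no MAC at all, a key ID that is not
    configured or not declared reliable, or a digest that does not match
    (wrong key, or a header modified in transit).
    """
    if len(packet) < NTP_HEADER_LEN + MAC_LEN:
        return False, "no MAC: authentication enabled but packet is unauthenticated"
    header = packet[:NTP_HEADER_LEN]
    mac = packet[NTP_HEADER_LEN:NTP_HEADER_LEN + MAC_LEN]
    key_id = struct.unpack("!I", mac[:4])[0]
    if key_id not in key_table:
        return False, "unknown key ID %d" % key_id
    if key_id not in trusted_key_ids:
        return False, "key ID %d not declared reliable" % key_id
    expected = hashlib.md5(key_table[key_id] + header).digest()
    if not hmac.compare_digest(expected, mac[4:]):
        return False, "digest mismatch: wrong key or modified packet"
    return True, "authenticated with key ID %d (mode %d)" % (key_id, packet_mode(packet))


if __name__ == "__main__":
    # Switch B -> Switch A: client request authenticated with key ID 42.
    req = build_authenticated(MODE_CLIENT, 42, KEY_TABLE[42])
    print(verify(req, {42}, KEY_TABLE))
    # Switch C broadcast with key ID 16 and stratum 3, as received by Switch D.
    bc = build_authenticated(MODE_BROADCAST, 16, KEY_TABLE[16], stratum=3)
    print(verify(bc, {16}, KEY_TABLE))
    # Same packet on a device that configured key 16 but never declared it reliable.
    print(verify(bc, set(), KEY_TABLE))
    # Header modified in transit (stratum 3 -> 1): the digest no longer matches.
    forged = bc[:1] + bytes([1]) + bc[2:]
    print(verify(forged, {16}, KEY_TABLE))
```

Because the MAC only proves knowledge of a shared key, it protects the origin and integrity of the time packets but not their confidentiality, and every device holding the key can produce packets that verify on every other device holding it. That is why the page pairs `authentication-keyid` with `reliable authentication-keyid` on each Switch, and why a key such as Hello belongs only in an example.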

Example for Configuring the Common NTP Multicast Mode


Networking Requirements
As shown in Figure 10-20:
- Switch C and Switch D are on the same network segment; Switch A is on another network
segment; Switch F connects the two network segments.
- As the NTP multicast server, Switch C uses the local clock as the NTP master clock, which
is a stratum-2 clock. Switch C sends multicast packets through VLANIF 10, namely,
GigabitEthernet0/0/1.
- Switch D uses VLANIF 10, namely, GigabitEthernet0/0/1, to listen to the multicast packets.
- Switch A uses VLANIF 20, namely, GigabitEthernet0/0/1, to listen to the multicast packets.

Figure 10-20 Networking diagram for configuring the NTP multicast mode (Switch C: GE 0/0/1, VLANIF10 3.0.1.31/24; Switch D: GE 0/0/1, VLANIF10 3.0.1.32/24; Switch F: GE 0/0/2, VLANIF10 3.0.1.2/24 towards Switch C and Switch D, and GE 0/0/1, VLANIF20 1.0.1.2/24 towards Switch A; Switch A: GE 0/0/1, VLANIF20 1.0.1.11/24)

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure Switch C as the NTP multicast server.
2. Configure Switch A and Switch D as the NTP multicast clients.

Data Preparation
To complete the configuration, you need the following data:
- IP address of each interface
- Stratum count of the NTP master clock

Procedure
Step 1 Configure the IP addresses of the Switches.
Configure the IP address of each interface according to Figure 10-20.
# Configure the IP address of the VLANIF interface on Switch C.
<SwitchC> system-view
[SwitchC] vlan 10
[SwitchC-Vlan10] quit
[SwitchC] interface gigabitethernet 0/0/1
[SwitchC-GigabitEthernet0/0/1] port hybrid pvid vlan 10
[SwitchC-GigabitEthernet0/0/1] port hybrid untagged vlan 10
[SwitchC-GigabitEthernet0/0/1] quit
[SwitchC] interface vlanif 10
[SwitchC-Vlanif10] ip address 3.0.1.31 24
[SwitchC-Vlanif10] quit

# Configure the IP address of the VLANIF interface on Switch D.


<SwitchD> system-view
[SwitchD] vlan 10
[SwitchD-Vlan10] quit
[SwitchD] interface gigabitethernet 0/0/1
[SwitchD-GigabitEthernet0/0/1] port hybrid pvid vlan 10
[SwitchD-GigabitEthernet0/0/1] port hybrid untagged vlan 10
[SwitchD-GigabitEthernet0/0/1] quit
[SwitchD] interface vlanif 10
[SwitchD-Vlanif10] ip address 3.0.1.32 24
[SwitchD-Vlanif10] quit

# Configure the IP address of the VLANIF interface on Switch F.
<SwitchF> system-view
[SwitchF] vlan 10
[SwitchF-Vlan10] quit
[SwitchF] interface gigabitethernet 0/0/2
[SwitchF-GigabitEthernet0/0/2] port hybrid pvid vlan 10
[SwitchF-GigabitEthernet0/0/2] port hybrid untagged vlan 10
[SwitchF-GigabitEthernet0/0/2] quit
[SwitchF] interface vlanif 10
[SwitchF-Vlanif10] ip address 3.0.1.2 24
[SwitchF-Vlanif10] quit
[SwitchF] vlan 20
[SwitchF-Vlan20] quit
[SwitchF] interface gigabitethernet 0/0/1
[SwitchF-GigabitEthernet0/0/1] port hybrid pvid vlan 20
[SwitchF-GigabitEthernet0/0/1] port hybrid untagged vlan 20
[SwitchF-GigabitEthernet0/0/1] quit
[SwitchF] interface vlanif 20
[SwitchF-vlanif20] ip address 1.0.1.2 24
[SwitchF-vlanif20] quit

# Configure the IP address of the VLANIF interface on Switch A.


<SwitchA> system-view
[SwitchA] vlan 20

[SwitchA-Vlan20] quit
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port hybrid pvid vlan 20
[SwitchA-GigabitEthernet0/0/1] port hybrid untagged vlan 20
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface vlanif 20
[SwitchA-vlanif20] ip address 1.0.1.11 24
[SwitchA-vlanif20] quit

Step 2 Configure routes so that the Switches can reach each other (the configuration files at the end of this example use OSPF on Switch A and Switch F). The detailed procedure is omitted here.
Step 3 Configure the NTP multicast server.
# Configure the clock of Switch C as the NTP master clock with the stratum being 2.
<SwitchC> system-view
[SwitchC] ntp-service refclock-master 2

# Configure Switch C as the NTP multicast server and configure Switch C to send NTP multicast
packets through VLANIF10.
[SwitchC] interface vlanif 10
[SwitchC-vlanif10] ntp-service multicast-server
[SwitchC-vlanif10] quit

Step 4 Configure Switch D, which resides on the same network segment with the server.
# Configure Switch D as the NTP multicast client and configure Switch D to sense NTP multicast
packets through VLANIF10.
<SwitchD> system-view
[SwitchD] interface vlanif 10
[SwitchD-vlanif10] ntp-service multicast-client
[SwitchD-vlanif10] quit

Step 5 Configure Switch A, which resides on different network segment from the server.
# Configure Switch A as the NTP multicast client and configure Switch A to sense NTP multicast
packets through VLANIF20.
<SwitchA> system-view
[SwitchA] interface vlanif 20
[SwitchA-vlanif20] ntp-service multicast-client
[SwitchA-vlanif20] quit

Step 6 Verify the configuration.


After the configurations, the clock on Switch D is synchronized to the clock on Switch C, but the
clock on Switch A is not: Switch A and Switch C are on different network segments, and no
multicast routing is configured on Switch F, so the multicast packets from Switch C never reach
Switch A. Unlike the broadcast example, this configuration uses no NTP authentication, so Switch
D accepts the multicast packets without verifying their source.
Check the NTP status of Switch D. The clock status is synchronized, so synchronization is complete.
The clock stratum of Switch D is 3, one level below the stratum-2 clock of Switch C.
[SwitchD] display ntp-service status
clock status: synchronized
clock stratum: 3
reference clock ID: 3.0.1.31
nominal frequency: 60.0002 Hz
actual frequency: 60.0002 Hz
clock precision: 2^18
clock offset: 0.66 ms
root delay: 24.47 ms
root dispersion: 208.39 ms

peer dispersion: 9.63 ms
reference time: 17:03:32.022 UTC Apr 25 2005(C61734FD.800303C0)

----End

Configuration Files
l

Configuration file of Switch A


#
sysname SwitchA
#
vlan batch 20
#
interface Vlanif20
ip address 1.0.1.11 255.255.255.0
ntp-service multicast-client
#
interface GigabitEthernet0/0/1
port hybrid pvid vlan 20
port hybrid untagged vlan 20
#
ospf 1
area 0.0.0.0
network 1.0.1.0 0.0.0.255
#
return

Configuration file of Switch C


#
sysname SwitchC
#
vlan batch 10
#
ntp-service refclock-master 2
#
interface Vlanif10
ip address 3.0.1.31 255.255.255.0
ntp-service multicast-server
#
interface GigabitEthernet0/0/1
port hybrid pvid vlan 10
port hybrid untagged vlan 10
#
return

Configuration file of Switch D


#
sysname SwitchD
#
vlan batch 10
#
interface Vlanif10
ip address 3.0.1.32 255.255.255.0
ntp-service multicast-client
#
interface GigabitEthernet0/0/1
port hybrid pvid vlan 10
port hybrid untagged vlan 10
#
return

Configuration file of Switch F


#
sysname SwitchF
#
vlan batch 10 20
#
interface Vlanif10
ip address 3.0.1.2 255.255.255.0

#
interface Vlanif20
ip address 1.0.1.2 255.255.255.0
#
interface GigabitEthernet0/0/1
port hybrid pvid vlan 20
port hybrid untagged vlan 20
#
interface GigabitEthernet0/0/2
port hybrid pvid vlan 10
port hybrid untagged vlan 10
#
ospf 1
area 0.0.0.0
network 1.0.1.0 0.0.0.255
network 3.0.1.0 0.0.0.255
#
return

10.4 Ping and Tracert


This chapter describes basic concepts and applications of the ping and tracert commands.

10.4.1 Ping
The ping command is used to check network connectivity and host reachability. The word "ping"
is derived from the sonar operation, indicating a pulse of sound.
Figure 10-21 shows the ping process. After you run the ping command, an Internet Control
Message Protocol (ICMP) Echo Request message is sent to the destination. The destination returns
an ICMP Echo Reply message immediately when it receives the ICMP Echo Request message.
Figure 10-21 Principle of the ping operation (the source sends an ICMP Echo Request message to the destination; the destination returns an ICMP Echo Reply message)

Ping tests IP reachability and status of the link between the source and the destination by checking
whether the destination sends back an ICMP Echo Reply message and measuring the interval
between sending the ICMP Echo Request message and receiving the ICMP Echo Reply message.

Figure 10-22 Format of ICMP Echo Request and Echo Reply messages (bits 0-7: Type; bits 8-15: Code; bits 16-31: Checksum; second 32-bit word: 16-bit Identifier and 16-bit Sequence number; followed by Data)

Figure 10-22 shows the format of ICMP Echo Request and Echo Reply messages. Type is 8 for an
Echo Request and 0 for an Echo Reply, and Code is 0 in both. The Checksum covers the whole
ICMP message. The Identifier and Sequence number let the source match each Echo Reply to the
Echo Request it answers. The length of the Data field is variable; you can specify it in the ping
command.

10.4.2 Tracert
Tracert, also called Trace Route, is used to check the IP addresses and the number of gateways
between the source and the destination. Tracert is helpful in testing network reachability and
locating the fault on the network.
The AC6605 implements tracert based on ICMP. Tracert records the gateways that the ICMP
message passes along the path between a source host and a destination. In this manner, you can
check network connectivity and locate the fault.
Figure 10-23 Principle of the tracert operation (the Switch sends UDP datagrams with TTL=1, TTL=2 and TTL=3 towards the log host through Router-A and Router-B; Router-A and Router-B each return an ICMP Time Exceeded message, and the log host returns an ICMP Destination Unreachable message)

Take the networking in Figure 10-23 as an example to show tracert implementation on the
AC6605. On the AC6605, run the tracert command. The destination IP address is the IP address
of the log host and other parameters adopt the default values.
1.

The AC6605 sends a UDP datagram to the log host, with the TTL value being 1 and the
destination UDP port number being 33434.

2.

After receiving the UDP datagram from the AC6605, Router-A finds that the destination
IP address carried in the datagram is not its own address. Then, Router-A reduces the TTL
value by 1. Finding that the TTL value reaches 0, Router-A sends an ICMP Time Exceeded
message to the AC6605.

Issue 04 (2013-06-15)

Huawei Proprietary and Confidential


Copyright Huawei Technologies Co., Ltd.

1813

AC6605 Access Controller


Configuration Guide

10 Configuration Guide - Network Management

3. After receiving the ICMP Time Exceeded message, the AC6605 increases the TTL value
   and the destination UDP port number by 1 respectively and sends the UDP datagram again.
4. Steps 2 and 3 repeat, with each router on the path answering in turn, until the log host
   receives the UDP datagram from the AC6605.
5. After receiving the UDP datagram from the AC6605, the log host finds that the destination
   is itself and begins to process the datagram. It tries to find the upper-layer protocol
   corresponding to the destination UDP port number carried in the datagram. In most cases,
   UDP ports with numbers greater than 30000 are not used by any protocol, so the log host
   sends an ICMP Destination Unreachable message to the AC6605 to notify the source that
   the destination port is unreachable.
6. After receiving the ICMP Destination Unreachable message from the log host, the
   AC6605 knows that the UDP datagram has reached the destination and stops the tracert
   program.

In the preceding steps, the tracert program on the source records the IP addresses of the gateways
between the source and the destination from the source addresses of the ICMP Time Exceeded
messages mentioned in Steps 2 and 3. A hop that filters or rate-limits ICMP, or that does not
answer within the timeout, appears in the output as "* * *" rather than as an address.
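Steps 1 to 6 above as an added Python simulation (not code from the AC6605 or from this guide): the hop addresses and the set of UDP ports on which the log host really listens are constructed for the demo. It shows why the destination port steps together with the TTL, and what the source sees when a probe happens to land on a port that is in use (no ICMP reply, so the hop shows as "* * *").

```python
"""Simulation of the UDP-probe tracert procedure (added example, not AC6605 code).
The modeled path and addresses are constructed for the demo."""
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

BASE_PORT = 33434   # first destination UDP port named in the text
MAX_HOPS = 30       # matches "max hops: 30" in the tracert output

# Constructed path in the roles of Figure 10-23: Router-A, Router-B, Log Host.
# The last entry is the destination host; the others are transit routers.
PATH = ["10.0.0.1", "10.0.1.1", "10.0.2.100"]


@dataclass
class Probe:
    ttl: int
    dport: int


def forward(probe: Probe, path: List[str], listening_ports: Set[int]) -> Tuple[str, str]:
    """Walk one probe along the path and return (responder, reply_kind).

    Transit hops decrement the TTL and answer 'time-exceeded' when it hits 0 (Step 2).
    The destination answers 'port-unreachable' (Step 5) unless something really listens
    on the probe's port; then no ICMP is generated and the source sees a timeout.
    """
    ttl = probe.ttl
    dest = path[-1]
    for hop in path:
        if hop == dest:
            if probe.dport in listening_ports:
                return hop, "delivered"        # consumed by a real service; no ICMP
            return hop, "port-unreachable"     # Step 5
        ttl -= 1
        if ttl == 0:
            return hop, "time-exceeded"        # Step 2
    raise RuntimeError("probe ran past the destination")


def tracert(path: List[str] = PATH, listening_ports: Optional[Set[int]] = None,
            max_hops: int = MAX_HOPS) -> List[Tuple[int, str, int]]:
    """Return [(ttl, responder_or_'*', dport), ...] until the destination answers."""
    listening_ports = listening_ports or set()
    hops = []
    for ttl in range(1, max_hops + 1):
        probe = Probe(ttl=ttl, dport=BASE_PORT + ttl - 1)  # Step 3: TTL and port step together
        responder, kind = forward(probe, path, listening_ports)
        if kind == "delivered":
            hops.append((ttl, "*", probe.dport))           # no reply within the timeout
            continue
        hops.append((ttl, responder, probe.dport))
        if kind == "port-unreachable":
            break                                          # Step 6: destination reached
    return hops


def format_hops(hops) -> List[str]:
    """Render hops in the style of the CLI output ('1 10.0.0.1', '3 * * *')."""
    return [f"{ttl} {'* * *' if who == '*' else who}" for ttl, who, _ in hops]


if __name__ == "__main__":
    print("\n".join(format_hops(tracert())))
    print("--- destination listening on 33436 ---")
    print("\n".join(format_hops(tracert(listening_ports={33436}))))
```

The second run shows the corner case a firewall engineer should remember: a probe that hits a port in use produces a silent hop, and tracert only completes once a later probe lands on an unused port.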

10.4.3 Configuring Ping/Tracert to Locate a Connection Fault in an IP Network
This section describes the execution of the ping and tracert commands.

Establishing the Configuration Task

Application Environment
The Customer Edge (CE) connected to the AC6605 cannot access the Internet. You need to run
the ping and tracert commands to check network connectivity.

Pre-configuration Tasks
Before performing ping and tracert operations, complete the following tasks:
- Checking the physical connections between the CE and the AC6605
- Correctly configuring an IP address for the CE device

Data Preparation
To perform ping and tracert operations, you need the following data.
No.  Data
1    IP address of the CE device
2    IP address of the gateway

Checking Network Connectivity Through the Ping Operation



Context
Do as follows on the AC6605:

Procedure
Step 1 Run:
ping [ ip ] [ -a source-ip-address | -c count | -d | -f | -h ttl-value | -i
interface-type interface-number | -m time | -n | -p pattern | -q | -r | -s
packetsize | -t timeout | -tos tos-value | -v ] * host

Network connectivity is tested.


Only some of the parameters are specified in the preceding ping command. For details on more
parameters, refer to the AC6605 Access Controller Command Reference.
The output of the ping command is as follows:
- Response to each ICMP Echo Request message: If no Echo Reply message is received within
  a certain period, "Request time out" is displayed in the output. Otherwise, the number of
  data bytes, the sequence number of the message, the TTL value carried in the Reply
  message and the round-trip time are displayed.
- Statistics: total number of sent and received messages, percentage of message loss, and
  minimum, average and maximum values of the response time.
<Quidway> ping 202.38.160.244
PING 202.38.160.244 : 56 data bytes, press CTRL_C to break
Reply from 202.38.160.244 : bytes=56 sequence=1 ttl=255 time = 1ms
Reply from 202.38.160.244 : bytes=56 sequence=2 ttl=255 time = 2ms
Reply from 202.38.160.244 : bytes=56 sequence=3 ttl=255 time = 1ms
Reply from 202.38.160.244 : bytes=56 sequence=4 ttl=255 time = 3ms
Reply from 202.38.160.244 : bytes=56 sequence=5 ttl=255 time = 2ms
--202.38.160.244 ping statistics--
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 1/2/3 ms

----End

Locating Faults on the Network Through the Tracert Operation


Context
Do as follows on the AC6605:

Procedure
Step 1 Run:
tracert [ -a source-ip-address | -f first-ttl | -m max-ttl | -p port | -q nqueries
| -w timeout ]* host

The tracert operation is performed to locate the fault on the network.


Only some of the parameters are specified in the preceding tracert command. For details on
more parameters, refer to the AC6605 Access Controller Command Reference.
The output of the tracert command displays a list of gateways traversed between the source and
the destination hosts.

<Quidway> tracert 18.26.0.115


traceroute to 18.26.0.115 (18.26.0.115), max hops: 30 ,packet length: 40
1 128.3.112.1 (128.3.112.1) 0 ms 0 ms 0 ms
2 128.32.216.1 (128.32.216.1) 19 ms 19 ms 19 ms
3 128.32.216.1 (128.32.216.1) 39 ms 19 ms 19 ms
4 128.32.136.23 (128.32.136.23) 19 ms 39 ms 39 ms
5 128.32.168.22 (128.32.168.22) 20 ms 39 ms 39 ms
6 128.32.197.4 (128.32.197.4) 59 ms 119 ms 39 ms
7 131.119.2.5 (131.119.2.5) 59 ms 59 ms 39 ms
8 129.140.70.13 (129.140.70.13) 80 ms 79 ms 99 ms
9 129.140.71.6 (129.140.71.6) 139 ms 139 ms 159 ms
10 129.140.81.7 (129.140.81.7) 199 ms 180 ms 300 ms
11 129.140.72.17 (129.140.72.17) 300 ms 239 ms 239 ms
12 * * *
13 128.121.54.72 (128.121.54.72) 259 ms 499 ms 279 ms
14 * * *
15 * * *
16 * * *
17 * * *
18 18.26.0.115 (18.26.0.115) 339 ms 279 ms 279 ms

----End

10.4.4 Debugging Ping and Tracert


This section describes how to locate faults through ICMP messages.

Context

CAUTION
Debugging affects the performance of the system. After debugging, run the undo debugging
all command to disable it immediately.
If a ping or tracert operation between two AC6605s fails, and you have confirmed that the
physical link between them is normal, run the following command on each AC6605 to locate
the fault further.

Procedure
Step 1 Run the debugging ip icmp command to enable ICMP packet debugging.
With this command, you can watch the ICMP messages exchanged while the ping or tracert
command runs and thus locate the device that fails.
----End

10.4.5 Configuration Examples


This section provides a configuration example of ping and tracert operations.

Example for Performing Ping and Tracert Operations



Networking Requirements
As shown in Figure 10-24, after configuring Switch A, you check the link between Switch A
and the log host. If Switch A and the log host are disconnected, you cannot know which device
fails because there are other network devices between Switch A and the log host. To locate on
which link segment the fault occurs, you can perform ping and tracert operations.
Figure 10-24 Networking diagram of ping and tracert operations
[Figure: SwitchA (1.1.1.1/8) connects to SwitchB (1.1.1.2/8 and 2.1.1.1/8), which connects to Router (2.1.1.2/8 and 3.1.1.1/8). Router connects through a LAN switch to the Log host (3.1.1.2/8) and a PC.]

Configuration Roadmap
The configuration roadmap is as follows:
1. Run the ping command on Switch A to check the connectivity between Switch A and the
   log host.
2. Run the tracert command to locate the fault after you find that the link is faulty.

Data Preparation
To complete the configuration, you need the following data:
- IP addresses of the interfaces on Switch B (In this example, IP addresses of the interfaces
  are 1.1.1.2/8 and 2.1.1.1/8.)
- IP addresses of the interfaces on Router (In this example, IP addresses of the interfaces are
  2.1.1.2/8 and 3.1.1.1/8.)
- IP address of the log host (In this example, the IP address of the log host is 3.1.1.2/8.)

Procedure
Step 1 Run the ping command.
# Run the ping command on Switch A to check the connectivity between Switch A and the log
host.
<Quidway> ping 3.1.1.2
PING 3.1.1.2: 56 data bytes, press CTRL_C to break
Request time out
Request time out
Request time out
Request time out
Request time out
--- 3.1.1.2 ping statistics ---


5 packet(s) transmitted
0 packet(s) received
100.00% packet loss

The display on Switch A shows that the log host is unreachable, which indicates that a fault
occurs on some link segment between Switch A and the log host.
Step 2 Run the tracert command.
# Run the tracert command on Switch A to locate which link segment fails.
<Quidway> tracert 3.1.1.2
traceroute to 3.1.1.2(3.1.1.2), max hops: 30 ,packet length: 40
1 1.1.1.2 4 ms 5 ms 5 ms
2 * * *
3 * * *
4 * * *
5 * * *
6 * * *
7 * * *
8 * * *
...

The preceding display shows that the tracert probes are answered by Switch B (1.1.1.2) but
nothing beyond it replies, so Router (2.1.1.2) is not reached. This indicates a fault on the link
between Switch B and Router. Before concluding that the link is down, rule out the other cause
of "* * *" lines: a device on the path that drops or rate-limits ICMP produces the same output
while user traffic still passes. After the link between Switch B and Router is recovered, repeat
Step 1 and Step 2 to confirm that Switch A and the log host can communicate properly.
----End
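The reasoning in Step 2 (find the last hop that answered, name the next device on the expected path as the one not reached) as an added Python example; this is not AC6605 code. The two sample outputs are constructed in the format of the tracert display above, and the expected path comes from the Data Preparation list.

```python
"""Parses AC6605-style tracert output and names the link segment where replies stop.
Added example, not AC6605 code. Samples are constructed."""
import re
from typing import List, Optional, Tuple

HOP_RE = re.compile(r"^\s*(\d+)\s+(.*)$")
ADDR_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")

# Constructed sample: the failure case from the example above.
SAMPLE_FAULT = """traceroute to 3.1.1.2(3.1.1.2), max hops: 30 ,packet length: 40
 1 1.1.1.2 (1.1.1.2) 4 ms 5 ms 5 ms
 2 * * *
 3 * * *
 4 * * *
"""
# Constructed sample: the same path once the link is repaired.
SAMPLE_OK = """traceroute to 3.1.1.2(3.1.1.2), max hops: 30 ,packet length: 40
 1 1.1.1.2 (1.1.1.2) 4 ms 5 ms 5 ms
 2 2.1.1.2 (2.1.1.2) 9 ms 9 ms 10 ms
 3 3.1.1.2 (3.1.1.2) 12 ms 11 ms 12 ms
"""

# Devices on the expected path, in order, with the interface that faces Switch A.
EXPECTED = [("Switch B", "1.1.1.2"), ("Router", "2.1.1.2"), ("log host", "3.1.1.2")]


def parse_hops(output: str) -> List[Tuple[int, Optional[str]]]:
    """Return [(hop_number, responder_address_or_None), ...]; '* * *' maps to None."""
    hops = []
    for line in output.splitlines():
        m = HOP_RE.match(line)
        if not m:
            continue                        # header line and anything else
        addr = ADDR_RE.search(m.group(2))
        hops.append((int(m.group(1)), addr.group(1) if addr else None))
    return hops


def locate_fault(hops, expected=EXPECTED, min_silent=3) -> Optional[Tuple[str, str]]:
    """Return (last_device_that_answered, first_device_not_reached), or None when the
    destination answered or fewer than min_silent trailing hops are silent (a single
    silent hop may just be a device that filters ICMP, so it is not evidence on its own)."""
    names = [n for n, _ in expected]
    addrs = [a for _, a in expected]
    answered = [a for _, a in hops if a is not None]
    if answered and answered[-1] == addrs[-1]:
        return None                         # destination reached
    trailing_silent = 0
    for _, a in reversed(hops):
        if a is not None:
            break
        trailing_silent += 1
    if trailing_silent < min_silent:
        return None
    if not answered:
        return ("local device", names[0])   # not even the first hop answered
    last = answered[-1]
    if last not in addrs:
        return (last, "unknown: off the expected path")
    i = addrs.index(last)
    return (names[i], names[i + 1])


if __name__ == "__main__":
    print(locate_fault(parse_hops(SAMPLE_FAULT)))   # ('Switch B', 'Router')
    print(locate_fault(parse_hops(SAMPLE_OK)))      # None
```

The min_silent guard is deliberate: one "* * *" line after the last answer is not enough to blame a link, because ICMP filtering on a single router looks identical.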

Configuration Files
None.

10.5 NQA Configuration


This chapter describes how to configure the Network Quality Analysis (NQA) to monitor the
network operating status and collect network operation indexes in real time.

10.5.1 Introduction to NQA


This section helps you understand the background and functions of Network Quality Analysis
(NQA).
As value-added services on networks develop, users and carriers demand higher Quality of
Service (QoS). To deliver the committed bandwidth to users, network operators should collect
statistics on the latency, jitter, and packet loss of the device, so that network performance can
be analyzed in time.
NQA on the AC6605 meets the preceding requirements.
NQA measures the performance of each protocol running on the network and helps network
operators collect network operation statistics, such as the total HTTP delay, TCP connection
delay, file transfer rate, FTP connection delay, Domain Name System (DNS) resolution delay,
and DNS resolution error ratio. By collecting these statistics, network operators provide users
with network services of various grades.
NQA is an efficient tool for diagnosing and locating faults on a network.

10.5.2 Comparisons Between NQA and Ping


This part describes the differences between NQA and Ping tests.
NQA is the extension and enhancement of Ping.
By sending an Internet Control Message Protocol (ICMP) Echo-Request packet from the local
device and expecting an ICMP Echo-Reply packet from the specified destination, the Ping
program can test the round-trip time (RTT) of an ICMP packet. In addition to testing the RTT
of an ICMP packet between the local device and the destination, NQA can detect whether
network services, such as TCP, UDP, FTP, HTTP and the Simple Network Management
Protocol (SNMP), are enabled and test the response time of each service.
Figure 10-25 Diagram of the NQA test
[Figure: an NQA Client reaches a Server across an IP/MPLS Network.]

In NQA, the RTT of each packet or timeout period of the packet is not displayed on the terminal
in real time, unlike the Ping program. Test results are displayed only when you run the display
nqa results command after a test is complete.
You can also configure the Network Management System (NM Station) to control each NQA
operation parameter and enable NQA tests.

10.5.3 NQA Server and NQA Clients


This part describes the relationships between NQA client, NQA server, and NQA test instance.

NQA test instance and NQA Client


NQA can be used to test many items. You must create a test instance for each item and each of
these test instances is a type of NQA test.
You need to create NQA test instances on NQA clients. Each test instance has an administrator
name and an operation tag as unique identification.
In the test view, configure the related test parameters. Note that a part of parameters applies to
only certain test types whereas others apply to all the test types.

NQA Server
In most types of tests, you need to configure only the NQA clients. In TCP, UDP, and Jitter tests,
however, you must configure the NQA server.
An NQA server processes the test packets received from the clients. As shown in Figure
10-26, the NQA server responds to the test request packet received from the client through the
monitoring function.

Figure 10-26 Relationship between the NQA client and the NQA server
[Figure: an NQA Client and an NQA Server connected across an IP/MPLS Network.]

You can create multiple TCP or UDP monitoring services on an NQA server. Each monitoring
service corresponds to a specific destination address and a port number. The destination address
and port number can be repeatedly specified.

Performing NQA Tests


After being configured with the destination address and the port number, the NQA server can
respond to test request packets. The IP address and port number specified in the monitoring
service must be consistent with those configured on the clients.
After creating a test group and configuring the related parameters, you must enable the NQA
test by using the start command and the display nqa results command to view test results.

10.5.4 NQA Supported by the AC6605


This part describes NQA test types and scheduling modes supported by the AC6605.

Features Provided by NQA

- Cooperates with the NM Station:
  - The NM Station can completely manage all NQA functions.
  - Supports the NQA MIB.
  - Supports the Disman-traceroute-MIB.
  - Supports the Disman-NSLookUp-MIB.
  - Supports the Disman-ping-MIB.
- Jitter tests support the continuous sending of 3000 packets and support voice traffic
  simulation.
- Supports statistics collection at the millisecond and microsecond level.
- Supports hot backup:
  This function synchronizes the configurations of NQA tests between the master control
  board and the slave board, so that NQA tests continue normally after a master/slave
  switchover.
- Supports test task scheduling:
  - Schedules test tasks to decrease the number of concurrent tasks on the device.
  - Supports different start and end times for a single test:
    - Three modes of starting tests: immediate, timed, and delayed.
    - Several modes of ending tests: automatic, immediate, timed, delayed, and ending
      the test when the lifetime of the test expires.


  - Automatically distributes the start time and the test interval when several tests are
    performed at a time.
- Supports the auto-delay function, with which system resources are used effectively so that
  tests complete within a specified period.
- Supports the collection of uni-directional and bi-directional delay statistics. In addition, you
  can set a threshold and collect statistics about the packets in the test results that exceed it.
- Supports the collection of statistics on packet loss in one direction.
- Supports a flexible alarm mechanism: upper and lower thresholds are set to monitor the
  tested objects according to their OIDs. When a test result exceeds a threshold, alarms are
  triggered based on the preset events.

10.5.5 Configuring the ICMP Test


This section describes how to configure an Internet Control Message Protocol (ICMP) test to
check the IP network connectivity.

Establishing the Configuration Task


Before configuring an ICMP test, familiarize yourself with the applicable environment, complete
the pre-configuration tasks, and obtain the required data. This can help you complete the
configuration task quickly and accurately.

Applicable Environment
An ICMP test has a similar function with the ping command, but its output is more detailed.

Pre-configuration Tasks
Before configuring the ICMP test, configure reachable routes between the NQA client and the
tested device.

Data Preparation
To configure the ICMP test, you need the following data.
No.  Data
1    Administrator name and test name of the NQA test
2    Destination IP address
3    (Optional) Virtual Private Network (VPN) instance name, source interface that sends
     test packets, source IP address, size of the Echo-Request packets, TTL value, ToS,
     padding character, interval for sending test packets, and percentage of the failed NQA
     test
4    Start mode and end mode


Configuring ICMP Test Parameters


This part describes how to set ICMP test parameters.

Context
Do as follows on the NQA client:

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
nqa test-instance admin-name test-name

An NQA test instance is created and the test instance view is displayed.
Step 3 Run:
test-type icmp

The test type is set to ICMP.


Step 4 Run:
destination-address ipv4 ip-address

The destination IP address is configured.


Step 5 (Optional) Perform the following as required to configure other ICMP test parameters (for
detailed parameter configurations, see the chapter Configuring Universal NQA Test
Parameters):
- To configure the source interface that sends test packets, run the source-interface
  interface-type interface-number command.
- To configure the source IP address, run the source-address ipv4 ip-address command.
  source-address ipv4 ip-address equals the "-a" option in the ping command.
- To configure the size (packet header excluded) of the Echo-Request packet, run the
  datasize size command.
  datasize size equals the "-s" option in the ping command.
- To configure the time-to-live (TTL) value, run the ttl number command.
  ttl number equals the "-h" option in the ping command.
- To configure the type of service (ToS) field in the IP packet header, run the tos value
  command.
  tos equals the "-tos" option in the ping command.
- To configure padding characters, run the datafill fillstring command.
  datafill equals the "-p" option in the ping command.
- To configure the interval for sending the test packets, run the interval seconds interval
  command.
  interval seconds equals the "-m" option in the ping command.
- To configure the percentage of the failed NQA test, run the fail-percent percent command.

- To configure the NQA test packets to be sent without searching the routing table, run the
  sendpacket passroute command.
Step 6 Run:
start

The NQA test is started.


Select the start mode as required because the start command has several forms.
- To perform the NQA test immediately, run the start now [ end { at [ yyyy/mm/dd ]
  hh:mm:ss | delay { seconds second | hh:mm:ss } | lifetime { seconds second | hh:mm:ss } } ]
  command.
  The test instance is started immediately.
- To perform the NQA test at the specified time, run the start at [ yyyy/mm/dd ] hh:mm:ss
  [ end { at [ yyyy/mm/dd ] hh:mm:ss | delay { seconds second | hh:mm:ss } | lifetime
  { seconds second | hh:mm:ss } } ] command.
  The test instance is started at a specified time.
- To perform the NQA test after a certain delay period, run the start delay { seconds second
  | hh:mm:ss } [ end { at [ yyyy/mm/dd ] hh:mm:ss | delay { seconds second | hh:mm:ss } |
  lifetime { seconds second | hh:mm:ss } } ] command.
  The test instance is started after a certain delay.
----End

Checking the Configuration


After configuring the ICMP test, you can view the test result.

Prerequisites
The configurations of the ICMP Test function are complete.

Context
NOTE

NQA test results cannot be displayed automatically on a terminal. You must run the display nqa results
command to view test results. By default, the command output contains the records of only the last
five test results.

Procedure
Step 1 Run the display nqa results [ test-instance admin-name test-name ] command to view the test
results on the NQA client.
----End

Example
Run the display nqa results command. If the following is displayed, the test is successful.
- testflag is inactive
- The test is finished


- Completion:success

For the ICMP test, you can also view the minimum, maximum and average completion time
(the round trip time, RTT).
<Quidway> display nqa results
NQA entry(admin, test) :testflag is inactive ,testtype is icmp
1 . Test 1 result
The test is finished
Send operation times: 3
Receive response times: 3
Completion:success
RTD OverThresholds number: 0
Attempts number:1
Drop operation number:0
Disconnect operation number:0
Operation timeout number:0
System busy operation number:0
Connection fail number:0
Operation sequence errors number:0
RTT Stats errors number:0
Destination ip address:10.112.58.3
Min/Max/Average Completion Time: 2/5/3
Sum/Square-Sum Completion Time: 9/33
Last Good Probe Time: 2010-06-21 15:33:09.2
Lost packet ratio: 0 %
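Because the result is only available through display nqa results, a monitoring job has to parse that text. The following is an added Python example (not AC6605 code) that turns the output into records and applies thresholds; SAMPLE is constructed in the format of the ICMP result above, and the loss and RTT limits are illustrative defaults.

```python
"""Parses 'display nqa results' output into structured records and checks them
against thresholds. Added example, not AC6605 code. SAMPLE is constructed."""
import re
from typing import Any, Dict, List

SAMPLE = """NQA entry(admin, test) :testflag is inactive ,testtype is icmp
1 . Test 1 result
The test is finished
Send operation times: 3
Receive response times: 3
Completion:success
RTD OverThresholds number: 0
Destination ip address:10.112.58.3
Min/Max/Average Completion Time: 2/5/3
Sum/Square-Sum Completion Time: 9/33
Last Good Probe Time: 2010-06-21 15:33:09.2
Lost packet ratio: 0 %
"""

HEADER_RE = re.compile(r"NQA entry\((\w+),\s*(\w+)\)\s*:testflag is (\w+)\s*,testtype is (\w+)")
TEST_RE = re.compile(r"^\s*\d+\s*\.\s*Test\s+(\d+)\s+result")
KV_RE = re.compile(r"^([A-Za-z][A-Za-z /\-]*?)\s*:\s*(.+?)\s*$")


def parse_results(text: str) -> List[Dict[str, Any]]:
    """One dict per 'Test N result' block (the display shows up to the last five)."""
    header: Dict[str, Any] = {}
    tests: List[Dict[str, Any]] = []
    current = None
    for line in text.splitlines():
        h = HEADER_RE.search(line)
        if h:
            header = dict(zip(("admin", "name", "testflag", "testtype"), h.groups()))
            continue
        t = TEST_RE.match(line)
        if t:
            current = {"test": int(t.group(1)), **header}
            tests.append(current)
            continue
        kv = KV_RE.match(line)
        if kv and current is not None:
            current[kv.group(1).strip()] = kv.group(2)   # first colon splits key/value
    return [_normalise(t) for t in tests]


def _normalise(raw: Dict[str, Any]) -> Dict[str, Any]:
    """Turn the fields the checks need into numbers; keep the raw strings too."""
    out = dict(raw)
    out["sent"] = int(raw.get("Send operation times", 0))
    out["received"] = int(raw.get("Receive response times", 0))
    out["success"] = raw.get("Completion", "").strip() == "success"
    out["loss_pct"] = (float(raw["Lost packet ratio"].replace("%", ""))
                       if "Lost packet ratio" in raw else None)
    if "Min/Max/Average Completion Time" in raw:
        out["rtt_ms"] = tuple(int(x) for x in raw["Min/Max/Average Completion Time"].split("/"))
    return out


def evaluate(result: Dict[str, Any], max_loss_pct: float = 0.0, max_rtt_ms: int = 50) -> List[str]:
    """Return a list of findings; an empty list means the probe is healthy."""
    tag = f"{result.get('admin')}/{result.get('name')} test {result['test']}"
    findings = []
    if not result["success"]:
        findings.append(f"{tag}: completion is {result.get('Completion', 'missing')!r}")
    if result["loss_pct"] is not None and result["loss_pct"] > max_loss_pct:
        findings.append(f"{tag}: loss {result['loss_pct']}% exceeds {max_loss_pct}%")
    if "rtt_ms" in result and result["rtt_ms"][1] > max_rtt_ms:
        findings.append(f"{tag}: max RTT {result['rtt_ms'][1]} ms exceeds {max_rtt_ms} ms")
    if result["received"] < result["sent"] and result["loss_pct"] == 0.0:
        findings.append(f"{tag}: sent/received mismatch with 0% loss reported")
    return findings


if __name__ == "__main__":
    for r in parse_results(SAMPLE):
        print(r["testtype"], r["rtt_ms"], r["loss_pct"], evaluate(r) or "healthy")
```

The key/value regex splits on the first colon only, so timestamps such as 15:33:09.2 survive intact; fields that are absent from a given test type (the FTP output uses different names) simply stay unparsed.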

10.5.6 Configuring the FTP Download Test


This section describes how to configure a File Transfer Protocol (FTP) download test to check
the FTP download performance.

Establishing the Configuration Task


Before configuring an FTP download test, familiarize yourself with the applicable environment,
complete the pre-configuration tasks, and obtain the required data. This can help you complete
the configuration task quickly and accurately.

Applicable Environment
In an FTP download test, the local device functions as an NQA FTP client, intending to download
the specified file from an FTP server.
The test result contains statistics about each FTP phase, including the time to set up an FTP
control connection and the time to transport the data.

Pre-configuration Tasks
Before configuring the FTP download test, complete the following tasks:
- Configuring the FTP user name and password and the login directory
- Configuring routes between the NQA FTP client and the FTP server

Data Preparation
To configure the FTP download test, you need the following data.
No.  Data
1    Administrator name and test name
2    IP address of the FTP server
3    (Optional) Source IP address of the FTP operation and VPN instance name and source
     and destination port numbers of the FTP operation
4    FTP user name and password
5    Name of the file to be downloaded
6    Start mode and end mode of the test

Configuring the FTP Download Test Parameters


This part describes how to set parameters for the FTP download test.

Context
Do as follows on the NQA client (FTP client):

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
nqa test-instance admin-name test-name

An NQA test instance is created and the test instance view is displayed.
Step 3 Run:
test-type ftp

The test type is set to FTP.


Step 4 Run:
destination-address ipv4 ip-address

The destination IP address is configured.


Step 5 (Optional) Perform the following as required to configure other parameters of the FTP Download
test (for detailed parameter configurations, see the chapter Configuring Universal NQA Test
Parameters):
- To configure the source IP address, run the source-address ipv4 ip-address command.
- To configure the FTP source port number, run the source-port port-number command.
- To configure the FTP destination port number, run the destination-port port-number
  command.
- To configure the NQA test packet to be sent without searching the routing table, run the
  sendpacket passroute command.
Step 6 Run:
ftp-operation get

The FTP operation type is set to Get.



By default, the FTP operation type is Get.


Step 7 Run:
ftp-username name

The FTP user name is configured.


Step 8 Run:
ftp-password { password | cipher cipher-password }

The FTP password used during the login is configured. Use a dedicated FTP account that has
only the permissions the test needs: FTP transmits the user name and password in cleartext,
and the credentials entered here persist in the NQA test instance in the device configuration.


Step 9 Run:
ftp-filename file-name

The name of the file to be downloaded is configured.


NOTE

During the FTP test, select a file with a relatively small size for the test. If the file is large, the test may fail
because of timeout.

Step 10 Run:
start

The NQA test is started.


Select the start mode as required because the start command has several forms.
- To perform the NQA test immediately, run the start now [ end { at [ yyyy/mm/dd ]
  hh:mm:ss | delay { seconds second | hh:mm:ss } | lifetime { seconds second | hh:mm:ss } } ]
  command.
  The test instance is started immediately.
- To perform the NQA test at the specified time, run the start at [ yyyy/mm/dd ] hh:mm:ss
  [ end { at [ yyyy/mm/dd ] hh:mm:ss | delay { seconds second | hh:mm:ss } | lifetime
  { seconds second | hh:mm:ss } } ] command.
  The test instance is started at a specified time.
- To perform the NQA test after a certain delay period, run the start delay { seconds second
  | hh:mm:ss } [ end { at [ yyyy/mm/dd ] hh:mm:ss | delay { seconds second | hh:mm:ss } |
  lifetime { seconds second | hh:mm:ss } } ] command.
  The test instance is started after a certain delay.
----End

Checking the Configuration


After configuring the FTP download test, you can view the test result.

Prerequisites
The configurations of the FTP Download Test function are complete.

Context
NOTE

NQA test results cannot be displayed automatically on a terminal. You must run the display nqa results
command to view test results. By default, the command output contains the records of only the last
five tests.


Procedure
Step 1 Run the display nqa results [ test-instance admin-name test-name ] command to view the test
results on the NQA client.
----End

Example
Run the display nqa results command. If the test is successful, the following is displayed.
- CtrlConnTime: time taken to set up the FTP control connection.
- DataConnTime: time taken for the data transfer.
- SumTime: total duration of the FTP operation.

<Quidway> display nqa results


NQA entry(admin, ftp) :testflag is inactive ,testtype is ftp
1 . Test 1 result
The test is finished
SendProbe:1
ResponseProbe:1
Completion :success
RTD OverThresholds number: 0
MessageBodyOctetsSum: 448
Stats errors number: 0
Operation timeout number: 0
System busy operation number:0
Drop operation number:0
Disconnect operation number: 0
CtrlConnTime Min/Max/Average: 438/438/438
DataConnTime Min/Max/Average: 218/218/218
SumTime Min/Max/Average: 656/656/656
Average RTT:380
Lost packet ratio: 0 %

10.5.7 Configuring the FTP Upload Test


This section describes how to configure an FTP upload test to check the FTP upload performance.

Establishing the Configuration Task


Before configuring an FTP upload test, familiarize yourself with the applicable environment,
complete the pre-configuration tasks, and obtain the required data. This can help you complete
the configuration task quickly and accurately.

Applicable Environment
In an FTP upload test, the local device functions as an FTP client, intending to upload the
specified file to an FTP server.
The test result contains the statistics about each FTP phase, including the time to set up an FTP
control connection and the time to transport the data.
In an FTP upload test, you can specify the file to be uploaded or the bytes to be uploaded. If
certain bytes are specified, the FTP client then automatically generates the test files for
uploading.

Pre-configuration Tasks
Before configuring the FTP upload test, complete the following tasks:
- Configuring the FTP user name and password and the login directory
- Configuring routes between the NQA client and the FTP server


Data Preparation
To configure the FTP upload test, you need the following data.
No.  Data
1    Administrator name and test name
2    IP address of the FTP server
3    FTP user name and password
4    (Optional) Source IP address of the FTP operation and VPN instance name and source
     and destination port numbers of the FTP operation
5    Name or size of the uploaded file
6    Start mode and end mode of the test

Configuring the FTP Upload Test Parameters


This part describes how to set parameters for the FTP upload test.

Context
Do as follows on the NQA client (FTP client):

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
nqa test-instance admin-name test-name

An NQA test instance is created and the test instance view is displayed.
Step 3 Run:
test-type ftp

The test type is set to FTP.


Step 4 Run:
destination-address ipv4 ip-address

The destination IP address is configured.


Step 5 (Optional) Perform the following as required to configure other parameters for the FTP upload
test (for detailed parameter configurations, see the chapter Configuring Universal NQA Test
Parameters):
- To configure the source IP address, run the source-address ipv4 ip-address command.
- To configure the source port, run the source-port port-number command.

- To configure the destination port, run the destination-port port-number command.
- To configure the NQA test packet to be sent without searching the routing table, run the
  sendpacket passroute command.
Step 6 Run:
ftp-operation put

The FTP operation type is set to Put.


By default, the FTP operation type is Get.
Step 7 Run:
ftp-username name

The FTP user name is configured.


Step 8 Run:
ftp-password password

The FTP password used during the login is configured.


Step 9 Perform the following as required to upload the file.
- To upload the file with a specified name, run the ftp-filename file-name command.
  NOTE
  - If no file path is specified, the system searches for the file in the current path. If the specified file
    name does not exist, a file is created with the specified file name, and the size of the file is
    set to 1 MB.
  - The file name cannot contain characters such as ~, *, /, \, ', ", but the file path can contain these
    characters.
  - The file name can contain the extension name but cannot consist of the extension name only, such
    as .txt.
- To upload a file of a specified size, run the ftp-filesize size command. The client then
  automatically creates a file named "nqa-ftp-test.txt" to upload.
  NOTE
  During the FTP test, select a file with a relatively small size. If the file is large, the test may fail because
  of timeout.

Step 10 Run:
start

The NQA test is started.


Select the start mode as required because the start command has several forms.
- To perform the NQA test immediately, run the start now [ end { at [ yyyy/mm/dd ]
  hh:mm:ss | delay { seconds second | hh:mm:ss } | lifetime { seconds second | hh:mm:ss } } ]
  command.
  The test instance is started immediately.
- To perform the NQA test at the specified time, run the start at [ yyyy/mm/dd ] hh:mm:ss
  [ end { at [ yyyy/mm/dd ] hh:mm:ss | delay { seconds second | hh:mm:ss } | lifetime
  { seconds second | hh:mm:ss } } ] command.
  The test instance is started at a specified time.
- To perform the NQA test after a certain delay period, run the start delay { seconds second
  | hh:mm:ss } [ end { at [ yyyy/mm/dd ] hh:mm:ss | delay { seconds second | hh:mm:ss } |
  lifetime { seconds second | hh:mm:ss } } ] command.
  The test instance is started after a certain delay.


----End

Checking the Configuration


After configuring the FTP upload test, you can view the test result.

Prerequisites
The configurations of the FTP Upload Test function are complete.

Context
NOTE

NQA test results cannot be displayed automatically on a terminal. You must run the display nqa results
command to view test results. By the default, the command output contains the records about only the last
five tests.

Procedure
Step 1 Run the display nqa results command to view the test results on the NQA client.
----End

Example
Run the display nqa results command. If the test is successful, the following is displayed. Key
timing fields in the output:
l CtrlConnTime
l DataConnTime
l SumTime

<Quidway> display nqa results


NQA entry(admin, ftp) :testflag is inactive ,testtype is ftp
1 . Test 1 result
The test is finished
SendProbe:1
ResponseProbe:1
Completion :success
RTD OverThresholds number: 0
MessageBodyOctetsSum: 448
Stats errors number: 0
Operation timeout number: 0
System busy operation number:0
Drop operation number:0
Disconnect operation number: 0
CtrlConnTime Min/Max/Average: 438/438/438
DataConnTime Min/Max/Average: 218/218/218
SumTime Min/Max/Average: 656/656/656
Average RTT:380
Lost packet ratio: 0 %

10.5.8 Configuring the HTTP Test


This section describes how to configure a Hypertext Transfer Protocol (HTTP) test to check the
responding speed of the HTTP service in each phase.

Establishing the Configuration Task


Before configuring an HTTP test, familiarize yourself with the applicable environment,
complete the pre-configuration tasks, and obtain the required data. This can help you complete
the configuration task quickly and accurately.
Applicable Environment
Through the NQA HTTP test, you can obtain the responding speed in three phases:
l Time of DNS resolution: the period from the time the client sends the DNS packet to the
resolver, asking it to resolve the name of the HTTP server to an IP address, to the time the
DNS response packet containing the IP address is returned.
l Time to set up a TCP connection: the time taken by the client to set up a TCP connection
with the HTTP server through the three-way handshake.
l Transaction time: the period from the time the client sends the Get or Post packets to the
HTTP server to the time the Echo packet sent by the client reaches the HTTP server.
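The three phases above, measured by a Python probe added here as an example (not Huawei code): name resolution, the TCP handshake and the GET transaction are timed separately, in the way the NQA client reports them as DNSRTT, TCPConnectRTT and TransactionRTT. For the demo it starts a constructed HTTP server on a loopback port; probe_http, HttpProbe and start_local_server are this example's own names.

```python
"""Three-phase timing of an HTTP GET, in the manner of the NQA HTTP test.

Added example, not Huawei code: DNS resolution, the TCP three-way handshake
and the GET transaction are timed separately, mirroring the DNSRTT,
TCPConnectRTT and TransactionRTT fields that display nqa results reports.
"""
import socket
import threading
import time
from dataclasses import dataclass
from http.server import BaseHTTPRequestHandler
from socketserver import TCPServer


@dataclass
class HttpProbe:
    dns_ms: float          # resolving the server name to an address
    tcp_connect_ms: float  # the three-way handshake
    transaction_ms: float  # GET sent until the whole response is received
    status: int            # HTTP status code, or -1 if a phase failed
    error: str = ""        # failed phase: "dns", "tcp", "transaction" or ""


def _ms(start: float, end: float) -> float:
    return (end - start) * 1000.0


def probe_http(host: str, port: int = 80, path: str = "/",
               version: str = "1.0", timeout: float = 3.0) -> HttpProbe:
    """Send one GET to host:port and return the timing of each phase."""
    t0 = time.perf_counter()
    try:  # phase 1: name resolution (instant for a literal IP address)
        addr = socket.getaddrinfo(host, port, socket.AF_INET,
                                  socket.SOCK_STREAM)[0][4]
    except socket.gaierror:
        return HttpProbe(_ms(t0, time.perf_counter()), 0.0, 0.0, -1, "dns")
    t1 = time.perf_counter()
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:  # phase 2: TCP connection
        sock.connect(addr)
    except OSError:
        sock.close()
        return HttpProbe(_ms(t0, t1), _ms(t1, time.perf_counter()), 0.0, -1, "tcp")
    t2 = time.perf_counter()
    request = (f"GET {path} HTTP/{version}\r\nHost: {host}\r\n"
               "Connection: close\r\n\r\n").encode()
    status = -1
    try:  # phase 3: the transaction, read until the server closes the connection
        sock.sendall(request)
        data = b""
        while True:
            chunk = sock.recv(4096)
            if not chunk:
                break
            data += chunk
        if data.startswith(b"HTTP/"):
            status = int(data.split(b" ")[1])
    except (OSError, ValueError, IndexError):
        status = -1
    finally:
        sock.close()
    t3 = time.perf_counter()
    return HttpProbe(_ms(t0, t1), _ms(t1, t2), _ms(t2, t3), status,
                     "" if status != -1 else "transaction")


class _OkHandler(BaseHTTPRequestHandler):
    """Constructed target for the demo: answers every GET with 200 and "ok"."""

    def do_GET(self):
        body = b"ok"
        self.send_response(200)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo output quiet
        pass


def start_local_server() -> TCPServer:
    """Start the constructed server on an ephemeral loopback port."""
    srv = TCPServer(("127.0.0.1", 0), _OkHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


if __name__ == "__main__":
    srv = start_local_server()
    p = probe_http("127.0.0.1", srv.server_address[1])
    print(f"DNSRTT {p.dns_ms:.3f} ms  TCPConnectRTT {p.tcp_connect_ms:.3f} ms  "
          f"TransactionRTT {p.transaction_ms:.3f} ms  status {p.status}")
    srv.shutdown()
    srv.server_close()
```

Pointing probe_http at a real server name makes the first phase a real DNS lookup, which is the phase a DNS outage shows up in while the other two stay at zero.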

Pre-configuration Tasks
Before configuring the HTTP test, complete the following tasks:
l Configuring the HTTP server
l Configuring routes between the NQA client and the HTTP server

Data Preparation
To configure the HTTP test, you need the following data.
No.  Data
1    Administrator name and test name
2    Name of the HTTP server
3    (Optional) Source address and source port number
     (Optional) Destination port number
     (Optional) Fail percent
4    HTTP operation type
5    Web page to be visited and the HTTP version
6    Start mode and end mode of the test

Configuring HTTP Test Parameters


This part describes how to set HTTP test parameters.

Context
Do as follows on the NQA client (HTTP client):

Procedure
Step 1 Run:
system-view


The system view is displayed.


Step 2 Run:
nqa test-instance admin-name test-name

An NQA test is created and the view is displayed.


Step 3 Run:
test-type http

The test type is set to HTTP.


Step 4 Run:
destination-address ipv4 ip-address

The destination IP address is configured.


Step 5 (Optional) Perform the following as required to configure other parameters for the HTTP test
(for detailed parameter configurations, see the chapter Configuring Universal NQA Test
Parameters):
l To configure the source IP address, run the source-address ipv4 ip-address command.
l To configure the source port, run the source-port port-number command.
l To configure the destination port, run the destination-port port-number command.
l To configure the percentage of the failed NQA HTTP tests, run the fail-percent percent
command.
l To configure the NQA test packet to be sent without searching the routing table, run the
sendpacket passroute command.
Step 6 Run:
http-operation get

The HTTP operation type is configured.


By default, the HTTP operation type is Get.
Step 7 Run:
http-url deststring [ verstring ]

The web page to be visited and the HTTP version are configured.
NOTE

If the HTTP version is not configured, HTTP1.0 is used by default. HTTP1.1 can be used by configuring
it explicitly.

Step 8 Run:
start

The NQA test is started.


Select the start mode as required because the start command has several forms.
l To perform the NQA test immediately, run the start now [ end { at [ yyyy/mm/dd ]
hh:mm:ss | delay { seconds second | hh:mm:ss } | lifetime { seconds second | hh:mm:ss } } ]
command.
The test instance is started immediately.
l To perform the NQA test at the specified time, run the start at [ yyyy/mm/dd ] hh:mm:ss
[ end { at [ yyyy/mm/dd ] hh:mm:ss | delay { seconds second | hh:mm:ss } | lifetime
{ seconds second | hh:mm:ss } } ] command.

The test instance is started at a specified time.


l To perform the NQA test after a certain delay period, run the start delay { seconds second
| hh:mm:ss } [ end { at [ yyyy/mm/dd ] hh:mm:ss | delay { seconds second | hh:mm:ss } |
lifetime { seconds second | hh:mm:ss } } ] command.
The test instance is started after a certain delay.
----End

Checking the Configuration


After configuring the HTTP test, you can view the test result.

Prerequisites
The configurations of the HTTP Test function are complete.

Context
NOTE

NQA test results cannot be displayed automatically on a terminal. You must run the display nqa results
command to view test results. By default, the command output contains the records about only the last
five tests.

Procedure
Step 1 Run the display nqa results [ test-instance admin-name test-name ] command to view the test
results on the NQA client.
----End

Example
Run the display nqa results command. If the test is successful, the following is displayed. Key
timing fields in the output:
l DNSRTT: indicates the time taken by the DNS query request.
l TCPConnectRTT: indicates the time taken to establish the TCP connection.
l TransactionRTT and RTT: indicate the durations of the data transmission and of the whole HTTP
test, respectively.

<Quidway> display nqa results


NQA entry(admin, http) :testflag is inactive ,testtype is http
1 . Test 1 result
The test is finished
SendProbe:3
ResponseProbe:3
Completion:success
RTD OverThresholdsnumber: 0
MessageBodyOctetsSum: 411
TargetAddress: 100.2.1.200
DNSQueryError number: 0
HTTPError number: 0
TcpConnError number : 0
System busy operation number:0
DNSRTT Sum/Min/Max:0/0/0
TCPConnectRTT Sum/Min/Max: 6/1/4
TransactionRTT Sum/Min/Max: 3/1/1
RTT Sum/Min/Max/Avg: 7/1/5/2
DNSServerTimeout:0 TCPConnectTimeout:0 TransactionTimeout: 0
Lost packet ratio:0%

10.5.9 Configuring the DNS Test


This section describes how to configure a Domain Name System (DNS) test to check the DNS
resolution speed.

Establishing the Configuration Task


Before configuring a DNS test, familiarize yourself with the applicable environment, complete
the pre-configuration tasks, and obtain the required data. This can help you complete the
configuration task quickly and accurately.

Applicable Environment
The DNS test is performed to obtain the speed at which the specified domain name is resolved
to an IP address.

Pre-configuration Tasks
Before configuring the DNS test, complete the following tasks:
l Configuring the DNS server
l Configuring routes between the NQA client and the DNS server

Data Preparation
To configure the DNS test, you need the following data.
No.  Data
1    Administrator name and test name
2    IP address of the DNS server
3    Host name to be resolved
4    Start mode and end mode of the test

Configuring the DNS Test Parameters


This part describes how to set DNS test parameters.

Context
Do as follows on the NQA client (DNS client):

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
dns resolve

Dynamic DNS resolution is enabled. By default, the function is disabled.



Step 3 Run:
nqa test-instance admin-name test-name

An NQA test instance is created and the test instance view is displayed.
Step 4 Run:
test-type dns

The test type is set to DNS.


Step 5 Run:
dns-server ipv4 ip-address

The IPv4 address of the DNS server is configured.


Step 6 Run:
destination-address url urlstring

The name of the destination host is configured.


NOTE

For detailed parameter configurations, see the chapter Configuring Universal NQA Test Parameters.

Step 7 Run:
start

The NQA test is started.


Select the start mode as required because the start command has several forms.
l To perform the NQA test immediately, run the start now [ end { at [ yyyy/mm/dd ]
hh:mm:ss | delay { seconds second | hh:mm:ss } | lifetime { seconds second | hh:mm:ss } } ]
command.
The test instance is started immediately.
l To perform the NQA test at the specified time, run the start at [ yyyy/mm/dd ] hh:mm:ss
[ end { at [ yyyy/mm/dd ] hh:mm:ss | delay { seconds second | hh:mm:ss } | lifetime
{ seconds second | hh:mm:ss } } ] command.
The test instance is started at a specified time.
l To perform the NQA test after a certain delay period, run the start delay { seconds second
| hh:mm:ss } [ end { at [ yyyy/mm/dd ] hh:mm:ss | delay { seconds second | hh:mm:ss } |
lifetime { seconds second | hh:mm:ss } } ] command.
The test instance is started after a certain delay.
----End

Checking the Configuration


After configuring the DNS test, you can view the test result.

Prerequisites
The configurations of the DNS Test function are complete.


Context
NOTE

NQA test results cannot be displayed automatically on a terminal. You must run the display nqa results
command to view test results. By default, the command output contains the records about only the last
five tests.

Procedure
Step 1 Run the display nqa results [ test-instance admin-name test-name ] command to view the test
results on the NQA client.
----End

Example
Run the display nqa results command. If the test is successful, the following is displayed.
<Quidway> display nqa results
NQA entry(t, t) :testflag is inactive ,testtype is dns
1 . Test 1 result
The test is finished
Send operation times: 1
Receive response times: 1
Completion:success
RTD OverThresholds number: 0
Attempts number:1
Drop operation number:0
Disconnect operation number:0
Operation timeout number:0
System busy operation number:0
Connection fail number:0
Operation sequence errors number:0
RTT Stats errors number:0
Destination ip address:10.82.55.191
Min/Max/Average Completion Time: 4/4/4
Sum/Square-Sum Completion Time: 4/16
Last Good Probe Time: 2010-06-21 15:40:12.6
Lost packet ratio: 0 %

10.5.10 Configuring the Traceroute Test


This section describes how to configure a traceroute test to check the connectivity to each hop
on the network.

Establishing the Configuration Task


Before configuring a traceroute test, familiarize yourself with the applicable environment,
complete the pre-configuration tasks, and obtain the data required for the configuration. This
will help you complete the configuration task quickly and accurately.

Applicable Environment
An NQA Traceroute test can provide functions similar to those provided by the tracert
command, but outputs more detailed information.

Pre-configuration Tasks
Before configuring a traceroute test, configure reachable routes between the NQA client and the
device to be tested.

Data Preparation
To configure a traceroute test, you need the following data.

No.  Data
1    Administrator and name of an NQA test instance
2    Destination IP address
3    (Optional) VPN instance name, maximum hops, initial TTL and maximum TTL value
     of the packet, and source IP address and destination port of the packet
4    Start and end modes of a test

Configuring Parameters for a Traceroute Test


This part describes how to configure parameters for a traceroute test.

Context
Do as follows on the NQA client:

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
nqa test-instance admin-name test-name

An NQA test instance is created and the test instance view is displayed.
Step 3 Run:
test-type trace

A traceroute test is created.


Step 4 Run:
destination-address ipv4 ip-address

The destination address of the traceroute test is configured.


Step 5 Run the following commands as required (for detailed parameter configurations, see the chapter
Configuring Universal NQA Test Parameters):
l To configure the maximum hops, run:
tracert-hopfailtimes times

l To configure the initial TTL and maximum TTL values of a packet, run:
tracert-livetime first-ttl first-ttl max-ttl max-ttl

l To configure the source IP address, run:
source-address ipv4 ip-address

l To configure the destination port number, run:
destination-port port-number

l To configure NQA test packets to be sent without searching the routing table, run:
sendpacket passroute

Step 6 Run:
start

An NQA test is started.


Select the start mode as required because the start command has several forms.
l To start the NQA test immediately, run the start now [ end { at [ yyyy/mm/dd ] hh:mm:ss |
delay { seconds second | hh:mm:ss } | lifetime { seconds second | hh:mm:ss } } ] command.
The test instance is started immediately.
l To start the NQA test at the specified time, run the start at [ yyyy/mm/dd ] hh:mm:ss [ end
{ at [ yyyy/mm/dd ] hh:mm:ss | delay { seconds second | hh:mm:ss } | lifetime { seconds
second | hh:mm:ss } } ] command.
The test instance is started at a specified time.
l To start the NQA test after a certain delay, run the start delay { seconds second |
hh:mm:ss } [ end { at [ yyyy/mm/dd ] hh:mm:ss | delay { seconds second | hh:mm:ss } |
lifetime { seconds second | hh:mm:ss } } ] command.
The test instance is started after a certain delay.
----End

Checking the Configuration


After configuring a traceroute test, you can view the test result.

Prerequisites
The configurations of the traceroute test are complete.

Context
NOTE

NQA test results cannot be displayed automatically on the terminal. You need to run the display nqa
results command to view test results. By default, the command output contains the records about only
the last five tests.

Procedure
Step 1 Run the display nqa results [ test-instance admin-name test-name ] command to view the test
results on the NQA client.
----End

Example
Run the display nqa results command. If the statistics about each hop are displayed, it means
that the traceroute test is successful.
<Quidway> display nqa results
NQA entry(t, t) :testflag is inactive ,testtype is trace
1 . Test 1 result
The test is finished
Completion:success
Attempts number:1
Disconnect operation number:0
Operation timeout number:0
System busy operation number:0
Connection fail number:0

Operation sequence errors number:0
RTT Stats errors number:0
Drop operation number:0
Last good path Time:2010-06-21 15:41:01.7
1 . Hop 1
Send operation times: 3
Receive response times: 3
Min/Max/Average Completion Time: 1/2/1
Sum/Square-Sum Completion Time: 4/6
RTD OverThresholds number: 0
Last Good Probe Time: 2010-06-21 15:41:01.7
Destination ip address:10.112.58.3
Lost packet ratio: 0 %

10.5.11 Configuring the SNMP Query Test


This section describes how to configure a Simple Network Management Protocol (SNMP) query
test to check the communications between the host and SNMP agent.

Establishing the Configuration Task


Before configuring an SNMP query test, familiarize yourself with the applicable environment,
complete the pre-configuration tasks, and obtain the required data. This can help you complete
the configuration task quickly and accurately.

Applicable Environment
Through the SNMP Query test, you can obtain the statistics of the communication between hosts
and SNMP agents.

Pre-configuration Tasks
Before configuring the SNMP Query test, complete the following tasks:
l Configuring the SNMP agent
l Configuring routes between the NQA client and the SNMP agent

Data Preparation
To configure the SNMP query test, you need the following data.
No.  Data
1    Administrator name and test name
2    IP address of the SNMP agent
3    (Optional) Source IP addresses and source port numbers of test packets, interval for
     sending test packets, and percentage of the failed NQA tests
4    Start mode and end mode of the test

Configuring the SNMP Query Test Parameters


This part describes how to set SNMP query test parameters.

Context
Do as follows on the NQA client:

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
nqa test-instance admin-name test-name

An NQA test instance is created and the test instance view is displayed.
Step 3 Run:
test-type snmp

The test type is set to SNMP Query.


Step 4 Run:
destination-address ipv4 ip-address

The destination IP address, that is, the IP address of the SNMP agent, is configured.
NOTE

The SNMP function must be enabled on the destination host; otherwise, the destination host fails to receive
Echo packets.

Step 5 (Optional) Perform the following as required to configure other parameters for the SNMP test
(for detailed parameter configurations, see the chapter Configuring Universal NQA Test
Parameters):
l To configure the source IP address, run the source-address ipv4 ip-address command.
l To configure the source port number, run the source-port port-number command.
l To configure the interval for sending test packets, run the interval seconds interval
command.
l To configure the percentage of the failed NQA tests, run the fail-percent percent command.
l To configure the NQA test packets to be sent without searching the routing table, run the
sendpacket passroute command.
Step 6 Run:
start

The NQA test is started.


Select the start mode as required because the start command has several forms.
l To perform the NQA test immediately, run the start now [ end { at [ yyyy/mm/dd ]
hh:mm:ss | delay { seconds second | hh:mm:ss } | lifetime { seconds second | hh:mm:ss } } ]
command.
The test instance is started immediately.
l To perform the NQA test at the specified time, run the start at [ yyyy/mm/dd ] hh:mm:ss
[ end { at [ yyyy/mm/dd ] hh:mm:ss | delay { seconds second | hh:mm:ss } | lifetime
{ seconds second | hh:mm:ss } } ] command.

The test instance is started at a specified time.


l To perform the NQA test after a certain delay period, run the start delay { seconds second
| hh:mm:ss } [ end { at [ yyyy/mm/dd ] hh:mm:ss | delay { seconds second | hh:mm:ss } |
lifetime { seconds second | hh:mm:ss } } ] command.
The test instance is started after a certain delay.
----End

Checking the Configuration


After configuring the SNMP query test, you can view the test result.

Prerequisites
The configurations of the SNMP Query Test function are complete.

Context
NOTE

NQA test results cannot be displayed automatically on a terminal. You must run the display nqa results
command to view test results. By default, the command output contains the records about only the last
five tests.

Procedure
Step 1 Run the display nqa results [ test-instance admin-name test-name ] command to view the test
results on the NQA client.
----End

Example
Run the display nqa results command. If the test is successful, the following is displayed.
<Quidway> display nqa results
NQA entry(admin, snmp) :testflag is inactive ,testtype is snmp
1 . Test 1 result
The test is finished
Send operation times: 3
Receive response times: 3
Completion:success
RTD OverThresholds number: 0
Attempts number:0
Drop operation number:0
Disconnect operation number:0
Operation timeout number:0
System busy operation number:0
Connection fail number:0
Operation sequence errors number:0
RTT Stats errors number:0
Destination ip address:10.2.1.2
Min/Max/Average Completion Time: 63/172/109
Sum/Square-Sum Completion Time: 329/42389
Last Good Probe Time: 2006-8-5 15:33:49.1
Lost packet ratio: 0 %

10.5.12 Configuring the TCP Test


This section describes how to configure a Transmission Control Protocol (TCP) test to check
the responding speed of a TCP port.


Establishing the Configuration Task


Before configuring a TCP test, familiarize yourself with the applicable environment, complete
the pre-configuration tasks, and obtain the required data. This can help you complete the
configuration task quickly and accurately.

Applicable Environment
To obtain the time for the specified port to respond to a TCP connection request, you can create
an NQA TCP test instance.

Pre-configuration Tasks
Before configuring the TCP test, configure reachable routes between the NQA client and the
TCP server.

Data Preparation
To configure the TCP test, you need the following data.
No.  Data
1    Administrator name and test name
2    IP address and port number monitored by the TCP server
3    (Optional) Destination port numbers of the probe packets sent by the TCP client and
     source IP addresses, source port numbers of test packets, interval for sending test
     packets, and percentage of the failed NQA tests
4    Start mode and end mode of the test

Configuring the TCP Server


The IP address and number of the port monitored by the server must be identical with those
configured on the client.

Context
Do as follows on the NQA server (TCP server):

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
nqa-server tcpconnect [ vpn-instance vpn-instance-name ] ip-address port-number

The TCP monitoring service is configured.



NOTE

Note that the IP address and port number monitored by the server should be consistent with those configured
on the client.

----End

Configuring the TCP Client


This part describes how to set TCP test parameters.

Context
Do as follows on the NQA client (TCP client):

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
nqa test-instance admin-name test-name

An NQA test instance is created and the test instance view is displayed.
Step 3 Run:
test-type tcp

The test type is set to TCP.


Step 4 Run:
destination-address ipv4 ip-address

The destination IP address is configured.


Step 5 To configure the destination port number, run the destination-port port-number command.
Step 6 (Optional) Perform the following as required to configure other parameters for the TCP test (for
detailed parameter configurations, see the chapter Configuring Universal NQA Test
Parameters):
l To configure the source IP address, run the source-address ipv4 ip-address command.
l To configure the source port number, run the source-port port-number command.
l To configure the interval for sending test packets, run the interval seconds interval
command.
l To configure the percentage of the failed NQA tests, run the fail-percent percent command.
l To configure the NQA test packets to be sent without searching the routing table, run the
sendpacket passroute command.
Step 7 Run:
start

The NQA test is started.


Select the start mode as required because the start command has several forms.

l To perform the NQA test immediately, run the start now [ end { at [ yyyy/mm/dd ]
hh:mm:ss | delay { seconds second | hh:mm:ss } | lifetime { seconds second | hh:mm:ss } } ]
command.
The test instance is started immediately.
l To perform the NQA test at the specified time, run the start at [ yyyy/mm/dd ] hh:mm:ss
[ end { at [ yyyy/mm/dd ] hh:mm:ss | delay { seconds second | hh:mm:ss } | lifetime
{ seconds second | hh:mm:ss } } ] command.
The test instance is started at a specified time.
l To perform the NQA test after a certain delay period, run the start delay { seconds second
| hh:mm:ss } [ end { at [ yyyy/mm/dd ] hh:mm:ss | delay { seconds second | hh:mm:ss } |
lifetime { seconds second | hh:mm:ss } } ] command.
The test instance is started after a certain delay.
The differences between the TCP Public tests and the TCP Private tests are as follows:
l The TCP Public tests do not require the destination port to be configured on the client.
Connection requests are initiated and sent to the TCP port 7 of the destination address. The
server should monitor the TCP port 7.
l The TCP Private tests require the destination port be specified and the related monitoring
services enabled on the server.
----End

Checking the Configuration


After configuring the TCP test, you can view the test result.

Prerequisites
The configurations of the TCP Test function are complete.

Context
NOTE

NQA test results cannot be displayed automatically on a terminal. You must run the display nqa results
command to view test results. By default, the command output contains the records about only the last
five tests.

Procedure
l Run the display nqa results [ test-instance admin-name test-name ] command to view the
test results on the NQA client.
l Run the display nqa-server command to view the information about the NQA server.

----End

Example
Run the display nqa results command. If the test is successful, the following is displayed.
<Quidway> display nqa results
NQA entry(admin, tcp) :testflag is inactive ,testtype is tcp
1 . Test 1 result
The test is finished
Send operation times: 3
Receive response times: 3
Completion:success
RTD OverThresholds number: 0


Attempts number:0
Drop operation number:0
Disconnect operation number:0
Operation timeout number:0
System busy operation number:0
Connection fail number:0
Operation sequence errors number:0
RTT Stats errors number:0
Destination ip address:10.2.1.2
Min/Max/Average Completion Time: 31/62/51
Sum/Square-Sum Completion Time: 155/8649
Last Good Probe Time: 2006-8-5 15:55:15.3
Lost packet ratio: 0 %

Run the display nqa-server command, and the status of the NQA server is displayed.
<Quidway> display nqa-server
NQA Server Max: 100                   NQA Server Num: 1
NQA Concurrent TCP Server : 1         NQA Concurrent UDP Server: 0
nqa-server tcpconnect 10.112.58.3 2000 ACTIVE
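The display nqa results output shown for the DNS, traceroute, SNMP and TCP tests above shares one text layout (an NQA entry header, numbered "Test N result" and "Hop N" blocks, "key: value" lines). The following Python parser and health check are an added example, not Huawei code: they turn that output into a per-instance verdict that a monitoring job can alert on. The parse_nqa_results and evaluate names, the thresholds and the embedded sample are this example's own; the sample's second entry is constructed.

```python
"""Parse display nqa results output and flag unhealthy NQA test instances.

Added example, not Huawei code: it reads the text format of this guide's DNS,
traceroute, SNMP and TCP result examples and turns each instance into a verdict.
"""
import re

ENTRY_RE = re.compile(r"^NQA entry\((?P<admin>[^,]+),\s*(?P<name>[^)]+)\)"
                      r"\s*:.*?testtype is (?P<type>\w+)")
TEST_RE = re.compile(r"^\d+\s*\.\s*Test\s+(?P<n>\d+)\s+result")
HOP_RE = re.compile(r"^\d+\s*\.\s*Hop\s+(?P<n>\d+)")
KV_RE = re.compile(r"^(?P<key>[^:]+?)\s*:\s*(?P<val>.*)$")


def parse_nqa_results(text):
    """Return one dict per NQA entry: admin, name, type and its test records."""
    entries, test, hop = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = ENTRY_RE.match(line)
        if m:  # "NQA entry(admin, name) :testflag is ..., testtype is X"
            entries.append({"admin": m["admin"].strip(), "name": m["name"].strip(),
                            "type": m["type"], "tests": []})
            test = hop = None
            continue
        m = TEST_RE.match(line)
        if m and entries:  # "1 . Test 1 result"
            test = {"n": int(m["n"]), "fields": {}, "hops": []}
            entries[-1]["tests"].append(test)
            hop = None
            continue
        m = HOP_RE.match(line)
        if m and test is not None:  # "1 . Hop 1" inside a traceroute result
            hop = {"n": int(m["n"]), "fields": {}}
            test["hops"].append(hop)
            continue
        m = KV_RE.match(line)
        if m and test is not None:  # "key: value"; lines without a colon are skipped
            target = hop["fields"] if hop is not None else test["fields"]
            target[m["key"].strip()] = m["val"].strip()
    return entries


def _avg_completion_ms(fields):
    """Average from "Min/Max/Average Completion Time: min/max/avg", if present."""
    value = fields.get("Min/Max/Average Completion Time")
    return int(value.split("/")[2]) if value else None

def _loss_percent(fields):
    """Integer percentage from "Lost packet ratio: N %", if present."""
    value = fields.get("Lost packet ratio", "").replace("%", "").strip()
    return int(value) if value else None

def evaluate(entries, max_avg_ms=500, max_loss_percent=0):
    """Map "admin/name" to a list of problems; an empty list means healthy."""
    report = {}
    for entry in entries:
        problems = []
        for test in entry["tests"]:
            fields = test["fields"]
            if fields.get("Completion") != "success":
                problems.append(f"test {test['n']}: completion "
                                f"{fields.get('Completion', 'missing')}")
            # Traceroute carries its statistics per hop, the other tests per test.
            scopes = [(f"test {test['n']}", fields)]
            scopes += [(f"hop {h['n']}", h["fields"]) for h in test["hops"]]
            for label, f in scopes:
                loss = _loss_percent(f)
                if loss is not None and loss > max_loss_percent:
                    problems.append(f"{label}: {loss}% loss")
                avg = _avg_completion_ms(f)
                if avg is not None and avg > max_avg_ms:
                    problems.append(f"{label}: average completion {avg} ms "
                                    f"exceeds {max_avg_ms} ms")
        report[f"{entry['admin']}/{entry['name']}"] = problems
    return report


# Constructed sample: the first entry copies the DNS example in this guide,
# the second is a made-up failing TCP test in the same format.
SAMPLE = """\
<Quidway> display nqa results
NQA entry(t, t) :testflag is inactive ,testtype is dns
1 . Test 1 result
Completion:success
Destination ip address:10.82.55.191
Min/Max/Average Completion Time: 4/4/4
Lost packet ratio: 0 %
NQA entry(admin, tcp) :testflag is inactive ,testtype is tcp
1 . Test 1 result
Completion:failed
Destination ip address:10.2.1.2
Min/Max/Average Completion Time: 31/900/600
Lost packet ratio: 66 %
"""

if __name__ == "__main__":
    for instance, problems in evaluate(parse_nqa_results(SAMPLE)).items():
        print(instance, "OK" if not problems else "; ".join(problems))
```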

10.5.13 Configuring the UDP Test


This section describes how to configure a User Datagram Protocol (UDP) test to check the
responding speed of a UDP port.

Establishing the Configuration Task


Before configuring a UDP test, familiarize yourself with the applicable environment, complete
the pre-configuration tasks, and obtain the required data. This can help you complete the
configuration task quickly and accurately.

Applicable Environment
To obtain the time for the specified port to respond to a UDP connection request, you can create
a UDP test instance.

Pre-configuration Tasks
Before configuring the UDP test, configure reachable routes between the NQA client and the
UDP server.

Data Preparation
To configure the UDP test, you need the following data.

No.  Data
1    Administrator name and test name
2    IP address and port of the UDP server
3    Destination IP address and the port of the probe packets sent by the UDP client
4    (Optional) Source IP addresses and source port numbers of test packets, interval for
     sending test packets, and percentage of the failed NQA tests
5    Start mode and end mode of the test


Configuring the UDP Server


The IP address and number of the port monitored by the server must be identical with those
configured on the client.

Context
Do as follows on the NQA server (UDP server):

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
nqa-server udpecho [ vpn-instance vpn-instance-name ] ip-address port-number

The UDP monitoring service is configured.


Note that the IP address and port number monitored by the server should be consistent with those
configured on the client.
----End

Configuring the UDP Client


This part describes how to set UDP test parameters.

Context
Do as follows on the NQA client (UDP client):

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
nqa test-instance admin-name test-name

An NQA test instance is created and the test instance view is displayed.
Step 3 Run:
test-type udp

The test type is set to UDP.


Step 4 Run:
destination-address ipv4 ip-address

The destination IP address is configured.


Step 5 Run:
destination-port port-number


The destination port number is configured.


Step 6 (Optional) Perform the following as required to configure other parameters for the UDP test
(for detailed parameter configurations, see the chapter Configuring Universal NQA Test
Parameters):
l To configure the source IP address, run the source-address ipv4 ip-address command.
l To configure the source port number, run the source-port port-number command.
l To configure the interval for sending test packets, run the interval seconds interval
command.
l To configure the percentage of the failed NQA tests, run the fail-percent percent command.
l To configure the NQA test packets to be sent without searching the routing table, run the
sendpacket passroute command.
Step 7 Run:
start

The NQA test is started.


Select the start mode as required because the start command has several forms.
l To perform the NQA test immediately, run the start now [ end { at [ yyyy/mm/dd ]
hh:mm:ss | delay { seconds second | hh:mm:ss } | lifetime { seconds second | hh:mm:ss } } ]
command.
The test instance is started immediately.
l To perform the NQA test at the specified time, run the start at [ yyyy/mm/dd ] hh:mm:ss
[ end { at [ yyyy/mm/dd ] hh:mm:ss | delay { seconds second | hh:mm:ss } | lifetime
{ seconds second | hh:mm:ss } } ] command.
The test instance is started at a specified time.
l To perform the NQA test after a certain delay period, run the start delay { seconds second
| hh:mm:ss } [ end { at [ yyyy/mm/dd ] hh:mm:ss | delay { seconds second | hh:mm:ss } |
lifetime { seconds second | hh:mm:ss } } ] command.
The test instance is started after a certain delay.
----End

Checking the Configuration


After configuring the UDP test, you can view the test result.

Prerequisites
The configurations of the UDP Test function are complete.

Context
NOTE

NQA test results cannot be displayed automatically on a terminal. You must run the display nqa results
command to view test results. By default, the command output contains the records about only the last
five tests.

Procedure
l Run the display nqa results [ test-instance admin-name test-name ] command to view the
test results on the NQA client.
l Run the display nqa-server command to view the information about the NQA server.

----End

Example
Run the display nqa results command. If the test is successful, the following is displayed.
<Quidway> display nqa results
NQA entry(admin, udp) :testflag is inactive ,testtype is udp
1 . Test 1 result
The test is finished
Send operation times: 3
Receive response times: 3
Completion:success
RTD OverThresholds number: 0
Attempts number:1
Drop operation number:0
Disconnect operation number:0
Operation timeout number:0
System busy operation number:0
Connection fail number:0
Operation sequence errors number:0
RTT Stats errors number:0
Destination ip address:10.2.1.2
Min/Max/Average Completion Time: 32/109/67
Sum/Square-Sum Completion Time: 203/16749
Last Good Probe Time: 2006-8-5 16:9:21.6
Lost packet ratio: 0 %

Run the display nqa-server command. If the status of the NQA server is displayed, it means
that the configuration succeeds.
<Quidway> display nqa-server
NQA Server Max: 100
NQA Concurrent TCP Server : 0

NQA Server Num: 1


NQA Concurrent UDP Server: 1

nqa-server udpecho 10.112.58.3 3000 ACTIVE

10.5.14 Configuring the Jitter Test


This section describes how to configure a jitter test to check jitter on the network. You can
perform a jitter test only when both the client and the server are Huawei devices.

Establishing the Configuration Task


Before configuring a jitter test, familiarize yourself with the applicable environment, complete
the pre-configuration tasks, and obtain the required data. This can help you complete the
configuration task quickly and accurately.

Applicable Environment
The jitter time refers to the interval for sending two adjacent packets minus the interval for
receiving the two packets.
The process of a Jitter test is as follows:
1. The source sends a packet to the destination at a specified interval.
2. After receiving the packet, the destination adds a timestamp to the packet and returns it
to the source.
3. After receiving the returned packets, the source subtracts the interval for the source to send
two adjacent packets from the interval for the destination to receive the two packets and
then obtains the jitter time.

The maximum, minimum, and average jitter time calculated based on the information received
on the source can clearly show the network status.
In a Jitter test, you can set the number of packets to be sent consecutively. Through this setting,
certain traffic can be simulated within a certain period. For example, if you set 3000 UDP packets
to be sent at an interval of 20 milliseconds, one minute of G.711 traffic is simulated.
NOTE

To improve the test accuracy, you can configure the Network Time Protocol (NTP) on both the client and
the server.

Pre-configuration Tasks
Before configuring the Jitter test, configure reachable routes between the NQA client and the
NQA server.

Data Preparation
To configure the Jitter test, you need the following data.
No. Data
1 Administrator name and test name
2 IP address and the port number monitored by the UDP server
3 Destination IP addresses and port numbers of the probe packets sent by the UDP client
4 (Optional) VPN instance name, source IP address and port number of the probe packet
sent by the UDP client, number of probe packets and test packets sent each time,
interval for sending probe packets and test packets, percentage of the failed NQA
tests, and version number carried in the Jitter packet
5 Start mode and end mode of the test

Configuring the Jitter Server


The IP address and number of the port monitored by the server must be identical with those
configured on the client.

Context
Do as follows on the NQA server (Jitter server):

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
nqa-server udpecho [ vpn-instance vpn-instance-name ] ip-address port-number

The UDP monitoring service is configured.


Note that the IP address and port number monitored by the Jitter server should be consistent
with those configured on the client.
----End

Configuring the Jitter Client


This part describes how to configure the client of the jitter test.

Context
NOTE

The system supports the collection of the statistics about the maximum uni-directional transmission delay.

Perform the following steps on the NQA client (Jitter client).

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 (Optional) To configure the version number of Jitter packets, run the nqa-jitter tag-version
version-number command in the system view.
If version 2 is used and the collection of uni-directional packet loss statistics is enabled,
you can see whether packets were lost from the source to the destination, from the
destination to the source, or in an unknown direction. With these statistics, the network
administrator can more easily detect network faults and malicious attacks.
Step 3 Run:
nqa test-instance admin-name test-name

An NQA test instance is created and the test instance view is displayed.
Step 4 Run:
test-type jitter

The test type is set to Jitter.


Step 5 Run:
destination-address ipv4 ip-address

The destination IP address is configured.


Step 6 Run:
destination-port port-number

The destination port number is configured.


NOTE

A port number larger than 10000 is recommended for a jitter test instance. A small port number may conflict
with the default port number of a protocol, causing a test failure.

Step 7 (Optional) Perform the following as required to configure other parameters for the Jitter test
(for detailed parameter configurations, see the chapter Configuring Universal NQA Test
Parameters):
l To configure the source IP address, run the source-address ipv4 ip-address command.
l To configure the source port number, run the source-port port-number command.
l To configure the probe times in the NQA test, run the probe-count number command.
l To configure the number of test packets sent each time, run the jitter-packetnum number
command.
The Jitter test is used to collect statistics and perform analysis of the transmission delay
variation of the UDP packets. The system sends multiple test packets for each test to make
the statistics more accurate. The more test packets are sent, the more accurate the statistics
and analysis are. This process, however, is time consuming.
NOTE

The number of the Jitter tests depends on the probe-count command. The number of test packets sent
during each test depends on the jitter-packetnum command. During the actual configuration, the
product of the number of test times and the number of the test packets must be less than 3000.

l To configure the interval for sending test packets, run the interval { milliseconds interval |
seconds interval } command.
The shorter the interval for sending the Jitter test packets is, the faster the test is completed.
If the interval, however, is set to a very small value, the jitter statistics result may have a
greater error.
l To configure the percentage of the failed NQA tests, run the fail-percent percent command.
l To send the NQA test packet without searching the routing table, run the sendpacket
passroute command.
Step 8 Run:
start

The NQA test is started.


Select the start mode as required because the start command has several forms.
l To perform the NQA test immediately, run the start now [ end { at [ yyyy/mm/dd ]
hh:mm:ss | delay { seconds second | hh:mm:ss } | lifetime { seconds second | hh:mm:ss } } ]
command.
The test instance is started immediately.
l To perform the NQA test at the specified time, run the start at [ yyyy/mm/dd ] hh:mm:ss
[ end { at [ yyyy/mm/dd ] hh:mm:ss | delay { seconds second | hh:mm:ss } | lifetime
{ seconds second | hh:mm:ss } } ] command.
The test instance is started at a specified time.
l To perform the NQA test after a certain delay period, run the start delay { seconds second
| hh:mm:ss } [ end { at [ yyyy/mm/dd ] hh:mm:ss | delay { seconds second | hh:mm:ss } |
lifetime { seconds second | hh:mm:ss } } ] command.
The test instance is started after a certain delay.
----End
Checking the Configuration


After configuring the jitter test, you can view the test result.

Prerequisites
The configurations of the Jitter Test function are complete.

Context
NOTE

NQA test results cannot be displayed automatically on a terminal. You must run the display nqa results
command to view test results. By default, the command output contains the records about only the last
five tests.

Procedure
l Run the display nqa results [ test-instance admin-name test-name ] command to view the
test results on the NQA client.
l Run the display nqa-server command to view the information about the NQA server.

----End

Example
Run the display nqa results command. If the test is successful, the following is displayed.
<Quidway> display nqa results test-instance admin jitter
NQA entry(admin, jitter) :testflag is inactive ,testtype is jitter
1 . Test 1 result
The test is finished
SendProbe:60
ResponseProbe:60
Completion:success
RTD OverThresholds number:0
Min/Max/Avg/Sum RTT:1/98/8/461
RTT Square Sum:23037
NumOfRTT:60
Drop operation number:0
Operation sequence errors number:0
RTT Stats errors number:0
System busy operation number:0
Operation timeout number:0
Min Positive SD:1
Min Positive DS:1
Max Positive SD:96
Max Positive DS:8
Positive SD Number:15
Positive DS Number:8
Positive SD Sum:172
Positive DS Sum:18
Positive SD Square Sum :9868
Positive DS Square Sum :86
Min Negative SD:1
Min Negative DS:1
Max Negative SD:20
Max Negative DS:10
Negative SD Number:18
Negative DS Number:8
Negative SD Sum:163
Negative DS Sum:28
Negative SD Square Sum :2519
Negative DS Square Sum :194
Min Delay SD:0
Min Delay DS:0
Avg Delay SD:3
Avg Delay DS:3
Max Delay SD:49
Max Delay DS:48
Packet Loss SD:0
Packet Loss DS:0
Packet Loss Unknown:0
Jitter out value:0.3020833
Jitter in value:0.3854167
NumberOfOWD:60
OWD SD Sum:65
OWD DS Sum:57
TimeStamp unit: ms
Packet Rewrite Number: 0
Packet Rewrite Ratio: 0%
Packet Disorder Number: 0
Packet Disorder Ratio: 0%
Fragment-disorder Number: 0
Fragment-disorder Ratio: 0%
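The jitter computation described under Applicable Environment above and the counters in this display nqa results output (and the Min/Max/Average, Sum/Square-Sum RTT fields of the UDP example earlier), worked through in Python as an added example that is not Huawei's code. Assumptions of this example: jitter is taken as receive interval minus send interval with positive meaning the later packet was delayed more, a test fails when the lost-packet percentage reaches fail-percent, and the destination's per-probe receive record (dst_received) is what lets the source attribute a loss to the SD or DS direction.

```python
"""Added example (not Huawei code): recompute the counters an NQA jitter test reports
(RTT, per-direction jitter, one-way delay, loss direction) from per-probe timestamps."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Probe:
    """One probe; timestamps in ms on a shared clock (hence the guide's NTP advice).
    dst_received models the destination's per-probe record used to attribute a loss."""
    seq: int
    t_src_tx: float                      # source sends the probe
    t_dst_rx: Optional[float] = None     # destination receives it (None: lost on the way)
    t_dst_tx: Optional[float] = None     # destination timestamps and returns it
    t_src_rx: Optional[float] = None     # source receives the reply (None: no reply)
    dst_received: Optional[bool] = None  # destination's record; None means unknown


@dataclass
class Stat:
    """Min / max / count / sum / square-sum, the values NQA prints per counter."""
    count: int = 0
    total: float = 0.0
    square_sum: float = 0.0
    lo: Optional[float] = None
    hi: Optional[float] = None

    def add(self, v: float) -> None:
        self.count += 1
        self.total += v
        self.square_sum += v * v
        self.lo = v if self.lo is None else min(self.lo, v)
        self.hi = v if self.hi is None else max(self.hi, v)

    @property
    def avg(self) -> float:
        return self.total / self.count if self.count else 0.0


def direction_jitter(pairs: List[Tuple[Optional[float], Optional[float]]]) -> Dict[str, Stat]:
    """pairs: (send time, receive time) per probe in one direction, None when lost.
    Jitter between adjacent received packets = receive interval - send interval (sign
    convention assumed: positive = later packet delayed more); zero counts in neither bucket."""
    positive, negative = Stat(), Stat()
    prev: Optional[Tuple[float, float]] = None
    for tx, rx in pairs:
        if tx is None or rx is None:
            prev = None  # a lost packet breaks the adjacency
            continue
        if prev is not None:
            j = (rx - prev[1]) - (tx - prev[0])
            if j > 0:
                positive.add(j)
            elif j < 0:
                negative.add(-j)  # stored as a magnitude, as in 'Max Negative SD'
        prev = (tx, rx)
    return {"positive": positive, "negative": negative}


def jitter_results(probes: List[Probe], rtd_threshold_ms: Optional[float] = None,
                   fail_percent: int = 100) -> dict:
    """Aggregate one test. Assumed completion rule: the test fails when the lost-packet
    percentage reaches fail-percent (default 100, so only total loss fails)."""
    probes = sorted(probes, key=lambda p: p.seq)
    rtt, delay_sd, delay_ds = Stat(), Stat(), Stat()
    loss, over_threshold = {"SD": 0, "DS": 0, "Unknown": 0}, 0
    for p in probes:
        if p.t_src_rx is None:  # no reply: attribute the loss to a direction
            loss["DS" if p.dst_received else "SD" if p.dst_received is False else "Unknown"] += 1
            continue
        r = p.t_src_rx - p.t_src_tx
        rtt.add(r)
        if rtd_threshold_ms is not None and r > rtd_threshold_ms:
            over_threshold += 1  # 'RTD OverThresholds number'
        delay_sd.add(p.t_dst_rx - p.t_src_tx)  # one-way delays need synchronised clocks
        delay_ds.add(p.t_src_rx - p.t_dst_tx)
    sent, received = len(probes), rtt.count
    lost_ratio = 100.0 * (sent - received) / sent if sent else 0.0
    return {
        "SendProbe": sent,
        "ResponseProbe": received,
        "Completion": "failed" if lost_ratio >= fail_percent else "success",
        "RTD OverThresholds number": over_threshold,
        "RTT": rtt,
        "SD": direction_jitter([(p.t_src_tx, p.t_dst_rx) for p in probes]),
        "DS": direction_jitter([(p.t_dst_tx, p.t_src_rx) for p in probes]),
        "Delay SD": delay_sd,
        "Delay DS": delay_ds,
        "Packet Loss": loss,
        "Lost packet ratio": lost_ratio,
    }


# Constructed sample: six probes sent 20 ms apart; probe 4 is lost source-to-destination
# and probe 5 reaches the destination but its reply is lost on the way back.
SAMPLE_PROBES = [
    Probe(1, 0, 3, 3, 6, True), Probe(2, 20, 25, 25, 29, True),
    Probe(3, 40, 42, 42, 46, True), Probe(4, 60, None, None, None, False),
    Probe(5, 80, 84, 84, None, True), Probe(6, 100, 103, 103, 107, True),
]
```

Feeding the Stat class the three RTT samples 32, 62 and 109 reproduces the Min/Max/Average 32/109/67 and Sum/Square-Sum 203/16749 of the UDP example, which is how those two summary lines relate to each other.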

10.5.15 Configuring Universal NQA Test Parameters


This section describes how to set and use universal parameters for NQA test instances.

Establishing the Configuration Task


Before setting universal parameters for NQA test instances, familiarize yourself with the
applicable environment, complete the pre-configuration tasks, and obtain the required data. This
can help you complete the configuration task quickly and accurately.

Applicable Environment
NQA supports not only the configuration of the parameters for various types of tests, but also
the configuration of universal options of a test group.
Commonly, the default configurations of the universal parameters are adopted.

Pre-configuration Tasks
Before configuring universal NQA parameters, create NQA tests correctly.

Configuring Universal Parameters for the NQA Test Instance


This part describes the application of each parameter in the NQA test instance.

Context
Perform the following steps on the NQA client.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
nqa test-instance admin-name test-name

The NQA test instance view is displayed.


Step 3 Configure global parameters for the test instance as required. Before configuring the global
parameters, run the test-type command to specify the test type.
l Run:
agetime hh:mm:ss

The aging time is set for the NQA test instance.


l Run:
datafill fillstring

The fill string is set for the NQA test instance.


NOTE

This parameter cannot be configured for SNMP, TCP, FTP, HTTP, and DNS test instances.
You can configure padding characters for only UDP, ICMP, Jitter and Trace tests.

l Run:
datasize size

The packet size is set for the NQA test instance.


NOTE

This parameter cannot be configured for SNMP, TCP, FTP, HTTP, and DNS test instances.

l Run:
description string

The description is configured for the NQA test instance.


l Run:
destination-address ipv4 ip-address

The destination IP address is set for the NQA test instance.


l Run:
destination-address url urlstring

The destination URL address is set for the NQA test instance.
NOTE

The destination URL address can be configured for DNS and HTTP test instances.

l Run:
destination-port port-number

The destination port number is set for the NQA test instance.
NOTE

The destination port number can be configured only for UDP, Jitter, TCP, Trace, FTP, and HTTP test
instances.

l Run:
dns-server ipv4 ip-address

The DNS server address is configured for the NQA test instance.
NOTE

The DNS server address can be configured only for DNS and HTTP test instances.

l Run:
fail-percent percent

The failure percentage is set for the NQA test instance.


NOTE

This parameter cannot be configured for Trace, FTP, and DNS test instances.

l Run:
frequency interval

The test period is set for the NQA test instance.


l Run:
ftp-filename file-name

The file name and file path are configured for the FTP test instance.
NOTE

The file name and file path can be configured only for the FTP test instance.

l Run:
ftp-filesize size

The size of the file is set for the FTP test instance.
NOTE

The size of the file can be configured only for the FTP test instance.

l Run:
ftp-operation { get | put }

The operation type is configured for the FTP test instance.


NOTE

The operation type can be configured only for the FTP test instance.

l Run:
ftp-password { password | cipher cipher-password }

The user password is set for the FTP test instance.


NOTE

The user password can be configured only for the FTP test instance.

l Run:
ftp-username name

The user name is set for the FTP test instance.


NOTE

The user name can be configured only for the FTP test instance.

l Run:
http-operation get

The test type is set for the HTTP test instance.


NOTE

The operation type can be configured only for the HTTP test instance.

l Run:
http-url deststring [ verstring ]

The relative file path and version are configured for the HTTP test instance.
NOTE

The relative file path and version can be configured only for the HTTP test instance.

l Run:
interval { milliseconds interval | seconds interval }

The interval for sending packets is set for the NQA test instance.
NOTE

The interval for sending packets can be configured only for the ICMP, UDP, SNMP, Jitter, and TCP
test instances.

l Run:
jitter-packetnum number

The number of test packets is set for the NQA test instance.
l Run:
probe-count number

The number of probes for one time is set.


NOTE

This parameter cannot be configured for FTP and DNS test instances.

l Run:
probe-failtimes times

The number of permitted maximum probe failures, that is, the threshold to trigger the trap
message, is set for the NQA test instance.
l Run:
records history number

The maximum number of history records is set for the NQA test instance.
l Run:
records result number

The maximum number of result records is set for the NQA test instance.
l Run:
sendpacket passroute

The NQA test is configured to send packets without searching for the routing table.
NOTE

This parameter cannot be configured for DNS test instance.

l Run:
set-df

Packet fragmentation is prohibited.


NOTE

This function can be configured only for the Trace test instances.

l Run:
send-trap { all | { probefailure | rtd | testcomplete | testfailure } * }

The condition for triggering the trap message is configured.


l Run:
source-address ipv4 ip-address

The source IP address is set for the NQA test instance.


l Run:
source-interface interface-type interface-number

The source interface is configured for the NQA test instance.


NOTE

The source interface can be configured for ICMP test instances.

l Run:
source-port port-number

The source port number is set for the NQA test instance.
NOTE

This parameter can be configured for UDP, SNMP, TCP, FTP, and HTTP test instances.

l Run:
test-failtimes times

The trap threshold for continuous probe failures is set for the NQA test instance.
l Run:
timeout time

The timeout period is set for the NQA test instance.


l Run:
ttl number

The TTL value in the NQA test packet is set.


NOTE

This parameter cannot be configured for DNS and Trace test instances.

l Run:
tos value

Type of Service (TOS) is set for the test packet.


NOTE

This parameter cannot be configured for DNS and Trace test instances.

l Run:
tracert-hopfailtimes times

The hop fail times are set for the Trace test instance.
NOTE

This parameter can be configured only for Trace test instance.

l Run:
tracert-livetime first-ttl first-ttl max-ttl max-ttl

The lifetime is set for the Trace test instance.


NOTE

This parameter can be configured only for Trace test instance.

----End

Checking the Configuration


After setting universal parameters for NQA test instances, you can view the test result.

Prerequisites
The configurations of the Universal NQA Test Parameters function are complete.

Procedure
Step 1 Run the display nqa-agent [ admin-name test-name ] [ verbose ] command to view the status of the test
instance configured on the NQA client.
----End

Example
<Quidway> display nqa-agent
nqa test-instance a a
test-type pwe3trace
local-pw-id 1
vc-type bgp
nqa status : normal
nqa test-instance a b
test-type icmpjitter
destination-address ipv4 100.1.1.201
source-address ipv4 100.1.1.200
hardware-based enable
ttl 100
tos 100
timeout 20
nqa status : normal

10.5.16 Configuring Round-Trip Delay Thresholds


This section describes how to set a round-trip delay transmission threshold in an NQA test
instance.

Establishing the Configuration Task


Before setting a round-trip transmission delay threshold, familiarize yourself with the applicable
environment, complete the pre-configuration tasks, and obtain the required data. This can help
you complete the configuration task quickly and accurately.

Applicable Environment
If the round-trip transmission delay threshold is configured for a NQA test instance, the NQA
test result will contain the statistics on the test packets that exceed the set threshold. This provides
the basis for the network manager to analyze the operation status of the specified service.

Pre-configuration Tasks
Before configuring the round-trip transmission delay threshold, complete the following tasks:
l Running the device normally
l Creating NQA test instances and configuring related parameters correctly

Data Preparation
To configure the round-trip transmission delay threshold, you need the following data.
No. Data
1 Administrator name and test name
2 Round-trip transmission delay threshold

Configuring Round-Trip Delay Thresholds


This part describes how to set a round-trip transmission delay threshold. When the transmission
duration exceeds the threshold, a trap message is sent to the Network Management System
(NMS).

Context
Do as follows on the Switch to perform the NQA test:

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
nqa test-instance admin-name test-name

An NQA test instance is created and the NQA instance view is displayed.
Step 3 Run:
test-type test-type

The test type is configured.


Step 4 Run:
destination-address ipv4 ip-address

The destination IP address is configured.


Step 5 (Optional) Run:
destination-port port-number

The destination port number is configured.


Step 6 Run:
threshold rtd rtd-value

The round-trip transmission delay threshold is configured.


Step 7 Run:
send-trap rtd

The trap function is enabled.


----End

Checking the Configuration


After setting the round-trip transmission delay threshold, you can view the configuration.

Prerequisites
The configurations of the Round-Trip Delay Thresholds Test function are complete.

Procedure
Step 1 Run the display nqa-agent [ admin-name test-name ] [ verbose ] command to view the status of the test
instance configured on the NQA client.
----End

Example
Run the display nqa-agent verbose command. If the test is successful, the following is
displayed. For example:
<Quidway> display nqa-agent verbose
nqa test-instance admin jitter
test-type jitter
destination-address ipv4 100.1.1.201
destination-port 80
threshold rtd 2000
send-trap rtd
nqa status : normal

10.5.17 Configuring the Trap Function


This section describes how to configure the trap function in an NQA test instance. After the trap
function is configured, a trap message is sent to the NMS in case of transmission success or
transmission failure.

Establishing the Configuration Task


Before configuring the trap function, familiarize yourself with the applicable environment,
complete the pre-configuration tasks, and obtain the required data. This can help you complete
the configuration task quickly and accurately.

Applicable Environment
Trap messages are generated regardless of whether the NQA test is successful or fails. You can
control whether to send trap messages to the NM station by enabling or disabling the trap
function.
NQA supports three types of trap messages as defined in the DISMAN-PING-MIB.
l Trap message sent when an NQA probe fails
This message checks whether the probe Echo packets are received.
If the number of packets that have no responses reaches the upper limit, trap messages are
sent to a specified NM station.
l Trap message sent when an NQA test fails
This message checks whether the test fails.
If the number of the times that a test fails exceeds the limit, trap messages are sent to a
specified NM station.
l Trap message sent when an NQA test is successful
This message checks whether the test is successful.
If Echo packets are received during an NQA test, trap messages are sent to a specified NM
station.
NQA also supports the sending of trap messages to the NM station when the uni-directional
transmission delay or the round-trip transmission delay exceeds the threshold.
l For all tests supporting traps, if the round-trip transmission delay exceeds the threshold and
the trap function is enabled, trap messages are sent to the NM station with the specified IP
address.
l For all the Jitter tests, if the uni-directional transmission delay exceeds the threshold and
the trap function is enabled, trap messages are sent to the NM station with the specified IP
address.

Trap messages carry information such as destination IP address, operation status, destination IP
address of the test packet, minimum RTT, maximum RTT and total RTT, number of sent probe
packets, number of received packets, RTT square sum, and time of the last successful probe.
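The trap-triggering rules described above (probe failure, test failure, test completion and round-trip delay over threshold), expressed in Python as an added example that is not Huawei's code. The counting rules are this example's assumptions: probe-failtimes and test-failtimes fire on every multiple of the configured count, fail-percent is the lost-probe percentage at which a test counts as failed, and a testcomplete trap is raised only for a completed test that received at least one echo reply.

```python
"""Added example (not Huawei code): which of the four send-trap events an NQA test
instance would raise, given its thresholds and each probe's result."""
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

TRAP_NAMES = ("probefailure", "rtd", "testcomplete", "testfailure")  # send-trap keywords


@dataclass
class TrapConfig:
    """Mirrors the page's commands. Counting rules are this example's assumptions:
    probe-failtimes / test-failtimes fire on every multiple of the configured count and
    fail-percent is the lost-probe percentage at which a test counts as failed."""
    send_trap: Set[str] = field(default_factory=set)  # subset of TRAP_NAMES, or {"all"}
    probe_failtimes: int = 1  # page default: a trap for each probe failure
    test_failtimes: int = 1   # page default: a trap for each test failure
    threshold_rtd_ms: Optional[float] = None  # 'threshold rtd'; None = not configured
    fail_percent: int = 100

    def wants(self, name: str) -> bool:
        return "all" in self.send_trap or name in self.send_trap


def evaluate_test(rtts: List[Optional[float]], cfg: TrapConfig,
                  consecutive_failures: int = 0) -> Tuple[bool, List[str]]:
    """One test period: rtts holds one entry per probe (None = no echo reply).
    Returns (test_failed, traps raised in order)."""
    traps: List[str] = []
    lost = over = 0
    for rtt in rtts:
        if rtt is None:
            lost += 1  # unanswered probe
            if cfg.wants("probefailure") and lost % cfg.probe_failtimes == 0:
                traps.append("probefailure")
        elif cfg.threshold_rtd_ms is not None and rtt > cfg.threshold_rtd_ms:
            over += 1  # counted as 'RTD OverThresholds number' in the results
    if over and cfg.wants("rtd"):
        traps.append("rtd")  # round-trip delay exceeded the configured threshold
    failed = bool(rtts) and 100 * lost / len(rtts) >= cfg.fail_percent
    if failed:
        if cfg.wants("testfailure") and (consecutive_failures + 1) % cfg.test_failtimes == 0:
            traps.append("testfailure")
    elif cfg.wants("testcomplete") and lost < len(rtts):
        traps.append("testcomplete")  # echo replies were received and the test completed
    return failed, traps


def run_tests(tests: List[List[Optional[float]]], cfg: TrapConfig) -> List[List[str]]:
    """Run several test periods in sequence, tracking consecutive test failures."""
    consecutive, report = 0, []
    for rtts in tests:
        failed, traps = evaluate_test(rtts, cfg, consecutive)
        consecutive = consecutive + 1 if failed else 0
        report.append(traps)
    return report


# Constructed sample: four test periods of three probes each (RTT in ms, None = lost).
SAMPLE_TESTS = [[20, 150, 30], [None, None, 40], [None, None, None], [10, 20, 30]]
SAMPLE_CFG = TrapConfig(send_trap={"all"}, probe_failtimes=2, test_failtimes=2,
                        threshold_rtd_ms=100, fail_percent=50)
```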

Pre-configuration Tasks
Before configuring the trap function, complete the following tasks:
l Configuring routes between the NQA client and the NM station
l Creating an NQA test and configuring related parameters correctly

Data Preparation
To configure the trap function, you need the following data.
No. Data
1 Administrator name and test name
2 NQA events that trigger the trap function
3 (Optional) Number of test failures that trigger sending a trap message
4 (Optional) Number of probe failures that trigger sending a trap message

Sending Trap Messages When Test Failed


A trap message is sent to the NMS when the transmission of NQA test packets fails.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
nqa test-instance admin-name test-name

An NQA test instance is created and the test instance view is displayed.
Step 3 Run:
test-type { jitter | icmpjitter }

The test type is configured.


Step 4 Run:
destination-address ipv4 ip-address

The destination IP address is configured.


Step 5 (Optional) Run:
destination-port port-number

The destination port number is configured.


Step 6 Run:
send-trap testfailure

Sending trap messages when tests fail is enabled.


By default, the trap function is disabled.
Step 7 Run:
test-failtimes times

The number of test failures that trigger sending a trap message is configured.
By default, a trap message is sent for each test failure.
----End
Sending Trap Messages When Probes Failed


A trap message is sent to the NMS when the NQA test fails.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
nqa test-instance admin-name test-name

An NQA test instance is created and the test instance view is displayed.
Step 3 Run:
test-type tcp

The test type is configured.


Step 4 Run:
destination-address ipv4 ip-address

The destination IP address is configured.


Step 5 (Optional) Run:
destination-port port-number

The destination port number is configured.


Step 6 Run:
send-trap probefailure

Sending trap messages when probes fail is enabled.


By default, the trap function is disabled.
Step 7 Run:
probe-failtimes times

The number of probe failures that trigger sending a trap message is configured.
By default, a trap message is sent for each probe failure.
----End

Sending Trap Messages When Probes Are Complete


A trap message is sent to the NMS when the NQA test is complete.

Context
Do as follows on the NQA client:

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
nqa test-instance admin-name test-name

An NQA test instance is created and the test instance view is displayed.
Step 3 Run:
test-type { jitter | icmpjitter }

The test type is configured.


Step 4 Run:
destination-address ipv4 ip-address

The destination IP address is configured.


Step 5 (Optional) Run:
destination-port port-number

The destination port number is configured.


Step 6 Run:
send-trap testcomplete

Sending trap messages when tests are completed is enabled.


By default, the trap function is disabled.
----End

Sending Trap Messages When the Transmission Delay Exceeds Thresholds


A trap message is sent to the NMS when the test result exceeds the threshold.

Context
Do as follows on the NQA client:

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
nqa test-instance admin-name test-name

An NQA test instance is created and the test instance view is displayed.
Step 3 Run:
test-type { jitter | icmpjitter }

The test type is configured.


Step 4 Run:
destination-address ipv4 ip-address

The destination IP address is configured.


Step 5 (Optional) Run:
destination-port port-number

The destination port number is configured.


Step 6 Run:
send-trap rtd

Sending trap messages when the transmission delay exceeds the threshold is enabled.
By default, the trap function is disabled.
----End

Checking the Configuration


After the trap function is enabled in an NQA test instance, you can view trap messages in the
trap buffer.

Prerequisites
The configurations of the Trap function are complete.

Procedure
Step 1 Run the display trapbuffer [ size value ] command to view the trap messages sent in an NQA test.
----End

Example
Run the display trapbuffer [ size value ] command. If information about the trap messages is
displayed, it means that the configuration succeeds.
For example:
<Quidway> display trapbuffer size 2
Trapping buffer configuration and contents:enabled
Allowed max buffer size : 1024
Actual buffer size : 256
Channel number : 3 , channel name : trapbuffer
Dropped messages : 0
Overwritten messages : 0
Current messages : 11
#May 6 2009 12:54:17 CBB6-PE3 SINDEX/4/INDEXMAP:OID 1.3.6.1.4.1.2011.5.25.110.2.0.1 ShortIFIndexMapTable changed.
#May 6 2009 11:02:37 CBB6-PE3 SRM_BASE/4/ENTITYREGSUCCESS: OID 1.3.6.1.4.1.2011.5.25.129.2.1.18 Physical entity register succeeded. (EntityPhysicalIndex=17367040, BaseTrapSeverity=2, BaseTrapProbableCause=70144, BaseTrapEventType=5, EntPhysicalContainedIn=16777216, EntPhysicalName="SRU slot 9", RelativeResource="", ReasonDescription="MPU9")
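The trap lines above are what an NMS or log collector has to consume. The following Python script is an added example and is not part of the Huawei guide: it parses a display trapbuffer dump (the sample is the guide's own output with the wrapped trap lines rejoined) into one record per trap, splits the parenthesised key=value fields, and reports traps that the buffer dropped or overwrote, which are events the NMS never saw. The line format and the 0 to 7 severity scale (0 most severe, 4 warning) are assumptions based on the sample.

```python
"""Parse the output of 'display trapbuffer' into structured trap records.

Added example, not from the Huawei guide: the sample is the guide's own
'display trapbuffer size 2' output with each wrapped trap line joined back
into one record. The line format is inferred from that sample and is an
assumption; the 0-7 severity scale is the usual VRP syslog-style scale.
"""
import re

# Constructed sample (copied from the guide's example output, lines rejoined).
SAMPLE_TRAPBUFFER = """\
Trapping buffer configuration and contents:enabled
Allowed max buffer size : 1024
Actual buffer size : 256
Channel number : 3 , channel name : trapbuffer
Dropped messages : 0
Overwritten messages : 0
Current messages : 11
#May 6 2009 12:54:17 CBB6-PE3 SINDEX/4/INDEXMAP:OID 1.3.6.1.4.1.2011.5.25.110.2.0.1 ShortIFIndexMapTable changed.
#May 6 2009 11:02:37 CBB6-PE3 SRM_BASE/4/ENTITYREGSUCCESS: OID 1.3.6.1.4.1.2011.5.25.129.2.1.18 Physical entity register succeeded. (EntityPhysicalIndex=17367040, BaseTrapSeverity=2, BaseTrapProbableCause=70144, BaseTrapEventType=5, EntPhysicalContainedIn=16777216, EntPhysicalName="SRU slot 9", RelativeResource="", ReasonDescription="MPU9")
"""

# '#<Mon d yyyy hh:mm:ss> <host> <MODULE>/<severity>/<NAME>: OID <oid> <text>'
TRAP_RE = re.compile(
    r"^#(?P<time>[A-Z][a-z]{2} \d{1,2} \d{4} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<module>[A-Z0-9_]+)/(?P<severity>\d)/(?P<name>[A-Z0-9_]+):\s*"
    r"OID (?P<oid>[\d.]+) (?P<text>.*)$"
)
# 'Key=value' or 'Key="quoted value"' pairs inside the trailing parentheses.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|[^,)]*)')


def parse_trapbuffer(text):
    """Return {'counters': {...}, 'traps': [...]} for one trapbuffer dump."""
    counters, traps = {}, []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("#"):
            m = TRAP_RE.match(line)
            if m is None:
                continue  # an unrecognised trap line is skipped, not guessed at
            rec = m.groupdict()
            rec["severity"] = int(rec["severity"])
            rec["fields"] = {k: v.strip('"') for k, v in FIELD_RE.findall(rec["text"])}
            traps.append(rec)
        else:
            # Header lines: 'Key : value', possibly several pairs separated by ','.
            for pair in line.split(","):
                key, _, value = pair.partition(":")
                value = value.strip()
                counters[key.strip()] = int(value) if value.isdigit() else value
    return {"counters": counters, "traps": traps}


def lost_trap_count(parsed):
    """Traps the buffer dropped or overwrote: a gap in the audit trail."""
    c = parsed["counters"]
    return int(c.get("Dropped messages", 0)) + int(c.get("Overwritten messages", 0))


def traps_at_or_above(parsed, level=4):
    """Traps with numeric severity <= level (0 is most severe, 4 is warning)."""
    return [t for t in parsed["traps"] if t["severity"] <= level]


if __name__ == "__main__":
    parsed = parse_trapbuffer(SAMPLE_TRAPBUFFER)
    for t in parsed["traps"]:
        print(t["time"], t["host"], t["module"], t["name"], t["oid"])
    print("lost traps:", lost_trap_count(parsed))
```

A non-zero lost_trap_count means the local buffer is the wrong place to look for NQA threshold traps; they have to be received by the NMS the moment they are sent.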

10.5.18 Maintaining NQA


This section describes how to maintain an NQA test instance. You can restart the test instance
and clear the statistics on the test result to maintain a test instance.


Restarting NQA Test Instances


If a test instance fails, you can try to restart the test instance in the next test period.

Prerequisites
To restart an NQA test instance, run the following command in the NQA instance view.

Context

CAUTION
Restarting an NQA test instance interrupts the running of tests.

Procedure
Step 1 Run the system-view command to enter the system view.
Step 2 Run the nqa test-instance admin-name test-name command to enter the NQA test instance view.
Step 3 Run the restart command in the NQA instance view to restart the NQA test instance.
----End

Clearing NQA Statistics


When the statistics on the current test instance are saved to the FTP server, you can clear test
results on the device.

Prerequisites
NQA statistics cannot be restored after you clear them. So, confirm the action before you use
the command.

Context
NOTE

Statistics about the test being performed cannot be cleared.

Procedure
Step 1 Run the reset mtrace statistics command to clear statistics about MTrace packets.
Step 2 Run the system-view command to enter the system view.
Step 3 Run the nqa test-instance admin-name test-name command to enter the NQA test instance view.
Step 4 Run the clear-records command in the NQA view to clear the history statistics and test
results of NQA tests.
----End

Debugging NQA
This part describes how to debug test instances.

Prerequisites
When a fault occurs, run the following debugging command in the user view to debug NQA
and locate the fault.

Context

CAUTION
Debugging affects system performance, so run the undo debugging all command to disable it as
soon as debugging is finished.

Procedure
Step 1 Run the debugging nqa all command in the NQA view to enable NQA debugging.
----End

10.5.19 Configuration Examples


This section provides several configuration examples of NQA.

Example for Configuring the ICMP Test


Networking Requirements
As shown in Figure 10-27, Switch A and Switch B must be connected at Layer 3 through the
VLANIF interface.
Switch A functions as the NQA client to check whether Switch B is reachable.
Figure 10-27 Networking diagram for configuring the ICMP test (diagram not reproduced: Switch A, the NQA agent, GE0/0/1 in VLANIF10, 10.1.1.1/24; Switch B, GE0/0/1 in VLANIF10, 10.1.1.2/24)

Configuration Roadmap
The configuration roadmap is as follows:
1. Perform the NQA ICMP test to check whether the route between the local end (Switch A)
and the specified destination end (Switch B) is reachable and check the RTT of a test packet.

Data Preparation
To complete the configuration, you need the following data:
• Host address of Switch B

Procedure
Step 1 Create a VLAN and add interfaces to the VLAN.
# Configure Switch A.
<Quidway> system-view
[Quidway] sysname SwitchA
[SwitchA] vlan 10
[SwitchA-Vlan10] quit
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port hybrid pvid vlan 10
[SwitchA-GigabitEthernet0/0/1] port hybrid untagged vlan 10
[SwitchA-GigabitEthernet0/0/1] quit

# Configure Switch B.
<Quidway> system-view
[Quidway] sysname SwitchB
[SwitchB] vlan 10
[SwitchB-Vlan10] quit
[SwitchB] interface gigabitethernet 0/0/1
[SwitchB-GigabitEthernet0/0/1] port hybrid pvid vlan 10
[SwitchB-GigabitEthernet0/0/1] port hybrid untagged vlan 10
[SwitchB-GigabitEthernet0/0/1] quit

Step 2 Configure the VLANIF interface and assign an IP address to the VLANIF interface.
# Configure Switch A.
[SwitchA] interface vlanif 10
[SwitchA-Vlanif10] ip address 10.1.1.1 24

# Configure Switch B.
[SwitchB] interface vlanif 10
[SwitchB-Vlanif10] ip address 10.1.1.2 24

Step 3 Enable the NQA client and create an NQA ICMP test.
[SwitchA] nqa test-instance admin icmp
[SwitchA-nqa-admin-icmp] test-type icmp
[SwitchA-nqa-admin-icmp] destination-address ipv4 10.1.1.2

Step 4 Perform the test immediately.


[SwitchA-nqa-admin-icmp] start now

Step 5 Verify the test result.


[SwitchA-nqa-admin-icmp] display nqa results test-instance admin icmp
NQA entry(admin, icmp) :testflag is inactive ,testtype is icmp
1 . Test 1 result
The test is finished
Send operation times: 3
Receive response times: 3
Completion:success
RTD OverThresholds number: 0
Attempts number:1
Drop operation number:0
Disconnect operation number:0
Operation timeout number:0
System busy operation number:0
Connection fail number:0
Operation sequence errors number:0
RTT Stats errors number:0
Destination ip address:10.1.1.2
Min/Max/Average Completion Time: 1/30/17
Sum/Square-Sum Completion Time: 51/1301
Last Good Probe Time: 2010-06-09 19:27:48.1
Lost packet ratio: 0 %

----End

Configuration Files
• Configuration file of Switch A


#
sysname SwitchA
#
vlan batch 10
#
interface Vlanif10
ip address 10.1.1.1 255.255.255.0
#
interface GigabitEthernet0/0/1
port hybrid pvid vlan 10
port hybrid untagged vlan 10
#
nqa test-instance admin icmp
test-type icmp
destination-address ipv4 10.1.1.2
#
return

• Configuration file of Switch B


#
sysname SwitchB
#
vlan batch 10
#
interface Vlanif10
ip address 10.1.1.2 255.255.255.0
#
interface GigabitEthernet0/0/1
port hybrid pvid vlan 10
port hybrid untagged vlan 10
#
return

Example for Configuring the FTP Download Test


Networking Requirements
As shown in Figure 10-28:
• Switch B functions as the FTP server.
• A user with the name user1 and the password hello intends to log in to the FTP server to
download the test.txt file.

Figure 10-28 Networking diagram for configuring the FTP download test (diagram not reproduced: Switch A, the FTP client, GE0/0/1 in VLANIF10, 10.1.1.1/24; Switch B, GE0/0/1 in VLANIF10, 10.1.1.2/24)
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure Switch A as the NQA client.
2. Create and perform the FTP test on Switch A to check whether a connection between
Switch A and the FTP server can be set up and to check the time for downloading a file
from the FTP server.

Data Preparation
To complete the configuration, you need the following data:
• IP address of the FTP server
• Source IP address for the test
• FTP user name and password
• Operation file of the FTP test

Procedure
Step 1 Configure the IP addresses of Switch A and Switch B. The configuration details are not
mentioned here.
Step 2 Configure Switch B as the FTP server.
<SwitchB> system-view
[SwitchB] ftp server enable
[SwitchB] aaa
[SwitchB-aaa] local-user user1 password cipher hello
[SwitchB-aaa] local-user user1 service-type ftp
[SwitchB-aaa] local-user user1 ftp-directory flash:
[SwitchB-aaa] quit

Step 3 Configure an NQA FTP test on Switch A.


<SwitchA> system-view
[SwitchA] nqa test-instance admin ftp
[SwitchA-nqa-admin-ftp] test-type ftp
[SwitchA-nqa-admin-ftp] destination-address ipv4 10.1.1.2
[SwitchA-nqa-admin-ftp] source-address ipv4 10.1.1.1
[SwitchA-nqa-admin-ftp] ftp-operation get
[SwitchA-nqa-admin-ftp] ftp-username user1
[SwitchA-nqa-admin-ftp] ftp-password hello
[SwitchA-nqa-admin-ftp] ftp-filename test.txt

Step 4 Perform the test.


[SwitchA-nqa-admin-ftp] start now

Step 5 Verify the test result.


[SwitchA-nqa-admin-ftp] display nqa results test-instance admin ftp
NQA entry(admin, ftp) :testflag is inactive ,testtype is ftp
1 . Test 1 result
The test is finished
SendProbe:1
ResponseProbe:1
Completion :success
RTD OverThresholds number: 0
MessageBodyOctetsSum: 448
Stats errors number: 0
Operation timeout number: 0
System busy operation number:0
Drop operation number:0
Disconnect operation number: 0
CtrlConnTime Min/Max/Average: 438/438/438
DataConnTime Min/Max/Average: 218/218/218
SumTime Min/Max/Average: 656/656/656
Average RTT:656
Lost packet ratio:0 %

----End

Configuration Files
• Configuration file of Switch A


#
sysname SwitchA
#
vlan batch 10
#
interface Vlanif10
ip address 10.1.1.1 255.255.255.0
#
interface GigabitEthernet0/0/1
port hybrid pvid vlan 10
port hybrid untagged vlan 10
#
nqa test-instance admin ftp
test-type ftp
destination-address ipv4 10.1.1.2
source-address ipv4 10.1.1.1
ftp-username user1
ftp-password hello
ftp-filename test.txt
#
return

• Configuration file of Switch B


#
sysname SwitchB
#
vlan batch 10
#
interface Vlanif10
ip address 10.1.1.2 255.255.255.0
#
interface GigabitEthernet0/0/1
port hybrid pvid vlan 10
port hybrid untagged vlan 10
#
FTP server enable
#
aaa
local-user user1 password cipher 3MQ*TZ,O3KCQ=^Q`MAF4<1!!
local-user user1 service-type ftp
local-user user1 ftp-directory flash:
#
return
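The configuration file of Switch A shows the NQA FTP password stored as typed, while the local-user password on Switch B is stored as a cipher string. The following Python script is an added example, not part of the Huawei guide: it splits a saved configuration into its #-delimited blocks, lists every nqa test-instance with its settings, reports instances whose ftp-password is kept in cleartext, and masks those values before the file is exported, for example into a ticket or a backup. The sample configuration is constructed from the two configuration files above (merged into one file for the demonstration); the rule that a value is cleartext unless introduced by the keyword cipher is an assumption of this example.

```python
"""Audit a VRP configuration file for NQA FTP credentials stored in cleartext.

Added example, not from the Huawei guide. SAMPLE_CONFIG is constructed from
the Switch A and Switch B configuration files of the FTP download test
(merged into one file); the cipher string is the one the guide shows. The
rule that an ftp-password value is cleartext unless introduced by the
keyword 'cipher' is an assumption.
"""
import re

SAMPLE_CONFIG = """\
#
sysname SwitchA
#
interface Vlanif10
ip address 10.1.1.1 255.255.255.0
#
nqa test-instance admin ftp
test-type ftp
destination-address ipv4 10.1.1.2
source-address ipv4 10.1.1.1
ftp-username user1
ftp-password hello
ftp-filename test.txt
#
FTP server enable
#
aaa
local-user user1 password cipher 3MQ*TZ,O3KCQ=^Q`MAF4<1!!
local-user user1 service-type ftp
local-user user1 ftp-directory flash:
#
return
"""

INSTANCE_RE = re.compile(r"^nqa test-instance (\S+) (\S+)$")
SECRET_KEYS = ("ftp-password",)  # NQA settings whose value is a credential


def config_blocks(text):
    """Split a configuration file into its '#'-delimited blocks (lists of lines)."""
    blocks, current = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if line in ("#", "return"):
            if current:
                blocks.append(current)
            current = []
        elif line:
            current.append(line)
    if current:
        blocks.append(current)
    return blocks


def find_nqa_instances(text):
    """Return [{'admin', 'name', 'settings': {key: value}}] for every NQA test instance."""
    found = []
    for block in config_blocks(text):
        m = INSTANCE_RE.match(block[0])
        if not m:
            continue
        settings = {}
        for line in block[1:]:          # 'destination-address ipv4 10.1.1.2' -> key, value
            key, _, value = line.partition(" ")
            settings[key] = value
        found.append({"admin": m.group(1), "name": m.group(2), "settings": settings})
    return found


def audit_cleartext_credentials(text):
    """List NQA instances whose credential values are stored unencrypted."""
    findings = []
    for inst in find_nqa_instances(text):
        for key in SECRET_KEYS:
            value = inst["settings"].get(key)
            if value and not value.startswith("cipher "):
                findings.append({"instance": f"{inst['admin']}/{inst['name']}", "key": key,
                                 "destination": inst["settings"].get("destination-address", "")})
    return findings


def redact_secrets(text):
    """Mask cleartext credential values before the configuration is exported."""
    text = re.sub(r"^(\s*ftp-password\s+)(?!cipher\s)\S+", r"\1******", text, flags=re.M)
    return re.sub(r"^(\s*local-user\s+\S+\s+password\s+simple\s+)\S+", r"\1******", text, flags=re.M)


if __name__ == "__main__":
    for finding in audit_cleartext_credentials(SAMPLE_CONFIG):
        print("cleartext credential:", finding)
    print(redact_secrets(SAMPLE_CONFIG))
```

The same block parser can be pointed at any other section of a saved configuration; only the key names in SECRET_KEYS and the redaction patterns are specific to the NQA FTP test.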

Example for Configuring the FTP Upload Test


Networking Requirements
As shown in Figure 10-29:
You are required to test the speed of uploading a file from Switch C to the FTP server.


Figure 10-29 Networking diagram for configuring the FTP upload test (diagram not reproduced: Switch A, the FTP client, GE0/0/1 in VLANIF10, 10.1.1.1/24; Switch B, GE0/0/1 in VLANIF10, 10.1.1.2/24 and GE0/0/2 in VLANIF20, 10.2.1.1/24; Switch C, the FTP server, GE0/0/2 in VLANIF20, 10.2.1.2/24)

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure Switch A as the NQA client and the FTP client. Create and perform the FTP test
on Switch A to check whether a connection between Switch A and the FTP server can be
set up and to test the time for uploading a file to the FTP server.
2. A user with the name user1 and the password hello logs in to the FTP server to upload a
file whose size is 10 KB.

Data Preparation
To complete the configuration, you need the following data:
• IP address of the FTP server
• Source IP address for the test
• FTP user name and password
• Size of the uploaded file

Procedure
Step 1 Configure reachable routes between Switch A and Switch B, between Switch A and Switch C,
and between Switch B and Switch C. The configuration details are not mentioned here.
Step 2 Configure Switch C as the FTP server.
<SwitchC> system-view
[SwitchC] ftp server enable
[SwitchC] aaa
[SwitchC-aaa] local-user user1 password cipher hello
[SwitchC-aaa] local-user user1 service-type ftp
[SwitchC-aaa] local-user user1 ftp-directory flash:
[SwitchC-aaa] quit

Step 3 Configure an NQA FTP test on Switch A and create a file of 10K bytes for uploading.
<SwitchA> system-view
[SwitchA] nqa test-instance admin ftp
[SwitchA-nqa-admin-ftp] test-type ftp
[SwitchA-nqa-admin-ftp] destination-address ipv4 10.2.1.2
[SwitchA-nqa-admin-ftp] source-address ipv4 10.1.1.1
[SwitchA-nqa-admin-ftp] ftp-operation put
[SwitchA-nqa-admin-ftp] ftp-username user1
[SwitchA-nqa-admin-ftp] ftp-password hello
[SwitchA-nqa-admin-ftp] ftp-filename nqa-ftp-test.txt
[SwitchA-nqa-admin-ftp] ftp-filesize 10


Step 4 Perform the test.


[SwitchA-nqa-admin-ftp] start now

Step 5 Verify the test result.


# Verify the NQA test result on Switch A.
[SwitchA-nqa-admin-ftp] display nqa results test-instance admin ftp
NQA entry(admin, ftp) :testflag is inactive ,testtype is ftp
1 . Test 1 result
The test is finished
SendProbe:1
ResponseProb:1
Completion :success
RTD OverThresholds number: 0
MessageBodyOctetsSum: 10240
Stats errors number: 0
Operation timeout number: 0
System busy operation number:0
Drop operation number:0
Disconnect operation number: 0
CtrlConnTime Min/Max/Average: 657/657/657
DataConnTime Min/Max/Average: 500/500/500
SumTime Min/Max/Average: 1157/1157/1157
Average RTT:1157
Lost packet ratio:0 %

# On Switch C, you can see that a file named nqa-ftp-test.txt is added.


<SwitchC> dir
Directory of flash:
  Idx  Attr     Size(Byte)  Date         Time(LMT)  FileName
    0  -rw-            331  Feb 06 2009  18:34:34   private-data.txt
    1  -rw-          10240  Feb 06 2009  18:37:06   nqa-ftp-test.txt

2540 KB total (1536 KB free)

----End

Configuration Files
• Configuration file of Switch A


#
sysname SwitchA
#
vlan batch 10
#
interface Vlanif10
ip address 10.1.1.1 255.255.255.0
#
interface GigabitEthernet0/0/1
port hybrid pvid vlan 10
port hybrid untagged vlan 10
#
nqa test-instance admin ftp
test-type ftp
destination-address ipv4 10.2.1.2
source-address ipv4 10.1.1.1
ftp-filesize 10
ftp-username user1
ftp-password hello
ftp-filename nqa-ftp-test.txt
ftp-operation put
#
ip route-static 10.2.1.0 255.255.255.0 10.1.1.2
#
return

• Configuration file of Switch B


#
sysname SwitchB
#
vlan batch 10 20
#
interface Vlanif10
ip address 10.1.1.2 255.255.255.0
#
interface Vlanif20
ip address 10.2.1.1 255.255.255.0
#
interface GigabitEthernet0/0/1
port hybrid pvid vlan 10
port hybrid untagged vlan 10
#
interface GigabitEthernet0/0/2
port hybrid pvid vlan 20
port hybrid untagged vlan 20
#
return

• Configuration file of Switch C


#
sysname SwitchC
#
FTP server enable
#
vlan batch 20
#
interface Vlanif20
ip address 10.2.1.2 255.255.255.0
#
interface GigabitEthernet0/0/2
port hybrid pvid vlan 20
port hybrid untagged vlan 20
#
aaa
local-user user1 password cipher 3MQ*TZ,O3KCQ=^Q`MAF4<1!!
local-user user1 service-type ftp
local-user user1 ftp-directory flash:
#
ip route-static 10.1.1.0 255.255.255.0 10.2.1.1
#
return

Example for Configuring the HTTP Test


Networking Requirements
As shown in Figure 10-30, Switch is connected to the HTTP server through a WAN.
Figure 10-30 Networking diagram for configuring the HTTP test (diagram not reproduced: Switch, GE0/0/1 in VLANIF10, 10.1.1.1/24, connected through the next hop 10.1.1.2/24 and the IP network to the HTTP server at 10.2.1.1/24)

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure the Switch as the NQA client.
2. Create and perform the HTTP test on the Switch to check whether a connection between
the Switch and the HTTP server can be set up and to check the time for transferring a file
between them.

Data Preparation
To complete the configuration, you need the following data:
• Host address of the HTTP server
• HTTP operation type

Procedure
Step 1 Configure reachable routes between the Switch and the HTTP server. The configuration details
are not mentioned here.
Step 2 Enable the NQA client and create an NQA HTTP test.
<Quidway> system-view
[Quidway] nqa test-instance admin http
[Quidway-nqa-admin-http] test-type http
[Quidway-nqa-admin-http] destination-address ipv4 10.2.1.1
[Quidway-nqa-admin-http] http-operation get
[Quidway-nqa-admin-http] http-url www.huawei.com

Step 3 Perform the test.


[Quidway-nqa-admin-http] start now

Step 4 Verify the test result.


[Quidway-nqa-admin-http] display nqa results test-instance admin http
NQA entry(admin, http) :testflag is inactive ,testtype is http
1 . Test 1 result
The test is finished
SendProbe:3
ResponseProbe:3
Completions: success
RTD OverThresholdsnumber: 0
MessageBodyOctetsSum: 0
TargetAddress: 10.2.1.1
DNSQueryError number: 0
HTTPError number: 0
TcpConnError number : 3
System busy operation number:0
DNSRTT Sum/Min/Max:0/0/0
TCPConnectRTT Sum/Min/Max: 0/0/0
TransactionRTT Sum/Min/Max: 11/3/4
RTT Sum/Min/Max/Avg: 18/5/7/6
DNSServerTimeout:0 TCPConnectTimeout:0 TransactionTimeout: 0
Lost packet ratio:0%

----End

Configuration Files
• Configuration file of Switch
#
sysname quidway
#
vlan batch 10
#
interface Vlanif10
ip address 10.1.1.1 255.255.255.0
#
interface GigabitEthernet0/0/1
port hybrid pvid vlan 10
port hybrid untagged vlan 10
#
nqa test-instance admin http
test-type http
destination-address ipv4 10.2.1.1
http-url www.huawei.com
#
ip route-static 10.2.1.0 255.255.255.0 10.1.1.2
#
return

Example for Configuring the DNS Test


Networking Requirements
As shown in Figure 10-31, Switch functions as the DNS client to access the host whose IP
address is 10.2.1.1/24 through a domain named server.com.
Figure 10-31 Networking diagram for configuring the DNS test (diagram not reproduced: Switch, GE 0/0/1 in VLANIF100, 10.1.1.1/24, connected through the next hop 10.1.1.2/24 and the IP network to the host server.com at 10.2.1.1/24 and to the DNS server at 10.3.1.1/24)

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure the Switch as the NQA client.
2. Create and perform the DNS test on the Switch to check whether a connection between the
Switch and the DNS server can be set up and to check the speed of responding to an address
resolution request.

Data Preparation
To complete the configuration, you need the following data:
• IP address of the DNS server
• Name of the host to be accessed


Procedure
Step 1 Configure reachable routes between Switch A and the DNS server, between Switch A and the
host to be accessed, and between the DNS server and the host to be accessed. The configuration
details are not mentioned here.
Step 2 Create an NQA DNS test.
<Quidway> system-view
[Quidway] dns server 10.3.1.1
[Quidway] nqa test-instance admin dns
[Quidway-nqa-admin-dns] test-type dns
[Quidway-nqa-admin-dns] dns-server ipv4 10.3.1.1
[Quidway-nqa-admin-dns] destination-address url server.com

Step 3 Perform the test.


[Quidway-nqa-admin-dns] start now

Step 4 Verify the test result.


[Quidway] display nqa results test-instance admin dns
NQA entry(admin, dns) :testflag is inactive ,testtype is dns
1 . Test 1 result
The test is finished
Send operation times: 1
Receive response times: 1
Completion:success
RTD OverThresholds number: 0
Attempts number:1
Drop operation number:0
Disconnect operation number:0
Operation timeout number:0
System busy operation number:0
Connection fail number:0
Operation sequence errors number:0
RTT Stats errors number:0
Destination ip address:10.3.1.1
Min/Max/Average Completion Time: 1/1/1
Sum/Square-Sum Completion Time: 1/1
Last Good Probe Time: 2009-2-3 10:52:5.7
Lost packet ratio: 0 %

----End

Configuration Files
• Configuration file of Switch
#
sysname Quidway
#
dns server 10.3.1.1
#
vlan batch 100
#
interface Vlanif100
ip address 10.1.1.1 255.255.255.0
#
interface GigabitEthernet0/0/1
port hybrid pvid vlan 100
port hybrid untagged vlan 100
#
nqa test-instance admin dns
test-type dns
destination-address url server.com
dns-server ipv4 10.3.1.1
#
ip route-static 10.3.1.0 255.255.255.0 10.1.1.2
#
return


Example for Configuring the Traceroute Test


Networking Requirements
As shown in Figure 10-32:
The traceroute test is used to check the IP address of the VLANIF 110 interface of Switch C on
Switch A.
Figure 10-32 Networking diagram for configuring the traceroute test (diagram not reproduced: Switch A, GE 0/0/1 in VLANIF100, 10.1.1.1/24; Switch B, GE 0/0/1 in VLANIF100, 10.1.1.2/24 and GE 0/0/2 in VLANIF110, 10.2.1.1/24; Switch C, GE 0/0/1 in VLANIF110, 10.2.1.2/24)

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure Switch A as the NQA client.
2. Create and perform the traceroute test on Switch A to check the statistics on each hop from
Switch A to Switch C.

Data Preparation
To complete the configuration, you need the following data:
• Destination address for the traceroute test

Procedure
Step 1 Configure reachable routes between Switch A and Switch B, between Switch A and Switch C,
and between Switch B and Switch C. The configuration details are not mentioned here.
Step 2 Create an NQA traceroute test on Switch A and set the destination IP address to 10.2.1.2.
<SwitchA> system-view
[SwitchA] nqa test-instance admin trace
[SwitchA-nqa-admin-trace] test-type trace
[SwitchA-nqa-admin-trace] destination-address ipv4 10.2.1.2

Step 3 Perform the test.


[SwitchA-nqa-admin-trace] start now

Step 4 Verify the test result.


# Verify the NQA test result on Switch A.
[SwitchA-nqa-admin-trace] display nqa results test-instance admin trace
NQA entry(admin, trace) :testflag is inactive ,testtype is trace
1 . Test 1 result
The test is finished
Completion:success
Attempts number:1
Disconnect operation number:0
Operation timeout number:0
System busy operation number:0
Connection fail number:0
Operation sequence errors number:0
RTT Stats errors number:0
Drop operation number:0
Last good path Time:2006-8-5 14:38:58.5
1 . Hop 1
Send operation times: 3
Receive response times: 3
Min/Max/Average Completion Time: 46/47/41
Sum/Square-Sum Completion Time: 125/5349
RTD OverThresholds number: 0
Last Good Probe Time: 2006-8-5 14:38:58.3
Destination ip address:10.1.1.2
Lost packet ratio: 0 %
2 . Hop 2
Send operation times: 3
Receive response times: 3
Min/Max/Average Completion Time: 31/79/62
Sum/Square-Sum Completion Time: 188/13286
RTD OverThresholds number: 0
Last Good Probe Time: 2006-8-5 14:38:58.5
Destination ip address:10.2.1.2
Lost packet ratio: 0 %

----End
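Every display nqa results output in these examples has the same shape: a header line, one or more sections (Test N result, and Hop N for a traceroute test) and key: value lines. The following Python script is an added example, not part of the Huawei guide: it parses that output, recovers the mean and standard deviation of the probe times from the Sum/Square-Sum counters (variance = Square-Sum/n minus the square of Sum/n), checks that the summary counters agree with each other, and produces a pass/fail verdict against a loss limit and an average-delay limit. The samples are the ICMP test result and the traceroute result shown in this section, shortened; the consistency rules and the verdict logic are assumptions of this example. Run on the traceroute output it flags Hop 1, whose reported average (41) lies below its minimum (46).

```python
"""Parse 'display nqa results' output and sanity-check its statistics.

Added example, not from the Huawei guide. SAMPLE_ICMP is the guide's ICMP
result and SAMPLE_TRACE the per-hop part of its traceroute result (both
shortened); the consistency rules and verdict logic are assumptions.
"""
import math
import re

SAMPLE_ICMP = """\
NQA entry(admin, icmp) :testflag is inactive ,testtype is icmp
1 . Test 1 result
The test is finished
Send operation times: 3
Receive response times: 3
Completion:success
Min/Max/Average Completion Time: 1/30/17
Sum/Square-Sum Completion Time: 51/1301
Lost packet ratio: 0 %
"""

SAMPLE_TRACE = """\
NQA entry(admin, trace) :testflag is inactive ,testtype is trace
1 . Test 1 result
Completion:success
1 . Hop 1
Send operation times: 3
Receive response times: 3
Min/Max/Average Completion Time: 46/47/41
Sum/Square-Sum Completion Time: 125/5349
Lost packet ratio: 0 %
2 . Hop 2
Send operation times: 3
Receive response times: 3
Min/Max/Average Completion Time: 31/79/62
Sum/Square-Sum Completion Time: 188/13286
Lost packet ratio: 0 %
"""

# Header line; the TCP example spells it 'testFlag', hence the case-insensitive match.
HEADER_RE = re.compile(r"^NQA entry\((\w+), (\w+)\) :testflag is (\w+) ,testtype is (\w+)", re.I)
# Section headers: '1 . Test 1 result' or, in a traceroute result, '2 . Hop 2'.
SECTION_RE = re.compile(r"^\d+ \. (Test \d+ result|Hop \d+)$")


def parse_nqa_results(text):
    """Return the header fields plus a list of {'title', 'fields'} sections."""
    out = {"sections": []}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER_RE.match(line)
        if m:
            out.update(zip(("admin", "name", "testflag", "testtype"), m.groups()))
            continue
        m = SECTION_RE.match(line)
        if m:
            section = {"title": m.group(1), "fields": {}}
            out["sections"].append(section)
            continue
        if section is not None and ":" in line:  # 'Key: value' lines; others are ignored
            key, value = (p.strip() for p in line.split(":", 1))
            section["fields"][key] = value
    return out


def probe_stats(fields):
    """Mean and standard deviation from Sum/Square-Sum over n replies:
    var = Sum2/n - (Sum/n)^2. 'avg' is the device's integer-truncated average."""
    n = int(fields["Receive response times"])
    lo, hi, avg = (int(x) for x in fields["Min/Max/Average Completion Time"].split("/"))
    total, sq_total = (int(x) for x in fields["Sum/Square-Sum Completion Time"].split("/"))
    mean = total / n if n else 0.0                      # no replies: nothing to average
    stdev = math.sqrt(max(sq_total / n - mean * mean, 0.0)) if n else 0.0
    return {"n": n, "min": lo, "max": hi, "avg": avg, "mean": mean, "stdev": stdev}


def consistency_issues(fields):
    """Report summary counters that contradict each other."""
    s = probe_stats(fields)
    if s["n"] == 0:
        return []
    issues = []
    if not s["min"] <= s["avg"] <= s["max"]:
        issues.append("average outside min..max")
    if int(s["mean"]) != s["avg"]:
        issues.append("average disagrees with Sum/Receive")
    return issues


def evaluate(parsed, max_loss_pct=0, max_avg=None):
    """Per-section verdict: test completed, counters consistent, loss and
    average within the limits. Sections without probe statistics are skipped."""
    completed = any(s["fields"].get("Completion") == "success" for s in parsed["sections"])
    verdicts = {}
    for sec in parsed["sections"]:
        f = sec["fields"]
        if "Lost packet ratio" not in f:
            continue
        loss = int(f["Lost packet ratio"].split()[0])
        ok = completed and loss <= max_loss_pct and not consistency_issues(f)
        if max_avg is not None:
            ok = ok and probe_stats(f)["avg"] <= max_avg
        verdicts[sec["title"]] = ok
    return verdicts
```

For the ICMP sample the three reply times must have been 1, 20 and 30 (sum 51, square-sum 1301), giving a mean of 17 and a standard deviation of about 12.03, which is the jitter the Min/Max/Average line alone does not reveal.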

Configuration Files
• Configuration file of Switch A


#
sysname SwitchA
#
vlan batch 100
#
interface Vlanif100
ip address 10.1.1.1 255.255.255.0
#
interface GigabitEthernet0/0/1
port hybrid pvid vlan 100
port hybrid untagged vlan 100
#
nqa test-instance admin trace
test-type trace
destination-address ipv4 10.2.1.2
#
ip route-static 10.2.1.0 255.255.255.0 10.1.1.2
#
return

• Configuration file of Switch B


#
sysname SwitchB
#
vlan batch 100 110
#
interface Vlanif100
ip address 10.1.1.2 255.255.255.0
#
interface Vlanif110
ip address 10.2.1.1 255.255.255.0
#
interface GigabitEthernet0/0/1
port hybrid pvid vlan 100
port hybrid untagged vlan 100
#
interface GigabitEthernet0/0/2
port hybrid pvid vlan 110
port hybrid untagged vlan 110
#
return

• Configuration file of Switch C


#
sysname SwitchC
#
vlan batch 110
#
interface Vlanif110
ip address 10.2.1.2 255.255.255.0
#
interface GigabitEthernet0/0/1
port hybrid pvid vlan 110
port hybrid untagged vlan 110
#
ip route-static 10.1.1.0 255.255.255.0 10.2.1.1
#
return

Example for Configuring the SNMP Query Test


Networking Requirements
As shown in Figure 10-33, SNMP agent is enabled on Switch C. The NQA SNMP query test
is used to measure the time from sending an SNMP query packet to receiving an Echo packet.
Figure 10-33 Networking diagram for configuring the SNMP query test (diagram not reproduced: Switch A, GE0/0/1 in VLANIF100, 10.1.1.1/24; Switch B, GE0/0/1 in VLANIF100, 10.1.1.2/24 and GE0/0/2 in VLANIF110, 10.2.1.1/24; Switch C, the SNMP agent, GE0/0/1 in VLANIF110, 10.2.1.2/24)

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure Switch A as the NQA client.
2. Create and perform the SNMP query test on Switch A.
3. Enable SNMP agent on Switch C.

Data Preparation
To complete the configuration, you need the following data:
• Host address of the SNMP agent

Procedure
Step 1 Configure reachable routes between Switch A and Switch B, between Switch A and Switch C,
and between Switch B and Switch C. The configuration details are not mentioned here.
Step 2 Enable SNMP agent on Switch C.
<SwitchC> system-view
[SwitchC] snmp-agent

Step 3 Create an SNMP query test on Switch A.
<SwitchA> system-view
[SwitchA] nqa test-instance admin snmp
[SwitchA-nqa-admin-snmp] test-type snmp
[SwitchA-nqa-admin-snmp] destination-address ipv4 10.2.1.2

Step 4 Perform the test.


[SwitchA-nqa-admin-snmp] start now

Step 5 Verify the test result.


[SwitchA-nqa-admin-snmp] display nqa results test-instance admin snmp
NQA entry(admin, snmp) :testflag is inactive ,testtype is snmp
1 . Test 1 result
The test is finished
Send operation times: 3
Receive response times: 3
Completion:success
RTD OverThresholds number: 0
Attempts number:1
Drop operation number:0
Disconnect operation number:0
Operation timeout number:0
System busy operation number:0
Connection fail number:0
Operation sequence errors number:0
RTT Stats errors number:0
Destination ip address:10.2.1.2
Min/Max/Average Completion Time: 63/172/109
Sum/Square-Sum Completion Time: 329/42389
Last Good Probe Time: 2006-8-5 15:33:49.1
Lost packet ratio: 0 %

----End

Configuration Files
• Configuration file of Switch A


#
sysname SwitchA
#
vlan batch 100
#
interface Vlanif100
ip address 10.1.1.1 255.255.255.0
#
interface GigabitEthernet0/0/1
port hybrid pvid vlan 100
port hybrid untagged vlan 100
#
nqa test-instance admin snmp
test-type snmp
destination-address ipv4 10.2.1.2
#
ip route-static 10.2.1.0 255.255.255.0 10.1.1.2
#
return

• Configuration file of Switch B


#
sysname SwitchB
#
vlan batch 100 110
#
interface Vlanif100
ip address 10.1.1.2 255.255.255.0
#
interface Vlanif110
ip address 10.2.1.1 255.255.255.0
#
interface GigabitEthernet0/0/1
port hybrid pvid vlan 100
port hybrid untagged vlan 100
#
interface GigabitEthernet0/0/2
port hybrid pvid vlan 110
port hybrid untagged vlan 110
#
return

• Configuration file of Switch C


#
sysname SwitchC
#
vlan batch 110
#
interface Vlanif110
ip address 10.2.1.2 255.255.255.0
#
interface GigabitEthernet0/0/1
port hybrid pvid vlan 110
port hybrid untagged vlan 110
#
ip route-static 10.1.1.0 255.255.255.0 10.2.1.1
#
snmp-agent
snmp-agent local-engineid 000007DB7F00000100006294
snmp-agent sys-info version all
#
return

Example for Configuring the TCP Test


Networking Requirements
As shown in Figure 10-34, the NQA TCP Private test is used to obtain the time for setting up
a TCP connection between Switch A and Switch B.
Figure 10-34 Networking diagram for configuring the TCP test (diagram not reproduced: Switch A, GE0/0/1 in VLANIF100, 10.1.1.1/24; Switch B, GE0/0/1 in VLANIF100, 10.1.1.2/24 and GE0/0/2 in VLANIF110, 10.2.1.1/24; Switch C, the NQA server, GE0/0/1 in VLANIF110, 10.2.1.2/24)

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure Switch A as the NQA client and configure Switch C as the NQA server.
2. Configure the monitoring port number on the NQA server and create an NQA TCP test on
the NQA client.

Data Preparation
To complete the configuration, you need the following data:
• Host address of the server
• Port number used to monitor the TCP service on the server


Procedure
Step 1 Configure reachable routes between Switch A and Switch B, between Switch A and Switch C,
and between Switch B and Switch C. The configuration details are not mentioned here.
Step 2 Configure the NQA server on Switch C.
# Configure the IP address and port number used to monitor TCP connections on the NQA server.
<SwitchC> system-view
[SwitchC] nqa-server tcpconnect 10.2.1.2 9000

Step 3 Configure Switch A.


# Enable the NQA client and create a TCP Private test.
<SwitchA> system-view
[SwitchA] nqa test-instance admin tcp
[SwitchA-nqa-admin-tcp] test-type tcp
[SwitchA-nqa-admin-tcp] destination-address ipv4 10.2.1.2
[SwitchA-nqa-admin-tcp] destination-port 9000

Step 4 Perform the test.


[SwitchA-nqa-admin-tcp] start now

Step 5 Verify the test result.


[SwitchA-nqa-admin-tcp] display nqa results test-instance admin tcp
NQA entry(admin, tcp) :testFlag is inactive ,testtype is tcp
1 . Test 1 result
The test is finished
Send operation times: 3
Receive response times: 3
Completion:success
RTD OverThresholds number: 0
Attempts number:1
Drop operation number:0
Disconnect operation number:0
Operation timeout number:0
System busy operation number:0
Connection fail number:0
Operation sequence errors number:0
RTT Stats errors number:0
Destination ip address:10.2.1.2
Min/Max/Average Completion Time: 46/63/52
Sum/Square-Sum Completion Time: 156/8294
Last Good Probe Time: 2006-8-5 15:53:17.8
Lost packet ratio: 0 %

----End
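The TCP test measures the time to complete the TCP handshake with the port the NQA server listens on, and the device summarises the probes as Min/Max/Average and Sum/Square-Sum. The following Python script is an added example, not part of the Huawei guide or the AC6605 software: it performs the same measurement with a plain socket connect, emulating one test of three probes, and produces the same counters, including the lost-packet ratio when connections are refused. So that it runs offline it starts an accept-and-close listener on 127.0.0.1 in place of the NQA server (the guide uses nqa-server tcpconnect 10.2.1.2 9000); the port number is assigned by the OS, and all function names are assumptions of this example.

```python
"""Emulate the NQA TCP test: time the TCP handshake to a listening port and
summarise the probes with the counters the device prints.

Added example, not from the Huawei guide or the AC6605 software. A local
accept-and-close listener stands in for the NQA server (the guide uses
'nqa-server tcpconnect 10.2.1.2 9000'); the port is chosen by the OS and
all function names are assumptions.
"""
import socket
import threading
import time


def start_listener(host="127.0.0.1"):
    """Stand-in for the NQA server: accept each connection and close it."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))          # port 0: let the OS pick a free port
    srv.listen(5)
    srv.settimeout(5)            # an idle listener shuts itself down

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:      # timeout, or the listener was closed
                return
            conn.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv


def unused_local_port(host="127.0.0.1"):
    """A port with no listener, to exercise the connection-refused path."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind((host, 0))
    port = s.getsockname()[1]
    s.close()
    return port


def tcp_connect_probe(host, port, timeout=2.0):
    """One probe: handshake time in milliseconds, or None if it failed."""
    t0 = time.perf_counter()
    try:
        with socket.create_connection((host, port), timeout=timeout):
            pass             # the NQA TCP test only measures setup, no payload
    except OSError:          # refused, unreachable or timed out
        return None
    return (time.perf_counter() - t0) * 1000.0


def run_tcp_test(host, port, probes=3, interval=0.0):
    """One test of 'probes' attempts, reported like 'display nqa results'."""
    rtts = []
    for _ in range(probes):
        rtt = tcp_connect_probe(host, port)
        if rtt is not None:
            rtts.append(rtt)
        time.sleep(interval)
    received = len(rtts)
    result = {
        "send": probes,
        "receive": received,
        "lost_pct": 100.0 * (probes - received) / probes,
        "completion": "success" if received == probes else "failed",
    }
    if rtts:  # Min/Max/Average and Sum/Square-Sum, as on the device
        result.update(min=min(rtts), max=max(rtts), avg=sum(rtts) / received,
                      sum=sum(rtts), square_sum=sum(r * r for r in rtts))
    return result


if __name__ == "__main__":
    listener = start_listener()
    print(run_tcp_test("127.0.0.1", listener.getsockname()[1]))
    print(run_tcp_test("127.0.0.1", unused_local_port()))
    listener.close()
```

A refused connection counts as a lost probe, so a test against a port on which the NQA server is not listening reports a 100 % loss ratio and a failed completion rather than an error.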

Configuration Files
• Configuration file of Switch A


#
sysname SwitchA
#
vlan batch 100
#
interface Vlanif100
ip address 10.1.1.1 255.255.255.0
#
interface GigabitEthernet0/0/1
port hybrid pvid vlan 100
port hybrid untagged vlan 100
#
nqa test-instance admin tcp
test-type tcp
destination-address ipv4 10.2.1.2
destination-port 9000
#
ip route-static 10.2.1.0 255.255.255.0 10.1.1.2
#
return


• Configuration file of Switch B


#
sysname SwitchB
#
vlan batch 100 110
#
interface Vlanif100
ip address 10.1.1.2 255.255.255.0
#
interface Vlanif110
ip address 10.2.1.1 255.255.255.0
#
interface GigabitEthernet0/0/1
port hybrid pvid vlan 100
port hybrid untagged vlan 100
#
interface GigabitEthernet0/0/2
port hybrid pvid vlan 110
port hybrid untagged vlan 110
#
return

• Configuration file of Switch C


#
sysname SwitchC
#
vlan batch 110
#
interface Vlanif110
ip address 10.2.1.2 255.255.255.0
#
interface GigabitEthernet0/0/1
port hybrid pvid vlan 110
port hybrid untagged vlan 110
#
nqa-server tcpconnect 10.2.1.2 9000
#
ip route-static 10.1.1.0 255.255.255.0 10.2.1.1
#
return

Example for Configuring the UDP Test


Networking Requirements
As shown in Figure 10-35, the NQA UDP Public test is used to obtain RTT of a UDP packet
transmitted between Switch A and Switch C.
Figure 10-35 Networking diagram for configuring the UDP test
[Figure: SwitchA (GE0/0/1, VLANIF100 10.1.1.1/24) -- (GE0/0/1, VLANIF100 10.1.1.2/24) SwitchB (GE0/0/2, VLANIF110 10.2.1.1/24) -- (GE0/0/1, VLANIF110 10.2.1.2/24) SwitchC, the NQA Server]

Configuration Roadmap
1. Configure Switch A as the NQA client and configure Switch C as the NQA server.
2. Configure the monitoring port number on the NQA server and create an NQA UDP Public
test on the NQA client.

Data Preparation
To complete the configuration, you need the following data:
- Host address of the server
- Port number used to monitor the UDP service on the server

Procedure
Step 1 Configure reachable routes between Switch A and Switch B, between Switch A and Switch C,
and between Switch B and Switch C. The configuration details are not mentioned here.
Step 2 Configure the NQA server on Switch C.
# Configure the IP address and UDP port number monitored by the NQA server.
<SwitchC> system-view
[SwitchC] nqa-server udpecho 10.2.1.2 6000

Step 3 Configure Switch A.
# Enable the NQA client and create a UDP Public test.
<SwitchA> system-view
[SwitchA] nqa test-instance admin udp
[SwitchA-nqa-admin-udp] test-type udp
[SwitchA-nqa-admin-udp] destination-address ipv4 10.2.1.2
[SwitchA-nqa-admin-udp] destination-port 6000

Step 4 Perform the test.


[SwitchA-nqa-admin-udp] start now

Step 5 Verify the test result.


[SwitchA-nqa-admin-udp] display nqa results test-instance admin udp
NQA entry(admin, udp) :testflag is inactive ,testtype is udp
1 . Test 1 result
The test is finished
Send operation times: 3
Receive response times: 3
Completion:success
RTD OverThresholds number: 0
Attempts number:1
Drop operation number:0
Disconnect operation number:0
Operation timeout number:0
System busy operation number:0
Connection fail number:0
Operation sequence errors number:0
RTT Stats errors number:0
Destination ip address:10.2.1.2
Min/Max/Average Completion Time: 32/109/67
Sum/Square-Sum Completion Time: 203/16749
Last Good Probe Time: 2006-8-5 16:9:21.6
Lost packet ratio: 0 %

----End

Configuration Files
Configuration file of Switch A


#
sysname SwitchA
#

vlan batch 100


#
interface Vlanif100
ip address 10.1.1.1 255.255.255.0
#
interface GigabitEthernet0/0/1
port hybrid pvid vlan 100
port hybrid untagged vlan 100
#
nqa test-instance admin udp
test-type udp
destination-address ipv4 10.2.1.2
destination-port 6000
#
ip route-static 10.2.1.0 255.255.255.0 10.1.1.2
#
return

Configuration file of Switch B


#
sysname SwitchB
vlan batch 100 110
#
interface Vlanif100
ip address 10.1.1.2 255.255.255.0
#
interface Vlanif110
ip address 10.2.1.1 255.255.255.0
#
interface GigabitEthernet0/0/1
port hybrid pvid vlan 100
port hybrid untagged vlan 100
#
interface GigabitEthernet0/0/2
port hybrid pvid vlan 110
port hybrid untagged vlan 110
#
return

Configuration file of Switch C


#
sysname SwitchC
#
vlan batch 110
#
interface Vlanif110
ip address 10.2.1.2 255.255.255.0
#
interface GigabitEthernet0/0/1
port hybrid pvid vlan 110
port hybrid untagged vlan 110
#
nqa-server udpecho 10.2.1.2 6000
#
ip route-static 10.1.1.0 255.255.255.0 10.2.1.1
#
return

Example for Configuring the Jitter Test


Networking Requirements
As shown in Figure 10-36, the NQA Jitter test needs to be used to obtain the jitter time of
transmitting a packet from Switch A to Switch C. Switch A and Switch C synchronize the clock
from Switch B so that the test precision is improved.

NOTE

For information about clock synchronization, see "NTP" in the AC6605 Access Controller Feature
Description - Network Management.

Figure 10-36 Networking diagram for configuring the Jitter test
[Figure: SwitchA (GE 0/0/1, VLANIF100 10.1.1.1/24) -- (GE 0/0/1, VLANIF100 10.1.1.2/24) SwitchB (GE 0/0/2, VLANIF110 10.2.1.1/24) -- (GE 0/0/1, VLANIF110 10.2.1.2/24) SwitchC, the NQA Server]

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure Switch C as the NTP client and configure Switch B as the NTP server.
2. Configure Switch A as the NQA client and configure Switch C as the NQA server.
3. Configure the service type and port number monitored by the NQA server.
4. Create and perform the NQA Jitter test on the NQA client.

Data Preparation
To complete the configuration, you need the following data:
- Host address of the server
- Port number used to monitor the UDP service on the server

Procedure
Step 1 Configure reachable routes between Switch A and Switch B, between Switch A and Switch C,
and between Switch B and Switch C. The configuration details are not mentioned here.
Step 2 Configure the NQA server on Switch C.
# Configure the IP address and UDP port number monitored by the NQA server.
<SwitchC> system-view
[SwitchC] nqa-server udpecho 10.2.1.2 9000

Step 3 Configure Switch A.
# Enable the NQA client and create an NQA Jitter test.
<SwitchA> system-view
[SwitchA] nqa test-instance admin jitter
[SwitchA-nqa-admin-jitter] test-type jitter
[SwitchA-nqa-admin-jitter] destination-address ipv4 10.2.1.2
[SwitchA-nqa-admin-jitter] destination-port 9000

Step 4 Perform the test.


[SwitchA-nqa-admin-jitter] start now

Step 5 Verify the test result.


[SwitchA-nqa-admin-jitter] display nqa results test-instance admin jitter


NQA entry(admin, jitter) :testflag is inactive ,testtype is jitter
1 . Test 1 result
The test is finished
SendProbe:60
ResponseProbe:60
Completion:success
RTD OverThresholds number:0
Min/Max/Avg/Sum RTT:1/98/8/461
RTT Square Sum:23037
NumOfRTT:60
Drop operation number:0
Operation sequence errors number:0
RTT Stats errors number:0
System busy operation number:0
Operation timeout number:0
Min Positive SD:1
Min Positive DS:1
Max Positive SD:96
Max Positive DS:8
Positive SD Number:15
Positive DS Number:8
Positive SD Sum:172
Positive DS Sum:18
Positive SD Square Sum :9868
Positive DS Square Sum :86
Min Negative SD:1
Min Negative DS:1
Max Negative SD:20
Max Negative DS:10
Negative SD Number:18
Negative DS Number:8
Negative SD Sum:163
Negative DS Sum:28
Negative SD Square Sum :2519
Negative DS Square Sum :194
Min Delay SD:0
Min Delay DS:0
Avg Delay SD:3
Avg Delay DS:3
Max Delay SD:49
Max Delay DS:48
Packet Loss SD:0
Packet Loss DS:0
Packet Loss Unknown:0
Jitter out value:0.3020833
Jitter in value:0.3854167
NumberOfOWD:60
OWD SD Sum:65
OWD DS Sum:57
TimeStamp unit: ms
Packet Rewrite Number: 0
Packet Rewrite Ratio: 0%
Packet Disorder Number: 0
Packet Disorder Ratio: 0%
Fragment-disorder Number: 0
Fragment-disorder Ratio: 0%

----End

Configuration Files
Configuration file of Switch A


#
sysname SwitchA
#
vlan batch 100
#
interface Vlanif100
ip address 10.1.1.1 255.255.255.0
#
interface GigabitEthernet0/0/1
port hybrid pvid vlan 100
port hybrid untagged vlan 100
#
nqa test-instance admin jitter
test-type jitter
destination-address ipv4 10.2.1.2
destination-port 9000
#
ip route-static 10.2.1.0 255.255.255.0 10.1.1.2
#
return

Configuration file of Switch B


#
sysname SwitchB
#
vlan batch 100 110
#
interface Vlanif100
ip address 10.1.1.2 255.255.255.0
#
interface Vlanif110

ip address 10.2.1.1 255.255.255.0


#
interface GigabitEthernet0/0/1
port hybrid pvid vlan 100
port hybrid untagged vlan 100
#
interface GigabitEthernet0/0/2
port hybrid pvid vlan 110
port hybrid untagged vlan 110
#
return

Configuration file of Switch C


#
sysname SwitchC
#
vlan batch 110
#
interface Vlanif110
ip address 10.2.1.2 255.255.255.0
#
interface GigabitEthernet0/0/1
port hybrid pvid vlan 110
port hybrid untagged vlan 110
#
nqa-server udpecho 10.2.1.2 9000
#
ip route-static 10.1.1.0 255.255.255.0 10.2.1.1
#
return

Example for Configuring the Test of Sending NQA Threshold Traps to the NMS
Networking Requirements
As shown in Figure 10-37, the trap thresholds are configured and the function of sending trap
messages is enabled when a Jitter test is configured. After the Jitter test is complete, Switch A
sends a trap message to the NMS when the one-way transmission time of the test packet from
Switch A to Switch C or from Switch C to Switch A exceeds the configured unidirectional
transmission threshold, or when the RTT of the test packet exceeds the configured bidirectional
transmission threshold. Network administrators can view the cause of a trap in the trap message
received by the NMS.
Figure 10-37 Network diagram for configuring the NQA threshold
[Figure: SwitchA (Ethernet0/0/2, VLANIF110 20.1.1.1/24) -- NM Station 20.1.1.2/24; SwitchA (Ethernet0/0/1, VLANIF120 10.1.1.1/24) -- (Ethernet0/0/1, VLANIF120 10.1.1.2/24) SwitchB (Ethernet0/0/2, VLANIF130 30.1.1.1/24) -- (Ethernet0/0/1, VLANIF130 30.1.1.2/24) SwitchC, the NQA Server]

NOTE

For information about clock synchronization, see "NTP" in the AC6605 Access Controller Feature
Description - Network Management.

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure a Jitter test.
2. Configure the NQA thresholds.
3. Enable the function of sending trap messages.
4. Configure the function of sending trap messages to the NMS.

Data Preparation
To complete the configuration, you need the following data:
- IP address and port number of the server-side host
- Type of the monitored service and monitoring port number
- RTD threshold and OWD threshold
- IP address of the NMS

Procedure
Step 1 Configure reachable routes between Switch A and Switch B, between Switch A and Switch C,
and between Switch B and Switch C. The configuration details are not mentioned here.
Step 2 Configure a Jitter test.
# Configure the IP address and UDP port number monitored by the NQA server on Switch C.
<SwitchC> system-view
[SwitchC] nqa-server udpecho 30.1.1.2 9000

# Enable the NQA client on Switch A and create an NQA Jitter test on it.
<SwitchA> system-view
[SwitchA] nqa test-instance admin jitter
[SwitchA-nqa-admin-jitter] test-type jitter
[SwitchA-nqa-admin-jitter] destination-address ipv4 30.1.1.2
[SwitchA-nqa-admin-jitter] destination-port 9000

Step 3 Configure the NQA thresholds.


# Configure the RTD threshold on Switch A.
[SwitchA-nqa-admin-jitter] threshold rtd 20

Step 4 Enable the function of sending trap messages.


[SwitchA-nqa-admin-jitter] send-trap rtd
[SwitchA-nqa-admin-jitter] quit

Step 5 Configure the function of sending trap messages to the NMS.


[SwitchA] snmp-agent trap enable
[SwitchA] snmp-agent sys-info version v2c
[SwitchA] snmp-agent target-host trap address udp-domain 20.1.1.2 params securityname public v2c


Step 6 Perform the test.


[SwitchA] nqa test-instance admin jitter
[SwitchA-nqa-admin-jitter] start now
[SwitchA-nqa-admin-jitter] quit
[SwitchA] quit

Step 7 Verify the configuration.


# Verify the NQA test result of each Switch.
<SwitchA> display nqa results
NQA entry(test, jitter) :testflag is inactive ,testtype is jitter
1 . Test 1 result
The test is finished
Send operation times:3000
Receive response times:3000
Completion :success
RTD OverThresholds number:25
Min/Max/Avg/Sum RTT:1/26/1/3143
RTT Square Sum:5665
NumOfRTT:3000
Drop operation number:0
Operation sequence errors number:0
RTT Stats errors number:0
System busy operation number:0
Operation timeout number:0
Min Positive SD:1
Min Positive DS:0
Max Positive SD:27
Max Positive DS:0
Positive SD Number:1890
Positive DS Number:0
Positive SD Sum:2128
Positive DS Sum:0
Positive SD Square Sum :4864
Positive DS Square Sum :0
Min Negative SD:1
Min Negative DS:1
Max Negative SD:16
Max Negative DS:2
Negative SD Number:38
Negative DS Number:1936
Negative SD Sum:129
Negative DS Sum:1998
Negative SD Square Sum :1445
Negative DS Square Sum :2122
Min Delay SD:0
Min Delay DS:0
Avg Delay SD:0
Avg Delay DS:0
Max Delay SD:13
Max Delay DS:12
Packet Loss SD:0
Packet Loss DS:0
Packet Loss Unknown:0
Average of Jitter:1
Packet Loss Unknown:0
jitter out value:0.7489559
jitter in value:0.6627117
NumberOfOWD:0
OWD SD Sum:81
OWD DS Sum:62
TimeStamp unit: ms
Packet Rewrite Number: 0
Packet Rewrite Ratio: 0%
Packet Disorder Number: 0
Packet Disorder Ratio: 0%
Fragment-disorder Number: 0
Fragment-disorder Ratio: 0%

# Verify that a trap message is generated in the trap buffer.


<Quidway> display trapbuffer
Trapping buffer configuration and contents : enabled
Allowed max buffer size : 1024
Actual buffer size : 256
Channel number : 3 , Channel name : trapbuffer
Dropped messages : 0
Overwritten messages : 0
Current messages : 3
#Jul 9 00:28:34 2009 Quidway NQA/4/RTDTHRESHOLD:OID 1.3.6.1.4.1.2011.5.25.111.6.16 NQA entry RTD over threshold. (OwnerIndex=admin, TestName=jitter)
#Jul 9 00:28:34 2009 Quidway NQA/4/SDTHRESHOLD:OID 1.3.6.1.4.1.2011.5.25.111.6.17 NQA entry OWD-SD over threshold. (OwnerIndex=admin, TestName=jitter)
#Jul 9 00:28:34 2009 Quidway NQA/4/DSTHRESHOLD:OID 1.3.6.1.4.1.2011.5.25.111.6.18 NQA entry OWD-DS over threshold. (OwnerIndex=admin, TestName=jitter)

# Verify that the NMS can receive the trap message successfully. The displayed information is
not provided here.
----End
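The counters in the display nqa results output and the trap lines in the trap buffer can be checked against each other by a monitoring script. The following Python is an added example, not part of the guide or Huawei code: it parses the two outputs shown above (sample text constructed in the same format, with the owner index set to admin in both so the records correlate) and flags a threshold crossing that produced no trap, which is what an NMS operator needs to notice when the trap path is misconfigured.

```python
import re

# Constructed sample of a "display nqa results" block in the guide's format;
# the counters are the guide's example values, the owner index is "admin".
NQA_RESULTS = """\
NQA entry(admin, jitter) :testflag is inactive ,testtype is jitter
1 . Test 1 result
The test is finished
Send operation times:3000
Receive response times:3000
Completion :success
RTD OverThresholds number:25
Min/Max/Avg/Sum RTT:1/26/1/3143
Packet Loss SD:0
Packet Loss DS:0
Packet Loss Unknown:0
TimeStamp unit: ms
"""

# Constructed sample of "display trapbuffer" entries in the guide's format.
TRAPBUFFER = """\
#Jul 9 00:28:34 2009 Quidway NQA/4/RTDTHRESHOLD:OID 1.3.6.1.4.1.2011.5.25.111.6.16 NQA entry RTD over threshold. (OwnerIndex=admin, TestName=jitter)
#Jul 9 00:28:34 2009 Quidway NQA/4/SDTHRESHOLD:OID 1.3.6.1.4.1.2011.5.25.111.6.17 NQA entry OWD-SD over threshold. (OwnerIndex=admin, TestName=jitter)
#Jul 9 00:28:34 2009 Quidway NQA/4/DSTHRESHOLD:OID 1.3.6.1.4.1.2011.5.25.111.6.18 NQA entry OWD-DS over threshold. (OwnerIndex=admin, TestName=jitter)
"""

ENTRY_RE = re.compile(r"NQA entry\((?P<owner>[^,]+),\s*(?P<test>[^)]+)\)")
FIELD_RE = re.compile(r"^(?P<key>[^:]+?)\s*:\s*(?P<val>.+)$")
TRAP_RE = re.compile(
    r"^#(?P<time>\w{3} +\d+ \d\d:\d\d:\d\d \d{4}) (?P<host>\S+) "
    r"(?P<module>\w+)/(?P<severity>\d)/(?P<event>\w+):OID (?P<oid>[\d.]+) "
    r"(?P<msg>.*?)\s*\(OwnerIndex=(?P<owner>[^,]+), TestName=(?P<test>[^)]+)\)$"
)
# Trap event names shown in the guide, mapped to the threshold they report.
THRESHOLD_EVENTS = {"RTDTHRESHOLD": "rtd", "SDTHRESHOLD": "owd-sd", "DSTHRESHOLD": "owd-ds"}


def parse_nqa_results(text):
    """Parse one 'display nqa results' block (TCP, UDP or jitter test) into a dict."""
    result = {}
    for line in text.splitlines():
        entry = ENTRY_RE.search(line)
        if entry:
            result["owner"] = entry.group("owner").strip()
            result["test"] = entry.group("test").strip()
            continue
        field = FIELD_RE.match(line.strip())
        if not field:
            continue                      # e.g. "1 . Test 1 result"
        key, val = field.group("key").strip(), field.group("val").strip()
        if key == "Min/Max/Avg/Sum RTT":  # jitter-test RTT summary
            lo, hi, avg, total = (int(x) for x in val.split("/"))
            result["rtt"] = {"min": lo, "max": hi, "avg": avg, "sum": total}
        elif key == "Min/Max/Average Completion Time":  # TCP/UDP test summary
            lo, hi, avg = (int(x) for x in val.split("/"))
            result["rtt"] = {"min": lo, "max": hi, "avg": avg}
        elif val.isdigit():
            result[key] = int(val)
        else:
            result[key] = val
    return result


def parse_trapbuffer(text):
    """Parse the NQA threshold trap lines of 'display trapbuffer'."""
    traps = []
    for line in text.splitlines():
        m = TRAP_RE.match(line.strip())
        if m:
            trap = m.groupdict()
            trap["severity"] = int(trap["severity"])
            traps.append(trap)
    return traps


def correlate(results, traps, rtd_threshold_ms):
    """Cross-check the result counters against traps for the same (owner, test).

    A non-zero over-threshold counter with no matching trap means the trap path
    (send-trap rtd, snmp-agent target-host) did not deliver what the test saw.
    """
    key = (results["owner"], results["test"])
    seen = {THRESHOLD_EVENTS[t["event"]] for t in traps
            if t["event"] in THRESHOLD_EVENTS and (t["owner"], t["test"]) == key}
    over = results.get("RTD OverThresholds number", 0)
    rtt_max = results.get("rtt", {}).get("max", 0)
    rtd_exceeded = over > 0 and rtt_max > rtd_threshold_ms
    return {
        "rtd_over_count": over,
        "rtd_exceeded": rtd_exceeded,
        "rtd_trap_seen": "rtd" in seen,
        "consistent": rtd_exceeded == ("rtd" in seen),
        "owd_traps": sorted(k for k in seen if k.startswith("owd")),
        "lost_packets": sum(results.get(k, 0) for k in
                            ("Packet Loss SD", "Packet Loss DS", "Packet Loss Unknown")),
    }


if __name__ == "__main__":
    res = parse_nqa_results(NQA_RESULTS)
    print(correlate(res, parse_trapbuffer(TRAPBUFFER), rtd_threshold_ms=20))
```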


Configuration Files
Configuration file of Switch A


#
sysname SwitchA
#
vlan batch 110 120
#
interface Vlanif110
ip address 20.1.1.1 255.255.255.0
#
interface Vlanif120
ip address 10.1.1.1 255.255.255.0
#
interface GigabitEthernet0/0/1
port hybrid pvid vlan 120
port hybrid untagged vlan 120
#
interface GigabitEthernet0/0/2
port hybrid pvid vlan 110
port hybrid untagged vlan 110
#
ospf 1
area 0.0.0.0
network 10.1.1.0 0.0.0.0
#
nqa test-instance test jitter
test-type jitter
destination-address ipv4 30.1.1.2
destination-port 9000
threshold rtd 20
send-trap rtd
#
snmp-agent
snmp-agent local-engineid 000007DB7F00000100007B29
snmp-agent sys-info version v2c v3
snmp-agent target-host trap address udp-domain 20.1.1.2 params securityname public v2c
snmp-agent trap enable
#
return

Configuration file of Switch B


#
sysname SwitchB
#
vlan batch 120 130
#
interface Vlanif120
ip address 10.1.1.2 255.255.255.0
#
interface Vlanif130
ip address 30.1.1.1 255.255.255.0
#
interface GigabitEthernet0/0/1
port hybrid pvid vlan 120
port hybrid untagged vlan 120
#
interface GigabitEthernet0/0/2
port hybrid pvid vlan 130
port hybrid untagged vlan 130
#
ospf 1
area 0.0.0.1
network 10.1.1.0 0.0.0.255
network 30.1.1.0 0.0.0.255
#
return


Configuration file of Switch C


#
sysname SwitchC
#
vlan batch 130
#
interface Vlanif130
ip address 30.1.1.2 255.255.255.0
#
interface GigabitEthernet0/0/1
port hybrid pvid vlan 130
port hybrid untagged vlan 130
#
nqa-server udpecho 30.1.1.2 9000
#
ospf 1
area 0.0.0.1
network 30.1.1.0 0.0.0.255
#
return

10.6 RMON Configuration


This chapter describes how to monitor the Ethernet interface through Remote Network
Monitoring (RMON).

10.6.1 Introduction to RMON


This part describes working principles of RMON.

RMON
RMON is implemented based on the Simple Network Management Protocol (SNMP)
architecture, and is compatible with the existing SNMP framework. There are two concepts
involved in RMON, namely, the Network Management Workstation (NM Station) and the agent.
An RMON agent collects statistics of various traffic in a network, including the number of packets
on a network segment within a period and the number of correct packets sent to a host.
Compared with SNMP, RMON monitors remote network devices more efficiently and actively.
It provides an efficient solution to monitor the running of sub-networks, which reduces the
communication traffic between the NM Station and the agent. Large-sized networks can thus be
managed in a simple and effective manner.
RMON allows multiple monitors. It collects data in the following ways:
- Use a dedicated RMON Probe.
The NM Station obtains management information directly from the RMON Probe and
controls network resources. This ensures that the NM Station can obtain overall information
on the RMON MIB.
- Embed an RMON agent into a network device (a Switch for example) so that the device
provides the RMON Probe capability.
The NM Station uses the basic SNMP commands for exchanging data with the RMON
agent and collecting the network management information. This process is restricted by
device resources and hence the NM Station collects only information on four groups (alarm,
event, history, and statistics) and not the complete information on the RMON MIB.


Currently, the AC6605 implements the monitoring and statistics collection function only on the
Ethernet interfaces of network devices.

10.6.2 RMON Supported by the AC6605


This part describes the support for RMON on the AC6605.

Features of RMON
The AC6605 implements RMON by embedding agent modules to network devices to form a
complete system with other modules. The RMON NM Station is completely compatible with
the SNMP NM Station; so, the administrator can handle it properly without additional training.
RMON in the AC6605 supports four groups, namely, statistics, history, alarm, and event, as
defined in RFC 2819, and a Performance-MIB defined by Huawei. The following describes each
group.
- Statistics group
The statistics group collects the basic statistics of each monitored sub-network. The
statistics include data flows on a network segment, distribution of various packets, error
frames, and collisions.
The statistics group has one table: ethernetStatsTable.
NOTE
The RMON statistics result is not consistent with the output of the display interface command.
Although data is collected from the bottom layer in both cases, the RMON information is more
comprehensive.
- History group
A history group periodically collects the network state statistics and stores them for future
reference. The history group has the following tables:
historyControlTable: is used to set the control information, such as sampling intervals.
etherHistoryTable: provides network administrators with other history statistics, such
as the traffic on a network segment, error packets, broadcast packets, utilization, and
collisions.
Each entry in the historyControlTable corresponds to a maximum of 10 history
records in the etherHistoryTable. The oldest records are overwritten in a circular
manner when the record limit of the etherHistoryTable is exceeded.
- Alarm group
An alarm group allows predefining a set of thresholds for alarm variables (any object in
the local MIB). A monitor records logs or sends trap messages to the NM Station when the
sampled data in a certain direction crosses a threshold.
As defined in RFC 2819, the alarm function has a hysteresis mechanism to limit the
generation of alarms. If this mechanism is adopted, an alarm event is generated when the
sampled data in a direction crosses the threshold. No more events will be generated until
the sampled data in the opposite direction crosses the threshold.
The AC6605 does not apply this mechanism because it would suppress the alarms for a
long period. On the AC6605, the alarms are re-generated once the sampled value returns to the
normal range.
The alarm group contains one table: alarmTable.
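The difference between the RFC 2819 hysteresis and the AC6605 re-arm behaviour described above, as an added example (Python, not Huawei code): the function models one alarmTable entry and returns the events it would raise for a series of samples. The sample series and thresholds are constructed, and the changeratio sampling type is not modelled.

```python
def rmon_alarm_events(samples, sample_type, rising, falling, hysteresis=True):
    """Return [(sample_index, "rising" | "falling"), ...] raised by one alarm entry.

    samples:     sampled values of the alarm variable, oldest first.
    sample_type: "absolute" compares each sample with the thresholds;
                 "delta" compares the difference from the previous sample,
                 so the first sample produces no comparison.
    hysteresis:  True  = RFC 2819: after a rising event no further rising
                         event is raised until a falling event has occurred,
                         and vice versa.
                 False = the AC6605 behaviour the guide describes: the alarm
                         is raised again once the value has returned to the
                         normal range between the two thresholds.
    """
    if sample_type == "absolute":
        compared = list(enumerate(samples))
    elif sample_type == "delta":
        compared = [(i, samples[i] - samples[i - 1]) for i in range(1, len(samples))]
    else:
        raise ValueError("sample_type must be 'absolute' or 'delta'")

    events = []
    armed_rising = armed_falling = True   # either direction may fire first
    for index, value in compared:
        if value >= rising:
            if armed_rising:
                events.append((index, "rising"))
                armed_rising, armed_falling = False, True
        elif value <= falling:
            if armed_falling:
                events.append((index, "falling"))
                armed_falling, armed_rising = False, True
        elif not hysteresis:
            # Value is back in the normal range: the AC6605 re-arms the alarm.
            armed_rising = armed_falling = True
    return events


# Constructed sample series, e.g. broadcast packets per sampling interval on
# one interface, evaluated with rising-threshold 50 and falling-threshold 30.
BROADCASTS = [40, 60, 70, 45, 40, 65, 20, 80, 35, 55]

if __name__ == "__main__":
    for mode in (True, False):
        label = "RFC 2819 hysteresis" if mode else "AC6605 re-arm"
        print(label, rmon_alarm_events(BROADCASTS, "absolute", 50, 30, hysteresis=mode))
```

With hysteresis the series above yields three events; with the AC6605 behaviour the same series yields five, because samples 5 and 9 cross the rising threshold again after a return to the normal range.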

- Event group
An event group stores all the events generated by the RMON agent in a table. It records
logs or sends trap messages to the NM Station when an event occurs.
The event group implements the output of three events: log, trap, and log-trap. Each event
entry corresponds to a maximum of 10 pieces of logs. The previous logs are overwritten in
a circular manner if the threshold of logs is crossed.
The event group has two tables: eventTable and logTable.
- Performance-MIB
The RMON prialarm group is an enhancement of alarmTable defined in RFC 2819.
Compared with the alarmTable, the RMON prialarm group supports the setting of alarm
objects and time spans of alarm entries through expressions.
The RMON Performance-MIB has one table: prialarmTable.
In the AC6605, to save system resources, each entry is given a specific time span. The time
span indicates the period for an entry to keep the invalid state. The entry is deleted when
the time span goes down to 0.
Table 10-6 shows the capacity of various tables and the maximum time span of each table.
Table 10-6 Time span of each table
Table                 Entry Capacity (Byte)   Maximum Time Span (s)
ethernetStatsTable    100                     600
historyControlTable   100                     600
alarmTable            60                      6000
eventTable            60                      600
logTable              600                     -
prialarmTable         50                      6000

NOTE

logTable does not have a time span. Each log entry can have a maximum of 10 pieces of logs. The
excessive logs supersede the older ones in a circular manner.

When an interface board or an interface card is removed, the corresponding entries in the
ethernetStatsTable and historyControlTable become invalid. If the time spans of tables are
respectively set to 1200s, the entries in the tables are deleted when the time spans go down
to 0.
If an interface is added before its corresponding entries are deleted from the table, these
entries can take effect again.

10.6.3 Configuring RMON


This section describes how to monitor the network status and traffic through RMON.


Establishing the Configuration Task


Before configuring RMON, familiarize yourself with the applicable environment, complete the
pre-configuration tasks, and obtain the required data. This can help you complete the
configuration task quickly and accurately.

Applicable Environment
To monitor network status and collect traffic statistics on a network segment, you can configure
RMON.
Enabling RMON has no special requirements. You can enable it in advance, or configure it when
you suspect that the traffic of the sub-network where the interface resides is abnormal. You can
configure RMON depending on the actual situation.
It is recommended to configure the statistics table in advance, configure two history control
policies on the interface where the traffic is abnormal, configure the alarm for one or more
suspicious entries, set the high and low thresholds, and view the alarm information.
NOTE

RMON only records traffic statistics and abnormal conditions; it cannot prevent them. To clear
abnormalities, you need to adopt other management measures.

Pre-configuration Tasks
Before configuring RMON, complete the following tasks:
- Configuring parameters for Ethernet interfaces
- Configuring basic SNMP functions

Data Preparation
To configure RMON, you need the following data.
1. Interface on which the statistics function is enabled
2. Statistics table to be used and related parameters
3. HistoryControl table to be used and related parameters
4. Event table to be used and related parameters
5. Alarm table to be used and related parameters
6. Prialarm table to be used and related parameters

Enabling the RMON Statistics Function on the Interface


You need to enable the traffic statistics function on the interface where traffic statistics are collected.
If the traffic statistics function is not enabled on the interface, the statistics values in both
ethernetStatsTable and historyControlTable are 0.

Context
Do as follows on the Switch on which traffic statistics should be collected:

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
interface gigabitethernet interface-number

The interface view is displayed.


Step 3 Run:
rmon-statistics enable

The RMON statistics function is enabled on the interface.


If the statistics function is not enabled on the interface, the statistics value in ethernetStatsTable
and historyControlTable of RMON is 0.
----End

Configuring the ethernetStatsTable


EthernetStatsTable records traffic information that RMON collects on interfaces.

Context
Do as follows on the Switch on which traffic statistics should be collected:

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
interface gigabitethernet interface-number

The interface view is displayed.


Step 3 Run:
rmon statistics entry-number [ owner owner-name ]

The ethernetStatsTable is configured.


To monitor the statistics of an interface on a device, a network administrator needs to create a
table entry for this interface and specify the interface OID, entry index, and entry state. The
network administrator can then read the corresponding entry to obtain the latest statistics.
NOTE

The interface enabled with the statistics function cannot be added to an Eth-trunk.

----End

Configuring the HistoryControlTable


HistoryControlTable provides the historical data management function. With this function, you
can sample traffic of a certain interface, set the maximum number of items to be saved and the
sampling interval, collect traffic statistics on the specific interface periodically, and save the
statistics to etherHistoryTable for future use.

Context
As recommended by the RMON specifications, each monitored interface should be configured
with more than two history control entries. One entry is sampled every 30 seconds while another
entry is sampled every 30 minutes.
The short sampling interval enables a monitor to probe the sudden changes of traffic modes, and
the long sampling interval is applicable if the interface status is relatively stable.
Currently, the AC6605 reserves up to 10 pieces of the latest records for each history control
entry.
NOTE

To reduce the effect on the performance of the system, the sampling interval of the history table should be
longer than 10 seconds, and the same port should not be configured with too many history control entries
and alarm entries.

Do as follows on the Switch on which traffic statistics should be collected:

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
interface gigabitethernet interface-number

The interface view is displayed.


Step 3 Run:
rmon history entry-number buckets number interval sampling-interval [ owner owner-name ]

The historyControlTable is configured.


----End

Configuring the EventTable


After EventTable is configured, when the number of events exceeds the alarm threshold, the
Switch generates logs, sends traps, or generates logs and sends traps.

Context
Do as follows on the Switch that is monitored:
The RMON event management module is responsible for adding events to the corresponding
rows in the eventTable and defining the methods of processing events:

- log: sending only logs
- log-trap: sending both logs and trap messages to the NM Station
- none: marking that no event occurs
- trap: sending trap messages to the NM Station

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
rmon event entry-number [ description string ] { log | trap object | log-trap object | none } [ owner owner-name ]

The eventTable is configured.


----End

Configuring the AlarmTable


The RMON alarm management function monitors a specified trap variable identified by its OID
at a specified sampling interval. When the monitored variable exceeds the defined threshold, an
alarm is generated.

Context
The RMON alarm management is responsible for monitoring a specified alarm variable
(identified by OID) at a specified sampling interval. An alarm event occurs when the monitored
variable exceeds the defined threshold. Generally, the event is recorded in the log table, or
RMON sends a trap message to the NM Station.
If the events that correspond to the alarm upper limit and lower limit (event-entry1, event-entry2)
are not configured in the eventTable, an alarm is not generated even if the alarm condition
is satisfied. At this time, the status of the alarm record is undercreation and not VALID.
If an event corresponding to either the alarm upper limit or the alarm lower limit is configured,
an alarm is triggered once the alarm condition is satisfied. (At this time, the status of the alarm
record is VALID.) If an incorrect alarm variable is configured (for example, a nonexistent
OID is specified), the status of the alarm record is undercreation and no alarm is generated.
Do as follows on the Switch that is monitored:

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
rmon alarm entry-number alarm-OID sampling-time { absolute | changeratio | delta } rising-threshold threshold-value1 event-entry1 falling-threshold threshold-value2 event-entry2 [ owner owner-name ]


The alarmTable is configured.


----End

Configuring the PrialarmTable


Compared with AlarmTable, PrialarmTable is enhanced with the function of setting the trap
object through an expression.

Context
Based on the alarmTable in RFC 2819, the RMON prialarm management is enhanced with two
functions: setting the alarm object in the form of expressions and limiting the time to live (TTL)
value of a prialarm entry.
Compared with the alarmTable, the prialarmTable has several additional entries:
- Expression of alarm variables. It can be an arithmetic expression composed of the OIDs of
alarm variables (+, -, *, / or brackets).
- Description of the prialarm entry in a character string.
- Prialarm state period, in seconds. It must be larger than the sampling interval.
- Two prialarm state types: Forever or Cycle. If Cycle is set, an alarm does not occur and the
entry is deleted after the specified prialarm state period.

If the events that correspond to the alarm upper limit and lower limit (event-entry1, event-entry2) are not configured in the eventTable, an alarm does not occur even if the alarm conditions are satisfied. (The alarm record is in the undercreation state rather than in the VALID state.)
If either the alarm upper limit event or the alarm lower limit event is configured, the alarm is triggered once the conditions for an alarm are satisfied. (The alarm record is in the VALID state.)
Do as follows on the Switch that is monitored.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
rmon prialarm entry-number prialarm-formula description-string sampling-interval
{ absolute | changeratio | delta } rising-threshold threshold-value1 event-entry1
falling-threshold threshold-value2 event-entry2 entrytype { cycle entry-period |
forever } [ owner owner-name ]

The prialarmTable is configured.


----End

Checking the Configuration


After configuring RMON, you can view the traffic statistics collected by RMON.

Prerequisites
The configurations of the RMON are complete.
Procedure
• Run the display rmon alarm [ entry-number ] command to view the RMON alarm information.
• Run the display rmon event [ entry-number ] command to view the RMON events.
• Run the display rmon eventlog [ entry-number ] command to view the RMON event logs.
• Run the display rmon history [ ethernet interface-number | gigabitethernet interface-number ] command to view the RMON history information.
• Run the display rmon prialarm [ entry-number ] command to view the information of the RMON prialarmTable.
• Run the display rmon statistics [ ethernet interface-number | gigabitethernet interface-number ] command to view the RMON statistics.

----End

Example
Run the display rmon alarm command. If information about the alarm table is displayed, it
means that the configuration succeeds.
<Quidway> display rmon alarm 1
Alarm table 1 owned by Test300 is VALID.
Samples absolute value : 1.3.6.1.2.1.16.1.1.1.6.1 <etherStatsBroadcastPkts.1>
Sampling interval : 30(sec)
Rising threshold : 500(linked with event 1)
Falling threshold : 100(linked with event 1)
When startup enables : risingOrFallingAlarm
Latest value : 1975

Run the display rmon event command. If information about the event table is displayed, it
means that the configuration succeeds.
<Quidway> display rmon event
Event table 1 owned by Test300 is VALID.
Description: null
Will cause log when triggered, last triggered at 0days 00h:24m:10s.34th.
Event table 2 owned by Test300 is VALID.
Description: forUseofPrialarm.
Will cause snmp-trap when triggered, last triggered at 0days 00h:26m:10s.73th.

Run the display rmon eventlog command. If information about the event logs is displayed, it
means that the configuration succeeds.
<Quidway> display rmon eventlog
Event table 1 owned by Test300 is VALID.
Generates eventLog 1.1 at 0days 00h:39m:30s.05th.
Description: The 1.3.6.1.2.1.16.1.1.1.6.1 defined in alarm table 1,
less than or equal to 100 with alarm value 0. Alarm sample type is absolute.

Run the display rmon history command to display the RMON history.
<Quidway> display rmon history
History control entry 1 owned by Test300 is VALID
Samples interface : Ethernet0/0/1<ifEntry.402653698>
Sampling interval : 30(sec) with 10 buckets max
Last Sampling time : 0days 00h:09m:43s
Latest sampled values :
octets :645 , packets :7
broadcast packets :7 , multicast packets :0
undersize packets :6 , oversize packets :0
fragments packets :0 , jabbers packets :0
CRC alignment errors :0 , collisions :0
Dropped packet: :0 , utilization :0

Run the display rmon prialarm command. If information about the extended alarm table is
displayed, it means that the configuration succeeds.
<Quidway> display rmon prialarm 1
Prialarm table 1 owned by Test300 is VALID.
Samples delta value : .1.3.6.1.2.1.16.1.1.1.6.1+.1.3.6.1.2.1.16.1.1.1.7.1
Sampling interval : 30(sec)
Rising threshold : 1000(linked with event 2)
Falling threshold : 0(linked with event 2)
When startup enables : risingOrFallingAlarm
This entry will exist : forever
Latest value : 16

Run the display rmon statistics command to display the RMON statistics.
<Quidway> display rmon statistics
Statistics entry 1 owned by Test300 is VALID.
Interface : Ethernet0/0/1<ifEntry.402653698>
Received :
octets :142915224 , packets :1749151
broadcast packets :11603 , multicast packets:756252
undersized packets :0 , oversized packets:0
fragments packets :0 , jabbers packets :0
CRC alignment errors:0 , collisions :0
Dropped packet (insufficient resources):1795
Packets received according to length (octets):
64 :150183 , 65-127 :150183 , 128-255 :1383
256-511:3698 , 512-1023:0 , 1024-1518:0

10.6.4 Maintaining RMON


When an RMON operation fault occurs, you can run the debugging command in the user view to locate the fault and analyze its cause.

Context

CAUTION
Debugging affects the performance of the system. So, after debugging, run the undo debugging
all command to disable it immediately.
When an RMON fault occurs, run the following debugging command in the user view to locate
the fault.
Perform the configuration in the user view.

Procedure
• Run the debugging rmon command to enable RMON debugging.

----End

10.6.5 Configuration Examples


This section provides several configuration examples of RMON and RMON2.

Examples for Configuring RMON


Networking Requirements
GigabitEthernet0/0/1 on the Switch belongs to a VLAN.
As shown in Figure 10-38, it is required that the network connected to GigabitEthernet0/0/1 be
monitored to obtain real-time and history statistics of broadcast, multicast, and unknown unicast
packets on the network.
If the number of broadcast, multicast, and unknown unicast packets in the VLAN becomes
abnormal, the Switch sends a Trap message to the NMS.
Figure 10-38 Networking diagram of configuring RMON [diagram: PCs in the VLAN, Switch with GE 0/0/1, IP network, NMS]

Configuration Roadmap
To send a Trap message to the NMS, you need to use SNMP commands to enable the Trap
function and set a corresponding community name.
The configuration roadmap is as follows:
• Enable the statistics function.
• Configure the etherStatsTable.
• Configure the historyControlTable.
• Configure the eventTable.
• Configure the alarmTable.

Data Preparation
To complete the configuration, you need the following data:
• Interval for sampling data
• Threshold for triggering alarms
• Community name for communicating with the NMS

Configuration Procedure
1. Configure reachable routes between the Switch and the NMSs. The configuration procedure is not mentioned.

2. Enable the statistics function.

# Enable the RMON statistics function on the interface.
<Switch> system-view
[Switch] interface gigabitethernet 0/0/1
[Switch-GigabitEthernet0/0/1] rmon-statistics enable

# Configure the etherStatsTable.


[Switch-GigabitEthernet0/0/1] rmon statistics 1 owner User01

# Verify the configuration. You can check the traffic on the subnet.
[Switch-GigabitEthernet0/0/1] display rmon statistics gigabitethernet 0/0/1
Statistics entry 1 owned by User01 is VALID.
Interface : GigabitEthernet0/0/1<ifEntry.514>
Received :
octets :156 , packets :1
broadcast packets :0 , multicast packets:1
undersized packets :0 , oversized packets:0
fragments packets :0 , jabbers packets :0
CRC alignment errors:0 , collisions :0
Dropped packet (insufficient resources):0
Packets received according to length (octets):
64 :0 , 65-127 :0 , 128-255 :1
256-511:0 , 512-1023:0 , 1024-1518:0

3. Configure the historyControlTable.

# Configure Switch.
# Sample the traffic on the subnet every 30 seconds and save the latest 10 history entries.
[Switch-GigabitEthernet0/0/1] rmon history 1 buckets 10 interval 30 owner User01

# Verify the configuration. Only the last sampling record is displayed through the CLI. To display all the history records, use the special NMS software.
[Switch-GigabitEthernet0/0/1] quit
[Switch] display rmon history gigabitethernet 0/0/1
History control entry 1 owned by User01 is VALID
Samples interface : GigabitEthernet0/0/1<ifEntry.514>
Sampling interval : 30(sec) with 10 buckets max
Last Sampling time : 0days 01h:56m:21s
Latest sampled values :
octets :11385 , packets :0
broadcast packets :0 , multicast packets :9
undersize packets :0 , oversize packets :0
fragments packets :0 , jabbers packets :0
CRC alignment errors :0 , collisions :0
Dropped packet: :0 , utilization :0
History record:
Record No.1 (Sample time: 1days 07h:37m:29s)
octets :11182 , packets :0
broadcast packets :0 , multicast packets :8
undersize packets :0 , oversize packets :0
fragments packets :0 , jabbers packets :0
CRC alignment errors :0 , collisions :0
Dropped packet: :0 , utilization :0

4. Configure the eventTable.

# Set the device to record logs for RMON event 1.
[Switch] rmon event 1 description logevent log owner User01

# Set the device to send Trap messages to the NMS for RMON event 2 and set the
community name to public.
[Switch] rmon event 2 description prialarmevent trap public owner User01

# Display the alarms.


[Switch] display rmon event
Event table 1 owned by User01 is VALID.
Description: logevent.
Will cause log when triggered, last triggered at 0days 00h:00m:00s.
Event table 2 owned by User01 is VALID.
Description: prialarmevent.
Will cause snmp-trap when triggered, last triggered at 0days 00h:00m:00s.

5. Configure the alarmTable for broadcast packets.

# Sample the broadcast packets every 30 seconds. Trigger event 1 when 10000 or more broadcast packets are received. Trigger event 2 when 100 or fewer broadcast packets are received.
[Switch] rmon alarm 1 1.3.6.1.2.1.16.1.1.1.6.1 30 absolute rising-threshold 10000 2 falling-threshold 100 1 owner User01

# Display the alarms.
[Switch] display rmon alarm 1
Alarm table 1 owned by User01 is VALID.
Samples absolute value : 1.3.6.1.2.1.16.1.1.1.6.1<etherStatsBroadcastPkts.1>
Sampling interval : 30(sec)
Rising threshold : 10000(linked with event 2)
Falling threshold : 100(linked with event 1)
When startup enables : risingOrFallingAlarm
Latest value : 0

6. Configure the alarmTable for multicast packets.

# Sample the multicast packets every 30 seconds. Trigger event 1 when 50000 or more multicast packets are received. Trigger event 2 when 100 or fewer multicast packets are received.
[Switch] rmon alarm 2 1.3.6.1.2.1.16.1.1.1.7.1 30 absolute rising-threshold 50000 2 falling-threshold 100 1 owner User01

# Display the alarms.
[Switch] display rmon alarm 2
Alarm table 2 owned by User01 is VALID.
Samples absolute value : 1.3.6.1.2.1.16.1.1.1.5<etherStatsPkts.1>
Sampling interval : 30(sec)
Rising threshold : 50000(linked with event 2)
Falling threshold : 100(linked with event 1)
When startup enables : risingOrFallingAlarm
Latest value : 0

7. Configure the alarmTable for unknown unicast packets.


# Sample the unicast packets every 30 seconds. Trigger event 1 when 1000 or more unicast packets are received. Trigger event 2 when 10 or fewer unicast packets are received.
[Switch] rmon alarm 3 1.3.6.1.2.1.16.1.1.1.5.1 30 absolute rising-threshold 1000 2 falling-threshold 10 1 owner User01

# Display the alarms.


[Switch] display rmon alarm 3
Alarm table 3 owned by User01 is VALID.
Samples absolute value : 1.3.6.1.2.1.2.2.1.12.898<ifInNUcastPkts.898>
Sampling interval : 30(sec)
Rising threshold : 1000(linked with event 2)
Falling threshold : 10(linked with event 1)
When startup enables : risingOrFallingAlarm
Latest value : 0

Configuration Files
#
sysname Switch
#
snmp-agent
snmp-agent local-engineid 000007DB7F000001000071B6
#
interface GigabitEthernet0/0/1
rmon-statistics enable
rmon statistics 1 owner user01
rmon history 1 buckets 10 interval 30 owner user01
#
rmon event 1 description logevent log owner User01
rmon event 2 description prialarmevent trap public owner User01
rmon alarm 1 1.3.6.1.2.1.16.1.1.1.6.1 30 absolute rising-threshold 10000 2 falling-threshold 100 1 owner User01
rmon alarm 2 1.3.6.1.2.1.16.1.1.1.7.1 30 absolute rising-threshold 50000 2 falling-threshold 100 1 owner User01
rmon alarm 3 1.3.6.1.2.1.16.1.1.1.5.1 30 absolute rising-threshold 1000 2 falling-threshold 10 1 owner User01
#
return

10.7 Packet Capture Configuration


This section describes the concept and configuration of the packet capture function and provides
a configuration example.

10.7.1 Packet Capture Overview


The packet capture function captures packets matching the specified rules and sends these
packets to a remote server. This function improves network maintenance efficiency and reduces
maintenance costs.
Switches on a network transmit various services, and network administrators often need to capture packets on switches to locate faults. The AC6605 switch does not support remote mirroring; therefore, administrators need to capture packets using local mirroring on site. If packets need to be captured on an optical interface, an optical-to-electrical converter must be installed on the interface, which reduces maintenance efficiency. The packet capture function allows administrators to capture packets remotely. The captured packet information is saved in a *.cap file on a TFTP or FTP server.

10.7.2 Packet Capture Functions Supported by the AC6605


Capturing Service Packets
When a fault occurs on an AC6605 switch, you can configure the packet capture function. The
switch then captures packets matching the specified rules, and sends captured packet information
to a TFTP or FTP server for you to analyze. This function improves maintenance efficiency and
reduces maintenance cost.
Capturing Packets Sent to the CPU


Some faults cannot be located by capturing service packets. The AC6605 can capture packets
sent to the CPU, and send captured packet information to a TFTP or FTP server. You can analyze
the packets sent to the CPU to find causes of the fault.

10.7.3 Capturing Service Packets


Before capturing service packets on an AC6605 switch, familiarize yourself with the applicable
environment, complete the pre-configuration tasks, and obtain the data required for the
configuration. This will help you complete the configuration task quickly and accurately.

Applicable Environment
When a fault occurs on an AC6605 switch, you can configure the packet capture function. The
switch then captures packets matching the specified rules, and sends captured packet information
to a TFTP or FTP server for you to analyze. This function improves maintenance efficiency and
reduces maintenance cost.

Pre-configuration Tasks
Before capturing service packets, complete the following task:
• Ensuring that routes are reachable between the AC6605 and the FTP or TFTP server

Data Preparation
To capture service packets, you need the following data.
1. Number of the interface on which packets are captured
2. Number of the ACL matching packets to be captured
3. IP address, user name, and password of the FTP server, or IP address of the TFTP server

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
capture-packet { interface interface-type interface-number | acl acl-number }*
[ vlan vlan-id | cvlan cvlan-id ]* destination { { ftp-server ftp-server-address
[ server-port ] user-name user-name password password | tftp-server server-address } file file-name | terminal } [ car cir car-value | time-out time-out-value
| packet-num number | packet-len { length | total-packet } ]*

The AC6605 is configured to capture service packets.


The packet capture configuration is not saved in the configuration file, and becomes invalid
when packet capture is complete.
The AC6605 can capture only upstream packets and cannot capture downstream packets.
Before using the capture-packet command again, wait until the last command execution is
complete.
The system limits the rate of captured packets. The default rate limit is 64 kbit/s. If the rate of
packets exceeds the limit, some packets may be discarded.
If captured packet information fails to be sent to the TFTP or FTP server, the AC6605 switch
saves captured packet information locally.
----End

10.7.4 Capturing Packets Sent to the CPU


Before capturing packets sent to the CPU on an AC6605 switch, familiarize yourself with the
applicable environment, complete the pre-configuration tasks, and obtain the data required for
configuration. This can help you complete the configuration task quickly and accurately.

Applicable Environment
Some faults cannot be located by capturing service packets. The AC6605 can capture packets
sent to the CPU, and send captured packet information to a TFTP or FTP server. You can analyze
the packets sent to the CPU to find causes of the fault. This function improves network
maintenance efficiency and reduces maintenance cost.

Pre-configuration Tasks
Before capturing packets sent to the CPU, complete the following tasks:
• Ensuring that routes are reachable between the AC6605 and the FTP or TFTP server

Data Preparation
To capture packets sent to the CPU, you need the following data.
1. Number of the interface on which packets are captured
2. Number of the ACL matching packets to be captured
3. IP address, user name, and password of the FTP server, or IP address of the TFTP server

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
capture-packet cpu { interface interface-type interface-number | acl acl-number }*
[ vlan vlan-id | cvlan cvlan-id ]* destination { { ftp-server ftp-server-address
[ server-port ] user-name user-name password password | tftp-server server-address } file file-name | terminal } [ time-out time-out-value | packet-num
number | packet-len { length | total-packet } ]*

The AC6605 is configured to capture packets sent to the CPU.


The packet capture configuration is not saved in the configuration file, and becomes invalid
when packet capture is complete.
The AC6605 can capture only upstream packets and cannot capture downstream packets.
Before using the capture-packet cpu command again, wait until the last command execution
is complete.
The system limits the rate of captured packets. The default rate limit is 64 kbit/s. If the rate of
packets exceeds the limit, some packets may be discarded.
If captured packet information fails to be sent to the TFTP or FTP server, the AC6605 switch
saves captured packet information locally.
----End

10.7.5 Configuration Examples


This section provides an example of packet capture configuration.

Example for Capturing Packets


This example illustrates how to capture packets on a switch and send captured packet information
to a TFTP or FTP server for fault analysis.

Networking Requirements
Switch connects to the network through GE0/0/1 and can communicate with the FTP server.
All the packets sent from GE0/0/1 to the network need to be captured and saved in the
packet.cap file on the FTP server. The packets sent to the CPU of Switch need to be captured
and saved in the packet_cpu.cap file on the FTP server. Captured packet information needs to
be displayed on the terminal.
Figure 10-39 Networking diagram of packet capture [diagram: Switch with GE0/0/1, Internet, FTP server 192.168.1.10]

Configuration Roadmap
The configuration roadmap is as follows:
1. Capture packets sent upstream from GE0/0/1. Save captured packet information on the FTP server and display captured packet information on the terminal.
2. Capture packets sent to the CPU. Save captured packet information on the FTP server and display captured packet information on the terminal.

Data Preparation
To complete the configuration, you need the following data:
• Number of the uplink interface: GE0/0/1
• FTP server IP address, FTP user name, and password: 192.168.1.10, user1, and 123456
• Files used to save captured packet information: packet.cap (service packets) and packet_cpu.cap (packets sent to the CPU)

Procedure
Step 1 Capture packets sent upstream from GE0/0/1. Save captured packet information on the FTP
server and display captured packet information on the terminal.
<Quidway> system-view
[Quidway] sysname Switch
[Switch] capture-packet interface gigabitethernet 0/0/1 destination ftp-server 192.168.1.10 username user1 password 123456 file capture.cap terminal
Info: Test Connecting ftp server ...
Info: Captured packets will be shown on terminal and stored on capture.cap(ftp 192.168.1.10) .
[Switch]
-----------------------capture report-----------------------
file: capture.cap(ftp 192.168.1.10)
capture: interface GigabitEthernet0/0/1
acl: vlan: - cvlan: car: 64kbp timeout: 60s
packets: 100 (expected) 3 (actual)
length: 128 (expected)
-------------------------------------------------------

Step 2 Capture packets sent to the CPU. Save captured packet information on the FTP server and display
captured packet information on the terminal.
[Switch] capture-packet cpu destination ftp-server 10.138.77.34 username user1 password 123456 file capture_cpu.cap terminal
Info: Test Connecting ftp server ...
Info: Captured packets will be shown on terminal and stored on capture_cpu.cap(ftp 192.168.1.10) .
[Switch]
[Switch]
-----------------------capture report-----------------------
file: capture_cpu.cap(ftp 192.168.1.10)
capture: cpu
acl: vlan: - cvlan: car: -- timeout: 60s
packets: 100 (expected) 3 (actual)
length: 128 (expected)
-------------------------------------------------------

Step 3 Verify the configuration.


Captured packet information is displayed on the FTP server.
----End
Configuration Files
None
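Once capture.cap and capture_cpu.cap have been pulled from the FTP server, the first check is that each file is intact and how many frames the packet-len limit (128 bytes expected in the capture report above) cut short, since a truncated frame cannot be fully decoded. The reader below is an added example, not Huawei code or the switch's format documentation; it assumes the files use the standard libpcap layout, and it builds a constructed three-frame capture in memory to run against.

```python
"""Reader for the *.cap files the capture-packet command uploads to the
FTP/TFTP server. Added example, not Huawei code; it assumes the standard
libpcap layout, and the sample capture below is constructed in memory."""
import struct
from typing import Dict, List, NamedTuple, Tuple

PCAP_MAGIC = 0xA1B2C3D4      # microsecond timestamps
PCAP_MAGIC_NS = 0xA1B23C4D   # nanosecond variant
LINKTYPE_ETHERNET = 1


class Frame(NamedTuple):
    ts: float
    caplen: int      # bytes stored in the file (bounded by packet-len)
    origlen: int     # bytes that were on the wire
    vlan: int        # 802.1Q VLAN ID, 0 when untagged
    ethertype: int   # inner EtherType once the tag is stripped


def decode_ethernet(pkt: bytes) -> Tuple[int, int]:
    """Return (vlan, ethertype), stepping over a single 802.1Q tag."""
    if len(pkt) < 14:
        return (0, 0)  # cut too short to even carry the Ethernet header
    ethertype = struct.unpack("!H", pkt[12:14])[0]
    if ethertype == 0x8100 and len(pkt) >= 18:
        tci, inner = struct.unpack("!HH", pkt[14:18])
        return (tci & 0x0FFF, inner)
    return (0, ethertype)


def read_pcap(data: bytes) -> List[Frame]:
    """Parse a pcap image, refusing anything malformed instead of guessing."""
    if len(data) < 24:
        raise ValueError("truncated global header")
    for endian in ("<", ">"):
        magic = struct.unpack(endian + "I", data[:4])[0]
        if magic in (PCAP_MAGIC, PCAP_MAGIC_NS):
            break
    else:
        raise ValueError("not a libpcap file")
    _, _vmaj, _vmin, _tz, _sig, snaplen, linktype = struct.unpack(endian + "IHHiIII", data[:24])
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("unsupported link type %d" % linktype)
    divisor = 1e9 if magic == PCAP_MAGIC_NS else 1e6
    frames, pos = [], 24
    while pos + 16 <= len(data):
        sec, frac, caplen, origlen = struct.unpack(endian + "IIII", data[pos:pos + 16])
        pos += 16
        if caplen > snaplen or caplen > origlen or pos + caplen > len(data):
            raise ValueError("corrupt record header at offset %d" % (pos - 16))
        frames.append(Frame(sec + frac / divisor, caplen, origlen,
                            *decode_ethernet(data[pos:pos + caplen])))
        pos += caplen
    if pos != len(data):
        raise ValueError("trailing bytes after the last record")
    return frames


def capture_report(frames: List[Frame]) -> Dict[str, int]:
    """Totals in the spirit of the CLI's capture report, plus the count of
    frames the packet-len limit cut short (caplen < origlen)."""
    return {
        "packets": len(frames),
        "truncated": sum(1 for f in frames if f.caplen < f.origlen),
        "tagged": sum(1 for f in frames if f.vlan),
        "bytes_on_wire": sum(f.origlen for f in frames),
    }


def build_pcap(frames: List[bytes], snaplen: int) -> bytes:
    """Write a little-endian pcap, truncating each frame to snaplen the way a
    packet-len limit does. Used here only to build constructed test data."""
    out = [struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET)]
    for i, frame in enumerate(frames):
        stored = frame[:snaplen]
        out.append(struct.pack("<IIII", 1000 + i, 0, len(stored), len(frame)) + stored)
    return b"".join(out)


def _frame(dst: str, src: str, vlan: int, ethertype: int, payload: bytes) -> bytes:
    """Constructed Ethernet frame; a non-zero vlan adds an 802.1Q tag."""
    hdr = bytes.fromhex(dst) + bytes.fromhex(src)
    if vlan:
        hdr += struct.pack("!HH", 0x8100, vlan)
    return hdr + struct.pack("!H", ethertype) + payload


# Constructed sample (not a real switch capture): an LLDP frame and a 318-byte
# IPv4 frame on VLAN 20, then an untagged ARP frame, stored with packet-len 128.
SAMPLE_CAP = build_pcap([
    _frame("0180c200000e", "020000000001", 20, 0x88CC, b"\x02\x07\x04" + b"\x00" * 40),
    _frame("ffffffffffff", "020000000001", 20, 0x0800, b"\x45" + b"\x00" * 299),
    _frame("ffffffffffff", "020000000002", 0, 0x0806, b"\x00\x01\x08\x00" + b"\x00" * 24),
], snaplen=128)
```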

11 Configuration Guide - System Management (AC)

About This Chapter


This section describes the configuration procedures of system management.
11.1 Configuring User Login
A user can log in to the device through a console port, or by using Telnet. The user can maintain
the device locally or remotely after login.
11.2 Configuring User Interfaces
When a user uses a console port or Telnet, to log in to the device, the system manages the session
between the user and the device on the corresponding user interface.
11.3 Configuring System Startup
When the device is powered on, system software starts and configuration files are loaded. To
ensure smooth running of the device, you need to manage system software and configuration
files efficiently.
11.4 Upgrading the Devices
The following describes how to upgrade the AC6605 and AP.
11.5 Displaying the Device Status
This chapter describes the functions and applications of the display commands and how to use
the display commands to view the running status of the device.
11.6 (Optional) Activating a License
This section describes how to activate a license on the AC6605.

11.1 Configuring User Login


A user can log in to the device through a console port, or by using Telnet. The user can maintain
the device locally or remotely after login.

11.1.1 Logging In to the Device Through a Console Port


After the device is powered on for the first time, you can log in to it from a PC through the
console port to configure and manage the device. Telnet can then be used for login.

Pre-configuration Tasks
Before logging in to the device through a console port, complete the following tasks:
• Preparing the console cable
• Installing the terminal emulation software on the PC

NOTE
You can use the built-in terminal emulation software (such as the HyperTerminal of Windows 2000/XP) on the PC. If no built-in terminal emulation software is available, use third-party terminal emulation software. For details, see the software user guide or online help.

Context
PC terminal attributes, including the transmission rate, data bit, parity bit, stop bit, and flow
control mode must be configured to match those configured for the console port. Default values
for terminal attributes are used during the first login to the device.

Procedure
Step 1 Use the terminal simulation software to log in to the device through a console port. The Windows
XP HyperTerminal is used as an example in this section.
NOTE

The settings of the terminal communication parameters must be consistent with those of the physical
attribute parameters on the user interface of the console port. If the user authentication mode is set on the
user interface of the console port, you can log in to the device only after you are authenticated.

1. Insert the DB9 connector of the console cable delivered with the product into the 9-pin serial port on the PC, and insert the RJ-45 connector into the console port of the device.
2. Choose Start > All Programs > Accessories > Communications > HyperTerminal on the PC to start the HyperTerminal. Set up a connection, as shown in Figure 11-1.

Figure 11-1 Connection creation

3. Set an interface, as shown in Figure 11-2.

Figure 11-2 Interface settings

4. Set communication parameters to match the Switch defaults, as shown in Figure 11-3.

Figure 11-3 Communication parameter settings

5. After the preceding configurations are complete, press Enter. At the following command-line prompt, set an authentication password. The system automatically saves the set password.
An initial password is required for the first login via the console.
Set a password and keep it safe! Otherwise you will not be able to login via the console.
Please configure the login password (6-16)
Enter Password:
Confirm Password:
<Quidway>

You can run commands to configure the device. Enter a question mark (?) whenever you
need help.
----End

Checking the Configuration

• Run the display users [ all ] command to check the user log information on the user interface.
• Run the display user-interface console 0 command to check the user interface information.
• Run the display local-user command to check the local user attributes.
• Run the display access-user command to check the online user information.

Follow-up Procedure

1. Run the display device command to check whether you have logged in to the LSW or AC unit. The following information indicates that you have logged in to the LSW unit.

<Quidway> display device
AC6605-26-PWR's Device status:
Slot Sub Type         Online    Power     Register     Status    Role
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
0        AC6605-26    Present   PowerOn   Registered   Normal    Master
4        POWER        Present   PowerOn   Registered   Normal    NA

2. Run the console switch command or press Ctrl+Y to switch from the LSW unit to the AC unit. After the preceding configurations are complete, press Enter. At the following command-line prompt, set an authentication password. The system automatically saves the set password.

<Quidway> console switch
Info: Switch console to AC.
An initial password is required for the first login via the console.
Set a password and keep it safe! Otherwise you will not be able to login via the console.
Please configure the login password (6-16)
Enter Password:
Confirm Password:
<Quidway>

3. Run the display device command to check AC unit information.

<Quidway> display device
AC6605-AC's Device status:
Slot Sub Type         Online    Power     Register     Status    Role
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
0        AC6605-26    Present   PowerOn   Registered   Normal    Master

4. Run the console switch command or press Ctrl+Y to switch from the AC unit to the LSW unit.

<Quidway> console switch
Info: Switch console to LSW.
<Quidway>

The LSW unit and AC unit of the AC6605 use the same physical serial port. If you have logged in to the device through the console port, you can press Ctrl+Y to switch between the LSW unit and AC unit. When you press Ctrl+Y, one of the following messages is displayed:

- Info: Switch console to AC. This message indicates that you have logged in to the AC unit.
- Info: Switch console to LSW. This message indicates that you have logged in to the LSW unit.

NOTE

When you log in to the device on the console port, the device status determines which side you log in to, the wired side or the wireless side. By default, you log in to the wired side when the device is powered on for the first time. If you want to switch the account, disconnect the console port. When you reconnect the console port and attempt to log in, you log in to the side you were on last time. If the wireless side restarts separately, the console port automatically connects to the wired side.

11.1.2 Logging In to the Device Through Telnet


After logging in to the device on the console port and completing the configuration, you can log
in to the remote device using the Telnet protocol and maintain the remote device.

Pre-configuration Tasks

Before logging in to the device through Telnet, complete the following task:

- Configuring routes between a terminal and the device

Configuration Process

Table 11-1 describes the tasks in the configuration process for login through Telnet.

Table 11-1 Tasks in the configuration process for login through Telnet

No. | Task | Description | Remarks
1 | Configuring the Telnet server functions and parameters | Enable Telnet server functions and configure the server parameters. | Tasks 1, 2, and 3 can be performed in any sequence.
2 | Configuring the Telnet user login interface | Configure the user level, authentication mode, call-in and call-out permission, and other basic attributes for the VTY user interface. |
3 | Configuring a local Telnet user (AAA authentication mode) | Configure the user name and password when the AAA authentication mode is used. |
4 | Logging in to the device through Telnet from a terminal | Use the Telnet client software to log in to the device from a terminal. |

Default Configuration

Table 11-2 Default settings of the parameters for logging in to the device through Telnet

Parameter | Default Setting
Telnet service | Enabled
Telnet server port number | 23
VTY user interface authentication mode | No authentication mode
User level | The default command access level for the VTY user interface is 0.

Procedure

- Configuring the Telnet server functions and parameters

Before connecting to the device through Telnet from a user terminal, make sure that the Telnet service is enabled on the device.

Table 11-3 Actions for configuring the Telnet server functions and parameters

1. Enter the system view.
   Command: system-view

2. Enable the Telnet service.
   Command: telnet server enable
   Description: By default, the Telnet service is enabled. The default listening port number is 23.

3. (Optional) Configure the listening port of the Telnet server.
   Command: telnet server port port-number
   Description: After the listening port number of the Telnet server is changed, attackers do not know the new listening port number. This effectively prevents attackers from accessing the listening port.

- Configuring the Telnet user login interface

Configure the user level, call-in and call-out permission, and other basic attributes for the VTY user interface.

Table 11-4 Actions for configuring the Telnet user login interface

1. Enter the system view.
   Command: system-view

2. Enter the VTY user interface view.
   Command: user-interface vty first-ui-number [ last-ui-number ]

3. Configure the user level for the user interface.
   Command: user privilege level level
   Description: The default user level for the VTY user interface is 0. To run the commands of a higher level, configure a higher user level. If the user level configured for the user interface conflicts with the user's operation permission, the user permission takes precedence.

4. Configure the user authentication mode.
   Command: authentication-mode { password | aaa }
   Description: The password and AAA authentication modes are supported. Configure either authentication mode as required.

5. (Optional) Configure the call-in and call-out permission for the user interface.
   Command: For details, see 11.2.2 Configuring the VTY User Interface.
   Description: By default, the call-in and call-out permission for the user interface is not configured. Configure this action to prevent a user with a certain address or address segment from logging in to the device, or to prevent a user who has logged in to the device from logging in to another device.

6. (Optional) Configure other attributes of the user interface.
   Command: For details, see 11.2.2 Configuring the VTY User Interface.
   Description: Use the default settings for other attributes of the VTY user interface. You can configure attributes based on the usage requirements.

- Configuring a local Telnet user (AAA authentication mode)

Configure the administrator's user name and password to ensure that only the administrator can log in to the device.

Table 11-5 Actions for configuring a local Telnet user (AAA authentication mode)

1. Enter the system view.
   Command: system-view

2. Enter the AAA view.
   Command: aaa

3. Configure the local user name and password.
   Command: local-user user-name password cipher password

4. Configure the service type for the local user.
   Command: local-user user-name service-type telnet

5. Configure the level for the local user.
   Command: local-user user-name privilege level level
   Description: After login, a user can only run the commands at levels equal to or lower than the user level, which ensures the device security. If the user level configured for the user interface conflicts with the user's operation permission, the user permission takes precedence.

- Logging in to the device through Telnet from a terminal

You can use the Windows command prompt or third-party software to log in to the device through Telnet from a terminal. The Windows command prompt is used as an example. Perform the following operations on the terminal:

1. Open the command line window.

2. Run the telnet ip-address port command to log in to the device through Telnet.

C:\Documents and Settings\Administrator> telnet 10.137.217.177 1025

3. Press Enter and enter the login user name and password configured for the AAA authentication mode. The command line prompt of the user view is displayed, and you have logged in to the device. (In password authentication, the system only prompts you to enter the password. The following information is only for reference.)

Login authentication
Username:huawei
Password:
Info: The max number of VTY users is 20, and the number of current VTY users on line is 1.
The current login time is 2012-10-21 17:14:36-05:13.

NOTE

The AC6605 provides a wired side and a wireless side, each with its own IP address. You can use these IP addresses to connect to the wired side or the wireless side in Telnet mode.

----End

Checking the Configuration

- Run the display users [ all ] command to check the connections on the user interface.
- Run the display tcp status command to check all TCP connections.
- Run the display telnet server status command to check the current connections of the Telnet server.
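As an added example (not from this guide or any Huawei tool), the following Python script parses a VRP-style configuration and reports the settings that Tables 11-2 to 11-4 above leave at their defaults: the Telnet service enabled on port 23, VTY user interfaces without an authentication mode, and VTY user interfaces without an inbound ACL. The sample configuration is constructed, and the `undo telnet server enable` form is assumed (the guide shows only `telnet server enable`).

```python
"""Audit a VRP configuration for the Telnet/VTY defaults listed in Table 11-2.

Added example, not code from the AC6605 guide or any Huawei tool. The config
text is constructed to resemble VRP output; `undo telnet server enable` is
assumed to be the disable form (the guide shows only the enable form).
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

UI_RE = re.compile(r"^user-interface\s+(con|console|vty)\s+(\d+)(?:\s+(\d+))?$")
PORT_RE = re.compile(r"^telnet server port (\d+)$")
ACL_IN_RE = re.compile(r"^acl \d+ inbound$")

# Constructed sample: vty 0 4 is hardened per Tables 11-4/11-5; vty 5 9 was
# added later (user-interface maximum-vty) and still sits at the defaults.
SAMPLE_CONFIG = """\
#
 sysname AC6605
#
telnet server enable
#
aaa
 local-user admin password cipher <CIPHERTEXT-PLACEHOLDER>
 local-user admin service-type telnet
 local-user admin privilege level 15
#
user-interface con 0
 authentication-mode aaa
user-interface vty 0 4
 authentication-mode aaa
 user privilege level 3
 acl 2001 inbound
 idle-timeout 5 0
user-interface vty 5 9
 user privilege level 0
#
return
"""


@dataclass
class UserInterface:
    kind: str
    first: int
    last: int
    cmds: List[str] = field(default_factory=list)

    @property
    def name(self) -> str:
        rng = str(self.first) if self.first == self.last else f"{self.first} {self.last}"
        return f"user-interface {self.kind} {rng}"


def parse_config(text: str) -> Tuple[List[str], List[UserInterface]]:
    """Split VRP config text into top-level commands and user-interface blocks.

    VRP prints a user-interface header unindented, its settings indented by
    one space, and a lone '#' between sections.
    """
    top: List[str] = []
    blocks: List[UserInterface] = []
    current: Optional[UserInterface] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "#":
            current = None
            continue
        if raw[0].isspace():
            # Indented setting: belongs to the open user-interface block, if any.
            (current.cmds if current is not None else top).append(line)
            continue
        m = UI_RE.match(line)
        if m:
            kind, first, last = m.group(1), int(m.group(2)), m.group(3)
            current = UserInterface(kind, first, int(last) if last else first)
            blocks.append(current)
        else:
            current = None
            top.append(line)
    return top, blocks


def audit(text: str) -> List[Tuple[str, str]]:
    """Return (scope, finding) pairs for settings still at the guide's defaults."""
    top, blocks = parse_config(text)
    findings: List[Tuple[str, str]] = []

    # Table 11-2: the Telnet service is enabled by default and listens on TCP 23.
    port = 23
    for cmd in top:
        m = PORT_RE.match(cmd)
        if m:
            port = int(m.group(1))
    if "undo telnet server enable" not in top:
        note = " (default port)" if port == 23 else ""
        findings.append(("telnet server", f"Telnet service enabled, listening on TCP {port}{note}"))

    for ui in blocks:
        if ui.kind != "vty":
            continue
        # Table 11-2: a VTY line without authentication-mode performs no authentication.
        if not any(c.startswith("authentication-mode ") for c in ui.cmds):
            findings.append((ui.name, "no authentication-mode (default: no authentication)"))
        # Table 11-4: an inbound ACL limits which source addresses may call in.
        if not any(ACL_IN_RE.match(c) for c in ui.cmds):
            findings.append((ui.name, "no inbound ACL restricting call-in addresses"))
    return findings


if __name__ == "__main__":
    for scope, msg in audit(SAMPLE_CONFIG):
        print(f"[{scope}] {msg}")
```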

11.2 Configuring User Interfaces


When a user uses a console port or Telnet to log in to the device, the system manages the session between the user and the device on the corresponding user interface.

11.2.1 Configuring the Console User Interface


When a user logs in to the device using the console user interface to maintain the device locally,
the user can configure the attributes of the corresponding user interface to ensure the device
security as required.

Pre-configuration Tasks

Before configuring a console user interface, complete the following tasks:

- Log in to the device using a terminal.

NOTE

To log in to the device using the console interface to maintain the device locally, configure the console user interface, including the physical attributes, terminal attributes, user level, and user authentication mode. Users can set these parameters based on the site requirements or retain the default values.

Procedure

- Configure the physical attributes of the console user interface.

1. Run: system-view
   The system view is displayed.

2. Run: user-interface console interface-number
   The console user interface view is displayed.

3. Run: speed speed-value
   The baud rate is set. By default, the baud rate is 9600 bit/s.

4. Run: flow-control { hardware | none | software }
   The flow control mode is set. By default, the flow control mode is none.

5. Run: parity { even | mark | none | odd | space }
   The parity mode is set. By default, the value is none.

6. Run: stopbits { 1.5 | 1 | 2 }
   The stop bit is set. By default, the value is 1 bit.

7. Run: databits { 5 | 6 | 7 | 8 }
   The data bit is set. By default, the data bit is 8.

8. Run: quit
   The user quits the console user interface view.


NOTE

When a user logs in to the Switch through a console port, the physical attributes set for the console
port on the HyperTerminal must be consistent with the attributes of the console user interface on the
Switch, or the user will not be able to log in.

- Configure terminal attributes on the console user interface.

1. Run: system-view
   The system view is displayed.

2. Run: user-interface vty number1 [ number2 ]
   The VTY user interface view is displayed.

3. Run: shell
   VTY terminal service is enabled.

4. Run: idle-timeout minutes [ seconds ]
   User idle timeout is enabled. If the connection remains idle for the timeout period, the system automatically terminates the connection. By default, the timeout period is 10 minutes.

5. Run: quit
   The user quits the console user interface view.


- Configure the user level of the console user interface.

1. Run: system-view
   The system view is displayed.

2. Run: user-interface console interface-number
   The console user interface view is displayed.

3. Run: user privilege level level
   The user privilege level is set. This procedure sets the level of a user who logs in through the console port. A user's level determines the level of commands the user is authorized to run. For details about command levels, see "Command Level".

4. Run: quit
   The user quits the console user interface view.


- Configure the user authentication mode.

Configuring AAA Authentication

1. Run: system-view
   The system view is displayed.

2. Run: user-interface console interface-number
   The console user interface view is displayed.

3. Run: authentication-mode aaa
   The authentication mode is set to AAA authentication.

4. Run: quit
   The user quits the console user interface view.

5. Run: aaa
   The AAA view is displayed.

6. Run: local-user user-name password cipher password
   The local user name and password are configured.

7. Run: local-user user-name service-type terminal
   The service type of the local user is set to terminal.

8. Run: quit
   The user quits the AAA view.

Configuring Password Authentication

1. Run: system-view
   The system view is displayed.

2. Run: user-interface console interface-number
   The console user interface view is displayed.

3. Run: authentication-mode password
   The user authentication mode is set to password.

4. Run: set authentication password [ cipher password ]
   The authentication password is configured. You can enter a password in plain text or cipher text.

   NOTE

   - The password can be in plain text or cipher text. When the cipher password parameter is not specified, enter the plain text password in interactive mode. When the cipher password parameter is specified, enter either a plain text or a cipher text password.
   - A plain text password is a string of 6 to 16 case-sensitive characters. It must contain at least two of the following character types: upper-case letters, lower-case letters, digits, and special characters. Any special character except the question mark (?) and the space is allowed.
   - A password entered in interactive mode is not displayed on the screen.

5. Run: quit
   The user quits the console user interface view.

----End

Checking the Configuration

- Run the display users [ all ] command to view user information on the user interface.
- Run the display user-interface console ui-number [ summary ] command to view the information about the user interface.
- Run the display local-user command to view the local user list.
- Run the display access-user command to view online users.

11.2.2 Configuring the VTY User Interface


When a user logs in to the device using Telnet or SSH to maintain the device locally or remotely,
the user can configure a VTY user interface to ensure the device security as required.

Pre-configuration Tasks

Before configuring a VTY user interface, complete the following tasks:

- Log in to the device using a terminal.

NOTE

All parameters except the ACL number that restricts the call-in and call-out permissions on the VTY interface, the authentication mode on the user interface, and the user name and password have default values. You can set parameters based on the site requirements.

Procedure

- Configure the maximum number of VTY user interfaces.

1. Run: system-view
   The system view is displayed.

2. Run: user-interface maximum-vty number
   The maximum number of VTY user interfaces is set.

   NOTE

   When the maximum number of VTY user interfaces is set to zero, no user (including the network administrator) can use a VTY user interface to log in to the device.

   If the maximum number of VTY user interfaces that you set is smaller than the number of current online users, the system displays a configuration failure message. After increasing the number of VTY user interfaces, you must configure the authentication mode for new VTY users.
- (Optional) Configure restrictions on call-in and call-out permissions on the VTY user interface.

1. Run: system-view
   The system view is displayed.

2. Run: user-interface vty number1 [ number2 ]
   The VTY user interface view is displayed.

3. Run: acl acl-number { inbound | outbound }
   Restrictions on call-in and call-out permissions on the VTY user interface are configured. To restrict which users, by source address or address segment, can log in to the device, use the inbound parameter. To restrict users who have logged in to the device from logging in to other devices, use the outbound parameter.

4. Run: quit
   The user quits the VTY user interface view.


- Configure terminal attributes on the VTY user interface.

1. Run: system-view
   The system view is displayed.

2. Run: user-interface vty number1 [ number2 ]
   The VTY user interface view is displayed.

3. Run: shell
   VTY terminal service is enabled.

4. Run: idle-timeout minutes [ seconds ]
   User idle timeout is enabled. If the connection remains idle for the timeout period, the system automatically terminates the connection. By default, the timeout period is 10 minutes.

5. Run: screen-length screen-length [ temporary ]
   The number of lines displayed on the terminal screen is set. The temporary parameter specifies the temporary number of lines displayed on the terminal screen. The default number of lines displayed on the terminal screen is 24.

6. Run: screen-width screen-length
   The number of columns displayed on the terminal screen is set. The default number of columns displayed on the terminal screen is 80. Each character is a column.

   NOTE

   This command is valid only for information displayed by the display interface description command.

7. Run: history-command max-size size-value
   The history command buffer is set. By default, the history command buffer can store up to 10 commands.

8. Run: quit
   The user quits the VTY user interface view.


- Configure the user level on the VTY user interface.

1. Run: system-view
   The system view is displayed.

2. Run: user-interface vty number1 [ number2 ]
   The VTY user interface view is displayed.

3. Run: user privilege level level
   The user level is set. This procedure sets the level of a user who logs in through this user interface. A user's level determines the level of commands the user is authorized to run. For details about command levels, see "Command Level".

4. Run: quit
   The user quits the VTY user interface view.


- Configure the user authentication mode.

Configuring AAA Authentication

1. Run: system-view
   The system view is displayed.

2. Run: user-interface console interface-number
   The console user interface view is displayed.

3. Run: authentication-mode aaa
   The authentication mode is set to AAA authentication.

4. Run: quit
   The user quits the VTY user interface view.

5. Run: aaa
   The AAA view is displayed.

6. Run: local-user user-name password cipher password
   The local user name and password are configured.

7. Run: local-user user-name service-type { telnet | ssh }
   The service type of the local user is set to Telnet or SSH.

8. Run: quit
   The user quits the AAA view.

Configuring Password Authentication

1. Run: system-view
   The system view is displayed.

2. Run: user-interface console interface-number
   The console user interface view is displayed.

3. Run: authentication-mode password
   The user authentication mode is set to password.

4. Run: set authentication password [ cipher password ]
   The authentication password is configured. You can enter a password in plain text or cipher text.

   NOTE

   - The password can be in plain text or cipher text. When the cipher password parameter is not specified, enter the plain text password in interactive mode. When the cipher password parameter is specified, enter either a plain text or a cipher text password.
   - A plain text password is a string of 6 to 16 case-sensitive characters. It must contain at least two of the following character types: upper-case letters, lower-case letters, digits, and special characters. Any special character except the question mark (?) and the space is allowed.
   - A password entered in interactive mode is not displayed on the screen.

5. Run: quit
   The user quits the VTY user interface view.

----End

Checking the Configuration

- Run the display users [ all ] command to view user information on the user interface.
- Run the display user-interface maximum-vty command to view the maximum number of VTY user interfaces.
- Run the display user-interface console ui-number [ summary ] command to view the information about the user interface.
- Run the display local-user command to view the local user list.
- Run the display vty mode command to view the VTY mode.
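The password rule stated in the NOTE under set authentication password (here for the VTY user interface, and identically in 11.2.1 for the console user interface) can be checked before a password is typed at the non-echoing prompt. The following is an added example, not code from this guide or from the device software; it models the documented rule only, and treating non-ASCII characters as unsupported is an assumption the guide does not state.

```python
"""Check a candidate login password against the rule the guide states for
`set authentication password` and the first-login console prompt: 6 to 16
case-sensitive characters from at least two of four classes (upper-case,
lower-case, digit, special character); the question mark and the space are
not allowed.

Added example, not from the AC6605 guide or the device software: it models
the documented rule, not the device's own checker. Rejecting non-ASCII
characters is an assumption the guide does not state.
"""
import string
from typing import List, Set

MIN_LEN, MAX_LEN = 6, 16
FORBIDDEN = frozenset("? ")                            # excluded by the guide
SPECIALS = frozenset(string.punctuation) - FORBIDDEN   # any other special character


def character_classes(pw: str) -> Set[str]:
    """Return which of the four character classes appear in pw."""
    classes: Set[str] = set()
    for ch in pw:
        if ch in string.ascii_uppercase:
            classes.add("upper")
        elif ch in string.ascii_lowercase:
            classes.add("lower")
        elif ch in string.digits:
            classes.add("digit")
        elif ch in SPECIALS:
            classes.add("special")
    return classes


def check_login_password(pw: str) -> List[str]:
    """Return the rule violations found; an empty list means the password passes."""
    problems: List[str] = []
    if not MIN_LEN <= len(pw) <= MAX_LEN:
        problems.append(f"length {len(pw)} is outside {MIN_LEN}-{MAX_LEN}")
    bad = sorted(set(pw) & FORBIDDEN)
    if bad:
        problems.append("contains forbidden character(s): " + ", ".join(repr(c) for c in bad))
    # Assumption: the device accepts ASCII letters, digits and punctuation only.
    allowed = set(string.ascii_letters + string.digits) | SPECIALS | FORBIDDEN
    other = sorted(set(pw) - allowed)
    if other:
        problems.append("contains unsupported character(s): " + ", ".join(repr(c) for c in other))
    if len(character_classes(pw)) < 2:
        problems.append("uses fewer than two character classes")
    return problems


def is_acceptable(pw: str) -> bool:
    return not check_login_password(pw)


if __name__ == "__main__":
    import getpass
    # Interactive entry is not echoed, as at the device's own prompt.
    candidate = getpass.getpass("Enter Password: ")
    for line in check_login_password(candidate) or ["acceptable"]:
        print(line)
```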

11.3 Configuring System Startup


When the device is powered on, system software starts and configuration files are loaded. To
ensure smooth running of the device, you need to manage system software and configuration
files efficiently.

11.3.1 Configuring System Startup Files on the Wireless Side


You need to specify the system software and configuration file for system startup so that the
device will start and initialize with the specified software and configuration file. Specify new
patch files if the system needs to load new patches.

Pre-configuration Tasks

Before configuring the system startup files, complete the following tasks:

- Starting the device and logging in to the device locally or remotely
- Saving the startup files in the root directory of the device

Context

NOTE

You must configure the system startup files or patches on the wired side. However, you need to specify the configuration file for next startup on both the wired and wireless sides.

Before specifying the files for next startup, you can run the display startup command to view the files currently specified for next startup.

- If no system software is specified for next startup, the device starts with the current system software. To change the system software to be loaded for next startup (during an upgrade, for example), upload the new system software to the device and specify it as the system file for next startup. The system software package must use .cc as the file name extension and be saved to the root directory of the storage device.
- If no configuration file is specified for next startup, the device starts with the default configuration file (vrpcfg.zip, for example). If no configuration file is stored in the default directory, the device uses the default parameters for initialization. The configuration file name extension must be .cfg or .zip. In addition, the configuration file must be saved to the root directory of the storage device.
- A patch file uses .pat as the file name extension. The patch file specified to be loaded for next startup must also be saved to the root directory of the storage device.

Procedure
Step 1 Run the startup saved-configuration configuration-file command to specify the configuration
file for next startup.
The configuration file name extension must be .cfg or .zip. In addition, the configuration file
must be saved to the root directory of the flash memory on the wireless side.
NOTE

The configuration of the system startup files or patch files must be performed on the wired side. For details,
see 1.8 Configuring System Startup.

----End

Checking the Configuration


After the configuration is complete, run the display startup command to view the system
software, configuration file and patch file for next startup.

11.3.2 Restarting the Device


To ensure that the specified system software and files take effect, restart the device after system
startup configuration is complete.

Pre-configuration Tasks

Before restarting the device, complete the following task:

- Configuring system startup files

Context

NOTE

You can restart the device only on the wired side.

Use either of the following methods to restart the device:

- Restart the device immediately after configuration: The device restarts immediately after the reboot command is run.
- Restart the device at a scheduled time: The device can be restarted at a specified later time. When the configuration is complete, you can configure the device to restart at a time when few services are running, to minimize the impact of the restart on services.

CAUTION

- Do not restart the device unless necessary, because a device restart causes a short service interruption.
- Save the current configuration so that it takes effect after the device restarts.
- Run the reboot command to restart the device. Operations (including those of users connected using SSH, Telnet, or STAs) performed while the device is restarting may not be executed correctly and may have a severe impact on the device. You are advised to forbid all operations while the device is restarting.

Procedure

- Restart the device immediately

In the user view, run the reboot [ fast ] command to restart the device. fast indicates a quick restart of the device. The system does not ask you whether to save the configuration file in a fast restart.

- Restart the device at a scheduled time

In the user view, run the schedule reboot { at time | delay interval [ force ] } command to restart the device at a scheduled time.
at time specifies the time to restart the device.
delay interval [ force ] specifies the waiting time before restarting the device.
If the force parameter is not specified, the system compares the configuration file with the current configuration. If the current configuration differs from the configuration file, the system asks you whether to save the current configuration. After you make the selection, the system prompts you to confirm the configured restart time. Enter Y or y to make the configured restart time take effect. If the force parameter is specified, the system does not display any message, and the restart time takes effect directly. The current configuration is neither compared nor saved.

----End

Checking the Configuration

- If scheduled restart is configured, run the display schedule reboot command to check the configuration of the device restart.

11.4 Upgrading the Devices


The following describes how to upgrade the AC6605 and AP.

11.4.1 Upgrading the AC


The following describes how to upgrade the AC.

Context
NOTE

The AC6605 can be upgraded only on the wired side.

Procedure

Step 1 Prepare for the upgrade.

1. Check the version of the running system software.

<Quidway> display version
Huawei Versatile Routing Platform Software
VRP (R) software, Version 5.70 (AC6605 V200R002C00)
Copyright (C) 2003-2012 HUAWEI TECH CO., LTD
Quidway AC6605-PWR Routing Switch uptime is 0 week, 1 day, 23 hours, 33 minutes
H852V26S 0(Master) : uptime is 0 week, 1 day, 23 hours, 33 minutes
512M bytes DDR Memory
128M bytes FLASH
Pcb Version : VER A
Basic BOOTROM Version : 000 Compiled at Feb 10 2012, 17:00:24
CPLD Version : 258
Software Version : VRP (R) Software, Version 5.70 (V200R002C00)
PWRCARD I information
Pcb Version : PWR VER A

2. Check the running status of the AC6605.

<Quidway> display device
AC6605-26-PWR's Device status:
Slot Sub Type         Online    Power     Register     Status    Role
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
0        AC6605-26    Present   PowerOn   Registered   Normal    Master
4        POWER        Present   PowerOn   Registered   Normal    NA

Step 2 Load the system software and BootROM program.

1. Use the FTP, TFTP, or BootROM menu to copy the system software and BootROM program to the root directory of the storage device.

2. Specify the system software to be loaded for starting the device.

<Quidway> startup system-software s-s6605-b018.cc


NOTE

If the following information is displayed after you run the startup system-software file command,
press Y to update the BootROM. If the BootROM is updated successfully, go to step c; if the
BootROM update fails, go to step b.
<Quidway> startup system-software s-s6605-b018.cc
Warning: Basic BOOTROM will be upgraded. Continue?(Y/N)[N]: y
Upgrading BOOTROM,please wait for a moment
Info: BOOTROM UPGRADE OK
Info: Succeeded in setting the software for booting system

3. (Optional) Upgrade the BootROM loaded when the device is started.


<Quidway> upgrade basic-bootrom s-s6605-b018.cc
Warning: Basic BOOTROM will be upgraded. Continue?(Y/N)[N]: y
Upgrading BOOTROM,please wait for a moment
[Slot 0]:
Info: BOOTROM UPGRADE OK.

Step 3 Restart the device.

When the system asks you whether to save the configuration, press Y or N. After the configuration is complete, press Y to restart the device.

<Quidway> reboot
Info: The system is now comparing the configuration, please wait.
Warning: All the configuration will be saved to the configuration file for the next startup:flash:/vrpcfg.zip, Continue?[Y/N]:y
Now saving the current configuration to the slot 0.
Info: Save the configuration successfully.
System will reboot! Continue?[Y/N]:y
Info: system is rebooting ,please wait

----End

11.4.2 Configuring the Automatic AP Upgrade Function

Context

An AP needs to negotiate with an AC about the software version when the AP goes online or the software version on the AC changes. If the software version on the AP is different from that on the AC, the AP starts to upgrade its software.

An AP starts to upgrade in the following scenarios:

- Automatic upgrade: Before an AP goes online, the AP discovers that its software version is older than that on the AC or FTP server. At this time, the AP starts to upgrade its software.
- Online upgrade: While an AP is working, the AP discovers that its software version is older than that on the AC or FTP server. At this time, the AP starts to upgrade its software.

An AP supports the following upgrade modes:

- AC mode: An AP downloads the upgrade version file from an AC.
- FTP mode: After the FTP function is configured on an AC by using the ap-update ftp-server command, an AP downloads the upgrade version file from the specified FTP server.
- SFTP mode: After the SFTP function is configured on an AC by using the ap-update sftp-server command, an AP downloads the upgrade version file from the specified SFTP server.


An AP supports three upgrade methods:
- One AP-based upgrade: Before an upgrade in batches, an upgrade test is performed on one AP to check whether the upgraded version works normally. This ensures that the upgrade in batches can succeed.
- AP domain and type-based upgrade: APs in a hotspot area are upgraded, which meets the requirement to upgrade APs by area.
- AP type-based upgrade: APs of one type are upgraded in batches.

Note the following during the configuration:
- The AC, FTP, or SFTP upgrade mode must be pre-configured on the AC.
- In AC mode, up to 128 AP version loads of the same type can be configured on the AC at one time. In FTP or SFTP mode, the number of AP version loads at one time is not restricted.
- When the AC mode is used, upgrading multiple APs together takes a relatively long time. To shorten the service interruption time, it is recommended that you use the FTP or SFTP mode to upgrade APs.

Procedure
- Configure the ac-mode.
  1. Run:
     system-view

     The system view is displayed.
  2. Run:
     wlan

     The WLAN view is displayed.
  3. Run:
     ap-update mode ac-mode

     The AP upgrade mode is configured as ac-mode. By default, the upgrade mode is ac-mode.
  4. To configure the upgrade file name for the AP, choose one of the following configurations:
     Run:
     ap-update load ap-id ap-id update-filename file-name

     The upgrade file for the specified AP is configured.

     Run:
     ap-update update-filename filename ap-type type-id region region-id

     The upgrade file for APs in the same AP domain and of the same type is configured.

     Run:
     ap-update update-filename filename ap-type type-id

     The upgrade file for APs of the same type is configured.
  5. If the software version is upgraded while the AP is working, perform the following operations:
     One AP-based upgrade:
     a. Run:
        ap-update reset ap-id ap-id

        The specified AP is configured to be reset after the upgrade.
     AP domain and type-based upgrade:
     a. Run:
        ap-update multi-load ap-type type-id region region-id

        APs in the same AP domain and of the same type are configured to be upgraded in batches.
     b. Run:
        ap-update multi-reset ap-type type-id region region-id

        APs in the same AP domain and of the same type are configured to be reset in batches.
     AP type-based upgrade:
     a. Run:
        ap-update multi-load ap-type type-id

        APs are configured to be upgraded in batches according to the type.
     b. After the upgrade, run:
        ap-update multi-reset ap-type type-id

        APs of the same type are configured to be reset in batches.


- Configure the FTP mode.
  1. Run:
     system-view

     The system view is displayed.
  2. Run:
     wlan

     The WLAN view is displayed.
  3. Run:
     ap-update mode ftp-mode

     The AP upgrade mode is configured as FTP mode.
  4. Run:
     ap-update ftp-server server-ip-address [ ftp-username ftpusername | ftp-password { cipher | simple } ftppassword ] *

     Basic FTP information, including the FTP server IP address, the FTP user name, and the password, is configured.
     NOTE
     The AP upgrade version file must be stored in the FTP working directory on the FTP server.
  5. To configure the upgrade file name for the AP, choose one of the following configurations:
     Run:
     ap-update load ap-id ap-id update-filename file-name

     The upgrade file for the specified AP is configured.

     Run:
     ap-update update-filename filename ap-type type-id region region-id

     The upgrade file for APs in the same AP domain and of the same type is configured.

     Run:
     ap-update update-filename filename ap-type type-id

     The upgrade file for APs of the same type is configured.
  6. If the software version is upgraded while the AP is working, perform the following operations:
     One AP-based upgrade:
     a. Run:
        ap-update reset ap-id ap-id

        The specified AP is configured to be reset after the upgrade.
     AP domain and type-based upgrade:
     a. Run:
        ap-update multi-load ap-type type-id region region-id

        APs in the same AP domain and of the same type are configured to be upgraded in batches.
     b. Run:
        ap-update multi-reset ap-type type-id region region-id

        APs in the same AP domain and of the same type are configured to be reset in batches.
     AP type-based upgrade:
     a. Run:
        ap-update multi-load ap-type type-id

        APs are configured to be upgraded in batches according to the type.
     b. After the upgrade, run:
        ap-update multi-reset ap-type type-id

        APs of the same type are configured to be reset in batches.


- Configure the sftp-mode.
  NOTE
  Ensure that the software versions of the AC and AP are the same. Otherwise, the AP cannot be upgraded in SFTP mode.
  1. Run:
     system-view

     The system view is displayed.
  2. Run:
     wlan

     The WLAN view is displayed.
  3. Run:
     ap-update mode sftp-mode

     The AP upgrade mode is configured as sftp-mode.
  4. Run:
     ap-update sftp-server server-ip-address [ sftp-username sftpusername | sftp-password { cipher | simple } sftppassword ] *

     Basic SFTP information, including the IP address of the SFTP server, the SFTP user name, and the password, is configured.
     By default, the IP address of the SFTP server is 255.255.255.255. The SFTP user name is anonymous, and the password is anonymous@huawei.com.
     NOTE
     The AP upgrade version file must be stored in the SFTP working directory on the SFTP server.
  5. To configure the upgrade file name for the AP, choose one of the following configurations:
     Run:
     ap-update load ap-id ap-id update-filename file-name

     The upgrade file for the specified AP is configured.

     Run:
     ap-update update-filename filename ap-type type-id region region-id

     The upgrade file for APs in the same AP domain and of the same type is configured.

     Run:
     ap-update update-filename filename ap-type type-id

     The upgrade file for APs of the same type is configured.
  6. If the software version is upgraded while the AP is working, perform the following operations:
     One AP-based upgrade:
     a. Run:
        ap-update reset ap-id ap-id

        The specified AP is configured to be reset after the upgrade.
     AP domain and type-based upgrade:
     a. Run:
        ap-update multi-load ap-type type-id region region-id

        APs in the same AP domain and of the same type are configured to be upgraded in batches.
     b. Run:
        ap-update multi-reset ap-type type-id region region-id

        APs in the same AP domain and of the same type are configured to be reset in batches.
     AP type-based upgrade:
     a. Run:
        ap-update multi-load ap-type type-id

        APs are configured to be upgraded in batches according to the type.
     b. After the upgrade, run:
        ap-update multi-reset ap-type type-id

        APs of the same type are configured to be reset in batches.

----End

11.4.3 Verifying the Configuration


Prerequisites
The upgrade for the AC6605 or AP is complete.

Procedure
- Verify the AC6605 upgrade.
  Run the display startup command to verify that the system software is the target version.
  Run the display device command to verify that the LPUs have been successfully registered.
- Verify the AP upgrade.
  Run the display ap all command to verify that the AP is in normal state.

----End

11.5 Displaying the Device Status


This chapter describes the functions and applications of the display commands and how to use
the display commands to view the running status of the device.

11.5.1 Displaying Information About the Device


You can use the display commands to view component information about the device.

Context
When a fault occurs on the device or a board, you can view device information to check whether the device is working properly.

Procedure
- Run:
  display device

  The component information and device status are displayed.

----End

11.5.2 Displaying the Version


You can use the display commands to view version information about the device.

Context
You can view version information about the device to determine whether the device needs to be
upgraded or whether the upgrade succeeds.

Procedure
- Run:
  display version [ slot slot-id ]

  The version information of the device is displayed.

----End

11.5.3 Displaying the Current Configuration


You can use the display commands to view the current configuration of the device.

Procedure
- Run:
  display current-configuration

  The current configuration is displayed.

----End

11.6 (Optional) Activating a License


This section describes how to activate a license on the AC6605.

Context
A license file controls the capacity, functions, and validity period of a software version. It is
generated by a dedicated encryption tool based on the contract signed with Huawei and delivered
as an electronic file.
Licenses of an AC6605 control the maximum number of APs that the AC6605 can manage.
Purchase licenses for an AC based on the number of APs that need to be managed.
NOTE
- The license function is enabled on the AC6605 by default.
- To enable the AC6605 to manage more APs, purchase AP licenses from Huawei. An AC6605 can manage a maximum of 512 APs after AP licenses are loaded.
- A license enters Normal or Demo state after it is activated. When the Normal or Demo state times out, the license enters Trial state. A license in Trial state supports the same number of APs as in Normal or Demo state. The trial period of a license is 60 days. When the trial period expires, the license becomes invalid. Then the AC can manage only the four commissioning APs, and all the other APs go offline. A license in Normal state is a commercial license, and a license in Demo state is a non-commercial license.
- After a license file is loaded to an AC, the maximum number of APs allowed by the AC is controlled by the license.

Procedure
- Load the license file to the AC Unit of the AC6605. Three methods are available. For details about these methods, see the License Application Guide.
  Use the AC6605 as an FTP server.
  Use the AC6605 as an FTP client.
  Use the AC6605 as a TFTP client.
- Run the license active file-name command to activate the license.
- Run the display license state command to check the license state on the AC6605.

----End

Example
Run the license active file-name command to activate the license file license.dat.

<Quidway> license active license.dat
Info: The License is being activated. Please wait for a moment.
Info: Succeeded in activating the License file on the master board.

Run the display license command to view information about the license file.
<Quidway> display license
Info: Active License on master board: flash:/license.dat
R&D of Huawei Technologies Co., Ltd.
Product name      : AC6605
Product version   : V200R001
License Serial No : LIC20120423008110
Creator           : Huawei Technologies Co., Ltd.
Created Time      : 2012-04-23 14:31:53
Feature name      : ACCESS
Authorize type    : DEMO
Expired date      : 2012-07-01
Trial days        : 60
Configure items :
Item name : H85SWLANAC00
value : 1024

Run the display license state command to check information about the activated license.
<Quidway> display license state
Info: Master board license state: Trial. The remain days is 59.


12 Configuration Guide - WLAN

About This Chapter


This document describes the WLAN configuration procedures and provides configuration
examples.
12.1 Precautions for the Configuration
This section describes prerequisites for configuring the WLAN service and configuration notes.
12.2 WLAN Service Configuration
You can configure the WLAN service to enable users to easily access a wireless network and
move around within the coverage of the wireless network.
12.3 WLAN Security Configuration
Because wireless local area network (WLAN) technology uses radio signals to transmit service data, service data can easily be intercepted or tampered with by attackers while it is transmitted on open wireless channels. WLAN security can be configured to protect WLAN networks against attacks and to secure the information and services of authorized users.
12.4 Radio Resource Management
Radio resource management enables a WLAN to adapt to changes in the radio environment by
dynamically adjusting radio resources. This improves service quality for wireless users.
12.5 WLAN Reliability Configuration
This chapter describes the WLAN reliability configuration, involving dual-link backup, service
holding upon CAPWAP link disconnection, and channel switching without service interruption.
12.6 Roaming Configuration
Roaming allows a STA to move from an AP to another AP in the same ESS on a WLAN network
with nonstop service transmission.
12.7 WLAN QoS Configuration
WLAN QoS enables network administrators to plan and allocate network resources based on
service characteristics, meeting user requirements and improving network usage.
12.8 WDS Configuration
This chapter describes WLAN Wireless Distribution System (WDS) configurations. Different
from APs on a traditional WLAN, APs on a WDS network are connected in wireless mode and
can set up multi-hop wireless links.

12.1 Precautions for the Configuration


This section describes prerequisites for configuring the WLAN service and configuration notes.

VLAN Deployment
Packets transmitted on a WLAN include management packets and service data packets.
- Management packets must be forwarded through Control And Provisioning of Wireless Access Points (CAPWAP) tunnels.
- Service data packets can be forwarded directly or through CAPWAP tunnels.

In practice, management packets and service data packets must have different VLANs configured. That is, management packets must have management VLANs configured, and service data packets must have service VLANs configured.
- Management VLAN: transmits packets that are forwarded through CAPWAP tunnels, including management packets and service data packets forwarded through CAPWAP tunnels.
- Service VLAN: transmits service data packets.

NOTE
In tunnel forwarding mode, the management VLAN and the service VLAN must be different.

The following describes the forwarding process of management and service data packets. Here, VLAN m and VLAN m' represent management VLANs, while VLAN s and VLAN s' represent service VLANs.
- When an AP connects to an AC through a Layer 2 network, VLAN m is the same as VLAN m', and VLAN s is the same as VLAN s'.
- When an AP connects to an AC through a Layer 3 network, VLAN m is different from VLAN m', and VLAN s is different from VLAN s'.
- Figure 12-1 shows the process of forwarding management packets through CAPWAP tunnels.
  Figure 12-1 Forwarding management packets through CAPWAP tunnels
  [Figure: frame format at each hop between the AP, the switch, and the AC: 802.3 | (VLAN m) | UDP/IP | CAPWAP | Payload. VLAN m, VLAN m': management VLAN]


  In Figure 12-1:
  In the uplink direction (from the AP to the AC): When receiving management packets, the AP encapsulates the packets in CAPWAP packets. The switch tags the packets with VLAN m. The AC decapsulates the CAPWAP packets and removes the tag VLAN m'.
  In the downlink direction (from the AC to the AP): When receiving downstream management packets, the AC encapsulates the packets in CAPWAP packets and tags them with VLAN m'. The switch removes the tag VLAN m from the packets. The AP decapsulates the CAPWAP packets.
- Figure 12-2 shows the process of directly forwarding service data packets.
  Figure 12-2 Forwarding service data packets directly

  [Figure: frame format at each hop between the STA, the AP, the switch, and the Internet: 802.11 | Payload on the air, 802.3 | VLAN s | Payload on the wire. VLAN s, VLAN s': service VLAN]


In Figure 12-2, service data packets are not encapsulated in CAPWAP packets.
In the uplink direction (from the STA to the Internet): When upstream service data
packets in 802.11 format are sent from the STA to the AP, the AP converts the packets
into 802.3 packets, tags the packets with VLAN s, and forwards the packets to the
destination.
In the downlink direction (from the Internet to the STA): When downstream service
data packets in 802.3 format reach the AP (the packets are tagged with VLAN s' by
upstream devices), the AP converts the 802.3 packets into 802.11 packets and forwards
them to the STA.
- Figure 12-3 shows the process of forwarding service data packets through CAPWAP tunnels.
  Figure 12-3 Forwarding service data packets through CAPWAP tunnels

  [Figure: frame format at each hop between the STA, the AP, the switch, the AC, and the Internet. On the air: 802.11 | Payload. Between the AP and the AC: 802.3 | VLAN m | UDP/IP | CAPWAP | 802.3 | VLAN s | Payload (untagged on the AP-switch link). Between the AC and the Internet: 802.3 | VLAN s | Payload. VLAN m, VLAN m': management VLAN; VLAN s: service VLAN]
In Figure 12-3, service data packets are encapsulated in CAPWAP packets and transmitted
through CAPWAP data tunnels.
In the uplink direction (from the STA to the Internet): When upstream service data
packets in 802.11 format are sent from the STA to the AP, the AP converts the packets
into 802.3 packets, tags the packets with VLAN s, and encapsulates them in CAPWAP
packets. The upstream switch tags the packets with VLAN m. The AC decapsulates the
CAPWAP packets and removes the tag VLAN m' from the packets.
In the downlink direction (from the Internet to the STA): When downstream service
data packets reach the AC, the AC encapsulates the packets in CAPWAP packets, allows
the packets carrying VLAN s to pass through, and tags the packets with VLAN m'. The
switch removes VLAN m from the packets. The AP decapsulates the CAPWAP packets,
removes VLAN s, converts the 802.3 packets into 802.11 packets, and forwards them
to the STA.
Management VLAN tag VLAN m is the outer tag of CAPWAP-encapsulated packets. The
intermediate devices between the AC and AP only need to transparently transmit VLAN
m and do not need to be configured with VLAN s encapsulated in the CAPWAP packets.
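The tunnel forwarding path of Figure 12-3, modelled hop by hop as an added example; this is not Huawei code and not part of the configuration guide. The Ethernet/802.1Q layouts follow IEEE 802.3/802.1Q and the 8-byte CAPWAP data header follows RFC 5415, while the IPv4/UDP headers are minimal (checksums left zero); VLAN IDs 100 and 101 and all MAC and IP addresses are constructed sample values.

```python
import struct

# Added example: byte-level model of the tunnel forwarding path in Figure 12-3.
# Not Huawei code. VLAN IDs, MAC and IP addresses below are constructed samples.
ETHERTYPE_VLAN = 0x8100
ETHERTYPE_IPV4 = 0x0800
CAPWAP_DATA_PORT = 5247          # CAPWAP data channel UDP port (RFC 5415)
MGMT_VLAN = 100                  # VLAN m: management VLAN, outer tag
SERVICE_VLAN = 101               # VLAN s: service VLAN, inner tag

AP_MAC, AC_MAC = bytes.fromhex("0025aa000001"), bytes.fromhex("0025aa0000ac")
STA_MAC, GW_MAC = bytes.fromhex("0025aa0000e1"), bytes.fromhex("0025aa0000f1")
AP_IP, AC_IP = bytes([10, 0, 100, 10]), bytes([10, 0, 100, 1])

def eth_frame(dst, src, ethertype, payload, vlan=None):
    """Build an 802.3 frame; if vlan is given, insert an 802.1Q tag (PCP 0, DEI 0)."""
    hdr = dst + src
    if vlan is not None:
        hdr += struct.pack("!HH", ETHERTYPE_VLAN, vlan & 0x0FFF)
    return hdr + struct.pack("!H", ethertype) + payload

def parse_eth(frame):
    """Return (dst, src, vlan_id or None, ethertype, payload) of an 802.3 frame."""
    dst, src = frame[:6], frame[6:12]
    etype, off = struct.unpack("!H", frame[12:14])[0], 14
    vlan = None
    if etype == ETHERTYPE_VLAN:
        vlan = struct.unpack("!H", frame[14:16])[0] & 0x0FFF
        etype, off = struct.unpack("!H", frame[16:18])[0], 18
    return dst, src, vlan, etype, frame[off:]

def capwap_data_header():
    """8-byte CAPWAP header (RFC 5415 4.3): version 0, type 0, HLEN 2 words,
    RID 0, WBID 1 (IEEE 802.11), T=0 so the payload is a native 802.3 frame."""
    hlen, rid, wbid = 2, 0, 1
    return struct.pack("!II", (hlen << 19) | (rid << 14) | (wbid << 9), 0)

def capwap_payload(capwap):
    """Skip the CAPWAP header using its HLEN field (length in 4-byte words)."""
    hlen = ((struct.unpack("!I", capwap[:4])[0] >> 19) & 0x1F) * 4
    return capwap[hlen:]

def ipv4_udp(src_ip, dst_ip, payload):
    """Wrap payload in minimal IPv4 + UDP headers (checksums left zero in this model)."""
    udp = struct.pack("!HHHH", CAPWAP_DATA_PORT, CAPWAP_DATA_PORT, 8 + len(payload), 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28 + len(payload), 0, 0x4000,
                     64, 17, 0, src_ip, dst_ip)
    return ip + udp + payload

def strip_ipv4_udp(packet):
    """Remove IPv4 + UDP headers after checking this is CAPWAP data; return the payload."""
    ihl = (packet[0] & 0x0F) * 4
    dport, ulen = struct.unpack("!HH", packet[ihl + 2:ihl + 6])
    if packet[9] != 17 or dport != CAPWAP_DATA_PORT:
        raise ValueError("not a CAPWAP data packet")
    return packet[ihl + 8:ihl + ulen]

# Uplink (Figure 12-3, STA -> AP -> switch -> AC)
def ap_uplink(sta_payload):
    """AP: 802.11 -> 802.3, tag VLAN s, encapsulate in CAPWAP/UDP/IP, send untagged."""
    inner = eth_frame(GW_MAC, STA_MAC, ETHERTYPE_IPV4, sta_payload, vlan=SERVICE_VLAN)
    outer_payload = ipv4_udp(AP_IP, AC_IP, capwap_data_header() + inner)
    return eth_frame(AC_MAC, AP_MAC, ETHERTYPE_IPV4, outer_payload)

def switch_uplink(frame):
    """Switch: tag the outer frame with VLAN m; it never looks inside CAPWAP."""
    dst, src, vlan, etype, payload = parse_eth(frame)
    if vlan is not None:
        raise ValueError("expected an untagged frame from the AP")
    return eth_frame(dst, src, etype, payload, vlan=MGMT_VLAN)

def ac_uplink(frame):
    """AC: check and remove VLAN m', strip IP/UDP/CAPWAP, return inner frame with VLAN s."""
    _, _, vlan, _, packet = parse_eth(frame)
    if vlan != MGMT_VLAN:
        raise ValueError(f"outer tag {vlan} is not the management VLAN")
    return capwap_payload(strip_ipv4_udp(packet))

# Downlink (Figure 12-3, AC -> switch -> AP -> STA)
def ac_downlink(inner_frame):
    """AC: let the VLAN s tag through, encapsulate in CAPWAP/UDP/IP, tag with VLAN m'."""
    outer_payload = ipv4_udp(AC_IP, AP_IP, capwap_data_header() + inner_frame)
    return eth_frame(AP_MAC, AC_MAC, ETHERTYPE_IPV4, outer_payload, vlan=MGMT_VLAN)

def switch_downlink(frame):
    """Switch: remove VLAN m before the frame leaves the AP-facing port."""
    dst, src, vlan, etype, payload = parse_eth(frame)
    if vlan != MGMT_VLAN:
        raise ValueError("frame is not in the management VLAN")
    return eth_frame(dst, src, etype, payload)

def ap_downlink(frame):
    """AP: decapsulate CAPWAP, remove VLAN s, return (service_vlan, payload) for 802.11."""
    _, _, vlan, _, packet = parse_eth(frame)
    if vlan is not None:
        raise ValueError("switch should have removed VLAN m")
    _, _, svlan, _, payload = parse_eth(capwap_payload(strip_ipv4_udp(packet)))
    return svlan, payload
```

Running the round trip shows why only VLAN m has to exist on the intermediate switch: at every hop between the AP and the AC, parse_eth sees VLAN m (or no tag) on the outside, and VLAN s only appears once the CAPWAP payload is opened.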
In WLAN networking, management VLANs and service VLANs must be properly planned. The
following assumes that an AP connects to an AC through a Layer 2 network.


- In Figure 12-4, to implement direct forwarding, ensure that the AP can exchange management VLAN packets with the AC and exchange service VLAN packets with upstream devices.
  Figure 12-4 VLAN deployment in direct forwarding mode
  [Figure: STA, AP, SW1, SW2, AC, and the Internet. The AP and the AC exchange management packets over a CAPWAP tunnel in VLAN100; data packets travel in VLAN101 from the AP through SW1 and SW2 to the Internet. Management VLAN: VLAN100; Service VLAN: VLAN101]
- In Figure 12-5, to implement tunnel forwarding, ensure that the AP can exchange management VLAN packets with the AC and the AC can exchange service VLAN packets with upstream devices.
  Figure 12-5 VLAN deployment in tunnel forwarding mode
  [Figure: STA, AP, SW1, SW2, AC, and the Internet. Management packets and data packets travel together in the CAPWAP tunnel in VLAN100 from the AP through SW1 to the AC; the AC forwards data packets in VLAN101 through SW2 to the Internet. Management VLAN: VLAN100; Service VLAN: VLAN101]

APs Supported by the Device
- APs mentioned in this document are Huawei AP products. You are advised to use Huawei APs to connect to the AC.
- You can run the display ap-type command to check the default AP types supported by the device.
- If an AP that needs to connect to the AC is not within the default AP types supported by the device, run the ap-type command to add the AP type so that the AP can connect to the AC.

AC Wired Side and Wireless Side


The AC has the wired side and wireless side. Figure 12-6 shows the interfaces that connect the
wired side and wireless side. For details about the login modes on the wired side and wireless
side, see 11.1 Configuring User Login.

Figure 12-6 Interfaces connecting the wired side and wireless side
[Figure: the AC wired side is reached through XGE0/0/27 and the AC wireless side through XGE0/0/1]

License Support
To use the WLAN AC function, apply for and purchase a license from the agent according to the device model:
- AP resource license-16AP for WLAN access controller
- AP resource license-64AP for WLAN access controller
- AP resource license-128AP for WLAN access controller

12.2 WLAN Service Configuration


You can configure the WLAN service to enable users to easily access a wireless network and
move around within the coverage of the wireless network.

12.2.1 Overview
Compared with a wired local area network (LAN), a wireless LAN (WLAN) is easier to deploy and has lower maintenance costs. One or more APs can provide wireless access for an area.
Wired LANs use cables or optical fibers as transmission media, which are expensive and fixed in location. As requirements on network mobility increased, wired LANs could no longer meet them, and WLAN technology was developed. Currently, WLAN has become a cost-efficient network access mode. WLAN technology allows you to easily access a wireless network and move around within its coverage.
A WLAN has a wired side and a wireless side. On the wired side, an AP connects to the Internet using Ethernet. On the wireless side, a STA communicates with an AP using 802.11. In this configuration guide, the device functions as an Access Controller (AC) and uses the centralized architecture.

Centralized Architecture
In centralized architecture, an AC manages and controls multiple APs (Fit APs) in centralized
manner, as shown in Figure 12-7.


Figure 12-7 WLAN centralized architecture
[Figure: Fit APs serving STAs connect over CAPWAP to an AC on the campus network; the campus network also hosts a DNS server, a DHCP server, and an NMS, and reaches the Internet through the campus egress gateway]

In centralized architecture, APs work with an AC to implement wireless access.
- The AC implements all security, control, and management functions, including mobile user management, identity authentication, VLAN assignment, radio management, and data forwarding.
- Fit APs implement wireless radio access, including radio signal transmission and detection response, data encryption and decryption, and data transmission acknowledgment.
- The AC and APs communicate using Control and Provisioning of Wireless Access Points (CAPWAP). They can be connected across a Layer 2 or Layer 3 network.

The centralized architecture applies to enterprise networks and carrier networks because it allows centralized management and maintenance. The centralized architecture is used in the following sections.

Concepts
The WLAN feature involves the following concepts:
- Station (STA): a terminal that supports 802.11 standards, such as a PC that has a wireless NIC or a mobile phone that supports WLAN.
- Radio signal: a high-frequency electromagnetic wave that has long-distance transmission capabilities. Radio signals provide transmission media for 802.11-compliant WLANs. Radio signals described in this document are electromagnetic waves in the 2.4 GHz or 5 GHz frequency band.
- Access point (AP): a device that provides 802.11-compliant wireless access for STAs to connect wired networks to wireless networks. APs fall into two categories:
  Fat AP: provides wireless access for STAs in the autonomous architecture. A Fat AP provides wireless connection, security, and management functions.
  Fit AP: provides wireless access for STAs in the centralized architecture. A Fit AP provides only reliable, high-performance wireless connection and depends on an access controller (AC) to provide other functions.

Issue 04 (2013-06-15)

AC: a device that controls and manages all the APs on a WLAN in the centralized
architecture. For example, an AC can connect to an authentication server to authenticate
WLAN users.
Huawei Proprietary and Confidential
Copyright Huawei Technologies Co., Ltd.

1947

AC6605 Access Controller


Configuration Guide

12 Configuration Guide - WLAN

- Control And Provisioning of Wireless Access Points (CAPWAP): an encapsulation and transmission mechanism defined in RFC 5415 to implement communication between APs and ACs.
- Virtual access point (VAP): a WLAN service entity on an AP. You can create different VAPs on an AP to provide wireless access service for different user groups.
- AP region: a collection of APs. AP regions are configured based on AP deployment on enterprise networks. Generally, a region maps a hotspot.
- Service set identifier (SSID): a unique identifier that identifies a wireless network. When you search for available wireless networks on your laptop, SSIDs are displayed to identify the available wireless networks.
  SSIDs are classified into two types:
  Basic service set identifier (BSSID): a link-layer MAC address of a VAP on an AP. Figure 12-8 shows the relationship between VAP and BSSID.
  Figure 12-8 Relationship between VAP and BSSID
  [Figure: one AP with VAP1 (SSID: guest, BSSID: 0025.9e45.24a0) and VAP2 (SSID: internal, BSSID: 0025.9e45.24a9); STA1 joins the guest network and STA2 joins the internal network]
  Extended service set identifier (ESSID): an identifier of one or a group of wireless networks. For example, in Figure 12-8, SSID guest identifies a wireless network, and SSID internal identifies another wireless network. A STA scans all wireless networks and selects a wireless network based on the SSID. Generally, an SSID refers to an ESSID.
  NOTE
  Multiple APs can use one ESSID to provide roaming service for users; however, their BSSIDs must be unique because the MAC address of each AP is unique.
- Basic service set (BSS): an area covered by an AP. STAs in a BSS can communicate with each other.
- Extended service set (ESS): a group of BSSs that share the same SSID.
  Figure 12-9 shows the relationship between SSID, BSSID, BSS, and ESS.


Figure 12-9 Relationship between SSID, BSSID, BSS, and ESS
[Figure: one ESS containing two BSSs; AP1 (BSSID 0025.9e45.24a0) and AP2 (BSSID 0025.9e45.3100) both use SSID huawei]

12.2.2 Default Configuration

This section provides the default WLAN service configuration.
Table 12-1 Default WLAN service configuration

| Parameter              | Default Setting    |
| Country code           | CN (China)         |
| AP authentication mode | MAC authentication |
| AP region              |                    |
| AP profile             | ap-profile-0       |
| Data forwarding mode   | Direct forwarding  |

12.2.3 Configuration Process

This section describes the process for configuring the WLAN service.

Context
Table 12-2 shows the WLAN service configuration process.
Table 12-2 WLAN service configuration process

| No. | Task | Description | Remarks |
| 1 | 12.2.4 Configuring AC System Parameters | Ensure that radio parameters (channel and power) of an AP that associates with an AC comply with local laws and regulations. | Tasks 1, 2, and 3 must be performed in sequence. |
| 2 | 12.2.5 Managing APs on the AC | Connect the AP to an AC correctly. | |
| 3 | 12.2.6 Configuring the WLAN Service VAP | Provide differentiated WLAN services for users. | |

12.2.4 Configuring AC System Parameters


You can configure AC system parameters to identify an AC and ensure that radio parameters
(channel and power) of an AP that associates with the AC comply with local laws and regulations.

Pre-Configuration Tasks
Before configuring AC system parameters, complete the following task:
- 11.1 Configuring User Login

Configuration Process
The configuration tasks are mandatory and can be performed in any sequence. The AC function
takes effect only when all configuration tasks are completed.

Configuring Country Codes


Context
A country code identifies the country to which AP radios belong. Different countries support different AP radio attributes, including the transmit power and supported channels.
When configuring country codes, consider the following scenarios:
- If an AC manages APs that are deployed in the same country, the AC only needs to have a global country code configured.
- If an AC manages APs that are deployed in different countries, the AC needs to have a country code configured in the WLAN view and a country code configured in the AP region view. You can configure country codes in different AP region views to enable APs in different countries to comply with local radio requirements. As shown in Figure 12-10, the AC manages APs in AP region 1 in Country 1 and APs in AP region 2 in Country 2. The country code of Country 1 needs to be configured in the WLAN view, and the country code of Country 2 needs to be configured in the view of AP region 2.


Figure 12-10 Multiple country codes

(Figure not reproduced. It shows an NM platform and the AC at the enterprise HQ, behind a switch,
managing the APs of AP region 1 in Country 1 and, across the Internet, the APs of AP region 2 at an
enterprise branch in Country 2; a PC sits on the branch network and STAs are associated with the APs.)

NOTE

- When configuring an AC for the first time, configure a correct global country code to comply with
local laws and regulations.
- If country codes are configured in both the WLAN view and AP region view, the country code
configured in the AP region view takes effect. If no country code is configured in the AP region view,
the country code configured in the WLAN view takes effect.
- An AP has a preconfigured country code before delivery. To enable an AP to connect to an AC, ensure
that the AP and AC have the same country code.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
wlan ac-global country-code country-code

A global country code is configured for the AC.


Changing a country code will delete related VAPs.
By default, the global country code of an AC is CN.
NOTE

For details about country codes, see wlan ac-global country-code.

Step 3 (Optional) Configure a country code in the AP region view.


1.

Run:
wlan

The WLAN view is displayed.


2.

Run:
ap-region id region-id

The AP region view is displayed.


NOTE

The AP region must have been created. For details on how to configure an AP region, see Configuring
an AP Region.

3.

Run:
country-code country-code

A country code is configured in the AP region view.


By default, no country code is configured in the AP region view.
----End

Configuring an AC Identifier
Context
An AC's identifiers include the carrier ID, AC ID, and AC network element name.
Carrier IDs can identify ACs of different carriers, and AC IDs can identify ACs of the same
carrier. When deploying a WLAN, use an AC ID and a carrier ID to identify an AC and facilitate
AC maintenance and management.
Each AC is a network element. You can configure network element names for ACs so that the
ACs can be identified by an NMS.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
wlan ac-global { ac id ac-id | carrier id { cmcc | ctc | cuc | other } }

A carrier ID and an AC ID are configured for the AC.


By default, no carrier ID or AC ID is configured for an AC.
----End

Configuring a Source Interface


Context
Before an AP establishes a CAPWAP tunnel with an AC, a source interface must be specified
for the AC.
You can specify a VLANIF or loopback interface on the device as the AC source interface:
- VLANIF interface: applies to the scenario where the APs that associate with the AC belong
to the same management VLAN.
- Loopback interface: applies to the scenario where the APs that associate with the AC belong
to different management VLANs. When the APs belong to multiple management VLANs,
the AC must have multiple VLANIF interfaces configured. If one of the VLANIF interfaces
is specified as the source interface, all the APs cannot go online when that source interface
fails. A loopback interface remains Up after being created. When a loopback interface is
used as the source interface and a VLANIF interface becomes faulty, only the APs that
connect through that VLANIF interface cannot go online.

Specify a VLANIF interface as the source interface.

Procedure
1.

Run:
system-view

The system view is displayed.


2.

Run:
vlan vlan-id

A VLAN is created.
NOTE

The created VLAN is a management VLAN.

3.

Run:
quit

Exit from the VLAN view.


4.

Run:
interface vlanif vlan-id

A VLANIF interface is created and the VLANIF interface view is displayed.


5.

Run:
ip address ip-address { mask | mask-length }

An IP address and a subnet mask are configured for the VLANIF interface.
6.

Run:
quit

Exit from the VLANIF interface view.


7.

Run:
wlan

The WLAN view is displayed.


8.

Run the wlan ac source interface vlanif vlan-id command to specify the VLANIF
interface as the source interface of the CAPWAP tunnel established between the AP
and AC.
NOTE

If a source interface has been configured on the device, you must run the undo wlan ac source
interface command first before configuring a new source interface.
After the undo wlan ac source interface command is executed, all APs get offline on the AC.
Therefore, exercise caution before running the command.


Specify a loopback interface as the source interface.


1.

Run:
system-view

The system view is displayed.


2.

Run:
interface loopback loopback-number

A loopback interface is created and the loopback interface view is displayed.


3.

Run:
ip address ip-address { mask | mask-length }

An IP address and a subnet mask are configured for the loopback interface.
NOTE

The IP address of a loopback interface must use a 32-bit mask.

4.

Run:
quit

Exit from the loopback interface view.


5.

Run:
wlan

The WLAN view is displayed.


6.

Run the wlan ac source interface loopback loopback-number command to specify
the loopback interface as the source interface of the CAPWAP tunnel established
between an AP and the AC.
NOTE

If a source interface has been configured on the device, you must run the undo wlan ac source
interface command first before configuring a new source interface.
After the undo wlan ac source interface command is executed, all APs get offline on the AC.
Therefore, exercise caution before running the command.

----End

(Optional) Configuring a Network Element Name


Context
A network element is a physical device or service unit on the network topology. Each AC is a
network element.
You can configure network element names for ACs so that the ACs can be identified by an NMS.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
wlan


The WLAN view is displayed.


Step 3 Run:
ac sysnetid ac-sysnetid

A network element name is configured for the AC.


By default, no network element name is configured for an AC.
----End

Checking the Configuration


Procedure
- Run the display wlan ac-global command to check AC system parameters.
- Run the display ap-region id region-id command to check the country code configured in
the specified AP region view.
- Run the display wlan ac source interface command to check the AC source interface.

----End

12.2.5 Managing APs on the AC


An AC determines whether to allow APs to access a WLAN and configures AP parameters and
AP regions for APs so that APs can go online.

Pre-Configuration Tasks
Before configuring the AC to manage APs, complete the following tasks:
- Configuring Layer 2 or Layer 3 interworking between APs and the AC
- (Optional) Configuring a DHCP server to allocate IP addresses to APs and STAs
- 12.2.4 Configuring AC System Parameters

NOTE

For details on how to configure a DHCP server, see DHCP Configuration. To use a DHCP server to
assign IP addresses to APs and STAs, configure the AC as the DHCP server or use an independent
DHCP server.
- When an enterprise branch has no independent DHCP server, configure an AC as the DHCP
server.
- An independent DHCP server applies to large WLANs of large- and medium-sized campus
networks.
A service DHCP address pool assigns IP addresses to STAs, and a management DHCP address pool
assigns IP addresses to APs. The two types of DHCP address pools must be configured separately.
If the device functions as a DHCP server to assign IP addresses to APs, and the AC and APs are in
different network segments, run either of the following commands to specify the AC's IP address for the
APs.
- option 43 hex hex-string
- option 43 sub-option 3 { ascii ascii-string | hex hex-string }
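The two option 43 forms above hand the AC address to APs inside DHCP's vendor-specific option. The following Python is an added example and is not part of this guide or of Huawei's software: it builds the hex-string for the first form by wrapping the AC address, as the dotted-decimal ASCII text that the sub-option 3 ascii form takes, in an RFC 2132 code/length/value sub-option with code 3, and it parses such a string back so that the value a DHCP server is actually handing out can be checked. That the AC reads its address from sub-option 3 as ASCII text is an assumption drawn from the command forms listed here; the address 10.1.1.1 is a constructed sample.

```python
import ipaddress
from typing import Dict

# RFC 2132 section 8.4, "encapsulated vendor-specific options": each sub-option
# is <code><length><value>; code 0 is a pad byte and code 255 ends the list.
PAD, END = 0, 255


def encode_suboption(code: int, value: bytes) -> bytes:
    """Return one code/length/value triple for DHCP option 43."""
    if not 1 <= code <= 254:
        raise ValueError("sub-option code must be 1..254 (0 and 255 are reserved)")
    if len(value) > 255:
        raise ValueError("sub-option value does not fit the one-byte length field")
    return bytes([code, len(value)]) + value


def option43_hex_for_ac(ac_ip: str) -> str:
    """Hex string for 'option 43 hex <hex-string>' carrying the AC address in sub-option 3.

    Assumption: the AC expects its address as dotted-decimal ASCII text in
    sub-option 3, which is what the 'sub-option 3 ascii' command form suggests.
    """
    addr = ipaddress.IPv4Address(ac_ip)  # AddressValueError (a ValueError) on bad input
    return encode_suboption(3, str(addr).encode("ascii")).hex().upper()


def decode_option43(hex_string: str) -> Dict[int, bytes]:
    """Parse an option 43 payload into {code: value}, rejecting truncated sub-options."""
    data = bytes.fromhex(hex_string)
    out: Dict[int, bytes] = {}
    i = 0
    while i < len(data):
        code = data[i]
        if code == PAD:
            i += 1
            continue
        if code == END:
            break
        if i + 1 >= len(data):
            raise ValueError("truncated sub-option header")
        length = data[i + 1]
        value = data[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"sub-option {code} declares {length} bytes, {len(value)} present")
        out[code] = value
        i += 2 + length
    return out


def ac_address_from_option43(hex_string: str) -> str:
    """Extract and validate the AC address carried in sub-option 3."""
    subs = decode_option43(hex_string)
    if 3 not in subs:
        raise ValueError("sub-option 3 (AC address) is not present")
    return str(ipaddress.IPv4Address(subs[3].decode("ascii")))


if __name__ == "__main__":
    blob = option43_hex_for_ac("10.1.1.1")  # constructed AC address
    print(blob)
    print(ac_address_from_option43(blob))
```

The decoder is the half worth keeping around: after configuring the pool, capture one DHCP offer sent to an AP and feed the raw option 43 bytes to decode_option43 to confirm the APs are being pointed at the intended AC and nothing else.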

Configuration Process
The following configuration tasks must be performed in sequence: (Optional) Adding AP
Types, (Optional) Configuring CAPWAP Tunnel Parameters, (Optional) Configuring
Automatic Upgrade When APs Go Online, Adding APs, Configuring AP Regions,
Configuring an AP Profile and Binding It to an AP, and Configuring the Data Forwarding
Mode. The other configuration tasks can be performed in any sequence.

(Optional) Adding AP Types


Context
Only APs of the device types supported by an AC can connect to the AC. You can run the
display ap-type all command to view the list of AP types supported by an AC. If the APs to be
added are not specified in the list, add these AP types.
NOTE

If some AP types are preconfigured on an AC before delivery, modifying attributes of these APs is not
allowed. These attributes include the maximum number of access users, antenna gain, number of wired-side
interfaces, and number and type of radios on the APs.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
wlan

The WLAN view is displayed.


Step 3 (Optional) Run:
display ap-type all

The list of AP types supported by the AC is displayed. You can check whether the AP types to
be added are specified in the list.
Step 4 Run:
ap-type { id type-id | type ap-type }

An AP type is added and the AP type view is displayed.


NOTE

Before adding an AP type, specify type ap-type. Otherwise, the AP type cannot be added.

Step 5 (Optional) Run:


type-desc type-desc

The AP type description is configured.


By default, the AP type description is ap-type-type-id. For example, if the added AP type ID is
201, the AP type description is ap-type-201.
Step 6 (Optional) Run:
max-sta-num max-sta-num

The maximum number of access users is configured.



By default, a maximum of 128 access users are allowed on an AP.


Step 7 (Optional) Run:
antenna-gain antenna-gain

The antenna gain is configured.


By default, the antenna gain of an AP is 0 dB.
Step 8 (Optional) Run:
lineate-port number lineate-port-num

The number of wired-side interfaces is configured.


By default, an AP supports eight wired-side interfaces.
NOTE

Currently, AP types preconfigured on an AC before delivery support only one wired-side interface.

Step 9 (Optional) Run:


lineate-port { port0-type | port1-type | port2-type | port3-type | port4-type |
port5-type | port6-type | port7-type } port-type

The wired-side interface type is configured.


By default, the wired-side interface type is FE.
Step 10 (Optional) Run:
radio number radio-num

The number of radios is configured.


By default, an AP supports four radios.
Step 11 Run:
radio { radio0-type radio-type | radio1-type radio-type | radio2-type radio-type |
radio3-type radio-type } *

The radio type is configured.


By default, the radio type on an AP is 802.11a.
Step 12 Run:
radio { radio0-max-spatial-streams max-spatial-streams | radio1-max-spatial-streams max-spatial-streams | radio2-max-spatial-streams max-spatial-streams |
radio3-max-spatial-streams max-spatial-streams } *

The maximum number of spatial streams on a radio is configured.


By default, an AP radio supports only one spatial stream.
When an AP sends information to a STA, the AP divides the data flow into multiple spatial
streams. Each spatial stream is sent through a different antenna to ensure higher data transmission
rate and larger coverage area.
Step 13 Run:
radio { radio0-max-antennas { smart-antenna-array | max-antennas } | radio1-max-antennas { smart-antenna-array | max-antennas } | radio2-max-antennas { smart-antenna-array | max-antennas } | radio3-max-antennas { smart-antenna-array | max-antennas } } *

The maximum number of antennas on a radio is configured.



By default, an AP radio has only one antenna.


Step 14 Run:
radio { radio0-max-vap radio-max-vap | radio1-max-vap radio-max-vap | radio2-max-vap radio-max-vap | radio3-max-vap radio-max-vap } *

The maximum number of VAPs on a radio is configured.


By default, an AP radio supports a maximum of eight VAPs.
----End

(Optional) Configuring CAPWAP Tunnel Parameters


Context
After an AP is powered on and obtains an AC IP address, the AP begins to establish CAPWAP
tunnels with the AC. CAPWAP tunnels include control tunnels and data tunnels.
The AC sends management packets through CAPWAP control tunnels to manage APs in a
centralized manner. To improve link reliability and prevent CAPWAP control tunnels from
being terminated when the service traffic volume is high, configure a high priority for CAPWAP
management packets.
CAPWAP tunnels use Datagram Transport Layer Security (DTLS) encryption mechanism and
heartbeat detection mechanism to ensure security:
- DTLS encryption mechanism: When the AP establishes CAPWAP tunnels with the AC,
the AP determines whether to perform DTLS negotiation with the AC. The DTLS protocol
can be used to encrypt packets exchanged between the AP and AC to ensure management
packet integrity and privacy. Currently, the device can only encrypt management packets
using the pre-shared key (PSK).
- Heartbeat detection mechanism: The AP and AC periodically exchange Echo packets to
determine whether the control tunnel is working properly and periodically exchange
Keepalive packets to determine whether the data tunnel is working properly. If the AP or
AC does not receive any response from each other after Echo or Keepalive packets are sent
for the specified number of times, the AP and AC consider that the control or data tunnel
is terminated. The tunnel needs to be re-established.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
wlan

The WLAN view is displayed.


Step 3 Configure CAPWAP tunnel parameters as required.

Procedure: Configure the priority of CAPWAP management packets.
Command: capwap control-priority { ac | ap } priority-value
Description: By default, the priority value of CAPWAP management packets is 7.
NOTE: A larger priority value indicates a higher priority and link reliability. The default
value 7 is recommended.

Procedure: Configure DTLS encryption.
  Enable DTLS encryption for control tunnels.
  Command: control-link dtls encrypt
  Description: By default, DTLS encryption is disabled for control tunnels.

  Allow the AP to establish a DTLS session with the AC using the default PSK.
  Command: dtls default-key { enable | disable }
  Description: By default, an AP uses the default PSK to establish a DTLS session with the AC.

  Configure the PSK used for DTLS encryption.
  Command: dtls psk { simple | cipher } psk-value
  Description: By default, no PSK is configured for DTLS encryption of management packets.

An AP can use a default or configured PSK to establish a DTLS session with an AC. If an AP is
allowed to use the default PSK to establish a DTLS session with an AC, and a PSK is configured
for DTLS encryption, the following situations occur:
- The AP uses the default PSK during login and uses the configured PSK for re-login after
being restarted.
- When the AP and AC have different PSKs, the AP uses the default PSK to establish a DTLS
session with the AC after three consecutive attempts to establish a DTLS session.
CAUTION: When an AP rolls back from V200R002 to V200R001, disable DTLS encryption on the
AC. Otherwise, the AP cannot go online.

Procedure: Set the CAPWAP heartbeat detection mechanism.
  Configure the heartbeat detection interval.
  Command: capwap keep-alive interval interval-value
  Description: By default, the CAPWAP heartbeat detection interval is 25s.

  Configure the number of CAPWAP heartbeat detections.
  Command: capwap keep-alive times times-value
  Description: By default, a maximum number of six CAPWAP heartbeat detections can be
  performed. If dual-link backup is enabled, a maximum of three CAPWAP heartbeat detections
  can be performed.

----End

(Optional) Configuring Automatic Upgrade When APs Go Online


Context
In automatic upgrade mode, an AP checks whether its version is the same as that configured on
the AC, SFTP server, or FTP server during login. If the two versions are different, the AP
upgrades its version, restarts, and goes online again. If the two versions are the same, the AP
does not upgrade its version.
Table 12-3 lists the automatic upgrade modes supported by APs.
Table 12-3 AP automatic upgrade modes

Upgrade Mode: AC mode
Function: An AP downloads the upgrade file from an AC.
Scenario: This mode applies to the scenario where a small number of APs need to go online.

Upgrade Mode: FTP mode
Function: An AP downloads the upgrade file from an FTP server.
Scenario: This mode applies to the scenario where high network security is not required in file
transmission. In FTP mode, data is transmitted in plain text, bringing potential security risks.
There is no limitation on the number of APs that can simultaneously download the upgrade file.

Upgrade Mode: SFTP mode
Function: An AP downloads the upgrade version file from an SFTP server.
Scenario: This mode applies to the scenario demanding high network security. In SFTP mode, data
is encrypted, ensuring data integrity and privacy. There is no limitation on the number of APs
that can simultaneously download the upgrade file.

NOTE

If multiple APs are upgraded simultaneously in AC mode, the upgrade takes a long time and many AC
resources are consumed. To reduce service interruption caused by AP upgrade, the FTP or SFTP mode is
recommended.

Prerequisites
The AP version file has been uploaded to the AC, SFTP server, or FTP server.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
wlan

The WLAN view is displayed.


Step 3 Run the following commands as required.
l AC mode
Run:
ap-update mode ac-mode

The AP upgrade mode is set to AC mode.


By default, the AP upgrade mode is AC mode.
l FTP mode
1.

Run:
ap-update mode ftp-mode

The AP upgrade mode is set to FTP mode.


By default, the AP upgrade mode is AC mode.
2.

Run:
ap-update ftp-server server-ip-address [ ftp-username ftp-username ] [ ftp-password { cipher | simple } ftp-password ]

Basic FTP information is configured.



By default, the FTP server IP address is 255.255.255.255, the FTP user name is
anonymous, and the FTP password is anonymous@huawei.com.
NOTE

You are advised to use an external FTP server to upgrade APs. If the AC functions as an FTP server, a
maximum of five FTP clients can be connected. Therefore, a maximum of five APs can be upgraded even
if many APs are online.

l SFTP mode
1.

Run:
ap-update mode sftp-mode

The AP upgrade mode is set to SFTP mode.


By default, the AP upgrade mode is AC mode.
2.

Run:
ap-update sftp-server server-ip-address [ sftp-username sftp-username ]
[ sftp-password { cipher | simple } sftp-password ]

Basic SFTP information is configured.


By default, the SFTP server IP address is 255.255.255.255, the SFTP user name is
anonymous, and the SFTP password is anonymous@huawei.com.
NOTE

You are advised to use an external SFTP server to upgrade APs. If the AC functions as an SFTP server, a
maximum of five SFTP clients can be connected. Therefore, a maximum of five APs can be upgraded
simultaneously even if many APs are online.

Step 4 Perform either of the following operations to configure the upgrade file of APs:
l Run:
ap-update update-filename filename ap-type type-id region region-id

The upgrade file name for APs of a specified type and in a specified AP region is specified.
l Run:
ap-update update-filename filename ap-type type-id

The upgrade file name for APs of a specified type is specified.


NOTE

In practice, to upgrade APs that have the same type and associate with the same AC, specify the upgrade
file name for APs of a specified type. To upgrade APs in a specified hotspot area, specify the upgrade file
name for APs of a specified type in a specified AP region.

----End

Adding APs
Context
You can add APs in any of the following modes:
- Adding APs offline: AP attributes including the AP type, MAC address, or serial number
(SN) are configured on the AC before APs go online. APs start to connect to the AC if their
AP types, MAC addresses, or SNs match the configured ones.
- Discovering APs in the whitelist: The AP authentication mode is set to no authentication;
alternatively, the AP authentication mode is set to MAC or SN authentication and the AP
whitelist is configured on the AC. When an AP in the whitelist connects to the AC, the AC
discovers the AP, and the AP goes online.
- Manually confirming APs added to the list of unauthorized APs: The AP authentication
mode is set to MAC or SN authentication, and the AP whitelist is configured on the AC.
When an AP out of the whitelist connects to the AC, the AC adds the AP to the list of
unauthorized APs. After the AP identity is confirmed, the AP can go online.

After you add an AP to an AC offline and configure AP parameters, for example, the AP region or
profile to which the AP is bound, the AP can go online and work with the configured data.
When the AC is configured to automatically discover APs, an AP uses the default parameters
to work after going online.
Adding an AP offline is recommended when the MAC address or SN of the AP is already learned.

Procedure
- Add an AP offline.
1.

Run:
system-view

The system view is displayed.


2.

Run:
wlan

The WLAN view is displayed.


3.

Run:
ap-auth-mode { mac-auth | sn-auth }

The AP authentication mode is set to MAC or SN authentication.


By default, the AP authentication mode is MAC address authentication.
4.

Run:
ap id ap-id { type-id type-id | ap-type ap-type } { mac ap-mac | sn ap-sn } *

The specified AP is added offline.


By default, no AP is added offline.
NOTE

If the AP authentication mode is set to MAC authentication, specify the MAC address of an
AP when adding the AP offline. If the AP authentication mode is set to SN authentication,
specify the SN of an AP when adding the AP offline.
When an AP connects to the AC, the AP enters the normal state if the MAC address or SN of
the AP is on the whitelist.

- Configure the AC to discover APs in the whitelist.

  - Set the AP authentication mode to no authentication.


1.

Run:
system-view

The system view is displayed.


2.

Run:
wlan

The WLAN view is displayed.


3.

Run:
ap-auth-mode no-auth


The AP authentication mode is set to no authentication.


By default, the AP authentication mode is MAC address authentication.
NOTE

When an AP connects to the AC, the AP enters the normal state if the MAC address or
SN of the AP is on the whitelist.

  - Set the AP authentication mode to MAC or SN authentication.


1.

Run:
system-view

The system view is displayed.


2.

Run:
wlan

The WLAN view is displayed.


3.

Run:
ap-auth-mode { mac-auth | sn-auth }

The AP authentication mode is set to MAC or SN authentication.


By default, the AP authentication mode is MAC address authentication.
4.

Configure the AP whitelist.


If the AP authentication mode is set to MAC authentication, run:
ap-whitelist mac ap-mac1 to ap-mac2

The AP with the specified MAC address is added to the whitelist.


If the AP authentication mode is set to SN authentication, run:
ap-whitelist sn ap-sn1 to ap-sn2

The AP with the specified SN is added to the whitelist.


NOTE

When an AP connects to the AC, the AP enters the normal state if the MAC address or SN of
the AP is on the whitelist.

- Confirm the AP added to the list of unauthorized APs.


1.

Run:
system-view

The system view is displayed.


2.

Run:
wlan

The WLAN view is displayed.


3.

Run:
ap-auth-mode { mac-auth | sn-auth }

The AP authentication mode is set to MAC or SN authentication.


By default, the AP authentication mode is MAC address authentication.
4.

Run:
display unauthorized-ap record

Information about unauthorized APs is displayed.


5.

Run:
ap-confirm { all | { mac ap-mac | sn ap-sn } [ id ap-id ] }

The specified AP in the list of unauthorized APs is confirmed. The AP then enters the normal state.
----End
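Several defaults in the procedures above are the weaker choice: DTLS encryption of the control tunnel is off, an AP may use the default PSK, the AP upgrade mode is AC or FTP rather than SFTP, a PSK or FTP password can be entered as plain text with the simple keyword, no-auth lets any AP go online, and a loopback source interface only works with a 32-bit mask. The following Python is an added example and is not part of this guide or of Huawei's software: it audits a running-configuration text for exactly those settings and returns findings, so that the hardened state can be checked after configuration or on a schedule. The two configuration excerpts are constructed for the example; they assume the configuration shows the commands in the form this guide gives them, that the source loopback interface appears as an interface LoopBack block with an ip address line, and that ciphertext values follow the cipher keyword (the placeholder ciphertext is not a real value).

```python
import re
from typing import Dict, List

# Constructed running-configuration excerpts in VRP style (not real device dumps).
# WEAK_CONFIG keeps the weaker defaults or explicitly selects the weaker option.
WEAK_CONFIG = """\
interface LoopBack0
 ip address 10.10.10.1 255.255.255.0
#
wlan
 wlan ac source interface loopback 0
 ap-auth-mode no-auth
 ap-update mode ftp-mode
 ap-update ftp-server 10.1.1.100 ftp-username apupdate ftp-password simple Lab-Pass-1
 dtls default-key enable
#
"""

# HARDENED_CONFIG applies the settings this section describes; ciphertext values are placeholders.
HARDENED_CONFIG = """\
interface LoopBack0
 ip address 10.10.10.1 255.255.255.255
#
wlan
 wlan ac source interface loopback 0
 ap-auth-mode mac-auth
 ap-update mode sftp-mode
 ap-update sftp-server 10.1.1.100 sftp-username apupdate sftp-password cipher CIPHERTEXT-PLACEHOLDER
 control-link dtls encrypt
 dtls default-key disable
 dtls psk cipher CIPHERTEXT-PLACEHOLDER
#
"""

# (regex matched against one WLAN-view line, finding when the pattern IS present?, finding text)
CHECKS = [
    (r"control-link dtls encrypt", False, "DTLS-OFF: CAPWAP control tunnel is not DTLS-encrypted (the default)"),
    (r"dtls default-key disable", False, "DTLS-DEFAULT-KEY: APs may use the default PSK for DTLS (the default)"),
    (r"dtls psk cipher \S+", False, "DTLS-NO-PSK: no ciphertext PSK is configured for DTLS"),
    (r"dtls psk simple \S+", True, "DTLS-PSK-PLAIN: DTLS PSK entered with the simple (plain-text) keyword"),
    (r"ap-auth-mode no-auth", True, "AP-NO-AUTH: APs go online without MAC or SN authentication"),
    (r"ap-update mode ftp-mode", True, "UPGRADE-FTP: AP upgrade uses FTP, which transmits data in plain text"),
    (r"ap-update s?ftp-server .*-password simple \S+", True, "UPGRADE-PASS-PLAIN: upgrade server password entered with the simple keyword"),
]


def split_blocks(config: str) -> List[List[str]]:
    """Split config text into blocks separated by '#' lines; indentation is dropped."""
    blocks: List[List[str]] = [[]]
    for line in (raw.strip() for raw in config.splitlines()):
        if line == "#":
            blocks.append([])
        elif line:
            blocks[-1].append(line)
    return [b for b in blocks if b]


def loopback_masks(blocks: List[List[str]]) -> Dict[int, str]:
    """Map loopback number -> configured mask (assumes 'interface LoopBackN' blocks)."""
    masks: Dict[int, str] = {}
    for block in blocks:
        head = re.fullmatch(r"interface loopback(\d+)", block[0], re.IGNORECASE)
        if not head:
            continue
        for line in block[1:]:
            addr = re.fullmatch(r"ip address \S+ (\S+)", line)
            if addr:
                masks[int(head.group(1))] = addr.group(1)
    return masks


def audit(config: str) -> List[str]:
    """Return 'ID: explanation' findings for the weak settings this section's procedures cover."""
    blocks = split_blocks(config)
    wlan = next((b[1:] for b in blocks if b[0] == "wlan"), [])  # lines of the WLAN view
    findings = [text for pattern, bad_if_present, text in CHECKS
                if any(re.fullmatch(pattern, line) for line in wlan) == bad_if_present]
    masks = loopback_masks(blocks)
    for line in wlan:
        src = re.fullmatch(r"wlan ac source interface loopback (\d+)", line)
        if src and masks.get(int(src.group(1))) not in ("255.255.255.255", "32"):
            findings.append(f"SRC-LOOPBACK-MASK: LoopBack{src.group(1)} mask is "
                            f"{masks.get(int(src.group(1)))}, a 32-bit mask is required")
    return findings


def finding_ids(config: str) -> List[str]:
    """Only the finding identifiers, for quick comparison."""
    return [f.split(":", 1)[0] for f in audit(config)]
```

The checks are written against the exact command forms in this section, so a device that displays a default differently (for example by omitting a line) will need the pattern for that check adjusted; the loopback check is deliberately separate because it needs the interface block, not just the WLAN view.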

Configuring an AP Region
Context
After an AP goes online, the AC adds the AP to an AP region. If an AP region is specified for
the AP, the AC adds the AP to the specified AP region. If no AP region is specified for the AP,
the AC adds the AP to the default AP region.
Adjusting the parameters (supported channel or power) of an AP may cause the parameters of
neighboring APs to be adjusted. To quicken adjustment, minimize the impact, and reduce the
workload, all the APs connecting to the same AC can be divided into several regions. The impact
of adjustment on an AP is limited within the local region.
You can add APs to an AP region using two methods:
- To add all the APs deployed at a hotspot to the same AP region, create an AP region and
change the default AP region to the new AP region. After the APs are powered on, they
automatically connect to the WLAN and join the new AP region.
- To add online APs to the same AP region, create an AP region for the current hotspot and
import all the APs in the default AP region into the new AP region.

Procedure
- Create an AP region and add APs to the AP region.
1.

Run:
system-view

The system view is displayed.


2.

Run:
wlan

The WLAN view is displayed.


3.

Run:
ap-region id region-id

An AP region is created and the AP region view is displayed.


4.

(Optional) Run:
ap-region-name region-name

The AP region name is configured.


By default, the AP region name is ap-region-region-id. If AP region 6 is created, its
region name is ap-region-6.
5.

Run:
deploy-mode { densely-deploy | discrete-deploy | normal-deploy }

The AP deployment mode in the AP region is configured.


By default, the AP deployment mode in an AP region is normal-deploy.
6.

Run:
quit


Exit from the AP region view.


7.

Run:
ap id ap-id

The AP view is displayed.


NOTE

ap-id identifies an AP on an AC. An AC assigns a unique ID to each AP. You can specify ap-id to configure parameters for a specified AP.

8.

Run:
region-id region-id

The AP is added to the created AP region.


By default, an AP is added to AP region 0.
NOTE

An AP joins an AP region after going online. If no AP region is created, the AP joins default
AP region 0.

- Change the default AP region.


1.

Run:
system-view

The system view is displayed.


2.

Run:
wlan

The WLAN view is displayed.


3.

Run:
default-ap-region id region-id

The default AP region ID is changed.


By default, the default AP region ID is 0.
- Merge two AP regions.


1.

Run:
system-view

The system view is displayed.


2.

Run:
wlan

The WLAN view is displayed.


3.

Run:
ap-region merge region-id1 into region-id2

The two AP regions are merged into one region whose region ID is region-id2.
By default, no AP regions are merged.


NOTE

Before merging AP regions into a new AP region, ensure that:
- The new AP region has been created.
- Some APs have joined the AP region specified by region-id1.

----End

Configuring an AP Profile and Binding an AP to the AP Profile


Context
An AP profile is a set of AP parameters. If an AP is bound to an AP profile, the AP inherits all
the parameters configured in the AP profile. An AP can be bound to only one AP profile, but
multiple APs can be bound to the same AP profile.
After an AP goes online, the AC adds the AP to an AP profile. If no AP profile is specified for
the AP, the AP is added to the default AP profile.

Procedure
- Create an AP profile and add APs to the AP profile.


1.

Run:
system-view

The system view is displayed.


2.

Run:
wlan

The WLAN view is displayed.


3.

Run:
ap-profile { id profile-id | name profile-name }

An AP profile is created and the AP profile view is displayed.


4.

Configure optional parameters in the AP profile.

Procedure: Configure the MTU of an AP Ethernet interface.
Command: eth-port-mtu mtu-value
By default, the MTU of an AP Ethernet interface is 1500 bytes.
Description: The size of data packets is limited at the network layer. When a network layer
device receives an IP packet, it determines the outbound interface and obtains the MTU
configured on the interface. The device then compares the MTU with the IP packet length. If
the IP packet length is larger than the MTU, the device fragments the IP packet. Each fragment
is no larger than the MTU.

Procedure: Enable the Telnet function on APs.
Command: telnet enable
By default, the Telnet function is enabled on an AP.
Description: To prevent unauthorized users from remotely logging in to an AP through Telnet,
disable the Telnet function on the AP.

Procedure: Enable the SSH function on APs.
Command: ssh enable
By default, the SSH function is enabled on an AP.
Description: To prevent unauthorized users from remotely logging in to an AP through SSH,
disable the SSH function on the AP.

Procedure: Enable the console function on APs.
Command: console enable
By default, the console function is enabled on an AP.
Description: To prevent unauthorized users from logging in to an AP through the console port,
disable the console function on the AP.

Procedure: Configure management VAP for offline APs.
Command: offline-management enable
By default, management VAP is disabled for offline APs.
Description: APs are often deployed in corners or high locations. When an AP becomes faulty,
it is inconvenient to connect to the AP through a console port or network cable. After
management VAP is enabled for offline APs, an AP automatically generates a management VAP
when it becomes faulty. Maintenance personnel set the IP addresses of their laptops to addresses
on 192.168.0.x/24, associate the laptops with the hidden WLAN named hw_manage, and enter the
key hw_manage. Maintenance personnel can then connect to the AP for fault location.
NOTE
For the management VAP for offline APs to take effect, the WDS function can be enabled only
on the 5 GHz frequency band.

Procedure: Configure Extensible Authentication Protocol (EAP) packet conversion.
l Specify the EAPOL-Start packets to be encapsulated by APs.
  Command: eapol-start transform { specific | all }
  By default, an AP encapsulates EAPOL-Start packets with the destination MAC address as the
  AP's BSSID in broadcast, multicast, or unicast packets.
l Configure APs to encapsulate sent EAPOL-Start packets in broadcast, multicast, or unicast
  packets.
  Command: eapol-start { broadcast | multicast | unicast mac-address }
  By default, an AP encapsulates EAPOL-Start packets sent to an AC in multicast packets.
l Specify the EAPOL-Response packets to be encapsulated by APs.
  Command: eapol-response transform { specific | all }
  By default, an AP encapsulates only the EAPOL-Response packets with the destination MAC
  addresses as the AP's BSSID.
l Configure APs to encapsulate sent EAPOL-Response packets in broadcast, multicast, or
  unicast packets.
  Command: eapol-response { broadcast | multicast | unicast mac-address }
  By default, an AP encapsulates EAPOL-Response packets sent to an AC in multicast packets.
Description: Different vendors use different methods to encapsulate EAP packets in broadcast,
multicast, or unicast packets. In 802.1x authentication, when an AP sends EAPOL-Start and
EAPOL-Response packets to an AC, the method that the AP uses to encapsulate the two types of
packets must be the same as the method that the access device directly connected to the AC
uses. Otherwise, the two types of packets cannot be processed by the access device directly
connected to the AP. Consequently, the user cannot pass 802.1x authentication.

Procedure: Configure the alarm suppression function on APs.
l Enable the alarm suppression function on APs.
  Command: ap alarm-restriction enable
  By default, the alarm suppression function is enabled on an AP.
l Configure the alarm suppression period on APs.
  Command: ap alarm-restriction period time
  By default, the alarm suppression period on an AP is 60s.
Description: To prevent an AP from sending a large number of duplicate alarms to an AC,
configure the alarm suppression function on the AP.

Procedure: Configure the sampling interval on APs.
Command: sample-time time
By default, the sampling interval on an AP is 30s.
Description: When you query the traffic and rate of a STA, a radio, an AP, or an AP Ethernet
interface, the wireless-side packet error ratio (PER), wireless channel usage (%), wireless-side
radio sent packet loss ratio (%), or PER (%) of an AP Ethernet interface, the AP reports average
values collected within the sampling interval to the AC.

Procedure: Configure the interval for collecting statistics on an AP.
Command: statistics-interval time
By default, the interval for collecting statistics on an AP is 60s.
Description: When you query CPU usage and memory usage on an AP, the AP reports average
values collected within this interval to the AC.

5.

Run:
quit

Exit from the AP profile view.


6.

Run:
ap id ap-id

The AP view is displayed.


7.

Run:
profile-id profile-id

The AP is bound to a specified AP profile.


By default, an AP is bound to AP profile named ap-profile-0.
l

Change the default AP profile.


1.

Run:
system-view

The system view is displayed.


2.

Run:
wlan

The WLAN view is displayed.


3.

Run:
default-ap-profile { id profile-id | name profile-name }

The default AP profile is configured.


By default, an AP is bound to AP profile named ap-profile-0.
NOTE

To bind APs to an AP profile in batches, configure the AP profile as the default AP profile.

----End

Configuring the Data Forwarding Mode


Context
Packets transmitted on a WLAN include control packets and data packets. Control packets are
forwarded through CAPWAP control tunnels. Data packets are forwarded in tunnel forwarding
(centralized forwarding) or direct forwarding (local forwarding) mode according to whether data
packets are forwarded through CAPWAP data tunnels.
Table 12-4 lists the comparisons between tunnel forwarding and direct forwarding.
Table 12-4 Comparisons between tunnel forwarding and direct forwarding

Data Forwarding Mode: Tunnel forwarding
Advantage: An AC forwards all data packets, ensuring security and facilitating centralized
management and control.
Disadvantage: Service data must be forwarded by an AC, reducing packet forwarding efficiency
and burdening the AC.

Data Forwarding Mode: Direct forwarding
Advantage: Service data does not need to be forwarded by an AC, improving packet forwarding
efficiency and reducing the burden on the AC.
Disadvantage: Service data is difficult to manage and control in a centralized manner.

Procedure
l

Configure the data forwarding mode for an AP.


NOTE

All the VAPs created on an AP use the same data forwarding mode.

1.

Run:
system-view

The system view is displayed.


2.

Run:
wlan

The WLAN view is displayed.


3.

Run:
forward-mode type ap

The data forwarding mode is configured for an AP.


By default, the data forwarding mode applies to a VAP.
4.

Run:
forward-mode ap ap-id mode { direct-forward | tunnel }

The data forwarding mode is set to direct forwarding or tunnel forwarding.


l

Configure the data forwarding mode for a VAP.


1.

Run:
system-view

The system view is displayed.


2.

Run:
wlan

The WLAN view is displayed.


3.

Run:
forward-mode type service-set

The data forwarding mode is configured for a VAP.


By default, the data forwarding mode applies to a VAP.
4.

Run:
service-set { name service-set-name | id service-set-id }

A service set is created and the service set view is displayed.


NOTE

The service set name is mandatory when you create a service set.

5.

Run:
forward-mode { direct-forward | tunnel }

The data forwarding mode is set to direct forwarding or tunnel forwarding.


By default, the data forwarding mode is direct forwarding.
----End

(Optional) Configuring a Network Element Name or System Name on an AP


Context
You can configure a network element name or system name for an AP for identification. This
configuration facilitates AC management over APs. For example, if you set the network element
name or system name of an AP as the AP deployment location, you can easily locate the AP
when the AP becomes faulty.
To manage all the APs that connect to the same AC, differentiate the APs based on the AP system
name. To manage APs that connect to different ACs, differentiate the APs based on the AP
network element name.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
wlan

The WLAN view is displayed.


Step 3 Run:
ap id ap-id

The AP view is displayed.


Step 4 Configure a system name or network element name for the AP as required.
l

Run:
ap-sysname ap-sysname

A system name is configured for the AP.


By default, the system name of an AP is ap-ap-id. For example, the system name of AP 3
is ap-3.
NOTE

APs that connect to the same AC must have different system names.

l

Run:
ap sysnetid ap-sysnetid

A network element name is configured for the AP.


By default, no network element name is configured for an AP.
NOTE

APs on the same WLAN must have different network element names.

----End

(Optional) Configuring a Management VLAN on an AP


Context
Generally, the PVID of the access device interface to which an AP directly connects is configured
as the management VLAN ID. For details, see 12.1 Precautions for the Configuration.
Management packets sent by the AP are then transmitted on CAPWAP tunnels. When the packets
arrive at the access device, the access device adds the PVID to the packets as their VLAN tags.
If the PVID of the access device has been used as the default VLAN tag of wired users, the PVID
cannot be configured as the management VLAN ID on the access device interface. In this case,
configure a management VLAN on the AP. The AP then encapsulates the control packets sent
to the AC in CAPWAP packets and adds the management VLAN ID to the packets as their
VLAN tags. You only need to configure the access device to allow only the packets carrying
the management VLAN ID to pass.


Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
wlan

The WLAN view is displayed.


Step 3 Run:
ap id ap-id

The AP view is displayed.


Step 4 Run:
management-vlan vlan-id

A management VLAN is configured for the AP.


By default, no management VLAN is configured for an AP.
----End

(Optional) Configuring LLDP on an AP


Context
The Link Layer Discovery Protocol (LLDP) helps the NMS obtain detailed Layer 2 information,
such as the network topology, device interface status, and management address.
After LLDP is configured on an AP, the AP can send LLDP packets carrying local system status
information to directly connected neighbors and parse LLDP packets received from neighbors.
After the AP discovers a neighbor, the AP sends neighbor information to the AC. The NMS then
obtains AP's LLDP information from the AC to learn about the network topology.
To enable an AP to discover neighbors, enable LLDP on the AP and access device to which the
AP directly connects.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
wlan

The WLAN view is displayed.


Step 3 Run:
wlan ap lldp enable

LLDP is enabled globally.



By default, LLDP is disabled globally.


Step 4 Run:
ap id ap-id

The AP view is displayed.


Step 5 Run:
lldp enable

LLDP is enabled on the AP.


By default, LLDP is enabled on an AP.
NOTE

An AP can discover neighbors only when LLDP is enabled globally and on the AP.

Step 6 Run:
lldp admin-status { rx | tx | txrx }

The LLDP operating mode is configured for the AP.


By default, the LLDP operating mode of an AP is TxRx.
Step 7 (Optional) Run:
lldp tlv-enable basic-tlv { all | management-address | port-description | system-capability | system-description | system-name }

The TLVs that an AP advertises in an LLDP packet are specified.


By default, an AP advertises all basic TLVs in an LLDP packet.
Step 8 (Optional) Run:
lldp report-interval interval-time

The interval at which the AP reports neighbor information to an AC is configured.


By default, an AP reports neighbor information to an AC at an interval of 30s.
Step 9 (Optional) Run:
lldp restart-delay delay-time

The delay in re-enabling LLDP on the AP is configured.


By default, the delay in re-enabling LLDP on an AP is 2s.
Step 10 (Optional) Run:
lldp message-transmission interval interval

The interval at which the AP sends LLDP packets to neighbors is configured.


By default, the interval at which an AP sends LLDP packets to neighbors is 30s.
Step 11 (Optional) Run:
lldp message-transmission delay delay

The delay in sending LLDP packets to neighbors on the AP is configured.


By default, the delay in sending LLDP packets to neighbors is 2s on an AP.
Step 12 (Optional) Run:
lldp message-transmission hold-multiplier hold


The hold time multiplier of AP information on neighbors is configured.


By default, the hold time multiplier of AP information on neighbors is 4.
----End
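The basic TLVs selected in Step 7 decide what a neighbor learns about the AP, and the transmission interval and hold multiplier of Steps 10 and 12 decide how long the neighbor keeps that entry. The following Python is an added example, not code from this guide or the AP firmware: it encodes an LLDPDU with those TLVs according to IEEE 802.1AB and decodes it back, rejecting malformed frames; the MAC address, interface name, system name and management IP are constructed sample values.

```python
"""Encode and decode an LLDPDU with the basic TLVs an AP can advertise.

Added example, not code from the Huawei guide. TLV layouts follow IEEE
802.1AB; the MAC address, interface name, system name/description and
management IP used below are constructed sample values.
"""
import struct

# TLV type codes (IEEE 802.1AB clause 8.4)
END, CHASSIS_ID, PORT_ID, TTL, PORT_DESC, SYS_NAME, SYS_DESC, SYS_CAP, MGMT_ADDR = range(9)
CAP_BRIDGE, CAP_WLAN_AP = 0x04, 0x08          # system capability bits
BASIC_TLVS = {"management-address", "port-description", "system-capability",
              "system-description", "system-name"}   # the basic-tlv keywords


def tlv(tlv_type, value):
    """One TLV: 7-bit type and 9-bit length in a big-endian 16-bit header."""
    if len(value) > 511:
        raise ValueError("TLV value longer than 511 bytes")
    return struct.pack("!H", (tlv_type << 9) | len(value)) + value


def lldp_ttl(tx_interval, hold_multiplier):
    """Seconds a neighbor keeps the entry: interval x hold multiplier, capped
    at 65535 (120 s with the guide's defaults of 30 s and 4)."""
    return min(65535, tx_interval * hold_multiplier)


def build_lldpdu(mac, port_name, sys_name, sys_desc, mgmt_ipv4, enabled,
                 tx_interval=30, hold_multiplier=4):
    """Chassis ID, Port ID and TTL are mandatory; the optional basic TLVs are
    added only when their keyword (or 'all') is in `enabled`."""
    if "all" in enabled:
        enabled = BASIC_TLVS
    pdu = tlv(CHASSIS_ID, b"\x04" + mac)                  # subtype 4: MAC address
    pdu += tlv(PORT_ID, b"\x05" + port_name.encode())     # subtype 5: interface name
    pdu += tlv(TTL, struct.pack("!H", lldp_ttl(tx_interval, hold_multiplier)))
    if "port-description" in enabled:
        pdu += tlv(PORT_DESC, b"AP wired uplink")
    if "system-name" in enabled:
        pdu += tlv(SYS_NAME, sys_name.encode())
    if "system-description" in enabled:
        pdu += tlv(SYS_DESC, sys_desc.encode())
    if "system-capability" in enabled:
        # supported capabilities, then the ones currently enabled
        pdu += tlv(SYS_CAP, struct.pack("!HH", CAP_BRIDGE | CAP_WLAN_AP, CAP_WLAN_AP))
    if "management-address" in enabled:
        addr = b"\x01" + bytes(int(o) for o in mgmt_ipv4.split("."))  # subtype 1: IPv4
        # address string length, address, interface numbering subtype 1
        # (unknown), interface number 0, OID length 0
        pdu += tlv(MGMT_ADDR, bytes([len(addr)]) + addr + b"\x01" + struct.pack("!I", 0) + b"\x00")
    return pdu + tlv(END, b"")


def parse_lldpdu(pdu):
    """Decode an LLDPDU into a dict. A truncated TLV, a missing End TLV or a
    missing mandatory TLV raises ValueError instead of yielding a half-read entry."""
    out, off = {}, 0
    while off + 2 <= len(pdu):
        header = struct.unpack("!H", pdu[off:off + 2])[0]
        t, length = header >> 9, header & 0x1FF
        value = pdu[off + 2:off + 2 + length]
        if len(value) != length:
            raise ValueError("truncated TLV")
        off += 2 + length
        if t == END:
            if off != len(pdu):
                raise ValueError("data after End of LLDPDU")
            if not all(k in out for k in ("chassis_mac", "port", "ttl")):
                raise ValueError("mandatory TLV missing")
            return out
        if t == CHASSIS_ID and value[:1] == b"\x04":
            out["chassis_mac"] = value[1:].hex(":")
        elif t == PORT_ID and value[:1] == b"\x05":
            out["port"] = value[1:].decode()
        elif t == TTL and length == 2:
            out["ttl"] = struct.unpack("!H", value)[0]
        elif t in (PORT_DESC, SYS_NAME, SYS_DESC):
            key = {PORT_DESC: "port_desc", SYS_NAME: "sys_name", SYS_DESC: "sys_desc"}[t]
            out[key] = value.decode()
        elif t == SYS_CAP and length == 4:
            out["caps_supported"], out["caps_enabled"] = struct.unpack("!HH", value)
        elif t == MGMT_ADDR and value[1:2] == b"\x01":
            out["mgmt_addr"] = ".".join(str(b) for b in value[2:6])
    raise ValueError("End of LLDPDU TLV not found")


# Constructed values for the stand-alone run.
SAMPLE_MAC = bytes.fromhex("0011223344aa")

if __name__ == "__main__":
    frame = build_lldpdu(SAMPLE_MAC, "GE0/0/0", "ap-3", "constructed AP", "192.168.10.3", {"all"})
    print(parse_lldpdu(frame))
```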

(Optional) Configuring an AC to Cache AP Data


Context
The NMS needs to periodically obtain performance statistics (including AP and radio
performance statistics and information about users on an AP) from an AC that obtains the
information from the AP. Querying performance statistics requires many packets to be
exchanged, leading to deterioration of query performance or even query timeout.
Data caching is a method to improve query performance, in which an AC periodically queries
performance statistics and caches the data. When the NMS requires the data, the NMS obtains
the data from the buffer but not from the AP.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
wlan

The WLAN view is displayed.


Step 3 Run:
ap-collect-time enable

The AC is enabled to cache AP data.


By default, an AC does not cache AP data.
Step 4 (Optional) Run:
ap collect-time time-value

The period during which the AC caches AP data is configured.


By default, the AC caches AP data for 15 minutes.
----End

(Optional) Configuring the User Name and Password for Logins to an AP


Context
You can locally log in to an AP through the Console port or remotely log in to an AP through
Telnet or STelnet. You can access the AP configuration page after entering the correct user name
and password. To prevent unauthorized users from using the default user name and password to
log in to the AP, change the default user name and password.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
wlan

The WLAN view is displayed.


Step 3 Run:
wlan ap username username-value password { cipher cipher-password | simple simple-password }

The user name and password for logins to an AP are configured.


By default, the user name is admin and password is admin.
NOTE

Before remotely logging in to an AP through Telnet or STelnet, ensure that the Telnet or STelnet function
has been enabled using the telnet enable or ssh enable command.

----End

(Optional) Configuring Alarm Thresholds on an AP


Context
You can configure alarm thresholds on an AP to monitor the AP in real time. When the configured
thresholds are exceeded, the AP generates alarms or logs to notify the AC of AP status.
The default alarm thresholds are recommended.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
wlan

The WLAN view is displayed.


Step 3 Run:
ap id ap-id

The AP view is displayed.


Step 4 Run:
cpu warn-threshold threshold

The CPU usage alarm threshold is configured.


By default, the CPU usage alarm threshold on an AP is 90%.

Step 5 Run:
mem warn-threshold threshold

The memory usage alarm threshold is configured.


By default, the memory usage alarm threshold on an AP is 80%.
Step 6 Run:
high-temperature threshold value

The high temperature alarm threshold is configured.


By default, the high temperature alarm threshold on an AP is 60°C.
Step 7 Run:
low-temperature threshold value

The low temperature alarm threshold is configured.


By default, the low temperature alarm threshold on an AP is -10°C.
Step 8 Configure optical module alarm thresholds on an AP.
NOTE

Currently, only the WA653SN and AP6610DN-AGN support optical modules.

1.

Run:
optical high-rx-power threshold value

The upper receive power threshold of an AP's optical module is configured.


By default, the upper receive power threshold of an AP's optical module is 1000 uW.
2.

Run:
optical low-rx-power threshold value

The lower receive power threshold of an AP's optical module is configured.


By default, the lower receive power threshold of an AP's optical module is 25 uW.
3.

Run:
optical high-temperature threshold value

The high temperature alarm threshold of an AP's optical module is configured.


By default, the high temperature alarm threshold of an AP's optical module is 70°C.
4.

Run:
optical low-temperature threshold value

The low temperature alarm threshold of an AP's optical module is configured.


By default, the low temperature alarm threshold of an AP's optical module is -5°C.
----End

(Optional) Configuring Log Backup for APs


Context
Logs record user operations and system running information. After logs are backed up to a server,
network administrators can summarize and analyze AP logs to learn about the operations
performed on APs for fault location.

Two log backup modes are available on the device:


l

Manual log backup: To locate faults on an AP, manually back up logs about the AP to a
log server.

l

Periodic log backup: An AP sends all existing logs to a log server, saves new logs locally,
and sends the new logs to the log server periodically.

Procedure
l

Configure periodic log backup.


1.

Run:
system-view

The system view is displayed.


2.

Run:
wlan

The WLAN view is displayed.


3.

Run:
ap-profile { id profile-id | name profile-name }

The AP profile view is displayed.


4.

Run:
log-record-level { alert | critical | debug | emergency | error | info |
notice | warning }

The level of AP logs to be backed up is configured.


By default, the level of AP logs to be backed up is warning.
5.

Run:
log-server-ip server-ip-address

A log server IP address is configured and log backup is enabled.


By default, the log server IP address is 0.0.0.0, and log backup is disabled.
6.

Run:
log-cycle-backup mode { disable | ftp | sftp }

The AP log backup mode is configured.


By default, the AP log backup mode is disable.
7.

Run:
log-cycle-backup log-server-ip ip-address [ username username ]
[ password { simple | cipher } password ]

Basic information about the log server that the AP periodically backs up logs to is
configured, including the IP address, user name, and password of the log server.
By default, the log server IP address is 0.0.0.0, user name is anonymous, and password
is anonymous@huawei.com.
8.

Run:
log-cycle-backup cycle time

The AP log backup period is configured.


By default, the AP log backup period is 4 hours.

l

Configure manual log backup.


1.

Run:
system-view

The system view is displayed.


2.

Run:
wlan

The WLAN view is displayed.


3.

Run:
ap log-manual-backup ap-id ap-id

Logs of the specified AP are manually backed up to the log server.


4.

Run:
log-record-level { alert | critical | debug | emergency | error | info |
notice | warning }

The level of AP logs to be backed up is configured.


By default, the level of AP logs to be backed up is warning.
5.

Run:
log-server-ip server-ip-address

A log server IP address is configured and log backup is enabled.


By default, the log server IP address is 0.0.0.0, and log backup is disabled.
6.

Run:
log-cycle-backup mode { disable | ftp | sftp }

The AP log backup mode is configured.


By default, log backup is disabled on an AP.
7.

Run:
log-cycle-backup log-server-ip ip-address [ username username ]
[ password { simple | cipher } password ]

Basic information about the log server that the AP periodically backs up logs to is
configured, including the IP address, user name, and password of the log server.
By default, the log server IP address is 0.0.0.0, user name is anonymous, and password
is anonymous@huawei.com.
----End
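The Telnet, SSH and console switches of the AP profile, the default admin/admin AP login of the previous section, and the FTP or SFTP backup mode of this section are the settings a reviewer checks first in a saved configuration. The following Python script is an added example, not code from this guide: it parses a constructed configuration excerpt written in the command syntax shown in this chapter and reports the weak settings; the saved-configuration layout (a wlan block with one command per line and the undo form to turn a switch off) is assumed from Huawei VRP convention and is not shown on this page.

```python
"""Audit AP management settings in a saved AC configuration excerpt.

Added example, not code from the Huawei guide. The excerpt below is constructed
from the command syntax shown in this chapter; the saved-configuration layout
(the 'wlan' block, one line per command, 'undo' to turn a switch off) is
assumed from Huawei VRP convention and is not shown on this page.
"""
import re

# Constructed excerpt: the global AP login plus two AP profiles. The cipher
# value is a placeholder, not a real Huawei ciphertext.
SAMPLE_CONFIG = """\
#
wlan
 wlan ap username admin password simple admin
 ap-profile id 0 name ap-profile-0
  telnet enable
  console enable
  offline-management enable
  log-cycle-backup mode ftp
  log-cycle-backup log-server-ip 10.1.1.5 username backup password simple backup123
 ap-profile id 1 name hardened
  undo telnet enable
  ssh enable
  undo console enable
  log-cycle-backup mode sftp
  log-cycle-backup log-server-ip 10.1.1.5 username backup password cipher CIPHERTEXT_PLACEHOLDER
#
"""

# Defaults stated in the guide: Telnet, SSH and console on, management VAP for
# offline APs off, periodic log backup off.
PROFILE_DEFAULTS = {"telnet": True, "ssh": True, "console": True,
                    "offline_management": False, "backup_mode": "disable",
                    "backup_password_mode": None}
PROFILE_RE = re.compile(r"^ap-profile(?: id (\d+))?(?: name (\S+))?$")
LOGIN_RE = re.compile(r"^wlan ap username (\S+) password (simple|cipher) (\S+)$")
BACKUP_RE = re.compile(r"^log-cycle-backup log-server-ip \S+(?: username \S+)?"
                       r"(?: password (simple|cipher) \S+)?$")


def parse_config(text):
    """Return (login, profiles). login is (user, mode, secret), or None when the
    default admin/admin still applies; profiles maps profile name -> settings."""
    login, profiles, current = None, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = LOGIN_RE.match(line)
        if m:
            login = m.groups()
            continue
        m = PROFILE_RE.match(line)
        if m and (m.group(1) or m.group(2)):
            current = dict(PROFILE_DEFAULTS)
            profiles[m.group(2) or "id-" + m.group(1)] = current
            continue
        if current is None:
            continue
        undo = line.startswith("undo ")
        cmd = line[5:] if undo else line
        if cmd in ("telnet enable", "ssh enable", "console enable"):
            current[cmd.split()[0]] = not undo
        elif cmd == "offline-management enable":
            current["offline_management"] = not undo
        elif cmd.startswith("log-cycle-backup mode "):
            current["backup_mode"] = cmd.split()[-1]
        elif BACKUP_RE.match(cmd):
            current["backup_password_mode"] = BACKUP_RE.match(cmd).group(1)
    return login, profiles


def audit(text):
    """Map '(global)' and each AP profile name to its list of findings."""
    login, profiles = parse_config(text)
    findings = {"(global)": []}
    if login is None or login == ("admin", "simple", "admin"):
        findings["(global)"].append("AP login still uses the default admin/admin credentials")
    elif login[1] == "simple":
        findings["(global)"].append("AP login password is stored in cleartext (simple)")
    for name, p in profiles.items():
        f = []
        if p["telnet"]:
            f.append("Telnet enabled: AP logins and commands cross the network unencrypted")
        if p["console"]:
            f.append("console enabled: physical access to the AP gives a login prompt")
        if p["offline_management"]:
            f.append("management VAP enabled: a faulty AP opens hidden WLAN hw_manage "
                     "with the fixed key hw_manage on 192.168.0.x/24")
        if p["backup_mode"] == "ftp":
            f.append("log backup over FTP: server credentials and AP logs are sent in cleartext")
        if p["backup_password_mode"] == "simple":
            f.append("log server password stored in cleartext (simple)")
        findings[name] = f
    return findings


if __name__ == "__main__":
    for scope, items in audit(SAMPLE_CONFIG).items():
        print(scope, "->", items or ["no findings"])
```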

(Optional) Configuring Log Suppression on APs


Context
If a STA keeps attempting to connect to an AP because of signal interference or instability, the
AP sends a large number of duplicate login and logoff logs to the AC in a short period, causing
a huge waste of resources.
To address this problem, enable log suppression. The AP sends only one log about a user to the
AC within the log suppression period.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
access-user syslog-restrain enable

Log suppression is enabled on APs.


By default, log suppression is enabled on an AP.
Step 3 (Optional) Run:
access-user syslog-restrain period period

The log suppression period is set.


By default, the log suppression period on an AP is 300s.
----End

(Optional) Configuring the Interval for Collecting AP Performance Statistics


Context
To view AP performance statistics within a specified period, including the packet loss ratio and
traffic on an AP's uplink interface, configure the interval for collecting AP performance statistics.
After the interval is configured, you can run the display ap-performance-statistic id ap-id
command to view AP performance statistics.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
wlan

The WLAN view is displayed.


Step 3 Run:
ap id ap-id

The AP view is displayed.


Step 4 Run:
performance-statistic cycle time

The interval for collecting AP performance statistics is set.


By default, the interval for collecting AP performance statistics is 15 minutes.
----End

(Optional) Changing the MAC Address or SN of an AP


Context
To replace the AP that associates with an AC with a new AP without reconfiguring data for the
new AP, change the MAC address or SN of the new AP to be that of the previous AP. After the
modification, the new AP with the ID of the previous AP re-associates with the AC and inherits
all the data configured on the previous AP.
Additionally, you can correct an AP's MAC address or SN that is incorrectly entered when the
AP is added offline.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
wlan

The WLAN view is displayed.


Step 3 Run:
ap modify ap-id { mac ap-mac | sn ap-sn }

The MAC address or SN of an AP is changed.


You can run the display ap { all | id ap-id } command to view the MAC address or SN of the
previous AP.
----End

Checking the Configuration


Procedure
l

Run the display ap { all | id ap-id | by-mac ap-mac | by-sn ap-sn } command to check AP
information.

Run the display ap-type { all | id type-id | type ap-type } command to check the AP type.

Run the display ap-auth-mode command to check the AP authentication mode.

Run the display ap-license command to check the number of APs allowed to connect to
the AC.

Run the display capwap config command to check the CAPWAP configuration.

Run the display ap-profile { all | default | id profile-id | name profile-name } command
to check AP profile information.

Run the display forward-mode { ap ap-id | service-set service-set-id } command to check
the configured data forwarding mode.

Run the display ap-region { default | all | id region-id } command to check the AP region
configuration.

Run the display ap-update mode command to check the AP upgrade mode.


Run the display ap-update update-filename ap-type type-id command to check the
upgrade file name of the specified AP type.

Run the display ap-update ftp-server command to check the FTP server configuration
during AP version upgrade.

Run the display ap-update sftp-server command to check the SFTP server configuration
during AP version upgrade.

Run the display wlan ap lldp command to check the global LLDP enabling status.

Run the display lldp ap-neighbor [ ap-id [ port port-number ] ] command to check LLDP
neighbor information on a specified AP.

Run the display ap-whitelist { mac | sn } command to check the AP whitelist.

Run the display ap collect-time command to check the period during which the AC caches
AP data.

Run the display wlan ap username [ ap-id ap-id ] command to check the user name and
password used to log in to an AP.

Run the display ap-performance-statistic id ap-id command to check AP performance
statistics.

Run the display optical-info ap-id ap-id command to check optical module information
on a specified AP.

Run the display ap id ap-id cpu warn-threshold command to check the CPU usage alarm
threshold on a specified AP.

Run the display ap id ap-id mem warn-threshold command to check the memory usage
alarm threshold on a specified AP.

----End

12.2.6 Configuring the WLAN Service VAP


When an AP is working properly, you can configure service virtual access points (VAPs) on the
AP to provide differentiated WLAN services for users.

Pre-configuration Tasks
Before configuring the WLAN service VAP, complete the following task:
l

12.2.5 Managing APs on the AC

Configuration Process
When a user discovers a WLAN and connects to the WLAN, the user connects to a VAP. A
VAP is a functional entity on an AP. You can create different VAPs on an AP to provide wireless
access services for different users so that these users can obtain different network resources. A
VAP is also the binding relationship between an AP, a radio, and an ESS profile.
Figure 12-11 shows the WLAN service VAP configuration procedure.


Figure 12-11 WLAN service VAP configuration flowchart

(Flowchart. The steps it shows are:)
l Create a WMM profile, a security profile, and a traffic profile, and create a WLAN-ESS
  interface.
l Configure a radio profile and bind the WMM profile to the radio profile.
l Configure a service set and bind the security profile, the traffic profile, and the WLAN-ESS
  interface to the service set.
l Configure a radio and bind the radio profile and the service set to the radio.
l Submit the configuration to complete the VAP service configuration.
Creating a WMM Profile


Context
802.11 provides services of the same quality for all applications. Different applications, however,
have different requirements for wireless networks. 802.11 cannot provide differentiated services
for different applications.
To provide differentiated services for different applications, the Wi-Fi Alliance defines the Wi-Fi Multimedia (WMM) standard, which classifies data packets into four access categories (ACs)
in descending order of priorities, that is, AC-voice (AC-VO), AC-video (AC-VI), AC-best effort
(AC-BE), and AC-background (AC-BK). This standard ensures that high-priority packets
preempt channels.
A WMM profile is created to implement the WMM protocol. After a WMM profile is created,
packets with higher AP or STA priority preempt a wireless channel first, ensuring better quality
for voice and video services on WLANs.
NOTE

For details on how to configure parameters in a WMM profile, see 12.7.4 Configuring WMM.

Procedure
Step 1 Run:
system-view


The system view is displayed.


Step 2 Run:
wlan

The WLAN view is displayed.


Step 3 Run:
wmm-profile { id profile-id | name profile-name }

A WMM profile is created and the WMM profile view is displayed.


NOTE

When creating a WMM profile, pay attention to the following:


l After a WMM profile is created, the profile retains the default settings. The default settings are
recommended. For details on how to configure a WMM profile, see 12.7.4 Configuring WMM.
l The profile name is mandatory when you create a WMM profile.

----End

Configuring a Radio Profile


Context
A radio profile defines the following parameters: radio type, radio rate, channel mode, radio
power mode, packet loss threshold, error packet threshold, collision rate threshold, packet
fragmentation threshold, Request To Send/Clear To Send (RTS/CTS) threshold, maximum
number of retransmission attempts for long/short frames, whether short preamble is supported,
delivery traffic indication message (DTIM) interval, Beacon frame interval, and WMM profile
name or ID. If a radio is bound to a radio profile, the radio inherits all the parameters defined in
the radio profile.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
wlan

The WLAN view is displayed.


Step 3 Run:
radio-profile { id profile-id | name profile-name }

A radio profile is created and the radio profile view is displayed.


NOTE

When creating a radio profile, pay attention to the following:


l After a radio profile is created, the profile retains the default settings.
l The profile name is mandatory when you create a radio profile.

Step 4 (Optional) Configure optional parameters in the radio profile.



Procedure: Configure the channel mode.
Command: channel-mode { auto | fixed }
By default, the channel mode is automatic mode.
Description: An AP supports two channel modes:
l Automatic mode: An AP selects a channel for a radio based on the WLAN radio environment,
  so you do not need to specify channels for radios.
l Manual mode: A channel is manually configured for a radio to avoid frequent channel
  adjustment (which may cause intermittent service interruption).

Procedure: Configure the power mode.
Command: power-mode { auto | fixed }
By default, the power mode is automatic mode.
Description: An AP supports two power modes:
l Automatic mode: The AP selects the transmit power for a radio based on the WLAN radio
  environment.
l Manual mode: The transmit power is manually configured for a radio.

Procedure: Configure the radio type.
Command: radio-type { 80211a | 80211an | 80211gn | 80211b | 80211bg | 80211bgn | 80211g |
80211n }
By default, the radio type is 802.11bg.
NOTE
When configuring the wireless distribution system (WDS), set the radio type to 80211an,
80211gn, 80211bgn, or 80211n.
Description: Different radios have different radio types:
l The radio type of a 2.4-GHz radio can be 802.11b, 802.11bg, 802.11bgn, 802.11g, 802.11n,
  or 802.11gn.
l The radio type of a 5-GHz radio can be 802.11a, 802.11n, or 802.11an.

Procedure: Set the rate mode to automatic mode and configure the maximum rate.
Command: rate auto max-rate rate-value { rate_1 | rate_2 | rate_5_5 | rate_6 | rate_9 |
rate_11 | rate_12 | rate_18 | rate_22 | rate_24 | rate_33 | rate_36 | rate_48 | rate_54 }
Description: If you configure the maximum rate for a radio but the radio does not support the
configured maximum rate, the configuration fails. For example, if a maximum rate of 54 Mbit/s
is configured for an 802.11b radio, the configuration fails because the radio does not support
the rate of 54 Mbit/s.
NOTE
When the radio type is 802.11an, 802.11gn, 802.11bgn, or 802.11n, this command cannot be used
to configure the maximum rate of these radios. To configure the maximum rate of these radios,
run the 80211n mcs command.

Procedure: Configure the interval at which an AP sends Beacon frames.
Command: beacon-interval beacon-interval
By default, the interval for sending Beacon frames is 100 ms.
Description: An AP broadcasts Beacon frames at intervals to notify STAs of an existing 802.11
network.

Procedure: Configure the DTIM interval.
Command: dtim-interval dtim-interval
By default, the DTIM interval is 1.
Description: The DTIM interval specifies how many Beacon frames are sent before the Beacon
frame that contains the DTIM. An AP sends a Beacon frame to wake a STA in power-saving mode,
indicating that the saved broadcast and multicast frames will be transmitted to the STA.
l A short DTIM interval helps transmit data in a timely manner, but the STA is woken
  frequently, causing high power consumption.
l A long DTIM interval lengthens the dormancy time
of a STA and saves
power, but
degrades the
transmission
capability of the
STA.

Issue 04 (2013-06-15)

Huawei Proprietary and Confidential


Copyright Huawei Technologies Co., Ltd.

1989

AC6605 Access Controller


Configuration Guide

12 Configuration Guide - WLAN

Procedure

Command

Description

Configure an AP to
support the short
preamble.

short-preamble { enable | disable }

The preamble is a
section of bits in the
header of a data frame.
It synchronizes signals
transmitted between
the sender and receiver
and can be a short or
long preamble.

By default, an AP supports the short


preamble.

l A short preamble
ensures better
network
synchronization
performance and is
recommended.
l A long preamble is
usually used for
compatibility with
earlier network
adapters of clients.

Issue 04 (2013-06-15)

Huawei Proprietary and Confidential


Copyright Huawei Technologies Co., Ltd.

1990

AC6605 Access Controller


Configuration Guide

12 Configuration Guide - WLAN

Procedure

Command

Description

Configure the packet


fragmentation threshold.

fragmentation-threshold
fragmentation-threshold

If an 802.11 MAC
frame exceeds the
packet fragmentation
threshold, the frame
needs to be
fragmented.

By default, the packet fragmentation


threshold is 2346 bytes.

l When the packet


fragmentation
threshold is too
small, packets are
fragmented into
smaller frames.
These frames are
transmitted at a
high extra cost,
resulting in low
channel efficiency.
l When the packet
fragmentation
threshold is too
large, long packets
are not fragmented,
increasing the
transmission time
and error
probability. If an
error occurs,
packets are
retransmitted. This
wastes the channel
bandwidth. The
default packet
fragmentation
threshold is
recommended.
Configu
re the
collision
rate
threshol
d,
packet
loss
threshol
d, and
error
packet
threshol
d.

Issue 04 (2013-06-15)

Configure the
collision rate
threshold.

conflict-rate-threshold conflict-ratethreshold
By default, the collision rate threshold
is 60%.

Huawei Proprietary and Confidential


Copyright Huawei Technologies Co., Ltd.

This configuration
helps determine
whether the radio
environment is good.
When the collision
rate, packet loss ratio,
or error packet ratio of
a radio reaches the
threshold, the system
considers that the radio
environment
deteriorates. When this
occurs, the system

1991

AC6605 Access Controller


Configuration Guide

12 Configuration Guide - WLAN

Procedure
Configure the
packet loss
threshold and
error packet
threshold.

Enable beamforming.

Command

Description

per-threshold per-threshold

needs to improve the


radio environment.

By default, the packet loss threshold


and error packet threshold is 30%.

beamforming enable
By default, beamforming is disabled.

Beamforming can
enhance signals at a
particular angle (for
target users), attenuate
signals at another angle
(for non-target users or
obstacles), and extend
the radio coverage
area.
NOTE
WA6x3xN and WA6x1
series APs do not
support beamforming.
AP6x10SN/DN series
except AP6310SN-GN
supports beamforming.

Specify the parameter


reflected by the blinking
frequency of the Wireless
LED on an AP.

wifi-light { signal-strength | traffic }


By default,
l If WDS is enabled on an AP, the
blinking frequency of the Wireless
LED reflects the strength of signals
received by the AP.
l If WDS is not enabled on an AP, the
blinking frequency of the Wireless
LED reflects the service traffic
volume on the radio.

Issue 04 (2013-06-15)

Huawei Proprietary and Confidential


Copyright Huawei Technologies Co., Ltd.

On a WDS network,
you need to adjust AP
locations and antenna
directions to obtain
strong signals between
WDS-capable APs.
The blinking frequency
of the Wireless LED
shows the signal
strength.
NOTE
This command takes
effect only when the AP
has WDS enabled. If the
AP has no WDS
enabled, the Wireless
LED always shows
service traffic volume.

1992

AC6605 Access Controller


Configuration Guide

12 Configuration Guide - WLAN

Procedure

Command

Description

Configure the RTS-CTS


operation mode.

rts-cts-mode { cts-to-self | disable |


rts-cts }

The RTS/CTS
handshake mechanism
prevents data
transmission failures
caused by channel
conflicts. If STAs
perform RTS/CTS
handshakes before
sending data, RTS
frames consume high
channel bandwidth.
The default RTS-CTS
operation mode is
recommended.

By default, the RTS-CTS operation


mode is cts-to-self.

l If the RTS/CTS
handshake
mechanism is not
used, there may be
hidden STAs. If
base stations A and
C simultaneously
send information to
base station B
because base
station C does not
know that base
station A is sending
information to base
station B, signal
conflict occurs. As
a result, signals fail
to be sent to base
station B.
l The RTS/CTS
handshake
mechanism reduces
the transmission
rate and even
causes the network
delay.
NOTE
To reduce the network
delay, disable RTSCTS.

Configu
re the
RTS
mechani
sm.

Issue 04 (2013-06-15)

Configure the
RTS
threshold.

rts-cts-threshold rts-cts-threshold
By default, the RTS threshold is 2347
bytes.

Huawei Proprietary and Confidential


Copyright Huawei Technologies Co., Ltd.

If STAs perform RTS/


CTS handshakes
before sending data,
many RTS frames
consume high channel

1993

AC6605 Access Controller


Configuration Guide

12 Configuration Guide - WLAN

Procedure

Configu
re
802.11n
.

Command

Description

Configure the
maximum
number of
retransmissio
n attempts for
frames
smaller than
or equal to the
RTS
threshold.

short-retry retry-number

Configure the
maximum
number of
retransmissio
n attempts for
frames longer
than the RTS
threshold.

long-retry retry-number

bandwidth. To prevent
this problem, set the
RTS threshold and
maximum number of
retransmission
attempts for long/short
frames. The RTS
threshold specifies the
length of frames to be
sent. When the length
of frames to be sent by
a STA is smaller than
the RTS threshold, no
RST/CTS handshake is
performed. The default
RTS threshold is
recommended.

Configure the
guard interval
(GI) mode.

80211n guard-interval-mode
{ short | normal }

Enable the
MAC
Protocol Data
Unit (MPDU)
aggregation
function.

Issue 04 (2013-06-15)

By default, the maximum number of


retransmission attempts for frames
smaller than or equal to the RTS
threshold is 7.

By default, the maximum number of


retransmission attempts for frames
longer than the RTS threshold is 4.

NOTE
This configuration is
applicable only when the
RTS-CTS operation
mode is rts-cts.

By default, the normal GI is used.

80211n a-mpdu enable


By default, the MPDU aggregation
function is enabled.

Huawei Proprietary and Confidential


Copyright Huawei Technologies Co., Ltd.

There are two types of


GI: short GI and
normal GI. When
configuring 802.11n,
you can configure the
normal GI in 802.11a/g
or short GI in 802.11n.
The short GI reduces
the extra cost and
improves the
transmission rate.
An 802.11 packet is
sent as an MPDU,
requiring channel
competition and
backoff and consuming
channel resources. The
802.11n MPDU
aggregation function
aggregates multiple
MPDUs into an
aggregate MAC
Protocol Data Unit (AMPDU), so that N
MPDUs can be
transmitted through

1994

AC6605 Access Controller


Configuration Guide

12 Configuration Guide - WLAN

Procedure
Configure the
maximum
length of an
A-MPDU.

Command

Description

80211n a-mpdu max-lengthexponent length-capability

one channel
competition and
backoff. This function
saves the channel
resources to be
consumed for sending
N-1 MPDUs. The
MPDU aggregation
function improves
channel efficiency and
802.11 network
performance.

By default, the maximum length of an


A-MPDU is 3 bytes.

----End

Binding a WMM Profile to a Radio Profile


Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
wlan

The WLAN view is displayed.


Step 3 Run:
radio-profile { id profile-id | name profile-name }

The radio profile view is displayed.


Step 4 Run:
wmm-profile { id profile-id | name profile-name }

A WMM profile is bound to the radio profile.


By default, no WMM profile is bound to a radio profile.
NOTE

A radio profile can be applied to a radio only after a WMM profile is bound to the radio profile.

----End

Creating a Security Profile


Context
As WLAN technology uses radio signals to transmit service data, service data can easily be
intercepted or tampered with by attackers while it travels over the open wireless channel.
Security is therefore critical to WLANs. You can create a security profile to configure security
policies, which protect user privacy and ensure data transmission security on WLANs.
A security profile provides four WLAN security policies: Wired Equivalent Privacy (WEP), Wi-Fi
Protected Access (WPA), WPA2, and WLAN Authentication and Privacy Infrastructure (WAPI).
Each security policy has a series of security mechanisms, including the link authentication
mechanism used to establish a wireless link, the user authentication mechanism used when users
attempt to connect to a wireless network, and the data encryption mechanism used during data
transmission. WEP, and WPA with TKIP, have known practical attacks and should be used only
where legacy clients leave no alternative; prefer WPA2 for new deployments.
If no security policy is configured during the creation of a security profile, the default
authentication mode (open system authentication) is used: any STA that finds the wireless
network can associate with it without being authenticated, and its traffic is not encrypted. Bind
a security profile with an explicit policy to every service set that carries user traffic.
For details on how to configure security policies, see 12.3 WLAN Security Configuration.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
wlan

The WLAN view is displayed.


Step 3 Run:
security-profile { id profile-id | name profile-name }

A security profile is created and the security profile view is displayed.


By default, no security profile is created.
NOTE

After a security profile is created, the profile retains the default settings.
The profile name is mandatory when you create a security profile.

----End

Creating a Traffic Profile


Context
You can create a traffic profile to customize priority mapping and traffic policing functions for
a WLAN.
l Priority mapping: If Wi-Fi Multimedia (WMM) is enabled on both a STA and an AP, the STA sends packets carrying the priority. When receiving the packets, the AP needs to convert the 802.11 packets into 802.3 packets. If the packets need to be forwarded to the AC, the AP needs to encapsulate the 802.3 packets in CAPWAP packets. To ensure end-to-end QoS and retain the priorities of packets during transmission, configure the device to map priorities of different packets.
l Traffic policing: To protect network resources, limit the rate of packets sent by a STA.

For details on how to configure parameters in a traffic profile, see 12.7.5 Configuring Priority
Mapping and 12.7.6 Configuring Traffic Policing.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
wlan

The WLAN view is displayed.


Step 3 Run:
traffic-profile { id profile-id | name profile-name }

A traffic profile is created.


By default, no traffic profile is created.
NOTE

After a traffic profile is created, the profile retains the default settings.
The profile name is mandatory when you create a traffic profile.

----End

Configuring a WLAN-ESS Interface


Context
A VAP is a functional entity on an AP. Multiple VAPs can be created on an AP to provide access
services for different STAs. To differentiate VAPs that different STAs associate with, you must
create a dynamic interface for each VAP. Additionally, to speed up the configuration, you need
to use a profile to create multiple dynamic interfaces simultaneously. WLAN-DBSS interfaces
and WLAN-ESS interfaces are developed to solve the preceding problems.
Each VAP maps a WLAN-DBSS interface on an AC. A WLAN-DBSS interface is a virtual
Layer 2 interface and similar to a hybrid Layer 2 Ethernet interface. It has Layer 2 attributes and
supports network access control (NAC). A WLAN-DBSS interface inherits the attributes of its
WLAN-ESS interface. An AC dynamically creates a WLAN-DBSS interface on a WLAN-ESS
interface for each VAP and deletes the WLAN-DBSS interface when the VAP becomes invalid.
A WLAN-ESS interface is a profile used to configure attributes for WLAN-DBSS interfaces.
All the WLAN-DBSS interfaces belonging to the same WLAN-ESS interface have the same
attributes.
Figure 12-12 shows the relationship between a WLAN-ESS interface and a WLAN-DBSS
interface.
l When a service set bound to a WLAN-ESS interface is bound to a radio, a WLAN-DBSS interface is automatically created and inherits the configuration of the WLAN-ESS interface.
l When the service set bound to a radio is deleted, the created WLAN-DBSS interface is also deleted.

Figure 12-12 Relationship between a WLAN-ESS interface and a WLAN-DBSS interface
[Figure: the WLAN-ESS interface is bound to the service set, and the service set is bound to the radio; when the binding succeeds, a WLAN-DBSS interface is created and inherits the attributes of the WLAN-ESS interface.]

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
interface wlan-ess wlan-ess-number

A WLAN-ESS interface is created.


Step 3 (Optional) Run:
description description

The interface description is configured.


By default, the description of a WLAN-ESS interface is "HUAWEI, Quidway Series, WlanEss0 Interface" (WLAN-ESS0 is used as an example).
Step 4 (Optional) Run:
dhcp enable

DHCP is enabled on the WLAN-ESS interface.


By default, DHCP is disabled on a WLAN-ESS interface.
NOTE

This configuration takes effect only when the AC dynamically allocates IP addresses to STAs and data
packets are forwarded between the AC and AP in tunnel forwarding mode.
Before using this command, run the dhcp enable command in the system view to enable DHCP globally.

Step 5 Run:
port link-type hybrid

The link type of the WLAN-ESS is set to hybrid.


By default, the link type of an interface is hybrid.
Step 6 Run:
port hybrid pvid vlan vlan-id

The default VLAN ID of a hybrid interface is configured.


By default, VLAN 1 is the default VLAN of all interfaces.
Step 7 Run:
port hybrid untagged vlan vlan-id

The hybrid interface is added to a VLAN. Frames of the VLAN then pass through the hybrid
interface in untagged mode.
By default, a hybrid interface is added to VLAN 1 in untagged mode.
----End

Configuring a WLAN Service Set


Context
The administrator needs to deliver service parameters to an AP so that the AP can provide
network access service for wireless users. A service set is a group of service parameters,
including the SSID, whether to hide the SSID, service VLAN, maximum number of access users,
and user association timeout period.
After configuring a service set, bind the service set to an AP radio. Then all the service parameters
in the service set are applied to a VAP. Subsequently, the AP provides differentiated wireless
services for users based on these service parameters.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
wlan

The WLAN view is displayed.


Step 3 Run:
service-set { name service-set-name | id service-set-id }

A service set is created.


The service set name is mandatory when you create a service set.
Step 4 Configure mandatory parameters for the service set.

Procedure / Command / Description

Configure the SSID.
Command: ssid ssid
By default, no SSID is set for a service set.

Configure a service VLAN.
Command: service-vlan vlan-id
By default, the service VLAN ID is 1.

Step 5 Configure optional parameters for the service set.

Procedure / Command / Description

Set the maximum number of access users for the service set.
Command: max-user-number max-user-number
By default, the maximum number of access users in a service set is 32.

Configure the user association timeout period.
Command: association-timeout association-timeout
By default, the user association timeout period is 5 minutes.

Configure the AP to hide the SSID in Beacon frames.
Command: ssid-hide
By default, the SSID is not hidden in Beacon frames.
When the SSID is hidden, only users who already know it can connect to the WLAN. Note that hiding the SSID removes it from Beacon frames only: the AP still returns it in probe responses, and STAs still send it in clear text in probe and association requests, so anyone capturing the channel learns it quickly. Treat ssid-hide as a convenience, not as an access control; authentication and encryption come from the security profile bound to the service set.

Configure a management VAP for offline APs.
Command: offline-management enable
By default, the management VAP is disabled for offline APs.
APs are often deployed in corners or at height. When an AP becomes faulty, it is inconvenient to reach it through a console port or network cable. Each AP supports only one management VAP. When the management VAP is enabled in a service set and that service set is bound to an AP radio, the AP creates a new management VAP and deletes the VAP named hw_manage. Maintenance personnel can then set their laptop IP address to an address in 192.168.0.x/24, associate with the new management VAP, and connect to the AP for fault location.
NOTE
l The management VAP for offline APs is enabled only when the offline-management enable command is executed in both the AP profile view and the service set view.
l For the management VAP for offline APs to take effect, WDS can be enabled only on the 5 GHz band, not on the 2.4 GHz band.

Enable tunnel forwarding for 802.1x authentication packets, HTTP authentication packets, and WAPI authentication packets.
Command: tunnel-forward protocol { all | dot1x | http | wapi }
By default, tunnel forwarding is enabled for 802.1x, HTTP, and WAPI authentication packets.
When 802.1x, Portal, or WAPI authentication is used and the data forwarding mode is direct forwarding, the AP cannot otherwise send authentication packets to the AC through the CAPWAP tunnel for centralized authentication. With tunnel forwarding enabled for these packets, the AP encapsulates them in CAPWAP packets so that the AC performs centralized authentication.

Configure dynamic ARP detection.
Command: dai enable
By default, dynamic ARP detection is disabled.
Command: arp-attack threshold threshold-value
By default, the ARP attack alarm threshold is 15.
Dynamic ARP detection prevents man-in-the-middle attacks, protects the data of authorized users from being intercepted by unauthorized users during transmission, and protects the AP against attacks on its CPU.

Enable DHCP snooping on an AP.
Command: dhcp snooping
By default, DHCP snooping is disabled on an AP.
After DHCP snooping is enabled, when a STA that associates with the AP obtains an IP address through DHCP, the AC generates a dynamic binding entry from the STA IP information reported by the AP. The binding table is used to prevent DHCP attacks (such as bogus DHCP server attacks and DHCP server DoS attacks).

Enable IP source guard on an AP.
Command: ip source guard enable
By default, IP source guard is disabled on an AP.
IP source guard checks IP packets against the binding table to defend against source IP address spoofing attacks.
NOTE
IP source guard takes effect only when both the dhcp snooping and ip source guard enable commands are executed; without DHCP snooping there is no binding table to check against.

Configure a DHCP trusted port on an AP.
Command: dhcp trust port
By default, no DHCP trusted port is configured on an AP.
If a private DHCP server exists on the user side, STAs may obtain incorrect IP addresses and network configuration parameters and fail to communicate. To prevent this, the AP discards DHCP OFFER, ACK, and NAK packets received from the private DHCP server and reports information about the unauthorized DHCP server (for example, its IP address) to the connected AC.

Configure an AP to insert the Option 82 field in DHCP packets sent from a STA.
Command: dhcp option82 insert enable
By default, an AP does not insert the Option 82 field in DHCP packets sent from a STA.
Command: dhcp option82 remote-id format { ap-mac | ap-mac-ssid }
By default, the remote-id format in the Option 82 field is ap-mac.
A STA obtains an IP address through DHCP after going online. When the STA's DHCP Request packet reaches the AP, the AP inserts the Option 82 field carrying the AP MAC address (and, with ap-mac-ssid, the SSID) so that the DHCP server can determine through which AP, and on which SSID, the STA went online.

Configure the type for a service set.
Command: type (service set view)
By default, the type of a service set is service.
----End

Binding a Security Profile, a Traffic Profile, and a WLAN-ESS Interface to a Service Set
Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
wlan

The WLAN view is displayed.


Step 3 Run:
service-set { name service-set-name | id service-set-id }

The service set view is displayed.


Step 4 Run:
security-profile { name profile-name | id profile-id }

A security profile is bound to the service set.


By default, no security profile is bound to a service set.
Step 5 Run:
traffic-profile { name profile-name | id profile-id }

A traffic profile is bound to the service set.


By default, no traffic profile is bound to a service set.
Step 6 Run:
wlan-ess wlan-ess-number

A WLAN-ESS interface is bound to the service set.


By default, no WLAN-ESS interface is bound to a service set.
NOTE

Before changing the WLAN-ESS interface bound to a service set, unbind the service set from its AP radio.

----End
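Several of the rules stated in the procedures above are easy to get wrong and are only reported when the configuration is applied: a radio profile needs a WMM profile bound before it can be applied to a radio; rate auto max-rate fails for a rate the radio type cannot reach and does not apply to the 802.11n radio types at all; short-retry and long-retry matter only in rts-cts mode; a security profile with no policy means open system authentication; IP source guard needs DHCP snooping; and ssid-hide is not an access control. The following script is an added example, not Huawei code or tooling: it checks those rules offline against a configuration text. It assumes an indented, VRP-style layout with one command per line (SAMPLE_CONFIG is constructed for the example, and its security-policy wpa2 line is a placeholder for whatever policy command section 12.3 defines, since this section does not show it).

```python
"""Offline checker for the dependency rules this section states. Parses an
indented, VRP-style WLAN configuration and reports each documented rule the
configuration breaks. SAMPLE_CONFIG is constructed for this example."""

SAMPLE_CONFIG = """\
wlan
 radio-profile name rp-good id 0
  radio-type 80211bgn
  wmm-profile name wmm1
 radio-profile name rp-bad id 1
  radio-type 80211b
  rate auto max-rate rate_54
  short-retry 5
 security-profile name sec-open id 0
 security-profile name sec-psk id 1
  security-policy wpa2
 service-set name guest id 0
  ssid guest
  ssid-hide
  security-profile name sec-open
  traffic-profile name tp1
  wlan-ess 0
  ip source guard enable
 service-set name staff id 1
  ssid staff
  service-vlan 200
  security-profile name sec-psk
  traffic-profile name tp1
  wlan-ess 0
  dhcp snooping
  ip source guard enable
"""

N_TYPES = {"80211an", "80211gn", "80211bgn", "80211n"}  # max rate comes from 80211n mcs
TOP_RATE = {"80211b": 11.0}                               # every other legacy type reaches 54


class Block:
    def __init__(self, cmd):
        self.cmd, self.children = cmd, []

    def child(self, prefix):
        return [c for c in self.children if c.cmd.startswith(prefix)]

    def has(self, prefix):
        return bool(self.child(prefix))


def parse_config(text):
    # A line belongs to the nearest shallower-indented line above it.
    root = Block("")
    stack = [(-1, root)]
    for raw in text.splitlines():
        if raw.strip():
            indent = len(raw) - len(raw.lstrip(" "))
            while stack[-1][0] >= indent:
                stack.pop()
            node = Block(raw.strip())
            stack[-1][1].children.append(node)
            stack.append((indent, node))
    return root


def name_of(cmd):
    toks = cmd.split()
    return toks[toks.index("name") + 1] if "name" in toks else toks[-1]


def check_config(text):
    """Return (subject, problem) pairs, one per documented rule that is violated."""
    wlan, out = parse_config(text).child("wlan")[0], []
    sec = {name_of(p.cmd): p for p in wlan.child("security-profile")}
    for rp in wlan.child("radio-profile"):
        who = f"radio-profile {name_of(rp.cmd)}"
        rtype = next((c.cmd.split()[1] for c in rp.child("radio-type")), "80211bg")
        if not rp.has("wmm-profile"):
            out.append((who, "no WMM profile bound, so it cannot be applied to a radio"))
        for r in rp.child("rate auto max-rate"):
            mbit = float(r.cmd.split()[-1][5:].replace("_", "."))  # rate_5_5 -> 5.5
            if rtype in N_TYPES:
                out.append((who, f"{rtype} takes its maximum rate from 80211n mcs, not rate"))
            elif mbit > TOP_RATE.get(rtype, 54.0):
                out.append((who, f"{rtype} does not support {mbit:g} Mbit/s; command fails"))
        if (rp.has("short-retry") or rp.has("long-retry")) and not rp.has("rts-cts-mode rts-cts"):
            out.append((who, "short-retry/long-retry apply only when rts-cts-mode is rts-cts"))
    for ss in wlan.child("service-set"):
        who = f"service-set {name_of(ss.cmd)}"
        for need in ("ssid ", "service-vlan", "security-profile", "traffic-profile", "wlan-ess"):
            if not ss.has(need):
                out.append((who, f"no {need.strip()} configured; Step 4/5 or a binding needs it"))
        for b in ss.child("security-profile"):
            prof = sec.get(name_of(b.cmd))
            if prof is None or not prof.children:
                out.append((who, f"{name_of(b.cmd)}: no security policy, so open system, no encryption"))
        if ss.has("ssid-hide"):
            out.append((who, "ssid-hide only strips the SSID from Beacons; not an access control"))
        if ss.has("ip source guard enable") and not ss.has("dhcp snooping"):
            out.append((who, "ip source guard needs dhcp snooping to build its binding table"))
    return out


if __name__ == "__main__":
    print(*check_config(SAMPLE_CONFIG), sep="\n")
```

On the sample, rp-good and staff are clean, rp-bad collects three findings (no WMM profile, 54 Mbit/s on 802.11b, retry counters outside rts-cts mode) and guest four (no service VLAN, an empty security profile, ssid-hide, IP source guard without DHCP snooping). Run it over your own configuration before commit; the open-system finding is the one that matters most, because it means any STA in range can associate without authentication.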

Configuring a Radio
Context
Each AP has one or multiple radio modules, which receive and send wireless signals, adjust the
power, and configure channels.
You can configure a radio to configure radio parameters on an AP radio module, including the
antenna gain, power, channel, and number of available antennas.
After a VAP is created, the VAP inherits all the parameters configured in the radio bound to the
VAP.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
wlan

The WLAN view is displayed.


Step 3 Run:
ap ap-id radio radio-id

The specified AP radio view is displayed.


NOTE

When radio-id is set to 0, a 2.4-GHz radio is specified. When radio-id is set to 1, a 5-GHz radio is specified.

Step 4 (Optional) Run:


radio enable

The radio is enabled.


By default, the radio is enabled.
Step 5 (Optional) Run:
antenna-gain antenna-gain

The antenna gain is configured for the radio.


By default, the antenna gain of a radio is 4 dBi.
Step 6 (Optional) Run:
available-antenna-number { all | available-antenna-number }

The number of available antennas on a radio is set. Excess antennas will then be shut down to
save power.
By default, all antennas on a radio are available.
NOTE

The value of available-antenna-number must be equal to or smaller than the number of antennas on a radio.

Step 7 (Optional) Run:


power-level power-level

The power level of the radio is specified.


By default, the power level of a radio is 0, indicating full power. The actual power is determined
by an AP type.
In automatic power mode, the AP can automatically adjust the radio power level based on the
radio environment.
For WA601 and WA631 APs, each time the radio power level goes one level higher, its transmit
power decreases by 3 dB. For other types of APs, each time the radio power level goes one
level higher, its transmit power decreases by 1 dB.
Step 8 (Optional) Run:
channel { 20mhz | 40mhz-minus | 40mhz-plus } channel

A channel is configured for the radio.


By default, the bandwidth of a radio channel is 20 MHz.
To avoid signal interference, ensure that adjacent APs work in non-overlapping channels.
NOTE

40mhz-minus and 40mhz-plus take effect only when the radio type is 802.11n.
Different countries support different wireless channels. You can run the display ap configurable
channel [ ap-id ap-id ] command to check the channels supported by all the APs, or by specified APs,
that associate with the AC.

Step 9 (Optional) Run:


users-traffic-scheduler enable

The multi-user traffic scheduling function is enabled for the radio.


By default, the multi-user traffic scheduling function is disabled.
Step 10 (Optional) Run:
80211n mcs mcs-value

The modulation coding scheme (MCS) value is configured for the 802.11n radio.
By default, when one spatial stream exists, the MCS value is 7. When two spatial streams exist,
the MCS value is 15. When there are three spatial streams, the MCS value is 23.
A larger MCS value indicates a higher transmission rate.


NOTE

This command takes effect only when the radio type is set to 802.11a/n, 802.11b/g/n, 802.11g/n, or 802.11n
using the radio-type command.

----End

Binding a Radio Profile and a Service Set to a Radio


Context
A VAP is a functional entity on an AP. You can create different VAPs on an AP to provide
wireless access services for different users so that these users can obtain different network
resources. A VAP is also a binding between an AP radio, radio profile, and a service set. Binding
a radio profile to a radio enables an AP to send and receive radio signals, and binding a service
set to a radio enables an AP to have WLAN service parameters. A service VAP is generated
when a radio profile and service set are bound to a radio.
You can create a single VAP or create multiple VAPs in batches based on the AP ID and type.
The method to bind a radio profile and service set to a radio varies according to the method to
create VAPs:
l Bind a radio profile and service set in the radio view: To create a single VAP, enter the
radio view to bind a radio profile and service set to the radio.
l Bind the radio profile and service set to a radio in the WLAN view:
  - To create VAPs in batches based on the AP ID, enter the WLAN view to specify the radio profile and service set for the VAPs.
  - To create VAPs in batches based on the AP type, enter the WLAN view to specify the radio profile and service set for the VAPs.

You can also change the radio profile and service set to be bound to a radio based on the AP
type.

Procedure
l Bind a radio profile and service set in the radio view.
  1. Run:
     system-view
     The system view is displayed.
  2. Run:
     wlan
     The WLAN view is displayed.
  3. Run:
     ap ap-id radio radio-id
     The radio view is displayed.
  4. Run:
     radio-profile { id profile-id | name profile-name }
     A radio profile is bound to the radio.
     By default, no radio profile is bound to a radio.
  5. Run:
     service-set { name service-set-name | id service-set-id } [ wlan wlan-id ]
     A service set is bound to the radio.
     By default, no service set is bound to a radio.
l Bind the radio profile and service set to a radio in the WLAN view.
  1. Run:
     system-view
     The system view is displayed.
  2. Run:
     wlan
     The WLAN view is displayed.
  3. Run either of the following commands to bind the radio profile and service set to a radio.
     Run:
     batch ap { ap-id [ to ap-id ] } &<1-10> radio { radio-id [ to radio-id ] } &<1-4> { service-set { service-set-id [ to service-set-id ] } &<1-16> | radio-profile { id profile-id | name profile-name } } *
     The radio profile and service set are bound to the specified radio of the specified AP ID.
     Run:
     service-batch ap-type { id ap-type-id | name ap-type-value } radio radio-id radio-profile { id radio-profile-id | name radio-profile-name } service-set id { service-set-id [ to service-set-id ] } &<1-16>
     The radio profile and service set are bound to the specified radio of the specified AP type.
l Change the radio profile and service set bound to the specified radio of the specified AP type.
  1. Run:
     system-view
     The system view is displayed.
  2. Run:
     wlan
     The WLAN view is displayed.
  3. Run:
     service-batch modify ap-type { id ap-type-id | name ap-type-value } radio radio-id { radio-profile { id radio-profile-id | name radio-profile-name } | service-set id { service-set-id [ to service-set-id ] } &<1-16> } *
     The radio profile and service set bound to the specified radio of the specified AP type are changed.
----End

Committing the Configuration


Context
The WLAN service parameters configured on an AC take effect only after you run the
commit command to commit the configuration to APs.

Procedure
Step 1 Run the system-view command to enter the system view.
Step 2 Run the wlan command to enter the WLAN view.
Step 3 Run the commit { all | ap ap-id } command to deliver the configuration to APs.
----End

Checking the Configuration


Procedure
• Run the display wmm-profile { all | id profile-id | name profile-name } command to check information about all WMM profiles or a specified WMM profile.
• Run the display radio-profile { all | id profile-id | name profile-name } command to check information about all radio profiles or a specified radio profile.
• Run the display binding radio-profile { id profile-id | name profile-name } command to check the binding between an AP radio and a specified radio profile.
• Run the display interface wlan-ess [ wlan-ess-number ] command to check the running status and statistics of a specified WLAN-ESS interface.
• Run the display security-profile { all | { id profile-id | name profile-name } [ detail ] } command to check information about all security profiles or a specified security profile.
• Run the display traffic-profile { all | id profile-id | name profile-name } command to check information about all traffic profiles or a specified traffic profile.
• Run the display radio config ap-id ap-id radio-id radio-id command to check the current configuration of a specified AP radio.
• Run the display service-set { all | id service-set-id | name service-set-name | ssid ssid } command to check information about all service sets or a specified service set.
• Run the display vap { all [ type { service-set | bridge-profile } ] | ap ap-id [ radio radio-id ] [ type { service-set | bridge-profile } ] | service-set { id service-set-id | name service-set-name } | bridge-profile { id bridge-profile-id | name bridge-profile-name } } command to check VAP information.
• Run the display service-batch ap-type { id ap-type-id | name ap-type-value } radio radio-id command to check the service configuration of the specified radio on APs of a specified AP type.
• Run the display wlan commit status [ ap ap-id ] command to check the configuration delivery status of the specified AP that associates with the AC.
----End

12.2.7 Maintaining WLANs


Maintaining WLANs includes upgrading APs online, resetting APs, monitoring APs, monitoring
STAs, and restoring the factory settings of APs.
Performing an In-Service Upgrade on APs


Context
To upgrade the functions or versions of an existing WLAN, perform an in-service upgrade on
APs on the WLAN.
In an in-service upgrade, an AP is already online. If the AP finds that its version is different from
the AP version specified on the AC, SFTP server, or FTP server, the AP starts to upgrade its
version.
Unlike automatic upgrade, an in-service upgrade allows an AP to work properly without
affecting services. To minimize the impact of an AP upgrade, you are advised to configure APs
to download upgrade files in the daytime and reset the APs at night.
In an in-service upgrade, you can upgrade a single AP, upgrade APs based on both the AP region
and AP type, or upgrade APs based on the AP type.
• Upgrade of a single AP: allows you to upgrade a single AP to check whether the upgrade version can function properly. If the upgrade is successful, upgrade other APs in batches.
• AP upgrade based on the AP region and AP type: allows you to upgrade APs in a specified hotspot area.
• AP upgrade based on the AP type: allows you to upgrade APs of the same type.

Note the following during the configuration:
NOTE
• In an in-service upgrade, if APs fail to load the upgrade file and are reset, APs are upgraded automatically.
• Upgrading multiple APs in AC mode takes a long period of time. To reduce the service interruption time, you are advised to use the FTP or SFTP mode.

Prerequisites
The AP version file has been uploaded to the AC, SFTP server, or FTP server.

Procedure
Step 1 Run:
system-view
The system view is displayed.

Step 2 Run:
wlan
The WLAN view is displayed.

Step 3 Run the following commands as required.
• AC mode
  Run:
  ap-update mode ac-mode
  The AP upgrade mode is set to AC mode.
  By default, the AP upgrade mode is AC mode.
• FTP mode
  1. Run:
     ap-update mode ftp-mode
     The AP upgrade mode is set to FTP mode.
     By default, the AP upgrade mode is AC mode.
  2. Run:
     ap-update ftp-server server-ip-address [ ftp-username ftp-username ] [ ftp-password { cipher | simple } ftp-password ]
     Basic FTP information is configured.
     By default, the FTP server IP address is 255.255.255.255, the FTP user name is anonymous, and the FTP password is anonymous@huawei.com.
  NOTE
  You are advised to use an external FTP server to upgrade APs. If the AC functions as an FTP server, a maximum of five FTP clients can be connected. Therefore, a maximum of five APs can be upgraded simultaneously even if many APs are online.
• SFTP mode
  1. Run:
     ap-update mode sftp-mode
     The AP upgrade mode is set to SFTP mode.
     By default, the AP upgrade mode is AC mode.
  2. Run:
     ap-update sftp-server server-ip-address [ sftp-username sftp-username ] [ sftp-password { cipher | simple } sftp-password ]
     Basic SFTP information is configured.
     By default, the SFTP server IP address is 255.255.255.255, the SFTP user name is anonymous, and the SFTP password is anonymous@huawei.com.
  NOTE
  You are advised to use an external SFTP server to upgrade APs. If the AC functions as an SFTP server, a maximum of five SFTP clients can be connected. Therefore, a maximum of five APs can be upgraded simultaneously even if many APs are online.
Step 4 Configure in-service upgrade.
• Perform an in-service upgrade on a single AP.
  1. Run:
     ap-update load ap-id ap-id update-filename file-name
     The upgrade file name is specified.
     By default, no upgrade file is specified for an AP.
  2. Run:
     ap-update reset ap-id ap-id
     The specified AP is reset for upgrade.
• Upgrade APs of the same AP type and in the same AP region.
  1. Run:
     ap-update update-filename filename ap-type type-id region region-id
     The upgrade file name for APs of a specified type and in a specified AP region is specified.
     By default, no upgrade file is configured for APs of a specified type and in a specified AP region.
  2. Run:
     ap-update multi-load ap-type type-id region region-id
     APs of the same AP type and in the same AP region are upgraded in batches.
  3. Run:
     ap-update multi-reset ap-type type-id region region-id
     APs of the same AP type and in the same AP region are reset in batches.
• Upgrade APs of the same AP type.
  1. Run:
     ap-update update-filename filename ap-type type-id
     The upgrade file name for APs of a specified type is specified.
     By default, no upgrade file is configured for APs of a specified type.
  2. Run:
     ap-update multi-load ap-type type-id
     APs are upgraded in batches based on the AP type.
  3. Run:
     ap-update multi-reset ap-type type-id
     APs of the specified AP type are reset in batches.
----End

Resetting an AP
Context
If an AP cannot work properly after being upgraded, reset the AP. You can run the display ap
all command to check the AP State field to determine whether an AP is working properly. If the
AP State field displays config, config-failed, committing, or commit-failed, an AP fails to
work properly.

CAUTION
Exercise caution when resetting an AP because services on the AP will be interrupted.

Procedure
Step 1 Run:
system-view
The system view is displayed.

Step 2 Run:
wlan
The WLAN view is displayed.

Step 3 Run:
ap-reset { all | id ap-id | ap-type { type ap-type | type-id type-id } }
APs are reset.
----End
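Added example, not from the Huawei guide: a Python helper that parses display ap all output in the table format shown in the configuration example later in this chapter and lists the APs whose AP State is config, config-failed, committing or commit-failed, so that an operator can decide which APs to reset. The sample output is constructed, and the Normal-x,UnNormal-y cross-check assumes UnNormal counts every AP whose state is not normal.

```python
"""Flag APs whose AP State needs attention in 'display ap all' output.

Added example: parses the 'display ap all' table and returns the APs whose
state the guide names as "fails to work properly" (config, config-failed,
committing, commit-failed).
"""
import re

# States the guide lists as "AP fails to work properly".
ABNORMAL_STATES = {"config", "config-failed", "committing", "commit-failed"}

# Constructed sample output modelled on the 'display ap all' table in the
# guide; rows for AP 1 and AP 2 are invented for illustration.
SAMPLE_OUTPUT = """\
All AP information(Normal-1,UnNormal-2):
------------------------------------------------------------------------------
AP   AP             AP              Profile    AP             AP
ID   Type           MAC             /Region    State          Sysname
                                    ID
------------------------------------------------------------------------------
0    AP6010DN-AGN   5489-9846-1dd4  0/10       normal         ap-0
1    AP6010DN-AGN   5489-9846-1dd5  0/10       commit-failed  ap-1
2    AP6510DN-AGN   5489-9846-1dd6  0/10       config         ap-2
------------------------------------------------------------------------------
Total number: 3
"""

# One data row: id, type, mac, profile/region, state, sysname (whitespace separated).
ROW_RE = re.compile(
    r"^\s*(\d+)\s+(\S+)\s+([0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4})"
    r"\s+(\d+/\d+)\s+(\S+)\s+(\S+)\s*$"
)


def parse_ap_table(output):
    """Return a list of dicts, one per AP row in the display output."""
    aps = []
    for line in output.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue  # header rows, separators and the 'Total number' line
        ap_id, ap_type, mac, prof_region, state, sysname = m.groups()
        profile_id, region_id = prof_region.split("/")
        aps.append({
            "id": int(ap_id),
            "type": ap_type,
            "mac": mac.lower(),
            "profile_id": int(profile_id),
            "region_id": int(region_id),
            "state": state,
            "sysname": sysname,
        })
    return aps


def aps_needing_reset(output):
    """Return (ap_id, state) pairs for APs in an abnormal state."""
    return [(ap["id"], ap["state"]) for ap in parse_ap_table(output)
            if ap["state"] in ABNORMAL_STATES]


def check_summary_consistency(output):
    """Cross-check the 'Normal-x,UnNormal-y' header against the parsed rows.

    Assumption (not stated by the guide): UnNormal counts every AP whose state
    is not 'normal'. A mismatch means the paste is truncated or incomplete, so
    a reset decision should not be based on it.
    """
    m = re.search(r"Normal-(\d+),UnNormal-(\d+)", output)
    if not m:
        return False
    normal, unnormal = int(m.group(1)), int(m.group(2))
    aps = parse_ap_table(output)
    n_normal = sum(1 for ap in aps if ap["state"] == "normal")
    return n_normal == normal and len(aps) - n_normal == unnormal


if __name__ == "__main__":
    for ap_id, state in aps_needing_reset(SAMPLE_OUTPUT):
        print(f"ap-reset id {ap_id}    # AP State: {state}")
```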

Monitoring APs
Context
To monitor the AP running status after the basic WLAN service configuration is complete, run
the following commands in any view.

Procedure
• Run the display ap-run-info id ap-id command to check the running status of a specified AP.
• Run the display uncontrol ap { all | bssid bssid } command to check unauthorized APs.
• Run the display ap-elabel ap id ap-id command to check the electronic label of a specified AP.
• Run the display ap-performance-statistic id ap-id command to check AP performance statistics.
• Run the display actual channel-power ap-id ap-id radio-id radio-id command to check the channel and power of a specified radio.
• Run the display lldp ap-neighbor [ ap-id [ port port-number ] ] command to check LLDP neighbor information on a specified AP.
• Run the display ap id ap-id around-ssid-list command to check the neighbor SSIDs of a specified AP.
• Run the display ap-service-config acl ap ap-id command to check ACL rules on a specified AP.
• Run the display ap-service-config free-rule ap ap-id command to check non-authentication rules on a specified AP.
• Run the display statistics arp ap-id ap-id command to check ARP packet statistics on a specified AP.
• Run the display statistics icmp ap-id ap-id command to check ICMP packet statistics on a specified AP.
----End

Monitoring STAs
Procedure
• Run the display statistics ssid ssid-name ap ap-id radio radio-id command to check statistics about packets carrying a specified SSID on a specified AP radio.
• Run the display statistics mac ap-id ap-id radio-id radio-id command to check statistics about the MAC layer of a specified AP radio.
• Run the display station assoc-info { sta mac-address | ap ap-id [ radio radio-id [ service-set service-set-id ] ] } command to check access information on a specified STA, STAs on a specified AP, STAs on a specified AP radio, or STAs in a specified service set.
• Run the display station assoc-num { service-set service-set-id | ap ap-id [ radio radio-id ] } command to check the number of STAs in a specified service set or on a specified AP.
• Run the display station statistics { sta mac-address | ap ap-id } command to check statistics on a specified STA, including the number of packets or bytes sent and received by the STA and the rate of the STA. If an AP is specified, this command displays the number of STAs that associate with, disassociate from, and re-associate with the AP.
• Run the display station status sta mac-address command to check the status of a specified STA, including the SSID of the WLAN to which the STA connects, the online duration, the uplink signal-to-noise ratio, and the uplink receiving power of the STA.
• Run the display statistics sta mac-address command to check statistics about online STAs.
• Run the display ap id ap-id sta-signal strength command to check the average signal strength of STAs on a specified AP.
----End

Restoring the Factory Settings of an AP


Context
You can delete the current and historical user configurations and restore the factory settings of
APs.
When the configuration on an AP is incorrect or deleted, you can restore the factory settings of
the AP.

CAUTION
Restoring the factory settings of an AP will reset the AP and restore all the AP configurations
to factory settings.

Procedure
Step 1 Run:
system-view
The system view is displayed.

Step 2 Run:
wlan
The WLAN view is displayed.

Step 3 Run:
ap-manufacturer-config id ap-id
The factory settings of the specified AP are restored.
----End
Checking the Connectivity Between an AP and a Network Device


Context
When a network fault occurs on an AP, check the connectivity between the AP and network
devices to determine on which network device the network fault occurs.

Prerequisites
The AP works properly and has obtained an IP address. For details, see Adding APs.

Procedure
Step 1 Run:
system-view
The system view is displayed.

Step 2 Run:
wlan
The WLAN view is displayed.

Step 3 Run:
ap-ping id ap-id [ -c count | -s packetsize | -m time | -t timeout ] host
The connectivity between the specified AP and the destination address is checked.
----End

Clearing the List of Unauthorized APs


Context
You can clear the list of unauthorized APs to remove the records of APs that have been removed or that are unauthenticated and have disconnected from the AC. This operation helps re-collect and confirm unauthenticated APs.

Procedure
Step 1 Run:
system-view
The system view is displayed.

Step 2 Run:
wlan
The WLAN view is displayed.

Step 3 Run:
clear unauthorized-ap record
The list of unauthorized APs is cleared.
----End
Displaying Neighbor Information


Context
You can view neighbor information on a specified AP radio to learn about the AP location and
neighbor relationship, helping locate unauthorized APs and plan the WLAN.

Procedure
• Run the display neighbor ap-id ap-id radio-id radio-id command to check neighbor information on a specified AP radio.
----End

12.2.8 Configuration Examples


This section provides WLAN service configuration examples, including networking
requirements, configuration roadmap, and configuration procedure.

Example for Configuring the WLAN Service on a Small-Scale Network


Networking Requirements
As shown in Figure 12-13, the AP is directly connected to the AC. An enterprise branch needs
to deploy WLAN services for mobile office so that branch users can access the enterprise internal
network from anywhere at any time.
The following requirements must be met:
• A WLAN named test is available.
• Branch users are assigned IP addresses on 192.168.11.0/24.

Figure 12-13 WLAN service configuration networking on a small-scale network
[Figure: STAs associate with the AP; the AP connects to the AC on GE0/0/1 (VLAN100); the AC connects to the Internet through GE0/0/2 (VLAN101). Management VLAN: VLAN100. Service VLAN: VLAN101. AP region ID: 10.]
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure the AP, AC, and upstream device to implement Layer 2 interconnection.
2. Configure the AC as a DHCP server to assign IP addresses to STAs and the AP from an IP address pool of an interface.
3. Configure AC system parameters, including the country code, AC ID, carrier ID, and source interface used by the AC to communicate with the AP.
4. Set the AP authentication mode and add the AP to an AP region.
5. Configure a VAP and deliver VAP parameters to the AP so that STAs can access the WLAN.
   a. Configure a WMM profile and radio profile on the AP, retain the default settings of the WMM profile and radio profile, and bind the WMM profile to the radio profile to enable STAs to communicate with the AP.
   b. Configure a WLAN-ESS interface so that radio packets can be sent to the WLAN service module after reaching the AC.
   c. Configure a security profile and traffic profile on the AP, retain the default settings of the security profile and traffic profile, configure a service set, and bind the WLAN-ESS interface, security profile, and traffic profile to the service set to apply security policies and QoS policies to STAs.
   d. Configure a VAP and deliver VAP parameters to the AP so that STAs can access the Internet through the WLAN.

NOTE
The AC6605 has the wired side and wireless side. XGE0/0/27 connects the wired side to the wireless side and XGE0/0/1 connects the wireless side to the wired side. For details about the login modes on the wired side and wireless side, see 11.1 Configuring User Login.

Procedure
Step 1 Configure the AC wired side and wireless side so that the AP and AC can transmit CAPWAP
packets.
# Configure the AC wired side: add wired-side interface GE0/0/1 to management VLAN 100,
and add XGE0/0/27 that connects the wired side to the wireless side to the same VLAN.
NOTE

In this example, tunnel forwarding is used. If direct forwarding is used, configure port isolation on GE0/0/1, which connects the AC wired side to the AP. If port isolation is not configured, many broadcast packets will be transmitted in the VLANs, and WLAN users on different APs can communicate directly at Layer 2.
<Quidway> system-view
[Quidway] sysname AC-LSW
[AC-LSW] vlan batch 100
[AC-LSW] interface gigabitethernet 0/0/1
[AC-LSW-GigabitEthernet0/0/1] port link-type trunk
[AC-LSW-GigabitEthernet0/0/1] port trunk pvid vlan 100
[AC-LSW-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[AC-LSW-GigabitEthernet0/0/1] quit
[AC-LSW] interface xgigabitethernet 0/0/27
[AC-LSW-XGigabitEthernet0/0/27] port link-type trunk
[AC-LSW-XGigabitEthernet0/0/27] port trunk allow-pass vlan 100
[AC-LSW-XGigabitEthernet0/0/27] quit

# Add XGE0/0/1 that connects the AC wireless side to the wired side to VLAN 100.
<Quidway> system-view
[Quidway] sysname AC
[AC] vlan batch 100
[AC] interface xgigabitethernet 0/0/1
[AC-XGigabitEthernet0/0/1] port link-type trunk
[AC-XGigabitEthernet0/0/1] port trunk allow-pass vlan 100
[AC-XGigabitEthernet0/0/1] quit

Step 2 Configure the AC to communicate with the upstream device.


NOTE

Configure AC uplink interfaces to transparently transmit packets of service VLANs as required and
communicate with the upstream device.

# Add XGE0/0/1 that connects the AC wireless side to the wired side to service VLAN 101.
[AC] vlan batch 101
[AC] interface xgigabitethernet 0/0/1
[AC-XGigabitEthernet0/0/1] port link-type trunk
[AC-XGigabitEthernet0/0/1] port trunk allow-pass vlan 101
[AC-XGigabitEthernet0/0/1] quit

# Add XGE0/0/27 that connects the AC wired side to the wireless side and AC uplink interface
GE0/0/2 to VLAN 101.
[AC-LSW] vlan batch 101
[AC-LSW] interface xgigabitethernet 0/0/27
[AC-LSW-XGigabitEthernet0/0/27] port link-type trunk
[AC-LSW-XGigabitEthernet0/0/27] port trunk allow-pass vlan 101
[AC-LSW-XGigabitEthernet0/0/27] quit
[AC-LSW] interface gigabitethernet 0/0/2
[AC-LSW-GigabitEthernet0/0/2] port link-type trunk
[AC-LSW-GigabitEthernet0/0/2] port trunk allow-pass vlan 101
[AC-LSW-GigabitEthernet0/0/2] quit

Step 3 Configure the AC as a DHCP server to allocate IP addresses to STAs and the AP.
# Configure the AC as the DHCP server to allocate an IP address to the AP from the IP address
pool on VLANIF 100, and allocate IP addresses to STAs from the IP address pool on VLANIF
101.
[AC] dhcp enable
[AC] interface vlanif 100
[AC-Vlanif100] ip address 192.168.10.1 24
[AC-Vlanif100] dhcp select interface
[AC-Vlanif100] quit
[AC] interface vlanif 101
[AC-Vlanif101] ip address 192.168.11.1 24
[AC-Vlanif101] dhcp select interface
[AC-Vlanif101] quit

Step 4 Configure AC system parameters.


# Configure the country code.
[AC] wlan ac-global country-code cn

# Configure the AC ID and carrier ID.


[AC] wlan ac-global ac id 1 carrier id other

# Configure the source interface.


[AC] wlan
[AC-wlan-view] wlan ac source interface vlanif 100

Step 5 Manage the AP on the AC.


# Check the AP type ID after obtaining the MAC address of the AP.
[AC-wlan-view] display ap-type all
All AP types information:
------------------------------------------------------------------------------
ID    Type
------------------------------------------------------------------------------
0     WA601
1     WA631
6     WA603SN
7     WA603DN
8     WA633SN
11    WA603DE
12    WA653DE
14    WA653SN
17    AP6010SN-GN
19    AP6010DN-AGN
21    AP6310SN-GN
23    AP6510DN-AGN
25    AP6610DN-AGN
27    AP7110SN-GN
28    AP7110DN-AGN
29    AP5010SN-GN
30    AP5010DN-AGN
31    AP3010DN-AGN
33    AP6510DN-AGN-US
34    AP6610DN-AGN-US
------------------------------------------------------------------------------
Total number: 20

# Add the AP offline based on the AP type ID. Assume that the AP type is AP6010DN-AGN,
and the MAC address of the AP is 5489-9846-1dd4.
[AC-wlan-view] ap-auth-mode mac-auth
[AC-wlan-view] ap id 0 type-id 19 mac 5489-9846-1dd4
[AC-wlan-ap-0] quit
NOTE

The default AP authentication mode is MAC address authentication. If the default settings are retained, you do
not need to run the ap-auth-mode mac-auth command.

# Configure an AP region and add the AP to the AP region.


[AC-wlan-view] ap-region id 10
[AC-wlan-ap-region-10] quit
[AC-wlan-view] ap id 0
[AC-wlan-ap-0] region-id 10
[AC-wlan-ap-0] quit

# After powering on the AP, run the display ap all command on the AC to check the AP running
status. The command output shows that the AP status is normal.
[AC-wlan-view] display ap all
All AP information(Normal-1,UnNormal-0):
------------------------------------------------------------------------------
AP   AP             AP              Profile    AP       AP
ID   Type           MAC             /Region    State    Sysname
                                    ID
------------------------------------------------------------------------------
0    AP6010DN-AGN   5489-9846-1dd4  0/10       normal   ap-0
------------------------------------------------------------------------------
Total number: 1

Step 6 Configure WLAN service parameters.


# Create a WMM profile named wmm.
[AC-wlan-view] wmm-profile name wmm id 1
[AC-wlan-wmm-prof-wmm] quit

# Create a radio profile named radio and bind the WMM profile wmm to the radio profile.
[AC-wlan-view] radio-profile name radio id 1
[AC-wlan-radio-prof-radio] wmm-profile name wmm
[AC-wlan-radio-prof-radio] quit
[AC-wlan-view] quit

# Create WLAN-ESS interface 1.


NOTE

To enable the AC to allocate IP addresses to STAs, run the dhcp enable command on the WLAN-ESS
interface to enable DHCP on the AC.
[AC] interface wlan-ess 1
[AC-Wlan-Ess1] dhcp enable
[AC-Wlan-Ess1] port link-type hybrid
[AC-Wlan-Ess1] port hybrid pvid vlan 101
[AC-Wlan-Ess1] port hybrid untagged vlan 101
[AC-Wlan-Ess1] quit

# Create a security profile named security.


[AC] wlan
[AC-wlan-view] security-profile name security id 1
[AC-wlan-sec-prof-security] quit

# Create a traffic profile named traffic.


[AC-wlan-view] traffic-profile name traffic id 1
[AC-wlan-traffic-prof-traffic] quit

# Create a service set named test and bind the WLAN-ESS interface, security profile, and traffic
profile to the service set.
[AC-wlan-view] service-set name test id 1
[AC-wlan-service-set-test] ssid test
[AC-wlan-service-set-test] wlan-ess 1
[AC-wlan-service-set-test] security-profile name security
[AC-wlan-service-set-test] traffic-profile name traffic
[AC-wlan-service-set-test] service-vlan 101
[AC-wlan-service-set-test] forward-mode tunnel
[AC-wlan-service-set-test] quit

Step 7 Configure a VAP and deliver VAP parameters to the AP.


# Configure a VAP.
[AC-wlan-view] ap 0 radio 0
[AC-wlan-radio-0/0] radio-profile name radio
Warning: Modify the Radio type may cause some parameters of Radio resume defaul
t value, are you sure to continue?[Y/N]:y
[AC-wlan-radio-0/0] service-set name test
[AC-wlan-radio-0/0] quit

# Commit the configuration.


[AC-wlan-view] commit ap 0
Warning: Committing configuration may cause service interruption,continue?[Y/N
]y

Step 8 Verify the configuration.


After the configuration is complete, run the display vap ap 0 radio 0 command. The command output shows that the VAP has been created.
[AC-wlan-view] display vap ap 0 radio 0
All VAP Information(Total-1):
SS: Service-set
BP: Bridge-profile
------------------------------------------------------------------
AP ID  Radio ID  SS ID  BP ID  WLAN ID  BSSID           Type
0      0         1             1        5489-9846-5640  service
------------------------------------------------------------------

STAs discover the WLAN with SSID test and attempt to associate with the WLAN. You can run the display station assoc-info command on the AC. The command output shows that the STAs associate with the WLAN test.
[AC-wlan-view] display station assoc-info ap 0 radio 0
------------------------------------------------------------------------------
STA MAC          AP-ID   RADIO-ID   SS-ID   SSID
------------------------------------------------------------------------------
9021-55dc-3e17   0       0          1       test
------------------------------------------------------------------------------
Total stations: 1

----End

Configuration Files
• Configuration file of the AC wired side
#
sysname AC-LSW
#
vlan batch 100 to 101
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk pvid vlan 100
 port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk allow-pass vlan 101
#
interface XGigabitEthernet0/0/27
 port link-type trunk
 port trunk allow-pass vlan 100 to 101
#
return

• Configuration file of the AC wireless side
#
sysname AC
#
vlan batch 100 to 101
#
dhcp enable
#
wlan ac-global carrier id other ac id 1
#
interface Vlanif100
 ip address 192.168.10.1 255.255.255.0
 dhcp select interface
#
interface Vlanif101
 ip address 192.168.11.1 255.255.255.0
 dhcp select interface
#
interface XGigabitEthernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 100 to 101
#
interface Wlan-Ess1
 port hybrid pvid vlan 101
 port hybrid untagged vlan 101
 dhcp enable
#
wlan
 wlan ac source interface vlanif100
 ap-region id 10
 ap id 0 type-id 19 mac 5489-9846-1dd4 sn AB35015384
  region-id 10
 wmm-profile name wmm id 1
 traffic-profile name traffic id 1
 security-profile name security id 1
 service-set name test id 1
  forward-mode tunnel
  wlan-ess 1
  ssid test
  traffic-profile id 1
  security-profile id 1
  service-vlan 101
 radio-profile name radio id 1
  wmm-profile id 1
 ap 0 radio 0
  radio-profile id 1
  service-set id 1 wlan 1
#
return
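Added example, not from the Huawei guide: a Python check that parses the two configuration files above (VRP-style blocks separated by #) and verifies that the management VLAN, taken from wlan ac source interface, and the service VLAN, taken from service-vlan in the service set, are allowed on every trunk between the AP, the two sides of the AC, and the uplink. It also applies the NOTE in Step 1: when the forwarding mode is not tunnel, the AP-facing port needs port isolation. The interface roles and the trimmed configuration strings are assumptions modelled on this example.

```python
"""VLAN consistency check across the AC wired-side and wireless-side configs.
Added example: the interface roles (which trunk carries which VLAN) are
assumptions taken from this example's topology, not from the guide."""
import re

# Constructed excerpts of the two configuration files listed above, trimmed
# to the lines the checks need.
WIRED_SIDE = """\
interface GigabitEthernet0/0/1
 port trunk pvid vlan 100
 port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/2
 port trunk allow-pass vlan 101
#
interface XGigabitEthernet0/0/27
 port trunk allow-pass vlan 100 to 101
#
"""

WIRELESS_SIDE = """\
interface XGigabitEthernet0/0/1
 port trunk allow-pass vlan 100 to 101
#
wlan
 wlan ac source interface vlanif100
 service-set name test id 1
  forward-mode tunnel
  service-vlan 101
#
"""

# Assumed trunk roles: AP-facing port carries the management VLAN, the uplink
# carries the service VLAN, the inter-side links XGE0/0/27 and XGE0/0/1 carry both.
ROLES = [
    ("wired", "GigabitEthernet0/0/1", "mgmt"),
    ("wired", "GigabitEthernet0/0/2", "svc"),
    ("wired", "XGigabitEthernet0/0/27", "both"),
    ("wireless", "XGigabitEthernet0/0/1", "both"),
]


def parse_vlan_list(spec):
    """Expand a VRP VLAN list such as '10 20 to 22 30' into a set of ints."""
    vlans, tokens, i = set(), spec.split(), 0
    while i < len(tokens):
        if i + 2 < len(tokens) and tokens[i + 1] == "to":
            vlans.update(range(int(tokens[i]), int(tokens[i + 2]) + 1))
            i += 3
        else:
            vlans.add(int(tokens[i]))
            i += 1
    return vlans


def interface_blocks(config):
    """Map interface name -> list of its sub-command lines (stripped)."""
    blocks, current = {}, None
    for line in config.splitlines():
        m = re.match(r"^interface (\S+)", line)
        if m:
            current = m.group(1)
            blocks[current] = []
        elif line.strip() == "#":
            current = None
        elif current is not None:
            blocks[current].append(line.strip())
    return blocks


def allowed_vlans(block):
    """VLANs a trunk carries, from its 'port trunk allow-pass vlan' lines."""
    vlans = set()
    for line in block:
        m = re.match(r"port trunk allow-pass vlan (.+)$", line)
        if m:
            vlans |= parse_vlan_list(m.group(1))
    return vlans


def wlan_vlans(config):
    """Return (management VLAN, service VLAN, forward mode) from the wireless side."""
    mgmt = re.search(r"wlan ac source interface vlanif\s*(\d+)", config)
    svc = re.search(r"^\s*service-vlan (\d+)", config, re.M)
    mode = re.search(r"^\s*forward-mode (\S+)", config, re.M)
    return (int(mgmt.group(1)) if mgmt else None,
            int(svc.group(1)) if svc else None,
            mode.group(1) if mode else None)


def audit(wired, wireless):
    """Return a list of findings; an empty list means the VLANs are consistent."""
    mgmt, svc, mode = wlan_vlans(wireless)
    if mgmt is None or svc is None:
        return ["cannot determine management or service VLAN from the wireless side"]
    blocks = {"wired": interface_blocks(wired), "wireless": interface_blocks(wireless)}
    need = {"mgmt": {mgmt}, "svc": {svc}, "both": {mgmt, svc}}
    findings = []
    for side, ifname, role in ROLES:
        missing = need[role] - allowed_vlans(blocks[side].get(ifname, []))
        if missing:
            findings.append(f"{ifname}: VLAN(s) {sorted(missing)} not allowed on trunk")
    # Guide's NOTE: without tunnel forwarding the AP-facing port needs port isolation,
    # otherwise WLAN users on different APs can communicate directly at Layer 2.
    ap_port = blocks["wired"].get("GigabitEthernet0/0/1", [])
    if mode != "tunnel" and "port-isolate enable" not in ap_port:
        findings.append("GigabitEthernet0/0/1: direct forwarding without port-isolate enable")
    return findings


if __name__ == "__main__":
    print(audit(WIRED_SIDE, WIRELESS_SIDE) or "VLAN configuration is consistent")
```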

Example for Configuring the WLAN Service on a Medium-Scale Network


Networking Requirements
As shown in Figure 12-14, an enterprise AC connects to the egress gateway Router of the campus
network and connects to the AP through access switch SwitchA.
The enterprise requires a WLAN with SSID test so that users can access the enterprise internal
network from anywhere at any time. The Router needs to function as a DHCP server to assign
IP addresses on 10.10.10.0/24 to users and manage users on the AC.

Figure 12-14 WLAN service configuration networking on a medium-scale network
[Figure: STAs associate with the AP; the AP connects to SwitchA on GE0/0/1 (VLAN100); SwitchA GE0/0/2 (VLAN100) connects to AC GE0/0/1 (VLAN100); AC GE0/0/2 (VLAN102) connects to Router GE2/0/0 (VLANIF102, 11.1.1.1); the Router connects to the Internet. Management VLAN: VLAN100. Service VLAN: VLAN101. AP region ID: 10.]

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure the AP, AC, and upstream device to implement network interconnection.
2. Configure the AC as a DHCP server to assign an IP address to the AP from an interface IP address pool, configure the AC as a DHCP relay agent, and configure the Router connected to the AC to assign IP addresses to STAs.
3. Configure the WLAN service so that users can connect to the Internet through the WLAN.

NOTE
The AC6605 has the wired side and wireless side. XGE0/0/27 connects the wired side to the wireless side and XGE0/0/1 connects the wireless side to the wired side. For details about the login modes on the wired side and wireless side, see 11.1 Configuring User Login.

Procedure
Step 1 Configure SwitchA and the AC so that the AP and AC can transmit CAPWAP packets.
NOTE

In this example, tunnel forwarding is used. If direct forwarding is used, configure port isolation on GE0/0/1, which connects SwitchA to the AP. If port isolation is not configured, many broadcast packets will be transmitted in the VLANs, and WLAN users on different APs can communicate directly at Layer 2.

# Add GE0/0/1 that connects SwitchA to the AP to management VLAN 100 and add GE0/0/2
that connects SwitchA to the AC to the same VLAN.
<Quidway> system-view
[Quidway] sysname SwitchA
[SwitchA] vlan batch 100
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/2] quit

# Add GE0/0/1 that connects the AC wired side to SwitchA to VLAN 100 and add XGE0/0/27
that connects the AC wired side to the wireless side to VLAN 100.
<Quidway> system-view
[Quidway] sysname AC-LSW
[AC-LSW] vlan batch 100
[AC-LSW] interface gigabitethernet 0/0/1
[AC-LSW-GigabitEthernet0/0/1] port link-type trunk
[AC-LSW-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[AC-LSW-GigabitEthernet0/0/1] port-isolate enable
[AC-LSW-GigabitEthernet0/0/1] quit
[AC-LSW] interface xgigabitethernet 0/0/27
[AC-LSW-XGigabitEthernet0/0/27] port link-type trunk
[AC-LSW-XGigabitEthernet0/0/27] port trunk allow-pass vlan 100
[AC-LSW-XGigabitEthernet0/0/27] quit

# Add XGE0/0/1 that connects the AC wireless side to the wired side to VLAN 100.
<Quidway> system-view
[Quidway] sysname AC
[AC] vlan batch 100
[AC] interface xgigabitethernet 0/0/1
[AC-XGigabitEthernet0/0/1] port link-type trunk
[AC-XGigabitEthernet0/0/1] port trunk allow-pass vlan 100
[AC-XGigabitEthernet0/0/1] quit

Step 2 Configure the AC to communicate with the upstream device.


# Add XGE0/0/1 that connects the AC wireless side to the wired side to service VLAN 101 and
VLAN 102.
[AC] vlan batch 101 102
[AC] interface xgigabitethernet 0/0/1
[AC-XGigabitEthernet0/0/1] port link-type trunk
[AC-XGigabitEthernet0/0/1] port trunk allow-pass vlan 102
[AC-XGigabitEthernet0/0/1] quit
[AC] interface vlanif 101
[AC-Vlanif101] ip address 10.10.10.1 24
[AC-Vlanif101] quit
[AC] interface vlanif 102
[AC-Vlanif102] ip address 11.1.1.2 24
[AC-Vlanif102] quit

# Configure a default route on the AC wired side.

[AC] ip route-static 0.0.0.0 0.0.0.0 11.1.1.1

# Add GE0/0/2 that connects the AC wired side to the Router to VLAN 102.
[AC-LSW] vlan batch 102
[AC-LSW] interface xgigabitethernet 0/0/27
[AC-LSW-XGigabitEthernet0/0/27] port link-type trunk
[AC-LSW-XGigabitEthernet0/0/27] port trunk allow-pass vlan 102
[AC-LSW-XGigabitEthernet0/0/27] quit
[AC-LSW] interface gigabitethernet 0/0/2
[AC-LSW-GigabitEthernet0/0/2] port link-type trunk
[AC-LSW-GigabitEthernet0/0/2] port trunk allow-pass vlan 102
[AC-LSW-GigabitEthernet0/0/2] quit

Step 3 Configure the AC to assign an IP address to the AP and the Router to assign IP addresses to
STAs.
# Configure the AC to assign an IP address to the AP from an interface IP address pool.
[AC] dhcp enable
[AC] interface vlanif 100
[AC-Vlanif100] ip address 192.168.10.1 24
[AC-Vlanif100] dhcp select interface
[AC-Vlanif100] quit

# Configure the AC as the DHCP relay agent and enable user entry detection on the AC.
[AC] dhcp relay detect enable
[AC] interface vlanif 101
[AC-Vlanif101] dhcp select relay
[AC-Vlanif101] dhcp relay server-ip 11.1.1.1
[AC-Vlanif101] quit

# Configure the Router as a DHCP server to allocate IP addresses to STAs.

<Huawei> system-view
[Huawei] sysname Router
[Router] dhcp enable
[Router] ip pool sta
[Router-ip-pool-sta] gateway-list 10.10.10.1
[Router-ip-pool-sta] network 10.10.10.0 mask 24
[Router-ip-pool-sta] quit
[Router] interface vlanif 102
[Router-Vlanif102] ip address 11.1.1.1 24
[Router-Vlanif102] dhcp select global
[Router-Vlanif102] quit
[Router] vlan batch 102
[Router] interface gigabitethernet 2/0/0
[Router-GigabitEthernet2/0/0] port link-type trunk
[Router-GigabitEthernet2/0/0] port trunk allow-pass vlan 102
[Router-GigabitEthernet2/0/0] quit
[Router] ip route-static 10.10.10.0 24 11.1.1.2

Step 4 Configure AC system parameters.

# Configure the country code.
[AC] wlan ac-global country-code cn

# Configure the AC ID and carrier ID.

[AC] wlan ac-global ac id 1 carrier id other

# Configure the source interface.

[AC] wlan
[AC-wlan-view] wlan ac source interface vlanif 100

Step 5 Manage the AP on the AC.

# Check the AP type ID after obtaining the MAC address of the AP.
[AC-wlan-view] display ap-type all
All AP types information:
------------------------------------------------------------------------------
ID      Type
------------------------------------------------------------------------------
0       WA601
1       WA631
6       WA603SN
7       WA603DN
8       WA633SN
11      WA603DE
12      WA653DE
14      WA653SN
17      AP6010SN-GN
19      AP6010DN-AGN
21      AP6310SN-GN
23      AP6510DN-AGN
25      AP6610DN-AGN
27      AP7110SN-GN
28      AP7110DN-AGN
29      AP5010SN-GN
30      AP5010DN-AGN
31      AP3010DN-AGN
33      AP6510DN-AGN-US
34      AP6610DN-AGN-US
------------------------------------------------------------------------------
Total number: 20

# Add the AP offline based on the AP type ID. Assume that the AP type is AP6010DN-AGN,
and the MAC address of the AP is 5489-9846-1dd4.
[AC-wlan-view] ap-auth-mode mac-auth
[AC-wlan-view] ap id 0 type-id 19 mac 5489-9846-1dd4
[AC-wlan-ap-0] quit
NOTE

The default AP authentication mode is MAC address authentication. If the default settings are retained, you do
not need to run the ap-auth-mode mac-auth command.

# Configure an AP region and add the AP to the AP region.

[AC-wlan-view] ap-region id 10
[AC-wlan-ap-region-10] quit
[AC-wlan-view] ap id 0
[AC-wlan-ap-0] region-id 10
[AC-wlan-ap-0] quit

# After powering on the AP, run the display ap all command on the AC to check the AP running
status. The command output shows that the AP status is normal.
[AC-wlan-view] display ap all
All AP information(Normal-1,UnNormal-0):
------------------------------------------------------------------------------
AP   AP            AP              Profile/Region   AP       AP
ID   Type          MAC             ID               State    Sysname
------------------------------------------------------------------------------
0    AP6010DN-AGN  5489-9846-1dd4  0/10             normal   ap-0
------------------------------------------------------------------------------
Total number: 1

Step 6 Configure WLAN service parameters.

# Create a WMM profile named wmm.
[AC-wlan-view] wmm-profile name wmm id 1
[AC-wlan-wmm-prof-wmm] quit

# Create a radio profile named radio and bind the WMM profile wmm to the radio profile.
[AC-wlan-view] radio-profile name radio id 1
[AC-wlan-radio-prof-radio] wmm-profile name wmm
[AC-wlan-radio-prof-radio] quit
[AC-wlan-view] quit

# Create WLAN-ESS interface 1.
NOTE

To enable the AC to allocate IP addresses to STAs, run the dhcp enable command on the WLAN-ESS
interface to enable DHCP on the AC.
[AC] interface wlan-ess 1
[AC-Wlan-Ess1] dhcp enable
[AC-Wlan-Ess1] port link-type hybrid
[AC-Wlan-Ess1] port hybrid pvid vlan 101
[AC-Wlan-Ess1] port hybrid untagged vlan 101
[AC-Wlan-Ess1] quit

# Create a security profile named security.

[AC] wlan
[AC-wlan-view] security-profile name security id 1
[AC-wlan-sec-prof-security] quit

# Create a traffic profile named traffic.

[AC-wlan-view] traffic-profile name traffic id 1
[AC-wlan-traffic-prof-traffic] quit

# Create a service set named test and bind the WLAN-ESS interface, security profile, and traffic
profile to the service set.
[AC-wlan-view] service-set name test id 1
[AC-wlan-service-set-test] ssid test
[AC-wlan-service-set-test] wlan-ess 1
[AC-wlan-service-set-test] security-profile name security
[AC-wlan-service-set-test] traffic-profile name traffic
[AC-wlan-service-set-test] service-vlan 101
[AC-wlan-service-set-test] forward-mode tunnel
[AC-wlan-service-set-test] quit

Step 7 Configure a VAP and deliver VAP parameters to the AP.

# Configure a VAP.
[AC-wlan-view] ap 0 radio 0
[AC-wlan-radio-0/0] radio-profile name radio
Warning: Modify the Radio type may cause some parameters of Radio resume default value, are you sure to continue?[Y/N]:y
[AC-wlan-radio-0/0] service-set name test
[AC-wlan-radio-0/0] quit

# Commit the configuration.

[AC-wlan-view] commit ap 0
Warning: Committing configuration may cause service interruption,continue?[Y/N]y

Step 8 Verify the configuration.

After the configuration is complete, run the display vap ap 0 radio 0 command. The command
output shows that the VAP has been created.
[AC-wlan-view] display vap ap 0 radio 0
All VAP Information(Total-1):
SS: Service-set
BP: Bridge-profile
------------------------------------------------------------------
AP ID  Radio ID  SS ID  BP ID  WLAN ID  BSSID           Type
------------------------------------------------------------------
0      0         1             1        5489-9846-5640  service
------------------------------------------------------------------

STAs discover the WLAN with SSID test and attempt to associate with the WLAN. You can
run the display station assoc-info command on the AC. The command output shows that the
STAs associate with the WLAN test.
[AC-wlan-view] display station assoc-info ap 0 radio 0
------------------------------------------------------------------------------
STA MAC          AP-ID   RADIO-ID   SS-ID   SSID
------------------------------------------------------------------------------
9021-55dc-3e17   0       0          1       test
------------------------------------------------------------------------------
Total stations: 1

----End

Configuration Files

Configuration file of SwitchA

#
sysname SwitchA
#
vlan batch 100
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100
#
return

Configuration file of the Router

#
sysname Router
#
dhcp enable
#
ip pool sta
gateway-list 10.10.10.1
network 10.10.10.0 mask 255.255.255.0
#
interface Vlanif102
ip address 11.1.1.1 255.255.255.0
dhcp select global
#
interface GigabitEthernet2/0/0
port link-type trunk
port trunk allow-pass vlan 102
#
ip route-static 10.10.10.0 24 11.1.1.2
#
return

Configuration file of the AC wired side

#
sysname AC-LSW
#
vlan batch 100 to 101
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 102
#
interface XGigabitEthernet0/0/27
port link-type trunk
port trunk allow-pass vlan 100 102
#
return

Configuration file of the AC wireless side

#
sysname AC
#
vlan batch 100 to 102
#
dhcp enable
#
wlan ac-global carrier id other ac id 1
#
interface Vlanif100
ip address 192.168.10.1 255.255.255.0
dhcp select interface
#
interface Vlanif101
ip address 10.10.10.1 255.255.255.0
dhcp select relay
dhcp relay server-ip 11.1.1.1
#
interface Vlanif102
ip address 11.1.1.2 255.255.255.0
#
interface XGigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100 102
#
interface WLAN-ESS1
port hybrid untagged vlan 101
#
ip route-static 0.0.0.0 0.0.0.0 11.1.1.1
#
wlan
wlan ac source interface vlanif100
ap-region id 10
ap id 0 type-id 19 mac 5489-9846-1dd4 sn AB35015384
region-id 10
wmm-profile name wmm id 1
traffic-profile name traffic id 1
security-profile name security id 1
service-set name test id 1
forward-mode tunnel
wlan-ess 1
ssid test
traffic-profile id 1
security-profile id 1
service-vlan 101
radio-profile name radio id 1
wmm-profile id 1
ap 0 radio 0
radio-profile id 1
service-set id 1 wlan 1
#
return

Example for Configuring the WLAN Service on a Large-Scale Network

Networking Requirements
As shown in Figure 12-15, an enterprise AC connects to the egress gateway Router through
SwitchB and connects to APs through SwitchB and SwitchA. The enterprise requires a WLAN
with SSID test so that users can access the enterprise internal network from anywhere at any
time. The gateway needs to function as a DHCP server to assign IP addresses to STAs and APs.
The WLAN needs to be deployed with minimal modification to the existing network
architecture. The AC manages APs in a centralized manner, and STAs' service data does not
need to be forwarded to the AC.
Figure 12-15 WLAN service configuration networking on a large-scale network
(Figure not reproduced. It shows the Internet reached through the Router (GE2/0/0, VLANIF 201
172.16.101.1/24); SwitchB (GE0/0/3 towards the Router with VLANIF 201 172.16.101.10/24, GE0/0/2 towards
the AC with VLANIF 200 172.16.100.10/24, GE0/0/1 towards SwitchA carrying VLAN 100, 101 and 102, and
VLANIF 100 192.168.10.1/24, VLANIF 101 192.168.11.1/24, VLANIF 102 192.168.12.1/24); the AC (GE0/0/1,
VLAN 200); SwitchA (GE0/0/3 carrying VLAN 100, 101 and 102, GE0/0/1 towards AP1 carrying VLAN 100 and
101, GE0/0/2 towards AP2 carrying VLAN 100 and 102); AP1 with STA1 (management VLAN 100, service
VLAN 101, AP region ID 10); and AP2 with STA2 (management VLAN 100, service VLAN 102, AP region ID 10).)

Table 12-5 Data plan

Item                      Data
------------------------  --------------------------------------------------------
WLAN service              No authentication, no encryption
AC source interface       VLANIF 200: 172.16.100.2/24
AC carrier ID/AC ID       Other/1
AP region                 10
Service set               SSID: test
                          Data forwarding mode: direct forwarding
DHCP server               Router functioning as a DHCP server to assign IP
                          addresses to APs and STAs
APs' gateway              VLANIF 100: 192.168.10.1/24
APs' IP address pool      192.168.10.2 to 192.168.10.254/24
STA1's gateway            VLANIF 101: 192.168.11.1/24
STA1's IP address pool    192.168.11.2 to 192.168.11.254/24
STA2's gateway            VLANIF 102: 192.168.12.1/24
STA2's IP address pool    192.168.12.2 to 192.168.12.254/24

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure SwitchA and SwitchB to implement Layer 2 interconnection and configure
SwitchB, Router, and AC to implement Layer 3 interconnection.
2. Configure the Router as a DHCP server to assign IP addresses from a global address pool
to STAs and APs.
3. Configure the WLAN service so that users can connect to the Internet through the WLAN.
NOTE

In this example, SwitchA is a Huawei box switch, and SwitchB is a Huawei chassis switch.
The AC6605 has the wired side and wireless side. XGE0/0/27 connects the wired side to the wireless side
and XGE0/0/1 connects the wireless side to the wired side. For details about the login modes on the wired
side and wireless side, see 11.1 Configuring User Login.

Procedure
Step 1 Configure networking parameters.
# Configure SwitchA. Add GE0/0/1 to management VLAN 100 and configure GE0/0/1 to allow
packets from service VLAN 101 to pass through. Add GE0/0/2 to VLAN 100 and configure
GE0/0/2 to allow packets from service VLAN 102 to pass through. Configure GE0/0/3 to allow
packets from VLAN 100, VLAN 101 and VLAN 102 to pass through.
NOTE

Configure port isolation on GE0/0/1 and GE0/0/2 that connect SwitchA to the APs. If port isolation is not
configured, many broadcast packets will be transmitted in the VLANs or WLAN users on different APs
can directly communicate at Layer 2.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100 101 102
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[SwitchA-GigabitEthernet0/0/1] port-isolate enable
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 102
[SwitchA-GigabitEthernet0/0/2] port-isolate enable
[SwitchA-GigabitEthernet0/0/2] quit
[SwitchA] interface gigabitethernet 0/0/3
[SwitchA-GigabitEthernet0/0/3] port link-type trunk
[SwitchA-GigabitEthernet0/0/3] port trunk allow-pass vlan 100 to 102
[SwitchA-GigabitEthernet0/0/3] quit

# Configure SwitchB. Configure GE0/0/1 to allow packets from VLAN 100, VLAN 101 and
VLAN 102 to pass through, GE0/0/2 to allow packets from VLAN 200 to pass through, and
GE0/0/3 to allow packets from VLAN 201 to pass through.
<Quidway> system-view
[Quidway] sysname SwitchB
[SwitchB] vlan batch 100 101 102 200 201
[SwitchB] interface gigabitethernet 0/0/1
[SwitchB-GigabitEthernet0/0/1] port link-type trunk
[SwitchB-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 to 102
[SwitchB-GigabitEthernet0/0/1] quit
[SwitchB] interface gigabitethernet 0/0/2
[SwitchB-GigabitEthernet0/0/2] port link-type trunk
[SwitchB-GigabitEthernet0/0/2] port trunk allow-pass vlan 200
[SwitchB-GigabitEthernet0/0/2] quit
[SwitchB] interface gigabitethernet 0/0/3
[SwitchB-GigabitEthernet0/0/3] port link-type trunk
[SwitchB-GigabitEthernet0/0/3] port trunk allow-pass vlan 201
[SwitchB-GigabitEthernet0/0/3] quit
[SwitchB] interface vlanif 100
[SwitchB-Vlanif100] ip address 192.168.10.1 24
[SwitchB-Vlanif100] quit
[SwitchB] interface vlanif 101
[SwitchB-Vlanif101] ip address 192.168.11.1 24
[SwitchB-Vlanif101] quit
[SwitchB] interface vlanif 102
[SwitchB-Vlanif102] ip address 192.168.12.1 24
[SwitchB-Vlanif102] quit
[SwitchB] interface vlanif 200
[SwitchB-Vlanif200] ip address 172.16.100.10 24
[SwitchB-Vlanif200] quit
[SwitchB] interface vlanif 201
[SwitchB-Vlanif201] ip address 172.16.101.10 24
[SwitchB-Vlanif201] quit

# Configure the AC wired side and configure GE0/0/1 that connects the AC wired side to
SwitchB and XGE0/0/27 that connects the AC wired side to wireless side to allow packets from
VLAN 200 to pass through.
<Quidway> system-view
[Quidway] sysname AC-LSW
[AC-LSW] vlan batch 200
[AC-LSW] interface gigabitethernet 0/0/1
[AC-LSW-GigabitEthernet0/0/1] port link-type trunk
[AC-LSW-GigabitEthernet0/0/1] port trunk allow-pass vlan 200
[AC-LSW-GigabitEthernet0/0/1] quit
[AC-LSW] interface xgigabitethernet 0/0/27
[AC-LSW-XGigabitEthernet0/0/27] port link-type trunk
[AC-LSW-XGigabitEthernet0/0/27] port trunk allow-pass vlan 200
[AC-LSW-XGigabitEthernet0/0/27] quit

# Configure XGE0/0/1 that connects the AC wireless side to wired side to allow packets from
VLAN 200 to pass through.
<Quidway> system-view
[Quidway] sysname AC
[AC] vlan batch 200
[AC] interface vlanif 200
[AC-Vlanif200] ip address 172.16.100.2 24
[AC-Vlanif200] quit
[AC] interface xgigabitethernet 0/0/1
[AC-XGigabitEthernet0/0/1] port link-type trunk
[AC-XGigabitEthernet0/0/1] port trunk allow-pass vlan 200
[AC-XGigabitEthernet0/0/1] quit

# Configure the Router to allow packets from VLAN 201 to pass through.
<Huawei> system-view
[Huawei] sysname Router
[Router] vlan batch 201
[Router] interface vlanif 201
[Router-Vlanif201] ip address 172.16.101.1 24
[Router-Vlanif201] quit
[Router] interface gigabitethernet 2/0/0
[Router-GigabitEthernet2/0/0] port link-type trunk
[Router-GigabitEthernet2/0/0] port trunk allow-pass vlan 201
[Router-GigabitEthernet2/0/0] quit

# Configure routes from the Router to SwitchB.

[Router] ip route-static 192.168.10.0 24 172.16.101.10
[Router] ip route-static 192.168.11.0 24 172.16.101.10
[Router] ip route-static 192.168.12.0 24 172.16.101.10

# Configure a default route on SwitchB with the next hop as the Router's VLANIF 201 address.
[SwitchB] ip route-static 0.0.0.0 0.0.0.0 172.16.101.1

# Configure a route on the AC with the next hop as SwitchB's VLANIF 200.
[AC] ip route-static 192.168.10.0 24 172.16.100.10

Step 2 Configure a DHCP server to allocate IP addresses to APs and STAs.

# Configure SwitchB as a DHCP relay agent.
[SwitchB] dhcp enable
[SwitchB] interface vlanif 100
[SwitchB-Vlanif100] dhcp select relay
[SwitchB-Vlanif100] dhcp relay server-ip 172.16.101.1
[SwitchB-Vlanif100] quit
[SwitchB] interface vlanif 101
[SwitchB-Vlanif101] dhcp select relay
[SwitchB-Vlanif101] dhcp relay server-ip 172.16.101.1
[SwitchB-Vlanif101] quit
[SwitchB] interface vlanif 102
[SwitchB-Vlanif102] dhcp select relay
[SwitchB-Vlanif102] dhcp relay server-ip 172.16.101.1
[SwitchB-Vlanif102] quit

# Configure the Router as a DHCP server to allocate IP addresses to APs and STAs.
[Router] dhcp enable
[Router] ip pool ap
[Router-ip-pool-ap] network 192.168.10.0 mask 24
[Router-ip-pool-ap] gateway-list 192.168.10.1
[Router-ip-pool-ap] option 43 sub-option 3 ascii 172.16.100.2
[Router-ip-pool-ap] quit
[Router] ip pool sta1
[Router-ip-pool-sta1] network 192.168.11.0 mask 24
[Router-ip-pool-sta1] gateway-list 192.168.11.1
[Router-ip-pool-sta1] quit
[Router] ip pool sta2
[Router-ip-pool-sta2] network 192.168.12.0 mask 24
[Router-ip-pool-sta2] gateway-list 192.168.12.1
[Router-ip-pool-sta2] quit
[Router] interface vlanif 201
[Router-Vlanif201] dhcp select global
[Router-Vlanif201] quit
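The AP pool above carries the AC address to the APs in DHCP option 43 (option 43 sub-option 3 ascii 172.16.100.2). The following Python, added here and not part of the Huawei guide, builds that option value and parses it back, so an operator can confirm which AC address the APs will actually learn and that the value is well-formed. It assumes the RFC 2132 encapsulated vendor-option layout (one-byte sub-option code, one-byte length, value) with the addresses of sub-option 3 carried as a comma-separated ASCII string; the function names are mine.

```python
import ipaddress
from typing import Dict, List


def build_option43(ac_addresses: List[str], sub_option: int = 3) -> bytes:
    """Encode an AC address list as one DHCP option 43 value.

    Assumed layout: RFC 2132 encapsulated sub-option 'code | length | value',
    with the value an ASCII, comma-separated IPv4 list (sub-option 3).
    """
    for addr in ac_addresses:
        ipaddress.IPv4Address(addr)  # raises ValueError on a malformed address
    payload = ",".join(ac_addresses).encode("ascii")
    if not 0 < len(payload) <= 255:
        raise ValueError("sub-option value must be 1..255 bytes")
    return bytes([sub_option, len(payload)]) + payload


def parse_option43(value: bytes) -> Dict[int, bytes]:
    """Split an option 43 value into {sub-option code: raw value}.

    A truncated TLV is rejected instead of being read past the end of the option.
    """
    subs: Dict[int, bytes] = {}
    i = 0
    while i < len(value):
        if i + 2 > len(value):
            raise ValueError("truncated sub-option header")
        code, length = value[i], value[i + 1]
        if i + 2 + length > len(value):
            raise ValueError(f"sub-option {code}: length {length} overruns the option")
        subs[code] = value[i + 2:i + 2 + length]
        i += 2 + length
    return subs


def learned_ac_addresses(value: bytes) -> List[str]:
    """Return the AC addresses an AP would take from sub-option 3, validated as IPv4."""
    raw = parse_option43(value).get(3)
    if raw is None:
        return []
    return [str(ipaddress.IPv4Address(a)) for a in raw.decode("ascii").split(",")]


def option43_points_to(value: bytes, expected_ac: str) -> bool:
    """True when the option advertises exactly the AC source-interface address we expect."""
    return learned_ac_addresses(value) == [expected_ac]


# Constructed sample: the AP pool above advertises the AC source interface 172.16.100.2.
AP_POOL_OPTION43 = build_option43(["172.16.100.2"])
```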

Step 3 Configure AC system parameters.

# Configure the country code.
[AC] wlan ac-global country-code cn

# Configure the AC ID and carrier ID.

[AC] wlan ac-global ac id 1 carrier id other

# Configure the source interface.

[AC] wlan
[AC-wlan-view] wlan ac source interface vlanif 200

Step 4 Manage APs on the AC.

# Check the AP type ID after obtaining the MAC addresses of the APs.
[AC-wlan-view] display ap-type all
All AP types information:
------------------------------------------------------------------------------
ID      Type
------------------------------------------------------------------------------
0       WA601
1       WA631
6       WA603SN
7       WA603DN
8       WA633SN
11      WA603DE
12      WA653DE
14      WA653SN
17      AP6010SN-GN
19      AP6010DN-AGN
21      AP6310SN-GN
23      AP6510DN-AGN
25      AP6610DN-AGN
27      AP7110SN-GN
28      AP7110DN-AGN
29      AP5010SN-GN
30      AP5010DN-AGN
31      AP3010DN-AGN
33      AP6510DN-AGN-US
34      AP6610DN-AGN-US
------------------------------------------------------------------------------
Total number: 20

# Add the APs offline based on the AP type ID. Assume that the AP type is AP6010DN-AGN,
and the MAC addresses of the APs are 5489-9846-1dd4 and 5489-9846-2ae0 respectively.
[AC-wlan-view] ap-auth-mode mac-auth
[AC-wlan-view] ap id 0 type-id 19 mac 5489-9846-1dd4
[AC-wlan-ap-0] quit
[AC-wlan-view] ap id 1 type-id 19 mac 5489-9846-2ae0
[AC-wlan-ap-1] quit
NOTE

The default AP authentication mode is MAC address authentication. If the default settings are retained,
you do not need to run the ap-auth-mode mac-auth command.

# Configure an AP region and add the APs to the AP region.

[AC-wlan-view] ap-region id 10
[AC-wlan-ap-region-10] quit
[AC-wlan-view] ap id 0
[AC-wlan-ap-0] region-id 10
[AC-wlan-ap-0] quit
[AC-wlan-view] ap id 1
[AC-wlan-ap-1] region-id 10
[AC-wlan-ap-1] quit

# After powering on the APs, run the display ap all command on the AC to check the AP running
status. The command output shows that the AP status is normal.
[AC-wlan-view] display ap all
All AP information(Normal-2,UnNormal-0):
------------------------------------------------------------------------------
AP   AP            AP              Profile/Region   AP       AP
ID   Type          MAC             ID               State    Sysname
------------------------------------------------------------------------------
0    AP6010DN-AGN  5489-9846-1dd4  0/10             normal   ap-0
1    AP6010DN-AGN  5489-9846-2ae0  0/10             normal   ap-1
------------------------------------------------------------------------------
Total number: 2

Step 5 Configure WLAN service parameters.

# Create a WMM profile named wmm and retain the default settings in the profile.
[AC-wlan-view] wmm-profile name wmm id 1
[AC-wlan-wmm-prof-wmm] quit

# Create a radio profile named radio and bind the WMM profile wmm to the radio profile.
[AC-wlan-view] radio-profile name radio id 1
[AC-wlan-radio-prof-radio] wmm-profile name wmm
[AC-wlan-radio-prof-radio] quit
[AC-wlan-view] quit

# Create WLAN-ESS interfaces 0 and 1.
[AC] interface wlan-ess 0
[AC-WLAN-ESS0] dhcp enable
[AC-WLAN-ESS0] port link-type hybrid
[AC-WLAN-ESS0] port hybrid pvid vlan 101
[AC-WLAN-ESS0] port hybrid untagged vlan 101
[AC-WLAN-ESS0] quit
[AC] interface wlan-ess 1
[AC-WLAN-ESS1] dhcp enable
[AC-WLAN-ESS1] port link-type hybrid
[AC-WLAN-ESS1] port hybrid pvid vlan 102
[AC-WLAN-ESS1] port hybrid untagged vlan 102
[AC-WLAN-ESS1] quit

# Create a security profile named security and retain the default settings: open system
authentication and no encryption.
[AC] wlan
[AC-wlan-view] security-profile name security id 1
[AC-wlan-sec-prof-security] quit

# Create a traffic profile named traffic and retain the default settings in the profile.
[AC-wlan-view] traffic-profile name traffic id 1
[AC-wlan-traffic-prof-traffic] quit

# Create service sets named test and test1 and bind the WLAN-ESS interface, security profile,
and traffic profile to the service sets.
[AC-wlan-view] service-set name test id 1
[AC-wlan-service-set-test] ssid test
[AC-wlan-service-set-test] wlan-ess 0
[AC-wlan-service-set-test] security-profile name security
[AC-wlan-service-set-test] traffic-profile name traffic
[AC-wlan-service-set-test] service-vlan 101
[AC-wlan-service-set-test] forward-mode direct
[AC-wlan-service-set-test] quit
[AC-wlan-view] service-set name test1 id 2
[AC-wlan-service-set-test1] ssid test
[AC-wlan-service-set-test1] wlan-ess 1
[AC-wlan-service-set-test1] security-profile name security
[AC-wlan-service-set-test1] traffic-profile name traffic
[AC-wlan-service-set-test1] service-vlan 102
[AC-wlan-service-set-test1] forward-mode direct
[AC-wlan-service-set-test1] quit

Step 6 Configure VAPs and deliver VAP parameters to APs.

# Configure VAPs.
[AC-wlan-view] ap 0 radio 0
[AC-wlan-radio-0/0] radio-profile name radio
Warning: Modify the Radio type may cause some parameters of Radio resume default
value, are you sure to continue?[Y/N]:y
[AC-wlan-radio-0/0] service-set name test
[AC-wlan-radio-0/0] quit
[AC-wlan-view] ap 1 radio 0
[AC-wlan-radio-1/0] radio-profile name radio
Warning: Modify the Radio type may cause some parameters of Radio resume default
value, are you sure to continue?[Y/N]:y
[AC-wlan-radio-1/0] service-set name test1
[AC-wlan-radio-1/0] quit

# Commit the configuration.

[AC-wlan-view] commit all
Warning: Committing configuration may cause service interruption,continue?[Y/N]y

Step 7 Verify the configuration.

After the configuration is complete, run the display vap all command. The command output
shows that VAPs have been created on both APs.
[AC-wlan-view] display vap all
All VAP Information(Total-2):
SS: Service-set
BP: Bridge-profile
------------------------------------------------------------------
AP ID  Radio ID  SS ID  BP ID  WLAN ID  BSSID           Type
------------------------------------------------------------------
0      0         1             1        5489-9846-5640  service
1      0         2             1        5489-9846-5689  service
------------------------------------------------------------------

STAs discover the WLAN with SSID test or test1 and associate with the WLAN. You can run
the display station assoc-info command on the AC. The command output shows that the STAs
associate with the WLAN test or test1.
[AC-wlan-view] display station assoc-info ap 0 radio 0
------------------------------------------------------------------------------
STA MAC          AP-ID   RADIO-ID   SS-ID   SSID
------------------------------------------------------------------------------
9021-55dc-3e17   0       0          1       test
------------------------------------------------------------------------------
Total stations: 1
[AC-wlan-view] display station assoc-info ap 1 radio 0
------------------------------------------------------------------------------
STA MAC          AP-ID   RADIO-ID   SS-ID   SSID
------------------------------------------------------------------------------
9021-55dc-3e17   1       0          1       test1
------------------------------------------------------------------------------
Total stations: 1

----End

Configuration Files

Configuration file of SwitchA

#
sysname SwitchA
#
vlan batch 100 to 102
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100 to 101
port-isolate enable group 1
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100 102
port-isolate enable group 1
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk allow-pass vlan 100 to 102
#
return

Configuration file of SwitchB

#
sysname SwitchB
#
vlan batch 100 to 102 200 201
#
dhcp enable
#
interface Vlanif100
ip address 192.168.10.1 255.255.255.0
dhcp select relay
dhcp relay server-ip 172.16.101.1
#
interface Vlanif101
ip address 192.168.11.1 255.255.255.0
dhcp select relay
dhcp relay server-ip 172.16.101.1
#
interface Vlanif102
ip address 192.168.12.1 255.255.255.0
dhcp select relay
dhcp relay server-ip 172.16.101.1
#
interface Vlanif200
ip address 172.16.100.10 255.255.255.0
#
interface Vlanif201
ip address 172.16.101.10 255.255.255.0
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100 to 102
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 200
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk allow-pass vlan 201
#
ip route-static 0.0.0.0 0.0.0.0 172.16.101.1
#
return

Configuration file of the Router

#
sysname Router
#
vlan batch 201
#
dhcp enable
#
ip pool sta1
gateway-list 192.168.11.1
network 192.168.11.0 mask 255.255.255.0
#
ip pool sta2
gateway-list 192.168.12.1
network 192.168.12.0 mask 255.255.255.0
#
ip pool ap
gateway-list 192.168.10.1
network 192.168.10.0 mask 255.255.255.0
option 43 sub-option 3 ascii 172.16.100.2
#
interface Vlanif201
ip address 172.16.101.1 255.255.255.0
#
interface GigabitEthernet2/0/0
port link-type trunk
port trunk allow-pass vlan 201
#
ip route-static 192.168.10.0 255.255.255.0 172.16.101.10
ip route-static 192.168.11.0 255.255.255.0 172.16.101.10
ip route-static 192.168.12.0 255.255.255.0 172.16.101.10
#
return

Configuration file of the AC wired side

#
sysname AC-LSW
#
vlan batch 200
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 200
#
interface XGigabitEthernet0/0/27
port link-type trunk
port trunk allow-pass vlan 200
#
return

Configuration file of the AC wireless side

#
sysname AC
#
vlan batch 200
#
dhcp enable
#
wlan ac-global carrier id other ac id 1
#
interface Vlanif200
ip address 172.16.100.2 255.255.255.0
#
interface XGigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 200
#
interface WLAN-ESS0
port link-type hybrid
port hybrid pvid vlan 101
port hybrid untagged vlan 101
#
interface WLAN-ESS1
port link-type hybrid
port hybrid pvid vlan 102
port hybrid untagged vlan 102
#
wlan
wlan ac source interface vlanif200
ap-region id 10
ap id 0 type-id 19 mac 5489-9846-1dd4 sn AB35015384
region-id 10
ap id 1 type-id 19 mac 5489-9846-2ae0 sn 190901007618
region-id 10
wmm-profile name wmm id 1
traffic-profile name traffic id 1
security-profile name security id 1
service-set name test id 1
wlan-ess 0
ssid test
traffic-profile id 1
security-profile id 1
service-vlan 101
service-set name test1 id 2
wlan-ess 1
ssid test
traffic-profile id 1
security-profile id 1
service-vlan 102
radio-profile name radio id 1
wmm-profile id 1
ap 0 radio 0
radio-profile id 1
service-set id 1 wlan 1
ap 1 radio 0
radio-profile id 1
service-set id 2 wlan 1
#
ip route-static 192.168.10.0 24 172.16.100.10
#
return
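The two properties these examples lean on can be checked mechanically from the configuration files above: every AP-facing trunk (a trunk whose PVID is the management VLAN) must have port isolation enabled, as the NOTE in Step 1 requires, and each service-set's service-vlan must be untagged on the WLAN-ESS interface it binds. The following Python lint is an added example, not part of the Huawei guide; it parses the VRP configuration-file format shown above, and its sample configurations are constructed from the SwitchA and AC excerpts with two deliberate mistakes. The interface and view names are the page's; the function names are mine.

```python
import re


def expand_vlans(spec: str) -> set:
    """Expand a VRP VLAN list such as '100 to 102 200' into a set of VLAN IDs."""
    vlans, tokens, i = set(), spec.split(), 0
    while i < len(tokens):
        if i + 2 < len(tokens) and tokens[i + 1] == "to":
            vlans.update(range(int(tokens[i]), int(tokens[i + 2]) + 1))
            i += 3
        else:
            vlans.add(int(tokens[i]))
            i += 1
    return vlans


def parse_blocks(config: str) -> list:
    """Split a VRP configuration file into its '#'-delimited blocks of stripped lines."""
    blocks = [[]]
    for raw in config.splitlines():
        line = raw.strip()
        if line == "#":
            blocks.append([])
        elif line and line != "return":
            blocks[-1].append(line)
    return [block for block in blocks if block]


def lint_switch(config: str, mgmt_vlan: int) -> list:
    """Flag AP-facing trunks (PVID = management VLAN) that lack port isolation."""
    findings = []
    for block in parse_blocks(config):
        if not block[0].startswith("interface "):
            continue
        pvid, isolated = None, False
        for line in block[1:]:
            if line.startswith("port trunk pvid vlan "):
                pvid = int(line.split()[-1])
            elif line.startswith("port-isolate enable"):
                isolated = True
        # Without isolation, STAs behind different APs can reach each other at Layer 2.
        if pvid == mgmt_vlan and not isolated:
            findings.append(f"{block[0].split()[1]}: AP-facing trunk without 'port-isolate enable'")
    return findings


def lint_ac(config: str) -> list:
    """Flag service-sets whose service-vlan is not untagged on their WLAN-ESS interface."""
    untagged, sets, current = {}, {}, None
    for block in parse_blocks(config):
        if block[0].startswith("interface WLAN-ESS"):
            ess = int(block[0][len("interface WLAN-ESS"):])
            for line in block[1:]:
                if line.startswith("port hybrid untagged vlan "):
                    untagged[ess] = expand_vlans(line.split("vlan ", 1)[1])
        elif block[0] == "wlan":
            for line in block[1:]:
                match = re.match(r"service-set name (\S+) id \d+$", line)
                if match:
                    current = sets.setdefault(match.group(1), {})
                elif line.startswith(("radio-profile name", "ap ")):
                    current = None  # left the service-set sub-view
                elif current is not None and line.startswith("wlan-ess "):
                    current["ess"] = int(line.split()[1])
                elif current is not None and line.startswith("service-vlan "):
                    current["vlan"] = int(line.split()[1])
    return [f"service-set {name}: service-vlan {ss.get('vlan')} is not untagged "
            f"on WLAN-ESS{ss.get('ess')}" for name, ss in sets.items()
            if ss.get("vlan") not in untagged.get(ss.get("ess"), set())]


# Constructed samples modelled on the SwitchA and AC files above, with two deliberate
# mistakes: GE0/0/2 lacks port isolation, and service-set test is bound to WLAN-ESS1.
SWITCHA_CONFIG = """\
interface GigabitEthernet0/0/1
 port trunk pvid vlan 100
 port trunk allow-pass vlan 100 to 101
 port-isolate enable group 1
#
interface GigabitEthernet0/0/2
 port trunk pvid vlan 100
 port trunk allow-pass vlan 100 102
"""

AC_CONFIG = """\
interface WLAN-ESS0
 port hybrid untagged vlan 101
#
interface WLAN-ESS1
 port hybrid untagged vlan 102
#
wlan
 service-set name test id 1
  wlan-ess 1
  service-vlan 101
 service-set name test1 id 2
  wlan-ess 1
  service-vlan 102
"""
```

Running lint_switch(SWITCHA_CONFIG, 100) and lint_ac(AC_CONFIG) reports exactly the two planted mistakes and nothing else.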

12.3 WLAN Security Configuration

As wireless local area network (WLAN) technology uses radio signals to transmit service data,
service data can easily be intercepted or tampered with by attackers when being transmitted on the
open wireless channels. WLAN security can be configured to protect WLAN networks against
attacks and secure information and services of authorized users.

12.3.1 WLAN Security Overview

WLAN security technology enables authorized users to securely associate with APs, encrypts
service data, detects and defends against unauthorized APs, and isolates users to facilitate
centralized user management and protect wireless channel resources.
WLAN networks are easy to deploy and expand, flexible, and cost-effective. As WLAN
technology uses radio signals to transmit service data, service data can easily be intercepted or
tampered with by attackers when being transmitted on open wireless channels. Security has
become a major factor that hinders WLAN technology development. To ensure data security for
wireless users, WLAN technology provides various security features.

12.3.2 WLAN Security Features Supported by the Device


WLAN security provides the following mechanisms to secure WLAN networks: Wireless
Intrusion Detection System (WIDS) and Wireless Intrusion Prevention System (WIPS) that
defend against intrusion from unauthorized devices; STA security policies including link
authentication, access authentication, and data encryption; STA blacklist and whitelist functions
that control STA access; user isolation that facilitates centralized management of wireless
users.
Figure 12-16 shows application of WLAN security mechanisms in a STA access process.
Figure 12-16 Application of WLAN security mechanisms
(Figure: the STA, Fit-AP, and AC, with a CAPWAP tunnel between AP and AC, and the
mechanism used in each phase: link authentication (open system/shared key authentication),
access authentication (MAC/Portal/PSK/802.1x/WAI), key negotiation, data encryption
(WEP/TKIP/CCMP/WPI), STA blacklist or whitelist, user isolation, and WIDS/WIPS to detect
and defend against unauthorized devices.)

After a Control and Provisioning of Wireless Access Points (CAPWAP) tunnel is
established between the AC and AP, the STA can access the AP. STA access includes three
phases: scanning, link authentication, and association. When access authentication and data
encryption are configured, the STA and AC enter access authentication and key negotiation
phases after the STA associates with the AP. After being authenticated, the STA can access
the WLAN and WLAN packets are encrypted using the negotiated key. Security
technologies used in a STA access process are called WLAN Security Policy. Security
policies supported include wired equivalent privacy (WEP), Wi-Fi Protected Access
(WPA), WPA2, and WLAN Authentication and Privacy Infrastructure (WAPI). These
security policies use different encryption and authentication modes and apply to different
scenarios.
NOTE

MAC address authentication and Portal authentication are interface-based STA authentication
methods. For details, see Configuring MAC Address Authentication and Configuring Portal
Authentication. 802.1x authentication is an authentication method used by WPA and WPA2. For
details, see Configuring 802.1x Authentication.

STA blacklist and whitelist functions can be configured to control STA access to WLAN
networks before STAs are authenticated.

In public places, users may need to connect to the Internet wirelessly. To ensure security
of data transmitted between users and facilitate accounting management, configure user
isolation. After user isolation is configured, WLAN users associated with the same virtual
access point (VAP) cannot directly communicate with each other. User traffic is processed
on the AC, protecting wireless channel resources from being occupied.

To prevent intrusion to WLAN networks, configure WIDS/WIPS to defend against the
detected unauthorized devices.

WIDS/WIPS
WLAN networks are vulnerable to threats from unauthorized APs and users, and ad-hoc
networks. The device supports the following mechanisms:
• WIDS: detects unauthorized APs.
• WIPS: disconnects authorized users from rogue APs.
To detect and defend against unauthorized devices, three AP working modes are defined in
WIDS and WIPS:
• Access mode: An AP transmits data of wireless users and does not monitor wireless devices
  on the network.
• Monitoring mode: An AP scans wireless devices on the network and listens on all 802.11
  frames on wireless channels. In this mode, all WLAN services on the AP are disabled and
  the AP cannot transmit data of wireless service.
• Hybrid mode: An AP can monitor wireless devices while transmitting data of wireless
  service.
An AP can implement the WIDS or WIPS function only when it works in monitoring or hybrid
mode.
• Monitoring APs listen on 802.11 management frames and data frames sent from neighboring
  wireless devices to collect information about wireless devices and periodically send collected
  information to the AC.
• After an AC identifies a rogue AP (neither managed by the AC nor in the SSID whitelist),
  it sends rogue AP information to a monitoring AP. The monitoring AP uses the rogue AP's
  identity information to broadcast Deauthentication frames. After STAs associating with
  the rogue AP receive the Deauthentication frame, they disassociate from the rogue AP.
  This countermeasure prevents STAs from associating with rogue APs.
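The rogue-AP rule above (an AP is rogue when it is neither managed by the AC nor in the SSID whitelist), together with the difference between an incremental report and a full synchronization, as an added Python example that is not AC6605 code. The two managed AP MACs are taken from the configuration file earlier in this chapter; the `DetectedBss` record, the SSID whitelist entry, and the BSSs heard on the air are constructed for the example.

```python
import re
from dataclasses import dataclass

_HEX12 = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(mac: str) -> str:
    """Return a MAC address in the AC's 'xxxx-xxxx-xxxx' form.

    Accepts '54:89:98:46:1D:D4', '54-89-98-46-1d-d4' or '5489-9846-1dd4'.
    """
    digits = re.sub(r"[:\-.]", "", mac.strip().lower())
    if not _HEX12.match(digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return "-".join(digits[i:i + 4] for i in (0, 4, 8))


@dataclass(frozen=True)
class DetectedBss:
    """One BSS heard by a monitoring AP (constructed record, not an AC data structure)."""
    bssid: str        # MAC the beacons were sent from, in any common notation
    ssid: str
    reported_by: int  # ID of the monitoring AP that heard it


class WidsTable:
    """Device table kept on the AC side, fed by monitoring-AP reports."""
    AUTHORIZED = "authorized"    # BSSID belongs to an AP this AC manages
    WHITELISTED = "whitelisted"  # SSID is in the SSID whitelist
    ROGUE = "rogue"              # neither: a WIPS countermeasure target

    def __init__(self, managed_bssids, ssid_whitelist):
        self.managed = {normalize_mac(m) for m in managed_bssids}
        self.ssid_whitelist = set(ssid_whitelist)
        self.devices: dict[str, DetectedBss] = {}

    def classify(self, bss: DetectedBss) -> str:
        if normalize_mac(bss.bssid) in self.managed:
            return self.AUTHORIZED
        if bss.ssid in self.ssid_whitelist:
            return self.WHITELISTED
        return self.ROGUE

    def apply_report(self, entries):
        """Incremental report (every report-duration seconds): merge added/modified entries."""
        for bss in entries:
            self.devices[normalize_mac(bss.bssid)] = bss

    def apply_sync(self, entries):
        """Full synchronization (every synchronization-duration minutes): replace the whole
        table, so an entry whose removal was lost on the network does not linger as rogue."""
        self.devices = {normalize_mac(b.bssid): b for b in entries}

    def rogue_aps(self):
        """BSSIDs currently classified as rogue, sorted for stable output."""
        return sorted(k for k, b in self.devices.items() if self.classify(b) == self.ROGUE)


# Managed AP MACs from the configuration file above; the whitelist entry is constructed.
MANAGED_AP_MACS = ["5489-9846-1dd4", "5489-9846-2ae0"]
SSID_WHITELIST = ["partner-guest"]


def demo():
    """Constructed scenario: an unknown AP advertising our SSID 'test' is the rogue."""
    table = WidsTable(MANAGED_AP_MACS, SSID_WHITELIST)
    table.apply_report([
        DetectedBss("5489-9846-1dd4", "test", reported_by=1),      # our own AP 0
        DetectedBss("00:11:22:33:44:55", "test", reported_by=1),   # unmanaged AP, our SSID
        DetectedBss("00-11-22-33-44-66", "partner-guest", reported_by=0),
    ])
    first = table.rogue_aps()
    # The next full synchronization no longer lists the unmanaged AP.
    table.apply_sync([DetectedBss("5489-9846-2ae0", "test", reported_by=0)])
    return first, table.rogue_aps()


if __name__ == "__main__":
    print(demo())  # (['0011-2233-4455'], [])
```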


Security Policy
WLAN security policies include WEP, WPA, WPA2, and WAPI. Each security policy has a
series of security mechanisms, including the link authentication mechanism used to establish a
wireless link, user authentication mechanism used when users attempt to connect to a wireless
network, and data encryption mechanism used during data transmission.
WEP
A WEP security policy defines a link authentication mechanism and a data encryption
mechanism.
• The link authentication mechanism supports the following authentication modes:
  - Open system authentication: WLAN clients are successfully authenticated as long as
    the WLAN server supports open system authentication.
  - Shared-key authentication: WLAN clients and server have the same shared key
    preconfigured. The WLAN server checks whether a client has the same shared key to
    determine whether the client can be authenticated. If the client has the same shared key
    as the WLAN server, the client is authenticated. Otherwise, the authentication fails.
• The data encryption mechanism uses WEP encryption. WEP encryption uses the RC4
  algorithm that encrypts data using a 64-bit or 128-bit encryption key. An encryption key
  contains a 24-bit initialization vector (IV) generated by the system, so the length of the key
  configured on the WLAN server and STA is 40 bits or 104 bits. WEP uses a static encryption
  key. That is, all STAs associating with the same SSID use the same key to connect to the
  wireless network. The WEP encryption algorithm is simple, and all STAs share the same
  key. If the key is deciphered, the entire WLAN network encounters a security threat.
The usage scenarios of a WEP security policy are as follows:
• Open system authentication+non-encryption+Portal authentication: applies to carrier
  networks and public places. The Portal protocol is used for access authentication and
  accounting.
• Shared-key authentication+WEP encryption: applies to personal WLANs where high
  security is not required. A shared key must be maintained.

WPA/WPA2
WEP shared-key authentication uses the RC4 symmetric stream cipher to encrypt data. This
authentication method requires the same static key pre-configured on the server and client. Both
the encryption mechanism and encryption algorithm can bring security risks to the network. The
Wi-Fi Alliance developed WPA to overcome WEP defects before more secure policies are
provided in 802.11i. WPA still uses the RC4 algorithm and defines the Temporal Key Integrity
Protocol (TKIP) encryption algorithm. Later, 802.11i defined WPA2. Different from WPA,
WPA2 uses an 802.1x authentication framework and supports Extensible Authentication
Protocol-Protected Extensible Authentication Protocol (EAP-PEAP) and EAP-Transport Layer
Security (EAP-TLS) authentication. In addition, WPA2 uses a more secure encryption
algorithm: Counter Mode with CBC-MAC Protocol (CCMP).
Both WPA and WPA2 support 802.1x authentication and the TKIP/CCMP encryption algorithms,
ensuring better compatibility. The WPA and WPA2 protocols provide almost the same security
level and their difference lies in the protocol packet format.
A WPA/WPA2 security policy defines an access authentication mechanism and a data
encryption mechanism.
• WPA/WPA2 has an enterprise edition and a personal edition for access authentication:
  - Enterprise edition (WPA/WPA2-802.1x authentication): uses a RADIUS server and the
    EAP protocol for authentication. Users provide authentication information, including
    the user name and password, and are authenticated by an authentication server
    (generally a RADIUS server). Large-scale enterprise networks usually use the WPA/
    WPA2 enterprise edition.
  - Personal edition: A dedicated authentication server is expensive and difficult to maintain
    for small- and medium-scale enterprises and individual users. The WPA/WPA2
    personal edition provides a simplified authentication mode: pre-shared key (WPA-PSK)
    authentication. This mode does not require a dedicated authentication server. Users only
    need to set a pre-shared key on each WLAN node (including WLAN server, wireless
    router, and wireless network adapter). A WLAN client can access the WLAN if its
    pre-shared key is the same as that configured on the WLAN server. The shared key is
    used only for authentication but not for encryption; therefore, it does not bring the
    security risks of 802.11 shared-key authentication.
• WPA/WPA2 supports the TKIP and CCMP algorithms for data encryption:
  - TKIP uses the RC4 algorithm and extends the IV length from 24 bits to 48 bits. Each
    user obtains an independent key through dynamic negotiation. Message integrity check
    (MIC) is used to ensure information integrity. TKIP is compatible with WEP-capable
    hardware components so that the two encryption algorithms can be simultaneously
    provided without increasing hardware costs. TKIP provides higher security than WEP.
  - Different from WEP and TKIP that use a stream cipher algorithm, CCMP uses an
    Advanced Encryption Standard (AES) block cipher. The block cipher algorithm
    overcomes defects of the RC4 algorithm and provides higher security. Hardware
    upgrading is required to support CCMP if customers' devices support only WEP
    encryption.
The usage scenarios of a WPA/WPA2 security policy are as follows:
• PSK+TKIP and PSK+CCMP: applies to personal and SOHO networks that do not require
  high security. No authentication server is required. If customers' devices support only WEP
  encryption, PSK+TKIP can be implemented without hardware upgrading, whereas PSK
  +CCMP can be implemented only by hardware upgrading.
• 802.1x+TKIP and 802.1x+CCMP: applies to networks requiring high security such as
  enterprise networks. An independent authentication server is required. If customers' devices
  support only WEP encryption, 802.1x+TKIP can be implemented without hardware
  upgrading, whereas 802.1x+CCMP can be implemented only by hardware upgrading.
• WPA-WPA2 and TKIP-CCMP: User devices vary and support different authentication and
  encryption modes. This security policy supports simultaneous configuration of WPA and
  WPA2 on the AC so that multiple types of terminals can access the network, facilitating
  network management. If the security policy is set to WPA-WPA2, any terminal that
  supports WPA or WPA2 can be authenticated and access the WLAN; if the encryption
  mode is set to TKIP-CCMP, any authenticated terminal that supports TKIP or CCMP can
  implement service packet encryption.

WAPI
WAPI is a Chinese national standard for WLANs, which was developed based on IEEE 802.11.
WAPI provides higher security than WEP and WPA/WPA2 and consists of the following:
• WLAN Authentication Infrastructure (WAI): authenticates user identities and manages
  keys.
• WLAN Privacy Infrastructure (WPI): protects data transmitted on WLANs and provides
  the encryption, data verification, and anti-replay functions.
In a WAPI system, the WLAN client and server must authenticate each other and negotiate a
key. A WAPI security policy defines an access authentication mechanism and a data encryption
mechanism.
• The access authentication mechanism uses WAI and supports two identity authentication
  modes: certificate-based mode (WAPI-CERT) and pre-shared key-based mode (WAPI-PSK).
  - WAPI-CERT: involves certificate authentication, unicast key negotiation, and multicast
    key advertisement. A STA and an AC authenticate each other's certificate. The
    certificates must be loaded on the STA and AC and verified by an authentication service
    unit (ASU). After certificate authentication is complete, the STA and AC use the
    temporal public key and private key to generate a base key (BK) for key negotiation.
    The BK is used for subsequent negotiation of unicast keys for multicast key
    advertisement.
  - WAPI-PSK: The STA and AC have the same pre-shared key configured before
    authentication. The pre-shared key is converted into a BK during authentication.
• The data encryption mechanism uses WPI and symmetric cryptography. The STA and
  AC negotiate a unicast encryption key and a unicast integrity key using a BK to encrypt
  unicast data. Then they use the unicast encryption key and integrity key to encrypt multicast
  keys and advertise the multicast keys. Finally, the STA and AC negotiate the multicast
  encryption key and integrity key to encrypt broadcast and multicast data.
  WAPI defines a dynamic key negotiation mechanism, but there are still security risks if a
  STA uses the same encryption key for a long time. Both the unicast session key (USK) and
  multicast session key (MSK) have a lifetime. The USK or MSK needs to be updated when
  its lifetime ends. To enhance security, WAPI provides the following key update
  mechanisms:
  - Time-based key update: periodically updates a key.
  - Packet-based key update: updates a key when the number of packets encrypted using
    the key reaches the specified value.
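The USK/MSK lifetime rules just described (time-based or packet-based update, plus a cap on retransmitted key negotiation packets), as an added Python model that is not AC6605 code. The class name and the sample timings are constructed; the defaults match Table 12-6 later in this section (86400 seconds, 10 packets, 3 retransmissions).

```python
from dataclasses import dataclass


@dataclass
class SessionKeyLifetime:
    """Update policy for one WAPI session key (USK or MSK); constructed model.

    Defaults mirror Table 12-6: time-based update, 86400-second interval,
    10 packets, and 3 retransmissions of a key negotiation packet.
    """
    mode: str = "time"          # "time" or "packet"
    interval_s: int = 86400
    packet_limit: int = 10
    max_retrans: int = 3
    installed_at: float = 0.0   # when the current key was negotiated
    packets_used: int = 0       # packets protected with the current key
    sends: int = 0              # negotiation packets sent for the pending update

    def install(self, now: float) -> None:
        """A new key has been negotiated: restart both lifetime counters."""
        self.installed_at = now
        self.packets_used = 0
        self.sends = 0

    def protect(self, count: int = 1) -> None:
        """Account for packets encrypted under the current key."""
        self.packets_used += count

    def update_due(self, now: float) -> bool:
        """True when the key's lifetime has ended under the configured mode."""
        if self.mode == "time":
            return now - self.installed_at >= self.interval_s
        if self.mode == "packet":
            return self.packets_used >= self.packet_limit
        raise ValueError(f"unknown update mode {self.mode!r}")

    def send_negotiation(self) -> bool:
        """True if a key negotiation packet may be sent now.

        The first transmission is always allowed; once max_retrans
        retransmissions have gone unanswered, the update is abandoned.
        """
        if self.sends > self.max_retrans:
            return False
        self.sends += 1
        return True


def demo():
    """Constructed timeline for a time-based USK and a packet-based MSK."""
    usk = SessionKeyLifetime()                 # time-based, default interval
    usk.install(now=0.0)
    usk.protect(500)                           # traffic alone never expires it
    time_due = (usk.update_due(now=3600.0), usk.update_due(now=86400.0))

    msk = SessionKeyLifetime(mode="packet")    # packet-based, default limit
    msk.install(now=0.0)
    msk.protect(9)
    before = msk.update_due(now=1_000_000.0)   # elapsed time is irrelevant here
    msk.protect(1)
    after = msk.update_due(now=0.0)
    attempts = [msk.send_negotiation() for _ in range(5)]  # 1 send + 3 retries
    return time_due, (before, after), attempts


if __name__ == "__main__":
    print(demo())  # ((False, True), (False, True), [True, True, True, True, False])
```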

The usage scenarios of a WAPI security policy are as follows:
• WAPI-CERT authentication+WPI encryption: applies to large-scale enterprise networks
  or carrier networks that can deploy and maintain an expensive certificate system.
• WAPI-PSK authentication+WPI encryption: applies to personal networks and small-scale
  enterprise networks. No certificate system is required.

STA Blacklist and Whitelist


STA blacklist and whitelist functions allow authorized STAs to connect to the WLAN and reject
access from unauthorized STAs.
• A whitelist contains MAC addresses of STAs that are allowed to connect to a WLAN. After
  the whitelist function is enabled, only the STAs in the whitelist can connect to the WLAN,
  and access from other STAs is rejected.
• A blacklist contains MAC addresses of STAs that are not allowed to connect to a WLAN.
  After the blacklist function is enabled, STAs in the blacklist cannot connect to the WLAN,
  and other STAs can connect to the WLAN.
• An AP or a VAP can be configured with only the blacklist or whitelist function.
• If the whitelist or blacklist is empty, all STAs can connect to the WLAN.
The device supports the configuration of STA blacklist and whitelist functions for an AP or a
VAP. If an AP and a VAP are configured with the blacklist or whitelist function, a STA can
connect to the WLAN only when it is permitted by both the configuration on the AP and VAP.
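The admission rule stated above (one list type per scope, an empty list permits everyone, and the AP scope and the VAP scope must both permit a STA), as an added Python example that is not AC6605 code. The scope labels and all MAC addresses are constructed; the function names are the example's own.

```python
from dataclasses import dataclass, field
from enum import Enum


class ListMode(Enum):
    NONE = "none"            # function not enabled for this scope
    WHITELIST = "whitelist"  # only listed STAs may connect
    BLACKLIST = "blacklist"  # listed STAs may not connect


def _key(mac: str) -> str:
    """Normalize a MAC so 'AA:BB:...' and 'aabb-...' compare equal."""
    return "".join(ch for ch in mac.lower() if ch in "0123456789abcdef")


@dataclass
class StaAccessList:
    """Blacklist or whitelist of one scope (an AP or a VAP)."""
    scope: str                     # label only, e.g. "ap 0" or "vap ap 0 radio 0 wlan 1"
    mode: ListMode = ListMode.NONE
    macs: set = field(default_factory=set)

    def enable(self, mode: ListMode, macs) -> None:
        """Enable one of the two functions; a scope cannot run both at once."""
        if self.mode is not ListMode.NONE and mode is not self.mode:
            raise ValueError(f"{self.scope}: blacklist and whitelist are mutually exclusive")
        self.mode = mode
        self.macs = {_key(m) for m in macs}

    def permits(self, sta_mac: str) -> bool:
        # Disabled or empty list: every STA may connect.
        if self.mode is ListMode.NONE or not self.macs:
            return True
        listed = _key(sta_mac) in self.macs
        return listed if self.mode is ListMode.WHITELIST else not listed


def sta_admission(ap_list: StaAccessList, vap_list: StaAccessList, sta_mac: str):
    """Decide admission for a STA: both the AP and the VAP scope must permit it.

    Returns (admitted, reason) so a rejection can be traced to its scope.
    """
    for lst in (ap_list, vap_list):
        if not lst.permits(sta_mac):
            return False, f"rejected by {lst.mode.value} on {lst.scope}"
    return True, "permitted by AP and VAP lists"


def demo():
    """Constructed scenario: AP-level whitelist, VAP-level blacklist."""
    ap0 = StaAccessList("ap 0")
    ap0.enable(ListMode.WHITELIST, ["00:1a:2b:3c:4d:01", "00:1a:2b:3c:4d:02"])
    vap = StaAccessList("vap ap 0 radio 0 wlan 1")
    vap.enable(ListMode.BLACKLIST, ["001a-2b3c-4d02"])
    return {
        mac: sta_admission(ap0, vap, mac)
        for mac in ("00:1a:2b:3c:4d:01", "00:1a:2b:3c:4d:02", "00:1a:2b:3c:4d:99")
    }


if __name__ == "__main__":
    for mac, (ok, why) in demo().items():
        print(f"{mac}: {'admit' if ok else 'reject'} ({why})")
```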

User Isolation
The user isolation function prevents wireless users associated with the same VAP from
forwarding Layer 2 packets to each other. These users cannot directly communicate, ensuring
user data security and facilitating accounting management.
In public places (such as airports and cafes), carrier networks, medium- and large-scale
enterprises, and financial organizations, users may need to connect to the Internet wirelessly. If
accurate and reliable user authentication is not performed, unauthorized users are able to use
network resources, consuming bandwidth. This lowers the security and service quality of
authorized users and brings unacceptable loss to wireless access service providers. Layer 2
isolation, together with security mechanisms defined in IEEE 802.11i, and RADIUS
authentication/accounting mechanisms, can protect security for wireless users.

12.3.3 Default Configuration


This section describes the default configuration of the WLAN security features.
Table 12-6 Default WLAN security configuration
Parameter                        Default Setting
AP working mode                  Normal mode
WIDS/WIPS                        Disabled
Security policy                  WEP
WEP security policy              Open system authentication+non-encryption
WPA security policy              802.1x+PEAP authentication+TKIP encryption
WPA2 security policy             802.1x+PEAP authentication+CCMP encryption
WAPI security policy             WAPI-CERT authentication+WPI encryption
WAPI USK/MSK update mode         Time-based update
WAPI USK/MSK update parameters   • The default update interval is 86400 seconds.
                                 • The default number of update packets is 10.
                                 • The default number of retransmissions of a key
                                   negotiation packet is 3.
STA blacklist and whitelist      Disabled
User isolation                   Disabled


12.3.4 Configuring WIDS and WIPS


You can configure WIDS and WIPS to detect and defend against intrusion from unauthorized
devices on WLAN networks, ensuring security of authorized users.

Pre-configuration Tasks
Before configuring WIDS and WIPS, complete the following task:
• 12.2 WLAN Service Configuration

Configuration Procedure
The device supports the configuration of detection and defense against intrusion from
unauthorized devices.
• Configuration of detection and defense against intrusion from unauthorized devices:
  1. Configuring WIDS for an AP
  2. Configuring WIPS for an AP
The configuration procedure is as follows:

Configuring WIDS for an AP


Context
There are security risks from unauthorized devices on WLAN networks, so administrators
deploy monitoring APs to monitor the WLAN networks. After the AP working mode is set to
monitoring or hybrid, the AP monitors wireless devices and reports wireless device information
to an AC. The AC can identify unauthorized devices.
NOTE

Currently, WIDS can be used only to detect rogue APs.

A monitoring AP reports wireless device information to an AC at a specified interval, including
information added and modified in the interval. Information may be lost on WLAN networks,
resulting in inconsistent device information on the AC and AP. To overcome this problem, set
a long interval at which the monitoring AP synchronizes all wireless device information to the
AC.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
wlan

The WLAN view is displayed.


Step 3 Run:
ap ap-id radio radio-id


The AP radio view is displayed.


Step 4 Run:
work-mode { hybrid | monitor }

The AP working mode is set to hybrid or monitoring.


By default, radios work in normal mode and transmit only WLAN user data.
Step 5 Run:
device detect enable

WIDS is enabled for the AP.


By default, no AP is enabled with WIDS.
NOTE

To change the working mode of a WIDS-enabled AP to normal, run the undo device detect enable
command to disable WIDS first. Then run the work-mode normal command to change the working mode
to normal.
The configured WIDS or WIPS takes effect on an AP only after a service set is bound to the AP on the AC
and the AC delivers the configurations to the AP.

Step 6 Run:
quit

Return to the WLAN view.


Step 7 (Optional) Run:
ssid-whitelist ssid ssid-name

The SSID whitelist is configured.


By default, no SSID whitelist is configured.
Step 8 (Optional) Run:
radio-profile { id profile-id | name profile-name }

The radio profile view is displayed.


Step 9 (Optional) Run:
device report-duration duration

The interval at which the AP reports wireless device information to an AC is set.


By default, an AP reports wireless device information to an AC at an interval of 300 seconds.
Step 10 (Optional) Run:
device synchronization-duration duration

The interval at which the AP reports all wireless device information to an AC is set.
By default, an AP reports all wireless device information to an AC at an interval of 360 minutes.
Step 11 Run:
quit

Return to the WLAN view.


Step 12 Run the commit { all | ap ap-id } command to deliver the configuration to APs.
----End

Configuring WIPS for an AP


Context
A monitoring AP reports wireless device information to an AC, and the AC identifies
unauthorized devices. You can configure the monitoring AP to defend against the unauthorized
devices based on the configured WIPS mode. The monitoring AP periodically sends control
frames to STAs to disconnect authorized STAs from unauthorized APs.
Currently, WIPS can be used to defend against rogue APs. A monitoring AP uses the IP address
of a rogue AP to broadcast Deauthentication frames to STAs, so that authorized STAs disconnect
from the rogue AP.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
wlan

The WLAN view is displayed.


Step 3 Run:
ap ap-id radio radio-id

The AP radio view is displayed.


Step 4 Run:
countermeasures enable

WIPS is enabled for the AP.


By default, no AP is enabled with WIPS.
Step 5 Run:
countermeasures mode rogue ap spoof-ssid

The WIPS mode is set.


By default, no WIPS mode is set.
Step 6 Run:
quit

Return to the WLAN view.


Step 7 Run the commit { all | ap ap-id } command to deliver the configuration to APs.
----End

Checking the Configuration


Context
After WIDS and WIPS are configured, you can check the WIDS and WIPS configuration and
detected device information.

Procedure
• Run the display radio config ap-id ap-id radio-id radio-id command to check the
  configuration of a specified radio.
• Run the display ap ap-id command to check the configuration of an AP.
• Run the display wlan ids detected { all | rogue ap | adhoc | ssid | mac-address
  mac-address } command to check information about wireless devices detected on the WLAN.
• Run the display wlan ids rogue-history { all | ap | adhoc | ssid | mac-address
  mac-address } command to check historical records of deleted rogue wireless devices.
• Run the display wlan ids countermeasures device { all | ap ap-id } command to check
  information about devices on which countermeasures are taken.

----End

12.3.5 Configuring a WLAN Security Policy


WLAN security policies include WEP, WPA, WPA2, and WAPI. You can deploy one of them.

Pre-configuration Tasks
Before configuring a WLAN security policy, complete the following task:
• 12.2 WLAN Service Configuration

Configuration Procedure
Configure any one of the following security policies and check the configuration.

Configuring a WEP Security Policy


Context
The usage scenarios of a WEP security policy are as follows:
• Open system authentication+non-encryption+Portal authentication: applies to carrier
  networks and public places. The Portal protocol is used for access authentication and
  accounting.
• Shared-key authentication+WEP encryption: applies to personal WLANs where high
  security is not required. A shared key must be maintained.

For details about how to configure Portal authentication, see Configuring Portal
Authentication.
Because a shared key is easy to decipher, the WEP security policy faces great security
threats. Enterprise networks can use WEP shared-key authentication+WEP encryption together
with 802.1x authentication; an independent authentication server improves WLAN network
security. For details about how to configure 802.1x authentication, see Configuring 802.1x
Authentication.

Procedure
Step 1 Run:
system-view


The system view is displayed.


Step 2 Run:
wlan

The WLAN view is displayed.


Step 3 Run:
security-profile { id profile-id | name profile-name }

The security profile view is displayed.


Step 4 Run:
security-policy wep

The WEP security policy is configured.


The default security policy is WEP.
By default, WEP uses open system authentication+non-encryption.
Step 5 Configure authentication and encryption modes.
• Configure open system authentication+non-encryption.
  Run:
  wep authentication-method open-system [ data-encrypt ]

  WEP open system authentication is configured.

  The parameter data-encrypt indicates open system authentication+WEP encryption. In this
  scenario, run the wep key and wep default-key commands to configure a WEP shared key.
  The WEP shared key is used to generate an encryption key to encrypt WLAN data packets.
• Configure shared-key authentication+WEP encryption.
  NOTE
  In shared-key authentication mode, after a STA scans an SSID, if you double-click the SSID and enter
  the key, association may fail. This is because open system authentication is used when you
  double-click the SSID, which is inconsistent with the configured authentication method. To associate
  with an AP, manually create a WLAN network. You need to enter the SSID, identity authentication
  and encryption mode, key, and key index configured on the AC.

  1. Run:
     wep authentication-method share-key

     WEP shared-key authentication is configured.
  2. Run:
     wep key { wep-40 | wep-104 } { pass-phrase | hex } key-id { simple simple-key-value | cipher cipher-key-value }

     The WEP shared key and key index are configured.
     By default, no shared key is configured.
  3. Run:
     wep default-key key-id

     The index of the shared key used in WEP is set.
     By default, the shared key with index 0 is used.
     A maximum of four WEP keys can be configured, but only one WEP key can be used
     at a time.
Step 6 Run:

quit

Return to the WLAN view.


Step 7 (Optional) Configure authentication protocol packets to be forwarded over a CAPWAP tunnel.
NOTE

• When STA access authentication mode is 802.1x authentication or Portal authentication, STAs need
  to send EAP or HTTP protocol packets to the AC for authentication. If data is forwarded in direct
  forwarding mode, the AP sends the protocol packets as data packets. The AC then cannot complete
  STA authentication and STA access authentication fails. You need to configure 802.1x or Portal
  authentication packets to be forwarded over a CAPWAP tunnel, so the AC can process the
  authentication packets. After being authenticated, STAs can access WLAN networks.
• WPA and WPA2 use EAP protocol packets for authentication. When the direct forwarding mode and
  WPA or WPA2 security policy are used, perform this step.
• In direct forwarding mode, portal authentication applies only to the scenario where Layer 2 networking
  is used between an AP and an AC. All Layer 2 interfaces between the AP and AC allow packets from
  service VLANs to pass.

1. Run:
   service-set { name service-set-name | id service-set-id }

   The service set view is displayed.
2. Run:
   tunnel-forward protocol { all | dot1x | http }

   Portal authentication packets are configured to be forwarded over a CAPWAP tunnel.
   By default, authentication protocol packets are not forwarded over tunnels. If 802.1x
   authentication is used together with Portal authentication, specify all in this command.
3. Run:
   quit

   Return to the WLAN view.


Step 8 Run the commit { all | ap ap-id } command to deliver the configuration to APs.
----End

Configuring a WPA/WPA2 Security Policy


Context
Both WPA and WPA2 support 802.1X authentication and TKIP/CCMP encryption algorithm.
The WPA and WPA2 protocols provide almost the same security level and their difference lies
in the protocol packet format.
The usage scenarios of a WPA/WPA2 security policy are as follows:
• PSK+TKIP and PSK+CCMP: applies to personal and SOHO networks that do not require
  high security. No authentication server is required. If customers' devices support only WEP
  encryption, PSK+TKIP can be implemented without hardware upgrading, whereas PSK
  +CCMP can be implemented only by hardware upgrading.
• 802.1X+TKIP and 802.1X+CCMP: applies to networks requiring high security such as
  enterprise networks. An independent authentication server is required. If customers' devices
  support only WEP encryption, 802.1X+TKIP can be implemented without hardware
  upgrading, whereas 802.1X+CCMP can be implemented only by hardware upgrading.
• WPA-WPA2 and TKIP-CCMP: User devices vary and support different authentication and
  encryption modes. This security policy supports simultaneous configuration of WPA and
  WPA2 on the AC so that multiple types of terminals can access the network, facilitating
  network management. If the security policy is set to WPA-WPA2, any terminal that
  supports WPA or WPA2 can be authenticated and access the WLAN; if the encryption
  mode is set to TKIP-CCMP, any authenticated terminal that supports TKIP or CCMP can
  implement service packet encryption.
For details about how to configure 802.1X authentication, see Configuring 802.1x
Authentication. When a WLAN-ESS interface uses 802.1X authentication, configure the AC
to function as an EAP relay.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
wlan

The WLAN view is displayed.


Step 3 Run:
security-profile { id profile-id | name profile-name }

The security profile view is displayed.


Step 4 Run:
security-policy { wpa | wpa2 }

The security policy is configured.


The default security policy is WEP.
• By default, WPA uses 802.1X+PEAP authentication+TKIP encryption.
• By default, WPA2 uses 802.1X+PEAP authentication+CCMP encryption.
• By default, WPA-WPA2 uses 802.1X+PEAP authentication+TKIP-CCMP encryption.
Step 5 Configure authentication and encryption modes.
• Configure 802.1X authentication+TKIP/CCMP/TKIP-CCMP encryption.
  Run:
  { wpa | wpa2 | wpa-wpa2 } authentication-method dot1x { peap | tls } encryption-method { tkip | ccmp | tkip-ccmp }

  The 802.1X authentication protocol and encryption algorithm are configured for WPA/
  WPA2.
• Configure PSK authentication+TKIP/CCMP/TKIP-CCMP encryption.
  Run:
  { wpa | wpa2 | wpa-wpa2 } authentication-method psk { pass-phrase | hex } { simple simple-key | cipher cipher-key } encryption-method { tkip | ccmp | tkip-ccmp }

  The pre-shared key and encryption algorithm are configured for WPA/WPA2.
Step 6 (Optional) Run:
eap-key retrans-interval { wpa | wpa2 } time-interval

The interval for retransmitting EAPoL packets in WPA/WPA2 PSK authentication is configured.

The default interval for retransmitting EAPoL packets in WPA/WPA2 PSK authentication is
5 seconds.
Step 7 Run:
quit

Return to the WLAN view.


Step 8 (Optional) Configure authentication protocol packets to be forwarded over a CAPWAP tunnel.
NOTE

- When STA access authentication mode is 802.1x authentication or Portal authentication, STAs need
to send EAP or HTTP protocol packets to the AC for authentication. If data is forwarded in direct
forwarding mode, the AP sends the protocol packets as data packets. The AC then cannot complete
STA authentication and STA access authentication fails. You need to configure 802.1x or Portal
authentication packets to be forwarded over a CAPWAP tunnel, so the AC can process the
authentication packets. After being authenticated, STAs can access WLAN networks.
- WPA and WPA2 use EAP protocol packets for authentication. When the direct forwarding mode and
WPA or WPA2 security policy are used, perform this step.
- In direct forwarding mode, portal authentication applies only to the scenario where Layer 2 networking
is used between an AP and an AC. All Layer 2 interfaces between the AP and AC allow packets from
service VLANs to pass.

1. Run:
service-set { name service-set-name | id service-set-id }

The service set view is displayed.

2. Run:
tunnel-forward protocol { all | dot1x | http }

802.1x authentication packets are configured to be forwarded over a CAPWAP tunnel.

By default, authentication protocol packets are not forwarded over tunnels. If Portal
authentication is used together with 802.1x authentication, specify all in this command.
3. Run:
quit

Return to the WLAN view.

Step 9 Run the commit { all | ap ap-id } command to deliver the configuration to APs.
----End
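The following Python script is an added example; it is not part of the Huawei guide or of the AC6605 software. It reads the security profiles out of a configuration file written in the style of the configuration files shown later in this chapter (indentation is not relied on, because the configuration dumps in the guide lose it), applies the defaults listed under Step 4 to work out each profile's effective authentication and encryption, and flags profiles that were left at the WEP default, that still accept TKIP (TKIP was deprecated in IEEE 802.11-2012; that is the editor's note, not the guide's), or that rely on a pre-shared key. The configuration text, the profile names corp and guest, and the <cipher-key> placeholder are constructed.

```python
"""Derive the effective authentication and encryption of each AC6605 security
profile from configuration lines and flag weak settings.

Added example, not code from the Huawei guide. It applies the defaults the
procedure above states: a profile stays at WEP until 'security-policy' is
set; WPA defaults to 802.1X+PEAP with TKIP, WPA2 to 802.1X+PEAP with CCMP,
WPA-WPA2 to 802.1X+PEAP with TKIP-CCMP and WAPI to certificate authentication
with WPI. SAMPLE_CONFIG is constructed in the style of the guide's
configuration files."""
import re
from dataclasses import dataclass, field

POLICY_DEFAULTS = {                      # (authentication, encryption) per security policy
    "wep": ("wep", "wep"),
    "wpa": ("dot1x peap", "tkip"),
    "wpa2": ("dot1x peap", "ccmp"),
    "wpa-wpa2": ("dot1x peap", "tkip-ccmp"),
    "wapi": ("certificate", "wpi"),
}
# Editor's note: TKIP is deprecated in IEEE 802.11-2012, so TKIP-CCMP still admits a weak cipher.
DEPRECATED_CIPHERS = {"wep", "tkip", "tkip-ccmp"}

PROFILE_RE = re.compile(r"^security-profile\s+name\s+(\S+)\s+id\s+\d+$")
POLICY_RE = re.compile(r"^security-policy\s+(wep|wpa-wpa2|wpa2|wpa|wapi)$")
METHOD_RE = re.compile(
    r"^(wpa-wpa2|wpa2|wpa)\s+authentication-method\s+"
    r"(dot1x\s+(?:peap|tls)|psk\s+(?:pass-phrase|hex)\s+(?:simple|cipher)\s+\S+)\s+"
    r"encryption-method\s+(tkip-ccmp|ccmp|tkip)$"
)

# Constructed sample: 'security' keeps the defaults, 'corp' and 'guest' are invented.
SAMPLE_CONFIG = """\
wlan
 security-profile name security id 1
 security-profile name corp id 2
  security-policy wpa2
  wpa2 authentication-method dot1x tls encryption-method ccmp
 security-profile name guest id 3
  security-policy wpa-wpa2
  wpa-wpa2 authentication-method psk pass-phrase cipher <cipher-key> encryption-method tkip-ccmp
 traffic-profile name traffic id 1
"""


@dataclass
class SecurityProfile:
    name: str
    policy: str = "wep"          # default security policy of a new profile
    auth: str = "wep"
    encryption: str = "wep"
    findings: list = field(default_factory=list)


def parse_security_profiles(config_text):
    """Collect security profiles from the 'wlan' block. A line that is not a
    security-profile sub-command ends the current profile."""
    profiles, current = {}, None
    for raw in config_text.splitlines():
        line = raw.strip()
        m = PROFILE_RE.match(line)
        if m:
            current = profiles.setdefault(m.group(1), SecurityProfile(m.group(1)))
            continue
        if current is None:
            continue
        m = POLICY_RE.match(line)
        if m:
            current.policy = m.group(1)
            current.auth, current.encryption = POLICY_DEFAULTS[m.group(1)]
            continue
        m = METHOD_RE.match(line)
        if m:
            if m.group(1) == current.policy:       # method lines for another policy are ignored
                current.auth = "psk" if m.group(2).startswith("psk") else m.group(2)
                current.encryption = m.group(3)
            continue
        current = None
    return profiles


def audit(profiles):
    """Return {profile name: [findings]} for the weak settings described above."""
    for p in profiles.values():
        p.findings.clear()
        if p.policy == "wep":
            p.findings.append("security policy left at the WEP default")
        elif p.encryption in DEPRECATED_CIPHERS:
            p.findings.append(f"encryption {p.encryption} accepts TKIP")
        if p.auth == "psk":
            p.findings.append("pre-shared key authentication (one shared secret for every STA)")
    return {name: list(p.findings) for name, p in profiles.items()}


if __name__ == "__main__":
    for name, findings in audit(parse_security_profiles(SAMPLE_CONFIG)).items():
        print(name, findings or "ok")
```

Run it against a `display current-configuration` dump saved to a file by replacing SAMPLE_CONFIG with the file's contents; a profile named in a service set but absent from the report was never created in the wlan view.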

Configuring a WAPI Security Policy


Context
WAPI allows only robust security network association (RSNA), providing higher security than
WEP, WPA, and WPA2.
The usage scenarios of a WAPI security policy are as follows:
- WAPI-CERT authentication+WPI encryption: applies to large-scale enterprise networks
or carrier networks that can deploy and maintain an expensive certificate system.
NOTE

WAPI uses X.509 V3 certificates encoded in Base64 binary mode and saved in PEM format. The X.509
V3 certificate file name extension is .cer. Before importing certificate files for WAPI, ensure
that the certificate files are saved in the root directory of the flash memory.

- WAPI-PSK authentication+WPI encryption: applies to personal networks and small-scale
enterprise networks. No certificate system is required.

WAPI defines a dynamic key negotiation mechanism, but there are still security risks if a STA
uses the same encryption key for a long time. Both the USK and MSK have a lifetime. The USK
or MSK needs to be updated when its lifetime ends. To enhance security, WAPI provides the
following key update mechanisms:
- Time-based key update: periodically updates a key.
- Packet-based key update: updates a key when the number of packets encrypted using the
key reaches the specified value.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
wlan

The WLAN view is displayed.


Step 3 Run:
security-profile { id profile-id | name profile-name }

The security profile view is displayed.


Step 4 Run:
security-policy wapi

The security policy is configured.


The default security policy is WEP.
By default, WAPI uses WAPI-CERT authentication+WPI encryption.
Step 5 Configure the authentication mode for WAPI.
- Set the authentication mode to WAPI-PSK, that is, pre-shared key authentication.
Run:
wapi authentication-method psk { pass-phrase | hex } { simple simple-key | cipher cipher-key }

Pre-shared key authentication and the authentication key are configured for WAPI.
- Set the authentication mode to WAPI-CERT, that is, certificate authentication.
1. Run:
wapi authentication-method certificate

Certificate authentication is configured for WAPI.

2. Run:
wapi import certificate { ac | asu | issuer } file-name file-name [ password { cipher | simple } password ]

The AC certificate file, certificate of the AC certificate issuer, and ASU certificate file
are imported.
3. Run:
wapi import private-key file-name file-name [ password { cipher cipher-password | simple simple-password } ]

The AC private key file is imported.

4. Run:
wapi asu ip ip-address

An IP address is configured for the ASU certificate server to which the AC sends
certificate files.
5. (Optional) Run:
wapi cert-retrans-count cert-count

The number of retransmissions of certificate authentication packets is set.

The default number of retransmissions of certificate authentication packets is 3.
Step 6 (Optional) Run:
wapi { bk-threshold bk-threshold | bk-update-interval bk-update-interval }

The interval for updating a base key (BK) and the BK lifetime percentage are set.
By default, the interval for updating a BK is 43200s, and the BK lifetime percentage is 70%.
Step 7 (Optional) Run:
wapi sa-timeout sa-time

The timeout period of a security association (SA) is set.


The default timeout period of an SA is 60s.
If a STA is not authenticated within the timeout period, no SA is established and the STA cannot
connect to the AC.
Step 8 (Optional) Run:
wapi { usk | msk } key-update { disable | time-based | packet-based | time-packet-based }

The USK or MSK update mode is set.

By default, USKs and MSKs are updated based on time.
Step 9 (Optional) Run:
wapi { usk-update-interval usk-interval | usk-update-packey usk-packet | usk-retrans-count usk-count }

The interval for updating a USK, the number of packets that will trigger a USK update, and the
number of retransmissions of USK negotiation packets are set.
By default, the interval for updating a USK is 86400s, the number of packets that will trigger
a USK update is 10, and the number of retransmissions of USK negotiation packets is 3.
Step 10 (Optional) Run:
wapi { msk-update-interval msk-interval | msk-update-packey msk-packet | msk-retrans-count msk-count }

The interval for updating an MSK, the number of packets that will trigger an MSK update, and the
number of retransmissions of MSK negotiation packets are set.
By default, the interval for updating an MSK is 86400s, the number of packets that will trigger
an MSK update is 10, and the number of retransmissions of MSK negotiation packets is 3.
Step 11 Run:
quit


Return to the WLAN view.


Step 12 Run the commit { all | ap ap-id } command to deliver the configuration to APs.
----End
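The Python model below is an added example, not code from the Huawei guide or the AC6605. It encodes the key-lifetime rules that Steps 6 to 10 configure, using the default values the procedure states (BK update interval 43200s at a 70% threshold, SA timeout 60s, USK and MSK update interval 86400s and packet threshold 10), so that an engineer reviewing a WAPI deployment can see when each key is due for renewal. Two points are assumptions rather than statements of the guide: that the BK is renewed once the threshold percentage of the update interval has elapsed, and that in time-packet-based mode whichever limit is reached first triggers the update.

```python
"""Model the WAPI key-lifetime rules configured in Steps 6 to 10: BK renewal
at a percentage of its update interval, USK/MSK update by time and/or packet
count, and the SA timeout.

Added example, not Huawei code. Default values are the ones the guide states;
the two semantic assumptions are marked below."""
from dataclasses import dataclass

KEY_UPDATE_MODES = ("disable", "time-based", "packet-based", "time-packet-based")


@dataclass
class WapiKeyPolicy:
    bk_update_interval: int = 43200   # wapi bk-update-interval, seconds
    bk_threshold: int = 70            # wapi bk-threshold, percent of the BK lifetime
    sa_timeout: int = 60              # wapi sa-timeout, seconds
    usk_mode: str = "time-based"      # wapi usk key-update
    usk_update_interval: int = 86400  # wapi usk-update-interval, seconds
    usk_update_packets: int = 10      # packets encrypted with one USK before an update (Step 9)
    msk_mode: str = "time-based"      # wapi msk key-update
    msk_update_interval: int = 86400  # wapi msk-update-interval, seconds
    msk_update_packets: int = 10      # packets encrypted with one MSK before an update (Step 10)

    def __post_init__(self):
        for mode in (self.usk_mode, self.msk_mode):
            if mode not in KEY_UPDATE_MODES:
                raise ValueError(f"unknown key-update mode: {mode}")
        if not 1 <= self.bk_threshold <= 100:
            raise ValueError("bk-threshold is a percentage")


def bk_update_due(policy, bk_age_seconds):
    """Assumption: the BK is renegotiated once bk-threshold percent of
    bk-update-interval has elapsed (43200 s * 70 % = 30240 s with the defaults)."""
    return bk_age_seconds >= policy.bk_update_interval * policy.bk_threshold / 100


def _update_due(mode, interval, packet_limit, age_seconds, packets_sent):
    """Evaluate one key-update mode. Assumption: in time-packet-based mode
    whichever limit is reached first triggers the update."""
    if mode == "disable":
        return False
    by_time = age_seconds >= interval
    by_packets = packets_sent >= packet_limit
    if mode == "time-based":
        return by_time
    if mode == "packet-based":
        return by_packets
    return by_time or by_packets          # time-packet-based


def usk_update_due(policy, age_seconds, packets_sent):
    """Is the unicast session key due for renegotiation under this policy?"""
    return _update_due(policy.usk_mode, policy.usk_update_interval,
                       policy.usk_update_packets, age_seconds, packets_sent)


def msk_update_due(policy, age_seconds, packets_sent):
    """Is the multicast session key due for renegotiation under this policy?"""
    return _update_due(policy.msk_mode, policy.msk_update_interval,
                       policy.msk_update_packets, age_seconds, packets_sent)


def sa_established(policy, auth_duration_seconds):
    """No security association is set up when the STA does not finish
    authentication within sa-timeout (Step 7); the STA then cannot connect."""
    return auth_duration_seconds <= policy.sa_timeout


def key_status(policy, usk_age, usk_packets, msk_age, msk_packets, bk_age):
    """Summarise which keys of one association are due for renewal."""
    return {
        "bk": bk_update_due(policy, bk_age),
        "usk": usk_update_due(policy, usk_age, usk_packets),
        "msk": msk_update_due(policy, msk_age, msk_packets),
    }


if __name__ == "__main__":
    defaults = WapiKeyPolicy()
    print(key_status(defaults, usk_age=3600, usk_packets=10, msk_age=90000, msk_packets=0, bk_age=30240))
```

With the defaults, a USK that has already protected 10 packets is not renewed until its 86400s interval expires, because the default mode is time-based; switching the USK to packet-based or time-packet-based mode is what makes the packet threshold take effect.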

Checking the Configuration


Context
After a WLAN security policy is configured, check the configuration.
If a WAPI security policy is used, you can also view the certificate content.

Procedure
- Run the display security-profile { all | { id profile-id | name profile-name } [ detail ] }
command to check the configuration of the WLAN security policy.
- Run the display wapi certificate file-name file-name command to check the certificate
content.

----End

12.3.6 Configuring the STA Blacklist or Whitelist


STA blacklist and whitelist functions allow authorized STAs to connect to the WLAN and reject
access from unauthorized STAs.

Pre-configuration Tasks
- 12.2 WLAN Service Configuration

Configuration Procedure
Configure the blacklist or whitelist function for an AP or VAP and check the configuration.

Configuring a STA Whitelist


Context
A STA whitelist contains MAC addresses of STAs that are allowed to connect to a WLAN.
When only a few STAs are allowed to connect to a WLAN, configure a STA whitelist and set
the STA access control mode to whitelist for an AP or VAP.
You can configure a STA whitelist for all VAPs of an AP or for a specified VAP. If an AP and
a VAP are configured with the blacklist or whitelist function, a STA can connect to the WLAN
only when it is permitted by both the configuration on the AP and VAP.
NOTE

If a STA whitelist is empty, all STAs can connect to the WLAN to access network resources.

Procedure
- Configuring a STA whitelist for APs
1. Run:
system-view

The system view is displayed.

2. Run:
wlan

The WLAN view is displayed.

3. Run:
sta-whitelist mac-address

The MAC address of a STA is added to the whitelist.

By default, no MAC address is added to the STA whitelist. A STA whitelist supports
a maximum of 512 MAC addresses.
4. Run:
sta-access-mode ap-id whitelist

The access control mode is set to the STA whitelist for a specified AP.
By default, the STA access control mode is disable, indicating that STA access is not
controlled by the blacklist or whitelist.
5. Run the commit { all | ap ap-id } command to deliver the configuration to APs.

- Configuring a STA whitelist for a VAP
1. Run:
system-view

The system view is displayed.

2. Run:
wlan

The WLAN view is displayed.

3. Run:
sta-whitelist-profile { name list-name | id list-id }

A STA whitelist profile is created, and the STA whitelist profile view is displayed.
By default, no STA whitelist profile is created. A maximum of 128 STA whitelist
profiles can be created.
4. Run:
sta-mac mac-address

The MAC address of a STA is added to the whitelist profile.

A STA whitelist profile supports a maximum of 512 MAC addresses.
5. Run:
quit

Return to the WLAN view.

6. Run:
service-set { id profile-id | name profile-name }

The service set view is displayed.

7. Run:
sta-access-mode whitelist

The access control mode is set to the STA whitelist for the VAP.
By default, the STA access control mode is disable, indicating that STA access is not
controlled by the blacklist or whitelist.
8. Run:
sta-whitelist-profile { name list-name | id list-id }

The service set is bound to the STA whitelist profile.

By default, no service set is bound to a STA whitelist profile.
9. Run:
quit

Return to the WLAN view.

10. Run the commit { all | ap ap-id } command to deliver the configuration to APs.
----End

Configuring a STA Blacklist


Context
A STA blacklist contains MAC addresses of STAs that are not allowed to connect to a WLAN.
When only a few STAs are not allowed to connect to a WLAN, configure a STA blacklist and
set the STA access control mode to blacklist for an AP or VAP.
You can configure a STA blacklist for all VAPs of an AP or for a specified VAP. If an AP and
a VAP are configured with the blacklist or whitelist function, a STA can connect to the WLAN
only when it is permitted by both the configuration on the AP and VAP.

Procedure
- Configuring a STA blacklist for APs
1. Run:
system-view

The system view is displayed.

2. Run:
wlan

The WLAN view is displayed.

3. Run:
sta-blacklist mac-address

The MAC address of a STA is added to the blacklist.

By default, no MAC address is added to the STA blacklist. A STA blacklist supports
a maximum of 512 MAC addresses.
4. Run:
sta-access-mode ap-id blacklist

The access control mode is set to the STA blacklist for the AP.
By default, the STA access control mode is disable, indicating that STA access is not
controlled by the blacklist or whitelist.
5. Run the commit { all | ap ap-id } command to deliver the configuration to APs.

- Configuring a STA blacklist for a VAP
1. Run:
system-view

The system view is displayed.

2. Run:
wlan

The WLAN view is displayed.

3. Run:
sta-blacklist-profile { name list-name | id list-id }

A STA blacklist profile is created, and the STA blacklist profile view is displayed.
By default, no STA blacklist profile is created. A maximum of 128 STA blacklist
profiles can be created.
4. Run:
sta-mac mac-address

The MAC address of a STA is added to the blacklist profile.

A STA blacklist profile supports a maximum of 512 MAC addresses.
5. Run:
quit

Return to the WLAN view.

6. Run:
service-set { id profile-id | name profile-name }

The service set view is displayed.

7. Run:
sta-access-mode blacklist

The access control mode is set to the STA blacklist for the VAP.
By default, the STA access control mode is disable, indicating that STA access is not
controlled by the blacklist or whitelist.
8. Run:
sta-blacklist-profile { name list-name | id list-id }

The STA blacklist profile is bound to the service set.

By default, no STA blacklist profile is bound to a service set.
9. Run:
quit

Return to the WLAN view.

10. Run the commit { all | ap ap-id } command to deliver the configuration to APs.
----End

Checking the Configuration


Context
After the blacklist or whitelist function is configured, you can check the STA access control
mode of APs and the configured blacklist or whitelist.

Procedure
- Run the display sta-access-mode ap ap-id command to check the STA access control mode
of a specified AP.
- Run the display sta-whitelist command to view the STA whitelist.
- Run the display sta-whitelist-profile { name list-name | id list-id | all } command to view
whitelists in a STA whitelist profile.
- Run the display sta-blacklist command to view the STA blacklist.
- Run the display sta-blacklist-profile { name list-name | id list-id | all } command to view
blacklists in a STA blacklist profile.

----End
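The Python below is an added example and not code from the Huawei guide or the AC6605. It reproduces the admission rule the whitelist and blacklist sections state: access is controlled separately at the AP (sta-access-mode ap-id ...) and at the VAP (sta-access-mode inside the service set), a STA connects only when both scopes permit it, the default mode disable does not control access, an empty whitelist admits every STA, and a list holds at most 512 MAC addresses. It is useful when reasoning about why a STA is admitted or rejected before touching the AC. The STA MAC addresses are constructed; the class and function names are the example's own.

```python
"""Evaluate STA admission the way the blacklist/whitelist sections describe:
access is controlled per AP and per VAP, a STA is admitted only when both
scopes permit it, mode 'disable' does not control access, an empty whitelist
admits every STA, and a list holds at most 512 MAC addresses.

Added example, not Huawei code. The MAC addresses used below are constructed."""

MAX_LIST_ENTRIES = 512            # limit stated for sta-whitelist / sta-blacklist
ACCESS_MODES = ("disable", "whitelist", "blacklist")
HEX = set("0123456789abcdef")


def normalize_mac(mac):
    """Return the VRP form 'xxxx-xxxx-xxxx' for a MAC written with '-', ':' or '.'."""
    digits = mac.lower().replace(":", "").replace("-", "").replace(".", "")
    if len(digits) != 12 or not set(digits) <= HEX:
        raise ValueError(f"malformed MAC address: {mac!r}")
    return "-".join(digits[i:i + 4] for i in range(0, 12, 4))


class StaAccessControl:
    """One access-control scope: an AP (sta-access-mode ap-id ...) or a VAP
    (sta-access-mode ... inside the service set), with the list it consults."""

    def __init__(self, mode="disable", whitelist=(), blacklist=()):
        if mode not in ACCESS_MODES:
            raise ValueError(f"unknown access mode: {mode}")
        self.mode = mode
        self.whitelist = self._load(whitelist, "whitelist")
        self.blacklist = self._load(blacklist, "blacklist")

    @staticmethod
    def _load(macs, kind):
        entries = {normalize_mac(m) for m in macs}
        if len(entries) > MAX_LIST_ENTRIES:
            raise ValueError(f"{kind} holds {len(entries)} entries; the limit is {MAX_LIST_ENTRIES}")
        return entries

    def permits(self, mac):
        mac = normalize_mac(mac)
        if self.mode == "disable":
            return True                       # access not controlled by either list
        if self.mode == "whitelist":
            # NOTE in the guide: an empty whitelist lets every STA connect.
            return not self.whitelist or mac in self.whitelist
        return mac not in self.blacklist


def sta_allowed(mac, ap_control, vap_control):
    """A STA connects only when permitted by both the AP-level and the VAP-level configuration."""
    return ap_control.permits(mac) and vap_control.permits(mac)


if __name__ == "__main__":
    ap = StaAccessControl("whitelist", whitelist=["0011-2233-4455"])   # constructed STA MACs
    vap = StaAccessControl("blacklist", blacklist=["0011-2233-4466"])
    for sta in ("0011-2233-4455", "0011-2233-4466", "0011-2233-4477"):
        print(sta, "allowed" if sta_allowed(sta, ap, vap) else "rejected")
```

The empty-whitelist rule is the one to watch operationally: setting sta-access-mode whitelist before any sta-whitelist entry exists leaves the WLAN open rather than closed.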

12.3.7 Configuring User Isolation


The user isolation function prevents wireless users associated with the same VAP from
forwarding Layer 2 packets to each other. These users cannot directly communicate, ensuring
user data security and facilitating accounting management.

Context
In public places (such as airports and cafes), carrier networks, medium- and large-scale
enterprises, and financial organizations, users may need to connect to the Internet wirelessly. If
accurate and reliable user authentication is not performed, unauthorized users are able to use
network resources, consuming bandwidth. This lowers the security and service quality of
authorized users and brings unacceptable loss to wireless access service providers. Layer 2
isolation, together with security mechanisms defined in IEEE 802.11i, and RADIUS
authentication/accounting mechanisms, can protect security for wireless users.
User isolation configuration depends on the data forwarding mode.
- In direct forwarding mode, user isolation must be configured in a service set.
- In tunnel forwarding mode, user isolation must be configured in a service set and on a
WLAN-ESS interface.

Pre-configuration Tasks
Before configuring user isolation, complete the following task:
- Configuring WLAN basic services

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
wlan

The WLAN view is displayed.


Step 3 Configure user isolation.
- Configuring user isolation in direct forwarding mode
1. Run:
service-set { name service-set-name | id service-set-id }

The service set view is displayed.

2. Run:
user-isolate

User isolation is configured.

3. Run:
quit

Return to the WLAN view.

- Configuring user isolation in tunnel forwarding mode
1. Run:
service-set { name service-set-name | id service-set-id }

The service set view is displayed.

2. Run:
user-isolate

User isolation is configured.

3. Run:
quit

Return to the WLAN view.

4. Run:
quit

Return to the system view.

5. Run:
interface wlan-ess wlan-ess-number

The WLAN-ESS interface view is displayed.

6. Run:
port-isolate enable

Port isolation is enabled.

7. Run:
quit

Return to the system view.

8. Run:
wlan

The WLAN view is displayed.

Step 4 Run the commit { all | ap ap-id } command to deliver the configuration to APs.
----End

Checking the Configuration


- Run the display service-set { id service-set-id | name service-set-name | ssid ssid }
command to view the service set configuration and check whether user isolation is enabled.

12.3.8 Maintaining WLAN Security


Maintaining WLAN security includes displaying WLAN security information and clearing
WLAN security information.

Displaying WLAN Security Configuration


Context
After WLAN security is configured, you can run the following display commands to check the
WLAN security configuration.

Procedure
- Run the display radio config ap-id ap-id radio-id radio-id command to view the security
configuration parameters of the specified radio, including the working mode, wireless
intrusion detection status, and wireless intrusion prevention status.
- Run the display security-profile { all | { id profile-id | name profile-name } [ detail ] }
command to view the security profile configuration.
- Run the display sta-access-mode ap ap-id command to view the STA access control mode
of the specified AP.
- Run the display sta-whitelist command to view the STA whitelist.
- Run the display sta-whitelist-profile { name list-name | id list-id | all } command to view
the whitelist of the STA whitelist profile.
- Run the display sta-blacklist command to view the STA blacklist.
- Run the display sta-blacklist-profile { name list-name | id list-id | all } command to view
the blacklist of the STA blacklist profile.
- Run the display service-set { id service-set-id | name service-set-name | ssid ssid }
command to check whether user isolation is enabled in the specified service set.

----End

Clearing Detected Device Information


Context
After WIDS and WIPS are configured, you can clear information about detected wireless devices
and historical records about unauthorized devices.
NOTE

Cleared data cannot be restored. Exercise caution when you clear information about wireless devices.

Procedure
- Run the reset wlan ids detected { all | rogue ap | adhoc | ssid | mac-address mac-address } command to clear information about detected wireless devices.
- Run the reset wlan ids rogue-history { all | ap | adhoc | ssid | mac-address mac-address } command to clear historical records about unauthorized devices.

----End

12.3.9 Configuration Examples


This section provides several WLAN security configuration examples, including networking
requirements, configuration roadmap, operation procedure, and configuration files.

Example for Configuring WIDS and WIPS Functions


Networking Requirements
As shown in Figure 12-17, the AC and AP1 are directly connected. An enterprise branch deploys
WLAN basic services and provides a WLAN with the SSID of test for employees to access
enterprise network resources. STAs automatically obtain IP addresses.
The branch is located in an open place, making the WLAN vulnerable to attacks. For example, an
attacker deploys a rogue AP (AP2) on the WLAN to establish connections with STAs and intercept
enterprise information, posing a great threat to the enterprise network. To prevent such attacks,
configure WIDS and WIPS functions to enable the AC to detect AP2, preventing STAs from
associating with AP2.
Figure 12-17 Networking diagram for configuring WIDS and WIPS against rogue APs
[Figure: management VLAN 100, service VLAN 101, AP region ID 10. The AC connects to AP1 (hybrid mode) through GE0/0/1 and to the Internet through GE0/0/2; VLANIF 100 has the address 192.168.10.1/24. STAs associate with AP1; a rogue AP (AP2) is also present.]

Configuration Roadmap
1. Configure WLAN basic services so that STAs can access the WLAN. This example uses
default configurations.
2. Configure WIDS and WIPS functions. Configure AP1 to work in monitoring or hybrid
mode to detect wireless device information and report the information to the AC. Configure
the AC to defend against rogue AP2 so that STAs disassociate from AP2.
NOTE

The AC6605 has the wired side and wireless side. XGE0/0/27 connects the wired side to the wireless side
and XGE0/0/1 connects the wireless side to the wired side. For details about the login modes on the wired
side and wireless side, see 11.1 Configuring User Login.

Procedure
Step 1 Configure the AC wired side and wireless side so that the AP and AC can transmit CAPWAP
packets.
# Configure the AC wired side: add wired-side interface GE0/0/1 to management VLAN 100,
and add XGE0/0/27 that connects the wired side to the wireless side to the same VLAN.
NOTE

In this example, tunnel forwarding is used. If direct forwarding is used, configure port isolation on GE0/0/1
that connects the AC wired side to the AP. If port isolation is not configured, many broadcast packets will
be transmitted in the VLANs or WLAN users on different APs can directly communicate at Layer 2.
<Quidway> system-view
[Quidway] sysname AC-LSW
[AC-LSW] vlan batch 100
[AC-LSW] interface gigabitethernet 0/0/1
[AC-LSW-GigabitEthernet0/0/1] port link-type trunk
[AC-LSW-GigabitEthernet0/0/1] port trunk pvid vlan 100
[AC-LSW-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[AC-LSW-GigabitEthernet0/0/1] quit
[AC-LSW] interface xgigabitethernet 0/0/27
[AC-LSW-XGigabitEthernet0/0/27] port link-type trunk
[AC-LSW-XGigabitEthernet0/0/27] port trunk allow-pass vlan 100
[AC-LSW-XGigabitEthernet0/0/27] quit

# Add XGE0/0/1 that connects the AC wireless side to the wired side to VLAN 100.
<Quidway> system-view
[Quidway] sysname AC
[AC] vlan batch 100
[AC] interface xgigabitethernet 0/0/1
[AC-XGigabitEthernet0/0/1] port link-type trunk
[AC-XGigabitEthernet0/0/1] port trunk allow-pass vlan 100
[AC-XGigabitEthernet0/0/1] quit

Step 2 Configure the AC to communicate with the upstream device.


NOTE

Configure AC uplink interfaces to transparently transmit packets of service VLANs as required and
communicate with the upstream device.

# Add XGE0/0/1 that connects the AC wireless side to the wired side to service VLAN 101.
[AC] vlan batch 101
[AC] interface xgigabitethernet 0/0/1
[AC-XGigabitEthernet0/0/1] port link-type trunk
[AC-XGigabitEthernet0/0/1] port trunk allow-pass vlan 101
[AC-XGigabitEthernet0/0/1] quit

# Add XGE0/0/27 that connects the AC wired side to the wireless side and AC uplink interface
GE0/0/2 to VLAN 101.
[AC-LSW] vlan batch 101
[AC-LSW] interface xgigabitethernet 0/0/27
[AC-LSW-XGigabitEthernet0/0/27] port link-type trunk
[AC-LSW-XGigabitEthernet0/0/27] port trunk allow-pass vlan 101
[AC-LSW-XGigabitEthernet0/0/27] quit
[AC-LSW] interface gigabitethernet 0/0/2
[AC-LSW-GigabitEthernet0/0/2] port link-type trunk
[AC-LSW-GigabitEthernet0/0/2] port trunk allow-pass vlan 101
[AC-LSW-GigabitEthernet0/0/2] quit

Step 3 Configure the AC as a DHCP server to allocate IP addresses to STAs and the AP.
# Configure the AC as the DHCP server to allocate an IP address to the AP from the IP address
pool on VLANIF 100, and allocate IP addresses to STAs from the IP address pool on VLANIF
101.
[AC] dhcp enable
[AC] interface vlanif 100
[AC-Vlanif100] ip address 192.168.10.1 24
[AC-Vlanif100] dhcp select interface
[AC-Vlanif100] quit
[AC] interface vlanif 101
[AC-Vlanif101] ip address 192.168.11.1 24
[AC-Vlanif101] dhcp select interface
[AC-Vlanif101] quit

Step 4 Configure AC system parameters.


# Configure the country code.
[AC] wlan ac-global country-code cn

# Configure the AC ID and carrier ID.


[AC] wlan ac-global ac id 1 carrier id other

# Configure the source interface.


[AC] wlan
[AC-wlan-view] wlan ac source interface vlanif 100

Step 5 Manage the AP on the AC.


# Check the AP type ID after obtaining the MAC address of the AP.
[AC-wlan-view] display ap-type all
All AP types information:
------------------------------------------------------------------------------
ID    Type
------------------------------------------------------------------------------
0     WA601
1     WA631
6     WA603SN
7     WA603DN
8     WA633SN
11    WA603DE
12    WA653DE
14    WA653SN
17    AP6010SN-GN
19    AP6010DN-AGN
21    AP6310SN-GN
23    AP6510DN-AGN
25    AP6610DN-AGN
27    AP7110SN-GN
28    AP7110DN-AGN
29    AP5010SN-GN
30    AP5010DN-AGN
31    AP3010DN-AGN
33    AP6510DN-AGN-US
34    AP6610DN-AGN-US
------------------------------------------------------------------------------
Total number: 20

# Add the AP offline based on the AP type ID. Assume that the AP type is AP6010DN-AGN,
and the MAC address of the AP is 5489-9846-1dd4.
[AC-wlan-view] ap-auth-mode mac-auth
[AC-wlan-view] ap id 0 type-id 19 mac 5489-9846-1dd4
[AC-wlan-ap-0] quit

NOTE

The default AP authentication mode is MAC address authentication. If the default settings are retained, you do
not need to run the ap-auth-mode mac-auth command.

# Configure an AP region and add the AP to the AP region.


[AC-wlan-view] ap-region id 10
[AC-wlan-ap-region-10] quit
[AC-wlan-view] ap id 0
[AC-wlan-ap-0] region-id 10
[AC-wlan-ap-0] quit

# After powering on the AP, run the display ap all command on the AC to check the AP running
status. The command output shows that the AP status is normal.
[AC-wlan-view] display ap all
All AP information(Normal-1,UnNormal-0):
------------------------------------------------------------------------------
AP   AP             AP              Profile   AP       AP
ID   Type           MAC             /Region   State    Sysname
                                    ID
------------------------------------------------------------------------------
0    AP6010DN-AGN   5489-9846-1dd4  0/10      normal   ap-0
------------------------------------------------------------------------------
Total number: 1

Step 6 Configure WLAN service parameters.


# Create a WMM profile named wmm.
[AC-wlan-view] wmm-profile name wmm id 1
[AC-wlan-wmm-prof-wmm] quit

# Create a radio profile named radio and bind the WMM profile wmm to the radio profile.
[AC-wlan-view] radio-profile name radio id 1
[AC-wlan-radio-prof-radio] wmm-profile name wmm
[AC-wlan-radio-prof-radio] quit
[AC-wlan-view] quit

# Create WLAN-ESS interface 1.


NOTE

To enable the AC to allocate IP addresses to STAs, run the dhcp enable command on the WLAN-ESS
interface to enable DHCP on the AC.
[AC] interface wlan-ess 1
[AC-Wlan-Ess1] dhcp enable
[AC-Wlan-Ess1] port link-type hybrid
[AC-Wlan-Ess1] port hybrid pvid vlan 101
[AC-Wlan-Ess1] port hybrid untagged vlan 101
[AC-Wlan-Ess1] quit

# Create a security profile named security.


[AC] wlan
[AC-wlan-view] security-profile name security id 1
[AC-wlan-sec-prof-security] quit

# Create a traffic profile named traffic.


[AC-wlan-view] traffic-profile name traffic id 1
[AC-wlan-traffic-prof-traffic] quit

# Create a service set named test and bind the WLAN-ESS interface, security profile, and traffic
profile to the service set.
[AC-wlan-view] service-set name test id 1
[AC-wlan-service-set-test] ssid test
[AC-wlan-service-set-test] wlan-ess 1
[AC-wlan-service-set-test] security-profile name security
[AC-wlan-service-set-test] traffic-profile name traffic
[AC-wlan-service-set-test] service-vlan 101
[AC-wlan-service-set-test] forward-mode tunnel
[AC-wlan-service-set-test] quit

Step 7 Configure WIDS and WIPS functions.


# Configure the WIDS function.
[AC-wlan-view] ap 0 radio 0
[AC-wlan-radio-0/0] work-mode hybrid
Warning: Modify the work mode may cause business interruption, are you sure to
continue?(y/n)[n]:y
[AC-wlan-radio-0/0] device detect enable

# Configure the WIPS function to defend against rogue APs.


[AC-wlan-radio-0/0] countermeasures enable
[AC-wlan-radio-0/0] countermeasures mode rogue ap spoof-ssid
[AC-wlan-radio-0/0] quit

Step 8 Configure a VAP and deliver VAP parameters to the AP.


# Configure a VAP.
[AC-wlan-view] ap 0 radio 0
[AC-wlan-radio-0/0] radio-profile name radio
Warning: Modify the Radio type may cause some parameters of Radio resume defaul
t value, are you sure to continue?[Y/N]:y
[AC-wlan-radio-0/0] service-set name test
[AC-wlan-radio-0/0] quit

# Commit the configuration.


[AC-wlan-view] commit ap 0
Warning: Committing configuration may cause service interruption,continue?[Y/N
]y

Step 9 Verify the configuration.


Run the display wlan ids countermeasures device all command to check information about
AP2.
[AC] display wlan ids countermeasures device all
Total number of countermeasures device: 1
Flags: a = adhoc, w = ap, c = client
#AP = number of active APs detecting, Ch = channel number
--------------------------------------------------------------------------------
MAC address     Type  #AP  Ch  Last Detected Time   SSID
--------------------------------------------------------------------------------
000b-6b8f-fc6a  -w    1    11  2012-01-22/15:33:21  test
--------------------------------------------------------------------------------

STAs attempt to connect to the Internet through AP2. Countermeasures are taken on AP2, so
traffic between STAs and APs is unstable.
C:\Documents and Settings\huawei>ping www.baidu.com
Pinging www.a.shifen.com [220.181.112.143] with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Reply from 220.181.112.143: bytes=32 time=1433ms TTL=255
Reply from 220.181.112.143: bytes=32 time=40ms TTL=255
Reply from 220.181.112.143: bytes=32 time=11ms TTL=255
Reply from 220.181.112.143: bytes=32 time=46ms TTL=255
Request timed out.
Request timed out.

----End
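The Python parser below is an added example; it is not code from the Huawei guide or the AC6605. It reads the output of display wlan ids countermeasures device all as shown in Step 9 into records, decodes the Flags legend (a = adhoc, w = ap, c = client), and lists detected APs that advertise one of the enterprise's own SSIDs, which is the condition the countermeasures mode rogue ap spoof-ssid command acts on. The sample output is constructed: its first row repeats the values on the page, the second row is an invented ad hoc device, and the layout of the flag column (a '-' for each flag that is not set) is inferred from the single row the page shows.

```python
"""Parse 'display wlan ids countermeasures device all' output (Step 9 above)
and pick out detected APs that advertise one of our own SSIDs.

Added example, not part of the Huawei guide. SAMPLE_OUTPUT is constructed:
row one repeats the page's values, row two is invented, and the '-' placeholder
in the flag column is an assumption based on the page's single row."""
import re
from dataclasses import dataclass
from datetime import datetime

SAMPLE_OUTPUT = """\
Total number of countermeasures device: 2
Flags: a = adhoc, w = ap, c = client
#AP = number of active APs detecting, Ch = channel number
--------------------------------------------------------------------------------
MAC address     Type  #AP  Ch  Last Detected Time   SSID
--------------------------------------------------------------------------------
000b-6b8f-fc6a  -w    1    11  2012-01-22/15:33:21  test
0022-3344-5566  a-    1    6   2012-01-22/15:35:02  lab-adhoc
--------------------------------------------------------------------------------
"""

# One data row: VRP-style MAC, flag field, detecting-AP count, channel, timestamp, SSID.
ROW_RE = re.compile(
    r"^([0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4})\s+(\S+)\s+(\d+)\s+(\d+)\s+"
    r"(\d{4}-\d{2}-\d{2}/\d{2}:\d{2}:\d{2})\s+(.*)$"
)
FLAG_NAMES = {"a": "adhoc", "w": "ap", "c": "client"}   # from the Flags legend


@dataclass(frozen=True)
class DetectedDevice:
    mac: str
    kinds: frozenset          # subset of {"adhoc", "ap", "client"}
    detecting_aps: int        # '#AP' column
    channel: int              # 'Ch' column
    last_seen: datetime
    ssid: str


def parse_countermeasures(output):
    """Return one DetectedDevice per data row; header and rule lines are skipped."""
    devices = []
    for line in output.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        mac, flags, aps, ch, ts, ssid = m.groups()
        kinds = frozenset(FLAG_NAMES[c] for c in flags if c in FLAG_NAMES)
        devices.append(DetectedDevice(mac, kinds, int(aps), int(ch),
                                      datetime.strptime(ts, "%Y-%m-%d/%H:%M:%S"),
                                      ssid.strip()))
    return devices


def ssid_spoofers(devices, own_ssids):
    """MACs of detected APs advertising one of our SSIDs (the rogue-AP spoof-ssid case)."""
    return [d.mac for d in devices if "ap" in d.kinds and d.ssid in own_ssids]


def consistency_check(output, devices):
    """The 'Total number' line should agree with the number of rows parsed."""
    m = re.search(r"Total number of countermeasures device:\s*(\d+)", output)
    return m is not None and int(m.group(1)) == len(devices)


if __name__ == "__main__":
    found = parse_countermeasures(SAMPLE_OUTPUT)
    print("rows parsed:", len(found), "consistent:", consistency_check(SAMPLE_OUTPUT, found))
    print("APs spoofing our SSID:", ssid_spoofers(found, {"test"}))
```

Feeding the parser the output captured from several ACs and keying on the MAC column gives a simple history of where and when a given rogue device was last seen, which the reset wlan ids rogue-history command described earlier would otherwise discard.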

Configuration Files
- Configuration file of the AC wired side


#
sysname AC-LSW
#
vlan batch 100 to 101
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 101
#
interface XGigabitEthernet0/0/27
port link-type trunk
port trunk allow-pass vlan 100 to 101
#
return

- Configuration file of the AC wireless side


#
sysname AC
#
vlan batch 100 to 101
#
dhcp enable
#
wlan ac-global carrier id other ac id 1
#
interface Vlanif100
ip address 192.168.10.1 255.255.255.0
dhcp select interface
#
interface Vlanif101
ip address 192.168.11.1 255.255.255.0
dhcp select interface
#
interface XGigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100 to 101
#
interface WLAN-ESS1
port hybrid pvid vlan 101
port hybrid untagged vlan 101
dhcp enable
#
wlan
wlan ac source interface vlanif100
ap-region id 10
ap id 0 type-id 19 mac 60de-4476-e360 sn AB35015384
region-id 10
wmm-profile name wmm id 1
traffic-profile name traffic id 1
security-profile name security id 1
service-set name test id 1
forward-mode tunnel

wlan-ess 1
ssid test
traffic-profile id 1
security-profile id 1
service-vlan 101
radio-profile name radio id 1
wmm-profile id 1
ap 0 radio 0
radio-profile id 1
service-set id 1 wlan 1
work-mode hybrid
device detect enable
countermeasures enable
countermeasures mode rogue ap spoof-ssid
#
return

Example for Configuring a WEP Security Policy (Shared-Key Authentication+WEP Encryption)
Networking Requirements
As shown in Figure 12-18, the AC and AP are directly connected. The WLAN with the SSID
of test is available for residents to access the Internet. STAs automatically obtain IP addresses.
Because the WLAN is open to users, there are potential security risks to user data. Users do not
require high security, so a WEP security policy using shared-key authentication and WEP
encryption can be configured.
Figure 12-18 Networking diagram for configuring a WEP security policy (the AP connects to AC
interface GE0/0/1 in VLAN 100; AC interface GE0/0/2 in VLAN 101 connects to the Internet;
management VLAN 100, service VLAN 101, AP region ID 10; STAs associate with the AP)

Configuration Roadmap
1. Configure WLAN basic services so that STAs can access the WLAN. This example uses
default configurations.
2. Configure a WEP security policy using shared-key authentication and WEP encryption in
a security profile to ensure data security.

NOTE

The AC6605 has the wired side and wireless side. XGE0/0/27 connects the wired side to the wireless side
and XGE0/0/1 connects the wireless side to the wired side. For details about the login modes on the wired
side and wireless side, see 11.1 Configuring User Login.

Procedure
Step 1 Configure the AC wired side and wireless side so that the AP and AC can transmit CAPWAP
packets.
# Configure the AC wired side: add wired-side interface GE0/0/1 to management VLAN 100,
and add XGE0/0/27 that connects the wired side to the wireless side to the same VLAN.
NOTE

In this example, tunnel forwarding is used. If direct forwarding is used, configure port isolation on GE0/0/1
that connects the AC wired side to the AP. If port isolation is not configured, many broadcast packets will
be transmitted in the VLANs or WLAN users on different APs can directly communicate at Layer 2.
<Quidway> system-view
[Quidway] sysname AC-LSW
[AC-LSW] vlan batch 100
[AC-LSW] interface gigabitethernet 0/0/1
[AC-LSW-GigabitEthernet0/0/1] port link-type trunk
[AC-LSW-GigabitEthernet0/0/1] port trunk pvid vlan 100
[AC-LSW-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[AC-LSW-GigabitEthernet0/0/1] quit
[AC-LSW] interface xgigabitethernet 0/0/27
[AC-LSW-XGigabitEthernet0/0/27] port link-type trunk
[AC-LSW-XGigabitEthernet0/0/27] port trunk allow-pass vlan 100
[AC-LSW-XGigabitEthernet0/0/27] quit

# Add XGE0/0/1 that connects the AC wireless side to the wired side to VLAN 100.
<Quidway> system-view
[Quidway] sysname AC
[AC] vlan batch 100
[AC] interface xgigabitethernet 0/0/1
[AC-XGigabitEthernet0/0/1] port link-type trunk
[AC-XGigabitEthernet0/0/1] port trunk allow-pass vlan 100
[AC-XGigabitEthernet0/0/1] quit

Step 2 Configure the AC to communicate with the upstream device.


NOTE

Configure AC uplink interfaces to transparently transmit packets of service VLANs as required and
communicate with the upstream device.

# Add XGE0/0/1 that connects the AC wireless side to the wired side to service VLAN 101.
[AC] vlan batch 101
[AC] interface xgigabitethernet 0/0/1
[AC-XGigabitEthernet0/0/1] port link-type trunk
[AC-XGigabitEthernet0/0/1] port trunk allow-pass vlan 101
[AC-XGigabitEthernet0/0/1] quit

# Add XGE0/0/27 that connects the AC wired side to the wireless side and AC uplink interface
GE0/0/2 to VLAN 101.
[AC-LSW] vlan batch 101
[AC-LSW] interface xgigabitethernet 0/0/27
[AC-LSW-XGigabitEthernet0/0/27] port link-type trunk
[AC-LSW-XGigabitEthernet0/0/27] port trunk allow-pass vlan 101
[AC-LSW-XGigabitEthernet0/0/27] quit
[AC-LSW] interface gigabitethernet 0/0/2
[AC-LSW-GigabitEthernet0/0/2] port link-type trunk

[AC-LSW-GigabitEthernet0/0/2] port trunk allow-pass vlan 101
[AC-LSW-GigabitEthernet0/0/2] quit

Step 3 Configure the AC as a DHCP server to allocate IP addresses to STAs and the AP.
# Configure the AC as the DHCP server to allocate an IP address to the AP from the IP address
pool on VLANIF 100, and allocate IP addresses to STAs from the IP address pool on VLANIF
101.
[AC] dhcp enable
[AC] interface vlanif 100
[AC-Vlanif100] ip address 192.168.10.1 24
[AC-Vlanif100] dhcp select interface
[AC-Vlanif100] quit
[AC] interface vlanif 101
[AC-Vlanif101] ip address 192.168.11.1 24
[AC-Vlanif101] dhcp select interface
[AC-Vlanif101] quit

Step 4 Configure AC system parameters.


# Configure the country code.
[AC] wlan ac-global country-code cn

# Configure the AC ID and carrier ID.


[AC] wlan ac-global ac id 1 carrier id other

# Configure the source interface.


[AC] wlan
[AC-wlan-view] wlan ac source interface vlanif 100

Step 5 Manage the AP on the AC.


# Check the AP type ID after obtaining the MAC address of the AP.
[AC-wlan-view] display ap-type all
All AP types information:
------------------------------------------------------------------------------
ID    Type
------------------------------------------------------------------------------
0     WA601
1     WA631
6     WA603SN
7     WA603DN
8     WA633SN
11    WA603DE
12    WA653DE
14    WA653SN
17    AP6010SN-GN
19    AP6010DN-AGN
21    AP6310SN-GN
23    AP6510DN-AGN
25    AP6610DN-AGN
27    AP7110SN-GN
28    AP7110DN-AGN
29    AP5010SN-GN
30    AP5010DN-AGN
31    AP3010DN-AGN
33    AP6510DN-AGN-US
34    AP6610DN-AGN-US
------------------------------------------------------------------------------
Total number: 20

# Add the AP offline based on the AP type ID. Assume that the AP type is AP6010DN-AGN,
and the MAC address of the AP is 5489-9846-1dd4.
[AC-wlan-view] ap-auth-mode mac-auth
[AC-wlan-view] ap id 0 type-id 19 mac 5489-9846-1dd4
[AC-wlan-ap-0] quit
NOTE

The default AP authentication mode is MAC address authentication. If the default settings are retained, you do
not need to run the ap-auth-mode mac-auth command.

# Configure an AP region and add the AP to the AP region.


[AC-wlan-view] ap-region id 10
[AC-wlan-ap-region-10] quit
[AC-wlan-view] ap id 0
[AC-wlan-ap-0] region-id 10
[AC-wlan-ap-0] quit

# After powering on the AP, run the display ap all command on the AC to check the AP running
status. The command output shows that the AP status is normal.
[AC-wlan-view] display ap all
All AP information(Normal-1,UnNormal-0):
------------------------------------------------------------------------------
AP   AP             AP              Profile   AP       AP
ID   Type           MAC             /Region   State    Sysname
                                    ID
------------------------------------------------------------------------------
0    AP6010DN-AGN   5489-9846-1dd4  0/10      normal   ap-0
------------------------------------------------------------------------------
Total number: 1

Step 6 Configure WLAN service parameters.


# Create a WMM profile named wmm.
[AC-wlan-view] wmm-profile name wmm id 1
[AC-wlan-wmm-prof-wmm] quit

# Create a radio profile named radio and bind the WMM profile wmm to the radio profile.
[AC-wlan-view] radio-profile name radio id 1
[AC-wlan-radio-prof-radio] wmm-profile name wmm
[AC-wlan-radio-prof-radio] quit
[AC-wlan-view] quit

# Create WLAN-ESS interface 1.


NOTE

To enable the AC to allocate IP addresses to STAs, run the dhcp enable command on the WLAN-ESS
interface to enable DHCP on the AC.
[AC] interface wlan-ess 1
[AC-Wlan-Ess1] dhcp enable
[AC-Wlan-Ess1] port link-type hybrid
[AC-Wlan-Ess1] port hybrid pvid vlan 101
[AC-Wlan-Ess1] port hybrid untagged vlan 101
[AC-Wlan-Ess1] quit

# Create a security profile named security.


[AC] wlan
[AC-wlan-view] security-profile name security id 1
[AC-wlan-sec-prof-security] quit

# Create a traffic profile named traffic.


[AC-wlan-view] traffic-profile name traffic id 1
[AC-wlan-traffic-prof-traffic] quit

# Create a service set named test and bind the WLAN-ESS interface, security profile, and traffic
profile to the service set.
[AC-wlan-view] service-set name test id 1
[AC-wlan-service-set-test] ssid test
[AC-wlan-service-set-test] wlan-ess 1
[AC-wlan-service-set-test] security-profile name security
[AC-wlan-service-set-test] traffic-profile name traffic
[AC-wlan-service-set-test] service-vlan 101
[AC-wlan-service-set-test] forward-mode tunnel
[AC-wlan-service-set-test] quit

Step 7 Configure a WEP security policy.


[AC-wlan-view] security-profile name security
[AC-wlan-sec-prof-security] security-policy wep
[AC-wlan-sec-prof-security] wep authentication-method share-key
[AC-wlan-sec-prof-security] wep key wep-40 pass-phrase 0 simple 12345
[AC-wlan-sec-prof-security] wep default-key 0
[AC-wlan-sec-prof-security] quit

Step 8 Configure a VAP and deliver VAP parameters to the AP.


# Configure a VAP.
[AC-wlan-view] ap 0 radio 0
[AC-wlan-radio-0/0] radio-profile name radio
Warning: Modify the Radio type may cause some parameters of Radio resume defaul
t value, are you sure to continue?[Y/N]:y
[AC-wlan-radio-0/0] service-set name test
[AC-wlan-radio-0/0] quit

# Commit the configuration.


[AC-wlan-view] commit ap 0
Warning: Committing configuration may cause service interruption,continue?[Y/N
]y

Step 9 Verify the configuration.


The WLAN with SSID test is available for STAs connected to the AP.
If a STA has an incorrect shared key configured, the STA cannot access the WLAN.
NOTE

After the PC scans an SSID, if you double-click the SSID and enter the key, association may fail. You need
to add a WLAN on the PC.
l Configuration on the Windows XP operating system:
1. On the Association tab page of the Wireless network properties dialog box, add SSID test, set
the network authentication mode to shared-key mode and encryption mode to WEP, and configure
the network key and corresponding key index.
l Configuration on the Windows 7 operating system:
1. Access the Manage wireless networks page, click Add, and select Manually create a network
profile. Add SSID test, set the encryption and authentication modes, and click Next.
2. Scan SSIDs to search WLANs. Double-click SSID test, click the Security tab, and set the key
index on the Security tab page.

----End

Configuration Files

l Configuration file of the AC wired side


#
sysname AC-LSW

#
vlan batch 100 to 101
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 101
#
interface XGigabitEthernet0/0/27
port link-type trunk
port trunk allow-pass vlan 100 to 101
#
return

l Configuration file of the AC wireless side


#
sysname AC
#
vlan batch 100 to 101
#
dhcp enable
#
wlan ac-global carrier id other ac id 1
#
interface Vlanif100
ip address 192.168.10.1 255.255.255.0
dhcp select interface
#
interface Vlanif101
ip address 192.168.11.1 255.255.255.0
dhcp select interface
#
interface XGigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100 to 101
#
interface WLAN-ESS1
port hybrid pvid vlan 101
port hybrid untagged vlan 101
dhcp enable
#
wlan
wlan ac source interface vlanif100
ap-region id 10
ap id 0 type-id 19 mac 60de-4476-e360 sn AB35015384
region-id 10
wmm-profile name wmm id 1
traffic-profile name traffic id 1
security-profile name security id 1
wep authentication-method share-key
wep key wep-40 pass-phrase 0 simple 12345
service-set name test id 1
forward-mode tunnel
wlan-ess 1
ssid test
traffic-profile id 1
security-profile id 1
service-vlan 101
radio-profile name radio id 1
wmm-profile id 1
ap 0 radio 0
radio-profile id 1
service-set id 1 wlan 1
#
return

Example for Configuring a WPA2 Security Policy (Pre-shared Key Authentication+CCMP Encryption)
Networking Requirements
As shown in Figure 12-19, the AP deployed in a resident's home is directly connected to the
AC. The WLAN with the SSID of test is available for residents to access the Internet. STAs
automatically obtain IP addresses.
Because the WLAN is open to users, there are potential security risks if no security policy is
configured for the WLAN. Users do not require high WLAN security, so no authentication server
is required. A WEP or WPA/WPA2 (pre-shared key) security policy can be configured. STAs
support WPA/WPA2, TKIP encryption, and CCMP encryption, so pre-shared key authentication
and CCMP encryption are used to secure data transmission.
Figure 12-19 Networking diagram for configuring a WPA2 security policy (the AP connects to AC
interface GE0/0/1 in VLAN 100; AC interface GE0/0/2 in VLAN 101 connects to the Internet;
management VLAN 100, service VLAN 101, AP region ID 10; STAs associate with the AP)

Configuration Roadmap
1. Configure WLAN basic services so that STAs can access the WLAN. This example uses
default configurations.
2. Configure a WPA2 security policy using pre-shared key authentication and CCMP
encryption in a security profile to ensure data security.
NOTE

The AC6605 has the wired side and wireless side. XGE0/0/27 connects the wired side to the wireless side
and XGE0/0/1 connects the wireless side to the wired side. For details about the login modes on the wired
side and wireless side, see 11.1 Configuring User Login.

Procedure
Step 1 Configure the AC wired side and wireless side so that the AP and AC can transmit CAPWAP
packets.
# Configure the AC wired side: add wired-side interface GE0/0/1 to management VLAN 100,
and add XGE0/0/27 that connects the wired side to the wireless side to the same VLAN.
NOTE

In this example, tunnel forwarding is used. If direct forwarding is used, configure port isolation on GE0/0/1
that connects the AC wired side to the AP. If port isolation is not configured, many broadcast packets will
be transmitted in the VLANs or WLAN users on different APs can directly communicate at Layer 2.
<Quidway> system-view
[Quidway] sysname AC-LSW
[AC-LSW] vlan batch 100
[AC-LSW] interface gigabitethernet 0/0/1
[AC-LSW-GigabitEthernet0/0/1] port link-type trunk
[AC-LSW-GigabitEthernet0/0/1] port trunk pvid vlan 100
[AC-LSW-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[AC-LSW-GigabitEthernet0/0/1] quit
[AC-LSW] interface xgigabitethernet 0/0/27
[AC-LSW-XGigabitEthernet0/0/27] port link-type trunk
[AC-LSW-XGigabitEthernet0/0/27] port trunk allow-pass vlan 100
[AC-LSW-XGigabitEthernet0/0/27] quit

# Add XGE0/0/1 that connects the AC wireless side to the wired side to VLAN 100.
<Quidway> system-view
[Quidway] sysname AC
[AC] vlan batch 100
[AC] interface xgigabitethernet 0/0/1
[AC-XGigabitEthernet0/0/1] port link-type trunk
[AC-XGigabitEthernet0/0/1] port trunk allow-pass vlan 100
[AC-XGigabitEthernet0/0/1] quit

Step 2 Configure the AC to communicate with the upstream device.


NOTE

Configure AC uplink interfaces to transparently transmit packets of service VLANs as required and
communicate with the upstream device.

# Add XGE0/0/1 that connects the AC wireless side to the wired side to service VLAN 101.
[AC] vlan batch 101
[AC] interface xgigabitethernet 0/0/1
[AC-XGigabitEthernet0/0/1] port link-type trunk
[AC-XGigabitEthernet0/0/1] port trunk allow-pass vlan 101
[AC-XGigabitEthernet0/0/1] quit

# Add XGE0/0/27 that connects the AC wired side to the wireless side and AC uplink interface
GE0/0/2 to VLAN 101.
[AC-LSW] vlan batch 101
[AC-LSW] interface xgigabitethernet 0/0/27
[AC-LSW-XGigabitEthernet0/0/27] port link-type trunk
[AC-LSW-XGigabitEthernet0/0/27] port trunk allow-pass vlan 101
[AC-LSW-XGigabitEthernet0/0/27] quit
[AC-LSW] interface gigabitethernet 0/0/2
[AC-LSW-GigabitEthernet0/0/2] port link-type trunk
[AC-LSW-GigabitEthernet0/0/2] port trunk allow-pass vlan 101
[AC-LSW-GigabitEthernet0/0/2] quit

Step 3 Configure the AC as a DHCP server to allocate IP addresses to STAs and the AP.
# Configure the AC as the DHCP server to allocate an IP address to the AP from the IP address
pool on VLANIF 100, and allocate IP addresses to STAs from the IP address pool on VLANIF
101.
[AC] dhcp enable
[AC] interface vlanif 100
[AC-Vlanif100] ip address 192.168.10.1 24
[AC-Vlanif100] dhcp select interface
[AC-Vlanif100] quit
[AC] interface vlanif 101

[AC-Vlanif101] ip address 192.168.11.1 24
[AC-Vlanif101] dhcp select interface
[AC-Vlanif101] quit

Step 4 Configure AC system parameters.


# Configure the country code.
[AC] wlan ac-global country-code cn

# Configure the AC ID and carrier ID.


[AC] wlan ac-global ac id 1 carrier id other

# Configure the source interface.


[AC] wlan
[AC-wlan-view] wlan ac source interface vlanif 100

Step 5 Manage the AP on the AC.


# Check the AP type ID after obtaining the MAC address of the AP.
[AC-wlan-view] display ap-type all
All AP types information:
------------------------------------------------------------------------------
ID    Type
------------------------------------------------------------------------------
0     WA601
1     WA631
6     WA603SN
7     WA603DN
8     WA633SN
11    WA603DE
12    WA653DE
14    WA653SN
17    AP6010SN-GN
19    AP6010DN-AGN
21    AP6310SN-GN
23    AP6510DN-AGN
25    AP6610DN-AGN
27    AP7110SN-GN
28    AP7110DN-AGN
29    AP5010SN-GN
30    AP5010DN-AGN
31    AP3010DN-AGN
33    AP6510DN-AGN-US
34    AP6610DN-AGN-US
------------------------------------------------------------------------------
Total number: 20

# Add the AP offline based on the AP type ID. Assume that the AP type is AP6010DN-AGN,
and the MAC address of the AP is 5489-9846-1dd4.
[AC-wlan-view] ap-auth-mode mac-auth
[AC-wlan-view] ap id 0 type-id 19 mac 5489-9846-1dd4
[AC-wlan-ap-0] quit
NOTE

The default AP authentication mode is MAC address authentication. If the default settings are retained, you do
not need to run the ap-auth-mode mac-auth command.

# Configure an AP region and add the AP to the AP region.


[AC-wlan-view] ap-region id 10
[AC-wlan-ap-region-10] quit
[AC-wlan-view] ap id 0
[AC-wlan-ap-0] region-id 10
[AC-wlan-ap-0] quit

# After powering on the AP, run the display ap all command on the AC to check the AP running
status. The command output shows that the AP status is normal.
[AC-wlan-view] display ap all
All AP information(Normal-1,UnNormal-0):
------------------------------------------------------------------------------
AP   AP             AP              Profile   AP       AP
ID   Type           MAC             /Region   State    Sysname
                                    ID
------------------------------------------------------------------------------
0    AP6010DN-AGN   5489-9846-1dd4  0/10      normal   ap-0
------------------------------------------------------------------------------
Total number: 1

Step 6 Configure WLAN service parameters.


# Create a WMM profile named wmm.
[AC-wlan-view] wmm-profile name wmm id 1
[AC-wlan-wmm-prof-wmm] quit

# Create a radio profile named radio and bind the WMM profile wmm to the radio profile.
[AC-wlan-view] radio-profile name radio id 1
[AC-wlan-radio-prof-radio] wmm-profile name wmm
[AC-wlan-radio-prof-radio] quit
[AC-wlan-view] quit

# Create WLAN-ESS interface 1.


NOTE

To enable the AC to allocate IP addresses to STAs, run the dhcp enable command on the WLAN-ESS
interface to enable DHCP on the AC.
[AC] interface wlan-ess 1
[AC-Wlan-Ess1] dhcp enable
[AC-Wlan-Ess1] port link-type hybrid
[AC-Wlan-Ess1] port hybrid pvid vlan 101
[AC-Wlan-Ess1] port hybrid untagged vlan 101
[AC-Wlan-Ess1] quit

# Create a security profile named security.


[AC] wlan
[AC-wlan-view] security-profile name security id 1
[AC-wlan-sec-prof-security] quit

# Create a traffic profile named traffic.


[AC-wlan-view] traffic-profile name traffic id 1
[AC-wlan-traffic-prof-traffic] quit

# Create a service set named test and bind the WLAN-ESS interface, security profile, and traffic
profile to the service set.
[AC-wlan-view] service-set name test id 1
[AC-wlan-service-set-test] ssid test
[AC-wlan-service-set-test] wlan-ess 1
[AC-wlan-service-set-test] security-profile name security
[AC-wlan-service-set-test] traffic-profile name traffic
[AC-wlan-service-set-test] service-vlan 101
[AC-wlan-service-set-test] forward-mode tunnel
[AC-wlan-service-set-test] quit

Step 7 Configure a WPA2 security policy.


[AC-wlan-view] security-profile name security
[AC-wlan-sec-prof-security] security-policy wpa2
[AC-wlan-sec-prof-security] wpa2 authentication-method psk pass-phrase simple 12345678 encryption-method ccmp
[AC-wlan-sec-prof-security] quit

Step 8 Configure a VAP and deliver VAP parameters to the AP.


# Configure a VAP.
[AC-wlan-view] ap 0 radio 0
[AC-wlan-radio-0/0] radio-profile name radio
Warning: Modify the Radio type may cause some parameters of Radio resume defaul
t value, are you sure to continue?[Y/N]:y
[AC-wlan-radio-0/0] service-set name test
[AC-wlan-radio-0/0] quit

# Commit the configuration.


[AC-wlan-view] commit ap 0
Warning: Committing configuration may cause service interruption,continue?[Y/N
]y

Step 9 Verify the configuration.


l The WLAN with SSID test is available for STAs connected to the AP.
l The wireless PC obtains an IP address after it associates with the WLAN. The STA can access
the WLAN after the wireless user enters the password.
----End

Configuration Files

l Configuration file of the AC wired side


#
sysname AC-LSW
#
vlan batch 100 to 101
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 101
#
interface XGigabitEthernet0/0/27
port link-type trunk
port trunk allow-pass vlan 100 to 101
#
return

l Configuration file of the AC wireless side


#
sysname AC
#
vlan batch 100 to 101
#
dhcp enable
#
wlan ac-global carrier id other ac id 1
#
interface Vlanif100
ip address 192.168.10.1 255.255.255.0
dhcp select interface
#
interface Vlanif101
ip address 192.168.11.1 255.255.255.0

dhcp select interface
#
interface XGigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100 to 101
#
interface WLAN-ESS1
port hybrid pvid vlan 101
port hybrid untagged vlan 101
dhcp enable
#
wlan
wlan ac source interface vlanif100
ap-region id 10
ap id 0 type-id 19 mac 60de-4476-e360 sn AB35015384
region-id 10
wmm-profile name wmm id 1
traffic-profile name traffic id 1
security-profile name security id 1
security-policy wpa2
wpa2 authentication-method psk pass-phrase simple 12345678 encryption-method ccmp
service-set name test id 1
forward-mode tunnel
wlan-ess 1
ssid test
traffic-profile id 1
security-profile id 1
service-vlan 101
radio-profile name radio id 1
wmm-profile id 1
ap 0 radio 0
radio-profile id 1
service-set id 1 wlan 1
#
return

Example for Configuring a WPA Security Policy (802.1x Authentication)
Networking Requirements
As shown in Figure 12-20, the enterprise's AC connects to the egress gateway (Router) and the
RADIUS server, and connects to the AP through SwitchA. The WLAN with the SSID of test is
available for employees to access network resources. The gateway also functions as a DHCP
server to provide IP addresses on the 10.10.10.0/24 network segment for STAs. The AC controls
and manages STAs.
Because the WLAN is open to users, there are potential security risks to enterprise information
if no security policy is configured for the WLAN. The enterprise requires high information
security, so a WPA security policy using 802.1x authentication and CCMP encryption can be
configured. The RADIUS server authenticates STA identities. The AC must be configured to
function as an EAP relay so that it supports 802.1x authentication.

Figure 12-20 Networking diagram for configuring a WPA security policy (the AP connects to
SwitchA GE0/0/1; SwitchA GE0/0/2 connects to AC GE0/0/1; AC GE0/0/2 connects to Router
GE2/0/0, the gateway to the Internet; AC GE0/0/3 connects to the RADIUS server 12.1.1.1:1812;
STAs associate with the AP)

Configuration Roadmap
1. Configure WLAN basic services so that STAs can access the WLAN. This example uses
default configurations.
2. Configure a RADIUS server template, apply it to an AAA domain, and enable 802.1x
authentication on the wireless side of the AC.
3. Configure a WPA security policy using 802.1x authentication and CCMP encryption in a
security profile to ensure data security.
NOTE

l Ensure that the RADIUS server IP address, port number, and shared key are correct. When the AC
functions as an EAP relay, ensure that the RADIUS server supports the EAP protocol. Otherwise, the
RADIUS server cannot process 802.1x authentication requests.
l The AC6605 has a wired side and a wireless side. For details about how to log in to the wired and
wireless sides, see 11.1 Configuring User Login.

Table 12-7 Data plan

Configuration Item                 Data
Management VLAN                    VLAN 100
Service VLAN                       VLAN 101
Source interface on the AC         VLANIF 100: 192.168.10.1/24
AC carrier ID/AC ID                Other/1
AP region ID                       10
Service set                        l SSID: test
                                   l Data forwarding mode: tunnel forwarding
SwitchA VLAN                       VLAN 100
DHCP server                        l IP addresses that the AC assigns to APs:
                                     192.168.10.2 to 192.168.10.254/24
                                   l IP addresses that Router assigns to STAs:
                                     10.10.10.2 to 10.10.10.254/24
Gateway for the AP                 VLANIF 100: 192.168.10.1/24
Gateway for STAs                   VLANIF 101: 10.10.10.1/24
RADIUS authentication parameters   l IP address: 12.1.1.1
                                   l Authentication port number: 1812
                                   l Shared key: huawei
                                   l AAA domain: huawei.com
User name and password of STAs     l User name: test@huawei.com
                                   l Password: 123456

Procedure
Step 1 Configure the access switch.
# Add GigabitEthernet0/0/1 of SwitchA connected to the AP to VLAN 100 (management
VLAN), and add GE0/0/2 of SwitchA connected to the AC to VLAN 100.
NOTE

In this example, tunnel forwarding is used. In direct forwarding mode, configure port isolation on GE0/0/1
of the SwitchA connected to the AP. If port isolation is not configured, unnecessary packets are broadcast
in the VLAN or WLAN users of different APs cannot communicate with each other at Layer 2.
<Quidway> system-view
[Quidway] sysname SwitchA
[SwitchA] vlan batch 100
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/2] quit

Step 2 Configure the AC and Router to implement network connectivity.


# Configure the wired side of the AC. Add VLAN 100 tags to packets from
GigabitEthernet0/0/1, and allow XGE0/0/27 to forward these packets to the wireless side of the
AC.
<Quidway> system-view
[Quidway] sysname AC-LSW
[AC-LSW] vlan batch 100
[AC-LSW] interface gigabitethernet 0/0/1
[AC-LSW-GigabitEthernet0/0/1] port link-type trunk
[AC-LSW-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[AC-LSW-GigabitEthernet0/0/1] quit
[AC-LSW] interface xgigabitethernet 0/0/27
[AC-LSW-XGigabitEthernet0/0/27] port link-type trunk
[AC-LSW-XGigabitEthernet0/0/27] port trunk allow-pass vlan 100 102 103
[AC-LSW-XGigabitEthernet0/0/27] quit

# On the wired side of the AC, configure the interface connected to Router to transparently
transmit packets of VLAN 102.
[AC-LSW] vlan batch 102
[AC-LSW] interface gigabitethernet 0/0/2
[AC-LSW-GigabitEthernet0/0/2] port link-type trunk
[AC-LSW-GigabitEthernet0/0/2] port trunk allow-pass vlan 102
[AC-LSW-GigabitEthernet0/0/2] quit

# On the wired side of the AC, configure the interface connected to the RADIUS server to
transparently transmit packets of VLAN 103.
[AC-LSW] vlan batch 103
[AC-LSW] interface gigabitethernet 0/0/3
[AC-LSW-GigabitEthernet0/0/3] port link-type trunk
[AC-LSW-GigabitEthernet0/0/3] port trunk allow-pass vlan 103
[AC-LSW-GigabitEthernet0/0/3] quit

# On the wireless side of the AC, configure XGE0/0/1 connected to the wired side to allow
packets of VLAN 100, VLAN 102, and VLAN 103 to pass through.
<Quidway> system-view
[Quidway] sysname AC
[AC] vlan batch 100 101 102 103
[AC] interface vlanif 100
[AC-Vlanif100] ip address 192.168.10.1 24
[AC-Vlanif100] quit
[AC] interface vlanif 101
[AC-Vlanif101] ip address 10.10.10.1 24
[AC-Vlanif101] quit
[AC] interface vlanif 102
[AC-Vlanif102] ip address 11.1.1.2 24
[AC-Vlanif102] quit
[AC] interface vlanif 103
[AC-Vlanif103] ip address 12.1.1.2 24
[AC-Vlanif103] quit
[AC] interface xgigabitethernet 0/0/1
[AC-XGigabitEthernet0/0/1] port link-type trunk
[AC-XGigabitEthernet0/0/1] port trunk allow-pass vlan 100 102 103
[AC-XGigabitEthernet0/0/1] quit

# On the wireless side of the AC, configure a static route.


[AC] ip route-static 0.0.0.0 0.0.0.0 11.1.1.1

# Configure Router to allow packets of VLAN 102 to pass through.


<Huawei> system-view
[Huawei] sysname Router
[Router] vlan batch 102
[Router] interface gigabitethernet 2/0/0
[Router-GigabitEthernet2/0/0] port link-type trunk
[Router-GigabitEthernet2/0/0] port trunk allow-pass vlan 102
[Router-GigabitEthernet2/0/0] quit
[Router] interface vlanif 102
[Router-Vlanif102] ip address 11.1.1.1 24
[Router-Vlanif102] quit
[Router] ip route-static 10.10.10.0 24 11.1.1.2

Step 3 Configure an AAA domain to which a RADIUS server template is applied.
1. Configure a RADIUS server template, an AAA authentication scheme, and domain
information.
NOTE

Ensure that the AC and RADIUS server have the same shared key.
[AC] radius-server template radius_huawei
[AC-radius-radius_huawei] radius-server authentication 12.1.1.1 1812
[AC-radius-radius_huawei] radius-server shared-key simple huawei
[AC-radius-radius_huawei] quit
[AC] aaa
[AC-aaa] authentication-scheme radius_huawei
[AC-aaa-authen-radius_huawei] authentication-mode radius
[AC-aaa-authen-radius_huawei] quit
[AC-aaa] domain huawei.com
[AC-aaa-domain-huawei.com] authentication-scheme radius_huawei
[AC-aaa-domain-huawei.com] radius-server radius_huawei
[AC-aaa-domain-huawei.com] quit
[AC-aaa] quit
NOTE

After domain huawei.com is configured, the domain name is added to the authentication user name.

2. Test whether a STA can be authenticated using RADIUS authentication. A user name
test@huawei.com and password 123456 have been configured on the RADIUS server.
[AC] test-aaa test@huawei.com 123456 radius-template radius_huawei
Info: Account test succeed.
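The shared key in the NOTE above does two jobs in RADIUS: it hides the User-Password attribute and it signs the server's reply, so a mismatched key shows up as a reply the AC cannot verify rather than as a clear error. The Python simulation below is an added example, not part of this guide, and assumes that test-aaa sends a PAP Access-Request; it uses the key, user name and password configured above, with both ends simulated locally (RFC 2865).

```python
import hashlib
import hmac
import os
import struct

# Values taken from the configuration above; both ends of the exchange are simulated locally.
SHARED_KEY = b"huawei"
USER_NAME = b"test@huawei.com"      # domain name appended to the user name, as the NOTE above says
PASSWORD = b"123456"

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2


def attribute(atype, value):
    """Encode one attribute as Type, Length, Value (RFC 2865 section 5)."""
    return struct.pack("!BB", atype, len(value) + 2) + value


def parse_attributes(data):
    """Decode a sequence of Type/Length/Value attributes into a dict."""
    attrs, i = {}, 0
    while i < len(data):
        atype, alen = data[i], data[i + 1]
        attrs[atype] = data[i + 2:i + alen]
        i += alen
    return attrs


def hide_password(password, secret, request_auth):
    """RFC 2865 section 5.2: pad to 16-byte blocks and XOR each block with
    MD5(secret + previous ciphertext block), seeded with the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        key_block = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], key_block))
        out += prev
    return out


def reveal_password(hidden, secret, request_auth):
    """Server-side inverse of hide_password; a wrong secret yields garbage, not an error."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        key_block = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], key_block))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def build_access_request(identifier, secret, user, password, request_auth):
    """AC side: Access-Request carrying User-Name and the hidden User-Password."""
    attrs = attribute(ATTR_USER_NAME, user)
    attrs += attribute(ATTR_USER_PASSWORD, hide_password(password, secret, request_auth))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + request_auth + attrs


def server_respond(request, secret, users):
    """RADIUS server side: recover the password with its own copy of the key, decide, and
    sign the reply: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    _code, identifier, length = struct.unpack("!BBH", request[:4])
    request_auth = request[4:20]
    attrs = parse_attributes(request[20:length])
    password = reveal_password(attrs.get(ATTR_USER_PASSWORD, b""), secret, request_auth)
    code = ACCESS_ACCEPT if users.get(attrs.get(ATTR_USER_NAME)) == password else ACCESS_REJECT
    header = struct.pack("!BBH", code, identifier, 20)   # no reply attributes in this example
    return header + hashlib.md5(header + request_auth + secret).digest()


def verify_response(response, request_auth, secret):
    """AC side: accept the reply only if it was signed with the same shared key."""
    header, resp_auth, attrs = response[:4], response[4:20], response[20:]
    expected = hashlib.md5(header + request_auth + attrs + secret).digest()
    return hmac.compare_digest(expected, resp_auth)


def simulate_test_aaa(user, password, ac_key, server_key, users):
    """Simulated 'test-aaa': the outcomes an operator can see on the AC."""
    request_auth = os.urandom(16)
    request = build_access_request(7, ac_key, user, password, request_auth)
    response = server_respond(request, server_key, users)
    if not verify_response(response, request_auth, ac_key):
        return "Response Authenticator mismatch: shared keys differ"
    return "Account test succeed" if response[0] == ACCESS_ACCEPT else "Account test failed"
```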

Step 4 Configure the AC to assign IP addresses to the AP and Router to assign IP addresses to STAs.
# Configure the AC to assign IP addresses from an interface address pool to the AP.
[AC] dhcp enable
[AC] interface vlanif 100
[AC-Vlanif100] dhcp select interface
[AC-Vlanif100] quit

# Configure the AC as a DHCP relay and enable the DHCP relay to detect user entries.
[AC] dhcp relay detect enable
[AC] interface vlanif 101
[AC-Vlanif101] dhcp select relay
[AC-Vlanif101] dhcp relay server-ip 11.1.1.1
[AC-Vlanif101] quit

# Configure Router as a DHCP server to assign IP addresses to STAs.
[Router] dhcp enable
[Router] ip pool sta
[Router-ip-pool-sta] gateway-list 10.10.10.1
[Router-ip-pool-sta] network 10.10.10.0 mask 24
[Router-ip-pool-sta] quit
[Router] interface vlanif 102
[Router-Vlanif102] dhcp select global
[Router-Vlanif102] quit


Step 5 Configure AC system parameters.

# Configure the country code.
[AC] wlan ac-global country-code cn

# Configure the AC ID and carrier ID.
[AC] wlan ac-global ac id 1 carrier id other

# Configure the source interface.
[AC] wlan
[AC-wlan-view] wlan ac source interface vlanif 100

Step 6 Manage the AP on the AC.

# Check the AP type ID after obtaining the MAC address of the AP.
[AC-wlan-view] display ap-type all
All AP types information:
------------------------------------------------------------------------------
ID     Type
------------------------------------------------------------------------------
0      WA601
1      WA631
6      WA603SN
7      WA603DN
8      WA633SN
11     WA603DE
12     WA653DE
14     WA653SN
17     AP6010SN-GN
19     AP6010DN-AGN
21     AP6310SN-GN
23     AP6510DN-AGN
25     AP6610DN-AGN
27     AP7110SN-GN
28     AP7110DN-AGN
29     AP5010SN-GN
30     AP5010DN-AGN
31     AP3010DN-AGN
33     AP6510DN-AGN-US
34     AP6610DN-AGN-US
------------------------------------------------------------------------------
Total number: 20

# Add the AP offline based on the AP type ID. Assume that the AP type is AP6010DN-AGN,
and the MAC address of the AP is 5489-9846-1dd4.
[AC-wlan-view] ap-auth-mode mac-auth
[AC-wlan-view] ap id 0 type-id 19 mac 5489-9846-1dd4
[AC-wlan-ap-0] quit
NOTE

The default AP authentication mode is MAC address authentication. If the default settings are retained, you do
not need to run the ap-auth-mode mac-auth command.

# Configure an AP region and add the AP to the AP region.
[AC-wlan-view] ap-region id 10
[AC-wlan-ap-region-10] quit
[AC-wlan-view] ap id 0
[AC-wlan-ap-0] region-id 10
[AC-wlan-ap-0] quit

# After powering on the AP, run the display ap all command on the AC to check the AP running
status. The command output shows that the AP status is normal.
[AC-wlan-view] display ap all
All AP information(Normal-1,UnNormal-0):
------------------------------------------------------------------------------
AP    AP              AP               Profile   AP        AP
ID    Type            MAC              /Region   State     Sysname
                                       ID
------------------------------------------------------------------------------
0     AP6010DN-AGN    5489-9846-1dd4   0/10      normal    ap-0
------------------------------------------------------------------------------
Total number: 1

Step 7 Configure WLAN service parameters.

# Create a WMM profile named wmm.
[AC-wlan-view] wmm-profile name wmm id 1
[AC-wlan-wmm-prof-wmm] quit

# Create a radio profile named radio and bind the WMM profile wmm to the radio profile.
[AC-wlan-view] radio-profile name radio id 1
[AC-wlan-radio-prof-radio] wmm-profile name wmm
[AC-wlan-radio-prof-radio] quit
[AC-wlan-view] quit

# Create WLAN-ESS interface 1.
NOTE

To enable the AC to allocate IP addresses to STAs, run the dhcp enable command on the WLAN-ESS
interface to enable DHCP on the AC.
[AC] interface wlan-ess 1
[AC-Wlan-Ess1] dhcp enable
[AC-Wlan-Ess1] port link-type hybrid
[AC-Wlan-Ess1] port hybrid pvid vlan 101
[AC-Wlan-Ess1] port hybrid untagged vlan 101
[AC-Wlan-Ess1] quit

# Create a security profile named security.
[AC] wlan
[AC-wlan-view] security-profile name security id 1
[AC-wlan-sec-prof-security] quit

# Create a traffic profile named traffic.
[AC-wlan-view] traffic-profile name traffic id 1
[AC-wlan-traffic-prof-traffic] quit

# Create a service set named test and bind the WLAN-ESS interface, security profile, and traffic
profile to the service set.
[AC-wlan-view] service-set name test id 1
[AC-wlan-service-set-test] ssid test
[AC-wlan-service-set-test] wlan-ess 1
[AC-wlan-service-set-test] security-profile name security
[AC-wlan-service-set-test] traffic-profile name traffic
[AC-wlan-service-set-test] service-vlan 101
[AC-wlan-service-set-test] forward-mode tunnel
[AC-wlan-service-set-test] quit

Step 8 Enable 802.1x authentication on the WLAN-ESS interface.

[AC-wlan-view] quit
[AC] interface wlan-ess 1
[AC-Wlan-Ess1] dot1x-authentication enable
[AC-Wlan-Ess1] dot1x authentication-method eap
[AC-Wlan-Ess1] force-domain huawei.com
[AC-Wlan-Ess1] permit-domain huawei.com
[AC-Wlan-Ess1] quit

Step 9 Configure a WPA security policy.

[AC] wlan
[AC-wlan-view] security-profile name security
[AC-wlan-sec-prof-security] security-policy wpa
[AC-wlan-sec-prof-security] wpa authentication-method dot1x peap encryption-method ccmp
[AC-wlan-sec-prof-security] quit

Step 10 Configure a VAP and deliver VAP parameters to the AP.

# Configure a VAP.
[AC-wlan-view] ap 0 radio 0
[AC-wlan-radio-0/0] radio-profile name radio
Warning: Modify the Radio type may cause some parameters of Radio resume default value, are you sure to continue?[Y/N]:y
[AC-wlan-radio-0/0] service-set name test
[AC-wlan-radio-0/0] quit

# Commit the configuration.
[AC-wlan-view] commit ap 0
Warning: Committing configuration may cause service interruption,continue?[Y/N]y

Step 11 Verify the configuration.

- The WLAN with SSID test is available for STAs connected to the AP.
- The wireless PC obtains an IP address after it associates with the WLAN.
- Use the 802.1x authentication client on a STA and enter the correct user name and password.
The STA is authenticated and can access the WLAN. You must configure the client for PEAP
authentication.
Configuration on the Windows XP operating system:
1. On the Association tab page of the Wireless network properties dialog box, add
SSID test, set the authentication mode to WPA, encryption mode to CCMP, and
encryption algorithm to AES.
2. On the Authentication tab page, set EAP type to PEAP and click Properties. In the
Protected EAP Properties dialog box, deselect Validate server certificate and
click Configure. In the displayed dialog box, deselect Automatically use my
Windows logon name and password and click OK.
Configuration on the Windows 7 operating system:
1. Access the Manage wireless networks page, click Add, and select Manually
create a network profile. Add SSID test. Set the authentication mode to WPA-Enterprise,
the encryption mode to CCMP, and the algorithm to AES. Click Next.
2. Scan SSIDs and double-click SSID test. On the Security tab page, set EAP type to
PEAP and click Settings. In the displayed dialog box, deselect Validate server
certificate and click Configure. In the displayed dialog box, deselect
Automatically use my Windows logon name and password and click OK.

----End


Configuration Files
- Configuration file of the access switch
#
sysname SwitchA
#
vlan batch 100
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100
#
return

- Configuration file of Router
#
sysname Router
#
vlan batch 102
#
dhcp enable
#
ip pool sta
gateway-list 10.10.10.1
network 10.10.10.0 mask 255.255.255.0
#
interface Vlanif102
ip address 11.1.1.1 255.255.255.0
dhcp select global
#
interface GigabitEthernet2/0/0
port link-type trunk
port trunk allow-pass vlan 102
#
ip route-static 10.10.10.0 24 11.1.1.2
#
return

- Configuration file of the AC wired side
#
sysname AC-LSW
#
vlan batch 100 102 103
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100 101
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 102
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk allow-pass vlan 103
#
interface XGigabitEthernet0/0/27
port link-type trunk
port trunk allow-pass vlan 100 102 103
#
return

- Configuration file of the AC wireless side
#
sysname AC
#
vlan batch 100 to 103
#
dhcp enable
#
wlan ac-global carrier id other ac id 1
#
radius-server template radius_huawei
radius-server authentication 12.1.1.1 1812
radius-server shared-key simple huawei
#
aaa
authentication-scheme radius_huawei
authentication-mode radius
domain huawei.com
authentication-scheme radius_huawei
radius-server radius_huawei
#
interface Vlanif100
ip address 192.168.10.1 255.255.255.0
dhcp select interface
#
interface Vlanif101
ip address 10.10.10.1 255.255.255.0
dhcp select relay
dhcp relay server-ip 11.1.1.1
#
interface Vlanif102
ip address 11.1.1.2 255.255.255.0
#
interface Vlanif103
ip address 12.1.1.2 255.255.255.0
#
interface XGigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100 102 to 103
#
interface WLAN-ESS1
port hybrid pvid vlan 101
port hybrid untagged vlan 101
dot1x-authentication enable
dot1x authentication-method eap
permit-domain huawei.com
force-domain huawei.com
dhcp enable
#
wlan
wlan ac source interface Vlanif100
ap-region id 10
ap id 0 type-id 19 mac 60de-4476-e360 sn AB35015384
region-id 10
wmm-profile name wmm id 1
traffic-profile name traffic id 1
security-profile name security id 1
security-policy wpa
wpa authentication-method dot1x peap encryption-method ccmp
service-set name test id 1
forward-mode tunnel
wlan-ess 1
ssid test
traffic-profile id 1
security-profile id 1
service-vlan 101
radio-profile name radio id 1
wmm-profile id 1
ap 0 radio 0
radio-profile id 1
service-set id 1 wlan 1
#
return

Example for Configuring a WAPI Security Policy (Pre-shared Key Authentication)


Networking Requirements
As shown in Figure 12-21, the AP deployed in a resident's home is directly connected to the
AC. The WLAN with the SSID of test is available for residents to access the Internet. STAs
automatically obtain IP addresses.
Because the WLAN is open to users, there are potential security risks to user data. Users do not
require high WLAN security, so no extra authentication system is required. STAs support WAPI,
so a WAPI security policy using pre-shared key authentication can be configured. Unicast and
broadcast keys are updated based on time to secure data transmission.
Figure 12-21 Networking diagram for configuring a WAPI security policy (diagram: STAs - AP - GE0/0/1 AC GE0/0/2 - Internet; management VLAN: VLAN100, service VLAN: VLAN101, AP region ID: 10)

Configuration Roadmap
1. Configure WLAN basic services so that STAs can access the WLAN. This example uses
default configurations.
2. Configure a WAPI security policy using pre-shared key authentication in a security profile
to ensure data security.
NOTE

The AC6605 has the wired side and wireless side. XGE0/0/27 connects the wired side to the wireless side
and XGE0/0/1 connects the wireless side to the wired side. For details about the login modes on the wired
side and wireless side, see 11.1 Configuring User Login.

Procedure
Step 1 Configure the AC wired side and wireless side so that the AP and AC can transmit CAPWAP
packets.
# Configure the AC wired side: add wired-side interface GE0/0/1 to management VLAN 100,
and add XGE0/0/27 that connects the wired side to the wireless side to the same VLAN.
NOTE

In this example, tunnel forwarding is used. If direct forwarding is used, configure port isolation on GE0/0/1
that connects the AC wired side to the AP. If port isolation is not configured, many broadcast packets will
be transmitted in the VLANs or WLAN users on different APs can directly communicate at Layer 2.
<Quidway> system-view
[Quidway] sysname AC-LSW
[AC-LSW] vlan batch 100
[AC-LSW] interface gigabitethernet 0/0/1
[AC-LSW-GigabitEthernet0/0/1] port link-type trunk
[AC-LSW-GigabitEthernet0/0/1] port trunk pvid vlan 100
[AC-LSW-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[AC-LSW-GigabitEthernet0/0/1] quit
[AC-LSW] interface xgigabitethernet 0/0/27
[AC-LSW-XGigabitEthernet0/0/27] port link-type trunk
[AC-LSW-XGigabitEthernet0/0/27] port trunk allow-pass vlan 100
[AC-LSW-XGigabitEthernet0/0/27] quit

# Add XGE0/0/1 that connects the AC wireless side to the wired side to VLAN 100.
<Quidway> system-view
[Quidway] sysname AC
[AC] vlan batch 100
[AC] interface xgigabitethernet 0/0/1
[AC-XGigabitEthernet0/0/1] port link-type trunk
[AC-XGigabitEthernet0/0/1] port trunk allow-pass vlan 100
[AC-XGigabitEthernet0/0/1] quit

Step 2 Configure the AC to communicate with the upstream device.
NOTE

Configure AC uplink interfaces to transparently transmit packets of service VLANs as required and
communicate with the upstream device.

# Add XGE0/0/1 that connects the AC wireless side to the wired side to service VLAN 101.
[AC] vlan batch 101
[AC] interface xgigabitethernet 0/0/1
[AC-XGigabitEthernet0/0/1] port link-type trunk
[AC-XGigabitEthernet0/0/1] port trunk allow-pass vlan 101
[AC-XGigabitEthernet0/0/1] quit

# Add XGE0/0/27 that connects the AC wired side to the wireless side and AC uplink interface
GE0/0/2 to VLAN 101.
[AC-LSW] vlan batch 101
[AC-LSW] interface xgigabitethernet 0/0/27
[AC-LSW-XGigabitEthernet0/0/27] port link-type trunk
[AC-LSW-XGigabitEthernet0/0/27] port trunk allow-pass vlan 101
[AC-LSW-XGigabitEthernet0/0/27] quit
[AC-LSW] interface gigabitethernet 0/0/2
[AC-LSW-GigabitEthernet0/0/2] port link-type trunk
[AC-LSW-GigabitEthernet0/0/2] port trunk allow-pass vlan 101
[AC-LSW-GigabitEthernet0/0/2] quit

Step 3 Configure the AC as a DHCP server to allocate IP addresses to STAs and the AP.
# Configure the AC as the DHCP server to allocate an IP address to the AP from the IP address
pool on VLANIF 100, and allocate IP addresses to STAs from the IP address pool on VLANIF
101.
[AC] dhcp enable
[AC] interface vlanif 100
[AC-Vlanif100] ip address 192.168.10.1 24
[AC-Vlanif100] dhcp select interface
[AC-Vlanif100] quit
[AC] interface vlanif 101
[AC-Vlanif101] ip address 192.168.11.1 24
[AC-Vlanif101] dhcp select interface
[AC-Vlanif101] quit

Step 4 Configure AC system parameters.

# Configure the country code.
[AC] wlan ac-global country-code cn

# Configure the AC ID and carrier ID.
[AC] wlan ac-global ac id 1 carrier id other

# Configure the source interface.
[AC] wlan
[AC-wlan-view] wlan ac source interface vlanif 100

Step 5 Manage the AP on the AC.

# Check the AP type ID after obtaining the MAC address of the AP.
[AC-wlan-view] display ap-type all
All AP types information:
------------------------------------------------------------------------------
ID     Type
------------------------------------------------------------------------------
0      WA601
1      WA631
6      WA603SN
7      WA603DN
8      WA633SN
11     WA603DE
12     WA653DE
14     WA653SN
17     AP6010SN-GN
19     AP6010DN-AGN
21     AP6310SN-GN
23     AP6510DN-AGN
25     AP6610DN-AGN
27     AP7110SN-GN
28     AP7110DN-AGN
29     AP5010SN-GN
30     AP5010DN-AGN
31     AP3010DN-AGN
33     AP6510DN-AGN-US
34     AP6610DN-AGN-US
------------------------------------------------------------------------------
Total number: 20

# Add the AP offline based on the AP type ID. Assume that the AP type is AP6010DN-AGN,
and the MAC address of the AP is 5489-9846-1dd4.
[AC-wlan-view] ap-auth-mode mac-auth
[AC-wlan-view] ap id 0 type-id 19 mac 5489-9846-1dd4
[AC-wlan-ap-0] quit
NOTE

The default AP authentication mode is MAC address authentication. If the default settings are retained, you do
not need to run the ap-auth-mode mac-auth command.

# Configure an AP region and add the AP to the AP region.
[AC-wlan-view] ap-region id 10
[AC-wlan-ap-region-10] quit
[AC-wlan-view] ap id 0
[AC-wlan-ap-0] region-id 10
[AC-wlan-ap-0] quit


# After powering on the AP, run the display ap all command on the AC to check the AP running
status. The command output shows that the AP status is normal.
[AC-wlan-view] display ap all
All AP information(Normal-1,UnNormal-0):
------------------------------------------------------------------------------
AP    AP              AP               Profile   AP        AP
ID    Type            MAC              /Region   State     Sysname
                                       ID
------------------------------------------------------------------------------
0     AP6010DN-AGN    5489-9846-1dd4   0/10      normal    ap-0
------------------------------------------------------------------------------
Total number: 1

Step 6 Configure WLAN service parameters.

# Create a WMM profile named wmm.
[AC-wlan-view] wmm-profile name wmm id 1
[AC-wlan-wmm-prof-wmm] quit

# Create a radio profile named radio and bind the WMM profile wmm to the radio profile.
[AC-wlan-view] radio-profile name radio id 1
[AC-wlan-radio-prof-radio] wmm-profile name wmm
[AC-wlan-radio-prof-radio] quit
[AC-wlan-view] quit

# Create WLAN-ESS interface 1.
NOTE

To enable the AC to allocate IP addresses to STAs, run the dhcp enable command on the WLAN-ESS
interface to enable DHCP on the AC.
[AC] interface wlan-ess 1
[AC-Wlan-Ess1] dhcp enable
[AC-Wlan-Ess1] port link-type hybrid
[AC-Wlan-Ess1] port hybrid pvid vlan 101
[AC-Wlan-Ess1] port hybrid untagged vlan 101
[AC-Wlan-Ess1] quit

# Create a security profile named security.
[AC] wlan
[AC-wlan-view] security-profile name security id 1
[AC-wlan-sec-prof-security] quit

# Create a traffic profile named traffic.
[AC-wlan-view] traffic-profile name traffic id 1
[AC-wlan-traffic-prof-traffic] quit

# Create a service set named test and bind the WLAN-ESS interface, security profile, and traffic
profile to the service set.
[AC-wlan-view] service-set name test id 1
[AC-wlan-service-set-test] ssid test
[AC-wlan-service-set-test] wlan-ess 1
[AC-wlan-service-set-test] security-profile name security
[AC-wlan-service-set-test] traffic-profile name traffic
[AC-wlan-service-set-test] service-vlan 101
[AC-wlan-service-set-test] forward-mode tunnel
[AC-wlan-service-set-test] quit

Step 7 Configure a WAPI security policy.

[AC-wlan-view] security-profile name security
[AC-wlan-sec-prof-security] security-policy wapi
[AC-wlan-sec-prof-security] wapi authentication-method psk pass-phrase simple 01234567
[AC-wlan-sec-prof-security] wapi usk key-update time-based
[AC-wlan-sec-prof-security] wapi msk key-update time-based
[AC-wlan-sec-prof-security] wapi msk-update-interval 20000
[AC-wlan-sec-prof-security] wapi usk-update-interval 20000
[AC-wlan-sec-prof-security] quit

Step 8 Configure a VAP and deliver VAP parameters to the AP.

# Configure a VAP.
[AC-wlan-view] ap 0 radio 0
[AC-wlan-radio-0/0] radio-profile name radio
Warning: Modify the Radio type may cause some parameters of Radio resume default value, are you sure to continue?[Y/N]:y
[AC-wlan-radio-0/0] service-set name test
[AC-wlan-radio-0/0] quit

# Commit the configuration.
[AC-wlan-view] commit ap 0
Warning: Committing configuration may cause service interruption,continue?[Y/N]y

Step 9 Verify the configuration.

- The WLAN with SSID test is available for STAs connected to the AP.
- The wireless PC obtains an IP address after it associates with the WLAN. The STA can access
the WLAN after the wireless user enters the password.
----End

Configuration Files
- Configuration file of the AC wired side
#
sysname AC-LSW
#
vlan batch 100 to 101
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 101
#
interface XGigabitEthernet0/0/27
port link-type trunk
port trunk allow-pass vlan 100 to 101
#
return

- Configuration file of the AC wireless side
#
sysname AC
#
vlan batch 100 to 101
#
dhcp enable
#
wlan ac-global carrier id other ac id 1
#
interface Vlanif100
ip address 192.168.10.1 255.255.255.0
dhcp select interface
#
interface Vlanif101
ip address 192.168.11.1 255.255.255.0
dhcp select interface
#
interface XGigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100
#
interface Wlan-Ess1
port hybrid pvid vlan 101
port hybrid untagged vlan 101
dhcp enable
#
wlan
wlan ac source interface vlanif100
ap-region id 10
ap id 0 type-id 19 mac 60de-4476-e360 sn AB35015384
region-id 10
wmm-profile name wmm id 1
traffic-profile name traffic id 1
security-profile name security id 1
security-policy wapi
wapi authentication-method psk pass-phrase simple 01234567
wapi usk-update-interval 20000
wapi msk-update-interval 20000
service-set name test id 1
forward-mode tunnel
wlan-ess 1
ssid test
traffic-profile id 1
security-profile id 1
service-vlan 101
radio-profile name radio id 1
wmm-profile id 1
ap 0 radio 0
radio-profile id 1
service-set id 1 wlan 1
#
return
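As an added example that is not part of this guide, the following Python checker reads an AC configuration file in the form listed above (for this example and for the 802.1x example before it) and verifies the points that most often break a WLAN: every VLAN used on a trunk or as a PVID is created, each service set's service VLAN matches the PVID of its WLAN-ESS interface and, with tunnel forwarding, is allowed on some trunk, and the bound security profile has a policy and does not store its pre-shared key with the simple keyword. The embedded sample is this example's wireless-side file trimmed to the lines the checker examines; the interface names, dictionary layout and finding texts are the example's own.

```python
import re

# Constructed sample: the AC wireless-side configuration file of the WAPI pre-shared key example above, trimmed.
SAMPLE_CONFIG = """\
vlan batch 100 to 101
#
interface XGigabitEthernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 100
#
interface Wlan-Ess1
 port hybrid pvid vlan 101
#
wlan
 security-profile name security id 1
  security-policy wapi
  wapi authentication-method psk pass-phrase simple 01234567
 service-set name test id 1
  forward-mode tunnel
  wlan-ess 1
  security-profile id 1
  service-vlan 101
"""


def expand_vlans(spec):
    """Expand a VRP VLAN list such as '100 102 to 103' into a set of VLAN IDs."""
    vlans = set()
    for low, high in re.findall(r"(\d+)(?: to (\d+))?", spec):
        vlans.update(range(int(low), int(high or low) + 1))
    return vlans


def parse_config(text):
    """Collect VLANs, interfaces, security profiles and service sets; '#' ends a section, indentation is ignored."""
    cfg = {"vlans": set(), "ifaces": {}, "profiles": {}, "sets": {}}
    ctx = obj = None          # ctx: interface dict or "wlan"; obj: current object inside the wlan view
    for raw in text.splitlines():
        line = raw.strip()
        if line in ("", "#", "return"):
            ctx = obj = None
        elif line.startswith("vlan batch "):
            cfg["vlans"] |= expand_vlans(line[11:])
        elif line.startswith("interface "):
            ctx = cfg["ifaces"].setdefault(line[10:].lower(), {"link": None, "pvid": None, "allow": set()})
        elif line == "wlan":
            ctx = "wlan"
        elif ctx == "wlan":
            obj = parse_wlan_line(cfg, obj, line)
        elif isinstance(ctx, dict):
            if m := re.match(r"port link-type (\S+)", line):
                ctx["link"] = m.group(1)
            elif m := re.match(r"port (?:trunk|hybrid) pvid vlan (\d+)", line):
                ctx["pvid"] = int(m.group(1))
            elif m := re.match(r"port trunk allow-pass vlan (.+)", line):
                ctx["allow"] |= expand_vlans(m.group(1))
    return cfg


def parse_wlan_line(cfg, obj, line):
    """Return the security profile or service set that the following lines belong to."""
    if m := re.match(r"security-profile name (\S+) id (\d+)", line):
        cfg["profiles"][int(m.group(2))] = obj = {"name": m.group(1), "policy": None, "plaintext_key": False}
    elif m := re.match(r"service-set name (\S+) id (\d+)", line):
        cfg["sets"][m.group(1)] = obj = {"ess": None, "vlan": None, "profile": None, "mode": None}
    elif re.match(r"(\S+-profile name|ap |ap-region )", line):
        obj = None            # radio/WMM/traffic profiles and AP objects are not audited
    elif obj is not None and "policy" in obj:        # inside a security profile
        if m := re.match(r"security-policy (\S+)", line):
            obj["policy"] = m.group(1)
        elif re.search(r"\b(pass-phrase|key) simple\b", line):
            obj["plaintext_key"] = True      # 'simple' writes the secret to the file in clear text
    elif obj is not None:                            # inside a service set
        for key, pattern in (("ess", r"wlan-ess (\d+)"), ("vlan", r"service-vlan (\d+)"),
                             ("profile", r"security-profile id (\d+)"), ("mode", r"forward-mode (\S+)")):
            if m := re.match(pattern, line):
                obj[key] = m.group(1) if key == "mode" else int(m.group(1))
    return obj


def audit(cfg):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    for name, iface in cfg["ifaces"].items():
        for vlan in sorted((iface["allow"] | {iface["pvid"]}) - cfg["vlans"] - {None}):
            findings.append(f"VLAN {vlan} is used on {name} but not created with 'vlan batch'")
    trunk_vlans = set().union(*(i["allow"] for i in cfg["ifaces"].values() if i["link"] == "trunk"))
    for name, ss in cfg["sets"].items():
        ess = cfg["ifaces"].get(f"wlan-ess{ss['ess']}")
        if ess is None or ess["pvid"] != ss["vlan"]:
            findings.append(f"service set {name}: service VLAN {ss['vlan']} does not match the PVID of WLAN-ESS {ss['ess']}")
        if ss["mode"] == "tunnel" and ss["vlan"] not in trunk_vlans:
            findings.append(f"service set {name}: tunnel forwarding, but service VLAN {ss['vlan']} is not allowed on any trunk")
        prof = cfg["profiles"].get(ss["profile"])
        if prof is None or prof["policy"] is None:
            findings.append(f"service set {name}: security profile id {ss['profile']} is missing or has no security-policy")
        elif prof["plaintext_key"]:
            findings.append(f"security profile {prof['name']}: key stored in plaintext ('simple'); protect this file")
    return findings
```

On the listed file the checker reports two findings: VLAN 101 is not allowed on XGigabitEthernet0/0/1 (Step 2 of the procedure does add it, but the file as printed shows only VLAN 100), and the WAPI pre-shared key is stored with the simple keyword.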

Example for Configuring a WAPI Security Policy (Certificate Authentication)


Networking Requirements
As shown in Figure 12-22, the enterprise's AC connects to the egress gateway (Router) and
ASU certificate server, and connects to the AP through SwitchA. The WLAN with the SSID of
test is available for employees to access network resources. The gateway also functions as a
DHCP server to provide IP addresses on the 10.10.10.0/24 network segment for STAs. The AC
controls and manages STAs.
Because the WLAN is open to users, there are potential security risks to enterprise information
if no security policy is configured for the WLAN. To meet the enterprise's high information security
requirements and implement bidirectional authentication between the WLAN clients and server,
configure a WAPI security policy. Compared with WPA/WPA2, an ASU certificate server and
WPI encryption provide higher security for WLAN networks.

Figure 12-22 Networking diagram for configuring a WAPI security policy (diagram: STAs - AP - GE0/0/1 SwitchA GE0/0/2 - GE0/0/1 AC; AC GE0/0/2 - GE2/0/0 Router (gateway) - Internet; AC GE0/0/3 - ASU certificate server 12.1.1.1)
Table 12-8 Data plan

Configuration Item            Data
----------------------------  ------------------------------------------------------------------------
Management VLAN               VLAN 100
Service VLAN                  VLAN 101
Source interface on the AC    VLANIF 100: 192.168.100.1/24
AC carrier ID/AC ID           Other/1
AP region ID                  10
Service set                   - SSID: test
                              - Data forwarding mode: direct forwarding
SwitchA VLAN                  VLAN 100
DHCP server                   - IP addresses that the AC assigns to APs: 192.168.10.2 to 192.168.10.254/24
                              - IP addresses that Router assigns to STAs: 10.10.10.2 to 10.10.10.254/24
Gateway for the AP            VLANIF 100: 192.168.10.1/24
Gateway for STAs              VLANIF 101: 10.10.10.1/24
ASU certificate server        IP address: 12.1.1.1
Certificates saved on the AC  - AC certificate: flash:/ac.cer
                              - Certificate of the AC certificate issuer: flash:/asu.cer
                              - ASU certificate: flash:/asu.cer
                              - AC private key certificate: flash:/ac.cer

Configuration Roadmap
1. Configure WLAN basic services so that STAs can access the WLAN. This example uses
default configurations.
2. Configure a WAPI security policy using certificate authentication in a security profile and
import the obtained certificates to ensure data security.
NOTE

The AC6605 has the wired side and wireless side. XGE0/0/27 connects the wired side to the wireless side
and XGE0/0/1 connects the wireless side to the wired side. For details about the login modes on the wired
side and wireless side, see 11.1 Configuring User Login.

Procedure
Step 1 Configure the access switch.
# Add GigabitEthernet0/0/1 of SwitchA connected to the AP to VLAN 100 (management
VLAN), and add GE0/0/2 of SwitchA connected to the AC to VLAN 100.
NOTE

In this example, tunnel forwarding is used. In direct forwarding mode, configure port isolation on GE0/0/1
of the SwitchA connected to the AP. If port isolation is not configured, unnecessary packets are broadcast
in the VLAN or WLAN users of different APs cannot communicate with each other at Layer 2.
<Quidway> system-view
[Quidway] sysname SwitchA
[SwitchA] vlan batch 100
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/2] quit


Step 2 Configure the AC and Router to implement network connectivity.

# Configure the wired side of the AC. Add VLAN 100 tags to packets from
GigabitEthernet0/0/1, and allow XGE0/0/27 to forward these packets to the wireless side of the
AC.
<Quidway> system-view
[Quidway] sysname AC-LSW
[AC-LSW] vlan batch 100 102 103
[AC-LSW] interface gigabitethernet 0/0/1
[AC-LSW-GigabitEthernet0/0/1] port link-type trunk
[AC-LSW-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[AC-LSW-GigabitEthernet0/0/1] port-isolate enable
[AC-LSW-GigabitEthernet0/0/1] quit
[AC-LSW] interface xgigabitethernet 0/0/27
[AC-LSW-XGigabitEthernet0/0/27] port link-type trunk
[AC-LSW-XGigabitEthernet0/0/27] port trunk allow-pass vlan 100 102 103
[AC-LSW-XGigabitEthernet0/0/27] quit

# On the wired side of the AC, add the interface connected to Router to VLAN 102.
[AC-LSW] interface gigabitethernet 0/0/2
[AC-LSW-GigabitEthernet0/0/2] port link-type trunk
[AC-LSW-GigabitEthernet0/0/2] port trunk allow-pass vlan 102
[AC-LSW-GigabitEthernet0/0/2] quit

# On the wired side of the AC, add the interface connected to the ASU certificate server to VLAN
103.
[AC-LSW] interface gigabitethernet 0/0/3
[AC-LSW-GigabitEthernet0/0/3] port link-type trunk
[AC-LSW-GigabitEthernet0/0/3] port trunk allow-pass vlan 103
[AC-LSW-GigabitEthernet0/0/3] quit

# On the wireless side of the AC, configure XGE0/0/1 connected to the wired side to allow
packets of VLAN 100, VLAN 102, and VLAN 103 to pass through.
<Quidway> system-view
[Quidway] sysname AC
[AC] vlan batch 100 101 102 103
[AC] interface vlanif 100
[AC-Vlanif100] ip address 192.168.10.1 24
[AC-Vlanif100] quit
[AC] interface vlanif 101
[AC-Vlanif101] ip address 10.10.10.1 24
[AC-Vlanif101] quit
[AC] interface vlanif 102
[AC-Vlanif102] ip address 11.1.1.2 24
[AC-Vlanif102] quit
[AC] interface vlanif 103
[AC-Vlanif103] ip address 12.1.1.2 24
[AC-Vlanif103] quit
[AC] interface xgigabitethernet 0/0/1
[AC-XGigabitEthernet0/0/1] port link-type trunk
[AC-XGigabitEthernet0/0/1] port trunk allow-pass vlan 100 102 103
[AC-XGigabitEthernet0/0/1] quit

# On the wireless side of the AC, configure a static route.
[AC] ip route-static 0.0.0.0 0.0.0.0 11.1.1.1

# Configure Router to allow packets of VLAN 102 to pass through.
<Huawei> system-view
[Huawei] sysname Router
[Router] vlan batch 102
[Router] interface gigabitethernet 2/0/0
[Router-GigabitEthernet2/0/0] port link-type trunk
[Router-GigabitEthernet2/0/0] port trunk allow-pass vlan 102
[Router-GigabitEthernet2/0/0] quit
[Router] interface vlanif 102
[Router-Vlanif102] ip address 11.1.1.1 24
[Router-Vlanif102] quit
[Router] ip route-static 10.10.10.0 24 11.1.1.2

Step 3 Configure the AC to assign IP addresses to the AP and Router to assign IP addresses to STAs.
# Configure the AC to assign IP addresses from an interface address pool to the AP.
[AC] dhcp enable
[AC] interface vlanif 100
[AC-Vlanif100] dhcp select interface
[AC-Vlanif100] quit

# Configure the AC as a DHCP relay and enable the DHCP relay to detect user entries.
[AC] dhcp relay detect enable
[AC] interface vlanif 101
[AC-Vlanif101] dhcp select relay
[AC-Vlanif101] dhcp relay server-ip 11.1.1.1
[AC-Vlanif101] quit

# Configure Router as a DHCP server to assign IP addresses to STAs.
[Router] dhcp enable
[Router] ip pool sta
[Router-ip-pool-sta] gateway-list 10.10.10.1
[Router-ip-pool-sta] network 10.10.10.0 mask 24
[Router-ip-pool-sta] quit
[Router] interface vlanif 102
[Router-Vlanif102] dhcp select global
[Router-Vlanif102] quit

Step 4 Configure AC system parameters.

# Configure the country code.
[AC] wlan ac-global country-code cn

# Configure the AC ID and carrier ID.
[AC] wlan ac-global ac id 1 carrier id other

# Configure the source interface.
[AC] wlan
[AC-wlan-view] wlan ac source interface vlanif 100

Step 5 Manage the AP on the AC.

# Check the AP type ID after obtaining the MAC address of the AP.
[AC-wlan-view] display ap-type all
All AP types information:
------------------------------------------------------------------------------
ID     Type
------------------------------------------------------------------------------
0      WA601
1      WA631
6      WA603SN
7      WA603DN
8      WA633SN
11     WA603DE
12     WA653DE
14     WA653SN
17     AP6010SN-GN
19     AP6010DN-AGN
21     AP6310SN-GN
23     AP6510DN-AGN
25     AP6610DN-AGN
27     AP7110SN-GN
28     AP7110DN-AGN
29     AP5010SN-GN
30     AP5010DN-AGN
31     AP3010DN-AGN
33     AP6510DN-AGN-US
34     AP6610DN-AGN-US
------------------------------------------------------------------------------
Total number: 20

# Add the AP offline based on the AP type ID. Assume that the AP type is AP6010DN-AGN,
and the MAC address of the AP is 5489-9846-1dd4.
[AC-wlan-view] ap-auth-mode mac-auth
[AC-wlan-view] ap id 0 type-id 19 mac 5489-9846-1dd4
[AC-wlan-ap-0] quit
NOTE

The default AP authentication mode is MAC address authentication. If the default settings are retained, you do
not need to run the ap-auth-mode mac-auth command.

# Configure an AP region and add the AP to the AP region.


[AC-wlan-view] ap-region id 10
[AC-wlan-ap-region-10] quit
[AC-wlan-view] ap id 0
[AC-wlan-ap-0] region-id 10
[AC-wlan-ap-0] quit

# After powering on the AP, run the display ap all command on the AC to check the AP running
status. The command output shows that the AP status is normal.
[AC-wlan-view] display ap all
All AP information(Normal-1,UnNormal-0):
------------------------------------------------------------------------------
AP   AP             AP               Profile     AP       AP
ID   Type           MAC              /Region ID  State    Sysname
------------------------------------------------------------------------------
0    AP6010DN-AGN   5489-9846-1dd4   0/10        normal   ap-0
------------------------------------------------------------------------------
Total number: 1

Step 6 Configure WLAN service parameters.


# Create a WMM profile named wmm.
[AC-wlan-view] wmm-profile name wmm id 1
[AC-wlan-wmm-prof-wmm] quit

# Create a radio profile named radio and bind the WMM profile wmm to the radio profile.
[AC-wlan-view] radio-profile name radio id 1
[AC-wlan-radio-prof-radio] wmm-profile name wmm
[AC-wlan-radio-prof-radio] quit
[AC-wlan-view] quit

# Create WLAN-ESS interface 1.


NOTE

To enable the AC to allocate IP addresses to STAs, run the dhcp enable command on the WLAN-ESS
interface to enable DHCP on the AC.
[AC] interface wlan-ess 1
[AC-Wlan-Ess1] dhcp enable
[AC-Wlan-Ess1] port link-type hybrid
[AC-Wlan-Ess1] port hybrid pvid vlan 101
[AC-Wlan-Ess1] port hybrid untagged vlan 101
[AC-Wlan-Ess1] quit

# Create a security profile named security.


[AC] wlan
[AC-wlan-view] security-profile name security id 1
[AC-wlan-sec-prof-security] quit

# Create a traffic profile named traffic.


[AC-wlan-view] traffic-profile name traffic id 1
[AC-wlan-traffic-prof-traffic] quit

# Create a service set named test and bind the WLAN-ESS interface, security profile, and traffic
profile to the service set.
[AC-wlan-view] service-set name test id 1
[AC-wlan-service-set-test] ssid test
[AC-wlan-service-set-test] wlan-ess 1
[AC-wlan-service-set-test] security-profile name security
[AC-wlan-service-set-test] traffic-profile name traffic
[AC-wlan-service-set-test] service-vlan 101
[AC-wlan-service-set-test] forward-mode tunnel
[AC-wlan-service-set-test] quit

Step 7 Configure a WAPI security policy.


[AC-wlan-view] security-profile name security
[AC-wlan-sec-prof-security] security-policy wapi
[AC-wlan-sec-prof-security] wapi authentication-method certificate
[AC-wlan-sec-prof-security] wapi asu ip 12.1.1.1
[AC-wlan-sec-prof-security] wapi import certificate ac file-name flash:/ac.cer
[AC-wlan-sec-prof-security] wapi import certificate asu file-name flash:/asu.cer
[AC-wlan-sec-prof-security] wapi import certificate issuer file-name flash:/asu.cer
[AC-wlan-sec-prof-security] wapi import private-key file-name flash:/ac.cer
[AC-wlan-sec-prof-security] quit

Step 8 Configure a VAP and deliver VAP parameters to the AP.


# Configure a VAP.
[AC-wlan-view] ap 0 radio 0
[AC-wlan-radio-0/0] radio-profile name radio
Warning: Modify the Radio type may cause some parameters of Radio resume default value, are you sure to continue?[Y/N]:y
[AC-wlan-radio-0/0] service-set name test
[AC-wlan-radio-0/0] quit

# Commit the configuration.


[AC-wlan-view] commit ap 0
Warning: Committing configuration may cause service interruption,continue?[Y/N]y

Step 9 Verify the configuration.


- The WLAN with SSID test is available for STAs connected to the AP.
- The wireless PC obtains an IP address after it associates with the WLAN. The wireless PC
  is automatically authenticated and can access the WLAN.
----End

Configuration Files
- Configuration file of the access switch

#
sysname SwitchA
#
vlan batch 100
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100
#
return

- Configuration file of Router


#
sysname Router
#
vlan batch 102
#
dhcp enable
#
ip pool sta
gateway-list 10.10.10.1
network 10.10.10.0 mask 255.255.255.0
#
interface Vlanif102
ip address 11.1.1.1 255.255.255.0
dhcp select global
#
interface GigabitEthernet2/0/0
port link-type trunk
port trunk allow-pass vlan 102
#
ip route-static 10.10.10.0 24 11.1.1.2
#
return

- Configuration file of the AC wired side


#
sysname AC-LSW
#
vlan batch 100 102 to 103
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100 101
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 102
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk allow-pass vlan 103
#
interface XGigabitEthernet0/0/27
port link-type trunk
port trunk allow-pass vlan 100 102 103
#
return

- Configuration file of the AC wireless side


#
sysname AC
#
vlan batch 100 to 103
#

dhcp enable
#
wlan ac-global carrier id other ac id 1
#
interface Vlanif100
ip address 192.168.10.1 255.255.255.0
dhcp select interface
#
interface Vlanif101
ip address 10.10.10.1 255.255.255.0
dhcp select relay
dhcp relay server-ip 11.1.1.1
#
interface Vlanif102
ip address 11.1.1.2 255.255.255.0
#
interface Vlanif103
ip address 12.1.1.2 255.255.255.0
#
interface XGigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100 102 103
#
interface WLAN-ESS1
port hybrid pvid vlan 101
port hybrid untagged vlan 101
dhcp enable
wlan
wlan ac source interface Vlanif100
ap-region id 10
ap id 0 type-id 19 mac 60de-4476-e360 sn AB35015384
region-id 10
wmm-profile name wmm id 1
traffic-profile name traffic id 1
security-profile name security id 1
security-policy wapi
wapi asu ip 12.1.1.1
wapi authentication-method certificate
wapi import certificate ac file-name flash:/ac.cer
wapi import certificate asu file-name flash:/asu.cer
wapi import certificate issuer file-name flash:/asu.cer
wapi import private-key file-name flash:/ac.cer
service-set name test id 1
forward-mode tunnel
wlan-ess 1
ssid test
traffic-profile id 1
security-profile id 1
service-vlan 101
radio-profile name radio id 1
wmm-profile id 1
ap 0 radio 0
radio-profile id 1
service-set id 1 wlan 1
#
return

Example for Configuring MAC Address Authentication on the Wireless Side


Networking Requirements
As shown in Figure 12-23, the enterprise's AC connects to the egress gateway (Router) and
RADIUS server, and connects to the AP through SwitchA. The WLAN with the SSID of test is
available for wireless users and terminals to access network resources. The gateway also
functions as a DHCP server to provide IP addresses on the 10.10.10.0/24 network segment for
STAs. The AC controls and manages STAs.
The WLAN authentication client cannot be installed on wireless devices providing public
services, such as wireless printers and phones, so use MAC address authentication. The RADIUS
server authenticates wireless devices using their MAC addresses. No authentication is required
when STAs access the WLAN, facilitating the use of WLAN services.
Figure 12-23 Networking diagram for configuring MAC address authentication on the wireless
side
[Figure not reproduced. Labels recoverable from the diagram: Router (gateway to the Internet)
GE2/0/0 connects to AC GE0/0/2; the RADIUS server (12.1.1.1:1812) connects to AC GE0/0/3;
AC GE0/0/1 connects to SwitchA GE0/0/2; SwitchA GE0/0/1 connects to the AP, which serves the
STAs.]
Configuration Roadmap
1. Configure WLAN basic services so that STAs can access the WLAN. This example uses
   default configurations.
2. Configure a RADIUS server template and apply it to an AAA domain.
3. Configure MAC address authentication on the WLAN-ESS interface to authenticate STAs.

NOTE

The AC6605 has the wired side and wireless side. XGE0/0/27 connects the wired side to the wireless side
and XGE0/0/1 connects the wireless side to the wired side. For details about the login modes on the wired
side and wireless side, see 11.1 Configuring User Login.

Table 12-9 Data plan

Configuration Item            Data
WLAN service                  Open system authentication+non-encryption
Management VLAN               VLAN 100
Service VLAN                  VLAN 101
Source interface on the AC    VLANIF 100: 192.168.100.1/24
AC carrier ID/AC ID           Other/1
AP region ID                  10
Service set                   - SSID: test
                              - Data forwarding mode: direct forwarding
SwitchA VLAN                  VLAN 100
DHCP server                   - IP addresses that the AC assigns to APs:
                                192.168.10.2 to 192.168.10.254/24
                              - IP addresses that Router assigns to STAs:
                                10.10.10.2 to 10.10.10.254/24
Gateway for the AP            VLANIF 100: 192.168.10.1/24
Gateway for STAs              VLANIF 101: 10.10.10.1/24
RADIUS authentication         - IP address: 12.1.1.1
parameters                    - Port number: 1812
                              - Shared key: huawei
                              - AAA domain: huawei.com
MAC address of a STA          0011-2233-4455

Procedure
Step 1 Configure the access switch.
# Add GigabitEthernet0/0/1 of SwitchA connected to the AP to VLAN 100 (management
VLAN), and add GE0/0/2 of SwitchA connected to the AC to VLAN 100.
NOTE

In this example, tunnel forwarding is used. In direct forwarding mode, configure port isolation on GE0/0/1
of SwitchA, the interface connected to the AP. If port isolation is not configured, unnecessary packets are
broadcast in the VLAN, or WLAN users of different APs cannot communicate with each other at Layer 2.
<Quidway> system-view
[Quidway] sysname SwitchA
[SwitchA] vlan batch 100
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/2] quit

Step 2 Configure the AC and Router to implement network connectivity.


# Configure the wired side of the AC. Add VLAN 100 tags to packets from
GigabitEthernet0/0/1, and allow XGE0/0/27 to forward these packets to the wireless side of the
AC.
<Quidway> system-view
[Quidway] sysname AC-LSW
[AC-LSW] vlan batch 100 102 103
[AC-LSW] interface gigabitethernet 0/0/1
[AC-LSW-GigabitEthernet0/0/1] port link-type trunk
[AC-LSW-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[AC-LSW-GigabitEthernet0/0/1] port-isolate enable
[AC-LSW-GigabitEthernet0/0/1] quit
[AC-LSW] interface xgigabitethernet 0/0/27
[AC-LSW-XGigabitEthernet0/0/27] port link-type trunk
[AC-LSW-XGigabitEthernet0/0/27] port trunk allow-pass vlan 100 102 103
[AC-LSW-XGigabitEthernet0/0/27] quit

# On the wired side of the AC, configure the interface connected to Router to transparently
transmit packets of VLAN 102.
[AC-LSW] interface gigabitethernet 0/0/2
[AC-LSW-GigabitEthernet0/0/2] port link-type trunk
[AC-LSW-GigabitEthernet0/0/2] port trunk allow-pass vlan 102
[AC-LSW-GigabitEthernet0/0/2] quit

# On the wired side of the AC, configure the interface connected to the RADIUS server to
transparently transmit packets of VLAN 103.
[AC-LSW] interface gigabitethernet 0/0/3
[AC-LSW-GigabitEthernet0/0/3] port link-type trunk
[AC-LSW-GigabitEthernet0/0/3] port trunk allow-pass vlan 103
[AC-LSW-GigabitEthernet0/0/3] quit

# On the wireless side of the AC, configure XGE0/0/1 connected to the wired side to allow
packets of VLAN 100, VLAN 102, and VLAN 103 to pass through.
<Quidway> system-view
[Quidway] sysname AC
[AC] vlan batch 100 101 102 103
[AC] interface vlanif 100
[AC-Vlanif100] ip address 192.168.10.1 24
[AC-Vlanif100] quit
[AC] interface vlanif 101
[AC-Vlanif101] ip address 10.10.10.1 24
[AC-Vlanif101] quit
[AC] interface vlanif 102
[AC-Vlanif102] ip address 11.1.1.2 24
[AC-Vlanif102] quit
[AC] interface vlanif 103
[AC-Vlanif103] ip address 12.1.1.2 24
[AC-Vlanif103] quit
[AC] interface xgigabitethernet 0/0/1
[AC-XGigabitEthernet0/0/1] port link-type trunk
[AC-XGigabitEthernet0/0/1] port trunk allow-pass vlan 100 102 103
[AC-XGigabitEthernet0/0/1] quit

# On the wireless side of the AC, configure a static route.


[AC] ip route-static 0.0.0.0 0.0.0.0 11.1.1.1

# Configure Router to allow packets of VLAN 102 to pass through.


<Huawei> system-view
[Huawei] sysname Router
[Router] vlan batch 102
[Router] interface gigabitethernet 2/0/0
[Router-GigabitEthernet2/0/0] port link-type trunk
[Router-GigabitEthernet2/0/0] port trunk allow-pass vlan 102
[Router-GigabitEthernet2/0/0] quit
[Router] interface vlanif 102
[Router-Vlanif102] ip address 11.1.1.1 24
[Router-Vlanif102] quit
[Router] ip route-static 10.10.10.0 24 11.1.1.2

Step 3 Configure the AC to assign IP addresses to the AP and Router to assign IP addresses to STAs.
# Configure the AC to assign IP addresses from an interface address pool to the AP.
[AC] dhcp enable
[AC] interface vlanif 100
[AC-Vlanif100] dhcp select interface
[AC-Vlanif100] quit

# Configure the AC as a DHCP relay and enable the DHCP relay to detect user entries.
[AC] dhcp relay detect enable
[AC] interface vlanif 101
[AC-Vlanif101] dhcp select relay
[AC-Vlanif101] dhcp relay server-ip 11.1.1.1
[AC-Vlanif101] quit

# Configure Router as a DHCP server to assign IP addresses to STAs.


[Router] dhcp enable
[Router] ip pool sta
[Router-ip-pool-sta] gateway-list 10.10.10.1
[Router-ip-pool-sta] network 10.10.10.0 mask 24
[Router-ip-pool-sta] quit
[Router] interface vlanif 102
[Router-Vlanif102] dhcp select global
[Router-Vlanif102] quit

Step 4 Configure RADIUS authentication.


1. Configure a RADIUS server template, an AAA authentication scheme, and domain
   information.
   NOTE

   The STA sends its MAC address as the user name to the RADIUS server for authentication, so the
   AC needs to be disabled from adding a domain name to the user name.
   [AC] radius-server template radius_huawei
   [AC-radius-radius_huawei] radius-server authentication 12.1.1.1 1812
   [AC-radius-radius_huawei] radius-server shared-key simple huawei
   [AC-radius-radius_huawei] undo radius-server user-name domain-included
   [AC-radius-radius_huawei] quit
   [AC] aaa
   [AC-aaa] authentication-scheme radius_huawei
   [AC-aaa-authen-radius_huawei] authentication-mode radius
   [AC-aaa-authen-radius_huawei] quit
   [AC-aaa] domain huawei.com
   [AC-aaa-domain-huawei.com] authentication-scheme radius_huawei
   [AC-aaa-domain-huawei.com] radius-server radius_huawei
   [AC-aaa-domain-huawei.com] quit
   [AC-aaa] quit

2. Globally configure user names in MAC address authentication without the delimiter "-".
   [AC] mac-authen username macaddress format without-hyphen

3. Test whether a STA can be authenticated using RADIUS authentication. In MAC address
   authentication, the STA's MAC address is used as both the user name and the password.
   [AC] test-aaa 001122334455 001122334455 radius_huawei
   Info: Account test succeed.
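The exchange that Step 4 configures and that test-aaa exercises, written out as an added example in Python (it is not code from this guide or from Huawei): a NAS in the AC's role builds an RFC 2865 Access-Request carrying the STA MAC as both User-Name and PAP-hidden User-Password, a minimal RADIUS server checks it against a MAC allowlist, and the NAS verifies the Response Authenticator with the shared key before trusting the answer. The shared key huawei, the server address 12.1.1.1 and the STA MAC 0011-2233-4455 come from the data plan; the NAS-IP-Address 12.1.1.2 (the AC's Vlanif103 address in this example), the in-process allowlist server and the attribute-free reply are assumptions made for the example.

```python
"""Constructed RADIUS MAC-authentication exchange (RFC 2865, PAP)."""
import hashlib
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, CALLING_STATION_ID = 1, 2, 4, 31
SHARED_KEY = b"huawei"        # radius-server shared-key simple huawei (data plan)
NAS_IP = "12.1.1.2"           # assumption: AC Vlanif103 address facing the server
STA_MAC = "0011-2233-4455"    # MAC address of a STA (data plan)


def mac_username(mac: str, with_hyphen: bool = False) -> str:
    """User name the AC derives from a STA MAC; 'mac-authen username
    macaddress format without-hyphen' gives the hyphen-free form."""
    digits = mac.replace("-", "").replace(":", "").lower()
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return "-".join(digits[i:i + 4] for i in (0, 4, 8)) if with_hyphen else digits


def _xor_chain(data: bytes, secret: bytes, authenticator: bytes, decrypt: bool) -> bytes:
    """RFC 2865 section 5.2 User-Password hiding: each 16-byte block is XORed
    with MD5(secret + previous ciphertext block); the first block uses the
    Request Authenticator. The same loop serves both directions."""
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        keystream = hashlib.md5(secret + prev).digest()
        result = bytes(x ^ y for x, y in zip(block, keystream))
        out += result
        prev = block if decrypt else result   # always chain on the ciphertext
    return out


def pap_hide(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    padded = password + b"\x00" * (-len(password) % 16)   # pad to 16-byte multiple
    return _xor_chain(padded, secret, authenticator, decrypt=False)


def pap_reveal(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    return _xor_chain(hidden, secret, authenticator, decrypt=True).rstrip(b"\x00")


def _attr(kind: int, value: bytes) -> bytes:
    return bytes([kind, len(value) + 2]) + value       # Type, Length, Value


def build_access_request(ident: int, mac: str, secret: bytes,
                         authenticator: bytes = None) -> bytes:
    """NAS side: the MAC is sent as User-Name and (hidden) as User-Password."""
    req_auth = authenticator or os.urandom(16)
    user = mac_username(mac).encode()
    attrs = (_attr(USER_NAME, user)
             + _attr(USER_PASSWORD, pap_hide(user, secret, req_auth))
             + _attr(NAS_IP_ADDRESS, bytes(int(o) for o in NAS_IP.split(".")))
             + _attr(CALLING_STATION_ID, mac.encode()))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + req_auth + attrs


def _parse_attrs(data: bytes) -> dict:
    attrs, i = {}, 0
    while i < len(data):
        kind, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute")
        attrs[kind] = data[i + 2:i + length]
        i += length
    return attrs


def server_handle(packet: bytes, secret: bytes, allowed_macs: set) -> bytes:
    """Server side: accept only if the revealed password equals the user name
    and that MAC is on the allowlist; the reply is signed with the shared key."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet):
        raise ValueError("not a well-formed Access-Request")
    req_auth = packet[4:20]
    attrs = _parse_attrs(packet[20:length])
    user = attrs.get(USER_NAME, b"")
    password = pap_reveal(attrs.get(USER_PASSWORD, b""), secret, req_auth)
    ok = password == user and user.decode(errors="replace") in allowed_macs
    header = struct.pack("!BBH", ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, 20)
    # Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)
    return header + hashlib.md5(header + req_auth + secret).digest()


def client_verify(response: bytes, request: bytes, secret: bytes):
    """NAS side: True = accept, False = reject, None = unverifiable (bad ID,
    bad length or a Response Authenticator not made with our shared key)."""
    code, ident, length = struct.unpack("!BBH", response[:4])
    if ident != request[1] or length != len(response):
        return None
    expected = hashlib.md5(response[:4] + request[4:20]
                           + response[20:length] + secret).digest()
    if expected != response[4:20]:
        return None
    return code == ACCESS_ACCEPT
```

Because the credential is the MAC address itself, the shared key and the Response Authenticator check are all the AC has to tell a genuine server answer from a forged one; a key mismatch makes the server reject (the revealed password is garbage) and makes the NAS discard the reply as unverifiable. A production shared key should be long and random rather than the example's huawei.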

Step 5 Configure AC system parameters.


# Configure the country code.
[AC] wlan ac-global country-code cn

# Configure the AC ID and carrier ID.


[AC] wlan ac-global ac id 1 carrier id other

# Configure the source interface.


[AC] wlan
[AC-wlan-view] wlan ac source interface vlanif 100

Step 6 Manage the AP on the AC.


# Check the AP type ID after obtaining the MAC address of the AP.
[AC-wlan-view] display ap-type all
All AP types information:
------------------------------------------------------------------------------
ID    Type
------------------------------------------------------------------------------
0     WA601
1     WA631
6     WA603SN
7     WA603DN
8     WA633SN
11    WA603DE
12    WA653DE
14    WA653SN
17    AP6010SN-GN
19    AP6010DN-AGN
21    AP6310SN-GN
23    AP6510DN-AGN
25    AP6610DN-AGN
27    AP7110SN-GN
28    AP7110DN-AGN
29    AP5010SN-GN
30    AP5010DN-AGN
31    AP3010DN-AGN
33    AP6510DN-AGN-US
34    AP6610DN-AGN-US
------------------------------------------------------------------------------
Total number: 20

# Add the AP offline based on the AP type ID. Assume that the AP type is AP6010DN-AGN,
and the MAC address of the AP is 5489-9846-1dd4.
[AC-wlan-view] ap-auth-mode mac-auth
[AC-wlan-view] ap id 0 type-id 19 mac 5489-9846-1dd4
[AC-wlan-ap-0] quit
NOTE

The default AP authentication mode is MAC address authentication. If the default settings are retained, you do
not need to run the ap-auth-mode mac-auth command.

# Configure an AP region and add the AP to the AP region.


[AC-wlan-view] ap-region id 10
[AC-wlan-ap-region-10] quit
[AC-wlan-view] ap id 0
[AC-wlan-ap-0] region-id 10
[AC-wlan-ap-0] quit

# After powering on the AP, run the display ap all command on the AC to check the AP running
status. The command output shows that the AP status is normal.
[AC-wlan-view] display ap all
All AP information(Normal-1,UnNormal-0):
------------------------------------------------------------------------------
AP   AP             AP               Profile     AP       AP
ID   Type           MAC              /Region ID  State    Sysname
------------------------------------------------------------------------------
0    AP6010DN-AGN   5489-9846-1dd4   0/10        normal   ap-0
------------------------------------------------------------------------------
Total number: 1

Step 7 Configure WLAN service parameters.


# Create a WMM profile named wmm.
[AC-wlan-view] wmm-profile name wmm id 1
[AC-wlan-wmm-prof-wmm] quit

# Create a radio profile named radio and bind the WMM profile wmm to the radio profile.
[AC-wlan-view] radio-profile name radio id 1
[AC-wlan-radio-prof-radio] wmm-profile name wmm
[AC-wlan-radio-prof-radio] quit
[AC-wlan-view] quit

# Create WLAN-ESS interface 1.


NOTE

To enable the AC to allocate IP addresses to STAs, run the dhcp enable command on the WLAN-ESS
interface to enable DHCP on the AC.
[AC] interface wlan-ess 1
[AC-Wlan-Ess1] dhcp enable
[AC-Wlan-Ess1] port link-type hybrid
[AC-Wlan-Ess1] port hybrid pvid vlan 101
[AC-Wlan-Ess1] port hybrid untagged vlan 101
[AC-Wlan-Ess1] quit

# Create a security profile named security.


[AC] wlan
[AC-wlan-view] security-profile name security id 1
[AC-wlan-sec-prof-security] quit

# Create a traffic profile named traffic.


[AC-wlan-view] traffic-profile name traffic id 1
[AC-wlan-traffic-prof-traffic] quit

# Create a service set named test and bind the WLAN-ESS interface, security profile, and traffic
profile to the service set.
[AC-wlan-view] service-set name test id 1
[AC-wlan-service-set-test] ssid test
[AC-wlan-service-set-test] wlan-ess 1
[AC-wlan-service-set-test] security-profile name security
[AC-wlan-service-set-test] traffic-profile name traffic
[AC-wlan-service-set-test] service-vlan 101
[AC-wlan-service-set-test] forward-mode tunnel
[AC-wlan-service-set-test] quit

Step 8 Configure MAC address authentication on the WLAN-ESS interface.


[AC] interface wlan-ess 1
[AC-Wlan-Ess1] mac-authentication enable
[AC-Wlan-Ess1] force-domain huawei.com

[AC-Wlan-Ess1] permit-domain huawei.com


[AC-Wlan-Ess1] quit

Step 9 Configure a VAP and deliver VAP parameters to the AP.


# Configure a VAP.
[AC-wlan-view] ap 0 radio 0
[AC-wlan-radio-0/0] radio-profile name radio
Warning: Modify the Radio type may cause some parameters of Radio resume default value, are you sure to continue?[Y/N]:y
[AC-wlan-radio-0/0] service-set name test
[AC-wlan-radio-0/0] quit

# Commit the configuration.


[AC-wlan-view] commit ap 0
Warning: Committing configuration may cause service interruption,continue?[Y/N]y

Step 10 Verify the configuration.


- The WLAN with SSID test is available for STAs connected to the AP.
- After the WLAN function is enabled on wireless devices, they can access the WLAN and
  provide public services.
- After the STA connects to the WLAN, authentication is performed automatically. You can
  directly access the WLAN.
----End

Configuration Files
- Configuration file of the access switch


#
sysname SwitchA
#
vlan batch 100
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100
#
return

- Configuration file of Router


#
sysname Router
#
vlan batch 102
#
dhcp enable
#
ip pool sta
gateway-list 10.10.10.1
network 10.10.10.0 mask 255.255.255.0
#
interface Vlanif102
ip address 11.1.1.1 255.255.255.0
dhcp select global
#
interface GigabitEthernet2/0/0

port link-type trunk


port trunk allow-pass vlan 102
#
ip route-static 10.10.10.0 24 11.1.1.2
#
return

- Configuration file of the AC wired side


#
sysname AC-LSW
#
vlan batch 100 102 to 103
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 102
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk allow-pass vlan 103
#
interface XGigabitEthernet0/0/27
port link-type trunk
port trunk allow-pass vlan 100 102 to 103
#
return

- Configuration file of the AC wireless side


#
sysname AC
#
vlan batch 100 to 103
#
dhcp enable
#
wlan ac-global carrier id other ac id 1
#
radius-server template radius_huawei
radius-server authentication 12.1.1.1 1812
radius-server shared-key simple huawei
undo radius-server user-name domain-included
#
aaa
authentication-scheme radius_huawei
authentication-mode radius
domain huawei.com
authentication-scheme radius_huawei
radius-server radius_huawei
#
mac-authen username macaddress format without-hyphen
#
interface Vlanif100
ip address 192.168.10.1 255.255.255.0
dhcp select interface
#
interface Vlanif101
ip address 10.10.10.1 255.255.255.0
dhcp select relay
dhcp relay server-ip 11.1.1.1
#
interface Vlanif102
ip address 11.1.1.2 255.255.255.0
#
interface Vlanif103
ip address 12.1.1.2 255.255.255.0
#

interface XGigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100 102 to 103
#
interface Wlan-Ess1
port hybrid pvid vlan 101
port hybrid untagged vlan 101
mac-authentication enable
permit-domain huawei.com
force-domain huawei.com
dhcp enable
wlan
wlan ac source interface Vlanif100
ap-region id 10
ap id 0 type-id 19 mac 60de-4476-e360 sn AB35015384
region-id 10
wmm-profile name wmm id 1
traffic-profile name traffic id 1
security-profile name security id 1
service-set name test id 1
forward-mode tunnel
wlan-ess 1
ssid test
traffic-profile id 1
security-profile id 1
service-vlan 101
radio-profile name radio id 1
wmm-profile id 1
ap 0 radio 0
radio-profile id 1
service-set id 1 wlan 1
#
return
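A consistency check over the configuration files above, added here as an example (not code from this guide or from Huawei): the AC6605 splits the wired side (AC-LSW) from the wireless side (AC), so a VLAN that is allowed on a trunk but never created, or that is allowed on XGE0/0/27 but not on XGE0/0/1, silently breaks the data plan. The two sample inputs are trimmed copies of this example's wired-side and wireless-side configuration files; the parser assumes VRP's vlan batch, interface, port trunk allow-pass vlan and # view-closing conventions and reads nothing else, and the inter-side link is taken to be XGE0/0/27 to XGE0/0/1 as the NOTE in the Configuration Roadmap states.

```python
"""Check trunk VLAN consistency across the AC wired/wireless split."""

# Sample inputs: trimmed copies of the configuration files of this example
# (AAA, WLAN-ESS and wlan sections omitted because the check does not read them).
WIRED_CFG = """\
#
sysname AC-LSW
#
vlan batch 100 102 to 103
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk allow-pass vlan 102
#
interface GigabitEthernet0/0/3
 port link-type trunk
 port trunk allow-pass vlan 103
#
interface XGigabitEthernet0/0/27
 port link-type trunk
 port trunk allow-pass vlan 100 102 to 103
#
return
"""

WIRELESS_CFG = """\
#
sysname AC
#
vlan batch 100 to 103
#
interface XGigabitEthernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 100 102 to 103
#
return
"""


def expand_vlans(spec: str) -> set:
    """Expand a VRP VLAN list such as '100 102 to 103' into {100, 102, 103}."""
    toks = spec.split()
    vlans, i = set(), 0
    while i < len(toks):
        if i + 2 < len(toks) and toks[i + 1] == "to":
            vlans.update(range(int(toks[i]), int(toks[i + 2]) + 1))
            i += 3
        else:
            vlans.add(int(toks[i]))
            i += 1
    return vlans


def parse_vrp(text: str):
    """Return (created VLANs, {trunk port: allowed VLANs}) from a VRP config."""
    created, trunks, port = set(), {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("vlan batch "):
            created |= expand_vlans(line[len("vlan batch "):])
        elif line.startswith("interface "):
            port = line.split(None, 1)[1]
        elif line == "#":
            port = None                      # '#' closes the current view
        elif line.startswith("port trunk allow-pass vlan ") and port:
            trunks.setdefault(port, set()).update(
                expand_vlans(line[len("port trunk allow-pass vlan "):]))
    return created, trunks


def check_vlan_plan(wired_cfg: str, wireless_cfg: str,
                    link=("XGigabitEthernet0/0/27", "XGigabitEthernet0/0/1")):
    """Findings: trunk VLANs not created on that side, and a VLAN set mismatch
    between the two ends of the inter-side link. Empty list means consistent."""
    findings = []
    sides = {"wired": parse_vrp(wired_cfg), "wireless": parse_vrp(wireless_cfg)}
    for side, (created, trunks) in sides.items():
        for port, allowed in trunks.items():
            missing = sorted(allowed - created)
            if missing:
                findings.append(f"{side} {port}: allow-pass VLANs not created: {missing}")
    a = sides["wired"][1].get(link[0], set())
    b = sides["wireless"][1].get(link[1], set())
    if a != b:
        findings.append(f"inter-side link mismatch: {link[0]} carries {sorted(a)}, "
                        f"{link[1]} carries {sorted(b)}")
    return findings


if __name__ == "__main__":
    for line in check_vlan_plan(WIRED_CFG, WIRELESS_CFG) or ["VLAN plan is consistent"]:
        print(line)
```

Run against the wired-side file of the WAPI example earlier on this page, the same check would flag GigabitEthernet0/0/1, whose allow-pass list names VLAN 101 while vlan batch there creates only 100 and 102 to 103.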

Example for Configuring Portal Authentication on the Wireless Side


Networking Requirements
As shown in Figure 12-24, the AC deployed in an open place connects to the egress gateway
(Router), RADIUS server, and Portal server, and connects to the AP through SwitchA. The
WLAN with the SSID of test is available for users to access network resources. The gateway
also functions as a DHCP server to provide IP addresses on the 10.10.10.0/24 network segment
for STAs. The AC controls and manages STAs.
Because the WLAN is open to users, there are potential security risks. To facilitate access to the
WLAN, use the default security policy on the AC. STAs are not authenticated and data is not
encrypted. To uniformly manage STAs and allow only paid users to access the Internet, configure
Portal authentication on the AC. Any user who attempts to access the Internet is redirected to
the Portal authentication web page. A paid user connects to the Internet after entering the user
name and password, and the RADIUS server starts accounting. An unpaid user must pay for the
WLAN service and use the obtained user name and password to complete Portal authentication.
Generally, the Portal authentication web page provides the paying function.

Figure 12-24 Networking diagram for configuring Portal authentication on the wireless side
[Figure not reproduced. Labels recoverable from the diagram: Router (gateway to the Internet)
GE2/0/0 connects to AC GE0/0/2; the Portal server (13.1.1.1) connects to AC GE0/0/4; the
RADIUS server (12.1.1.1, authentication port 1812, accounting port 1813) connects to AC
GE0/0/3; AC GE0/0/1 connects to SwitchA GE0/0/2; SwitchA GE0/0/1 connects to the AP, which
serves the STAs.]

Table 12-10 Data plan

Configuration Item              Data
WLAN service                    Open system authentication+non-encryption
Management VLAN                 VLAN 100
Service VLAN                    VLAN 101
Source interface on the AC      VLANIF 100: 192.168.100.1/24
AC carrier ID/AC ID             Other/1
AP region ID                    10
Service set                     - SSID: test
                                - Data forwarding mode: tunnel forwarding
SwitchA VLAN                    VLAN 100
DHCP server                     - IP addresses that the AC assigns to APs:
                                  192.168.10.2 to 192.168.10.254/24
                                - IP addresses that Router assigns to STAs:
                                  10.10.10.2 to 10.10.10.254/24
Gateway for the AP              VLANIF 100: 192.168.10.1/24
Gateway for STAs                VLANIF 101: 10.10.10.1/24
RADIUS server parameters        - Server IP address: 12.1.1.1
                                - Authentication port number: 1812
                                - Accounting port number: 1813
                                - Shared key: huawei
                                - AAA domain: huawei.com
User name and password of STAs  - User name: test@huawei.com
                                - Password: 123456
Portal server parameters        - Server IP address: 13.1.1.1
                                - Authentication port number: 50100
                                - Shared key: huawei

Configuration Roadmap
1. Configure WLAN basic services so that STAs can access the WLAN. This example uses
   default configurations.
2. Configure a RADIUS server template, apply it to an AAA domain, and use a RADIUS
   server to authenticate STAs' identities and perform accounting.
3. Configure Portal authentication. Hypertext Transfer Protocol (HTTP) request packets from
   a user are redirected to the web page of the Portal server. After the user enters identity
   information, the STA sends the user identity information to the RADIUS server.
NOTE

The AC6605 has the wired side and wireless side. XGE0/0/27 connects the wired side to the wireless side
and XGE0/0/1 connects the wireless side to the wired side. For details about the login modes on the wired
side and wireless side, see 11.1 Configuring User Login.

Procedure
Step 1 Configure the access switch.
# Add GigabitEthernet0/0/1 of SwitchA connected to the AP to VLAN 100 (management
VLAN), and add GE0/0/2 of SwitchA connected to the AC to VLAN 100.
NOTE

In this example, tunnel forwarding is used. In direct forwarding mode, configure port isolation on GE0/0/1
of SwitchA, the interface connected to the AP. If port isolation is not configured, unnecessary packets are
broadcast in the VLAN, or WLAN users of different APs cannot communicate with each other at Layer 2.
<Quidway> system-view
[Quidway] sysname SwitchA
[SwitchA] vlan batch 100
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/2] quit

Step 2 Configure the AC and Router to implement network connectivity.


# Configure the wired side of the AC. Add VLAN 100 tags to packets from
GigabitEthernet0/0/1, and allow XGE0/0/27 to forward these packets to the wireless side of the
AC.
<Quidway> system-view
[Quidway] sysname AC-LSW
[AC-LSW] vlan batch 100 102 103 104
[AC-LSW] interface gigabitethernet 0/0/1
[AC-LSW-GigabitEthernet0/0/1] port link-type trunk
[AC-LSW-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[AC-LSW-GigabitEthernet0/0/1] port-isolate enable
[AC-LSW-GigabitEthernet0/0/1] quit
[AC-LSW] interface xgigabitethernet 0/0/27
[AC-LSW-XGigabitEthernet0/0/27] port link-type trunk
[AC-LSW-XGigabitEthernet0/0/27] port trunk allow-pass vlan 100 102 103 104
[AC-LSW-XGigabitEthernet0/0/27] quit

# On the wired side of the AC, add the interface connected to Router to VLAN 102.
[AC-LSW] interface gigabitethernet 0/0/2
[AC-LSW-GigabitEthernet0/0/2] port link-type trunk
[AC-LSW-GigabitEthernet0/0/2] port trunk allow-pass vlan 102
[AC-LSW-GigabitEthernet0/0/2] quit

# On the wired side of the AC, add the interface connected to the RADIUS server to VLAN 103.
[AC-LSW] interface gigabitethernet 0/0/3
[AC-LSW-GigabitEthernet0/0/3] port link-type trunk
[AC-LSW-GigabitEthernet0/0/3] port trunk allow-pass vlan 103
[AC-LSW-GigabitEthernet0/0/3] quit

# On the wired side of the AC, add the interface connected to the Portal server to VLAN 104.
[AC-LSW] interface gigabitethernet 0/0/4
[AC-LSW-GigabitEthernet0/0/4] port link-type trunk
[AC-LSW-GigabitEthernet0/0/4] port trunk allow-pass vlan 104
[AC-LSW-GigabitEthernet0/0/4] quit

# On the wireless side of the AC, configure XGE0/0/1 connected to the wired side to allow
packets of VLAN 100, VLAN 102, VLAN 103, and VLAN 104 to pass through.
<Quidway> system-view
[Quidway] sysname AC
[AC] vlan batch 100 101 102 103 104
[AC] interface vlanif 100
[AC-Vlanif100] ip address 192.168.10.1 24
[AC-Vlanif100] quit
[AC] interface vlanif 101
[AC-Vlanif101] ip address 10.10.10.1 24
[AC-Vlanif101] quit
[AC] interface vlanif 102
[AC-Vlanif102] ip address 11.1.1.2 24
[AC-Vlanif102] quit
[AC] interface vlanif 103

Issue 04 (2013-06-15)

Huawei Proprietary and Confidential


Copyright Huawei Technologies Co., Ltd.

2115

AC6605 Access Controller


Configuration Guide

12 Configuration Guide - WLAN

[AC-Vlanif103] ip address 12.1.1.2 24


[AC-Vlanif103] quit
[AC] interface vlanif 104
[AC-Vlanif104] ip address 13.1.1.2 24
[AC-Vlanif104] quit
[AC] interface xgigabitethernet 0/0/1
[AC-XGigabitEthernet0/0/1] port link-type trunk
[AC-XGigabitEthernet0/0/1] port trunk allow-pass vlan 100 102 103 104
[AC-XGigabitEthernet0/0/1] quit

# On the wireless side of the AC, configure a static route.


[AC] ip route-static 0.0.0.0 0.0.0.0 11.1.1.1

# Configure Router to allow packets of VLAN 102 to pass through.


<Huawei> system-view
[Huawei] sysname Router
[Router] vlan batch 102
[Router] interface gigabitethernet 2/0/0
[Router-GigabitEthernet2/0/0] port link-type trunk
[Router-GigabitEthernet2/0/0] port trunk allow-pass vlan 102
[Router-GigabitEthernet2/0/0] quit
[Router] interface vlanif 102
[Router-Vlanif102] ip address 11.1.1.1 24
[Router-Vlanif102] quit
[Router] ip route-static 10.10.10.0 24 11.1.1.2

Step 3 Configure the AC to assign IP addresses to the AP and Router to assign IP addresses to STAs.
# Configure the AC to assign IP addresses from an interface address pool to the AP.
[AC] dhcp enable
[AC] interface vlanif 100
[AC-Vlanif100] dhcp select interface
[AC-Vlanif100] quit

# Configure the AC as a DHCP relay and enable the DHCP relay to detect user entries.
[AC] dhcp relay detect enable
[AC] interface vlanif 101
[AC-Vlanif101] dhcp select relay
[AC-Vlanif101] dhcp relay server-ip 11.1.1.1
[AC-Vlanif101] quit

# Configure Router as a DHCP server to assign IP addresses to STAs.


[Router] dhcp enable
[Router] ip pool sta
[Router-ip-pool-sta] gateway-list 10.10.10.1
[Router-ip-pool-sta] network 10.10.10.0 mask 24
[Router-ip-pool-sta] quit
[Router] interface vlanif 102
[Router-Vlanif102] dhcp select global
[Router-Vlanif102] quit

Step 4 Configure RADIUS authentication and accounting.


# Configure a RADIUS server template, an AAA authentication scheme, an AAA accounting
scheme, and domain information.
[AC] radius-server template radius_huawei
[AC-radius-radius_huawei] radius-server authentication 12.1.1.1 1812
[AC-radius-radius_huawei] radius-server accounting 12.1.1.1 1813
[AC-radius-radius_huawei] radius-server shared-key simple huawei
[AC-radius-radius_huawei] quit
[AC] aaa
[AC-aaa] authentication-scheme radius_huawei
[AC-aaa-authen-radius_huawei] authentication-mode radius
[AC-aaa-authen-radius_huawei] quit

[AC-aaa] accounting-scheme radius_huawei


[AC-aaa-accounting-radius_huawei] accounting-mode radius
[AC-aaa-accounting-radius_huawei] quit
[AC-aaa] domain huawei.com
[AC-aaa-domain-huawei.com] authentication-scheme radius_huawei
[AC-aaa-domain-huawei.com] accounting-scheme radius_huawei
[AC-aaa-domain-huawei.com] radius-server radius_huawei
[AC-aaa-domain-huawei.com] quit
[AC-aaa] quit

# Test whether a STA can be authenticated using RADIUS authentication.


[AC] test-aaa test@huawei.com 123456 radius-template radius_huawei
Info: Account test succeed.
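The test-aaa command above makes the AC send a RADIUS Access-Request for a PAP user and report whether the server accepted it. The Python script below is added here as an illustration; it is not taken from the guide or from Huawei's implementation. It builds that request the way RFC 2865 specifies, using the shared key, account and AC address from this example (12.1.1.2 on VLANIF 103 is assumed to be the NAS-IP-Address the AC reports), and then shows that anyone holding the shared key and a captured request recovers the password. That is why the shared key on a RADIUS template must be long and random rather than the placeholder used in this example.

```python
import hashlib
import os
import struct

# Values taken from the page: the shared key configured with
# "radius-server shared-key simple huawei" and the account passed to
# "test-aaa test@huawei.com 123456". 12.1.1.2 is the AC's VLANIF 103 address
# (assumed here to be what the AC reports as NAS-IP-Address).
SHARED_SECRET = b"huawei"
USERNAME = b"test@huawei.com"
PASSWORD = b"123456"
NAS_IP = "12.1.1.2"

ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2
ATTR_NAS_IP_ADDRESS = 4


def hide_password(password, secret, authenticator):
    """RFC 2865 section 5.2: pad the password to a multiple of 16 octets, then
    XOR each block with MD5(secret + previous block); the first block uses the
    16-octet Request Authenticator in place of a previous block."""
    if len(password) > 128:
        raise ValueError("User-Password is limited to 128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out, prev = out + block, block
    return out


def reveal_password(hidden, secret, authenticator):
    """Inverse of hide_password. Whoever holds the shared secret and a captured
    Access-Request recovers the password, so the secret is the only protection
    a PAP exchange has. Trailing NUL padding is stripped."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def attribute(attr_type, value):
    """Type-Length-Value encoding; Length covers the two header octets."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(username, password, secret, nas_ip, identifier=1,
                         authenticator=None):
    """Build the Access-Request an AC sends for a PAP user. The Request
    Authenticator must be fresh and unpredictable; it is injectable only so
    the result can be checked deterministically."""
    if authenticator is None:
        authenticator = os.urandom(16)
    attrs = (attribute(ATTR_USER_NAME, username)
             + attribute(ATTR_USER_PASSWORD, hide_password(password, secret, authenticator))
             + attribute(ATTR_NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + authenticator + attrs


def parse_packet(packet):
    """Return (code, identifier, authenticator, {type: value}) for a RADIUS packet."""
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or length < 20:
        raise ValueError("bad RADIUS length field")
    attrs, pos = {}, 20
    while pos < length:
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("malformed attribute")
        attrs[attr_type] = packet[pos + 2:pos + attr_len]
        pos += attr_len
    return code, identifier, packet[4:20], attrs


if __name__ == "__main__":
    pkt = build_access_request(USERNAME, PASSWORD, SHARED_SECRET, NAS_IP)
    code, ident, auth, attrs = parse_packet(pkt)
    print(f"code={code} id={ident} hidden User-Password={attrs[ATTR_USER_PASSWORD].hex()}")
    print("recovered with the shared key:",
          reveal_password(attrs[ATTR_USER_PASSWORD], SHARED_SECRET, auth))
```

The Request Authenticator changes on every request, so the hidden User-Password differs each time, but that only stops replay of the ciphertext; it does not protect the password from anyone who knows the shared key. Use a key of at least 16 random characters and store it with the cipher keyword rather than simple.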

Step 5 Configure Portal authentication.


# Configure Portal server parameters.
[AC] web-auth-server test
[AC-web-auth-server-test] server-ip 13.1.1.1
[AC-web-auth-server-test] port 50100
[AC-web-auth-server-test] shared-key simple huawei
[AC-web-auth-server-test] url http://13.1.1.1
[AC-web-auth-server-test] quit

# Bind VLAN 101 to the Portal server.


[AC] interface vlanif 101
[AC-Vlanif101] web-auth-server test direct
[AC-Vlanif101] quit

Step 6 Configure AC system parameters.


# Configure the country code.
[AC] wlan ac-global country-code cn

# Configure the AC ID and carrier ID.


[AC] wlan ac-global ac id 1 carrier id other

# Configure the source interface.


[AC] wlan
[AC-wlan-view] wlan ac source interface vlanif 100

Step 7 Manage the AP on the AC.


# Check the AP type ID after obtaining the MAC address of the AP.
[AC-wlan-view] display ap-type all
All AP types information:
------------------------------------------------------------------------------
ID    Type
------------------------------------------------------------------------------
0     WA601
1     WA631
6     WA603SN
7     WA603DN
8     WA633SN
11    WA603DE
12    WA653DE
14    WA653SN
17    AP6010SN-GN
19    AP6010DN-AGN
21    AP6310SN-GN
23    AP6510DN-AGN
25    AP6610DN-AGN
27    AP7110SN-GN
28    AP7110DN-AGN
29    AP5010SN-GN
30    AP5010DN-AGN
31    AP3010DN-AGN
33    AP6510DN-AGN-US
34    AP6610DN-AGN-US
------------------------------------------------------------------------------
Total number: 20

# Add the AP offline based on the AP type ID. Assume that the AP type is AP6010DN-AGN,
and the MAC address of the AP is 5489-9846-1dd4.
[AC-wlan-view] ap-auth-mode mac-auth
[AC-wlan-view] ap id 0 type-id 19 mac 5489-9846-1dd4
[AC-wlan-ap-0] quit
NOTE

The default AP authentication mode is MAC address authentication. If the default settings are retained, you do
not need to run the ap-auth-mode mac-auth command.

# Configure an AP region and add the AP to the AP region.


[AC-wlan-view] ap-region id 10
[AC-wlan-ap-region-10] quit
[AC-wlan-view] ap id 0
[AC-wlan-ap-0] region-id 10
[AC-wlan-ap-0] quit

# After powering on the AP, run the display ap all command on the AC to check the AP running
status. The command output shows that the AP status is normal.
[AC-wlan-view] display ap all
All AP information(Normal-1,UnNormal-0):
------------------------------------------------------------------------------
AP    AP             AP              Profile   AP       AP
ID    Type           MAC             /Region   State    Sysname
                                     ID
------------------------------------------------------------------------------
0     AP6010DN-AGN   5489-9846-1dd4  0/10      normal   ap-0
------------------------------------------------------------------------------
Total number: 1

Step 8 Configure WLAN service parameters.


# Create a WMM profile named wmm.
[AC-wlan-view] wmm-profile name wmm id 1
[AC-wlan-wmm-prof-wmm] quit

# Create a radio profile named radio and bind the WMM profile wmm to the radio profile.
[AC-wlan-view] radio-profile name radio id 1
[AC-wlan-radio-prof-radio] wmm-profile name wmm
[AC-wlan-radio-prof-radio] quit
[AC-wlan-view] quit

# Create WLAN-ESS interface 1.


NOTE

To enable the AC to allocate IP addresses to STAs, run the dhcp enable command on the WLAN-ESS
interface to enable DHCP on the AC.
[AC] interface wlan-ess 1
[AC-Wlan-Ess1] dhcp enable
[AC-Wlan-Ess1] port link-type hybrid
[AC-Wlan-Ess1] port hybrid pvid vlan 101
[AC-Wlan-Ess1] port hybrid untagged vlan 101
[AC-Wlan-Ess1] quit

# Create a security profile named security.


[AC] wlan
[AC-wlan-view] security-profile name security id 1
[AC-wlan-sec-prof-security] quit

# Create a traffic profile named traffic.


[AC-wlan-view] traffic-profile name traffic id 1
[AC-wlan-traffic-prof-traffic] quit

# Create a service set named test and bind the WLAN-ESS interface, security profile, and traffic
profile to the service set.
[AC-wlan-view] service-set name test id 1
[AC-wlan-service-set-test] ssid test
[AC-wlan-service-set-test] wlan-ess 1
[AC-wlan-service-set-test] security-profile name security
[AC-wlan-service-set-test] traffic-profile name traffic
[AC-wlan-service-set-test] service-vlan 101
[AC-wlan-service-set-test] forward-mode tunnel
[AC-wlan-service-set-test] quit

Step 9 Configure Portal authentication on the WLAN-ESS interface.

[AC-wlan-view] quit
[AC] interface wlan-ess 1
[AC-Wlan-Ess1] web-authentication enable
[AC-Wlan-Ess1] force-domain huawei.com
[AC-Wlan-Ess1] permit-domain huawei.com
[AC-Wlan-Ess1] quit

Step 10 Configure a VAP and deliver VAP parameters to the AP.


# Configure a VAP.
[AC] wlan
[AC-wlan-view] ap 0 radio 0
[AC-wlan-radio-0/0] radio-profile name radio
Warning: Modify the Radio type may cause some parameters of Radio resume defaul
t value, are you sure to continue?[Y/N]:y
[AC-wlan-radio-0/0] service-set name test
[AC-wlan-radio-0/0] quit

# Commit the configuration.


[AC-wlan-view] commit ap 0
Warning: Committing configuration may cause service interruption,continue?[Y/N
]y

Step 11 Verify the configuration.


- The WLAN with SSID test is available for STAs connected to the AP.
- The wireless PC obtains an IP address after it associates with the WLAN.
- Open a browser on the STA to access the Internet. The Portal authentication web page is
  automatically displayed. Enter the user name and password. The STA is authenticated and
  can access the WLAN.
----End

Configuration Files
- Configuration file of the access switch


#
sysname SwitchA
#
vlan batch 100
#

interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100
#
return

- Configuration file of Router


#
sysname Router
#
vlan batch 102
#
dhcp enable
#
ip pool sta
gateway-list 10.10.10.1
network 10.10.10.0 mask 255.255.255.0
#
interface Vlanif102
ip address 11.1.1.1 255.255.255.0
dhcp select global
#
interface GigabitEthernet2/0/0
port link-type trunk
port trunk allow-pass vlan 102
#
ip route-static 10.10.10.0 24 11.1.1.2
#
return

- Configuration file of the AC wired side


#
sysname AC-LSW
#
vlan batch 100 102 to 104
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100
port-isolate enable
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 102
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk allow-pass vlan 103
#
interface GigabitEthernet0/0/4
port link-type trunk
port trunk allow-pass vlan 104
#
interface XGigabitEthernet0/0/27
port link-type trunk
port trunk allow-pass vlan 100 102 to 104
#
return

- Configuration file of the AC wireless side


#
sysname AC
#
vlan batch 100 to 104
#
dhcp enable

#
wlan ac-global carrier id other ac id 1
#
radius-server template radius_huawei
radius-server authentication 12.1.1.1 1812
radius-server accounting 12.1.1.1 1813
radius-server shared-key simple huawei
#
web-auth-server test
server-ip 13.1.1.1
port 50100
shared-key simple huawei
url http://13.1.1.1
#
aaa
authentication-scheme radius_huawei
authentication-mode radius
accounting-scheme radius_huawei
accounting-mode radius
domain huawei.com
authentication-scheme radius_huawei
accounting-scheme radius_huawei
radius-server radius_huawei
#
interface Vlanif100
ip address 192.168.10.1 255.255.255.0
dhcp select interface
#
interface Vlanif101
ip address 10.10.10.1 255.255.255.0
dhcp select relay
dhcp relay server-ip 11.1.1.1
web-auth-server test direct
#
interface Vlanif102
ip address 11.1.1.2 255.255.255.0
#
interface Vlanif103
ip address 12.1.1.2 255.255.255.0
#
interface Vlanif104
ip address 13.1.1.2 255.255.255.0
#
interface XGigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100 102 to 104
#
interface Wlan-Ess1
port hybrid pvid vlan 101
port hybrid untagged vlan 101
web-authentication enable
permit-domain huawei.com
force-domain huawei.com
dhcp enable
#
wlan
wlan ac source interface Vlanif100
ap-region id 10
ap id 0 type-id 19 mac 5489-9846-1dd4 sn AB35015384
region-id 10
wmm-profile name wmm id 1
traffic-profile name traffic id 1
security-profile name security id 1
service-set name test id 1
forward-mode tunnel
wlan-ess 1
ssid test
traffic-profile id 1
security-profile id 1
service-vlan 101
radio-profile name radio id 1
wmm-profile id 1
ap 0 radio 0
radio-profile id 1
service-set id 1 wlan 1
#
return
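The configuration files above store both shared keys with the simple keyword, which writes them to the configuration in plaintext (the cipher keyword stores them encrypted), and point the Portal redirect at an http:// URL. The Python script below is an added example, not part of the guide: it runs these checks over a sample built from the stanzas above and also reports an AP-facing wired-side port that lacks port-isolate enable while a service set uses direct forwarding (Step 2 of this example configures it on GE0/0/1). The 16-character minimum key length and the list of AP-facing interfaces are assumptions supplied by the caller.

```python
import re
from dataclasses import dataclass
from typing import Iterator, List, Sequence

# Constructed for this example from the configuration files shown above (the
# stanzas that carry credentials or face the AP); it is not a device capture.
SAMPLE_CONFIG = """\
#
radius-server template radius_huawei
 radius-server authentication 12.1.1.1 1812
 radius-server accounting 12.1.1.1 1813
 radius-server shared-key simple huawei
#
web-auth-server test
 server-ip 13.1.1.1
 port 50100
 shared-key simple huawei
 url http://13.1.1.1
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 100
#
wlan
 service-set name test id 1
  forward-mode tunnel
#
return
"""

MIN_KEY_LENGTH = 16  # assumed local policy, not a device requirement


@dataclass
class Finding:
    severity: str
    location: str
    message: str


def stanzas(config: str) -> Iterator[List[str]]:
    """Split a VRP configuration into blocks; lines holding only '#' separate them."""
    block: List[str] = []
    for raw in config.splitlines():
        line = raw.strip()
        if line == "#":
            if block:
                yield block
            block = []
        elif line and line != "return":
            block.append(line)
    if block:
        yield block


def audit(config: str, ap_facing_interfaces: Sequence[str] = ()) -> List[Finding]:
    """Report plaintext or short shared keys, a cleartext Portal URL, and
    AP-facing ports without port isolation while direct forwarding is in use."""
    findings: List[Finding] = []
    direct_forwarding = any(
        line == "forward-mode direct" for block in stanzas(config) for line in block)
    for block in stanzas(config):
        head = block[0]
        for line in block[1:]:
            key = re.search(r"shared-key simple (\S+)", line)
            if key:
                findings.append(Finding("high", head,
                    "shared key stored in plaintext ('simple'); re-enter it with 'cipher'"))
                if len(key.group(1)) < MIN_KEY_LENGTH:
                    findings.append(Finding("high", head,
                        f"shared key has {len(key.group(1))} characters, "
                        f"below the assumed minimum of {MIN_KEY_LENGTH}"))
            if line.startswith("url http://"):
                findings.append(Finding("medium", head,
                    "Portal URL uses cleartext HTTP; the login page and the "
                    "credentials posted to it are unprotected in transit"))
        if head.startswith("interface ") and head.split()[1] in ap_facing_interfaces:
            if direct_forwarding and "port-isolate enable" not in block:
                findings.append(Finding("medium", head,
                    "AP-facing port lacks 'port-isolate enable' while a service set "
                    "uses direct forwarding"))
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_CONFIG, ap_facing_interfaces=("GigabitEthernet0/0/1",)):
        print(f"[{f.severity}] {f.location}: {f.message}")
```

Run it against the output of display current-configuration saved to a file. With the values from this example it reports five findings: both shared keys are plaintext and only six characters, and the Portal URL is HTTP. The port-isolation check stays silent because the service set uses tunnel forwarding.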

Example for Configuring a STA Whitelist


Networking Requirements
As shown in Figure 12-25, the AC and AP are directly connected. An enterprise provides a
WLAN with the SSID of test for management personnel to access the enterprise network. STAs
automatically obtain IP addresses.
The WLAN has a fixed small coverage and faces no external attack risks. MAC addresses of
management personnel's wireless terminals can be added to a STA whitelist, preventing common
employees from accessing the WLAN.
Figure 12-25 Networking diagram for configuring a STA whitelist: the AP connects to AC
interface GE0/0/1 and the AC reaches the Internet through GE0/0/2. Management VLAN: VLAN 100
(VLANIF 100, 192.168.10.1/24). Service VLAN: VLAN 101. AP region ID: 10. STA1: 0011-2233-4455.
STA2: 0011-2233-4466.

Configuration Roadmap
1. Configure WLAN basic services so that STAs can access the WLAN. This example uses
   default configurations.
2. Configure a STA whitelist. Add MAC addresses of management personnel's wireless
   terminals to the whitelist. To prevent configuration impacts on other VAPs, configure the
   STA whitelist for a VAP, instead of an AP.
NOTE

The AC6605 has the wired side and wireless side. XGE0/0/27 connects the wired side to the wireless side
and XGE0/0/1 connects the wireless side to the wired side. For details about the login modes on the wired
side and wireless side, see 11.1 Configuring User Login.

Procedure
Step 1 Configure the AC wired side and wireless side so that the AP and AC can transmit CAPWAP
packets.
# Configure the AC wired side: add wired-side interface GE0/0/1 to management VLAN 100,
and add XGE0/0/27 that connects the wired side to the wireless side to the same VLAN.
NOTE

In this example, tunnel forwarding is used. If direct forwarding is used, configure port isolation on GE0/0/1
that connects the AC wired side to the AP. If port isolation is not configured, many broadcast packets will
be transmitted in the VLANs or WLAN users on different APs can directly communicate at Layer 2.
<Quidway> system-view
[Quidway] sysname AC-LSW
[AC-LSW] vlan batch 100
[AC-LSW] interface gigabitethernet 0/0/1
[AC-LSW-GigabitEthernet0/0/1] port link-type trunk
[AC-LSW-GigabitEthernet0/0/1] port trunk pvid vlan 100
[AC-LSW-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[AC-LSW-GigabitEthernet0/0/1] quit
[AC-LSW] interface xgigabitethernet 0/0/27
[AC-LSW-XGigabitEthernet0/0/27] port link-type trunk
[AC-LSW-XGigabitEthernet0/0/27] port trunk allow-pass vlan 100
[AC-LSW-XGigabitEthernet0/0/27] quit

# Add XGE0/0/1 that connects the AC wireless side to the wired side to VLAN 100.
<Quidway> system-view
[Quidway] sysname AC
[AC] vlan batch 100
[AC] interface xgigabitethernet 0/0/1
[AC-XGigabitEthernet0/0/1] port link-type trunk
[AC-XGigabitEthernet0/0/1] port trunk allow-pass vlan 100
[AC-XGigabitEthernet0/0/1] quit

Step 2 Configure the AC to communicate with the upstream device.


NOTE

Configure AC uplink interfaces to transparently transmit packets of service VLANs as required and
communicate with the upstream device.

# Add XGE0/0/1 that connects the AC wireless side to the wired side to service VLAN 101.
[AC] vlan batch 101
[AC] interface xgigabitethernet 0/0/1
[AC-XGigabitEthernet0/0/1] port link-type trunk
[AC-XGigabitEthernet0/0/1] port trunk allow-pass vlan 101
[AC-XGigabitEthernet0/0/1] quit

# Add XGE0/0/27 that connects the AC wired side to the wireless side and AC uplink interface
GE0/0/2 to VLAN 101.
[AC-LSW] vlan batch 101
[AC-LSW] interface xgigabitethernet 0/0/27
[AC-LSW-XGigabitEthernet0/0/27] port link-type trunk
[AC-LSW-XGigabitEthernet0/0/27] port trunk allow-pass vlan 101
[AC-LSW-XGigabitEthernet0/0/27] quit
[AC-LSW] interface gigabitethernet 0/0/2
[AC-LSW-GigabitEthernet0/0/2] port link-type trunk
[AC-LSW-GigabitEthernet0/0/2] port trunk allow-pass vlan 101
[AC-LSW-GigabitEthernet0/0/2] quit

Step 3 Configure the AC as a DHCP server to allocate IP addresses to STAs and the AP.
# Configure the AC as the DHCP server to allocate an IP address to the AP from the IP address
pool on VLANIF 100, and allocate IP addresses to STAs from the IP address pool on VLANIF
101.
[AC] dhcp enable
[AC] interface vlanif 100
[AC-Vlanif100] ip address 192.168.10.1 24

[AC-Vlanif100] dhcp select interface
[AC-Vlanif100] quit
[AC] interface vlanif 101
[AC-Vlanif101] ip address 192.168.11.1 24
[AC-Vlanif101] dhcp select interface
[AC-Vlanif101] quit

Step 4 Configure AC system parameters.


# Configure the country code.
[AC] wlan ac-global country-code cn

# Configure the AC ID and carrier ID.


[AC] wlan ac-global ac id 1 carrier id other

# Configure the source interface.


[AC] wlan
[AC-wlan-view] wlan ac source interface vlanif 100

Step 5 Manage the AP on the AC.


# Check the AP type ID after obtaining the MAC address of the AP.
[AC-wlan-view] display ap-type all
All AP types information:
------------------------------------------------------------------------------
ID    Type
------------------------------------------------------------------------------
0     WA601
1     WA631
6     WA603SN
7     WA603DN
8     WA633SN
11    WA603DE
12    WA653DE
14    WA653SN
17    AP6010SN-GN
19    AP6010DN-AGN
21    AP6310SN-GN
23    AP6510DN-AGN
25    AP6610DN-AGN
27    AP7110SN-GN
28    AP7110DN-AGN
29    AP5010SN-GN
30    AP5010DN-AGN
31    AP3010DN-AGN
33    AP6510DN-AGN-US
34    AP6610DN-AGN-US
------------------------------------------------------------------------------
Total number: 20

# Add the AP offline based on the AP type ID. Assume that the AP type is AP6010DN-AGN,
and the MAC address of the AP is 5489-9846-1dd4.
[AC-wlan-view] ap-auth-mode mac-auth
[AC-wlan-view] ap id 0 type-id 19 mac 5489-9846-1dd4
[AC-wlan-ap-0] quit
NOTE

The default AP authentication mode is MAC address authentication. If the default settings are retained, you do
not need to run the ap-auth-mode mac-auth command.

# Configure an AP region and add the AP to the AP region.


[AC-wlan-view] ap-region id 10
[AC-wlan-ap-region-10] quit

[AC-wlan-view] ap id 0
[AC-wlan-ap-0] region-id 10
[AC-wlan-ap-0] quit

# After powering on the AP, run the display ap all command on the AC to check the AP running
status. The command output shows that the AP status is normal.
[AC-wlan-view] display ap all
All AP information(Normal-1,UnNormal-0):
------------------------------------------------------------------------------
AP    AP             AP              Profile   AP       AP
ID    Type           MAC             /Region   State    Sysname
                                     ID
------------------------------------------------------------------------------
0     AP6010DN-AGN   5489-9846-1dd4  0/10      normal   ap-0
------------------------------------------------------------------------------
Total number: 1

Step 6 Configure WLAN service parameters.


# Create a WMM profile named wmm.
[AC-wlan-view] wmm-profile name wmm id 1
[AC-wlan-wmm-prof-wmm] quit

# Create a radio profile named radio and bind the WMM profile wmm to the radio profile.
[AC-wlan-view] radio-profile name radio id 1
[AC-wlan-radio-prof-radio] wmm-profile name wmm
[AC-wlan-radio-prof-radio] quit
[AC-wlan-view] quit

# Create WLAN-ESS interface 1.


NOTE

To enable the AC to allocate IP addresses to STAs, run the dhcp enable command on the WLAN-ESS
interface to enable DHCP on the AC.
[AC] interface wlan-ess 1
[AC-Wlan-Ess1] dhcp enable
[AC-Wlan-Ess1] port link-type hybrid
[AC-Wlan-Ess1] port hybrid pvid vlan 101
[AC-Wlan-Ess1] port hybrid untagged vlan 101
[AC-Wlan-Ess1] quit

# Create a security profile named security.


[AC] wlan
[AC-wlan-view] security-profile name security id 1
[AC-wlan-sec-prof-security] quit

# Create a traffic profile named traffic.


[AC-wlan-view] traffic-profile name traffic id 1
[AC-wlan-traffic-prof-traffic] quit

# Create a service set named test and bind the WLAN-ESS interface, security profile, and traffic
profile to the service set.
[AC-wlan-view] service-set name test id 1
[AC-wlan-service-set-test] ssid test
[AC-wlan-service-set-test] wlan-ess 1
[AC-wlan-service-set-test] security-profile name security
[AC-wlan-service-set-test] traffic-profile name traffic
[AC-wlan-service-set-test] service-vlan 101
[AC-wlan-service-set-test] forward-mode tunnel
[AC-wlan-service-set-test] quit

Step 7 Configure a STA whitelist for a VAP.


# Configure a STA whitelist profile and add MAC addresses of STA1 and STA2 to the whitelist.
[AC-wlan-view] sta-whitelist-profile name whitelist id 1
[AC-wlan-whitelist-prof-whitelist] sta-mac 0011-2233-4455
[AC-wlan-whitelist-prof-whitelist] sta-mac 0011-2233-4466
[AC-wlan-whitelist-prof-whitelist] quit

# Bind the service set to the STA whitelist profile and enable the STA whitelist function.
[AC-wlan-view] service-set name test
[AC-wlan-service-set-test] sta-access-mode whitelist
[AC-wlan-service-set-test] sta-whitelist-profile id 1
[AC-wlan-service-set-test] quit

Step 8 Configure a VAP and deliver VAP parameters to the AP.


# Configure a VAP.
[AC-wlan-view] ap 0 radio 0
[AC-wlan-radio-0/0] radio-profile name radio
Warning: Modify the Radio type may cause some parameters of Radio resume defaul
t value, are you sure to continue?[Y/N]:y
[AC-wlan-radio-0/0] service-set name test
[AC-wlan-radio-0/0] quit

# Commit the configuration.


[AC-wlan-view] commit ap 0
Warning: Committing configuration may cause service interruption,continue?[Y/N
]y

Step 9 Verify the configuration.


The WLAN with SSID test is available for STAs connected to the AP.
STA1 and STA2 can connect to the WLAN, while STAs that are not in the whitelist cannot
access the WLAN.
----End

Configuration Files
- Configuration file of the AC wired side


#
sysname AC-LSW
#
vlan batch 100 to 101
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 101
#
interface XGigabitEthernet0/0/27
port link-type trunk
port trunk allow-pass vlan 100 to 101
#
return

- Configuration file of the AC wireless side


#
sysname AC

#
vlan batch 100 to 101
#
dhcp enable
#
wlan ac-global carrier id other ac id 1
#
interface Vlanif100
ip address 192.168.10.1 255.255.255.0
dhcp select interface
#
interface Vlanif101
ip address 192.168.11.1 255.255.255.0
dhcp select interface
#
interface XGigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100
#
interface WLAN-ESS1
port hybrid pvid vlan 101
port hybrid untagged vlan 101
dhcp enable
#
wlan
wlan ac source interface vlanif100
ap-region id 10
ap id 0 type-id 19 mac 5489-9846-1dd4 sn AB35015384
region-id 10
wmm-profile name wmm id 1
traffic-profile name traffic id 1
security-profile name security id 1
sta-whitelist-profile name whitelist id 1
sta-mac 0011-2233-4455
sta-mac 0011-2233-4466
service-set name test id 1
forward-mode tunnel
wlan-ess 1
ssid test
traffic-profile id 1
security-profile id 1
service-vlan 101
sta-access-mode whitelist
sta-whitelist-profile id 1
radio-profile name radio id 1
wmm-profile id 1
ap 0 radio 0
radio-profile id 1
service-set id 1 wlan 1
#
return

Example for Configuring a STA Blacklist


Networking Requirements
As shown in Figure 12-26, the AC and AP are directly connected. An enterprise provides a
WLAN with the SSID of test for employees to access the enterprise network. STAs automatically
obtain IP addresses.
The WLAN has a fixed small coverage and faces no external attack risks. Some faulty STAs
may frequently go online and offline, degrading WLAN network stability. To prevent this
situation, management personnel can add MAC addresses of the faulty STAs to a blacklist to
prevent these STAs from accessing the WLAN. STAs that are not in the blacklist can access the
WLAN.
Figure 12-26 Networking diagram for configuring a STA blacklist: the AP connects to AC
interface GE0/0/1 and the AC reaches the Internet through GE0/0/2. Management VLAN: VLAN 100
(VLANIF 100, 192.168.10.1/24). Service VLAN: VLAN 101. AP region ID: 10. STA1: 0011-2233-4455.
STA2: 0011-2233-4466.

Configuration Roadmap
1. Configure WLAN basic services so that STAs can access the WLAN. This example uses
   default configurations.
2. Configure a STA blacklist for an AP. Add MAC addresses of some STAs to the blacklist
   to prevent the STAs from associating with the AP.
NOTE

The AC6605 has the wired side and wireless side. XGE0/0/27 connects the wired side to the wireless side
and XGE0/0/1 connects the wireless side to the wired side. For details about the login modes on the wired
side and wireless side, see 11.1 Configuring User Login.

Procedure
Step 1 Configure the AC wired side and wireless side so that the AP and AC can transmit CAPWAP
packets.
# Configure the AC wired side: add wired-side interface GE0/0/1 to management VLAN 100,
and add XGE0/0/27 that connects the wired side to the wireless side to the same VLAN.
NOTE

In this example, tunnel forwarding is used. If direct forwarding is used, configure port isolation on GE0/0/1
that connects the AC wired side to the AP. If port isolation is not configured, many broadcast packets will
be transmitted in the VLANs or WLAN users on different APs can directly communicate at Layer 2.
<Quidway> system-view
[Quidway] sysname AC-LSW
[AC-LSW] vlan batch 100
[AC-LSW] interface gigabitethernet 0/0/1
[AC-LSW-GigabitEthernet0/0/1] port link-type trunk
[AC-LSW-GigabitEthernet0/0/1] port trunk pvid vlan 100
[AC-LSW-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[AC-LSW-GigabitEthernet0/0/1] quit
[AC-LSW] interface xgigabitethernet 0/0/27
[AC-LSW-XGigabitEthernet0/0/27] port link-type trunk
[AC-LSW-XGigabitEthernet0/0/27] port trunk allow-pass vlan 100
[AC-LSW-XGigabitEthernet0/0/27] quit

# Add XGE0/0/1 that connects the AC wireless side to the wired side to VLAN 100.
<Quidway> system-view
[Quidway] sysname AC

[AC] vlan batch 100


[AC] interface xgigabitethernet 0/0/1
[AC-XGigabitEthernet0/0/1] port link-type trunk
[AC-XGigabitEthernet0/0/1] port trunk allow-pass vlan 100
[AC-XGigabitEthernet0/0/1] quit

Step 2 Configure the AC to communicate with the upstream device.


NOTE

Configure AC uplink interfaces to transparently transmit packets of service VLANs as required and
communicate with the upstream device.

# Add XGE0/0/1 that connects the AC wireless side to the wired side to service VLAN 101.
[AC] vlan batch 101
[AC] interface xgigabitethernet 0/0/1
[AC-XGigabitEthernet0/0/1] port link-type trunk
[AC-XGigabitEthernet0/0/1] port trunk allow-pass vlan 101
[AC-XGigabitEthernet0/0/1] quit

# Add XGE0/0/27 that connects the AC wired side to the wireless side and AC uplink interface
GE0/0/2 to VLAN 101.
[AC-LSW] vlan batch 101
[AC-LSW] interface xgigabitethernet 0/0/27
[AC-LSW-XGigabitEthernet0/0/27] port link-type trunk
[AC-LSW-XGigabitEthernet0/0/27] port trunk allow-pass vlan 101
[AC-LSW-XGigabitEthernet0/0/27] quit
[AC-LSW] interface gigabitethernet 0/0/2
[AC-LSW-GigabitEthernet0/0/2] port link-type trunk
[AC-LSW-GigabitEthernet0/0/2] port trunk allow-pass vlan 101
[AC-LSW-GigabitEthernet0/0/2] quit

Step 3 Configure the AC as a DHCP server to allocate IP addresses to STAs and the AP.
# Configure the AC as the DHCP server to allocate an IP address to the AP from the IP address
pool on VLANIF 100, and allocate IP addresses to STAs from the IP address pool on VLANIF
101.
[AC] dhcp enable
[AC] interface vlanif 100
[AC-Vlanif100] ip address 192.168.10.1 24
[AC-Vlanif100] dhcp select interface
[AC-Vlanif100] quit
[AC] interface vlanif 101
[AC-Vlanif101] ip address 192.168.11.1 24
[AC-Vlanif101] dhcp select interface
[AC-Vlanif101] quit

Step 4 Configure AC system parameters.


# Configure the country code.
[AC] wlan ac-global country-code cn

# Configure the AC ID and carrier ID.


[AC] wlan ac-global ac id 1 carrier id other

# Configure the source interface.


[AC] wlan
[AC-wlan-view] wlan ac source interface vlanif 100

Step 5 Manage the AP on the AC.


# Check the AP type ID after obtaining the MAC address of the AP.
[AC-wlan-view] display ap-type all
All AP types information:
------------------------------------------------------------------------------
ID    Type
------------------------------------------------------------------------------
0     WA601
1     WA631
6     WA603SN
7     WA603DN
8     WA633SN
11    WA603DE
12    WA653DE
14    WA653SN
17    AP6010SN-GN
19    AP6010DN-AGN
21    AP6310SN-GN
23    AP6510DN-AGN
25    AP6610DN-AGN
27    AP7110SN-GN
28    AP7110DN-AGN
29    AP5010SN-GN
30    AP5010DN-AGN
31    AP3010DN-AGN
33    AP6510DN-AGN-US
34    AP6610DN-AGN-US
------------------------------------------------------------------------------
Total number: 20

# Add the AP offline based on the AP type ID. Assume that the AP type is AP6010DN-AGN,
and the MAC address of the AP is 5489-9846-1dd4.
[AC-wlan-view] ap-auth-mode mac-auth
[AC-wlan-view] ap id 0 type-id 19 mac 5489-9846-1dd4
[AC-wlan-ap-0] quit
NOTE

The default AP authentication mode is MAC address authentication. If the default settings are retained, you do
not need to run the ap-auth-mode mac-auth command.

# Configure an AP region and add the AP to the AP region.


[AC-wlan-view] ap-region id 10
[AC-wlan-ap-region-10] quit
[AC-wlan-view] ap id 0
[AC-wlan-ap-0] region-id 10
[AC-wlan-ap-0] quit

# After powering on the AP, run the display ap all command on the AC to check the AP running
status. The command output shows that the AP status is normal.
[AC-wlan-view] display ap all
All AP information(Normal-1,UnNormal-0):
-----------------------------------------------------------------------------AP
AP
AP
Profile
AP
AP
/Region
ID
Type
MAC
ID
State
Sysname
-----------------------------------------------------------------------------0
AP6010DN-AGN
5489-9846-1dd4
0/10
normal
ap-0
-----------------------------------------------------------------------------Total number: 1

Step 6 Configure WLAN service parameters.


# Create a WMM profile named wmm.
[AC-wlan-view] wmm-profile name wmm id 1
[AC-wlan-wmm-prof-wmm] quit

# Create a radio profile named radio and bind the WMM profile wmm to the radio profile.
[AC-wlan-view] radio-profile name radio id 1


[AC-wlan-radio-prof-radio] wmm-profile name wmm
[AC-wlan-radio-prof-radio] quit
[AC-wlan-view] quit

# Create WLAN-ESS interface 1.


NOTE

To enable the AC to allocate IP addresses to STAs, run the dhcp enable command on the WLAN-ESS
interface to enable DHCP on the AC.
[AC] interface wlan-ess 1
[AC-Wlan-Ess1] dhcp enable
[AC-Wlan-Ess1] port link-type hybrid
[AC-Wlan-Ess1] port hybrid pvid vlan 101
[AC-Wlan-Ess1] port hybrid untagged vlan 101
[AC-Wlan-Ess1] quit

# Create a security profile named security.


[AC] wlan
[AC-wlan-view] security-profile name security id 1
[AC-wlan-sec-prof-security] quit

# Create a traffic profile named traffic.


[AC-wlan-view] traffic-profile name traffic id 1
[AC-wlan-traffic-prof-traffic] quit

# Create a service set named test and bind the WLAN-ESS interface, security profile, and traffic
profile to the service set.
[AC-wlan-view] service-set name test id 1
[AC-wlan-service-set-test] ssid test
[AC-wlan-service-set-test] wlan-ess 1
[AC-wlan-service-set-test] security-profile name security
[AC-wlan-service-set-test] traffic-profile name traffic
[AC-wlan-service-set-test] service-vlan 101
[AC-wlan-service-set-test] forward-mode tunnel
[AC-wlan-service-set-test] quit

Step 7 Configure a STA blacklist for an AP.


[AC-wlan-view] sta-blacklist 0011-2233-4455
[AC-wlan-view] sta-blacklist 0011-2233-4466
[AC-wlan-view] sta-access-mode ap 0 blacklist

Step 8 Configure a VAP and deliver VAP parameters to the AP.


# Configure a VAP.
[AC-wlan-view] ap 0 radio 0
[AC-wlan-radio-0/0] radio-profile name radio
Warning: Modify the Radio type may cause some parameters of Radio resume defaul
t value, are you sure to continue?[Y/N]:y
[AC-wlan-radio-0/0] service-set name test
[AC-wlan-radio-0/0] quit

# Commit the configuration.


[AC-wlan-view] commit ap 0
Warning: Committing configuration may cause service interruption,continue?[Y/N
]y

Step 9 Verify the configuration.


The WLAN with SSID test is available for STAs connected to the AP.

STA1 and STA2 cannot access the WLAN.


----End

Configuration Files
l Configuration file of the AC wired side


#
sysname AC-LSW
#
vlan batch 100 to 101
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 101
#
interface XGigabitEthernet0/0/27
port link-type trunk
port trunk allow-pass vlan 100 to 101
#
return

l Configuration file of the AC wireless side


#
sysname AC
#
vlan batch 100 to 101
#
dhcp enable
#
wlan ac-global carrier id other ac id 1
#
interface Vlanif100
ip address 192.168.10.1 255.255.255.0
dhcp select interface
#
interface Vlanif101
ip address 192.168.11.1 255.255.255.0
dhcp select interface
#
interface XGigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100
#
interface WLAN-ESS1
port hybrid pvid vlan 101
port hybrid untagged vlan 101
dhcp enable
#
wlan
wlan ac source interface vlanif100
ap-region id 10
ap id 0 type-id 19 mac 60de-4476-e360 sn AB35015384
region-id 10
wmm-profile name wmm id 1
traffic-profile name traffic id 1
security-profile name security id 1
sta-blacklist 0011-2233-4455
sta-blacklist 0011-2233-4466
sta-access-mode ap 0 blacklist
service-set name test id 1
forward-mode tunnel
wlan-ess 1


ssid test
traffic-profile id 1
security-profile id 1
service-vlan 101
radio-profile name radio id 1
wmm-profile id 1
ap 0 radio 0
radio-profile id 1
service-set id 1 wlan 1
#
return

Example for Configuring User Isolation


Networking Requirements
As shown in Figure 12-27, the AC and AP are directly connected. The WLAN with the SSID
of test is available for residents to access the Internet. STAs automatically obtain IP addresses.
Because the WLAN is open to users, there are potential security risks to user data. Users do not
require high security, so a WEP security policy using shared-key authentication and WEP
encryption can be configured. The AC uses tunnel forwarding mode to uniformly manage
wireless users. To prevent WLAN channel resources from being occupied and prevent wireless
users from communicating at Layer 2, configure port isolation.
Figure 12-27 Networking diagram for configuring user isolation (management VLAN: VLAN 100;
service VLAN: VLAN 101; AP region ID: 10; the AP connects to AC port GE0/0/1 in VLAN 100,
AC port GE0/0/2 in VLAN 101 leads to the Internet, and the STAs associate with the AP)

Configuration Roadmap
1. Configure WLAN basic services so that STAs can access the WLAN. This example uses
default configurations.
2. Configure user isolation and port isolation on the WLAN-ESS interface since data packets
are transmitted to the AC through the CAPWAP tunnel in tunnel forwarding mode.
3. Configure a WEP security policy using shared-key authentication and WEP encryption in
a security profile to ensure data security.


NOTE

The AC6605 has the wired side and wireless side. XGE0/0/27 connects the wired side to the wireless side
and XGE0/0/1 connects the wireless side to the wired side. For details about the login modes on the wired
side and wireless side, see 11.1 Configuring User Login.

Procedure
Step 1 Configure the AC wired side and wireless side so that the AP and AC can transmit CAPWAP
packets.
# Configure the AC wired side: add wired-side interface GE0/0/1 to management VLAN 100,
and add XGE0/0/27 that connects the wired side to the wireless side to the same VLAN.
NOTE

In this example, tunnel forwarding is used. If direct forwarding is used, configure port isolation on GE0/0/1
that connects the AC wired side to the AP. If port isolation is not configured, many broadcast packets will
be transmitted in the VLANs or WLAN users on different APs can directly communicate at Layer 2.
<Quidway> system-view
[Quidway] sysname AC-LSW
[AC-LSW] vlan batch 100
[AC-LSW] interface gigabitethernet 0/0/1
[AC-LSW-GigabitEthernet0/0/1] port link-type trunk
[AC-LSW-GigabitEthernet0/0/1] port trunk pvid vlan 100
[AC-LSW-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[AC-LSW-GigabitEthernet0/0/1] quit
[AC-LSW] interface xgigabitethernet 0/0/27
[AC-LSW-XGigabitEthernet0/0/27] port link-type trunk
[AC-LSW-XGigabitEthernet0/0/27] port trunk allow-pass vlan 100
[AC-LSW-XGigabitEthernet0/0/27] quit

# Add XGE0/0/1 that connects the AC wireless side to the wired side to VLAN 100.
<Quidway> system-view
[Quidway] sysname AC
[AC] vlan batch 100
[AC] interface xgigabitethernet 0/0/1
[AC-XGigabitEthernet0/0/1] port link-type trunk
[AC-XGigabitEthernet0/0/1] port trunk allow-pass vlan 100
[AC-XGigabitEthernet0/0/1] quit

Step 2 Configure the AC to communicate with the upstream device.


NOTE

Configure AC uplink interfaces to transparently transmit packets of service VLANs as required and
communicate with the upstream device.

# Add XGE0/0/1 that connects the AC wireless side to the wired side to service VLAN 101.
[AC] vlan batch 101
[AC] interface xgigabitethernet 0/0/1
[AC-XGigabitEthernet0/0/1] port link-type trunk
[AC-XGigabitEthernet0/0/1] port trunk allow-pass vlan 101
[AC-XGigabitEthernet0/0/1] quit

# Add XGE0/0/27 that connects the AC wired side to the wireless side and AC uplink interface
GE0/0/2 to VLAN 101.
[AC-LSW] vlan batch 101
[AC-LSW] interface xgigabitethernet 0/0/27
[AC-LSW-XGigabitEthernet0/0/27] port link-type trunk
[AC-LSW-XGigabitEthernet0/0/27] port trunk allow-pass vlan 101
[AC-LSW-XGigabitEthernet0/0/27] quit
[AC-LSW] interface gigabitethernet 0/0/2
[AC-LSW-GigabitEthernet0/0/2] port link-type trunk


[AC-LSW-GigabitEthernet0/0/2] port trunk allow-pass vlan 101
[AC-LSW-GigabitEthernet0/0/2] quit

Step 3 Configure the AC as a DHCP server to allocate IP addresses to STAs and the AP.
# Configure the AC as the DHCP server to allocate an IP address to the AP from the IP address
pool on VLANIF 100, and allocate IP addresses to STAs from the IP address pool on VLANIF
101.
[AC] dhcp enable
[AC] interface vlanif 100
[AC-Vlanif100] ip address 192.168.10.1 24
[AC-Vlanif100] dhcp select interface
[AC-Vlanif100] quit
[AC] interface vlanif 101
[AC-Vlanif101] ip address 192.168.11.1 24
[AC-Vlanif101] dhcp select interface
[AC-Vlanif101] quit

Step 4 Configure AC system parameters.


# Configure the country code.
[AC] wlan ac-global country-code cn

# Configure the AC ID and carrier ID.


[AC] wlan ac-global ac id 1 carrier id other

# Configure the source interface.


[AC] wlan
[AC-wlan-view] wlan ac source interface vlanif 100

Step 5 Manage the AP on the AC.


# Check the AP type ID after obtaining the MAC address of the AP.
[AC-wlan-view] display ap-type all
All AP types information:
------------------------------------------------------------------------------
ID     Type
------------------------------------------------------------------------------
0      WA601
1      WA631
6      WA603SN
7      WA603DN
8      WA633SN
11     WA603DE
12     WA653DE
14     WA653SN
17     AP6010SN-GN
19     AP6010DN-AGN
21     AP6310SN-GN
23     AP6510DN-AGN
25     AP6610DN-AGN
27     AP7110SN-GN
28     AP7110DN-AGN
29     AP5010SN-GN
30     AP5010DN-AGN
31     AP3010DN-AGN
33     AP6510DN-AGN-US
34     AP6610DN-AGN-US
------------------------------------------------------------------------------
Total number: 20

# Add the AP offline based on the AP type ID. Assume that the AP type is AP6010DN-AGN,
and the MAC address of the AP is 5489-9846-1dd4.

[AC-wlan-view] ap-auth-mode mac-auth
[AC-wlan-view] ap id 0 type-id 19 mac 5489-9846-1dd4
[AC-wlan-ap-0] quit
NOTE

The default AP authentication mode is MAC address authentication. If the default settings are retained, you do
not need to run the ap-auth-mode mac-auth command.

# Configure an AP region and add the AP to the AP region.


[AC-wlan-view] ap-region id 10
[AC-wlan-ap-region-10] quit
[AC-wlan-view] ap id 0
[AC-wlan-ap-0] region-id 10
[AC-wlan-ap-0] quit

# After powering on the AP, run the display ap all command on the AC to check the AP running
status. The command output shows that the AP status is normal.
[AC-wlan-view] display ap all
All AP information(Normal-1,UnNormal-0):
------------------------------------------------------------------------------
AP   AP            AP              Profile   AP       AP
ID   Type          MAC             /Region   State    Sysname
                                   ID
------------------------------------------------------------------------------
0    AP6010DN-AGN  5489-9846-1dd4  0/10      normal   ap-0
------------------------------------------------------------------------------
Total number: 1

Step 6 Configure WLAN service parameters.


# Create a WMM profile named wmm.
[AC-wlan-view] wmm-profile name wmm id 1
[AC-wlan-wmm-prof-wmm] quit

# Create a radio profile named radio and bind the WMM profile wmm to the radio profile.
[AC-wlan-view] radio-profile name radio id 1
[AC-wlan-radio-prof-radio] wmm-profile name wmm
[AC-wlan-radio-prof-radio] quit
[AC-wlan-view] quit

# Create WLAN-ESS interface 1.


NOTE

To enable the AC to allocate IP addresses to STAs, run the dhcp enable command on the WLAN-ESS
interface to enable DHCP on the AC.
[AC] interface wlan-ess 1
[AC-Wlan-Ess1] dhcp enable
[AC-Wlan-Ess1] port link-type hybrid
[AC-Wlan-Ess1] port hybrid pvid vlan 101
[AC-Wlan-Ess1] port hybrid untagged vlan 101
[AC-Wlan-Ess1] quit

# Create a security profile named security.


[AC] wlan
[AC-wlan-view] security-profile name security id 1
[AC-wlan-sec-prof-security] quit

# Create a traffic profile named traffic.


[AC-wlan-view] traffic-profile name traffic id 1
[AC-wlan-traffic-prof-traffic] quit


# Create a service set named test and bind the WLAN-ESS interface, security profile, and traffic
profile to the service set.
[AC-wlan-view] service-set name test id 1
[AC-wlan-service-set-test] ssid test
[AC-wlan-service-set-test] wlan-ess 1
[AC-wlan-service-set-test] security-profile name security
[AC-wlan-service-set-test] traffic-profile name traffic
[AC-wlan-service-set-test] service-vlan 101
[AC-wlan-service-set-test] forward-mode tunnel
[AC-wlan-service-set-test] quit

Step 7 Configure user isolation.


# Configure user isolation for the service set test.
[AC-wlan-view] service-set name test
[AC-wlan-service-set-test] user-isolate
[AC-wlan-service-set-test] quit
[AC-wlan-view] quit

# Configure port isolation on the WLAN-ESS interface.


[AC] interface wlan-ess 1
[AC-WLAN-ESS1] port-isolate enable
[AC-WLAN-ESS1] quit

Step 8 Configure a WEP security policy.


[AC] wlan
[AC-wlan-view] security-profile name security
[AC-wlan-sec-prof-security] security-policy wep
[AC-wlan-sec-prof-security] wep authentication-method share-key
[AC-wlan-sec-prof-security] wep key wep-40 pass-phrase 0 simple 12345
[AC-wlan-sec-prof-security] wep default-key 0
[AC-wlan-sec-prof-security] quit

Step 9 Configure a VAP and deliver VAP parameters to the AP.


# Configure a VAP.
[AC-wlan-view] ap 0 radio 0
[AC-wlan-radio-0/0] radio-profile name radio
Warning: Modify the Radio type may cause some parameters of Radio resume defaul
t value, are you sure to continue?[Y/N]:y
[AC-wlan-radio-0/0] service-set name test
[AC-wlan-radio-0/0] quit

# Commit the configuration.


[AC-wlan-view] commit ap 0
Warning: Committing configuration may cause service interruption,continue?[Y/N
]y

Step 10 Verify the configuration.


The WLAN with SSID test is available for STAs connected to the AP.
If a STA has an incorrect shared key configured, the STA cannot access the WLAN.
STA1 and STA2 belong to the same service VLAN, VLAN 101. STA1 obtains the IP address
192.168.11.254 and STA2 obtains the IP address 192.168.11.255 after going online, but they
cannot ping each other.


NOTE

After the PC scans an SSID, if you double-click the SSID and enter the key, association may fail. You need
to add a WLAN on the PC.
l Configuration on the Windows XP operating system:
1. On the Association tab page of the Wireless network properties dialog box, add SSID test, set
the network authentication mode to shared-key mode and encryption mode to WEP, and configure
the network key and corresponding key index.
l Configuration on the Windows 7 operating system:
1. Access the Manage wireless networks page, click Add, and select Manually create a network
profile. Add SSID test, set the encryption and authentication modes, and click Next.
2. Scan SSIDs to search WLANs. Double-click SSID test, click the Security tab, and set the key
index on the Security tab page.

----End

Configuration Files
l Configuration file of the AC wired side


#
sysname AC-LSW
#
vlan batch 100 to 101
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 101
#
interface XGigabitEthernet0/0/27
port link-type trunk
port trunk allow-pass vlan 100 to 101
#
return

l Configuration file of the AC wireless side


#
sysname AC
#
vlan batch 100 to 101
#
dhcp enable
#
wlan ac-global carrier id other ac id 1
#
interface Vlanif100
ip address 192.168.10.1 255.255.255.0
dhcp select interface
#
interface Vlanif101
ip address 192.168.11.1 255.255.255.0
dhcp select interface
#
interface XGigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100
#
interface WLAN-ESS1
port hybrid pvid vlan 101
port hybrid untagged vlan 101
port-isolate enable


dhcp enable
#
wlan
wlan ac source interface vlanif100
ap-region id 10
ap id 0 type-id 19 mac 60de-4476-e360 sn AB35015384
region-id 10
wmm-profile name wmm id 1
traffic-profile name traffic id 1
security-profile name security id 1
wep authentication-method share-key
wep key wep-40 pass-phrase 0 simple 12345
service-set name test id 1
forward-mode tunnel
wlan-ess 1
ssid test
traffic-profile id 1
security-profile id 1
service-vlan 101
radio-profile name radio id 1
wmm-profile id 1
ap 0 radio 0
radio-profile id 1
service-set id 1 wlan 1
#
return
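The configuration files of the STA blacklist example and of this user isolation example are what a defender reviews after deployment. The following Python is an added example, not Huawei code: it parses the '#'-delimited sections of such a file and reports tunnel-forwarded service sets without port isolation or user isolation, security profiles that still use WEP shared-key authentication or keep the key in clear text, and the STA blacklist. The two sample files are constructed from the examples (with the user-isolate line that Step 7 configures), and the finding codes are my own.

```python
import re

# Constructed sample 1: the wireless-side file of the user isolation example, cut
# to the sections the checks read, with Step 7's 'user-isolate' and indentation.
USER_ISOLATION_CFG = """\
#
interface WLAN-ESS1
 port-isolate enable
#
wlan
 security-profile name security id 1
  wep authentication-method share-key
  wep key wep-40 pass-phrase 0 simple 12345
 service-set name test id 1
  forward-mode tunnel
  wlan-ess 1
  security-profile id 1
  user-isolate
#
return
"""

# Constructed sample 2: the STA blacklist example (no isolation, no authentication).
BLACKLIST_CFG = """\
#
interface WLAN-ESS1
#
wlan
 security-profile name security id 1
 sta-blacklist 0011-2233-4455
 sta-blacklist 0011-2233-4466
 sta-access-mode ap 0 blacklist
 service-set name test id 1
  forward-mode tunnel
  wlan-ess 1
  security-profile id 1
#
return
"""

BLOCK = re.compile(r"^(\S+-profile|service-set) name (\S+) id (\S+)$")
OTHER_CONTEXT = re.compile(r"^(ap id |ap \d+ radio |ap-region |wlan ac )")


def parse(text):
    """Collect interfaces, security profiles (by id), service sets (by name) and sta-* lines."""
    cfg = {"iface": {}, "secprof": {}, "sset": {}, "sta": []}
    sections, cur = [], []
    for line in map(str.strip, text.splitlines()):
        if line == "#":
            sections.append(cur)
            cur = []
        elif line and line != "return":
            cur.append(line)
    for sec in filter(None, sections + [cur]):
        if sec[0].startswith("interface "):
            cfg["iface"][sec[0].split(None, 1)[1]] = sec[1:]
        elif sec[0] == "wlan":
            block = None                    # lines of the current sub-block
            for line in sec[1:]:
                m = BLOCK.match(line)
                if m:
                    kind, name, pid = m.groups()
                    block = []              # profiles that are not audited get a throwaway list
                    if kind == "security-profile":
                        cfg["secprof"][pid] = block
                    elif kind == "service-set":
                        cfg["sset"][name] = block
                elif line.startswith("sta-"):
                    cfg["sta"].append(line)  # sta-blacklist entries and sta-access-mode
                    block = None
                elif OTHER_CONTEXT.match(line):
                    block = None            # ap, region and source-interface lines are not audited
                elif block is not None:
                    block.append(line)
    return cfg


def audit(text):
    """Return (code, message) findings for one configuration file."""
    cfg = parse(text)
    found = []
    for name, lines in cfg["sset"].items():
        ess = next((ln.split()[1] for ln in lines if ln.startswith("wlan-ess ")), "?")
        iface = cfg["iface"].get("WLAN-ESS" + ess, [])
        if "forward-mode tunnel" in lines and "port-isolate enable" not in iface:
            found.append(("NO_PORT_ISOLATE", f"{name}: tunnel forwarding, but WLAN-ESS{ess} lacks 'port-isolate enable'"))
        if "user-isolate" not in lines:
            found.append(("NO_USER_ISOLATE", f"{name}: STAs of this service set can reach each other at Layer 2"))
        pid = next((ln.split()[2] for ln in lines if ln.startswith("security-profile id ")), None)
        prof = cfg["secprof"].get(pid, [])
        if "wep authentication-method share-key" in prof:
            found.append(("WEP_SHARED_KEY", f"{name}: WEP shared-key authentication is weak; only for the low-security case the guide describes"))
        elif not any(ln.startswith(("security-policy", "wep authentication-method")) for ln in prof):
            found.append(("NO_AUTH", f"{name}: no authentication method configured, treat the SSID as open"))
        if any(ln.startswith("wep key ") and " simple " in ln for ln in prof):
            found.append(("CLEARTEXT_KEY", f"{name}: WEP key kept in clear text ('simple') in the configuration file"))
    macs = [ln.split()[1] for ln in cfg["sta"] if ln.startswith("sta-blacklist ")]
    if macs:
        found.append(("STA_BLACKLIST", f"{len(macs)} MAC(s) blacklisted: {', '.join(macs)}"))
    return found
```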

12.4 Radio Resource Management


Radio resource management enables a WLAN to adapt to changes in the radio environment by
dynamically adjusting radio resources. This improves service quality for wireless users.

12.4.1 Overview
Radio resource management enables APs to check the surrounding radio environment,
dynamically adjust working channels and transmit power, and evenly distribute access users.
This function helps reduce radio signal interference, adjust radio coverage, and enable a wireless
network to quickly adapt to changes in the radio environment. With the radio resource
management function, the wireless network can provide high service quality for wireless users
and maintain an optimal radio resource utilization.
WLAN technology uses radio signals (such as 2.4 GHz or 5 GHz radio waves) as transmission
medium. Radio waves will attenuate when they are transmitted over air, degrading service
quality for wireless users. Radio resource management enables a WLAN to adapt to changes in
the radio environment by dynamically adjusting radio resources. This improves service quality
for wireless users.

12.4.2 Radio Resource Management Features Supported by the Device
The device supports the following radio resource management features: radio calibration, load
balancing, 5G-prior access, and interference detection.

Radio Calibration
On a WLAN, operating status of APs is affected by the radio environment. For example, if
adjacent APs work on overlapping channels, a large-power AP can interfere with adjacent APs.

The radio calibration function can dynamically adjust channels and power of APs managed by
the same AC to ensure that the APs work at the optimal performance.
The device supports global radio calibration and partial radio calibration:
l Global radio calibration: The device dynamically allocates channels and power to all the
APs in an AP region. Generally, this calibration mode is used on a newly deployed WLAN
or a WLAN where the radio environment deteriorates in most areas.
l Partial radio calibration: The device dynamically allocates channels and power to specified
APs. Generally, this calibration mode is used when new APs are added to the network or
the radio environment deteriorates in some areas.

Background Neighbor Probing


During global or partial radio calibration, an AP needs to listen on Beacon frames on each
channel until all channels are probed. The probing process takes a long time and may cause
service interruption. If background neighbor probing is enabled, an AP does not need to traverse
all channels after receiving a probe message from the AC. Instead, the AP reports the previous
probe result to the AC. This reduces risks of service interruption caused by radio calibration.
If background neighbor probing is enabled before radio calibration, an AP determines whether
to switch to another channel for neighbor probing every 300s based on the service traffic volume
and threshold of user quantity. If the channel switching condition is met (the number of users
or traffic on the channel does not exceed the threshold), the AP switches to the new channel.
The AP then listens on Beacon frames on the new channel and saves the probing result. After
300 ms, the AP switches back to the original channel.

Load Balancing
As shown in Figure 1, AP1 and AP2 associate with an AC. Four users (STA1 to STA4) associate
with AP1, and one user (STA5) associates with AP2. If too many users connect to the Internet
through AP1, AP1 will be overloaded, whereas resources on AP2 are not used.
Load balancing can evenly distribute user traffic to different APs to ensure high performance
and bandwidth for each STA. The load balancing function applies to wireless networks with
high user densities to ensure proper distribution of traffic from STAs.
After load balancing is configured on an AC, the AC uses a load balancing algorithm to determine
whether a new STA (STA6 in Figure 1) can associate with an AP. The load balancing algorithm
prevents new STAs from associating with heavily-loaded APs to reduce loads on these APs.
NOTE

Load balancing can be implemented among APs only when the APs are connected to the same AC and all these
APs can be discovered by a STA.


Figure 12-28 WLAN load balancing (AP1 and AP2 connect through a switch to the AC, which
connects to the Internet; STA1 to STA4 associate with AP1, STA5 associates with AP2, and
STA6 is a new STA)

5G-Prior Access
When an AP and STA support both 5 GHz and 2.4 GHz frequency bands, the AP can request
the STA to associate with the 5 GHz radio first.
Most STAs support both 5 GHz and 2.4 GHz frequency bands and they usually associate with
the 2.4 GHz radio by default when connecting to the Internet. To connect to the 5 GHz radio,
users must manually select the 5 GHz radio. When the 2.4 GHz frequency band has many users
or severe interference, the 5 GHz frequency band can provide better access service for wireless
users. The 5G-prior access function enables STAs to preferentially associate with the 5 GHz
radio.

Interference Detection
WLAN wireless channels are often affected by the radio environment, and the service quality
is therefore degraded. If interference detection is configured, a monitoring AP can learn the
radio environment in real time and report alarms to the AC in a timely manner.
Interference detection can detect AP co-channel interference, AP adjacent-channel interference,
and STA interference.
l AP co-channel interference: Two APs working in the same frequency band interfere with
each other. For example, on a large-scale WLAN (a university campus network), different
APs often use the same channel. When there are overlapping areas among these APs, co-channel
interference exists, degrading network performance.
l AP adjacent-channel interference: Two APs with different center frequencies have
overlapping areas, resulting in adjacent-channel interference. When APs are placed too
close to each other or have strong signals, they produce more noise and degrade network
performance.
l STA interference: If there are many STAs that are managed by other APs around an AP,
services of the STAs managed by the local AP may be affected.

Restriction of Access from Weak-Signal or Low-Rate STAs


On a WLAN, an AP may receive weak radio signals from some STAs. After associating with
the AP, these STAs work at a low rate, affecting the network throughput. The function that
restricts access from weak-signal or low-rate STAs can prevent these STAs from accessing the
WLAN, reducing the impact of these STAs on other ones and improving WLAN performance.
In the case of good WLAN signal coverage, this function can be used to restrict WLAN access
from weak-signal or low-rate STAs at the edge of the coverage area.

12.4.3 Default Configuration


This section provides the default radio resource management configuration.
Table 12-11 Default radio resource management configuration
Parameter                                    Default Setting
Channel mode                                 Automatic mode
Power mode                                   Automatic mode
Partial radio calibration                    Enabled
Partial radio calibration interval           720 minutes
Global radio calibration                     Disabled
Load balancing mode                          Session-based load balancing
5G-prior access                              Disabled
Interference detection                       Disabled
Restriction of access from weak-signal STAs  Disabled
Restriction of access from low-rate STAs     Disabled
AP high density                              Disabled
AP high density level                        Low
AP signal-strength-based power adjustment    Disabled


12.4.4 Configuring Radio Calibration


The radio calibration function can dynamically adjust channels and power of APs managed by
the same AC to ensure that the APs work at the optimal performance.

Context

CAUTION
l When radio calibration automatically triggers power adjustment, an alarm
(WLAN_1.3.6.1.4.1.2011.6.139.3.24.1.17 hwRadioNotSupportPowerLevelNotify)
indicating that the maximum transmit power exceeds the threshold may be generated. For
example, some local laws may restrict the maximum transmit power of APs. If the power
exceeds the locally specified maximum transmit power after radio calibration, an alarm is
generated.

Pre-configuration Tasks
Before configuring radio calibration, complete the following tasks:
l Configuring WLAN Service
l Configuring the channel mode and power mode in a radio profile to automatic mode for
APs (For details, see Configuring a Radio Profile.)

Procedure
l (Optional) Configure background neighbor probing.
If background neighbor probing is enabled, an AP does not need to traverse all channels
after receiving a probe message from the AC. Instead, the AP reports the previous probe
result to the AC. This reduces risks of service interruption caused by radio calibration.
NOTE

Enabling background neighbor probing on APs may cause service interruption when ThinkPad X220
laptops running the Windows 7 operating system connect to WLANs. You need to manually connect
ThinkPad X220 laptops to WLANs.

1. Run:
system-view

The system view is displayed.

2. Run:
wlan

The WLAN view is displayed.

3. Run:
radio-profile { id profile-id | name profile-name }

The radio profile view is displayed.

4. Run:
background scanning enable

Background neighbor probing is enabled on APs.
By default, background neighbor probing is disabled on APs.

5. Configure the channel switching condition for background neighbor probing as
required:
If background neighbor probing is based on the service volume, run:
background scanning service-threshold service-threshold-value

The service threshold for background neighbor probing is set.
By default, the service threshold for background neighbor probing is 20%.
If background neighbor probing is based on the user quantity, run:
background scanning client-threshold client-threshold-value

The user threshold for background neighbor probing is set.
By default, the user threshold for background neighbor probing is 10.
l Configure global radio calibration.
1. Run:
system-view

The system view is displayed.

2. Run:
wlan

The WLAN view is displayed.

3. Run either of the following commands to configure global radio calibration.
Run:
calibrate startup region region-id [ listen-uncontrol-neighbor ]

Global radio calibration is enabled in the specified AP region.
Run:
calibrate auto-startup region region-id time time [ listen-uncontrol-neighbor ]

Scheduled global radio calibration is enabled in the specified AP region.
By default, scheduled global radio calibration is disabled.

l Configure partial radio calibration.
1. Run:
system-view

The system view is displayed.

2. Run:
wlan

The WLAN view is displayed.

3. Run:
radio-profile { id profile-id | name profile-name }

The radio profile view is displayed.

4. Run:
calibrate enable

Partial radio calibration is enabled.
By default, partial radio calibration is enabled.

5. Run:
calibrate-interval calibrate-interval

The radio calibration interval is set in the radio profile.
By default, the radio calibration interval is 720 minutes.
An AP checks the radio environment at the specified interval. If the radio environment
deteriorates, the AP calibrates radio parameters.
----End

Checking the Configuration


l Run the display radio-profile { all | id profile-id | name profile-name } command to check
the radio calibration interval and enabling status of partial radio calibration in a specified
radio profile.
l Run the display calibrate auto-startup info region region-id command to check the
configuration of scheduled global calibration in a specified AP region.

12.4.5 Configuring Load Balancing


Load balancing can evenly distribute user traffic to different APs to ensure high performance
and bandwidth for each STA.

Pre-configuration Tasks
Before configuring load balancing, complete the following tasks:
l Configuring WLAN Service
l Ensuring that APs for load balancing associate with the same AC

Configuration Process
Perform either of the two tasks as required:

Configuring Static Load Balancing


Context
In static load balancing mode, APs providing the same services are manually added to a load
balancing group. When a STA needs to access a WLAN, it sends an Association Request packet
to an AC through an AP. The AC determines whether to allow access from the STA according
to the load balancing algorithm. Static load balancing can be implemented when the following
conditions are met:
l All APs in a load balancing group work in the same frequency band (2.4 GHz or 5 GHz
band).
l A radio can join only one load balancing group. If dual-band APs are used, traffic is load
balanced among APs working in the same frequency band. That is, a dual-band AP can
join two load balancing groups.
l APs in a load balancing group use different working channels.
l Each load balancing group supports a maximum of three APs.
l All APs in a load balancing group must belong to the same AP region.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
wlan

The WLAN view is displayed.


Step 3 Run:
load-balance-group { name group-name | id group-id }

A load balancing group is created and the load balancing group view is displayed.
By default, no load balancing group is created.
NOTE

Specify a group name when creating a load balancing group.

Step 4 Run:
member ap-id ap-id radio-id radio-id

An AP radio is added to the load balancing group.


By default, no AP radio is added to a load balancing group.
NOTE

A load balancing group is a set of radios. A radio can join only one load balancing group.

Step 5 Configure the load balancing mode as required.


l Run:
traffic gap gap-threshold

The static load balancing mode is set to traffic-based load balancing and the load difference
threshold is set.
By default, session-based load balancing is used.
l Run:
session gap gap-threshold

The static load balancing mode is set to session-based load balancing and the load difference
threshold is set.
By default, session-based load balancing is used, and the load difference threshold in session-based load balancing is 4%.
Step 6 (Optional) Run:
associate-threshold associate-threshold

The maximum number of association requests is set in the static load balancing group.
By default, the maximum number of association requests in a static load balancing group is 6.
When a STA requests to associate with a heavily loaded AP, the AP rejects the association
request of the STA. When the number of consecutive association requests from the STA exceeds
the maximum value, the AP allows the STA to associate with it. Load balancing therefore only
steers STAs toward lightly loaded APs; a STA that keeps retrying is eventually admitted, so do
not rely on it to cap the number of users on an AP or to keep a STA off a radio.
Step 7 Run the commit { all | ap ap-id } command to deliver the configuration to APs.
----End

Checking the Configuration
l Run the display load-balance-group { all | id group-id | name group-name } command
to check the load balancing group configuration.

Configuring Dynamic Load Balancing


Context
Static load balancing limits the maximum number of AP radios to 3 and allows only radios in
the same frequency band to join a load balancing group. Additionally, a load balancing group
needs to be manually specified. Dynamic load balancing overcomes the limitations of static load
balancing.
In dynamic load balancing mode, a STA sends a broadcast Probe Request frame to scan for available
APs. All APs that receive the Probe Request frame report the STA information to the AC.
The AC adds these APs to a load balancing group and then uses the load balancing algorithm to
determine whether to allow access from the STA.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
wlan

The WLAN view is displayed.


Step 3 Run:
sta-load-balance enable

Dynamic load balancing is enabled.


By default, dynamic load balancing is disabled.
Step 4 Configure the dynamic load balancing mode and load difference threshold as required.
l Set the load balancing mode to session-based load balancing.
1. Run:
sta-load-balance mode session

The dynamic load balancing mode is set to session-based load balancing.
By default, session-based load balancing is used.
2. Run:
sta-load-balance session gap value

The load difference threshold for session-based load balancing is set.
By default, the load difference threshold for session-based load balancing is 4%.
l Set the load balancing mode to traffic-based load balancing.
1. Run:
sta-load-balance mode traffic

The dynamic load balancing mode is set to traffic-based load balancing.
By default, session-based load balancing is used.
2. Run:
sta-load-balance traffic gap value

The load difference threshold for traffic-based load balancing is set.
By default, the load difference threshold for traffic-based load balancing is 20%.
Step 5 (Optional) Run:
sta-load-balance associate-threshold associate-threshold

The maximum number of association requests is set.


By default, the maximum number of association requests in dynamic load balancing is 6.
When a STA requests to associate with a heavily loaded AP, the AP rejects the association
request of the STA. When the number of consecutive association requests of the STA exceeds
the maximum value, the AP allows the STA to associate with it.
Step 6 Run the commit { all | ap ap-id } command to deliver the configuration to APs.
----End

Checking the Configuration
l Run the display sta-load-balance config command to check the STA dynamic load
balancing configuration.
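The decision that both the static procedure (load-balance-group, session gap, associate-threshold) and the dynamic procedure above (sta-load-balance) configure can be followed in code. The following Python model is an added example, not Huawei's implementation: the guide says only that a radio's load is compared against a load difference threshold, that a heavily loaded AP rejects a STA's Association Request, and that the STA is admitted once its consecutive requests exceed associate-threshold. How a radio's load is expressed as a percentage is assumed here (sessions divided by an assumed per-radio capacity), as is the reading of "heavily loaded" as more than the gap above the least-loaded radio in the group; the class, function and STA names are the example's own.

```python
"""Model of the load balancing decision configured above (added example).

Illustrative Python, not Huawei's implementation. The guide states only that
(1) the AC compares radio load against a load difference threshold (default
4% for session-based balancing, 20% for traffic-based), (2) a heavily loaded
AP rejects a STA's Association Request, and (3) once the STA's consecutive
requests exceed associate-threshold (default 6) it is admitted anyway.
Assumptions made here: load is sessions / per-radio capacity in percent, and
"heavily loaded" means more than the gap above the least-loaded group member.
"""
from dataclasses import dataclass, field


@dataclass
class Radio:
    ap_id: int
    radio_id: int
    sessions: int = 0
    capacity: int = 64          # assumed per-radio session capacity (not from the guide)

    @property
    def load_pct(self) -> float:
        return 100.0 * self.sessions / self.capacity


@dataclass
class LoadBalanceGroup:
    members: list                  # static mode: configured radios; dynamic mode: radios that heard the probe
    gap: float = 4.0               # 'session gap' / 'sta-load-balance session gap', in percent
    associate_threshold: int = 6   # 'associate-threshold'
    attempts: dict = field(default_factory=dict)   # (sta, ap_id, radio_id) -> consecutive rejections

    def is_heavily_loaded(self, radio: Radio) -> bool:
        lightest = min(m.load_pct for m in self.members)
        return radio.load_pct - lightest > self.gap

    def handle_association(self, sta: str, radio: Radio) -> bool:
        """Return True if the Association Request is accepted, False if rejected."""
        key = (sta, radio.ap_id, radio.radio_id)
        if self.is_heavily_loaded(radio):
            count = self.attempts.get(key, 0) + 1
            if count <= self.associate_threshold:
                self.attempts[key] = count      # reject; the STA is expected to try a neighbour
                return False
        # Either the radio is not overloaded, or the STA insisted past the threshold.
        self.attempts.pop(key, None)
        radio.sessions += 1
        return True


def dynamic_group(reporting_radios, gap=4.0):
    """Dynamic mode: the group is whatever radios reported the STA's Probe Request to the AC."""
    return LoadBalanceGroup(members=list(reporting_radios), gap=gap)


def stubborn_sta_trace():
    """Constructed scenario: AP1 radio 0 already carries 10 sessions, AP2 radio 0 carries 2.
    STA 'sta-a' insists on AP1 for seven requests; 'sta-b' goes to AP2 instead.
    Returns the accept/reject trace for sta-a and the final session counts."""
    ap1 = Radio(ap_id=1, radio_id=0, sessions=10)
    ap2 = Radio(ap_id=2, radio_id=0, sessions=2)
    group = dynamic_group([ap1, ap2])
    trace = [group.handle_association("sta-a", ap1) for _ in range(7)]
    group.handle_association("sta-b", ap2)
    return trace, ap1.sessions, ap2.sessions


if __name__ == "__main__":
    print(stubborn_sta_trace())
```

Running it shows the behaviour the associate-threshold note describes: a STA that ignores six rejections is admitted on the seventh request, while a STA that moves to the lightly loaded radio is admitted at once. That is why the feature steers rather than enforces.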

12.4.6 Configuring 5G-Prior Access


You can configure 5G-prior access to enable STAs to preferentially associate with 5 GHz radios
so that wireless users can obtain better access service.

Pre-configuration Tasks
Before configuring 5G-prior access, complete the following tasks:
l Configuring WLAN Service
l Ensuring that an AP supports both 5 GHz and 2.4 GHz frequency bands and has the same
SSID and security policy on the 5 GHz and 2.4 GHz radios

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
wlan

The WLAN view is displayed.


Step 3 Run:
ap id ap-id

The AP view is displayed.


Step 4 Run:
access priority 5g

The STA access mode is set to 5G prior.


By default, a STA accesses a 2.4 GHz radio.
Step 5 Run:
quit

Return to the WLAN view.


Step 6 Run the commit { all | ap ap-id } command to deliver the configuration to APs.
----End

Checking the Configuration
l Run the display ap command to check the STA radio access mode.

12.4.7 Configuring Interference Detection


After interference detection is configured, an AP reports an alarm to the AC when it detects that
co-channel interference, adjacent-channel interference, or STA interference exceeds the
corresponding alarm threshold.

Pre-configuration Tasks
Before configuring interference detection, complete the following task:
l Configuring WLAN Service

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
wlan

The WLAN view is displayed.


Step 3 Run:
radio-profile { id profile-id | name profile-name }

The radio profile view is displayed.


Step 4 Run:
interference detect enable

Interference detection is enabled.


By default, interference detection is disabled.


Step 5 (Optional) Configure interference detection thresholds.
l Run:
set ap common-frequency interference threshold threshold-value

The alarm threshold for co-channel interference is set.


By default, the alarm threshold for co-channel interference is 50%.
l Run:
set ap adjacent-frequency interference threshold threshold-value

The alarm threshold for adjacent-channel interference is set.


By default, the alarm threshold for adjacent-channel interference is 50%.
l Run:
set station interference threshold threshold-value

The alarm threshold for STA interference is set.


By default, the alarm threshold for STA interference is 32.
Step 6 Run:
quit

Return to the WLAN view.


Step 7 Run the commit { all | ap ap-id } command to deliver the configuration to APs.
----End

Checking the Configuration
l Run the display radio-profile { all | id profile-id | name profile-name } command to check
the interference detection configuration.

12.4.8 Restricting Access from Weak-Signal or Low-Rate STAs


You can restrict access from weak-signal or low-rate STAs to prevent these STAs from accessing
the WLAN.

Context
In the case of good WLAN signal coverage, you can restrict WLAN access from weak-signal
or low-rate STAs at the edge of the coverage area.
NOTE

This function takes effect only for the new STAs that need to access a WLAN but not for the existing STAs that
have connected to the WLAN.

Pre-configuration Tasks
Before restricting access from weak-signal or low-rate STAs, complete the following task:
l Configuring WLAN Service

Procedure
l Restrict access from weak-signal STAs.
1. Run:
system-view

The system view is displayed.
2. Run:
wlan

The WLAN view is displayed.
3. Run:
radio-profile { id profile-id | name profile-name }

The radio profile view is displayed.
4. Run:
sta-access-limit signal-strength enable

Restriction of access from weak-signal STAs is enabled.
By default, restriction of access from weak-signal STAs is disabled.
5. Run:
sta-access-limit signal-strength threshold threshold-value

The lower threshold for the STA signal strength is set.
By default, the lower threshold for the STA signal strength is -80 dBm.
6. Run:
quit

Return to the WLAN view.
7. Run the commit { all | ap ap-id } command to deliver the configuration to APs.
l Restrict access from low-rate STAs.
1. Run:
system-view

The system view is displayed.
2. Run:
wlan

The WLAN view is displayed.
3. Run:
radio-profile { id profile-id | name profile-name }

The radio profile view is displayed.
4. Run:
sta-access-limit rate enable

Restriction of access from low-rate STAs is enabled.
By default, restriction of access from low-rate STAs is disabled.
5. Run:
sta-access-limit rate rate-value { rate_1 | rate_2 | rate_5_5 | rate_6 | rate_9 | rate_11 | rate_12 | rate_18 | rate_22 | rate_24 | rate_33 | rate_36 | rate_48 | rate_54 }

The lower threshold for the STA access rate is set.
By default, the lower threshold for the STA access rate is 11 Mbit/s.
6. Run:
quit

Return to the WLAN view.
7. Run the commit { all | ap ap-id } command to deliver the configuration to APs.

----End

Checking the Configuration
l Run the display radio-profile { id profile-id | name profile-name } command to check the
configuration of restriction of access from weak-signal or low-rate STAs.

12.4.9 Maintaining Radio Resource Management


Maintaining radio resource management includes displaying and clearing radio calibration
statistics.

Displaying Radio Calibration Statistics


Context
During radio calibration, run the following command to view radio calibration statistics.

Procedure
l Run the display statistics calibrate ap-id ap-id radio-id radio-id command to check radio
calibration statistics.

----End

Clearing Radio Calibration Statistics


Context
Before re-collecting radio calibration statistics, run the reset statistics calibrate command to
clear the existing statistics.

CAUTION
Radio calibration statistics cannot be restored after they are cleared. Confirm your operation
before running the command.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
wlan

The WLAN view is displayed.


Step 3 Run:
ap ap-id radio radio-id

The specified AP radio view is displayed.


Step 4 Run:
reset statistics calibrate

Clear radio calibration statistics.


----End

12.4.10 Configuration Examples


This section provides radio resource management configuration examples. Each configuration
example includes networking requirements, configuration roadmap, and configuration
procedure.

Example for Configuring Partial Radio Calibration for an AP


Networking Requirements
As shown in Figure 12-29, AP1, AP2, and AP3 are managed by the same AC and join AP region
10.
When the radio environment of AP1 deteriorates, WLAN service quality of STAs in the coverage
area of AP1 is affected. AP1 is required to automatically adjust channels or power to ensure
WLAN service quality of STAs on it.

Figure 12-29 Networking for configuring partial radio calibration
[Figure: AP1, AP2, and AP3, each serving STAs, connect to the AC through GE0/0/1 (VLAN 100);
the AC connects to the Internet through GE0/0/2 (VLAN 101). Management VLAN: VLAN 100.
Service VLAN: VLAN 101. AP region ID: 10.]

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure the WLAN service so that users can connect to the Internet through the WLAN.
2. Configure partial radio calibration for AP1 in the radio profile view to enable AP1 to
dynamically adjust channels and power. This configuration ensures that AP1 works at
optimal performance.
NOTE

The AC6605 has the wired side and wireless side. XGE0/0/27 connects the wired side to the wireless side
and XGE0/0/1 connects the wireless side to the wired side. For details about the login modes on the wired
side and wireless side, see 11.1 Configuring User Login.

Procedure
Step 1 Configure the WLAN service.
The following uses the configuration of AP1 as an example. For details, see Example for
Configuring the WLAN Service on a Small-Scale Network.
Step 2 Configure partial radio calibration for AP1.
<AC> system-view
[AC] wlan
[AC-wlan-view] radio-profile name radio
[AC-wlan-radio-prof-radio] channel-mode auto
[AC-wlan-radio-prof-radio] power-mode auto
[AC-wlan-radio-prof-radio] calibrate enable
[AC-wlan-radio-prof-radio] calibrate-interval 600
[AC-wlan-radio-prof-radio] quit
[AC-wlan-view] commit ap 0
Warning: Committing configuration may cause service interruption,continue?[Y/N]y
[AC] quit
NOTE

l The default channel mode and power mode are auto. If the default settings are retained, you do not need to
run the channel-mode and power-mode commands.
l Radio calibration is enabled by default. If the default settings are retained, you do not need to run the calibrate
enable command.

Step 3 Verify the configuration.


l Run the display radio-profile name radio command to check the status and interval of
partial radio calibration. In the command output, the Calibrate switch field displays enable
and Calibrate interval(min) displays 600.
<AC> display radio-profile name radio
-----------------------------------------------------------------------
Profile ID                              : 1
Profile name                            : radio
Radio type                              : 802.11b/g
Rate mode                               : auto
Rate(Mbps)                              : 54
Channel mode                            : auto
Power mode                              : auto
Calibrate interval(min)                 : 600
PER threshold(%)                        : 30
Conflict rate threshold(%)              : 60
RTS/CTS threshold(Byte)                 : 2347
Fragmentation threshold(Byte)           : 2346
Short retry number limit                : 7
Long retry number limit                 : 4
Support short preamble                  : support
DTIM interval (Beacon interval numbers) : 1
Beacon interval(ms)                     : 100
WMM profile ID                          : 1
WMM profile name                        : wmm
Interference detect switch              : disable
Calibrate switch                        : enable
Common frequency disturb threshold(%)   : 50
Adjacent frequency disturb threshold(%) : 50
Station disturb threshold               : 32
Radio device report duration(second)    : 300
RTS/CTS mode                            : CTS-TOSELF
Wifi-light mode                         : signalstrength
Beamforming switch                      : disable
Channel switch announcement             : disable
Channel switch mode                     : continue
Signal strength switch                  : disable
Signal strength value(dbm)              : -80
Background scan neighbor                : disable
Service threshold(%)                    : 20
Client threshold                        : 10
Device synchronization duration(minute) : 360
Rate limit switch                       : disable
Rate limit value(Mbps)                  : 11
-----------------------------------------------------------------------

----End

Configuration Files
l Configuration file of the AC wired side


#
sysname AC-LSW
#
vlan batch 100 to 101
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 101
#
interface XGigabitEthernet0/0/27
port link-type trunk
port trunk allow-pass vlan 100 to 101
#
return

l Configuration file of the AC wireless side


#
sysname AC
#
vlan batch 100 to 101
#
dhcp enable
#
wlan ac-global carrier id other ac id 1
#
interface Vlanif100
ip address 192.168.10.1 255.255.255.0
dhcp select interface
#
interface Vlanif101
ip address 192.168.11.1 255.255.255.0
dhcp select interface
#
interface XGigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100 to 101
#
interface WLAN-ESS1
port hybrid untagged vlan 101
dhcp enable
#
wlan
wlan ac source interface vlanif100
ap-region id 10
ap id 0 type-id 19 mac 60de-4476-e360 sn AB35015384
region-id 10
wmm-profile name wmm id 1
traffic-profile name traffic id 1
security-profile name security id 1
service-set name test id 1
forward-mode tunnel
wlan-ess 1
ssid test
traffic-profile id 1
security-profile id 1
service-vlan 101
radio-profile name radio id 1
calibrate-interval 600
wmm-profile id 1
ap 0 radio 0
radio-profile id 1
service-set id 1 wlan 1
#
return

Example for Configuring Global Radio Calibration for APs


Networking Requirements
As shown in Figure 12-30, a WLAN containing three APs (AP1, AP2, and AP3) is deployed
on the campus network. The three APs join AP region 10.
The three APs are required to automatically adjust channels and power to achieve optimal
WLAN performance.

Figure 12-30 Networking for configuring global radio calibration
[Figure: AP1, AP2, and AP3, each serving STAs, connect to the AC through GE0/0/1, GE0/0/2, and
GE0/0/3 (VLAN 100); the AC connects to the Internet through GE0/0/4 (VLAN 101). Management
VLAN: VLAN 100. Service VLAN: VLAN 101. AP region ID: 10.]

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure the WLAN service so that users can connect to the Internet through the WLAN.
2. Configure global radio calibration for APs in the WLAN view to enable the APs to
dynamically adjust channels and power so that the APs work at optimal performance.
NOTE

The AC6605 has the wired side and wireless side. XGE0/0/27 connects the wired side to the wireless side
and XGE0/0/1 connects the wireless side to the wired side. For details about the login modes on the wired
side and wireless side, see 11.1 Configuring User Login.

Procedure
Step 1 Configure the AC wired side and wireless side so that APs and the AC can transmit CAPWAP
packets.
# Configure the AC wired side: add wired-side interfaces GE0/0/1, GE0/0/2, and GE0/0/3 to
management VLAN 100, and add XGE0/0/27 that connects the wired side to the wireless side
to the same VLAN.
NOTE

In this example, tunnel forwarding is used. If direct forwarding is used, configure port isolation on GE0/0/1,
GE0/0/2, and GE0/0/3 that connect the AC wired side to the APs. If port isolation is not configured, many
broadcast packets will be transmitted in the VLANs or WLAN users on different APs can directly communicate
at Layer 2.

<Quidway> system-view
[Quidway] sysname AC-LSW
[AC-LSW] vlan batch 100
[AC-LSW] interface gigabitethernet 0/0/1
[AC-LSW-GigabitEthernet0/0/1] port link-type trunk
[AC-LSW-GigabitEthernet0/0/1] port trunk pvid vlan 100
[AC-LSW-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[AC-LSW-GigabitEthernet0/0/1] quit
[AC-LSW] interface gigabitethernet 0/0/2
[AC-LSW-GigabitEthernet0/0/2] port link-type trunk
[AC-LSW-GigabitEthernet0/0/2] port trunk pvid vlan 100
[AC-LSW-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[AC-LSW-GigabitEthernet0/0/2] quit
[AC-LSW] interface gigabitethernet 0/0/3
[AC-LSW-GigabitEthernet0/0/3] port link-type trunk
[AC-LSW-GigabitEthernet0/0/3] port trunk pvid vlan 100
[AC-LSW-GigabitEthernet0/0/3] port trunk allow-pass vlan 100
[AC-LSW-GigabitEthernet0/0/3] quit
[AC-LSW] interface xgigabitethernet 0/0/27
[AC-LSW-XGigabitEthernet0/0/27] port link-type trunk
[AC-LSW-XGigabitEthernet0/0/27] port trunk allow-pass vlan 100
[AC-LSW-XGigabitEthernet0/0/27] quit

# Add XGE0/0/1 that connects the AC wireless side to the wired side to VLAN 100.
<Quidway> system-view
[Quidway] sysname AC
[AC] vlan batch 100
[AC] interface xgigabitethernet 0/0/1
[AC-XGigabitEthernet0/0/1] port link-type trunk
[AC-XGigabitEthernet0/0/1] port trunk allow-pass vlan 100
[AC-XGigabitEthernet0/0/1] quit

Step 2 Configure the AC to communicate with the upstream device.


# Add XGE0/0/1 that connects the AC wireless side to the wired side to service VLAN 101.
[AC] vlan batch 101
[AC] interface xgigabitethernet 0/0/1
[AC-XGigabitEthernet0/0/1] port link-type trunk
[AC-XGigabitEthernet0/0/1] port trunk allow-pass vlan 101
[AC-XGigabitEthernet0/0/1] quit

# Add XGE0/0/27 that connects the AC wired side to the wireless side and AC uplink interface
GE0/0/4 to VLAN 101.
[AC-LSW] vlan batch 101
[AC-LSW] interface xgigabitethernet 0/0/27
[AC-LSW-XGigabitEthernet0/0/27] port link-type trunk
[AC-LSW-XGigabitEthernet0/0/27] port trunk allow-pass vlan 101
[AC-LSW-XGigabitEthernet0/0/27] quit
[AC-LSW] interface gigabitethernet 0/0/4
[AC-LSW-GigabitEthernet0/0/4] port link-type trunk
[AC-LSW-GigabitEthernet0/0/4] port trunk allow-pass vlan 101
[AC-LSW-GigabitEthernet0/0/4] quit

Step 3 Configure the AC as a DHCP server to allocate IP addresses to STAs and APs.
# Configure the AC as the DHCP server to allocate IP addresses to the APs from the IP address
pool on VLANIF 100, and allocate IP addresses to STAs from the IP address pool on VLANIF
101.
[AC] dhcp enable
[AC] interface vlanif 100
[AC-Vlanif100] ip address 192.168.10.1 24
[AC-Vlanif100] dhcp select interface
[AC-Vlanif100] quit
[AC] interface vlanif 101
[AC-Vlanif101] ip address 192.168.11.1 24
[AC-Vlanif101] dhcp select interface
[AC-Vlanif101] quit
Step 4 Configure AC system parameters.


# Configure the country code.
[AC] wlan ac-global country-code cn

# Configure the AC ID and carrier ID.


[AC] wlan ac-global ac id 1 carrier id other

# Configure the source interface.


[AC] wlan
[AC-wlan-view] wlan ac source interface vlanif 100

Step 5 Manage APs on the AC.


# Check the AP type IDs after obtaining the MAC addresses of the APs.
[AC-wlan-view] display ap-type all
All AP types information:
------------------------------------------------------------------------------
ID     Type
------------------------------------------------------------------------------
0      WA601
1      WA631
6      WA603SN
7      WA603DN
8      WA633SN
11     WA603DE
12     WA653DE
14     WA653SN
17     AP6010SN-GN
19     AP6010DN-AGN
21     AP6310SN-GN
23     AP6510DN-AGN
25     AP6610DN-AGN
27     AP7110SN-GN
28     AP7110DN-AGN
29     AP5010SN-GN
30     AP5010DN-AGN
31     AP3010DN-AGN
33     AP6510DN-AGN-US
34     AP6610DN-AGN-US
------------------------------------------------------------------------------
Total number: 20

# Add the APs offline based on the AP type ID. Assume that the type of APs 1 to 3 is AP6010DN-AGN, and their MAC addresses are 0046-4b59-1ee0, 0046-4b59-1d20, and 0046-4b59-1d40
respectively.
[AC-wlan-view] ap-auth-mode mac-auth
[AC-wlan-view] ap id 1 type-id 19 mac 0046-4b59-1ee0
[AC-wlan-ap-1] quit
[AC-wlan-view] ap id 2 type-id 19 mac 0046-4b59-1d20
[AC-wlan-ap-2] quit
[AC-wlan-view] ap id 3 type-id 19 mac 0046-4b59-1d40
[AC-wlan-ap-3] quit

NOTE

The default AP authentication mode is MAC address authentication. If the default settings are retained, you do
not need to run the ap-auth-mode mac-auth command.

# Configure an AP region and add the APs to the AP region.


[AC-wlan-view] ap-region id 10
[AC-wlan-ap-region-10] quit
[AC-wlan-view] ap id 1
[AC-wlan-ap-1] region-id 10
[AC-wlan-ap-1] quit
[AC-wlan-view] ap id 2
[AC-wlan-ap-2] region-id 10
[AC-wlan-ap-2] quit
[AC-wlan-view] ap id 3
[AC-wlan-ap-3] region-id 10
[AC-wlan-ap-3] quit

# After powering on the three APs, run the display ap all command on the AC to check the AP
running status. The command output shows that the AP status is normal.
[AC-wlan-view] display ap all
All AP information(Normal-3,UnNormal-0):
------------------------------------------------------------------------------
AP   AP             AP               Profile   AP       AP
                                     /Region
ID   Type           MAC              ID        State    Sysname
------------------------------------------------------------------------------
1    AP6010DN-AGN   0046-4b59-1ee0   0/10      normal   ap-1
2    AP6010DN-AGN   0046-4b59-1d20   0/10      normal   ap-2
3    AP6010DN-AGN   0046-4b59-1d40   0/10      normal   ap-3
------------------------------------------------------------------------------
Total number: 3
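Both calibration examples end with a manual check of display output: the partial calibration example expects Calibrate switch to read enable and Calibrate interval(min) to read 600 in display radio-profile name radio, and this example expects display ap all to list every AP as normal in AP region 10. The following Python turns those two checks into code. It is an added example, not part of the guide or of Huawei's tooling; the sample outputs are constructed from the guide's listings, the assumption that the AP table is whitespace-separated with six columns is the example's own, and it additionally flags any AP registered on the AC that is not in your inventory, which is the check a practitioner wants when APs are admitted by MAC address.

```python
"""Checks for the verification steps of the two calibration examples (added example).

Not part of the guide or of Huawei's tooling. It parses the text printed by
'display radio-profile name radio' and 'display ap all', as reproduced in the
guide, and turns the checks the examples describe into functions that return
a list of problems (empty means the check passed). The sample outputs are
constructed from the guide's listings; that the AP table is whitespace
separated with six columns is an assumption.
"""
import re

# Constructed from the guide's 'display radio-profile name radio' listing (subset of fields).
RADIO_PROFILE_OUTPUT = """\
<AC> display radio-profile name radio
-----------------------------------------------------------------------
Profile ID                              : 1
Profile name                            : radio
Channel mode                            : auto
Power mode                              : auto
Calibrate interval(min)                 : 600
Interference detect switch              : disable
Calibrate switch                        : enable
Signal strength value(dbm)              : -80
-----------------------------------------------------------------------
"""

# Constructed from the guide's 'display ap all' listing.
AP_ALL_OUTPUT = """\
[AC-wlan-view] display ap all
All AP information(Normal-3,UnNormal-0):
------------------------------------------------------------------------------
AP   AP             AP               Profile   AP       AP
                                     /Region
ID   Type           MAC              ID        State    Sysname
------------------------------------------------------------------------------
1    AP6010DN-AGN   0046-4b59-1ee0   0/10      normal   ap-1
2    AP6010DN-AGN   0046-4b59-1d20   0/10      normal   ap-2
3    AP6010DN-AGN   0046-4b59-1d40   0/10      normal   ap-3
------------------------------------------------------------------------------
Total number: 3
"""

MAC_RE = re.compile(r"^[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}$")


def parse_key_values(output):
    """'Name : value' lines of a display command -> dict (first colon separates name and value)."""
    fields = {}
    for line in output.splitlines():
        m = re.match(r"^\s*(.+?)\s*:\s*(.*?)\s*$", line)
        if m:
            fields[m.group(1)] = m.group(2)
    return fields


def check_calibration(output, expected_interval=600):
    """Problems with the radio profile's calibration settings; empty list means it matches."""
    f = parse_key_values(output)
    problems = []
    if f.get("Calibrate switch") != "enable":
        problems.append("Calibrate switch is %r, expected enable" % f.get("Calibrate switch"))
    if f.get("Calibrate interval(min)") != str(expected_interval):
        problems.append("Calibrate interval(min) is %r, expected %d"
                        % (f.get("Calibrate interval(min)"), expected_interval))
    return problems


def parse_ap_all(output):
    """Rows of 'display ap all' -> list of dicts. Rows sit between the 2nd and 3rd dashed lines."""
    aps, dashed = [], 0
    for line in output.splitlines():
        if line.startswith("----"):
            dashed += 1
            continue
        parts = line.split()
        if dashed != 2 or len(parts) != 6 or not MAC_RE.match(parts[2]):
            continue
        profile, region = parts[3].split("/")
        aps.append({"id": int(parts[0]), "type": parts[1], "mac": parts[2],
                    "profile": int(profile), "region": int(region),
                    "state": parts[4], "sysname": parts[5]})
    return aps


def check_aps(output, expected_macs, region=10):
    """Every inventoried AP must be normal and in the region; nothing else may be registered."""
    seen = {ap["mac"]: ap for ap in parse_ap_all(output)}
    problems = []
    for mac in expected_macs:
        ap = seen.get(mac)
        if ap is None:
            problems.append("%s: not listed (not powered on, wrong MAC, or failed AP authentication)" % mac)
        elif ap["state"] != "normal":
            problems.append("%s: state %s" % (mac, ap["state"]))
        elif ap["region"] != region:
            problems.append("%s: in region %d, expected %d" % (mac, ap["region"], region))
    for mac in seen:
        if mac not in expected_macs:
            problems.append("%s: registered on the AC but not in the inventory" % mac)
    return problems


if __name__ == "__main__":
    inventory = ["0046-4b59-1ee0", "0046-4b59-1d20", "0046-4b59-1d40"]
    print(check_calibration(RADIO_PROFILE_OUTPUT), check_aps(AP_ALL_OUTPUT, inventory))
```

Feed the functions the saved output of the two commands; an empty problem list from each means the example's verification step passed.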

Step 6 Configure WLAN service parameters.


# Create a WMM profile named wmm and retain the default settings in the profile.
[AC-wlan-view] wmm-profile name wmm id 1
[AC-wlan-wmm-prof-wmm] quit

# Create a radio profile named radio and bind the WMM profile wmm to the radio profile.
[AC-wlan-view] radio-profile name radio id 1
[AC-wlan-radio-prof-radio] wmm-profile name wmm
[AC-wlan-radio-prof-radio] quit
[AC-wlan-view] quit

# Create WLAN-ESS interface 1.


NOTE

To enable the AC to allocate IP addresses to STAs, run the dhcp enable command on the WLAN-ESS
interface to enable DHCP on the AC.
[AC] interface wlan-ess 1
[AC-WLAN-ESS1] dhcp enable
[AC-WLAN-ESS1] port link-type hybrid
[AC-WLAN-ESS1] port hybrid pvid vlan 101
[AC-WLAN-ESS1] port hybrid untagged vlan 101
[AC-WLAN-ESS1] quit

# Create a security profile named security and retain the default settings: open system
authentication and no encryption. An open SSID is acceptable only for this lab example; before
deploying in production, configure authentication and encryption in the security profile so that
STA traffic is not sent in the clear.
[AC] wlan
[AC-wlan-view] security-profile name security id 1
[AC-wlan-sec-prof-security] quit

# Create a traffic profile named traffic and retain the default settings in the profile.
[AC-wlan-view] traffic-profile name traffic id 1
[AC-wlan-traffic-prof-traffic] quit

# Create a service set named test and bind the WLAN-ESS interface, security profile, and traffic
profile to the service set.
[AC-wlan-view] service-set name test id 1
[AC-wlan-service-set-test] ssid test
[AC-wlan-service-set-test] wlan-ess 1
[AC-wlan-service-set-test] security-profile name security
[AC-wlan-service-set-test] traffic-profile name traffic
[AC-wlan-service-set-test] service-vlan 101
[AC-wlan-service-set-test] forward-mode tunnel
[AC-wlan-service-set-test] quit

# Configure VAPs.
[AC-wlan-view] ap 1 radio 0
[AC-wlan-radio-1/0] radio-profile name radio
Warning: Modify the Radio type may cause some parameters of Radio resume defaul
t value, are you sure to continue?[Y/N]:y
[AC-wlan-radio-1/0] service-set name test
[AC-wlan-radio-1/0] quit
[AC-wlan-view] ap 2 radio 0
[AC-wlan-radio-2/0] radio-profile name radio
Warning: Modify the Radio type may cause some parameters of Radio resume defaul
t value, are you sure to continue?[Y/N]:y
[AC-wlan-radio-2/0] service-set name test
[AC-wlan-radio-2/0] quit
[AC-wlan-view] ap 3 radio 0
[AC-wlan-radio-3/0] radio-profile name radio
Warning: Modify the Radio type may cause some parameters of Radio resume defaul
t value, are you sure to continue?[Y/N]:y
[AC-wlan-radio-3/0] service-set name test
[AC-wlan-radio-3/0] quit

# Commit the configuration.
[AC-wlan-view] commit ap 1
Warning: Committing configuration may cause service interruption,continue?[Y/N]y
[AC-wlan-view] commit ap 2
Warning: Committing configuration may cause service interruption,continue?[Y/N]y
[AC-wlan-view] commit ap 3
Warning: Committing configuration may cause service interruption,continue?[Y/N]y

Step 7 Configure global radio calibration.


<AC> system-view
[AC] wlan
[AC-wlan-view] calibrate startup region 10

Step 8 Verify the configuration.


l After the preceding configuration is complete, the AC begins to adjust the channels and power
of the three APs to ensure that the APs work at optimal performance.
l STAs can connect to the WLAN with SSID test.
----End

Configuration Files
l Configuration file of the AC wired side


#
sysname AC-LSW
#
vlan batch 100 to 101
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100

#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/4
port link-type trunk
port trunk allow-pass vlan 101
#
interface XGigabitEthernet0/0/27
port link-type trunk
port trunk allow-pass vlan 100 to 101
#
return

l Configuration file of the AC wireless side


#
sysname AC
#
vlan batch 100 to 101
#
dhcp enable
#
wlan ac-global carrier id other ac id 1
#
interface Vlanif100
ip address 192.168.10.1 255.255.255.0
dhcp select interface
#
interface Vlanif101
ip address 192.168.11.1 255.255.255.0
dhcp select interface
#
interface XGigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100 to 101
#
interface WLAN-ESS1
port hybrid pvid vlan 101
port hybrid untagged vlan 101
dhcp enable
#
wlan
wlan ac source interface vlanif100
ap-region id 10
ap id 1 type-id 19 mac 0046-4b59-1ee0 sn 190901007618
region-id 10
ap id 2 type-id 19 mac 0046-4b59-1d20 sn 190901007619
region-id 10
ap id 3 type-id 19 mac 0046-4b59-1d40 sn 190901007620
region-id 10
wmm-profile name wmm id 1
traffic-profile name traffic id 1
security-profile name security id 1
service-set name test id 1
forward-mode tunnel
wlan-ess 1
ssid test
traffic-profile id 1
security-profile id 1
service-vlan 101
radio-profile name radio id 1
wmm-profile id 1
ap 1 radio 0
radio-profile id 1
service-set id 1 wlan 1
ap 2 radio 0
radio-profile id 1
service-set id 1 wlan 1
ap 3 radio 0
radio-profile id 1
service-set id 1 wlan 1
#
return

Example for Configuring Session-based Static Load Balancing


Networking Requirements
As shown in Figure 12-31, AP1 and AP2 connect to the AC and join AP region 10.
When a large number of STAs access the Internet through the same AP, the AP is heavily loaded,
reducing WLAN service quality. The enterprise wants STAs to be balanced on the two APs to
prevent one AP from being heavily loaded.
Figure 12-31 Networking for configuring session-based static load balancing
[Figure: AP1 and AP2 connect to the AC through GE0/0/1 and GE0/0/2 (VLAN 100); the AC connects
to the Internet through GE0/0/3 (VLAN 101). STA1 to STA4 are within the coverage of the two APs.
Management VLAN: VLAN 100. Service VLAN: VLAN 101. AP region ID: 10.]

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure the WLAN service so that users can connect to the Internet through the WLAN.
2. Configure session-based static load balancing to prevent new STAs from associating with
heavily-loaded APs.
NOTE

The AC6605 has the wired side and wireless side. XGE0/0/27 connects the wired side to the wireless side
and XGE0/0/1 connects the wireless side to the wired side. For details about the login modes on the wired
side and wireless side, see 11.1 Configuring User Login.

Procedure
Step 1 Configure the AC wired side and wireless side so that the APs and AC can transmit CAPWAP
packets.
# Configure the AC wired side: add wired-side interfaces GE0/0/1 and GE0/0/2 to management
VLAN 100, and add XGE0/0/27 that connects the wired side to the wireless side to the same
VLAN.
NOTE

In this example, tunnel forwarding is used. If direct forwarding is used, configure port isolation on GE0/0/1 and
GE0/0/2 that connect the AC wired side to the APs. If port isolation is not configured, many broadcast packets
will be transmitted in the VLANs or WLAN users on different APs can directly communicate at Layer 2.
<Quidway> system-view
[Quidway] sysname AC-LSW
[AC-LSW] vlan batch 100
[AC-LSW] interface gigabitethernet 0/0/1
[AC-LSW-GigabitEthernet0/0/1] port link-type trunk
[AC-LSW-GigabitEthernet0/0/1] port trunk pvid vlan 100
[AC-LSW-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[AC-LSW-GigabitEthernet0/0/1] quit
[AC-LSW] interface gigabitethernet 0/0/2
[AC-LSW-GigabitEthernet0/0/2] port link-type trunk
[AC-LSW-GigabitEthernet0/0/2] port trunk pvid vlan 100
[AC-LSW-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[AC-LSW-GigabitEthernet0/0/2] quit
[AC-LSW] interface xgigabitethernet 0/0/27
[AC-LSW-XGigabitEthernet0/0/27] port link-type trunk
[AC-LSW-XGigabitEthernet0/0/27] port trunk allow-pass vlan 100
[AC-LSW-XGigabitEthernet0/0/27] quit

# Add XGE0/0/1 that connects the AC wireless side to the wired side to VLAN 100.
<Quidway> system-view
[Quidway] sysname AC
[AC] vlan batch 100
[AC] interface xgigabitethernet 0/0/1
[AC-XGigabitEthernet0/0/1] port link-type trunk
[AC-XGigabitEthernet0/0/1] port trunk allow-pass vlan 100
[AC-XGigabitEthernet0/0/1] quit

Step 2 Configure the AC to communicate with the upstream device.


# Add XGE0/0/1 that connects the AC wireless side to the wired side to service VLAN 101.
[AC] vlan batch 101
[AC] interface xgigabitethernet 0/0/1
[AC-XGigabitEthernet0/0/1] port link-type trunk
[AC-XGigabitEthernet0/0/1] port trunk allow-pass vlan 101
[AC-XGigabitEthernet0/0/1] quit

# Add XGE0/0/27 that connects the AC wired side to the wireless side and AC uplink interface
GE0/0/3 to VLAN 101.
[AC-LSW] vlan batch 101
[AC-LSW] interface xgigabitethernet 0/0/27

[AC-LSW-XGigabitEthernet0/0/27] port link-type trunk


[AC-LSW-XGigabitEthernet0/0/27] port trunk allow-pass vlan 101
[AC-LSW-XGigabitEthernet0/0/27] quit
[AC-LSW] interface gigabitethernet 0/0/3
[AC-LSW-GigabitEthernet0/0/3] port link-type trunk
[AC-LSW-GigabitEthernet0/0/3] port trunk allow-pass vlan 101
[AC-LSW-GigabitEthernet0/0/3] quit

Step 3 Configure the AC as a DHCP server to allocate IP addresses to STAs and APs.
# Configure a DHCP server to assign IP addresses to the APs from the IP address pool on
VLANIF 100 and assign IP addresses to STAs from the IP address pool on VLANIF 101.
[AC] dhcp enable
[AC] interface vlanif 100
[AC-Vlanif100] ip address 192.168.10.1 24
[AC-Vlanif100] dhcp select interface
[AC-Vlanif100] quit
[AC] interface vlanif 101
[AC-Vlanif101] ip address 192.168.11.1 24
[AC-Vlanif101] dhcp select interface
[AC-Vlanif101] quit

Step 4 Configure AC system parameters.


# Configure the country code.
[AC] wlan ac-global country-code cn

# Configure the AC ID and carrier ID.


[AC] wlan ac-global ac id 1 carrier id other

# Configure the source interface.


[AC] wlan
[AC-wlan-view] wlan ac source interface vlanif 100

Step 5 Manage APs on the AC.


# Check the AP type IDs after obtaining the MAC addresses of the APs.
[AC-wlan-view] display ap-type all
All AP types information:
------------------------------------------------------------------------------
ID        Type
------------------------------------------------------------------------------
0         WA601
1         WA631
6         WA603SN
7         WA603DN
8         WA633SN
11        WA603DE
12        WA653DE
14        WA653SN
17        AP6010SN-GN
19        AP6010DN-AGN
21        AP6310SN-GN
23        AP6510DN-AGN
25        AP6610DN-AGN
27        AP7110SN-GN
28        AP7110DN-AGN
29        AP5010SN-GN
30        AP5010DN-AGN
31        AP3010DN-AGN
33        AP6510DN-AGN-US
34        AP6610DN-AGN-US
------------------------------------------------------------------------------
Total number: 20


# Add the APs offline based on the AP type ID. Assume that the type of AP1 and AP2 is
AP6010DN-AGN, and their MAC addresses are 0046-4b59-1ee0 and 0046-4b59-1d20
respectively.
[AC-wlan-view] ap-auth-mode mac-auth
[AC-wlan-view] ap id 1 type-id 19 mac 0046-4b59-1ee0
[AC-wlan-ap-1] quit
[AC-wlan-view] ap id 2 type-id 19 mac 0046-4b59-1d20
[AC-wlan-ap-2] quit

NOTE

The default AP authentication mode is MAC address authentication. If the default settings are retained, you do
not need to run the ap-auth-mode mac-auth command.

# Configure an AP region and add the APs to the AP region.


[AC-wlan-view] ap-region id 10
[AC-wlan-ap-region-10] quit
[AC-wlan-view] ap id 1
[AC-wlan-ap-1] region-id 10
[AC-wlan-ap-1] quit
[AC-wlan-view] ap id 2
[AC-wlan-ap-2] region-id 10
[AC-wlan-ap-2] quit

# After powering on AP1 and AP2, run the display ap all command on the AC to check the AP
running status. The command output shows that the AP status is normal.
[AC-wlan-view] display ap all
All AP information(Normal-2,UnNormal-0):
------------------------------------------------------------------------------
AP   AP             AP              Profile    AP       AP
ID   Type           MAC             /Region    State    Sysname
                                    ID
------------------------------------------------------------------------------
1    AP6010DN-AGN   0046-4b59-1ee0  0/10       normal   ap-1
2    AP6010DN-AGN   0046-4b59-1d20  0/10       normal   ap-2
------------------------------------------------------------------------------
Total number: 2

Step 6 Configure WLAN service parameters.


# Create a WMM profile named wmm and retain the default settings in the profile.
[AC-wlan-view] wmm-profile name wmm id 1
[AC-wlan-wmm-prof-wmm] quit

# Create a radio profile named radio and bind the WMM profile wmm to the radio profile.
[AC-wlan-view] radio-profile name radio id 1
[AC-wlan-radio-prof-radio] channel-mode fixed
[AC-wlan-radio-prof-radio] wmm-profile name wmm
[AC-wlan-radio-prof-radio] quit
[AC-wlan-view] quit

# Create WLAN-ESS interface 1.


NOTE

To enable the AC to allocate IP addresses to STAs, run the dhcp enable command on the WLAN-ESS
interface to enable DHCP on the AC.
[AC] interface wlan-ess 1
[AC-WLAN-ESS1] dhcp enable
[AC-WLAN-ESS1] port link-type hybrid
[AC-WLAN-ESS1] port hybrid pvid vlan 101
[AC-WLAN-ESS1] port hybrid untagged vlan 101
[AC-WLAN-ESS1] quit


# Create a security profile named security and retain the default settings: open system
authentication and no encryption.
[AC] wlan
[AC-wlan-view] security-profile name security id 1
[AC-wlan-sec-prof-security] quit

# Create a traffic profile named traffic and retain the default settings in the profile.
[AC-wlan-view] traffic-profile name traffic id 1
[AC-wlan-traffic-prof-traffic] quit

# Create a service set named test and bind the WLAN-ESS interface, security profile, and traffic
profile to the service set.
[AC-wlan-view] service-set name test id 1
[AC-wlan-service-set-test] ssid test
[AC-wlan-service-set-test] wlan-ess 1
[AC-wlan-service-set-test] security-profile name security
[AC-wlan-service-set-test] traffic-profile name traffic
[AC-wlan-service-set-test] service-vlan 101
[AC-wlan-service-set-test] forward-mode tunnel
[AC-wlan-service-set-test] quit

# Configure VAPs.
[AC-wlan-view] ap 1 radio 0
[AC-wlan-radio-1/0] radio-profile name radio
Warning: Modify the Radio type may cause some parameters of Radio resume defaul
t value, are you sure to continue?[Y/N]:y
[AC-wlan-radio-1/0] channel 20mhz 1
[AC-wlan-radio-1/0] service-set name test
[AC-wlan-radio-1/0] quit
[AC-wlan-view] ap 2 radio 0
[AC-wlan-radio-2/0] radio-profile name radio
Warning: Modify the Radio type may cause some parameters of Radio resume defaul
t value, are you sure to continue?[Y/N]:y
[AC-wlan-radio-2/0] channel 20mhz 6
[AC-wlan-radio-2/0] service-set name test
[AC-wlan-radio-2/0] quit

# Commit the configuration.


[AC-wlan-view] commit ap 1
Warning: Committing configuration may cause service interruption,continue?[Y/N]y
[AC-wlan-view] commit ap 2
Warning: Committing configuration may cause service interruption,continue?[Y/N]y

Step 7 Configure a load balancing group, add AP1 and AP2 to the load balancing group, and set the
load balancing mode of the group to session-based load balancing.
[AC-wlan-view] load-balance-group name huawei
[AC-wlan-load-group-huawei] member ap-id 1 radio-id 0
[AC-wlan-load-group-huawei] member ap-id 2 radio-id 0
[AC-wlan-load-group-huawei] session gap 5
[AC-wlan-load-group-huawei] associate-threshold 10
[AC-wlan-load-group-huawei] quit

Step 8 Verify the configuration.


l After the preceding configuration is complete, STAs can discover the WLAN with SSID
test.
l When a new STA requests to access the Internet through an AP, the AC uses a static load
balancing algorithm to determine whether to allow access from the STA. If the load difference
between the APs is larger than 5%, the AC rejects the association request of the STA. If the
STA continues sending association requests to the AP for more than 10 times, the AC allows
the STA to associate with the AP.
----End

Configuration Files
l Configuration file of the AC wired side

#
sysname AC-LSW
#
vlan batch 100 to 101
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk allow-pass vlan 101
#
interface XGigabitEthernet0/0/27
port link-type trunk
port trunk allow-pass vlan 100 to 101
#
return

l Configuration file of the AC wireless side


#
sysname AC
#
vlan batch 100 to 101
#
dhcp enable
#
wlan ac-global carrier id other ac id 1
#
interface Vlanif100
ip address 192.168.10.1 255.255.255.0
dhcp select interface
#
interface Vlanif101
ip address 192.168.11.1 255.255.255.0
dhcp select interface
#
interface XGigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100 to 101
#
interface WLAN-ESS1
port hybrid pvid vlan 101
port hybrid untagged vlan 101
dhcp enable
#
wlan
wlan ac source interface vlanif100
ap-region id 10
ap id 1 type-id 19 mac 0046-4b59-1ee0 sn 190901007618
region-id 10
ap id 2 type-id 19 mac 0046-4b59-1d20 sn 190901007619
region-id 10
wmm-profile name wmm id 1
traffic-profile name traffic id 1
security-profile name security id 1
service-set name test id 1
forward-mode tunnel
wlan-ess 1
ssid test
traffic-profile id 1
security-profile id 1
service-vlan 101
radio-profile name radio id 1
channel-mode fixed
wmm-profile id 1
ap 1 radio 0
radio-profile id 1
channel 20MHz 1
service-set id 1 wlan 1
ap 2 radio 0
radio-profile id 1
channel 20MHz 6
service-set id 1 wlan 1
load-balance-group name huawei id 1
associate-threshold 10
session gap 5
member ap-id 1 radio-id 0
member ap-id 2 radio-id 0
#
return

Example for Configuring Traffic-based Dynamic Load Balancing


Networking Requirements
As shown in Figure 12-32, AP1 and AP2 connecting to the AC are dual-band APs and join AP
region 10. STAs in AP region 10 support 2.4 GHz and 5 GHz frequency bands. Both 2.4 GHz
and 5 GHz WLANs need to be deployed in AP region 10.
When a large number of STAs access the Internet through the same AP, the AP is heavily loaded,
reducing WLAN service quality. The enterprise wants STAs to be balanced on the two APs to
prevent one AP from being heavily loaded.


Figure 12-32 Networking for configuring traffic-based dynamic load balancing
[Figure: the AC reaches the Internet through uplink GE0/0/3 (VLAN101); GE0/0/1 and GE0/0/2 (VLAN100) connect the AC to AP1 and AP2, which serve STA1 to STA4. Management VLAN: VLAN100. Service VLAN: VLAN101. AP region ID: 10]

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure the WLAN service so that users can connect to the Internet through the WLAN.
2. Configure traffic-based dynamic load balancing to prevent new STAs from associating
with heavily-loaded APs.
NOTE

The AC6605 has the wired side and wireless side. XGE0/0/27 connects the wired side to the wireless side
and XGE0/0/1 connects the wireless side to the wired side. For details about the login modes on the wired
side and wireless side, see 11.1 Configuring User Login.

Procedure
Step 1 Configure the AC wired side and wireless side so that the APs and AC can transmit CAPWAP
packets.
# Configure the AC wired side: add wired-side interfaces GE0/0/1 and GE0/0/2 to management
VLAN 100, and add XGE0/0/27 that connects the wired side to the wireless side to the same
VLAN.


NOTE

In this example, tunnel forwarding is used. If direct forwarding is used, configure port isolation on GE0/0/1 and
GE0/0/2 that connect the AC wired side to the APs. If port isolation is not configured, many broadcast packets
will be transmitted in the VLANs or WLAN users on different APs can directly communicate at Layer 2.
<Quidway> system-view
[Quidway] sysname AC-LSW
[AC-LSW] vlan batch 100
[AC-LSW] interface gigabitethernet 0/0/1
[AC-LSW-GigabitEthernet0/0/1] port link-type trunk
[AC-LSW-GigabitEthernet0/0/1] port trunk pvid vlan 100
[AC-LSW-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[AC-LSW-GigabitEthernet0/0/1] quit
[AC-LSW] interface gigabitethernet 0/0/2
[AC-LSW-GigabitEthernet0/0/2] port link-type trunk
[AC-LSW-GigabitEthernet0/0/2] port trunk pvid vlan 100
[AC-LSW-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[AC-LSW-GigabitEthernet0/0/2] quit
[AC-LSW] interface xgigabitethernet 0/0/27
[AC-LSW-XGigabitEthernet0/0/27] port link-type trunk
[AC-LSW-XGigabitEthernet0/0/27] port trunk allow-pass vlan 100
[AC-LSW-XGigabitEthernet0/0/27] quit

# Add XGE0/0/1 that connects the AC wireless side to the wired side to VLAN 100.
<Quidway> system-view
[Quidway] sysname AC
[AC] vlan batch 100
[AC] interface xgigabitethernet 0/0/1
[AC-XGigabitEthernet0/0/1] port link-type trunk
[AC-XGigabitEthernet0/0/1] port trunk allow-pass vlan 100
[AC-XGigabitEthernet0/0/1] quit

Step 2 Configure the AC to communicate with the upstream device.


# Add XGE0/0/1 that connects the AC wireless side to the wired side to service VLAN 101.
[AC] vlan batch 101
[AC] interface xgigabitethernet 0/0/1
[AC-XGigabitEthernet0/0/1] port link-type trunk
[AC-XGigabitEthernet0/0/1] port trunk allow-pass vlan 101
[AC-XGigabitEthernet0/0/1] quit

# Add XGE0/0/27 that connects the AC wired side to the wireless side and AC uplink interface
GE0/0/3 to VLAN 101.
[AC-LSW] vlan batch 101
[AC-LSW] interface xgigabitethernet 0/0/27
[AC-LSW-XGigabitEthernet0/0/27] port link-type trunk
[AC-LSW-XGigabitEthernet0/0/27] port trunk allow-pass vlan 101
[AC-LSW-XGigabitEthernet0/0/27] quit
[AC-LSW] interface gigabitethernet 0/0/3
[AC-LSW-GigabitEthernet0/0/3] port link-type trunk
[AC-LSW-GigabitEthernet0/0/3] port trunk allow-pass vlan 101
[AC-LSW-GigabitEthernet0/0/3] quit

Step 3 Configure the AC as a DHCP server to allocate IP addresses to STAs and APs.
# Configure a DHCP server to assign IP addresses to the APs from the IP address pool on
VLANIF 100 and assign IP addresses to STAs from the IP address pool on VLANIF 101.
[AC] dhcp enable
[AC] interface vlanif 100
[AC-Vlanif100] ip address 192.168.10.1 24
[AC-Vlanif100] dhcp select interface
[AC-Vlanif100] quit
[AC] interface vlanif 101
[AC-Vlanif101] ip address 192.168.11.1 24
[AC-Vlanif101] dhcp select interface
[AC-Vlanif101] quit

Step 4 Configure AC system parameters.


# Configure the country code.
[AC] wlan ac-global country-code cn

# Configure the AC ID and carrier ID.


[AC] wlan ac-global ac id 1 carrier id other

# Configure the source interface.


[AC] wlan
[AC-wlan-view] wlan ac source interface vlanif 100

Step 5 Manage APs on the AC.


# Check the AP type IDs after obtaining the MAC addresses of the APs.
[AC-wlan-view] display ap-type all
All AP types information:
------------------------------------------------------------------------------
ID        Type
------------------------------------------------------------------------------
0         WA601
1         WA631
6         WA603SN
7         WA603DN
8         WA633SN
11        WA603DE
12        WA653DE
14        WA653SN
17        AP6010SN-GN
19        AP6010DN-AGN
21        AP6310SN-GN
23        AP6510DN-AGN
25        AP6610DN-AGN
27        AP7110SN-GN
28        AP7110DN-AGN
29        AP5010SN-GN
30        AP5010DN-AGN
31        AP3010DN-AGN
33        AP6510DN-AGN-US
34        AP6610DN-AGN-US
------------------------------------------------------------------------------
Total number: 20

# Add the APs offline based on the AP type ID. Assume that the type of AP1 and AP2 is
AP6010DN-AGN, and their MAC addresses are 0046-4b59-1ee0 and 0046-4b59-1d20
respectively.
[AC-wlan-view] ap-auth-mode mac-auth
[AC-wlan-view] ap id 1 type-id 19 mac 0046-4b59-1ee0
[AC-wlan-ap-1] quit
[AC-wlan-view] ap id 2 type-id 19 mac 0046-4b59-1d20
[AC-wlan-ap-2] quit

NOTE

The default AP authentication mode is MAC address authentication. If the default settings are retained, you do
not need to run the ap-auth-mode mac-auth command.

# Configure an AP region and add the APs to the AP region.


[AC-wlan-view] ap-region id 10
[AC-wlan-ap-region-10] quit
[AC-wlan-view] ap id 1
[AC-wlan-ap-1] region-id 10
[AC-wlan-ap-1] quit
[AC-wlan-view] ap id 2
[AC-wlan-ap-2] region-id 10
[AC-wlan-ap-2] quit

# After powering on AP1 and AP2, run the display ap all command on the AC to check the AP
running status. The command output shows that the AP status is normal.
[AC-wlan-view] display ap all
All AP information(Normal-2,UnNormal-0):
------------------------------------------------------------------------------
AP   AP             AP              Profile    AP       AP
ID   Type           MAC             /Region    State    Sysname
                                    ID
------------------------------------------------------------------------------
1    AP6610DN-AGN   0046-4b59-1ee0  0/10       normal   ap-1
2    AP6610DN-AGN   0046-4b59-1d20  0/10       normal   ap-2
------------------------------------------------------------------------------
Total number: 2

Step 6 Configure WLAN service parameters.


# Create a WMM profile named wmm and retain the default settings in the profile.
[AC-wlan-view] wmm-profile name wmm id 1
[AC-wlan-wmm-prof-wmm] quit

# Create a radio profile named radio, set the radio type to 802.11n, and bind the WMM profile
wmm to the radio profile.
[AC-wlan-view] radio-profile name radio id 1
[AC-wlan-radio-prof-radio] radio-type 80211n
Warning: Modify the Radio type may cause some parameters of Radio resume defaul
t value, are you sure to continue?[Y/N]:y
[AC-wlan-radio-prof-radio] 80211n guard-interval-mode short
[AC-wlan-radio-prof-radio] channel-mode fixed
[AC-wlan-radio-prof-radio] wmm-profile name wmm
[AC-wlan-radio-prof-radio] quit
[AC-wlan-view] quit

# Create WLAN-ESS interface 1.


NOTE

To enable the AC to allocate IP addresses to STAs, run the dhcp enable command on the WLAN-ESS
interface to enable DHCP on the AC.
[AC] interface wlan-ess 1
[AC-WLAN-ESS1] dhcp enable
[AC-WLAN-ESS1] port link-type hybrid
[AC-WLAN-ESS1] port hybrid pvid vlan 101
[AC-WLAN-ESS1] port hybrid untagged vlan 101
[AC-WLAN-ESS1] quit

# Create a security profile named security and retain the default settings: open system
authentication and no encryption.
[AC] wlan
[AC-wlan-view] security-profile name security id 1
[AC-wlan-sec-prof-security] quit

# Create a traffic profile named traffic and retain the default settings in the profile.
[AC-wlan-view] traffic-profile name traffic id 1
[AC-wlan-traffic-prof-traffic] quit

# Create a service set named test and bind the WLAN-ESS interface, security profile, and traffic
profile to the service set.

[AC-wlan-view] service-set name test id 1
[AC-wlan-service-set-test] ssid test
[AC-wlan-service-set-test] wlan-ess 1
[AC-wlan-service-set-test] security-profile name security
[AC-wlan-service-set-test] traffic-profile name traffic
[AC-wlan-service-set-test] service-vlan 101
[AC-wlan-service-set-test] forward-mode tunnel
[AC-wlan-service-set-test] quit

# Configure VAPs.
[AC-wlan-view] ap 1 radio 0
[AC-wlan-radio-1/0] radio-profile name radio
Warning: Modify the Radio type may cause some parameters of Radio resume defaul
t value, are you sure to continue?[Y/N]:y
[AC-wlan-radio-1/0] channel 20mhz 1
[AC-wlan-radio-1/0] service-set name test
[AC-wlan-radio-1/0] quit
[AC-wlan-view] ap 1 radio 1
[AC-wlan-radio-1/1] radio-profile name radio
Warning: Modify the Radio type may cause some parameters of Radio resume defaul
t value, are you sure to continue?[Y/N]:y
[AC-wlan-radio-1/1] channel 40mhz-plus 157
[AC-wlan-radio-1/1] service-set name test
[AC-wlan-radio-1/1] quit
[AC-wlan-view] ap 2 radio 0
[AC-wlan-radio-2/0] radio-profile name radio
Warning: Modify the Radio type may cause some parameters of Radio resume defaul
t value, are you sure to continue?[Y/N]:y
[AC-wlan-radio-2/0] channel 20mhz 6
[AC-wlan-radio-2/0] service-set name test
[AC-wlan-radio-2/0] quit
[AC-wlan-view] ap 2 radio 1
[AC-wlan-radio-2/1] radio-profile name radio
Warning: Modify the Radio type may cause some parameters of Radio resume defaul
t value, are you sure to continue?[Y/N]:y
[AC-wlan-radio-2/1] channel 40mhz-plus 149
[AC-wlan-radio-2/1] service-set name test
[AC-wlan-radio-2/1] quit

# Commit the configuration.


[AC-wlan-view] commit ap 1
Warning: Committing configuration may cause service interruption,continue?[Y/N]y
[AC-wlan-view] commit ap 2
Warning: Committing configuration may cause service interruption,continue?[Y/N]y

Step 7 Configure dynamic load balancing.


[AC-wlan-view] sta-load-balance enable
[AC-wlan-view] sta-load-balance mode traffic
[AC-wlan-view] sta-load-balance traffic gap 25
[AC-wlan-view] sta-load-balance associate-threshold 10
[AC-wlan-view] quit

Step 8 Verify the configuration.


l After the preceding configuration is complete, STAs can discover the WLAN with SSID
test.
l You can run the display sta-load-balance config command on the AC to check the dynamic
load balancing configuration.
<AC> display sta-load-balance config
Sta-load-balance config:
------------------------------------------------------------------------------
Sta-load-balance enable                   : Yes
Sta-load-balance mode                     : Traffic
Sta-load-balance session gap threshold    : 4
Sta-load-balance traffic gap threshold    : 25
Sta-load-balance associate threshold      : 10
------------------------------------------------------------------------------

l If a new STA requests to connect to one of the four VAPs in AP region 10, the AC uses a
dynamic load balancing algorithm to determine whether to allow access from the STA. If
the load difference between the requested VAP and the lowest load is larger than 25%, the
AC rejects the association request of the STA. If the STA continues sending association
requests to the VAP for more than 10 times, the AC allows the STA to associate with the
VAP.
----End
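The admission rule stated in the verification steps of both examples above (static session-based balancing with session gap 5, and dynamic traffic-based balancing with traffic gap 25, each with associate-threshold 10) can be modelled to see how the gap and the threshold interact. The Python below is an added illustration and not Huawei code: the member names, load and capacity figures and STA MAC addresses are constructed, and expressing load as a percentage of a per-member capacity is an assumption, because the page does not state how the AC measures load.

```python
from dataclasses import dataclass, field


@dataclass
class Member:
    """One radio (session mode) or VAP (traffic mode) the AC balances across.

    Constructed model: load is the current session count or measured traffic,
    capacity is the figure the load percentage is taken against (assumption:
    the page does not say how the AC normalises load).
    """
    name: str
    load: float
    capacity: float

    def percent(self) -> float:
        return 100.0 * self.load / self.capacity


@dataclass
class LoadBalancer:
    """Admission decision shared by both load-balancing modes on the page.

    mode       "session" (static group, first example) or "traffic" (dynamic,
               AP region, second example)
    gap        largest allowed load difference in percent (session gap 5 /
               traffic gap 25)
    threshold  associate-threshold: after more than this many rejected
               association attempts the STA is admitted anyway
    """
    mode: str
    gap: float
    threshold: int
    members: dict = field(default_factory=dict)   # name -> Member
    attempts: dict = field(default_factory=dict)  # STA MAC -> attempt count
    log: list = field(default_factory=list)

    def add_member(self, member: Member) -> None:
        self.members[member.name] = member

    def request(self, sta_mac: str, target: str) -> bool:
        """Process one association request; True means the STA may associate."""
        if target not in self.members:
            raise KeyError(f"{target} is not a member of the balancing group")
        lowest = min(m.percent() for m in self.members.values())
        diff = self.members[target].percent() - lowest
        count = self.attempts.get(sta_mac, 0) + 1
        self.attempts[sta_mac] = count
        overloaded = diff > self.gap
        if overloaded and count <= self.threshold:
            self.log.append(f"reject {sta_mac} on {target}: gap {diff:.2f}% > "
                            f"{self.gap}% (attempt {count}/{self.threshold})")
            return False
        why = ("attempts exceeded associate-threshold" if overloaded
               else f"gap {diff:.2f}% within {self.gap}%")
        self.log.append(f"accept {sta_mac} on {target}: {why}")
        self.attempts.pop(sta_mac, None)
        if self.mode == "session":
            self.members[target].load += 1  # the new association is one more session
        return True


def session_example() -> dict:
    """First example: load-balance-group with session gap 5, associate-threshold 10."""
    lb = LoadBalancer(mode="session", gap=5, threshold=10)
    lb.add_member(Member("ap1-radio0", load=20, capacity=64))  # 31.25 % loaded
    lb.add_member(Member("ap2-radio0", load=12, capacity=64))  # 18.75 % loaded
    sta = "0011-2233-4455"  # constructed STA MAC
    # Attempts 1..10 on the heavier radio are rejected (gap 12.5 % > 5 %);
    # the 11th is admitted because the STA kept retrying past the threshold.
    history = [lb.request(sta, "ap1-radio0") for _ in range(11)]
    # A STA that picks the lighter radio is admitted on its first attempt.
    other = lb.request("0011-2233-4466", "ap2-radio0")
    return {
        "history": history,
        "other": other,
        "ap1_sessions": lb.members["ap1-radio0"].load,
        "ap2_sessions": lb.members["ap2-radio0"].load,
        "log": lb.log,
    }


def traffic_example() -> dict:
    """Second example: the four VAPs of AP region 10, traffic gap 25, threshold 10."""
    lb = LoadBalancer(mode="traffic", gap=25, threshold=10)
    # Constructed loads in kbit/s against an assumed per-radio rate.
    lb.add_member(Member("ap1-radio0", load=32000, capacity=100000))  # 32 %
    lb.add_member(Member("ap1-radio1", load=12000, capacity=300000))  # 4 %
    lb.add_member(Member("ap2-radio0", load=6000, capacity=100000))   # 6 %
    lb.add_member(Member("ap2-radio1", load=60000, capacity=300000))  # 20 %
    return {
        "busy_vap": lb.request("0011-2233-4477", "ap1-radio0"),  # 32-4 = 28 > 25
        "mid_vap": lb.request("0011-2233-4488", "ap2-radio1"),   # 20-4 = 16, admitted
        "idle_vap": lb.request("0011-2233-4499", "ap1-radio1"),  # lowest load itself
        "log": lb.log,
    }


if __name__ == "__main__":
    for line in session_example()["log"] + traffic_example()["log"]:
        print(line)
```

As the page states, the threshold only delays an insistent STA: after more than 10 attempts the AC admits it to the loaded radio, so the feature protects service quality and does not act as an access control.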

Configuration Files
l Configuration file of the AC wired side


#
sysname AC-LSW
#
vlan batch 100 to 101
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk allow-pass vlan 101
#
interface XGigabitEthernet0/0/27
port link-type trunk
port trunk allow-pass vlan 100 to 101
#
return

l Configuration file of the AC wireless side


#
sysname AC
#
vlan batch 100 to 101
#
dhcp enable
#
wlan ac-global carrier id other ac id 1
#
interface Vlanif100
ip address 192.168.10.1 255.255.255.0
dhcp select interface
#
interface Vlanif101
ip address 192.168.11.1 255.255.255.0
dhcp select interface
#
interface XGigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100 to 101
#
interface WLAN-ESS1
port hybrid pvid vlan 101
port hybrid untagged vlan 101
dhcp enable
#
wlan
wlan ac source interface vlanif100
ap-region id 10
ap id 1 type-id 19 mac 0046-4b59-1ee0 sn 190901007618
region-id 10
ap id 2 type-id 19 mac 0046-4b59-1d20 sn 190901007619
region-id 10
wmm-profile name wmm id 1
traffic-profile name traffic id 1
security-profile name security id 1
sta-load-balance enable
sta-load-balance mode traffic
sta-load-balance traffic gap 25
sta-load-balance associate-threshold 10
service-set name test id 1
forward-mode tunnel
wlan-ess 1
ssid test
traffic-profile id 1
security-profile id 1
service-vlan 101
radio-profile name radio id 1
radio-type 80211n
channel-mode fixed
wmm-profile id 1
80211n guard-interval-mode short
ap 1 radio 0
radio-profile id 1
service-set id 1 wlan 1
channel 20MHz 1
ap 1 radio 1
radio-profile id 1
channel 40MHz-plus 157
service-set id 1 wlan 1
ap 2 radio 0
radio-profile id 1
channel 20MHz 6
service-set id 1 wlan 1
ap 2 radio 1
radio-profile id 1
channel 40MHz-plus 149
service-set id 1 wlan 1
#
return

12.5 WLAN Reliability Configuration


This chapter describes the WLAN reliability configuration, involving dual-link backup, service
holding upon CAPWAP link disconnection, and channel switching without service interruption.


12.5.1 Overview
WLAN users have increasing requirements on wireless service reliability, so WLAN reliability
has become a concern of carriers.
As WLAN technologies develop, a lot of users access the Internet through the WLAN. Reliability
is a major problem to be solved in WLAN transmission. Configuring WLAN reliability can
effectively reduce network faults or impacts of service interruption and improve the WLAN
service quality.

12.5.2 WLAN Reliability Features Supported by the Device


WLAN reliability involves dual-link backup, service holding upon CAPWAP link
disconnection, and channel switching without service interruption.

Dual-Link Backup
In the AC+Fit AP network architecture, the AC manages and controls WLAN services for
wireless users in a centralized manner. One AC usually controls hundreds of APs and over ten
thousand STAs. When a fault occurs on the AC or the link between the AC and AP fails, the
services of all users connected to the AC are interrupted. If dual-link backup is enabled, the
standby AC controls the WLAN services for wireless users when a fault occurs on the active
AC or the link between the active AC and AP fails. This ensures that services are not interrupted
or reduces service interruption time. The networking mode for dual-link backup can be 1+1 dual-link backup or N+1 link backup.
1+1 Dual-Link Backup
As shown in Figure 12-33, AC1 and AC2 provide dual links for STAs. AC1 is the active device,
serving AP1 and AP2. AC2 is the standby device. When the APs detect that AC1 fails, the
CAPWAP tunnels between APs and AC2 become the active tunnels, and AC2 becomes the
active AC. After AC1 recovers, it becomes the active AC or still functions as the standby AC
depending on the configuration.
Figure 12-33 1+1 Dual-link backup networking diagram
[Figure: AC1 and AC2 connect through a switch to AP1 and AP2, each serving STAs; each AP has an active CAPWAP link to AC1 and a standby CAPWAP link to AC2]

N+1 Link Backup


As shown in Figure 12-34, AC1 functions as the active AC for AP1, AC2 functions as the active
AC for AP2, and AC3 functions as the standby AC for AP1 and AP2. When AC1 or AC2 is
faulty, the data from AP1 or AP2 is switched to AC3, ensuring nonstop service transmission.
Figure 12-34 N+1 link backup networking diagram
[Figure: AC1, AC2 and AC3 connect through a switch to AP1 and AP2, each serving STAs; AP1 has a CAPWAP primary tunnel to AC1, AP2 has a CAPWAP primary tunnel to AC2, and both APs have a CAPWAP backup tunnel to AC3]

Service Holding Upon CAPWAP Link Disconnection


After the CAPWAP tunnel is established, the AP and AC periodically exchange echo and
keepalive packets to detect the connection status of the CAPWAP control and data tunnel. When
detecting a fault on the CAPWAP tunnel (physical Down or protocol Down), the AP switches
to the faulty state and stops forwarding packets. After the service holding function is enabled
and the direct forwarding mode is used, the AP can still forward data packets if the CAPWAP
tunnel is broken. Therefore, this function reduces loss for users and improves service reliability.
As shown in Figure 12-35, to reduce management and maintenance costs, some small- and
medium-sized enterprises deploy the AC at the headquarters to manage the APs and STAs in
branches. After service holding upon CAPWAP link disconnection is enabled in direct
forwarding mode, the online APs and STAs can still access the Internet and local network
resources if the AC is faulty.


Figure 12-35 Networking diagram for service holding upon CAPWAP link disconnection
[Figure: an AP in the enterprise branch, the Internet, a WAN, and the AC and NMS at the enterprise headquarters]

New User Access After CAPWAP Link Disconnection


The service holding function takes effect only for existing online users but not for new users.
New users are not allowed to go online when the CAPWAP link is broken.
When the function that allows new user access upon CAPWAP link disconnection is enabled,
the AP can still allow new users to go online and access all network resources that are available
before the CAPWAP link is broken. After the broken CAPWAP link is restored, the AP forces
all the STAs that go online when the CAPWAP link is broken to go offline and re-associate with
the AP and reports information about the STAs through logs.
NOTE

This function takes effect only when the WLAN uses open system authentication, pre-shared key
authentication, or WPA/WPA2-PSK authentication.
This function allows all the users that enter the correct key to go online. The STA whitelist and blacklist
configured on the AC do not take effect after the CAPWAP link is broken.

As shown in Figure 12-36, when the function that allows new user access upon CAPWAP link
disconnection is disabled, the STA association and key negotiation are performed between the
AC and STA. After this function is enabled, the STA authentication, association, and key
negotiation are performed between the AP and STA.

Figure 12-36 New user access after CAPWAP link disconnection (the AC connects to the Internet; a CAPWAP tunnel runs from the AC across the LAN to the AP; the STA associates with the AP)
(1) Authentication packet exchange between the STA and the AC when new user access after CAPWAP link disconnection is disabled
(2) Authentication packet exchange between the STA and the AP when new user access after CAPWAP link disconnection is enabled

Channel Switching Without Service Interruption


In some WLAN application scenarios, the AP channel needs to be changed. For example, when
radio calibration for the AP is implemented, the AP channel may be changed. When the AP
channel is changed, the services of users connected to the AP are interrupted, affecting service
usage. If channel switching without service interruption is enabled, the services of users
connected to the AP are not interrupted when the AP channel is switched.

12.5.3 Default Configuration

This section describes the default configuration of WLAN reliability.
Table 12-12 Default configuration of WLAN reliability

Parameter                                                    Default Setting
-----------------------------------------------------------  -------------------------------------------
Active/Standby AC priority in dual-link backup mode          Not configured
CAPWAP heartbeat interval in dual-link backup mode           25 seconds
Number of CAPWAP heartbeat packet transmissions in           3
dual-link backup mode
Global revertive switching in dual-link backup mode          Enabled
Service holding upon CAPWAP link disconnection               Disabled
Channel switchover announcement                              Disabled
Channel switchover announcement mode                         continue-transmitting (data transmission
                                                             continues on the current channel)
12.5.4 Configuring Dual-Link Backup


Context
Dual-link backup can be configured using either of the following methods:
l Global configuration: The dual-link backup parameters are configured in the AC's WLAN view and delivered to all APs except the specified APs. You can use this method to batch enable dual-link backup.
l AP-specific configuration: The active and standby ACs in dual-link backup mode are configured for the specified AP in the AC's AP view. You can use this method to configure the active and standby ACs for a single AP. AP-specific configuration takes precedence over global configuration on the AC.

CAUTION
When dual-link backup is configured, the WLAN service configuration of the AP connected to the active and standby ACs must be consistent on the two ACs. This covers the WMM profile, radio profile, radio, traffic profile, security profile, and security policies. Only WEP authentication (open system authentication or shared key authentication) can be configured. Because WEP provides no meaningful confidentiality and shared key authentication exposes the key to offline recovery, treat a dual-link backup WLAN in this release as an open network and apply access control to its service VLAN accordingly. If the configurations are inconsistent, the AP may not work properly after an active/standby switchover between ACs.

Pre-Configuration Tasks
Before configuring dual-link backup, complete the following task:
l Configuring basic WLAN services (For details, see 12.2 WLAN Service Configuration.)

Procedure
l Global configuration
1.

Run:
system-view

The system view is displayed.


2.

Run:
wlan

The WLAN view is displayed.


3.

Run:
wlan ac protect enable

Dual-link backup is enabled globally.


By default, dual-link backup is disabled globally.
NOTE

Enabling dual-link backup globally will reset the online APs.

4.

Run:
wlan ac protect { priority priority-value | protect-ac ip-address }

The AC priority or standby AC IP address is configured in the WLAN view.


By default, no AC priority or standby AC IP address is configured in the WLAN view.
5.

Run:
wlan ac protect restore enable

Global revertive switching is enabled globally.


By default, global revertive switching is enabled.
NOTE

If global revertive switching is disabled on the original active AC, traffic of an AP cannot be
switched back to the original active AC when the link between the original active AC and the
AP restores.

6.

(Optional) Run:
capwap keep-alive interval interval-value
capwap keep-alive times times-value

The CAPWAP heartbeat interval and number of heartbeat packet transmissions are configured.
When dual-link backup is not enabled, the CAPWAP heartbeat interval is 25 seconds and the number of heartbeat packet transmissions is 6 by default. When dual-link backup is enabled, the CAPWAP heartbeat interval is 25 seconds and the number of heartbeat packet transmissions is 3 by default.
NOTE

To configure dual-link backup on a WDS network, set the CAPWAP heartbeat interval to 25 seconds and the number of heartbeat packet transmissions to at least 6. Otherwise the AC sends heartbeat packets 3 times at an interval of 25 seconds by default, which may cause unstable WDS link status and result in user access failures.

7.

(Optional) Run:
ap-reset { all | id ap-id | ap-type { type ap-type | type-id type-id } }

Issue 04 (2013-06-15)

Huawei Proprietary and Confidential


Copyright Huawei Technologies Co., Ltd.

2183

AC6605 Access Controller


Configuration Guide

12 Configuration Guide - WLAN

The AP is reset.
NOTE

l For an AP that goes online after dual-link backup is configured, skip this step. For an online
AP, perform this step to reset it after dual-link backup is configured.
l You can also manually restart the AP to reset it.

l AP-specific configuration
1.

Run:
system-view

The system view is displayed.


2.

Run:
wlan

The WLAN view is displayed.


3.

Run:
wlan ac protect enable

Dual-link backup is enabled globally.


NOTE

Enabling dual-link backup globally will reset the online APs.

By default, dual-link backup is disabled globally.


4.

Run:
ap id ap-id

The AP view is displayed.


5.

Run:
protect-ac ip-address

The standby AC IP address is configured for the AP.


By default, no standby AC IP address is configured for an AP.
6.

Run:
priority priority-level

The AC priority is configured for the AP.


By default, no AC priority is configured in the AP view.
NOTE

l If priorities have been configured for the two ACs to which an AP connects, the AC with
higher priority becomes the active AC.
l If global revertive switching has been enabled globally, the original active AC establishes
a connection with the AP to become the active AC again after recovering from a failure.

7.

Run:
quit

Return to the WLAN view.


8.

(Optional) Run:
ap-reset id ap-id

The AP is reset.

NOTE

l For an AP that goes online after dual-link backup is configured, skip this step. For an online
AP, perform this step to reset it after dual-link backup is configured.
l You can also manually restart the AP to reset it.

----End

12.5.5 Configuring Service Holding upon CAPWAP Link Disconnection
Context
NOTE

Service holding upon CAPWAP link disconnection is only applicable to the direct forwarding mode.

Pre-Configuration Tasks
Before configuring service holding upon CAPWAP link disconnection, complete the following task:
l Configuring basic WLAN services (For details, see 12.2 WLAN Service Configuration.)

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
wlan

The WLAN view is displayed.


Step 3 Run:
ap id ap-id

The AP view is displayed.


Step 4 Run:
keep-service enable

Service holding upon CAPWAP link disconnection is enabled.


By default, all services on the AP are interrupted after the CAPWAP link between the AP and
AC is disconnected. After service holding upon CAPWAP link disconnection is enabled, the
AP can still provide data services when the CAPWAP link is disconnected.
Step 5 Run:
quit

Return to the WLAN view.


Step 6 Run:
commit { all | ap ap-id }

The services are delivered to the AP.


----End

Checking the Configuration

l Run the display ap { all | id ap-id | by-mac ap-mac | by-sn ap-sn } command to check whether service holding upon CAPWAP link disconnection is enabled on the specified AP.

12.5.6 (Optional) Configuring Channel Switching Without Service Interruption
Pre-Configuration Tasks
Before configuring channel switching without service interruption, complete the following task:
l Configuring basic WLAN services (For details, see 12.2 WLAN Service Configuration.)

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
wlan

The WLAN view is displayed.


Step 3 Run:
radio-profile { id profile-id | name profile-name }

The specified radio profile view is displayed.


Step 4 Run:
channel-switch announcement enable

The AP is enabled to send an announcement after the channel is switched.


By default, the AP cannot send an announcement when the channel is switched.
Step 5 Run:
channel-switch mode continue-transmitting

Data transmission from the STA is configured to continue on the current channel when the
channel is switched.
NOTE

When the AP channel needs to be switched, the AP instructs the STA to switch the channel after a fixed
number of Beacon intervals so that the STA and AP switch the channel simultaneously. This prevents the
STA from reconnecting to the AP.

Step 6 Run:
commit { all | ap ap-id }

The services are delivered to the AP.


----End

Checking the Configuration

l Run the display ap-profile { id profile-id | name profile-name } command to check whether channel switching without service interruption is enabled.

12.5.7 Configuration Examples


This topic describes the WLAN reliability configuration examples, including networking
requirements, configuration roadmap, and configuration procedure.

Example for Configuring Dual-link Backup (AP-Specific Configuration Mode)


Networking Requirements
An enterprise deploys WLAN area A to provide WLAN services. As shown in Figure 12-37,
the AP in area A is directly connected to the switch, the enterprise deploys two ACs in bypass
mode, and the switch connects to the Internet through the egress route. The enterprise requires
that dual-link backup be used to improve data transmission reliability.
Figure 12-37 Networking diagram for configuring dual-link backup (area A: one STA and one AP; the AP connects to switch GE0/0/1; switch GE0/0/2 and GE0/0/3 connect to GE0/0/1 on AC1 and AC2, which are deployed in bypass mode; the switch connects to the Internet; management VLAN: VLAN100; service VLAN: VLAN101)

Configuration Roadmap
1.

Configure basic WLAN services.

2.

Configure dual-link backup based on the dual-AC bypass deployment mode to improve
data transmission reliability.

NOTE

The AC6605 has the wired side and wireless side. XGE0/0/27 connects the wired side to the wireless side
and XGE0/0/1 connects the wireless side to the wired side. For details about the login modes on the wired
side and wireless side, see 11.1 Configuring User Login.

Table 12-13 Data plan

Item                         Data
---------------------------  -----------------------------------------------------
WLAN service                 WEP open system authentication and non-encryption
Management VLAN for APs      VLAN100
AP region                    101
Service set                  l Name: test
                             l SSID: test
                             l WLAN virtual interface: WLAN-ESS 1
                             l Data forwarding mode: direct forwarding
Service VLAN                 VLAN101
AC Carrier ID/AC ID          other/1
AC1 management IP address    VLANIF 100: 10.1.1.2/24
AC2 management IP address    VLANIF 100: 10.1.1.3/24
IP address pool for APs      10.1.1.4-10.1.1.254/24
Gateway address for APs      10.1.1.1/24 (switch)
IP address pool for STAs     10.1.2.2-10.1.2.254/24
DHCP server                  Switch, which assigns IP addresses to STAs and APs

Procedure
Step 1 Configure the switch and AC to enable the AC to communicate with the APs.
# Create VLAN100 (management VLAN) and VLAN101 (service VLAN) on the switch. Set
the link type of GE0/0/1 that connects the switch to the APs to trunk and PVID of the interface
to 100, and configure the interface to allow packets of VLAN100 and VLAN101 to pass. Set
the link type of GE0/0/2 and GE0/0/3 on the switch to trunk, and configure the interfaces to
allow packets of VLAN100 to pass.
NOTE

You are advised to configure port isolation on GE0/0/1. If port isolation is not configured, unnecessary packets
are broadcast in the VLANs or WLAN users connected to different APs can communicate with each other at
Layer 2.
<Quidway> system-view
[Quidway] sysname Switch
[Switch] vlan batch 100 101
[Switch] interface gigabitethernet 0/0/1
[Switch-GigabitEthernet0/0/1] port link-type trunk
[Switch-GigabitEthernet0/0/1] port trunk pvid vlan 100

[Switch-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 to 101


[Switch-GigabitEthernet0/0/1] port-isolate enable
[Switch-GigabitEthernet0/0/1] quit
[Switch] interface gigabitethernet 0/0/2
[Switch-GigabitEthernet0/0/2] port link-type trunk
[Switch-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[Switch-GigabitEthernet0/0/2] quit
[Switch] interface gigabitethernet 0/0/3
[Switch-GigabitEthernet0/0/3] port link-type trunk
[Switch-GigabitEthernet0/0/3] port trunk allow-pass vlan 100
[Switch-GigabitEthernet0/0/3] quit

# Add GE0/0/1 that connects the AC1's wired side to the switch to VLAN100 and add XGE0/0/27
that connects the AC1's wired side to the AC1's wireless side to VLAN100.
<Quidway> system-view
[Quidway] sysname AC-LSW1
[AC-LSW1] vlan batch 100
[AC-LSW1] interface gigabitethernet 0/0/1
[AC-LSW1-GigabitEthernet0/0/1] port link-type trunk
[AC-LSW1-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[AC-LSW1-GigabitEthernet0/0/1] quit
[AC-LSW1] interface xgigabitethernet 0/0/27
[AC-LSW1-XGigabitEthernet0/0/27] port link-type trunk
[AC-LSW1-XGigabitEthernet0/0/27] port trunk allow-pass vlan 100
[AC-LSW1-XGigabitEthernet0/0/27] quit

# Add GE0/0/1 that connects the AC2's wired side to the switch to VLAN100 and add XGE0/0/27
that connects the AC2's wired side to the AC2's wireless side to VLAN100.
<Quidway> system-view
[Quidway] sysname AC-LSW2
[AC-LSW2] vlan batch 100
[AC-LSW2] interface gigabitethernet 0/0/1
[AC-LSW2-GigabitEthernet0/0/1] port link-type trunk
[AC-LSW2-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[AC-LSW2-GigabitEthernet0/0/1] quit
[AC-LSW2] interface xgigabitethernet 0/0/27
[AC-LSW2-XGigabitEthernet0/0/27] port link-type trunk
[AC-LSW2-XGigabitEthernet0/0/27] port trunk allow-pass vlan 100
[AC-LSW2-XGigabitEthernet0/0/27] quit

# Add XGE0/0/1 that connects the AC1's wireless side to the AC1's wired side to VLAN100.
<Quidway> system-view
[Quidway] sysname AC1
[AC1] vlan batch 100
[AC1] interface xgigabitethernet 0/0/1
[AC1-XGigabitEthernet0/0/1] port link-type trunk
[AC1-XGigabitEthernet0/0/1] port trunk allow-pass vlan 100
[AC1-XGigabitEthernet0/0/1] quit

# Add XGE0/0/1 that connects the AC2's wireless side to the AC2's wired side to VLAN100.
<Quidway> system-view
[Quidway] sysname AC2
[AC2] vlan batch 100
[AC2] interface xgigabitethernet 0/0/1
[AC2-XGigabitEthernet0/0/1] port link-type trunk
[AC2-XGigabitEthernet0/0/1] port trunk allow-pass vlan 100
[AC2-XGigabitEthernet0/0/1] quit

Step 2 Configure the DHCP function on the switch to allocate IP addresses to APs and STAs.
# Configure VLANIF100 to use the interface address pool to allocate IP addresses to APs.
[Switch] dhcp enable
[Switch] interface vlanif100
[Switch-vlanif100] ip address 10.1.1.1 255.255.255.0

[Switch-vlanif100] dhcp select interface


[Switch-vlanif100] dhcp server excluded-ip-address 10.1.1.2 10.1.1.3
[Switch-vlanif100] quit

# Configure VLANIF101 to use the interface address pool to allocate IP addresses to STAs.
[Switch] interface vlanif101
[Switch-vlanif101] ip address 10.1.2.1 255.255.255.0
[Switch-vlanif101] dhcp select interface
[Switch-vlanif101] quit

Step 3 Configure AC1.

1. Configure system parameters.

# Configure the country code for AC1.
[AC1] wlan ac-global country-code cn

# Configure the AC1 ID and carrier ID.
[AC1] wlan ac-global ac id 1 carrier id other

# Configure the source interface of AC1.
[AC1] interface vlanif100
[AC1-vlanif100] ip address 10.1.1.2 255.255.255.0
[AC1-vlanif100] quit
[AC1] wlan
[AC1-wlan-view] wlan ac source interface vlanif 100

2. Configure AC1 to manage APs.


# Check the AP type IDs after obtaining the MAC addresses of the APs.
[AC1-wlan-view] display ap-type all
All AP types information:
------------------------------------------------------------------------------
ID      Type
------------------------------------------------------------------------------
0       WA601
1       WA631
6       WA603SN
7       WA603DN
8       WA633SN
11      WA603DE
12      WA653DE
14      WA653SN
17      AP6010SN-GN
19      AP6010DN-AGN
21      AP6310SN-GN
23      AP6510DN-AGN
25      AP6610DN-AGN
27      AP7110SN-GN
28      AP7110DN-AGN
29      AP5010SN-GN
30      AP5010DN-AGN
31      AP3010DN-AGN
33      AP6510DN-AGN-US
34      AP6610DN-AGN-US
------------------------------------------------------------------------------
Total number: 20
# Add the AP offline according to the AP type. Assume that the AP type is AP6010DN-AGN and the MAC address is 286E-D42B-0CE5.
[AC1-wlan-view] ap-auth-mode mac-auth


[AC1-wlan-view] ap id 0 type-id 19 mac 286E-D42B-0CE5
[AC1-wlan-ap-0] quit
NOTE

The default AP authentication mode is MAC address authentication. If the default settings are retained,
you do not need to run the ap-auth-mode mac-auth command.

# Configure an AP region and add the APs to the AP region.


[AC1-wlan-view] ap-region id 101
[AC1-wlan-ap-region-101] quit
[AC1-wlan-view] ap id 0
[AC1-wlan-ap-0] region-id 101
[AC1-wlan-ap-0] quit

# Configure the AC1 priority and the IP address of AC2 (the standby AC) in the AP view to implement dual-link backup.
NOTE

l The AC priority configuration determines the active and standby ACs. The AC with the higher priority functions as the active AC, and the other functions as the standby AC. A smaller value indicates a higher priority. When the AC priorities are the same, the AC that allows the larger number of APs is selected as the active AC; when those numbers are also the same, the AC that allows the larger number of STAs is selected; and when those are the same as well, the AC with the smaller IP address is selected.
l In this example, dual-link backup is configured using the AP-specific configuration method. You can also use the global configuration method to configure dual-link backup in the WLAN view.
[AC1-wlan-view] ap id 0
[AC1-wlan-ap-0] priority 3
[AC1-wlan-ap-0] protect-ac 10.1.1.3
[AC1-wlan-ap-0] quit

# After powering on the APs, run the display ap all command on the AC to check the AP running status. The command output shows that the AP status is normal.
[AC1-wlan-view] display ap all
All AP information(Normal-1,UnNormal-0):
------------------------------------------------------------------------------
AP   AP             AP               Profile/Region   AP       AP
ID   Type           MAC              ID               State    Sysname
------------------------------------------------------------------------------
0    AP6010DN-AGN   286e-d42b-0ce5   0/10             normal   ap-0
------------------------------------------------------------------------------
Total number: 1

3.

Configure WLAN service parameters.


# Create the WMM profile named wmm.
[AC1-wlan-view] wmm-profile name wmm id 1
[AC1-wlan-wmm-prof-wmm] quit

# Create a radio profile named radio and bind the WMM profile wmm to the radio profile.
[AC1-wlan-view] radio-profile name radio id 1
[AC1-wlan-radio-prof-radio] wmm-profile name wmm
[AC1-wlan-radio-prof-radio] quit
[AC1-wlan-view] quit

# Create WLAN-ESS interface 1.


[AC1] interface wlan-ess 1
[AC1-Wlan-Ess1] port link-type hybrid

[AC1-Wlan-Ess1] port hybrid untagged vlan 101


[AC1-Wlan-Ess1] quit

# Create a security profile named security.


[AC1] wlan
[AC1-wlan-view] security-profile name security id 1
[AC1-wlan-sec-prof-security] quit

# Create a traffic profile named traffic.


[AC1-wlan-view] traffic-profile name traffic id 1
[AC1-wlan-traffic-prof-traffic] quit

# Create a service set named test, bind the WLAN-ESS interface, security profile, and traffic profile to the service set, and set the forwarding mode to direct forwarding.
[AC1-wlan-view] service-set name test id 1
[AC1-wlan-service-set-test] ssid test
[AC1-wlan-service-set-test] wlan-ess 1
[AC1-wlan-service-set-test] security-profile name security
[AC1-wlan-service-set-test] traffic-profile name traffic
[AC1-wlan-service-set-test] service-vlan 101
[AC1-wlan-service-set-test] forward-mode direct-forward
[AC1-wlan-service-set-test] quit

4. Configure VAPs and deliver VAP parameters to the APs.


# Configure a VAP.
[AC1-wlan-view] ap 0 radio 0
[AC1-wlan-radio-0/0] radio-profile name radio
Warning: Modify the Radio type may cause some parameters of Radio resume default value, are you sure to continue?[Y/N]:y
[AC1-wlan-radio-0/0] service-set name test
[AC1-wlan-radio-0/0] quit

# Commit the configuration.
[AC1-wlan-view] commit ap 0
Warning: Committing configuration may cause service interruption,continue?[Y/N]y

Step 4 Configure AC2.

# Configure the country code for AC2.
[AC2] wlan ac-global country-code cn

# Configure the AC2 ID and carrier ID.
[AC2] wlan ac-global ac id 1 carrier id other

# Configure the source interface of AC2.
[AC2] interface vlanif100
[AC2-vlanif100] ip address 10.1.1.3 255.255.255.0
[AC2-vlanif100] quit
[AC2] wlan
[AC2-wlan-view] wlan ac source interface vlanif 100

NOTE

Configure basic parameters for AC2 according to the configurations of AC1.

# Configure the AC2 priority and AC1 IP address in the AP view to implement dual-link backup.
[AC2-wlan-view] ap id 0
[AC2-wlan-ap-0] priority 6
[AC2-wlan-ap-0] protect-ac 10.1.1.2
[AC2-wlan-ap-0] quit

Step 5 Enable dual-link backup for AC1 and AC2.


# Enable dual-link backup and revertive switching globally for AC1.
[AC1-wlan-view] wlan ac protect enable
[AC1-wlan-view] wlan ac protect restore enable

# Enable dual-link backup and revertive switching globally for AC2.


[AC2-wlan-view] wlan ac protect enable
[AC2-wlan-view] wlan ac protect restore enable

# Restart the AP on AC1 and deliver the dual-link backup configuration to the AP.
[AC1-wlan-view] ap-reset all
Warning: Reset AP! Continue? [Y/N]y
Info: Reset AP completely. Success count: 1. Failure count: 0.

Step 6 Verify the configuration.


Run the display wlan ac protect command on the active and standby ACs to check the dual-link information and priority on the two ACs.
[AC1-wlan-view] display wlan ac protect
------------------------------------------------------------
Protect state   : enable
Protect AC      : 10.1.1.3
Priority        : 3
Protect restore : enable
------------------------------------------------------------
[AC2-wlan-view] display wlan ac protect
------------------------------------------------------------
Protect state   : enable
Protect AC      : 10.1.1.2
Priority        : 6
Protect restore : enable
------------------------------------------------------------

When the AP detects a fault on the link connected to AC1, it instructs AC2 to take the active
role. This ensures service stability.
----End

Configuration Files
l Configuration file of the switch


#
sysname Switch
#
vlan batch 100 to 101
#
dhcp enable
#
interface Vlanif100
ip address 10.1.1.1 255.255.255.0
dhcp select interface
dhcp server excluded-ip-address 10.1.1.2 10.1.1.3
#
interface Vlanif101
ip address 10.1.2.1 255.255.255.0
dhcp select interface
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100 to 101

port-isolate enable group 1


#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk allow-pass vlan 100

l Configuration file of the AC1's wired side

#
sysname AC-LSW1
#
vlan batch 100
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100
#
interface XGigabitEthernet0/0/27
port link-type trunk
port trunk allow-pass vlan 100
#
return

l Configuration file of the AC1's wireless side


#
sysname AC1
#
vlan batch 100
#
wlan ac-global carrier id other ac id 1
#
interface Vlanif100
ip address 10.1.1.2 255.255.255.0
#
interface XGigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100
#
interface Wlan-Ess1
port link-type hybrid
port hybrid untagged vlan 101
#
wlan
wlan ac source interface vlanif100
wlan ac protect enable
ap-region id 101
ap-auth-mode mac-auth
ap id 0 type-id 19 mac 286E-D42B-0CE5 sn AB34002078
region-id 101
priority 3
protect-ac 10.1.1.3
wmm-profile name wmm id 1
traffic-profile name traffic id 1
security-profile name security id 1
service-set name test id 1
wlan-ess 1
ssid test
traffic-profile id 1
security-profile id 1
service-vlan 101
radio-profile name radio id 1
wmm-profile id 1
ap 0 radio 0
radio-profile id 1
service-set id 1 wlan 1

#
return

l Configuration file of the AC2's wired side

#
sysname AC-LSW2
#
vlan batch 100
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100
#
interface XGigabitEthernet0/0/27
port link-type trunk
port trunk allow-pass vlan 100
#
return

l Configuration file of the AC2's wireless side


#
sysname AC2
#
vlan batch 100
#
wlan ac-global carrier id other ac id 1
#
interface Vlanif100
ip address 10.1.1.3 255.255.255.0
#
interface XGigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100
#
interface Wlan-Ess1
port link-type hybrid
port hybrid untagged vlan 101
#
wlan
wlan ac source interface vlanif100
wlan ac protect enable
ap-region id 101
ap-auth-mode mac-auth
ap id 0 type-id 19 mac 286E-D42B-0CE5 sn AB34002078
region-id 101
priority 6
protect-ac 10.1.1.2
wmm-profile name wmm id 1
traffic-profile name traffic id 1
security-profile name security id 1
service-set name test id 1
wlan-ess 1
ssid test
traffic-profile id 1
security-profile id 1
service-vlan 101
radio-profile name radio id 1
wmm-profile id 1
ap 0 radio 0
radio-profile id 1
service-set id 1 wlan 1
#
return
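The CAUTION in 12.5.4 requires the WLAN service configuration to match on both ACs, and the NOTE in Step 3 gives the order in which the active AC is elected. The following Python script is an added example written for this guide, not Huawei code: it parses the two wireless-side configuration files above (with the indentation the printed copies lose), reports protect-ac or service mismatches between the pair, applies the election rules, and estimates the CAPWAP fault-detection time from the keep-alive defaults given in 12.5.4. The configuration strings are constructed from this example (AC2 deliberately carries service-vlan 102 so the check has something to report), the allowed-AP and allowed-STA counts passed to elect_active are placeholders, and treating interval x transmissions as the detection time is an approximation made here.

```python
"""Pre-flight check for an AC6605 dual-link backup pair: an added example, not
Huawei code.  Parses both ACs' wireless-side configuration files (layout as under
"Configuration Files", indentation assumed) and applies the guide's rules on
protect-ac, matching service configuration, active-AC election and heartbeats."""
import ipaddress
import re

SERVICE_KEYS = ("wmm-profile", "traffic-profile", "security-profile",
                "service-set", "radio-profile")
RADIO_RE = re.compile(r"^ap \d+ radio \d+$")   # 'ap 0 radio 0' VAP binding
AP_RE = re.compile(r"^ap id (\d+)\b")          # 'ap id 0 type-id 19 ...'

# Constructed sample: the guide's AC1 file with indentation restored.  AC2 is
# derived from it with service-vlan 102 on purpose, so the check reports it.
AC1_CFG = """\
interface Vlanif100
 ip address 10.1.1.2 255.255.255.0
#
wlan
 wlan ac source interface vlanif100
 wlan ac protect enable
 ap id 0 type-id 19 mac 286E-D42B-0CE5 sn AB34002078
  priority 3
  protect-ac 10.1.1.3
 wmm-profile name wmm id 1
 traffic-profile name traffic id 1
 security-profile name security id 1
 service-set name test id 1
  wlan-ess 1
  ssid test
  service-vlan 101
 radio-profile name radio id 1
 ap 0 radio 0
  radio-profile id 1
  service-set id 1 wlan 1
#
"""
AC2_CFG = (AC1_CFG.replace("ip address 10.1.1.2", "ip address 10.1.1.3")
           .replace("priority 3", "priority 6")
           .replace("protect-ac 10.1.1.3", "protect-ac 10.1.1.2")
           .replace("service-vlan 101", "service-vlan 102"))


def parse_ac(cfg):
    """Source IP, protect flag, per-AP protect settings and service config."""
    lines = cfg.splitlines()
    vlanif = dict(re.findall(r"^interface Vlanif(\d+)\n ip address (\S+)", cfg, re.M))
    ac = {"ip": None, "protect_enabled": False, "aps": {}, "services": {}}
    blocks = []                       # (wlan-view entry, [sub-view lines])
    for raw in lines[lines.index("wlan") + 1:]:
        if raw == "#":
            break
        depth = len(raw) - len(raw.lstrip(" "))
        if depth == 1:
            blocks.append((raw.strip(), []))
        elif blocks:
            blocks[-1][1].append(raw.strip())
    for header, children in blocks:
        m = re.match(r"^wlan ac source interface vlanif(\d+)$", header)
        if m:
            ac["ip"] = vlanif.get(m.group(1))
        elif header == "wlan ac protect enable":
            ac["protect_enabled"] = True
        elif AP_RE.match(header):
            pairs = re.findall(r"^(priority|protect-ac) (\S+)$", "\n".join(children), re.M)
            ac["aps"][int(AP_RE.match(header).group(1))] = dict(pairs)
        elif header.startswith(SERVICE_KEYS) or RADIO_RE.match(header):
            ac["services"][header] = tuple(children)
    return ac


def check_pair(cfg_a, cfg_b):
    """Findings for a dual-link pair; an empty list means it is consistent."""
    a, b = parse_ac(cfg_a), parse_ac(cfg_b)
    findings = []
    for name, this, peer in (("A", a, b), ("B", b, a)):
        if not this["protect_enabled"]:
            findings.append(f"AC {name}: 'wlan ac protect enable' is missing")
        for ap_id, info in this["aps"].items():
            if info.get("protect-ac") != peer["ip"]:
                findings.append(f"AC {name}: ap {ap_id} protect-ac {info.get('protect-ac')} "
                                f"is not the peer's source address {peer['ip']}")
            if "priority" not in info:
                findings.append(f"AC {name}: ap {ap_id} has no priority")
    for header in sorted(set(a["services"]) | set(b["services"])):
        if a["services"].get(header) != b["services"].get(header):
            findings.append(f"service configuration differs: {header}")
    return findings


def elect_active(candidates):
    """Smaller priority wins; ties go to more allowed APs, then more allowed STAs,
    then the smaller IP.  Allowed counts are licence values the caller supplies."""
    return min(candidates, key=lambda c: (c["priority"], -c["max_aps"],
                                          -c["max_stas"], ipaddress.ip_address(c["ip"])))["name"]


def failover_detection_seconds(cfg):
    """Heartbeat interval x transmissions (approximation), with the guide's
    defaults: 25 s; 3 transmissions with dual-link backup enabled, otherwise 6."""
    interval, times = 25, 3 if "wlan ac protect enable" in cfg else 6
    m = re.search(r"capwap keep-alive interval (\d+)", cfg)
    n = re.search(r"capwap keep-alive times (\d+)", cfg)
    return (int(m.group(1)) if m else interval) * (int(n.group(1)) if n else times)
```

Run check_pair against copies of display current-configuration taken from both ACs before enabling wlan ac protect: an AP whose protect-ac does not point at the peer's CAPWAP source address, or whose service set differs between the two ACs, is exactly the case the CAUTION warns will misbehave after a switchover. With the defaults, failover_detection_seconds returns 75 seconds for a protect-enabled AC, which is the window during which STAs on an AP without service holding have no path.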

Example for Configuring Dual-link Backup Globally (Global Configuration Mode)
Networking Requirements
An enterprise uses two APs to deploy WLAN area A to provide WLAN services. As shown in
Figure 12-38, AP1 and AP2 in area A are directly connected to the switch, the enterprise deploys
two ACs in bypass mode, and the switch connects to the Internet through the egress route. The
enterprise requires that dual-link backup be used to improve data transmission reliability.
Figure 12-38 Networking diagram for configuring dual-link backup (area A: STA1 on AP1 and STA2 on AP2; AP1 connects to switch GE0/0/1 and AP2 to switch GE0/0/4; switch GE0/0/2 and GE0/0/3 connect to GE0/0/1 on AC1 and AC2, which are deployed in bypass mode; the switch connects to the Internet; management VLAN: VLAN100; service VLAN: VLAN101)

Configuration Roadmap
1.

Configure basic WLAN services.

2.

Configure dual-link backup based on the dual-AC bypass deployment mode to improve
data transmission reliability.
NOTE

The AC6605 has the wired side and wireless side. XGE0/0/27 connects the wired side to the wireless side
and XGE0/0/1 connects the wireless side to the wired side. For details about the login modes on the wired
side and wireless side, see 11.1 Configuring User Login.

Table 12-14 Data plan

Item                         Data
---------------------------  -----------------------------------------------------
WLAN service                 WEP open system authentication and non-encryption
Management VLAN for APs      VLAN100
AP region                    101
Service set                  l Name: test
                             l SSID: test
                             l WLAN virtual interface: WLAN-ESS 1
                             l Data forwarding mode: direct forwarding
Service VLAN                 VLAN101
AC Carrier ID/AC ID          other/1
AC1 management IP address    VLANIF100: 10.1.1.2/24
AC2 management IP address    VLANIF100: 10.1.1.3/24
IP address pool for APs      10.1.1.4-10.1.1.254/24
Gateway address for APs      10.1.1.1/24 (switch)
IP address pool for STAs     10.1.2.2-10.1.2.254/24
DHCP server                  Switch, which assigns IP addresses to STAs and APs

Procedure
Step 1 Configure the switch and AC to enable the AC to communicate with the APs.
# Create VLAN100 (management VLAN) and VLAN101 (service VLAN) on the switch. Set the link type of GE0/0/1 and GE0/0/4 that connect the switch to the APs to trunk and the PVID of the interfaces to 100, and configure the interfaces to allow packets of VLAN100 and VLAN101 to pass. Set the link type of GE0/0/2 and GE0/0/3 on the switch to trunk, and configure the interfaces to allow packets of VLAN100 to pass.
NOTE

You are advised to configure port isolation on GE0/0/1 and GE0/0/4. If port isolation is not configured,
unnecessary packets are broadcast in the VLANs or WLAN users connected to different APs can communicate
with each other at Layer 2.
<Quidway> system-view
[Quidway] sysname Switch
[Switch] vlan batch 100 101
[Switch] interface gigabitethernet 0/0/1
[Switch-GigabitEthernet0/0/1] port link-type trunk
[Switch-GigabitEthernet0/0/1] port trunk pvid vlan 100
[Switch-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 to 101
[Switch-GigabitEthernet0/0/1] port-isolate enable
[Switch-GigabitEthernet0/0/1] quit
[Switch] interface gigabitethernet 0/0/4
[Switch-GigabitEthernet0/0/4] port link-type trunk
[Switch-GigabitEthernet0/0/4] port trunk pvid vlan 100
[Switch-GigabitEthernet0/0/4] port trunk allow-pass vlan 100 to 101
[Switch-GigabitEthernet0/0/4] port-isolate enable
[Switch-GigabitEthernet0/0/4] quit
[Switch] interface gigabitethernet 0/0/2
[Switch-GigabitEthernet0/0/2] port link-type trunk
[Switch-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[Switch-GigabitEthernet0/0/2] quit
[Switch] interface gigabitethernet 0/0/3
[Switch-GigabitEthernet0/0/3] port link-type trunk

[Switch-GigabitEthernet0/0/3] port trunk allow-pass vlan 100


[Switch-GigabitEthernet0/0/3] quit

# Add GE0/0/1 that connects the AC1's wired side to the switch to VLAN100 and add XGE0/0/27
that connects the AC1's wired side to the AC1's wireless side to VLAN100.
<Quidway> system-view
[Quidway] sysname AC-LSW1
[AC-LSW1] vlan batch 100
[AC-LSW1] interface gigabitethernet 0/0/1
[AC-LSW1-GigabitEthernet0/0/1] port link-type trunk
[AC-LSW1-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[AC-LSW1-GigabitEthernet0/0/1] quit
[AC-LSW1] interface xgigabitethernet 0/0/27
[AC-LSW1-XGigabitEthernet0/0/27] port link-type trunk
[AC-LSW1-XGigabitEthernet0/0/27] port trunk allow-pass vlan 100
[AC-LSW1-XGigabitEthernet0/0/27] quit

# Add GE0/0/1 that connects the AC2's wired side to the switch to VLAN100 and add XGE0/0/27
that connects the AC2's wired side to the AC2's wireless side to VLAN100.
<Quidway> system-view
[Quidway] sysname AC-LSW2
[AC-LSW2] vlan batch 100
[AC-LSW2] interface gigabitethernet 0/0/1
[AC-LSW2-GigabitEthernet0/0/1] port link-type trunk
[AC-LSW2-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[AC-LSW2-GigabitEthernet0/0/1] quit
[AC-LSW2] interface xgigabitethernet 0/0/27
[AC-LSW2-XGigabitEthernet0/0/27] port link-type trunk
[AC-LSW2-XGigabitEthernet0/0/27] port trunk allow-pass vlan 100
[AC-LSW2-XGigabitEthernet0/0/27] quit

# Add XGE0/0/1 that connects the AC1's wireless side to the AC1's wired side to VLAN100.
<Quidway> system-view
[Quidway] sysname AC1
[AC1] vlan batch 100
[AC1] interface xgigabitethernet 0/0/1
[AC1-XGigabitEthernet0/0/1] port link-type trunk
[AC1-XGigabitEthernet0/0/1] port trunk allow-pass vlan 100
[AC1-XGigabitEthernet0/0/1] quit

# Add XGE0/0/1 that connects the AC2's wireless side to the AC2's wired side to VLAN100.
<Quidway> system-view
[Quidway] sysname AC2
[AC2] vlan batch 100
[AC2] interface xgigabitethernet 0/0/1
[AC2-XGigabitEthernet0/0/1] port link-type trunk
[AC2-XGigabitEthernet0/0/1] port trunk allow-pass vlan 100
[AC2-XGigabitEthernet0/0/1] quit

Step 2 Configure the DHCP function on the switch to allocate IP addresses to APs and STAs.
# Configure VLANIF100 to use the interface address pool to allocate IP addresses to APs.
[Switch] dhcp enable
[Switch] interface vlanif100
[Switch-vlanif100] ip address 10.1.1.1 255.255.255.0
[Switch-vlanif100] dhcp select interface
[Switch-vlanif100] dhcp server excluded-ip-address 10.1.1.2 10.1.1.3
[Switch-vlanif100] quit

# Configure VLANIF101 to use the interface address pool to allocate IP addresses to STAs.
[Switch] interface vlanif101
[Switch-vlanif101] ip address 10.1.2.1 255.255.255.0

[Switch-vlanif101] dhcp select interface


[Switch-vlanif101] quit

Step 3 Configure AC1.

1. Configure system parameters.

# Configure the country code for AC1.
[AC1] wlan ac-global country-code cn

# Configure the AC1 ID and carrier ID.
[AC1] wlan ac-global ac id 1 carrier id other

# Configure the source interface of AC1.
[AC1] interface vlanif100
[AC1-vlanif100] ip address 10.1.1.2 255.255.255.0
[AC1-vlanif100] quit
[AC1] wlan
[AC1-wlan-view] wlan ac source interface vlanif 100

2. Configure AC1 to manage APs.


# Check the AP type IDs after obtaining the MAC addresses of the APs.
[AC1-wlan-view] display ap-type all
All AP types information:
------------------------------------------------------------------------------
ID    Type
------------------------------------------------------------------------------
0     WA601
1     WA631
6     WA603SN
7     WA603DN
8     WA633SN
11    WA603DE
12    WA653DE
14    WA653SN
17    AP6010SN-GN
19    AP6010DN-AGN
21    AP6310SN-GN
23    AP6510DN-AGN
25    AP6610DN-AGN
27    AP7110SN-GN
28    AP7110DN-AGN
29    AP5010SN-GN
30    AP5010DN-AGN
31    AP3010DN-AGN
33    AP6510DN-AGN-US
34    AP6610DN-AGN-US
------------------------------------------------------------------------------
Total number: 20

# Add the APs offline according to the AP type. Assume that the type of AP1 and AP2 is
AP6010DN-AGN, and their MAC addresses are 286E-D42B-0CE5 and 0025-9EE8-DF70.
[AC1-wlan-view] ap-auth-mode mac-auth
[AC1-wlan-view] ap id 0 type-id 19 mac 286E-D42B-0CE5
[AC1-wlan-ap-0] quit
[AC1-wlan-view] ap id 1 type-id 19 mac 0025-9EE8-DF70
[AC1-wlan-ap-1] quit

NOTE

The default AP authentication mode is MAC address authentication. If the default settings are retained,
you do not need to run the ap-auth-mode mac-auth command.

# Configure an AP region and add the APs to the AP region.


[AC1-wlan-view] ap-region id 101
[AC1-wlan-ap-region-101] quit
[AC1-wlan-view] ap id 0
[AC1-wlan-ap-0] region-id 101
[AC1-wlan-ap-0] quit
[AC1-wlan-view] ap id 1
[AC1-wlan-ap-1] region-id 101
[AC1-wlan-ap-1] quit

# After powering on the APs, run the display ap all command on the AC to check the AP
running status. The command output shows that the AP status is normal.
[AC1-wlan-view] display ap all
All AP information(Normal-2,UnNormal-0):
------------------------------------------------------------------------------
AP   AP              AP               Profile   AP       AP
                                      /Region
ID   Type            MAC              ID        State    Sysname
------------------------------------------------------------------------------
0    AP6010DN-AGN    286e-d42b-0ce5   0/10      normal   ap-0
1    AP6010DN-AGN    0025-9EE8-DF70   0/10      normal   ap-1
------------------------------------------------------------------------------
Total number: 2

3. Configure WLAN service parameters.

# Create the WMM profile named wmm.
[AC1-wlan-view] wmm-profile name wmm id 1
[AC1-wlan-wmm-prof-wmm] quit

# Create a radio profile named radio and bind the WMM profile wmm to the radio profile.
[AC1-wlan-view] radio-profile name radio id 1
[AC1-wlan-radio-prof-radio] wmm-profile name wmm
[AC1-wlan-radio-prof-radio] quit
[AC1-wlan-view] quit

# Create WLAN-ESS interface 1.
[AC1] interface wlan-ess 1
[AC1-Wlan-Ess1] port link-type hybrid
[AC1-Wlan-Ess1] port hybrid untagged vlan 101
[AC1-Wlan-Ess1] quit

# Create a security profile named security.


[AC1] wlan
[AC1-wlan-view] security-profile name security id 1
[AC1-wlan-sec-prof-security] quit

# Create a traffic profile named traffic.


[AC1-wlan-view] traffic-profile name traffic id 1
[AC1-wlan-traffic-prof-traffic] quit

# Create a service set named test, bind the WLAN-ESS interface, security profile, and
traffic profile to the service set, and set the forwarding mode to direct forwarding.
[AC1-wlan-view] service-set name test id 1
[AC1-wlan-service-set-test] ssid test
[AC1-wlan-service-set-test] wlan-ess 1
[AC1-wlan-service-set-test] security-profile name security
[AC1-wlan-service-set-test] traffic-profile name traffic
[AC1-wlan-service-set-test] service-vlan 101
[AC1-wlan-service-set-test] forward-mode direct-forward
[AC1-wlan-service-set-test] quit

4. Configure VAPs and deliver VAP parameters to the APs.

# Configure a VAP.
[AC1-wlan-view] ap 0 radio 0
[AC1-wlan-radio-0/0] radio-profile name radio
Warning: Modify the Radio type may cause some parameters of Radio resume default value, are you sure to continue?[Y/N]:y
[AC1-wlan-radio-0/0] service-set name test
[AC1-wlan-radio-0/0] quit
[AC1-wlan-view] ap 1 radio 0
[AC1-wlan-radio-1/0] radio-profile name radio
Warning: Modify the Radio type may cause some parameters of Radio resume default value, are you sure to continue?[Y/N]:y
[AC1-wlan-radio-1/0] service-set name test
[AC1-wlan-radio-1/0] quit

# Commit the configuration.
[AC1-wlan-view] commit all
Warning: Committing configuration may cause service interruption,continue?[Y/N]y

Step 4 Configure AC2.

# Configure the country code for AC2.
[AC2] wlan ac-global country-code cn

# Configure the AC2 ID and carrier ID.
[AC2] wlan ac-global ac id 1 carrier id other

# Configure the source interface of AC2.
[AC2] interface vlanif100
[AC2-vlanif100] ip address 10.1.1.3 255.255.255.0
[AC2-vlanif100] quit
[AC2] wlan
[AC2-wlan-view] wlan ac source interface vlanif 100

NOTE

Configure basic parameters for AC2 according to the configurations of AC1.

Step 5 Enable dual-link backup for AC1 and AC2.


# Configure the AC1 priority and AC2 IP address on AC1 to implement dual-link backup.
[AC1-wlan-view] wlan ac protect enable
[AC1-wlan-view] wlan ac protect enable protect-ac 10.1.1.3 priority 2
[AC1-wlan-view] wlan ac protect restore enable

# Configure the AC2 priority and AC1 IP address on AC2 to implement dual-link backup.
[AC2-wlan-view] wlan ac protect enable
[AC2-wlan-view] wlan ac protect enable protect-ac 10.1.1.2 priority 5
[AC2-wlan-view] wlan ac protect restore enable

# Restart the AP on AC1 and deliver the dual-link backup configuration to the AP.
[AC1-wlan-view] ap-reset all
Warning: Reset AP! Continue? [Y/N]y
Info: Reset AP completely. Success count: 2. Failure count: 0.

Step 6 Verify the configuration.

Run the display wlan ac protect command on the active and standby ACs to check the dual-link information and priority on the two ACs.
[AC1-wlan-view]display wlan ac protect
------------------------------------------------------------
Protect state   : enable
Protect AC      : 10.1.1.3
Priority        : 3
Protect restore : enable
------------------------------------------------------------
[AC2-wlan-view]display wlan ac protect
------------------------------------------------------------
Protect state   : enable
Protect AC      : 10.1.1.2
Priority        : 6
Protect restore : enable
------------------------------------------------------------

When the AP detects a fault on the link connected to AC1, it instructs AC2 to take the active
role. This ensures service stability.
----End

Configuration Files
- Configuration file of the switch


#
sysname Switch
#
vlan batch 100 to 101
#
dhcp enable
#
interface Vlanif100
ip address 10.1.1.1 255.255.255.0
dhcp select interface
dhcp server excluded-ip-address 10.1.1.2 10.1.1.3
#
interface Vlanif101
ip address 10.1.2.1 255.255.255.0
dhcp select interface
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100 to 101
port-isolate enable group 1
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/4
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100 to 101
port-isolate enable group 1

- Configuration file of the AC1's wired side


#
sysname LSW1

#
vlan batch 100
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100
#
interface XGigabitEthernet0/0/27
port link-type trunk
port trunk allow-pass vlan 100
#
return

- Configuration file of the AC1's wireless side


#
sysname AC1
#
vlan batch 100
#
wlan ac-global carrier id other ac id 1
#
interface Vlanif100
ip address 10.1.1.2 255.255.255.0
#
interface XGigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100
#
interface Wlan-Ess1
port link-type hybrid
port hybrid untagged vlan 101
#
wlan
wlan ac source interface vlanif100
wlan ac protect enable
wlan ac protect enable protect-ac 10.1.1.3 priority 2
ap-region id 101
ap-auth-mode mac-auth
ap id 0 type-id 19 mac 286E-D42B-0CE5 sn AB34002078
region-id 101
ap id 1 type-id 19 mac 0025-9EE8-DF70 sn AB36011000
region-id 101
wmm-profile name wmm id 1
traffic-profile name traffic id 1
security-profile name security id 1
service-set name test id 1
wlan-ess 1
ssid test
traffic-profile id 1
security-profile id 1
service-vlan 101
radio-profile name radio id 1
wmm-profile id 1
ap 0 radio 0
radio-profile id 1
service-set id 1 wlan 1
ap 1 radio 0
radio-profile id 1
service-set id 1 wlan 1
#
return

- Configuration file of the AC2's wired side


#
sysname LSW2
#
vlan batch 100
#
interface GigabitEthernet0/0/1
port link-type trunk

port trunk allow-pass vlan 100


#
interface XGigabitEthernet0/0/27
port link-type trunk
port trunk allow-pass vlan 100
#
return

- Configuration file of the AC2's wireless side


#
sysname AC2
#
vlan batch 100
#
wlan ac-global carrier id other ac id 1
#
interface Vlanif100
ip address 10.1.1.3 255.255.255.0
#
interface XGigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100
#
interface Wlan-Ess1
port link-type hybrid
port hybrid untagged vlan 101
#
wlan
wlan ac source interface vlanif100
wlan ac protect enable
wlan ac protect enable protect-ac 10.1.1.2 priority 5
ap-region id 101
ap-auth-mode mac-auth
ap id 0 type-id 19 mac 286E-D42B-0CE5 sn AB34002078
region-id 101
ap id 1 type-id 19 mac 0025-9EE8-DF70 sn AB36011000
region-id 101
wmm-profile name wmm id 1
traffic-profile name traffic id 1
security-profile name security id 1
service-set name test id 1
wlan-ess 1
ssid test
traffic-profile id 1
security-profile id 1
service-vlan 101
radio-profile name radio id 1
wmm-profile id 1
ap 0 radio 0
radio-profile id 1
service-set id 1 wlan 1
ap 1 radio 0
radio-profile id 1
service-set id 1 wlan 1
#
return
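The checks that the dual-link backup procedure above relies on, as an added example that is not part of the Huawei guide or its configuration files: it parses VRP-style configuration text in the layout shown above (the inputs are constructed inline from the example's values, with port-isolate deliberately left off GE0/0/4) and reports AP-facing trunk ports without port isolation (the Step 1 note), AC addresses that the switch's DHCP interface pool does not exclude (Step 2), and dual-link settings where the ACs do not protect each other's source address or share a priority (Step 5; in the example the AC with the lower value, AC1 at priority 2, is the active AC). All function names are my own.

```python
"""Consistency checks for the dual-link backup design above (added example, not
from the Huawei guide): parses the example's VRP-style configuration files and
checks AP-port isolation, DHCP exclusion of the AC addresses and AC mutual protection."""
import ipaddress
import re

# Constructed inputs in the example's layout and values; port-isolate is left off GE0/0/4 on purpose.
SWITCH_CFG = """\
#
interface Vlanif100
 ip address 10.1.1.1 255.255.255.0
 dhcp select interface
 dhcp server excluded-ip-address 10.1.1.2 10.1.1.3
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk pvid vlan 100
 port trunk allow-pass vlan 100 to 101
 port-isolate enable group 1
#
interface GigabitEthernet0/0/4
 port link-type trunk
 port trunk pvid vlan 100
 port trunk allow-pass vlan 100 to 101
#
"""

def ac_cfg(ip, peer, priority):
    return f"""\
#
interface Vlanif100
 ip address {ip} 255.255.255.0
#
wlan
 wlan ac source interface vlanif100
 wlan ac protect enable
 wlan ac protect enable protect-ac {peer} priority {priority}
#
"""

AC1_CFG = ac_cfg("10.1.1.2", "10.1.1.3", 2)
AC2_CFG = ac_cfg("10.1.1.3", "10.1.1.2", 5)

def blocks(cfg):
    """Split a '#'-delimited VRP configuration into (header, body_lines)."""
    out = []
    for chunk in re.split(r"^#[ \t]*$", cfg, flags=re.M):
        lines = [l.strip() for l in chunk.splitlines() if l.strip()]
        if lines:
            out.append((lines[0], lines[1:]))
    return out

def interfaces(cfg):
    return {h.split(None, 1)[1]: body for h, body in blocks(cfg)
            if h.startswith("interface ")}

def ip_of(cfg, ifname):
    m = re.search(rf"^interface {ifname}\s*\n\s*ip address (\S+)", cfg, flags=re.M)
    return m.group(1) if m else None

def unisolated_ap_ports(switch_cfg, mgmt_vlan="100"):
    """AP-facing ports (PVID = management VLAN) that lack port isolation."""
    return sorted(name for name, body in interfaces(switch_cfg).items()
                  if f"port trunk pvid vlan {mgmt_vlan}" in body
                  and not any(l.startswith("port-isolate enable") for l in body))

def missing_dhcp_exclusions(switch_cfg, static_ips, ifname="Vlanif100"):
    """Static AC addresses the interface address pool could still lease to an AP."""
    excluded = set()
    for line in interfaces(switch_cfg).get(ifname, []):
        m = re.match(r"dhcp server excluded-ip-address (\S+)(?: (\S+))?$", line)
        if m:
            lo = int(ipaddress.IPv4Address(m.group(1)))
            hi = int(ipaddress.IPv4Address(m.group(2) or m.group(1)))
            excluded |= {str(ipaddress.IPv4Address(i)) for i in range(lo, hi + 1)}
    return sorted(set(static_ips) - excluded)

def protect_settings(ac_cfg_text):
    """(protect enabled, protect-ac address, priority) from the wlan view."""
    enabled, peer, prio = False, None, None
    for line in (l.strip() for l in ac_cfg_text.splitlines()):
        m = re.match(r"wlan ac protect enable protect-ac (\S+) priority (\d+)$", line)
        if m:
            peer, prio = m.group(1), int(m.group(2))
        elif line == "wlan ac protect enable":
            enabled = True
    return enabled, peer, prio

def dual_link_problems(cfg_a, cfg_b):
    """Each AC must protect the other's Vlanif100 address with a distinct priority."""
    a, b = protect_settings(cfg_a), protect_settings(cfg_b)
    problems = []
    if not (a[0] and b[0]):
        problems.append("protection not enabled on both ACs")
    if a[1] != ip_of(cfg_b, "Vlanif100") or b[1] != ip_of(cfg_a, "Vlanif100"):
        problems.append("protect-ac does not point at the peer's source address")
    if a[2] == b[2]:
        problems.append("both ACs have the same priority")
    return problems
```

Running the three checks on the example's files returns an empty list for the DHCP and dual-link checks and flags GigabitEthernet0/0/4 in the deliberately modified switch input.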

Example for Configuring Service Holding upon CAPWAP Link Disconnection


Networking Requirements
An enterprise deploys WLAN area A to provide WLAN services. As shown in Figure 12-39,
the AP in area A is directly connected to the switch, user data is directly forwarded in AC bypass
deployment mode, and the switch connects to the Internet through the egress route. The
enterprise requires that data forwarding is not affected even when the AC is faulty to improve
data transmission reliability.
Figure 12-39 Networking diagram for configuring service holding upon CAPWAP link
disconnection

[Figure: the AP in Area A, serving a STA, connects to the switch's GE0/0/1; the AC's GE0/0/1 connects to the switch's GE0/0/2, with the CAPWAP tunnel running between the AC and the AP; the switch connects to the Internet. Management VLAN: VLAN100; Service VLAN: VLAN101. Legend: control packet, data packet.]

Configuration Roadmap
1. Configure basic WLAN services.
2. Configure service holding upon CAPWAP link disconnection to improve data transmission
reliability so that data forwarding is not affected even when the AC is faulty.
NOTE

The AC6605 has the wired side and wireless side. XGE0/0/27 connects the wired side to the wireless side
and XGE0/0/1 connects the wireless side to the wired side. For details about the login modes on the wired
side and wireless side, see 11.1 Configuring User Login.

Table 12-15 Data plan

Item                          Data
WLAN service                  Non-authentication and non-encryption
Management VLAN for APs       VLAN100
AP region                     101
Service set                   - Name: test
                              - SSID: test
                              - WLAN virtual interface: WLAN-ESS 1
                              - Data forwarding mode: direct forwarding
Service VLAN                  VLAN101
AC Carrier ID/AC ID           Other/1
IP address pool for APs       10.1.1.3-10.1.1.254/24
Gateway address for APs       10.1.1.1/24
AC source interface           VLANIF100: 10.1.1.2/24
Gateway address for STAs      VLANIF101: 10.1.2.1/24
IP address pool for STAs      10.1.2.2-10.1.2.254/24
DHCP server                   Switch, which assigns IP addresses to STAs and APs

Procedure
Step 1 Configure the switch and AC to enable the AC to communicate with the APs.
# Create VLAN100 (management VLAN) and VLAN101 (service VLAN) on the switch. Set
the link type of GE0/0/1 that connects the switch to the APs to trunk and PVID of the interface
to 100, and configure the interface to allow packets of VLAN100 and VLAN101 to pass. Set
the link type of GE0/0/2 on the switch to trunk, and configure the interface to allow packets of
VLAN100 to pass.
NOTE

You are advised to configure port isolation on GE0/0/1. If port isolation is not configured, unnecessary packets
are broadcast in the VLANs or WLAN users connected to different APs can communicate with each other at
Layer 2.
<Quidway> system-view
[Quidway] sysname Switch
[Switch] vlan batch 100 101
[Switch] interface gigabitethernet 0/0/1
[Switch-GigabitEthernet0/0/1] port link-type trunk
[Switch-GigabitEthernet0/0/1] port trunk pvid vlan 100
[Switch-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 to 101
[Switch-GigabitEthernet0/0/1] port-isolate enable
[Switch-GigabitEthernet0/0/1] quit
[Switch] interface gigabitethernet 0/0/2
[Switch-GigabitEthernet0/0/2] port link-type trunk
[Switch-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[Switch-GigabitEthernet0/0/2] quit

# Add GE0/0/1 that connects the AC wired side to the switch to VLAN100 and add XGE0/0/27
that connects the AC wired side to the wireless side to VLAN100.
<Quidway> system-view
[Quidway] sysname AC-LSW
[AC-LSW] vlan batch 100
[AC-LSW] interface gigabitethernet 0/0/1

[AC-LSW-GigabitEthernet0/0/1] port link-type trunk


[AC-LSW-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[AC-LSW-GigabitEthernet0/0/1] quit
[AC-LSW] interface xgigabitethernet 0/0/27
[AC-LSW-XGigabitEthernet0/0/27] port link-type trunk
[AC-LSW-XGigabitEthernet0/0/27] port trunk allow-pass vlan 100
[AC-LSW-XGigabitEthernet0/0/27] quit

# Add XGE0/0/1 that connects the AC wireless side to the wired side to VLAN100.
<Quidway> system-view
[Quidway] sysname AC
[AC] vlan batch 100
[AC] interface xgigabitethernet 0/0/1
[AC-XGigabitEthernet0/0/1] port link-type trunk
[AC-XGigabitEthernet0/0/1] port trunk allow-pass vlan 100
[AC-XGigabitEthernet0/0/1] quit

Step 2 Configure the DHCP function on the switch to allocate IP addresses to APs and STAs.
# Configure VLANIF100 to use the interface address pool to allocate IP addresses to APs.
[Switch] dhcp enable
[Switch] interface vlanif100
[Switch-vlanif100] ip address 10.1.1.1 255.255.255.0
[Switch-vlanif100] dhcp select interface
[Switch-vlanif100] dhcp server excluded-ip-address 10.1.1.2
[Switch-vlanif100] quit

# Configure VLANIF101 to use the interface address pool to allocate IP addresses to STAs.
[Switch] interface vlanif101
[Switch-vlanif101] ip address 10.1.2.1 255.255.255.0
[Switch-vlanif101] dhcp select interface
[Switch-vlanif101] quit

Step 3 Configure AC system parameters.

# Configure the country code.
[AC] wlan ac-global country-code cn

# Configure the AC ID and carrier ID.
[AC] wlan ac-global ac id 1 carrier id other

# Configure the source interface.
[AC] interface vlanif100
[AC-vlanif100] ip address 10.1.1.2 255.255.255.0
[AC-vlanif100] quit
[AC] wlan
[AC-wlan-view] wlan ac source interface vlanif 100

Step 4 Manage APs on the AC.


# Check the AP type IDs after obtaining the MAC addresses of the APs.
[AC-wlan-view] display ap-type all
All AP types information:
------------------------------------------------------------------------------
ID    Type
------------------------------------------------------------------------------
0     WA601
1     WA631
6     WA603SN
7     WA603DN
8     WA633SN
11    WA603DE
12    WA653DE
14    WA653SN
17    AP6010SN-GN
19    AP6010DN-AGN
21    AP6310SN-GN
23    AP6510DN-AGN
25    AP6610DN-AGN
27    AP7110SN-GN
28    AP7110DN-AGN
29    AP5010SN-GN
30    AP5010DN-AGN
31    AP3010DN-AGN
33    AP6510DN-AGN-US
34    AP6610DN-AGN-US
------------------------------------------------------------------------------
Total number: 20

# Add the AP offline according to the AP type. For example, the AP type is AP6010DN-AGN
and MAC address is 5489-9846-1dd4.
[AC-wlan-view] ap-auth-mode mac-auth
[AC-wlan-view] ap id 0 type-id 19 mac 5489-9846-1dd4
[AC-wlan-ap-0] quit
NOTE

The default AP authentication mode is MAC address authentication. If the default settings are retained, you do
not need to run the ap-auth-mode mac-auth command.

# Configure an AP region, add the AP to the AP region, and configure service holding upon
CAPWAP link disconnection.
[AC-wlan-view] ap-region id 101
[AC-wlan-ap-region-101] quit
[AC-wlan-view] ap id 0
[AC-wlan-ap-0] region-id 101
[AC-wlan-ap-0] keep-service enable
[AC-wlan-ap-0] quit

# After powering on the APs, run the display ap all command on the AC to check the AP running
status. The command output shows that the AP status is normal.
[AC-wlan-view] display ap all
All AP information(Normal-1,UnNormal-0):
------------------------------------------------------------------------------
AP   AP              AP               Profile   AP       AP
                                      /Region
ID   Type            MAC              ID        State    Sysname
------------------------------------------------------------------------------
0    AP6010DN-AGN    5489-9846-1dd4   0/10      normal   ap-0
------------------------------------------------------------------------------
Total number: 1

Step 5 Configure WLAN service parameters.


# Create the WMM profile named wmm.
[AC-wlan-view] wmm-profile name wmm id 1
[AC-wlan-wmm-prof-wmm] quit

# Create a radio profile named radio and bind the WMM profile wmm to the radio profile.
[AC-wlan-view] radio-profile name radio id 1
[AC-wlan-radio-prof-radio] wmm-profile name wmm
[AC-wlan-radio-prof-radio] quit
[AC-wlan-view] quit

# Create WLAN-ESS interface 1.
[AC] interface wlan-ess 1
[AC-Wlan-Ess1] port link-type hybrid
[AC-Wlan-Ess1] quit

# Create a security profile named security.


[AC] wlan
[AC-wlan-view] security-profile name security id 1
[AC-wlan-sec-prof-security] quit

# Create a traffic profile named traffic.


[AC-wlan-view] traffic-profile name traffic id 1
[AC-wlan-traffic-prof-traffic] quit

# Create a service set named test and bind the WLAN-ESS interface, security profile, and traffic
profile to the service set.
[AC-wlan-view] service-set name test id 1
[AC-wlan-service-set-test] ssid test
[AC-wlan-service-set-test] wlan-ess 1
[AC-wlan-service-set-test] security-profile name security
[AC-wlan-service-set-test] traffic-profile name traffic
[AC-wlan-service-set-test] service-vlan 101
[AC-wlan-service-set-test] forward-mode direct-forward
[AC-wlan-service-set-test] quit

Step 6 Configure VAPs and deliver VAP parameters to the APs.

# Configure a VAP.
[AC-wlan-view] ap 0 radio 0
[AC-wlan-radio-0/0] radio-profile name radio
Warning: Modify the Radio type may cause some parameters of Radio resume default value, are you sure to continue?[Y/N]:y
[AC-wlan-radio-0/0] service-set name test
[AC-wlan-radio-0/0] quit

# Commit the configuration.
[AC-wlan-view] commit ap 0
Warning: Committing configuration may cause service interruption,continue?[Y/N]y

Step 7 Verify the configuration.


The WLAN with SSID test is available for STAs connected to the AP, and these STAs can
connect to the WLAN without authentication. If the AC is powered off, service data forwarding
for wireless users in area A is not affected.
----End

Configuration Files
- Configuration file of the switch


#
sysname Switch
#
vlan batch 100 to 101
#
dhcp enable
#
interface Vlanif100
ip address 10.1.1.1 255.255.255.0
dhcp select interface
dhcp server excluded-ip-address 10.1.1.2
#
interface Vlanif101

ip address 10.1.2.1 255.255.255.0


dhcp select interface
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100 to 101
port-isolate enable group 1
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100

- Configuration file of the AC's wired side


#
sysname LSW
#
vlan batch 100
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100
#
interface XGigabitEthernet0/0/27
port link-type trunk
port trunk allow-pass vlan 100
#
return

- Configuration file of the AC's wireless side


#
sysname AC
#
vlan batch 100
#
wlan ac-global carrier id other ac id 1
#
interface Vlanif100
ip address 10.1.1.2 255.255.255.0
#
interface XGigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100
#
interface Wlan-Ess1
port link-type hybrid
#
wlan
wlan ac source interface vlanif100
ap-region id 101
ap id 0 type-id 19 mac 5489-9846-1dd4 sn AB35015384
keep-service enable
region-id 101
wmm-profile name wmm id 1
traffic-profile name traffic id 1
security-profile name security id 1
service-set name test id 1
wlan-ess 1
ssid test
traffic-profile id 1
security-profile id 1
service-vlan 101
radio-profile name radio id 1
wmm-profile id 1
ap 0 radio 0
radio-profile id 1
service-set id 1 wlan 1

#
return

Example for Configuring Channel Switching Without Service Interruption


Networking Requirements
An enterprise deploys WLAN area A to provide WLAN services. As shown in Figure 12-40,
AP1 and AP2 in area A are directly connected to the switch, user data is directly forwarded in
AC bypass deployment mode, and the switch connects to the Internet through the egress route.
The enterprise requires that WLAN services not be interrupted even when the APs change their
working channels.
Figure 12-40 Networking diagram for configuring channel switching without service
interruption

[Figure: AP1 and AP2 in Area A, each serving a STA, connect to the switch's GE0/0/1 and GE0/0/2; the AC's GE0/0/1 connects to the switch's GE0/0/3; the switch connects to the Internet. Management VLAN: VLAN100; Service VLAN: VLAN101.]

Configuration Roadmap
1. Configure basic WLAN services.
2. Configure channel switching without service interruption to improve WLAN service
reliability so that services are not interrupted even when APs change their working
channels.

NOTE

The AC6605 has the wired side and wireless side. XGE0/0/27 connects the wired side to the wireless side
and XGE0/0/1 connects the wireless side to the wired side. For details about the login modes on the wired
side and wireless side, see 11.1 Configuring User Login.

Table 12-16 Data plan

Item                          Data
WLAN service                  Non-authentication and non-encryption
Management VLAN for APs       VLAN100
AP region                     101
Service set                   - Name: test
                              - SSID: test
                              - WLAN virtual interface: WLAN-ESS 1
                              - Data forwarding mode: direct forwarding
Service VLAN                  VLAN101
AC Carrier ID/AC ID           Other/1
IP address pool for APs       10.1.1.3-10.1.1.254/24
Gateway address for APs       10.1.1.1/24
AC source interface           VLANIF100: 10.1.1.2/24
Gateway address for STAs      VLANIF101: 10.1.2.1/24
IP address pool for STAs      10.1.2.2-10.1.2.254/24
DHCP server                   Switch, which assigns IP addresses to STAs and APs

Procedure
Step 1 Configure the switch and AC to enable the AC to communicate with the APs.
# Create VLAN100 (management VLAN) and VLAN101 (service VLAN) on the switch. Set
the link type of GE0/0/1 that connects the switch to AP1 and GE0/0/2 that connects the switch
to AP2 to trunk and PVID of the interfaces to 100, and configure the interfaces to allow packets
of VLAN100 and VLAN101 to pass. Set the link type of GE0/0/3 on the switch to trunk, and
configure the interface to allow packets of VLAN100 to pass.
NOTE

You are advised to configure port isolation on GE0/0/1 and GE0/0/2. If port isolation is not configured,
unnecessary packets are broadcast in the VLANs or WLAN users connected to different APs can communicate
with each other at Layer 2.
<Quidway> system-view
[Quidway] sysname Switch
[Switch] vlan batch 100 101
[Switch] interface gigabitethernet 0/0/1
[Switch-GigabitEthernet0/0/1] port link-type trunk
[Switch-GigabitEthernet0/0/1] port trunk pvid vlan 100

[Switch-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 to 101


[Switch-GigabitEthernet0/0/1] port-isolate enable
[Switch-GigabitEthernet0/0/1] quit
[Switch] interface gigabitethernet 0/0/2
[Switch-GigabitEthernet0/0/2] port link-type trunk
[Switch-GigabitEthernet0/0/2] port trunk pvid vlan 100
[Switch-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 to 101
[Switch-GigabitEthernet0/0/2] port-isolate enable
[Switch-GigabitEthernet0/0/2] quit
[Switch] interface gigabitethernet 0/0/3
[Switch-GigabitEthernet0/0/3] port link-type trunk
[Switch-GigabitEthernet0/0/3] port trunk allow-pass vlan 100
[Switch-GigabitEthernet0/0/3] quit

# Add GE0/0/1 that connects the AC wired side to the switch to VLAN100 and add XGE0/0/27
that connects the AC wired side to the wireless side to VLAN100.
<Quidway> system-view
[Quidway] sysname AC-LSW
[AC-LSW] vlan batch 100
[AC-LSW] interface gigabitethernet 0/0/1
[AC-LSW-GigabitEthernet0/0/1] port link-type trunk
[AC-LSW-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[AC-LSW-GigabitEthernet0/0/1] quit
[AC-LSW] interface xgigabitethernet 0/0/27
[AC-LSW-XGigabitEthernet0/0/27] port link-type trunk
[AC-LSW-XGigabitEthernet0/0/27] port trunk allow-pass vlan 100
[AC-LSW-XGigabitEthernet0/0/27] quit

# Add XGE0/0/1 that connects the AC wireless side to the wired side to VLAN100.
<Quidway> system-view
[Quidway] sysname AC
[AC] vlan batch 100
[AC] interface xgigabitethernet 0/0/1
[AC-XGigabitEthernet0/0/1] port link-type trunk
[AC-XGigabitEthernet0/0/1] port trunk allow-pass vlan 100
[AC-XGigabitEthernet0/0/1] quit

Step 2 Configure the DHCP function on the switch to allocate IP addresses to APs and STAs.
# Configure VLANIF100 to use the interface address pool to allocate IP addresses to APs.
[Switch] dhcp enable
[Switch] interface vlanif100
[Switch-vlanif100] ip address 10.1.1.1 255.255.255.0
[Switch-vlanif100] dhcp select interface
[Switch-vlanif100] dhcp server excluded-ip-address 10.1.1.2
[Switch-vlanif100] quit

# Configure VLANIF101 to use the interface address pool to allocate IP addresses to STAs.
[Switch] interface vlanif101
[Switch-vlanif101] ip address 10.1.2.1 255.255.255.0
[Switch-vlanif101] dhcp select interface
[Switch-vlanif101] quit

Step 3 Configure AC system parameters.

# Configure the country code.
[AC] wlan ac-global country-code cn

# Configure the AC ID and carrier ID.
[AC] wlan ac-global ac id 1 carrier id other

# Configure the source interface.
[AC] interface vlanif100
[AC-vlanif100] ip address 10.1.1.2 255.255.255.0
[AC-vlanif100] quit
[AC] wlan
[AC-wlan-view] wlan ac source interface vlanif 100

Step 4 Manage APs on the AC.


# Check the AP type IDs after obtaining the MAC addresses of the APs.
[AC-wlan-view] display ap-type all
All AP types information:
------------------------------------------------------------------------------
ID    Type
------------------------------------------------------------------------------
0     WA601
1     WA631
6     WA603SN
7     WA603DN
8     WA633SN
11    WA603DE
12    WA653DE
14    WA653SN
17    AP6010SN-GN
19    AP6010DN-AGN
21    AP6310SN-GN
23    AP6510DN-AGN
25    AP6610DN-AGN
27    AP7110SN-GN
28    AP7110DN-AGN
29    AP5010SN-GN
30    AP5010DN-AGN
31    AP3010DN-AGN
33    AP6510DN-AGN-US
34    AP6610DN-AGN-US
------------------------------------------------------------------------------
Total number: 20

# Add the APs offline according to the AP type. Assume that the type of AP1 and AP2 is
AP6010DN-AGN, and that their MAC addresses are 286E-D42B-0CE5 and 0025-9EE8-DF70 respectively.
[AC-wlan-view] ap-auth-mode mac-auth
[AC-wlan-view] ap id 0 type-id 19 mac 286E-D42B-0CE5
[AC-wlan-ap-0] quit
[AC-wlan-view] ap id 1 type-id 19 mac 0025-9EE8-DF70
[AC-wlan-ap-1] quit

NOTE

The default AP authentication mode is MAC address authentication. If the default settings are retained, you do
not need to run the ap-auth-mode mac-auth command.

# Configure an AP region and add the APs to the AP region.


[AC-wlan-view] ap-region id 101
[AC-wlan-ap-region-101] quit
[AC-wlan-view] ap id 0
[AC-wlan-ap-0] region-id 101
[AC-wlan-ap-0] quit
[AC-wlan-view] ap id 1
[AC-wlan-ap-1] region-id 101
[AC-wlan-ap-1] quit

# After powering on the APs, run the display ap all command on the AC to check the AP running
status. The command output shows that the AP status is normal.
[AC-wlan-view] display ap all
All AP information(Normal-2,UnNormal-0):
------------------------------------------------------------------------------
AP ID  AP Type       AP MAC          Profile ID/Region ID  AP State  AP Sysname
------------------------------------------------------------------------------
0      AP6010DN-AGN  286e-d42b-0ce5  0/101                 normal    ap-0
1      AP6010DN-AGN  0025-9ee8-df70  0/101                 normal    ap-1
------------------------------------------------------------------------------
Total number: 2

Step 5 Configure WLAN service parameters.


# Create the WMM profile named wmm.
[AC-wlan-view] wmm-profile name wmm id 1
[AC-wlan-wmm-prof-wmm] quit

# Create a radio profile named radio, configure channel switching without service interruption,
and bind the WMM profile wmm to the radio profile.
[AC-wlan-view] radio-profile name radio id 1
[AC-wlan-radio-prof-radio] channel-switch announcement enable
[AC-wlan-radio-prof-radio] channel-switch mode continue-transmitting
[AC-wlan-radio-prof-radio] wmm-profile name wmm
[AC-wlan-radio-prof-radio] quit

# Create WLAN-ESS interface 1 (leave the WLAN view first; the interface is created in the system view).
[AC-wlan-view] quit
[AC] interface wlan-ess 1
[AC-Wlan-Ess1] port link-type hybrid
[AC-Wlan-Ess1] quit

# Create a security profile named security.


[AC] wlan
[AC-wlan-view] security-profile name security id 1
[AC-wlan-sec-prof-security] quit

# Create a traffic profile named traffic.


[AC-wlan-view] traffic-profile name traffic id 1
[AC-wlan-traffic-prof-traffic] quit

# Create a service set named test and bind the WLAN-ESS interface, security profile, and traffic
profile to the service set.
[AC-wlan-view] service-set name test id 1
[AC-wlan-service-set-test] ssid test
[AC-wlan-service-set-test] wlan-ess 1
[AC-wlan-service-set-test] security-profile name security
[AC-wlan-service-set-test] traffic-profile name traffic
[AC-wlan-service-set-test] service-vlan 101
[AC-wlan-service-set-test] forward-mode direct-forward
[AC-wlan-service-set-test] quit

Step 6 Configure VAPs and deliver VAP parameters to the APs.


# Configure a VAP.
[AC-wlan-view] ap 0 radio 0
[AC-wlan-radio-0/0] radio-profile name radio
Warning: Modify the Radio type may cause some parameters of Radio resume default value, are you sure to continue?[Y/N]:y
[AC-wlan-radio-0/0] service-set name test
[AC-wlan-radio-0/0] quit
[AC-wlan-view] ap 1 radio 0
[AC-wlan-radio-1/0] radio-profile name radio
Warning: Modify the Radio type may cause some parameters of Radio resume default value, are you sure to continue?[Y/N]:y
[AC-wlan-radio-1/0] service-set name test
[AC-wlan-radio-1/0] quit

# Commit the configuration.
[AC-wlan-view] commit all
Warning: Committing configuration may cause service interruption,continue?[Y/N]y

Step 7 Verify the configuration.

The WLAN with SSID test is available to STAs connected to AP1 and AP2, and these STAs can
connect to the WLAN without authentication. When radio calibration changes the channel of AP1
or AP2, service data forwarding for the wireless users on that AP is not affected.
----End

Configuration Files
l Configuration file of the switch


#
sysname Switch
#
vlan batch 100 to 101
#
dhcp enable
#
interface Vlanif100
ip address 10.1.1.1 255.255.255.0
dhcp select interface
dhcp server excluded-ip-address 10.1.1.2
#
interface Vlanif101
ip address 10.1.2.1 255.255.255.0
dhcp select interface
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100 to 101
port-isolate enable group 1
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100 to 101
port-isolate enable group 1
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk allow-pass vlan 100

l Configuration file of the AC's wired side


#
sysname LSW
#
vlan batch 100
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100
#
interface XGigabitEthernet0/0/27
port link-type trunk
port trunk allow-pass vlan 100
#
return

l Configuration file of the AC's wireless side
#
sysname AC
#
vlan batch 100
#
wlan ac-global carrier id other ac id 1
#
interface Vlanif100
ip address 10.1.1.2 255.255.255.0
#
interface XGigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100
#
interface Wlan-Ess1
port link-type hybrid
#
wlan
wlan ac source interface vlanif100
ap-region id 101
ap id 0 type-id 19 mac 286e-d42b-0ce5 sn 210235419610CB002287
region-id 101
ap id 1 type-id 19 mac 0025-9ee8-df70 sn 210235419610CB000473
region-id 101
wmm-profile name wmm id 1
traffic-profile name traffic id 1
security-profile name security id 1
service-set name test id 1
wlan-ess 1
ssid test
traffic-profile id 1
security-profile id 1
service-vlan 101
radio-profile name radio id 1
channel-switch announcement enable
wmm-profile id 1
ap 0 radio 0
radio-profile id 1
service-set id 1 wlan 1
ap 1 radio 0
radio-profile id 1
service-set id 1 wlan 1
#
return

12.6 Roaming Configuration


Roaming allows a STA to move from an AP to another AP in the same ESS on a WLAN network
with nonstop service transmission.

12.6.1 Overview
Roaming allows a STA to move from an AP to another AP in the same ESS on a WLAN network
with nonstop service transmission.
A key advantage of a WLAN is that a STA can move within the network without being tied to a
physical attachment point. Roaming ensures that the STA's services are not interrupted while it
moves. An extended service set (ESS) includes multiple APs; when a STA moves from one AP to
another, roaming provides a seamless transition of the STA's services between the APs.

12.6.2 Roaming Features Supported by the Device


WLAN roaming includes roaming between APs in the same service VLAN and roaming between
APs in different service VLANs.

Roaming Between APs in the Same Service VLAN


As shown in Figure 12-41, the APs before and after STA roaming belong to the same service
VLAN.
Figure 12-41 Networking diagram of roaming between APs in the same service VLAN (the AC connects
to the Internet; AP1 and AP2 both belong to VLAN10 and advertise SSID Huawei, AP1 on channel 1
and AP2 on channel 6; the STA roams from AP1 to AP2)

Roaming Between APs in Different Service VLANs


Like wired LANs, to prevent broadcast storms, enterprise users on enterprise WLANs are
assigned different VLANs according to their floors and departments. If APs deployed at different
floors belong to different VLANs, services of a user are interrupted when the user roams between
two APs at different floors. Roaming between APs in different service VLANs prevents service
interruption in this case, improving WLAN service experience.
The APs before and after STA roaming belong to different service VLANs, as shown in Figure
12-42. To prevent services of a user from being interrupted during WLAN roaming, ensure that
the service VLAN of the user remains unchanged after the user roams between two APs. In Figure
12-42, the service VLAN of the STA remains VLAN10 after the STA roams from AP1 to AP2.
Figure 12-42 Networking diagram of roaming between APs in different service VLANs (the AC connects
to the Internet; AP1 belongs to VLAN10 on channel 1 and AP2 to VLAN20 on channel 6, both with
SSID Huawei; the STA roams from AP1 to AP2 and keeps VLAN10)

12.6.3 Configuring Roaming Between APs in the Same Service VLAN
If neighboring APs have the same service VLAN, configure roaming between the APs in the same
service VLAN. After the configuration, services are not interrupted when a STA moves from one
AP to another AP in the same service VLAN.

Pre-configuration Tasks
Before configuring roaming between APs in the same service VLAN, complete the following
tasks:
l Configuring basic WLAN services
l Performing the following operations for each AP involved in roaming:
  Associating the APs with the same AC
  Configuring the same security policy
  Setting the same SSID
  Setting the same data forwarding mode
  Configuring the same service VLAN
Procedure
You can perform the following operations in any sequence based on the site requirements:

Configuring Non-Fast Roaming Between APs in the Same Service VLAN


Procedure
Step 1 Configure non-fast roaming.
Any of the following security policies can be configured for an AP (for details on how to
configure a security policy, see Configuring WLAN Security Policies):
l WEP open system authentication
l WEP shared key authentication
l WPA/WPA2-PSK
l WPA-802.1X
l WPA2-802.1X (when the STAs do not support fast roaming)
After basic service configurations are complete, the STAs can implement non-fast roaming.
NOTE

In direct forwarding mode, the ARP entries on the access devices connected to the APs are not updated after a
user roams, which causes a temporary service interruption. To prevent this problem, enable DHCP snooping in
the service set view on the AC. The AP can then send gratuitous ARP packets to the access devices to update
their ARP entries in a timely manner, ensuring nonstop service during roaming.

Step 2 (Optional) Configure key negotiation between a STA and an AP.


If a STA uses the WPA/WPA2 security policy, it must perform key negotiation again during
roaming, by default with the AC. If the STA performs key negotiation with the AP instead, the
roaming switchover time is reduced and fast roaming can be implemented.
1. Run:
system-view
The system view is displayed.
2. Run:
wlan
The WLAN view is displayed.
3. Run:
ap-profile { id profile-id | name profile-name }
The AP profile view is displayed.
4. Run:
4-way-handshake ap
A STA that uses the WPA/WPA2 security policy is configured to perform key negotiation
with the AP during roaming.
By default, a STA that uses the WPA/WPA2 security policy performs key negotiation with
the AC during roaming.
5. Run:
quit
Exit from the AP profile view.
6. Run:
ap id ap-id
The AP view is displayed.
7. Run:
profile-id profile-id
The AP is bound to the AP profile.
By default, an AP is bound to the AP profile ap-profile-0.
8. Run:
quit
Exit from the AP view.
9. Run:
commit { all | ap ap-id }
The configuration is submitted to the AP.

----End

Configuring Fast Roaming Between APs in the Same Service VLAN


Procedure
Step 1 Configure fast roaming.
Before configuring fast roaming, ensure that STAs support fast roaming technology and the
security policy configured for each AP involved in roaming is WPA2-802.1X. After basic
service configurations are complete, the STAs can implement fast roaming.
NOTE

In direct forwarding mode, the ARP entries on the access devices connected to the APs are not updated after a
user roams, which causes a temporary service interruption. To prevent this problem, enable DHCP snooping in
the service set view on the AC. The AP can then send gratuitous ARP packets to the access devices to update
their ARP entries in a timely manner, ensuring nonstop service during roaming.

Step 2 (Optional) Configure key negotiation between a STA and an AP.


If a STA uses the WPA/WPA2 security policy, it must perform key negotiation again during
roaming, by default with the AC. If the STA performs key negotiation with the AP instead, the
roaming switchover time is reduced and fast roaming can be implemented.
1. Run:
system-view
The system view is displayed.
2. Run:
wlan
The WLAN view is displayed.
3. Run:
ap-profile { id profile-id | name profile-name }
The AP profile view is displayed.
4. Run:
4-way-handshake ap
A STA that uses the WPA/WPA2 security policy is configured to perform key negotiation
with the AP during roaming.
By default, a STA that uses the WPA/WPA2 security policy performs key negotiation with
the AC during roaming.
5. Run:
quit
Exit from the AP profile view.
6. Run:
ap id ap-id
The AP view is displayed.
7. Run:
profile-id profile-id
The AP is bound to the AP profile.
By default, an AP is bound to the AP profile ap-profile-0.
8. Run:
quit
Exit from the AP view.
9. Run:
commit { all | ap ap-id }
The configuration is submitted to the AP.

----End

Checking the Configuration


Procedure
l Run the display ap-profile { id profile-id | name profile-name } command to check the
object with which a STA using the WPA/WPA2 security policy performs key negotiation
during roaming.
l Run the display station roam-track sta sta-mac command to check the STA roaming
track.
l Run the display station assoc-info sta mac-address command to check the access
information about the specified STA and check whether the AP connected to the STA
changes.

----End

12.6.4 Configuring Roaming Between APs in Different Service VLANs
If neighboring APs have different service VLANs, configure roaming between the APs in
different service VLANs. After the configuration, services are not interrupted when a STA
moves from one AP to another AP in a different service VLAN.

Pre-configuration Tasks
Before configuring roaming between APs in different service VLANs, complete the following
tasks:
l Configuring basic WLAN services
l Performing the following operations for each AP involved in roaming:
  Associating the APs with the same AC
  Configuring the same security policy
  Setting the same SSID
  Setting the same data forwarding mode
  Configuring different service VLANs
  Configuring both service VLANs (those of the APs before and after roaming) on the WLAN-ESS interface

Context
The service VLANs of the APs before and after roaming are different. When roaming between
APs in different VLANs is implemented, the service VLAN of the STA must remain the original
one after the STA roams to another AP. Therefore, the VLAN configuration varies depending
on the forwarding mode. This topic uses a Layer 2 network between the APs and AC as an
example to describe different VLAN configurations.
l Direct forwarding mode
As shown in Figure 12-43, in direct forwarding mode, when a STA roams from AP1 to
AP2 and its data packets arrive at AP2, AP2 tags the packets with VLAN101 (the STA's
original service VLAN) and forwards them to the upper-level network. Likewise, when a
STA roams from AP2 to AP1 and its data packets arrive at AP1, AP1 tags the packets with
VLAN102 and forwards them to the upper-level network.
Figure 12-43 Networking diagram of roaming between APs in different service VLANs
in direct forwarding mode (AP1 behind Switch1 with service VLAN101 and AP2 behind Switch2
with service VLAN102, both with SSID test, on channels 1 and 6; Switch1 and Switch2 connect
to the AC, which connects to the Internet; the STA roams from AP1 to AP2. Data packet headers
on each hop before the roam: STA 802.11 | payload; AP1, Switch1 and AC: VLAN101 802.3 |
payload. After the roam: STA 802.11 | payload; AP2, switch and AC: VLAN101 802.3 | payload)

If the direct forwarding mode is used, configure the interfaces on Switch1 and Switch2
between the APs and AC and the AC interfaces (including the uplink, downlink, XGE0/0/1,
XGE0/0/27, and WLAN-ESS interfaces) to permit packets from VLAN101 and VLAN102
to pass through.
NOTE

If no switch exists between the APs and AC, configure the AC interfaces (including the uplink,
downlink, XGE0/0/1, XGE0/0/27, and WLAN-ESS interfaces) to permit packets from VLAN101 and
VLAN102 to pass through.

l Tunnel forwarding mode
As shown in Figure 12-44, in tunnel forwarding mode, when a STA roams from AP1 to
AP2 and its data packets arrive at AP2, AP2 tags the packets with VLAN102, encapsulates
them in the CAPWAP tunnel, tags the CAPWAP packets with its management VLAN
(VLAN200), and forwards them to the AC. The AC decapsulates the CAPWAP packets,
replaces the tag VLAN102 with VLAN101, and forwards the packets to the upper-level
network device. Conversely, when a STA roams from AP2 to AP1 and its data packets
arrive at AP1, AP1 tags the packets with VLAN101, encapsulates them in the CAPWAP
tunnel, tags them with VLAN100, and forwards them to the AC; the AC decapsulates the
CAPWAP packets, replaces the tag VLAN101 with VLAN102, and forwards the packets to
the upper-level network device.
Figure 12-44 Networking diagram of roaming between APs in different service VLANs
in tunnel forwarding mode (AP1 behind Switch1: service VLAN101, management VLAN100;
AP2 behind Switch2: service VLAN102, management VLAN200; both with SSID test, on
channels 1 and 6; the AC connects to the Internet; the STA roams from AP1 to AP2. Data
packet headers before the roam: STA 802.11 | payload; AP1 and Switch1: VLAN100 802.3 |
UDP/IP | CAPWAP | VLAN101 802.3 | payload; AC: VLAN101 802.3 | payload. After the roam:
STA 802.11 | payload; AP2 and Switch2: VLAN200 802.3 | UDP/IP | CAPWAP | VLAN102 802.3 |
payload; AC: VLAN101 802.3 | payload)
If the tunnel forwarding mode is used, configure the WLAN-ESS interface and uplink
interface on the AC to permit packets from VLAN101 and VLAN102 to pass through.
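The prerequisite lists of 12.6.3 and 12.6.4 and the VLAN-permit rules in the Context above can be checked mechanically against the configuration files the guide prints. The following Python script is an added example written for this page, not Huawei code: it parses the flattened AC6605 configuration-file format shown earlier in this chapter (service-set blocks, "ap N radio R" bindings and trunk interface blocks), compares the service sets bound to two APs, and, for different service VLANs with direct forwarding, verifies that every trunk interface in the file permits both service VLANs. The SAMPLE_CONFIG text is constructed for the example; treating a service set without a forward-mode line as direct forwarding is an assumption taken from the guide's printed configuration file, and only trunk interfaces are checked (the WLAN-ESS hybrid interface is not).

```python
"""Check roaming prerequisites for two APs in an AC6605-style configuration file.

Added example for this page, not Huawei's code. It parses the flattened config-file
format the guide prints and applies the 12.6.3 checks (same service VLAN) or the
12.6.4 checks (different service VLANs; with direct forwarding every trunk must
permit both). SAMPLE_CONFIG is constructed for the example.
"""
import re
from collections import defaultdict

# Assumption: a service set whose printed config has no "forward-mode" line uses
# direct forwarding (the guide's config file omits the line set in the procedure).
DEFAULT_FORWARD_MODE = "direct-forward"
# service-set lines we record -> field name; the value is the line's last token
FIELDS = {"ssid": "ssid", "security-profile": "security",
          "service-vlan": "vlan", "forward-mode": "forward"}


def parse_vlan_list(spec):
    """Expand a VRP VLAN list such as '100 to 102 200' into a set of ints."""
    return {v for lo, hi in re.findall(r"(\d+)(?:\s+to\s+(\d+))?", spec)
            for v in range(int(lo), int(hi or lo) + 1)}


def parse_config(text):
    """Return (service sets by id, service-set ids bound per AP, VLANs permitted per trunk)."""
    sets, bindings, trunks = {}, defaultdict(set), {}
    cur_set = cur_ap = cur_if = None
    for raw in text.splitlines():
        t = raw.split()
        if not t:
            continue
        if t[0] == "interface":
            cur_if, cur_set, cur_ap = " ".join(t[1:]), None, None
        elif t[:3] == ["port", "link-type", "trunk"] and cur_if:
            trunks.setdefault(cur_if, set())
        elif t[:4] == ["port", "trunk", "allow-pass", "vlan"] and cur_if in trunks:
            trunks[cur_if] |= parse_vlan_list(" ".join(t[4:]))
        elif t[:2] == ["service-set", "name"]:                  # service-set name X id N
            cur_set, cur_ap = int(t[t.index("id") + 1]), None
            sets[cur_set] = {"ssid": None, "security": None, "vlan": None,
                             "forward": DEFAULT_FORWARD_MODE}
        elif t[0] == "ap" and len(t) > 2 and t[2] == "radio":  # ap N radio R
            cur_ap, cur_set = int(t[1]), None
        elif cur_set is not None and t[0] in FIELDS and len(t) > 1 and t[1] != "name":
            sets[cur_set][FIELDS[t[0]]] = t[-1]                 # e.g. "security-profile id 1"
        elif cur_ap is not None and t[:2] == ["service-set", "id"]:
            bindings[cur_ap].add(int(t[2]))                     # "service-set id X wlan Y"
    return sets, dict(bindings), trunks


def check_roaming(text, ap_a, ap_b, same_vlan=True):
    """List violated prerequisites for roaming between ap_a and ap_b; an empty list means OK."""
    sets, bindings, trunks = parse_config(text)
    problems, by_ssid = [], {}
    for ap in (ap_a, ap_b):
        for sid in bindings.get(ap, ()):
            by_ssid.setdefault(sets[sid]["ssid"], {})[ap] = sets[sid]
    for ssid, per_ap in by_ssid.items():
        if len(per_ap) < 2:
            problems.append(f"SSID {ssid}: configured on only one of the two APs")
            continue
        a, b = per_ap[ap_a], per_ap[ap_b]
        if a["security"] != b["security"]:
            problems.append(f"SSID {ssid}: security profiles differ ({a['security']} vs {b['security']})")
        if a["forward"] != b["forward"]:
            problems.append(f"SSID {ssid}: forwarding modes differ ({a['forward']} vs {b['forward']})")
        if same_vlan and a["vlan"] != b["vlan"]:
            problems.append(f"SSID {ssid}: service VLANs differ ({a['vlan']} vs {b['vlan']})")
        if not same_vlan and a["vlan"] == b["vlan"]:
            problems.append(f"SSID {ssid}: both APs use service VLAN {a['vlan']}; apply 12.6.3 instead")
        if not same_vlan and a["vlan"] != b["vlan"] and a["forward"] == "direct-forward":
            needed = {int(a["vlan"]), int(b["vlan"])}          # 12.6.4 Context: every trunk
            for name, allowed in trunks.items():               # must carry both service VLANs
                if needed - allowed:
                    problems.append(f"{name}: trunk does not permit service VLAN(s) {sorted(needed - allowed)}")
    return problems


# Constructed sample: same SSID and security profile, different service VLANs,
# and XGE0/0/27 deliberately missing VLAN 102.
SAMPLE_CONFIG = """\
interface XGigabitEthernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 100 to 102
interface XGigabitEthernet0/0/27
 port link-type trunk
 port trunk allow-pass vlan 100 to 101
wlan
 service-set name floor1 id 1
  ssid test
  security-profile id 1
  service-vlan 101
  forward-mode direct-forward
 service-set name floor2 id 2
  ssid test
  security-profile id 1
  service-vlan 102
 ap 1 radio 0
  service-set id 1 wlan 1
 ap 2 radio 0
  service-set id 2 wlan 1
"""
```

Calling check_roaming(SAMPLE_CONFIG, 1, 2, same_vlan=False) reports that XGigabitEthernet0/0/27 does not permit VLAN 102, an omission that a direct-forwarding deployment would otherwise notice only when a roamed STA's traffic is dropped; the same input with same_vlan=True fails the 12.6.3 check instead, because the service VLANs differ. Run the script against the switch configurations between the APs and the AC as well, since the Context above requires their interfaces to carry both VLANs too.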

Procedure
You can perform the following operations in any sequence based on the site requirements:


Configuring Non-Fast Roaming Between APs in Different Service VLANs


Procedure
Step 1 Configure non-fast roaming.
Any of the following security policies can be configured for an AP (for details on how to
configure a security policy, see Configuring WLAN Security Policies):
l WEP open system authentication
l WEP shared key authentication
l WPA/WPA2-PSK
l WPA-802.1X
l WPA2-802.1X (when the STAs do not support fast roaming)
After basic service configurations are complete, the STAs can implement non-fast roaming.
NOTE

l If the tunnel forwarding mode is used, configure the WLAN-ESS interface and the uplink interface to allow
packets from the service VLANs to pass through.
l If the direct forwarding mode is used, configure the interfaces of the switch (if any) between the APs and AC
and the AC interfaces (including the uplink, downlink, XGE0/0/1, XGE0/0/27, and WLAN-ESS interfaces) to
allow packets from the service VLANs to pass through.
l In direct forwarding mode, the ARP entries on the access devices connected to the APs are not updated after
a user roams, which causes a temporary service interruption. To prevent this problem, enable DHCP snooping
in the service set view on the AC. The AP can then send gratuitous ARP packets to the access devices to
update their ARP entries in a timely manner, ensuring nonstop service during roaming.

Step 2 (Optional) Configure key negotiation between a STA and an AP.


If a STA uses the WPA/WPA2 security policy, it must perform key negotiation again during
roaming, by default with the AC. If the STA performs key negotiation with the AP instead, the
roaming switchover time is reduced and fast roaming can be implemented.
1. Run:
system-view
The system view is displayed.
2. Run:
wlan
The WLAN view is displayed.
3. Run:
ap-profile { id profile-id | name profile-name }
The AP profile view is displayed.
4. Run:
4-way-handshake ap
A STA that uses the WPA/WPA2 security policy is configured to perform key negotiation
with the AP during roaming.
By default, a STA that uses the WPA/WPA2 security policy performs key negotiation with
the AC during roaming.
5. Run:
quit
Exit from the AP profile view.
6. Run:
ap id ap-id
The AP view is displayed.
7. Run:
profile-id profile-id
The AP is bound to the AP profile.
By default, an AP is bound to the AP profile ap-profile-0.
8. Run:
quit
Exit from the AP view.
9. Run:
commit { all | ap ap-id }
The configuration is submitted to the AP.

----End

Configuring Fast Roaming Between APs in Different Service VLANs


Procedure
Step 1 Configure fast roaming.
Before configuring fast roaming, ensure that STAs support fast roaming technology and the
security policy configured for each AP involved in roaming is WPA2-802.1X. After basic
service configurations are complete, the STAs can implement fast roaming.
NOTE

l If the tunnel forwarding mode is used, configure the WLAN-ESS interface and the uplink interface to allow
packets from the service VLANs to pass through.
l If the direct forwarding mode is used, configure the interfaces of the switch (if any) between the APs and AC
and the AC interfaces (including the uplink, downlink, XGE0/0/1, XGE0/0/27, and WLAN-ESS interfaces) to
allow packets from the service VLANs to pass through.
l In direct forwarding mode, the ARP entries on the access devices connected to the APs are not updated after
a user roams, which causes a temporary service interruption. To prevent this problem, enable DHCP snooping
in the service set view on the AC. The AP can then send gratuitous ARP packets to the access devices to
update their ARP entries in a timely manner, ensuring nonstop service during roaming.

Step 2 (Optional) Configure key negotiation between a STA and an AP.


If a STA uses the WPA/WPA2 security policy, it must perform key negotiation again during
roaming, by default with the AC. If the STA performs key negotiation with the AP instead, the
roaming switchover time is reduced and fast roaming can be implemented.
1. Run:
system-view
The system view is displayed.
2. Run:
wlan
The WLAN view is displayed.
3. Run:
ap-profile { id profile-id | name profile-name }
The AP profile view is displayed.
4. Run:
4-way-handshake ap
A STA that uses the WPA/WPA2 security policy is configured to perform key negotiation
with the AP during roaming.
By default, a STA that uses the WPA/WPA2 security policy performs key negotiation with
the AC during roaming.
5. Run:
quit
Exit from the AP profile view.
6. Run:
ap id ap-id
The AP view is displayed.
7. Run:
profile-id profile-id
The AP is bound to the AP profile.
By default, an AP is bound to the AP profile ap-profile-0.
8. Run:
quit
Exit from the AP view.
9. Run:
commit { all | ap ap-id }
The configuration is submitted to the AP.

----End
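The "key negotiation" that Step 2 of 12.6.3 and 12.6.4 moves from the AC to the AP is, for WPA/WPA2, the 4-way handshake: it derives a fresh pairwise transient key (PTK) from the PMK, the two MAC addresses and two nonces on every association, which is why a roam to a new AP always costs a new handshake even though the PMK is unchanged. The following Python code is an added example for this page, not Huawei's code or the AC6605 implementation: it implements the IEEE 802.11i PRF-384 key expansion and the HMAC-SHA1-128 key MIC used with CCMP (key descriptor version 2), derives the STA's PTK at AP1 and again after roaming to AP2 (using the AP MAC addresses from the 12.6.5 example; the PMK, STA MAC and nonces are constructed), and verifies the MIC of handshake message 2. Which device runs this computation (AP or AC) is the Huawei-specific choice the 4-way-handshake command controls; the arithmetic is the same either way.

```python
"""WPA2 4-way handshake key derivation, repeated on every roam.

Added example for this page, not Huawei's code. The PMK, STA MAC and nonces are
constructed; the two AP MAC addresses are those used in the 12.6.5 example.
"""
import hashlib
import hmac

PTK_LABEL = b"Pairwise key expansion"
MIC_OFFSET = 81   # EAPOL header (4) + descriptor type, key info, key length,
                  # replay counter, nonce, IV, RSC and key ID fields (77)


def prf(key, prefix, data, nbits):
    """IEEE 802.11i PRF-n: concatenated HMAC-SHA1(key, prefix || 0x00 || data || i) blocks."""
    out = b""
    for i in range((nbits + 159) // 160):
        out += hmac.new(key, prefix + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
    return out[: nbits // 8]


def derive_ptk(pmk, aa, spa, anonce, snonce):
    """PTK for CCMP (PRF-384) split into KCK, KEK and TK (16 bytes each).

    aa/spa are the authenticator (AP) and supplicant (STA) MACs; the min/max
    ordering makes the result independent of which side calls this first.
    """
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    ptk = prf(pmk, PTK_LABEL, data, 384)
    return {"kck": ptk[:16], "kek": ptk[16:32], "tk": ptk[32:48]}


def eapol_mic(kck, frame):
    """Key MIC for key descriptor version 2 (AES-CCMP): HMAC-SHA1 truncated to 128 bits."""
    return hmac.new(kck, frame, hashlib.sha1).digest()[:16]


def build_msg2(kck, snonce, replay_counter):
    """Build handshake message 2 (STA -> AP) with an empty key-data field and a valid MIC."""
    body = (b"\x02"                                    # descriptor type: RSN key
            + b"\x01\x0a"                              # key info: version 2, pairwise, MIC present
            + b"\x00\x00"                              # key length (0 in message 2)
            + replay_counter.to_bytes(8, "big")
            + snonce                                   # 32-byte SNonce
            + b"\x00" * 16 + b"\x00" * 8 + b"\x00" * 8 # key IV, key RSC, key ID
            + b"\x00" * 16                             # MIC field, zero while it is computed
            + b"\x00\x00")                             # key data length (RSN IE omitted here)
    frame = b"\x02\x03" + len(body).to_bytes(2, "big") + body   # EAPOL v2, type 3 = EAPOL-Key
    return frame[:MIC_OFFSET] + eapol_mic(kck, frame) + frame[MIC_OFFSET + 16:]


def verify_msg2(kck, frame):
    """Recompute the MIC over the frame with the MIC field zeroed; compare in constant time."""
    zeroed = frame[:MIC_OFFSET] + b"\x00" * 16 + frame[MIC_OFFSET + 16:]
    return hmac.compare_digest(eapol_mic(kck, zeroed), frame[MIC_OFFSET:MIC_OFFSET + 16])


def roam_demo():
    """Derive the STA's PTK at AP1, then after roaming to AP2 with the same PMK; check a message 2."""
    pmk = hashlib.sha256(b"constructed PMK for the example").digest()   # 32 bytes, constructed
    sta = bytes.fromhex("d85d4c010203")                                 # constructed STA MAC
    ap1 = bytes.fromhex("00464b591ee0")                                 # AP1 MAC from 12.6.5
    ap2 = bytes.fromhex("00464b591d20")                                 # AP2 MAC from 12.6.5
    snonce = hashlib.sha256(b"constructed SNonce").digest()             # kept constant to show
    anonce1 = hashlib.sha256(b"constructed ANonce from AP1").digest()   # that the AP-side inputs
    anonce2 = hashlib.sha256(b"constructed ANonce from AP2").digest()   # alone change the key

    ptk1 = derive_ptk(pmk, ap1, sta, anonce1, snonce)   # first association
    ptk2 = derive_ptk(pmk, ap2, sta, anonce2, snonce)   # after roaming: same PMK, new AA and ANonce

    msg2 = build_msg2(ptk1["kck"], snonce, replay_counter=1)
    tampered = msg2[:17] + bytes([msg2[17] ^ 0x01]) + msg2[18:]   # flip one bit inside the SNonce
    return {
        "ptk_ap1": ptk1,
        "ptk_ap2": ptk2,
        "ptk_changed_on_roam": ptk1 != ptk2,
        "msg2_ok": verify_msg2(ptk1["kck"], msg2),
        "tampered_ok": verify_msg2(ptk1["kck"], tampered),
    }


if __name__ == "__main__":
    r = roam_demo()
    print("TK at AP1:", r["ptk_ap1"]["tk"].hex())
    print("TK at AP2:", r["ptk_ap2"]["tk"].hex())
    print("message 2 MIC valid:", r["msg2_ok"], "after tampering:", r["tampered_ok"])
```

Because the authenticator MAC and ANonce enter the PRF, the temporal key derived at AP1 is useless at AP2; that is the cost non-fast roaming pays on every handover, and what the fast-roaming procedure (WPA2-802.1X only) and the choice of negotiating at the AP rather than the AC try to shorten.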

Checking the Configuration


Procedure
l Run the display ap-profile { id profile-id | name profile-name } command to check the
object with which a STA using the WPA/WPA2 security policy performs key negotiation
during roaming.
l Run the display station roam-track sta sta-mac command to check the STA roaming
track.
l Run the display station assoc-info sta mac-address command to check the access
information about the specified STA and check whether the AP connected to the STA
changes.

----End

12.6.5 Configuration Examples


This section describes examples of WLAN roaming configuration, including networking
requirements, configuration roadmap, and configuration procedure.


Example for Configuring Non-Fast Roaming Between APs in the Same Service VLAN
Networking Requirements
As shown in Figure 12-45, a department in a campus network deploys two APs that are managed
and controlled by an AC. The AC dynamically assigns IP addresses to the APs and STAs. All
users in the department belong to the same VLAN, that is, AP1 and AP2 use the same service
VLAN. The default security policy (WEP open system authentication) is used. User data is
forwarded through tunnels.
The department requires that services should not be interrupted when a STA moves from AP1
to AP2.
Figure 12-45 Networking diagram for configuring non-fast roaming between APs in the same
service VLAN (the AC's uplink GE0/0/3 carries VLAN101 towards the Internet; AP1 and AP2
connect to GE0/0/1 and GE0/0/2 in VLAN100; both APs use SSID test, AP1 on channel 1 and
AP2 on channel 6; the STA roams from AP1 to AP2. Management VLAN: VLAN100. Service
VLAN: VLAN101. AP region ID: 10)
Configuration Roadmap
The configuration roadmap is as follows:
1. The default security policy is used and access authentication is not required, which shortens
the roaming switchover time. Configure non-fast roaming between APs in the same service
VLAN to ensure nonstop service transmission during roaming.
2. Configure parameters used for communication between the AC and APs to transmit
CAPWAP packets.
3. Configure the AC to function as a DHCP server to assign IP addresses to the STAs and
APs.
4. Configure basic WLAN services to enable the STAs to connect to the WLAN.
NOTE

The AC6605 has a wired side and a wireless side. XGE0/0/27 connects the wired side to the wireless side,
and XGE0/0/1 connects the wireless side to the wired side. For details about the login modes on the wired
side and wireless side, see 11.1 Configuring User Login.

Procedure
Step 1 Configure the AC wired side and wireless side so that the APs and AC can transmit CAPWAP
packets.
# Configure the AC wired side: add wired-side interfaces GE0/0/1 and GE0/0/2 to management
VLAN 100, and add XGE0/0/27 that connects the wired side to the wireless side to the same
VLAN.
NOTE

In this example, tunnel forwarding is used. If direct forwarding is used, configure port isolation on GE0/0/1 and
GE0/0/2, which connect the AC wired side to the APs. Without port isolation, broadcast packets are flooded
between the APs in the VLAN, and WLAN users on different APs can communicate directly at Layer 2.
<Quidway> system-view
[Quidway] sysname AC-LSW
[AC-LSW] vlan batch 100
[AC-LSW] interface gigabitethernet 0/0/1
[AC-LSW-GigabitEthernet0/0/1] port link-type trunk
[AC-LSW-GigabitEthernet0/0/1] port trunk pvid vlan 100
[AC-LSW-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[AC-LSW-GigabitEthernet0/0/1] quit
[AC-LSW] interface gigabitethernet 0/0/2
[AC-LSW-GigabitEthernet0/0/2] port link-type trunk
[AC-LSW-GigabitEthernet0/0/2] port trunk pvid vlan 100
[AC-LSW-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[AC-LSW-GigabitEthernet0/0/2] quit
[AC-LSW] interface xgigabitethernet 0/0/27
[AC-LSW-XGigabitEthernet0/0/27] port link-type trunk
[AC-LSW-XGigabitEthernet0/0/27] port trunk allow-pass vlan 100
[AC-LSW-XGigabitEthernet0/0/27] quit

# Add XGE0/0/1 that connects the AC wireless side to the wired side to VLAN 100.
<Quidway> system-view
[Quidway] sysname AC
[AC] vlan batch 100
[AC] interface xgigabitethernet 0/0/1
[AC-XGigabitEthernet0/0/1] port link-type trunk
[AC-XGigabitEthernet0/0/1] port trunk allow-pass vlan 100
[AC-XGigabitEthernet0/0/1] quit

Step 2 Configure the AC to communicate with the upstream device.


# Add XGE0/0/1 that connects the AC wireless side to the wired side to service VLAN 101.
[AC] vlan batch 101
[AC] interface xgigabitethernet 0/0/1
[AC-XGigabitEthernet0/0/1] port link-type trunk
[AC-XGigabitEthernet0/0/1] port trunk allow-pass vlan 101
[AC-XGigabitEthernet0/0/1] quit

# Add XGE0/0/27 that connects the AC wired side to the wireless side and AC uplink interface
GE0/0/3 to VLAN 101.
[AC-LSW] vlan batch 101
[AC-LSW] interface xgigabitethernet 0/0/27
[AC-LSW-XGigabitEthernet0/0/27] port link-type trunk
[AC-LSW-XGigabitEthernet0/0/27] port trunk allow-pass vlan 101
[AC-LSW-XGigabitEthernet0/0/27] quit
[AC-LSW] interface gigabitethernet 0/0/3
[AC-LSW-GigabitEthernet0/0/3] port link-type trunk
[AC-LSW-GigabitEthernet0/0/3] port trunk allow-pass vlan 101
[AC-LSW-GigabitEthernet0/0/3] quit

Step 3 Configure the AC as a DHCP server to allocate IP addresses to STAs and APs.
# Configure a DHCP server to assign IP addresses to the APs from the IP address pool on
VLANIF 100 and assign IP addresses to STAs from the IP address pool on VLANIF 101.
[AC] dhcp enable
[AC] interface vlanif 100
[AC-Vlanif100] ip address 192.168.10.1 24
[AC-Vlanif100] dhcp select interface
[AC-Vlanif100] quit
[AC] interface vlanif 101
[AC-Vlanif101] ip address 192.168.11.1 24
[AC-Vlanif101] dhcp select interface
[AC-Vlanif101] quit

Step 4 Configure AC system parameters.


# Configure the country code.
[AC] wlan ac-global country-code cn

# Configure the AC ID and carrier ID.


[AC] wlan ac-global ac id 1 carrier id other

# Configure the source interface.


[AC] wlan
[AC-wlan-view] wlan ac source interface vlanif 100

Step 5 Manage APs on the AC.
# Check the AP type IDs after obtaining the MAC addresses of the APs.
[AC-wlan-view] display ap-type all
All AP types information:
------------------------------------------------------------------------------
ID     Type
------------------------------------------------------------------------------
0      WA601
1      WA631
6      WA603SN
7      WA603DN
8      WA633SN
11     WA603DE
12     WA653DE
14     WA653SN
17     AP6010SN-GN
19     AP6010DN-AGN
21     AP6310SN-GN
23     AP6510DN-AGN
25     AP6610DN-AGN
27     AP7110SN-GN
28     AP7110DN-AGN
29     AP5010SN-GN
30     AP5010DN-AGN
31     AP3010DN-AGN
33     AP6510DN-AGN-US
34     AP6610DN-AGN-US
------------------------------------------------------------------------------
Total number: 20

# Add the APs offline based on the AP type ID. Assume that the type of AP1 and AP2 is
AP6010DN-AGN, and their MAC addresses are 0046-4b59-1ee0 and 0046-4b59-1d20
respectively.
[AC-wlan-view] ap-auth-mode mac-auth
[AC-wlan-view] ap id 1 type-id 19 mac 0046-4b59-1ee0
[AC-wlan-ap-1] quit
[AC-wlan-view] ap id 2 type-id 19 mac 0046-4b59-1d20
[AC-wlan-ap-2] quit

NOTE

The default AP authentication mode is MAC address authentication. If the default settings are retained, you do
not need to run the ap-auth-mode mac-auth command.

# Configure an AP region and add the APs to the AP region.


[AC-wlan-view] ap-region id 10
[AC-wlan-ap-region-10] quit
[AC-wlan-view] ap id 1
[AC-wlan-ap-1] region-id 10
[AC-wlan-ap-1] quit
[AC-wlan-view] ap id 2
[AC-wlan-ap-2] region-id 10
[AC-wlan-ap-2] quit

# After powering on AP1 and AP2, run the display ap all command on the AC to check the AP
running status. The command output shows that the AP status is normal.
[AC-wlan-view] display ap all
All AP information(Normal-2,UnNormal-0):
------------------------------------------------------------------------------
AP    AP             AP               Profile    AP       AP
ID    Type           MAC              /Region    State    Sysname
                                      ID
------------------------------------------------------------------------------
1     AP6010DN-AGN   0046-4b59-1ee0   0/10       normal   ap-1
2     AP6010DN-AGN   0046-4b59-1d20   0/10       normal   ap-2
------------------------------------------------------------------------------
Total number: 2

Step 6 Configure WLAN service parameters.


# Create a WMM profile named wmm and retain the default settings in the profile.
[AC-wlan-view] wmm-profile name wmm id 1
[AC-wlan-wmm-prof-wmm] quit

# Create a radio profile named radio and bind the WMM profile wmm to the radio profile.
[AC-wlan-view] radio-profile name radio id 1
[AC-wlan-radio-prof-radio] channel-mode fixed
[AC-wlan-radio-prof-radio] wmm-profile name wmm
[AC-wlan-radio-prof-radio] quit
[AC-wlan-view] quit

# Create WLAN-ESS interface 1.
NOTE

To enable the AC to allocate IP addresses to STAs, run the dhcp enable command on the WLAN-ESS
interface to enable DHCP on the AC.
[AC] interface wlan-ess 1
[AC-WLAN-ESS1] dhcp enable
[AC-WLAN-ESS1] port link-type hybrid
[AC-WLAN-ESS1] port hybrid pvid vlan 101
[AC-WLAN-ESS1] port hybrid untagged vlan 101
[AC-WLAN-ESS1] quit

# Create a security profile named security and retain the default settings: open system
authentication and no encryption.
[AC] wlan
[AC-wlan-view] security-profile name security id 1
[AC-wlan-sec-prof-security] quit

# Create a traffic profile named traffic and retain the default settings in the profile.
[AC-wlan-view] traffic-profile name traffic id 1
[AC-wlan-traffic-prof-traffic] quit

# Create a service set named test and bind the WLAN-ESS interface, security profile, and traffic
profile to the service set.
[AC-wlan-view] service-set name test id 1
[AC-wlan-service-set-test] ssid test
[AC-wlan-service-set-test] wlan-ess 1
[AC-wlan-service-set-test] security-profile name security
[AC-wlan-service-set-test] traffic-profile name traffic
[AC-wlan-service-set-test] service-vlan 101
[AC-wlan-service-set-test] forward-mode tunnel
[AC-wlan-service-set-test] quit

# Configure VAPs.
[AC-wlan-view] ap 1 radio 0
[AC-wlan-radio-1/0] radio-profile name radio
Warning: Modify the Radio type may cause some parameters of Radio resume defaul
t value, are you sure to continue?[Y/N]:y
[AC-wlan-radio-1/0] channel 20mhz 1
[AC-wlan-radio-1/0] service-set name test
[AC-wlan-radio-1/0] quit
[AC-wlan-view] ap 2 radio 0
[AC-wlan-radio-2/0] radio-profile name radio
Warning: Modify the Radio type may cause some parameters of Radio resume defaul
t value, are you sure to continue?[Y/N]:y
[AC-wlan-radio-2/0] channel 20mhz 6
[AC-wlan-radio-2/0] service-set name test
[AC-wlan-radio-2/0] quit

# Commit the configuration.
[AC-wlan-view] commit ap 1
Warning: Committing configuration may cause service interruption,continue?[Y/N]y
[AC-wlan-view] commit ap 2
Warning: Committing configuration may cause service interruption,continue?[Y/N]y

Step 7 Verify the configuration.


After the configuration is complete, the STA can connect to the WLAN with the SSID test in
the coverage area of AP1.

Assume that the STA MAC address is 0025-86aa-0d1c. When the STA connects to the WLAN
with the SSID test in the coverage area of AP1, run the display station assoc-info sta
0025-86aa-0d1c command on the AC to check the STA access information.
<Quidway> display station assoc-info sta 0025-86aa-0d1c
------------------------------------------------------------------------------
STA MAC          AP-ID   RADIO-ID   SS-ID   SSID
------------------------------------------------------------------------------
0025-86aa-0d1c   1       0          1       test
------------------------------------------------------------------------------
Total stations: 1

When the STA moves from the coverage of AP1 to AP2, run the display station assoc-info sta
0025-86aa-0d1c command on the AC to check the STA access information. The STA is
associated with AP2.
<Quidway> display station assoc-info sta 0025-86aa-0d1c
------------------------------------------------------------------------------
STA MAC          AP-ID   RADIO-ID   SS-ID   SSID
------------------------------------------------------------------------------
0025-86aa-0d1c   2       0          1       test
------------------------------------------------------------------------------
Total stations: 1

Run the display station roam-track sta 0025-86aa-0d1c command on the AC to check the
STA roaming track.
<Quidway> display station roam-track sta 0025-86aa-0d1c
------------------------------------------------------------------------------
AP ID   Radio ID   BSSID            TIME
------------------------------------------------------------------------------
1       0          8200-0001-0080   2012/12/23 14:40:37
2       0          60de-4476-e360   2012/12/23 14:40:39
------------------------------------------------------------------------------
Number of roam track: 1

----End

Configuration Files
l Configuration file of the AC wired side


#
sysname AC-LSW
#
vlan batch 100 to 101
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk allow-pass vlan 101
#
interface XGigabitEthernet0/0/27
port link-type trunk
port trunk allow-pass vlan 100 to 101
#
return

l Configuration file of the AC wireless side


#
sysname AC
#
vlan batch 100 to 101
#
dhcp enable
#
wlan ac-global carrier id other ac id 1
#
interface Vlanif100
ip address 192.168.10.1 255.255.255.0
dhcp select interface
#
interface Vlanif101
ip address 192.168.11.1 255.255.255.0
dhcp select interface
#
interface XGigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100 to 101
#
interface Wlan-Ess1
port hybrid pvid vlan 101
port hybrid untagged vlan 101
dhcp enable
#
wlan
wlan ac source interface vlanif100
ap-region id 10
ap id 1 type-id 19 mac 0025-c401-9ae0 sn 190901007618
region-id 10
ap id 2 type-id 19 mac 0025-c401-9ae1 sn 190901007619
region-id 10
wmm-profile name wmm id 1
traffic-profile name traffic id 1
security-profile name security id 1
service-set name test id 1
forward-mode tunnel
wlan-ess 1
ssid test
traffic-profile id 1
security-profile id 1
service-vlan 101
radio-profile name radio id 1
channel-mode fixed
wmm-profile id 1
ap 1 radio 0
radio-profile id 1
channel 20MHz 1
service-set id 1 wlan 1
ap 2 radio 0
radio-profile id 1
channel 20MHz 6
service-set id 1 wlan 1
#
return

Example for Configuring Fast Roaming Between APs in the Same Service VLAN
Networking Requirements
As shown in Figure 12-46, a department in a campus network deploys two APs that are managed
and controlled by an AC. The AC dynamically assigns IP addresses to the APs and STAs. All
users in the department belong to the same VLAN, that is, AP1 and AP2 use the same service
VLAN. The security policy WPA2-802.1X is used. User data is forwarded through tunnels.
The department requires that services should not be interrupted when a STA moves from AP1
to AP2.

Figure 12-46 Networking diagram for configuring fast roaming between APs in the same service VLAN
[Figure: the AC uplinks to the Internet through GE0/0/3 (VLAN101) and reaches the RADIUS server 192.168.0.2/24 through GE0/0/4 (VLAN102); AP1 (SSID: test, Channel 1) connects to GE0/0/1 (VLAN100) and AP2 (SSID: test, Channel 6) to GE0/0/2 (VLAN100); a STA roams from AP1 to AP2. Management VLAN: VLAN100; Service VLAN: VLAN 101; AP region ID: 10]
Configuration Roadmap
The configuration roadmap is as follows:
1. The security policy WPA2-802.1X is used and access authentication is required, which results in longer roaming switchover time. Configure fast roaming between APs in the same service VLAN to ensure nonstop service transmission during roaming.
2. Configure parameters used for communication between the AC and APs to transmit CAPWAP packets.
3. Configure the AC to function as a DHCP server to assign IP addresses to the STAs and APs.
4. Configure basic WLAN services to enable the STAs to connect to the WLAN.
5. Configure key negotiation between STAs and APs to shorten the roaming switchover time.
NOTE

The AC6605 has the wired side and wireless side. XGE0/0/27 connects the wired side to the wireless side and XGE0/0/1 connects the wireless side to the wired side. For details about the login modes on the wired side and wireless side, see 11.1 Configuring User Login.

Procedure
Step 1 Configure the AC wired side and wireless side so that the APs and AC can transmit CAPWAP
packets.

# Configure the AC wired side: add wired-side interfaces GE0/0/1 and GE0/0/2 to management
VLAN 100, and add XGE0/0/27 that connects the wired side to the wireless side to the same
VLAN.
NOTE

In this example, tunnel forwarding is used. If direct forwarding is used, configure port isolation on GE0/0/1 and
GE0/0/2 that connect the AC wired side to the APs. If port isolation is not configured, many broadcast packets
will be transmitted in the VLANs or WLAN users on different APs can directly communicate at Layer 2.
<Quidway> system-view
[Quidway] sysname AC-LSW
[AC-LSW] vlan batch 100
[AC-LSW] interface gigabitethernet 0/0/1
[AC-LSW-GigabitEthernet0/0/1] port link-type trunk
[AC-LSW-GigabitEthernet0/0/1] port trunk pvid vlan 100
[AC-LSW-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[AC-LSW-GigabitEthernet0/0/1] quit
[AC-LSW] interface gigabitethernet 0/0/2
[AC-LSW-GigabitEthernet0/0/2] port link-type trunk
[AC-LSW-GigabitEthernet0/0/2] port trunk pvid vlan 100
[AC-LSW-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[AC-LSW-GigabitEthernet0/0/2] quit
[AC-LSW] interface xgigabitethernet 0/0/27
[AC-LSW-XGigabitEthernet0/0/27] port link-type trunk
[AC-LSW-XGigabitEthernet0/0/27] port trunk allow-pass vlan 100
[AC-LSW-XGigabitEthernet0/0/27] quit

# Add XGE0/0/1 that connects the AC wireless side to the wired side to VLAN 100.
<Quidway> system-view
[Quidway] sysname AC
[AC] vlan batch 100
[AC] interface xgigabitethernet 0/0/1
[AC-XGigabitEthernet0/0/1] port link-type trunk
[AC-XGigabitEthernet0/0/1] port trunk allow-pass vlan 100
[AC-XGigabitEthernet0/0/1] quit

Step 2 Configure the AC to communicate with the upstream device.


# Add XGE0/0/1 that connects the AC wireless side to the wired side to service VLAN 101.
[AC] vlan batch 101
[AC] interface xgigabitethernet 0/0/1
[AC-XGigabitEthernet0/0/1] port link-type trunk
[AC-XGigabitEthernet0/0/1] port trunk allow-pass vlan 101
[AC-XGigabitEthernet0/0/1] quit

# Add XGE0/0/27 that connects the AC wired side to the wireless side and AC uplink interface
GE0/0/3 to VLAN 101 and add GE0/0/4 of the AC wired side connecting to the RADIUS server
to VLAN 102.
[AC-LSW] vlan batch 101 102
[AC-LSW] interface xgigabitethernet 0/0/27
[AC-LSW-XGigabitEthernet0/0/27] port link-type trunk
[AC-LSW-XGigabitEthernet0/0/27] port trunk allow-pass vlan 101
[AC-LSW-XGigabitEthernet0/0/27] quit
[AC-LSW] interface gigabitethernet 0/0/3
[AC-LSW-GigabitEthernet0/0/3] port link-type trunk
[AC-LSW-GigabitEthernet0/0/3] port trunk allow-pass vlan 101
[AC-LSW-GigabitEthernet0/0/3] quit
[AC-LSW] interface gigabitethernet 0/0/4
[AC-LSW-GigabitEthernet0/0/4] port link-type trunk
[AC-LSW-GigabitEthernet0/0/4] port trunk pvid vlan 102
[AC-LSW-GigabitEthernet0/0/4] port trunk allow-pass vlan 102
[AC-LSW-GigabitEthernet0/0/4] quit

Step 3 Configure the AC as a DHCP server to allocate IP addresses to STAs and APs.

# Configure a DHCP server to assign IP addresses to the APs from the IP address pool on
VLANIF 100 and assign IP addresses to STAs from the IP address pool on VLANIF 101.
[AC] dhcp enable
[AC] interface vlanif 100
[AC-Vlanif100] ip address 192.168.10.1 24
[AC-Vlanif100] dhcp select interface
[AC-Vlanif100] quit
[AC] interface vlanif 101
[AC-Vlanif101] ip address 192.168.11.1 24
[AC-Vlanif101] dhcp select interface
[AC-Vlanif101] quit

# Configure VLANIF 102.


[AC] interface vlanif 102
[AC-Vlanif102] ip address 192.168.0.1 24
[AC-Vlanif102] quit

Step 4 Configure an AAA domain to which a RADIUS server template is applied.
1. Configure a RADIUS server template, an AAA authentication scheme, and domain information.
NOTE

Ensure that the AC and RADIUS server have the same shared key.
[AC] dot1x enable
[AC] radius-server template radius_huawei
[AC-radius-radius_huawei] radius-server authentication 192.168.0.2 1812
[AC-radius-radius_huawei] radius-server shared-key simple huawei
[AC-radius-radius_huawei] quit
[AC] aaa
[AC-aaa] authentication-scheme radius_huawei
[AC-aaa-authen-radius_huawei] authentication-mode radius
[AC-aaa-authen-radius_huawei] quit
[AC-aaa] domain huawei.com
[AC-aaa-domain-huawei.com] authentication-scheme radius_huawei
[AC-aaa-domain-huawei.com] radius-server radius_huawei
[AC-aaa-domain-huawei.com] quit
[AC-aaa] quit
NOTE

After domain huawei.com is configured, the domain name is added to the authentication user name.

2. Test whether a STA can be authenticated using RADIUS authentication. A user name test@huawei.com and password 123456 have been configured on the RADIUS server.
[AC] test-aaa test@huawei.com 123456 radius-template radius_huawei
Info: Account test succeed.

Step 5 Configure AC system parameters.
# Configure the country code.
[AC] wlan ac-global country-code cn

# Configure the AC ID and carrier ID.
[AC] wlan ac-global ac id 1 carrier id other

# Configure the source interface.
[AC] wlan
[AC-wlan-view] wlan ac source interface vlanif 100

Step 6 Manage APs on the AC.


# Check the AP type IDs after obtaining the MAC addresses of the APs.
[AC-wlan-view] display ap-type all
All AP types information:
------------------------------------------------------------------------------
ID     Type
------------------------------------------------------------------------------
0      WA601
1      WA631
6      WA603SN
7      WA603DN
8      WA633SN
11     WA603DE
12     WA653DE
14     WA653SN
17     AP6010SN-GN
19     AP6010DN-AGN
21     AP6310SN-GN
23     AP6510DN-AGN
25     AP6610DN-AGN
27     AP7110SN-GN
28     AP7110DN-AGN
29     AP5010SN-GN
30     AP5010DN-AGN
31     AP3010DN-AGN
33     AP6510DN-AGN-US
34     AP6610DN-AGN-US
------------------------------------------------------------------------------
Total number: 20

# Add the APs offline based on the AP type ID. Assume that the type of AP1 and AP2 is
AP6010DN-AGN, and their MAC addresses are 0046-4b59-1ee0 and 0046-4b59-1d20
respectively.
[AC-wlan-view] ap-auth-mode mac-auth
[AC-wlan-view] ap id 1 type-id 19 mac 0046-4b59-1ee0
[AC-wlan-ap-1] quit
[AC-wlan-view] ap id 2 type-id 19 mac 0046-4b59-1d20
[AC-wlan-ap-2] quit

NOTE

The default AP authentication mode is MAC address authentication. If the default settings are retained, you do
not need to run the ap-auth-mode mac-auth command.

# Configure an AP region and add the APs to the AP region.


[AC-wlan-view] ap-region id 10
[AC-wlan-ap-region-10] quit
[AC-wlan-view] ap id 1
[AC-wlan-ap-1] region-id 10
[AC-wlan-ap-1] quit
[AC-wlan-view] ap id 2
[AC-wlan-ap-2] region-id 10
[AC-wlan-ap-2] quit

# After powering on AP1 and AP2, run the display ap all command on the AC to check the AP
running status. The command output shows that the AP status is normal.
[AC-wlan-view] display ap all
All AP information(Normal-2,UnNormal-0):
------------------------------------------------------------------------------
AP    AP             AP               Profile    AP       AP
ID    Type           MAC              /Region    State    Sysname
                                      ID
------------------------------------------------------------------------------
1     AP6010DN-AGN   0046-4b59-1ee0   0/10       normal   ap-1
2     AP6010DN-AGN   0046-4b59-1d20   0/10       normal   ap-2
------------------------------------------------------------------------------
Total number: 2

Step 7 Configure WLAN service parameters.


# Create an AP profile named huawei and configure key negotiation between the STA and AP.
[AC-wlan-view] ap-profile name huawei id 1
[AC-wlan-ap-prof-huawei] 4-way-handshake roam-policy ap
[AC-wlan-ap-prof-huawei] quit
[AC-wlan-view] ap id 1
[AC-wlan-ap-1] profile-id 1
[AC-wlan-ap-1] quit
[AC-wlan-view] ap id 2
[AC-wlan-ap-2] profile-id 1
[AC-wlan-ap-2] quit

# Create a WMM profile named wmm and retain the default parameter settings.
[AC-wlan-view] wmm-profile name wmm id 1
[AC-wlan-wmm-prof-wmm] quit

# Create a radio profile named radio and bind the WMM profile wmm to the radio profile.
[AC-wlan-view] radio-profile name radio id 1
[AC-wlan-radio-prof-radio] channel-mode fixed
[AC-wlan-radio-prof-radio] wmm-profile name wmm
[AC-wlan-radio-prof-radio] quit
[AC-wlan-view] quit

# Create WLAN-ESS interface 1.


NOTE

When the AC is configured to assign IP addresses to STAs, run the dhcp enable command to enable the
DHCP function on the WLAN-ESS interface.
[AC] interface wlan-ess 1
[AC-Wlan-Ess1] dhcp enable
[AC-Wlan-Ess1] port link-type hybrid
[AC-Wlan-Ess1] port hybrid untagged vlan 101
[AC-Wlan-Ess1] dot1x-authentication enable
[AC-Wlan-Ess1] dot1x authentication-method eap
[AC-Wlan-Ess1] force-domain huawei.com
[AC-Wlan-Ess1] permit-domain huawei.com
[AC-Wlan-Ess1] quit

# Create a security profile named security and configure the security policy to WPA2-802.1X.
[AC] wlan
[AC-wlan-view] security-profile name security id 1
[AC-wlan-sec-prof-security] security-policy wpa2
[AC-wlan-sec-prof-security] wpa2 authentication-method dot1x peap encryption-method ccmp
[AC-wlan-sec-prof-security] quit

# Create a traffic profile named traffic and retain the default parameter settings.
[AC-wlan-view] traffic-profile name traffic id 1
[AC-wlan-traffic-prof-traffic] quit

# Create a service set named test and bind the WLAN-ESS interface, security profile, and traffic
profile to the service set.
[AC-wlan-view] service-set name test id 1
[AC-wlan-service-set-test] ssid test
[AC-wlan-service-set-test] wlan-ess 1
[AC-wlan-service-set-test] security-profile name security
[AC-wlan-service-set-test] traffic-profile name traffic
[AC-wlan-service-set-test] service-vlan 101
[AC-wlan-service-set-test] forward-mode tunnel
[AC-wlan-service-set-test] quit

# Configure VAPs.
[AC-wlan-view] ap 1 radio 0
[AC-wlan-radio-1/0] radio-profile name radio
Warning: Modify the Radio type may cause some parameters of Radio resume defaul
t value, are you sure to continue?[Y/N]:y
[AC-wlan-radio-1/0] channel 20mhz 1
[AC-wlan-radio-1/0] service-set name test
[AC-wlan-radio-1/0] quit
[AC-wlan-view] ap 2 radio 0
[AC-wlan-radio-2/0] radio-profile name radio
Warning: Modify the Radio type may cause some parameters of Radio resume defaul
t value, are you sure to continue?[Y/N]:y
[AC-wlan-radio-2/0] channel 20mhz 6
[AC-wlan-radio-2/0] service-set name test
[AC-wlan-radio-2/0] quit

# Commit the configuration.
[AC-wlan-view] commit ap 1
Warning: Committing configuration may cause service interruption,continue?[Y/N]y
[AC-wlan-view] commit ap 2
Warning: Committing configuration may cause service interruption,continue?[Y/N]y

Step 8 Verify the configuration.


After the configuration is complete, the STA can discover the WLAN with the SSID test in the
coverage area of AP1. Use 802.1X authentication on the STA and enter the user name and
password. If the authentication succeeds, the STA can connect to the Internet. Configure the
STA according to the configured authentication mode PEAP.
l Configuration on the Windows XP operating system:
1. On the Association tab page of the Wireless network properties dialog box, add SSID test, set the authentication mode to WPA2, encryption mode to CCMP, and encryption algorithm to AES.
2. On the Authentication tab page, set EAP type to PEAP and click Properties. In the Protected EAP Properties dialog box, deselect Validate server certificate and click Configure. In the displayed dialog box, deselect Automatically use my Windows logon name and password and click OK.
l Configuration on the Windows 7 operating system:
1. Access the Manage wireless networks page, click Add, and select Manually create a network profile. Add SSID test. Set the authentication mode to WPA2-Enterprise, the encryption mode to CCMP, and the algorithm to AES. Click Next.
2. Scan SSIDs and double-click SSID test. On the Security tab page, set EAP type to PEAP and click Settings. In the displayed dialog box, deselect Validate server certificate and click Configure. In the displayed dialog box, deselect Automatically use my Windows logon name and password and click OK.

Assume that the STA MAC address is 0025-86aa-0d1c. When the STA connects to the WLAN
with the SSID test in the coverage area of AP1, run the display station assoc-info sta
0025-86aa-0d1c command on the AC to check the STA access information.
<Quidway> display station assoc-info sta 0025-86aa-0d1c
------------------------------------------------------------------------------
STA MAC          AP-ID   RADIO-ID   SS-ID   SSID
------------------------------------------------------------------------------
0025-86aa-0d1c   1       0          1       test
------------------------------------------------------------------------------
Total stations: 1

When the STA moves from the coverage of AP1 to AP2, run the display station assoc-info sta
0025-86aa-0d1c command on the AC to check the STA access information. The STA is
associated with AP2.
<Quidway> display station assoc-info sta 0025-86aa-0d1c
------------------------------------------------------------------------------
STA MAC          AP-ID   RADIO-ID   SS-ID   SSID
------------------------------------------------------------------------------
0025-86aa-0d1c   2       0          1       test
------------------------------------------------------------------------------
Total stations: 1

Run the display station roam-track sta 0025-86aa-0d1c command on the AC to check the
STA roaming track.
<Quidway> display station roam-track sta 0025-86aa-0d1c
------------------------------------------------------------------------------
AP ID   Radio ID   BSSID            TIME
------------------------------------------------------------------------------
1       0          8200-0001-0080   2012/12/23 14:40:37
2       0          60de-4476-e360   2012/12/23 14:40:39
------------------------------------------------------------------------------
Number of roam track: 1
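The roam-track output above (the same check appears in Step 7 of the preceding example) timestamps each association, so the roaming switchover time can be read from it. Here is an added Python example, not taken from the Huawei guide, that parses display station roam-track output, computes the interval between consecutive associations, and flags a track whose switchover exceeds a threshold; the sample output is constructed from the table above and the 5 s threshold is an assumed value.

```python
import re
from datetime import datetime

# Constructed sample with the same layout as the roam-track output shown above.
ROAM_TRACK_OUTPUT = """\
<Quidway> display station roam-track sta 0025-86aa-0d1c
------------------------------------------------------------------------------
AP ID   Radio ID   BSSID            TIME
------------------------------------------------------------------------------
1       0          8200-0001-0080   2012/12/23 14:40:37
2       0          60de-4476-e360   2012/12/23 14:40:39
------------------------------------------------------------------------------
Number of roam track: 1
"""

# One data row: AP ID, radio ID, BSSID in xxxx-xxxx-xxxx notation, timestamp.
ROW_RE = re.compile(
    r"^\s*(\d+)\s+(\d+)\s+([0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4})\s+"
    r"(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})\s*$",
    re.IGNORECASE,
)
COUNT_RE = re.compile(r"^Number of roam track:\s*(\d+)")


def parse_roam_track(output):
    """Return (rows, declared_roams) parsed from display station roam-track output.

    rows are dicts in the order the AC printed them; declared_roams is the
    'Number of roam track' value, or None if that line is missing.
    """
    rows, declared = [], None
    for line in output.splitlines():
        m = ROW_RE.match(line)
        if m:
            rows.append({
                "ap_id": int(m.group(1)),
                "radio_id": int(m.group(2)),
                "bssid": m.group(3).lower(),
                "time": datetime.strptime(m.group(4), "%Y/%m/%d %H:%M:%S"),
            })
            continue
        c = COUNT_RE.match(line)
        if c:
            declared = int(c.group(1))
    return rows, declared


def roam_intervals(rows):
    """(from AP, to AP, seconds) for each consecutive pair of associations."""
    return [
        (a["ap_id"], b["ap_id"], (b["time"] - a["time"]).total_seconds())
        for a, b in zip(rows, rows[1:])
    ]


def check_roam_track(output, max_seconds=5.0):
    """Audit one STA's roam track; returns a list of problems (empty = healthy).

    max_seconds is an assumed threshold; the AC timestamps have 1 s resolution,
    so the computed interval is only an upper bound on the real switchover.
    """
    rows, declared = parse_roam_track(output)
    problems = []
    # One roam per pair of consecutive associations; the AC's count must agree.
    if declared is not None and declared != max(len(rows) - 1, 0):
        problems.append(
            f"AC reports {declared} roams but lists {len(rows)} associations")
    for src, dst, secs in roam_intervals(rows):
        if secs < 0:
            problems.append(f"AP {src} -> AP {dst}: timestamps go backwards")
        elif secs > max_seconds:
            problems.append(
                f"AP {src} -> AP {dst}: switchover took {secs:.0f} s "
                f"(limit {max_seconds:.0f} s)")
    return problems


if __name__ == "__main__":
    print(roam_intervals(parse_roam_track(ROAM_TRACK_OUTPUT)[0]))
    print(check_roam_track(ROAM_TRACK_OUTPUT) or "roam track OK")
```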

----End

Configuration Files
l Configuration file of the AC wired side


#
sysname AC-LSW
#
vlan batch 100 to 101
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk allow-pass vlan 101
#
interface GigabitEthernet0/0/4
port link-type trunk
port trunk pvid vlan 102
port trunk allow-pass vlan 102
#
interface XGigabitEthernet0/0/27
port link-type trunk
port trunk allow-pass vlan 100 to 101
#
return

l Configuration file of the AC wireless side


#
sysname AC
#
vlan batch 100 to 101
#
dhcp enable
#
dot1x enable
#
wlan ac-global carrier id other ac id 1
#
radius-server template radius_huawei
radius-server authentication 192.168.0.2 1812
#
aaa
authentication-scheme radius_huawei
authentication-mode radius
domain peap.radius.com
authentication-scheme radius_huawei
radius-server radius_huawei
#
interface Vlanif100
ip address 192.168.10.1 255.255.255.0
dhcp select interface
#
interface Vlanif101
ip address 192.168.11.1 255.255.255.0
dhcp select interface
#
interface Vlanif102
ip address 192.168.0.1 255.255.255.0
#
interface XGigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100 to 101
#
interface Wlan-Ess1
port hybrid untagged vlan 101
dot1x-authentication enable
dot1x authentication-method eap
permit-domain huawei.com
force-domain huawei.com
dhcp enable
#
wlan
wlan ac source interface vlanif100
ap-profile name huawei id 1
4-way-handshake roam-policy ap
ap-region id 10
ap id 1 type-id 19 mac 0025-c401-9ae0 sn 190901007618
profile-id 1
region-id 10
ap id 2 type-id 19 mac 0025-c401-9ae1 sn 190901007619
profile-id 1
region-id 10
wmm-profile name wmm id 1
traffic-profile name traffic id 1
security-profile name security id 1
security-policy wpa2
wpa2 authentication-method dot1x peap encryption-method ccmp
service-set name test id 1
forward-mode tunnel
wlan-ess 1
ssid test
traffic-profile id 1
security-profile id 1
service-vlan 101
radio-profile name radio id 1
channel-mode fixed
wmm-profile id 1
ap 1 radio 0
radio-profile id 1
service-set id 1 wlan 1
ap 2 radio 0
radio-profile id 1
channel 20MHz 6
service-set id 1 wlan 1
#
return
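As an added example that is not part of the Huawei guide, the following Python script audits a wireless-side listing like the one above for the settings this roaming example depends on: global 802.1X, a WPA2 security profile using dot1x with CCMP, EAP-based 802.1X on every WLAN-ESS interface with a forced domain that is actually defined under aaa, an AP profile with 4-way-handshake roam-policy ap, and a RADIUS template naming an authentication server. The sample listing is constructed from the file above, trimmed to the relevant sections; on it the audit reports that Wlan-Ess1 forces domain huawei.com while the aaa section defines peap.radius.com.

```python
import re

# Constructed sample: the AC wireless-side listing above, trimmed to the sections
# the audit looks at. Sections are separated by "#" lines as in a VRP listing;
# the indentation of sub-commands is not relied on because PDF extraction drops it.
WIRELESS_SIDE_CONFIG = """\
#
sysname AC
#
dhcp enable
#
dot1x enable
#
radius-server template radius_huawei
radius-server authentication 192.168.0.2 1812
#
aaa
authentication-scheme radius_huawei
authentication-mode radius
domain peap.radius.com
authentication-scheme radius_huawei
radius-server radius_huawei
#
interface Wlan-Ess1
port hybrid untagged vlan 101
dot1x-authentication enable
dot1x authentication-method eap
permit-domain huawei.com
force-domain huawei.com
dhcp enable
#
wlan
ap-profile name huawei id 1
4-way-handshake roam-policy ap
security-profile name security id 1
security-policy wpa2
wpa2 authentication-method dot1x peap encryption-method ccmp
service-set name test id 1
wlan-ess 1
security-profile id 1
service-vlan 101
#
return
"""


def split_sections(config):
    """Split a VRP-style listing on '#' separator lines.

    Returns a list of sections, each a list of stripped, non-empty command lines.
    """
    sections, current = [], []
    for raw in config.splitlines():
        line = raw.strip()
        if line == "#":
            if current:
                sections.append(current)
            current = []
        elif line:
            current.append(line)
    if current:
        sections.append(current)
    return sections


def audit_wpa2_dot1x_roaming(config):
    """Return a list of findings; an empty list means every check passed."""
    sections = split_sections(config)
    flat = [line for section in sections for line in section]
    findings = []

    if "dot1x enable" not in flat:
        findings.append("global 802.1X is not enabled (dot1x enable)")

    # Security profile: WPA2 with 802.1X key management and CCMP encryption.
    wpa2_lines = [l for l in flat if l.startswith("wpa2 authentication-method")]
    if "security-policy wpa2" not in flat or not wpa2_lines:
        findings.append("no security profile with security-policy wpa2 / 802.1X")
    elif not all("dot1x" in l and "encryption-method ccmp" in l for l in wpa2_lines):
        findings.append("wpa2 profile does not use dot1x with CCMP")

    # Every WLAN-ESS interface must run EAP-based 802.1X, and a forced domain
    # must exist under aaa, otherwise users cannot be mapped to the RADIUS scheme.
    domains = {l.split()[1] for l in flat if re.match(r"^domain \S+$", l)}
    for section in sections:
        if not section or not section[0].lower().startswith("interface wlan-ess"):
            continue
        name = section[0].split()[1]
        if "dot1x-authentication enable" not in section:
            findings.append(f"{name}: dot1x-authentication not enabled")
        if "dot1x authentication-method eap" not in section:
            findings.append(f"{name}: authentication method is not EAP")
        for l in section:
            if l.startswith("force-domain ") and l.split()[1] not in domains:
                findings.append(
                    f"{name}: force-domain {l.split()[1]} is not a configured AAA domain")

    # Fast roaming: the AP profile must negotiate keys on the AP side.
    if "4-way-handshake roam-policy ap" not in flat:
        findings.append("no ap-profile with 4-way-handshake roam-policy ap")

    # The RADIUS template must point at an authentication server.
    if not any(l.startswith("radius-server authentication ") for l in flat):
        findings.append("radius-server template has no authentication server")
    return findings


if __name__ == "__main__":
    for finding in audit_wpa2_dot1x_roaming(WIRELESS_SIDE_CONFIG) or ["no findings"]:
        print(finding)
```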

Example for Configuring Non-Fast Roaming Between APs in Different Service VLANs
Networking Requirements
As shown in Figure 12-47, two APs are deployed in a campus network to provide WLAN
services for employees of two departments, and are managed and controlled by an AC. The AC
dynamically assigns IP addresses to the APs and STAs. The employees of the two departments
belong to different VLANs, that is, AP1 belongs to VLAN101 and AP2 belongs to VLAN102.
The default security policy (WEP open system authentication) is used. User data is forwarded
through tunnels.
The department requires that services should not be interrupted when a STA moves from AP1
to AP2.
Figure 12-47 Networking diagram for configuring non-fast roaming between APs in different service VLANs
[Figure: the AC uplinks to the Internet through GE0/0/3 (VLAN101 and VLAN102); AP1 (SSID: test, Channel 1) connects to GE0/0/1 (VLAN100) and AP2 (SSID: test, Channel 6) to GE0/0/2 (VLAN100); a STA roams from AP1 to AP2. AP1: Management VLAN VLAN100, Service VLAN VLAN 101, AP region ID 10. AP2: Management VLAN VLAN100, Service VLAN VLAN 102, AP region ID 10]

Configuration Roadmap
The configuration roadmap is as follows:
1. The default security policy is used and access authentication is not required, which shortens the roaming switchover time. Configure non-fast roaming between APs in different service VLANs to ensure nonstop service transmission during roaming.
2. Configure parameters used for communication between the AC and APs to transmit CAPWAP packets.
3. Configure the AC to function as a DHCP server to assign IP addresses to the STAs and APs.
4. Configure basic WLAN services to enable the STAs to connect to the WLAN.
NOTE

The AC6605 has the wired side and wireless side. XGE0/0/27 connects the wired side to the wireless side and XGE0/0/1 connects the wireless side to the wired side. For details about the login modes on the wired side and wireless side, see 11.1 Configuring User Login.

Procedure
Step 1 Configure the AC wired side and wireless side so that the APs and AC can transmit CAPWAP
packets.
# Configure the AC wired side: add wired-side interfaces GE0/0/1 and GE0/0/2 to management
VLAN 100, and add XGE0/0/27 that connects the wired side to the wireless side to the same
VLAN.
NOTE

In this example, tunnel forwarding is used. If direct forwarding is used, configure port isolation on GE0/0/1 and
GE0/0/2 that connect the AC wired side to the APs. If port isolation is not configured, many broadcast packets
will be transmitted in the VLANs or WLAN users on different APs can directly communicate at Layer 2.
<Quidway> system-view
[Quidway] sysname AC-LSW
[AC-LSW] vlan batch 100
[AC-LSW] interface gigabitethernet 0/0/1
[AC-LSW-GigabitEthernet0/0/1] port link-type trunk
[AC-LSW-GigabitEthernet0/0/1] port trunk pvid vlan 100
[AC-LSW-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[AC-LSW-GigabitEthernet0/0/1] quit
[AC-LSW] interface gigabitethernet 0/0/2
[AC-LSW-GigabitEthernet0/0/2] port link-type trunk
[AC-LSW-GigabitEthernet0/0/2] port trunk pvid vlan 100
[AC-LSW-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[AC-LSW-GigabitEthernet0/0/2] quit
[AC-LSW] interface xgigabitethernet 0/0/27
[AC-LSW-XGigabitEthernet0/0/27] port link-type trunk
[AC-LSW-XGigabitEthernet0/0/27] port trunk allow-pass vlan 100
[AC-LSW-XGigabitEthernet0/0/27] quit

# Add XGE0/0/1 that connects the AC wireless side to the wired side to VLAN 100.
<Quidway> system-view
[Quidway] sysname AC
[AC] vlan batch 100
[AC] interface xgigabitethernet 0/0/1
[AC-XGigabitEthernet0/0/1] port link-type trunk
[AC-XGigabitEthernet0/0/1] port trunk allow-pass vlan 100
[AC-XGigabitEthernet0/0/1] quit

Step 2 Connect the AC to the upper-level network device.



# Add the AC wireless-side interface XGE0/0/1 connected to the wired side to VLAN101 and
VLAN102.
[AC] vlan batch 101 102
[AC] interface xgigabitethernet 0/0/1
[AC-XGigabitEthernet0/0/1] port link-type trunk
[AC-XGigabitEthernet0/0/1] port trunk allow-pass vlan 101 102
[AC-XGigabitEthernet0/0/1] quit

# Add the AC wired-side interface XGE0/0/27 connected to the wireless side and AC uplink
interface GE0/0/3 to VLAN101 and VLAN102.
[AC-LSW] vlan batch 101 102
[AC-LSW] interface xgigabitethernet 0/0/27
[AC-LSW-XGigabitEthernet0/0/27] port link-type trunk
[AC-LSW-XGigabitEthernet0/0/27] port trunk allow-pass vlan 101 102
[AC-LSW-XGigabitEthernet0/0/27] quit
[AC-LSW] interface gigabitethernet 0/0/3
[AC-LSW-GigabitEthernet0/0/3] port link-type trunk
[AC-LSW-GigabitEthernet0/0/3] port trunk allow-pass vlan 101 102
[AC-LSW-GigabitEthernet0/0/3] quit

Step 3 Configure the AC to function as a DHCP server to assign IP addresses to the STAs and APs.
# Configure the DHCP server based on the interface address pool. VLANIF100 provides IP
addresses for AP1 and AP2, VLANIF101 provides IP addresses for STAs connected to AP1,
and VLANIF102 provides IP addresses for STAs connected to AP2.
[AC] dhcp enable
[AC] interface vlanif 100
[AC-Vlanif100] ip address 192.168.10.1 24
[AC-Vlanif100] dhcp select interface
[AC-Vlanif100] quit
[AC] interface vlanif 101
[AC-Vlanif101] ip address 192.168.11.1 24
[AC-Vlanif101] dhcp select interface
[AC-Vlanif101] quit
[AC] interface vlanif 102
[AC-Vlanif102] ip address 192.168.12.1 24
[AC-Vlanif102] dhcp select interface
[AC-Vlanif102] quit

Step 4 Configure AC system parameters.


# Configure the country code.
[AC] wlan ac-global country-code cn

# Configure the AC ID and carrier ID.


[AC] wlan ac-global ac id 1 carrier id other

# Configure the source interface.


[AC] wlan
[AC-wlan-view] wlan ac source interface vlanif 100

Step 5 Manage APs on the AC.


# Check the AP type IDs after obtaining the MAC addresses of the APs.
[AC-wlan-view] display ap-type all
All AP types information:
------------------------------------------------------------------------------
ID    Type
------------------------------------------------------------------------------
0     WA601
1     WA631
6     WA603SN
7     WA603DN
8     WA633SN
11    WA603DE
12    WA653DE
14    WA653SN
17    AP6010SN-GN
19    AP6010DN-AGN
21    AP6310SN-GN
23    AP6510DN-AGN
25    AP6610DN-AGN
27    AP7110SN-GN
28    AP7110DN-AGN
29    AP5010SN-GN
30    AP5010DN-AGN
31    AP3010DN-AGN
33    AP6510DN-AGN-US
34    AP6610DN-AGN-US
------------------------------------------------------------------------------
Total number: 20

# Add the APs offline based on the AP type ID. Assume that the type of AP1 and AP2 is
AP6010DN-AGN, and their MAC addresses are 0046-4b59-1ee0 and 0046-4b59-1d20
respectively.
[AC-wlan-view] ap-auth-mode mac-auth
[AC-wlan-view] ap id 1 type-id 19 mac 0046-4b59-1ee0
[AC-wlan-ap-1] quit
[AC-wlan-view] ap id 2 type-id 19 mac 0046-4b59-1d20
[AC-wlan-ap-2] quit

NOTE

The default AP authentication mode is MAC address authentication. If the default settings are retained, you do
not need to run the ap-auth-mode mac-auth command.

# Configure an AP region and add the APs to the AP region.


[AC-wlan-view] ap-region id 10
[AC-wlan-ap-region-10] quit
[AC-wlan-view] ap id 1
[AC-wlan-ap-1] region-id 10
[AC-wlan-ap-1] quit
[AC-wlan-view] ap id 2
[AC-wlan-ap-2] region-id 10
[AC-wlan-ap-2] quit

# After powering on AP1 and AP2, run the display ap all command on the AC to check the AP
running status. The command output shows that the AP status is normal.
[AC-wlan-view] display ap all
All AP information(Normal-2,UnNormal-0):
------------------------------------------------------------------------------
AP   AP             AP               Profile   AP       AP
ID   Type           MAC              /Region   State    Sysname
                                     ID
------------------------------------------------------------------------------
1    AP6010DN-AGN   0046-4b59-1ee0   0/10      normal   ap-1
2    AP6010DN-AGN   0046-4b59-1d20   0/10      normal   ap-2
------------------------------------------------------------------------------
Total number: 2

Step 6 Configure WLAN service parameters.


# Create a WMM profile named wmm and retain the default parameter settings.
[AC-wlan-view] wmm-profile name wmm id 1
[AC-wlan-wmm-prof-wmm] quit

# Create a radio profile named radio and bind the WMM profile wmm to the radio profile.
[AC-wlan-view] radio-profile name radio id 1
[AC-wlan-radio-prof-radio] channel-mode fixed
[AC-wlan-radio-prof-radio] wmm-profile name wmm
[AC-wlan-radio-prof-radio] quit
[AC-wlan-view] quit

# Create a WLAN-ESS interface. To implement roaming between APs in different service
VLANs, configure two service VLANs (VLAN101 and VLAN102) on each WLAN-ESS
interface.
NOTE

When the AC is configured to assign IP addresses to STAs, run the dhcp enable command to enable the
DHCP function on the WLAN-ESS interface.
[AC] interface wlan-ess 0
[AC-Wlan-Ess0] dhcp enable
[AC-Wlan-Ess0] port link-type hybrid
[AC-Wlan-Ess0] port hybrid pvid vlan 101
[AC-Wlan-Ess0] port hybrid untagged vlan 101 102
[AC-Wlan-Ess0] quit
[AC] interface wlan-ess 1
[AC-Wlan-Ess1] dhcp enable
[AC-Wlan-Ess1] port link-type hybrid
[AC-Wlan-Ess1] port hybrid pvid vlan 102
[AC-Wlan-Ess1] port hybrid untagged vlan 101 102
[AC-Wlan-Ess1] quit

# Create a security profile named security and retain the default parameter settings (open system
authentication and no encryption).
[AC] wlan
[AC-wlan-view] security-profile name security id 1
[AC-wlan-sec-prof-security] quit

# Create a traffic profile named traffic and retain the default parameter settings.
[AC-wlan-view] traffic-profile name traffic id 1
[AC-wlan-traffic-prof-traffic] quit

# Configure service sets for AP1 and AP2, and set the data forwarding mode to tunnel forwarding.
[AC-wlan-view] service-set name huawei-1
[AC-wlan-service-set-huawei-1] ssid test
[AC-wlan-service-set-huawei-1] wlan-ess 0
[AC-wlan-service-set-huawei-1] service-vlan 101
[AC-wlan-service-set-huawei-1] security-profile name security
[AC-wlan-service-set-huawei-1] traffic-profile name traffic
[AC-wlan-service-set-huawei-1] forward-mode tunnel
[AC-wlan-service-set-huawei-1] quit
[AC-wlan-view] service-set name huawei-2
[AC-wlan-service-set-huawei-2] ssid test
[AC-wlan-service-set-huawei-2] wlan-ess 1
[AC-wlan-service-set-huawei-2] service-vlan 102
[AC-wlan-service-set-huawei-2] security-profile name security
[AC-wlan-service-set-huawei-2] traffic-profile name traffic
[AC-wlan-service-set-huawei-2] forward-mode tunnel
[AC-wlan-service-set-huawei-2] quit

# Configure a VAP.
[AC-wlan-view] ap 1 radio 0
[AC-wlan-radio-1/0] radio-profile name radio
Warning: Modify the Radio type may cause some parameters of Radio resume defaul
t value, are you sure to continue?[Y/N]:y
[AC-wlan-radio-1/0] channel 20mhz 1
[AC-wlan-radio-1/0] service-set name huawei-1
[AC-wlan-radio-1/0] quit
[AC-wlan-view] ap 2 radio 0
[AC-wlan-radio-2/0] radio-profile name radio
Warning: Modify the Radio type may cause some parameters of Radio resume defaul
t value, are you sure to continue?[Y/N]:y
[AC-wlan-radio-2/0] channel 20mhz 6
[AC-wlan-radio-2/0] service-set name huawei-2
[AC-wlan-radio-2/0] quit

# Commit the configuration.
[AC-wlan-view] commit ap 1
Warning: Committing configuration may cause service interruption,continue?[Y/N]y
[AC-wlan-view] commit ap 2
Warning: Committing configuration may cause service interruption,continue?[Y/N]y

Step 7 Verify the configuration.


After the configuration is complete, the STA can connect to the WLAN with the SSID test in
the coverage area of AP1.
Assume that the STA MAC address is 0025-86aa-0d1c. When the STA connects to the WLAN
with the SSID test in the coverage area of AP1, run the display station assoc-info sta
0025-86aa-0d1c command on the AC to check the STA access information.
<Quidway> display station assoc-info sta 0025-86aa-0d1c
------------------------------------------------------------------------------
STA MAC          AP-ID   RADIO-ID   SS-ID   SSID
------------------------------------------------------------------------------
0025-86aa-0d1c   1       0          1       test
------------------------------------------------------------------------------
Total stations: 1

When the STA moves from the coverage of AP1 to AP2, run the display station assoc-info sta
0025-86aa-0d1c command on the AC to check the STA access information. The STA is
associated with AP2.
<Quidway> display station assoc-info sta 0025-86aa-0d1c
------------------------------------------------------------------------------
STA MAC          AP-ID   RADIO-ID   SS-ID   SSID
------------------------------------------------------------------------------
0025-86aa-0d1c   2       0          1       test
------------------------------------------------------------------------------
Total stations: 1

Run the display station roam-track sta 0025-86aa-0d1c command on the AC to check the
STA roaming track.
<Quidway> display station roam-track sta 0025-86aa-0d1c
------------------------------------------------------------------------------
AP ID   Radio ID   BSSID            TIME
------------------------------------------------------------------------------
1       0          8200-0001-0080   2012/12/23 14:40:37
2       0          60de-4476-e360   2012/12/23 14:40:39
------------------------------------------------------------------------------
Number of roam track: 1

----End

Configuration Files
• Configuration file of the AC wired side
#
sysname AC-LSW
#
vlan batch 100 to 102
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk pvid vlan 100
 port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk pvid vlan 100
 port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/3
 port link-type trunk
 port trunk allow-pass vlan 101 to 102
#
interface XGigabitEthernet0/0/27
 port link-type trunk
 port trunk allow-pass vlan 100 to 102
#
return

• Configuration file of the AC wireless side
#
sysname AC
#
vlan batch 100 to 102
#
dhcp enable
#
wlan ac-global carrier id other ac id 1
#
interface Vlanif100
 ip address 192.168.10.1 255.255.255.0
 dhcp select interface
#
interface Vlanif101
 ip address 192.168.11.1 255.255.255.0
 dhcp select interface
#
interface Vlanif102
 ip address 192.168.12.1 255.255.255.0
 dhcp select interface
#
interface XGigabitEthernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 100 to 102
#
interface Wlan-Ess0
 port hybrid pvid vlan 101
 port hybrid untagged vlan 101 to 102
 dhcp enable
#
interface Wlan-Ess1
 port hybrid pvid vlan 102
 port hybrid untagged vlan 101 to 102
 dhcp enable
#
wlan
 wlan ac source interface vlanif100
 ap-region id 10
 ap id 1 type-id 19 mac 0025-c401-9ae0 sn 190901007618
  region-id 10
 ap id 2 type-id 19 mac 0025-c401-9ae1 sn 190901007619
  region-id 10
 wmm-profile name wmm id 1
 traffic-profile name traffic id 1
 security-profile name security id 1
 service-set name huawei-1 id 0
  forward-mode tunnel
  wlan-ess 0
  ssid test
  traffic-profile id 1
  security-profile id 1
  service-vlan 101
 service-set name huawei-2 id 1
  forward-mode tunnel
  wlan-ess 1
  ssid test
  traffic-profile id 1
  security-profile id 1
  service-vlan 102
 radio-profile name radio id 1
  channel-mode fixed
  wmm-profile id 1
 ap 1 radio 0
  radio-profile id 1
  channel 20MHz 1
  service-set id 0 wlan 1
 ap 2 radio 0
  radio-profile id 1
  channel 20MHz 6
  service-set id 1 wlan 1
#
return

Example for Configuring Fast Roaming Between APs in Different Service VLANs
Networking Requirements
As shown in Figure 12-48, two APs are deployed in a campus network to provide WLAN
services for employees of two departments, and are managed and controlled by an AC. The AC
dynamically assigns IP addresses to the APs and STAs. The employees of the two departments
belong to different VLANs, that is, AP1 belongs to VLAN101 and AP2 belongs to VLAN102.
The security policy WPA2-802.1X is used. User data is forwarded through tunnels.
The department requires that services should not be interrupted when a STA moves from AP1
to AP2.


Figure 12-48 Networking diagram for configuring fast roaming between APs in different service
VLANs
[Figure: the AC uplinks to the Internet through GE0/0/3 (VLAN101, VLAN102) and reaches the
RADIUS server 192.168.0.2/24 through GE0/0/4 (VLAN103); GE0/0/1 and GE0/0/2 (VLAN100) connect
AP1 (SSID test, channel 1) and AP2 (SSID test, channel 6); a STA roams from AP1 to AP2.
AP1: management VLAN VLAN100, service VLAN 101, AP region ID 10.
AP2: management VLAN VLAN100, service VLAN 102, AP region ID 10.]

Configuration Roadmap
The configuration roadmap is as follows:
1. The security policy WPA2-802.1X is used and access authentication is required, which
   results in longer roaming switchover time. Configure fast roaming between APs in different
   service VLANs to ensure nonstop service transmission during roaming.
2. Configure parameters used for communication between the AC and APs to transmit
   CAPWAP packets.
3. Configure the AC to function as a DHCP server to assign IP addresses to the STAs and
   APs.
4. Configure basic WLAN services to enable the STAs to connect to the WLAN.
5. Configure key negotiation between STAs and APs to shorten the roaming switchover time.
NOTE

The AC6605 has the wired side and wireless side. XGE0/0/27 connects the wired side to the wireless side
and XGE0/0/1 connects the wireless side to the wired side. For details about the login modes on the wired
side and wireless side, see 11.1 Configuring User Login.

Procedure
Step 1 Configure the AC wired side and wireless side so that the APs and AC can transmit CAPWAP
packets.

# Configure the AC wired side: add wired-side interfaces GE0/0/1 and GE0/0/2 to management
VLAN 100, and add XGE0/0/27 that connects the wired side to the wireless side to the same
VLAN.
NOTE

In this example, tunnel forwarding is used. If direct forwarding is used, configure port isolation on GE0/0/1 and
GE0/0/2 that connect the AC wired side to the APs. If port isolation is not configured, many broadcast packets
will be transmitted in the VLANs or WLAN users on different APs can directly communicate at Layer 2.
<Quidway> system-view
[Quidway] sysname AC-LSW
[AC-LSW] vlan batch 100
[AC-LSW] interface gigabitethernet 0/0/1
[AC-LSW-GigabitEthernet0/0/1] port link-type trunk
[AC-LSW-GigabitEthernet0/0/1] port trunk pvid vlan 100
[AC-LSW-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[AC-LSW-GigabitEthernet0/0/1] quit
[AC-LSW] interface gigabitethernet 0/0/2
[AC-LSW-GigabitEthernet0/0/2] port link-type trunk
[AC-LSW-GigabitEthernet0/0/2] port trunk pvid vlan 100
[AC-LSW-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[AC-LSW-GigabitEthernet0/0/2] quit
[AC-LSW] interface xgigabitethernet 0/0/27
[AC-LSW-XGigabitEthernet0/0/27] port link-type trunk
[AC-LSW-XGigabitEthernet0/0/27] port trunk allow-pass vlan 100
[AC-LSW-XGigabitEthernet0/0/27] quit

# Add XGE0/0/1 that connects the AC wireless side to the wired side to VLAN 100.
<Quidway> system-view
[Quidway] sysname AC
[AC] vlan batch 100
[AC] interface xgigabitethernet 0/0/1
[AC-XGigabitEthernet0/0/1] port link-type trunk
[AC-XGigabitEthernet0/0/1] port trunk allow-pass vlan 100
[AC-XGigabitEthernet0/0/1] quit

Step 2 Connect the AC to the upper-level network device.


# Add the AC wireless-side interface XGE0/0/1 connected to the wired side to VLAN101 and
VLAN102.
[AC] vlan batch 101 102
[AC] interface xgigabitethernet 0/0/1
[AC-XGigabitEthernet0/0/1] port link-type trunk
[AC-XGigabitEthernet0/0/1] port trunk allow-pass vlan 101 102
[AC-XGigabitEthernet0/0/1] quit

# Add the AC wired-side interface XGE0/0/27 connected to the wireless side and AC uplink
interface GE0/0/3 to VLAN101 and VLAN102, and add GE0/0/4 of the AC connecting to the
RADIUS server to VLAN 103.
[AC-LSW] vlan batch 101 to 103
[AC-LSW] interface xgigabitethernet 0/0/27
[AC-LSW-XGigabitEthernet0/0/27] port link-type trunk
[AC-LSW-XGigabitEthernet0/0/27] port trunk allow-pass vlan 101 102
[AC-LSW-XGigabitEthernet0/0/27] quit
[AC-LSW] interface gigabitethernet 0/0/3
[AC-LSW-GigabitEthernet0/0/3] port link-type trunk
[AC-LSW-GigabitEthernet0/0/3] port trunk allow-pass vlan 101 102
[AC-LSW-GigabitEthernet0/0/3] quit
[AC-LSW] interface gigabitethernet 0/0/4
[AC-LSW-GigabitEthernet0/0/4] port link-type trunk
[AC-LSW-GigabitEthernet0/0/4] port trunk pvid vlan 103
[AC-LSW-GigabitEthernet0/0/4] port trunk allow-pass vlan 103
[AC-LSW-GigabitEthernet0/0/4] quit


Step 3 Configure the AC to function as a DHCP server to assign IP addresses to the STAs and APs.
# Configure the DHCP server based on the interface address pool. VLANIF100 provides IP
addresses for AP1 and AP2, VLANIF101 provides IP addresses for STAs connected to AP1,
and VLANIF102 provides IP addresses for STAs connected to AP2.
[AC] dhcp enable
[AC] interface vlanif 100
[AC-Vlanif100] ip address 192.168.10.1 24
[AC-Vlanif100] dhcp select interface
[AC-Vlanif100] quit
[AC] interface vlanif 101
[AC-Vlanif101] ip address 192.168.11.1 24
[AC-Vlanif101] dhcp select interface
[AC-Vlanif101] quit
[AC] interface vlanif 102
[AC-Vlanif102] ip address 192.168.12.1 24
[AC-Vlanif102] dhcp select interface
[AC-Vlanif102] quit

# Configure VLANIF 103.


[AC] interface vlanif 103
[AC-Vlanif103] ip address 192.168.0.1 24
[AC-Vlanif103] quit

Step 4 Configure an AAA domain to which a RADIUS server template is applied.


1. Configure a RADIUS server template, an AAA authentication scheme, and domain
   information.
NOTE

Ensure that the AC and RADIUS server have the same shared key.
[AC] dot1x enable
[AC] radius-server template radius_huawei
[AC-radius-radius_huawei] radius-server authentication 192.168.0.2 1812
[AC-radius-radius_huawei] radius-server shared-key simple huawei
[AC-radius-radius_huawei] quit
[AC] aaa
[AC-aaa] authentication-scheme radius_huawei
[AC-aaa-authen-radius_huawei] authentication-mode radius
[AC-aaa-authen-radius_huawei] quit
[AC-aaa] domain huawei.com
[AC-aaa-domain-huawei.com] authentication-scheme radius_huawei
[AC-aaa-domain-huawei.com] radius-server radius_huawei
[AC-aaa-domain-huawei.com] quit
[AC-aaa] quit
NOTE

After domain huawei.com is configured, the domain name is added to the authentication user name.

2. Test whether a STA can be authenticated using RADIUS authentication. A user name
   test@huawei.com and password 123456 have been configured on the RADIUS server.
[AC] test-aaa test@huawei.com 123456 radius-template radius_huawei
Info: Account test succeed.

Step 5 Configure AC system parameters.


# Configure the country code.
[AC] wlan ac-global country-code cn

# Configure the AC ID and carrier ID.


[AC] wlan ac-global ac id 1 carrier id other

# Configure the source interface.
[AC] wlan
[AC-wlan-view] wlan ac source interface vlanif 100

Step 6 Manage APs on the AC.


# Check the AP type IDs after obtaining the MAC addresses of the APs.
[AC-wlan-view] display ap-type all
All AP types information:
------------------------------------------------------------------------------
ID    Type
------------------------------------------------------------------------------
0     WA601
1     WA631
6     WA603SN
7     WA603DN
8     WA633SN
11    WA603DE
12    WA653DE
14    WA653SN
17    AP6010SN-GN
19    AP6010DN-AGN
21    AP6310SN-GN
23    AP6510DN-AGN
25    AP6610DN-AGN
27    AP7110SN-GN
28    AP7110DN-AGN
29    AP5010SN-GN
30    AP5010DN-AGN
31    AP3010DN-AGN
33    AP6510DN-AGN-US
34    AP6610DN-AGN-US
------------------------------------------------------------------------------
Total number: 20

# Add the APs offline based on the AP type ID. Assume that the type of AP1 and AP2 is
AP6010DN-AGN, and their MAC addresses are 0046-4b59-1ee0 and 0046-4b59-1d20
respectively.
[AC-wlan-view] ap-auth-mode mac-auth
[AC-wlan-view] ap id 1 type-id 19 mac 0046-4b59-1ee0
[AC-wlan-ap-1] quit
[AC-wlan-view] ap id 2 type-id 19 mac 0046-4b59-1d20
[AC-wlan-ap-2] quit

NOTE

The default AP authentication mode is MAC address authentication. If the default settings are retained, you do
not need to run the ap-auth-mode mac-auth command.

# Configure an AP region and add the APs to the AP region.


[AC-wlan-view] ap-region id 10
[AC-wlan-ap-region-10] quit
[AC-wlan-view] ap id 1
[AC-wlan-ap-1] region-id 10
[AC-wlan-ap-1] quit
[AC-wlan-view] ap id 2
[AC-wlan-ap-2] region-id 10
[AC-wlan-ap-2] quit

# After powering on AP1 and AP2, run the display ap all command on the AC to check the AP
running status. The command output shows that the AP status is normal.
[AC-wlan-view] display ap all
All AP information(Normal-2,UnNormal-0):
------------------------------------------------------------------------------
AP   AP             AP               Profile   AP       AP
ID   Type           MAC              /Region   State    Sysname
                                     ID
------------------------------------------------------------------------------
1    AP6010DN-AGN   0046-4b59-1ee0   0/10      normal   ap-1
2    AP6010DN-AGN   0046-4b59-1d20   0/10      normal   ap-2
------------------------------------------------------------------------------
Total number: 2

Step 7 Configure WLAN service parameters.


# Create an AP profile named huawei and configure key negotiation between the STA and AP.
[AC-wlan-view] ap-profile name huawei id 1
[AC-wlan-ap-prof-huawei] 4-way-handshake roam-policy ap
[AC-wlan-ap-prof-huawei] quit
[AC-wlan-view] ap id 1
[AC-wlan-ap-1] profile-id 1
[AC-wlan-ap-1] quit
[AC-wlan-view] ap id 2
[AC-wlan-ap-2] profile-id 1
[AC-wlan-ap-2] quit

# Create a WMM profile named wmm and retain the default parameter settings.
[AC-wlan-view] wmm-profile name wmm id 1
[AC-wlan-wmm-prof-wmm] quit

# Create a radio profile named radio and bind the WMM profile wmm to the radio profile.
[AC-wlan-view] radio-profile name radio id 1
[AC-wlan-radio-prof-radio] channel-mode fixed
[AC-wlan-radio-prof-radio] wmm-profile name wmm
[AC-wlan-radio-prof-radio] quit
[AC-wlan-view] quit

# Create a WLAN-ESS interface. To implement roaming between APs in different service
VLANs, configure two service VLANs (VLAN101 and VLAN102) on each WLAN-ESS
interface.
NOTE

When the AC is configured to assign IP addresses to STAs, run the dhcp enable command to enable the
DHCP function on the WLAN-ESS interface.
[AC] interface wlan-ess 0
[AC-Wlan-Ess0] dhcp enable
[AC-Wlan-Ess0] port link-type hybrid
[AC-Wlan-Ess0] port hybrid pvid vlan 101
[AC-Wlan-Ess0] port hybrid untagged vlan 101 102
[AC-Wlan-Ess0] dot1x-authentication enable
[AC-Wlan-Ess0] dot1x authentication-method eap
[AC-Wlan-Ess0] force-domain huawei.com
[AC-Wlan-Ess0] permit-domain huawei.com
[AC-Wlan-Ess0] quit
[AC] interface wlan-ess 1
[AC-Wlan-Ess1] dhcp enable
[AC-Wlan-Ess1] port link-type hybrid
[AC-Wlan-Ess1] port hybrid pvid vlan 102
[AC-Wlan-Ess1] port hybrid untagged vlan 101 102
[AC-Wlan-Ess1] dot1x-authentication enable
[AC-Wlan-Ess1] dot1x authentication-method eap
[AC-Wlan-Ess1] force-domain huawei.com
[AC-Wlan-Ess1] permit-domain huawei.com
[AC-Wlan-Ess1] quit

# Create a security profile named security and configure the security policy to WPA2-802.1X.
[AC] wlan
[AC-wlan-view] security-profile name security id 1
[AC-wlan-sec-prof-security] security-policy wpa2
[AC-wlan-sec-prof-security] wpa2 authentication-method dot1x peap encryption-method ccmp
[AC-wlan-sec-prof-security] quit

# Create a traffic profile named traffic and retain the default parameter settings.
[AC-wlan-view] traffic-profile name traffic id 1
[AC-wlan-traffic-prof-traffic] quit

# Configure service sets for AP1 and AP2, and set the data forwarding mode to tunnel forwarding.
[AC-wlan-view] service-set name huawei-1
[AC-wlan-service-set-huawei-1] ssid test
[AC-wlan-service-set-huawei-1] wlan-ess 0
[AC-wlan-service-set-huawei-1] service-vlan 101
[AC-wlan-service-set-huawei-1] security-profile name security
[AC-wlan-service-set-huawei-1] traffic-profile name traffic
[AC-wlan-service-set-huawei-1] forward-mode tunnel
[AC-wlan-service-set-huawei-1] quit
[AC-wlan-view] service-set name huawei-2
[AC-wlan-service-set-huawei-2] ssid test
[AC-wlan-service-set-huawei-2] wlan-ess 1
[AC-wlan-service-set-huawei-2] service-vlan 102
[AC-wlan-service-set-huawei-2] security-profile name security
[AC-wlan-service-set-huawei-2] traffic-profile name traffic
[AC-wlan-service-set-huawei-2] forward-mode tunnel
[AC-wlan-service-set-huawei-2] quit

# Configure a VAP.
[AC-wlan-view] ap 1 radio 0
[AC-wlan-radio-1/0] radio-profile name radio
Warning: Modify the Radio type may cause some parameters of Radio resume defaul
t value, are you sure to continue?[Y/N]:y
[AC-wlan-radio-1/0] channel 20mhz 1
[AC-wlan-radio-1/0] service-set name huawei-1
[AC-wlan-radio-1/0] quit
[AC-wlan-view] ap 2 radio 0
[AC-wlan-radio-2/0] radio-profile name radio
Warning: Modify the Radio type may cause some parameters of Radio resume defaul
t value, are you sure to continue?[Y/N]:y
[AC-wlan-radio-2/0] channel 20mhz 6
[AC-wlan-radio-2/0] service-set name huawei-2
[AC-wlan-radio-2/0] quit

# Commit the configuration.
[AC-wlan-view] commit ap 1
Warning: Committing configuration may cause service interruption,continue?[Y/N]y
[AC-wlan-view] commit ap 2
Warning: Committing configuration may cause service interruption,continue?[Y/N]y

Step 8 Verify the configuration.


After the configuration is complete, the STA can connect to the WLAN with the SSID test in
the coverage area of AP1. Use 802.1X authentication on the STA and enter the user name and
password. If the authentication succeeds, the STA can connect to the Internet. Configure the
STA according to the configured authentication mode PEAP.
• Configuration on the Windows XP operating system:
1. On the Association tab page of the Wireless network properties dialog box, add SSID
   test, set the authentication mode to WPA2, encryption mode to CCMP, and encryption
   algorithm to AES.
2. On the Authentication tab page, set EAP type to PEAP and click Properties. In the
   Protected EAP Properties dialog box, deselect Validate server certificate and click
   Configure. In the displayed dialog box, deselect Automatically use my Windows
   logon name and password and click OK.
• Configuration on the Windows 7 operating system:
1. Access the Manage wireless networks page, click Add, and select Manually create
   a network profile. Add SSID test. Set the authentication mode to WPA2-Enterprise, the
   encryption mode to CCMP, and the algorithm to AES. Click Next.
2. Scan SSIDs and double-click SSID test. On the Security tab page, set EAP type to
   PEAP and click Settings. In the displayed dialog box, deselect Validate server
   certificate and click Configure. In the displayed dialog box, deselect Automatically
   use my Windows logon name and password and click OK.

Assume that the STA MAC address is 0025-86aa-0d1c. When the STA connects to the WLAN
with the SSID test in the coverage area of AP1, run the display station assoc-info sta
0025-86aa-0d1c command on the AC to check the STA access information.
<Quidway> display station assoc-info sta 0025-86aa-0d1c
------------------------------------------------------------------------------
STA MAC          AP-ID   RADIO-ID   SS-ID   SSID
------------------------------------------------------------------------------
0025-86aa-0d1c   1       0          1       test
------------------------------------------------------------------------------
Total stations: 1

When the STA moves from the coverage of AP1 to AP2, run the display station assoc-info sta
0025-86aa-0d1c command on the AC to check the STA access information. The STA is
associated with AP2.
<Quidway> display station assoc-info sta 0025-86aa-0d1c
------------------------------------------------------------------------------
STA MAC          AP-ID   RADIO-ID   SS-ID   SSID
------------------------------------------------------------------------------
0025-86aa-0d1c   2       0          1       test
------------------------------------------------------------------------------
Total stations: 1

Run the display station roam-track sta 0025-86aa-0d1c command on the AC to check the
STA roaming track.
<Quidway> display station roam-track sta 0025-86aa-0d1c
------------------------------------------------------------------------------
AP ID   Radio ID   BSSID            TIME
------------------------------------------------------------------------------
1       0          8200-0001-0080   2012/12/23 14:40:37
2       0          60de-4476-e360   2012/12/23 14:40:39
------------------------------------------------------------------------------
Number of roam track: 1

----End

Configuration Files
• Configuration file of the AC wired side
#
sysname AC-LSW
#
vlan batch 100 to 102
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk pvid vlan 100
 port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk pvid vlan 100
 port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/3
 port link-type trunk
 port trunk allow-pass vlan 101 to 102
#
interface GigabitEthernet0/0/4
 port link-type trunk
 port trunk pvid vlan 103
 port trunk allow-pass vlan 103
#
interface XGigabitEthernet0/0/27
 port link-type trunk
 port trunk allow-pass vlan 100 to 102
#
return

Configuration file of the AC wireless side


#
sysname AC
#
vlan batch 100 to 102
#
dhcp enable
#
dot1x enable
#
wlan ac-global carrier id other ac id 1
#
radius-server template radius_huawei
radius-server authentication 192.168.0.2 1812
#
aaa
authentication-scheme radius_huawei
authentication-mode radius
domain peap.radius.com
authentication-scheme radius_huawei
radius-server radius_huawei
#
interface Vlanif100
ip address 192.168.10.1 255.255.255.0
dhcp select interface
#
interface Vlanif101
ip address 192.168.11.1 255.255.255.0
dhcp select interface
#
interface Vlanif102
ip address 192.168.12.1 255.255.255.0
dhcp select interface
#
interface Vlanif103
ip address 192.168.0.1 255.255.255.0
#
interface XGigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100 to 102
#
interface Wlan-Ess0
port hybrid pvid vlan
101
port hybrid untagged vlan 101 to
102
dot1x-authentication enable
dot1x authentication-method eap
permit-domain huawei.com
force-domain huawei.com
dhcp enable
#
interface Wlan-Ess1
port hybrid pvid vlan 102
port hybrid untagged vlan 101 to 102
dot1x-authentication enable
dot1x authentication-method eap
permit-domain huawei.com
force-domain huawei.com
dhcp enable
#
wlan
wlan ac source interface vlanif100
ap-profile name huawei id 1
4-way-handshake roam-policy ap
ap-region id 10
ap id 1 type-id 19 mac 0025-c401-9ae0 sn 190901007618
profile-id 1
region-id 10
ap id 2 type-id 19 mac 0025-c401-9ae1 sn 190901007619
profile-id 1
region-id 10
wmm-profile name wmm id 1
traffic-profile name traffic id 1
security-profile name security id 1
security-policy wpa2
wpa2 authentication-method dot1x peap encryption-method ccmp
service-set name huawei-1 id 0
forward-mode tunnel
wlan-ess 0
ssid test
traffic-profile id 1
security-profile id 1
service-vlan 101
service-set name huawei-2 id 1
forward-mode tunnel
wlan-ess 1
ssid test
traffic-profile id 1
security-profile id 1
service-vlan 102
radio-profile name radio id 1
channel-mode fixed
wmm-profile id 1
ap 1 radio 0
radio-profile id 1
service-set id 1 wlan 1
ap 2 radio 0
radio-profile id 1
channel 20MHz 6
service-set id 1 wlan 1
#
return

12.7 WLAN QoS Configuration


WLAN QoS enables network administrators to plan and allocate network resources based on
service characteristics, meeting user requirements and improving network usage.

12.7.1 Overview
WLAN Quality of Service (QoS) provides differentiated services for wireless users to satisfy
their traffic requirements.

Applications have differentiated network requirements. The traditional WLAN is mainly used
to transmit data due to its low transmission rate. With development of new WLAN technologies,
WLANs have been applied to media, financial, education, and enterprise networks. In addition
to data traffic, WLANs can also transmit delay-sensitive multimedia data, such as voice and
video. By enforcing QoS policies on a WLAN, the network administrator can properly plan and
assign network resources based on service characteristics. The WLAN then provides
differentiated access services for applications, meeting customer requirements and improving
network use efficiency.

12.7.2 WLAN QoS Features Supported by the Device


The device supports WLAN QoS features, including Wi-Fi Multimedia (WMM), priority
mapping, and traffic policing.
As shown in Figure 12-49, WLAN QoS has the following functions:
1. High-efficiency use of wireless channels: The WMM standard enables high-priority users to
preempt wireless channels.
2. Efficient bandwidth use: Priority mapping preferentially transmits the data of high-priority
users.
3. Network congestion prevention: Traffic policing limits users' transmission rate, preventing
network congestion.

Figure 12-49 WLAN QoS networking
[Figure: STA - AP - CAPWAP tunnel - AC - Internet. Callouts: 1. WMM: high-priority packets occupy wireless channels preferentially; 2. Priority mapping between the AP and AC; 3. Traffic policing on the STA and VAP.]

WMM
On a traditional WLAN, all STAs have the same chance to occupy a channel. Therefore, the
802.11 standard provides the same quality of service for all wireless applications. However, in
actual wireless applications, different applications have different requirements on service
quality. To provide differentiated services for different applications, the Wi-Fi Alliance defines
the Wi-Fi Multimedia (WMM) standard to enhance the 802.11 protocol. This standard changes
the channel competition mode.
WMM classifies data packets into the following access categories (ACs):
l AC_VO (Voice)
l AC_VI (Video)
l AC_BE (Best Effort)
l AC_BK (Background)

A set of Enhanced Distributed Channel Access (EDCA) parameters is set for each AC queue.
These parameters determine the capabilities of a queue to occupy a channel. By default, WMM
prioritizes AC_VO (Voice), AC_VI (Video), AC_BE (Best Effort), and AC_BK (Background)
in descending order.
The WMM function is implemented by configuring WMM profiles. This function identifies
high-priority packets and enables the high-priority packets to preempt channels.

Priority Mapping
802.3 and 802.11 packets use different fields to identify their priorities. For example, an 802.11
packet carries the user priority, an 802.3 VLAN packet carries the 802.1p priority, and an IP
packet carries the IP precedence or DSCP priority. Priority mapping must be configured on
network devices to retain priorities of packets when the packets traverse different networks.
As shown in Figure 12-50, the priority mapping process on a WLAN is as follows:
1. After receiving an 802.11 packet from the STA, the AP maps the user priority to the 802.1p
priority.
2. If tunnel forwarding mode is used, the 802.1p priority or IP precedence must be mapped to
a tunnel priority.
3. The AC forwards an 802.3 packet received from the Internet to the AP directly or through
a tunnel. After receiving the 802.3 packet, the AP maps the 802.1p priority or IP
precedence to the user priority.

Figure 12-50 Priority mapping
[Figure: STA (802.11 packet, UP) - AP - CAPWAP tunnel (CAPWAP encapsulation carrying the 802.1p priority or IP precedence) - AC - Internet (802.3 packet, 802.1p priority or IP precedence). Callouts 1 to 3 correspond to the steps listed above.]

Traffic Policing
To effectively use limited network resources, you can configure traffic policing for special
service flows to limit the traffic rate for all users or a specified user on the VAP.
The device supports VAP-based and user-based traffic policing.
l VAP-based traffic policing:
  - Traffic policing can be configured in a traffic profile to limit the rate of upstream and
    downstream traffic of all users on the VAP bound to the traffic profile.
  - Traffic policing can be configured on a WLAN-ESS interface to limit the rate of
    upstream and downstream traffic of all users on the VAP bound to the WLAN-ESS
    interface. Each WLAN-ESS interface corresponds to an extended service set (ESS) and
    each ESS has one SSID. Therefore, traffic policing on a WLAN-ESS interface is also
    called SSID-based traffic policing.
l User-based traffic policing:
  - Traffic policing can be configured in a traffic profile to limit the rate of upstream and
    downstream traffic of a specified user on the VAP bound to the traffic profile.
  - Traffic policing can be configured in a user profile and the user profile is bound to a
    service set. In this way, traffic policing can limit the rate of upstream and downstream
    traffic of a specified user on the VAP bound to the service set.
  - Traffic policing can be configured in a QoS profile and the QoS profile is bound to a
    user group. After the configuration is delivered to the user group through an
    authentication server, such as a RADIUS server, traffic policing limits the traffic rate
    of a specified user. This method is applicable to scenarios where NAC is enabled on
    users.

12.7.3 Default Configuration


This section provides the default WLAN QoS configuration.
Table 12-17 Default WLAN QoS configuration
Parameter | Default Setting
WMM | Enabled
Whether STAs that do not support WMM are allowed to connect to a WMM-enabled AP | Yes
Priorities of AC queues | AC_VO (Voice) > AC_VI (Video) > AC_BE (Best Effort) > AC_BK (Background)
Traffic policing | Disabled
Mappings from user priorities of 802.11 packets to 802.1p priorities of 802.3 packets when data packets are sent from STAs to an AP | User priority 0 maps 802.1p priority 0, user priority 1 maps 802.1p priority 1, and so on.
Mappings from 802.1p priorities of 802.3 packets to user priorities of 802.11 packets when data packets are sent from the Internet to an AP | IP precedence 0 maps user priority 0, IP precedence 1 maps user priority 1, and so on.
Tunnel priority mappings when data packets are sent from APs to an AC | IP precedence 0 in a user packet maps IP precedence 0 in the CAPWAP header, IP precedence 1 in a user packet maps IP precedence 1 in the CAPWAP header, and so on.

12.7.4 Configuring WMM


You can configure WMM profiles to give different services on STAs or APs different capabilities
to compete for channels, which determines the quality of service each of them receives.

Pre-configuration Tasks
Before configuring WMM, complete the following task:
l Configuring Basic WLAN Services

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
wlan

The WLAN view is displayed.


Step 3 Run:
wmm-profile { id profile-id | name profile-name }

The WMM profile view is displayed.


Step 4 (Optional) Run:
display wmm-profile { all | id profile-id | name profile-name }

The WMM profile configuration is displayed.


If the WMM configuration has not been modified, you can run the display wmm-profile { all
| id profile-id | name profile-name } command to view the default configuration of a WMM
profile and determine whether to modify the WMM configuration.
Step 5 Run:
wmm enable

WMM is enabled.
By default, WMM is enabled.


Step 6 (Optional) Run:
wmm mandatory enable

STAs that do not support WMM are not allowed to connect to a WMM-enabled AP.
By default, STAs that do not support WMM are allowed to connect to a WMM-enabled AP.
On a WLAN, wireless channels are open and all STAs have the same chance to occupy a channel.
You can configure WMM to distinguish high-priority packets and enable the high-priority
packets to preempt channels. You can also disable STAs that do not support WMM from
connecting to a WMM-enabled AP, which prevents those STAs from preempting channels of
WMM-capable STAs.
Step 7 Run:
wmm edca client { ac-vo | ac-vi | ac-be | ac-bk } { aifsn aifsn-value | ecw ecwmin ecwmin-value ecwmax ecwmax-value | txoplimit txoplimit-value } *

EDCA parameters are set for STAs.


Table 12-18 lists the default EDCA parameter settings for STAs.
Table 12-18 Default EDCA parameter settings for STAs
Packet Type   ECWmax   ECWmin   AIFSN   TXOPLimit
AC_VO                                   47
AC_VI                                   94
AC_BE         10
AC_BK         10
(ECWmax and ECWmin: exponent form of the maximum and minimum contention window; AIFSN:
arbitration inter frame spacing number; TXOPLimit: transmission opportunity limit.)

As shown in the table, queues of AC_VO, AC_VI, AC_BE, and AC_BK are in descending order
of priority.
Step 8 Run:
wmm edca ap { ac-vo | ac-vi | ac-be | ac-bk } { aifsn aifsn-value | ecw ecwmin ecwmin-value ecwmax ecwmax-value | txoplimit txoplimit-value | ack-policy { normal | noack } } *

EDCA parameters are set for APs.


Table 12-19 lists the default EDCA parameter settings and ACK policy for APs.
Table 12-19 Default EDCA parameter settings and ACK policy for APs
Packet Type   ECWmax   ECWmin   AIFSN   TXOPLimit   ACK Policy
AC_VO                                   47          normal
AC_VI                                   94          normal
AC_BE                                               normal
AC_BK         10                                    normal
(ECWmax and ECWmin: exponent form of the maximum and minimum contention window; AIFSN:
arbitration inter frame spacing number; TXOPLimit: transmission opportunity limit.)

As shown in the table, queues of AC_VO, AC_VI, AC_BE, and AC_BK are in descending order
of priority.
NOTE

After high-density AP deployment is enabled, APs optimize EDCA parameters of AC_BE packets and adjust
the size of the contention window to reduce chances of collisions so that better experience can be provided for
users in high-density access scenarios. If EDCA parameters have been configured in WMM profiles, EDCA
parameters in AC_BE packets do not take effect.

Step 9 Run:
quit

Return to the WLAN view.


Step 10 Run the commit { all | ap ap-id } command to deliver the configuration to APs.
----End

Checking the Configuration
l Run the display wmm-profile { all | id profile-id | name profile-name } command to check
the WMM profile configuration.
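The following Python model is an added illustration, not code from this guide, of what the ECWmin, ECWmax, AIFSN and TXOPLimit parameters of the wmm edca command mean for channel access, and of how changing them reorders the four access categories. The EDCA values are the 802.11 standard STA defaults, constructed here as sample input rather than taken from Table 12-18, and the PHY timing constants (slot 9 us, SIFS 16 us for OFDM) are assumptions.

```python
"""Added example (not from the guide): what the ECWmin/ECWmax/AIFSN/TXOPLimit
values of `wmm edca client ...` mean for channel access.

Inputs are the 802.11 standard EDCA defaults for a STA, constructed here as sample
data rather than taken from Table 12-18; the PHY timing constants are assumed
OFDM values (slot 9 us, SIFS 16 us).
"""
from dataclasses import dataclass

SLOT_US = 9         # assumption: OFDM (802.11a/g/n) slot time
SIFS_US = 16        # assumption: OFDM SIFS
TXOP_UNIT_US = 32   # the 802.11 TXOP Limit field counts units of 32 us
EDCA_FIELDS = ("aifsn", "ecwmin", "ecwmax", "txoplimit")


@dataclass(frozen=True)
class Edca:
    aifsn: int
    ecwmin: int
    ecwmax: int
    txoplimit: int

    def __post_init__(self):
        # ECW values are exponents (CW = 2^ECW - 1) and the minimum window may
        # not exceed the maximum; the 802.11 fields are 4 bits (ECW) and 8 bits (TXOP).
        if not 0 <= self.ecwmin <= self.ecwmax <= 15:
            raise ValueError("need 0 <= ecwmin <= ecwmax <= 15")
        if self.aifsn < 1 or not 0 <= self.txoplimit <= 255:
            raise ValueError("aifsn must be >= 1 and txoplimit in 0..255")

    def cw_min(self):
        return 2 ** self.ecwmin - 1

    def cw_max(self):
        return 2 ** self.ecwmax - 1

    def aifs_us(self):
        # AIFS[AC] = SIFS + AIFSN[AC] * slot time: the idle time an AC must
        # observe before its backoff counter starts counting down.
        return SIFS_US + self.aifsn * SLOT_US

    def txop_us(self):
        # 0 means one frame per channel access; otherwise the AC may hold the
        # channel for txoplimit * 32 us once it has won contention.
        return self.txoplimit * TXOP_UNIT_US

    def expected_wait_us(self):
        # Mean first-attempt access delay: AIFS plus a backoff drawn uniformly
        # from [0, CWmin] slots.  Smaller values win contention more often.
        return self.aifs_us() + self.cw_min() / 2 * SLOT_US


# Constructed input: 802.11 standard EDCA defaults for a STA.
STA_DEFAULTS = {
    "ac-vo": Edca(aifsn=2, ecwmin=2, ecwmax=3, txoplimit=47),
    "ac-vi": Edca(aifsn=2, ecwmin=3, ecwmax=4, txoplimit=94),
    "ac-be": Edca(aifsn=3, ecwmin=4, ecwmax=10, txoplimit=0),
    "ac-bk": Edca(aifsn=7, ecwmin=4, ecwmax=10, txoplimit=0),
}


def rank_by_priority(profile):
    """Access categories from most to least favoured in channel contention."""
    return sorted(profile, key=lambda ac: (profile[ac].expected_wait_us(),
                                           -profile[ac].txop_us()))


def apply_edca_command(profile, ac, **changes):
    """Apply one `wmm edca client <ac> ...` command; returns a new profile dict."""
    if ac not in profile:
        raise ValueError("unknown access category: " + ac)
    unknown = set(changes) - set(EDCA_FIELDS)
    if unknown:
        raise ValueError("unknown EDCA parameters: " + ", ".join(sorted(unknown)))
    current = profile[ac]
    merged = {f: changes.get(f, getattr(current, f)) for f in EDCA_FIELDS}
    return {**profile, ac: Edca(**merged)}


if __name__ == "__main__":
    for ac in rank_by_priority(STA_DEFAULTS):
        p = STA_DEFAULTS[ac]
        print(f"{ac}: AIFS={p.aifs_us()} us  CWmin={p.cw_min()}  CWmax={p.cw_max()}  "
              f"TXOP={p.txop_us()} us  expected wait={p.expected_wait_us():.1f} us")
    # The roadmap in 12.7.7 wants video ahead of voice: shrinking AC_VI's
    # contention window below AC_VO's changes the ranking.
    print(rank_by_priority(apply_edca_command(STA_DEFAULTS, "ac-vi", ecwmin=1, ecwmax=2)))
```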

12.7.5 Configuring Priority Mapping


You can configure priority mapping to distinguish data priority and ensure that data of high-priority users is transmitted first.

Pre-configuration Tasks
Before configuring priority mapping, complete the following task:
l Configuring Basic WLAN Services

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
wlan

The WLAN view is displayed.


Step 3 Run:
traffic-profile { name profile-name | id profile-id }

The traffic profile view is displayed.


Step 4 Run the following commands as required to configure priority mapping.
l Use either of the following methods to set mappings from user priorities of 802.11 packets
to 802.1p priorities of 802.3 packets when data packets are sent from STAs to an AP.
  - If you do not want to distinguish service priorities of 802.3 packets, map user priorities
    of all 802.11 packets to a specified 802.1p priority of 802.3 packets. Run:
    8021p designate value

    User priorities of all 802.11 packets are mapped to a specified 802.1p priority of 802.3
    packets.
  - If you want to distinguish service priorities of 802.3 packets, map user priorities of 802.11
    packets to different 802.1p priorities of 802.3 packets. Run:
    8021p up-mapping value0 value1 value2 value3 value4 value5 value6 value7

    User priorities of 802.11 packets are mapped to different 802.1p priorities of 802.3
    packets.
  By default, mappings from user priorities of 802.11 packets to 802.1p priorities of 802.3
  packets are shown in Table 12-20.
  Table 12-20 Default mappings from user priorities of 802.11 packets to 802.1p priorities
  of 802.3 packets
  User-Priority | 802.1p
l Use either of the following methods to set mappings from 802.1p priorities of 802.3 packets
to user priorities of 802.11 packets when data packets are sent from the Internet to an AP.
  - Run:
    8021p-map-up value0 value1 value2 value3 value4 value5 value6 value7

    802.1p priorities of 802.3 packets are mapped to user priorities of 802.11 packets.
    By default, mappings from 802.1p priorities of 802.3 packets to user priorities of 802.11
    packets are shown in Table 12-21.
    Table 12-21 Mappings from 802.1p priorities of 802.3 packets to user priorities of 802.11
    packets
    802.1p | User-Priority
  - Run:
    tos-map-up value0 value1 value2 value3 value4 value5 value6 value7

    IP precedences of 802.3 packets are mapped to user priorities of 802.11 packets.
    By default, mappings from IP precedences of 802.3 packets to user priorities of 802.11
    packets are shown in Table 12-22.
    Table 12-22 Mappings from IP precedences to user priorities
    Precedence | User-Priority

l Use either of the following methods to set tunnel priority mappings when data packets are
sent from APs to an AC.
  NOTE
  The tunnel priority mapping is applicable to scenarios where data packets are sent in tunnel forwarding
  mode.
  - Run:
    tunnel-priority up designate { tos | 8021p } priority-value

    All IP precedences or 802.1p priorities are mapped to a tunnel priority.
  - Run:
    tunnel-priority up map { tos-tos | tos-8021p | 8021p-tos | 8021p-8021p } value0 value1 value2 value3 value4 value5 value6 value7

    IP precedences or 802.1p priorities are mapped to different tunnel priorities.
  By default, mappings from IP precedences of 802.3 packets to IP precedences in CAPWAP
  headers are used. Default mappings from IP precedences of 802.3 packets to IP precedences
  in CAPWAP headers are shown in Table 12-23.
  Table 12-23 Default mappings from IP precedences of 802.3 packets to IP precedences in
  CAPWAP headers
  IP Precedences of 802.3 Packets | IP Precedences in CAPWAP Headers

Step 5 Run:
quit

Return to the WLAN view.


Step 6 Run the commit { all | ap ap-id } command to deliver the configuration to APs.
----End

Checking the Configuration
l Run the display traffic-profile { all | id profile-id | name profile-name } command to
check the priority mapping configuration in a traffic profile.
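The following Python model is an added example, not code from this guide or the device, of the priority mapping commands above: it parses 8021p designate, 8021p up-mapping, 8021p-map-up, tos-map-up, tunnel-priority up designate and tunnel-priority up map into mapping tables, starting from the identity defaults of Table 12-17, and traces a packet's priority along the STA-AP-AC path of Figure 12-50 and back. Assumptions: the tunnel designate form writes the CAPWAP IP precedence, a tagged downstream frame is mapped from its 802.1p value rather than its IP precedence, and the profile name and sample commands are constructed.

```python
"""Added example: model of the traffic-profile priority mapping commands in 12.7.5.

Not code from the guide.  Defaults are the identity mappings of Table 12-17.
Assumptions: `tunnel-priority up designate` writes the CAPWAP IP precedence, and a
tagged downstream frame is mapped from its 802.1p value rather than its IP precedence.
"""
import shlex

IDENTITY = tuple(range(8))
TUNNEL_MODES = ("tos-tos", "tos-8021p", "8021p-tos", "8021p-8021p")


class PriorityMap:
    """Priority mapping state of one traffic profile (the name is constructed)."""

    def __init__(self, name):
        self.name = name
        self.up_to_8021p = IDENTITY            # STA -> AP: 802.11 UP -> 802.1p
        self.p8021_to_up = IDENTITY            # Internet -> AP: 802.1p -> UP
        self.tos_to_up = IDENTITY              # Internet -> AP: IP precedence -> UP
        self.tunnel = ("tos", "tos", IDENTITY)  # AP -> AC: (source, CAPWAP field, table)

    @staticmethod
    def _table(tokens):
        # value0 .. value7: one target priority per source priority, each in 0..7
        if len(tokens) != 8:
            raise ValueError("value0 .. value7 required (eight values)")
        vals = tuple(int(t) for t in tokens)
        if any(not 0 <= v <= 7 for v in vals):
            raise ValueError("priority values must be in 0..7")
        return vals

    def run(self, line):
        """Apply one command line typed in the traffic profile view."""
        t = shlex.split(line)
        if t[:2] == ["8021p", "designate"] and len(t) == 3:
            self.up_to_8021p = self._table([t[2]] * 8)   # every UP -> one 802.1p value
        elif t[:2] == ["8021p", "up-mapping"]:
            self.up_to_8021p = self._table(t[2:])
        elif t[:1] == ["8021p-map-up"]:
            self.p8021_to_up = self._table(t[1:])
        elif t[:1] == ["tos-map-up"]:
            self.tos_to_up = self._table(t[1:])
        elif t[:3] == ["tunnel-priority", "up", "designate"] and len(t) == 5:
            if t[3] not in ("tos", "8021p"):
                raise ValueError("source must be tos or 8021p")
            self.tunnel = (t[3], "tos", self._table([t[4]] * 8))  # assumption: target is tos
        elif t[:3] == ["tunnel-priority", "up", "map"] and len(t) == 12:
            if t[3] not in TUNNEL_MODES:
                raise ValueError("mode must be one of " + ", ".join(TUNNEL_MODES))
            src, dst = t[3].split("-")
            self.tunnel = (src, dst, self._table(t[4:]))
        else:
            raise ValueError("unrecognised priority mapping command: " + line)
        return self

    def upstream(self, up, tos):
        """STA -> AP -> AC: (802.1p put on the 802.3 frame, CAPWAP field, its value)."""
        p8021 = self.up_to_8021p[up]
        src, dst, table = self.tunnel
        return p8021, dst, table[p8021 if src == "8021p" else tos]

    def downstream(self, tos, p8021=None):
        """Internet -> AP -> STA: user priority written into the 802.11 header."""
        return self.p8021_to_up[p8021] if p8021 is not None else self.tos_to_up[tos]


if __name__ == "__main__":
    prof = PriorityMap("traffic-1")   # constructed profile name
    print("defaults:", prof.upstream(up=6, tos=5), prof.downstream(tos=5))
    # Flatten all wireless priorities on the wired side and let only the IP
    # precedence 4..7 classes keep a raised tunnel priority.
    prof.run("8021p designate 0").run("tunnel-priority up map tos-tos 0 0 0 0 4 4 6 6")
    print("after commands:", prof.upstream(up=6, tos=5), prof.downstream(tos=5))
```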

12.7.6 Configuring Traffic Policing


You can configure traffic policing to limit the STA transmission rate or AP forwarding rate,
which prevents network congestion.

Pre-configuration Tasks
Before configuring traffic policing, complete the following task:
l Configuring Basic WLAN Services

Configuration Process
The following configuration tasks are optional and can be configured as required. VAP-based
traffic policing and user-based traffic policing can be configured simultaneously, but the rate
limit in VAP-based traffic policing must be larger than that in user-based traffic policing.

Configuring VAP-based Traffic Policing


Context
To protect network resources and prevent network congestion, you can configure VAP-based
traffic policing to limit the rate of traffic entering the WLAN.
VAP-based traffic policing:
l Traffic policing can be configured in a traffic profile to limit the rate of upstream and
downstream traffic of all users on the VAP bound to the traffic profile.
l Traffic policing can be configured on a WLAN-ESS interface to limit the rate of upstream
and downstream traffic of all users on the VAP bound to the WLAN-ESS interface. Each
WLAN-ESS interface corresponds to an extended service set (ESS) and each ESS has one
SSID. Therefore, traffic policing on a WLAN-ESS interface is also called SSID-based
traffic policing.

Procedure
l Configuring traffic policing in a traffic profile
  1. Run:
     system-view

     The system view is displayed.
  2. Run:
     wlan

     The WLAN view is displayed.
  3. Run:
     traffic-profile { name profile-name | id profile-id }

     The traffic profile view is displayed.
  4. Run:
     rate-limit vap { up | down } rate-limit-value

     The rate limit is configured for upstream and downstream traffic on all STAs
     associated with a VAP.
     By default, the rate limit for upstream and downstream traffic on all STAs associated
     with a VAP is 4294967295, in kbit/s.
  5. Run:
     quit

     Return to the WLAN view.
  6. Run the commit { all | ap ap-id } command to deliver the configuration to APs.
l Use either of the following methods to configure traffic policing on a WLAN-ESS interface.
  - Binding a QoS CAR profile to a WLAN-ESS interface
    In this method, the rate of all traffic is monitored and limited within a proper range so
    that network resources are protected.
    1. Run:
       system-view

       The system view is displayed.
    2. Run:
       qos car car-name cir cir-value [ cbs cbs-value [ pbs pbs-value ] | pir pir-value [ cbs cbs-value pbs pbs-value ] ]

       A QoS CAR profile is created.
    3. Run:
       interface wlan-ess wlan-ess-number

       The WLAN-ESS interface view is displayed.
    4. Run:
       qos car { inbound | outbound } car-name

       The QoS CAR profile is bound to a WLAN-ESS interface.
       By default, no QoS CAR profile is bound to a WLAN-ESS interface.
    5. Run:
       quit

       Return to the system view.
    6. Run:
       wlan

       The WLAN view is displayed.
    7. Run the commit { all | ap ap-id } command to deliver the configuration to APs.
  - Binding a traffic policy to a WLAN-ESS interface
    In this method, traffic is classified on the device and only traffic matching the traffic
    classification rule is monitored. The matched traffic is limited within a proper range and
    network resources are protected.
    1. Run:
       system-view

       The system view is displayed.
    2. Configure a traffic classifier by selecting proper traffic classification rules. For
       details, see Configuring Complex Traffic Classification.
    3. Run:
       traffic behavior behavior-name

       A traffic behavior is created.
    4. Run:
       car cir cir-value [ pir pir-value ] [ cbs cbs-value pbs pbs-value ] [ green { discard | pass [ remark-dscp dscp-value | remark-8021p 8021p-precedence ] } ] [ yellow { discard | pass [ remark-dscp dscp-value | remark-8021p 8021p-precedence ] } ] [ red { discard | pass [ remark-dscp dscp-value | remark-8021p 8021p-precedence ] } ]

       Traffic policing behaviors are configured.
    5. Run:
       quit

       Return to the system view.
    6. Run:
       traffic policy policy-name [ match-order { auto | config } ]

       A traffic policy is created and the traffic policy view is displayed.
    7. Run:
       classifier classifier-name behavior behavior-name

       The traffic classifier is bound to the traffic behavior in the traffic policy.
    8. Run:
       interface wlan-ess wlan-ess-number

       The WLAN-ESS interface view is displayed.
    9. Run:
       traffic-policy policy-name { inbound | outbound }

       The traffic policy is bound to a WLAN-ESS interface.
       By default, no traffic policy is bound to a WLAN-ESS interface.
    10. Run:
       quit

       Return to the system view.
    11. Run:
       wlan

       The WLAN view is displayed.
    12. Run the commit { all | ap ap-id } command to deliver the configuration to APs.
----End

Checking the Configuration
l Run the display traffic-profile { all | id profile-id | name profile-name } command to
check the configuration of the rate limit for upstream and downstream traffic of all STAs
in the VAP in the traffic profile.
l Run the display qos car { all | name car-name } command to check the configuration of
the QoS CAR profile.
l Run the display traffic policy user-defined [ policy-name [ classifier classifier-name ] ]
command to check the configuration of the traffic policy.

Configuring User-based Traffic Policing


Context
To protect network resources and prevent network congestion, you can configure user-based
traffic policing to limit the rate of traffic entering the WLAN.
User-based traffic policing:
l Traffic policing can be configured in a traffic profile to limit the rate of upstream and
downstream traffic of a specified user on the VAP bound to the traffic profile.
l Traffic policing can be configured in a user profile by binding a QoS CAR profile to a user
profile and then binding the user profile to a service set. In this way, traffic policing can
limit the rate of upstream and downstream traffic of a specified user on the VAP bound to
the service set.
l Traffic policing can be configured in a QoS profile by configuring traffic policing
parameters in the QoS profile and binding the QoS profile to a user group. After the
configuration is delivered to the user group through an authentication server, such as a
RADIUS server, traffic policing limits the traffic rate of a specified user. This method is
applicable to scenarios where NAC is enabled on users.

Pre-configuration Tasks
Before configuring traffic policing, complete the following task:
l 8.3 NAC Configuration (for wireless users)

Procedure
l Configuring traffic policing in a traffic profile
  1. Run:
     system-view

     The system view is displayed.
  2. Run:
     wlan

     The WLAN view is displayed.
  3. Run:
     traffic-profile { name profile-name | id profile-id }

     The traffic profile view is displayed.
  4. Run:
     rate-limit client { up | down } rate-limit-value

     The rate limit is configured for upstream and downstream traffic on a specified STA
     associated with a VAP.
     By default, the rate limit for upstream and downstream traffic on a specified STA
     associated with a VAP is 4294967295, in kbit/s.
  5. Run:
     quit

     Return to the WLAN view.
  6. Run the commit { all | ap ap-id } command to deliver the configuration to APs.
l Configuring traffic policing in a user profile
  1. Run:
     system-view

     The system view is displayed.
  2. Run:
     qos car car-name cir cir-value [ cbs cbs-value [ pbs pbs-value ] | pir pir-value [ cbs cbs-value pbs pbs-value ] ]

     A QoS CAR profile is created.
  3. Run:
     wlan

     The WLAN view is displayed.
  4. Run:
     user-profile { name profile-name | id profile-id }

     A user profile is configured.
  5. Run:
     qos car { inbound | outbound } car-name

     A QoS CAR profile is bound to the user profile.
     By default, no QoS CAR profile is bound to a user profile.
  6. Run:
     quit

     Exit from the user profile view.
  7. Run:
     service-set { name service-set-name | id service-set-id }

     The service set view is displayed.
  8. Run:
     user-profile { name profile-name | id profile-id }

     A user profile is bound to a service set.
  9. Run:
     quit

     Exit from the service set view.
  10. Run the commit { all | ap ap-id } command to deliver the configuration to APs.
l Configuring traffic policing in a QoS profile
  NOTE
  Modifications to a QoS profile take effect only for subsequent users and do not affect current online users.
  1. Run:
     system-view

     The system view is displayed.
  2. Run:
     qos-profile name profile-name

     A QoS profile is created.
  3. (Optional) Run:
     description description

     The description of the QoS profile is configured.
  4. Run:
     car { inbound | outbound } cir cir-value [ pir pir-value [ cbs cbs-value pbs pbs-value ] ]

     Traffic policing parameters are configured in the QoS profile.
  5. Run:
     quit

     Exit from the QoS profile view.
  6. Run:
     user-group group-name

     A user group is created and the user group view is displayed.
  7. Run:
     qos-profile name

     The QoS profile is bound to the user group in the user group view.
  8. Run:
     quit

     Exit from the user group view.
  NOTE
  After the user group configuration is complete, bind the user group to a specified AAA domain to
  ensure that the authentication server can deliver the configuration to the user group.
----End

Checking the Configuration
l Run the display traffic-profile { all | id profile-id | name profile-name } command to
check the configuration of the rate limit for upstream and downstream traffic of a specified
STA in the VAP in the traffic profile.
l Run the display user-profile { all | id profile-id | name profile-name } command to check
the user profile configuration.
l Run the display qos-profile { all | name profile-name } command to check the QoS profile
configuration.
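The following Python model is an added example, not the device's implementation, of the colouring and per-colour actions behind the car commands used above in a traffic behavior (car cir ... green/yellow/red ...) and in a QoS profile (car { inbound | outbound } cir ... pir ... cbs ... pbs ...). It is a two-rate three-colour token-bucket marker assumed to follow the RFC 2698 colour-blind algorithm; cir and pir are taken in kbit/s and cbs and pbs in bytes, which is an assumption about the CLI units, and the packet trace is constructed.

```python
"""Added example: model of the CAR colouring behind the `car cir ... pir ... cbs ... pbs`
commands in 12.7.6 (traffic behavior and QoS profile).  Not the device's implementation:
a two-rate three-colour marker in the style of RFC 2698 (colour-blind), with cir/pir in
kbit/s and cbs/pbs in bytes (assumed CLI units) and the green/yellow/red actions of the
`car` command applied per packet.
"""
from dataclasses import dataclass, field


@dataclass
class ColorAction:
    action: str = "pass"         # discard | pass
    remark_dscp: int = None      # pass remark-dscp dscp-value
    remark_8021p: int = None     # pass remark-8021p 8021p-precedence


@dataclass
class Car:
    cir: int                     # committed information rate, kbit/s
    cbs: int                     # committed burst size, bytes
    pir: int = None              # peak information rate, kbit/s; defaults to cir
    pbs: int = None              # peak burst size, bytes; defaults to cbs
    green: ColorAction = field(default_factory=ColorAction)
    yellow: ColorAction = field(default_factory=ColorAction)
    red: ColorAction = field(default_factory=lambda: ColorAction("discard"))

    def __post_init__(self):
        if self.pir is None:
            self.pir = self.cir
        if self.pbs is None:
            self.pbs = self.cbs
        if self.pir < self.cir or self.pbs < self.cbs:
            raise ValueError("pir must be >= cir and pbs must be >= cbs")
        self.tc = self.cbs       # committed bucket (tokens in bytes), starts full
        self.tp = self.pbs       # peak bucket, starts full
        self.last_us = 0

    def _refill(self, now_us):
        # kbit/s * us / 8000 = bytes added since the previous packet
        elapsed = now_us - self.last_us
        self.last_us = now_us
        self.tc = min(self.cbs, self.tc + self.cir * elapsed // 8000)
        self.tp = min(self.pbs, self.tp + self.pir * elapsed // 8000)

    def color(self, now_us, size):
        """Colour one packet of `size` bytes arriving at `now_us` (RFC 2698 order)."""
        self._refill(now_us)
        if self.tp < size:       # exceeds even the peak allowance
            return "red"
        if self.tc < size:       # within peak, beyond committed
            self.tp -= size
            return "yellow"
        self.tp -= size
        self.tc -= size
        return "green"

    def police(self, now_us, size, dscp=0, p8021=0):
        """Return (colour, forwarded, dscp, 802.1p) after applying the colour's action."""
        c = self.color(now_us, size)
        act = {"green": self.green, "yellow": self.yellow, "red": self.red}[c]
        if act.action == "discard":
            return c, False, dscp, p8021
        if act.remark_dscp is not None:
            dscp = act.remark_dscp
        if act.remark_8021p is not None:
            p8021 = act.remark_8021p
        return c, True, dscp, p8021


def run_trace(car, packets):
    """packets: iterable of (arrival_us, size_bytes); returns the colour of each."""
    return [car.color(t, s) for t, s in packets]


if __name__ == "__main__":
    # Constructed trace: three 1500-byte frames back to back, then one 10 ms later.
    # car cir 1000 pir 2000 cbs 2000 pbs 4000 yellow pass remark-dscp 10 red discard
    car = Car(cir=1000, cbs=2000, pir=2000, pbs=4000,
              yellow=ColorAction("pass", remark_dscp=10))
    for t, size in [(0, 1500), (0, 1500), (0, 1500), (10000, 1500)]:
        print(t, size, car.police(t, size, dscp=46, p8021=5))
```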

12.7.7 Configuration Examples


This section provides WLAN QoS configuration examples, including networking requirements,
configuration roadmap, and configuration procedure.

Example for Configuring WMM


Networking Requirements
As shown in Figure 12-51, the AP is directly connected to the AC. An enterprise branch needs
to deploy basic WLAN services for mobile office so that branch users can access internal network
resources anywhere at any time.
Voice, video, and data services are transmitted within the coverage of the AP. Users expect that
video services preferentially preempt channels and have the highest priority to use wireless
network resources.

Figure 12-51 Networking diagram for configuring WMM
[Figure: STAs - AP - GE0/0/1 (VLAN100) - AC - GE0/0/2 (VLAN101) - Internet. Management VLAN: VLAN100; service VLAN: VLAN101; AP region ID: 10.]

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure basic WLAN services so that users can connect to the wireless network.
2. Configure parameters in the WMM profile used by the AP so that video services have
higher priorities over voice and data services and preferentially use the bandwidth.
NOTE

The AC6605 has the wired side and wireless side. XGE0/0/27 connects the wired side to the wireless side
and XGE0/0/1 connects the wireless side to the wired side. For details about the login modes on the wired
side and wireless side, see 11.1 Configuring User Login.

Procedure
Step 1 Configure the AC wired side and wireless side so that the AP and AC can transmit CAPWAP
packets.
# Configure the AC wired side: add wired-side interface GE0/0/1 to management VLAN 100,
and add XGE0/0/27 that connects the wired side to the wireless side to the same VLAN.
NOTE

In this example, tunnel forwarding is used. If direct forwarding is used, configure port isolation on GE0/0/1
that connects the AC wired side to the AP. If port isolation is not configured, many broadcast packets will
be transmitted in the VLANs or WLAN users on different APs can directly communicate at Layer 2.
<Quidway> system-view
[Quidway] sysname AC-LSW
[AC-LSW] vlan batch 100
[AC-LSW] interface gigabitethernet 0/0/1
[AC-LSW-GigabitEthernet0/0/1] port link-type trunk
[AC-LSW-GigabitEthernet0/0/1] port trunk pvid vlan 100
[AC-LSW-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[AC-LSW-GigabitEthernet0/0/1] quit
[AC-LSW] interface xgigabitethernet 0/0/27
[AC-LSW-XGigabitEthernet0/0/27] port link-type trunk
[AC-LSW-XGigabitEthernet0/0/27] port trunk allow-pass vlan 100
[AC-LSW-XGigabitEthernet0/0/27] quit

# Add XGE0/0/1 that connects the AC wireless side to the wired side to VLAN 100.
<Quidway> system-view
[Quidway] sysname AC
[AC] vlan batch 100
[AC] interface xgigabitethernet 0/0/1
[AC-XGigabitEthernet0/0/1] port link-type trunk
[AC-XGigabitEthernet0/0/1] port trunk allow-pass vlan 100
[AC-XGigabitEthernet0/0/1] quit

Step 2 Configure the AC to communicate with the upstream device.


NOTE

Configure AC uplink interfaces to transparently transmit packets of service VLANs as required and
communicate with the upstream device.

# Add XGE0/0/1 that connects the AC wireless side to the wired side to service VLAN 101.
[AC] vlan batch 101
[AC] interface xgigabitethernet 0/0/1
[AC-XGigabitEthernet0/0/1] port link-type trunk
[AC-XGigabitEthernet0/0/1] port trunk allow-pass vlan 101
[AC-XGigabitEthernet0/0/1] quit

# Add XGE0/0/27 that connects the AC wired side to the wireless side and AC uplink interface
GE0/0/2 to VLAN 101.
[AC-LSW] vlan batch 101
[AC-LSW] interface xgigabitethernet 0/0/27
[AC-LSW-XGigabitEthernet0/0/27] port link-type trunk
[AC-LSW-XGigabitEthernet0/0/27] port trunk allow-pass vlan 101
[AC-LSW-XGigabitEthernet0/0/27] quit
[AC-LSW] interface gigabitethernet 0/0/2
[AC-LSW-GigabitEthernet0/0/2] port link-type trunk
[AC-LSW-GigabitEthernet0/0/2] port trunk allow-pass vlan 101
[AC-LSW-GigabitEthernet0/0/2] quit

Step 3 Configure the AC as a DHCP server to allocate IP addresses to STAs and the AP.
# Configure the AC as the DHCP server to allocate an IP address to the AP from the IP address
pool on VLANIF 100, and allocate IP addresses to STAs from the IP address pool on VLANIF
101.
[AC] dhcp enable
[AC] interface vlanif 100
[AC-Vlanif100] ip address 192.168.10.1 24
[AC-Vlanif100] dhcp select interface
[AC-Vlanif100] quit
[AC] interface vlanif 101
[AC-Vlanif101] ip address 192.168.11.1 24
[AC-Vlanif101] dhcp select interface
[AC-Vlanif101] quit

Step 4 Configure AC system parameters.


# Configure the country code.
[AC] wlan ac-global country-code cn

# Configure the AC ID and carrier ID.


[AC] wlan ac-global ac id 1 carrier id other

# Configure the source interface.


[AC] wlan
[AC-wlan-view] wlan ac source interface vlanif 100

Step 5 Manage the AP on the AC.


# Check the AP type ID after obtaining the MAC address of the AP.
[AC-wlan-view] display ap-type all
All AP types information:
------------------------------------------------------------------------------
ID      Type
------------------------------------------------------------------------------
0       WA601
1       WA631
6       WA603SN
7       WA603DN
8       WA633SN
11      WA603DE
12      WA653DE
14      WA653SN
17      AP6010SN-GN
19      AP6010DN-AGN
21      AP6310SN-GN
23      AP6510DN-AGN
25      AP6610DN-AGN
27      AP7110SN-GN
28      AP7110DN-AGN
29      AP5010SN-GN
30      AP5010DN-AGN
31      AP3010DN-AGN
33      AP6510DN-AGN-US
34      AP6610DN-AGN-US
------------------------------------------------------------------------------
Total number: 20

# Add the AP offline based on the AP type ID. Assume that the AP type is AP6010DN-AGN,
and the MAC address of the AP is 5489-9846-1dd4.
[AC-wlan-view] ap-auth-mode mac-auth
[AC-wlan-view] ap id 0 type-id 19 mac 5489-9846-1dd4
[AC-wlan-ap-0] quit
NOTE

The default AP authentication mode is MAC address authentication. If the default settings are retained, you do
not need to run the ap-auth-mode mac-auth command.

# Configure an AP region and add the AP to the AP region.


[AC-wlan-view] ap-region id 10
[AC-wlan-ap-region-10] quit
[AC-wlan-view] ap id 0
[AC-wlan-ap-0] region-id 10
[AC-wlan-ap-0] quit

# After powering on the AP, run the display ap all command on the AC to check the AP running
status. The command output shows that the AP status is normal.
[AC-wlan-view] display ap all
All AP information(Normal-1,UnNormal-0):
------------------------------------------------------------------------------
AP   AP             AP               Profile   AP       AP
ID   Type           MAC              /Region   State    Sysname
                                     ID
------------------------------------------------------------------------------
0    AP6010DN-AGN   5489-9846-1dd4   0/10      normal   ap-0
------------------------------------------------------------------------------
Total number: 1

Step 6 Configure WLAN service parameters.


# Create a WMM profile named wmm and set WMM parameters.
[AC-wlan-view] wmm-profile name wmm id 1
[AC-wlan-wmm-prof-wmm] wmm edca ap ac-vo ecw ecwmin 3 ecwmax 4 txoplimit 94
[AC-wlan-wmm-prof-wmm] wmm edca ap ac-vi ecw ecwmin 2 ecwmax 3 txoplimit 47
[AC-wlan-wmm-prof-wmm] wmm edca client ac-vo ecw ecwmin 3 ecwmax 4 txoplimit 94
[AC-wlan-wmm-prof-wmm] wmm edca client ac-vi ecw ecwmin 2 ecwmax 3 txoplimit 47
[AC-wlan-wmm-prof-wmm] quit

# Create a radio profile named radio and bind WMM profile wmm to the radio profile.
[AC-wlan-view] radio-profile name radio id 1
[AC-wlan-radio-prof-radio] wmm-profile name wmm
[AC-wlan-radio-prof-radio] quit
[AC-wlan-view] quit

# Create WLAN-ESS interface 1.


NOTE

To enable the AC to allocate IP addresses to STAs, run the dhcp enable command on the WLAN-ESS
interface to enable DHCP on the AC.
[AC] interface wlan-ess 1
[AC-Wlan-Ess1] dhcp enable
[AC-Wlan-Ess1] port link-type hybrid
[AC-Wlan-Ess1] port hybrid pvid vlan 101
[AC-Wlan-Ess1] port hybrid untagged vlan 101
[AC-Wlan-Ess1] quit

# Create a security profile named security and retain the default configurations. The
authentication mode is open system authentication and the encryption mode is no encryption.
[AC] wlan
[AC-wlan-view] security-profile name security id 1
[AC-wlan-sec-prof-security] quit

# Create a traffic profile named traffic and retain the default configurations in the profile.
[AC-wlan-view] traffic-profile name traffic id 1
[AC-wlan-traffic-prof-traffic] quit

# Create a service set named test and bind the WLAN-ESS interface, security profile, and traffic
profile to the service set.
[AC-wlan-view] service-set name test id 1
[AC-wlan-service-set-test] ssid test
[AC-wlan-service-set-test] wlan-ess 1
[AC-wlan-service-set-test] security-profile name security
[AC-wlan-service-set-test] traffic-profile name traffic
[AC-wlan-service-set-test] service-vlan 101
[AC-wlan-service-set-test] forward-mode tunnel
[AC-wlan-service-set-test] quit

# Configure a VAP.
[AC-wlan-view] ap 0 radio 0
[AC-wlan-radio-0/0] radio-profile name radio
Warning: Modify the Radio type may cause some parameters of Radio resume defaul
t value, are you sure to continue?[Y/N]:y
[AC-wlan-radio-0/0] service-set name test
[AC-wlan-radio-0/0] quit

# Commit the configuration.


[AC-wlan-view] commit ap 0
Warning: Committing configuration may cause service interruption,continue?[Y/N]y

Step 7 Verify the configuration.


After the configuration is complete, run the display vap ap 0 radio 0 command. You can see
that the VAP is created.
[AC-wlan-view] display vap ap 0 radio 0
All VAP Information(Total-1):
SS: Service-set
BP: Bridge-profile
------------------------------------------------------------------
AP ID   Radio ID   SS ID   BP ID   WLAN ID   BSSID            Type
0       0          1               1         60de-4476-e360   service
------------------------------------------------------------------

The STA searches for the wireless network with the SSID test and attempts to associate with the
network. Then run the display station assoc-info command on the AC. You can see that the STA
is associated with the wireless network test.
[AC-wlan-view] display station assoc-info ap 0 radio 0
------------------------------------------------------------------------------
STA MAC          AP-ID   RADIO-ID   SS-ID   SSID
------------------------------------------------------------------------------
9021-55dc-3e17   0       0          1       test
------------------------------------------------------------------------------
Total stations: 1

Run the display wmm-profile name wmm command on the AC to view the WMM profile
configuration. You can see that AC_VI packets have a higher priority than AC_VO packets (smaller
ECWmin and ECWmax values), so video services take precedence on the channel.
[AC-wlan-view] display wmm-profile name wmm
Profile ID      : 1
Profile name    : wmm
WMM switch      : enable
Mandatory switch: disable
Client EDCA parameters:
--------------------------------------------------
        ECWmax  ECWmin  AIFSN  TXOPLimit
AC_VO   4       3       2      94
AC_VI   3       2       2      47
AC_BE   10      4       3      0
AC_BK   10      4       7      0
--------------------------------------------------
AP EDCA parameters:
--------------------------------------------------
        ECWmax  ECWmin  AIFSN  TXOPLimit  Ack-Policy
AC_VO   4       3       1      94         normal
AC_VI   3       2       1      47         normal
AC_BE   6       4       3      0          normal
AC_BK   10      4       7      0          normal
--------------------------------------------------
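The EDCA values in this output decide channel access indirectly, through the contention window and the AIFS. The following Python script is an added example, not part of this guide and not AC software: it takes the AP EDCA table printed above, converts ECWmin/ECWmax to CWmin/CWmax (CW = 2^ECW - 1), AIFSN to AIFS, and the TXOP limit to microseconds, and ranks the access categories by their mean wait before a first transmission attempt. The 9 us slot time and 16 us SIFS are assumed OFDM PHY values; the mean-wait figure ignores collisions and other stations and is only a way to compare the categories with each other.

```python
"""EDCA contention parameters behind the WMM profile output above.

Added example, not part of this guide or the AC software. It derives the
802.11e channel-access quantities from the ECWmin/ECWmax/AIFSN/TXOPLimit
values as 'display wmm-profile name wmm' prints them.
"""

# Constructed copy of the "AP EDCA parameters" table above:
# AC -> (ECWmax, ECWmin, AIFSN, TXOPLimit).
AP_EDCA = {
    "AC_VO": (4, 3, 1, 94),
    "AC_VI": (3, 2, 1, 47),
    "AC_BE": (6, 4, 3, 0),
    "AC_BK": (10, 4, 7, 0),
}

# PHY timing is an assumption for the illustration: OFDM PHYs (802.11a/g/n)
# use a 9 us slot and a 16 us SIFS. The TXOP limit unit is fixed by 802.11e.
SLOT_US = 9
SIFS_US = 16
TXOP_UNIT_US = 32


def contention_window(ecw):
    """CW = 2**ECW - 1: ECWmin 3 gives CWmin 7, ECWmax 4 gives CWmax 15."""
    return (1 << ecw) - 1


def aifs_us(aifsn, slot_us=SLOT_US, sifs_us=SIFS_US):
    """AIFS = SIFS + AIFSN * slot time; a smaller AIFSN wins the idle-channel race."""
    return sifs_us + aifsn * slot_us


def txop_limit_us(txoplimit):
    """TXOPLimit is encoded in 32 us units; 94 -> 3008 us, 47 -> 1504 us."""
    return txoplimit * TXOP_UNIT_US


def expected_access_delay_us(params, slot_us=SLOT_US, sifs_us=SIFS_US):
    """Mean wait before an AC's first transmission attempt on an idle channel.

    The initial backoff is uniform over [0, CWmin] slots, so its mean is
    CWmin / 2 slots. CWmax only matters after collisions and is ignored here,
    as are other stations, so this is a comparison figure, not a latency.
    """
    ecwmax, ecwmin, aifsn, _txoplimit = params
    cwmin = contention_window(ecwmin)
    return aifs_us(aifsn, slot_us, sifs_us) + cwmin / 2 * slot_us


def rank_access_categories(edca):
    """Access categories ordered from most to least aggressive channel access."""
    return sorted(edca, key=lambda ac: expected_access_delay_us(edca[ac]))


def describe(edca):
    """One summary line per AC, used by the stand-alone run below."""
    lines = []
    for ac, params in edca.items():
        ecwmax, ecwmin, aifsn, txop = params
        lines.append(
            f"{ac}: CWmin={contention_window(ecwmin)} CWmax={contention_window(ecwmax)} "
            f"AIFS={aifs_us(aifsn)}us mean_wait={expected_access_delay_us(params):.1f}us "
            f"TXOP={txop_limit_us(txop)}us")
    return lines


if __name__ == "__main__":
    print("\n".join(describe(AP_EDCA)))
    print("channel access order:", " > ".join(rank_access_categories(AP_EDCA)))
```

With the example's values, AC_VI has CWmin 3 against CWmin 7 for AC_VO at the same AIFSN, so it comes first in the ranking; swapping the two ECW pairs back to their defaults restores the usual AC_VO first order.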

----End

Configuration Files

Configuration file of the AC wired side


#
sysname AC-LSW
#
vlan batch 100 to 101
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 101
#
interface XGigabitEthernet0/0/27
port link-type trunk
port trunk allow-pass vlan 100 to 101
#
return

Configuration file of the AC wireless side


#
sysname AC
#
vlan batch 100 to 101
#
dhcp enable
#
wlan ac-global carrier id other ac id 1
#
interface Vlanif100
ip address 192.168.10.1 255.255.255.0
dhcp select interface
#
interface Vlanif101
ip address 192.168.11.1 255.255.255.0
dhcp select interface
#
interface XGigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100 to 101
#
interface Wlan-Ess1
port hybrid pvid vlan 101
port hybrid untagged vlan 101
dhcp enable
#
wlan
wlan ac source interface vlanif100
ap-region id 10
ap id 0 type-id 19 mac 0025-c401-9ae0 sn 190901007618
region-id 10
wmm-profile name wmm id 1
wmm edca ap ac-vi aifsn 1 ecw ecwmin 2 ecwmax 3 txoplimit
47
wmm edca ap ac-vo aifsn 1 ecw ecwmin 3 ecwmax 4 txoplimit
94
wmm edca client ac-vi aifsn 2 ecw ecwmin 2 ecwmax 3 txoplimit
47
wmm edca client ac-vo aifsn 2 ecw ecwmin 3 ecwmax 4 txoplimit
94
traffic-profile name traffic id 1
security-profile name security id 1
service-set name test id 1
forward-mode tunnel
wlan-ess 1
ssid test
traffic-profile id 1
security-profile id 1
service-vlan 101
radio-profile name radio id 1
wmm-profile id 1
ap 0 radio 0
radio-profile id 1
service-set id 1 wlan 1
#
return

Example for Configuring Priority Mapping

Networking Requirements
As shown in Figure 12-52, the AP is directly connected to the AC. An enterprise branch needs
to deploy basic WLAN services for mobile office so that branch users can access internal network
resources anywhere at any time.
Voice, video, and data services are transmitted within the coverage of the AP. Users expect that
video services are preferentially forwarded by the AP and AC and have the highest priority to
use wireless network resources.
Figure 12-52 Networking diagram for configuring priority mapping (diagram: STAs associate with the AP; the AP connects to AC interface GE0/0/1 in VLAN100; AC interface GE0/0/2 in VLAN101 connects to the Internet. Management VLAN: VLAN100; service VLAN: VLAN101; AP region ID: 10)

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure basic WLAN services so that users can connect to the wireless network.
2. Configure priority mapping in the traffic profile so that video services have a higher priority
than voice and data services and preferentially use the bandwidth.
NOTE

The AC6605 has the wired side and wireless side. XGE0/0/27 connects the wired side to the wireless side
and XGE0/0/1 connects the wireless side to the wired side. For details about the login modes on the wired
side and wireless side, see 11.1 Configuring User Login.

Procedure
Step 1 Configure the AC wired side and wireless side so that the AP and AC can transmit CAPWAP
packets.
# Configure the AC wired side: add wired-side interface GE0/0/1 to management VLAN 100,
and add XGE0/0/27 that connects the wired side to the wireless side to the same VLAN.
NOTE

In this example, tunnel forwarding is used. If direct forwarding is used, configure port isolation on GE0/0/1
that connects the AC wired side to the AP. If port isolation is not configured, many broadcast packets will
be transmitted in the VLANs or WLAN users on different APs can directly communicate at Layer 2.
<Quidway> system-view
[Quidway] sysname AC-LSW
[AC-LSW] vlan batch 100
[AC-LSW] interface gigabitethernet 0/0/1
[AC-LSW-GigabitEthernet0/0/1] port link-type trunk
[AC-LSW-GigabitEthernet0/0/1] port trunk pvid vlan 100
[AC-LSW-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[AC-LSW-GigabitEthernet0/0/1] quit
[AC-LSW] interface xgigabitethernet 0/0/27
[AC-LSW-XGigabitEthernet0/0/27] port link-type trunk
[AC-LSW-XGigabitEthernet0/0/27] port trunk allow-pass vlan 100
[AC-LSW-XGigabitEthernet0/0/27] quit

# Add XGE0/0/1 that connects the AC wireless side to the wired side to VLAN 100.
<Quidway> system-view
[Quidway] sysname AC
[AC] vlan batch 100
[AC] interface xgigabitethernet 0/0/1
[AC-XGigabitEthernet0/0/1] port link-type trunk
[AC-XGigabitEthernet0/0/1] port trunk allow-pass vlan 100
[AC-XGigabitEthernet0/0/1] quit

Step 2 Configure the AC to communicate with the upstream device.


NOTE

Configure AC uplink interfaces to transparently transmit packets of service VLANs as required and
communicate with the upstream device.

# Add XGE0/0/1 that connects the AC wireless side to the wired side to service VLAN 101.
[AC] vlan batch 101
[AC] interface xgigabitethernet 0/0/1
[AC-XGigabitEthernet0/0/1] port link-type trunk
[AC-XGigabitEthernet0/0/1] port trunk allow-pass vlan 101
[AC-XGigabitEthernet0/0/1] quit

# Add XGE0/0/27 that connects the AC wired side to the wireless side and AC uplink interface
GE0/0/2 to VLAN 101.
[AC-LSW] vlan batch 101
[AC-LSW] interface xgigabitethernet 0/0/27
[AC-LSW-XGigabitEthernet0/0/27] port link-type trunk
[AC-LSW-XGigabitEthernet0/0/27] port trunk allow-pass vlan 101
[AC-LSW-XGigabitEthernet0/0/27] quit
[AC-LSW] interface gigabitethernet 0/0/2
[AC-LSW-GigabitEthernet0/0/2] port link-type trunk
[AC-LSW-GigabitEthernet0/0/2] port trunk allow-pass vlan 101
[AC-LSW-GigabitEthernet0/0/2] quit

Step 3 Configure the AC as a DHCP server to allocate IP addresses to STAs and the AP.
# Configure the AC as the DHCP server to allocate an IP address to the AP from the IP address
pool on VLANIF 100, and allocate IP addresses to STAs from the IP address pool on VLANIF
101.
[AC] dhcp enable
[AC] interface vlanif 100
[AC-Vlanif100] ip address 192.168.10.1 24
[AC-Vlanif100] dhcp select interface
[AC-Vlanif100] quit
[AC] interface vlanif 101
[AC-Vlanif101] ip address 192.168.11.1 24
[AC-Vlanif101] dhcp select interface
[AC-Vlanif101] quit

Step 4 Configure AC system parameters.


# Configure the country code.
[AC] wlan ac-global country-code cn

# Configure the AC ID and carrier ID.


[AC] wlan ac-global ac id 1 carrier id other

# Configure the source interface.


[AC] wlan
[AC-wlan-view] wlan ac source interface vlanif 100

Step 5 Manage the AP on the AC.


# Check the AP type ID after obtaining the MAC address of the AP.
[AC-wlan-view] display ap-type all
All AP types information:
------------------------------------------------------------------------------
ID      Type
------------------------------------------------------------------------------
0       WA601
1       WA631
6       WA603SN
7       WA603DN
8       WA633SN
11      WA603DE
12      WA653DE
14      WA653SN
17      AP6010SN-GN
19      AP6010DN-AGN
21      AP6310SN-GN
23      AP6510DN-AGN
25      AP6610DN-AGN
27      AP7110SN-GN
28      AP7110DN-AGN
29      AP5010SN-GN
30      AP5010DN-AGN
31      AP3010DN-AGN
33      AP6510DN-AGN-US
34      AP6610DN-AGN-US
------------------------------------------------------------------------------
Total number: 20

# Add the AP offline based on the AP type ID. Assume that the AP type is AP6010DN-AGN,
and the MAC address of the AP is 5489-9846-1dd4.
[AC-wlan-view] ap-auth-mode mac-auth
[AC-wlan-view] ap id 0 type-id 19 mac 5489-9846-1dd4
[AC-wlan-ap-0] quit
NOTE

The default AP authentication mode is MAC address authentication. If the default settings are retained, you do
not need to run the ap-auth-mode mac-auth command.

# Configure an AP region and add the AP to the AP region.


[AC-wlan-view] ap-region id 10
[AC-wlan-ap-region-10] quit
[AC-wlan-view] ap id 0
[AC-wlan-ap-0] region-id 10
[AC-wlan-ap-0] quit

# After powering on the AP, run the display ap all command on the AC to check the AP running
status. The command output shows that the AP status is normal.
[AC-wlan-view] display ap all
All AP information(Normal-1,UnNormal-0):
------------------------------------------------------------------------------
AP   AP             AP               Profile   AP       AP
ID   Type           MAC              /Region   State    Sysname
                                     ID
------------------------------------------------------------------------------
0    AP6010DN-AGN   5489-9846-1dd4   0/10      normal   ap-0
------------------------------------------------------------------------------
Total number: 1

Step 6 Configure WLAN service parameters.


# Create a WMM profile named wmm and retain the default configurations in the profile.
[AC-wlan-view] wmm-profile name wmm id 1
[AC-wlan-wmm-prof-wmm] quit

# Create a radio profile named radio and bind WMM profile wmm to the radio profile.
[AC-wlan-view] radio-profile name radio id 1
[AC-wlan-radio-prof-radio] wmm-profile name wmm
[AC-wlan-radio-prof-radio] quit
[AC-wlan-view] quit

# Create WLAN-ESS interface 1.


NOTE

To enable the AC to allocate IP addresses to STAs, run the dhcp enable command on the WLAN-ESS
interface to enable DHCP on the AC.
[AC] interface wlan-ess 1
[AC-Wlan-Ess1] dhcp enable
[AC-Wlan-Ess1] port link-type hybrid
[AC-Wlan-Ess1] port hybrid pvid vlan 101
[AC-Wlan-Ess1] port hybrid untagged vlan 101
[AC-Wlan-Ess1] quit

# Create a security profile named security and retain the default configurations. The
authentication mode is open system authentication and the encryption mode is no encryption.
[AC] wlan
[AC-wlan-view] security-profile name security id 1
[AC-wlan-sec-prof-security] quit

# Create a traffic profile named traffic and configure priority mapping in the profile.
[AC-wlan-view] traffic-profile name traffic id 1
[AC-wlan-traffic-prof-traffic] 8021p up-mapping 0 1 2 3 6 7 4 5
[AC-wlan-traffic-prof-traffic] 8021p-map-up 0 1 2 3 6 7 4 5
[AC-wlan-traffic-prof-traffic] tunnel-priority up map 8021p-8021p 0 1 2 3 6 7 4 5
[AC-wlan-traffic-prof-traffic] quit

# Create a service set named test and bind the WLAN-ESS interface, security profile, and traffic
profile to the service set.
[AC-wlan-view] service-set name test id 1
[AC-wlan-service-set-test] ssid test
[AC-wlan-service-set-test] wlan-ess 1
[AC-wlan-service-set-test] security-profile name security
[AC-wlan-service-set-test] traffic-profile name traffic
[AC-wlan-service-set-test] service-vlan 101
[AC-wlan-service-set-test] forward-mode tunnel
[AC-wlan-service-set-test] quit

# Configure a VAP.
[AC-wlan-view] ap 0 radio 0
[AC-wlan-radio-0/0] radio-profile name radio
Warning: Modify the Radio type may cause some parameters of Radio resume defaul
t value, are you sure to continue?[Y/N]:y
[AC-wlan-radio-0/0] service-set name test
[AC-wlan-radio-0/0] quit

# Commit the configuration.


[AC-wlan-view] commit ap 0
Warning: Committing configuration may cause service interruption,continue?[Y/N]y

Step 7 Verify the configuration.


After the configuration is complete, run the display vap ap 0 radio 0 command. You can see
that the VAP is created.
[AC-wlan-view] display vap ap 0 radio 0
All VAP Information(Total-1):
SS: Service-set
BP: Bridge-profile
------------------------------------------------------------------
AP ID   Radio ID   SS ID   BP ID   WLAN ID   BSSID            Type
0       0          1               1         60de-4476-e360   service
------------------------------------------------------------------

The STA searches for the wireless network with the SSID test and attempts to associate with the
network. Then run the display station assoc-info command on the AC. You can see that the STA
is associated with the wireless network test.
[AC-wlan-view] display station assoc-info ap 0 radio 0
------------------------------------------------------------------------------
STA MAC          AP-ID   RADIO-ID   SS-ID   SSID
------------------------------------------------------------------------------
9021-55dc-3e17   0       0          1       test
------------------------------------------------------------------------------
Total stations: 1

Run the display traffic-profile name traffic command on the AC to view the traffic profile
configuration. You can see that video packets are mapped to a higher priority than voice packets,
so video services take precedence on the channel.
[AC-wlan-view] display traffic-profile name traffic
Profile ID         : 1
Profile name       : traffic
Client Limit Rate  : 4294967295 Kbps(up)
                   : 4294967295 Kbps(down)
VAP Limit Rate     : 4294967295 Kbps(up)
                   : 4294967295 Kbps(down)
802.1p Mapping Mode: mapping
----------------------------
User-priority  802.1p
0              0
1              1
2              2
3              3
4              6
5              7
6              4
7              5
----------------------------
ToS to User-priority Mapping List:
----------------------------
ToS  User-priority
0    0
1    1
2    2
3    3
4    6
5    7
6    4
7    5
----------------------------
Tunnel priority(up) Mapping Mode:8021p(inner) to 8021p(outer)
----------------------------
802.1p(inner)  802.1p(outer)
0              0
1              1
2              2
3              3
4              6
5              7
6              4
7              5
----------------------------
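To see what the three mapping lists above do to a frame, the following Python script (an added example, not Huawei code) parses the traffic-profile commands from this example into lookup tables and applies them to sample priorities. The direction in which each command is consulted is an assumption of the script, stated on the functions: it treats 8021p-map-up as the upstream user-priority to 802.1p mapping, 8021p up-mapping as the downstream 802.1p to user-priority mapping, and chains tunnel-priority up map 8021p-8021p as the inner-to-outer tag mapping on upstream CAPWAP traffic. Because the three lists in this example are identical, the result does not depend on that choice: wired 802.1p values 4 and 5 (video) land in WMM access category AC_VO on the air, and 6 and 7 (voice) in AC_VI.

```python
"""Priority mapping from the traffic profile, applied to sample frames.

Added example, not Huawei code. The mapping-list syntax is taken from the
commands in this example; the direction each command is used in is an
assumption documented on the functions below.
"""

# Standard WMM user priority (UP) to access category assignment (802.11e).
UP_TO_AC = {1: "AC_BK", 2: "AC_BK", 0: "AC_BE", 3: "AC_BE",
            4: "AC_VI", 5: "AC_VI", 6: "AC_VO", 7: "AC_VO"}

# Constructed copy of the traffic-profile commands from the example above.
TRAFFIC_PROFILE_CMDS = [
    "8021p up-mapping 0 1 2 3 6 7 4 5",
    "8021p-map-up 0 1 2 3 6 7 4 5",
    "tunnel-priority up map 8021p-8021p 0 1 2 3 6 7 4 5",
]


def parse_mapping_list(cmd):
    """Turn the eight trailing values of a mapping command into {input: output}.

    Position i of the list is the input priority and the value at that
    position is the priority it is re-marked to. Anything other than eight
    values in 0..7 is rejected, so a mistyped list fails closed.
    """
    values = [int(tok) for tok in cmd.split() if tok.isdigit()]
    if len(values) != 8 or any(not 0 <= v <= 7 for v in values):
        raise ValueError(f"mapping list must hold eight values 0..7: {cmd!r}")
    return dict(enumerate(values))


def is_valid_mapping(cmd):
    """True when the command carries a well-formed eight-entry list."""
    try:
        parse_mapping_list(cmd)
        return True
    except ValueError:
        return False


def build_tables(cmds):
    """Assign each command's list to a direction (the direction is an assumption)."""
    tables = {}
    for cmd in cmds:
        if cmd.startswith("8021p up-mapping "):
            tables["down_8021p_to_up"] = parse_mapping_list(cmd)   # wired tag -> UP
        elif cmd.startswith("8021p-map-up "):
            tables["up_to_8021p"] = parse_mapping_list(cmd)        # UP -> wired tag
        elif cmd.startswith("tunnel-priority up map 8021p-8021p "):
            tables["tunnel_inner_to_outer"] = parse_mapping_list(cmd)
        else:
            raise ValueError(f"unsupported traffic-profile command: {cmd!r}")
    return tables


def downstream_remark(dot1p, tables):
    """Wired 802.1p value -> UP placed on the 802.11 frame -> EDCA queue the AP uses."""
    up = tables["down_8021p_to_up"][dot1p]
    return up, UP_TO_AC[up]


def upstream_remark(user_priority, tables):
    """STA's UP -> 802.1p on the inner frame -> 802.1p on the outer CAPWAP tag."""
    inner = tables["up_to_8021p"][user_priority]
    outer = tables["tunnel_inner_to_outer"][inner]
    return inner, outer


if __name__ == "__main__":
    t = build_tables(TRAFFIC_PROFILE_CMDS)
    print("downstream: wired 802.1p -> (UP, access category)")
    for p in range(8):
        print(f"  {p} -> {downstream_remark(p, t)}")
    print("upstream: UP -> (inner 802.1p, outer 802.1p)")
    for up in range(8):
        print(f"  {up} -> {upstream_remark(up, t)}")
```

Note that with identical lists, the tunnel mapping applied to an already re-marked inner tag turns 4 back into 6 and 6 back into 4 on the outer header, so a wired-side device classifying on the outer tag sees the original priority; whether the outer tag or the inner tag is honoured upstream depends on the device between the AC and the upstream switch.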

----End

Configuration Files

Configuration file of the AC wired side


#
sysname AC-LSW
#
vlan batch 100 to 101
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 101
#
interface XGigabitEthernet0/0/27
port link-type trunk
port trunk allow-pass vlan 100 to 101
#
return

Configuration file of the AC wireless side


#
sysname AC
#
vlan batch 100 to 101
#
dhcp enable
#
wlan ac-global carrier id other ac id 1
#
interface Vlanif100
ip address 192.168.10.1 255.255.255.0
dhcp select interface
#
interface Vlanif101
ip address 192.168.11.1 255.255.255.0
dhcp select interface
#
interface XGigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100 to 101
#
interface Wlan-Ess1
port hybrid pvid vlan 101
port hybrid untagged vlan 101
dhcp enable
#
wlan
wlan ac source interface vlanif100
ap-region id 10
ap id 0 type-id 19 mac 60de-4476-e360 sn AB35015384
region-id 10
wmm-profile name wmm id 1
traffic-profile name traffic id 1
8021p-map-up 0 1 2 3 6 7 4 5
8021p up-mapping 0 1 2 3 6 7 4 5
tunnel-priority up map 8021p-8021p 0 1 2 3 6 7 4 5
security-profile name security id 1
service-set name test id 1
forward-mode tunnel
wlan-ess 1
ssid test
traffic-profile id 1
security-profile id 1
service-vlan 101
radio-profile name radio id 1
wmm-profile id 1
ap 0 radio 0
radio-profile id 1
service-set id 1 wlan 1
#
return

Example for Configuring Traffic Policing


Networking Requirements
As shown in Figure 12-53, the AP is directly connected to the AC. An enterprise branch needs
to deploy basic WLAN services for mobile office so that branch users can access internal network
resources anywhere at any time.
The enterprise network administrator needs to set the rate limit of upstream traffic on each STA
associated with the AP to 2 Mbit/s and the limit of total rates of upstream traffic on all STAs
associated with the VAP to 30 Mbit/s.
Figure 12-53 Networking diagram for configuring traffic policing (diagram: STAs associate with the AP; the AP connects to AC interface GE0/0/1 in VLAN100; AC interface GE0/0/2 in VLAN101 connects to the Internet. Management VLAN: VLAN100; service VLAN: VLAN101; AP region ID: 10)

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure basic WLAN services so that users can connect to the wireless network.
2. Set the rate for upstream packets in the traffic profile used by the AP to implement traffic
policing on upstream packets on a specified STA and on all STAs associated with the VAP.
NOTE

The AC6605 has the wired side and wireless side. XGE0/0/27 connects the wired side to the wireless side
and XGE0/0/1 connects the wireless side to the wired side. For details about the login modes on the wired
side and wireless side, see 11.1 Configuring User Login.

Procedure
Step 1 Configure the AC wired side and wireless side so that the AP and AC can transmit CAPWAP
packets.
# Configure the AC wired side: add wired-side interface GE0/0/1 to management VLAN 100,
and add XGE0/0/27 that connects the wired side to the wireless side to the same VLAN.
NOTE

In this example, tunnel forwarding is used. If direct forwarding is used, configure port isolation on GE0/0/1
that connects the AC wired side to the AP. If port isolation is not configured, many broadcast packets will
be transmitted in the VLANs or WLAN users on different APs can directly communicate at Layer 2.
<Quidway> system-view
[Quidway] sysname AC-LSW
[AC-LSW] vlan batch 100
[AC-LSW] interface gigabitethernet 0/0/1
[AC-LSW-GigabitEthernet0/0/1] port link-type trunk
[AC-LSW-GigabitEthernet0/0/1] port trunk pvid vlan 100
[AC-LSW-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[AC-LSW-GigabitEthernet0/0/1] quit
[AC-LSW] interface xgigabitethernet 0/0/27
[AC-LSW-XGigabitEthernet0/0/27] port link-type trunk
[AC-LSW-XGigabitEthernet0/0/27] port trunk allow-pass vlan 100
[AC-LSW-XGigabitEthernet0/0/27] quit

# Add XGE0/0/1 that connects the AC wireless side to the wired side to VLAN 100.
<Quidway> system-view
[Quidway] sysname AC
[AC] vlan batch 100
[AC] interface xgigabitethernet 0/0/1
[AC-XGigabitEthernet0/0/1] port link-type trunk
[AC-XGigabitEthernet0/0/1] port trunk allow-pass vlan 100
[AC-XGigabitEthernet0/0/1] quit

Step 2 Configure the AC to communicate with the upstream device.


NOTE

Configure AC uplink interfaces to transparently transmit packets of service VLANs as required and
communicate with the upstream device.

# Add XGE0/0/1 that connects the AC wireless side to the wired side to service VLAN 101.
[AC] vlan batch 101
[AC] interface xgigabitethernet 0/0/1
[AC-XGigabitEthernet0/0/1] port link-type trunk
[AC-XGigabitEthernet0/0/1] port trunk allow-pass vlan 101
[AC-XGigabitEthernet0/0/1] quit

# Add XGE0/0/27 that connects the AC wired side to the wireless side and AC uplink interface
GE0/0/2 to VLAN 101.
[AC-LSW] vlan batch 101
[AC-LSW] interface xgigabitethernet 0/0/27
[AC-LSW-XGigabitEthernet0/0/27] port link-type trunk
[AC-LSW-XGigabitEthernet0/0/27] port trunk allow-pass vlan 101
[AC-LSW-XGigabitEthernet0/0/27] quit
[AC-LSW] interface gigabitethernet 0/0/2
[AC-LSW-GigabitEthernet0/0/2] port link-type trunk
[AC-LSW-GigabitEthernet0/0/2] port trunk allow-pass vlan 101
[AC-LSW-GigabitEthernet0/0/2] quit

Step 3 Configure the AC as a DHCP server to allocate IP addresses to STAs and the AP.
# Configure the AC as the DHCP server to allocate an IP address to the AP from the IP address
pool on VLANIF 100, and allocate IP addresses to STAs from the IP address pool on VLANIF
101.
[AC] dhcp enable
[AC] interface vlanif 100
[AC-Vlanif100] ip address 192.168.10.1 24
[AC-Vlanif100] dhcp select interface
[AC-Vlanif100] quit
[AC] interface vlanif 101
[AC-Vlanif101] ip address 192.168.11.1 24
[AC-Vlanif101] dhcp select interface
[AC-Vlanif101] quit

Step 4 Configure AC system parameters.


# Configure the country code.
[AC] wlan ac-global country-code cn

# Configure the AC ID and carrier ID.


[AC] wlan ac-global ac id 1 carrier id other

# Configure the source interface.


[AC] wlan
[AC-wlan-view] wlan ac source interface vlanif 100

Step 5 Manage the AP on the AC.


# Check the AP type ID after obtaining the MAC address of the AP.
[AC-wlan-view] display ap-type all
All AP types information:
------------------------------------------------------------------------------
ID      Type
------------------------------------------------------------------------------
0       WA601
1       WA631
6       WA603SN
7       WA603DN
8       WA633SN
11      WA603DE
12      WA653DE
14      WA653SN
17      AP6010SN-GN
19      AP6010DN-AGN
21      AP6310SN-GN
23      AP6510DN-AGN
25      AP6610DN-AGN
27      AP7110SN-GN
28      AP7110DN-AGN
29      AP5010SN-GN
30      AP5010DN-AGN
31      AP3010DN-AGN
33      AP6510DN-AGN-US
34      AP6610DN-AGN-US
------------------------------------------------------------------------------
Total number: 20

# Add the AP offline based on the AP type ID. Assume that the AP type is AP6010DN-AGN,
and the MAC address of the AP is 5489-9846-1dd4.
[AC-wlan-view] ap-auth-mode mac-auth
[AC-wlan-view] ap id 0 type-id 19 mac 5489-9846-1dd4
[AC-wlan-ap-0] quit
NOTE

The default AP authentication mode is MAC address authentication. If the default settings are retained, you do
not need to run the ap-auth-mode mac-auth command.

# Configure an AP region and add the AP to the AP region.


[AC-wlan-view] ap-region id 10
[AC-wlan-ap-region-10] quit
[AC-wlan-view] ap id 0
[AC-wlan-ap-0] region-id 10
[AC-wlan-ap-0] quit

# After powering on the AP, run the display ap all command on the AC to check the AP running
status. The command output shows that the AP status is normal.
[AC-wlan-view] display ap all
All AP information(Normal-1,UnNormal-0):
------------------------------------------------------------------------------
AP   AP             AP               Profile   AP       AP
ID   Type           MAC              /Region   State    Sysname
                                     ID
------------------------------------------------------------------------------
0    AP6010DN-AGN   5489-9846-1dd4   0/10      normal   ap-0
------------------------------------------------------------------------------
Total number: 1

Step 6 Configure WLAN service parameters.


# Create a WMM profile named wmm and retain the default configurations in the profile.
[AC-wlan-view] wmm-profile name wmm id 1
[AC-wlan-wmm-prof-wmm] quit

# Create a radio profile named radio and bind WMM profile wmm to the radio profile.
[AC-wlan-view] radio-profile name radio id 1
[AC-wlan-radio-prof-radio] wmm-profile name wmm
[AC-wlan-radio-prof-radio] quit
[AC-wlan-view] quit

# Create WLAN-ESS interface 1.


NOTE

To enable the AC to allocate IP addresses to STAs, run the dhcp enable command on the WLAN-ESS
interface to enable DHCP on the AC.
[AC] interface wlan-ess 1
[AC-Wlan-Ess1] dhcp enable
[AC-Wlan-Ess1] port link-type hybrid
[AC-Wlan-Ess1] port hybrid pvid vlan 101
[AC-Wlan-Ess1] port hybrid untagged vlan 101
[AC-Wlan-Ess1] quit

# Create a security profile named security and retain the default configurations. The
authentication mode is open system authentication and the encryption mode is no encryption.
[AC] wlan
[AC-wlan-view] security-profile name security id 1
[AC-wlan-sec-prof-security] quit

# Create a traffic profile named traffic and set traffic policing parameters in the profile.
[AC-wlan-view] traffic-profile name traffic id 1
[AC-wlan-traffic-prof-traffic] rate-limit client up 2048
[AC-wlan-traffic-prof-traffic] rate-limit vap up 30720
[AC-wlan-traffic-prof-traffic] quit
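The two rate-limit commands set a per-STA ceiling and a shared per-VAP ceiling in kbit/s (2048 kbit/s is 2 Mbit/s, 30720 kbit/s is 30 Mbit/s). The following Python script is an added example and does not reproduce the AC's implementation: it models both limits as token buckets with a 100 ms burst allowance (an assumption), checks the per-client bucket before the shared VAP bucket, and runs constructed traffic through the policer so that the two cases can be told apart: one STA exceeding its own 2048 kbit/s limit, and twenty STAs that each stay under their limit but together exceed the 30720 kbit/s VAP limit. The STA MAC addresses it generates are placeholders.

```python
"""Two-level upstream traffic policing as expressed by the traffic profile above.

Added example, not Huawei code, and not the AC's internal algorithm. It
models 'rate-limit client up 2048' and 'rate-limit vap up 30720' (kbit/s)
as token buckets, checks the per-client bucket before the shared per-VAP
bucket, and runs constructed traffic through them so the effect of each
limit can be seen separately.
"""


class TokenBucket:
    """Token-bucket policer: rate in kbit/s, depth (allowed burst) in bytes."""

    def __init__(self, rate_kbps, burst_bytes):
        self.rate_bps = rate_kbps * 1000 / 8      # refill rate in bytes per second
        self.burst = burst_bytes
        self.tokens = float(burst_bytes)          # bucket starts full
        self.last_t = 0.0

    def allow(self, size_bytes, now):
        """Refill for the elapsed time, then admit the frame if tokens suffice."""
        self.tokens = min(self.burst, self.tokens + (now - self.last_t) * self.rate_bps)
        self.last_t = now
        if self.tokens >= size_bytes:
            self.tokens -= size_bytes
            return True
        return False


class VapUpstreamPolicer:
    """Per-STA limit first, then the VAP aggregate, the order a shared limit needs."""

    def __init__(self, client_kbps, vap_kbps, burst_ms=100):
        self.client_kbps = client_kbps
        # Burst allowance (assumption): 100 ms worth of the configured rate.
        self.client_burst = int(client_kbps * 1000 / 8 * burst_ms / 1000)
        self.vap = TokenBucket(vap_kbps, int(vap_kbps * 1000 / 8 * burst_ms / 1000))
        self.clients = {}   # STA MAC -> its own bucket
        self.stats = {"passed": 0, "dropped_client": 0, "dropped_vap": 0}

    def police(self, sta_mac, size_bytes, now):
        bucket = self.clients.setdefault(
            sta_mac, TokenBucket(self.client_kbps, self.client_burst))
        if not bucket.allow(size_bytes, now):
            self.stats["dropped_client"] += 1
            return "drop:client"
        if not self.vap.allow(size_bytes, now):
            self.stats["dropped_vap"] += 1
            return "drop:vap"
        self.stats["passed"] += 1
        return "pass"


def simulate(n_clients, per_client_kbps, seconds=1.0, frame_bytes=1500,
             client_kbps=2048, vap_kbps=30720):
    """Offer evenly spaced frames from n_clients STAs and return the policer counters.

    The STA MACs and the traffic pattern are constructed for the illustration.
    """
    policer = VapUpstreamPolicer(client_kbps, vap_kbps)
    interval = frame_bytes * 8 / (per_client_kbps * 1000)
    per_client = int(seconds * per_client_kbps * 1000 / (frame_bytes * 8))
    frames = sorted((k * interval, f"0000-0000-{i:04x}")
                    for i in range(n_clients) for k in range(per_client))
    for t, mac in frames:
        policer.police(mac, frame_bytes, t)
    stats = dict(policer.stats)
    stats["offered"] = len(frames)
    stats["passed_kbit"] = stats["passed"] * frame_bytes * 8 / 1000
    return stats


if __name__ == "__main__":
    print("3 STAs at 1000 kbit/s:   ", simulate(3, 1000))
    print("1 STA at 4096 kbit/s:    ", simulate(1, 4096))
    print("20 STAs at 1800 kbit/s:  ", simulate(20, 1800))
```

The order of the checks matters: policing the shared VAP bucket first would let one STA burning through the aggregate limit push frames from well-behaved STAs into drop:vap, which is the opposite of what a per-client limit is for.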

# Create a service set named test and bind the WLAN-ESS interface, security profile, and traffic
profile to the service set.
[AC-wlan-view] service-set name test id 1
[AC-wlan-service-set-test] ssid test
[AC-wlan-service-set-test] wlan-ess 1
[AC-wlan-service-set-test] security-profile name security
[AC-wlan-service-set-test] traffic-profile name traffic
[AC-wlan-service-set-test] service-vlan 101
[AC-wlan-service-set-test] forward-mode tunnel
[AC-wlan-service-set-test] quit

# Configure a VAP.
[AC-wlan-view] ap 0 radio 0
[AC-wlan-radio-0/0] radio-profile name radio
Warning: Modify the Radio type may cause some parameters of Radio resume default value, are you sure to continue?[Y/N]:y
[AC-wlan-radio-0/0] service-set name test
[AC-wlan-radio-0/0] quit

# Commit the configuration.


[AC-wlan-view] commit ap 0
Warning: Committing configuration may cause service interruption,continue?[Y/N]y

Step 7 Verify the configuration.


After the configuration is complete, run the display vap ap 0 radio 0 command. You can see
that the VAP is created.
[AC-wlan-view] display vap ap 0 radio 0
All VAP Information(Total-1):
SS: Service-set
BP: Bridge-profile
-----------------------------------------------------------------
AP ID  Radio ID  SS ID  BP ID  WLAN ID  BSSID           Type
0      0         1             1        60de-4476-e360  service
-----------------------------------------------------------------

The STA searches the wireless network with the SSID test and attempts to associate with the
network. Then run the display station assoc-info command on the AC. You can see that the STA
associates with the wireless network test.
[AC-wlan-view] display station assoc-info ap 0 radio 0
-----------------------------------------------------------------------------
STA MAC          AP-ID  RADIO-ID  SS-ID  SSID
-----------------------------------------------------------------------------
9021-55dc-3e17   0      0         1      test
-----------------------------------------------------------------------------
Total stations: 1

Run the display traffic-profile name traffic command on the AC to view the traffic profile
configuration. You can see that the rate limit of upstream traffic on a specified STA is 2048
kbit/s (2 Mbit/s) and the total rate limit of upstream traffic on all STAs associated with the VAP
is 30720 kbit/s (30 Mbit/s).
[AC-wlan-view] display traffic-profile name traffic
Profile ID         : 1
Profile name       : traffic
Client Limit Rate  : 2048 Kbps(up)
                   : 4294967295 Kbps(down)
VAP Limit Rate     : 30720 Kbps(up)
                   : 4294967295 Kbps(down)
802.1p Mapping Mode: mapping
---------------------------
User-priority 802.1p
0             0
1             1
2             2
3             3
4             4
5             5
6             6
7             7
---------------------------
ToS to User-priority Mapping List:
---------------------------
ToS User-priority
0   0
1   1
2   2
3   3
4   4
5   5
6   6
7   7
---------------------------
Tunnel priority(up) Mapping Mode:8021p(inner) to 8021p(outer)
---------------------------
802.1p(inner) 802.1p(outer)
0             0
1             1
2             2
3             3
4             4
5             5
6             6
7             7
---------------------------

----End

Configuration Files
l Configuration file of the AC wired side


#
sysname AC-LSW
#
vlan batch 100 to 101
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 101
#
interface XGigabitEthernet0/0/27
port link-type trunk
port trunk allow-pass vlan 100 to 101
#
return

l Configuration file of the AC wireless side


#
sysname AC
#
vlan batch 100 to 101

#
dhcp enable
#
wlan ac-global carrier id other ac id 1
#
interface Vlanif100
ip address 192.168.10.1 255.255.255.0
dhcp select interface
#
interface Vlanif101
ip address 192.168.11.1 255.255.255.0
dhcp select interface
#
interface XGigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100 to 101
#
interface Wlan-Ess1
port hybrid pvid vlan 101
port hybrid untagged vlan 101
dhcp enable
#
wlan
wlan ac source interface vlanif100
ap-region id 10
ap id 0 type-id 19 mac 60de-4476-e360 sn AB35015384
region-id 10
wmm-profile name wmm id 1
traffic-profile name traffic id 1
rate-limit client up 2048
rate-limit vap up 30720
security-profile name security id 1
service-set name test id 1
forward-mode tunnel
wlan-ess 1
ssid test
traffic-profile id 1
security-profile id 1
service-vlan 101
radio-profile name radio id 1
wmm-profile id 1
ap 0 radio 0
radio-profile id 1
service-set id 1 wlan 1
#
return

12.8 WDS Configuration


This chapter describes WLAN Wireless Distribution System (WDS) configurations. Different
from APs on a traditional WLAN, APs on a WDS network are connected in wireless mode and
can set up multi-hop wireless links.

12.8.1 WLAN WDS Overview


A wireless distribution system (WDS) connects two or more wired or wireless LANs wirelessly
to establish a network.

Introduction
On a traditional WLAN, APs exchange data with STAs using wireless channels and connect to
a wired network through uplinks. To expand the coverage area of a wireless network, APs need
to be connected by switches. This deployment requires high costs and takes a long time. In some
places, such as subways, tunnels, and docks, it is difficult to connect APs to the Internet through
wired links. WDS technology can connect APs wirelessly in these places, which reduces network
deployment costs, makes the network easy to expand, and allows flexible networking.

WDS Concepts
Figure 12-54 WDS networking
[Figure: a WDS network in which the AC and a Switch connect AP1 (root, root wired
interface) to the Internet; AP2 (middle) and AP3 (leaf, endpoint wired interface) are chained
by wireless virtual links. AP2 carries AP VAP VAP12; AP3 carries STA VAP VAP13 and
service VAP VAP0. STAs, a PC and a LAN attach to the APs. Legend: service wireless virtual
link; management wireless virtual link.]

l Service VAP: On a traditional WLAN, an AP is a physical entity that provides WLAN
  services to STAs. A service virtual access point (VAP) is a logical entity that provides
  access service for users. Multiple VAPs can be created on an AP to provide access service
  for multiple user groups. As shown in Figure 12-54, VAP0 created on AP3 is a service
  VAP.
  NOTE
  When you create service VAPs, the system allocates VAPs to service sets in sequence, starting from
  VAP0 by default. That is, the system allocates VAP0 to the first service set and VAP1 to the second
  service set.
l Bridge VAP: On a WDS network, an AP is a physical entity that provides WDS service
  for neighboring devices. A bridge VAP is a logical entity that provides WDS service. Bridge
  VAPs include AP VAPs and STA VAPs, which work in pairs. AP VAPs provide
  connections for STA VAPs. As shown in Figure 12-54, VAP13 created on AP3 is a STA
  VAP, and VAP12 created on AP2 is an AP VAP.
l Wireless virtual link: a connection set up between a STA VAP and an AP VAP on
  neighboring APs. As shown in Figure 12-54, connections set up between AP1, AP2, and
  AP3 are wireless virtual links. Wireless virtual links include service wireless virtual links
  and management wireless virtual links.
  Service wireless virtual link: a wireless virtual link that forwards user data on a WDS
  network.
  Management wireless virtual link: a wireless virtual link that forwards management and
  control packets on a WDS network. A management wireless virtual link is used to
  control link setup and deliver configuration parameters.
l AP working mode: Depending on its location on a WDS network, an AP can work in root,
  middle, or leaf mode, as shown in Figure 12-54.
  Root: The AP directly connects to an AC through a wired link and uses an AP VAP to
  set up wireless virtual links with a STA VAP.
  Middle: The AP uses a STA VAP to connect to an AP VAP on an upstream AP and
  uses an AP VAP to connect to a STA VAP on a downstream AP.
  Leaf: The AP uses a STA VAP to connect to an AP VAP on an upstream AP.
l Working mode of an AP's wired interface: On a WDS network, an AP's wired interface can
  connect to either an upstream wired network or a downstream user host or LAN. Depending
  on an AP's location, a wired interface works in root or endpoint mode.
  Root: The wired interface connects to an upstream wired network.
  Endpoint: The wired interface connects to a downstream user host or LAN.
  NOTE
  On a WDS network, one wired interface must work in root mode to connect to the wired network.

Typical WDS applications


Hand-in-Hand WDS Networking
As shown in Figure 12-55, AP1 is a single-band AP that works on the 2.4 GHz frequency band; AP2
and AP3 are both dual-band APs. AP1 and AP2 use the 2.4 GHz radio to set up wireless virtual links
(WVLs), while AP2 and AP3 use the 5 GHz radio to set up WVLs. AP3 connects STAs to the
WLAN through the 2.4 GHz radio. On a hand-in-hand WDS network, AP1, AP2, and AP3 use
different radios to set up WVLs.
Figure 12-55 Hand-in-hand WDS networking
[Figure: the AC and a Switch connect AP1 (root) to the Internet; AP1 and AP2 (root/leaf)
are linked over the 2.4G radio, AP2 and AP3 (leaf) over the 5G radio; STAs and PCs attach
to the APs. Legend: service wireless virtual link; management wireless virtual link.]

NOTE

In the figure, AP2 on 2.4 GHz radio functions as a leaf node for AP1 and AP2 on 5 GHz radio functions
as a root node for AP3. Therefore, set the bridge operation mode of AP2 on 2.4 GHz radio to leaf and 5
GHz radio to root.

Back-to-Back WDS Networking


In outdoor scenarios, such as school campuses, plantations, and mountain areas, wired networks
are difficult to deploy. When the networks to be connected are far from each other or blocked by
obstacles, APs can be cascaded as trunk bridges in back-to-back mode. This networking ensures
sufficient bandwidth on wireless links for long distance data transmission. Figure 12-56 shows
the back-to-back WDS networking.
Figure 12-56 Back-to-back WDS networking
[Figure: the Internet, a Switch and the AC feed AP1 (root); AP2 (leaf) bridges back-to-back
to AP3 (root), which serves AP4, AP5 and AP6 (leaf) and their STAs; PCs attach at each end.
Legend: service wireless virtual link; management wireless virtual link.]

12.8.2 Configuration Notes


This section describes WLAN WDS configuration notes.
l This chapter provides only WDS configurations. After the WDS configurations are
  complete, APs can connect to an AC through wireless bridges. To use WLAN services,
  you also need to configure basic WLAN services. For configurations of basic WLAN
  services, see 12.2 WLAN Service Configuration.
l It is recommended that the WMM profile name, radio profile name, and security profile
  name in WDS be different from those in basic WLAN services, to facilitate maintenance
  of wireless bridges and basic WLAN services.
l On the same frequency band, WDS cannot be configured on the channel where the radar
  works.
l If the CAPWAP heartbeat interval and the number of heartbeat packet transmissions are
  set too small, WDS links may fail to be established. Therefore, you are advised to use the
  default values.
l If WDS and dual-link backup are enabled simultaneously, the AC sends CAPWAP
  heartbeat packets three times at an interval of 25 seconds by default. This may cause
  unstable WDS link status and result in user access failures. You are advised to run the
  capwap keep-alive times times-value command to set the number of heartbeat packet
  transmissions to 6.
l On a WDS network, the distance between two APs connected through WVLs may range
  from dozens of meters to dozens of kilometers. Therefore, the period to wait for ACK
  packets during data transmission between two APs differs. In this case, before the AP in
  WDS mode goes online, you need to log in to the AP through the serial interface and run
  the config wds timeout radio-id distance-id command to set the ACK timeout interval for
  the WDS link. Otherwise, the remote AP may not go online.
  radio-id indicates a radio. The value can be 0 or 1. The value 0 indicates the 2.4 GHz
  radio and the value 1 indicates the 5 GHz radio.
  distance-id indicates the distance between the two APs. The value is an integer that
  ranges from 1 to 6.
  The value 1 indicates that the distance between the two APs is 0 km to 0.3 km.
  The value 2 indicates that the distance between the two APs is 0.3 km to 3 km.
  The value 3 indicates that the distance between the two APs is 3 km to 5 km.
  The value 4 indicates that the distance between the two APs is 5 km to 10 km.
  The value 5 indicates that the distance between the two APs is 10 km to 15 km.
  The value 6 indicates that the distance between the two APs is 15 km to 20 km.
  NOTE
  By default, the value of distance-id is 1. That is, the distance between the two APs ranges from
  0 to 0.3 km. If the distance between the two APs is larger than 0.3 km, the period to wait for ACK
  packets during data transmission between the two APs times out. Set the value of distance-id as
  required.

12.8.3 Default Configuration


This section describes the default WDS configuration. You can change the configuration as
required.
Table 12-24 lists the default WDS configuration.
Table 12-24 Default WDS configuration

Parameter                                  Default Setting
Wireless bridge                            disable
Working mode of an AP wired interface      root

12.8.4 Configuring WDS


In AC+fit AP networking, WDS technology can connect APs wirelessly on complex networks,
which reduces network deployment costs, makes the network easy to expand, and allows flexible
networking.

Pre-configuration Tasks
Before configuring WDS, complete the following task:
l 12.2.4 Configuring AC System Parameters

Configuration Process
Figure 12-57 shows the bindings between profiles and a radio during the WDS configuration.
Learn about the bindings before configuring WDS.
Figure 12-57 Bindings between profiles and a radio
[Flowchart: Create a WMM profile -> Create a radio profile -> Bind the WMM profile to the
radio profile; Create a security profile -> Create a bridge profile -> Bind the security
profile to the bridge profile; Configure a radio -> Bind the radio profile to the radio ->
Bind the bridge profile to the radio -> Configure the bridge working mode -> Complete the
WDS configuration.]

Learn about the bindings between profiles and a radio and then perform the configuration
procedures in sequence to configure WDS.

Creating a WMM Profile


Context
802.11 provides services of the same quality for all applications. Different applications, however,
have different requirements for wireless networks. 802.11 cannot provide differentiated services
for different applications.
To provide differentiated services for different applications, the Wi-Fi Alliance defines the
Wi-Fi Multimedia (WMM) standard, which classifies data packets into four access categories (ACs)
in descending order of priority, that is, AC-voice (AC-VO), AC-video (AC-VI), AC-best effort
(AC-BE), and AC-background (AC-BK). This standard ensures that high-priority packets
preempt channels.
A WMM profile is created to implement the WMM protocol. After a WMM profile is created,
packets with higher AP or STA priority preempt a wireless channel first, ensuring better quality
for voice and video services on WLANs.
NOTE

For details on how to configure parameters in a WMM profile, see 12.7.4 Configuring WMM.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
wlan

The WLAN view is displayed.


Step 3 Run:
wmm-profile { id profile-id | name profile-name }

A WMM profile is created and the WMM profile view is displayed.


NOTE

When creating a WMM profile, pay attention to the following:


l After a WMM profile is created, the profile retains the default settings. The default settings are
recommended. For details on how to configure a WMM profile, see 12.7.4 Configuring WMM.
l The profile name is mandatory when you create a WMM profile.

----End

Configuring a Radio Profile


Context
A radio profile defines the following parameters: radio type, radio rate, channel mode, radio
power mode, packet loss threshold, error packet threshold, collision rate threshold, packet
fragmentation threshold, Request To Send/Clear To Send (RTS/CTS) threshold, maximum
number of retransmission attempts for long/short frames, whether short preamble is supported,
delivery traffic indication message (DTIM) interval, Beacon frame interval, and WMM profile
name or ID. If a radio is bound to a radio profile, the radio inherits all the parameters defined in
the radio profile.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
wlan

The WLAN view is displayed.


Step 3 Run:
radio-profile { id profile-id | name profile-name }

A radio profile is created and the radio profile view is displayed.


NOTE

When creating a radio profile, pay attention to the following:


l After a radio profile is created, the profile retains the default settings.
l The profile name is mandatory when you create a radio profile.

Step 4 (Optional) Configure optional parameters in the radio profile.

The following table lists the optional radio profile parameters (Procedure, Command, and
Description).

Procedure: Configure the channel mode.
Command: channel-mode { auto | fixed }
By default, the channel mode is automatic mode.
Description: An AP supports two channel modes:
l Automatic mode: An AP selects a channel for a radio based on the WLAN radio
  environment, so you do not need to specify channels for radios.
l Manual mode: A channel is manually configured for a radio to avoid frequent channel
  adjustment (this may cause intermittent service interruption).
NOTE
If the channel works in manual mode, the channel configurations on leaf APs, middle APs, and
root APs must be the same.

Procedure: Configure the power mode.
Command: power-mode { auto | fixed }
By default, the power mode is automatic mode.
Description: An AP supports two power modes:
l Automatic mode: The AP selects the transmit power for a radio based on the WLAN radio
  environment.
l Manual mode: The transmit power is manually configured for a radio.

Procedure: Configure the radio type.
Command: radio-type { 80211a | 80211an | 80211gn | 80211b | 80211bg | 80211bgn | 80211g |
80211n }
By default, the radio type is 802.11b/g.
NOTE
When configuring the wireless distribution system (WDS), set the radio type to 80211an,
80211gn, 80211bgn, or 80211n.
Description: Different radios have different radio types:
l The radio type of a 2.4-GHz radio can be 802.11b, 802.11b/g, 802.11b/g/n, 802.11g, 802.11n,
  or 802.11g/n.
l The radio type of a 5-GHz radio can be 802.11a, 802.11n, or 802.11a/n.

Procedure: Set the rate mode to automatic mode and configure the maximum rate.
Command: rate auto max-rate rate-value { rate_1 | rate_2 | rate_5_5 | rate_6 | rate_9 | rate_11 |
rate_12 | rate_18 | rate_22 | rate_24 | rate_33 | rate_36 | rate_48 | rate_54 }
NOTE
This command is not supported if the radio type is 802.11an, 802.11gn, 802.11bgn, or 802.11n.
To set the maximum rate of the preceding radio types, see 80211n mcs.
Description: If you configure the maximum rate for a radio but the radio does not support the
configured maximum rate, the configuration fails. For example, if a maximum rate of 54 Mbit/s
is configured for an 802.11b radio, the configuration fails because the radio does not support the
rate of 54 Mbit/s.

Procedure: Configure the interval at which an AP sends Beacon frames.
Command: beacon-interval beacon-interval
By default, the interval for sending Beacon frames is 100 ms.
Description: An AP broadcasts Beacon frames at intervals to notify STAs of an existing 802.11
network.

Procedure: Configure the DTIM interval.
Command: dtim-interval dtim-interval
By default, the DTIM interval is 1.
Description: The DTIM interval specifies how many Beacon frames are sent before the Beacon
frame that contains the DTIM. An AP sends a Beacon frame to wake a STA in power-saving
mode, indicating that the saved broadcast and multicast frames will be transmitted to the STA.
l A short DTIM interval helps transmit data in a timely manner, but the STA is woken
  frequently, causing high power consumption.
l A long DTIM interval lengthens the dormancy time of a STA and saves power, but degrades
  the transmission capability of the STA.

Procedure: Configure an AP to support the short preamble.
Command: short-preamble { enable | disable }
By default, an AP supports the short preamble.
Description: The preamble is a section of bits in the header of a data frame. It synchronizes
signals transmitted between the sender and receiver and can be a short or long preamble.
l A short preamble ensures better network synchronization performance and is recommended.
l A long preamble is usually used for compatibility with earlier network adapters of clients.

Procedure: Configure the packet fragmentation threshold.
Command: fragmentation-threshold fragmentation-threshold
By default, the packet fragmentation threshold is 2346 bytes.
Description: If an 802.11 MAC frame exceeds the packet fragmentation threshold, the frame
needs to be fragmented.
l When the packet fragmentation threshold is too small, packets are fragmented into smaller
  frames. These frames are transmitted at a high extra cost, resulting in low channel efficiency.
l When the packet fragmentation threshold is too large, long packets are not fragmented,
  increasing the transmission time and error probability. If an error occurs, packets are
  retransmitted. This wastes the channel bandwidth. The default packet fragmentation
  threshold is recommended.

Procedure: Configure the collision rate threshold, packet loss threshold, and error packet
threshold.
l Configure the collision rate threshold.
  Command: conflict-rate-threshold conflict-rate-threshold
  By default, the collision rate threshold is 60%.
l Configure the packet loss threshold and error packet threshold.
  Command: per-threshold per-threshold
  By default, the packet loss threshold and error packet threshold are 30%.
Description: This configuration helps determine whether the radio environment is good. When
the collision rate, packet loss ratio, or error packet ratio of a radio reaches the threshold, the
system considers that the radio environment deteriorates. When this occurs, the system needs to
improve the radio environment.

Procedure: Enable beamforming.
Command: beamforming enable
By default, beamforming is disabled.
Description: Beamforming can enhance signals at a particular angle (for target users), attenuate
signals at another angle (for non-target users or obstacles), and extend the radio coverage area.
NOTE
WA6x3xN and WA6x1 series APs do not support beamforming. AP6x10SN/DN series except
AP6310SN-GN support beamforming.

Procedure: Specify the parameter reflected by the blinking frequency of the Wireless LED on
an AP.
Command: wifi-light { signal-strength | traffic }
By default:
l If WDS is enabled on an AP, the blinking frequency of the Wireless LED reflects the strength
  of signals received by the AP.
l If WDS is not enabled on an AP, the blinking frequency of the Wireless LED reflects the
  service traffic volume on the radio.
Description: On a WDS network, you need to adjust AP locations and antenna directions to
obtain strong signals between WDS-capable APs. The blinking frequency of the Wireless LED
shows the signal strength.
NOTE
This command takes effect only when the AP has WDS enabled. If the AP has no WDS enabled,
the Wireless LED always shows service traffic volume.

Procedure: Configure the RTS-CTS operation mode.
Command: rts-cts-mode { cts-to-self | disable | rts-cts }
By default, the RTS-CTS operation mode is cts-to-self.
Description: The RTS/CTS handshake mechanism prevents data transmission failures caused by
channel conflicts. If STAs perform RTS/CTS handshakes before sending data, RTS frames
consume high channel bandwidth. The default RTS-CTS operation mode is recommended.
l If the RTS/CTS handshake mechanism is not used, there may be hidden STAs. If base stations
  A and C simultaneously send information to base station B because base station C does not
  know that base station A is sending information to base station B, signal conflict occurs. As
  a result, signals fail to be sent to base station B.
l The RTS/CTS handshake mechanism reduces the transmission rate and even causes network
  delay.
NOTE
To reduce the network delay, disable RTS-CTS.

Procedure: Configure the RTS mechanism.
l Configure the RTS threshold.
  Command: rts-cts-threshold rts-cts-threshold
  By default, the RTS threshold is 2347 bytes.
l Configure the maximum number of retransmission attempts for frames smaller than or equal
  to the RTS threshold.
  Command: short-retry retry-number
  By default, the maximum number of retransmission attempts for frames smaller than or equal
  to the RTS threshold is 7.
l Configure the maximum number of retransmission attempts for frames longer than the RTS
  threshold.
  Command: long-retry retry-number
  By default, the maximum number of retransmission attempts for frames longer than the RTS
  threshold is 4.
Description: If STAs perform RTS/CTS handshakes before sending data, many RTS frames
consume high channel bandwidth. To prevent this problem, set the RTS threshold and maximum
number of retransmission attempts for long/short frames. The RTS threshold specifies the length
of frames to be sent. When the length of frames to be sent by a STA is smaller than the RTS
threshold, no RTS/CTS handshake is performed. The default RTS threshold is recommended.
NOTE
This configuration is applicable only when the RTS-CTS operation mode is rts-cts.

Procedure: Configure 802.11n.
l Configure the guard interval (GI) mode.
  Command: 80211n guard-interval-mode { short | normal }
  By default, the normal GI is used.
  Description: There are two types of GI: short GI and normal GI. When configuring 802.11n,
  you can configure the normal GI in 802.11a/g or short GI in 802.11n. The short GI reduces the
  extra cost and improves the transmission rate.
l Enable the MAC Protocol Data Unit (MPDU) aggregation function.
  Command: 80211n a-mpdu enable
  By default, the MPDU aggregation function is enabled.
  Description: An 802.11 packet is sent as an MPDU, requiring channel competition and backoff
  and consuming channel resources. The 802.11n MPDU aggregation function aggregates
  multiple MPDUs into an aggregate MAC Protocol Data Unit (A-MPDU), so that N MPDUs can
  be transmitted through one channel competition and backoff. This function saves the channel
  resources to be consumed for sending N-1 MPDUs. The MPDU aggregation function improves
  channel efficiency and 802.11 network performance.
l Configure the maximum length of an A-MPDU.
  Command: 80211n a-mpdu max-length-exponent length-capability
  By default, the maximum length of an A-MPDU is 3 bytes.

----End
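As an added example (not Huawei's code and not part of this guide), the following Python script checks a planned WDS topology against the constraints this section states: a wired interface in root mode, middle and leaf APs added offline, an 802.11n radio type on every WDS radio, the same fixed channel on both ends of a link in manual channel mode, a distance-id that covers the link length, and the CAPWAP keep-alive count when dual-link backup is enabled. The data model, function names and the sample topology are assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, List

# Radio types the guide allows on a WDS radio (radio-type command).
WDS_RADIO_TYPES = {"80211an", "80211gn", "80211bgn", "80211n"}
# distance-id -> upper bound of the AP-to-AP distance in km (config wds timeout).
DISTANCE_UPPER_KM = {1: 0.3, 2: 3.0, 3: 5.0, 4: 10.0, 5: 15.0, 6: 20.0}


@dataclass
class Radio:
    radio_type: str        # value given to radio-type
    channel_mode: str      # "auto" or "fixed" (channel-mode command)
    channel: int = 0       # only meaningful in fixed mode
    distance_id: int = 1   # config wds timeout radio-id distance-id; default 1


@dataclass
class Ap:
    name: str
    bridge_mode: str       # "root", "middle" or "leaf"
    wired_mode: str        # wired interface mode: "root" or "endpoint"
    added_offline: bool    # True when added with "ap id ..." rather than discovered
    radios: Dict[int, Radio] = field(default_factory=dict)  # 0 = 2.4 GHz, 1 = 5 GHz


@dataclass
class Link:
    upstream: str          # AP that holds the AP VAP
    downstream: str        # AP that holds the STA VAP
    radio_id: int          # both ends of a WVL use the same band
    distance_km: float


def required_distance_id(distance_km: float) -> int:
    """Smallest distance-id whose range covers the link; raises beyond 20 km."""
    for did in sorted(DISTANCE_UPPER_KM):
        if distance_km <= DISTANCE_UPPER_KM[did]:
            return did
    raise ValueError("distance-id 1 to 6 only covers links up to 20 km")


def lint_wds(aps: Dict[str, Ap], links: List[Link],
             dual_link_backup: bool = False, keepalive_times: int = 3) -> List[str]:
    """Return one finding per constraint from the guide that the plan violates."""
    findings: List[str] = []
    if not any(ap.wired_mode == "root" for ap in aps.values()):
        findings.append("no wired interface works in root mode, so the WDS network has no uplink")
    for ap in aps.values():
        if ap.bridge_mode in ("middle", "leaf") and not ap.added_offline:
            findings.append(f"{ap.name}: a {ap.bridge_mode} AP can only be added to the AC offline")
    for link in links:
        ends = [(link.upstream, aps[link.upstream].radios[link.radio_id]),
                (link.downstream, aps[link.downstream].radios[link.radio_id])]
        for name, radio in ends:
            if radio.radio_type not in WDS_RADIO_TYPES:
                findings.append(f"{name} radio {link.radio_id}: radio type {radio.radio_type} "
                                "is not allowed for WDS (use 80211an/gn/bgn/n)")
        modes = {radio.channel_mode for _, radio in ends}
        channels = {radio.channel for _, radio in ends}
        if "fixed" in modes and (modes != {"fixed"} or len(channels) != 1):
            findings.append(f"{link.upstream}-{link.downstream}: in manual channel mode both "
                            "ends must use the same fixed channel")
        need = required_distance_id(link.distance_km)
        for name, radio in ends:
            if radio.distance_id < need:
                findings.append(f"{name} radio {link.radio_id}: distance-id {radio.distance_id} "
                                f"is too small for a {link.distance_km} km link (need {need})")
    if dual_link_backup and keepalive_times < 6:
        findings.append("WDS with dual-link backup: run capwap keep-alive times 6 "
                        f"(currently {keepalive_times})")
    return findings


def sample_findings() -> List[str]:
    """Constructed three-AP chain like Figure 12-58 with several planted mistakes."""
    aps = {
        "AP1": Ap("AP1", "root", "root", False,
                  {1: Radio("80211an", "fixed", 149)}),
        "AP2": Ap("AP2", "middle", "endpoint", True,
                  {1: Radio("80211an", "fixed", 149), 0: Radio("80211bgn", "fixed", 6)}),
        # AP3 was auto-discovered, uses a non-802.11n type and a different channel
        "AP3": Ap("AP3", "leaf", "endpoint", False,
                  {0: Radio("80211bg", "fixed", 11)}),
    }
    links = [Link("AP1", "AP2", 1, 2.0),   # 2 km needs distance-id 2; both ends still at 1
             Link("AP2", "AP3", 0, 0.2)]
    return lint_wds(aps, links, dual_link_backup=True, keepalive_times=3)


if __name__ == "__main__":
    for line in sample_findings():
        print("-", line)
```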

Binding a WMM Profile to a Radio Profile


Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
wlan

The WLAN view is displayed.


Step 3 Run:
radio-profile { id profile-id | name profile-name }

The radio profile view is displayed.


Step 4 Run:
wmm-profile { id profile-id | name profile-name }

A WMM profile is bound to the radio profile.


By default, no WMM profile is bound to a radio profile.
NOTE

A radio profile can be applied to a radio only after a WMM profile is bound to the radio profile.

----End

Adding an AP
Context
You can add APs to the AC using any of the following methods:
l

Adding an AP offline

Configuring the AC to automatically discover an AP

Manually authenticating APs in the list of unauthorized APs

Depending on its location on a WDS network, an AP can work in root, middle, or leaf mode.
As shown in Figure 12-58, AP1 is a root node, AP2 is a middle node, and AP3 is a leaf node.
Figure 12-58 WDS networking
AP3
(leaf)

AP2
(middle)

AP1
(root)
Internet

STA

AC

LAN
STA
PC

: Service wireless virtual link


: Management wireless virtual link

APs in different modes can be added to the AC using different methods.


l

Root APs can be added to the AC using any of the three methods.

Middle APs can only be added to the AC offline.

Leaf APs can only be added to the AC offline.

Add an AP offline.

Procedure
1.

Run:
system-view

The system view is displayed.


2.

Run:
wlan

Issue 04 (2013-06-15)

Huawei Proprietary and Confidential


Copyright Huawei Technologies Co., Ltd.

2311

AC6605 Access Controller


Configuration Guide

12 Configuration Guide - WLAN

The WLAN view is displayed.


3.

Run:
ap-auth-mode { mac-auth | sn-auth }

The AP authentication mode is set to MAC or SN authentication.


By default, the AP authentication mode is MAC address authentication.
4.

Run:
ap id ap-id { type-id type-id | ap-type ap-type } { mac ap-mac | sn apsn } *

The specified AP is added offline.


By default, no AP is added offline.
NOTE

If the AP authentication mode is set to MAC authentication, specify the MAC address of an
AP when adding the AP offline. If the AP authentication mode is set to SN authentication,
specify the SN of an AP when adding the AP offline.
When an AP connects to the AC, the AP enters the normal state if the MAC address or SN of
the AP is on the whitelist.

Configure the AC to discover APs in the whitelist.

Set the AP authentication mode to no authentication.
1. Run:
system-view

The system view is displayed.
2. Run:
wlan

The WLAN view is displayed.
3. Run:
ap-auth-mode no-auth

The AP authentication mode is set to no authentication.
By default, the AP authentication mode is MAC address authentication.
NOTE
When an AP connects to the AC, the AP enters the normal state if the MAC address or SN of the AP is on the whitelist.

Set the AP authentication mode to MAC or SN authentication.
1. Run:
system-view

The system view is displayed.
2. Run:
wlan

The WLAN view is displayed.
3. Run:
ap-auth-mode { mac-auth | sn-auth }

The AP authentication mode is set to MAC or SN authentication.
By default, the AP authentication mode is MAC address authentication.
4. Configure the AP whitelist.
If the AP authentication mode is set to MAC authentication, run:
ap-whitelist mac ap-mac1 to ap-mac2

The AP with the specified MAC address is added to the whitelist.
If the AP authentication mode is set to SN authentication, run:
ap-whitelist sn ap-sn1 to ap-sn2

The AP with the specified SN is added to the whitelist.
NOTE
When an AP connects to the AC, the AP enters the normal state if the MAC address or SN of the AP is on the whitelist.

Confirm the AP added to the list of unauthorized APs.
1. Run:
system-view

The system view is displayed.
2. Run:
wlan

The WLAN view is displayed.
3. Run:
ap-auth-mode { mac-auth | sn-auth }

The AP authentication mode is set to MAC or SN authentication.
By default, the AP authentication mode is MAC address authentication.
4. Run:
display unauthorized-ap record

Information about unauthorized APs is displayed.
5. Run:
ap-confirm { all | { mac ap-mac | sn ap-sn } [ id ap-id ] }

The specified AP in the list of unauthorized APs is confirmed. The AP then enters the normal state.
----End
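The admission decision that the three procedures above configure (offline entries, whitelist ranges, no authentication, and manual confirmation of recorded APs) can be summarised in a small model. The following Python is an added illustration written for this page, not Huawei software: it reduces the AC to the rules the text states for ap-auth-mode, ap id ... mac/sn, ap-whitelist, the unauthorized-AP record and ap-confirm. The class and method names are invented, the sample SNs and the whitelist range 0046-4b59-1d00 to 0046-4b59-1dff are constructed, and the AP MACs are the ones used in the configuration example later in this section.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


def mac_to_int(mac: str) -> int:
    """Parse a Huawei-style MAC (0046-4b59-1ee0) into an integer for range tests."""
    digits = mac.replace("-", "").replace(":", "").lower()
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError(f"malformed MAC address: {mac!r}")
    return int(digits, 16)


@dataclass
class ApRecord:
    mac: Optional[str] = None
    sn: Optional[str] = None
    ap_id: Optional[int] = None


@dataclass
class AccessController:
    auth_mode: str = "mac-auth"   # ap-auth-mode; MAC authentication is the default
    offline: List[ApRecord] = field(default_factory=list)            # ap id ... { mac | sn }
    mac_ranges: List[Tuple[int, int]] = field(default_factory=list)  # ap-whitelist mac a to b
    sn_ranges: List[Tuple[str, str]] = field(default_factory=list)   # ap-whitelist sn a to b
    unauthorized: List[ApRecord] = field(default_factory=list)       # unauthorized-ap record
    normal: Dict[int, ApRecord] = field(default_factory=dict)        # APs in the normal state
    next_id: int = 1

    def add_ap_offline(self, ap_id: int, mac: Optional[str] = None,
                       sn: Optional[str] = None) -> None:
        self.offline.append(ApRecord(mac.lower() if mac else None, sn, ap_id))

    def whitelist_mac(self, first: str, last: str) -> None:
        self.mac_ranges.append((mac_to_int(first), mac_to_int(last)))

    def whitelist_sn(self, first: str, last: str) -> None:
        self.sn_ranges.append((first, last))

    def _authorised(self, mac: str, sn: str) -> Optional[ApRecord]:
        """The offline record that vouches for the AP, a fresh record if a whitelist
        range (or no-auth) admits it, or None if nothing does."""
        if self.auth_mode == "no-auth":
            return ApRecord(mac, sn)            # whatever reaches the AC is admitted
        if self.auth_mode == "mac-auth":
            for rec in self.offline:
                if rec.mac == mac.lower():
                    return rec
            value = mac_to_int(mac)
            return ApRecord(mac, sn) if any(lo <= value <= hi for lo, hi in self.mac_ranges) else None
        if self.auth_mode == "sn-auth":
            for rec in self.offline:
                if rec.sn == sn:
                    return rec
            return ApRecord(mac, sn) if any(lo <= sn <= hi for lo, hi in self.sn_ranges) else None
        raise ValueError(f"unknown ap-auth-mode {self.auth_mode!r}")

    def _admit(self, rec: ApRecord) -> int:
        if rec.ap_id is None:
            rec.ap_id = self.next_id
        self.next_id = max(self.next_id, rec.ap_id + 1)
        self.normal[rec.ap_id] = rec
        return rec.ap_id

    def ap_connects(self, mac: str, sn: str) -> str:
        """An AP reaches the AC: it enters the normal state or is only recorded."""
        rec = self._authorised(mac, sn)
        if rec is None:
            self.unauthorized.append(ApRecord(mac.lower(), sn))
            return "unauthorized"
        self._admit(rec)
        return "normal"

    def ap_confirm(self, mac: Optional[str] = None, sn: Optional[str] = None,
                   ap_id: Optional[int] = None) -> Optional[int]:
        """ap-confirm { mac ap-mac | sn ap-sn } [ id ap-id ]: the operator accepts one
        recorded AP; returns its AP ID, or None if it was not in the record."""
        for rec in self.unauthorized:
            if (mac and rec.mac == mac.lower()) or (sn and rec.sn == sn):
                self.unauthorized.remove(rec)
                rec.ap_id = ap_id
                return self._admit(rec)
        return None


def demo() -> Dict[str, object]:
    """Walk the outcomes with constructed APs under MAC authentication."""
    ac = AccessController(auth_mode="mac-auth")
    ac.add_ap_offline(1, mac="0046-4b59-1ee0")              # AP1 of the example
    ac.whitelist_mac("0046-4b59-1d00", "0046-4b59-1dff")    # constructed range
    out: Dict[str, object] = {
        "offline_entry": ac.ap_connects("0046-4B59-1EE0", "SN-CONSTRUCTED-A"),
        "whitelist_range": ac.ap_connects("0046-4b59-1d20", "SN-CONSTRUCTED-B"),
        "unknown": ac.ap_connects("0046-4b59-2a00", "SN-CONSTRUCTED-C"),
    }
    out["recorded"] = len(ac.unauthorized)
    out["confirmed_id"] = ac.ap_confirm(mac="0046-4b59-2a00", ap_id=9)
    out["recorded_after"] = len(ac.unauthorized)
    # The same unknown AP against an AC left in no-auth: admitted with no check at all.
    out["no_auth"] = AccessController(auth_mode="no-auth").ap_connects("0046-4b59-2a00", "SN-CONSTRUCTED-C")
    return out
```

The last line of demo() is the point to keep in mind when choosing between the three procedures: with ap-auth-mode no-auth there is no record and no confirmation step, so any AP that can reach the AC's source interface goes into the normal state; MAC or SN authentication plus the unauthorized-AP record keeps an operator decision in the path for every device that is not already planned.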

Configuring a Radio Profile and Binding the Radio Profile to a Radio


Context
Each AP has one or more radio modules, which receive and send wireless signals, adjust the power, and configure channels.
You configure a radio to set the radio parameters of an AP radio module, including the antenna gain, power, channel, and number of available antennas.
After a VAP is created, the VAP inherits all the parameters configured on the radio bound to the VAP.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
wlan

The WLAN view is displayed.
Step 3 Run:
ap ap-id radio radio-id

The specified AP radio view is displayed.
NOTE
When radio-id is set to 0, a 2.4-GHz radio is specified. When radio-id is set to 1, a 5-GHz radio is specified.

Step 4 Run:
radio enable

The radio is enabled.
By default, the radio is enabled.
Step 5 Run:
antenna-gain antenna-gain

The antenna gain is configured for the radio.
By default, the antenna gain of a radio is 4 dBi.
Step 6 (Optional) Run:
available-antenna-number { all | available-antenna-number }

The number of available antennas on a radio is set. Excess antennas will then be shut down to save power.
By default, all antennas on a radio are available.
NOTE
The value of available-antenna-number must be smaller than or equal to the number of antennas on a radio.

Step 7 Run:
power-level power-level

The power level of the radio is specified.
By default, the power level of a radio is 0, indicating full power. The actual power is determined by the AP type.
The power reduces by 1 dBm each time the AP power level increases by 1.
Step 8 (Optional) Run:
channel { 20mhz | 40mhz-minus | 40mhz-plus } channel

A channel is configured for the radio.
By default, the bandwidth of a radio channel is 20 MHz.
To avoid signal interference, ensure that adjacent APs work in non-overlapping channels.
NOTE
40mhz-minus and 40mhz-plus take effect only when the radio type is 802.11n.
If the channel works in manual mode, the channel configurations on leaf APs, middle APs, and root APs must be the same.
Different countries support different wireless channels. You can run the display ap configurable channel [ ap-id id ] command to check the channels supported by all the APs or the specified AP that associate with an AC.

Step 9 (Optional) Run:
users-traffic-scheduler enable

The multi-user traffic scheduling function is enabled for the radio.
By default, the multi-user traffic scheduling function is disabled.
Step 10 (Optional) Run:
80211n mcs mcs-value

The modulation and coding scheme (MCS) value is configured for the 802.11n radio.
By default, when one spatial stream exists, the MCS value is 7. When two spatial streams exist, the MCS value is 15. When there are three spatial streams, the MCS value is 23.
A larger MCS value indicates a higher transmission rate.
NOTE
This command takes effect only when the radio type is set to 802.11a/n, 802.11b/g/n, 802.11g/n, or 802.11n using the radio-type command.

Step 11 Run:
radio-profile { id profile-id | name profile-name }

A radio profile is bound to the radio.
By default, no radio profile is bound to a radio.
----End

Enabling the Wireless Bridge Function and Configuring the Bridge Working Mode
Context
You need to enable the wireless bridge function and set the bridge working mode for APs to set
up wireless virtual links (WVLs). Depending on an AP's location on a WDS network, a wireless
bridge can work in root, middle, or leaf mode. As shown in Figure 12-59, AP1 is a root node,
AP2 is a middle node, and AP3 is a leaf node.

Figure 12-59 WDS networking (figure: AP1 (root), AP2 (middle), and AP3 (leaf) are connected by service and management wireless virtual links; AP1 connects to the AC, the LAN, and the Internet; STAs and a PC attach to the APs)

On a WDS network, the distance between two APs connected through WVLs may range from dozens of meters to dozens of kilometers. Therefore, the period to wait for ACK packets during data transmission between two APs differs. In this case, before the AP in WDS mode goes online, you need to log in to the AP through the serial interface and run the config wds timeout radio-id distance-id command to set the ACK timeout interval for the WDS link. Otherwise, the remote AP may not go online.
l radio-id indicates a radio. The value can be 0 or 1. The value 0 indicates the 2.4 GHz radio and the value 1 indicates the 5 GHz radio.
l distance-id indicates the distance between the two APs. The value is an integer that ranges from 1 to 6.
The value 1 indicates that the distance between the two APs is 0 km to 0.3 km.
The value 2 indicates that the distance between the two APs is 0.3 km to 3 km.
The value 3 indicates that the distance between the two APs is 3 km to 5 km.
The value 4 indicates that the distance between the two APs is 5 km to 10 km.
The value 5 indicates that the distance between the two APs is 10 km to 15 km.
The value 6 indicates that the distance between the two APs is 15 km to 20 km.
NOTE
By default, the value of distance-id is 1. That is, the distance between the two APs ranges from 0 to 0.3 km. If the distance between the two APs is larger than 0.3 km, the period to wait for ACK packets during data transmission between the two APs times out. Set the value of distance-id as required.

Procedure
Step 1 Run:
system-view

The system view is displayed.
Step 2 Run:
wlan

The WLAN view is displayed.
Step 3 Run:
ap ap-id radio radio-id

The AP radio view is displayed.
Step 4 Run:
bridge enable [ mode { root | middle | leaf } ]

The wireless bridge function is enabled and the bridge working mode is configured.
By default, the wireless bridge function is disabled.
NOTE
APs that support the WDS function include AP6010DN-AGN, AP6510DN-AGN, AP6610DN-AGN, AP5010DN-AGN, and AP7110DN-AGN.
Middle APs and leaf APs must be added to the AC offline; otherwise, these APs cannot go online.

----End

Configuring a Security Profile and Setting the Security Policy to WPA2+PSK+CCMP
Context
You need to configure a security profile and a security policy for the WDS to ensure security.
Currently, the security policy can only be WPA2+PSK+CCMP. For details about WPA2, PSK,
and CCMP, see 12.3.2 WLAN Security Features Supported by the Device in WLAN Security
Configuration.

Procedure
Step 1 Run:
system-view

The system view is displayed.
Step 2 Run:
wlan

The WLAN view is displayed.
Step 3 Run:
security-profile { id profile-id | name profile-name }

A security profile is created and the security profile view is displayed.
Step 4 Run:
security-policy wpa2

A security policy is configured for the security profile.
Step 5 Run:
wpa2 authentication-method psk { pass-phrase | hex } { simple simple-key | cipher cipher-key } encryption-method ccmp

WPA2 pre-shared key authentication is configured.
----End

Configuring a Bridge Profile and Binding the Bridge Profile to the Radio
Context
A bridge profile contains the parameters of WVLs between APs. After a bridge profile is bound to a radio, the radio has all attributes of the bridge profile and a bridge VAP is automatically created. The radio uses different VAP parameters to set up and maintain WVLs between APs.
A bridge profile in the WDS has the same function as a service set in traditional WLAN services. A bridge profile is bound to a specified AP radio to create a bridge VAP. Bridge VAPs include AP VAPs and STA VAPs.
As shown in Figure 12-60, when a bridge VAP is created, VAPs 12, 13, 14, and 15 are generated. VAPs 12 and 14 are AP VAPs and VAPs 13 and 15 are STA VAPs. VAPs 12 and 13 are used for service WVLs, and VAPs 14 and 15 are used for management WVLs. APs in different modes generate different bridge VAPs on a WDS network.
l Root APs: When a bridge VAP is created, AP VAPs 12 and 14 are generated.
l Middle APs: When a bridge VAP is created, AP VAPs 12 and 14 and STA VAPs 13 and 15 are generated.
l Leaf APs: When a bridge VAP is created, STA VAPs 13 and 15 are generated.

Figure 12-60 WDS bridge VAP (figure: AP1 (root) holds AP VAPs 12 and 14; AP2 (middle) holds STA VAPs 13 and 15 toward AP1 and AP VAPs 12 and 14 toward AP3; AP3 (leaf) holds STA VAPs 13 and 15; VAPs 12 and 13 carry the service wireless virtual link and VAPs 14 and 15 the management wireless virtual link; AP1 connects to the AC and the Internet)

Procedure
Step 1 Run:
system-view

The system view is displayed.
Step 2 Run:
wlan

The WLAN view is displayed.
Step 3 Run:
bridge-profile { name profile-name | id profile-id }

A bridge profile is created and the bridge profile view is displayed.
Step 4 Run:
bridge-name name

A bridge profile identifier is set. Links are set up between bridges on a WDS network through bridge profile identifiers.
By default, a bridge profile does not have an identifier.
Step 5 Run:
security-profile { name profile-name | id profile-id }

A security profile is bound to the bridge profile.
By default, no security profile is bound to a bridge profile.
NOTE
Currently, the security profile bound to a bridge profile must be WPA2+PSK+CCMP.

Step 6 (Optional) Run:
vlan tagged { vlan-id1 [ to vlan-id2 ] } &<1-10>

One or a group of tagged VLANs are configured in the bridge profile.
By default, no VLAN is configured in a bridge profile.
NOTE
A maximum of 256 VLANs can be configured in a bridge profile.

Step 7 (Optional) Run:
dhcp trust port

A DHCP trusted interface is configured in the bridge profile.
By default, a DHCP trusted interface is configured in the bridge profile.
NOTE
If DHCP snooping is enabled in the service set, run this command to configure the DHCP trusted interface.

Step 8 Run:
quit

Return to the WLAN view.
Step 9 Run:
ap ap-id radio radio-id

The radio view is displayed.
Step 10 Run:
bridge-profile { name profile-name | id profile-id }

A bridge profile is bound to the radio.
By default, no bridge profile is bound to a radio.
----End


(Optional) Configuring the Bridge Whitelist

Context
A bridge whitelist contains MAC addresses of neighboring APs that can connect to a bridge. If the whitelist is used, only neighboring APs with MAC addresses in the whitelist can connect to the bridge. On WDS networks, the whitelist can be configured only on root APs or middle APs.
NOTE
l Wireless virtual links can be set up only when neighboring APs with MAC addresses in the whitelist succeed in authentication.
l If the bridge uses no whitelist, all the neighboring APs can connect to the bridge.

Procedure
Step 1 Run:
system-view

The system view is displayed.
Step 2 Run:
wlan

The WLAN view is displayed.
Step 3 Create and configure a bridge whitelist.
1. Run:
bridge-whitelist { name whitelist-name | id whitelist-id }

A bridge whitelist is created and the bridge whitelist view is displayed.
By default, no bridge whitelist is configured on an AP.
2. Run:
peer ap mac mac-address

The MAC address of a neighboring AP is added to the bridge whitelist.
3. Run:
quit

Return to the WLAN view.
Step 4 Bind a bridge whitelist to the radio.
1. Run:
ap ap-id radio radio-id

The AP radio view is displayed.
2. Run:
bridge-whitelist { name whitelist-name | id whitelist-id }

A bridge whitelist is bound to the radio.
By default, no bridge whitelist is bound to a radio.
Step 5 Run:
bridge whitelist enable

The bridge whitelist bound to the radio is enabled.
The bridge whitelist takes effect only after it is enabled.
By default, no bridge whitelist is enabled for a wireless bridge.
----End
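The bridge, security-profile, bridge-profile and whitelist sections above each state a constraint that only becomes visible when a link fails to come up: middle and leaf APs must be added offline, the bridge security profile must be WPA2+PSK+CCMP, a bridge profile carries at most 256 VLANs, bridges find each other through the same bridge-name, a whitelist belongs only on root or middle APs and must list every neighbour, and the distance-id set over the serial console must cover the planned link length. The following Python checks a planning table against those rules before anything is typed into the AC. It is an added illustration written for this page, not Huawei software; the BridgeAp fields, the check wording and the two sample plans are constructed, the MACs and model are the ones of the configuration example in this section, and the distance-id table and supported-model list are copied from the text above.

```python
from dataclasses import dataclass
from typing import List, Optional, Set

# AP models the guide lists as WDS-capable, and the upper bound (km) of each
# distance-id range for config wds timeout.
SUPPORTED_WDS_APS = {"AP6010DN-AGN", "AP6510DN-AGN", "AP6610DN-AGN",
                     "AP5010DN-AGN", "AP7110DN-AGN"}
DISTANCE_ID_MAX_KM = {1: 0.3, 2: 3.0, 3: 5.0, 4: 10.0, 5: 15.0, 6: 20.0}
REQUIRED_SECURITY = ("wpa2", "psk", "ccmp")


@dataclass
class BridgeAp:
    name: str
    model: str
    mac: str
    mode: str                       # bridge enable mode { root | middle | leaf }
    added_offline: bool             # ap id ... mac/sn entered before power-on
    uplink: Optional[str] = None    # upstream AP name (None for the root)
    link_km: float = 0.0            # planned distance to the upstream AP
    distance_id: int = 1            # config wds timeout radio-id distance-id (default 1)
    channel: int = 149              # constructed default for the bridge radio
    channel_mode: str = "fixed"     # channel-mode in the radio profile
    bridge_name: str = "ChinaNet01"  # bridge-name in the bound bridge profile
    security: tuple = REQUIRED_SECURITY
    vlan_count: int = 0             # tagged VLANs in the bridge profile
    whitelist: Optional[Set[str]] = None  # peer ap mac entries; None = no whitelist bound


def required_distance_id(link_km: float) -> int:
    """Smallest distance-id whose range still covers link_km."""
    for did in sorted(DISTANCE_ID_MAX_KM):
        if link_km <= DISTANCE_ID_MAX_KM[did]:
            return did
    raise ValueError(f"{link_km} km is beyond the 20 km covered by distance-id 6")


def lint_wds_plan(aps: List[BridgeAp]) -> List[str]:
    """Return one finding per violated rule; an empty list means the plan is consistent."""
    by_name = {ap.name: ap for ap in aps}
    findings: List[str] = []
    if len({ap.bridge_name for ap in aps}) > 1:
        findings.append("bridge-name must be the same on every bridge of the WDS network")
    if len({ap.channel for ap in aps if ap.channel_mode == "fixed"}) > 1:
        findings.append("with a fixed channel, root, middle and leaf APs must use the same channel")
    for ap in aps:
        if ap.mode not in ("root", "middle", "leaf"):
            findings.append(f"{ap.name}: unknown bridge mode {ap.mode!r}")
            continue
        if ap.model not in SUPPORTED_WDS_APS:
            findings.append(f"{ap.name}: {ap.model} is not listed as a WDS-capable AP")
        if ap.mode != "root" and not ap.added_offline:
            findings.append(f"{ap.name}: {ap.mode} APs must be added to the AC offline")
        if ap.security != REQUIRED_SECURITY:
            findings.append(f"{ap.name}: bridge security must be WPA2+PSK+CCMP, "
                            f"planned {'+'.join(ap.security).upper()}")
        if ap.vlan_count > 256:
            findings.append(f"{ap.name}: a bridge profile carries at most 256 VLANs")
        if ap.mode == "leaf" and ap.whitelist is not None:
            findings.append(f"{ap.name}: a bridge whitelist is configured only on root or middle APs")
        elif ap.whitelist is not None:
            # Every neighbour, upstream and downstream, must be listed or its WVL never comes up.
            neighbours = [by_name[ap.uplink]] if ap.uplink in by_name else []
            neighbours += [o for o in aps if o.uplink == ap.name]
            allowed = {m.lower() for m in ap.whitelist}
            for n in neighbours:
                if n.mac.lower() not in allowed:
                    findings.append(f"{ap.name}: neighbour {n.name} ({n.mac}) is missing from the whitelist")
        if ap.mode == "root":
            if ap.uplink is not None:
                findings.append(f"{ap.name}: a root AP has no wireless uplink")
            continue
        up = by_name.get(ap.uplink)
        if up is None:
            findings.append(f"{ap.name}: upstream AP {ap.uplink!r} is not in the plan")
            continue
        if up.mode == "leaf":
            findings.append(f"{ap.name}: upstream AP {up.name} is a leaf and cannot accept links")
        try:
            need = required_distance_id(ap.link_km)
        except ValueError as exc:
            findings.append(f"{ap.name}: {exc}")
            continue
        if ap.distance_id < need:
            findings.append(f"{ap.name}: a {ap.link_km} km link needs distance-id {need} "
                            f"(planned {ap.distance_id}); ACK waits will time out")
    return findings


def example_plan() -> List[BridgeAp]:
    """Constructed plan mirroring the guide's three-AP example."""
    return [
        BridgeAp("AP1", "AP6010DN-AGN", "0046-4b59-1ee0", "root", True,
                 whitelist={"0046-4b59-1d20"}),
        BridgeAp("AP2", "AP6010DN-AGN", "0046-4b59-1d20", "middle", True,
                 uplink="AP1", link_km=0.2, whitelist={"0046-4b59-1d40", "0046-4b59-1ee0"}),
        BridgeAp("AP3", "AP6010DN-AGN", "0046-4b59-1d40", "leaf", True,
                 uplink="AP2", link_km=0.1),
    ]


def broken_plan() -> List[BridgeAp]:
    """Same topology with four planning mistakes introduced for the demonstration."""
    plan = example_plan()
    plan[1].added_offline = False           # middle AP left to discovery
    plan[1].link_km = 4.0                   # 4 km hop but distance-id still 1
    plan[2].whitelist = set()               # whitelist on a leaf
    plan[2].security = ("wpa2", "psk", "tkip")
    return plan
```

The neighbour check is the one most often missed in practice: the example in this section puts both AP1 and AP3 into bw02 on the middle AP, because a middle AP's radio has a STA VAP toward the root and an AP VAP toward the leaf and the whitelist applies to both.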

Configuring an AP Wired Interface

Context
You can configure the wired interface on a root AP to connect to the AC or configure the wired interface on an AP to deploy a Layer 2 network or directly associate with STAs.
On WDS networks, an AP wired interface can work in the following modes:
l root mode: The AP adds VLANs to the wired interface to allow packets from the VLANs. The wired interface that connects the root AP to the AC must work in root mode.
l endpoint mode: You must manually add VLANs to the wired interface to allow packets from the VLANs. When working in endpoint mode, the AP wired interface can directly connect to a STA or be used to deploy Layer 2 networks.

Procedure
Step 1 Run:
system-view

The system view is displayed.
Step 2 Run:
wlan

The WLAN view is displayed.
Step 3 Run:
ap id ap-id

The AP view is displayed.
Step 4 Set parameters for an AP wired interface.
l Configure a wired interface to work in root mode.
1. Run:
lineate-port mode root

The working mode of an AP wired interface is set to root.
By default, an AP wired interface works in root mode.
NOTE
After changing the working mode of an AP wired interface, run the ap-reset command to reset the AP to make the configuration take effect.

l Configure a wired interface to work in endpoint mode.
1. Run:
lineate-port mode endpoint

The working mode of an AP wired interface is set to endpoint.
By default, an AP wired interface works in root mode.
NOTE
After changing the working mode of an AP wired interface, run the ap-reset command to reset the AP to make the configuration take effect.

2. Run:
lineate-port pvid vlan vlan-id

The PVID of the AP wired interface is set.
By default, no PVID is configured on an AP wired interface.
3. Run:
lineate-port vlan { tagged | untagged } { vlan-id1 [ to vlan-id2 ] } &<1-10>

A VLAN to which the wired interface belongs is configured.
By default, an AP wired interface is not added to any VLAN, and an AP wired interface supports a maximum of 256 VLANs.
4. Run:
lineate-port user-isolate enable

User isolation is enabled on an AP wired interface.
By default, user isolation is disabled on an AP wired interface.
----End

(Optional) Configuring STP

Context
Loops may occur on Layer 2 networks connected to an AP wired interface or between wireless bridges on a WDS network because of redundant links or faults on the network. This may cause broadcast storms or MAC address flapping.
You can enable Spanning Tree Protocol (STP) on wireless bridges to calculate the shortest paths from the wireless bridges to the root bridge, preventing loops between wireless bridges. To prevent loops on the Layer 2 network connected to the AP wired interface, you can enable STP on the network and on the AP wired interface.
NOTE
STP enabled on wireless bridges only prevents loops on the service WVLs but cannot prevent loops on management WVLs. Therefore, the WDS network must be properly deployed to prevent loops.

Procedure
Step 1 Enable STP on a wireless bridge.
1. Run:
system-view

The system view is displayed.
2. Run:
wlan

The WLAN view is displayed.
3. Run:
ap ap-id radio radio-id

The AP radio view is displayed.
4. Run:
bridge stp enable

STP is enabled on the wireless bridge.
By default, STP is disabled on a wireless bridge.
5. Run:
quit

Return to the WLAN view.
Step 2 Enable STP on an AP wired interface.
1. Run:
ap id ap-id

The AP view is displayed.
2. Run:
lineate-port stp enable

STP is enabled on an AP wired interface.
By default, STP is disabled on an AP wired interface.
NOTE
The STP cost on Huawei switches (including the AC) complies with 802.1t, while the STP cost on Huawei APs complies with 802.1d. When a Huawei AP is connected to a Huawei switch and has STP enabled for the WDS network, run the stp pathcost-standard dot1d-1998 command to set the correct STP cost on the switch (or AC); otherwise, the path to the root AP may be blocked.

----End
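The note above is easy to underestimate because STP compares root path costs as plain integers: every bridge adds the cost of the port on which it received the BPDU, using its own table, and passes the sum on. If the switches count in 802.1t units and the APs in 802.1D-1998 units, the sums are not comparable. The following Python works one such comparison through. It is an added illustration written for this page, not Huawei code; the topology (a switch, here called SwitchD, that can reach the root bridge either over two gigabit switch hops or over the WDS through AP1 and AP3, whose wired interface lands on a gigabit port of SwitchD) is constructed, and the cost tables are the recommended per-speed values of IEEE 802.1D-1998 and IEEE 802.1t.

```python
from typing import Dict, List, Tuple

# Recommended port path cost per link speed (Mbit/s) in the two standards the
# note contrasts: the 16-bit IEEE 802.1D-1998 table and the 32-bit IEEE 802.1t table.
PATH_COST = {
    "dot1d-1998": {10: 100, 100: 19, 1000: 4, 10000: 2},
    "dot1t":      {10: 2_000_000, 100: 200_000, 1000: 20_000, 10000: 2_000},
}

Hop = Tuple[str, int, str]   # (bridge that receives the BPDU, port speed, its cost standard)


def port_cost(speed_mbps: int, standard: str) -> int:
    try:
        return PATH_COST[standard][speed_mbps]
    except KeyError:
        raise ValueError(f"no {standard} cost defined for {speed_mbps} Mbit/s") from None


def root_path_cost(hops: List[Hop]) -> int:
    """Cost a BPDU accumulates from the root bridge: each receiving bridge adds the
    cost of the port it received on, taken from its own table, and forwards the sum."""
    return sum(port_cost(speed, std) for _, speed, std in hops)


def candidate_paths(switch_standard: str) -> Dict[str, List[Hop]]:
    """Constructed topology. Huawei APs cost with 802.1d, switches with whatever
    stp pathcost-standard selects; the root bridge sits beyond SwitchA and AP1."""
    ap = "dot1d-1998"
    return {
        "wired":   [("SwitchA", 1000, switch_standard), ("SwitchD", 1000, switch_standard)],
        "via-wds": [("AP1", 100, ap), ("AP3", 100, ap), ("SwitchD", 1000, switch_standard)],
    }


def path_costs(switch_standard: str) -> Dict[str, int]:
    return {name: root_path_cost(hops) for name, hops in candidate_paths(switch_standard).items()}


def root_port_choice(switch_standard: str) -> str:
    """Path SwitchD selects: the lower root path cost becomes the root port,
    the port on the other path does not."""
    costs = path_costs(switch_standard)
    return min(costs, key=costs.get)


if __name__ == "__main__":
    for std in ("dot1t", "dot1d-1998"):
        print(std, path_costs(std), "->", root_port_choice(std))
```

With the switches left on 802.1t, SwitchD rates the two 100 Mbit/s wireless hops (19 + 19 = 38) plus its own gigabit port (20 000) as cheaper than the two gigabit switch hops (40 000) and selects the bridge path; after stp pathcost-standard dot1d-1998 on the switch side the same two paths cost 42 and 8, and the gigabit path wins as it should. Which port ends up blocked in a real network depends on where the root bridge is, but the mismatch always produces comparisons of this kind.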

Delivering Parameters to APs

Context
NOTE
The WLAN service parameters configured on an AC take effect only after you run the commit command to deliver VAPs to an AP.

Procedure
Step 1 Run:
system-view

The system view is displayed.
Step 2 Run:
wlan

The WLAN view is displayed.
Step 3 Run:
commit ap ap-id

The AP parameters configured on the AC are delivered to the AP, and WDS configurations are complete.
NOTE
When you run this command, you are advised to deliver the configurations to the leaf AP, middle AP, and root AP in sequence.

----End

Checking the Configuration

Prerequisites
The WDS configurations have been completed.

Procedure
l Run the display bridge-profile { all | name profile-name | id profile-id | bridge-name name } command to check information about the bridge profile.
l Run the display vap { all | ap ap-id [ radio radio-id ] } type bridge-profile command to check information about bridge VAPs.
NOTE
The display vap command can display information about service VAPs and bridge VAPs.
l Run the display bridge-link { all | ap ap-id [ radio radio-id ] | bridge-profile { id profile-id | name profile-name } } command to check information about the wireless bridges that have set up wireless virtual links with APs.
l Run the display bridge-whitelist { all | id whitelist-id | name whitelist-name } command to check configurations about the bridge whitelist.
l Run the display ap { all | id ap-id | by-mac ap-mac | by-sn ap-sn } command to check configurations of the AP wired interface.

----End

12.8.5 Maintaining WDS

Context
When deploying or maintaining a WDS network, you need to adjust AP locations and antenna directions to obtain strong signals. The blinking frequency of the Wireless LED shows the signal strength of upstream APs (root AP or middle APs). A higher blinking frequency of the Wireless LED indicates a stronger signal.

Procedure
Step 1 Run the system-view command to enter the system view.
Step 2 Run the wlan command to enter the WLAN view.
Step 3 Run the radio-profile { id profile-id | name profile-name } * command to create a radio profile and enter the radio profile view.
Step 4 Run the wifi-light signal-strength command to configure the blinking frequency of the Wireless LED to show the signal strength of upstream APs after WDS is enabled.
By default, the blinking frequency of the Wireless LED shows the signal strength of upstream APs after WDS is enabled.
----End

12.8.6 Configuration Examples


This section provides WDS configuration examples, including networking requirements,
configuration roadmap, and configuration procedure.

Example for Configuring WLAN WDS


Networking Requirements
An enterprise's office has three areas: area A, area B, and area C. AP1 in area A can connect to
SwitchA through cables, but AP2 in area B and AP3 in area C cannot. The enterprise needs to
provide Internet access for WLAN users in the three areas and wired users in area C, as shown
in Figure 12-61.
Figure 12-61 Configuring WLAN WDS (figure: the AC connects to the aggregation switch SwitchB, which connects to the IP backbone network and to the access switch SwitchA; SwitchA GE0/0/1 connects to AP1 (root) in area A; AP2 (middle) in area B and AP3 (leaf) in area C reach AP1 over service and management wireless virtual links; STAs attach to each AP, and a Layer 2 network with a switch attaches to the wired interface of AP3 in area C)

Configuration Roadmap
1. Configure WDS so that AP2 and AP3 can access the AC through wireless links.
2. Configure basic WLAN services to provide Internet access for WLAN users in the three areas.

NOTE

SwitchA (access switch) and SwitchB (aggregation switch) in this example are both Huawei switches.
The AC6605 has the wired and wireless sides. For details about how to log in to the wired and wireless
sides of the AC6605, see 11.1 Configuring User Login.

Table 12-25 Data plan on APs

AP     Type            MAC
AP1    AP6010DN-AGN    0046-4b59-1ee0
AP2    AP6010DN-AGN    0046-4b59-1d20
AP3    AP6010DN-AGN    0046-4b59-1d40

Table 12-26 Data plan on the AC

Item                                    Data
VLAN                                    Management VLAN: 100
                                        Service VLANs: 101, 102, 103, 104, 105, 106
                                        l Area A: VLAN 101 for WLAN services
                                        l Area B: VLAN 102 for WLAN services
                                        l Area C: VLAN 103 for WLAN services
                                        l Area C: VLANs 104, 105, and 106 on AP3 wired interfaces
Service forwarding mode on APs          Direct forwarding mode
IP address of the AC source interface   VLANIF 100: 192.168.10.1/24
AP region                               AP1: 101, AP2: 102, AP3: 103
WMM profile                             Name: wp01
Radio profile                           Name: rp01 and rp02
Security profile                        l Name: sp01
                                        l Security and authentication policy: WPA2+PSK
                                        l Authentication key: 12345678
                                        l Encryption mode: CCMP
Traffic profile                         Name: tp01
Bridge profile                          l Name: bp01
                                        l Bridge identifier: ChinaNet01
Service set                             l Name: ss01
                                        l SSID: ChinaSer01
                                        l WLAN virtual interface: WLAN-ESS 1
                                        l Service data forwarding mode: direct forwarding mode
                                        l Name: ss02
                                        l SSID: ChinaSer02
                                        l WLAN virtual interface: WLAN-ESS 2
                                        l Service data forwarding mode: direct forwarding mode
                                        l Name: ss03
                                        l SSID: ChinaSer03
                                        l WLAN virtual interface: WLAN-ESS 3
                                        l Service data forwarding mode: direct forwarding mode
Bridge whitelist                        Name: bw01 and bw02

Procedure
Step 1 Connect AC and AP1.
# Configure the access switch SwitchA. Add GE0/0/1 on SwitchA to VLAN 100 (management
VLAN), and the PVID of GE0/0/1 is VLAN 100. Configure GE0/0/1 and GE0/0/2 to allow
packets from VLANs 100 to 106 to pass through.
NOTE

Configure port isolation on GE0/0/1 that connects SwitchA and AP. Otherwise, unnecessary packets are
broadcast in the VLAN or WLAN users of different APs can communicate with each other at Layer 2.
<Quidway> system-view
[Quidway] sysname SwitchA
[SwitchA] vlan batch 100 to 106
[SwitchA] interface gigabitEthernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 to 106
[SwitchA-GigabitEthernet0/0/1] port-isolate enable
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitEthernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 to 106
[SwitchA-GigabitEthernet0/0/2] quit

# Configure the aggregation switch SwitchB. Configure GE0/0/1 to allow packets from VLANs
100 to 106 to pass through and configure GE0/0/2 to allow packets from VLAN 100 to pass
through.
<Quidway> system-view
[Quidway] sysname SwitchB
[SwitchB] vlan batch 100 to 106
[SwitchB] interface gigabitEthernet 0/0/1
[SwitchB-GigabitEthernet0/0/1] port link-type trunk
[SwitchB-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 to 106
[SwitchB-GigabitEthernet0/0/1] quit
[SwitchB] interface gigabitEthernet 0/0/2
[SwitchB-GigabitEthernet0/0/2] port link-type trunk
[SwitchB-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[SwitchB-GigabitEthernet0/0/2] quit

# Configure GE0/0/1 that connects the AC wired side to SwitchB and XGE0/0/27 that connects
the wired and wireless sides of the AC to allow packets from VLAN 100 to pass through.
<Quidway> system-view
[Quidway] sysname AC-LSW
[AC-LSW] vlan batch 100 to 106
[AC-LSW] interface gigabitEthernet 0/0/1
[AC-LSW-GigabitEthernet0/0/1] port link-type trunk
[AC-LSW-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[AC-LSW-GigabitEthernet0/0/1] quit
[AC-LSW] interface xgigabitEthernet 0/0/27
[AC-LSW-XGigabitEthernet0/0/27] port link-type trunk
[AC-LSW-XGigabitEthernet0/0/27] port trunk allow-pass vlan 100
[AC-LSW-XGigabitEthernet0/0/27] quit

# Configure XGE0/0/1 that connects the wired and wireless side of the AC to allow packets from
VLAN 100 to pass through.
<Quidway> system-view
[Quidway] sysname AC
[AC] vlan batch 100
[AC] interface xgigabitEthernet 0/0/1
[AC-XGigabitEthernet0/0/1] port link-type trunk
[AC-XGigabitEthernet0/0/1] port trunk allow-pass vlan 100
[AC-XGigabitEthernet0/0/1] quit

Step 2 Configure the aggregation switch SwitchB to allocate IP addresses for STAs and configure the
AC to allocate IP addresses for APs.
# Configure SwitchB as a DHCP server to allocate IP addresses to STAs using an address pool.
[SwitchB] dhcp enable
[SwitchB] interface vlanif 101
[SwitchB-Vlanif101] ip address 192.168.1.1 24
[SwitchB-Vlanif101] dhcp select interface
[SwitchB-Vlanif101] quit
[SwitchB] interface vlanif 102
[SwitchB-Vlanif102] ip address 192.168.2.1 24
[SwitchB-Vlanif102] dhcp select interface
[SwitchB-Vlanif102] quit
[SwitchB] interface vlanif 103
[SwitchB-Vlanif103] ip address 192.168.3.1 24
[SwitchB-Vlanif103] dhcp select interface
[SwitchB-Vlanif103] quit

# Enable DHCP on the AC wireless side to allocate IP addresses to APs using an address pool.
[AC] dhcp enable
[AC] interface vlanif 100
[AC-Vlanif100] ip address 192.168.10.1 24
[AC-Vlanif100] dhcp select interface
[AC-Vlanif100] quit

Step 3 Set AC parameters.
# Configure a country code for the AC.
[AC] wlan ac-global country-code cn

# Configure the carrier ID and AC ID.
[AC] wlan ac-global ac id 1 carrier id ctc

# Configure the AC source interface.
[AC] wlan
[AC-wlan-view] wlan ac source interface vlanif 100

Step 4 Configure the AC to manage APs.
# Add an AP offline.
NOTE
In this example, the AP connects the wired and wireless networks, so a dual-band AP is used. The AP6010DN-AGN is used as an example.
[AC-wlan-view] ap id 1 ap-type AP6010DN-AGN mac 0046-4b59-1ee0
[AC-wlan-ap-1] quit
[AC-wlan-view] ap id 2 ap-type AP6010DN-AGN mac 0046-4b59-1d20
[AC-wlan-ap-2] quit
[AC-wlan-view] ap id 3 ap-type AP6010DN-AGN mac 0046-4b59-1d40
[AC-wlan-ap-3] quit

# Create AP regions 101, 102, and 103.
[AC-wlan-view] ap-region id 101
[AC-wlan-ap-region-101] quit
[AC-wlan-view] ap-region id 102
[AC-wlan-ap-region-102] quit
[AC-wlan-view] ap-region id 103
[AC-wlan-ap-region-103] quit

# Add AP1 to AP region 101, AP2 to AP region 102, and AP3 to AP region 103.
[AC-wlan-view] ap id 1
[AC-wlan-ap-1] region-id 101
[AC-wlan-ap-1] quit
[AC-wlan-view] ap id 2
[AC-wlan-ap-2] region-id 102
[AC-wlan-ap-2] quit
[AC-wlan-view] ap id 3
[AC-wlan-ap-3] region-id 103
[AC-wlan-ap-3] quit

Step 5 Set WDS bridge parameters.
# Create a WMM profile named wp01 and retain the default configurations in the profile.
[AC-wlan-view] wmm-profile name wp01
[AC-wlan-wmm-prof-wp01] quit

# Create the radio profile rp02 for the wireless bridge. Set the radio type to 802.11n, GI mode to short interval, and DTIM interval to 1 and use the manual channel. Use the default settings for other parameters and bind the radio profile rp02 to the WMM profile wp01.
[AC-wlan-view] radio-profile name rp02
[AC-wlan-radio-prof-rp02] wmm-profile name wp01
[AC-wlan-radio-prof-rp02] radio-type 80211an
Warning: Modify the Radio type may cause some parameters of Radio resume default value, are you sure to continue?[Y/N]:y
[AC-wlan-radio-prof-rp02] 80211n guard-interval-mode short
[AC-wlan-radio-prof-rp02] channel-mode fixed
[AC-wlan-radio-prof-rp02] dtim-interval 1
[AC-wlan-radio-prof-rp02] quit

# Create bridge whitelists bw01 and bw02.
[AC-wlan-view] bridge-whitelist name bw01
[AC-wlan-br-whitelist-bw01] peer ap mac 0046-4b59-1d20
[AC-wlan-br-whitelist-bw01] quit
[AC-wlan-view] bridge-whitelist name bw02
[AC-wlan-br-whitelist-bw02] peer ap mac 0046-4b59-1d40
[AC-wlan-br-whitelist-bw02] peer ap mac 0046-4b59-1ee0
[AC-wlan-br-whitelist-bw02] quit

# Bind AP1 radio 1 to the radio profile rp02, set the wireless bridge working mode to root, and
bind the bridge whitelist bw01 to the radio.
[AC-wlan-view] ap 1
[AC-wlan-radio-1/1]
[AC-wlan-radio-1/1]
[AC-wlan-radio-1/1]
[AC-wlan-radio-1/1]
[AC-wlan-radio-1/1]

radio 1
radio-profile name rp02
bridge enable mode root
bridge-whitelist name bw01
bridge whitelist enable
quit

# Bind AP2 radio 1 to the radio profile rp02, set the wireless bridge working mode to middle,
and bind the bridge whitelist bw02 to the radio.
[AC-wlan-view] ap 2 radio 1
[AC-wlan-radio-2/1] radio-profile name rp02
[AC-wlan-radio-2/1] bridge enable mode middle
[AC-wlan-radio-2/1] bridge-whitelist name bw02
[AC-wlan-radio-2/1] bridge whitelist enable
[AC-wlan-radio-2/1] quit

# Bind AP3 radio 1 to the radio profile rp02 and set the wireless bridge working mode to leaf.
[AC-wlan-view] ap 3 radio 1
[AC-wlan-radio-3/1] radio-profile name rp02
[AC-wlan-radio-3/1] bridge enable mode leaf
[AC-wlan-radio-3/1] quit

# After the preceding configurations are complete, power on the APs. If the APs have already been
powered on, restart the root AP to make the configuration take effect. Run the display ap all
and display bridge-link all commands on the AC to check whether the APs work properly and
whether the WVLs have been established. If the WVLs are displayed and the status of all the
APs is normal, the management bridge has been established successfully.
NOTE

If an AP supports the WDS function, the wireless bridge function is enabled on the AP after the AP is
powered on. The AP can also set up management WVLs.
[AC-wlan-view] display ap all
All AP information(Normal-3,UnNormal-0):
------------------------------------------------------------------------------
AP ID  AP Type       AP MAC          Profile ID/Region ID  AP State  AP Sysname
------------------------------------------------------------------------------
1      AP6010DN-AGN  0046-4b59-1ee0  0/0                   normal    ap-0
2      AP6010DN-AGN  0046-4b59-1d20  0/0                   normal    ap-1
3      AP6010DN-AGN  0046-4b59-1d40  0/0                   normal    ap-2
------------------------------------------------------------------------------
Total number: 3
[AC-wlan-view] display bridge-link all
----------------------------------------------------------------------
AP ID  Radio ID  Bridge-link ID  WLAN ID  Peer MAC
----------------------------------------------------------------------
1      1         0               15       0046-4b59-1d3f
2      1         0               16       0046-4b59-1efe
2      1         1               15       0046-4b59-1d5f
3      1         0               16       0046-4b59-1d3e
----------------------------------------------------------------------

Step 6 Configure a radio profile and a WLAN-ESS interface.


# Create the radio profile rp01 for user services, use the default settings, and bind the radio
profile to the WMM profile wp01.
[AC-wlan-view] radio-profile name rp01
[AC-wlan-radio-prof-rp01] wmm-profile name wp01
[AC-wlan-radio-prof-rp01] quit
[AC-wlan-view] quit

# Create WLAN-ESS interfaces.
[AC] interface wlan-ess 1
[AC-WLAN-ESS1] quit
[AC] interface wlan-ess 2
[AC-WLAN-ESS2] quit
[AC] interface wlan-ess 3
[AC-WLAN-ESS3] quit

Step 7 Configure the bridge profile and service set.


# Create the security profile sp01, set the security policy to WPA2 with PSK authentication, set the
authentication key to 12345678, and set the encryption mode to CCMP.
NOTE

The AP that establishes the bridge on a WDS network supports only WPA2+PSK+CCMP.
[AC-wlan-view] security-profile name sp01
[AC-wlan-sec-prof-sp01] security-policy wpa2
[AC-wlan-sec-prof-sp01] wpa2 authentication-method psk pass-phrase simple 12345678 encryption-method ccmp
[AC-wlan-sec-prof-sp01] quit

# Create a bridge profile with the name bp01 and identifier ChinaNet01, and bind the bridge
profile to the security profile sp01.
[AC-wlan-view] bridge-profile name bp01
[AC-wlan-bridge-prof-bp01] bridge-name ChinaNet01
[AC-wlan-bridge-prof-bp01] vlan tagged 100 to 106
[AC-wlan-bridge-prof-bp01] security-profile name sp01
[AC-wlan-bridge-prof-bp01] quit

# Create traffic profile tp01 and use the default settings.


[AC-wlan-view] traffic-profile name tp01
[AC-wlan-traffic-prof-tp01] quit

# Create and configure a service set with name ss01 and SSID ChinaSer01.
[AC-wlan-view] service-set name ss01
[AC-wlan-service-set-ss01] traffic-profile name tp01
[AC-wlan-service-set-ss01] security-profile name sp01
[AC-wlan-service-set-ss01] ssid ChinaSer01
[AC-wlan-service-set-ss01] service-vlan 101
[AC-wlan-service-set-ss01] wlan-ess 1
[AC-wlan-service-set-ss01] forward-mode direct-forward
[AC-wlan-service-set-ss01] quit

# Create and configure a service set with name ss02 and SSID ChinaSer02.
[AC-wlan-view] service-set name ss02
[AC-wlan-service-set-ss02] traffic-profile name tp01
[AC-wlan-service-set-ss02] security-profile name sp01
[AC-wlan-service-set-ss02] ssid ChinaSer02
[AC-wlan-service-set-ss02] service-vlan 102
[AC-wlan-service-set-ss02] wlan-ess 2
[AC-wlan-service-set-ss02] forward-mode direct-forward
[AC-wlan-service-set-ss02] quit

# Create and configure a service set with name ss03 and SSID ChinaSer03.
[AC-wlan-view] service-set name ss03
[AC-wlan-service-set-ss03] traffic-profile name tp01
[AC-wlan-service-set-ss03] security-profile name sp01
[AC-wlan-service-set-ss03] ssid ChinaSer03
[AC-wlan-service-set-ss03] service-vlan 103
[AC-wlan-service-set-ss03] wlan-ess 3
[AC-wlan-service-set-ss03] forward-mode direct-forward
[AC-wlan-service-set-ss03] quit

# Create a bridge VAP on AP1 radio 1 and bind the radio to the bridge profile. Create a service
VAP on AP1 radio 0 and bind the radio to the radio profile and service set.
[AC-wlan-view] ap 1 radio 0
[AC-wlan-radio-1/0] radio-profile name rp01
[AC-wlan-radio-1/0] service-set name ss01
[AC-wlan-radio-1/0] quit
[AC-wlan-view] ap 1 radio 1
[AC-wlan-radio-1/1] bridge-profile name bp01
[AC-wlan-radio-1/1] channel 40mhz-plus 157
[AC-wlan-radio-1/1] quit

# Create a bridge VAP on AP2 radio 1 and bind the radio to the bridge profile. Create a service
VAP on AP2 radio 0 and bind the radio to the radio profile and service set.
[AC-wlan-view] ap 2 radio 0
[AC-wlan-radio-2/0] radio-profile name rp01
[AC-wlan-radio-2/0] service-set name ss02
[AC-wlan-radio-2/0] quit
[AC-wlan-view] ap 2 radio 1
[AC-wlan-radio-2/1] bridge-profile name bp01
[AC-wlan-radio-2/1] channel 40mhz-plus 157
[AC-wlan-radio-2/1] quit

# Create a bridge VAP on AP3 radio 1 and bind the radio to the bridge profile. Create a service
VAP on AP3 radio 0 and bind the radio to the radio profile and service set.
[AC-wlan-view] ap 3 radio 0
[AC-wlan-radio-3/0] radio-profile name rp01
[AC-wlan-radio-3/0] service-set name ss03
[AC-wlan-radio-3/0] quit
[AC-wlan-view] ap 3 radio 1
[AC-wlan-radio-3/1] bridge-profile name bp01
[AC-wlan-radio-3/1] channel 40mhz-plus 157
[AC-wlan-radio-3/1] quit

Step 8 Configure AP wired interfaces.


# Set parameters for the AP1 wired interface.
[AC-wlan-view] ap id 1
[AC-wlan-ap-1] lineate-port mode root
[AC-wlan-ap-1] quit

# Set parameters for the AP3 wired interface.
[AC-wlan-view] ap id 3
[AC-wlan-ap-3] lineate-port vlan tagged 104 to 105
[AC-wlan-ap-3] lineate-port vlan untagged 106
[AC-wlan-ap-3] lineate-port stp enable
[AC-wlan-ap-3] lineate-port mode endpoint
[AC-wlan-ap-3] lineate-port user-isolate enable
[AC-wlan-ap-3] quit

NOTE

After changing the working mode of AP wired interfaces, reset the APs to make the configurations take
effect.

Step 9 Deliver parameters to APs.


The AP parameters configured on the AC take effect only after they are delivered to the APs.
[AC-wlan-view] commit ap 3
Warning: Committing configuration may cause service interruption,continue?[Y/N] y
[AC-wlan-view] commit ap 2
Warning: Committing configuration may cause service interruption,continue?[Y/N] y
[AC-wlan-view] commit ap 1
Warning: Committing configuration may cause service interruption,continue?[Y/N] y

Step 10 Verify the configuration.


WLAN users in areas A, B, and C and wired users in area C can access the Internet.
----End

Configuration File

Configuration file of SwitchA


#
sysname SwitchA
#
vlan batch 100 to 106
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100 to 106
port-isolate enable group 1
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100 to 106
#
return

Configuration file of SwitchB


#
sysname SwitchB
#
vlan batch 100 to 106
#
dhcp enable
#
interface Vlanif101
ip address 192.168.1.1 255.255.255.0
dhcp select interface
#
interface Vlanif102
ip address 192.168.2.1 255.255.255.0
dhcp select interface
#
interface Vlanif103
ip address 192.168.3.1 255.255.255.0
dhcp select interface
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100 to 106
port-isolate enable group 1
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100
#
return

Configuration file of the AC wired side

#
sysname AC-LSW
#
vlan batch 100 to 106
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100
#
interface XGigabitEthernet0/0/27
port link-type trunk
port trunk allow-pass vlan 100
#
return

Configuration file of the AC wireless side


#
sysname AC
#
vlan batch 100
#
wlan ac-global carrier id ctc ac id 1
#
dhcp enable
#
interface Vlanif100
ip address 192.168.10.1 255.255.255.0
dhcp select interface
#
interface XGigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100
#
interface Wlan-Ess1
#
interface Wlan-Ess2
#
interface Wlan-Ess3
#
wlan
wlan ac source interface vlanif100
ap-region id 101
ap-region id 102
ap-region id 103
ap-auth-mode no-auth
ap id 1 type-id 19 mac 0046-4b59-1ee0 sn AB37026279
region-id 101
ap id 2 type-id 19 mac 0046-4b59-1d20 sn AB37034085
region-id 102
ap id 3 type-id 19 mac 0046-4b59-1d40 sn AB37010864
region-id 103
lineate-port stp enable
lineate-port mode endpoint
lineate-port pvid vlan 104
lineate-port user-isolate enable
lineate-port vlan tagged 105
lineate-port vlan untagged 106
wmm-profile name wp01 id 0
traffic-profile name tp01 id 0
security-profile name sp01 id 0
security-policy wpa2
wpa2 authentication-method psk pass-phrase 12345678 encryption-method ccmp
service-set name ss01 id 0
wlan-ess 1
ssid ChinaSer01
traffic-profile id 0
security-profile id 0
service-vlan 101
service-set name ss02 id 1
wlan-ess 2


ssid ChinaSer02
traffic-profile id 0
security-profile id 0
service-vlan 102
service-set name ss03 id 2
wlan-ess 3
ssid ChinaSer03
traffic-profile id 0
security-profile id 0
service-vlan 103
bridge-profile name bp01 id 0
bridge-name ChinaNet01
security-profile id 0
vlan tagged 100 to 106
radio-profile name rp01 id 0
wmm-profile id 0
radio-profile name rp02 id 1
radio-type 80211an
channel-mode fixed
wmm-profile id 1
80211n guard-interval-mode short
bridge-whitelist name bw01 id 0
peer ap mac 0046-4b59-1ee0
bridge-whitelist name bw02 id 1
peer ap mac 0046-4b59-1d20
peer ap mac 0046-4b59-1d40
ap 1 radio 0
radio-profile id 0
service-set id 0 wlan 1
ap 1 radio 1
radio-profile id 1
channel 40MHz-plus 157
bridge enable mode root
bridge whitelist enable
bridge-whitelist id 0
bridge-profile id 0
ap 2 radio 0
radio-profile id 0
service-set id 0 wlan 1
ap 2 radio 1
radio-profile id 1
channel 40MHz-plus 157
bridge enable mode middle
bridge whitelist enable
bridge-whitelist id 0
bridge-profile id 0
ap 3 radio 0
radio-profile id 0
service-set id 0 wlan 1
ap 3 radio 1
radio-profile id 1
channel 40MHz-plus 157
bridge enable mode leaf
bridge whitelist enable
bridge-whitelist id 0
bridge-profile id 0
#
return
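
Step 5 binds bridge whitelists to the root and middle bridges, and the configuration file above is where the result can be checked mechanically: every root or middle bridge radio carries bridge whitelist enable, every referenced whitelist id exists, every whitelisted peer is a MAC of an AP the AC manages, and the PSK (stored readable in the file above because Step 7 used the simple keyword) is not left in clear text. The following Python audit is an added example, not Huawei code; it parses the guide's configuration-file format using constructed sample lines, and it assumes that a cipher keyword after pass-phrase would mark an encrypted pass-phrase.

```python
import re

# Constructed excerpt in the format of this guide's "Configuration file of the AC
# wireless side" (illustrative values, not a real device export). AP 2 is deliberately
# left without whitelist enforcement and points at a whitelist id that does not exist.
SAMPLE_WLAN_CONFIG = """
ap id 2 type-id 19 mac 0046-4b59-1d20 sn AB37034085
wpa2 authentication-method psk pass-phrase 12345678 encryption-method ccmp
bridge-whitelist name bw01 id 0
peer ap mac 0046-4b59-1d20
peer ap mac 0046-4b59-1d40
ap 1 radio 1
bridge enable mode root
bridge whitelist enable
bridge-whitelist id 0
ap 2 radio 1
bridge enable mode middle
bridge-whitelist id 7
"""


def audit_wds_config(text):
    """Findings for the WDS lines of an AC wlan block (root/middle bridges must enforce whitelists)."""
    ap_macs, whitelists, radios, findings, wl, radio = set(), {}, {}, [], None, None
    for line in (raw.strip() for raw in text.splitlines()):
        if m := re.match(r"ap id \d+ .*\bmac (\S+)", line):
            ap_macs.add(m.group(1).lower())
        elif m := re.match(r"bridge-whitelist name \S+ id (\d+)", line):
            wl = int(m.group(1))
            whitelists[wl] = []
        elif m := re.match(r"peer ap mac (\S+)", line):
            whitelists.setdefault(wl, []).append(m.group(1).lower())
        elif m := re.match(r"ap \d+ radio \d+", line):
            radio = m.group(0)
            radios[radio] = {"mode": None, "enforced": False, "ref": None}
        elif m := re.match(r"bridge enable mode (\S+)", line):
            radios[radio]["mode"] = m.group(1)
        elif line == "bridge whitelist enable":
            radios[radio]["enforced"] = True
        elif m := re.match(r"bridge-whitelist id (\d+)", line):
            radios[radio]["ref"] = int(m.group(1))
        elif (m := re.search(r"\bpass-phrase (\S+)", line)) and m.group(1) != "cipher":
            findings.append("PSK pass-phrase stored readable (assumes 'cipher' marks an encrypted one)")
    for wl_id, peers in whitelists.items():
        findings += [f"whitelist {wl_id}: peer {p} is not a managed AP" for p in peers if p not in ap_macs]
    for name, r in radios.items():
        # Following Step 5: only root and middle bridges bind a whitelist; leaf radios are not checked.
        if r["mode"] in ("root", "middle") and not r["enforced"]:
            findings.append(f"{name}: {r['mode']} bridge without 'bridge whitelist enable'")
        if r["ref"] is not None and r["ref"] not in whitelists:
            findings.append(f"{name}: references undefined bridge-whitelist id {r['ref']}")
    return findings
```

Run it against the wlan section of a saved configuration (for example the output of display current-configuration) rather than the CLI transcript; the checks key on the stored form shown above.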
