Huawei Certification HCNP Lab Guide HCNP IERN V1 6 OSPF BGP ACL Multicast 473 Pages

S7700&S9700 Series Switches
V200R008C00
Configuration Guide - Ethernet

Switching
Issue 07
Date 2017-11-30
HUAWEI TECHNOLOGIES CO., LTD.

Copyright © Huawei Technologies Co., Ltd. 2017. All rights reserved.
No part of this document may be reproduced or transmitted in any form or by any means without prior written
consent of Huawei Technologies Co., Ltd.
Trademarks and Permissions
and other Huawei trademarks are trademarks of Huawei Technologies Co., Ltd.
All other trademarks and trade names mentioned in this document are the property of their respective
holders.
Notice
The purchased products, services and features are stipulated by the contract made between Huawei and the
customer. All or part of the products, services and features described in this document may not be within the
purchase scope or the usage scope. Unless otherwise specified in the contract, all statements, information,
and recommendations in this document are provided "AS IS" without warranties, guarantees or
representations of any kind, either express or implied.
The information in this document is subject to change without notice. Every effort has been made in the
preparation of this document to ensure accuracy of the contents, but all statements, information, and
recommendations in this document do not constitute a warranty of any kind, express or implied.
Huawei Technologies Co., Ltd.

Address: Huawei Industrial Base
Bantian, Longgang
Shenzhen 518129
People's Republic of China
Website: http://e.huawei.com
Issue 07 (2017-11-30) Huawei Proprietary and Confidential i

Copyright © Huawei Technologies Co., Ltd.
Configuration Guide - Ethernet Switching About This Document
About This Document
Intended Audience
This document describes how to configure the components for Ethernet switching services.
This document provides procedures and examples to illustrate the methods and application
scenarios for the Ethernet switching configurations.
This document is intended for:
l Data configuration engineers

l Commissioning engineers
l Network monitoring engineers
l System maintenance engineers
Symbol Conventions
The symbols that may be found in this document are defined as follows.
Symbol Description
Indicates an imminently hazardous situation

which, if not avoided, will result in death or
serious injury.
Indicates a potentially hazardous situation

which, if not avoided, could result in death
or serious injury.

which, if not avoided, may result in minor
or moderate injury.

which, if not avoided, could result in
equipment damage, data loss, performance
deterioration, or unanticipated results.
NOTICE is used to address practices not
related to personal injury.
Issue 07 (2017-11-30) Huawei Proprietary and Confidential ii

Symbol Description
NOTE Calls attention to important information,

best practices and tips.
NOTE is used to address information not
related to personal injury, equipment
damage, and environment deterioration.
Command Conventions
The command conventions that may be found in this document are defined as follows.
Convention Description
Boldface The keywords of a command line are in boldface.
Italic Command arguments are in italics.
[] Items (keywords or arguments) in brackets [ ] are optional.
{ x | y | ... } Optional items are grouped in braces and separated by

vertical bars. One item is selected.
[ x | y | ... ] Optional items are grouped in brackets and separated by

vertical bars. One item is selected or no item is selected.
{ x | y | ... }* Optional items are grouped in braces and separated by

vertical bars. A minimum of one item or a maximum of all
items can be selected.
[ x | y | ... ]* Optional items are grouped in brackets and separated by

vertical bars. Several items or no item can be selected.
&<1-n> The parameter before the & sign can be repeated 1 to n

times.
# A line starting with the # sign is comments.
Interface Numbering Conventions

Interface numbers used in this manual are examples. In device configuration, use the existing
interface numbers on devices.
Security Conventions
l Password setting
Issue 07 (2017-11-30) Huawei Proprietary and Confidential iii

– When configuring a password, the cipher text is recommended. To ensure device

security, change the password periodically.
– When you configure a password in plain text that starts and ends with %^%#, %#
%#, %@%@ or @%@% (the password can be decrypted by the device), the
password is displayed in the same manner as the configured one in the
configuration file. Do not use this setting.
– When you configure a password in cipher text, different features cannot use the
same cipher-text password. For example, the cipher-text password set for the AAA
feature cannot be used for other features.
l Encryption algorithm
The switch currently supports the 3DES, AES, RSA, SHA1, SHA2, and MD5. 3DES,
RSA, and AES are reversible, whereas SHA1, SHA2, and MD5 are irreversible. Using
the encryption algorithms DES , 3DES, RSA (RSA-1024 or lower), MD5 (in digital
signature scenarios and password encryption), or SHA1 (in digital signature scenarios) is
a security risk. If protocols allow, use more secure encryption algorithms, such as AES,
RSA (RSA-2048 or higher), SHA2, or HMAC-SHA2.
l Personal data
Some personal data (such as MAC or IP addresses of terminals) may be obtained or used
during operation or fault location of your purchased products, services, features, so you
have an obligation to make privacy policies and take measures according to the
applicable law of the country to protect personal data.
l The terms mirrored port, port mirroring, traffic mirroring, and mirroing in this manual
are mentioned only to describe the product's function of communication error or failure
detection, and do not involve collection or processing of any personal information or
communication data of users.
Declaration
This manual is only a reference for you to configure your devices. The contents in the manual,
such as web pages, command line syntax, and command outputs, are based on the device
conditions in the lab. The manual provides instructions for general scenarios, but do not cover
all usage scenarios of all product models. The contents in the manual may be different from
your actual device situations due to the differences in software versions, models, and
configuration files. The manual will not list every possible difference. You should configure
your devices according to actual situations.
The specifications provided in this manual are tested in lab environment (for example, the
tested device has been installed with a certain type of boards or only one protocol is run on
the device). Results may differ from the listed specifications when you attempt to obtain the
maximum values with multiple functions enabled on the device.
Mappings between Product Software Versions and NMS

Versions
The mappings between product software versions and NMS versions are as follows.
Issue 07 (2017-11-30) Huawei Proprietary and Confidential iv

S7700&S9700 Product Software NMS

Version
V200R008C00 eSight V300R003C20
Change History
Changes between document issues are cumulative. Therefore, the latest document version
contains all updates made to previous versions.
Changes in Issue 07 (2017-11-30) V200R008C00

Mistakes in the document are corrected.





This version has the following updates:
Some contents are modified according to updates in the product.

Initial commercial release.
Issue 07 (2017-11-30) Huawei Proprietary and Confidential v

Configuration Guide - Ethernet Switching Contents
Contents
About This Document.....................................................................................................................ii

1 Ethernet Switching Overview..................................................................................................... 1
1.1 Introduction to Ethernet Switching.................................................................................................................................2
1.2 Basic Concepts of Ethernet.............................................................................................................................................3
1.2.1 Ethernet Network Layers.............................................................................................................................................3
1.2.2 Introduction to Ethernet Cable Standards....................................................................................................................4
1.2.3 CSMA/CD................................................................................................................................................................... 6
1.2.4 Minimum Frame Length and Maximum Transmission Distance................................................................................7
1.2.5 Duplex Modes of Ethernet...........................................................................................................................................8
1.2.6 Auto-Negotiation of Ethernet...................................................................................................................................... 8
1.2.7 Collision Domain and Broadcast Domain................................................................................................................. 10
1.2.8 MAC Sub-layer..........................................................................................................................................................10
1.2.9 LLC Sub-layer........................................................................................................................................................... 14
1.3 Switching on the Ethernet.............................................................................................................................................15
1.3.1 Layer 2 Switching......................................................................................................................................................15
1.3.2 Layer 3 Switching......................................................................................................................................................16
1.4 Application Environment............................................................................................................................................. 19
1.4.1 Building an Enterprise Network................................................................................................................................ 19
1.5 References.................................................................................................................................................................... 20
2 MAC Address Table Configuration.........................................................................................21

2.1 Introduction to the MAC Address................................................................................................................................ 22
2.2 Principles...................................................................................................................................................................... 22
2.2.1 Definition and Classification of MAC Address Entries............................................................................................ 22
2.2.2 Elements and Functions of a MAC Address Table....................................................................................................24
2.2.3 MAC Address Entry Learning and Aging................................................................................................................. 25
2.2.4 MAC Address Learning Control............................................................................................................................... 27
2.2.5 MAC Address Flapping.............................................................................................................................................28
2.2.6 MAC Address-Triggered ARP Entry Update............................................................................................................31
2.3 Application................................................................................................................................................................... 32
2.3.1 Configuring MAC Address Flapping Prevention to Block User Attacks................................................................. 32
2.3.2 Configuring MAC Address Flapping Detection to Quickly Detect Loops............................................................... 32
2.3.3 Configuring MAC Address-Triggered ARP Entry Update to Improve VRRP Switchover Performance.................33
Issue 07 (2017-11-30) Huawei Proprietary and Confidential vi

2.4 Configuration Task Summary.......................................................................................................................................35

2.5 Configuration Notes..................................................................................................................................................... 37
2.6 Default Configuration...................................................................................................................................................38
2.7 Configuring a MAC Address Table..............................................................................................................................39
2.7.1 Configuring a MAC Address Table...........................................................................................................................39
2.7.1.1 Configuring a Static MAC Address Entry..............................................................................................................39
2.7.1.2 Configuring a Blackhole MAC Address Entry.......................................................................................................40
2.7.1.3 Setting the Aging Time of Dynamic MAC Address Entries.................................................................................. 41
2.7.1.4 Disabling MAC Address Learning......................................................................................................................... 41
2.7.1.5 Configuring the MAC Address Limiting Function................................................................................................ 50
2.7.1.6 Enabling MAC Address Alarm Functions..............................................................................................................53
2.7.1.7 Configuring a MAC Hash Algorithm..................................................................................................................... 55
2.7.1.8 Configuring the Extended MAC Entry Resource Mode........................................................................................ 56
2.7.2 Configuring MAC Address Flapping Prevention...................................................................................................... 57
2.7.2.1 Configuring a MAC Address Learning Priority for an Interface........................................................................... 57
2.7.2.2 Preventing MAC Address Flapping Between Interfaces with the Same Priority...................................................58
2.7.3 Configuring MAC Address Flapping Detection........................................................................................................59
2.7.3.1 Configuring Global MAC Address Flapping Detection.........................................................................................59
2.7.3.2 Configuring MAC Address Flapping Detection in a VLAN..................................................................................61
2.7.4 Configuring the Switch to Discard Packets with an All-0 MAC Address................................................................ 62
2.7.5 Configuring the Switch to Discard Packets That Do Not Match Any MAC Address Entry.................................... 63
2.7.6 Enabling MAC Address-Triggered ARP Entry Update............................................................................................ 64
2.7.7 Enabling Port Bridge................................................................................................................................................. 65
2.7.8 Configuring Re-marking of Destination MAC Addresses........................................................................................ 66
2.8 Maintaining the MAC Address Table...........................................................................................................................74
2.8.1 Displaying MAC Address Entries............................................................................................................................. 74
2.8.2 Deleting MAC Address Entries................................................................................................................................. 75
2.8.3 Displaying MAC Address Flapping Information...................................................................................................... 75
2.9 Configuration Examples............................................................................................................................................... 75
2.9.1 Example for Configuring Static MAC Address Entries............................................................................................ 75
2.9.2 Example for Configuring Blackhole MAC Address Entries..................................................................................... 77
2.9.3 Example for Configuring MAC Address Limiting on an Interface...........................................................................79
2.9.4 Example for Configuring MAC Address Limiting in a VLAN.................................................................................80
2.9.5 Example for Configuring MAC Address Limiting in a VSI..................................................................................... 82
2.9.6 Example for Configuring MAC Address Flapping Prevention................................................................................. 91
2.9.7 Example for Configuring MAC Address Flapping Detection...................................................................................93
2.10 Common Misconfigurations....................................................................................................................................... 95
2.10.1 MAC Address Entries Failed to Be Learned on an Interface.................................................................................. 95
2.11 FAQs........................................................................................................................................................................... 98
2.11.1 How Do I Enable and Disable MAC Address Flapping Detection?........................................................................98
2.11.2 How Do I Check MAC Address Flapping Information?.........................................................................................99
2.11.3 What Should I Do When Finding a MAC Address Flapping Alarm?..................................................................... 99
Issue 07 (2017-11-30) Huawei Proprietary and Confidential vii

2.11.4 How Do I Rapidly Determine a Loop?....................................................................................................................99

2.12 Reference.................................................................................................................................................................. 100
3 Link Aggregation Configuration............................................................................................101

3.1 Introduction to Link Aggregation...............................................................................................................................102
3.2 Principles.................................................................................................................................................................... 102
3.2.1 Concepts.................................................................................................................................................................. 102
3.2.2 Link Aggregation in Manual Mode......................................................................................................................... 105
3.2.3 Link Aggregation in LACP Mode........................................................................................................................... 105
3.2.4 Load Balancing Modes of Link Aggregation.......................................................................................................... 111
3.2.5 Link Aggregation in CSS Scenarios........................................................................................................................ 113
3.2.6 E-Trunk.................................................................................................................................................................... 114
3.3 Applications................................................................................................................................................................ 118
3.3.1 Switches Directly Connected Through Link Aggregation...................................................................................... 118
3.3.2 Switches Connected Across a Transmission Device Through Link Aggregation................................................... 119
3.3.3 Switches Connecting to Transmission Devices Through Link Aggregation...........................................................119
3.3.4 A Switch Connecting to a Server Through Link Aggregation................................................................................ 120
3.3.5 A Switch Connecting to a CSS Through Link Aggregation................................................................................... 121
3.3.6 Using E-Trunk to Implement Link Aggregation Across Devices........................................................................... 122
3.4 Configuration Task Summary.....................................................................................................................................123
3.5 Configuration Notes................................................................................................................................................... 124
3.6 Default Settings.......................................................................................................................................................... 129
3.7 Configuring Ethernet Link Aggregation.....................................................................................................................129
3.7.1 Configuring Link Aggregation in Manual Mode.................................................................................................... 129
3.7.1.1 (Optional) Setting the Maximum Number of LAGs and the Maximum Number of Member Interfaces in Each
LAG.................................................................................................................................................................................. 129
3.7.1.2 Creating an LAG.................................................................................................................................................. 131
3.7.1.3 Setting the Manual Load Balancing Mode........................................................................................................... 132
3.7.1.4 Adding Member Interfaces to an Eth-Trunk.........................................................................................................133
3.7.1.5 (Optional) Setting the Lower Threshold for the Number of Active Interfaces.................................................... 135
3.7.1.6 (Optional) Configuring a Load Balancing Mode................................................................................................. 136
3.7.1.7 Checking the Configuration..................................................................................................................................138
3.7.2 Configuring Link Aggregation in LACP Mode...................................................................................................... 138
3.7.2.1 (Optional) Setting the Maximum Number of LAGs and the Maximum Number of Member Interfaces in Each
LAG.................................................................................................................................................................................. 138
3.7.2.2 Creating an LAG.................................................................................................................................................. 140
3.7.2.3 Setting the LACP Mode....................................................................................................................................... 141
3.7.2.4 Adding Member Interfaces to an Eth-Trunk.........................................................................................................142
3.7.2.5 (Optional) Setting the Upper and Lower Thresholds for the Number of Active Interfaces................................. 144
3.7.2.6 (Optional) Configuring a Load Balancing Mode................................................................................................. 145
3.7.2.7 (Optional) Setting the LACP System Priority...................................................................................................... 147
3.7.2.8 (Optional) Setting the LACP Interface Priority....................................................................................................148
3.7.2.9 (Optional) Configuring LACP Preemption.......................................................................................................... 148
3.7.2.10 (Optional) Setting the Timeout Interval for Receiving LACPDUs.................................................................... 149
Issue 07 (2017-11-30) Huawei Proprietary and Confidential viii

3.7.2.11 Checking the Configuration................................................................................................................................150

3.7.3 Configuring Preferential Forwarding of Local Traffic in a CSS............................................................................. 151
3.7.4 Creating an Eth-Trunk Sub-interface.......................................................................................................................152
3.7.5 Configuring an E-Trunk...........................................................................................................................................153
3.7.5.1 Setting the LACP System ID and LACP Priority of an E-Trunk......................................................................... 153
3.7.5.2 Creating an E-Trunk and Setting the E-Trunk Priority.........................................................................................154
3.7.5.3 Configuring Local and Remote IP Addresses of an E-Trunk...............................................................................155
3.7.5.4 Binding an E-Trunk to a BFD Session................................................................................................................. 155
3.7.5.5 Adding an Eth-Trunk to an E-Trunk.....................................................................................................................156
3.7.5.6 (Optional) Configuring the Working Mode of an Eth-Trunk in an E-Trunk........................................................ 156
3.7.5.7 (Optional) Setting the Password for Encrypting Packets..................................................................................... 157
3.7.5.8 (Optional) Setting the Timeout Interval of Hello Packets.................................................................................... 158
3.7.5.9 (Optional) Setting the Revertive Switching Delay............................................................................................... 159
3.7.5.10 (Optional) Disabling Revertive Switching on an E-Trunk................................................................................. 159
3.8 Maintaining Link Aggregation................................................................................................................................... 160
3.9 Configuration Examples............................................................................................................................................. 161
3.9.1 Example for Configuring Link Aggregation in Manual Mode................................................................................161
3.9.2 Example for Configuring Link Aggregation in LACP Mode..................................................................................164
3.9.3 Example for Configuring an Inter-Chassis Eth-Trunk to Forward Traffic Preferentially Through Local Member
Interfaces (CSS)................................................................................................................................................................168
3.9.4 Example for Configuring Connecting an E-Trunk to a VPLS Network..................................................................172
3.10 Common Configuration Errors................................................................................................................................. 183
3.10.1 Traffic Is Unevenly Load Balanced Among Eth-Trunk Member Interfaces Because the Load Balancing Mode Is
Incorrect............................................................................................................................................................................183
3.10.2 Eth-Trunk at Both Ends Cannot Be Up Because the Lower Threshold for the Number of Active Interfaces Is
Incorrect............................................................................................................................................................................183
3.11 FAQ...........................................................................................................................................................................184
3.11.1 Can an Eth-Trunk Be Configured with an IP Address?.........................................................................................184
3.11.2 How Do I Add Member Interfaces to an Eth-Trunk?............................................................................................ 184
3.11.3 How Do I Delete Member Interfaces from an Eth-Trunk?....................................................................................184
3.11.4 What Is the Function of the Delay for LACP Preemption?...................................................................................184
3.12 References................................................................................................................................................................ 185
4 VLAN Configuration................................................................................................................ 186

4.1 VLAN Overview........................................................................................................................................................ 187
4.2 Principles.................................................................................................................................................................... 188
4.2.1 Basic Concepts of VLAN........................................................................................................................................ 188
4.2.1.1 VLAN Tags...........................................................................................................................................................188
4.2.1.2 Link and Interface Types...................................................................................................................................... 190
4.2.1.3 Default VLAN...................................................................................................................................................... 191
4.2.1.4 Adding and Removing VLAN Tags..................................................................................................................... 192
4.2.2 LNP..........................................................................................................................................................................198
4.2.3 VLAN Assignment.................................................................................................................................................. 200
Issue 07 (2017-11-30) Huawei Proprietary and Confidential ix

4.2.4 Intra-VLAN Communication.................................................................................................................................. 205

4.2.5 Inter-VLAN Communication...................................................................................................................................208
4.2.6 Intra-VLAN Layer 2 Isolation................................................................................................................................. 212
4.2.7 Inter-VLAN Layer 3 Isolation................................................................................................................................. 213
4.2.8 Management VLAN................................................................................................................................................ 214
4.2.9 Protocol Packet Transparent Transmission in a VLAN...........................................................................................214
4.3 Applications................................................................................................................................................................214
4.3.1 Using VLAN Assignment to Implement Layer 2 Isolation.....................................................................................214
4.3.2 Using VLANIF Interfaces to Implement Inter-VLAN Layer 3 Connectivity......................................................... 216
4.3.3 Using a Traffic Policy to Implement Inter-VLAN Access Control......................................................................... 218
4.3.4 Using a VLANIF Interface to Implement Layer 3 Connectivity Between the Switch and Router......................... 219
4.6 Default Configuration.................................................................................................................................................222
4.7 Configuring VLAN Technology.................................................................................................................................223
4.7.1 Assigning VLANs................................................................................................................................................... 223
4.7.1.1 Configuring Interface-based VLAN Assignment (Statically Configured Interface Type)...................................223
4.7.1.2 Configuring Interface-based VLAN Assignment (LNP Dynamically Negotiates the Link Type)...................... 227
4.7.1.3 Configuring MAC Address-based VLAN Assignment........................................................................................229
4.7.1.4 Configuring IP Subnet-based VLAN Assignment............................................................................................... 231
4.7.1.5 Configuring Protocol-based VLAN Assignment................................................................................................. 233
4.7.1.6 Configuring Policy-based VLAN Assignment.....................................................................................................235
4.7.2 Configuring Inter-VLAN Communication.............................................................................................................. 237
4.7.3 Configuring a Traffic Policy to Implement Intra-VLAN Layer 2 Isolation............................................................ 239
4.7.4 Configuring a Traffic Policy to Implement Inter-VLAN Layer 3 Isolation............................................................ 240
4.7.5 Configuring an mVLAN..........................................................................................................................................241
4.7.6 Configuring Transparent Transmission of Protocol Packets in a VLAN................................................................ 242
4.8 Maintaining VLAN.....................................................................................................................................................244
4.8.1 Collecting VLAN Traffic Statistics......................................................................................................................... 244
4.8.2 Clearing VLAN Traffic Statistics............................................................................................................................ 244
4.8.3 Clearing LNP Packet Statistics................................................................................................................................245
4.8.4 Enabling GMAC Ping to Detect Layer 2 Network Connectivity............................................................................ 245
4.8.5 Enabling GMAC Trace to Locate Faults................................................................................................................. 246
4.9.1 Example for Configuring Interface-based VLAN Assignment (Statically Configured Link Type)....................... 247
4.9.2 Example for Configuring Interface-based VLAN Assignment (LNP Dynamically Negotiates the Link Type).....249
4.9.3 Example for Configuring MAC Address-based Assignment(the Switch Connects to Downstream Terminals).... 253
4.9.4 Example for Configuring MAC Address-based VLAN Assignment (the Switch Connects to Downstream Layer 2
Switching Devices)...........................................................................................................................................................255
4.9.5 Example for Configuring IP Subnet-based VLAN Assignment............................................................................. 257
4.9.6 Example for Configuring Protocol-based VLAN Assignment................................................................................260
4.9.7 Example for Configuring VLANIF Interfaces to Implement Inter-VLAN Communication.................................. 264
Issue 07 (2017-11-30) Huawei Proprietary and Confidential x

4.9.8 Example for Configuring VLANIF Interfaces to Implement Intra-VLAN Communication.................................. 265
4.9.9 Example for Configuring VLANIF Interfaces to Implement Communication of Hosts on Different Network
Segments in the Same VLAN...........................................................................................................................................269
4.9.10 Example for Configuring a Traffic Policy to Implement Inter-VLAN Layer 3 Isolation..................................... 272
4.9.11 Example for Configuring an mVLAN to Implement Remote Management......................................................... 278
4.9.12 Example for Configuring Transparent Transmission of Protocol Packets in a VLAN......................................... 281
4.10 Common Misconfigurations..................................................................................................................................... 283
4.10.1 A VLANIF Interface Fails to Be Created..............................................................................................................283
4.10.2 A VLANIF Interface Goes Down......................................................................................................................... 284
4.10.3 Users in a VLAN Cannot Communicate............................................................................................................... 285
4.10.4 IP Addresses of the Connected Interfaces Between Switches Cannot Be Pinged.................................................288
4.11 FAQ...........................................................................................................................................................................289
4.11.1 How Do I Create VLANs in a Batch?................................................................................................................... 289
4.11.2 How Do I Add Interfaces to a VLAN in a Batch?.................................................................................................289
4.11.3 How Do I Restore the Default VLAN Configuration of an Interface?..................................................................290
4.11.4 How Do I Change the Link Type of an Interface?.................................................................................................290
4.11.5 How Do I Rapidly Query the Link Types and Default VLANs of All Interfaces?............................................... 292
4.11.6 How Do I Delete a Single VLAN or VLANs in a Batch?.....................................................................................293
4.11.7 Can Multiple Network Segments Be Configured in a VLAN?............................................................................. 294
4.11.8 How Is the Inter-VLAN Communication Fault Rectified?....................................................................................294
4.11.9 Do VLANs Need to Be Assigned on the Intermediate Device That Transparently Transmits Packets?.............. 296
4.11.10 Why Are MAC-VLAN Entries Invalid?..............................................................................................................296
4.11.11 Can the Switch Collect Statistics on Only Traffic Destined for the VLANIF Interface Enabled with Traffic
Statistics?.......................................................................................................................................................................... 297
4.12 References................................................................................................................................................................ 297
5 VLAN Aggregation Configuration........................................................................................ 298

5.1 Introduction to VLAN Aggregation........................................................................................................................... 299
5.2 Principles.................................................................................................................................................................... 300
5.3 Application Scenario.................................................................................................................................................. 305
5.6 Configuring VLAN Aggregation................................................................................................................................307
5.6.1 Creating a Sub-VLAN............................................................................................................................................. 307
5.6.2 Creating a Super-VLAN.......................................................................................................................................... 308
5.6.3 Configuring a VLANIF Interface Corresponding to a Super-VLAN......................................................................309
5.6.4 (Optional) Enabling Proxy ARP on the VLANIF Interface Corresponding to a Super-VLAN..............................310
5.6.5 Checking the Configuration.....................................................................................................................................311
5.7.1 Example for Configuring VLAN Aggregation........................................................................................................311
5.8 FAQ.............................................................................................................................................................................314
5.8.1 How Do I Implement Communication Between Some Sub-VLANs in a Super-VLAN........................................ 314
5.8.2 Can a Traffic Policy Be Configured in a Super-VLAN or Sub-VLAN to Make the Traffic Policy Take Effect.... 315
Issue 07 (2017-11-30) Huawei Proprietary and Confidential xi

6 VLAN Switch Configuration.................................................................................................. 316

6.1 Introduction to VLAN Switch.................................................................................................................................... 317
6.5 Configuring VLAN Switch........................................................................................................................................ 322
6.5.1 Configuring Switch-vlan......................................................................................................................................... 322
6.5.2 Configuring Stack-vlan............................................................................................................................................323
6.6 Maintaining VLAN Switch........................................................................................................................................ 324
6.7.1 Example for Implementing Inter-VLAN Communication Using VLAN Switch................................................... 325
7 MUX VLAN Configuration..................................................................................................... 328

7.1 Introduction to MUX VLAN...................................................................................................................................... 329
7.4 Configuring the MUX VLAN.................................................................................................................................... 333
7.4.1 Configuring a Principal VLAN for MUX VLAN................................................................................................... 333
7.4.2 Configuring a Group VLAN for a Subordinate VLAN...........................................................................................334
7.4.3 Configuring a Separate VLAN for a Subordinate VLAN....................................................................................... 334
7.4.4 Enabling the MUX VLAN Function on an Interface.............................................................................................. 335
7.5.1 Example for Configuring MUX VLAN on the Access Device...............................................................................336
7.5.2 Example for Configuring MUX VLAN on the Aggregation Device...................................................................... 339
8 VLAN Termination Configuration........................................................................................ 342

8.1 Introduction to VLAN Termination............................................................................................................................343
8.2.1 Using a Dot1q Termination Sub-interface to Implement Inter-VLAN Communication.........................................344
8.2.2 Using a Dot1q Termination Sub-interface to Connect to a VPN.............................................................................345
8.2.3 Using a QinQ Termination Sub-interface to Connect to a VPN..............................................................................347
8.6 Configuring VLAN Termination................................................................................................................................ 351
8.6.1 Configuring a Dot1q Termination Sub-interface to Implement Inter-VLAN Communication...............................351
8.6.2 Configuring a Dot1q Termination Sub-interface and Connecting It to an L2VPN.................................................352
8.6.2.1 Configuring a Dot1q Termination Sub-interface..................................................................................................353
8.6.2.2 Configuring L2VPN............................................................................................................................................. 353
8.6.3 Configuring a Dot1q Termination Sub-interface and Connecting It to an L3VPN.................................................354
8.6.3.1 Configuring a Dot1q Termination Sub-interface..................................................................................................355
Issue 07 (2017-11-30) Huawei Proprietary and Confidential xii


8.6.4 Configuring a QinQ Termination Sub-interface and Connecting It to an L2VPN.................................................. 356
8.6.4.1 Configuring a QinQ Sub-interface....................................................................................................................... 356
8.6.5 Configuring a QinQ Termination Sub-interface and Connecting It to an L3VPN.................................................. 358
8.6.5.1 Configuring a QinQ Sub-interface....................................................................................................................... 358
8.7.1 Example for Configuring Dot1q Termination Sub-interfaces to Implement Inter-VLAN Communication........... 359
8.7.2 Example for Configuring Dot1q Termination Sub-interfaces to Implement Inter-VLAN Communication Across
Different Networks........................................................................................................................................................... 362
8.7.3 Example for Connecting Dot1q Sub-interfaces to a VLL Network........................................................................ 366
8.7.4 Example for Connecting QinQ Termination Sub-interfaces to a VLL Network.....................................................375
8.7.5 Example for Connecting Dot1q Termination Sub-interfaces to a VPLS Network..................................................385
8.7.6 Example for Connecting QinQ Termination Sub-interfaces to a VPLS Network...................................................394
8.7.7 Example for Connecting Dot1q Termination Sub-interfaces to an L3VPN............................................................ 405
8.7.8 Example for Connecting QinQ Termination Sub-interfaces to an L3VPN............................................................. 419
9 Voice VLAN Configuration.....................................................................................................435

9.1 Introduction to Voice VLAN...................................................................................................................................... 436
9.2 Typical Networking.................................................................................................................................................... 436
9.3 Principles.................................................................................................................................................................... 437
9.4 Applicable Scenario....................................................................................................................................................439
9.7 Configuring a Voice VLAN........................................................................................................................................441
9.7.1 Configuring a MAC Address-based Voice VLAN.................................................................................................. 441
9.7.1.1 Enabling the Voice VLAN Function.....................................................................................................................441
9.7.1.2 Configuring a Mode in Which the Priority of Voice Packets Is Increased Based on MAC Addresses................442
9.7.1.3 Configuring an OUI for a Voice VLAN............................................................................................................... 443
9.7.1.4 Configuring a Mode in Which an Interface Is Added to a Voice VLAN............................................................. 443
9.7.1.5 (Optional) Configuring the Secure or Normal Mode of a Voice VLAN.............................................................. 444
9.7.1.6 (Optional) Configuring the 802.1p Priority and DSCP Priority for a Voice VLAN............................................ 446
9.7.2 Configuring a VLAN ID-based Voice VLAN......................................................................................................... 447
9.7.2.1 Enabling the Voice VLAN Function.....................................................................................................................447
9.7.2.2 Configuring a Mode in Which the Priority of Voice Packets Is Increased Based on VLAN IDs........................ 448
9.7.2.3 Configuring a Mode in Which an Interface Is Added to a Voice VLAN............................................................. 448
9.7.2.4 Configuring the Switch to Advertise Voice VLAN Information to an IP Phone................................................. 449
9.7.2.5 (Optional) Configuring the 802.1p Priority and DSCP Priority for a Voice VLAN............................................ 450
Issue 07 (2017-11-30) Huawei Proprietary and Confidential xiii


9.8.1 Example for Configuring a MAC Address-based Voice VLAN (IP Phones Send Untagged Voice Packets).........451
9.8.2 Example for Configuring a VLAN ID-based Voice VLAN (IP Phones Send Tagged Voice Packets)................... 453
10 QinQ Configuration................................................................................................................456
10.1 Introduction to QinQ................................................................................................................................................ 457
10.2 Principles.................................................................................................................................................................. 457
10.2.1 QinQ Fundamentals............................................................................................................................................... 458
10.2.2 Basic QinQ............................................................................................................................................................ 460
10.2.3 Selective QinQ.......................................................................................................................................................461
10.2.4 TPID...................................................................................................................................................................... 463
10.2.5 QinQ Mapping....................................................................................................................................................... 464
10.3 Applications..............................................................................................................................................................466
10.3.1 Public User Services on a Metro Ethernet Network..............................................................................................467
10.3.2 Enterprise Network Connection Through Private Lines....................................................................................... 468
10.4 Configuration Task Summary...................................................................................................................................469
10.5 Configuration Notes................................................................................................................................................. 469
10.6 Configuring QinQ.....................................................................................................................................................471
10.6.1 Configuring Basic QinQ........................................................................................................................................ 471
10.6.2 Configuring Selective QinQ.................................................................................................................................. 472
10.6.2.1 Configuring VLAN ID-based Selective QinQ................................................................................................... 472
10.6.2.2 Configuring MQC-based Selective QinQ...........................................................................................................474
10.6.2.3 Configuring 802.1p Priority-based Selective QinQ........................................................................................... 482
10.6.3 Configuring the TPID Value in an Outer VLAN Tag............................................................................................483
10.6.4 Configuring the Device to Add Double VLAN Tags to Untagged Packets.......................................................... 484
10.6.5 Configuring QinQ Mapping.................................................................................................................................. 485
10.6.5.1 Configuring 1-to-1 QinQ Mapping.....................................................................................................................486
10.6.5.2 Configuring 2-to-1 QinQ Mapping.....................................................................................................................487
10.7 Maintaining QinQ.....................................................................................................................................................487
10.7.1 Displaying VLAN Translation Resource Usage....................................................................................................487
10.8 Configuration Examples........................................................................................................................................... 488
10.8.1 Example for Configuring Basic QinQ................................................................................................................... 488
10.8.2 Example for Configuring Selective QinQ............................................................................................................. 492
10.8.3 Example for Configuring Selective QinQ and VLAN Mapping........................................................................... 495
10.8.4 Example for Configuring Traffic Selective QinQ and Traffic Policy................................................................... 497
10.8.5 Example for Configuring Flow-based Selective QinQ..........................................................................................500
10.8.6 Example for Connecting a Single-Tag VLAN Mapping Sub-Interface to a VLL Network..................................504
10.8.7 Example for Connecting a Double-Tag VLAN Mapping Sub-Interface to a VLL Network................................ 513
10.8.8 Example for Connecting a VLAN Stacking Sub-interface to a VLL Network.....................................................523
10.8.9 Example for Connecting a Single-tag VLAN Mapping Sub-interface to a VPLS Network................................. 533
10.8.10 Example for Connecting a Double-tag VLAN Mapping Sub-interface to a VPLS Network............................. 543
10.8.11 Example for Connecting a VLAN Stacking Sub-interface to a VPLS Network................................................. 554
Issue 07 (2017-11-30) Huawei Proprietary and Confidential xiv

10.9 Common Misconfigurations..................................................................................................................................... 565

10.9.1 QinQ Traffic Forwarding Fails Because the Outer VLAN Is Not Created........................................................... 565
10.9.2 QinQ Traffic Forwarding Fails Because the Interface Does Not Transparently Transmit the Outer VLAN ID...566
10.9.3 An Interface Configured with Selective QinQ Fails to Transparently Transmit the Single VLAN ID.................567
10.10 FAQ.........................................................................................................................................................................567
10.10.1 Does the Switch Support QinQ?..........................................................................................................................567
10.10.2 What Are Causes for QinQ Traffic Forwarding Failures?.................................................................................. 567
10.10.3 Why Does a Standard Card Fail to Transparently Transmit Single-Tagged Packets from a VLAN?.................567
10.10.4 Can I Rapidly Delete All QinQ Configurations of an Interface?........................................................................ 568
10.10.5 Can I Directly Delete Inner VLAN IDs from QinQ Configuration?...................................................................568
10.10.6 Can the Switch Add Double VLAN Tags to Untagged Packets?........................................................................568
10.11 References...............................................................................................................................................................568
11 VLAN Mapping Configuration............................................................................................ 569

11.1 Introduction to VLAN Mapping............................................................................................................................... 570
11.2 Principles.................................................................................................................................................................. 570
11.3 Applications.............................................................................................................................................................. 572
11.4 Configuration Notes..................................................................................................................................................575
11.5 Configuring VLAN Mapping................................................................................................................................... 576
11.5.1 Configuring VLAN ID-based VLAN Mapping.....................................................................................................576
11.5.1.1 Configuring 1 to 1 VLAN Mapping................................................................................................................... 576
11.5.2 Configuring 802.1p Priority-based VLAN Mapping.............................................................................................579
11.5.3 Configuring MQC-based VLAN Mapping............................................................................................................580
11.6 Maintaining VLAN Mapping................................................................................................................................... 587
11.6.1 Displaying VLAN Translation Resource Usage....................................................................................................587
11.7.1 Example for Configuring VLAN ID-based 1 to 1 VLAN Mapping......................................................................588
11.7.2 Example for Configuring VLAN ID-based N to 1 VLAN Mapping.....................................................................591
11.7.3 Example for Configuring VLAN ID-based 2 to 2 VLAN Mapping......................................................................592
11.7.4 Example for Configuring Traffic Policy-based 2 to 2 VLAN Mapping................................................................596
11.8 Common Configuration Errors................................................................................................................................. 601
11.8.1 Communication Failure After VLAN Mapping Configuration.............................................................................601
12 GVRP Configuration.............................................................................................................. 603

12.1 Introduction to GVRP...............................................................................................................................................604
12.2 Principles.................................................................................................................................................................. 605
12.2.1 Basic Concepts...................................................................................................................................................... 605
12.2.2 Packet Structure..................................................................................................................................................... 608
12.2.3 Working Procedure................................................................................................................................................ 609
12.3 Applications..............................................................................................................................................................612
Issue 07 (2017-11-30) Huawei Proprietary and Confidential xv

12.5 Default Configuration...............................................................................................................................................614

12.6 Configuring GVRP................................................................................................................................................... 615
12.6.1 Enabling GVRP..................................................................................................................................................... 615
12.6.2 (Optional) Setting the Registration Mode for a GVRP Interface.......................................................................... 616
12.6.3 (Optional) Setting the GARP Timers.....................................................................................................................617
12.6.4 Checking the Configuration...................................................................................................................................618
12.7 Maintaining GVRP................................................................................................................................................... 619
12.7.1 Clearing GVRP Statistics...................................................................................................................................... 619
12.8.1 Example for Configuring GVRP........................................................................................................................... 619
12.9 FAQ...........................................................................................................................................................................623
12.9.1 Why Is the CPU Usage High When VLANs Are Created or Deleted Through GVRP in Default Configuration?
.......................................................................................................................................................................................... 623
12.10 References.............................................................................................................................................................. 624
13 VCMP Configuration..............................................................................................................625
13.1 Introduction to VCMP.............................................................................................................................................. 626
13.2 Principles.................................................................................................................................................................. 626
13.2.1 VCMP Concepts.................................................................................................................................................... 626
13.2.2 Implementation...................................................................................................................................................... 628
13.3 Applicable Scenario..................................................................................................................................................634
13.6 Configuring VCMP.................................................................................................................................................. 637
13.7 Maintaining VCMP.................................................................................................................................................. 640
13.7.1 Displaying VCMP Running Information.............................................................................................................. 640
13.7.2 Clearing VCMP Running Information.................................................................................................................. 641
13.8.1 Example for Configuring VCMP to Implement Centralized VLAN Management...............................................641
14 STP/RSTP Configuration....................................................................................................... 647

14.1 Introduction to STP/RSTP........................................................................................................................................648
14.2 Principles.................................................................................................................................................................. 648
14.2.1 Background............................................................................................................................................................648
14.2.2 Basic Concepts...................................................................................................................................................... 649
14.2.3 BPDU Format........................................................................................................................................................ 656
14.2.4 STP Topology Calculation.....................................................................................................................................658
14.2.5 Improvements in RSTP......................................................................................................................................... 665
14.2.6 RSTP Technology Details......................................................................................................................................671
14.3 Applications..............................................................................................................................................................672
14.7 Configuring STP/RSTP............................................................................................................................................ 676
Issue 07 (2017-11-30) Huawei Proprietary and Confidential xvi

14.7.1 Configuring Basic STP/RSTP Functions.............................................................................................................. 676

14.7.1.1 Configuring the STP/RSTP Mode...................................................................................................................... 676
14.7.1.2 (Optional) Configuring the Root Bridge and Secondary Root Bridge............................................................... 676
14.7.1.3 (Optional) Setting a Priority for a Switching Device......................................................................................... 677
14.7.1.4 (Optional) Setting a Path Cost for a Port............................................................................................................ 678
14.7.1.5 (Optional) Setting a Priority for a Port............................................................................................................... 679
14.7.1.6 Enabling STP/RSTP........................................................................................................................................... 680
14.7.2 Setting STP Parameters that Affect STP Convergence......................................................................................... 681
14.7.2.1 Setting the STP Network Diameter.................................................................................................................... 681
14.7.2.2 Setting the STP Timeout Interval....................................................................................................................... 682
14.7.2.3 Setting STP Timers.............................................................................................................................................682
14.7.2.4 Setting the Maximum Number of Connections in an Eth-Trunk that Affects Spanning Tree Calculation........ 683
14.7.3 Setting RSTP Parameters that Affect RSTP Convergence....................................................................................685
14.7.3.1 Setting the RSTP Network Diameter..................................................................................................................685
14.7.3.2 Setting the RSTP Timeout Interval.....................................................................................................................686
14.7.3.3 Setting RSTP Timers.......................................................................................................................................... 686
14.7.3.5 Setting the Link Type for a Port......................................................................................................................... 689
14.7.3.6 Setting the Maximum Transmission Rate of an Interface.................................................................................. 689
14.7.3.7 Switching to the RSTP Mode............................................................................................................................. 690
14.7.3.8 Configuring Edge Ports and BPDU Filter Ports................................................................................................. 691
14.7.4 Configuring RSTP Protection Functions............................................................................................................... 692
14.7.4.1 Configuring BPDU Protection on a Switching Device...................................................................................... 692
14.7.4.2 Configuring TC Protection on a Switching Device............................................................................................693
14.7.4.3 Configuring Root Protection on a Port............................................................................................................... 694
14.7.4.4 Configuring Loop Protection on a Port.............................................................................................................. 694
14.7.5 Setting Parameters for Interoperation Between Huawei and Non-Huawei Devices............................................. 695
14.8 Maintaining STP/RSTP............................................................................................................................................ 696
14.8.1 Clearing STP/RSTP Statistics............................................................................................................................... 696
14.8.2 Monitoring STP/RSTP Topology Change Statistics..............................................................................................697
14.9.1 Example for Configuring Basic STP Functions.................................................................................................... 697
14.9.2 Example for Configuring Basic RSTP Functions..................................................................................................701
14.10 FAQ.........................................................................................................................................................................705
14.10.1 How to Prevent Low Convergence for STP Edge Ports that Connect Terminals?..............................................706
14.10.2 Can Switches Using RSTP and STP Be Connected?.......................................................................................... 706
14.10.3 Why Is the Recommended Value of STP Network Radius Within 7?.................................................................706
14.10.4 In What Situations Do I Need to Configure STP Edge Ports?............................................................................ 707
Issue 07 (2017-11-30) Huawei Proprietary and Confidential xvii

14.10.5 What Precautions Should Be Taken When Configuring the Formats of Sent and Received BPDUs on an STP
Interface?.......................................................................................................................................................................... 707
14.10.6 How Do I Configure a User-Side Interface on an STP Switch?..........................................................................707
14.10.7 How Do I Prevent Terminals' Failures to Ping the Gateway or Slow Speeds for Obtaining IP Addresses When
They Connect to an STP Network?.................................................................................................................................. 707
14.10.8 Can the Switch Work with Non-Huawei Devices Running STP or RSTP?........................................................ 708
14.10.9 What Is the Function of Automatic Edge-port Detecting?.................................................................................. 708
14.11 References...............................................................................................................................................................708
15 MSTP Configuration...............................................................................................................710
15.1 Introduction to MSTP............................................................................................................................................... 711
15.2 MSTP Principles.......................................................................................................................................................712
15.2.1 MSTP Background................................................................................................................................................ 712
15.2.2 Basic MSTP Concepts........................................................................................................................................... 713
15.2.3 MST BPDUs..........................................................................................................................................................721
15.2.4 MSTP Topology Calculation................................................................................................................................. 725
15.2.5 MSTP Fast Convergence....................................................................................................................................... 727
15.2.6 MSTP Multi-Process............................................................................................................................................. 728
15.3 Application Environment......................................................................................................................................... 735
15.7 Configuring MSTP................................................................................................................................................... 740
15.7.1 Configuring Basic MSTP Functions......................................................................................................................740
15.7.1.1 Configuring the MSTP Mode............................................................................................................................. 741
15.7.1.2 Configuring and Activating an MST Region..................................................................................................... 741
15.7.1.4 (Optional) Configuring a Priority for a Switching Device in an MSTI..............................................................744
15.7.1.5 (Optional) Configuring a Path Cost of a Port in an MSTI..................................................................................745
15.7.1.6 (Optional) Configuring a Port Priority in an MSTI............................................................................................ 745
15.7.1.7 Enabling MSTP.................................................................................................................................................. 746
15.7.2 Configuring MSTP Multi-Process.........................................................................................................................747
15.7.2.1 Creating an MSTP Process................................................................................................................................. 748
15.7.2.2 Adding a Port to an MSTP Process.................................................................................................................... 748
15.7.2.4 (Optional) Configuring a Priority for a Switching Device in an MSTI..............................................................751
15.7.2.5 (Optional) Configuring a Path Cost of a Port in an MSTI..................................................................................752
15.7.2.6 (Optional) Configuring a Port Priority in an MSTI............................................................................................ 753
15.7.2.7 Configuring TC Notification in MSTP Multi-process....................................................................................... 753
15.7.2.8 Enabling MSTP.................................................................................................................................................. 754
15.7.3 Configuring MSTP Parameters on an Interface.................................................................................................... 755
15.7.3.1 Setting the MSTP Network Diameter.................................................................................................................755
Issue 07 (2017-11-30) Huawei Proprietary and Confidential xviii

15.7.3.2 Setting the MSTP Timeout Interval....................................................................................................................756

15.7.3.3 Setting the Values of MSTP Timers................................................................................................................... 757
15.7.3.5 Setting the Link Type of a Port...........................................................................................................................760
15.7.3.6 Setting the Maximum Transmission Rate of an Interface.................................................................................. 760
15.7.3.7 Switching to the MSTP Mode............................................................................................................................ 761
15.7.3.8 Configuring a Port as an Edge Port and BPDU Filter Port................................................................................ 762
15.7.3.9 Setting the Maximum Number of Hops in an MST Region...............................................................................763
15.7.3.10 Checking the Configuration..............................................................................................................................764
15.7.4 Configuring MSTP Protection Functions.............................................................................................................. 764
15.7.4.1 Configuring BPDU Protection on a Switching Device...................................................................................... 764
15.7.4.2 Configuring TC Protection on a Switching Device............................................................................................765
15.7.4.3 Configuring Root Protection on an Interface..................................................................................................... 766
15.7.4.4 Configuring Loop Protection on an Interface.....................................................................................................767
15.7.4.5 Configuring Share-Link Protection on a Switching Device............................................................................... 768
15.7.5 Configuring MSTP Interoperability Between Huawei Devices and Non-Huawei Devices..................................769
15.7.5.1 Configuring a Proposal/Agreement Mechanism................................................................................................ 769
15.7.5.2 Configuring the MSTP Protocol Packet Format on an Interface........................................................................770
15.7.5.3 Enabling the Digest Snooping Function............................................................................................................. 771
15.8 Maintaining MSTP................................................................................................................................................... 771
15.8.1 Clearing MSTP Statistics.......................................................................................................................................771
15.8.2 Monitoring the Statistics on MSTP Topology Changes........................................................................................ 772
15.9.1 Example for Configuring MSTP........................................................................................................................... 772
15.9.2 Example for Configuring MSTP + VRRP Network..............................................................................................780
15.9.3 Example for Connecting CEs to the VPLS in Dual-Homing Mode Through MSTP............................................790
15.9.4 Example for Configuring MSTP Multi-Process for Layer 2 Single-Access Rings and Layer 2 Multi-Access Rings
.......................................................................................................................................................................................... 808
15.10 FAQ.........................................................................................................................................................................815
15.10.1 How to Configure the MSTP Region?................................................................................................................ 815
15.10.2 Can a Huawei STP Switch Work with a Non-Huawei STP Device?.................................................................. 815
15.10.3 Why Cannot Information About an STP Instance with a Non-Zero ID Be Displayed?......................................815
15.10.4 How to Prevent Low Convergence for STP Edge Ports that Connect Terminals?..............................................816
15.10.5 How Do I Configure a User-Side Interface on an STP Switch?..........................................................................816
15.10.6 How Do I Prevent Terminals' Failures to Ping the Gateway or Slow Speeds for Obtaining IP Addresses When
They Connect to an STP Network?.................................................................................................................................. 816
15.11 References...............................................................................................................................................................817
16 VBST Configuration............................................................................................................... 818

16.1 Introduction to VBST............................................................................................................................................... 819
16.2 Principles.................................................................................................................................................................. 821
16.3 Applicable Scenario..................................................................................................................................................825
Issue 07 (2017-11-30) Huawei Proprietary and Confidential xix


16.7 Configuring VBST................................................................................................................................................... 832
16.7.1 Configuring Basic VBST Functions......................................................................................................................832
16.7.1.1 (Optional) Setting the Device Priority................................................................................................................832
16.7.1.2 (Optional) Setting the Path Cost for a Port.........................................................................................................833
16.7.1.3 (Optional) Configuring Port Priorities................................................................................................................834
16.7.1.4 (Optional) Manually Configuring the Mapping between MSTIs and VLANs.................................................. 835
16.7.1.5 Enabling VBST...................................................................................................................................................836
16.7.2 Setting VBST Parameters That Affect VBST Convergence................................................................................. 838
16.7.2.1 Setting the Network Diameter............................................................................................................................ 838
16.7.2.2 Setting Values of VBST Timers..........................................................................................................................839
16.7.2.3 Setting the VBST Timeout Interval.................................................................................................................... 840
16.7.2.4 Setting the Link Type of a Port...........................................................................................................................841
16.7.2.5 Setting the Maximum Transmission Rate of a Port............................................................................................841
16.7.2.6 Manually Switching to the VBST Mode............................................................................................................ 842
16.7.2.7 Configuring a VBST Convergence Mode.......................................................................................................... 843
16.7.2.8 Configuring a Port as an Edge Port and BPDU Filter Port................................................................................ 843
16.7.3 Configuring Protection Functions of VBST.......................................................................................................... 845
16.7.3.1 Configuring BPDU Protection on the Switch.....................................................................................................845
16.7.3.2 Configuring TC Protection on the Switch.......................................................................................................... 846
16.7.3.3 Configuring Root Protection on a Port............................................................................................................... 847
16.7.3.4 Configuring Loop Protection on a Port.............................................................................................................. 848
16.7.4 Setting Parameters for Interworking Between a Huawei Datacom Device and a Non-Huawei Device............... 849
16.8 Maintaining VBST................................................................................................................................................... 850
16.8.1 Displaying VBST Running Information and Statistics......................................................................................... 850
16.8.2 Clearing VBST Statistics.......................................................................................................................................851
16.9.1 Example for Configuring VBST............................................................................................................................851
17 SEP Configuration...................................................................................................................861
17.1 Introduction to SEP.................................................................................................................................................. 862
17.2 Principles.................................................................................................................................................................. 862
17.2.1 Principles of SEP................................................................................................................................................... 863
17.2.2 Basic Concepts of SEP.......................................................................................................................................... 865
17.2.3 SEP Implementation Mechanisms.........................................................................................................................869
17.3 Applications..............................................................................................................................................................883
17.3.1 Open-Ring Networking......................................................................................................................................... 883
17.3.2 Closed-Ring Networking....................................................................................................................................... 884
Issue 07 (2017-11-30) Huawei Proprietary and Confidential xx

17.3.3 Multi-Ring Networking......................................................................................................................................... 885

17.3.4 Hybrid SEP+MSTP Ring Networking.................................................................................................................. 886
17.3.5 Hybrid SEP+RRPP Ring Networking................................................................................................................... 887
17.3.6 SEP Multi-Instance................................................................................................................................................888
17.3.7 Association Between SEP and VPLS.................................................................................................................... 889
17.3.8 Association Between SEP and CFM..................................................................................................................... 891
17.6 Configuring SEP.......................................................................................................................................................894
17.6.1 Configuring Basic SEP Functions......................................................................................................................... 894
17.6.1.1 Configuring a SEP Segment............................................................................................................................... 894
17.6.1.2 Configuring a Control VLAN.............................................................................................................................895
17.6.1.3 Configuring a Protected Instance....................................................................................................................... 896
17.6.1.4 Adding a Layer 2 Interface to a SEP Segment and Configuring a Role for the Interface..................................897
17.6.2 Specifying an Interface to Block........................................................................................................................... 900
17.6.2.1 Setting an Interface Blocking Mode................................................................................................................... 900
17.6.2.2 Configuring the Preemption Mode..................................................................................................................... 902
17.6.3 Configuring SEP Multi-Instance........................................................................................................................... 903
17.6.4 Configuring the Topology Change Notification Function.....................................................................................905
17.6.4.1 Reporting Topology Changes in a Lower-Layer Network - SEP Topology Change Notification..................... 905
17.6.4.2 Reporting Topology Changes in a Lower-Layer Network - Enabling the Devices in a SEP Segment to Process
SmartLink Flush Packets.................................................................................................................................................. 907
17.6.4.3 Reporting Topology Changes in an Upper-Layer Network - Configuring Association Between SEP and CFM
.......................................................................................................................................................................................... 908
17.7 Maintaining SEP.......................................................................................................................................................909
17.7.1 Clearing SEP Statistics.......................................................................................................................................... 909
17.8.1 Example for Configuring SEP on a Closed Ring Network................................................................................... 909
17.8.2 Example for Configuring SEP on a Multi-Ring Network..................................................................................... 915
17.8.3 Example for Configuring a Hybrid SEP+MSTP Ring Network........................................................................... 927
17.8.4 Example for Configuring a Hybrid SEP+RRPP Ring Network............................................................................ 935
17.8.5 Example for Configuring SEP Multi-Instance...................................................................................................... 947
17.8.6 Example for Configuring Association Between SEP and VPLS (Reporting Topology Changes of a Lower-Layer
Network)........................................................................................................................................................................... 954
18 RRPP Configuration............................................................................................................... 967

18.1 Introduction to RRPP................................................................................................................................................968
18.2 Principles.................................................................................................................................................................. 969
18.2.1 Basic RRPP Concepts............................................................................................................................................970
18.2.2 RRPP Packets........................................................................................................................................................ 974
18.2.3 Implementation of a Single RRPP Ring (When the Ring is Complete)................................................................ 977
Issue 07 (2017-11-30) Huawei Proprietary and Confidential xxi

18.2.4 Implementation of a Single RRPP Ring (When the Ring is Faulty)..................................................................... 978
18.2.5 Implementation of a Single RRPP Ring (When the Fault is Recovered).............................................................. 980
18.2.6 Implementation of Multiple Rings........................................................................................................................ 983
18.2.7 RRPP Multi-Instance............................................................................................................................................. 992
18.3 Application Scenarios...............................................................................................................................................994
18.3.1 Application of a Single Ring................................................................................................................................. 994
18.3.2 Application of Tangent RRPP Rings..................................................................................................................... 995
18.3.3 Application of Intersecting RRPP Rings............................................................................................................... 996
18.3.4 Application of the RRPP and STP Network..........................................................................................................997
18.3.5 Application of Intersecting RRPP Rings of Multi-Instance in MAN....................................................................998
18.3.6 Application of Tangent RRPP Rings of Multi-Instance in MAN..........................................................................999
18.3.7 Application of Multiple Instances Single-homed to an RRPP Aggregation Ring.............................................. 1000
18.3.8 Application of the RRPP Multi-instance Ring and SmartLink Network............................................................ 1001
18.3.9 Application of RRPP Snooping........................................................................................................................... 1002
18.4 Configuration Task Summary.................................................................................................................................1005
18.5 Configuration Notes............................................................................................................................................... 1006
18.6 Default Configuration.............................................................................................................................................1007
18.7 Configuring RRPP.................................................................................................................................................. 1008
18.7.1 Configuring RRPP............................................................................................................................................... 1008
18.7.1.1 Configuring Interfaces on an RRPP Ring.........................................................................................................1008
18.7.1.2 Creating an RRPP Domain and the Control VLAN......................................................................................... 1009
18.7.1.3 Creating an Instance......................................................................................................................................... 1010
18.7.1.4 Configuring a Protected VLAN........................................................................................................................1011
18.7.1.5 (Optional) Setting the RRPP Working Mode................................................................................................... 1012
18.7.1.6 Creating and Enabling an RRPP Ring.............................................................................................................. 1013
18.7.1.7 Enabling RRPP................................................................................................................................................. 1014
18.7.1.8 (Optional) Creating a Ring Group.................................................................................................................... 1014
18.7.1.9 (Optional) Setting the Values of the Hello Timer and Fail Timer in an RRPP Domain...................................1015
18.7.1.10 (Optional) Setting the Value of the Link-Up Timer........................................................................................1016
18.7.1.11 Checking the Configuration............................................................................................................................1016
18.7.2 Configuring RRPP Snooping...............................................................................................................................1017
18.7.2.1 Enabling RRPP Snooping.................................................................................................................................1017
18.7.2.2 (Optional) Configuring the VSI Associated with RRPP Snooping.................................................................. 1018
18.8 Maintaining RRPP.................................................................................................................................................. 1019
18.8.1 Clearing RRPP Statistics..................................................................................................................................... 1019
18.9 Configuration Examples......................................................................................................................................... 1019
18.9.1 Example for Configuring a Single RRPP Ring with a Single Instance...............................................................1020
18.9.2 Example for Configuring Intersecting RRPP Rings with a Single Instance (RRPP Defined by the National
Standard of China)..........................................................................................................................................................1024
18.9.3 Example for Configuring Intersecting RRPP Rings with a Single Instance (RRPP Defined by Huawei)..........1034
18.9.4 Example for Configuring Tangent RRPP Rings..................................................................................................1045
18.9.5 Example for Configuring a Single RRPP Ring with Multiple Instances............................................................ 1053
Issue 07 (2017-11-30) Huawei Proprietary and Confidential xxii

18.9.6 Example for Configuring Intersecting RRPP Rings with Multiple Instances (RRPP Defined by the National
Standard of China)..........................................................................................................................................................1061
18.9.7 Example for Configuring Intersecting RRPP Rings with Multiple Instances (RRPP Defined by Huawei)....... 1077
18.9.8 Example for Configuring Tangent RRPP Rings with Multiple Instances........................................................... 1093
18.10 Common Configuration Errors............................................................................................................................. 1103
18.10.1 A Loop Occurs After the RRPP Configuration is Complete............................................................................. 1103
18.10.2 After the Primary Port of a Transit Node on an RRPP Ring Network Becomes Down and Then Recovers, the
Transit Node and Other Transit Nodes Cannot Register With the Master Node............................................................1104
18.11 FAQ.......................................................................................................................................................................1104
18.11.1 What Should Be Noted When Configuring RRPP? ..........................................................................................1105
18.11.2 Can RRPP and VRRP Be Used Together on a Switch?.....................................................................................1105
18.11.3 Can Data Packets Be Blocked in the Control VLAN of RRPP?....................................................................... 1105
18.12 References.............................................................................................................................................................1105
19 ERPS (G.8032) Configuration.............................................................................................. 1106

19.1 Introduction to ERPS.............................................................................................................................................. 1107
19.2 Principles................................................................................................................................................................ 1108
19.2.1 Basic ERPS Concepts.......................................................................................................................................... 1108
19.2.2 RAPS PDUs......................................................................................................................................................... 1115
19.2.3 ERPS Single-ring Principles................................................................................................................................ 1117
19.2.4 ERPS Multi-ring Principles................................................................................................................................. 1122
19.2.5 ERPS Multi-instance............................................................................................................................................1125
19.3 Applicable Scenario................................................................................................................................................1127
19.4 Configuration Task Summary................................................................................................................................. 1128
19.5 Configuration Notes................................................................................................................................................1128
19.6 Default Settings.......................................................................................................................................................1129
19.7 Configuring ERPS.................................................................................................................................................. 1130
19.7.1 Configuring ERPSv1........................................................................................................................................... 1130
19.7.1.1 Creating an ERPS Ring.....................................................................................................................................1130
19.7.1.2 Configuring the Control VLAN........................................................................................................................1130
19.7.1.3 Configuring an ERP Instance and Activating the Mapping Between the ERP Instance and VLAN............... 1131
19.7.1.4 Adding a Layer 2 Port to an ERPS Ring and Configuring the Port Role......................................................... 1133
19.7.1.5 (Optional) Configuring Timers in an ERPS Ring.............................................................................................1135
19.7.1.6 (Optional) Configuring the MEL Value............................................................................................................1135
19.7.1.7 (Optional) Configuring Association Between ERPS and Ethernet CFM......................................................... 1136
19.7.2 Configuring ERPSv2........................................................................................................................................... 1137
19.7.2.1 Creating an ERPS Ring.....................................................................................................................................1137
19.7.2.2 Configuring the Control VLAN........................................................................................................................1139
19.7.2.3 Configuring an ERP Instance and Activating the Mapping Between the ERP Instance and VLAN............... 1139
19.7.2.4 Adding a Layer 2 Port to an ERPS Ring and Configuring the Port Role......................................................... 1141
19.7.2.5 Configuring the Topology Change Notification Function................................................................................ 1143
19.7.2.6 (Optional) Configuring ERPS Protection Switching........................................................................................ 1144
19.7.2.7 (Optional) Configuring Timers in an ERPS Ring.............................................................................................1145
Issue 07 (2017-11-30) Huawei Proprietary and Confidential xxiii

19.7.2.8 (Optional) Configuring Association Between ERPS and Ethernet CFM......................................................... 1146
19.8 Maintaining ERPS.................................................................................................................................................. 1147
19.8.1 Clearing ERPS Statistics......................................................................................................................................1147
19.9.1 Example for Configuring ERPS Multi-instance.................................................................................................. 1147
19.9.2 Example for Configuring Intersecting ERPS Rings............................................................................................ 1156
19.10 Common Configuration Errors............................................................................................................................. 1164
19.10.1 Traffic Forwarding Fails in an ERPS Ring........................................................................................................1164
19.11 References.............................................................................................................................................................1164
20 LDT and LBDT Configuration............................................................................................1166

20.1 Introduction to LBDT and LDT..............................................................................................................................1167
20.2 Principles................................................................................................................................................................ 1168
20.3 Applicable Scenario................................................................................................................................................1171
20.4 Configuration Notes................................................................................................................................................1173
20.5 Default Configuration............................................................................................................................................. 1174
20.6 Configuring LDT to Detect Loops..........................................................................................................................1175
20.6.1 Enabling LDT...................................................................................................................................................... 1175
20.6.2 (Optional) Setting the Interval for Sending LDT Packets................................................................................... 1177
20.6.3 Configuring an Action Taken After a Loop Is Detected......................................................................................1177
20.6.4 (Optional) Setting the Recovery Time of an Interface.........................................................................................1178
20.6.5 Checking the Configuration.................................................................................................................................1179
20.7 Configuring LBDT to Detect Loops.......................................................................................................................1179
20.7.1 Enabling LBDT....................................................................................................................................................1180
20.7.2 (Optional) Setting the Interval for Sending LBDT Packets.................................................................................1182
20.7.3 Configuring an Action Taken After a Loop Is Detected......................................................................................1182
20.7.4 (Optional) Setting the Recovery Time of an Interface.........................................................................................1183
20.8.1 Example for Configuring LDT to Detect Loops on the Downstream Network.................................................. 1184
20.8.2 Example for Configuring LDT to Detect Loops on the Local Network..............................................................1187
20.8.3 Example for Configuring LBDT to Detect Loopbacks on an Interface.............................................................. 1191
20.8.4 Example for Configuring LBDT to Detect Loops on the Downstream Network................................................1193
20.8.5 Example for Configuring LBDT to Detect Loops on the Local Network........................................................... 1196
21 HVRP Configuration............................................................................................................ 1199

21.1 Introduction to HVRP.............................................................................................................................................1200
21.2 Principles................................................................................................................................................................ 1200
21.2.1 Basic Concepts.................................................................................................................................................... 1200
21.2.2 Working Process.................................................................................................................................................. 1201
21.3 Applications............................................................................................................................................................1204
21.5 Default Configuration.............................................................................................................................................1207
Issue 07 (2017-11-30) Huawei Proprietary and Confidential xxiv

21.6 Configuring HVRP................................................................................................................................................. 1207

21.6.1 Enabling HVRP Globally.................................................................................................................................... 1208
21.6.2 Enabling HVRP on an Interface.......................................................................................................................... 1208
21.6.3 (Optional) Setting the VLAN Registration Timer............................................................................................... 1209
21.6.4 (Optional) Setting the Aging Timer of Registered VLANs.................................................................................1210
21.6.5 (Optional) Configuring Permanent VLANs........................................................................................................ 1210
21.6.6 (Optional) Aging All VLANs.............................................................................................................................. 1211
21.7.1 Example for Configuring HVRP......................................................................................................................... 1211
21.8 References.............................................................................................................................................................. 1215
22 Layer 2 Protocol Transparent Transmission Configuration..........................................1217

22.1 Introduction to Layer 2 Protocol Transparent Transmission.................................................................................. 1218
22.2 Principles................................................................................................................................................................ 1219
22.3 Application Environment....................................................................................................................................... 1224
22.4 Configuration Task Summary.................................................................................................................................1225
22.6 Configuring Layer 2 Protocol Transparent Transmission...................................................................................... 1228
22.6.1 Configuring Interface-based Layer 2 Protocol Transparent Transmission..........................................................1228
22.6.1.1 (Optional) Defining Characteristic Information About a Layer 2 Protocol..................................................... 1228
22.6.1.2 Configuring Layer 2 Protocol Transparent Transmission Mode...................................................................... 1229
22.6.1.3 Enabling Layer 2 Protocol Transparent Transmission on an Interface.............................................................1230
22.6.2 Configuring VLAN-based Layer 2 Protocol Transparent Transmission.............................................................1231
22.6.2.3 Enabling VLAN-based Layer 2 Protocol Transparent Transmission on an Interface...................................... 1233
22.6.3 Configuring QinQ-based Layer 2 Protocol Transparent Transmission............................................................... 1234
22.6.3.3 Enabling QinQ-based Layer 2 Transparent Transmission on an Interface.......................................................1236
22.6.4 Displaying Statistics About Layer 2 Protocol Packets That Are Transparently Transmitted on an Interface.....1237
22.6.5 Clearing Statistics About Layer 2 Protocol Packets That Are Transparently Transmitted on an Interface........ 1237
22.7.1 Example for Configuring Interface-based Layer 2 Protocol Transparent Transmission..................................... 1238
22.7.2 Example for Configuring VLAN-based Layer 2 Protocol Transparent Transmission........................................ 1241
22.7.3 Example for Configuring QinQ-based Layer 2 Protocol Transparent Transmission.......................................... 1246
22.8 FAQ.........................................................................................................................................................................1251
22.8.1 How to Configure BPDU Tunnel to Transparently Transmit BPDUs?...............................................................1252
22.8.2 How to View and Change MAC Addresses of BPDUs?..................................................................................... 1252
Issue 07 (2017-11-30) Huawei Proprietary and Confidential xxv

22.9 References.............................................................................................................................................................. 1252
Issue 07 (2017-11-30) Huawei Proprietary and Confidential xxvi

Configuration Guide - Ethernet Switching 1 Ethernet Switching Overview
1 Ethernet Switching Overview
About This Chapter
Ethernet is a simple, cost-effective, and easy-to-implement LAN technology and widely used.
1.1 Introduction to Ethernet Switching

1.2 Basic Concepts of Ethernet
1.3 Switching on the Ethernet
1.4 Application Environment
1.5 References
Issue 07 (2017-11-30) Huawei Proprietary and Confidential 1

1.1 Introduction to Ethernet Switching

Definition
The earliest Ethernet standard was the DEC-Intel-Xerox (DIX) standard jointly developed by
the Digital Equipment Corporation (DEC), Intel, and Xerox in 1982. After years of
development, Ethernet has become the most widely used local area network (LAN) type, and
many Ethernet standards have been put into use, including standard Ethernet (10 Mbit/s), fast
Ethernet (100 Mbit/s), gigabit Ethernet (1000 Mbit/s), and 10G Ethernet (10 Gbit/s). IEEE
802.3 was defined based on Ethernet and is compatible with Ethernet standards.
In the TCP/IP suite, the IP packet encapsulation format on an Ethernet network is defined in
RFC 894, and the IP packet encapsulation format on an IEEE 802.3 network is defined in
RFC 1042. Currently, the format defined in RFC 894 is most commonly used. This format is
called Ethernet_II or Ethernet DIX.
NOTE
To distinguish Ethernet frames of the two types, Ethernet frames defined in RFC 894 are called
Ethernet_II frames and Ethernet frames defined in RFC 1042 IEEE 802.3 are called frames in this
document.
History
In 1972, when Robert Metcalfe (father of Ethernet) was hired by Xerox, his first job was to
connect computers in Xerox's Palo Alto Research Center (PARC) to the Advanced Research
Projects Agency Network (ARPANET), progenitor of the Internet. In 1972 also, Robert
Metcalfe designed a network to connect computers in the PARC. That network was based on
the Aloha system (a radio network system) and connected many computers in the PARC, so
Metcalfe originally named the network Alto Aloha network. The Alto Aloha network started
operating in May 1973, and Metcalfe then gave it an official name Ethernet, which is the
prototype of Ethernet. The network operated at a rate of 2.94 Mbit/s and used thick coaxial
cable as transmission medium. In June 1976, Metcalfe and his assistant David Boggs
published a paper Ethernet Distributed Packet Switching for Local Computer Networks. At
the end of 1977, Metcalfe and his three co-workers were gained a patent on "Multipoint data
communication system with collision detection." Since then, Ethernet was known to the
public.
As Ethernet technology develops rapidly, Ethernet has become the most widely used LAN
technology and replaced most of other LAN standards, such as token ring, fiber distributed
data interface (FDDI), and attached resource computer network (ARCNET). After rapid
development of 100M Ethernet in the 20th century, gigabit Ethernet and even 10G Ethernet
are now expanding their applications as promoted by international standardization
organizations and industry-leading enterprises.
Purpose
Ethernet is a universal communication protocol standard used for local area networks (LANs).
This standard defines the cable type and signal processing method used for LANs.
Ethernet networks are broadcast networks established based on the Carrier Sense Multiple
Access with Collision Detection (CSMA/CD) mechanism. Collisions restrict Ethernet
performance. Early Ethernet devices such as hubs work at the physical layer, and cannot

confine collisions to a particular scope. This restricts network performance improvement.

Working at the data link layer, switches are able to confine collisions to a particular scope.
Switches help improve Ethernet performance and have replaced hubs as mainstream Ethernet
devices. However, switches do not restrict broadcast traffic on the Ethernet. This affects
Ethernet performance. Dividing a LAN into virtual local area networks (VLANs) on switches
or using Layer 3 switches can solve this problem.
As a simple, cost-effective, and easy-to-implement LAN technology, Ethernet has become the
mainstream in the industry. Gigabit Ethernet and even 10G Ethernet make Ethernet the most
promising network technology.
1.2 Basic Concepts of Ethernet
1.2.1 Ethernet Network Layers
Ethernet uses passive medium and transmits data in broadcast mode. It defines protocols used
on the physical layer and data link layer, interfaces between the two layers, and interfaces
between the data link layer and upper layers.
Physical Layer
The physical layer determines basic physical attributes of Ethernet, including data coding,
time scale, and electrical frequency.
The physical layer is the lowest layer in the Open Systems Interconnection (OSI) reference
model and is closest to the physical medium (communication channel) that transmits data.
Data is transmitted on the physical layer in binary bits (0 or 1). Transmission of bits depends
on transmission devices and physical media, but the physical layer does not refer to a specific
physical device or a physical media. Actually, the physical layer is located above a physical
medium and provides the data link layer with physical connections to transmit original bit
streams.
Data Link Layer

The data link layer is the second layer in the OSI reference model, located between the
physical layer and network layer. The data link layer obtains service from the physical layer
and provides service for the network layer. The basic service that the data link layer provides
is to reliably transmit data from the network layer of a source device to the network layer of
an adjacent destination device.
The physical layer and data link layer depend on each other. Therefore, different working
modes of the physical layer must be supported by corresponding data link layer modes. This
hinders Ethernet design and application.
Some organizations and vendors propose to divide the data link layer into two sub-layers: the
Media Access Control (MAC) sub-layer and the Logical Link Control (LLC) sub-layer. Then
different physical layers correspond to different MAC sub-layers, and the LLC sub-layer
becomes totally independent, as shown in Figure 1-1.

Figure 1-1 Hierarchy of Ethernet data link layer
Network
layer
LLC layer
Data link
layer
MAC layer
Physical
layer
The following sections describe concepts involved in the physical layer and data link layer.
1.2.2 Introduction to Ethernet Cable Standards
Introduction to Ethernet Cable Standards

Currently, mature Ethernet physical layer standards are:
l 10BASE-2
l 10BASE-5
l 10BASE-T
l 10BASE-F
l 100BASE-T4
l 100BASE-TX
l 100BASE-FX
l 1000BASE-SX
l 1000BASE-LX
l 1000BASE-TX
l 10GBASE-T
l 10GBASE-LR
l 10GBASE-SR
In the preceding standards, 10, 100, 1000 and 10G stand for transmission rates, and BASE
represents baseband.
l 10M Ethernet cable standards

Table 1-1 lists the 10M Ethernet cable standards defined in IEEE 802.3.
Table 1-1 10M Ethernet cable standards
Name Cable Maximum

Transmission Distance
10BASE-5 Thick coaxial cable 500 m
10BASE-2 Thin coaxial cable 200 m

Name Cable Maximum

10BASE-T Twisted pair cable 100 m
10BASE-F Fiber 2000 m
NOTE
Coaxial cables have a fatal defect: Devices are connected in series and therefore a single-point
failure can cause the breakdown of the entire network. As the physical standards of coaxial cables,
10BASE-2 and 10BASE-5 have fallen into disuse.
l 100M Ethernet cable standards
100M Ethernet is also called Fast Ethernet (FE). Compared with 10M Ethernet, 100M
Ethernet has a faster transmission rate at the physical layer, but they have no difference
at the data link layer.
Table 1-2 lists the 100M Ethernet cable standards.
Table 1-2 100M Ethernet cable standards

Name Cable Maximum
100Base-T4 Four pairs of Category 3 100 m

twisted pair cables
100Base-TX Two pairs of Category 5 100 m

twisted pair cables
100Base-FX Single-mode fiber or multi- 2000 m

mode fiber
Both 10Base-T and 100Base-TX apply to Category 5 twisted pair cables. They have
different transmission rates. The 10Base-T transmits data at 10 Mbit/s, whereas the
100Base-TX transmits data at 100 Mbit/s.
The 100Base-T4 is rarely used now.
l Gigabit Ethernet cable standards
Gigabit Ethernet is developed on the basis of the Ethernet standard defined in IEEE
802.3. Based on the Ethernet protocol, Gigabit Ethernet increases the transmission rate to
10 times the FE transmission rate, reaching 1 Gbit/s. Table 1-3 lists the Gigabit Ethernet
cable standards.
Table 1-3 Gigabit Ethernet cable standards

Interface Name Cables Maximum
1000Base-LX Single-mode fiber or multi- 316 m

mode fiber

Interface Name Cables Maximum

1000Base-SX Multi-mode fiber 316 m
1000Base-TX Category 5 twisted pair cable 100 m
Gigabit Ethernet technology can upgrade the existing Fast Ethernet from 100 Mbit/s to
1000 Mbit/s.
The physical layer of Gigabit Ethernet uses 8B10B coding. In traditional Ethernet
technology, the data link layer delivers 8-bit data sets to its physical layer. After
processing the data sets, the physical layer sends them to the data link layer. The data
sets are still 8 bits after processing.
The situation is different on the Gigabit Ethernet of optical fibers. The physical layer
maps the 8-bit data sets transmitted from the data link layer to 10-bit data sets and then
sends them out.
l 10G Ethernet cable standards
10G Ethernet is currently defined in supplementary standard IEEE 802.3ae, which will
be combined with IEEE 802.3 later. Table 1-4 lists the 10G Ethernet cable standards.
Table 1-4 10G Ethernet cable standards

Name Cables Maximum
10GBASE-T CAT-6A or CAT-7 100 m
10GBase-LR Single-mode optical fiber 10 km
10GBase-SR Multi-mode optical fiber Several hundred meters
l 100G Ethernet cable standards

The standard for 40G/100G Ethernet is defined in IEEE 802.3ba, which was published in
2010. 100G Ethernet will be widely used as network technologies develop.
1.2.3 CSMA/CD
l Definition of CSMA/CD
Ethernet was originally designed to connect computers and other digital devices on a
shared physical line. The computers and digital devices can access the shared line only in
half-duplex mode. Therefore, a mechanism of collision detection and avoidance is
required to prevent multiple devices from contending for the line. This mechanism is
called the carrier Sense Multiple Access with Collision Detection (CSMA/CD).
The concept of CSMA/CD is described as follows:
– Carrier sense (CS)
Before transmitting data, a station checks whether the line is idle to reduce chances
of collision.

– Multiple access (MA)

Data sent by a station can be received by multiple stations.
– Collision detection (CD)
If two stations transmit electrical signals at the same time, the voltage amplitude
doubles the normal amplitude as signals of the two stations accumulate. The
situation results in collision.
The stations stop transmission after detecting the collision, and resume the
transmission after a random delay.
l CSMA/CD working process
CSMA/CD works as follows:
a. A station continuously detects whether the shared line is idle.
n If the line is idle, the station sends data.
n If the line is in use, the station waits until the line becomes idle.
b. If two stations send data at the same time, a collision occurs on the line, and signals
on the line become unstable.
c. After detecting the instability, the station immediately stops sending data.
d. The station sends a series of disturbing pulses. After a period of time, the station
resumes the data transmission.
The station sends disturbing pulses to inform other stations, especially the station
that sends data at the same time, that a collision occurred on the line.
After detecting a collision, the station waits for a random period of time, and then
resumes the data transmission.
1.2.4 Minimum Frame Length and Maximum Transmission

Distance
Due to the limitation of the CSMA/CD algorithm, an Ethernet frame must be longer than or
equal to a specified length. On the Ethernet, the minimum frame length is 64 bytes, which is
determined jointly by the maximum transmission distance and the collision detection
mechanism.
The use of minimum frame length can prevent the following situation: station A finishes
sending the last bit, but the first bit does not arrive at station B, which is far from station A.
Station B considers that the line is idle and begins to send data, leading to a collision.
Figure 1-2 Ethernet_II frame format
6bytes 6bytes 2bytes 46~1500bytes 4bytes

DMAC SMAC Type Data CRC
The upper layer protocol must ensure that the Data field of a packet contains at least 46 bytes,
so that the total length of the Data field, the 14-byte Ethernet frame header, and the 4-byte
check code at the frame tail can reach the minimum frame length, as shown in Figure 1-2. If
the Data field is less than 46 bytes, the upper layer must pad the field to 46 bytes.

1.2.5 Duplex Modes of Ethernet
The physical layer of Ethernet can work in either half-duplex or full-duplex mode.
l Half-duplex mode
The half-duplex mode has the following features:
– Data only be sent or received at any time.
– The CSMA/CD mechanism is used.
– The maximum transmission distance is limited.
Hubs work in half-duplex mode.
l Full-duplex mode
After Layer 2 switches replace hubs, the shared Ethernet changes to the switched
Ethernet, and the half-duplex mode is replaced by the full-duplex mode. As a result, the
transmission rate increases greatly, and the maximum throughput doubles the
transmission rate.
The full-duplex mode solves the problem of collisions and eliminates the need for the
CSMA/CD mechanism.
The full-duplex mode has the following features:
– Data can be sent and received at the same time.
– The maximum throughput doubles the transmission rate.
– This mode does not have the limitation on the transmission distance.
All network cards, Layer 2 devices (except hubs), and Layer 3 devices produced support
the full-duplex mode.
The following hardware components are required to realize the full-duplex mode:
– Full-duplex network cards and chips
– Physical media with separate data transmission and receiving channels
– Point-to-point connection
1.2.6 Auto-Negotiation of Ethernet
l Purpose of auto-negotiation
The earlier Ethernet adopts the 10 Mbit/s half-duplex mode; therefore, mechanisms such
as CSMA/CD are required to guarantee system stability. With development of
technologies, the full-duplex mode and 100M Ethernet emerge, which greatly improve
the Ethernet performance. How to achieve the compatibility between the earlier and new
Ethernet networks becomes a new problem.
The auto-negotiation technology is introduced to solve this problem. In auto-negotiation,
the devices on two ends of a link can choose the same operation parameters by
exchanging information. The main parameters to be negotiated are mode (half-duplex or
full-duplex), speed, and flow control. After the negotiation succeeds, the devices on two
ends operate in the negotiated mode and rate.
The auto-negotiation of duplex mode and speed is defined in the following standards:
– 100M Ethernet standard: IEEE 802.3u
In IEEE 802.3u, auto-negotiation is defined as an optional function.

– Gigabit Ethernet standard: IEEE 802.3z

In IEEE 802.3z, auto-negotiation is defined as a mandatory and default function.
l Principle of auto-negotiation
Auto-negotiation is an Ethernet procedure by which two connected devices choose
common transmission parameters. It allows a network device to transmit the supported
operating mode to the peer and receives the operating mode from the peer. In this
process, the connected devices first share their capabilities regarding these parameters
and then choose the highest performance transmission mode they both support.
When no data is transmitted over a twisted pair on an Ethernet network, pulses of high
frequency are transmitted at an interval of 16 ms to maintain the connections at the link
layer. These pulses form a Normal Link Pulse (NLP) code stream. Some pulses of higher
frequency can be inserted in the NLP to transmit more information. These pulses form a
Fast Link Pulse (FLP) code stream, as shown in Figure 1-3. The basic mechanism of
auto-negotiation is to encapsulate the negotiation information into FLP.
Figure 1-3 Pulse insertion
16ms
1ms
16 small pulses are inserted

into every pulse
Similar to an Ethernet network that uses twisted pair cables, an Ethernet network that
uses optical modules and optical fibers also implements auto-negotiation by sending
code streams. These code streams are called Configuration (C) code streams. Different
from electrical interfaces, optical interfaces do not negotiate traffic transmission rates
and they work in duplex mode. Optical interfaces only negotiate flow control parameters.
If auto-negotiation succeeds, the Ethernet card activates the link. Then, data can be
transmitted on the link. If auto-negotiation fails, the link is unavailable.
If one end does not support auto-negotiation, the other end that supports auto-negotiation
adopts the default operating mode, which is generally 10 Mbit/s half-duplex.
Auto-negotiation is implemented based on the chip design at the physical layer. As
defined in IEEE 802.3, auto-negotiation is implemented in any of the following cases:
– A faulty link recovers.
– A device is power recycled.
– Either of two connected devices resets.
– A renegotiation request packet is received.
In other cases, two connected devices do not always send auto-negotiation code streams.
Auto-negotiation does not use special packets or bring additional protocol costs.
l Auto-negotiation rules for interfaces
Two connected interfaces can communicate with each other only when they are working
in the same working mode.
– If both interfaces work in the same non-auto-negotiation mode, the interfaces can
communicate.

– If both interfaces work in auto-negotiation mode, the interfaces can communicate

through negotiation. The negotiated working mode depends on the interface with
lower capability (specifically, if one interface works in full-duplex mode and the
other interface works in half-duplex mode, the negotiated working mode is half-
duplex). The auto-negotiation function also allows the interfaces to negotiate about
the flow control function.
– If a local interface works in auto-negotiation mode and the remote interface works
in a non-auto-negotiation mode, the negotiated working mode of the local interface
depends on the working mode of the remote interface.
1.2.7 Collision Domain and Broadcast Domain
Collision Domain
On a legacy Ethernet network using thick coaxial cables as a transmission medium, multiple
nodes on a shared medium share the bandwidth on the link and compete for the right to use
the link. A network collision occurs when more than one node attempts to send a packet on
this link at the same time. The carrier sense multiple access with collision detection
(CSMA/CD) mechanism is used to solve the problem of collisions. Once a collision occurs on
a link, the CSMA/CD mechanism prevents data transmission on this link within a specified
time. Collisions are inevitable on an Ethernet network, and the probability that collision
occurs increases when more nodes are deployed on a shared medium. All nodes on a shared
medium constitute a collision domain. All the nodes in a collision domain compete for
bandwidth. Packets sent from a node, including unicast, multicast, and broadcast packets, can
reach all the other nodes in the collision domain.
Broadcast Domain
Packets are broadcast in a collision domain, which results in a low bandwidth efficiency and
degrades packet processing performance of network devices. Therefore, broadcasting of
packets must be restricted. For example, the ARP protocol sends broadcast packets to obtain
MAC addresses mapping specified IP addresses. The all 1s MAC address FFFF-FFFF-FFFF
is the broadcast MAC address. All nodes must process data frames with this MAC address as
the destination MAC address. A broadcast domain is a group of nodes, among which
broadcast packet from one node can reach all the other nodes. A network bridge forwards
unicast packets according to its MAC address table and forwards broadcast packets to all its
ports. Therefore, nodes connected to all ports of a bridge belong to a broadcast domain, but
each port belongs to a different collision domain.
1.2.8 MAC Sub-layer
Functions of the MAC Sub-layer

The MAC sub-layer has the following functions:
l Provides access to physical links.
The MAC sub-layer is associated with the physical layer. That is, different MAC sub-
layers provide access to different physical layers.
Ethernet has two types of MAC sub-layers:
– Half-duplex MAC: provides access to the physical layer in half-duplex mode.
– Full-duplex MAC: provides access to the physical layer in full-duplex mode.

The two types of MAC sub-layers are integrated in a network interface card. After the
network interface card is initialized, auto-negotiation is performed to choose an
operation mode, and then a MAC sub-layer is chosen according to the operation mode.
l Identifies stations at the data link layer.
The MAC sub-layer reserves a unique MAC address for each station.
The MAC sub-layer uses a MAC address to uniquely identify a station.
MAC addresses are managed by Institute of Electrical and Electronics Engineers (IEEE)
and allocated in blocks. An organization, generally a device manufacturer, obtains a
unique address block from IEEE. The address block is called an Organizationally Unique
Identifier (OUI). Using the OUI, the organization can allocate MAC addresses to
16777216 devices.
A MAC address has 48 bits, which are generally expressed in 12-digit dotted
hexadecimal notation. For example, the 48-bit MAC address
000000001110000011111100001110011000000000110100 is represented by
00e0:fc39:8034.
The first 6 digits in dotted hexadecimal notation stand for the OUI, and the last 6 digits
are allocated by the vendor. For example, in 00e0:fc39:8034, 00e0:fc is the OUI
allocated by IEEE to Huawei, and 39:8034 is the address number allocated by Huawei.
The second bit of a MAC address indicates whether the address is globally unique or
locally unique. Ethernet uses globally unique MAC addresses.
MAC addresses are divided into the following types:
– Physical MAC address
A physical MAC address is burned into hardware (such as a network interface card)
and uniquely identifies a terminal on the Ethernet.
– Broadcast MAC address
A broadcast MAC address indicates all the terminals on a network.
The 48 bits of a broadcast MAC address are all 1s, such as ffff.ffff.ffff.
– Multicast MAC address
A multicast MAC address indicates a group of terminals on a network.
The eighth bit of a multicast MAC address is 1, such as
000000011011101100111010101110101011111010101000.
l Transmits data over the data link layer. After receiving data from the LLC sub-layer, the
MAC sub-layer adds the MAC address and control information to the data, and then
transmits the data to the physical link. In the process, the MAC sub-layer provides other
functions such as the check function.
Data is transmitted at the data link layer as follows:
a. The upper layer delivers data to the MAC sub-layer.
b. The MAC sub-layer stores the data in the buffer.
c. The MAC sub-layer adds the destination MAC address and source MAC address to
the data, calculates the length of the data frame, and forms an Ethernet frame.
d. The Ethernet frame is sent to the peer according to the destination MAC address.
e. The peer compares the destination MAC address with entries in the MAC address
table.
n If a matching entry is found, the frame is accepted.
n If no matching entry is found, the frame is discarded.

The preceding describes frame transmission in unicast mode. After an upper-layer

application is added to a multicast group, the data link layer generates a multicast MAC
address according to the application, and then adds the multicast MAC address to the
MAC address table. The MAC sub-layer receives frames with the multicast MAC
address and transmits the frames to the upper layer.
Ethernet Frame Structure

l Format of an Ethernet_II frame
Figure 1-4 Format of an Ethernet_II frame

6bytes 6bytes 2bytes 46~1500bytes 4bytes
DMAC SMAC Type Data CRC
Table 1-5 describes the fields in an Ethernet_II frame.
Table 1-5 Fields in an Ethernet_II frame

Field Description
DMAC It indicates the destination MAC address. DMAC specifies the

receiver of the frame.
SMAC It indicates the source MAC address. SMAC specifies the station
that sends the frame.
Type The 2-byte Type field identifies the upper layer protocol of the Data
field. The receiver can know the meaning of the Data field
according to the Type field.
Ethernet allows multiple protocols to coexist on a LAN. The
hexadecimal values in the Type field of an Ethernet_II frame stand
for different protocols.
l Frames with the Type field value 0800 are IP frames.
l Frames with the Type field value 0806 are Address Resolution
Protocol (ARP) frames.
l Frame with the Type field value 8035 are Reverse Address
Resolution Protocol (RARP) frames.
l Frames with the Type field value 8137 are Internetwork Packet
Exchange (IPx) and Sequenced Packet Exchange (SPx) frames.
Data The minimum length of the Data field is 46 bytes, which ensures
that the frame is at least 64 bytes in length. The 46-byte Data field is
required even if only 1-byte information needs to be transmitted.
If the payload of the Data field is less than 46 bytes, the Data field
must be padded to 46 bytes.
The maximum length of the Data field is 1500 bytes.

Field Description
CRC The Cyclic Redundancy Check (CRC) field provides an error

detection mechanism.
Each sending device calculates a CRC code containing the DMAC,
SMAC, Type, and Data fields. Then the CRC code is filled into the
4-byte CRC field.
The fields of a Ethernet_II frame are described as follows:

– DMAC
It indicates the destination MAC address. DMAC specifies the receiver of the
frame.
– SMAC
It indicates the source MAC address. SMAC specifies the station that sends the
frame.
– Type
The 2-byte Type field identifies the upper layer protocol of the Data field. The
receiver can know the meaning of the Data field according to the Type field.
Ethernet allows multiple protocols to coexist on a LAN. The hexadecimal values in
the Type field of an Ethernet_II frame stand for different protocols.
n Frames with the Type field value 0800 are IP frames.
n Frames with the Type field value 0806 are Address Resolution Protocol (ARP)
frames.
n Frame with the Type field value 8035 are Reverse Address Resolution
Protocol (RARP) frames.
n Frames with the Type field value 8137 are Internetwork Packet Exchange
(IPx) and Sequenced Packet Exchange (SPx) frames.
– Data
The minimum length of the Data field is 46 bytes, which ensures that the frame is at
least 64 bytes in length. The 46-byte Data field is required even if only 1-byte
information needs to be transmitted.
If the payload of the Data field is less than 46 bytes, the Data field must be padded
to 46 bytes.
The maximum length of the Data field is 1500 bytes.
– CRC
The Cyclic Redundancy Check (CRC) field provides an error detection mechanism.
Each sending device calculates a CRC code containing the DMAC, SMAC, Type,
and Data fields. Then the CRC code is filled into the 4-byte CRC field.
l Format of an IEEE 802.3 frame

Figure 1-5 Format of an IEEE 802.3 frame

6byte 6byte 2byte 38~1492byte 4byte
DMAC SMAC Length LLC SNAP Data CRC
DSAP SSAP Control org code Type

1byte 1byte 1byte 3byte 2byte
As shown in Figure 1-5, the format of an IEEE 802.3 frame is similar to that of an
Ethernet_II frame except that the Type field is changed to the Length field in an IEEE
802.3 frame, and the LLC field and the Sub-Network Access Protocol (SNAP) field
occupy 8 bytes of the Data field.
Table 1-6 Format of an IEEE 802.3 frame

Field Description
Length The Length field specifies the number of bytes in the Data field.
LLC The LLC field consists of three sub-fields: Destination Service

Access Point (DSAP), Source Service Access Point (SSAP), and
Control.
SNAP The SNAP field consists of the Org Code field and the Type field.
Three bytes in the Org Code field are all 0s. The Type field
functions the same as the Type field in Ethernet_II frames.
NOTE
For description about other fields, see the description of Ethernet_II frames.
Based on the values of DSAP and SSAP, IEEE 802.3 frames can be divided into the
following types:
– If DSAP and SSAP are both 0xff, the IEEE 802.3 frame changes to a Netware-
Ethernet frame that carries NetWare data.
– If DSAP and SSAP are both 0xaa, the IEEE 802.3 frame changes to an
Ethernet_SNAP frame.
Ethernet_SNAP frames can be encapsulated with data of multiple protocols. The
SNAP can be considered as an extension of the Ethernet protocol. SNAP allows
vendors to define their own Ethernet transmission protocols.
The Ethernet_SNAP standard is defined by IEEE 802.1 to guarantee
interoperability between IEEE 802.3 LANs and Ethernet networks.
– Other values of DSAP and SSAP indicate IEEE 802.3 frames.
1.2.9 LLC Sub-layer

The MAC sub-layer supports two types of frame: IEEE 802.3 frames and Ethernet_II frames.
In an Ethernet_II frame, the Type field identifies the upper layer protocol. Therefore, only the
MAC sub-layer is required on a device, and the LLC sub-layer does not need to be realized.

In an IEEE 802.3 frame, the LLC sub-layer defines useful features in addition to traditional
services of the data link layer. All these features are provided by the sub-fields of DSAP,
SSAP, and Control.
The following lists three types of point-to-point services:
l Connectionless service
Currently, the Ethernet implements this service.
l Connection-oriented service
A connection is set up before data is transmitted. The reliability of data is guaranteed
during the transmission.
l Connectionless data transmission with acknowledgement
A connection is not required before data transmission. The acknowledgement
mechanism is used to improve the reliability.
The following is an example that describes the applications of SSAP and DSAP. Assume that
terminals A and B use connection-oriented services. Data is transmitted in the following
process:
1. A sends a frame to B to require the establishment of a connection with B.
2. If B has enough resources, it returns an acknowledgement message that contains a
Service Access Point (SAP). The SAP identifies the connection required by A.
3. After receiving the acknowledgement message, A knows that B has set up a local
connection with A. After creating a SAP, A sends a message containing the SAP to B.
The connection is set up.
4. The LLC sub-layer of A encapsulates the data into a frame. The DSAP field is filled in
with the SAP sent by B; the SSAP field is filled in with the SAP created by A. Then the
LLC sub-layer sends the frame to the MAC sub-layer of A.
5. The MAC sub-layer of A adds the MAC address and the Length field into the frame, and
then sends the frame to the data link layer.
6. After the frame is received at the MAC sub-layer of B, the frame is transmitted to the
LLC sub-layer. The LLC sub-layer figures out the connection to which the frame belongs
according to the DSAP field.
7. After checking and acknowledging the frame based on the connection type, the LLC sub-
layer of B transmits the frame to the upper layer.
8. After the frame reaches its destination, A instructs B to release the connection by
sending a frame. At this time, the communications end.
1.3 Switching on the Ethernet
1.3.1 Layer 2 Switching

A Layer 2 device works at the second layer of the OSI model and forwards data packets based
on media access control (MAC) addresses. Ports on a Layer 2 device send and receive data
independently and belong to different collision domains. Collision domains are isolated at the
physical layer so that collisions will not occur between hosts (or networks) connected through
this Layer 2 device due to uneven traffic rates on these hosts (or networks).
A Layer 2 device parses and learns source MAC addresses of Ethernet frames and maintains a
mapping table of MAC addresses and ports. This table is called a MAC address table. When

receiving an Ethernet frame, the device searches for the destination MAC address of the frame
in the MAC table to determine through which port to forward this frame.
1. When the Layer 2 device receives an Ethernet frame, it records the source MAC address
and the inbound port of the frame in the MAC address table to guide Layer 2 forwarding.
If the same MAC address entry exists in the MAC address table, the device resets the
aging time of the entry. An aging mechanism is used to maintain entries in the MAC
address table. Entries that are not updated within the aging time are deleted from the
MAC address table.
2. The device looks up the MAC address table based on the destination MAC address of the
Ethernet frame. If no matching entry is found, the device forwards the frame to all its
ports except the port from which the frame is received. If the destination MAC address
of the frame is a broadcast address, the device forwards the frame to all its ports except
the port from which the frame is received. If a matching entry is found in the MAC
address table, the device forwards the frame to the port specified in the entry.
According to the preceding forwarding process, a Layer 2 device maintains a MAC address
table and forwards Ethernet frames based on destination MAC addresses. This forwarding
mechanism fully uses network bandwidth and improves network performance. Figure 1-6
shows an example of Layer 2 switching
Figure 1-6 Layer 2 switching example

MAC Address Port
MAC A Port 1
PC B
MAC B Port 2
MAC C Port 3
PC A Port 2
Port 1
Port 3
PC C
MAC C MAC A Type Data MA
CC
MA
CA
Typ
e D
a ta
Although Layer 2 devices can isolate collision domains, they cannot isolate broadcast
domains. As described in the Layer 2 forwarding process, broadcast packets and packets that
do not match nay entry in the MAC address table are forwarded to all ports (except the port
from which the frame is received). Packet broadcasting consumes much bandwidth on
network links and brings security issues. Routers can isolate broadcast domains, but high
costs and low forwarding performance of routers limit the application of routers in Layer 2
forwarding. The virtual local area network (VLAN) technology is introduced to solve this
problem in Layer 2 switching.
1.3.2 Layer 3 Switching

Background of Layer 3 Switches
In early stage of network deployment, most local area networks (LANs) were established
using Layer 2 switches, and routers completed communication between LANs. At that time,

intra-LAN traffic accounted for most of network traffic and little traffic was transmitted
between LANs. A few routers were enough to handle traffic transmission between LANs.
As data communication networks expand and more services emerge on the networks,
increasing traffic needs to be transmitted between networks. Routers cannot adapt to this
development trend because of their high costs, low forwarding performance, and small port
quantities. New devices capable of high-speed Layer 3 forwarding are required. Layer 3
switches are such devices.
Routers use CPUs to complete Layer 3 forwarding, whereas Layer 3 switches use hardware to
complete Layer 3 forwarding. Hardware forwarding has a much higher performance than
software forwarding (CPU based forwarding). Switches cannot replace routers in all scenarios
because routers provide rich interface types, good service class control, and powerful routing
capabilities that Layer 3 switches cannot provide.
Layer 3 Forwarding Mechanism

Layer 3 switches divide a Layer 2 network into multiple VLANs. They implement Layer 2
switching within the VLANs and Layer 3 IP connectivity between VLANs. Two hosts on
different networks communicate with each other through the following process:
1. Before the source host starts communicating with the destination host, it compares its
own IP address with the IP address of the destination host. If IP addresses of the two
hosts have the same network ID (calculated by an AND operation between the IP
addresses and masks), the hosts are located on the same network segment. In this case,
the source host sends an Address Resolution Protocol (ARP) request to the destination
host. After receiving an ARP reply from the destination host, the source host obtains the
MAC address of the destination host and sends packets to this destination MAC address.
2. If the source and destination hosts are located on different network segments, the source
host sends an ARP request to obtain the MAC address mapping the gateway IP address.
After receiving an ARP reply from the gateway, the source host sends packets to the
MAC address of the gateway. In these packets, the source IP address is the IP address of
the source host, and destination IP address is still the IP address of the destination host.
The following is the detailed Layer 3 switching process.
As shown in Figure 1-7, the source and destination hosts connect to the same Layer 3 switch
but belong to different VLANs (network segments). Both the two hosts are located on the
directly connected network segments of the Layer 3 switch, so the routes to the IP addresses
of the hosts are direct routes.

Figure 1-7 Layer 3 forwarding
Figure 1-7 shows the MAC addresses, IP addresses, and gateway addresses of the hosts,
MAC address of the Layer 3 switch, and IP addresses of Layer 3 interfaces configured in
VLANs on the Layer 3 switch. The process of a ping from PC A to PC B is as follows (the
Layer 3 switch has not created any MAC address entry):
1. PC A finds that the destination IP address 10.2.1.2 (PC B) is on a different network
segment than its own IP address. Therefore, PC A sends an ARP request to request for
the MAC address mapping the gateway address 10.1.1.1.
2. L3 Switch receives the ARP request from PC A and finds that 10.1.1.1 is the IP address
of its own Layer 3 interface. L3 switch then sends an ARP reply to PC A. The ARP reply
carries the MAC address of its Layer 3 interface (MAC Switch). In addition, L3 switch
adds the mapping between the IP address and MAC address of PC A (10.1.1.2 and MAC
A) to its ARP table. The IP address and MAC address of PC A are carried in the ARP
request sent from PC A.
3. After PC A receives the ARP reply from the gateway (L3 Switch), it sends an ICMP
request packet. In the ICMP request packet, the destination MAC address (DMAC) is
MAC Switch; the source MAC address (SMAC) is MAC A; the source IP address (SIP)
is 10.1.1.2; the destination IP address (DIP) is 10.2.1.2.
4. When L3 Switch receives the ICMP request packet, it updates the matching MAC
address entry according to the source MAC address and VLAN ID of the packet. Then
L3 Switch looks up the MAC address table according to the destination MAC address
and VLAN ID of the packet and finds the entry with the MAC address of its Layer 3
interface, the packet needs to be forwarded at Layer 3. Then L3 Switch looks up Layer 3
forwarding entries of the switching chip to guide Layer 3 forwarding.
5. The switching chip loops up Layer 3 forwarding entries according to the destination IP
address of the packet. The entry lookup fails because no entry has been created. The
switching chip then sends the packet to the CPU for software processing.

6. The CPU looks up the software routing table according to the destination IP address of
the packet and finds a directly connected network segment, network segment of PC B.
Then the CPU looks up its ARP table, and the lookup still fails. Therefore, L3 Switch
sends an ARP request to all ports in VLAN 3 (network segment of PC B), to request the
MAC address mapping IP address 10.2.1.2.
7. After PC B receives the ARP request from L3 Switch, it checks the ARP request and
finds that 10.2.1.2 is its own IP address. PC B then sends an ARP reply carrying its
MAC address (MAC B). Meanwhile, PC B records the mapping between the IP address
and MAC address of L3 Switch (10.2.1.1 and MAC Switch) in its ARP table.
8. When L3 Switch receives the ARP reply from PC B, it records the mapping between the
IP address and MAC address of PC B (10.2.1.2 and MAC B) in its ARP table. L3 Switch
changes the destination MAC address in the ICMP request packet sent from PC A to
MAC B and changes the source MAC address to its own MAC address (MAC Switch),
and then sends the ICMP request to PC B. The Layer 3 forwarding entry containing the
IP address and MAC address of PC B, outbound VLAN ID, and outbound port is also
added to the Layer 3 forwarding of the switching chip. Subsequent packets sent from PC
A to PC B are directly forwarded according to this hardware entry.
9. When PC B receives the ICMP request packet from L3 Switch, it sends an ICMP reply
packet to PC A. The forwarding process for the ICMP reply packet is similar to that for
the ICMP request packet except that the ICMP reply packet is directly forwarded to PC
A by the switching chip according to the hardware entry. The reason is that L3 Switch
has obtained the mapping between the IP address and MAC address of PC A and added
matching Layer 3 forwarding entry to the L3 forwarding table of the switching chip.
10. Subsequent packets exchanged between PC A and PC B are forwarded following the
same process: MAC address table lookup, Layer 3 forwarding table lookup, and
hardware forwarding by the switching chip.
In a summary, a Layer 3 switch provides high-speed Layer 3 switching through one routing
process (forwarding the first packet to the CPU and creating a hardware Layer 3 forwarding
entry) and multiple switching processes (hardware forwarding of subsequent packets).
1.4.1 Building an Enterprise Network

As shown in Figure 1-8, an enterprise needs to build a network to provide access to various
terminals, including IP phones, PCs, network printers, and servers.

Figure 1-8 Using Ethernet technology to build an enterprise network
Network
Aggregation/Core Layer
Access Layer ……
Terminal ……
Ethernet technology can connect various terminals to a network to allow employees to surf on
the Internet, make IP calls, access shared resources on servers, and print files using remote
printers over the network. The IT administrators of the enterprise can manage the network in a
centralized manner.
1.5 References
The following table lists the references for this document.
Document Description Remarks
IEEE 802.3 Carrier sense multiple access with collision -

detection (CSMA/CD) access method and
physical layer specifications
IEEE 802.3ae Media Access Control (MAC) Parameters, -

Physical Layers, and Management parameters
for 10Gb/s Operation
RFC 894 A Standard for the Transmission of IP -

Datagrams over Ethernet Networks
RFC 1042 A Standard for the Transmission of IP -

Datagrams over IEEE 802 Networks

Configuration Guide - Ethernet Switching 2 MAC Address Table Configuration
2 MAC Address Table Configuration
About This Chapter
This chapter describes how to configure the Media Access Control (MAC) address table on
your switch. A MAC address table is a Layer 2 forwarding table that stores MAC addresses
learned from other devices. Your switch maintains a MAC address table for Layer 2 data
forwarding. Each workstation and server has a unique MAC address. When the switch
exchanges data with connected workstations and servers, the switch records their MAC
addresses, access interfaces, and VLAN IDs to facilitate unicast forwarding.
2.1 Introduction to the MAC Address
2.2 Principles
2.3 Application
2.4 Configuration Task Summary
2.5 Configuration Notes
2.6 Default Configuration
2.7 Configuring a MAC Address Table
A MAC address uniquely identifies a device. A network device maintains a MAC address
table for Layer 2 data forwarding.
2.8 Maintaining the MAC Address Table
2.9 Configuration Examples
2.10 Common Misconfigurations
2.11 FAQs
2.12 Reference

2.1 Introduction to the MAC Address

A MAC address defines the location of a network device. It consists of 48 bits and is
displayed as a 12-digit hexadecimal number. Bits 0 to 23 are assigned by an institution such
as the IETF to identify vendors, and bits 24 to 47 are the unique ID assigned by vendors to
identify their network adapters.
MAC addresses fall into the following types:
l Physical MAC address: uniquely identifies a terminal on an Ethernet network and is the
globally unique hardware address.
l Broadcast MAC address: used to broadcast a message to all terminals on a LAN. The
broadcast address is all 1s (FF-FF-FF-FF-FF-FF).
l Multicast MAC address: used to broadcast a message to group of terminals on a LAN.
All MAC addresses besides the broadcast MAC address with a 1 as the eighth bit are
multicast MAC addresses; for example, 01-00-00-00-00-00. Multicast MAC addresses
starting from 01-80-c2 are BPDU MAC address and are often used as the destination
MAC address of protocol packets.
2.2 Principles
2.2.1 Definition and Classification of MAC Address Entries
Definition of a MAC Address Table
A MAC address table records MAC addresses that have been learned by the switch, interfaces
on which MAC addresses are learned, and VLANs that the interfaces belong to. Before
forwarding a packet, the switch looks up the destination MAC address of the packet in the
MAC address table. If a MAC address entry matches the destination MAC address, the switch
forwards the packet from the outbound interface recorded in the MAC address entry. If no
matching MAC address entry exists, the switch broadcasts the packet to all interfaces in the
corresponding VLAN, except the interface that received the packet.
Classification of MAC Address Entries

MAC address entries are classified as dynamic, static, and blackhole entries. In addition, there
are MAC address entries that are related to service types, for example, secure MAC, MUX
MAC, authen MAC, and guest MAC. They are maintained by services and are converted from
dynamic MAC address entries.

Table 2-1 Characteristics and functions of different MAC address entries

MAC Address Entry Characteristics Function
Type
Dynamic MAC address l Dynamic MAC address l You can check whether
entry entries are obtained by data is forwarded
learning the source MAC between two connected
addresses of packets devices by checking the
received by an interface, dynamic MAC address
and can be aged. entries.
l Dynamic MAC address l You can obtain the
entries are lost after a number of users
system restart, LPU hot communicating on an
swap, or LPU reset. interface by checking
the number of specified
dynamic MAC address
entries.
Static MAC address entry l Static MAC address When static MAC address
entries are manually entries are configured,
configured and delivered authorized users can use
to each LPU. Static MAC network resources and
address entries never age. other users are prevented
l The static MAC address from using the bound MAC
entries saved in the addresses to initiate attacks.
system are not lost after a
system restart, LPU hot
swap, or LPU reset.
l After an interface is
statically bound to a
MAC address, other
interfaces discard packets
from that source MAC
address.
l Each static MAC address
entry can have only one
outbound interface.
l Statically binding an
interface to a MAC
address does not affect the
learning of dynamic MAC
address entries on the
interface.

MAC Address Entry Characteristics Function

Type
Blackhole MAC address l Blackhole MAC address Blackhole MAC address

entry entries are manually entries can filter out
configured and delivered unauthorized users.
to each LPU. Blackhole
MAC address entries
never age.
l The blackhole MAC
address entries saved in
the system are not lost
after a system restart,
LPU hot swap, or LPU
reset.
l After blackhole MAC
address entries are
configured, the switch
discards packets from or
destined for the blackhole
MAC addresses.
2.2.2 Elements and Functions of a MAC Address Table

Elements
Each entry in a MAC address table is identified by a MAC address and a VLAN ID or virtual
switch interface (VSI). The destination host's MAC address can be bound to multiple VLAN
IDs or VSIs in the MAC address table if it joins multiple VLANs or VSIs. Table 2-2 lists four
example MAC address entries with their associated VLAN ID/VSI names and outbound
interfaces. For example, the first MAC address entry is used to forward the packets destined
for 0011-0022-0034 and VLAN 10 through outbound interface GE3/0/1.
Table 2-2 MAC address entries

MAC Address VLAN ID/VSI Name Outbound Interface
0011-0022-0034 10 GE3/0/1
0011-0022-0034 20 GE2/0/4
0011-0022-0035 30 Eth-Trunk 20
0011-0022-0035 huawei GE2/0/5
Functions
The MAC address table is used for unicast forwarding of packets. In Figure 2-1, when
packets sent from PC1 to PC3 reach the switch, the switch searches its MAC address table for

an entry matching the destination MAC address and VLAN ID of the packet. In this example,
it finds that MAC3 and VLAN 10 correspond to the outbound interface Port3. The switch
then forwards packets to PC3 through Port3.
Figure 2-1 Forwarding based on the MAC address table
MAC Address VLANID Port

MAC1 10 Port1
MAC2 10 Port2 PC2
MAC3 10 Port3
PC1 Swtich
Port2
Port1
PC3
Port3
MAC3 MAC1 VLAN10 Type Data MAC
3 MAC
1 VLAN
10 T
y pe
Data
2.2.3 MAC Address Entry Learning and Aging
MAC Address Entry Learning

MAC address entries are usually learned from the source MAC addresses of received data
frames.
Figure 2-2 MAC address entry learning
PortA
Data frame
HostA SwitchA
In Figure 2-2, HostA sends a data frame to SwitchA. When receiving the data frame,
SwitchA obtains the MAC address of HostA and the VLAN ID from the frame.
l If the MAC address entry does not exist in the MAC address table, SwitchA adds an
entry with the MAC address, PortA, and VLAN ID to the MAC address table.
l If the MAC address entry exists in the MAC address table, SwitchA resets the aging
timer of the MAC address entry.
NOTE
l If PortA is a member interface of Eth-TrunkA, the outbound interface in the MAC address entry is
Eth-TrunkA.
l If the default VLAN is not changed, the VLAN ID of all MAC address entries will be VLAN 1.
l The switch will not learn the BPDU MAC addresses (addresses in the 0180-c200-xxxx format).
The switch will only learn and update MAC address entries when receiving data frames.
When the switch is equipped with multiple LPUs, MAC address entries learned by each LPU

are synchronized to other LPUs to prevent unnecessary broadcast packets and improve the
packet forwarding efficiency.
MAC Address Entry Aging

A switch needs to update its MAC address table continuously to adapt to changing network
topologies. Dynamic MAC address entries are not always valid. Each entry has a life cycle
(aging time) and will be deleted when the aging time expires. If an entry is updated within the
aging time, the aging timer of the entry is reset.
Figure 2-3 MAC address entry aging
t1: The entry with MAC

t2-t3: No packet matching
address 00e0-fc00-0001
this MAC address is
and VLAN ID 1 is learned,
received, so hit flag is 0.
and the hit flag is set to 1.
1 2 3 4
0 T T T T
t1 t2 t3 Time
t2: The hit flag of the entry t3: The entry with MAC
with MAC address 00e0-fc00- address 00e0-fc00-0001
0001 and VLAN ID 1 is set to and VLAN ID 1 is deleted
0, but the entry is not deleted. because its hit flag is 0.
In Figure 2-3, the aging time of MAC address entries is set to T. At t1, packets with source
MAC address 00e0-fc00-0001 and VLAN ID 1 arrive at an interface, which has joined VLAN
1. If no entry with MAC address 0e0-fc00-0001 and VLAN 1 exists in the MAC address
table, an entry is created with the hit flag of 1.
At each T, the switch checks all of its dynamic MAC address entries.
1. At t2, the switch finds that the hit flag of the MAC address entry is 1 and sets it to 0. The
MAC address entry is not deleted at this time.
2. If no packet with source MAC address 00e0-fc00-0001 and VLAN 1 enters the device
between t2 and t3, the hit flag of the matching MAC address entry remains 0.
3. At t3, the switch finds that the hit flag of the matching MAC address entry is 0. The
switch then deletes the MAC address entry because the aging time of the MAC address
entry has expired.
A dynamic MAC address entry can be stored on the switch for a period of T to 2T.
You can set the aging (T) time of MAC address entries to control the life cycle of dynamic
MAC address entries in a MAC address table.

NOTE
l By default, the switch does not age the MAC address entries that match the destination MAC
addresses of packets. Use the mac-address destination hit aging enable command to configure the
switch to age MAC address entries regardless of whether any packets destined for that MAC address
are received.
l When the interface frequently alternates between Up and Down, MAC address entries may be not
aged within two aging periods. If this occurs, you are advised to check the link quality or run the
port link-flap protection enable command to configure link flapping protection.
2.2.4 MAC Address Learning Control

Hackers can send a large number of packets with different source MAC addresses to a switch,
causing useless MAC addresses to fill up the MAC address table. As a result, the switch
cannot learn source MAC addresses of valid packets and the switch wastes bandwidth
broadcasting these invalid packets.
The switch has the following MAC address learning control methods to protect against this
issue:
l Disabling MAC address learning on a VLAN or an interface
l Limiting the number of MAC address entries that can be learned from a VLAN or an
interface
Table 2-3 MAC address learning control

MAC Address Principle Application Scenario
Learning
Control Method
Disabling MAC After MAC address learning is l In most cases, attack packets
address learning disabled on a VLAN or an enter the switch through the
on a VLAN or an interface, the switch does not same interface. Therefore,
interface learn new dynamic MAC address both methods are effective in
entries on that VLAN or preventing these attack
interface. The learned dynamic packets from using up MAC
MAC address entries will age out address entry resources on the
when the aging time expires. switch.
They can also be manually l Limiting the number of MAC
deleted using commands. address entries that can be
learned from a VLAN or an
interface can also be used to
limit the number of access
users.

MAC Address Principle Application Scenario

Learning
Control Method
Limiting the The switch can only learn a

number of MAC specified number of MAC
address entries that address entries from a VLAN or
can be learned an interface.
from a VLAN or When the number of learned
an interface MAC address entries reaches the
limit, the switch generates an
alarm to notify the network
administrator.
After that, the switch cannot
learn new MAC address entries
from the VLAN or interface and
discards any packets with source
MAC addresses not in the MAC
address table.
2.2.5 MAC Address Flapping
What Is MAC Address Flapping

MAC address flapping occurs when a MAC address is learned by two interfaces in the same
VLAN and the MAC address entry learned later overrides the earlier one. Figure 2-4 shows
an example of MAC address flapping. The outbound interface for the MAC address entry
with MAC address 0011-0022-0034 and VLAN 2 changes from GE1/0/1 to GE1/0/2. MAC
address flapping can cause an increase in the CPU usage on the switch.
MAC address flapping does not occur frequently on a network unless a network loop exists. If
MAC address flapping frequently occurs on your network, you can quickly locate the fault
and eliminate the loops by checking the alarms and MAC address flapping records.

Figure 2-4 MAC address flapping
How to Detect MAC Address Flapping

MAC address flapping detection determines whether MAC address flapping occurs by
checking whether outbound interfaces in MAC address entries change frequently.
With MAC address flapping detection, the switch can generate an alarm when MAC address
flapping occurs. The alarm contains the flapping MAC address, VLAN ID, and outbound
interfaces between which the MAC address flaps. You can locate the cause of the loop using
the alarm. Alternatively, the switch can be configured to automatically remove the interface
from the VLAN (using the quit-vlan action) or shut down the interface (using the error-
down action).
Figure 2-5 MAC address flapping detection
Network
Port1
MAC:11-22-33 SwitchA
Port2 Access interface

MAC:11-22-33
User
SwitchB
SwitchC Broadcast SwitchD

storm
Incorrect connection Data flow

In Figure 2-5, a network cable is incorrectly connected between SwitchC to SwitchD,

creating a loop between SwitchB, SwitchC, and SwitchD. When Port1 of SwitchA receives a
broadcast packet, SwitchA forwards the packet to SwitchB. The packet then goes through the
loop and is sent back to Port2 of SwitchA. After MAC address flapping detection is
configured on SwitchA, SwitchA can detect that the source MAC address of the packet flaps
from Port1 to Port2. If the MAC address flaps between Port1 and Port2 frequently, SwitchA
reports a MAC address flapping alarm to alert the network administrator.
NOTE
MAC address flapping detection allows a switch to detect changes in traffic transmission paths based on
learned MAC addresses, but the switch does not know the entire network topology. It is recommended
that this function be used on the interface connected to a user network where loops may occur.
How to Prevent MAC Address Flapping

During network planning, you can use the following methods to prevent MAC address
flapping:
l Increase the MAC address learning priority of an interface: When the same MAC
address is learned on interfaces with different priorities, the MAC address entry on the
interface with the highest priority takes precedence.
l Prevent MAC address entries from being overridden on interfaces with the same priority:
When the same MAC address is learned on interfaces with the same priority, the MAC
address learned later will not override the original entry. Therefore, a false entry cannot
override an existing correct entry.
NOTE
If an authorized device associated with the correct entry is powered off, the MAC address entry of
another device can be learned. This will prevent the original entry to being learned when it is powered
back on.
In Figure 2-6, Port1 of the switch is connected to a server. To prevent unauthorized users
from connecting to the switch using the server's MAC address, you can set a high MAC
address learning priority for Port1.
Figure 2-6 MAC address flapping prevention

MAC:11-22-33
MAC:11-22-33
Server
Unauthorized
user
Port1
Switch
Authorized Authorized Authorized

user 1 user 2 user 3

2.2.6 MAC Address-Triggered ARP Entry Update

On an Ethernet network, a host sends and receives Ethernet data frames using MAC
addresses. The Address Resolution Protocol (ARP) maps IP addresses to MAC addresses.
When two devices on different network segments communicate with each other, they need to
map IP addresses to MAC addresses and outbound interfaces according to ARP entries.
The outbound interfaces in matching MAC address and ARP entries are usually consistent. In
Figure 2-7, the outbound interface in both the MAC address entry and ARP entry is GE1/0/1.
l Between T1 and T2, the interface for the entry changes.
l At T2, after a packet is received from a peer device, the outbound interface in the MAC
address entry is changed to GE1/0/2. However, the outbound interface in the ARP entry
remains GE1/0/1.
l At T3, the ARP entry expires, and the outbound interface in the ARP entry is changed to
GE1/0/2 through an ARP aging probe. Between T2 and T3, GE1/0/1 is unavailable,
meaning communication between devices on different network segments is interrupted.
Figure 2-7 Without MAC address-triggered ARP entry update

MAC address entry ARP entry
T1 MAC Address VLAN ID Port IP Address MAC Address VLAN ID Port

11-22-34 2 GE1/0/1 10.2.2.2 11-22-34 2 GE1/0/1
Before port switching
Port switching
& ARP aging probe
MAC Address VLAN ID Port IP Address MAC Address VLAN ID Port
T2 11-22-34 2 GE1/0/2 10.2.2.2 11-22-34 2 GE1/0/1
After port switching &
ARP aging probe
T3 11-22-34 2 GE1/0/2 10.2.2.2 11-22-34 2 GE1/0/2
MAC address-triggered ARP entry update enables a device to update the outbound interface
in an ARP entry immediately after the outbound interface in the corresponding MAC address
entry changes. In Figure 2-8, MAC address-triggered ARP entry update is enabled. At T2,
after the outbound interface in the MAC address entry is changed to GE1/0/2, the outbound
interface in the ARP entry is immediately changed to GE1/0/2. This prevents communication
interruptions encountered in the previous example.
Figure 2-8 With MAC address-triggered ARP entry update

MAC address entry ARP entry
T1 MAC Address VLAN ID Port IP Address MAC Address VLAN ID Port

11-22-34 2 GE1/0/1 10.2.2.2 11-22-34 2 GE1/0/1
Before port switching
Port switching
& ARP aging probe
T2 11-22-34 2 GE1/0/2 10.2.2.2 11-22-34 2 GE1/0/2
After port switching &
ARP aging probe
T3 11-22-34 2 GE1/0/2 10.2.2.2 11-22-34 2 GE1/0/2

NOTE
The MAC address-triggered ARP entry update function is often used on networks where devices in a
Virtual Router Redundancy Protocol (VRRP) group connect to servers (for more information, see 2.3.3
Configuring MAC Address-Triggered ARP Entry Update to Improve VRRP Switchover
Performance), or Layer 3 traffic switching scenarios where STP and Smart Link are used.
2.3 Application
2.3.1 Configuring MAC Address Flapping Prevention to Block

User Attacks
In Figure 2-9, users need to access the server connected to Port1 of the switch. If an
unauthorized user sends packets using the server's MAC address as the source MAC address,
the server's MAC address is learned on another interface of the switch. Then packets sent to
the server are sent to the unauthorized user. As a result, users cannot access the server, and
important data may be intercepted by the unauthorized user. To prevent this, set a higher
MAC address learning priority for the interface connected to the server than other interfaces.
Figure 2-9 Networking diagram of MAC address flapping prevention

MAC:11-22-33
MAC:11-22-33
Server
Unauthorized
user
Port1
Switch

2.3.2 Configuring MAC Address Flapping Detection to Quickly

Detect Loops
When a loop occurs, MAC address flapping will occur at the failure point. You can use MAC
address flapping detection to locate these loops.
When one of the following situations occurs, enable MAC address flapping detection to check
whether a loop occurs:
l A MAC address entry alternatively appears and disappears.
l Ping operations alternatively succeed and fail.
l A high CPU usage alarm is generated.
Table 2-4 compares loop detection technologies.

Table 2-4 Comparison of loop detection technologies

Feature Advantages Disadvantages
MAC address l Checks all interfaces and The switch can only report alarms
flapping detection VLANs on a switch. after detecting a loop but cannot
l Is easy to configure as it eliminate the loop.
requires only one command.
This function is enabled by
default.
Loop detection l Detects loops based on This function is not enabled by

VLANs. default and needs to be configured
l The switch can eliminate a using multiple commands.
loop after detecting the
loop.
Loopback l Detects loops based on This function is not enabled by

detection interfaces and VLANs. default and needs to be configured
l The switch can eliminate a using multiple commands.
loop after detecting the
loop.
2.3.3 Configuring MAC Address-Triggered ARP Entry Update to

Improve VRRP Switchover Performance
The Virtual Router Redundancy Protocol (VRRP) groups multiple routing devices into a
virtual router. The virtual IP address of the virtual router is used as the default gateway
address for communication with an external network. When a gateway device fails, VRRP
selects another gateway device to transmit service traffic, ensuring reliable communication.
When a VRRP group is connected to servers, you can configure MAC address-triggered ARP
entry update to speed up VRRP active/standby switchovers. This function can reduce the
service interruption time when a link or device fails.
In Figure 2-10, HostA is dual-homed to SwitchA and SwitchB through the switch. A VRRP
group is configured on SwitchA and SwitchB to implement link redundancy. If the link
between SwitchA and the switch fails, MAC address entries and ARP entries on the switch
are updated to ensure that traffic is switched to the link between the switch and SwitchB.

Figure 2-10 VRRP networking
SwitchA SwitchB
(VRRP Master) (VRRP Backup)
Port1 Port1
Port1 Port2
Before After
Switch
switchover switchover
HostA
In Figure 2-11, a server is connected to a VRRP group. Generally, a server selects only one
network interface to send packets, only selecting another if there is a network or traffic
transmission failure.
l SwitchA functions as the master device, and the server uses Port2 to send packets.
SwitchA learns the ARP entry and MAC address entry matching the server on Port2, and
SwitchB learns the server MAC address on Port1.
l When the server detects that Port2 is faulty, the server sends packets through Port1.
SwitchA then learns the server MAC address on Port1. If the server does not send an
ARP Request packet to SwitchA, SwitchA maintains the ARP entry on Port2. In this
case, packets sent from SwitchA to the server are still forwarded through Port2 until the
ARP entry is aged out.
To solve the problem, configure MAC address-triggered ARP entry update on the switches.
This function enables a switch to update the corresponding ARP entry when the outbound
interface in a MAC address entry changes.
Figure 2-11 VRRP group connects to a server
SwitchA(VRRP Master) SwitchB(VRRP Backup)
Port2 Port2
Port1 Port1
Port1 Port2
Server

Table 2-5 Configuration task summary for a MAC address table

Scenario Description Task
Bind static MAC Configure static MAC address entries 2.7.1.1 Configuring a
addresses and to bind MAC addresses and interfaces, Static MAC Address
interfaces improving security of authorized users. Entry
Filter out attack Configure blackhole MAC address 2.7.1.2 Configuring a

packets entries to filter out packets from Blackhole MAC
unauthorized users, thereby protecting Address Entry
the system against attacks.
Flexibly control aging For stable networks, set a long aging 2.7.1.3 Setting the
of dynamic MAC time or set the aging time as 0 to not Aging Time of
address entries age dynamic MAC address entries. For Dynamic MAC
other scenarios, set a short aging time. Address Entries
Control MAC address Certain network attacks aim to exhaust 2.7.1.4 Disabling MAC
learning MAC address entries. To protect Address Learning
against this kind of attack, disable 2.7.1.5 Configuring the
MAC address learning or limit the MAC Address
number of MAC address entries that Limiting Function
can be learned.
Monitor the MAC You can configure various alarm 2.7.1.6 Enabling MAC
address table functions about MAC addresses to Address Alarm
monitor the usage of MAC address Functions
entries.
l Alarm threshold for MAC address
usage: When the MAC address
usage exceeds the upper threshold,
the switch generates an alarm.
When the MAC address usage falls
below the lower threshold, the
switch reports a clear message.
l MAC address learning or aging
alarm: When a MAC address entry
is learned or aged out, the switch
generates an alarm.
l MAC address hash conflict alarm:
If the switch cannot learn MAC
address entries even when its MAC
address table is not full, the switch
generates an alarm.

Quickly update Configure the MAC address-triggered 2.7.6 Enabling MAC

outbound interfaces ARP entry update function. When the Address-Triggered
in ARP entries outbound interface in a MAC address ARP Entry Update
entry changes, the device updates the
outbound interface in the
corresponding ARP entry before ARP
probing. This function shortens service
interruption time.
Prevent MAC address MAC address flapping occurs on a 2.7.2 Configuring

flapping network when the network has a loop MAC Address
or undergoes certain attacks. You can Flapping Prevention
use the following methods to prevent
MAC address flapping:
l Configure the MAC address
learning priorities for interfaces.
When the same MAC address is
learned by interfaces of different
priorities, the MAC address entry
on the interface with the highest
priority overrides the MAC address
entries on other interfaces.
l Prevent MAC address entries from
being overridden on interfaces with
the same priority.
Detect MAC address MAC address flapping occurs when a 2.7.3 Configuring
flapping MAC address is learned by two MAC Address
interfaces in the same VLAN and the Flapping Detection
MAC address entry learned later
overrides the earlier one.
MAC address flapping detection
enables a switch to check whether any
MAC address flaps exist between
interfaces and determine whether a
loop exists. When MAC address
flapping occurs, the switch sends an
alarm to the NMS. The network
maintenance personnel can locate the
loop based on the alarm information
and historical records for MAC address
flapping. This greatly simplifies
network maintenance. If the network
connected to the switch does not
support loop prevention protocols,
configure the switch to shut down the
interfaces where MAC address
flapping occurs to reduce the impact of
MAC address flapping on the network.

Discard packets with A faulty host or device may send 2.7.4 Configuring the
an all-0 source or packets with an all-0 source or Switch to Discard
destination MAC destination MAC address to a switch. Packets with an All-0
address Configure the switch to discard such MAC Address
packets and send an alarm to the NMS
to help the network administrator
locate the faulty host or device.
Discard packets in After a DHCP user goes offline, the 2.7.5 Configuring the
which destination MAC address entry of the user ages Switch to Discard
MAC addresses do out. If there are packets destined for Packets That Do Not
not match the MAC this user, the system cannot find the Match Any MAC
address table MAC address entry. The system then Address Entry
broadcasts the packets to all interfaces
in the VLAN. In this case, all users
receive the packets, which brings
security risks. After the switch is
configured to discard packets that do
not match any MAC address entry, the
switch discards such packets. This
function mitigates the burden on the
switch and enhances security.
Forward packets from By default, an interface discards 2.7.7 Enabling Port

an interface when the packets whose source and destination Bridge
source and MAC addresses are the same. After the
destination MAC port bridge function is enabled on the
addresses are the interface, the interface forwards such
same packets. This function applies to a
switch that connects to devices
incapable of Layer 2 forwarding or
functions as an access device in a data
center.
Involved Network Elements

Other network elements are not required.
License Support
The MAC address table is a basic feature of a switch and is not under license control.

Version Support
Table 2-6 Products and versions supporting MAC
Product Product Software Version

Model
S7700 S7703, V100R003C01, V100R006C00, V200R001(C00&C01),

S7706, V200R002C00, V200R003C00, V200R005C00,
S7712 V200R006C00, V200R007C00, V200R008C00,
V200R009C00, V200R010C00
S9700 S9703, V200R001(C00&C01), V200R002C00, V200R003C00,

S9706, V200R005C00, V200R006C00, V200R007C00,
S9712 V200R008C00, V200R009C00, V200R010C00
NOTE
To know details about software mappings, see Version Mapping Search for Huawei Switches.
Feature Dependencies and Limitations

l Dynamic MAC address entries can be learned on an interface only after the interface is
added to an existing VLAN.
l Among existing MAC address entries, only MAC addresses of the dynamic type can be
overwritten as MAC addresses of other types.
l Each static MAC address entry can have only one outbound interface.
l When the aging time of dynamic MAC address entries is set to 0, dynamic MAC address
entries do not age. To age MAC address entries, delete the aging time configuration.
l When MAC address learning is disabled in a VLAN and an interface in the VLAN
(excluding X series cards) and the discard action is configured for the interface, the
interface does not discard packets from this VLAN. For example, MAC address learning
is disabled in VLAN 2 but enabled in VLAN 3; Port1 in VLAN 2 and VLAN 3 has
MAC address learning disabled and the discard action is defined. In this situation, Port1
discards packets from VLAN 3 but forwards packets from VLAN 2.
l When the interface frequently alternates between Up and Down, MAC address entries
may be not aged within two aging period. At this time, you are advised to check the link
quality or run the port link-flap protection enable command to configure link flapping
protection.
Table 2-7 Default configuration of a MAC address table
Parameter Default Setting
Aging time of dynamic MAC address 300s

entries

MAC address learning Enabled
MAC address learning priority of an 0

interface
Prevent MAC address entries from being Disabled

overridden on interfaces with the same
priority
MAC address flapping detection Enabled
Aging time of flapping MAC address 300s

entries
MAC address-triggered ARP entry update Disabled
Alarm for the MAC address usage Enabled
Alarm for MAC address learning or aging Disabled
Alarm for MAC address hash conflicts Disabled
Discard packets with an all-0 MAC address Disabled
Alarm for packets with an all-0 MAC Disabled

address
Port bridge Disabled
2.7 Configuring a MAC Address Table

A MAC address uniquely identifies a device. A network device maintains a MAC address
table for Layer 2 data forwarding.
2.7.1 Configuring a MAC Address Table

You can configure functions and parameters for a MAC address table to ensure secure
communication between authorized users. The following configurations are optional and can
be performed in any order.
2.7.1.1 Configuring a Static MAC Address Entry

MAC addresses and interfaces are bound statically in static MAC address entries.
Context
A switch cannot distinguish packets from authorized and unauthorized users when it learns
source MAC addresses of packets to maintain the MAC address table. Therefore, if an
unauthorized user uses the MAC address of an attacker as the source MAC address of attack
packets and connects to another interface of the switch, the switch will learn an incorrect
MAC address entry. As a result, packets destined for the authorized user are forwarded to the
unauthorized user. To improve security, you can create static MAC address entries to bind

MAC addresses of authorized users to specified interfaces. This prevents unauthorized users
from intercepting data of authorized users.
Static MAC address entries have the following characteristics:
l A static MAC address entry will not be aged out. After being created, a static MAC
address entry will not be lost after a system restart, and can only be deleted manually.
l The VLAN bound to a static MAC address entry must already exist and be assigned to
the interface bound to the entry.
l The MAC address in a static MAC address entry must be a unicast MAC address, and
cannot be a multicast or broadcast MAC address.
l A static MAC address entry takes precedence over a dynamic MAC address entry. The
system discards packets with flapping static MAC addresses.
Procedure
Step 1 Run:
system-view
The system view is displayed.

Step 2 Run:
mac-address static mac-address interface-type interface-number vlan vlan-id
A static MAC address entry is created.
NOTE
For details on how to configure a static MAC address entry for a VSI, see mac-address static vlanif and
mac-address static vsi.
----End
Checking the Configuration

Run the display mac-address static command to check configured static MAC address
entries.
2.7.1.2 Configuring a Blackhole MAC Address Entry
Context
To protect a device or network against MAC address attacks from hackers, configure MAC
addresses of untrusted users as blackhole MAC addresses. The device then directly discards
received packets where the source or destination MAC addresses match the blackhole MAC
address entries.
Procedure
Step 1 Run:
system-view

Step 2 Run:

mac-address blackhole mac-address [ vlan vlan-id | vsi vsi-name ]
A blackhole MAC address entry is configured.
----End

Run the display mac-address blackhole command to check configured blackhole MAC
address entries.
2.7.1.3 Setting the Aging Time of Dynamic MAC Address Entries
Context
Setting the aging time for dynamic MAC address entries helps control the number of learned
MAC address entries. The aging time needs to be set properly for dynamic MAC address
entries so that the switch can delete unneeded MAC address entries. On network topologies
that change frequently, a shorter aging time makes the switch more sensitive to these network
changes. On more stable network topologies, a longer aging time can be used.
Procedure
Step 1 Run:
system-view

Step 2 Run:
mac-address aging-time aging-time
The aging time is set for dynamic MAC address entries.

The aging time can be 0 or an integer that ranges from 60 to 1000000, measured in seconds.
The default value is 300. The value 0 indicates that dynamic MAC address entries will never
be aged out.
NOTE
When the aging time is 0, MAC address entries are fixed. To clear the fixed MAC address entries, set
the aging time to a non-0 value. The system then automatically deletes the MAC address entries after
twice the aging time.
----End

Run the display mac-address aging-time command to view the aging time of dynamic MAC
address entries.
2.7.1.4 Disabling MAC Address Learning
Background
The MAC address learning function is enabled by default on the switch. When receiving a
data frame, the switch records the source MAC address of the data frame and the interface

that receives the data frame in a MAC address entry. When receiving data frames destined for
this MAC address, the switch forwards the data frames through the outbound interface
according to the MAC address entry. The MAC address learning function reduces broadcast
packets on a network. After MAC address learning is disabled on an interface, the switch does
not learn source MAC addresses of data frames received by the interface. Dynamic MAC
address entries learned on the interface are not immediately deleted, but will be removed after
they are aged out or are manually deleted.
Procedure
l Disable MAC address learning on an interface.
a. Run:
system-view

b. Run:
interface interface-type interface-number
The interface view is displayed.

c. Run:
mac-address learning disable [ action { discard | forward } ]
MAC address learning is disabled on the interface.

By default, MAC address learning is enabled on an interface.
By default, the switch takes the forward action after MAC address learning is
disabled. That is, the switch forwards packets according to the MAC address table.
When the action is set to discard, the switch looks up the source MAC address of
the packet in the MAC address table. If the source MAC address is found in the
MAC address table, the switch forwards the packet according to the matching MAC
address entry. If the source MAC address is not found, the switch discards the
packet.
l Disable MAC address learning in a VLAN.
a. Run:
system-view

b. Run:
vlan vlan-id
The VLAN view is displayed.

c. Run:
mac-address learning disable
MAC address learning is disabled in the VLAN.

By default, MAC address learning is enabled in a VLAN.
NOTE
When MAC address learning is disabled in a VLAN and an interface in the VLAN and the
discard action is configured for the interface, the interface does not discard packets from this
VLAN. For example, MAC address learning is disabled in VLAN 2 but enabled in VLAN 3; Port1
has MAC address learning disabled and performs the discard action; Port1 has been added to
VLAN 2 and VLAN 3. In this scenario, Port1 discards packets from VLAN 3 but forwards packets
from VLAN 2.
l Disable MAC address learning for a specified flow.

a. Configure a traffic classifier.

i. Run:
system-view

ii. Run:
traffic classifier classifier-name [ operator { and | or } ]
[ precedence precedence-value ]
A traffic classifier is created and the traffic classifier view is displayed, or the
existing traffic classifier view is displayed.
and is the logical operator between the rules in the traffic classifier, which
means that:
○ If the traffic classifier contains ACL rules, packets match the traffic
classifier only when they match one ACL rule and all the non-ACL rules.
○ If the traffic classifier does not contain any ACL rules, packets match the
traffic classifier only when they match all the rules in the classifier.
The logical operator or means that packets match the traffic classifier as long
as they match one of rules in the classifier.
By default, the relationship between rules in a traffic classifier is OR.
iii. Configure matching rules according to the following table.
NOTE
The if-match ip-precedence and if-match tcp commands are only valid for IPv4
packets.
The X1E series cards do not support traffic classifiers with advanced ACLs containing
the ttl-expired field or user-defined ACLs.
When a traffic classifier contains if-match ipv6 acl { acl-number | acl-name }, the
X1E card does not support nest top-most vlan-id vlan-id, remark 8021p [ 8021p-
value | inner-8021p ], remark cvlan-id cvlan-id, or remark vlan-id vlan-id.
Matchin Command Remarks

g Rule
Inner and if-match cvlan-id start-vlan-id -

outer [ to end-vlan-id ] [ vlan-id vlan-
VLAN id ]
IDs in
QinQ
packets
802.1p if-match 8021p 8021p-value If you enter multiple 802.1p

priority in &<1-8> priority values in one
VLAN command, a packet
packets matches the traffic
classifier as long as it
matches any one of the
802.1p priorities, regardless
of whether the relationship
between rules in the traffic
classifier is AND or OR.


g Rule
Inner if-match cvlan-8021p 8021p- -

802.1p value &<1-8>
priority in
QinQ
packets
Outer if-match vlan-id start-vlan-id -

VLAN ID [ to end-vlan-id ] [ cvlan-id
or inner cvlan-id ]
and outer
VLAN
IDs of
QinQ
packets
Drop if-match discard A traffic classifier

packet containing this matching
rule can only be bound to
traffic behaviors containing
traffic statistics collection
and flow mirroring actions.
Double if-match double-tag -

tags in
QinQ
packets
EXP if-match mpls-exp exp-value If you enter multiple MPLS

priority in &<1-8> EXP priority values in one
MPLS command, a packet
packets matches the traffic
MPLS EXP priorities,
regardless of whether the
relationship between rules
in the traffic classifier is
AND or OR.
The SA cards of the S
series do not support
matching of EXP priorities
in MPLS packets.
Destinatio if-match destination-mac mac- -

n MAC address [ [ mac-address-mask ]
address mac-address-mask ]
Source if-match source-mac mac- -

MAC address [ [ mac-address-mask ]


g Rule
Protocol if-match l2-protocol { arp | ip | -

type field mpls | rarp | protocol-value }
in the
Ethernet
frame
header
All if-match any -

packets
DSCP if-match [ ipv6 ] dscp dscp- l If you enter multiple

priority in value &<1-8> DSCP values in one
IP packets command, a packet
matches the traffic
DSCP values,
regardless of whether
the relationship between
rules in the traffic
classifier is AND or
OR.
l If the relationship
between rules in a
traffic classifier is AND,
the if-match [ ipv6 ]
dscp and if-match ip-
precedence commands
cannot be used in the
traffic classifier
simultaneously.


g Rule
IP if-match ip-precedence ip- l The if-match [ ipv6 ]

precedenc precedence-value &<1-8> dscp and if-match ip-
e in IP precedence commands
packets cannot be configured in
a traffic classifier in
which the relationship
between rules is AND.
l If you enter multiple IP
precedence values in
one command, a packet
matches the traffic
IP precedence values,
regardless of whether
rules in the traffic
classifier is AND or
OR.
Layer 3 if-match protocol { ip | ipv6 } -

protocol
type
First Next if-match ipv6 next-header The ES0D0G24SA00,

Header header-number first-next- ES0D0X12SA00, and
field in header ES0D0G24CA00 cards of
the IPv6 the S7700, and
packet EH1D2G24SSA0,
header EH1D2S24CSA0 and
EH1D2X12SSA0 cards of
the S9700 do not support
the routes whose prefix
length ranges from 64 to
128.
SYN Flag if-match tcp syn-flag { syn- -

in the flag-value | ack | fin | psh | rst |
TCP syn | urg }
packet
Inbound if-match inbound-interface A traffic policy containing

interface interface-type interface-number this matching rule cannot
be applied to the outbound
direction or in the interface
view.


g Rule
Outbound if-match outbound-interface A traffic policy containing

interface interface-type interface-number this matching rule cannot
be applied to the inbound
direction on the X1E card.
The traffic policy
containing this matching
rule cannot be applied in
the interface view.
ACL rule if-match acl { acl-number | acl- l When an ACL is used to

name } define a traffic
classification rule, it is
recommended that the
ACL be configured first.
l If an ACL in a traffic
classifier defines
multiple rules, a packet
matches the ACL as
long as it matches one
of rules, regardless of
whether the relationship
between rules in the
traffic classifier is AND
or OR.
ACL6 if-match ipv6 acl { acl-number | Before specifying an ACL6

rule acl-name } in a matching rule,
configure the ACL6.
Flow ID if-match flow-id flow-id The traffic classifier

containing if-match flow-
id and the traffic behavior
containing remark flow-id
must be bound to different
traffic policies.
The traffic policy
containing if-match flow-
id can be only applied to an
interface, a VLAN, a card,
or the system in the
inbound direction.
X1E cards and SA cards of
S series cards do not
support matching of flow
IDs.
iv. Run:
quit
Exit from the traffic classifier view.

b. Configure a traffic behavior.

i. Run:
traffic behavior behavior-name
A traffic behavior is created and the traffic behavior view is displayed.

ii. Run:
mac-address learning disable
MAC address learning is disabled in the traffic behavior view.

iii. Run:
quit
Exit from the traffic behavior view.

iv. Run:
quit
Exit from the system view.

c. Configure a traffic policy.
i. Run:
system-view

ii. Run:
traffic policy policy-name [ match-order { auto | config } ]
A traffic policy is created and the traffic policy view is displayed, or the view
of an existing traffic policy is displayed.
If no matching order is specified when you create a traffic policy, the default
matching order is config.
After a traffic policy is applied, you cannot use the traffic policy command to
modify the matching order of traffic classifiers in the traffic policy. To modify
the matching order, delete the traffic policy, create a traffic policy, and specify
the matching order.
When creating a traffic policy, you can specify the matching order of matching
rules in the traffic policy. The matching order can be either automatic order or
configuration order:
○ If automatic order is used, traffic classifiers are matched based on the
priorities of their types. Traffic classifiers based on Layer 2 and Layer 3
information, Layer 2 information, and Layer 3 information are matched in
descending order of priority. The traffic classifier with the highest priority
is matched first. If data traffic matches multiple traffic classifiers, and the
traffic behaviors conflict with each other, the traffic behavior
corresponding to the highest priority rule takes effect.
○ If configuration order is used, traffic classifiers are matched based on
their priorities. The traffic classifier with the highest priority is matched
first. A smaller priority value indicates a higher priority of a traffic
classifier. If precedence-value is not specified, the system allocates a
priority to the traffic classifier. The allocated priority value is [(max-
precedence + 5) / 5] x 5, where max-precedence specifies the maximum
priority of a traffic classifier. For details about the priority of a traffic
classifier, refer to the traffic classifier command.
iii. Run:

classifier classifier-name behavior behavior-name
A traffic behavior is bound to a traffic classifier in a traffic policy.

iv. Run:
quit
Exit from the traffic policy view.

v. Run:
quit

d. Apply the traffic policy.
n Applying a traffic policy to an interface
1) Run:
system-view

2) Run:

3) Run:
traffic-policy policy-name { inbound | outbound }
A traffic policy is applied to the interface.

A traffic policy can be applied to only one direction on an interface, but a
traffic policy can be applied to different directions on different interfaces.
After a traffic policy is applied to an interface, the system performs traffic
policing for all relevant packets that match traffic classification rules on
the interface.
n Applying a traffic policy to a VLAN
1) Run:
system-view

2) Run:
vlan vlan-id

3) Run:
A traffic policy is applied to the VLAN.

Only one traffic policy can be applied to a VLAN in the inbound or
outbound direction.
After a traffic policy is applied, the system performs traffic policing for
the packets that belong to that VLAN and match the relevant traffic
classification rules. However, the traffic policy does not take effect for
packets in VLAN 0.
n Applying a traffic policy to the system or an LPU
1) Run:
system-view

2) Run:
traffic-policy policy-name global { inbound | outbound } [ slot
slot-id ]
A traffic policy is applied to the system or an LPU.

Only one traffic policy can be applied to the system or LPU for one
direction. A traffic policy cannot be applied to the same direction in the
system and on the LPU simultaneously.

l Run the display traffic classifier user-defined [ classifier-name ] command to check the
traffic classifier configuration on the device.
l Run the display traffic behavior user-defined [ behavior-name ] command to check the
traffic behavior configuration on the device.
l Run the display traffic policy user-defined [ policy-name [ classifier classifier-name ] ]
command to check the user-defined traffic policy configuration.
l Run the display traffic-applied [ interface [ interface-type interface-number ] | vlan
[ vlan-id ] ] { inbound | outbound } [ verbose ] command to check traffic actions and
ACL rules associated with the system, a VLAN, or an interface.
l Run the display traffic policy { interface [ interface-type interface-number ] | vlan
[ vlan-id ] | global } [ inbound | outbound ] command to check the traffic policy
configuration on the device.
l Run the display traffic-policy applied-record [ policy-name ] command to check the
record of the specified traffic policy.
2.7.1.5 Configuring the MAC Address Limiting Function
Context
The MAC address limiting function controls the number of access users to protect MAC
addresses from hackers. When hackers send a large number of forged packets with different
source MAC addresses to the switch, the MAC address table of the switch will be filled with
useless MAC address entries. As a result, the switch cannot learn source MAC addresses of
valid packets.
You can limit the number of MAC address entries learned on the switch. When the number of
learned MAC address entries reaches the limit, the switch does not learn new MAC address
entries. You can also configure an action to take when the number of MAC address entries
reaches the limit. This prevents exhaustion of MAC address entries and improves network
security.
Procedure
l Limit the number of MAC address entries learned on an interface.
a. Run:
system-view

b. Run:

c. Run:
mac-limit maximum max-num
The maximum number of MAC address entries that can be learned on the interface
is set.
By default, the number of MAC address entries learned on an interface is not
limited.
d. Run:
mac-limit action { discard | forward }
The action to take when the number of learned MAC address entries reaches the
limit is configured.
By default, the switch discards packets with new MAC addresses when the number
of learned MAC address entries reaches the limit.
e. Run:
mac-limit alarm { disable | enable }
The switch is configured to or not to generate an alarm when the number of learned
MAC address entries reaches the limit.
By default, the switch generates an alarm when the number of learned MAC
address entries reaches the limit.
l Limit the number of MAC address entries learned in a VLAN.
a. Run:
system-view

b. Run:
vlan vlan-id

c. Run:
The maximum number of MAC address entries learned in the VLAN is set.
By default, the number of MAC address entries learned in a VLAN is not limited.
d. Run:
SA boards of S series and F series cards do not support the discard action.
e. Run:
By default, the switch generates an alarm when the number of learned MAC
address entries reaches the limit.

l Limit the number of MAC address entries learned in a VSI.

a. Run:
system-view

b. Run:
vsi vsi-name
The VSI view is displayed.

c. Run:
The maximum number of MAC address entries learned in the VSI is set.
By default, the number of MAC address entries learned in a VSI is not limited.
d. Run:
Only E (excluding X48SEC) and FA series cards support this configuration.

e. Run:
By default, the switch sends an alarm when the number of learned MAC address
entries reaches the limit.
l Limit the number of MAC address entries learned in a slot.
a. Run:
system-view

b. Run:
mac-limit slot slot-id maximum max-num
The maximum number of MAC address entries learned in a slot is set.
By default, the number of MAC address entries learned in a slot is not limited.
c. Run:
mac-limit slot slot-id action { discard | forward }
d. Run:
mac-limit slot slot-id alarm { disable | enable }

By default, the switch sends an alarm when the number of learned MAC address
entries reaches the limit.
----End

Run the display mac-limit command to check limiting on MAC address learning.
2.7.1.6 Enabling MAC Address Alarm Functions
Context
When alarm functions are enabled, the switch sends an alarm when the MAC address usage
exceeds the threshold, a MAC address changes, or a MAC address hash conflict occurs. The
alarms enable you to know the running status of the MAC address table in real time.
MAC address entry resources are key resources for the switch. Monitoring the use of the
MAC address table is important for ensuring normal system operations. The switch provides
three alarm functions for MAC address entries.
Table 2-8 Three alarm functions for MAC address entries

Alarm Function Description
MAC address An alarm is generated when the MAC address usage is higher than
usage out of the 80%, and a clear alarm is generated when the MAC address usage is
specified range lower than 70%.
A threshold-exceeding alarm indicates that the MAC address usage
is too high. You are advised to redistribute traffic or expand your
network.
The clear alarm will only be generated if a threshold-exceeding
alarm has already been generated.
MAC address An alarm is generated when a MAC address entry is learned or aged.
learning or aging The switch does not send an alarm when a MAC address entry is
learned or aged in a VSI.

Alarm Function Description
MAC address hash To improve the MAC address forwarding performance, the MAC
conflict address table of the switch is saved using a hash chain. When
multiple MAC addresses map the same key value in accordance with
the hash algorithm, some MAC addresses may not be learned. This
is called a MAC address hash conflict.
When this occurs, MAC address entries cannot be learned even
though the MAC address table is not full.
A MAC address hash conflict does not affect traffic forwarding. The
switch broadcasts traffic destined for the conflicting MAC addresses,
occupying bandwidth and system resources. You can replace the
device or network adapter of a terminal to prevent MAC address
hash conflicts.
NOTE
The SA boards of S series do not support the alarm function.
Procedure
l Enable the alarm function for MAC address usage out of the specified range.
a. Run:
system-view

b. Run:
mac-address threshold-alarm upper-limit upper-limit-value lower-limit
lower-limit-value
The upper and lower alarm thresholds for the MAC address usage are set.
By default, the upper and lower alarm thresholds for the MAC address usage are 80%
and 70% respectively. An alarm is generated when the MAC address usage is higher than
80%, and a clear alarm is generated when the MAC address usage is lower than 70%.
l Enable the alarm function for MAC address learning or aging.
a. Run:
system-view

b. (Optional) Run:
mac-address trap notification interval interval-time
The interval at which the switch checks MAC address learning or aging is set.
By default, the switch checks MAC address learning or aging at intervals of 10s.
c. Run:

d. Run:
mac-address trap notification { aging | learn | all }
The alarm function for MAC address learning and aging is enabled on the interface.
By default, the alarm function for MAC address learning or aging is disabled.

l Enable the alarm function for MAC address hash conflicts.

a. Run:
system-view

b. Run:
mac-address trap hash-conflict enable
The alarm function for MAC address hash conflicts is enabled.

By default, the alarm function for MAC address hash conflicts is disabled.
c. (Optional) Run:
mac-address trap hash-conflict history history-number
The number of MAC address hash conflict alarms reported per interval is set.
By default, 10 MAC address hash conflict alarms are reported per interval.
d. (Optional) Run:
mac-address trap hash-conflict interval interval-time
The interval at which MAC address hash conflict alarms are reported is set.
By default, MAC address hash conflict alarms are reported at intervals of 60s.

Run the display current-configuration command to check MAC address alarm functions on
the switch.
2.7.1.7 Configuring a MAC Hash Algorithm

A proper MAC hash algorithm can reduce MAC address hash conflicts. Generally, the default
hash algorithm is the best one, so do not change the hash algorithm unless you have special
requirements.
Context
A device usually uses a hash algorithm to learn MAC address entries to improve MAC
address forwarding performance. When multiple MAC addresses map the same key value, a
MAC address hash conflict may occur. This means that the device may fail to learn many
MAC addresses and can only broadcast packets destined for these MAC addresses, leading to
heavy increase in broadcast traffic. In this case, use an appropriate hash algorithm to mitigate
the hash conflict.
A proper MAC hash algorithm can reduce MAC address hash conflicts. You are not advised
to change the default hash algorithm unless you have special requirements.

NOTE
l MAC addresses on an interface card are stored using the following modes:
l Hash bucket
The interface card that uses the hash bucket performs hash calculation for VLAN IDs and
MAC addresses in MAC address entries to be stored and obtains hash bucket indexes. The
MAC addresses with the same hash bucket index are stored in the same hash bucket. If a hash
bucket with the maximum storage space cannot accommodate learned MAC addresses of the
hash bucket, a hash conflict occurs and MAC addresses cannot be stored. The maximum
number of MAC addresses learned by the interface card through the hash bucket may be not
reached.
l TCAM chip
The interface card that uses the TCAM mode stores all learned MAC addresses in the TCAM
chip in sequence. As long as the number of learned MAC addresses does not reach the
maximum value, MAC addresses can be learned. In TCAM mode, the device must be
equipped with the enhanced interface card that uses the TCAM chip.
SA, EA, and FA cards use the hash bucket and do not provide the TCAM chip, so the maximum
number of MAC addresses learned by the SA, EA, or FA card may be not reached. Other interface
cards excluding SA, EA, and FA cards use the TCAM mode by default.
l X1E series cards do not support this configuration.
l You are not advised to change the default hash algorithm unless you have special requirements.
l An appropriate hash algorithm can reduce hash conflicts, but cannot completely prevent them.
l After the hash algorithm is changed, restart the card to make the configuration take effect.
Procedure
Step 1 Run:
system-view

Step 2 Run:
mac-address hash-mode { crc16-lower | crc16-upper | crc32-lower | crc32-upper
| lsb } slot slot-id
The MAC hash algorithm is configured on the specified LPU.

The default hash algorithm is crc32-lower.
----End

Run the display mac-address hash-mode command to check the running and configured
hash algorithms.
2.7.1.8 Configuring the Extended MAC Entry Resource Mode
Context
When the switch transmits heavy traffic, MAC address entries increase accordingly. However,
the switch has a limited space for MAC address entries. If the MAC address table size cannot
meet service requirements, service running efficiency is reduced. LPUs of the switch provide
the extended entry space register. You can configure an extended MAC entry resource mode
to increase the MAC address table size.

Procedure
Step 1 (Optional) Run:
display resource-assign configuration
The extended entry resource mode is displayed.
Step 2 Run:
system-view
Step 3 Run:
assign resource-mode slot slot-id mode enhanced-mac
The extended MAC entry resource mode is configured.
NOTE
After the extended MAC entry resource mode is configured, you must restart the LPU of the switch to make
the configuration take effect.
----End
Run the display resource-assign configuration command to check the configured and
current extended entry resource modes.
2.7.2 Configuring MAC Address Flapping Prevention

MAC address flapping prevention mechanisms ensure that MAC addresses are learned on
correct interfaces to prevent attacks from unauthorized users.
NOTE
SA cards of S series do not support this configuration.
2.7.2.1 Configuring a MAC Address Learning Priority for an Interface
Context
MAC address flapping occurs when a MAC address is learned by two interfaces in the same
VLAN and the MAC address entry learned later overrides the earlier one. To prevent MAC
address flapping, set different MAC address learning priorities for interfaces. When interfaces
learn the same MAC address, the MAC address entry learned by the interface with the highest
priority overrides the MAC address entries learned by the other interfaces.
NOTE
This configuration is not supported on the SA boards of S series.
Procedure
1. Run:
system-view

2. Run:

3. Run:
mac-learning priority priority-id
The MAC address learning priority of the interface is set.

By default, the MAC address learning priority of an interface is 0. A larger priority value
indicates a higher MAC address learning priority.

Run the display current-configuration command to check the MAC address learning
priorities of interfaces.
2.7.2.2 Preventing MAC Address Flapping Between Interfaces with the Same
Priority
Context
Preventing MAC address flapping between interfaces with the same priority can improve
network security.
If the switch is configured to prevent MAC address flapping between interfaces with the same
priority, the following problem may occur: If the network device (such as a server) connected
to an interface of switch is powered off and the same MAC address is learned on another
interface, the switch cannot learn the correct MAC address on the original interface after the
network device is powered on.
NOTE
This configuration does not take effect on the SA boards of S series.
Procedure
Step 1 Run:
system-view

Step 2 Run:
undo mac-learning priority priority-id allow-flapping
The device is configured to prevent MAC address flapping between interfaces with the same
priority.
By default, the device allows MAC address flapping between interfaces with the same
priority.
----End

Run the display current-configuration command to check whether MAC address flapping is
allowed between interfaces with the same priority.

2.7.3 Configuring MAC Address Flapping Detection

MAC address flapping detection enables a device to detect any MAC address that flaps
between interfaces. When MAC address flapping occurs, the device sends an alarm to the
NMS. You can configure MAC address flapping detection in a VLAN or the system. Global
MAC address flapping detection is recommended.
Global MAC address flapping detection configured by the mac-address flapping detection is
similar to VLAN-based MAC address flapping detection configured by the loop-detect eth-
loop command. If your device supports both functions, disable one function to improve
system usage. Global MAC address flapping detection is recommended. VLAN-based MAC
address flapping detection allows the device to detect MAC address flapping in up to 32
VLANs.
2.7.3.1 Configuring Global MAC Address Flapping Detection
Context
Global MAC address flapping detection enables the switch to check all MAC addresses to
detect MAC address flapping.
NOTE
l Configuring an action to take for MAC address flapping on an uplink interface may cause
interruptions for important uplink traffic. Therefore, configuring an action is not recommended.
l The switch enabled with MAC address flapping detection can detect loops on a single point, but
cannot obtain the entire network topology. If the network connected to the switch supports loop
prevention protocols, use the loop prevention protocols instead of MAC address flapping detection
to eliminate loops.
l If only a few VLANs on the user network encounter loops, it is recommended that you set the loop
prevention action to quit-vlan.
l If a large number of VLANs on the user network encounter loops, it is recommended that you set the
loop prevention action to error-down to improve system performance. Additionally, the remote
switch can detect the error-down event so that it can quickly switch any traffic to a backup link.
Procedure
Step 1 Run:
system-view

Step 2 Run:
mac-address flapping detection
Global MAC address flapping detection is enabled.

By default, global MAC address flapping detection is enabled. The switch detects MAC
address flapping in all VLANs.
mac-address flapping detection exclude vlan { vlan-id1 [ to vlan-id2 ] } &<1-10>
One or more VLANs are excluded from MAC address flapping detection.
By default, the system performs MAC address flapping detection in all VLANs. In special
scenarios, a MAC address flapping event does not need to be handled and you can exclude a

VLAN from MAC address flapping detection. For example, when a switch is connected to a
server with two network adapters in active-active mode, the server's MAC address may be
learned on two interfaces of the switch.
mac-address flapping detection vlan { { vlan-id1 [ to vlan-id2 ] } &<1-10> |
all } security-level { high | middle | low }
The security level of MAC address flapping detection is configured in one or more specified
VLANs.
By default, the security level of MAC address flapping detection is middle. That is, the
system considers that MAC address flapping occurs when a MAC address flaps 10 times.
mac-address flapping aging-time aging-time
The aging time of flapping MAC addresses is set.

By default, the aging time of flapping MAC addresses is 300 seconds. If the aging time of
dynamic MAC addresses is long, a MAC address flapping event may be detected after a long
time. To ensure that the system detects MAC address flapping quickly, shorten the aging time
of flapping MAC addresses.
Step 6 (Optional) Configure an action to take after MAC address flapping is detected on an interface
and the priority of the action.
1. Run:

2. Run:
mac-address flapping action { quit-vlan | error-down }
An action is specified for on the interface if MAC address flapping occurs on the
interface.
By default, no action is configured. If an interface is connected to a user network that
does not support loop prevention protocols, MAC address flapping may occur when
there is a loop on the user network. Use this command to configure an action to take
when MAC address flapping is detected on the interface. If the action is set to error-
down, the switch shuts down the interface. If the action is set to quit-vlan, the switch
removes the interface from the VLAN where the MAC address flapping occurs. This
action can only shut down one interface per aging interval.
NOTE
– Do not use the quit-vlan action together with dynamic VLAN functions such as GVRP,
HVRP.
– When a MAC address flaps between an interface configured with the error-down action and
an interface configured with the quit-vlan action, the former interface is shut down and the
latter interface is removed from the VLAN. If a loop could be generated between interfaces,
configure the same action for all the interfaces.
3. Run:
mac-address flapping action priority priority
The priority of the action against MAC address flapping is set.
----End


Run the display mac-address flapping command to check information about MAC address
flapping detection in a VLAN.
Action to Take After MAC Address Flapping Occurs

After MAC address flapping detection is configured, the switch reports alarms when it detects
MAC address flapping. If the same alarm is reported multiple times, a loop may exist on the
network. To remove the loop, run the shutdown command to shut down the interface
specified in the MAC address flapping alarm. Alternatively, configure an action against MAC
address flapping on the interface to remove the loop.
When configuring an action against MAC address flapping on an interface to remove a loop,
pay attention to the following points:
l When the action is set to error-down, the interface cannot be automatically restored
after it is shut down. You can only restore the interface by running the shutdown and
undo shutdown commands or the restart command in the interface view.
To enable the interface to go Up automatically, you must run the error-down auto-
recovery cause mac-address-flapping command in the system view before the interface
enters the error-down state. This command enables an interface in error-down state to go
Up and sets a recovery time. The interface goes Up automatically after the time expires.
l If the action is set to quit-vlan, the interface can be automatically restored after a
specified time period after it is removed from the VLAN. The default recovery time is 10
minutes. The recovery delay time can be set using the mac-address flapping quit-vlan
recover-time time-value command in the system view.
2.7.3.2 Configuring MAC Address Flapping Detection in a VLAN
Context
After MAC address flapping detection is configured in a VLAN, the device checks all MAC
addresses in the VLAN to detect MAC address flapping. You can configure the device to
block the flapping MAC address or interface where MAC address flapping occurs, or to report
an alarm.
NOTE
This configuration is not supported on the S9700.
Procedure
Step 1 Run:
system-view

Step 2 Run:
vlan vlan-id
A VLAN is created and the VLAN view is displayed.

Step 3 Run:
loop-detect eth-loop { [ block-mac ] block-time block-time retry-times retry-
times | alarm-only }

MAC address flapping detection is configured.
When detecting MAC address flapping in a VLAN, the device can take either of the following
actions:
l Block the interface or MAC address. When block-mac is specified in the command, the
device does not block the interface but blocks traffic from the flapping MAC address.
l Send an alarm to the NMS.
----End

Run the display loop-detect eth-loop [ vlan vlan-id ] command to check information about
MAC address flapping detection in a VLAN.
Action to Take After MAC Address Flapping Occurs

After MAC address flapping detection is configured in a VLAN, the device checks all MAC
addresses in the VLAN to detect MAC address flapping. If MAC address flapping occurs on
an interface, the system blocks the interface if it is configured to do so. After a specified
period of time, the system unblocks the interface. If no MAC address flapping is detected
within 20 seconds, the system unblocks the interface and starts a new round of detection. If
MAC address flapping is detected again within 20 seconds, the system blocks the interface.
This process repeats for a specified number of times. If MAC address flapping persists, the
interface is permanently blocked.
After an interface or a MAC address is permanently blocked because of MAC address

flapping, the interface or MAC address can be restored only by using the reset loop-detect
eth-loop command in the corresponding VLAN view.
1. Run the system-view command to enter the system view.

2. Run the reset loop-detect eth-loop vlan vlan-id { all | interface interface-type interface-
number | mac-address mac-address } command to unblock the specified interface or
MAC address.
NOTE
Before using the reset loop-detect eth-loop command, run the display loop-detect eth-loop command
to check the blocked interface or MAC address.
2.7.4 Configuring the Switch to Discard Packets with an All-0

MAC Address
Context
A faulty network device may send packets with an all-0 source or destination MAC address to
the switch. You can configure the switch to discard such packets and send an alarm to the
network management system (NMS) to help the network administrator locate the faulty
device.
You can configure the switch to discard packets with an all-0 source or destination MAC
address.

Procedure
Step 1 Run:
system-view
Step 2 Run:
drop illegal-mac enable
The switch is enabled to discard packets with an all-0 MAC address.
By default, the switch does not discard packets with an all-0 MAC address.

drop illegal-mac alarm
The switch is configured to send an alarm to the NMS when receiving packets with an all-0
MAC address.
By default, the switch does not send an alarm when receiving packets with an all-0 MAC
address.
NOTE
The drop illegal-mac alarm command allows the switch to generate only one alarm. You must run the
drop illegal-mac alarm command again if more than one alarm is required.
----End

Run the display current-configuration command to check whether the switch is enabled to
discard packets with an all-0 MAC address.
2.7.5 Configuring the Switch to Discard Packets That Do Not

Match Any MAC Address Entry
Context
After a DHCP user goes offline, the MAC address entry of the user ages out. If there are
packets destined for this user, the switch cannot find the MAC address entry and therefore
broadcasts the packets to all interfaces in the VLAN. In this case, all users receive the packets,
which brings security risks. To reduce the load on the switch and enhance security, configure
the switch to discard packets that do not match any MAC address entries.
After the switch is configured to discard packets that do not match any MAC address entries,
such packets are discarded, which reduces the load on the switch and enhances system
security.
Procedure
Step 1 Run:
system-view

Step 2 Run:
vlan vlan-id
Step 3 Run:
mac-miss action discard
The switch is configured to discard packets that do not match any MAC address entries.
By default, the switch broadcasts the packets that do not match any MAC address entries in a
VLAN.
----End

Run the display current-configuration command to check whether the switch is configured
to discard packets that do not match any MAC address entries.
2.7.6 Enabling MAC Address-Triggered ARP Entry Update
Context
MAC address-triggered ARP entry update enables the switch to update the corresponding
ARP entry when the outbound interface in a MAC address entry changes.
Each network device uses an IP address to communicate with other devices. On an Ethernet
network, a host, switching device, or routing device sends and receives Ethernet data frames
based on MAC addresses. The ARP protocol maps IP addresses to MAC addresses. When
two devices on different network segments communicate with each other, they need to map IP
addresses to MAC addresses and outbound interfaces according to ARP entries.
Generally, MAC address entries and ARP entries are consistent. In some scenarios, ARP
entries may not be updated immediately after MAC address entries are updated. In Figure
2-12, SwitchA and SwitchB run VRRP to enhance reliability, and the VRRP group functions
as the gateway of the server. VRRP packets are transmitted on the direct link between the two
switches. The server selects one of network interfaces to send packets. When the server
detects a network failure or traffic forwarding failure, it switches traffic to the other interface.
l SwitchA functions as the master device, and the server uses Port2 to send packets.
SwitchA learns the ARP entry and MAC address entry on Port2, and SwitchB learns the
server MAC address on Port1.
l When the server detects that Port2 is faulty, the server sends packets through Port1.
SwitchA then learns the server MAC address on Port1. If the server does not send an
ARP Request packet to SwitchA, SwitchA still maintains the ARP entry on Port2. In this
case, packets sent from SwitchA to the server are still forwarded through Port2 until the
ARP entry is aged out.
To solve the problem, configure MAC address-triggered ARP entry update on SwitchA and
SwitchB. This function enables the switches to update the corresponding ARP entry when the
outbound interface in a MAC address entry changes.

Figure 2-12 Networking for configuring MAC address-triggered ARP entry update upon a
VRRP active/standby switchover
Switch A(VRRP Master) Switch B(VRRP Backup)
Port2 Port2
Port1 Port1
Port1 Port2
Server
Procedure
Step 1 Run:
system-view

Step 2 Run:
mac-address update arp
The MAC address-triggered ARP entry update function is enabled.

By default, the MAC address-triggered ARP entry update function is disabled.
NOTE
l This command takes effect only for dynamic ARP entries. Static ARP entries are not updated when
the corresponding MAC address entries change.
l The MAC address-triggered ARP entry update function does not take effect after ARP entry fixing
is enabled using the arp anti-attack entry-check enable command.
l After the MAC address-triggered ARP entry update function is enabled, the switch updates an ARP
entry only when the outbound interface in the corresponding MAC address entry changes.
----End

Run the display current-configuration command to check whether the MAC address-
triggered ARP entry update function is enabled.
2.7.7 Enabling Port Bridge

Context
By default, an interface does not forward packets whose source and destination MAC
addresses are the same. When the interface receives this kind of a packet, it discards the
packet as an invalid packet.

After the port bridge function is enabled on the interface, the interface forwards such a packet
if the destination MAC address of the packet is in the MAC address table.
The port bridge function is used in the following scenarios:
l The switch connects to devices that do not support Layer 2 forwarding. When users
connected to the devices need to communicate, the devices send packets of the users to
the switch for packet forwarding. Because source and destination MAC addresses of the
packets are the same, a port bridge needs to be enabled on the interface so that the
interface can forward such packets.
l The switch is used as an access device in a data center and is connected to servers. Each
server is configured with multiple virtual machines. The virtual machines need to
transmit data to each other. If servers perform data switching for virtual machines, the
data switching speed and server performance are reduced. To improve the data
transmission rate and server performance, enable a port bridge on the interfaces
connected to the servers so that the switch forwards data packets between the virtual
machines.
NOTE
This configuration is not supported on the ES1D2G48SBC0 and ES1D2G48TBC0 boards of S7700 and
the EH1D2G48TBC0 and EH1D2G48SBC0 boards of S9700.
Procedure
Step 1 Run:
system-view

Step 2 Run:

Step 3 Run:
port bridge enable
The port bridge function is enabled on the interface.

By default, the port bridge function is disabled on an interface.
----End

Run the display current-configuration command to check whether the port bridge function
is enabled.
2.7.8 Configuring Re-marking of Destination MAC Addresses
Context
The re-marking function enables the switch to change the specified fields of packets
according to traffic classification rules. After the re-marking action is configured, the switch
still processes outgoing packets based on the original priority but the downstream device

processes the packets based on the re-marked priority. You can also configure an action to re-
mark the destination MAC address of packets in a traffic behavior so that the downstream
device can identify packets and provide differentiated services.
NOTE
X1E series cards do not support this configuration.
Procedure
1. Configure a traffic classifier.
a. Run:
system-view

b. Run:
and is the logical operator between the rules in the traffic classifier, which means
that:
n If the traffic classifier contains ACL rules, packets match the traffic classifier
only when they match one ACL rule and all the non-ACL rules.
n If the traffic classifier does not contain any ACL rules, packets match the
The logical operator or means that packets match the traffic classifier as long as
they match one of rules in the classifier.
c. Configure matching rules according to the following table.
NOTE
The if-match ip-precedence and if-match tcp commands are only valid for IPv4 packets.
The X1E series cards do not support traffic classifiers with advanced ACLs containing the
ttl-expired field or user-defined ACLs.
When a traffic classifier contains if-match ipv6 acl { acl-number | acl-name }, the X1E card
does not support nest top-most vlan-id vlan-id, remark 8021p [ 8021p-value |
inner-8021p ], remark cvlan-id cvlan-id, or remark vlan-id vlan-id.
Matching Command Remarks

Rule

VLAN IDs id ]
in QinQ
packets


Rule

VLAN command, a packet matches
packets the traffic classifier as long as
it matches any one of the

802.1p value &<1-8>
priority in
QinQ
packets
Outer if-match vlan-id start-vlan-id [ to -

VLAN ID end-vlan-id ] [ cvlan-id cvlan-id ]
or inner
and outer
VLAN IDs
of QinQ
packets
Drop if-match discard A traffic classifier containing

packet this matching rule can only
be bound to traffic behaviors
containing traffic statistics
collection and flow mirroring
actions.

tags in
QinQ
packets

MPLS command, a packet matches
relationship between rules in
the traffic classifier is AND
or OR.
The SA cards of the S series
do not support matching of
EXP priorities in MPLS
packets.


Rule

Source if-match source-mac mac-address -

MAC [ [ mac-address-mask ] mac-
address address-mask ]

in the
Ethernet
frame
header
All if-match any -

packets
DSCP if-match [ ipv6 ] dscp dscp-value l If you enter multiple

priority in &<1-8> DSCP values in one
matches the traffic
DSCP values, regardless
of whether the
AND or OR.
between rules in a traffic
classifier is AND, the if-
match [ ipv6 ] dscp and
if-match ip-precedence
commands cannot be used
in the traffic classifier
simultaneously.


Rule

precedence precedence-value &<1-8> dscp and if-match ip-
in IP precedence commands
packets cannot be configured in a
traffic classifier in which
rules is AND.
precedence values in one
command, a packet
matches the traffic
matches any one of the IP
precedence values,
AND or OR.

protocol
type

Header header-number first-next-header ES0D0X12SA00, and
field in the ES0D0G24CA00 cards of the
IPv6 S7700, and
EH1D2X12SSA0 cards of the
S9700 do not support the
routes whose prefix length
ranges from 64 to 128.
SYN Flag if-match tcp syn-flag { syn-flag- -

in the TCP value | ack | fin | psh | rst | syn |
packet urg }

interface interface-type interface-number this matching rule cannot be
applied to the outbound
view.

applied to the inbound
The traffic policy containing
this matching rule cannot be
applied in the interface view.


Rule

classifier defines multiple
rules, a packet matches
the ACL as long as it
matches one of rules,
AND or OR.
ACL6 rule if-match ipv6 acl { acl-number | Before specifying an ACL6

acl-name } in a matching rule, configure
the ACL6.

containing if-match flow-id
and the traffic behavior
traffic policies.
if-match flow-id can be only
applied to an interface, a
VLAN, a card, or the system
in the inbound direction.
X1E cards and SA cards of S
series cards do not support
matching of flow IDs.
d. Run:
quit

2. Configure a traffic behavior.
a. Run:

b. Run:
remark destination-mac mac-address
An action is configured to re-mark destination MAC addresses of packets. The

destination MAC address to be re-marked must be a unicast MAC address.
c. Run:

quit

d. Run:
quit

3. Configure a traffic policy.
a. Run:
A traffic policy is created and the traffic policy view is displayed, or the view of an
existing traffic policy is displayed. If you do not specify a matching order for traffic
classifiers in the traffic policy, the default matching order config is used.
change the matching order of traffic classifiers in the traffic policy. To change the
matching order, delete the traffic policy and create a new traffic policy with the
required matching order.
When creating a traffic policy, you can specify the matching order of traffic
classifiers in the traffic policy. The traffic classifiers can be matched in automatic
order (auto) or configuration order (config):
n If the matching order is auto, traffic classifiers are matched in descending
order of priorities pre-defined in the system: traffic classifiers based on Layer
2 and Layer 3 information, traffic classifiers based on Layer 2 information, and
finally traffic classifiers based on Layer 3 information. If a data flow matches
multiple traffic classifiers that are associated with conflicting traffic behavior,
the traffic behavior associated with the traffic classifier of the highest priority
takes effect.
n If the matching order is config, traffic classifiers are matched in descending
order of priorities either manually or dynamically allocated to them. This is
determined by the precedence value; a traffic classifier with a smaller
precedence value has a higher priority and is matched earlier. If you do not
specify precedence-value when creating a traffic classifier, the system
allocates a precedence value to the traffic classifier. The allocated value is
[(max-precedence + 5)/5] x 5, where max-precedence is the greatest value
among existing traffic classifiers.
NOTE
If more than 128 rate limiting ACL rules are configured in the system, traffic policies must
be applied to the interface view, VLAN view, and system view in sequence. To update an
ACL rule, delete all the associated traffic policies from the interface, VLAN, and system.
Then, reconfigure the traffic policies and reapply them to the interface, VLAN, and system.
b. Run:
A traffic behavior is bound to a traffic classifier in the traffic policy.

c. Run:
quit

d. Run:
quit

4. Apply the traffic policy.

– Applying a traffic policy to an interface
i. Run:
system-view

ii. Run:

iii. Run:

policing for all relevant packets that match traffic classification rules on the
interface.
– Applying a traffic policy to a VLAN
i. Run:
system-view

ii. Run:
vlan vlan-id

iii. Run:

Only one traffic policy can be applied to a VLAN in the inbound or outbound
direction.
After a traffic policy is applied, the system performs traffic policing for the
packets that belong to that VLAN and match the relevant traffic classification
rules. However, the traffic policy does not take effect for packets in VLAN 0.
– Applying a traffic policy to the system or an LPU
i. Run:
system-view

ii. Run:
traffic-policy policy-name global { inbound | outbound } [ slot slot-
id ]

Only one traffic policy can be applied to the system or LPU for one direction.
A traffic policy cannot be applied to the same direction in the system and on
the LPU simultaneously.


2.8 Maintaining the MAC Address Table
2.8.1 Displaying MAC Address Entries

Table 2-9 Commands used to display MAC address entries
Purpose Command
Display all MAC address entries. display mac-address
Display static MAC address entries. display mac-address static
Display MAC address entries learned in a display mac-address dynamic vlan vlan-id
VLAN.
Display MAC address entries learned on an display mac-address dynamic interface-

interface. type interface-number
Display a specified MAC address. display mac-address mac-address
Display the aging time of dynamic MAC display mac-address aging-time

address entries.
Display statistics on MAC address entries. l Display the total statistics: display mac-
address total-number
l Display the statistics of various types of
MAC address entries: display mac-
address summary
Display the system MAC address. display bridge mac-address

Purpose Command
Display the MAC address of an interface. display interface interface-type interface-

number
Hardware address indicates the MAC
address of the interface.
Display the MAC address of a VLANIF display interface vlanif vlan-id

interface. Hardware address indicates the MAC
address of the VLANIF interface.
2.8.2 Deleting MAC Address Entries
Table 2-10 Commands used to delete MAC address entries
Purpose Command
Delete all MAC address entries. undo mac-address
Delete MAC address entries in a VLAN. undo mac-address vlan vlan-id
Delete MAC address entries on an interface. undo mac-address interface-type interface-

number
2.8.3 Displaying MAC Address Flapping Information
Table 2-11 Commands used to display MAC address flapping records
Purpose Command
Display alarms about MAC address Run the display trapbuffer command to
flapping. check whether the following alarms exist:
l OID 1.3.6.1.4.1.2011.5.25.42.2.1.7.12
l OID 1.3.6.1.4.1.2011.5.25.160.3.7
l OID 1.3.6.1.4.1.2011.5.25.160.3.8
Display detailed MAC address flapping display mac-address flapping record

records.
2.9.1 Example for Configuring Static MAC Address Entries

Networking Requirements
In Figure 2-13, the user PC with MAC address 0002-0002-0002 connects to the GE1/0/1 of
the Switch, and the server with MAC address 0004-0004-0004 connects to GE1/0/2 of the
Switch. The user PC and server communicate in VLAN 2.
l To prevent unauthorized users from using the user PC's MAC address to initiate attacks,
configure a static MAC address entry for the user PC on the Switch.
l To prevent unauthorized users from using the server's MAC address to intercept
information sent to other users, configure a static MAC address entry for the server on
the Switch.
NOTE
This example applies to scenarios with a small number of users. When there are many users, use
dynamic MAC address entries. For details, see Example for Configuring Port Security.
Figure 2-13 Example network for configuring static MAC address entries
Network
Switch
GE1/0/1 GE1/0/2
VLAN 2
PC:2-2-2 Server:4-4-4
Configuration Roadmap
The configuration roadmap is as follows:
1. Create VLAN 2 and add the interfaces connected to the PC and server for Layer 2
forwarding.
2. Configure static MAC address entries to prevent attacks from unauthorized users.
Procedure
Step 1 Create static MAC address entries.
# Create VLAN 2 and add GigabitEthernet1/0/1 and GigabitEthernet1/0/2 to VLAN 2.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan 2
[Switch-vlan2] quit
[Switch] interface gigabitethernet 1/0/1
[Switch-GigabitEthernet1/0/1] port link-type access

[Switch-GigabitEthernet1/0/1] port default vlan 2

[Switch-GigabitEthernet1/0/1] quit
# Configure static MAC address entries.

[Switch] mac-address static 2-2-2 GigabitEthernet 1/0/1 vlan 2
[Switch] mac-address static 4-4-4 GigabitEthernet 1/0/2 vlan 2
Step 2 Verify the configuration.
# Run the display mac-address static vlan 2 command in any view to check whether the
static MAC address entries are successfully added to the MAC address table.
[Switch] display mac-address static vlan 2
-------------------------------------------------------------------------------
MAC Address VLAN/VSI Learned-From Type
-------------------------------------------------------------------------------
0002-0002-0002 2/- GE1/0/1 static
0004-0004-0004 2/- GE1/0/2 static
-------------------------------------------------------------------------------
Total items displayed = 2
----End
Configuration Files
Switch configuration file
#
sysname Switch
#
vlan batch 2
#
interface GigabitEthernet1/0/1
port link-type access
port default vlan 2
#
port default vlan 2
#
mac-address static 0002-0002-0002 GigabitEthernet1/0/1 vlan 2
mac-address static 0004-0004-0004 GigabitEthernet1/0/2 vlan 2
#
return
2.9.2 Example for Configuring Blackhole MAC Address Entries
In Figure 2-14, the Switch receives packets from an unauthorized PC that has the MAC
address of 0005-0005-0005 and belongs to VLAN 3. This MAC address entry can be
configured as a blackhole MAC address entry so that the Switch filters out packets from the
unauthorized PC.

Figure 2-14 Example network for configuring a blackhole MAC address entry
MAC Address VLAN ID Unauthorized

5-5-5 3 user
Switch

1. Create a VLAN for Layer 2 forwarding.
2. Configure a blackhole MAC address entry to filter out packets from the unauthorized
PC.
Procedure
Step 1 Configure a blackhole MAC address entry.
# Create VLAN 3.
[Switch] vlan 3
[Switch-vlan3] quit
# Configure a blackhole MAC address entry.

[Switch] mac-address blackhole 0005-0005-0005 vlan 3

# Run the display mac-address blackhole command in any view to check whether the
blackhole MAC address entry is successfully added to the MAC address table.
[Switch] display mac-address blackhole
-------------------------------------------------------------------------------
MAC Address VLAN/VSI Learned-From Type
-------------------------------------------------------------------------------
0005-0005-0005 3/- - blackhole
-------------------------------------------------------------------------------
Total items displayed = 1
----End
Configuration Files

#
sysname Switch
#
vlan batch 3
#
mac-address blackhole 0005-0005-0005 vlan 3
#
return
2.9.3 Example for Configuring MAC Address Limiting on an

Interface
In Figure 2-15, user network 1 and user network 2 connect to the Switch through the LSW,
and the LSW connects to the Switch through GE1/0/1. User network 1 and user network 2
belong to VLAN 10 and VLAN 20 respectively. On the Switch, MAC address limiting can be
configured on GE1/0/1 to control the number of access users.
Figure 2-15 Example network for configuring MAC address limiting on an interface
Network
Switch
GE1/0/1
LSW
User User
network 1 network 2
VLAN 10 VLAN 20
1. Create VLANs and add the downlink interface to the VLANs to implement Layer 2
forwarding.
2. Configure MAC address limiting on the interface to control the number of access users.

Procedure
Step 1 Configure MAC address limiting.
# Create VLAN 10 and VLAN 20, and add GigabitEthernet1/0/1 to VLAN 10 and VLAN 20.
[Switch] vlan batch 10 20
[Switch-GigabitEthernet1/0/1] port link-type hybrid
[Switch-GigabitEthernet1/0/1] port hybrid tagged vlan 10 20
# Configure a MAC address limiting rule on GigabitEthernet1/0/1: In the following

configuration, a maximum of 100 MAC address entries can be learned on the interface. When
the number of learned MAC address entries reaches the limit, the Switch discards packets
with new source MAC address entries and generates an alarm.
[Switch-GigabitEthernet1/0/1] mac-limit maximum 100 action discard alarm enable
[Switch-GigabitEthernet1/0/1] return
# Run the display mac-limit command in any view to check whether the MAC address
limiting rule is successfully configured.
<Switch> display mac-limit
MAC limit is enabled
Total MAC limit rule count : 1
PORT VLAN/VSI SLOT Maximum Rate(ms) Action Alarm

----------------------------------------------------------------------------
GE1/0/1 - - 100 - discard enable
----End
Configuration Files
#
sysname Switch
#
vlan batch 10 20
#
port link-type hybrid
port hybrid tagged vlan 10 20
mac-limit maximum 100
#
return
2.9.4 Example for Configuring MAC Address Limiting in a VLAN
In Figure 2-16, user network 1 is connected to GE1/0/1 of the Switch through LSW1, and
user network 2 is connected to GE1/0/2 of the Switch through LSW2. GE1/0/1 and GE1/0/2
belong to VLAN 2. To control the number of access users, configure MAC address limiting in
VLAN 2.

Figure 2-16 Example network for MAC address limiting
Network
Switch
GE1/0/1 GE1/0/2
LSW LSW
User User
network 1 VLAN 2 network 2
1. Create a VLAN and add interfaces for Layer 2 forwarding.

2. Configure MAC address limiting in the VLAN to prevent MAC address attacks and
control access users.
Procedure
Step 1 Configure MAC address limiting.
# Add GigabitEthernet1/0/1 and GigabitEthernet1/0/2 to VLAN 2.

[Switch] vlan 2
[Switch-vlan2] quit
[Switch-GigabitEthernet1/0/1] port hybrid pvid vlan 2
[Switch-GigabitEthernet1/0/1] port hybrid untagged vlan 2
# Configure the following MAC address limiting rule in VLAN 2: In the following
configuration, a maximum of 100 MAC addresses can be learned. When the number of
learned MAC address entries reaches the limit, the Switch forwards packets with new source
MAC address entries and sends an alarm, but does not add the MAC address entries to the
MAC address table.

[Switch] vlan 2
[Switch-vlan2] mac-limit maximum 100 action forward alarm enable
[Switch-vlan2] return

<Switch> display mac-limit

----------------------------------------------------------------------------
- 2 - 100 - forward enable
----End
Configuration Files
#
sysname Switch
#
vlan batch 2
#
vlan 2
mac-limit maximum 100 action forward
#
port hybrid pvid vlan 2
port hybrid untagged vlan 2
#
#
return
2.9.5 Example for Configuring MAC Address Limiting in a VSI
In Figure 2-17, the enterprise establishes a backbone network. MAC address limiting needs to
be configured in VSIs on the PEs for access control of CEs, ensuring the backbone network
security.

Figure 2-17 Networking of MAC address limiting in a VSI

Loopback1 Loopback1 Loopback1
1.1.1.1/32 2.2.2.2/32 3.3.3.3/32
GE2/0/0 GE2/0/0
VLANIF20 VLANIF30
4.4.4.4/24 5.5.5.5/24
PE1 PE2
GE1/0/0 GE1/0/0
GE1/0/0 VLANIF20 P VLANIF30 GE2/0/0
VLANIF10 4.4.4.2/24 5.5.5.2/24 VLANIF40
GE1/0/0 GE1/0/0
VLANIF10 VLANIF40
10.1.1.1/24 10.1.1.2/24
CE1 CE2
1. Configure a routing protocol on the backbone network to implement the interworking.

2. Set up remote LDP sessions between PEs.
3. Set up a tunnel between PEs to transmit user data.
4. Enable MPLS L2VPN on PEs.
5. Configure a VSI and specify LDP as the signaling protocol on PEs.
6. Configure MAC address limiting in the VSI on PEs to control access of CEs.
Procedure
Step 1 Create VLANs on the CE, PE, and P devices, add interfaces to respective VLANs, and assign
IP addresses to VLAN interfaces.
# Configure CE1.
[HUAWEI] sysname CE1
[CE1] vlan 10
[CE1-vlan10] quit
[CE1] interface vlanif 10
[CE1-Vlanif10] ip address 10.1.1.1 255.255.255.0
[CE1-Vlanif10] quit
[CE1] interface gigabitethernet 1/0/0
[CE1-GigabitEthernet1/0/0] port link-type trunk
[CE1-GigabitEthernet1/0/0] port trunk allow-pass vlan 10
[CE1-GigabitEthernet1/0/0] quit
# Configure CE2.
[CE2] vlan 40
[CE2-vlan40] quit
[CE2-Vlanif40] ip address 10.1.1.2 255.255.255.0
[CE2-Vlanif40] quit

# Configure PE1.
[HUAWEI] sysname PE1
[PE1] vlan batch 10 20
[PE1] interface vlanif 20
[PE1-Vlanif20] ip address 4.4.4.4 255.255.255.0
[PE1-Vlanif20] quit
[PE1] interface gigabitethernet 1/0/0
[PE1-GigabitEthernet1/0/0] port link-type trunk
[PE1-GigabitEthernet1/0/0] port trunk allow-pass vlan 10
[PE1-GigabitEthernet1/0/0] quit
# Configure the P.
[HUAWEI] sysname P
[P] vlan batch 20 30
[P] interface vlanif 20
[P-Vlanif20] ip address 4.4.4.2 255.255.255.0
[P-Vlanif20] quit
[P-Vlanif30] ip address 5.5.5.5 255.255.255.0
[P-Vlanif30] quit
[P] interface gigabitethernet 1/0/0
[P-GigabitEthernet1/0/0] port link-type trunk
[P-GigabitEthernet1/0/0] port trunk allow-pass vlan 20
[P-GigabitEthernet1/0/0] quit
[P-GigabitEthernet2/0/0] port link-type trunk
[P-GigabitEthernet2/0/0] port trunk allow-pass vlan 30
# Configure PE2.
[PE2-Vlanif30] ip address 5.5.5.2 255.255.255.0
[PE2-Vlanif30] quit
Step 2 Configure an IGP. OSPF is used in this example.

Configure OSPF to advertise the loopback interface addresses (LSR IDs) with 32-bit mask
length of PE1, P, and PE2.
# Configure PE1.
[PE1] router id 1.1.1.1
[PE1] interface loopback 1
[PE1-LoopBack1] ip address 1.1.1.1 32
[PE1-LoopBack1] quit
[PE1] ospf 1
[PE1-ospf-1] area 0
[PE1-ospf-1-area-0.0.0.0] network 1.1.1.1 0.0.0.0
[PE1-ospf-1-area-0.0.0.0] quit
[PE1-ospf-1] quit
# Configure the P.

[P] router id 2.2.2.2

[P] interface loopback 1
[P-LoopBack1] ip address 2.2.2.2 32
[P-LoopBack1] quit
[P] ospf 1
[P-ospf-1] area 0
[P-ospf-1-area-0.0.0.0] network 2.2.2.2 0.0.0.0
[P-ospf-1-area-0.0.0.0] quit
[P-ospf-1] quit
# Configure PE2.
[PE2] ospf 1
[PE2-ospf-1] area 0
[PE2-ospf-1] quit
After the configuration is complete, run the display ip routing-table command on PE1, P,
and PE2. The command output shows that PE1, P, and PE2 have learned routes from each
other. The display on PE1 is used as an example.
[PE1] display ip routing-table
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
Destinations : 8 Routes : 8
Destination/Mask Proto Pre Cost Flags NextHop Interface
1.1.1.1/32 Direct 0 0 D 127.0.0.1 LoopBack1

2.2.2.2/32 OSPF 10 1 D 4.4.4.2 Vlanif20
3.3.3.3/32 OSPF 10 2 D 4.4.4.2 Vlanif20
4.4.4.0/24 Direct 0 0 D 4.4.4.4 Vlanif20
4.4.4.4/32 Direct 0 0 D 127.0.0.1 Vlanif20
5.5.5.0/24 OSPF 10 2 D 4.4.4.2 Vlanif20
127.0.0.0/8 Direct 0 0 D 127.0.0.1 InLoopBack0
Step 3 Configure basic MPLS functions and LDP.

# Configure PE1.
[PE1] mpls lsr-id 1.1.1.1
[PE1] mpls
[PE1-mpls] quit
[PE1] mpls ldp
[PE1-mpls-ldp] quit
[PE1-Vlanif20] mpls
[PE1-Vlanif20] mpls ldp
[PE1-Vlanif20] quit
# Configure the P.
[P] mpls lsr-id 2.2.2.2
[P] mpls
[P-mpls] quit
[P] mpls ldp
[P-mpls-ldp] quit

[P-Vlanif20] mpls
[P-Vlanif20] mpls ldp
[P-Vlanif20] quit
[P-Vlanif30] mpls
[P-Vlanif30] quit
# Configure PE2.
[PE2] mpls
[PE2-mpls] quit
[PE2] mpls ldp
[PE2-mpls-ldp] quit
[PE2-Vlanif30] mpls
[PE2-Vlanif30] quit
After the configuration is complete, run the display mpls ldp session command on PE1, P,
and PE2. You can see that a peer relationship is set up between PE1 and P, and between P and
PE2. The peer relationship is in Operational state. Run the display mpls lsp command to
check the LSP status. The display on PE1 is used as an example.
[PE1] display mpls ldp session
LDP Session(s) in Public Network

Codes: LAM(Label Advertisement Mode), SsnAge Unit(DDDD:HH:MM)
A '*' before a session means the session is being deleted.
------------------------------------------------------------------------------
PeerID Status LAM SsnRole SsnAge KASent/Rcv
------------------------------------------------------------------------------
2.2.2.2:0 Operational DU Passive 000:15:29 3717/3717
------------------------------------------------------------------------------
TOTAL: 1 session(s) Found.
Step 4 Create a remote LDP session between PEs.
# Configure PE1.
[PE1] mpls ldp remote-peer 3.3.3.3
[PE1-mpls-ldp-remote-3.3.3.3] remote-ip 3.3.3.3
[PE1-mpls-ldp-remote-3.3.3.3] quit
# Configure PE2.
After the configuration is complete, run the display mpls ldp session command on PE1 or
PE2. You can see that the peer relationship between PE1 and PE2 is in Operational state. That
is, the peer relationship is set up.
Step 5 Enable MPLS L2VPN on each PE.
# Configure PE1.
[PE1] mpls l2vpn
[PE1-l2vpn] quit
# Configure PE2.
[PE2] mpls l2vpn
[PE2-l2vpn] quit

Step 6 Configure a VSI on PEs.

# Configure PE1.
[PE1] vsi a2 static
[PE1-vsi-a2] pwsignal ldp
[PE1-vsi-a2-ldp] vsi-id 2
[PE1-vsi-a2-ldp] peer 3.3.3.3
[PE1-vsi-a2-ldp] quit
[PE1-vsi-a2] quit
# Configure PE2.
[PE2] vsi a2 static
[PE2-vsi-a2] quit
Step 7 Bind the VSI to PE interfaces.

# Configure PE1.
[PE1-Vlanif10] l2 binding vsi a2
[PE1-Vlanif10] quit
# Configure PE2.
[PE2-Vlanif40] l2 binding vsi a2
[PE2-Vlanif40] quit

After the configuration is complete, run the display vsi name a2 verbose command on PE1.
You can see that VSI a2 sets up a PW to PE2, and the VSI status is Up.
[PE1] display vsi name a2 verbose
***VSI Name : a2
Administrator VSI : no
Isolate Spoken : disable
VSI Index : 0
PW Signaling : ldp
Member Discovery Style : static
PW MAC Learn Style : unqualify
Encapsulation Type : vlan
MTU : 1500
Diffserv Mode : uniform
Mpls Exp : --
DomainId : 255
Domain Name :
Ignore AcState : disable
P2P VSI : disable
Create Time : 0 days, 0 hours, 5 minutes, 1 seconds
VSI State : up
VSI ID : 2
*Peer Router ID : 3.3.3.3
Negotiation-vc-id : 2
primary or secondary : primary
ignore-standby-state : no
VC Label : 4098
Peer Type : dynamic
Session : up
Tunnel ID : 0x1
Broadcast Tunnel ID : 0x1

Broad BackupTunnel ID : 0x0

CKey : 2
NKey : 1
Stp Enable : 0
PwIndex : 0
Control Word : disable
Interface Name : Vlanif10

State : up
Access Port : false
Last Up Time : 2010/12/30 11:31:18
Total Up Time : 0 days, 0 hours, 1 minutes, 35 seconds
**PW Information:
*Peer Ip Address : 3.3.3.3

PW State : up
Local VC Label : 4098
Remote VC Label : 4098
Remote Control Word : disable
PW Type : label
Local VCCV : alert lsp-ping
Remote VCCV : alert lsp-ping
Tunnel ID : 0x1
Ckey : 0x2
Nkey : 0x1
Main PW Token : 0x1
Slave PW Token : 0x0
Tnl Type : LSP
OutInterface : Vlanif20
Backup OutInterface :
Stp Enable : 0
PW Last Up Time : 2010/12/30 11:32:03
PW Total Up Time : 0 days, 0 hours, 1 minutes, 35 seconds
CE1 (10.1.1.1) can ping CE2 (10.1.1.2) successfully.

[CE1] ping 10.1.1.2
PING 10.1.1.2: 56 data bytes, press CTRL_C to break
Reply from 10.1.1.2: bytes=56 Sequence=1 ttl=255 time=90 ms
--- 10.1.1.2 ping statistics ---

5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 34/68/94 ms
Step 9 Configure MAC address limiting in the VSI on PE1.

# Configure the following MAC address limiting rule in the VSI: A maximum of 300 MAC
addresses can be learned. When the number of learned MAC addresses reaches the limit, the
PE discards packets with new source MAC addresses and sends an alarm to the NMS.
[PE1] vsi a2 static
[PE1-vsi-a2] mac-limit maximum 300 action discard alarm enable
[PE1-vsi-a2] return

<PE1> display mac-limit


----------------------------------------------------------------------------
- a2 - 300 - discard enable
----End
Configuration Files
l CE1 configuration file
#
sysname CE1
#
vlan batch 10
#
interface Vlanif10
ip address 10.1.1.1 255.255.255.0
#
port link-type trunk
port trunk allow-pass vlan 10
#
return

#
sysname CE2
#
vlan batch 40
#
interface Vlanif40
ip address 10.1.1.2 255.255.255.0
#
#
return
l PE1 configuration file

#
sysname PE1
#
router id 1.1.1.1
#
vlan batch 10 20
#
mpls lsr-id 1.1.1.1
mpls
#
mpls l2vpn
#
vsi a2 static
mac-limit maximum 300
pwsignal ldp
vsi-id 2
peer 3.3.3.3
#
mpls ldp
#
mpls ldp remote-peer 3.3.3.3
remote-ip 3.3.3.3
#
interface Vlanif10
l2 binding vsi a2
#
interface Vlanif20

ip address 4.4.4.4 255.255.255.0

mpls
mpls ldp
#
#
#
interface LoopBack1
ip address 1.1.1.1 255.255.255.255
#
ospf 1
area 0.0.0.0
network 1.1.1.1 0.0.0.0
network 4.4.4.0 0.0.0.255
#
return
l P configuration file
#
sysname P
#
router id 2.2.2.2
#
vlan batch 20 30
#
mpls lsr-id 2.2.2.2
mpls
#
mpls ldp
#
interface Vlanif20
ip address 4.4.4.2 255.255.255.0
mpls
mpls ldp
#
interface Vlanif30
ip address 5.5.5.5 255.255.255.0
mpls
mpls ldp
#
#
#
interface LoopBack1
ip address 2.2.2.2 255.255.255.255
#
ospf 1
area 0.0.0.0
network 2.2.2.2 0.0.0.0
network 4.4.4.0 0.0.0.255
network 5.5.5.0 0.0.0.255
#
return
#
sysname PE2
#
router id 3.3.3.3
#

vlan batch 30 40
#
mpls lsr-id 3.3.3.3
mpls
#
mpls l2vpn
#
vsi a2 static
pwsignal ldp
vsi-id 2
peer 1.1.1.1
#
mpls ldp
#
remote-ip 1.1.1.1
#
interface Vlanif30
ip address 5.5.5.2 255.255.255.0
mpls
mpls ldp
#
interface Vlanif40
l2 binding vsi a2
#
#
#
interface LoopBack1
ip address 3.3.3.3 255.255.255.255
#
ospf 1
area 0.0.0.0
network 3.3.3.3 0.0.0.0
network 5.5.5.0 0.0.0.255
#
return
2.9.6 Example for Configuring MAC Address Flapping Prevention

In Figure 2-18, users need to access the server connected to a switch interface. If an
unauthorized user uses the MAC address of the server as the source MAC address to send
packets to another interface, then that MAC address is learned on the interface. In this
scenario, packets sent from users to the server are forwarded to the unauthorized user. As a
result, users cannot access the server, and important data may be intercepted by the
unauthorized user.
MAC address flapping prevention can be configured to protect the server against attacks from
malicious users.

Figure 2-18 Networking of MAC address flapping prevention
Server
MAC:11-22-33
GE1/0/1 VLAN 10
Switch
GE1/0/2 PC4
MAC:11-22-33
LSW
PC1 PC2 PC3
VLAN10
1. Create a VLAN and add interfaces for Layer 2 forwarding.

2. Configure MAC address flapping prevention on the server-side interface.
Procedure
Step 1 Create a VLAN and add interfaces to the VLAN.
# Add GigabitEthernet1/0/1 and GigabitEthernet1/0/2 to VLAN 10.

[Switch] vlan 10
[Switch-vlan10] quit
[Switch-GigabitEthernet1/0/2] port link-type trunk
[Switch-GigabitEthernet1/0/2] port trunk allow-pass vlan 10
Step 2 # Set the MAC address learning priority of GigabitEthernet1/0/1 to 2.

[Switch-GigabitEthernet1/0/1] mac-learning priority 2
# Run the display current-configuration command in any view to check whether the MAC
address learning priority is set correctly.

[Switch] display current-configuration interface gigabitethernet 1/0/1

#
mac-learning priority 2
#
return
----End
Configuration Files
#
sysname Switch
#
vlan batch 10
#
mac-learning priority 2
#
#
return
2.9.7 Example for Configuring MAC Address Flapping Detection
As shown in Figure 2-19, a loop occurs on a user network because two LSWs are incorrectly
connected using a network cable. This loop causes MAC address flapping on the Switch.
To detect loops in a timely manner, configure MAC address flapping detection on the Switch.
This function enables the Switch to detect loops by checking whether a MAC address flaps
between interfaces. To remove loops on the network, configure an action against MAC
address flapping on the interfaces.

Figure 2-19 Example network for MAC address flapping detection
Network
Switch
GE1/0/1 GE1/0/2
LSW1 LSW2
Incorrect connection
1. Enable MAC address flapping detection.

2. Set the aging time of flapping MAC addresses.
3. Configure an action against MAC address flapping on the interfaces to remove loops.
Procedure
Step 1 Enable MAC address flapping detection.
[Switch] mac-address flapping detection
Step 2 Set the aging time of flapping MAC addresses.

[Switch] mac-address flapping aging-time 500
Step 3 Configure the action against MAC address flapping as error-down on the GE1/0/1 and
GE1/0/2.
[Switch-GigabitEthernet1/0/1] mac-address flapping action error-down
[Switch-GigabitEthernet1/0/2] mac-address flapping action error-down
Step 4 Enable error-down interfaces to go Up automatically and set the automatic recovery time. In
the following configuration, it is set to 500s.
[Switch] error-down auto-recovery cause mac-address-flapping interval 500
When the MAC address learned on the GE moves to GE1/0/2, GE1/0/2 is shut down
automatically. You can run the display mac-address flapping record command to view
MAC address flapping records.

[Switch] display mac-address flapping record

S : start time
E : end time
(Q) : quit vlan
(D) : error down
-------------------------------------------------------------------------------
Move-Time VLAN MAC-Address Original-Port Move-Ports
MoveNum
-------------------------------------------------------------------------------
S:2012-04-01 17:22:36 1 0000-0000-0007 GE1/0/1 GE1/0/2(D) 83
E:2012-04-01 17:22:44
-------------------------------------------------------------------------------
Total items on slot 1: 1
----End
Configuration Files
#
sysname Switch
#
error-down auto-recovery cause mac-address-flapping interval 500
#
mac-address flapping aging-time 500
#
mac-address flapping action error-down
#
mac-address flapping action error-down
#
return
2.10.1 MAC Address Entries Failed to Be Learned on an Interface
Fault Symptom
MAC address entries cannot be learned on an interface, causing Layer 2 forwarding failures.
Procedure
Step 1 Check the configuration on the device.
Check Item Verification Method Follow-up Operation
Whether the Run the display vlan vlan- Run the vlan vlan-id command in the
VLAN that the id command in any view. If system view to create the VLAN.
interface belongs the system displays the
to has been message "Error: The
created VLAN does not exist", the
VLAN has not been created.

Whether the Run the display vlan vlan- Run one of the following commands in
interface id command in any view to the interface view to add the interface
transparently check whether the interface to the VLAN.
transmits packets name exists. If not, the l Run the port trunk allow-pass
from the VLAN interface does not vlan command if the interface is a
transparently transmit trunk interface.
packets from the VLAN.
l Run the port hybrid tagged vlan
or port hybrid untagged vlan
command if the interface is a
hybrid interface.
l Run the port default vlan
command if the interface is an
access interface.
Whether a Run the display mac- If a blackhole MAC address entry is

blackhole MAC address blackhole displayed and you want to delete it,
address entry is command in any view to run the undo mac-address blackhole
configured check whether a blackhole command.
MAC address entry is
configured.
Whether MAC Run the display this | Run the undo mac-address learning
address learning is include learning command disable command in the interface view
disabled on the in the interface view and or VLAN view to enable MAC address
interface or in the VLAN view to check learning.
VLAN whether the mac-address
learning disable
configuration exists. If so,
MAC address learning is
disabled on the interface or
in the VLAN.
Whether MAC Run the display this | l Run the mac-limit command in the
address limiting is include mac-limit interface view or VLAN view to
configured on the command in the interface increase the maximum number of
interface and in view and VLAN view to learned MAC address entries.
the VLAN check whether MAC l Run the undo mac-limit command
address limiting is in the interface view or VLAN
configured. If so, the view to remove the MAC address
maximum number of limit.
learned MAC address
entries is set.

Whether port Run the display this | l Run the undo port-security
security is include port-security enable command in the interface
configured on the command in the interface view to disable port security.
interface view to check whether port l Run the port-security max-mac-
security is configured. num command in the interface
view to increase the maximum
number of secure dynamic MAC
address entries on the interface.
If the fault persists, go to step 2.

Step 2 Check whether a loop is causing MAC address entry flapping.
1. Run the mac-address flapping detection command in the system view to configure
MAC address flapping detection.
2. The system checks all MAC addresses in the VLAN to detect MAC address flapping.
3. If a loop is causing MAC address flapping, use the following methods to remove MAC
address flapping:
– Eliminate the loop.
– Run the mac-learning priority command in the interface view to configure the
MAC address learning priority for the interface to ensure that MAC addresses are
learned by the correct interface.
If no loop was detected, go to step 3.
Step 3 Check whether the number of learned MAC address entries has reached the maximum value.
If so, the device cannot learn new MAC address entries.
l If the number of MAC address entries on the interface is less than or equal to the number
of hosts connected to the interface, the device is connected to more hosts than it
supports. Adjust your network plan accordingly.
l If the interface has learned more MAC address entries than the hosts connected to the
interface, the interface may be undergoing a MAC address attack from the attached
network. Use the following table to locate the attack source.
Scenario Solution
The interface connects to another network Run the display mac-address command
device. on the connected device to view MAC
address entries. Use the displayed MAC
address entries to locate the interface
connected to the malicious host. If the
located interface is connected to another
network device, repeat this step until you
find the malicious host.

Scenario Solution
The interface connects to a host. – Disconnect the host after obtaining

permission from the administrator.
When the attack stops, connect the
host to the network again.
– Run the port-security enable
command on the interface to enable
port security or run the mac-limit
command to set the maximum number
of MAC address entries to 1.
The interface connects to a hub. – Analyze packets mirrored from the

interface or use a another tool to
analyze packets received by the
interface to locate the attacking host.
Disconnect the host after obtaining
permission from the administrator.
Connect the host to the hub again only
after confirming that it no longer
sends attacking packets.
– Disconnect hosts connected to the hub
one by one after obtaining permission
from the administrator. If the fault is
rectified after a host is disconnected,
the host is the attacker. After the host
stops the attack, connect it to the hub
again.
----End
2.11 FAQs
2.11.1 How Do I Enable and Disable MAC Address Flapping

Detection?
Version Enable MAC Address Disable MAC Address

Flapping Detection Flapping Detection
Versions earlier than Run the loop-detect eth-loop Run the undo loop-detect eth-
V200R001 support alarm-only in the VLAN view. loop alarm-only in the VLAN
only MAC address view.
flapping detection in
a VLAN.


V200R001 and later Run the mac-address flapping Run the undo mac-address
versions support detection in the system view. flapping detection in the
global MAC address system view.
all VLANs. By
default, global MAC
address flapping
detection is enabled.
2.11.2 How Do I Check MAC Address Flapping Information?

Version Command
Versions earlier than display trapbuffer

V200R001
V200R001 and later display trapbuffer or display mac-address flapping record

versions
2.11.3 What Should I Do When Finding a MAC Address Flapping

Alarm?
If the alarm is reported only once, ignore it.
If the alarm is reported multiple times, find the first and second interfaces where the MAC
address is learned. Shut down the second interface to locate the loop. Then adjust the
networking to remove the loop.
2.11.4 How Do I Rapidly Determine a Loop?
Check whether MAC address flapping occurs to rapidly determine a loop on a network.
Generally, a loop occurs if a MAC address flapping alarm is generated consecutively.
Enable MAC address flapping detection according to the following table.

Versions earlier than Run the loop-detect eth-loop Run the undo loop-detect eth-
V200R001 support alarm-only in the VLAN view. loop alarm-only in the VLAN
only MAC address view.
a VLAN.


V200R001 and later Run the mac-address flapping Run the undo mac-address
versions support detection in the system view. flapping detection in the
global MAC address system view.
all VLANs. By
default, global MAC
address flapping
detection is enabled.
Check whether MAC address flapping occurs according to the following table.
Version Command
Versions earlier than display trapbuffer

V200R001
V200R001 and later display trapbuffer or display mac-address flapping record

versions
2.12 Reference
The following table lists the references of this document.
IEEE 802.1D Standard for Information technology-- -

Telecommunications and information
exchange between systems--IEEE
standard for local and metropolitan area
networks--Common specifications--
Media access control (MAC) Bridges
IEEE 802.1Q IEEE standard for Local and -

Metropolitan Area Networks: Virtual
Bridged Local Area Networks

Configuration Guide - Ethernet Switching 3 Link Aggregation Configuration
3 Link Aggregation Configuration
About This Chapter
This chapter describes how to configure link aggregation. Link aggregation bundles multiple
Ethernet links into a logical link to increase bandwidth, improve reliability, as well as load
balance traffic.
3.1 Introduction to Link Aggregation

3.2 Principles
3.3 Applications
3.6 Default Settings
3.7 Configuring Ethernet Link Aggregation
3.8 Maintaining Link Aggregation
Maintaining link aggregation includes monitoring the link aggregation running status and
clearing LACPDU statistics.
3.10 Common Configuration Errors
3.11 FAQ
3.12 References

3.1 Introduction to Link Aggregation
Definition
Ethernet link aggregation, also called Eth-Trunk, bundles multiple physical links to form a
logical link to increase link bandwidth. The bundled links implement redundancy, increasing
reliability.
Purpose
As the network scale expands, users have increasingly high requirements on the bandwidth
and reliability of the Ethernet backbone network. Originally, to increase the bandwidth, users
used high-speed cards or devices with high-speed interface cards to replace old interface cards
or devices. This solution, however, is costly and inflexible.
Link aggregation increases bandwidth by bundling a group of physical interfaces into a single
logical interface, without the need to upgrade hardware. In addition, link aggregation provides
link backup mechanisms, greatly improving link reliability.
Link aggregation has the following advantages:
l Increased bandwidth
The bandwidth of the link aggregation interface is the sum of bandwidth of member
interfaces.
l Higher reliability
When an active link fails, traffic on this active link is switched to another active link,
improving reliability of the link aggregation interface.
l Load balancing
In a link aggregation group (LAG), traffic is load balanced among active links of
member interfaces.
3.2 Principles
3.2.1 Concepts
In Figure 3-1, DeviceA and DeviceB are connected through three Ethernet physical links.
These three Ethernet physical links are bundled into an Eth-Trunk link, increasing bandwidth
and reliability.

Figure 3-1 Eth-Trunk networking
Link aggregation concepts are described as follows:

l LAG and LAG interface
A link aggregation group (LAG) is a logical link composed of multiple Ethernet links.
Each LAG corresponds to a logical interface, either a link aggregation interface or an
Eth-Trunk. The Eth-Trunk can be used as a common Ethernet interface with one
difference: The Eth-Trunk uses one or more member interfaces to forward data.
l Member interface and member link
The interfaces that constitute an Eth-Trunk are member interfaces. A link corresponding
to a member interface is a member link.
l Active and inactive interfaces and links
There are two types of interfaces in an LAG: active interfaces that forward data and
inactive interfaces that do not forward data.
The link connected to an active interface is an active link, whereas the link connected to
an inactive interface is an inactive link.
l Upper threshold for the number of active interfaces
When the number of active interfaces reaches this threshold, any additional member
links will be set to Down. This guarantees higher network reliability by allowing those
links to act as backups.
NOTE
The upper threshold for the number of active interfaces does not apply to the manual load
balancing mode.
l Lower threshold for the number of active interfaces
When the number of active interfaces falls below the lower threshold, the Eth-Trunk
goes Down. This ensures that an active Eth-Trunk has the minimum required bandwidth.
For example, if the Eth-Trunk is required to provide a minimum bandwidth of 2 Gbit/s
and each member link's bandwidth is 1 Gbit/s, the minimum number of Up member links
must be set to 2 or larger.
l Link aggregation mode
There are two link aggregation modes: manual and Link Aggregation Control Protocol
(LACP). Table 3-1 compares the two modes.

Table 3-1 Comparisons between link aggregation modes

Item Manual Mode LACP Mode
Definition You must manually create An Eth-Trunk is created

an Eth-Trunk and add using LACP. LACP
member interfaces to the provides a standard
Eth-Trunk. This mode negotiation mechanism for
does not require devices to a switching device so that
support LACP. the switching device can
be configured to
automatically form and
start aggregated links.
After an aggregated link is
formed, LACP is
responsible for
maintaining the link. If
link aggregation
conditions or requirements
change, LACP can adjust
or remove the aggregated
link.
LACP required No Yes
Data forwarding Generally, all links are Generally, only some links
active links. If one active are active links. If an
link fails, traffic is load active link fails, the
balanced among the system selects a link
remaining active links. among inactive links to
replace it. This ensures
that the total number of
links performing data
forwarding remains
unchanged.
Support for inter-device No Yes

link aggregation
Fault detection This mode can only detect This mode can detect
member link member link
disconnections, but cannot disconnections and other
detect other faults such as faults such as link layer
link layer faults and faults and incorrect link
incorrect link connections. connections.
NOTE
For more information, see 3.2.2 Link Aggregation in Manual Mode and 3.2.3 Link Aggregation in
LACP Mode.
l Link aggregation modes supported by the device
– Intra-card: Member interfaces of an Eth-Trunk are located on the same card.

– Inter-card: Member interfaces of an Eth-Trunk are located on different cards.

– Inter-chassis: Member interfaces of an Eth-Trunk are located on member devices of
a CSS. For details, see 3.2.5 Link Aggregation in CSS Scenarios.
– Inter-device: The inter-device link aggregation refers to Enhanced Trunk (E-Trunk).
E-Trunk allows links between multiple devices to be aggregated using LACP. For
details, see 3.2.6 E-Trunk.
3.2.2 Link Aggregation in Manual Mode

Link aggregation can work in manual mode or static LACP mode depending on whether
LACP is used.
In manual mode, you must manually create an Eth-Trunk and add member interfaces to the
Eth-Trunk. Manual mode can be used when two directly connected devices require a high link
bandwidth between them, but the remote device does not support the LACP protocol.
In Figure 3-2, an Eth-Trunk is created between DeviceA and DeviceB. In manual mode, three
active links participate in data forwarding and load balance traffic. When one link becomes
faulty, the remaining two links can still load balance traffic assuming the remaining pipes
have sufficient bandwidth.
Figure 3-2 Link aggregation in manual mode

DeviceA DeviceB
A%
B%
Eth-Trunk
C%
A%+B%+C%=100%
One link is faulty
DeviceA DeviceB
D%
E%
Eth-Trunk
D%+E%=100%
3.2.3 Link Aggregation in LACP Mode

Background
While an Eth-Trunk in manual mode can increase bandwidth, it can only detect member link
disconnections. It cannot detect other faults such as link layer faults and incorrect link
connections.
The Link Aggregation Control Protocol (LACP) can improve fault tolerance of the Eth-Trunk,
implement backup, and ensure high reliability of member links.
LACP provides a standard negotiation mechanism for a switching device so that the switching
device can be configured to automatically form and start aggregated links. After an
aggregated link is formed, LACP is responsible for maintaining the link. If link aggregation
conditions or requirements change, LACP can adjust or remove the aggregated link.
For example, in Figure 3-3, four interfaces on DeviceA are bundled into an Eth-Trunk and the
Eth-Trunk is connected to the corresponding interfaces on DeviceB. One of the interfaces on

DeviceA is incorrectly connected to an interface on DeviceC so DeviceA may incorrectly

send data destined for DeviceB to DeviceC. An Eth-Trunk in manual mode cannot quickly
detect this fault.
If LACP is enabled on DeviceA and DeviceB, the Eth-Trunk correctly selects active links to
forward data after LACP negotiations. This ensures that data reaches the correct destination.
Figure 3-3 Incorrect Eth-Trunk connection

DeviceA DeviceB
Eth-Trunk
DeviceC
Concepts
l LACP system priority
LACP system priorities are set on devices at both ends of an Eth-Trunk. In LACP mode,
active member interfaces selected by both devices must be consistent with each other;
otherwise, an LAG cannot be established. To ensure consistency between active member
interfaces at both ends, set a higher priority for one device. The remote device will select
active member interfaces based on the priority. A smaller LACP system priority value
indicates a higher LACP system priority.
l LACP interface priority
Interface LACP priorities are used to prioritize interfaces of an Eth-Trunk. Interfaces
with higher priorities are selected as active interfaces. A smaller LACP interface priority
value indicates a higher LACP interface priority.
l M:N backup of member interfaces
In LACP mode, LACP is used to negotiate parameters to determine active links in an
LAG. This is also called the M:N mode, where M is the number of active links and N is
the number of backup links. This mode guarantees high reliability and allows traffic to
be load balanced among the active links.
In Figure 3-4, M+N links with the same attributes (in the same LAG) are set up between
two devices. When data is transmitted over the aggregated link, traffic is only load
balanced between the active links; no data is transmitted over the backup links.
Therefore, the actual bandwidth of the aggregated link is the sum of the active links'
bandwidth, and the maximum bandwidth of the aggregated link is the total bandwidth
between the active and backup links.
If one of active links fails, LACP selects a link from the backup links to replace the
faulty link. The actual bandwidth remains the same, but the maximum bandwidth of the
aggregated link is reduced accordingly.

Figure 3-4 Networking of M:N backup

DeviceA DeviceB
Eth-Trunk
Eth-Trunk 1 Eth-Trunk 1
Active link
Backup link
M:N backup is mainly applied to ensure a consistent bandwidth between two devices. If
no available backup link is found and the number of active links is smaller than the lower
threshold for the number of active interfaces, the system shuts down the LAG.
Implementation of Link Aggregation in LACP Mode

LACP, as specified in IEEE 802.3ad, implements dynamic link aggregation and de-
aggregation, allowing both ends to exchange Link Aggregation Control Protocol Data Units
(LACPDUs).
After member interfaces are added to an Eth-Trunk in LACP mode, each end sends
LACPDUs to inform its remote end of its system priority, MAC address, member interface
priorities, interface numbers, and keys. The remote end then compares this to its own
information and selects which interfaces to be aggregated. The two ends perform LACP
negotiation to select active interfaces and links.
Figure 3-5 shows the format of an LACPDU.

Figure 3-5 Fields in an LACPDU

Destination Address
Source Address
Length/Type
Subtype=LACP
Version Number
TLV_type=Actor Information
Actor_Information_Length=20
Actor_System_Priority
Actor_System
Actor_Key
Actor_Port_Priority
Actor_Port
Actor_State
Reserved
TLV_type=Partner Information
Partner_Information_Length=20
Partner_System_Priority
Partner_System
Partner_Key
Partner_Port_Priority
Partner_Port
Partner_State
Reserved
TLV_type=Collector Information
Collector_Information_Length=16
CollectorMaxDelay
Reserved
TLV_type=Terminator
Terminator_Length=0
Reserved
FCS
The following table describes the meaning of each field.

Item Description
Actor_Port/Partner_Port Interface of the Actor or Partner.
Actor_State/Partner_State Status of the Actor or Partner.
Actor_System_Priority/ System priority of the Actor or Partner.

Partner_System_Priority
Actor_System/Partner_System System ID of the Actor or Partner.
Actor_Key/Partner_Key Operational key of the Actor or Partner.
Actor_Port_Priority/Partner_Port_Priority Interface priority of the Actor or Partner.

NOTE
The device with the higher system priority becomes the Actor. If the two devices have the same system
priority, the device with a smaller MAC address functions as the Actor.
l An Eth-Trunk in LACP mode is set up as follows:

a. Devices at both ends send LACPDUs to each other.
In Figure 3-6, you need to create an Eth-Trunk in LACP mode on DeviceA and
DeviceB and add member interfaces to the Eth-Trunk. LACP then is enabled on the
member interfaces, and devices at both ends send LACPDUs to each other.
Figure 3-6 LACPDUs sent in LACP mode
DeviceA LACPDU DeviceB
LACPDU
b. Devices at both ends determine the Actor and active links.

In Figure 3-7, devices at both ends receive LACPDUs from each other. When each
device receives LACPDUs from the other device, they check and record
information about that device and compare system priorities. The device with the
higher system priority becomes the Actor. If the two devices have the same system
After devices at both ends select the Actor, they select active interfaces according to
the priorities of the Actor's interfaces. Then active interfaces are selected, active
links in the LAG are specified, and load balancing is implemented among these
active links.
Figure 3-7 Selecting the Actor in LACP mode
LACP port priority LACP port priority

DeviceA
1 3 DeviceB
2 2
3 1
The device with higher The device with lower
system priority system priority
Compare system priority
and determine the Actor
LACP port priority LACP port priority
DeviceA 1 3 DeviceB
2 2
3 1
Actor
The Actor determines
active links
LACP port priority
DeviceA LACP port priority DeviceB
1 3
2 2
3 1
Actor

l LACP preemption
When LACP preemption is enabled, interfaces with higher priorities in an LAG will
always be the active interfaces as long as they are available.
In Figure 3-8, Port 1 and Port 2 are active interfaces because their LACP priorities are
higher, and Port 3 is used as the backup interface.
Figure 3-8 LACP preemption
DeviceA LACP port priority DeviceB

Port 1 10 Port 1
Port 2 20 Eth-Trunk Port 2
Port 3 30 Port 3
Actor
Active link
Backup link
LACP preemption is used in the following scenarios:

– Port 1 becomes faulty, causing Port 3 to replace Port 1 to transmit services. After
Port 1 recovers, if LACP preemption is not enabled on the Eth-Trunk, Port 1
remains in the backup state. If LACP preemption is enabled on the Eth-Trunk, Port
1 will replace Port 3 once it is restored.
– With LACP preemption enabled, setting a higher LACP priority value for Port 3
will allow it to replace Port 1 or Port 2 as an active interface. If LACP preemption
is not enabled, the system does not re-select active interfaces even if the priority of
a backup interface is set higher than that of an active interface.
l LACP preemption delay
If a backup link is switched to an active link through LACP preemption, it will wait for a
set period of time before switching. This period is called LACP preemption delay. The
LACP preemption delay is used to prevent unstable data transmission over an Eth-Trunk
link caused by frequent status changes of member links.
l Switchover between active and inactive links
In LACP mode, a link switchover in an LAG is triggered if a device at one end detects
one of the following events:
– An active link goes Down.
– Ethernet OAM detects a link fault.
– LACP detects a link fault.
– An active interface becomes unavailable.
– When LACP preemption is enabled, a backup interface's priority is changed to be
higher than that of the current active interface.
When any of the preceding events occurs, the following actions are performed:
a. Shut down any faulty link.
b. Select the backup link with the highest priority among the backup links to replace
the faulty active link.
c. The highest priority backup link becomes the active link and begins forwarding
data.

3.2.4 Load Balancing Modes of Link Aggregation
Background
A data flow is a group of data packets with one or more identical attributes. The attributes
include the source MAC address, destination MAC address, source IP address, destination IP
address, source TCP/UDP port number, and destination TCP/UDP port number.
Load balancing can be classified as packet- or flow-based load balancing.
l Packet-based load balancing

This type of load balancing allows devices to fully use the multiple physical links
between both devices of the Eth-Trunk, transmitting data frames of the same data flow
over different physical links. A potential problem arises in that the second data frame
may arrive at the remote device earlier than the first data frame, resulting in out-of-order
packets.
l Flow-based load balancing
This type of load balancing allows the system to use a hash algorithm to calculate the
address in a data frame and generates a HASH-KEY value. Then the system searches for
the outbound interface in the Eth-Trunk forwarding table based on the generated HASH-
KEY value. Each MAC or IP address corresponds to a specific HASH-KEY value, so the
system uses different outbound interfaces to forward data. This mode ensures that frames
of the same data flow are forwarded on the same physical link and implements load
balancing of data flows. Flow-based load balancing ensures the correct sequence of data
transmission, but cannot ensure efficient bandwidth usage.
NOTE
Switches support only flow-based load balancing.
Forwarding Principle
In Figure 3-9, an Eth-Trunk is deployed in the data link layer between the LLC and MAC
sub-layers.
Figure 3-9 Eth-Trunk in the Ethernet protocol stack
LLC
Data link Eth-Trunk
layer
MAC
Physical layer PHY
The Eth-Trunk module maintains a forwarding table that consists of the following entries:
l HASH-KEY value
The HASH-KEY value is calculated through the hash algorithm based on the MAC
address or IP address in a data packet.
l Interface number

Eth-Trunk forwarding entries are related to the number of member interfaces in an Eth-
Trunk. Different HASH-KEY values map to different outbound interfaces.
For example, an Eth-Trunk supports a maximum of eight member interfaces. If physical
interfaces 1, 2, 3, and 4 are bundled into an Eth-Trunk, the Eth-Trunk forwarding table
contains four entries, as shown in Figure 3-10. In the Eth-Trunk forwarding table, the
HASH-KEY values are 0, 1, 2, 3, 4, 5, 6, and 7, and the corresponding interface numbers
are 1, 2, 3, 4, 1, 2, 3, and 4.
Figure 3-10 Example of an Eth-Trunk forwarding table
HASH-KEY 0 1 2 3 4 5 6 7
PORT 1 2 3 4 1 2 3 4
The Eth-Trunk module forwards a packet according to the Eth-Trunk forwarding table:
1. The Eth-Trunk module receives a packet from the MAC sub-layer, and then extracts its
source MAC address/IP address or destination MAC address/IP address.
2. The Eth-Trunk module calculates the HASH-KEY value using the hash algorithm.
3. Using the HASH-KEY value, the Eth-Trunk module searches the Eth-Trunk forwarding
table for the interface number, and then sends the packet from the corresponding
interface.
Load Balancing Modes

To prevent out-of-order data packets, an Eth-Trunk uses flow-based load balancing. Data
forwarding varies depending on the load balancing mode.
You can use the following flow-based load balancing modes:
l Based on source MAC addresses of packets
l Based on destination MAC addresses of packets
l Based on source IP addresses of packets
l Based on destination IP addresses of packets
l Based on the Exclusive-Or result of source and destination MAC addresses of packets
l Based on the Exclusive-Or result of source and destination IP addresses of packets
l Enhanced load balancing: based on VLAN IDs and source physical interface numbers
for Layer 2, IPv4, IPv6, and MPLS packets
When configuring a load balancing mode, pay attention to the following points:
l The load balancing mode is only effective for traffic on the outbound interface. If traffic
on the inbound interface is not balanced, change the load balancing mode of the uplink
outbound interface.
l Data flows should be load balanced among all active links. If data flows are transmitted
over one link, traffic congestion may occur and services will be affected.
For example, when data packets have only one destination MAC address and IP address,
use load balancing based on the source MAC address and IP address of packets. If load
balancing based on the destination MAC address and IP address is used, traffic is
transmitted over one link, causing congestion.

3.2.5 Link Aggregation in CSS Scenarios

Concepts
l CSS
A CSS is a logical device formed by connecting multiple devices through CSS cables. In
Figure 3-11, DeviceB and DeviceC are connected in a CSS.
l Inter-chassis Eth-Trunk
Different physical device interfaces in a CSS aggregate to form a logical Eth-Trunk
interface. When a device in the CSS or a physical device interface in the Eth-Trunk fails,
traffic can be transmitted between devices through CSS cables. The inter-chassis Eth-
Trunk ensures reliable transmission and implements device backup.
l Preferential forwarding of local traffic
As shown in Figure 3-11 (b), traffic from DeviceB or DeviceC is only forwarded
through local member interfaces. In Figure 3-11 (a), traffic is forwarded across devices
through CSS cables.
Figure 3-11 Inter-chassis Eth-Trunk
DeviceA DeviceA
Eth-Trunk Eth-Trunk
CSS CSS
DeviceB DeviceC DeviceB DeviceC
a. The Eth-Trunk is not configured b. The Eth-Trunk is configured to

to preferentially forward local preferentially forward local
interface traffic. interface traffic.
Data flow 1
Data flow 2
CSS cable

Preferential Forwarding of Local Traffic by an Inter-Chassis Eth-Trunk

In a CSS, an Eth-Trunk is configured to be the outbound interface of traffic to ensure reliable
transmission. Member interfaces of the Eth-Trunk are located on different devices. When the
CSS forwards traffic, the Eth-Trunk may select an inter-chassis member interface based on
the hash algorithm. This forwarding mode occupies bandwidth resources between devices and
reduces traffic forwarding efficiency.
In Figure 3-11, DeviceB and DeviceC form a CSS, and the CSS connects to DeviceA through
an Eth-Trunk. After the Eth-Trunk in the CSS is configured to preferentially forward local
traffic, the following features are realized:
l Forwarding received traffic by the local device
If DeviceB has member interfaces of the Eth-Trunk and these interfaces are properly
functioning, the Eth-Trunk forwarding table of DeviceB contains only local member
interfaces. Therefore, the hash algorithm selects a local member interface, and traffic is
only forwarded through DeviceB.
l Forwarding received traffic by another device
If DeviceB does not have any member interfaces of the Eth-Trunk or all member
interfaces are faulty, the Eth-Trunk forwarding table of DeviceB contains all available
member interfaces. Therefore, the hash algorithm selects a member interface on
DeviceC, and traffic is forwarded through DeviceC.
NOTE
l This function is only valid for known unicast packets, and does not work with unknown unicast
packets, broadcast packets, and multicast packets.
l Before configuring an Eth-Trunk to preferentially forward local traffic, ensure that member
interfaces of the local Eth-Trunk have sufficient bandwidth to forward local traffic; otherwise, traffic
may be discarded.
3.2.6 E-Trunk
Enhanced Trunk (E-Trunk) is an extension of LACP. It controls and implements link
aggregation among multiple devices. E-Trunk implements device-level link reliability, instead
of the card-level link reliability implemented by LACP.
E-Trunk is mainly applied to a scenario where a CE is dual-homed to a VPLS, VLL, or PWE3
network. Without E-Trunk, a CE can connect to only one PE by using an Eth-Trunk link. If
the Eth-Trunk or PE fails, the CE cannot communicate with the PE. By using E-Trunk, the CE
can be dual-homed to PEs to protect PEs and links between the CE and PEs, enabling device-
level protection.

Figure 3-12 E-Trunk networking

PE1
Eth-Trunk10
Eth-Trunk20
E-Trunk1
CE
Eth-Trunk10 PE2
Basic Concepts
l LACP system priority
LACP system priorities are used to differentiate priorities of devices at both ends of an
Eth-Trunk link. A smaller value indicates a higher LACP system priority.
l System ID
In LACP, the system ID is used to determine the priorities of the two devices at both
ends of an Eth-Trunk link if their LACP priorities are the same. A smaller system ID
indicates a higher priority. By default, the system ID is the MAC address of an Eth-
Trunk.
To enable a CE to consider the PEs as a single device, you must configure the same
system LACP priority and system ID for the PEs at both ends of an E-Trunk link.
l E-Trunk priority
The E-Trunk priority determines the master/backup status of two devices in an LAG. A
device with a higher E-Trunk priority becomes the master device, and the other one
becomes the backup device. A smaller E-Trunk priority value indicates a higher E-Trunk
priority.
l E-Trunk ID
An E-Trunk ID is an integer that identifies an E-Trunk.
l Working mode
The working mode depends on the working mode of the Eth-Trunk added to the E-
Trunk. The Eth-Trunk can work in one of the following modes:
– Automatic
– Forced master
– Forced backup
l Timeout interval
The master and backup devices in an E-Trunk periodically send hello packets to each
other. If the backup device does not receive any hello packets within the timeout interval,
it becomes the master device.

E-Trunk Working Principle

The E-Trunk working process is as follows:
l Master/Backup status negotiation

Using Figure 3-12 as an example, the CE is directly connected to PE1 and PE2, and E-
Trunk1 runs between PE1 and PE2.
– PE
The same Eth-Trunk and E-Trunk are created on PE1 and PE2. In addition, the Eth-
Trunks are added to the E-Trunk.
– CE
An Eth-Trunk in LACP mode is configured on the CE. The CE is connected to PE1
and PE2 through the Eth-Trunk.
The E-Trunk is invisible to the CE.
a. Determine the E-Trunk master/backup status.
PE1 and PE2 negotiate the E-Trunk master/backup status by exchanging E-Trunk
packets. After the negotiation, one PE functions as the master and the other as the
backup.
The master/backup status of a PE depends on the E-Trunk priority and E-Trunk ID
carried in E-Trunk packets. The PE with the higher E-Trunk priority functions as
the master device. If the E-Trunk priorities of the PEs are the same, the PE with the
smaller E-Trunk system ID functions as the master device.
b. Determine the master/backup status of a member Eth-Trunk in the E-Trunk.
The master/backup status of a member Eth-Trunk in the E-Trunk is determined by
its E-Trunk status and the remote Eth-Trunk status.
In Figure 3-12, PE1 and PE2 are at both ends of the E-Trunk link. In this example,
PE1 is considered the local device and PE2 is the remote device.
Figure 3-12 describes the status of each member Eth-Trunk in the E-Trunk.
Table 3-2 Master/Backup status of an E-Trunk and its member Eth-Trunks

Local E-Trunk Working Mode Remote Eth- Local Eth-
Status of the Local Trunk Status Trunk Status
Eth-Trunk
- Forced master - Master
- Forced backup - Backup
Master Automatic Down Master
Backup Automatic Down Master
Backup Automatic Up Backup
In normal situations:
n PE1 functions as the master and Eth-Trunk 10 of PE1 enters the master state
with a link status of Up.

n PE2 functions as the backup and Eth-Trunk 10 of PE2 enters the backup state
with a link status of Down.
If the link between the CE and PE1 fails, the following occurs:
i. PE1 sends an E-Trunk packet containing information about faulty Eth-Trunk
10 of PE1 to PE2.
ii. After receiving the E-Trunk packet, PE2 finds that Eth-Trunk 10 on PE1 is
faulty. Eth-Trunk 10 on PE2 becomes the master. Through LACP negotiation,
Eth-Trunk 10 on PE2 becomes Up.
The Eth-Trunk status on PE2 becomes Up, and traffic from the CE is
forwarded through PE2, preventing traffic interruption.
If PE1 fails, the following occurs:
i. If the PEs are configured with BFD, PE2 detects that the BFD session status
becomes Down and then switches to be the master, and Eth-Trunk 10 on PE2
enters the master state.
ii. If the PEs are not configured with BFD, PE2 will not receive any E-Trunk
packets from PE1 before the timeout, causing PE2 to take over as the master.
Eth-Trunk 10 on PE2 will also function as the master.
Through LACP negotiation, Eth-Trunk 10 on PE2 becomes Up. The traffic of
the CE is forwarded through PE2. This protects traffic destined for the remote
CE.
l Sending and receiving of E-Trunk packets
E-Trunk packets carrying the source IP address and port number configured on the local
device are sent through UDP. E-Trunk packets are sent in the following situations:
– The packet sending timer times out.
– The configurations change. For example, the E-Trunk priority, packet sending
interval, timeout interval multiplier, or the source/destination IP address of the E-
Trunk changes, or member Eth-Trunks are added or deleted.
– A member Eth-Trunk fails or recovers.
E-Trunk packets need to carry their timeout interval. The remote device uses this interval
as the timeout interval of the local device.
l BFD
BFD enables a device to quickly detect a fault on the remote device based on the timeout
interval of received packets. The IP address of the remote device needs to be specified on
the local device, and a BFD session needs to be established to detect the reachability of
the route to the remote device. Then the E-Trunk can detect any fault detected by BFD.
l Switchback mechanism
If the Eth-Trunk on the local device in master state goes Down or the local device fails,
the remote device becomes the master and the member Eth-Trunk becomes Up.
When the local device recovers, the local Eth-Trunk enters the LACP negotiation state.
After LACP informs the local E-Trunk that the negotiation capability is Up, the local
device starts the switchback delay timer. After the switchback delay timer expires, the
local Eth-Trunk becomes the master and goes Up after LACP negotiation.

E-Trunk Constraints
Using Figure 3-12 as an example, to improve reliability links between the CE and PEs and
guarantee that traffic is properly switched between these links, pay attention to the following
points:
l The configurations at both ends of the E-Trunk link must be consistent. The Eth-Trunks
linked directly to the PEs and the CE must be configured with the same working rate and
duplex mode so that both Eth-Trunks have the same key and join the same E-Trunk.
After the Eth-Trunks are added to the E-Trunk, both PEs must contain the LACP system
priorities and IDs. The interfaces connecting the CE to PE1 and PE2 must be added to
the same Eth-Trunk. The Eth-Trunk on the CE can have a different ID from that of the
PEs. For example, the CE is configured with Eth-Trunk 1, and both PEs are configured
with Eth-Trunk 10.
l To ensure Layer 3 connectivity, the IP address of the local PE must be the same as the
local address of the remote PE and the IP address of the remote PE must be the same as
the remote address of the local PE. Therefore, it is recommended that the addresses of
the PEs are configured as loopback interface addresses.
l The E-Trunk must be bound to a BFD session.
l The two PEs must be configured with the same security key.
3.3 Applications
3.3.1 Switches Directly Connected Through Link Aggregation

In Figure 3-13, traffic of services with different priorities is sent to the core network through
the UPE and PE-AGG. Eth-Trunk 1 is established to ensure the bandwidth and reliability of
the link between the UPE and PE-AGG.
Figure 3-13 Link aggregation networking
Core
Network
PE-AGG
Eth-Trunk 1
UPE
…… ……
VoIP DATA
IPTV

If devices at both ends of the Eth-Trunk support LACP, LACP mode is recommended;
otherwise, you must use manual mode.
QoS can be implemented on an Eth-Trunk as a common interface. This allows for traffic
shaping, congestion management, and congestion avoidance on outgoing traffic at both ends
(UPE and PE-AGG) of Eth-Trunk 1, ensuring that high-priority packets are sent promptly.
3.3.2 Switches Connected Across a Transmission Device Through

Link Aggregation
In Figure 3-14, a transmission device needs to be deployed between two switches that are far
away from each other to ensure reliable communication. In addition, link aggregation is
configured between the two switches to enhance link bandwidth and reliability.
In addition to the configuration notes in 3.5 Configuration Notes, pay attention to the
following points:
l The switches at both ends must use link aggregation in LACP mode.
l The transmission device between switches must be configured to transparently transmit
LACPDUs.
Figure 3-14 Switches connected across a transmission device through link aggregation
Transmission
device
3.3.3 Switches Connecting to Transmission Devices Through Link

Aggregation
In Figure 3-15, one core site and multiple access sites are deployed. The sites are far away
from each other, so transmission devices need to be deployed between devices to ensure
communication. At each site, link aggregation is deployed between the switch and the
transmission device to improve reliability.
following point:
l The link aggregation mode on the transmission device must be the same as that of the
switch. Configure the transmission device according to its operation guide.

Figure 3-15 Switches connecting to transmission devices through link aggregation

Core site
Transmission
device
Transmission Transmission
device device
Access Access
site 1 site 3
Transmission
device
Access
site 2
3.3.4 A Switch Connecting to a Server Through Link Aggregation

In Figure 3-16, two or more network adapters of the server are aggregated to form a network
adapter group to improve server bandwidth and reliability. This grouping can implement load
balancing and redundancy.
following points:
l Network adapters of the server must be the same model.
l The link aggregation modes on the server and access device must match.
Intel network adapter is used as an example. A server often uses static or IEEE 802.3ad
dynamic link aggregation. When the server uses static link aggregation, the access device
must use the manual mode. When the server uses IEEE 802.3ad dynamic link
aggregation, the access device must use the LACP mode.
NOTE
Different models of network adapters use different link aggregation configurations. See the corresponding
network adapter operation guide for more information.

Figure 3-16 A switch connecting to a server through link aggregation
Network
Eth-Trunk 1
3.3.5 A Switch Connecting to a CSS Through Link Aggregation

In Figure 3-17, the switch connects to a CSS using link aggregation, and the Eth-Trunk is
configured to preferentially forward local traffic. Preferentially forwarding local traffic
ensures reliable transmission, reduces the load on devices in the CSS, and improves
forwarding efficiency.

Figure 3-17 Preferentially forwarding local traffic
Network
CSS
VLAN 2 VLAN 3
VLAN 2 data flow

VLAN 3 data flow
3.3.6 Using E-Trunk to Implement Link Aggregation Across

Devices
In Figure 3-18, the Enhanced Trunk (E-Trunk) protects the links between CE1 and the two
PEs (PE1 and PE2) on the network. CE1 is connected to PE1 and PE2 using two Eth-Trunks
in LACP mode, which are formed into an E-Trunk to implement redundancy and enhance
network reliability.

Figure 3-18 E-Trunk networking

Loopback1
PE1
Eth-Trunk10
Eth-Trunk20
E-Trunk1 Internet
CE1
Eth-Trunk10 PE2
Loopback1

Table 3-3 describes the link aggregation configuration tasks.
Table 3-3 Link aggregation configuration tasks

Scenario Task
Switches Directly Connected Through Link Perform either of these two operations:
Aggregation l 3.7.1 Configuring Link Aggregation in
Manual Mode
l 3.7.2 Configuring Link Aggregation in
LACP Mode
Switches Connected Across a Transmission 3.7.2 Configuring Link Aggregation in

Device Through Link Aggregation LACP Mode
A Switch Connecting to a Server Through Perform either of these two operations:

Link Aggregation l 3.7.1 Configuring Link Aggregation in
Manual Mode
l 3.7.2 Configuring Link Aggregation in
LACP Mode

Scenario Task
A Switch Connecting to a CSS Through 1. Perform either of these two operations:

Link Aggregation l 3.7.1 Configuring Link
Aggregation in Manual Mode
l 3.7.2 Configuring Link
Aggregation in LACP Mode
2. 3.7.3 Configuring Preferential
Forwarding of Local Traffic in a CSS
Using E-Trunk to Implement Link These two operations must be performed:

Aggregation Across Devices 1. 3.7.2 Configuring Link Aggregation in
LACP Mode
2. 3.7.5 Configuring an E-Trunk

License Support
Ethernet link aggregation is a basic feature of a switch and is not under license control.
Version Support
Table 3-4 Products and versions supporting link aggregation

Model
S7700 S7703, V100R003C01, V100R006C00, V200R001(C00&C01),

S7706, V200R002C00, V200R003C00, V200R005C00,
S7712 V200R006C00, V200R007C00, V200R008C00,
V200R009C00, V200R010C00
S9700 S9703, V200R001(C00&C01), V200R002C00, V200R003C00,

S9706, V200R005C00, V200R006C00, V200R007C00,
S9712 V200R008C00, V200R009C00, V200R010C00
NOTE

Configuration Notes Before an Eth-Trunk Is Configured

l Each Eth-Trunk contains a maximum of eight member interfaces.

If the device is equipped with cards specified in the assign trunk command, you can run
the assign trunk command to set the maximum number of LAGs and the maximum
number of member interfaces in each LAG and run the display trunk configuration
command to view the configuration.
l Member interfaces cannot be configured with some services or static MAC address
entries. For example, when an interface is added to an Eth-Trunk, the interface must use
the default link type.
l An Eth-Trunk cannot be added to another Eth-Trunk.
l Member interfaces of an Eth-Trunk must use the same Ethernet type and rate.
Interfaces that use different Ethernet types and rates cannot join the same Eth-Trunk. For
example, GE and FE interfaces cannot join the same Eth-Trunk, and GE electrical and
optical interfaces can join the same Eth-Trunk.
l Both devices of the Eth-Trunk must use the same number of physical interfaces,
interface rate, duplex mode, and flow control mode.
l If an interface of the local device is added to an Eth-Trunk, an interface of the remote
device directly connected to the interface of the local device must also be added to the
Eth-Trunk so that the two ends can communicate.
l Both devices of an Eth-Trunk must use the same link aggregation mode.
l In V200R008 and earlier versions, the assign trunk command fails to be executed on the
device enabled with SVF, and Eth-Trunk specifications can only use the default settings.
l When the number of active interfaces falls below the lower threshold, the Eth-Trunk
goes Down. This ensures that the Eth-Trunk has a minimum available bandwidth.
In the following scenarios, there are other configuration notes in addition to the preceding
ones.
Table 3-5 Configuration notes in different scenarios

Usage Scenario Precaution
Switches Connected Across a Transmission l The switches at both ends must use link
Device Through Link Aggregation aggregation in LACP mode.
l The transmission device between
switches must be configured to
transparently transmit LACPDUs.
Switches Connecting to Transmission l The link aggregation mode on the

Devices Through Link Aggregation transmission device must be the same as
that of the switch. Configure the
transmission device according to its
operation guide.

A Switch Connecting to a Server Through l Network adapters of the server must be

Link Aggregation the same model.
l The link aggregation modes on the
server and access device must match.
Intel network adapter is used as an
example. A server often uses static or
IEEE 802.3ad dynamic link aggregation.
When the server uses static link
aggregation, the access device must use
the manual mode. When the server uses
IEEE 802.3ad dynamic link aggregation,
the access device must use the LACP
mode.

Switches Are Connected Through Inter-card Interfaces on different cards of a switch can
Link Aggregation join the same Eth-Trunk, that is, inter-card
Eth-Trunk. Interfaces on cards without Eth-
Trunk specification extension can constitute
an inter-card Eth-Trunk. Before interfaces
on a card with Eth-Trunk specification
extension and interfaces on another card
constitute an inter-card Eth-Trunk, use the
eth-trunk load-balance hash-mode
command to configure the hash mode for
the card with Eth-Trunk specification
extension.
l When interfaces on different cards with
Eth-Trunk specification extension form
an Eth-Trunk, ensure that the cards use
the same hash mode.
l When interfaces on the card with Eth-
Trunk specification extension form an
Eth-Trunk with interfaces on the card
without Eth-Trunk specification
extension, configure the normal hash
mode on the card with Eth-Trunk
specification extension.
In earlier versions of V200R010C00, only X
series cards among cards with Eth-Trunk
specification extension support the hash
mode configuration. The hash mode on
other cards with Eth-Trunk specification
extension has a fixed value of advance. In
V200R010C00 and later versions, interfaces
on only X series cards among cards with
Eth-Trunk specification extension can form
Eth-Trunks with interfaces on cards without
Eth-Trunk specification extension.
Interfaces on other cards with Eth-Trunk
specification extension cannot form Eth-
Trunks with interfaces on cards without Eth-
Trunk specification extension.
In V200R010C00 and later versions, cards
with Eth-Trunk specification extension
support the hash mode configuration. When
the hash mode on a card with Eth-Trunk
specification extension is set to normal,
interfaces on the card with Eth-Trunk
specification extension can form an Eth-
Trunk with interfaces on the card without
Eth-Trunk specification extension.


NOTE
Cards are classified into cards with and without
Eth-Trunk specification extension depending on
the support for the assign trunk command.
Cards with Eth-Trunk specification extension are
as follows:
l S7700: FC series, SC series, EE series, and X
series cards
l S9700: FC series, SC series, EE series, X
series, and EH1D2X48SEC0 cards
Configuration Notes After an Eth-Trunk Is Configured

l An Ethernet interface can be added to only one Eth-Trunk. To add an Ethernet interface
to another Eth-Trunk, delete it from the original one first.
l After an interface is added to an Eth-Trunk, only the Eth-Trunk learns MAC address
entries or ARP entries, but the member interface does not.
l Before deleting an Eth-Trunk, delete member interfaces from the Eth-Trunk.
Specifications
Link aggregation mode:
l Manual
l LACP
Link aggregation modes supported by the device:
l Intra-card: Member interfaces of an Eth-Trunk are located on the same card.
l Inter-card: Member interfaces of an Eth-Trunk are located on different cards.
l Inter-chassis: Member interfaces of an Eth-Trunk are located on member devices of a
CSS. For details, see 3.2.5 Link Aggregation in CSS Scenarios.
l Inter-device: The inter-device link aggregation refers to Enhanced Trunk (E-Trunk). E-
Trunk allows links between multiple devices to be aggregated using LACP. For details,
see 3.2.6 E-Trunk.
Load balancing modes supported by the device:
To prevent data packet mis-sequencing, an Eth-Trunk uses flow-based load balancing.
You can use the following load balancing modes based on actual networking:
l Based on source MAC addresses of packets
l Based on destination MAC addresses of packets
l Based on source IP addresses of packets
l Based on destination IP addresses of packets
l Based on the Exclusive-Or result of source and destination MAC addresses of packets
l Based on the Exclusive-Or result of source and destination IP addresses of packets
l Enhanced load balancing: based on VLAN IDs and source physical interface numbers
for Layer 2, IPv4, IPv6, and MPLS packets

Table 3-6 Default parameter settings of link aggregation

Link aggregation mode Manual mode
Upper threshold for the number of active 8

member links If the device is equipped with cards
specified in the assign trunk command, you
can run the assign trunk command to set
the maximum number of LAGs and the
maximum number of member interfaces in
each LAG and run the display trunk
configuration command to view the
configuration.
Lower threshold for the number of active 1

member links
LACP system priority 32768
LACP interface priority 32768
LACP preemption Disabled
LACP preemption delay 30s
Timeout interval at which LACPDUs are 90s

received
Preferentially forwarding local traffic on an Enabled

Eth-Trunk
3.7 Configuring Ethernet Link Aggregation

3.7.1 Configuring Link Aggregation in Manual Mode
Link aggregation implements load balancing, increases bandwidth, and improves transmission
reliability.
3.7.1.1 (Optional) Setting the Maximum Number of LAGs and the Maximum
Number of Member Interfaces in Each LAG
Context
A switch supports a fixed maximum number of LAGs and a fixed maximum number of
member interfaces in each LAG. When a chassis switch is only equipped with the following

cards, you can run the assign trunk command to set the maximum number of LAGs and the
maximum number of member interfaces in each LAG. This implements flexible networking
and meets requirements of various services:
l The FC-series, SC-series, the EE card of the E series, and X1E-series cards that using
advanced hash mode on the S7700.
l The EH1D2X48SEC0, FC-series, SC-series, the EE card of the E series, and X1E-series
cards that using advanced hash mode on the S9700.
Cards are classified into low-specification cards and high-specification cards depending on
the support for Eth-Trunk specification extension. The card that supports Eth-Trunk
specification extension is called high-specification card, and the card that does not support
Eth-Trunk specification extension is called low-specification card. The X1E card using the
advanced hash mode can be considered as a high-specification card, and the X1E card using
the normal hash mode can be considered as a low-specification card. The X1E card using the
normal hash mode does not support Eth-Trunk specification extension. For details about the
hash mode, see eth-trunk load-balance hash-mode.
Procedure
Step 1 Run:
system-view

Step 2 Run:
assign trunk { trunk-group group-number | trunk-member member-number }*
The maximum number of LAGs and the maximum number of member interfaces in each
LAG are set.
By default, the device supports a maximum of 128 LAGs and 8 member interfaces in each
LAG. member-number can be 2, 4, 8, 16, or 32, and member-number multiplied by group-
number cannot exceed 2048.
l When this command is used to change Eth-Trunk specifications on a switch of
V200R003, V200R005, or V200R006, you need to restart the switch to make the
configuration take effect.
V200R007 or later, you need to save the configuration restart the switch to make the
l When this command is used to change Eth-Trunk specifications, there is no buildrun
information on the switch. You can run the display trunk configuration command to
check the configuration.
l When the switch is configured with all high-specification cards, this command takes
effect. When a low-specification card is installed on this switch, the index of the Eth-
Trunk cannot be larger than 127. If the index of the Eth-Trunk is larger than 127, the
low-specification card fails to be registered and the switch generates the alarm
L2IFPPI_1.3.6.1.4.1.2011.5.25.219.2.2.13_hwBoardPowerOff.

NOTE
You can run the display reset-reason command to check the registration failure cause. The system
displays the message "This LPU only supports the trunks with index 127 or smaller than 127." If
the low-specification card must be used, you must delete the Eth-Trunk with the index larger than
127.
The index is the internal number that the switch allocates to each Eth-Trunk, and is different from
the Eth-Trunk ID. If the configured number of Eth-Trunks supported by the switch is larger than
128 and many Eth-Trunks are created on the switch, the index larger than 127 may be occupied.
The low-specification card can only use the index of 127 or smaller, the system checks the index
and limits its registration. If the non-registered low-specification card is reserved, this card cannot
be registered even if the switch restarts.
l If incoming traffic enters the Eth-Trunk on the low-specification card (excluding X1E
series cards), outgoing traffic goes out of the Eth-Trunk on the high-specification card,
and the Eth-Trunk on the high-specification card has more than eight member interfaces,
traffic may be unevenly load balanced on the Eth-Trunk of the high-specification card
and known unicast traffic can be only sent out from the eight Eth-Trunk member
interfaces.
l On the switch used as the WLAN AC, when the X1E card is deployed at the user side
and connects to downstream APs through an inter-card Eth-Trunk, if the the X1E card is
used at the network side, the number of used Eth-Trunks cannot reach the value specified
by this command and the minimum of used Eth-Trunks may be half of the value
specified by this command.
l If you use this command to modify Eth-Trunk specifications, the existing Eth-Trunk
configuration will be invalid or lost. Exercise caution when you run this command.
– When the configured Eth-Trunk specifications are reduced and the Eth-Trunks that
exceed the specifications are configured, the configuration of excess Eth-Trunks is
invalid.
– When the configured value of group-number is larger than 128 or the configured
value of member-number is larger than 16, the switch can only use the enhanced
mode to load balance known unicast packets. The common mode is invalid for the
known unicast packets.
l The assign trunk command fails to be executed on the device enabled with SVF.
----End
3.7.1.2 Creating an LAG
Context
Each LAG corresponds to an Eth-Trunk. Before configuring link aggregation, create an Eth-
Trunk.
Procedure
Step 1 Run:
system-view
Step 2 Run:
interface eth-trunk trunk-id

An Eth-Trunk is created and the Eth-Trunk interface view is displayed.
The value of trunk-id ranges from 0 to 127.
If the device is equipped with cards specified in the assign trunk command, you can run the
assign trunk command to set the maximum number of LAGs and the maximum number of
member interfaces in each LAG and run the display trunk configuration command to view
the configuration.
If the specified Eth-Trunk already exists, this command directly displays the Eth-Trunk
interface view.
----End
3.7.1.3 Setting the Manual Load Balancing Mode
Context
Link aggregation can work in manual load balancing mode and LACP mode.
In manual load balancing mode, you must manually create an Eth-Trunk and add member
interfaces to the Eth-Trunk. All active links forward data and evenly load balance traffic. The
manual load balancing mode is used when the peer device does not support LACP.
If an Eth-Trunk interface has member interfaces, you can switch the Eth-Trunk interface's
working mode between manual mode and LACP mode. However, if the Eth-Trunk interface is
added to an E-Trunk, you cannot change its working mode.
To delete existing member interfaces, run the undo eth-trunk command in the interface view
or the undo trunkport interface-type interface-number command in the Eth-Trunk interface
view.
Procedure
Step 1 Run:
system-view
Step 2 Run:
The Eth-Trunk interface view is displayed.
Step 3 Run:
mode manual load-balance
The Eth-Trunk is configured to work in manual mode.
By default, an Eth-Trunk works in manual mode.
Before configuring an Eth-Trunk, ensure that both ends use the same Eth-Trunk mode. If the
local end works in manual load balancing mode, the remote end must use the manual mode.

NOTE
When configuring an Eth-Trunk on the EH1D2S24CEA0 card of the S9700, do not configure the Eth-
Trunk to work in manual mode.
----End
3.7.1.4 Adding Member Interfaces to an Eth-Trunk
Context
Before adding member interfaces to an Eth-Trunk, see 3.5 Configuration Notes for
information about configuration notes.
You can add member interfaces to an Eth-Trunk in the Eth-Trunk interface view or member
interface view.
Interfaces on different cards of the switch can join the same Eth-Trunk. A hash mode of the
XlE card needs to be configured when interfaces on the X1E card form an Eth-Trunk with
interfaces on another card:
l Ensure that cards use the same hash mode. If interfaces on the X1E card form an Eth-
Trunk with interfaces on another card, the hash mode on the X1E card cannot be
changed. To change the hash mode, first remove interfaces on the X1E card from the
Eth-Trunk.
l When interfaces on the X1E card form an Eth-Trunk with interfaces on another high-
specification card except the X1E card, use advanced hash mode.
l When interfaces on the X1E card form an Eth-Trunk with interfaces on another low-
specification card, use normal hash mode.
NOTE
On the X1E card, if the index of the Eth-Trunk is larger than 127 or the Eth-Trunk has more than eight
member interfaces (see display trunk index-map), the hash mode cannot be changed to normal.
High-specification cards are as follows:
l The FC-series, SC-series, the EE card of the E series, and X1E-series cards that using advanced
hash mode on the S7700.
l The EH1D2X48SEC0, FC-series, SC-series, the EE card of the E series, and X1E-series cards that
using advanced hash mode on the S9700.
Figure 3-19 Recommended deployment mode (when the member interfaces of multiple Eth-
Trunks are deployed on different cards)
0 2 4 ...
Slot 1 ...
1 3 5 ...
Eth-Trunk1 Eth-Trunk2 Eth-Trunk3
0 2 4 ...
Slot 2 ...
1 3 5 ...

Figure 3-20 Deployment mode that is not recommended (when the member interfaces of
multiple Eth-Trunks are deployed on different cards)
0 2 4 ...
Slot 1 ...
1 3 5 ...
Eth-Trunk1
0 2 4 ...
... Eth-Trunk3
Slot 2
1 3 5 ...
Eth-Trunk2
0 2 4 ...
Slot 3 ...
1 3 5 ...
Procedure
l Add member interfaces to an Eth-Trunk in the Eth-Trunk interface view.
a. Run:
system-view

b. (Optional) Run:
eth-trunk load-balance hash-mode { advanced | normal } slot slot-id
A hash mode of the X1E card is configured so that interfaces on the X1E card can
form an Eth-Trunk with interfaces on another card.
c. Run:

d. Run:
trunkport interface-type { interface-number1 [ to interface-number2 ] }
&<1-8> [ mode { active | passive } ]
A member interface is added to the Eth-Trunk.
NOTE
When you add member interfaces to an Eth-Trunk in a batch, if one interface cannot be
added to the Eth-Trunk, any subsequent interfaces in the batch will also not be added to the
Eth-Trunk.
l Add member interfaces to an Eth-Trunk in the member interface view.
a. Run:
system-view

b. (Optional) Run:
c. Run:
The member interface view is displayed.

d. Run:
eth-trunk trunk-id [ mode { active | passive } ]
The member interface is added to an Eth-Trunk.

When adding an interface to an Eth-Trunk, pay attention to the following points:
– An Ethernet interface can be added to only one Eth-Trunk. To add an Ethernet
interface to another Eth-Trunk, delete it from the original one first.
– After interfaces are added to an Eth-Trunk, the Eth-Trunk learns MAC addresses
and ARP entries but member interfaces do not.
– After an Eth-Trunk is switched to a Layer 3 interface using the undo portswitch
command, its member interfaces will not support DLDP, EFM, or LLDP.
– Before deleting an Eth-Trunk, first delete the member interfaces from the Eth-
Trunk.
----End
3.7.1.5 (Optional) Setting the Lower Threshold for the Number of Active
Interfaces
Context
The lower threshold for the number of active interfaces affects the status and bandwidth of an
Eth-Trunk. To ensure that the Eth-Trunk functions properly and is resistant to member link
status changes, set the lower threshold for the number of active interfaces appropriately.
When the number of active interfaces falls below the lower threshold, the Eth-Trunk goes
Down. This ensures that an active Eth-Trunk has the minimum required bandwidth.
The upper threshold for the number of active interfaces does not apply to the manual mode.
Procedure
Step 1 Run:
system-view

Step 2 Run:

Step 3 Run:
least active-linknumber link-number

The lower threshold for the number of active interfaces is set.

By default, the lower threshold for the number of active interfaces is 1.
The lower threshold for the number of active interfaces on the local switch can be different
from that on the remote switch. If the two values are different, the larger one is used.
----End
3.7.1.6 (Optional) Configuring a Load Balancing Mode
Context
An Eth-Trunk uses flow-based load balancing. Flow-based load balancing ensures that frames
of the same data flow are forwarded on the same physical link. Different data flows are
forwarded on different physical links to balance the network load.
You can configure a common load balancing mode in which IP addresses or MAC addresses
of packets are used to load balance packets; you can also configure an enhanced load
balancing mode for Layer 2 packets, IP packets, and MPLS packets.
Load balancing is valid only for outgoing traffic; therefore, the load balancing modes for the
interfaces at both ends of the link can be different without affecting each other.
When more than 128 Eth-Trunks or 16 member interfaces are configured using the assign
trunk { trunk-group group-number | trunk-member member-number }* command, only the
enhanced mode can be used for load balancing. If the enhanced mode is not used, problems
such as packet loss and uneven load balancing may occur.
NOTE
SA series cards do not support the enhanced load balancing mode. SA series cards still use the common
load balancing mode even if enhanced load balancing is configured.
Procedure
l Configure a common load balancing mode.
a. Run:
system-view

b. Run:

c. Run:
load-balance { dst-ip | dst-mac | src-ip | src-mac | src-dst-ip | src-
dst-mac }
A load balancing mode of the Eth-Trunk is set.

The default load balancing mode is src-dst-ip.
Other load balancing modes are as follows:
n dst-ip: based on destination IP addresses
n dst-mac: based on destination MAC addresses

n src-ip: based on source IP addresses

n src-mac: based on source MAC addresses
n src-dst-ip: based on the Exclusive-Or result of source and destination IP
addresses
n src-dst-mac: based on the Exclusive-Or result of source and destination MAC
addresses
l Configure an enhanced load balancing mode.
a. Run:
system-view

b. Run:
load-balance-profile profile-name
A load balancing profile is created and its view is displayed. Only one load
balancing profile can be created.
c. Run the following commands as required. You can configure load balancing modes
for Layer 2 packets, IPv4 packets, IPv6 packets, and MPLS packets respectively.
n Run:
l2 field [ dmac | l2-protocol | smac | sport | vlan ] *
A load balancing mode of Layer 2 packets is set.

By default, load balancing of Layer 2 packets is based on the source MAC
address (smac) and destination MAC address (dmac).
n Run:
ipv4 field [ dip | l4-dport | l4-sport | protocol | sip | sport |
vlan ] *
A load balancing mode of IPv4 packets is set.

By default, load balancing of IPv4 packets is based on the source IP address
(sip) and destination IP address (dip).
n Run:
vlan ] *

n Run:
mpls field [ 2nd-label | dip | dmac | sip | smac | sport | top-label
| vlan ] *
A load balancing mode of MPLS packets is set.

By default, load balancing of MPLS packets is based on the two outer labels
(top-label and 2nd-label) of each packet.
NOTE
In an S9706, S9712, S7706, or S7712 CSS, the CSS links use the profile configured by
the load-balance-profile command to load balance traffic. If no profile for enhanced
load balancing is created, the CSS links use the default enhanced load balancing mode.
If traffic is not evenly distributed on the CSS links, some links may be congested and
packets may be dropped. To prevent this problem, it is recommended that you choose
multiple keywords in the mpls field, l2 field, ipv4 field, and ipv6 field commands
when configuring load balancing modes for various packets.

d. Run:
quit

e. Run:

f. Run:
load-balance enhanced profile profile-name
The load balancing profile is applied.

NOTE
The preceding load balancing modes apply only to known unicast traffic. To configure a load
balancing mode for unknown unicast traffic, run the unknown-unicast load-balance { dmac |
smac | smacxordmac | enhanced } command in the system view.
When the enhanced load balancing mode is used for unknown unicast traffic, specify the VLAN
ID in the load balancing profile. When the outbound interface is an Eth-Trunk and is added to a
user VLAN, multicast traffic on the device equipped with all X1E cards can be load balanced
based on the user VLAN. If other cards are installed on the device, multicast traffic on the device
cannot be load balanced based on the user VLAN.
----End
3.7.1.7 Checking the Configuration
Procedure
l Run the display eth-trunk [ trunk-id [ interface interface-type interface-number |
verbose ] ] command to check the Eth-Trunk configuration.
l Run the display trunkmembership eth-trunk trunk-id command to check information
about Eth-Trunk member interfaces.
l Run the display eth-trunk [ trunk-id ] load-balance command to check the load
balancing mode of the Eth-Trunk.
l Run the display load-balance-profile [ profile-name ] command to check the load
balancing profile of the Eth-Trunk.
l Run the display trunk configuration command to check the maximum number of
LAGs and the maximum number of member interfaces in each LAG.
----End
3.7.2 Configuring Link Aggregation in LACP Mode

Link aggregation implements load balancing, increases bandwidth, and improves transmission
reliability.
3.7.2.1 (Optional) Setting the Maximum Number of LAGs and the Maximum
Number of Member Interfaces in Each LAG

Context
A switch supports a fixed maximum number of LAGs and a fixed maximum number of
member interfaces in each LAG. When a chassis switch is only equipped with the following
cards, you can run the assign trunk command to set the maximum number of LAGs and the
maximum number of member interfaces in each LAG. This implements flexible networking
and meets requirements of various services:
l The FC-series, SC-series, the EE card of the E series, and X1E-series cards that using
advanced hash mode on the S7700.
l The EH1D2X48SEC0, FC-series, SC-series, the EE card of the E series, and X1E-series
cards that using advanced hash mode on the S9700.
Cards are classified into low-specification cards and high-specification cards depending on
the support for Eth-Trunk specification extension. The card that supports Eth-Trunk
specification extension is called high-specification card, and the card that does not support
Eth-Trunk specification extension is called low-specification card. The X1E card using the
advanced hash mode can be considered as a high-specification card, and the X1E card using
the normal hash mode can be considered as a low-specification card. The X1E card using the
normal hash mode does not support Eth-Trunk specification extension. For details about the
hash mode, see eth-trunk load-balance hash-mode.
Procedure
Step 1 Run:
system-view
Step 2 Run:
assign trunk { trunk-group group-number | trunk-member member-number }*
The maximum number of LAGs and the maximum number of member interfaces in each
LAG are set.
By default, the device supports a maximum of 128 LAGs and 8 member interfaces in each
LAG. member-number can be 2, 4, 8, 16, or 32, and member-number multiplied by group-
number cannot exceed 2048.

V200R003, V200R005, or V200R006, you need to restart the switch to make the
V200R007 or later, you need to save the configuration restart the switch to make the
l When this command is used to change Eth-Trunk specifications, there is no buildrun
information on the switch. You can run the display trunk configuration command to
check the configuration.
l When the switch is configured with all high-specification cards, this command takes
effect. When a low-specification card is installed on this switch, the index of the Eth-
Trunk cannot be larger than 127. If the index of the Eth-Trunk is larger than 127, the
low-specification card fails to be registered and the switch generates the alarm
L2IFPPI_1.3.6.1.4.1.2011.5.25.219.2.2.13_hwBoardPowerOff.

NOTE
You can run the display reset-reason command to check the registration failure cause. The system
displays the message "This LPU only supports the trunks with index 127 or smaller than 127." If
the low-specification card must be used, you must delete the Eth-Trunk with the index larger than
127.
The index is the internal number that the switch allocates to each Eth-Trunk, and is different from
the Eth-Trunk ID. If the configured number of Eth-Trunks supported by the switch is larger than
128 and many Eth-Trunks are created on the switch, the index larger than 127 may be occupied.
The low-specification card can only use the index of 127 or smaller, the system checks the index
and limits its registration. If the non-registered low-specification card is reserved, this card cannot
be registered even if the switch restarts.
l If incoming traffic enters the Eth-Trunk on the low-specification card (excluding X1E
series cards), outgoing traffic goes out of the Eth-Trunk on the high-specification card,
and the Eth-Trunk on the high-specification card has more than eight member interfaces,
traffic may be unevenly load balanced on the Eth-Trunk of the high-specification card
and known unicast traffic can be only sent out from the eight Eth-Trunk member
interfaces.
l On the switch used as the WLAN AC, when the X1E card is deployed at the user side
and connects to downstream APs through an inter-card Eth-Trunk, if the the X1E card is
used at the network side, the number of used Eth-Trunks cannot reach the value specified
by this command and the minimum of used Eth-Trunks may be half of the value
specified by this command.
l If you use this command to modify Eth-Trunk specifications, the existing Eth-Trunk
configuration will be invalid or lost. Exercise caution when you run this command.
– When the configured Eth-Trunk specifications are reduced and the Eth-Trunks that
exceed the specifications are configured, the configuration of excess Eth-Trunks is
invalid.
– When the configured value of group-number is larger than 128 or the configured
value of member-number is larger than 16, the switch can only use the enhanced
mode to load balance known unicast packets. The common mode is invalid for the
known unicast packets.
l The assign trunk command fails to be executed on the device enabled with SVF.
----End
3.7.2.2 Creating an LAG
Context
Each LAG corresponds to an Eth-Trunk. Before configuring link aggregation, create an Eth-
Trunk.
Procedure
Step 1 Run:
system-view
Step 2 Run:

The value of trunk-id ranges from 0 to 127.
the configuration.
If the specified Eth-Trunk already exists, this command directly displays the Eth-Trunk
interface view.
----End
3.7.2.3 Setting the LACP Mode
Context
Link aggregation can work in manual mode or LACP mode.
In LACP mode, you must manually create an Eth-Trunk and add member interfaces to the
Eth-Trunk. LACP then determines active interfaces through negotiation.
If an Eth-Trunk interface has member interfaces, you can switch the Eth-Trunk interface's
working mode between manual mode and LACP mode. However, if the Eth-Trunk interface is
added to an E-Trunk, you cannot change its working mode.
To delete existing member interfaces, run the undo eth-trunk command in the interface view
or the undo trunkport interface-type interface-number command in the Eth-Trunk interface
view.
Procedure
Step 1 Run:
system-view
Step 2 Run:
Step 3 Run:
mode lacp
The Eth-Trunk is configured to work in LACP mode.
By default, an Eth-Trunk works in manual mode.
Before configuring an Eth-Trunk, ensure that both ends use the same Eth-Trunk mode. If the
local end works in LACP mode, the remote end must use the LACP mode.
----End

3.7.2.4 Adding Member Interfaces to an Eth-Trunk
Context
Before adding member interfaces to an Eth-Trunk, see 3.5 Configuration Notes for
information about configuration notes.
You can add member interfaces to an Eth-Trunk in the Eth-Trunk interface view or member
interface view.
Interfaces on different cards of the switch can join the same Eth-Trunk. A hash mode of the
XlE card needs to be configured when interfaces on the X1E card form an Eth-Trunk with
interfaces on another card:
l Ensure that cards use the same hash mode. If interfaces on the X1E card form an Eth-
Trunk with interfaces on another card, the hash mode on the X1E card cannot be
changed. To change the hash mode, first remove interfaces on the X1E card from the
Eth-Trunk.
l When interfaces on the X1E card form an Eth-Trunk with interfaces on another high-
specification card except the X1E card, use advanced hash mode.
l When interfaces on the X1E card form an Eth-Trunk with interfaces on another low-
specification card, use normal hash mode.
NOTE
On the X1E card, if the index of the Eth-Trunk is larger than 127 or the Eth-Trunk has more than eight
member interfaces (see display trunk index-map), the hash mode cannot be changed to normal.
High-specification cards are as follows:
l The FC-series, SC-series, the EE card of the E series, and X1E-series cards that using advanced
hash mode on the S7700.
l The EH1D2X48SEC0, FC-series, SC-series, the EE card of the E series, and X1E-series cards that
using advanced hash mode on the S9700.
Figure 3-21 Recommended deployment mode (when the member interfaces of multiple Eth-
Trunks are deployed on different cards)
0 2 4 ...
Slot 1 ...
1 3 5 ...
Eth-Trunk1 Eth-Trunk2 Eth-Trunk3
0 2 4 ...
Slot 2 ...
1 3 5 ...

Figure 3-22 Deployment mode that is not recommended (when the member interfaces of
multiple Eth-Trunks are deployed on different cards)
0 2 4 ...
Slot 1 ...
1 3 5 ...
Eth-Trunk1
0 2 4 ...
... Eth-Trunk3
Slot 2
1 3 5 ...
Eth-Trunk2
0 2 4 ...
Slot 3 ...
1 3 5 ...
Procedure
l Add member interfaces to an Eth-Trunk in the Eth-Trunk interface view.
a. Run:
system-view

b. (Optional) Run:
c. Run:

d. Run:
trunkport interface-type { interface-number1 [ to interface-number2 ] }
&<1-8> [ mode { active | passive } ]
A member interface is added to the Eth-Trunk.
NOTE
When you add member interfaces to an Eth-Trunk in a batch, if one interface cannot be
added to the Eth-Trunk, any subsequent interfaces in the batch will also not be added to the
Eth-Trunk.
l Add member interfaces to an Eth-Trunk in the member interface view.
a. Run:
system-view

b. (Optional) Run:
c. Run:

d. Run:
eth-trunk trunk-id [ mode { active | passive } ]
The member interface is added to an Eth-Trunk.

When adding an interface to an Eth-Trunk, pay attention to the following points:
– An Ethernet interface can be added to only one Eth-Trunk. To add an Ethernet
interface to another Eth-Trunk, delete it from the original one first.
– After interfaces are added to an Eth-Trunk, the Eth-Trunk learns MAC addresses
and ARP entries but member interfaces do not.
– After an Eth-Trunk is switched to a Layer 3 interface using the undo portswitch
command, its member interfaces will not support DLDP, EFM, or LLDP.
– Before deleting an Eth-Trunk, first delete the member interfaces from the Eth-
Trunk.
----End
3.7.2.5 (Optional) Setting the Upper and Lower Thresholds for the Number of
Active Interfaces
Context
The number of Up member links affects the status and bandwidth of an Eth-Trunk. To ensure
that the Eth-Trunk functions properly and is resistant to member link status changes, set the
following thresholds for the number of active interfaces:
l Lower threshold: When the number of active interfaces falls below this threshold, the
Eth-Trunk goes Down. This ensures that an active Eth-Trunk has the minimum required
bandwidth.
l Upper threshold: Used for improving network reliability with stable bandwidth. When
the number of active interfaces reaches this threshold, you can add new member
interfaces to the Eth-Trunk, but excess member interfaces only go Up to back up active
interfaces that go Down.
Procedure
Step 1 Run:
system-view

Step 2 Run:

Step 3 Run:
least active-linknumber link-number
The lower threshold for the number of active interfaces is set.

By default, the lower threshold for the number of active interfaces is 1.
The lower threshold for the number of active interfaces on the local device can be different
from that on the remote device. If the two values are different, the larger one is used.
Step 4 Run:
max active-linknumber link-number
The upper threshold for the number of active interfaces is set.

By default, the upper threshold for the number of active interfaces is 8.
the configuration.
The upper thresholds configured by the max active-linknumber command on both ends must
be the same; otherwise, the Eth-Trunk status flaps if an active interface fails.
The upper threshold for the number of active interfaces must be greater than or equal to the
lower threshold for the number of active interfaces.
----End
3.7.2.6 (Optional) Configuring a Load Balancing Mode
Context
An Eth-Trunk uses flow-based load balancing. Flow-based load balancing ensures that frames
of the same data flow are forwarded on the same physical link. Different data flows are
forwarded on different physical links to balance the network load.
You can configure a common load balancing mode in which IP addresses or MAC addresses
of packets are used to load balance packets; you can also configure an enhanced load
balancing mode for Layer 2 packets, IP packets, and MPLS packets.
Load balancing is valid only for outgoing traffic; therefore, the load balancing modes for the
interfaces at both ends of the link can be different without affecting each other.
When more than 128 Eth-Trunks or 16 member interfaces are configured using the assign
trunk { trunk-group group-number | trunk-member member-number }* command, only the
enhanced mode can be used for load balancing. If the enhanced mode is not used, problems
such as packet loss and uneven load balancing may occur.
NOTE
SA series cards do not support the enhanced load balancing mode. SA series cards still use the common
load balancing mode even if enhanced load balancing is configured.
Procedure
l Configure a common load balancing mode.

a. Run:
system-view

b. Run:

c. Run:
load-balance { dst-ip | dst-mac | src-ip | src-mac | src-dst-ip | src-
dst-mac }
A load balancing mode of the Eth-Trunk is set.

The default load balancing mode is src-dst-ip.
Other load balancing modes are as follows:
n dst-ip: based on destination IP addresses
n dst-mac: based on destination MAC addresses
n src-ip: based on source IP addresses
n src-mac: based on source MAC addresses
n src-dst-ip: based on the Exclusive-Or result of source and destination IP
addresses
n src-dst-mac: based on the Exclusive-Or result of source and destination MAC
addresses
l Configure an enhanced load balancing mode.
a. Run:
system-view

b. Run:
load-balance-profile profile-name
A load balancing profile is created and its view is displayed. Only one load
balancing profile can be created.
c. Run the following commands as required. You can configure load balancing modes
for Layer 2 packets, IPv4 packets, IPv6 packets, and MPLS packets respectively.
n Run:
l2 field [ dmac | l2-protocol | smac | sport | vlan ] *
A load balancing mode of Layer 2 packets is set.

By default, load balancing of Layer 2 packets is based on the source MAC
address (smac) and destination MAC address (dmac).
n Run:
vlan ] *

n Run:
vlan ] *


n Run:
mpls field [ 2nd-label | dip | dmac | sip | smac | sport | top-label
| vlan ] *
A load balancing mode of MPLS packets is set.

By default, load balancing of MPLS packets is based on the two outer labels
(top-label and 2nd-label) of each packet.
NOTE
In an S9706, S9712, S7706, or S7712 CSS, the CSS links use the profile configured by
the load-balance-profile command to load balance traffic. If no profile for enhanced
load balancing is created, the CSS links use the default enhanced load balancing mode.
If traffic is not evenly distributed on the CSS links, some links may be congested and
packets may be dropped. To prevent this problem, it is recommended that you choose
multiple keywords in the mpls field, l2 field, ipv4 field, and ipv6 field commands
when configuring load balancing modes for various packets.
d. Run:
quit

e. Run:

f. Run:
load-balance enhanced profile profile-name
The load balancing profile is applied.

NOTE
The preceding load balancing modes apply only to known unicast traffic. To configure a load
balancing mode for unknown unicast traffic, run the unknown-unicast load-balance { dmac |
smac | smacxordmac | enhanced } command in the system view.
When the enhanced load balancing mode is used for unknown unicast traffic, specify the VLAN
ID in the load balancing profile. When the outbound interface is an Eth-Trunk and is added to a
user VLAN, multicast traffic on the device equipped with all X1E cards can be load balanced
based on the user VLAN. If other cards are installed on the device, multicast traffic on the device
cannot be load balanced based on the user VLAN.
----End
3.7.2.7 (Optional) Setting the LACP System Priority
Context
LACP system priority differentiates priorities of devices at both ends. In LACP mode, active
interfaces selected by devices at both ends must be consistent; otherwise, the LAG cannot be
set up. To keep active interfaces consistent at both ends, you can set the priority of one device
to be higher than the other device. The device with a lower priority will select active
interfaces based on those selected by the device with a higher priority.

Procedure
Step 1 Run:
system-view
Step 2 Run:
lacp priority priority
The LACP priority is set.
A smaller priority value indicates a higher LACP priority. By default, the LACP priority is
32768.
The device with a smaller priority value functions as the Actor. If both devices have the same
----End
3.7.2.8 (Optional) Setting the LACP Interface Priority
Context
In LACP mode, LACP interface priorities are set to prioritize interfaces of the same device.
Interfaces with higher priorities are selected as active interfaces.
Procedure
Step 1 Run:
system-view
Step 2 Run:
Step 3 Run:
lacp priority priority
The LACP priority of the member interface is configured.
By default, the LACP interface priority is 32768. A smaller priority value indicates a higher
LACP priority.
By default, the system selects active interfaces based on interface priorities. However, low-
speed member interfaces with high priorities may be selected as active interfaces. To select
high-speed member interfaces as active interfaces, run the lacp selected { priority | speed }
command to configure the system to select active interfaces based on the interface rate.
----End
3.7.2.9 (Optional) Configuring LACP Preemption

Context
The LACP preemption function ensures that the interface with the highest LACP priority
always functions as an active interface. For example, the interface with the highest priority
becomes inactive due to a fault. If LACP preemption is enabled, the interface becomes active
again after it recovers; if LACP preemption is disabled, the interface cannot become active
interface after it recovers.
The LACP preemption delay is the period after which an inactive interface switches to active.
The LACP preemption delay prevents unstable data transmission on an Eth-Trunk link due to
frequent link status changes.
Procedure
Step 1 Run:
system-view
Step 2 Run:
Step 3 Run:
lacp preempt enable
LACP preemption is enabled.
By default, LACP preemption is disabled. To ensure normal running of an Eth-Trunk, enable

or disable LACP preemption at both ends of the Eth-Trunk.
Step 4 Run:
lacp preempt delay delay-time
The LACP preemption delay is set.
By default, the LACP preemption delay is 30 seconds. If both devices of an Eth-Trunk use
different preemption delays, the longer preemption delay is used.
----End
3.7.2.10 (Optional) Setting the Timeout Interval for Receiving LACPDUs
Context
If the Eth-Trunk on the local device cannot detect a self-loop or fault that occurred on a
member interface in the LAG on the remote device, data on the local device will still be load
balanced among the active interfaces. As a result, data traffic on the faulty link is discarded.
After the timeout interval at which LACPDUs are received is set, if a local member interface
does not receive any LACPDUs within the configured timeout interval, the local member
interface becomes Down.

Procedure
Step 1 Run:
system-view
Step 2 Run:
Step 3 Run:
lacp timeout { fast [ user-defined user-defined ] | slow }
The timeout interval at which LACPDUs are received is set.
By default, the timeout interval at which an Eth-Trunk receives LACPDUs is 90 seconds.
l After you run the lacp timeout command, the local end notifies the remote end of the
timeout interval by sending LACPDUs. When fast is specified, the interval for sending
LACPDUs is 1 second. When slow is specified, the interval for sending LACPDUs is 30
seconds.
l The timeout interval for receiving LACPDUs is three times the interval for sending
LACPDUs. When fast is specified, the timeout interval for receiving LACPDUs is 3
seconds. When slow is specified, the timeout interval for receiving LACPDUs is 90
seconds.
l You can use different timeout intervals at both ends. However, to facilitate maintenance,
you are advised to use the same timeout interval at both ends.
l Each member interface in an Eth-Trunk processes a maximum of 20 LACPDUs every
second; a card on a switch processes a maximum of 50 LACPDUs every second. Extra
LACPDUs are discarded.
----End
Procedure
l Run the display eth-trunk [ trunk-id [ interface interface-type interface-number |
verbose ] ] command to check the Eth-Trunk configuration.
l Run the display trunkmembership eth-trunk trunk-id command to check information
l Run the display eth-trunk [ trunk-id ] load-balance command to check the load
balancing mode of the Eth-Trunk.
l Run the display load-balance-profile [ profile-name ] command to check the load
balancing profile of the Eth-Trunk.
l Run the display trunk configuration command to check the maximum number of
LAGs and the maximum number of member interfaces in each LAG.
----End

3.7.3 Configuring Preferential Forwarding of Local Traffic in a

CSS
On a network where a CSS and an Eth-Trunk are used, configuring the Eth-Trunk to
preferentially forward local traffic increases bandwidth use efficiency between devices in the
CSS and improves traffic forwarding efficiency.
Context
You can configure an Eth-Trunk to preferentially forward local traffic (or not) according to
the following guidelines:
l If active interfaces in the local Eth-Trunk have sufficient bandwidth to forward traffic on
the local device, configure the Eth-Trunk to preferentially forward local traffic. This
improves traffic forwarding efficiency and increases bandwidth use efficiency between
devices in the CSS.
l If active interfaces in the local Eth-Trunk do not have sufficient bandwidth to forward
traffic on the local device, do not configure the Eth-Trunk to preferentially forward local
traffic. A portion of the traffic on the local device is then forwarded through member
interfaces of an Eth-Trunk on another device, preventing packet loss.
NOTE
The S9703 does not support this configuration.
Pre-configuration Tasks
Before configuring an Eth-Trunk to preferentially forward local traffic, complete the
following tasks:
l Create an Eth-Trunk and add physical interfaces to the Eth-Trunk.

l Establish a CSS.
l Ensure that member interfaces of the local Eth-Trunk have sufficient bandwidth to
forward local traffic.
Procedure
Step 1 Run:
system-view
Step 2 Run:
The view of an Eth-Trunk is displayed.
Step 3 Run:
local-preference enable
The Eth-Trunk is configured to preferentially forward local traffic.
By default, an Eth-Trunk forwards traffic preferentially through local member interfaces.

NOTE
This function is only valid for known unicast packets, and does not work with unknown unicast packets,
broadcast packets, and multicast packets.
----End
3.7.4 Creating an Eth-Trunk Sub-interface

To transmit both Layer 2 and Layer 3 services over the same physical link, create a sub-
interface on a Layer 2 Eth-Trunk.
Context
If Layer 2 switching devices belong to different VLANs, and hosts in the VLANs need to
communicate with each other, you need to create sub-interfaces on the Eth-Trunk connecting
a Layer 3 device to a Layer 2 switching device, bind a VLAN to each sub-interface, and
configure an IP address for each sub-interface.
After the configuration is complete, hosts in the VLANs can use these sub-interfaces to
communicate with each other. Eth-Trunk sub-interfaces can be configured to terminate Dot1q
and QinQ VLAN tags.
After Layer 2 Eth-Trunk sub-interfaces are configured, the Eth-Trunk provides Layer 2
functions and the sub-interfaces provide Layer 3 functions.
Figure 3-23 Typical application scenario of Layer 2 Eth-Trunk sub-interfaces
VPLS/MPLS/IP
PE1 PE2
Eth-Trunk
Sub-interface
Eth-Trunk
CE1 CE2
S1 S2 S3 S4
VLAN VLAN

Procedure
Step 1 Run:
system-view

Step 2 Run:

Step 3 Run:
quit

Step 4 Run:
interface eth-trunk trunk-id.subnumber
An Eth-Trunk sub-interface is created.

subnumber specifies the number of a sub-interface. The value ranges from 1 to 4096.
NOTE
Only E series, X1E series, F series, and SC series cards on the S7700&S9700 support Eth-Trunk sub-
interfaces. For details about the cards, see the Hardware Description
Eth-Trunk sub-interfaces can only be configured on the Layer 3 interface, hybrid interface, and trunk
interface.
Step 5 Run:
ip address ip-address { mask | mask-length } [ sub ]
An IP address is configured for the sub-interface.

When configuring multiple IP addresses for an Eth-Trunk sub-interface, use the sub keyword
to indicate the IP addresses configured after the first one.
----End
3.7.5 Configuring an E-Trunk

The Enhanced Trunk (E-Trunk) protocol implements link aggregation between multiple
devices to improve link reliability between devices. It is an extension to LACP which only
implements link aggregation on a single device.
3.7.5.1 Setting the LACP System ID and LACP Priority of an E-Trunk
Context
In an E-Trunk, the two PEs must be configured with the same LACP system ID and priority
so that the CE considers the two PEs as one device.
Procedure
Step 1 Run:
system-view

Step 2 Run:
lacp e-trunk system-id mac-address
The LACP system ID is set for the E-Trunk.
By default, the MAC address of an Ethernet interface on the MPU is used as the LACP
system ID.
The master and backup devices in an E-Trunk must use the same LACP system ID.
Step 3 Run:
lacp e-trunk priority priority
The LACP priority of an E-Trunk member is set.
By default, the LACP priority of an E-Trunk member is 32768.
The master and backup devices in an E-Trunk must use the same LACP priority.
----End
3.7.5.2 Creating an E-Trunk and Setting the E-Trunk Priority
Context
The E-Trunk priority determines whether an E-Trunk member device is the master or backup
device.
Procedure
Step 1 Run:
system-view
Step 2 Run:
e-trunk e-trunk-id
An E-Trunk is created and the E-Trunk view is displayed or the view of an existing E-Trunk
view is directly displayed.
The member devices in an E-Trunk must be configured with the same E-Trunk ID.
A maximum of 16 E-Trunks can be created on a device.
Step 3 Run:
priority priority
The E-Trunk priority is set.
The E-Trunk priority is used for master/backup negotiation between two devices. The device
with a higher priority is the master. A smaller E-Trunk priority value indicates a higher E-
Trunk priority.
If the two devices have the same priority, the device with a smaller system ID is the master.

By default, the E-Trunk priority of a member device is 100.
----End
3.7.5.3 Configuring Local and Remote IP Addresses of an E-Trunk
Context
E-Trunk packets are sent with the source IP address and protocol port number configured on
the local device. When you change the local or remote IP address on a device, you must
change the corresponding address on the remote device. Otherwise, protocol packets will be
discarded.
Procedure
Step 1 Run:
system-view

Step 2 Run:
e-trunk e-trunk-id
The E-Trunk view is displayed.

Step 3 Run:
peer-address peer-ip-address source-address source-ip-address
The local and remote IP addresses of the E-Trunk are configured.

The remote IP address of the local device must be the same as the local IP address of the
remote device. For example, when an E-Trunk is created between device A and device B and
the local and remote IP addresses on device A are 10.1.1.1 and 10.2.2.2 respectively, the local
and remote IP addresses on device B must be 10.2.2.2 and 10.1.1.1 respectively.
----End
3.7.5.4 Binding an E-Trunk to a BFD Session
Context
When the local device of an E-Trunk cannot promptly detect whether the remote device is
faulty by sending E-Trunk packets, it can instead use the Bidirectional Fast Detection (BFD)
protocol. You need to specify the remote IP address on the local device and create a BFD
session to check the reachability of the route to the remote device. The E-Trunk then can
detect faults reported by the BFD session and the device can handle the faults quickly.
Procedure
Step 1 Run:
system-view

Step 2 Run:
e-trunk e-trunk-id


Step 3 Run:
e-trunk track bfd-session session-name bfd-session-name
The E-Trunk is bound to a BFD session.

BFD sessions are used to quickly detect faults of links between the two E-Trunk member
devices.
----End
3.7.5.5 Adding an Eth-Trunk to an E-Trunk
Context
After an E-Trunk is configured, you can add Eth-Trunks to it.
Procedure
Step 1 Run:
system-view

Step 2 Run:

Only Eth-Trunks in LACP mode can be added to an E-Trunk.
Step 3 Run:
e-trunk e-trunk-id [ remote-eth-trunk eth-trunk-id ]
The Eth-Trunk is added to an E-Trunk.

An Eth-Trunk can be added to only one E-Trunk.
The devices at both ends of an E-Trunk do not need to have the same Eth-Trunk ID. When
adding Eth-Trunks with different IDs in LACP mode on PEs to an E-Trunk, you must specify
remote-eth-trunk for the E-Trunk to function properly.
----End
3.7.5.6 (Optional) Configuring the Working Mode of an Eth-Trunk in an E-Trunk
Context
You can configure the working mode for only the Eth-Trunks that have been added to an E-
Trunk. The working mode of an Eth-Trunk can be automatic, forced master, or forced backup.
Procedure
Step 1 Run:
system-view


Step 2 Run:

Only Eth-Trunks in LACP mode can be added to an E-Trunk.
Step 3 Run:
e-trunk mode { auto | force-master | force-backup }
A working mode of the Eth-Trunk in the E-Trunk is configured.

By default, an Eth-Trunk in an E-Trunk works in automatic mode.
The e-trunk mode command is valid only for the Eth-Trunk in an E-Trunk. When the Eth-
Trunk is deleted from the E-Trunk, the configuration is deleted automatically.
When an Eth-Trunk is in auto mode, its master/backup status depends on the E-Trunk status
of the local device and fault information of the remote Eth-Trunk.
l If the local E-Trunk is the master, the local Eth-Trunk works in master state.
l If the local E-Trunk is the backup and the remote Eth-Trunk fails, the local Eth-Trunk
works in master state. When the local Eth-Trunk receives a notification that the remote
Eth-Trunk has recovered, the local Eth-Trunk becomes the backup again.
NOTE
While the E-Trunk is running, changing the hello packet sending interval or timeout interval will cause the E-
Trunk to alternate between the master and the backup. Before changing the hello packet sending interval or
timeout interval, you are advised to configure member Eth-Trunks to work in forced master/backup state.
After the new configuration takes effect, restore the working mode to auto.
----End
3.7.5.7 (Optional) Setting the Password for Encrypting Packets
Context
You can set a password for encrypting E-Trunk packets transmitted over an E-Trunk link to
improve system security. The two member devices of an E-Trunk must use the same
password.
Procedure
Step 1 Run:
system-view

Step 2 Run:
e-trunk e-trunk-id

Step 3 Run:
security-key { simple simple-key | cipher cipher-key }
The password for encrypting packets is configured.

NOTICE
If simple is specified, the password is saved in plaintext in the configuration file. In this case,
other users can obtain the password by querying the configuration file, which poses a security
risk. You are advised to specify cipher so that the password is saved in ciphertext.
To ensure device security, change the password frequently.
----End
3.7.5.8 (Optional) Setting the Timeout Interval of Hello Packets
Context
If the backup device in an E-Trunk does not receive any hello packet from the master device
within the timeout interval, the backup device becomes the master. The timeout interval is the
one specified in the hello packets sent by the remote device, not the timeout interval
configured on the local device.
NOTE
While the E-Trunk is running, changing the hello packet sending interval or timeout interval will cause the E-
Trunk to alternate between the master and the backup. Before changing the hello packet sending interval or
timeout interval, you are advised to configure member Eth-Trunks to work in forced master/backup state.
After the new configuration takes effect, restore the working mode to auto.
Procedure
Step 1 Run:
system-view

Step 2 Run:
e-trunk e-trunk-id

Step 3 Run:
timer hello hello-times
The interval for sending hello packets is set.

By default, the value of hello-times is 10. The unit is 100 ms, so the default interval is 1s.
Step 4 Run:
timer hold-on-failure multiplier multiplier
The time multiplier for detecting hello packets is set.

The remote device checks the timeout interval in the received hello packet to determine
whether the local device times out. If the remote device is the backup and does not receive
hello packets from the local device within the timeout interval, the remote device becomes the
master.
The timeout interval is calculated using the following formula:

Timeout interval = Interval for sending hello packets x Time multiplier

The default time multiplier is 20. It is recommended that you set the time multiplier to 3 or
more.
----End
3.7.5.9 (Optional) Setting the Revertive Switching Delay
Context
In a scenario where an E-Trunk works with other services, a member Eth-Trunk may be
restored earlier than other services after the faulty master device recovers. If traffic is
immediately switched back to the master device, service traffic will be interrupted.
Setting the revertive switching delay prevents this problem. After the revertive switching
delay is set, the local Eth-Trunk becomes Up only after the delay expires. Then the local
device becomes the master again.
Procedure
Step 1 Run:
system-view

Step 2 Run:
e-trunk e-trunk-id

Step 3 Run:
timer revert delay delay-value
The revertive switching delay is set.

By default, the revertive switching delay is 120 seconds.
----End
3.7.5.10 (Optional) Disabling Revertive Switching on an E-Trunk
Context
You can disable revertive switching on an E-Trunk to prevent traffic from being discarded
when a faulty master device recovers and takes over services.
Procedure
Step 1 Run:
system-view

Step 2 Run:
e-trunk e-trunk-id

Step 3 Run:
revert disable
Revertive switching is disabled on the E-Trunk.
By default, revertive switching is enabled on an E-Trunk.
----End
Procedure
l Run the display e-trunk e-trunk-id command to check E-Trunk information.
----End
3.8 Maintaining Link Aggregation

Maintaining link aggregation includes monitoring the link aggregation running status and
clearing LACPDU statistics.
Maintenance Item Operation
Displaying inbound and 1. Run the system-view command to enter the system view.
outbound interfaces of 2. Run the collect forward-path sip source-ip-address dip
specified flows destination-ip-address [ sport source-port dport
destination-port [ protocol { protocol-number | gre | icmp |
igmp | ip | ipinip | ospf | tcp | udp } ] ] { ingress | egress |
both } [ interval interval-time ] command to configure the
device to collect inbound and outbound interfaces and
traffic information about packets with 5-tuple information.
3. Run the display forward-path command to check
information about collected packets with 5-tuple
information by the collect forward-path command and the
report ID by the display forward-path report report-id.
4. Run the display forward-path report report-id command
to check the inbound and outbound interfaces of packets
with 5-tuple information and statistics.
NOTE
You can run the display forward-path command to view report-
id.
Displaying the Eth-Trunk Run the display eth-trunk [ trunk-id [ interface interface-type
configuration interface-number | verbose ] ] command to check the Eth-
Trunk configuration.
Displaying the Eth-Trunk Run the display interface eth-trunk [ trunk-id ] command.
status

Maintenance Item Operation
Displaying information Run the display trunkmembership eth-trunk trunk-id

about Eth-Trunk member command.
interfaces
Displaying statistics on Run the display lacp statistics eth-trunk [ trunk-id [ interface
received and sent interface-type interface-number ] ] command.
LACPDUs in LACP
mode
Clearing LACPDU Run the reset lacp statistics eth-trunk [ trunk-id [ interface
statistics interface-type interface-number ] ] command in the user view.
NOTICE
The cleared LACPDU
statistics cannot be
restored.
3.9.1 Example for Configuring Link Aggregation in Manual Mode
In Figure 3-24, SwitchA and SwitchB connect to devices in VLAN 10 and VLAN 20 through
Ethernet links, and heavy traffic is transmitted between SwitchA and SwitchB.
The customer hopes that SwitchA and SwitchB can provide increased link bandwidth to
enable inter-VLAN communication. They also want redundancy and to ensure quality data
transmission and link reliability.
Figure 3-24 Networking of link aggregation in manual mode
VLAN10 VLAN10
GE1/0/4 GE1/0/1 GE1/0/4

GE1/0/1
SwitchA GE1/0/2 Eth-Trunk GE1/0/2 SwitchB
GE1/0/3 GE1/0/3
GE1/0/5 Eth-Trunk 1 Eth-Trunk 1 GE1/0/5
VLAN20 VLAN20

1. Create an Eth-Trunk and add member interfaces to the Eth-Trunk to increase link
bandwidth.
2. Create VLANs and add interfaces to the VLANs.
3. Configure a load balancing mode to ensure that traffic is load balanced among Eth-Trunk
member interfaces.
Procedure
Step 1 Create an Eth-Trunk on SwitchA and SwitchB, and add member interfaces to the Eth-Trunk.
[HUAWEI] sysname SwitchA
[SwitchA] interface eth-trunk 1
[SwitchA-Eth-Trunk1] trunkport gigabitethernet 1/0/1 to 1/0/3
[SwitchA-Eth-Trunk1] quit
[HUAWEI] sysname SwitchB
[SwitchB] interface eth-trunk 1
[SwitchB-Eth-Trunk1] trunkport gigabitethernet 1/0/1 to 1/0/3
[SwitchB-Eth-Trunk1] quit
Step 2 Create VLANs and add interfaces to the VLANs.

# Create VLAN 10 and VLAN 20 and add interfaces to VLAN 10 and VLAN 20. The
configuration for SwitchB is the same as that for SwitchA.
[SwitchA] vlan batch 10 20
[SwitchA] interface gigabitethernet 1/0/4
[SwitchA-GigabitEthernet1/0/4] port link-type trunk
[SwitchA-GigabitEthernet1/0/4] port trunk allow-pass vlan 10
[SwitchA-GigabitEthernet1/0/4] quit
# Configure Eth-Trunk 1 to allow packets from VLAN 10 and VLAN 20 to pass through. The
[SwitchA-Eth-Trunk1] port link-type trunk
[SwitchA-Eth-Trunk1] port trunk allow-pass vlan 10 20
Step 3 Configure a load balancing mode for Eth-Trunk 1. The configuration for SwitchB is the same
as that for SwitchA.
[SwitchA-Eth-Trunk1] load-balance src-dst-mac

Run the display eth-trunk 1 command in any view to check whether the Eth-Trunk is created
and whether member interfaces are added.
[SwitchA] display eth-trunk 1
Eth-Trunk1's state information is:
WorkingMode: NORMAL Hash arithmetic: According to SA-XOR-DA
Least Active-linknumber: 1 Max Bandwidth-affected-linknumber: 8
Operate status: up Number Of Up Port In Trunk: 3
--------------------------------------------------------------------------------
PortName Status Weight
GigabitEthernet1/0/1 Up 1

The preceding command output shows that Eth-Trunk 1 has three member interfaces:
GigabitEthernet1/0/1, GigabitEthernet1/0/2, and GigabitEthernet1/0/3. The member interfaces
are all in Up state. The Operate status of Eth-Trunk 1 is Up.
----End
Configuration Files
l SwitchA configuration file
#
sysname SwitchA
#
vlan batch 10 20
#
interface Eth-Trunk1
port trunk allow-pass vlan 10 20
load-balance src-dst-mac
#
eth-trunk 1
#
eth-trunk 1
#
eth-trunk 1
#
#
#
return
l SwitchB configuration file

#
sysname SwitchB
#
vlan batch 10 20
#
load-balance src-dst-mac
#
eth-trunk 1
#
eth-trunk 1
#
eth-trunk 1
#
#
#
return

3.9.2 Example for Configuring Link Aggregation in LACP Mode
In Figure 3-25, SwitchA and SwitchB connect to devices in VLAN 10 and VLAN 20 through
Ethernet links, and heavy traffic is transmitted between SwitchA and SwitchB. The customer
hopes that SwitchA and SwitchB can provide increased link bandwidth to enable inter-VLAN
communication. Link aggregation in LACP mode can be configured on SwitchA and SwitchB
to improve the bandwidth and reliability. The requirements are as follows:
l Two active links provide load balancing.

l One link functions as the backup link. When a fault occurs on an active link, the backup
link replaces the faulty link to maintain reliable data transmission.
l Devices in the same VLAN can communicate.
Figure 3-25 Networking diagram for configuring link aggregation in LACP mode
VLAN 10 VLAN 10
GE1/0/4 GE1/0/1 GE1/0/1 GE1/0/4

GE1/0/2 Eth-Trunk GE1/0/2 SwitchB
SwitchA
GE1/0/3 GE1/0/3
GE1/0/5 Eth-Trunk 1 Eth-Trunk 1 GE1/0/5
VLAN 20 VLAN 20
Active link
Backup link
1. Create an Eth-Trunk and configure the Eth-Trunk to work in LACP mode to implement
link aggregation.
2. Add member interfaces to the Eth-Trunk.
3. Set the LACP system priority and determine which device is the Actor. The Partner
device selects active interfaces based on the interface priorities of the Actor.
4. Set the upper threshold for the number of active interfaces to improve reliability.
5. Set LACP interface priorities and determine active interfaces so that interfaces with
higher priorities are selected as active interfaces.

Procedure
Step 1 Create Eth-Trunk 1 on SwitchA and configure Eth-Trunk 1 to work in LACP mode. The
[SwitchA-Eth-Trunk1] mode lacp
Step 2 Add member interfaces to Eth-Trunk 1 on SwitchA. The configuration for SwitchB is the
same as that for SwitchA.
[SwitchA-GigabitEthernet1/0/1] eth-trunk 1
Step 3 Set the system priority on SwitchA to 100 so that SwitchA becomes the Actor.
[SwitchA] lacp priority 100
Step 4 On SwitchA, set the upper threshold for the number of active interfaces to 2.
[SwitchA-Eth-Trunk1] max active-linknumber 2
Step 5 Set the LACP interface priority and determine active links on SwitchA.
[SwitchA-GigabitEthernet1/0/1] lacp priority 100
[SwitchA-GigabitEthernet1/0/2] lacp priority 100

# Create VLAN 10 and VLAN 20 and add interfaces to VLAN 10 and VLAN 20. The
# Configure Eth-Trunk 1 to allow packets from VLAN 10 and VLAN 20 to pass through. The
[SwitchA-Eth-Trunk1] port trunk allow-pass vlan 10 20

# Check information about the Eth-Trunk of the switches and check whether negotiation is
successful on the link.

[SwitchA] display eth-trunk 1

Local:
LAG ID: 1 WorkingMode: LACP
Preempt Delay: Disabled Hash arithmetic: According to SIP-XOR-DIP
System Priority: 100 System ID: 00e0-fca8-0417
Least Active-linknumber: 1 Max Active-linknumber: 2
--------------------------------------------------------------------------------
ActorPortName Status PortType PortPri PortNo PortKey
PortState Weight
GigabitEthernet1/0/1 Selected 1GE 100 6145 2865
11111100 1
11111100 1
GigabitEthernet1/0/3 Unselect 1GE 32768 6147 2865
11100000 1
Partner:
--------------------------------------------------------------------------------
ActorPortName SysPri SystemID PortPri PortNo PortKey
PortState
GigabitEthernet1/0/1 32768 00e0-fca6-7f85 32768 6145
2609 11111100
2609 11111100
2609 11110000
[SwitchB] display eth-trunk 1
Local:
LAG ID: 1 WorkingMode: LACP
Preempt Delay: Disabled Hash arithmetic: According to SIP-XOR-DIP
System Priority: 32768 System ID: 00e0-fca6-7f85
Least Active-linknumber: 1 Max Active-linknumber: 8
--------------------------------------------------------------------------------
ActorPortName Status PortType PortPri PortNo
PortKey PortState Weight
11111100 1
11111100 1
GigabitEthernet1/0/3 Unselect 1GE 32768 6147 2609
11100000 1
Partner:
--------------------------------------------------------------------------------
ActorPortName SysPri SystemID PortPri PortNo
PortKey PortState
GigabitEthernet1/0/1 100 00e0-fca8-0417 100 6145
2865 11111100
2865 11111100
2865 11110000
The preceding information shows that the LACP system priority value of SwitchA is 100,
which means it has a higher LACP system priority than SwitchB. Member interfaces
GigabitEthernet1/0/1 and GigabitEthernet1/0/2 are the active interfaces and are in Selected
state. Interface GigabitEthernet1/0/3 is in Unselect state. Two links are active and work in
load balancing mode, and one link is the backup link.
----End

Configuration Files
#
sysname SwitchA
#
vlan batch 10 20
#
lacp priority 100
#
mode lacp
max active-linknumber 2
#
eth-trunk 1
lacp priority 100
#
eth-trunk 1
lacp priority 100
#
eth-trunk 1
#
#
#
return

#
sysname SwitchB
#
vlan batch 10 20
#
mode lacp
#
eth-trunk 1
#
eth-trunk 1
#
eth-trunk 1
#
#
#
return

3.9.3 Example for Configuring an Inter-Chassis Eth-Trunk to

Forward Traffic Preferentially Through Local Member Interfaces
(CSS)
NOTE
The S9703 does not support this configuration.
On the network shown in Figure 3-26, Switch3 and Switch4 are connected through CSS
cables to increase the total capacity. The two switches form one logical switch. To improve
reliability, physical interfaces on the two switches are added to an Eth-Trunk. When the
network runs properly, traffic from VLAN 2 is forwarded through GE1/0/1 and GE1/0/2, and
traffic from VLAN 3 is forwarded through GE1/0/1 and GE1/0/2. This increases bandwidth
use efficiency between devices but reduces traffic forwarding efficiency.
To improve traffic forwarding efficiency, traffic from VLAN 2 should be forwarded through
GE1/0/1 and traffic from VLAN 3 should be forwarded through GE1/0/2. To achieve this
goal, configure the Eth-Trunk to preferentially forward local traffic.

Figure 3-26 Preferentially forwarding traffic through the local member interface
Network
PE
GE1/0/1 GE1/0/2
Eth-Trunk 10
GE1/1/0/4 GE2/1/0/4 CSS
Switch3 GE1/1/0/3 GE2/1/0/3 Switch4
GE1/0/2 GE1/0/2
Switch1
Switch2
GE1/0/1 GE1/0/1
VLAN 2 VLAN 3
CSS cable
VLAN 2 data flow
VLAN 3 data flow
1. Create an Eth-Trunk.
2. Add member interfaces to the Eth-Trunk.
3. Configure the Eth-Trunk to preferentially forward local traffic.
4. Configure the Layer 2 forwarding function.
Procedure
Step 1 Create an Eth-Trunk and configure the Eth-Trunk to allow packets from all VLANs to pass
through.

# Configure the CSS.

[HUAWEI] sysname CSS
[CSS] interface eth-trunk 10
[CSS-Eth-Trunk10] port link-type trunk
[CSS-Eth-Trunk10] port trunk allow-pass vlan all
[CSS-Eth-Trunk10] quit
# Configure the PE.

[HUAWEI] sysname PE
[PE] interface eth-trunk 10
[PE-Eth-Trunk10] port link-type trunk
[PE-Eth-Trunk10] port trunk allow-pass vlan all
[PE-Eth-Trunk10] quit
Step 2 Add member interfaces to the Eth-Trunk.

[CSS] interface gigabitethernet 1/1/0/4
[CSS-GigabitEthernet1/1/0/4] eth-trunk 10
[CSS-GigabitEthernet1/1/0/4] quit
[CSS-GigabitEthernet2/1/0/4] eth-trunk 10
# Configure the PE.

[PE] interface gigabitethernet 1/0/1
[PE-GigabitEthernet1/0/1] eth-trunk 10
[PE-GigabitEthernet1/0/1] quit
[PE] interface gigabitethernet 1/0/2
[PE-GigabitEthernet1/0/2] eth-trunk 10
[PE-GigabitEthernet1/0/2] quit
Step 3 In the CSS view, configure the Eth-Trunk to preferentially forward local traffic.
[CSS] interface eth-trunk 10
[CSS-Eth-Trunk10] local-preference enable
[CSS-Eth-Trunk10] quit
Step 4 Configure the Layer 2 forwarding function.

[CSS] vlan batch 2 3
[CSS-GigabitEthernet1/1/0/3] port link-type trunk
[CSS-GigabitEthernet1/1/0/3] port trunk allow-pass vlan 2
[CSS-GigabitEthernet2/1/0/3] port link-type trunk
[CSS-GigabitEthernet2/1/0/3] port trunk allow-pass vlan 3
# Configure Switch1.
[HUAWEI] sysname Switch1
[Switch1] vlan 2
[Switch1-vlan2] quit
[Switch1] interface gigabitethernet 1/0/1
[Switch1-GigabitEthernet1/0/1] port link-type trunk
[Switch1-GigabitEthernet1/0/1] port trunk allow-pass vlan 2
[Switch1-GigabitEthernet1/0/1] quit


[Switch2] vlan 3

Run the display trunkmembership eth-trunk command in any view to check information
The display on the CSS is used as an example.
<CSS> display trunkmembership eth-trunk 10
Trunk ID: 10
Used status: VALID
TYPE: ethernet
Working Mode : Normal
Number Of Ports in Trunk = 2
Number Of Up Ports in Trunk = 2
Operate status: up
Interface GigabitEthernet1/1/0/4, valid, operate up, weight=1

Interface GigabitEthernet2/1/0/4, valid, operate up, weight=1
----End
Configuration Files
l CSS configuration file
#
sysname CSS
#
vlan batch 2 3
#
port trunk allow-pass vlan 2 to 4094
#
interface GigabitEthernet1/1/0/3
#
#
eth-trunk 10
#
eth-trunk 10
#
return
l PE configuration file

#
sysname PE
#
#
eth-trunk 10
#
eth-trunk 10
#
return
l Switch1 configuration file

#
sysname Switch1
#
vlan batch 2
#
#
#
return

#
sysname Switch2
#
vlan batch 3
#
#
#
return
3.9.4 Example for Configuring Connecting an E-Trunk to a VPLS

Network
If no E-Trunk is configured, a CE can be connected to only one PE using an Eth-Trunk link. If
the Eth-Trunk or PE fails, the CE cannot communicate with the PE. After an E-Trunk is
configured, the CE can be dual homed to PEs, improving link reliability between devices.
In Figure 3-27, CE1 is dual homed to PE1 and PE2 using two Eth-Trunks in LACP mode and
connected to a VPLS network.
CE1 communicates with CE2 on the VPLS network through PE1. If PE1 or the Eth-Trunk
link between CE1 and PE1 fails, CE1 cannot communicate with CE2. To prevent service
interruptions, configure an E-Trunk on PE1 and PE2. When communication between CE1 and
PE1 fails, traffic is switched to PE2 so that CE1 can communicate with CE2 through PE2.

When PE1 or the Eth-Trunk link between CE1 and PE1 recovers, traffic is switched back to
PE1.
The E-Trunk implements backup of LAGs between PE1 and PE2 and improves network
reliability.
Figure 3-27 Connecting an E-Trunk to a VPLS network

Loopback1
PE1
Eth-Trunk10
/1
Eth-Trunk20 1 /0 GE
GE /0/2 1 /0
/1 1 /3 Loopback1
1 /0 GE GE
GE /0/2 1/0
1 / 1
GE PE3
E-Trunk1
GE GE1/0/3
CE1 GE1 1 /0
/3 /2
/0 /
4 GE G E1 / 0 CE2
1 /0 / 0/ 3
GE
1 /0 /1 G E1
/2
Eth-Trunk10
PE2
Loopback1
Switch Interface VLANIF interface IP Address
PE1 GigabitEthernet1/0/1 - -
- GigabitEthernet1/0/2 - -
- GigabitEthernet1/0/3 VLANIF 100 10.1.1.1/24
- Loopback1 - 1.1.1.9/32
PE2 GigabitEthernet1/0/1 - -
- Loopback1 - 2.2.2.9/32
PE3 GigabitEthernet1/0/1 VLANIF 100 10.1.1.2/24

Switch Interface VLANIF interface IP Address
- GigabitEthernet1/0/3 GigabitEthernet1/0/3.1 -
- Loopback1 - 3.3.3.9/32
CE1 GigabitEthernet1/0/1 - -
CE2 GigabitEthernet1/0/3 - -
1. Configure an E-Trunk as follows:
– Create Eth-Trunks in LACP mode between CE1 and PE1, and between CE1 and
PE2. Add member interfaces to the Eth-Trunks.
– Create an E-Trunk on PE1 and PE2 and add the two Eth-Trunks to the E-Trunk.
– Set the following parameters of the E-Trunk:
n E-Trunk priority
n LACP system ID and LACP priority
n Interval for sending hello packets
n Time multiplier for detecting hello packets
n IP addresses of the local and remote devices
– Bind the E-Trunk to a BFD session.
2. Configure PEs so that CE1 can access the VPLS network.
– Configure a routing protocol on the backbone network to ensure that devices can
communicate with each other.
– Configure basic MPLS functions and the Label Distribution Protocol (LDP).
– Enable MPLS L2VPN on the PEs.
– Configure a virtual service instance (VSI) and specify LDP as the signaling
protocol.
– Create Eth-Trunk sub-interfaces and bind the VSI to the sub-interfaces.
Procedure
Step 1 Configure VLANs and IP addresses on pseudo wire (PW) side interfaces. Configure a routing
protocol on the backbone network to ensure that devices can communicate with each other.
The OSPF protocol is used in this example.

# Configure PE1.
[PE1] vlan batch 100
[PE1-Vlanif100] ip address 10.1.1.1 24
[PE1-Vlanif100] quit
[PE1] ospf 1
[PE1-ospf-1] area 0
[PE1-ospf-1] quit
# Configure PE2.
[PE2] vlan batch 200
[PE2] ospf 1
[PE2-ospf-1] area 0
[PE2-ospf-1] quit
# Configure PE3.
[PE3] ospf 1
[PE3-ospf-1] area 0


[PE3-ospf-1] quit
After the configuration is complete, PE1, PE2, and PE3 use OSPF to discover IP routes to
Loopback1 of one another, and they can ping each other. Run the display ip routing-table
command on PE1, PE2, and PE3 to verify that the PEs have learned the routes to one another.
NOTE
l Do not add the attachment circuit (AC) side interface and PW side interface of a PE to the same
VLAN. If they are added to the same VLAN, a loop may occur.
l When using OSPF, configure PE1, PE2, and PE3 to advertise 32-bit loopback addresses.
Step 2 Configure Eth-Trunks in LACP mode on CE1, PE1, and PE2, and add member interfaces to
the Eth-Trunks. Configure Layer 2 forwarding on CE1.
# Configure CE1.
[CE1] vlan batch 10
[CE1] interface eth-trunk 20
[CE1-Eth-Trunk20] port link-type trunk
[CE1-Eth-Trunk20] port trunk allow-pass vlan 10
[CE1-Eth-Trunk20] mode lacp
[CE1-Eth-Trunk20] trunkport GigabitEthernet 1/0/1 to 1/0/4
[CE1-Eth-Trunk20] quit
# Configure PE1.
[PE1] interface eth-trunk 10
[PE1-Eth-Trunk10] port link-type trunk
[PE1-Eth-Trunk10] mode lacp
[PE1-Eth-Trunk10] trunkport GigabitEthernet 1/0/1 to 1/0/2
[PE1-Eth-Trunk10] quit
# Configure PE2.
[PE2-Eth-Trunk10] port link-type trunk
[PE2-Eth-Trunk10] mode lacp
[PE2-Eth-Trunk10] trunkport GigabitEthernet 1/0/1 to 1/0/2
Step 3 Create an E-Trunk and set the LACP priority, LACP system ID, E-Trunk priority, local and
remote IP addresses, time multiplier for detecting hello packets, and interval for sending hello
packets.
# Configure PE1.
[PE1] e-trunk 1
[PE1-e-trunk-1] quit
[PE1] lacp e-trunk priority 1
[PE1] lacp e-trunk system-id 00E0-FC00-0000
[PE1] e-trunk 1
[PE1-e-trunk-1] priority 10
[PE1-e-trunk-1] timer hold-on-failure multiplier 3
[PE1-e-trunk-1] timer hello 9
[PE1-e-trunk-1] peer-address 2.2.2.9 source-address 1.1.1.9
# Configure PE2.
[PE2] e-trunk 1
[PE2] lacp e-trunk priority 1

[PE2] lacp e-trunk system-id 00E0-FC00-0000

[PE2] e-trunk 1
[PE2-e-trunk-1] priority 20
[PE2-e-trunk-1] timer hold-on-failure multiplier 3
[PE2-e-trunk-1] timer hello 9
[PE2-e-trunk-1] peer-address 1.1.1.9 source-address 2.2.2.9
Step 4 Add the Eth-Trunks to the E-Trunk.

# Configure PE1.
[PE1-Eth-Trunk10] e-trunk 1
# Configure PE2.
[PE2-Eth-Trunk10] e-trunk 1
Step 5 Bind the E-Trunk to a BFD session.

l Create a BFD session.
# Configure PE1.
[PE1] bfd
[PE1-bfd] quit
[PE1] bfd hello1 bind peer-ip 2.2.2.9 source-ip 1.1.1.9
[PE1-bfd-session-hello1] discriminator local 1
[PE1-bfd-session-hello1] discriminator remote 2
[PE1-bfd-session-hello1] commit
[PE1-bfd-session-hello1] quit
The IP addresses of the local and remote devices of a BFD session must be the same as
those of the E-Trunk.
# Configure PE2.
[PE2] bfd
[PE2-bfd] quit
[PE2] bfd hello2 bind peer-ip 1.1.1.9 source-ip 2.2.2.9
[PE2-bfd-session-hello2] discriminator local 2
[PE2-bfd-session-hello2] discriminator remote 1
[PE2-bfd-session-hello2] commit
[PE2-bfd-session-hello2] quit
l Bind E-Trunk 1 to the BFD session.

# Configure PE1.
[PE1] e-trunk 1
[PE1-e-trunk-1] e-trunk track bfd-session session-name hello1
# Configure PE2.
[PE2] e-trunk 1
[PE2-e-trunk-1] e-trunk track bfd-session session-name hello2
Step 6 Configure PEs so that CE1 can access the VPLS network.
1. Configure basic MPLS functions and LDP on PE1, PE2, and PE3.
# Configure PE1.
[PE1] mpls
[PE1-mpls] quit
[PE1] mpls ldp
[PE1-mpls-ldp] quit


[PE1-Vlanif100] mpls
# Configure PE2.
[PE2] mpls
[PE2-mpls] quit
[PE2] mpls ldp
[PE2-mpls-ldp] quit
# Configure PE3.
[PE3] mpls
[PE3-mpls] quit
[PE3] mpls ldp
[PE3-mpls-ldp] quit
After the configuration is complete, run the display mpls ldp session command on the
PEs. You can see that the LDP session status is Operational, indicating that LDP sessions
have been set up.
2. Enable MPLS L2VPN on PE1, PE2, and PE3.
# Configure PE1.
[PE1] mpls l2vpn
[PE1-l2vpn] quit
# Configure PE2.
[PE2] mpls l2vpn
[PE2-l2vpn] quit
# Configure PE3.
[PE3] mpls l2vpn
[PE3-l2vpn] quit
3. Create VSI ldp1 on PE1, PE2, and PE3 and specify LDP as the signaling protocol in the
VSI.
# Configure PE1.
[PE1] vsi ldp1 static
[PE1-vsi-ldp1] pwsignal ldp
[PE1-vsi-ldp1-ldp] vsi-id 2
[PE1-vsi-ldp1-ldp] peer 3.3.3.9
[PE1-vsi-ldp1-ldp] quit
[PE1-vsi-ldp1] quit
# Configure PE2.
[PE2-vsi-ldp1] quit
# Configure PE3.


[PE3-vsi-ldp1] quit
4. Configure an Eth-Trunk sub-interface on PE1 and PE2, and bind the VSI to the Eth-
Trunk sub-interface.
# Configure PE1.
[PE1] interface Eth-Trunk 10.1
[PE1-Eth-Trunk10.1] dot1q termination vid 10
[PE1-Eth-Trunk10.1] l2 binding vsi ldp1
[PE1-Eth-Trunk10.1] quit
# Configure PE2.
[PE2] interface Eth-Trunk 10.1
[PE2-Eth-Trunk10.1] dot1q termination vid 10
[PE2-Eth-Trunk10.1] l2 binding vsi ldp1
[PE2-Eth-Trunk10.1] quit
5. Configure a Dot1q sub-interface on PE3, and bind the VSI to the sub-interface.
# Configure PE3.
[PE3] interface gigabitethernet 1/0/3.1
[PE3-GigabitEthernet1/0/3.1] dot1q termination vid 10
[PE3-GigabitEthernet1/0/3.1] l2 binding vsi ldp1
[PE3-GigabitEthernet1/0/3.1] quit

l # Run the display eth-trunk command on CE1 to check the Eth-Trunk configuration.
l # Run the display e-trunk command to check E-Trunk information.
# Check information about E-Trunk 1 on PE1.
[PE1] display e-trunk 1
The E-Trunk information
E-TRUNK-ID : 1 Revert-Delay-Time (s) : 120
Priority : 10 System-ID : 00e0-0f74-eb00
Peer-IP : 2.2.2.9 Source-IP : 1.1.1.9
State : Master Causation : PRI
Send-Period (100ms) : 9 Fail-Time (100ms) : 27
Receive : 41 Send : 42
RecDrop : 0 SndDrop : 0
Peer-Priority : 20 Peer-System-ID : 00e0-3b6c-6100
Peer-Fail-Time (100ms) : 27 BFD-Session : hello1
Description : -
------------------------------------------------------------------------------
--
The Member
information
Type ID LocalPhyState Work-Mode State Causation Remote-
ID
Eth-Trunk 10 Up auto Master ETRUNK_MASTER 10
# Check information about E-Trunk 1 on PE2.

[PE2] display e-trunk 1
The E-Trunk information
E-TRUNK-ID : 1 Revert-Delay-Time (s) : 120
Priority : 20 System-ID : 00e0-3b6c-6100
Peer-IP : 1.1.1.9 Source-IP : 2.2.2.9
State : Backup Causation : PRI
Send-Period (100ms) : 9 Fail-Time (100ms) : 27
Receive : 43 Send : 42
RecDrop : 3 SndDrop : 0
Peer-Priority : 10 Peer-System-ID : 00e0-0f74-eb00
Peer-Fail-Time (100ms) : 27 BFD-Session : hello2

Description : -
------------------------------------------------------------------------------
--
The Member
information
Type ID LocalPhyState Work-Mode State Causation Remote-
ID
Eth-Trunk 10 Down auto Backup ETRUNK_BACKUP 10
According to the preceding information, the E-Trunk priority value on PE1 is 10 and the
E-Trunk status is Master; the E-Trunk priority value on PE2 is 20 and the E-Trunk status
is Backup. Link backup is achieved.
----End
Configuration Files
#
sysname CE1
#
vlan batch 10
#
mode lacp
#
eth-trunk 20
#
eth-trunk 20
#
eth-trunk 20
#
eth-trunk 20
#
return

#
sysname PE1
#
vlan batch 100
#
lacp e-trunk system-id 00e0-fc00-0000
lacp e-trunk priority 1
#
bfd
#
mpls lsr-id 1.1.1.9
mpls
#
mpls l2vpn
#
vsi ldp1 static
pwsignal ldp
vsi-id 2
peer 3.3.3.9
#
mpls ldp
#
interface Vlanif100
ip address 10.1.1.1 255.255.255.0
mpls

mpls ldp
#
e-trunk 1
priority 10
peer-address 2.2.2.9 source-address 1.1.1.9
timer hello 9
timer hold-on-failure multiplier 3
e-trunk track bfd-session session-name hello1
#
mode lacp
e-trunk 1
#
interface Eth-Trunk10.1
dot1q termination vid 10
l2 binding vsi ldp1
#
eth-trunk 10
#
eth-trunk 10
#
#
interface LoopBack1
ip address 1.1.1.9 255.255.255.255
#
bfd hello1 bind peer-ip 2.2.2.9 source-ip 1.1.1.9
discriminator local 1
discriminator remote 2
commit
#
ospf 1
area 0.0.0.0
network 1.1.1.9 0.0.0.0
network 10.1.1.0 0.0.0.255
#
return
#
sysname PE2
#
vlan batch 200
#
lacp e-trunk system-id 00e0-fc00-0000
lacp e-trunk priority 1
#
bfd
#
mpls lsr-id 2.2.2.9
mpls
#
mpls l2vpn
#
vsi ldp1 static
pwsignal ldp
vsi-id 2
peer 3.3.3.9
#
mpls ldp
#
interface Vlanif200
ip address 10.1.2.1 255.255.255.0
mpls
mpls ldp

#
e-trunk 1
priority 20
peer-address 1.1.1.9 source-address 2.2.2.9
timer hello 9
timer hold-on-failure multiplier 3
e-trunk track bfd-session session-name hello2
#
mode lacp
e-trunk 1
#
interface Eth-Trunk10.1
l2 binding vsi ldp1
#
eth-trunk 10
#
eth-trunk 10
#
#
interface LoopBack1
ip address 2.2.2.9 255.255.255.255
#
bfd hello2 bind peer-ip 1.1.1.9 source-ip 2.2.2.9
discriminator local 2
discriminator remote 1
commit
#
ospf 1
area 0.0.0.0
network 2.2.2.9 0.0.0.0
network 10.1.2.0 0.0.0.255
#
return
#
sysname PE3
#
vlan batch 100 200
#
mpls lsr-id 3.3.3.9
mpls
#
mpls l2vpn
#
vsi ldp1 static
pwsignal ldp
vsi-id 2
peer 1.1.1.9
peer 2.2.2.9
#
mpls ldp
#
interface Vlanif100
ip address 10.1.1.2 255.255.255.0
mpls
mpls ldp
#
interface Vlanif200
ip address 10.1.2.2 255.255.255.0
mpls
mpls ldp

#
#
#
interface GigabitEthernet1/0/3.1
l2 binding vsi ldp1
#
interface LoopBack1
ip address 3.3.3.9 255.255.255.255
#
ospf 1
area 0.0.0.0
network 3.3.3.9 0.0.0.0
network 10.1.1.0 0.0.0.255
network 10.1.2.0 0.0.0.255
#
return
3.10.1 Traffic Is Unevenly Load Balanced Among Eth-Trunk

Member Interfaces Because the Load Balancing Mode Is Incorrect
Fault Description
Traffic is unevenly load balanced among Eth-Trunk member interfaces due to an incorrect
load balancing mode.
Procedure
1. Run the display eth-trunk command to check whether the load balancing mode of the
Eth-Trunk meets your network requirements. For example, source or destination IP
address-based load balancing is not recommended in Layer 2 networking.
2. Run the load-balance command to set an appropriate load balancing mode.
3.10.2 Eth-Trunk at Both Ends Cannot Be Up Because the Lower

Threshold for the Number of Active Interfaces Is Incorrect
Fault Description
The Eth-Trunk is Down because the lower threshold for the number of active interfaces is
incorrect.
Procedure
1. Run the display eth-trunk trunk-id command to check whether the lower threshold for
the number of active interfaces of an Eth-Trunk is set.

If the number of Eth-Trunk member interfaces in Up state is lower than the lower
threshold, the Eth-Trunk becomes Down.
2. Run the least active-linknumber link-number command in the Eth-Trunk view to
configure the lower threshold to be smaller than the number of Eth-Trunk member
interfaces in Up state.
The local and remote devices can use different lower thresholds for the number of active
interfaces. If the lower thresholds are different, the larger value is used.
3.11 FAQ
3.11.1 Can an Eth-Trunk Be Configured with an IP Address?

By default, an Eth-Trunk is a Layer 2 interface and cannot be configured with an IP address.
If an Eth-Trunk is changed to a Layer 3 interface, it can be configured with an IP address.
3.11.2 How Do I Add Member Interfaces to an Eth-Trunk?

Before adding a new member interface, ensure that the new member interface is the same type
as the other member interfaces and does not have any configurations.
1. Run the shutdown command in the interface view to set the new member interface to the
Down state.
If the new member interface that joins the Eth-Trunk is not Down, a temporary loop may
occur, which will affect services.
2. Run either of the following commands to add the new member interface to the Eth-
Trunk.
– Run the eth-trunk trunk-id command in the interface view.
– Run the trunkport interface-type { interface-number1 [ to interface-number2 ] }
&<1-8> command in the Eth-Trunk interface view.
3. After member interfaces at both ends join the Eth-Trunk, run the undo shutdown
command in the interface view to enable the new member interfaces.
3.11.3 How Do I Delete Member Interfaces from an Eth-Trunk?

1. Run the shutdown command in the interface view to set the member interface to the
Down state.
2. Run either of the following commands to delete the member interface from the Eth-
Trunk.
– Run the undo eth-trunk trunk-id command in the interface view.
– Run the undo trunkport interface-type { interface-number1 [ to interface-
number2 ] } &<1-8> command in the Eth-Trunk interface view.
3. Run the undo shutdown command in the interface view to set the member interface to
the Up state.
3.11.4 What Is the Function of the Delay for LACP Preemption?

When an Eth-Trunk interface in LACP mode goes Up and Down frequently due to unstable
physical links, LACP goes Up and Down accordingly. As a result, services transmitted on the
Eth-Trunk link are affected. After the LACP preemption delay is set, LACP negotiation is not
performed during the delay period. The possibility of LACP flapping is reduced, and services
will not be affected.
You can run the lacp preempt enable command to enable the LACP preemption function on
the current Eth-Trunk interface and run the lacp preempt delay delay-time command to
configure the preemption delay.
3.12 References
The following table lists the reference of this document.
Document Description Rema

rks
IEEE 802.3AD IEEE Std 802.3ad - 2005 IEEE Standard for Link -
Aggregation operation, Link Aggregation Control, Link
Aggregation Control Protocol, Marker protocol and
configuration capabilities and restrictions.

Configuration Guide - Ethernet Switching 4 VLAN Configuration
4 VLAN Configuration
About This Chapter
This chapter describes how to configure VLAN technology. VLAN technology provides
broadcast domain isolation, security hardening, flexible networking, and high extensibility.
4.1 VLAN Overview

4.2 Principles
4.3 Applications
4.7 Configuring VLAN Technology
4.8 Maintaining VLAN
4.11 FAQ
4.12 References

4.1 VLAN Overview
Definition
Virtual Local Area Network (VLAN) technology divides a physical LAN into multiple
broadcast domains, each of which is called a VLAN. Hosts within a VLAN can communicate
with each other but cannot communicate directly with hosts in other VLANs. Consequently,
broadcast packets are confined to within a single VLAN.
Purpose
Ethernet technology implements data communication over shared media based on Carrier
Sense Multiple Access/Collision Detection (CSMA/CD). When an Ethernet network has a
large number of hosts, collision becomes a serious problem and can lead to broadcast storms.
As a result, network performance deteriorates, or can even result in a complete breakdown.
Using switches to connect LANs can mitigate collisions, but cannot isolate broadcast packets
or improve network quality.
VLAN technology divides a physical LAN into multiple VLANs to isolate broadcast
domains. Hosts within a VLAN can communicate with each other but cannot communicate
directly with hosts in other VLANs. Consequently, broadcast packets are confined to within a
single VLAN.
Figure 4-1 VLAN networking
VLAN 2
Router SwitchA SwitchB
VLAN 3
Figure 4-1 shows a typical VLAN networking environment. Two switches are deployed in
different locations (for example, on different floors of a building). Each switch is connected to
two PCs belonging to different VLANs, which likely belong to different entities or
companies.
Benefits
VLAN technology offers the following benefits:
l Limits broadcast domains. Broadcast domains are limited to conserve bandwidth and
improve network efficiency.

l Enhances LAN security. Packets from different VLANs are transmitted separately. Hosts
in a VLAN cannot communicate directly with hosts in another VLAN.
l Improves network robustness. A fault in a VLAN does not affect hosts in other VLANs.
l Allows flexible definition of virtual groups. With VLAN technology, hosts in different
geographical locations can be grouped together, thereby simplifying network
construction and maintenance.
4.2 Principles
4.2.1 Basic Concepts of VLAN
4.2.1.1 VLAN Tags
Definition and Function

A switch identifies packets from different VLANs according to the information contained in
VLAN tags. IEEE 802.1Q adds a 4-byte VLAN tag between the Source address and Length/
Type fields of an Ethernet frame, as shown in Figure 4-2.
Figure 4-2 IEEE 802.1Q tagged frame format

Traditional Ethernet data frame
6 bytes 6 bytes 2 bytes 46-1500 bytes 4 bytes
Destination Source Data FCS
Length/Type
address address
VLAN data frame

6 bytes 6 bytes 4 bytes 2 bytes 46-1500 bytes 4 bytes
Destination Source VLAN Length/ Data FCS
address address Tag Type
TPID PRI CFI VID
2 bytes 3 bits 1 bit 12 bits
A VLAN tag contains four fields. Table 4-1 describes the fields.

Table 4-1 Fields in a VLAN tag
Field Leng Description Value

th
TPID 2 Tag Protocol Identifier (TPID), The value 0x8100 indicates an 802.1Q-
bytes indicating the frame type. tagged frame. An 802.1Q-incapable
device discards the 802.1Q frames.
IEEE 802.1Q protocol defines the
value of the field as 0x8100. However,
manufacturers can define their own
TPID values and users can then modify
the value to realize interconnection of
devices from different manufacturers.
PRI 3 bits Priority (PRI), indicating the The value ranges from 0 to 7. A larger
frame priority. value indicates a higher priority. If
congestion occurs, the switch sends
packets with higher priorities first.
CFI 1 bit Canonical Format Indicator The value 0 indicates that the MAC
(CFI), indicating whether a address is encapsulated in canonical
MAC address is encapsulated in format, and the value 1 indicates that
canonical format over different the MAC address is encapsulated in
transmission media. CFI is used non-canonical format. The CFI field
to ensure compatibility between has a fixed value of 0 on Ethernet
Ethernet and token ring networks.
networks.
VID 12 VLAN ID (VID), indicating the VLAN IDs range from 0 to 4095. The
bits VLAN to which a frame values 0 and 4095 are reserved, and
belongs. therefore valid VLAN IDs range from
1 to 4094.
The switch identifies the VLAN that a frame belongs to according to the information
contained in the VID field. Broadcast frames are forwarded only in the local VLAN. That is, a
broadcast domain is confined to within a single VLAN.
VLAN Tags in Received and Sent Frames

In a VLAN, Ethernet frames are classified into the following types:
l Tagged frame: frame with a 4-byte VLAN tag
l Untagged frame: frame without a 4-byte VLAN tag
Common devices process tagged and untagged frames as follows:

l User hosts, servers, hubs, and simplified Layer 2 switches can only receive and send
untagged frames.
l Switches, routers, and ACs can receive and send both tagged and untagged frames.
l Voice terminals and APs can receive and send tagged and untagged frames
simultaneously.

All frames processed in a switch carry VLAN tags so as to improve frame processing
efficiency.
4.2.1.2 Link and Interface Types
All frames processed in a switch carry VLAN tags. On a network, some devices connected to
a switch can only receive and send untagged frames. To enable communication between the
switch and these devices, the switch interfaces must be able to identify the untagged frames
and add or remove VLAN tags from the frames. Hosts in the same VLAN may be connected
to different switches, and more than one VLAN may span multiple switches. To enable
communication between hosts, interfaces between switches must be able to identify and send
VLAN frames.
To accommodate different connections and networking, Huawei defines four interface types
(access, trunk, hybrid, and QinQ) and two link types (access and trunk). Figure 4-3 shows
access, trunk, and hybrid interfaces. 10 QinQ Configuration shows the QinQ interface.
Figure 4-3 Link and interface types

2
3
Switch Switch
4
4
2
Trunk
Hub Switch Switch Hub
VLAN 2 VLAN 3 VLAN 4 VLAN 2 VLAN 3 VLAN 4
Access link
Trunk link Untagged frame
Access interface 2 Tagged frame, VID=2
Trunk interface 3 Tagged frame, VID=3
4 Tagged frame, VID=4
Hybrid interface
Link Types
As shown in Figure 4-3, Ethernet links fall into the following types, depending on the number
of allowed VLANs:
l Access link
An access link can transmit data frames of only one VLAN. It connects a switch to a user
terminal, such as a host, server, and simplified Layer 2 switch. Generally, user terminals

do not need to know the VLANs to which they belong and cannot identify tagged
frames; therefore, only untagged frames are transmitted along an access link.
l Trunk link
A trunk link can transmit data frames from multiple VLANs. It connects a switch to
another switch or a router. Frames on a trunk link must be tagged so that other network
devices can correctly identify VLAN information in the frames.
Interface Types
As shown in Figure 4-3, Ethernet interfaces are classified into the following types depending
on the objects connected to them and the way they process frames:
l Access interface
An access interface often connects to a user terminal such as a user host or server that
cannot identify VLAN tags, or is used when VLANs do not need to be differentiated.
Access interfaces can only receive and send untagged frames, and can add only a unique
VLAN tag to untagged frames.
l Trunk interface
A trunk interface often connects to a switch, router, AP, or voice terminal that can
receive and send tagged and untagged frames simultaneously. It allows tagged frames
from multiple VLANs and untagged frames from only one VLAN.
l Hybrid interface
A hybrid interface can connect to not only a user terminal (such as a user host or server)
or network device (such as a hub or simplified Layer 2 switch) that cannot identify tags,
but also a switch, router, voice terminal, or AP that can receive and send tagged and
untagged frames. It allows tagged frames from multiple VLANs. Frames sent out from a
hybrid interface are tagged or untagged according to the VLAN configuration.
Hybrid and trunk interfaces can be interchanged in some scenarios, but hybrid interfaces
must be used in specified scenarios, for example, 2 to 1 VLAN mapping scenario. Before
packets from multiple VLANs provided by a service provider enter a user network, the
outer VLAN tags must be removed. The trunk interface cannot be used here because the
trunk interface allows only untagged packets from the default VLAN of the interface to
pass through. For details about 2 to 1 VLAN mapping, see 11.2 Principles.
l QinQ interface
An 802.1Q-in-802.1Q (QinQ) interface often connects a private network to a public
network. It can add an additional 802.1Q tag to a tagged frame. QinQ supports up to
4094 x 4094 VLANs, thereby extending VLANs over the network. The outer tag is often
called the public tag and identifies the VLAN ID of the public network, whereas the
inner tag is often called the private tag and identifies the VLAN ID of the private
network.
For details about the QinQ interface and QinQ frame format, see 10.2.1 QinQ
Fundamentals.
4.2.1.3 Default VLAN
The default VLAN ID of an interface is called the port default VLAN ID (PVID). Frames
processed in a switch all carry VLAN tags. When the switch receives an untagged frame, it
adds a VLAN tag to the frame according to the default VLAN of the interface that receives
the frame. The PVID is used in the following scenarios:

l When an interface receives an untagged frame, the interface adds a tag with the PVID to
the frame and sends the frame to the switch for processing. When an interface receives a
tagged frame, the switch does not add a tag with the PVID to the frame.
l When an interface sends a frame in which the VLAN ID is the same as the PVID, the
switch removes the tag from the frame before sending it out from the interface.
Each interface has a default VLAN. By default, the default VLAN ID of all interfaces is
VLAN 1. You can change the default VLAN ID as required:
l The default VLAN of an access interface is the VLAN allowed by the access interface.
To change the default VLAN of an access interface, change the allowed VLAN.
l Trunk and hybrid interfaces allow multiple VLANs but have only one default VLAN.
Changing the allowed VLANs will not change the default VLAN.
4.2.1.4 Adding and Removing VLAN Tags
Ethernet data frames are tagged or untagged based on the interface type and default VLAN.
The following describes how access, trunk, and hybrid interfaces process data frames.
NOTE
A QinQ interface adds an additional tag to a tagged frame. For details, see 10 QinQ Configuration.
Access Interface
Figure 4-4 and Figure 4-5 shows how an access interface adds and removes VLAN tags.
Figure 4-4 Access interface adding VLAN tags
Receive a
frame
No
Carry tag?
Yes
Same No
Discard
VID and PVID?
Yes
Accept it and
add PVID Accept the frame
Further processing

Figure 4-5 Access interface removing VLAN tags

Prepare for
sending a frame
Remove tag
Send the frame
Trunk Interface
Figure 4-6 and Figure 4-7 shows how a trunk interface adds and removes VLAN tags.
Figure 4-6 Trunk interface adding VLAN tags
Receive a
frame
No
Carry tag?
Yes
No
Is VID
Add the PVID Discard
allowed?
Yes
Accept the frame
Further processing

Figure 4-7 Trunk interface removing VLAN tags
Prepare for
sending a frame
No Same as
PVID?
Yes
Remove tag
Retain tag Send the frame
Hybrid Interface
Figure 4-8 and Figure 4-9 shows how a hybrid interface adds and removes VLAN tags.

Figure 4-8 Hybrid interface adding VLAN tags
Receive a
frame
No
Carry tag?
Yes
No
Is VID
Add the PVID Discard
allowed?
Yes
Accept the frame
Further processing

Figure 4-9 Hybrid interface removing VLAN tags
Prepare for
sending a frame
No Does device
add tag to it?
Yes
Retain tag
Remove tag Send the frame

Frame Processing on Different Interfaces
Table 4-2 Frame processing based on the port type

Port Untagged Frame Tagged Frame Frame
Type Processing Processing Transmission
Access Accepts an untagged l Accepts the tagged After the PVID tag is
port frame and adds a tag with frame if the frame's stripped, the frame is
the default VLAN ID to VLAN ID matches the transmitted.
the frame. default VLAN ID.
l Discards the tagged
frame if the frame's
VLAN ID differs from
the default VLAN ID.
Trunk l Adds a tag with the l Accepts a tagged l If the frame's

port default VLAN ID to frame if the VLAN ID VLAN ID
the untagged frame carried in the frame is matches the
and then transmits it if permitted by the port. default VLAN ID
the default VLAN ID l Discards a tagged and the VLAN ID
is permitted by the frame if the VLAN ID is permitted by the
port. carried in the frame is port, the device
l Adds a tag with the denied by the port. removes the tag
default VLAN ID to and transmits the
the untagged frame frame.
and then discards it if l If the frame's
the default VLAN ID VLAN ID differs
is denied by the port. from the default
VLAN ID, but the
VLAN ID is still
permitted by the
port, the device
will directly
transmit the
frame.
Hybrid l Adds a tag with the l Accepts a tagged If the frame's VLAN
port default VLAN ID to an frame if the VLAN ID ID is permitted by the
untagged frame and carried in the frame is port, the frame is
accepts the frame if the permitted by the port. transmitted. The port
port permits the default l Discards a tagged can be configured
VLAN ID. frame if the VLAN ID whether to transmit
l Adds a tag with the carried in the frame is frames with tags.
default VLAN ID to an denied by the port.
untagged frame and
discards the frame if
the port denies the
default VLAN ID.
Interfaces process received frames as follows:

l Access, trunk, and hybrid interfaces add VLAN tags to received untagged frames. Trunk
and hybrid interfaces determine whether to accept untagged frames depending on
whether VLANs specified by the VLAN IDs in the frames are allowed, whereas an
access interface accepts the untagged frames unconditionally.
l Access, trunk, and hybrid interfaces determine whether to accept tagged frames
depending on whether VLANs specified by the VLAN IDs in the frames are allowed (the
VLAN ID allowed by an access interface is the default VLAN ID).
l Interfaces send frames as follows:
– An access interface directly removes VLAN tags from frames before sending the
frames.
– A trunk interface removes VLAN tags from frames only when their VLAN IDs are
the same as the PVID on the interface.
– A hybrid interface determines whether to remove VLAN tags from frames based on
the interface configuration.
Frames sent by an access interface are all untagged. On a trunk interface, only frames of
one VLAN are sent without tags, and frames of other VLANs are sent with tags. On a
hybrid interface, you can specify the VLANs of which frames are sent with or without
tags.
4.2.2 LNP
Definition
Link-type Negotiation Protocol (LNP) dynamically negotiates the link type of an Ethernet
interface. The negotiated link type can be access or trunk.
l When the link type on an Ethernet interface is negotiated as access, the interface joins
VLAN 1 by default.
l When the link type on an Ethernet interface is negotiated as trunk, the interface joins
VLAN 1 to VLAN 4094 by default.
Background
The switch supports the following link types on an Ethernet interface: access, hybrid, trunk,
and Dot1q tunnel. The four link types are applicable to different network positions and are
manually specified. If the network topology changes, link types of Ethernet interfaces also
need to be reconfigured and the configuration is complex. To simplify the configuration, LNP
supports auto-negotiation of the link types on Ethernet interfaces and allows Ethernet
interfaces to join VLANs after the auto-negotiation.
Implementation
When Layer 2 devices on the network shown in Figure 4-10 are successfully connected, the
physical status of interfaces becomes Up. After LNP negotiation is complete, user-side
interfaces on Switch4, Switch5, Switch6, and Switch7 join VLAN 1 as access interfaces, and
interfaces between switches become trunk interfaces and allow all VLANs.

Figure 4-10 Typical LNP networking
S1
S2 S3
Trunk
S4 S5 S6 S7
Access
User User User User

terminal terminal terminal terminal
l LNP negotiation conditions

After LNP is enabled, LNP negotiation is triggered in the following situations:
– The local device receives LNP packets from the remote device.
– The local configuration or interface status changes.
In addition to access, hybrid, trunk, and Dot1q tunnel, LNP provides the following link
types:
– negotiation-desirable: The local device actively sends LNP packets.
– negotiation-auto: The local device does not actively send LNP packets.
NOTE
An interface that is negotiated as a trunk interface allows all VLANs by default; therefore, a loop
prevention protocol needs to be deployed to prevent loops.
If a loop prevention protocol (for example, STP, RSTP, MSTP, or VBST) is deployed on a Layer 2
network, LNP negotiation can succeed on a blocked interface regardless of the link type.
l LNP negotiation
The link type of a Layer 2 Ethernet interface determines the negotiation result. Table 4-3
describes LNP negotiation results on a Layer 2 interface in Up state.
NOTE
l If the two ends of an Eth-Trunk link have different numbers of member interfaces, the LNP
negotiation may fail.
l If the link type of the Layer 2 Ethernet interface is set to access, hybrid, trunk, or Dot1q
tunnel, LNP negotiation does not take effect on the interface.
l The link type of an interface will be set to access when the negotiation fails.

Table 4-3 LNP negotiation

Local LNP Remote Link Type or Negotiated Status of
Negotiation Mode LNP Negotiation Local Link Remote Link
Mode Type Type
negotiation- Access (LNP negotiation Access Access

desirable/ enabled)
negotiation-auto
Hybrid (LNP negotiation Trunk Hybrid
enabled)
Dot1q tunnel (LNP Access Dot1q tunnel

negotiation enabled)
Trunk (LNP negotiation Trunk Trunk

enabled)
LNP negotiation not Access Uncertain

supported or disabled
negotiation- negotiation-desirable Trunk Trunk

desirable
negotiation- negotiation-auto Trunk Trunk

desirable
negotiation-auto negotiation-auto Access Access
LNP negotiation depends on communication between both ends. When the

communication is delayed, the link type may be incorrectly negotiated. After three
rounds of communication are complete, the link type in stable negotiation state.
Otherwise, the link type of the interface keeps in negotiation state. Before the link type
enters the stable negotiation state, the interface in blocking state does not forward
packets. This prevents forwarding errors.
The VLAN Central Management Protocol (VCMP) domain name affects LNP
negotiation. The link type can be negotiated as trunk only when domain names at both
ends are consistent; otherwise, the link type is negotiated as access interface.
4.2.3 VLAN Assignment

VLAN Assignment Modes
VLANs can be assigned based on interfaces, MAC addresses, policies, IP subnets, and
protocols. Table 4-4 compares different VLAN assignment modes.

Table 4-4 Comparisons among VLAN assignment modes

VLAN Implementation Advantage Disadvan Usage
Assignme tage Scenario
nt Mode
Interface- VLANs are assigned based It is simple to The Applies to

based on interfaces. define VLAN network networks
VLAN A network administrator members. administrat of any
assignment preconfigures a PVID for or needs to scale and
each interface on a switch. reconfigure with
When an untagged frame VLANs devices at
arrives at an interface, the when fixed
switch adds the PVID of VLAN locations.
the interface to the frame. members
The frame is then change.
transmitted in the VLAN
specified by the PVID.
MAC VLANs are assigned based When physical The Applies to

address- on source MAC addresses locations of users network small-scale
based of frames. change, the administrat networks
assignment A network administrator network or must where user
preconfigures mappings administrator predefine terminals
between MAC addresses does not need to VLANs for often
and VLAN IDs. When reconfigure all change
receiving an untagged VLANs for the members physical
frame, the switch adds the users. This on a locations
VLAN tag mapping the improves security network. but their
MAC address of the frame and access NICs
to the frame. Then the flexibility on a seldom
frame is transmitted in the network. change, for
specified VLAN. example,
mobile
computers.


nt Mode
IP subnet- VLANs are assigned based l When physical Users are Applies to
based on source IP addresses and locations of distributed scenarios
VLAN subnet masks. users change, regularly where there
assignment A network administrator the network and are high
preconfigures mappings administrator multiple requiremen
between IP addresses and does not need users are ts for
VLAN IDs. When to reconfigure on the mobility
receiving an untagged VLANs for the same and
frame, the switch adds the users. network simplified
VLAN tag mapping the IP l This mode segment. manageme
address of the frame to the reduces nt and low
frame. Then the frame is communicatio requiremen
transmitted in the specified n traffic and ts for
VLAN. allows a security.
broadcast For
domain to example,
span multiple this mode
switches. can be used
if a PC
with
multiple IP
addresses
needs to
access
servers on
different
network
segments
or a PC
needs to
join a new
VLAN
automatical
ly after the
PC's IP
address
changes.


nt Mode
Protocol- VLANs are assigned based This mode binds l The Applies to
based on protocol (suite) types service types to network networks
VLAN and encapsulation formats VLANs, adminis using
assignment of frames. facilitating trator multiple
A network administrator management and must protocols.
preconfigures mappings maintenance. preconfi
between protocol types and gure
VLAN IDs. When mappin
receiving an untagged gs
frame, the switch adds the between
VLAN tag mapping the all
protocol type of the frame protocol
to the frame. The frame is types
then transmitted in the and
specified VLAN. VLAN
IDs.
l The
switch
needs to
analyze
protocol
address
formats
and
convert
the
formats,
which
consum
es
excessi
ve
resourc
es.
Therefo
re, this
mode
slows
down
switch
respons
e time.


nt Mode
Policy- VLANs are assigned based l This mode Each Applies to

based on policies such as provides high policy complex
VLAN combinations of interfaces, security. MAC needs to be networks.
assignment MAC addresses, and IP addresses or IP manually
(MAC addresses. addresses of configured.
addresses, A network administrator users that have
IP preconfigures policies. been bound to
addresses, When receiving an VLANs
and untagged frame that cannot be
interfaces) matches a configured changed.
policy, the switch adds a l The network
specified VLAN tag to the administrator
frame. The frame is then can flexibly
transmitted in the specified select which
VLAN. policies to use
according to
the
management
mode and
requirements.
Priorities of VLAN Assignment Modes

If incoming untagged frames match multiple VLAN assignment modes, the VLAN
assignment modes are selected in descending order of priority: policy-based VLAN
assignment > MAC address-based or IP subnet-based VLAN assignment > protocol-based
VLAN assignment > interface-based VLAN assignment.
l If frames match both MAC address-based and IP subnet-based VLAN assignment
modes, MAC address-based VLAN assignment is used by default. You can change
priorities of the two VLAN assignment modes to select a preferred VLAN assignment
mode for packets.
l Interface-based VLAN assignment has the lowest priority but is commonly used.
Figure 4-11 illustrates the matching sequence of VLAN assignment modes.

Figure 4-11 Matching sequence of VLAN assignment modes

Receive frame
Discard frame
from remote device
No
Yes Does interface Yes Forward/Label

Carry tag?
Allow tagged frame? operation
No
Yes Allocate VLAN ID to

Policy-based VLAN frame and forward it
assignment? at Layer 2
No
MAC address-based VLAN Subnet-based VLAN

assignment preferred MAC address or assignment preferred
subnet-based VLAN
assignment
preferred?
Yes MAC address-based Subnet-based VLAN Yes

VLAN assignment enabled? assignment enabled?
No No
Yes
Is
Subnet-based Yes
MAC-VLAN
VLAN assignment
enabled?
enabled?
No No
Yes Protocol-based
VLAN enabled?
No
No
Is default VLAN Discard frame
ID set?
Yes
Allocate VLAN ID to
frame and forward it
at Layer 2
4.2.4 Intra-VLAN Communication

Packets transmitted between users in a VLAN go through three phases:
l Packet transmission from the source user host
Before sending a frame, the source host compares its IP address with the destination IP
address. If the two IP addresses are on the same network segment, the source host
obtains the MAC address of the destination host and fills the destination field MAC
address of the frame with the obtained MAC address. If the two IP addresses are on

different network segments, the frame needs to be forwarded by the gateway. The source
host obtains the gateway's MAC address, and uses it as the destination MAC address to
send the frame to the gateway.
l Ethernet switching in a switch
The switch determines whether to forward a received frame at Layer 2 or Layer 3 based
on the information in the destination MAC address, VLAN ID, and Layer 3 forwarding
bit.
– If the destination MAC address and VLAN ID of the frame match a MAC address
entry of the switch and the Layer 3 forwarding bit is set, the switch searches for a
Layer 3 forwarding entry based on the destination IP address. If no entry is found,
the switch sends the frame to the CPU. The CPU then searches for a route to
forward the frame at Layer 3.
– If the destination MAC address and VLAN ID of the frame match a MAC address
entry but the Layer 3 forwarding bit is not set, the switch directly forwards the
frame from the outbound interface specified in the matching MAC address entry.
– If the destination MAC address and VLAN ID of the frame do not match any MAC
address entry, the switch broadcasts the frame to all the interfaces allowing the
VLAN specified in the VID to obtain the MAC address of the destination host.
For details about Layer 2 and Layer 3 switching, see 1.3.1 Layer 2 Switching and 1.3.2
Layer 3 Switching.
l Adding and removing VLAN tags during the exchange between devices (for example,
between a switch and a user host, another switch, or another network device)
Frames processed in a switch all carry VLAN tags. The switch needs to add or remove
VLAN tags according to the interface setting to communicate with other network
devices. For details on how VLAN tags are added and removed on different interfaces,
see 4.2.1.4 Adding and Removing VLAN Tags.
After VLANs are assigned, broadcast packets are forwarded at Layer 2 in the same VLAN.
That is, users in the same VLAN can directly communicate at Layer 2. There are two intra-
VLAN communication scenarios depending on whether hosts in the same VLAN connect to
the same or multiple switches.
Intra-VLAN Communication Through the Same Switch

As shown in Figure 4-12, Host_1 and Host_2 connect to the same switch, belong to VLAN 2,
and are located on the same network segment. The interfaces connected to Host_1 and Host_2
are access interfaces.
Figure 4-12 Intra-VLAN communication through the same switch

Switch
IF_1 IF_2
access access
Host_1 VLAN 2 VLAN 2 Host_2
MAC: 1-1-1 MAC: 2-2-2
IP: 10.1.1.2 IP: 10.1.1.3
Subnet Mask: 255.255.255.0 Subnet Mask: 255.255.255.0
When Host_1 sends a packet to Host_2, the packet is transmitted as follows (assuming that no
forwarding entry exists on the switch):

1. Host_1 determines that the destination IP address is on the same network segment as its
IP address, and therefore broadcasts an ARP Request packet to obtain the MAC address
of Host_2. The ARP Request packet carries the all-F destination MAC address and
destination IP address of 10.1.1.3 (Host_2's IP address).
2. When the packet reaches IF_1 on the Switch, the Switch detects that the ARP Request
packet is untagged and adds VLAN 2 (PVID of IF_1) to the packet. The Switch then
adds the binding of the source MAC address, VLAN ID, and interface (1-1-1, 2, IF_1) to
its MAC address table.
3. The Switch does not find a MAC address entry matching the destination MAC address
and VLAN ID of the ARP Request packet, so it broadcasts the ARP Request packet to
all interfaces that allow VLAN 2 (IF_2 in this example).
4. Before sending the ARP Request packet, IF_2 on the Switch removes the tag with
VLAN 2 from the packet.
5. Host_2 receives the ARP Request packet and records the mapping between the MAC
address and IP address of Host_1 in the ARP table. Then Host_2 compares the
destination IP address with its own IP address. If they are the same, Host_2 sends an
ARP Reply packet. The ARP Reply packet carries Host_2's MAC address of 2-2-2 and
Host_1's IP address of 10.1.1.2 as the destination IP address.
6. After receiving the ARP Reply packet, IF_2 on the Switch tags the packet with VLAN 2.
7. The Switch adds the mapping between the source MAC address, VLAN ID, and
interface (2-2-2, 2, IF_2) to its MAC address table, and then searches for an entry in its
MAC address table based on the destination MAC address and VLAN ID (1-1-1, 2). The
entry is found because the mapping has been recorded before (see step 5). The Switch
forwards the ARP Reply packet to IF_1.
8. Before forwarding the ARP Reply packet to IF_1, the Switch removes the tag with
VLAN 2 from the packet.
9. Host_1 receives the ARP Reply packet and records the mapping between the MAC
address and IP address of Host_2 in the ARP table.
Host_1 and Host_2 have learned the MAC address of each other, so they directly fill the
destination MAC address fields of packets with the learned MAC addresses of the packets in
subsequent communication.
In the preceding networking, if hosts in the same VLAN are on different network segments,
they encapsulate the gateway's MAC address into packets. If the Switch is a Layer 2 switch,
hosts cannot communicate. If the Switch is a Layer 3 switch, hosts can communicate through
VLANIF interfaces (with primary and secondary IP addresses configured). The principles are
similar to those in Inter-VLAN Communication Through the Same Switch, and are not
mentioned here.
Intra-VLAN Communication Through Multiple Switches

As shown in Figure 4-13, Host_1 and Host_2 connect to different switches, belong to VLAN
2, and are located on the same network segment. The switches are connected using a trunk
link over which frames can be identified and sent across switches.

Figure 4-13 Intra-VLAN communication through multiple switches

Switch_1 Switch_2
trunk trunk
VLAN 2 VLAN 2
IF_1 IF_2 IF_2 IF_1
access access
VLAN 2 VLAN 2
Host_1 Host_2
MAC: 1-1-1 MAC: 2-2-2
IP: 10.1.1.2 IP: 10.1.1.3
Subnet Mask: 255.255.255.0 Subnet Mask: 255.255.255.0
forwarding entry exists on Switch_1 and Switch_2):
1. The first two steps are similar to steps 1 and 2 in Intra-VLAN Communication
Through the Same Switch. After the two steps are complete, Host_1 broadcasts the
ARP Request packet to IF_2 on Switch_1.
2. IF_2 on Switch_1 transparently transmits the ARP Request packet to IF_2 on Switch_2
without removing the tag of the packet, because the VLAN ID of the packet is different
from the PVID of IF_2 on Switch_1.
3. After receiving the ARP Request packet, IF_2 on Switch_2 determines that VLAN 2 is
an allowed VLAN and accepts the packet.
4. Following the four steps similar to steps 3 to 6 in Intra-VLAN Communication
Through the Same Switch, Switch_2 forwards the ARP Reply packet of Host_2 to
IF_2. IF_2 on Switch_2 transparently transmits the ARP Reply packet to IF_2 on
Switch_1, because IF_2 is a trunk interface and its PVID is different from the VLAN ID
of the packet.
5. After receiving the ARP Reply packet, IF_2 on Switch_1 determines that VLAN 2 is an
allowed VLAN and accepts the packet. Subsequent steps are similar to steps 7 to 9 in
Intra-VLAN Communication Through the Same Switch.
In addition to transmitting frames from multiple VLANs, a trunk link can transparently
transmit frames without adding or removing the tags of the packets.
In the preceding networking, if hosts in the same VLAN are on different network segments
and Switch_1 or Switch_2 is a Layer 2 switch, hosts cannot communicate. If Switch_1 or
Switch_2 is a Layer 3 switch, hosts can communicate through VLANIF interfaces. The
principles are similar to those in Inter-VLAN Communication Through the Same Switch,
and are not mentioned here.
4.2.5 Inter-VLAN Communication

After VLANs are assigned, broadcast packets are only forwarded in the same VLAN. That is,
hosts in different VLANs cannot communicate at Layer 2. Therefore, VLAN technology
isolates broadcast domains. In real-world applications, hosts in different VLANs often need to
communicate, so inter-VLAN communication needs to be implemented to resolve this.

Similar to intra-VLAN communication described in 4.2.4 Intra-VLAN Communication,

inter-VLAN communication goes through three phases: packet transmission from the source
host, Ethernet switching in a switch, and adding and removing VLAN tags during the
exchange between devices. According to the Ethernet switching principle, broadcast packets
are only forwarded in the same VLAN and hosts in different VLANs cannot directly
communicate at Layer 2. Layer 3 routing or VLAN translation technology is required to
implement inter-VLAN communication.
Inter-VLAN Communication Technologies

Huawei provides a variety of technologies to implement inter-VLAN communication. The
following two technologies are commonly used:
l VLANIF interface
A VLANIF interface is a Layer 3 logical interface that can be used to implement inter-
VLAN Layer 3 connectivity.
It is simple to configure a VLANIF interface, so VLANIF interfaces are the most
commonly used for inter-VLAN communication. However, a VLANIF interface needs to
be configured for each VLAN and each VLANIF interface requires an IP address. As a
result, this technology wastes IP addresses.
l Dot1q termination sub-interface
A sub-interface is also a Layer 3 logical interface that can be used to implement inter-
VLAN Layer 3 connectivity.
A Dot1q termination sub-interface applies to scenarios where a Layer 3 Ethernet
interface connects to multiple VLANs. In such a scenario, data flows from different
VLANs preempt bandwidth of the primary Ethernet interface; therefore, the primary
Ethernet interface may become a bottleneck when the network is busy.
For details about the Dot1q termination sub-interface, see 8 VLAN Termination
Configuration.
VLANIF interfaces and Dot1q termination sub-interfaces require that users in VLANs be
located on different network segments. (When hosts are located on the same network
segment, a host encapsulates the destination host' MAC address in packets. The switch
determines that packets should be forwarded at Layer 2. Layer 2 switching is performed only
in the same VLAN, and broadcast packets cannot reach different VLANs. In this case, the
switch cannot obtain destination hosts' MAC addresses and therefore cannot forward packets
to the destination host.) On a network, the following technologies can allow hosts on the same
network segment in different VLANs to communicate:
l VLAN aggregation
VLAN aggregation, also known as super-VLAN, associates a super-VLAN with multiple
sub-VLANs. The sub-VLANs share the IP address of the super-VLAN as the gateway IP
address to implement Layer 3 connectivity with an external network. Proxy ARP can be
enabled between sub-VLANs to implement Layer 3 connectivity between sub-VLANs.
VLAN aggregation conserves IP addresses in inter-VLAN Layer 3 communication.
VLAN aggregation applies to scenarios where multiple VLANs share a gateway.
For details about VLAN aggregation, see 5 VLAN Aggregation Configuration.
l VLAN Switch switch-vlan
VLAN Switch switch-vlan requires a pre-configured static forwarding path along
switching nodes on a network. When a switching node receives VLAN-tagged frames
matching VLAN Switch entries, it directly forwards the frames to corresponding

interfaces according to the static forwarding path, thus implementing Layer 2

communication.
Switch-VLAN does not require lookup of the MAC address table, so the forwarding
efficiency and security are enhanced. If a switching node connects to many user devices,
the network administrator needs to configure each user device in advance to establish a
static forwarding path. This increases the manual configuration workload and makes
network management inconvenient. Switch-VLAN applies to small-scale networks.
For details about VLAN Switch switch-vlan, see 6 VLAN Switch Configuration.
Inter-VLAN Communication Through the Same Switch

As shown in Figure 4-14, Host_1 (source host) and Host_2 (destination host) connect to the
same Layer 3 switch, are located on different network segments, and belong to VLAN 2 and
VLAN 3, respectively. After VLANIF 2 and VLANIF 3 are created on the switch and
allocated IP addresses, the default gateway addresses of the hosts are set to IP addresses of the
VLANIF interfaces.
Figure 4-14 Using VLANIF interfaces to implement inter-VLAN communication through the
same switch
VLANIF 2 VLANIF 3
IP: 10.1.1.1/24 IP: 10.2.2.1/24
MAC: 3-3-3 Switch MAC: 4-4-4
IF_1 IF_2
access access
VLAN 2 VLAN 3
Host_1 Host_2
MAC: 1-1-1 MAC: 2-2-2
IP: 10.1.1.2 IP: 10.2.2.2
Gateway address: 10.1.1.1 Gateway address: 10.2.2.1
forwarding entry exists on the switch):
1. Host_1 determines that the destination IP address is on a different network segment from
its own IP address, and therefore sends an ARP Request packet to request the gateway
MAC address. The ARP Request packet carries the destination IP address of 10.1.1.1
(gateway's IP address) and all-F destination MAC address.
2. When the ARP Request packet reaches IF_1 on the Switch, the Switch tags the packet
with VLAN 2 (PVID of IF_1). The Switch then adds the mapping between the source
MAC address, VLAN ID, and interface (1-1-1, 2, IF_1) in its MAC address table.
3. The Switch detects that the packet is an ARP Request packet and the destination IP
address is the IP address of VLANIF 2. The Switch then encapsulates VLANIF 2's MAC
address of 3-3-3 into the ARP Reply packet and removes the tag with VLAN 2 from the
packet before sending it from IF_1. In addition, the Switch adds the binding of the IP
address and MAC address of Host_1 in its ARP table.
4. After receiving the ARP Reply packet from the Switch, Host_1 adds the binding of the
IP address and MAC address of VLANIF 2 on the Switch in its ARP table and sends a
packet to the Switch. The packet carries the destination MAC address of 3-3-3 and
destination IP address of 10.2.2.2 (Host_2's IP address).

5. After the packet reaches IF_1 on the Switch, the Switch tags the packet with VLAN 2.
6. The Switch updates its MAC address table based on the source MAC address, VLAN
ID, and inbound interface of the packet, and compares the destination MAC address of
the packet with the MAC address of VLANIF 2. If they are the same, the Switch
determines that the packet should be forwarded at Layer 3 and searches for a Layer 3
forwarding entry based on the destination IP address. If no entry is found, the Switch
sends the packet to the CPU. The CPU then searches for a routing entry to forward the
packet.
7. The CPU looks up the routing table based on the destination IP address of the packet and
detects that the destination IP address matches a directly connected network segment
(network segment of VLANIF 3). The CPU continues to look up its ARP table but finds
no matching ARP entry. Therefore, the Switch broadcasts an ARP Request packet with
the destination address of 10.2.2.2 to all interfaces in VLAN 3. Before sending the ARP
Request packet from IF_2, the Switch removes the tag with VLAN 2 from the packet.
8. After receiving the ARP Request packet, Host_2 detects that the IP address is its own IP
address and sends an ARP Reply packet with its own. Additionally, Host_2 adds the
mapping between the MAC address and IP address of VLANIF 3 to its ARP table.
9. After IF_2 on the Switch receives the ARP Reply packet, IF_2 tags the packet with
VLAN 3 to the packet and adds the binding of the MAC address and IP address of
Host_2 in its ARP table. Before forwarding the packet from Host_1 to Host_2, the
Switch removes the tag with VLAN 3 from the packet. The Switch also adds the binding
of Host_2's IP address, MAC address, VLAN ID, and outbound interface in its Layer 3
forwarding table.
The packet sent from Host_1 then reaches Host_2. The packet transmission process from
Host_2 to Host_1 is similar. Subsequent packets between Host_1 and Host_2 are first sent to
the gateway (Switch), and the Switch forwards the packets at Layer 3 based on its Layer 3
forwarding table.
Inter-VLAN Communication Through Multiple Switches

When hosts in different VLANs connect to multiple Layer 3 switches, you need to configure
static routes or a dynamic routing protocol in addition to VLANIF interface addresses. This is
because IP addresses of VLANIF interfaces can only be used to generate direct routes.
As shown in Figure 4-15, Host_1 (source host) and Host_2 (destination host) are located on
different network segments, connect to Layer 3 switches Switch_1 and Switch_2, and belong
to VLAN 2 and VLAN 3, respectively. On Switch_1, VLANIF 2 and VLANIF 4 are created
and allocated IP addresses of 10.1.1.1 and 10.1.4.1. On Switch_2, VLANIF 3 and VLANIF 4
are created and allocated IP addresses of 10.1.2.1 and 10.1.4.2. Static routes are configured on
Switch_1 and Switch_2. On Switch_1, the destination network segment in the static route is
10.1.2.0/24 and the next hop address is 10.1.4.2. On Switch_2, the destination network
segment in the static route is 10.1.1.0/24 and the next hop address is 10.1.4.1.

Figure 4-15 Using VLANIF interfaces to implement inter-VLAN communication through

multiple switches
Switch_1 Switch_2
Trunk
VLAN 4
IF_1 IF_2 IF_2 IF_1
access access
VLAN 2 VLAN 3
Host_1 Host_2
MAC: 1-1-1 MAC: 2-2-2
IP: 10.1.1.2 IP: 10.1.2.2
Gateway address: 10.1.1.1 Gateway address: 10.1.2.1
forwarding entry exists on Switch_1 and Switch_2):
1. The first six steps are similar to steps 1 to 6 in inter-VLAN communication when hosts
connect to the same switch. After the steps are complete, Switch_1 sends the packet to
its CPU and the CPU looks up the routing table.
2. The CPU of Switch_1 searches for the routing table based on the destination IP address
of 10.1.2.2 and finds a static route. In the static route, the destination network segment is
10.1.2.0/24 and the next hop address is 10.1.4.2. The CPU continues to look up its ARP
table but finds no matching ARP entry. Therefore, Switch_1 broadcasts an ARP Request
packet with the destination address of 10.1.4.2 to all interfaces in VLAN 4. IF_2 on
Switch_1 transparently transmits the ARP Request packet to IF_2 on Switch_2 without
removing the tag from the packet.
3. After the ARP Request packet reaches Switch_2, Switch_2 finds that the destination IP
address of the ARP Request packet is the IP address of VLANIF 4. Switch_2 then sends
an ARP Reply packet with the MAC address of VLANIF 4 to Switch_1.
4. IF_2 on Switch_2 transparently transmits the ARP Reply packet to Switch_1. After
Switch_1 receives the ARP Reply packet, it adds the binding of the MAC address and IP
address of VLANIF4 in its ARP table.
5. Before forwarding the packet of Host_1 to Switch_2, Switch_1 changes the destination
MAC address of the packet to the MAC address of VLANIF 4 on Switch_2 and the
source MAC address to the MAC address of VLANIF 4 on itself. In addition, Switch_1
records the forwarding entry (10.1.2.0/24, next hop IP address, VLAN, and outbound
interface) in its Layer 3 forwarding table. Similarly, the packet is transparently
transmitted to IF_2 on Switch_2.
6. After Switch_2 receives packets of Host_1 forwarded by Switch_1, the steps similar to
steps 6 to 9 in inter-VLAN communication when hosts connect to the same switch
are performed. In addition, Switch_2 records the forwarding entry (Host_2's IP address,
MAC address, VLAN, and outbound interface) in its Layer 3 forwarding table.
4.2.6 Intra-VLAN Layer 2 Isolation

You can add different users to different VLANs to implement Layer 2 isolation between users.
If an enterprise has many users, VLANs have to be allocated to all users that are not allowed

to communicate with each other. This user isolation method uses a large number of VLANs
and makes configuration more complex, increasing the maintenance workload of the network
administrator.
Huawei provides intra-VLAN Layer 2 isolation technologies including port isolation, MUX
VLAN, and Modular QoS Command-Line Interface (MQC).
Port Isolation
Port isolation can isolate interfaces in a VLAN. You can add interfaces to a port isolation
group to disable Layer 2 packet transmission between the interfaces. Interfaces in different
port isolation groups or out of port isolation groups can exchange packets with other
interfaces. In addition, interfaces can be isolated unidirectionally, providing more secure and
flexible networking.
For details about port isolation, see Configuring Port Isolation in S7700&S9700 Series
Switches Configuration Guide - Interface Management.
MUX VLAN
Multiplex VLAN (MUX VLAN) provides a mechanism to control network resources using
VLANs. It can implement inter-VLAN communication and intra-VLAN isolation.
For example, an enterprise has the following requirements:
l Employees can communicate with each other but customers are isolated.
l Both employees and customers can access enterprise servers.
You can deploy the MUX VLAN to meet the preceding requirements.
For details about the MUX VLAN feature, see 7 MUX VLAN Configuration.
Intra-VLAN Layer 2 Isolation Based on the Traffic Policy

A traffic policy is configured by binding traffic classifiers to traffic behaviors. You can define
traffic classifiers on a switch to match packets with certain characteristics and associate the
traffic classifiers with the permit or deny behavior in a traffic policy. The switch then permits
or denies packets matching the traffic classifiers. In this way, intra-VLAN unidirectional or
bidirectional isolation is implemented based on the traffic policy.
The switch supports intra-VLAN Layer 2 isolation based on MQC and simplified ACL-based
traffic policies. For details about MQC and simplified ACL-based traffic policies, see MQC
Configuration and ACL-based Simplified Traffic Policy Configuration in S7700&S9700
Series Switches Configuration Guide - QoS.
4.2.7 Inter-VLAN Layer 3 Isolation

After inter-VLAN Layer 3 connectivity is implemented between two VLANs, all users in the
VLANs can communicate. In some scenarios, communication between some users needs to
be prevented or only unidirectional communication is allowed. For example, user hosts and
servers often use unidirectional communication, and visitors to an enterprise are often allowed
to access only the Internet or some servers. In these scenarios, you need to configure inter-
VLAN isolation.
Inter-VLAN isolation is often implemented using a traffic policy. You can define traffic
classifiers on a switch to match packets with certain characteristics and associate the traffic

classifiers with the permit or deny behavior in a traffic policy. The switch then permits or
rejects the packets matching the traffic classifiers. This technology implements flexible inter-
VLAN isolation.
The switch supports inter-VLAN Layer 3 isolation based on MQC and simplified ACL-based
traffic policies. For details about MQC and simplified ACL-based traffic policies, see MQC
Configuration and ACL-based Simplified Traffic Policy Configuration in S7700&S9700
Series Switches Configuration Guide - QoS.
4.2.8 Management VLAN

To use a remote network management system (NMS) to manage devices in a centralized
manner, configure a management IP address on the switch. You can then use the management
IP address to log in to the switch using STelnet and manage the switch. If a user-side interface
is added to the VLAN corresponding to the management IP address, users connected to the
interface can also log in to the switch. This poses security risks to the switch.
To enhance security, you can configure the VLAN as the management VLAN (mVLAN).
Access or Dot1q tunnel interfaces cannot be added to the mVLAN. (The VLANs not specified
as the mVLAN are service VLANs.) Access and Dot1q tunnel interfaces are often connected
to users. When these interfaces are prevented from joining the mVLAN, users connected to
the interfaces cannot log in to the device, improving device security.
4.2.9 Protocol Packet Transparent Transmission in a VLAN

When a gateway device or Layer 2 switch is enabled with snooping functions such as DHCP/
IGMP/MLD snooping, the device needs to parse and process protocol packets such as ARP,
DHCP, and IGMP packets. That is, protocol packets received by an interface are sent to the
CPU for processing. The interface sends protocol packets without differentiating VLANs. If
the preceding functions are deployed, protocol packets from all VLANs are sent to the CPU
for processing.
If the device works as the gateway or provides the snooping functions for only some VLANs,
the device does not need to process protocol packets in other VLANs. After the protocol
packets in other VLANs are sent to the CPU, the CPU needs to forward them to other devices.
This mechanism is called software forwarding. Protocol packet processing in software
forwarding decreases the forwarding efficiency.
To address this issue, deploy protocol packet transparent transmission in VLANs where
protocol packets do not need to be processed. This function enables the device to
transparently transmit the protocol packets in the VLANs to other devices, which improves
the forwarding efficiency.
4.3 Applications
4.3.1 Using VLAN Assignment to Implement Layer 2 Isolation

Interface-based VLAN Assignment
As shown in Figure 4-16, there are multiple companies in a building. These companies share
network resources to reduce costs. Networks of the companies connect to different interfaces
of the same Layer 2 switch and access the Internet through an egress.

Figure 4-16 Networking of interface-based VLAN assignment
Internet
L3 switch
L2 switch
Company_1 Company_2 Company_3

VLAN 2 VLAN 3 VLAN 4
To isolate services and ensure service security of different companies, add interfaces
connected to the companies to different VLANs. Each company has a virtual router and each
VLAN is a virtual work group.
MAC Address-based VLAN Assignment

As shown in Figure 4-17, a company has two office areas that connect to the company's
network through Switch_2 and Switch_3 respectively. Employees often move between the
two office areas.
Figure 4-17 Networking of MAC address-based VLAN assignment
Switch_1
Server
VLAN 10
Switch_2 Switch_3
Office Office
area 1 area 2
User_1 User_1
VLAN 10 VLAN 10

To enable employees to access network resources such as servers after they move from one
office area to the other, configure MAC address-based VLAN assignment on Switch_2 and
Switch_3. As long as the MAC address of User_1 remains unchanged, the user belongs to the
same VLAN and can still access the company's network resources after changing the location.
IP Subnet-based VLAN Assignment

As shown in Figure 4-18, a company has two departments: departments 1 and 2. The two
departments are assigned fixed IP network segments. Employees' locations often change to
strengthen learning and communication, but the company requires that network resource
access rights remain unchanged.
Figure 4-18 Networking of IP subnet-based VLAN assignment

Server of department 1
Switch_1 VLAN 10
Server of department 2
VLAN 20
Switch_2 Switch_3
Department Department
1 2
10.1.1.2 10.1.2.2 10.1.1.3 10.1.2.3

VLAN 10 VLAN 20 VLAN 10VLAN 20
To ensure that employees retain the rights to access network resources after changing
locations, configure IP subnet-based VLAN assignment on the company's central switch.
Different network segments of servers are assigned to different VLANs to isolate data flows
of different application services, improving security.
4.3.2 Using VLANIF Interfaces to Implement Inter-VLAN Layer 3

Connectivity
VLANIF interfaces are used to implement inter-VLAN Layer 3 connectivity when devices are
connected to the same Layer 3 switch or different Layer 3 switches.
Inter-VLAN Layer 3 Connectivity Between Devices Connected to the Same Layer

3 Switch
As shown in Figure 4-19, departments 1 and 2 of a small-scale company belong to VLAN 2
and VLAN 3, respectively, and connect to a Layer 3 switch (Switch) through Layer 2
switches. Packets exchanged between the two departments need to pass the Layer 3 switch.

Figure 4-19 Using VLANIF interfaces to implement inter-VLAN communication through the
same Layer 3 switch
Switch
(L3)
VLANIF 2 VLANIF 3
Switch_1
Switch_2
(L2)
(L2)
Department 1 Department 2
PC_1 PC_2
VLAN 2 VLAN 3
Assign VLANs on Switch_1 and Switch_2, configure Switch_1 and Switch_2 to transparently
transmit VLAN packets to the Layer 3 switch, and configure a VLANIF interface for each
VLAN on the Layer 3 switch to allow communication between VLAN 2 and VLAN 3.
Inter-VLAN Layer 3 Connectivity Between Devices Connected to Different Layer

3 Switches
As shown in Figure 4-20, departments 1 and 2 of a medium- or large-scale company are
connected across two or more Layer 3 switches, and belong to VLAN 2 and VLAN 3
respectively. Packets exchanged between the two departments need to pass the Layer 3
switches.
Figure 4-20 Using VLANIF interfaces to implement inter-VLAN communication through

multiple Layer 3 switches
Switch_1 Switch_2
(L3) (L3)
Layer 3 network
VLANIF 2 VLANIF 3
L2 Switch L2 Switch
PC_1 PC_2
VLAN 2 VLAN 3

Assign VLANs on the Layer 2 switches, and configure the Layer 2 switches to transparently
transmit VLAN packets to Layer 3 switches. Configure a VLANIF interface for each user
VLAN and interconnected VLANs on Switch_1 and Switch_2, and configure VLANIF
interfaces for interconnected VLANs on other Layer 3 devices. In addition, configure static
routes or a dynamic routing protocol between Switch_1 and Switch_2 (a dynamic routing
protocol is recommended when devices are connected across more than two Layer 3
switches).
4.3.3 Using a Traffic Policy to Implement Inter-VLAN Access

Control
As shown in Figure 4-21, to ensure communication security, a company divides the network
into visitor area, employee area, and server area, and assigns VLAN 10, VLAN 20, and
VLAN 30 to the areas respectively. The company has the following requirements:
l Employees, visitors, and servers can access the Internet.
l Visitors cannot communicate with employees and can access only Server_1 in the server
area.
Figure 4-21 Using a traffic policy to implement inter-VLAN access control
Internet
Router
Switch VLANIF 100

(L3)
VLANIF 10 VLANIF 30
VLANIF 20
L2 Switch L2 Switch L2 Switch
Visitor Employee Server

area area area
Visitor_1 Employee_1 Server_1
10.1.1.2/24 10.1.2.2/24 10.1.3.2/24
After the central switch (Switch) is configured with VLANIF 10, VLANIF 20, VLANIF 30,
and VLANIF 100 and a route to the router, employees, visitors, and servers can access the
Internet and communicate with each other. To control access rights of visitors, configure a
traffic policy on the central switch and define the following rules:
l ACL rule 1: denies the packets sent from the IP network segment of visitors to the IP
segment of employees.

l ACL rule 2: permits the packets from the IP network segment of visitors to the IP
address of Server_1, and denies the packets from the IP network segment of visitors and
to the IP segment of servers.
l ACL rule 3: denies the packets from the IP network segment of employees to the IP
segment of visitors.
l ACL rule 4: denies the packets from the IP network segment of servers to the IP segment
of visitors.
Apply the traffic policy to the inbound and outbound direction of the switch interface
connected to the visitor area. Visitors can then only access Server_1 and cannot communicate
with employees.
4.3.4 Using a VLANIF Interface to Implement Layer 3

Connectivity Between the Switch and Router
To reduce costs, most enterprises use switches to connect internal devices and an egress router
to connect to an ISP network, as shown in Figure 4-22.
Figure 4-22 Connection between the switch and router
Egress
Core switch
router
Enterprise intranet GE1/0/1 ISP
VLANIF 10 GE1/0/1.1 network
10.1.1.1/24 10.1.1.2/24
To access the ISP network, the core Layer 3 switch and egress router need to interwork at
Layer 3. Most Layer 3 switches do not support routed interfaces or support limited routed
interfaces. Generally, a VLANIF interface is used as a Layer 3 interface to communicate with
the Layer 3 sub-interface of the router, and then static route or a dynamic routing protocol is
configured to implement Layer 3 connectivity between the core switch and egress router.

Table 4-5 describes the VLAN configuration tasks. Figure 4-23 illustrates the logical
relationship between configuration tasks.

Figure 4-23 Logical relationship between configuration tasks
Assign VLANs
Configure VLANIF Configure protocol

Configure MQC-based
interfaces to packet transparent
intra-VLAN Layer 2 Configure mVLAN
implement inter-VLAN transmission in a
isolation
communication VLAN
Configure MQC to
implement inter-VLAN
isolation
Table 4-5 VLAN configuration task summary

Configuration Task Description
4.7.1 Assigning VLANs VLANs can isolate the hosts that do not need to
communicate with each other, which improves network
security, reduces broadcast traffic, and mitigates broadcast
storms.
4.7.2 Configuring Inter- After VLANs are assigned, users in different VLANs
VLAN Communication cannot directly communicate with each other. If users in
different VLANs need to communicate, configure VLANIF
interfaces to implement inter-VLAN Layer 3 connectivity.
NOTE
You can also configure a VLAN termination sub-interface or
VLAN Switch to implement inter-VLAN connectivity. For details
about the VLAN termination sub-interface and VLAN switching,
see 8.6.1 Configuring a Dot1q Termination Sub-interface to
Implement Inter-VLAN Communication and 6 VLAN Switch
Configuration.
4.7.3 Configuring a Traffic After VLANs are assigned, users in the same VLAN can
Policy to Implement Intra- directly communicate with each other. If some users in the
VLAN Layer 2 Isolation same VLAN need to be isolated, configure MQC-based
intra-VLAN Layer 2 isolation.
NOTE
Intra-VLAN isolation can also be implemented using port
isolation. For details about port isolation, see Configuring Port
Isolation in S7700&S9700 Series Switches Configuration Guide -
Interface Management.
4.7.4 Configuring a Traffic After VLANIF interfaces are configured to implement

Policy to Implement Inter- inter-VLAN connectivity, users in different VLANs can
VLAN Layer 3 Isolation communicate at Layer 3. If some users in different VLANs
require unidirectional communication or need to be
isolated, configure a traffic policy.

Configuration Task Description
4.7.5 Configuring an To use the NMS to manage devices in a centralized

mVLAN manner, assign VLANs and configure a VLAN as the
management VLAN.
4.7.6 Configuring An interface sends protocol packets of all VLANs to the

Transparent Transmission CPU for processing, affecting the forwarding efficiency.
of Protocol Packets in a You can configure protocol packet transparent transmission
VLAN in a VLAN so that the switch sends only protocol packets
in a specified VLAN. This function improves the
forwarding efficiency.

License Support
VLAN technology is a basic feature of a switch and is not under license control.
Version Support
Table 4-6 Products and versions supporting VLAN technology

Series Products Software Version
S7700 S7703, V100R003C01, V100R006C00, V200R001(C00&C01),

S7706, V200R002C00, V200R003C00, V200R005C00,
S7712 V200R006C00, V200R007C00, V200R008C00,
V200R009C00, V200R010C00
S9700 S9703, V200R001(C00&C01), V200R002C00, V200R003C00,

S9706, V200R005C00, V200R006C00, V200R007C00,
S9712 V200R008C00, V200R009C00, V200R010C00
NOTE

l Table 4-7 describes the specifications of VLAN technology.

Table 4-7 Specifications of VLAN technology

Item Specification
Maximum number of VLANs in the 4096 (VLAN 0 and VLAN 4095 are
system reserved)
Maximum number of VLANIF interfaces S9703 and S7703: 2048; other models:
in the system 4094
l If LNP is used to dynamically negotiate the link type (LNP is enabled by default), it is
recommended that each interface should be added to a maximum of 1000 VLANs and a
maximum of 200 interfaces should be configured on a switch. If 4094 VLANs are
configured globally, it is recommended that a maximum of 50 interfaces should be
enabled with LNP. Otherwise, the alarm about a high CPU usage is generated for a short
time.
l You are advised to plan service and management VLANs so that any broadcast storms in
service VLANs do not affect switch management.
l In practice, specify VLANs from which packets need to be transparently transmitted by a
trunk interface. Do not use the port trunk allow-pass vlan all command if possible.
l In earlier versions of V200R005, before changing the interface type, restore the default
VLAN of the interface.
l In earlier versions of V200R005, before deleting a VLAN where a VLANIF interface
has been configured, run the undo interface vlanif vlan-id command to delete the
VLANIF interface.
l All interfaces join VLAN 1 by default. When unknown unicast, multicast, or broadcast
packets of VLAN 1 exist on the network, broadcast storms may occur. When VLAN 1 is
used, pay attention to the following points:
– You are not advised to use VLAN 1 as the management VLAN or service VLAN.
– Remove the interfaces that do not need to join VLAN 1 from VLAN 1 to prevent
loops. A trunk interface often permits packets from VLAN 1 to pass through. If a
trunk interface rejects packets from VLAN 1, some protocol packets such as
BPDUs transmitted in VLAN 1 may be incorrectly discarded. To prevent such
faults, take measures to prevent potential risks when packets of VLAN 1 are
allowed to pass through.
– If a spanning tree protocol is used and a trunk interface on the switch rejects packets
from VLAN 1, run the stp bpdu vlan command to enable the switch to encapsulate
the specified VLAN ID in outgoing STP BPDUs so that the spanning tree protocol
runs properly.
– You are advised to remove interfaces from VLAN 1 in Eth-Trunk or ring
networking.
– When the switch connects to an access device, to prevent broadcast storms in
VLAN 1, do not configure the uplink interface of the access device to transparently
transmit packets from VLAN 1.
– When an interface is bound to a VLANIF interface for Layer 3 forwarding, remove
the interface from VLAN 1 to prevent Layer 2 loops in VLAN 1.

Table 4-8 Default configuration of VLAN technology

Default Interf Negotiation-desirable

configu ace
ration type
of an
interfac Defa VLAN 1
e ult
VLA
N
VLA l VLAN 1 that access interfaces join in untagged mode (port default
N vlan 1)
that l VLANs 1 to 4094 that trunk interfaces join in tagged mode (port
an trunk allow-pass vlan 1 to 4094)
interf
ace
joins
Damping time 0s
Traffic statistics Disabled

collection in a
VLAN
Traffic statistics Disabled

collection on a
VLANIF
interface
4.7 Configuring VLAN Technology
4.7.1 Assigning VLANs

VLANs can isolate the hosts that do not need to communicate with each other, which
improves network security, reduces broadcast traffic, and mitigates broadcast storms.
The following VLAN assignment configurations can be performed in any sequence. You can
select one or more configurations according to your needs.
4.7.1.1 Configuring Interface-based VLAN Assignment (Statically Configured

Interface Type)
Context
Interface-based VLAN assignment is the simplest and most effective method. VLANs are
assigned based on interfaces. After an interface is added to a VLAN, the interface can forward
packets from the VLAN. Interface-based VLAN assignment allows hosts in the same VLAN
to communicate and prevents hosts in different VLANs from communicating, so broadcast
packets are limited in a VLAN.

Ethernet interfaces are classified into access, trunk, and hybrid interfaces according to the
objects connected to the Ethernet interfaces and number of VLANs from which untagged
frames are permitted (see Interface Types):
l Access interface
The switch processes only tagged frames and an access interface connected to devices
only receive and send untagged frames, so the access interface needs to add a VLAN tag
to received frames. That is, you must configure the default VLAN for the access
interface. After the default VLAN is configured, the access interface joins the VLAN.
An access interface needs to process only untagged frames. If a user connects a
switching device to a user-side interface without permission, the user-side interface may
receive tagged frames. You can configure the user-side interface to discard tagged
frames, preventing unauthorized access.
l Trunk interface
When a trunk interface connects to a device such as an AP or a voice terminal that can
receive and send tagged and untagged frames simultaneously, you need to configure the
default VLAN for the trunk interface so that the trunk interface can add the VLAN tag to
untagged frames.
l Hybrid interface
When a hybrid interface connects to an AP, a voice terminal, a hub, a host, or a server
that sends untagged frames to the switch, you need to configure the default VLAN for
the hybrid interface so that the hybrid interface can add the VLAN tag to untagged
frames.
Frames sent by a switch all carry VLAN tags. In some scenarios, VLAN tags need to be
removed from frames sent by a hybrid interface. For example, in VLAN stacking
scenarios, before packets from multiple VLANs on an ISP network enters a user
network, outer VLAN tags need to be removed from the packets. A trunk interface
allows untagged packets from only one VLAN, so the interface must be configured as
hybrid. For details about VLAN stacking, see 10 QinQ Configuration.
By default, the type of an interface is negotiation-auto.
Procedure
l Configuring the default VLAN for an access interface
a. Run:
system-view

b. Run:
vlan vlan-id
A VLAN is created and the VLAN view is displayed, or the view of an existing
VLAN is displayed.
c. Run:
quit
Return to the system view.

d. Run:
The view of the Ethernet interface to be added to the VLAN is displayed.

e. Run:

The Ethernet interface is configured as the access interface.

f. Run:
port default vlan vlan-id
The default VLAN is configured for the interface and the interface is added to the
specified VLAN.
g. (Optional) Run:
port discard tagged-packet
The interface is configured to discard incoming tagged packets.

l Configuring the default VLAN for a trunk interface
a. Run:
system-view

b. Run:
vlan vlan-id
VLAN is displayed.
c. Run:
quit

d. Run:

e. Run:
The Ethernet interface is configured as the trunk interface.

f. Run:
port trunk allow-pass vlan { { vlan-id1 [ to vlan-id2 ] } &<1-10> | all }
The interface is added to the specified VLAN.

g. (Optional) Run:
port trunk pvid vlan vlan-id
The default VLAN is configured for the trunk interface.

NOTE
When the VLAN allowed by an interface is the default VLAN of the interface, packets from the
VLAN are forwarded in untagged mode.
l Configuring the default VLAN for a hybrid interface
a. Run:
system-view

b. Run:
vlan vlan-id
VLAN is displayed.

c. Run:
quit

d. Run:

e. Run:
The Ethernet interface is configured as the hybrid interface.

f. Run the following commands as required.
n Run:
port hybrid untagged vlan { { vlan-id1 [ to vlan-id2 ] } &<1-10> |
all }
The hybrid interface is added to the VLAN in untagged mode.

n Run:
port hybrid tagged vlan { { vlan-id1 [ to vlan-id2 ] } &<1-10> |
all }
The hybrid interface is added to the VLAN in tagged mode.

g. (Optional) Run:
port hybrid pvid vlan vlan-id
The default VLAN is configured for the hybrid interface.

----End
Configuration Tips
Creating VLANs in a batch
To create multiple VLANs in a batch, run the vlan batch command in the system view.
For example:
l Create 10 contiguous VLANs: VLAN 11 to VLAN 20.
[HUAWEI] vlan batch 11 to 20
l Create 10 incontiguous VLANs in a batch: VLAN 10, VLANs 15 to 19, VLAN 25,
VLANs 28 to VLAN 30.
[HUAWEI] vlan batch 10 15 to 19 25 28 to 30
NOTE
You can create a maximum of 10 incontiguous VLANs or VLAN range at one time. If there are
more than 10 VLANs, run this command multiple times. For example, the vlan batch 10 15 to 19
25 28 to 30 command creates four incontiguous VLAN ranges.
Configuring a name for a VLAN

When multiple VLANs are created on the device, you are advised to configure names for the
VLANs to facilitate management. After a name is configured for a VLAN, you can directly
enter the VLAN view using the name.
# Set the name of VLAN 10 to huawei.
[HUAWEI] vlan 10

[HUAWEI-vlan10] name huawei

[HUAWEI-vlan10] quit
# After a name is configured for a VLAN, you can directly enter the VLAN view using the
name.
[HUAWEI] vlan vlan-name huawei
[HUAWEI-vlan10] quit
Adding interfaces to a VLAN in a batch
To perform the same VLAN configuration for multiple Ethernet interfaces, use the port group,
which can reduce the workload. To add access interfaces to a VLAN in a batch, you can also
run the port interface-type { interface-number1 [ to interface-number2 ] }&<1-10> command
in the VLAN view. For details, see 4.11.2 How Do I Add Interfaces to a VLAN in a
Batch?.
Restoring the default VLAN configuration of an interface
If the VLAN planning of an interface is changed, you need to delete the original VLAN
configuration of the interface. If many incontiguous VLANs are configured on the interface,
you need to delete the original VLAN configuration multiple times. To reduce deletion
operations, restore the default VLAN configuration of the interface. For details, see 4.11.3
How Do I Restore the Default VLAN Configuration of an Interface?.
Changing the interface type
When the interface planning changes or the current interface type is different from the
configured one, the interface type needs to be changed. For details, see 4.11.4 How Do I
Change the Link Type of an Interface?.
Deleting a VLAN
If a VLAN is not in use, you are advised to delete it immediately to save VLAN resources and
reduce packets on a network. For details, see 4.11.6 How Do I Delete a Single VLAN or
VLANs in a Batch?.
4.7.1.2 Configuring Interface-based VLAN Assignment (LNP Dynamically

Negotiates the Link Type)
Context
The switch supports the following link types on an Ethernet interface: access, hybrid, trunk,
and Dot1q tunnel. The four link types are applicable to different network positions and are
manually specified. If the network topology changes, link types of Ethernet interfaces also
need to be reconfigured and the configuration is complex. To simplify the configuration, LNP
supports auto-negotiation of the link types on Ethernet interfaces and allows Ethernet
interfaces to join VLANs after the auto-negotiation.
When Link-type Negotiation Protocol (LNP) is deployed, the VLAN Central Management
Protocol (VCMP) needs to be deployed so that VLANs can be created and deleted in a
centralized manner and user configurations are simplified. For details about VCMP, see 13
VCMP Configuration.
Procedure
Step 1 Run:
system-view

Step 2 Run:
undo lnp disable
Global LNP is enabled.
By default, global LNP is enabled. That is, LNP is enabled on all interfaces.
Step 3 Run:
The view of the Ethernet interface that needs to be enabled with LNP is displayed.
Step 4 Run:
undo port negotiation disable
LNP is enabled on the Layer 2 Ethernet interface.
By default, LNP is enabled on all interfaces of the device.
NOTE
When performing this step, ensure that the interface is a Layer 2 interface. If the interface is not a Layer
2 interface, run the portswitch command to configure the interface as a Layer 2 interface.
When an LNP-capable device is used with an LNP-incapable device, the LNP-capable device
continuously sends LNP packets, which wastes bandwidth. You can run the port negotiation disable
command in the Layer 2 Ethernet interface view to disable LNP.
To ensure successful negotiation, ensure that LNP is enabled globally and in the interface view.
Step 5 Run:
port link-type { negotiation-desirable | negotiation-auto }
An LNP mode is configured.
By default, the LNP negotiation mode of a Layer 2 Ethernet interface is negotiation-

desirable.
There are limitations on the interface where the LNP mode is set to negotiation-desirable or
negotiation-auto:
l The sub-interface cannot be created.
l The MUX VLAN cannot be enabled.
l The interface cannot be used as the source or destination interface in VLAN Switch.
l The voice VLAN in auto mode cannot be configured on the interface.
Step 6 Configure the VLAN allowed by an interface.

l When a trunk interface is negotiated, perform the following operations.
a. Run:
port trunk allow-pass only-vlan { { vlan-id1 [ to vlan-id2 ] } &<1-10> |
none }
The VLAN allowed by the trunk interface is configured.

By default, a trunk interface allows all VLANs.
b. (Optional) Run:
port trunk pvid vlan vlan-id
The default VLAN of the interface is configured.

When the interface that connects to an AP or voice terminal receives untagged and
tagged frames, configure the default VLAN for the interface so that interface adds
the VLAN tag to untagged frames.
By default, the default VLAN of a trunk interface is VLAN 1.
l When an access interface is negotiated, perform the following operation.
Run:
The default VLAN is configured for the access interface and the access interface is
added to a specified VLAN.
By default, the default VLAN of an access interface and the VLAN that an access
interface joins are both VLAN 1.
----End
4.7.1.3 Configuring MAC Address-based VLAN Assignment
Context
In MAC address-based VLAN assignment mode, when physical locations of users change,
you do not need to reconfigure VLANs for the users. This improves security and access
flexibility on a network.
The switch that has MAC address-based VLAN assignment enabled processes only untagged
frames, and treats tagged frames in the same manner as interface-based VLAN assignment.
When receiving an untagged frame, an interface matches the source MAC address of the
frame against the MAC-VLAN table.
l If an entry is matched, the interface forwards the frame based on the VLAN ID and
priority in the entry.
l If no entry is found, the interface matches the frame against other matching rules.
The switch supports 1024 MAC-VLAN entries. The total number of MAC-VLAN entries is
the number of configured MAC-VLAN entries multiplied by the number of interfaces where
MAC-VLAN entries are delivered.
The switch supports a maximum of 1024 MAC-VLAN entries and a maximum of 100 MAC-
VLAN entries with the mask. The total number of MAC-VLAN entries is the number of
configured MAC-VLAN entries multiplied by the number of interfaces where MAC-VLAN
entries are delivered.
Procedure
Step 1 Run:
system-view
Step 2 Run:
vlan vlan-id
A VLAN is created, and the VLAN view is displayed. If the specified VLAN has been
created, the VLAN view is directly displayed.

The VLAN ID ranges from 1 to 4094. If VLANs need to be created in a batch, run the vlan
batch { vlan-id1 [ to vlan-id2 ] } &<1-10> command to create VLANs in a batch, and then
run the vlan vlan-id command to enter the view of a specified VLAN.
NOTE
If a device is configured with multiple VLANs, configuring names for these VLANs is recommended:
Run the name vlan-name command in the VLAN view. After a VLAN name is configured, you can run
the vlan vlan-name vlan-name command in the system view to enter the corresponding VLAN view.
The vlan configuration command completes the VLAN configuration when the VLAN is not created.
Step 3 Run:
mac-vlan mac-address mac-address [ mac-address-mask | mac-address-mask-length ]
[ priority priority ]
A MAC address is associated with a VLAN.
NOTE
When the mac-vlan mac-address command with the same MAC address specified is executed multiple
times, MAC-VLAN entries take effect according to the longest match principle on X1E series cards, and
the MAC-VLAN entry with the 48-bit mask has the highest priority. On other cards, MAC-VLAN
entries take effect according to the longest match principle only when the mask has 47 bits or less than
47 bits, and the MAC-VLAN entry with the 48-bit mask has the lowest priority.
l The MAC address is in H-H-H format. An H is a hexadecimal number of 1 to 4 digits,
such as 00e0 and fc01. If you enter less than four digits, 0s are padded before the input
digits. For example, if e0 is entered, 00e0 is displayed. The MAC address cannot be all
Fs, all 0s, or a multicast MAC address.
l If a MAC-VLAN entry with the mask specified (excluding the 48-bit mask or mask with
all Fs), run the undo mac-vlan mac-address command to delete the MAC-VLAN entry
and then run the mac-vlan mac-address command to change the priority.
l priority specifies the 802.1p priority of a MAC address-based VLAN. The value ranges
from 0 to 7. A larger value indicates a higher priority. The default value is 0. After the
802.1p priority of a MAC address-based VLAN is specified, the switch first forwards
high-priority frames in the case of congestion.
Step 4 Run:
quit

Step 5 Configure attributes for the Ethernet interface.
1. Run:
The view of the interface that allows the MAC address-based VLAN is displayed.
2. Run:
The interface is configured as the hybrid interface.

On access and trunk interfaces, MAC address-based VLAN assignment can be used only
when the MAC address-based VLAN is the same as the PVID. It is recommended that
MAC address-based VLAN assignment be configured on hybrid interfaces.
3. Run:
port hybrid untagged vlan { { vlan-id1 [ to vlan-id2 ] } &<1-10> | all }
The hybrid interface is configured to allow the MAC address-based VLAN.


vlan precedence mac-vlan
The device is configured to preferentially use MAC address-based VLAN assignment.
By default, the device preferentially uses MAC address-based VLAN assignment.

NOTE
The vlan precedence command is not supported on the X1E-series cards.
Step 7 Run:
mac-vlan enable
MAC address-based VLAN assignment is enabled.
By default, MAC address-based VLAN assignment is disabled.
NOTE
MAC address-based VLAN assignment cannot be used with the MUX VLAN and MAC address
authentication on the same interface.
MAC address-based VLAN assignment is invalid for packets with the VLAN ID of 0 only when the
mask of the MAC VLAN is specified. On the X1E-series cards, MAC address-based VLAN assignment
is invalid for packets with the VLAN ID of 0 regardless of whether the mask of the MAC VLAN is
specified.
----End
4.7.1.4 Configuring IP Subnet-based VLAN Assignment
Context
Both IP subnet-based and protocol-based VLAN assignment are called network layer-based
VLAN assignment, which reduces manual VLAN configuration workload and allows users to
easily join a VLAN, transfer from one VLAN to another, and exit from a VLAN. IP subnet-
based VLAN assignment applies to scenarios where there are high requirements for mobility
and simplified management and low requirements for security, for example, scenario where a
PC configured with multiple IP addresses need to access servers on different network
segments and scenario where the switch adds PCs to other VLANs when the PCs' IP
addresses change.
The switch that has IP subnet-based VLAN assignment enabled processes only untagged
frames, and treats tagged frames in the same manner as interface-based VLAN assignment.
After receiving untagged frames from an interface, the switch determines the VLANs to
which the frames belong according to source IP addresses or network segments and transmits
the frames in specified VLANs.
Procedure
Step 1 Run:
system-view
Step 2 Run:
vlan vlan-id

NOTE
Step 3 Run:
ip-subnet-vlan [ ip-subnet-index ] ip ip-address { mask | mask-length }
An IP subnet is associated with a VLAN.
l ip-subnet-index specifies the index of an IP subnet. The index of an IP subnet can be

configured manually or automatically generated by the system according to the sequence
in which IP subnets were associated with a VLAN.
l ip-address specifies the source IP address or network segment associated with a VLAN.
The value is in dotted decimal notation.
l priority specifies the 802.1p priority of a VLAN associated with an IP address or a
network segment. The value ranges from 0 to 7. A larger value indicates a higher
priority. The default value is 0. After the 802.1p priority of a VLAN associated with an
IP address or a network segment is specified, the switch first forwards high-priority
frames in the case of congestion.
l The switch supports a maximum of 256 network segments and each VLAN supports a
maximum of 12 network segments.
Step 4 Run:
quit

1. Run:

2. Run:

On access and trunk interfaces, IP subnet-based VLAN assignment can be used only
when the IP subnet-based VLAN is the same as the PVID. It is recommended that IP
subnet-based VLAN assignment be configured on hybrid interfaces.
3. port hybrid untagged vlan { { vlan-id1 [ to vlan-id2 ] } &<1-10> | all }
The hybrid interface is configured to allow the IP subnet-based VLAN.

vlan precedence ip-subnet-vlan

The device is configured to preferentially use IP subnet-based VLAN assignment.
By default, the device preferentially uses MAC address-based VLAN assignment.
NOTE
The vlan precedence command is not supported on the X1E-series cards.
Step 7 Run:
ip-subnet-vlan enable
IP subnet-based VLAN assignment is enabled.
By default, IP subnet-based VLAN assignment is disabled.
NOTE
IP subnet-based VLAN assignment is invalid for packets with the VLAN ID of 0 on the X1E card.
----End
4.7.1.5 Configuring Protocol-based VLAN Assignment
Context
Both IP subnet-based and protocol-based VLAN assignment are called network layer-based
VLAN assignment, which reduces manual VLAN configuration workload and allows users to
easily join a VLAN, transfer from one VLAN to another, and exit from a VLAN. The switch
that has protocol-based VLAN assignment enabled processes only untagged frames, and treats
tagged frames in the same manner as interface-based VLAN assignment.
When receiving an untagged frame from an interface, the switch identifies the protocol profile
of the frame and then determines the VLAN that the frame belongs to.
l If protocol-based VLANs are configured on the interface and the protocol profile of the
frame matches a protocol-based VLAN, the switch adds the VLAN tag to the frame.
l If protocol-based VLANs are configured on the interface and the protocol profile of the
frame matches no protocol-based VLAN, the switch adds the PVID of the interface to
the frame.
Procedure
Step 1 Run:
system-view
Step 2 Run:
vlan vlan-id

NOTE
Step 3 Run:
protocol-vlan [ protocol-index ] { at | ipv4 | ipv6 | ipx { ethernetii | llc |
raw | snap } | mode { ethernetii-etype etype-id1 | llc dsap dsap-id ssap ssap-id
| snap-etype etype-id2 } }
Protocols are associated with VLANs and a protocol profile is specified.
l protocol-index specifies the index of a protocol profile.

A protocol profile depends on protocol types and encapsulation formats, and a VLAN
associated with a protocol can be defined in a protocol profile.
l When specifying the source and destination service access points, pay attention to the
following points:
– dsap-id and ssap-id cannot be both set to 0xaa.
– dsap-id and ssap-id cannot be both set to 0xe0. 0xe0 indicates llc, encapsulation
format of IPX packets.
– dsap-id and ssap-id cannot be both set to 0xff. 0xff indicates raw, encapsulation
format of IPX packets.

1. Run:
The view of the interface that allows the protocol-based VLAN is displayed.
2. Run:

On access and trunk interfaces, protocol-based VLAN assignment can be used only
when the protocol-based VLAN is the same as the PVID. It is recommended that
protocol-based VLAN assignment be configured on hybrid interfaces.
3. Run:
The hybrid interface is configured to allow the protocol-based VLAN.

4. Run:
protocol-vlan vlan vlan-id { all | protocol-index1 [ to protocol-index2 ] }
The interface is associated with a protocol-based VLAN.

– vlan-id must be the ID of a protocol-based VLAN.
– priority specifies the 802.1p priority of a protocol-based VLAN. The value ranges
from 0 to 7. A larger value indicates a higher priority. The default value is 0. After
the 802.1p priority of a protocol-based VLAN is specified, the switch first forwards
high-priority frames in the case of congestion.

NOTE
Protocol-based VLAN assignment is invalid for packets with the VLAN ID of 0 on the X1E card.
----End
4.7.1.6 Configuring Policy-based VLAN Assignment
Context
Policy-based VLAN assignment implements plug-and-play of user terminals and provides
secure data isolation for terminal users.
The switch provides policy-based VLAN assignment based on MAC and IP addresses or
based on MAC and IP addresses and interfaces.
To configure policy-based VLAN assignment, configure MAC and IP addresses or interfaces

of terminals on the switch and associate MAC and IP addresses or interfaces with VLANs.
Only terminals matching a policy can be added to a specific VLAN. If the IP or MAC
addresses of terminals added to a VLAN are changed, they will exit from the VLAN.
The switch that has policy-based VLAN assignment enabled processes only untagged frames,
and treat tagged frames in the same manner as VLANs configured based on ports.
When receiving an untagged frame, the switch determines the VLAN according to the policy
matching both MAC and IP addresses of the frame, and transmits the frame in the VLAN.
Procedure
Step 1 Run:
system-view
Step 2 Run:
vlan vlan-id
NOTE
Step 3 Run:
policy-vlan mac-address mac-address ip ip-address [ interface interface-type
interface-number ] [ priority priority ]
Policy-based VLAN assignment is configured.

If interface interface-type interface-number is not specified, MAC-IP binding policies are

applied to all interfaces in a specified VLAN. Otherwise, MAC-IP binding policies are only
applied to a specified interface in a specified VLAN.
The device supports a maximum of 512 policies.
Step 4 Run:
quit

1. Run:
The view of the interface that allows the policy-based VLAN is displayed.
2. Run:

On access and trunk interfaces, policy-based VLAN assignment can be used only when
the policy-based VLAN is the same as the PVID. It is recommended that policy-based
VLAN assignment be configured on hybrid interfaces.
3. Run:
The hybrid interface is configured to allow the policy-based VLAN.
NOTE
Policy-based VLAN assignment is invalid for packets with the VLAN ID of 0.
----End
Procedure
l Run the display vlan command to check information about all VLANs or a specified
VLAN.
l Run the display lnp interface interface-type interface-number command to check the
auto-negotiation status of a specified Layer 2 interface, including the link type
negotiation result and auto-negotiation mode of the interface.
l Run the display lnp summary command to check the summary of auto-negotiation
information on all interfaces of the Layer 2 device, including the LNP-enabled Layer 2
Ethernet interface, link type negotiation mode and result of the interface, and link type
auto-negotiation mode of the interface.
l Run the display mac-vlan command to check the configuration of MAC address-based
VLAN assignment.
l Run the display ip-subnet-vlan vlan { all | vlan-id1 [ to vlan-id2 ] } command to check
the IP subnets associated with VLANs.
l Run the display protocol-vlan vlan { all | vlan-id1 [ to vlan-id2 ] } command to check
the protocols and indexes of the protocols associated with VLANs.

l Run the display protocol-vlan interface { all | interface-type interface-number }

command to check the configuration of association between interfaces and protocol-
based VLANs.
l Run the display policy-vlan { vlan vlan-id1 | all } command to check information about
policy-based VLANs.
----End
4.7.2 Configuring Inter-VLAN Communication

After VLANs are assigned, users in the same VLAN can communication with each other
while users in different VLANs cannot. If some users in different VLANs need to
communicate, configure inter-VLAN communication.
Context
A VLANIF interface is a Layer 3 logical interface and can implement inter-VLAN Layer 3
connectivity. It is simple to configure a VLANIF interface, so the VLANIF interface is the
most commonly used technology. Each VLAN corresponds to a VLANIF interface. After an
IP address is configured for a VLANIF interface, the VLANIF interface is used as the
gateway of the VLAN and forwards packets across network segments at Layer 3 based on IP
addresses.
Generally, a VLANIF interface requires only IP address. In some scenarios, you need to
configure multiple IP addresses for the VLANIF interface. For example, a switch connects to
a physical network through an interface, and hosts on this network belong to multiple network
segments (multiple PCs connect to the network through hubs or simplified Layer 2 switches,
or one PC uses dual network adapters to connect to the network). To enable the switch to
communicate with all hosts on the physical network, configure a primary IP address and
multiple secondary IP address for this interface.
If a VLAN goes Down because all interfaces in the VLAN go Down, the system immediately
reports the VLAN Down event to the corresponding VLANIF interface, instructing the
VLANIF interface to go Down. To avoid network flapping caused by the change of the
VLANIF interface status, enable VLAN damping on the VLANIF interface. After the last
interface in Up state in a VLAN goes Down, the device enabled with VLAN damping starts a
delay timer and informs the corresponding VLANIF interface of the VLAN Down event after
the timer expires. If an interface in the VLAN goes Up during the delay, the VLANIF
interface remains Up.
The Maximum Transmission Unit (MTU) determines the maximum number of bytes each
time a sender can send. If the size of packets exceeds the MTU supported by a receiver or a
transit node, the receiver or transit node fragments the packets or even discards them,
aggravating the network transmission load. To avoid this problem, set the MTU of the
VLANIF interface.
After configuring bandwidth for a VLANIF interface, you can use the NMS to query the
bandwidth. This facilitates traffic monitoring.

NOTE
As shown in 4.2.5 Inter-VLAN Communication, in addition to using a VLANIF interface to inter-

VLAN communication, you can also use the VLAN aggregation, Dot1q termination sub-interface, and
VLAN Switch switch-vlan. This section uses the VLANIF interface to implement inter-VLAN
communication.
l For details about the Dot1q termination sub-interface, see 8.6.1 Configuring a Dot1q
Termination Sub-interface to Implement Inter-VLAN Communication.
l For details about VLAN aggregation, see 5 VLAN Aggregation Configuration.
l For details about VLAN Switch switch-vlan, see 6.5.1 Configuring Switch-vlan.
After a VLANIF interface is configured, the corresponding VLAN cannot be configured in a sub-
interface view.
Before configuring inter-VLAN communication, complete the following tasks:
l Perform the task of 4.7.1 Assigning VLANs.

l Configure the default gateway address of hosts as the IP address of the VLANIF
interface.
Procedure
Step 1 Run:
system-view
Step 2 Run:
interface vlanif vlan-id
The VLANIF interface view is displayed.
A VLANIF interface goes Up only when at least one physical interface in the corresponding
VLAN is in Up state.
Step 3 Run:
An IP address is configured for the VLANIF interface to implement Layer 3 connectivity.
If IP addresses assigned to VLANIF interfaces belong to different network segments, you

need to configure a routing protocol on the device to provide reachable routes.
Each VLANIF interface can be configured with one primary IP address and multiple
secondary IP addresses. A maximum of 255 secondary IP addresses can be configured.
NOTE
An IP address of a VLANIF interface can be statically configured or dynamically obtained using DHCP.
For details about DHCP, see DHCP Configuration in S7700&S9700 Series Switches Configuration
Guide - IP Services.

damping time delay-time
The delay of VLAN damping is set.

The value ranges from 0 to 20, in seconds. By default, the delay is 0 seconds, indicating that
VLAN damping is disabled.

mtu mtu
The MTU of the VLANIF interface is set.
By default, the value is 1500 bytes.
NOTE
l After using the mtu command to change the MTU of an interface, restart the interface to make the
new MTU take effect. To restart the interface, run the shutdown command and then the undo
shutdown command, or run the restart command in the interface view.
l The MTU plus the Layer 2 frame header of a VLANIF interface must be smaller than the maximum
frame length of the remote interface by the jumboframe command; otherwise, some frames may be
discarded.
l If the MTU is too small whereas the packet size is large, the packet may be split into many
fragments. Consequently, the device may discard the packet due to the insufficient QoS queue
length. To prevent this problem, run the qos queue length command to increase the QoS queue
length.

bandwidth bandwidth
The bandwidth of the VLANIF interface is set.
----End

l Run the display interface vlanif [ vlan-id | main ] command to check the status,
configuration, and traffic statistics of the VLANIF interface.
NOTE
Only the VLANIF interface in Up state can forward packets at Layer 3. When the VLANIF
interface goes Down, rectify the fault according to 4.10.2 A VLANIF Interface Goes Down.
4.7.3 Configuring a Traffic Policy to Implement Intra-VLAN

Layer 2 Isolation
After VLANs are assigned, users in the same VLAN can communication with each other. If
users in a VLAN need to be isolated unidirectionally or bidirectionally, configure a traffic
policy.
Context
A traffic policy is configured by binding traffic classifiers to traffic behaviors. The
switchdevice classifies packets according to packet information, and associates a traffic
classifier with a traffic behavior to reject the packets matching the traffic classifier,
implementing intra-VLAN isolation.
The switch provides intra-VLAN Layer 2 isolation based on MQC and based on the
simplified ACL-based traffic policy.

Before configuring a traffic policy to implement intra-VLAN Layer 2 isolation, perform the
task of 4.7.1 Assigning VLANs.
Procedure
l Configure MQC to implement intra-VLAN Layer 2 isolation.
Perform the following MQC configurations to implement intra-VLAN Layer 2 isolation:

– Specify permit or deny in the traffic behavior.
– Apply the traffic policy to a VLAN or an interface that allows the VLAN.
For details about how to configure MQC, see Configuring Packet Filtering in
S7700&S9700 Series Switches Configuration Guide - QoS.
l Configure a simplified ACL-based traffic policy to implement intra-VLAN Layer 2
isolation.
For details about how to configure a simplified ACL-based traffic policy, see
Configuring ACL-based Packet Filtering in S7700&S9700 Series Switches
Configuration Guide - QoS.
----End
4.7.4 Configuring a Traffic Policy to Implement Inter-VLAN

Layer 3 Isolation
After inter-VLAN Layer 3 connectivity is configured, if some users in different VLANs
require unidirectional access or need to be isolated, configure inter-VLAN Layer 3 isolation.
Context
Inter-VLAN Layer 3 isolation is implemented using a traffic policy. A traffic policy is
configured by binding traffic classifiers to traffic behaviors. The switch classifies packets
according to IP addresses or other information in packets, and associates a traffic classifier
with a traffic behavior to reject the packets matching the traffic classifier, implementing inter-
VLAN Layer 3 isolation.
The switch provides inter-VLAN Layer 3 isolation based on MQC and based on the
simplified ACL-based traffic policy. You can select one of them according to your needs.
Before configuring a traffic policy to implement inter-VLAN Layer 3 isolation, perform the
task of 4.7.2 Configuring Inter-VLAN Communication.
Procedure
l Configure MQC to implement inter-VLAN Layer 3 isolation.
Perform the following MQC configurations to implement inter-VLAN Layer 3 isolation:

– Specify permit or deny in the traffic behavior.
– Apply the traffic policy to a VLAN or an interface that allows the VLAN.

For details about how to configure MQC, see Configuring Packet Filtering in
S7700&S9700 Series Switches Configuration Guide - QoS.
l Configure a simplified ACL-based traffic policy to implement inter-VLAN Layer 3
isolation.
For details about how to configure a simplified ACL-based traffic policy, see
Configuring ACL-based Packet Filtering in S7700&S9700 Series Switches
Configuration Guide - QoS.
----End
4.7.5 Configuring an mVLAN

Management VLAN (mVLAN) allows you to use the VLANIF interface of the mVLAN to
log in to the management switch to manage devices in a centralized manner.
Context
To use a remote network management system (NMS) to manage devices in a centralized
manner, configure a management IP address on the switch. You can then log in to the switch
in Telnet mode and manage the switch by using the management IP address. The management
IP address can be configured on a management interface or VLANIF interface. If a user-side
interface is added to the VLAN, users connected to the interface can also log in to the switch.
This brings security risks to the switch.
After a VLAN is configured as an mVLAN, no access interface or Dot1q tunnel interface can
be added to the VLAN. Access and Dot1q tunnel interfaces are often connected to users.
When these interfaces are prevented from joining the mVLAN, users connected to the
interfaces cannot log in to the device, improving device security.
Generally, a VLANIF interface needs to be configured with only one management IP

addresses. In specified scenarios, for example, users in the same mVLAN belong to multiple
different network segments, you need to configure a primary management IP address and
multiple secondary management IP addresses.
You can only log in to the local device using the management interface, whereas you can log
in to both local and remote devices using a VLANIF interface of an mVLAN. When logging
in to the remote device using the VLANIF interface of an mVLAN, you need to configure
VLANIF interfaces on both local and remote devices and assign IP addresses on the same
network segment to them.
Before configuring an mVLAN, perform the task of 4.7.1 Assigning VLANs.
NOTE
Only trunk and hybrid interfaces can join the mVLAN.
Procedure
Step 1 Run:
system-view

Step 2 Run:
vlan vlan-id

Step 3 Run:
management-vlan
The VLAN is configured as the mVLAN.

VLAN 1 cannot be configured as the mVLAN.
Step 4 Run:
quit
Exit from the VLAN view.

Step 5 Run:
A VLANIF interface is created and its view is displayed.

Step 6 Run:
An IP address is assigned to the VLANIF interface.
----End
Follow-up Procedure
Log in to the switch to implement centralized management through the NMS. Select either of
the following login modes according to your needs:
l To manage local devices, log in to the local switch using Telnet, STelnet, HTTPS. For
details, see Configuring Telnet Login, Configuring STelnet Login, or Web System Login
Configuration in S7700&S9700 Series Switches Configuration Guide – Basic
Configurations.
l To manage remote devices, log in to the local device using Telnet or STelnet and log in
to remote devices using Telnet or STelnet from the local device.see (Optional) Using
Telnet to Log In to Another Device From the Local Device, or (Optional) Using STelnet
to Log In to Another Device From the Local Device in S7700&S9700 Series Switches
Configuration Guide – Basic Configurations.
The login IP address is the IP address of the VLANIF interface of an mVLAN.

l Run the display vlan command to check the mVLAN configuration. In the command
output, the VLAN marked with a * is the mVLAN.
4.7.6 Configuring Transparent Transmission of Protocol Packets

in a VLAN
This function allows the switch to transparently transmit protocol packets in a specified
VLAN, without sending the protocol packets to the CPU. The forwarding efficiency is
therefore improved.

Context
When the device used as the gateway or Layer 2 switches is enabled with snooping functions
such as DHCP/IGMP/MLD snooping, the device needs to parse and process protocol packets
such as ARP, DHCP, and IGMP packets. That is, protocol packets received by an interface are
sent to the CPU for processing. The interface sends protocol packets without differentiating
VLANs. If the preceding functions are deployed, protocol packets from all VLANs are sent to
the CPU for processing.
If the device is a gateway of some VLANs or snooping functions is deployed in some

VLANs, the device does not need to process protocol packets in other VLANs. After the
protocol packets in other VLANs are sent to the CPU, the CPU needs to forwards them to
other devices. This mechanism is called software forwarding. Software forwarding affects the
forwarding speed and efficiency of protocol packets because protocol packets need to be
processed.
To address this issue, deploy transparent transmission of protocol packets in VLANs where
protocol packets do not need to be processed. This function enables the device to
transparently transmit the protocol packets in the VLANs to other devices, which improves
the forwarding speed and efficiency.
The switch can transparently transmit the following protocol packets: CFM/ARP/BFD/
DHCP/DHCPV6/HTTP/IGMP/MLD/ND/PIM/PIMv6/PPPoE/TACACS.
Procedure
Step 1 Run:
system-view
Step 2 Run:
vlan vlan-id
NOTE
Step 3 Run:
protocol-transparent
Transparent transmission of protocol packets in a VLAN is configured.
By default, transparent transmission of protocol packets in a VLAN is disabled.

NOTE
After transparent transmission of protocol packets is configured in a VLAN, the VLAN cannot be
configured as the multicast VLAN or control VLAN.
Before running this command, ensure that IGMP or MLD snooping has been disabled in the VLAN.
Otherwise, the configuration may fail.
----End

Run the display this command in the VLAN view to check the configuration of transparent
transmission of protocol packets in a VLAN.
4.8 Maintaining VLAN
4.8.1 Collecting VLAN Traffic Statistics
Context
You can enable traffic statistics collection in a VLAN and view traffic statistics about the
VLAN to monitor VLAN traffic.
Procedure
l Check VLAN traffic statistics.
a. (Optional) Run the vlan statistics interval command in the system view to set the
interval for VLAN traffic statistics collection.
b. Run the statistic enable command in the VLAN view to enable VLAN traffic
statistics collection.
c. Run the display vlan vlan-id statistics [ slot slot-id ] command in any view to
check traffic statistics about a specified VLAN.
l Check traffic statistics about a VLANIF interface.
a. Run the display interface vlanif [ vlan-id ] command in any view to check traffic
statistics about a VLANIF interface.
----End
4.8.2 Clearing VLAN Traffic Statistics
Context
Before collecting traffic statistics in a given period of time on an interface, clear existing
statistics on the interface.

NOTICE
The cleared VLAN traffic statistics cannot be restored. Exercise caution when you use the
reset vlan command.
To clear VLAN traffic statistics, run the reset vlan statistics command in the user view.
Procedure
l Run the reset vlan vlan-id statistics [ slot slot-id ] command to clear traffic statistics
about a specified VLAN.
----End
4.8.3 Clearing LNP Packet Statistics

Before recollecting statistics on LNP packets in a given period of time, clear existing
statistics.
Context
NOTICE
The cleared LNP packet statistics cannot be restored. Exercise caution when you run the reset
lnp statistics command.
Procedure
l Run the reset lnp statistics [ interface interface-type interface-number ] command in
the user view to clear LNP packet statistics.
----End
4.8.4 Enabling GMAC Ping to Detect Layer 2 Network

Connectivity
Context
Similar to IP ping, GMAC ping detects whether a fault occurs on an Ethernet link or monitors
the link quality. GMAC ping efficiently detects and locates Ethernet faults.
GMAC ping is applicable to networks where no MD, MA, or MEP is configured.
Procedure
Step 1 Run:
system-view

Step 2 Run:
ping mac enable
GMAC ping is enabled globally.

By default, GMAC ping is disabled.
After GMAC ping is enabled on the device, the device can ping the remote device and
respond to received GMAC ping packets.
Step 3 Run:
ping mac mac-address vlan vlan-id [ interface interface-type interface-number | -
c count | -s packetsize | -t timeout | -p priority-value ] *
GMAC ping is performed to check connectivity of the link between the local and remote
devices.
A MEP is not required to initiate GMAC ping. The destination node can be not a MEP or
MIP. You can perform GMAC ping without configuring the MD, MA, or MEP on the source
device, intermediate device, and destination device.
The two devices must be configured with IEEE 802.1ag of the same version. If the local
device is configured with IEEE 802.1ag Draft 7 and the remote device is configured with
IEEE Standard 802.1ag-2007, the ping mac command does not take effect. That is, the local
device cannot ping the remote device.
----End
4.8.5 Enabling GMAC Trace to Locate Faults
Context
Similar to IP traceroute, GMAC ping detects whether a fault occurs on an Ethernet link or
monitors the link quality. GMAC trace efficiently detects and locates Ethernet faults.
GMAC trace is applicable to the network where no MD, MA, or MEP is configured.
Procedure
Step 1 Configure the devices on both ends of a link and the intermediate device.
Perform the following operations on the devices at both ends of the link to be tested and
intermediate device.
1. Run:
system-view

2. Run:
trace mac enable
GMAC trace is enabled globally.

By default, GMAC trace is enable.
After GMAC ping is enabled on the device, the device can ping the remote device and
respond to received GMAC ping packets.

Step 2 Perform GMAC trace.

Perform the following operations on the device at one end of the link to be tested.
1. Run:
system-view

2. Run:
trace mac mac-address vlan vlan-id [ interface interface-type interface-
number | -t timeout | -h ]*
The device is configured to locate connectivity faults between the local and remote
devices.
A MEP is not required to initiate GMAC trace. The destination node can be not a MEP
or MIP. The destination node can be not a MEP or MIP. That is, GMAC trace can be
implemented without configuring the MD, MA, or MEP on the source device,
intermediate device, and destination device. All the intermediate devices can respond
with an LTR.
The two devices must be configured with IEEE 802.1ag of the same version. If the local
device is configured with IEEE 802.1ag Draft 7 and the remote device is configured with
IEEE Standard 802.1ag-2007, the trace mac command does not take effect. That is, the
connectivity fault cannot be located.
----End
4.9.1 Example for Configuring Interface-based VLAN Assignment

(Statically Configured Link Type)
As shown in Figure 4-24, multiple user terminals are connected to switches in an enterprise.
Users who use the same service access the enterprise network using different devices.
To ensure the communication security and avoid broadcast storms, the enterprise wants to
allow users who use the same service to communicate with each other and isolate users who
use different services.
Configure interface-based VLAN assignments on the switch and add interfaces connected to
terminals of users who use the same service to the same VLAN. Users in different VLANs
communicate at Layer 2, and users in the same VLAN can communicate directly.

Figure 4-24 Networking of interface-based VLAN assignment
GE1/0/3 GE1/0/3
SwitchA SwitchB
GE1/0/1 GE1/0/2 GE1/0/1 GE1/0/2
User1 User3 User2 User4

VLAN2 VLAN3 VLAN2 VLAN3
1. Create VLANs and add interfaces connecting to user terminals to VLANs to isolate
Layer 2 traffic between users who use different services.
2. Configure the type of link between SwitchA and SwitchB and VLANs to allow users
who use the same service to communicate.
Procedure
Step 1 Create VLAN 2 and VLAN 3 on SwitchA, and add interfaces connected to user terminals to
different VLANs. The configuration of SwitchB is similar to that of SwitchA, and is not
mentioned here.
[SwitchA-GigabitEthernet1/0/1] port link-type access
[SwitchA-GigabitEthernet1/0/1] port default vlan 2
Step 2 Configure the type of the interface connected to SwitchB on SwitchA and VLANs. The
configuration of SwitchB is similar to that of SwitchA, and is not mentioned here.

[SwitchA-GigabitEthernet1/0/3] port trunk allow-pass vlan 2 3
Add User1 and User2 to the same IP address segment, for example, 192.168.100.0/24; add
User3 and User4 to the same IP address segment, for example, 192.168.200.0/24.
Only User1's and User2's terminals can ping each other, and only User3's and User4's
terminals can ping each other.
----End

Configuration Files
SwitchA configuration file
#
sysname SwitchA
#
vlan batch 2 to 3
#
port default vlan 2
#
port default vlan 3
#
#
return
SwitchB configuration file

#
sysname SwitchB
#
vlan batch 2 to 3
#
port default vlan 2
#
port default vlan 3
#
#
return
4.9.2 Example for Configuring Interface-based VLAN Assignment

(LNP Dynamically Negotiates the Link Type)
Switching devices and user terminals are deployed on the network shown in Figure 4-25. To
implement Layer 2 connectivity, configure the link type for each interface and add interfaces
to VLANs. If the network scale is large, the configuration is complex. To simplify
configurations, switches are connected through the trunk link, and switches and user terminals
are connected through access links and added to VLANs.

Figure 4-25 Networking of interface-based VLAN assignment (LNP dynamically negotiates

the link type)
Network
Switch3
GE1/0/1 GE1/0/2
Switch1 Switch2
GE1/0/2 GE1/0/2
……
GE1/0/1 GE1/0/3 GE1/0/1 GE1/0/3
……
1. Enable LNP in the system view and interface view to implement auto-negotiation.
Because PCs do not support LNP, so switch interfaces connected to terminals are used as
access interfaces and interfaces between switches are used as trunk interfaces through
negotiation.
2. Create VLANs and add interfaces to VLANs to implement Layer 2 connectivity.
Procedure
Step 1 Enable global LNP
By default, global LNP is enabled. If LNP is disabled, run the undo lnp disable command in
the system view to enable LNP.
Step 2 Create VLANs.
You can create VLANs on each switch, or create VLANs on Switch3 and use the VLAN
Central Management Protocol (VCMP) to synchronize created VLANs to other switches. The
following describes how to create VLANs. If VCMP is used, you need to configure Switch3

as the VCMP server and Switch1 and Switch2 as the VCMP clients. For details, see 13
VCMP Configuration.
# Create VLAN 10 and VLAN 20 on Switch3. The configurations of Switch1 and Switch2 are
similar to the configuration of Switch3, and are not mentioned here.
[Switch3] vlan batch 10 20
Step 3 Enable LNP on interfaces, and add switch interfaces connected to PCs to a VLAN as access
interfaces and interfaces between switches to VLANs as trunk interfaces
NOTE
l If the interface is not a Layer 2 interface, you need to run the portswitch command to set the
interface to work in Layer 2 mode.
l By default, LNP is enabled. If LNP is disabled, run the undo port negotiation disable command to
enable LNP on the interface.
# Configure Switch1. The configurations of Switch2 is similar to the configuration of

Switch1, and are not mentioned here.
[Switch1] interface GigabitEthernet 1/0/1
[Switch1-GigabitEthernet1/0/1] port default vlan 10
[Switch1-GigabitEthernet1/0/2] port trunk allow-pass only-vlan 10 20
NOTE
The port trunk allow-pass only-vlan 10 20 command configures the interface to allow only VLAN 10
and VLAN 20.

After the preceding configuration is complete, run the display lnp interface interface-type
interface-number command to view auto-negotiation on the specified Layer 2 interface.
[Switch1] display lnp interface gigabitethernet1/0/2
LNP information for GigabitEthernet1/0/2:
Port link type: trunk
Negotiation mode: desirable
Hello timer expiration(s): 7
Negotiation timer expiration(s): 0
Trunk timer expiration(s): 278
FSM state: trunk
Packets statistics
56 packets received
0 packets dropped
bad version: 0, bad TLV(s): 0, bad port link type: 0,
bad negotiation state: 0, other: 0
58 packets output
0 packets dropped
other: 0

Run the display lnp summary command to view auto-negotiation information on all
interfaces of the Layer 2 device.
[Switch1] display lnp summary
Global LNP : Negotiation enable
-------------------------------------------------------------------------------
C: Configured; N: Negotiated; *: Negotiation disable;
Port link-type(C) link-type(N) InDropped OutDropped FSM
-------------------------------------------------------------------------------
GE1/0/1 desirable access 0 0 access
GE1/0/2 desirable trunk 0 0 trunk
GE1/0/3 desirable access 0 0 access
----End
Configuration Files
#
sysname Switch1
#
vlan batch 10 20
#
port default vlan 10
#
port trunk allow-pass only-vlan 10 20
#
#
return

#
sysname Switch2
#
vlan batch 10 20
#
#
#
#
return

#
sysname Switch3
#
vlan batch 10 20
#
#
#
return

4.9.3 Example for Configuring MAC Address-based

Assignment(the Switch Connects to Downstream Terminals)
On a company intranet, the network administrator adds the PCs in a department to the same
VLAN. To improve information security, only employees in this department are allowed to
access the intranet.
As shown in Figure 4-26, only PC1, PC2, and PC3 are allowed to access the intranet through
the switch.
You can assign VLANs based on MAC addresses and associate MAC addresses of PCs with
the specified VLAN.
Figure 4-26 Networking of MAC address-based assignment
Enterprise
network
GE1/0/1
Switch
GE1/0/2 GE1/0/4
GE1/0/3
MAC:22-22-22 MAC:33-33-33 MAC:44-44-44

PC1 PC2 PC3
VLAN 10
1. Create VLANs and determine which VLAN the PCs of employees belong to.
2. Add Ethernet interfaces to VLANs so that packets of the VLANs can pass through the
interfaces.
3. Associate MAC addresses of PC1, PC2, and PC3 with the specified VLAN so that the
VLAN of the packets can be determined based on the source MAC address.

Procedure
Step 1 Configure the Switch.
# Create VLANs.
[Switch] vlan batch 10
# Add interfaces to the VLANs. The configuration of GE1/0/3 or GE1/0/4 is similar to that of
GE1/0/2, and is not mentioned here.
[Switch-GigabitEthernet1/0/1] port hybrid tagged vlan 10
# Associate MAC addresses of PC1, PC2, and PC3 with VLAN 10.
[Switch] vlan 10
[Switch-vlan10] mac-vlan mac-address 22-22-22
# Enable MAC address-based VLAN assignment on GE1/0/2. The configuration of GE1/0/3

or GE1/0/4 is similar to that of GE1/0/2, and is not mentioned here.
[Switch-GigabitEthernet1/0/2] mac-vlan enable

PC1, PC2, and PC3 can access the intranet, whereas other PCsusers cannot access the
intranet.
----End
Configuration Files
#
sysname Switch
#
vlan batch 10
#
vlan 10
mac-vlan mac-address 0022-0022-0022 priority 0
#
port hybrid tagged vlan 10
#
mac-vlan enable
#

mac-vlan enable
#
mac-vlan enable
#
return
4.9.4 Example for Configuring MAC Address-based VLAN

Assignment (the Switch Connects to Downstream Layer 2
Switching Devices)
On an enterprise network, the network administrator assigns different VLANs to different
departments. PCs of each department connect to the enterprise network through a Layer 2
switch. To improve information security, the enterprise allows only employees in the same
department to communicate with each other.
As shown in Figure 4-27, PC1 and PC2 belong to the same department, and access the
enterprise network and communicate with each other through VLAN 10. PC3 and PC4 belong
to the other department, and access the enterprise network and communicate with each other
through VLAN 20. Employees in the two departments are not allowed to communicate with
each other even if their PCs are moved to the same area.
Figure 4-27 Networking of MAC address-based VLAN assignment
Enterprise
network
GE1/0/2
Switch1
GE1/0/1
Layer 2
switch
VLAN 10 VLAN 20
PC1 PC2 PC3 PC4

MAC:11-11-11 MAC:22-22-22 MAC:33-33-33 MAC:44-44-44

1. Create VLANs and determine the VLANs to which the PCs belong.
2. Associate PCs' MAC addresses with VLANs so that VLANs are assigned based on
source MAC addresses in packets.
3. Add interfaces to VLANs to implement Layer 2 forwarding.
Procedure
Step 1 Configure Switch1.
# Create VLANs.
# Associate MAC addresses of PC1 and PC2 with VLAN 10 and MAC addresses of PC3 and
PC4 with VLAN 20.
[Switch1] vlan 10
[Switch1-vlan10] mac-vlan mac-address 11-11-11
[Switch1] vlan 20
# Enable MAC address-based VLAN assignment.

[Switch1-GigabitEthernet1/0/1] mac-vlan enable
# Configure GE1/0/1 connected to the Layer 2 switch as a hybrid interface and add it to the
VLANs associated with MAC addresses in untagged mode.
[Switch1-GigabitEthernet1/0/1] port link-type hybrid
[Switch1-GigabitEthernet1/0/1] port hybrid untagged vlan 10 20
# Configure GE1/0/2 connected to the enterprise network to transparently transmit packets

from the VLANs associated with MAC addresses.
[Switch1-GigabitEthernet1/0/2] port trunk allow-pass vlan 10 20

l PC1 and PC2 access the enterprise network through VLAN 10, and PC3 and PC4 access
the enterprise network through VLAN 20.
l PCs of visitors cannot access the enterprise network.
----End

Configuration Files
Switch1 configuration file
#
sysname Switch1
#
vlan batch 10 20
#
vlan 10
vlan 20
#
port hybrid untagged vlan 10 20
mac-vlan enable
#
#
return
4.9.5 Example for Configuring IP Subnet-based VLAN

Assignment
A company has multiple services, including IPTV, VoIP, and Internet access. Each service
uses a different IP subnet. To facilitate management, the company requires that packets of the
same service be transmitted in the same VLAN and packets of different services in different
VLANs.
As shown in Figure 4-28, the Switch receives packets of multiple services such as data, IPTV,
and voice services. User devices of these services use IP addresses on different IP subnets.
The Switch needs to assign VLANs to packets of different services so that the router can
transmit packets with different VLAN IDs to different servers.

Figure 4-28 Networking of IP subnet-based VLAN assignment

IPTV
server
Router
GE1/0/1
GE1/0/2
Switch
GE1/0/1
Simplified Layer 2
switch
User host Multimedia terminal Phone

192.168.1.2/24 192.168.2.2/24 192.168.3.2/24
1. Create VLANs and add interfaces to VLANs so that the interfaces allow the IP subnet-
based VLANs.
2. Enable IP subnet-based VLAN assignment and associate IP subnets with VLANs so that
the Switch determines VLANs according to IP addresses or network segments of
packets.
NOTE
You do not need to perform any configuration on a simplified Layer 2 switch. To enable the router to
transmit packets with different VLAN IDs to different servers, perform the following operations:
l Add the router interface connected to the Switch to all service VLANs in tagged mode.
l Add each interface of each service network to a service VLAN and configure a VLANIF interface.
For details, see the router configuration guide.
Procedure
# Create VLAN 100, VLAN 200, and VLAN 300 on the Switch.

[Switch] vlan batch 100 200 300
Step 2 Configure interfaces.
# On the Switch, configure GE1/0/1 as the hybrid interface, add GE1/0/1 to VLAN 100,
VLAN 200, and VLAN 300 in untagged mode, and enable IP subnet-based VLAN
assignment.
[Switch-GigabitEthernet1/0/1] port hybrid untagged vlan 100 200 300
[Switch-GigabitEthernet1/0/1] ip-subnet-vlan enable
# On the Switch, configure GE1/0/2 as the trunk interface, add GE1/0/2 to VLAN 100, VLAN
200, and VLAN 300 in tagged mode,
[Switch-GigabitEthernet1/0/2] port trunk allow-pass vlan 100 200 300
Step 3 Configure IP subnet-based VLAN assignment.
# On the Switch, associate IP subnet 192.168.1.2/24 with VLAN 100 and set the 802.1p
priority of VLAN 100 to 2.
[Switch] vlan 100
[Switch-vlan100] ip-subnet-vlan 1 ip 192.168.1.2 24 priority 2
[Switch] vlan 200
[Switch] vlan 300
Run the display ip-subnet-vlan vlan all command on the Switch. The following information
is displayed:
[Switch] display ip-subnet-vlan vlan all
----------------------------------------------------------------
Vlan Index IpAddress SubnetMask Priority
----------------------------------------------------------------
100 1 192.168.1.2 255.255.255.0 2
200 1 192.168.2.2 255.255.255.0 3
300 1 192.168.3.2 255.255.255.0 4
----------------------------------------------------------------
ip-subnet-vlan count: 3 total count: 3
----End

Configuration Files
l Switch configuration file
#
sysname Switch
#
vlan batch 100 200 300
#
vlan 100
ip-subnet-vlan 1 ip 192.168.1.2 255.255.255.0 priority 2
vlan 200
vlan 300
#
port hybrid untagged vlan 100 200 300
ip-subnet-vlan enable
#
port trunk allow-pass vlan 100 200 300
#
return
4.9.6 Example for Configuring Protocol-based VLAN Assignment

A company has multiple services, including IPTV, VoIP, and Internet access. Each service
uses a different protocol. To facilitate network management, each service is added to a
different VLAN.
As shown in Figure 4-29, Swithc1 receives packets of multiple services that use different
protocols. Users in VLAN 10 use IPv4 to communicate with remote users, and users in
VLAN 20 use IPv6 to communicate with the servers. Switch1 needs to assign VLANs to
packets of different services and transmit packets with different VLAN IDs to different
servers.

Figure 4-29 Networking diagram for protocol-based VLAN assignment
Voice
Network Internet
RouterA RouterB
GE1/0/2 GE1/0/3
Switch
GE1/0/1
GE1/0/1
Switch1
GE1/0/2 GE1/0/3
IPv4 IPv6
VLAN 10 VLAN 20
1. Create VLANs and determine which VLAN each service belongs to.
2. Associate protocols with VLANs so that the VLANs that received packets belong to can
be assigned based on protocols.
3. Add interfaces to VLANs so that packets of the protocol-based VLANs can pass through
the interfaces.
4. Associate interfaces with VLANs.
After the Switch receives a frame of a specified protocol, it assigns the VLAN ID
associated with the protocol to the frame.
Procedure
Step 2 Configure protocol-based VLAN assignment.
# Associate IPv4 with VLAN 10 on Switch1.

[Switch1] vlan 10
[Switch1-vlan10] protocol-vlan ipv4
# Associate IPv6 with VLAN 20 on Switch1.

[Switch1] vlan 20
[Switch1-vlan20] protocol-vlan ipv6
Step 3 Associate interfaces with protocol-based VLANs.
# Associate GE1/0/2 with VLAN 10 and set the 802.1p priority of VLAN 10 to 5 on Switch1.
[Switch1-GigabitEthernet1/0/2] protocol-vlan vlan 10 all priority 5
# Associate GE1/0/3 with VLAN 20 and set the 802.1p priority of VLAN 20 to 6 on Switch1.
[Switch1-GigabitEthernet1/0/3] protocol-vlan vlan 20 all priority 6
Step 4 Configure interfaces.
# Add GE1/0/1 to VLAN 10 and VLAN 20 in trunk mode on Switch1.

[Switch1-GigabitEthernet1/0/1] port trunk allow-pass vlan 10 20
# Add GE1/0/2 to VLAN 10 in untagged mode on Switch1.

[Switch1-GigabitEthernet1/0/2] port hybrid untagged vlan 10
# Add GE1/0/3 to VLAN 20 in untagged mode on Switch1.

# Add GE1/0/1 to VLAN 10 and VLAN 20 in trunk mode on the switch.

[Switch-GigabitEthernet1/0/1] port trunk allow-pass vlan 10 20
# Add GE1/0/2 to VLAN 10 in trunk mode on the switch.

# Add GE1/0/3 to VLAN 20 in trunk mode on the switch.

[Switch-GigabitEthernet1/0/3] return


After the configuration is complete, run the display protocol-vlan interface all command on
Switch1 to view the protocol-based VLAN assignment.
[Switch1] display protocol-vlan interface all
-------------------------------------------------------------------------------
Interface VLAN Index Protocol Type Priority
-------------------------------------------------------------------------------
GigabitEthernet1/0/2 10 0 IPv4 5
GigabitEthernet1/0/3 20 0 IPv6 6
----End
Configuration Files
#
sysname Switch1
#
vlan batch 10 20
#
vlan 10
protocol-vlan 0 ipv4
vlan 20
protocol-vlan 0 ipv6
#
#
protocol-vlan vlan 10 0 priority 5
#
protocol-vlan vlan 20 0 priority 6
#
return

#
sysname Switch
#
#
#
#
return

4.9.7 Example for Configuring VLANIF Interfaces to Implement

Inter-VLAN Communication
Different user hosts of a company transmit the same service, and are located on different
network segments. User hosts transmitting the same service belong to different VLANs and
need to communicate.
As shown in Figure 4-30, User1 and User2 use the same service but belong to different
VLANs and are located on different network segments. User1 and User2 need to
communicate.
Figure 4-30 Configuring VLANIF interfaces to implement inter-VLAN communication

Switch
GE1/0/1 GE1/0/2
VLANIF10 VLANIF20
10.10.10.2/24 10.10.20.2/24
VLAN 10 VLAN 20
User1 User2
10.10.10.3/24 10.10.20.3/24
1. Create VLANs and determine VLANs that users belong to.
2. Add interfaces to VLANs and configure the interfaces to allow the VLANs.
3. Create VLANIF interfaces and configure IP addresses for the VLANIF interfaces to
implement Layer 3 connectivity.
NOTE
To implement inter-VLAN communication, hosts in each VLAN must use the IP address of the
corresponding VLANIF interface as the gateway address.
Procedure
Step 1 Configure the switch.
# Create VLANs.
# Add interfaces to VLANs.



# Assign IP addresses to VLANIF interfaces.

[Switch] interface vlanif 10
[Switch-Vlanif10] ip address 10.10.10.2 24
[Switch-Vlanif10] quit

Configure the IP address of 10.10.10.3/24 and default gateway address as 10.10.10.2/24
(VLANIF 10's IP address) for User1 in VLAN 10.
Configure the IP address of 10.10.20.3/24 and default gateway address as 10.10.20.2/24
(VLANIF 20's IP address) for User2 in VLAN 20.
After the configuration is complete, User1 in VLAN 10 and User2 in VLAN 20 can
communicate.
----End
Configuration Files
#
sysname Switch
#
vlan batch 10 20
#
interface Vlanif10
ip address 10.10.10.2 255.255.255.0
#
interface Vlanif20
ip address 10.10.20.2 255.255.255.0
#
#
#
return

Intra-VLAN Communication
As shown in Figure 4-31, Switch_1 and Switch_2 are connected to Layer 2 networks that
VLAN 10 belongs to. Switch_1 communicates with Switch_2 through a Layer 3 network
where OSPF is enabled.
PCs of the two Layer 2 networks need to be isolated at Layer 2 and interwork at Layer 3.

Figure 4-31 Configuring VLANIF interfaces to implement intra-VLAN communication
Switch_1 Switch_2
GE1/0/2 GE1/0/2
OSPF
GE1/0/1 GE1/0/1
GE1/0/2 Switch_3 Switch_4 GE1/0/2
GE1/0/1
GE1/0/1
VLAN10 VLAN10
1. Add interfaces to VLANs and configure the interfaces to allow the VLANs.
2. Configure IP addresses for VLANIF interfaces to implement Layer 3 connectivity.
3. Configure basic OSPF functions to implement interworking.
Procedure
Step 1 Configure Switch_1.
# Create VLAN 10 and VLAN 30.

[HUAWEI] sysname Switch_1
[Switch_1] vlan batch 10 30
# Add GE1/0/1 to VLAN 10 and GE1/0/2 to VLAN 30.

[Switch_1] interface gigabitethernet 1/0/1
[Switch_1-GigabitEthernet1/0/1] port link-type trunk
[Switch_1-GigabitEthernet1/0/1] port trunk allow-pass vlan 10
[Switch_1-GigabitEthernet1/0/1] quit
# Configure IP addresses of 10.10.10.1/24 and 10.10.30.1/24 for VLANIF 10 and VLANIF

30 respectively.
[Switch_1] interface vlanif 10
[Switch_1-Vlanif10] ip address 10.10.10.1 24
[Switch_1-Vlanif10] quit

# Configure basic OSPF functions.

[Switch_1] router id 1.1.1.1
[Switch_1] ospf
[Switch_1-ospf-1] area 0
[Switch_1-ospf-1-area-0.0.0.0] network 10.10.10.0 0.0.0.255
[Switch_1-ospf-1-area-0.0.0.0] quit

[Switch_2] vlan batch 10 30
# Add GE1/0/1 to VLAN 10 and GE1/0/2 to VLAN 30.

# Configure IP addresses of 10.10.20.1/24 and 10.10.30.2/24 for VLANIF 10 and VLANIF

30 respectively.

[Switch_2] router id 2.2.2.2
[Switch_2] ospf

# Create VLAN 10, add GE1/0/1 to VLAN 10 in untagged mode and GE1/0/2 to VLAN 10 in
tagged mode. The configuration of Switch_4 is similar to that of Switch_3, and is not
mentioned here.
[Switch_3] vlan batch 10
[Switch_3-GigabitEthernet1/0/1] port link-type access
[Switch_3-GigabitEthernet1/0/1] port default vlan 10

On the PC of the Layer 2 network connected to Switch_1, set the default gateway address to
the IP address of VLANIF10, that is, 10.10.10.1/24.

On the PC of the Layer 2 network connected to Switch_2, set the default gateway address to
the IP address of VLANIF10, that is, 10.10.20.1/24.
After the configuration is complete, PCs on the two Layer 2 networks are isolated at Layer 2
and interwork at Layer 3.
----End
Configuration Files
l Switch_1 configuration file
#
sysname Switch_1
#
router id 1.1.1.1
#
vlan batch 10 30
#
interface Vlanif10
ip address 10.10.10.1 255.255.255.0
#
interface Vlanif30
ip address 10.10.30.1 255.255.255.0
#
#
#
ospf 1
area 0.0.0.0
network 10.10.10.0 0.0.0.255
network 10.10.30.0 0.0.0.255
#
return

#
sysname Switch_2
#
router id 2.2.2.2
#
vlan batch 10 30
#
interface Vlanif10
ip address 10.10.20.1 255.255.255.0
#
interface Vlanif30
ip address 10.10.30.2 255.255.255.0
#
#
#
ospf 1
area 0.0.0.0
network 10.10.20.0 0.0.0.255
network 10.10.30.0 0.0.0.255
#
return


#
sysname Switch_3
#
vlan batch 10
#
#
#
return

#
sysname Switch_4
#
vlan batch 10
#
#
#
return

Communication of Hosts on Different Network Segments in the
Same VLAN
On the enterprise network shown in Figure 4-32, hosts in the same VLAN belong to network
segments of 10.1.1.1/24 and 10.1.2.1/24. Hosts on the two network segments are required to
access the Internet through the Switch and communicate.

Figure 4-32 Configuring VLANIF interfaces to implement communication of hosts on

different network segments in the same VLAN
Internet
Router 10.10.10.2/24
VLANIF10
GE1/0/3 Primary IP: 10.1.1.1/24
Secondary IP: 10.1.2.1/24
Switch VLANIF20
10.10.10.1/24
GE1/0/1 GE1/0/2
VLAN10
Host1 Host2
10.1.1.2/24 10.1.2.2/24
If only one IP address is configured for the VLANIF interface on the Switch, only hosts on
one network segment can access the Internet through the Switch. To enable all hosts on the
LAN can access the Internet through the Switch, configure a secondary IP address for the
VLANIF interface. To enable hosts on the two network segments to communicate, the hosts
on the two network segments need to use the primary and secondary IP addresses of the
VLANIF interface as default gateway addresses.
2. Configure VLANIF interfaces and assign IP addresses to them so that hosts on the two
network segments can communicate.
3. Configure a routing protocol so that hosts can access the Internet through the Switch.
Procedure
# Add GE1/0/1 and GE1/0/2 to VLAN 10 and GE1/0/3 to VLAN 20.


Step 2 Configure VLANIF interfaces.

# Create VLANIF 10 and configure the primary IP address of 10.1.1.1/24 and secondary IP
address of 10.1.2.1/24 for VLANIF 10, and create VLANIF 20 and configure the IP address
of 10.10.10.1/24 for VLANIF 20.
[Switch-Vlanif10] ip address 10.1.2.1 24 sub
Step 3 Configure a routing protocol.

# Configure basic OSPF functions and configure OSPF to advertise network segments of
hosts and the network segment between the Switch and router.
[Switch] ospf
[Switch-ospf-1] area 0
[Switch-ospf-1-area-0.0.0.0] network 10.1.1.0 0.0.0.255
[Switch-ospf-1-area-0.0.0.0] quit
[Switch-ospf-1] quit
NOTE
Perform the following configurations on the router:

l Add the interface connected to the Switch to VLAN 20 in tagged mode and specify an IP address
for VLANIF 20 on the same network segment as 10.10.10.1.
l Configure basic OSPF functions and configure OSPF to advertise the network segment between
the Switch and router.
For details, see the router documentation.

Configure the IP address of 10.1.1.2 and default gateway address of 10.1.1.1/24 (primary IP
address of VLANIF 10) for Host1; configure the IP address of 10.1.2.2 and default gateway
address of 10.1.2.1/24 (secondary IP address of VLANIF 10) for Host2.
After the configuration is complete, Host1 and Host2 can ping each other successfully, and
they can ping 10.10.10.2/24, IP address of the router interface connected to the Switch. That
is, they can access the Internet.
----End
Configuration Files
#
sysname Switch

#
vlan batch 10 20
#
interface Vlanif10
ip address 10.1.1.1 255.255.255.0
ip address 10.1.2.1 255.255.255.0 sub
#
interface Vlanif20
ip address 10.10.10.1 255.255.255.0
#
#
#
#
ospf 1
area 0.0.0.0
network 10.1.1.0 0.0.0.255
network 10.1.2.0 0.0.0.255
network 10.10.10.0 0.0.0.255
#
return
4.9.10 Example for Configuring a Traffic Policy to Implement

Inter-VLAN Layer 3 Isolation
As shown in Figure 4-33, to ensure communication security, a company assigns visitors,
employees, and servers to VLAN 10, VLAN 20, and VLAN 30 respectively. The
requirements are as follows:
l Employees, visitors, and servers can access the Internet.
l Visitors can access only the Internet, and cannot communicate with employees in any
other VLANs.
l Employee A can access all resources in the server area, and other employees can access
port 21 (FTP service) of server A.

Figure 4-33 Configuring a traffic policy to implement inter-VLAN Layer 3 isolation
Internet
Router
VLANIF 100
GE1/0/4 10.1.100.1/24
GE1/0/1 GE1/0/3
Switch_4 GE1/0/2
GE1/0/2 GE1/0/3 GE1/0/2

Switch_1 Switch_2 Switch_3
GE1/0/1 GE1/0/1 GE1/0/2 GE1/0/1
Visitor Employee Server
area area area
Visitor A Employee A Employee B Server A
10.1.1.2/24 10.1.2.2/24 10.1.2.3/24 10.1.3.2/24
1. Create VLANs and add interfaces to the VLANs to implement Layer 2 isolation of
visitors, employees, and servers.
2. Configure VLANIF interfaces and assign IP addresses to them to implement Layer 3
connectivity between employees, servers, and visitors.
3. Configure a routing protocol so that visitors, employees, and servers can access the
Internet through the Switch.
4. Configure and apply a traffic policy so that employee A can access all resources in the
server area, other employees can access only port 21 (FTP service) of server A,
employees can access only servers, and visitors can access only the Internet.
Procedure
Step 1 Create VLANs and add interfaces to the VLANs to implement Layer 2 isolation of visitors,
employees, and servers.
# Create VLAN 10 on Switch_1, add GE1/0/1 to VLAN 10 in untagged mode and GE1/0/2 to
VLAN 10 in tagged mode. The configurations of Switch_2 and Switch_3 are similar to the
configuration of Switch_1, and are not mentioned here.

[Switch_1] vlan batch 10

[Switch_1-GigabitEthernet1/0/1] port link-type access
[Switch_1-GigabitEthernet1/0/1] port default vlan 10
# Create VLAN 10, VLAN 20, VLAN 30, and VLAN 100 on Switch_4, and add GE1/0/1-
GE1/0/4 to VLAN 10, VLAN 20, VLAN 30, and VLAN 100 in tagged mode.
[Switch_4] vlan batch 10 20 30 100
Step 2 Configure VLANIF interfaces and assign IP addresses to them to implement Layer 3
connectivity between employees, servers, and visitors.
# On Switch_4, Create VLAN 10, VLAN 20, VLAN 30, and VLAN 100 and assign IP
addresses of 10.1.1.1/24, 10.1.2.1/24, 10.1.3.1/24, and 10.1.100.1/24 to them respectively.
Step 3 Configure a routing protocol so that visitors, employees, and servers can access the Internet
through the Switch.
# Configure basic OSPF functions on Switch_4 and configure OSPF to advertise network
segments of hosts and the network segment between Switch_4 and the router.
[Switch_4] ospf
[Switch_4-ospf-1] quit

NOTE
Perform the following configurations on the router:

l Add the interface connected to the Switch to VLAN 100 in tagged mode and specify an IP address
for VLANIF 100 on the same network segment as 10.1.100.1.
l Configure basic OSPF functions and configure OSPF to advertise the network segment between
the Switch and router.
For details, see the router documentation.
Step 4 Configure and apply a traffic policy to control access of employees, visitors, and servers.
1. Configure ACLs to define flows.
# Configure ACL 3000 on Switch_4 to prevent visitors from accessing employees' PCs
and servers.
[Switch_4] acl 3000
[Switch_4-acl-adv-3000] rule deny ip destination 10.1.2.1 0.0.0.255
[Switch_4-acl-adv-3000] quit
# Configure ACL 3001 on Switch_4 so that employee A can access all resources in the
server area and other employees can access only port 21 of server A.
[Switch_4] acl 3001
[Switch_4-acl-adv-3001] rule permit tcp destination 10.1.3.2 0 destination-
port eq 21
[Switch_4-acl-adv-3001] rule permit ip source 10.1.2.2 0 destination 10.1.3.1
0.0.0.255
[Switch_4-acl-adv-3001] quit
2. Configure traffic classifiers to differentiate different flows.

# Configure traffic classifiers c_custom, and c_staff on Switch_4 and reference ACLs
3000, and 3001 in the traffic classifiers respectively.
[Switch_4] traffic classifier c_custom
[Switch_4-classifier-c_custom] if-match acl 3000
[Switch_4-classifier-c_custom] quit
[Switch_4] traffic classifier c_staff
[Switch_4-classifier-c_staff] if-match acl 3001
[Switch_4-classifier-c_staff] quit
3. Configure a traffic behavior and define an action.

# Configure a traffic behavior named b1 on Switch_4 and define the permit action.
[Switch_4] traffic behavior b1
[Switch_4-behavior-b1] permit
[Switch_4-behavior-b1] quit
4. Configure traffic policies and associate traffic classifiers with the traffic behavior in the
traffic policies.
# Create traffic policies p_custom, and p_staff on Switch_4, and associate traffic
classifiers c_custom, and c_staff with traffic behavior b1.
[Switch_4] traffic policy p_custom
[Switch_4-trafficpolicy-p_custom] classifier c_custom behavior b1
[Switch_4-trafficpolicy-p_custom] quit
[Switch_4] traffic policy p_staff
[Switch_4-trafficpolicy-p_staff] classifier c_staff behavior b1
[Switch_4-trafficpolicy-p_staff] quit
5. Apply the traffic policies to control access of employees, visitors, and servers.
# On Switch_4, apply traffic policies p_custom, and p_staff in the inbound direction of
VLAN 10, and VLAN 20 respectively.
[Switch_4] vlan 10
[Switch_4-vlan10] traffic-policy p_custom inbound

[Switch_4-vlan10] quit
[Switch_4] vlan 20
[Switch_4-vlan20] traffic-policy p_staff inbound
[Switch_4-vlan20] quit

Configure the IP address of 10.1.1.2 and default gateway address of 10.1.1.1/24 (VLANIF
10's IP address) for visitor A; configure the IP address of 10.1.2.2 and default gateway
address of 10.1.2.1/24 (VLANIF 20's IP address) for employee A; configure the IP address of
10.1.2.3 and default gateway address of 10.1.2.1/24 (VLANIF 20's IP address) for employee
B; configure the IP address of 10.1.3.2 and default gateway address of 10.1.3.1/24 (VLANIF
30's IP address) for server A.
After the configuration is complete, the following situations occur:
l Visitor A fails to ping employee A or server A, and employee A and server A fail to ping
visitor A.
l Employee A can successfully ping server A. That is, employee A can use server A and
the FTP service of server A.
l Employee B fail to ping server A, and can only use the FTP service of server A.
l Visitors, employees A and B, server A all can ping 10.1.100.2/24, IP address of the
router interface connected to Switch_4. That is, they can access the Internet.
----End
Configuration Files
#
sysname Switch_1
#
vlan batch 10
#
#
#
return

#
sysname Switch_2
#
vlan batch 20
#
#
#
#
return


#
sysname Switch_3
#
vlan batch 30
#
#
#
return

#
sysname Switch_4
#
vlan batch 10 20 30 100
#
acl number 3000
rule 5 deny ip destination 10.1.2.0 0.0.0.255
acl number 3001
rule 5 permit tcp destination 10.1.3.2 0 destination-port eq ftp
rule 10 permit ip source 10.1.2.2 0 destination 10.1.3.0 0.0.0.255
#
traffic classifier c_custom operator or precedence 5
if-match acl 3000
traffic classifier c_staff operator or precedence 10
if-match acl 3001
#
traffic behavior b1
permit
#
traffic policy p_custom match-order config
classifier c_custom behavior b1
traffic policy p_staff match-order config
classifier c_staff behavior b1
#
vlan 10
traffic-policy p_custom inbound
vlan 20
traffic-policy p_staff inbound
#
interface Vlanif10
ip address 10.1.1.1 255.255.255.0
#
interface Vlanif20
ip address 10.1.2.1 255.255.255.0
#
interface Vlanif30
ip address 10.1.3.1 255.255.255.0
#
interface Vlanif100
ip address 10.1.100.1 255.255.255.0
#
#
#


#
#
ospf 1
area 0.0.0.0
network 10.1.1.0 0.0.0.255
network 10.1.2.0 0.0.0.255
network 10.1.3.0 0.0.0.255
network 10.1.100.0 0.0.0.255
#
return
4.9.11 Example for Configuring an mVLAN to Implement Remote

Management
As shown in Figure 4-34, users need to securely log in to the Switch for remote management.
There is no idle management interface on the Switch.
Figure 4-34 Configuring an mVLAN to implement remote management
10.1.1.1/24 10.10.10.2/24
IP GE1/0/1
network
PC Switch
A management interface or VLANIF interface of an mVLAN can be used to log in to the
device for remote management. The device has no idle management interface, so the mVLAN
is used. STelnet is used to ensure login security. The configuration roadmap is as follows:
1. Configure an mVLAN on the Switch and add an interface to the mVLAN.

2. Configure a VLANIF interface and assign an IP address to it on the Switch.
3. Enable STelnet on the Switch and configure an SSH user.
4. Log in to the Switch using STelnet from a user PC.
NOTE
l The user PC needs to be configured with the software for logging in to the SSH server, key pair
generation software, and public key conversion software.
l To ensure device security, change the password periodically.
Procedure
Step 1 Configure an mVLAN and add an interface to the mVLAN.

# Create VLAN 10 on the Switch and specify VLAN 10 as the mVLAN, and add GE1/0/1 to
VLAN 10 in tagged mode.
[Switch] vlan 10
[Switch-vlan10] management-vlan
Step 2 Configure a VLANIF interface and assign an IP address to the VLANIF interface.
# Create VLANIF 10 on the Switch and configure the IP address of 10.10.10.2/24 for it.
Step 3 Enable the STelnet service and configure an SSH user.

1. Configure the Switch to generate a local key pair.
[Switch] rsa local-key-pair create
The key name will be: Switch_Host
The range of public key size is (512 ~ 2048).
NOTES: If the key modulus is greater than 512,
it will take a few minutes.
Input the bits in the modulus[default = 2048]: //Press Enter.
Generating keys...
...................+++++
........................++
....++++
...........++
2. Configure an SSH user.

# Configure the VTY user interface on the Switch.
[Switch] user-interface vty 0 14
[Switch-ui-vty0-14] authentication-mode aaa
[Switch-ui-vty0-14] protocol inbound ssh
[Switch-ui-vty0-14] quit
# Create an SSH user named client001 on the Switch and configure password
authentication.
[Switch] aaa
[Switch-aaa] local-user client001 password irreversible-cipher Huawei@123
[Switch-aaa] local-user client001 privilege level 3
[Switch-aaa] local-user client001 service-type ssh
[Switch-aaa] quit
[Switch] ssh user client001 authentication-type password
3. Enable the STelnet service.

# Enable the STelnet service on the Switch.
[Switch] stelnet server enable
# Configure the STelnet service for SSH user client001.

[Switch] ssh user client001 service-type stelnet
NOTE
The PC connects to the switch through the intermediate device. The intermediate device needs to
transparently transmit packets from mVLAN 10 and has a route from 10.1.1.1/24 to 10.10.10.2/24.

After the configuration is complete, the user can log in to the Switch from the PC using
password authentication.
# Run the Putty software on the user PC. The dialog box shown in Figure 4-35 is displayed.
Enter 10.10.10.2 (IP address of the Switch) and select SSH.
Figure 4-35 Configuring an mVLAN to implement remote management
# Click Open. On the page that is displayed on the Switch, enter the user name and password,
and press Enter.
login as: client001
SSH server: User Authentication
Using keyboard-interactive authentication.
Password:
Info: The max number of VTY users is 10, and the number
of current VTY users on line is 1.
The current login time is 2014-02-25 05:45:41+00:00.
<Switch>
The user can successfully log in to the Switch for remote management.
----End
Configuration Files

#
sysname Switch
#
vlan batch 10
#
vlan 10
management-vlan
#
aaa
local-user client001 password irreversible-cipher %^%#EqZEVTq=/
@T2XM0q0W{Ec[Fs2@&4YII@-=(lbr[K>4Dq76]3#BgqMOAxu^%$%^%#
local-user client001 privilege level 3
local-user client001 service-type ssh
#
interface Vlanif10
ip address 10.10.10.2 255.255.255.0
#
#
stelnet server enable
ssh user client001
ssh user client001 authentication-type password
ssh user client001 service-type stelnet
#
user-interface vty 0 14
authentication-mode aaa
#
return
4.9.12 Example for Configuring Transparent Transmission of

Protocol Packets in a VLAN
A company has multiple subsidiary companies. When the parent company communicates with
a subsidiary company through the core switch, the core switch processes the packets before
forwarding them. If multiple subsidiary companies communicate with the parent company
simultaneously, processing capabilities of the core switch deteriorate. As a result, the
communication efficiency is lowered and communication costs increases. Transparent
transmission of protocol packets in a VLAN can be configured on the core switch to solve this
problem.
As shown in Figure 4-36, after transparent transmission of protocol packets in a VLAN is
enabled, the Switch forwards data from the specified VLAN without sending the data to its
CPU. This improves the processing efficiency, reduces communication costs, and minimizes
the probability of malicious attacks on the Switch.

Figure 4-36 VLAN transparent transmission
Parent Company
Pac
ket
GE1/0/2
s
of V
Switch
LAN
GE1/0/1 GE1/0/3
20
VLAN 10 VLAN 20
SwitchA SwitchB
Sub Company 1 Sub Company 2
1. Create VLANs.
2. Enable transparent transmission of protocol packets in a VLAN.
3. Add Ethernet interfaces to VLANs.
Procedure
# Create VLANs.
# Enable transparent transmission of protocol packets in a VLAN.

[Switch] vlan 20
[Switch-vlan20] protocol-transparent
# Add interfaces to the VLANs.



[Switch-GigabitEthernet1/0/2] port hybrid tagged vlan 10 20
Step 2 Configure SwitchA and SwitchB. Add upstream interfaces on SwitchA and SwitchB to
VLAN 10 and VLAN 20 in tagged mode, and add downstream interfaces to VLAN 10 and
VLAN 20 in default mode. The configuration details are not mentioned here.
# After the configuration is complete, run the display this command in the view of VLAN 20.
The command output shows that transparent transmission of protocol packets in a VLAN is
enabled.
[Switch] vlan 20
[Switch-vlan20] display this
#
vlan 20
#
return
----End
Configuration Files
#
sysname Switch
#
vlan batch 10 20
#
vlan 20
#
#
#
#
return
4.10.1 A VLANIF Interface Fails to Be Created

Fault Symptom
When a user attempts to create a VLANIF interface, the system displays an error message. As
a result, the VLANIF interface fails to be created.
Procedure
Step 1 Check the error message during VLANIF interface creation.
Rectify the fault according to the error message. See Table 4-9.
Table 4-9 Fault rectification according to the error message
Message Cause Analysis and Solution

Check Method
Error: Can not create this The number of created Run the undo interface
interface because the interface VLANIF interfaces on the vlanif vlan-id command
number of this type has reached device has reached the to delete unnecessary
its maximum. limit. VLANIF interfaces, and
Run the display interface then create a specified
brief command to check VLANIF interface.
the number of VLANIF
interfaces, and check
whether the number of
VLANIF interfaces has
reached the limit in Table
4-7.
Error: The VLAN is used by The VLAN corresponding Create a VLANIF

XXX. to the VLANIF interfaces interface corresponding to
NOTE is a dynamic, control, or another VLAN.
XXX indicates a feature, such as reserved VLAN.
CSS, ERPS, RRPP, SEP, Smart
Run the display vlan
Link, GVRP, or VBST.
summary command to
check whether the value
of the Dynamic vlan or
Reserved vlan field is the
VLAN corresponding to
the VLANIF interface.
Step 2 If the fault persists, collect alarms and logs and contact Huawei technical support personnel.
----End
4.10.2 A VLANIF Interface Goes Down
Fault Symptom
A VLANIF interface goes Down.

Common Causes and Solutions

Table 4-10 describes common causes and solutions.
Table 4-10 Common causes and solutions
Common Cause Solution
The VLAN corresponding to the VLANIF Run the vlan vlan-id command to create a
interface is not created. VLAN corresponding to the VLANIF
interface.
The interface is not added to the VLAN. Run the following commands as required.
NOTE l Run the port default vlan vlan-id [ step
l The port trunk pvid vlan vlan-id command step-number [ increased | decreased ] ]
only configures the PVID on a trunk command in the interface view to add an
interface, but does not add a trunk interface access interface to a VLAN.
to a VLAN.
l Run the port trunk allow-pass vlan
l The port hybrid pvid vlan vlan-id command
only configures the PVID on a hybrid { { vlan-id1 [ to vlan-id2 ] }&<1-10> |
interface, but does not add a hybrid interface all } command in the interface view to
to a VLAN. add a trunk interface to a VLAN.
l You can add a hybrid interface to a
VLAN in tagged or untagged mode.
– Run the port hybrid tagged vlan
{ { vlan-id1 [ to vlan-id2 ] }&<1-10>
| all } command to add a hybrid
interface to a VLAN in tagged mode.
– Run the port hybrid untagged vlan
{ { vlan-id1 [ to vlan-id2 ] }&<1-10>
interface to a VLAN in untagged
mode.
The physical status of all interfaces added to Rectify this fault. A VLANIF interface goes
the VLAN is Down. Up as long as one interface in the VLAN is
Up.
No IP address is assigned to the VLANIF Run the ip address command in the

interface. VLANIF interface view to assign an IP
address to the VLANIF interface.
The VLANIF interface is shut down. Run the undo shutdown command in the
VLANIF interface view to start the
VLANIF interface.
4.10.3 Users in a VLAN Cannot Communicate
Fault Symptom
Users in a VLAN cannot communicate.

Procedure
Step 1 Check that the interfaces connected to user terminals are in Up state.
Run the display interface interface-type interface-number command in any view to check the
status of the interfaces.
l If the interface is Down, rectify the interface fault.
l If the interface is Up, go to Step 2.
Step 2 Check whether the IP addresses of user terminals are on the same network segment. If they
are on different network segments, change the IP addresses of the user terminals to be on the
same network segment. If the fault persists, go to Step 3.
Step 3 Check that the MAC address entry is correct.
Run the display mac-address command on the Switch to check whether MAC addresses,
interfaces, and VLANs in the learned MAC address entries are correct. If the learned MAC
address entries are incorrect, run the undo mac-address mac-address vlan vlan-id command
in the system view to delete MAC address entries so that the Switch can learn MAC address
entries again.
After the MAC address table is updated, check the MAC address entries again.
l If the MAC address entries are incorrect, go to Step 4.
l If the MAC address entries are correct, go to Step 5.
Step 4 Check that the VLAN is properly configured.
Check the VLAN configuration according to the following table.
Check Item Method
Whether the Run the display vlan vlan-id command in any view to check whether
VLAN has been the VLAN has been created. If not, run the vlan command in the
created system view to create the VLAN.

Check Item Method
Whether the Run the display vlan vlan-id command in any view to check whether
interfaces are the VLAN contains the interfaces. If not, add the interfaces to the
added to the VLAN.
VLAN NOTE
If the interfaces are located on different switches, add the interfaces
connecting the switches to the VLAN.
The default type of an interface is Negotiation. You can run the port link-type
command to change the link type of an interface.
l Add an access interface to the VLAN by using either of the
following methods:
– Run the port default vlan command in the interface view.
– Run the port command in the VLAN view.
l Add a trunk interface to the VLAN.
Run the port trunk allow-pass vlan command in the interface
view.
l Add a hybrid interface to the VLAN by using either of the
following methods:
– Run the port hybrid tagged vlan command in the interface
view.
– Run the port hybrid untagged vlan command in the interface
view.
Whether Correctly connect user terminals to device interfaces.

connections
between interfaces
and user terminals
are correct
After the preceding operations, if the MAC address entries are correct, go to Step 5.
Step 5 Check whether port isolation is configured.
Run the interface interface-type interface-number command in the system view to enter the
interface view, and then run the display this command to check whether port isolation is
configured on the interface.
l If port isolation is not configured, go to Step 6.
l If port isolation is configured, run the undo port-isolate enable command on the
interface to disable port isolation. If the fault persists, go to Step 6.
Step 6 Check whether correct static Address Resolution Protocol (ARP) entries are configured on the
user terminals. If the static ARP entries are incorrect, modify them. Otherwise, go to Step 7.
Step 7 Collect logs and alarms and contact Huawei technical support personnel.
----End

4.10.4 IP Addresses of the Connected Interfaces Between Switches

Cannot Be Pinged
Fault Symptom
As shown in Figure 4-37, the IP address of VLANIF 10 on Switch_2 cannot be pinged from
Switch_1. Similarly, the IP address of VLANIF 10 on Switch_1 cannot be pinged from
Switch_2.
Figure 4-37 Connected switches

Switch_1 Switch_2
VLANIF10
VLANIF10
Procedure
Step 1 Check whether the VLANIF interface is Up.
Run the display interface vlanif vlan-id command on Switch_1 and Switch_2 and check the
current state and Line protocol current state fields.
l If the value of any one of the two fields is DOWN, the VLANIF interface is Down.
Rectify this fault according to 4.10.2 A VLANIF Interface Goes Down.
l If the values of the two fields are UP, the VLANIF interface is Up. Go to Step 2.
Step 2 Check whether the connected Ethernet interfaces between switches join a VLAN.
Run the display vlan vlan-id command on Switch_1 and Switch_2 and check the Ports field.
Check whether the connected Ethernet interfaces exist in the VLAN.
l If the connected Ethernet interfaces do not exist in the VLAN, add the connected
Ethernet interfaces to the VLAN.
l If the connected Ethernet interfaces exist in the VLAN and at least one of them joins the
VLAN in untagged mode (UT displayed before the interface), change the untagged mode
to tagged mode.
l If the connected Ethernet interfaces exist in the VLAN but the interfaces go Down (D
displayed after the interface), rectify the fault according to An Ethernet Interface Is
Physically Down.
l If none of the preceding configurations exists, go to Step 3.
Step 3 Check whether the PVID values on the connected Ethernet interface between switches are the
same.
Run the display port vlan interface-type interface-number command on Switch_1 and
Switch_2 to check the PVID values.
l If the PVID values are different, change them to be the same.
l If the PVID values are the same, go to Step 4.
Step 4 Collect logs and alarms and contact Huawei technical support personnel.
----End

4.11 FAQ
4.11.1 How Do I Create VLANs in a Batch?

Run the vlan batch command in the system view to create VLANs in a batch.
l Create 10 contiguous VLANs: VLAN 11 to VLAN 20.
[HUAWEI] vlan batch 11 to 20
l Create 10 incontiguous VLANs in a batch: VLAN 10, VLANs 15 to 19, VLAN 25,
VLANs 28 to VLAN 30.
[HUAWEI] vlan batch 10 15 to 19 25 28 to 30
NOTE
You can create a maximum of 10 incontiguous VLANs or VLAN range at one time. If there are
more than 10 VLANs, run this command multiple times. For example, the vlan batch 10 15 to 19
25 28 to 30 command creates four incontiguous VLAN ranges.
4.11.2 How Do I Add Interfaces to a VLAN in a Batch?

You can add interfaces to a VLAN in a batch using a port group, and can directly add access
interfaces to a VLAN in a batch in the system view.
l Access interface
# Add GE1/0/1-GE1/0/5 to VLAN 10 in a batch.
– Add interfaces to a VLAN in a batch using a port group.
[HUAWEI] port-group pg1
[HUAWEI-port-group-pg1] group-member gigabitethernet1/0/1 to
gigabitethernet1/0/5
[HUAWEI-port-group-pg1] port link-type access
[HUAWEI-port-group-pg1] port default vlan 10
– Add interfaces to a VLAN in a batch in the VLAN view.

[HUAWEI] vlan 10
[HUAWEI-vlan10] port gigabitethernet 1/0/1 to 1/0/5
NOTE
Before performing this operation, configure interfaces to be added to a VLAN as access

interface.
l Trunk interface
# Add GE1/0/1-GE1/0/5 to VLAN 10 and VLAN 20 in a batch.
[HUAWEI-port-group-pg1] port link-type trunk
[HUAWEI-port-group-pg1] port trunk allow-pass vlan 10 20
l Hybrid interface
# Add GE1/0/1-GE1/0/5 to VLAN 10 and VLAN 20 in a batch.


[HUAWEI-port-group-pg1] port link-type hybrid
[HUAWEI-port-group-pg1] port hybrid tagged vlan 10
[HUAWEI-port-group-pg1] port hybrid untagged vlan 20
4.11.3 How Do I Restore the Default VLAN Configuration of an

Interface?
The default VLAN configuration of an interface involves the default VLAN of the interface
and the VLAN that the interface joins. By default, the default VLAN configuration of an
interface is as follows:
l Access: The default VLAN is VLAN 1, and an access interface joins VLAN 1 in
untagged mode.
l Trunk: The default VLAN is VLAN 1, and a trunk interface joins VLAN 1 to VLAN
4094 in tagged mode. That is, a trunk interface allows all VLANs.
l Hybrid: The default VLAN is VLAN 1, and a hybrid interface joins VLAN 1 in
untagged mode.
l Dot1q-tunnel: The default VLAN is VLAN 1, and a dot1q-tunnel interface joins VLAN
1.
l Negotiation-auto or Negotiation-desirable: If the interface is negotiated as an access
interface, the default VLAN configuration of the interface is the same as that of the
access interface. If the interface is negotiated as a trunk interface, the default VLAN is
VLAN 1 and the interface joins VLANs 1 to 4094 in tagged mode. That is, the interface
allows all VLANs.
Run the display this include-default | include link-type command in the interface view to
check the link type of the interface, and then perform one of the following configurations to
restore the default configuration of the interface.
l Restore the default VLAN configuration of an access or dot1q-tunnel interface.
[HUAWEI] interface gigabitethernet 1/0/1
[HUAWEI-GigabitEthernet1/0/1] undo port default vlan
l Restore the default VLAN configuration of a trunk interface.

[HUAWEI-GigabitEthernet1/0/1] undo port trunk pvid vlan
[HUAWEI-GigabitEthernet1/0/1] undo port trunk allow-pass vlan all
[HUAWEI-GigabitEthernet1/0/1] port trunk allow-pass vlan 1
l Restore the default VLAN configuration of a hybrid interface.

[HUAWEI-GigabitEthernet1/0/1] undo port hybrid pvid vlan
[HUAWEI-GigabitEthernet1/0/1] undo port hybrid vlan all
[HUAWEI-GigabitEthernet1/0/1] port hybrid untagged vlan 1
l Restore the default VLAN configuration of the Negotiation-auto or Negotiation-

desirable interface.
[HUAWEI-GigabitEthernet1/0/1] port trunk allow-pass vlan all
4.11.4 How Do I Change the Link Type of an Interface?

The link type of an interface can be access, trunk, hybrid, or Dot1q-tunnel. The methods used
to change the link type of an interface in different versions are different.
l In V200R005 and later versions, run the port link-type { access | trunk | hybrid |
dot1q-tunnel } command and enter y or n as prompted. When the interface uses the
default VLAN configuration, the system does not display any message. The link type of
the interface is changed directly.
– When you enter y and press Enter, the device automatically deletes the non-default
VLAN configuration of the interface and sets the link type of the interface to the
specified one.
– When you enter n and press Enter, the device retains the current link type and
VLAN configuration of the interface.
Change the link type of the interface to hybrid.
[HUAWEI] interface GigabitEthernet1/0/1
[HUAWEI-GigabitEthernet1/0/1] port link-type hybrid
Warning: This command will delete VLANs on this port. Continue?[Y/N]:y
Info: This operation may take a few seconds. Please wait for a moment...done.
l In earlier versions of V200R005, an interface joins VLAN 1 by default, and the PVID of
an interface is VLAN 1. You can run the port link-type { access | trunk | hybrid |
dot1q-tunnel } command to change the link type of the interface.
– Change the link type of the interface to access.
[HUAWEI-GigabitEthernet1/0/1] port link-type access
[HUAWEI-GigabitEthernet1/0/1] port default vlan 10
– Change the link type of the interface to trunk.

[HUAWEI-GigabitEthernet1/0/1] port link-type trunk
[HUAWEI-GigabitEthernet1/0/1] port trunk pvid vlan 10
[HUAWEI-GigabitEthernet1/0/1] port trunk allow-pass vlan 2 10 20
– Change the link type of the interface to hybrid.

[HUAWEI-GigabitEthernet1/0/1] port link-type hybrid
[HUAWEI-GigabitEthernet1/0/1] port hybrid pvid vlan 10
[HUAWEI-GigabitEthernet1/0/1] port hybrid untagged vlan 2 10
[HUAWEI-GigabitEthernet1/0/1] port hybrid tagged vlan 20
– Change the link type of the interface to Dot1q-tunnel.

[HUAWEI-GigabitEthernet1/0/1] port link-type dot1q-tunnel
[HUAWEI-GigabitEthernet1/0/1] port default vlan 10
When you change the link type of an interface that does not use the default VLAN
configuration, the system displays the message "Error: Please renew the default
configurations."
You need to restore the default configuration of the interface, and then change the link
type of the interface.
– Restore the default VLAN configuration of an access or Dot1q-tunnel interface.
– Restore the default VLAN configuration of a trunk interface.



[HUAWEI-GigabitEthernet1/0/1] undo port trunk allow-pass vlan all
[HUAWEI-GigabitEthernet1/0/1] port trunk allow-pass vlan 1
– Restore the default configuration of a hybrid interface.

[HUAWEI-GigabitEthernet1/0/1] undo port hybrid pvid vlan
[HUAWEI-GigabitEthernet1/0/1] undo port hybrid vlan all
[HUAWEI-GigabitEthernet1/0/1] port hybrid untagged vlan 1
4.11.5 How Do I Rapidly Query the Link Types and Default

VLANs of All Interfaces?
Run the display port vlan command to check the link types and default VLANs of all
interfaces. Example:
l V200R005 and later versions
<HUAWEI> display port vlan
Port Link Type PVID Trunk VLAN List
------------------------------------------------------------------------------
-
Eth-Trunk0 desirable 1 1-4094
Eth-Trunk1 trunk 1 1 11
Eth-Trunk5 hybrid 1 -
Eth-Trunk10 desirable 1 1-4094
Eth-Trunk12 trunk 1 1
GigabitEthernet9/0/1 trunk 1 1 8
GigabitEthernet9/0/3 access 10 -
GigabitEthernet9/0/4 hybrid 1 -
GigabitEthernet9/0/6 desirable 1 1-4094
GigabitEthernet9/0/9 trunk 1 1 17
GigabitEthernet9/0/17 access 103 -
GigabitEthernet9/0/19 desirable 0 -
Wlan-Ess1 trunk 1 1
XGigabitEthernet6/0/0 desirable 1 1-4094
l Earlier versions of V200R005 (excluding V200R005)

<HUAWEI> display port vlan
Port Link Type PVID Trunk VLAN List
------------------------------------------------------------------------------
-
Eth-Trunk1 trunk 1 1-100
Ethernet3/0/0 trunk 1 1 101-500
Ethernet3/0/1 trunk 1 1 100 110
Ethernet3/0/2 hybrid 0 -

Ethernet3/0/47 trunk 1 1
The Link Type field indicates the link type of an interface, the PVID field indicates the
default VLAN, and the Trunk VLAN List field indicates the list of VLANs allowed by a
trunk interface. If the interface does not join any VLAN, the Trunk VLAN List field is
displayed as -. If the link type of an interface is negotiation-desirable or negotiation-auto,
the Trunk VLAN List field is displayed as 1 to 4094.
4.11.6 How Do I Delete a Single VLAN or VLANs in a Batch?

The device supports deletion of a single VLAN or VLANs in a batch.
l Delete VLAN 10.

[HUAWEI] undo vlan 10
l Delete VLAN 10 to VLAN 20 in a batch.

[HUAWEI] undo vlan batch 10 to 20
NOTE
The earlier versions of V200R005, before deleting a VLAN where a VLANIF interface has been
configured, run the undo interface vlanif command to delete the VLANIF interface.

4.11.7 Can Multiple Network Segments Be Configured in a

VLAN?
Hosts on multiple network segments in the same VLAN can communicate by configure the
primary and secondary IP addresses for a VLANIF interface.
As shown in Figure 4-38, Host_1 and Host_2 in VLAN 10 belong to 10.1.1.1/24 and
10.1.2.1/24 respectively. The two hosts need to communicate.
Figure 4-38 Communication for hosts on multiple network segments in the same VLAN
Switch VLANIF 10
Primary IP: 10.1.1.1/24
Secondary IP: 10.1.2.1/24
GE1/0/1 GE1/0/2
VLAN 10
Host1 Host2
10.1.1.2/24 10.1.2.2/24
Configure the Switch.

[Switch-Vlanif10] ip address 10.1.2.1 24 sub
After the preceding configurations are performed, Host_1 and Host_2 can communicate.
4.11.8 How Is the Inter-VLAN Communication Fault Rectified?

The possible causes for the fault of inter-VLAN communication through the VLANIF
interface are as follows:
1. The VLANIF interface is not Up.
Run the display interface vlanif vlan-id to check the current state and Line protocol
current state fields.
<HUAWEI> display interface vlanif 2
Vlanif2 current state : UP
Line protocol current state : UP
Last line protocol up time : 2014-12-26 11:09:08 UTC-08:00
Description:
Route Port,The Maximum Transmit Unit is 1500
Internet Address is 10.1.1.2/24
IP Sending Frames' Format is PKTFMT_ETHNT_2, Hardware address is 4c1f-
cc41-3a64

Current system time: 2014-12-26 11:09:12-08:00

Input bandwidth utilization : --
Output bandwidth utilization : --
If the value of any one of the two fields is DOWN, the VLANIF interface is Down.
Rectify this fault according to Table 4-11.
Table 4-11 Common causes and solutions to the VLANIF interface Down event
Common Cause Solution
The VLAN corresponding to the Run the vlan vlan-id command to create a
VLANIF interface is not created. VLAN corresponding to the VLANIF
interface.
The interface is not added to the VLAN. Run the following commands as required.
NOTE l Run the port default vlan vlan-id
l The port trunk pvid vlan vlan-id command in the interface view to add
command only configures the PVID on a an access interface to a VLAN.
trunk interface, but does not add a trunk
interface to a VLAN. l Run the port trunk allow-pass vlan
{ { vlan-id1 [ to vlan-id2 ] }&<1-10>
l The port hybrid pvid vlan vlan-id
command only configures the PVID on a | all } command in the interface view
hybrid interface, but does not add a hybrid to add a trunk interface to a VLAN.
interface to a VLAN. l You can add a hybrid interface to a
VLAN in tagged or untagged mode.
Run the port hybrid tagged vlan
{ { vlan-id1 [ to vlan-id2 ] }&<1-10>
interface to a VLAN in tagged mode,
or run the port hybrid untagged vlan
{ { vlan-id1 [ to vlan-id2 ] }&<1-10>
interface to a VLAN in untagged
mode.
The physical status of all interfaces added Rectify this fault. A VLANIF interface
to the VLAN is Down. goes Up as long as one interface in the
VLAN is Up.
No IP address is assigned to the VLANIF Run the ip address ip-address { mask |

interface. mask-length } command to configure an
IP address for the VLANIF interface.
The VLANIF interface is shut down. That Run the undo shutdown command in the
is, the value of current state is VLANIF interface view to start the
Administratively DOWN. VLANIF interface.
2. No corresponding routing entry is generated.

When inter-VLAN communication is implemented across Layer 3 switches, the routing
entries must exist on the switches. As shown in Figure 4-39, the routing entry with
destination IP address 10.2.1.0/24 and next hop address 10.1.4.2 must exist on Switch1,
and the routing entry with destination IP address 10.1.1.0/24 and next hop address
10.1.4.1 must exist on Switch2.

Figure 4-39 Inter-VLAN communication across switches

V L A N IF 2 V L A N IF 3
IP a d d r e s s ： 1 0 .1 .1 .1 S w itc h _ 1 S w itc h _ 2 IP a d d r e s s ： 1 0 .1 .2 .1
V L A N IF 4 VLAN4 V L A N IF 4
IP a d d r e s s ： 1 0 .1 .4 .1 IP a d d r e s s ： 1 0 .1 .4 .2
VLAN2 VLAN3
PC1 PC2
IP : 1 0 .1 .1 .2 IP : 1 0 .1 .2 .2
G a te w a y : 1 0 .1 .1 .1 G a te w a y : 1 0 .1 .2 .1
If routing entries do not exist, run the ip route-static command to configure a static
route.
– Switch1: ip route-static 10.1.2.0 255.255.255.0 10.1.4.2
– Switch2: ip route-static 10.1.1.0 255.255.255.0 10.1.4.1
4.11.9 Do VLANs Need to Be Assigned on the Intermediate

Device That Transparently Transmits Packets?
Figure 4-40 Layer 2 device networking

S w itc h 1 S w itc h S w itc h 2
G E 1 /0 /2 G E 1 /0 /3
G E 1 /0 /1 G E 1 /0 /1
As shown in Figure 4-40, the switch has been configured to transparently transmit Layer 2
packets. Do VLANs need to be assigned?
l If Switch1 and Switch2 where VLANs are not assigned use default VLAN configuration,
VLANs do not need to be assigned on the switch.
l If VLANs are assigned on Switch1 and Switch2, VLANs need to be assigned on the
switch.
For example, GE1/0/1 interfaces connecting Switch1 and Switch2 to the switch
transparently transmit packets from VLAN 10 and VLAN 20, so GE1/0/2 and GE1/0/3
on the switch need be configured to transparently transmit packets from VLAN 10 and
VLAN 20. Perform the following configurations.
[HUAWEI] vlan batch 10 20
[HUAWEI-GigabitEthernet1/0/2] port trunk allow-pass vlan 10 20
[HUAWEI-GigabitEthernet1/0/2] quit
[HUAWEI-GigabitEthernet1/0/3] port trunk allow-pass vlan 10 20
4.11.10 Why Are MAC-VLAN Entries Invalid?
MAC-VLAN entries are only valid for untagged packets. If MAC-VLAN entries are invalid,
check whether incoming packets carry VLAN tags.

4.11.11 Can the Switch Collect Statistics on Only Traffic Destined

for the VLANIF Interface Enabled with Traffic Statistics?
When the VLANIF interface is enabled with traffic statistics, the switch counts Layer 3 traffic
in the VLAN corresponding to the VLANIF interface. That is, statistics on all traffic passing
the VLANIF interface are collected.
4.12 References
RFC 3069 VLAN Aggregation for -

Efficient IP Address
Allocation
IEEE 802.1Q IEEE Standards for -

Local and Metropolitan
Area Networks: Virtual
Bridged Local Area
Networks
IEEE 802.1ad IEEE Standards for -

Area Networks: Virtual
Bridged Local Area
Networks—
Amendment 4
IEEE 802.10 IEEE Standards for -

Area Networks:
Standard for
Interoperable
LAN/MAN Security
YD/T 1260-2003 Technical and Testing -

Specification of Virtual
LAN Based on Port

Configuration Guide - Ethernet Switching 5 VLAN Aggregation Configuration
5 VLAN Aggregation Configuration
About This Chapter
This chapter describes how to configure VLAN aggregation. VLAN aggregation implements
communication of hosts on the same network segment in different VLANs. A network can
significantly save IP addresses with VLAN aggregation technology.
5.1 Introduction to VLAN Aggregation

5.2 Principles
VLAN aggregation defines the super-VLAN and sub-VLAN. A sub-VLAN, as an
independent broadcast domain, contains only physical interfaces; a super-VLAN contains no
physical interface, and is used for creating a Layer 3 VLANIF interface. By mapping a super-
VLAN to sub-VLANs, VLAN aggregation associates the Layer 3 VLANIF interface with
physical interfaces so that all sub-VLANs share one gateway to communicate with an external
network. In addition, proxy ARP is used to implement Layer 3 connectivity between sub-
VLANs. This technology isolates broadcast domains and conserves IP addresses.
5.3 Application Scenario
5.6 Configuring VLAN Aggregation
VLAN aggregation prevents users on the same network segment in different VLANs from
communicating and allows them to access public network resources, saving IP addresses.
5.8 FAQ

5.1 Introduction to VLAN Aggregation
Definition
VLAN aggregation, also called super-VLAN, partitions a broadcast domain into multiple
VLANs (sub-VLANs) on a physical network and aggregates the sub-VLANs into a single
logical VLAN (super-VLAN). The sub-VLANs use the same IP subnet and default gateway
address, so the number of IP addresses used is reduced.
Purpose
VLAN technology is widely applied to packet switching networks because it is capable of
flexibly controlling broadcast domains and is easy to deploy. Usually, a Layer 3 switch uses a
Layer 3 logical interface in each VLAN to allow hosts in different broadcast domains to
communicate. This wastes IP addresses. On a subnet corresponding to a VLAN, the subnet
ID, directed broadcast address, and subnet default gateway address cannot be used as IP
addresses of hosts in the VLAN. In addition, the number of hosts on a subnet may be less than
the number of IP addresses available in the subnet. These remaining IP addresses are
essentially wasted because they cannot be used by other VLANs.
As shown in Figure 5-1, VLAN 2 requires 10 host addresses. The subnet 10.1.1.0/28 with a
28-bit mask is assigned to VLAN 2, where 10.1.1.0 is the subnet ID, 10.1.1.15 is the directed
broadcast address, and 10.1.1.1 is the default gateway address. Hosts cannot use these three
addresses, but the other 13 addresses ranging from 10.1.1.2 to 10.1.1.14 are available to them.
At least three IP addresses are wasted for VLAN 2, and at least nine IP addresses are wasted
for three VLANs. Although VLAN 2 requires only 10 IP addresses, the remaining 3 IP
addresses cannot be used by other VLANs and are wasted. If more VLANs are added, more
IP addresses will be wasted.
Figure 5-1 Networking of a common VLAN

L3 switch
VLANIF 2: 10.1.1.1 VLANIF 4: 10.1.1.25
VLANIF 3: 10.1.1.17
L2 switch L2 switch L2 switch

10.1.1.0/28 10.1.1.16/29 10.1.1.24/30
VLAN aggregation is used to solve the preceding problem. VLAN aggregation maps each
sub-VLAN to a broadcast domain, associates a super-VLAN with multiple sub-VLANs, and

assigns only one IP subnet to the super-VLAN. This ensures that all sub-VLANs share the IP
address of the associated super-VLAN as the gateway IP address, effectively implementing
Layer 3 connectivity.
Sub-VLANs share one gateway address so that the number of subnet IDs, subnet default
gateway addresses, and directed broadcast IP addresses used is reduced. The switch assigns IP
addresses to hosts in sub-VLANs according to the actual number of hosts, ensuring that each
sub-VLAN is used as an independent broadcast domain to implement isolation. Therefore,
VLAN aggregation conserves IP addresses and implements flexible addressing.
5.2 Principles
VLAN aggregation defines the super-VLAN and sub-VLAN. A sub-VLAN, as an
independent broadcast domain, contains only physical interfaces; a super-VLAN contains no
physical interface, and is used for creating a Layer 3 VLANIF interface. By mapping a super-
VLAN to sub-VLANs, VLAN aggregation associates the Layer 3 VLANIF interface with
physical interfaces so that all sub-VLANs share one gateway to communicate with an external
network. In addition, proxy ARP is used to implement Layer 3 connectivity between sub-
VLANs. This technology isolates broadcast domains and conserves IP addresses.
Implementation
The super-VLAN and sub-VLAN are different from common VLANs that contain a Layer 3
logical interface and multiple physical interfaces:
l Sub-VLAN: contains only physical interfaces, and is used to isolate broadcast domains.
A sub-VLAN cannot be used for creating a Layer 3 VLANIF interface. Hosts in each
sub-VLAN use the VLANIF interface of the associated super-VLAN to communicate
with external devices at Layer 3.
l Super-VLAN: is only used for creating a Layer 3 VLANIF interface and contains no
physical interface. It corresponds to the subnet gateway. Unlike a VLANIF interface that
is Up as long as a physical interface in a common VLAN is Up, a VLANIF interface in a
super-VLAN is Up as long as a physical interface in any associated sub-VLAN is Up.
A super-VLAN can contain one or more sub-VLANs. A sub-VLAN does not occupy an
independent subnet. IP addresses of hosts in any sub-VLAN of a super-VLAN belong to the
subnet corresponding to the sub-VLAN.
That is, sub-VLANs share the same gateway. VLAN aggregation reduces subnet IDs, subnet
default gateway addresses, and directed broadcast IP addresses, allows different broadcast
domains to use the same subnet address, implements flexible addressing, and conserves IP
addresses.
The network topology used in 5.1 Introduction to VLAN Aggregation is used as an
example. Configure VLAN 10 as the super-VLAN, assign the subnet address 10.1.1.0/24 to
VLAN 10, and configure VLAN 2, VLAN 3, and VLAN 4 as sub-VLANs of super-VLAN
10, as shown in Figure 5-2.

Figure 5-2 Networking of VLAN aggregation

L3 switch Super-VLAN 10
VLANIF 10: 10.1.1.1/24
Sub-VLAN 2 Sub-VLAN 3 Sub-VLAN 4

10.1.1.2-10.1.1.11 10.1.1.12-10.1.1.16 10.1.1.17
Gateway: Gateway: Gateway:
10.1.1.1/24 10.1.1.1/24 10.1.1.1/24
Sub-VLAN 2, sub-VLAN 3, and sub-VLAN 4 share a subnet (10.1.1.1/24). The subnet ID

(10.1.1.0), default gateway address (10.1.1.1), and directed broadcast address of the subnet
(10.1.1.255) cannot be used as host IP addresses. VLAN aggregation allows the switch to
assign IP addresses to hosts in sub-VLANs according to the actual number of hosts. For
example, when sub-VLAN 2 requires 10 addresses, 10.1.1.2-10.1.1.11 are assigned to sub-
VLAN 2.
Communications Between Sub-VLANs

VLAN aggregation allows different sub-VLANs to use IP addresses on the same network
segment, but cannot implement Layer 3 forwarding between sub-VLANs. Hosts in different
common VLANs can communicate with each other at Layer 3 through their respective
gateways. In a super-VLAN, hosts in all sub-VLANs use IP addresses on the same network
segment and share the gateway address, so the hosts in different sub-VLANs implement only
Layer 2 forwarding but not Layer 3 forwarding through a gateway. In practice, hosts in
different sub-VLANs are isolated at Layer 2. As a result, sub-VLANs are unable to
To address this issue, configure proxy ARP.
NOTE
For details about proxy ARP, see Proxy ARP in S7700&S9700 Series Switches Configuration Guide - IP
Services.
The networking in Figure 5-2 is used as an example. Assuming that Host_1 in sub-VLAN 2
needs to communicate with Host_2 in sub-VLAN 3, enable proxy ARP on the VLANIF
interface of super-VLAN 10, as shown in Figure 5-3.

Figure 5-3 Using proxy ARP to implement Layer 3 communication between sub-VLANs
Super-VLAN 10
L3 switch VLANIF10: 10.1.1.1/24
Proxy ARP
Host_1 Host_2 Host_3

Sub-VLAN 2 Sub-VLAN 3 Sub-VLAN 4
10.1.1.2/24 10.1.1.12/24 10.1.1.17/24
Host_1 in sub-VLAN 2 communicates with Host_2 in sub-VLAN 3 as follows (assume that

the ARP table of Host_1 in sub-VLAN 2 has no entry of Host_2 in sub-VLAN 3):
1. Host_1 in sub-VLAN 2 compares the IP address of Host_2 in sub-VLAN 3 with its IP
address, and finds that both IP addresses are on the same network segment 10.1.1.0/24.
However, the ARP table of Host_1 in sub-VLAN 2 has no entry of Host_2 in sub-VLAN
3.
2. Host_1 in sub-VLAN 2 broadcasts an ARP Request packet with the destination IP
address of 10.1.1.12 to request the MAC address of Host_2 in sub-VLAN 3.
3. The Layer 3 switch (gateway) is enabled with proxy ARP between sub-VLANs. After
receiving the ARP Request packet from Host_1 in sub-VLAN 2, the Layer 3 switch
searches its routing table for the destination IP address in the ARP Request packet. The
Layer 3 switch finds a matched route in which the next hop address is the directly
connected network segment (10.1.1.0/24 of VLANIF 10), and broadcasts an ARP
Request packet to all sub-VLANs in super-VLAN 10, requesting the MAC address of
Host_2 in sub-VLAN 3.
4. After receiving the ARP Request packet, Host_2 in sub-VLAN 3 sends an ARP Reply
packet.
5. After receiving the ARP Reply packet, the Layer 3 switch encapsulates its MAC address
into the ARP Reply packet and sends it to Host_1 in sub-VLAN 2.
6. Subsequent packets sent by Host_1 in sub-VLAN 2 to Host_2 in sub-VLAN 3 are first
sent to the gateway. The gateway then performs Layer 3 forwarding.
The packets sent by Host_2 in sub-VLAN 3 to Host_1 in sub-VLAN 2 are processed in the
same way as the packets sent by Host_1 in sub-VLAN 2 to Host_2 in sub-VLAN 3.
Layer 3 Communication Between Hosts in Sub-VLANs and on an External

Network
The networking in Figure 5-4 is used as an example to describe the communication between
hosts in Sub-VLANs and on an external network.

As shown in Figure 5-4, user hosts and servers are on different network segments, sub-
VLANs 2 to 4 and VLAN 10 are configured on Switch_1, and VLAN 10 and VLAN 20 are
configured on Switch_2.
Figure 5-4 Layer 3 communication between hosts in sub-VLANs and on an external network
Switch_2 VLANIF 20
10.1.2.1/24
VLANIF 10
10.1.10.2/24
Server
10.1.2.2/24
VLANIF 10
10.1.10.1/24
Super-VLAN 4
Switch_1 VLANIF 4
10.1.1.1/24
Host_1 Host_2
Sub-VLAN 2 Sub-VLAN 3
10.1.1.2/24 10.1.1.12/24
When Host_1 in sub-VLAN 2 wants to communicate with the server connected to Switch_2,
the packet forwarding process is as follows (assume that a route to 10.1.2.0/24 has been
configured on Switch_1, a route to 10.1.1.0/24 has been configured on Switch_2, and no
Layer 3 forwarding entry exists on the two switches):
1. Host_1 compares the server's IP address (10.1.2.2) with its network segment 10.1.1.0/24
and finds that they are on different network segments. Host_1 then sends an ARP
Request packet to its gateway to request the gateway's MAC address. The ARP Request
packet carries an all-F destination MAC address and destination IP address 10.1.1.1.
2. After receiving the ARP Request packet, Switch_1 searches the mapping between the
super-VLAN and sub-VLANs. Switch_1 then sends an ARP Reply packet with the MAC
address of VLANIF 4 (corresponding to super-VLAN 4) from an interface of sub-VLAN
2 to Host_1.
3. After learning the gateway's MAC address, Host_1 sends a packet with the destination
MAC address as the MAC address of VLANIF 4 (corresponding to super-VLAN 4) and
destination IP address of 10.1.2.2.
4. After receiving the packet from Host_1, Switch_1 determines that the packet should be
forwarded at Layer 3 according to the mapping between the super-VLAN and sub-
VLANs and destination MAC address. Switch_1 searcher its Layer 3 forwarding table
for a matching entry, but no entry is found. Switch_1 sends the packet to the CPU, and
the CPU searches its routing table and obtains the next hop address of 10.1.10.2 and the
outbound interface of VLANIF 10. Switch_1 determines the outbound interface
according to the ARP entry and MAC address entry, and sends the packet to Switch_2.
5. Switch_2 sends the packet to server according to the Layer 3 forwarding process.

After receiving the packet from Host_1, the server sends a response packet with the
destination IP address of 10.1.1.2 and destination MAC address as the MAC address of
VLANIF 20 on the Switch_2. The process is as follows:
1. The response packet reaches Switch_1 according to the Layer 3 forwarding process.
When the response packet reaches Switch_1, the destination MAC address is changed to
the MAC address of VLANIF 10 on Switch_1.
2. After receiving the packet, Switch_1 determines that the packet should be forwarded at
Layer 3 according to the destination MAC address. Switch_1 searcher its Layer 3
forwarding table for a matching entry, but no entry is found. Switch_1 sends the packet
to the CPU, and the CPU searches its routing table and obtains the next hop address of
10.1.1.2 and the outbound interface of VLANIF 4. Switch_1 searches the mapping
between the super-VLAN and sub-VLANs and determines that the packet should be sent
to Host_1 from an interface in sub-VLAN 2 according to the ARP entry and MAC
address entry.
3. The response packet reaches Host_1.
Layer 2 Communication Between Hosts in Sub-VLANs and Other Devices

The networking in Figure 5-5 is used as example to describe Layer 2 communication between
hosts in sub-VLANs and other devices. Sub-VLAN 2, sub-VLAN 3, and super-VLAN 4 are
configured on Switch_1; IF_1 and IF_2 on Switch_1 are access interfaces; IF_3 is a trunk
interface that allows VLAN 2 and VLAN 3; the interface of Switch_2 connected to Switch_1
is a trunk interface and allows VLAN 2 and VLAN 3.
Figure 5-5 Layer 2 communication between hosts in sub-VLANs and on an external network
Internet
Switch_2
Trunk IF_1
Allowed VLAN=2,3 IF_3
Super-VLAN 4
Switch_1 VLANIF 4
10.1.1.1/24
IF_1 IF_2
Host_1 Host_2
Sub-VLAN 2 Sub-VLAN 3
10.1.1.2/24 10.1.1.12/24

The tag with VLAN 2 is added to packets sent from Host_1 to Switch_1. Although sub-
VLAN 2 belongs to super-VLAN 4, Switch_1 does not change the tag with VLAN 2 to the
tag with VLAN 4 in packets. That is, packets sent from IF_3 of Switch_1 still carry VLAN 2.
Switch_1 itself does not send packets from VLAN 4. When another device sends packets
from VLAN 4 to Switch_1, Switch_1 discards the packets because there is no physical
interface corresponding to super-VLAN 4 on Switch_1. Actually, IF_3 on Switch_1 does not
allow packets from super-VLAN 4. For other devices, only sub-VLAN 2 and sub-VLAN 3
are valid, and all packets are exchanged in the VLANs.
The communication between Switch_1 configured with VLAN aggregation and other devices
is similar to normal Layer 2 communication without using the super-VLAN, and is not
described here.

As shown in Figure 5-6, a company has many departments. To improve service security, the
company adds different departments to different VLANs. All departments want to access the
Internet; department 1 and department 2 need to communicate with each other; department 3
and department 4 need to communicate with each other; IP addresses of the company are
limited.
Internet
Switch
Proxy ARP
L2 switch L2 switch L2 switch L2 switch
Super-VLAN 2 Super-VLAN 3
Sub-VLAN 21 Sub-VLAN 22 Sub-VLAN 31 Sub-VLAN 32
VLAN aggregation can be deployed to meet the preceding requirements. Deploy super-
VLAN 2 and super-VLAN 3 on the switch, and add sub-VLAN 21 and sub-VLAN 22 to
super-VLAN 2 and sub-VLAN 31 and sub-VLAN 32 to super-VLAN 3. After IP addresses
are assigned to super-VLAN 2 and super-VLAN 3 on the switch, users in department 1 and
department 2 can access the Internet using the IP address of super-VLAN 2, and users in
department 3 and department 4 can access the Internet using the IP address of super-VLAN 3.

VLAN aggregation implements Internet access for each department and conserves IP
addresses.
Configure proxy ARP in super-VLAN 2 and super-VLAN 3 on the switch to implement
communication between department 1 and department 2, and between department 3 and
department 4.

License Support
VLAN aggregation, also called super-VLAN, is a basic feature of a switch and is not under
license control.
Version Support
Table 5-1 Products and versions supporting VLAN aggregation

Model
S7700 S7703, V100R003C01, V100R006C00, V200R001(C00&C01),

S7706, V200R002C00, V200R003C00, V200R005C00,
S7712 V200R006C00, V200R007C00, V200R008C00,
V200R009C00, V200R010C00
S9700 S9703, V200R001(C00&C01), V200R002C00, V200R003C00,

S9706, V200R005C00, V200R006C00, V200R007C00,
S9712 V200R008C00, V200R009C00, V200R010C00
NOTE

l The super-VLAN cannot be used with Layer 3 multicast or DHCP relay.
l VLAN 1 cannot be configured as a super-VLAN.
l A physical interface cannot be added to a VLAN configured as a super-VLAN.
l A traffic policy takes effect in a super-VLAN only after the traffic policy is configured in
all sub-VLANs of the super-VLAN.
l When the dot1q termination vid or qinq termination pe-vid ce-vid command is used
to configure a VLAN for the VLAN termination sub-interface, the VLAN cannot be
configured as the super-VLA or sub-VLAN.
l An IP address must have been assigned to the VLANIF interface corresponding to the
super-VLAN. Otherwise, proxy ARP cannot take effect.

Table 5-2 Default configuration of VLAN aggregation

Super-VLAN Not configured
Proxy ARP on a VLANIF interface Disabled

corresponding to a super-VLAN
5.6 Configuring VLAN Aggregation

VLAN aggregation prevents users on the same network segment in different VLANs from
communicating and allows them to access public network resources, saving IP addresses.
5.6.1 Creating a Sub-VLAN
Context
In VLAN aggregation, physical interfaces can be added to a sub-VLAN but no VLANIF
interface can be created for the sub-VLAN. All the interfaces in a sub-VLAN use the same IP
address of the VLANIF interface corresponding to a super-VLAN. VLAN aggregation
reduces subnet IDs, subnet default gateway addresses, and directed broadcast IP addresses,
allows the switch to assign IP addresses to hosts in sub-VLANs according to the actual
number of hosts, ensures that each sub-VLAN is used as independent broadcast domain to
implement isolation, saves IP addresses, and implements flexible addressing.
Procedure
Step 1 Run:
system-view

Step 2 Run:
vlan vlan-id
A sub-VLAN is created and its view is displayed.
NOTE
Step 3 Run:


Step 4 Configure the link type of the interface.
Run either of the following commands as needed:
l Set the link type of the interface to Access.
a. Run:
The link type of the interface is set to Access.

b. Run:
port default vlan vlan-id1
The interface is added to the sub-VLAN.

l Set the link type of the interface to Trunk.
a. Run:
The link type of the interface is set to Trunk.

b. Run:
port trunk allow-pass vlan vlan-id1

l Set the link type of the interface to Hybrid.
a. Run:
The link type of the interface is set to Hybrid.

b. Run:
port hybrid tagged vlan vlan-id1 or port hybrid untagged vlan vlan-id1

Step 5 Run:
quit
----End
5.6.2 Creating a Super-VLAN
Context
A super-VLAN consists of several sub-VLANs. No physical interface can be added to a
super-VLAN, but a VLANIF interface can be configured for the super-VLAN and an IP
address can be assigned to the VLANIF interface.
Procedure
Step 1 Run:
system-view

Step 2 Run:
vlan vlan-id
A VLAN is created and the VLAN view is displayed.
The VLAN ID of a super-VLAN must be different from each sub-VLAN ID.
Step 3 Run:
aggregate-vlan
A super-VLAN is created.
A super-VLAN cannot contain any physical interfaces.
VLAN 1 cannot be configured as a super-VLAN.
Step 4 Run:
access-vlan { vlan-id1 [ to vlan-id2 ] } &<1-10>
A sub-VLAN is added to a super-VLAN.
Before adding sub-VLANs to a super-VLAN, ensure that these sub-VLANs are not
configured with VLANIF interfaces.
If too many sub-VLANs are added to the super-VLAN, the ARP broadcast storm degrades the
system performance and affects the ARP learning. The number of sub-VLANs that are added
to a super-VLAN cannot exceed 50.
The super-VLAN cannot be used with Layer 3 multicast.
----End
5.6.3 Configuring a VLANIF Interface Corresponding to a Super-

VLAN
Context
The IP address of the VLANIF interface corresponding to a super-VLAN must contain the
subnets that users in sub-VLANs belong to. All the sub-VLANs use the IP address of the
VLANIF interface corresponding to the super-VLAN, thereby saving IP addresses.
Procedure
Step 1 Run:
system-view
Step 2 Run:
A VLANIF interface is created for a super-VLAN, and the view of the VLANIF interface is
displayed.
Step 3 Run:
ip address ip-address { mask | mask-length }

An IP address is assigned to the VLANIF interface.
----End
5.6.4 (Optional) Enabling Proxy ARP on the VLANIF Interface

Corresponding to a Super-VLAN
Context
VLAN aggregation allows sub-VLANs to use the same subnet address, but prevents PCs in
different sub-VLANs from communicating with each other at the network layer.
PCs in common VLANs can communicate with each other at the network layer using
different gateway addresses. VLAN aggregation enables PCs in a super-VLAN to use the
same subnet address and gateway address. Because PCs in different sub-VLANs belong to
one subnet, they communicate with each other only at Layer 2 but not Layer 3. These PCs are
isolated from each other at Layer 2. Consequently, PCs in different sub-VLANs cannot
Proxy ARP is required to enable PCs in a sub-VLAN to communicate with PCs in another
sub-VLAN or PCs on other networks. After a super-VLAN and its VLANIF interface are
created, proxy ARP must be enabled to allow the super-VLAN to forward or process ARP
Request and Reply packets. Proxy ARP allows PCs in sub-VLANs to communicate with each
other at the network layer.
NOTE
After proxy ARP is enabled on the VLANIF interface corresponding to a super-VLAN, hosts in all sub-
VLANs of the super-VLAN can communicate. If hosts in some sub-VLANs of the super-VLAN need to
communicate, see 5.8.1 How Do I Implement Communication Between Some Sub-VLANs in a
Super-VLAN.
VLAN aggregation simplifies configurations for the network where many VLANs are
configured and PCs in different VLANs need to communicate with each other.
Procedure
Step 1 Run:
system-view
Step 2 Run:
The view of the VLANIF interface corresponding to the super-VLAN is displayed.
Step 3 Run:
arp-proxy inter-sub-vlan-proxy enable
Proxy ARP is enabled between sub-VLANs.
----End

5.6.5 Checking the Configuration

Procedure
l Run the display vlan [ { vlan-id | vlan-name vlan-name } [ verbose ] ] command to
check information about all VLANs or a specified VLAN.
l Run the display interface vlanif [ vlan-id ] command to check the VLANIF interface
configuration.
l Run the display sub-vlan [ vlan-id ] command to check the sub-VLAN configuration.
l Run the display super-vlan [ vlan-id ] command to check the super-VLAN
configuration.
----End
5.7.1 Example for Configuring VLAN Aggregation

As shown in Figure 5-7, a company has many departments on the same network segment. To
improve service security, the company adds different departments to different VLANs. VLAN
2 and VLAN 3 belong to different departments. Each department wants to access the Internet,
and PCs in different departments need to communicate to meet service requirements.
Internet
Router
GE1/0/1
VLAN 10
SwitchB Super-VLAN 4
GE1/0/5
GE1/0/5
SwitchA
GE1/0/1 GE1/0/4
GE1/0/2 GE1/0/3
VLAN 2 VLAN 3

Configure VLAN aggregation on SwitchB to add VLANs of different departments to a super-
VLAN so that PCs in different departments can access the Internet using the super-VLAN.
Deploy proxy ARP in the super-VLAN so that PCs in different departments can
communicate. The configuration roadmap is as follows:
1. Configure VLANs and interfaces on SwitchA and SwitchB, add PCs of different
departments to different VLANs, and configure interfaces to transparently transmit
packets from VLANs to SwitchB.
2. Configure a super-VLAN, a VLANIF interface, and a static route on SwitchB so that
PCs in different departments can access the Internet.
3. Configure proxy ARP in the super-VLAN on SwitchB so that PCs in different
departments can communicate at Layer 3.
Procedure
Step 1 Configure VLANs and interfaces on SwitchA and SwitchB, add PCs of different departments
to different VLANs, and configure interfaces to transparently transmit packets from VLANs
to SwitchB.
1. Configure SwitchA.
# Configure GE1/0/1 as an access interface. The configurations of GE1/0/2, GE1/0/3,
and GE1/0/4 are similar to the configuration of GE1/0/1, and are not mentioned here.
# Create VLAN 2 and add GE1/0/1 and GE1/0/2 to VLAN 2.

[SwitchA] vlan 2
[SwitchA-vlan2] port gigabitethernet 1/0/1 1/0/2
[SwitchA-vlan2] quit
# Create VLAN 3 and add GE1/0/3 and GE1/0/4 to VLAN 3.

[SwitchA] vlan 3
[SwitchA-vlan3] port gigabitethernet 1/0/3 1/0/4
# Configure the interface of SwitchA connected to SwitchB to transparently transmit

packets from VLAN 2 and VLAN 3 to SwitchB.
2. Configure SwitchB.
# Create VLAN 2, VLAN 3, VLAN 4, and VLAN 10 and configure the interface of
SwitchB connected to SwitchA to transparently transmit packets from VLAN 2 and
VLAN 3 to SwitchB.
[SwitchB] vlan batch 2 3 4 10
[SwitchB] interface gigabitethernet 1/0/5
[SwitchB-GigabitEthernet1/0/5] port link-type trunk
[SwitchB-GigabitEthernet1/0/5] port trunk allow-pass vlan 2 3
[SwitchB-GigabitEthernet1/0/5] quit

Step 2 Configure a super-VLAN and a VLANIF interface corresponding to the super-VLAN.

# Configure super-VLAN 4 on SwitchB and add VLAN 2 and VLAN 3 to super-VLAN 4 as
sub-VLANs.
[SwitchB] vlan 4
[SwitchB-vlan4] aggregate-vlan
[SwitchB-vlan4] access-vlan 2 to 3
[SwitchB-vlan4] quit
# Create and configure VLANIF 4 so that PCs in different departments can access the Internet
using super-VLAN 4.
[SwitchB] interface vlanif 4
[SwitchB-Vlanif4] ip address 10.1.1.1 255.255.255.0
[SwitchB-Vlanif4] quit
Step 3 Configure a static route.

# Configure the uplink interface GE1/0/1 on SwitchB to transparently transmit packets from
the VLAN that SwitchB and router belong to.
[SwitchB-GigabitEthernet1/0/1] port trunk allow-pass vlan 10
# Create and configure VLANIF 10 and specify the IP address of VLANIF 10 as the IP
address for connecting SwitchB and the router (egress gateway).
[SwitchB-Vlanif10] ip address 10.10.1.1 255.255.255.0
# Configure a static route to the router on SwitchB so that PCs can access the Internet.
[SwitchB] ip route-static 0.0.0.0 0.0.0.0 10.10.1.2
NOTE
Configure the router interface connected to SwitchB and assign the IP address of 10.10.1.2 to the router
interface. See the router configuration manual.
Step 4 Assign IP addresses to PCs.

Configure an IP address for each PC and make the PCs reside on the same network segment
as VLAN 4.
After the configuration is complete, PCs in each department can access the Internet, and PCs
in VLAN 2 and VLAN 3 cannot ping each other.
Step 5 Configure proxy ARP.
# Configure proxy ARP in super-VLAN 4 on SwitchB so that PCs in different departments
can communicate at Layer 3.
[SwitchB-Vlanif4] arp-proxy inter-sub-vlan-proxy enable

After the configuration is complete, PCs in VLAN 2 and VLAN 3 can ping each other and
access the Internet.
----End

Configuration Files
#
sysname SwitchA
#
vlan batch 2 to 3
#
port default vlan 2
#
port default vlan 2
#
port default vlan 3
#
port default vlan 3
#
#
return

#
sysname SwitchB
#
vlan batch 2 to 4 10
#
vlan 4
aggregate-vlan
access-vlan 2 to 3
#
interface Vlanif4
ip address 10.1.1.1 255.255.255.0
arp-proxy inter-sub-vlan-proxy enable
#
interface Vlanif10
ip address 10.10.1.1 255.255.255.0
#
#
#
ip route-static 0.0.0.0 0.0.0.0 10.10.1.2
#
return
5.8 FAQ
5.8.1 How Do I Implement Communication Between Some Sub-
VLANs in a Super-VLAN

When VLAN aggregation is configured, hosts in a super-VLAN use IP addresses on the same
network segment and share the same gateway address. Hosts in different sub-VLANs belong
to the same subnet, so the switch forwards packets between the hosts by searching for ARP
entries but not through the gateway. Proxy ARP allows the switch to establish ARP entries for
all sub-VLANs for interworking.
To implement interworking between some sub-VLANs, configure static ARP entries to bind
destination MAC addresses to the gateway IP address on hosts in the sub-VLANs.
For example, when host A with the gateway IP address of 192.168.1.1/24 wants to access host
B with the MAC address of 00-aa-00-62-c6-09, perform the following operations:
1. Choose Start > Run, enter cmd, and press Enter.
2. Enter arp -s 192.168.1.1 00-aa-00-62-c6-09.
After the preceding configuration is complete, host A can access host B. If host B needs to
access host A, configure a static ARP entry to bind host A's MAC address to the gateway IP
address on host B.
5.8.2 Can a Traffic Policy Be Configured in a Super-VLAN or Sub-

VLAN to Make the Traffic Policy Take Effect
The packets received and sent by the switch configured with VLAN aggregation carry sub-
VLAN tags but not super-VLAN tags, so a traffic policy must be configured in all sub-
VLANs of a super-VLAN. A traffic policy in the super-VLAN does not take effect.

Configuration Guide - Ethernet Switching 6 VLAN Switch Configuration
6 VLAN Switch Configuration
About This Chapter
The VLAN Switch function allows communication between user hosts in different VLANs
and between user hosts in the same VLAN that reside in different network segments. With the
VLAN Switch function, a device only searches a VLAN Switch table, but does not need to
search its MAC address table when forwarding data. Therefore, this function improves device
forwarding efficiency and security, and prevents MAC address attacks as well as broadcast
storms.
6.1 Introduction to VLAN Switch

6.5 Configuring VLAN Switch
6.6 Maintaining VLAN Switch

6.1 Introduction to VLAN Switch

VLAN Switch is a forwarding method that forwards data according to the information in
VLAN tags of received frames. This method requires a pre-configured static forwarding path
along switching nodes on the network. When receiving VLAN-tagged frames matching
VLAN Switch entries, a switching node forwards the frames to the interfaces manually
specified in the VLAN Switch table. VLAN Switch improves device forwarding efficiency
and security, and prevents MAC address attacks as well as broadcast storms.
VLAN Switch includes two sub-functions: switch-vlan and stack-vlan.
l Stack-vlan: adds an outer VLAN tag to packets.
l Switch-vlan: changes outer VLAN tags when forwarding packets between different
interfaces.
Stack-vlan
Similar to the VLAN stacking function, the stack-vlan function is a Layer 2 feature that adds
an outer VLAN tag to each frame, and decides which outer VLAN tags to be added to frames
depending on information in the original VLAN tags carried in the frames. Table 6-1 lists the
comparison between VLAN stacking and stack-vlan. For details about VLAN stacking, see
10.2.3 Selective QinQ.

Table 6-1 Comparison between stack-vlan and VLAN stacking

Functio Similarities Differences Advantages and
n Disadvantages
Stack- l A receiving VLAN Switch l Advantage:

vlan interface adds a requires a pre- Switching nodes forward
new VLAN tag configured static frames without searching
outside the forwarding path for the MAC address
original VLAN along switching table, which improves
tag of a received nodes on the forwarding efficiency and
frame. network. When network security, and
l An interface receiving VLAN- prevents MAC address
processes frames tagged frames attacks as well as
as follows: matching VLAN broadcast storms.
Switch entries, a
– Adds different switching node l Disadvantage:
VLAN tags to forwards the frames If a large number of user
the frames sent to the interfaces devices connect to a
from different manually specified in switching node, the
VLANs. the VLAN Switch network administrator
– Adds VLAN table. needs to configure a
tags when The VLANs used in VLAN Switch entry for
receiving VLAN Switch cannot each user device on the
frames; be created in the switching node to
removes the system view. establish a static
outer-most forwarding path. This
VLAN tags increases the network
when sending administrator's workload
frames out of and complicates network
the interface. management.
VLAN Frames are forwarded l Advantage:

stacking after looking up the The administrator does not
entries in the MAC need to specify a static
address table. forwarding path, thereby
simplifying user access.
Frames are forwarded
according to the
information in the MAC
address table.
l Disadvantage:
Device forwarding
efficiency is low, and the
network is prone to
broadcast storms and
MAC address attacks.

Switch-vlan
Similar to the VLAN mapping function, the switch-vlan function implements inter-VLAN
communication. Table 6-2 lists the comparison between VLAN mapping and switch-vlan. For
details about VLAN mapping, see 11.2 Principles.
Table 6-2 Comparison between switch-vlan and VLAN mapping

n Disadvantages
Switch- l After receiving a VLAN Switch l Advantage:

vlan VLAN-tagged requires a pre- Switching nodes forward
frame, an configured static frames without searching
interface replaces forwarding path for the MAC address
the outer VLAN along switching table, which improves
tag of the frame. nodes on the forwarding efficiency and
l Before sending a network. When network security, and
frame to another receiving VLAN- prevents MAC address
VLAN, an tagged frames attacks as well as
interface matching VLAN broadcast storms.
configured with Switch entries, a
switching node l Disadvantage:
VLAN mapping
or switch-vlan forwards the frames If a large number of user
replaces the to the interfaces devices connect to a
VLAN tag of the manually specified in switching node, the
frame with the the VLAN Switch network administrator
destination table. needs to configure a
VLAN tag. The VLANs used in VLAN Switch entry for
VLAN Switch cannot each user device on the
l After receiving a
be created in the switching node to
frame from
system view. establish a static
another VLAN,
forwarding path. This
an interface
increases the network
replaces the
administrator's workload
VLAN tag of the
and complicates network
frame with the
management.
local VLAN tag.


n Disadvantages
VLAN A switch configured l Advantage:

mapping with VLAN mapping The administrator does not
forwards frames need to specify a static
according to the forwarding path, thereby
MAC address table. simplifying user access.
VLAN mapping Frames are forwarded
requires that IP according to the
addresses of devices information in the MAC
in both VLANs be on address table.
the same network l Disadvantage:
segment.
Device forwarding
efficiency is low, and the
network is prone to
broadcast storms and
MAC address attacks.

In the networking example shown in Figure 6-1, PC1 in VLAN 2 and PC2 in VLAN 3 need
to communicate with each other.
Figure 6-1 Using VLAN Switch to implement inter-VLAN communication

2 3
Port2 Port3
SwitchA
VLAN 2 VLAN 3
PC1 PC2
Switch-vlan can be configured on SwitchA to implement inter-VLAN communication. After

switch-vlan is configured, user packets are forwarded along the specified path. SwitchA is
configured to change VLAN 2 in packets received by Port2 to VLAN 3 and send them

through Port3, and to change VLAN 3 in packets received by Port3 to VLAN 2 and send them
through Port2. In this manner, switch-vlan implements communication between VLAN 2 and
VLAN 3.
NOTE
If SwitchA is a Layer 3 switch, you can also use a VLANIF interface to implement inter-VLAN
communication. If SwitchA is a Layer 2 switch, you can only use switch-vlan to implement inter-VLAN
communication.

License Support
The VLAN switch function is a basic feature of a switch and is not under license control.
Version Support
Table 6-3 Products and versions supporting the VLAN switch function
Model
S7700 S7703, V100R003C01, V100R006C00, V200R001(C00&C01),

S7706, V200R002C00, V200R003C00, V200R005C00,
S7712 V200R006C00, V200R007C00, V200R008C00,
V200R009C00, V200R010C00
S9700 S9703, V200R001(C00&C01), V200R002C00, V200R003C00,

S9706, V200R005C00, V200R006C00, V200R007C00,
S9712 V200R008C00, V200R009C00, V200R010C00
NOTE

l The source and destination interfaces specified in the vlan-switch command must be
hybrid or trunk interfaces, and cannot be access interfaces or Eth-Trunk member
interfaces.
l The VLANs used in the VLAN switch function cannot be created in the system view.
l When double-tagged VLAN switching is configured, both inbound and outbound
interfaces must be located on the X series cards or non X series cards.
l The switch still forwards the packets matching VLAN Switch entries when VLAN
Switch is configured on the interface of a card (Exclude the X series cards) and packets
are discarded, including but not limited to the following situations:

– The STP status of the interface is Blocking.

– The action is set to discard when the interface does not learn MAC address entries.
– The MAC address of packets is all 0s.
– The packets contain the blackhole MAC address.
To prevent the preceding problem, configure a traffic policy containing redirection to
replace VLAN Switch.
l The VLANs used in QinQ cannot be used by the VLAN switch function.
l When an outer VLAN tag in double-tagged frames is used for VLAN stacking, VLAN
mapping, or control VLAN, the VLAN tag cannot be used by the VLAN switch
function.
l On a ring network, packets matching VLAN switch entries can pass through the
interfaces blocked by loop prevention protocols. Consequently, broadcast storms may
occur. Therefore, the VLAN switch function is not recommended for a ring network.
l SA boards of S series do not support stack-vlan.
Table 6-4 Default configuration of VLAN Switch

VLAN Switch Not configured
6.5 Configuring VLAN Switch

The sub-functions switch-vlan and stack-vlan of VLAN Switch can be configured in any
sequence.
6.5.1 Configuring Switch-vlan

Context
Similar to the VLAN mapping function, the switch-vlan function replaces outer VLAN tags
of frames to implement inter-VLAN communication.
Procedure
Step 1 Run:
system-view

Step 2 Run:
vlan-switch vlan-switch-name interface interface-type1 interface-number1 vlan
vlan-id1 [ inner-vlan vlan-id2 [ to vlan-id3 ] ] interface interface-type2
interface-number2 [ switch-vlan vlan-id4 ]
Switch-vlan is configured to replace outer VLAN tags.
NOTE
l VLAN Switch has the following requirements on interfaces:

The source and destination interfaces specified in the VLAN Switch configuration command must
be hybrid or trunk interfaces, and cannot be access or Eth-Trunk member interfaces.
l VLAN Switch has the following requirements on VLANs:
– The VLANs used in VLAN Switch cannot be created in the system view.
– The VLANs used in QinQ cannot be used by VLAN Switch.
– When an outer VLAN tag in double-tagged frames is used for VLAN stacking, VLAN
mapping, or control VLAN, the VLAN tag cannot be used by VLAN Switch.
l SA boards of S series cannot specify double tags before VLAN Switch.
l When double-tagged VLAN switching is configured, both inbound and outbound interfaces must be
located on the same X1E or non-X1E card.
l On a ring network, packets matching VLAN Switch entries can pass through the interfaces blocked
by loop prevention protocols. Consequently, broadcast storms may occur. Therefore, VLAN Switch
is not recommended for a ring network running a loop prevention protocol.
----End
6.5.2 Configuring Stack-vlan
Context
Similar to the VLAN stacking function, the stack-vlan function adds outer VLAN tags to
frames to implement communication within a VLAN across different ISP networks.
Procedure
Step 1 Run:
system-view
Step 2 Run:
vlan-switch vlan-switch-name interface interface-type interface-number vlan vlan-
id1 [ to vlan-id2 ] interface interface-type interface-number [ stack-vlan vlan-
id3 ]
Stack-vlan is configured to add outer VLAN tags.

NOTE
l VLAN Switch has the following requirements on interfaces:

The source and destination interfaces specified in the VLAN Switch configuration command must
be hybrid or trunk interfaces, and cannot be access or Eth-Trunk member interfaces.
l VLAN Switch has the following requirements on VLANs:
– The VLANs used in VLAN Switch cannot be created in the system view.
– The VLANs used in QinQ cannot be used by VLAN Switch.
– When an outer VLAN tag in double-tagged frames is used for VLAN stacking, VLAN
mapping, or control VLAN, the VLAN tag cannot be used by VLAN Switch.
l SA boards of S series do not support stack-vlan.
l On a ring network, packets matching VLAN Switch entries can pass through the interfaces blocked
by loop prevention protocols. Consequently, broadcast storms may occur. Therefore, VLAN Switch
is not recommended for a ring network running a loop prevention protocol.
----End
Procedure
l Run the display vlan-switch [ vlan-switch-name | interface interface-type interface-
number ] command to check the VLAN Switch configuration, including the VLAN
Switch entry name, source interface, source VLAN, destination interface, destination
VLAN, operation type, and VLAN Switch status.
----End
6.6 Maintaining VLAN Switch
Context
If VLAN resources are insufficient when you configure VLAN Switch, run the display vlan-
translation resource command to view the total number of VLAN resources in the inbound
or outbound direction, and numbers of used and available VLAN resources. Refer to the
command output to determine the location of faults or congestion.
Procedure
l Run the display vlan-translation resource [ slot slot-number ] command to check
VLAN resources on a card.
----End

6.7.1 Example for Implementing Inter-VLAN Communication

Using VLAN Switch
In the networking example shown in Figure 6-2, GE1/0/1 and GE1/0/2 of the Switch are
connected to the uplink interfaces of Switch A and SwitchB, respectively.
The downlink interfaces of SwitchA and SwitchB are added to VLAN 10 and VLAN 20
respectively.
PCs in VLAN 10 and VLAN 20 need to communicate with each other.
Figure 6-2 communication between VLANs using VLAN Switch

Switch
GE1/0/1 GE1/0/2
VLAN 10 GE1/0/1 GE1/0/1 VLAN 20

SwitchA SwitchB
GE1/0/2 GE1/0/3 GE1/0/2 GE1/0/3
PC1 PC2 PC3 PC4
1. Add the uplink and downlink interfaces of SwitchA and SwitchB to the VLANs.
2. Configure the VLAN Switch function on the Switch.
NOTE
Ensure that VLAN 10 and VLAN 20 have not been created on the Switch , and GE1/0/1 and GE1/0/2
have not been added to VLAN 10 and VLAN 20 respectively. Otherwise, the VLAN Switch function
cannot be configured.
Procedure
Step 1 Create VLAN 10 on SwitchA, add GE1/0/1 to VLAN 10 in tagged mode, and add GE1/0/2
and GE1/0/3 to VLAN 10 in access mode. Configuration of SwitchB is the same as that of
SwitchA.
[SwitchA] vlan 10
[SwitchA-GigabitEthernet1/0/1] port link-type hybrid
[SwitchA-GigabitEthernet1/0/1] port hybrid tagged vlan 10



# Configure the VLAN Switch function.
[Switch] vlan-switch name1 interface gigabitethernet 1/0/1 vlan 10 interface
gigabitethernet 1/0/2 switch-vlan 20

When the configuration is complete, PCs in VLAN 10 and VLAN 20 can communicate with
each other.
----End
Configuration Files
#
sysname SwitchA
#
vlan batch 10
#
#
#
#
return

#
sysname SwitchB
#
vlan batch 20
#
#

#
#
return

#
sysname Switch
#
vlan-switch name1 interface GigabitEthernet1/0/1 vlan 10 interface
GigabitEthernet1/0/2 switch-vlan 20
#
#
#
return

Configuration Guide - Ethernet Switching 7 MUX VLAN Configuration
7 MUX VLAN Configuration
About This Chapter
This chapter describes how to configure the Multiplex VLAN (MUX VLAN). The MUX
VLAN allows communication between some users, and prohibits communication between
other users.
7.1 Introduction to MUX VLAN
7.4 Configuring the MUX VLAN
The MUX VLAN can implement inter-VLAN communication and intra-VLAN isolation.

7.1 Introduction to MUX VLAN

Background
The Multiple VXLAN (MUX VLAN) function is used to control network resources based on
VLANs.
For example, both enterprise employees and customers can access the servers on an enterprise
network. The enterprise allows employees to communicate with each other but prevents
customers from communicating with each other.
To allow all users to access the enterprise servers, inter-VLAN communication must be
configured. If there are a large number of users in an enterprise, VLANs need to be assigned
to the users that the enterprise wishes to restrict communication. This wastes VLAN IDs and
adds significant workload to network configuration and maintenance.
MUX VLAN meets the isolation requirements.
Basic Concepts
A MUX VLAN consists of principal VLANs and subordinate VLANs; subordinate VLANs
are classified into separate VLANs and group VLANs. See Table 7-1 for a description of
these roles.
Table 7-1 Roles in MUX VLAN
MUX VLAN VLAN Type Associated Access Authority

Interface
Principal - Principal A principal interface can

VLAN interface communicate with all interfaces in a
MUX VLAN.
Subordinate Separate Separate A separate interface can

VLAN VLAN interface communicate only with a principal
interface and is isolated from other
types of interfaces.
Each separate VLAN must be
bound to a principal VLAN.
Group VLAN Group A group interface can communicate

interface with a principal interface and the
other interfaces in the same group,
but cannot communicate with
interfaces in other groups or a
separate interface.
Each group VLAN must be bound
to a principal VLAN.

Communication in the MUX VLAN

As shown in Figure 7-1, the principal port connects to the enterprise server; the separate port
connects to enterprise customers; the group port connects to enterprise employees.
Accordingly, both enterprise customers and employees can access the enterprise server,
enterprise employees can communicate with each other, enterprise customers cannot
communicate with each other, and enterprise customers and employees cannot communicate
with each other.
Figure 7-1 MUX VLAN at the access layer

Switch
Principal interface
Group interface Separate interface

Enterprise
server
Enterprise Enterprise
employee customer
On an aggregation device, you can create a VLANIF interface for the principal VLAN. The IP
address of the VLANIF interface can be used as the gateway address for servers or user hosts.
As shown in Figure 7-2, MUX VLAN is configured on the aggregation device Switch1 to
implement user isolation or interworking.

Figure 7-2 MUX VLAN at the aggregation layer
Internet
Switch2
Switch1 Server
VLAN2
(Principal VLAN)
Switch3 Switch4 Switch5 Switch6
HostB HostC HostD HostE

VLAN3(Group VLAN) VLAN4(Separate VLAN)

License Support
The MUX VLAN is a basic feature of a switch and is not under license control.
Version Support
Table 7-2 Products and versions supporting MUX VLAN
Product Product Software version

Model
S7700 S7703, V100R003C01, V100R006C00, V200R001(C00&C01),

S7706, V200R002C00, V200R003C00, V200R005C00,
S7712 V200R006C00, V200R007C00, V200R008C00,
V200R009C00, V200R010C00


Model
S9700 S9703, V200R001(C00&C01), V200R002C00, V200R003C00,

S9706, V200R005C00, V200R006C00, V200R007C00,
S9712 V200R008C00, V200R009C00, V200R010C00
NOTE

l Table 7-3 describes the specifications of the MUX VLAN.
Table 7-3 Specifications of the MUX VLAN
Item Specification
Maximum number of principal VLANs 128

on the entire device
Maximum number of separate VLANs in 1

each principal VLAN
Maximum number of group VLANs in 128

each principal VLAN NOTE
Each principal VLAN supports a total of 128
separate and group VLANs. That is, if one
separate VLAN is configured, a maximum of
127 group VLANs can be configured.
l The VLAN ID assigned to a principal VLAN cannot be used to configure VLAN

mapping, VLAN stacking, super-VLAN, or sub-VLAN.
l The VLAN ID assigned to a group or separate VLAN cannot be used to configure a
VLANIF interface, VLAN mapping, VLAN stacking, super-VLAN, or sub-VLAN.
l Disabling MAC address learning or limiting the number of learned MAC addresses on
an interface will compromise the performance of the MUX VLAN function.
l When VLAN mapping, VLAN stacking, port security, MAC address authentication, or
802.1x authentication is configured on an interface, the MUX VLAN cannot be
configured on the interface.
l When both DHCP snooping and MUX VLAN are configured, if DHCP snooping is
configured in the subordinate VLAN and DHCP clients are configured in the principal
VLAN, the DHCP clients may fail to obtain IP addresses. In this case, configure the
DHCP server in the principal VLAN.
l You can create a VLANIF interface for a principal VLAN, but cannot create a VLANIF
interface for a subordinate group VLAN or separate VLAN . If a VLANIF interface is
created for a principal VLAN, you cannot run the port mux-vlan enable vlan vlan-id
command on an interface of the SA boards of S series to enable the MUX VLAN
function including the principle and subordinate VLANs.

l When the interface is enabled with MUX VLAN and configured with the PVID using the
port trunk pvid vlan command, do not configure the PVID as the ID of the principal
VLAN or subordinate VLAN of the MUX VLAN. For example, VLAN 10 is the
principal VLAN, VLAN 11 is a subordinate group VLAN, and VLAN 12 is a
subordinate separate VLAN. After the port mux vlan enable 10 command is used on
the interface to enable MUX VLAN, do not run the port trunk pvid vlan command to
set the PVID to VLAN 11 or VLAN 12.
Table 7-4 Default configuration of the MUX VLAN

MUX VLAN on an interface Disabled
7.4 Configuring the MUX VLAN

The MUX VLAN can implement inter-VLAN communication and intra-VLAN isolation.
7.4.1 Configuring a Principal VLAN for MUX VLAN
Context
Interfaces in a principal VLAN can communicate with other interfaces in the same MUX
VLAN.
Procedure
Step 1 Run:
system-view

Step 2 Run:
vlan vlan-id
A VLAN is created and the VLAN view is displayed. If the VLAN already exists, the VLAN
view is displayed.
The VLAN ID ranges from 1 to 4094. To create VLANs in a batch, run the vlan batch { vlan-
id1 [ to vlan-id2 ] } &<1-10> command. Then run the vlan vlan-id command to enter the
view of a specified VLAN.
NOTE
If a device is configured with multiple VLANs, configure names for the VLANs to facilitate VLAN
management.

Step 3 Run:
mux-vlan
The VLAN is configured as a principal VLAN.
The VLAN ID assigned to a principal VLAN cannot be used to configure VLAN mapping,
VLAN stacking, super-VLAN, or sub-VLAN.
----End
7.4.2 Configuring a Group VLAN for a Subordinate VLAN
Context
A VLAN associated with a group interface is called a group VLAN. Group interfaces in a
group VLAN can communicate with each other.
Procedure
Step 1 Run:
system-view
Step 2 Run:
vlan vlan-id
The view of a created principal VLAN is displayed.
Step 3 Run:
subordinate group { vlan-id1 [ to vlan-id2 ] } &<1-10>
A group VLAN is configured for the subordinate VLAN.
A maximum of 128 group VLANs can be configured for a principal VLAN.
The VLAN ID assigned to a group VLAN cannot be used to configure VLANIF interface, ,
VLAN mapping, VLAN stacking, super-VLAN, or sub-VLAN.
----End
7.4.3 Configuring a Separate VLAN for a Subordinate VLAN
Context
A VLAN associated with separate interfaces is called a separate VLAN. Interfaces in a
separate VLAN cannot communicate with each other.
Procedure
Step 1 Run:
system-view

Step 2 Run:
vlan vlan-id
The view of a created principal VLAN is displayed.

Step 3 Run:
subordinate separate vlan-id
A separate VLAN is configured for a subordinate VLAN.

Only one separate VLAN can be configured for a principal VLAN.
Group and separate VLANs in one MUX VLAN must use different VLAN IDs.
The VLAN ID assigned to a separate VLAN cannot be used to configure VLANIF interface,
VLAN mapping, VLAN stacking, super-VLAN, or sub-VLAN.
----End
7.4.4 Enabling the MUX VLAN Function on an Interface
Context
After the MUX VLAN function is enabled on an interface, the principal VLAN and
subordinate VLAN can communicate with each other; interfaces in a group VLAN can
communicate with each other; interfaces in a separate VLAN cannot communicate with each
other.
Before enable MUX VLAN function, complete the following task:
l The port has been added to a principal or subordinate VLAN as an access, hybrid, or
trunk interface.
l The port can allows multiple common VLANs, but can join only one MUX VLAN.
Procedure
Step 1 Run:
system-view

Step 2 Run:

Step 3 Run:
port link-type { hybrid | access | trunk }
The link type of the interface is set.

Step 4 Run:
port mux-vlan enable vlan vlan-id
The MUX VLAN function is enabled.

After the MUX VLAN function is enabled on an interface, VLAN mapping or VLAN
stacking cannot be configured on the interface.
You can create a VLANIF interface for a principal VLAN, but cannot create a VLANIF
interface for a subordinate group VLAN or separate VLAN.If a VLANIF interface is created
for a principal VLAN, you cannot run the port mux-vlan enable vlan vlan-id command on
an interface of the SA boards of S series to enable the MUX VLAN function including the
principle and subordinate VLANs.
The port mux-vlan enable command is not supported on a negotiation-auto or negotiation-
desirable port.
NOTE
l Disabling MAC address learning or limiting the number of learned MAC addresses on an interface
will compromise the performance of the MUX VLAN function.
l MUX VLAN and port security cannot be configured on the same interface.
l MUX VLAN and MAC address authentication cannot be configured on the same interface.
l MUX VLAN and 802.1x authentication cannot be configured on the same interface.
l If a DHCP server is configured in the subordinate VLAN and DHCP clients are configured in the
principal VLAN, the DHCP clients may fail to obtain IP addresses. Therefore, when the DHCP
snooping function is configured, configure the DHCP server in the principal VLAN.
----End

Procedure
l Run the display mux-vlan command to check information about the MUX VLAN.
----End
7.5.1 Example for Configuring MUX VLAN on the Access Device

All users on an enterprise network are allowed to access the enterprise server. The enterprise
allows communication between some employees and prohibits communication between
others.
As shown in Figure 7-3, MUX VLAN can be configured on the Switch connecting to user
hosts. MUX VLAN meets the enterprise's requirements, conserves VLAN resources, and has
fewer requirements on network maintenance.

Figure 7-3 MUX VLAN configuration

Switch
GE1/0/1 Server
VLAN2
(Principal VLAN)
GE1/0/2 GE1/0/5
GE1/0/3 GE1/0/4

VLAN3(Group VLAN) VLAN4(Separate VLAN)
1. Configure a principal VLAN.
2. Configure a group VLAN.
3. Configure a separate VLAN.
4. Add interfaces to the VLANs and enable the MUX VLAN function.
Procedure
Step 1 Configure the MUX VLAN.
# Create VLAN 2, VLAN 3, and VLAN 4.
[Switch] vlan batch 2 3 4
# Configure a group VLAN and a separate VLAN.

[Switch] vlan 2
[Switch-vlan2] mux-vlan
[Switch-vlan2] subordinate group 3
[Switch-vlan2] subordinate separate 4
[Switch-vlan2] quit
# Add interfaces to the VLANs and enable the MUX VLAN function on the interfaces.
[Switch-GigabitEthernet1/0/1] port mux-vlan enable vlan 2


The server, HostB, HostC, HostD, and HostE are on the same subnet.
The server can communicate with HostB, HostC, HostD, and HostE at Layer 2.
HostB can communicate with HostC at Layer 2.
HostD cannot communicate with HostE at Layer 2.
HostB and HostC cannot communicate with HostD and HostE at Layer 2.
----End
Configuration Files
#
sysname Switch
#
vlan batch 2 to 4
#
vlan 2
mux-vlan
subordinate separate 4
subordinate group 3
#
port default vlan 2
port mux-vlan enable vlan 2
#
port default vlan 3
#
port default vlan 3
#
port default vlan 4
#
port default vlan 4

#
return
7.5.2 Example for Configuring MUX VLAN on the Aggregation

Device
All employees of an enterprise can access the server on the enterprise network. The enterprise
allows communication between some employees and prohibits communication between
others.
As shown in Figure 7-4, Switch1 is located at the aggregation layer and used as the gateway
of user hosts. Switch2, Switch3, Switch4, Switch5, and Switch6 are access devices. You can
configure MUX VLAN on Switch1 to conserve VLAN IDs on the enterprise network and has
fewer requirements on network maintenance.
Figure 7-4 Networking of the MUX VLAN
Internet
Switch2
Switch1 GE1/0/2 Server
GE1/0/3 GE1/0/6 VLAN 2

GE
(Principal VLAN)
4/
1/0
1/0
GE
/5

VLAN 3(Group VLAN) VLAN 4(Separate VLAN)
1. Configure a principal VLAN and a VLANIF interface. The IP address of the VLANIF
interface is used as the gateway IP address of user hosts and server.

2. Configure a group VLAN.

3. Configure a separate VLAN.
4. Add interfaces to the VLANs and enable the MUX VLAN function on the interfaces.
5. Add interfaces of access devices to VLANs.
Procedure
Step 1 Configure the MUX VLAN.
# Create VLAN 2, VLAN 3, and VLAN 4, and VLANIF 2 on Switch1. The IP address of
VLANIF 2 is used as the gateway IP address for user hosts and server.
[Switch1] vlan batch 2 3 4
[Switch1] interface vlanif 2
[Switch1-Vlanif2] ip address 192.168.100.100 24
[Switch1-Vlanif2] quit
# Configure a group VLAN and a separate VLAN on Switch1.

[Switch1] vlan 2
[Switch1-vlan2] mux-vlan
[Switch1-vlan2] subordinate group 3
[Switch1-vlan2] subordinate separate 4
# Add interfaces to the VLANs and enable the MUX VLAN function on the interfaces.
[Switch1-GigabitEthernet1/0/2] port mux-vlan enable vlan 2
Step 2 Add interfaces of access switches to VLANs. The configuration details are not mentioned
here.
The server can communicate with HostB, HostC, HostD, and HostE at Layer 2.
HostB can communicate with HostC at Layer 2.
HostD cannot communicate with HostE at Layer 2.

HostB and HostC cannot communicate with HostD and HostE at Layer 2.
----End
Configuration Files
Switch1 configuration file
#
sysname Switch1
#
vlan batch 2 to 4
#
vlan 2
mux-vlan
subordinate separate 4
subordinate group 3
#
interface Vlanif2
ip address 192.168.100.100 255.255.255.0
#
#
#
#
#
#
return

Configuration Guide - Ethernet Switching 8 VLAN Termination Configuration
8 VLAN Termination Configuration
About This Chapter
This chapter describes how to configure VLAN termination. The VLAN termination function
includes two sub-functions: Dot1q termination and QinQ termination. Dot1q termination
allows for inter-VLAN communication. Dot1q termination and QinQ termination can be used
together to implement LAN and WAN interconnection.
8.1 Introduction to VLAN Termination

Using a Dot1q Termination Sub-interface to Connect to a VPN
8.6 Configuring VLAN Termination

8.1 Introduction to VLAN Termination

Definition
VLAN termination is a VLAN tag processing mechanism. VLAN termination enables a
device to identify VLAN tags and remove single or double VLAN tags from received packets.
It then forwards the packets over Layer 3 or takes other actions as required. These VLAN tags
are only useful before termination, and are not used in Layer 3 forwarding or other
processing.
A device with VLAN termination enabled processes incoming and outgoing packets as
follows:
l Removes single or double VLAN tags from the packets received on interfaces, and then
selects an appropriate action such as forwarding the packets over Layer 3.
l Adds VLAN tags to the packets that will be sent out through interfaces.
Classification
Depending on the selected method for VLAN tagged packets processing, VLAN termination
has the following sub-functions:
l Dot1q termination: removes the outer VLAN tag from any received single-tagged or
double-tagged packets, and adds a VLAN tag to packets to be sent by an interface.
l QinQ termination: removes double VLAN tags from any received double-tagged
packets, and adds double VLAN tags to packets to be sent by an interface.
Generally, VLAN termination is configured on sub-interfaces. A sub-interface that terminates

single tags in packets is called a Dot1q termination sub-interface, and a sub-interface that
terminates double tags in packets is called a QinQ termination sub-interface.
NOTE
Dot1q and QinQ VLAN tag termination sub-interfaces do not support transparent transmission of
packets that do not contain a VLAN tag and will discard received packets without a VLAN tag.
Purpose
After VLANs are assigned on a network, hosts in the same VLAN can communicate with
each other over Layer 2 but cannot communicate with different VLANs. You can use
VLANIF interfaces on a Layer 3 switch to implement inter-VLAN Layer 3 connectivity, but
this encounters the following problem. As shown in Figure 8-1, when a Layer 3 switch uses
only one Layer 3 Ethernet interface to connect to users or a network, this interface needs to
transmit packets from multiple VLANs. A VLANIF interface cannot provide this function. o
solve this, you can virtualize a Layer 3 Ethernet interface into multiple logical sub-interfaces
with the Layer 3 Ethernet interface as the main interface.
However, a Layer 3 Ethernet sub-interface treats received VLAN packets as invalid packets
and discards them; therefore, VLAN termination needs to be configured on the Layer 3
Ethernet sub-interface so that the sub-interface can remove VLAN tags from packets.

Figure 8-1 Networking of configuring sub-interfaces to implement interworking

Layer 3 switch
Port1.1 Port1.2
VLAN trunk
Layer 2 switch
Host1 Host2 Host3 Host4

VLAN 2 VLAN 3

Using a Dot1q Termination Sub-interface to Connect to a VPN
8.2.1 Using a Dot1q Termination Sub-interface to Implement

Inter-VLAN Communication
In Figure 8-2, SwitchA is a Layer 3 switch configured with sub-interfaces and SwitchB is a
Layer 2 switch. SwitchA connects to SwitchB through a Layer 3 Ethernet interface. User
hosts are assigned to VLAN 2 and VLAN 3, and need to communicate with each other.
Figure 8-2 Using a Dot1q termination sub-interface to implement inter-VLAN

communication
SwitchA
Port1.1 Port1.2
VLAN trunk
SwitchB
Host1 Host2 Host3 Host4

VLAN 2 VLAN 3

Perform the following operations to implement inter-VLAN communication:

l Create sub-interfaces Port1.1 and Port1.2 on the Ethernet interface connecting SwitchA
to SwitchB.
l Configure Dot1q termination on Port1.1 and Port1.2 to remove VLAN tags in packets
sent by SwitchB.
l Assign IP addresses to Port1.1 and Port1.2.
l Configure the IP addresses of Port1.1 and Port1.2 as the default gateway addresses for
user hosts.
After the preceding operations are performed, user hosts in VLAN 2 and VLAN 3 can
communicate at Layer 3. When a host in VLAN 2 sends packets to a host in VLAN 3, the
process is as follows:
1. Port1.1 removes the VLAN tag of the packets sent from VLAN 2 through SwitchB, and
forwards the packets to Port1.2 at Layer 3.
2. Before sending the packets out, Port1.2 adds VLAN 3 to the packets so that the packets
can reach user hosts in VLAN 3.
The process is reversed when a host in VLAN 3 sends packets to a host in VLAN 2.
8.2.2 Using a Dot1q Termination Sub-interface to Connect to a

VPN
Using a Dot1q Termination Sub-interface to Connect to a PWE3/VLL/VPLS

Network
in Figure 8-3, different branches of an enterprise are interconnected through a carrier's
PWE3/VLL/VPLS network. PEs serve as edge devices of the carrier's PWE3/VLL/VPLS
network and connect to branch networks through sub-interfaces, packets sent from CEs to PEs
carry single or double VLAN tags. User hosts in different branches need to communicate with
each other.
Figure 8-3 Using a Dot1q termination sub-interface to connect to a PWE3/VLL/VPLS

network
PE1 PE2
ISP
Port1.1 PWE3/VLL/VPLS
Port1.1
CE1 CE2
Branch 1 Branch 2
Single-tagged packet

Dot1q termination and PWE3/VLL/VPLS are configured on sub-interfaces of PE1 and PE2.
When Branch 1 sends packets to Branch 2, the process is as follows:
1. 1. PE1 checks the outer VLAN tag of data packets sent from CE1. If the VLAN tag is the
same as that specified in the Dot1q termination configuration on Port1.1, PE1
encapsulates the packets with double MPLS labels and forwards the packets to the
carrier's PWE3/VLL/VPLS network. VLAN tags are transparent to the carrier's
PWE3/VLL/VPLS network.
2. When receiving the packets, PE2 removes the double MPLS labels from the packets, and
forwards the packets to CE2 according to the Dot1q termination configuration on
Port1.1.
3. CE2 forwards packets to user hosts.
The process is reversed when Branch 2 sends packets to Branch 1.
Using a Dot1q Termination Sub-interface to Connect to an L3VPN

In Figure 8-4, different branches of an enterprise are interconnected through a carrier's MPLS
L3VPN. PEs serve as edge devices of the carrier's MPLS L3VPN and connect to branch
networks through sub-interfaces, and packets sent from CEs to PEs carry single or double
VLAN tags. Hosts in different branches need to use the same services.
Figure 8-4 Using a Dot1q termination sub-interface to connect to an L3VPN
VPN1 VPN1
Branch 1 Branch 2
CE1 CE3
Port1.1 PE1 PE2
ISP Port1.1
Port1.2 MPLS L3VPN Port1.2
CE2 CE4
Branch 1 Branch 2
VPN2 VPN2
Dot1q termination and L3VPN are configured on sub-interfaces of PE1 and PE2. When a host
in branch 1 of VPN 1 sends packets to a host in branch 2 of VPN 1, the process is as follows:
1. Depending on the Dot1q termination configuration on Port1.1, PE1 removes the outer
VLAN tag of the packets sent from CE1.
2. PE1 binds the outer VLAN tag to VPN1, and forwards the packets to the L3VPN.
3. After the packets reach PE2, PE2 determines that the packets are destined for CE3 based
on the VPN instance.
4. PE2 adds an outer VLAN tag to the packets according to the Dot1q termination
configuration on Port1.1, and then forwards the packets to CE3.
5. CE3 forwards the packets to the destination user host.
The process is reversed when a host in branch 2 of VPN 1 sends packets to branch 1 of VPN
1.

8.2.3 Using a QinQ Termination Sub-interface to Connect to a

VPN
Using a QinQ Termination Sub-interface to Connect to a PWE3/VLL/VPLS

Network
In Figure 8-5, different branches of an enterprise are interconnected through a carrier's
PWE3/VLL/VPLS network. PEs serve as edge devices of the carrier's PWE3/VLL/VPLS
network and connect to branch networks through sub-interfaces, and packets sent fromCEs to
PEs carry double VLAN tags. User hosts in different branches need to communicate with
each other.
Figure 8-5 Using a QinQ termination sub-interface to connect to a PWE3/VLL/VPLS

network
PE1 PE2
ISP
Port1.1 PWE3/VLL/VPLS
Port1.1
CE1 CE2
Branch 1 Branch 2
Double-tagged packet
QinQ termination and PWE3/VLL/VPLS are configured on sub-interfaces of PE1 and PE2.
When Branch 1 sends packets to Branch 2, the process is as follows:
1. PE1 checks the inner and outer VLAN tags of data packets sent from CE1. If these
VLAN tags are the same as those specified in the QinQ termination configuration on
Port1.1, PE1 encapsulates the packets with double MPLS labels and forwards the packets
to the carrier's PWE3/VLL/VPLS network. VLAN tags are transparent to the carrier's
PWE3/VLL/VPLS network.
2. When receiving the packets, PE2 removes double MPLS labels from the packets, and
forwards the packets to CE2 according to the QinQ termination configuration on Port1.1.
3. CE2 forwards packets to user hosts.
The process is reversed when Branch 2 sends packets to Branch 1.
Using a QinQ Termination Sub-interface to Connect to an L3VPN

In Figure 8-6, different branches of an enterprise are interconnected through a carrier's MPLS
L3VPN. PEs serve as edge devices of the carrier's MPLS L3VPN and connect to branch
networks through sub-interfaces, and packets sent by CEs to PEs carry double VLAN tags.
Hosts in different branches need to use the same services.

Figure 8-6 Using a QinQ termination sub-interface to connect to an L3VPN
VPN1 VPN1
Branch 1 Branch 2
CE1 CE3
Port1.1 PE1 PE2
ISP Port1.1
Port1.2 MPLS L3VPN Port1.2
CE2 CE4
Branch 1 Branch 2
VPN2 VPN2
QinQ termination and L3VPN are configured on sub-interfaces of PE1 and PE2. When a host
in Branch 1 of VPN 1 sends packets to a host in Branch 2 of VPN 1, the process is as follows:
1. Depending on the Dot1q termination configuration on Port1.1, PE1 removes the inner
and outer VLAN tags of the packets sent from CE1.
2. PE1 binds the inner and outer VLAN tags to VPN1, and forwards the packets to the
L3VPN.
3. After the packets reach PE2, PE2 determines that the packets are destined for CE3 based
on the VPN instance.
4. PE2 adds inner and outer VLAN tags to the packets according to the QinQ termination
configuration on Port1.1, and then forwards the packets to CE3.
5. CE3 forwards the packets to the destination user host.
The process is reversed when a host in branch 2 of VPN 1 sends packets to branch 1 of VPN
1.

Table 8-1 describes the VLAN termination configuration tasks. The configuration tasks can
be performed in any sequence.
Table 8-1 VLAN termination configuration tasks

Configuration Applicable Scenario
Task
8.6.1 A Layer 3 switch connects to user hosts residing in different VLANs

Configuring a through a Layer 3 Ethernet interface, and these user hosts need to
Dot1q communicate with each other.
Termination
Sub-interface to
Implement
Inter-VLAN
Communication

Configuration Applicable Scenario

Task
8.6.2 A carrier's network provides the L2VPN service for users. PEs
Configuring a function as user access devices and connect to CEs through sub-
Dot1q interfaces to access user networks. The data packets that CEs send to
Termination PEs carry a single VLAN tag. User networks are required to interwork
Sub-interface with each other.
and Connecting
It to an L2VPN
Dot1q interfaces to access user networks. The data packets that CEs send to
Termination PEs carry a single VLAN tag. User networks are required to interwork
and Connecting
It to an L3VPN
QinQ interfaces to access user networks. The data packets that CEs send to
Termination PEs carry double VLAN tags. User networks are required to interwork
and Connecting
It to an L2VPN
QinQ interfaces to access user networks. The data packets that CEs send to
Termination PEs carry double VLAN tags. User networks are required to interwork
and Connecting
It to an L3VPN

License Support
VLAN termination, that is, QinQ and Dot1q on a subinterface, is often used on an MPLS
network, so the device must be enabled with MPLS. MPLS requires a license. By default,
MPLS of a newly purchased device is disabled. To use MPLS, apply for and purchase the
license from the equipment supplier. VLAN termination itself can be used without a license.

Software Version
Table 8-2 Products and versions supporting VLAN termination

Model
S7700 S7703, V100R003C01, V100R006C00, V200R001(C00&C01),

S7706, V200R002C00, V200R003C00, V200R005C00,
S7712 V200R006C00, V200R007C00, V200R008C00,
V200R009C00, V200R010C00
S9700 S9703, V200R001(C00&C01), V200R002C00, V200R003C00,

S9706, V200R005C00, V200R006C00, V200R007C00,
S9712 V200R008C00, V200R009C00, V200R010C00
NOTE

l On the S7700 and S9700, only E series cards, X series cards, and SC cards among S
series support the termination subinterface. Starting from V200R007C00, X1E cards
among X series support termination subinterfaces. For details, see the card classification
in Hardware Description.
l Termination subinterfaces cannot be configured on an Eth-Trunk member interface.
l You are advised to add member interfaces to an Eth-Trunk and configure termination
subinterfaces on the Eth-Trunk in sequence. Termination subinterfaces can be configured
successfully on an Eth-Trunk only when all series of cards where member interfaces
reside support termination subinterfaces.
l The VLAN IDs terminated by a subinterface cannot be created in the system view or be
displayed using a display command.
l When VLAN IDs terminated by a subinterface are used for Layer 3 forwarding, only the
first VLAN takes effect even if multiple inner VLAN IDs are specified.
l When VLAN IDs terminated by a subinterface are used for Layer 3 forwarding, it is
recommended that 128 VLANs be in all VLAN ranges.
l VLAN termination subinterfaces cannot be created on a VCMP client.
l When the dot1q termination vid or qinq termination pe-vid ce-vid command is used
to configure a VLAN for the VLAN termination sub-interface, the VLAN cannot be
configured as the super-VLA or sub-VLAN.
l If the PW-side interface is a Layer 3 interface switched by the undo portswitch
command, the AC-side interface cannot be a Layer 3 interface or subinterface belonging
to a Layer 3 interface; otherwise, traffic forwarding is abnormal.

Table 8-3 Default configurations for VLAN termination

Dot1q termination and QinQ termination on Not configured

each sub-interface
ARP broadcast on each sub-interface Disabled
8.6 Configuring VLAN Termination
8.6.1 Configuring a Dot1q Termination Sub-interface to

Implement Inter-VLAN Communication
When a Layer 3 switch connects to users located in different VLANs through a Layer 3
Ethernet interface, configure Dot1q termination sub-interfaces on this Layer 3 Ethernet
interface to implement inter-VLAN communication.
Context
When a Layer 3 switch connects to users on different network segments across different
VLANs, configure Dot1q termination and IP addresses for the sub-interfaces to implement
Layer 3 connectivity.
NOTE
l To implement inter-VLAN communication, hosts in each VLAN must use the IP address of the
corresponding sub-interface as the default gateway address.
l When VLAN IDs terminated by a subinterface are used for Layer 3 forwarding, only the first VLAN
takes effect even if multiple inner VLAN IDs are specified.
Procedure
Step 1 Run:
system-view
Step 2 Run:
Step 3 Run:
port link-type { hybrid | trunk }
Step 4 Run:
quit
Exit from the interface view.

Step 5 Run:
interface interface-type interface-number.subinterface-number
The sub-interface view is displayed.

Step 6 Run:
An IP address is assigned to the sub-interface.

Step 7 Run:
dot1q termination vid low-pe-vid [ to high-pe-vid ]
Dot1q termination is configured on the sub-interface.

Sub-interfaces of different main interfaces can be associated with the same VLAN, but sub-
interfaces of the same main interface cannot be associated with the same VLAN.
NOTE
When VLAN IDs terminated by a sub-interface are used for Layer 3 forwarding, it is recommended that
128 VLANs be in all VLAN ranges.
Step 8 Run:
arp broadcast enable
ARP broadcast is enabled on the sub-interface.

When you enable or disable ARP broadcast on a sub-interface, the routing status on the sub-
interface alternates between Down and Up. This may result in route flapping on the entire
network, and affects normal operation of services.
----End
8.6.2 Configuring a Dot1q Termination Sub-interface and

Connecting It to an L2VPN
When users are connected through an L2VPN and the packets that CEs send to PEs carry
double VLAN tags, configure a QinQ termination sub-interface and connect it to the L2VPN
to implement interworking between those users.
Before configuring a Dot1q termination sub-interface and connecting it to an L2VPN,
complete the following tasks:
l Ensure that devices are connected correctly.
l Configure VLANs to which CEs belong and basic Layer 2 forwarding so that each
packet sent from CEs to PEs carries one VLAN tag.
l Ensure that the device is not a VCMP client.

8.6.2.1 Configuring a Dot1q Termination Sub-interface
Context
When a VPN network connects to an ISP network through a sub-interface, the sub-interface
needs to terminate VLAN tags. A QinQ termination sub-interface can remove double VLAN
tags carried by packets sent from CEs to PEs.
Procedure
Step 1 On the PE device, run:
system-view

Step 2 Run:

Step 3 Run:
The port link-type is set.

Step 4 Run:
quit

Step 5 Run:
The view of the sub-interface connecting the PE to the CE is displayed.

Step 6 Run:

After a VLANIF interface is configured, the corresponding VLAN cannot be configured in a
sub-interface view.
----End
8.6.2.2 Configuring L2VPN
Context
After a Dot1q termination sub-interface is configured, you need to configure the virtual
private network (VPN) service on the sub-interface so that users at both ends of the L2VPN
can communicate with each other.
L2VPN includes Virtual leased line (VLL), Pseudo-Wire Emulation Edge to Edge (PWE3),
and Virtual Private LAN Service (VPLS).
l VLL technology emulates leased lines on an IP network to provide inexpensive,
asymmetrical digital data network (DDN) service. As a point-to-point (P2P) L2VPN
technology, VLL can support almost all link layer protocols.

l PWE3 is an implementation mode of VLL and an extension of the Martini protocol.

PWE3 reduces signaling costs and defines multi-segment PWs (MS-PWs), making
networking modes more flexible.
l VPLS technology implements multipoint-to-multipoint VPN networking. Using VPLS
technology, an ISP can provide Ethernet-based multipoint-to-multipoint services for
users through an MPLS backbone network.
For details about L2VPN, see "VLL Configuration, "PWE3 Configuration", and "VPLS
Configuration" in S7700&S9700 Series Switches Configuration Guide - VPN.
NOTE
A Dot1q termination sub-interface can be bound to a VLL that provides homogeneous or heterogeneous
transport in the following modes:
l Local Kompella connection
l Remote Kompella connection
l Local Martini connection
l Remote Martini connection
A Dot1q termination sub-interface supports the following VPLS connections:
l Martini VPLS
l Kompella VPLS
Procedure
l Run the display dot1q information termination [ interface interface-type interface-
number [.subinterface-number ] ] command to check dot1q termination sub-interface
information.
l Run the display vsi [ name vsi-name ] [ verbose ] command to check VSI information.
l Run the display mpls static-l2vc command to check static VC information.
l Run the display mpls l2vc command on the PE to check Martini VLL information on
the local PE.
l Run the display mpls l2vc remote-info command on the PE to check Martini VLL
information on the remote PE.
l Run the display vll ccc [ ccc-name | type { local | remote } ] command to check CCC
connection information.
----End
8.6.3 Configuring a Dot1q Termination Sub-interface and

When users are connected through an L3VPN and each packet that CEs send to PEs carries
one VLAN tag, configure a Dot1q termination sub-interface and connect it to the L3VPN.
Before configuring a Dot1q termination sub-interface and connecting it to an L3VPN,


l Configure VLANs to which CEs belong and basic Layer 2 forwarding so that each
packet sent from CEs to PEs carries one VLAN tag.
8.6.3.1 Configuring a Dot1q Termination Sub-interface
Context
Procedure
Step 1 On the PE device, run:
system-view

Step 2 Run:

Step 3 Run:

Step 4 Run:
quit

Step 5 Run:

Step 6 Run:

After a VLANIF interface is configured, the corresponding VLAN cannot be configured in a
sub-interface view.
----End

After a Dot1q termination sub-interface is configured, you need to configure the VPN service
so that users at both ends of the L3VPN can communicate with each other.
Configure L3VPN on the CE, PE, and P. For details, see BGP/MPLS IP VPN Configuration
in S7700&S9700 Series Switches Configuration Guide - VPN.

Procedure
l Run the display dot1q information termination [ interface interface-type interface-
number [.subinterface-number ] ] command to check dot1q termination sub-interface
information.
l Run the display ip vpn-instance [ verbose ] [ vpn-instance-name ] command to check
VPN instance information.
----End
8.6.4 Configuring a QinQ Termination Sub-interface and

When users are connected through an L2VPN and the packets that CEs send to PEs carry
double VLAN tags, configure a QinQ termination sub-interface and connect it to the L2VPN
to implement interworking between those users.
Before configuring a QinQ termination sub-interface and connecting it to an L2VPN,
l Configure VLANs to which CEs belong and basic Layer 2 forwarding so that packets
sent from CEs to PEs carry double VLAN tags.
Configuration Process
8.6.4.1 Configuring a QinQ Sub-interface
Context
Procedure
Step 1 Run:
system-view

Step 2 Run:

Step 3 Run:


Step 4 Run:
quit

Step 5 Run:

Step 6 Run:
qinq termination pe-vid pe-vid ce-vid ce-vid1 [ to ce-vid2 ]
QinQ termination is configured on the sub-interface.
----End
Context
L2VPN includes Virtual leased line (VLL), Pseudo-Wire Emulation Edge to Edge (PWE3),
and Virtual Private LAN Service (VPLS).
l VLL technology emulates leased lines on an IP network to provide inexpensive,
asymmetrical digital data network (DDN) service. As a point-to-point (P2P) L2VPN
technology, VLL can support almost all link layer protocols.
l PWE3 is an implementation mode of VLL and an extension of the Martini protocol.
PWE3 reduces signaling costs and defines multi-segment PWs (MS-PWs), making
networking modes more flexible.
l VPLS technology implements multipoint-to-multipoint VPN networking. Using VPLS
technology, an ISP can provide Ethernet-based multipoint-to-multipoint services for
users through an MPLS backbone network.
For details about L2VPN, see "VLL Configuration, "PWE3 Configuration", and "VPLS
Configuration" in S7700&S9700 Series Switches Configuration Guide - VPN.
NOTE
A QinQ termination sub-interface can be bound to a VLL that provides homogeneous or heterogeneous
transport in the following modes:
l Local CCC connection
l Remote CCC connection
l Remote SVC connection
l Local Kompella connection
l Remote Kompella connection
l Remote Martini connection
A QinQ termination sub-interface supports the following VPLS connections:
l Martini VPLS
l Kompella VPLS

Procedure
l Run the display qinq information termination [ interface interface-type interface-
number [.subinterface-number ] ] command to check QinQ termination sub-interface
information.
l Run the display vsi [ name vsi-name ] [ verbose ] command to check VSI information.
l Run the display vll ccc [ ccc-name | type { local | remote } ] command to check CCC
connection information.
l Run the display mpls static-l2vc command to check static VC information.
l Run the display mpls l2vc command on the PE to check Martini VLL information on
the local PE.
l Run the display mpls l2vc remote-info command on the PE to check Martini VLL
information on the remote PE.
----End
8.6.5 Configuring a QinQ Termination Sub-interface and

When users are connected through an L3VPN and each packet that CEs send to PEs carries
double VLAN tags, configure a QinQ termination sub-interface and connect it to the L3VPN.
Before configuring a QinQ termination sub-interface and connecting it to an L3VPN,
l Configure VLANs to which CEs belong and basic Layer 2 forwarding so that packets
sent from CEs to PEs carry double VLAN tags.
Configuration Process
8.6.5.1 Configuring a QinQ Sub-interface
Context
Procedure
Step 1 Run:
system-view
Step 2 Run:


Step 3 Run:

Step 4 Run:
quit

Step 5 Run:

Step 6 Run:
qinq termination pe-vid pe-vid ce-vid ce-vid1 [ to ce-vid2 ]
QinQ termination is configured on the sub-interface.
----End

After a QinQ termination sub-interface is configured, you need to configure the VPN service
so that users at both ends of the L3VPN can communicate with each other.
Configure L3VPN on the CE, PE, and P. For details, see "BGP/MPLS IP VPN Configuration"
in S7700&S9700 Series Switches Configuration Guide - VPN.
Procedure
l Run the display qinq information termination [ interface interface-type interface-
number [.subinterface-number ] ] command to check QinQ termination sub-interface
information.
l Run the display ip vpn-instance [ verbose ] [ vpn-instance-name ] command to check
VPN instance information.
----End
8.7.1 Example for Configuring Dot1q Termination Sub-interfaces

to Implement Inter-VLAN Communication
An enterprise's departments are located on different network segments and use the same
services such as Internet access and VoIP. To allow the departments in different VLANs to use
the same service, inter-VLAN communication must be implemented.

In the networking example shown in Figure 8-7, both department 1 and department 2 located
in different VLANs and network segments need to use the Internet access service, and users
in department 1 and department 2 need to communicate with each other.
Figure 8-7 Networking for configuring Dot1q termination sub-interfaces to implement inter-
VLAN communication
Switch
GE1/0/1.1 GE1/0/2.1
10.10.10.1/24 10.10.20.1/24
GE1/0/2 GE1/0/2
SwitchA SwitchB
GE1/0/1 GE1/0/1
PC1 PC2
10.10.10.2/24 10.10.20.2/24
VLAN 10 VLAN 20
The configuration roadmap is as follows.
1. Configure the ID of the VLAN to which each interface belongs.
2. Configure Dot1q termination sub-interfaces.
3. Assign IP addresses to the sub-interfaces.
NOTE
VLAN termination sub-interfaces cannot be created on a VCMP client.
Procedure
Step 1 Add the uplink interface of SwitchA to VLAN 10 in tagged mode and the user-side interface
to VLAN 10 in untagged mode, and add the uplink interface of SwitchB to VLAN 20 in
tagged mode and the user-side interface to VLAN 20 in untagged mode.Configure VLANs on
interfaces of SwitchA and SwitchB.
[SwitchA] vlan batch 10
[SwitchA] interface gigabitethernet1/0/1

[SwitchB] vlan batch 20
[SwitchB] interface gigabitethernet1/0/1
[SwitchB-GigabitEthernet1/0/1] port link-type access
[SwitchB-GigabitEthernet1/0/1] port default vlan 20
Step 2 Configure the interface on the Switch connected to SwitchA.

# Create and configure the Ethernet sub-interface GE1/0/1.1.
[Switch] vcmp role silent
[Switch] interface gigabitethernet1/0/1
[Switch] interface gigabitethernet1/0/1.1
[Switch-GigabitEthernet1/0/1.1] dot1q termination vid 10
[Switch-GigabitEthernet1/0/1.1] ip address 10.10.10.1 24
[Switch-GigabitEthernet1/0/1.1] arp broadcast enable
[Switch-GigabitEthernet1/0/1.1] quit
Step 3 Configure the interface on the Switch connected to SwitchB.

# Create and configure the Ethernet sub-interface GE1/0/2.1.
[Switch] interface gigabitethernet1/0/2
[Switch] interface gigabitethernet 1/0/2.1
[Switch-GigabitEthernet1/0/2.1] dot1q termination vid 20
[Switch-GigabitEthernet1/0/2.1] ip address 10.10.20.1 24
[Switch-GigabitEthernet1/0/2.1] arp broadcast enable
[Switch-GigabitEthernet1/0/2.1] quit

On PC1 in VLAN 10, set the default gateway address to 10.10.10.1/24, which is the IP
address of GE1/0/1.1.
On PC2 in VLAN 20, set the default gateway address to 10.10.20.1/24, which is the IP
address of GE1/0/2.1.
After the configuration is complete, PC1 in VLAN 10 and PC2 in VLAN 20 can
----End
Configuration Files
#
sysname Switch
#
vcmp role silent
#
#


ip address 10.10.10.1 255.255.255.0
#
#
ip address 10.10.20.1 255.255.255.0
#
return

#
sysname SwitchA
#
vlan batch 10
#
#
#
return

#
sysname SwitchB
#
vlan batch 20
#
#
#
return
8.7.2 Example for Configuring Dot1q Termination Sub-interfaces

to Implement Inter-VLAN Communication Across Different
Networks
In the networking example shown in Figure 8-8, SwitchA and SwitchB are connected to
Layer 2 networks that VLAN 10 and VLAN 20 belongs to. SwitchA communicates with
SwitchB through a Layer 3 network where OSPF is run.
PCs of the two Layer 2 networks need to be isolated at Layer 2 and interwork at Layer 3.

Figure 8-8 Networking for configuring Dot1q termination sub-interfaces to implement inter-
VLAN communication across a network
SwitchA SwitchB
GE1/0/2 GE1/0/1
OSPF
GE1/0/1.1 GE1/0/2.1
VLAN 10 VLAN 20
PC A PC B
10.10.10.2/24 10.10.20.2/24
1. Configure VLANs that interfaces belong to.
2. Assign IP addresses to VLANIF interfaces.
3. Set the encapsulation mode of sub-interfaces.
4. Configure VLANs allowed by sub-interfaces.
5. Assign IP addresses to the sub-interfaces.
6. Configure basic OSPF functions.
NOTE
l The VLANs allowed by a sub-interface cannot be created in the system view.

l VLAN termination sub-interfaces cannot be created on a VCMP client.
Procedure
Step 1 Configure SwitchA.
# Create a VLAN.
# Add an interface to the VLAN.

# Assign an IP address to a VLANIF interface.

[SwitchA] interface vlanif 30

[SwitchA-Vlanif30] ip address 10.10.30.1 24
[SwitchA-Vlanif30] quit
# Create and configure GE1/0/1.1.

[SwitchA] vcmp role silent
[SwitchA] interface gigabitethernet 1/0/1.1
[SwitchA-GigabitEthernet1/0/1.1] dot1q termination vid 10
[SwitchA-GigabitEthernet1/0/1.1] ip address 10.10.10.1 24
[SwitchA-GigabitEthernet1/0/1.1] arp broadcast enable
[SwitchA-GigabitEthernet1/0/1.1] quit

[SwitchA] router id 1.1.1.1
[SwitchA] ospf
[SwitchA-ospf-1] area 0
[SwitchA-ospf-1-area-0.0.0.0] network 10.10.10.0 0.0.0.255
[SwitchA-ospf-1-area-0.0.0.0] return
Step 2 Configure SwitchB.
# Create a VLAN.
[SwitchB] vlan batch 30
# Add an interface to the VLAN.

# Assign an IP address to a VLANIF interface.

[SwitchB-Vlanif30] ip address 10.10.30.2 24
# Create and configure GE1/0/2.1.

[SwitchB] vcmp role silent
[SwitchB-GigabitEthernet1/0/2] port link-type hybrid
[SwitchB] interface gigabitethernet 1/0/2.1
[SwitchB-GigabitEthernet1/0/2.1] dot1q termination vid 20
[SwitchB-GigabitEthernet1/0/2.1] ip address 10.10.20.1 24
[SwitchB-GigabitEthernet1/0/2.1] arp broadcast enable
[SwitchB-GigabitEthernet1/0/2.1] quit

[SwitchB] router id 2.2.2.2
[SwitchB] ospf
[SwitchB-ospf-1] area 0
[SwitchB-ospf-1-area-0.0.0.0] network 10.10.20.0 0.0.0.255
[SwitchB-ospf-1-area-0.0.0.0] network 10.10.30.0 0.0.0.255
[SwitchB-ospf-1-area-0.0.0.0] return

On the PCs residing on the Layer 2 network connected to SwitchA, set the default gateway
address to 10.10.10.1/24, which is the IP address of GE1/0/1.1. The switch connected to
SwitchA allows VLAN 10.
On the PCs residing on the Layer 2 network connected to SwitchB, set the default gateway
address to 10.10.20.1/24, which is the IP address of GE1/0/2.1. The switch connected to
SwitchA allows VLAN 20.
After the configuration is complete, PCs on the two Layer 2 networks are isolated at Layer 2
and interwork at Layer 3.
----End
Configuration Files
#
sysname SwitchA
#
router id 1.1.1.1
#
vcmp role silent
#
vlan batch 30
#
interface Vlanif30
ip address 10.10.30.1 255.255.255.0
#
#
ip address 10.10.10.1 255.255.255.0
#
#
ospf 1
area 0.0.0.0
network 10.10.10.0 0.0.0.255
network 10.10.30.0 0.0.0.255
#
return

#
sysname SwitchB
#
router id 2.2.2.2
#
vcmp role silent
#
vlan batch 30
#
interface Vlanif30
ip address 10.10.30.2 255.255.255.0
#
#

#
ip address 10.10.20.1 255.255.255.0
#
ospf 1
area 0.0.0.0
network 10.10.20.0 0.0.0.255
network 10.10.30.0 0.0.0.255
#
return
8.7.3 Example for Connecting Dot1q Sub-interfaces to a VLL

Network
In the networking example shown in Figure 8-9, CE1 and CE2 are connected to PE1 and
PE2, respectively, through VLANs.
A Martini VLL is created between CE1 and CE2 so that users residing on the networks
connected to CE1 and CE2 can communicate with each other.
Figure 8-9 Networking diagram for connecting Dot1q sub-interfaces to a VLL network

1.1.1.1/32 2.2.2.2/32 3.3.3.3/32
GE 2/0/0 GE 1/0/0
PE 1 PE 2
GE 2/0/0 GE1/0/0
GE1/0/0 GE 2/0/0
P
GE1/0/0 GE 1/0/0
Martini
CE 1 CE 2
Switch Interface VLANIF Interface IP Address
PE1 GigabitEthernet1/0/0 GigabitEthernet1/0/0.1 -
- Loopback1 - 1.1.1.1/32
- Loopback1 - 3.3.3.3/32
P GigabitEthernet1/0/0 VLANIF 30 10.2.2.2/24

- Loopback1 - 2.2.2.2/32
CE1 GigabitEthernet1/0/0 VLANIF 10 10.10.10.1/24
1. Configure a routing protocol on PE and P of the backbone network to implement
interworking, and enable MPLS.
2. Use the default tunnel policy to create an LSP and configure the LSP to transmit data.
3. Enable MPLS L2VPN and create VC connections on PEs.
4. Configure Dot1q sub-interfaces on PE interfaces connected to CEs to implement VLL
access.
NOTE
Procedure
Step 1 Configure the VLANs to which interfaces of CEs, PEs, and P belong and assign IP addresses
to VLANIF interfaces according to Figure 8-9.
# Configure CE1 to ensure that each packet that CE1 sends to PE1 carries a single VLAN tag.
[CE1] vlan batch 10
[CE1-Vlanif10] ip address 10.10.10.1 24
[CE1-Vlanif10] quit
# Configure CE2 to ensure that each packet that CE2 sends to PE2 carries a single VLAN tag.
[CE2] vlan batch 10
[CE2-Vlanif10] quit
# Configure PE1.
[PE1] vlan batch 20
[PE1-GigabitEthernet2/0/0] port link-type hybrid
[PE1-GigabitEthernet2/0/0] port hybrid pvid vlan 20
[PE1-GigabitEthernet2/0/0] port hybrid tagged vlan 20

[PE1-Vlanif20] quit
# Configure P.
[HUAWEI] sysname P
[P-GigabitEthernet1/0/0] port link-type hybrid
[P-GigabitEthernet1/0/0] port hybrid pvid vlan 30
[P-GigabitEthernet1/0/0] port hybrid tagged vlan 30
[P-Vlanif20] ip address 10.1.1.2 24
[P-Vlanif20] quit
[P-Vlanif30] quit
# Configure PE2.
[PE2] vlan batch 30
[PE2-Vlanif30] quit
Step 2 Configure an IGP, for example, OSPF, on the MPLS backbone network.
Configure PE1, P, and PE2 to advertise 32-bit loopback interface addresses as the LSR IDs.
# Configure PE1.
[PE1] ospf 1
[PE1-ospf-1] area 0
[PE1-ospf-1] quit
# Configure P.
[P-LoopBack1] quit
[P] ospf 1
[P-ospf-1] area 0

[P-ospf-1] quit
# Configure PE2.
[PE2] ospf 1
[PE2-ospf-1] area 0
[PE2-ospf-1] quit
# After the configuration is complete, PE1, P, and PE2 can establish OSPF neighbor
relationships. Run the display ospf peer command to verify that the OSPF neighbor
relationship status is Full. Run the display ip routing-table command to verify that the PEs
learn the route to the Loopback1 interface of each other. The following is the display on PE1:
[PE1] display ospf peer
OSPF Process 1 with Router ID 1.1.1.1

Neighbors
Area 0.0.0.0 interface 10.1.1.1(Vlanif20)'s neighbors

Router ID: 2.2.2.2 Address: 10.1.1.2
State: Full Mode:Nbr is Master Priority: 1
DR: 10.1.1.2 BDR: 10.1.1.1 MTU: 0
Dead timer due in 34 sec
Retrans timer interval: 5
Neighbor is up for 00:01:16
Authentication Sequence: [ 0 ]
------------------------------------------------------------------------------

2.2.2.2/32 OSPF 10 1 D 10.1.1.2 Vlanif20
3.3.3.3/32 OSPF 10 2 D 10.1.1.2 Vlanif20
10.1.1.0/24 Direct 0 0 D 10.1.1.1 Vlanif20
10.1.1.1/32 Direct 0 0 D 127.0.0.1 Vlanif20
10.2.2.0/24 OSPF 10 2 D 10.1.1.2 Vlanif20
Step 3 Configure basic MPLS functions and LDP on the MPLS backbone network.
# Configure PE1.
[PE1] mpls
[PE1-mpls] quit
[PE1] mpls ldp
[PE1-mpls-ldp] quit
[PE1-Vlanif20] mpls
[PE1-Vlanif20] quit
# Configure P.
[P] mpls

[P-mpls] quit
[P] mpls ldp
[P-mpls-ldp] quit
[P-Vlanif20] mpls
[P-Vlanif20] quit
[P-Vlanif30] mpls
[P-Vlanif30] quit
# Configure PE2.
[PE2] mpls
[PE2-mpls] quit
[PE2] mpls ldp
[PE2-mpls-ldp] quit
[PE2-Vlanif30] mpls
[PE2-Vlanif30] quit
Step 4 Create remote LDP sessions between PEs.

# Configure PE1.
# Configure PE2.
After the configuration is complete, run the display mpls ldp session command on PE1 to
view the LDP session setup. An LDP session is set up between PE1 and PE2 as shown in the
following display:

------------------------------------------------------------------------------
------------------------------------------------------------------------------
------------------------------------------------------------------------------
Step 5 Enable MPLS L2VPN on PEs and establish VC connections.

# On PE1, create a VC connection on GigabitEthernet1/0/0.1 connected to CE1.
[PE1] mpls l2vpn
[PE1-l2vpn] quit
[PE1] vcmp role silent
[PE1] interface gigabitethernet1/0/0
[PE1] interface gigabitethernet1/0/0.1
[PE1-GigabitEthernet1/0/0.1] mpls l2vc 3.3.3.3 101


[PE2] mpls l2vpn
[PE2-l2vpn] quit
Check L2VPN connections on PEs. You can see that an L2VC connection has been set up and
is in Up state.
The following is the display on PE1:

[PE1] display mpls l2vc interface gigabitethernet1/0/0.1
*client interface : GigabitEthernet1/0/0.1 is up
Administrator PW : no
session state : up
AC status : up
VC state : up
Label state : 0
Token state : 0
VC ID : 101
VC type : VLAN
destination : 3.3.3.3
local group ID : 0 remote group ID : 0
local VC label : 23552 remote VC label : 23552
local AC OAM State : up
local PSN OAM State : up
local forwarding state : forwarding
local status code : 0x0
remote AC OAM state : up
remote PSN OAM state : up
remote forwarding state: forwarding
remote status code : 0x0
ignore standby state : no
BFD for PW : unavailable
VCCV State : up
manual fault : not set
active state : active
forwarding entry : exist
link state : up
local VC MTU : 1500 remote VC MTU : 1500
local VCCV : alert ttl lsp-ping bfd
remote VCCV : alert ttl lsp-ping bfd
local control word : disable remote control word : disable
tunnel policy name : --
PW template name : --
load balance type : flow
Access-port : false
Switchover Flag : false
VC tunnel/token info : 1 tunnels/tokens
NO.0 TNL type : lsp , TNL ID : 0x10031
Backup TNL type : lsp , TNL ID : 0x0
create time : 1 days, 22 hours, 15 minutes, 9 seconds
up time : 0 days, 22 hours, 54 minutes, 57 seconds
last change time : 0 days, 22 hours, 54 minutes, 57 seconds
VC last up time : 2010/10/09 19:26:37
VC total up time : 1 days, 20 hours, 42 minutes, 30 seconds
CKey : 8
NKey : 3
PW redundancy mode : --

AdminPw interface : --
AdminPw link state : --
Service Class : --
Color : --
DomainId : --
Domain Name : --
CE1 and CE2 can ping each other.

The following is the display on CE1:
[CE1] ping 10.10.10.2

0.00% packet loss
----End
Configuration Files
#
sysname CE1
#
vlan batch 10
#
interface Vlanif10
ip address 10.10.10.1 255.255.255.0
#
#
return

#
sysname PE1
#
router id 1.1.1.1
#
vcmp role
silent
#
vlan batch 20
#
mpls lsr-id 1.1.1.1
mpls
#
mpls l2vpn
#
mpls ldp
#
remote-ip 3.3.3.3
#
interface Vlanif20
ip address 10.1.1.1 255.255.255.0

mpls
mpls ldp
#
#
mpls l2vc 3.3.3.3 101
#
#
interface LoopBack1
ip address 1.1.1.1 255.255.255.255
#
ospf 1
area 0.0.0.0
network 1.1.1.1 0.0.0.0
network 10.1.1.0 0.0.0.255
#
return
#
sysname P
#
router id 2.2.2.2
#
vlan batch 20 30
#
mpls lsr-id 2.2.2.2
mpls
#
mpls ldp
#
interface Vlanif20
ip address 10.1.1.2 255.255.255.0
mpls
mpls ldp
#
interface Vlanif30
ip address 10.2.2.2 255.255.255.0
mpls
mpls ldp
#
#
#
interface LoopBack1
ip address 2.2.2.2 255.255.255.255
#
ospf 1
area 0.0.0.0
network 2.2.2.2 0.0.0.0
network 10.1.1.0 0.0.0.255
network 10.2.2.0 0.0.0.255
#
return

#
sysname PE2
#
router id 3.3.3.3
#
vcmp role
silent
#
vlan batch 30
#
mpls lsr-id 3.3.3.3
mpls
#
mpls l2vpn
#
mpls ldp
#
remote-ip 1.1.1.1
#
interface Vlanif30
ip address 10.2.2.1 255.255.255.0
mpls
mpls ldp
#
#
#
mpls l2vc 1.1.1.1 101
#
interface LoopBack1
ip address 3.3.3.3 255.255.255.255
#
ospf 1
area 0.0.0.0
network 3.3.3.3 0.0.0.0
network 10.2.2.0 0.0.0.255
#
return

#
sysname CE2
#
vlan batch 10
#
interface Vlanif10
ip address 10.10.10.2 255.255.255.0
#
#
return

8.7.4 Example for Connecting QinQ Termination Sub-interfaces

to a VLL Network
In the example network shown in Figure 8-10, CE1 and CE2 are connected to PE1 and PE2,
respectively, through VLANs.
A Martini VLL is set up between CE1 and CE2.
Switch1 is connected to CE1 and PE1.
Selective QinQ needs to be configured on the interfaces connected to CEs so that the Switch
adds the VLAN tags specified by the carrier to the packets sent from CEs.
A Switch connected to multiple CEs can add the same VLAN tag to the packets from those
CEs, thereby saving VLAN IDs on the public network.
Figure 8-10 Networking diagram for connecting QinQ termination sub-interfaces to a VLL
network

1.1.1.1/32 2.2.2.2/32 3.3.3.3/32
GE2/0/0 GE1/0/0
PE1 PE2
GE2/0/0 GE1/0/0
GE1/0/0 P GE2/0/0
GE2/0/0 GE2/0/0
Switch1 Switch2
GE1/0/0 GE1/0/0
GE1/0/0 GE1/0/0
CE1 CE2
- Loopback1 - 1.1.1.1/32
- Loopback1 - 3.3.3.3/32

- Loopback1 - 2.2.2.2/32
1. Configure a routing protocol on PE and P of the backbone network to implement
2. Use the default tunnel policy to create an LSP and configure the LSP to transmit data.
4. Configure QinQ sub-interfaces on PE interfaces connected to the switches to implement
VLL access.
5. Configure selective QinQ on the switch interfaces connected to CEs.
NOTE
Procedure
Step 1 Configure the VLANs to which interfaces of CEs, PEs, and P belong and assign IP addresses
to VLANIF interfaces according to Figure 8-10.
# Configure CE1 to ensure that each packet sent from CE1 to Switch1 carries a single VLAN
tag.
[CE1] vlan batch 10
[CE1-Vlanif10] quit
tag.
[CE2] vlan batch 10
[CE2-Vlanif10] quit
# Configure PE1.

[PE1] vlan batch 20
[PE1-Vlanif20] quit
# Configure P.
[HUAWEI] sysname P
[P-Vlanif20] quit
[P-Vlanif30] quit
# Configure PE2.
[PE2] vlan batch 30
[PE2-Vlanif30] quit
Step 2 Configure selective QinQ on interfaces of each Switch and specify the VLANs allowed by the
interfaces.
[Switch1] vlan 100
[Switch1] interface gigabitethernet2/0/0
[Switch1-GigabitEthernet2/0/0] port hybrid tagged vlan 100
[Switch1-GigabitEthernet1/0/0] port vlan-stacking vlan 10 stack-vlan 100

[Switch2] vlan 100

Step 3 Configure an IGP, for example, OSPF, on the MPLS backbone network.
# Configure PE1.
[PE1] ospf 1
[PE1-ospf-1] area 0
[PE1-ospf-1] quit
# Configure P.
[P-LoopBack1] quit
[P] ospf 1
[P-ospf-1] area 0
[P-ospf-1] quit
# Configure PE2.
[PE2] ospf 1
[PE2-ospf-1] area 0
[PE2-ospf-1] quit

Neighbors


DR: 10.1.1.2 BDR: 10.1.1.1 MTU: 0

------------------------------------------------------------------------------

2.2.2.2/32 OSPF 10 1 D 10.1.1.2 Vlanif20
3.3.3.3/32 OSPF 10 2 D 10.1.1.2 Vlanif20
10.1.1.0/24 Direct 0 0 D 10.1.1.1 Vlanif20
10.1.1.1/32 Direct 0 0 D 127.0.0.1 Vlanif20
10.2.2.0/24 OSPF 10 2 D 10.1.1.2 Vlanif20
Step 4 Enable basic MPLS functions and MPLS LDP on the MPLS backbone network.
# Configure PE1.
[PE1] mpls
[PE1-mpls] quit
[PE1] mpls ldp
[PE1-mpls-ldp] quit
[PE1-Vlanif20] mpls
[PE1-Vlanif20] quit
# Configure P.
[P] mpls
[P-mpls] quit
[P] mpls ldp
[P-mpls-ldp] quit
[P-Vlanif20] mpls
[P-Vlanif20] quit
[P-Vlanif30] mpls
[P-Vlanif30] quit
# Configure PE2.
[PE2] mpls
[PE2-mpls] quit
[PE2] mpls ldp
[PE2-mpls-ldp] quit
[PE2-Vlanif30] mpls
[PE2-Vlanif30] quit
Step 5 Set up a remote LDP session between PEs.
# Configure PE1.


# Configure PE2.
view the LDP session setup. You can see an LDP session has been set up between PE1 and
PE2.

------------------------------------------------------------------------------
------------------------------------------------------------------------------
------------------------------------------------------------------------------
Step 6 Enable MPLS L2VPN on PEs and set up VC connections.

# On PE1, create a VC connection on GigabitEthernet1/0/0.1 connected to Switch1.
[PE1] mpls l2vpn
[PE1-l2vpn] quit
[PE1-GigabitEthernet1/0/0.1] qinq termination pe-vid 100 ce-vid 10

[PE2] mpls l2vpn
[PE2-l2vpn] quit

Check the L2VPN connections on PEs. You can see that an L2VC connection has been set up
and is in Up state.
session state : up
AC status : up

VC state : up
Label state : 0
Token state : 0
VC ID : 101
VC type : VLAN
VCCV State : up
link state : up
Access-port : false
VC last up time : 2010/10/09 19:26:37
CKey : 8
NKey : 3
Service Class : --
Color : --
DomainId : --
Domain Name : --

The following is the display on CE1:
[CE1] ping 10.10.10.2


0.00% packet loss

----End
Configuration Files
#
sysname CE1
#
vlan batch 10
#
interface Vlanif10
ip address 10.10.10.1 255.255.255.0
#
#
return

#
sysname Switch1
#
vlan batch 100
#
port vlan-stacking vlan 10 stack-vlan 100
#
#
return

#
sysname PE1
#
router id 1.1.1.1
#
vcmp role
silent
#
vlan batch 20
#
mpls lsr-id 1.1.1.1
mpls
#
mpls l2vpn
#
mpls ldp
#
remote-ip 3.3.3.3
#
interface Vlanif20
ip address 10.1.1.1 255.255.255.0
mpls
mpls ldp
#
#

qinq termination pe-vid 100 ce-vid 10
mpls l2vc 3.3.3.3 101
#
#
interface LoopBack1
ip address 1.1.1.1 255.255.255.255
#
ospf 1
area 0.0.0.0
network 1.1.1.1 0.0.0.0
network 10.1.1.0 0.0.0.255
#
return
#
sysname P
#
router id 2.2.2.2
#
vlan batch 20 30
#
mpls lsr-id 2.2.2.2
mpls
#
mpls ldp
#
interface Vlanif20
ip address 10.1.1.2 255.255.255.0
mpls
mpls ldp
#
interface Vlanif30
ip address 10.2.2.2 255.255.255.0
mpls
mpls ldp
#
#
#
interface LoopBack1
ip address 2.2.2.2 255.255.255.255
#
ospf 1
area 0.0.0.0
network 2.2.2.2 0.0.0.0
network 10.1.1.0 0.0.0.255
network 10.2.2.0 0.0.0.255
#
return
#
sysname PE2
#
router id 3.3.3.3
#
vcmp role

silent
#
vlan batch 30
#
mpls lsr-id 3.3.3.3
mpls
#
mpls l2vpn
#
mpls ldp
#
remote-ip 1.1.1.1
#
interface Vlanif30
ip address 10.2.2.1 255.255.255.0
mpls
mpls ldp
#
#
#
mpls l2vc 1.1.1.1 101
#
interface LoopBack1
ip address 3.3.3.3 255.255.255.255
#
ospf 1
area 0.0.0.0
network 3.3.3.3 0.0.0.0
network 10.2.2.0 0.0.0.255
#
return
#
sysname Switch2
#
vlan batch 100
#
#
#
return
#
sysname CE2
#
vlan batch 10
#
interface Vlanif10
ip address 10.10.10.2 255.255.255.0
#

#
return
8.7.5 Example for Connecting Dot1q Termination Sub-interfaces

to a VPLS Network
In the network example shown in Figure 8-11, VPLS is enabled on PE1 and PE2. CE1 is
connected to PE1 and CE2 is connected to PE2. CE1 and CE2 are on the same VPLS
network. PWs are established by using LDP as the VPLS signaling protocol, and VPLS is
configured to connect CE1 and CE2.
Figure 8-11 Networking diagram for connecting Dot1q termination sub-interfaces to a VPLS
network
1.1.1.1/32 2.2.2.2/32 3.3.3.3/32
GE 1/0/0 GE 2/0/0
PE 1 PE 2
GE 2/0/0 GE1/0/0
GE1/0/0 P GE 2/0/0
GE1/0/0 GE 1/0/0
CE 1 CE 2
- Loopback1 - 1.1.1.1/32
- Loopback1 - 3.3.3.3/32
- Loopback1 - 2.2.2.2/32

1. Configure a routing protocol on the backbone network to implement interworking
between devices.
2. Configure Dot1q sub-interfaces on PE interfaces connected to CEs so that the Dot1q
sub-interfaces can connect to the VPLS network.
3. Set up a remote LDP session between PEs.
4. Establish tunnels between PEs to transmit service data.
6. Create VSIs on PEs and specify the signaling protocol as LDP.
NOTE
Procedure
Step 1 Configure the VLAN to which each interface belongs and assign IP addresses to VLANIF
interfaces according to Figure 8-11.
NOTE
l The AC-side and PW-side physical interfaces of a PE cannot be added to the same VLAN;
otherwise, a loop may occur.
l Ensure that each packet sent from a CE to a PE carries a VLAN tag.
# Configure CE1.
[CE1] vlan batch 10
[CE1-Vlanif10] quit
# Configure CE2.
[CE2] vlan batch 10
[CE2-Vlanif10] quit
# Configure PE1.
[PE1] vlan batch 20


[PE1-Vlanif20] quit
# Configure P.
[HUAWEI] sysname P
[P-Vlanif20] quit
[P-Vlanif30] quit
# Configure PE2.
[PE2] vlan batch 30
[PE2-Vlanif30] quit
Step 2 Configure an IGP, for example, OSPF.
# Configure PE1.
[PE1] ospf 1
[PE1-ospf-1] area 0
[PE1-ospf-1] quit
# Configure P.
[P-LoopBack1] quit
[P] ospf 1
[P-ospf-1] area 0
[P-ospf-1] quit

# Configure PE2.
[PE2] ospf 1
[PE2-ospf-1] area 0
[PE2-ospf-1] quit
and PE2. You can view the routes that PE1, P, and PE2 have learned from each other. The
following is the display on PE1:
------------------------------------------------------------------------------

2.2.2.2/32 OSPF 10 1 D 4.4.4.5 Vlanif20
3.3.3.3/32 OSPF 10 2 D 4.4.4.5 Vlanif20
4.4.4.0/24 Direct 0 0 D 4.4.4.4 Vlanif20
4.4.4.4/32 Direct 0 0 D 127.0.0.1 Vlanif20
5.5.5.0/24 OSPF 10 2 D 4.4.4.5 Vlanif20
Step 3 Configure basic MPLS functions and MPLS LDP.

# Configure PE1.
[PE1] mpls
[PE1-mpls] quit
[PE1] mpls ldp
[PE1-mpls-ldp] quit
[PE1-Vlanif20] mpls
[PE1-Vlanif20] quit
# Configure P.
[P] mpls
[P-mpls] quit
[P] mpls ldp
[P-mpls-ldp] quit
[P-Vlanif20] mpls
[P-Vlanif20] quit
[P-Vlanif30] mpls
[P-Vlanif30] quit
# Configure PE2.
[PE2] mpls
[PE2-mpls] quit

[PE2] mpls ldp

[PE2-mpls-ldp] quit
[PE2-Vlanif30] mpls
[PE2-Vlanif30] quit
and PE2. You can see that the peer relationships are set up between PE1 and P, and between P
and PE2. The status of the peer relationship is Operational. Run the display mpls ldp
command to view the MPLS LDP configuration. The following is the display on PE1:

------------------------------------------------------------------------------
------------------------------------------------------------------------------
------------------------------------------------------------------------------
# Configure PE1.
# Configure PE2.
PE2. You can see that the status of the peer relationship between PE1 and PE2 is
Operational.

------------------------------------------------------------------------------
------------------------------------------------------------------------------
------------------------------------------------------------------------------
Step 5 Enable MPLS L2VPN on PEs.
# Configure PE1.
[PE1] mpls l2vpn
[PE1-l2vpn] quit
# Configure PE2.
[PE2] mpls l2vpn
[PE2-l2vpn] quit

Step 6 Configure VSIs on PEs.

# Configure PE1.
[PE1] vsi a2 static
[PE1-vsi-a2] quit
# Configure PE2.
[PE2] vsi a2 static
[PE2-vsi-a2] quit
Step 7 Bind interfaces to VSIs on PEs.

# Configure PE1.
[PE1-GigabitEthernet1/0/0.1] l2 binding vsi a2
# Configure PE2.

You can see that the VSI a2 sets up a PW to PE2 and the VSI status is Up.
***VSI Name : a2
VSI Index : 0
PW Signaling : ldp
MTU : 1500
Mpls Exp : --
DomainId : 255
Domain Name :
P2P VSI : disable
VSI State : up

VSI ID : 2
VC Label : 23552
Peer Type : dynamic
Session : up
Tunnel ID : 0x22
CKey : 2
NKey : 1
Stp Enable : 0
PwIndex : 0
Interface Name : gigabitethernet1/0/0.1

State : up
Access Port : false
Last Up Time : 2010/12/30 11:31:18
**PW Information:

PW State : up
PW Type : label
Tunnel ID : 0x22
Ckey : 0x2
Nkey : 0x1
Main PW Token : 0x22
Tnl Type : LSP
Stp Enable : 0
PW Last Up Time : 2010/12/30 11:32:03

[CE1] ping 10.1.1.2

0.00% packet loss
----End
Configuration Files

#
sysname CE1
#
vlan batch 10
#
interface Vlanif10
ip address 10.1.1.1 255.255.255.0
#
#
return
#
sysname CE2
#
vlan batch 10
#
interface Vlanif10
ip address 10.1.1.2 255.255.255.0
#
#
return
#
sysname PE1
#
router id 1.1.1.1
#
vcmp role
silent
#
vlan batch 20
#
mpls lsr-id 1.1.1.1
mpls
#
mpls l2vpn
#
vsi a2 static
pwsignal ldp
vsi-id 2
peer 3.3.3.3
#
mpls ldp
#
remote-ip 3.3.3.3
#
interface Vlanif20
ip address 4.4.4.4 255.255.255.0
mpls
mpls ldp
#
#
l2 binding vsi a2
#


#
interface LoopBack1
ip address 1.1.1.1 255.255.255.255
#
ospf 1
area 0.0.0.0
network 1.1.1.1 0.0.0.0
network 4.4.4.0 0.0.0.255
#
return
#
sysname P
#
router id 2.2.2.2
#
vlan batch 20 30
#
mpls lsr-id 2.2.2.2
mpls
#
mpls ldp
#
interface Vlanif20
ip address 4.4.4.5 255.255.255.0
mpls
mpls ldp
#
interface Vlanif30
ip address 5.5.5.4 255.255.255.0
mpls
mpls ldp
#
#
#
interface LoopBack1
ip address 2.2.2.2 255.255.255.255
#
ospf 1
area 0.0.0.0
network 2.2.2.2 0.0.0.0
network 4.4.4.0 0.0.0.255
network 5.5.5.0 0.0.0.255
#
return
#
sysname PE2
#
router id 3.3.3.3
#
vcmp role
silent
#
vlan batch 30
#
mpls lsr-id 3.3.3.3
mpls
#

mpls l2vpn
#
vsi a2 static
pwsignal ldp
vsi-id 2
peer 1.1.1.1
#
mpls ldp
#
remote-ip 1.1.1.1
#
interface Vlanif30
ip address 5.5.5.5 255.255.255.0
mpls
mpls ldp
#
#
#
l2 binding vsi a2
#
interface LoopBack1
ip address 3.3.3.3 255.255.255.255
#
ospf 1
area 0.0.0.0
network 3.3.3.3 0.0.0.0
network 5.5.5.0 0.0.0.255
#
return

to a VPLS Network
In the network example shown in Figure 8-12, VPLS is enabled on PE1 and PE2. CE1
connects to PE1 through Switch1 and CE2 connects to PE2 through Switch2. CE1 and CE2
are on the same VPLS network. PWs are established by using LDP as the VPLS signaling
protocol, and VPLS is configured to connect CE1 and CE2.
A switch connected to multiple CEs can add the same VLAN tag to the packets from those
CEs, thereby saving VLAN IDs on the public network.

Figure 8-12 Networking diagram for connecting QinQ termination sub-interfaces to a VPLS
network

1.1.1.1/32 2.2.2.2/32 3.3.3.3/32
GE2/0/0 GE2/0/0
PE1 PE2
GE1/0/0 GE1/0/0
GE1/0/0 P GE2/0/0
GE2/0/0 GE2/0/0
Switch1 Switch2
GE1/0/0 GE1/0/0
GE1/0/0 GE1/0/0
CE1 CE2
- Loopback1 - 1.1.1.1/32
- Loopback1 - 3.3.3.3/32
- Loopback1 - 2.2.2.2/32
between devices.
2. Configure selective QinQ on Switch interfaces connected to CEs.
6. Create VSIs on PEs and specify the signaling protocol as LDP.

7. Configure QinQ termination sub-interfaces on PE interfaces connected to the Switch so

that QinQ interfaces can connect to the VPLS network.
NOTE
Procedure
Step 1 Configure the VLAN to which each interface belongs according to Figure 8-12, and assign IP
addresses to VLANIF interfaces.
NOTE
l Ensure that each packet sent from a CE to the Switch carries a single VLAN tag.
# Configure CE1.
[CE1] vlan batch 10
[CE1-Vlanif10] quit
# Configure CE2.
[CE2] vlan batch 10
[CE2-Vlanif10] quit
# Configure PE1.
[PE1] vlan batch 20
[PE1-Vlanif20] quit
# Configure P.
[HUAWEI] sysname P


[P-Vlanif20] quit
[P-Vlanif30] quit
# Configure PE2.
[PE2] vlan batch 30
[PE2-Vlanif30] quit
Step 2 Configure selective QinQ on interfaces of the Switch and specify the VLANs allowed by the
interfaces.
[Switch1] vlan 100
[Switch2] vlan 100
Step 3 Configure an IGP, for example, OSPF.

# Configure PE1.


[PE1] ospf 1
[PE1-ospf-1] area 0
[PE1-ospf-1] quit
# Configure P.
[P-LoopBack1] quit
[P] ospf 1
[P-ospf-1] area 0
[P-ospf-1] quit
# Configure PE2.
[PE2] ospf 1
[PE2-ospf-1] area 0
[PE2-ospf-1] quit
------------------------------------------------------------------------------

2.2.2.2/32 OSPF 10 1 D 4.4.4.5 Vlanif20
3.3.3.3/32 OSPF 10 2 D 4.4.4.5 Vlanif20
4.4.4.0/24 Direct 0 0 D 4.4.4.4 Vlanif20
4.4.4.4/32 Direct 0 0 D 127.0.0.1 Vlanif20
5.5.5.0/24 OSPF 10 2 D 4.4.4.5 Vlanif20
Step 4 Configure basic MPLS functions and MPLS LDP.

# Configure PE1.
[PE1] mpls
[PE1-mpls] quit
[PE1] mpls ldp
[PE1-mpls-ldp] quit
[PE1-Vlanif20] mpls
[PE1-Vlanif20] quit

# Configure P.
[P] mpls
[P-mpls] quit
[P] mpls ldp
[P-mpls-ldp] quit
[P-Vlanif20] mpls
[P-Vlanif20] quit
[P-Vlanif30] mpls
[P-Vlanif30] quit
# Configure PE2.
[PE2] mpls
[PE2-mpls] quit
[PE2] mpls ldp
[PE2-mpls-ldp] quit
[PE2-Vlanif30] mpls
[PE2-Vlanif30] quit

------------------------------------------------------------------------------
------------------------------------------------------------------------------
------------------------------------------------------------------------------

# Configure PE1.
# Configure PE2.
PE2. You can see that the status of the peer relationship between PE1 and PE2 is Operational.

------------------------------------------------------------------------------


------------------------------------------------------------------------------
------------------------------------------------------------------------------

# Configure PE1.
[PE1] mpls l2vpn
[PE1-l2vpn] quit
# Configure PE2.
[PE2] mpls l2vpn
[PE2-l2vpn] quit
Step 7 Configure VSIs on PEs.

# Configure PE1.
[PE1] vsi a2 static
[PE1-vsi-a2] quit
# Configure PE2.
[PE2] vsi a2 static
[PE2-vsi-a2] quit
Step 8 Bind interfaces to VSIs on PEs.

# Configure PE1.
# Configure PE2.


***VSI Name : a2
VSI Index : 0
PW Signaling : ldp
MTU : 1500
Mpls Exp : --
DomainId : 255
Domain Name :
P2P VSI : disable
VSI State : up
VSI ID : 2
VC Label : 23552
Peer Type : dynamic
Session : up
Tunnel ID : 0x22
CKey : 2
NKey : 1
Stp Enable : 0
PwIndex : 0

State : up
Access Port : false
Last Up Time : 2010/12/30 11:31:18
**PW Information:

PW State : up
PW Type : label
Tunnel ID : 0x22
Ckey : 0x2
Nkey : 0x1
Tnl Type : LSP
Stp Enable : 0
PW Last Up Time : 2010/12/30 11:32:03

[CE1] ping 10.1.1.2



0.00% packet loss
----End
Configuration Files
#
sysname CE1
#
vlan batch 10
#
interface Vlanif10
ip address 10.1.1.1 255.255.255.0
#
#
return

#
sysname CE2
#
vlan batch 10
#
interface Vlanif10
ip address 10.1.1.2 255.255.255.0
#
#
return

#
sysname Switch1
#
vlan batch 100
#
#
#
return

#
sysname Switch2
#
vlan batch 100
#

#
#
return
#
sysname PE1
#
router id 1.1.1.1
#
vcmp role
silent
#
vlan batch 20
#
mpls lsr-id 1.1.1.1
mpls
#
mpls l2vpn
#
vsi a2 static
pwsignal ldp
vsi-id 2
peer 3.3.3.3
#
mpls ldp
#
remote-ip 3.3.3.3
#
interface Vlanif20
ip address 4.4.4.4 255.255.255.0
mpls
mpls ldp
#
#
l2 binding vsi a2
#
#
interface LoopBack1
ip address 1.1.1.1 255.255.255.255
#
ospf 1
area 0.0.0.0
network 1.1.1.1 0.0.0.0
network 4.4.4.0 0.0.0.255
#
return
#
sysname P
#
router id 2.2.2.2
#

vlan batch 20 30
#
mpls lsr-id 2.2.2.2
mpls
#
mpls ldp
#
interface Vlanif20
ip address 4.4.4.5 255.255.255.0
mpls
mpls ldp
#
interface Vlanif30
ip address 5.5.5.4 255.255.255.0
mpls
mpls ldp
#
#
#
interface LoopBack1
ip address 2.2.2.2 255.255.255.255
#
ospf 1
area 0.0.0.0
network 2.2.2.2 0.0.0.0
network 4.4.4.0 0.0.0.255
network 5.5.5.0 0.0.0.255
#
return
#
sysname PE2
#
router id 3.3.3.3
#
vcmp role
silent
#
vlan batch 30
#
mpls lsr-id 3.3.3.3
mpls
#
mpls l2vpn
#
vsi a2 static
pwsignal ldp
vsi-id 2
peer 1.1.1.1
#
mpls ldp
#
remote-ip 1.1.1.1
#
interface Vlanif30
ip address 5.5.5.5 255.255.255.0
mpls
mpls ldp
#


#
#
l2 binding vsi a2
#
interface LoopBack1
ip address 3.3.3.3 255.255.255.255
#
ospf 1
area 0.0.0.0
network 3.3.3.3 0.0.0.0
network 5.5.5.0 0.0.0.255
#
return
8.7.7 Example for Connecting Dot1q Termination Sub-interfaces

to an L3VPN
In the network example shown in Figure 8-13, CE1 and CE3 belong to VPN-A, and CE2 and
CE4 belong to VPN-B. The VPN targets of VPN-A and VPN-B are 111:1 and 222:2
respectively. Users in different VPNs cannot communicate with each other.

Figure 8-13 Networking diagram for connecting Dot1q termination sub-interfaces to an

L3VPN
VPN-A AS: 65410 AS: 65430 VPN-A
CE1 CE3
GE1/0/0 GE1/0/0
Loopback1
2.2.2.2/32
GE1/0/0 GE1/0/0
PE1 PE2
Loopback1 GE1/0/0 GE2/0/0 Loopback1
1.1.1.1/32 GE3/0/0 GE3/0/0 3.3.3.3/32
GE2/0/0 P GE2/0/0
MPLS backbone
AS: 100
GE1/0/0 GE1/0/0
CE2 CE4
VPN-B VPN-B
AS: 65420 AS: 65440
Switch Interface Layer 3 Interface IP Address
PE1 GigabitEthernet1/0/0 GigabitEthernet1/0/0.1 10.1.1.2/24
- GigabitEthernet2/0/0 GigabitEthernet2/0/0.1 10.2.1.2/24
- GigabitEthernet3/0/0 VLANIF30 7.7.7.7/24
P GigabitEthernet1/0/0 VLANIF30 7.7.7.8/24
CE1 GigabitEthernet1/0/0 VLANIF10 10.1.1.1/24
1. Configure VPN instances on PEs connected to CEs on the backbone network, bind
interfaces connected to CEs to VPN instances, and assign IP addresses to interfaces
connected to CEs.

2. Configure OSPF on PEs to implement interworking between PEs.

3. Configure basic MPLS functions and MPLS LDP, and set up MPLS LSPs.
4. Configure the Multi-protocol Extensions for Interior Border Gateway Protocol (MP-
IBGP) on PEs to exchange VPN routing information.
5. Configure EBGP on CEs and PEs to exchange VPN routing information.
6. Configure Dot1q sub-interfaces on PE interfaces connected to CEs to connect the Dot1q
sub-interfaces to the L3VPN.
NOTE
Procedure
Step 1 Configure an IGP, for example, OSPF, on the MPLS backbone network so that PEs and the P
# Configure PE1.
[PE1] vlan batch 30
[PE1-GigabitEthernet3/0/0] port hybrid untagged vlan 30
[PE1-Vlanif30] quit
[PE1] ospf
[PE1-ospf-1] area 0
[PE1-ospf-1] quit
# Configure P.
[HUAWEI] sysname P
[P-LoopBack1] quit
[P-GigabitEthernet1/0/0] port hybrid untagged vlan 30
[P-Vlanif30] quit

[P-Vlanif60] quit
[P] ospf
[P-ospf-1] area 0
[P-ospf-1] quit
# Configure PE2.
[PE2] vlan batch 60
[PE2-Vlanif60] quit
[PE2] ospf
[PE2-ospf-1] area 0
[PE2-ospf-1] quit
After the configuration is complete, PE1, P, and PE2 can establish OSPF neighbor
relationships. Run the display ospf peer command. You can see that the OSPF neighbor
relationship status is Full. Run the display ip routing-table command. You can see that the
PEs learn each others routes to the Loopback1 interface.
------------------------------------------------------------------------------

2.2.2.2/32 OSPF 10 1 D 7.7.7.8 Vlanif30
3.3.3.3/32 OSPF 10 2 D 7.7.7.8 Vlanif30
6.6.6.0/24 OSPF 10 2 D 7.7.7.8 Vlanif30
7.7.7.0/24 Direct 0 0 D 7.7.7.7 Vlanif30
7.7.7.7/32 Direct 0 0 D 127.0.0.1 Vlanif30

Neighbors

DR: 7.7.7.8 BDR: 7.7.7.7 MTU: 0

Step 2 Configure basic MPLS functions, enable MPLS LDP, and establish LDP LSPs on the MPLS
backbone network.
# Configure PE1.
[PE1] mpls
[PE1-mpls] quit
[PE1] mpls ldp
[PE1-mpls-ldp] quit
[PE1-Vlanif30] mpls
[PE1-Vlanif30] quit
# Configure P.
[P] mpls
[P-mpls] quit
[P] mpls ldp
[P-mpls-ldp] quit
[P-Vlanif30] mpls
[P-Vlanif30] quit
[P-Vlanif60] mpls
[P-Vlanif60] quit
# Configure PE2.
[PE2] mpls
[PE2-mpls] quit
[PE2] mpls ldp
[PE2-mpls-ldp] quit
[PE2-Vlanif60] mpls
[PE2-Vlanif60] quit
After the configuration is complete, LDP sessions can be set up between PE1 and the P, and
between the P and PE2. Run the display mpls ldp session command. You can see that the
Status field is Operational. Run the display mpls ldp lsp command to view the MPLS LDP
configuration.

------------------------------------------------------------------------------
------------------------------------------------------------------------------
------------------------------------------------------------------------------
[PE1] display mpls ldp lsp
LDP LSP Information

-------------------------------------------------------------------------------
DestAddress/Mask In/OutLabel UpstreamPeer NextHop OutInterface
-------------------------------------------------------------------------------

1.1.1.1/32 3/NULL 2.2.2.2 127.0.0.1 InLoop0

*1.1.1.1/32 Liberal/1024 DS/2.2.2.2
2.2.2.2/32 NULL/3 - 7.7.7.8 Vlanif30
2.2.2.2/32 1024/3 2.2.2.2 7.7.7.8 Vlanif30
3.3.3.3/32 NULL/1025 - 7.7.7.8 Vlanif30
3.3.3.3/32 1025/1025 2.2.2.2 7.7.7.8 Vlanif30
-------------------------------------------------------------------------------
TOTAL: 5 Normal LSP(s) Found.
TOTAL: 1 Liberal LSP(s) Found.
TOTAL: 0 Frr LSP(s) Found.
A '*' before an LSP means the LSP is not established
A '*' before a Label means the USCB or DSCB is stale
A '*' before a UpstreamPeer means the session is stale
A '*' before a DS means the session is stale
A '*' before a NextHop means the LSP is FRR LSP
Step 3 Configure a VPN instance on each PE and connect CEs to PEs.

# Configure PE1.
[PE1] ip vpn-instance vpna
[PE1-vpn-instance-vpna] route-distinguisher 100:1
[PE1-vpn-instance-vpna-af-ipv4] vpn-target 111:1 both
[PE1-vpn-instance-vpna-af-ipv4] quit
[PE1-vpn-instance-vpna] quit
[PE1] ip vpn-instance vpnb
[PE1-vpn-instance-vpnb] route-distinguisher 100:2
[PE1-vpn-instance-vpnb-af-ipv4] vpn-target 222:2 both
[PE1-vpn-instance-vpnb-af-ipv4] quit
[PE1-vpn-instance-vpnb] quit
[PE1-GigabitEthernet1/0/0.1] ip binding vpn-instance vpna
[PE1-GigabitEthernet1/0/0.1] ip address 10.1.1.2 24
[PE1-GigabitEthernet1/0/0.1] arp broadcast enable
[PE1-GigabitEthernet2/0/0.1] ip binding vpn-instance vpnb
# Configure PE2.


# Assign IP addresses to interfaces on CE1 according to Figure 8-13. The configurations of

CE2, CE3, and CE4 are the same as the configuration of CE1, and are not mentioned here.
[CE1] vlan batch 10
[CE1-GigabitEthernet1/0/0] port link-type hybrid
[CE1-GigabitEthernet1/0/0] port hybrid pvid vlan 10
[CE1-GigabitEthernet1/0/0] port hybrid tagged vlan 10
[CE1-Vlanif10] quit
After the configuration is complete, run the display ip vpn-instance verbose command on
PEs to view the configurations of VPN instances. Each PE can successfully ping its connected
CE.
NOTE
If multiple interfaces of a PE are bound to the same VPN instance, run the ping -vpn-instance vpn-
instance-name -a source-ip-address dest-ip-address command with -a source-ip-address specified to
ping the CE connected to the remote PE. Otherwise, the ping operation may fail.

[PE1] display ip vpn-instance verbose
Total VPN-Instances configured : 2
Total IPv4 VPN-Instances configured : 2
VPN-Instance Name and ID : vpna, 1

Interfaces : Gigabitethernet1/0/0.1
Address family ipv4
Create date : 2013-08-28 21:01:00+00:00
Up time : 0 days, 22 hours, 24 minutes and 53 seconds
Route Distinguisher : 100:1
Export VPN Targets : 111:1
Import VPN Targets : 111:1
Label Policy : label per instance
Per-Instance Label : 4098
Log Interval : 5
VPN-Instance Name and ID : vpnb, 2

Address family ipv4
Create date : 2013-08-28 21:01:00+00:00
Log Interval : 5
[PE1] ping -vpn-instance vpna 10.1.1.1



0.00% packet loss
Step 4 Set up EBGP peer relationships between PEs and CEs and configure CEs to import VPN
routes.
# Configure CE1. The configurations of CE2, CE3, and CE4 are the same as the configuration
of CE1, and are not mentioned here.
[CE1] bgp 65410
[CE1-bgp] peer 10.1.1.2 as-number 100
[CE1-bgp] import-route direct
# Configure PE1. The configuration of PE2 is the same as the configuration of PE1, and is not
mentioned here.
[PE1] bgp 100
[PE1-bgp] ipv4-family vpn-instance vpna
[PE1-bgp-vpna] peer 10.1.1.1 as-number 65410
[PE1-bgp-vpna] import-route direct
[PE1-bgp-vpna] quit
[PE1-bgp] ipv4-family vpn-instance vpnb
[PE1-bgp-vpnb] peer 10.2.1.1 as-number 65420
[PE1-bgp-vpnb] import-route direct
[PE1-bgp-vpnb] quit
[PE1-bgp] quit
After the configuration is complete, run the display bgp vpnv4 vpn-instance peer command
on PEs. You can see that BGP peer relationships between PEs and CEs have been established
and are in the Established state.
The following is the peer relationship between PE1 and CE1:
[PE1] display bgp vpnv4 vpn-instance vpna peer
BGP local router ID : 1.1.1.1

Local AS number : 100
VPN-Instance vpna, Router ID 1.1.1.1:

Total number of peers : 1 Peers in established state : 1
Peer V AS MsgRcvd MsgSent OutQ Up/Down State

PrefRcv
10.1.1.1 4 65410 11 9 0 00:07:25 Established

1
Step 5 Set up an MP-IBGP peer relationship between PEs.

# Configure PE1.
[PE1] bgp 100
[PE1-bgp] peer 3.3.3.3 as-number 100
[PE1-bgp] peer 3.3.3.3 connect-interface loopback 1
[PE1-bgp] ipv4-family vpnv4
[PE1-bgp-af-vpnv4] peer 3.3.3.3 enable
[PE1-bgp-af-vpnv4] quit
[PE1-bgp] quit
# Configure PE2.

[PE2] bgp 100

[PE2-bgp] quit
After the configuration is complete, run the display bgp peer or display bgp vpnv4 all peer
command on PEs. You can see that the BGP peer relationships have been established between
the PEs.
[PE1] display bgp peer

Peer V AS MsgRcvd MsgSent OutQ Up/Down

State PrefRcv
3.3.3.3 4 100 12 6 0 00:02:21

Established 0
[PE1] display bgp vpnv4 all peer


PrefRcv
3.3.3.3 4 100 12 18 0 00:09:38 Established 0

Peer of IPv4-family for vpn instance :

10.1.1.1 4 65410 25 25 0 00:17:57 Established 1
VPN-Instance vpnb, Router ID 1.1.1.1:
10.2.1.1 4 65420 21 22 0 00:17:10 Established 1

Run the display ip routing-table vpn-instance command on a PE. You can view the routes to
the remote CE.
[PE1] display ip routing-table vpn-instance vpna
------------------------------------------------------------------------------
Routing Tables: vpna
10.1.1.0/24 Direct 0 0 D 10.1.1.2

Gigabitethernet1/0/0.1
10.1.1.2/32 Direct 0 0 D 127.0.0.1
10.3.1.0/24 IBGP 255 0 RD 3.3.3.3 Vlanif30
[PE1] display ip routing-table vpn-instance vpnb
------------------------------------------------------------------------------
Routing Tables: vpnb
10.2.1.0/24 Direct 0 0 D 10.2.1.2

10.2.1.2/32 Direct 0 0 D 127.0.0.1
10.4.1.0/24 IBGP 255 0 RD 3.3.3.3 Vlanif30
CEs in the same VPN can successfully ping each other but CEs in different VPNs cannot.
For example, CE1 can successfully ping CE3 at 10.3.1.1 but cannot ping CE4 at 10.4.1.1.
[CE1] ping 10.3.1.1
0.00% packet loss
[CE1] ping 10.4.1.1
Request time out
Request time out
Request time out
Request time out
Request time out
100.00% packet loss
----End
Configuration Files
#
sysname PE1
#
router id 1.1.1.1
#
vcmp role
silent
#
vlan batch 30
#
ip vpn-instance vpna
ipv4-family
route-distinguisher 100:1
vpn-target 111:1 export-extcommunity
vpn-target 111:1 import-extcommunity
#
ip vpn-instance vpnb
ipv4-family
#
mpls lsr-id 1.1.1.1
mpls
#
mpls ldp
#
interface Vlanif30
ip address 7.7.7.7 255.255.255.0
mpls

mpls ldp
#
#
ip binding vpn-instance vpna
ip address 10.1.1.2 255.255.255.0
#
#
ip binding vpn-instance vpnb
ip address 10.2.1.2 255.255.255.0
#
#
interface LoopBack1
ip address 1.1.1.1 255.255.255.255
#
bgp 100
peer 3.3.3.3 as-number 100
peer 3.3.3.3 connect-interface LoopBack1
#
ipv4-family unicast
undo synchronization
peer 3.3.3.3 enable
#
ipv4-family vpnv4
policy vpn-target
peer 3.3.3.3 enable
#
ipv4-family vpn-instance vpna
import-route direct
#
ipv4-family vpn-instance vpnb
import-route direct
#
ospf 1
area 0.0.0.0
network 1.1.1.1 0.0.0.0
network 7.7.7.0 0.0.0.255
#
return
#
sysname P
#
router id 2.2.2.2
#
vlan batch 30 60
#
mpls lsr-id 2.2.2.2
mpls
#
mpls ldp
#
interface Vlanif30
ip address 7.7.7.8 255.255.255.0

mpls
mpls ldp
#
interface Vlanif60
ip address 6.6.6.6 255.255.255.0
mpls
mpls ldp
#
#
#
interface LoopBack1
ip address 2.2.2.2 255.255.255.255
#
ospf 1
area 0.0.0.0
network 2.2.2.2 0.0.0.0
network 6.6.6.0 0.0.0.255
network 7.7.7.0 0.0.0.255
#
return
#
sysname PE2
#
router id 3.3.3.3
#
vcmp role
silent
#
vlan batch 60
#
ipv4-family
#
ipv4-family
#
mpls lsr-id 3.3.3.3
mpls
#
mpls ldp
#
interface Vlanif60
ip address 6.6.6.7 255.255.255.0
mpls
mpls ldp
#
#
ip address 10.3.1.2 255.255.255.0

#
#
ip address 10.4.1.2 255.255.255.0
#
#
interface LoopBack1
ip address 3.3.3.3 255.255.255.255
#
bgp 100
#
ipv4-family unicast
peer 1.1.1.1 enable
#
ipv4-family vpnv4
policy vpn-target
peer 1.1.1.1 enable
#
import-route direct
#
import-route direct
#
ospf 1
area 0.0.0.0
network 3.3.3.3 0.0.0.0
network 6.6.6.0 0.0.0.255
#
return
#
sysname CE1
#
vlan batch 10
#
interface Vlanif10
ip address 10.1.1.1 255.255.255.0
#
#
bgp 65410
#
ipv4-family unicast
import-route direct
peer 10.1.1.2 enable
#
return

#
sysname CE2
#
vlan batch 20
#
interface Vlanif20
ip address 10.2.1.1 255.255.255.0
#
#
bgp 65420
#
ipv4-family unicast
import-route direct
#
return
#
sysname CE3
#
vlan batch 10
#
interface Vlanif10
ip address 10.3.1.1 255.255.255.0
#
#
bgp 65430
#
ipv4-family unicast
import-route direct
#
return
#
sysname CE4
#
vlan batch 20
#
interface Vlanif20
ip address 10.4.1.1 255.255.255.0
#
#
bgp 65440
#
ipv4-family unicast
import-route direct
#
return


to an L3VPN
In the network example shown in Figure 8-14, CE1 and CE3 belong to VPN-A, and CE2 and
CE4 belong to VPN-B. The VPN targets of VPN-A and VPN-B are 111:1 and 222:2
respectively. Users in different VPNs cannot communicate with each other.
When the Switch is connected to multiple CEs, the Switch can add the same VLAN tag to the
packets from different CEs, thereby saving VLAN IDs on the public network.
Figure 8-14 Networking diagram for connecting QinQ termination sub-interfaces to an

L3VPN
AS:
VPN-A AS: 65430 VPN-A
65410
CE1 CE3
GE1/0/0 GE1/0/0 GE1/0/0
GE1/0/0
Switch1 Loopback1 Switch3

GE2/0/0 2.2.2.2/32 GE2/0/0
GE1/0/0 PE1 PE2 GE1/0/0
Loopback1 GE1/0/0 GE2/0/0 Loopback1
1.1.1.1/32 GE3/0/0 GE3/0/0 3.3.3.3/32
GE2/0/0 P GE2/0/0
GE2/0/0 MPLS backbone GE2/0/0
Switch2 AS: 100 Switch4
GE1/0/0 GE1/0/0
GE1/0/0 GE1/0/0
CE2 CE4
VPN-B VPN-B
AS: 65420 AS: 65440

1. Configure VPN instances on PEs connected to CEs on the backbone network, bind
interfaces connected to CEs to VPN instances, and assign IP addresses to interfaces
connected to CEs.
2. Configure OSPF on PEs to implement interworking between PEs.
3. Configure basic MPLS functions and MPLS LDP, and set up MPLS LSPs.
4. Configure the Multi-protocol Extensions for Interior Border Gateway Protocol (MP-
IBGP) on PEs to exchange VPN routing information.
5. Configure EBGP on CEs and PEs to exchange VPN routing information.
6. Configure QinQ termination sub-interfaces on PE interfaces connected to the Switch, so
that the QinQ termination sub-interfaces can connect to the L3VPN.
7. Configure selective QinQ on Switch interfaces connected to CEs.
NOTE
Procedure
Step 1 Configure selective QinQ on interfaces of the Switch and specify the VLANs allowed by the
interfaces.
[Switch1] vlan 100
[Switch2] vlan 200


[Switch3] vlan 100
[Switch4] vlan 200
Step 2 Configure an IGP, for example, OSPF, on the MPLS backbone network so that PEs and the P
# Configure PE1.
[PE1] vlan batch 30
[PE1-Vlanif30] quit
[PE1] ospf
[PE1-ospf-1] area 0
[PE1-ospf-1] quit
# Configure P.

[HUAWEI] sysname P
[P-LoopBack1] quit
[P-Vlanif30] quit
[P-Vlanif60] quit
[P] ospf
[P-ospf-1] area 0
[P-ospf-1] quit
# Configure PE2.
[PE2] vlan batch 60
[PE2-Vlanif60] quit
[PE2] ospf
[PE2-ospf-1] area 0
[PE2-ospf-1] quit
After the configuration is complete, PE1, P, and PE2 can establish OSPF neighbor
relationships. Run the display ospf peer command. You can see that the OSPF neighbor
relationship status is Full. Run the display ip routing-table command. You can see that the
PEs learn each others routes to the Loopback1 interface.
------------------------------------------------------------------------------


2.2.2.2/32 OSPF 10 1 D 7.7.7.8 Vlanif30
3.3.3.3/32 OSPF 10 2 D 7.7.7.8 Vlanif30
6.6.6.0/24 OSPF 10 2 D 7.7.7.8 Vlanif30
7.7.7.0/24 Direct 0 0 D 7.7.7.7 Vlanif30
7.7.7.7/32 Direct 0 0 D 127.0.0.1 Vlanif30

Neighbors

DR: 7.7.7.8 BDR: 7.7.7.7 MTU: 0
Step 3 Configure basic MPLS functions, enable MPLS LDP, and establish LDP LSPs on the MPLS
backbone network.
# Configure PE1.
[PE1] mpls
[PE1-mpls] quit
[PE1] mpls ldp
[PE1-mpls-ldp] quit
[PE1-Vlanif30] mpls
[PE1-Vlanif30] quit
# Configure P.
[P] mpls
[P-mpls] quit
[P] mpls ldp
[P-mpls-ldp] quit
[P-Vlanif30] mpls
[P-Vlanif30] quit
[P-Vlanif60] mpls
[P-Vlanif60] quit
# Configure PE2.
[PE2] mpls
[PE2-mpls] quit
[PE2] mpls ldp
[PE2-mpls-ldp] quit
[PE2-Vlanif60] mpls
[PE2-Vlanif60] quit
After the configuration is complete, LDP sessions can be set up between PE1 and the P, and
between the P and PE2. Run the display mpls ldp session command. You can see that the

Status field is Operational. Run the display mpls ldp lsp command to view the MPLS LDP
configuration.


------------------------------------------------------------------------------
------------------------------------------------------------------------------
------------------------------------------------------------------------------
[PE1] display mpls ldp lsp
LDP LSP Information

-------------------------------------------------------------------------------
DestAddress/Mask In/OutLabel UpstreamPeer NextHop OutInterface
-------------------------------------------------------------------------------
1.1.1.1/32 3/NULL 2.2.2.2 127.0.0.1 InLoop0
*1.1.1.1/32 Liberal/1024 DS/2.2.2.2
2.2.2.2/32 NULL/3 - 7.7.7.8 Vlanif30
2.2.2.2/32 1024/3 2.2.2.2 7.7.7.8 Vlanif30
3.3.3.3/32 NULL/1025 - 7.7.7.8 Vlanif30
3.3.3.3/32 1025/1025 2.2.2.2 7.7.7.8 Vlanif30
-------------------------------------------------------------------------------
TOTAL: 5 Normal LSP(s) Found.
TOTAL: 1 Liberal LSP(s) Found.
TOTAL: 0 Frr LSP(s) Found.
A '*' before an LSP means the LSP is not established
A '*' before a Label means the USCB or DSCB is stale
A '*' before a UpstreamPeer means the session is stale
A '*' before a DS means the session is stale
A '*' before a NextHop means the LSP is FRR LSP
Step 4 Configure a VPN instance on each PE and connect CEs to PEs.
# Configure PE1.
[PE1] interface GigabitEthernet 1/0/0
[PE1] interface GigabitEthernet 1/0/0.1


# Configure PE2.
# Assign IP addresses to interfaces on CE1 according to Figure 8-14. The configurations of

CE2, CE3, and CE4 are the same as the configuration of CE1, and are not mentioned here.
[CE1] vlan batch 10
[CE1-Vlanif10] quit
After the configuration is complete, run the display ip vpn-instance verbose command on
PEs to check the VPN instance configuration. Each PE can successfully ping its connected
CE.
NOTE
If multiple interfaces of a PE are bound to the same VPN instance, run the ping -vpn-instance vpn-
instance-name -a source-ip-address dest-ip-address command with -a source-ip-address specified to
ping the CE connected to the remote PE. Otherwise, the ping operation may fail.

[PE1] display ip vpn-instance verbose
Total VPN-Instances configured : 2
VPN-Instance Name and ID : vpna, 1

Address family ipv4
Create date : 2013-08-28 21:01:00+00:00
Log Interval : 5
VPN-Instance Name and ID : vpnb, 2

Address family ipv4
Create date : 2013-08-28 21:01:00+00:00
Log Interval : 5
[PE1] ping -vpn-instance vpna 10.1.1.1

0.00% packet loss
Step 5 Set up EBGP peer relationships between PEs and CEs and configure CEs to import VPN
routes.
# Configure CE1. The configurations of CE2, CE3, and CE4 are the same as the configuration
of CE1, and are not mentioned here.
[CE1] bgp 65410
[CE1-bgp] peer 10.1.1.2 as-number 100
[CE1-bgp] import-route direct
# Configure PE1. The configuration of PE2 is the same as the configuration of PE1, and is not
mentioned here.
[PE1] bgp 100
[PE1-bgp] ipv4-family vpn-instance vpna
[PE1-bgp-vpna] peer 10.1.1.1 as-number 65410
[PE1-bgp-vpna] import-route direct
[PE1-bgp-vpna] quit
[PE1-bgp] ipv4-family vpn-instance vpnb
[PE1-bgp-vpnb] peer 10.2.1.1 as-number 65420
[PE1-bgp-vpnb] import-route direct
[PE1-bgp-vpnb] quit
[PE1-bgp] quit
After the configuration is complete, run the display bgp vpnv4 vpn-instance peer command
on PEs. You can see that BGP peer relationships between PEs and CEs have been established
and are in the Established state.
The following is the peer relationship between PE1 and CE1:
[PE1] display bgp vpnv4 vpn-instance vpna peer




PrefRcv
10.1.1.1 4 65410 11 9 0 00:07:25 Established

1
Step 6 Set up an MP-IBGP peer relationship between PEs.
# Configure PE1.
[PE1] bgp 100
[PE1-bgp] quit
# Configure PE2.
[PE2] bgp 100
[PE2-bgp] quit
After the configuration is complete, run the display bgp peer or display bgp vpnv4 all peer
command on PEs. You can see that the BGP peer relationships have been established between
the PEs.
[PE1] display bgp peer

Peer V AS MsgRcvd MsgSent OutQ Up/Down

State PrefRcv
3.3.3.3 4 100 12 6 0 00:02:21

Established 0
[PE1] display bgp vpnv4 all peer


PrefRcv
3.3.3.3 4 100 12 18 0 00:09:38 Established 0

Peer of IPv4-family for vpn instance :

10.1.1.1 4 65410 25 25 0 00:17:57 Established 1
VPN-Instance vpnb, Router ID 1.1.1.1:
10.2.1.1 4 65420 21 22 0 00:17:10 Established 1

Run the display ip routing-table vpn-instance command on a PE. You can view the routes to
the remote CE.
[PE1] display ip routing-table vpn-instance vpna
------------------------------------------------------------------------------
Routing Tables: vpna
10.1.1.0/24 Direct 0 0 D 10.1.1.2

10.1.1.2/32 Direct 0 0 D 127.0.0.1
10.3.1.0/24 IBGP 255 0 RD 3.3.3.3 Vlanif30
[PE1] display ip routing-table vpn-instance vpnb
------------------------------------------------------------------------------
Routing Tables: vpnb
10.2.1.0/24 Direct 0 0 D 10.2.1.2

10.2.1.2/32 Direct 0 0 D 127.0.0.1
10.4.1.0/24 IBGP 255 0 RD 3.3.3.3 Vlanif30
CEs in the same VPN can successfully ping each other but CEs in different VPNs cannot.
For example, CE1 can successfully ping CE3 at 10.3.1.1 but cannot ping CE4 at 10.4.1.1.
[CE1] ping 10.3.1.1
0.00% packet loss
[CE1] ping 10.4.1.1
Request time out
Request time out
Request time out
Request time out
Request time out
100.00% packet loss
----End
Configuration Files
#
sysname PE1
#

router id 1.1.1.1
#
vcmp role
silent
#
vlan batch 30
#
ipv4-family
#
ipv4-family
#
mpls lsr-id 1.1.1.1
mpls
#
mpls ldp
#
interface Vlanif30
ip address 7.7.7.7 255.255.255.0
mpls
mpls ldp
#
#
ip address 10.1.1.2 255.255.255.0
#
#
ip address 10.2.1.2 255.255.255.0
#
#
interface LoopBack1
ip address 1.1.1.1 255.255.255.255
#
bgp 100
#
ipv4-family unicast
peer 3.3.3.3 enable
#
ipv4-family vpnv4
policy vpn-target
peer 3.3.3.3 enable
#

import-route direct
#
import-route direct
#
ospf 1
area 0.0.0.0
network 1.1.1.1 0.0.0.0
network 7.7.7.0 0.0.0.255
#
return
#
sysname P
#
router id 2.2.2.2
#
vlan batch 30 60
#
mpls lsr-id 2.2.2.2
mpls
#
mpls ldp
#
interface Vlanif30
ip address 7.7.7.8 255.255.255.0
mpls
mpls ldp
#
interface Vlanif60
ip address 6.6.6.6 255.255.255.0
mpls
mpls ldp
#
#
#
interface LoopBack1
ip address 2.2.2.2 255.255.255.255
#
ospf 1
area 0.0.0.0
network 2.2.2.2 0.0.0.0
network 7.7.7.0 0.0.0.255
network 6.6.6.0 0.0.0.255
#
return
#
sysname PE2
#
router id 3.3.3.3
#
vcmp role
silent
#
vlan batch 60
#
ipv4-family

#
ipv4-family
#
mpls lsr-id 3.3.3.3
mpls
#
mpls ldp
#
interface Vlanif60
ip address 6.6.6.7 255.255.255.0
mpls
mpls ldp
#
#
ip address 10.3.1.2 255.255.255.0
#
#
ip address 10.4.1.2 255.255.255.0
#
#
interface LoopBack1
ip address 3.3.3.3 255.255.255.255
#
bgp 100
#
ipv4-family unicast
peer 1.1.1.1 enable
#
ipv4-family vpnv4
policy vpn-target
peer 1.1.1.1 enable
#
import-route direct
#
import-route direct
#
ospf 1
area 0.0.0.0
network 3.3.3.3 0.0.0.0

network 6.6.6.0 0.0.0.255

#
return
#
sysname CE1
#
vlan batch 10
#
interface Vlanif10
ip address 10.1.1.1 255.255.255.0
#
#
bgp 65410
#
ipv4-family unicast
import-route direct
#
return
#
sysname CE2
#
vlan batch 20
#
interface Vlanif20
ip address 10.2.1.1 255.255.255.0
#
bgp 65420
#
ipv4-family unicast
import-route direct
#
return
#
sysname CE3
#
vlan batch 10
#
interface Vlanif10
ip address 10.3.1.1 255.255.255.0
#
#
bgp 65430
#
ipv4-family unicast

import-route direct
#
return

#
sysname CE4
#
vlan batch 20
#
interface Vlanif20
ip address 10.4.1.1 255.255.255.0
#
#
bgp 65440
#
ipv4-family unicast
import-route direct
#
return

#
sysname Switch1
#
vlan batch 100
#
#
#
return

#
sysname Switch2
#
vlan batch 200
#
#
#
return

#
sysname Switch3
#
vlan batch 100
#

#
#
return

#
sysname Switch4
#
vlan batch 200
#
#
#
return

Configuration Guide - Ethernet Switching 9 Voice VLAN Configuration
9 Voice VLAN Configuration
About This Chapter
This chapter describes how to configure voice VLAN. A voice VLAN changes the priority of
voice data packets to improve voice data transmission quality.
9.1 Introduction to Voice VLAN

9.2 Typical Networking
9.3 Principles
9.4 Applicable Scenario
9.7 Configuring a Voice VLAN

9.1 Introduction to Voice VLAN

Definition
Voice VLAN is a technology that transmits voice data.
Purpose
Data, voice, and video services are often transmitted simultaneously over a network. Packet
loss and delay seriously affect the voice communication quality. Voice services, in particular,
require a higher forwarding priority than data or video services. When bandwidth is limited,
voice data must have transmission preference over other types of data. This can be done by
configuring a voice VLAN on the switch to transmit voice data and setting QoS parameters in
the voice VLAN so that voice data is given preference when congestion occurs.
Related Content
Videos
Huawei Switches Voice VLAN Feature Introduction
9.2 Typical Networking

As shown in Figure 9-1, a PC and an IP phone connect to a switch interface simultaneously.
Therefore, the switch interface transmits both voice and data services.
Figure 9-1 Connecting a PC and an IP phone to a switch
Network
PC IP Phone Switch
The connection mode in Figure 9-1 is widely used on networks.

Figure 9-2 shows another connection mode, in which only an IP phone connects to a switch
interface.
Figure 9-2 Connecting an IP phone to a switch
Network
IP Phone Switch
Some IP phones (for example, Cisco 7960) send tagged voice packets and some IP phones
(for example, Huawei MC850) send untagged voice packets. The following sections describe

how the MAC address-based voice VLAN and VLAN ID-based voice VLAN transmit tagged
and untagged voice packets.
9.3 Principles
A switch configured with voice VLAN can:
l Identify voice data.
l Increase the priority of voice data.
l Forward the voice data based on the increased priority.
The switch identifies voice data based on:
l Source MAC addresses of the received packets

The switch identifies data packets as voice data when the source MAC address matches
the Organizationally Unique Identifier (OUI). The OUI must be preconfigured and is
used in scenarios where IP phones send untagged voice packets.
l Source VLAN tags of the received packets
The switch identifies data packets as voice data when the VLAN ID matches with the
configured VLAN ID. This simplifies configurations when many IP phones connect to
the switch. IP phones must be able to obtain voice VLAN information from the switch to
use this mode.
The switch can identify voice data flows based on MAC addresses and VLAN IDs regardless
of whether the packets carry VLAN tags. However, OUIs must be configured in order for the
switch to differentiate untagged voice packets from data packets. If the voice packets are
tagged, configuring VLAN ID-based voice VLAN simplifies configuration when many IP
phones connect to the switch.
MAC Address-based Voice VLAN

l OUI
An OUI is the first 24 bits of a 48-bit MAC address assigned to each vendor by the
Institute of Electrical and Electronics Engineers (IEEE). Voice packets sent by IP phones
can be identified by the MAC address ranges requested by IP phone vendors.
In voice VLAN, the OUI is user-defined and not necessarily 24 bits long. The OUI is the
result of the AND operation between the MAC address and mask in the voice-vlan mac-
address command.
l Implementation
In Figure 9-3, after receiving an untagged packet from the PC and IP phone, the switch
processes the packet as follows:
– If the source MAC address matches the configured OUI, the switch adds the voice
VLAN tag to the untagged packet and increases the packet priority. (If the result of
the AND operation between the MAC address and mask is the OUI, the source
MAC address matches the OUI.)
– If the source MAC address does not match the configured OUI, the switch adds the
VLAN tag with the PVID to the untagged packet so that voice packets are
preferentially sent.

Figure 9-3 MAC address-based voice VLAN

Data packet Low-priority data packet
Network
PC IP Phone Switch
Voice packet High-priority voice packet
VLAN ID-based Voice VLAN

After receiving packets from the PC and IP phone, the switch determines whether the VLAN
IDs in the packets match the configured voice VLAN ID. If they match, the switch considers
data as voice data and increases the priority. The switch adds the VLAN tag of the PVID to
untagged packets from the PC. When VLAN ID-based voice VLAN is configured, the IP
phone must be able to obtain voice VLAN information from the switch.
LLDP is one of multiple methods in which an IP phone can obtain voice VLAN information
from a switch.
Figure 9-4 VLAN ID-based voice VLAN
Data packet Low-priority data packet
Network
PC IP Phone Switch
① Send an LLDPDU
② Encapsulate the voice VLAN ④ High-priority voice packet
ID in the LLDPDU
③ Send the tagged voice
packet to the switch
Figure 9-4 shows a PC and an IP phone connecting to a switch. The IP phone obtains voice
VLAN information from the switch through LLDP as follows:
1. After the IP phone goes online, it sends an LLDPDU to the switch.

2. After receiving the LLDPDU, the switch encapsulates voice VLAN information in the
LLDPDU and sends it to the IP phone.
3. After receiving the LLDPDU, the IP phone sends tagged voice packets.
4. The switch receives tagged voice packets. If the tag matches the voice VLAN ID on the
switch, the switch increases the priority of the packets and forwards them.
When receiving untagged packets, the switch still sends them in the VLAN specified by the
PVID. When congestion occurs, the switch preferentially sends voice packets.


Figure 9-5 shows PCs and IP phones connecting to the Internet through switches. Because
voice service is sensitive to delay and jitter, the priority of voice data flows needs to be
increased so that they can be preferentially forwarded when congestion occurs.
Figure 9-5 Applicable scenario of the voice VLAN
Switch Switch1
Internet
IP Phone A
IP Phone C
IP Phone B
PC A PC C
Configure a voice VLAN according to the type of voice packets sent by IP phones:
l Configure MAC address-based voice VLAN if voice packets are untagged.
l Configure VLAN ID-based voice VLAN if IP phones are able to obtain voice VLAN
information on the switch.

License Support
The voice VLAN is a basic feature of a switch and is not under license control.

Version Support
Table 9-1 Products and versions supporting the voice VLAN

Model
S7700 S7703, V100R003C01, V100R006C00, V200R001(C00&C01),

S7706, V200R002C00, V200R003C00, V200R005C00,
S7712 V200R006C00, V200R007C00, V200R008C00,
V200R009C00, V200R010C00
S9700 S9703, V200R001(C00&C01), V200R002C00, V200R003C00,

S9706, V200R005C00, V200R006C00, V200R007C00,
S9712 V200R008C00, V200R009C00, V200R010C00
NOTE

l The switch XGE interface connected to ACU2 does not support voice VLAN.
l VLAN 1 cannot be configured as a voice VLAN.
l To transmit different services, ensure that the voice VLAN and default VLAN on an
interface are different VLANs.
l Only one VLAN on an interface can be configured as a voice VLAN at a time.
l After a voice VLAN is configured on an interface, VLAN mapping, VLAN stacking, or
traffic policies cannot be configured on the interface.
l Do not set the VLAN ID to 0 on an IP phone.
l X series cards on modular switches do not support the automatic mode.
l In auto mode, access, negotiation-auto, or negotiation-desirable interfaces cannot be
added to a voice VLAN. To add the interface to the voice VLAN, run the port link-type
command to change the link type of the interface to trunk or hybrid.
l When an IP phone is connected to a switch through the OUI-based voice VLAN, do not
enable LLDP globally. If LLDP is enabled globally, the switch will allocate a voice
VLAN ID to the IP phone. The IP phone sends tagged packets to the switch, whereas the
switch sends untagged packets to the IP phone. As a result, the IP phone cannot go
online.
l In V200R003 and later versions, the automatic mode takes effect only when the voice-
vlan remark-mode mac-address command is configured to increase the priority of
voice packets based on MAC addresses and the voice-vlan enable command without
include-untagged specified is configured to enable voice VLAN on the interface.
l When the outbound interface is located on the ES0D0G24SA00 or ES0D0G24CA00 of
the S7700, or EH1D2G24SSA0 or EH1D2S24CSA0 of the S9700, the 802.1p priority
cannot be changed.
l When the remark (user group view) and voice-vlan remark commands are used
together to modify the user packet priority in V200R008, if the services conflict:

– For X series cards, the priority configured using the remark (user group view)
command takes effect.
– For the non-X series cards, the priority configured using the voice-vlan remark
command takes effect.

Voice VLAN on an interface Disabled
Increase in voice VLAN VLAN ID-based

priority
Adding an interface to voice Manual

VLAN
802.1p priority of the voice 6

VLAN
DSCP priority of the voice 46

VLAN
Working mode of the voice Normal

VLAN
Interworking with voice devices Disabled

of other vendors
9.7 Configuring a Voice VLAN

9.7.1 Configuring a MAC Address-based Voice VLAN
When the source MAC address in packets entering a switch interface matches the configured
OUI, the switch sends the packets to the voice VLAN and increases the packet priority.
9.7.1.1 Enabling the Voice VLAN Function
Context
To implement the voice VLAN function, configure the VLAN used to forward voice packets
on the switch as a voice VLAN and enable the voice VLAN. You are advised to configure
different VLANs for voice and data services to facilitate management.
Procedure
Step 1 Run:
system-view

Step 2 Run:
Step 3 Run:
voice-vlan vlan-id enable [ include-untagged ]
A voice VLAN is configured and the voice VLAN function is enabled on the interface.
By default, the voice VLAN function is disabled on an interface. To allow IP phones to send
untagged packets, specify include-untagged.
NOTE

l To transmit different services, ensure that the voice VLAN and default VLAN on an interface are
different VLANs.
l Only one voice VLAN on an interface can be configured as a voice VLAN at a time.
l After a voice VLAN is configured on an interface, VLAN mapping, VLAN stacking, or traffic
policies cannot be configured on the interface.
----End
9.7.1.2 Configuring a Mode in Which the Priority of Voice Packets Is Increased

Based on MAC Addresses
Context
The switch can identify voice data flows according to the source MAC address of the received
data packets. The switch considers data packets with the source MAC address matching the
Organizationally Unique Identifier (OUI) as voice data flows.
Procedure
Step 1 Run:
system-view
Step 2 Run:
Step 3 Run:
voice-vlan remark-mode mac-address
A mode in which the priority of voice packets is increased is configured.
By default, the priority of voice packets is increased based on VLAN IDs.
----End

9.7.1.3 Configuring an OUI for a Voice VLAN
Context
An OUI is the first 24 bits of a 48-bit MAC address assigned to each vendor by the Institute
of Electrical and Electronics Engineers (IEEE). Voice packets sent by IP phones can be
identified by the MAC address ranges requested by IP phone vendors.
In voice VLAN, the OUI is user-defined and not necessarily 24 bits long. The OUI is the
result of the AND operation between the MAC address and mask in the voice-vlan mac-
address command.
Procedure
Step 1 Run:
system-view
Step 2 Run:
voice-vlan mac-address mac-address mask oui-mask [ description text ]
An OUI is configured for a voice VLAN.
By default, no OUI address is set.
When configuring an OUI for a voice VLAN, note the following:
l The MAC address cannot be all 0s, multicast address, or broadcast address.
l The system supports a maximum of 100 OUIs. When the system is configured with 100
OUIs, subsequent configurations will not take effect.
l When you run the undo voice-vlan mac-address mac-address command to delete an
OUI, set mac-address to the result of the logical AND operation between the OUI and
the OUI mask that you set.
----End
9.7.1.4 Configuring a Mode in Which an Interface Is Added to a Voice VLAN
Context
Based on MAC addresses, an interface can be added to a voice VLAN in auto or manual
mode. You can configure a mode in which an interface is added to a voice VLAN according
to data flows on the interface.
l Auto
The system adds the interface connected to a voice device to the voice VLAN if the
source MAC address of packets sent from the voice device matches the OUI.
l Manual
In manual mode, the interface connected to a voice device must be added to the voice
VLAN manually after the voice VLAN function is enabled on the interface. Otherwise,
the voice VLAN does not take effect on the interface.

Procedure
Step 1 Run:
system-view

Step 2 Run:

Step 3 Run:

Step 4 Run:
voice-vlan mode { auto | manual }
A mode in which an interface is added to a voice VLAN is configured.

By default, an interface is added to a voice VLAN in manual mode.
NOTE
l The automatic mode of the voice VLAN is not supported on the X1E-series boards.
l In auto mode, access, negotiation-auto, or negotiation-desirable interfaces cannot be added to a voice
VLAN. To add the interface to the voice VLAN, run the port link-type command to change the link
type of the interface to trunk or hybrid.
l The automatic mode takes effect only when the voice-vlan remark-mode mac-address command is
configured to increase the priority of voice packets based on MAC addresses and the voice-vlan
enable command without include-untagged specified is configured to enable voice VLAN on the
interface and add voice VLAN IDs to only tagged packets.
Step 5 Add an interface to a voice VLAN in manual mode according to 4.7.1.1 Configuring
Interface-based VLAN Assignment (Statically Configured Interface Type).
----End
9.7.1.5 (Optional) Configuring the Secure or Normal Mode of a Voice VLAN
Context
Based on the data filtering mechanism, a voice VLAN works in either secure or normal mode.
Table 9-2 describes the voice VLAN working modes.

Table 9-2 Security and normal modes
Wor Scenario Packet Processing Configuration Note

king
Mod
e
Secu The inbound interface If the source MAC The secure mode takes
re enabled with the voice address does not match effect only when the
VLAN function allows the OUI, the interface voice-vlan remark-mode
only the voice packets in does not change the mac-address command is
which the source MAC priority of voice packets configured to increase the
address matches the OUI and prevents the voice priority of voice packets
address of the voice packets from being based on MAC addresses.
VLAN, and discards non- forwarded in the voice
voice packets from the VLAN.
voice VLAN and If the source MAC
forwards packets from address matches the OUI,
other VLANs. the interface changes the
priority of voice packets
and allows the voice
packets to be forwarded
in the voice VLAN.
Nor The inbound interface If the source MAC Transmitting voice and
mal enabled with the voice address does not match service data at the same
VLAN function transmits the OUI, the interface time in a voice VLAN is
both voice packets and does not change the not recommended. If a
non-voice packets. In priority of voice packets voice VLAN must
normal mode, the and allows the voice transmit both voice and
interface is vulnerable to packets to be forwarded service data, ensure that
attacks from malicious in the voice VLAN. the voice VLAN works in
data traffic. If the source MAC normal mode.
address matches the OUI,
the interface changes the
priority of voice packets
and allows the voice
packets to be forwarded
in the voice VLAN.
Procedure
l Configuring the secure mode
a. Run:
system-view

b. Run:

c. Run:
voice-vlan security enable
The voice VLAN is configured to work in secure mode.

By default, a voice VLAN works in normal mode.
l Configuring the normal mode
a. Run:
system-view

b. Run:

c. Run:
undo voice-vlan security enable
The voice VLAN is configured to work in normal mode.

By default, a voice VLAN works in normal mode.
----End
9.7.1.6 (Optional) Configuring the 802.1p Priority and DSCP Priority for a Voice
VLAN
Context
By default, the 802.1p priority and DSCP priority for a voice VLAN are 6 and 46
respectively. You can dynamically configure 802.1p priority and DSCP priority to plan
priorities for different voice services.
l The 802.1p priority is indicated by the value in the 3-bit PRI field in each 802.1Q VLAN
frame. This field determines the transmission priority for data packets when a switching
device is congested.
l The DSCP value is indicated by the 6 bits in the Type of Service (ToS) field in the IPv4
packet header. DSCP, as the signaling for DiffServ, is used for QoS guarantee on IP
networks. The traffic controller on the network gateway takes actions merely based on
the information carried by the 6 bits.
Procedure
Step 1 Run:
system-view
Step 2 Run:
voice-vlan remark { 8021p 8021p-value | dscp dscp-value } *
The 802.1p priority and DSCP priority are configured for a voice VLAN.
respectively.

NOTE
When the outbound interface is located on the ES0D0G24SA00 or ES0D0G24CA00 of the S7700, the
802.1p priority cannot be changed.
----End
Procedure
l Run the display voice-vlan [ vlan-id ] status command to check information about a
voice VLAN, including the status, working mode, 802.1p priority and DSCP priority of
the voice VLAN, and interface enabled with voice VLAN.
l Run the display voice-vlan oui command to check the organizationally unique identifier
(OUI), OUI mask, and OUI description of the voice VLAN.
----End
9.7.2 Configuring a VLAN ID-based Voice VLAN

If the VLAN ID in packets received by a switch interface is the same as the voice VLAN ID,
the switch considers the packets as voice packets and increases the packet priority.
9.7.2.1 Enabling the Voice VLAN Function
Context
To implement the voice VLAN function, configure the VLAN used to forward voice packets
on the switch as a voice VLAN and enable the voice VLAN. You are advised to configure
different VLANs for voice and data services to facilitate management.
Procedure
Step 1 Run:
system-view
Step 2 Run:
Step 3 Run:
voice-vlan vlan-id enable [ include-untagged ]
A voice VLAN is configured and the voice VLAN function is enabled on the interface.
By default, the voice VLAN function is disabled on an interface. When IP phones send
untagged packets, specify include-untagged and configure an OUI for the voice VLAN.

NOTE

l To transmit different services, ensure that the voice VLAN and default VLAN on an interface are
different VLANs.
l Only one voice VLAN on an interface can be configured as a voice VLAN at a time.
l After a voice VLAN is configured on an interface, VLAN mapping, VLAN stacking, or traffic
policies cannot be configured on the interface.
----End
9.7.2.2 Configuring a Mode in Which the Priority of Voice Packets Is Increased

Based on VLAN IDs
Context
If the VLAN ID in packets received by a switch interface is the same as the voice VLAN ID,
the switch considers the packets as voice packets and increases the packet priority.
Procedure
Step 1 Run:
system-view
Step 2 Run:
Step 3 Run:
voice-vlan remark-mode vlan
A mode in which the priority of voice packets is increased is configured.
By default, the priority of voice packets is increased based on VLAN IDs.
----End
9.7.2.3 Configuring a Mode in Which an Interface Is Added to a Voice VLAN
Context
When a VLAN ID-based voice VLAN is used, the interface connected to a voice device must
be added to the voice VLAN manually so that the voice VLAN can take effect.
Procedure
Step 1 Add an interface to a voice VLAN in manual mode according to 4.7.1.1 Configuring
Interface-based VLAN Assignment (Statically Configured Interface Type).
----End

9.7.2.4 Configuring the Switch to Advertise Voice VLAN Information to an IP

Phone
Context
Generally, IP phones that can send tagged voice packets can obtain voice VLAN information
from the switch using a protocol such as LLDP (LLDP is used as an example). LLDP needs to
be enabled. When the switch receives an LLDPDU from an IP phone, the switch encapsulates
voice VLAN information in the LLDPDU and sends it to the IP phone. The IP phone then
sends tagged voice packets.
The switch can encapsulate voice VLAN information into LLDPDUs and send them to
connected IP phones. However, IP phones of some vendors send Cisco Discovery Protocol
(CDP) packets. You can run the voice-vlan legacy enable command to enable CDP-
compatible function so that the switch encapsulates voice VLAN information in CDP packets
and sends them to connected IP phones.
Procedure
l Configuring the switch to advertise voice VLAN information to an IP phone through
LLDP
a. Run:
system-view

b. Run:
lldp enable
LLDP is enabled globally.

By default, LLDP is disabled globally.
c. Run:

d. Run:
lldp enable
LLDP is enabled on the interface.

After LLDP is enabled in the system view, all interfaces are enabled with LLDP.
l Configuring Cisco Discovery Protocol (CDP)-compatible Voice VLAN function
a. Run:
system-view

b. Run:

c. Run:
voice-vlan legacy enable
CDP-compatible Voice VLAN function is enabled so that the switch encapsulates

voice VLAN information in CDP packets and sends them to the IP phone.

By default, CDP-compatible Voice VLAN function is disabled.
----End
9.7.2.5 (Optional) Configuring the 802.1p Priority and DSCP Priority for a Voice
VLAN
Context
respectively. You can dynamically configure 802.1p priority and DSCP priority to plan
priorities for different voice services.
l The 802.1p priority is indicated by the value in the 3-bit PRI field in each 802.1Q VLAN
frame. This field determines the transmission priority for data packets when a switching
device is congested.
l The DSCP value is indicated by the 6 bits in the Type of Service (ToS) field in the IPv4
packet header. DSCP, as the signaling for DiffServ, is used for QoS guarantee on IP
networks. The traffic controller on the network gateway takes actions merely based on
the information carried by the 6 bits.
Procedure
Step 1 Run:
system-view
Step 2 Run:
voice-vlan remark { 8021p 8021p-value | dscp dscp-value } *
The 802.1p priority and DSCP priority are configured for a voice VLAN.
respectively.
NOTE
When the outbound interface is located on the ES0D0G24SA00 or ES0D0G24CA00 of the S7700, the
802.1p priority cannot be changed.
----End
Procedure
l Run the display voice-vlan [ vlan-id ] status command to check information about a
voice VLAN, including the status, 802.1p priority and DSCP priority of the voice
VLAN, and interface enabled with voice VLAN.
----End


9.8.1 Example for Configuring a MAC Address-based Voice
VLAN (IP Phones Send Untagged Voice Packets)
As shown in Figure 9-6, the switch connects to IP phones and a PC. The switch uses VLAN 2
to transmit voice packets and VLAN 3 to transmit data packets. PC A connects to IP phone A
and they connect to the switch, and IP phone B separately connects to the switch. IP phones
send untagged voice packets. Users require high quality of the VoIP service; therefore, voice
data flows must be transmitted with a high priority to ensure the call quality.
Figure 9-6 Networking for configuring a MAC address-based voice VLAN
Switch Switch1
Internet
GE1/0/1 GE1/0/2
IP Phone A GE1/0/1
MAC:0003-6B00-0001
Mask:ffff-ff00-0000
IP Phone C
IP Phone B
MAC:0003-6B00-0002
Mask:ffff-ff00-0000
PC A
PC C
286E-D400-0001
Because voice and data packets received by the switch are untagged, you need to configure
OUIs to differentiate voice and data traffic. The configuration roadmap is as follows:
1. Create VLANs on the switch and add interfaces to VLANs to implement Layer 2
connectivity.
2. Configure an OUI so that the switch adds a VLAN tag to voice packets in which the
source MAC address matches the OUI.
3. Configure VLAN 2 as the voice VLAN and configure the interface to allow voice
packets to pass through.

Procedure
Step 1 Configure VLANs and interfaces on the Switch.
# Create VLANs.
# Configure VLANs allowed by GE1/0/1.

[Switch-GigabitEthernet1/0/1] port hybrid untagged vlan 2 to 3
Step 2 Configure an OUI.

[Switch] voice-vlan mac-address 0003-6B00-0000 mask ffff-ff00-0000
Step 3 # Enable the voice VLAN function on GE1/0/1. The configuration of GE1/0/2 is similar to the
configuration of GE1/0/1, and is not mentioned here.
[Switch-GigabitEthernet1/0/1] voice-vlan 2 enable include-untagged
[Switch-GigabitEthernet1/0/1] voice-vlan remark-mode mac-address

Run the display voice-vlan 2 status command to check the voice VLAN configuration.
[Switch] display voice-vlan 2 status
Voice VLAN Configurations:
-----------------------------------------------------------
Voice VLAN ID : 2
Voice VLAN status : Enable
Voice VLAN 8021p remark : 6
Voice VLAN dscp remark : 46
-----------------------------------------------------------
Port Information:
-------------------------------------------------------------------------------
Port Add-Mode Security-Mode Legacy PribyVLAN Untag
-------------------------------------------------------------------------------
GigabitEthernet1/0/2 Manual Normal Disable Disable Enable
GigabitEthernet1/0/1 Manual Normal Disable Disable Enable
----End
Configuration Files
#
sysname Switch
#
voice-vlan mac-address 0003-6b00-0000 mask ffff-ff00-0000
#
vlan batch 2 to 3
#

voice-vlan 2 enable include-untagged

port hybrid untagged vlan 2 to 3
#
voice-vlan 2 enable include-untagged
#
return
9.8.2 Example for Configuring a VLAN ID-based Voice VLAN (IP

Phones Send Tagged Voice Packets)
As shown in Figure 9-7, the switch connects to IP phones and a PC. The switch uses VLAN 2
to transmit voice packets and VLAN 3 to transmit data packets. PC A connects to IP phone A
and they connect to the switch, and IP phone B separately connects to the switch. IP phones
can obtain voice VLAN information through LLDP and send tagged voice packets. Users
require high quality of the VoIP service; therefore, voice data flows must be transmitted with
a high priority to ensure the call quality. In addition, the administrator manages many IP
phones and requires simplified configurations.
Figure 9-7 Networking for configuring a VLAN ID-based voice VLAN
Switch Switch1
Internet
GE1/0/1 GE1/0/2
GE1/0/1
IP Phone A
IP Phone C
IP Phone B
PC A PC C
1. Create VLANs on the switch and add interfaces to VLANs to implement Layer 2
connectivity.

2. Enable LLDP so that IP phones cna obtain voice VLAN information through LLDP.
3. Configure VLAN 2 as the voice VLAN and configure the interface to allow voice
packets to pass through. Configure a VLAN ID-based voice VLAN, which relieves you
from configuring OUIs.
Procedure
Step 1 Configure VLANs and interfaces on the Switch.
# Create VLANs.
# Configure VLANs allowed by GE1/0/1.

Step 2 Enable LLDP.

[Switch] lldp enable
Step 3 # Enable the voice VLAN function on GE1/0/1. The configuration of GE1/0/2 is similar to the
configuration of GE1/0/1, and is not mentioned here.
[Switch-GigabitEthernet1/0/1] voice-vlan 2 enable
[Switch-GigabitEthernet1/0/1] voice-vlan remark-mode vlan

Run the display voice-vlan 2 status command to check the voice VLAN configuration.
[Switch] display voice-vlan 2 status
Voice VLAN Configurations:
-----------------------------------------------------------
Voice VLAN ID : 2
Voice VLAN status : Enable
Voice VLAN 8021p remark : 6
Voice VLAN dscp remark : 46
-----------------------------------------------------------
Port Information:
-------------------------------------------------------------------------------
Port Add-Mode Security-Mode Legacy PribyVLAN Untag
-------------------------------------------------------------------------------
GigabitEthernet1/0/2 Manual Normal Disable Enable Disable
GigabitEthernet1/0/1 Manual Normal Disable Enable Disable
----End
Configuration Files
#
sysname Switch

#
vlan batch 2 to 3
#
lldp enable
#
voice-vlan 2 enable
#
voice-vlan 2 enable
#
return

Configuration Guide - Ethernet Switching 10 QinQ Configuration
10 QinQ Configuration
About This Chapter
This chapter describes how to configure 802.1Q-in-802.1Q (QinQ).
10.1 Introduction to QinQ

10.2 Principles
10.3 Applications
10.6 Configuring QinQ
10.7 Maintaining QinQ
10.10 FAQ
10.11 References

10.1 Introduction to QinQ
Definition
QinQ expands VLAN space by adding an additional 802.1Q tag to 802.1Q tagged packets. It
allows services in a private VLAN to be transparently transmitted over a public network. A
packet transmitted on the backbone network carries two 802.1Q tags: a public VLAN tag and
a private VLAN tag.
Purpose
Ethernet is widely used on ISP networks, but 802.1Q VLANs are unable to identify and
isolate large numbers of users on metro Ethernet networks because the 12-bit VLAN tag field
defined in IEEE 802.1Q only identifies a maximum of 4096 VLANs. QinQ was developed to
expand VLAN space beyond 4096 VLANs so that a larger number of users can be identified
on a metro Ethernet network.
QinQ was originally developed to expand VLAN space by adding an additional 802.1Q tag to
an 802.1Q-tagged packet. In this way, the number of VLANs can increase to 4094 x 4094.
In addition to expanding VLAN space, QinQ is applied in other scenarios with the
development of metro Ethernet networks and carriers' requirements on refined service
operation. The outer and inner VLAN tags can be used to differentiate packets based on users
and services. For example, the inner tag represents a user, while the outer tag represents a
service. Moreover, QinQ is used as a simple and practical VPN technology because inner tags
of QinQ packets are transparently transmitted over a public network. It extends core MPLS
VPN services to metro Ethernet networks to establish an end-to-end VPN.
Since QinQ technology is easy to use, it has been widely applied in Internet Service Provider
(ISP) networks. For example, QinQ is combined with multiple services in metro Ethernet
solutions. Selective QinQ (VLAN stacking) makes QinQ more popular among ISPs. As the
metro Ethernet develops, equipment vendors have developed their own metro Ethernet
solutions, in which the simple and flexible QinQ technology plays an important role.
Benefits
QinQ offers the following benefits:
l Extends the VLAN space to isolate and identify more users.
l Facilitates service deployment by allowing the inner and outer tags to represent different
information. For example, the inner tag identifies a user and the outer tag identifies a
service.
l Allows ISPs to implement refined service operation by providing diversified
encapsulation and termination modes.
10.2 Principles

10.2.1 QinQ Fundamentals

QinQ expands VLAN space by adding an additional 802.1Q VLAN tag to an 802.1Q-tagged
packet. Devices forward packets over the public network according to outer VLAN tags of the
packets, and learn MAC addresses from the outer VLAN tags. The private VLAN tags in the
packets are forwarded as payload of the packets.
Figure 10-1 Typical QinQ application
VLAN 1~20 VLAN 1~10
CE2 CE3 CE4

Customer Customer
network B network A
VLAN 4 VLAN 3
Pubilc
PE1 PE2
network
VLAN 3 VLAN 4
Customer Customer
network A network B
CE1 CE2
VLAN 1~10 VLAN 1~20
In Figure 10-1, customer network A is divided into private VLANs 1 to 10, and customer
network B is divided into private VLANs 1 to 20. The carrier allocates public VLANs 3 and 4
to customer networks A and B respectively. When tagged packets from networks A and B
arrive at the carrier network, the packets are tagged outer VLANs 3 and 4. Therefore, the
packets from different customer networks are separated on the carrier network, even though
the customer networks use overlapping VLAN ranges. When the packets reach the PE on the
other side of the carrier network, the PE removes public VLAN tags from the packets and
forwards the packets to the CE of the appropriate customer network.
QinQ Packet Encapsulation Format

A QinQ packet has a fixed format, in which an 802.1Q tag is added outside the existing
802.1Q tag of the packet. A QinQ packet has 4 more bytes than an 802.1Q packet.
NOTE
Because a QinQ packet has 4 more bytes than an 802.1Q packet, the maximum frame length allowed by
each interface on the carrier network should be at least 1504 bytes. The default frame length allowed by
interfaces of a switch is larger than 1504 bytes, so you do not need to adjust it. For details on how to
configure the frame length allowed by an interface, see Setting the Jumbo Frame Length Allowed on an
Interface.
Figure 10-2 802.1Q encapsulation

TPID

QinQ Implementation
QinQ can be implemented in either of the following ways:
1. Basic QinQ
Basic QinQ is implemented based on interfaces. After basic QinQ is configured on an
interface, the device adds the default VLAN tag of this interface to all packets regardless
of whether the packets carry VLAN tags.
– If a single-tagged packet is received, the packet becomes a double-tagged packet.
– If an untagged packet is received, the packet is tagged with the default VLAN ID of
the local interface.
2. Selective QinQ
Selective QinQ is implemented based on interfaces and VLAN IDs. That is, an interface
can forward packets based on a single VLAN tag or double VLAN tags. In addition, the
device processes packets received on an interface as follows based on their VLAN IDs:
– Adds different outer VLAN tags to packets carrying different inner VLAN IDs.
– Marks outer 802.1p fields and adds different outer VLAN tags to packets according
to the 802.1p fields in inner VLAN tags.
In addition to separating carrier and customer networks, selective QinQ provides
extensive service features and allows flexible networking.
QinQ Encapsulation
QinQ encapsulation changes a single-tagged packet into a double-tagged packet, and is
usually performed on underlayer provider edge (UPE) interfaces connected to customer
networks.
Depending on the data encapsulated, QinQ encapsulation is applied as interface-based or

flow-based QinQ encapsulation. Additionally, QinQ encapsulation can be performed on
routed sub-interfaces.
l Interface-based QinQ encapsulation

This encapsulation mode is also called QinQ tunneling. It encapsulates packets arriving
at the same interface with the same outer VLAN tag, and therefore cannot distinguish
users and services at the same time.
l Flow-based QinQ encapsulation
This encapsulation mode classifies packets arriving at an interface into different flows,
and then determines whether to add outer VLAN tags and which outer VLAN tags to add
on a per flow basis. This mode is also called selective QinQ.
Traffic can be classified based on VLAN ID ranges if a customer uses different VLAN
IDs for different services. For example, PC users access the Internet through VLANs 101
to 200, IPTV users through VLANs 201 to 300, and VIPs through VLANs 301 to 400.
When receiving service data, the UPE adds outer tag 100 to packets from PCs, outer tag
300 to packets from IPTV users, and outer tag 500 to packets from VIPs.
l QinQ encapsulation on sub-interfaces
QinQ encapsulation can be performed on both Layer 2 interfaces and Layer 3 sub-
interfaces.

When service data is transparently transmitted over an MPLS/IP core network using
PWE3/VLL/VPLS, a network-end provider edge (NPE) sub-interface adds an outer
VLAN tag to a packet based on the inner VLAN tag. Then the packet is transmitted on
the VLL/PWE3/VPLS network using the outer VLAN tag. Packets from multiple private
VLANs can be transparently transmitted through a sub-interface, which is called a QinQ
stacking sub-interface.
QinQ encapsulation on a sub-interface is also a form of flow-based QinQ encapsulation.
The QinQ stacking sub-interface must be used with the L2VPN service (PWE3/VLL/
VPLS), and cannot support Layer 3 forwarding.
10.2.2 Basic QinQ

Basic QinQ, also called QinQ tunneling, is performed based on interfaces. After basic QinQ is
configured on an interface, packets received on the interface are tagged with the default
VLAN ID of the interface. After being processed by basic QinQ on an interface, single-tagged
packets change into double-tagged packets, and untagged packets change into single-tagged
packets with the default VLAN tag of the interface.
Basic QinQ can be configured to expand VLAN space when multiple VLANs are required.
In Figure 10-3, Department 1 has two offices and Department 2 has three offices. These
offices are connected to PE1 and PE2, respectively. Department 1 and Department 2 can plan
their own VLANs as required.
Figure 10-3 Networking diagram of QinQ tunneling

PE2
Port1 Port2
…… Port3 ……
PE1 Port4
Port1 Port2
Port3
…… ……
……
VLAN2 VLAN500 VLAN1000 VLAN2000 VLAN100 VLAN500
Department 1 Department 2 Department 1

Table 10-1 describes the outer VLAN tag plan for Department 1 and Department 2.
Table 10-1 VLAN plan for Department 1 and Department 2

Department VLAN ID Range Outer VLAN ID
Department 1 2 to 500 10
Department 2 500 to 4094 20
QinQ tunneling is configured on PE1 and PE2 in the following way to implement
communication within each department and isolate the two departments:
l Configure PE1 to add the outer VLAN 10 to packets received on Port1 and Port2 and
outer VLAN 20 to packets received on Port3.
l Configure PE2 to add the outer VLAN 20 to packets received on Port1 and Port2.
l Configure Port4 on PE1 and Port3 on PE2 to allow packets of VLAN 20 to pass.
10.2.3 Selective QinQ

Selective QinQ, also called VLAN stacking or QinQ stacking, is performed based on
interfaces and VLAN IDs. In addition to basic QinQ functions, selective QinQ has the
following functions:
l VLAN ID-based selective QinQ: adds outer VLAN tags based on inner VLAN IDs.
l 802.1p priority-based selective QinQ: adds outer VLAN tags based on 802.1p priorities
in inner VLAN tags.
l Traffic policy-based selective QinQ: adds outer VLAN tags based on traffic policies so
that differentiated services can be provided based on service types.
Selective QinQ is an extension of basic QinQ and is more flexible. The difference is as
follows:
l Basic QinQ: adds the same outer VLAN tag to all packets arriving at a Layer 2 interface.
l Selective QinQ: adds different outer VLAN tags to packets arriving at a Layer 2
interface based on inner VLAN tags.
In Figure 10-4, Department 1 and Department 2 have multiple offices.

Figure 10-4 Networking diagram of selective QinQ
PE2
Port1 Port2
…… Port3 ……
PE1 Port3
VLAN1000 VLAN4094 Port2 VLAN500 VLAN2500

Port1
……
……
……
VLAN100 VLAN500
Department 1
Table 10-2 VLAN plan for Department 1 and Department 2
Device Interface VLAN ID Range Outer VLAN ID
PE1 Port1 2 to 500 10
Port1 1000 to 2000 20
Port2 100 to 500 10
PE2 Port1 1000 to 4094 20
Port2 500 to 2500 20
l Department 1 uses VLANs 2 to 500.

l Department 2 uses VLANs 500 to 4094.
l Port1 on PE1 receives packets from VLANs of Department 1 and Department 2
simultaneously.

Selective QinQ is configured on PE1 and PE2 in the following way to implement
communication within each department and isolate the two departments.
l Configure outer VLAN tags for packets received on interfaces of PE1 and PE2 according
to Table 10-2.
l Configure Port3 on PE1 and Port3 on PE2 to allow packets of VLAN 20 to pass.
10.2.4 TPID
The Tag Protocol Identifier (TPID) specifies the protocol type of a VLAN tag. The TPID
value defined in IEEE 802.1Q is 0x8100.
Figure 10-5 shows the Ethernet packet format defined in IEEE 802.1Q. An IEEE 802.1Q tag,
containing the TPID, lies between the Source Address field and the Length/Type field. A
device checks the TPID value in a received packet to determine whether the VLAN tag is an
S-VLAN tag or C-VLAN tag. The device compares the configured TPID value with the TPID
value in the packet. For example, if a frame carries the VLAN tag with TPID 0x8100 but the
TPID configured for a customer network on a device is 0x8200, the device considers the
frame untagged.
Figure 10-5 802.1Q encapsulation

802.1Q Encapsulation
DA SA 802.1Q TAG Length/Type Data FCS
6 Bytes 6 Bytes 4 Bytes 2 Bytes 46 Bytes~1500 Bytes 4 Bytes
TPID 2 Bytes TCI 2 Bytes

0X8100 Priority CFI VLAN ID
3bits 1bit 12bits
Carrier's systems may use different TPID values in outer VLAN tags. When a Huawei device
needs to interoperate with such a carrier system, set the TPID value to the value used by the
carrier so that QinQ packets sent from the Huawei device can be transmitted across the carrier
network. To prevent errors in packet forwarding and processing, do not set the TPID to any of
values listed in Table 10-3.
Table 10-3 Protocol types and values

Protocol Type Value
ARP 0x0806
RARP 0x8035
IP 0x0800
IPv6 0x86DD
PPPoE 0x8863/0x8864

Protocol Type Value
MPLS 0x8847/0x8848
IPX/SPX 0x8137
LACP 0x8809
802.1x 0x888E
HGMP 0x88A7
Reserved 0xFFFD/0xFFFE/0xFFFF
10.2.5 QinQ Mapping

Implementation
QinQ mapping is performed after packets are received on the inbound interface and before
packets are forwarded through the outbound interface.
l Before sending a packet from a local VLAN, a sub-interface replaces the VLAN tag of
the packet sent with a specified VLAN tag.
l After receiving a packet, a sub-interface replaces the VLAN tag of packet with a local
VLAN tag.
In real-world applications, QinQ mapping can map customer VLAN (C-VLAN) tags to a
service VLAN (S-VLAN) tag to shield different customer VLANs.
QinQ mapping is generally deployed on edge devices of a metro Ethernet and often used to
map a VLAN tag carried in a packet to a specified VLAN tag before the packet is transmitted
on the public network. QinQ mapping applies to the following scenarios:
l The VLAN IDs deployed in new sites and old sites conflict, but new sites need to
communicate with old sites.
l Sites connected to the public network use conflicting VLAN IDs but do not need to
communicate with one another.
l The VLAN IDs on both ends of the public network are different.
Currently, the device supports the following QinQ mapping modes:
l 1-to-1 mapping
When a sub-interface receives a single-tagged packet, it maps the VLAN tag to a
specified tag.
l 2-to-1 mapping
When a sub-interface receives a double-tagged packet, it maps the outer VLAN tag to a
specified tag and retains the inner VLAN tag.

Figure 10-6 QinQ mapping
ISP
IP 50 IP 50
VLAN Tag:50
Device2 Device3
GE1/0/2 GE1/0/2
GE1/0/1.1
QinQ Mapping GE1/0/1.1
IP 20 IP 40
Device1 Device4
PC1 PC2
172.16.0.1/24 172.16.0.7/24
In Figure 10-6, 2-to-1 QinQ mapping is configured on GE1/0/1.1 interfaces of Device2 and
Device3. Frames sent from PC1 to PC2 are processed as follows:
1. PC1 sends an untagged frame to Device1. After receiving the frame, Device1 adds
VLAN tag 20 to the frame.
2. Device1 forwards the frame with VLAN tag 20 to Device2. Device2 replaces VLAN tag
20 with S-VLAN tag 50 on sub-interface GE1/0/1.1.
3. Device2 sends the frame with S-VLAN tag 50 through GE1/0/2.
4. The frame is transparently transmitted on the ISP network.
5. When the frame arrives at GE1/0/1.1 of Device3, Device3 replaces VLAN tag 50 with
VLAN tag 40.
Frames sent from PC2 to PC1 are processed in a similar way.
QinQ mapping allows PC1 to communicate with PC2.
Comparison Between QinQ Mapping and VLAN Mapping

Table 10-4 compares QinQ mapping and VLAN mapping.

Table 10-4 Comparison between QinQ mapping and VLAN mapping

Mapping Similarity Difference
1-to-1 The interface maps the tag l QinQ mapping is performed on sub-
in a received single-tagged interfaces and used for VPLS access.
packet to a specified tag. l VLAN mapping is performed on main
interfaces and applies to Layer 2 networks
where packets are forwarded based on
VLANs.
2-to-1 The interface maps the l QinQ mapping is performed on sub-

outer tag of a received interfaces and used for VPLS access.
double-tagged packet to a l VLAN mapping is performed on main
specified tag and retains interfaces and applies to Layer 2 networks
the inner tag. The inner tag where packets are forwarded based on
is transparently transmitted VLANs.
as service data.
10.3 Applications

10.3.1 Public User Services on a Metro Ethernet Network
Figure 10-7 QinQ application on a metro Ethernet network
Core Network
NPE
NPE VLAN1001 VLAN1XX

VLAN2001 VLAN3XX
VLAN1000 VLAN1XX
VRRP VLAN3001 VLAN5XX
VLAN2000 VLAN3XX Metro
VLAN3000 VLAN5XX Ethernet
UPE
VLAN101 VLAN101
VLAN301 VLAN301
VLAN501 VLAN501
HSI VOIP IPTV HSI VOIP IPTV
PVC101
PVC301
PVC501
In Figure 10-7, the digital subscriber line access multiplexers (DSLAMs) support multiple
permanent virtual channels (PVCs) so that a same user can use multiple services, such as
High-Speed Internet (HSI), Internet Protocol Television (IPTV), and voice over IP (VoIP).
The carrier assigns different PVCs and VLAN ranges to HSI, IPTV, and VoIP services, as
described in Table 10-5.
Table 10-5 Example of VLAN assignment
Service VLAN Range
HSI 101 to 300
VoIP 301 to 500
IPTV 501 to 700

A user accesses the VoIP service. When a VoIP packet reaches a DSLAM through a specified
PVC, the DSLAM marks the packet with a VLAN in the VLAN range mapped to the PVC,
such as 301. When the VoIP packet reaches the UPE, the UPE tags the packets with an outer
VLAN ID mapping the VoIP VLAN ID range, such as 2000. The inner VLAN ID represents
user information and the outer VLAN ID represents service information and the location of
the DSLAM (packets from different DSLAMs are tagged with different outer VLAN IDs).
When the packet reaches the NPE indicated by the outer VLAN tag, the VLAN tag is
terminated on the QinQ termination sub-interface. According to the core network
configuration, the packet is forwarded on the IP network or enters the corresponding VPN.
HSI and IPTV services are processed in the same manner, except that VLAN tags of HSI
services are terminated on a broadband remote access server (BRAS).
The NPE can perform HQoS scheduling based on double tags and generate a DHCP binding
table to avoid network attacks. In addition, the NPE can implement DHCP authentication
based on double tags or other information. You can also configure VRRP on QinQ
termination sub-interfaces to ensure service reliability.
10.3.2 Enterprise Network Connection Through Private Lines

In Figure 10-8, an enterprise has two sites in different places. Each site has three networks:
Finance, Marketing, and Others. To ensure network security, the enterprise requires that users
belonging to different networks be unable to communicate with each other.
Figure 10-8 Private line connection between enterprise users

Outside:VLAN1000 Inside:VLAN100 Outside:VLAN1000 Inside:VLAN100
ME MPLS/IP ME
UPE UPE
NPE NPE
VLAN100 VLAN100
VLAN100
VLAN200 VLAN200
VLAN200
VLAN300 VLAN300
VLAN300
Finance Others Others

Finance
VLAN100 VLAN300 VLAN300
VLAN100
Marketing
VLAN200 Marketing
VLAN200
The carrier uses VPLS technology on the MPLS/IP core network and QinQ technology on the
metro Ethernet network. Each site is assigned three VLANs 100, 200 and 300, which
represent Finance, Marketing, and Others departments respectively. The UPEs at two ends tag
received packets with outer VLAN 1000 (different outer VLAN tags are allowed on two
ends), and the same VSI is configured on the NPEs. This configuration ensures that only users
of the same VLAN in different sites can communicate with each other.


Table 10-6 describes the QinQ configuration tasks.
Table 10-6 QinQ configuration task summary

Configure basic QinQ After basic QinQ is 10.6.1 Configuring Basic

configured, the switch adds QinQ
a public tag to incoming
packets so that user packets
can be forwarded on the
public network.
Configure selective QinQ Selective QinQ is more 10.6.2 Configuring

flexible than QinQ. Selective QinQ
Set the TPID value in an This configuration allows a 10.6.3 Configuring the
outer VLAN tag Huawei device to TPID Value in an Outer
communicate with a non- VLAN Tag
Huawei device.
Configure the device to add The device can be 10.6.4 Configuring the
double VLAN tags to configured to add double Device to Add Double
untagged packets VLAN tags to untagged VLAN Tags to Untagged
packets. Packets
Configure QinQ mapping QinQ mapping maps C- 10.6.5 Configuring QinQ

VLAN tags to S-VLAN tags Mapping
to shield different C-VLAN
tags.

License Support
QinQ is a basic feature of a switch and is not under license control.

Version Support
Table 10-7 Products and versions supporting QinQ

Model
S7700 S7703, V100R003C01, V100R006C00, V200R001(C00&C01),

S7706, V200R002C00, V200R003C00, V200R005C00,
S7712 V200R006C00, V200R007C00, V200R008C00,
V200R009C00, V200R010C00
S9700 S9703, V200R001(C00&C01), V200R002C00, V200R003C00,

S9706, V200R005C00, V200R006C00, V200R007C00,
S9712 V200R008C00, V200R009C00, V200R010C00
NOTE

l For the points of attention when configuring QinQ on a sub-interface, see 8.4
Configuration Notes.
l ES0D0G24SA00 and ES0D0G24CA00 cards of the S7700, and EH1D2G24SSA0 and
EH1D2S24CSA0 cards of the S9700 cannot add double tags to untagged packets,
whereas other cards can add double tags to untagged packets.
l The switch forwards packets based only on their outer VLAN tags and learns MAC
address entries based on the outer VLAN tags.
l Selective QinQ must be configured on the hybrid interface. Selective QinQ can only take
effect on the interface in the inbound direction.
l When an interface configured with VLAN stacking needs to remove the outer tag from
outgoing frames, the interface must join the VLAN specified by stack-vlan in untagged
mode. If the outer VLAN does not need to be removed, the interface must join the
VLAN specified by stack-vlan in tagged mode.
l The device configured with selective QinQ can only add an outer VLAN tag to a frame
with an inner VLAN tag on an interface, and the outer VLAN ID must exist. Otherwise,
the services where selective QinQ is configured are unavailable.
l If only single-tagged packets from a VLAN need to be transparently transmitted, do not
specify the VLAN as the inner VLAN for selective QinQ. For ES0D0G24SA00 and
ES0D0G24CA00 cards of the S7700, and EH1D2G24SSA0 and EH1D2S24CSA0 cards
of the S9700 of SA cards, after selective QinQ is configured on an interface of the SA
card, VLAN mapping, for example, port vlan-mapping vlan 20 map-vlan 20, must be
configured to map the VLAN to itself from which single-tagged packets need to be
transparently transmitted.
l When VLAN stacking is configured, do not configure stack-vlan to the VLAN
corresponding to the VLANIF interface.
l VLAN-based flow mirroring allows the device to identify only outer VLAN tags of
QinQ packets.

l The globally configured traffic-limit command that takes effect for all interfaces in the
inbound direction is invalid for QinQ packets.
l After VLAN stacking is configured on an interface of an SA series card, SEP, ERPS, or
RRPP cannot be configured on this interface.
l If the PW-side interface is a Layer 3 interface switched by the undo portswitch
command, the AC-side interface cannot be a Layer 3 interface or subinterface belonging
to a Layer 3 interface; otherwise, traffic forwarding is abnormal.
10.6 Configuring QinQ
10.6.1 Configuring Basic QinQ

Basic QinQ enables the device to add a public tag to incoming packets so that user packets
can be forwarded on the public network.
Background
To separate private networks from public networks and conserve VLAN resources, configure
double 802.1Q tags on QinQ interfaces of the device. Private VLAN tags are used on private
networks such as enterprise networks, and public VLAN tags are used on external networks
such as ISP networks. QinQ expands VLAN space to 4094x4094 and allows packets on
different private networks with the same VLAN IDs to be transparently transmitted.
Procedure
Step 1 Run:
system-view

Step 2 Run:
vlan vlan-id
A VLAN used on the public network is created.

Step 3 Run:
quit
Exit from the VLAN view.

Step 4 Run:

The interface can be a physical interface or an Eth-Trunk interface.
Step 5 Run:
port link-type dot1q-tunnel
The link type of the interface is set to Dot1q-tunnel.

By default, the LNP negotiation mode of an interface is negotiation-desirable.
Dot1q-tunnel interfaces do not support Layer 2 multicast.

Step 6 Run:
The VLAN ID of the public VLAN tag, that is, the default VLAN of the interface, is
configured.
By default, VLAN 1 is the default VLAN of all interfaces.
----End

l Run the display current-configuration interface interface-type interface-number
command to check the QinQ configuration on the interface.
10.6.2 Configuring Selective QinQ

Selective QinQ is implemented based on interfaces and VLAN IDs.
Before configuring selective QinQ, create the outer VLAN.
10.6.2.1 Configuring VLAN ID-based Selective QinQ
Context
VLAN ID-based selective QinQ allows an interface to add outer VLAN tags to packets based
on VLAN IDs of the packets.
NOTE
l Selective QinQ must be configured on the hybrid interface. Selective QinQ can only take effect on the
interface in the inbound direction.
l When an interface configured with VLAN stacking needs to remove the outer tag from outgoing frames,
the interface must join the VLAN specified by stack-vlan in untagged mode. If the outer VLAN does not
need to be removed, the interface must join the VLAN specified by stack-vlan in tagged mode.
Procedure
Step 1 Run:
system-view

Step 2 Run:
The interface can be a physical interface or an Eth-Trunk interface.

Step 3 Run:
The link type of the interface is set to hybrid.


Step 4 Run:
port hybrid untagged vlan vlan-id
The interface is added to the VLAN in untagged mode.

You must specify an existing VLAN ID on the device in this command. You do not need to
create a VLAN specified by the original VLAN tag of a received packet.
Step 5 Run:
port vlan-stacking vlan vlan-id1 [ to vlan-id2 ] stack-vlan vlan-id3
[ remark-8021p 8021p-value ]
Selective QinQ is configured.

By default, the priority in the stacked outer VLAN tag is 0 on SA boards of S series, and is
the same as the priority in the inner VLAN tag on other cards.
NOTE
VLAN Switch stack-vlan can also add outer VLAN tags based on inner VLAN tags. For details, see 6
VLAN Switch Configuration.
Step 6 Run:
quit
Exit from the interface view.

Step 7 Run:
The view of another interface is displayed.

This interface is the outbound interface for QinQ packets, different from the interface
specified in step 2.
Step 8 Run:
The link type of the interface is set to trunk.

Step 9 Run:
port trunk allow-pass vlan vlan-id3
The outer VLAN ID (stack-vlan) added to the original tagged packet is set.
----End

l Run the display current-configuration interface interface-type interface-number
command to check the selective QinQ configuration on the interface.
Configuration Tips
Deleting QinQ configuration
Use either of the following methods to delete the selective QinQ configuration on an
interface:
l Run the undo port vlan-stacking vlan vlan-id1 [ to vlan-id2 ] [ stack-vlan vlan-id3 ]
command in the interface view to delete a selective QinQ entry on the interface.

l Run the undo port vlan-stacking all command in the interface view to delete all the
selective QinQ entries on the interface.
10.6.2.2 Configuring MQC-based Selective QinQ
Background
A traffic policy is configured by associating traffic classifiers with traffic behaviors. You can
specify a VLAN ID or other information in a traffic classifier and associate the traffic
classifier with a traffic behavior to implement selective QinQ. Then the device adds the
specified outer VLAN tag to packets matching the traffic classifier.
Traffic policy-based selective QinQ enables the device to provide differentiated services
based on service types.
Procedure
a. Run:
system-view

b. Run:
that:
NOTE


Rule

VLAN IDs id ]
in QinQ
packets


802.1p value &<1-8>
priority in
QinQ
packets

or inner
and outer
VLAN IDs
of QinQ
packets

actions.

tags in
QinQ
packets


Rule

or OR.
packets.



in the
Ethernet
frame
header
All if-match any -

packets


Rule

matches the traffic
of whether the
AND or OR.
simultaneously.

rules is AND.
command, a packet
matches the traffic
precedence values,
AND or OR.

protocol
type


Rule

IPv6 S7700, and

packet urg }

view.


AND or OR.

the ACL6.


Rule

traffic policies.
d. Run:
quit

a. Run:

b. Run:
nest top-most vlan-id vlan-id
The outer VLAN ID is specified in the traffic behavior.

You must specify an existing VLAN ID on the device in this command. You do not
need to create a VLAN specified by the original VLAN tag of a received packet.
c. Run:
quit

d. Run:
quit

a. Run:
system-view

b. Run:
existing traffic policy is displayed.
If no matching order is specified when you create a traffic policy, the default
matching order is config.

modify the matching order of traffic classifiers in the traffic policy. To modify the
matching order, delete the traffic policy, create a traffic policy, and specify the
matching order.
When creating a traffic policy, you can specify the matching order of matching rules
in the traffic policy. The matching order can be either automatic order or
configuration order:
n If automatic order is used, traffic classifiers are matched based on the priorities
of their types. Traffic classifiers based on Layer 2 and Layer 3 information,
Layer 2 information, and Layer 3 information are matched in descending order
of priority. The traffic classifier with the highest priority is matched first. If
data traffic matches multiple traffic classifiers, and the traffic behaviors
conflict with each other, the traffic behavior corresponding to the highest
priority rule takes effect.
n If configuration order is used, traffic classifiers are matched based on their
priorities. The traffic classifier with the highest priority is matched first. A
smaller priority value indicates a higher priority of a traffic classifier. If
precedence-value is not specified, the system allocates a priority to the traffic
classifier. The allocated priority value is [(max-precedence + 5) / 5] x 5, where
max-precedence specifies the maximum priority of a traffic classifier. For
details about the priority of a traffic classifier, refer to the traffic classifier
command.
c. Run:
A traffic behavior is bound to a traffic classifier in a traffic policy.

d. Run:
quit

e. Run:
quit

i. Run:
system-view

ii. Run:

iii. Run:

policing for all relevant packets that match traffic classification rules on the
interface.


i. Run:
system-view

ii. Run:
vlan vlan-id

iii. Run:

direction.
packets that belong to that VLAN and match the relevant traffic classification
rules. However, the traffic policy does not take effect for packets in VLAN 0.
i. Run:
system-view

ii. Run:
id ]

Only one traffic policy can be applied to the system or LPU for one direction.
A traffic policy cannot be applied to the same direction in the system and on
the LPU simultaneously.


10.6.2.3 Configuring 802.1p Priority-based Selective QinQ
Context
802.1p priority-based selective QinQ allows an interface to add an outer VLAN tag based on
802.1p priorities and VLAN IDs of incoming packets. This ensures communication of high-
priority users.
Procedure
Step 1 Configure 802.1p priority-based selective QinQ on an inbound interface.
1. Run:
system-view

2. Run:

3. Run:

4. Run:
The interface is added to the stacked VLAN.

5. Run the following commands as required on the inbound interface.
– To configure 802.1p priority-based selective QinQ, run port vlan-stacking 8021p
8021p-value stack-vlan vlan-id.
– To configure selective QinQ based on VLAN IDs and 802.1p priorities, run port
vlan-stacking vlan vlan-id1 [ to vlan-id2 ] 8021p 8021p-value1 [ to 8021p-
value2 ] stack-vlan vlan-id3 [ remark-8021p 8021p-value3 ].
NOTE
– VLAN stacking based on 802.1p priorities takes effect only for incoming packets.
– VLAN stacking based on 802.1p priorities can only be enabled on a trunk or hybrid interface.
Step 2 (Optional) Configure VLAN priority mapping on an outbound interface.

When a DiffServ domain has been created and priority mapping has been configured on the
inbound interface, the internal priority may be different from the 802.1p priority. Therefore,
you are advised to configure priority mapping on the outbound interface.
1. Run:
system-view

2. Run:
diffserv domain ds-domain-name
A DiffServ domain is created and its view is displayed.

3. Run:
8021p-outbound service-class color map 8021p-value
The device is configured to map the internal priority of outgoing packets to the 802.1p
priority in the DiffServ domain.
4. Run:
quit
Exit from the DiffServ domain view.

5. Run:

6. Run:

7. Run:
port hybrid tagged vlan vlan-id
The interface is added to the stacked VLAN.

8. Run:
trust upstream ds-domain-name
The interface is bound to the DiffServ domain, and the mapping in the DiffServ domain
is applied to the interface.
By default, the internal priority is copied to the external priority.
----End

l Run the display this command in the inbound interface view to check the configuration
of VLAN stacking based on 802.1p priorities.
l Run the display this command in the outbound interface view to check the configuration
of VLAN stacking based on 802.1p priorities.
10.6.3 Configuring the TPID Value in an Outer VLAN Tag

To enable interoperation between devices from different vendors, set the same TPID value in
outer VLAN tags on the devices.
Context
Devices from different vendors or in different network plans may use different TPID values in
VLAN tags of VLAN packets. To adapt to an existing network plan, the switch supports TPID
value configuration. You can set the TPID value on the switch to be the same as the TPID
value in the network plan to ensure compatibility with the current network.

NOTE
l To implement interoperability with a non-Huawei device, ensure that the protocol type in the outer
VLAN tag added by the switch can be identified by the non-Huawei device.
l The qinq protocol command identifies incoming packets, and adds or changes the TPID value of
outgoing packets.
l The protocol ID configured on an interface by the qinq protocol command must be different from
other commonly used protocol IDs; otherwise, the interface cannot distinguish packets of these
protocols. For example, protocol-id cannot be set to 0x0806, which is the ARP protocol ID.
l A maximum of four VLAN TPIDs can be configured on one card, and the TPID configured on an
interface of an X1E series card takes effect on all interfaces of the card.
Procedure
Step 1 Run:
system-view

Step 2 Run:

Step 3 Run:
qinq protocol protocol-id
The protocol type in the outer VLAN tag is set.

The qinq protocol command cannot be used on Dot1q-tunnel interfaces.
By default, the TPID value in the outer VLAN tag is 0x8100.
----End
10.6.4 Configuring the Device to Add Double VLAN Tags to

Untagged Packets
You can configure one device to add double VLAN tags to untagged packets.
Context
Generally, two devices are required to add double tags to packets. Configuring one device to
add double VLAN tags to untagged packets can simplify configuration. In addition, a Layer 2
interface can add double tags to untagged packets to differentiate services or users.
NOTE
This configuration is not supported on the ES0D0G24SA00 and ES0D0G24CA00 boards on the S7700.
Procedure
Step 1 Run:
system-view

Step 2 Run:

vlan vlan-id
The outer VLAN is created.
Step 3 Run:
quit
Step 4 Run:
Step 5 Run:
Step 6 Run:
The interface is added to the outer VLAN.
Step 7 Run:
port vlan-stacking untagged stack-vlan vlan-id1 stack-inner-vlan vlan-id2
The interface is configured to add double VLAN tags to untagged packets.
NOTE
To enable an interface to add double VLAN tags to an untagged packet, you must set the link type of the
interface to hybrid, and add the interface to the outer VLAN in untagged mode.
If the PVID of an interface is not VLAN 1, restore the PVID to VLAN 1 before running the port vlan-
stacking untagged command.
The port vlan-stacking untagged command actually configures interface-based VLAN assignment.
Different VLAN assignment modes are in the following order of priority: policy-based VLAN
assignment > voice VLAN include-untagged > MAC address-based VLAN assignment > IP subnet-
based VLAN assignment > protocol-based VLAN assignment > interface-based VLAN assignment.
----End
10.6.5 Configuring QinQ Mapping

VLAN mapping maps C-VLAN tags to S-VLAN tags to shield different C-VLAN tags.
Before configuring QinQ mapping, complete the following tasks:
l Connect the device correctly.
l Configure the VLANs that users belong to so that user packets carry one or double
VLAN tags.

NOTE
The mapped VLAN IDs specified in QinQ mapping configuration must be different from the control
VLAN IDs for ring protocols such as SEP, RRPP, and ERPS. Otherwise, an error message will be
displayed, indicating that the configuration fails.
10.6.5.1 Configuring 1-to-1 QinQ Mapping
Context
1-to-1 QinQ mapping allows a sub-interface to map a tag in a received single-tagged packet to
a specified tag.
Procedure
Step 1 Run:
system-view
Step 2 Run:
Step 3 Run:
Step 4 Run:
quit
Step 5 Run:
The view of the CE-side Ethernet or Eth-Trunk sub-interface of the PE is displayed.
Step 6 Run:
qinq mapping vid vlan-id1 [ to vlan-id2 ] map-vlan vid vlan-id3
The sub-interface is configured to map a tag of a packet to a specified tag.
The original VLAN IDs of single-tagged packets specified in the command must be different
from the outer VLAN IDs specified on all the other sub-interfaces.
NOTE
QinQ mapping cannot be used with stacking, QinQ termination, and Dot1q termination commands on
the same sub-interface.
----End

10.6.5.2 Configuring 2-to-1 QinQ Mapping
Context
2-to-1 QinQ mapping allows a sub-interface to map an outer tag in a received double-tagged
packet to a specified tag and retain the inner VLAN tag.
Procedure
Step 1 Run:
system-view
Step 2 Run:
Step 3 Run:
Step 4 Run:
quit
Step 5 Run:
The view of the CE-side Ethernet or Eth-Trunk sub-interface of the PE is displayed.
Step 6 Run:
qinq mapping pe-vid vlan-id1 ce-vid vlan-id2 [ to vlan-id3 ] map-vlan vid vlan-id4
The sub-interface is configured to map the outer tag of double-tagged packets to a specified
tag.
The original outer tag of double-tagged packets specified in the command must be different
from outer tags specified on all the other sub-interfaces.
NOTE
QinQ mapping cannot be used with stacking, QinQ termination, and Dot1q termination commands on
the same sub-interface.
----End
10.7 Maintaining QinQ
10.7.1 Displaying VLAN Translation Resource Usage

Context
During QinQ configuration (excluding basic QinQ configuration), VLAN translation
resources may be insufficient. You can run command to view the total number of inbound/
outbound VLAN translation resources, the number of used VLAN translation resources, and
the number of remaining VLAN translation resources. The command output helps you locate
faults.
Procedure
Step 1 Run the display vlan-translation resource [ slot slot-number ] command in any view to view
VLAN translation resource usage on a card.
Step 2 Run the display spare-bucket resource [ slot slot-number ] command in any view to view
the usage of backup resources when VLAN translation resources on a card conflict.
NOTE
Only the X1E series cards support this command.
----End
10.8.1 Example for Configuring Basic QinQ
In Figure 10-9, there are two enterprises on the network, Enterprise 1 and Enterprise 2. Both
of them have two office locations, which connect to SwitchA and SwitchB of the ISP
network. A non-Huawei device on the ISP network uses the TPID value of 0x9100.
The requirements are as follows:
l Enterprise 1 and Enterprise 2 use independent VLAN plans that do not affect each other.
l Traffic of an enterprise's branches is transparently transmitted on the ISP network. Users
accessing the same service in an enterprise are allowed to communicate, and users
accessing different services are isolated.
You can configure QinQ to meet the preceding requirements. VLAN 100 and VLAN 200
provided by the ISP network can be used to transmit traffic for Enterprise 1 and Enterprise 2
respectively, thereby implementing communication within an enterprise and isolating the two
enterprises. To implement interoperation with the non-Huawei device, set the TPID value in
outer VLAN tags to 0x9100 on the interfaces of the Huawei devices connected to the non-
Huawei device.

Figure 10-9 Networking for configuring basic QinQ
ISP
VLAN 100,200
TPID=0x9100
GE1/0/3 GE1/0/3
SwitchA SwitchB
GE1/0/1 GE1/0/2 GE1/0/1 GE1/0/2
GE1/0/1 GE1/0/1 GE1/0/1 GE1/0/1

Enterprise 1 Enterprise 2 Enterprise 1 Enterprise 2

VLAN 10 to 50 VLAN 20 to 60 VLAN 10 to 50 VLAN 20 to 60
1. Create VLAN 100 and VLAN 200 on SwitchA and SwitchB. Configure interfaces
connected to the two enterprises as QinQ interfaces and add them to VLAN 100 and
VLAN 200 respectively, so that packets from the two enterprises are tagged with
different outer VLAN tags.
2. Add interfaces of SwitchA and SwitchB connected to the ISP network to VLAN 100 and
VLAN 200 so that packets from the two VLANs are allowed to pass through.
3. On the interfaces of SwitchA and SwitchB connected to the ISP network, set the TPID in
outer VLAN tags to the value used on the non-Huawei device so that SwitchA and
SwitchB can interwork with the non-Huawei device.
4. Create VLANs on Switch1, Switch2, Switch3, and Switch4, and add interfaces to
VLANs to implement Layer 2 connectivity.
Procedure
# Create VLAN 100 and VLAN 200 on SwitchA.

# Create VLAN 100 and VLAN 200 on SwitchB.

[SwitchB] vlan batch 100 200
# Create VLANs 10 to 50 on Switch1. The configuration of Switch3 is similar to that of

Switch1, and is not mentioned here.
[Switch1] vlan batch 10 to 50
# Create VLANs 20 to 60 on Switch2. The configuration of Switch4 is similar to that of

Switch2, and is not mentioned here.
[Switch2] vlan batch 20 to 60
Step 2 Set the link type of interfaces to Dot1q-tunnel.

# Configure GE1/0/1 and GE1/0/2 on SwitchA as QinQ interfaces, and set the default VLAN
of GE1/0/1 to VLAN 100 and the default VLAN of GE1/0/2 to VLAN 200. The configuration
of SwitchB is similar to the configuration of SwitchA, and is not mentioned here.
[SwitchA-GigabitEthernet1/0/1] port link-type dot1q-tunnel
[SwitchA-GigabitEthernet1/0/2] port link-type dot1q-tunnel
Step 3 Configure the interfaces of SwitchA and SwitchB connected to the ISP network.
# Add GE1/0/3 of SwitchA to VLAN 100 and VLAN 200. The configuration of SwitchB is
similar to the configuration of SwitchA, and is not mentioned here.
Step 4 Add interfaces of access switches to VLANs.

# Add GE1/0/1 on Switch1 to VLANs 10 to 50. The configuration of Switch3 is similar to
that of Switch1, and is not mentioned here.
[Switch1-GigabitEthernet1/0/1] port trunk allow-pass vlan 10 to 50
# Add GE1/0/1 on Switch2 to VLANs 20 to 60. The configuration of Switch4 is similar to

that of Switch2, and is not mentioned here.
[Switch2-GigabitEthernet1/0/1] port trunk allow-pass vlan 20 to 60
Step 5 Configure the TPID value in outer VLAN tags.

# Set the TPID value in outer VLAN tags to 0x9100 on SwitchA.
[SwitchA-GigabitEthernet1/0/3] qinq protocol 9100

# Set the TPID value in outer VLAN tags to 0x9100 on SwitchB.

[SwitchB-GigabitEthernet1/0/3] qinq protocol 9100

In Enterprise 1, ping a PC in a VLAN of a branch from a PC in the same VLAN of another
branch. If the ping operation is successful, internal users of Enterprise 1 can communicate.
In Enterprise 2, ping a PC in a VLAN of a branch from a PC in the same VLAN of another
branch. If the ping operation is successful, internal users of Enterprise 2 can communicate.
Ping a PC in any VLAN of Enterprise 2 from a PC in the same VLAN of Enterprise 1. If the
ping operation fails, users in Enterprise 1 and Enterprise 2 are isolated.
----End
Configuration Files
#
sysname SwitchA
#
vlan batch 100 200
#
#
#
qinq protocol 9100
#
return

#
sysname SwitchB
#
vlan batch 100 200
#
#
#
qinq protocol 9100
#
return

#
sysname Switch1
#

vlan batch 10 to 50
#
#
return

#
sysname Switch2
#
vlan batch 20 to 60
#
#
return

#
sysname Switch3
#
vlan batch 10 to 50
#
#
return

#
sysname Switch4
#
vlan batch 20 to 60
#
#
return
10.8.2 Example for Configuring Selective QinQ
In Figure 10-10, Internet access users (using PCs) and VoIP users (using VoIP terminals)
connect to the ISP network through SwitchA and SwitchB and communicate with each other
through the ISP network.
The enterprise assigns VLAN 100 to PCs and VLAN 300 to VoIP terminals. Packets from
PCs and VoIP terminals need to be transmitted over the ISP network in VLAN 2 and VLAN 3
respectively.

Figure 10-10 Networking diagram for configuring selective QinQ
SwitchA SwitchB
GE1/0/2 Carrier GE1/0/2
network
GE1/0/1 GE1/0/1
PC VoIP VoIP PC
1. Create VLANs on SwitchA and SwitchB.
2. Configure link types of interfaces on SwitchA and SwitchB and add the interfaces to
VLANs.
3. Configure selective QinQ on interfaces of SwitchA and SwitchB.
Procedure
# On SwitchA, create VLAN 2 and VLAN 3, that is, VLAN IDs in the outer VLAN tags to be
added.
# On SwitchB, create VLAN 2 and VLAN 3, that is, VLAN IDs in the outer VLAN tags to be
added.
Step 2 Configure selective QinQ on interfaces.

# Configure GE1/0/1 on SwitchA.
[SwitchA-GigabitEthernet1/0/1] port hybrid untagged vlan 2 3
[SwitchA-GigabitEthernet1/0/1] port vlan-stacking vlan 100 stack-vlan 2
[SwitchA-GigabitEthernet1/0/1] port vlan-stacking vlan 300 stack-vlan 3
# Configure GE1/0/1 on SwitchB.


[SwitchB-GigabitEthernet1/0/1] port hybrid untagged vlan 2 3
[SwitchB-GigabitEthernet1/0/1] port vlan-stacking vlan 100 stack-vlan 2
[SwitchB-GigabitEthernet1/0/1] port vlan-stacking vlan 300 stack-vlan 3
Step 3 Configure other interfaces.

# Add GE1/0/2 to VLAN 2 and VLAN 3 on SwitchA.
# Add GE1/0/2 to VLAN 2 and VLAN 3 on SwitchB.


If the configurations on SwitchA and SwitchB are correct, the following situations occur:
l PCs can communicate with each other through the ISP network.
l VoIP terminals can communicate with each other through the ISP network.
----End
Configuration Files
#
sysname SwitchA
#
vlan batch 2 to 3
#
#
#
return

#
sysname SwitchB
#
vlan batch 2 to 3
#
#

#
return
10.8.3 Example for Configuring Selective QinQ and VLAN

Mapping
In Figure 10-11, Internet access, IPTV, and VoIP services are provided for users through
home gateways.
The corridor switches allocate VLANs to the services as follows:
l VLANs for the Internet access service of different users: VLAN 1000 to VLAN 1100
l Shared VLAN for the IPTV service: VLAN 1101
l Shared VLAN for the VoIP service: VLAN 1102
l Shared VLAN for home gateways: VLAN 1103
Each community switch is connected to 50 downstream corridor switches, and maps VLAN
IDs in packets of the Internet access service from the corridor switches to VLANs 101-150.
The aggregation switch of the carrier is connected to 50 downstream community switches,

and adds outer VLAN IDs 21-70 to packets sent from the community switches.
Figure 10-11 Networking diagram for configuring selective QinQ and VLAN mapping
ME60
Internet
Aggregate switch of carrier SwitchA

GE1/0/0
…… ……
GE2/0/0
Community SwitchB
switch GE1/0/0
…… …… …… ……
Corridor
switch
…… …… …… ……
Home
gateway


2. Configure VLAN mapping on SwitchB and add GE 1/0/0 and GE 2/0/0 to VLANs.
3. Configure selective QinQ on SwitchA and add GE 1/0/0 to VLANs.
4. Add other downlink interfaces of SwitchA and SwitchB to VLANs. The configurations
are similar to the configurations of GE 1/0/0 interfaces, and are not mentioned here.
5. Configure other community switches. The configuration is similar to the configuration of
SwitchB, and is not mentioned here.
Procedure
# Create VLANs.
[SwitchA] vlan batch 21 to 70 1101 to 1103
# Add downlink interface gigabitethernet 1/0/0 to VLANs.

[SwitchA-GigabitEthernet1/0/0] port hybrid untagged vlan 21
[SwitchA-GigabitEthernet1/0/0] port hybrid tagged vlan 1101 to 1103
# Configure selective QinQ on gigabitethernet 1/0/0.

[SwitchA-GigabitEthernet1/0/0] port vlan-stacking vlan 101 to 150 stack-vlan 21
# Create VLANs.
[SwitchB] vlan batch 101 to 150 1000 to 1103

[SwitchB-GigabitEthernet1/0/0] port hybrid tagged vlan 101 1000 to 1103
[SwitchB-GigabitEthernet2/0/0] port hybrid tagged vlan 101 to 150 1101 to 1103
# Configure VLAN mapping on downlink interface gigabitethernet 1/0/0.

[SwitchB-GigabitEthernet1/0/0] port vlan-mapping vlan 1000 to 1100 map-vlan 101

The Internet access service, IPTV service, and VoIP service are available.
----End
Configuration Files
#
sysname SwitchA
#
vlan batch 21 to 70 1101 to 1103
#
port hybrid tagged vlan 1101 to 1103
port vlan-stacking vlan 101 to 150 stack-vlan 21
#
return

#
sysname SwitchB
#
vlan batch 101 to 150 1000 to 1103
#
port hybrid tagged vlan 101 1000 to 1103
port vlan-mapping vlan 1000 to 1100 map-vlan 101
#
port hybrid tagged vlan 101 to 150 1101 to 1103
#
return
10.8.4 Example for Configuring Traffic Selective QinQ and Traffic

Policy
In Figure 10-12, low-end switches at the user side connect to the Internet through the Switch.
The IPTV and Internet access services are deployed at the user side. User PCs obtain IP
addresses from ME60-A to connect to the Internet, and the set top boxes (STBs) obtain IP
addresses from ME60-B to provide the IPTV service.
The DSLAMs add different VLAN tags to packets of different services so that the PCs do not
obtain IP addresses from ME60-B.
The carrier assigns VLANs 100-999 to PPPoE packets and assigns VLANs 1000-1999 to
DHCP packets.
The STBs are provided by the carrier. The carrier can obtain MAC addresses of STBs but
cannot obtain MAC addresses of PCs. The MAC address segment of STBs is
00e0-8e00-0000/ffff-ff00-0000.
When a user starts a PC, a DHCP packet is sent to apply for an IP address. The DHCP packet
should be rejected, and the user must obtain an IP address using PPPoE.

Figure 10-12 Networking diagram for configuring selective QinQ and traffic policy
Internet
ME60-A ME60-B
GE3/0/0 GE4/0/0
GE1/0/0 GE2/0/0
Switch
SwitchA SwitchB
…… ……
SwitchC SwitchD SwitchE SwitchF
…… …… …… ……
1. Create VLANs on the Switch.
2. Configure GE1/0/0 and GE2/0/0 on the Switch as hybrid interfaces and configure
selective QinQ on the two interfaces.
3. Configure a traffic classifier based on VLAN IDs and MAC addresses, a traffic behavior,
and a traffic policy.
4. Apply the traffic policy in the inbound direction of GE1/0/0 and GE2/0/0 to prevent PCs
from obtaining IP addresses through DHCP packets.
Procedure
Step 1 Configure selective QinQ.
# Create VLANs.


[Switch-GigabitEthernet1/0/0] port hybrid untagged vlan 10 20
[Switch-GigabitEthernet2/0/0] port hybrid untagged vlan 10 20
# Configure selective QinQ on interfaces.

[Switch-GigabitEthernet1/0/0] port vlan-stacking vlan 100 to 999 stack-vlan 10
Step 2 Configure a traffic policy.
# Configure an ACL to filter packets based on source MAC addresses.

[Switch] acl number 4001
[Switch-acl-L2-4001] rule 1 permit source-mac 00e0-8e00-0000 ffff-ff00-0000
[Switch-acl-L2-4001] quit
# Configure a traffic classifier.

[Switch] traffic classifier STB operator and
[Switch-classifier-STB] if-match vlan-id 20
[Switch-classifier-STB] if-match acl 4001
[Switch-classifier-STB] quit
# Configure a traffic behavior.

[Switch] traffic behavior PermitMAC
[Switch-behavior-PermitMAC] permit
[Switch-behavior-PermitMAC] quit
# Configure a traffic policy.

[Switch] traffic policy PermitMAC
[Switch-trafficpolicy-PermitMAC] classifier STB behavior PermitMAC
[Switch-trafficpolicy-PermitMAC] quit
# Apply the traffic policy in the inbound direction of GE1/0/0 and GE2/0/0.
[Switch-GigabitEthernet1/0/0] traffic-policy PermitMAC inbound
[Switch-GigabitEthernet2/0/0] traffic-policy PermitMAC inbound

The IPTV and Internet access services are available. STBs obtain IP addresses from ME60-B,
and PCs obtain IP addresses from ME60-A.
----End
Configuration Files
#
sysname Switch
#
vlan batch 10 20
#
acl number 4001
rule 1 permit source-mac 00e0-8e00-0000 ffff-ff00-0000
#
traffic classifier STB operator and precedence 5
if-match vlan-id 20
if-match acl 4001
#
traffic behavior PermitMAC
permit
#
traffic policy PermitMAC match-order config
classifier STB behavior PermitMAC
#
traffic-policy PermitMAC inbound
#
traffic-policy PermitMAC inbound
#
#
#
return
10.8.5 Example for Configuring Flow-based Selective QinQ
In Figure 10-13, Internet access users (using PCs) and VoIP users (using VoIP terminals)
connect to the ISP network through SwitchA and SwitchB. These users communicate with
each other through the ISP network.
Packets from PCs and VoIP terminals need to be transmitted over the ISP network in VLAN 2
and VLAN 3 respectively.
You can configure a traffic policy to implement selective QinQ on the Switch.

Figure 10-13 Networking diagram for configuring flow-based selective QinQ
SwitchA SwitchB
GE1/0/2 Carrier GE1/0/2
network
GE1/0/1 GE1/0/1
PC VoIP VoIP PC
VLAN100~200 VLAN300~400 VLAN300~400 VLAN100~200

2. Configure traffic classifiers, traffic behaviors, and bind them in a traffic policy on
SwitchA and SwitchB.
3. Configure link types of interfaces on SwitchA and SwitchB, and add the interfaces to
VLANs.
4. Apply the traffic policy to interfaces of SwitchA and SwitchB to implement selective
QinQ.
Procedure
# On SwitchA, create VLAN 2 and VLAN 3, that is, VLAN IDs in the outer VLAN tags to be
added.
# On SwitchB, create VLAN 2 and VLAN 3, that is, VLAN IDs in the outer VLAN tags to be
added.
Step 2 Configure a traffic policy on SwitchA.
Configure traffic classifiers, traffic behaviors, and a traffic policy on SwitchA.

[SwitchA] traffic classifier name1

[SwitchA-classifier-name1] if-match vlan-id 100 to 200
[SwitchA-classifier-name1] quit
[SwitchA] traffic behavior name1
[SwitchA-behavior-name1] nest top-most vlan-id 2
[SwitchA-behavior-name1] quit
[SwitchA] traffic classifier name2
[SwitchA-classifier-name2] if-match vlan-id 300 to 400
[SwitchA-behavior-name2] nest top-most vlan-id 3
[SwitchA] traffic policy name1
[SwitchA-trafficpolicy-name1] classifier name1 behavior name1
[SwitchA-trafficpolicy-name1] quit
# Configure traffic classifiers, traffic behaviors, and a traffic policy on SwitchB.

[SwitchB] traffic classifier name1
[SwitchB-classifier-name1] if-match vlan-id 100 to 200
[SwitchB-classifier-name1] quit
[SwitchB] traffic behavior name1
[SwitchB-behavior-name1] nest top-most vlan-id 2
[SwitchB-behavior-name1] quit
[SwitchB] traffic classifier name2
[SwitchB-classifier-name2] if-match vlan-id 300 to 400
[SwitchB-behavior-name2] nest top-most vlan-id 3
[SwitchB] traffic policy name1
[SwitchB-trafficpolicy-name1] classifier name1 behavior name1
[SwitchB-trafficpolicy-name1] quit
Step 3 Apply the traffic policy to interfaces of SwitchA and SwitchB to implement selective QinQ.
# Configure GE 1/0/1 on SwitchA.

[SwitchA-GigabitEthernet1/0/1] port hybrid untagged vlan 2 3
[SwitchA-GigabitEthernet1/0/1] traffic-policy name1 inbound
# Configure GE 1/0/1 on SwitchB.

[SwitchB-GigabitEthernet1/0/1] port hybrid untagged vlan 2 3
[SwitchB-GigabitEthernet1/0/1] traffic-policy name1 inbound
Step 4 Configure other interfaces.
# Add GE 1/0/2 on SwitchA to VLAN 2 and VLAN 3.

# Add GE 1/0/2 on SwitchB to VLAN 2 and VLAN 3.



If the configurations on SwitchA and SwitchB are correct, the following situations occur:
l PCs can communicate with each other through the ISP network.
l VoIP terminals can communicate with each other through the ISP network.
----End
Configuration Files
#
sysname SwitchA
#
vlan batch 2 to 3
#
traffic classifier name1 operator or precedence 5
if-match vlan-id 100 to 200
#
traffic behavior name1
permit
nest top-most vlan-id 2
permit
#
traffic policy name1 match-order config
classifier name1 behavior name1
#
traffic-policy name1 inbound
#
#
return

#
sysname SwitchB
#
vlan batch 2 to 3
#
#
permit
permit
#
#


#
#
return
10.8.6 Example for Connecting a Single-Tag VLAN Mapping Sub-

Interface to a VLL Network
In Figure 10-14, CE1 and CE2 are connected to PE1 and PE2 respectively through VLANs.
NOTE
Figure 10-14 Networking diagram for connecting a single-tag VLAN mapping sub-interface
to a VLL network
1.1.1.1/32 2.2.2.2/32 3.3.3.3/32
GE 2/0/0 GE 1/0/0
PE 1 PE 2
GE 2/0/0 GE1/0/0
GE1/0/0 P GE 2/0/0
GE1/0/0 GE 1/0/0
Martini
CE 1 CE 2
- Loopback1 - 1.1.1.1/32
- Loopback1 - 3.3.3.3/32
- Loopback1 - 2.2.2.2/32

1. Configure a routing protocol on PE and P devices of the backbone network to implement
2. Use the default tunnel policy to create an LSP for data transmission.
4. Create a sub-interface on the interface of PE1 connected to CE1, configure VLAN
mapping of a single tag on the sub-interface, and create a VC to connect the sub-
interface to the VLL network.
5. Configure a Dot1q sub-interface on the interface of PE2 connected to CE2, and create a
VC to connect the sub-interface to the VLL network.
Procedure
Step 1 Add interfaces of CEs, PEs, and P to VLANs and configure IP addresses for the VLANIF
interfaces according to Figure 10-14.
# Configure CE1 to ensure that packets sent from CE1 to PE1 carry a VLAN tag.
[CE1] vlan batch 10
[CE1-Vlanif10] quit
# Configure CE2 to ensure that packets sent from CE2 to PE2 carry a VLAN tag.
[CE2] vlan batch 20
[CE2-Vlanif20] quit
# Configure PE1.
[PE1] vlan batch 20


[PE1-Vlanif20] quit
# Configure P.
[HUAWEI] sysname P
[P-Vlanif20] quit
[P-Vlanif30] quit
# Configure PE2.
[PE2] vlan batch 30
[PE2-Vlanif30] quit
Step 2 Configure an IGP on the MPLS backbone network. OSPF is used in this example.
# Configure PE1.
[PE1] ospf 1
[PE1-ospf-1] area 0
[PE1-ospf-1] quit
# Configure P.
[P-LoopBack1] quit
[P] ospf 1
[P-ospf-1] area 0
[P-ospf-1] quit

# Configure PE2.
[PE2] ospf 1
[PE2-ospf-1] area 0
[PE2-ospf-1] quit

Neighbors

DR: 10.1.1.2 BDR: 10.1.1.1 MTU: 0
------------------------------------------------------------------------------

2.2.2.2/32 OSPF 10 1 D 10.1.1.2 Vlanif20
3.3.3.3/32 OSPF 10 2 D 10.1.1.2 Vlanif20
10.1.1.0/24 Direct 0 0 D 10.1.1.1 Vlanif20
10.1.1.1/32 Direct 0 0 D 127.0.0.1 Vlanif20
10.2.2.0/24 OSPF 10 2 D 10.1.1.2 Vlanif20
Step 3 Enable basic MPLS functions and MPLS LDP on the MPLS network.
# Configure PE1.
[PE1] mpls
[PE1-mpls] quit
[PE1] mpls ldp
[PE1-mpls-ldp] quit
[PE1-Vlanif20] mpls
[PE1-Vlanif20] quit
# Configure P.
[P] mpls
[P-mpls] quit
[P] mpls ldp
[P-mpls-ldp] quit


[P-Vlanif20] mpls
[P-Vlanif20] quit
[P-Vlanif30] mpls
[P-Vlanif30] quit
# Configure PE2.
[PE2] mpls
[PE2-mpls] quit
[PE2] mpls ldp
[PE2-mpls-ldp] quit
[PE2-Vlanif30] mpls
[PE2-Vlanif30] quit
# Configure PE1.
# Configure PE2.
view the LDP session setup. You can see that an LDP session has been set up between PE1
and PE2.
The output on PE1 is used as an example:


------------------------------------------------------------------------------
------------------------------------------------------------------------------
------------------------------------------------------------------------------
Step 5 Enable MPLS L2VPN on PEs and create VC connections.

[PE1] mpls l2vpn
[PE1-l2vpn] quit
[PE1-GigabitEthernet1/0/0.1] qinq mapping vid 10 map-vlan vid 20


[PE2] mpls l2vpn
[PE2-l2vpn] quit
On PEs, check the L2VPN connections. You can see that an L2VC connection has been set up
and is in Up state.
The output on PE1 is used as an example:

session state : up
AC status : up
VC state : up
Label state : 0
Token state : 0
VC ID : 101
VC type : VLAN
VCCV State : up
link state : up
Access-port : false
VC last up time : 2010/10/09 19:26:37
CKey : 8
NKey : 3

Service Class : --
Color : --
DomainId : --
Domain Name : --

The output on CE1 is used as an example:
[CE1] ping 10.10.10.2

0.00% packet loss
----End
Configuration Files
#
sysname CE1
#
vlan batch 10
#
interface Vlanif10
ip address 10.10.10.1 255.255.255.0
#
#
return

#
sysname PE1
#
router id 1.1.1.1
#
vcmp role
silent
#
vlan batch 20
#
mpls lsr-id 1.1.1.1
mpls
#
mpls l2vpn
#
mpls ldp
#
remote-ip 3.3.3.3
#
interface Vlanif20
ip address 10.1.1.1 255.255.255.0

mpls
mpls ldp
#
#
qinq mapping vid 10 map-vlan vid 20
mpls l2vc 3.3.3.3 101
#
#
interface LoopBack1
ip address 1.1.1.1 255.255.255.255
#
ospf 1
area 0.0.0.0
network 1.1.1.1 0.0.0.0
network 10.1.1.0 0.0.0.255
#
return
#
sysname P
#
router id 2.2.2.2
#
vlan batch 20 30
#
mpls lsr-id 2.2.2.2
mpls
#
mpls ldp
#
interface Vlanif20
ip address 10.1.1.2 255.255.255.0
mpls
mpls ldp
#
interface Vlanif30
ip address 10.2.2.2 255.255.255.0
mpls
mpls ldp
#
#
#
interface LoopBack1
ip address 2.2.2.2 255.255.255.255
#
ospf 1
area 0.0.0.0
network 2.2.2.2 0.0.0.0
network 10.1.1.0 0.0.0.255
network 10.2.2.0 0.0.0.255
#
return

#
sysname PE2
#
router id 3.3.3.3
#
vcmp role
silent
#
vlan batch 30
#
mpls lsr-id 3.3.3.3
mpls
#
mpls l2vpn
#
mpls ldp
#
remote-ip 1.1.1.1
#
interface Vlanif30
ip address 10.2.2.1 255.255.255.0
mpls
mpls ldp
#
#
#
mpls l2vc 1.1.1.1 101
#
interface LoopBack1
ip address 3.3.3.3 255.255.255.255
#
ospf 1
area 0.0.0.0
network 3.3.3.3 0.0.0.0
network 10.2.2.0 0.0.0.255
#
return

#
sysname CE2
#
vlan batch 20
#
interface Vlanif20
ip address 10.10.10.2 255.255.255.0
#
#
return

10.8.7 Example for Connecting a Double-Tag VLAN Mapping

Sub-Interface to a VLL Network
As shown in Figure 10-15, CE1 and CE2 are connected to PE1 and PE2 respectively through
VLANs.
A Martini VLL is set up between PE1 and PE2.
Selective QinQ is required on the switch interfaces connected to CEs to tag packets sent from
CEs with the VLAN IDs specified by the carrier.
When Switch1 and Switch2 add different VLAN tags to packets, configure double-tag VLAN
mapping on PE sub-interfaces and connect the sub-interfaces to the VLL network so that CE1
and CE2 can communicate with each other.
When a Switch is connected to multiple CEs, the Switch can add the same outer VLAN tag to
packets with different VLAN tags from different CEs, thereby saving VLAN IDs on the
public network.
NOTE
Figure 10-15 Networking diagram for connecting a double-tag VLAN mapping sub-interface
to a VLL network
1.1.1.1/32 2.2.2.2/32 3.3.3.3/32
GE2/0/0 GE1/0/0
PE1 PE2
GE2/0/0 GE1/0/0
GE1/0/0 P GE2/0/0
GE2/0/0 GE2/0/0
Switch1 Switch2
GE1/0/0 GE1/0/0
GE1/0/0 GE1/0/0
CE1 CE2
Switch Interface VLANIF Interface IP address

- Loopback1 - 1.1.1.1/32
- Loopback1 - 3.3.3.3/32
- Loopback1 - 2.2.2.2/32
4. Create a sub-interface on the PE1 interface connected to Switch1, configure double-tag
VLAN mapping, and create a VC to connect the QinQ sub-interface to a VLL network.
5. Create a sub-interface on the PE2 interface connected to Switch2, and create a VC to
connect the QinQ sub-interface to a VLL network.
Procedure
Step 1 Configure the VLANs on the CE, PE, and P devices, add interfaces to the VLANs, and assign
IP addresses to the corresponding VLANIF interfaces according to Figure 10-15.
tag.
[CE1] vlan batch 10
[CE1-Vlanif10] quit
tag.

[CE2] vlan batch 10

[CE2-Vlanif10] quit
# Configure PE1.
[PE1] vlan batch 20
[PE1-Vlanif20] quit
# Configure P.
[HUAWEI] sysname P
[P-Vlanif20] quit
[P-Vlanif30] quit
# Configure PE2.
[PE2] vlan batch 30
[PE2-Vlanif30] quit
Step 2 Configure selective QinQ on switch interfaces and specify the VLANs allowed by the
interfaces.
[Switch1] vlan 100


[Switch2] vlan 200
# Configure PE1.
[PE1] ospf 1
[PE1-ospf-1] area 0
[PE1-ospf-1] quit
# Configure P.
[P-LoopBack1] quit
[P] ospf 1
[P-ospf-1] area 0
[P-ospf-1] quit
# Configure PE2.
[PE2] ospf 1
[PE2-ospf-1] area 0
[PE2-ospf-1] quit


Neighbors

DR: 10.1.1.2 BDR: 10.1.1.1 MTU: 0
------------------------------------------------------------------------------

2.2.2.2/32 OSPF 10 1 D 10.1.1.2 Vlanif20
3.3.3.3/32 OSPF 10 2 D 10.1.1.2 Vlanif20
10.1.1.0/24 Direct 0 0 D 10.1.1.1 Vlanif20
10.1.1.1/32 Direct 0 0 D 127.0.0.1 Vlanif20
10.2.2.0/24 OSPF 10 2 D 10.1.1.2 Vlanif20
# Configure PE1.
[PE1] mpls
[PE1-mpls] quit
[PE1] mpls ldp
[PE1-mpls-ldp] quit
[PE1-Vlanif20] mpls
[PE1-Vlanif20] quit
# Configure P.
[P] mpls
[P-mpls] quit
[P] mpls ldp
[P-mpls-ldp] quit
[P-Vlanif20] mpls
[P-Vlanif20] quit
[P-Vlanif30] mpls
[P-Vlanif30] quit
# Configure PE2.
[PE2] mpls
[PE2-mpls] quit
[PE2] mpls ldp

[PE2-mpls-ldp] quit
[PE2-Vlanif30] mpls
[PE2-Vlanif30] quit

# Configure PE1.
# Configure PE2.
view the LDP session setup. You can see that an LDP session has been set up between PE1
and PE2.

------------------------------------------------------------------------------
------------------------------------------------------------------------------
------------------------------------------------------------------------------
Step 6 Enable MPLS L2VPN on PEs and create VC connections.

[PE1] mpls l2vpn
[PE1-l2vpn] quit
[PE1-GigabitEthernet1/0/0.1] qinq mapping pe-vid 100 ce-vid 10 map-vlan vid 200

[PE2] mpls l2vpn
[PE2-l2vpn] quit

and is in Up state.

The display on PE1 is used as an example.

session state : up
AC status : up
VC state : up
Label state : 0
Token state : 0
VC ID : 101
VC type : VLAN
VCCV State : up
link state : up
Access-port : false
VC last up time : 2010/10/09 19:26:37
CKey : 8
NKey : 3
Service Class : --
Color : --
DomainId : --
Domain Name : --

The output on CE1 is used as an example:
[CE1] ping 10.10.10.2


0.00% packet loss
----End
Configuration Files
#
sysname CE1
#
vlan batch 10
#
interface Vlanif10
ip address 10.10.10.1 255.255.255.0
#
#
return

#
sysname Switch1
#
vlan batch 100
#
#
#
return

#
sysname PE1
#
router id 1.1.1.1
#
vcmp role
silent
#
vlan batch 20
#
mpls lsr-id 1.1.1.1
mpls
#
mpls l2vpn
#
mpls ldp
#
remote-ip 3.3.3.3
#
interface Vlanif20
ip address 10.1.1.1 255.255.255.0
mpls
mpls ldp
#

#
qinq mapping pe-vid 100 ce-vid 10 map-vlan vid 200
mpls l2vc 3.3.3.3 101
#
#
interface LoopBack1
ip address 1.1.1.1 255.255.255.255
#
ospf 1
area 0.0.0.0
network 1.1.1.1 0.0.0.0
network 10.1.1.0 0.0.0.255
#
return
#
sysname P
#
router id 2.2.2.2
#
vlan batch 20 30
#
mpls lsr-id 2.2.2.2
mpls
#
mpls ldp
#
interface Vlanif20
ip address 10.1.1.2 255.255.255.0
mpls
mpls ldp
#
interface Vlanif30
ip address 10.2.2.2 255.255.255.0
mpls
mpls ldp
#
#
#
interface LoopBack1
ip address 2.2.2.2 255.255.255.255
#
ospf 1
area 0.0.0.0
network 2.2.2.2 0.0.0.0
network 10.1.1.0 0.0.0.255
network 10.2.2.0 0.0.0.255
#
return
#
sysname PE2
#

router id 3.3.3.3
#
vcmp role
silent
#
vlan batch 30
#
mpls lsr-id 3.3.3.3
mpls
#
mpls l2vpn
#
mpls ldp
#
remote-ip 1.1.1.1
#
interface Vlanif30
ip address 10.2.2.1 255.255.255.0
mpls
mpls ldp
#
#
#
mpls l2vc 1.1.1.1 101
#
interface LoopBack1
ip address 3.3.3.3 255.255.255.255
#
ospf 1
area 0.0.0.0
network 3.3.3.3 0.0.0.0
network 10.2.2.0 0.0.0.255
#
return
#
sysname Switch2
#
vlan batch 200
#
#
#
return
#
sysname CE2
#
vlan batch 10
#
interface Vlanif10
ip address 10.10.10.2 255.255.255.0
#

#
return
10.8.8 Example for Connecting a VLAN Stacking Sub-interface to

a VLL Network
In Figure 10-16, CE1 and CE2 are connected to PE1 and PE2 respectively through VLANs.
Switch1 forwards the packets sent from CE1 without changing VLAN tags.
Selective QinQ needs to be configured on the interface connected to CE2 so that Switch2 adds
the carrier-specified VLAN tag to the packets sent from CE2.
The packets sent from Switch1 to PE1 contain only one VLAN tag, and the packets sent from
Switch2 to PE2 contain two VLAN tags. To allow CE1 and CE2 to communicate with each
other, configure VLAN stacking on the sub-interface of PE1 connected to Switch1, and
connect the sub-interface to a VLL network.
public network.
NOTE

Figure 10-16 Networking diagram for connecting a VLAN stacking sub-interface to a VLL
network
1.1.1.1/32 2.2.2.2/32 3.3.3.3/32
GE2/0/0 GE1/0/0
PE1 PE2
GE2/0/0 GE1/0/0
GE1/0/0 P GE2/0/0
GE2/0/0 GE2/0/0
Switch1 Switch2
GE1/0/0 GE1/0/0
GE1/0/0 GE1/0/0
CE1 CE2
- Loopback1 - 1.1.1.1/32
- Loopback1 - 3.3.3.3/32
- Loopback1 - 2.2.2.2/32

4. On PE1, configure VLAN stacking on the sub-interface connected to Switch1, and create
a VC to connect the sub-interface to a VLL network.

5. On PE2, configure a QinQ sub-interface on the interface connected to Switch2, and

create a VC connect the QinQ sub-interface to a VLL network.
6. On Switch1, add the interface connected to CE1 to a specified VLAN.
7. On Switch2, configure selective QinQ on the interface connected to CE2.
Procedure
Step 1 Create VLANs on the CE, PE, and P devices, add interfaces to the VLANs, and assign IP
addresses to VLANIF interfaces according to Figure 10-16.
tag.
[CE1] vlan batch 10
[CE1-Vlanif10] quit
tag.
[CE2] vlan batch 10
[CE2-Vlanif10] quit
# Configure PE1.
[PE1] vlan batch 20
[PE1-Vlanif20] quit
# Configure P.
[HUAWEI] sysname P

[P-Vlanif20] quit
[P-Vlanif30] quit
# Configure PE2.
[PE2] vlan batch 30
[PE2-Vlanif30] quit
interfaces.
[Switch1] vlan 10
[Switch2] vlan 100
# Configure PE1.
[PE1] ospf 1
[PE1-ospf-1] area 0


[PE1-ospf-1] quit
# Configure P.
[P-LoopBack1] quit
[P] ospf 1
[P-ospf-1] area 0
[P-ospf-1] quit
# Configure PE2.
[PE2] ospf 1
[PE2-ospf-1] area 0
[PE2-ospf-1] quit

Neighbors

DR: 10.1.1.2 BDR: 10.1.1.1 MTU: 0
------------------------------------------------------------------------------

2.2.2.2/32 OSPF 10 1 D 10.1.1.2 Vlanif20
3.3.3.3/32 OSPF 10 2 D 10.1.1.2 Vlanif20
10.1.1.0/24 Direct 0 0 D 10.1.1.1 Vlanif20
10.1.1.1/32 Direct 0 0 D 127.0.0.1 Vlanif20
10.2.2.0/24 OSPF 10 2 D 10.1.1.2 Vlanif20
# Configure PE1.


[PE1] mpls
[PE1-mpls] quit
[PE1] mpls ldp
[PE1-mpls-ldp] quit
[PE1-Vlanif20] mpls
[PE1-Vlanif20] quit
# Configure P.
[P] mpls
[P-mpls] quit
[P] mpls ldp
[P-mpls-ldp] quit
[P-Vlanif20] mpls
[P-Vlanif20] quit
[P-Vlanif30] mpls
[P-Vlanif30] quit
# Configure PE2.
[PE2] mpls
[PE2-mpls] quit
[PE2] mpls ldp
[PE2-mpls-ldp] quit
[PE2-Vlanif30] mpls
[PE2-Vlanif30] quit

# Configure PE1.
# Configure PE2.
view the LDP session setup. You can see that an LDP session is set up between PE1 and PE2.

------------------------------------------------------------------------------
------------------------------------------------------------------------------
------------------------------------------------------------------------------
Step 6 Enable MPLS L2VPN on PEs and set up VC connections.

# On PE1, create a VC connection on GigabitEthernet1/0/0.1 that is connected to Switch1.

[PE1] mpls l2vpn
[PE1-l2vpn] quit
[PE1-GigabitEthernet1/0/0.1] qinq stacking vid 10 pe-vid 100
# On PE2, create a VC connection on GigabitEthernet2/0/0.1 that is connected to Switch2.

[PE2] mpls l2vpn
[PE2-l2vpn] quit

and is in Up state.
session state : up
AC status : up
VC state : up
Label state : 0
Token state : 0
VC ID : 101
VC type : VLAN
VCCV State : up
link state : up

Access-port : false
VC last up time : 2010/10/09 19:26:37
CKey : 8
NKey : 3
Service Class : --
Color : --
DomainId : --
Domain Name : --

The display on CE1 is used as an example.
[CE1] ping 10.10.10.2

0.00% packet loss
----End
Configuration Files
#
sysname CE1
#
vlan batch 10
#
interface Vlanif10
ip address 10.10.10.1 255.255.255.0
#
#
return

#
sysname Switch1
#
vlan batch 10
#
#

#
return
#
sysname PE1
#
router id 1.1.1.1
#
vcmp role
silent
#
vlan batch 20
#
mpls lsr-id 1.1.1.1
mpls
#
mpls l2vpn
#
mpls ldp
#
remote-ip 3.3.3.3
#
interface Vlanif20
ip address 10.1.1.1 255.255.255.0
mpls
mpls ldp
#
#
qinq stacking vid 10 pe-vid 100
mpls l2vc 3.3.3.3 101
#
#
interface LoopBack1
ip address 1.1.1.1 255.255.255.255
#
ospf 1
area 0.0.0.0
network 1.1.1.1 0.0.0.0
network 10.1.1.0 0.0.0.255
#
return
#
sysname P
#
router id 2.2.2.2
#
vlan batch 20 30
#
mpls lsr-id 2.2.2.2
mpls
#
mpls ldp
#
interface Vlanif20
ip address 10.1.1.2 255.255.255.0
mpls

mpls ldp
#
interface Vlanif30
ip address 10.2.2.2 255.255.255.0
mpls
mpls ldp
#
#
#
interface LoopBack1
ip address 2.2.2.2 255.255.255.255
#
ospf 1
area 0.0.0.0
network 2.2.2.2 0.0.0.0
network 10.1.1.0 0.0.0.255
network 10.2.2.0 0.0.0.255
#
return
#
sysname PE2
#
router id 3.3.3.3
#
vcmp role
silent
#
vlan batch 30
#
mpls lsr-id 3.3.3.3
mpls
#
mpls l2vpn
#
mpls ldp
#
remote-ip 1.1.1.1
#
interface Vlanif30
ip address 10.2.2.1 255.255.255.0
mpls
mpls ldp
#
#
mpls l2vc 1.1.1.1 101
#
interface LoopBack1
ip address 3.3.3.3 255.255.255.255
#
ospf 1
area 0.0.0.0
network 3.3.3.3 0.0.0.0
network 10.2.2.0 0.0.0.255

#
return

#
sysname Switch2
#
vlan batch 100
#
#
#
return

#
sysname CE2
#
vlan batch 10
#
interface Vlanif10
ip address 10.10.10.2 255.255.255.0
#
#
return
10.8.9 Example for Connecting a Single-tag VLAN Mapping Sub-

interface to a VPLS Network
In Figure 10-17, VPLS is enabled on PE1 and PE2. CE1 is connected to PE1 and CE2 is
connected to PE2. CE1 and CE2 are on the same VPLS network. To implement
communication between CE1 and CE2, use LDP as the VPLS signaling protocol to establish
PWs and configure VPLS.
NOTE

Figure 10-17 Networking diagram for connecting a single-tag VLAN mapping sub-interface
to a VPLS network

1.1.1.1/32 2.2.2.2/32 3.3.3.3/32
GE 1/0/0 GE 2/0/0
PE 1 PE 2
GE 2/0/0 GE1/0/0
GE1/0/0 GE 2/0/0
P
GE1/0/0 GE 1/0/0
CE 1 CE 2
- Loopback1 - 1.1.1.1/32
- Loopback1 - 3.3.3.3/32
- Loopback1 - 2.2.2.2/32
between devices.
5. Create a VSI on the PEs and specify LDP as the signaling protocol.
6. Configure single-tag VLAN mapping on the PE1 sub-interface connected to CE1 and
bind the sub-interface the VSI to connect it to the VPLS network.
7. Configure a Dot1q sub-interface on the interface of PE2 connected to CE2 and bind the
sub-interface to the VSI to connect it to the VPLS network.

Procedure
Step 1 Create VLANs on the CE, PE, and P devices, add interfaces to the VLANs, and assign IP
addresses to VLANIF interfaces according to Figure 10-17.
NOTE
l After the configuration is complete, the packets sent from a CE to a PE must carry a VLAN tag.
# Configure CE1.
[CE1] vlan batch 10
[CE1-Vlanif10] quit
# Configure CE2.
[CE2] vlan batch 20
[CE2-Vlanif20] quit
# Configure PE1.
[PE1] vlan batch 20
[PE1-Vlanif20] quit
# Configure P.
[HUAWEI] sysname P
[P-Vlanif20] quit


[P-Vlanif30] quit
# Configure PE2.
[PE2] vlan batch 30
[PE2-Vlanif30] quit
Step 2 Configure an IGP protocol. OSPF is used in this example.

# Configure PE1.
[PE1] ospf 1
[PE1-ospf-1] area 0
[PE1-ospf-1] quit
# Configure P.
[P-LoopBack1] quit
[P] ospf 1
[P-ospf-1] area 0
[P-ospf-1] quit
# Configure PE2.
[PE2] ospf 1
[PE2-ospf-1] area 0
[PE2-ospf-1] quit
------------------------------------------------------------------------------



2.2.2.2/32 OSPF 10 1 D 4.4.4.5 Vlanif20
3.3.3.3/32 OSPF 10 2 D 4.4.4.5 Vlanif20
4.4.4.0/24 Direct 0 0 D 4.4.4.4 Vlanif20
4.4.4.4/32 Direct 0 0 D 127.0.0.1 Vlanif20
5.5.5.0/24 OSPF 10 2 D 4.4.4.5 Vlanif20
Step 3 Enable basic MPLS functions and MPLS LDP.

# Configure PE1.
[PE1] mpls
[PE1-mpls] quit
[PE1] mpls ldp
[PE1-mpls-ldp] quit
[PE1-Vlanif20] mpls
[PE1-Vlanif20] quit
# Configure P.
[P] mpls
[P-mpls] quit
[P] mpls ldp
[P-mpls-ldp] quit
[P-Vlanif20] mpls
[P-Vlanif20] quit
[P-Vlanif30] mpls
[P-Vlanif30] quit
# Configure PE2.
[PE2] mpls
[PE2-mpls] quit
[PE2] mpls ldp
[PE2-mpls-ldp] quit
[PE2-Vlanif30] mpls
[PE2-Vlanif30] quit

------------------------------------------------------------------------------

------------------------------------------------------------------------------
------------------------------------------------------------------------------
# Configure PE1.
# Configure PE2.
PE2. You can see that the peer status is Operational, indicating that a peer relationship has
been set up between PE1 and PE2. The display on PE1 is used as an example.

------------------------------------------------------------------------------
------------------------------------------------------------------------------
------------------------------------------------------------------------------
Step 5 Enable MPLS L2VPN on the PEs.
# Configure PE1.
[PE1] mpls l2vpn
[PE1-l2vpn] quit
# Configure PE2.
[PE2] mpls l2vpn
[PE2-l2vpn] quit
Step 6 Configure a VSI on the PEs.
# Configure PE1.
[PE1] vsi a2 static
[PE1-vsi-a2] quit
# Configure PE2.
[PE2] vsi a2 static
[PE2-vsi-a2] quit

Step 7 Bind sub-interfaces on the PEs to the VSI.

# Configure PE1.

[PE1-GigabitEthernet1/0/0.1] qinq mapping vid 10 map-vlan vid 20
# Configure PE2.

***VSI Name : a2
VSI Index : 0
PW Signaling : ldp
MTU : 1500
Mpls Exp : --
DomainId : 255
Domain Name :
P2P VSI : disable
VSI State : up
VSI ID : 2
VC Label : 23552
Peer Type : dynamic
Session : up
Tunnel ID : 0x22
CKey : 2
NKey : 1
Stp Enable : 0
PwIndex : 0

State : up

Access Port : false

Last Up Time : 2010/12/30 11:31:18
**PW Information:

PW State : up
PW Type : label
Tunnel ID : 0x22
Ckey : 0x2
Nkey : 0x1
Tnl Type : LSP
Stp Enable : 0
PW Last Up Time : 2010/12/30 11:32:03

[CE1] ping 10.1.1.2

0.00% packet loss
----End
Configuration Files
#
sysname CE1
#
vlan batch 10
#
interface Vlanif10
ip address 10.1.1.1 255.255.255.0
#
#
return

#
sysname CE2
#
vlan batch 20

#
interface Vlanif20
ip address 10.1.1.2 255.255.255.0
#
#
return
#
sysname PE1
#
router id 1.1.1.1
#
vcmp role
silent
#
vlan batch 20
#
mpls lsr-id 1.1.1.1
mpls
#
mpls l2vpn
#
vsi a2 static
pwsignal ldp
vsi-id 2
peer 3.3.3.3
#
mpls ldp
#
remote-ip 3.3.3.3
#
interface Vlanif20
ip address 4.4.4.4 255.255.255.0
mpls
mpls ldp
#
#
qinq mapping vid 10 map-vlan vid 20
l2 binding vsi a2
#
#
interface LoopBack1
ip address 1.1.1.1 255.255.255.255
#
ospf 1
area 0.0.0.0
network 1.1.1.1 0.0.0.0
network 4.4.4.0 0.0.0.255
#
return
#
sysname P
#
router id 2.2.2.2
#
vlan batch 20 30

#
mpls lsr-id 2.2.2.2
mpls
#
mpls ldp
#
interface Vlanif20
ip address 4.4.4.5 255.255.255.0
mpls
mpls ldp
#
interface Vlanif30
ip address 5.5.5.4 255.255.255.0
mpls
mpls ldp
#
#
#
interface LoopBack1
ip address 2.2.2.2 255.255.255.255
#
ospf 1
area 0.0.0.0
network 2.2.2.2 0.0.0.0
network 4.4.4.0 0.0.0.255
network 5.5.5.0 0.0.0.255
#
return
#
sysname PE2
#
router id 3.3.3.3
#
vcmp role
silent
#
vlan batch 30
#
mpls lsr-id 3.3.3.3
mpls
#
mpls l2vpn
#
vsi a2 static
pwsignal ldp
vsi-id 2
peer 1.1.1.1
#
mpls ldp
#
remote-ip 1.1.1.1
#
interface Vlanif30
ip address 5.5.5.5 255.255.255.0
mpls
mpls ldp
#


#
#
l2 binding vsi a2
#
interface LoopBack1
ip address 3.3.3.3 255.255.255.255
#
ospf 1
area 0.0.0.0
network 3.3.3.3 0.0.0.0
network 5.5.5.0 0.0.0.255
#
return
10.8.10 Example for Connecting a Double-tag VLAN Mapping

Sub-interface to a VPLS Network
In Figure 10-18, VPLS is enabled on PE1 and PE2. CE1 connects to PE1 through Switch1
and CE2 connects to PE2 through Switch2. CE1 and CE2 are on the same VPLS network. To
implement communication between CE1 and CE2, use LDP as the VPLS signaling protocol
to establish PWs and configure VPLS.
You are required to configure selective QinQ on the switch interfaces connected to CEs so
that Switch1 and Switch2 add the VLAN tags specified by the carrier to the packets sent from
CEs.
When Switch1 and Switch2 allow different VLAN tags, configure a double-tag VLAN
mapping sub-interface on a PE and connect the sub-interface to the VPLS to enable
communication between CE1 and CE2.
When the Switch is connected to multiple CEs, the Switch can add the same outer VLAN tag
to packets with different VLAN tags from different CEs, thereby saving VLAN IDs on the
public network.
NOTE

Figure 10-18 Networking diagram for connecting a double-tag VLAN mapping sub-interface
to a VPLS network

1.1.1.1/32 2.2.2.2/32 3.3.3.3/32
GE2/0/0 GE2/0/0
PE1 PE2
GE1/0/0 GE1/0/0
GE1/0/0 P GE2/0/0
GE2/0/0 GE2/0/0
Switch1 Switch2
GE1/0/0 GE1/0/0
GE1/0/0 GE1/0/0
CE1 CE2
- Loopback1 - 1.1.1.1/32
- Loopback1 - 3.3.3.3/32
- Loopback1 - 2.2.2.2/32
1. Configure a routing protocol on the backbone network to implement interworking.


7. Configure double-tag VLAN mapping on the sub-interface connected to Switch1 on PE1
and bind the sub-interface to the VSI to connect it to the VPLS network.
8. Configure a QinQ sub-interface on the interface connected to Switch2 on PE2 and bind
the sub-interface to the VSI to connect it to the VPLS network.
Procedure
Step 1 Create VLANs on the devices, add interfaces to the VLANs, and assign IP addresses to
VLANIF interfaces according to Figure 10-18.
NOTE
# Configure CE1.
[CE1] vlan batch 10
[CE1-Vlanif10] quit
# Configure CE2.
[CE2] vlan batch 10
[CE2-Vlanif10] quit
# Configure PE1.
[PE1] vlan batch 20
[PE1-Vlanif20] quit
# Configure P.
[HUAWEI] sysname P

[P-Vlanif20] quit
[P-Vlanif30] quit
# Configure PE2.
[PE2] vlan batch 30
[PE2-Vlanif30] quit
interfaces.
[Switch1] vlan 100
[Switch2] vlan 200

# Configure PE1.


[PE1] ospf 1
[PE1-ospf-1] area 0
[PE1-ospf-1] quit
# Configure P.
[P-LoopBack1] quit
[P] ospf 1
[P-ospf-1] area 0
[P-ospf-1] quit
# Configure PE2.
[PE2] ospf 1
[PE2-ospf-1] area 0
[PE2-ospf-1] quit
------------------------------------------------------------------------------

2.2.2.2/32 OSPF 10 1 D 4.4.4.5 Vlanif20
3.3.3.3/32 OSPF 10 2 D 4.4.4.5 Vlanif20
4.4.4.0/24 Direct 0 0 D 4.4.4.4 Vlanif20
4.4.4.4/32 Direct 0 0 D 127.0.0.1 Vlanif20
5.5.5.0/24 OSPF 10 2 D 4.4.4.5 Vlanif20

# Configure PE1.
[PE1] mpls
[PE1-mpls] quit
[PE1] mpls ldp
[PE1-mpls-ldp] quit
[PE1-Vlanif20] mpls
[PE1-Vlanif20] quit

# Configure P.
[P] mpls
[P-mpls] quit
[P] mpls ldp
[P-mpls-ldp] quit
[P-Vlanif20] mpls
[P-Vlanif20] quit
[P-Vlanif30] mpls
[P-Vlanif30] quit
# Configure PE2.
[PE2] mpls
[PE2-mpls] quit
[PE2] mpls ldp
[PE2-mpls-ldp] quit
[PE2-Vlanif30] mpls
[PE2-Vlanif30] quit

------------------------------------------------------------------------------
------------------------------------------------------------------------------
------------------------------------------------------------------------------

# Configure PE1.
# Configure PE2.
PE2. You can see that the status of the peer relationship between PE1 and PE2 is
Operational. That is, the peer relationship is set up. The display on PE1 is used as an
example.


------------------------------------------------------------------------------
------------------------------------------------------------------------------
------------------------------------------------------------------------------

# Configure PE1.
[PE1] mpls l2vpn
[PE1-l2vpn] quit
# Configure PE2.
[PE2] mpls l2vpn
[PE2-l2vpn] quit

# Configure PE1.
[PE1] vsi a2 static
[PE1-vsi-a2] quit
# Configure PE2.
[PE2] vsi a2 static
[PE2-vsi-a2] quit
Step 8 Bind sub-interfaces interfaces to the VSI on PEs.

# Configure PE1.
[PE1-GigabitEthernet1/0/0.1] qinq mapping pe-vid 100 ce-vid 10 map-vlan vid 200
# Configure PE2.


***VSI Name : a2
VSI Index : 0
PW Signaling : ldp
MTU : 1500
Mpls Exp : --
DomainId : 255
Domain Name :
P2P VSI : disable
VSI State : up
VSI ID : 2
VC Label : 23552
Peer Type : dynamic
Session : up
Tunnel ID : 0x22
CKey : 2
NKey : 1
Stp Enable : 0
PwIndex : 0

State : up
Access Port : false
Last Up Time : 2010/12/30 11:31:18
**PW Information:

PW State : up
PW Type : label
Tunnel ID : 0x22
Ckey : 0x2
Nkey : 0x1
Tnl Type : LSP
Stp Enable : 0
PW Last Up Time : 2010/12/30 11:32:03

<CE1> ping 10.1.1.2


0.00% packet loss
----End
Configuration Files
#
sysname CE1
#
vlan batch 10
#
interface Vlanif10
ip address 10.1.1.1 255.255.255.0
#
#
return

#
sysname CE2
#
vlan batch 10
#
interface Vlanif10
ip address 10.1.1.2 255.255.255.0
#
#
return

#
sysname Switch1
#
vlan batch 100
#
#
#
return

#
sysname Switch2

#
vlan batch 200
#
#
#
return
#
sysname PE1
#
router id 1.1.1.1
#
vcmp role
silent
#
vlan batch 20
#
mpls lsr-id 1.1.1.1
mpls
#
mpls l2vpn
#
vsi a2 static
pwsignal ldp
vsi-id 2
peer 3.3.3.3
#
mpls ldp
#
remote-ip 3.3.3.3
#
interface Vlanif20
ip address 4.4.4.4 255.255.255.0
mpls
mpls ldp
#
#
qinq mapping pe-vid 100 ce-vid 10 map-vlan vid 200
l2 binding vsi a2
#
#
interface LoopBack1
ip address 1.1.1.1 255.255.255.255
#
ospf 1
area 0.0.0.0
network 1.1.1.1 0.0.0.0
network 4.4.4.0 0.0.0.255
#
return
#
sysname P

#
router id 2.2.2.2
#
vlan batch 20 30
#
mpls lsr-id 2.2.2.2
mpls
#
mpls ldp
#
interface Vlanif20
ip address 4.4.4.5 255.255.255.0
mpls
mpls ldp
#
interface Vlanif30
ip address 5.5.5.4 255.255.255.0
mpls
mpls ldp
#
#
#
interface LoopBack1
ip address 2.2.2.2 255.255.255.255
#
ospf 1
area 0.0.0.0
network 2.2.2.2 0.0.0.0
network 4.4.4.0 0.0.0.255
network 5.5.5.0 0.0.0.255
#
return
#
sysname PE2
#
router id 3.3.3.3
#
vcmp role
silent
#
vlan batch 30
#
mpls lsr-id 3.3.3.3
mpls
#
mpls l2vpn
#
vsi a2 static
pwsignal ldp
vsi-id 2
peer 1.1.1.1
#
mpls ldp
#
remote-ip 1.1.1.1
#
interface Vlanif30
ip address 5.5.5.5 255.255.255.0
mpls

mpls ldp
#
#
#
l2 binding vsi a2
#
interface LoopBack1
ip address 3.3.3.3 255.255.255.255
#
ospf 1
area 0.0.0.0
network 3.3.3.3 0.0.0.0
network 5.5.5.0 0.0.0.255
#
return
10.8.11 Example for Connecting a VLAN Stacking Sub-interface to

a VPLS Network
In Figure 10-19, VPLS is enabled on PE1 and PE2. CE1 connects to PE1 through Switch1
and CE2 connects to PE2 through Switch2. CE1 and CE2 are on the same VPLS network. To
implement communication between CE1 and CE2, use LDP as the VPLS signaling protocol
to establish PWs and configure VPLS.
Switch1 forwards the packets sent from CE1 without changing VLAN tags of the packets.
You are required to configure selective QinQ on the interface connected to CE2 so that
Switch2 adds the carrier-specified VLAN tag to the packets sent from CE2.
The packets sent from Switch1 to PE1 contain only one VLAN tag, and the packets sent
fromSwitch2 to PE2 contain double VLAN tags. In this case, you need to configure VLAN
stacking on the sub-interface of PE1 connected to Switch1 and connect the sub-interface to
the VPLS network to enable communication between CE1 and CE2.
public network.
NOTE

Figure 10-19 Networking diagram for connecting a VLAN stacking sub-interface to a VPLS
network
1.1.1.1/32 2.2.2.2/32 3.3.3.3/32
GE2/0/0 GE2/0/0
PE1 PE2
GE1/0/0 GE1/0/0
GE1/0/0 P GE2/0/0
GE2/0/0 GE2/0/0
Switch1 Switch2
GE1/0/0 GE1/0/0
GE1/0/0 GE1/0/0
CE1 CE2
- Loopback1 - 1.1.1.1/32
- Loopback1 - 3.3.3.3/32
- Loopback1 - 2.2.2.2/32
1. Configure a routing protocol on the backbone network to implement interworking.
2. Add the interface of Switch1 connected to CE1 to a specified VLAN.
3. Configure selective QinQ on the interface of Switch2 connected to CE2.
6. Enable MPLS L2VPN on the PEs.

8. Configure a VLAN stacking sub-interface on the interface of PE1 connected to Switch1
and bind the sub-interface to the VSI to connect it to the VPLS network.
9. Configure a QinQ sub-interface on the interface of PE2 connected to Switch2 and bind
the sub-interface to the VSI to connect the sub-interface to the VPLS network.
Procedure
Step 1 Create VLANs on the devices, add interfaces to the VLANs, and assign IP addresses to
VLANIF interfaces according to Figure 10-19.
NOTE
# Configure CE1.
[CE1] vlan batch 10
[CE1-Vlanif10] quit
# Configure CE2.
[CE2] vlan batch 10
[CE2-Vlanif10] quit
# Configure PE1.
[PE1] vlan batch 20
[PE1-Vlanif20] quit
# Configure P.
[HUAWEI] sysname P

[P-Vlanif20] quit
[P-Vlanif30] quit
# Configure PE2.
[PE2] vlan batch 30
[PE2-Vlanif30] quit
interfaces.
[Switch1] vlan 10
[Switch2] vlan 100

# Configure PE1.


[PE1] ospf 1
[PE1-ospf-1] area 0
[PE1-ospf-1] quit
# Configure P.
[P-LoopBack1] quit
[P] ospf 1
[P-ospf-1] area 0
[P-ospf-1] quit
# Configure PE2.
[PE2] ospf 1
[PE2-ospf-1] area 0
[PE2-ospf-1] quit
------------------------------------------------------------------------------

2.2.2.2/32 OSPF 10 1 D 4.4.4.5 Vlanif20
3.3.3.3/32 OSPF 10 2 D 4.4.4.5 Vlanif20
4.4.4.0/24 Direct 0 0 D 4.4.4.4 Vlanif20
4.4.4.4/32 Direct 0 0 D 127.0.0.1 Vlanif20
5.5.5.0/24 OSPF 10 2 D 4.4.4.5 Vlanif20

# Configure PE1.
[PE1] mpls
[PE1-mpls] quit
[PE1] mpls ldp
[PE1-mpls-ldp] quit
[PE1-Vlanif20] mpls
[PE1-Vlanif20] quit

# Configure P.
[P] mpls
[P-mpls] quit
[P] mpls ldp
[P-mpls-ldp] quit
[P-Vlanif20] mpls
[P-Vlanif20] quit
[P-Vlanif30] mpls
[P-Vlanif30] quit
# Configure PE2.
[PE2] mpls
[PE2-mpls] quit
[PE2] mpls ldp
[PE2-mpls-ldp] quit
[PE2-Vlanif30] mpls
[PE2-Vlanif30] quit

------------------------------------------------------------------------------
------------------------------------------------------------------------------
------------------------------------------------------------------------------

# Configure PE1.
# Configure PE2.
PE2. You can see that the peer status is Operational, indicating that a peer relationship has
been set up between PE1 and PE2. The display on PE1 is used as an example.



------------------------------------------------------------------------------
------------------------------------------------------------------------------
------------------------------------------------------------------------------

# Configure PE1.
[PE1] mpls l2vpn
[PE1-l2vpn] quit
# Configure PE2.
[PE2] mpls l2vpn
[PE2-l2vpn] quit

# Configure PE1.
[PE1] vsi a2 static
[PE1-vsi-a2] quit
# Configure PE2.
[PE2] vsi a2 static
[PE2-vsi-a2] quit
Step 8 Bind sub-interfaces to the VSI on the PEs.

# Configure PE1.
[PE1-GigabitEthernet1/0/0.1] qinq stacking vid 10 pe-vid 100
# Configure PE2.


***VSI Name : a2
VSI Index : 0
PW Signaling : ldp
MTU : 1500
Mpls Exp : --
DomainId : 255
Domain Name :
P2P VSI : disable
VSI State : up
VSI ID : 2
VC Label : 23552
Peer Type : dynamic
Session : up
Tunnel ID : 0x22
CKey : 2
NKey : 1
Stp Enable : 0
PwIndex : 0

State : up
Access Port : false
Last Up Time : 2010/12/30 11:31:18
**PW Information:

PW State : up
PW Type : label
Tunnel ID : 0x22
Ckey : 0x2
Nkey : 0x1
Tnl Type : LSP
Stp Enable : 0
PW Last Up Time : 2010/12/30 11:32:03

<CE1> ping 10.1.1.2


0.00% packet loss
----End
Configuration Files
#
sysname CE1
#
vlan batch 10
#
interface Vlanif10
ip address 10.1.1.1 255.255.255.0
#
#
return

#
sysname CE2
#
vlan batch 10
#
interface Vlanif10
ip address 10.1.1.2 255.255.255.0
#
#
return

#
sysname Switch1
#
vlan batch 10
#
#
#
return

#
sysname Switch2
#

vlan batch 100

#
#
#
return
#
sysname PE1
#
router id 1.1.1.1
#
vcmp role
silent
#
vlan batch 20
#
mpls lsr-id 1.1.1.1
mpls
#
mpls l2vpn
#
vsi a2 static
pwsignal ldp
vsi-id 2
peer 3.3.3.3
#
mpls ldp
#
remote-ip 3.3.3.3
#
interface Vlanif20
ip address 4.4.4.4 255.255.255.0
mpls
mpls ldp
#
#
qinq stacking vid 10 pe-vid 100
l2 binding vsi a2
#
#
interface LoopBack1
ip address 1.1.1.1 255.255.255.255
#
ospf 1
area 0.0.0.0
network 1.1.1.1 0.0.0.0
network 4.4.4.0 0.0.0.255
#
return
#
sysname P
#

router id 2.2.2.2
#
vlan batch 20 30
#
mpls lsr-id 2.2.2.2
mpls
#
mpls ldp
#
interface Vlanif20
ip address 4.4.4.5 255.255.255.0
mpls
mpls ldp
#
interface Vlanif30
ip address 5.5.5.4 255.255.255.0
mpls
mpls ldp
#
#
#
interface LoopBack1
ip address 2.2.2.2 255.255.255.255
#
ospf 1
area 0.0.0.0
network 2.2.2.2 0.0.0.0
network 4.4.4.0 0.0.0.255
network 5.5.5.0 0.0.0.255
#
return
#
sysname PE2
#
router id 3.3.3.3
#
vcmp role
silent
#
vlan batch 30
#
mpls lsr-id 3.3.3.3
mpls
#
mpls l2vpn
#
vsi a2 static
pwsignal ldp
vsi-id 2
peer 1.1.1.1
#
mpls ldp
#
remote-ip 1.1.1.1
#
interface Vlanif30
ip address 5.5.5.5 255.255.255.0
mpls
mpls ldp

#
#
#
l2 binding vsi a2
#
interface LoopBack1
ip address 3.3.3.3 255.255.255.255
#
ospf 1
area 0.0.0.0
network 3.3.3.3 0.0.0.0
network 5.5.5.0 0.0.0.255
#
return
10.9.1 QinQ Traffic Forwarding Fails Because the Outer VLAN Is

Not Created
Fault Symptom
After selective QinQ is configured on an interface, traffic forwarding fails.
Procedure
1. Run the display this command in the view of the interface configured with selective
QinQ to check the outer VLAN tag.
2. Run the display vlan summary command in any view to check whether the outer
VLAN has been created.
<HUAWEI> display vlan summary
Static
vlan:
Total 3 static
vlan.
1 9 to
10
Dynamic
vlan:
Total 0 dynamic
vlan.
Reserved vlan:
Total 0 reserved vlan.
– If the command output contains the outer VLAN ID, the outer VLAN has been
created. Continue to check for other common misconfigurations.
– If the command output does not contain the outer VLAN ID, the outer VLAN is not
created. Run the vlan batch command to create a VLAN and check whether QinQ

traffic can be correctly transmitted. If traffic forwarding still fails, continue to check
for other common misconfigurations.
10.9.2 QinQ Traffic Forwarding Fails Because the Interface Does

Not Transparently Transmit the Outer VLAN ID
Fault Symptom
After selective QinQ is configured on an interface, traffic forwarding fails.
Procedure
1. Run the display this command in the view of the interface configured with selective
QinQ to check the outer VLAN tag.
2. Run the display vlan vlan-id command in any view to check whether the interface
configured with selective QinQ belongs to the outer VLAN. vlan-id specifies the outer
VLAN ID.
<HUAWEI> display vlan 3
------------------------------------------------------------------------------
--
U: Up; D: Down; TG: Tagged; UT:
Untagged;
MP: Vlan-mapping; ST: Vlan-
stacking;
#: ProtocolTransparent-vlan; *: Management-
vlan;
------------------------------------------------------------------------------
--
VID Type
Ports
------------------------------------------------------------------------------
--
3 common
UT:GE1/0/2(U)
VID Status Property MAC-LRN Statistics

Description
------------------------------------------------------------------------------
--
3 enable default enable disable VLAN 0003
– If the system displays the message "Error:The VLAN does not exist.", the outer
VLAN is not created. Run the vlan batch command to create the outer VLAN and
run the display vlan vlan-id command to check whether the interface belongs to the
VLAN.
– If there is no interface configured with selective QinQ, run the port hybrid
untagged vlan vlan-id command to add the interface to the VLAN in untagged
mode.
– If the command output does not display the interface configured with selective
QinQ but the flag before the interface is not UT, run the port hybrid untagged
vlan vlan-id command to add the interface to the VLAN in untagged mode.
– If the command output displays the interface configured with selective QinQ and
the interface has joined the VLAN in untagged mode, continue to check for other
common misconfigurations.

10.9.3 An Interface Configured with Selective QinQ Fails to

Transparently Transmit the Single VLAN ID
Fault Symptom
After an interface on an SA card is configured with selective QinQ, the interface fails to
transparently transmit single-tagged packets.
NOTE
SA cards include the ES0D0G24SA00 and ES0D0G24CA00 cards of the S7700.
Procedure
Run the display this command on the interface configured with selective QinQ to check
whether VLAN mapping is configured to map the VLAN ID to be transparently transmitted to
itself (for example, port vlan-mapping vlan 20 map-vlan 20).
l If such VLAN mapping is not configured, run the port vlan-mapping vlan vlan-id1
map-vlan vlan-id2 command on the interface to configure it.
l If such VLAN mapping is configured, collect logs and alarms and contact Huawei
technical support personnel.
10.10 FAQ
10.10.1 Does the Switch Support QinQ?

The switch supports QinQ. QinQ falls into basic QinQ and selective QinQ. After selective
QinQ is configured on an SA card, configure VLAN mapping to map the VLAN tag that
needs to be transparently transmitted to itself, for example, port vlan-mapping vlan 20 map-
vlan 20. SA cards include the ES0D0G24SA00 and ES0D0G24CA00 cards of the S7700, and
the EH1D2S24CSA0 and EH1D2G24SSA0 cards of the S9700.
10.10.2 What Are Causes for QinQ Traffic Forwarding Failures?

Traffic forwarding on an interface configured with selective QinQ fails in the following
situations:
l The outer VLAN specified for selective QinQ is not created.
l The interface is not added to the outer VLAN specified for selective QinQ in untagged
mode.
l On an SA card, VLAN mapping, for example, port vlan-mapping vlan 20 map-vlan
20, is not configured to map the VLAN tag that needs to be transparently transmitted to
itself. SA cards include the ES0D0G24SA00 and ES0D0G24CA00 cards of the S7700,
and the EH1D2S24CSA0 and EH1D2G24SSA0 cards of the S9700.
10.10.3 Why Does a Standard Card Fail to Transparently Transmit

Single-Tagged Packets from a VLAN?
The standard card refers to the SA card (ES0D0G24SA00 and ES0D0G24CA00 cards of the
S7700, and EH1D2S24CSA0 and EH1D2G24SSA0 cards of the S9700). After selective QinQ

is configured on an interface of the SA card, VLAN mapping, for example, port vlan-
mapping vlan 20 map-vlan 20, must be configured to map the VLAN tag that needs to be
transparently transmitted to itself.
10.10.4 Can I Rapidly Delete All QinQ Configurations of an

Interface?
On a switch running V100R003 or a later version, the undo port vlan-stacking all command
can be used to quickly delete all selective QinQ configurations from an interface.
10.10.5 Can I Directly Delete Inner VLAN IDs from QinQ

Configuration?
l If the switch is running V100R003 or an earlier version, one or more inner VLAN IDs in
QinQ cannot be directly deleted. You must delete the current selective QinQ
configuration, and then reconfigure the inner VLAN IDs that do not need to be deleted.
For example, the port vlan-stacking vlan 10 to 20 stack-vlan 100 command is
configured on the switch. To delete inner VLAN 15, perform the following operations:
a. Run the undo port vlan-stacking vlan 10 to 20 stack-vlan 100 command to delete
the current selective QinQ configuration.
b. Run the port vlan-stacking vlan 10 to 14 stack-vlan 100 and port vlan-stacking
vlan 16 to 20 stack-vlan 100 commands to reconfigure the inner VLAN IDs that
do not need to be deleted.
l If the switch is running a version later than V100R003, one or more inner VLAN IDs in
QinQ can be directly deleted.
10.10.6 Can the Switch Add Double VLAN Tags to Untagged

Packets?
The switch can add double VLAN tags to untagged packets. Note the following points:
l The link type of the interface must be hybrid.
l Interfaces on the SA card do not support this function. SA cards include the
ES0D0G24SA00 and ES0D0G24CA00 cards of the S7700, and the EH1D2S24CSA0
and EH1D2G24SSA0 cards of the S9700.
10.11 References
The following table lists the references for the QinQ feature.
IEEE 802.1Q IEEE standard for local and metropolitan area -

networks: Virtual Bridged Local Area Networks
IEEE 802.1ad IEEE 802.1ad, "Virtual Bridged Local Area -

Networks: Provider Bridges"

Configuration Guide - Ethernet Switching 11 VLAN Mapping Configuration
11 VLAN Mapping Configuration
About This Chapter
This chapter describes how to configure VLAN mapping. VLAN mapping is configured on
the edge device of the public network so that the VLANs of private networks are isolated
from S-VLANs. This saves S-VLAN resources.
11.1 Introduction to VLAN Mapping

11.2 Principles
11.3 Applications
11.5 Configuring VLAN Mapping
11.6 Maintaining VLAN Mapping

11.1 Introduction to VLAN Mapping
Definition
VLAN mapping technology changes VLAN tags in packets to implement the mapping
between different VLANs.
Purpose
In some scenarios, two Layer 2 user networks in the same VLAN are connected through the
backbone network. To implement Layer 2 connectivity between users and deploy Layer 2
protocols such as MSTP uniformly, the two user networks need to seamlessly interwork with
each other. In this case, the backbone network needs to transmit VLAN packets from the user
networks. Generally, VLAN plan on the backbone network and user network is different, so
the backbone network cannot directly transmit VLAN packets from a user network.
One method is to configure a Layer 2 tunneling technology such as QinQ or VPLS to
encapsulate VLAN packets into packets on the backbone network so that VLAN packets are
transparently transmitted. However, this method increases extra cost because packets are
encapsulated. In addition, Layer 2 tunneling technology may not support transparent
transmission of packets of some protocol packets. The other method is to configure VLAN
mapping. When VLAN packets from a user network enter the backbone network, an edge
device on the backbone network changes the C-VLAN ID to the S-VLAN ID. After the
packets are transmitted to the other side, the edge device changes the S-VLAN ID to the C-
VLAN ID. This method implements seamless interworking between two user networks.
VLAN IDs in two directly connected Layer 2 networks are different because of different
plans. The user needs to manage the two networks as a single Layer 2 network. For example,
Layer 2 connectivity and Layer 2 protocols need to be deployed uniformly. VLAN mapping
can be configured on the switch connecting the two user networks to map VLAN IDs on the
two user networks. This implements Layer 2 connectivity and uniform management.
11.2 Principles
Basic Principles
After receiving a packet, the switch processes it based on tags:
l After receiving a tagged packet, the switch determines whether a single tag, double tags,
or the outer tag is to be replaced based on the VLAN mapping mode. Then the switch
learns the MAC addresses contained in the packet. Based on the source MAC address
and mapped VLAN ID, the switch updates the MAC address entries in the VLAN
mapping table. Based on the destination MAC address and the mapped VLAN ID, the
switch searches for the MAC address entries. If the destination MAC address matches no
entry, the switch broadcasts the packet in the specified VLAN; if the destination MAC
address matches an entry, the switch forwards the packet through the corresponding
outbound interface.
l If the packet has no tag, the switch determines whether to add a VLAN tag to the packet
based on the VLAN creation mode. If the packet cannot be added to a VLAN, the switch

delivers the packet to the CPU or discards it. If the packet can be added to a VLAN, the
switch adds a VLAN tag to it and learns the MAC addresses. Then the switch performs
Layer 2 forwarding based on the destination MAC address.
As shown in Figure 11-1, VLAN mapping between VLAN 2 and VLAN 3 is configured on
PORT 1. Before sending packets from VLAN 2 to VLAN 3, PORT 1 replaces the VLAN tags
with VLAN 3 tags. When receiving packets from VLAN 3 to VLAN 2, PORT 1 replaces the
VLAN tags with VLAN 2 tags. This implements the communication between devices in
VLAN 2 and VLAN 3.
Figure 11-1 VLAN mapping
VLAN 2 VLAN 3
2 3
PORT1
3
Switch Switch
A B
2
3
2
172.16.0.1/16 172.16.0.7/16
If devices in two VLANs need to communicate based on VLAN mapping, the IP addresses of
these devices must be on the same network segment. If their IP addresses are on different
network segments, communication between these devices must be implemented using Layer 3
routes, which makes VLAN mapping invalid.
VLAN Mapping Mode

The device supports VLAN-based, 802.1p-based and MQC-based VLAN mapping. There are
the following VLAN mapping modes:
l 1 to 1 VLAN mapping
When the primary interface on a device configured with VLAN mapping receives a
single-tagged packet, the interface maps the VLAN tag in the packet to an S-VLAN tag.
1:1 VLAN mapping maps a C-VLAN tag to an S-VLAN tag; N:1 VLAN mapping maps
multiple C-VLAN tags to an S-VLAN tag.
double-tagged packet, the interface maps the outer VLAN tag in the packet to an S-
VLAN tag and transparently transmits the inner VLAN tag.
double-tagged packet, the interface maps the double VLAN tags in the packet to the
double S-VLAN tags.

MQC-based VLAN mapping uses a traffic classifier to classify packets based on VLAN IDs,
associates the traffic classifier with a traffic behavior defining VLAN mapping so that the
device can re-mark the VLAN ID in packets matching the traffic classifier. MQC-based
VLAN mapping implements differentiated services.
11.3 Applications
When receiving a single-tagged packet, the primary interface maps the VLAN tag to a
specified single VLAN tag.
1 to 1 VLAN mapping applies to the network shown in Figure 11-2.

Figure 11-2 1 to 1 VLAN mapping

VLAN 2
HSI
Residential
VLAN 3 Gateway
IPTV
VLAN 2->VLAN 201

VLAN 3->VLAN 301
VoIP VLAN 4 VLAN 4->VLAN 401
Corridor
VLAN 2 Switch
HSI VLAN 2->VLAN 202
Residential VLAN 3->VLAN 302
VLAN 3 Gateway VLAN 4->VLAN 402
IPTV
VLAN 201~VLAN 300->VLAN 501
VoIP VLAN 401~VLAN 500->VLAN 503 Aggregation
VLAN 4 Switch
VLAN 2 VLAN 211~VLAN 310->VLAN 501

Community
HSI Switch
Residential
VLAN 3
Gateway
IPTV Internet
VLAN 2->VLAN 211

VLAN 3->VLAN 311
VoIP Corridor VLAN 4->VLAN 411
VLAN 4
Switch
VLAN 2
HSI
VLAN 2->VLAN 212
VLAN 3->VLAN 312
VLAN 3 VLAN 4->VLAN 412
IPTV
Residential
Gateway
VoIP VLAN 4
In the networking diagram shown in Figure 11-2, services (HSI, IPTV, and VoIP) of
each user are transmitted on different VLANs. Same services are transmitted on the same
C-VLAN. To differentiate users, deploy Corridor Switch to allow the same services used
by different users to be transmitted on different VLANs, which implements 1 to 1 VLAN
mapping. 1 to 1 VLAN mapping requires a large number of VLANs to isolate services of
different users; however, the VLAN quantity provided by the network access device at
the aggregation layer is limited. To resolve this problem, configure the VLAN
aggregation function to allow the same services to be transmitted on the same VLAN (N
to 1 VLAN mapping).

When the primary interface receives a double-tagged packet, the interface maps the outer
VLAN tag in the packet to an S-VLAN tag and transparently transmits the inner VLAN
tag.
Internet
Aggregation Switch
Community
Switch IP 501 2~3
S5
IP 501 4
Corridor IP 201 2 ~3
S3 S4
Switch IP 401 4
Residential
S1 Gateway S2
HSI VoIP IPTV HSI VoIP IPTV

VLAN 2 VLAN 3 VLAN 4 VLAN 2 VLAN 3 VLAN 4
In the networking diagram shown in Figure 11-3, Residential Gateway, Corridor Switch,
and Community Switch are connected to the aggregation layer on the network. To
differentiate users and services to facilitate network management and charging, configure
the QinQ function for Corridor Switch. To save VLAN resources, configure VLAN
mapping on Community Switch to transmit the same services on the same VLAN.

Switch2 Switch3
Internet
outside tag:50
inner tag:60
GE1/0/1
GE1/0/1
Switch1 GE1/0/1 GE1/0/1 Switch4
outside tag:100 outside tag:200

inner tag:10 inner tag:20
VLAN Mapping
In the networking diagram shown in Figure 11-4, QinQ is used to send double-tagged
packets, which prevents the conflict between C-VLAN IDs and S-VLAN IDs and
differentiates services and users. However, the primary interface will discard the packets
because C-VLAN IDs are different from S-VLAN IDs. To ensure communication
continuity, configure 2 to 2 VLAN mapping on the PE and replace double C-VLAN tags
with double S-VLAN tags.

License Support
VLAN mapping is a basic feature of a switch and is not under license control.
Software Version of VLAN Mapping
Table 11-1 Products and versions supporting VLAN mapping

Model
S7700 S7703, V100R003C01, V100R006C00, V200R001(C00&C01),

S7706, V200R002C00, V200R003C00, V200R005C00,
S7712 V200R006C00, V200R007C00, V200R008C00,
V200R009C00, V200R010C00


Model
S9700 S9703, V200R001(C00&C01), V200R002C00, V200R003C00,

S9706, V200R005C00, V200R006C00, V200R007C00,
S9712 V200R008C00, V200R009C00, V200R010C00
NOTE

l The ES0D0G24SA00 and ES0D0G24CA00 cards of the S7700 and EH1D2S24CSA0
and EH1D2G24SSA0 cards of the S9700 do not support 2:1 and 2:2 VLAN mapping.
l VLAN mapping can be configured only on a trunk or hybrid interface, and the hybrid
interface must be added to the translated VLAN.
l When N:1 VLAN mapping is configured, the interface needs to join the original VLAN
in tagged mode.
l When VLAN mapping is configured, do not configure map-vlan to the VLAN
corresponding to the VLANIF interface.
l N:1 VLAN mapping takes effect only when the packets with original VLANs are sent
first.
l SA boards of S series, X series, and FA series cards do not support N:1 VLAN mapping.
l N:1 VLAN mapping is not supported on an Eth-Trunk.
11.5 Configuring VLAN Mapping
11.5.1 Configuring VLAN ID-based VLAN Mapping
l Creating the specified VLAN
l Adding the primary interface to the translated VLAN
11.5.1.1 Configuring 1 to 1 VLAN Mapping
Context
When receiving a tagged packet, an interface maps the VLAN ID in the packet to an S-VLAN
ID.
Procedure
Step 1 Run:
system-view


Step 2 Run:

Step 3 Run:

Step 4 Run:
port vlan-mapping vlan vlan-id1 [ to vlan-id2 ] map-vlan vlan-id3 [ remark-8021p
8021p-value ]
Single-tagged VLAN mapping is configured on the interface.
NOTE
l When N:1 VLAN mapping is configured (VLAN IDs can be incontiguous before mapping), the
interface needs to be added to these VLANs in tagged mode, and the VLAN specified by map-vlan
cannot be a VLAN corresponding to a VLANIF interface.
l N:1 VLAN mapping takes effect only when the packets with original VLANs are sent first. N:1
VLAN mapping is not supported on the SA boards of S series, X1E-series, and FA-series boards.
l N:1 VLAN mapping is not supported on the Eth-Trunk interface.
----End
Context
ID.
Procedure
Step 1 Run:
system-view

Step 2 Run:

Step 3 Run:

Step 4 Run:
port vlan-mapping vlan vlan-id1 inner-vlan vlan-id2 [ to vlan-id3 ] map-vlan vlan-
id4 [ remark-8021p 8021p-value ]
The outer VLAN tag is replaced.

NOTE
The ES0D0G24SA00 and ES0D0G24CA00 cards of the S7700 do not support VLAN mapping for
double-tagged packets.
----End
Context
ID.
Procedure
Step 1 Run:
system-view
Step 2 Run:
The Ethernet interface view is displayed.
Step 3 Run:
Step 4 Run:
port vlan-mapping vlan vlan-id1 inner-vlan vlan-id2 map-vlan vlan-id3 map-inner-
vlan vlan-id4 [ remark-8021p 8021p-value ]
The outer and inner VLAN tags are replaced.
NOTE
The ES0D0G24SA00 and ES0D0G24CA00 cards of the S7700 do not support VLAN mapping for
double-tagged packets.
----End

After completing VLAN mapping configuration on an interface, you can run the following
commands in any view to check the VLAN mapping configuration on the interface.
Procedure
l Run the display vlan vlan-id command to check whether the interface is added to the
translated S-VLAN.
l Run the display current-configuration command to check the VLAN mapping
configuration on the interface.
----End

11.5.2 Configuring 802.1p Priority-based VLAN Mapping
Context
After 802.1p priority-based VLAN mapping is configured on a switch, the switch processes
VLAN tags of packets flexibly based on the 802.1p priority. Communication of users with a
higher priority is ensured.
Procedure
l Configuring VLAN mapping on the inbound interface based on the 802.1p priority
a. Run:
system-view

b. Run:

c. Run:

d. Run either of the following commands as required:
n To configure VLAN mapping on the inbound interface based on the 802.1p
priority, run port vlan-mapping 8021p 8021p-value map-vlan vlan-id
[ remark-8021p 8021p-value2 ].
n To configure VLAN mapping on the inbound interface based on the VLAN ID
and 802.1p priority, run port vlan-mapping vlan vlan-id1 [ to vlan-id2 ]
8021p 8021p-value1 [ to 8021p-value2 ] map-vlan vlan-id3 [ remark-8021p
8021p-value3 ].
NOTE
VLAN mapping based on the 802.1p priority is not supported on the SA boards of S series.
l (Optional) Configuring VLAN mapping on the outbound interface based on the 802.1p
priority
If the DiffServ domain is created on the inbound interface and VLAN mapping is
configured based on the priority, the internal priority may be different from the 802p.1
priority. You are advised to configure VLAN mapping on the outbound interface based
on the 802.1p priority.
a. Run:
system-view

b. Run:
diffserv domain ds-domain-name
The DiffServ domain is created, and the DiffServ domain view is displayed.
c. Run:
8021p-outbound service-class color map 8021p-value

The internal priority of VLAN packets on the outbound interface in the DiffServ
domain is mapped to the 802.1p priority.
d. Run:
quit
The DiffServ domain view is quit.

e. Run:

f. Run:
trust upstream ds-domain-name
The DiffServ domain is bound on the interface and the mapping in the DiffServ
domain is applied.
By default, an internal priority remains the same after being mapped to an external
priority.
----End
11.5.3 Configuring MQC-based VLAN Mapping
Context
A traffic policy is a QoS policy configured by binding traffic classifiers to traffic behaviors. A
traffic policy is bound to a traffic classifier and traffic behavior to implement VLAN mapping.
The traffic classifier defines rules based on VLAN IDs. VLAN mapping based on the traffic
policy implements differentiated services.
Procedure
a. Run:
system-view

b. Run:
that:


NOTE

Rule

VLAN IDs id ]
in QinQ
packets


802.1p value &<1-8>
priority in
QinQ
packets

or inner
and outer
VLAN IDs
of QinQ
packets

actions.

tags in
QinQ
packets


Rule

or OR.
packets.



in the
Ethernet
frame
header
All if-match any -

packets


Rule

matches the traffic
of whether the
AND or OR.
simultaneously.

rules is AND.
command, a packet
matches the traffic
precedence values,
AND or OR.

protocol
type


Rule

IPv6 S7700, and

packet urg }

view.


AND or OR.

the ACL6.


Rule

traffic policies.
d. Run:
quit

a. Run:

b. Run:
remark vlan-id vlan-id3
The traffic behavior is configured. The outer VLAN ID of the packet is re-marked.
c. (Optional) Run:
remark cvlan-id vlan-id4
The traffic behavior is configured. The inner VLAN ID of the packet is re-marked.
d. Run:
quit

e. Run:
quit

a. Run:
existing traffic policy is displayed. If you do not specify a matching order for traffic
classifiers in the traffic policy, the default matching order config is used.
change the matching order of traffic classifiers in the traffic policy. To change the

matching order, delete the traffic policy and create a new traffic policy with the
required matching order.
When creating a traffic policy, you can specify the matching order of traffic
classifiers in the traffic policy. The traffic classifiers can be matched in automatic
order (auto) or configuration order (config):
n If the matching order is auto, traffic classifiers are matched in descending
order of priorities pre-defined in the system: traffic classifiers based on Layer
2 and Layer 3 information, traffic classifiers based on Layer 2 information, and
finally traffic classifiers based on Layer 3 information. If a data flow matches
multiple traffic classifiers that are associated with conflicting traffic behavior,
the traffic behavior associated with the traffic classifier of the highest priority
takes effect.
n If the matching order is config, traffic classifiers are matched in descending
order of priorities either manually or dynamically allocated to them. This is
determined by the precedence value; a traffic classifier with a smaller
precedence value has a higher priority and is matched earlier. If you do not
specify precedence-value when creating a traffic classifier, the system
allocates a precedence value to the traffic classifier. The allocated value is
[(max-precedence + 5)/5] x 5, where max-precedence is the greatest value
among existing traffic classifiers.
NOTE
If more than 128 rate limiting ACL rules are configured in the system, traffic policies must
be applied to the interface view, VLAN view, and system view in sequence. To update an
ACL rule, delete all the associated traffic policies from the interface, VLAN, and system.
Then, reconfigure the traffic policies and reapply them to the interface, VLAN, and system.
b. Run:
A traffic behavior is bound to a traffic classifier in the traffic policy.

c. Run:
quit

d. Run:
quit

i. Run:
system-view

ii. Run:

iii. Run:



policing for all the incoming or outgoing packets that match traffic
classification rules on the interface.
i. Run:
system-view

ii. Run:
vlan vlan-id

iii. Run:

direction.
packets that belong to a VLAN and match traffic classification rules in the
inbound or outbound direction. However, the traffic policy does not take effect
for packets in VLAN 0.
i. Run:
system-view

ii. Run:
id ]

Only one traffic policy can be applied to the system or LPU in one direction. A
traffic policy cannot be applied to the same direction in the system and on the
LPU simultaneously.
11.6 Maintaining VLAN Mapping
11.6.1 Displaying VLAN Translation Resource Usage
Context
During VLAN Mapping configuration, VLAN translation resources may be insufficient. You
can run command to view the total number of inbound/outbound VLAN translation resources,
the number of used VLAN translation resources, and the number of remaining VLAN
translation resources. The command output helps you locate faults.

Procedure
Step 1 Run the display vlan-translation resource [ slot slot-number ] command in any view to view
VLAN translation resource usage on a card.
Step 2 Run the display spare-bucket resource [ slot slot-number ] command in any view to view
the usage of backup resources when VLAN translation resources on a card conflict.
NOTE
Only the X1E series cards support this command.
----End
11.7.1 Example for Configuring VLAN ID-based 1 to 1 VLAN

Mapping
Users in different communities use same services, such as the web, IPTV, and VoIP services.
To facilitate management, the network administrator of each community adds different
services to different VLANs. Communities in different VLANs need to use the same service,
so communication between VLANs must be implemented.
As shown in Figure 11-5, community 1 and community 2 have the same services, but belong
to different VLANs. Communication between community 1 and community 2 needs to be
implemented with low costs.
Figure 11-5 Networking diagram for configuring 1:1 VLAN mapping
PE1 PE2
GE1/0/1 ISP GE1/0/1
VLAN10
CE1 GE1/0/3 GE1/0/3 CE2
GE1/0/1 GE1/0/2 GE1/0/1 GE1/0/2
Community1 Community2
VLAN6 VLAN5
172.16.0.2/16 172.16.0.6/16
172.16.0.1/16 172.16.0.3/16 172.16.0.5/16 172.16.0.7/16
IP addresses of devices in the VLAN5 and VLAN6 must be in the same network segment.

1. Add the switch port connecting to community 1 to VLAN6 and add the switch port
connecting to community 2 to VLAN5.
2. Configure VLAN mapping on GE1/0/1 of PE1 and PE2 and map C-VLAN IDs to S-
VLAN IDs so that users in different VLANs can communicate with each other.
Procedure
Step 1 Add downlink interfaces on switches to specified VLANs.
# Configure CE1.
[CE1] vlan 6
[CE1-vlan6] quit
[CE1-GigabitEthernet1/0/1] port link-type access
[CE1-GigabitEthernet1/0/1] port default vlan 6
# Configure CE2.
[CE2] vlan 5
[CE2-vlan5] quit
Step 2 Configure VLAN mapping on the GE1/0/1 of PE1 and PE2.

# Configure PE1.
[PE1] vlan 10
[PE1-vlan10] quit
[PE1-GigabitEthernet1/0/1] port vlan-mapping vlan 6 map-vlan 10
# Configure PE2.

[PE2] vlan 10
[PE2-vlan10] quit
[PE2-GigabitEthernet1/0/1] port vlan-mapping vlan 5 map-vlan 10
Step 3 Verify the configurations.

Verify that users in community 1 and community 2 can communicate each other.
----End
Configuration Files
#
sysname CE1
#
vlan batch 6
#
port default vlan 6
#
port default vlan 6
#
#
return

#
sysname CE2
#
vlan batch 5
#
port default vlan 5
#
port default vlan 5
#
#
return

#
sysname PE1
#
vlan batch 10
#
port vlan-mapping vlan 6 map-vlan 10

#
return

#
sysname PE2
#
vlan batch 10
#
port vlan-mapping vlan 5 map-vlan 10
#
return
11.7.2 Example for Configuring VLAN ID-based N to 1 VLAN

Mapping
As shown in Figure 11-6, a large number of switches need to be deployed at the corridor so
that the same service used by different users can be sent on different VLANs. To save VLAN
resources, configure the VLAN aggregation function (N:1) on the switches so that same
services are sent on the same VLAN.
Figure 11-6 Networking diagram for configuring N:1 VLAN mapping
Internet
VLAN10
Switch GE1/0/1
VLAN100~109
SwitchA
…… …… ……
SwitchB SwitchC SwitchD SwitchE

1. Create the original VLAN and the translated VLAN on the Switch and add GE1/0/1 to
the VLANs in the tagged mode.
2. Configure VLAN mapping on GE1/0/1 on the Switch.
Procedure
# Create a VLAN.
[Switch] vlan batch 10 100 to 109
# Add GE1/0/1 to the VLAN.

[Switch-GigabitEthernet1/0/1] port hybrid tagged vlan 10 100 to 109
# Configure VLAN mapping on GE1/0/1.

[Switch-GigabitEthernet1/0/1] port vlan-mapping vlan 100 to 109 map-vlan 10

Verify that users in VLAN 100 to VLAN 109 can connect to the Internet through the Switch.
----End
Configuration Files
#
sysname Switch
#
vlan batch 10 100 to 109
#
interface gigabitethernet1/0/1
port vlan-mapping vlan 100 to 109 map-vlan 10
#
return
11.7.3 Example for Configuring VLAN ID-based 2 to 2 VLAN

Mapping
To avoid the conflict between C-VLAN IDs and S-VLAN IDs, the QinQ function is used. The
packets that a user sends are double-tagged, which saves VLAN ID resources. However, the
primary interface will discard the packets because C-VLAN IDs are different from S-VLAN
IDs.
As shown in Figure 11-7, the packets that users send to the ISP network are double-tagged.
The VLAN IDs in the packets are different from the S-VLAN IDs, so the packets cannot be

sent to the ISP network successfully. To resolve this problem, ensure that the users of the
Switch5 and Switch6 can communicate with each other.
Figure 11-7 Networking diagram for configuring 2 to 2 VLAN mapping
Switch3
Switch2 ISP
outside tag:50
inner tag:60
GE1/0/1 GE1/0/1
GE1/0/2 GE1/0/2
Switch1 Switch4
GE1/0/1 GE1/0/1
GE1/0/2
GE1/0/2
Switch5 Switch6
GE1/0/1 GE1/0/1
VLAN 10 VLAN 30
VLAN Mapping
1. Add switch ports connecting to users to VLAN 10 and VLAN 30.
2. Configure the QinQ function on Switch1 and Switch4 so that packets sent to the ISP
network are double-tagged.
3. Configure 2 to 2 VLAN mapping on the switch connecting to the ISP network.
Procedure
Step 1 Add downlink interfaces on switches to specified VLANs.
[Switch5] vlan 10
[Switch5-GigabitEthernet1/0/1] port link-type access


[Switch6] vlan 30
[Switch6-GigabitEthernet1/0/1] port link-type access
Step 2 Configure the QinQ function on Switch1 and Switch4 so that packets sent to the ISP network
are double-tagged.
# Configure Switch 1.
[Switch1] vlan 20
# Configure Switch 4.
[Switch4] vlan 40
Step 3 Configure 2 to 2 VLAN mapping on the switch connecting to the ISP network.
[Switch2-GigabitEthernet1/0/1] port vlan-mapping vlan 20 inner-vlan 10 map-vlan
50 map-inner-vlan 60

[Switch3-GigabitEthernet1/0/1] port vlan-mapping vlan 40 inner-vlan 30 map-vlan
50 map-inner-vlan 60

Verify that users in Switch5 and users in Switch6 can communicate with each other.
----End
Configuration Files
#
sysname Switch1
#
vlan batch 20
#
#
#
return

#
sysname Switch2
#
port vlan-mapping vlan 20 inner-vlan 10 map-vlan 50 map-inner-vlan 60
#
return

#
sysname Switch3
#
port vlan-mapping vlan 40 inner-vlan 30 map-vlan 50 map-inner-vlan 60
#
return

#
sysname Switch4
#
vlan batch 40
#
#


#
return

#
sysname Switch5
#
vlan batch 10
#
#
#
return

#
sysname Switch6
#
vlan batch 30
#
#
#
return
11.7.4 Example for Configuring Traffic Policy-based 2 to 2 VLAN

Mapping
As shown in Figure 11-8, enterprises A and B plan their own C-VLAN IDs, but they are
different from S-VLAN IDs in the packets. The primary interface will discard the packets. To
resolve this problem, configure VLAN mapping at the user side to ensure the communication
between enterprise A and enterprise B.

Figure 11-8 Networking diagram for configuring 2 to 2 VLAN mapping
ISP Network
Outer VLAN 300
Inner VLAN 30
SwitchC SwitchD
GE1/0/1 GE1/0/2
SwitchA GE1/0/1 GE1/0/2 SwitchB
Enterprises A Enterprises B
Outer VLAN 100 Outer VLAN 200
Inner VLAN 10 Inner VLAN 20
1. Create outer VLANs on SwitchA, SwitchB, SwitchC, and SwitchD.

2. Create classes, traffic behaviors, and traffic policies on SwitchA and SwitchB.
3. Add interfaces on SwitchA, SwitchB, SwitchC, and SwitchD to their own VLANs.
4. Configure traffic policy-based VLAN mapping of double tags on GE1/0/1 of SwitchA.
5. Configure traffic policy-based VLAN mapping of double tags on GE1/0/2 of SwitchB.
Procedure
Step 1 Configure VLANs.
# Create VLAN 100 and VLAN 300 on SwitchA.

# Create VLAN 200 and VLAN 300 on SwitchB.

# Create VLAN 300 on SwitchC.

[HUAWEI] sysname SwitchC
[SwitchC] vlan batch 300
# Create VLAN 300 on SwitchD.

[HUAWEI] sysname SwitchD
[SwitchD] vlan batch 300
Step 2 Add interfaces to VLANs.
# Add GE1/0/1 of SwitchA to VLAN 100 and VLAN 300 .

# Add GE 1/0/2 of SwitchB to VLAN 200 and VLAN 300 .

# Add GE 1/0/1 of SwitchC to VLAN 300.

[SwitchC] interface gigabitethernet 1/0/1
[SwitchC-GigabitEthernet1/0/1] port link-type trunk
[SwitchC-GigabitEthernet1/0/1] port trunk allow-pass vlan 300
[SwitchC-GigabitEthernet1/0/1] quit
# Add GE 1/0/2 on SwitchD to VLAN 300.

[SwitchD] interface gigabitethernet 1/0/2
[SwitchD-GigabitEthernet1/0/2] port link-type trunk
[SwitchD-GigabitEthernet1/0/2] port trunk allow-pass vlan 300
[SwitchD-GigabitEthernet1/0/2] quit
Step 3 Configure traffic classifiers, traffic behaviors, and traffic policies.
# Configure the traffic classifier, traffic behavior, and traffic policy in the inbound direction of
SwitchA.
[SwitchA] traffic classifier name1 operator and
[SwitchA-classifier-name1] if-match vlan-id 300
[SwitchA-classifier-name1] if-match cvlan-id 30
[SwitchA-behavior-name1] remark vlan-id 100
[SwitchA-behavior-name1] remark cvlan-id 10
# Configure the traffic classifier, traffic behavior, and traffic policy in the outbound direction
of SwitchA.
[SwitchA] traffic classifier name2 operator and
[SwitchA-classifier-name2] if-match vlan-id 100
[SwitchA-classifier-name2] if-match cvlan-id 10
[SwitchA-behavior-name2] remark vlan-id 300
[SwitchA-behavior-name2] remark cvlan-id 30
# Configure the traffic classifier, traffic behavior, and traffic policy in the inbound direction of
SwitchB.

[SwitchB] traffic classifier name1 operator and

[SwitchB-classifier-name1] if-match vlan-id 300
[SwitchB-classifier-name1] if-match cvlan-id 30
[SwitchB-behavior-name1] remark vlan-id 200
[SwitchB-behavior-name1] remark cvlan-id 20
# Configure the traffic classifier, traffic behavior, and traffic policy in the outbound direction
of SwitchB.
[SwitchB] traffic classifier name2 operator and
[SwitchB-classifier-name2] if-match vlan-id 200
[SwitchB-classifier-name2] if-match cvlan-id 20
[SwitchB-behavior-name2] remark vlan-id 300
[SwitchB-behavior-name2] remark cvlan-id 30
Step 4 Configure traffic policy-based VLAN mapping of double tags.

# Configure traffic policy-based VLAN mapping of double tags on GE 1/0/1 of SwitchA.
[SwitchA] interface GigabitEthernet 1/0/1
[SwitchA-GigabitEthernet1/0/1] traffic-policy name1 inbound
[SwitchA-GigabitEthernet1/0/1] traffic-policy name2 outbound
# Configure traffic policy-based VLAN mapping of double tags on GE 1/0/2 of SwitchB.

[SwitchB] interface GigabitEthernet 1/0/2
[SwitchB-GigabitEthernet1/0/2] traffic-policy name1 inbound
[SwitchB-GigabitEthernet1/0/2] traffic-policy name2 outbound

Verify that users of enterprise A and enterprise B can communicate with each other.
----End
Configuration Files
#
sysname SwitchA
#
vlan batch 100 300
#
traffic classifier name1 operator and precedence 5
if-match vlan-id 300
if-match cvlan-id 30
#
permit
remark vlan-id 100
remark cvlan-id 10
permit

remark vlan-id 300

remark cvlan-id 30
#
#
traffic-policy name2 outbound
#
return
#
sysname SwitchB
#
vlan batch 200 300
#
#
permit
remark vlan-id 200
remark cvlan-id 20
permit
remark vlan-id 300
remark cvlan-id 30
#
#
traffic-policy name2 outbound
#
return
l SwitchC configuration file
#
sysname SwitchC
#
vlan batch 300
#
#
return
l SwitchD configuration file
#
sysname SwitchD
#
vlan batch 300
#


#
return
11.8.1 Communication Failure After VLAN Mapping

Configuration
Symptom
As shown in Figure 11-9, users in VLAN 6 need to communicate with users in VLAN 5 over
an ISP network. The carrier assigns VLAN 10 as the S-VLAN. Single-tag VLAN mapping is
configured on GE 1/0/1 of SwitchC and SwitchD to map C-VLANs 5 and 6 to S-VLAN 10.
Figure 11-9 VLAN mapping networking diagram
ISP network
VLAN10
SwitchC SwitchD
GE1/0/1 GE1/0/1
SwitchA SwitchB
VLAN6 GE1/0/1 GE1/0/1 VLAN5
GE1/0/2 GE1/0/3 GE1/0/3
GE1/0/2
172.16.0.1/16 172.16.0.2/16 172.16.0.3/16 172.16.0.5/16 172.16.0.6/16 172.16.0.7/16
After VLAN mapping is configured on the interfaces, users in different VLANs cannot
communicate with each other. This fault is commonly caused by one of the following:
l The translated VLAN (map-vlan) has not been created.
l The interfaces configured with VLAN mapping are not added to the translated VLAN.
l The translated VLAN ID configured on SwitchC and SwitchD is different from the S-
VLAN ID assigned by the carrier.
l The interfaces configured with VLAN mapping are faulty.

Procedure
1. In the user view, run the display vlan command to verify that the translated VLAN
(map-vlan) is created.
– If the translated VLAN has not been created, run the vlan command to create it.
– If the translated VLAN is created, go to the next step.
2. In the interface view, run the display this command to verify that the interfaces
configured with VLAN mapping have been added to the translated VLAN in tagged
mode.
NOTE
l VLAN mapping can be configured only on a trunk or hybrid interface, and the hybrid interface
must be added to the translated VLAN in tagged mode.
l If a range of original VLANs is specified by vlan-id1 to vlan-id2 on an interface, the interface must
be added to all the original VLANs in tagged mode, and the translated VLAN cannot have a
VLANIF interface.
l Limiting MAC address learning on an interface may affect N to 1 VLAN mapping on the interface.
– If the interfaces configured with VLAN mapping have not been added to the
translated VLAN in tagged mode, run the port trunk allow-pass vlan or port
hybrid tagged vlan command in the interface view to add the interfaces to the
translated VLAN in tagged mode.
– If the interfaces have been added to the translated VLAN in tagged mode, go to the
next step.
3. In the interface view, run the display this command to verify that the translated VLAN
ID configured on the interface is the same as the S-VLAN ID assigned by the carrier.
– If the translated VLAN ID on an interface is different from the S-VLAN ID
assigned by the carrier, run the undo port vlan-mapping command on the interface
to delete the VLAN mapping configuration, and run the port vlan-mapping vlan
command to set the translated VLAN ID to the S-VLAN ID.
– If the translated VLAN ID is the same as the S-VLAN ID assigned by the carrier,
go to the next step.
4. In the user view, run the display vlan vlan-id command to verify that user-side interfaces
are added to C-VLANs.
– If the user-side interfaces are not in the C-VLANs, run the port trunk allow-pass
vlan, port hybrid tagged vlan, or port default vlan command to add the
interfaces to the C-VLANs.

Configuration Guide - Ethernet Switching 12 GVRP Configuration
12 GVRP Configuration
About This Chapter
This chapter describes how to configure the Generic VLAN Registration Protocol (GVRP).
12.1 Introduction to GVRP

12.2 Principles
12.3 Applications
12.6 Configuring GVRP
12.7 Maintaining GVRP
12.9 FAQ
12.10 References

12.1 Introduction to GVRP
Definition
The Generic Attribute Registration Protocol (GARP) provides a mechanism to propagate
attributes so that a protocol entity can register and deregister attributes. By filling different
attributes into GARP packets, GARP supports different upper-layer applications.
The GARP VLAN Registration Protocol (GVRP) is used to register and deregister VLAN
attributes.
GARP identifies applications through destination MAC addresses. IEEE Std 802.1Q assigns
01-80-C2-00-00-21 to the VLAN application (GVRP).
Purpose
To deploy certain VLANs on all devices on a network, the network administrator needs to
manually create these VLANs on each device. As shown in Figure 12-1, three routers are
connected through trunk links. VLAN 2 is configured on Switch A, and VLAN 1 is
configured on Switch B and Switch C. To forward packets of VLAN 2 from Switch A to
Switch C, the network administrator must manually create VLAN 2 on Switch B and Switch
C.
Figure 12-1 Networking of GVRP application

SwitchA SwitchC
SwitchB
When a network is complicated and the network administrator is unfamiliar with the network
topology or when many VLANs are configured on the network, huge workload is required for
manual configuration. In addition, configuration errors may occur. In this case, you can
configure GVRP on the network to implement automatic registration of VLANs.
Benefits
GVRP is based on GARP and is used to maintain VLAN attributes dynamically on devices.
Through GVRP, VLAN attributes of one device can be propagated throughout the entire
switching network. GVRP enables network devices to dynamically deliver, register, and
propagate VLAN attributes, reducing workload of the network administrator and ensuring
correct configuration.

12.2 Principles
12.2.1 Basic Concepts
Participant
On a device, each port running a protocol is considered as a participant. On a device running
GVRP, each GVRP-enabled port is considered as a GVRP participant, as shown in Figure
12-2.
Figure 12-2 GVRP participant
GVRP participants
SwitchA SwitchC
SwitchB
VLAN Registration and Deregistration

GVRP implements automatic registration and deregistration of VLAN attributes. The
functions of VLAN registration and deregistration are:
l VLAN registration: adds a port to a VLAN.
l VLAN deregistration: removes a port from a VLAN.
GVRP registers and deregisters VLAN attributes through attribute declarations and reclaim
declarations as follows:
l When a port receives a VLAN attribute declaration, it registers the VLAN specified in
the declaration. That is, the port is added to the VLAN.
l When a port receives a VLAN attribute reclaim declaration, it deregisters the VLAN
specified in the declaration. That is, the port is removed from the VLAN.
A port registers or deregisters VLANs only when it receives GVRP messages.

Figure 12-3 VLAN registration and deregistration

Declaration Register
Reclaim Deregister
SwitchA declaration SwitchB
GARP Messages
GARP participants exchange VLAN information through GARP messages. Major GARP
messages are Join messages, Leave messages, and LeaveAll messages.
l Join message
When a GARP participant expects other devices to register its attributes, it sends Join
messages to other devices. When the GARP participant receives a Join message from
another participant or is configured with attributes statically, it also sends Join messages
to other devices for the devices to register the new attributes.
Join messages are classified into JoinEmpty messages and JoinIn messages. The
difference between the two types of messages is:
– JoinEmpty: declares an unregistered attribute.
– JoinIn: declares a registered attribute.
l Leave message
When a GARP participant expects other devices to deregister its attributes, it sends
Leave messages to other devices. When the GARP participant receives a Leave message
from another participant or some of its attributes are deregistered statically, it also sends
Leave messages to other devices.
Leave messages are classified into LeaveEmpty messages and LeaveIn messages. The
difference between the two types of messages is:
– LeaveEmpty: deregisters an unregistered attribute.
– LeaveIn: deregisters a registered attribute.
l LeaveAll message
When a participant starts, it starts the LeaveAll timer. When the LeaveAll timer expires,
the participant sends LeaveAll messages to other devices.
A participant sends LeaveAll messages to deregister all attributes so that other
participants can re-register attributes of the local participant. LeaveAll messages are used
to periodically delete useless attributes on the network. For example, an attribute of a
participant is deleted but the participant does not send Leave messages to request other
participants to deregister the attribute because of a sudden power failure. Then this
attribute becomes useless.
GARP Timers
The GARP protocol defines four timers:
l Join timer
The Join timer controls sending of Join messages including JoinIn messages and
JoinEmpty messages.

After sending the first Join message, a participant starts the Join timer. If the participant
receives a JoinIn message before the Join timer expires, it does not send the second Join
message. If the participant does not receive any JoinIn message, it sends the second Join
message when the Join timer expires. This ensures that the Join message can be sent to
other participants. Each port maintains an independent Join timer.
l Hold timer
The Hold timer controls sending of Join messages (JoinIn messages and JoinEmpty
messages) and Leave messages (LeaveIn messages and LeaveEmpty messages).
After a participant is configured with an attribute or receives a message, it does not send
the message to other participants before the Hold timer expires. The participant
encapsulates messages received within the hold time into a minimum number of packets,
reducing the packets sent to other participants. If the participant does not use the Hold
timer but forwards a message immediately after receiving one, a large number of packets
are transmitted on the network. This makes the network unstable and wastes data fields
of packets.
Each port maintains an independent Hold timer. The Hold timer value must be equal to
or smaller than half of the Join timer value.
l Leave timer
The Leave timer controls attribute deregistration.
A participant starts the Leave timer after receiving a Leave or LeaveAll message. If the
participant does not receive any Join message of the corresponding attribute before the
Leave timer expires, the participant deregisters the attribute.
A participant sends a Leave message if one of its attributes is deleted, but this attribute
may still exist on other participants. Therefore, the participant receiving the Leave
message cannot deregister the attribute immediately and needs to wait for messages from
other participants.
For example, an attribute has two sources on the network: participant A and participant
B. Other participants register the attribute through GARP. If the attribute is deleted from
participant A, participant A sends a Leave message to other participants. After receiving
the Leave message, participant B sends a Join message to other participants because the
attribute still exists on participant B. After receiving the Join message from participant
B, other participants retain the attribute. Other participants deregister the attribute only if
they do not receive any Join message of the attribute within a period longer than two
times the Join timer value. Therefore, the Leave timer value must be greater than two
times the Join timer value.
Each port maintains an independent Leave timer.
l LeaveAll timer
When a GARP participant starts, it starts the LeaveAll timer. When the LeaveAll timer
expires, the participant sends a LeaveAll message and restarts the LeaveAll timer.
After receiving a LeaveAll message, a participant restarts all GARP timers. The
participant sends another LeaveAll message when its LeaveAll timer expires. This
reduces LeaveAll messages sent in a period of time.
If LeaveAll timers of multiple devices expire at the same time, they send LeaveAll
messages at the same time, which causes unnecessary LeaveAll messages. To solve this
problem, each device uses a random value between the LeaveAll timer value and 1.5
times the LeaveAll timer value as its LeaveAll timer value. When a LeaveAll event
occurs, all attributes on the entire network are deregistered. The LeaveAll event affects
the entire network; therefore, you need to set the LeaveAll timer to a proper value, at
least greater than the Leave timer value.

Each device maintains a global LeaveAll timer.
Registration Modes
A manually configured VLAN is a static VLAN, and a VLAN created through GVRP is a
dynamic VLAN. GVRP provides three registration modes. Static VLANs and dynamic
VLANs are processed differently in each registration mode as follows:
l Normal mode: Dynamic VLANs can be registered on a port, and the port can send
declarations of static VLANs and dynamic VLANs.
l Fixed mode: Dynamic VLANs cannot be registered on a port, and the port can send only
declarations of static VLANs.
l Forbidden mode: Dynamic VLANs cannot be registered on a port. All VLANs except
VLAN 1 are deleted from the port, and the port can send only the declaration of VLAN
1.
12.2.2 Packet Structure
GARP packets are encapsulated in the IEEE 802.3 Ethernet format, as shown in Figure 12-4.
Figure 12-4 GARP packet structure
DA SA length DSAP SSAP Ctrl PDU Ethernet Frame

1 3 N
Protocol ID Message 1 … Message N End Mark GARP PDU structure
1 2 N
Attribute Type Attribute List Message structure
1 N
Attribute 1 … Attribute N End Mark Attribute List structure
1 2 3 N
Attribute Length Attribute Event Attribute Value Attribute structure
The following table describes the fields in a GARP packet.
Field Description Value
Protocol ID Indicates the protocol ID. The value is 1.
Message Indicates the messages in -

the packet. Each message
consists of the Attribute
Type and Attribute list
fields.

Field Description Value
Attribute Type Indicates the type of an The value is 0x01 for

attribute, which is defined GVRP, indicating that the
by the GARP application. attribute value is a VLAN
ID
Attribute List Indicates the attribute list of -

a message, which consists of
multiple attributes.
Attribute Indicates an attribute, which -

consists of the Attribute
Length, Attribute Event, and
Attribute Value fields.
Attribute Length Indicates the length of an The value ranges from 2 to

attribute. 255, in bytes.
Attribute Event Indicates the event that an The value can be:
attribute describes. l 0: LeaveAll Event
l 1: JoinEmpty Event
l 2: JoinIn Event
l 3: LeaveEmpty Event
l 4: LeaveIn Event
l 5: Empty Event
Attribute Value Indicates the value of an The value is a VLAN ID for

attribute. GVRP. This field is invalid
in a LeaveAll attribute.
End Mark Indicates the end of a GARP The value is 0x00.

PDU.
12.2.3 Working Procedure

This section describes the working procedure of GVRP by using an example. This example
illustrates how a VLAN attribute is registered and deregistered on a network in four phases.

One-Way Registration
Figure 12-5 One-way registration of a VLAN attribute

SwitchA SwitchC
Static vlan 2
Port 4
Port 1 JoinEmpty
JoinEmpty
Port 2 Port 3
SwitchB
Static VLAN 2 is created on RouterA. Ports on RouterB and RouterC can join VLAN 2
automatically through one-way registration. The process is as follows:
1. After VLAN 2 is created on RouterA, Port 1 of RouterA starts the Join timer and Hold
timer. When the Hold timer expires, Port 1 sends the first JoinEmpty message to
RouterB. When the Join timer expires, Port 1 restarts the Hold timer. When the Hold
timer expires again, Port 1 sends the second JoinEmpty message.
2. After Port 2 of RouterB receives the first JoinEmpty message, RouterB creates dynamic
VLAN 2 and adds Port 2 to VLAN 2. In addition, RouterB requests Port 3 to start the
Join timer and Hold timer. When the Hold timer expires, Port 3 sends the first JoinEmpty
message to RouterC. When the Join timer expires, Port 3 restarts the Hold timer. When
the Hold timer expires again, Port 3 sends the second JoinEmpty message. After Port 2
receives the second JoinEmpty message, RouterB does not take any action because Port
2 has been added to VLAN 2.
3. After Port 4 of RouterC receives the first JoinEmpty message, RouterC creates dynamic
VLAN 2 and adds Port 4 to VLAN 2. After Port 4 receives the second JoinEmpty
message, RouterC does not take any action because Port 4 has been added to VLAN 2.
4. Every time the LeaveAll timer expires or a LeaveAll message is received, each router
restarts the LeaveAll timer, Join timer, Hold timer, and Leave timer. Then Port 1 repeats
step 1 to send JoinEmpty messages. Port 3 of RouterB sends JoinEmpty messages to
RouterC in the same way.
Two-Way Registration
Figure 12-6 Two-way registration of a VLAN attribute

SwitchA SwitchC
Static vlan 2Static vlan 2

Port 4
JoinEmpty
Port 1 JoinIn
JoinIn
JoinEmpty
JoinIn
JoinIn
Port 2 Port 3
SwitchB

After one-way registration is complete, Port 1, Port 2, and Port 4 are added to VLAN 2 but
Port 3 is not added to VLAN 2 because only ports receiving a JoinEmpty or JoinIn message
can be added to dynamic VLANs. To transmit traffic of VLAN 2 in both directions, VLAN
registration from RouterC to RouterA is required. The process is as follows:
1. After one-way registration is complete, static VLAN 2 is created on RouterC (the
dynamic VLAN is replaced by the static VLAN). Port 4 of RouterC starts the Join timer
and Hold timer. When the Hold timer expires, Port 4 sends the first JoinIn message
(because it has registered VLAN 2) to RouterB. When the Join timer expires, Port 4
restarts the Hold timer. When the Hold timer expires, Port 4 sends the second JoinIn
message.
2. After Port 3 of RouterB receives the first JoinIn message, RouterB adds Port 3 to VLAN
2 and requests Port 2 to start the Join timer and Hold timer. When the Hold timer expires,
Port 2 sends the first JoinIn message to RouterA. When the Join timer expires, Port 2
restarts the Hold timer. When the Hold timer expires again, Port 2 sends the second
JoinIn message. After Port 3 receives the second JoinIn message, RouterB does not take
any action because Port 3 has been added to VLAN 2.
3. When RouterA receives the JoinIn message, it stops sending JoinEmpty messages to
RouterB. Every time the LeaveAll timer expires or a LeaveAll message is received, each
router restarts the LeaveAll timer, Join timer, Hold timer, and Leave timer. Port 1 of
RouterA sends a JoinIn message to RouterB when the Hold timer expires.
4. RouterB sends a JoinIn message to RouterC.
5. After receiving the JoinIn message, RouterC does not create dynamic VLAN 2 because
static VLAN 2 has been created.
One-Way Deregistration
Figure 12-7 One-way deregistration of a VLAN attribute

SwitchA SwitchC
Static vlan 2
LeaveEmpty Port 4
Port 1
LeaveIn
Port 2 Port 3
SwitchB
When VLAN 2 is not required on the routers, the routers can deregister VLAN 2. The process
is as follows:
1. After static VLAN 2 is manually deleted from RouterA, Port 1 of RouterA starts the
Hold timer. When the Hold timer expires, Port 1 sends a LeaveEmpty message to
RouterB. Port 1 needs to send only one LeaveEmpty message.
2. After Port 2 of RouterB receives the LeaveEmpty message, it starts the Leave timer.
When the Leave timer expires, Port 2 deregisters VLAN 2. Then Port 2 is deleted from

VLAN 2, but VLAN 2 is not deleted from RouterB because Port 3 is still in VLAN 2. At
this time, RouterB requests Port 3 to start the Hold timer and Leave timer. When the
Hold timer expires, Port 3 sends a LeaveIn message to RouterC. Static VLAN 2 is not
deleted from RouterC; therefore, Port 3 can receive the JoinIn message sent from Port 4
after the Leave timer expires. In this case, RouterA and RouterB can still learn dynamic
VLAN 2.
3. After RouterC receives the LeaveIn message, Port 4 is not deleted from VLAN 2
because VLAN 2 is a static VLAN on RouterC.
Two-Way Deregistration
Figure 12-8 Two-way deregistration of a VLAN attribute

SwitchA SwitchC
LeaveEmpty Port 4
Port 1 LeaveEmpty
LeaveEmpty LeaveIn
Port 2 Port 3
SwitchB
To delete VLAN 2 from all the routers, two-way deregistration is required. The process is as
follows:
1. After static VLAN 2 is manually deleted from RouterC, Port 4 of RouterC starts the
Hold timer. When the Hold timer expires, Port 4 sends a LeaveEmpty message to
RouterB.
2. After Port 3 of RouterB receives the LeaveEmpty message, it starts the Leave timer.
dynamic VLAN 2, and dynamic VLAN 2 is deleted from RouterB. At this time, RouterB
requests Port 2 to start the Hold timer. When the Hold timer expires, Port 2 sends a
LeaveEmpty message to RouterA.
3. After Port 1 of RouterA receives the LeaveEmpty message, it starts the Leave timer.
dynamic VLAN 2, and dynamic VLAN 2 is deleted from RouterA.
12.3 Applications
GVRP enables routers on a network to dynamically maintain and update VLAN information.
With GVRP, you can adjust the VLAN deployment on the entire network by configuring only
a few devices. You do not need to analyze the topology and manage configurations. As shown
in Figure 12-9, GVRP is enabled on all devices. Devices are interconnected through trunk
ports and each trunk port allows packets of all VLANs to pass. You simply need to configure
static VLANs 100 to 1000 on SwitchA and SwitchC. Then the other devices can learn
VLANs 100 to 1000 through GVRP.

Figure 12-9 Typical application of GVRP

SwitchB
SwitchA SwitchC
VLAN 100~1000 VLAN 100~1000

License Support
GVRP is a basic feature of a switch and is not under license control.
Version Support
Table 12-1 Products and versions supporting GVRP

Model
S7700 S7703, V100R003C01, V100R006C00, V200R001(C00&C01),

S7706, V200R002C00, V200R003C00, V200R005C00,
S7712 V200R006C00, V200R007C00, V200R008C00,
V200R009C00, V200R010C00
S9700 S9703, V200R001(C00&C01), V200R002C00, V200R003C00,

S9706, V200R005C00, V200R006C00, V200R007C00,
S9712 V200R008C00, V200R009C00, V200R010C00
NOTE

l When many dynamic VLANs need to be registered or the network radius is large, using
default values of timers may cause VLAN flapping and high CPU usage. In this case,
increase values of the timers. The following values are recommended depending on the
number of VLANs.

Table 12-2 Relationship between GARP timer values and number of dynamic VLANs
that need to be registered
Number of Dynamic VLANs to Be Registered (N)
Timer N <= 500 500 < N <= 1000 < N <= N > 1500
1000 1500
GARP Hold 100 200 800 1000

timer centiseconds centiseconds centiseconds centiseconds
(1 second) (2 seconds) (8 seconds) (10 seconds)
GARP Join 600 1200 4000 6000

(6 seconds) (12 seconds) (40 seconds) (1 minute)
GARP Leave 3000 6000 20000 30000

(30 seconds) (1 minute) (3 minutes and (5 minutes)
20 seconds)
GARP 12000 24000 30000 32765

LeaveAll timer centiseconds centiseconds centiseconds centiseconds
(2 minutes) (4 minutes) (5 minutes) (5 minutes and
27.65 seconds)
l The blocked port in instance 0 of STP/RSTP/MSTP can block GVRP packets; the
blocked ports of other MSTIs and other ring network protocols such as ERPS, SEP,
RRPP, Smart Link, and VBST cannot block GVRP packets. To ensure that GVRP runs
normally and prevent GVRP loops, do not enable GVRP on the blocked port of a ring
network protocol.
l The blocked ports of LDT and LBDT cannot block GVRP packets. To ensure that GVRP
runs normally and prevent GVRP loops, do not enable GVRP on the blocked port of
LDT and LBDT.
GVRP function The GVRP function is disabled globally and on

interfaces.
Registration mode of the GVRP normal

interface
LeaveAll timer 1000 centiseconds
Hold timer 10 centiseconds
Join timer 20 centiseconds
Leave timer 60 centiseconds

12.6 Configuring GVRP
12.6.1 Enabling GVRP
Context
Before enabling GVRP on an interface, you must enable GVRP globally. GVRP can be
enabled only on trunk interfaces. You must perform related configurations to ensure that all
dynamically registered VLANs can pass the trunk interfaces.
NOTE
When the VCMP role is the client or server, GVRP cannot be enabled. In this case, run the vcmp role
command to configure the VCMP role as silent or transparent. If GVRP has been enabled, do not switch the
VCMP role to client or server.
Procedure
Step 1 Run:
system-view
Step 2 Run:
gvrp
GVRP is enabled globally.
Step 3 Run:
Step 4 Run:
The link type of the interface is set to trunk.
Step 5 Run:
port trunk allow-pass vlan { { vlan-id1 [ to vlan-id2 ] }&<1-10> | all }
The interface is added to the specified VLANs.
Step 6 Run:
gvrp
GVRP is enabled on the interface.
By default, GVRP is disabled globally and on each interface.

NOTE
VLAN configuration will trigger GVRP messages. If too many VLANs are configured, you are advised
to configure VLANs on devices one by one and configure the timer. Otherwise, dynamic VLANs may
flap.
When many dynamically registered VLANs such as 4094 VLANs are configured, run the car packet-
type gvrp cir cir-value command to increase the CPCAR value. To prevent a high load on the CPU, the
CPCAR cannot be increased infinitely. If the CPCAR values are adjusted improperly, network services
are affected. To adjust the CPCAR values, contact Huawei technical support engineers.
If an interface is changed to another link type, such as access, hybrid, negotiation-desirable, or
negotiation-auto, the GVRP configuration on the interface is automatically deleted.
The blocking port in instance 0 of STP/RSTP/MSTP can block GVRP packets; the blocking ports of
other MSTIs and other ring network protocols such as ERPS, SEP, RRPP, Smart Link, and VBST cannot
block GVRP packets. To ensure that GVRP runs normally and prevent GVRP loops, do not enable
GVRP on the blocking port of a ring network protocol.
----End
12.6.2 (Optional) Setting the Registration Mode for a GVRP

Interface
Context
A GVRP interface supports three registration modes:
l Normal: In this mode, the GVRP interface can dynamically register and deregister
VLANs, and transmit dynamic VLAN registration information and static VLAN
registration information.
l Fixed: In this mode, the GVRP interface is disabled from dynamically registering and
deregistering VLANs and can transmit only the static VLAN registration information. If
the registration mode is set to fixed for a trunk interface, the interface allows only the
manually configured VLANs to pass even if it is configured to allow all the VLANs to
pass.
l Forbidden: In this mode, the GVRP interface is disabled from dynamically registering
and deregistering VLANs and can transmit only information about VLAN 1. If the
registration mode is set to forbidden for a trunk interface, the interface allows only
VLAN 1 to pass even if it is configured to allow all the VLANs to pass.
Procedure
Step 1 Run:
system-view

Step 2 Run:

Step 3 Run:
gvrp registration { fixed | forbidden | normal }
The registration mode is set for the interface.

By default, the registration mode of a GVRP interface is normal.

NOTE
Before setting the registration mode for an interface, enable GVRP on the interface.
----End
12.6.3 (Optional) Setting the GARP Timers
Context
When a GARP participant is enabled, the LeaveAll timer is started. When the LeaveAll timer
expires, the GARP participant sends LeaveAll messages to request other GARP participants
to re-register all its attributes. Then the LeaveAll timer restarts.
Devices on a network may have different settings for the LeaveAll timer. In this case, all the
devices use the smallest LeaveAll timer value on the network. When the LeaveAll timer of a
device expires, the device sends LeaveAll messages to other devices. After other devices
receive the LeaveAll messages, they reset their LeaveAll timers. Therefore, only the LeaveAll
timer with the smallest value takes effect even if devices have different settings for the
LeaveAll timer.
When using the garp timer command to set the GARP timers, pay attention to the following
points:
l The undo garp timer command restores the default values of GARP timers. If the
default value of a timer is out of the valid range, the undo garp timer command does
not take effect.
l The value range of each timer changes with the values of the other timers. If a value you
set for a timer is not in the allowed range, you can change the value of the timer that
determines the value range of this timer.
l To restore the default values of all the GARP timers, restore the Hold timer to the default
value, and then sequentially restore the Join timer, Leave timer, and LeaveAll timer to
the default values.
When many dynamic VLANs need to be registered or the network radius is large, using
default values of timers may cause VLAN flapping and high CPU usage. In this case, increase
values of the timers. The following values are recommended depending on the number of
VLANs.
Table 12-3 Relationship between GARP timer values and number of dynamic VLANs that
need to be registered
Timer N<=500 500<N<=1000 1000<N<=150 N>1500
0
GARP Hold 100 200 800 1000

timer centiseconds (1 centiseconds (2 centiseconds (8 centiseconds
second) seconds) seconds) (10 seconds)
GARP Join 600 1200 4000 6000

timer centiseconds (6 centiseconds centiseconds centiseconds (1
seconds) (12 seconds) (40 seconds) minute)


Timer N<=500 500<N<=1000 1000<N<=150 N>1500
0
GARP Leave 3000 6000 20000 30000

timer centiseconds centiseconds (1 centiseconds (3 centiseconds (5
(30 seconds) minute) minutes and 20 minutes)
seconds)
GARP 12000 24000 30000 32765

LeaveAll timer centiseconds (2 centiseconds (4 centiseconds (5 centiseconds (5
minutes) minutes) minutes) minutes and
27.65 seconds)
Procedure
Step 1 Run:
system-view
Step 2 Run:
garp timer leaveall timer-value
The value of the LeaveAll timer is set.
The default value of the LeaveAll timer is 1000 centiseconds (10 seconds).
The Leave timer length on an interface is restricted by the global LeaveAll timer length.
When configuring the global LeaveAll timer, ensure that all the interfaces configured with a
GARP Leave timer are working properly.
Step 3 Run:
Step 4 Run:
garp timer { hold | join | leave } timer-value
The value of the Hold timer, Join timer, or Leave timer is set.
By default, the value of the Hold timer is 10 centiseconds, the value of the Join timer is 20
centiseconds, and the value of the Leave timer is 60 centiseconds.
----End
Procedure
l Run the display gvrp status command to view the status of global GVRP.

l Run the display gvrp statistics [ interface { interface-type interface-number [ to

interface-type interface-number ] }&<1-10> ] command to view the GVRP statistics on
an interface.
l Run the display garp timer [ interface { interface-type interface-number [ to interface-
type interface-number ] }&<1-10> ] command to view the values of the GARP timers.
----End
12.7 Maintaining GVRP
12.7.1 Clearing GVRP Statistics
Context
NOTICE
GVRP statistics cannot be restored after being cleared. Confirm your action before using this
command.
Procedure
Step 1 Run the reset garp statistics [ interface { interface-type interface-number [ to interface-type
interface-number ] }&<1-10> ] command in the user view to clear GARP statistics on the
specified interfaces.
----End
12.8.1 Example for Configuring GVRP
As shown in Figure 12-10, company A, a branch of company A, and company B are
connected using switches. To implement dynamic VLAN registration, enable GVRP. The
branch of company A can communicate with the headquarters using SwitchA and SwitchB.
Company B can communicate with company A using SwitchB and SwitchC. Interfaces
connected to company A allow only the VLAN to which company B belongs to pass.

Figure 12-10 Configuring GVRP

SwitchB
GE1/0/1 GE1/0/2
GE1/0/1 GE1/0/1 SwitchC
SwitchA
Company A
GE1/0/2 GE1/0/2
Branch of
Company B
company A
1. Enable GVRP to implement dynamic VLAN registration.
2. Configure GVRP on all switches of company A and set the registration mode to normal
for the interfaces to simplify configurations.
3. Configure GVRP on all switches of company A and set the registration mode to fixed for
the interfaces connecting to company A to allow only the VLAN to which company B
belongs to pass.
NOTE
Before enabling GVRP, you must configure the VCMP role as transparent or silent.
Procedure
# Enable GVRP globally.
[SwitchA] vcmp role silent
[SwitchA] gvrp
# Set the link type of GE 1/0/1 and GE 1/0/2 to trunk and configure the interfaces to allow all
VLANs to pass through.
[SwitchA-GigabitEthernet1/0/1] port trunk allow-pass vlan all
[SwitchA-GigabitEthernet1/0/2] port trunk allow-pass vlan all
# Enable GVRP and set the registration mode on the interfaces.

[SwitchA-GigabitEthernet1/0/1] gvrp

[SwitchA-GigabitEthernet1/0/1] gvrp registration normal

[SwitchA-GigabitEthernet1/0/2] gvrp
[SwitchA-GigabitEthernet1/0/2] gvrp registration normal
The configuration of SwitchB is similar to the configuration of SwitchA, and is not mentioned
here.
[SwitchB] vcmp role silent
[SwitchB] gvrp
[SwitchB-GigabitEthernet1/0/1] port trunk allow-pass vlan all
[SwitchB-GigabitEthernet1/0/2] port trunk allow-pass vlan all

[SwitchB-GigabitEthernet1/0/1] gvrp
[SwitchB-GigabitEthernet1/0/1] gvrp registration normal
[SwitchB-GigabitEthernet1/0/2] gvrp
[SwitchB-GigabitEthernet1/0/2] gvrp registration normal
Step 3 Configure SwitchC.

# Create VLAN 101 to VLAN 200.
[SwitchC] vlan batch 101 to 200

[SwitchC] vcmp role silent
[SwitchC] gvrp
[SwitchC-GigabitEthernet1/0/1] port trunk allow-pass vlan all
[SwitchC-GigabitEthernet1/0/2] port trunk allow-pass vlan all


[SwitchC-GigabitEthernet1/0/1] gvrp
[SwitchC-GigabitEthernet1/0/1] gvrp registration fixed
[SwitchC-GigabitEthernet1/0/2] gvrp
[SwitchC-GigabitEthernet1/0/2] gvrp registration normal

After the configuration is complete, the branch of Company A can communicate with the
headquarters, and users of Company A in VLAN 101 to VLAN 200 can communicate with
users in Company B.
Run the display gvrp status command on SwitchA to check whether GVRP is enabled
globally. The following information is displayed:
[SwitchA] display gvrp status
Info: GVRP is enabled.
Run the display gvrp statistics command on SwitchA to view GVRP statistics on GVRP
interfaces, including the GVRP state of each interface, number of GVRP registration failures,
source MAC address of the last GVRP PDU, and registration mode of each interface.
[SwitchA] display gvrp statistics
GVRP statistics on port GigabitEthernet1/0/1

GVRP status : Enabled
GVRP registrations failed : 0
GVRP last PDU origin : 0000-0000-0000
GVRP registration type : Normal
GVRP statistics on port GigabitEthernet1/0/2

GVRP status : Enabled
GVRP registrations failed : 0
GVRP last PDU origin : 0000-0000-0000
GVRP registration type : Normal
Verify the configurations of SwitchB and SwitchC in the same way.
----End
Configuration Files
#
sysname SwitchA
#
vcmp role silent
#
gvrp
#
gvrp
#
gvrp
#
return

#
sysname SwitchB
#
vcmp role silent
#
gvrp
#
gvrp
#
gvrp
#
return

#
sysname SwitchC
#
vcmp role silent
#
vlan batch 101 to 200
#
gvrp
#
gvrp
gvrp registration fixed
#
gvrp
#
return
12.9 FAQ
12.9.1 Why Is the CPU Usage High When VLANs Are Created or
Deleted Through GVRP in Default Configuration?
The switch supports VLAN configuration on devices at both ends. When GVRP is enabled on
the network, it advertises information about dynamic VLANs in two directions. Then the
intermediate devices dynamically create and delete VLANs based on the information.
Dynamic maintenance of VLANs can greatly reduce manual configurations.
The maximum 4 K dynamic VLANs are frequently created and deleted, which triggers larger
amount of packet communication. Receiving packets and delivering dynamic VLANs occupy
large amount of CPU resources.
In actual networking, you need to adjust GVRP timers to the recommended values.

NOTE
The recommended values of the GVRP timers are as follows:
GARP Hold timer: 100 centiseconds (1 second)
GARP Join timer: 600 centiseconds (6 seconds)
GARP Leave timer: 3000 centiseconds (30 seconds)
GARP LeaveAll timer: 12,000 centiseconds (2 minutes)
When more than 100 dynamic VLANs are created, use the preceding recommended values. When the
number of dynamic VLANs increases, lengths of the GARP timers need to be increased.
12.10 References
IEEE Std 802.1D Information technology-Telecommunications -

and information exchange between systems-
Local and metropolitan area networks-
Common specifications-Media Access
Control (MAC) Bridges
IEEE Std 802.1Q IEEE Standards for Local and Metropolitan -

Area Networks: Virtual Bridged Local Area
Networks

Configuration Guide - Ethernet Switching 13 VCMP Configuration
13 VCMP Configuration
About This Chapter
This chapter describes how to configure the VLAN Central Management Protocol (VCMP).
VCMP allows VLAN creation and deletion on a switch to be synchronized to other specified
switches on a Layer 2 network, implementing centralized VLAN management and
maintenance and reducing network maintenance workload.
13.1 Introduction to VCMP

13.2 Principles
13.6 Configuring VCMP
13.7 Maintaining VCMP

13.1 Introduction to VCMP
Definition
The Virtual Local Area Network Central Management Protocol (VCMP), a Layer 2 protocol
in the Open System Interconnection (OSI) model, transmits VLAN information and ensures
consistent VLAN information on the Layer 2 network.
Purpose
In most cases, switches on an enterprise network need to synchronize VLAN information with
each other to ensure that they can correctly forward data. On a small-scale enterprise network,
the network administrator can log in to each switch to configure and maintain VLANs. On a
large-scale enterprise network, a lot of switches are deployed, so a large amount of VLAN
information needs to be configured and maintained. If the network administrator manually
configures and maintains all VLANs, the workload is heavy and VLAN information may be
inconsistent.
VCMP is used to implement centralized VLAN management. The network administrator

needs to create and delete VLAN information only on a switch. The changes on the switch are
automatically synchronized to other switches in a specified scope so that no manual operation
is required on these switches. In this way, the configuration workload is reduced and VLAN
information consistency is ensured.
NOTE
l VCMP can only help the network administrator synchronize VLAN information but not dynamically
assign VLANs. VCMP is often used with Link-type Negotiation Protocol (LNP) to simplify user
configurations. For details about LNP, see 4.2.2 LNP.
l Generic VLAN Registration Protocol (GVRP) can reduce VLAN configurations and dynamically
assign interfaces to VLANs. GVRP creates dynamic VLANs, but VCMP creates static VLANs.
Benefits to Customers
VCMP configured on a switch of a Layer 2 network brings in the following benefits:
l Implements centralized VLAN management and maintenance, and reduces the network
maintenance workload.
l Implements the plug-and-play function of access switches.
13.2 Principles
13.2.1 VCMP Concepts
VCMP uses a VCMP domain to manage switches and determine attributes of switches in the
VCMP domain based on roles. VCMP defines four roles: server, client, transparent, and
silent. Figure 13-1 shows VCMP domains and roles in the VCMP domains.

Figure 13-1 VCMP domains and roles
Server
VCMP VCMP
domain 1 domain 2
Transparent Silent Switch
Layer 2
network
Client Client Client
VCMP Domain
As shown in Figure 13-1, a VCMP domain is composed of switches that have the same
VCMP domain name and are connected through trunk or hybrid interfaces. All switches in the
VCMP domain must use the same domain name, and each switch can join only one VCMP
domain. Switches in different VCMP domains cannot synchronize VLAN information.
A VCMP domain specifies the scope for the administrative switch and managed switches.
Switches in a VCMP domain are managed by the administrative switch. There is only one
administrative switch and multiple managed switches in a VCMP domain.
VCMP Roles
VCMP determines attributes of switches based on VCMP roles. Table 13-1 describes VCMP
roles.
Table 13-1 VCMP roles
VCMP Function Remarks

Role
Server The VCMP server synchronizes VLAN information created and

VLAN information to other switches deleted on the VCMP server is
in the local VCMP domain. broadcast in a VCMP domain.
Client A VCMP client belongs to a VLAN information created and

specified VCMP domain and deleted on a VCMP client is not
synchronizes VLAN information broadcast in a VCMP domain, but is
with the VCMP server. overwritten by VLAN information
sent by the VCMP server.

VCMP Function Remarks

Role
Transparent A VCMP transparent switch does A VCMP transparent switch

not affect other switches in the local transparently forwards VCMP
VCMP domain and is not affected by packets to only trunk or hybrid links.
VCMP management behaviors such VLAN information created and
as VLAN creation and deletion. deleted on a VCMP transparent
switch is not affected by the VCMP
server and is not broadcast in a
VCMP domain.
In this way, some switches that do
not need to be managed by VCMP
can forward VCMP packets.
Silent Deployed at the edge of a VCMP A VCMP silent switch directly

domain, a VCMP silent switch does discards received VCMP packets.
not affect other switches in the local VLAN information created and
VCMP domain and is not affected by deleted on a VCMP silent switch is
VCMP management behaviors. The not affected by the VCMP server and
VCMP silent switch prevents VCMP is not broadcast in a VCMP domain.
packets in a VCMP domain from
being transmitted to other VCMP
domains.
NOTE
l VCMP transparent and silent switches do not belong to any VCMP domain.
l If an edge switch in a VCMP domain needs to be managed, configure the edge switch as a VCMP
client. To prevent VCMP packets in the local VCMP domain from being transmitted to other VCMP
domains, disable VCMP on the edge switch interface connected to other VCMP domains.
13.2.2 Implementation
VCMP enables switches of different roles to exchange VCMP packets to implement
centralized VLAN management. VCMP packets can be only transmitted in VLAN 1 on trunk
or hybrid interfaces. To retain the same VLAN information on the VCMP server and clients,
VCMP defines two types of multicast packets: Summary-Advert and Advert-Request. Table
13-2 describes the functions and applicable scenarios of the two types of packets.

Table 13-2 VCMP packets

Packet Function Applicable Scenario Sent By
Type
Summa The VCMP server sends l The VCMP server VCMP server
ry- Summary-Advert sends a Summary-
Advert packets to other devices Advert packet every
in the local VCMP 5 minutes to ensure
domain to notify them of real-time
the domain name, device synchronization of
ID, configuration VLAN information
revision number, and on the VCMP server
VLAN information. and clients and
prevent VLAN
information loss due
to packet loss.
l The VCMP server
configuration is
changed. For
example, VLANs are
created or deleted,
the VCMP domain
name or device ID is
changed, and the
VCMP server
restarts.
l The VCMP server
receives Advert-
Request packets
from VCMP clients
in the same VCMP
domain.
Advert- A VCMP client sends l A VCMP client is VCMP client

Reques Advert-Request packets added.
t to the VCMP server to l A VCMP client
request VLAN restarts or a client
information. interface becomes
Up.
Summary-Advert packets sent by the VCMP server carry the configuration revision number.
A VCMP client uses it to determine whether VLAN information sent from the VCMP server
is newer than the local VLAN information. If so, the VCMP client synchronizes VLAN
information with the VCMP server.
A configuration revision number is represented by an 8-digit hexadecimal number. The four
left-most bits indicate the change of the VCMP domain or device ID and the four right-most
bits indicate the VLAN change. Upon a VLAN change on the VCMP server, the configuration
revision number is automatically increased. When the VCMP domain name or device ID
changes, the four left-most bits of the configuration revision number are recalculated and the
four right-most bits are reset.

VLAN Synchronization When the VCMP Server Configuration Changes

When the VCMP server configuration changes, for example, creating and deleting VLANs,
changing the VCMP domain name and device ID, or restarting the VCMP server, the VCMP
server sends a Summary-Advert packet to instruct VCMP clients in the local VCMP domain
to synchronize VLAN information. The following uses creation of VLAN 100 on the VCMP
server as an example to describe synchronization upon a server configuration change.
In Figure 13-2:
l SwitchA: VCMP server
l SwitchB: VCMP transparent switch
l SwitchC, SwitchD and SwitchE: VCMP clients
l SwitchF: VCMP silent switch
Figure 13-2 VLAN synchronization when the VCMP server configuration changes
Create VLAN 100.
1. The server sends a Server

Summary-Advert packet. SwitchA
2. Directly forward Transparent

packets. SwitchB
Client Client Client

SwitchC SwitchD SwitchE
3. Create VLAN 100 3. Create VLAN 3. Create VLAN 100

and forward packets. 100 and forward and forward packets.
packets.
4. Discard packets.
Silent
VLAN 100 does not
SwitchF need to be created.
Summary-Advert packet
After VLAN 100 is created on SwitchA:

1. SwitchA sends a Summary-Advert packet carrying a VLAN information change to
notify the neighbor (SwitchB) of the VLAN information change.
2. When receiving the Summary-Advert packet, SwitchB directly forwards the packet.
3. After a VCMP client receives the Summary-Advert packet:

– If the VCMP client receives the packet for the first time, it learns the device ID,
revision number, and VLAN ID in the packet. If the VCMP domain name of the
VCMP client is empty, the VCMP client learns the VCMP domain name in the
packet.
– If it is not the first time the VCMP client receives the packet, the VCMP processes
the packet as follows:
i. The VCMP client performs VCMP authentication for the Summary-Advert
packet according to the configured authentication password, and VCMP
domain name, device ID, and configuration revision number in the Summary-
Advert packet. After the Summary-Advert packet is authenticated, the VCMP
client proceeds to the next step.
ii. If the VCMP domain name and device ID are saved locally, the VCMP client
compares the local ones with those in the Summary-Advert packet. When the
local ones are the same as those in the packet, the VCMP client proceeds to the
next step.
iii. The VCMP client compares the local configuration revision number with that
in the Summary-Advert packet:
○ If the four left-most bits are different, the VCMP client synchronizes
VLAN information with the VCMP server according to the Summary-
Advert packet and learns the VCMP domain name and device ID.
○ If the four left-most bits are the same, the VCMP client checks whether
the local four right-most bits are smaller than or equal to those in the
Summary-Advert packet. If so, the VCMP client only synchronizes
VLAN information with the VCMP server.
iv. The VCMP client forwards the Summary-Advert packet to other devices in the
local VCMP domain.
Here, it is not the first time the VCMP client receives the Summary-Advert packet. The
VCMP client finds that the highest four bits in the local revision number are the same as
those in the Summary-Advert packet but the lowest four bits in the local revision number
are smaller than or equal to those in the Summary-Advert packet. The VCMP client
therefore synchronizes information of the VCMP server according to the Summary-
Advert packet, and creates VLAN 100 locally.
4. SwitchF directly discards the packet.
NOTE
VLAN information synchronization is similar in other scenarios where Summary-Advert packets are
triggered.
l VLAN information synchronization is similar in other scenarios where Summary-Advert packets are
triggered.
l Within 30 minutes after a client synchronizes VLAN information from the server, the client
generates the vlan.dat file to store the current VLAN information. After the client restarts, the client
reads the vlan.dat file to obtain the VLAN information before the restart. The vlan.dat file cannot
be modified, deleted, or overwritten. The file is deleted when the following operations are
performed:
l Run the reset vcmp command to clear VCMP domain information.
l Run the vcmp role { server | silent | transparent } command to change the VCMP role to
non-client.
l Run the startup saved-configuration configuration-file command to configure a new
configuration file whose name is different from the name of the current configuration file.
l Run the reset saved-configuration command to delete the saved configuration file. This
operation will delete all the configuration.

VLAN Information Synchronization When a VCMP Client Is Added

To ensure VLAN information synchronization between the VCMP server and clients, the
VCMP server sends a Summary-Advert packet every 5 minutes to notify switches in the local
VCMP domain of the domain name, device ID, and configuration revision number. When a
VCMP client is added or a VCMP client restarts, the VCMP client sends an Advert-Request
packet to the VCMP server to request VLAN information on the VCMP server. The following
describes how the VCMP client synchronizes VLAN information.
In Figure 13-3:
l SwitchA: VCMP server
l SwitchB: VCMP transparent switch
l SwitchC and SwitchE: VCMP silent switches
l SwitchD: VCMP client
l SwitchF: new VCMP client
Figure 13-3 VLAN synchronization when a VCMP client is added

Server
SwitchA
Reply with a Summary-
Advert packet.
Transparent
SwitchB Directly forward VCMP packets.
Determine and
Silent Client Silent
forward VCMP
SwitchC SwitchD SwitchE
packets.
Directly discard Directly discard
VCMP packets. VCMP packets.
Trigger an Advert-
Request packet. Synchronize VLAN
information on the server.
New client
SwitchF
Summary-Advert packet
Advert-Request packet
After SwitchF is configured with VCMP and specified as a VCMP client, SwitchF becomes
the new VCMP client.

1. SwitchF sends an Advert-Request packet to SwitchD to request VLAN information on

SwitchA.
2. SwitchD forwards the Advert-Request packet to SwitchB.
3. SwitchB forwards the Advert-Request packet to its neighbors.
4. In the following situations:
– When the VCMP server receives an Advert-Request packet:
n The VCMP server performs VCMP authentication for the Advert-Request
packet according to the configured authentication password, and VCMP
domain name, device ID, and configuration revision number in the Advert-
Request packet. After the Advert-Request packet is authenticated, the VCMP
server proceeds to the next step.
n If the VCMP domain name or device ID in the Advert-Request packet is not
empty but is different from the VCMP domain name or device ID on the
VCMP server, the VCMP server discards the Advert-Request packet.
Otherwise, the VCMP server replies with a Summary-Advert packet carrying
its VLAN information.
– The VCMP silent switch directly discards the received Advert-Request packet.
5. After SwitchD, SwitchB, SwitchC and SwitchE, and SwitchF receive the Summary-
Advert packet from SwitchA, the Summary-Advert packet is processed according to
VLAN Synchronization When the VCMP Server Configuration Changes. SwitchD
compares the locally configured VCMP domain name, device ID, and configuration
revision number with those in the Summary-Advert packet. If they are the same,
SwitchD directly forwards the packet. SwitchF synchronizes VLAN information on
SwitchA. If the VCMP domain is not configured on the SwitchF, SwitchF learns the
VCMP domain name and device ID on SwitchA.
NOTE
Advert-Request packets are triggered when a VCMP client restarts or a VCMP interface goes Up.
VLAN information synchronization is similar.
Multi-Server Trap
Only one VCMP server exists in a VCMP domain. To prevent attacks of bogus VCMP
servers, the VCMP server matches the VCMP domain name, device ID, and source MAC
address in the received Summary-Advert packets with local ones. If the VCMP domain name
and device ID match local ones but the source MAC address in the packet is different from
the system MAC address, the VCMP server sends a trap about the multi-server event to the
NMS.
To prevent the VCMP server from being affected by too many traps, the VCMP server sends
traps to the NMS once every 30 minutes.
VCMP Authentication
When an unauthorized switch joins a VCMP domain, VLAN information on the switch may
be synchronized in the VCMP domain, affecting network stability. To prevent unauthorized
switches from joining a VCMP domain and enhance VCMP domain security, configure a
VCMP domain authentication password on the VCMP server and clients.
If the VCMP domain authentication password is configured on the VCMP server or a VCMP
client, the VCMP server or VCMP client uses the password character string (empty character

string is used by default) as the key and performs SHA-256 for the VCMP domain name, and
device ID to obtain a digest. Then the VCMP server encapsulates the digest in a Summary-
Advert packet or the VCMP client encapsulates the digest in an Advert-Request packet. When
each VCMP client in the VCMP domain receives a Summary-Advert packet from the VCMP
server, the VCMP client uses the locally configured password to perform SHA-256 for the
VCMP domain name, device ID, and configuration revision number, and compares the
calculated digest with the digest in the Summary-Advert packet. If the calculated digest
matches the digest in the Summary-Advert packet, the Summary-Advert packet passes
authentication and further VCMP processing is performed. Otherwise, the Summary-Advert
packet is discarded. When the VCMP server receives an Advert-Request packet from a
VCMP client, authentication and processing are similar.
If no domain authentication password is set, VCMP packets pass without authentication.
NOTE
l In a VCMP domain, the VCMP domain authentication password on the VCMP server and clients
must be the same.
l To ensure device security, change the password periodically.

As the enterprise network scale increases, more switches are deployed, and VLAN
information on the switches needs to be synchronized to ensure correct data forwarding.
Repeated VLAN creation and deletion on the switches are time-consuming and error-prone.
To solve this problem, deploy VCMP on the enterprise network, determine a VCMP domain
according to the management scope, and select the aggregation or core switch as the VCMP
server. When VLANs are created and deleted on the aggregation or core switch, VLAN
information is synchronized on access switches in the same VCMP domain. VCMP
implements centralized management and reduces the configuration and maintenance
workload. When no authentication password is configured in a VCMP domain and a non-
configured switch is added to the VCMP domain, the VCMP server notifies other switches in
the VCMP domain of synchronizing VLAN information. This implements plug-and-play.

Figure 13-4 Typical VCMP networking
Internet
Router
Core
switch
Department A Department B
Server Server
AGG1 AGG2 VCMP2
VCMP1
Client Client Client Client

ACC1 ACC2 ACC3 ACC4
VLANs 10-20 VLANs 30-40
As shown in Figure 13-4, departments A and B of an enterprise belong to different Layer 2

networks. The departments are large and a lot of VLANs need to be configured and
maintained. To facilitate VLAN configuration and maintenance, deploy VCMP domains
VCMP1 and VCMP2 for departments A and B respectively, and configure AGG1 as the
VCMP server in VCMP1, ACC1 and ACC2 as VCMP clients in VCMP1, AGG2 as the
VCMP server in VCMP2, and ACC3 and ACC4 as VCMP clients in VCMP2. The network
administrator needs to create and delete VLAN information only on AGG1 and AGG2. ACC1
to ACC4 synchronize VLAN information with AGG1 and AGG2 respectively. This
implements centralized VLAN configuration and management.
NOTE
VCMP packets can be only transmitted on trunk and hybrid interfaces. When deploying VCMP, you
need to deploy LNP to dynamically negotiate the link type, which simplifies use configurations. For
details about LNP, see 4.2.2 LNP.

License Support
VCMP is a basic feature of a switch and is not under license control.

Version Support
Table 13-3 Products and versions supporting VCMP

Model
S7700 S7703, V200R005C00, V200R006C00, V200R007C00,

S7706, V200R008C00, V200R009C00, V200R010C00
S7712
S9700 S9703, V200R005C00, V200R006C00, V200R007C00,

S9706, V200R008C00, V200R009C00, V200R010C00
S9712
NOTE

l XGE interfaces connected to the ACU2, ET1D2IPS0S00, ET1D2FW00S00,
ET1D2FW00S01, or ET1D2FW00S02 card do not support VCMP.
l VCMP can only help the network administrator synchronize VLAN information but not
dynamically assign VLANs. VCMP is often used with LNP to simplify user
configurations. For details about LNP, see "LNP" in "VLAN Configuration" in the
Configuration Guide - Ethernet Switching of the corresponding product version.
l VCMP packets can be only transmitted in VLAN 1. By default, all interfaces join VLAN
1. To prevent loops, deploy a loop prevention protocol such as STP in addition to VCMP.
l By default, a switch is a VCMP client. If a switch is upgraded from an earlier version to
V200R005C00, the default role of the switch is a VCMP silent switch.
l VCMP synchronizes only the VLAN ID in the current version.
l One switch can join only one VCMP domain, and only one VCMP server exists in a
VCMP domain.
l If the VCMP domain authentication password is set, ensure that the VCMP server and
clients use the same VCMP domain authentication password.
l If VLANs created or deleted on the VCMP server are the control VLANs of the Ethernet
Ring Protection Switch (ERPS), Rapid Ring Protection Protocol (RRPP), Smart Ethernet
Protocol (SEP), or Smart link, or reserved VLANs of stack, a VCMP client does not
create or delete the VLANs.
l If the Generic VLAN Registration Protocol (GVRP) or Hierarchy VLAN Register
Protocol (HVRP) has been enabled, the VCMP role can be only the transparent or silent
switch. If the VCMP role is set to client or server, do not use GVRP or HVRP.
l Termination sub-interfaces cannot be configured on a VCMP client. For details on how
to configure a termination sub-interface, see "Configuring a Sub-interface" in "Logical
Interface Configuration" in the Configuration Guide - Interface Management of the
corresponding product version.
l A VCMP client cannot be configured with the VLAN switch function. Before changing a
VCMP server configured with the VLAN switch function to a VCMP client, delete the

VLAN switch configuration. For details on how to configure the VLAN switch function,
see 6 VLAN Switch Configuration.
l After a VLAN is deleted on the VCMP server, VCMP clients delete the VLAN but do
not delete configurations in the VLAN. In addition, the vlan vlan-id configuration
command is generated in the configuration file, and the configurations in the deleted
VLAN specified by vlan-id are moved to the VLAN configuration view.
l When the device used as a VCMP client that connects to a VCMP server restarts, the
VLAN configuration before the restart takes effect. To make the saved VLAN
configuration take effect, use one of the following methods to delete the vlan.dat file
and then restart the device:
– Run the vcmp role { server | silent | transparent } command to change the device
role to a non-client.
– Run the startup saved-configuration configuration-file command to configure a
new configuration file. Ensure that the name of the new configuration file is
different from that of the current configuration file.
– Run the reset saved-configuration command to clear the saved configuration file.
This command will clear all the configuration.
NOTE
When the value of Server ID in the display vcmp status command output is not empty, the device
used as a VCMP client has been connected to a VCMP server.

VCMP domain Not configured
VCMP role Client

NOTE
If a switch is upgraded to V200R005, the default role is silent.
Device ID Not configured
VCMP domain authentication Not configured

password
VCMP on an interface Enabled
13.6 Configuring VCMP
Context
VCMP implements centralized VLAN management and manages network devices based on
VCMP domains (for details, see VCMP Domain). VCMP defines four roles: server, client,
transparent, and silent (for details, see VCMP Roles). Switches added to a VCMP domain as
clients are managed by the VCMP server in the same VCMP domain. After a VLAN is
created or deleted on the VCMP server, VCMP clients automatically synchronize VLAN

information with the server. VCMP reduces the workload on modifying the same VLAN
information on multiple switches and ensures VLAN information consistency.
You are advised to configure VCMP on an enterprise network as follows:
l Configure an aggregation or core switch as the VCMP server. Only one VCMP server
exists in a VCMP domain.
l Configure access switches as VCMP clients.
l Configure switches that do not need to be managed by the VCMP server and are located
between the VCMP server and clients as VCMP transparent switches.
l Configure edge devices connected to other networks as VCMP silent switches to prevent
the connected networks from being affected.
A VCMP client identifies the VCMP server by device ID. The VCMP client obtains the
device ID of the VCMP server from the first received VCMP packet, and synchronizes VLAN
information with only the VCMP server specified by the device ID. The device ID of the
VCMP server learned by a VCMP client remains unchanged unless the role of the VCMP
client changes. The VCMP server can receive and transmit VCMP packets and achieve
centralized management only when being configured with the device ID.
When an unauthorized switch is added to a VCMP domain, VCMP clients in this VCMP
domain may synchronize VLAN information of the unauthorized switch, affecting network
stability. To prevent unauthorized switches from joining a VCMP domain, configure an
authentication password on the VCMP server and clients in the VCMP domain.
Before configuring VCMP, complete the following tasks:
l Connect interfaces and set physical parameters of the interfaces to ensure that the
physical status of the interfaces is Up (for details about the configuration, see Ethernet
Interface Configuration in the S7700&S9700 Series Switches Configuration Guide -
Interface Management).
l Configure the link type of interfaces as trunk and hybrid so that the interfaces can
forward VCMP packets.
NOTE
l VCMP is often used with LNP to dynamically negotiate the link type, which simplifies use
configurations. For detailed LNP configuration, see steps 1 to 6 in 4.7.1.2 Configuring
Interface-based VLAN Assignment (LNP Dynamically Negotiates the Link Type).
l You can run the display lnp summary command to check whether LNP is configured on the
switch and check the link type of the interface. If LNP is not configured on the switch or the
link type of the interface is not trunk or hybrid, run the port link-type { hybrid | trunk }
command to configure the link type of the interface.
Procedure
Step 1 Run:
system-view

Step 2 Run:
vcmp role { client | server | silent | transparent }
A VCMP role of the switch is configured.

By default, switches in a VCMP domain are VCMP clients.
NOTE
If a switch is upgraded to V200R005, the default role is silent.
Step 3 Perform the following operations based on the VCMP role of the switch.
l Perform the following operations on the VCMP server:
a. Run:
vcmp domain domain-name
A VCMP domain is configured.

By default, no VCMP domain is created.
All switches in a VCMP domain must use the same VCMP domain name.
Each switch can be added to only one VCMP domain.
b. Run:
vcmp device-id device-name
A device ID is set for the VCMP server.

By default, no device ID is set for the VCMP server.
c. (Optional) Run:
vcmp authentication sha2-256 password password
A VCMP domain authentication password is configured.

The VCMP server and clients in a VCMP domain must be configured with the same
authentication password. To ensure device security, change the password
periodically.
By default, no authentication password is configured in a VCMP domain, and
VCMP packets pass authentication.
l Perform the following operations on a VCMP client:
a. (Optional) Run:
vcmp domain domain-name
A VCMP domain is configured.

By default, no VCMP domain is created.
All switches in a VCMP domain must use the same VCMP domain name. If the
domain name is not set on a VCMP client, the VCMP client learns the domain
name in the first received VCMP packet.
Each switch can be added to only one VCMP domain.
b. (Optional) Run:
vcmp authentication sha2-256 password password
A VCMP domain authentication password is configured.

The VCMP server and clients in a VCMP domain must be configured with the same
authentication password. To ensure device security, change the password
periodically.
By default, no authentication password is configured in a VCMP domain, and
VCMP packets pass authentication.
l When the VCMP role is transparent or silent, go to the next step.
Step 4 Run:

The view of a Layer 2 Ethernet interface where VCMP is to be enabled is displayed.
VCMP can be enabled only on Layer 2 Ethernet interfaces.
Step 5 Run:
undo vcmp disable
VCMP is enabled on the interface.
By default, VCMP is enabled on all interfaces of a switch.
NOTE
If an edge switch in a VCMP domain needs to be managed, configure the edge switch as a VCMP client.
To prevent VCMP packets in the local VCMP domain from being transmitted to other VCMP domains,
run the vcmp disable command to disable VCMP on the edge switch interface connected to other
VCMP domains.

snmp-agent trap enablefeature-namevcmp
The VCMP trap function is enabled.
To protect the switch against attacks of bogus VCMP servers, enable the VCMP trap function.
When receiving VCMP packets from bogus VCMP servers, the switch sends traps about the
multi-server event to the NMS.
----End

After you configure VCMP, check whether the configuration takes effect.
l Run the display vcmp status command to check the VCMP configuration, including the
VCMP domain name, VCMP role, device ID, configuration revision number, and VCMP
domain authentication password.
l Run the display vcmp interface brief command to check the VCMP status on Layer 2
Ethernet interfaces.
13.7 Maintaining VCMP
13.7.1 Displaying VCMP Running Information
Context
If faults occur during VCMP running, you can view VCMP packet statistics or VLAN change
trace on the VCMP client to locate faults.
Procedure
l Run the display vcmp counters command in any view to view statistics on VCMP
packets.

l Run the display vcmp track command in any view to view the VLAN change trace on
the VCMP client.
----End
13.7.2 Clearing VCMP Running Information
Context
The VCMP domain ID and device ID learned by a VCMP client remain unchanged. The
VCMP client needs to learn VCMP information again when the VCMP server in the local
VCMP domain is changed. Therefore, clear learned VCMP information before the VCMP
client learns VCMP information.
Before viewing the VLAN change trace on the VCMP client in a given period of time, clear
the existing VLAN change trace.
NOTICE
VCMP running information cannot be restored after being cleared. Therefore, exercise
caution when you run these clearing commands.
Procedure
l Run the reset vcmp command in the user view to clear learned VCMP information.
l Run the reset vcmp track command in the user view to clear the existing VLAN change
trace.
----End
13.8.1 Example for Configuring VCMP to Implement Centralized

VLAN Management
As shown in Figure 13-5, the enterprise branch network is a Layer 2 network. The AGG is
the aggregation switch, ACC1 to ACC3 are access switches, and ACC1 is connected to
visitors. As the enterprise branch scale increases, the network administrator needs to
configure and maintain too much VLAN information. The workload is heavy and
configuration errors can easily occur. The administrator requires that the VLAN configuration
and maintenance workload be reduced and rights of visitors connected to the branch network
be limited. VLANs on ACC1 are required to be configured and maintained independently.

Figure 13-5 Networking for configuring VCMP to implement centralized VLAN

management
Internet
Router
GE1/0/1 GE1/0/3
Server
GE1/0/2 AGG
GE1/0/1 GE1/0/1 GE1/0/1

Silent Client Client
ACC1 ACC2 ACC3
GE1/0/2 GE1/0/2 GE1/0/2
Visitor Office PC Office PC
VCMP can be deployed on the enterprise branch network by configuring the AGG as the
VCMP server, ACC2 and ACC3 as VCMP clients, and ACC1 as a VCMP silent switch. In
this way, the network administrator only needs to modify VLAN information on the AGG.
The AGG sends the modified VLAN information to ACC1, ACC2, and ACC3 on the
enterprise branch network. ACC2 and ACC3 synchronize VLAN information with the AGG,
whereas ACC1 does not. VCMP reduces the workload on modifying the same VLAN
information on multiple switches and allows the independent VLAN configuration on ACC1.
To relieve the network administrator from setting the link type, configure LNP to
automatically negotiate the link type.
1. Configure LNP to automatically negotiate the link type, which simplifies use
configurations.
2. Specify VCMP roles for switches to determine the VCMP management scope,
administrative switch, and managed switches.
3. Set VCMP parameters such as the authentication password and device ID on the VCMP
server and clients to ensure secure communication and identity identification between
the VCMP server and clients.
4. Enable VCMP.

Procedure
Step 1 Configure LNP to automatically negotiate the link type.
By default, LNP is enabled globally and on all interfaces. That is, the link type of the
interfaces will be automatically negotiated through LNP.
You can run the display lnp summary command to check whether LNP is enabled globally
and on an interface (Global LNP and link-type(C) fields) and check the link type of the
interface (link-type(N)).
l If LNP is not enabled globally or on an interface, perform the following operations:
# Enable global LNP. The configurations of ACC1, ACC2, and ACC3 are similar to the
configuration of the AGG, and are not mentioned here.
[HUAWEI] sysname AGG
[AGG] undo lnp disable
# Enable LNP on interfaces. The configurations of ACC1, ACC2, and ACC3 are similar
to the configuration of the AGG, and are not mentioned here.
[AGG] interface GigabitEthernet 1/0/1
[AGG-GigabitEthernet1/0/1] undo port negotiation disable
[AGG-GigabitEthernet1/0/1] port link-type negotiation-desirable
[AGG-GigabitEthernet1/0/1] quit
l If LNP is enabled globally and on an interface but the link type of the interface
connecting switches is Access, run the port link-type { trunk | hybrid } command to
specify the link type of the interface so that VCMP can work properly.
Step 2 Specify VCMP roles for switches.
# Configure the AGG as the VCMP server.

[AGG] vcmp role server
# Configure ACC1 as a VCMP silent switch.

[ACC1] vcmp role silent
# Configure ACC2 as a VCMP client.

[ACC2] vcmp role client
# Configure ACC3 as a VCMP client.

[ACC3] vcmp role client
Step 3 Set VCMP parameters on the VCMP server and clients.
# On the AGG, configure the VCMP domain, device ID, and authentication password.
[AGG] vcmp domain vd1
[AGG] vcmp device-id server
[AGG] vcmp authentication sha2-256 password Hello
# On ACC2, configure the VCMP domain and authentication password.

[ACC2] vcmp domain vd1

[ACC2] vcmp authentication sha2-256 password Hello
# On ACC3, configure the VCMP domain and authentication password.

[ACC3] vcmp domain vd1
[ACC3] vcmp authentication sha2-256 password Hello
Step 4 Enable VCMP.

By default, VCMP is enabled on interfaces. To prevent VCMP packets from affecting the PC,
disable VCMP on the client interface connected to the PC.
[ACC2] interface GigabitEthernet 1/0/2
[ACC2-GigabitEthernet1/0/2] vcmp disable
[ACC2-GigabitEthernet1/0/2] quit
[ACC3] interface GigabitEthernet 1/0/2
[ACC3-GigabitEthernet1/0/2] vcmp disable
[ACC3-GigabitEthernet1/0/2] quit

After the configurations are complete, run the display vcmp status command to view the
VCMP configuration, including the VCMP domain name, VCMP role, device ID,
configuration revision number, and VCMP domain authentication password.
The display on the AGG is used as an example.
[AGG] display vcmp status
VCMP information:
Domain : vd1
Role : Server
Server ID : server
Configuration Revision : 0x239c0000
Password : ******
On the AGG, run the vlan vlan-id command to create VLAN 10, and run the display vlan
summary command on ACC1, ACC2, and ACC3 respectively to view VLAN information.
The command output shows that ACC2 and ACC3 have synchronized VLAN information
with that on the AGG, whereas ACC1 has not.
[AGG] vlan 10
[AGG-vlan10] quit
[AGG] display vlan summary
Static vlan:
Total 2 static vlan.
1 10
Dynamic vlan:
Total 0 dynamic vlan.
Reserved vlan:
[ACC1] display vlan summary
Static vlan:
1
Dynamic vlan:
Reserved vlan:
Static vlan:
1 10
Dynamic vlan:

Reserved vlan:
Static vlan:
1 10
Dynamic vlan:
Reserved vlan:
----End
Configuration Files
l AGG configuration file
#
sysname AGG
#
vcmp role server
vcmp domain vd1
vcmp device-id server
vcmp authentication sha2-256 password %^%#6dD+>}ffA7*[j2#]0%
%GfN#;I}#.lQ2Yfb2b1y"0%^%#
#
vlan batch 10
#
return
l ACC1 configuration file

#
sysname ACC1
#
vcmp role silent
#
return

#
sysname ACC2
#
vcmp domain vd1
#
vlan batch 10
#
vcmp disable
#
return

#
sysname ACC3
#
vcmp domain vd1
#
vlan batch 10
#
vcmp disable

#
return

Configuration Guide - Ethernet Switching 14 STP/RSTP Configuration
14 STP/RSTP Configuration
About This Chapter
This chapter describes how to configure the Spanning Tree Protocol (STP) and Rapid
Spanning Tree Protocol (RSTP).
14.1 Introduction to STP/RSTP

14.2 Principles
14.3 Applications
14.7 Configuring STP/RSTP
14.8 Maintaining STP/RSTP
14.10 FAQ
14.11 References

14.1 Introduction to STP/RSTP
Definition
Redundant links are used on an Ethernet switching network to implement link backup and
enhance network reliability. The use of redundant links, however, may produce loops, causing
broadcast storms and making the MAC address table unstable. As a result, network
communication may encounter quality deterioration or even be interrupted. STP solves this
problem.
Devices running STP exchange STP bridge protocol data units (BPDUs) to discover loops on
the network and block some ports. This ensures a loop-free tree network and that the packet
processing capabilities of switches is not impacted.
The STP network convergence speed is slow, so IEEE introduced RSTP (802.1w) in 2001 to
improve the network convergence speed of STP.
Purpose
After a spanning tree protocol is configured on an Ethernet switching network, the protocol
calculates the network topology to implement the following functions:
l Loop prevention: The spanning tree protocol blocks redundant links to prevent potential
loops on the network.
l Link redundancy: If an active link fails and a redundant link exists, the spanning tree
protocol activates the redundant link to ensure network connectivity.
14.2 Principles
14.2.1 Background
STP prevents loops on a local area network (LAN). Switching devices running STP exchange
information with one another to discover loops on the network and then block certain ports to
eliminate loops. As the scale of LANs continues to grow, STP has become an increasingly
important protocol.

Figure 14-1 Typical LAN networking
Host A
port1 port1
S1 S2
port2 port2
Host B
Data flow
On the network shown in Figure 14-1, the following situations may occur:
l Broadcast storms cause a breakdown of the network.
If a loop exists on the network, broadcast storms may occur. In Figure 14-1, STP is not
enabled on the switching devices. If Host A sends a broadcast request, both S1 and S2
receive the request on port 1 and forward the request through their port 2. Then, S1 and
S2 receive the request forwarded by each other on port 2 and forward the request through
port 1. As this process repeats, resources on the entire network are eventually exhausted,
and the network breaks down.
l MAC address flapping causes unstable MAC address entries.
Even unicast packets can cause MAC address flapping on switching devices.
HostA sends a unicast packet to HostB. If HostB is temporarily removed from the
network at this time, the MAC address entry for HostB will be deleted on S1 and S2.
When the unicast packet sent by HostA to HostB is received by port 1 on S1, no
matching MAC address entry is found, so the unicast packet is forwarded to port 2.
Port 2 on S2 receives the unicast packet from port 2 on S1 and sends it out through port
1. Port 1 on S2 also receives the unicast packet sent by HostA to HostB, and sends it out
through port 2. These transmissions repeat and port 1 and port 2 on S1 and S2
continuously receive unicast packets from HostA. S1 and S2 modify their MAC address
entries each time, causing the MAC address table to flap. As a result, MAC address
entries are unstable.
Root Bridge
As defined in STP, the device that functions as the root of a tree network is called the root
bridge.

There is only one root bridge on the entire STP network. The root bridge is the logical center,
but not necessarily the physical center, of the network. The root bridge changes dynamically
with the network topology.
After network convergence is completed, the root bridge generates and sends configuration
BPDUs to other devices at specific intervals. Other devices process and forward the
configuration BPDUs to communicate the topology changes to downstream devices.
Metrics for Spanning Tree Calculation

A spanning tree is calculated based on the following metrics: bridge ID (BID), port ID (PID),
and path cost.
l BID and PID
IDs are classified into bridge ID (BID) and port ID (PID).
According to the IEEE 802.1D standard, a BID is composed of a bridge priority
(leftmost 16 bits) and a bridge MAC address (rightmost 48 bits). On an STP network, the
device with the smallest BID acts as the root bridge.
A PID is composed of a port priority (leftmost 4 bits) and a port number (rightmost 12
bits). The PID is used to select the designated port.
NOTE
The port priority affects the role of a port in a spanning tree instance. For details, see 14.2.4 STP
Topology Calculation.
l Path cost
The path cost is a port variable used for link selection. STP calculates path costs to select
effective links, block redundant links, and trim the network into a loop-free tree
topology.
On an STP network, a port's path cost to the root bridge is the sum of the path costs of all
ports between the port and the root bridge. This path cost is called the root path cost.
Root Bridge, Root Port, and Designated Port

Three elements are involved in trimming a ring network into a tree network: root bridge, root
port, and designated port. Figure 14-2 shows the three elements in the STP network
architecture.

Figure 14-2 STP network architecture

root
bridge A B S2
PC=100;RPC=0 PC=100;RPC=100
S1
B A
PC=100;RPC=0 PC=99;RPC=100
A B
PC=100;RPC=100 PC=99;RPC=199
B A
S3 PC=200;RPC=100 PC=200;RPC=300 S4
PC: path cost

RPC: root path cost
root port
designated port
blocked port
l Root bridge
The root bridge is the bridge with the smallest BID as determined by exchanging
configuration BPDUs.
l Root port
The root port on an STP device is the port with the smallest path cost to the root bridge
and is responsible for forwarding data to the root bridge. An STP device has only one
root port, and there is no root port on the root bridge.
l Designated port
Table 14-1 explains the designated bridge and designated port.
Table 14-1 Designated bridge and designated port

Reference Designated Bridge Designated Port
Object
Device A directly connected device The designated bridge's port that

that forwards configuration forwards configuration BPDUs
BPDUs to the device to the device
LAN A device that forwards The designated bridge's port that

configuration BPDUs to the forwards configuration BPDUs
LAN to the LAN
In Figure 14-3, AP1 and AP2 are ports of S1; BP1 and BP2 are ports of S2; CP1 and
CP2 are ports of S3.

– S1 sends configuration BPDUs to S2 through AP1, so S1 is the designated bridge

for S2, and AP1 is the designated port on S1.
– S2 and S3 are connected to the LAN. If S2 forwards configuration BPDUs to the
LAN, S2 is the designated bridge for the LAN, and BP2 is the designated port on
S2.
Figure 14-3 Designated bridge and designated port
S1
AP1 AP2
BP1 CP1
S2 S3
BP2 CP2
LAN
After the root bridge, root ports, and designated ports are selected successfully, a tree
topology is set up on the entire network. When the topology is stable, only the root port and
designated ports forward traffic. The other ports are in Blocking state; they only receive STP
BPDUs and do not forward user traffic.
Comparison Principles
During role election, STP devices compare the four fields of a BPDU priority vector {root ID,
root path cost, sender BID, PID}.
Table 14-2 describes the four fields carried in a configuration BPDU.
Table 14-2 Four fields
Field Description
Root ID ID of the root bridge.
Root path cost Path cost to the root bridge. It is determined by the
distance between the port sending the configuration
BPDU and the root bridge.
Sender BID BID of the device that sends the configuration BPDU.
PID PID of the port that sends the configuration BPDU.

After a device on the STP network receives a configuration BPDU, it compares the fields
listed in Table 14-2 with its own values. The four comparison principles are as follows:
l Smallest BID: used to select the root bridge. Devices on an STP network select the
device with the smallest BID based on the root ID field in Table 14-2.
l Smallest root path cost: used to select the root port on a non-root bridge. On the root
bridge, the path cost of each port is 0.
l Smallest sender BID: used to select the root port from ports with the same root path cost.
The port with the smallest BID is selected as the root port in STP calculation. For
example, S2 has a smaller BID than S3 in Figure 14-2. If the BPDUs received on port A
and port B of S4 contain the same root path cost, port B becomes the root port on S4
because the BPDU received on port B has a smaller sender BID.
l Smallest PID: used to determine which port should be blocked when multiple ports have
the same root path cost. The port with the greatest PID is blocked. A scenario where
PIDs are compared is shown in Figure 14-4. The BPDUs received on ports A and B of
S1 both contain the same root path cost and sender BID, but Port A has a smaller PID
than port B. Therefore, port B is blocked to prevent loops.
Figure 14-4 Scenario where PIDs need to be compared
S1 S2
A B
designated port
blocked port
Port States
Table 14-3 describes the possible states of ports on an STP device.
Table 14-3 STP port states

Port Purpose Description
State
Forwardi A port in Forwarding state can Only the root port and designated port
ng forward user traffic and process can enter the Forwarding state.
BPDUs.
Learning When a port is in Learning state, the This is a transitional state, which is
device creates MAC address entries designed to prevent temporary loops.
based on user traffic received on the
port but does not forward user traffic
through the port.

Port Purpose Description

State
Listening All ports are in Listening state before This is a transitional state.
the root bridge, root port, and
designated port are selected.
Blocking A port in Blocking state receives and This is the final state of a blocked
forwards only BPDUs, and does not port.
forward user traffic.
Disabled A port in Disabled state does not The port is Down.

process BPDUs or forward user
traffic.
Figure 14-5 shows the state transitions of a port.
Figure 14-5 STP state transitions of a port
Disabled or
Down
①
⑤
Blocking
②
④ ⑤
Listening
③
④ ⑤
Learning
③
④ ⑤
Forwarding
1 The port is initialized or enabled, and enters the Blocking state.
2 The port is selected as the root or designated port, and enters

the Listening state.
3 When the time limit for keeping the port in a temporary state
expires, the port enters the next state (either Learning or
Forwarding). Then the port is selected as the root or designated port.
4 The port is not the root or designated port, and enters the blocking
state.
5 The port is disabled or the link fails.

NOTE
By default, a Huawei network device uses MSTP mode. After a device transitions from MSTP mode to
STP mode, its STP ports support only those states defined in MSTP, which are Forwarding, Learning,
and Discarding. Table 14-4 describes the three port states.
Table 14-4 MSTP port states

Port Description
State
Forwardi A port in Forwarding state can forward user traffic and process BPDUs.
ng
Learning This is a transitional state. When a port is in Learning state, it can send and
receive BPDUs, but does not forward user traffic. The device creates MAC
address entries based on user traffic received on the port but does not forward
user traffic through the port.
Discardin A port in Discarding state can only receive BPDUs.

g
The following parameters affect the STP port states and convergence.
l Hello Time
The Hello Time specifies the interval at which an STP device sends configuration BPDU
packets to detect link failures.
When the Hello Time is changed, the new value takes effect only after a new root bridge
is elected. The new root bridge includes the new Hello Time value in BPDUs it sends to
non-root bridges. If the network topology changes, TCN BPDUs are immediately
transmitted regardless of the Hello Time.
l Forward Delay
The Forward Delay timer specifies the length of delay before a port state transition.
When a link fails, STP calculation is triggered and the spanning tree structure changes.
However, new configuration BPDUs cannot be immediately spread over the entire
network. If the new root port and designated port forward data immediately, transient
loops may occur. Therefore, STP defines a port state transition delay mechanism. The
newly selected root port and designated port must wait for two Forward Delay intervals
before transitioning to the Forwarding state. During this period, the new configuration
BPDUs can be transmitted over the network, preventing transient loops.
The default Forward Delay timer value is 15 seconds. This means that the port stays in
Listening state for 15 seconds and then stays in Learning state for another 15 seconds
before transitioning to the Forwarding state. The port is blocked when it is in Listening
or Learning state, effectively preventing transient loops.
l Max Age
The Max Age specifies the aging time of BPDUs. This parameter is configurable on the
root bridge.
The Max Age is spread to the entire network with configuration BPDUs. After a non-
root bridge receives a configuration BPDU, it compares the Message Age value with the
Max Age value in the received configuration BPDU.

– If the Message Age value is smaller than or equal to the Max Age value, the non-
root bridge forwards the configuration BPDU.
– If the Message Age value is greater than the Max Age value, the non-root bridge
discards the configuration BPDU. When this happens, the network size is
considered too large and the non-root bridge disconnects from the root bridge.
If the configuration BPDU is sent from the root bridge, the Message Age value is 0.
Otherwise, the Message Age value is the total time spent to transmit the BPDU from the
root bridge to the local bridge, including the transmission delay. The Message Age value
of a configuration BPDU increases by 1 each time the configuration BPDU passes
through a bridge.
Table 14-5 provides the timer values defined in IEEE 802.1D.
Table 14-5 Values of STP timer parameters

Parameter Default Value Value Range
Hello Time 200 centiseconds (2 100-1000

seconds)
Max Age 2000 centiseconds (20 600-4000

seconds)
Forward Delay 1500 centiseconds (15 400-3000

seconds)
14.2.3 BPDU Format

A BPDU carries the BID, root path cost, and PID. There are two types of STP BPDUs:
l Configuration BPDUs are heartbeat packets. STP-enabled designated ports send
configuration BPDUs at Hello timer intervals.
l Topology Change Notification (TCN) BPDUs are sent only after a device detects a
network topology change.
A BPDU is encapsulated in an Ethernet frame. Its destination MAC address is a multicast
MAC address, 01-80-C2-00-00-00. The Length field specifies the MAC data length, and is
followed by the LLC header. Figure 14-6 shows the Ethernet frame format.
Figure 14-6 Format of an Ethernet frame

6 bytes 6 bytes 2 bytes 3 bytes 38-1492 bytes 4 bytes
DMAC SMAC Length LLC BPDU Data CRC
Configuration BPDU
Configuration BPDUs are the most common type of BPDU and are sent to exchange topology
information among STP devices.
Each bridge actively sends configuration BPDUs during initialization. After the network
topology becomes stable, only the root bridge actively sends configuration BPDUs. Other

bridges send configuration BPDUs only after receiving configuration BPDUs from upstream
devices.
A configuration BPDU is at least 35 bytes long and includes parameters such as the BID, root
path cost, and PID. A bridge processes a received configuration BPDU only if either the
sender BID or PID is different from that on the local bridge receive port. If both fields are the
same as those on the receive port, the bridge discards the configuration BPDU. Therefore, the
bridge does not need to process BPDUs with the same information as the local port.
A configuration BPDU is sent in one of the following scenarios:
l After STP is enabled on ports of a device, the designated port on the device sends
configuration BPDUs at Hello timer intervals.
l When the root port on a device receives a configuration BPDU, the device sends a copy
of the configuration BPDU to each of its designated ports.
l When a designated port receives an inferior configuration BPDU, the designated port
immediately sends its own configuration BPDU to the downstream device.
Table 14-6 describes fields in a BPDU.
Table 14-6 Fields in a BPDU

Field Byte Description
s
Protocol Identifier 2 The value is fixed at 0, representing a spanning tree

protocol.
Protocol Version 1 The value is fixed at 0, representing a spanning tree

Identifier protocol.
BPDU Type 1 Indicates the type of a BPDU. The value is one of the
following:
l 0x00: configuration BPDU
l 0x80: TCN BPDU
Flags 1 Indicates whether the network topology has changed.

l The rightmost bit is the Topology Change (TC) flag.
l The leftmost bit is the Topology Change
Acknowledgment (TCA) flag.
Root Identifier 8 Indicates the BID of the current root bridge.
Root Path Cost 4 Indicates the accumulated path cost from a port to the root
bridge.
Bridge Identifier 8 Indicates the BID of the bridge that sends the BPDU.
Port Identifier 2 Indicates the ID of the port that sends the BPDU.


s
Message Age 2 Records the time that has elapsed since the original BPDU
was generated on the root bridge.
If the configuration BPDU is sent from the root bridge, the
Message Age value is 0. Otherwise, the Message Age value
is the total time spent to transmit the BPDU from the root
bridge to the local bridge, including the transmission delay.
The Message Age value of a configuration BPDU increases
by 1 each time the configuration BPDU passes through a
bridge.
Max Age 2 Indicates the aging time of a BPDU.
Hello Time 2 Indicates the interval at which BPDUs are sent.
Forward Delay 2 Indicates the period during which a port stays in Listening
and Learning states.
Figure 14-7 shows the Flags field. Only the leftmost and rightmost bits are used in STP.
Figure 14-7 Format of the Flags field
Reserved
Bit7 Bit0
TCA (Topology Change TC (Topology

Acknowledgment flag) Change flag)
TCN BPDU
A TCN BPDU contains only three fields: Protocol Identifier, Version, and Type, as shown in
Table 14-6. The Type field is four bytes long and is fixed at 0x80.
When the network topology changes, TCN BPDUs are transmitted upstream until they reach
the root bridge. A TCN BPDU is sent in either of the following scenarios:
l A port transitions to the Forwarding state.
l A designated port receives a TCN BPDU and sends a copy to the root bridge.
14.2.4 STP Topology Calculation

After STP is enabled on all devices on a network, all devices initially consider themselves as
the root bridge. They only transmit and receive BPDUs and do not forward user traffic, and
all ports on the devices are in Listening state. The devices select the root bridge, root ports,
and designated ports based on configuration BPDUs.

BPDU Exchange
Figure 14-8 shows the initial information exchange process. The four parameters in a pair of
brackets represent the root ID (S1_MAC and S2_MAC are the BIDs of the two devices), root
path cost, sender BID, and PID carried in configuration BPDUs. Configuration BPDUs are
sent at Hello timer intervals.
Figure 14-8 Initial BPDU exchange
{S1_MAC,0,S1_MAC,A_PID}
A B
S1 {S2_MAC,0,S2_MAC,B_PID} S2
STP Algorithm Implementation

1. Initialization
Because each bridge considers itself the root bridge, the BPDU sent from a port is set as
follows:
The root ID is the BID of the local bridge, the root path cost is 0, the sender BID is the
BID of the local bridge, and the PID is the ID of the port that sends the BPDU.
2. Root bridge election
During network initialization, every device considers itself the root bridge and sets the
root ID to its own BID. Then devices exchange configuration BPDUs and compare their
root IDs to find the device with the smallest BID, which becomes the root bridge.
3. Root port and designated port selection
Table 14-7 describes the process of selecting the root port and designated port.
Table 14-7 Selecting the root port and designated port

Ste Process
p
1 A non-bridge device selects the port that receives the optimal configuration
BPDU as the root port. Table 14-8 describes the process of selecting the optimal
configuration BPDU.
2 The device generates a configuration BPDU for each port and modifies the
following fields based on the configuration BPDU on the root port and path cost
of the root port:
l Replaces the root ID with the root ID in the configuration BPDU on the root
port.
l Replaces the root path cost with the sum of the root path cost in the
configuration BPDU on the root port and the path cost of the root port.
l Replaces the sender BID with the local BID.
l Replaces the PID with the local port ID.

Ste Process
p
3 The device compares the calculated configuration BPDU with the configuration
BPDU received on the port:
l If the calculated configuration BPDU is superior, the port is selected as the
designated port and periodically sends the calculated configuration BPDU.
l If the port's own configuration BPDU is superior, the configuration BPDU
on the port is not updated and the port is blocked. After that, the port only
receives BPDUs, and does not forward data or send BPDUs.
Table 14-8 Selecting the optimal configuration BPDU

Ste Process
p
1 Each port compares the received configuration BPDU with its own
configuration BPDU:
l If the received configuration BPDU is inferior, the port discards the received
configuration BPDU and retains its own configuration BPDU.
l If the received configuration BPDU is superior, the port replaces its own
configuration BPDU with the received one.
2 The device compares configuration BPDUs on all the ports and selects the
optimal one.
Example of STP Topology Calculation

After the root bridge, root ports, and designated ports are selected successfully, a tree
topology is set up on the entire network. The following example illustrates how STP
calculation is implemented.

Figure 14-9 STP networking and calculated topology
DeviceA
Priority=0 DeviceA
Root
Bridge
Port A1 Port A2
STP Topology
Calculation
Pa
t=5
th
os
co
c
st=
th
Pa
10
Port B1 Port C1
Path cost=4
Port B2 Port C2
DeviceB DeviceC DeviceC
DeviceB
Priority=1 Priority=2
root port
designated port
blocked port
In Figure 14-9, DeviceA, DeviceB, and DeviceC are deployed on the network, with priorities
0, 1, and 2, respectively. The path costs between DeviceA and DeviceB, DeviceA and
DeviceC, and DeviceB and DeviceC are 5, 10, and 4, respectively.
1. Initial state of each device

Table 14-9 lists the initial state of each device.
NOTE
The fields in a configuration BPDU are {root ID, root path cost, sender BID, PID}.
Table 14-9 Initial state of each device
Device Port Configuration BPDU
DeviceA Port A1 {0, 0, 0, Port A1}
Port A2 {0, 0, 0, Port A2}
DeviceB Port B1 {1, 0, 1, Port B1}
Port B2 {1, 0, 1, Port B2}
DeviceC Port C1 {2, 0, 2, Port C1}
Port C2 {2, 0, 2, Port C2}
2. Configuration BPDU comparison and result

Table 14-10 describes configuration BPDU comparison process and result.

Table 14-10 Topology calculation process and result

Dev Comparison Configuration BPDU
ice After Comparison
Devi l Port A1 receives the configuration BPDU {1, l Port A1: {0, 0, 0, Port
ceA 0, 1, Port B1} from Port B1 and finds it A1}
inferior to its own configuration BPDU {0, 0, l Port A2: {0, 0, 0, Port
0, Port A1}, so Port A1 discards the received A2}
configuration BPDU.
l Port A2 receives the configuration BPDU {2,
0, 2, Port C1} from Port C1 and finds it
inferior to its own configuration BPDU {0, 0,
0, Port A2} superior, so Port A2 discards the
received configuration BPDU.
l DeviceA finds that the root bridge and
designated bridge specified in the
configuration BPDUs on its ports are on
itself. Therefore, DeviceA considers itself as
the root bridge and periodically sends
configuration BPDUs from each port without
modifying the BPDUs.
Devi l Port B1 receives the configuration BPDU {0, l Port B1: {0, 0, 0, Port
ceB 0, 0, Port A1} from Port A1 and finds it A1}
superior to its own configuration BPDU {0, l Port B2: {1, 0, 1, Port
0, 0, Port B1}, so Port B1 updates its B2}
configuration BPDU.
l Port B2 receives the configuration BPDU {2,
0, 2, Port C2} from Port C2 and finds it
inferior to its own configuration BPDU {1, 0,
1, Port B2}, so Port B2 discards the received
configuration BPDU.
l DeviceB compares the configuration BPDU l Root port (Port B1):

on each port and finds that Port B1 has an {0, 0, 0, Port A1}
optimal configuration BPDU. DeviceB l Designated port (Port
selects Port B1 as the root port and retains the B2): {0, 5, 1, Port B2}
configuration BPDU on Port B1.
l DeviceB calculates the configuration BPDU
{0, 5, 1, Port B2} for Port B2 based on the
configuration BPDU and path cost of the root
port, and compares the calculated
configuration BPDU with the original
configuration BPDU {1, 0, 1, Port B2} on
Port B2. The calculated configuration BPDU
is superior to the original one, so DeviceB
selects Port B2 as the designated port,
replaces Port B2's configuration BPDU with
the calculated one, and periodically sends
configuration BPDUs from Port B2.


Devi l Port C1 receives the configuration BPDU {0, l Port C1: {0, 0, 0, Port
ceC 0, 0, Port A2} from Port A2 and finds it A2}
superior to its own configuration BPDU {0, l Port C2: {1, 0, 1, Port
0, 0, Port C1}, so Port C1 updates its B2}
configuration BPDU.
l Port C2 receives the configuration BPDU {1,
0, 1, Port B2} from Port B2 and finds it
superior to its own configuration BPDU {1,
0, 1, Port C2}, so Port C2 updates its
configuration BPDU.
l DeviceC compares the configuration BPDU l Root port (Port C1):

on each port and finds that the configuration {0, 0, 0, Port A2}
BPDU on Port C1 is optimal. DeviceC selects l Designated port (Port
Port C1 as the root port and retains the C2): {0, 10, 2, Port
configuration BPDU on Port C1. C2}
l DeviceC calculates the configuration BPDU
{0, 10, 2, Port C2} for Port C2 based on the
port, and compares the calculated
configuration BPDU with the original
configuration BPDU {1, 0, 1, Port B2} on
Port C2. The calculated configuration BPDU
is superior to the original one, so DeviceC
selects Port C2 as the designated port and
replaces its configuration BPDU with the
calculated one.
l Port C2 receives the configuration BPDU {0, l Port C1: {0, 0, 0, Port
5, 1, Port B2} from Port B2 and finds it A2}
superior to its own configuration BPDU {0, l Port C2: {0, 5, 1, Port
10, 2, Port C2}, so Port C2 updates its B2}
configuration BPDU.
l Port C1 receives the configuration BPDU {0,
0, 0, Port A2} from Port A2 and finds it the
same as its own configuration BPDU, so Port
C1 discards the received configuration
BPDU.


l The root path cost of Port C1 is 10 (root path l Blocked port (Port C1):
cost 0 in the received configuration BPDU {0, 0, 0, Port A2}
plus the link patch cost 10), and the root path l Root port (Port C2):
cost of Port C2 is 9 (root path cost 5 in the {0, 5, 1, Port B2}
received configuration BPDU plus the link
patch cost 4). DeviceC finds that Port C2 has
a smaller root path cost and therefore
considers the configuration BPDU of Port C2
superior to that of Port C1. DeviceC then
selects Port C2 as the root port and retains its
configuration BPDU.
l DeviceC calculates the configuration BPDU
{0, 9, 2, Port C1} for Port C1 based on the
port, and finds the calculated configuration
BPDU inferior to the original configuration
BPDU {0, 0, 0, Port A2} on Port C2.
DeviceC blocks Port C1 and does not update
its configuration BPDU. Port C1 no longer
forwards data until STP recalculation is
triggered, for example, when the link between
DeviceB and DeviceC is down.
After the topology becomes stable, the root bridge still sends configuration BPDUs at Hello
timer intervals. Each non-root bridge forwards the received configuration BPDUs through its
designated port. When a non-root bridge receives a superior configuration BPDU on a port,
the non-root bridge replaces the configuration BPDU on the port with the received
configuration BPDU.
STP Topology Changes

Figure 14-10 shows the packet transmission process after an STP topology change.
Figure 14-10 Packet transmission after a topology change
Root Bridge Root Bridge

1. When the status of the interface at point T changes, a downstream device continuously
sends TCN BPDUs to the upstream device.
2. The upstream device processes only the TCN BPDUs received on the designated port
and discards TCN BPDUs received on other ports.
3. The upstream device sets the TCA bit of the Flags field in the configuration BPDUs to 1
and returns the configuration BPDUs to instruct the downstream device to stop sending
TCN BPDUs.
4. The upstream device sends a copy of the TCN BPDUs toward the root bridge.
5. Steps 1, 2, 3 and 4 are repeated until the root bridge receives the TCN BPDUs.
6. The root bridge sets the TC bit of the Flags field in the configuration BPDUs to 1 to
instruct the downstream devices to delete MAC address entries.
NOTE
l TCN BPDUs are used to inform the upstream device and root bridge of topology changes.
l Configuration BPDUs with the TCA bit set to 1 are used by the upstream device to inform the
downstream device that the topology changes are known and instruct the downstream device to stop
sending TCN BPDUs.
l Configuration BPDUs with the TC bit set to 1 are used by the upstream device to inform the
downstream device of topology changes and instruct the downstream device to delete MAC address
entries. This increases network convergence speed.
14.2.5 Improvements in RSTP

In 2001, IEEE 802.1w was published to introduce the Rapid Spanning Tree Protocol (RSTP),
an extension of the Spanning Tree Protocol (STP). RSTP was developed based on STP and
makes additions and modifications to STP.
Disadvantages of STP
STP ensures a loop-free network but has a slow network topology convergence speed, leading
to service quality deterioration. If the network topology changes frequently, the STP network
will frequently lose connection and suffer service interruptions, significantly impacting user
experience.
STP has the following disadvantages:
l STP does not distinguish port states and port roles clearly.
– Ports in Listening, Learning, and Blocking states are the same to users because they
are all prevented from forwarding service traffic.
– From the perspective of port use and configuration, the essential differences
between ports lie in the port roles rather than port states.
Both root and designated ports can be in Listening or Forwarding state, so the ports
cannot be distinguished solely by their states.
l STP determines topology changes after the timer expires, which slows down network
convergence.
l STP requires that the root bridge send configuration BPDUs after the network topology
becomes stable and other devices process and spread the configuration BPDUs to the
entire network. This also slows down topology convergence.

Improvements Made in RSTP

RSTP removes three port states, defines two new port roles, and distinguishes port attributes
based on port states and roles. In addition, RSTP provides enhanced features and protection
measures to ensure network stability and fast convergence.
Figure 14-11 Diagram of port roles
S1
root bridge
B A
S2 S3
A A a
S1
root bridge
B A
S2 S3
A a
B A
b
root port
designated port
Alternate port
Backup port
l RSTP defines additional port roles to simplify the learning and deployment of the
protocol.
Figure 14-11 shows the four port roles defined in RSTP: root port, designated port,
alternate port, and backup port.
The functions of the root port and designated port are the same as those defined in STP.
The alternate port and backup port are defined as follows:
– From the perspective of configuration BPDU transmission:
n An alternate port is blocked after learning a configuration BPDU sent from
another bridge.

n A backup port is blocked after learning a configuration BPDU sent from itself.
– From the perspective of user traffic:
n An alternate port acts as a backup of the root port and provides an alternate
path from the designated bridge to the root bridge.
n A backup port acts as a backup of the designated port and provides a backup
path from the root bridge to the related network segment.
After roles of all RSTP ports are determined, the topology convergence is
completed.
l RSTP redefines port states.
RSTP reduces the number of port states to 3. Depending on whether a port can forward
user traffic and learn MAC addresses, the port will be in one of the following states:
– If the port does not forward user traffic or learn MAC addresses, it is in the
Discarding state.
– If the port does not forward user traffic but learns MAC addresses, it is in the
Learning state.
– If the port forwards user traffic and learns MAC addresses, it is in the Forwarding
state.
Table 14-11 compares the port states defined in STP and RSTP. Port states are not
necessarily related to port roles. Table 14-11 lists possible states for different port roles.
Table 14-11 Comparison between port states defined in STP and RSTP
STP Port State RSTP Port State Port Role
Forwarding Forwarding Root port or designated port
Learning Learning Root port or designated port
Listening Discarding Root port or designated port
Blocking Discarding Alternate port or backup port
Disabled Discarding -
l RSTP changes the configuration BPDU format and uses the Flags field to describe port
roles.
RSTP retains the basic configuration BPDU format defined in STP with minor changes:
– The value of the Type field is changed from 0 to 2. Devices running STP will
discard configuration BPDUs sent from devices running RSTP.
– The Flags field uses the six bits reserved in STP. This configuration BPDU is called
an RST BPDU. Figure 14-12 shows the Flags field in an RST BPDU.

Figure 14-12 Format of the Flags field in an RST BPDU
Bit7 Bit6 Bit5 Bit4 Bit3 Bit2 Bit1 Bit0

TCA Agreement Forwarding Learning Port role Proposal TC
Topology Change Topology

Acknowledgment flag Change flag
Port role = 00 Unknown
01 Alternate/Backup port
10 Root port
11 Designated port
l RSTP processes configuration BPDUs differently from STP.

– Configuration BPDU transmission
In STP, the root bridge sends configuration BPDUs at Hello timer intervals after the
topology becomes stable. Non-root bridges send configuration BPDUs only after
they receive configuration BPDUs from upstream devices. This complicates the
STP calculation and slows down network convergence.
RSTP allows non-root bridges to send configuration BPDUs at Hello timer intervals
after the topology becomes stable, regardless of whether they have received
configuration BPDUs from the root bridge.
– BPDU timeout period
In STP, a device has to wait for a Max Age period before determining a negotiation
failure.
In RSTP, a device determines that the negotiation between its port and the upstream
device has failed if the port does not receive any configuration BPDUs sent from
the upstream device within the timeout interval (Hello Time x 3 x Timer Factor).
– Processing of inferior BPDUs
When an RSTP port receives an RST BPDU from the upstream designated bridge,
the port compares the received RST BPDU with its own RST BPDU.
If its RST BPDU is superior to the received one, the port discards the received RST
BPDU and immediately responds to the upstream device with its own RST BPDU.
After receiving the RST BPDU, the upstream device replaces its RST BPDU with
the received RST BPDU. This allows RSTP to rapidly process inferior BPDUs
without relying on timers.
l Rapid convergence
– Proposal/Agreement mechanism
In STP, a port that is selected as a designated port needs to wait at least one Forward
Delay interval in the Learning state before it enters the Forwarding state.
In RSTP, a port that is selected as a designated port enters the Discarding state, and
then the proposal/agreement mechanism allows the port to immediately enter the
Forwarding state. The proposal/agreement mechanism must be applied on P2P links
in full-duplex mode.
For details, see 14.2.6 RSTP Technology Details.
– Fast switchover of the root port

If a root port fails, the best alternate port becomes the root port and enters the
Forwarding state. This is because the network segment connected to this alternate
port has a designated port connected to the root bridge.
When the port role changes, the network topology changes accordingly. For details,
see 14.2.6 RSTP Technology Details.
– Edge ports
In RSTP, a designated port on the network edge is called an edge port. An edge port
directly connects to a terminal and does not connect to any other switching devices.
An edge port does not participate in RSTP calculation. This port can transition from
Disabled state to Forwarding state immediately. An edge port becomes a common
STP port once it is connected to a switching device and receives a configuration
BPDU. The spanning tree needs to be recalculated, which leads to network
flapping.
l Protection functions
RSTP provides the following functions:
– BPDU protection
On a switching device, ports directly connected to a user terminal such as a PC or
file server are edge ports. Usually, no RST BPDUs are sent to edge ports. If a
switching device receives malicious RST BPDUs on an edge port, the switching
device automatically sets the edge port to a non-edge port and performs STP
calculation. This causes network flapping.
BPDU protection enables a switching device to set the state of an edge port to error-
down if the edge port receives an RST BPDU. In this case, the port remains the
edge port, and the switching device sends a notification to the NMS.
– Root protection
The root bridge on a network may receive superior RST BPDUs due to incorrect
configurations or malicious attacks. When this occurs, the root bridge can no longer
serve as the root bridge and the network topology will incorrectly change. As a
result, traffic may be switched from high-speed links to low-speed links, leading to
network congestion.
If root protection is enabled on a designated port, the port role cannot be changed.
When the designated port receives a superior RST BPDU, the port enters the
Discarding state and does not forward packets. If the port does not receive any
superior RST BPDUs within a specified period (two Forward Delay periods by
default), the port automatically enters the Forwarding state.
NOTE
Root protection takes effect only on designated ports.

– Loop protection
On an RSTP network, a switching device maintains the states of the root port and
blocked ports based on RST BPDUs received from the upstream switching device.
If the ports cannot receive RST BPDUs from the upstream switching device
because of link congestion or unidirectional link failures, the switching device re-
selects a root port. Then, the previous root port becomes a designated port and the
blocked ports change to the Forwarding state, which can lead to loops on the
network.
In Figure 14-13, when the link between BP2 and CP1 is congested, the root port
CP1 on DeviceC cannot receive BPDUs from the upstream device. After a specified

period, the alternate port CP2 becomes the root port and CP1 becomes the
designated port. As a result, a loop occurs.
Figure 14-13 Topology change upon link congestion

DeviceA DeviceA
Root Root
Bridge Bridge
AP1 AP2 AP1 AP2
BP1 CP2 BP1 CP2
BP2 CP1 BP2 CP1

DeviceB DeviceC DeviceB DeviceC
a. The link is normal. b. Congestion occurs in the link.

root port
designated port
Alternate port
If the root port or alternate port does not receive BPDUs from the upstream device
for a specified period, a switch enabled with loop protection sends a notification to
the NMS. The root port enters the Discarding state and becomes the designated
port, whereas the alternate port remains blocked and becomes the designated port.
In this case, loops will not occur. After the link is no longer congested or
unidirectional link failures are rectified, the port receives BPDUs for negotiation
and restores its original role and status.
NOTE
Loop protection takes effect only on the root port and alternate ports.
– TC BPDU attack defense
A switching device deletes its MAC address entries and ARP entries after receiving
TC BPDUs. If an attacker sends a large number of malicious TC BPDUs to the
switching device within a short period, the device will constantly delete MAC
address entries and ARP entries. This increases the load on the switching device
and threatens network stability.
After enabling TC BPDU attack defense on a switching device, you can set the
number of TC BPDUs that the device can process within a specified period. If the
number of TC BPDUs that the switching device receives within a given time period
exceeds the specified threshold, the switching device processes only the specified
number of TC BPDUs. After the time period expires, the switching devices process
all the excess TC BPDUs together. This function prevents the switching device
from frequently deleting MAC entries and ARP entries.

14.2.6 RSTP Technology Details

The Proposal/Agreement mechanism enables a designated port to enter the Forwarding state
quickly. In Figure 14-14, root bridge S1 establishes a link with S2. On S2, p2 is an alternate
port, p3 is a designated port in Forwarding state, and p4 is an edge port.
Figure 14-14 Proposal/Agreement negotiation process

S1
p0 1 Proposal
3 Agreement
p1
S2
p2 E p4
p3
2 sync 2 sync 2 sync

(Leaves the port (Blocks the (Leaves the port
state unchanged) port) state unchanged)
Designated port
Alternate port
E Edge port
The Proposal/Agreement mechanism works as follows:

1. p0 and p1 become designated ports and send RST BPDUs to each other.
2. The RST BPDU sent from p0 is superior to that of p1, so p1 becomes a root port and
stops sending RST BPDUs.
3. p0 enters the Discarding state and sets the Proposal and Agreement fields in its RST
BPDU to 1.
4. After S2 receives an RST BPDU with the Proposal field set to 1, it sets the sync variable
to 1 for all its ports.
5. As p2 has been blocked, its state remains unchanged. p4 is an edge port and does not
participate in calculation, so only the non-edge designated port p3 needs to be blocked.
6. After p2 and p3 enter the Discarding state, their sync variable is set to 1. The sync
variable of the root port p1 is also set to 1, and p1 sends an RST BPDU with the
Agreement field set to S1. This RST BPDU carries the same information as the one sent
from the root bridge S1, except that the Agreement field is set to 1 and the Proposal field
is set to 0.
7. After S1 receives this RST BPDU, it identifies that the RST BPDU is a response to the
proposal that it has sent. Then p0 immediately enters the Forwarding state.

The proposal/agreement process can proceed to downstream devices.
STP can select designated ports quickly; however, to prevent loops, all ports must wait at least
one Forward Delay interval before initiating data forwarding. RSTP blocks non-root ports to
prevent loops and uses the proposal/agreement mechanism to shorten the time that an
upstream port waits before transitioning to the Forwarding state.
NOTE
The proposal/agreement mechanism applies only to P2P full-duplex links between two switching
devices. When proposal/agreement fails, a designated port is elected after two Forward Delay intervals,
same as designated port election in STP mode.
RSTP Topology Changes

RSTP considers that the network topology has changed when a non-edge port transitions to
the Forwarding state.
When detecting a topology change, RSTP devices react as follows:

l The local device starts a TC While timer on each non-edge designated port. The TC
While timer value is twice the Hello Time value.
Within the TC While time, the local device clears MAC address entries learned on ports
whose states have changed.
At the same time, these ports send out RST BPDUs with the TC bit set to 1. When the
TC While timer expires, the ports stop sending RST BPDUs.
l When other switching devices receive RST BPDUs, they clear MAC address entries
learned on all their ports except the ports that receive the RST BPDUs. These switching
devices also start a TC While timer on each non-edge designated port and repeat the
preceding process.
RST BPDUs are then flooded on the entire network.
Interoperability with STP

RSTP can interoperate with STP, but doing so causes RSTP to lose its advantages, such as fast
convergence.
On a network with both STP-capable and RSTP-capable devices, STP-capable devices

discard RST BPDUs. If a port on an RSTP-capable device receives a configuration BPDU
from an STP-capable device, the port switches to the STP mode and starts to send
configuration BPDUs after two Hello timer intervals.
After STP-capable devices are removed, Huawei RSTP-capable devices can be switched back
to the RSTP mode.
14.3 Applications
STP Application
Loops often occur on a complex network, because multiple physical links are often deployed
between two devices to implement link redundancy. Loops may cause broadcast storms and
unstable MAC address entries on network devices.

Figure 14-15 Typical STP application
Network
PE1 Root PE2

Bridge
STP
CE1 CE2
PC1 PC2
Blocked port
In Figure 14-15, STP is deployed on the devices. The devices exchange information to
discover loops on the network and block ports. This ensures a loop-free tree network and that
the packet processing capabilities of switches is not impacted.

Table 14-12 summarizes STP/RSTP configuration tasks.
Table 14-12 STP/RSTP configuration task summary

Configuring basic STP/ Configure STP/RSTP on 14.7.1 Configuring Basic

RSTP functions switching devices on a STP/RSTP Functions
network to ensure that the
network has a loop-free tree
topology.

Setting STP parameters that STP cannot implement rapid 14.7.2 Setting STP
affect STP convergence convergence. However, you Parameters that Affect
can set STP parameters, STP Convergence
including the network
diameter, timeout interval,
Hello timer interval, Max
Age timer value, and
Forward Delay timer value
to speed up convergence.
Setting RSTP parameters RSTP supports link type and 14.7.3 Setting RSTP
that affect RSTP fast transition configuration Parameters that Affect
convergence on ports to implement rapid RSTP Convergence
convergence.
Configuring RSTP You can configure one or 14.7.4 Configuring RSTP

protection functions more functions RSTP Protection Functions
protection functions on a
Huawei device.
Setting parameters for To implement interoperation 14.7.5 Setting Parameters

interoperation between between a Huawei device for Interoperation
Huawei and non-Huawei and a non-Huawei device, Between Huawei and Non-
devices select a fast transition mode Huawei Devices
according to the Proposal/
Agreement mechanism of
the non-Huawei device.

Other network elements also need to support STP or RSTP.
License Support
STP or RSTP is a basic feature of a switch and is not under license control.

Version Support
Table 14-13 Products and versions supporting STP or RSTP

Model
S7700 S7703, V100R003C01, V100R006C00, V200R001(C00&C01),

S7706, V200R002C00, V200R003C00, V200R005C00,
S7712 V200R006C00, V200R007C00, V200R008C00,
V200R009C00, V200R010C00
S9700 S9703, V200R001(C00&C01), V200R002C00, V200R003C00,

S9706, V200R005C00, V200R006C00, V200R007C00,
S9712 V200R008C00, V200R009C00, V200R010C00
NOTE

When STP or RSTP is enabled on a ring network, STP or RSTP immediately starts spanning
tree calculation. Parameters such as the device priority and port priority affect spanning tree
calculation, and the change of these parameters may cause network flapping. To ensure fast
and stable spanning tree calculation, configure parameters such as the device priority and port
priority before enabling STP or RSTP.
On a switch enabled with a spanning tree protocol, when a terminal connects to the switch,
spanning tree calculation is performed again. As a result, it takes a long period of time for the
terminal to obtain an IP address. In this case, disable the spanning tree protocol on the switch
port connected to the terminal or configure this switch port as the edge port.
Working mode MSTP
STP/RSTP status Enabled globally and on an interface
Switching device priority 32768
Port priority 128
Algorithm used to calculate the dot1t, IEEE 802.1t

path cost
Forward Delay 1500 centiseconds (15 seconds)
Hello Time 200 centiseconds (2 seconds)

Max Age 2000 centiseconds (20 seconds)
14.7 Configuring STP/RSTP
14.7.1 Configuring Basic STP/RSTP Functions

You can configure STP/RSTP on an Ethernet network to ensure that the network has a loop-
free tree topology.
14.7.1.1 Configuring the STP/RSTP Mode
Context
A switching device supports three working modes: STP, RSTP, and MSTP. The default
working mode is MSTP. Use the STP mode on a ring network running only STP, and use the
RSTP mode on a ring network running only RSTP.
Procedure
Step 1 Run:
system-view

Step 2 Run:
stp mode { stp | rstp }
The working mode of the switching device is set to STP or RSTP.

By default, the working mode of a switching device is MSTP. MSTP is compatible with STP
and RSTP.
----End
14.7.1.2 (Optional) Configuring the Root Bridge and Secondary Root Bridge
Context
The root bridge of a spanning tree is automatically calculated. You can also manually specify
a root bridge or secondary root bridge.
l A spanning tree can have only one root bridge. When two or more devices are specified
as root bridges for a spanning tree, the device with the smallest MAC address is elected
as the root bridge.
l You can specify multiple secondary root bridges for each spanning tree. When the root
bridge fails or is powered off, a secondary root bridge becomes the new root bridge
unless a new root bridge is specified. If there are multiple secondary root bridges, the
one with smallest MAC address becomes the root bridge of the spanning tree.

NOTE
It is recommended that you specify the root bridge and secondary root bridge when configuring STP/
RSTP.
Procedure
l Perform the following operations on the device you want to use as the root bridge.
a. Run:
system-view

b. Run:
stp root primary
The device is configured as the root bridge.

By default, a switching device does not function as the root bridge. After you run
this command, the priority value of the device is set to 0 and cannot be changed.
l Perform the following operations on the device you want to use as the secondary root
bridge.
a. Run:
system-view

b. Run:
stp root secondary
The device is configured as the secondary root bridge.

By default, a switching device does not function as the secondary root bridge. After
you run this command, the priority value of the device is set to 4096 and cannot be
changed.
----End
14.7.1.3 (Optional) Setting a Priority for a Switching Device
Context
An STP/RSTP network can have only one root bridge, which is the logical center of the
spanning tree. The root bridge should be a high-performance switching device deployed at an
upper network layer; however, such a device may not have the highest priority on the
network. Therefore, you need to set a high priority for such a device to ensure that it can be
selected as the root bridge.
Low-performance devices at lower network layers are not suitable for root bridges, so you
need to set low priorities for these devices.
A smaller priority value indicates a higher priority of the switching device. The switching
device with a higher priority is more likely to be elected as the root bridge.
Procedure
Step 1 Run:
system-view


Step 2 Run:
stp priority priority
A priority is set for the switching device.

The default priority value of a switching device is 32768.
If the stp root primary or stp root secondary command has been executed to configure the
device as the root bridge or secondary root bridge, run the undo stp root command to remove
those configurations. Then run the stp priority priority command to set a priority.
----End
14.7.1.4 (Optional) Setting a Path Cost for a Port
Context
Path cost is the reference value used for link selection on an STP/RSTP network.
The path cost value range is determined by the calculation method. After the calculation
method is determined, it is recommended that you set smaller path cost values for the ports
with higher link rates.
In the Huawei calculation method, the link rate determines the recommended value for the
path cost. Table 14-14 lists the recommended path costs for ports with different link rates.
Table 14-14 Mappings between link rates and path cost values
Link Rate Recommended Recommended Allowable Path
Path Cost Path Cost Range Cost Range
10 Mbit/s 2000 200 to 20000 1 to 200000
100 Mbit/s 200 20 to 2000 1 to 200000
1 Gbit/s 20 2 to 200 1 to 200000
10 Gbit/s 2 2 to 20 1 to 200000
Over 10 Gbit/s 1 1 to 2 1 to 200000
If a network has loops, it is recommended that you set a large path cost for ports with low link
rates so that STP/RSTP blocks these ports.
Procedure
Step 1 Run:
system-view

stp pathcost-standard { dot1d-1998 | dot1t | legacy }

A path cost calculation method is specified.
By default, the IEEE 802.1t standard (dot1t) is used to calculate the path costs.
All switching devices on a network must use the same path cost calculation method.
Step 3 Run:
The view of an interface participating in STP calculation is displayed.
Step 4 Run:
stp cost cost
A path cost is set for the interface.
l When the Huawei calculation method is used, cost ranges from 1 to 200000.
l When the IEEE 802.1d standard method is used, cost ranges from 1 to 65535.
l When the IEEE 802.1t standard method is used, cost ranges from 1 to 200000000.
----End
14.7.1.5 (Optional) Setting a Priority for a Port
Context
In spanning tree calculation, priorities of the ports in a ring affect designated port election.
To block a port on a switching device, set a greater priority value than the default priority
value for the port.
Procedure
Step 1 Run:
system-view
Step 2 Run:
Step 3 Run:
stp port priority priority
A priority is set for the interface.
The default priority value of a port on a switching device is 128.
----End

14.7.1.6 Enabling STP/RSTP
Context
NOTICE
Spanning tree calculations begin immediately after STP/RSTP is enabled on a ring network.
Configurations on a switching device, such as the device priority and port priority, affect
spanning tree calculation. Any change to those configurations may cause network flapping.
To ensure rapid, stable spanning tree calculation, perform basic configurations on the
switching device and its ports before enabling STP/RSTP.
Procedure
Step 1 Run:
system-view
Step 2 Run:
stp enable
STP/RSTP is enabled on the switching device.
By default, STP/RSTP is enabled on a device. If you specify a VLANIF interface of a VLAN

as the management network interface for an MSTP-enabled device, you can run the ethernet-
loop-protection ignored-vlan command to specify this VLAN as an ignored VLAN.
Interfaces in an ignored VLAN will not enter the Blocking state and instead remain in the
Forwarding state. Therefore, services will not be interrupted on these interfaces.
----End
Follow-up Procedure
When the topology of a spanning tree changes, the forwarding paths for associated VLANs
are changed. Switching devices need to update the ARP entries corresponding to those
VLANs. STP/RSTP convergence mode can be set as fast or normal, which changes how the
switching device processes ARP entries.
l In fast mode, ARP entries to be updated are directly deleted.

l In normal mode, ARP entries to be updated are rapidly aged.
In normal mode, the remaining lifetime of ARP entries is set to 0 to immediately age the
ARP entries out. If the number of ARP aging probes is greater than 0, the switching
device performs aging probe for these ARP entries.
Run the stp converge { fast | normal } command in the system view to configure the STP/
RSTP convergence mode.
The default and recommended mode for STP/RSTP convergence is normal. If the fast mode is
used, ARP entries will be frequently deleted, causing high CPU usage and network flapping.

Procedure
l Run the display stp [ interface interface-type interface-number | slot slot-id ] [ brief ]
command to view the spanning tree status and statistics.
----End
14.7.2 Setting STP Parameters that Affect STP Convergence

STP cannot implement rapid convergence. However, STP parameters including the network
diameter, timeout interval, Hello timer interval, Max Age timer value, and Forward Delay
timer value can affect the STP convergence speed.
Before setting STP parameters that affect STP convergence, configure basic STP functions.
14.7.2.1 Setting the STP Network Diameter
Context
Any two terminals on a switching network are connected through a specific path spanning
multiple devices. The network diameter is the maximum number of devices between any two
terminals. A larger network diameter indicates a larger network scale.
A network diameter that is too large may cause slow network convergence and affect
communication. Run the stp bridge-diameter command to set an appropriate network
diameter based on the network scale to speed up convergence.
It is recommended that all devices be configured with the same network diameter.
Procedure
Step 1 Run:
system-view

Step 2 Run:
stp bridge-diameter diameter
The network diameter is configured.

By default, the network diameter is 7.
NOTE
l RSTP uses a single spanning tree instance on the entire network. As a result, performance
deterioration cannot be prevented when the network scale grows. To help mitigate this, the network
diameter should not be set larger than 7.
l It is recommended that you run the stp bridge-diameter diameter command to set the network
diameter. Then, the switching device calculates the optimal Forward Delay timer value, Hello timer
interval, and Max Age timer value based on the configured network diameter.
----End

14.7.2.2 Setting the STP Timeout Interval
Context
If a device does not receive any BPDUs from the upstream device within the timeout interval,
the device considers the upstream device to be down and triggers spanning tree recalculation.
Sometimes, a device cannot receive the BPDU from the upstream device within the timeout
interval because the upstream device is busy. In this case, recalculating the spanning tree will
waste network resources. Set a long timeout interval on a stable network to avoid this.
The timeout interval is calculated as follows:
Timeout interval = Hello Time x 3 x Timer Factor
Procedure
Step 1 Run:
system-view

Step 2 Run:
stp timer-factor factor
The Timer Factor value is set. This parameter determines the timeout interval during which
the device waits for BPDUs from the upstream device.
By default, the timeout period is 9 times the Hello Time value.
----End
14.7.2.3 Setting STP Timers
Context
The following timers are used in spanning tree calculation:
l Forward Delay: specifies the delay before a state transition. After the topology of a ring
network changes, it takes some time to spread the new configuration BPDU throughout
the entire network. As a result, the original blocked port may be unblocked before a new
port is blocked. This creates a loop on the network. You can set the Forward Delay timer
to prevent loops. When the topology changes, all ports will be temporarily blocked
during the Forward Delay.
l Hello Time: specifies the interval at which Hello packets are sent. A switching device
sends configuration BPDUs at the specified interval to detect link failures. If the
switching device does not receive any BPDUs within a Hello timer interval, the
switching device triggers spanning tree recalculation.
l Max Age: determines when BPDUs expire. A switching device determines that a
received configuration BPDU times out when the Max Age expires.
Devices on a ring network must use the same values for Forward Delay, Hello Time, and Max
Age.
You are not advised to directly change the preceding three parameters as they are related to
the network scale; therefore, it is recommended that you set the network diameter so that the

spanning tree protocol automatically adjusts these timers. When the default network diameter
is used, the three timers also use their default values.
NOTICE
To prevent frequent network flapping, make sure that the Hello Time, Forward Delay, and
Max Age timer values conform to the following formulas:
l 2 x (Forward Delay - 1 second) >= Max Age
l Max Age >= 2 x (Hello Time + 1 second)
Procedure
Step 1 Run:
system-view

Step 2 Set the Forward Delay, Hello Time, and Max Age timers.
1. Run:
stp timer forward-delay forward-delay
The Forward Delay timer is set for the switching device.

By default, the Forward Delay timer is 1500 centiseconds (15 seconds).
2. Run:
stp timer hello hello-time
The Hello Time is set for the switching device.

By default, the Hello Time is 200 centiseconds (2 seconds).
3. Run:
stp timer max-age max-age
The Max Age timer is set for the switching device.

By default, the Max Age timer is 2000 centiseconds (20 seconds).
----End
14.7.2.4 Setting the Maximum Number of Connections in an Eth-Trunk that

Affects Spanning Tree Calculation
Context
The path costs affect spanning tree calculation. Changes to path costs trigger spanning tree
recalculation. The path cost of an interface is affected by its bandwidth, so changes to the
interface bandwidth also affect spanning tree calculation.
In Figure 14-16, SwitchA and SwitchB are connected through two Eth-Trunk links. Eth-
Trunk 1 has three member interfaces in Up state and Eth-Trunk 2 has two member interfaces
in Up state. Each member link has the same bandwidth, and SwitchA is selected as the root
bridge.

l Eth-Trunk 1 has higher bandwidth than Eth-Trunk 2. After STP calculation, Eth-Trunk 1
on SwitchB is selected as the root port and Eth-Trunk 2 is selected as the alternate port.
l If the maximum number of connections affecting bandwidth of Eth-Trunk 1 is set to 1,
the path cost of Eth-Trunk 1 becomes larger than the path cost of Eth-Trunk 2. Therefore,
the two devices perform spanning tree recalculation. Afterwards, Eth-Trunk 1 on
SwitchB becomes the alternate port and Eth-Trunk 2 becomes the root port.
Figure 14-16 Setting the maximum number of connections in an Eth-Trunk
SwitchA SwitchB
Before Eth-Trunk1
configuration Eth-Trunk2
Root Bridge
SwitchA SwitchB
After Eth-Trunk1
Root Bridge
Alternate port
Root port
Designated port
The maximum number of connections affects only the path cost of an Eth-Trunk interface
participating in spanning tree calculation, and does not affect the actual bandwidth of the Eth-
Trunk link. The actual bandwidth for an Eth-Trunk link depends on the number of active
member interfaces in the Eth-Trunk.
Procedure
Step 1 Run:
system-view
Step 2 Run:
Step 3 Run:
max bandwidth-affected-linknumber link-number
The maximum number of connections affecting the Eth-Trunk bandwidth is set.
By default, the maximum number of connections affecting the bandwidth of an Eth-Trunk is

8.
----End

Procedure
----End
14.7.3 Setting RSTP Parameters that Affect RSTP Convergence

RSTP supports link type and fast transition configuration on ports to implement rapid
convergence.
Before setting RSTP parameters that affect RSTP convergence, configure basic RSTP
functions.
14.7.3.1 Setting the RSTP Network Diameter
Context
Procedure
Step 1 Run:
system-view

Step 2 Run:

NOTE
l RSTP uses a single spanning tree instance on the entire network. As a result, performance
deterioration cannot be prevented when the network scale grows. To help mitigate this, the network
diameter should not be set larger than 7.
l It is recommended that you run the stp bridge-diameter diameter command to set the network
diameter. Then, the switching device calculates the optimal Forward Delay timer value, Hello timer
interval, and Max Age timer value based on the configured network diameter.
----End

14.7.3.2 Setting the RSTP Timeout Interval
Context
Procedure
Step 1 Run:
system-view

Step 2 Run:
The Timer Factor value is set. This parameter determines the timeout interval during which
the device waits for BPDUs from the upstream device.
By default, the timeout period is 9 times the Hello Time value.
----End
14.7.3.3 Setting RSTP Timers
Context
Age.

NOTICE
Procedure
Step 1 Run:
system-view

Step 2 Set the Forward Delay, Hello Time, and Max Age timers.
1. Run:
The Forward Delay timer is set for the switching device.

By default, the Forward Delay timer is 1500 centiseconds (15 seconds).
2. Run:
The Hello Time is set for the switching device.

By default, the Hello Time is 200 centiseconds (2 seconds).
3. Run:
The Max Age timer is set for the switching device.

By default, the Max Age timer is 2000 centiseconds (20 seconds).
----End

Context
bridge.

SwitchA SwitchB
Before Eth-Trunk1
Root Bridge
SwitchA SwitchB
After Eth-Trunk1
Root Bridge
Alternate port
Root port
Designated port
Procedure
Step 1 Run:
system-view
Step 2 Run:
Step 3 Run:

8.
----End

14.7.3.5 Setting the Link Type for a Port
Context
P2P links can implement rapid convergence. If the two ports connected by a P2P link are root
or designated ports, they can transition to the Forwarding state quickly by sending Proposal
and Agreement packets. This reduces the forwarding delay.
Procedure
Step 1 Run:
system-view
Step 2 Run:
The view of an Ethernet interface participating in STP calculation is displayed.
Step 3 Run:
stp point-to-point { auto | force-false | force-true }
The link type is set for the interface.
By default, an interface automatically identifies whether it is connected to a P2P link. P2P

links implement rapid network convergence.
l If the Ethernet interface works in full-duplex mode, the interface is connected to a P2P
link. In this case, force-true can be specified in the command to implement rapid
network convergence.
l If the Ethernet interface works in half-duplex mode, you can run the stp point-to-point
force-true command to forcibly set the link type to P2P.
----End
14.7.3.6 Setting the Maximum Transmission Rate of an Interface
Context
If more BPDUs are sent from an interface within a Hello timer interval, more system
resources are consumed. Setting a proper transmission rate (packet-number) on an interface
prevents excess bandwidth usage when network flapping occurs.
Procedure
Step 1 Run:
system-view
Step 2 Run:
The view of an Ethernet interface participating in STP calculation is displayed.

Step 3 Run:
stp transmit-limit packet-number
The maximum transmission rate of BPDUs in a specified period of time is set for the
interface.
By default, an interface sends a maximum of six BPDUs per second. If the same maximum
transmission rate of BPDUs needs to be set for each interface on a device, run the stp
transmit-limit (system view) command.
----End
14.7.3.7 Switching to the RSTP Mode
Context
If an interface on an RSTP-enabled device is connected to an STP-enabled device, the
interface switches to the STP compatible mode.
If the STP-enabled device is powered off or disconnected from the RSTP-enabled device, the
interface cannot automatically switch back to the RSTP mode. Run the stp mcheck command
to switch the interface to the RSTP mode.
You need to manually switch the interface to the RSTP mode in the following situations:
l The STP-enabled device is shut down or disconnected.

l The STP-enabled device is switched to the RSTP mode.
Procedure
l Switching to the RSTP mode in the interface view
a. Run:
system-view

b. Run:
The view of an interface participating in spanning tree calculation is displayed.

c. Run:
stp mcheck
The interface is switched to the RSTP mode.

l Switching to the RSTP mode in the system view
a. Run:
system-view

b. Run:
stp mcheck
The device is switched to the RSTP mode.
----End

14.7.3.8 Configuring Edge Ports and BPDU Filter Ports
Context
A port that is located at the edge of a network and directly connected to a terminal device is
an edge port.
An edge port does not process configuration BPDUs or participate in RSTP calculation. It can
transition from the Disabled state to the Forwarding state without any delay.
Edge ports can still send BPDUs, but if the BPDUs are sent to another network then network
flapping may occur on that network. To prevent this problem, configure the BPDU filter
function on edge ports so that the edge ports do not process or send BPDUs.
NOTE
If all the ports are configured as both edge ports and BPDU filter ports in the system view, none of ports
on the local device can send BPDUs or negotiate STP states with directly connected ports on peer
devices. Additionally, all ports are in Forwarding state. This may cause loops on the network, leading to
broadcast storms. Exercise caution when deciding to perform this configuration.
After a specified port is configured as both an edge port and a BPDU filter port in the interface view, the
port does not process or send BPDUs and cannot negotiate the STP state with the directly connected port
on the peer device. Exercise caution when deciding to perform this configuration.
Procedure
l Configuring all ports as edge ports and BPDU filter ports
a. Run:
system-view

b. Run:
stp edged-port default
All ports are configured as edge ports.

By default, all ports are non-edge ports.
c. Run:
stp bpdu-filter default
All ports are configured as BPDU filter ports.

By default, all ports are non-BPDU filter ports.
l Configuring a specified port as an edge port and BPDU filter port
a. Run:
system-view

b. Run:
The view of an Ethernet interface that participates in spanning tree calculation is

displayed.
c. Run:
stp edged-port enable
The port is configured as an edge port.


d. Run:
stp bpdu-filter enable
The port is configured as a BPDU filter port.
By default, a port is a non-BPDU filter port.
----End
Procedure
----End
14.7.4 Configuring RSTP Protection Functions

Huawei network devices provide the following RSTP protection functions.
14.7.4.1 Configuring BPDU Protection on a Switching Device
Procedure
Step 1 Run:
system-view
Step 2 Run:
stp bpdu-protection
BPDU protection is enabled on the switching device.
By default, BPDU protection is disabled on a switching device.
----End
Follow-up Procedure
If you want an edge port to automatically recover from the error-down state, run the error-
down auto-recovery cause bpdu-protection interval interval-value command in the system
view to configure the auto recovery function and set a recovery delay on the port. Then a port
in error-down state can automatically go Up after the recovery delay. Note the following when
setting the recovery delay:
l The auto recovery function is disabled by default and does not have a default value for
the recovery delay. When you enable the auto recovery function, you must set a recovery
delay.
l A smaller interval-value indicates a shorter time before an edge port goes Up, and a
higher frequency of Up/Down state transitions on the port.

l A larger interval-value indicates a longer time before an edge port goes Up, and a longer
service interruption time.
l The auto recovery function takes effect only for the interfaces that transition to the error-
down state after the error-down auto-recovery command is executed.
14.7.4.2 Configuring TC Protection on a Switching Device
Context
If an attacker sends a large number of malicious TC BPDUs to a switching device within a
short period, the device will constantly delete MAC address entries and ARP entries. This
wastes resources on the device and threatens network stability.
To suppress TC BPDUs, enable TC protection on a switching device and set the maximum
number of TC BPDUs that the device can process within a given time period. If the number of
TC BPDUs that the switching device receives within a given time period exceeds the
specified threshold, the switching device processes only the specified number of TC BPDUs.
After the specified time period expires, the switching devices process all the excess TC
BPDUs together. This function prevents the switching device from frequently deleting MAC
entries and ARP entries.
Procedure
Step 1 Run:
system-view
Step 2 Run:
stp tc-protection interval interval-value
The time period during which the device processes the maximum number of TC BPDUs is
set.
By default, the time period is the same as the Hello timer interval.
Step 3 Run:
stp tc-protection threshold threshold
The maximum number of TC BPDUs the switching device can process within a specified
time period is set.
By default, the device processes only one TC BPDU within a specified time period.
The switch only processes TC BPDUs up to the maximum specified by the stp tc-protection
threshold command within the time period specified by the stp tc-protection interval
command. Other packets are processed after a delay, so spanning tree convergence speed is
slower. For example, if the time period is set to 10 seconds and the maximum of TC BPDUs
is set to 5, the switch processes only the first five TC BPDUs within 10 seconds. Subsequent
TC BPDUs are processed together after a 10 second delay.
----End

14.7.4.3 Configuring Root Protection on a Port
Procedure
Step 1 Run:
system-view
Step 2 Run:
Step 3 Run:
stp root-protection
Root protection is enabled on the interface.
By default, root protection is disabled on the interface. Root protection takes effect only on
designated ports. Root protection and loop protection cannot be configured on the same
interface.
----End
14.7.4.4 Configuring Loop Protection on a Port
Context
On an RSTP network, a switching device maintains the states of the root port and blocked
ports based on BPDUs received from an upstream switching device. If the switching device
cannot receive BPDUs from the upstream because of link congestion or unidirectional-link
failure, the switching device selects a new root port. The original root port becomes a
designated port, and the original blocked ports change to the Forwarding state, which may
cause loops on the network. To prevent this problem, configure loop protection.
If the root port or alternate port does not receive BPDUs from the upstream device for a
specified period, a switch enabled with loop protection sends a notification to the NMS. If the
root port is used, the root port enters the Discarding state and becomes the designated port. If
the alternate port is used, the alternate port remains blocked and becomes the designated port.
In this case, loops will not occur. After the link is no longer congested or unidirectional link
failures are rectified, the port receives BPDUs for negotiation and restores its original role and
status.
Procedure
Step 1 Run:
system-view
Step 2 Run:
The view of the root port or alternate port is displayed.

Step 3 Run:
stp loop-protection
Loop protection is enabled on the root port or alternate port.

By default, loop protection is disabled on a port.
NOTE
An alternate port is a backup for a root port. If a switching device has an alternate port, configure loop
protection on both the root port and the alternate port.
Root protection and loop protection cannot be configured on the same port.
----End
Procedure
----End
14.7.5 Setting Parameters for Interoperation Between Huawei and

Non-Huawei Devices
To implement interoperation between a Huawei device and a non-Huawei device, select a fast
transition mode according to the Proposal/Agreement mechanism of the non-Huawei device.
Context
A switching device supports the following Proposal/Agreement modes:
l Enhanced mode: The device determines the root port when it calculates the
synchronization flag bit.
a. An upstream device sends a Proposal message to a downstream device to request a
fast state transition. After receiving the message, the downstream device sets the
port connected to the upstream device as the root port and blocks all non-edge ports.
b. The upstream device sends an Agreement message to the downstream device. After
the downstream device receives the message, the root port transitions to the
Forwarding state.
c. The downstream device responds with an Agreement message. After receiving the
message, the upstream device sets the port connected to the downstream device as
the designated port, and then the designated port transitions to the Forwarding state.
l Common mode: The device ignores the root port when it calculates the synchronization
flag bit.
a. An upstream device sends a Proposal message to a downstream device to request a
fast state transition. After receiving the message, the downstream device sets the
port connected to the upstream device as the root port and blocks all non-edge ports.
Then, the root port transitions to the Forwarding state.
b. The downstream device responds with an Agreement message. After receiving the
message, the upstream device sets the port connected to the downstream device as
the designated port, and then the designated port transitions to the Forwarding state.

On an STP network, if a Huawei switching device is connected to a non-Huawei device that

uses a different Proposal/Agreement mechanism, the two devices may not be able to
interoperate. Select the mode that matches the Proposal/Agreement mechanism of the non-
Huawei device.
Before setting parameters for interoperation between Huawei and non-Huawei devices,
configure basic STP/RSTP functions.
Procedure
Step 1 Run:
system-view

Step 2 Run:
The view of an interface participating in spanning tree calculation is displayed.

Step 3 Run:
stp no-agreement-check
The common fast transition mode is specified.

By default, the enhanced fast transition mode is used on a port.
----End
14.8 Maintaining STP/RSTP
14.8.1 Clearing STP/RSTP Statistics

Context
NOTICE
STP/RSTP statistics cannot be restored after being cleared. Exercise caution when deciding to
clear STP/RSTP statistics.
Procedure
l Run the reset stp [ interface interface-type interface-number ] statistics command to
clear spanning-tree statistics.
l Run the reset stp error packet statistics command to clear statistics about error STP
packets.
----End

14.8.2 Monitoring STP/RSTP Topology Change Statistics
Context
The statistics about STP/RSTP topology changes can be viewed. If the number of network
topology changes increase, network flapping is occurring on that network.
Procedure
l Run the display stp topology-change command to view statistics about STP/RSTP
topology changes.
l Run the display stp [ interface interface-type interface-number | slot slot-id ] tc-bpdu
statistics command to view statistics about sent and received TC/TCN packets.
----End
14.9.1 Example for Configuring Basic STP Functions

On a complex network, multiple physical links are often deployed between two devices for
link redundancy (one as the active link and the others as standby links). Redundant links may
cause loops on the network, which result in broadcast storms and unstable MAC address
entries.
STP can be deployed on a network to eliminate loops by blocking ports. In Figure 14-18, a
loop exists on the network, and SwitchA, SwitchB, SwitchC, and SwitchD are all running
STP. These devices exchange BPDUs to discover the loops and block the appropriate ports in
order to trim the ring topology into a loop-free tree topology. The tree topology prevents
infinite looping of packets, which in turn helps improve packet processing performance.

Figure 14-18 Networking diagram of basic STP configurations
Network
GE1/0/3 GE1/0/3
Root
SwitchD GE1/0/1 GE1/0/1
Bridge
GE1/0/2 GE1/0/2 SwitchA
STP
GE1/0/3 GE1/0/3
SwitchC SwitchB
GE1/0/1 GE1/0/1
GE1/0/2 GE1/0/2
PC1 PC2
Blocked port
1. Configure the STP mode for the switches on the ring network.
2. Configure the primary and secondary root bridges.
3. Set a path cost for the ports to be blocked.
4. Enable STP to eliminate loops. Because ports connected to the PCs do not participate in
STP calculation, configure these ports as both edge ports.
Procedure
Step 1 Configure basic STP functions.
1. Configure the STP mode for the switches on the ring network.
# Configure the STP mode on SwitchA.
[SwitchA] stp mode stp
# Configure the STP mode on SwitchB.

[SwitchB] stp mode stp

# Configure the STP mode on SwitchC.

[SwitchC] stp mode stp
# Configure the STP mode on SwitchD.

[SwitchD] stp mode stp

# Configure SwitchA as the primary root bridge.
[SwitchA] stp root primary
# Configure SwitchD as the secondary root bridge.

[SwitchD] stp root secondary

– The path cost value range depends on path cost calculation methods. This example
uses the Huawei proprietary calculation method and sets the path cost to 20000 (the
greatest value in the range).
– All switching devices on a network must use the same path cost calculation method.
# On Switch A, set the path cost calculation method to the Huawei proprietary method.
[SwitchA] stp pathcost-standard legacy
# On Switch B, set the path cost calculation method to the Huawei proprietary method.
[SwitchB] stp pathcost-standard legacy
# On Switch C, set the path cost of GigabitEthernet1/0/1 to 20000.

[SwitchC] stp pathcost-standard legacy
[SwitchC-GigabitEthernet1/0/1] stp cost 20000
# On SwitchD, set the path cost calculation method to the Huawei proprietary method.
[SwitchD] stp pathcost-standard legacy
4. Enable STP to eliminate loops.

– Configure the ports connected to PCs as both edge ports.
# Configure GigabitEthernet1/0/2 of SwitchB as both an edge port.
[SwitchB-GigabitEthernet1/0/2] stp edged-port enable
(Optional) Configure BPDU protection on SwitchB.

[SwitchB] stp bpdu-protection
# Configure GigabitEthernet1/0/2 of SwitchC as both an edge port.

[SwitchC-GigabitEthernet1/0/2] stp edged-port enable
(Optional) Configure BPDU protection on SwitchC.

[SwitchC] stp bpdu-protection
NOTE
If edge ports are connected to network devices that have STP enabled and BPDU protection
is enabled, the edge ports will be shut down and their attributes remain unchanged after they
receive BPDUs.
– Enable STP globally.
# Enable STP globally on SwitchA.

[SwitchA] stp enable
# Enable STP globally on SwitchB.

[SwitchB] stp enable
# Enable STP globally on SwitchC.

[SwitchC] stp enable
# Enable STP globally on SwitchD.

[SwitchD] stp enable

After the preceding configuration is complete and the network becomes stable, perform the
following operations to verify the configuration:
# Run the display stp brief command on SwitchA to view the port states and protection type.
The following information is displayed:
[SwitchA] display stp brief
MSTID Port Role STP State Protection
0 GigabitEthernet1/0/1 DESI FORWARDING NONE
After SwitchA is configured as the root bridge, GigabitEthernet 1/0/2 connected to SwitchB
and GigabitEthernet 1/0/1connected to SwitchD are elected as designated ports through
spanning tree calculation.
# Run the display stp interface gigabitethernet 1/0/1 brief command on SwitchB to view
status of GigabitEthernet 1/0/1. The following information is displayed:
[SwitchB] display stp interface gigabitethernet 1/0/1 brief
GigabitEthernet 1/0/1 is elected as a designated port and is in the Forwarding state.

# Run the display stp brief command on SwitchC to view the interface states and protection
type. The following information is displayed:
[SwitchC] display stp brief
0 GigabitEthernet1/0/1 ALTE DISCARDING NONE
0 GigabitEthernet1/0/3 ROOT FORWARDING NONE
GigabitEthernet 1/0/3 is elected as a root port and is in the Forwarding state.

GigabitEthernet 1/0/1 is elected as an alternate port and is in the Discarding state.
----End
Configuration Files
#
sysname SwitchA
#
stp mode stp
stp instance 0 root primary
stp pathcost-standard legacy
#
return

#
sysname SwitchB

#
stp mode stp
stp bpdu-protection
#
#
return

#
sysname SwitchC
#
stp mode stp
stp bpdu-protection
#
stp instance 0 cost 20000
#
#
return

#
sysname SwitchD
#
stp mode stp
stp instance 0 root secondary
#
return
14.9.2 Example for Configuring Basic RSTP Functions

On a complex network, multiple physical links are often deployed between two devices for
link redundancy (one as the active link and the others as standby links). Redundant links may
cause loops on the network, which result in broadcast storms and unstable MAC address
entries.
RSTP can be deployed on a network to eliminate loops by blocking ports. In Figure 14-19, a
loop exists on the network, and SwitchA, SwitchB, SwitchC, and SwitchD are all running
RSTP. These devices exchange BPDUs to discover the loops and block the appropriate ports
in order to trim the ring topology into a loop-free tree topology. The tree topology prevents
infinite looping of packets, which in turn helps improve packet processing performance.

Figure 14-19 Networking diagram of basic RSTP configurations
Network
GE1/0/3 GE1/0/3
Root
SwitchD GE1/0/1 GE1/0/1
Bridge
GE1/0/2 GE1/0/2 SwitchA
RSTP
GE1/0/3 GE1/0/3
SwitchC SwitchB
GE1/0/1 GE1/0/1
GE1/0/2 GE1/0/2
PC1 PC2
Blocked port
1. Configure basic RSTP functions.
a. Configure the RSTP mode for the switches on the ring network.
b. Configure the primary and secondary root bridges.
c. Set a path cost for the ports to be blocked.
d. Enable RSTP to eliminate loops. Because ports connected to the PCs do not
participate in RSTP calculation, configure these ports as both edge ports.
2. Configure RSTP protection functions. For example, configure root protection on
designated ports of the root bridge.
Procedure
Step 1 Configure basic RSTP functions.
1. Configure the RSTP mode for the switches on the ring network.
# Configure the RSTP mode on SwitchA.
[SwitchA] stp mode rstp
# Configure the RSTP mode on SwitchB.

[SwitchB] stp mode rstp
# Configure the RSTP mode on SwitchC.

[SwitchC] stp mode rstp
# Configure the RSTP mode on SwitchD.

[SwitchD] stp mode rstp

# Configure SwitchA as the primary root bridge.
# Configure SwitchD as the secondary root bridge.

[SwitchD] stp root secondary

– The path cost value range depends on path cost calculation methods. This example
uses the Huawei proprietary calculation method and sets the path cost to 20000.
– All switching devices on a network must use the same path cost calculation method.
# On Switch A, set the path cost calculation method to the Huawei proprietary method.
# On Switch B, set the path cost calculation method to the Huawei proprietary method.
# On Switch C, set the path cost of GigabitEthernet1/0/1 to 20000.

[SwitchC-GigabitEthernet1/0/1] stp cost 20000
# On SwitchD, set the path cost calculation method to the Huawei proprietary method.
4. Enable RSTP to eliminate loops.

– Configure the ports connected to PCs as both edge ports.
# Configure GigabitEthernet1/0/2 on SwitchB as both an edge port.

# Configure GigabitEthernet1/0/2 on SwitchC as both an edge port.


NOTE
receive BPDUs.

– Enable RSTP globally.

# Enable RSTP globally on SwitchA.
# Enable RSTP globally on SwitchB.

# Enable RSTP globally on SwitchC.

# Enable RSTP globally on SwitchD.

Step 2 Configure RSTP protection functions. For example, configure root protection on designated
ports of the root bridge.
# Enable root protection on GE 1/0/1 on SwitchA.

[SwitchA-GigabitEthernet1/0/1] stp root-protection
# Enable root protection on GE 1/0/2 on SwitchA.

After the preceding configuration is complete and the network becomes stable, perform the
following operations to verify the configuration:
# Run the display stp brief command on SwitchA to view the port roles and states. The
following information is displayed:
0 GigabitEthernet1/0/1 DESI FORWARDING ROOT
After SwitchA is configured as the root bridge, GigabitEthernet1/0/2 connected to SwitchB

and GigabitEthernet1/0/1 connected to SwitchD are elected as designated ports through
spanning tree calculation. Root protection is enabled on the designated ports.
# Run the display stp interface gigabitethernet 1/0/1 brief command on SwitchB to view
the role and state of GigabitEthernet1/0/1. The following information is displayed:
[SwitchB] display stp interface gigabitethernet 1/0/1 brief
GigabitEthernet1/0/1 is elected as a designated port and is in the Forwarding state.
# Run the display stp brief command on SwitchC to view the port roles and states. The
following information is displayed:
0 GigabitEthernet1/0/2 DESI FORWARDING BPDU
GE1/0/1 is elected as an alternate port and is in the Discarding state.

GE1/0/3 is elected as a root port and is in the Forwarding state.
----End
Configuration Files
#
sysname SwitchA
#
stp mode rstp
#
stp root-protection
#
stp root-protection
#
return

#
sysname SwitchB
#
stp mode rstp
stp bpdu-protection
#
#
return

#
sysname SwitchC
#
stp mode rstp
stp bpdu-protection
#
#
#
return

#
sysname SwitchD
#
stp mode rstp
#
return
14.10 FAQ

14.10.1 How to Prevent Low Convergence for STP Edge Ports that
Connect Terminals?
Terminal devices cannot participate in the STP calculation or respond to STP packets, causing
low convergence. You can prevent low convergence for STP edge switch ports for connecting
user terminals or servers as follows:
l On a port, run the stp edge-port enable command to configure the port as an STP edge
port, and run the stp bpdu-filter default command to enable the BPDU packet filtering
function and prevent the port from sending BPDU packets.
l Run the stp disable command on the port to disable the STP protocol and make the port
remain in forwarding state.
To ensure availability and security, you are advised to configure the port as an STP edge port.
This is because when a loop occurs on a terminal device connected to an edge port, the port
automatically switches to a non-edge port and enables the loop breaking function of STP.
14.10.2 Can Switches Using RSTP and STP Be Connected?
Switches using RSTP and STP can be connected. STP protocols include the STP, RSTP, and
MSTP protocols. These protocols support forward compatibility and connection to a certain
extent. The following table describes the connection effects.
Scenario Connection Effect
An RSTP device connects to RSTP connects to the STP port, and the mode
an MSTP device. automatically changes to STP to implement convergence
at a slow speed.
An RSTP device connects to The CIST can be connected. That is, instance 0 can be
an MSTP device. connected. The connection ports are inter-AS ports.
An MSTP device connects to MSTP connects to the STP port, and the mode
an STP device. automatically changes to STP to implement convergence
at a slow speed.
NOTE
When a port whose mode switches reconnects to another device, the original mode must be restored by
running the stp mcheck command.
14.10.3 Why Is the Recommended Value of STP Network Radius

Within 7?
In STP, the default interval for an STP switch to send BPDUs is 2 seconds. Each switch
receives and processes BPDUs for about 1 second each time, and supports a maximum of 20
hops.
In RSTP, packets are aged after three intervals (6 seconds) by default. If a hop takes 1 second
to process a packet, the packet times out after 6 hops. Therefore, the recommended value of
STP network radius is less than 7.

Additionally, there are also other considerations such as bandwidth usage, storm range, and
the maintainability and manageability of the network.
14.10.4 In What Situations Do I Need to Configure STP Edge

Ports?
User-side devices such as servers do not need to run STP. If STP is enabled on switch ports
connected to these devices, the ports will alternate between Up and Down or cannot
immediately enter the Forwarding state after a topology change on the STP network, which
could affect certain services.
To prevent this problem, configure the ports that do not need to run STP as edge ports. Edge
ports can enter the Forwarding state immediately after they go Up. In addition, edge ports do
not send TC BPDUs and therefore do not affect services on the STP network.
14.10.5 What Precautions Should Be Taken When Configuring the

Formats of Sent and Received BPDUs on an STP Interface?
There are two STP BPDU formats: standard IEEE 802.1s format and Huawei's proprietary
format. The switch supports both formats and works in auto mode by default. In auto mode,
an STP interface can parse BPDUs in any format received from the peer interface. You can
run the stp compliance command on an STP interface to change the packet format.
When a Huawei switch is connected to another vendor's device, the two devices may fail to
communicate because their BPDUs have different keys even though they have the same
domain name, revision level, and VLAN mapping table. To solve this problem, run the stp
config-digest-snoop command to enable digest snooping. This function enables the Huawei
switch to keep its BPDU key consistent with that used on the peer device.
14.10.6 How Do I Configure a User-Side Interface on an STP

Switch?
Terminal devices cannot participate in the STP calculation or respond to STP packets. You
can configure a user-side interface as follows:
14.10.7 How Do I Prevent Terminals' Failures to Ping the Gateway

or Slow Speeds for Obtaining IP Addresses When They Connect
to an STP Network?
Terminal devices such as servers or network management workstations do not support STP.
However, STP is enabled on switch interfaces by default. An STP interface enters the

Forwarding state 30 seconds after it changes to the Up state. If an interface alternates between
Up and Down states, the terminal connected to the interface will fail to communicate with the
gateway or the time to obtain an IP address will increase.
To solve this problem, configure interfaces connected to terminals as edge ports or disable
STP on the interfaces.
14.10.8 Can the Switch Work with Non-Huawei Devices Running

STP or RSTP?
The switch adopts the standard STP or RSTP algorithm. Whether the switch can work with
the STP or RSTP devices of other vendors depends on the protocols running on those STP or
RSTP devices:
l If a non-Huawei device runs the standard STP or RSTP protocol, the switch can
interwork with it.
l If a non-Huawei device runs a non-standard STP or RSTP protocol, besides the Cisco
Per VLAN Spanning Tree (PVST) protocol, the switch can transparently transmit the
STP or RSTP packets from the device after the stp disable and bpdu enable commands
are run on the interface.
l If a non-Huawei device is a Cisco device that runs PVST, the Huawei switch running a
version earlier than V200R005 cannot negotiate with the device, but can transparently
transmit the packets from the non-Huawei device. Huawei switches running V200R005
and later versions support the VLAN-based Spanning Tree (VBST) protocol that can
interwork with PVST.
14.10.9 What Is the Function of Automatic Edge-port Detecting?

After STP is enabled on a port, edge-port detecting is started automatically. If the port fails to
receive BPDU packets within (2 x Hello Time + 1) seconds, the port is set to an edge port.
Otherwise, the port is set to a non-edge port.
14.11 References
The following table lists the references for STP/RSTP.

rks
IEEE 802.1D IEEE Standard for: -

Local and metropolitan area networks
Media Access Control (MAC) Bridges
IEEE 802.1s IEEE Standard for: -

Virtual Bridged Local Area Networks


rks
IEEE 802.1w IEEE Standard for: -

Common specifications

Configuration Guide - Ethernet Switching 15 MSTP Configuration
15 MSTP Configuration
About This Chapter
This chapter how to configure the Multiple Spanning Tree Protocol (MSTP).
15.1 Introduction to MSTP

15.2 MSTP Principles
15.7 Configuring MSTP
15.8 Maintaining MSTP
15.10 FAQ
15.11 References

15.1 Introduction to MSTP
Definition
Generally, redundant links are used on an Ethernet switching network to provide link backup
and enhance network reliability. The use of redundant links, however, may produce loops,
causing broadcast storms and rendering the MAC address table unstable. As a result, the
communication quality deteriorates, and the communication service may even be interrupted.
The Spanning Tree Protocol (STP) is introduced to solve this problem.
STP refers to STP defined in IEEE 802.1D, the Rapid Spanning Tree Protocol (RSTP) defined
in IEEE 802.1w, and the Multiple Spanning Tree Protocol (MSTP) defined in IEEE 802.1s.
MSTP is compatible with RSTP and STP, and RSTP is compatible with STP. Table 15-1
shows the comparison between STP, RSTP, and MSTP.
Table 15-1 Comparison between STP, RSTP, and MSTP

Spanning Characteristics Usage Scenario
Tree
Protocol
STP l In an STP region, a loop-free tree STP or RSTP is used in a scenario

is generated. Broadcast storms where all VLANs share one spanning
are prevented and redundancy is tree. In this situation, users or
achieved. services do not need to be
l Route convergence is slow. differentiated.
RSTP l In an RSTP region, a loop-free

tree is generated. Broadcast
storms are prevented and
redundancy is achieved.
l RSTP allows fast convergence of
the network topology.
MSTP l In an MSTP region, multiple MSTP is used in a scenario where

loop-free trees are generated. traffic in different VLANs is
Therefore, broadcast storms are forwarded through different spanning
prevented and redundancy is trees that are independent of each
achieved. other to implement load balancing. In
l MSTP achieves fast convergence this situation, users or services are
of the network topology. distinguished by using VLANs.
l MSTP implements load
balancing among VLANs.
Traffic in different VLANs is
transmitted along different paths.

Purpose
After a spanning tree protocol is configured on an Ethernet switching network, it calculates
the network topology and implements the following functions to remove network loops:
l Loop cut-off: The potential loops on the network are cut off by blocking redundant links.
l Link redundancy: When an active path becomes faulty, a redundant link can be activated
to ensure network connectivity.
15.2 MSTP Principles
15.2.1 MSTP Background

RSTP, an enhancement to STP, implements fast convergence of the network topology. There
is a defect for both RSTP and STP: All VLANs on a LAN use one spanning tree, and VLAN-
based load balancing cannot be performed. Once a link is blocked, it will no longer transmit
traffic, wasting bandwidth and causing the failure in forwarding certain VLAN packets.
Figure 15-1 STP/RSTP defect
S1 S4
HostC HostA
（VLAN3） VLAN3 VLAN2 （VLAN2）
VLAN2 VLAN3
S2 S5
VLAN2 VLAN2
HostB HostD
VLAN3 VLAN3
（VLAN2）（VLAN3）
VLAN3
VLAN2 VLAN3
S3 S6
spanning tree(root bridge:S6)
On the network shown in Figure 15-1, STP or RSTP is enabled. The broken line shows the
spanning tree. S6 is the root switching device. The links between S1 and S4 and between S2
and S5 are blocked. VLAN packets are transmitted by using the corresponding links marked
with "VLAN2" or "VLAN3."
Host A and Host B belong to VLAN 2 but they cannot communicate with each other because
the link between S2 and S5 is blocked and the link between S3 and S6 denies packets from
VLAN 2.
To fix the defect of STP and RSTP, the IEEE released 802.1s in 2002, defining the Multiple
Spanning Tree Protocol (MSTP). MSTP implements fast convergence and provides multiple
paths to load balance VLAN traffic.

MSTP divides a switching network into multiple regions, each of which has multiple
spanning trees that are independent of each other. Each spanning tree is called a Multiple
Spanning Tree Instance (MSTI) and each region is call a Multiple Spanning Tree (MST)
region.
NOTE
An instance is a collection of VLANs. Binding multiple VLANs to an instance saves communication

costs and reduces resource usage. The topology of each MSTI is calculated independent of one another,
and traffic can be balanced among MSTIs. Multiple VLANs that have the same topology can be mapped
to one instance. The forwarding status of the VLANs for a port is determined by the port status in the
MSTI.
Figure 15-2 Multiple spanning trees in an MST region
S1 S4
HostC HostA
VLAN2
S2 S5
HostB VLAN2 VLAN2 HostD

VLAN3
VLAN2 VLAN3
S3 S6
As shown in Figure 15-2, MSTP maps VLANs to MSTIs in the VLAN mapping table. Each
VLAN can be mapped to only one MSTI. This means that traffic of a VLAN can be
transmitted in only one MSTI. An MSTI, however, can correspond to multiple VLANs.
Two spanning trees are calculated:
l MSTI 1 uses S4 as the root switching device to forward packets of VLAN 2.
l MSTI 2 uses S6 as the root switching device to forward packets of VLAN 3.
In this manner, devices within the same VLAN can communicate with each other; packets of
different VLANs are load balanced along different paths.
15.2.2 Basic MSTP Concepts

MSTP Network Hierarchy
As shown in Figure 15-3, the MSTP network consists of one or more MST regions. Each
MST region contains one or more MSTIs. An MSTI is a tree network consisting of switching
devices running STP, RSTP, or MSTP.

Figure 15-3 MSTP network hierarchy
MSTP Network
MSTI1 MSTI1
MSTI2 MSTI0 MSTI2 MSTI0

MST Region MST Region
MSTI1
MSTI2 MSTI0
MST Region
MST Region
An MST region contains multiple switching devices and network segments between them.
The switching devices of one MST region have the following characteristics:
l MSTP-enabled
l Same region name
l Same VLAN-MSTI mappings
l Same MSTP revision level
A LAN can comprise several MST regions that are directly or indirectly connected. Multiple
switching devices can be grouped into an MST region by using MSTP configuration
commands.
As shown in Figure 15-4, the MST region D0 contains the switching devices S1, S2, S3, and
S4, and has three MSTIs.

Figure 15-4 MST region
AP1
D0 S1
MSTI1
Master Bridge
root switch:S3
MSTI2
root switch:S2
MSTI0 (IST)
S2 S3 root switch:S1
VLAN1 MSTI1
VLAN2,VLAN3 MSTI2
S4 other VLANs MSTI0
VLAN Mapping Table

The VLAN mapping table is an attribute of the MST region. It describes mappings between
VLANs and MSTIs.
As shown in Figure 15-4, the mappings in the VLAN mapping table of the MST region D0
are as follows:
l VLAN 1 is mapped to MSTI 1.
l VLAN 2 and VLAN 3 are mapped to MSTI 2.
l Other VLANs are mapped to MSTI 0.
Regional Root
Regional roots are classified into Internal Spanning Tree (IST) and MSTI regional roots.
In the region B0, C0, and D0 on the network shown in Figure 15-6, the switching devices
closest to the Common and Internal Spanning Tree (CIST) root are IST regional roots.
An MST region can contain multiple spanning trees, each called an MSTI. An MSTI regional
root is the root of the MSTI. On the network shown in Figure 15-5, each MSTI has its own
regional root.

Figure 15-5 MSTI
MST Region
VLAN VLA
N10
10&20&30 &20
VLAN 20&30
30
VLAN VLAN VLAN
10&30 VLAN 10&30
20
VLAN 10
Root
Root
MSTI MSTI MSTI Root

corresponding to corresponding to corresponding to
MSTI links
MSTI links blocked by the protocol
MSTIs are independent of each other. an MSTI can correspond to one or more VLANs, but a
VLAN can be mapped to only one MSTI.
Master Bridge
The master bridge is the IST master, which is the switching device closest to the CIST root in
a region, for example, S1 shown in Figure 15-4.
If the CIST root is in an MST region, the CIST root is the master bridge of the region.

CIST Root
Figure 15-6 MSTP network
A0
CIST Root
D0 Region Root B0
Region Root
C0
Region Root
IST
CST
On the network shown in Figure 15-6, the CIST root is the root bridge of the CIST. The CIST
root is a device in A0.
CST
A Common Spanning Tree (CST) connects all the MST regions on a switching network.
If each MST region is considered a node, the CST is calculated by using STP or RSTP based
on all the nodes.
As shown in Figure 15-6, the MST regions are connected to form a CST.
IST
An IST resides within an MST region.
An IST is a special MSTI with the MSTI ID being 0, called MSTI 0.
An IST is a segment of the CIST in an MST region.
As shown in Figure 15-6, the switching devices in an MST region are connected to form an
IST.

CIST
A CIST, calculated by using STP or RSTP, connects all the switching devices on a switching
network.
As shown in Figure 15-6, the ISTs and the CST form a complete spanning tree, the CIST.
SST
A Single Spanning Tree (SST) is formed in either of the following situations:
l A switching device running STP or RSTP belongs to only one spanning tree.
l An MST region has only one switching device.
As shown in Figure 15-6, the switching device in B0 forms an SST.
Port Role
Based on RSTP, MSTP has two additional port types. MSTP ports can be root ports,
designated ports, alternate ports, backup ports, edge ports, master ports, and regional edge
port.
The functions of root ports, designated ports, alternate ports, and backup ports have been
defined in RSTP. Table 15-2 lists all port roles in MSTP.
NOTE
Except edge ports, all ports participate in MSTP calculation.

A port can play different roles in different spanning tree instances.
Table 15-2 Port roles
Port Description
Role
Root port A root port is the non-root bridge port closest to the root bridge. Root bridges
do not have root ports.
Root ports are responsible for sending data to root bridges.
As shown in Figure 15-7, S1 is the root; CP1 is the root port on S3; BP1 is the
root port on S2.
Designate The designated port on a switching device forwards BPDUs to the downstream
d port switching device.
As shown in Figure 15-7, AP2 and AP3 are designated ports on S1; CP2 is a
designated port on S3.
Alternate l From the perspective of sending BPDUs, an alternate port is blocked after a
port BPDU sent by another bridge is received.
l From the perspective of user traffic, an alternate port provides an alternate
path to the root bridge. This path is different than using the root port.
As shown in Figure 15-7, BP2 is an alternate port.

Port Description
Role
Backup l From the perspective of sending BPDUs, a backup port is blocked after a
port BPDU sent by itself is received.
l From the perspective of user traffic, a backup port provides a backup/
redundant path to a segment where a designated port already connects.
As shown in Figure 15-7, CP3 is a backup port.
Master A master port is on the shortest path connecting MST regions to the CIST root.
port BPDUs of an MST region are sent to the CIST root through the master port.
Master ports are special regional edge ports, functioning as root ports on ISTs
or CISTs and master ports in instances.
As shown in Figure 15-8, S1, S2, S3, and S4 form an MST region. AP1 on S1,
being the nearest port in the region to the CIST root, is the master port.
Regional A regional edge port is located at the edge of an MST region and connects to
edge port another MST region or an SST.
During MSTP calculation, the roles of a regional edge port in the MSTI and
the CIST instance are the same. If the regional edge port is the master port in
the CIST instance, it is the master port in all the MSTIs in the region.
As shown in Figure 15-8, AP1, DP1, and DP2 in an MST region are directly
connected to other regions, and therefore they are all regional edge ports of the
MST region.
Edge port An edge port is located at the edge of an MST region and does not connect to
any switching device.
Generally, edge ports are directly connected to terminals.
After MSTP is enabled on a port, edge-port detecting is started automatically.
If the port fails to receive BPDU packets within (2 x Hello Timer + 1) seconds,
the port is set to an edge port. Otherwise, the port is set to a non-edge port.

Figure 15-7 Root port, designated port, alternate port, and backup port
S1
Root
AP2 AP3
CP1 BP1
S3 S2
CP2 CP3 BP2
root port
designated port
Alternate port
Backup port
Figure 15-8 Master port and regional edge port

Connect to the
CIST root
AP1
Master
S1
S2 S3
S4
DP1 DP2 MST Region
The port is blocked
MSTP Port Status

Table 15-3 lists the MSTP port status, which is the same as the RSTP port status.

Table 15-3 Port status
Port Description
Status
Forwardi A port in the Forwarding state can send and receive BPDUs as well as forward
ng user traffic.
Learning A port in the Learning state learns MAC addresses from user traffic to
construct a MAC address table.
In the Learning state, the port can send and receive BPDUs, but not forward
user traffic.
Discardin A port in the Discarding state can only receive BPDUs.

g
There is no necessary link between the port status and the port role. Table 15-4 lists the
relationships between port roles and port status.
Table 15-4 Relationships between port roles and port status
Port Root Port/ Designated Regional Alternate Backup Port

Status Master Port Port Edge Port Port
Forwardi Yes Yes Yes No No

ng
Learning Yes Yes Yes No No
Discardi Yes Yes Yes Yes Yes

ng
Yes: The port supports this status. No: The port does not support this status.
15.2.3 MST BPDUs

MSTP calculates spanning trees on the basis of Multiple Spanning Tree Bridge Protocol Data
Units (MST BPDUs). By transmitting MST BPDUs, spanning tree topologies are computed,
network topologies are maintained, and topology changes are conveyed.
Table 15-5 shows differences between TCN BPDUs, configuration BPDUs defined by STP,
RST BPDUs defined by RSTP, and MST BPDUs defined by MSTP.
Table 15-5 Differences between BPDUs
Version Type Name
0 0x00 Configuration BPDU
0 0x80 TCN BPDU

Version Type Name
2 0x02 RST BPDU
3 0x02 MST BPDU
MST BPDU Format

Figure 15-9 shows the MST BPDU format.
Figure 15-9 MST BPDU format

Octet
Protocol Identifier 1-2
Protocol Version Identifier 3
BPDU Type
4
CIST Flags 5
CIST Root Identifier 6-13
CIST External Path Cost 14-17
CIST Regional Root Identifier 18-25
CIST Port Identifier 26-27
Message Age 28-29
Max Age 30-31
Hello Time 32-33
Forward Delay 34-35
Version 1 Length=0 36
Version 3 Length 37-38
MST Configuration Identifier 39-89
MST 90-93
CIST Internal Root Path Cost
special
CIST Bridge Identifier 94-101
fields
CIST Remaining Hops 102
MSTI Configuration Messages 103-39+Version
(may be absent) 3 Length
The first 36 bytes of an intra-region or inter-region MST BPDU are the same as those of an
RST BPDU.
Fields from the 37th byte of an MST BPDU are MSTP-specific. The field MSTI
Configuration Messages consists of configuration messages of multiple MSTIs.
Table 15-6 lists the major information carried in an MST BPDU.

Table 15-6 Major information carried in an MST BPDU

Protocol 2 Indicates the protocol identifier.

Identifier
Protocol 1 Indicates the protocol version identifier. 0 indicates

Version STP; 2 indicates RSTP; 3 indicates MSTP.
Identifier
BPDU Type 1 Indicates the BPDU type:

l 0x00: Configuration BPDU for STP
l 0x80: TCN BPDU for STP
l 0x02: RST BPDU or MST BPDU
CIST Flags 1 Indicates the CIST flags.
CIST Root 8 Indicates the CIST root switching device ID.

Identifier
CIST External 4 Indicates the total path costs from the MST region
Path Cost where the switching device resides to the MST region
where the CIST root switching device resides. This
value is calculated based on link bandwidth.
CIST Regional 8 Indicates the ID of the regional root switching device

Root Identifier on the CIST, that is, the IST master ID. If the root is in
this region, the CIST Regional Root Identifier is the
same as the CIST Root Identifier.
CIST Port 2 Indicates the ID of the designated port in the IST.

Identifier
Message Age 2 Indicates the lifecycle of the BPDU.
Max Age 2 Indicates the maximum lifecycle of the BPDU. If the

Max Age timer expires, it is considered that the link to
the root fails.
Hello Time 2 Indicates the Hello timer value. The default value is 2
seconds.
Forward Delay 2 Indicates the forwarding delay timer. The default value
is 15 seconds.
Version 1 1 Indicates the BPDUv1 length, which has a fixed value

Length of 0.
Version 3 2 Indicates the BPDUv3 length.

Length
MST 51 Indicates the MST configuration identifier, which has

Configuration four fields.
Identifier

CIST Internal 4 Indicates the total path costs from the local port to the
Root Path Cost IST master. This value is calculated based on link
bandwidth.
CIST Bridge 8 Indicates the ID of the designated switching device on

Identifier the CIST.
CIST 1 Indicates the remaining hops of the BPDU in the CIST.

Remaining
Hops
MSTI 16 Indicates an MSTI configuration message. Each MSTI

Configuration configuration message occupies 16 bytes. If there are n
Messages(may MSTIs, MSTI configuration messages are of nx16
be absent) bytes.
Configurable MST BPDU Format

Currently, there are two MST BPDU formats:
l dot1s: BPDU format defined in IEEE 802.1s.
l legacy: private BPDU format.
If a port transmits either dot1s or legacy BPDUs by default, the user needs to identify the
format of BPDUs sent by the peer, and then runs a command to configure the port to support
the peer BPDU format. Once the configuration is incorrect, a loop probably occurs due to
incorrect MSTP calculation.
By using the stp compliance command, you can configure a port on a Huawei datacom
device to automatically adjust the MST BPDU format. With this function, the port
automatically adopts the peer BPDU format. The following MST BPDU formats are
supported by Huawei datacom devices:
l auto
l dot1s
l legacy
In addition to dot1s and legacy formats, the auto mode allows a port to automatically switch
to the BPDU format used by the peer based on BPDUs received from the peer. In this manner,
the two ports use the same BPDU format. In auto mode, a port uses the dot1s BPDU format
by default, and keeps pace with the peer after receiving BPDUs from the peer.
Configurable Maximum Number of BPDUs Sent by a Port at a Hello Interval

BPDUs are sent at Hello intervals to maintain the spanning tree. If a switching device does
not receive any BPDU during a certain period of time, the spanning tree will be re-calculated.
After a switching device becomes the root, it sends BPDUs at Hello intervals. Non-root
switching devices adopt the Hello Time value set for the root.
Huawei datacom devices allow the maximum number of BPDUs sent by a port at a Hello
interval to be configured as needed.

The greater the Hello Time value, the more BPDUs sent at a Hello interval. Setting the Hello
Time to a proper value limits the number of BPDUs sent by a port at a Hello interval. This
helps prevent network topology flapping and avoid excessive use of bandwidth resources by
BPDUs.
15.2.4 MSTP Topology Calculation
MSTP Principle
MSTP can divide the entire Layer 2 network into multiple MST regions, and the CST is
generated through calculation. In an MST region, multiple spanning trees are calculated, each
of which is called an MSTI. Among these MSTIs, MSTI 0 is also known as the internal
spanning tree (IST). Like STP, MSTP uses configuration messages to calculate spanning
trees, but the configuration messages are MSTP-specific.
Vectors
Both MSTIs and the CIST are calculated based on vectors, which are carried in MST BPDUs.
Therefore, switching devices exchange MST BPDUs to calculate MSTIs and the CIST.
l Vectors are described as follows:

– The following vectors participate in the CIST calculation:
{ root ID, external root path cost, region root ID, internal root path cost, designated
switching device ID, designated port ID, receiving port ID }
– The following vectors participate in the MSTI calculation:
{ regional root ID, internal root path cost, designated switching device ID,
designated port ID, receiving port ID }
The priorities of vectors in braces are in descending order from left to right.
Table 15-7 describes the vectors.
Table 15-7 Vector description

Vector Name Description
Root ID Identifies the root switching device for the CIST. The root
identifier consists of the priority value (16 bits) and MAC address
(48 bits).
The priority value is the priority of MSTI 0.
External root path Indicates the path cost from a CIST regional root to the root.
cost (ERPC) ERPCs saved on all switching devices in an MST region are the
same. If the CIST root is in an MST region, ERPCs saved on all
switching devices in the MST region are 0s.
Regional root ID Identifies the MSTI regional root. The regional root ID consists
of the priority value (16 bits) and MAC address (48 bits).
The priority value is the priority of MSTI 0.
Internal root path Indicates the path cost from the local bridge to the regional root.
cost (IRPC) The IRPC saved on a regional edge port is greater than the IRPC
saved on a non-regional edge port.

Vector Name Description
Designated Identifies the nearest upstream bridge on the path from the local
switching device bridge to the regional root. If the local bridge is the root or the
ID regional root, this ID is the local bridge ID.
Designated port Identifies the port on the designated switching device connected
ID to the root port on the local bridge. The port ID consists of the
priority value (4 bits) and port number (12 bits). The priority
value must be a multiple of 16.
Receiving port ID Identifies the port receiving the BPDU. The port ID consists of
the priority value (4 bits) and port number (12 bits). The priority
value must be a multiple of 16.
l The vector comparison principle is as follows:

For a vector, the smaller the priority value, the higher the priority.
Vectors are compared based on the following rules:
a. Compare the IDs of the roots.
b. If the IDs of the roots are the same, compare ERPCs.
c. If ERPCs are the same, compare the IDs of regional roots.
d. If the IDs of regional roots are the same, compare IRPCs.
e. If IRPCs are the same, compare the IDs of designated switching devices.
f. If the IDs of designated switching devices are the same, compare the IDs of
designated ports.
g. If the IDs of designated ports are the same, compare the IDs of receiving ports.
If the priority of a vector carried in the configuration message of a BPDU received by a
port is higher than the priority of the vector in the configuration message saved on the
port, the port replaces the saved configuration message with the received one. In
addition, the port updates the global configuration message saved on the device. If the
priority of a vector carried in the configuration message of a BPDU received on a port is
equal to or lower than the priority of the vector in the configuration message saved on
the port, the port discards the BPDU.
CIST Calculation
After completing the configuration message comparison, the switching device with the
highest priority on the entire network is selected as the CIST root. MSTP calculates an IST
for each MST region, and computes a CST to interconnect MST regions. On the CST, each
MST region is considered a switching device. The CST and ISTs constitute a CIST for the
entire network.
MSTI Calculation
In an MST region, MSTP calculates an MSTI for each VLAN based on mappings between
VLANs and MSTIs. Each MSTI is calculated independently. The calculation process is
similar to the process for STP to calculate a spanning tree. For details, see 14.2.4 STP
Topology Calculation.
MSTIs have the following characteristics:

l The spanning tree is calculated independently for each MSTI, and spanning trees of
MSTIs are independent of each other.
l MSTP calculates the spanning tree for an MSTI in the manner similar to STP.
l Spanning trees of MSTIs can have different roots and topologies.
l Each MSTI sends BPDUs in its spanning tree.
l The topology of each MSTI is configured by using commands.
l A port can be configured with different parameters for different MSTIs.
l A port can play different roles or have different status in different MSTIs.
On an MSTP-aware network, a VLAN packet is forwarded along the following paths:
l MSTI in an MST region
l CST among MST regions
MSTP Responding to Topology Changes

MSTP topology changes are processed in the manner similar to that in RSTP. For details
about how RSTP processes topology changes, see 14.2.6 RSTP Technology Details.
15.2.5 MSTP Fast Convergence

MSTP supports both ordinary and enhanced Proposal/Agreement (P/A) mechanisms:
l Ordinary P/A
The ordinary P/A mechanism supported by MSTP is implemented in the same manner as
that supported by RSTP. For details about the P/A mechanism supported by RSTP, see
14.2.6 RSTP Technology Details.
l Enhanced P/A
Figure 15-10 Enhanced P/A mechanism
Upstream Downstream
device device
Send a proposal so
that the port can
rapidly enter the
Forwarding state Configure the root port
and block non-edge ports
Send an agreement
The root port
The designated enters the
port enters the Send an agreement Forwarding state
Forwarding state
Root port
Designated port
As shown in Figure 15-10, in MSTP, the P/A mechanism works as follows:

a. The upstream device sends a proposal to the downstream device, indicating that the
port connecting to the downstream device wants to enter the Forwarding state as
soon as possible. After receiving this BPDU, the downstream device sets its port
connecting to the upstream device to the root port, and blocks all non-edge ports.
b. The upstream device continues to send an agreement. After receiving this BPDU,
the root port enters the Forwarding state.
c. The downstream device replies with an agreement. After receiving this BPDU, the
upstream device sets its port connecting to the downstream device to the designated
port, and the port enters the Forwarding state.
By default, Huawei datacom devices use the fast transition mechanism in enhanced mode. To
enable a Huawei datacom device to communicate with a third-party device that use the fast
transition mechanism in common mode, configure the Proposal/Agreement mechanism on the
Huawei datacom device so that the Huawei datacom device works in common mode.
15.2.6 MSTP Multi-Process

Background
On the network shown in Figure 15-11:
l UPEs are deployed at the aggregation layer, running MSTP.
l UPE1 and UPE2 are connected by a Layer 2 link.
l Multiple rings are connected to UPE1 and UPE2 through different ports.
l Switching devices on the rings reside at the access layer, running STP or RSTP. In
addition, UPE1 and UPE2 work for different carriers, so they need to reside on different
spanning trees whose topology changes do not affect each other.

Figure 15-11 Application with both MSTP and STP/RSTP
Core
MPLS/IP Core
UPE3
UPE4
Aggregation
MSTP
UPE1 UPE2
STP/RSTP
S1
Access
S4
S2 S3
On the network shown in Figure 15-11, switching devices and UPEs construct multiple Layer
2 rings. STP must be enabled on these rings to prevent loops. UPE1 and UPE2 are connected
to multiple access rings that are independent of each other. The spanning tree protocol cannot
calculate a single spanning tree for all switching devices. Instead, the spanning tree protocol
must be enabled on each ring to calculate a separate spanning tree.
MSTP supports MSTIs, but these MSTIs must belong to one MST region and devices in the
region must have the same configurations. If the devices belong to different regions, MSTP
calculates the spanning tree based on only one instance. Assume that devices on the network
belong to different regions, and only one spanning tree is calculated in one instance. In this
case, the status change of any device on the network affects the stability of the entire network.
On the network shown in Figure 15-11, the switching devices connected to UPEs support
only STP or RSTP but not MSTP. When MSTP-enabled UPEs receive RSTP BPDUs from the
switching devices, the UPEs consider that they and switching devices belong to different
regions. As a result, only one spanning tree is calculated for the rings composed of UPEs and
switching devices, and the rings affect each other.
To prevent this problem, MSTP multi-process is introduced. MSTP multi-process is an

enhancement to MSTP. The MSTP multi-process mechanism allows ports on switching
devices to be bound to different processes. MSTP calculation is performed based on

processes. In this manner, only ports that are bound to a process participate in the MSTP
calculation for this process. With the MSTP multi-process mechanism, spanning trees of
different processes are calculated independently and do not affect each other. The network
shown in Figure 15-11 can be divided into multiple MSTP processes by using MSTP multi-
process. Each process takes charge of a ring composed of switching devices. The MSTP
processes have the same functions and support MSTIs. The MSTP calculation for one process
does not affect the MSTP calculation for another process.
NOTE
MSTP multi-process is applicable to MSTP as well as RSTP and STP.
Purpose
On the network shown in Figure 15-11, MSTP multi-process is configured to implement the
following:
l Greatly improves applicability of STP to different networking conditions.
To help a network running different spanning tree protocols run properly, you can bind
the devices running different spanning tree protocols to different processes. In this
manner, every process calculates a separate spanning tree.
l Improves the networking reliability. For a network composed of many Layer 2 access
devices, using MSTP multi-process reduces the adverse effect of a single node failure on
the entire network.
The topology is calculated for each process. If a device fails, only the topology
corresponding to the process to which the device belongs changes.
l Reduces the network administrator workload during network expansion, facilitating
operation and maintenance.
To expand a network, you only need to configure new processes, connect the processes
to the existing network, and keep the existing MSTP processes unchanged. If device
expansion is performed in a process, only this process needs to be modified.
l Implements separate Layer 2 port management
An MSTP process manages parts of ports on a device. Layer 2 ports on a device are
separately managed by multiple MSTP processes.
Principle
l Public link status
As shown in Figure 15-11, the public link between UPE1 and UPE2 is a Layer 2 link
running MSTP. The public link between UPE1 and UPE2 is different from the links
connecting switching devices to UPEs. The ports on the public link need to participate in
the calculation for multiple access rings and MSTP processes. Therefore, the UPEs must
identify the process from which MST BPDUs are sent.
In addition, a port on the public link participates in the calculation for multiple MSTP
processes, and obtains different status. As a result, the port cannot determine its status.
To prevent this situation, it is defined that a port on a public link always adopts its status
in MSTP process 0 when participating in the calculation for multiple MSTP processes.
NOTE
After a device normally starts, MSTP process 0 exists by default, and MSTP configurations in the
system view and interface view belong to this process.
l Reliability

On the network shown in Figure 15-12, after the topology of a ring changes, the MSTP
multi-process mechanism helps UPEs flood a TC packet to all devices on the ring and
prevent the TC packet from being flooded to devices on the other ring. UPE1 and UPE2
update MAC and ARP entries on the ports corresponding to the changed spanning tree.
Figure 15-12 MSTP multi-process topology change
MPLS/IP Core
Core
UPE4 UPE3
Aggregation
MSTP
UPE1 UPE2
STP/RSTP
S1
Access
S4
S2 S3
topology change
Flood for STP/RSTP TC in access layer
Flood for STP/RSTP TC in aggregation layer
On the network shown in Figure 15-13, if the public link between UPE1 and UPE2 fails,
multiple switching devices that are connected to the UPEs will unblock their blocked
ports.

Figure 15-13 Public link fault
Core
MPLS/IP Core
UPE4 UPE3
Aggregation
MSTP
UPE1 UPE2
STP/RSTP
S2
S4 Access
S1 S3
Assume that UPE1 is configured with the highest priority, UPE2 with the second highest
priority, and switching devices with default or lower priorities. After the link between
UPE1 and UPE2 fails, the blocked ports (replacing the root ports) on switching devices
no longer receive packets with higher priorities and re-performs state machine
calculation. If the calculation changes the blocked ports to designated ports, a permanent
loop occurs, as shown in Figure 15-14.

Figure 15-14 Loop between access rings
Core
MPLS/IP Core
UPE4 UPE3
Aggregation
MSTP
UPE1 UPE2
STP/RSTP
Access
S2 S4
S1 S3
Flood for MSTP TC in aggregation layer
Flood for STP/RSTP TC in access layer
l Solutions
To prevent a loop between access rings, use either of the following solutions:
– Configure an inter-board Eth-Trunk link between UPE1 and UPE2.
An inter-board Eth-Trunk link is used as the public link between UPE1 and UPE2
to improve link reliability, as shown in Figure 15-15.

Figure 15-15 inter-board Eth-Trunk link
Core
MPLS/IP Core
UPE4 UPE3
Aggregation
MSTP
UPE1 UPE2
Eth-Trunk
STP/RSTP
Access
S2 S4
S1 S3
– Configure root protection between UPE1 and UPE2.

If all physical links between UPE1 and UPE2 fail, configuring an inter-board Eth-
Trunk link cannot prevent the loop. Root protection can be configured to prevent
the loop shown in Figure 15-14.

Figure 15-16 MSTP multi-process with root protection
Core
MPLS/IP Core
UPE4 UPE3
Aggregation
MSTP
UPE1 UPE2
Root
protection
S2
S4
Access
STP/RSTP
S1 S3
Use the blue ring shown in Figure 15-16 as an example. UPE1 is configured with
the highest priority, UPE2 with the second highest priority, and switching devices
on the blue ring with default or lower priorities. In addition, root protection is
enabled on UPE2.
Assume that a port on S1 is blocked. When the public link between UPE1 and
UPE2 fails, the blocked port on S1 begins to calculate the state machine because it
no longer receives BPDUs of higher priorities. After the calculation, the blocked
port becomes the designated port and performs P/A negotiation with the
downstream device.
After S1, which is directly connected to UPE2, sends BPDUs of higher priorities to
the UPE2 port enabled with root protection, the port is blocked. From then on, the
port remains blocked because it continues receiving BPDUs of higher priorities. In
this manner, no loop will occur.

Application of MSTP
Figure 15-17 Networking diagram for a typical MSTP application
S1
MST Region S2
all VLAN
VLAN
VLAN VLAN
10&20 VLAN
20&30 20&30
10&20
VLAN
S3 20&40 S4
MSTP allows packets in different VLANs to be forwarded by using different spanning tree
instances, as shown in Figure 15-17. The configurations are as follows:
l All devices on the network belong to the same MST region.
l VLAN 10 packets are forwarded within MSTI 1; VLAN 30 packets are forwarded within
MSTI 3; VLAN 40 packets are forwarded within MSTI 4; VLAN 20 packets are
forwarded within MSTI 0.
In Figure 15-17, S1 and S2 are devices at the aggregation layer; S3 and S4 are devices at the
access layer. Traffic from VLAN 10 and VLAN 30 is terminated by aggregation devices, and
traffic from VLAN 40 is terminated by the access device. Therefore, S1 and S2 can be
configured as the roots of MSTI 1 and MSTI 3, and S3 can be configured as the root of MSTI
4.
Application of MSTP Multi-process

As shown in Figure 15-18, the UPEs are connected to each other through Layer 2 links and
enabled with MSTP. The rings connected to the UPEs must be independent of each other. The
devices on the rings connected to the UPEs support only RSTP, not MSTP.
After MSTP multi-process is enabled, each MSTP process corresponds to a ring connected to
the UPE. The spanning tree protocol on each ring calculates a tree independently.

Figure 15-18 Application with both MSTP and STP/RSTP
Core
MPLS/IP Core
UPE3
UPE4
Aggregation
MSTP
UPE1 UPE2
STP/RSTP
S1
Access
S4
S2 S3

Table 15-8 lists the configuration task summary of MSTP.

Table 15-8 Configuration task summary of MSTP

Item Description Task
Configuring Basic MSTP MSTP is commonly 15.7.1 Configuring Basic

Functions configured on switching MSTP Functions
devices to trim a ring
network to a loop-free
network. Devices start
spanning tree calculation
after the working mode is
set and MSTP is enabled.
Use any of the following
methods if you need to
intervene in the spanning
tree calculation:
l Manually configure the
root bridge and
secondary root bridge
l Set a priority for a
switching device in an
MSTI
l Set a path cost for a port
in an MSTI
l Set a priority for a port in
an MSTI
Configuring MSTP Multi- On a network with Layer 2 15.7.2 Configuring MSTP

Process single-access rings and Multi-Process
multi-access rings deployed,
configure multiple MSTP
processes so that spanning
trees of different processes
are calculated independently
and do not affect each other.
Configuring MSTP Proper MSTP parameter 15.7.3 Configuring MSTP

Parameters on an Interface settings achieve rapid Parameters on an
convergence. Interface
Configuring MSTP You can configure one or 15.7.4 Configuring MSTP

Protection Functions more protection functions. Protection Functions
Configuring MSTP To communicate with a non- 15.7.5 Configuring MSTP

Interoperability Between Huawei device, set proper Interoperability Between
Huawei Devices and Non- parameters on the MSTP- Huawei Devices and Non-
Huawei Devices enabled Huawei device. Huawei Devices


Other network elements also need to support MSTP.
License Support
MSTP is a basic feature of a switch and is not under license control.
Version Support
Table 15-9 Products and versions supporting MSTP

Model
S7700 S7703, V100R003C01, V100R006C00, V200R001(C00&C01),

S7706, V200R002C00, V200R003C00, V200R005C00,
S7712 V200R006C00, V200R007C00, V200R008C00,
V200R009C00, V200R010C00
S9700 S9703, V200R001(C00&C01), V200R002C00, V200R003C00,

S9706, V200R005C00, V200R006C00, V200R007C00,
S9712 V200R008C00, V200R009C00, V200R010C00
NOTE

l Table 15-10 lists the specification of MSTP.
Table 15-10 Specification of MSTP

Item Specification
Maximum number of instances on the 65

entire system
l MSTP BPDUs may be discarded in a scenario wherein there are many MSTIs and MSTP
multi-process is configured. This is due to the default CIR of STP being insufficient.
(The default CIR of STP is insufficient because the length of MSTP BPDUs increases as
the number of MSTIs increases, and the number of outgoing MSTP BPDUs increases
when MSTP multi-process is configured.) To avoid this situation, increase the CIR of
STP.
If the CPCAR values are adjusted improperly, network services are affected. To adjust
the CPCAR values of STP BPDUs, contact technical support personnel.
l Enabling MSTP on a ring network immediately triggers spanning tree calculation. If
basic configurations are not performed on switches and interfaces before MSTP is
enabled, network flapping may occur upon changes to parameters such as device priority
and interface priority.


Working mode MSTP
MSTP status MSTP is enabled globally and on an interface.
Port priority 128
Algorithm used to calculate the dot1t, IEEE 802.1t

path cost
Forward Delay Time 1500 centiseconds
Hello Time 200 centiseconds
Max Age Time 2000 centiseconds
15.7 Configuring MSTP
15.7.1 Configuring Basic MSTP Functions

MSTP based on the basic STP/RSTP function divides a switching network into multiple
regions, each of which has multiple spanning trees that are independent of each other. MSTP
isolates different VLANs' traffic, and load-balances VLAN traffic.
Context
MSTP is commonly configured on switching devices to trim a ring network to a loop-free
network. Devices start spanning tree calculation after the working mode is set and MSTP is
enabled. Use any of the following methods if you need to intervene in the spanning tree
calculation:
l Manually configure the root bridge and secondary root bridge.
l Set a priority for a switching device in an MSTI: The lower the numerical value, the
higher the priority of the switching device and the more likely the switching device
becomes a root bridge; the higher the numerical value, the lower the priority of the
switching device and the less likely that the switching device becomes a root bridge.
l Set a path cost for a port in an MSTI: With the same calculation method, the lower the
numerical value, the smaller the cost of the path from the port to the root bridge and the
more likely the port becomes a root port; the higher the numerical value, the larger the
cost of the path from the port to the root bridge and the less likely that the port becomes
a root port.
l Set a priority for a port in an MSTI: The lower the numerical value, the more likely the
port becomes a designated port; the higher the numerical value, the less likely that the
port becomes a designated port.

15.7.1.1 Configuring the MSTP Mode
Context
Before configuring basic MSTP functions, set the working mode of a switching device to
MSTP. MSTP is compatible with STP and RSTP.
Procedure
Step 1 Run:
system-view

Step 2 Run:
stp mode mstp
The working mode of the switching device is set to MSTP. By default, the working mode is
MSTP.
STP and MSTP cannot recognize packets of each other, but MSTP and RSTP can. If an
MSTP-enabled switching device is connected to switching devices running STP, interfaces of
the MSTP-enabled switching device connected to devices running STP automatically
transition to STP mode, and other interfaces still work in MSTP mode. This enables devices
running different spanning tree protocols to interwork with each other.
----End
15.7.1.2 Configuring and Activating an MST Region
Context
An MST region contains multiple switching devices and network segments. These switching
devices are directly connected and have the same region name, same VLAN-to-instance
mapping, and the same configuration revision number after MSTP is enabled. One switching
network can have multiple MST regions. You can use MSTP commands to group multiple
switching devices into one MST region.
NOTE
Two switching devices belong to the same MST region when they have the same:
l Name of the MST region
l Mapping between VLANs and MSTIs
l Revision level of the MST region
Perform the following steps on a switching device that needs to join an MST region.
Procedure
Step 1 Run:
system-view

Step 2 Run:

stp region-configuration
The MST region view is displayed.

Step 3 Run:
region-name name
The name of an MST region is configured.

By default, the MST region name is the MAC address of the management network interface
on the MPU of the switching device.
Step 4 Perform either of the following steps to configure VLAN-to-instance mappings.
l Run the instance instance-id vlan { vlan-id1 [ to vlan-id2 ] }&<1-10> command to
configure VLAN-to-instance mappings.
l Run the vlan-mapping modulo modulo command to enable VLAN-to-instance mapping
assignment based on a default algorithm.
By default, all VLANs in an MST region are mapped to MSTI 0.
l The VLAN-to-instance mappings generated using the vlan-mapping modulo modulo
commands cannot meet network requirements. It is recommended that you run the
instance instance-id vlan { vlan-id1 [ to vlan-id2 ] }&<1-10> command to configure
VLAN-to-instance mappings.
l The vlan-mapping modulo specifies the formula (VLAN ID-1)%modulo+1. In the
formula, (VLAN ID-1)%modulo means the remainder of (VLAN ID-1) divided by the
value of modulo. This formula is used to map a VLAN to the corresponding MSTI. The
calculation result of the formula is the ID of the mapping MSTI.
l To configure the mapping between the spanning tree instance and MUX VLAN, you are
advised to configure the principal VLAN, and subordinate group VLANs and
subordinate separate VLANs of the MUX VLAN in the same protected instance.
Otherwise, loops may occur.
revision-level level
The MSTP revision number is set.

By default, the MSTP revision number is 0.
MSTP is a standard protocol; therefore, the MSTP revision level of a device is 0 by default. If
the revision level of some devices from a specified manufacturer is not 0, you must change
the value to 0 to facilitate tree calculation in an MST region.
NOTE
Changing MST region configurations (especially change of the VLAN mapping table) triggers spanning
tree recalculation and causes route flapping. Therefore:
l After configuring an MST region name, VLAN-to-instance mappings, and an MSTP revision
number, run the check region-configuration command in the MST region view to verify the
configuration. After confirming the region configurations, run the active region-configuration
command to activate MST region configurations.
l You are advised not to modify MST region parameters after the MST region is activated.
Step 6 Run:
active region-configuration
MST region configurations are activated so that the configured region name, VLAN-to-
instance mappings, and revision number can take effect.

If this step is not done, the preceding configurations cannot take effect.
If you have changed MST region configurations on the switching device after MSTP starts,
run the active region-configuration command to activate the MST region so that the changed
configurations can take effect.
Before using the active region-configuration command to activate the modified MST region
parameters, run the check region-configuration command to check whether parameters are
correct. After the active region-configuration command is executed, check whether a
message indicating an activation failure is displayed. If such a message is displayed,
reconfigure MSTP parameters.
----End
Context
The root bridge can be calculated through calculation. You can also manually configure the
root bridge or secondary root bridge.
l A switching device plays different roles in different spanning trees. The switching device
can function as the root switch or secondary root switch of a spanning tree and the root
switch or secondary root switch of another spanning tree. The switching device can
function as only the root switch or secondary root switch of the same spanning tree.
l In a spanning tree, only one root bridge takes effect. When two or more than two devices
are specified as root bridges of a spanning tree, the device with the smallest MAC
address is used as the root bridge.
bridge fails or is powered off, the secondary root bridge becomes the new root bridge. If
a new root bridge is specified, the secondary root bridge will not become the root bridge.
If multiple secondary root bridges are configured, the secondary root bridge with
smallest MAC address will become the root bridge of the spanning tree.
NOTE
It is recommended that the root bridge and secondary root bridge be configured manually.
Procedure
l Perform the following operations on the device to be used as the root bridge.
a. Run:
system-view

b. Run:
stp [ instance instance-id ] root primary
By default, a switching device does not function as the root bridge. After the
configuration is complete, the BID of the device is 0 and cannot be changed.
If instance is not specified, the device in MSTI 0 is a root bridge.

l Perform the following operations on the device to be used as the secondary root bridge.

a. Run:
system-view

b. Run:
stp [ instance instance-id ] root secondary
the configuration is complete, the BID of the device is 4096 and cannot be changed.
If instance is not specified, the device in MSTI 0 is a backup root bridge.
----End
15.7.1.4 (Optional) Configuring a Priority for a Switching Device in an MSTI
Context
In an MSTI, there is only one root bridge, which is the logic center of the MSTI. During root
bridge selection, a high-performance switching device at a high network layer should be
selected as the root bridge; however, the priority of such a device may not be the highest on
the network. It is therefore necessary to set a high priority for the switching device to ensure
that the device functions as a root bridge.
Low-performance devices at lower network layers are not fit to serve as a root bridge.
Therefore, set low priorities for these devices.
A switching device with a high priority is more likely to be selected as the root bridge in an
MSTI. A smaller priority value indicates a higher priority.
Procedure
Step 1 Run:
system-view
Step 2 Run:
stp [ instance instance-id ] priority priority
A priority is set for the switching device in an MSTI.
The default priority value of the switching device is 32768.
If the instance-id is not designated, a priority is set for the switching device in MSTI0.
NOTE
If the stp [ instance instance-id ] root primary or stp [ instance instance-id ] root secondary
command has been executed to configure the device as the root bridge or secondary root bridge, to
change the device priority, run the undo stp [ instance instance-id ] root command to disable the root
bridge or secondary root bridge function and run the stp [ instance instance-id ] priority priority
command to set a priority.
----End

15.7.1.5 (Optional) Configuring a Path Cost of a Port in an MSTI
Context
A path cost is port-specific and is used by MSTP to select a link.
Path costs of ports are an important basis for calculating spanning trees. If you set different
path costs for a port in different MSTIs, VLAN traffic can be transmitted along different
physical links for load balancing.
The MSTP path cost determines root port selection in an MSTI. The port with the lowest path
cost to the root bridge is selected as the root port.
If a network has loops, it is recommended that you set a relatively large path cost for ports
with low link rates.
Procedure
Step 1 Run:
system-view

Step 2 Run:
A path cost calculation method is configured.

By default, the IEEE 802.1t standard (dot1t) is used to calculate the path cost.
Step 3 Run:

Step 4 Run:
stp instance instance-id cost cost
A path cost is set for the port in the current MSTI.

----End
15.7.1.6 (Optional) Configuring a Port Priority in an MSTI
Context
During spanning tree calculation, port priorities in MSTIs determine which ports are selected
as designated ports.
To block a port in an MSTI to eliminate loops, set the port priority value to larger than the
default value. This port will be blocked during designated port selection.

Procedure
Step 1 Run:
system-view

Step 2 Run:

Step 3 Run:
stp instance instance-id port priority priority
A port priority is set in an MSTI.

By default, the port priority is 128.
The value range of the priority is from 0 to 240, in steps of 16.
----End
15.7.1.7 Enabling MSTP
Context
After configuring basic MSTP functions on a switching device, enable MSTP function.
After MSTP is enabled on a ring network, it immediately calculates spanning trees on the
network. Configurations on the switching device, such as, the switching device priority and
port priority, will affect spanning tree calculation. Any change to the configurations may
cause network flapping. Therefore, to ensure rapid and stable spanning tree calculation,
perform basic configurations on the switching device and its ports and enable MSTP.
Procedure
Step 1 Run:
system-view

Step 2 Run:
stp enable
MSTP is enabled on the switching device.

By default, the MSTP function is enabled on the device.

NOTE
If you specify a VLANIF interface of a VLAN as the management network interface for an MSTP-
enabled device, you can run the ethernet-loop-protection ignored-vlan command to specify this
VLAN as an ignored VLAN. Through MSTP calculation, the interface on which the ignored VLAN is
configured does not enter the congested state but stays in the forwarding state. Therefore, services are
not interrupted.
After MSTP is enabled on a port, edge-port detecting is started automatically. If the port fails to receive
BPDU packets within (2 x Hello Timer + 1) seconds, the port is set to an edge port. Otherwise, the port
is set to a non-edge port.
----End
Follow-up Procedure
When the topology of a spanning tree changes, the forwarding paths to associated VLANs are
changed. The ARP entries corresponding to those VLANs on the switching device need to be
updated. MSTP processes ARP entries in either fast or normal mode.

The remaining lifetime of ARP entries to be updated is set to 0. The switching device
rapidly processes these aged entries. If the number of ARP aging probe attempts is not
set to 0, ARP implements aging probe for these ARP entries.
You can run the stp converge { fast | normal } command in the system view to configure the
STP/RSTP convergence mode.
By default, the normal MSTP convergence mode is used.
NOTE
The normal mode is recommended. If the fast mode is adopted, ARP entries will be frequently deleted,
causing the CPU usage on device to reach 100%. As a result, network flapping will frequently occur.
Procedure
l Run the display stp [ instance instance-id ] [ interface interface-type interface-number |
slot slot-id ] [ brief ] command to view spanning-tree status and statistics.
l Run the display stp region-configuration command to view configurations of activated
MST regions.
l Run the display stp region-configuration digest command to view the digest
configurations of activated MST regions.
----End
15.7.2 Configuring MSTP Multi-Process

On a network with Layer 2 single-access rings and multi-access rings deployed, configure
multiple MSTP processes so that spanning trees of different processes are calculated
independently and do not affect each other.

MSTP ensures that spanning trees in rings are calculated independently. After MSTP multi-
process is enabled, each MSTP process can manage some ports on a device. Layer 2
interfaces are managed by multiple MSTP processes, each of which runs the standard MSTP.
Before configuring MSTP multi-process, complete and activate the MST region
configuration.
15.7.2.1 Creating an MSTP Process
Context
A process ID uniquely identifies an MSTP multi-process. After an MSTP device binds its
ports to different processes, the MSTP device performs the MSTP calculation based on
processes, and only relevant ports in each process take part in MSTP calculation. Do as
follows on the devices connected to access rings:
Procedure
Step 1 Run:
system-view

Step 2 Run:
stp process process-id
An MSTP process is created and the MSTP process view is displayed.

Step 3 Run:
stp mode mstp
A working mode is configured for the MSTP process.

The default mode is MSTP.
NOTE
l After a device starts, there is a default MSTP process with the ID 0. MSTP configurations in the
system view and interface view belong to this process. The default working mode of this process is
MSTP.
l To add an interface to an MSTP process with the ID of non-zero, run the stp process command and
then the stp binding process command.
----End
15.7.2.2 Adding a Port to an MSTP Process
Context
After being added to MSTP processes, interfaces can participate in MSTP calculation:
l The links connecting MSTP devices and access rings are called access links.
l The link shared by multiple access rings are called a share link. The interfaces on the
share link need to participate in MSTP calculation in multiple access rings in different
MSTP processes.

Procedure
l Adding a port to an MSTP process-access link
a. Run:
system-view

b. Run:
The interface specified in this command must be the interface that connects the
device and the access ring.
c. Run:
stp binding process process-id
The port is added to the specified MSTP process.
NOTE
if an interface joining the MSTP process has sub-interfaces configured with other features
such as VPLS, run the stp vpls-subinterface enable command. The main interface can then
notify its sub-interfaces to update MAC address entries and ARP entries after receiving a
TC-BPDU. This prevents service interruption. In addition, root protection needs to be
configured on the main interface. Switch XGE interfaces connected to the ACU2,
ET1D2IPS0S00, ET1D2FW00S00, ET1D2FW00S01 or ET1D2FW00S02 card do not
support the notification function.
A port on an access link can join only one MSTP process. If you run this command multiple
times, only the latest configuration takes effect.
l Adding a port to an MSTP process in link-share mode
a. Run:
system-view

b. Run:
The view of the Ethernet interface that participates in spanning tree calculation is
displayed.
The interface specified in this command must be an interface on the share link
between the devices configured with MSTP multi-process but not the interfaces that
connect an access ring and a device.
c. Run:
stp binding process process-id1 [ to process-id2 ] link-share
The port is added to multiple MSTP processes to complete MSTP calculation.
NOTE
In an MSTP process where there are multiple share links, run the stp enable command in the
MSTP multi-instance view. On an interface that is added to an MSTP process in link-share
mode, run the stp enable command in the interface view.
----End

Context
The root bridge can be calculated through calculation. You can also manually configure the
root bridge or secondary root bridge.
l A switching device plays different roles in different spanning trees. The switching device
can function as the root switch or secondary root switch of a spanning tree and the root
switch or secondary root switch of another spanning tree. The switching device can
function as only the root switch or secondary root switch of the same spanning tree.
l In a spanning tree, only one root bridge takes effect. When two or more than two devices
are specified as root bridges of a spanning tree, the device with the smallest MAC
address is used as the root bridge.
bridge fails or is powered off, the secondary root bridge becomes the new root bridge. If
a new root bridge is specified, the secondary root bridge will not become the root bridge.
If multiple secondary root bridges are configured, the secondary root bridge with
smallest MAC address will become the root bridge of the spanning tree.
NOTE
It is recommended that the root bridge and secondary root bridge be configured manually.
Procedure
l Perform the following operations on the device to be used as the root bridge.
a. Run:
system-view

b. Run:
The MSTP process view is displayed.

c. Run:
stp [ instance instance-id ] root primary

By default, a switching device does not function as the root bridge. After the
configuration is complete, the BID of the device is 0 and cannot be changed.
If instance is not specified, the device in MSTI 0 is a root bridge.
l Perform the following operations on the device to be used as the secondary root bridge.
a. Run:
system-view

b. Run:

c. Run:
stp [ instance instance-id ] root secondary


the configuration is complete, the BID of the device is 4096 and cannot be changed.
If instance is not specified, the device in MSTI 0 is a secondary root bridge.
----End
15.7.2.4 (Optional) Configuring a Priority for a Switching Device in an MSTI
Context
In an MSTI, there is only one root bridge, which is the logic center of the MSTI. During root
bridge selection, a high-performance switching device at a high network layer should be
selected as the root bridge; however, the priority of such a device may not be the highest on
the network. It is therefore necessary to set a high priority for the switching device to ensure
that the device functions as a root bridge.
A switching device with a high priority is more likely to be selected as the root bridge in an
MSTI. A smaller priority value indicates a higher priority.
Low-performance devices at lower network layers are not fit to serve as a root bridge.
Therefore, set low priorities for these devices.
Procedure
Step 1 Run:
system-view

Step 2 Run:

Step 3 Run:
stp [ instance instance-id ] priority priority
A priority is set for the switching device in an MSTI.

The default priority value of the switching device is 32768.
If the instance is not designated, a priority is set for the switching device in MSTI0.

NOTE
l To configure a switching device as the primary root bridge, run the stp [ instance instance-id ] root
primary command directly. The priority value of this switching device is 0.
l To configure a switching device as the secondary root bridge, run the stp [ instance instance-id ]
root secondary command. The priority value of this switching device is 4096.
In an MSTI, a switching device cannot act as the primary root bridge and secondary root bridge at
the same time.
l If the stp [ instance instance-id ] root primary or stp [ instance instance-id ] root secondary
command has been executed to configure the device as the root bridge or secondary root bridge, to
change the device priority, run the undo stp [ instance instance-id ] root command to disable the
root bridge or secondary root bridge function and run the stp [ instance instance-id ] priority
priority command to set a priority.
----End
15.7.2.5 (Optional) Configuring a Path Cost of a Port in an MSTI
Context
A path cost is port-specific and is used by MSTP to select a link.
Path costs of ports are an important basis for calculating spanning trees. If you set different
path costs for a port in different MSTIs, VLAN traffic can be transmitted along different
physical links for load balancing.
The MSTP path cost determines root port selection in an MSTI. The port with the lowest path
cost to the root bridge is selected as the root port.
If a network has loops, it is recommended that you set a relatively large path cost for ports
with low link rates. MSTP then blocks these ports.
Procedure
Step 1 Run:
system-view
Step 2 Run:
By default, the IEEE 802.1t standard (dot1t) is used to calculate the path cost.
Step 3 Run:
Step 4 Run:
A port is bound to an MSTP process.

Step 5 Run:
stp [ process process-id ] instance instance-id cost cost
A path cost is set for the port in the current MSTI.

----End
15.7.2.6 (Optional) Configuring a Port Priority in an MSTI
Context
During spanning tree calculation, port priorities in MSTIs determine which ports are selected
as designated ports.
To block a port in an MSTI to eliminate loops, set the port priority value to larger than the
default value. This port will be blocked during designated port selection.
Procedure
Step 1 Run:
system-view

Step 2 Run:

Step 3 Run:
A port is bound to an MSTP process.

Step 4 Run:
stp [ process process-id ] instance instance-id port priority priority
A port priority is set in an MSTI.

By default, the port priority is 128.
The value range of the priority is from 0 to 240, in steps of 16.
----End
15.7.2.7 Configuring TC Notification in MSTP Multi-process
Context
After the TC notification function is configured for MSTP multi-process, the current MSTP
process can notify the MSTIs in other specified MSTP processes to refresh MAC address
entries and ARP entries after receiving a TC-BPDU. Nonstop services are ensured. Do as
follows on the devices connected to access rings:

Procedure
Step 1 Run:
system-view
Step 2 Run:
The view of the created MSTP process is displayed.
Step 3 Run:
stp tc-notify process 0
TC notification is enabled in the MSTP process.
After the stp tc-notify process 0 command is run, the current MSTP process notifies the
MSTIs in MSTP process 0 to update MAC entries and ARP entries after receiving a TC-
BPDU. This prevents services from being interrupted.
----End
15.7.2.8 Enabling MSTP
Context
After MSTP multi-process is enabled on the switching device, you must enable MSTP in the
MSTP process view so that the MSTP configuration can take effect in the MSTP process.
After MSTP is enabled on a ring network, it immediately calculates spanning trees on the
network. Configurations on the switching device, such as, the switching device priority and
port priority, will affect spanning tree calculation. Any change to the configurations may
cause network flapping. Therefore, to ensure rapid and stable spanning tree calculation,
perform basic configurations on the switching device and its ports and enable MSTP.
Procedure
Step 1 Run:
system-view
Step 2 Run:
The view of a created MSTP process is displayed.
Step 3 Run:
stp enable
MSTP is enabled on the MSTP process of the device.
By default, the MSTP function is enabled on the device.
----End

Follow-up Procedure
When the topology of a spanning tree changes, the forwarding paths to associated VLANs are
changed. The ARP entries corresponding to those VLANs on the switching device need to be
updated. MSTP processes ARP entries in either fast or normal mode.
The remaining lifetime of ARP entries to be updated is set to 0. The switching device
rapidly processes these aged entries. If the number of ARP aging probe attempts is not
set to 0, ARP implements aging probe for these ARP entries.
In either fast or normal mode, MAC entries are directly deleted.
You can run the stp converge { fast | normal } command in the system view to configure the
STP/RSTP convergence mode.
By default, the normal MSTP convergence mode is used.
NOTICE
The normal mode is recommended. If the fast mode is adopted, ARP entries will be frequently
deleted, causing the CPU usage on the MPU and LPU to reach 100%. As a result, network
flapping will frequently occur.
Procedure
l Run the display stp process process-id [ instance instance-id ] [ interface interface-
type interface-number | slot slot-id ] [ brief ] command to view spanning-tree status and
statistics.
----End
15.7.3 Configuring MSTP Parameters on an Interface

Proper MSTP parameter settings achieve rapid convergence.
Before configuring MSTP parameters that affect route convergence, configure MSTP or
MSTP multi-process.
15.7.3.1 Setting the MSTP Network Diameter
Context

Procedure
Step 1 Run:
system-view

NOTE
This step is needed only when you perform configurations in an MSTP process with a non-zero ID. If
you perform configurations in the MSTP process 0, skip this step.
Step 3 Run:

l RSTP uses a single spanning tree instance on the entire network. As a result,
performance deterioration cannot be prevented when the network scale grows. Therefore,
the network diameter cannot be larger than 7.
l It is recommended that you run the stp bridge-diameter diameter command to set the
network diameter. Then, the switching device calculates the optimal Forward Delay
period, Hello timer value, and Max Age timer value based on the set network diameter.
----End
15.7.3.2 Setting the MSTP Timeout Interval
Context
Procedure
Step 1 Run:
system-view


NOTE
Step 3 Run:
The timeout period for waiting for BPDUs from the upstream device is set.
By default, the timeout period is 9 times the Hello timer value.
----End
15.7.3.3 Setting the Values of MSTP Timers
Context
Age.
NOTICE

Procedure
Step 1 Run:
system-view

NOTE
Step 3 Set Forward Delay, Hello Time, and Max Age.

1. Run:
The value of Forward Delay of the switching device is set.

By default, the value of Forward Delay of the switching device is 1500 centiseconds.
2. Run:
The value of Hello Time of the switching device is set.

By default, the value of Hello Time of the switching device is 200 centiseconds.
3. Run:
The value of Max Age of the switching device is set.

By default, the value of Max Age of the switching device is 2000 centiseconds.
----End

Context
bridge.



SwitchA SwitchB
Before Eth-Trunk1
Root Bridge
SwitchA SwitchB
After Eth-Trunk1
Root Bridge
Alternate port
Root port
Designated port
Procedure
Step 1 Run:
system-view

Step 2 Run:

Step 3 Run:

8.
----End

15.7.3.5 Setting the Link Type of a Port
Context
It is easy to implement rapid convergence on a P2P link. If the two ports connected to a P2P
link are root or designated ports, the ports can transit to the forwarding state quickly by
sending Proposal and Agreement packets. This reduces the forwarding delay.
Procedure
Step 1 Run:
system-view

Step 2 Run:
The view of the Ethernet interface participating in STP calculation is displayed.

Step 3 Run:
The link type is configured for the interface.

By default, an interface automatically determines whether to connect to a P2P link. The P2P
link supports rapid network convergence.
l If the Ethernet port works in full-duplex mode, the port is connected to a P2P link. In this
case, force-true can be configured to implement rapid network convergence.
l If the Ethernet port works in half-duplex mode, you can run stp point-to-point force-
true to forcibly set the link type to P2P.
----End
15.7.3.6 Setting the Maximum Transmission Rate of an Interface
Context
.A larger value of packet-number indicates more BPDUs sent in a hello interval and
therefore more system resources occupied. Setting the proper value of packet-number
prevents excess bandwidth usage when route flapping occurs.
Procedure
Step 1 Run:
system-view

Step 2 Run:

Step 3 Run:

The maximum number of BPDUs sent by a port in a specified period is set.
By default, the maximum number of BPDUs that a port sends is 6 per second.
----End
15.7.3.7 Switching to the MSTP Mode
Context
If an interface on an MSTP-enabled device is connected to an STP-enabled device, the
interface switches to the STP compatible mode.
If the STP-enabled device is powered off or disconnected from the MSTP-enabled device, the
interface cannot switch to the MSTP mode. In this case, you can switch the interface to the
MSTP mode by using the stp mcheck command.
In the following cases, you need to manually switch the interface back to the MSTP mode
manually:
l The STP-enabled device is shut down or disconnected.

l The STP-enabled device is switched to the MSTP mode.
Procedure
l Switching to the MSTP mode in the interface view
a. Run:
system-view

b. Run:
displayed.
c. Run:
stp mcheck
The device is switched to the MSTP mode.

l Switching to the MSTP mode in the system view
a. Run:
system-view

b. (Optional) Run:
NOTE
This step is needed only when you perform configurations in an MSTP process with a non-
zero ID. If you perform configurations in the MSTP process 0, skip this step.

c. Run:
stp mcheck
The device is switched to the MSTP mode.

----End
15.7.3.8 Configuring a Port as an Edge Port and BPDU Filter Port
Context
If a designated port is located at the edge of a network and is directly connected to terminal
devices, this port is called edge port.
An edge port does not receive or process configuration BPDUs, or MSTP calculation. It can
transit from Disable to Forwarding without any delay.
After a designated port is configured as an edge port, the port can still send BPDUs. Then
BPDUs are sent to other networks, causing flapping of other networks. You can configure a
port as an edge port and BPDU filter port so that the port does not process or send BPDUs.
NOTICE
After all ports are configured as edge ports and BPDU filter ports in the system view, none of
ports on the device send BPDUs or negotiate the STP status with directly connected ports on
the peer device. All ports are in forwarding state. This may cause loops on the network,
leading to broadcast storms. Exercise caution when you configure a port as an edge port and
BPDU filter port.
After a port is configured as an edge port and BPDU filter port in the interface view, the port
does not process or send BPDUs. The port cannot negotiate the STP status with the directly
connected port on the peer device. Exercise caution when you configure a port as an edge port
and BPDU filter port.
Procedure
l Configuring all ports as edge ports and BPDU filter ports in the system view
a. Run:
system-view

b. Run:

c. Run:


l Configuring a port as an edge port and BPDU filter port in the interface view
a. Run:
system-view

b. Run:
displayed.
c. (Optional) Run:

d. Run:

----End
15.7.3.9 Setting the Maximum Number of Hops in an MST Region
Context
Switching devices on a Layer 2 network running MSTP communicate with each other by
exchanging MST BPDUs. An MST BPDU has a field that indicates the number of remaining
hops.
l The number of remaining hops in a BPDU sent by the root switching device equals the
maximum number of hops.
l The number of remaining hops in a BPDU sent by a non-root switching device equals
the maximum number of hops minus the number of hops from the non-root switching
device to the root switching device.
l If a switching device receives a BPDU in which the number of remaining hops is 0, the
switching device will discard the BPDU.
Therefore, the maximum number of hops of a spanning tree in an MST region determines the
network scale. The stp max-hops command can be used to set the maximum number of hops
in an MST domain so that the network scale of a spanning tree can be controlled.
Procedure
Step 1 Run:
system-view


NOTE
Step 3 Run:
stp max-hops hop
The maximum number of hops in an MST region is set.

By default, the maximum number of hops of the spanning tree in an MST region is 20.
----End
Procedure
l Run the display stp [ process process-id ] [ instance instance-id ] [ interface interface-
statistics.
----End
15.7.4 Configuring MSTP Protection Functions

Huawei datacom devices provide the following MSTP protection functions. You can
configure one or more functions.
Before configuring MSTP protection functions, configure MSTP or MSTP multi-process.
15.7.4.1 Configuring BPDU Protection on a Switching Device
Context
Edge ports are directly connected to user terminal and will not receive BPDUs. Attackers may
send pseudo BPDUs to attack the switching device. If the edge ports receive the BPDUs, the
switching device configures the edge ports as non-edge ports and triggers a new spanning tree
calculation. Network flapping then occurs. BPDU protection can be used to protect switching
devices against malicious attacks.
Perform the following procedure on all switching devices that have edge ports.
Procedure
Step 1 Run:
system-view


NOTE
Step 3 Run:
stp bpdu-protection
BPDU protection is enabled on the switching device.

By default, BPDU protection is not enabled on the switching device.
----End
Follow-up Procedure
If you want an edge port to automatically recover from the error-down state, run the error-
down auto-recovery cause bpdu-protection interval interval-value command in the system
view to configure the auto recovery function and set a recovery delay on the port. Then a port
in error-down state can automatically go Up after the recovery delay. Note the following when
setting the recovery delay:
l The auto recovery function is disabled by default and does not have a default value for
the recovery delay. When you enable the auto recovery function, you must set a recovery
delay.
l A smaller interval-value indicates a shorter time before an edge port goes Up, and a
higher frequency of Up/Down state transitions on the port.
l A larger interval-value indicates a longer time before an edge port goes Up, and a longer
service interruption time.
l The auto recovery function takes effect only for the interfaces that transition to the error-
down state after the error-down auto-recovery command is executed.
15.7.4.2 Configuring TC Protection on a Switching Device
Context
If attackers forge TC-BPDUs to attack the switching device, the switching device receives a
large number of TC BPDUs within a short time. If MAC address entries and ARP entries are
deleted frequently, the switching device is heavily burdened, causing potential risks to the
network.
TC protection is used to suppress TC BPDUs. The number of times that TC BPDUs are
processed by a switching device within a given time period is configurable. If the number of
TC BPDUs that the switching device receives within a given time exceeds the specified
threshold, the switching device handles TC BPDUs only for the specified number of times.
Excess TC BPDUs are processed by the switching device as a whole for once after the
specified time period expires. This protects the switching device from frequently deleting
MAC entries and ARP entries, therefore avoiding overburden.
Procedure
Step 1 Run:
system-view


NOTE
Step 3 Run:
The time taken by the device to process the maximum number of TC BPDUs is set.
By default, the device processes the maximum number of TC BPDUs at an interval of the
Hello time.
Step 4 Run:
The number of times the MSTP process handles the received TC BPDUs and updates
forwarding entries within a given time is set.
NOTE
Within the time specified by stp tc-protection interval, the switch processes TC BPDUs of a number
specified by stp tc-protection threshold. Other packets are delayed, so spanning tree convergence may
be affected. For example, the period is set to 10s and the threshold is set to 5. After receiving TC
BPDUs, the device processes the first five TC BPDUs within 10s. After 10s, the device processes
subsequent TC BPDUs.
----End
15.7.4.3 Configuring Root Protection on an Interface
Context
Due to incorrect configurations or malicious attacks on the network, a root bridge may receive
BPDUs with a higher priority. Consequently, the legitimate root bridge is no longer able to
serve as the root bridge and the network topology is changed, triggering spanning tree
recalculation. This also may cause the traffic that should be transmitted over high-speed links
to be transmitted over low-speed links, leading to network congestion. The root protection
function on a switching device is used to protect the root bridge by preserving the role of the
designated port.
NOTE
Perform the following steps on the root bridge in an MST region.
Procedure
Step 1 Run:
system-view

Step 2 Run:

The port is bound to an MSTP process.
NOTE
This step is performed only when the interface needs to be bound to an MSTP process with a non-zero
ID. If the interface belongs to process 0, skip this step.
Step 4 Run:
stp root-protection
Root protection is configured on the switching device.

By default, root protection is disabled.
----End
15.7.4.4 Configuring Loop Protection on an Interface
Context
On a network running MSTP, a switching device maintains the root port status and status of
blocked ports by receiving BPDUs from an upstream switching device. If the switching
device cannot receive BPDUs from the upstream device because of link congestion or
unidirectional-link failure, the switching device re-selects a root port. The original root port
becomes a designated port and the original blocked ports change to the Forwarding state. This
switching may cause network loops, which can be mitigated by configuring loop protection.
If the root port or alternate port does not receive BPDUs from the upstream device for a long
time, the switch enabled with loop protection sends a notification to the NMS. If the root port
is used, the root port enters the Discarding state and becomes the designated port. If the
alternate port is used, the alternate port keeps blocked and becomes the designated port. In
this case, loops will not occur. After the link is not congested or unidirectional link failures
are rectified, the port receives BPDUs for negotiation and restores its original role and status.
NOTE
An alternate port is a backup port for a root port. If a switching device has an alternate port, you need to
configure loop protection on both the root port and the alternate port.
Perform the following steps on the root port and alternate port on a switching device in an
MST region.
Procedure
Step 1 Run:
system-view

Step 2 Run:


The port is bound to an MSTP process.
NOTE
This step is performed only when the interface needs to be bound to an MSTP process with a non-zero
ID. If the interface belongs to process 0, skip this step.
Step 4 Run:
stp loop-protection
Loop protection for the root port is configured on the switching device.
By default, loop protection is disabled.
Root protection and loop protection cannot be configured simultaneously.
----End
15.7.4.5 Configuring Share-Link Protection on a Switching Device
Context
Share-link protection is used in the scenario where a switching device is dual homed to a
network.
When a share link fails, share-link protection forcibly changes the working mode of a local
switching device to RSTP. This function can also be used together with root protection to
avoid network loops.
Procedure
Step 1 Run:
system-view
Step 2 Run:
NOTE
Step 3 Run:
stp link-share-protection
Share-link protection is enabled.
----End

Procedure
statistics.
----End
15.7.5 Configuring MSTP Interoperability Between Huawei

Devices and Non-Huawei Devices
To communicate with a non-Huawei device, set proper parameters on the MSTP-enabled
Huawei device.
15.7.5.1 Configuring a Proposal/Agreement Mechanism
Context
The rapid transition mechanism is also called the Proposal/Agreement mechanism. All
switching devices support the following modes:
l Enhanced mode: The current interface counts the root port calculation when it computes
the synchronization flag bit.
– An upstream device sends a Proposal message to a downstream device, requesting
rapid status transition. After receiving the message, the downstream device sets the
port connected to the upstream device as a root port and blocks all non-edge ports.
– The upstream device then sends an Agreement message to the downstream device.
After the downstream device receives the message, the root port transitions to the
Forwarding state.
– The downstream device responds to the Proposal message with an Agreement
message. After receiving the message, the upstream device sets the port connected
to the downstream device as a designated port, and the designated port transitions to
l Common mode: The current interface ignores the root port when it computes the
– An upstream device sends a Proposal message to a downstream device, requesting
rapid status transition. After receiving the message, the downstream device sets the
port connected to the upstream device as a root port and blocks all non-edge ports.
The root port then transitions to the Forwarding state.
– The downstream device responds to the Proposal message with an Agreement
message. After receiving the message, the upstream device sets the port connected
to the downstream device as a designated port. The designated port then transitions
to the Forwarding state.
When Huawei devices are connected to non-Huawei devices, select the same mode as that
used on non-Huawei devices.

Procedure
Step 1 Run:
system-view
Step 2 Run:
Step 3 Run:
The common rapid transition mechanism is configured.
By default, the interface uses the enhanced rapid transition mechanism.
----End
15.7.5.2 Configuring the MSTP Protocol Packet Format on an Interface
Context
MSTP protocol packets have two formats: dot1s (IEEE 802.1s standard packets) and legacy
(proprietary protocol packets).
You can specify the packet format and use the auto mode. In auto mode, the switching device
switches the MSTP protocol packet format based on the received MSTP protocol packet
format so that the switching device can communicate with the peer device.
Procedure
Step 1 Run:
system-view
Step 2 Run:
Step 3 Run:
stp compliance { auto | dot1s | legacy }
The MSTP protocol packet format is configured on the interface.
The auto mode is used by default.
NOTE
The negotiation will fail if the format of MSTP packets is set to dot1s at one end and legacy at the other
end.
----End

15.7.5.3 Enabling the Digest Snooping Function
Context
Interconnected Huawei and non-Huawei devices cannot communicate with each other if they
have the same region name, revision number, and VLAN-to-instance mappings but different
BPDU keys. To address this problem, enable the digest snooping function on the Huawei
device.
Perform the following steps on a switching device in an MST region to enable the digest
snooping function.
Procedure
Step 1 Run:
system-view

Step 2 Run:

Step 3 Run:
stp config-digest-snoop
The digest snooping function is enabled.
----End
Procedure
statistics.
----End
15.8 Maintaining MSTP
15.8.1 Clearing MSTP Statistics

Context
NOTICE
MSTP statistics cannot be restored after being cleared.

Procedure
l Run the reset stp [ interface interface-type interface-number ] statistics command to
clear spanning-tree statistics.
l Run the reset stp error packet statistics to clears the statistics of error STP packets.
----End
15.8.2 Monitoring the Statistics on MSTP Topology Changes

Procedure
l Run the display stp [ process process-id ] [ instance instance-id ] topology-change
command to view the statistics about MSTP topology changes.
In the case of a non-zero process, the stp process process-id command must be used to
create a process before the display stp [ process process-id ] [ instance instance-id ]
topology-change command is used.
type interface-number | slot slot-id ] tc-bpdu statistics command to view the statistics
about TC/TCN packets.
In the case of a non-zero process, the stp process process-id command must be used to
create a process before the display stp [ process process-id ] [ instance instance-id ]
[ interface interface-type interface-number | slot slot-id ] tc-bpdu statistics command is
used.
----End
15.9.1 Example for Configuring MSTP

To implement redundancy on a complex network, network designers tend to deploy multiple
physical links between two devices, one of which is the master and the others are the backup.
Loops occur, causing broadcast storms or damaging MAC addresses. After the network is
planned, deploy MSTP on the network to prevent loops. MSTP blocks redundant links and
prunes a network into a tree topology free from loops.
As shown in Figure 15-20,SwitchA, SwitchB, SwitchC, and SwitchD run MSTP. To load
balance traffic from VLANs 2 to 10 and VLANs 11 to 20, use MSTP multi-instance. You can
configure a VLAN mapping table to associate VLANs with MSTIs.

Figure 15-20 Networking diagram of MSTP configuration
Network
RG1
SwitchA Eth-Trunk1 SwitchB
GE1/0/1 Eth-Trunk1 GE1/0/1
GE1/0/3 GE1/0/3
GE1/0/2
SwitchC SwitchD
GE1/0/2
GE1/0/1 GE1/0/1
VLAN 2~10 MSTI 1

VLAN 11~20 MSTI 2
MSTI 1:
Root Switch:SwitchA
Blocked port
MSTI 2:
Root Switch:SwitchB
Blocked port
1. Configure basic MSTP functions on the switch on the ring network. Because ports
connected to the PCs do not participate in MSTP calculation, configure these ports as
edge ports.
2. Configure protection functions to protect devices or links. You can configure root
protection on the designated port of the root bridge.

NOTE
When the link between the root bridge and secondary root bridge goes Down, the port enabled with root
protection becomes Discarding because root protection takes effect.
To improve the reliability, you are advised to bind the link between the root bridge and secondary root
bridge to an Eth-Trunk.
3. Configure Layer 2 forwarding.
Procedure
Step 1 Configure basic MSTP functions.
1. Configure SwitchA, SwitchB, SwitchC, and SwitchD in the same MST region named
RG1 and create MSTI 1 and MSTI 2.
NOTE
Two switching devices belong to the same MST region when they have the same:
– Name of the MST region
– Mapping between VLANs and MSTIs
– Revision level of the MST region
# Configure an MST region on SwitchA.
[SwitchA] stp region-configuration
[SwitchA-mst-region] region-name RG1
[SwitchA-mst-region] instance 1 vlan 2 to 10
[SwitchA-mst-region] active region-configuration
[SwitchA-mst-region] quit
# Configure an MST region on SwitchB.

[SwitchB] stp region-configuration
[SwitchB-mst-region] region-name RG1
[SwitchB-mst-region] instance 1 vlan 2 to 10
[SwitchB-mst-region] active region-configuration
[SwitchB-mst-region] quit
# Configure an MST region on SwitchC.

[SwitchC] stp region-configuration
[SwitchC-mst-region] region-name RG1
[SwitchC-mst-region] instance 1 vlan 2 to 10
[SwitchC-mst-region] active region-configuration
[SwitchC-mst-region] quit
# Configure an MST region on SwitchD.

[SwitchD] stp region-configuration
[SwitchD-mst-region] region-name RG1
[SwitchD-mst-region] instance 1 vlan 2 to 10
[SwitchD-mst-region] active region-configuration
[SwitchD-mst-region] quit
2. In the MST region RG1, configure the root bridge and secondary root bridge in MSTI 1
and MSTI 2.

– Configure the root bridge and secondary root bridge in MSTI 1.

# Configure SwitchA as the root bridge in MSTI 1.
[SwitchA] stp instance 1 root primary
# Configure SwitchB as the secondary root bridge in MSTI 1.

[SwitchB] stp instance 1 root secondary
– Configure the root bridge and secondary root bridge in MSTI 2.

# Configure SwitchB as the root bridge in MSTI 2.
[SwitchB] stp instance 2 root primary
# Configure SwitchA as the secondary root bridge in MSTI 2.

[SwitchA] stp instance 2 root secondary
3. Set the path costs of the ports to be blocked in MSTI 1 and MSTI 2 to be greater than the
default value.
NOTE
– The path cost values depend on path cost calculation methods. This example uses the Huawei
calculation method as an example to set the path cost to 20000 for the ports to be blocked.
– All switches on a network must use the same path cost calculation method.
# Configure SwitchA to use Huawei calculation method to calculate the path cost.
# Configure SwitchB to use Huawei calculation method to calculate the path cost.
# Configure SwitchC to use Huawei calculation method to calculate the path cost, and
set the path cost of GE1/0/2 in MSTI 2 to 20000.
[SwitchC-GigabitEthernet1/0/2] stp instance 2 cost 20000
# Configure SwitchD to use Huawei calculation method to calculate the path cost, and
set the path cost of GE1/0/2 in MSTI 1 to 20000.
[SwitchD-GigabitEthernet1/0/2] stp instance 1 cost 20000
4. Enable MSTP to eliminate loops.

– Enable MSTP globally.
# Enable MSTP on SwitchA.
# Enable MSTP on SwitchB.

# Enable MSTP on SwitchC.

# Enable MSTP on SwitchD.

– Configure the ports connected to the terminal as edge ports.

# Configure GE1/0/1 of SwitchC as an edge port.

# Configure GE1/0/1 of SwitchD as an edge port.

[SwitchD-GigabitEthernet1/0/1] stp edged-port enable
(Optional) Configure BPDU protection on SwitchD.

[SwitchD] stp bpdu-protection
NOTE
receive BPDUs.
Step 2 Configure root protection on the designated port of the root bridge.
# Enable root protection on GE1/0/1 of SwitchA.
# Enable root protection on GE1/0/1 of SwitchB.

[SwitchB-GigabitEthernet1/0/1] stp root-protection
Step 3 Configure Layer 2 forwarding on devices on the ring network.

l Create VLANs 2 to 20 on SwitchA, SwitchB, SwitchC, and SwitchD.
# Create VLANs 2 to 20 on SwitchA.
[SwitchA] vlan batch 2 to 20
# Create VLANs 2 to 20 on SwitchB.

[SwitchB] vlan batch 2 to 20
# Create VLANs 2 to 20 on SwitchC.

# Create VLANs 2 to 20 on SwitchD.

[SwitchD] vlan batch 2 to 20
l Add ports on switches to VLANs.

# Add GE1/0/1 on SwitchA to a VLAN.
[SwitchA-GigabitEthernet1/0/1] port trunk allow-pass vlan 2 to 20
# Add Eth-Trunk1 on SwitchA to a VLAN.

[SwitchA] interface Eth-Trunk 1
[SwitchA-Eth-Trunk1] trunkport gigabitethernet 1/0/2
[SwitchA-Eth-Trunk1] trunkport gigabitethernet 1/0/3
[SwitchA-Eth-Trunk1] port trunk allow-pass vlan 2 to 20
# Add GE1/0/1 on SwitchB to a VLAN.

[SwitchB-GigabitEthernet1/0/1] port trunk allow-pass vlan 2 to 20
# Add Eth-Trunk1 on SwitchB to a VLAN.

[SwitchB] interface Eth-Trunk 1

[SwitchB-Eth-Trunk1] trunkport gigabitethernet 1/0/2
[SwitchB-Eth-Trunk1] trunkport gigabitethernet 1/0/3
[SwitchB-Eth-Trunk1] port link-type trunk
[SwitchB-Eth-Trunk1] port trunk allow-pass vlan 2 to 20
[SwitchB-Eth-Trunk1] quit
# Add GE1/0/1 on SwitchC to a VLAN.

[SwitchC-GigabitEthernet1/0/1] port link-type access
[SwitchC-GigabitEthernet1/0/1] port default vlan 2

[SwitchC-GigabitEthernet1/0/2] port trunk allow-pass vlan 2 to 20

# Add GE1/0/1 on SwitchD to a VLAN.

[SwitchD-GigabitEthernet1/0/1] port link-type access
[SwitchD-GigabitEthernet1/0/1] port default vlan 11

[SwitchD-GigabitEthernet1/0/2] port trunk allow-pass vlan 2 to 20


After the preceding configurations are complete and the network topology becomes stable,
perform the following operations to verify the configuration.
NOTE
MSTI 1 and MSTI 2 are used as examples. You do not need to check the interface status in MSTI 0.
# Run the display stp brief command on SwitchA to view the status and protection mode on
the ports. Output similar to the following is displayed:
0 Eth-Trunk1 DESI FORWARDING NONE
2 Eth-Trunk1 ROOT FORWARDING NONE
In MSTI 1, GE1/0/1 and Eth-Trunk1 are designated ports because SwitchA is the root bridge.
In MSTI 2, Eth-Trunk1 are designated ports because SwitchA is the root bridge. In MSTI 2,
GE1/0/1 on SwitchA is the designated port and Eth-Trunk1 is the root port.

# Run the display stp brief command on SwitchB. Output similar to the following is
displayed:
[SwitchB] display stp brief
In MSTI 2, GE1/0/1 and Eth-Trunk1 are designated ports because SwitchB is the root bridge.
In MSTI 1, GE1/0/1 on SwitchB is the designated port and Eth-Trunk1 is the root port.
# Run the display stp interface brief commands on SwitchC. Output similar to the following
is displayed:
[SwitchC] display stp interface gigabitethernet 1/0/3 brief
GE1/0/3 on SwitchC is the root port in MSTI 1 and MSTI 2. GE1/0/2 on SwitchC is the
designated port in MSTI 1 but is blocked in MSTI 2.
# Run the display stp interface brief commands on SwitchD. Output similar to the following
is displayed:
[SwitchD] display stp interface gigabitethernet 1/0/3 brief
[SwitchD] display stp interface gigabitethernet 1/0/2 brief
GE1/0/3 on SwitchD is the root port in MSTI 1 and MSTI 2. GE1/0/2 on SwitchD is the
blocked port in MSTI 1 and is the designated port in MSTI 2.
----End
Configuration Files
#
sysname SwitchA
#
vlan batch 2 to 20
#
#
region-name RG1
instance 1 vlan 2 to 10

#
#
stp root-protection
#
eth-trunk 1
#
eth-trunk 1
#
return
#
sysname SwitchB
#
vlan batch 2 to 20
#
#
region-name RG1
#
#
stp root-protection
#
eth-trunk 1
#
eth-trunk 1
#
return
#
sysname SwitchC
#
vlan batch 2 to 20
#
stp bpdu-protection
#
region-name RG1
#

port default vlan 2

#
#
#
return

#
sysname SwitchD
#
vlan batch 2 to 20
#
stp bpdu-protection
#
region-name RG1
#
#
#
#
return
15.9.2 Example for Configuring MSTP + VRRP Network
As shown in Figure 15-21, hosts connect to SwitchC, and SwitchC connects to the Internet
through SwitchA and SwitchB. To improve access reliability, the user configures redundant
links. The redundant links causes a network loop, which leads to broadcast storm and destroy
MAC address entries.
It is required that the network loop be prevented when redundant links are deployed, traffic be
switched to another link when one link is broken, and network bandwidth be effectively used.
MSTP can be configured on the network to prevent loops. MSTP blocks redundant links and
prunes a network into a tree topology free from loops. In addition, VRRP needs to be
configured on SwitchA and SwitchB. HostA connects to the Internet by using SwitchA as the
default gateway and SwitchB as the secondary gateway. HostB connects to the Internet by
using SwitchB as the default gateway and SwitchA as the secondary gateway. Traffic is thus
load balanced and communication reliability is improved.

Figure 15-21 MSTP + VRRP network

VRRP VRID 1 SwitchA
Virtual IP Address: VRID 1:Master
HostA
10.1.2.100 VRID 2:Backup
VLAN2
10.1.2.101/24 /1 GE
E1/0 1/0
G / 3 RouterA
GE
GE1/0/2
1/0 /1
/2 1/0
GE
SwitchC MSTP Internet
GE1/0/2
GE
/ 0/3 1/0
G E1 SwitchC /4
GE RouterB
HostB 1/0 /0 /3
/1 GE1
VLAN3
10.1.3.101/24 SwitchB
VRID 1:Backup
VRRP VRID 2 VRID 2:Master
Virtual IP Address:
10.1.3.100
VLAN2 MSTI1 VLAN3 MSTI2
MSTI1: MSTI2:
Root Switch:SwitchA Root Switch:SwitchB

Blocked port Blocked port
Device Interface VLANIF Interface IP Address
SwitchA GE1/0/1 and VLANIF 2 10.1.2.102/24

GE1/0/2
GE1/0/1 and VLANIF 3 10.1.3.102/24

GE1/0/2
GE1/0/3 VLANIF 4 10.1.4.102/24
SwitchB GE1/0/1 and VLANIF 2 10.1.2.103/24

GE1/0/2
GE1/0/1 and VLANIF 3 10.1.3.103/24

GE1/0/2
GE1/0/3 VLANIF 5 10.1.5.103/24

1. Configure basic MSTP on the switches, including:
a. Configure MST and create multi-instance, map VLAN 2 to MSTI1, and map
VLAN 3 to MSTI2 to load balance traffic.
b. Configure the root bridge and backup bridge in the MST region.
c. Configure the path cost on an interface so that the interface can be blocked.
d. Enable MSTP to prevent loops:
n Enable MSTP globally.
n Enable MSTP on all interfaces except the interfaces connecting to hosts.
NOTE
Because the interfaces connecting to hosts do not participate in MSTP calculation, configure
these ports as edge ports.
2. Enable the protection function to protect devices or links. For example, enable the
protection function on the root bridge of each instance to protect roots.
3. Configure Layer 2 forwarding.
4. Assign an IP address to each interface and configure the routing protocol on each device
to ensure network connectivity.
5. Create VRRP group 1 and VRRP group 2 on SwitchA and SwitchB. Configure SwitchA
as the master device and SwitchB as the backup device of VRRP group 1. Configure
SwitchB as the master device and SwitchA as the backup device of VRRP group 2.
Procedure
1. Add SwitchA, SwitchB, and SwitchC to region RG1, and create instances MSTI1 and
MSTI2.
# Configure an MST region on SwitchA.
[SwitchA-mst-region] instance 1 vlan 2
[SwitchA-mst-region] instance 2 vlan 3
# Configure an MST region on SwitchB.

[SwitchB-mst-region] instance 1 vlan 2
[SwitchB-mst-region] instance 2 vlan 3
# Configure an MST region on SwitchC.

[SwitchC-mst-region] region-name RG1

[SwitchC-mst-region] instance 1 vlan 2

[SwitchC-mst-region] instance 2 vlan 3
2. Configure the root bridges and backup bridges for MSTI1 and MSTI2 in RG1.
– Configure the root bridge and backup bridge for MSTI1.
# Set SwitchA as the root bridge of MSTI1.
[SwitchA] stp instance 1 root primary
# Set SwitchB as the backup bridge of MSTI1.

[SwitchB] stp instance 1 root secondary
– Configure the root bridge and backup bridge for MSTI2.

# Set SwitchB as the root bridge of MSTI2.
[SwitchB] stp instance 2 root primary
# Set SwitchA as the backup bridge of MSTI2.

[SwitchA] stp instance 2 root secondary
3. Set the path costs of the interfaces that you want to block on MSTI1 and MSTI2 to be
greater than the default value.
NOTE
– The path cost range is decided by the calculation method. The Huawei calculation method is
used as an example. Set the path costs of the interfaces to 20000.
– The switches on the same network must use the same calculation method to calculate path
costs.
# Set the path cost calculation method on SwitchA to Huawei calculation method.
# Set the path cost calculation method on SwitchB to Huawei calculation method.
# Set the path cost calculation method on SwitchC to Huawei calculation method. Set the
path cost of GE1/0/1 in MSTI2 to 20000; set the path cost of GE1/0/4 in MSTI1 to
20000.
4. Enable MSTP to prevent loops.

– Enable MSTP globally.
# Enable MSTP on SwitchA.
# Enable MSTP on SwitchB.

# Enable MSTP on SwitchC.

– Configure the ports connected to hosts as edge ports.

# Configure GE1/0/2 and GE1/0/3 of Switch C as an edge port.



– Configure the ports connected to Router as edge ports.

# Configure GE1/0/3 of Switch A as an edge port.
[SwitchA-GigabitEthernet1/0/3] stp edged-port enable
(Optional) Configure BPDU protection on SwitchA.

[SwitchA] stp bpdu-protection
# Disable STP on GE1/0/3 of Switch B as an edge port.


NOTE
receive BPDUs.
Step 2 Enable the protection function on the designated interfaces of each root bridge.
# Enable root protection on GE1/0/1 of SwitchA.
# Enable root protection on GE1/0/1 of SwitchB.

Step 3 Configure Layer 2 forwarding on the switches in the ring.

l Create VLANs 2 and 3 on SwitchA, SwitchB, and SwitchC.
# Create VLANs 2 and 3 on SwitchA.
# Create VLANs 2 and 3 on SwitchB.

# Create VLANs 2 and 3 on SwitchC.

l Add the interfaces connecting to the loops to VLANs.

# Add GE1/0/1 of SwitchA to VLANs.
# Add GE1/0/2 of SwitchA to VLANs.



# Add GE1/0/1 of SwitchB to VLANs.

# Add GE1/0/2 of SwitchB to VLANs.

# Add GE1/0/1 of SwitchC to VLANs.

# Add GE1/0/2 of SwitchC to VLAN 2.

# Add GE1/0/3 of SwitchC to VLAN 3.

# Add GE1/0/4 of SwitchC to VLANs.


perform the following operations to verify the configuration.
NOTE
MSTI 1 and MSTI 2 are used as examples. You do not need to focus on the interface status in MSTI 0.
# Run the display stp brief command on SwitchA to view the status and protection type on
interfaces. The displayed information is as follows:
In MSTI1, GE1/0/2 and GE1/0/1 of SwitchA are set as designated interfaces because SwitchA
is the root bridge of MSTI1. In MSTI2, GE1/0/1 of SwitchA is set as the designated interface
and GE1/0/2 is set as the root interface.
# Run the display stp brief command on SwitchB. The displayed information is as follows:


In MSTI2, GE1/0/1 and GE1/0/2 of SwitchB are set as designated interfaces because SwitchB
is the root bridge of MSTI2. In MSTI1, GE1/0/1 of SwitchB is set as the designated interface
and GE1/0/2 is set as the root interface.
# Run the display stp interface brief command on SwitchC. The displayed information is as
follows:
GE1/0/1 of SwitchC is the root interface of MSTI1, and is blocked in MSTI2. GE1/0/4 of
SwitchC is the root interface of MSTI2, and is blocked in MSTI1.
Step 5 Connect devices.
# Assign an IP address to each interface, for example, the interfaces on SwitchA. The
configurations on SwitchB are similar to the configurations on SwitchA. For details, see the
configuration file.
# Run OSPF on SwitchA, SwitchB, and routers. The configurations on SwitchA are used as
an example. The configurations on SwitchB are similar to the configurations on SwitchA. For
details, see the configuration file.
[SwitchA] ospf 1
[SwitchA-ospf-1] area 0
[SwitchA-ospf-1-area-0.0.0.0] quit
[SwitchA-ospf-1] quit
Step 6 Configure VRRP groups.

# Create VRRP group 1 on SwitchA and SwitchB. Set SwitchA as the master device, priority
to 120, and preemption delay to 20 seconds. Set SwitchB as the backup device and retain the
default priority.


[SwitchA-Vlanif2] vrrp vrid 1 virtual-ip 10.1.2.100
[SwitchA-Vlanif2] vrrp vrid 1 priority 120
[SwitchA-Vlanif2] vrrp vrid 1 preempt-mode timer delay 20
[SwitchB-Vlanif2] vrrp vrid 1 virtual-ip 10.1.2.100
# Create VRRP group 2 on SwitchA and SwitchB. Set SwitchB as the master device, priority
to 120, and preemption delay to 20 seconds. Set SwitchA as the backup device and retain the
default priority.
[SwitchB-Vlanif3] vrrp vrid 2 virtual-ip 10.1.3.100
[SwitchB-Vlanif3] vrrp vrid 2 priority 120
[SwitchB-Vlanif3] vrrp vrid 2 preempt-mode timer delay 20
[SwitchA-Vlanif3] vrrp vrid 2 virtual-ip 10.1.3.100
# Set the virtual IP address 10.1.2.100 of VRRP group 1 as the default gateway of Host A,
and the virtual IP address 10.1.3.100 of VRRP group 2 as the default gateway of Host B.
# After completing the preceding configurations, run the display vrrp command on SwitchA.
SwitchA's VRRP status is master in VRRP group 1 and backup in VRRP group 2.
[SwitchA] display vrrp
Vlanif2 | Virtual Router 1
State : Master
Virtual IP : 10.1.2.100
Master IP : 10.1.2.102
PriorityRun : 120
PriorityConfig : 120
MasterPriority : 120
Preempt : YES Delay Time : 20 s
TimerRun : 1 s
TimerConfig : 1 s
Auth type : NONE
Virtual MAC : 0000-5e00-0101
Check TTL : YES
Config type : normal-vrrp
Backup-forward : disabled
Create time : 2012-05-11 11:39:18
Last change time : 2012-05-26 11:38:58

State : Backup
Virtual IP : 10.1.3.100
Master IP : 10.1.3.103
PriorityRun : 100
TimerRun : 1 s
TimerConfig : 1 s
Auth type : NONE
Virtual MAC : 0000-5e00-0102
Check TTL : YES
Create time : 2012-05-11 11:40:18
Last change time : 2012-05-26 11:48:58
# Run the display vrrp command on SwitchB. SwitchB's VRRP status is backup in VRRP
group 1 and master in VRRP group 2.

[SwitchB] display vrrp

State : Backup
Virtual IP : 10.1.2.100
Master IP : 10.1.2.102
PriorityRun : 100
TimerRun : 1 s
TimerConfig : 1 s
Auth type : NONE
Virtual MAC : 0000-5e00-0101
Check TTL : YES
Create time : 2012-05-11 11:39:18
Last change time : 2012-05-26 11:38:58

State : Master
Virtual IP : 10.1.3.100
Master IP : 10.1.3.103
PriorityRun : 120
TimerRun : 1 s
TimerConfig : 1 s
Auth type : NONE
Virtual MAC : 0000-5e00-0102
Check TTL : YES
Create time : 2012-05-11 11:40:18
Last change time : 2012-05-26 11:48:58
----End
Configuration File
#
sysname SwitchA
#
vlan batch 2 to 4
#
stp bpdu-protection
#
region-name RG1
instance 1 vlan 2
instance 2 vlan 3
#
interface Vlanif2
ip address 10.1.2.102 255.255.255.0
vrrp vrid 1 virtual-ip 10.1.2.100
vrrp vrid 1 priority 120
vrrp vrid 1 preempt-mode timer delay 20
#
interface Vlanif3
ip address 10.1.3.102 255.255.255.0
#

interface Vlanif4
ip address 10.1.4.102 255.255.255.0
#
stp root-protection
#
#
#
ospf 1
area 0.0.0.0
network 10.1.2.0 0.0.0.255
network 10.1.3.0 0.0.0.255
network 10.1.4.0 0.0.0.255
#
return
#
sysname SwitchB
#
vlan batch 2 to 3 5
#
stp bpdu-protection
#
region-name RG1
instance 1 vlan 2
instance 2 vlan 3
#
interface Vlanif2
ip address 10.1.2.103 255.255.255.0
#
interface Vlanif3
ip address 10.1.3.103 255.255.255.0
vrrp vrid 2 priority 120
vrrp vrid 2 preempt-mode timer delay 20
#
interface Vlanif5
ip address 10.1.5.103 255.255.255.0
#
stp root-protection
#
#
#
ospf 1

area 0.0.0.0
network 10.1.2.0 0.0.0.255
network 10.1.3.0 0.0.0.255
network 10.1.5.0 0.0.0.255
#
return

#
sysname SwitchC
#
vlan batch 2 to 3
#
stp bpdu-protection
#
region-name RG1
instance 1 vlan 2
instance 2 vlan 3
#
#
port default vlan 2
#
port default vlan 3
#
#
return
15.9.3 Example for Connecting CEs to the VPLS in Dual-Homing

Mode Through MSTP
NOTE
The switch XGE interface connected to the ACU2 does not support this configuration.
The switch XGE interface connected to the ET1D2IPS0S00, ET1D2FW00S00, ET1D2FW00S01 or
ET1D2FW00S02 does not support this configuration.
As shown in Figure 15-22, each CE is dual-homed to PEs. The PEs establish a VPLS full
mesh. The CEs and PEs run the MSTP protocol. Generally, traffic is forwarded through the
primary link. When the primary link fails, traffic is switched to the secondary link.

Figure 15-22 Network diagram for connecting CEs to the VPLS in dual-homing mode
1.1.1.1/32 2.2.2.2/32
PE1 PE2
GE1/0/0 GE2/0/0 GE2/0/0 GE1/0/0
GE1/0/0 GE3/0/0 GE3/0/0 GE1/0/0
GE2/0/0 VPLS GE2/0/0
CE1 GE3/0/0 GE2/0/0 CE2
PC1 GE1/0/1 GE2/0/0 GE3/0/0 GE1/0/1 PC2
10.1.1.1/24 GE1/0/0 GE1/0/0 10.1.1.2/24
PE4 PE3
4.4.4.4/32 3.3.3.3/32
Switch Interface VLANIF interface IP address
PE1 GigabitEthernet1/0/ GigabitEthernet1/0/ -

0 0.1
GigabitEthernet2/0/ VLANIF 10 172.16.1.1/24

0

0
Loopback1 - 1.1.1.1/32

0 0.1

0

0
Loopback1 - 2.2.2.2/32

0 0.1

0

0
Loopback1 - 3.3.3.3/32

0 0.1

Switch Interface VLANIF interface IP address

0

0
Loopback1 - 4.4.4.4/32
CE1 GigabitEthernet1/0/ - -
0
GigabitEthernet1/0/ - -
1
0
CE2 GigabitEthernet1/0/ - -
0
1
0
1. Configure the routing protocol on the backbone network to implement interworking.
2. Set up a remote LDP session between the PEs.
3. Establish a VPLS full mesh between PEs.
4. Configure MSTP. Configure PE1 and PE2 as the primary roots, and configure PE3 and
PE4 as the secondary roots.
Procedure
Step 1 Specify the VLANs that device interfaces belong to and set the IP addresses of the
corresponding VLANIF interfaces according to Figure 15-22.
NOTE
l Packets sent from CEs to PEs must contain VLAN tags.
# Configure CE1.
[CE1] vlan batch 100

# Configure CE2.
[CE2] vlan batch 100
# Configure PE1.
[PE1-Vlanif10] quit
[PE1-Vlanif40] quit
# Configure PE2.
[PE2-Vlanif10] quit
[PE2-Vlanif20] quit
# Configure PE3.


[PE3-Vlanif20] quit
[PE3-Vlanif30] quit
# Configure PE4.
[PE4-Vlanif30] quit
[PE4-Vlanif40] quit
Step 2 Configure an IGP. In this example, OSPF is adopted.

When configuring OSPF, advertise 32-bit loopback interface addresses (LSR IDs) of PE1,
PE2, PE3, and PE4.
# Configure PE1.
[PE1] ospf 1
[PE1-ospf-1] area 0
[PE1-ospf-1] quit
# Configure PE2.
[PE2] ospf 1
[PE2-ospf-1] area 0
[PE2-ospf-1] quit
# Configure PE3.

[PE3] ospf 1
[PE3-ospf-1] area 0
[PE3-ospf-1] quit
# Configure PE4.
[PE4] ospf 1
[PE4-ospf-1] area 0
[PE4-ospf-1] quit
# Wait for 40s and run the display ip routing-table command on PE1, PE2, and PE3. You
can see that the PEs have learned the routes to one another. The display on PE1 is used as an
example.
------------------------------------------------------------------------------

2.2.2.2/32 OSPF 10 1 D 172.16.1.2 Vlanif10
3.3.3.3/32 OSPF 10 2 D 172.19.1.1 Vlanif40
OSPF 10 2 D 172.16.1.2 Vlanif10
4.4.4.4/32 OSPF 10 1 D 172.19.1.1 Vlanif40
172.16.1.0/24 Direct 0 0 D 172.16.1.1 Vlanif10
172.16.1.1/32 Direct 0 0 D 127.0.0.1 Vlanif10
172.17.1.0/24 OSPF 10 2 D 172.16.1.2 Vlanif10
172.18.1.0/24 OSPF 10 2 D 172.19.1.1 Vlanif40
172.19.1.0/24 Direct 0 0 D 172.19.1.2 Vlanif40
172.19.1.2/32 Direct 0 0 D 127.0.0.1 Vlanif40
Step 3 Configure basic MPLS functions and LDP.

# Configure PE1.
[PE1] mpls
[PE1-mpls] quit
[PE1] mpls ldp
[PE1-mpls-ldp] quit
[PE1-Vlanif10] mpls
[PE1-Vlanif10] quit
[PE1-Vlanif40] mpls
[PE1-Vlanif40] quit
# Configure PE2.
[PE2] mpls
[PE2-mpls] quit
[PE2] mpls ldp

[PE2-mpls-ldp] quit
[PE2-Vlanif10] mpls
[PE2-Vlanif10] quit
[PE2-Vlanif20] mpls
[PE2-Vlanif20] quit
# Configure PE3.
[PE3] mpls
[PE3-mpls] quit
[PE3] mpls ldp
[PE3-mpls-ldp] quit
[PE3-Vlanif20] mpls
[PE3-Vlanif20] quit
[PE3-Vlanif30] mpls
[PE3-Vlanif30] quit
# Configure PE4.
[PE4] mpls
[PE4-mpls] quit
[PE4] mpls ldp
[PE4-mpls-ldp] quit
[PE4-Vlanif30] mpls
[PE4-Vlanif30] quit
[PE4-Vlanif40] mpls
[PE4-Vlanif40] quit
Step 4 Create a remote LDP session between PEs.
# Configure PE1.
# Configure PE2.
# Configure PE3.
# Configure PE4.
After the configuration is complete, run the display mpls ldp session command on the PEs.
The command output shows that the status of the remote LDP peer relationship is

Operational, indicating that remote LDP sessions have been set up. The output on PE1 is used
as an example:

------------------------------------------------------------------------------
------------------------------------------------------------------------------
------------------------------------------------------------------------------
# Configure PE1.
[PE1] mpls l2vpn
[PE1-l2vpn] quit
# Configure PE2.
[PE2] mpls l2vpn
[PE2-l2vpn] quit
# Configure PE3.
[PE3] mpls l2vpn
[PE3-l2vpn] quit
# Configure PE4.
[PE4] mpls l2vpn
[PE4-l2vpn] quit
# Configure PE1.
[PE1] vsi a2 static
[PE1-vsi-a2] quit
# Configure PE2.
[PE2] vsi a2 static
[PE2-vsi-a2] quit
Configuration of PE3 and PE4 is similar to configuration of PE1 and PE2.
Step 7 Bind the VSI to interfaces on the PEs.

NOTE
Before configuring the termination sub-interface, run the display vcmp status command to view the VCMP
role. If the value of the Role field is Client, run the vcmp role { silent | transparent } command to change
the VCMP role to silent or transparent.
# Configure PE1.
# Configure PE2.
# Configure PE3.
# Configure PE4.
Step 8 Configure STP.

1. Configure the MST region and activate the region.
# Configure PE1.
[PE1] stp region-configuration
[PE1-mst-region] region-name RG1
[PE1-mst-region] active region-configuration
[PE1-mst-region] quit
# Configure PE4.
# Configure CE1.
[CE1] stp region-configuration
[CE1-mst-region] region-name RG1
[CE1-mst-region] active region-configuration
[CE1-mst-region] quit
# Configure PE2.


# Configure PE3.
# Configure CE2.
[CE2-mst-region] region-name RG1
2. Configure the priorities of the PEs to make PE1 and PE2 the primary roots and PE3 and
PE4 the secondary roots.
# Configure PE1.
[PE1] stp instance 0 priority 0
# Configure PE2.
# Configure PE3.
# Configure PE4.
3. Enable association between MSTP and VPLS on the CEs and PEs, and configure root
protection on the secondary roots.
# Configure CE1.
[CE1] stp enable
[CE1-GigabitEthernet1/0/1] stp enable
[CE1-GigabitEthernet2/0/0] stp edged-port enable
[CE1-GigabitEthernet2/0/0] stp bpdu-filter enable
# Configure CE2.
[CE2] stp enable
[CE2-GigabitEthernet2/0/0] stp edged-port enable
[CE2-GigabitEthernet2/0/0] stp bpdu-filter enable
# Configure PE1.
[PE1] stp enable
[PE1-GigabitEthernet1/0/0] stp vpls-subinterface enable
[PE1-GigabitEthernet1/0/0] stp enable
[PE1-GigabitEthernet2/0/0] stp disable

# Configure PE2.
[PE2] stp enable
# Configure PE3.
[PE3] stp enable
[PE3-GigabitEthernet1/0/0] stp root-protection
# Configure PE4.
[PE4] stp enable
[PE4-GigabitEthernet1/0/0] stp root-protection

Run the display vsi name a2 verbose command on PE1. The command output shows that the
VSI state is Up.
***VSI Name : a2
VSI Index : 0
PW Signaling : ldp
MTU : 1500
Mpls Exp : --
DomainId : 255
Domain Name :
P2P VSI : disable

VSI State : up
VSI ID : 2
VC Label : 4099
Peer Type : dynamic
Session : up
Tunnel ID : 0xd
Broadcast Tunnel ID : 0xd
CKey : 2
NKey : 1
Stp Enable : 0
PwIndex : 0
VC Label : 4100
Peer Type : dynamic
Session : up
Tunnel ID : 0xf
Broadcast Tunnel ID : 0xf
CKey : 4
NKey : 3
Stp Enable : 0
PwIndex : 0
VC Label : 4101
Peer Type : dynamic
Session : up
Tunnel ID : 0xb
Broadcast Tunnel ID : 0xb
CKey : 6
NKey : 5
Stp Enable : 0
PwIndex : 0
Interface Name : GigabitEthernet1/0/0.1

State : up
Access Port : false
Last Up Time : 2015/03/16 15:56:44
**PW Information:

PW State : up
PW Type : label
Tunnel ID : 0xf
Broadcast Tunnel ID : 0xf
Ckey : 0x4
Nkey : 0x3
Main PW Token : 0xf


Tnl Type : LSP
Stp Enable : 0
PW Last Up Time : 2015/03/16 15:56:48
PW State : up
PW Type : label
Tunnel ID : 0xb
Broadcast Tunnel ID : 0xb
Ckey : 0x6
Nkey : 0x5
Main PW Token : 0xb
Tnl Type : LSP
Stp Enable : 0
PW Last Up Time : 2015/03/16 15:56:49
PW State : up
PW Type : label
Tunnel ID : 0xd
Broadcast Tunnel ID : 0xd
Ckey : 0x2
Nkey : 0x1
Main PW Token : 0xd
Tnl Type : LSP
Stp Enable : 0
PW Last Up Time : 2015/03/16 15:57:06
PC1 (10.1.1.1) can ping PC2 (10.1.1.2).

When the link between CE1 and PE1 fails or PE1 is faulty, PE4 becomes the primary root. In
this case, PC1 and PE2 can still ping each other.
----End
Configuration Files
#
sysname CE1
#
vlan batch 100
#
stp region-
configuration
region-name
RG1
active region-
configuration
#

#
#
port link-type
access
stp bpdu-filter
enable

#
return
#
sysname CE2
#
vlan batch 100
#
stp region-
configuration
region-name
RG1
#
#
#
port link-type
access
stp bpdu-filter
enable

#
return
#
sysname PE1
#
router id 1.1.1.1
#
vlan batch 10 40
#
stp instance 0 priority 0
#
stp region-
configuration
region-name
RG1
active region-
configuration
#
mpls lsr-id 1.1.1.1
mpls
#

mpls l2vpn
#
vsi a2 static
pwsignal ldp
vsi-id 2
peer 2.2.2.2
peer 3.3.3.3
peer 4.4.4.4
#
mpls ldp
#
remote-ip 3.3.3.3
#
interface Vlanif10
ip address 172.16.1.1 255.255.255.0
mpls
mpls ldp
#
interface Vlanif40
ip address 172.19.1.2 255.255.255.0
mpls
mpls ldp
#
stp vpls-subinterface enable
#
l2 binding vsi a2
#
stp disable
#
stp disable
#
interface LoopBack1
ip address 1.1.1.1 255.255.255.255
#
ospf 1
area 0.0.0.0
network 1.1.1.1 0.0.0.0
network 172.16.1.0 0.0.0.255
network 172.19.1.0 0.0.0.255
#
return
#
sysname PE2
#
router id 2.2.2.2
#
vlan batch 10 20
#
#
stp region-
configuration
region-name
RG1
active region-
configuration
#

mpls lsr-id 2.2.2.2

mpls
#
mpls l2vpn
#
vsi a2 static
pwsignal ldp
vsi-id 2
peer 1.1.1.1
peer 3.3.3.3
peer 4.4.4.4
#
mpls ldp
#
remote-ip 4.4.4.4
#
interface Vlanif10
ip address 172.16.1.2 255.255.255.0
mpls
mpls ldp
#
interface Vlanif20
ip address 172.17.1.1 255.255.255.0
mpls
mpls ldp
#
#
l2 binding vsi a2
#
stp disable
#
stp disable
#
interface LoopBack1
ip address 2.2.2.2 255.255.255.255
#
ospf 1
area 0.0.0.0
network 2.2.2.2 0.0.0.0
network 172.16.1.0 0.0.0.255
network 172.17.1.0 0.0.0.255
#
return
#
sysname PE3
#
router id 3.3.3.3
#
vlan batch 20 30
#
#
stp region-
configuration
region-name
RG1

active region-
configuration
#
mpls lsr-id 3.3.3.3
mpls
#
mpls l2vpn
#
vsi a2 static
pwsignal ldp
vsi-id 2
peer 1.1.1.1
peer 2.2.2.2
peer 4.4.4.4
#
mpls ldp
#
remote-ip 1.1.1.1
#
interface Vlanif20
ip address 172.17.1.2 255.255.255.0
mpls
mpls ldp
#
interface Vlanif30
ip address 172.18.1.1 255.255.255.0
mpls
mpls ldp
#
stp root-protection
#
l2 binding vsi a2
#
stp disable
#
stp disable
#
interface LoopBack1
ip address 3.3.3.3 255.255.255.255
#
ospf 1
area 0.0.0.0
network 3.3.3.3 0.0.0.0
network 172.17.1.0 0.0.0.255
network 172.18.1.0 0.0.0.255
#
return
#
sysname PE4
#
router id 4.4.4.4
#
vlan batch 30 40
#
#

stp region-
configuration
region-name
RG1
active region-
configuration
#
mpls lsr-id 4.4.4.4
mpls
#
mpls l2vpn
#
vsi a2 static
pwsignal ldp
vsi-id 2
peer 1.1.1.1
peer 2.2.2.2
peer 3.3.3.3
#
mpls ldp
#
remote-ip 2.2.2.2
#
interface Vlanif30
ip address 172.18.1.2 255.255.255.0
mpls
mpls ldp
#
interface Vlanif40
ip address 172.19.1.1 255.255.255.0
mpls
mpls ldp
#
stp root-protection
#
l2 binding vsi a2
#
stp disable
#
stp disable
#
interface LoopBack1
ip address 4.4.4.4 255.255.255.255
#
ospf 1
area 0.0.0.0
network 4.4.4.4 0.0.0.0
network 172.18.1.0 0.0.0.255
network 172.19.1.0 0.0.0.255
#
return

15.9.4 Example for Configuring MSTP Multi-Process for Layer 2

Single-Access Rings and Layer 2 Multi-Access Rings
On the network with both Layer 2 single-access rings and multi-access rings deployed,
switching devices transmit both Layer 2 and Layer 3 services. To enable different rings to
transmit different services, configure MSTP multi-process. Spanning trees of different
processes are calculated independently.
As shown in Figure 15-23, both Layer 2 single-access rings and dual-access rings are
deployed and switches A and B carry both Layer 2 and Layer 3 services. In this networking,
switches A and B connected to dual-access rings are also connected to a single-access ring.
NOTE
In the ring where MSTP multi-process is configured, you are advised not to block the interface directly
connected to the root protection-enabled designated port.
Figure 15-23 MSTP multi-process for Layer 2 single-access rings and multi-access rings
Network
SwitchC
GE1/0/5 GE1/0/5
Region name:RG1
PE2
PE1 SwitchB
SwitchA
CE CE
GE1/0/4 GE1/0/1 GE1/0/4
GE1/0/1
GE1/0/3 GE1/0/3
GE1/0/2 GE1/0/2
CE
CE
Instance1:VLAN2~100 Instance3:VLAN201~300
Process 1 Process 3
CE CE
Instance2:VLAN101~200
Process 2
1. Configure basic MSTP functions, add devices to MST regions, and create MSTIs.

NOTE
l Each ring can belong to only one region.

l Each CE can join only one ring.
2. Configure multiple MSTP processes:
a. Create multiple MSTP processes and add interfaces to these processes.
b. Configure a shared link.
3. Configure MSTP protection functions:
– Configure priorities of MSTP processes and enable root protection.
– Configure shared link protection.
4. Configure the Layer 2 forwarding function on devices.
Procedure
Step 1 Configure basic MSTP functions, add devices to an MST region, and create MSTIs.
1. Configure MST regions and create MSTIs.
# Configure an MST region and create MSTIs on SwitchA.
# Configure an MST region and create MSTIs on SwitchB.

2. Enable MSTP.
# Configure SwitchA.
# Configure SwitchB.
Step 2 Configure multiple MSTP processes.

1. Create multiple MSTP processes and add interfaces to these processes.
# Create MSTP processes 1 and 2 on SwitchA.
[SwitchA] stp process 1
[SwitchA-mst-process-1] quit
# Create MSTP processes 2 and 3 on SwitchB.

[SwitchB] stp process 2
[SwitchB-mst-process-2] quit


# Add GE 1/0/3 and GE 1/0/4 on SwitchA to MSTP process 1 and GE 1/0/2 to MSTP
process 2.
[SwitchA-GigabitEthernet1/0/4] stp binding process 1
# Add GE 1/0/3 and GE 1/0/4 on SwitchB to MSTP process 3 and GE 1/0/2 to MSTP
process 2.
[SwitchB-GigabitEthernet1/0/4] stp binding process 3
2. Configure a shared link.

[SwitchA-GigabitEthernet1/0/1] stp binding process 2 link-share
[SwitchB-GigabitEthernet1/0/1] stp binding process 2 link-share
3. Enable the MSTP function in MSTP multi-process.

[SwitchA-mst-process-1] stp enable
[SwitchA-mst-process-2] stp enable
[SwitchB-mst-process-3] stp enable
[SwitchB-mst-process-2] stp enable
Step 3 Configure MSTP protection functions.

l Configure priorities of MSTP processes and enable root protection.
[SwitchA-mst-process-1] stp instance 0 root primary

[SwitchB-mst-process-3] stp instance 0 root primary
[SwitchB-mst-process-3] stp instance 3 root primary
[SwitchB-mst-process-2] stp instance 0 root secondary
[SwitchB-mst-process-2] stp instance 2 root secondary
NOTE
– In each ring, the priority of the MSTP process on the downstream CE must be lower than the
priority of the MSTP process on the switching device.
– For switches A and B on the dual-access ring, you are recommended to configure them as the
primary root bridges of different MSTIs.
l Configure shared link protection.
[SwitchA-mst-process-2] stp link-share-protection
[SwitchB-mst-process-2] stp link-share-protection
Step 4 Create VLANs and add interfaces to VLANs.

# Create VLANs 2 to 200 on SwitchA. Add GE 1/0/3 and GE 1/0/4 to VLANs 2 to 100, and
add GE 1/0/1 and GE 1/0/2 to VLANs 101 to 200.
# Create VLANs 101 to 300 on SwitchB. Add GE 1/0/3 and GE 1/0/4 to VLANs 201 to 300,
and add GE 1/0/1 and GE 1/0/2 to VLANs 101 to 200.



l Run the display stp interface brief command on SwitchA.
# GE 1/0/4 is a designated port in the CIST of MSTP process 1 and in MSTI 1.
[SwitchA] display stp process 1 interface gigabitethernet 1/0/4 brief

[SwitchA] display stp process 2 interface gigabitethernet 1/0/2 brief
l Run the display stp interface brief command on SwitchB.

[SwitchB] display stp process 3 interface gigabitethernet 1/0/4 brief

[SwitchB] display stp process 2 interface gigabitethernet 1/0/2 brief
----End
Configuration Files
Only the MSTP-related configuration files are provided.
#
sysname
SwitchA
#
vlan batch 2 to
200
stp region-
configuration
region-name
RG1
instance 1 vlan 2 to
100
200


300
active region-
configuration
#
stp process
1
stp instance 0 root
primary
stp instance 1 root
primary
stp
enable
stp process
2
stp instance 0 root
primary
stp instance 2 root
primary
stp link-share-
protection
stp
enable
#
interface
GigabitEthernet1/0/1
port trunk allow-pass vlan 101 to
200
stp binding process 2 link-
share
#
interface
200
stp binding process
2
stp root-
protection
#
interface
100
stp binding process
1
#
interface
100
stp binding process 1
#
return
#
sysname
SwitchB
#

vlan batch 101 to

300
stp region-
configuration
region-name
RG1
100
200
300
active region-
configuration
#
stp process
2
stp instance 0 root
secondary
stp instance 2 root
secondary
stp link-share-
protection
stp
enable
stp process
3
stp instance 0 root
primary
stp instance 3 root
primary
stp
enable
#
interface
200
stp binding process 2 link-
share
#
interface
200
stp binding process
2
stp root-
protection
#
interface
300
stp binding process
3
#

interface
300
stp binding process
3
#
return
15.10 FAQ
15.10.1 How to Configure the MSTP Region?

The MSTP region is configured in the stp region-configuration view. The devices in the same
MSTP region share the same MSTP region configuration. A device is deleted of the region if
the MSTP region setting of the device is changed.
The following parameters can be set for an MSTP region:
l Format selector: The default value is 0 and cannot be set through the command.
l Region name: It is the bridge MAC address by default.
l Revision level: The default value is 0.
l Instance/Vlans Mapped: Mapping between instances and VLANs. By default, all
VLANs are mapped to instance 0.
15.10.2 Can a Huawei STP Switch Work with a Non-Huawei STP

Device?
Huawei switches use the standard STP protocol. Whether a switch can work with a non-
Huawei STP device depends on the protocol running on the non-Huawei device:
l If the non-Huawei device runs a standard STP protocol, including STP, MSTP, and
RSTP, the Huawei switch can work with it.
l If the non-Huawei device runs a non-standard STP protocol, except for the Cisco Per
VLAN Spanning Tree (PVST) protocol, the Huawei switch can transparently transmit
the STP packets from the device after you run the stp disable and bpdu enable
commands on the interface connected to the non-Huawei device.
l If a non-Huawei device is a Cisco device that runs PVST, the Huawei switch running a
version earlier than V200R005 cannot negotiate with the device, but can transparently
transmit the packets from the non-Huawei device. Huawei switches running V200R005
and later versions support the VLAN-based Spanning Tree (VBST) protocol that can
interwork with PVST.
15.10.3 Why Cannot Information About an STP Instance with a

Non-Zero ID Be Displayed?
The switch supports the MSTP protocol, which is compatible with STP and RSTP. An
instance with a non-zero ID takes effect only in MSTP mode. When STP works in STP or
RSTP mode, only instance 0 takes effect.

To query information about an instance with a non-zero ID, run the stp mode mstp command
to set the STP working mode to MSTP.
15.10.4 How to Prevent Low Convergence for STP Edge Ports that
Connect Terminals?
Terminal devices cannot participate in the STP calculation or respond to STP packets, causing
low convergence. You can prevent low convergence for STP edge switch ports for connecting
user terminals or servers as follows:
15.10.5 How Do I Configure a User-Side Interface on an STP

Switch?
Terminal devices cannot participate in the STP calculation or respond to STP packets. You
can configure a user-side interface as follows:
15.10.6 How Do I Prevent Terminals' Failures to Ping the Gateway

or Slow Speeds for Obtaining IP Addresses When They Connect
to an STP Network?
Terminal devices such as servers or network management workstations do not support STP.
However, STP is enabled on switch interfaces by default. An STP interface enters the
Forwarding state 30 seconds after it changes to the Up state. If an interface alternates between
Up and Down states, the terminal connected to the interface will fail to communicate with the
gateway or the time to obtain an IP address will increase.
To solve this problem, configure interfaces connected to terminals as edge ports or disable
STP on the interfaces.

15.11 References
The following table lists the references of MSTP.

rks
IEEE 802.1D IEEE Standard for: -

IEEE 802.1s IEEE Standard for: -

IEEE 802.1w IEEE Standard for: -

Common specifications

Configuration Guide - Ethernet Switching 16 VBST Configuration
16 VBST Configuration
About This Chapter
This chapter describes how to configure VLAN-based Spanning Tree (VBST). VBST is a
spanning tree protocol developed by Huawei. It constructs a spanning tree in each VLAN to
load balance traffic from different VLANs, improving link use efficiency.
16.1 Introduction to VBST

16.2 Principles
16.7 Configuring VBST
16.8 Maintaining VBST

16.1 Introduction to VBST
Definition
VBST, a Huawei spanning tree protocol, constructs a spanning tree in each VLAN so that
traffic from different VLANs is forwarded through different spanning trees. VBST is
equivalent to STP or RSTP running in each VLAN. Spanning trees in different VLANs are
independent of each other.
Purpose
Currently, there are three standard spanning tree protocols: Spanning Tree Protocol (STP),
Rapid Spanning Tree Protocol (RSTP), and Multiple Spanning Tree Protocol (MSTP). STP
and RSTP cannot implement VLAN-based load balancing, because all the VLANs on a LAN
share a spanning tree and packets in all VLANs are forwarded along this spanning tree. In
addition, the blocked link does not carry any traffic, which wastes bandwidth and may cause a
failure to forward packets from some VLANs. In real-world situations, MSTP is preferred
because it is compatible with STP and RSTP, ensures fast convergence, and provides multiple
paths to load balance traffic.
On enterprise networks, enterprise users need functions that are easy to use and maintain,
whereas the configuration of MSTP multi-instance and multi-process are complex and has
high requirements for engineers' skills.
To address this issue, Huawei develops VBST. VBST constructs a spanning tree in each
VLAN so that traffic from different VLANs is load balanced along different spanning trees. In
addition, VBST is easy to configure and maintain.
Benefits
VBST brings in the following benefits:
l Eliminates loops.
l Implements link multiplexing and load balancing, and therefore improves link use
efficiency.
l Reduces configuration and maintenance costs.
Comparisons Between VBST and Standard Spanning Tree Protocols

Table 16-1 lists the comparisons between VBST and STP/RSTP/MSTP.

Table 16-1 Comparisons between VBST and STP/RSTP/MSTP

Spannin Difference
g Tree Similarity
Protocol Convergenc Traffic Usage Complex
e Speed Forwarding Scenario ity
VBST Forms a RSTP/ A spanning l Service Medium

loop-free tree MSTP/VBST tree is formed traffic needs
topology to provides in each to be
prevent faster VLAN, so differentiated
broadcast convergence that traffic and load
storms and than STP. from balanced.
implement different l VBST
link backup. VLANs is interworks
forwarded with PVST,
through PVST+, and
different Rapid PVST
spanning +.
trees that are
independent
of each other.
MSTP Provides Service traffic High

mappings needs to be
between differentiated
MSTIs and and load
VLANs so balanced.
that traffic
from
different
VLANs is
forwarded
through
different
spanning
trees that are
independent
of each other.
RSTP Maps all Service traffic Low

VLANs to does not need to
STP Slowest one spanning be differentiated. Low
tree, so traffic
from all
VLANs is
forwarded
through the
same
spanning
tree.

16.2 Principles
VBST is equivalent to running STP or RSTP in each VLAN so that spanning trees in different
VLANs are independent of each other. Though VBST does not provide multi-instance, VBST
implements load balancing of traffic from different VLANs.
VBST inherits the following concepts of STP/RSTP:
l One root bridge
l Two measurements: ID and path cost
l Three port statuses: Discarding, Learning, and Forwarding
l Five port roles: root port, alternate port, backup port, designated port, and edge port
l Three timers: Hello Time, Forward Delay, and Max Age
Unlink STP/RSTP, VBST transmits VBST BPDUs in VLANs to determine the network
topology. VBST BPDUs are based on STP/RSTP BPDUs and a 4-byte 802.1q tag is added
between the source MAC address and protocol length. Figure 16-1 shows the comparisons
between the STP/RSTP BPDU and VBST BPDU.
Figure 16-1 Comparisons between the formats of the STP/RSTP BPDU and VBST BPDU
6 bytes 6 bytes 2 bytes 38-1492 bytes 4 bytes
STP/RSTP BPDU
encapsulation DMAC SMAC Length LLC Data CRC
format
DSAP SSAP Control

1 byte 1 byte 1 byte
VBST BPDU 6 bytes 6 bytes 4 bytes 2 bytes 38-1492 bytes 4 bytes

encapsulation
DMAC SMAC 802.1Q Tag Length LLC Data CRC
format
DSAP SSAP Control

1 byte 1 byte 1 byte
The DMAC identifies the destination MAC address of packets. The DMAC in a VBST BPDU
is 0100-0CCC-CCCD; the Data field in a standard RSTP/STP BPDU is used as the Data field
in a VBST BPDU. By default, the Data field in a standard RSTP BPDU is used as the Data
field in a VBST BPDU.
VBST implements VLAN-based spanning tree calculation, topology convergence, and
interworking with spanning tree protocols of other vendors.
VBST Topology Calculation

VBST supports VLAN-based topology calculation. Tagged VBST BPDUs are sent in each
VLAN except VLAN 1 and topology calculation is performed separately. The VBST topology
calculation method is similar to the STP/RSTP calculation method. For details, see 14.2.4

STP Topology Calculation. Different root bridges can be selected in VLANs. Figure 16-2
shows the topology calculation results of STP/RSTP and VBST.
Figure 16-2 Topology calculation results of STP/RSTP and VBST

S1 S4
VLAN 3 VLAN 2, 3 VLAN 2
HostC HostA
(VLAN 3) VLAN 3 VLAN 2 (VLAN 2)
VLAN 2
S2 S5
HostB VLAN 2, 3 VLAN 2, 3 HostD

(VLAN 2) (VLAN 3)
VLAN 3
VLAN2 VLAN 3
S3 S6
STP/RSTP spanning tree (root bridge S6)

S1 S4
VLAN 3 VLAN 2, 3 VLAN 2
HostC HostA
(VLAN 3) VLAN 3 VLAN 2 (VLAN 2)
VLAN 2
S2 S5
HostB VLAN 2, 3 VLAN 2, 3 HostD

(VLAN 2) (VLAN 3)
VLAN 3
VLAN 2 VLAN 3
S3 S6
Spanning tree for VBST VLAN 2 (root bridge S4)

Spanning tree for VBST VLAN 3 (root bridge S6)
In Figure 16-2:
l Through topology calculation, STP/RSTP generates a spanning tree with the root bridge
as S6. The links between S2 and S5 and between S1 and S4 are blocked. HostA and
HostB belong to VLAN 2. The link between S2 and S5 does not permit packets of
VLAN 2 to pass through because the link between S2 and S5 is blocked. Therefore,
HostA fails to communicate with HostB.

l Through topology calculation, VBST generates spanning trees VLAN 2 and VLAN 3
with root bridges as S4 and S6 respectively. Traffic in VLAN 2 and VLAN3 is forwarded
through their respective spanning trees so that traffic is load balanced between paths S2-
S5 and S3-S6.
Fast Convergence of VBST

VBST supports the Proposal/Agreement mechanism in common and enhanced modes:
l Common mode
The Proposal/Agreement mechanism in common mode supported by VBST is similar to
that supported by RSTP. For details, see 14.2.6 RSTP Technology Details.
l Enhanced mode
The Proposal/Agreement mechanism in enhanced mode supported by VBST is similar to
that supported by MSTP. For details, see 15.2.5 MSTP Fast Convergence.
Protection Mechanisms of VBST

Similar to RSTP, VBST provides BPDU protection, TC protection, root protection, and loop
protection. For details, see Protection functions.
Interworking Between VBST and Standard STP/RSTP

On a live network, VBST-enabled devices may connect to STP/RSTP-enabled devices. VBST
and STP/RSTP use different BPDU formats, so there are interworking problems. To
implement interworking between VBST and standard STP/RSTP, take the following
measures:
l On a trunk interface:
– When a VBST-enabled device connects to an RSTP-enabled device, the VBST-
enabled device uses standard RSTP BPDUs in VLAN 1 and VBST BPDUs with the
Data field of RSTP BPDUs in other VLANs to exchange with the RSTP-enabled
device.
– When a VBST-enabled device connects to an STP-enabled device, the VBST-
enabled device uses standard STP BPDUs in VLAN 1 and VBST BPDUs with the
Data field of STP BPDUs in other VLANs to exchange with the STP-enabled
device.
The following describes spanning tree implementation, as shown in Figure 16-3.
As shown in Figure 16-3, STP/RSTP is deployed on S1 and S2, and VBST is deployed
on S3 and S4. Devices are connected through trunk interfaces, and interfaces on S1
through S4 allow packets from VLAN 1 and VLAN 10 to pass through.

Figure 16-3 Interworking between VBST and STP/RSTP on a trunk interface

S1 S2
STP/RSTP STP/RSTP
VLAN1, 10
VLAN1, 10 VLAN1, 10
VLAN1, 10
VBST VBST
S3 S4
Spanning tree Spanning tree Spanning tree for

for VLAN 1 for VLAN 10 VLAN 1 and 10
Root bridge
Unblocked link
Blocked link
Blocked port
An STP/RSTP-enabled device can only send and receive STP/RSTP BPDUs, and
transparently transmit VBST BPDUs, so a spanning tree is formed in VLAN 1 as defined
by STP/RSTP.
Assume that the congestion point of the spanning tree in VLAN 1 is on S4. Because
VBST runs on S4, so the congestion point exists in VLAN 1. S4 can still receive and
forward VBST BPDUs in VLAN 10. Loops occur in VLAN 10, so spanning tree
calculation in VLAN 10 is triggered. S1 and S2 transparently transmit VBST BPDUs in
VLAN 10, so only four interfaces on S3 and S4 participate in spanning tree calculation
in VLAN 10. Then the spanning trees in VLAN 1 and VLAN 10 are formed, as shown in
Figure 16-3.
Assume that the blocking point of the spanning tree in VLAN 1 is on S2. STP/RSTP
runs on S2, so the blocking port exists on S2. S2 cannot forward VBST BPDUs from
VLAN 10 and no loop occurs in VLAN 10, so spanning tree calculation in VLAN 10 is
not triggered. VBST BPDUs from VLAN 10 can be forwarded along the spanning tree in
VLAN 1, that is, VLAN 10 and VLAN 1 share the spanning tree. as shown in Figure
16-3.
l On an access interface, a VBST-enabled device uses standard STP or RSTP BPDUs to
exchange with the remote end according to the VLAN that the access interface belongs
to. Topology calculation is performed as defined by STP/RSTP. Because STP/RSTP does
not differentiate VLANs, a spanning tree shared by VLANs is formed.

When a VBST-enabled device connects to an STP/RSTP-enabled device, the trunk interface

must be used to connect the two devices and the blocking point must be located on the VBST-
enabled device to implement load balancing.
Interworking Between VBST and PVST/PVST+/Rapid PVST+

On a live network, a VBST-enabled device may connect to a device enabled with PVST/
PVST+/Rapid PVST+.
l Trunk interface
– When a VBST-enabled device connects to a device enabled with Rapid PVST+, the
VBST-enabled device sends standard RSTP BPDUs (or VBST BPDUs with the
Data field of RSTP BPDUs) and VBST BPDUs with the Data field of RSTP
BPDUs in other VLANs to exchange with the device enabled with Rapid PVST+.
– When a VBST-enabled device connects to a device enabled with PVST+, the
VBST-enabled device sends standard STP BPDUs (or VBST BPDUs with the Data
field of STP BPDUs) and VBST BPDUs with the Data field of STP BPDUs in
other VLANs to exchange with the device enabled with PVST+.
– When a VBST-enabled device connects to a PVST-enabled device, packet exchange
is similar to that in the scenario where a VBST-enabled device connects to a device
enabled with PVST+. The difference is that the VBST-enabled device and PVST-
enabled device send only VBST BPDUs with the Data field of STP BPDUs in
VLAN 1.
The two devices can identify the BPDUs carrying VLAN information, so a VLAN-based
spanning tree is formed. The connection between a VBST-enabled device and a device
enabled with PVST/PVST+/Rapid PVST+ through a trunk interface is similar to the
connection between two VBST-enabled devices.
l Access interface
A VBST-enabled device uses standard STP BPDUs to exchange with the device enabled
with PVST/PVST+ or RSTP BPDUs to exchange with the device enabled with Rapid
PVST+ according to the VLAN that the access interface belongs to. Topology
calculation is performed as defined by STP/RSTP. Because STP/RSTP does not
differentiate VLANs, a spanning tree shared by VLANs is formed.

To improve reliability of an enterprise network, access switches often connect to aggregation
switches in dual-homing or multi-homing mode networking. In such networking, one link is
the active link, and other links are standby links. When multiple links are used, loops may
occur. As a result, broadcast storms occur and MAC address entries are damaged. In
addition, one access switch often needs to transmit services from different VLANs.
Deploying MSTP can eliminate loops and load balance traffic from different VLANs,
whereas it is difficult to configure and maintain MSTP multi-instance and multi-process.
You can deploy VBST. VBST constructs a spanning tree in each VLAN so that traffic from
different VLANs is forwarded through different spanning trees. This eliminates loops and
implements load balancing of traffic. In addition, VBST is easy to configure and maintain.

Figure 16-4 VBST implementing load balancing
Core Network
SwitchA SwitchB
Aggregation
VLAN 10, 20, 30 switch
VLAN 10, 20 VLAN 20, 30

0 VL
,2 AN
10 20
,
AN 30
VL
Access
switch
SwitchC SwitchD
Spanning tree Spanning tree Spanning tree

for VLAN 10 for VLAN 20 for VLAN 30
Forwarding path for
Root bridge traffic from VLAN 30
Unblocked link Forwarding path for
Blocked link traffic from VLAN 20
Blocked port Forwarding path for
traffic from VLAN 10
As shown in Figure 16-4, SwitchC and SwitchD are access switches; SwitchA and SwitchB
are aggregation switches. SwitchC and SwitchD are dual-homed to SwitchA and SwitchB. To
eliminate loops and load balance traffic from different VLANs, deploy VBST on SwitchA,
SwitchB, SwitchC, and SwitchD. Configure SwitchA as the root bridge of VLAN 10 and
VLAN 20 and SwitchB as the root bridge of VLAN 30.
Loops are eliminated based on VLANs. Figure 16-4 shows the formed spanning trees and
forwarding paths. In Figure 16-4, traffic from VLAN 10, VLAN 20, and VLAN 30 is
forwarded through their respective spanning trees. In this manner, traffic from VLAN 10,
VLAN 20, and VLAN 30 is load balanced on paths SwitchC<->SwitchA, SwitchD<-
>SwitchA, and SwitchD<->SwitchB.

Table 16-2 describes the VBST configuration tasks. VBST blocks redundant links and prunes
a network into a tree topology to eliminate loops and implement load balancing. You can
perform the following configurations to meet requirements in special scenarios:
l Setting VBST parameters that affect VBST convergence
l Configuring protection functions
l Setting parameters for interworking between a Huawei datacom device and a non-
Huawei device
Table 16-2 VBST configuration task summary

(Mandatory) Configure After you configure the 16.7.1 Configuring Basic

basic VBST functions operation mode of VBST VBST Functions
and start VBST, VBST
calculates the spanning tree
and prunes a network into a
tree network to eliminate
loops. You can perform the
following configurations to
manually adjust the
spanning tree calculation
result:
l Manually configure the
root bridge and
secondary root bridge.
l Configure the switch
priority. A smaller
priority value indicates a
higher priority of the
switch and higher
probability of becoming
the root bridge.
l Configure the port path
cost. A smaller path cost
indicates a smaller cost
from the port to the root
bridge and higher
probability of becoming
the root port.
l Configure the port
priority. A smaller
priority value indicates
higher probability of
becoming the designated
port.

(Optional) Set VBST The network diameter, 16.7.2 Setting VBST

parameters that affect VBST timeout interval, Hello time, Parameters That Affect
convergence Max Age, and Forward VBST Convergence
Delay affect VBST
convergence. Proper settings
of these parameters can
speed up VBST
convergence speed.
(Optional) Configure Huawei datacom devices 16.7.3 Configuring

protection functions provide the following Protection Functions of
protection functions: VBST
l BPDU protection:
prevents malicious
attacks from bogus
BPDUs.
l TC protection: reduces
the impact of malicious
attacks from bogus TCN
BPDUs.
l Root protection: protects
the role of the root
bridge by retaining the
role of the designated
port and prevents
network congestion
caused by malicious
attacks.
l Loop protection:
prevents loops caused by
link congestion.
(Optional) Set parameters To implement interworking 16.7.4 Setting Parameters

for interworking between a between a Huawei datacom for Interworking Between
Huawei datacom device and device and a non-Huawei a Huawei Datacom Device
a non-Huawei device device, configure the fast and a Non-Huawei Device
transition mode according to
the Proposal/Agreement
mechanism of the non-
Huawei device.

Other network elements also need to support VBST.

License Support
VBST is a basic feature of a switch and is not under license control.
Version Support
Table 16-3 Products and versions supporting VBST

Model
S7700 S7703, V200R005C00, V200R006C00, V200R007C00,

S7706, V200R008C00, V200R009C00, V200R010C00
S7712
S9700 S9703, V200R005C00, V200R006C00, V200R007C00,

S9706, V200R008C00, V200R009C00, V200R010C00
S9712
NOTE

l Table 16-4 describes the specifications of VBST.
Table 16-4 Specifications of VBST

Item Specification
Number of protected VLANs 128

Item Specification
PV quantity (production of number of l The CPU usage of VBST is in direct

VBST-enabled ports and number of proportion to the PV quantity.
VLANs) l EE series, and X series cards,
ES1D2X08SED4/ES1D2X08SED5,
and ES1D2L02QFC0 cards of the
S7700, and EH1D2X08SED4/
EH1D2X08SED5, EH1D2L02QFC0,
EH1D2L08QFC0, and
EH1D2X48SEC0 cards of the S9700
support up to 1200 PVs, and other
cards support up to 300 PVs.
l The number of PVs supported by the
switch is the total number of PVs
supported by running cards of the
switch.
l For an Eth-Trunk, in V200R009 and
earlier versions, the device supports
up to 300 PVs. In later versions of
V200R009, the maximum number of
PVs depends on the MPU model:
S7700: 300 for MCUA; 600 for
SRUA and SRUB; 1000 for SRUH,
SRUE
S9700: 300 for MCUA; 1000 for
SRUC and SRUD
NOTICE
If the PV quantity exceeds the specifications,
the CPU usage may exceed the threshold. As
a result, the switch cannot process tasks in a
timely manner, protocol calculation is
affected, and even the device cannot be
managed by the NMS.
l When HVRP is enabled on the switch, do not change the STP mode to VBST.
l When VBST is enabled on a ring network, VBST immediately starts spanning tree
calculation. Parameters such as the device priority and port priority affect spanning tree
calculation, and the change of these parameters may cause network flapping. To ensure
fast and stable spanning tree calculation, perform basic configurations on the switch and
interfaces before enabling VBST.
l If the protected instance has been configured in a SEP segment or ERPS ring but the
mapping between protected instances and VLANs is not configured, VBST cannot be
enabled.
l VBST cannot be enabled in the ignored VLAN or control VLAN used by ERPS, RRPP,
SEP, or Smart Link.
l If 1:N (N>1) mapping between MSTIs and VLANs has been configured on the switch,
delete the mapping before changing the STP working mode to VBST.

l If the stp vpls-subinterface enable command has been configured on a switch, run the
undo stp vpls-subinterface enable command on an interface before changing the STP
working mode to VBST.
l If the device has been configured as the root bridge or secondary root bridge, run the
undo stp vlan { vlan-id1 [ to vlan-id2 ] } &<1-10> root command to disable the root
bridge or secondary root bridge function and run the stp vlan { vlan-id1 [ to vlan-id2 ] }
&<1-10> priority priority command to change the device priority.
l When more than 128 MSTIs are dynamically specified, STP is disabled in a created
VLAN in the configuration file, for example, stp vlan 100 disable.
l To prevent frequent network flapping, ensure that the values of Hello time, Forward
Delay, and Max Age conform to the following formulas:
– 2 x (Forward Delay - 1.0 second) ≥ Max Age
– Max Age ≥ 2 x (Hello Time + 1.0 second)
l It is recommended that fast convergence in normal mode be used. If fast is used,
frequently deleting ARP entries may result in 100% CPU usage of the MPU and LPU.
As a result, packet processing expires and network flapping occurs.
l After all ports are configured as edge ports and BPDU filter ports in the system view,
none of ports on the switch send BPDUs or negotiate the VBST status with directly
connected ports on the remote device. All ports are in forwarding state. This may cause
loops on the network, leading to broadcast storms. Exercise caution when you configure
a port as an edge port and BPDU filter port.
l After a port is configured as an edge port and BPDU filter port in the interface view, the
port does not process or send BPDUs. The port cannot negotiate the VBST status with
the directly connected port on the peer device. Exercise caution when you configure a
port as an edge port and BPDU filter port.
l Root protection takes effect only on designated ports.
l An alternate port is the backup of the root port. If a switch has an alternate port,
configure loop protection on both the root port and alternate port.
Working mode MSTP
VBST Enabled globally, enabled on an interface, and STP

enabled in each VLAN
Port priority 128
Algorithm used to calculate the Dot1t, IEEE 802.1t

default path cost
Forward Delay 1500 centiseconds
Hello time 200 centiseconds
Max Age 2000 centiseconds

16.7 Configuring VBST
16.7.1 Configuring Basic VBST Functions

After you configure the working mode of VBST and start VBST, VBST calculates the
spanning tree and prunes a network into a tree network to eliminate loops. Network planners
can also set parameters such as the switch priority, port path cost, and port priority to adjust
the spanning tree calculation result.
Before configuring basic VBST functions, connect ports and set physical parameters of each
interface to make the physical layer in Up state (see Basic Configuration for Interfaces and
Ethernet Interface Configuration in S7700&S9700 Series Switches Configuration Guide -
Interface Management).
16.7.1.1 (Optional) Setting the Device Priority
Context
The device priority is used in spanning tree calculation, and determines whether the device
can be configured as a root bridge of a spanning tree. A smaller value indicates a higher
priority.
Generally, a high-performance switch at a high network layer is required to be selected as the

root bridge. However, the high-performance switch at a high network layer may not have a
high priority. It is necessary to set the device priority to ensure that the device functions as the
root bridge. Low-performance devices at lower network layers are not fit to serve as root
bridges. Therefore, set low priorities for these devices.
Procedure
Step 1 Run:
system-view
Step 2 Run:
stp vlan { vlan-id1 [ to vlan-id2 ] } &<1-10> priority priority
The priority of the switch in a specified VLAN is set.
By default, the priority of the device is 32768.

NOTE
If the device has been configured as the root bridge or secondary root bridge, to change the device
priority, run the undo stp vlan { vlan-id1 [ to vlan-id2 ] } &<1-10> root command to disable the root
bridge or secondary root bridge function and run the stp vlan { vlan-id1 [ to vlan-id2 ] } &<1-10>
priority priority command to set the device priority.
----End
16.7.1.2 (Optional) Setting the Path Cost for a Port
Context
A path cost is port-specific and is used by VBST to select a link. A port in different VLANs
may have different path costs on a network running VBST. Traffic from different VLANs is
forwarded through different physical links by setting a proper path cost enable, therefore
implementing VLAN-based load balancing.
The path cost value range is determined by the calculation method. The following calculation
methods are used:
l dot1d-1998: IEEE 802.1d standard is used to calculate the path cost.
l dot1t: IEEE 802.1T standard is used to calculate the path cost.
l legacy: Huawei calculation method is used to calculate the path cost.
After the calculation method is determined, the path cost of a port can be set. Generally, a
higher path cost indicates higher probability of a port to be blocked. If the link rate of a port is
small, you are advised to set a large path cost so that the port is selected as the blocking port
during spanning tree calculation and its link is blocked.
The default path cost varies according to the interface rate. Huawei calculation method is used
as an example. Table 16-5 shows the mapping between link rates and path costs.
Table 16-5 Mappings between link rates and path costs

Interface Rate Default Value Recommended Path Cost Range
Value Range
10 Mbit/s 2000 200-20000 1-200000
100 Mbit/s 200 20-2000 1-200000
1 Gbit/s 20 2-200 1-200000
10 Gbit/s 2 2-20 1-200000
Over 10 Gbit/s 1 1-2 1-200000
Procedure
Step 1 Run:
system-view

Step 2 Run:

By default, IEEE 802.1T standard is used to calculate the path cost.
All switches on the same network must use the same path cost calculation method.
Step 3 Run:
The view of the Ethernet interface that participates in spanning tree calculation is displayed.
Step 4 Run:
stp vlan { vlan-id1 [ to vlan-id2 ] } &<1-10> cost cost
The path cost of the port in each VLAN is set.

l If Huawei calculation method is used, the path cost ranges from 1 to 200000.
l If IEEE 802.1D standard is used, the path cost ranges from 1 to 65535.
l If IEEE 802.1T standard is used, the path cost ranges from 1 to 200000000.
----End
16.7.1.3 (Optional) Configuring Port Priorities
Context
In VBST spanning tree calculation, the port path cost, bridge ID of the sending switch, and
port priority determine whether the port can be selected as the designated port. A smaller
priority value indicates higher probability of becoming the designated port, and a larger
priority value indicates higher probability of becoming the blocking port.
On a network running VBST, a port can function as different roles in different spanning trees
so that traffic from different VLANs is forwarded through different physical paths.
Procedure
Step 1 Run:
system-view

Step 2 Run:
The view of the Ethernet interface that participates in spanning tree calculation is displayed.
Step 3 Run:
stp vlan { vlan-id1 [ to vlan-id2 ] } &<1-10> port priority priority
The priority of the port in each VLAN is set.

By default, the priority of a switch port is 128.
----End

16.7.1.4 (Optional) Manually Configuring the Mapping between MSTIs and

VLANs
Context
Based on the mappings between MSTIs and VLANs of MSTP, VBST maps each MSTI to a
VLAN to establish 1:1 mapping. The 1:1 mapping between MSTIs and VLANs are used only
by the switch to determine the VBST forwarding status. This does not mean that VBST
supports multi-instance.
The mapping between MSTIs and VLANs can be manually configured or dynamically
specified.
l You can manually configure the mapping between MSTIs and VLANs on the switch. If a
static mapping is also configured for a VLAN, the static mapping takes effect.
l After VBST is enabled, the system dynamically allocates instance IDs to existing or new
VLANs in ascending order. The dynamically specified mapping cannot be changed
manually. After a VLAN is deleted or STP is disabled globally, its mapping is
automatically deleted.
NOTE
When more than 128 MSTIs are dynamically specified, if a VLAN is created, in the configuration
file, STP is disabled, for example, stp vlan 100 disable.
The following steps are performed to manually configure the mapping between MSTIs and
VLANs.
Procedure
Step 1 Run:
system-view
Step 2 Run:
Step 3 Run:
instance instance-id vlan vlan-id
1:1 mapping between MSTIs and VLANs is configured.
By default, all VLANs in an MST region are mapped to MSTI 0.
NOTE
After this step is performed, the dynamic mapping between MSTIs and VLANs cannot be canceled even
if VLANs are deleted or STP is disabled globally.
Step 4 Run:
1:1 mapping between MSTIs and VLANs is activated.

NOTICE
The change of 1:1 mapping between MSTIs and VLANs causes VBST recalculation and
network flapping. Therefore, it is recommended that you run the check region-configuration
command in the MST region view to check whether the parameters of the MST region are set
correctly before activating the configuration of the MST region. When determining that
parameters of the MST region are set correctly, run the active region-configuration
command to activate 1:1 mapping between MSTIs and VLANs.
----End
16.7.1.5 Enabling VBST
Context
The VBST configuration takes effect only when VBST is enabled.
NOTICE
When VBST is enabled on a ring network, VBST immediately starts spanning tree
calculation. Parameters such as the switch priority and port priority affect spanning tree
calculation, and change of these parameters may cause network flapping. To ensure fast and
stable spanning tree calculation, perform basic configurations on the switch and ports before
enabling VBST.
The PV quantity is the number of VBST-enabled interfaces multiplied by the number of
VLANs. If the PV quantity exceeds the specifications, the CPU usage may exceed the
threshold. As a result, the switch cannot process tasks in a timely manner, protocol calculation
is affected, and even the device cannot be managed by the NMS. The PV quantity supported
by the device is as follows:
l The CPU usage of VBST is in direct proportion to the PV quantity.
l EE, and X1E cards, ES1D2X08SED4/ES1D2X08SED5 and ES1D2L02QFC0 cards of the
S7700, and EH1D2X08SED4/EH1D2X08SED5, EH1D2L02QFC0, EH1D2L08QFC0,
and EH1D2X48SEC0 cards of the S9700 support up to 1200 PVs, and other cards support
up to 300 PVs.
l The number of PVs supported by the switch is the total number of PVs supported by
running cards of the switch.
l For an Eth-Trunk, the device supports up to 300 PVs.
Procedure
Step 1 Run:
system-view

Step 2 Run:

stp mode vbst
The working mode of the switch is set to VBST.
By default, the switch works in MSTP mode.
NOTE
l The VBST mode cannot be used with the STP/RSTP/MSTP mode.

l When HVRP is enabled on the switch, do not change the STP mode to VBST.
l If a protected instance in a segment has been configured by the protected-instance (sep segment
view) command or a protected instance in an ERPS ring has been configured by the protected-
instance (ERPS ring view) command, you must perform the operation of 16.7.1.4 (Optional)
Manually Configuring the Mapping between MSTIs and VLANs. Otherwise, the STP working
mode cannot be changed to VBST.
l If 1:N (N>1) mapping between MSTIs and VLANs has been configured on the switch, the mapping
must be deleted before changing the STP working mode to VBST.
l If stp vpls-subinterface enable has been configured on the switch, the undo stp vpls-subinterface
enable command must be run on the interface before changing the STP working mode to VBST.
Step 3 Run:
stp enable
Global STP is enabled.
By default, STP is enabled globally.
Step 4 Run:
stp vlan { vlan-id1 [ to vlan-id2 ] } &<1-10> enable
VBST is enabled in each VLAN.
By default, VBST is enabled in a VLAN.
NOTE
VBST cannot be enabled in the ignored VLAN or control VLAN used by ERPS, RRPP, SEP, or Smart
Link.
If VLAN mapping or VLAN stacking is configured on an interface corresponding to the VLAN, VBST
negotiation for this VLAN will fail.
Step 5 Run:
Step 6 Run:
stp enable
STP is enabled on the interface.
By default, STP is enabled on each switch interface.
NOTE
STP cannot be used with SEP or Smart Link. An STP-enabled interface cannot join a SEP segment or
Smart Link group. Similarly, the interface that has joined the SEP segment or Smart Link group cannot
be enabled with STP.
----End

Procedure
l Run the display stp [ vlan vlan-id ] [ interface interface-type interface-number | slot
slot-id ] [ brief ] command to check the spanning tree status and statistics.
l Run the display stp [ vlan vlan-id ] active command to check details of and statistics on
spanning trees of all ports in Up state.
l Run the display stp [ vlan vlan-id ] bridge { root | local } command to check the
spanning tree status of the local bridge and root bridge.
l Run the display stp global command to check the summary of the spanning tree
protocol.
l Run the display stp region-configuration [ digest ] command to check the mapping
between instances and VLANs.
----End
16.7.2 Setting VBST Parameters That Affect VBST Convergence

After basic VBST functions are configured, VBST implements fast convergence using default
parameters. To achieve better convergence, set parameters that affect VBST convergence.
Background
All steps in this configuration task are optional. You can perform the steps as needed.
Before configuring VBST parameters that affect VBST convergence, perform the task of
Configuring Basic VBST Functions.
16.7.2.1 Setting the Network Diameter
Context
Any two terminals on a switching network are connected through a specific path along which
multiple devices are located. The network diameter is the maximum number of devices
between any two terminals. A larger network diameter indicates a larger network scale.
An improper network diameter may cause slow network convergence and affect
communication. Setting a proper network diameter according to the network scale helps speed
up network convergence.
The switch calculates the Forward Delay, Hello time, and Max-Age based on the configured
network diameter. It is recommended that you set the network diameter to configure timers.
Procedure
Step 1 Run:
system-view

Step 2 Run:
stp vlan { vlan-id1 [ to vlan-id2 ] } &<1-10> bridge-diameter diameter
A network diameter is set.
l Rapid Spanning Tree Protocol (RSTP) uses a single spanning tree instance on the entire
network. As a result, performance deteriorate when the network scale grows. Therefore,
the network diameter cannot be larger than 7.
l It is recommended that all devices on a ring network use the same network diameter.
----End
16.7.2.2 Setting Values of VBST Timers
Context
VBST uses the following parameters in spanning tree calculation:
l Forward Delay: determines the interval for port status transition. On a network where a
spanning tree algorithm is used, when the network topology changes, new BPDUs are
transmitted throughout the network after a given period of time. During the period, the
port that should enter the blocking state may be not blocked and the originally blocked
port may be unblocked, causing temporary loops. To address this problem, set the
Forward Delay during which all ports are blocked temporarily.
l Hello time: is the interval at which Hello packets are sent. The switch sends BPDUs to
neighboring devices at an interval of the Hello time to check whether links are faulty. If
the switch does not receive any BPDU at an interval of Hello time, the switch
recalculates the spanning tree due to BPDU timeout.
l Max Age: determines whether BPDUs expire. The switch determines whether the
received BPDU expires based on this value. If the received BPDU expires, the spanning
tree needs to be recalculated.
Devices on a ring network must use the same values of Forward Delay, Hello time, and Max
Age.
Generally, you are not advised to adjust values of the three parameters. This is because the
three parameters are relevant to the network scale. It is recommended that the network
diameter be adjusted so that the spanning tree protocol automatically adjusts the three
parameters. When the default network diameter is used, the default values of the three
parameters are used.
NOTICE
To prevent frequent network flapping, ensure that the values of Hello time, Forward Delay,
and Max Age conform to the following formulas:
l 2 x (Forward Delay - 1.0 second) ≥ Max Age
l Max Age ≥ 2 x (Hello time + 1.0 second)

Procedure
Step 1 Run:
system-view

Step 2 Set values of Hello time, Forward Delay, and Max Age.
l Run:
stp vlan { vlan-id1 [ to vlan-id2 ] } &<1-10> timer forward-delay forward-
delay
The value of Forward Delay is set.

By default, the value of Forward Delay is 1500 centiseconds.
l Run:
stp vlan { vlan-id1 [ to vlan-id2 ] } &<1-10> timer hello hello-time
The value of Hello time is set.

By default, the value of Hello time is 200 centiseconds.
l Run:
stp vlan { vlan-id1 [ to vlan-id2 ] } &<1-10> timer max-age max-age
The value of Max Age is set.

By default, the value of Max Age is 2000 centiseconds.
----End
16.7.2.3 Setting the VBST Timeout Interval
Context
The timeout interval of the switch is calculated through the following formula:
l Timeout interval = Hello time x 3 x Timer factor
On a network running VBST, when the network topology becomes stable, the non-root-bridge
switch forwards BPDUs sent by the root bridge to neighboring switches at an interval of
Hello time to check whether links are faulty. If the switch does not receive any BPDU from
the upstream device within the timeout interval, the switch considers that the upstream device
fails and recalculates the spanning tree.
Sometimes, the switch may not receive BPDUs in a long time from the upstream device
because the upstream device is very busy. In this case, the device should not recalculate its
spanning tree. Therefore, you can set a long timeout interval for the device on a stable
network to reduce waste of network resources.
Procedure
Step 1 Run:
system-view

Step 2 Run:

The timeout interval for the switch to wait for BPDUs from the upstream device is set.
By default, the timeout interval is 9 times the value of Hello time.
----End
16.7.2.4 Setting the Link Type of a Port
Context
Implementing fast convergence on a P2P link is easy. If the two ports connected to a P2P link
are root or designated ports, the ports can transit to the forwarding state quickly by sending
Proposal and Agreement packets. This reduces the forwarding delay.
Procedure
Step 1 Run:
system-view

Step 2 Run:
The view of the interface that participates in spanning tree calculation is displayed.
Step 3 Run:

By default, the link type of a port is auto.
l If the Ethernet port works in full-duplex mode, the port is connected to a P2P link. You
can specify force-true to implement fast convergence.
l If the Ethernet port works in half-duplex mode, specify force-true to forcibly set the link
type to P2P to implement fast convergence.
l In other situations, specify auto so that the port identifies whether it is connected to a
P2P link.
----End
16.7.2.5 Setting the Maximum Transmission Rate of a Port
Context
The maximum transmission rate of a port indicates the maximum number of BPDUs sent per
second. A larger value of the maximum transmission rate of a port indicates more BPDUs
sent at an interval of Hello time and therefore more system resources are occupied.
Setting the proper value of this parameter prevents excess bandwidth usage when route
flapping occurs. If network flapping occurs frequently, and the switch needs to detect
topology change in a timely manner and has sufficient bandwidth resources, set a large value
for this parameter.

Procedure
Step 1 Run:
system-view

Step 2 Run:
Step 3 Run:
The maximum number of BPDUs that the port can send at an interval of Hello time is set.
By default, a port sends a maximum of 6 BPDUs per second.
NOTE
If the maximum number of BPDUs needs to be set on all ports of the switch, run the stp transmit-limit
(system view) command.
----End
16.7.2.6 Manually Switching to the VBST Mode
Context
When a port on a VBST-enabled switch is connected to an STP-enabled switch, the port
automatically switches to the STP mode.
In the following cases, you need to switch the port back to the VBST mode manually:
l The STP-enabled switch is shut down or disconnected.
l The STP-enabled switch is switched to the RSTP/MSTP mode.
When a VBST-enabled switch connects to an MSTP-enabled switch, the connected port of the
MSTP-enabled switch automatically switches to the RSTP mode through negotiation. When
the VBST-enabled switch switches to the MSTP mode, the connected ports of the two
switches may still work in RSTP mode due to the time sequence problem. You can perform
the following operations to manually switch the ports to the MSTP mode.
Procedure
l Switching a port to the VBST mode
a. Run:
system-view

b. Run:
c. Run:
stp mcheck

The port is switched to the VBST mode.

l Switching the switch to the VBST mode
a. Run:
system-view

b. Run:
stp mcheck
The switch is switched to the VBST mode.
After the switch is switched to the VBST mode in the system view, all ports switch
to the VBST mode.
----End
16.7.2.7 Configuring a VBST Convergence Mode
Context
When the topology of an MSTI changes, the forwarding path of the VLAN mapping the
MSTI also changes. The MAC address entries and ARP entries relevant to the VLAN need to
be updated. VBST provides the following convergence modes:
l fast: The system directly deletes ARP entries to be updated.

l normal: The system rapidly ages ARP entries to be updated.
In fast or normal mode, the system directly deletes MAC addresses.
Procedure
Step 1 Run:
system-view
Step 2 Run:
stp converge { fast | normal }
A convergence mode is configured.
By default, the VBST convergence mode of a port is normal.
NOTE
normal is recommended. If fast is used, frequently deleting ARP entries may result in 100% CPU usage
of the MPU and LPU. As a result, packets are not processed in a timely manner and network flapping
occurs.
----End
16.7.2.8 Configuring a Port as an Edge Port and BPDU Filter Port

Context
If a designated port is located at the edge of a network and is directly connected to terminals,
this port is called edge port. The switch does not learn whether a port is directly connected to
terminals, the port needs to be manually configured as an edge port.
An edge port does not receive or process configuration BPDUs, or participate in VBST
calculation. It can transit from Disable to Forwarding without any delay to implement fast
convergence.
After a designated port is configured as an edge port, the port can still send BPDUs. Then
BPDUs are sent to other networks, causing flapping of other networks. You can configure a
port as an edge port and BPDU filter port so that the port does not process or send BPDUs.
NOTICE
l After all ports are configured as edge ports and BPDU filter ports in the system view, none
of ports on the switch send BPDUs or negotiate the VBST status with directly connected
ports on the peer device. All ports are in forwarding state. This may cause loops on the
network, leading to broadcast storms. Exercise caution when you configure a port as an
edge port and BPDU filter port.
l After a port is configured as an edge port and BPDU filter port in the interface view, the
port does not process or send BPDUs. The port cannot negotiate the VBST status with the
directly connected port on the peer device. Exercise caution when you configure a port as
an edge port and BPDU filter port.
Procedure
l Configuring all ports as edge ports and BPDU filter ports in the system view
a. Run:
system-view

b. Run:

By default, a port is a non-edge port.
c. Run:

By default, a port is a non-BPDU-filter port.
l Configuring a port as an edge port and BPDU filter port in the interface view
a. Run:
system-view

b. Run:

displayed.
c. Run:

By default, a port is a non-edge port.
d. Run:

By default, a port is a non-BPDU-filter port.
----End
Procedure
slot-id ] [ brief ] command to check the spanning tree status and statistics.
spanning trees of all ports in Up state.
l Run the display stp [ vlan vlan-id ] bridge { root | local } command to check the
spanning tree status of the local bridge and root bridge.
protocol.
----End
16.7.3 Configuring Protection Functions of VBST

VBST provides BPDU protection, TC protection, root protection, and loop protection, and
you can configure one or more protection functions as needed.
Before configuring protection functions of VBST, complete the following tasks:
l Perform the task of Configuring Basic VBST Functions.
l (Optional) Perform the task of Configuring an Edge Port before configuring BPDU
protection.
16.7.3.1 Configuring BPDU Protection on the Switch
Context
Edge ports are directly connected to user terminals and will not receive BPDUs. If a switch is
attacked by bogus BPDUs, edge ports will receive these BPDUs. The switch then sets the
edge ports as non-edge ports and recalculates the spanning tree, resulting in network flapping.

BPDU protection can be used to protect the switch against malicious attacks. After BPDU
protection is enabled on the switch, the switch shuts down an edge port if the edge port
receives a BPDU.
Perform the following operations on the switch configured with an edge port.
Procedure
Step 1 Run:
system-view

Step 2 Run:
stp bpdu-protection
BPDU protection is enabled on the switch.

By default, BPDU protection is disabled on the switch.
----End
Follow-up Procedure
To configure a shutdown edge port to go Up automatically, run the error-down auto-
recovery cause bpdu-protection interval interval-value command in the system view to
configure the automatic recovery function and set the recovery delay. After the delay expires,
the port automatically goes Up. Note the following when setting interval interval-value:
l A smaller value indicates a shorter delay for the port to go Up automatically and a higher
frequency at which the port alternates between Up and Down states.
l A larger value indicates a longer delay for the port to go Up automatically and longer
traffic interruption.
16.7.3.2 Configuring TC Protection on the Switch
Context
When malicious attackers send bogus TC BPDUs to attack the switch, the switch receives a
large number of TC BPDUs within a short time. If MAC address entries and ARP entries are
deleted frequently, the switch is heavily burdened, causing potential risks to the network.
TC protection is used to suppress TC BPDUs. You can set the number of times the switch
processes TC BPDUs within a given time period. If the number of TC BPDUs that the switch
receives within a given time exceeds the specified threshold, the switch processes TC BPDUs
only for the specified number of times. After the specified number of times is reached, the
switch processes excess TC BPDUs at one time only. For example, the period is set to 10s and
the threshold is set to 5. After the switch receives TC BPDUs, the switch processes the first
five TC BPDUs within 10s. After 10s, the switch processes subsequent TC BPDUs. In this
way, the switch does not need to frequently delete MAC entries and ARP entries.
Procedure
Step 1 Run:
system-view

Step 2 Configure either of or both of the parameters.

l Run:
The time taken by the switch to process the maximum of TC BPDUs is 10s.
By default, the time is the Hello timer length.
l Run:
10102
The maximum number of TC BPDUs processed by the switch in a given time is set.
By default, the default number of times that the switch handles the TC BPDUs and
updates forwarding entries is 1 within a unit time.
NOTE
Within the time specified by stp tc-protection interval, the switch processes TC BPDUs of a number
specified by stp tc-protection threshold. Other packets are delayed, so convergence may be affected.
----End
16.7.3.3 Configuring Root Protection on a Port
Context
Due to incorrect configurations or malicious attacks on a network, a valid root bridge may
receive BPDUs with a higher priority. Consequently, the valid root bridge is no longer able to
serve as the root bridge and the network topology is changed, triggering spanning tree
recalculation. As a result, traffic may be switched from high-speed links to low-speed links,
causing network congestion. To prevent network congestion, enable root protection on the
switch to protect the role of the root switch by retaining the role of the designated port.
NOTE

Perform the following operations on the root bridge.
Procedure
Step 1 Run:
system-view
Step 2 Run:
Step 3 Run:
stp root-protection
Root protection is enabled on the switch.

By default, root protection is disabled on a switch port.
----End
16.7.3.4 Configuring Loop Protection on a Port
Context
On a network running VBST, the switch maintains the root port status and status of blocked
ports by receiving BPDUs from an upstream switch. If the switch cannot receive any BPDU
from the upstream switch because of link congestion or unidirectional link failures, the switch
selects a new root port. The original root port becomes a designated port and the original
blocked ports change to the Forwarding state. This switching may cause network loops, which
can be mitigated by configuring loop protection.
If the root port or alternate port does not receive BPDUs from the upstream device for a long
time, the switch enabled with loop protection sends a notification to the NMS. If the root port
is used, the root port enters the Discarding state and becomes the designated port. If the
alternate port is used, the alternate port keeps blocked and becomes the designated port. In
this case, loops will not occur. After the link is not congested or unidirectional link failures
are rectified, the port receives BPDUs for negotiation and restores its original role and status.
NOTE
An alternate port is the backup of the root port. If a switch has an alternate port, you need to configure
loop protection on both the root port and alternate port.
Perform the following operations on the root port and alternate port of the switch.
Procedure
Step 1 Run:
system-view

Step 2 Run:
The view of the root port or alternate port is displayed.

Step 3 Run:
stp loop-protection
Loop protection is enabled.

By default, loop protection is disabled on a switch port.
----End
Procedure
slot-id ] [ brief ] command to check the spanning tree status, including the root
protection status and information about other protection functions.

spanning trees of all ports in Up state, including the root protection status and
information about other protection functions.
protocol.
----End
16.7.4 Setting Parameters for Interworking Between a Huawei

Datacom Device and a Non-Huawei Device
To implement interworking between a Huawei datacom device and a non-Huawei device,
configure the fast transition mode according to the Proposal/Agreement mechanism of the
non-Huawei device.
Context
The switch supports the following modes on the Proposal/Agreement mechanism:
l Enhanced mode: The port participates in calculation of the root port when calculating the
a. An upstream device sends a Proposal message to a downstream device, requesting
fast transition. After receiving the message, the downstream device sets the port
connected to the upstream device as a root port and blocks all non-edge ports.
b. The upstream device then sends an Agreement message to the downstream device.
After the downstream device receives the message, the root port transitions to the
Forwarding state.
c. The downstream device sends an Agreement message to the upstream device. After
receiving the Agreement message, the upstream device sets the port connected to
the downstream device as a designated port, and the designated port transitions to
l Common mode: The port ignores the root port when calculating the synchronization flag
bit.
a. An upstream device sends a Proposal message to a downstream device, requesting
fast transition. After receiving the Proposal message, the downstream device sets
the port connected to the upstream device as a root port and blocks all non-edge
ports. The root port then transitions to the Forwarding state.
b. The downstream device sends an Agreement message to the upstream device. After
receiving the Agreement message, the upstream device sets the port connected to
the downstream device as a designated port, and the designated port transitions to
On a network running VBST protocol, a Huawei datacom device and the connected non-
Huawei device may fail to communicate if they use different Proposal/Agreement modes. The
Huawei datacom device can select the same mode as that on the non-Huawei device to
implement interworking.
If Huawei datacom device and Handremanet switch are deployed on the VBST network, non-
standard STP/RSTP packets sent by the Handremanet switch may cause temporary loops.
Therefore, the Huawei datacom device interface needs to be configured to discard non-
standard STP/RSTP packets to prevent temporary loops.

Before setting parameters for interworking between a Huawei datacom device and a non-
Huawei device, perform the task of Configuring Basic VBST Functions.
Procedure
Step 1 Run:
system-view
Step 2 Run:
Step 3 Run:
The common mode is configured.
By default, the enhanced mode is used on a port.

stp agreement-legacy
The interface is configured to discard non-standard STP/RSTP packets sent by the

Handremanet switch.
By default, Huawei datacom device interface does not discard non-standard STP/RSTP
packets sent by the Handremanet switch.
----End
16.8 Maintaining VBST
16.8.1 Displaying VBST Running Information and Statistics
Context
You can view the VBST running information and statistics on VBST BPDUs. If the number
of topology change times increases, network flapping occurs.
Procedure
l Run the display stp [ vlan vlan-id ] topology-change command to check VBST
topology change statistics.
l Run the display stp error packet command to check the number of received error
packets and the content of recently received error packets.
l Run the display vbst [ vlan vlan-id ] [ interface interface-type interface-number | slot
slot-id ] bpdu-statistics command to check BPDU statistics.

slot-id ] tc-bpdu statistics command to check statistics on TC or TCN BPDUs on the
VBST-enabled port.
----End
16.8.2 Clearing VBST Statistics
Context
Before recollecting statistics on VBST BPDUs in a certain period, clear existing statistics on
VBST BPDUs.
NOTICE
Cleared statistics on VBST BPDUs cannot be restored. Exercise caution when you run the
reset vbst command.
Procedure
l Run the reset vbst [ interface interface-type interface-number | slot slot-id ] bpdu-
statistics command in the user view to clear statistics on VBST BPDUs.
----End
16.9.1 Example for Configuring VBST
As shown in Figure 16-5, SwitchC and SwitchD (access switches) are dual-homed to
SwitchA and SwitchB (aggregation switches) respectively. SwitchC transmits traffic from
VLAN 10 and VLAN 20, and SwitchD transmits traffic from VLAN 20 and VLAN 30. A
ring network is formed between the access layer and aggregation layer. The enterprise
requires that service traffic in each VLAN be correctly forwarded and service traffic from
different VLANs be load balanced to improve link use efficiency.

Figure 16-5 VBST networking
Core Network
SwitchA SwitchB
GE1/0/1 GE1/0/1
VLAN10, 20, 30
GE1/0/3 GE1/0/2 GE1/0/2 GE1/0/3
VLAN10, 20 VLAN20, 30
20 VL
1 0, AN
AN 20
,3
VL 0
GE1/0/3 GE1/0/3
GE1/0/2 GE1/0/2
SwitchC SwitchD
GE1/0/4 GE1/0/5 GE1/0/4 GE1/0/5
Spanning tree Spanning tree Spanning tree

for VLAN 10 for VLAN 20 for VLAN 30
Root bridge
Unblocked link
Blocked link
Blocked port
wozh
VBST can be used to eliminate loops between the access layer and aggregation layer and
ensures that service traffic in each VLAN is correctly forwarded. In addition, traffic from
different VLANs can be load balanced. The configuration roadmap is as follows:
1. Configure Layer 2 forwarding on access and aggregation switches.
2. Configure basic VBST functions on SwitchA, SwitchB, SwitchC, and SwitchD. Perform
the following operations so that a spanning tree shown in Figure 16-5 is formed through
calculation:

– Configure the root bridge and secondary root bridge of VLAN 10 as SwitchA and
SwitchB respectively, configure the root bridge and secondary root bridge of VLAN
20 as SwitchA and SwitchB respectively, and configure the root bridge and
secondary root bridge of VLAN 30 as SwitchB and SwitchA respectively, to ensure
root bridge reliability.
– Set a larger path cost for GE1/0/2 on SwitchC in VLAN 10 and VLAN 20 so that
GE1/0/2 is blocked in spanning trees of VLAN 10 and VLAN 20 accordingly, set a
larger path cost for GE1/0/2 on SwitchD in VLAN 20 and VLAN 30 so that
GE1/0/2 is blocked in the spanning tree of VLAN 20 and VLAN 30 accordingly.
3. Configure ports on SwitchC and SwitchD connected to terminals as edge ports to reduce
VBST topology calculation and improve topology convergence.
Procedure
Step 1 Configure Layer 2 forwarding on switches on the ring network.
l Create VLAN 10, VLAN 20, and VLAN 30 on SwitchA, SwitchB, SwitchC, and
SwitchD.
# Create VLAN 10, VLAN 20, and VLAN 30 on SwitchA.
[SwitchA] vlan batch 10 20 30
# Create VLAN 10, VLAN 20, and VLAN 30 on SwitchB.

[SwitchB] vlan batch 10 20 30
# Create VLAN 10 and VLAN 20 on SwitchC.

[SwitchC] vlan batch 10 20
# Create VLAN 20 and VLAN 30 on SwitchD.

[SwitchD] vlan batch 20 30
l Add ports connected to the ring to VLANs.

# Add GE1/0/1 on SwitchA to VLAN 10, VLAN 20, and VLAN 30.
[SwitchA-GigabitEthernet1/0/1] port trunk allow-pass vlan 10 20 30
# Add GE1/0/2 on SwitchA to VLAN 20 and VLAN 30.

# Add GE1/0/3 on SwitchA to VLAN 10 and VLAN 20.

# Add GE1/0/1 on SwitchB to VLAN 10, VLAN 20, and VLAN 30.
[SwitchB-GigabitEthernet1/0/1] port trunk allow-pass vlan 10 20 30

# Add GE1/0/2 on SwitchB to VLAN 10 and VLAN 20.

# Add GE1/0/3 on SwitchB to VLAN 20 and VLAN 30.

# Add GE1/0/2 on SwitchC to VLAN 10 and VLAN 20.

[SwitchC-GigabitEthernet1/0/2] port trunk allow-pass vlan 10 20
# Add GE1/0/3 on SwitchC to VLAN 10 and VLAN 20.

[SwitchC-GigabitEthernet1/0/3] port trunk allow-pass vlan 10 20
# Add GE1/0/4 on SwitchC to VLAN 10 and GE1/0/5 to VLAN 20.

# Add GE1/0/2 on SwitchD to VLAN 20 and VLAN 30.

[SwitchD-GigabitEthernet1/0/2] port trunk allow-pass vlan 20 30
# Add GE1/0/3 on SwitchD to VLAN 20 and VLAN 30.

[SwitchD-GigabitEthernet1/0/3] port trunk allow-pass vlan 20 30
# Add GE1/0/4 on SwitchD to VLAN 20 and GE1/0/5 to VLAN 30.

Step 2 Configure basic VBST functions.

1. Configure switches on the ring network to work in VBST mode.
# Configure SwitchA to work in VBST mode.
[SwitchA] stp mode vbst
# Configure SwitchB to work in VBST mode.

[SwitchB] stp mode vbst
# Configure SwitchC to work in VBST mode.

[SwitchC] stp mode vbst

# Configure SwitchD to work in VBST mode.

[SwitchD] stp mode vbst
2. Configure the root bridge and secondary root bridge.

– Configure the root bridge and secondary root bridge in VLAN 10.
# Configure SwitchA as the root bridge in VLAN 10.
[SwitchA] stp vlan 10 root primary
# Configure SwitchB as the secondary root bridge in VLAN 10.

[SwitchB] stp vlan 10 root secondary
# Configure SwitchA as the root bridge in VLAN 20.
[SwitchA] stp vlan 20 root primary
# Configure SwitchB as the secondary root bridge in VLAN 20.

[SwitchB] stp vlan 20 root secondary
# Configure SwitchB as the root bridge in VLAN 30.
[SwitchB] stp vlan 30 root primary
# Configure SwitchA as the secondary root bridge in VLAN 30.

[SwitchA] stp vlan 30 root secondary
3. Configure the path cost for a port so that the port can be blocked.
NOTE
– The path cost range depends on the algorithm. IEEE 802.1t standard is used as an example. Set
the path costs of the ports to be blocked to 2000000.
– All switches on the same network must use the same path cost calculation method.
# Set the path cost of GE1/0/2 on SwitchC to 2000000 in VLAN 10 and VLAN 20.
[SwitchC-GigabitEthernet1/0/2] stp vlan 10 cost 2000000
[SwitchC-GigabitEthernet1/0/2] stp vlan 20 cost 2000000
# Set the path cost of GE1/0/2 on SwitchD to 2000000 in VLAN 20 and VLAN 30.
[SwitchD-GigabitEthernet1/0/2] stp vlan 20 cost 2000000
[SwitchD-GigabitEthernet1/0/2] stp vlan 30 cost 2000000
4. Enable VBST to eliminate loops.

– Disable VBST in VLAN 1.
NOTE
By default, all interfaces join VLAN 1 and VBST in VLAN 1 is enabled. In this example, to
reduce spanning tree calculation, VBST is disabled in VLAN 1. To prevent loops in VLAN 1
after VBST is disabled, delete interfaces from VLAN 1.
# Disable VBST in VLAN 1 on SwitchA. The configurations on SwitchB, SwitchC,
and SwitchD are similar to the configuration of SwitchA, and are not mentioned
here.
[SwitchA] stp vlan 1 disable
# Delete GE1/0/1 through GE1/0/3 on SwitchA from VLAN 1. The configurations

on SwitchB, SwitchC, and SwitchD are similar to the configuration of SwitchA, and
are not mentioned here. The difference is that GE1/0/4 and GE1/0/5 on SwitchC
and SwitchD do not need to be removed from VLAN 1.


[SwitchA-GigabitEthernet1/0/1] undo port trunk allow-pass vlan 1
– Enable VBST globally.

By default, VBST is enabled globally.
Run the display stp global command to check the VBST status. If VBST is
disabled, run the stp enable command in the system view to enable VBST globally.
– Enable VBST in a VLAN.
By default, VBST is enabled in a VLAN.
Run the display stp vlan vlan-id command to check the VBST status. If the
message "The protocol is disabled" is displayed, VBST is disabled in the VLAN.
Run the stp vlan vlan-id enable command in the system view to enable VBST in
the VLAN.
– Enable VBST on ports.
By default, VBST is enabled on Layer 2 Ethernet ports.
Run the display stp interface interface-type interface-number command to check
the VBST status on an interface. If the message "The protocol is disabled" is
displayed, VBST is disabled on the interface. Run the stp enable command in the
interface view to enable VBST on the interface.
Step 3 Configure ports connected to terminals as edge ports to improve topology convergence.
# Configure GE1/0/4 and GE1/0/5 on SwitchC connected to terminals as edge ports. The edge
port configuration on SwitchD is similar to that of SwitchC, and is not mentioned here.

After the configuration is complete and the network topology becomes stable, perform the
following operations to verify the configuration.
# Run the display stp bridge local command on SwitchA to view the STP working mode.
[SwitchA] display stp bridge local
VLAN-ID Bridge ID Hello Max Forward Protocol
Time Age Delay
----- -------------------- ----- --- ------- ---------------------------
10 0.0200-0000-6703 2 20 15 VBST
20 0.0200-0000-6703 2 20 15 VBST
30 4096.0200-0000-6703 2 20 15 VBST
The preceding information shows that the VBST mode is used.

# Run the display stp brief command on SwitchA to view the port status.
VLAN-ID Port Role STP State Protection


The preceding information shows that SwitchA participates in spanning tree calculation in
VLAN 10, VLAN 20, and VLAN 30. For example, SwitchA is the root bridge in VLAN 10
and VLAN 20, so GE1/0/1 and GE1/0/3 in VLAN 10 are selected as designated ports.
GE1/0/1, GE1/0/2, and GE1/0/3 in VLAN 20 are selected as designated ports. SwitchA is the
secondary root bridge in VLAN 30, so GE1/0/1 is selected as the root port and GE1/0/2 is
selected as the designated port in VLAN 30.
# Run the display stp vlan 10 command on SwitchA to view detailed information about
VLAN 10.
[SwitchA] display stp vlan 10
-------[VLAN 10 Global Info]-------
Bridge ID :0 .0200-0000-6703
Config Times :Hello 2s MaxAge 20s FwDly 15s
Active Times :Hello 2s MaxAge 20s FwDly 15s
Root ID / RPC :0 .0200-0000-6703 / 0 (This bridge is the root)
RootPortId :0.0
Root Type :Primary
----[Port4093(GigabitEthernet1/0/1)][FORWARDING]----
Port Role :Designated Port
Port Priority :128
Port Cost(Dot1T) :Config=Auto / Active=20000
Desg. Bridge/Port :0 .0200-0000-6703 / 128.4093
Port Edged :Config=Default / Active=Disabled
Point-to-point :Config=Auto / Active=true
Transit Limit :6 packets/hello
Protection Type :None
----[Port4092(GigabitEthernet1/0/3)][FORWARDING]----
Port Role :Designated Port
Port Priority :128
Port Cost(Dot1T) :Config=Auto / Active=199999
Desg. Bridge/Port :0 .0200-0000-6703 / 128.4092
Port Edged :Config=Default / Active=Disabled
Point-to-point :Config=Auto / Active=true
Transit Limit :6 packets/hello
Protection Type :None
The preceding information shows that SwitchA is selected as the root bridge in VLAN 10 and
GE1/0/1 and GE1/0/3 are selected as designated ports in Forwarding state.
# Run the display stp brief command on SwitchB, SwitchC, and SwitchD to view the port
status.

[SwitchD] display stp brief

The preceding information shows that SwitchB participates in spanning tree calculation in
VLAN 10, VLAN 20, and VLAN 30, SwitchC participates in spanning tree calculation in
VLAN 10 and VLAN 20, and SwitchD participates in spanning tree calculation in VLAN 20
and VLAN 30. After the calculation is complete, ports are selected as different roles to
eliminate loops.
Different spanning trees are formed in VLAN 10, VLAN 20, and VLAN 30, and traffic in
VLAN 10, VLAN 20, and VLAN 30 is forwarded along different spanning trees to implement
load balancing.
----End
Configuration Files
#
sysname SwitchA
#
vlan batch 10 20 30
#
stp mode vbst
#
stp vlan 1 disable
stp vlan 30 root secondary
stp vlan 10 20 root primary
#
undo port trunk allow-pass vlan 1
#
#
#
return

#
sysname SwitchB
#
vlan batch 10 20 30
#
stp mode vbst
#
stp vlan 1 disable
stp vlan 10 20 root secondary
stp vlan 30 root primary
#


#
#
#
return
#
sysname SwitchC
#
vlan batch 10 20
#
stp mode vbst
#
stp vlan 1 disable
#
stp vlan 10 20 cost 2000000
#
#
#
#
return
#
sysname SwitchD
#
vlan batch 20 30
#
stp mode vbst
#
stp vlan 1 disable
#
stp vlan 20 30 cost 2000000
#
#


#
#
return

Configuration Guide - Ethernet Switching 17 SEP Configuration
17 SEP Configuration
About This Chapter
This chapter describes how to configure the Smart Ethernet Protection (SEP). SEP is a ring
network protocol specially used for the Ethernet link layer. It blocks redundant links to
prevent logical loops on a ring network.
17.1 Introduction to SEP

17.2 Principles
17.3 Applications
17.6 Configuring SEP
17.7 Maintaining SEP

17.1 Introduction to SEP
Definition
The Smart Ethernet Protection (SEP) protocol is a ring network protocol specially used for the
Ethernet link layer. A SEP segment consists of interconnected Layer 2 switching devices
configured with the same SEP segment ID and control VLAN ID. A SEP segment is the basic
unit for SEP.
Purpose
causing broadcast storms and rendering the MAC address table unstable. As a result,
communication quality deteriorates, and services may even be interrupted. To solve the loop
problem, Huawei datacom devices support the following ring network protocols:
l STP/RSTP/MSTP
STP, RSTP, and MSTP are standard protocols for breaking loops on Ethernet networks.
They are mature and widely used. Huawei devices running STP, RSTP, or MSTP can
communicate with non-Huawei devices. Networks running these protocols converge
slowly (in seconds), failing to meet transmission requirements of some real-time
services. The convergence time is affected by the network topology.
l RRPP
RRPP is a Huawei-proprietary protocol. It provides fast convergence (less than 50 ms).
However, its configuration is complex. A Huawei device running RRPP cannot
communicate with any non-Huawei device. RRPP requires a physical topology to be
divided into logical topologies so that major rings and sub-rings can be differentiated.
Therefore, RRPP does not apply to complex networks.
Huawei developed SEP to overcome the disadvantages of the preceding ring network
protocols. Compared with RRPP, SEP has the following advantages:
l Applies to diverse complex networks and supports all topologies and network topology
query. For example, a network running SEP can connect to a network running STP,
RSTP, MSTP, or RRPP.
Network topology display helps locate blocked interfaces quickly. When a fault occurs,
SEP can quickly locate the fault, improving network maintainability.
l Allows selectively interface blocking, which effectively implements traffic load
balancing.
l Prevents traffic from being switched back after link recovery, which improves network
stability.
17.2 Principles

17.2.1 Principles of SEP

SEP is a ring network protocol dedicated to the Ethernet link layer. A SEP segment is the
basic unit for SEP. Only two interfaces on a switching device can be added to the same SEP
segment.
To prevent loops in a SEP segment, a ring protection mechanism is used to selectively block
interfaces to eliminate Ethernet redundant links. When a link on a ring network fails, the
device running SEP immediately unblocks the interface and performs link switching to restore
communication between nodes.
Figure 17-1 shows a typical SEP application. CE1 is connected to Network Provider Edges
(NPEs) through a semi-ring formed by switches. A VRRP group is deployed on the NPEs.
Initially, NPE1 serves as the master and NPE2 as backup to NPE1. When the link between
NPE1 and LSW5 or a node on the link becomes faulty, NPE1 becomes the backup to NPE2,
which then becomes the master. The following situations occur depending on whether SEP is
deployed. The following assumes that the link between LSW1 and LSW5 becomes faulty.
l If SEP is not deployed on the semi-ring, CE1 traffic is still transmitted along the original
path, but NPE1 does not forward traffic, causing traffic interruption.
l If SEP is deployed on the semi-ring, the blocked interface on LSW5 is unblocked, enters
the Forwarding state, and sends link state advertisements (LSAs) to instruct other nodes
on the SEP segment to update their LSA databases. Then CE1 traffic is transmitted along
backup link LSW5->LSW2->LSW4->NPE2, ensuring uninterrupted traffic transmission.

Figure 17-1 Schematic diagram for SEP

Access Aggregation Core
LSW1 LSW3 Master Backup
NPE1 IP/MPLS
VRRP+peer BFD Core
NPE2
CE1
LSW5
LSW2 LSW4 Backup Master
a,SEP is not deployed on the semi-ring

SEP NPE1 IP/MPLS

Segment VRRP+peer BFD Core
NPE2
CE1
LSW5
SEP NPE1 IP/MPLS

Segment VRRP+peer BFD Core
NPE2
CE1
LSW5
b,SEP is deployed on the semi-ring

Primary Edge Port
Secondary Edge Port
Block Port
In common SEP networking, a physical ring can be configured with only one SEP segment in
which only one interface can be blocked. If an interface in a complete SEP segment is
blocked, all service data is transmitted only along the path where the primary edge interface is
located. The path where the secondary edge interface is located remains idle, wasting
bandwidth.

SEP multi-instance is used to improve bandwidth efficiency and implement traffic load
balancing. SEP multi-instance allows two SEP segments to be configured on a physical ring.
Each SEP segment independently detects the completeness of the physical ring, blocks or
unblocks interfaces without affecting the other.
For details about SEP multi-instance, see 17.2.3 SEP Implementation Mechanisms.
17.2.2 Basic Concepts of SEP
Network Architecture of SEP

As shown in Figure 17-2, LSW1 through LSW5 constitute a ring and are dual-homed to an
upper-layer or a Layer 2 network. Two edge devices LSW1 and LSW5 are indirectly
connected. This networking is called open-ring networking. This access mode will cause a
loop on the entire network. To eliminate redundant links and ensure link connectivity, a
mechanism used to prevent loops is required.
Figure 17-2 shows the typical networking of an open ring running SEP. The following
describes the basic concepts of SEP.
Figure 17-2 Networking diagram of an open ring running SEP
Network Network
LSW5
LSW1 LSW1 LSW5
SEP SEP
Segment Segment
LSW2 LSW4 LSW2 LSW4
LSW3 LSW3
CE CE
No-Neighbor Primary Edge Port
No-Neighbor Secondary Edge Port
Primary Edge Port
Secondary Edge Port
Block Port
l SEP segment
A SEP segment consists of interconnected Layer 2 switching devices configured with the
same SEP segment ID and control VLAN ID. A SEP segment is the basic unit for SEP.

A SEP segment is a ring or linear Ethernet topology. Each SEP segment has a control
VLAN, edge interfaces, and common interfaces.
l Control VLAN
In a SEP segment, the control VLAN is used to transmit only SEP packets.
Each SEP segment must have a control VLAN. After an interface is added to a SEP
segment that has a control VLAN, the interface is automatically added to the control
VLAN.
Different SEP segments can use the same control VLAN.
Different from a control VLAN, a data VLAN is used to transmit data packets.
l Node
Each Layer 2 switching device in a SEP segment is a node. Each node can have at most
two interfaces added to the same SEP segment.
l Interface role
As defined in SEP, there are two interface roles: common interfaces and edge interfaces.
As shown in Table 17-1, edge interfaces are further classified into primary edge
interfaces, secondary edge interfaces, no-neighbor primary edge interfaces, and no-
neighbor secondary edge interfaces.
NOTE
Normally, edge interfaces and no-neighbor edge interfaces belong to different SEP segments.
Table 17-1 Interface roles

Interface Role Sub-role Description
Edge interface Primary edge A SEP segment has only one primary
interface edge interface, which is determined by
the configuration and election.
The primary edge interface initiates
blocked interface preemption, terminates
packets, and sends topology change
notification messages to other networks.
Secondary edge A SEP segment has only one secondary

interface edge interface, which is determined by
the configuration and election.
The secondary edge interface terminates
packets and sends topology change
notification messages to other networks.

Interface Role Sub-role Description
No-neighbor An interface at the edge of a SEP segment

primary edge is a no-neighbor edge interface, which is
interface determined by the configuration and
election.
The no-neighbor primary edge interface
terminates packets and sends topology
change notification messages to other
networks.
No-neighbor primary edge interfaces are
used to interconnect Huawei devices and
non-Huawei devices or interconnect
Huawei devices and devices that do not
support SEP.
No-neighbor A SEP segment has only one no-neighbor

secondary edge secondary edge interface, which is
interface determined by the configuration and
election.
The no-neighbor secondary edge interface
terminates packets and sends topology
change notification messages to other
networks.
No-neighbor secondary edge interfaces
are used to interconnect Huawei devices
and non-Huawei devices or interconnect
Huawei devices and devices that do not
support SEP.
Common - In a SEP segment, all interfaces except

interface edge interfaces are common interfaces.
A common interface monitors the status
of the directly-connected SEP link. When
the link status changes, the interface
sends a topology change notification
message to notify its neighbors. Then the
topology change notification message is
flooded on the link until it finally reaches
the primary edge interface. The primary
edge interface determines how to process
the link change.
l Blocked interface
In a SEP segment, some interfaces are blocked to prevent loops.
Any interface in a SEP segment may be blocked if no interface is specified for blocking.
A complete SEP segment has only one blocked interface.
l Status of a SEP interface
In a SEP segment, a SEP interface has two working states: Forwarding and Discarding,
as shown in Table 17-2.

Table 17-2 Interface status

Interface Description
Status
Forwarding The interface can forward user traffic, receive and send SEP packets.
Discarding The interface can receive and send SEP packets but cannot forward user
traffic.
An interface may be in Forwarding or Discarding state regardless of its role.
SEP Packet
Table 17-3 shows the types of SEP packets.
Table 17-3 Types of SEP packets

Packet Type Packet Subtype Description
Hello packet - After an interface is added to a SEP segment,

neighbor negotiations start. The interface and its
neighbor exchange Hello packets to establish a
neighbor relationship. After neighbor negotiations
succeed, the two interfaces continue to exchange
Hello packets to detect their neighbor status.
LSA LSA request After an interface has SEP enabled, the interface
packet periodically sends LSAs to its neighbor. After the
state machine of the neighbor goes Up, the two
LSA ACK packet interfaces update their LSA databases, that is, all
topology information.
TC packet - When the topology of a SEP segment changes, the

device where the SEP segment and the upper-layer
network are intersected sends a Topology Change
(TC) packet to notify the upper-layer network. Then
all nodes on the upper-layer network need to update
their MAC address tables and ARP tables.
GR packet - When a device is performing an active/standby

switchover, it sends a SEP Graceful Restart (GR)
packet to instruct other nodes to prolong the aging
time of the LSAs received from the device. After the
active/standby switchover is complete, the device
needs to send another GR packet to instruct other
nodes to restore the aging time of the LSAs received
from the device to the previous value.

Packet Type Packet Subtype Description
Primary edge - After an interface has SEP enabled, it considers itself

interface the primary edge interface if it is qualified for
election primary edge interface selection. The interface then
packet periodically sends primary edge interface election
packets without waiting for the success of neighbor
negotiations. A primary edge interface election
packet contains the interface role (primary edge
interface, secondary edge interface, or common
interface), bridge MAC address of the interface,
interface ID, and integrity of the topology database.
Preemption Preemption A preemption packet is used to block a specified

packet request packet interface.
Preemption ACK Preemption packets are sent by the elected primary

packet edge interface or brother interface of a no-neighbor
primary edge interface.
17.2.3 SEP Implementation Mechanisms
Neighbor Negotiation Mechanism

After an interface is added to a SEP segment, neighbor negotiations start. The interface and its
neighbor exchange Hello packets to establish a neighbor relationship. After neighbor
negotiations succeed, the two interfaces continue to exchange Hello packets to detect their
neighbor status.
Neighbor negotiations prevent unidirectional links because neighbor negotiations are

bidirectional. Interfaces at both ends of a link, must send Hello packets to each other, as a
means of status confirmation. If an interface does not receive a Hello packet from an interface
at the other end of a link within a specified period, the interface considers the other to be
Down.
Neighbor negotiations provide information required to obtain the SEP segment topology.
Interfaces establish neighbor relationships through neighbor negotiations, forming a complete
SEP segment. Therefore, the SEP segment topology can be obtained.
Synchronization of SEP LSA Databases and Topology Display

l Synchronization of SEP link state advertisement (LSA) databases
After neighbor negotiations are complete, devices in a SEP segment enter the LSA
database synchronization phase and periodically send LSAs. After a device receives
LSAs from other devices, the device updates its LSA database. This ensures that the
LSA databases of all devices in the SEP segment are consistent.
If a device does not receive LSAs from its peer device or other devices in the SEP
segment within three LSA transmission intervals, the device will age the database that
saves the LSAs of the other devices in the SEP segment.
When a faulty device in a SEP segment recovers, the device needs to obtain topology
information from the other devices in the SEP segment and sends LSA request packets to

the other devices. After receiving LSA request packets from the device, neighboring
interfaces reply with LSA ACK packets that contain the latest link state information.
l SEP segment topology display
The topology display function allows you to view the topology with the highest network
connectivity on any device in a SEP segment. Link state synchronization ensures that all
devices in a SEP segment display the same topology.
Table 17-4 shows the types of SEP segment topologies.
Table 17-4 Types of SEP segment topologies
Topology Type Description Constraint
Ring topology Each interface in a SEP l If the primary edge

segment has a neighboring interface is elected on a
interface in Up state and a ring, the primary edge
brother interface, and each interface is listed first
node has two interfaces in in the topology
the SEP segment. information displayed
on each interface.
l If the primary edge
interface is not elected
but the secondary edge
interface is elected, the
secondary edge
interface is listed first
in the topology
information displayed
on each interface.
Linear topology All topologies except ring For interfaces at both ends
topologies are linear of a link:
topologies. l If one interface
functions as the
primary edge interface,
the primary edge
in the topology
on each interface.
l If the primary edge
interface is not elected
but the secondary edge
interface is elected, the
secondary edge
in the topology
on each interface.

NOTE
The constraints listed in Table 17-4 ensure that each node in a ring or linear topology displays the
same topology information.
Primary Edge Interface Election

Only interfaces that are configured as no-neighbor edge interfaces, primary edge interfaces,
and secondary edge interfaces can participate in primary edge interface election.
NOTE
If only one interface on a node has SEP enabled, you must set the role of the interface to edge so that the
interface can function as an edge interface.
As shown in Figure 17-3, if there is no faulty link on the network and SEP is enabled on the
interfaces, the following situations occur:
l Common interfaces do not participate in primary edge interface election. Only P1 on
LSW1 and P1 on LSW5 participate in primary edge interface election.
l If P1 on LSW1 and P1 on LSW5 have the same role, P1 with a higher MAC address is
elected as the primary edge interface.
After the primary edge interface is selected, it periodically sends primary edge interface
election packets without waiting for the success of neighbor negotiations. A primary edge
interface election packet contains the interface role (primary edge interface, secondary edge
interface, or common interface), bridge MAC address of the interface, interface ID, and
integrity of the topology database.
Figure 17-3 Networking diagram of electing the primary edge interface
Network Network
LSW1 LSW5 LSW1 LSW5
P1 P1 P1 P1
SEP SEP
Segment Segment
LSW2 LSW4 LSW2 LSW4

Failed
Failed
LSW3 LSW3
Primary Edge Port

Secondary Edge Port
Election packet of
Primary Edge Port

As shown in Figure 17-3, if a link fault occurs in the SEP segment, P1 on LSW1 and P1 on
LSW5 receive fault notification packets or P1 on LSW5 does not receive primary edge
interface election packets within a specified period. Then P1 on LSW1 becomes the
secondary edge interface. Consequently, two secondary edge interfaces exist in the SEP
segment and periodically send primary edge interface election packets.
When all link faults in the SEP segment are rectified, the two secondary edge interfaces can
receive primary edge interface election packets and elect a new primary edge interface within
a configured interval (1s by default).
Specifying an Interface to Block

Normally, a blocked interface is one of the two interfaces that complete neighbor negotiations
last. In some cases, however, the negotiated blocked interface may not be the required one.
You can specify an interface to block according to network requirements. The specified
interface preempts to be the blocked interface only after the preemption mechanism takes
effect.
l Interface blocking mode
You can configure the interface blocking mode to specify a blocked interface. Table 17-5
lists interface blocking modes.
Table 17-5 Interface blocking mode

Interface Blocking Mode Description
Specify the interface with SEP compares interface priorities as follows:

the highest priority as the 1. Compares configured interface priority values. A
blocked interface. larger value indicates a higher priority.
2. Compares bridge MAC addresses of interfaces
with same priority values. A smaller bridge MAC
address indicates a higher priority.
3. Compares interface numbers of interfaces with
identical bridge MAC addresses. A smaller
interface number indicates a higher priority.
Specify the interface in the -

middle of a SEP segment as
the blocked interface.
Specify a blocked interface SEP sets the hop count of the primary edge interface
based on the configured hop to 1 and the hop count of the neighboring interface of
count. the primary interface to 2. Hop counts of other
interfaces increase by steps of 1 in the downstream
direction of the primary edge interface.

Interface Blocking Mode Description
Specify a blocked interface After SEP is configured, the interface to be blocked is

based on the device and determined by the device and interface names. Before
interface names. specifying an interface to block, run the display
command to view the current ring topology and all
interfaces, and then specify the device and interface
names.
If multiple interfaces on the ring have the same device
and interface names, SEP blocks the interface nearest
to the primary edge interface in the topology.
NOTE
If you change the device name or interface name after
specifying the interface to block, the interface cannot
preempt to be the blocked interface.
l Preemption
After the interface blocking mode is specified, whether a specified interface will be
blocked is determined by the preemption mode. Table 17-6 lists the preemption modes.
Table 17-6 Preemption mode

Preemption Mode Description
Non-preemption mode When all link faults are rectified or the last two
interfaces enabled with SEP complete neighbor
negotiations, interfaces send blocking status packets to
each other. The interface with the highest priority is
then blocked, and the other interfaces enter the
Forwarding state.

Preemption Mode Description
Preemption Mode Preemption is classified into delayed preemption and

NOTE manual preemption.
Preemption can only be l Delayed preemption
implemented on the device
where the primary edge After all the faulty interfaces recover, the edge
interface or no-neighbor interfaces no longer receive fault notification
primary edge interface resides. packets. If the primary edge interface does not
receive fault advertisement packets within 3
seconds, it starts the delay timer. After the delay
timer expires, nodes in the SEP segment start
blocked interface preemption.
l Manual preemption
When the link status databases of the primary edge
interface and secondary edge interface are
complete, the primary edge interface or brother
interface of the no-neighbor primary edge interface
sends preemption packets to block a specified
interface. The specified interface then sends
blocking status packets to request the previously
blocked interface to transition to the Forwarding
state.
NOTE
Only two interfaces on a device can be added to the same
SEP segment. If one interface is the no-neighbor primary
edge interface, the other interface is the brother interface
of the no-neighbor primary edge interface.
Whether the brother interface of the no-neighbor primary
edge interface needs to send preemption packets depends
on whether the brother interface is blocked.
l If the brother interface is blocked, it does not need to
send preemption packets.
l If the brother interface is unblocked, it needs to send
preemption packets.
SEP Topology Change Notification

SEP considers that the topology of a SEP-enabled network changes in either of the following
situations described in Table 17-7.

Table 17-7 SEP topology change notification

SEP Topology Change Description
Notification
An interface fault occurs. Figure 17-4 shows an interface fault in a SEP segment.
An interface fault can be a link fault or neighboring
interface fault.
If a device having an interface in Forwarding state in the
SEP segment receives a fault advertisement packet, the
device needs to send a Flush-Forwarding Database
(Flush-FDB) packet through the interface to notify other
nodes in the SEP segment that there is a change in
topology.
The fault is rectified and the After faults occur in the SEP segment and the last faulty
preemption function takes interface recovers, the blocked interface is preempted
effect. and the topology is considered changed.
Preemption is triggered by the primary edge interface.
When an interface in a SEP segment receives a
preemption packet from the primary edge interface, the
interface needs to send Flush-FDB packets to notify
other nodes in the SEP segment that there is a change in
topology.

Figure 17-4 Networking diagram for SEP topology change notification
Network
LSW8
SEP SEP
LSW1 Segment1 Segment3 LSW13
LSW9 LSW10
LSW2 SEP LSW11SEP LSW12

Segment2 Segment4
LSW3 LSW4 LSW5 LSW6 Failed LSW7
Primary Edge Port

Block Port
Forwarding Database
Topology Change
NOTE
The topology change notification function is configured on devices that connect an upper-layer network
and a lower-layer network. If the topology of one network changes, devices affected inform the other
network of the change.
Table 17-8 lists the scenarios in which topology changes are reported.

Table 17-8 SEP topology change notification

SEP Scenario Description Solution
Topology
Change
Notification
Topology A SEP network is l If the blocked interface Configure the SEP

change connected to an on a lower-layer SEP topology change
notification upper-layer network network is manually notification
from a lower- running other changed, the topology of function.
layer network features such as the SEP segment
to an upper- SEP, STP, changes. Because the
layer network Smartlink, VPLS upper-layer network is
and RRPP. unable to detect the
change in topology,
traffic is interrupted.
l If an interface on a
lower-layer SEP network
becomes faulty, the
topology of the SEP
segment changes but the
upper-layer network is
unable to detect the
change. As a result,
traffic is interrupted.
A host is connected During an active/standby Enable the edge

to a SEP network switchover of member devices in the SEP
using a SmartLink interfaces in the SmartLink segment to process
group. group, the host sends a SmartLink Flush
SmartLink Flush packet to packets.
notify connected devices in
the SEP segment of the
switchover.
If connected devices in the
SEP segment cannot
identify the SmartLink
Flush packet (that is, if
these connected devices in
the SEP segment are unable
to detect any topology
change of the lower-layer
network), traffic is
interrupted.

SEP Scenario Description Solution

Topology
Change
Notification
Topology A SEP network is If a fault occurs on the Configure

change connected to an upper-layer network, the association
notification upper-layer network topology of that network between SEP and
from an upper- where CFM is changes but the lower-layer CFM.
layer network deployed. network is unable to detect As shown in
to a lower- the change. As a result, Figure 17-5,
layer network traffic is interrupted. association
between SEP and
CFM is configured
on LSW1.
Figure 17-5 Networking diagram of association between SEP and CFM
IP/MPLS Core
CFM
PE-AGG1 PE-AGG2
LSW1 LSW5
SEP
Segment
LSW2 LSW4
LSW3
CE
No-neighbor Primary Edge Port
No-neighbor Secondary Edge Port
Block Port
SEP associated with Ethernet CFM

As shown in Figure 17-5, association between SEP and CFM is configured on LSW1 in the
SEP segment. When CFM detects a fault on the network at the aggregation layer, LSW1
sends a CCM to notify the Operation, Administration, and Maintenance (OAM) module of the
fault. The SEP status of the interface associated with CFM then changes to Down.
The interface associated with CFM is in the SEP segment. If this interface goes Down, LSW2
needs to send a Flush-FDB packet to notify other nodes in the SEP segment of the topology
has changed. After LSW3 receives the Flush-FDB packet, the blocked interface on LSW3 is
unblocked and enters the Forwarding state. This interface then sends a Flush-FDB packet to
instruct other nodes in the SEP segment to update their MAC address forwarding tables and
ARP tables. The lower-layer network can then detect the faults on the upper-layer network,
ensuring reliable service transmission.
Suppression of SEP TC Notification Packets

Topology changes of a SEP segment are advertised to other SEP segments or upper-layer
networks. A large number of topology change (TC) notification packets are generated in the
following cases:
l A link becomes disconnected transiently.
l A SEP segment is attacked by invalid TC notification packets.
l There are multiple SEP ring networks.
Figure 17-6 shows a networking scenario with three SEP ring networks. If the topology
of SEP segment 3 changes, the number of TC notification packets doubles and SEP
segment 2 is flooded with these packets. Each time TC notification packets pass through
a SEP segment, the number of TC notification packets doubles.

Figure 17-6 Networking diagram for multiple SEP ring networks
LSW9 LSW10
SEP
Segment 1
LSW7 LSW8
SEP
Segment2
LSW4 LSW6
LSW5
SEP
Segment3
LSW1 LSW3
LSW2
Primary Edge Port

Secondary Edge Port
Block Port
Sending a large number of TC notification packets reduces the CPU capability to quickly
process other types of packets. In addition, devices in SEP segments frequently update MAC
address entries, heavily consuming bandwidth resources. To solve such problems, the
following measures can be taken to suppress TC notification packets:
l Configure a device to process only one of the TC notification packets carrying the same
source address.
l Configure a device to process a specified number of TC notification packets within a
specified period. By default, three TC notification packets with different source
addresses are processed in 2s.
l Avoid the networking scenario having more than three SEP ring networks.
SEP Multi-Instance
In common SEP networking shown in Figure 17-7, a physical ring network can be configured
with only one SEP segment in which only one interface can be blocked.
If an interface in a complete SEP segment is blocked, all service data is transmitted only along
the path where the primary edge interface is located. The path where the secondary edge
interface is located remains idle, wasting bandwidth.

Figure 17-7 Networking diagram for SEP
LSW2 LSW4
SEP
Segment1
LSW1 LSW3
VLAN 100~200 VLAN 201~400
CE1 CE2
Primary Edge Port
Secondary Edge Port
Block Port
SEP multi-instance allows two SEP segments to be configured on a physical ring. Each SEP
segment independently detects the completeness of the physical ring, blocks or unblocks
interfaces without affecting the other.
A physical ring may contain one or two SEP segments. Each SEP segment needs to be
configured with a protected instance, each protected instance indicating a VLAN range. The
topology calculated by a SEP segment is only valid for that SEP segment.
After different protected instances are configured for SEP segments and the mapping between
protected instances and VLANs is set, a blocked interface is only valid for the VLANs
protected by the SEP segment where the blocked interface resides. Data traffic for different
VLANs can be transmitted along different paths. This implements traffic load balancing and
link backup.

Figure 17-8 Networking diagram for SEP multi-instance
LSW2 LSW4
SEP
Segment2
P2 SEP Segment1 P1
LSW1 LSW3
Instance1: Instance2:
VLAN 100~200 VLAN 201~400
CE1 CE2
Primary Edge Port
Secondary Edge Port
Block Port
As shown in Figure 17-8, the SEP multi-instance ring network that consists of LSW1 to
LSW4 has two SEP segments. P1 is the blocked interface in SEP segment 1, and P2 is the
blocked interface in SEP segment 2.
l Protected instance 1 is configured in SEP segment 1 to protect the data from VLAN 100
to VLAN 200. The data is transmitted along path LSW1->LSW2. As the blocked
interface in SEP segment 2, P2 blocks only the data from VLAN 201 to VLAN 400.
l Protected instance 2 is configured in SEP segment 2 to protect the data from VLAN 201
to VLAN 400. The data is transmitted along path LSW3->LSW4. As the blocked
interface in SEP segment 1, P1 blocks only the data from VLAN 100 to VLAN 200.
When a node fault or link fault occurs, each SEP segment calculates its own topology
independently, and the nodes in each SEP segment update their own LSA databases.
As shown in Figure 17-9, a fault occurs on the link between LSW3 and LSW4. The link fault
does not affect the transmission path for the data from VLAN 100 to VLAN 200 in SEP
segment 1, but blocks the transmission path for the data from VLAN 201 to VLAN 400 in
SEP segment 2.

Figure 17-9 Networking diagram for a link fault on a SEP multi-instance network
LSW2 LSW4
SEP
Segment2
P2 SEP Segment1 P1
LSW1 LSW3
VLAN 100~200 VLAN 201~400
CE1 CE2
Primary Edge Port
Secondary Edge Port
Block Port
After the link between LSW3 and LSW4 becomes faulty, LSW3 starts to send LSAs to
instruct the other devices in SEP segment 2 to update their LSA databases, and the blocked
interface enters the Forwarding state. After the topology of SEP segment 2 is recalculated, the
data from VLAN 201 to VLAN 400 is transmitted along path LSW3->LSW1->LSW2.
After the link between LSW3 and LSW4 recovers, the devices in SEP segment 2 perform
delayed preemption. After the preemption delay expires, P1 becomes the blocked interface
again, and sends LSAs to instruct the other devices in SEP segment 2 to update their LSA
databases. After the topology of SEP segment 2 is recalculated, the data from VLAN 201 to
VLAN 400 is transmitted along path LSW3->LSW4.
17.3 Applications
17.3.1 Open-Ring Networking

As shown in Figure 17-10, LSW1 to LSW5 form an open ring to access a Layer 2 network.
The two edge devices on the Layer 2 network, that is, LSW1 and LSW5, are not directly
connected. This networking is called open-ring networking. The open-ring networking is at
the access layer and is used to transparently transmit Layer 2 unicast and multicast services.
When SEP runs at the access layer, redundancy protection switching can be implemented at
the access layer and topology of the SEP segment can be displayed.
On an open-ring network, edge interfaces are located on the two edge devices in the SEP
segment.

Figure 17-10 Networking diagram of an open ring running SEP
Network
LSW1 LSW5
SEP
Segment
LSW2 LSW4
LSW3
CE
Primary Edge Port

Secondary Edge Port
Block Port
17.3.2 Closed-Ring Networking

As shown in Figure 17-11, LSW1 to LSW5 form a dual-homed link to access a Layer 2
network. LSW1 and LSW5 at the edge of the Layer 2 network are directly connected. This
networking is called closed-ring networking. The networking is at the aggregation layer and is
used to aggregate Layer 2 unicast and multicast services. When SEP runs at the aggregation
layer, redundancy protection switching can be implemented at the aggregation layer and the
topology of the SEP segment can be displayed.
On a closed-ring network, two edge interfaces are located on the same edge device.

Figure 17-11 Networking diagram of a closed ring running SEP
LSW1 LSW5
SEP
Segment
LSW2 LSW4
LSW3
CE1 CE2 CE3
Primary Edge Port

Secondary Edge Port
Block Port
17.3.3 Multi-Ring Networking

As shown in Figure 17-12, the networking composed of LSW1 to LSW14 is called multi-ring
networking. LSW1 to LSW5 are at the aggregation layer, and LSW6 to LSW14 are at the
access layer. Layer 2 services are transparently transmitted at the access layer and the
aggregation layer. When SEP runs at the access layer and the aggregation layer, redundancy
protection switching can be implemented at the access layer and the aggregation layer and the
topology of the SEP segment can be displayed.
If the topology of the access layer changes, a node in the SEP segment sends a Flush-FDB
packet to instruct other nodes in the SEP segment to update their MAC address forwarding
tables and ARP tables. Edge devices in the SEP segment send TC packets to notify the upper-
layer network that the topology of the SEP segment changes.
In multi-ring networking, the topology change notification function needs to be configured
among ring networks.

Figure 17-12 Networking diagram of multiple rings running SEP
LSW1 SEP LSW5

Segment 1
LSW2 LSW4
LSW3
Se
SE en
gm
P t3
t2
gm E P
SEP
en
Se S
LSW9
LSW6 Segment 4
LSW12
SEP
LSW8 Segment 5
LSW14
LSW7 LSW13
LSW10 LSW11
Block Port
17.3.4 Hybrid SEP+MSTP Ring Networking

As shown in Figure 17-13, LSW1 to LSW3 form a SEP segment to access the MSTP ring.
The networking is called hybrid SEP+MSTP ring networking. LSW1 to LSW3 are at the
access layer and transparently transmit Layer 2 unicast and multicast services. When SEP
runs at the access layer, redundancy protection switching can be implemented at the access
layer.
tables and ARP tables. LSW1 and LSW2 at the edge of the SEP segment send a TC packet to
notify the aggregation layer of the topology change in the SEP segment.
In hybrid-ring networking, no-neighbor edge interfaces need to be deployed on the edge
devices of SEP networks, and the SEP networks need to report topology changes to MSTP
networks.

Figure 17-13 Networking diagram of hybrid rings running SEP+MSTP
PE3 PE4
MSTP
PE1 PE2
Do not Support SEP
SEP
Segment
LSW1 LSW2
LSW3
Block Port
17.3.5 Hybrid SEP+RRPP Ring Networking

As shown in Figure 17-14, PE1, PE2 and LSW1 to LSW3 form a SEP segment to access the
RRPP ring. The networking is called hybrid SEP+RRPP ring networking. PE1, PE2 and
LSW1 to LSW3 are at the access layer and transparently transmit Layer 2 unicast and
multicast services. When SEP runs at the access layer, redundancy protection switching can
be implemented at the access layer.
tables and ARP tables. PE1 and PE2 at the edge of the SEP segment send a TC packet to
notify the aggregation layer of the topology change in the SEP segment.
In hybrid SEP+RRPP ring networking, SEP networks need to report topology changes to
RRPP networks on the edge devices of SEP networks.

Figure 17-14 Networking diagram of hybrid rings running SEP and RRPP
PE3 PE4
RRPP
PE1 PE2
SEP
Segment
LSW1 LSW2
LSW3
Primary Edge Port
Secondary Edge Port
Block Port
17.3.6 SEP Multi-Instance

As shown in Figure 17-15, SEP multi-instance allows two SEP segments to be configured on
a physical ring. Each SEP segment independently detects the completeness of the physical
ring, blocks or unblocks interfaces without affecting the other.
A physical ring may contain one or two SEP segments. Each SEP segment needs to be
configured with a protected instance, each protected instance indicating a VLAN range. The
topology calculated by a SEP segment is only valid for that SEP segment.
After different protected instances are configured for SEP segments and the mapping between
protected instances and VLANs is set, a blocked interface is only valid for the VLANs
protected by the SEP segment where the blocked interface resides. Data traffic for different
VLANs can be transmitted along different paths. This implements traffic load balancing and
link backup.

LSW2 LSW4
SEP
Segment2
P2 SEP Segment1 P1
LSW1 LSW3
VLAN 100~200 VLAN 201~400
CE1 CE2
Primary Edge Port
Secondary Edge Port
Block Port
17.3.7 Association Between SEP and VPLS

As shown in Figure 17-16, a CE is connected to a VPLS network through an open-ring
network. SEP is enabled on the open-ring network to eliminate redundant links. If a link on
the ring network becomes faulty, SEP can quickly restore the communication between nodes
on the ring network.
Association between SEP and VPLS can be configured on the edge devices of the SEP
network to enable the VPLS network to detect any topology change of the SEP network. If
the topology of the SEP network changes, these edge devices send MAC Withdraw packets to
the VPLS network. After receiving the MAC Withdraw packets, the devices on the VPLS
network update their MAC address entries and ARP entries to ensure reliable traffic
transmission.

Figure 17-16 Networking diagram for association between SEP and VPLS
VPLS
LSW1 LSW5
SEP
Segment1
LSW2 LSW4
LSW3
CE1
Primary Edge Port
Secondary Edge Port
Block Port

17.3.8 Association Between SEP and CFM

Figure 17-17 Networking diagram of association between SEP and CFM
IP/MPLS Core
CFM
PE-AGG1 PE-AGG2
LSW1 LSW5
SEP
Segment
LSW2 LSW4
LSW3
CE
Block Port
SEP associated with Ethernet CFM
As shown in Figure 17-17, LSW1 to LSW5 run SEP to implement redundancy protection
switching at the access layer and display the topology. Association between SEP and CFM is
configured on LSW1 in the SEP segment. When CFM detects a fault on the network at the
aggregation layer, LSW1 sends a CCM to notify the fault to the Operation, Administration,
and Maintenance (OAM) module. The SEP status of the interface associated with CFM then
changes to Down.
The interface associated with CFM is in the SEP segment. Therefore, when the SEP status of
the interface associated with CFM goes Down, LSW2 needs to send a Flush-FDB packet to
notify other nodes in the SEP segment of the topology changes. After LSW3 receives the
Flush-FDB packet, the blocked interface on LSW3 is unblocked and enters the Forwarding
state. Then, the interface sends a Flush-FDB packet to instruct the other nodes in the SEP
segment to update their MAC address forwarding tables and ARP tables. Therefore, the

lower-layer network can then detect the faults on the upper-layer network, ensuring reliable
service transmission.

Table 17-9 lists the configuration task summary of SEP.
Table 17-9 Configuration task summary of SEP

Configuring Basic SEP After basic SEP functions 17.6.1 Configuring Basic
Functions are configured on devices, SEP Functions
the devices start SEP
negotiation. One of the two
interfaces that complete
neighbor negotiations last is
blocked to eliminate
redundant links.
NOTE
When logging in to nodes on a
SEP semi-ring through Telnet
to configure the nodes, note
the following points:
l VLANIF interfaces and
their IP addresses need to
be configured, because
these nodes are Layer 2
devices. The VLANs to
which these VLANIF
interfaces correspond must
be mapped to SEP
protected instances.
l Basic SEP functions need
to be configured from the
node at one end of the
semi-ring to the node at
the other end of the semi-
ring.
Specifying an Interface to In some cases, however, the 17.6.2 Specifying an

Block negotiated blocked interface Interface to Block
may not be the required one.
You can specify an interface
to block according to
network requirements.
Configuring SEP Multi- To implement load 17.6.3 Configuring SEP

Instance balancing and make efficient Multi-Instance
use of bandwidth, protected
instances need to be
deployed on a SEP network
and mapped to VLANs.

Configuring the Topology A SEP network usually 17.6.4 Configuring the

Change Notification needs to work together with Topology Change
Function another network running Notification Function
other features. To ensure
network reliability, if the
topology of one network
changes, the other network
must be able to detect the
topology change and take
measures to ensure reliable
data transmission.
Therefore, the topology
change notification function
needs to be enabled on the
SEP network.

Other network elements also need to support SEP.
License Support
SEP is a basic feature of a switch and is not under license control.
Version Support
Table 17-10 Products and versions supporting SEP

Model
S7700 S7703, V100R003C01, V100R006C00, V200R001(C00&C01),

S7706, V200R002C00, V200R003C00, V200R005C00,
S7712 V200R006C00, V200R007C00, V200R008C00,
V200R009C00, V200R010C00
S9700 S9703, V200R001(C00&C01), V200R002C00, V200R003C00,

S9706, V200R005C00, V200R006C00, V200R007C00,
S9712 V200R008C00, V200R009C00, V200R010C00
NOTE


l Table 17-11 lists the specification of SEP.
Table 17-11 Specification of SEP

Item Specification
Maximum number of segments on the 256

device
l On a SEP network where there are no-neighbor edge interfaces, a device that is not in a
SEP segment cannot be added to the control VLAN of the SEP segment. Otherwise, a
loop will occur on the network.
l SEP and VLAN stacking cannot be configured on an interface of an SA series card
simultaneously.
17.6 Configuring SEP
17.6.1 Configuring Basic SEP Functions

When there is no faulty link on a ring network running SEP, SEP can eliminate loops on the
Ethernet. When a link fault occurs on the ring network, SEP can immediately restore the
communication between the nodes on the network.
Before configuring basic SEP functions, complete the following tasks:
l Establish the ring network.
l Ensure that the devices are powered on correctly and operate properly.
17.6.1.1 Configuring a SEP Segment
Context
A SEP segment is the basic unit for SEP. A SEP segment consists of interconnected Layer 2
switching devices configured with the same SEP segment ID and control VLAN ID.
After SEP is configured on a device, you can run the description command to configure the
description of the SEP segment, including the SEP segment ID, to facilitate maintenance.
Procedure
Step 1 Run:
system-view

Step 2 Run:
sep segment segment-id

A SEP segment is created and the view of the SEP segment is displayed.

description text
A description is configured for the SEP segment.
By default, no description is configured for an SEP segment.
----End
17.6.1.2 Configuring a Control VLAN
Context
In a SEP segment, a control VLAN is used to transmit SEP packets but not service packets,
enhancing SEP security. Each SEP segment must be configured with a control VLAN. After
being added to a SEP segment configured with a control VLAN, an interface is added to the
control VLAN automatically.
NOTE
On a SEP network that has no-neighbor edge interfaces, a device that is not in a SEP segment cannot be
added to the control VLAN of the SEP segment. Otherwise, a loop will occur on the network.
Procedure
Step 1 Run:
system-view
Step 2 Run:
Step 3 Run:
control-vlan vlan-id
A control VLAN is configured for the SEP segment to transmit SEP packets.
The control VLAN must be not created, and is not used by RRPP, dynamic instances of
VBST, VLAN mapping, and VLAN stacking. Additionally, no interface is added to the
control VLAN in trunk, access, hybrid, or qinq mode.
l Different SEP segments can use the same control VLAN.

l If an interface has been added to the SEP segment, the control VLAN of the SEP
segment cannot be deleted directly. To delete the control VLAN, run the undo sep
segment segment-id command in the interface view to delete the interface from the SEP
segment, and then run the undo control-vlan command in the SEP segment view to
delete the control VLAN.
l If no interface is added to the SEP segment, you can run the control-vlan vlan-id
command multiple times. Only the latest configuration takes effect.
l After the control VLAN is created successfully, the command used to create a common
VLAN will be displayed in the configuration file.

Each SEP segment must be configured with a control VLAN. After an interface is added
to a SEP segment configured with a control VLAN, the interface is automatically added
to the control VLAN.
– If the interface type is trunk, in the configuration file, the port trunk allow-pass
vlan command is displayed in the view of the interface added to the SEP segment.
– If the interface type is hybrid, in the configuration file, the port hybrid tagged vlan
command is displayed in the view of the interface added to the SEP segment.
----End
17.6.1.3 Configuring a Protected Instance
Context
Interfaces can be added to a SEP segment only after the SEP segment is configured with
protected instances.
Procedure
Step 1 Run:
system-view

Step 2 (Optional) Create and configure the mapping between MSTIs and VLANs.
NOTE
If the stp mode vbst command sets the STP working mode to VBST, you must perform this step to
configure the mapping between MSTIs and VLANs. Otherwise, the protected instance in a SEP segment
cannot be configured.
1. Run:

2. Run:
instance instance-id vlan vlan-id
The mapping between MSTIs and VLANs is created and configured.

By default, all VLANs map to MSTI 0.
3. Run:
The mapping between MSTIs and VLANs is activated.

4. Run:
quit
Exit from the MST region view.

Step 3 Run:
Step 4 Run:
protected-instance { all | { instance-id1 [ to instance-id2 ] } &<1-10> }

A protected instance is configured in a SEP segment.

When the mapping between MSTIs and VLANs is configured, instance-id in this step must be
the same as instance-id in the instance command.
By default, no protected instance is configured in a SEP segment.
NOTE
When the mapping between MSTIs and VLANs is not configured, the SEP protected instance is valid
for all VLANs.
----End
17.6.1.4 Adding a Layer 2 Interface to a SEP Segment and Configuring a Role for
the Interface
Context
To ensure that SEP packets are forwarded correctly in a SEP segment, add Layer 2 interfaces
to the SEP segment and configure different roles for the interfaces.
After an interface is added to a SEP segment, the interface sets its interface role to the primary
edge interface if the interface has the right to participate in primary edge interface election.
Then, the interface periodically sends a primary edge interface election packet without
waiting for the success of neighbor negotiations.
A primary edge interface election packet contains the interface role (primary edge interface,
secondary edge interface, or common interface), bridge MAC address of the interface,
interface ID, and integrity of the topology database.
Table 17-12 lists interface roles.

Table 17-12 Interface roles

Interface Sub-role Description Deployment Scenario
Role
Common - In a SEP segment, all -

interface interfaces except edge
interfaces and blocked
interfaces are common
interfaces.
A common interface
monitors the status of the
directly-connected SEP link.
When the link status
changes, the interface sends
a topology change
notification message to
notify its neighbors. Then
the topology change
notification message is
flooded on the link until it
finally reaches the primary
edge interface. The primary
edge interface determines
how to process the link
change.
Edge interface Primary A SEP segment has only one Open-ring networking
edge primary edge interface, Closed-ring networking
interface which is determined by the
configuration and election. Multi-ring networking
The primary edge interface Hybrid SEP+RRPP ring

initiates blocked interface networking
preemption, terminates
packets, and sends topology
change notification
messages to other networks.
Secondary A SEP segment has only one

edge secondary edge interface,
interface which is determined by the
configuration and election.
The secondary edge
interface terminates packets
and sends topology change
notification messages to
other networks.

Interface Sub-role Description Deployment Scenario

Role
No- An interface at the edge of a Hybrid SEP+MSTP ring

neighbor SEP segment is a no- networking
primary neighbor edge interface,
edge which is determined by the
interface configuration and election.
The no-neighbor primary
edge interface terminates
packets and sends topology
change notification
messages to other networks.
No-neighbor primary edge
interfaces are used to
interconnect Huawei devices
and non-Huawei devices or
and devices that do not
support SEP.
No- The no-neighbor secondary

neighbor edge interface terminates
secondary packets and sends topology
edge change notification
interface messages to other networks.
No-neighbor secondary edge
interfaces are used to
and non-Huawei devices or
and devices that do not
support SEP.
NOTE
l Normally, edge interfaces and no-neighbor edge interfaces belong to different SEP segments.
l Before adding a Layer 2 interface to a SEP segment, ensure that STP has been disabled on the
interface (except that the interface is a no-neighbor edge interface).
l Before adding an interface to a SEP segment, disable Smart Link on the interface.
l Before adding an interface to a SEP segment, disable port security on the interface; otherwise, loops
cannot be prevented.
Procedure
Step 1 Run:
system-view
Step 2 Run:

The view of an Ethernet interface added to the SEP segment is displayed.
Step 3 Run:
port link-type { trunk | hybrid }
The link type of the interface is set to trunk or hybrid.

stp disable
STP is disabled on the interface.
Step 5 Run:
sep segment segment-id [ edge [ no-neighbor ] { primary | secondary } ]
The Ethernet interface is added to a specified SEP segment and a role is configured for the
interface.
NOTE
An interface can be added to a maximum of two SEP segments.
----End
Procedure
l Run the display sep segment { segment-id | all } command to check the configurations
of SEP segments.
l Run the display sep interface [ interface-type interface-number | segment segment-id ]
[ verbose ] command to check information about interfaces that are added to a specified
SEP segment.
l Run the display sep topology [ segment segment-id ] [ verbose ] command to check the
topology status of a specified SEP segment.
----End
17.6.2 Specifying an Interface to Block

By default, the blocked interface is one of the two interfaces that complete neighbor
negotiations last. Sometimes, the negotiated blocked interface, however, may not be the
expected one. You can configure a blocked interface to suit your needs.
17.6.2.1 Setting an Interface Blocking Mode
Context
In a SEP segment, some interfaces are blocked to prevent loops.
You can configure the interface blocking mode to specify a blocked interface. Table 17-13
lists interface blocking modes.

Table 17-13 Interface blocking mode

Interface Blocking Description
Mode
Specify the interface This mode applies to a large-scale network.

with the highest priority After fault recovery, the interface with the highest priority in a
as the blocked interface. SEP segment becomes the blocked interface. In this mode, the
priorities of the interfaces in the SEP segment need to be set in
advance.
Specify the interface in This mode applies to a network where traffic is symmetrically
the middle of a SEP distributed.
segment as the blocked After fault recovery, the interface in the middle of a SEP
interface. segment becomes the blocked interface.
Specify a blocked This mode applies to a small-scale network.

interface based on the After fault recovery, a specified interface is blocked based on
configured hop count. the hop count. A network planner needs to be familiar with the
topology of the entire SEP segment and the number of hops
from the blocked interface to the primary edge interface.
Specify a blocked This mode applies to a small-scale network.

interface based on the After fault recovery, a specified interface is blocked based on
device and interface the device and interface names. A network planner needs to be
names. familiar with the names of devices and interfaces in the entire
SEP segment and ensures that each device name is unique.
Perform the following operations on the device where the primary edge interface or no-
neighbor primary edge interface is located:
Procedure
Step 1 Run:
system-view
Step 2 Run:
Step 3 Run:
block port { optimal | middle | hop hop-id | sysname sysname interface
{ interface-type interface-number | interface-name } }
An interface blocking mode is set.
By default, one of the interfaces at two ends of the link that is set up last or recovers from a
fault last is blocked.
----End

Follow-up Procedure
If the interface with the highest priority is specified to block, run the sep segment segment-id
priority priority command in the view of the interface to be blocked to increase its priority.
When a fault is rectified, the specified interface is blocked.
The default priority of an interface added to a SEP segment is 64. The priority value of an
interface is an integer that ranges from 1 to 128. A larger priority value indicates a higher
priority.
17.6.2.2 Configuring the Preemption Mode
Context
After the interface blocking mode is specified, whether a specified interface will be blocked is
determined by the preemption mode. Table 17-14 lists the preemption modes.
Table 17-14 Preemption mode

Preemption Advantage Disadvantage
Mode
Non-preemption SEP is in non- The blocked interface is one of the two

mode preemption mode by interfaces that complete neighbor
default. negotiations last.
In this mode, blocking
an interface does not
disconnect any link in a
SEP segment.
Preempt Delayed Each time a fault is l The delayed preemption mode needs
ion preempt rectified, the system to be specified in advance. There is no
mode ion automatically completes default delay in preemption, and the
preemption and ensures delay time needs to be configured
that the specified using a command.
interface is blocked. l After delayed preemption is
configured successfully, a fault needs
to be simulated to ensure that the
specified interface is blocked.
Manual Whether the specified l The manual preemption mode needs to

preempt interface will be blocked be specified in advance.
ion can be controlled l After a network fault is rectified and
manually. the preemption action is taken, manual
preemption no longer takes effect.
Manual preemption needs to be
configured again to ensure that the
blocked point can be moved to the
specified point after the next fault is
rectified. This increases the
maintenance workload.

The following conditions must be met to trigger preemption:
l The SEP segment topology is complete.

l The primary edge interface or no-neighbor primary edge interface has been elected in the
SEP segment.
l The function of flexibly specifying a blocked interface is enabled on the device where
the primary edge interface or no-neighbor primary edge interface resides.
Perform the following operations on the Layer 2 switching device where the primary edge
interface or no-neighbor primary edge interface resides.
Procedure
Step 1 Run:
system-view
Step 2 Run:
Step 3 Run:
preempt { manual | delay seconds }
The preemption mode is configured on the primary edge interface.
By default, no preemption mode is configured on the primary edge interface, that is, the non-
preemption mode is used.
----End
Procedure
l Run the display sep topology [ segment segment-id ] [ verbose ] command to check the
topology status of a specified SEP segment.
----End
17.6.3 Configuring SEP Multi-Instance
Applicable Environment
bandwidth.

IP/MPLS Core
Core
group 1:Master group 2:Master
group 2:Backup group 1:Backup
NPE1 NPE2
VRRP+peer BFD
Aggregation
LSW2 LSW4
SEP
Segment2
P2 SEP Segment1 P1
LSW1 LSW3
Access
VLAN 100~200 VLAN 201~400
CE1 CE2
Primary Edge Port
Secondary Edge Port
Block Port
SEP multi-instance is used to improve bandwidth efficiency and implement traffic load
balancing and link backup. As shown in Figure 17-18, multiple instances are deployed in the
SEP segment, and protected instances are mapped to different VLANs. Data traffic for
different VLANs can then be transmitted along different paths.
NOTE
Currently, SEP multi-instance allows two SEP segments to be configured on a physical ring. Different
blocked interfaces and priorities need to be configured for the two SEP segments.
Before configuring SEP multi-instance, complete the following tasks:
l Configure basic SEP functions.
l Specify an interface to block.

Procedure
Step 1 Run:
system-view
Step 2 Run:
Step 3 Run:
instance instance-id vlan { vlan-id [ to vlan-id ] } &<1-10>
Mappings between protected instances and VLANs are configured.
The value of instance-id specified in this command must be the same as that of instance-id
specified in the protected-instance command.
Before you switch a VLAN from one SEP segment to another segment, shut down the
blocked port. If you do not shut down the blocked port, a routing loop may occur after the
VLAN switchover.
NOTE
To configure the mapping between the protected instance and MUX VLAN, you are advised to
configure the principal VLAN, and subordinate group VLANs and subordinate separate VLANs of the
MUX VLAN in the same protected instance. Otherwise, loops may occur.
Step 4 Run:
Mappings between protected instances and VLANs are activated.
After mappings between protected instances and VLANs take effect, topology changes of a
SEP segment affect only corresponding VLANs. This ensures reliable service data
transmission.
----End
17.6.4 Configuring the Topology Change Notification Function

The topology change notification function is configured on the device that connects a lower-
layer network to an upper-layer network. This function enables the device to notify the peer
device of topology changes in the lower-layer and upper-layer networks. All the devices on
the network where the peer device resides then delete original MAC addresses and ARP
entries and learn new MAC addresses to ensure uninterrupted traffic forwarding.
17.6.4.1 Reporting Topology Changes in a Lower-Layer Network - SEP Topology

Change Notification
Context
SEP runs on devices at the access layer. The topology change notification function enables
devices to detect topology changes on the upper and lower-layer networks.

If the upper-layer network fails to be notified of the topology change in a SEP segment, the
MAC address entries remain unchanged on the upper layer network and user traffic may be
interrupted. To ensure uninterrupted traffic forwarding, configure devices on the lower-layer
network to report topology changes to the upper-layer network and specify the devices on the
upper-layer network that will be notified of topology changes.
NOTE
Currently, topology changes in a SEP segment can be reported to other SEP segments, STP networks,
RRPP networks, VPLS networks, and SmartLink networks.
Switch XGE interfaces connected to the ACU2, ET1D2IPS0S00, ET1D2FW00S00, ET1D2FW00S01 or
ET1D2FW00S02 card do not support SEP topology change notification on the VPLS network.
After receiving a topology change notification from a lower-layer network, a device on the
upper-layer network sends TC packets to instruct other devices on the upper-layer network to
clear original MAC addresses and learn new MAC addresses after the topology of the lower-
layer network changes. This ensures uninterrupted traffic forwarding.
Procedure
Step 1 Run:
system-view
Step 2 Run:
Step 3 Run:
tc-notify { segment { segment-id1 [ to segment-id2 ] } &<1-10> | stp | rrpp |
smart-link send-packet vlan vlan-id | vpls }
The topology change of the specified SEP segment is reported to another SEP segment or a
network running other ring protocols such as STP or RRPP.
By default, the topology change of a SEP segment is not reported.
----End
Follow-up Procedure
In the networking scenario where three or more SEP ring networks exist, when a topology
change notification is sent through multiple links, the upper-layer network will receive it
multiple times. This reduces packet processing efficiency on the upper-layer network.
Therefore, topology change notifications need to be suppressed. Suppressing topology change
notifications frees the upper-layer network from processing multiple duplicate packets and
protects the devices in the SEP segment against topology change notification attacks.
Run the tc-protection interval interval-value command in the SEP segment view to set the
interval for suppressing topology change notifications.
By default, the interval for suppressing topology change notifications is 2s, and three
topology change notifications with different source addresses are processed within 2s.

NOTE
l In the networking scenario where three or more SEP ring networks exist, the tc-protection interval
interval-value command must be run. If this command is not run, the default interval for suppressing
topology change notifications is used.
l A longer interval ensures stable SEP operation but reduces convergence performance.
17.6.4.2 Reporting Topology Changes in a Lower-Layer Network - Enabling the

Devices in a SEP Segment to Process SmartLink Flush Packets
Context
When a host is connected to a SEP network using a Smart Link group, the host sends Smart
Link Flush packets to inform the remote device in the SEP segment if devices in the Smart
Link group experience an active/standby switchover. Therefore, devices in a SEP segment
must be able to process Smart Link Flush packets.
Procedure
Step 1 Run:
system-view
Step 2 Run:
Step 3 Run:
deal smart-link-flush
The device in a SEP segment is configured to process Smart Link Flush packets.
By default, no device in a SEP segment is configured to process Smart Link Flush packets.
Step 4 Run:
quit
Step 5 Run:
Step 6 Run:
smart-link flush receive control-vlan vlan-id [ password { simple | sha }
password ]
The interface is configured to receive Flush packets.
By default, an interface is prohibited from receiving Flush packets.
The password parameter is optional. If no password is specified, no password is used for

authentication.

The control VLAN ID and password contained in Flush packets on both devices must be the
same.
----End
17.6.4.3 Reporting Topology Changes in an Upper-Layer Network - Configuring

Association Between SEP and CFM
Context
SEP runs on devices at the access layer or aggregation layer. To enable devices running SEP
to detect the topology changes in an upper-layer network, you must configure on SEP and
CFM association the device connecting the lower-layer network to the upper-layer network.
When CFM detects a fault on the upper-layer network, the edge device sends a CFM packet to
notify the OAM module of the fault. Then the SEP status of the interface associated with
CFM on the edge device changes to Down.
The peer device (on the SEP segment) of the edge device notifies other nodes in the same SEP
segment of topology changes by sending Flush-FDB packets. After a device in the SEP
segment receives the Flush-FDB packet, the blocked interface on the device is unblocked,
enters the Forwarding state, and sends a Flush-FDB packet to instruct other nodes in the SEP
segment to refresh their MAC forwarding tables and ARP tables. Therefore, the lower-layer
network can then detect the faults on the upper-layer network, ensuring reliable service
transmission.
NOTE
IEEE 802.1ag, also known as Connectivity Fault Management (CFM), defines OAM functions, such as
continuity check (CC), link trace (LT) and loopback (LB), for Ethernet networks. CFM is network-level
OAM and applies to large-scale end-to-end networking.
Procedure
Step 1 Run:
system-view

Step 2 Run:
oam-mgr
The OAM management view is displayed.

Step 3 Run:
oam-bind ingress cfm md md-name ma ma-name egress sep segment segment-id
Association between SEP and CFM is configured.
----End

Procedure
l Run the display sep interface verbose command to check information about the
interfaces added to a SEP segment.
l Run the display this command in the OAM management view to check the
configuration of topology change notification on the upper-layer network topology.
----End
17.7 Maintaining SEP
17.7.1 Clearing SEP Statistics

You can run the reset command to clear existing SEP statistics before re-collecting SEP
statistics.
Context
NOTICE
SEP statistics cannot be restored after being cleared. Therefore, exercise caution when you
run reset commands.
Procedure
Step 1 Run the reset sep interface interface-type interface-number statistics command in the user
view to clear SEP packet statistics on a specified interface in a SEP segment.
----End
17.8.1 Example for Configuring SEP on a Closed Ring Network
Generally, redundant links are used to connect an Ethernet switching network to an upper-
layer network to provide link backup and enhance network reliability. The use of redundant
links, however, may produce loops, causing broadcast storms and rendering the MAC address
table unstable. As a result, communication quality deteriorates, and services may even be
interrupted. SEP can be deployed on the ring network to eliminate loops and restore
communication if a link fault occurs.

In the closed ring networking, CE1 is dual-homed to a Layer 2 network through multiple
Layer 2 switching devices. The two edge devices connected to the upper-layer Layer 2
network are directly connected to each other. The closed ring network is deployed at the
aggregation layer to transparently transmit Layer 2 unicast and multicast packets. SEP runs at
the aggregation layer to implement link redundancy.
As shown in Figure 17-19, Layer 2 switching devices LSW1 to LSW5 form a ring network.
SEP runs at the aggregation layer.

l When there is no faulty link on a ring network, SEP can eliminate loops on the network.
l When a link fails on the ring network, SEP can rapidly restore communication between
nodes on the network.
Figure 17-19 Networking diagram of a closed ring SEP network
GE1/0/2 GE1/0/3 GE1/0/2

LSW1 LSW5
GE1/0/3
GE1/0/1 GE1/0/1
Aggregation
SEP
Segment1
GE1/0/1 GE1/0/1
LSW2 LSW4
LSW3
GE1/0/2 GE1/0/2
GE1/0/1 GE1/0/2
GE1/0/3
GE1/0/1
Access
Primary Edge Port

CE1
Secondary Edge Port
VLAN
100 Block Port
1. Configure basic SEP functions.

a. Configure SEP segment 1 on LSW1 to LSW5 and configure VLAN 10 as the
control VLAN of SEP segment 1.
b. Add all devices on the ring to SEP segment 1, and configure the roles of GE1/0/1
and GE1/0/3 of LSW1 in SEP segment 1.
c. On the device where the primary edge interface is located, specify the interface with
the highest priority to block.
d. Set priorities of the interfaces in the SEP segment.

Set the highest priority for GE1/0/2 of LSW3 and retain the default priority of the
other interfaces so that GE1/0/2 of LSW3 will be blocked.
e. Configure delayed preemption on the device where the primary edge interface is
located.
2. Configure the Layer 2 forwarding function on CE1 and LSW1 to LSW5.
Procedure
Step 1 Configure basic SEP functions.
1. Configure SEP segment 1 on LSW1 to LSW5 and configure VLAN 10 as the control
VLAN of SEP segment 1.
# Configure LSW1.
[HUAWEI] sysname LSW1
[LSW1] sep segment 1
[LSW1-sep-segment1] control-vlan 10
[LSW1-sep-segment1] protected-instance all
[LSW1-sep-segment1] quit
# Configure LSW2.
# Configure LSW3.
# Configure LSW4.
# Configure LSW5.
NOTE
– The control VLAN must be a VLAN that has not been created or used, but the configuration
file automatically displays the command for creating the VLAN.
– Each SEP segment must be configured with a control VLAN. After an interface is added to the
SEP segment configured with a control VLAN, the interface is automatically added to the
control VLAN.
2. Add all devices on the ring to SEP segment 1 and configure interface roles on the
devices.
NOTE
By default, STP is enabled on a Layer 2 interface. Before adding an interface to a SEP segment,
disable STP on the interface.

# On LSW1, configure GE1/0/1 as the primary edge interface and GE1/0/3 as the
secondary edge interface.
[LSW1] interface gigabitethernet 1/0/1
[LSW1-GigabitEthernet1/0/1] port link-type hybrid
[LSW1-GigabitEthernet1/0/1] stp disable
[LSW1-GigabitEthernet1/0/1] sep segment 1 edge primary
[LSW1-GigabitEthernet1/0/1] quit
[LSW1-GigabitEthernet1/0/3] sep segment 1 edge secondary
# Configure LSW2.
[LSW2-GigabitEthernet1/0/1] sep segment 1
# Configure LSW3.
# Configure LSW4.
# Configure LSW5.
3. Specify an interface to block.

# On LSW1 where the primary edge interface is located, specify the interface with the
highest priority to block.
[LSW1-sep-segment1] block port optimal
4. Set the priority of GE1/0/2 on LSW3.


[LSW3-GigabitEthernet1/0/2] sep segment 1 priority 128
5. Configure the preemption mode.

# Configure delayed preemption on LSW1.
[LSW1-sep-segment1] preempt delay 30
NOTE
– You must set the preemption delay when delayed preemption is used because there is no
default delay time.
– When the last faulty interface recovers, edge interfaces do not receive any fault notification
packet. If the primary edge interface does not receive any fault notification packet, it starts the
delay timer. When the delay timer expires, nodes in the SEP segment start blocked interface
preemption.
To implement delayed preemption in this example, simulate a port fault and then rectify the
fault. For example:
Run the shutdown command on GE1/0/1 of LSW2 to simulate an interface fault, and then run
the undo shutdown command on GE1/0/2 to rectify the fault.
Step 2 Configure the Layer 2 forwarding function on CE1 and LSW1 to LSW5.
For details about the configuration, see the configuration files.
l Run the shutdown command on GE1/0/1 of LSW3 to simulate an interface fault, and
then run the display sep interface command on LSW3 to check whether GE1/0/2 of
LSW3 has switched from the Discarding state to the Forwarding state.
<LSW3> display sep interface gigabitethernet 1/0/2
SEP segment 1
----------------------------------------------------------------
Interface Port Role Neighbor Status Port Status
----------------------------------------------------------------
GE1/0/2 common up forwarding
----End
Configuration Files
l LSW1 configuration file
#
sysname LSW1
#
#
sep segment 1
control-vlan 10
block port optimal
preempt delay 30
protected-instance 0 to 48
#
stp disable
sep segment 1 edge primary
#


#
port hybrid tagged vlan 10 100 200
stp disable
sep segment 1 edge secondary
#
return
#
sysname LSW2
#
vlan batch 10 100
#
sep segment 1
control-vlan 10
#
stp disable
sep segment 1
#
stp disable
sep segment 1
#
return
#
sysname LSW3
#
vlan batch 10 100
#
sep segment 1
control-vlan 10
#
stp disable
sep segment 1
#
stp disable
sep segment 1
sep segment 1 priority 128
#
#
return
#
sysname LSW4
#
vlan batch 10 100
#
sep segment 1

control-vlan 10
#
stp disable
sep segment 1
#
stp disable
sep segment 1
#
return
#
sysname LSW5
#
#
sep segment 1
control-vlan 10
#
stp disable
sep segment 1
#
#
stp disable
sep segment 1
#
return
#
sysname CE1
#
vlan batch 100
#
#
return
17.8.2 Example for Configuring SEP on a Multi-Ring Network


In multi-ring networking, multiple rings consisting of Layer 2 switching devices are deployed
at the access layer and aggregation layer. SEP runs at the access layer and aggregation layer to
implement link redundancy.
As shown in Figure 17-20, multiple Layer 2 switching devices form ring networks at the
access layer and aggregation layer.
SEP runs at the access layer and aggregation layer. When there is no faulty link on a ring
network, SEP can eliminate loops on the network. When a link fails on the ring network, SEP
can rapidly restore communication between nodes on the network.
Figure 17-20 Networking diagram of a multi-ring SEP network
LSW1 GE1/0/3 GE1/0/3 LSW5

GE1/0/1 GE1/0/1
Aggregation
SEP
GE1/0/1 Segment 1 GE1/0/3
LSW4
LSW2 G GE1/0/1
E1 GE1/0/2
GE1/0/2
0/ LSW3
/
3
GE1/0/4
GE1/0/1 GE1/0/2 GE1/0/1 GE1/0/2
Se S
t2
gm EP
gm EP
en
Se S
LSW6 GE1/0/2 en LSW11

GE1/0/2 LSW8 t3
GE1/0/1
GE1/0/1 GE1/0/1 GE1/0/2
GE1/0/1 GE1/0/2 LSW9 GE1/0/1
LSW7 GE1/0/3 LSW10 GE1/0/3
Access
GE1/0/1 GE1/0/1
CE2
CE1
VLAN VLAN
200 100
Primary Edge Port Control VLAN 10

Secondary Edge Port Control VLAN 20
Block Port Control VLAN 30


a. Configure SEP segments 1 to 3 and configure VLAN 10, VLAN 20, and VLAN 30
as their respective control VLANs.
n Configure SEP segment 1 on LSW1 to LSW5 and configure VLAN 10 as the
n Configure SEP segment 2 on LSW2, LSW3, and LSW6 to LSW8, and
configure VLAN 20 as the control VLAN of SEP segment 2.
n Configure SEP segment 3 on LSW3, LSW4, and LSW9 to LSW11, and
configure VLAN 30 as the control VLAN of SEP segment 3.
b. Add devices on the rings to the SEP segments and configure interface roles on the
edge devices of the SEP segments.
n On LSW1 to LSW5, add the interfaces on the ring at the access layer to SEP
segment 1. Configure the roles of GE1/0/1 and GE1/0/3 of LSW1 in SEP
segment 1.
n Add GE1/0/2 of LSW2, GE1/0/1 and GE1/0/2 of LSW6 to LSW8, and
GE1/0/2 of LSW3 to SEP segment 2. Configure the roles of GE1/0/2 of LSW2
n Add GE1/0/1 of LSW3, GE1/0/1 and GE1/0/2 of LSW9 to LSW11, and
GE1/0/1 of LSW4 to SEP segment 3. Configure the roles of GE1/0/1 of LSW3
c. Specify an interface to block on the device where the primary edge interface is
located.
n In SEP segment 1, specify the interface with the highest priority to block.
n In SEP segment 2, specify the device and interface names to block the
specified interface.
n In SEP segment 3, specify the blocked interface based on the configured hop
count.
d. Configure the preemption mode on the device where the primary edge interface is
located.
Configure delayed preemption in SEP segment 1 and manual preemption in SEP
segment 2 and SEP segment 3.
e. Configure the topology change notification function on the edge devices between
SEP segments, namely, LSW2, LSW3, and LSW4.
2. Configure the Layer 2 forwarding function on CE1, CE2, and LSW1 to LSW11.
Procedure
1. Configure SEP segments 1 to 3 and configure VLAN 10, VLAN 20, and VLAN 30 as
their respective control VLANs, as shown in Figure 17-20.
# Configure LSW1.
# Configure LSW2.

# Configure LSW3.
# Configure LSW4.
# Configure LSW5.
# Configure LSW6 to LSW11.

The configurations of LSW6 to LSW11 are similar to the configurations of LSW1 to
LSW5 except for the control VLANs of different SEP segments.
NOTE
control VLAN.
2. Add devices on the rings to the SEP segments and configure interface roles according to
Figure 17-20.
NOTE

# On LSW1, configure GE1/0/1 as the primary edge interface and GE1/0/3 as the
secondary edge interface.
# Configure LSW2.
# Configure LSW3.
# Configure LSW4.

# Configure LSW5.
# Configure LSW6 to LSW11.

The configurations of LSW6 to LSW11 are similar to the configurations of LSW1 to
LSW5 except for the interface roles.
# On LSW1 where the primary edge interface of SEP segment 1 is located, specify the
interface with the highest priority to block.
[LSW1-sep-segment1] block port optimal
# On LSW3, set the priority of GE1/0/4 to 128, which is the highest priority among the
interfaces so that GE1/0/4 will be blocked.
Retain the default priority of the other interfaces in SEP segment 1.

# On LSW2 where the primary edge interface of SPE segment 2 is located, specify the
device and interface names so that the specified interface will be blocked.
Before specifying the interface to block, use the display sep topology command to view
the current topology information and obtain information about all the interfaces in the
topology. Then specify the device and interface names.
[LSW2-sep-segment2] block port sysname LSW7 interface gigabitethernet 1/0/1
# On LSW4 where the primary edge interface of SEP segment 3 is located, specify the
blocked interface based on the configured hop count.
[LSW4-sep-segment3] block port hop 5
NOTE
SEP sets the hop count of the primary edge interface to 1 and the hop count of the secondary edge
interface to 2. Hop counts of other interfaces increase by steps of 1 in the downstream direction of
the primary interface.
# Configure delayed preemption on LSW1.

NOTE
– You must set the preemption delay when delayed preemption is used because there is no
default delay time.
– When the last faulty interface recovers, edge interfaces do not receive any fault notification
packet. If the primary edge interface does not receive any fault notification packet, it starts the
delay timer. When the delay timer expires, nodes in the SEP segment start blocked interface
preemption.
To implement delayed preemption in this example, simulate a port fault and then rectify the
fault. For example:
Run the shutdown command on GE1/0/1 of LSW2 to simulate an interface fault, and then run
the undo shutdown command on GE1/0/2 to rectify the fault.
# Configure manual preemption on LSW2.
[LSW2-sep-segment2] preempt manual
# Configure the manual preemption mode on LSW4.

5. Configure the topology change notification function.

# Configure devices in SEP segment 2 to notify SEP segment 1 of topology changes.
# Configure LSW2.
[LSW2-sep-segment2] tc-notify segment 1
# Configure LSW3.
# Configure SEP segment 3 to notify SEP segment 1 of topology changes.

# Configure LSW3.
# Configure LSW4.
NOTE
The topology change notification function is configured on edge devices between SEP segments
so that the upper-layer network can be notified of topology changes on the lower-layer network.
Step 2 Configure the Layer 2 forwarding function on the CEs and LSW1 to LSW11.
After completing the preceding configurations, verify the configuration. LSW1 is used as an
example.

SEP segment 1
----------------------------------------------------------------
----------------------------------------------------------------
----End
Configuration Files
#
sysname LSW1
#
vlan batch 10 100 200 300
#
sep segment 1
control-vlan 10
block port optimal
preempt delay 30
#
stp disable
#
#
port hybrid tagged vlan 10 100 200 300
stp disable
#
return

#
sysname LSW2
#
vlan batch 10 20 100 200
#
sep segment 1
control-vlan 10
sep segment 2
control-vlan 20
block port sysname LSW7 interface GigabitEthernet1/0/1
tc-notify segment 1
#
stp disable
sep segment 1
#
stp disable

#
stp disable
sep segment 1
#
return
#
sysname LSW3
#
vlan batch 10 20 30 100 200
#
sep segment 1
control-vlan 10
sep segment 2
control-vlan 20
tc-notify segment 1
sep segment 3
control-vlan 30
tc-notify segment 1
#
stp disable
#
stp disable
#
stp disable
sep segment 1
#
stp disable
sep segment 1
#
return
#
sysname LSW4
#
vlan batch 10 30 100 200
#
sep segment 1
control-vlan 10
sep segment 3
control-vlan 30
block port hop 5
tc-notify segment 1
#


stp disable
#
stp disable
sep segment 1
#
stp disable
sep segment 1
#
return
#
sysname LSW5
#
vlan batch 10 100 200 300
#
sep segment 1
control-vlan 10
#
stp disable
sep segment 1
#
#
port hybrid tagged vlan 10 100 200 300
stp disable
sep segment 1
#
return
#
sysname LSW6
#
vlan batch 20 200
#
sep segment 2
control-vlan 20
#
stp disable
sep segment 2
#
stp disable
sep segment 2

#
return
#
sysname LSW7
#
vlan batch 20 200
#
sep segment 2
control-vlan 20
#
stp disable
sep segment 2
#
stp disable
sep segment 2
#
#
return
#
sysname LSW8
#
vlan batch 20 200
#
sep segment 2
control-vlan 20
#
stp disable
sep segment 2
#
stp disable
sep segment 2
#
return
#
sysname LSW9
#
vlan batch 30 100
#
sep segment 3
control-vlan 30
#
stp disable
sep segment 3

#
stp disable
sep segment 3
#
return
#
sysname LSW10
#
vlan batch 30 100
#
sep segment 3
control-vlan 30
#
stp disable
sep segment 3
#
stp disable
sep segment 3
#
#
return
#
sysname LSW11
#
vlan batch 30 100
#
sep segment 3
control-vlan 30
#
stp disable
sep segment 3
#
stp disable
sep segment 3
#
return
#
sysname CE1
#
vlan batch 100
#

#
return

#
sysname CE2
#
vlan batch 200
#
#
return
17.8.3 Example for Configuring a Hybrid SEP+MSTP Ring

Network
NOTE
In this example, devices at the aggregation layer run the MSTP protocol.
As shown in Figure 17-21, multiple Layer 2 switching devices form a ring at the access layer,
and multiple Layer 3 devices form a ring at the aggregation layer. The two devices where the
access layer and the aggregation layer are intersected do not support SEP. You can configure
SEP at the access layer to implement redundancy protection switching and configure the
topology change notification function on an edge device in a SEP segment. This function
enables an upper-layer network to detect topology changes in a lower-layer network in time.
l When there is no faulty link on the ring network, SEP can eliminate loops.
l When a link fails on the ring network, SEP can rapidly restore communication between
nodes.
l The topology change notification function must be configured on an edge device in a
SEP segment. This enables an upper-layer network to detect topology changes in a
lower-layer network in time.
After receiving a message indicating the topology change in a lower-layer network, a device
on an upper-layer network sends TC packets to instruct other devices to delete original MAC
addresses and learn new MAC addresses after the topology of the lower-layer network
changes. This ensures uninterrupted traffic forwarding.

Figure 17-21 Networking diagram of a hybrid-ring SEP network
GE1/0/2
GE1/0/3 GE1/0/3
GE1/0/2
Aggregation
PE3 PE4
GE1/0/1
GE1/0/1
MSTP
GE1/0/2 PE1 PE2 GE1/0/2
GE1/0/3
GE1/0/1 Do not Support SEP GE1/0/1
GE1/0/1 GE1/0/1
SEP
LSW1 Segment1 LSW2
GE1/0/2 GE1/0/2
GE1/0/2 GE1/0/1
Access
GE1/0/3LSW3
GE1/0/1
CE
VLAN100
Block Port(SEP)
Block Port(MSTP)

a. Configure SEP segment 1 on LSW1 to LSW3 and configure VLAN 10 as the
b. Add LSW1 to LSW3 to SEP segment 1 and configure interface roles on the edge
devices (LSW1 and LSW2) of the SEP segment.
NOTE
PE1 and PE2 do not support the SEP protocol; therefore, the interfaces of LSW1 and LSW2
connected to the PEs must be no-neighbor edge interfaces.
c. On the device where the no-neighbor primary edge interface is located, specify the
interface in the middle of the SEP segment as the interface to block.
d. Configure manual preemption.
e. Configure the topology change notification function so that the upper-layer network
running MSTP can be notified of topology changes in the SEP segment.

2. Configure basic MSTP functions.

a. Add LSW1, LSW2, PE1 to PE4 to an MST region RG1.
b. Create VLANs on LSW1, LSW2, PE1 to PE4 and add interfaces on the STP ring to
the VLANs.
c. Configure PE3 as the root bridge and PE4 as the backup root bridge.
3. Configure the Layer 2 forwarding function on CE and LSW1 to LSW3.
Procedure
1. Configure SEP segment 1 on LSW1 to LSW3 and configure VLAN 10 as the control
VLAN of SEP segment 1.
# Configure LSW1.
# Configure LSW2.
# Configure LSW3.
NOTE
control VLAN.
2. Add LSW1 to LSW3 to SEP segment 1 and configure interface roles.
NOTE
# Configure LSW1.
[LSW1-GigabitEthernet1/0/1] sep segment 1 edge no-neighbor primary
# Configure LSW2.


[LSW2-GigabitEthernet1/0/1] sep segment 1 edge no-neighbor secondary
# Configure LSW3.

# On LSW1 where the no-neighbor primary edge interface of SEP segment 1 is located,
specify the interface in the middle of the SEP segment as the interface to block.
[LSW1-sep-segment1] block port middle

# Configure the manual preemption mode on LSW1.

# Configure devices in SEP segment 1 to notify the MSTP network of topology changes.
# Configure LSW1.
[LSW1-sep-segment1] tc-notify stp
# Configure LSW2.
[LSW2-sep-segment1] tc-notify stp

1. Configure an MST region.
# Configure PE1.
# Configure PE2.
# Configure PE3.


# Configure PE4.
# Configure LSW1.
[LSW1] stp region-configuration
[LSW1-mst-region] region-name RG1
[LSW1-mst-region] active region-configuration
[LSW1-mst-region] quit
# Configure LSW2.
[LSW2-mst-region] region-name RG1
2. Create VLANs and add interfaces to VLANs.

# On PE1, create VLAN 100 and add GE1/0/1, GE1/0/2, and GE1/0/3 to VLAN 100.
[PE1] vlan 100
[PE1-vlan100] quit
# On PE2, PE3, and PE4, create VLAN 100 and add GE1/0/1, GE1/0/2, and GE1/0/3 to
VLAN 100.
The configurations of PE2, PE3, and PE4 are similar to the configuration of PE1. For
details about the configuration, see the configuration files.
# On LSW1 and LSW2, create VLAN 100 and add GE1/0/1 to VLAN 100. The
configurations of LSW1 and LSW2 are similar to the configuration of PE1. For details
about the configuration, see the configuration files.
3. Enable MSTP.
# Configure PE1.
[PE1] stp enable
# Configure PE2.
[PE2] stp enable
# Configure PE3.
[PE3] stp enable
# Configure PE4.
[PE4] stp enable
# Configure LSW1.
[LSW1] stp enable

# Configure LSW2.
[LSW2] stp enable
4. Configure PE3 as the root bridge and PE4 as the backup root bridge.
# Set the priority of PE3 to 0 in MSTI0 to ensure that PE3 functions as the root bridge.
[PE3] stp root primary
# Set the priority of PE4 to 4096 in MSTI0 to ensure that PE4 functions as the backup
root bridge.
[PE4] stp root secondary
Step 3 Configure the Layer 2 forwarding function on the CE and LSW1 to LSW3.
After the configurations are complete and network becomes stable, run the following
commands to verify the configuration. LSW1 is used as an example.
SEP segment 1
----------------------------------------------------------------
----------------------------------------------------------------
----End
Configuration Files
#
sysname LSW1
#
vlan batch 10 100
#
region-name RG1
#
sep segment 1
control-vlan 10
block port middle
tc-notify stp
#
sep segment 1 edge no-neighbor primary
#
stp disable
sep segment 1
#
return

#
sysname LSW2
#
vlan batch 10 100
#
region-name RG1
#
sep segment 1
control-vlan 10
tc-notify stp
#
sep segment 1 edge no-neighbor secondary
#
stp disable
sep segment 1
#
return
#
sysname LSW3
#
vlan batch 10 100
#
sep segment 1
control-vlan 10
#
stp disable
sep segment 1
#
stp disable
sep segment 1
#
port hybrid tagged vlan vlan 100
#
return
#
sysname PE1
#
vlan batch 100
#
region-name RG1
#
#


#
#
return
#
sysname PE2
#
vlan batch 100
#
region-name RG1
#
#
#
#
return
#
sysname PE3
#
vlan batch 100 200
#
#
region-name RG1
#
#
#
#
return
#
sysname PE4
#
vlan batch 100 200
#
#

region-name RG1
#
#
#
#
return
l CE configuration file
#
sysname CE
#
vlan batch 100
#
#
return
17.8.4 Example for Configuring a Hybrid SEP+RRPP Ring

Network
In this example, you can configure SEP at the access layer to implement redundancy
protection switching and configure the topology change notification function on an edge
device in a SEP segment. This enables an upper-layer network to detect topology changes in a
lower-layer network in time.

Figure 17-22 Hybrid rings running SEP and RRPP
Network
NPE1 NPE2
GE1/0/2
GE1/0/3 GE1/0/3
GE1/0/2
Aggregation
PE3 PE4
GE1/0/1
GE1/0/1
RRPP
GE1/0/2 PE1 PE2 GE1/0/2
GE1/0/3
GE1/0/1 GE1/0/1
GE1/0/1 GE1/0/1
SEP
LSW1 Segment1 LSW2
GE1/0/2 GE1/0/2
GE1/0/2 GE1/0/1
Access
GE1/0/3LSW3
GE1/0/1
CE
Primary Edge Port
Secondary Edge Port
VLAN100
Block Port(SEP)
Block Port(RRPP)
As shown in Figure 17-22, multiple Layer 2 switching devices at the access layer and
aggregation layer form a ring network to access the core layer. RRPP has been configured at
the aggregation layer to eliminate loops. In this case, SEP needs to run at the access layer to
implement the following functions:
l Eliminates loops when there is no faulty link on the ring network.
l Rapidly restores communication between nodes when a link fault occurs on the ring
network.
l Provides the topology change notification function on an edge device in a SEP segment.
This function enables an upper-layer network to detect topology changes in a lower-layer
network in time.

After receiving a message indicating the topology change in a lower-layer network, a

device on an upper-layer network sends TC packets to instruct other devices to delete
original MAC addresses and learn new MAC addresses after the topology of the lower-
layer network changes. This ensures uninterrupted traffic forwarding.
a. Configure SEP segment 1 on PE1, PE2, and LSW1 to LSW3 and configure VLAN
10 as the control VLAN of SEP segment 1.
b. Add PE1, PE2, and LSW1 to LSW3 to SEP segment 1, and configure interface
roles on edge devices (PE1 and PE2) of the SEP segment.
c. Set an interface blocking mode on the device where a primary edge interface is
located to specify an interface to block.
d. Configure the preemption mode to ensure that the specified interface is blocked
when a fault is rectified.
e. Configure the topology change notification function so that the topology change in
the local SEP segment can be notified to the upper-layer network where RRPP is
enabled.
2. Configure basic RRPP functions.
a. Add PE1 to PE4 to RRPP domain 1, create control VLAN 5 on PE1 to PE4, and
configure a protected VLAN.
b. Configure PE1 as the master node and PE2 to PE4 as transit nodes on the major
ring, and configure the primary and secondary interfaces of the major ring.
c. Create a VLAN on PE1 to PE4, and add the interfaces on the RRPP ring network to
the VLAN.
3. Configure the Layer 2 forwarding function on the CE, LSW1 to LSW3, and PE1 to PE4.
Procedure
1. Configure SEP segment 1 on PE1, PE2, and LSW1 to LSW3 and configure VLAN 10 as
the control VLAN of SEP segment 1.
# Configure PE1.
[PE1] sep segment 1
[PE1-sep-segment1] control-vlan 10
[PE1-sep-segment1] protected-instance all
[PE1-sep-segment1] quit
# Configure PE2.
[PE2] sep segment 1
# Configure LSW1.


# Configure LSW2.
# Configure LSW3.
2. Add PE1, PE2, and LSW1 to LSW3 to SEP segment 1 and configure interface roles.
NOTE
By default, STP is enabled on an interface. Before adding an interface to a SEP segment, disable
STP on the interface.
# Configure PE1.
[PE1-GigabitEthernet1/0/1] sep segment 1 edge primary
# Configure LSW1.
[LSW1-GigabitEthernet1/0/1] port link-type trunk
# Configure LSW2.
# Configure LSW3.

# Configure PE2.
[PE2-GigabitEthernet1/0/1] sep segment 1 edge secondary
After completing the preceding configurations, run the display sep topology command
on PE1 to view the topology of the SEP segment. The command output shows that the
blocked interface is one of the two interfaces that complete neighbor negotiations last.
[PE1] display sep topology
SEP segment 1
-------------------------------------------------------------------------
System Name Port Name Port Role Port Status Hop
-------------------------------------------------------------------------
PE1 GE1/0/1 primary forwarding 1
LSW1 GE1/0/1 common forwarding 2
PE2 GE1/0/1 secondary discarding 8
3. Set an interface blocking mode.

# In SEP segment 1, block the interface in the middle of the SEP segment on PE1 where
the primary edge interface resides.
[PE1] sep segment 1
[PE1-sep-segment1] block port middle
4. Set the preemption mode.

# In SEP segment 1, set manual preemption on PE1 where the primary edge interface
resides.
[PE1-sep-segment1] preempt manual

# Configure devices in SEP segment 1 to notify topology changes to the RRPP ring
network.
# Configure PE1.
[PE1-sep-segment1] tc-notify rrpp
# Configure PE2.
[PE2] sep segment 1
[PE2-sep-segment1] tc-notify rrpp
After the preceding configurations are successful, perform the following operations to verify
the configurations. PE1 is used as an example.
l Run the display sep topology command on PE1 to view the topology of the SEP
segment.
The command output shows that the status of GE 1/0/2 on LSW3 is discarding and the
status of the other interfaces is forwarding.
SEP segment 1
-------------------------------------------------------------------------
-------------------------------------------------------------------------


LSW3 GE1/0/2 common discarding 4
PE2 GE1/0/1 secondary forwarding 8
l Run the display sep interface verbose command on PE1 to view detailed information
about the interfaces added to the SEP segment.
[PE1] display sep interface verbose
SEP segment 1
Control-vlan :10
Preempt Delay Timer :0
TC-Notify Propagate to :rrpp
----------------------------------------------------------------
Interface :GE1/0/1
Port Role :Config = primary / Active = primary
Port Priority :64
Port Status :forwarding
Neighbor Status :up
Neighbor Port :LSW1 - GE1/0/1 (00e0-0829-7c00.0000)
NBR TLV rx :2124 tx :2126
LSP INFO TLV rx :2939 tx :135
LSP ACK TLV rx :113 tx :768
PREEMPT REQ TLV rx :0 tx :3
PREEMPT ACK TLV rx :3 tx :0
TC Notify rx :5 tx :3
EPA rx :363 tx :397
Step 2 Configure basic RRPP functions.

1. Add PE1 to PE4 to RRPP domain 1, create control VLAN 5 on PE1 to PE4, and
configure a protected VLAN.
# Configure PE1.
[PE1-mst-region] instance 1 vlan 5 6 100
[PE1] rrpp domain 1
[PE1-rrpp-domain-region1] control-vlan 5
[PE1-rrpp-domain-region1] protected-vlan reference-instance 1
# Configure PE2.
[PE2] rrpp domain 1
# Configure PE3.
[PE3] rrpp domain 1
# Configure PE4.
[PE4] rrpp domain 1

2. Create a VLAN and add interfaces on the ring network to the VLAN.
# Create VLAN 100 on PE1, and add GE 1/0/1, GE 1/0/2, and GE 1/0/3 to VLAN 100.
[PE1] vlan 100
[PE1-vlan100] quit
# Create VLAN 100 on PE2, and add GE 1/0/1, GE 1/0/2, and GE 1/0/3 to VLAN 100.
[PE2] vlan 100
[PE2-vlan100] quit
# Create VLAN 100 on PE3, and add GE 1/0/1 and GE 1/0/2 to VLAN 100.
[PE3] vlan 100
[PE3-vlan100] quit
# Create VLAN 100 on PE4, and add GE 1/0/1 and GE 1/0/2 to VLAN 100.
[PE4] vlan 100
[PE4-vlan100] quit

3. Configure PE1 as the master node and PE2 to PE4 as transit nodes of the major ring, and
configure the primary and secondary interfaces of the major ring.
# Configure PE1.
[PE1] rrpp domain 1
[PE1-rrpp-domain-region1] ring 1 node-mode master primary-port
gigabitethernet1/0/2 secondary-port gigabitethernet1/0/3 level 0
[PE1-rrpp-domain-region1] ring 1 enable
# Configure PE2.
[PE2] rrpp domain 1
[PE2-rrpp-domain-region1] ring 1 node-mode transit primary-port
# Configure PE3.
[PE3] rrpp domain 1
# Configure PE4.
[PE4] rrpp domain 1
4. Enable RRPP.
# Configure PE1.
[PE1] rrpp enable
# Configure PE2.
[PE2] rrpp enable
# Configure PE3.
[PE3] rrpp enable
# Configure PE4.
[PE4] rrpp enable
After completing the preceding configurations, run the display rrpp brief or display rrpp
verbose domain command on PE1 to check the RRPP configuration.
[PE1] display rrpp brief
Abbreviations for Switch Node Mode :
M - Master , T - Transit , E - Edge , A - Assistant-Edge
RRPP Protocol Status: Enable

RRPP Working Mode: HW
RRPP Linkup Delay Timer: 0 sec (0 sec default)
Number of RRPP Domains: 1
Domain Index : 1
Control VLAN : major 5 sub 6
Protected VLAN : Reference Instance 1
Hello Timer : 1 sec(default is 1 sec) Fail Timer : 6 sec(default is 6 sec)
Ring Ring Node Primary/Common Secondary/Edge Is
ID Level Mode Port Port Enabled
----------------------------------------------------------------------------
1 0 M GigabitEthernet1/0/2 GigabitEthernet1/0/3 Yes
The command output shows that RRPP is enabled on PE1. In domain 1, VLAN 5 is the major
control VLAN, VLAN 6 is the sub-control VLAN, Instance 1 is the protected VLAN, and
PE1 is the master node in major ring 1 with the primary and secondary interfaces as
GigabitEthernet1/0/2 and GigabitEthernet1/0/3 respectively.
[PE1] display rrpp verbose domain 1

Domain Index : 1
RRPP Ring : 1
Ring Level : 0
Node Mode : Master
Ring State : Complete
Is Enabled : Enable Is Active: Yes
Primary port : GigabitEthernet1/0/2 Port status: UP
Secondary port : GigabitEthernet1/0/3 Port status: BLOCKED
The command output shows that in domain 1, VLAN 5 is the major control VLAN, VLAN 6
is the sub-control VLAN, Instance 1 is the protected VLAN, PE1 is the master node in major
ring 1 with the primary and secondary interfaces as GigabitEthernet1/0/2 and
GigabitEthernet1/0/3 respectively, and the node status is Complete.
Step 3 Configure the Layer 2 forwarding function on the CE, LSW1 to LSW3, and PE1 to PE4.
For the configuration details, see the configuration files.
After the previous configurations, run the following commands to verify the configuration
when the network is stable. LSW1 is used as an example.
then run the display sep interface command on LSW3 to check whether the status of
GE1/0/2 changes from blocked to forwarding.
[LSW3] display sep interface gigabitethernet 1/0/2
SEP segment 1
----------------------------------------------------------------
----------------------------------------------------------------
----End
Configuration Files
#
sysname LSW1
#
vlan batch 10 100
#
sep segment 1
control-vlan 10
#
stp disable
sep segment 1
#
stp disable
sep segment 1
#
return


#
sysname LSW2
#
vlan batch 10 100
#
sep segment 1
control-vlan 10
#
stp disable
sep segment 1
#
stp disable
sep segment 1
#
return

#
sysname LSW3
#
vlan batch 10 100
#
sep segment 1
control-vlan 10
#
stp disable
sep segment 1
#
stp disable
sep segment 1
#
#
return

#
sysname PE1
#
vlan batch 5 to 6 10 100
#
rrpp enable
#
instance 1 vlan 5 to 6 100
#
rrpp domain 1
control-vlan 5
protected-vlan reference-instance 1
ring 1 node-mode master primary-port GigabitEthernet 1/0/2 secondary-port
GigabitEthernet 1/0/3 level 0

ring 1 enable
#
sep segment 1
control-vlan 10
block port middle
tc-notify rrpp
#
stp disable
#
port trunk allow-pass vlan 5 to 6 100
stp disable
#
stp disable
#
return

#
sysname PE2
#
#
rrpp enable
#
#
rrpp domain 1
control-vlan 5
ring 1 node-mode transit primary-port GigabitEthernet 1/0/2 secondary-port
ring 1 enable
#
sep segment 1
control-vlan 10
tc-notify rrpp
#
stp disable
#
stp disable
#
stp disable
#
return

#
sysname PE3
#
#
rrpp enable
#
#
rrpp domain 1
control-vlan 5
ring 1 enable
#
stp disable
#
port trunk allow-pass vlan 5 to 6 100 200
stp disable
#
#
return
#
sysname PE4
#
#
rrpp enable
#
#
rrpp domain 1
control-vlan 5
ring 1 enable
#
stp disable
#
port trunk allow-pass vlan 5 to 6 100 200
stp disable
#
#
return


#
sysname CE1
#
vlan batch 100
#
#
return
17.8.5 Example for Configuring SEP Multi-Instance
On a closed ring network, two SEP segments are configured to process different VLAN
services, implement load balancing, and provide link backup.
bandwidth.
To improve bandwidth efficiency and implement traffic load balancing, Huawei develops SEP
multi-instance.

Figure 17-23 SEP multi-instance on a closed ring network
Network
/0 /3 GE1
/0/3
GE1/0/2 GE 1 GE1/0/2
LSW1
LSW4
GE1/0/1
GE1/0/1
Aggregation
P2 P1 GE1/0/1
GE1/0/1
LSW2 GE LSW3
1 /0 /0 /2
GE1/0/3 /2 GE 1 GE1/0/3
GE1/0/1 GE1/0/1
Access
CE1 CE2
VLAN VLAN
100~300 301~500
SEP Segment1
SEP Segment2
Primary Edge Port
Secondary Edge Port
Block Port
As shown in Figure 17-23, a ring network comprising Layer 2 switches (LSW1 to LSW5) is
connected to the network. SEP runs at the aggregation layer. SEP multi-instance is configured
on LSW1 to LSW4 to allow for two SEP segments to improve bandwidth efficiency,
implement load balancing, and provide link backup.

a. Create two SEP segments and a control VLAN on LSW1 to LSW4.

Different SEP segments can use the same control VLAN.

b. Configure SEP protected instances, and set mappings between SEP protected
instances and user VLANs to ensure that topology changes affect only
corresponding VLANs.
c. Add all the devices on the ring network to the SEP segments, and configure
GE1/0/1 as the primary edge interface and GE1/0/3 as the secondary edge interface
on LSW1.
d. Configure an interface blocking mode on the device where the primary edge
interface resides.
e. Configure the preemption mode to ensure that the specified interface is blocked
when a fault is rectified.
2. Configure the Layer 2 forwarding function on CE1, CE2, and LSW1 to LSW4.
Procedure
l Configure SEP segment 1 and control VLAN 10.
# Configure LSW1.
# Configure LSW2.
[LSW2] sep segment1
# Configure LSW3.
# Configure LSW4.
l Configure SEP segment 2 and control VLAN 10.

# Configure LSW1.
# Configure LSW2.
[LSW2] sep segment2
# Configure LSW3.
# Configure LSW4.


NOTE
l The control VLAN must be a new one.

l The command used to create a common VLAN is automatically displayed in a configuration file.
l Each SEP segment must be configured with a control VLAN. After being added to a SEP segment
configured with a control VLAN, an interface is added to the control VLAN automatically. You do
not need to run the port trunk allow-pass vlan command. In the configuration file, the port trunk
allow-pass vlan command, however, is displayed in the view of the interface added to the SEP
segment.
Step 2 Configure SEP protected instances, and configure mappings between SEP protected instances
and user VLANs.
# Configure LSW1.
[LSW1] vlan batch 100 to 500
[LSW1-sep-segment1] protected-instance 1
[LSW1-sep-segment2] protected-instance 2
[LSW1-mst-region] instance 1 vlan 100 to 300
[LSW1-mst-region] instance 2 vlan 301 to 500
The configurations of LSW2 to LSW4 are similar to that of LSW1, and are not mentioned
here. For details, see the configuration files.
Step 3 Add all the devices on the ring network to the SEP segments and configure interface roles.
NOTE
By default, STP is enabled on a Layer 2 interface. Before adding an interface to a SEP segment, disable
STP on the interface.
# On LSW1, configure GE1/0/1 as the primary edge interface and GE1/0/3 as the secondary
edge interface.
# Configure LSW2.


# Configure LSW3.
# Configure LSW4.
Step 4 Specify an interface to block.
# Configure delayed preemption and block an interface based on the device and interface
names on LSW1 where the primary edge interface is located.
NOTE
l In this configuration example, an interface fault needs to be simulated and then rectified to
implement delayed preemption. To ensure that delayed preemption takes effect on the two SEP
segments, simulate an interface fault in the two SEP segments. For example:
– In SEP segment 1, run the shutdown command on GE 1/0/1 of LSW2 to simulate an interface
fault. Then, run the undo shutdown command on GE1/0/1 to simulate interface fault recovery.
– In SEP segment 2, run the shutdown command on GE 1/0/1 of LSW3 to simulate an interface
fault. Then, run the undo shutdown command on GE1/0/1 to simulate interface fault recovery.
Step 5 Configure the Layer 2 forwarding function on CE1, CE2, and LSW1 to LSW4.
The configuration details are not mentioned here. For details, see the configuration files.
Simulate a fault, and then check whether the status of the blocked interface changes from
blocked to forwarding.
Run the shutdown command on GE1/0/1 of LSW2 to simulate an interface fault.

Run the display sep interface command on LSW3 to check whether the status of GE1/0/1 in
SEP segment 1 changes from blocked to forwarding.
[LSW3] display sep interface gigabitethernet 1/0/1
SEP segment 1
----------------------------------------------------------------
----------------------------------------------------------------
SEP segment 2
----------------------------------------------------------------
----------------------------------------------------------------
The preceding command output shows that the status of GE1/0/1 changes from blocked to
forwarding and the forwarding path change in SEP segment 1 does not affect the forwarding
path in SEP segment 2.
----End
Configuration Files
#
sysname LSW1
#
#
#
sep segment 1
control-vlan 10
preempt delay 15
protected-instance 1
sep segment 2
control-vlan 10
preempt delay 15
#
stp disable
#
stp disable
#
return

#
sysname LSW2
#
#

#
sep segment 1
control-vlan 10
sep segment 2
control-vlan 10
#
stp disable
sep segment 1
sep segment 2
#
stp disable
sep segment 1
sep segment 2
#
#
return

#
sysname LSW3
#
#
#
sep segment 1
control-vlan 10
sep segment 2
control-vlan 10
#
stp disable
sep segment 1
sep segment 2
#
stp disable
sep segment 1
sep segment 2
#
#
return


#
sysname LSW4
#
vlan batch 10 60 100 to 500
#
#
sep segment 1
control-vlan 10
sep segment 2
control-vlan 10
#
stp disable
sep segment 1
sep segment 2
#
stp disable
sep segment 1
sep segment 2
#
return

#
sysname CE1
#
#
#
return

#
sysname CE2
#
#
#
return
17.8.6 Example for Configuring Association Between SEP and

VPLS (Reporting Topology Changes of a Lower-Layer Network)
As shown in Figure 17-24, CE1 is connected to a VPLS network through an open ring. SEP
is enabled on the open ring network to eliminate redundant links. When a link on the ring

network becomes faulty, SEP can immediately restore the communication between nodes on
the ring network. The traffic between CEs, however, is still interrupted.
To solve the problem, association between SEP and VPLS must be enabled on PE1 and PE2.
With association between SEP and VPLS, PE1 and PE2 can detect topology changes of the
SEP network immediately after a fault occurs on the SEP network. This ensures reliable
traffic transmission.
Figure 17-24 Networking diagram for configuring association between SEP and VPLS
PE3 CE2
GE1/0/3
GE1/0/2
GE1/0/1 GE1/0/2
GE1/0/1
GE1/0/3 GE1/0/3 VLAN100

GE1/0/1 GE1/0/1
PE1 GE1/0/2 GE1/0/2 PE2
GE1/0/2 GE1/0/2
LSW1 SEP LSW3
Segment1
GE1/0/1 GE1/0/1
GE1/0/1 GE1/0/2
LSW2 GE1/0/3
GE1/0/2
CE1
GE1/0/1
Primary Edge Node

VLAN100
Secondary Edge Node
Block Port
Table 17-15
PE1 GE1/0/1 VLANIF20 10.1.1.1 30
GE1/0/2 VLANIF100 -
GE1/0/3 VLANIF30 10.2.1.1 30
Loopback1 - 1.1.1.1 32

PE2 GE1/0/1 VLANIF20 10.2.1.2 30
GE1/0/2 VLANIF100 -
GE1/0/3 VLANIF40 10.3.1.1 30
Loopback1 - 2.2.2.2 32
PE3 GE1/0/1 VLANIF30 20.1.1.2 30
GE1/0/2 VLANIF40 10.3.1.2 30
GE1/0/3 VLANIF100 -
Loopback1 - 3.3.3.3 32
a. Create a SEP segment and a control VLAN.
b. Add all the devices on the ring network to the SEP segment and configure a role for
each interface added to the SEP segment.
NOTE
When being added to multiple SEP segments, an interface must be configured with the same
role. Otherwise, SEP multi-instance fails to be configured.
c. Enable the function of specifying an interface to block on the device where the
primary edge interface resides.
d. Configure the SEP preemption mode to ensure that the specified blocked interface
takes effect when a fault is rectified.
2. Configure VPLS on PE1, PE2, and PE3.
3. Configure association between SEP and VPLS on the devices connecting the SEP
network and the VPLS network.
4. Configure the Layer 2 forwarding function on CE1, CE2, LSW1 to LSW3, and PE1 to
PE3.
Procedure
1. Create a SEP segment and a control VLAN.
# Configure PE1.
[PE1] sep segment 1
# Configure LSW1.

# Configure LSW2.
[LSW2] sep segment1
# Configure LSW3.
# Configure PE2.
[PE2] sep segment 1
NOTE
– The control VLAN must be a new one.

– After the control VLAN is created successfully, the command used to create a common VLAN
will be displayed in the configuration file.
Each SEP segment must be configured with a control VLAN. After an interface is added to a
SEP segment configured with a control VLAN, the interface will be automatically added to the
control VLAN.
n If the interface type is Trunk, in the configuration file, the port trunk allow-pass vlan
n If the interface type is Hybrid, in the configuration file, the port hybrid tagged vlan
2. Add all the devices on the ring network to the SEP segment and configure a role for each
interface added to the SEP segment.
Configure GE 1/0/2 on PE1 as a primary edge interface, GE 1/0/2 on PE2 as a secondary
edge interface, and other interfaces as common interfaces.
# Configure PE1.
[PE1-GigabitEthernet1/0/2] sep segment 1 edge primary
# Configure PE2.
[PE2-GigabitEthernet1/0/2] sep segment 1 edge secondary
# Configure LSW1.


# Configure LSW2.
# Configure LSW3.
After completing the preceding configurations, run the display sep topology command
on PE1 to view the topology of the SEP segment. You can see that the blocked interface
is the one of the last two interfaces that complete neighbor negotiation.
SEP segment 1
-------------------------------------------------------------------------
-------------------------------------------------------------------------
PE2 GE1/0/2 secondary discarding 8

– Configure an interface blocking mode.
# Configure the interface priority-based interface blocking mode on PE1 where the
primary edge interface resides in SEP segment 1, and block the interface with the
highest priority.
[PE1] sep segment 1
[PE1-sep-segment1] block port optimal
# On LSW2, set the priority of GE 1/0/2 to 128 and allow the other interfaces to use
the default priority.
– Configure the preemption mode.

# Set the preemption mode on PE1 where the primary edge interface resides as
delayed preemption.

[PE1-sep-segment1] preempt delay 600

NOTE
– The preemption delay has no default value. Therefore, you must run the related command to
set the preemption delay.
– When the last faulty edge interface recovers, it does not receive any fault advertisement
packet. If the primary edge interface does not receive any fault advertisement packet within
three seconds, it immediately starts the delay timer. After the delay timer expires, the nodes on
the SEP segment block a specified interface.
Therefore, in this example, an interface fault is simulated and then rectified to implement
delayed preemption. For example:
Run the shutdown command on GE 1/0/2 of LSW2 to simulate an interface fault. Then, run
the undo shutdown command on GE 1/0/2 to rectify the fault.
After completing the preceding operations, view the topology of the SEP segment. Use
the display on PE1 as an example.
Run the display sep topology command on PE1 to view the information about the
topology of the SEP segment.
SEP segment 1
-------------------------------------------------------------------------
-------------------------------------------------------------------------
LSW2 GE1/0/2 common discarding 5
PE2 GE1/0/2 secondary forwarding 8
The preceding command output shows that the status of GE 1/0/2 is discarding and the
status of the other interfaces is forwarding on LSW2 in SEP segment 1.
Step 2 Configure a VPLS network.
1. Configure an IP address for each interface and an IGP on the VPLS backbone network.
In this example, IS-IS is used as an IGP.
Configure VPLS connections between the PEs (the VPLS connections use the LDP
signaling, and the VSI name is ldp1). The configuration details are not provided here.
For details, see the chapter "VPLS Configuration" in the S7700&S9700 Configuration
Guide - VPN or configuration files in this example.
After the preceding configurations are complete, the PEs ping each other successfully.
[PE3] ping 10.1.1.1

0.00% packet loss
[PE1] ping 2.2.2.2



0.00% packet loss
2. Bind the VLANIF interfaces at the user side on the PEs to the same VSI.
# Configure PE1.
[PE1] vlan 100
[PE1-vlan100] quit
[PE1] interface Vlanif 100
[PE1-Vlanif100] l2 binding vsi ldp1
# Configure PE2.
[PE2] vlan 100
[PE2-vlan100] quit
# Configure PE3.
[PE3] vlan 100
[PE3-vlan100] quit
After completing the preceding configurations, run the display vsi name ldp1 verbose
command on PE1. You can see that PE1 in a VSI named ldp1 in the Up state sets up a
PW to PE2 and another PW to PE3.
[PE1] display vsi name ldp1 verbose
***VSI Name : ldp1

VSI Index : 0
PW Signaling : ldp
MTU : 1500
Mpls Exp : --
DomainId : 255
Domain Name :
P2P VSI : disable
VSI State : up
VSI ID : 1
VC Label : 1026
Peer Type : dynamic

Session : up
Tunnel ID : 0x5
CKey : 2
NKey : 1
StpEnable : 0
PwIndex : 0
VC Label : 1027
Peer Type : dynamic
Session : up
Tunnel ID : 0x6
CKey : 4
NKey : 3
StpEnable : 0
PwIndex : 0
Interface Name : Vlanif100

State : up
Access Port : false
Last Up Time : 2010/07/05 19:59:31
**PW Information:

PW State : up
PW Type : label
Tunnel ID : 0x5
Ckey : 0x2
Nkey : 0x1
Main PW Token : 0x5
Tnl Type : LSP
Stp Enable : 0
PW Last Up Time : 2010/07/05 20:00:21
PW State : up
PW Type : label
Tunnel ID : 0x6
Ckey : 0x4
Nkey : 0x3
Main PW Token : 0x6
Tnl Type : LSP
Stp Enable : 0
PW Last Up Time : 2010/07/05 20:09:01
Step 3 Configure association between SEP and VPLS.

# Configure PE1.

[PE1] sep segment 1

[PE1-sep-segment1] tc-notify vpls
# Configure PE2.
[PE2] sep segment 1
[PE2-sep-segment1] tc-notify vpls
Step 4 Configure the Layer 2 forwarding function on CE1, CE2, and LSW1 to LSW3.
The configuration details are not provided here. For details, see configuration files in this
example.
Simulate a fault, and then check whether the status of the blocked interface changes from
blocked to forwarding.
Run the shutdown command on GE 1/0/1 of LSW2 to simulate an interface fault.
l Run the display sep interface command on LSW2 to check whether the status of GE
1/0/2 in SEP segment 1 changes from blocked to forwarding.
[LSW2] display sep interface GigabitEthernet 1/0/2
SEP segment 1
----------------------------------------------------------------
----------------------------------------------------------------
l The CEs can ping each other successfully.
----End
Configuration Files
#
sysname PE1
#
vlan batch 10 20 30 100
#
sep segment 1
control-vlan 10
block port optimal
preempt delay 600
tc-notify vpls
#
mpls lsr-id 1.1.1.1
mpls
#
mpls l2vpn
#
vsi ldp1 static
pwsignal ldp
vsi-id 1
peer 2.2.2.2
peer 3.3.3.3
#
mpls ldp
#
isis 1
is-level level-2
network-entity 49.0010.0100.1009.00

#
interface Vlanif20
ip address 10.1.1.1 255.255.255.252
isis enable 1
mpls
mpls ldp
#
interface Vlanif30
ip address 10.2.1.1 255.255.255.252
isis enable 1
mpls
mpls ldp
#
interface Vlanif100
l2 binding vsi ldp1
#
#
stp disable
#
#
interface LoopBack1
ip address 1.1.1.1 255.255.255.255
isis enable 1
#
return
#
sysname PE2
#
vlan batch 10 20 40 100
#
sep segment 1
control-vlan 10
tc-notify vpls
#
mpls lsr-id 2.2.2.2
mpls
#
mpls l2vpn
#
vsi ldp1 static
pwsignal ldp
vsi-id 1
peer 1.1.1.1
peer 3.3.3.3
#
mpls ldp
#
isis 1
is-level level-2
network-entity 49.0020.0200.2009.00
#
interface Vlanif20
ip address 10.2.1.2 255.255.255.252
isis enable 1
mpls
mpls ldp
#

interface Vlanif40
ip address 10.3.1.1 255.255.255.252
isis enable 1
mpls
mpls ldp
#
interface Vlanif100
l2 binding vsi ldp1
#
#
stp disable
#
#
interface LoopBack1
ip address 2.2.2.2 255.255.255.255
isis enable 1
#
return
#
sysname PE3
#
#
mpls lsr-id 3.3.3.3
mpls
#
mpls l2vpn
#
vsi ldp1 static
pwsignal ldp
vsi-id 1
peer 1.1.1.1
peer 2.2.2.2
#
mpls ldp
#
isis 1
is-level level-2
network-entity 49.0030.0300.3009.00
#
interface Vlanif30
ip address 20.1.1.2 255.255.255.252
isis enable 1
mpls
mpls ldp
#
interface Vlanif40
ip address 10.3.1.2 255.255.255.252
isis enable 1
mpls
mpls ldp
#
interface Vlanif100
l2 binding vsi ldp1
#

#
#
#
interface LoopBack1
ip address 3.3.3.3 255.255.255.255
isis enable 1
#
return

#
sysname LSW1
#
vlan batch 10
#
sep segment 1
control-vlan 10
#
stp disable
sep segment 1
#
stp disable
sep segment 1
#
return

#
sysname LSW2
#
vlan batch 10
#
sep segment 1
control-vlan 10
#
stp disable
sep segment 1
#
stp disable
sep segment 1
#
#
return

#
sysname LSW3
#
vlan batch 10
#
sep segment 1
control-vlan 10
#
stp disable
sep segment 1
#
stp disable
sep segment 1
#
return

#
sysname CE1
#
vlan batch 100
#
#
#
return

#
sysname CE2
#
vlan batch 100
#
#
#
return

Configuration Guide - Ethernet Switching 18 RRPP Configuration
18 RRPP Configuration
About This Chapter
This chapter describes how to configure the Rapid Ring Protection Protocol (RRPP) to
prevent loops and implement fast convergence on ring networks.
18.1 Introduction to RRPP

18.2 Principles
18.3 Application Scenarios
18.7 Configuring RRPP
18.8 Maintaining RRPP
18.11 FAQ
18.12 References

18.1 Introduction to RRPP
Definition
The Rapid Ring Protection Protocol (RRPP) is a link layer protocol used to prevent loops on
an Ethernet ring network.
When the network is complete, RRPP-enabled devices discover and eliminate loops on the
network by blocking certain interfaces. If a network fault occurs, RRPP-enabled devices
unblock blocked interfaces and switch data services to a running link.
Purpose
The ring network topology is applied to MANs and enterprise intranets to improve network
reliability. If a fault occurs on a node or on a link between nodes, data services are switched to
the backup link to ensure service. However, broadcast storms may occur on ring networks.
Many protocols can prevent broadcast storms on ring networks. However, if a fault occurs on
a ring network, it takes some time for the device to switch data services to the backup link.
The network convergence is slow and if the convergence takes too much time, services are
interrupted.
To shorten the convergence time and eliminate the impact of network scale on convergence
time, Huawei developed RRPP. Compared with other Ethernet ring technologies, RRPP has
the following advantages as described in Table 18-1:
l RRPP applies to large networks because the convergence time is not affected by the
number of nodes on the ring network.
l RRPP prevents broadcast storms caused by data loops when an Ethernet ring is
complete.
l In case of an Ethernet ring network failure, the backup link rapidly restores the
communication among the Ethernet ring network nodes.
Table 18-1 Comparison of ring network protocols

Ring Network Characteristics
Protocol
Token Ring The token ring was the first ring technology introduced to the data
communication field and applied in LANs.
The token ring does not have the self-healing capability.
FDDI Fiber Distributed Digital Interface (FDDI) is an improved token ring

technology that uses a token to transmit the right to control a ring
network. FDDI uses a double-ring structure.
FDDI uses optical fibers for transmission, which greatly improves the
performance and efficiency compared with the token ring. FDDI does
not have self-healing capability.
The bandwidth of an FDDI ring network cannot be efficiently utilized
because FDDI uses source address stripping technology.

Ring Network Characteristics

Protocol
SDH/SONET Synchronous Digital Hierarchy/Synchronous Optical Network (SDH/

SONET) is a widely used ring technology that supports both single
and multiple rings. SDH/SONET features high reliability and an
automatic protection switching (APS)-based self-healing mechanism.
On an SDH/SONET network, the bandwidth between two nodes is
fixed and reserved based on its point-to-point (P2P) structure and the
circuit switching design. The bandwidth cannot adapt to the actual
situation, which leads to inefficient bandwidth use. As a result, the
SDH/SONET technology cannot meet the bandwidth requirements of
IP data services with frequent data bursts.
In addition, broadcast and multicast packets on the SDH/SONET
network are transmitted as unicast packets, wasting bandwidth. APS
requires a maximum of 50% redundant bandwidth, which makes a
flexible selection mechanism impossible.
RPR Resilient Packet Ring (RPR) is a MAC-layer protocol on the ring

topology developed and standardized by IEEE 802.17 and RPR
alliance. RPR defines a logical P2P closed ring based on the MAC
layer.
On the physical layer, an RPR network is a ring network that consists
of P2P links; on the data link layer, an RPR network is a broadcast
network similar to an Ethernet network.
RPR is implemented based on dedicated hardware and a complex
fairness algorithm.
STP/RSTP/MSTP The Spanning Tree Protocol (STP)/Rapid Spanning Tree Protocol

(RSTP)/Multi-Spanning Tree Protocol (MSTP) builds a loop-free tree
to prevent broadcast storms and implement redundancy backup.
Multiple spanning trees perform load balancing and transmit traffic in
different VLANs along different paths.
As a protocol with the automatic calculation function, STP/RSTP/
MSTP supports any topology.
The network convergence time is affected by the topology.
RRPP RRPP is short for Rapid Ring Protection Protocol.

The network convergence time is not determined by the number of
nodes on a ring network.
RRPP multi-instance supports load balancing of different types of
service traffic.
RRPP is a Huawei proprietary protocol. To use RRPP, ensure that only
Huawei devices exist on the ring network.
18.2 Principles

18.2.1 Basic RRPP Concepts
After an RRPP domain and ring are created, RRPP specifies devices on the ring network as
nodes in different roles. Nodes on the ring network detect the ring network status and transmit
topology changes by sending, receiving, and processing RRPP packets through primary and
secondary interfaces. Nodes on the ring network block or unblock the interfaces based on the
ring network status. RRPP can prevent loops when the ring is complete, and rapidly switch
service data to the backup link if a device or link fails, ensuring nonstop service transmission.
RRPP Composition
A group of interconnected switches configured with the same domain ID and control VLAN
constitute an RRPP domain.
Figure 18-1 illustrates the entities in an RRPP domain.
Figure 18-1 RRPP networking

RRPP Domain
Transit Node Edge Node

Master Node SwitchA SwitchC SwitchE Master Node
S S
E
P C P
Major Ring Sub Ring
C
E
Transit Node SwitchB SwitchD SwitchF Transit Node

Transit Node Assistant-Edge Node
P: Primary Interface
S: Secondary Interface
C: Common Interface
E: Edge Interface
RRPP Domain ID
An RRPP domain ID distinguishes an RRPP domain.
RRPP Ring
A physical RRPP ring uses an Ethernet ring topology. An RRPP domain comprises a single
ring or multiple interconnected rings. When multiple interconnected rings exist, one ring is
the major ring and the others are sub-rings.
An RRPP domain may have multiple sub-rings but only one major ring. The RRPP domain in
Figure 18-1 consists of a major ring and a sub-ring.

RRPP is applied to the networking of a single ring, intersecting rings, and tangent rings. For
details about networking modes, see Common RRPP Rings.
Control VLAN and Data VLAN

The control VLAN is relative to the data VLAN. In an RRPP domain, a control VLAN is
used to transmit only RRPP packets, while a data VLAN is used to transmit data packets.
When an RRPP domain consists of a major ring and sub-rings, the RRPP domain is
configured with two control VLANs: major control VLAN and sub-control VLAN. A major
control VLAN belongs to a major ring, while a sub-control VLAN belongs to a sub-ring. You
must only specify the major control VLAN. The VLAN whose ID is one greater than the ID
of the major control VLAN becomes the sub-control VLAN.
Protocol packets on the major ring are transmitted in the major control VLAN, and RRPP
packets on the sub-rings are transmitted in the sub-control VLAN. Protocol packets on the
sub-rings are transmitted as data packets on the major ring. For example, in Figure 18-1,
when the secondary interface of the master node on the major ring is blocked, both data
packets and protocol packets on the sub-ring must be blocked. When the secondary interface
is unblocked, both data packets and protocol packets on the sub-ring are forwarded. Protocol
packets on the sub-ring are transmitted as data packets on the major ring, and protocol packets
on the major ring are only transmitted on the major ring.
Node
Each device on an RRPP ring is a node. Nodes on the RRPP ring are classified into the
following types:
NOTE
The status of the RRPP ring on a node is the status of the node.
l Master node
The master node determines how to handle topology changes. Each RRPP ring must
have only one master node.
Any device on an Ethernet ring can serve as the master node.
The master node can be in either Complete or Failed state. The master node status
indicates the RRPP ring status.
l Transit node
On an RRPP ring, all nodes except the master node are transit nodes. A transit node
monitors the status of its directly-connected links and notifies the master node of link
changes.
A transit node can be in LinkUp, LinkDown, or Preforwarding state.
– When the primary and secondary interfaces of a transit node are Up, the transit node
is in LinkUp state. The transit node can receive and forward data packets and RRPP
packets.
– When the primary or secondary interface of a transit node is Down, the transit node
is in LinkDown state.
– When the primary or secondary interface of a transit node is Blocked, the transit
node is in Preforwarding state and can receive and forward only RRPP packets.
l Edge node and assistant edge node
A switch functions as an edge node or an assistant edge node on a sub-ring, and
functions as a transit node on the major ring.

On the link where the major ring and sub-ring overlap, if the switch on one intersection
point is an edge node, the switch on the other intersection point is an assistant edge node.
A sub-ring has only one edge node and one assistant edge node.
Edge nodes and assistant edge nodes are special transit nodes. They support the same
states as transit nodes but have the following differences:
– If an edge interface is Up, the edge node or assistant edge node is in LinkUp state
and can receive and forward data packets and RRPP packets.
– If an edge interface is Down, the edge node or assistant edge node is in LinkDown
state.
– If an edge interface is blocked, the edge node or assistant edge node is in
Preforwarding state and can receive and forward only RRPP packets.
If the state transition is caused by the changes of the link status on the interface of an
edge node or assistant edge node, only the edge interface status changes.
Interfaces
l Primary interface and secondary interface
On both the master node and transit node, one of the two interfaces connected to an
Ethernet ring is the primary interface, and the other is the secondary interface. The
interface roles depend on the configuration.
The primary and secondary interfaces on the master node provide different functions:
– The master node sends Hello packets from its primary interface and receives Hello
packets on its secondary interface.
– Based on the network status, the master node blocks the secondary interface to
prevent loops or unblocks the secondary interface to ensure communication among
all the nodes on the ring.
The primary and secondary interfaces on a transit node provide the same function.
l Common interface and edge interface
On an edge node or an assistant edge node, an interface shared by the major ring and a
sub-ring is called the common interface. An interface used only by a sub-ring is called
the edge interface.
The common interface is considered an interface on the major ring and belongs to both
the major control VLAN and sub-control VLAN. The edge interface belongs only to the
sub-control VLAN.
Common RRPP Rings

RRPP is applied to the networking of a single ring, intersecting rings, and tangent rings.
Different networks use different RRPP domain modes:
l All the devices on a single ring must be configured in the same RRPP domain.
l All the devices on intersecting rings must be configured in the same RRPP domain.
l Devices on two tangent rings must be configured in different RRPP domains. The
tangent rings are equal to two single rings and must be configured in two RRPP
domains. Each RRPP domain has only one ring.

Single Ring
Figure 18-2 Single ring

Domain 1
SwitchA SwitchB
Master Node Transit Node
Ring 1
Transit Node Transit Node

SwitchD SwitchC
When only one ring exists in the network topology, you can define one RRPP domain and one
RRPP ring. This topology features quick response to topology changes and short convergence
time. It is applicable to simple ring networks.
Intersecting Rings
Figure 18-3 Intersecting rings

Domain 1
SwitchA SwitchB
Edge Node
Master Node
SwitchE
Ring 1
Ring 2
Master Node
Transit Node Assistant-Edge Node

SwitchD SwitchC

When two or more rings exist in the network topology, but multiple common nodes exist
between two neighboring rings, you need to define only one RRPP domain. Configure one
ring as the major ring and the remaining rings as sub-rings. This topology is applicable when
the master node on a sub-ring needs to be dual-homed to the major ring through the edge node
and assistant edge node to provide uplink backup.
Tangent Rings
Figure 18-4 Tangent rings

Domain 1
SwitchA SwitchE
Transit Node
Transit Node
SwitchB
SwitchD
Ring 2
SwitchF
Master Node Ring 1
SwitchC Transit Node
Transit Node Master Node
SwitchG
Domain 2
Transit Node
When two or more rings exist in the network topology and only one common node exists
between two neighboring rings, you need to configure the rings to belong to different RRPP
domains. This topology is applicable to large-scale networks that require domain-based
management.
18.2.2 RRPP Packets

Table 18-2 lists different types of RRPP packets.
Table 18-2 Types of RRPP packets

RRPP Packet Description
Type
Hello Packet sent by the master node to check for loops on a network.
(HEALTH)
LINK-DOWN Packet sent by transit nodes, edge nodes, or assistant edge nodes to
notify the master node that an interface is Down.

RRPP Packet Description

Type
COMMON- Packet sent by the master node to request that transit nodes, edge
FLUSH-FDB nodes, or assistant edge nodes update their MAC address forwarding
entries, ARP entries and ND entries.
COMPLETE- Packet sent by the master node to request that transit nodes, edge
FLUSH-FDB nodes, or assistant edge nodes update their MAC address forwarding
entries, ARP entries and ND entries, and enable transit nodes to
unblock temporarily blocked interfaces to forward data packets.
EDGE-HELLO Packet sent by the edge node on a sub-ring and received by the
assistant edge node on the same sub-ring to check whether the major
ring is complete in the same RRPP domain as the sub-ring.
MAJOR-FAULT Packet sent by the assistant edge node on a sub-ring to notify the edge
node that the major ring in the RRPP domain fails when the assistant
edge node does not receive the Edge-Hello packet from the edge
interface within a specified period.
Figure 18-5 demonstrates the format of an RRPP packet.
Figure 18-5 Format of an RRPP packet

0 7 8 15 16 23 24 31 32 47
Destination MAC address (6 bytes)
Source MAC address (6 bytes)
EtherType PRI VLAN ID Frame Length
DSAP/SSAP CONTROL OUI = 0x00e02b
0x00bb 0x99 0x0b RRPP Length
RRPP_VER RRPP TYPE Domain ID Ring ID
0x0000 SYSTEM_MAC_ADDR (6 bytes)
HELLO_TIMER FAIL_TIMER
0x00 LEVEL HELLO_SEQ 0x0000
RESERVED(0x000000000000)
RESERVED(0x000000000000)
RESERVED(0x000000000000)
RESERVED(0x000000000000)
RESERVED(0x000000000000)
RESERVED(0x000000000000)
The description of each field in an RRPP packet is as follows:

l Destination MAC address: indicates the destination MAC address of the packet. The
field occupies 48 bits.
l Source MAC address: indicates the source MAC address of the packet. The MAC
address is the bridge MAC address. The field occupies 48 bits.
l EtherType: indicates the encapsulation type. The EtherType value is fixed as 0x8100,
which indicates tagged encapsulation. The field occupies 16 bits.
l PRI: indicates the Class of Service (CoS) value. The PRI value is fixed as 0xe. The field
occupies 4 bits.
l VLAN ID: indicates the ID of the VLAN to which the packet belongs. The field
occupies 12 bits.
l Frame Length: indicates the length of the Ethernet frame. The Frame Length value is
fixed as 0x0048. The field occupies 16 bits.
l DSAP/SSAP: indicates the destination or source service access point. The DSAP/SSAP
value is fixed as 0xaaaa. The field occupies 16 bits.
l CONTROL: The field has no significance and occupies 8 bits. The CONTROL value is
fixed as 0x03.
l OUI: The field has no significance and occupies 24 bits. The OUI value is fixed as
0x00e02b.
l RRPP_LENGTH: indicates the length of the RRPP data unit. The RRPP_LENGTH
value is fixed as 0x0040. The field occupies 16 bits.
l RRPP_VER: indicates the RRPP version. The current version is 0x01. The field
occupies 8 bits.
l RRPP TYPE: indicates the type of the RRPP packet. The field occupies 8 bits. The
RRPP packet types and values are described as follows:
– HEALTH = 0x05
– COMPLETE-FLUSH-FDB = 0x06
– COMMON-FLUSH-FDB = 0x07
– LINK-DOWN = 0x08
– EDGE-HELLO = 0x0a
– MAJOR-FAULT = 0x0b
l DOMAIN_ID: indicates the ID of the RRPP domain to which the packet belongs. The
field occupies 16 bits.
l RING_ID: indicates the ID of the RRPP ring to which the packet belongs. The field
occupies 16 bits.
l SYSTEM_MAC_ADDR: indicates the bridge MAC address from which the packet is
sent. The field occupies 48 bits.
l HELLO_TIMER: indicates the timeout period (in seconds) of the Hello timer on the
node that sends the packet. The field occupies 16 bits.
l FAIL_TIMER: indicates the timeout period (in seconds) of the Fail timer on the node
that sends the packet. The field occupies 16 bits.
l LEVEL: indicates the level of the RRPP ring to which the packet belongs. The field
occupies 8 bits.
l HELLO-SEQ: indicates the sequence number of the Hello packet. The field occupies 16
bits.

18.2.3 Implementation of a Single RRPP Ring (When the Ring is

Complete)
Implementation of a Single RRPP Ring

When all the links and nodes on a single ring are Up, the master node is in Complete state.
As demonstrated in Figure 18-6, the master node blocks its secondary interface to prevent
broadcast loops caused by data packets. The blocked secondary interface can only receive
RRPP packets but cannot forward data packets. Hello packets sent by the master node to
monitor the ring status can pass through the secondary interface.
Figure 18-6 RRPP ring implementation
Network
Router1 Router2
Master Node
Block
P S
User
network
primary interface
secondary interface
Data Packet
Hello
Polling Mechanism
The master node uses the polling mechanism to monitor the ring status and perform
operations by sending Hello packets.
Hello timer and Fail timer

The polling mechanism uses the Hello timer and Fail timer.
l The value of the Hello timer specifies the interval at which the master node sends Hello
packets from the primary interface.
l The value of the Fail timer specifies the maximum delay in which the primary interface
sends a Hello packet and the secondary interface receives the Hello packet.
l The value of the Fail timer must be three times or larger the value of the Hello timer.
The master node determines whether to unblock the secondary interface by sending a Hello
packet according to the value of the Hello timer and checking whether the secondary interface
receives the Hello packet within the delay specified by the Fail timer.
Process of the polling mechanism
1. The master node periodically sends a Hello packet from its primary interface based on
the value of the Hello timer.
2. As shown in Figure 18-6, the Hello packet is transmitted along transit nodes on the ring.
The master node typically receives the Hello packet on its secondary interface.
– If the secondary interface on the master node receives the Hello packet before the
Fail timer times out, the master node considers the ring complete.
– If the secondary interface on the master node does not receive the Hello packet after
the Fail timer times out, the master node considers the ring faulty.
18.2.4 Implementation of a Single RRPP Ring (When the Ring is

Faulty)

As demonstrated in Figure 18-7, the link between SwitchA and SwitchB fails. SwitchA and
SwitchB are transit nodes on the ring.

Figure 18-7 RRPP implementation
Network
Router1 Router2
Interface2
SwitchB
Link Failure
SwitchA
Interface1 Master Node
P S
User
network
primary interface
secondary interface
Data Packet
LINK-DOWN
l When SwitchA and SwitchB detect the link failure, they send LinkDown packets to the
master node from Interface1 and Interface2 respectively.
l Upon receiving a LinkDown packet, the master node changes from Complete state to
Failed state and unblocks the secondary interface so that data packets can pass through.
l When the network topology changes, the master node updates the forwarding entries to
ensure correct packet forwarding. In addition, the master node sends a Common-Flush-
FDB packet from the primary interface to request that all transit nodes update the
forwarding entries.
Fault Detection and Processing

Faults on a ring can be detected in the following two ways:
LinkDown notification mechanism
Nodes on an RRPP ring monitor the link status of their interfaces. If a fault occurs on a link,
the status of the interface directly connected to the link changes to Down. Upon detecting the
Down state, the node immediately takes the following measures:
l If the primary interface on the master node is Down, the master node detects the link
fault and immediately unblocks the secondary interface. In addition, the master node

sends a Common-Flush-FDB packet from the secondary interface to request that all the
transit nodes on the ring update their MAC address forwarding entries and ARP entries.
l If the interface on a transit node is Down, the node sends a LinkDown packet from its
interface in Up state to the master node. When receiving the LinkDown packet, the
master node changes to Failed state and unblocks its secondary interface. When the
network topology changes, the master node must update its MAC address forwarding
entries and ARP entries to prevent incorrect packet forwarding. In addition, the master
node sends a Common-Flush-FDB packet from its primary and secondary interfaces to
request that all transit nodes update their MAC address forwarding entries and ARP
entries.
Polling mechanism
If the LinkDown packet is lost during transmission, the polling mechanism is used on the
master node.
The master node periodically sends Hello packets from its primary interface. The packets are
then transmitted through all transit nodes on the ring. If the secondary interface on the master
node does not receive the Hello packet from the primary interface in the specified period, the
master node considers the ring faulty. The fault is processed in the same way as a fault
actively reported by a transit node. The master node changes to Failed state and unblocks the
secondary interface. In addition, the master node sends a Common-Flush-FDB packet from its
primary and secondary interfaces to request that all transit nodes update their MAC address
forwarding entries and ARP entries.
The LinkDown notification mechanism processes faults more quickly than the polling
mechanism so that RRPP can implement fast link switchover and convergence.
18.2.5 Implementation of a Single RRPP Ring (When the Fault is

Recovered)

Figure 18-8 demonstrates that:
1. When the faulty interface on a transit node is recovered, the transit node changes to
Preforwarding state and blocks the recovered interface.
2. After all the failed links on the ring are recovered, the secondary interface on the master
node receives the Hello packets sent from the primary interface.
3. When receiving the Hello packets, the master node changes to Complete state and blocks
the secondary interface.
4. The master node sends a Complete-Flush-FDB packet from the primary interface to
request that all transit nodes update the forwarding entries.
5. When receiving the Complete-Flush-FDB packet, the transit node changes to LinkUp
state, unblocks the temporarily blocked interface, and updates the forwarding entries.

Figure 18-8 RRPP implementation
Network
Router1 Router2
Master Node
Block
P S
User
network
primary interface
secondary interface
Data Packet
COMPLETE-FLUSH-FDB
Fault Recovery Detection and Processing

When the interface on a transit node changes to Up, the master node does not immediately
detect the change and the secondary interface remains unblocked. If the transit node
immediately switches back to LinkUp state, a temporary loop caused by data packets occurs
on the ring. As a result, when the primary and secondary interfaces on the transit node
recover, the transit node immediately blocks the recovered interfaces and enters
Preforwarding state. However, the ring does not recover because ring recovery is initiated by
the master node. When all links on the ring are Up and the secondary interface on the master
node can receive the Hello packets sent by the primary interface on the master node, the
master node enters Complete state.
When the network topology changes, the master node must update the MAC address
forwarding entries and ARP entries. The master node must also send a Common-Flush-FDB
packet from the primary interface to request that all transit nodes update their MAC address
forwarding entries and ARP entries. Upon receiving the Complete-Flush-FDB packet from
the master node, the transit nodes in Preforwarding state enter LinkUp state.
If the Complete-Flush-FDB packet is lost during transmission, a backup mechanism is used to
unblock the temporarily blocked interfaces on transit nodes. If a transit node is in
Preforwarding state, the transit node unblocks the temporarily blocked interfaces when

receiving no Complete-Flush-FDB packet from the master node in the period specified by the
Fail timer. The transit node then updates its MAC address forwarding entries and ARP entries
to recover data communication.
LinkUp Timer
After the link recovers, traffic transmission paths are switched frequently if the link status
changes frequently on a ring. As a result, loop flapping occurs and system performance
deteriorates. To address this problem, a LinkUp timer is used to set the period after which the
master node changes to Complete state. This prevents transmission paths from changing
frequently and reduces loop flapping impact on system performance.
If a LinkUp timer is configured, the master node does not immediately enter Complete state
when its secondary interface receives a Hello message. Instead, the master node triggers the
LinkUp timer and performs the following operations:
l Before the LinkUp timer expires, the master node does not process the Hello message
received from the secondary interface and the RRPP ring topology remains unchanged.
If the link status changes (for example, the master node receives a LinkDown packet or
the link goes Down) the timer is closed.
l After the LinkUp timer expires, the master node processes the Hello message. The
master node blocks its secondary interface and requests all transit nodes to update their
forwarding entries. The RRPP ring is re-converged.

Figure 18-9 LinkUp timer implementation
Network
Router1 Router2
SwitchD
Link Failure
Master Node
SwitchC
Block
P S
User
network
primary interface
secondary interface
Data Flow1
Data Flow2
As demonstrated in Figure 18-9, traffic between SwitchC and SwitchD is forwarded along
data flow 1 when the ring fails. After the fault is rectified, the RRPP ring recalculates the
topology. Traffic between SwitchC and SwitchD is switched to data flow 2.
l When no LinkUp timer is configured, if the recovered link is unstable and fails again, the
RRPP ring recalculates the topology. Traffic between SwitchC and SwitchD is switched
to data flow 1. This may cause frequent changes of traffic transmission paths. As a result,
traffic is lost and system performance deteriorates.
l When a LinkUp timer is configured, traffic is not switched immediately when the fault is
rectified. If the recovered link fails again, traffic between SwitchC and SwitchD is still
transmitted along data flow 1.
18.2.6 Implementation of Multiple Rings

A multi-ring RRPP network works in almost the same way as a single-ring RRPP network.
On a multiple-ring network:
l When receiving Common-Flush-FDB or Complete-Flush-FDB packets from a sub-ring,
a node on the major ring relearns the entries and updates its forwarding entries. Data
flows re-select the path.

l A transit node on the major ring unblocks the temporarily blocked interface only when
receiving a Complete-Flush-FDB packet sent from the major ring instead of the sub-ring.
l The path status detection mechanism for sub-ring protocol packets on the major ring is
used in the case of multiple rings. For details, see Path Status Detection Mechanism
for Sub-Ring Protocol Packets on the Major Ring.
l Ring groups are used to improve system performance. For details, see Ring Group.
Path Status Detection Mechanism for Sub-Ring Protocol Packets on the Major
Ring
This mechanism applies to networks where multiple sub-rings are intersecting with the master
ring to prevent loops among sub-rings after secondary interfaces are unblocked by master
nodes on sub-rings.
As shown in Figure 18-10, when the common link between the major ring and sub-ring is
faulty and at least one non-common link is faulty, the master node on each sub-ring unblocks
its secondary interface (S in the preceding figure) because the secondary interface does not
receive Hello packets. In this case, broadcast loops (blue dashed lines in the preceding figure)
may occur between sub-rings. To prevent loops, the network deploys the path status detection
mechanism for sub-ring protocol packets on the major ring. After this mechanism is
configured, the edge node and assistant edge node detect the path status. When the edge node
detects that the path is interrupted, the edge interfaces on the two sub-rings are blocked before
the master nodes on the two sub-rings unblock their secondary interfaces. This prevents loops
between sub-rings. The edge interfaces on the edge nodes of sub-ring 1 and sub-ring 2 are
blocked, preventing loops.

Figure 18-10 Loop formation between sub-rings
Network
Router1 Router2
Master Transit
Major Ring
Edge
Assistant-Edge
Block Block
Sub-Ring1 Sub-Ring2
P P
Sub S Sub
S
Master 1 Master2
PC1 PC2
Block MAJOR_FAULT packets
P Primary Interface EDGE-HELLO packets
S Secondary Interface Possible ring if the Edge interfaces are not blocked
The path status detection mechanism for sub-ring protocol packets on the major ring prevents
loops in the following procedures:
1. The edge node checks the path status of sub-ring protocol packets on the major ring.
The edge node on a sub-ring periodically sends Edge-Hello packets to the major ring
through two RRPP interfaces on the major ring. Edge-Hello packets are transmitted
through all transit nodes on the ring. The assistant edge node does not forward the
received Edge-Hello packets.
As shown in Figure 18-11, the edge node sends Edge-Hello packets to the major ring
through Interface1 and Interface2, which are also located on the major ring.

Figure 18-11 Edge node sending Edge-Hello packets
Network
Router1 Router2
P
Master
S Block
Major Ring
Interface1
Edge
Assistant
Interface2
Sub Ring
Block
S P
Master
EDGE-HELLO
Data Packet
Block
PC
P Primary Interface
S Secondary Interface
If the assistant edge node receives the Edge-Hello packets within the specified period,
the protocol packet path is normal; if the assistant edge node receives no Edge-Hello
packets within the specified period, the path is faulty.
2. The path is disconnected and the edge node blocks the edge interfaces.
Upon detecting that the sub-ring protocol packet path is disconnected, the assistant edge
node immediately sends a Major-Fault packet to the edge node. After receiving the
Major-Fault packet, the edge node blocks its edge interfaces.
As shown in Figure 18-12, the assistant node sends a Major-Fault packet to the edge
node from Interface3.

Figure 18-12 Blocking edge interfaces
Network
Router1 Router2
P
Master
S
Major Ring
Edge
Assistant
Interface3 Block
Sub Ring
S P
Block Master
MAJOR-FAULT
Data Packet
Block
PC
P Primary Interface
3. The master node on the sub-ring unblocks the secondary interface after the Fail timer
expires.
After the edge node blocks its edge interfaces, the path for sub-ring protocol packets is
disconnected because of the failure on the major ring. As a result, the master node on the
sub-ring cannot receive the Hello packet sent by the master node within the specified
period. The master node changes to Failed state and unblocks the secondary interface.
As Figure 18-13 demonstrates, the edge node blocks its edge interfaces. The master
node on the sub-ring unblocks the secondary interface that is blocked in Figure 18-12.

Figure 18-13 Sub-ring disconnected due to the blocked path on the major ring
Network
Router1 Router2
P
Master
S
Major Ring
Edge
Assistant
Interface3 Block
Sub Ring
S P
Master
Data Packet
Block
PC
P Primary Interface
4. The sub-ring protocol packet path recovers.
As Figure 18-14 demonstrates, after the link on the major ring recovers, the
communication between the edge node and assistant edge node recovers, and the path for
the sub-ring protocol packets is recovered. The secondary interface on the sub-ring can
receive the Hello packets sent from the master node. The master node then changes to
Complete state and blocks the secondary interface.

Figure 18-14 Recovery of the sub-ring protocol packet path
Network
Router1 Router2
P
Master
S
Major Ring
Edge
Assistant
Interface3 Block
Sub Ring
S P
Block Master
Hello
Data Packet
Block
PC
P Primary Interface
As Figure 18-15 demonstrates, the master node on the sub-ring sends a Complete-Flush-
FDB packet. Upon receiving the packet, the edge node unblocks the edge interfaces.

Figure 18-15 Unblocking the edge interfaces on the edge node of the sub-ring
Network
Router1 Router2
P
Master
S
Major Ring
Edge
Assistant
Interface3
Sub Ring
S P
Block Master
Hello
Data Packet
Block
PC
P Primary Interface
Ring Group
In RRPP multi-instance, sub-rings are grouped to reduce the number of received and sent
Edge-Hello packets and to improve system performance.
In the path status detection mechanism for sub-ring protocol packets on the major ring, the
edge node on a sub-ring periodically sends Edge-Hello packets to the two RRPP interfaces on
the major ring to detect the completeness of the path for sub-ring protocol packets.
As Figure 18-16 demonstrates, the edge nodes on multiple sub-rings (sub-ring 2 and sub-ring
3 in domain 1; sub-ring 2 and sub-ring 3 in domain 2) are the same device, and the assistant
edge nodes on the sub-rings are the same device. In addition, edge nodes and assistant edge
nodes connect to the major ring in the same link. The Edge-Hello packets from edge nodes on
the sub-rings arrive at assistant edge nodes along the same path. In this case, the sub-rings
with the same edge nodes and assistant edge nodes can be added into a ring group. A sub-ring
in the ring group is selected to send Edge-Hello packets to detect the path for sub-ring

protocol packets on the major ring. This reduces the number of received and sent Edge-Hello
packets and improves system performance.
Figure 18-16 Ring group in RRPP multi-instance
Network
Router1 Router2
SwitchC SwitchD
Domain 1 Major ring 1
Domain 2 Major ring 1
Edge
Assistant SwitchB
SwitchA
Domain 1 sub ring 2 Domain 1 sub ring 3

Domain 2 sub ring 2
Domain 2 sub ring 3
SwitchE SwitchF
Master Master
PC1 PC2
domain 1
domain 2
A sub-ring in the ring group is selected to send the Edge-Hello packet in the following
procedure:
1. The sub-rings with the smallest domain ID are selected from all the activated rings in the
ring group on the edge node. In Figure 18-16, the sub-rings with the smallest domain ID
are Ring 2 in Domain 1 and Ring 3 in Domain 1.
2. The smallest ring ID is selected from the rings with the smallest domain ID. The edge
node on the ring with the smallest ring ID then sends Edge-Hello packets. In Figure
18-16, the sub-ring with the smallest ring ID is Ring 2 in Domain 1. Therefore, the edge
node on Ring 2 in Domain 1 sends Edge-Hello packets in the ring group formed by Ring
2 in Domain 1, Ring 3 in Domain 1, Ring 2 in Domain 2, and Ring 3 in Domain 2.

3. When any sub-ring receives an Edge-Hello packet on all the activated rings in the ring
group where assistant edge nodes reside, the sub-ring notifies other sub-rings of the
packet.
18.2.7 RRPP Multi-Instance

On a common RRPP network, a physical ring contains only one RRPP domain.
As Figure 18-17 illustrates, when the RRPP ring is in Complete state, the master node blocks
the secondary interface, which prevents all service packets from passing through. All service
packets are transmitted on the RRPP ring along one path. As a result, the link on the
secondary interface side of the master node becomes idle, wasting bandwidth. The link
between SwitchA and SwitchC is idle and does not forward data.
Figure 18-17 RRPP networking diagram

SwitchC
S( Block)
Master
SwitchA P
VLAN100-200
SwitchE
RRPP ring Backbone
network
VLAN201-400
SwitchB
Block
SwitchD P Primary interface

S Secondary interface
VLAN 100 - 200
VLAN 201 - 400
The device supports multiple RRPP domains on one physical ring. The RRPP protocol in a
domain takes effect for data from its protected VLANs in the domain. Therefore, you can
configure different protected VLANs for each domain. When the master node in a domain
blocks its secondary interface, data from protected VLANs in different domains is transmitted
through different paths. This implements link backup and traffic load balancing.
NOTE
In RRPP implementation, you must configure protected VLANs. The RRPP protocol takes effect for
data only from protected VLANs. The control VLANs and data VLANs are typically configured as
protected VLANs. Loops may occur if data does not belong to the protected VLANs.
As illustrated in Figure 18-18, two domains exist on the RRPP multi-instance ring that
consists of SwitchA, SwitchB, SwitchC, SwitchD, and SwitchE. SwitchC is the master node
in Domain 2 and SwitchD is the master node in Domain 1.

l Instance1 is created in Domain 1, and data in VLANs 100 to 200 is mapped to Instance1
and transmitted along the path SwitchA -> SwitchC -> SwitchE. Master2 (SwitchC)
serves as the master node in Domain 2. The secondary interface on Master2 is blocked.
Only data in VLANs 201 to 400 is blocked and data in VLANs 100 to 200 can pass
through.
l Instance2 is created in Domain 2, and data in VLANs 201 to 400 is mapped to Instance2
and transmitted along the path SwitchB -> SwitchD -> SwitchE. Master1 (SwitchD)
serves as the master node in Domain 1. The secondary interface on Master1 is blocked.
Only data in VLANs 100 to 200 is blocked and data in VLANs 201 to 400 can pass
through.
Figure 18-18 RRPP multi-instance

SwitchC
S(Block) Master2
SwitchA P
Instance1:
VLAN 100 - 200
SwitchE
RRPP ring Backbone
network
Instance2:
VLAN 201 - 400
SwitchB P
S(Block) Master1
SwitchD
Block
P Primary interface
Instance1:VLAN100-200
When a node or link is faulty, each RRPP domain independently calculates the topology and
updates forwarding entries on each node.
In Figure 18-19, a fault occurs on the link between SwitchD and SwitchE. This fault does not
affect the transmission path for the packets in VLANs 100 to 200 in Domain 1, but the
transmission path is blocked for the packets in VLANs 201 to 400 in Domain 2.
The master node SwitchC in Domain 2 cannot receive Hello packets on the secondary
interface. As a result, SwitchC unblocks the secondary interface and requests nodes in
Domain 2 to update their forwarding entries. After the topology in Domain 2 re-converges,
the transmission path of the packets in VLANs 201 to 400 changes to SwitchB ->SwitchA -
>SwitchC->SwitchE.

Figure 18-19 RRPP multi-instance (when the link is faulty)

SwitchC
S(Unblock) Master2
SwitchA P
Instance1:
VLAN 100 - 200
SwitchE Backbone
RRPP ring network
Instance2:
VLAN 201 - 400
SwitchB
P
S(Block) Master1
SwitchD Block
P Primary interface
After the link between SwitchD and SwitchE recovers, SwitchC receives Hello packets on the
secondary interface. As a result, SwitchC blocks the secondary interface and requests nodes in
Domain 2 to update their forwarding entries. After the topology in Domain 2 re-converges,
the packets in VLANs 201 to 400 are switched back to the original path SwitchB ->SwitchD -
>SwitchE.
18.3 Application Scenarios
18.3.1 Application of a Single Ring

To provide link backup and improve network reliability, you can construct a ring on the
network. In Figure 18-20, Transit 1, Transit 2, Transit 3, and Master constitute a single RRPP
ring. Data traffic is transmitted along the path Transit 1 -> Transit 2 -> Master.

Figure 18-20 Networking diagram of a single ring

RRPP Domain
Transit 2
CE
Master
P
Core Net
CE Transit 1 S
BLOCK MSE/NPE
Data Flow
CE：Customer Edge
MSE：Multi Service Edge
Transit 3 NPE：Network Provider Edge
If RRPP detects a fault on the link between Transit 1 and Transit 2, Master unblocks its
secondary interface and immediately requests that other nodes on the ring update their MAC
address entries and ARP entries. Traffic on the RRPP ring is then switched to the path Transit
1 -> Transit 3 -> Master.
18.3.2 Application of Tangent RRPP Rings

The metro Ethernet typically uses two-layer rings:
l One layer is the aggregation layer between aggregation devices PE-AGGs (RRPP
Domain 1 in Figure 18-21, for example).
l The other layer is the access layer between PE-AGGs and UPEs (RRPP Domain 2 and
RRPP Domain 3 in Figure 18-21, for example).
As Figure 18-21 illustrates, tangent RRPP rings are applicable to this networking. The
aggregation layer and access layer are RRPP rings and the two rings are tangent.

Figure 18-21 Tangent RRPP rings
Master
UPE
UPE PE-AGG
RRPP Transit 1
Domain2
Master
PE-AGG
UPE RRPP P IP/MPLS
Domain1 Core
UPE S
UPE Block NPE
RRPP Transit 2
Domain3
PE-AGG
PE-AGG：PE-Aggregation
NPE：Network Provider Edge
Master UPE：Underlayer Provider Edge
UPE
Two tangent rings cannot belong to the same RRPP domain. The tangent point on the tangent
rings is on both rings. The master node on a ring can be the node at the tangent point.
On multiple tangent RRPP rings, the failure of a ring in a domain does not affect other
domains. The convergence process of RRPP rings in the domain is the same as that of a single
ring.
18.3.3 Application of Intersecting RRPP Rings

The metro Ethernet typically uses two-layer rings:
l One layer is the aggregation layer between aggregation devices PE-AGGs.
l The other layer is the access layer between PE-AGGs and UPEs
As Figure 18-22 illustrates, intersecting RRPP rings are applicable to this networking. The
aggregation layer is the RRPP major ring and the access layer is the RRPP sub-ring.

Figure 18-22 Intersecting RRPP rings

RRPP Domain
UPE
PE-AGG
Edge Master
Sub PE-AGG
Ring 1
Master
Major P Core Net
Ring S
UPE Sub Block NPE
LANSwitch Ring 2
Assistant
PE-AGG PE-AGG：PE-Aggregation
Master NPE：Network Provider Edge
UPE：Underlayer Provider Edge
CE
The RRPP major ring on the aggregation layer and the RRPP sub-rings belong to the same
RRPP domain.
The major ring and sub-rings have two intersecting points. A node cannot exist on the
intersecting segments. These two nodes can be configured only as transit nodes on the major
ring. On a sub-ring, when one node is the edge node, the other is configured as the assistant
edge node.
18.3.4 Application of the RRPP and STP Network

RRPP cannot be configured with STP/RSTP/MSTP on the same interface at the same time,
but you can configure RRPP and STP on different interfaces of a device.
Figure 18-23 RRPP and STP network

STP Network

NPE：Network Provider Edge
PE-AGG：PE-Aggregation
UPE5 PE-AGG NPE NPE

UPE4
Master
UPE1
RRPP Ring
UPE3
PE-AGG NPE
UPE2
In Figure 18-23, RRPP is applied to an Ethernet network enabled with STP/RSTP/MSTP in

tangent mode. You can enable RRPP and STP/RSTP/MSTP on different interfaces of the

intersecting device (UPE1) so that the RRPP network and the STP/RSTP/MSTP network are
used together.
18.3.5 Application of Intersecting RRPP Rings of Multi-Instance

in MAN
As Figure 18-24 illustrates, Customer Edges (CEs) are dual-homed to Underlayer Provider
Edges (UPEs) and two RRPP rings are formed.
Figure 18-24 Intersecting RRPP rings of multi-instance in a MAN (CEs supporting RRPP
multi-instance)
CE
Master Domain 1 ring 2 Domain 1 ring 1
UPE
Edge UPE
Domain 2
ring 2
PE-AGG
Backbone
network
ring 3 Master
Domain 2
Assistant
UPE
Master UPE
Block
CE Domain 1 ring 3 Instance1: VLAN 101-200
Domain 2 ring 1
Instance2: VLAN 1-100
domain 1
domain 2
UPE: Underlayer Provider Edge NPE: Network Provider Edge
PE-AGG: PE-Aggregation -
Four UPEs and one PE-AGG construct a ring and RRPP multi-instance is configured on the
ring. Traffic on the RRPP ring flows into the backbone network through the PE-AGG.
Two RRPP rings are configured on the four UPEs and the PE-AGG: Ring 1 in Domain 1 and
Ring 1 in Domain 2. Domain 1 processes data in VLANs 101 to 200 and Domain 2 processes
data in VLANs 1 to 100.
Four RRPP rings are configured on the two CEs and two UPEs: Ring 2 in Domain 1, Ring 2
in Domain 2, Ring 3 in Domain 1, and Ring 3 in Domain 2.
Various services are sent to sub-rings. RRPP rings provide master/slave protection and load
balancing for the Layer 2 services in VLANs 1 to 200. When all the nodes and links on the
rings are normal, traffic sent to sub-rings is transmitted along different paths according to the
service VLAN, implementing load balancing.
As Figure 18-25 illustrates, CEs may not support RRPP multi-instance. The major ring
constructed by four UPEs and one PE-AGG belongs to multiple domains; however, the sub-

rings constructed by CEs and UPEs belong to only one domain. Load balancing is not
implemented on the sub-ring, and data in all VLANs is transmitted along the same path on the
sub-ring. After entering the major ring, the traffic sent to sub-rings is transmitted along
different paths according to the service VLAN, implementing load balancing.
Figure 18-25 Intersecting RRPP rings of multi-instance in a MAN (CEs not supporting multi-
instance)
CE
Master Domain 1 ring 1
UPE
Edge UPE
Domain 1
ring 2
PE-AGG
Backbone
network
Master
Domain 1
ring 3
Assistant
UPE
Master UPE
Block
CE Instance1: VLAN 101-200
Domain 2 ring 1
domain 1
domain 2
18.3.6 Application of Tangent RRPP Rings of Multi-Instance in

MAN
In Figure 18-26, two RRPP rings (Ring 1 in Domain 1 and Ring 1 in Domain 2) are
configured on the five UPEs on the CE (left) side. One RRPP ring (Ring 1 in Domain 3) is
configured on the four UPEs on the right side.

Figure 18-26 Tangent RRPP rings of multi-instance in a MAN

Domain 1 ring 1
UPE
CE UPE UPE
UPE
Master Domain 3 ring 1

Master
UPE
CE UPE UPE
Domain 2 ring 1 UPE

Block
domain 1
domain 2
domain 3
Domain 1 processes data in VLANs 101 to 200, Domain 2 processes data in VLANs 1 to 100,
and Domain 3 processes data in VLANs 1 to 200.
The RRPP ring on the left side implements master/slave protection and load balancing for the
Layer 2 services in VLANs 1 to 200. When all the nodes and links on the RRPP rings are
normal, traffic sent to rings from CEs is transmitted along different paths according to the
service VLAN, implementing traffic load balancing.
Traffic in VLANs 1 to 200 flows from the tangent node into the RRPP ring on the right side.
18.3.7 Application of Multiple Instances Single-homed to an

RRPP Aggregation Ring
As Figure 18-27 illustrates, CEs access an RRPP ring through UPEs, and then access the
backbone network through the PE-AGG.

Figure 18-27 Multiple instances single-homed to an RRPP aggregation ring

CE
UPE
in S
s ta
nc P
e1
UPE
Master 2
2
a nce
inst Backbone
network
CE PE-AGG
Master 1 Block
UPE P Primary interface
P S Secondary interface
S UPE Domain 1
Domain 2
Four UPEs and one PE-AGG construct a ring in two domains: Ring 1 in Domain 1 and Ring 1
in Domain 2. Domain 1 processes data in VLANs 101 to 200 and Domain 2 processes data in
VLANs 1 to 100.
Domain 1 maps Instance 1 and Domain 2 maps Instance 2. Services in VLANs 1 to 200 are
sent from CEs.
Service VLANs processed in the two RRPP domains do not overlap and all service VLANs
are processed. Traffic in Domain 1 and Domain 2 is load balanced on the RRPP ring.
18.3.8 Application of the RRPP Multi-instance Ring and

SmartLink Network
As Figure 18-28 illustrates, CEs are dual-homed to UPEs through SmartLink technology.

Figure 18-28 RRPP multi-instance ring and SmartLink network

Domain 1 ring 1
UPE UPE
PE-AGG
CE
Backbone
network
Master
UPE UPE
Block
Domain 2 ring 1
domain 1
domain 2
Four UPEs and one PE-AGG construct a ring. After RRPP multi-instance on the ring is
enabled, traffic flows into the backbone network through the PE-AGG.
Nodes on the RRPP ring and the PE-AGG must support SmartLink.
18.3.9 Application of RRPP Snooping

RRPP snooping notifies the VPLS network of changes in the RRPP ring. After RRPP
snooping is enabled on sub-interfaces or VLANIF interfaces, the VPLS network can
transparently transmit RRPP packets, detect changes in the RRPP ring, and upgrade
forwarding entries, ensuring that traffic can be rapidly switched to a non-blocking path.
As Figure 18-29 illustrates, UPEs are connected as an RRPP ring to the VPLS network where
NPEs reside. NPEs are connected through a PW, and therefore cannot serve as RRPP nodes to
directly respond to RRPP packets. As a result, the VPLS network cannot sense the status
change of the RRPP ring. When the RRPP ring topology changes, each node on the VPLS
network forwards downstream data according to the MAC address table generated before the
RRPP ring topology changes. As a result, the downstream traffic cannot be forwarded.

Figure 18-29 RRPP and VPLS network

NPEB
NPEA VPLS NPEC
GE1/0/0.100 GE2/0/0.100
NPED
GE RRPP ring
Control VLAN:100
P User VLAN:10~20
UPEA UPEB
S
data packet
hello packet
P primary interface
S secondary interface
RRPP snooping is enabled on the sub-interface or VLANIF interface of NPED and associated
with other VSIs on the local device. When the RRPP ring is faulty, NPED on the VPLS
network clears the forwarding entries of the VSIs (including the associated VSIs) on the local
node and the forwarding entries of the remote NPEB to re-learn forwarding entries. This
ensures that traffic can be switched to a normal path and downstream traffic can be properly
forwarded.
As Figure 18-30 demonstrates, when the link between NPED and UPEA is faulty, and the
master node UPEA sends a Common-Flush-FDB packet to request that the transit nodes on
the RRPP ring clear their MAC address tables.

Figure 18-30 RRPP and VPLS network (when the RRPP ring is faulty)
NPEB
VPLS NPEC
NPEA
GE1/0/0.100 GE2/0/0.100
NPED
GE RRPP ring
Control VLAN:100
P User VLAN:10~20
UPEA UPEB
S
data packet
COMMON-FLUSH-FDB
P primary interface
The original MAC address table is not cleared because NPED cannot process the Common-
Flush-FDB packet. If downstream service packets are still sent to UPEA, NPED sends the
packets to UPEA along the original path. This interrupts the downstream traffic between
NPED and NPEA. After UPEB clears the MAC address table, the upstream service packets
sent by UPEA are regarded as unknown unicast packets and are forwarded to the VPLS
network along the path UPEA -> UPEB -> NPED. After re-learning the MAC address, NPED
can forward the downstream traffic destined to UPEA.
When the fault on the RRPP ring is recovered, the master node UPEA sends a Complete-
Flush-FDB packet to request that the transit nodes clear their MAC address tables. The
downstream traffic between NPED and UPEA is interrupted because NPED cannot process
the Complete-Flush-FDB packet.
Figure 18-31 demonstrates that after RRPP snooping is enabled on sub-interfaces
GE1/0/0.100 and GE2/0/0.100 of NPED, NPED can process the Common-Flush-FDB and
Complete-Flush-FDB packets.

Figure 18-31 RRPP and VPLS network (when RRPP snooping is enabled)
NPEB
NPEA VPLS NPEC
GE1/0/0.100 GE2/0/0.100
RRPP snooping RRPP snooping
NPED
GE RRPP ring
Control VLAN:100
P User VLAN:10~20
UPEA UPEB
S
data packet
COMMON-FLUSH-FDB
P primary interface
When the RRPP ring topology changes and NPED receives the Common-Flush-FDB or
Complete-Flush-FDB packet from the master node UPEA, NPED clears the MAC address
table of the VSI associated with sub-interfaces GE1/0/0.100 and GE2/0/0.100. NPED then
requests that other NPEs in this VSI clear their MAC address tables.
If the downstream data packets are still sent to UPEA, the packets are regarded as unknown
unicast packets and are broadcast in the VLAN and sent to UPEA along the path UPED ->
UPEB -> NPEA because NPED cannot find mapping MAC address entries. This ensures
downstream traffic continuity.

You can deploy RRPP only after basic functions of RRPP are configured. If RRPP is
deployed with VPLS, you need to configure RRPP snooping. Table 18-3 describes the RRPP
configuration tasks.

Table 18-3 RRPP configuration task summary

Configure RRPP RRPP prevents loops when 18.7.1 Configuring RRPP

the ring is complete. RRPP
can rapidly restore
communication on the ring
network when the ring
network is faulty. There are
three networking modes:
single ring, intersectant ring,
and tangent ring.
Configure RRPP snooping RRPP snooping notifies the 18.7.2 Configuring RRPP
VPLS network of changes in Snooping
an RRPP ring. After RRPP
snooping is enabled on sub-
interfaces or VLANIF
interfaces, the VPLS
network can transparently
transmit RRPP packets,
detect changes in the RRPP
ring, and update forwarding
entries, ensuring that traffic
can be rapidly switched to a
non-blocking path.

License Support
RRPP is a basic feature of a switch and is not under license control.
RRPP snooping can be only used on the device enabled with MPLS. MPLS requires a license.
By default, MPLS of a newly purchased device is disabled. To use MPLS, apply for and
purchase the license from the equipment supplier.

Version Support
Table 18-4 Products and versions supporting RRPP

Model
S7700 S7703, V100R003C01, V100R006C00, V200R001(C00&C01),

S7706, V200R002C00, V200R003C00, V200R005C00,
S7712 V200R006C00, V200R007C00, V200R008C00,
V200R009C00, V200R010C00
S9700 S9703, V200R001(C00&C01), V200R002C00, V200R003C00,

S9706, V200R005C00, V200R006C00, V200R007C00,
S9712 V200R008C00, V200R009C00, V200R010C00
NOTE

l SA series cards do not support RRPP snooping.
l Switch XGE interfaces connected to the ET1D2IPS0S00, ET1D2FW00S00,
ET1D2FW00S01, ET1D2FW00S02, and ACU2 cards do not support RRPP snooping.
l After VLAN stacking is configured on an interface of an SA series card, the interface
cannot be configured in an RRPP ring.
l When you configure the list of protected VLANs, note the following points:
– Protected VLANs must be configured before you configure an RRPP ring.
– You can delete or change existing protected VLANs before configuring an RRPP
ring. The protected VLANs cannot be changed after the RRPP ring is configured.
– In the same physical topology, the control VLAN in a domain cannot be configured
as a protected VLAN in another domain.
– The control VLAN must be included in the protected VLANs; otherwise, the RRPP
ring cannot be configured.
– The control VLAN can be mapped to other instances before the RRPP ring is
created. After the RRPP ring is created, the mapping cannot be changed unless you
delete the RRPP ring.
– When the mapping between instances and VLANs changes, the protected VLANs
in the RRPP domain also change.
– All the VLANs allowed by an RRPP interface must be configured as protected
VLANs.

Table 18-5 lists the detailed RRPP default configuration.

Table 18-5 RRPP default configuration

Parameter Default Value
RRPP domain Not created
RRPP ring Not created
RRPP protocol Disabled
RRPP snooping Disabled
RRPP working mode HW mode
LinkUp delay timer 0 seconds
Hello timer 1 second
Fail timer 6 seconds
18.7 Configuring RRPP
18.7.1 Configuring RRPP

RRPP prevents loops when a ring is complete and implements fast convergence to rapidly
restore communication between nodes on the ring when the ring fails.
18.7.1.1 Configuring Interfaces on an RRPP Ring
Context
Data in different VLANs is transmitted on the RRPP ring, including data VLANs and control
VLANs. You need to configure an interface to allow data from these VLANs to pass through,
ensuring data transmission on the ring.
RRPP cannot be configured on an interface configured with Smart Link, Loopback Detection
(LDT), MUX VLAN, or MSTP. Before configuring RRPP, ensure that the interface is not
configured with protocols that conflict with RRPP.
Procedure
Step 1 Run:
system-view
Step 2 Run:

Step 3 Run:
The link type of the an interface is configured as hybrid.

Step 4 Run:
port hybrid tagged vlan { { vlan-id1 [ to vlan-id2 ] }&<1-10> | all }
The VLAN allowed by an RRPP-enabled interface is specified.

An RRPP-enabled interface needs to allow packets of control VLANs and data VLANs to
pass through, so the interface must be configured as a trunk or hybrid interface.
After the control-vlan command is use in the RRPP domain view to configure a control
VLAN and the ring node-mode command is configured, the interfaces in the RRPP ring
allow packets of the control VLAN to pass through. Therefore, you need to specify only the
IDs of data VLANs in this step.
NOTE
If RRPP snooping is enabled on the VLANIF interface of a VLAN, RRPP-enabled interfaces cannot be
added to the VLAN.
Step 5 Run:
stp disable
STP is disabled on the RRPP interface.

RRPP and STP cannot be configured on an interface simultaneously. By default, STP is
enabled on all the interfaces on the device. Therefore, before creating an RRPP ring, disable
STP on the interfaces that need to be added to the RRPP ring.
----End
18.7.1.2 Creating an RRPP Domain and the Control VLAN
Context
A group of interconnected switches configured with the same domain ID and control VLAN
constitute an RRPP domain. Different RRPP domains must be configured with different
domain IDs and control VLANs.
An RRPP domain has two control VLANs, that is, the major control VLAN and sub-control
VLAN. Protocol packets on the major ring are transmitted in the major control VLAN, and
RRPP packets on the sub-rings are transmitted in the sub-control VLAN.
Procedure
Step 1 On each switch in an RRPP domain, run:
system-view

Step 2 Run:
rrpp domain domain-id
An RRPP domain is created and the RRPP domain view is displayed.

A maximum of 64 domains can be created on the device.

When creating an RRPP domain, specify the domain ID. If the domain to be configured
exists, the domain view is displayed.
description text
A description is configured for the RRPP domain.

By default, no description is configured for an RRPP domain.
After RRPP is configured on a device, you can run the description command to configure the
description of the RRPP domain, including the RPPP domain ID, to facilitate maintenance.
Step 4 Run:
A control VLAN is created.

An RRPP domain has two control VLANs, that is, the major control VLAN and sub-control
VLAN. You need to specify only the major control VLAN. The VLAN whose ID is one
greater than the ID of the major control VLAN becomes the sub-control VLAN.
The control VLAN specified by vlan-id and the sub-control VLAN specified by vlan-id plus
one must be VLANs that have not been created or used.
After configuring a control VLAN for an RRPP domain, you cannot directly change the
control VLAN. To change the control VLAN, you need to delete the domain and then
configure a new control VLAN. You can also run the undo control-vlan command to delete
the control VLAN and then configure a new control VLAN. The sub-control VLAN is deleted
when the RRPP domain is deleted.
NOTE
DHCP services cannot be configured for control VLANs.

Do not run the mac-limit command in the control VLAN view to configure a MAC address limiting
rule.
VLAN 1 is the default VLAN and cannot be configured as the control VLAN.
----End
18.7.1.3 Creating an Instance
Context
You can map data in VLANs to an instance and configure the instance to the protected VLAN
so that the device can control data in VLANs based on RRPP.
Procedure
Step 1 Run:
system-view

Step 2 Run:

Step 3 Run:
instance instance-id vlan { vlan-id1 [ to vlan-id2 ] }&<1-10>
The mapping between the instance and VLAN is configured.
instance-id in this command must be the same as instance-id used by the protected-instance
command.
NOTE
The control VLANs of the major ring and the sub-rings must be contained in the VLAN list.
To configure the mapping between the instance and MUX VLAN, you are advised to configure the
principal VLAN, and subordinate group VLANs and subordinate separate VLANs of the MUX VLAN
in the same instance. Otherwise, loops may occur.
Instance 0 is the default instance and does not need to be created.
By default, all VLANs are mapped to Instance 0.
Step 4 Run:
The configuration of the MST domain is activated.
----End
18.7.1.4 Configuring a Protected VLAN
Context
The device controls only data in the protected VLANs based on RRPP. Data out of the
protected VLANs may cause storms on the ring network.
Procedure
Step 1 Run:
system-view
Step 2 Run:
The RRPP domain view is displayed.
Step 3 Run:
protected-vlan reference-instance { { instance-id1 [ to instance-id2 ] } &<1-10>
| all }
The list of protected VLANs in the RRPP domain is configured.
All the VLANs whose packets need to pass through an RRPP interface, including the control
VLANs and data VLANs, must be configured as protected VLANs.

NOTE
When you configure the list of protected VLANs, note the following points:
l Protected VLANs must be configured before you configure an RRPP ring.
l You can delete or change existing protected VLANs before configuring an RRPP ring. The protected
VLANs cannot be changed after the RRPP ring is configured.
l In the same physical topology, the control VLAN in a domain cannot be configured as a protected
VLAN in another domain.
l The control VLAN must be included in the protected VLANs; otherwise, the RRPP ring cannot be
configured.
l The control VLAN can be mapped to other instances before the RRPP ring is created. After the
RRPP ring is created, the mapping cannot be changed unless you delete the RRPP ring.
l When the mapping between an instance and VLANs changes, the protected VLANs in the RRPP
domain also change.
l All the VLANs allowed by an RRPP interface must be configured as protected VLANs.
----End
18.7.1.5 (Optional) Setting the RRPP Working Mode
Context
The device can use the RRPP version defined by Huawei or the national standard of China.
RRPP defined by Huawei supports some Huawei proprietary protocols. The RRPP version
defined by the national standard of China is provided for users with customized requirements
and the version defined by Huawei is used by other users as required.
The RRPP working mode is set on the master node in the RRPP domain.
NOTE
l Only the RRPP version defined by Huawei supports functions and configurations of edge nodes,
assistant edge nodes, common interfaces, edge interfaces, and ring groups.
l Each node on an RRPP ring must use the same working mode. Otherwise, the entire ring network
cannot be restored after a transit node link recovers.
Procedure
Step 1 Run:
system-view
Step 2 Run:
rrpp working-mode { hw | gb }
The RRPP working mode is set.
hw indicates the RRPP version defined by Huawei; gb indicates the RRPP version defined by
the national standard of China.
By default, the RRPP version defined by Huawei is used.
----End

18.7.1.6 Creating and Enabling an RRPP Ring
Context
You need to manually add nodes to an RRPP ring and configure an interface role for each
node.
The RRPP ring can be activated only when both the RRPP ring and the RRPP protocol are
enabled on all the switches on an RRPP ring.
Prerequisites
STP has been disabled on the interfaces that need to be added to the RRPP ring. (By default,
STP is enabled on all interfaces of the device.)
Procedure
Step 1 Run:
system-view

Step 2 Run:

Step 3 Run:
ring ring-id node-mode { master | transit } primary-port interface-type interface-
number secondary-port interface-type interface-number level level-value
An RRPP ring is created.

Level 0 indicates the major ring, and Level 1 indicates a sub-ring.
NOTE
l A domain contains only one major ring. Before creating a sub-ring, you must create the major ring.
l In the RRPP version defined by the national standard of China, the master node on the sub-ring
cannot serve as the assistant edge node. In the RRPP version defined by Huawei, the master node on
the sub-ring cannot server as the edge node or the assistant edge node.
l A maximum of 64 RRPP rings can be configured on a device.
l Before adding an interface to a RRPP ring, disable port security on the interface; otherwise, loops
Step 4 Configuring an RRPP sub-ring using the following commands based on versions
l For the RRPP version defined by the national standard of China:
Run:
ring ring-id node-mode transit secondary-port interface-type interface-number
An edge transit node is configured on an RRPP sub-ring.

In the RRPP version defined by the national standard of China, you only need to
configure edge transmit nodes for RRPP sub-rings. The system automatically sets the
level of the ring where the edge transmit nodes reside to 1.
l For the RRPP version defined by Huawei:

Run:
ring ring-id node-mode { assistant-edge | edge } common-port interface-type
interface-number edge-port interface-type interface-number
An edge node and an assistant edge node on the RRPP sub-ring are configured.
In the RRPP version defined by Huawei, you need to configure an edge node and an
assistant edge node for an RRPP sub-ring.
The common interfaces on the edge node and assistant edge node must be located on the
major ring.
The system automatically sets the level of the ring where the edge node and assistant
edge node reside to 1.
Step 5 Run:
ring ring-id enable
The RRPP ring is enabled.
----End
18.7.1.7 Enabling RRPP
Context
After the RRPP ring is enabled, you need to enable the RRPP protocol for devices on the
RRPP ring so that RRPP can work properly.
Procedure
Step 1 Run:
system-view

Step 2 Run:
rrpp enable
RRPP is enabled.
----End
18.7.1.8 (Optional) Creating a Ring Group
Context
To reduce the number of received and sent Edge-Hello packets, you can use a ring group,
which is a group of sub-rings with the same configuration of edge nodes or assistant edge
nodes are added to the ring group.
Procedure
Step 1 On the edge node or assistant edge node, run:
system-view

Step 2 Run:
rrpp ring-group ring-group-id
A ring group is created.

A ring group can be created only on an edge node or an assistant edge on a sub-ring.
All the sub-rings in a ring group must be on nodes of the same type, for example, all the sub-
rings are located on edge nodes or assistant edge nodes.
Step 3 Run:
domain domain-id ring { ring-id1 [ to ring-id2 ] } &<1-10>
Sub-rings are added to the ring group.

Sub-rings in the same ring group share the same edge node, and the same assistant edge node.
A sub-ring can belong to only one ring group.
When you add a sub-ring to a ring group or delete a sub-ring from the ring group, note the
following points:
l To add an activated sub-ring to a ring group, add the sub-ring to the ring group on the
assistant edge node, and then perform the same operation on the edge node.
l To delete an activated sub-ring from a ring group, delete the sub-ring from the ring group
on the edge node, and then perform the same operation on the assistant edge node.
----End
18.7.1.9 (Optional) Setting the Values of the Hello Timer and Fail Timer in an
RRPP Domain
Context
The Hello timer and Fail timer are used when the master node sends and receives RRPP
packets. The value of the Hello timer specifies the interval at which the master node sends
Hello packets from the primary interface. The value of the Fail timer specifies the maximum
delay in which the primary interface on the master node sends a Hello packet and the
secondary interface receives the Hello packet.
You only need to set the values of the Hello timer and Fail timer on the master node in an
RRPP domain.
Procedure
Step 1 Run:
system-view

Step 2 Run:

Step 3 Run:
timer hello-timer hello-value fail-timer fail-value

The values of the Hello timer and the Fail timer in an RRPP domain are set.
The value of the Fail timer must be no smaller than three times the value of the Hello timer.
By default, the value of the Hello timer on an edge node is half of the value of the Hello timer
on the master node of the major ring.
The values of both the Hello timer and Fail timer must be set the same on each node in an
RRPP domain; otherwise, edge interfaces on the edge nodes may be unstable.
It is recommended that the value of the Fail timer be configured based on the actual
networking. If the value of the Fail timer is incorrect, for example, the value is too small,
loops may occur.
----End
18.7.1.10 (Optional) Setting the Value of the Link-Up Timer
Context
After the value of the Link-Up timer is set, the RRPP link does not immediately change its
status but changes the status when the Link-Up timer times out. This reduces flapping of the
link status.
You only need to set the value of the Link-Up timer on the master node.
Procedure
Step 1 On the master node, run:
system-view

Step 2 Run:
rrpp linkup-delay-timer linkup-delay-timer-value
The value of the Link-Up timer is set for the RRPP link.
The value set by the linkup-delay-timer-value command must be no larger than the value of
the Fail timer minus twice the value of the Hello timer. The default value of the Link-Up
timer is 0.
----End
Procedure
l Run the display stp region-configuration command to check the mapping between
MSTIs and VLANs.
l Run the display rrpp brief [ domain domain-id ] command to check summary
information about an RRPP domain.
l Run the display rrpp verbose domain domain-id [ ring ring-id ] command to check
detailed information about an RRPP domain.

l Run the display rrpp statistics domain domain-id [ ring ring-id ] command to check
the statistics on packets in an RRPP domain.
----End
18.7.2 Configuring RRPP Snooping

RRPP snooping is a technology that notifies the VPLS network of changes in the RRPP ring.
After RRPP snooping is enabled on sub-interfaces or VLANIF interfaces, the VPLS network
can transparently transmit RRPP packets, detect changes in the RRPP ring, and upgrade
forwarding entries, ensuring that traffic can be rapidly switched to a non-blocking path.
Prerequisites
Before configuring RRPP snooping, complete the following tasks:
l Configure a VPLS network.
l Configure RRPP.
18.7.2.1 Enabling RRPP Snooping
Context
When RRPP snooping is enabled on an interface, the status of the RRPP ring can be detected
through RRPP control packets. When the status of the RRPP ring changes, the interface
requests the VSI bound to the interface to update its MAC address table.
NOTE
RRPP and RRPP snooping cannot be simultaneously configured on the same interface.
Configure RRPP snooping only on the node connecting the RRPP ring to the VPLS network.
Procedure
Step 1 Run:
system-view

Step 2 Entering the view of the interface to be enabled with RRPP snooping using the following
commands as required
l Run:

l Run:

Specifying that the sub-interface or VLANIF interface permits only the packets in the control
VLAN of the RRPP domain to pass through.
Step 3 Run:
rrpp snooping enable

RRPP snooping is enabled.

Before running this command, bind the sub-interface or VLANIF interface to the VSI.
If the sub-interface or VLANIF interface is removed from the VSI, RRPP snooping is
automatically disabled on the interface.
After RRPP snooping is enabled on the sub-interface or VLANIF interface, the sub-interface
or VLANIF interface is automatically associated with the VSI.
By default, RRPP snooping is disabled.
----End
18.7.2.2 (Optional) Configuring the VSI Associated with RRPP Snooping
Context
If you associate an RRPP snooping-enabled sub-interface or VLANIF interface with another
VSI on the device, the interface notifies the associated VSI of changes of the RRPP ring
status. In this way, the VSI can immediately update the MAC address table.
You only need to configure the VSI associated with RRPP snooping on the NPE node
connecting the RRPP ring to the VPLS network.
Procedure
Step 1 Run:
system-view

Step 2 Entering the view of the interface to be enabled with RRPP snooping using the following
commands as required
l Run:

l Run:

The VLANIF interface in this step must map the RRPP control VLAN. For example, if
the RRPP control VLAN ID is 100, the VLANIF interface here must be VLANIF 100.
Step 3 Configuring the VSI associated with RRPP snooping on the sub-interface or VLANIF
interface using the following commands as required
l Run:
rrpp snooping vsi vsi-name
The VSI associated with RRPP snooping is configured on the sub-interface or VLANIF
interface.
l Run:
rrpp snooping all-vsi
VSIs that are bound to all the other sub-interfaces connected to the same main interface
are automatically associated on the sub-interface.

NOTE
The rrpp snooping vsi vsi-name command associates the interface with only one VSI at a time. To
associate the sub-interface or VLANIF interface with multiple VSIs, run this command multiple times.
----End
Procedure
l Run the display rrpp snooping enable { all | interface vlanif interface-number } or the
display rrpp snooping enable { all | interface interface-type interface-
number.subinterface-number } command to check the interfaces that are enabled with
RRPP snooping.
l Run the display rrpp snooping vsi { all | interface vlanif interface-number } or the
display rrpp snooping vsi { all | interface interface-type interface-number.subinterface-
number } command to check the VSIs associated with RRPP snooping.
----End
18.8 Maintaining RRPP
18.8.1 Clearing RRPP Statistics
Context
You can set the RRPP statistics to 0 for collecting new statistics about RRPP packets.
NOTICE
RRPP statistics cannot be restored after you clear them. Therefore, exercise caution when you
run the command.
Procedure
Step 1 Run the reset rrpp statistics domain domain-id [ ring ring-id ] command in the user view to
clear RRPP statistics.
----End

18.9.1 Example for Configuring a Single RRPP Ring with a Single

Instance
As shown in Figure 18-32, SwitchA, SwitchB, and SwitchC constitute a ring network. The
network is required to prevent loops when the ring is complete and implement fast
convergence to rapidly restore communication between nodes on the ring when the ring fails.
You can enable RRPP on SwitchA, SwitchB, and SwitchC to meet this requirement.
Figure 18-32 Networking diagram of a single RRPP ring

SwitchB
GE2/0/2
GE2/0/1 GE2/0/1
Ring 1
GE2/0/2 GE2/0/2 SwitchC
GE2/0/1
SwitchA
Primary interface
Secondary interface
1. Configure interfaces to be added to the RRPP domain on the devices so that data can
pass through the interfaces. Disable protocols that conflict with RRPP, such as STP.
2. Create an RRPP domain and its control VLAN.
3. Map data that needs to pass through the VLANs on the RRPP ring to Instance 1,
including data VLANs 100 to 300 and control VLANs 20 and 21 (VLAN 21 is the sub-
control VLAN generated by the device).
4. In the RRPP domain, configure a protected VLAN, create an RRPP ring and configure
SwitchA, SwitchB, and SwitchC as nodes on Ring 1 in Domain 1. Configure SwitchA as
the master node on Ring 1, and configure SwitchB and SwitchC as transit nodes on Ring
1.
5. Enable the RRPP ring and RRPP protocol on devices to make RRPP take effect.
Procedure
Step 1 Create an RRPP domain and its control VLAN.
# Configure SwitchA. The configurations on SwitchB and SwitchC are similar to that on
SwitchA and not mentioned here. For details, see the configuration files.

[SwitchA] rrpp domain 1

[SwitchA-rrpp-domain-region1] control-vlan 20
[SwitchA-rrpp-domain-region1] quit
Step 2 Map Instance 1 to control VLANs 20 and 21 and data VLANs 100 to 300.
# Configure SwitchA. The configurations on SwitchB and SwitchC are the same as that of
[SwitchA-mst-region] instance 1 vlan 20 21 100 to 300
Step 3 Configure the interfaces to be added to the RRPP ring as trunk interfaces, allow data VLANs
100 to 300 to pass through the interfaces, and disable STP on the interfaces.
# Configure SwitchA. The configurations on SwitchB and SwitchC are the same as that
ofSwitchA and not mentioned here. For details, see the configuration files.
[SwitchA-GigabitEthernet2/0/1] stp disable
Step 4 Specify a protected VLAN, and create and enable an RRPP ring.
[SwitchA-rrpp-domain-region1] protected-vlan reference-instance 1
[SwitchA-rrpp-domain-region1] ring 1 node-mode master primary-port
gigabitethernet 2/0/1 secondary-port gigabitethernet 2/0/2 level 0
[SwitchA-rrpp-domain-region1] ring 1 enable
[SwitchB] rrpp domain 1
[SwitchB-rrpp-domain-region1] protected-vlan reference-instance 1
[SwitchB-rrpp-domain-region1] ring 1 node-mode transit primary-port
[SwitchB-rrpp-domain-region1] ring 1 enable
[SwitchB-rrpp-domain-region1] quit
# Configure SwitchC.
[SwitchC] rrpp domain 1
[SwitchC-rrpp-domain-region1] protected-vlan reference-instance 1
[SwitchC-rrpp-domain-region1] ring 1 node-mode transit primary-port
[SwitchC-rrpp-domain-region1] ring 1 enable
[SwitchC-rrpp-domain-region1] quit
Step 5 Enable RRPP.

# Configure SwitchA. The configurations on SwitchB and SwitchC are the same as that of
[SwitchA] rrpp enable


After the preceding configurations are complete and the network becomes stable, run the
following commands to verify the configuration. The display on Switch A is used as an
example.
# Run the display rrpp brief command on SwitchA. The command output is as follows:
[SwitchA] display rrpp brief

Domain Index : 1

----------------------------------------------------------------------------
The command output shows that RRPP is enabled on SwitchA, the major control VLAN of
domain 1 is VLAN 20 and the sub-control VLAN is VLAN 21, and SwitchA is the master
node on Ring 1. The primary interface is GigabitEthernet2/0/1 and the secondary interface is
GigabitEthernet2/0/2.
# Run the display rrpp verbose domain command on SwitchA. The command output is as
follows:
[SwitchA] display rrpp verbose domain 1
Domain Index : 1
RRPP Ring : 1
Ring Level : 0
Node Mode : Master
The command output shows that the RRPP ring is complete.
----End
Configuration Files
#
sysname SwitchA
#
#
rrpp enable
#
instance 1 vlan 20 to 21 100 to 300

#
rrpp domain 1
control-vlan 20
ring 1 node-mode master primary-port GigabitEthernet2/0/1 secondary-port
GigabitEthernet2/0/2 level 0
ring 1 enable
#
port trunk allow-pass vlan 20 to 21 100 to 300
stp disable
#
stp disable
#
return
#
sysname SwitchB
#
#
rrpp enable
#
#
rrpp domain 1
control-vlan 20
ring 1 node-mode transit primary-port GigabitEthernet2/0/1 secondary-port
ring 1 enable
#
stp disable
#
stp disable
#
return
#
sysname SwitchC
#
#
rrpp enable
#
#
rrpp domain 1
control-vlan 20


ring 1 enable
#
stp disable
#
stp disable
#
return
18.9.2 Example for Configuring Intersecting RRPP Rings with a

Single Instance (RRPP Defined by the National Standard of
China)
A metro Ethernet network uses two-layer rings: one is the aggregation layer between
aggregation devices PE-AGGs and the other is the access layer between PE-AGGs and UPEs.
Figure 18-33 Networking diagram of intersecting RRPP rings with a single instance
RRPP Domain
UPE1 PE-AGG2
Edge Master
Sub PE-AGG1
Ring 1
Master
Major P Core Net
Ring S
UPE Sub Block NPE
LANSwitch Ring 2
Assistant
PE-AGG3 PE-AGG：PE-Aggregation
CE
As shown in Figure 18-33, the network is required to prevent loops when the ring is complete
and implement fast convergence to rapidly restore communication between nodes on the ring
when the ring fails. RRPP can meet this requirement. RRPP supports multiple rings. You can
configure the aggregation layer as the major ring and the access layer as the sub-ring,
simplifying the network configuration. To enable devices from different vendors to
communicate with each other on the network, you can use the RRPP version defined by the
national standard of China.
As shown in Figure 18-34, SwitchB, SwitchA, SwitchD, and SwitchC map PE-AGG1, PE-
AGG2, PE-AGG3, and UPE1 in Figure 18-33 respectively. Figure 18-34 is used as an

example to describe how to configure intersecting RRPP rings with a single instance in the
RRPP version defined by national standard of China.
Figure 18-34 Networking diagram of intersecting RRPP rings with a single instance (RRPP
defined by the national standard of China)
SwitchA
GE1/0/3 GE1/0/1
SwitchC GE1/0/2 SwitchB

GE1/0/2 GE2/0/1
sub-ring major ring
GE1/0/1 GE2/0/2
GE1/0/2
GE1/0/3 GE1/0/1
SwitchD
3. Map the VLANs that needs to pass through the RRPP ring to Instance 1, including data
VLANs 2 to 9 and control VLANs 10 and 11 (VLAN 11 is the sub-control VLAN
generated by the device).
4. Configure the devices to use the RRPP version defined by the national standard of
China.
5. Configure a protected VLAN and create an RRPP ring in the RRPP domain.
a. Configure Ring 1 (major ring) in RRPP Domain 1 on SwitchA, SwitchB, and
SwitchD.
b. Configure Ring 2 (sub-ring) in RRPP Domain 1 on SwitchA, SwitchC, and
SwitchD.
c. Configure SwitchB as the master node on the major ring and configure SwitchA
and SwitchD as transit nodes on the major ring.
d. Configure SwitchC as the master node on the sub-ring and configure SwitchA and
SwitchD as edge transit nodes on the sub-ring.
Procedure
Step 1 Configure SwitchB as the master node on the major ring.
# Create data VLANs 2 to 9 on SwitchB.


# Configure Instance 1, and map it to the data VLANs and control VLANs allowed by the
RRPP interface.
# Configure Domain 1 on SwitchB. Configure VLAN 10 as the major control VLAN and bind
Instance 1 to the protected VLAN in Domain 1.
[SwitchB-rrpp-domain-region1] control-vlan 10
# Disable STP on the interface to be added to the RRPP ring and configure the RRPP
interface as a trunk interface to allow data from VLANs 2 to 9 to pass through.
[SwitchB-GigabitEthernet2/0/1] undo port trunk allow-pass vlan 1
[SwitchB-GigabitEthernet2/0/1] stp disable
# Configure SwitchB to use the RRPP version defined by the national standard of China.
[SwitchB] rrpp working-mode gb
# Configure the primary interface and secondary interface on the master node of the major
ring.
[SwitchB-rrpp-domain-region1] ring 1 node-mode master primary-port
Step 2 Configure SwitchC as the master node on the sub-ring.

# Create data VLANs 2 to 9 on SwitchC.
RRPP interface.
# Configure Domain 1 on SwitchC. Configure VLAN 10 as the major control VLAN and bind
[SwitchC-rrpp-domain-region1] control-vlan 10

[SwitchC-GigabitEthernet1/0/1] undo port trunk allow-pass vlan 1
[SwitchC-GigabitEthernet1/0/1] stp disable
# Configure SwitchC to use the RRPP version defined by the national standard of China.
[SwitchC] rrpp working-mode gb
# Configure the primary interface and secondary interface on the master node of the sub-ring.
[SwitchC-rrpp-domain-region1] ring 2 node-mode master primary-port
Step 3 Configure SwitchA as the transit node on the major ring and the edge node on the sub-ring.
# Create data VLANs 2 to 9 on SwitchA.
RRPP interface.
# Configure Domain 1 on SwitchA. Then configure VLAN 10 as the major control VLAN
and bind Instance 1 to protected VLANs in Domain 1.


# Configure SwitchA to use the RRPP version defined by the national standard of China.
[SwitchA] rrpp working-mode gb
# Configure the primary interface and secondary interface on the transit node of the major
ring.
[SwitchA-rrpp-domain-region1] ring 1 node-mode transit primary-port
# Configure the edge interface of the edge transit node on the sub-ring.
[SwitchA-rrpp-domain-region1] ring 2 node-mode transit secondary-port
gigabitethernet 1/0/3
Step 4 Configure SwitchD as the transit node on the major ring and the edge node on the sub-ring.
# Create data VLANs 2 to 9 on SwitchD.
RRPP interface.
# On SwitchD, configure Domain 1. Configure VLAN 10 as the major control VLAN and
bind Instance 1 to the protected VLAN in Domain 1.
[SwitchD] rrpp domain 1
[SwitchD-rrpp-domain-region1] control-vlan 10
[SwitchD-rrpp-domain-region1] protected-vlan reference-instance 1
[SwitchD-rrpp-domain-region1] quit
interface as a trunk interface.
[SwitchD-GigabitEthernet1/0/1] undo port trunk allow-pass vlan 1
[SwitchD-GigabitEthernet1/0/1] stp disable


# Configure SwitchD to use the RRPP version defined by the national standard of China.
[SwitchD] rrpp working-mode gb
ring.
[SwitchD-rrpp-domain-region1] ring 1 node-mode transit primary-port
[SwitchD-rrpp-domain-region1] ring 1 enable
# Configure the edge interface of the edge transit node on the sub-ring.
[SwitchD-rrpp-domain-region1] ring 2 node-mode transit secondary-port
Step 5 Enable RRPP.

# Configure SwitchA. The configurations on SwitchB, SwitchC, and SwitchD are the same as
that of SwitchA and not mentioned here. For details, see the configuration files.

following commands to verify the configuration.
# Run the display rrpp brief command on SwitchB. The command output is as follows:
[SwitchB] display rrpp brief
M - Master , T - Transit , EM - Edge Master, ET - Edge Transit

RRPP Working Mode: GB
Domain Index : 1
Ring Ring Node Primary Secondary/Edge Is

----------------------------------------------------------------------------
The command output shows that RRPP is enabled on SwitchB. The major control VLAN is
VLAN 10, and the sub-control VLAN is VLAN 11; SwitchB is the master node on the major
ring, with GE2/0/1 as the primary interface and GE2/0/2 as the secondary interface.
# Run the display rrpp verbose domain command on SwitchB. The command output is as
follows:
[SwitchB] display rrpp verbose domain 1
Domain Index : 1

RRPP Ring : 1
Ring Level : 0
Node Mode : Master
The command output shows that the ring is in Complete state, and the secondary interface on
the master node is blocked.
# Run the display rrpp brief command on SwitchC. The command output is as follows:
[SwitchC] display rrpp brief

Domain Index : 1

----------------------------------------------------------------------------
The command output shows that RRPP is enabled on SwitchC. The major control VLAN is
VLAN 10, and the sub-control VLAN is VLAN 11. SwitchC is the master node on the sub-
# Run the display rrpp verbose domain command on SwitchC. The command output is as
follows:
[SwitchC] display rrpp verbose domain 1
Domain Index : 1
RRPP Ring : 2
Ring Level : 1
Node Mode : Master
You can find that the sub-ring is in Complete state, and the secondary interface of the master
node on the sub-ring is blocked.


Domain Index : 1

----------------------------------------------------------------------------
1 0 T GigabitEthernet1/0/2 GigabitEthernet1/0/1 Yes
2 1 ET GigabitEthernet1/0/2 GigabitEthernet1/0/3 Yes
The command output shows that RRPP is enabled on SwitchA. The major control VLAN is
VLAN 10, and the sub-control VLAN is VLAN 11. SwitchA is the master node on the major
SwitchA is also the edge transit node on the sub-ring, with GE1/0/3 as the edge interface.
follows:
Domain Index : 1
RRPP Ring : 1
Ring Level : 0
Node Mode : Transit
Ring State : LinkUp
Secondary port : GigabitEthernet1/0/1 Port status: UP
RRPP Ring : 2
Ring Level : 1
Node Mode : Edge Transit
Ring State : LinkUp
GigabitEthernet1/0/1 Port status: UP
# Run the display rrpp brief command on SwitchD. The command output is as follows:
[SwitchD] display rrpp brief

Domain Index : 1

----------------------------------------------------------------------------

The command output shows that RRPP is enabled on SwitchD. The major control VLAN is
VLAN 10, and the sub-control VLAN is VLAN 11. SwitchD is the transit node on the major
ring, with GE1/0/2 as the primary interface and GE1/0/1 as the secondary interface. SwitchD
is also the edge transit node on the sub-ring, with GE1/0/3 as the edge interface.
# Run the display rrpp verbose domain command on SwitchD. The command output is as
follows:
[SwitchD] display rrpp verbose domain 1
Domain Index : 1
RRPP Ring : 1
Ring Level : 0
Node Mode : Transit
Ring State : LinkUp
RRPP Ring : 2
Ring Level : 1
Ring State : LinkUp
----End
Configuration Files
#
sysname SwitchA
#
vlan batch 2 to 11
#
rrpp enable
rrpp working-mode GB
#
stp region-
configuration
active region-
configuration
#
rrpp domain 1
control-vlan 10
ring 1 node-mode transit primary-port Gigabitethernet1/0/2 secondary-port
Gigabitethernet1/0/1 level 0
ring 1 enable
ring 2 node-mode transit secondary-port Gigabitethernet1/0/3
ring 2 enable
#
stp disable
#


stp disable
#
stp disable
#
return
#
sysname SwitchB
#
vlan batch 2 to 11
#
rrpp enable
#
stp region-
configuration
active region-
configuration
#
rrpp domain 1
control-vlan 10
ring 1 node-mode master primary-port Gigabitethernet2/0/1 secondary-port
Gigabitethernet2/0/2 level 0
ring 1 enable
#
stp disable
#
stp disable
#
return
#
sysname SwitchC
#
vlan batch 2 to 11
#
rrpp enable
#
stp region-
configuration
active region-
configuration
#
rrpp domain 1
control-vlan 10

ring 2 enable
#
stp disable
#
stp disable
#
return

#
sysname SwitchD
#
vlan batch 2 to 11
#
rrpp enable
#
stp region-
configuration
active region-
configuration
#
rrpp domain 1
control-vlan 10
ring 1 enable
ring 2 node-mode transit secondary-port GigabitEthernet1/0/3
ring 2 enable
#
stp disable
#
stp disable
#
stp disable
#
return
18.9.3 Example for Configuring Intersecting RRPP Rings with a

Single Instance (RRPP Defined by Huawei)

A metro Ethernet network uses two-layer rings: one is the aggregation layer between
aggregation devices PE-AGGs and the other is the access layer between PE-AGGs and UPEs.
Figure 18-35 Networking diagram of intersecting RRPP rings with a single instance
RRPP Domain
UPE1 PE-AGG2
Edge Master
Sub PE-AGG1
Ring 1
Master
Major P Core Net
Ring S
UPE Sub Block NPE
LANSwitch Ring 2
Assistant
PE-AGG3 PE-AGG：PE-Aggregation
CE
configure the aggregation layer as the major ring and the access layer as the sub-ring,
simplifying the network configuration. All the devices on the network are Huawei devices;
therefore, the RRPP version defined by Huawei is used.
As shown in Figure 18-36, SwitchB, SwitchA, SwitchD, and SwitchC map PE-AGG1, PE-
AGG2, PE-AGG3, and UPE1 in Figure 18-35 respectively. Figure 18-36 is used as an
example to describe how to configure intersecting RRPP rings with a single instance in the
RRPP version defined by Huawei.
Figure 18-36 Networking diagram of intersecting RRPP rings with a single instance (RRPP
defined by Huawei)
SwitchA
GE1/0/3 GE1/0/1
SwitchC GE1/0/2 SwitchB

GE1/0/2 GE2/0/1
sub-ring major ring
GE1/0/1 GE2/0/2
GE1/0/2
GE1/0/3 GE1/0/1
SwitchD


2. Map the VLANs that needs to pass through the RRPP ring to Instance 1, including data
VLANs 2 to 9 and control VLANs 10 and 11 (VLAN 11 is the sub-control VLAN
generated by the device).
3. Configure the devices to use the RRPP version defined by Huawei.
5. Configure a protected VLAN and create an RRPP ring in the RRPP domain.
a. Configure Ring 1 (major ring) in Domain 1 on SwitchA, SwitchB, and SwitchD.
b. Configure Ring 2 (sub-ring) in Domain 1 on SwitchA, SwitchC, and SwitchD.
c. Configure SwitchB as the master node on the major ring and configure SwitchA
and SwitchD as transit nodes on the major ring.
d. Configure SwitchC as the master node on the sub-ring, configure SwitchA as the
edge node on the sub-ring, and configure SwitchD as the assistant edge node on the
sub-ring.
Procedure
Step 1 Configure SwitchB as the master node on the major ring.
# Create data VLANs 2 to 9 on SwitchB.

# Configure instance 1, and map it to the data VLANs and control VLANs allowed by the
RRPP interface.
# Configure Domain 1 on SwitchB. Configure VLAN 10 as the major control VLAN and bind
[SwitchB-rrpp-domain-region1] control-vlan 10
# Configure the RRPP interface as a trunk interface to allow data from VLANs 2 to 9 to pass
through and disable STP on the interface to be added to the RRPP ring.

# Configure the primary interface and secondary interface on the master node of the major
ring.
[SwitchB-rrpp-domain-region1] ring 1 node-mode master primary-port
Step 2 Configure SwitchC as the master node on the sub-ring.
# Create data VLANs 2 to 9 on SwitchC.

RRPP interface.
# Configure Domain 1 on SwitchC. Configure VLAN 10 as the major control VLAN and bind
[SwitchC-rrpp-domain-region1] control-vlan 10
# Configure the primary interface and secondary interface on the master node of the sub-ring.
[SwitchC-rrpp-domain-region1] ring 2 node-mode master primary-port
Step 3 Configure SwitchA as the transit node on the major ring and the edge node on the sub-ring.
# Create data VLANs 2 to 9 on SwitchA.

RRPP interface.


# Configure Domain 1 on SwitchA. Configure VLAN 10 as the major control VLAN and
ring.
[SwitchA-rrpp-domain-region1] ring 1 node-mode transit primary-port
# Configure the common interface and edge interface on the edge node of the sub-ring.
[SwitchA-rrpp-domain-region1] ring 2 node-mode edge common-port gigabitethernet
1/0/2 edge-port gigabitethernet 1/0/3
Step 4 Configure SwitchD as the transit node on the major ring and the assistant edge node on the
sub-ring.
# Create data VLANs 2 to 9 on SwitchD.
RRPP interface.

# On SwitchD, configure Domain 1. Configure VLAN 10 as the major control VLAN and
[SwitchD-rrpp-domain-region1] control-vlan 10
[SwitchD-rrpp-domain-region1] protected-vlan reference-instance 1
# Disable STP on the interface to be added to the RRPP ring, configure the RRPP interface as
a trunk interface, and configure the interfaces to allow service packets of VLAN 2 to VLAN 9
to pass through.
ring.
# Configure the common interface and edge interface on the assistant edge node of the sub-
ring.
[SwitchD-rrpp-domain-region1] ring 2 node-mode assistant-edge common-port
gigabitethernet 1/0/2 edge-port gigabitethernet 1/0/3
Step 5 Configure the devices to use the default RRPP version defined by Huawei.
[SwitchA] rrpp working-mode hw
Step 6 Enable RRPP.


following commands to verify the configuration.

# Run the display rrpp brief command on SwitchB. The command output is as follows:
[SwitchB] display rrpp brief

Domain Index : 1

----------------------------------------------------------------------------
The command output shows that RRPP is enabled on SwitchB. The major control VLAN is
VLAN 10, and the sub-control VLAN is VLAN 11; SwitchB is the master node on the major
# Run the display rrpp verbose domain command on SwitchB. The command output is as
follows:
[SwitchB] display rrpp verbose domain 1
Domain Index : 1
RRPP Ring : 1
Ring Level : 0
Node Mode : Master
The command output shows that the ring is in Complete state, and the secondary interface on
the master node is blocked.

Domain Index : 1

----------------------------------------------------------------------------

You can find that RRPP is enabled on SwitchC. The major control VLAN is VLAN 10, and
the sub-control VLAN is VLAN 11; SwitchC is the master node on the sub-ring, with
GE1/0/1 as the primary interface and GE1/0/2 as the secondary interface.
# Run the display rrpp verbose domain command on SwitchC. The command output is as
follows:
Domain Index : 1
RRPP Ring : 2
Ring Level : 1
Node Mode : Master
The command output shows that the sub-ring is in Complete state, and the secondary interface
on the master node of the sub-ring is blocked.

Domain Index : 1

----------------------------------------------------------------------------
2 1 E GigabitEthernet1/0/2 GigabitEthernet1/0/3 Yes
The command output shows that RRPP is enabled on SwitchA. The major control VLAN is
VLAN 10, and the sub-control VLAN is VLAN 11. SwitchA is the transit node on the major
ring. The primary interface is GE10/2 and the secondary interface is GE1/0/1.
SwitchA is also the edge node on the sub-ring, with GE1/0/2 as the common interface and
GE1/0/3 as the edge interface.
follows:
Domain Index : 1
RRPP Ring : 1
Ring Level : 0
Node Mode : Transit
Ring State : LinkUp


RRPP Ring : 2
Ring Level : 1
Node Mode : Edge
Ring State : LinkUp
Common port : GigabitEthernet1/0/2 Port status: UP
Edge port : GigabitEthernet1/0/3 Port status: UP
# Run the display rrpp brief command on SwitchD. The command output is as follows:
[SwitchD] display rrpp brief

Domain Index : 1

----------------------------------------------------------------------------
2 1 A GigabitEthernet1/0/2 GigabitEthernet1/0/3 Yes
The command output shows that RRPP is enabled on SwitchD. The major control VLAN is
VLAN 10, and the sub-control VLAN is VLAN 11. SwitchD is the transit node on the major
ring, with GE1/0/2 as the primary interface and GE1/0/1 as the secondary interface. SwitchD
is also the assistant edge node on the sub-ring, with GE1/0/2 as the common interface and
GE1/0/3 as the edge interface.
# Run the display rrpp verbose domain command on SwitchD. The command output is as
follows:
[SwitchD] display rrpp verbose domain 1
Domain Index : 1
RRPP Ring : 1
Ring Level : 0
Node Mode : Transit
Ring State : LinkUp
RRPP Ring : 2
Ring Level : 1
Node Mode : Assistant-edge
Ring State : LinkUp
----End

Configuration Files
#
sysname SwitchA
#
vlan batch 2 to 11
#
rrpp enable
#
#
rrpp domain 1
control-vlan 10
ring 1 enable
ring 2 node-mode edge common-port GigabitEthernet1/0/2 edge-port
ring 2 enable
#
stp disable
#
stp disable
#
stp disable
#
return

#
sysname SwitchB
#
vlan batch 2 to 11
#
rrpp enable
#
#
rrpp domain 1
control-vlan 10
ring 1 enable
#
stp disable
#

stp disable
#
return
#
sysname SwitchC
#
vlan batch 2 to 11
#
rrpp enable
#
#
rrpp domain 1
control-vlan 10
ring 2 enable
#
stp disable
#
stp disable
#
return
#
sysname SwitchD
#
vlan batch 2 to 11
#
rrpp enable
#
#
rrpp domain 1
control-vlan 10
ring 1 enable
ring 2 node-mode assistant-edge common-port GigabitEthernet1/0/2 edge-port
ring 2 enable
#
stp disable
#


stp disable
#
stp disable
#
return
18.9.4 Example for Configuring Tangent RRPP Rings
A metro Ethernet network uses two-layer rings:
l One layer is the aggregation layer between aggregation devices PE-AGGs, such as RRPP
Domain 1 in Figure 18-37.
l The other layer is the access layer between PE-AGGs and UPEs, such as RRPP Domain
2 and RRPP Domain 3 in Figure 18-37.
Figure 18-37 Tangent RRPP rings
Master
UPE1
UPE2 PE-AGG3
RRPP Transit 1
Domain2
Master
PE-AGG1
UPE RRPP P IP/MPLS
Domain1 Core
UPE S
UPE Block NPE
RRPP Transit 2
Domain3
PE-AGG2
Master PE-AGG：PE-Aggregation
UPE NPE：Network Provider Edge
UMG：Universal Media Gateway
DSLAM：Digital Subscriber Line Access Multiplexer
LANSwitch CE DSLAM UMG
configure the aggregation layer and access layer as RRPP rings and the two rings are tangent,
simplifying the network configuration.

As shown in Figure 18-38, SwitchE, SwitchD, SwitchC, SwitchA, and SwitchB map PE-
AGG1, PE-AGG2, PE-AGG3, UPE 1, and UPE 2 in Figure 18-37 respectively. Figure 18-38
is used as an example to describe how to configure tangent RRPP rings with a single instance.
Figure 18-38 Networking diagram of tangent RRPP rings
Domain 2 Domain 1
SwtichA GE2/0/2 GE1/0/1 SwtichE
GE2/0/1 GE2/0/1 GE1/0/2 GE1/0/2
Ring 2 SwtichC Ring 1

GE2/0/2 GE1/0/1
GE2/0/2 GE1/0/1
SwtichB
GE2/0/1 GE1/0/2 SwtichD
1. Create different RRPP domains and control VLANs to configure an RRPP ring.
2. Map the VLANs that need to pass through Ring 1 to Instance 1, including data VLANs
and control VLANs to configure protected VLANs.
Map the VLANs that need to pass through Ring 2 to Instance 2, including data VLANs
and control VLANs to configure protected VLANs.
3. Configure timers for different RRPP domains.
NOTE
You can configure two timers for tangent points because two tangent rings locate in different
domains.
5. Configure protected VLANs and create RRPP rings in RRPP domains.
a. Configure Ring 2 in Domain 2 on SwitchA, SwitchB, and SwitchC.
b. Configure Ring 1 in Domain 1 on SwitchC, SwitchD, and SwitchE.
c. Configure SwitchA as the master node on Ring 2, and configure SwitchB and
SwitchC as transit nodes on Ring 2.
d. Configure SwitchE as the master node on Ring 1, and configure SwitchC and
SwitchD as transit nodes on Ring 1.
Procedure
Step 1 Configure instance 2, and map it to the data VLANs and control VLANs allowed by the
RRPP interface.

# Configure SwitchA. The configurations on SwitchB, SwitchC, SwitchD, and SwitchE are
similar to that on SwitchA and not mentioned here. For details, see the configuration files.
Step 2 Create RRPP domains and configure control VLANs and protected VLANs in the domains.
# Configure SwitchE. The configurations on SwitchB, SwitchC, and SwitchD are similar to
that on SwitchA and not mentioned here. For details, see the configuration files.
[SwitchE] rrpp domain 1
[SwitchE-rrpp-domain-region1] control-vlan 10
[SwitchE-rrpp-domain-region1] protected-vlan reference-instance 1
[SwitchE-rrpp-domain-region1] quit
Step 3 Set the timers of RRPP domains.

# Set the timers for SwitchE, the master node on Ring 1.
[SwitchE-rrpp-domain-region1] timer hello-timer 2 fail-timer 7
# Set the timers for SwitchD, the transit node on Ring 1.

[SwitchD-rrpp-domain-region1] timer hello-timer 2 fail-timer 7
# Set the timers for SwitchC, the transit node on Ring 1.

[SwitchC-rrpp-domain-region1] timer hello-timer 2 fail-timer 7
# Set the timers for SwitchA, the master node on Ring 2.

[SwitchA-rrpp-domain-region2] timer hello-timer 3 fail-timer 10
# Set the timers for SwitchB, the transit node on Ring 2.

[SwitchB-rrpp-domain-region2] timer hello-timer 3 fail-timer 10
# Set the timers for SwitchC, the transit node on Ring 2.

[SwitchC-rrpp-domain-region2] timer hello-timer 3 fail-timer 10
Step 4 Configure the interfaces to be added to the RRPP ring as trunk interfaces and disable STP on
the interfaces.
the same as that of SwitchA and not mentioned here. For details, see the configuration files.

Step 5 Create and enable RRPP rings.

l Configure nodes on Ring 2. The configuration procedure is as follows:
# Configure SwitchA as the master node on Ring 2 and specify the primary and
secondary interfaces.
[SwitchA-rrpp-domain-region2] ring 2 node-mode master primary-port
# Configure SwitchB as a transit node on Ring 2 (major ring) and specify the primary
and secondary interfaces.
[SwitchB-rrpp-domain-region2] ring 2 node-mode transit primary-port
# Configure SwitchC as a transit node on Ring 2 and specify the primary and secondary
interfaces.
l Configure nodes on Ring 1. The configuration procedure is as follows:

# Configure SwitchE as the master node on Ring 1 (major ring) and specify the primary
and secondary interfaces.
[SwitchE-rrpp-domain-region1] ring 1 node-mode master primary-port
[SwitchE-rrpp-domain-region1] ring 1 enable
# Configure SwitchC as a transit node on Ring 1 and specify the primary and secondary
interfaces.
# Configure SwitchD as a transit node on Ring 1 and specify the primary and secondary
interfaces.
Step 6 Enable RRPP.

the same as that of SwitchA and not mentioned here. For details, see the configuration files.

perform the following operations to verify the configuration. The tangent point SwitchC is
used as an example.

Domain Index : 1

----------------------------------------------------------------------------
Domain Index : 2

----------------------------------------------------------------------------
The command output shows that RRPP is enabled on SwitchC. In Domain 1, the major
control VLAN is VLAN 10, and the sub-control VLAN is VLAN 11. SwitchC is the transit
node on the major ring, with GigabitEthernet1/0/1 as the primary interface and
GigabitEthernet1/0/2 as the secondary interface.
In Domain 2, the major control VLAN is VLAN 20, and the sub-control VLAN is VLAN 21.
SwitchC is a transit node on Ring 2. GigabitEthernet2/0/1 is the primary interface and
GigabitEthernet2/0/2 is the secondary interface.
Run the display rrpp verbose domain command on SwitchC. The command output is as
follows:
# Display detailed information about Domain 1 on SwitchC.

Domain Index : 1
RRPP Ring : 1
Ring Level : 0
Node Mode : Transit
Ring State : LinkUp
# Display detailed information about Domain 2 on SwitchC.


Domain Index : 2
RRPP Ring : 2
Ring Level : 0
Node Mode : Transit
Ring State : LinkUp
----End
Configuration Files
#
sysname SwitchA
#
vlan batch 20 to 21
#
rrpp enable
#
#
rrpp domain 2
control-vlan 20
timer hello-timer 3 fail-timer 10
ring 2 enable
#
stp disable
#
stp disable
#
return

#
sysname SwitchB
#
vlan batch 20 to 21
#
rrpp enable
#
#
rrpp domain 2
control-vlan 20


ring 2 enable
#
stp disable
#
stp disable
#
return

#
sysname SwitchC
#
#
rrpp enable
#
#
rrpp domain 1
control-vlan 10
ring 1 enable
rrpp domain 2
control-vlan 20
ring 2 enable
#
stp disable
#
stp disable
#
stp disable
#
stp disable

#
return
#
sysname SwitchD
#
vlan batch 10 to 11
#
rrpp enable
#
#
rrpp domain 1
control-vlan 10
ring 1 enable
#
stp disable
#
stp disable
#
return
l SwitchE configuration file
#
sysname SwitchE
#
vlan batch 10 to 11
#
rrpp enable
#
#
rrpp domain 1
control-vlan 10
ring 1 enable
#
stp disable
#
stp disable
#
return

18.9.5 Example for Configuring a Single RRPP Ring with

Multiple Instances
As shown in Figure 18-39, on a ring network, idle links are required to forward data. In this
way, data in different VLANs are forwarded along different paths, improving network
efficiency and implementing load balancing.
Figure 18-39 Networking diagram of single RRPP ring with multiple instances
UPEB
GE1/0/0 GE2/0/0
CE 1
VLAN 100-300
PEAGG
GE2/0/0 Ring GE1/0/0
Master 1 Backbone
UPEA 1
network
Master 2
GE1/0/0 GE2/0/0
CE 2
VLAN 100-300
Domain 1 ring 1
GE2/0/0 GE1/0/0
Domain 2 ring 1
UPEC
Table 18-6 shows the mapping between protected VLANs and instances in Domain 1 and
Domain 2.
Table 18-6 Mapping between the protected VLAN and instance

Domain Control VLAN ID Data VLAN ID Instance ID
ID
Domain 1 VLANs 5 and 6 VLANs 100 to 200 Instance 1
Table 18-7 shows the master node on each ring and the primary and secondary interfaces on
each master node.

Table 18-7 Master node and its primary and secondary interfaces
Ring ID Master Node Primary Port Secondary Port
Ring 1 in Domain 1 PEAGG GE1/0/0 GE2/0/0
Ring 1 in Domain 2 PEAGG GE2/0/0 GE1/0/0
1. Create different RRPP domains and control VLANs.

2. Map the VLANs that need to pass through Ring 1 in Domain 1 to Instance 1, including
data VLANs and control VLANs.
Map the VLANs that need to pass through Ring 1 in Domain 2 to Instance 2, including
data VLANs and control VLANs.
a. Add UPEA, UPEB, UPEC, and PEAGG to Ring 1 in Domain 1. Configure PEAGG
as the master node on Ring 1 in Domain 1 and configure UPEA, UPEB, and UPEC
as transit nodes.
b. Add UPEA, UPEB, UPEC, and PEAGG to Ring 1 in Domain 2. Configure PEAGG
as the master node on Ring 1 in Domain 2 and configure UPEA, UPEB, and UPEC
as transit nodes.
Procedure
Step 1 Create an RRPP domain and its control VLAN.
# Configure UPEA. The configurations on UPEB, UPEC, and PEAGG are similar to that on
UPEA and not mentioned here. For details, see the configuration files.
[HUAWEI] sysname UPEA
[UPEA] rrpp domain 1
[UPEA-rrpp-domain-region1] control-vlan 5
[UPEA-rrpp-domain-region1] quit
Step 2 Configure instances, and map it to the data VLANs and control VLANs allowed by the RRPP
interface.
# Configure UPEA. The configurations on UPEB, UPEC, and PEAGG are the same as that of
[UPEA] vlan batch 100 to 300
[UPEA] stp region-configuration
[UPEA-mst-region] instance 1 vlan 5 6 100 to 200

[UPEA-mst-region] active region-configuration

[UPEA-mst-region] quit
Step 3 Configure the interfaces to be added into the RRPP rings.

[UPEA] interface gigabitethernet 1/0/0
[UPEA-GigabitEthernet1/0/0] port link-type trunk
[UPEA-GigabitEthernet1/0/0] undo port trunk allow-pass vlan 1
[UPEA-GigabitEthernet1/0/0] port trunk allow-pass vlan 100 to 300
[UPEA-GigabitEthernet1/0/0] stp disable
[UPEA-GigabitEthernet1/0/0] quit
Step 4 Specify a protected VLAN, and create and enable an RRPP ring.
# Configure UPEA as a transit node on Ring 1 in Domain 1 and specify primary and
secondary interfaces on UPEA.
[UPEA-rrpp-domain-region1] protected-vlan reference-instance 1
[UPEA-rrpp-domain-region1] ring 1 node-mode transit primary-port gigabitethernet
1/0/0 secondary-port gigabitethernet 2/0/0 level 0
[UPEA-rrpp-domain-region1] ring 1 enable
# Configure UPEB as a transit node on Ring 1 in Domain 1 and specify primary and
secondary interfaces on UPEB.
[UPEB] rrpp domain 1
[UPEB-rrpp-domain-region1] protected-vlan reference-instance 1
[UPEB-rrpp-domain-region1] ring 1 node-mode transit primary-port gigabitethernet
[UPEB-rrpp-domain-region1] ring 1 enable
[UPEB-rrpp-domain-region1] quit
[UPEB-rrpp-domain-region2] protected-vlan reference-instance 2
# Configure UPEC as a transit node on Ring 1 in Domain 1 and specify primary and
secondary interfaces on UPEC.
[UPEC] rrpp domain 1
[UPEC-rrpp-domain-region1] protected-vlan reference-instance 1

[UPEC-rrpp-domain-region1] ring 1 node-mode transit primary-port gigabitethernet

[UPEC-rrpp-domain-region1] ring 1 enable
[UPEC-rrpp-domain-region1] quit
[UPEC-rrpp-domain-region2] protected-vlan reference-instance 2
# Configure PEAGG as the master node on Ring 1 in Domain 1, with GE1/0/0 as the primary
interface and GE2/0/0 as the secondary interface.
[PEAGG] rrpp domain 1
[PEAGG-rrpp-domain-region1] protected-vlan reference-instance 1
[PEAGG-rrpp-domain-region1] ring 1 node-mode master primary-port gigabitethernet
[PEAGG-rrpp-domain-region1] ring 1 enable
[PEAGG-rrpp-domain-region1] quit
[PEAGG-rrpp-domain-region2] protected-vlan reference-instance 2
Step 5 Enable RRPP.

[UPEA] rrpp enable

following commands to verify the configuration. UPEA and PEAGG are used as examples.
# Run the display rrpp brief command on UPEA. The command output is as follows:
[UPEA] display rrpp brief

Domain Index : 1

----------------------------------------------------------------------------

Domain Index : 2

----------------------------------------------------------------------------
The command output shows that RRPP is enabled on UPEA.

In Domain 1, the major control VLAN is VLAN 5 and the protected VLANs are VLANs
mapping Instance 1. UPEA is a transit node on Ring 1. GigabitEthernet1/0/0 is the primary
interface and GigabitEthernet2/0/0 is the secondary interface.
In Domain 2, the major control VLAN is VLAN 10 and the protected VLANs are VLANs
mapping Instance 2. UPEA is a transit node on Ring 1. GigabitEthernet1/0/0 is the primary
# Run the display rrpp brief command on PEAGG. The command output is as follows:
[PEAGG] display rrpp brief

Domain Index : 1

----------------------------------------------------------------------------
Domain Index : 2

----------------------------------------------------------------------------
The command output shows that RRPP is enabled on PEAGG.

In Domain 1, the major control VLAN is VLAN 5, the protected VLAN is the VLAN mapped
to Instance 1, and the master node on Ring 1 is PEAGG. GigabitEthernet1/0/0 is the primary
In Domain 2, the major control VLAN is VLAN 10, the protected VLAN is the VLAN
mapped to Instance 2, and the master node on Ring 1 is PEAGG. GigabitEthernet2/0/0 is the
primary interface and GigabitEthernet1/0/0 is the secondary interface.
# Check detailed information about UPEA in Domain 1. Run the display rrpp verbose
domain command on UPEA. The command output is as follows:
[UPEA] display rrpp verbose domain 1
Domain Index : 1


RRPP Ring : 1
Ring Level : 0
Node Mode : Transit
Ring State : LinkUp
The command output shows that the control VLAN in Domain 1 is VLAN 5, and the
protected VLANs are the VLANs mapping Instance 1. UPEA is a transit node in Domain 1
and is in LinkUp state.
# Check detailed information about UPEA in Domain 2.
[UPEA] display rrpp verbose domain 2
Domain Index : 2
RRPP Ring : 1
Ring Level : 0
Node Mode : Transit
Ring State : LinkUp
The command output shows that, in Domain 2, the control VLAN is VLAN 10 and the
protected VLAN is the VLAN mapped to Instance 2. UPEA is a transit node in Domain 2 and
is in LinkUp state.
Run the display rrpp verbose domain command on PEAGG. The command output is as
follows:
# Check detailed information about PEAGG in Domain 1.
[PEAGG] display rrpp verbose domain 1
Domain Index : 1
RRPP Ring : 1
Ring Level : 0
Node Mode : Master
protected VLANs are the VLANs mapping Instance 1.
PEAGG is the master node in Domain 1 and is in Complete state.
The primary interface is GigabitEthernet1/0/0 and the secondary interface is
Domain Index : 2


RRPP Ring : 1
Ring Level : 0
Node Mode : Master
The command output shows that, in Domain 2, the control VLAN is VLAN 10, and the
protected VLAN is the VLAN mapped to Instance 2.
----End
Configuration Files
l UPEA configuration file
#
sysname UPEA
#
vlan batch 5 to 6 10 to 11 100 to 300
#
rrpp enable
#
#
rrpp domain 1
control-vlan 5
ring 1 enable
rrpp domain 2
control-vlan 10
ring 1 enable
#
port trunk allow-pass vlan 5 to 6 10 to 11 100 to 300
stp disable
#
stp disable
#
return
l UPEB configuration file

#
sysname UPEB

#
#
rrpp enable
#
#
rrpp domain 1
control-vlan 5
ring 1 enable
rrpp domain 2
control-vlan 10
ring 1 enable
#
stp disable
#
stp disable
#
return
l UPEC configuration file
#
sysname UPEC
#
#
rrpp enable
#
#
rrpp domain 1
control-vlan 5
ring 1 enable
rrpp domain 2
control-vlan 10
ring 1 enable
#
stp disable
#


stp disable
#
return
l PEAGG configuration file

#
sysname PEAGG
#
#
rrpp enable
#
#
rrpp domain 1
control-vlan 5
ring 1 enable
rrpp domain 2
control-vlan 10
ring 1 enable
#
stp disable
#
stp disable
#
return
18.9.6 Example for Configuring Intersecting RRPP Rings with

Multiple Instances (RRPP Defined by the National Standard of
China)
efficiency and implementing load balancing. To enable devices from different vendors to
communicate with each other on the network, you can use the RRPP version defined by the
national standard of China.

Figure 18-40 Networking diagram of intersecting RRPP rings with multiple instances
Backbone
network
GE1/0/0 GE2/0/0
PEAGG
Master 1
GE2/0/0 Master 2 GE1/0/0
UPEA Domain 1 ring 1 UPED
GE1/0/0 Domain 2 ring 1 GE2/0/0
GE2/0/0 Edge Transit Edge Transit

GE1/0/0
UPEB GE1/0/0 UPEC
GE2/0/0
GE3/0/0 GE3/0/1
GE3/0/1 GE3/0/0
Domain 2 ring 2 Domain 2 ring 3

GE1/0/0 GE2/0/0
Master 1 Master 1
Master 2 GE2/0/0 GE1/0/0 Master 2
CE1 Domain 1 ring 2 Domain 1 ring 3
CE2
VLAN 100-300 VLAN 100-300
Domain 1
Domain 2
Domain 2.

Domain ID Control VLAN ID Data VLAN ID Instance ID
each master node.

Ring ID Master Node Primary Port Secondary Port Ring Type
Ring 1 in PEAGG GE1/0/0 GE2/0/0 Major ring

Domain 1

Domain 2
Ring 2 in CE1 GE1/0/0 GE2/0/0 Sub-ring

Domain 1

Domain 2

Domain 1

Domain 2
Table 18-10 shows the edge transit nodes and edge nodes on the sub-rings.
Table 18-10 Edge transit nodes and edge nodes on the sub-rings
Ring ID Edge-Transit Edge Port Edge-Transit Edge Port
Node Node
Ring 2 in UPEB GE3/0/0 UPEC GE3/0/0

Domain 1

Domain 1

Domain 2

Domain 2
2. Map the VLANs that need to pass through Domain 1 to Instance 1, including data
VLANs and control VLANs.
Map the VLANs that need to pass through Domain 2 to Instance 2, including data

4. Configure the devices to use the RRPP version defined by the national standard of
China.
a. Add UPEA, UPEB, UPEC, UPED, and PEAGG to Ring 1 in Domain 1 and Ring 1
in Domain 2.
b. Add CE1, UPEB, and UPEC to Ring 2 in Domain 1 and Ring 2 in Domain 2.
c. Add CE2, UPEB, and UPEC to Ring 3 in Domain 1 and Ring 3 in Domain 2.
d. Configure PEAGG as the master node and configure UPEA, UPEB, UPEC, and
UPED as transit nodes on Ring 1 in Domain 1 and Ring 1 in Domain 2.
e. Configure CE1 as the master node and configure UPEB and UPEC as transit nodes
on Ring 2 in Domain 1 and Ring 2 in Domain 2.
f. Configure CE2 as the master node and configure UPEB and UPEC as transit nodes
on Ring 3 in Domain 1 and Ring 3 in Domain 2.
6. To prevent topology flapping, set the LinkUp timer on the master nodes.
Procedure
interface.
# Configure CE1. The configurations on CE2, UPEA, UPEB, UPEC, UPED, and PEAGG are
the same as that of CE1 and not mentioned here. For details, see the configuration files.
[CE1-mst-region] instance 1 vlan 5 6 100 to 200

[CE1] vlan batch 100 to 300
[CE1-GigabitEthernet1/0/0] undo port trunk allow-pass vlan 1
[CE1-GigabitEthernet1/0/0] port trunk allow-pass vlan 100 to 300
[CE1-GigabitEthernet1/0/0] stp disable
Step 3 Create RRPP domains, configure the device to use the RRPP version defined by the national
standard of China, and configure protected VLANs and control VLANs.
[CE1] rrpp working-mode gb
[CE1] rrpp domain 1

[CE1-rrpp-domain-region1] protected-vlan reference-instance 1

[CE1-rrpp-domain-region1] control-vlan 5
[CE1-rrpp-domain-region1] quit
[CE1] rrpp domain 2
Step 4 Create RRPP rings.

# Configure CE1 as the master node on Ring 2 in Domain 1. Configure GE1/0/0 as the
primary interface and GE2/0/0 as the secondary interface.
[CE1] rrpp domain 1
[CE1-rrpp-domain-region1] ring 2 node-mode master primary-port gigabitethernet
[CE1-rrpp-domain-region1] ring 2 enable
[CE1] rrpp domain 2
[CE2] rrpp domain 1
[CE2] rrpp domain 2


# Configure UPEB as an edge transit node on Ring 2 in Domain 1 and configure GE3/0/0 as
the edge interface.
[UPEB-rrpp-domain-region1] ring 2 node-mode transit secondary-port
the edge interface.
the edge interface.
the edge interface.

# Configure UPEC as an edge transit node on Ring 2 in Domain 1 and configure GE3/0/0 as
the edge interface.
[UPEC-rrpp-domain-region1] ring 2 node-mode transit secondary-port
the edge interface.
the edge interface.
the edge interface.
# Configure UPED as a transit node on Ring 1 in Domain 1 and specify primary and
secondary interfaces on UPED.
[UPED] rrpp domain 1
[UPED-rrpp-domain-region1] ring 1 node-mode transit primary-port gigabitethernet
[UPED-rrpp-domain-region1] ring 1 enable
[UPED-rrpp-domain-region1] quit
# Configure UPED as a transit node of Ring 1 in Domain 2 and specify primary and


Step 5 Enable RRPP.
[CE1] rrpp enable
Step 6 Set the LinkUp timer.
# Set the LinkUp timer to 1 second. CE1 is used as an example. The configurations on CE2
and PEAGG are the same as that of CE1 and not mentioned here. For details, see the
configuration files.
[CE1] rrpp linkup-delay-timer 1
following commands to verify the configuration. UPEB and PEAGG are used as examples.
# Run the display rrpp brief command on UPEB. The command output is as follows:
[UPEB] display rrpp brief

Domain Index : 1

----------------------------------------------------------------------------
Domain Index : 2

----------------------------------------------------------------------------
The command output shows that RRPP is enabled on UPEB.
In Domain 1:

The major control VLAN is VLAN 5, and the protected VLANs are the VLANs mapped to
Instance 1.
UPEB is a transit node on Ring 1. GigabitEthernet1/0/0 is the primary interface and GE2/0/0
is the secondary interface.
UPEB is an edge transit node on Ring 2. The edge interface is GigabitEthernet3/0/0.
In Domain 2:
Instance 2.
UPEB is a transit node on Ring 1. GigabitEthernet1/0/0 is the primary interface and
[PEAGG]display rrpp brief

Domain Index : 1

----------------------------------------------------------------------------
Domain Index : 2

----------------------------------------------------------------------------
The command output shows that RRPP is enabled on PEAGG, and the LinkUp timer is 1
second.
to Instance 1, and the master node on Ring 1 is PEAGG. GigabitEthernet1/0/0 is the primary
mapped to Instance 2, and the master node on Ring 1 is PEAGG. GigabitEthernet2/0/0 is the
primary interface and GigabitEthernet1/0/0 is the secondary interface.
Run the display rrpp verbose domain command on UPEB. The command output is as
follows:

# Check detailed information about UPEB in Domain 1.

[UPEB] display rrpp verbose domain 1
Domain Index : 1
RRPP Ring : 1
Ring Level : 0
Node Mode : Transit
Ring State : LinkUp
RRPP Ring :
2
Ring Level :
1
Node Mode :
Edge Transit
Ring State :
LinkUp
Is Enabled :
Enable Is Active: Yes
Primary port :
RRPP Ring :
3
Ring Level :
1
Node Mode :
Edge Transit
Ring State :
LinkUp
Is Enabled :
Primary port :
UPEB is a transit node on Ring 1 in Domain 1 and is in LinkUp state.
UPEB is a transit node on Ring 2 in Domain 1 and is in LinkUp state. GE3/0/0 is the edge
interface.
UPEB is an edge transit node of Ring 3 in Domain 1 and is in LinkUp state. GE3/0/1 is the
edge interface.

Domain Index : 2
RRPP Ring : 1
Ring Level : 0
Node Mode : Transit
Ring State : LinkUp
RRPP Ring : 2
Ring Level : 1
Ring State : LinkUp


RRPP Ring :
3
Ring Level :
1
Node Mode :
Edge Transit
Ring State :
LinkUp
Is Enabled :
Primary port :
edge interface.
edge interface.
Run the display rrpp verbose domain command on PEAGG. The command output is as
follows:

Domain Index : 1
RRPP Ring : 1
Ring Level : 0
Node Mode : Master
GigabitEthernet1/0/0 is the primary interface and GigabitEthernet2/0/0 is the secondary

interface.

Domain Index : 2
RRPP Ring : 1
Ring Level : 0
Node Mode : Master

GigabitEthernet2/0/0 is the primary interface and GigabitEthernet1/0/0 is the secondary
interface.
----End
Configuration Files
#
sysname CE1
#
#
rrpp enable
rrpp linkup-delay-timer 1
#
#
rrpp domain 1
control-vlan 5
ring 2 enable
rrpp domain 2
control-vlan 10
ring 2 enable
#
port trunk allow-pass vlan 6 11 100 to 300
stp disable
#
stp disable
#
return

#
sysname CE2
#
#
rrpp enable
#

#
rrpp domain 1
control-vlan 5
ring 3 enable
rrpp domain 2
control-vlan 10
ring 3 enable
#
stp disable
#
stp disable
#
return
#
sysname UPEA
#
#
rrpp enable
#
#
rrpp domain 1
control-vlan 5
ring 1 enable
rrpp domain 2
control-vlan 10
ring 1 enable
#
stp disable
#
stp disable

#
return
#
sysname UPEB
#
#
rrpp enable
#
#
rrpp domain 1
control-vlan 5
ring 1 enable
ring 2 enable
ring 3 enable
rrpp domain 2
control-vlan 10
ring 1 enable
ring 2 enable
ring 3 enable
#
stp disable
#
stp disable
#
stp disable
#
stp disable
#
return
#
sysname UPEC
#
#

rrpp enable
#
#
rrpp domain 1
control-vlan 5
ring 1 enable
ring 2 enable
ring 3 enable
rrpp domain 2
control-vlan 10
ring 1 enable
ring 2 enable
ring 3 enable
#
stp disable
#
stp disable
#
stp disable
#
stp disable
#
return
l UPED configuration file
#
sysname UPED
#
#
rrpp enable
#
#
rrpp domain 1

control-vlan 5
ring 1 enable
rrpp domain 2
control-vlan 10
ring 1 enable
#
stp disable
#
stp disable
#
return

#
sysname PEAGG
#
#
rrpp enable
#
#
rrpp domain 1
control-vlan 5
ring 1 enable
rrpp domain 2
control-vlan 10
ring 1 enable
#
stp disable
#
stp disable
#
return

18.9.7 Example for Configuring Intersecting RRPP Rings with

Multiple Instances (RRPP Defined by Huawei)
efficiency and implementing load balancing. All the devices on the network are Huawei
devices; therefore, the RRPP version defined by Huawei is used.
Figure 18-41 Networking diagram of intersecting RRPP rings with multiple instances
Backbone
network
GE1/0/0 GE2/0/0
PEAGG
Master 1
GE2/0/0 Master 2 GE1/0/0
UPEA Domain 1 ring 1 UPED
GE1/0/0 Domain 2 ring 1 GE2/0/0
GE2/0/0 Edge Transit Edge Transit

GE1/0/0
UPEB GE1/0/0 UPEC
GE2/0/0
GE3/0/0 GE3/0/1
GE3/0/1 GE3/0/0

GE1/0/0 GE2/0/0
Master 1 Master 1
Master 2 GE2/0/0 GE1/0/0 Master 2
CE1 Domain 1 ring 2 Domain 1 ring 3
CE2
VLAN 100-300 VLAN 100-300
Domain 1
Domain 2
Domain 2.

Domain ID Control VLAN ID Data VLAN ID Instance ID
each master node.
Ring ID Master Node Primary Port Secondary Port Ring Type

Domain 1

Domain 2
Ring 2 in CE1 GE1/0/0 GE2/0/0 Sub ring

Domain 1

Domain 2

Domain 1

Domain 2
Table 18-13 shows the edge nodes, assistant edge nodes, common interface, and edge
interfaces of the sub-rings.
Table 18-13 Edge nodes, assistant edge nodes, common interface, and edge interfaces of the
sub-rings
Ring Edge Common Edge Edge-Assistant Common Edge

ID Node Port Port Node Port Port
Ring 2 UPEB GE1/0/0 GE3/0/0 UPEC GE2/0/0 GE3/0/0

in
Domain
1

in
Domain
1

Ring Edge Common Edge Edge-Assistant Common Edge

ID Node Port Port Node Port Port

in
Domain
2

in
Domain
2
2. Map the VLANs that need to pass through Domain 1 to Instance 1, including data
Map the VLANs that need to pass through Domain 2 to Instance 2, including data
4. Configure the devices to use the RRPP version defined by Huawei.
a. Add UPEA, UPEB, UPEC, UPED, and PEAGG to Ring 1 in Domain 1 and Ring 1
in Domain 2.
b. Add CE1, UPEB, and UPEC to Ring 2 in Domain 1 and Ring 2 in Domain 2.
c. Add CE2, UPEB, and UPEC to Ring 3 in Domain 1 and Ring 3 in Domain 2.
d. Configure PEAGG as the master node and configure UPEA, UPEB, UPEC, and
UPED as transit nodes on Ring 1 in Domain 1 and Ring 1 in Domain 2.
e. Configure CE1 as the master node, UPEB as an edge node, and UPEC as an
assistant edge node on Ring 2 in Domain 1 and Ring 2 in Domain 2.
f. Configure CE2 as the master node, UPEB as an edge node, and UPEC as an
assistant edge node on Ring 3 in Domain 1 and Ring 3 in Domain 2.
6. To prevent topology flapping, set the LinkUp timer on the master nodes.
7. To reduce the Edge-Hello packets sent on the major ring and increase available
bandwidth, add the four sub-rings to a ring group.
Procedure
interface.


[CE1] vlan batch 100 to 300
Step 3 Create RRPP domains and configure protected VLANs and control VLANs.
[CE1] rrpp domain 1
[CE1] rrpp domain 2


# Configure UPEB as an edge node on Ring 2 in Domain 1, with GE1/0/0 as the common
interface and GE3/0/0 as the edge interface.
[UPEB-rrpp-domain-region1] ring 2 node-mode edge common-port gigabitethernet


# Configure UPEC as an assistant edge node on Ring 2 in Domain 1, with GE2/0/0 as the
common interface and GE3/0/0 as the edge interface.
[UPEC-rrpp-domain-region1] ring 2 node-mode assistant-edge common-port

# Configure CE1 as the master node on Ring 2 in Domain 1, with GE1/0/0 as the primary
[CE1] rrpp domain 1
[CE1] rrpp domain 2
[CE2] rrpp domain 1
[CE2] rrpp domain 2
Step 5 Configure the devices to use the default RRPP version defined by Huawei.
the same as that of CE1 and not mentioned here.
[CE1] rrpp working-mode hw
Step 6 Enable RRPP.

[CE1] rrpp enable
Step 7 Configure ring groups.

# Create ring group 1 on UPEC, which consists of four sub-rings: Ring 2 in Domain 1, Ring 3
[UPEC] rrpp ring-group 1
[UPEC-rrpp-ring-group1] domain 1 ring 2 to 3
[UPEC-rrpp-ring-group1] domain 2 ring 2 to 3
[UPEC-rrpp-ring-group1] quit
# Create ring group 1 on UPEB, which consists of four sub-rings: Ring 2 in Domain 1, Ring 3
[UPEB] rrpp ring-group 1
[UPEB-rrpp-ring-group1] domain 1 ring 2 to 3
[UPEB-rrpp-ring-group1] domain 2 ring 2 to 3
[UPEB-rrpp-ring-group1] quit

Step 8 Set the LinkUp timer.

# Set the LinkUp timer to 1 second. CE1 is used as an example. The configurations on CE2
and PEAGG are the same as that of CE1 and not mentioned here. For details, see the
configuration files.
[CE1] rrpp linkup-delay-timer 1

perform the following operations to verify the configuration. UPEB and PEAGG are used as
examples.
# Run the display rrpp brief command on UPEB. The command output is as follows:
[UPEB] display rrpp brief

Domain Index : 1

----------------------------------------------------------------------------
Domain Index : 2

----------------------------------------------------------------------------
The command output shows that RRPP is enabled on UPEB.

In Domain 1:
The major control VLAN is VLAN 5 and the protected VLANs are the VLANs mapped to
Instance 1.
UPEB is a transit node on Ring 1. The primary interface is GE1/0/0 and the secondary
interface is GE2/0/0.
On Ring 2, UPEB is the edge node. GE1/0/0 is the common interface and GE3/0/0 is the edge
interface.
interface.
In Domain 2:

Instance 2.
UPEB is a transit node on Ring 1. The primary interface is GE1/0/0 and the secondary
interface is GE2/0/0.
interface.
interface.
[PEAGG] display rrpp brief

Domain Index : 1

----------------------------------------------------------------------------
Domain Index : 2

----------------------------------------------------------------------------
The command output shows that RRPP is enabled on PEAGG, and the LinkUp timer is 2
seconds.
to Instance 1, and the master node on Ring 1 is PEAGG. The primary interface is GE1/0/0
and the secondary interface is GE2/0/0.
mapped to Instance 2, and the master node on Ring 1 is PEAGG. The primary interface is
GE2/0/0 and the secondary interface is GE1/0/0.
Run the display rrpp verbose domain command on UPEB. The command output is as
follows:
Domain Index : 1
RRPP Ring : 1

Ring Level : 0
Node Mode : Transit
Ring State : LinkUp
RRPP Ring : 2
Ring Level : 1
Node Mode : Edge
Ring State : LinkUp
RRPP Ring : 3
Ring Level : 1
Node Mode : Edge
Ring State : LinkUp
UPEB is the edge node on Ring 2 in Domain 1 and is in LinkUp state. GE1/0/0 is the
common interface and GE3/0/0 is the edge interface.
Domain Index : 2
RRPP Ring : 1
Ring Level : 0
Node Mode : Transit
Ring State : LinkUp
RRPP Ring : 2
Ring Level : 1
Node Mode : Edge
Ring State : LinkUp
RRPP Ring : 3
Ring Level : 1
Node Mode : Edge
Ring State : LinkUp
You can find that, in Domain 2, the control VLAN is VLAN 10, and the protected VLAN is
the VLAN mapped to Instance 2.

Run the display rrpp verbose domain 1 command on PEAGG. The command output is as
follows:

Domain Index : 1
RRPP Ring : 1
Ring Level : 0
Node Mode : Master
GE1/0/0 is the primary interface and GE2/0/0 is the secondary interface.

Domain Index : 2
RRPP Ring : 1
Ring Level : 0
Node Mode : Master
GE2/0/0 is the primary interface and GE1/0/0 is the secondary interface.
Run the display rrpp ring-group command on UPEB to check the configuration of the ring
group.
# Check the configuration of ring group 1.

[UPEB] display rrpp ring-group 1
Ring Group 1:
domain 1 ring 2 to 3

domain 1 ring 2 send Edge-Hello packet
----End
Configuration Files
#
sysname CE1
#
#
rrpp enable
#
#
rrpp domain 1
control-vlan 5
ring 2 enable
rrpp domain 2
control-vlan 10
ring 2 enable
#
stp disable
#
stp disable
#
return

#
sysname CE2
#
#
rrpp enable
#
#
rrpp domain 1
control-vlan 5
ring 3 enable

rrpp domain 2
control-vlan 10
ring 3 enable
#
stp disable
#
stp disable
#
return
#
sysname UPEA
#
#
rrpp enable
#
#
rrpp domain 1
control-vlan 5
ring 1 enable
rrpp domain 2
control-vlan 10
ring 1 enable
#
stp disable
#
stp disable
#
return
#
sysname UPEB
#
#
rrpp enable
#


#
rrpp domain 1
control-vlan 5
ring 1 enable
ring 2 enable
ring 3 enable
rrpp domain 2
control-vlan 10
ring 1 enable
ring 2 enable
ring 3 enable
#
rrpp ring-group 1
#
stp disable
#
stp disable
#
stp disable
#
stp disable
#
return
#
sysname UPEC
#
#
rrpp enable
#

#
rrpp domain 1
control-vlan 5
ring 1 enable
ring 2 enable
ring 3 enable
rrpp domain 2
control-vlan 10
ring 1 enable
ring 2 enable
ring 3 enable
#
rrpp ring-group 1
#
stp disable
#
stp disable
#
stp disable
#
stp disable
#
return
#
sysname UPED
#
#
rrpp enable
#
#

rrpp domain 1
control-vlan 5
ring 1 enable
rrpp domain 2
control-vlan 10
ring 1 enable
#
stp disable
#
stp disable
#
return

#
sysname PEAGG
#
#
rrpp enable
#
#
rrpp domain 1
control-vlan 5
ring 1 enable
rrpp domain 2
control-vlan 10
ring 1 enable
#
stp disable
#
stp disable
#
return

18.9.8 Example for Configuring Tangent RRPP Rings with

Multiple Instances
efficiency and implementing load balancing.
Figure 18-42 Networking diagram of tangent RRPP rings with multiple instances
UPEB UPEE
GE1/0/0 GE2/0/0
GE1/0/0 GE2/0/0
Domain 1 ring 1
CE GE2/0/0 GE1/0/0
GE1/0/1 GE1/0/0 UPEF
Master 1
UPEA
Master 2 UPED Master 3
VLAN 100-300 GE1/0/0 GE2/0/0 GE2/0/1 GE2/0/0
GE2/0/0 GE1/0/0 GE2/0/0 GE1/0/0
UPEC UPEG
domain 1
domain 2
domain 3
Table 18-14 shows the mapping between protected VLANs and instances in Domain 1,
Domain 2, and Domain 3.
Domain ID Control VLAN Data VLAN Instance ID
Domain 3 (on VLANs 20 and 21 VLANs 100 to 300 Instance 1, Instance

UPED) 2, and Instance 3
Domain 3 (on VLANs 20 and 21 VLANs 100 to 300 Instance 1

UPEE, UPEF,
and UPEG)
Table 18-15 shows the master node on each ring, and its primary and secondary interfaces.

Ring ID Master Node Primary Port Secondary Port
Ring 1 in Domain 1 UPED GE1/0/0 GE2/0/0
Ring 1 in Domain 2 UPED GE2/0/0 GE1/0/0
Ring 1 in Domain 3 UPEF GE1/0/0 GE2/0/0
2. Map the VLANs that need to pass through the domain to the instance.
a. Add UPEA, UPEB, UPEC, and UPED to Ring 1 in Domain 1 and Ring 1 in
Domain 2.
b. Add UPED, UPEE, UPEF, and UPEG to Ring 1 in Domain 3.
c. Configure UPED as the master node and configure UPEA, UPEB, and UPEC as
transit nodes on Ring 1 in Domain 1 and Ring 1 in Domain 2.
d. Configure UPEF as the master node and configure UPED, UPEE, and UPEG as
transit nodes on Ring 1 in Domain 3.
Procedure
interface.
# Configure UPEA. The configurations on UPEB, UPEC, UPED, UPEE, UPEF, and UPEG
are the same as that of UPEA and not mentioned here. For details, see the configuration files.
[HUAWEI] sysname UPEA
[UPEA] stp region-configuration
[UPEA-mst-region] active region-configuration
[UPEA-mst-region] quit

[UPEA] vlan batch 100 to 300

Step 3 Create RRPP domains and configure protected VLANs and control VLANs.
are similar to that on UPEA and not mentioned here. For details, see the configuration files.


# Configure UPED as the master node on Ring 1 in Domain 1 and specify GE1/0/0 as the
primary interface and GE2/0/0 as the secondary interface on UPED.
[UPED-rrpp-domain-region1] ring 1 node-mode master primary-port gigabitethernet
# Configure UPED as the master node on Ring 1 in Domain 2 and specify GE2/0/0 as the
primary interface and GE1/0/0 as the secondary interface on UPED.
[UPED-rrpp-domain-region2] ring 1 node-mode master primary-port gigabitethernet
# Configure UPEE as a transit node on Ring 1 in Domain 3 and specify primary and
secondary interfaces on UPEE.
[UPEE] rrpp domain 3
[UPEE-rrpp-domain-region3] ring 1 node-mode transit primary-port gigabitethernet
[UPEE-rrpp-domain-region3] ring 1 enable
[UPEE-rrpp-domain-region3] quit
# Configure UPEF as the master node on Ring 1 in Domain 3 and specify GE1/0/0 as the
primary interface and GE2/0/0 as the secondary interface on UPEF.
[UPEF] rrpp domain 3

[UPEF-rrpp-domain-region3] ring 1 node-mode master primary-port gigabitethernet
[UPEF-rrpp-domain-region3] ring 1 enable
[UPEF-rrpp-domain-region3] quit
# Configure UPEG as a transit node on Ring 1 in Domain 3 and specify primary and
[UPEG] rrpp domain 3
[UPEG-rrpp-domain-region3] ring 1 node-mode transit primary-port gigabitethernet
[UPEG-rrpp-domain-region3] ring 1 enable
[UPEG-rrpp-domain-region3] quit
Step 5 Enable RRPP.


[UPEA] rrpp enable

perform the following operations to verify the configuration. UPED is used as an example.
# Run the display rrpp brief command on UPED. The command output is as follows:
[UPED] display rrpp brief

Domain Index : 1

----------------------------------------------------------------------------
Domain Index : 2

----------------------------------------------------------------------------
Domain Index : 3
Protected VLAN : Reference Instance 1 to 3

----------------------------------------------------------------------------
The command output shows that RRPP is enabled on UPED.

In Domain 1:
Instance 1.
UPED is the master node on Ring 1. GigabitEthernet1/0/0 is the primary interface and
In Domain 2:
Instance 2.
UPED is the master node on Ring 1. GigabitEthernet2/0/0 is the primary interface and
In Domain 3:

instances 1 to 3.
UPED is a transit node on Ring 1. GigabitEthernet1/0/1 is the primary interface and
Run the display rrpp verbose domain command on UPED. The command output is as
follows:
# Check detailed information about UPED in Domain 1.
[UPED] display rrpp verbose domain 1
Domain Index : 1
RRPP Ring : 1
Ring Level : 0
Node Mode : Master
UPED is the master node in Domain 1 and is in Complete state.
Domain Index : 2
RRPP Ring : 1
Ring Level : 0
Node Mode : Master
UPED is the master node in Domain 2 and is in Complete state.
Domain Index : 3
Protected VLAN : Reference Instance 1 to 3
RRPP Ring : 1

Ring Level : 0
Node Mode : Transit
Ring State : LinkUp
The command output shows that, in Domain 3, the control VLAN is VLAN 20 and the
protected VLANs are the VLANs mapped to instances 1 to 3.
UPED is a transit node in Domain 3 and is in LinkUp state.
----End
Configuration Files
#
sysname UPEA
#
#
rrpp enable
#
#
rrpp domain 1
control-vlan 5
ring 1 enable
rrpp domain 2
control-vlan 10
ring 1 enable
#
stp disable
#
stp disable
#
return

#
sysname UPEB
#
#
rrpp enable
#

#
rrpp domain 1
control-vlan 5
ring 1 enable
rrpp domain 2
control-vlan 10
ring 1 enable
#
stp disable
#
stp disable
#
return

#
sysname UPEC
#
#
rrpp enable
#
#
rrpp domain 1
control-vlan 5
ring 1 enable
rrpp domain 2
control-vlan 10
ring 1 enable
#
stp disable
#
stp disable

#
return
#
sysname UPED
#
vlan batch 5 to 6 10 to 11 20 to 21 100 to 300
#
rrpp enable
#
#
rrpp domain 1
control-vlan 5
ring 1 enable
rrpp domain 2
control-vlan 10
ring 1 enable
rrpp domain 3
control-vlan 20
protected-vlan reference-instance 1 to 3
ring 1 enable
#
stp disable
#
stp disable
#
stp disable
#
stp disable
#
return
l UPEE configuration file
#
sysname UPEE
#
#
rrpp enable
#

#
rrpp domain 3
control-vlan 20
ring 1 enable
#
stp disable
#
stp disable
#
return
l UPEF configuration file
#
sysname UPEF
#
#
rrpp enable
#
#
rrpp domain 3
control-vlan 20
ring 1 enable
#
stp disable
#
stp disable
#
return
l UPEG configuration file
#
sysname UPEG
#
#
rrpp enable
#
#

rrpp domain 3
control-vlan 20
ring 1 enable
#
stp disable
#
stp disable
#
return
18.10.1 A Loop Occurs After the RRPP Configuration is Complete
Fault Description
After the RRPP configuration is complete, a loop occurs.
This fault is commonly caused by one of the following:
l RRPP is incorrectly configured.
l The values of the Fail timers are set different on the devices of the ring.
Procedure
Step 1 Check whether nodes are correctly configured on the RRPP ring.
Run the display this command in the RRPP domain view on nodes of the ring to check RRPP
configurations.
Check whether nodes on the RRPP ring are located in the same domain, whether the control
VLAN map the instance, and whether only one master node exists on the RRPP ring.
l If a fault occurs in the preceding configurations, see 18 RRPP Configuration in the
S7700&S9700 Series Switches Configuration Guide - Reliability Configuration.
l If the preceding configurations are correct, go to step 2.
Step 2 Check whether the values of Fail timers are set the same on nodes of the RRPP ring.
Run the display rrpp verbose domain domain-id command in any view to check detailed
information about the RRPP configuration.
If the values of the Fail timer are set different on nodes of the RRPP ring, see 18 RRPP
Configuration in the S7700&S9700 Series Switches Configuration Guide - Reliability
Configuration.
----End

18.10.2 After the Primary Port of a Transit Node on an RRPP Ring

Network Becomes Down and Then Recovers, the Transit Node
and Other Transit Nodes Cannot Register With the Master Node
Fault Symptom
After the primary port of a transit node on an RRPP ring network becomes down and then
recovers, the transit node and other transit nodes cannot register with the master node.
Procedure
Step 1 Check the master node on the RRPP ring.
Run the display rrpp verbose domaindomain-id [ ringring-id ] command in any view on
each node on an RRPP ring to view the role of each node.
If the value of Node Mode is Master, the node is the master node.
Then go to step 2.
Step 2 Check whether MAC address entries and ARP entries of the master node are updated.
Run the display mac-address and display arp all commands in any view of the master node
on an RRPP ring to check the MAC address table and ARP table on the master node. Check
whether there are MAC address entries and ARP entries of transit nodes that cannot register.
l If there are no MAC address entries and ARP entries of transit nodes that cannot register,
MAC address entries and ARP entries of the master node are not updated. Go to step 3.
l If there are MAC address entries and ARP entries of transit nodes that cannot register, go
to step 4.
Step 3 Check whether nodes on an RRPP ring use the same working mode.
Run the display rrpp brief [ domaindomain-id ] command in any view to view the RRPP
configuration.
Check whether the configuration contains the rrpp working-mode gb command. If the rrpp
working-mode gb command has been executed on a node, the node uses the RRPP standard
version. If the rrpp working-mode gb command is not executed on a node, the node uses
Huawei proprietary version.
l If the master node and other transit nodes use different working modes, run the undo
rrpp enable command in the system view of the chassis switch to disable RRPP and
deactivate all RRPP rings. Then run the rrpp working-mode { hw | gb} command to
change the working mode of each node to be the same.
l If the master node and other transit nodes use the same working mode, go to step 4.
Step 4 Collect alarms, logs, and location information, and then contact Huawei technical support
personnel.
----End
18.11 FAQ

18.11.1 What Should Be Noted When Configuring RRPP?

l Limited by hardware specifications, the Rapid Ring Protection Protocol (RRPP) can use
a maximum of 96 ACL rules on a 24-port board and 144 ACL rules on a 48-port board.
When multiple RRPP rings are configured, allocate ACL rules properly.
l RRPP and the Multi-Spanning Tree Protocol (MSTP) cannot be enabled on the same
interface. Before creating an RRPP ring, disable STP on the interfaces to be added to the
RRPP ring.
l The RRPP convergence speed depends on the number of domains and rings. The
convergence speed is high when the number of domains and rings is small.
18.11.2 Can RRPP and VRRP Be Used Together on a Switch?

RRPP and VRRP can be configured simultaneously on an switch.
18.11.3 Can Data Packets Be Blocked in the Control VLAN of

RRPP?
Data packets are not blocked in the control VLAN though the control VLAN is configured in
the instance.
18.12 References
RRPP is a Huawei proprietary protocol.

Configuration Guide - Ethernet Switching 19 ERPS (G.8032) Configuration
19 ERPS (G.8032) Configuration
About This Chapter
This chapter describes how to configure the Ethernet Ring Protection Switching (ERPS).
ERPS is a protocol defined by the International Telecommunication Union -
Telecommunication Standardization Sector (ITU-T) to eliminate loops at Layer 2. It
implements convergence of carrier-class reliability standards, and allows all ERPS-capable
devices on a ring network to communicate.
19.1 Introduction to ERPS

19.2 Principles
19.7 Configuring ERPS
19.8 Maintaining ERPS
19.11 References

19.1 Introduction to ERPS
Definition
ERPS is a protocol defined by the International Telecommunication Union -
Telecommunication Standardization Sector (ITU-T) to eliminate loops at Layer 2. Because
the standard number is ITU-T G.8032/Y1344, ERPS is also called G.8032. ERPS defines
Ring Auto Protection Switching (RAPS) Protocol Data Units (PDUs) and protection
switching mechanisms.
ERPS has two versions: ERPSv1 released by ITU-T in June 2008 and ERPSv2 released in
August 2010. EPRSv2, fully compatible with ERPSv1, provides the following enhanced
functions:
l Multi-ring topologies, such as intersecting rings
l RAPS PDU transmission on virtual channels (VCs) and non-virtual-channels (NVCs) in
sub-rings
l Forced Switch (FS) and Manual Switch (MS)
l Revertive and non-revertive switching
Purpose
Generally, redundant links are used on an Ethernet switching network such as a ring network
to provide link backup and enhance network reliability. The use of redundant links, however,
may produce loops, causing broadcast storms and rendering the MAC address table unstable.
As a result, communication quality deteriorates, and communication services may even be
interrupted. Table 19-1 describes ring network protocols supported by devices.
Table 19-1 Ring network protocols supported by devices
Ring Network Advantage Disadvantage

Protocol
RRPP Provides fast convergence and l Supports only level-1 sub-

carrier-class reliability. ring in ring networking.
l Is a Huawei proprietary
protocol that cannot be used
for communication between
Huawei and non-Huawei
devices.
STP/RSTP/MSTP l Applies to all Layer 2 Provides low convergence on a

networks. large network, which cannot
l Is a standard IEEE protocol meet the carrier-class reliability
that allows Huawei devices requirement.
to communicate with non-
Huawei devices.

Ring Network Advantage Disadvantage

Protocol
SEP l Applies to all Layer 2 Is a Huawei proprietary

networks. protocol that cannot be used for
l Provides fast convergence communication between
and carrier-class reliability. Huawei and non-Huawei
devices.
l Displays the topology of an
entire ring, facilitating fault
location and device
maintenance.
ERPS l Provides fast convergence Requires the network topology

and carrier-class reliability. to be planned in advance. The
l Is a standard ITU-T configuration is complex.
protocol that allows Huawei
devices to communicate
with non-Huawei devices.
l Supports single-ring and
multi-ring topologies in
ERPSv2.
Ethernet networks demand faster protection switching. STP does not meet the requirement for
fast convergence. RRPP and SEP are Huawei proprietary ring protocols, which cannot be
used for communication between Huawei and non-Huawei devices on a ring network.
ERPS, a standard ITU-T protocol, prevent loops on ring networks. It optimizes detection and
performs fast convergence. ERPS allows all ERPS-capable devices on a ring network to
communicate.
Benefits
l Prevents broadcast storms and implements fast traffic switchover on a network where
there are loops.
l Provides fast convergence and carrier-class reliability.
l Allows all ERPS-capable devices on a ring network to communicate.
19.2 Principles
19.2.1 Basic ERPS Concepts

ERPS eliminates loops at the link layer of an Ethernet network. ERPS works for ERPS rings.
There are several nodes in an ERPS ring. ERPS blocks the RPL owner port and controls
common ports to switch the port status between Forwarding and Discarding and eliminate
loops. ERPS uses the control VLAN, data VLAN, and Ethernet Ring Protection (ERP)
instance.
On the network shown in Figure 19-1, SwitchA through SwitchD constitute a ring and are
dual-homed to the upstream network. This access mode will cause a loop on the entire

network. To eliminate redundant links and ensure link connectivity, ERPS is used to prevent
loops.
Figure 19-1 ERPS single-ring networking
Network
Router1 Router2
SwitchA SwitchD
ERPS
RPL SwitchC
SwitchB
User
network
RPL owner
RPL neighbour
ERPS can be deployed on the network shown in Figure 19-1.
ERPS Ring
An ERPS ring consists of interconnected Layer 2 switching devices configured with the same
control VLAN.
An ERPS ring can be a major ring or a sub-ring. By default, an ERPS ring is a major ring.
The major ring is a closed ring, whereas a sub-ring is a non-closed ring. The major ring and
sub-ring are configured using commands. On the network shown in Figure 19-2, SwitchA
through SwitchD constitute a major ring, and SwitchC through SwitchF constitute a sub-ring.
Only ERPSv2 supports sub-rings.

Figure 19-2 ERPS major ring and sub-ring networking

SwitchC
SwitchA SwitchE
Major Ring Sub-Ring
SwitchB SwitchF
SwitchD
Node
A node refers to a Layer 2 switching device added to an ERPS ring. A maximum of two ports
on each node can be added to the same ERPS ring. SwitchA through SwitchD in Figure 19-2
are nodes in an ERPS major ring.
Port Role
ERPS defines three port roles: RPL owner port, RPL neighbor port (only in ERPSv2), and
common port.
l RPL owner port
An RPL owner port is responsible for blocking traffic over the Ring Protection Link
(RPL) to prevent loops. An ERPS ring has only one RPL owner port.
When the node on which the RPL owner port resides receives an RAPS PDU indicating
a link or node fault in an ERPS ring, the node unblocks the RPL owner port. Then the
RPL owner port can send and receive traffic to ensure nonstop traffic forwarding.
The link where the RPL owner port resides is the RPL.
l RPL neighbor port
An RPL neighbor port is directly connected to an RPL owner port.
Both the RPL owner port and RPL neighbor ports are blocked in normal situations to
prevent loops.
If an ERPS ring fails, both the RPL owner and neighbor ports are unblocked.
The RPL neighbor port helps reduce the number of FDB entry updates on the device
where the RPL neighbor port resides.
l Common port
Common ports are ring ports other than the RPL owner and neighbor ports.
A common port monitors the status of the directly connected ERPS link and sends RAPS
PDUs to notify the other ports of its link status changes.
Port Status
On an ERPS ring, an ERPS-enabled port has two statuses:
l Forwarding: forwards user traffic and sends and receives RAPS PDUs.
l Discarding: only sends and receives RAPS PDUs.

Control VLAN
A control VLAN is configured in an ERPS ring to transmit RAPS PDUs.
Each ERPS ring must be configured with a control VLAN. After a port is added to an ERPS
ring configured with a control VLAN, the port is added to the control VLAN automatically.
Different ERPS rings must use different control VLANs.
Data VLAN
Unlike control VLANs, data VLANs are used to transmit data packets.
ERP Instance
On a Layer 2 device running ERPS, the VLAN in which RAPS PDUs and data packets are
transmitted must be mapped to an Ethernet Ring Protection (ERP) instance so that ERPS
forwards or blocks the packets based on configured rules. If the mapping is not configured,
the preceding packets may cause broadcast storms on the ring network. As a result, the
network becomes unavailable.
Timer
ERPS defines four timers: Guard timer, WTR timer, Holdoff timer, and WTB timer (only in
ERPSv2).
l Guard timer
After a faulty link or node recovers or a clear operation is executed, the device sends
RAPS No Request (NR) messages to inform the other nodes of the link or node recovery
and starts the Guard timer. Before the Guard timer expires, the device does not process
any RAPS (NR) messages to avoid receiving out-of-date RAPS (NR) messages. After
the Guard timer expires, if the device still receives an RAPS (NR) message, the local
port enters the Forwarding state.
l WTR timer
If an RPL owner port is unblocked due to a link or node fault, the involved port may not
go Up immediately after the link or node recovers. Blocking the RPL owner port may
cause network flapping. To prevent this problem, the node where the RPL owner port
resides starts the wait to restore (WTR) timer after receiving an RAPS (NR) message. If
the node receives an RAPS Signal Fail (SF) message before the timer expires, it
terminates the WTR timer. If the node does not receive any RAPS (SF) message before
the timer expires, it blocks the RPL owner port when the timer expires and sends an
RAPS (no request, root blocked) message. After receiving this RAPS (NR, RB)
message, the nodes set their recovered ports on the ring to the Forwarding state.
l Holdoff timer
On Layer 2 networks running EPRS, there may be different requirements for protection
switching. For example, on a network where multi-layer services are provided, after a
server fails, users may require a period of time to rectify the server fault so that clients do
not detect the fault. You can set the Holdoff timer. If the fault occurs, the fault is not
immediately sent to ERPS until the Holdoff timer expires.
l WTB timer
The wait to block (WTB) timer starts when Forced Switch (FS) or Manual Switch (MS)
is performed. Because multiple nodes on an ERPS ring may be in FS or MS state, the

clear operation takes effect only after the WTB timer expires. This prevents the RPL
owner port from being blocked immediately.
The WTB timer value cannot be configured. Its value is the Guard timer value plus 5.
The default WTB timer value is 7s.
Revertive and Non-revertive Switching

After link faults in an ERPS ring are rectified, re-blocking the RPL owner port depends on the
switching mode:
l In revertive switching, the RPL owner port is re-blocked after the WTR timer expires,
and the RPL is blocked.
l In non-revertive switching, the WTR timer is not started, and the original faulty link is
still blocked.
ERPS rings use revertive switching by default.
ERPSv1 supports only revertive switching. ERPSv2 supports both revertive and non-revertive
switching.
Port Blocking Modes

Because the Ring Protection Link (RPL) may have high bandwidth, you can block the low-
bandwidth link so that user traffic can be transmitted on the RPL. ERPSv2 supports both
Forced Switch (FS) and Manual Switch (MS) modes for blocking an ERPS port:
l FS: forcibly blocks a port immediately after FS is configured, irrespective of whether
link failures have occurred.
l MS: blocks a port on which MS is configured when the ERPS ring is in Idle or Pending
state.
In addition to FS and MS operations, ERPS also supports the clear operation. The clear
operation has the following functions:
l Clears an existing FS or MS operation.
l Triggers revertive switching before the WTR or WTB timer expires in the case of
revertive switching operations.
l Triggers revertive switching in the case of non-revertive switching operations.
Only ERPSv2 supports port blocking modes.
RAPS PDU Transmission Mode in a Sub-ring

ERPSv2 supports single-ring and multi-ring topologies. In multi-ring topologies, both the
virtual channel (VC) and non-virtual-channel (NVC) can be used to transmit RAPS PDUs in
sub-rings.
l VC: RAPS PDUs in sub-rings are transmitted to the major ring through interconnected
nodes. The RPL owner port of the sub-ring blocks both RAPS PDUs and data traffic.
l NVC: RAPS PDUs in sub-rings are terminated on the interconnected nodes. The RPL
owner port blocks data traffic but not RAPS PDUs in each sub-ring.
On the network shown in Figure 19-3, a major ring is interconnected with two sub-rings. The
sub-ring on the left has a VC, whereas the sub-ring on the right has an NVC.

Figure 19-3 Interconnected rings with a VC or NVC
Major Ring
Sub-Ring Sub-Ring
with virtual without virtual
channel channel
Ethernet Ring Node
Interconnection Node
RPL owner Interface
RAPS Virtual Channel
By default, sub-rings use NVCs to transmit RAPS PDUs, except for the scenario shown in
Figure 19-4.
NOTE
When sub-ring links are incontiguous, VCs must be used.
On the network shown in Figure 19-4, links b and d belong to major rings 1 and 2
respectively; links a and c belong to the sub-ring. As links a and c are incontiguous, they
cannot detect the status change between each other, so VCs must be used for RAPS PDU
transmission.

Figure 19-4 VC networking

a
Sub-Ring
with virtual
channel
b d
Major Major
Ring1 Ring2
c
Ethernet Ring Node
Interconnection Node
RPL owner Interface
RAPS Virtual Channel
Table 19-2 lists the advantages and disadvantages of RAPS PDU transmission modes in sub-
rings with VCs or NVCs.
Table 19-2 Comparison between RAPS PDU transmission modes in a sub-ring with VCs or
NVCs
RAPS Advantage Disadvantage
PDU
Transmis
sion
Mode in
a Sub-
ring
VC Applies to scenarios in which Requires VC resource reservation and

sub-ring links are incontiguous. controls VLAN assignment from adjacent
rings.
NVC Does not need to reserve Is not applicable to scenarios in which sub-
resources or control VLAN ring links are incontiguous.
assignment from adjacent rings.

19.2.2 RAPS PDUs

ERPS protocol packets are called Ring Auto Protection Switching (RAPS) Protocol Data
Units (PDUs), which are transmitted in ERPS rings to convey ERPS ring information. Figure
19-5 shows the RAPS PDU format.
Figure 19-5 RAPS PDU format

1 2 3 4
8 7 6 5 4 3 2 1 8 7 6 5 4 3 2 1 8 7 6 5 4 3 2 1 8 7 6 5 4 3 2 1
1
MEL Version(0) OpCode(R-APS=40) Flags(0) TLV Offset(32)
5
... R-APS Specific Information(32 octets)
...
37
[optional TLV starts here;otherwise End TLV]
last End TLV(0)
Table 19-3 describes the fields in an RAPS PDU.
Table 19-3 Fields in an RAPS PDU

Field Lengt Description
h
MEL 3 bits Identifies the maintenance entity group (MEG) level of the
RAPS PDU.
Version 5 bits l 0x00: ERPSv1

l 0x01: EPRSv2
OpCode 8 bits Indicates an RAPS PDU. The value of this field is 0x28.
Flags 8 bits Is ignored upon RAPS PDU receiving. The value of this field
is 0x00.
TLV Offset 8 bits Indicates that the TLV starts after an offset of 32 bytes. The
value of this field is 0x20.
R-APS Specific 32x8 Is the core field in an RAPS PDU and carries ERPS ring
Information bits information. There are differences between sub-fields in
ERPSv1 and ERPSv2. Figure 19-6 shows the R-APS
Specific Information field format in ERPSv1. Figure 19-7
shows the R-APS Specific Information field format in
ERPSv2.
TLV Not Describes information to be loaded. The end TLV value is

limite 0x00.
d

Figure 19-6 Format of the R-APS Specific Information field in ERPSv1

1 2 3 4
8 7 6 5 4 3 2 1 8 7 6 5 4 3 2 1 8 7 6 5 4 3 2 1 8 7 6 5 4 3 2 1
Request Reserved Status Node ID(6 octets)

/State 1 R D
Status
B N
Reserved
F
(Node ID)
Reserved 2(24 octets)
Figure 19-7 Format of the R-APS Specific Information field in ERPSv2

1 2 3
4
8 7 6 5 4 3 2 1 8 7 6 5 4 3 2 1 8 7 6 5 4 3 2 1 8 7 6 5 4 3 2 1
Request Status Node ID(6 octets)

Sub-code
/State R D B
Status
B N P
Reserved
F R
(Node ID)
Reserved 2(24 octets)
Table 19-4 describes sub-fields in the R-APS Specific Information field.
Table 19-4 Sub-fields in the R-APS Specific Information field
Sub-Field Length Description
Request/ 4 bits Indicates that this RAPS PDU is a request or state PDU. The
State value can be:
l 1101: forced switch (FS)
l 1110: Event
l 1011: signal failed (SF)
l 0111: manual switch (MS)
l 0000: no request (NR)
l Others: reserved
Reserved 1 4 bits Reserved 1 is used in ERPSv1 for message reply or protection

identifier.
Sub-code is used in ERPSv2. The value depends on the
Request/State field value:

Sub-Field Length Description
Sub-code l If the Request/State field value is 1110, the Sub-code value

is 0000, indicating FDB entry update.
l If the Request/State field value is any other value than
1110, the Sub-code value is 0000 and ignored upon RAPS
PDU receiving.
Status 8 bits Includes the following status information:

l RPL Blocked (RB) (1 bit): The value 1 indicates that the
RPL owner port is blocked; the value 0 indicates that the
RPL owner port is unblocked. The nodes where the RPL
owner port is not configured set this sub-field to 0 in
outgoing RAPS PDUs.
l Do Not Flush (DNF) (1 bit): The value 1 indicates that
FDB entries are not updated when RAPS PDU are
received; the value 0 indicates that FDB entries may be
updated when RAPS PDU are received.
l Blocked port reference (BPR) (1 bit): The value 0 indicates
that ring link 0 is blocked; The value 1 indicates that ring
link 1 is blocked.
BPR is valid only in ERPSv2.
l Status Reserved: This sub-field is reserved. This sub-field
is all 0s during RAPS PDU transmission, and is ignored
upon RAPS PDU receiving. In ERPSv1, this sub-field has
6 bits. In ERPSv2, this sub-field has 5 bits.
Node ID 6 x 8 bits Identifies the MAC address of a node in an ERPS ring. It is

informational and does not affect protection switching in the
ERPS ring.
Reserved 2 24 x 8 bits Is reserved and ignored upon RAPS PDU receiving. The value
is all 0 during RAPS PDU transmission.
19.2.3 ERPS Single-ring Principles

ERPS is a standard ring protocol used to prevent loops in ERPS rings at the Ethernet link
layer. A maximum of two ports on each Layer 2 switching device can be added to the same
ERPS ring.
To prevent loops in an ERPS ring, you can enable a loop-breaking mechanism to block the
Ring Protection Link (RPL) owner port to eliminate loops. If a link on the ring network fails,
the ERPS-enabled device immediately unblocks the blocked port and performs link switching
to restore communication between nodes on the ring network.
This section describes how ERPS is implemented on a single-ring network when links are
normal, when a link fails, and when the link recovers (including protection switching
operations).

Links Are Normal

On the network shown in Figure 19-8, SwitchA through SwitchE constitute a ring network,
and they can communicate with each other.
1. To prevent loops, ERPS blocks the RPL owner port and also the RPL neighbor port (if
any is configured). All other ports can transmit service traffic.
2. The RPL owner port sends RAPS (NRRB) messages to all other nodes in the ring at an
interval of 5s, indicating that ERPS links are normal.
Figure 19-8 ERPS single-ring networking (links are normal)
Network
Router1 Router2
SwitchA SwitchE
ERPS
SwitchB RPL SwitchD
RPL owner SwitchC
User
network
Blocked Interface
Data Flow
A Link Fails
As shown in Figure 19-9, if the link between SwitchD and SwitchE fails, the ERPS
protection switching mechanism is triggered. The ports on both ends of the faulty link are
blocked, and the RPL owner port and RPL neighbor port are unblocked to send and receive
traffic. This mechanism ensures nonstop traffic transmission. The process is as follows:
1. After SwitchD and SwitchE detect the link fault, they block their ports on the faulty link
and update Filtering Database (FDB) entries.

2. SwitchD and SwitchE send three consecutive RAPS Signal Fail (SF) messages to the
other LSWs and send one RAPS (SF) message at an interval of 5s afterwards.
3. After receiving an RAPS (SF) message, the other LSWs update their FDB entries.
SwitchC on which the RPL owner port resides and SwitchB on which the RPL neighbor
port resides unblock the respective RPL owner port and RPL neighbor port, and update
FDB entries.
Figure 19-9 ERPS single-ring networking (unblocking the RPL owner port and RPL neighbor
port if a link fails)
Network
Router1 Router2
SwitchA SwitchE
ERPS
SwitchB RPL SwitchD
RPL owner SwitchC
User
network
Failed Link
Blocked Interface
Data Flow
The Link Recovers

After the link fault is rectified, either of two situations may occur:
l If the ERPS ring uses revertive switching, the RPL owner port is blocked again, and the
link that has recovered is used to forward traffic.
l If the ERPS ring uses non-revertive switching, the RPL remains unblocked, and the link
that has recovered is still blocked.
The following example uses revertive switching to illustrate the process after the link
recovers.

1. After the link between SwitchD and SwitchE recovers, SwitchD and SwitchE start the
Guard timer to avoid receiving out-of-date RAPS PDUs. The two switches do not
receive any RAPS PDUs before the timer expires. At the same time, SwitchD and
SwitchE send RAPS (NR) messages to the other LSWs.
2. After receiving an RAPS (NR) message, SwitchC on which the RPL owner port resides
starts the WTR timer. After the WTR timer expires, SwitchC blocks the RPL owner port
and sends RAPS (NR, RB) messages.
3. After receiving an RAPS (NR, RB) message, SwitchD and SwitchE unblock the ports at
the two ends of the link that has recovered, stop sending RAPS (NR) messages, and
update FDB entries. The other LSWs also update FDB entries after receiving an RAPS
(NR, RB) message.
Protection Switching
l Forced switch
On the network shown in Figure 19-10, SwitchA through SwitchE in the ERPS ring can
communicate with each other. A forced switch (FS) operation is performed on the
SwitchE's port that connects to SwitchD, and the SwitchE's port is blocked. Then the
RPL owner port and RPL neighbor port are unblocked to send and receive traffic. This
mechanism ensures nonstop traffic transmission. The process is as follows:
a. After the SwitchD's port that connects to SwitchE is forcibly blocked, SwitchE
update FDB entries.
b. SwitchE sends three consecutive RAPS (SF) messages to the other LSWs and sends
one RAPS (SF) message at an interval of 5s afterwards.
c. After receiving an RAPS (SF) message, the other LSWs update their FDB entries.
SwitchC on which the RPL owner port resides and SwitchB on which the RPL
neighbor port resides unblock the respective RPL owner port and RPL neighbor
port, and update FDB entries.

Figure 19-10 Layer 2 ERPS ring networking (blocking a port in FS mode)
Network
Router1 Router2
SwitchE
SwitchA
ERPS
SwitchB RPL
SwitchD
RPL owner SwitchC
User
network
Blocked Interface
Data Flow
l Clear
After a clear operation is performed on SwitchE, the port that is forcibly blocked by FS
sends RAPS (NR) messages to all other ports in the ERPS ring.
– If the ERPS ring uses revertive switching, the RPL owner port starts the WTB timer
after receiving an RAPS (NR) message. After the WTB timer expires, the FS
operation is cleared. Then the RPL owner port is blocked, and the blocked port on
SwitchE is unblocked. If you perform a clear operation on SwitchC on which the
RPL owner port resides before the WTB timer expires, the RPL owner port is
immediately blocked, and the blocked port on SwitchE is unblocked.
– If the ERPS ring uses non-revertive switching and you want to block the RPL
owner port, perform a clear operation on SwitchC on which the RPL owner port
resides.
l Manual switch
The MS process in an ERPS ring is similar to the FS process. The difference is that the
MS operation does not take effect when the ERPS ring is not idle or pending.

19.2.4 ERPS Multi-ring Principles

Ethernet Ring Protection Switching Version 1 (ERPSv1) supports only single-ring topology,
whereas ERPSv2 supports single-ring and multi-ring topologies.
A multi-ring network consists of one or more major rings and sub-rings. A sub-ring can have
a virtual channel (VC) or non-virtual channel (NVC), depending on whether RAPS PDUs in
the sub-ring will be transmitted to a major ring.
This section describes how ERPS is implemented on a multi-ring network where sub-rings
use NVCs when links are normal, when a link fails, and when the link recovers.
Links Are Normal

On the multi-ring network shown in Figure 19-11, SwitchA through SwitchE constitute a
major ring; SwitchB, SwitchC, and SwitchF constitute sub-ring 1, and SwitchC, SwitchD, and
SwitchG constitute sub-ring 2. The LSWs in each ring can communicate with each other.
1. To prevent loops, each ring blocks its RPL owner port. All other ports can transmit
service traffic.
2. The RPL owner port on each ring sends RAPS (NRRB) messages to all other nodes in
the same ring at an interval of 5s. The RAPS (NRRB) messages in the major ring are
transmitted only in this ring. The RAPS (NRRB) messages in each sub-ring are
terminated on the interconnected nodes and therefore are not transmitted to the major
ring.
Traffic between PC1 and the upper-layer network travels along the path PC1 -> SwitchF ->
SwitchB -> SwitchA -> Router1; traffic between PC2 and the upper-layer network travels
along the path PC2 -> SwitchG -> SwitchD -> SwitchE -> Router2.

Figure 19-11 ERPS multi-ring networking (links are normal)
Network
Router1 Router2
SwitchA SwitchE
Major Ring SwitchD

SwitchB
L
RP
Sub-Ring2
Sub-Ring1 RP
L SwitchC L
RP
SwitchF SwitchG
PC1 PC2
RPL owner
Data Flow
A Link Fails
As shown in Figure 19-12, if the link between SwitchD and SwitchG fails, the ERPS
protection switching mechanism is triggered. The ports on both ends of the faulty link are
blocked, and the RPL owner port in sub-ring 2 is unblocked to send and receive traffic. In this
situation, traffic from PC1 still travels along the original path. SwitchC and SwitchD inform
the other nodes in the major ring of the topology change so that traffic from PC2 is also not
interrupted. Traffic between PC2 and the upper-layer network travels along the path PC2 ->
SwitchG -> SwitchC -> SwitchB -> SwitchA -> SwitchE -> Router2. The process is as
follows:
1. After SwitchD and SwitchG detect the link fault, they block their ports on the faulty link
and update Filtering Database (FDB) entries.
2. SwitchG sends three consecutive RAPS (SF) messages to the other LSWs and sends one
RAPS (SF) message at an interval of 5s afterwards.

3. SwitchG then unblocks the RPL owner port and updates FDB entries.
4. After the interconnected node SwitchC receives an RAPS (SF) message, it updates FDB
entries. SwitchC and SwitchD then send RAPS Event messages within the major ring to
notify the topology change in sub-ring 2.
5. After receiving an RAPS Event message, the other LSWs in the major ring update FDB
entries.
Then traffic from PC2 is switched to a normal link.
Figure 19-12 ERPS multi-ring networking (unblocking the RPL owner port if a link fails)
Network
Router1 Router2
SwitchA SwitchE
Major Ring
SwitchB
RPL SwitchD
Sub-Ring2
Sub-Ring1 RP
L SwitchC L
RP
SwitchF SwitchG
PC1 PC2
Blocked Interface
Data Flow
The Link Recovers

After the link fault is rectified, either of two situations may occur:
l If the ERPS ring uses revertive switching, the RPL owner port is blocked again, and the
link that has recovered is used to forward traffic.

l If the ERPS ring uses non-revertive switching, the RPL remains unblocked, and the link
that has recovered is still blocked.
The following example uses revertive switching to illustrate the process after the link
recovers.
1. After the link between SwitchD and SwitchG recovers, SwitchD and SwitchG start the
Guard timer to avoid receiving out-of-date RAPS PDUs. The two devices do not receive
any RAPS PDUs before the timer expires. Then SwitchD and SwitchG send RAPS (NR)
messages within sub-ring 2.
2. SwitchG on which the RPL owner port resides starts the WTR timer. After the WTR
timer expires, SwitchG blocks the RPL owner port and unblocks its port on the link that
has recovered and then sends RAPS (NR, RB) messages within sub-ring 2.
3. After receiving an RAPS (NR, RB) message from SwitchG, SwitchD unblocks its port
on the recovered link, stops sending RAPS (NR) messages, and updates FDB entries.
SwitchC also updates FDB entries.
4. SwitchC and SwitchD (interconnected nodes) send RAPS Event messages within the
major ring to notify the link recovery of sub-ring 2.
5. After receiving an RAPS Event message, the other LSWs in the major ring update FDB
entries.
Then traffic changes to the normal state, as shown in Figure 19-11.
19.2.5 ERPS Multi-instance

On a common ERPS network, a physical ring can be configured with a single ERPS ring, and
only one blocked port can be specified in the ring. When the ERPS ring is in normal state, the
blocked port prohibits all service packets from passing through. As a result, all service data is
transmitted through one path over the ERPS ring, and the other link on the blocked port
becomes idle, wasting bandwidth. As shown in Figure 19-13, when only ERPS Ring1 is
configured, Interface1 is blocked and data is forwarded through the path where Data Flow1
travels. The link SwitchC -> SwitchD -> SwitchE is idle.

Figure 19-13 Networking diagram of ERPS multi-instance
Network
Router1 Router2
SwitchE
SwitchA
ERPS Ring2
ERPS Ring1
SwitchD
SwitchB
Interface2 Interface1
SwitchC
Ring1 Blocked Port
CE1 Ring2 Blocked Port
Data Flow1
VLAN100-200 Data Flow2
and VLAN300-
400
To improve link use efficiency, only two logical rings can be configured in the same physical
ring in the ERPS multi-instance. A port may have different roles in different ERPS rings and
different ERPS rings use different control VLANs. A physical ring can have two blocked
ports accordingly. Each blocked port independently monitors the physical ring status and is
blocked or unblocked. An ERPS ring must be configured with an ERP instance, and each
ERP instance specifies a range of VLANs. The topology calculated for a specific ERPS ring
only takes effect in the ERPS ring. Different VLANs can use separate paths, implementing
traffic load balancing and link backup.
As shown in Figure 19-13, you can configure ERPS Ring1 and ERPS Ring2 in the physical
ring consisting of SwitchA through SwitchE. Interface1 is the blocked port in ERPS Ring1.
The VLANs mapping to the ERP instance is VLANs 100 to 200. Interface2 is the blocked
port in ERPS Ring2. The VLANs mapping to the ERP instance is VLANs 300 to 400. After
the configuration is completed, data from VLANs 100 to 200 is forwarded through Data
Flow1, and data from VLANs 300 to 400 is forwarded through Data Flow2. In this manner,
load balancing is implemented and link use efficiency is improved.


communication quality deteriorates, and communication services may even be interrupted.
To prevent loops caused by redundant links, enable ERPS on the nodes of the ring network.
ERPS is a Layer 2 loop-breaking protocol defined by the ITU-T, and provides fast
convergence of carrier-class reliability standards.
Figure 19-14 Layer 2 application of ERPS
Network
Router1 Router2
SwitchE
SwitchA
ERPS SwitchD
SwitchB
RPL
RPL Owner
SwitchC
User
network1 User
network3
User
network2
Blocked Port
Data Flow1
Data Flow2
Data Flow3

As shown in Figure 19-14, SwitchA through SwitchE constitute a ring. The ring runs ERPS
to provide protection switching for Layer 2 redundant links and prevent loops that cause
broadcast storms and render the MAC address table unstable.
Generally, the RPL owner port is blocked and does not forward service packets, preventing
loops. If a fault occurs on the link between SwitchA and SwitchB, ERPS will unblock the
blocked RPL owner port and traffic from User network1 and User network2 is forwarded
through the path SwitchC ->SwitchD ->SwitchE.

After a single ERPS ring or intersecting ERPS ring is configured, a specified port can be
blocked to remove loops. Table 19-5 describes the ERPS configuration tasks.
Table 19-5 ERPS configuration task summary
Configure ERPS single-ring You can configure ERPS 19.7.1 Configuring

networking single-ring networking when ERPSv1
there is only one ring in the
network topology.
Configure ERPS You can configure ERPS 19.7.2 Configuring

intersecting-ring networking intersecting-ring networking ERPSv2
when there are two or more
rings in the network
topology and many common
nodes between two rings.
Configure association ERPS cannot automatically 19.7.1.7 (Optional)

between ERPS and CFM detect link faults. When Configuring Association
there are transmission Between ERPS and
devices in an ERPS ring, Ethernet CFM
ERPS cannot detect whether
faults on transmission
devices cause slow
convergence and traffic
interruption. Association
between ERPS and CFM
solves this problem.

Other network elements are required to support ERPS functions.

License Support
ERPS is a basic feature of a switch and is not under license control.
Version Support
Table 19-6 Products and versions supporting ERPS

Model
S7700 S7703, V200R001(C00&C01), V200R002C00, V200R003C00,

S7706, V200R005C00, V200R006C00, V200R007C00,
S7712 V200R008C00, V200R009C00, V200R010C00
S9700 S9703, V200R001(C00&C01), V200R002C00, V200R003C00,

S9706, V200R005C00, V200R006C00, V200R007C00,
S9712 V200R008C00, V200R009C00, V200R010C00
NOTE

l V200R002 and earlier versions support only ERPSv1.
l Before adding a port to an ERPS ring, ensure that port security has been disabled on the
port. Otherwise, loops cannot be eliminated.
l Before adding a port to an ERPS ring, ensure that the Spanning Tree Protocol (STP),
Rapid Ring Protection Protocol (RRPP), Smart Ethernet Protection (SEP), or Smart Link
is not enabled on the port.
l ERPS and VLAN stacking cannot be configured on an interface of an SA series card
simultaneously.

Table 19-7 describes default ERPS settings.
Table 19-7 ERPS default settings

ERPS ring Not created
Guard timer 200 centiseconds
Wait to restore (WTR) timer 5 minutes
Holdoff timer 0 deciseconds
ERPS version ERPSv1

19.7 Configuring ERPS
19.7.1 Configuring ERPSv1

If there is no link fault on a ring network, ERPS can eliminate loops on the Ethernet network.
If a link fault occurs on the ring network, ERPS can quickly restore communication between
nodes on the ring network.
19.7.1.1 Creating an ERPS Ring
Context
ERPS works for ERPS rings. An ERPS ring consists of interconnected Layer 2 switching
devices configured with the same control VLAN and data VLAN. Before configuring other
ERPS functions, you must configure an ERPS ring.
Procedure
Step 1 Run:
system-view
Step 2 Run:
erps ring ring-id
An ERPS ring is created and the ERPS ring view is displayed.

description
The description of the device is configured. The description can contain the ERPS ring ID,
which facilitate device maintenance in an ERPS ring.
By default, the description of an ERPS ring is the ERPS ring name, for example, Ring 1.
----End
19.7.1.2 Configuring the Control VLAN
Context
In an ERPS ring, the control VLAN is used only to forward RAPS PDUs but not service
packets, so the security of ERPS is improved. All the devices in an ERPS ring must be
configured with the same control VLAN, and different ERPS rings must use different control
VLANs.

Procedure
Step 1 Run:
system-view

Step 2 Run:
erps ring ring-id
The ERPS ring view is displayed.

Step 3 Run:
The control VLAN of the ERPS ring is configured.

l The control VLAN specified by vlan-id must be a VLAN that has not been created or
used.
l If you run the control-vlan command multiple times, only the latest configuration takes
effect.
l If the ERPS ring contains ports, the control VLAN cannot be changed. To delete the
configured control VLAN, run the undo erps ring command in the interface view or the
undo port command in the ERPS ring view to delete ports from the ERPS ring, and run
the undo control-vlan command to delete the control VLAN.
l After a control VLAN is created, the vlan batch vlan-id1 [ to vlan-id2 ] &<1-10>
command used to create common VLANs is displayed in the configuration file.
l After a port is added to an ERPS ring configured with a control VLAN, the port is added
– If the port is a trunk port, the port trunk allow-pass vlan vlan-id command is
displayed in the record of the port that has been added to the ERPS ring in the
configuration file.
– If the port is a hybrid port, the port hybrid tagged vlan vlan-id command is
configuration file.
----End
19.7.1.3 Configuring an ERP Instance and Activating the Mapping Between the
ERP Instance and VLAN
Context
transmitted must be mapped to an ERP instance so that ERPS forwards or blocks the packets
based on configured rules. If the mapping is not configured, the preceding packets may cause
broadcast storms on the ring network. As a result, the network becomes unavailable.
Procedure
Step 1 Run:
system-view


Step 2 Run:
erps ring ring-id

Step 3 Run:
protected-instance { all | { instance-id1 [ to instance-id2 ] &<1-10> } }
An ERP instance is created for the ERPS ring.

By default, no ERP instance is configured in an ERPS ring.
NOTE
l If the stp mode (system view) command is used to set the STP working mode to VLAN-based
Spanning Tree (VBST), the ERP instance specified by the protected-instance command must be the
created static instance.
l If you run the protected-instance command multiple times in the same ERPS ring, multiple ERP
instances are configured.
l If the ERPS ring contains ports, the ERP instance cannot be changed. To delete the configured ERP
instance, run the undo erps ring command in the interface view or the undo port command in the
ERPS ring view to delete ports from the ERPS ring, and run the undo protected instance command
to delete the ERP instance.
Step 4 Run:
quit

Step 5 Configure the mapping between an ERP instance and VLAN.
1. Run:
The Multiple Spanning Tree (MST) region view is displayed.

2. Run:
The mapping between the ERP instance and VLAN is configured.

By default, all VLANs in an MST region are mapped to instance 0.
instance-id in this command must be the same as instance-id used by the protected-
instance command.
NOTE
– A VLAN cannot be mapped to multiple MSTIs. If you map a VLAN that has already been
mapped to an MSTI to another MSTI, the original mapping will be deleted.
– The vlan-mapping modulo modulo command configures the mapping between MSTIs and
VLANs based on the default algorithm. However, the mapping configured using this command
cannot always meet the actual demand. Therefore, running this command is not recommended.
– To configure the mapping between an ERP instance and a MUX VLAN, you are advised to
configure the principal VLAN, subordinate group VLANs, and subordinate separate VLANs
of the MUX VLAN in the same ERP instance. Otherwise, loops may occur.
3. Run:
The mapping between the ERP instance and the VLAN is activated.
----End

19.7.1.4 Adding a Layer 2 Port to an ERPS Ring and Configuring the Port Role
Context
After ERPS is configured, add Layer 2 ports to an ERPS ring and configure port roles so that
ERPS can work properly.
You can add a Layer 2 port to an ERPS ring in either of the following ways:
l In the ERPS ring view, add a specified port to the ERPS ring and configure the port role.
l In the interface view, add the current port to the ERPS ring and configure the port role.
NOTE
l A port can be added to at most two ERPS rings, but cannot be added to ERPS rings configured with
the same protected instance.
l An ERPS-enabled port needs to allow packets of control VLANs and data VLANs to pass through,
so the link type of the port must be configured as trunk or hybrid.
l Flush-FDB packets for updating MAC addresses cannot be separately sent, so do not configure a
direct link between two upstream nodes as the RPL.
l Before changing the port role, use the shutdown command to disable the port. When the port role is
changed, use the undo shutdown command to enable the port. This prevents traffic interruptions.
l Before adding an interface to a ERPS ring, disable port security on the interface; otherwise, loops
Prerequisites
l The port is not a Layer 3 port. If the port is a Layer 3 port, run the portswitch command
to switch the port to the Layer 2 mode.
l Spanning Tree Protocol (STP), Rapid Ring Protection Protocol (RRPP), Smart Ethernet
Protection (SEP), or Smart Link is not enabled on the port.
– If the port has STP enabled, run the stp disable command in the interface view to
disable STP.
– If the port has RRPP enabled, run the undo ring ring-id command in the RRPP
domain view to disable RRPP.
– If the port has SEP enabled, run the undo sep segment segment-id command in the
interface view to disable SEP.
– If the port has Smart Link enabled, run the undo port command in the Smart Link
group view to disable Smart Link.
l The control-vlan command has been executed to configure a control VLAN and the
protected-instance command has been executed to configure an ERP instance.
Procedure
Step 1 Run:
system-view
Step 2 Add a Layer 2 port to an ERPS ring and configure the port role in either of the following
ways.

a. Run:

b. Run:
stp disable
STP is disabled on the ERPS-enabled port.

c. Run:
The link type of the ERPS-enabled port is configured as trunk.

d. Run:
The VLANs allowed by the ERPS-enabled port are specified.

After the control-vlan command is used in the ERPS ring view to configure a
control VLAN and the port interface-type interface-number [ rpl owner ]
command is configured, the ports in the ERPS ring allow packets of the control
VLAN to pass through. Therefore, you need to specify only the IDs of data VLANs
in this step.
e. Run:
quit

f. Run:
erps ring ring-id

g. Run:
port interface-type interface-number [ rpl owner ]
The port is added to the ERPS ring and its role is configured. If rpl owner is
specified, the port is configured as an RPL owner port. If rpl owner is not
specified, the port is a common port.
a. Run:
The specified interface view is displayed.

b. Run:
stp disable

c. Run:

d. Run:

control VLAN and the port interface-type interface-number [ rpl owner ]
command is configured, the ports in the ERPS ring allow packets of the control

VLAN to pass through. Therefore, you need to specify only the IDs of data VLANs
in this step.
e. Run:
erps ring ring-id [ rpl owner ]
The current port is added to the ERPS ring and its role is configured. If rpl owner
is specified, the port is configured as an RPL owner port. If rpl owner is not
specified, the port is a common port.
----End
19.7.1.5 (Optional) Configuring Timers in an ERPS Ring
Context
After a link or node failure in an ERPS ring recovers, the device starts timers in the ERPS
ring to reduce traffic interruptions. This prevents network flapping.
Procedure
Step 1 Run:
system-view
Step 2 Run:
erps ring ring-id
Step 3 Configure the WTR timer, Guard timer, and Holdoff timer in the ERPS ring according to
actual networking.
l Run:
wtr-timer time-value
The WTR timer is set.

By default, the WTR timer is 5 minutes in an ERPS ring.
l Run:
guard-timer time-value
The Guard timer is set.

By default, the Guard timer is 200 centiseconds in an ERPS ring.
l Run:
holdoff-timer time-value
The Holdoff timer is set.

By default, the Holdoff timer is 0 deciseconds in an ERPS ring.
----End
19.7.1.6 (Optional) Configuring the MEL Value

Context
On a Layer 2 network running ERPS, if another fault detection protocol (for example, CFM)
is enabled, the MEL field in RAPS PDUs determines whether the RAPS PDUs can be
forwarded. If the MEL value in an ERPS ring is smaller than the MEL value of the fault
detection protocol, the RAPS PDUs have a lower priority and are discarded. If the MEL value
in an ERPS ring is larger than the MEL value of the fault detection protocol, the RAPS PDUs
can be forwarded. In addition, the MEL value can also be used for interworking with other
vendors' devices in an ERPS ring. The same MEL value ensures smooth communication
between devices.
Procedure
Step 1 Run:
system-view
Step 2 Run:
erps ring ring-id
Step 3 Run:
raps-mel level-id
The MEL value in the ERPS ring is set.
By default, the MEL value in RAPS PDUs is 7.
----End
19.7.1.7 (Optional) Configuring Association Between ERPS and Ethernet CFM
Context
Association between Ethernet Connectivity Fault Management (CFM) and Ethernet Ring
Protection Switching (ERPS) on a port added to an ERPS ring accelerates fault detection,
implements fast convergence, and shortens traffic interruptions.
Before configuring association between ERPS and Ethernet CFM, configure basic CFM
functions on the port added to the ERPS ring. For details, see Configuring Basic Ethernet
CFM Functions.
Procedure
Step 1 Run:
system-view
Step 2 Run:

Step 3 Run:
erps ring ring-id track cfm md md-name ma ma-name mep mep-id remote-mep rmep-id
ERPS is associated with Ethernet CFM to fast detect link failures.
The association between ERPS and CFM takes effect only when the interface has ERPS
associated with CFM and has an interface-based MEP created using the mep mep-id
command.
----End
Follow-up Procedure
After ERPS is associated with Ethernet CFM, ensure that the maintenance entity group level
(MEL) value of Ring Auto Protection Switching (RAPS) Protocol Data Units (PDUs) in
ERPS rings is larger than the MEL value in CFM protocol packets. Otherwise, Ethernet CFM
cannot allow RAPS PDUs to pass through. The MEL value can be used for interworking with
other vendors' devices in an ERPS ring. The same MEL value ensures smooth communication
between devices.
You can run the raps-mel level-id command in the ERPS ring view to set the MEL value in
RAPS PDUs.
By default, the MEL in RAPS PDUs is 7.
Procedure
l Run the display erps [ ring ring-id ] [ verbose ] command to check the device ports
added to an ERPS ring and ERPS ring configurations.
l Run the display erps interface interface-type interface-number [ ring ring-id ]
command to check physical configurations of the port added to an ERPS ring.
----End
19.7.2 Configuring ERPSv2

When there is no faulty link on a ring network, Ethernet Ring Protection Switching (ERPS)
can eliminate loops on the network. When a link fails on the ring network, ERPS can
immediately restore communication between nodes on the network. ERPSv2, compatible with
ERPSv1, supports multi-ring topologies and association with connectivity fault management
(CFM), in addition to ERPSv1 functions such as single ring topologies and multi-instance.
19.7.2.1 Creating an ERPS Ring
Context
ERPS works for ERPS rings. An ERPS ring consists of interconnected Layer 2 switching
devices configured with the same control VLAN and data VLAN. Before configuring other
ERPS functions, configure an ERPS ring.

Procedure
Step 1 Run:
system-view
Step 2 Run:
erps ring ring-id
An ERPS ring is created and the ERPS ring view is displayed.
By default, an ERPS ring configured using the erps ring ring-id command is a major ring.
Step 3 Run:
version v2
ERPSv2 is specified.
By default, ERPSv1 is used.
Before specifying ERPSv1 for an ERPSv2-enabled device, delete all ERPS configurations
that ERPSv1 does not support.

sub-ring
The ERPS ring is configured as a sub-ring.
By default, an ERPS ring is a major ring. Major rings are closed, and sub-rings are open. This
step is performed only when an existing ERPS ring needs to be used as a sub-ring.
An ERPS ring that has a port cannot be configured as a sub-ring. Before configuring an ERPS
ring that has a port as a sub-ring, run the undo erps ring command in the interface view or
the undo port command in the ERPS ring view to delete the port from the ERPS ring. Then
run the sub-ring command to configure the ERPS ring as a sub-ring.

virtual-channel { enable | disable }
The RAPS PDU transmission mode is specified in the sub-ring.
By default, sub-rings use non-virtual-channels (NVCs) to transmit RAPS PDUs. The default
transmission mode is recommended. When sub-ring links are incontiguous, VCs must be
used. This step takes effect only in a sub-ring.
NOTE
If a virtual channel (VC) needs to be used, configure VCs on all nodes of a sub-ring and intersecting
point of the sub-ring and major ring.

description text
The description is configured for the ERPS ring.
By default, the description of an ERPS ring is the ERPS ring name, for example, Ring 1.
----End

19.7.2.2 Configuring the Control VLAN
Context
In an ERPS ring, the control VLAN is used only to forward RAPS PDUs but not service
packets, so the security of ERPS is improved. All the devices in an ERPS ring must be
configured with the same control VLAN, and different ERPS rings must use different control
VLANs.
Procedure
Step 1 Run:
system-view
Step 2 Run:
erps ring ring-id
Step 3 Run:
The control VLAN of the ERPS ring is configured.
l The control VLAN specified by vlan-id must be a VLAN that has not been created or
used.
l If you run the control-vlan command multiple times, only the latest configuration takes
effect.
l If the ERPS ring contains ports, the control VLAN cannot be changed. To delete the
configured control VLAN, run the undo erps ring command in the interface view or the
undo port command in the ERPS ring view to delete ports from the ERPS ring, and run
the undo control-vlan command to delete the control VLAN.
l After a control VLAN is created, the vlan batch vlan-id1 [ to vlan-id2 ] &<1-10>
command used to create common VLANs is displayed in the configuration file.
l After a port is added to an ERPS ring configured with a control VLAN, the port is added
– If the port is a trunk port, the port trunk allow-pass vlan vlan-id command is
configuration file.
– If the port is a hybrid port, the port hybrid tagged vlan vlan-id command is
configuration file.
----End
19.7.2.3 Configuring an ERP Instance and Activating the Mapping Between the
ERP Instance and VLAN

Context
transmitted must be mapped to an ERP instance so that ERPS forwards or blocks the packets
based on configured rules. If the mapping is not configured, the preceding packets may cause
broadcast storms on the ring network. As a result, the network becomes unavailable.
Procedure
Step 1 Run:
system-view
Step 2 Run:
erps ring ring-id
Step 3 Run:
protected-instance { all | { instance-id1 [ to instance-id2 ] &<1-10> } }
An ERP instance is created for the ERPS ring.
By default, no ERP instance is configured in an ERPS ring.
NOTE
l If the stp mode (system view) command is used to set the STP working mode to VLAN-based
Spanning Tree (VBST), the ERP instance specified by the protected-instance command must be the
created static instance.
l If you run the protected-instance command multiple times in the same ERPS ring, multiple ERP
instances are configured.
l If the ERPS ring contains ports, the ERP instance cannot be changed. To delete the configured ERP
instance, run the undo erps ring command in the interface view or the undo port command in the
ERPS ring view to delete ports from the ERPS ring, and run the undo protected instance command
to delete the ERP instance.
Step 4 Run:
quit
Step 5 Configure the mapping between an ERP instance and VLAN.

1. Run:
The Multiple Spanning Tree (MST) region view is displayed.

2. Run:
The mapping between the ERP instance and VLAN is configured.

By default, all VLANs in an MST region are mapped to instance 0.
instance-id in this command must be the same as instance-id used by the protected-
instance command.

NOTE
– A VLAN cannot be mapped to multiple MSTIs. If you map a VLAN that has already been
mapped to an MSTI to another MSTI, the original mapping will be deleted.
– The vlan-mapping modulo modulo command configures the mapping between MSTIs and
VLANs based on the default algorithm. However, the mapping configured using this command
cannot always meet the actual demand. Therefore, running this command is not recommended.
– To configure the mapping between an ERP instance and a MUX VLAN, you are advised to
configure the principal VLAN, subordinate group VLANs, and subordinate separate VLANs
of the MUX VLAN in the same ERP instance. Otherwise, loops may occur.
3. Run:
The mapping between the ERP instance and the VLAN is activated.
----End
19.7.2.4 Adding a Layer 2 Port to an ERPS Ring and Configuring the Port Role
Context
After ERPS is configured, add Layer 2 ports to an ERPS ring and configure port roles so that
ERPS can work properly.
You can add a Layer 2 port to an ERPS ring in either of the following ways:
NOTE
l A port can be added to a maximum of two ERPS rings.

l An ERPS-enabled port needs to allow packets of control VLANs and data VLANs to pass through,
so the link type of the port must be configured as trunk or hybrid.
l Flush-FDB packets for updating MAC addresses cannot be separately sent, so do not configure a
direct link between two upstream nodes as the RPL.
l Before changing the port role, use the shutdown command to disable the port. When the port role is
changed, use the undo shutdown command to enable the port. This prevents traffic interruptions.
l Before adding an interface to a ERPS ring, disable port security on the interface; otherwise, loops
Prerequisites
l The port is not a Layer 3 port. If the port is a Layer 3 port, run the portswitch command
to switch the port to the Layer 2 mode.
l Spanning Tree Protocol (STP), Rapid Ring Protection Protocol (RRPP), Smart Ethernet
Protection (SEP), or Smart Link is not enabled on the port.
– If the port has STP enabled, run the stp disable command in the interface view to
disable STP.
– If the port has RRPP enabled, run the undo ring ring-id command in the RRPP
domain view to disable RRPP.
– If the port has SEP enabled, run the undo sep segment segment-id command in the
interface view to disable SEP.

– If the port has Smart Link enabled, run the undo port command in the Smart Link
group view to disable Smart Link.
l The control-vlan command has been executed to configure a control VLAN and the
protected-instance command has been executed to configure an ERP instance.
Procedure
Step 1 Run:
system-view

Step 2 Add a Layer 2 port to an ERPS ring and configure the port role in either of the following
ways.
a. Run:

b. Run:
stp disable

c. Run:

d. Run:

control VLAN and the port interface-type interface-number [ rpl { owner |
neighbour } ] command is configured, the ports in the ERPS ring allow packets of
the control VLAN to pass through. Therefore, you need to specify only the IDs of
data VLANs in this step.
e. Run:
quit

f. Run:
erps ring ring-id

g. Run:
port interface-type interface-number [ rpl { owner | neighbour } ]
The port is added to the ERPS ring and its role is configured.
a. Run:
The specified interface view is displayed.

b. Run:

stp disable

c. Run:

d. Run:

control VLAN and the port interface-type interface-number [ rpl { owner |
neighbour } ] command is configured, the ports in the ERPS ring allow packets of
the control VLAN to pass through. Therefore, you need to specify only the IDs of
data VLANs in this step.
e. Run:
erps ring ring-id [ rpl { owner | neighbour } ]
The current port is added to the ERPS ring and its role is configured.
----End
19.7.2.5 Configuring the Topology Change Notification Function
Context
If an upper-layer Layer 2 network is not notified of the topology change in an ERPS ring, the
MAC address entries remain unchanged on the upper-layer network and therefore user traffic
is interrupted. To ensure nonstop traffic transmission, configure the topology change
notification function and specify the ERPS rings that will be notified of the topology change.
In addition, if an ERPS ring frequently receives topology change notifications, its nodes will
have lower CPU processing capability and repeatedly update Flush-FDB packets, consuming
much bandwidth. To resolve this problem, set the topology change protection interval at
which topology change notifications are sent to suppress topology change notification
transmission, and set the maximum number of topology change notifications that can be
processed during the topology change protection interval to prevent frequent MAC address
and ARP entry updates.
Procedure
Step 1 Run:
system-view

Step 2 Run:
erps ring ring-id

Step 3 Run:
tc-notify erps ring { ring-id1 [ to ring-id2 ] } &<1-10>
The ERPS ring is configured to notify other ERPS rings of its topology change.

ring-id1 [ to ring-id2 ] specifies the start and end ring IDs of the ERPS rings that will be
notified of the topology change. Ensure that the ERPS rings specified by ring-id1 and ring-
id2 exist. If the specified rings do not exist, the topology change notification function does not
take effect.
After the ERPS rings receive the topology change notification from an ERPS ring, they send
Flush-FDB messages on their separate rings to instruct their nodes to update MAC addresses
so that user traffic is not interrupted.
tc-protection interval interval-value
The topology change protection interval at which topology change notification messages are
sent is set.
tc-protection threshold threshold-value
The number of times ERPS parses topology change notifications and updates forwarding
entries in the topology change protection interval is set.
The topology change protection interval is the one specified by the tc-protection interval
command.
----End
19.7.2.6 (Optional) Configuring ERPS Protection Switching
Context
To ensure that ERPS rings function normally when a node or link fails, configure revertive/
non-revertive switching, port blocking mode, and timers.
Procedure
Step 1 Run:
system-view

Step 2 Run:
erps ring ring-id

Step 3 Run:
revertive { enable | disable }
The protection switching mode is specified.

By default, ERPS rings use revertive switching.
Step 4 Run:
quit

Step 5 Run:

Step 6 Run:
erps ring ring-id protect-switch { force | manual }
A port blocking mode is specified.
The ERPS ring specified by ring ring-id must be the one to which the port belongs.
To delete the specified port blocking mode, run the clear command in the ERPS ring view.
Step 7 Run:
quit
----End
19.7.2.7 (Optional) Configuring Timers in an ERPS Ring
Context
After a link or node failure in an ERPS ring recovers, the device starts timers in the ERPS
ring to reduce traffic interruptions. This prevents network flapping.
Procedure
Step 1 Run:
system-view
Step 2 Run:
erps ring ring-id
Step 3 Configure the WTR timer, Guard timer, and Holdoff timer in the ERPS ring according to
actual networking.
l Run:
wtr-timer time-value
The WTR timer is set.

By default, the WTR timer is 5 minutes in an ERPS ring.
l Run:
guard-timer time-value
The Guard timer is set.

By default, the Guard timer is 200 centiseconds in an ERPS ring.
l Run:
holdoff-timer time-value
The Holdoff timer is set.

By default, the Holdoff timer is 0 deciseconds in an ERPS ring.
----End
19.7.2.8 (Optional) Configuring Association Between ERPS and Ethernet CFM
Context
Association between Ethernet Connectivity Fault Management (CFM) and Ethernet Ring
Protection Switching (ERPS) on a port added to an ERPS ring accelerates fault detection,
implements fast convergence, and shortens traffic interruptions.
Before configuring association between ERPS and Ethernet CFM, configure basic CFM
functions on the port added to the ERPS ring. For details, see Configuring Basic Ethernet
CFM Functions.
Procedure
Step 1 Run:
system-view
Step 2 Run:
Step 3 Run:
erps ring ring-id track cfm md md-name ma ma-name mep mep-id remote-mep rmep-id
ERPS is associated with Ethernet CFM to fast detect link failures.
The association between ERPS and CFM takes effect only when the interface has ERPS
associated with CFM and has an interface-based MEP created using the mep mep-id
command.
----End
Follow-up Procedure
After ERPS is associated with Ethernet CFM, ensure that the maintenance entity group level
(MEL) value of Ring Auto Protection Switching (RAPS) Protocol Data Units (PDUs) in
ERPS rings is larger than the MEL value in CFM protocol packets. Otherwise, Ethernet CFM
cannot allow RAPS PDUs to pass through. The MEL value can be used for interworking with
other vendors' devices in an ERPS ring. The same MEL value ensures smooth communication
between devices.
You can run the raps-mel level-id command in the ERPS ring view to set the MEL value in
RAPS PDUs.
By default, the MEL in RAPS PDUs is 7.

Procedure
l Run the display erps [ ring ring-id ] [ verbose ] command to check the device ports
added to an ERPS ring and ERPS ring configurations.
l Run the display erps interface interface-type interface-number [ ring ring-id ]
command to check physical configurations of the port added to an ERPS ring.
----End
19.8 Maintaining ERPS
19.8.1 Clearing ERPS Statistics
Context
Before recollecting ERPS statistics, run the reset erps command to clear existing ERPS
statistics.
NOTICE
The cleared ERPS statistics cannot be restored. Exercise caution when you run this command.
Procedure
Step 1 Run the reset erps [ ring ring-id ] statistics command to clear packet statistics in an ERPS
ring.
----End
19.9.1 Example for Configuring ERPS Multi-instance
Figure 19-15 shows a network on which a multi-instance ERPS ring is used. SwitchA
through SwitchD constitute a ring network at the aggregation layer to implement service

aggregation at Layer 2 and process Layer 3 services. ERPS is used on the ring network to
provide protection switching for Layer 2 redundant links. ERPS ring 1 and ERPS ring 2 are
configured on SwitchA through SwitchD. P1 on SwitchB is a blocked port in ERPS ring 1,
and P2 on SwitchA is a blocked port in ERPS ring 2, implementing load balancing and link
backup.
Figure 19-15 ERPS multi-instance networking
Network
Router1 Router2
SwitchC GE1/0/1
SwitchD
GE1/0/2
GE1/0/1
GE1/0/2
ERPS
GE1/0/2
GE1/0/1
SwitchA P2 GE1/0/2
SwitchB
GE1/0/1
P1
VLAN: VLAN:
100~200 300~400
ERPS ring1
ERPS ring2
Blocked Port1
Blocked Port2
Data Flow1
Data Flow2
1. Configure the link type of all ports to be added to ERPS rings as trunk.

2. Create ERPS rings and configure control VLANs and Ethernet Ring Protection (ERP)
instances in the ERPS rings.
3. Add Layer 2 ports to ERPS rings and specify port roles.
4. Configure the Guard timers and WTR timers in the ERPS rings.
5. Configure Layer 2 forwarding on SwitchA through SwitchD.
Procedure
Step 1 Configure the link type of all ports to be added to an ERPS ring as trunk.
# Configure SwitchD.
Step 2 Create ERPS ring 1 and ERPS ring 2 and configure ERP instances in the two rings. Set the
control VLAN ID of ERPS ring 1 to 10 and the control VLAN ID of ERPS ring 2 to 20.
Enable ERPS ring 1 to transmit data packets from VLANs 100 to 200 and enable ERPS ring 2
to transmit data packets from VLANs 300 to 400.
[SwitchA] erps ring 1
[SwitchA-erps-ring1] control-vlan 10
[SwitchA-erps-ring1] protected-instance 1
[SwitchA-erps-ring1] quit


[SwitchA-mst-region] instance 1 vlan 10 100 to 200
[SwitchA-mst-region] instance 2 vlan 20 300 to 400
[SwitchB] erps ring 1
[SwitchB-erps-ring1] control-vlan 10
[SwitchB-erps-ring1] protected-instance 1
[SwitchB-erps-ring1] quit
[SwitchB-mst-region] instance 1 vlan 10 100 to 200
[SwitchB-erps-ring2] control-vlan 20
[SwitchB-erps-ring2] protected-instance 2
[SwitchB-mst-region] instance 2 vlan 20 300 to 400
[SwitchC] erps ring 1
[SwitchC-erps-ring1] control-vlan 10
[SwitchC-erps-ring1] protected-instance 1
[SwitchC-erps-ring1] quit
[SwitchC-mst-region] instance 1 vlan 10 100 to 200
[SwitchC-erps-ring2] control-vlan 20
[SwitchC-erps-ring2] protected-instance 2
[SwitchC-mst-region] instance 2 vlan 20 300 to 400
[SwitchD] erps ring 1
[SwitchD-erps-ring1] control-vlan 10
[SwitchD-erps-ring1] protected-instance 1
[SwitchD-erps-ring1] quit
[SwitchD-mst-region] instance 1 vlan 10 100 to 200
[SwitchD-erps-ring2] control-vlan 20
[SwitchD-erps-ring2] protected-instance 2
[SwitchD-mst-region] instance 2 vlan 20 300 to 400

Step 3 Add Layer 2 ports to ERPS rings and specify port roles. Configure GE 1/0/1 on SwitchA and
GE 1/0/2 on SwitchB as their respective RPL owner ports.
[SwitchA-GigabitEthernet1/0/1] erps ring 1
[SwitchA-GigabitEthernet1/0/1] erps ring 2 rpl owner
[SwitchB-GigabitEthernet1/0/1] erps ring 1
[SwitchB-GigabitEthernet1/0/2] erps ring 1 rpl owner
[SwitchC-GigabitEthernet1/0/1] erps ring 1
[SwitchD-GigabitEthernet1/0/1] erps ring 1
Step 4 Configure the Guard timers and WTR timers in the ERPS rings.
[SwitchA-erps-ring1] wtr-timer 6
[SwitchA-erps-ring1] guard-timer 100


[SwitchB-erps-ring1] wtr-timer 6
[SwitchB-erps-ring1] guard-timer 100
[SwitchB-erps-ring2] wtr-timer 6
[SwitchB-erps-ring2] guard-timer 100
[SwitchC-erps-ring1] wtr-timer 6
[SwitchC-erps-ring1] guard-timer 100
[SwitchC-erps-ring2] wtr-timer 6
[SwitchC-erps-ring2] guard-timer 100
[SwitchD-erps-ring1] wtr-timer 6
[SwitchD-erps-ring1] guard-timer 100
[SwitchD-erps-ring2] wtr-timer 6
[SwitchD-erps-ring2] guard-timer 100
Step 5 Configure Layer 2 forwarding on SwitchA through SwitchD.

[SwitchA] vlan batch 100 to 200 300 to 400
[SwitchA-GigabitEthernet1/0/1] port trunk allow-pass vlan 100 to 200 300 to 400
[SwitchA-GigabitEthernet1/0/2] port trunk allow-pass vlan 100 to 200 300 to 400
[SwitchB] vlan batch 100 to 200 300 to 400
[SwitchB-GigabitEthernet1/0/1] port trunk allow-pass vlan 100 to 200 300 to 400
[SwitchB-GigabitEthernet1/0/2] port trunk allow-pass vlan 100 to 200 300 to 400
[SwitchC] vlan batch 100 to 200 300 to 400
[SwitchC-GigabitEthernet1/0/1] port trunk allow-pass vlan 100 to 200 300 to 400
[SwitchC-GigabitEthernet1/0/2] port trunk allow-pass vlan 100 to 200 300 to 400
[SwitchD] vlan batch 100 to 200 300 to 400
[SwitchD-GigabitEthernet1/0/1] port trunk allow-pass vlan 100 to 200 300 to 400

[SwitchD-GigabitEthernet1/0/2] port trunk allow-pass vlan 100 to 200 300 to 400


# After the network becomes stable, run the display erps command to check brief
information about the ERPS ring and ports added to the ERPS ring. SwitchB is used as an
example.
[SwitchB] display erps
D : Discarding
F : Forwarding
R : RPL Owner
N : RPL Neighbour
FS : Forced Switch
MS : Manual Switch
Total number of rings configured = 2
Ring Control WTR Timer Guard Timer Port 1 Port 2
ID VLAN (min) (csec)
--------------------------------------------------------------------------------
1 10 6 100 (F)GE1/0/1 (D,R)GE1/0/2
2 20 6 100 (F)GE1/0/1 (F)GE1/0/2
--------------------------------------------------------------------------------
# Run the display erps verbose command to check detailed information about the ERPS ring
and ports added to the ERPS ring. SwitchB is used as an example.
[SwitchB] display erps verbose
Ring ID : 1
Description : Ring 1
Control Vlan : 10
Protected Instance : 1
Service Vlan : 100 to 200
WTR Timer Setting (min) : 6 Running (s) : 0
Guard Timer Setting (csec) : 100 Running (csec) : 0
Holdoff Timer Setting (deciseconds) : 0 Running (deciseconds) : 0
WTB Timer Running (csec) : 0
Ring State : Idle
RAPS_MEL : 7
Revertive Mode : Revertive
R-APS Channel Mode : -
Version : 1
Sub-ring : No
Forced Switch Port : -
Manual Switch Port : -
TC-Notify : -
Time since last topology change : 0 days 0h:35m:5s
--------------------------------------------------------------------------------
Port Port Role Port Status Signal Status
--------------------------------------------------------------------------------
GE1/0/1 Common Forwarding Non-failed
GE1/0/2 RPL Owner Discarding Non-failed
Ring ID : 2
Control Vlan : 20
Ring State : Idle
RAPS_MEL : 7
Version : 1
Sub-ring : No


TC-Notify : -
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
----End
Configuration Files
#
sysname SwitchA
#
vlan batch 10 20 100 to 200 300 to 400
#
instance 1 vlan 10 100 to 200
#
erps ring 1
control-vlan 10
wtr-timer 6
guard-timer 100
erps ring 2
control-vlan 20
wtr-timer 6
guard-timer 100
#
port trunk allow-pass vlan 10 20 100 to 200 300 to 400
stp disable
erps ring 1
erps ring 2 rpl owner
#
stp disable
erps ring 1
erps ring 2
#
return

#
sysname SwitchB
#
vlan batch 10 20 100 to 200 300 to 400
#
#
erps ring 1
control-vlan 10
wtr-timer 6
guard-timer 100
erps ring 2

control-vlan 20
wtr-timer 6
guard-timer 100
#
stp disable
erps ring 1
erps ring 2
#
stp disable
erps ring 2
#
return
#
sysname SwitchC
#
vlan batch 10 20 100 to 200 300 to 400
#
#
erps ring 1
control-vlan 10
wtr-timer 6
guard-timer 100
erps ring 2
control-vlan 20
wtr-timer 6
guard-timer 100
#
stp disable
erps ring 1
erps ring 2
#
stp disable
erps ring 1
erps ring 2
#
return
#
sysname SwitchD
#
vlan batch 10 20 100 to 200 300 to 400
#
#

erps ring 1
control-vlan 10
wtr-timer 6
guard-timer 100
erps ring 2
control-vlan 20
wtr-timer 6
guard-timer 100
#
stp disable
erps ring 1
erps ring 2
#
stp disable
erps ring 1
erps ring 2
#
return
19.9.2 Example for Configuring Intersecting ERPS Rings
causing broadcast storms and rendering the MAC address table unstable. As a result, the
As shown in Figure 19-16, intersecting ERPS rings are used. SwitchA, SwitchB, SwitchC,
and SwitchD constitute the major ring, and SwitchA, LSW1, LSW2, LSW3, and SwitchD
constitute a sub-ring.

Figure 19-16 Networking of intersecting ERPS rings
Network
Router1 Router2
GE1/0/2
GE1/0/2 SwitchC
SwitchB
GE1/0/1
GE1/0/1
major ring
ring 1
GE1/0/2 SwitchA SwitchD GE1/0/2
GE1/0/3
GE1/0/1 GE1/0/3 GE1/0/1
GE1/0/1 sub-ring GE1/0/2

ring 2 LSW3
LSW1
GE1/0/2 GE1/0/1
GE1/0/1 GE1/0/2
LSW2 RPL owner
1. Configure the link type of all ports to be added to ERPS rings as trunk.
2. Create ERPS rings and configure control VLANs and Ethernet Ring Protection (ERP)
instances in the ERPS rings.
3. Specify the ERPS version and configure a sub-ring.
4. Add Layer 2 ports to ERPS rings and specify port roles.
5. Configure the topology change notification and TC protection.
6. Configure the Guard timers and WTR timers in the ERPS rings.
7. Configure Layer 2 forwarding on SwitchA through SwitchD and LSW1 through LSW3.
Procedure
Step 1 Configure the link type of all ports to be added to ERPS rings as trunk.
# Configure SwitchA. The configurations of SwitchB, SwitchC, SwitchD, LSW1, LSW2, and
LSW3 are similar to the configuration of SwitchA, and are not mentioned here.

Step 2 Create ERPS ring 1 and ERPS ring 2 and configure ERP instances in the two rings. Set the
control VLAN ID of ERPS ring 1 to 10 and the control VLAN ID of ERPS ring 2 to 20.
Enable ERPS rings 1 and 2 to transmit data packets from VLANs 100 to 200.
[SwitchA-mst-region] instance 1 vlan 10 20 100 to 200
Step 3 Specify ERPSv2 and configure ERPS ring 2 as a sub-ring.
[SwitchA-erps-ring1] version v2
[SwitchA-erps-ring2] version v2
[SwitchA-erps-ring2] sub-ring
Step 4 Add the ports to ERPS rings and specify port roles. Configure GE1/0/1 on SwitchB and
GE1/0/2 on LSW3 as their respective RPL owner ports.
# Configure SwitchA. The configurations of SwitchC, SwitchD, LSW1, and LSW2 are
similar to the configuration of SwitchA, and are not mentioned here.
# Configure SwitchB. The configurations of LSW3 is similar to the configuration of SwitchB,



[SwitchB-GigabitEthernet1/0/1] erps ring 1 rpl owner
Step 5 Configure the topology change notification function and TC protection on SwitchA and
SwitchD (interconnecting nodes).
[SwitchA-erps-ring1] tc-protection interval 200
[SwitchA-erps-ring1] tc-protection threshold 60
[SwitchA-erps-ring2] tc-notify erps ring 1
[SwitchD-erps-ring1] tc-protection interval 200
[SwitchD-erps-ring1] tc-protection threshold 60
[SwitchD-erps-ring2] tc-notify erps ring 1
Step 6 Configure the Guard timers and WTR timers in the ERPS rings.
Step 7 Configure Layer 2 forwarding on SwitchA through SwitchD.
# After the network becomes stable, run the display erps command to check brief
information about the ERPS ring and ports added to the ERPS ring. SwitchB is used as an
example.

[SwitchB] display erps

D : Discarding
F : Forwarding
R : RPL Owner
N : RPL Neighbour
FS : Forced Switch
MS : Manual Switch
Total number of rings configured = 1
Ring Control WTR Timer Guard Timer Port 1 Port 2
ID VLAN (min) (csec)
--------------------------------------------------------------------------------
1 10 6 100 (D,R)GE1/0/1 (F)GE1/0/2
--------------------------------------------------------------------------------
# Run the display erps verbose command to check detailed information about the ERPS ring
and ports added to the ERPS ring.
[SwitchB] display erps verbose
Ring ID : 1
Control Vlan : 10
Ring State : Idle
RAPS_MEL : 7
Version : 2
Sub-ring : No
TC-Notify : -
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
GE1/0/1 RPL Owner Discarding Non-failed
----End
Configuration Files
#
sysname SwitchA
#
#
instance 1 vlan 10 20 100 to 200
#
erps ring 1
control-vlan 10
wtr-timer 6
guard-timer 100
version v2
tc-protection interval 200
tc-protection threshold 60
erps ring 2
control-vlan 20

wtr-timer 6
guard-timer 100
version v2
sub-ring
tc-notify erps ring 1
#
port trunk allow-pass vlan 20 100 to 200
stp disable
erps ring 2
#
stp disable
erps ring 1
#
stp disable
erps ring 1
#
return
#
sysname SwitchB
#
#
#
erps ring 1
control-vlan 10
wtr-timer 6
guard-timer 100
version v2
#
stp disable
#
stp disable
erps ring 1
#
return
#
sysname SwitchC
#
#
#
erps ring 1
control-vlan 10

wtr-timer 6
guard-timer 100
version v2
#
stp disable
erps ring 1
#
stp disable
erps ring 1
#
return
#
sysname SwitchD
#
#
instance 1 vlan 10 20 100 to 200
#
erps ring 1
control-vlan 10
wtr-timer 6
guard-timer 100
version v2
tc-protection interval 200
tc-protection threshold 60
erps ring 2
control-vlan 20
wtr-timer 6
guard-timer 100
version v2
sub-ring
tc-notify erps ring 1
#
stp disable
erps ring 2
#
stp disable
erps ring 1
#
stp disable
erps ring 1
#
return
#
sysname LSW1
#

#
#
erps ring 2
control-vlan 20
wtr-timer 6
guard-timer 100
version v2
sub-ring
#
stp disable
erps ring 2
#
stp disable
erps ring 2
#
return
#
sysname LSW2
#
#
#
erps ring 2
control-vlan 20
wtr-timer 6
guard-timer 100
version v2
sub-ring
#
stp disable
erps ring 2
#
stp disable
erps ring 2
#
return
#
sysname LSW3
#
#
#
erps ring 2

control-vlan 20
wtr-timer 6
guard-timer 100
version v2
sub-ring
#
stp disable
erps ring 2
#
stp disable
#
return
19.10.1 Traffic Forwarding Fails in an ERPS Ring
Fault Description
After ERPS is configured, user traffic cannot be properly forwarded due to abnormal ERPS
ring status.
Procedure
Step 1 Check the port roles in the ERPS ring and status of each device in the ring.
In an ERPS ring, there should be only one RPL owner port. Other ports are common ports or
RPL neighbor ports.
Run the display erps [ ring ring-id ] verbose command in any view to check whether the
value of Ring State is Idle. (Perform this operation on each device in the ERPS ring.)
If the ERPS ring is incomplete or its status is abnormal, perform the following operations:
1. Verify that all nodes in the ERPS ring are added to the ERPS ring.
2. Check whether the ERPS ring configuration including the ERPS version number and
major ring/sub-ring on devices in the ERPS ring are the same.
3. Verify that port roles, control VLANs, and protected instances are correctly configured
on all nodes in the ERPS ring.
4. Verify that ports can allow packets of the specified VLANs to pass.
----End
19.11 References

Document Description Remark

s
ITU-T G.8032/Y.1344 Recommendation ITU-T G.8032/Y.1344 defines the ERPSv1

(06/2008) automatic protection switching (APS) protocol and
protection switching mechanisms for ETH layer
Ethernet ring topologies. Included are details
pertaining to Ethernet ring protection characteristics,
architectures and the ring APS protocol.
ITU-T G.8032/Y.1344 Recommendation ITU-T G.8032/Y.1344 defines the ERPSv2

(03/2010) automatic protection switching (APS) protocol and
protection switching mechanisms for ETH layer
Ethernet ring topologies. Included are details
pertaining to Ethernet ring protection characteristics,
architectures and the ring APS (R-APS) protocol.

Configuration Guide - Ethernet Switching 20 LDT and LBDT Configuration
20 LDT and LBDT Configuration
About This Chapter
This chapter describes how to configure Loop detection (LDT) and loopback detection
(LBDT), which allow the device to detect loopbacks on an interface, loops on the downstream
network or device and loops between two device interfaces. When detecting a loop, the device
notifies users in a timely manner and takes a preconfigured action on the problematic
interface to minimize the impact of the loop on the device and network.
20.1 Introduction to LBDT and LDT

20.2 Principles
20.6 Configuring LDT to Detect Loops
To detect loops in more than eight VLANs or on an Eth-Trunk, configure LDT.
20.7 Configuring LBDT to Detect Loops

20.1 Introduction to LBDT and LDT

LBDT and LDT periodically send detection packets through an interface to detect loops on
the interface, on the downstream network or device, or between two device interfaces.
When a loop occurs on a network, broadcast, multicast, and unknown unicast packets are
circulated on the network. This wastes network resources or even causes network breakdown.
Quickly detecting loops on a Layer 2 network can minimize the impact of loops on the entire
network; therefore, a detection technology that notifies users of loops is required. When a
loop occurs, users are requested to check network connections and configurations, and control
the problematic interface.
LDT and LBDT technologies meet the preceding requirements. LDT and LBDT periodically
send detection packets on an interface to check whether the packets return to the local device
(through the same interface or another interface), and determines whether a loop occurs on the
interface, on the downstream network or device, or between two device interfaces. After a
loop is detected, the device sends a trap to the NMS and records a log, and takes a
preconfigured action on the problematic interface (the interface is shut down by default) to
minimize impact of the loop on the device and entire network.
NOTE
LDT and LBDT can only detect loops on a single node, but cannot eliminate loops on the entire network
in the same manner as ring network technologies of ERPS, RRPP, SEP, Smart Link, and STP/RSTP/
MSTP/VBST.
The S7700&S9700 support LDT and LBDT. Table 20-1 describes the differences between
LDT and LBDT.
Table 20-1 Differences between LDT and LBDT

Item LDT LBDT
Detection packet Sends only tagged detection Sends tagged and untagged
packets, so loops are detection packets, so loops
detected based on VLANs. are detected based on
interfaces and VLANs.
Action taken after a loop is Provide actions of Trap, Block, Shutdown, No Learning,
detected and Quitvlan. (See Action Taken After a Loop Is
Detected.)
Automatic recovery of the Attempts to restore the Attempts to restore the

problematic interface interface when detection interface after a recovery
packets are not received time. However, the interface
within the recovery time. shut down by LBDT cannot
be restored.
Applicable scenario Detect loopbacks on an interface, loops on the downstream

network or device and loops between two device interfaces

Item LDT LBDT
Deployment l Deployed at the l Deployed at the access

aggregation layer. layer.
l Deployed based on l Deployed based on
VLANs. interfaces or VLANs.
l Can detect loops on an l Cannot detect loops on
Eth-Trunk. an Eth-Trunk.
Maximum number of 4094 8

VLANs that can be detected
20.2 Principles
LDT and LBDT periodically send detection packets on an interface (see Detection Packet) to
check whether the packets return to the local device (through the same interface or another
interface), and determines whether a loop occurs on the interface, on the downstream network
or device, or between two device interfaces.
l If detection packets are received by the same interface, a loopback occurs on the
interface or a loop occurs on the downstream network or device connected to the
interface.
l If detection packets are received by another interface on the same device, a loop occurs
on the device or network connected to the interface.
After a loop is detected, the device sends a trap to the NMS and records a log, and takes a
preconfigured action on the interface (see Action Taken After a Loop Is Detected) to
minimize the impact of the loop on the device and entire network.
The problematic interface continues to send detection packets. When the device does not
receive detection packets from the interface within a given period of time, the device
considers that the loop is eliminated and restores the interface. Details about this process are
described in Automatic Recovery of an Interface.
Detection Packet
LDT and LBDT periodically send detection packets on an interface to check whether the
packets return to the local device, and determine whether loops occur on the interface, on the
downstream network or device, or between two device interfaces. The following conditions
must be met:
l When a loop occurs on an interface or network connected to the interface, detection
packets sent from the interface can be sent back to the local device.
l The system can identify detection packets sent from the local device and the interface
that sends the detection packets.
A detection packet sent from a device carries the device MAC address and outbound interface
number so that the device can identify the packet sent by itself and the interface from which it
sends the packet. In addition, the packet carries the broadcast or multicast destination MAC
address to ensure that the packet can be sent back to the local device when a loop occurs on
the interface or network connected to the interface. Figure 20-1 shows the format of LDT and
LBDT packets.

Figure 20-1 Format of LDT and LBDT packets
a. LDT packet type
DMAC SMAC 802.1Q Tag LDT-Type PortInfo
b. LBDT packet type
DMAC SMAC 802.1Q Tag LDT-Type PortInfo Flag
Table 20-2 describes the fields.
Table 20-2 Description of each field
Item Description
DMAC Destination MAC address

l The destination MAC address of an LDT packet is all Fs.
l The destination MAC address of a tagged LBDT packet is all Fs; the
destination MAC address of an untagged LBDT packet is a BPDU
MAC address(0180-C200-000A), broadcast MAC address, or
multicast MAC address.
The broadcast destination MAC address (all Fs), multicast destination
MAC address, or BPDU MAC address ensures that the detection packet
can be sent back to the local device when a loop occurs on the interface or
network connected to the interface.
SMAC Source MAC address. The value is the system MAC address of the
device, which identifies packets sent from the local device.
802.1Q Tag Tag Protocol Identifier (TPID). The value of the TPID is 0x8100,
representing the 802.1Q tagged frame.
LDT-Type Detection packet type, including the protocol number and subprotocol
number.
The protocol number is 0x9998. The subprotocol number is as follows:
l 0x0001: indicates LBDT packets.
l 0x0002: indicates LDT packets.
PortInfo Information about the interface that sends detection packets, which is
used by the device to determine whether packets are sent from the
interface.
Flag Untagged detection packet flag:

l 0x0003: indicates untagged packets.
l 0x0004: indicates tagged packets.

LDT sends only tagged detection packets. LBDT sends tagged and untagged detection
packets. Therefore, LDT can detect loops based on VLANs only, whereas LBDT can detect
loops based on interfaces and VLANs.
Action Taken After a Loop Is Detected

When the system detects a loop on an interface, it can take a preconfigured action on the
interface. Table 20-3 describes the actions.
Table 20-3 Actions taken after a loop is detected
Action Description Usage Scenario
Trap The device only sends a trap to the Select this action when only traps need
NMS and records a log. to be reported without affecting traffic
forwarding on the interface.
This action cannot suppress broadcast
storms.
Block The device sends a trap to the NMS, Select this action when the interface
blocks the interface, and allows only needs to be disabled from forwarding
BPDUs to pass through. data packets and needs to forward some
BPDUs such as Link Layer Discovery
Protocol Data Units (LLDPDUs).
This action can suppress broadcast
storms.
Shutdo The device sends a trap to the NMS Select this action to prevent broadcast
wn and shuts down the interface. storms when the interface does not
participate in any calculation or
forwarding.
storms.
No The device sends a trap to the NMS Select this action when the interface
learnin and disables the interface from still needs to process data packets and
g learning new MAC addresses. to send them to the correct link.
This action cannot suppress broadcast
storms.
Quitvla The device sends a trap to the NMS Select this action when loops in a
n and removes the interface from the VLAN need to be eliminated without
VLAN where the loop occurs. affecting traffic forwarding in other
VLANs.
storms.
Regardless of which action is taken, loops on an interface or a network affect normal services.
LDT and LBDT can only detect loops on a single node, but cannot eliminate loops on the
entire network. After a loop is detected, you are advised to eliminate the loop immediately.

Automatic Recovery of an Interface

Automatic recovery mechanism of LDT and LBDT allows the problematic interface to be
restored immediately after a loop is eliminated.
LDT and LBDT define different automatic recovery processes:
l LDT: If the device does not receive detection packets from the problematic interface
within the recovery time, it considers that the loop is eliminated on the interface and
restores the interface.
l LBDT: After the configured recovery time expires, the device attempts to restore the
problematic interface. If the device does not receive detection packets from the
problematic interface within the next recovery time, it considers that the loop is
eliminated on the interface and restores the interface.
NOTE
The interface shut down by LBDT cannot be restored automatically.

LDT and LBDT can be used to detectloopbacks on an interface, a loop on the downstream
network or device or a loop between two device interfaces. LBDT can detect loops based
on VLANs and interfaces, whereas LDT can detect loops based on VLANs only. LDT can
detect loops in a maximum of 4094 VLANs, whereas LBDT can detect loops in a maximum
of eight VLANs.
Detecting Loopbacks on an Interface

During network deployment, a loopback may occur between the Tx and Rx ends of an
interface due to incorrect fiber connection or high voltage damage on the interface. Tx
represents the transmit end and Rx reprensents the receive end. As shown in Figure 20-2, a
loopback occurs on an interface of the Switch. As a result, packets sent from this interface is
looped back to the same interface, which may cause traffic forwarding errors or MAC address
flapping on the interface.
Figure 20-2 Detecting loopbacks on an interface

Switch
Tx Rx
You can configure LDT or LBDT on the interface of the Switch to detect loopbacks. When
detecting a loopback on the interface, the Switch reports a trap and records a log, and takes a
preconfigured action (such as Shutdown, Block, No learning, or Quitvlan) on the interface
to reduce the impact of the loopback on the Switch. When the Switch detects that the

loopback is eliminated on the interface, the interface can be restored. However, the interface
shut down by LBDT cannot be restored.
Detecting a Loop on the Downstream Network or Device

As shown in Figure 20-3, a loop occurs on the downstream network or device connected to
the Switch. Packets that are sent from Interface1 and pass through the downstream network or
device are sent back to Interface1.
Figure 20-3 Detecting a loop on the downstream network or device

Switch
Switch
Interface1
Interface1
a. Loop on the b. Loop on the

downstream network downstream device
You can configure LDT or LBDT on Interface1 of the Switch to detect whether a loop occurs
on the downstream network or device. When detecting a loop on the downstream network or
device, the Switch reports a trap and records a log, and takes a preconfigured action (such as
Shutdown, Block, No learning, or Quitvlan) on the interface to reduce the impact of the
loop on the Switch. When the Switch detects that the loop is eliminated on the downstream
network or device, the interface can be restored. However, the interface shut down by LBDT
cannot be restored.
Detecting a Loop Between Two Device Interfaces

As shown in Figure 20-4, a loop occurs on the network where the Switch resides. Packets
sent from Interface1 are forwarded by devices on other networks and looped back to
Interface2.

Figure 20-4 Detecting a loop between two device interfaces
Switch
Interface1 Interface2 Switch
Interface1 Interface2
a. Loop on the local b. Loop between two

network device interfaces
You can configure LDT or LBDT on Interface1 and Interface2 of the Switch to detect whether
a loop occurs on the local network or between two device interfaces. When detecting a loop,
the Switch reports a trap and records a log, and takes preconfigured actions (such as
Shutdown, Block, No learning, or Quitvlan) on Interface1 and Interface2 to reduce the
impact of the loop on the Switch. When the Switch detects that the loop is eliminated on the
local network or between two interfaces, Interface1 or Interface2 can be restored. However,
the interface shut down by LBDT cannot be restored.

License Support
LDT and LBDT are basic features of a switch and are not under license control.
Version Support
Table 20-4 Products and versions supporting LDT and LBDT

Model
S7700 S7703, V100R003C01, V100R006C00, V200R001(C00&C01),

S7706, V200R002C00, V200R003C00, V200R005C00,
S7712 V200R006C00, V200R007C00, V200R008C00,
V200R009C00, V200R010C00
S9700 S9703, V200R001(C00&C01), V200R002C00, V200R003C00,

S9706, V200R005C00, V200R006C00, V200R007C00,
S9712 V200R008C00, V200R009C00, V200R010C00

NOTE
Feature Dependencies and Limitations of LDT

l In V200R008C00 and earlier versions, LDT does not take effect in dynamic VLANs. In
V200R008C00 and later versions, the LDT-enabled switch can detect loops in dynamic
VLANs, but the Quitvlan action is invalid for dynamic VLANs.
l LDT and LBDT cannot be configured simultaneously.
l The switch enabled with LDT needs to send a large number of detection packets to
detect loops, occupying system resources. Disable LDT if loops do not need to be
detected.
l LDT performance is lowered when loops occur on multiple interfaces in multiple
VLANs. This is due to the limitations of security policies and processing capability of
the CPU. The more VLANs and interfaces involved, the lower the performance is,
especially the performance of the standby chassis in the cluster. In this case, you need to
eliminate the loops manually.
l LDT cannot be used with ring network technologies including ERPS, RRPP, SEP, Smart
Link, STP, RSTP, MSTP, and VBST. Do not configure ring network technologies on an
interface of the LDT-enabled VLAN. If LDT has been enabled globally and a ring
network technology needs to be configured on an interface, disable LDT on that interface
first.
l The blocked ports of LDT cannot block GVRP packets. To ensure that GVRP runs
normally and prevent GVRP loops, do not enable GVRP on the blocked port of LDT.
Feature Dependencies and Limitations of LBDT

l Since V200R001, the switch supports LBDT.
l In V200R008C00 and earlier versions, LBDT does not take effect in dynamic VLANs.
In V200R008C00 and later versions, the LBDT-enabled switch can detect loops in
dynamic VLANs, but the Quitvlan action is invalid for dynamic VLANs.
l LBDT and LDT cannot be configured simultaneously.
l LBDT requires that the device should send a large number of detection packets to detect
loops, occupying system resources. Therefore, disable LBDT if loops do not need to be
detected.
l LBDT cannot be configured on an Eth-Trunk or its member interfaces.
l LBDT cannot be used with ERPS, RRPP, SEP, Smart Link, STP, RSTP, MSTP, or VBST.
l The blocked ports of LBDT cannot block GVRP packets. To ensure that GVRP runs
normally and prevent GVRP loops, do not enable GVRP on the blocked port of LBDT.
Table 20-5 Default configuration of LDT

LDT Disabled globally and in a VLAN, and

enabled on an interface

Action taken after a loop is detected Shutdown
Interval for sending LDT packets 5s
Interface recovery time 255s
Table 20-6 Default configuration of LBDT

LBDT Disabled on an interface and in a VLAN
Action after a loop is detected Shutdown
Interval for sending LBDT packets 5s
Interface recovery time 3 times the interval for sending detection

packets
20.6 Configuring LDT to Detect Loops

To detect loops in more than eight VLANs or on an Eth-Trunk, configure LDT.
20.6.1 Enabling LDT
Context
After global LDT is enabled in the system view, the system does not detect loops in any
VLAN by default. To make LDT take effect, you must first enable global LDT and then
enable LDT in a specified VLAN.
NOTICE
l LDT needs to send a large number of detection packets to detect loops, occupying system
resources. Therefore, run the undo loop-detection enable or undo loop-detection enable
vlan command to disable LDT if loops do not need to be detected.
l LDT cannot be used with ring network technologies of ERPS, RRPP, SEP, Smart Link,
and STP/RSTP/MSTP/VBST. Do not configure ring network technologies on an interface
of a LDT-enabled VLAN. In contrary, if LDT is enabled globally and ring network
technologies need to be configured on an interface, run the loop-detection disable
command to disable LDT on the interface.
l When loops occur in multiple VLANs on many interfaces, LDT performance is lowered
due to limitations of security policies and CPU processing capability. The more VLANs
and interfaces are involved, the lower the performance is, especially performance of the
standby chassis in the cluster. Manually eliminating loops is recommended.

Procedure
Step 1 Run:
system-view

Step 2 Run:
loop-detection enable
Global LDT is enabled.

By default, global LDT is disabled.
Step 3 Run:

Step 4 Select either of the following configurations to add the interface to the LDT-enabled VLANs.
l Access interface
a. Run:
The link type of the interface is configured as access.

b. Run:
The interface is added to the LDT-enabled VLANs.
l Hybrid interface
a. Run:
The link type of the interface is configured as hybrid.

b. Run:
port hybrid tagged vlan { { vlan-id1 [ to vlan-id2 ] }&<1-10> | all }
The hybrid interface is added to the LDT-enabled VLANs in tagged mode.

l Trunk interface
a. Run:
The link type of the interface is configured as trunk.

b. Run:
The trunk interface is added to the LDT-enabled VLANs.

Step 5 Run:
quit

Step 6 Run:
loop-detection enable vlan { { vlan-id1 [ to vlan-id2 ] } & <1-10> | all }
LDT is enabled in VLANs.

By default, LDT is disabled in all VLANs.

LDT does not take effect in dynamic VLANs, and support LDT in a maximum of 4094
VLANs.
----End
20.6.2 (Optional) Setting the Interval for Sending LDT Packets
Context
An LDT-enabled interface sends LDT packets at intervals. A shorter interval indicates that the
system sends more LDT packets in a given period and detects loops more accurately.
However, more system resources are consumed and system performance is affected. You can
adjust the interval for sending LDT packets according to actual networking to balance system
performance and LDT accuracy.
Procedure
Step 1 Run:
system-view
Step 2 Run:
loop-detection interval-time interval-time
The interval for sending LDT packets is set.
By default, the interval for sending LDT packets is 5s.
----End
20.6.3 Configuring an Action Taken After a Loop Is Detected
Context
By default, when a loop on an interface or the network connected to the interface, the device
does not take any action. To notify users of network connections and configurations when a
loop occurs on an interface, and minimize the impact of loops on the device and entire
network, configure an action taken on the problematic interface.
The device provides the following actions after LDT detects a loop:
l Trap: The device reports a trap to the NMS and records a log, but does not take any
action on the interface.
l Block: The device isolates an interface where a loop occurs from other interfaces, and
can forward only BPDUs.
l No learning: The interface is disabled from learning MAC addresses.
l Shutdown: The device shuts down the interface.
l Quitvlan: The interface is removed from the VLAN where a loop occurs.
For details about the actions, see Action Taken After a Loop Is Detected. You can configure
one of the actions according to actual networking.

Procedure
Step 1 Run:
system-view
Step 2 Run:
snmp-agent trap enable
Or, run:
snmp-agent trap enable feature-name ldttrap
The trap function is enabled for LDT. This function allows the device to send traps of LDT.
By default, the trap function is disabled for LDT.
Step 3 Run:
Step 4 Run:
loop-detection mode { port-trap | port-blocking | port-nolearning | port-shutdown
| port-quitvlan }
An action taken after a loop is detected is configured.
By default, an interface is shut down after LDT detects a loop.
NOTICE
l When a loop occurs on the network-side interface where the block or shutdown action is
configured, all services on the device are interrupted. Do not deploy LDT on the network-
side interface.
l The Quitvlan action cannot be used with such functions as GVRP, HVRP and the
function of removing an interface from the VLAN where MAC address flapping occurs.
These functions dynamically delete an interface from a VLAN.
----End
20.6.4 (Optional) Setting the Recovery Time of an Interface
Context
When LDT detects a loop on an interface, a preconfigured action is taken on the interface.
You can set the recovery time of the interface after the loop is eliminated. When the system
does not receive LDT packets from the interface in the recovery time, it considers that the
loop is eliminated on the interface and restores the interface.

Procedure
Step 1 Run:
system-view
Step 2 Run:
Step 3 Run:
loop-detection recovery-time recovery-time
The recovery time is set.
By default, the recovery time of an interface is 255s.
NOTE
l To prevent interface status flapping, set the interface recovery time to be larger than the interval for
sending LDT packets.
l Configure the interface recovery time according to the network situation and LDT scope. The LDT
scope is determined by the total number of VLANs and interfaces where LDT is enabled. A larger
number indicates a wider scope. When there are many loops on the network and LDT is enabled in a
wide scope, it is recommended that you retain the default recovery time or set a longer recovery time
(for example, 100s). If the recovery time is short in this situation, the CPU usage becomes high.
----End
Procedure
Step 1 Run the display loop-detection [ interface interface-type interface-number ] command to
check the LDT configuration and interface status.
If interface-type and interface-number are not specified, the status of the global LDT function
is displayed. If the function is enabled, the system displays the interval for sending LDT
packets, ID of the VLANs with this function enabled, detected loops, and actions taken on the
interfaces where loops are detected.
If interface-type and interface-number are specified, the system displays the interface status,
interface recovery time, and LDT-enabled VLAN.
----End
20.7 Configuring LBDT to Detect Loops

20.7.1 Enabling LBDT

Context
NOTICE
LBDT needs to send a large number of LBDT packets to detect loops, occupying system
resources. Therefore, disable LBDT if loops do not need to be detected.
An LBDT-enabled interface periodically sends untagged LBDT packets with the destination
MAC address as the BPDU MAC address to detect loops. Generally, the switch does not
allow BPDUs to pass through, so LBDT can only detect loopbacks on an Interface, but
cannot detect a loop on the downstream network or device or between two device
interfaces.
To enable LBDT to detect a loop on the downstream network or device, configure LBDT
in a specified VLAN. When the connected interface is an access interface or the PVIDs of the
inbound and outbound interfaces are the same, you can also run the loopback-detect untagged
mac-address command to detect loops.
To enable LBDT to detect a loop between two device interfaces, configure LBDT in a
specified VLAN.
On the S7700&S9700, you can enable LBDT on all interfaces in the system view or on an
interface.
Procedure
Step 1 Run:
system-view

Step 2 Run the following commands as required.
l Enable LBDT on all interfaces.
Run the loopback-detect enable command to enable LBDT on all interfaces.
When LBDT needs to be configured on most interfaces, perform this operation. This
operation simplifies the configuration.
l Enable LBDT on an interface.
a. Run the interface interface-type interface-number command to enter the interface
view.
b. Run the loopback-detect enable command to enable LBDT on the interface.
By default, LBDT is disabled on an interface.
Step 3 Run the following commands as needed.
If Detecting Loopbacks on an Interface is required, skip this step.
If Detecting a Loop on the Downstream Network or Device or Detecting a Loop Between
Two Device Interfaces is required, perform this step.

l Configuring LBDT in a specified VLAN

a. Run:

b. Select either of the following configurations to add the VLAN where loops need to
be detected.
n Access interface
1) Run:
The link type of the interface is configured as access.

2) Run:
The access interface is added to the VLAN where loops need to be

detected.
n Hybrid interface
1) Run:
The link type of the interface is configured as hybrid.

2) Run:
port hybrid tagged vlan { { vlan-id1 [ to vlan-id2 ] }&<1-10> |
all } or port hybrid untagged vlan { { vlan-id1 [ to vlan-
id2 ] }&<1-10> | all }
The hybrid interface is added to the VLAN where loops need to be

detected.
n Trunk interface
1) Run:
The link type of the interface is configured as trunk.

2) Run:
port trunk allow-pass vlan { { vlan-id1 [ to vlan-
id2 ] }&<1-10> | all }
The trunk interface is added to the VLAN where loops need to be

detected.
c. Run:
loopback-detect packet vlan { vlan-id1 [ to vlan-id2 ] } &<1-8>
Configure LBDT in a specified VLAN.

By default, LBDT is disabled in a VLAN.
NOTE
– An interface sends tagged LBDT packets only when the specified VLAN has been created.
– LBDT does not take effect in dynamic VLANs.
– Loops may be not detected in a VLAN specified by the PVID of an interface or VLAN where
an interface is added in untagged mode. This is because VLAN tags of LBDT packets are
removed and the packet priority changes.
l Configuring the destination MAC address of untagged LBDT packets

Run the loopback-detect untagged mac-address mac-address command to set the

destination MAC address of untagged LBDT packets.
By default, the destination MAC address of untagged LBDT packets is 0180-
C200-000A.
Do not configure the destination MAC address of untagged LBDT packets as the
destination MAC address of other protocols. You are advised to set the destination MAC
address of untagged LBDT packets to a broadcast MAC address (all Fs).
----End
20.7.2 (Optional) Setting the Interval for Sending LBDT Packets
Context
An LBDT-enabled interface sends LBDT packets at intervals. A shorter interval indicates that
the system sends more LBDT packets in a given period and detects loops more accurately.
However, more system resources are consumed and system performance is affected. You can
adjust the interval for sending LBDT packets according to actual networking to balance
system performance and LBDT accuracy.
Procedure
Step 1 Run:
system-view

Step 2 Run:
loopback-detect packet-interval packet-interval-time
The interval for sending LBDT packets is set.

By default, the interval for sending LBDT packets is 5s.
----End
20.7.3 Configuring an Action Taken After a Loop Is Detected

Context
By default, when a loop occurs on a network, the device does not take any action. In this case,
the interface needs to be shut down to prevent the impact of the loop on the device and
network.
You can preconfigure an action to be taken after LBDT detects a loop. After detecting a loop,
the device takes the preconfigured action on the interface to prevent the impact of the loop on
the device and entire network.
The device provides the following actions after LBDT detects a loop:
l Trap: The device reports a trap to the NMS and records a log, but does not take any
action on the interface.
l Block: The device isolates an interface where a loop occurs from other interfaces, and
can forward only BPDUs.

l No learning: The interface is disabled from learning MAC addresses.

l Shutdown: The device shuts down the interface.
l Quitvlan: The interface is removed from the VLAN where a loop occurs.
For details about the actions, see Action Taken After a Loop Is Detected. You can configure
one of the actions according to actual networking.
Procedure
Step 1 Run:
system-view

snmp-agent trap enable
Or, run:
snmp-agent trap enable feature-name lbdt
The trap function is enabled for LBDT. This function allows the device to send traps of
LBDT.
By default, the trap function is enabled for LBDT.
Step 3 Run:

Step 4 Run:
loopback-detect action { block | nolearn | shutdown | trap | quitvlan }
An action taken on an interface where LBDT detects a loop is configured.

By default, the shutdown action is taken on an interface where LBDT detects a loop.
NOTE
l When the Quitvlan action is used, the configuration file remains unchanged.
l The Quitvlan action cannot be used with such functions as GVRP, HVRP and the function of
removing an interface from the VLAN where MAC address flapping occurs. These functions
dynamically delete an interface from a VLAN.
----End
20.7.4 (Optional) Setting the Recovery Time of an Interface
Context
An LBDT-enabled interface periodically sends LBDT packets to detect loops. After a loop is
detected, an action configured by the loopback-detect action command is taken on the
interface. In addition, the system counts the time. After the configured recovery time expires,
the system attempts to restore the problematic interface. If the device does not receive
detection packets from the problematic interface within the next recovery time, it considers
that the loop is eliminated on the interface and restores the interface.

Procedure
Step 1 Run:
system-view

Step 2 Run:

Step 3 Run:
loopback-detect recovery-time recovery-time
The interface recovery time after a loop is removed is set.

By default, the interface recovery time is three times the interval for sending LBDT packets.
NOTE
l It is recommended that the interface recovery time be three times the packet sending interval. If the
packet sending interval has been set to a small value, the interface recovery time should be at least
10 seconds longer than the packet sending interval.
l Automatic recovery is valid for Trap, Quitvlan, Block, and No learning. After a loop is eliminated,
the shutdown interface cannot be restored automatically. You must run the shutdown and undo
shutdown commands or run the restart command to restore the interface.
----End
Procedure
l Run the display loopback-detect command to check the LBDT configuration and status
of LBDT-enabled interfaces.
----End
20.8.1 Example for Configuring LDT to Detect Loops on the

Downstream Network
As shown in Figure 20-5, a new branch network of an enterprise connects to the aggregation
switch Switch, and VLANs 10 to 20 are deployed on the branch network. Loops may occur
due to incorrect connections or configurations. As a result, communication on the Switch and
uplink network may be Haffected.
It is required that the Switch should immediately detect loops on the new branch network to
prevent the impact of loops on the Switch and uplink network.

Figure 20-5 Networking for configuring LDT to detect loops on the downstream network
Switch
GE1/0/1
New branch
VLAN 10-20
Loops need to be detected in VLANs 10 to 20 (more than eight VLANs) on the new branch
network, so you need to configure LDT on the Switch to detect loops on the new branch
network. The configuration roadmap is as follows:
1. Enable LDT on the GE1/0/1 of the Switch to detect loops in a specified VLAN so that
loops on the downstream network can be detected.
2. Configure an action after loops are detected so that the Switch can immediately shut
down the interface where a loop is detected. This prevents the impact of the loop on the
Switch and uplink network.
NOTE
l Configure interfaces on other switching interfaces as trunk or hybrid interfaces and configure these
interfaces to allow packets from VLANs to pass through to ensure Layer 2 connectivity on the new
branch network and between the new branch network and the Switch.
l The configurations in this example can also be performed to detect loopbacks on interfaces
connecting switching devices.
Procedure
Step 1 Enable global LDT.
[Switch] loop-detection enable
Step 2 Enable LDT in VLANs.

[Switch] vlan batch 10 to 20
[Switch] loop-detection enable vlan 10 to 20
Step 3 Set the interval for sending LDT packets on the interface.
[Switch] loop-detection interval-time 10
Step 4 Configure an action taken after a loop is detected.

# Enable the trap function for LDT.

[Switch] snmp-agent trap enable feature-name ldttrap
Set the action to Shutdown.

[Switch-GigabitEthernet1/0/1] stp disable
[Switch-GigabitEthernet1/0/1] port hybrid tagged vlan 10 to 20
[Switch-GigabitEthernet1/0/1] loop-detection mode port-shutdown
# After the configuration is complete, run the display loop-detection command to check
global LDT information.
[Switch] display loop-detection
Loop Detection is enabled.
Detection interval time is 10 seconds.
Following vlans enable loop-detection:
vlan 10 to 20
Following ports are blocked for loop:
NULL
Following ports are shutdown for loop:
GigabitEthernet1/0/1 Include Vlans:
10
Following ports are nolearning for loop:
NULL
Following ports are trapped for loop:
NULL
Following ports are quitvlan for loop:
NULL
# Check LDT information on GE1/0/1.

[Switch] display loop-detection interface gigabitethernet 1/0/1
The port is enabled.
The port's status list:
Status WorkMode Recovery-time EnabledVLAN
-----------------------------------------------------------------------
Shutdown Shutdown 255 10
Normal Shutdown 255 11
The command output shows that LDT is enabled in VLAN 10 to VLAN 20 and the
Shutdown action is taken on GE1/0/1 in VLAN 10, indicating that a loop is detected in
VLAN 10.
NOTE
When the system detects loops in one or more VLANs, the Shutdown action is taken on the interface.
The loops are therefore eliminated; however, loops in all VLANs cannot be detected.
----End
Configuration Files

#
sysname Switch
#
vlan batch 10 to 20
#
loop-detection interval-time 10
loop-detection enable vlan 10 to 20
#
stp disable
#
snmp-agent
snmp-agent local-engineid 800007DB03020000000211
snmp-agent sys-info version v3
snmp-agent trap enable feature-name LDTTRAP
#
return
20.8.2 Example for Configuring LDT to Detect Loops on the Local

Network
As shown in Figure 20-6, an enterprise uses Layer 2 networking. The Switch is the
aggregation switch, and each switch allows packets from VLANs 10 to 20 to pass through.
Because employees often move, the network topology changes frequently. Connections or
configurations may be incorrect due to misoperations. As a result, loops may occur in VLANs
10 to 20.
Loops cause broadcast storms and affect device and network communication. It is required
that loops be detected and eliminated in VLANs in a timely manner to prevent broadcast
storms.
Figure 20-6 Networking for configuring LDT to detect loops on the local network
Switch
GE1/0/0 GE2/0/0
VLAN 10~20
Loops need to be detected in VLANs 10 to 20. Because there are more than eight VLANs,
you can configure LDT to detect loops and configure an action after loops are detected to
prevent broadcast storms. All VLANs share a link. To prevent loop removal in a VLAN from

affecting data forwarding in other VLANs, configure the QuitVLAN action. The
configuration roadmap is as follows:
1. Enable LDT on GE1/0/0 and GE2/0/0 on the Switch to detect loops in VLANs 10 to 20.
2. Configure an action taken after a loop is detected on GE1/0/0 and GE2/0/0, and set the
recovery time so that the Switch can immediately take the preconfigured action on the
interface to prevent broadcast storms after a loop is detected. In addition, the Switch can
restore the interface after the loop is eliminated.
NOTE
l Configure interfaces on other switching interfaces as trunk or hybrid interfaces and configure these
interfaces to allow packets from VLANs to pass through to ensure Layer 2 connectivity.
l The configurations in this example can also be performed to detect loopbacks on interfaces
connecting switching devices.
Procedure
Step 1 Enable global LDT.
[Switch] loop-detection enable
Step 2 Enable LDT in VLANs.

[Switch] vlan batch 10 to 20
[Switch] loop-detection enable vlan 10 to 20
Step 3 Set the interval for sending LDT packets on the interface.
[Switch] loop-detection interval-time 10
Step 4 Configure an action taken after a loop is detected.
# Enable the trap function for LDT.

[Switch] snmp-agent trap enable feature-name ldttrap
Set the action to Quitvlan.

[Switch-GigabitEthernet1/0/0] loop-detection mode port-quitvlan
[Switch-GigabitEthernet2/0/0] loop-detection mode port-quitvlan
Step 5 Set the interface recovery time.

[Switch-GigabitEthernet1/0/0] loop-detection recovery-time 30
[Switch-GigabitEthernet2/0/0] loop-detection recovery-time 30

1. Check the LDT configuration.

# After the configuration is complete, run the display loop-detection command to check
global LDT information.
[Switch] display loop-detection
Loop Detection is
enabled.
Detection interval time is 10
seconds.
Following vlans enable loop-detection:
vlan 10 to 20
Following ports are blocked for
loop:
NULL
Following ports are shutdown for

loop:
NULL
Following ports are nolearning for

loop:
NULL
Following ports are trapped for

loop:
NULL
Following ports are quitvlan for

loop:
10 11 12 16 19
13 14 15 17 18
20
# Check LDT information on GE1/0/0 and GE2/0/0.
The port is
enabled.
The port's status
list:
Status WorkMode Recovery-time
EnabledVLAN
-----------------------------------------------------------------------
Quitvlan Quitvlan 30 10
Normal Quitvlan 30
13
Normal Quitvlan 30
14
Normal Quitvlan 30
15
Normal Quitvlan 30
17
Normal Quitvlan 30
18
Normal Quitvlan 30
20
The port is
enabled.
The port's status
list:
EnabledVLAN
-----------------------------------------------------------------------

Normal Quitvlan 30 10
Normal Quitvlan 30
11
Normal Quitvlan 30
12
Normal Quitvlan 30
16
Normal Quitvlan 30
19
LDT is enabled in VLAN 10 to VLAN 20, the Quitvlan action is taken on GE1/0/0 and
GE2/0/0, GE1/0/0 is deleted from VLANs 10, 11, 12, 16, and 19, and GE2/0/0 is deleted
from VLAN 13s, 14, 15, 17, 18, and 20.
NOTE
The VLANs where an interface is deleted are uncertain, but the interface is deleted from all
VLANs on the network where the loop occurs.
2. After the loop is eliminated (for example, GE2/0/0 is shut down, and faults in the
connection between devices are rectified), check whether GE1/0/0 and GE2/0/0 are
restored.
The port is
enabled.
The port's status
list:
EnabledVLAN
-----------------------------------------------------------------------
Normal Quitvlan 30
10
Normal Quitvlan 30
11
Normal Quitvlan 30
12
Normal Quitvlan 30
13
Normal Quitvlan 30
14
Normal Quitvlan 30
15
Normal Quitvlan 30
16
Normal Quitvlan 30
17
Normal Quitvlan 30
18
Normal Quitvlan 30
19
Normal Quitvlan 30
20
The port is
enabled.
The port's status
list:
EnabledVLAN
-----------------------------------------------------------------------
Normal Quitvlan 30

10
Normal Quitvlan 30
11
Normal Quitvlan 30
12
Normal Quitvlan 30
13
Normal Quitvlan 30
14
Normal Quitvlan 30
15
Normal Quitvlan 30
16
Normal Quitvlan 30
17
Normal Quitvlan 30
18
Normal Quitvlan 30
19
Normal Quitvlan 30 20
The command output shows that GE1/0/0 and GE2/0/0 are restored.
----End
Configuration Files
#
sysname Switch
#
vlan batch 10 to 20
#
loop-detection interval-time 10
loop-detection enable vlan 10 to 20
#
stp disable
loop-detection mode port-quitvlan
loop-detection recovery-time 30
#
stp disable
loop-detection mode port-quitvlan
loop-detection recovery-time 30
#
snmp-agent
snmp-agent local-engineid 800007DB03020000000211
snmp-agent sys-info version v3
snmp-agent trap enable feature-name LDTTRAP
#
return
20.8.3 Example for Configuring LBDT to Detect Loopbacks on an

Interface
As shown in Figure 20-7, aggregation switch SwitchA on an enterprise network connects to a
new access switch SwitchB. To prevent a loopback from occurring between the Tx and Rx

ends of GE1/0/0 due to incorrect fiber connection or high voltage damage, SwitchA is
required to detect loopbacks on GE1/0/0. Furthermore, it is required that the interface be
blocked to reduce the impact of the loopback on the network when a loopback is detected, and
the interface be restored after the loopback is removed.
Figure 20-7 Networking for configuring LBDT to detect loopbacks on an interface

SwitchA
GE1/0/0
Tx Rx
GE1/0/0
SwitchB
To detect loopbacks on downlink interface GE1/0/0 of SwitchA, configure LBDT on GE1/0/0
of SwitchA. The configuration roadmap is as follows:
1. Enable LBDT on GE1/0/0 of SwitchA to detect loopbacks.
2. Configure an action taken after a loopback is detected and set the recovery time. After a
loopback is detected, the system blocks the interface to reduce the impact of the
loopback on the network. After a loop is eliminated, the system restores the interface.
Procedure
Step 1 Enable LBDT on an interface.
[SwitchA-GigabitEthernet1/0/0] loopback-detect enable
Step 2 Configure an action taken after a loopback is detected and set the recovery time.
[SwitchA-GigabitEthernet1/0/0] loopback-detect action block
[SwitchA-GigabitEthernet1/0/0] loopback-detect recovery-time 30

1. Run the display loopback-detect command to check the LBDT configuration.
[SwitchA] display loopback-detect
Loopback-detect sending-packet interval:
5
------------------------------------------------------------------------------
----
Interface RecoverTime Action Status

------------------------------------------------------------------------------
----
GigabitEthernet1/0/0 30 block NORMAL
------------------------------------------------------------------------------
----
The preceding command output shows that the LBDT configuration is successful.
2. After about 5s, run the display loopback-detect command to check whether GE1/0/0 is
blocked.
5
------------------------------------------------------------------------------
----
------------------------------------------------------------------------------
----
GigabitEthernet1/0/0 30 block BLOCK(Loopback detected)
------------------------------------------------------------------------------
----
The preceding command output shows that GE1/0/0 is blocked, indicating that a
loopback occurs on GE1/0/0.
3. Manually remove the loopback. Run the display loopback-detect command to check
whether GE1/0/0 is restored.
5
------------------------------------------------------------------------------
----
------------------------------------------------------------------------------
----
------------------------------------------------------------------------------
----
The preceding command output shows that GE1/0/0 is restored.
----End
Configuration Files
#
sysname SwitchA
#
loopback-detect recovery-time 30
loopback-detect enable
loopback-detect action block
#
return
20.8.4 Example for Configuring LBDT to Detect Loops on the

Downstream Network

As shown in Figure 20-8, a new department of an enterprise connects to aggregation switch
Switch, and this department belongs to VLAN 100. Loops may occur due to incorrect
connections or configurations. As a result, communication on the Switch and uplink network
may be affected.
It is required that the Switch should detect loops on the new network to prevent the impact of
loops on the Switch and connected network.
Figure 20-8 Networking for configuring LBDT to detect loops on the downstream network
Switch
GE1/0/1
New department
VLAN 100
The new department network has only VLAN 100, so configure LBDT on the Switch to
detect loops. The configuration roadmap is as follows:
1. Enable LBDT on the GE1/0/1 of the Switch to detect loops in a specified VLAN so that
loops on the downstream network can be detected.
2. Set LBDT parameters so that the Switch can immediately shut down GE1/0/1 after a
loop is detected. This prevents the impact of the loop on the Switch and connected
network.
NOTE
Configure interfaces on other switching interfaces as trunk or hybrid interfaces and configure these
interfaces to allow packets from VLANs to pass through to ensure Layer 2 connectivity on the new
network and between the new network and the Switch.
Procedure
Step 1 Enable LBDT on the interface.
[Switch-GigabitEthernet1/0/1] loopback-detect enable

Step 2 Specify the VLAN ID of LBDT packets.

[Switch] vlan 100
[Switch-GigabitEthernet1/0/1] loopback-detect packet vlan 100
Step 3 Configure LBDT parameters.

# Set the interval for sending LBDT packets.
[Switch] loopback-detect packet-interval 10
# Configure an action taken after a loop is detected.

[Switch-GigabitEthernet1/0/1] loopback-detect action shutdown

[Switch] display loopback-detect
Loopback-detect sending-packet interval: 10
------------------------------------------------------------------------------
----
------------------------------------------------------------------------------
----
GigabitEthernet1/0/1 - shutdown NORMAL
------------------------------------------------------------------------------
----
2. Construct loops on the downstream network and run the display loopback-detect
command to check whether GE1/0/1 is shut down.
10
------------------------------------------------------------------------------
----
------------------------------------------------------------------------------
----
GigabitEthernet1/0/1 - shutdown SHUTDOWN(Loopback
detected)
------------------------------------------------------------------------------
----
The preceding command output shows that GE1/0/1 is shut down.
----End
Configuration Files
#
sysname Switch
#
vlan batch 100

#
loopback-detect packet-interval 10
#
loopback-detect packet vlan 100
#
return
20.8.5 Example for Configuring LBDT to Detect Loops on the

Local Network
As shown in Figure 20-9, a small-scale enterprise uses Layer 2 networking and belongs to
VLAN 100. Because employees often move, the network topology changes frequently. Loops
may occur due to incorrect connections or configurations during the change. As a result,
broadcast storms may occur and affect communication of the Switch and entire network.
The requirements are as follows: The Switch detects loops. When a loop exists, the interface
is blocked to reduce the impact of the loop on the Switch and network. When the loop is
eliminated, the interface can be restored.
Figure 20-9 Networking for configuring LBDT to detect loops on the local network
Switch
GE1/0/1 GE1/0/2
VLAN 100
To detect loops on the network where the Switch is deployed, configure LBDT on GE1/0/1
and GE1/0/2 of the Switch. In this example, untagged LBDT packets sent by the Switch will
be discarded by other switches on the network. As a result, the packets cannot be sent back to
the Switch, and LBDT fails. Therefore, LBDT is configured in a specified VLAN. The
configuration roadmap is as follows:
1. Enable LBDT on an interface and configure the Switch to detect loops in VLAN 100 to
implement LBDT on the network where the Switch is deployed.
2. Configure an action taken after a loop is detected and set the recovery time. After a loop
is detected, the Switch blocks the interface to reduce the impact of the loop on the
network. After a loop is eliminated, the Switch restores the interface.

NOTE
Configure interfaces on other switching interfaces as trunk or hybrid interfaces and configure these
interfaces to allow packets from VLANs to pass through to ensure Layer 2 connectivity.
Procedure
Step 1 Enable LBDT on an interface.
Step 2 Specify the VLAN ID of LBDT packets.

[Switch] vlan 100
Step 3 Configure an action taken after a loop is detected and set the recovery time.
[Switch-GigabitEthernet1/0/1] loopback-detect action block
[Switch-GigabitEthernet1/0/1] loopback-detect recovery-time 30
[Switch-GigabitEthernet1/0/2] loopback-detect action block
[Switch-GigabitEthernet1/0/2] loopback-detect recovery-time 30

5
------------------------------------------------------------------------------
----
------------------------------------------------------------------------------
----
------------------------------------------------------------------------------
----
2. After about 5s, run the display loopback-detect command to check whether GE1/0/1 or
GE1/0/2 is blocked.
5

------------------------------------------------------------------------------
----
------------------------------------------------------------------------------
----
GigabitEthernet1/0/2 30 block BLOCK(Loopback detected)
------------------------------------------------------------------------------
----
The preceding command output shows that GE1/0/2 is blocked.

3. Shut down GE1/0/1. After 30s, run the display loopback-detect command to check
whether GE1/0/2 is restored.
5
------------------------------------------------------------------------------
----
------------------------------------------------------------------------------
----
------------------------------------------------------------------------------
----
The preceding command output shows that GE1/0/2 is restored.
----End
Configuration Files
#
sysname Switch
#
vlan batch 100
#
#
#
return

Configuration Guide - Ethernet Switching 21 HVRP Configuration
21 HVRP Configuration
About This Chapter
This chapter describes how to configure the Hierarchy VLAN Register Protocol (HVRP).
21.1 Introduction to HVRP

21.2 Principles
21.3 Applications
21.6 Configuring HVRP
A Layer 2 switch needs to learn a large number of MAC addresses. To reduce the MAC
addresses that the switch needs to learn, enable HVRP on the switch.
21.8 References

21.1 Introduction to HVRP
Definition
Through dynamic VLAN registration and aging mechanism, the Hierarchy VLAN Register
Protocol (HVRP) ages the VLANs that interfaces join and are not used to forward packets on
an interface and saves only necessary VLANs. This saves MAC address entries.
Purpose
The ring or tree topology is widely used for network deployment. Regardless of topology,
aggregation devices must support a large number of MAC address entries to meet
requirements of downstream users. As users on the network increase quickly, MAC address
entries supported by a switch may be insufficient. As a result, the switch cannot learn the
MAC addresses of some users. In this case, packets of these users are broadcast in the VLAN,
wasting bandwidth and deteriorating network performance.
HVRP can be used when the number of MAC addresses supported by the switch is smaller
than the total number of users connected to the switch. In special networking, HVRP can
dynamically register and age VLANs to save MAC addresses and increase the number of
users that the switch supports.
21.2 Principles
HVRP Concepts
l HVRP interface
An interface that is configured with HVRP attributes. It can send, receive, and process
HVRP packets.
l HVRP root interface
An HVRP interface that functions as the root interface in a Spanning Tree Protocol
(STP) region.
l HVRP designated interface
An HVRP interface that functions as the designated interface in an STP region.
l Local VLAN/User VLAN
A VLAN that does not contain any HVRP interface.
l VLAN registration
A process of adding HVRP interfaces to VLANs that meet certain conditions in tagged
mode.
l VLAN aging
A process of deleting a VLAN from an HVRP interface.

l Permanent VLAN
A VLAN that is never aged by an HVRP interface.
l Local VLAN information sending
The HVRP root interface sends HVRP packets containing local VLAN information after
STP and HVRP are enabled.
l VLAN registration timer
A timer that specifies the interval at which HVRP VLAN registration packets are sent.
l Aging timer of registered VLANs
A timer that specifies the aging time of registered VLANs. If the HVRP designated
interface does not receive any registration packets of a VLAN within the aging time, the
VLAN is aged on the HVRP designated interface.
HVRP Packet Format

Figure 21-1 shows the HVRP packet format.
Figure 21-1 HVRP packet format
Protocol Protocol
DMAC SMAC MSTI ID Packet content
flag type
l Protocol flag: HVRP packet flag bit.

l Protocol type: HVRP packet type, which can be user VLAN registration or interface
status change notification.
l MSTI ID: Multiple Spanning Tree Instance (MSTI) ID.
l Packet content: This field is invalid for interface status change notification packets. In
user VLAN registration packets, this field contains information about all authorized user
VLANs.
21.2.2 Working Process
Through dynamic VLAN registration and aging mechanism, HVRP ages the VLANs that are
not used to forward packets on an interface and saves only necessary VLANs. When a VLAN
contains one or two interfaces, MAC addresses do not need to be learned. Instead, data
packets are broadcast in the VLAN without affecting the bandwidth.
In Figure 21-2:
l STP is enabled on the entire network, and the HVRP root interface and HVRP
designated interfaces are calculated through STP.
l The switches are connected through trunk interfaces. All trunk interfaces are enabled
with HVRP and can forward packets of VLAN 101 through VLAN 500.
l HVRP is disabled on STP edge interfaces.
Figure 21-2 shows HVRP networking. The HVRP working mechanism is described based on
this networking.

Figure 21-2 HVRP working mechanism

Router
VLAN:101-500
VLAN:301-400 SwitchA VLAN:401-500
SwitchB SwitchC
SwitchD SwitchE
VLAN:101-200 VLAN:201-300
SwitchA is the root bridge. Links between SwitchD and SwitchE are blocked by STP. The
VLANs created on each switch include all user VLANs on the ring.
Generally, data packets of users connected to SwitchD are forwarded by the interface
connecting SwitchD to SwitchB. The interface connecting SwitchD to SwitchE does not
forward packets of VLAN 101 through VLAN 200 to other devices. Based on the Layer 2
forwarding principle:
l When there are more than two interfaces on a Layer 2 switch, the switch searches the
MAC address table for the outbound interface based on the destination MAC address in
the packet. If no outbound interface is found, the switch broadcasts a packet to all
interfaces.
l When there are only two interfaces on a Layer 2 switch, the switch forwards the data
packet through the other interface but not the receive interface. The switch does not need
to search the destination MAC address or establish a MAC address entry.
Three interfaces on SwitchD belong to VLAN 101 through VLAN 200, so SwitchD must
learn MAC addresses. However, the interface connecting SwitchD to SwitchE does not
forward packets of VLAN 101 through VLAN 200 to other devices. HVRP deletes the
interfaces that do not forward packets from VLANs so that the switch does not need to learn
MAC addresses. This reduces the number of MAC addresses that the switch learns and
improves stability and manageability of the switch.
VLAN Registration
Each switch periodically sends VLAN registration packets from the root interface to register
VLANs of the local switch. For example, SwitchD periodically sends VLAN registration
packets of VLAN 101 through VLAN 200 to other devices on the ring through the root

interface. After receiving a VLAN registration packet from SwitchD, SwitchB registers
VLAN 101 through VLAN 200 with the interface that receives the VLAN registration packet
and forwards the packet upstream through the root interface.
SwitchB sends VLAN registration packets of local user VLAN 301 to VLAN 400 through the
root interface. After receiving VLAN registration packets from SwitchB and VLAN
registration packets of SwitchD forwarded by SwitchB, SwitchA registers VLANs of SwitchB
and SwitchD on the interface that receives the packets. SwitchA is the root bridge, so it does
not forward or generate VLAN registration packets.
The following are some important points on VLAN registration:

l VLANs can be registered only on designated interfaces.
l A VLAN can be registered on an interface only after the interface is manually added to
the VLAN. For example, if an HVRP designated interface does not belong to VLAN
999, VLAN 999 cannot be registered on this interface even if the interface receives a
registration packet of VLAN 999.
VLAN Aging
If a switch does not receive any registration packets containing a registered VLAN within a
certain period of time, the VLAN is deleted from the non-root interface.
VLAN aging is implemented only on HVRP non-root interfaces. VLANs on the HVRP root
interface never age out because all packets must pass through the HVRP root interface.
SwitchB is used as an example to describe VLAN aging on a switch. SwitchB is on a ring,

and has a root interface, a designate interface, and a non-HVRP interface.
l The interface connected to users is a non-HVRP interface and does not age out VLANs.
l The interface connected to SwitchA is the HVRP root interface, so VLANs on this
interface will never be aged out.
l The interface connecting to SwitchD is an HVRP designated interface and is manually
added to VLAN 101 through VLAN 500. This interface periodically receives registration
packets of VLAN 101 through VLAN 200 from SwitchD. VLAN 101 through VLAN
200 are not aged out, but VLAN 201 through VLAN 500 are aged out after the aging
time.
After the VLANs are aged out, VLAN 101 through VLAN 200 contain only the interface
connected to SwitchA and the interface connected to SwitchD. VLAN 301 through VLAN
400 contain only the interface connected to SwitchA and the interface connected to users.
Therefore, SwitchB does not need to learn MAC addresses in VLAN 101 through VLAN 500.
After receiving data packets of a VLAN on an interface, SwitchB only needs to forward the
packets through the other interface in the VLAN.
Sending and Maintaining Local VLAN Information

The HVRP root interface periodically sends local VLAN registration packets according to the
VLAN registration timer.
When the role of a local VLAN changes, for example, the VLAN is not a local VLAN any
more because the configuration is changed, the switch sends the local VLAN information
through the HVRP root interface immediately.

Re-registering VLANs When the Status of an HVRP Interface Changes to Up or

Down
Interface status change indicates that the status of an interface changes to Up or Down.
When the status of an HVRP interface changes to Up or Down, the aged VLANs may
interrupt forwarding of Layer 2 packets on the entire network. Therefore, when a switch
detects that the status of an HVRP interface changes, the switch immediately notify all the
other switches on the network. The switches re-register the aged VLANs on the original
interfaces.
Re-registering VLANs When the STP Role of an HVRP Interface Changes

After STP is enabled globally, each interface on a switch plays as a role, such as root
interface, designated interface, and backup interface.
When the role of an HVRP interface changes, aged VLANs on the interface may interrupt the
forwarding of Layer 2 packets over the entire network. Therefore, when a switch detects that
the role of an HVRP interface is changed, the switch re-registers the aged VLANs on the
original interface.
Updating Interfaces in a VLAN

l The number of interfaces is updated in a VLAN each time an interface is added to or
deleted from the VLAN, the VLAN is registered, or the VLAN is aged.
l Physical interfaces that belong to the Eth-Trunk interface are counted as one interface.
Learning MAC Addresses in a VLAN

l When a VLAN contains more than two non-aged interfaces, the switch learns MAC
addresses.
l When a VLAN contains two or fewer non-aged interfaces, the switch does not learn
MAC addresses. In addition, the dynamic MAC addresses learned before are deleted.
21.3 Applications
A switch on a Layer 2 network needs to learn a large number of MAC addresses. To reduce
the MAC addresses that the switch needs to learn, enable HVRP on the switch. As shown in
Figure 21-3, HVRP needs to be configured on a single-ring network. In practice, HVRP
applies to two types of networking.
Single-ring Network
As shown in Figure 21-3, HVRP is configured on a single-ring network.

Figure 21-3 HVRP networking 1

Router
VLAN:101-500
SwitchB SwitchC
SwitchD SwitchE
VLAN:101-200 VLAN:201-300
The single-ring network supported by HVRP has the following characteristics:

l STP is enabled on the entire network.
l SwitchA, SwitchB, SwitchC, SwitchD, and SwitchE are Layer 2 switches, SwitchA is
the root bridge, and other devices connect to Layer 3 devices through SwitchA.
l The link between SwitchD and SwitchE is blocked by STP.
l User devices in Figure 21-3 refer to all downstream user devices.
l SwitchA can be a Layer 2/3 device.
HVRP is deployed on SwitchA, SwitchB, SwitchC, SwitchD, and SwitchE. Through dynamic
VLAN registration and aging mechanism, HVRP saves only necessary VLANs. When a
VLAN contains one or two interfaces, MAC addresses do not need to be learned. This solves
the problem when the device connects to more users and many MAC addresses need to be
learned.
Multi-ring Network
As shown in Figure 21-4, HVRP is configured on a multi-ring network.

Figure 21-4 HVRP networking 2

Router
SwitchA
SwitchB-1 …... SwitchB-n
SwitchC-1 SwitchC-n
SwitchD-1 SwitchD-n SwitchE-n

SwitchE-1
The multi-ring network supported by HVRP has the following characteristics:

l MSTP is enabled on the entire network. Each ring maps an MSTI, and all the devices
belong to the same MST region.
l SwitchB-1, SwitchC-1, SwitchD-1, SwitchE-1...SwitchB-n, SwitchC-n, SwitchD-n, and
SwitchE-n are Layer 2 switches, SwitchA is the root bridge in all MSTIs, and other
devices connect to Layer 3 devices through SwitchA. (SwitchA can be a Layer 2/3
device.)
Deploy HVRP on SwitchB-1, SwitchC-1, SwitchD-1, SwitchE-1...SwitchB-n, SwitchC-n,
SwitchD-n, and SwitchE-n to solve the problem when the device connects to more users and
many MAC addresses need to be learned.

Other network elements also need to support HVRP.
License Support
HVRP is a basic feature of a switch and is not under license control.

Version Support
Table 21-1 Products and versions supporting HVRP

Model
S7700 S7703, V200R005C00, V200R006C00, V200R007C00,

S7706, V200R008C00, V200R009C00, V200R010C00
S7712
S9700 S9703, V200R005C00, V200R006C00, V200R007C00,

S9706, V200R008C00, V200R009C00, V200R010C00
S9712

l After HVRP is enabled, the system dynamically sets the MAC address learning mode in
a VLAN. Therefore, you do not need to set the maximum number of MAC addresses that
can be learned in the VLAN.
l HVRP and GVRP cannot be enabled simultaneously.
l When you configure HVRP attributes, it is recommended that you delete the default
VLAN (VLAN 1) from an interface.
l After HVRP is disabled globally, HVRP is disabled on all the interfaces.
l After HVRP is disabled on an interface, all HVRP-related configurations such as the
VLAN registration timers become invalid.
Table 21-2 HVRP default configuration

Global HVRP Disabled
HVRP on an interface Disabled
VLAN registration timer 5 seconds
Aging timer of registered VLANs 15 seconds
Permanent VLAN No
VLAN aging Local VLANs
21.6 Configuring HVRP

A Layer 2 switch needs to learn a large number of MAC addresses. To reduce the MAC
addresses that the switch needs to learn, enable HVRP on the switch.

Before configuring HVRP, complete the following tasks:
l Ensuring that interfaces enabled with HVRP are trunk interfaces
l Enabling STP globally
l Deleting the MSTP multi-process
21.6.1 Enabling HVRP Globally
Context
Through dynamic VLAN registration and aging mechanisms, HVRP ages the VLANs that do
not forward packets on their interfaces and saves only necessary VLANs. When a VLAN
contains 0 to 2 interfaces, the interfaces do not learn MAC addresses, data packets are
broadcast in the VLAN and no extra bandwidth is consumed.
NOTE
l When STP works in VBST mode, do not enale HVRP. When HVRP is enabled, do not change the
working mode of the STP to VBST.
l When the VCMP role is the client or server, HVRP cannot be enabled. In this case, run the vcmp
role command to configure the VCMP role as silent or transparent. If HVRP has been enabled, do
not switch the VCMP role to client or server.
l After HVRP is enabled, the switch dynamically sets the MAC address learning mode for the VLAN.
Therefore, you do not need to set the maximum number of MAC addresses that can be learned in the
VLAN.
l HVRP and GVRP can not be enabled simultaneously.
Procedure
Step 1 Run:
system-view
Step 2 Run:
hvrp enable
HVRP is enabled globally.
By default, HVRP is disabled globally.
----End
21.6.2 Enabling HVRP on an Interface
Context
An interface enabled with HVRP is an HVRP interface. VLAN registration and aging can be
performed only on HVRP interfaces.

NOTE
l When you configure HVRP attributes, it is recommended that you delete the default VLAN (VLAN
1) from the interface.
l After HVRP is disabled globally, HVRP is disabled on all interfaces.
l After HVRP is disabled on an interface, all HVRP-related configurations such as the VLAN
registration timers become invalid.
l The PVID of the interface is not aged.
Procedure
Step 1 Run:
system-view

Step 2 Run:

Step 3 Run:
hvrp enable
HVRP is enabled on an interface.

By default, HVRP is disabled on an interface.
----End
21.6.3 (Optional) Setting the VLAN Registration Timer
Context
The HVRP root interface on each switch periodically sends user VLAN registration packets
according to the VLAN registration timer. HVRP interfaces that receive registration packets
from user VLANs are added to the user VLANs. The switch learns only MAC addresses in
registered VLANs. This reduces the number of MAC addresses that the switch learns and
improves the stability of the switch in network flapping.
NOTE
l The value of the VLAN registration timer must be smaller than the value of the aging timer of
registered VLANs. It is recommended that the value of the aging timer of registered VLANs be
three times the value of the VLAN registration timer or larger.
l All switches on a ring network must be configured with the same VLAN registration timer value.
Procedure
Step 1 Run:
system-view

Step 2 Run:
hvrp timer registervlan timer-interval

The VLAN registration timer is set.

The default value of the VLAN registration timer is 5 seconds.
----End
21.6.4 (Optional) Setting the Aging Timer of Registered VLANs
Context
If an HVRP interface does not receive any registration packets from a VLAN within the aging
time, the VLAN is deleted from the HVRP interface. The switch learns only MAC addresses
in registered VLANs. This reduces the number of MAC addresses that the switch learns and
improves the stability of the switch in network flapping.
NOTE
l VLAN aging is implemented only on HVRP non-root interfaces. VLANs on the HVRP root
interface never age out because all packets must pass through the HVRP root interface.
l The value of the VLAN registration timer must be smaller than the value of the aging timer of
registered VLANs. It is recommended that the value of the aging timer of registered VLANs be
three times the value of the VLAN registration timer or larger.
Procedure
Step 1 Run:
system-view

Step 2 Run:
hvrp timer registervlan-age timer-interval
The aging timer of registered VLANs is set.

The default value of the aging timer of registered VLANs is 15 seconds.
----End
21.6.5 (Optional) Configuring Permanent VLANs
Context
A permanent VLAN is never aged by an HVRP interface. If an HVRP interface does not
receive any registration packets from a VLAN within the aging time, the VLAN is deleted
from the HVRP interface. If dedicated services are configured for some VLANs and the
VLANs do not need to be aged(such as Management VLAN), you can configure the VLANs
as permanent VLANs.
Procedure
Step 1 Run:
system-view

Step 2 Run:
hvrp permanent-vlan { vlan-id1 [ to vlan-id2 ] }&<1-10>
The VLAN is configured as a permanent VLAN.

By default, no VLAN is a permanent VLAN.
----End
21.6.6 (Optional) Aging All VLANs
Context
On a network with one or more rings, you can enable the device to age all VLANs or only the
local VLANs.
You are advised to enable the device to age all VLANs when the device is located at the
intersection point of rings.
Procedure
Step 1 Run:
system-view

Step 2 Run:
hvrp vlan-age all
All VLANs are aged.

By default, only local VLANs are aged.
NOTE
In HVRP, VLAN 1 is not identified as the local VLAN. When the PVID is not VLAN 1 and the hvrp vlan-
age all command is executed, VLAN 1 will be aged.
----End
Procedure
l Run the display hvrp verbose command to check detailed information about HVRP.
l Run the display hvrp local-vlan command to check information about local VLANs.
----End
21.7.1 Example for Configuring HVRP

As shown in Figure 21-5, switches on the enterprise network are connected through Layer 2
interfaces and constitute a Layer 2 network. STP is used to eliminate loops. SwitchA is the
root bridge and the link between SwitchD and SwitchE is blocked. Because enterprise users
increase continuously, MAC addresses on the switch cannot meet requirements. The
enterprise requires that users increase without switch upgrade.
Figure 21-5 HVRP networking

Router
VLAN:101-500
GE2/0/0
GE3/0/0 GE1/0/0
GE2/0/0 GE2/0/0
GE1/0/0 GE1/0/0
GE3/0/0 SwitchB SwitchC GE3/0/0
GE2/0/0 SwitchD SwitchE GE2/0/0
GE1/0/0 GE1/0/0
GE3/0/0 GE3/0/0
VLAN:101-200 VLAN:201-300
Configure HVRP to meet the preceding requirements. HVRP dynamically registers and ages
VLANs to reserve necessary VLANs. When one or two interfaces exist in a VLAN, the
switch can be disabled from learning MAC addresses to reduce the number of learned MAC
addresses and increase downstream users connected to the switch. The configuration roadmap
is as follows:
1. Enable STP on devices of the ring network to eliminate loops.
2. Configure link types of interfaces and VLANs to implement Layer 2 connectivity.
3. Enable HVRP globally and interfaces so that VLANs are dynamically registered and
aged, and the number MAC addresses learned by the switch is reduced.
Procedure
Step 1 Enable STP on devices of the ring network. SwitchD is used as an example. The
configurations of other devices in the STP ring are similar to the configuration of SwitchD,

Step 2 Configure SwitchA as the root device to block the link between SwitchD and SwitchE.
Step 3 Create VLANs, and configure link types of interfaces and add interfaces to VLANs. SwitchD
is used as an example. The configurations of other devices in the STP ring are similar to the
configuration of SwitchD, and are not mentioned here.
Step 4 Enable HVRP. SwitchD is used as an example. The configurations of other devices in the STP
ring are similar to the configuration of SwitchD, and are not mentioned here.
[SwitchD] hvrp enable
[SwitchD-GigabitEthernet1/0/0] hvrp enable
[SwitchD-GigabitEthernet2/0/0] hvrp enable

Run the display hvrp verbose command to view detailed information about HVRP.
[SwitchD] display hvrp verbose
HVRP is enabled globally.
HVRP registervlan timer :5s.
HVRP registervlan age timer :15s.
HVRP age all VLAN :Disabled.
HVRP Permanent-vlan :
HVRP statistics on port GigabitEthernet1/0/0 (PORT_LINK_UP)
Mstp Role :
0 - designated
HVRP statistics on port GigabitEthernet2/0/0 (PORT_LINK_UP)
Mstp Role :
0 - root
When the service volume is the same, run the display mac-address command to view the
number of learned MAC addresses. After HVRP is configured, the number of learned MAC
addresses is reduced, This indicates that HVRP reduces the number of MAC addresses
learned by the switch.
----End
Configuration Files
#
sysname SwitchA
#

#
#
hvrp enable
#
hvrp enable
#
#
hvrp enable
#
return

#
sysname SwitchB
#
#
hvrp enable
#
#
hvrp enable
#
hvrp enable
#
return

#
sysname SwitchC
#
#
hvrp enable
#
#
hvrp enable
#
hvrp enable
#
return


#
sysname SwitchD
#
#
hvrp enable
#
hvrp enable
#
hvrp enable
#
#
return
l SwitchE configuration file

#
sysname SwitchE
#
#
hvrp enable
#
hvrp enable
#
hvrp enable
#
#
return
21.8 References
IEEE Std 802.1D Information technology-Telecommunications -

and information exchange between systems-
Local and metropolitan area networks-
Common specifications-Media Access
Control (MAC) Bridges

IEEE Std 802 1Q IEEE Standards for Local and Metropolitan -

Networks

S7700&S9700 Series Switches 22 Layer 2 Protocol Transparent Transmission
Configuration Guide - Ethernet Switching Configuration
22 Layer 2 Protocol Transparent

Transmission Configuration
About This Chapter
This chapter describes how to configure Layer 2 protocol transparent transmission.
22.1 Introduction to Layer 2 Protocol Transparent Transmission

22.2 Principles
22.6 Configuring Layer 2 Protocol Transparent Transmission
22.8 FAQ
22.9 References

22.1 Introduction to Layer 2 Protocol Transparent

Transmission
Definition
Layer 2 protocol transparent transmission is a Layer 2 tunneling technology that transparently
transmits BPDUs between private networks at different locations over a specified tunnel on a
public Internet Service Provider (ISP) network.
Purpose
Leased lines of ISPs are often used to establish Layer 2 networks. As a result, private
networks of a user can be located at two sides of the ISP network. As shown in Figure 22-1,
User A has two networks: network1 and network2. The two networks are connected through
the ISP network. When network1 and network2 run the same Layer 2 protocol (such as
MSTP), Layer 2 protocol packets from network1 and network2 must be transmitted through
the ISP network to perform Layer 2 protocol calculation (for example, calculating a spanning
tree). Generally, the destination MAC addresses in Layer 2 protocol packets of the same
Layer 2 protocol are the same. For example, the MSTP PDUs are BPDUs with the destination
MAC address 0180-C200-0000. Therefore, when a Layer 2 protocol packet reaches an edge
device on the ISP network, the edge device cannot identify whether the Layer 2 protocol
packet comes from a user network or the ISP network and sends the Layer 2 protocol packets
to the CPU to calculate a spanning tree.
In Figure 22-1, devices on user network1 build a spanning tree together with PE1 but not
with devices on user network2. As a result, the Layer 2 protocol packets on user network1
cannot traverse the ISP network to reach user network2.
Figure 22-1 Transparent transmission of Layer 2 protocol packets on the ISP network
ISP
network
PE1 PE2
CE1 CE2
User A User A
network1 network2
You can use Layer 2 protocol transparent transmission to transparently transmit Layer 2
protocol packets from the user network for the ISP network. This addresses the network
identity issue. The procedure is as follows:

1. After receiving Layer 2 protocol packets sent from CE1, PE1 replaces the destination
MAC address with a specified multicast MAC address. Then PE1 forwards the packets
on the ISP network.
2. The Layer 2 protocol packets are forwarded to PE2. PE2 restores the original destination
MAC address of the packets, and sends the packets to CE2.
Huawei device can transparently transmit packets of the following Layer 2 protocols:
l Spanning Tree Protocol (STP)
l Link Aggregation Control Protocol (LACP)
l Ethernet Operation, Administration, and Maintenance 802.3ah (EOAM3ah)
l Link Layer Discovery Protocol (LLDP)
l Generic VLAN Registration Protocol (GVRP)
l Generic Multicast Registration Protocol (GMRP)
l HUAWEI Group Management Protocol (HGMP)
l VLAN Trunking Protocol (VTP)
l Unidirectional Link Detection (UDLD)
l Port Aggregation Protocol (PAGP)
l Cisco Discovery Protocol (CDP)
l Per VLAN Spanning Tree Plus (PVST+)
l Dynamic Trunking Protocol (DTP)
l Device Link Detection Protocol (DLDP)
l User-defined protocols
22.2 Principles
Layer 2 protocol packets are transparently transmitted based on the following principles:
l On the ingress Provider Edge (PE) of the ISP network, the destination multicast MAC
address of a Layer 2 protocol packet is replaced with a specified multicast MAC address.
l The devices on the ISP network determine whether to process the protocol packet based
on the configured transparent transmission mode.
l When the Layer 2 protocol packet reaches the egress, the PE restores the destination
multicast MAC address of the Layer 2 protocol packet to the standard destination
multicast MAC address based on the mapping between the specified destination
multicast MAC address and the Layer 2 protocol configured on the device. The egress
PE also determines whether to process the packet based on the configured transparent
transmission mode.
To transparently transmit Layer 2 protocol packets on the ISP network, ensure that the
following requirements are met:
l Each branch of a user network must be able to receive the Layer 2 protocol packets from
other branches.
l The CPUs of the devices on the ISP network must not process Layer 2 protocol packets
from a user network.
l Layer 2 protocol packets from different user networks must be isolated and not affect
each other.

Huawei devices support the following Layer 2 protocol transparent transmission modes in
different scenarios:
l Interface-based Layer 2 protocol transparent transmission
l VLAN-based Layer 2 protocol transparent transmission
l QinQ-based Layer 2 protocol transparent transmission
Interface-based Layer 2 Protocol Transparent Transmission
Figure 22-2 Interface-based Layer 2 protocol transparent transmission
ISP Network
BPDU Tunnel
PE1 PE2
Port based Port based

VLAN 300 VLAN 300
LAN-A LAN-A
MSTP MSTP
As shown in Figure 22-2, each interface on a PE connects to one user network. The user
networks do not belong to the same LAN. If BPDUs received from user networks do not carry
any VLAN tag, the PE must identify the LAN that the BPDUs come from. BPDUs of a user
network in LAN-A must be sent to other user networks in LAN-A. In addition, BPDUs must
not be processed by devices on the ISP network.
In this scenario, the following processing methods are available:
l Change the default multicast MAC address of the Layer 2 protocol packet that can be
identified by the devices on the ISP network to another multicast MAC address. This
method applies only to the STP, RSTP, or MSTP protocol, and the configuration
command is bpdu-tunnel stp bridge role provider.
a. Set the roles of all devices on the ISP network to provider, so that the multicast
MAC addresses of the BPDUs sent by these devices are changed to 01-80-
C2-00-00-08.
b. Set the roles of all devices on a user network to customer, so that the multicast
MAC addresses of the BPDUs sent by the user network are 01-80-C2-00-00-00.
c. On the device of the ISP network, add the interfaces that connect to the same user
network to the same VLAN. PEs add VLAN tags to received Layer 2 protocol
packets based on default VLANs of the interfaces.
d. PEs (providers) do not consider the packets as Layer 2 BPDUs and do not send the
packets to the CPU. Instead, PEs select a Layer 2 tunnel to forward the packets
based on the default VLAN IDs of the interfaces.
e. Internal nodes on the ISP network forward the packets through the ISP network as
common Layer 2 packets.
f. PEs on the ISP network forward the packets to CEs without modifying the packets.

l Replace the original multicast MAC address of the Layer 2 protocol packet with a
specified multicast MAC address.
a. On the device of the ISP network, add the interfaces that connect to the same user
network to the same VLAN. After receiving and identifying the Layer 2 protocol
packet (such as a BPDU of the STP protocol) from the user network, the device on
the ISP network adds the default VLAN ID of the interface to the Layer 2 protocol
packet. This method applies to all types of Layer 2 protocol transparent
transmission.
b. Based on the mapping between the specified destination multicast MAC address
and the Layer 2 protocol, the ingress PE on the ISP network replaces the standard
destination multicast MAC address of the Layer 2 protocol packet with the
specified destination multicast MAC address.
c. Internal nodes on the ISP network forward the packet through the ISP network as a
common Layer 2 packet.
d. The egress PE on the ISP network restores the original standard destination MAC
address of the packet based on the mapping between the specified destination
multicast MAC address and the Layer 2 protocol and forwards the packet to the CE.
1. On the device of the ISP network, add the interfaces that connect to the same user
network to the same VLAN. After receiving and identifying the Layer 2 protocol packet
(such as a BPDU of the STP protocol) from the user network, the device on the ISP
network adds the default VLAN ID of the interface to the Layer 2 protocol packet.
2. Based on the mapping between the specified destination multicast MAC address and the
Layer 2 protocol, the ingress PE on the ISP network replaces the standard destination
multicast MAC address of the Layer 2 protocol packet with the specified destination
multicast MAC address.
3. Internal nodes on the ISP network forward the packet through the ISP network as a
common Layer 2 packet.
4. The egress PE on the ISP network restores the original standard destination MAC
address of the packet based on the mapping between the specified destination multicast
MAC address and the Layer 2 protocol and forwards the packet to the CE.

VLAN-based Layer 2 Protocol Transparent Transmission
Figure 22-3 VLAN-based Layer 2 protocol transparent transmission
LAN-B LAN-B
MSTP MSTP
CE-VLAN 100 CE-VLAN 100
PE 1 ISP Network PE 2
BPDU Tunnel

Trunk Link Trunk Link
100-200 100-200
LAN-A LAN-A
MSTP MSTP
In most cases, a PE serves as an aggregation device. As shown in Figure 22-3, the

aggregation interface on PE1 receives Layer 2 protocol packets from LAN-A and LAN-B. To
differentiate BPDUs from two LANs, BPDUs sent from CEs to PEs must have VLAN tags.
Packets sent from LAN-A contain VLAN ID 200 and packets sent from LAN-B contain
VLAN ID 100. BPDUs of a user network in LAN-A must be forwarded to other user
networks in LAN-A, but not to user networks in LAN-B. In addition, BPDUs cannot be
processed by PEs on the ISP network. In this case, you can configure VLAN-based Layer 2
protocol transparent transmission on PEs, so that Layer 2 protocol packets can traverse the
ISP network through Layer 2 tunnels.
Similar to interface-based Layer 2 protocol transparent transmission, you can use either of the
following methods to implement VLAN-based Layer 2 protocol transparent transmission:
l Change the default multicast MAC address of the Layer 2 protocol packet that can be
identified by the devices on the ISP network to another multicast MAC address. This
method applies only to the STP, RSTP, or MSTP protocol, and the configuration
command is bpdu-tunnel stp bridge role provider.
a. Set the roles of all devices on the ISP network to provider, so that the multicast
MAC addresses of the BPDUs sent by these devices are changed from 01-80-
C2-00-00-00 to 01-80-C2-00-00-08.
b. Set the roles of all devices on a user network to customer, so that the multicast
MAC addresses of the BPDUs sent by the user network are still 01-80-
C2-00-00-00.

c. Set specified VLAN IDs for Layer 2 protocol packets sent from user networks to
the ISP network.
d. Enable the devices on the ISP network to identify Layer 2 protocol packets with the
specified VLAN IDs and allow these packets to pass.
e. PEs (providers) do not consider these packets Layer 2 protocol BPDUs and do not
send them to the CPU. Instead, PEs select a Layer 2 tunnel to forward the packets
based on the default VLANs of interfaces.
f. Internal nodes on the ISP network forward the packets through the ISP network as
g. PEs on the ISP network forward the packets to CEs without modifying the packets.
l Replace the original multicast MAC address of the Layer 2 protocol packet with a
specified multicast MAC address. This method applies to all types of Layer 2 protocol
transparent transmission.
a. Set specified VLAN IDs for Layer 2 protocol packets sent from user networks to
the ISP network.
b. Enable the devices on the ISP network to identify Layer 2 protocol packets with the
specified VLAN IDs and allow these packets to pass.
c. Based on the mapping between the specified destination multicast MAC address
and the Layer 2 protocol, the ingress PE on the ISP network replaces the standard
destination multicast MAC address of the Layer 2 protocol packet with the
specified destination multicast MAC address.
d. Internal nodes on the ISP network forward the packets through the ISP network as
e. The egress PE on the ISP network restores the original standard destination MAC
address of the packet based on the mapping between the specified destination
multicast MAC address and the Layer 2 protocol and forwards the packets to the
CE.
QinQ-based Layer 2 Protocol Transparent Transmission

If Layer 2 protocol packets are still transmitted transparently in VLAN-based mode when
many user networks are connected to the ISP network, a large number of VLAN IDs of the
ISP network are required. This may result in insufficient VLAN ID resources. To conserve
VLAN IDs, you can configure QinQ-based Layer 2 protocol transparent transmission to
forward Layer 2 protocol packets on the ISP network.
The QinQ protocol is a Layer 2 tunneling protocol based on IEEE 802.1Q. QinQ technology
improves utilization of VLANs by adding another 802.1Q tag to a packet, allowing services
on a private VLAN to be transparently transmitted to the public network.

Figure 22-4 QinQ-based Layer 2 protocol transparent transmission
LAN-B LAN-B
MSTP MSTP
PE-VLAN20:CE-VLAN 100~199
PE 2
PE 1 ISP Network
CE-VLAN 100 BPDU Tunnel CE-VLAN 100

BPDU Tunnel
PE-VLAN30:CE-VLAN 200~299
LAN-A LAN-A
MSTP MSTP
As shown in Figure 22-4, QinQ-based Layer 2 protocol transparent transmission is

configured on aggregation interfaces of PEs. Packets from different user networks are
encapsulated in different outer VLAN tags. QinQ-based Layer 2 protocol transparent
transmission is implemented as follows:
1. Set specified VLAN IDs for Layer 2 protocol packets sent from user networks to the ISP
network.
2. Enable Layer 2 protocol transparent transmission and QinQ on interfaces of the ingress
PE on the ISP network.
3. Configure PEs to add different outer VLAN tags (public VLAN IDs) to packets based on
customer VLAN IDs.
4. PEs select different Layer 2 tunnels based on outer VLAN tags of packets. Internal nodes
on the ISP network forward the packets through the ISP network as common Layer 2
packets.
5. Enable Layer 2 protocol transparent transmission and QinQ on interfaces of the egress
PE on the ISP network.
6. The egress PE removes outer VLAN tags of the packets and forwards the packets to user
networks based on customer VLAN IDs.
As shown in Figure 22-4, PEs add outer VLAN ID 20 to Layer 2 protocol packets of VLAN
100 to VLAN 199, add outer VLAN ID 30 to Layer 2 protocol packets of VLAN 200 to
VLAN 299, and forward the packets to other devices on the ISP network. In this way, Layer 2
protocol packets of different user networks can be transparently transmitted on the ISP
network and carrier VLAN IDs are conserved.

As shown in Figure 22-5, CE1 and CE2 are edge devices on private networks of User A in
different locations. The two private networks connect to the ISP network through PE1 and
PE2. Networks of User A have redundant links, so MSTP is used to remove loops on the
Layer 2 network. When MSTP packets sent by CEs reach PEs, PEs send the packets to the
CPUs for processing because they cannot identify the network that MSTP packets come from.
Layer 2 protocol calculations on the user network and ISP network affect each other and
cannot be implemented independently.
You can configure Layer 2 protocol transparent transmission on PEs, so that MSTP packets
are not sent to the CPUs of PEs for processing. This prevents PEs from participating in
spanning tree calculation.
Figure 22-5 Interface-based transparent transmission of Layer 2 control protocol packets on a

Layer 2 network
ISP
network
PE1 PE2
CE1 CE2
User A User A
network1 network2

Table 22-1 lists the configuration task summary of Layer 2 protocol transparent transmission.

Table 22-1 Configuration task summary of Layer 2 protocol transparent transmission

Configuring interface-based When each interface of a 22.6.1 Configuring

Layer 2 protocol transparent backbone device is Interface-based Layer 2
transmission connected to only one user Protocol Transparent
network and Layer 2 Transmission
protocol packets sent from
the user network do not
need VLAN tags, configure
interface-based Layer 2
protocol transparent
transmission on the interface
connected to the user
network. This configuration
allows Layer 2 protocol
packets to be transparently
transmitted on the backbone
network.
Configuring VLAN-based When each interface of a 22.6.2 Configuring VLAN-

Layer 2 protocol transparent backbone device is based Layer 2 Protocol
transmission connected to multiple user Transparent Transmission
networks and Layer 2
user networks contain
VLAN tags, configure
VLAN-based Layer 2
protocol transparent
transmission. This
configuration allows Layer
2 protocol packets to be
transparently transmitted on
the backbone network.
Configuring basic QinQ- When each interface of a 22.6.3 Configuring QinQ-

based Layer 2 protocol backbone device is based Layer 2 Protocol
transparent transmission connected to multiple user Transparent Transmission
networks and Layer 2
user networks contain
VLAN tags, you can
configure basic QinQ-based
Layer 2 protocol transparent
transmission. This
configuration allows Layer
2 protocol packets to be
transparently transmitted on
the backbone network and
reduces VLAN IDs that the
carrier uses.


License Support
Layer 2 protocol transparent transmission is a basic feature of a switch and is not under
license control.
Version Support
Table 22-2 Products and versions supporting Layer 2 protocol transparent transmission
Model
S7700 S7703, V100R003C01, V100R006C00, V200R001(C00&C01),

S7706, V200R002C00, V200R003C00, V200R005C00,
S7712 V200R006C00, V200R007C00, V200R008C00,
V200R009C00, V200R010C00
S9700 S9703, V200R001(C00&C01), V200R002C00, V200R003C00,

S9706, V200R005C00, V200R006C00, V200R007C00,
S9712 V200R008C00, V200R009C00, V200R010C00
NOTE

l When the default CPCAR value is used, the device transparently transmits a maximum
of 60 Layer 2 protocol packets per second. Excess packets are discarded.
l In V200R005 and later versions, when PVST+ packets need to be transparently
transmitted, disable VBST on the interface. Otherwise, PVST+ packets cannot be
transparently transmitted.
l Do not replace the destination MAC addresses of STP, GVRP, and GMRP packets with
the same multicast MAC address.
l When configuring Layer 2 protocol transparent transmission, do not use any of the
following multicast MAC addresses to replace the destination MAC address of Layer 2
protocol packets:
– Destination MAC addresses of BPDUs: 0180-C200-0000 to 0180-C200-002F
– Destination MAC address of Smart Link packets: 010F-E200-0004
– Special multicast MAC addresses: 0100-0CCC-CCCC and 0100-0CCC-CCCD
– Common multicast MAC addresses that have been used on the device

l To transparently transmit BPDUs such as DLDP and EFM packets on a physical

interface, the L2PT tunnel egress cannot be the Eth-Trunk. Otherwise, BPDU negotiation
may be abnormal.
l When an interface is enabled to transparently transmit the packets of a certain protocol,
these packets do not participate in protocol processing. For example, after an interface is
enabled to transparently transmit STP packets, the interface does not participate in STP
calculation. Therefore, you are advised not to enable a protocol and the transparent
transmission of this protocol on the same interface.
22.6 Configuring Layer 2 Protocol Transparent

Transmission
22.6.1 Configuring Interface-based Layer 2 Protocol Transparent

Transmission
When each interface of a backbone device is connected to only one user network and Layer 2
protocol packets sent from the user network do not need VLAN tags, configure interface-
based Layer 2 protocol transparent transmission on the interface connected to the user
network. This configuration allows Layer 2 protocol packets to be transparently transmitted
on the backbone network.
Before configuring interface-based Layer 2 protocol transparent transmission, complete the
following task:
l Set link layer protocol parameters and IP addresses for interfaces to ensure that the link
layer protocol on the interfaces is Up.
22.6.1.1 (Optional) Defining Characteristic Information About a Layer 2 Protocol
Context
When non-standard Layer 2 protocol packets with a specified multicast destination MAC
address need to be transparently transmitted on the backbone network, define characteristic
information about the Layer 2 protocol on the PE. The characteristics of the Layer 2 protocol
include the protocol name, Ethernet encapsulation format, destination MAC address, and
MAC address that replaces the destination MAC address of Layer 2 protocol packets.
When defining characteristic information about a Layer 2 protocol, do not use the following
multicast MAC addresses to replace the destination MAC address of Layer 2 protocol
packets:
l Destination MAC addresses of BPDUs: 0180-C200-0000 to 0180-C200-002F

l Destination MAC address of Smart Link packets: 010F-E200-0004
l Special multicast MAC addresses: 0100-0CCC-CCCC and 0100-0CCC-CCCD
l Common multicast MAC addresses that have been used on the device
Perform the following operations on PEs.

Procedure
Step 1 Run:
system-view

Step 2 Run:
l2protocol-tunnel user-defined-protocol protocol-name protocol-mac protocol-mac
[ encap-type { { ethernetii | snap } protocol-type protocol-type | llc dsap dsap-
value ssap ssap-value } ] group-mac { group-mac | default-group-mac }
Characteristic information about a Layer 2 protocol is defined.
----End
22.6.1.2 Configuring Layer 2 Protocol Transparent Transmission Mode
Context
You can configure the following Layer 2 protocol transparent transmission modes:
l Configure the device to replace the default multicast MAC address of Layer 2 protocol
packets that can be identified by PEs with another multicast MAC address. This mode
can be used to transparently transmit Layer 2 protocol packets of STP, RSTP, and MSTP.
l Configure the device to replace the original multicast MAC address of Layer 2 protocol
packets with a specified multicast MAC address. This mode can be used to transparently
transmit all types of Layer 2 protocol packets.
Use either of the following methods on PEs based on the Layer 2 protocol type and the
required transparent transmission mode.
Procedure
l Replace the default multicast MAC address of Layer 2 protocols that can be identified by
PEs with another multicast MAC address.
a. Run:
system-view

b. Run:
bpdu-tunnel stp bridge role provider
The PE is configured as a provider.

l Replace the original multicast MAC address of Layer 2 protocol packets from user
networks with a specified multicast MAC address.
a. Run:
system-view

b. Run:
l2protocol-tunnel protocol-type group-mac group-mac
The original multicast destination MAC address of Layer 2 protocol packets is

replaced with a specified multicast MAC address.

NOTE
Do not replace the destination MAC addresses of STP, GVRP, and GMRP packets with the
same multicast MAC address.
When configuring Layer 2 protocol transparent transmission, do not use the following
packets:
----End
22.6.1.3 Enabling Layer 2 Protocol Transparent Transmission on an Interface
Context
Perform the following operations on PEs based on the required Layer 2 protocol transparent
transmission mode.
NOTE
The l2protocol-tunnel and l2protocol-tunnel vlan commands cannot specify the same protocol type on
the same interface. Otherwise, the configurations conflict.
Procedure
Step 1 Run:
system-view
Step 2 Run:
The user-side interface view is displayed.
Step 3 Run:
Step 4 Run:
port hybrid pvid vlan vlan-id
The default VLAN of the interface is configured.
Step 5 Run:
The interface is added to the default VLAN in untagged mode.
Step 6 Run:
l2protocol-tunnel { all | protocol-type | user-defined-protocol protocol-name }
enable

Layer 2 protocol transparent transmission is enabled on the interface.
----End
Procedure
l Run the display l2protocol-tunnel group-mac { all | protocol-type | user-defined-
protocol protocol-name } command to check information about transparent transmission
of specified or all Layer 2 protocol packets.
----End
22.6.2 Configuring VLAN-based Layer 2 Protocol Transparent

Transmission
When each interface of a backbone device is connected to multiple user networks and Layer 2
protocol packets sent from user networks contain VLAN tags, configure VLAN-based Layer
2 protocol transparent transmission. This configuration allows Layer 2 protocol packets to be
transparently transmitted on the backbone network.
following task:
Context
packets:


Procedure
Step 1 Run:
system-view

Step 2 Run:
----End
Context
Procedure
a. Run:
system-view

b. Run:

a. Run:
system-view

b. Run:


NOTE
Do not replace the destination MAC addresses of STP, GVRP, and GMRP packets with the
same multicast MAC address.
When configuring Layer 2 protocol transparent transmission, do not use the following
packets:
----End
22.6.2.3 Enabling VLAN-based Layer 2 Protocol Transparent Transmission on an

Interface
Context
Perform the following operations on PEs according to the type of Layer 2 protocol packets to
be transparently transmitted.
NOTE
The l2protocol-tunnel vlan and l2protocol-tunnel commands cannot specify the same protocol type on
Procedure
Step 1 Run:
system-view

Step 2 Run:

Step 3 Run:

Step 4 Run:
port hybrid tagged vlan { { vlan-id1 [ to vlan-id2 ] } &<1-10> | all }
The interface is added to the specified VLANs in tagged mode.
NOTE
l The range of VLAN IDs specified in this step must include VLAN IDs of Layer 2 protocol packets
from user networks.
l The VLAN for VLAN-based Layer 2 protocol transparent transmission must be the static VLAN,
and cannot be the VLAN dynamically created by GVRP and VCMP.
Step 5 Run:


vlan { low-id [ to high-id ] } &<1-10>
VLAN-based Layer 2 protocol transparent transmission is enabled on the interface.
----End
Procedure
----End
22.6.3 Configuring QinQ-based Layer 2 Protocol Transparent

Transmission
When each interface of a backbone device is connected to multiple user networks and Layer 2
protocol packets sent from user networks contain VLAN tags, you can configure QinQ-based
Layer 2 protocol transparent transmission. This configuration allows Layer 2 protocol packets
to be transparently transmitted on the backbone network and reduces VLAN IDs that the
carrier uses.
following task:
Context
packets:

Procedure
Step 1 Run:
system-view

Step 2 Run:
----End
Context
Procedure
a. Run:
system-view

b. Run:

a. Run:
system-view

b. Run:


NOTE
When configuring Layer 2 protocol transparent transmission, do not use the following multicast
MAC addresses to replace the destination MAC address of Layer 2 protocol packets:
----End
22.6.3.3 Enabling QinQ-based Layer 2 Transparent Transmission on an Interface
Context
Perform the following operations on PEs based on the required Layer 2 protocol transparent
transmission mode.
NOTE
The l2protocol-tunnel vlan and l2protocol-tunnel commands cannot specify the same protocol type on
Procedure
Step 1 Run:
system-view
Step 2 Run:
Step 3 Run:
Step 4 Run:
The interface is added to the specified VLANs in untagged mode.
Step 5 Run:
port vlan-stacking vlan vlan-id1 [ to vlan-id2 ] stack-vlan vlan-id3
The interface is configured to add an outer VLAN tag to the Layer 2 protocol packets.
Step 6 Run:
vlan { low-id [ to high-id ] } &<1-10>
QinQ-based Layer 2 protocol transparent transmission is enabled on the interface.

NOTE
l The outer VLAN tag (vlan-id3) specified in port vlan-stacking command must be included in the
VLAN range specified inport hybrid untagged vlancommand.
----End
Procedure
----End
22.6.4 Displaying Statistics About Layer 2 Protocol Packets That

Are Transparently Transmitted on an Interface
Context
You can run the display l2protocol-tunnel statistics command in any view to check the
statistics about Layer 2 protocol packets that are transparently transmitted on an interface,
which helps you locate faults.
Procedure
l Run the display l2protocol-tunnel statistics command in any view to check the
statistics about Layer 2 protocol packets that are transparently transmitted on an
interface.
----End
22.6.5 Clearing Statistics About Layer 2 Protocol Packets That Are

Transparently Transmitted on an Interface
Context
Before recollecting statistics about Layer 2 protocol packets transparently transmitted on an
interface in a certain period, clear existing statistics on the interface.
NOTICE
The cleared statistics cannot be restored. Exercise caution when you run this command.

Procedure
l Run the reset l2protocol-tunnel statistics command in any view to clear the statistics
about Layer 2 protocol packets that are transparently transmitted on an interface.
----End
22.7.1 Example for Configuring Interface-based Layer 2 Protocol

Transparent Transmission
As shown in Figure 22-6, CEs are edge devices on two private networks of an enterprise
located in different areas, and PE1 and PE2 are edge devices on the ISP network. The two
private networks of the enterprise are Layer 2 networks and they are connected through the
ISP network. STP is run on the Layer 2 networks to prevent loops. Enterprise users require
that STP run only on the private networks so that spanning trees can be generated correctly.
Figure 22-6 Networking diagram for configuring interface-based Layer 2 protocol transparent
transmission
PE1 PE2
ISP
GE1/0/2 network GE1/0/2
GE1/0/0
GE1/0/0
GE1/0/0
GE1/0/0
CE1
CE2
User A User A
network1 network2
1. Configure STP on CEs to prevent loops on Layer 2 networks.

2. Add PE interfaces connected to CEs to specified VLANs so that PEs forward packets
from the VLANs.
3. Configure interface-based Layer 2 protocol transparent transmission on PEs so that STP
packets are not sent to the CPUs of PEs for processing.

Procedure
Step 1 Enable STP on CEs.
# Configure CE1.
[CE1] vlan 100
[CE1-vlan100] quit
[CE1] stp enable
[CE1-GigabitEthernet1/0/0] port hybrid untagged vlan 100
# Configure CE2.
[CE2] vlan 100
[CE2-vlan100] quit
[CE2] stp enable
[CE2-GigabitEthernet1/0/0] port hybrid untagged vlan 100
Step 2 Add GE1/0/0 on PE1 and PE2 to VLAN 100 and enable Layer 2 protocol transparent
transmission on PEs.
# Configure PE1.
[PE1] vlan 100
[PE1-vlan100] quit
[PE1-GigabitEthernet1/0/0] l2protocol-tunnel stp enable
[PE1-GigabitEthernet1/0/2] port trunk allow-pass vlan 100 200
# Configure PE2.
[PE2] vlan 100
[PE2-vlan100] quit
[PE2-GigabitEthernet1/0/0] l2protocol-tunnel stp enable
Step 3 Configure PEs to replace the destination MAC address of STP packets received from CEs.

# Configure PE1.
[PE1] l2protocol-tunnel stp group-mac 0100-0100-0100
# Configure PE2.
Step 4 Configure CE2 to the priority of a switching device is 4096.

[CE2] stp priority 4096

# After the configuration is complete, run the display l2protocol-tunnel group-mac
command on PEs. You can view the protocol type or name, multicast destination MAC
address, group MAC address, and priority of Layer 2 protocol packets to be transparently
transmitted.
[PE1] display l2protocol-tunnel group-mac stp
Protocol EncapeType ProtocolType Protocol-MAC Group-MAC Pri
-----------------------------------------------------------------------------
stp llc dsap 0x42 0180-c200-0000 0100-0100-0100 0
ssap 0x42
# After 30s, Run the display stp command on CE1 and CE2 to view the root in the MSTP
region. You can find that a spanning tree is calculated between CE1 and CE2. GE1/0/0 on
CE1 is the root port and GE1/0/0 on CE2 is the designated port.
[CE1] display stp brief
----End
Configuration Files
#
sysname CE1
#
vlan batch 100
#
#
return

#
sysname CE2
#
vlan batch 100
#
#

#
return

#
sysname PE1
#
vlan batch 100
#
l2protocol-tunnel stp group-mac 0100-0100-0100
#
l2protocol-tunnel stp enable
#
port link-type
trunk
#
return

#
sysname PE2
#
vlan batch 100
#
#
l2protocol-tunnel stp enable
#
port link-type
trunk
#
return
22.7.2 Example for Configuring VLAN-based Layer 2 Protocol

located in different areas, and PE1 and PE2 are edge devices on the ISP network. VLAN 100
and VLAN 200 are Layer 2 networks for different users and are connected through the ISP
network. STP is run on the Layer 2 networks to prevent loops. Enterprise users require that
STP run only on the private networks so that spanning trees can be generated correctly.
l All the devices in VLAN 100 participate in calculation of a spanning tree.

Figure 22-7 Networking diagram for configuring VLAN-based Layer 2 protocol transparent
transmission
PE1 PE2
GE1/0/3 ISP GE1/0/3
network
GE1/0/1 GE1/0/2 GE1/0/1 GE1/0/2
GE1/0/0 GE1/0/0 GE1/0/0

GE1/0/0
CE1 CE2 CE4
CE3
VLAN 100 VLAN 200

VLAN 100 VLAN 200
User A User B
User A User B
2. Configure CEs to send STP packets with specified VLAN tags to PEs so that calculation
of a spanning tree is complete independently in VLAN 100 and VLAN 200.
3. Configure VLAN-based Layer 2 protocol transparent transmission on PEs so that STP
Procedure
# Configure CE1.
[CE1] stp enable
# Configure CE2.
[CE2] stp enable
# Configure CE3.
[CE3] stp enable
# Configure CE4.
[CE4] stp enable
Step 2 Configure CE1 and CE2 to send STP packets with VLAN tag 100 to PEs, and configure CE3
and CE4 to send STP packets with VLAN tag 200 to PEs.

# Configure CE1.
[CE1] vlan 100
[CE1-vlan100] quit
[CE1-GigabitEthernet1/0/0] stp bpdu vlan 100
# Configure CE2.
[CE2] vlan 100
[CE2-vlan100] quit
# Configure CE3.
[CE3] vlan 200
[CE3-vlan200] quit
# Configure CE4.
[CE4] vlan 200
[CE4-vlan200] quit
Step 3 Configure PE interfaces to transparently transmit STP packets of CEs to the peer ends.
# Configure PE1.
[PE1] vlan 100
[PE1-vlan100] quit
[PE1] vlan 200
[PE1-vlan200] quit
[PE1-GigabitEthernet1/0/1] l2protocol-tunnel stp vlan 100
# Configure PE2.
[PE2] vlan 100

[PE2-vlan100] quit
[PE2] vlan 200
[PE2-vlan200] quit
# Configure PE1.
# Configure PE2.
Step 5 Configure CE2 and CE4 to the priority of a switching device is 4096.
# Configure CE2.
# Configure CE4.

transmitted.
-----------------------------------------------------------------------------
stp llc dsap 0x42 0180-c200-0000 0100-0100-0100 0
ssap 0x42
# After 30s, run the display stp command on CE1 and CE2 to view the root in the MSTP


----End
Configuration Files
#
sysname CE1
#
vlan batch 100
#
stp bpdu vlan 100
#
return

#
sysname CE2
#
vlan batch 100
#
#
stp bpdu vlan 100
#
return

#
sysname CE3
#
vlan batch 200
#
stp bpdu vlan 200
#
return

#
sysname CE4
#
vlan batch 200
#
#
#
stp bpdu vlan 200
#
return


#
sysname PE1
#
vlan batch 100 200
#
#
l2protocol-tunnel stp vlan 100
#
#
port link-type
trunk
#
return

#
sysname PE2
#
vlan batch 100 200
#
#
#
#
port link-type
trunk
#
return
22.7.3 Example for Configuring QinQ-based Layer 2 Protocol

located in different areas, and PE1 and PE2 are edge devices on the ISP network. VLAN 100
and VLAN 200 are Layer 2 networks for different users and are connected through the ISP
network. STP is run on the Layer 2 networks to prevent loops. Enterprise users require that
STP run only on the private networks so that spanning trees can be generated correctly.


Because of shortage of public VLAN resources, VLAN IDs on carrier networks must be
saved.
Figure 22-8 Networking diagram for configuring QinQ-based Layer 2 protocol transparent
transmission
User A User A
VLAN100 VLAN100
GE1/0/0
GE1/0/0
GE1/0/1
GE1/0/1
CE1 CE2
GE1/0/3 ISP GE1/0/3
PE1 Network PE2
CE3 GE1/0/2 GE1/0/2

CE4
GE1/0/0
User B GE1/0/0
User B
VLAN200 VLAN200
2. Configure CEs to send STP packets with specified VLAN tags to PEs so that calculation
of a spanning tree is complete independently in VLAN 100 and VLAN 200.
3. Configure VLAN-based Layer 2 protocol transparent transmission on PEs so that STP
4. Configure QinQ (VLAN stacking) on PEs so that PEs add outer VLAN tag 10 to STP
packets sent from CEs, saving public network VLAN IDs.
Procedure
# Configure CE1.
[CE1] stp enable
# Configure CE2.
[CE2] stp enable
# Configure CE3.
[CE3] stp enable

# Configure CE4.
[CE4] stp enable
Step 2 Configure CE1 and CE2 to send STP packets with VLAN tag 100 to PEs, and configure CE3
and CE4 to send STP packets with VLAN tag 200 to PEs.
# Configure CE1.
[CE1] vlan 100
[CE1-vlan100] quit
# Configure CE2.
[CE2] vlan 100
[CE2-vlan100] quit
# Configure CE3.
[CE3] vlan 200
[CE3-vlan200] quit
# Configure CE4.
[CE4] vlan 200
[CE4-vlan200] quit
Step 3 Configure QinQ-based Layer 2 protocol transparent transmission on PEs so that STP packets
with VLAN tags 100 and 200 are tagged with outer VLAN 10 by PEs and can be transmitted
on the ISP network.
# Configure PE1.
[PE1] vlan 10
[PE1-vlan10] quit
[PE1-GigabitEthernet1/0/1] port vlan-stacking vlan 100 stack-vlan 10


# Configure PE2.
[PE2] vlan 10
[PE2-vlan10] quit
# Configure PE1.
# Configure PE2.
Step 5 Configure CE2 and CE4 to the priority of a switching device is 4096.
# Configure CE2.
# Configure CE4.

transmitted.
-----------------------------------------------------------------------------
stp llc dsap 0x42 0180-c200-0000 0100-0100-0100 0
ssap 0x42


----End
Configuration Files
#
sysname CE1
#
vlan batch 100

#
stp bpdu vlan 100
#
return

#
sysname CE2
#
vlan batch 100
#
#
stp bpdu vlan 100
#
return

#
sysname CE3
#
vlan batch 200
#
stp bpdu vlan 200
#
return

#
sysname CE4

#
vlan batch 200
#
#
stp bpdu vlan 200
#
return
#
sysname PE1
#
vlan batch 10
#
#
#
#
port link-type
trunk
#
return
#
sysname PE2
#
vlan batch 10
#
#
#
#
port link-type
trunk
#
return
22.8 FAQ

22.8.1 How to Configure BPDU Tunnel to Transparently Transmit

BPDUs?
l To transparently transmit untagged BPDUs, perform the following configuration:
– In earlier versions of V100R003:
[HUAWEI-GigabitEthernet3/0/0] bpdu-tunnel stp enable
– In V100R003 and later versions:

[HUAWEI-GigabitEthernet3/0/0] l2protocol-tunnel stp enable
l To transparently transmit tagged BPDUs, perform the following configuration:

– In earlier versions of V100R003:
[HUAWEI-GigabitEthernet3/0/0] bpdu-tunnel stp vlan 3
– In V100R003 and later versions:

[HUAWEI-GigabitEthernet3/0/0] l2protocol-tunnel stp vlan 3
22.8.2 How to View and Change MAC Addresses of BPDUs?

Run the display bpdu mac-address command to query the current BPDU MAC addresses.
By default, all multicast MAC addresses in the segment from 0180-c200-0010 to 0180-
c200-002f are BPDU MAC addresses, and 0100-0ccc-cccd is also a BPDU MAC address.
Run the bpdu mac-address mac-address command to specify an MAC address to be a BPDU
MAC address.
Example: bpdu mac-address 0100-0ccc-cccc
22.9 References
The following table lists the references for this document.
IEEE802.1Q IEEE Standards for Local and Metropolitan -

Networks
IEEE 802.1ad/ Virtual Bridged Local Area Networks- -

D6.0 Amendment 4: Provider Bridges


Huawei Certification HCNP Lab Guide HCNP IERN V1 6 OSPF BGP ACL Multicast 473 Pages

Загружено:

Сведения о документе

Оригинальное название

Авторское право

Доступные форматы

Поделиться этим документом

Поделиться или встроить документ

Параметры публикации

Этот документ был вам полезен?

Это неприемлемый материал?

Авторское право:

Доступные форматы

Huawei Certification HCNP Lab Guide HCNP IERN V1 6 OSPF BGP ACL Multicast 473 Pages

Загружено:

Авторское право:

Доступные форматы

S7700&S9700 Series Switches

Configuration Guide - Ethernet

HUAWEI TECHNOLOGIES CO., LTD.

Trademarks and Permissions

Huawei Technologies Co., Ltd.

Issue 07 (2017-11-30) Huawei Proprietary and Confidential i

About This Document

This document is intended for:

l Data configuration engineers

Indicates an imminently hazardous situation

Indicates a potentially hazardous situation

Indicates a potentially hazardous situation

Indicates a potentially hazardous situation

Issue 07 (2017-11-30) Huawei Proprietary and Confidential ii

NOTE Calls attention to important information,

Boldface The keywords of a command line are in boldface.

Italic Command arguments are in italics.

[] Items (keywords or arguments) in brackets [ ] are optional.

{ x | y | ... } Optional items are grouped in braces and separated by

[ x | y | ... ] Optional items are grouped in brackets and separated by

{ x | y | ... }* Optional items are grouped in braces and separated by

[ x | y | ... ]* Optional items are grouped in brackets and separated by

&<1-n> The parameter before the & sign can be repeated 1 to n

# A line starting with the # sign is comments.

Interface Numbering Conventions

Issue 07 (2017-11-30) Huawei Proprietary and Confidential iii

– When configuring a password, the cipher text is recommended. To ensure device

Mappings between Product Software Versions and NMS

Issue 07 (2017-11-30) Huawei Proprietary and Confidential iv

S7700&S9700 Product Software NMS

V200R008C00 eSight V300R003C20

Changes in Issue 07 (2017-11-30) V200R008C00

Changes in Issue 06 (2017-07-30) V200R008C00

Changes in Issue 05 (2017-04-30) V200R008C00

Changes in Issue 04 (2017-01-10) V200R008C00

Changes in Issue 03 (2016-10-30) V200R008C00

Changes in Issue 02 (2015-10-23) V200R008C00

Changes in Issue 01 (2015-07-31) V200R008C00

Issue 07 (2017-11-30) Huawei Proprietary and Confidential v

About This Document.....................................................................................................................ii

2 MAC Address Table Configuration.........................................................................................21

Issue 07 (2017-11-30) Huawei Proprietary and Confidential vi

2.4 Configuration Task Summary.......................................................................................................................................35

Issue 07 (2017-11-30) Huawei Proprietary and Confidential vii

2.11.4 How Do I Rapidly Determine a Loop?....................................................................................................................99

3 Link Aggregation Configuration............................................................................................101

Issue 07 (2017-11-30) Huawei Proprietary and Confidential viii

3.7.2.11 Checking the Configuration................................................................................................................................150

4 VLAN Configuration................................................................................................................ 186

Issue 07 (2017-11-30) Huawei Proprietary and Confidential ix

4.2.4 Intra-VLAN Communication.................................................................................................................................. 205

Issue 07 (2017-11-30) Huawei Proprietary and Confidential x

5 VLAN Aggregation Configuration........................................................................................ 298

Issue 07 (2017-11-30) Huawei Proprietary and Confidential xi

6 VLAN Switch Configuration.................................................................................................. 316

7 MUX VLAN Configuration..................................................................................................... 328

8 VLAN Termination Configuration........................................................................................ 342

Issue 07 (2017-11-30) Huawei Proprietary and Confidential xii

8.6.3.2 Configuring L3VPN............................................................................................................................................. 355

9 Voice VLAN Configuration.....................................................................................................435

Issue 07 (2017-11-30) Huawei Proprietary and Confidential xiii

9.7.2.6 Checking the Configuration..................................................................................................................................450

Issue 07 (2017-11-30) Huawei Proprietary and Confidential xiv